Security Analyst Student HandBook Dec2015
Student Handbook
Security Analyst
SSC/ Q0901
Student Handbook – Security Analyst
NASSCOM
4E-vandana Building (4th Floor)
11, Tolstoy Marg, Connaught Place
New Delhi 110 001, India
T 91 11 4151 9230; F 91 11 4151 9240
E ssc@nasscom.in
W www.nasscom.in
Disclaimer
The information contained herein has been obtained from sources reliable to NASSCOM.
NASSCOM disclaims all warranties to the accuracy, completeness or adequacy of such
information. NASSCOM shall have no liability for errors, omissions, or inadequacies, in the
information contained herein, or for interpretations thereof. Every effort has been made to trace
the owners of the copyright material included in the book. The publishers would be grateful for
any omissions brought to their notice for acknowledgements in future editions of the book.
No entry in NASSCOM shall be responsible for any loss whatsoever, sustained by any person who
relies on this material. The material in this publication is copyrighted. No parts of this report can
be reproduced either on paper or electronic media, unless authorized by NASSCOM.
Foreword
The Indian IT-ITeS industry has built its reputation in the global arena on several differentiators, chief
among them being the availability of manpower. Organizations across the world recognize the value India
brings to every engagement with its vast and readily available pool of IT professionals. Global entities have
found it extremely effective to leverage this significant resource in order to enjoy a competitive edge and
innovation benefits.
In the coming years, the landscape is expected to shift in ways that reveal more exciting opportunities.
The world will require people with advanced technology skills and domain knowledge, set against a
backdrop of heightened labour mobility across occupations and markets. India is largely acknowledged to
be heir apparent to the benefits of a demographic dividend over the coming decades, which has the
potential to see the nation emerge as one of the world’s largest population base of employable youth.
With many other countries set to face the effects of an aging and retirement-ready workforce, India is
poised to become a sought after destination for those seeking higher value add and specialized services.
Global markets are on their way towards revival and recovery, and this is well reflected in the proactive
recruitment measures taken by IT-ITeS organizations in India in recent times. India’s IT-BPM industry is on
track to achieve its target of USD 225 billion by 2020. From a base of about 3.1 million employees in
FY2014, the industry is expected to add another 2 million employees by 2020. Indirect employment
generated by 2020 is expected to be 3X the total direct employment number, i.e. between 13-16 million
by 2020.
To realize India’s potential of emerging as a skills hub of the world, a significant amount of foresight and
work is requisite. It is imperative that stakeholders engage in a concerted effort to undertake the
transformation of the labour pool estimated to enter the market into skilled and employable talent.
Enabling the creation of a future industry-ready cohort will give the IT-ITeS industry an edge in leadership
and sustainability.
One of the growing areas of global interest and concern is Information/ Cyber Security. This led to the
identification of the “hot skills” du jour, resulting in the formal creation of a Qualification Pack (QP) or job
role framework for the role of a Security Analyst. The QP is designed to capture the skills required by the
IT-BPM industry for an entry level position in this field.
To ensure the creation of an academic course that is both relevant and viable, IT-ITeS Sector Skills Council
NASSCOM (SSC NASSCOM) partnered with key industry stakeholders, including Cyber Eye Research,
Cypher Cloud, Deloitte, First American, HCL, HDFC, IBM, ISC2, Karvy Analytics, NIIT University, PwC,
Symantec, TCS, Wells Fargo, and the Data Security Council of India (DSCI) for design of the curricula and
courseware. In addition, the program addresses the need for faculty support, and achieves this by
acquainting trainers with the latest advancements in pedagogy.
We wish the universities and colleges all the very best in their endeavor.
R Chandrashekhar
President
NASSCOM
Acknowledgements
NASSCOM would like to thank its member company representatives within the Security Analyst Special
Interest Group (SIG) Council for believing in our vision to enhance the employability of the available
engineering student pool. SSC NASSCOM facilitates this by developing and enabling the implementation
of courses relevant to projected industry needs. The aim is to address two key requirements, of closing
the industry-academia skill gap, and of creating a talent pool that can reasonably weather future
externalities in the IT-BPM industry.
NASSCOM believes that this is an initiative of great importance for all stakeholders concerned – the
industry, academia, and the students. The tremendous amount of work and ceaseless support offered by
the members of this SIG in developing a meaningful strategy for the content and design of program
training materials has been truly commendable.
We would like to particularly thank Cyber Eye Research Labs, DSCI, First American, Karvy Analytics, and
Symantec for bringing much needed focus to this effort.
NASSCOM recognizes the fantastic contributions of Mr. Ram Ganesh at Cyber Eye Research Labs; Mr.
Ashok Polapragada and Mr. Ranjit Kumar at Karvy Analytics; Mr. Dwaraka Ramana K at First American; Dr
Giri T at Cypher Cloud; Mr. Nanda Kumar Sarvade, Mr. Vinayak Godse and Mr. Aditya Bhatia at DSCI.
We acknowledge with sincere gratitude the immense contribution of the SIG member companies,
Deloitte, HCL, HDFC, IBM, ISC2, NIIT University, PwC, Symantec, TCS, Wells Fargo for their part in the
creation of this course and its accompanying training materials.
We extend our thanks to PROGILENCE Capability Development Pvt. Ltd. for producing this course
publication.
Dr Sandhya Chintala
Brief Job Description: Individuals at this job are responsible for protecting information and information
systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection,
recording, or destruction. They also need to ensure the confidentiality, integrity and availability of data to
the 'right' users within/outside of the organization.
Personal Attributes: This job may require the individual to work independently and take decisions for
his/her own area of work. The individual should be result oriented and have a high attention to detail.
The individual should also be able to demonstrate communication skills and logical thinking, along with a
willingness to undertake a desk-based job with long hours.
ABOUT THE QUALIFICATION
The qualification SSC/Q0901 is part of the IT-ITeS Sector and the IT Services sub-sector. The qualification
is at level 7 on the National Skills Qualification Framework (NSQF).
This qualification's eligibility requirements and National Occupational Standards are listed below.
NSQF level: 7
Minimum Educational Qualifications: Diploma in Engineering or any graduate course
Maximum Educational Qualifications: Bachelor's Degree in Science/Technology/Computers
Training (Suggested but not mandatory): Certification in Information systems or related fields, Basic soft skills training
Experience: 0-2 years of work experience/internship in security
Applicable National Occupational Standards (NOS):
Compulsory:
1. SSC/N0901 (Contribute to managing information security)
2. SSC/N0902 (Co-ordinate responses to information security incidents)
3. SSC/N0903 (Install and configure information security devices)
4. SSC/N0904 (Contribute to information security audits)
5. SSC/N0905 (Support teams to prepare for and undergo information security audits)
6. SSC/N9001 (Manage your work to meet requirements)
7. SSC/N9002 (Work effectively with colleagues)
8. SSC/N9003 (Maintain a healthy, safe and secure working environment)
9. SSC/N9004 (Provide data/information in standard formats)
10. SSC/N9005 (Develop your knowledge, skills and competence)
Optional: Not Applicable
The above equipment has to be made available for classwork and for research work in non-class hours.
The equipment has to be relatively high speed and run a current OS and other software applications.
Students need to have an adequate number of terminals for individual use for an adequate number of hours.
The equipment needs to be installed in keeping with all health and safety measures. Any routine
breakdowns should be promptly addressed.
Table of Contents
An Introduction: The industry, sub-sector, occupation and career …17
3. SSC/ N 0903 Install, configure and troubleshoot information security devices …325
SSC/ N 0905: Support teams to prepare for and undergo information security audits …551
v. Penetration Testing
vi. Information Security Audit Tasks
vii. Audit Reports and Actions
viii. Audit Support Activities
i. Effective Communication
ii. Working Effectively
7. SSC/ N 9003: Maintain a healthy, safe and secure working environment …753
i. Importance of Self-Development
ii. Knowledge and Skills Required for the Job
iii. Avenues of Self-Development
iv. Planning for Self-Development
Annexures …831
1. Security Assessment Template
2. Case studies
An Introduction: The Industry, Sub-sector, Occupation & Career
Lesson Plan
Resource Material
1.1. An Overview of the IT-BPM Industry
1.2. An Overview of the IT Services Sub-Sector
1.3. About Information Security and its Roles
LESSON PLAN
Training Resource Material
General Overview
The Information Technology – Business Process Management (IT-BPM) industry has been fuelling
India's growth story. In addition to contributing to the country's Gross Domestic Product (GDP) and
exports, the industry has played a big role in influencing the socio-economic parameters across the
country.
The industry has helped provide employment and a good standard of living to millions. It has placed
India on the world map with an image of a technologically advanced and a knowledge-based economy.
Growth of the IT-BPM industry has provided India with a wide range of economic and social benefits
which includes creating employment, raising income levels, promoting exports and significantly
contributing to the GDP of the country.
This sector attracts amongst the largest investments by venture capitalists and has been credited with
enabling the entrepreneurial ventures of many in the country.
The IT-BPM industry has almost doubled in terms of revenue and contribution to India's GDP over the
last six years.
Global In-house Centres (GIC):
GIC organisations cater to the needs of their parent company only and do not serve external clients.
This model allows the organisation the option to keep IT Operations in-house and at the same time,
take advantage of expanding their global footprint and offering opportunities for innovation in a cost-
effective manner.
IT-BPM Industry
IT Services (ITS): Custom Application Development (CAD); Hardware Deployment and Support; Software
Deployment and Support; IT Consulting; System Integration; Information Systems Outsourcing; Software
Testing; Network Consultation and Integration; Education and Training
Business Process Management (BPM): Customer Interaction and Support (CIS); Finance and Accounting
(F&A); Human Resource Management (HRM); Knowledge Services; Procurement and Logistics
Engineering and R&D (ER&D): Embedded Services; Engineering Services
Software Products (SPD): Product Development
1.2. An Overview of the IT Services Sub-Sector
General Overview
The IT-BPM market, a USD 118 billion market in India in FY2014, is a leading contributor to the services
industry in India with respect to employment and revenue.
It accounts for 38 per cent of the country's total services exports and contributes 8.1 per cent of
India's GDP. It also accounts for INR 1,911 billion in FY2014. The IT Services sub-sector is a major
contributor to the overall IT-BPM industry.
The IT Services (ITS) sub-sector offers services to create and manage information for business functions
through a host of activities that include consulting, systems integration, IT outsourcing / managed
services / hosting services, training and support/ maintenance.
The sub-sector has evolved as a major contributor to India's GDP and plays a vital role in driving
economic growth in terms of employment, export promotion and revenue generation.
The worldwide IT Services market stood at USD 655 billion in 2013. The Indian IT Services exports form
the largest and fastest growing segment of the IT services with a growth rate of >14 per cent in FY
2014. IT Services export constituted over half of the entire export of the IT Industry. Even within the
domestic market, IT services is the fastest growing segment in the Indian domestic market, growing
by 9.7 per cent to reach INR 727 billion, driven by IS outsourcing, cloud services and increasing
adoption from all customer segments – government, enterprise, consumers and small and medium
businesses. There are over 1600 companies providing IT services in the country with the top 5
comprising around 60 per cent of the total revenue from the industry.
The sub-sector has established a record as a major contributor to the country's GDP as well as
penetrated into many large sectors - established as well as upcoming like healthcare, media, education
and retail. This has ensured that the sub-sector is a field in demand, both in the present and the future.
With an increased focus on optimising efficiencies, companies in all the sectors see value in leveraging
IT to manage their business better and are increasing their IT investments.
The wide scope of the services in this sub-sector creates a requirement for a large variety of skills. This
reflects the range of opportunities available for building a career in IT Services to a varied group of
people, and the industry continues to be amongst the most sought after for many young and aspiring
individuals.
The IT Services sub-sector started off in India with a focus on basic application development and
maintenance. The sub-sector has now grown and includes significant footprints in traditional
segments which include custom application development, application management, IS outsourcing
and software testing.
With time, the sector has expanded to provide end-to-end IT solutions and includes consulting, testing
services, infrastructure services and system integration in the offering.
After starting off, the IT Services sub-sector served mostly the North American market until the 1990s.
While North America continues to be a major importer of Indian IT services, the sub-sector has
entered other markets, in order to mitigate risk as well as to expand, and now services clients in a
greater number of geographical areas such as Latin America, the Asia Pacific and Europe.
The client base in these markets is a healthy mix between BFSI, Manufacturing, Retail, Telecom and
all key Industry verticals.
The IT-BPM industry is standing at a watershed moment in its history. In FY 2014, the industry achieved
the stellar landmark of crossing USD 118 billion in revenues. However, with the industry slowly reaching
a stage of maturity and with a business model closely aligned to exports, it faces the brunt of
economic shake-ups like the one observed in 2008, which redefined the economic order amongst
nations.
While the recovery has gathered pace in the last few months, companies are becoming increasingly
conscious that in the globally connected world, the “new normal” will be characterised by business
volatility. The ups and downs will be more frequent and companies need to learn how best to manage
this volatility.
Occupations and tracks within the IT Services Sub-Sector
1.3. General Overview of Information Security
Information Security roles are responsible for protecting information and information systems from
unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording, or
destruction. The core function of this occupation is to ensure the confidentiality, integrity and
availability of data to the 'right' users within/outside of the organisation.
Application Security: Application Security roles are responsible for ensuring stable and secure
functioning of the applications. Application Security professionals perform the following functions in
an organisation:
• Knowing threats
• Securing the network, host and application
• Incorporating security into the software development process
Security Testing
Security Testing involves devising testing standards and cases of confidentiality, integrity,
authentication, availability, authorisation and non-repudiation of information. Security Testing
professionals perform scheduled and adhoc tests to assess vulnerability and/or safety of an
organisation’s information systems.
Incident Management
Incident Management roles work towards restoring normal service operations in an organisation to
minimise the adverse effect on business operations, thus ensuring that the best possible level of
service quality and availability is maintained.
Incident management professionals manage and protect computer assets, networks and information
systems to answer the key question "what to do when things go wrong".
Business Continuity Management/Disaster Recovery (BCP/DR): BCP/DR roles are responsible for
improving system availability and integration of IT operational risk management strategies for an
organisation.
Network Security
Network Security roles are responsible for defining and implementing overall network security that
includes baseline configuration, change control, security standards and process implementation.
Privacy
Privacy roles are responsible for defining and managing data/information/IP policies etc. for an
organisation. These roles require knowledge of information security norms and data privacy norms
and regulations. Privacy professionals help define and implement privacy standards and build privacy
awareness to protect an organisation's information assets.
Note on Information Security occupation:
Information Security related job roles may be performed in any of the following setups:
• Consulting
• Managed Services
• Internal function within the organisation
In each of these set-ups, the essential functions and the highlighted tracks remain the same; however,
the delivery style and hence the skills vary slightly, depending upon the set-up.
IT Forensics
IT Forensics roles collect, process, preserve, analyse and present computer-related evidence in
support of network vulnerability mitigation, and/or criminal, fraud, counter-intelligence or law-
enforcement investigations.
Student Handbook– Security Analyst SSC/N0901
SSC/ N 0901:
Contribute to Managing Information Security
The Units
The module for this NOS is divided into ten units based on the learning objectives as given below:
UNIT I: Information Security and Threats
1.1. Information Security
1.2. Information Assets & Threats
UNIT II: Fundamentals of Information Security
2.1. Elements of information security
2.2. Principles and concepts – data security
2.3. Types of controls
UNIT III: Data Leakage
3.1. Introduction – Data Leakage
3.2. Organisational Data Classification, Location and Pathways
3.3. Content Awareness
3.4. Content Analysis Techniques
3.5. Data Protection
3.6. DLP Limitations
3.7. DRM-DLP Conundrum
UNIT IV: Information Security Policies, Procedures, Standards and Guidelines
4.1. Information Security Policies
4.2. Key Elements of a Security Policy
4.3. Security Standards, Guidelines and Frameworks
4.4. Laws, Regulations and Guidelines
UNIT V: Information Security Management – Roles and Responsibilities
5.1. Information and Data Security Team Structure
5.2. Security Incident Response Team
UNIT VI: Information Security Performance Metrics
6.1. Introduction – Security Metrics
6.2. Types of Security Metrics
6.3. Using Security Metrics
6.4. Developing the Metrics Process
6.5. Metrics and Reporting
6.6. Designing Information Security Measuring Systems
UNIT VII: Risk Assessment
7.1. Risk Overview
7.2. Risk Identification
7.3. Risk Analysis
7.4. Risk Treatment
7.5. Risk Management Feedback Loops
7.6. Risk Monitoring
UNIT VIII: Configuration Reviews
8.1. Configuration Management
8.2. Organisational SecCM Policy
8.3. Identify CM Tools
8.4. Implementing Secure Configurations
8.5. Unauthorised Access to Configuration Stores
UNIT IX: Log Correlation and Management
9.1. Event Log Concepts
9.2. Log Management and its need
9.3. Log Management Process
9.4. Configuring Windows Event Log
9.5. IIS Log Files
9.6. Analysis and Response
UNIT X: Data Backup
10.1. Data Backup
10.2. Types of Backup
10.3. Backup Procedures
10.4. Types of Storage
10.5. Features of a Good Backup Strategy
UNIT I
Information Security and Threats
Lesson Plan
1.1. Information Security
1.2. Information Assets & Threats (Virus, Worms, Trojans, Other
Threats, Network Attacks)
Lesson Plan
You need to know and understand:
KA4. the organizational systems, procedures and tasks/ checklists within the domain and how to use them.
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Evaluation:
KA4, KA5. Peer group, faculty group and industry experts' evaluation.
KB1 - KB4. Group and faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Resources:
PCs/ tablets/ laptops
Availability of labs (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Access to all security sites like ISO, PCI DSS, Centre for Internet Security etc.
Lesson
sitated the
need for the position of information security analyst.
Those who work as information security analysts are responsible for keeping information safe from
data breaches using a variety of tools and techniques. Information security analysts protect
information stored on computer networks, in applications etc. They do this with special software that
allows them to keep track of those who can access and who have accessed data. Also, they may
perform investigations to determine whether or not data has been compromised, the extent of it and
related vulnerabilities.
Someone at an entry level position may operate the software to monitor and analyze
information.
At senior level positions, one may carry out investigative work to determine whether a security
breach has occurred.
At higher levels people design systems and architecture to address these vulnerabilities.
The field of information security has seen significant growth in recent times, and the number of job
opportunities in this area is likely to increase in the near future. Recent incidents of information theft
from large companies like Target, Sony and Citibank have shown the risks and challenges of this field,
and this drives the growing need for information security and for professionals in this field. We are
now witnessing a rising background level of data leakage from governments, businesses and other
organisations, families and individuals.
A large part of an information security analyst's work involves monitoring data use and access on a
computer network.
Security analysts focus on three main areas:
1. risk assessment (identifying risks or issues an organization may face)
2. vulnerability assessment (determining an organization’s weaknesses to threats)
3. defense planning (designing the protection architecture and installing security systems such
as firewalls and data encryption programs)
Information security analysts can find themselves working with IT companies, financial and utility
companies and consulting firms. They may also find positions with government organizations. Any
company or organization with data to protect may hire information security analysts, so they could
find themselves working at a wide variety of different institutions. A number of companies operate
'Security Operation Centres (SOCs)' for carrying out data security services for captive or client
services.
Major Skills of a Security Analyst
• Understanding security policy
• Data & Traffic Analysis
• Identifying Security Events –> How & when to alarm
• Incident Response
Foundation and Background
• Network infrastructure knowledge
• Diverse device configuration ability
• Security configuration knowledge
• Data management & teamwork
Challenges for a Security Analyst
• Not tied to a product or solution
• Complex knowledge – no one specific process or product solution is correct
• A diverse set of skills is needed
Security concerning IT and information is normally categorised in three categories to facilitate the
management of information.
• theft
• fraud/ forgery
• unauthorized information access
• interception or modification of data and data management systems
The above concerns materialise in the event of a breach caused by exploitation of a vulnerability.
Vulnerabilities
Vulnerability is a weakness in an information system, system security procedures, internal
controls, or implementation that could be exploited or triggered by a threat source.
‘Threat agent or actor’ refers to the intent and method targeted at the intentional exploitation
of the vulnerability or a situation and method that may accidentally trigger the vulnerability.
A ‘threat vector’ is a path or a tool that a threat actor uses to attack the target.
‘Threat targets’ are anything of value to the threat actor such as PC, laptop, PDA, tablet, mobile
phone, online bank account or identity.
Threat classification
Microsoft has proposed a threat classification called STRIDE from the initials of the threat categories:
• Spoofing of user identity
• Tampering
• Repudiation
• Information disclosure (privacy breach or data leak)
• Denial of Service (D.o.S.)
• Elevation of privilege
Types of attacks
• Virus
A virus is a malicious program able to inject its code into other programs/ applications or data files,
so that the targeted areas become "infected". A virus is installed without the user's consent and
spreads in the form of executable code transferred from one host to another. Types of viruses
include resident virus, non-resident virus, boot sector virus, macro virus, file-infecting virus (file-
infector), polymorphic virus, metamorphic virus, stealth virus, companion virus and cavity virus.
• Worm
A worm is a malicious program that exploits operating system vulnerabilities to spread itself.
In its design, a worm is quite similar to a virus and is even considered a sub-class of it. Unlike viruses,
though, worms can reproduce/ duplicate and spread by themselves. During this process a worm does not
need to attach itself to any existing program or executable. The different types of worms, based on
their method of spread, are email worms, internet worms, network worms and multi-vector worms.
• Trojan
Computer Trojans or Trojan Horses are named after the mythological Trojan horse owing to their
similarity in operation strategy. Trojans are a type of malware that masquerades as
a non-malicious, even useful application but actually damages the host computer after its
installation. Unlike viruses, Trojans do not self-replicate; they depend on the end user to install them.
Types of Virus
Depending on the virus "residence", we can classify viruses in the following way:
Resident virus - a virus that embeds itself in the memory of a target host. In this way it becomes
activated every time the OS starts or executes a specific action.
Non-resident virus - when executed, this type of virus actively seeks targets for infection on
local, removable or network locations. After infecting them it exits, so it does not reside
in memory any more.
Boot sector virus
Macro virus - a virus written in a macro language and embedded in Word, Excel, Outlook etc.
documents. This type of virus is executed as soon as the document that contains it is opened,
since this corresponds to the macro execution within those documents, which under normal
circumstances is automatic.
Another classification of viruses can result from their characteristics:
File-infecting virus (file-infector) – this is the classic form of virus. When the infected file is
executed, the virus seeks out other files on the host and infects them with malicious code. The
malicious code is inserted either at the beginning of the host file's code (prepending virus), in the
middle (mid-infector) or at the end (appending virus). A specific type of virus called a "cavity
virus" can even inject the code into gaps in the file structure itself. The entry point of the file is
changed to the start of the virus code to ensure that the virus runs when the file is executed;
afterwards, control may or may not be passed on to the original program. Depending on the
infection routine, the host file may become otherwise corrupted and completely non-functional.
More sophisticated viral forms let the host program execute while trying to hide their presence
completely (see polymorphic and metamorphic viruses).
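The entry-point rewrite described above is something an analyst can check for from the defender's side. The following Python is an added example, not part of the handbook: it builds constructed PE32 headers (field offsets taken from the PE/COFF specification) and applies the common triage heuristic that a compiler-built executable starts in its code section, whereas an appending infector points the entry point at data or at the last section.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_pe32(entry_point, sections):
    """Construct a minimal, header-only PE32 image (a constructed test fixture,
    not a real binary). sections: list of (name, virtual_address, virtual_size,
    characteristics). Only the fields the heuristic reads are filled in."""
    pe_offset = 0x40  # PE signature placed right after the 64-byte DOS header
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", pe_offset)
    opt_size = 224  # standard size of a PE32 optional header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    # Optional header: Magic (0x10B = PE32), linker versions, three size fields,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData; the remainder is zero padding.
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_point, 0, 0)
    opt += b"\x00" * (opt_size - len(opt))
    table = b""
    for name, va, vsize, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                             vsize, va, vsize, 0, 0, 0, 0, 0, flags)
    return dos_header + b"PE\x00\x00" + coff + opt + table


def parse_pe32(data):
    """Return (entry_point, sections) from a PE32 image; ValueError if malformed."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_offset:pe_offset + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_offset = pe_offset + 4
    (num_sections,) = struct.unpack_from("<H", data, coff_offset + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff_offset + 16)
    opt_offset = coff_offset + 20
    (magic,) = struct.unpack_from("<H", data, opt_offset)
    if magic != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    (entry_point,) = struct.unpack_from("<I", data, opt_offset + 16)
    sections = []
    table_offset = opt_offset + opt_size
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, table_offset + i * 40)
        name, vsize, va, flags = fields[0], fields[1], fields[2], fields[9]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "size": vsize, "flags": flags})
    return entry_point, sections


def entry_point_findings(data):
    """Triage checks on AddressOfEntryPoint: a clean compiler-built binary starts in
    its (usually first) code section; an appending infector redirects the entry
    point into data or a new last section so that its code runs before the host."""
    entry_point, sections = parse_pe32(data)
    findings = []
    holder = next(((i, s) for i, s in enumerate(sections)
                   if s["va"] <= entry_point < s["va"] + s["size"]), None)
    if holder is None:
        return ["entry point 0x%x lies outside every section" % entry_point]
    idx, sec = holder
    if not sec["flags"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append("entry point in non-code section %s" % sec["name"])
    if sec["flags"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry point in writable section %s" % sec["name"])
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append("entry point in last section %s" % sec["name"])
    return findings


# Constructed fixtures: a normal layout, and the same layout after an appending
# infector has redirected the entry point into the writable .data section.
CODE_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_FLAGS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
LAYOUT = [(".text", 0x1000, 0x2000, CODE_FLAGS), (".data", 0x3000, 0x1000, DATA_FLAGS)]
CLEAN_SAMPLE = build_pe32(0x1100, LAYOUT)
INFECTED_SAMPLE = build_pe32(0x3010, LAYOUT)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, entry_point_findings(sample) or ["no findings"])
```

Runtime packers also place the entry point in a late section, so the findings are a triage signal to pair with a hash baseline and an antivirus verdict, not a conviction on their own.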
Polymorphic virus
Metamorphic virus - this virus is capable of rewriting its own code with each infection. The
rewriting process makes the infection appear different each time, but the functionality of
the code remains the same. The metamorphic nature of this virus type makes it possible to infect
executables from two or more different operating systems or even different computer
architectures. Metamorphic viruses are among the most complex in construction and very
difficult to detect.
Stealth virus - memory resident virus that utilises various mechanisms to avoid detection. This
avoidance can be achieved for example, by removing itself from the infected files and placing a
copy of itself in a different location. The virus can also maintain a clean copy of the infected files
in order to provide it to the antivirus engine for scan while the infected version still remains
undetected. Furthermore, the stealth viruses are actively working to conceal any traces of their
activities and changes made to files.
Armored virus
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
Multipartite virus – this attempts to infect both executable files and the master boot record of
the drive at the same time. This type may be tricky to remove: even when the executable files
have been cleaned, the system can be re-infected all over again from the boot sector if it was not
cleaned as well.
Camouflage virus – this virus type is able to present itself to the antivirus software as a harmless
program. Where the virus code resembles the code of legitimate, non-infected files, the antivirus
application is tricked into treating it as the legitimate program. This works only against basic
signature-based antivirus software. Nowadays antivirus solutions have become more elaborate,
so camouflage viruses are quite rare and not a serious threat because they are easy to detect.
Companion virus
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
Cavity virus - unlike traditional viruses, the cavity virus does not attach itself to the end of the
infected file but instead uses the empty spaces within the program file itself (which exist there
for a variety of reasons). This way the length of the program file is not changed and the virus
can more easily avoid detection. In most cases the injection of the virus does not affect the
functionality of the host file at all. Cavity viruses are quite rare, though.
Let us discuss a recent news item about a new version of a notorious virus, detected by
cyber experts, that takes over a system until money is paid as ransom. Version 2.0 of the
TeslaCrypt ransomware encryptor family, say experts, is notorious for infecting the
computers of gamers. The malicious program is now targeting online consumers and
businesses via email attachments which block access to a computer system until a sum
of money, specifically in dollars, is paid as ransom. If the victim delays, the ransom is
doubled. Detected in February 2015, TeslaCrypt began infecting systems in the US,
Europe and Southeast Asian countries. It then appeared in Indian cities including Delhi
and Mumbai. Two businessmen from Agra were targeted this year, from whom the
extortionist demanded more than $10,000. In the last six months, two cases were
reported in Agra, where the malware locked down its victims' most important files and
held them hostage in exchange for a ransom to unlock them.
Types of Worms
The most common categorization of worms relies on the method by which they spread:
Email worms: spread through email messages, especially those with attachments.
Internet worms: spread directly over the internet by exploiting access to open ports or system
vulnerabilities.
Network worms: spread over open and unprotected network shares.
Multi-vector worms: have two or more different spreading capabilities.
Types of Trojans
Computer Trojans or Trojan horses are named after the mythological Trojan horse of the Trojan War,
in which the Greeks gave a giant wooden horse to their foes, the Trojans. As soon as the Trojans
dragged the horse inside their city walls, Greek soldiers sneaked out of the horse's hollow belly and
opened the city gates, allowing their army to capture Troy. A computer Trojan horse works in a very
similar way: it is a type of malicious software that masquerades as a harmless or even useful
application but actually damages the host computer after its installation.
Trojans do not self-replicate (this is their key difference from a virus) and often require end-user
intervention to be installed, which in most scenarios happens because the user is tricked into believing
that the program he or she is installing is legitimate (this is very often connected with social
engineering attacks on end users). Another common method is for the Trojan to be spammed as an
email attachment or as a link in an email. A similar method has the Trojan arriving as a file or link in
an instant messaging client. Trojans can also be spread by means of drive-by downloads, or be
downloaded and dropped by other Trojans or by legitimate programs that have been compromised.
The results of Trojan activity vary greatly, from low-impact ones that only change the wallpaper
or desktop icons, through Trojans that open backdoors on the computer and allow other threats
to infect the host or give a hacker remote access to the targeted system, to Trojans that cause
serious damage to the host by deleting files or destroying the data on the system in various ways
(such as formatting the drive or causing a BSOD). Such Trojans are usually stealthy and do not
advertise their presence on the computer.
Trojans can be classified by the function they perform and by the way they breach systems. An
important thing to keep in mind is that many Trojans have multiple payload functions, so any such
classification provides only a general overview and not a strict boundary. Some of the most
common Trojan types are:
Remote Access Trojan (RAT), also known as Backdoor.Trojan - this type of Trojan opens a backdoor
on the targeted system to allow the attacker remote access to the system, or even complete
control over it. This is the most widespread kind of Trojan and often has various other functions
as well. It may be used as an entry point for a DoS attack or for letting worms or even other
Trojans onto the system. A computer with a sophisticated backdoor program installed may also be
referred to as a "zombie" or a "bot". A network of such bots is often referred to as a "botnet" (see
part 3 of the Security 1:1 series). Backdoor.Trojans are generally created by malware authors
who are organized and aim to make money out of their efforts. These types of Trojans can be
highly sophisticated and can require more work to implement than some of the simpler malware
seen on the Internet.
Trojan-DDoS - this Trojan is installed simultaneously on a large number of computers in order to
create a zombie network (botnet) of machines that can be used as attackers in a DDoS attack
on a particular target.
Trojan-Proxy -
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
Trojan-FTP – this Trojan is designed to open FTP ports on the targeted machine, allowing a remote
attacker access to the host. Furthermore, the attacker can also access network shares or
connections to spread other threats further.
Destructive Trojan – this is designed to destroy or delete data. It is much like a virus.
Security Software Disabler Trojan – this is designed to stop security programs such as antivirus
solutions, firewalls or IPS, either by disabling them or by killing their processes. This kind of Trojan
functionality is often combined with a destructive Trojan that executes data deletion or
corruption only after the security software has been disabled. Security Software Disablers are
entry Trojans that enable the next level of attack on the targeted system.
Info Stealer (Data Sending/ Stealing Trojan) - this Trojan is designed to obtain confidential or
sensitive information from the compromised host and send it to a predefined location (the
attacker). The stolen data comprises login details, passwords, PII, credit card information etc.
Data-sending Trojans can be designed to look for specific information only, or can be more
generic, like keylogger Trojans. Nowadays more than ever before, attackers are concentrating on
compromising end users for financial gain. The information stolen with an info stealer Trojan is
often sold on the black market. Info stealers gather information using several techniques; the
most common include logging keystrokes, taking screenshots and webcam images, and
monitoring internet activity, often for specific financial websites. The stolen information may be
stored locally so that it can be retrieved later, or it can be sent to a remote location where it can
be accessed by an attacker. It is often encrypted before being posted to the malware author.
Keylogger Trojan – this is a type of data-sending Trojan that records every keystroke of the end
user. This kind of Trojan is used specifically to steal sensitive information from the targeted host
and send it back to the attacker. For these Trojans the goal is to collect as much data as possible,
without any direct specification of what the data will be.
Trojan-PSW (Password Stealer) – this is a type of data-sending Trojan designed specifically to
steal passwords from targeted systems. In its execution routine, the Trojan will very often first
drop a keylogging component onto the infected machine.
Trojan-Banker – a Trojan designed specifically to steal online banking information, allowing the
attacker further access to bank account or credit card information.
Trojan-IM – a type of data-sending Trojan designed specifically to steal data or account
information from instant messaging programs like MSN, Skype etc.
Trojan-Game Thief – a Trojan designed to steal information about online gaming accounts.
Trojan Mail Finder – a Trojan used to harvest any email addresses found on the infected
computer. The email list is then forwarded to the remote attacker.
Trojan-Dropper -
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
Trojan-Downloader – a Trojan that can download other malicious programs to the target
computer. It is very often combined with the functionality of a Trojan-Dropper. Most downloaders
that are encountered will attempt to download content from the internet rather than from the
local network. In order to achieve its primary function, a downloader must run on a computer
that is inadequately protected and connected to a network.
Trojan-FakeAV –
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
This type of Trojan can either be aimed at extorting money for the removal of a "non-existent"
threat, or in other cases the installation of the program itself injects other malware into the host
machine. FakeAV applications can perform fake scans with variable results, but they always
detect at least one malicious object. They may also drop files that are then "detected". FakeAV
applications are constantly updated with new interfaces so that they mimic legitimate anti-virus
solutions and appear very professional to end users.
Trojan-Spy – this Trojan has functionality similar to the Info Stealer or Trojan-PSW, and its
purpose is to spy on the actions executed on the target host. These can include tracking data
entered via keystrokes, collecting screenshots, listing active processes/ services on the host, or
stealing passwords.
Trojan-ArcBomb -
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
In another incident, detected by Kaspersky Labs, Pune, the TeslaCrypt ransomware
encryptor family exhibited a curious behaviour. In version 2.0 of the Trojan notorious for
infecting computer gamers, it displays an HTML page in the web browser which is an
exact copy of CryptoWall 3.0, another notorious ransomware program. TeslaCrypt was
detected in February 2015, and the new ransomware Trojan gained immediate notoriety
as a menace to computer gamers. Amongst other types of target files, it tries to infect
typical gaming files: game saves, user profiles, recorded replays etc. That said, TeslaCrypt
does not encrypt files that are larger than 268 MB. A few more examples of ransomware
Trojans are CryptoLocker, CryptoWall, CoinVault, TorLocker and CTB-Locker.
Source: News articles
Malware refers to software such as viruses, spyware, adware, worms, Trojans, ransomware etc.
designed to cause damage to a targeted computer or a certain degree of operational disruption.
Rootkit is malicious software designed to hide certain processes or programs from detection. It
usually acquires and maintains privileged system access while hiding its presence at the same
time. It acts as a conduit by providing the attacker with a backdoor to the system.
Spyware is software that monitors and collects information about a particular user, computer
or organisation without the user's knowledge. There are different types of spyware, namely
system monitors, Trojans (keyloggers, banker Trojans, info stealers), adware, tracking cookies etc.
Tracking cookies are a specific type of cookie that is distributed, shared and read across two
or more unrelated websites for the purpose of gathering information or potentially presenting
customized content to you.
Riskware is a term used to describe potentially dangerous software whose installation may pose
a risk to the computer.
Scareware is a class of malware that includes both ransomware (Trojan.Ransom) and FakeAV
software; it is also well known under the names "Rogue Security Software" or "Misleading
Software". This kind of software tricks the user into believing that the computer has been
infected and offers paid solutions to clean the "fake" infection.
Spam is the term used to describe unsolicited or unwanted electronic messages, especially
advertisements. The most widely recognized form of spam is email spam.
Creepware is a term used to describe activities such as spying on others through webcams (very
often combined with capturing pictures), tracking the online activities of others, listening to
conversations over the computer's microphone, and stealing passwords and other data.
Blended threat defines an exploit that combines elements of multiple types of malware
components. The use of multiple attack vectors and payload types aims to increase both the
severity of the damage caused and the speed of spreading.
A. COHEN B. NORTON
C. SMITH D. McAfee
ANSWER : …………………………………………………………..
Network attacks
A network attack is usually defined as an intrusion on the network infrastructure that first analyses
the environment and collects information in order to exploit existing open ports or vulnerabilities.
This may include unauthorized access to organisation resources.
Passive attacks: attacks where the purpose is only to learn and obtain information from the
system; the system resources are not altered or disabled in any way.
Active attacks: in this type of network attack, the perpetrator accesses and either alters,
disables or destroys resources or data.
Outside attack: when an attack is performed from outside the organization by an unauthorized
entity, it is said to be an outside attack.
Inside attack: if an attack is performed from within the company by an "insider" who already
has certain access to the network, it is considered an inside attack.
Others, such as attacks targeted at end users (like phishing or social engineering): these are
not directly referred to as network attacks, but are important to know because of their
widespread occurrence.
[Figure: common network attack types – Whaling; Vishing (voice phishing or VoIP phishing); Network sniffing; Port scanning; Spoofing; DoS attack & DDoS attack; ICMP smurf attack; Buffer overflow attack; Denial of service; Man-in-the-middle attack; Botnet; Session hijacking attack; SQL injection attack; Cross-site scripting attack (XSS attack); Bluetooth related attacks]
remains the same – to obtain confidential information and gain access to personal files. The
means of the attack are a bit different, though, and include special links or posts on social media
sites that attract the user with their content and convince them to click. The link then redirects
to a malicious website or similar harmful content. The websites can mirror legitimate Facebook
pages so that the unsuspecting user does not notice the difference. The website will require the
user to log in with his or her real information. At this point the attacker collects the credentials,
gaining access to the compromised account and all the data on it. Another scenario involves
fake apps: users are encouraged to download and install apps that contain malware used to
steal confidential information.
Facebook phishing attacks are often much more elaborate. Consider the following scenario: a link
posted by an attacker can include pictures or a phrase that entices the user to click on it. When
the user clicks, he or she is redirected to a mirror website that asks him or her to "like" the post
before even viewing it. The user, not suspecting any harm, clicks the "like" button but does not
realise that the "like" button has been spoofed and is in reality an "accept" button granting the
fake app access to the user's personal information. At this point the data is collected and the
account is compromised.
Spear phishing attack – this is a type of phishing attack targeted at specific individuals, groups
of individuals or companies. Spear phishing attacks are performed mostly for the primary purpose
of industrial espionage and theft of sensitive information, while ordinary phishing attacks are
directed at the wide public with the intent of financial fraud. It has been estimated that in the
last couple of years targeted spear phishing attacks have become more widespread than ever before.
The recommendations to protect your company against phishing and spear phishing include:
1. Never open or download a file from an unsolicited email, even from someone you know
(you can call or email the person to double check that it really came from them).
2. Keep your operating system updated.
3. Use a reputable anti-virus program.
4. Enable two factor authentication whenever available.
5. Confirm the authenticity of a website prior to entering login credentials by looking for a
reputable security trust mark.
6. Look for HTTPS in the address bar when you enter any sensitive personal information on a
website to make sure your data will be encrypted.
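Recommendations 5 and 6 can be applied mechanically before credentials are entered. The following Python function is an added example (it is not code from the handbook): it checks the scheme, extracts the host the browser would actually connect to, and compares it to a list of expected sites. The EXPECTED_HOSTS set and the example-bank.com names are constructed assumptions; the warning codes are this example's own.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed example data (assumption): the host names a user legitimately logs in to.
EXPECTED_HOSTS = {"login.example-bank.com", "www.example-bank.com"}


def registrable_names(hosts):
    """Last two labels of each expected host ('example-bank.com'), used to spot lookalikes."""
    return {".".join(h.split(".")[-2:]) for h in hosts}


def check_login_url(url, expected_hosts=EXPECTED_HOSTS):
    """Return a list of warning codes for a URL the user is about to type credentials into.
    An empty list means the URL passed every check."""
    warnings = []
    parts = urlsplit(url.strip())

    # Recommendation 6: credentials must only travel over HTTPS.
    if parts.scheme.lower() != "https":
        warnings.append("not-https")

    # Use the host the browser will actually connect to, not whatever text
    # appears before an '@' or in the path.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        warnings.append("no-host")
        return warnings

    # 'https://login.example-bank.com@evil.example/' connects to evil.example,
    # the part before '@' is only user info.
    if parts.username is not None:
        warnings.append("userinfo")

    # Real login pages are not served from bare IP addresses.
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal")
    except ValueError:
        pass

    # Recommendation 5: is this really one of the sites we expect?
    if host not in expected_hosts:
        if any(brand in host for brand in registrable_names(expected_hosts)):
            warnings.append("lookalike")      # e.g. login.example-bank.com.evil.example
        else:
            warnings.append("unknown-host")
    return warnings


if __name__ == "__main__":
    for u in ("https://login.example-bank.com/account",
              "http://login.example-bank.com/",
              "https://login.example-bank.com.evil.example/",
              "https://login.example-bank.com@203.0.113.5/"):
        print(u, "->", check_login_url(u) or "ok")
```

The lookalike check deliberately errs on the safe side: any host that merely contains the expected registrable name (including a legitimate subdomain missing from EXPECTED_HOSTS) is flagged, so the expected list should be kept complete.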
Watering hole attack – this is a more complex type of phishing attack. Instead of the usual way
of sending spoofed emails to end users in order to trick them into revealing confidential
information, attackers use a multi-staged approach to gain access to the targeted information.
In the first step, the attacker profiles the potential victim, collecting information about his or her
internet habits, history of visited websites etc. In the next step the attacker uses that knowledge
to inspect the specific legitimate public websites for vulnerabilities. If any vulnerabilities or
loopholes are found, the attacker compromises the website with his own malicious code. The
compromised website then waits for the targeted victim to come back and infects them with
exploits (often for zero-day vulnerabilities) or malware. This is an analogy to a lion waiting at
the watering hole for its prey.
Whaling – a type of phishing attack specifically targeted at senior executives or other high-profile
targets within a company.
Vishing (Voice Phishing or VoIP Phishing) – the use of social engineering techniques over the
telephone system to obtain confidential information from users. This phishing attack is often
combined with caller ID spoofing, which masks the real source phone number and instead
displays a number familiar to the phishing victim or known to belong to a real banking institution.
General vishing practices include pre-recorded automated instructions asking users to provide
bank account or credit card information for verification over the phone.
Port scanning – an attack type where the attacker sends requests to a range of ports on a
targeted host in order to find out which ports are active and open, which allows them to exploit
known service vulnerabilities related to specific ports. Port scanning can be used by malicious
attackers to compromise security, as well as by IT professionals to verify network security.
Spoofing – a technique used to masquerade a person, program or address as another by
falsifying data, with the purpose of gaining unauthorized access.
A few of the common spoofing types include:
IP address spoofing – the process of creating IP packets with a forged source IP address to
impersonate a legitimate system. This kind of spoofing is often used in DoS attacks
(Smurf attack).
ARP spoofing (ARP poisoning) – the process of sending fake ARP messages on the network.
The purpose of this spoofing is to associate the attacker's MAC address with the IP address of
another legitimate host, causing traffic to be redirected to the attacker's host. This kind of
spoofing is often used in man-in-the-middle attacks.
DNS spoofing (DNS cache poisoning) – an attack where wrong data is inserted into a DNS
server's cache, causing the DNS server to divert traffic by returning wrong IP addresses in
response to client queries.
Email spoofing – the process of faking the email's sender ("From") field in order to hide the
real origin of the email. This type of spoofing is often used in spam mail or during phishing
attacks.
Search engine poisoning – attackers take advantage of high-profile news items or popular
events that may be of specific interest to a certain group of people in order to spread
malware and viruses. This is done by various methods whose purpose is to achieve the
highest possible search ranking on well-known search portals for the malicious sites and
links introduced by the hackers. Search engine poisoning techniques are often used to
distribute rogue security products (scareware) to users searching for legitimate security
solutions to download.
Network sniffing (packet sniffing) – the process of capturing the data packets travelling on the
network. Network sniffing can be used by IT professionals to analyse and monitor traffic, for
example in order to find unexpected suspicious traffic, but also by perpetrators to collect data
sent in clear text, which is easily readable with network sniffers (protocol analysers). The best
countermeasure against sniffing is the use of encrypted communication between hosts.
Denial of Service attack (DoS attack) and Distributed Denial of Service attack (DDoS attack) –
an attack designed to cause an interruption or suspension of the services of a specific host/ server
by flooding it with large quantities of useless traffic or external communication requests. When
the DoS attack succeeds, the server is no longer able to answer even legitimate requests; this can
be observed in a number of ways – slow response of the server, slow network performance,
unavailability of software or a web page, inability to access data, websites or other resources.
A Distributed Denial of Service attack (DDoS) occurs when multiple compromised or infected
systems (a botnet) flood a particular host with traffic simultaneously.
DoS (denial-of-service) attack
A few of the most common DoS attack types:
ICMP flood attack (ping flood) – an attack that sends ICMP ping requests to the victim host
without waiting for answers, in order to overload it with ICMP traffic to the point where the
host can no longer answer them, either because of network bandwidth congestion with ICMP
packets (both requests and replies) or because of high CPU utilization caused by processing
the ICMP requests. The easiest way to protect against the various types of ICMP flood attack
is either to disable propagation of ICMP traffic sent to the broadcast address on the router, or
to block ICMP traffic at the firewall level.
Ping of Death (PoD) – this attack involves sending a malformed or otherwise corrupted
malicious ping to the host machine, for example a PING larger than usual, which can cause a
buffer overflow on the system that leads to a system crash.
Smurf attack – this works in the same way as the ping flood attack, with one major difference:
the source IP address of the attacker's host is spoofed with the IP address of another
legitimate, non-malicious computer. Such an attack causes disruption both on the attacked
host (receiving a large number of ICMP requests) and on the spoofed victim host (receiving a
large number of ICMP replies).
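Both the ping flood and the smurf attack described above have a signature a monitoring system can count: a burst of echo requests to one host, or echo replies converging on one host from many senders that it never pinged. The following detector is an added example in Python, not code from the handbook; the packet records are constructed and the window size and thresholds are assumptions.

```python
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP type numbers


def constructed_packets():
    """Constructed packet records (time_seconds, src_ip, dst_ip, icmp_type); not a real capture."""
    pkts = []
    # Normal traffic: one ping per second from 10.0.0.5 to 10.0.0.1, each answered.
    for s in range(5):
        pkts.append((float(s), "10.0.0.5", "10.0.0.1", ECHO_REQUEST))
        pkts.append((s + 0.01, "10.0.0.1", "10.0.0.5", ECHO_REPLY))
    # Ping flood: 500 echo requests hit 10.0.0.1 within one second.
    for i in range(500):
        pkts.append((10 + i / 1000, "198.51.100.7", "10.0.0.1", ECHO_REQUEST))
    # Smurf reflection: 40 different hosts all reply to 10.0.0.9 within one second,
    # although 10.0.0.9 never sent a request (its address was spoofed as the source).
    for i in range(40):
        pkts.append((20 + i / 100, "192.0.2.%d" % (i + 1), "10.0.0.9", ECHO_REPLY))
    return sorted(pkts)


def detect_icmp_attacks(packets, window=1.0, request_threshold=100, reply_sources_threshold=20):
    """Bucket ICMP traffic per destination and per time window and flag two patterns:
    'icmp-flood'       : more than request_threshold echo requests to one host in a window;
    'smurf-reflection' : echo replies to one host from at least reply_sources_threshold
                         distinct senders in a window (the spoofed victim of a smurf attack).
    Thresholds are assumptions for this example and must be tuned to the real network."""
    requests = defaultdict(int)        # (dst, window index) -> number of echo requests
    reply_sources = defaultdict(set)   # (dst, window index) -> set of reply senders
    for t, src, dst, icmp_type in packets:
        key = (dst, int(t // window))
        if icmp_type == ECHO_REQUEST:
            requests[key] += 1
        elif icmp_type == ECHO_REPLY:
            reply_sources[key].add(src)

    alerts = []
    for (dst, idx), count in sorted(requests.items()):
        if count > request_threshold:
            alerts.append({"kind": "icmp-flood", "target": dst,
                           "window_start": idx * window, "requests": count})
    for (dst, idx), sources in sorted(reply_sources.items()):
        if len(sources) >= reply_sources_threshold:
            alerts.append({"kind": "smurf-reflection", "target": dst,
                           "window_start": idx * window, "reply_sources": len(sources)})
    return alerts


if __name__ == "__main__":
    for alert in detect_icmp_attacks(constructed_packets()):
        print(alert)
```

Counting per destination rather than per source is what makes the flood visible even when the attacker spoofs many source addresses; the reflection check is what identifies the smurf victim, which the handbook notes is the spoofed host and not the one receiving requests.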
keeps the server with dead open connections and in the end prevents legitimate hosts from
connecting to the server any more.
Buffer overflow attack – in this type of attack the victim host is provided with traffic/ data that is
outside the range the victim host, protocol or application is designed to process, overflowing the
buffer and overwriting adjacent memory. One example is the Ping of Death attack mentioned
above, where a malformed ICMP packet exceeding the normal size can cause a buffer overflow.
Botnet – a collection of compromised computers that can be controlled by remote perpetrators
to perform various types of attacks on other computers or networks. A known example of botnet
usage is the distributed denial of service attack, where multiple systems submit as many requests
as possible to the victim machine in order to overload it with incoming packets. Botnets can
otherwise be used to send out spam, spread viruses and spyware, and to steal personal and
confidential information which is afterwards forwarded to the botmaster.
Man-in-the-middle attack – this attack is a form of active monitoring or eavesdropping on victims'
connections and the communication between victim hosts. This form of attack involves
interaction between both victim parties of the communication and the attacker. It is achieved by
the attacker intercepting all or part of the communication, changing its content and sending it
back as legitimate replies. Neither party is aware of the attacker's presence, and both believe the
replies they get are legitimate. For this attack to succeed, the perpetrator must successfully
impersonate at least one of the endpoints. This is possible if there are no protocols in place that
provide mutual authentication or encryption during the communication process.
Session hijacking attack – this attack exploits a valid computer session in order to gain
unauthorized access to information on a computer system. The attack type is often referred to
as cookie hijacking, because during the attack the attacker uses a stolen session cookie to
authenticate to the remote server and gain access by impersonating the legitimate user.
Cross-site scripting attack (XSS attack) – the attacker exploits XSS vulnerabilities found in web
server applications in order to inject a client-side script into the web page, which can either
redirect the user to a malicious website of the attacker or allow the attacker to steal the user's
session cookie.
SQL injection attack – the attacker uses existing vulnerabilities in applications to inject code/ a
string for execution that exceeds the allowed and expected input to the SQL database.
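The two web application attacks above come down to one mistake: untrusted input being spliced into a language the server or browser interprets. The following is an added example in Python (not code from the handbook) showing the defect beside its fix: a lookup built by string concatenation next to the parameterized query that cannot be altered by its input, and HTML escaping of user-supplied text before it is rendered. The users table and its rows are constructed sample data.

```python
import sqlite3
import html


def make_demo_db():
    """In-memory SQLite table with constructed sample users (assumption, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")])
    return conn


def find_user_vulnerable(conn, username):
    """The defect: user input is pasted into the SQL text, so it can change the statement
    itself (a quote character inside the input ends the string literal early)."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """The fix: a parameterized query. The driver passes the value separately from the
    statement, so whatever the user typed is only ever compared as data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()


def render_greeting(display_name):
    """XSS defence at the output: escape untrusted text before placing it in HTML, so a
    script tag in a user's name is shown literally instead of being executed by the browser."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_demo_db()
    # The textbook input: the quote turns the WHERE clause into an always-true condition
    # in the vulnerable version, so every row leaks; the safe version simply finds no user.
    tricky_input = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, tricky_input))
    print("safe:      ", find_user_safe(db, tricky_input))
    print(render_greeting("<script>alert(1)</script>"))
```

The same pattern applies to the session cookie the XSS entry above mentions: escaping output stops the injected script from running at all, and marking the cookie HttpOnly keeps it out of reach of any script that does run.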
Bluetooth related attacks
Bluesnarfing – this kind of attack allows the malicious user to gain unauthorized access to
information on a device through its Bluetooth connection. Any device with Bluetooth turned
on and set to the "discoverable" state may be prone to a bluesnarfing attack.
Bluejacking – this kind of attack allows the malicious user to send unsolicited (often spam)
messages to Bluetooth-enabled devices.
A few recent cyberattacks (network attacks) that shook some big businesses around the
globe:
March 2015
Anthem
February 2015
One of the nation’s largest health insurers said that the personal
information of tens of millions of its customers and employees, including its
chief executive, was the subject of a “very sophisticated external
cyberattack.”
The company added that hackers were able to breach a database that
contained as many as 80 million records of current and former customers,
as well as employees. The information accessed included names, Social
Security numbers, birthdays, addresses, email and employment information,
including income data.
Sony Pictures
November 2014
A huge attack that essentially wiped clean several internal data centers and
led to cancellation of the theatrical release of "The Interview," a comedy
about the fictional assassination of the North Korean leader Kim Jong-un.
Contracts, salary lists, film budgets, entire films and Social Security numbers
were stolen, including -- to the dismay of top executives -- leaked emails
that included criticisms of Angelina Jolie and disparaging remarks about
President Obama.
Staples
October 2014
The office supply retailer said hackers had broken into the company’s
network and compromised the information of about 1.16 million credit
cards.
Summary
Information security analysts protect information stored on computer networks, applications,
etc., using special software that allows them to keep track of who can access, and who has
accessed, data.
There are three categories of information technology and information security:
o confidentiality
o integrity
o availability
Key concerns in information asset security are theft, fraud/ forgery, unauthorized information
access, and interception or modification of data and data management systems.
A vulnerability is a weakness in an information system, system security procedures, internal
controls or implementation that could be exploited or triggered by a threat source.
Microsoft has proposed a threat classification called STRIDE, from the initials of the threat
categories.
Types of attacks: viruses, worms, Trojans and others.
A network attack is usually defined as an intrusion on the network infrastructure that first
analyses the environment and collects information in order to exploit existing open ports or
vulnerabilities. This may include unauthorized access to organisation resources.
The recommendations to protect against phishing and spear phishing include:
o Never open or download a file from an unsolicited email, even from someone you
know.
o Keep your operating system updated.
o Use a reputable anti-virus program.
o Enable two factor authentication whenever available.
o Confirm the authenticity of a website prior to entering login credentials.
o Look for HTTPS in the address bar when you enter any sensitive personal information
on a website.
Practical activities:
Activity 1:
List various types of attacks, and get examples of each type of virus, trojan, worm and
other malware from the internet. Compare the list with your fellow students.
Activity 2:
Find out and study cases of attacks over the years and impact of those attacks on the
organisations where these occurred. Share details of 2-3 most interesting ones in the
class.
Activity 3:
Access the CVE database and list all the types of information it provides. Present the same in
class and elaborate upon the various ways in which that information can be used.
3. State the reason why a Cavity virus is difficult to detect, unlike traditional viruses.
UNIT II
Fundamentals of Information Security
Lesson Plan
2.1 Elements of information security
2.2 Principles and concepts – data security
2.3 Types of controls
Lesson Plan
Performance Outcomes
To be competent, you must be able to:
PC3. carry out security assessment of information security systems using automated tools
PC8. provide inputs to root cause analysis and the resolution of information security issues, where
required
You need to know and understand:
KA5. how to analyse root causes of information security issues
KA6. how to carry out information security assessments
KB4. how to identify and resolve information security vulnerabilities and issues
Ensuring Measures
QA session and a descriptive write-up on understanding.
Peer group, faculty group and industry experts.
KA6, KA7, KA8: peer review with faculty with appropriate feedback.
KB1 – KB4: going through the security standards over the internet by visiting sites like ISO, PCI DSS
etc., and understanding the various methodologies and usage of algorithms.
Work Environment/ Lab Requirement
PCs/ tablets/ laptops
Availability of labs (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Networking equipment (routers & switches)
Firewalls and access points
Access to all security sites like ISO, PCI DSS etc.
Commercial tools like HP WebInspect and IBM AppScan etc.
Open source tools like sqlmap, Nessus etc.
Lesson
Network Security
Network security refers to any activity designed to protect your network. Specifically, these activities
protect the usability, reliability, integrity and safety of your network and data. Effective network
security targets a variety of threats and stops them from entering or spreading on your network.
No single solution protects you from a variety of threats. You need multiple layers of security. If one
fails, others still stand. Network security is accomplished through hardware and software. The
software must be constantly updated and managed to protect you from emerging threats.
Wireless networks, which by their nature give access to the radio medium, are more vulnerable than
wired networks: communications must be encrypted to counter sniffing, and the identity of mobile
nodes must be checked continuously. Mobility adds further challenges, namely the monitoring and
maintenance of secure traffic transport for mobile nodes. This concerns both homogeneous and
heterogeneous (inter-technology) mobility; the latter requires the security level of all networks
visited by the mobile node to be harmonized.
From the terminal’s side, it is important to protect its resources (battery, disk, CPU) against misuse
and to ensure the confidentiality of its data. In an ad hoc or sensor network, ensuring the terminal’s
integrity becomes essential, because it plays the dual role of router and terminal.
The difficulty of designing security solutions that address these challenges lies not only in ensuring
robustness against potential attacks, or in ensuring that security does not slow down communications,
but also in optimizing the use of resources such as bandwidth, memory and battery. More importantly,
in this open context the wireless network has to ensure anonymity and privacy while allowing
traceability for legal reasons. Indeed, traceability is increasingly needed in the fight against criminal
organizations and terrorists, and also to limit the plundering of copyright. The network therefore
faces a dilemma: supporting the free exchange of information while controlling the content of
communications to avoid harmful content. This actually concerns both wired and wireless networks.
All these factors influence the selection and implementation of security tools, which are guided by a
prior risk assessment and security policy.
Finally, trust models are increasingly considered in the design of secure systems. They should offer a
higher level of trust than classical security mechanisms, and it seems that future networks should
implement both: security models and trust models.
If communication nodes are able to build and maintain a predefined trust level in the network, then
the communication system can be trusted all the time, allowing trusted and secure service
deployment. However, such trust models are very difficult to design, and a trust level is at present
generally a biased concept, much like the human-based notion of trust. Note that succeeding in
building such trust models would allow infrastructure-based networks, and especially infrastructure-less
or self-organized networks such as ad hoc sensor networks, to be trusted enough to deploy several
applications. This will also affect current business models: the economic model would have to change
to include new players in the telecommunication value chain, such as users offering their machines to
build an infrastructure-less network. For example, in the context of ad hoc networks, ad hoc users
could become distributors of content or providers of other networked services, becoming a sort of
service provider. In this case, an appropriate charging and billing system needs to be designed.
A network security system usually consists of many components. Ideally, all components work
together, which minimizes maintenance and improves security.
Application Security
Application security (AppSec) is the use of software, hardware and procedural methods to protect
applications from external threats. AppSec is the operational solution to the problem of software risk.
AppSec helps identify, fix and prevent security vulnerabilities in any kind of software application
irrespective of the function, language or platform.
As a best practice, AppSec employs proactive and preventative methods to manage software
risk, and align an organization’s security investments with the reality of today’s threats. It has
three distinct elements:
A software vulnerability can be defined as a programmatic function that processes critical data
in an insecure way. These “holes” in an application can be exploited by a hacker, spy or
cybercriminal as an entry point to steal sensitive, protected or confidential data.
The severity and frequency of cyber-attacks is increasing, which makes the practice of AppSec
important. AppSec as a discipline is also becoming more complex as the variety of business software
continues to proliferate. Here are some of the reasons why (see if these sound familiar):
Software developers have an endless choice of programming languages to choose from – Java, .NET,
C++, PHP and more.
Applications can be deployed across myriad platforms – installed to operate locally, over virtual
servers and networks, accessed as a service in the cloud or run on mobile devices.
AppSec products must provide capabilities for managing security risk across all of these options as
each of these development and deployment options can introduce security vulnerabilities. An
effective software security strategy addresses both immediate and systemic risk.
The Application Security market has reached sufficient maturity to allow organizations of all sizes to
follow a well-established roadmap:
Begin with software security testing to find and assess potential vulnerabilities:
Testing and remediation form the baseline response to insecure applications, but the critical element
of a successful AppSec effort is ongoing developer training. Security conscious development teams
write bulletproof code, and avoid common errors. For example, data input validation – the process of
ensuring that a program operates with clean, correct and useful data. Neglecting this important step,
and failing to build in standard input validation rules or “check routines” leaves the application open
to common attacks such as cross-site scripting and SQL injection.
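The input validation point above, as an added example that is not part of the handbook: the same user lookup written with string concatenation (the structure of the query can be changed by its input) and with a validation “check routine” plus a parameterised query. The table, rows and username rule are constructed for the demonstration.

```python
"""Added example (not from the handbook): an insecure and a hardened
version of the same lookup, run against an in-memory SQLite database
populated with constructed sample rows."""
import re
import sqlite3

# Constructed sample data: a tiny users table for demonstration only.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Assumed validation rule: usernames are 3-32 chars of [a-z0-9_].
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_insecure(conn, username: str, password: str) -> list:
    """Vulnerable: untrusted input is spliced into the SQL text, so the
    input can change the structure of the query (SQL injection)."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_secure(conn, username: str, password: str) -> list:
    """Hardened: a check routine rejects malformed usernames up front, and
    the query uses bound parameters so input is only ever treated as data."""
    if not USERNAME_RE.match(username):
        raise ValueError("username fails input validation")
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    """Run both versions on normal and on structure-changing input."""
    conn = make_db()
    bad_input = "' OR '1'='1"  # textbook input that alters the query logic
    result = {
        "insecure_normal": lookup_insecure(conn, "alice", "s3cret"),
        # The concatenated query now matches every row in the table.
        "insecure_injected": lookup_insecure(conn, bad_input, bad_input),
        "secure_normal": lookup_secure(conn, "alice", "s3cret"),
        # Parameter binding alone is enough where validation does not apply:
        # the password is compared as a literal string and matches nothing.
        "secure_param_only": lookup_secure(conn, "alice", bad_input),
    }
    try:
        lookup_secure(conn, bad_input, bad_input)
        result["secure_injected"] = "accepted"
    except ValueError:
        result["secure_injected"] = "rejected by validation"
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```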
When undertaken correctly, Application Security is an orderly process of reducing the risks associated
with developing and running business critical software. Properly managed, a good application security
program will move your organization from a state of unmanaged risk and reactive security to effective,
proactive risk mitigation.
Communications Security
Communications Security (COMSEC) ensures the security of telecommunications confidentiality and
integrity – the two information assurance (IA) pillars. Generally, COMSEC may refer to the security of
any information that is transmitted, transferred or communicated.
Emission Security (EMSEC): This prevents the release or capture of emanations from
equipment, such as cryptographic equipment, thereby preventing unauthorized
interception.
Physical Security: This ensures the safety of, and prevents unauthorized access to,
cryptographic information, documents and equipment.
Figure: the three critical information characteristics, Confidentiality, Integrity and Availability.
Information States
Information has three basic states: at any given moment, information is being transmitted, stored or
processed. The three states exist irrespective of the media in which information resides.
Figure: Information states, namely Transmission, Storage and Processing.
Information systems security concerns itself with the maintenance of three critical characteristics of
information: confidentiality, integrity and availability. These attributes of information represent the
full spectrum of security concerns in an automated environment. They are applicable for any
organization irrespective of its philosophical outlook on sharing information.
Authentication happens right after identification and before authorization. It verifies the
authenticity of the identity declared at the identification stage. In other words, it is at the
authentication stage that you prove you are indeed the person or the system you claim to
be. The three methods of authentication are what you know, what you have and what you
are. Regardless of the particular authentication method used, the aim is to obtain
reasonable assurance that the identity declared at the identification stage belongs to the
party in communication. It is important to note that reasonable assurance may mean
different degrees of assurance, depending on the particular environment and application,
and therefore may require different approaches to authentication. Authentication
requirements of a national security – critical system naturally differ from authentication
The following types of non-repudiation services are defined in international standard ISO
14516:2002 (guidelines for the use and management of trusted third party services).
o Approval: non-repudiation of approval provides proof of who is responsible for approval
of the contents of a message.
o Transport: non-repudiation of transport provides proof for the message originator that
a delivery agent has delivered the message to the intended recipient.
o Receipt: non-repudiation of receipt provides proof that the recipient received the
message.
Central to information security is the concept of controls, which may be categorized by their
functionality (preventive, detective, corrective, deterrent, recovery and compensating) and plane of
application (physical, administrative or technical).
By functionality:
Preventive controls
Preventive controls are the first controls met by an adversary. These try to prevent security
violations and enforce access control. Like other controls, these may be physical, administrative
or technical. Doors, security procedures and authentication requirements are examples of
physical, administrative and technical preventive controls respectively.
Detective controls
Detective controls are in place to detect security violations and alert the defenders. They come
into play when preventive controls have failed or have been circumvented, and are no less crucial
than preventive controls. Detective controls include cryptographic checksums, file integrity
checkers, audit trails and logs and similar mechanisms.
Corrective controls
Corrective controls try to correct the situation after a security violation has occurred. Although a
violation has occurred, the data remains secure, so it makes sense to try to fix the situation.
Corrective controls vary widely, depending on the area being targeted, and they may be technical
or administrative in nature.
Deterrent controls
Deterrent controls are intended to discourage potential attackers. Examples of deterrent controls
include notices of monitoring and logging as well as the visible practice of sound information
security management.
Recovery controls
Recovery controls are somewhat like corrective controls, but they are applied in more serious
situations to recover from security violations and restore information and information processing
resources. Recovery controls may include disaster recovery and business continuity mechanisms,
backup systems and data, emergency key management arrangements and similar controls.
Compensating controls
Compensating controls are intended to be alternative arrangements for other controls when the
original controls have failed or cannot be used. When a second set of controls addresses the same
threats that are addressed by another set of controls, it acts as a compensating control.
By plane of application:
Physical controls include doors, secure facilities, fire extinguishers, flood protection and air
conditioning.
Administrative controls are the organization’s policies, procedures and guidelines intended to
facilitate information security.
Technical controls are the various technical measures, such as firewalls, authentication systems,
intrusion detection systems and file encryption among others.
The Discretionary Access Control (DAC) model is the most widely used of the three access control
models (DAC, MAC and RBAC).
In the DAC model, the owner (creator) of information (file or directory) has the discretion to decide
about and set access control restrictions on the object in question, which may, for example, be a file
or a directory. The advantage of DAC is its flexibility. Users may decide who can access information
and what they can do with it — read, write, delete, rename, execute and so on. At the same time, this
flexibility is also a disadvantage of DAC because users may make wrong decisions regarding access
control restrictions or maliciously set insecure or inappropriate permissions. Nevertheless, the DAC
model remains the model of choice for the absolute majority of operating systems today, including
Solaris.
Mandatory access control, as its name suggests, takes a stricter approach to access control. In systems
utilizing MAC, users have little or no discretion as to what access permissions they can set on their
information. Instead, mandatory access controls specified in a system-wide security policy are
enforced by the operating system and applied to all operations on that system. MAC based systems
use data classification levels (such as public, confidential, secret and top secret) and security clearance
labels corresponding to data classification levels to decide in accordance with the security policy set
by the system administrator what access control restrictions to enforce. Additionally, per group and/
or per domain access control restrictions may be imposed i.e. in addition to having the required
security clearance level, subjects (users or applications) must also belong to the appropriate group or
domain. For example, a file with a confidential label belonging only to the research group may not be
accessed by a user from the marketing group, even if that user has a security clearance level higher
than confidential (for example, secret or top secret). This concept is known as compartmentalization
or ‘need to know’.
Although MAC based systems, when used appropriately, are thought to be more secure than DAC
based systems, they are also much more difficult to use and administer because of the additional
restrictions and limitations imposed by the operating system. MAC based systems are typically used
in government, military and financial environments where higher than usual security is required and
where the added complexity and costs are tolerated. MAC is implemented in Trusted Solaris, a version
of the Solaris operating environment intended for high security environments.
In the role based access control model, rights and permissions are assigned to roles instead of
individual users. This added layer of abstraction permits easier and more flexible administration and
enforcement of access controls. For example, access to marketing files may be restricted only to the
marketing manager role, and users Ann, David, and Joe may be assigned the role of marketing
manager. Later, when David moves from the marketing department elsewhere, it is enough to revoke
his role of marketing manager, and no other changes would be necessary. When you apply this
approach to an organization with thousands of employees and hundreds of roles, you can see the
added security and convenience of using RBAC. Solaris has supported RBAC since release 8.
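The MAC and RBAC scenarios above, as an added example that is not part of the handbook: a small policy decision function for each model. The MAC check combines a clearance level with group (compartment) membership, the “need to know” rule, so a top secret user from marketing is still refused a confidential research file; the RBAC part attaches the permission to a role, assigns Ann, David and Joe to it, and then revokes David. Levels, groups, file names and users are constructed for illustration.

```python
"""Added example (not from the handbook): MAC with compartments versus
RBAC, each as a small policy decision function."""
from dataclasses import dataclass, field

# Classification levels in increasing order of sensitivity (assumed set).
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus the groups (compartments) it is restricted to."""
    level: str
    groups: frozenset


def mac_allows(subject: Label, obj: Label) -> bool:
    """MAC read check: the subject's clearance must be at least the object's
    classification AND the subject must belong to every group the object is
    restricted to (compartmentalization / need to know)."""
    if LEVELS[subject.level] < LEVELS[obj.level]:
        return False
    return obj.groups <= subject.groups


@dataclass
class Rbac:
    """Permissions are granted to roles; users are assigned roles."""
    role_perms: dict = field(default_factory=dict)  # role -> {(object, action)}
    user_roles: dict = field(default_factory=dict)  # user -> {role}

    def grant(self, role: str, obj: str, action: str) -> None:
        self.role_perms.setdefault(role, set()).add((obj, action))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def allows(self, user: str, obj: str, action: str) -> bool:
        return any((obj, action) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))


def demo_mac() -> dict:
    """Confidential research file: researcher allowed, marketer refused even
    though the marketer holds a higher clearance."""
    research_file = Label("confidential", frozenset({"research"}))
    researcher = Label("confidential", frozenset({"research"}))
    marketer_ts = Label("top secret", frozenset({"marketing"}))
    return {
        "researcher": mac_allows(researcher, research_file),
        "marketer_top_secret": mac_allows(marketer_ts, research_file),
    }


def demo_rbac() -> dict:
    """Revoking David's role is the only change needed when he moves on."""
    policy = Rbac()
    policy.grant("marketing manager", "marketing files", "read")
    for user in ("Ann", "David", "Joe"):
        policy.assign(user, "marketing manager")
    david_before = policy.allows("David", "marketing files", "read")
    policy.revoke("David", "marketing manager")
    return {
        "david_before": david_before,
        "david_after": policy.allows("David", "marketing files", "read"),
        "ann_after": policy.allows("Ann", "marketing files", "read"),
    }


if __name__ == "__main__":
    print(demo_mac())
    print(demo_rbac())
```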
A vulnerability can occur anywhere in the IT environment, and can be the result of many different root
causes. Security vulnerability management solutions gather comprehensive endpoint and network
intelligence, and apply advanced analytics to identify and prioritize the vulnerabilities that pose the
most risk to critical systems. The result is actionable data that enables IT security teams to focus on
the tasks that will most quickly and effectively reduce overall network risk with the fewest possible
resources.
Vulnerability assessment and management is an essential piece for managing overall IT risk
because:
Persistent threats
Attacks exploiting security vulnerabilities for financial gain and criminal agendas continue to
dominate headlines.
Regulation
Risk management
Mature organizations treat it as a key risk management component. Organizations that follow
mature IT security principles understand the importance of risk management.
Properly planned and implemented threat and vulnerability management programs represent a key
element in an organization’s information security program, providing an approach to risk and threat
mitigation that is proactive and business aligned, not just reactive and technology focused.
Vulnerability Assessment
This includes assessing the environment for known vulnerabilities and assessing IT components
against the security configuration policies (by device role) that have been defined for the
environment. This is accomplished through scheduled vulnerability and configuration assessments of
the environment.
Network based vulnerability assessment (VA) has been the primary method employed to baseline
networks, servers and hosts. The primary strength of VA is breadth of coverage. Thorough and
accurate vulnerability assessments can be accomplished for managed systems via credentialed access.
Unmanaged systems can be discovered and a basic assessment can be completed. The ability to
evaluate databases and web applications for security weaknesses is crucial, considering the rise of
attacks that target these components.
Database scanners check database configuration and properties to verify whether they comply with
database security best practices.
Web application scanners test an application’s logic for “abuse” cases that can break or exploit the
application. Additional tools can be leveraged to perform more in-depth testing and analysis.
All three scanning technologies (network, application and database) assess a different class of security
weaknesses, and most organizations need to implement all three.
Risk assessment
Larger issues should be expressed in the language of risk (e.g. ISO 27005), specifically expressing
impact in terms of business impact. The business case for any remedial action should incorporate
considerations relating to the reduction of risk and compliance with policy. This incorporates the basis
of the action to be agreed on between the relevant line of business and the security team.
Risk analysis
“Fixing” the issue may involve acceptance of the risk, shifting of the risk to another party or reducing
the risk by applying remedial action, which could be anything from a configuration change to
implementing a new infrastructure (e.g. data loss prevention, firewalls, host intrusion prevention
software).
Elimination of the root cause of security weaknesses may require changes to user administration and
system provisioning processes. Many processes and often several teams may come into play (e.g.
configuration management, change management, patch management etc.). Monitoring and incident
management processes are also required to maintain the environment.
Vulnerability enumeration
Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e. CVE Identifiers)
for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to
share data across separate network security databases and tools, and provide a baseline for
evaluating the coverage of an organization’s security tools. If a report from one of your security tools
incorporates CVE identifiers, you may then quickly and accurately access fix information in one or
more separate CVE compatible databases to remediate the problem.
The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating
the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable,
accurate measurement while enabling users to see the underlying vulnerability characteristics that
were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for
industries, organizations and governments that need accurate and consistent vulnerability impact
scores.
The Common Weakness Enumeration Specification (CWE) provides a common language of discourse
for discussing, finding and dealing with the causes of software security vulnerabilities as they are
found in code, design or system architecture. Each individual CWE represents a single vulnerability
type. CWEs are used as a classification mechanism that differentiates CVEs by the type of vulnerability
they represent. For more details see: Common Weakness Enumeration.
Remediation Planning
Prioritization
Vulnerability and security configuration assessments typically generate very long remediation work
lists, and this remediation work needs to be prioritized. When organizations initially implement
vulnerability assessment and security configuration baselines, they typically discover that a large
number of systems contain multiple vulnerabilities and security configuration errors. There is typically
more mitigation work to do than the resources available to accomplish it. Therefore, prioritization is
important.
It is important to analyse security and vulnerability assessments in order to determine the root cause.
In many cases, the root cause of a set of vulnerabilities lies within the provisioning, administration and
maintenance processes of IT operations or within their development or the procurement processes of
applications. Elimination of the root cause of security weaknesses may require changes to user
administration and system provisioning processes.
An RCA is an analysis of a failure to determine the first (or root) failure that caused the ultimate
condition in which the system finds itself. For example, after an application crash one should be
asking: why did it crash this way?
A security analyst’s job in performing an RCA is to keep asking the inquisitive "why" until one runs out
of room for questions, and then they are faced with the problem at the root of the situation.
Example: consider an application whose database was pilfered by hackers. The ultimate failure the
analyst may be investigating is the exfiltration of consumers’ private data, but the SQL injection
itself is not what caused the failure. Why did the SQL injection happen? Was the root of the problem
that the developer responsible simply didn’t follow the corporate policy for building SQL queries? Or
was the issue a failure to implement something like the OWASP ESAPI (the OWASP Enterprise Security
API, a free, open source web application security control library that makes it easier for programmers
to write lower-risk applications) in the appropriate manner? Or maybe the cause was a vulnerable
open-source piece of code that was incorporated into the corporate application without passing
through the full source code lifecycle process?
Your job when performing an RCA is to figure this out. Root cause analysis is critical in the
software security world. A number of automated solutions are also available for various types of
RCA, for example HP’s web application security testing technology, which can link XSS issues to a
single line of code in the application’s input handler.
Decision trees and algorithms may be used as tools for further detailed analysis. To learn more,
visit: https://www.sans.org/reading-room/whitepapers/detection/decision-tree-analysis-intrusion-detection-how-to-guide-33678
Summary
Elements of information security include network security, application security and
communication security
Types of communication security are Cryptosecurity, Emission Security (EMSEC), Physical Security,
Traffic-Flow Security and Transmission Security (TRANSEC).
Critical information characteristics are Confidentiality, Integrity and Availability.
Information states include transmission, storage and processing.
Basic information security concepts:
o Identification
o Authentication
o Authorization
o Confidentiality
o Integrity
o Availability
o Non-repudiation
Types of control for information security can be classified into:
o Preventive
o Detective
o Corrective
o Deterrent
o Recovery
o Compensating
Three main access control models exist:
o Discretionary Access Control model
o Mandatory Access Control model
o Role Based Access Control model
A Root Cause Analysis is an analysis of a failure to determine the first (or root) failure that caused
the ultimate condition in which the system finds itself.
Practical activities:
Activity 1:
Investigate the various types of threats to network security, application security and
communication security and prepare a white paper on the same. Also, list the various
countermeasures or security devices that may be used to address them.
Present it in class.
Activity 2:
Collect information about various information security service companies’ websites, and
understand the various security services they offer. Carry out a comparison of the
various services or products offered and list their features and benefits.
Activity 3:
Collect information about various categories of controls and state which various
controls are within each category? Discuss in groups the benefits and limitations of
examples of each type of control within a category.
Activity 4:
Collect information about various elements of a decision tree and an algorithm. Create
algorithms and decision trees for various situations in case of planning for security of
information assets.
• Authentication
• Authorization
• Confidentiality
• Integrity
• Availability
• Non-repudiation
NOTES:
UNIT III
Data Leakage and Prevention
Lesson Plan
3.1 Introduction to Data Leakage
3.2 Organisational Data Classification, Location and Pathways
3.3 Content Awareness
3.4 Content Analysis Techniques
3.5 Data Protection
3.6 DLP Limitations
3.7 The DRM – DLP Conundrum
Lesson Plan

Performance Outcomes
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
PC3. carry out security assessment of information security systems using automated tools
PC11. comply with your organization's policies, standards, procedures and guidelines when contributing to managing information security
You need to know and understand:
KA12. your organization's information security systems and tools and how to access and maintain the same
KA13. standard tools and templates available and how to use these
KB4. how to identify and resolve information security vulnerabilities and issues

Ensuring Measures
PC2, PC3, PC11 and KA12: going through various organizations' websites and understanding their policies and guidelines (research); project charter, architecture (charts), project plan, poster presentation and execution plan.
KA13: creation of templates based on the learnings from KA1 to KA12.
KB1 – KB4.

Work Environment/Lab Requirement (for PC2, PC3, PC11 and KA1 to KA13)
• PCs/tablets/laptops
• Availability of labs (24/7)
• Internet with Wi-Fi (min 2 Mbps dedicated)
• Networking equipment (routers & switches)
• Firewalls and access points
• Access to all security sites like ISO, PCI DSS etc.
• Commercial tools like HP WebInspect and IBM AppScan etc.
• Open source or freely available tools like sqlmap, Nessus etc.
Lesson
Sensitive data in companies and organizations include intellectual property (IP), financial
information, patient information, personal credit card data, and other information depending
on the business and the industry. Data leakage poses a serious issue for companies as the
number of incidents and the cost to those experiencing them continue to increase.
Data leakage is made easier by the fact that transmitted data (both inbound and outbound), including
emails, instant messaging, website forms and file transfers among others, are largely unregulated and
unmonitored on their way to their destinations. Furthermore, in many cases sensitive data are shared
among various stakeholders such as employees working from outside the organization's premises (e.g.
on laptops), business partners and customers. This increases the risk that confidential information will
fall into unauthorized hands. Whether caused by malicious intent or an inadvertent mistake by an
insider or outsider, exposure of sensitive information can seriously hurt an organization. The potential
damage and adverse consequences of a data leakage incident fall into two categories: direct losses,
which are tangible damage that is easy to measure or estimate quantitatively, and indirect losses,
which are much harder to quantify and have a much broader impact in terms of cost, place and time.
Direct losses include violations of regulations (such as those protecting customer privacy) resulting in
fines; settlements or customer compensation fees; litigation involving lawsuits; loss of future sales;
costs of investigation and remedial or restoration fees. Indirect losses include reduced share price as
a result of negative publicity; damage to a company’s goodwill and reputation; customer
abandonment; and exposure of intellectual property (business plans, code, financial reports and
meeting agendas) to competitors.
Standard security measures are used by many organizations and include common mechanisms such
as firewalls, intrusion detection systems (IDSs) and antivirus software that can provide protection
against both outsider attacks (e.g. a firewall which limits access to the internal network and an
intrusion detection system which detects attempted intrusions) and inside attacks (e.g. antivirus scans
to detect a Trojan horse that may be installed on a PC to send confidential information).
Another example is the use of thin clients which operate in a client-server architecture, with no
personal or sensitive data stored on a client’s computer. Policies and training for improving the
awareness of employees and partners provide additional standard security measures.
Advanced or intelligent security measures include machine learning and temporal reasoning
algorithms for detecting abnormal access to data (i.e. databases or information retrieval systems),
activity based verification (e.g. based on keystrokes and mouse patterns), detection of abnormal email
exchange patterns, and applying the honeypot concept for detecting malicious insiders.
Device control, access control and encryption are used to prevent access by an unauthorized user.
These are the simplest measures that can be taken to protect large amounts of personal data
against malicious outsider and insider attacks.
Designated DLP solutions are intended to detect and prevent attempts to copy or send sensitive data,
intentionally or unintentionally, without authorization, mainly by personnel who are authorized to
access the sensitive information. A major capability of such solutions is an ability to classify content as
sensitive. Designated DLP solutions are typically implemented using mechanisms such as exact data
matching, structured data fingerprinting, statistical methods (e.g. machine learning), rule and regular
expression matching, published lexicons, conceptual definitions and keywords.
Data Leakage Prevention (DLP) solutions are also referred to as Information Leak Prevention (ILP),
Data Leak/Loss Prevention, Outbound Content Compliance, Content Monitoring and Filtering, Content
Monitoring and Protection (CMP) or Extrusion Prevention.
A designated data leakage prevention solution is a system designed to detect and prevent the
unauthorized access, use or transmission of confidential information.
[Figure: breakdown of data leakage incidents by data type (NPI, e.g. customer data; confidential information) and by channel (HTTP, Email, Networked Printer, End Point, Internal Mail, IM, Webmail, Others). Source: http://www.networksunlimited.com]
Enterprises are often unaware of all of the types and locations of information they possess.
It is important, prior to purchasing a DLP solution, to identify and classify sensitive data types and their
flow from system to system and to users. This process should yield a data taxonomy or classification
system that will be leveraged by various DLP modules as they scan for and take action on information
that falls into the various classifications within the taxonomy. Analysis of critical business processes
should yield the required information.
Classifications can include categories such as private customer or employee data, financial data and
intellectual property. Once the data have been identified and classified appropriately, further analysis
of processes should facilitate the location of primary data stores and key data pathways.
Frequently multiple copies and variations of the same data are scattered across the enterprise on
servers, individual workstations, tape and other media. Copies are frequently made to facilitate
application testing without first cleansing the data of sensitive content. Having a good idea of the data
classifications and location of the primary data stores proves helpful in both the selection and
placement of the DLP solution.
Once the DLP solution is in place, it can assist in locating additional data locations and pathways. It is
also important to understand the enterprise’s data life cycle. Understanding the life cycle from point
of origin through processing, maintenance, storage and disposal will help uncover further data
repositories and transmission paths. Additional information should be collected by conducting an
inventory of all data egress points since not all business processes are documented and not all data
movement is a result of an established process. Analysis of firewall and router rule sets can aid these
efforts.
The DLP market is also split between DLP as a feature and DLP as a solution. A number of
products, particularly email security solutions, provide basic DLP functions but are not complete
DLP solutions. The difference lies in whether the product looks only at context or is content aware:
Context includes things like source; destination; size; recipients; sender; header information;
metadata; time; format and anything else short of the content of the letter itself. Context is highly
useful and any DLP solution should include contextual analysis as part of an overall solution. A more
advanced version of contextual analysis is business context analysis, which involves deeper analysis of
the content, its environment at the time of analysis and the use of the content at that time.
Content awareness involves peering inside containers and analysing the content itself. The advantage
of content awareness is that while we use context, we're not restricted by it. If I want to protect a
piece of sensitive data, I would want to protect it everywhere and not just in obviously sensitive
containers. I'm protecting the data, not the envelope, so it makes a lot more sense to open the letter,
read it, and decide how to treat it. This is more difficult and time consuming than basic contextual
analysis and is the defining characteristic of DLP solutions.
Content Analysis
The first step in content analysis is capturing the envelope and opening it. The engine then needs to
parse the context (we'll need that for the analysis) and dig into it. This is easy for a plain text email,
but when you want to look inside binary files, it gets a little more complicated.
All DLP solutions solve this using file cracking. File cracking is the technology used to read and
understand the file, even if the content is buried multiple levels down. For example, it's not unusual
for the cracker to read an Excel spreadsheet embedded in a Word file that's zipped. The product needs
to unzip the file, read the Word doc, analyse it, find the Excel data, read it and analyse it.
Other situations get far more complex, like a .pdf embedded in a CAD file. Many of the products on the
market today support around 300 file types, embedded content, multiple languages, double-byte
character sets for Asian languages, and pulling plain text from unidentified file types. Quite a few use
the Autonomy or Verity content engines to help with file cracking, but all the serious tools have quite
a bit of proprietary capability in addition to the embedded content engine. Some tools support
analysis of encrypted data if enterprise encryption is used with recovery keys, and most tools can
identify standard encryption and use that as a contextual rule to block or quarantine content they
cannot inspect.
Once the content is accessed, there are seven major analysis techniques used to find policy violations,
each with its own strengths and weaknesses.
1. Rule based/regular expressions: This is the most common analysis technique, available in both DLP
products and other tools with DLP features. It analyses the content for specific patterns, such as 16-digit
numbers that meet the credit card checksum (Luhn) requirement, medical billing codes or other textual
patterns. Most DLP solutions enhance basic regular expressions with their own additional analysis
rules (e.g. a name in proximity to an address near a credit card number).
Best suited for: a first-pass filter, or detecting easily identified pieces of structured data like
credit card numbers, social security numbers and healthcare codes/records.
Strengths: rules process quickly and can be easily configured. Most products ship with initial rule sets.
The technology is well understood and easy to incorporate into a variety of products.
Weaknesses: prone to high false positive rates. Offers very little protection for unstructured content
like sensitive intellectual property.
2. Database fingerprinting: Sometimes called Exact Data Matching, this technique takes either a
database dump or live data (via an ODBC connection) from a database and looks only for exact matches.
For example, you could generate a policy to look only for the credit card numbers in your customer base,
thus ignoring your own employees buying online. More advanced tools look for combinations of
information, such as the combination of first name or initial with last name and credit card or social
security number that constitutes a disclosure. Make sure you understand the performance and security
implications of nightly extracts vs. live database connections.
Strengths: very low false positives (close to 0). Allows you to protect customer/sensitive data while
ignoring other, similar data used by employees (like their personal credit cards for online orders).
Weaknesses: nightly dumps won't contain transactions since the last extract. Live connections can
affect database performance. Large databases affect product performance.
3. Exact file matching: With this technique you take a hash of a file and monitor for any files that
match that exact fingerprint. Some consider this a contextual analysis technique, since the file
contents themselves are not analysed.
Best suited for: media files and other binaries where textual analysis isn't possible.
Strengths: works on any file type; false positives are effectively nil with a large enough hash.
Weaknesses: trivial to evade, since changing a single byte changes the hash. Worthless for content
that's edited, such as standard office documents and edited media files.
4. Partial document matching: This technique looks for a complete or partial match on protected
content. You could build a policy to protect a sensitive document, and the DLP solution will look
for either the complete text of the document or excerpts as small as a few sentences. For
example, you could load a business plan for a new product and the DLP solution would alert if an
employee pasted a single paragraph into an instant message. Most solutions are based on a technique
known as cyclical hashing: take a hash of a portion of the content, offset a predetermined
number of characters, take another hash, and keep going until the document is completely
loaded as a series of overlapping hash values. Outbound content is run through the same hashing
and the hash values compared for matches. Many products use cyclical hashing as a base,
then add more advanced linguistic analysis.
Best suited for: protecting sensitive documents or similar content with text, such as CAD files (with
text labels) and source code; unstructured content that is known to be sensitive.
Strengths: ability to protect unstructured data. Generally low false positives (some vendors claim
zero false positives, but any common sentence in a protected document can trigger alerts).
Doesn't rely on complete matching of large documents; it can find policy violations on even a partial
match.
Weaknesses: performance limits on the total volume of content that can be protected. Common
phrases in a protected document may trigger false positives. You must know exactly which
documents you want to protect. Trivial to evade: a ROT1 substitution of the text is enough, since any
change to the characters changes every hash window that covers them.
5. Statistical analysis: Use of machine learning, Bayesian analysis and other statistical techniques to
analyse a corpus of content and find policy violations in content that resembles the protected content.
This category includes a wide range of statistical techniques which vary greatly in implementation and
effectiveness; some are very similar to those used to block spam.
Best suited for: unstructured content where a deterministic technique like partial document
matching would be ineffective, for example a repository of engineering plans that is impractical to
load for partial document matching because of high volatility or massive volume.
Strengths: can work with more nebulous content where you may not be able to isolate exact
documents for matching. Can enforce policies such as "alert on anything outbound that resembles the
documents in this directory".
Weaknesses: prone to false positives and false negatives. Requires a large corpus of source content;
the bigger, the better.
6. Conceptual/lexicon: This technique uses a combination of dictionaries, rules and other analyses
to protect nebulous content that resembles an "idea". It's easier to give an example: a policy that
alerts on traffic resembling insider trading, using key phrases, word counts and positions to
find violations. Other examples are sexual harassment, running a private business from a work account
and job hunting.
Best suited for: completely unstructured ideas that defy simple categorization based on matching
known documents, databases or other registered sources.
Strengths: not all corporate policies or content can be described using specific examples. Conceptual
analysis can find closely defined policy violations that other techniques cannot even be configured to
monitor for.
Weaknesses: in most cases these rule sets are not user-definable and must be built by the DLP
vendor with significant effort, which costs more. The technique is very prone to false positives and
negatives because of the flexible nature of the rules.
7. Categories: Pre-built categories with rules and dictionaries for common types of sensitive data,
such as credit card numbers/PCI protection, HIPAA etc.
Best suited for: anything that neatly fits a provided category; typically easy-to-describe content
related to privacy, regulations or industry specific guidelines.
Strengths: extremely simple to configure. Saves significant policy generation time. Category policies
can form the basis for more advanced, enterprise specific policies. For many organizations, categories
can meet a large percentage of their data protection needs.
Weaknesses: one size fits all might not work. Only good for easily categorized rules and content.
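As an added illustration of technique 4 above (this is example code written for this handbook page, not code from any DLP product), the following Python sketch registers a protected document as a set of overlapping hash windows and scans outbound text against them. It uses word-aligned windows of eight words, advancing one word at a time, instead of a fixed character offset, so that the registered copy and the outbound copy line up without guessing the alignment; the document name, business plan, IM text and emails are constructed for the example. It also shows the two caveats above: a shared legal footer producing a false positive (and an ignore list that removes it), and a ROT1 transform of the pasted paragraph defeating the match.

```python
"""Partial document matching with overlapping (cyclical) hash windows."""
import hashlib
import re

WINDOW_WORDS = 8   # words per hash window; consecutive windows overlap by 7 words


def normalise(text: str) -> list[str]:
    """Lower-case, drop punctuation and split on whitespace, so line wraps or
    spacing differences between the registered copy and the outbound copy do
    not change the hashes."""
    return re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()


def window_hashes(text: str, k: int = WINDOW_WORDS) -> set[str]:
    """Hash every overlapping k-word window of the text."""
    words = normalise(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(len(words) - k + 1)
    }


class PartialDocumentMatcher:
    def __init__(self) -> None:
        self.index: dict[str, str] = {}   # window hash -> protected document name
        self.ignored: set[str] = set()    # windows of boilerplate that must not alert

    def register(self, name: str, text: str) -> int:
        """Load a protected document; returns the number of windows indexed."""
        added = 0
        for h in window_hashes(text):
            if h not in self.ignored:
                self.index[h] = name
                added += 1
        return added

    def ignore(self, text: str) -> None:
        """Exclude common boilerplate (legal footers, templates) from matching."""
        for h in window_hashes(text):
            self.ignored.add(h)
            self.index.pop(h, None)

    def scan(self, outbound: str, min_hits: int = 3) -> dict[str, int]:
        """Return {document: matching windows} for documents with >= min_hits."""
        hits: dict[str, int] = {}
        for h in window_hashes(outbound):
            doc = self.index.get(h)
            if doc is not None:
                hits[doc] = hits.get(doc, 0) + 1
        return {doc: n for doc, n in hits.items() if n >= min_hits}


def rot1(text: str) -> str:
    """Shift every letter by one place: the trivial evasion mentioned above."""
    out = []
    for c in text:
        if c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            out.append(chr((ord(c) - base + 1) % 26 + base))
        else:
            out.append(c)
    return "".join(out)


# Constructed sample content for the example (not real documents).
BUSINESS_PLAN = """Project Kestrel business plan. Draft 3, internal only.
We will launch the Kestrel low power sensor in the third quarter with a list
price of 149 dollars and a target gross margin of 62 percent. Initial
distribution runs through two regional partners before a direct channel opens.
This document is confidential and intended only for the addressee."""
LEGAL_FOOTER = "This document is confidential and intended only for the addressee."
PASTED_IM = ("fyi the plan is to launch the Kestrel low power sensor in the third "
             "quarter with a list price of 149 dollars and a target gross margin of 62 percent")
UNRELATED_EMAIL = ("Please find attached the list price sheet for the third quarter "
                   "and let me know if the margin numbers look right.")
BOILERPLATE_EMAIL = "Thanks for the call. " + LEGAL_FOOTER


def demo() -> dict[str, dict[str, int]]:
    m = PartialDocumentMatcher()
    m.register("kestrel-plan", BUSINESS_PLAN)
    results = {
        "pasted_paragraph": m.scan(PASTED_IM),          # one paragraph pasted into IM
        "unrelated_email": m.scan(UNRELATED_EMAIL),     # shares words, no 8-word run
        "boilerplate_only": m.scan(BOILERPLATE_EMAIL),  # false positive: shared footer
        "rot1_evasion": m.scan(rot1(PASTED_IM)),        # trivial transform defeats hashing
    }
    m.ignore(LEGAL_FOOTER)                              # fix for the false positive
    results["boilerplate_after_ignore"] = m.scan(BOILERPLATE_EMAIL)
    return results


if __name__ == "__main__":
    for case, hits in demo().items():
        print(case, "->", hits or "no match")
```

Running the block registers one plan and scans four outbound messages: the pasted paragraph matches on 18 windows, the unrelated email on none, the boilerplate-only email on three (enough to alert at the default threshold until the footer is put on the ignore list), and the ROT1 version on none. Products use far more compact indexes and tune the window size and threshold; the values here are arbitrary choices for the example.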
These seven techniques form the basis for most of the DLP products on the market. Not all products
include all techniques, and there can be significant differences between implementations. Most
products can also chain techniques — building complex policies from combinations of content and
contextual analysis techniques.
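The following Python example, added here and not taken from the handbook or from any product, chains techniques 1 and 2 in the way the previous paragraph describes: a regular expression with a Luhn checksum finds candidate card numbers, a proximity rule looks for payment vocabulary just before the number, and an exact data match against keyed hashes of the customer database decides whether the number belongs to a customer. The customer numbers are public test card numbers, the messages are constructed, and the HMAC key and the 40-character proximity window are assumptions of the example.

```python
"""Chained DLP content analysis: regex + Luhn (rule layer), a proximity rule,
then exact data matching (EDM) against keyed hashes of the customer database."""
import hashlib
import hmac
import re

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")   # 16 digits, optional separators
CONTEXT_RE = re.compile(r"\b(card|visa|mastercard|cvv|exp(?:iry)?)\b", re.I)
CONTEXT_WINDOW = 40   # characters before the number in which payment words count (assumption)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def candidate_pans(text: str) -> list[tuple[str, bool]]:
    """Rule layer: every 16-digit run that passes Luhn, plus a flag saying whether
    payment vocabulary appears just before it (the proximity rule)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if len(digits) == 16 and luhn_ok(digits):
            before = text[max(0, m.start() - CONTEXT_WINDOW):m.start()]
            found.append((digits, CONTEXT_RE.search(before) is not None))
    return found


class ExactDataMatcher:
    """Exact data matching: the DLP engine holds keyed hashes of the PANs exported
    from the customer database rather than the raw numbers. The key and the
    nightly export are assumptions of this example."""

    def __init__(self, key: bytes, pans) -> None:
        self._key = key
        self._hashes = {self._digest(p) for p in pans}

    def _digest(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def __contains__(self, pan: str) -> bool:
        return self._digest(pan) in self._hashes


def analyse(text: str, edm: ExactDataMatcher) -> list[dict]:
    """Chain the layers: regex/Luhn -> proximity -> EDM, and grade each finding."""
    findings = []
    for pan, near_payment_words in candidate_pans(text):
        if pan in edm:
            severity, reason = "high", "customer PAN (exact data match)"
        elif near_payment_words:
            severity, reason = "medium", "Luhn-valid PAN with payment context, not in customer data"
        else:
            severity, reason = "low", "Luhn-valid number, no context, not in customer data"
        findings.append({"pan": pan[:6] + "******" + pan[-4:],
                         "severity": severity, "reason": reason})
    return findings


# Constructed sample data: public test card numbers stand in for customer PANs.
CUSTOMER_PANS = ["4111111111111111", "5555555555554444"]
MESSAGES = [
    "Refund for J. Patel: card 4111-1111-1111-1111, exp 09/27",                # customer -> high
    "Order 1234567890123456 has shipped.",                                     # fails Luhn -> ignored
    "Booked the flight on my own Visa 4242 4242 4242 4242, will expense it.",  # medium
    "Tracking number 4012888888881881 for the parcel.",                        # Luhn-valid, no context -> low
]


def demo() -> list[list[dict]]:
    edm = ExactDataMatcher(b"example-hmac-key-rotate-me", CUSTOMER_PANS)   # hypothetical key
    return [analyse(msg, edm) for msg in MESSAGES]


if __name__ == "__main__":
    for msg, findings in zip(MESSAGES, demo()):
        print(msg, "->", findings or "no finding")
```

Of the four constructed messages, the refund note hits the customer index (high), the order number fails the Luhn check and is ignored, the employee's own card is Luhn-valid with payment context but absent from the index (medium), and the tracking number passes Luhn with no context (low). Keying the hashes with an HMAC means a stolen DLP index does not hand an attacker the raw card numbers, but the key then has to be protected and rotated together with the nightly extract.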
The goal of DLP is to protect content throughout its lifecycle. In terms of DLP, this includes three
major aspects:
• Data at Rest includes scanning of storage and other content repositories to identify where
sensitive content is located. We call this content discovery. For example, you can use a DLP
product to scan your servers and identify documents with credit card numbers. If the server
isn't authorized for that kind of data, the file can be encrypted or removed or a warning sent to
the file owner.
• Data in Motion is sniffing of traffic on the network (passively or inline via proxy) to identify
content being sent across specific communications channels. For example, this includes sniffing
emails, instant messages and web traffic for snippets of sensitive source code. In motion, tools
can often block based on central policies depending on the type of traffic.
• Data in Use is typically addressed by endpoint solutions that monitor data as the user interacts
with it. For example, they can identify when you attempt to transfer a sensitive document to a
USB drive and block it (as opposed to blocking use of the USB drive entirely). Data in use tools
can also detect things like copy and paste or use of sensitive data in an unapproved application
(such as someone attempting to encrypt data to sneak it past the sensors).
Many organizations first enter the world of DLP with network based products that provide broad
protection for managed and unmanaged systems. It’s typically easier to start a deployment with
network products to gain broad coverage quickly. Early products limited themselves to basic
monitoring and alerting, but all current products include advanced capabilities to integrate with
existing network infrastructure and provide protective, not just detective controls.
Data In Motion
Network Monitor
At the heart of most DLP solutions lies a passive network monitor. The network monitoring component
is typically deployed at or near the gateway on a SPAN port (or a similar tap). It performs full packet
capture, session reconstruction and content analysis in real time. Performance is more complex and
subtle than vendors normally discuss. On the expectation side, most clients claim they need
full gigabit Ethernet performance, but that level is unnecessary except in very unusual
circumstances, since few organizations really run that much relevant traffic: DLP is a tool to monitor
employee communications, not web application traffic. Realistically, small enterprises normally run
under 50 MB/s of relevant traffic, medium enterprises closer to 50-200 MB/s and large enterprises
around 300 MB/s (maybe as high as 500 MB/s in a few cases).
Not every product runs full packet capture, because of the content analysis overhead; you might have
to choose between pre-filtering (and thus missing non-standard traffic) or buying more boxes and load
balancing. Some products also lock monitoring into pre-defined port and protocol combinations
rather than identifying the service/channel from packet content. Even if full application
channel identification is included, make sure it is enabled, otherwise you might miss non-standard
communications such as a connection over an unusual port. Most network monitors are
general purpose server hardware with DLP software installed; a few vendors deploy true
specialized appliances. While some products have management, workflow and reporting built
into the network monitor, this is often offloaded to a separate server or appliance.
Email Integration
The next major component is email integration. Since email is stored and forwarded, you can gain a
lot of capabilities, including quarantine, encryption integration and filtering without the same hurdles
to avoid blocking synchronous traffic.
Most products embed an MTA (Mail Transfer Agent), allowing you to add the product as
another hop in the email chain. Quite a few also integrate directly with major existing MTAs/
email security solutions for better performance. One weakness of this approach is that it doesn't
give you access to internal email: on an Exchange server, internal messages never pass
through the external MTA since there's no reason to send that traffic out. To monitor internal mail
you need direct Exchange/Lotus integration, which is surprisingly rare in the market. Full integration
is different from scanning logs/mailboxes after the fact, which is what some companies call internal
mail support. Good email integration is absolutely critical if you ever want to do any filtering, as
opposed to just monitoring.
Nearly anyone deploying a DLP solution will eventually want to start blocking traffic. There's only so
long you can take watching all your sensitive data running to the nether regions of the Internet before
you start taking some action. Blocking isn't the easiest thing in the world, especially since we're trying
to allow good traffic. Block only bad traffic, and make the decision using real-time content analysis.
Email, as we mentioned, is fairly straightforward to filter. It's not quite real time and is ‘proxied’ by its
very nature. Adding one more analysis hop is a manageable problem in even the most complex
environments. Outside of email, most of our communications traffic is synchronous. Everything runs
in real time. Thus if we want to filter it we either need to bridge the traffic, proxy it or poison it from
the outside.
Bridge
With a bridge, we just have a system with two network cards which performs content analysis in the
middle. If we see something bad, the bridge breaks the connection for that session. Bridging isn't the
best approach for DLP since it might not stop all the bad traffic before it leaks out. It's like sitting in a
doorway watching everything go past with a magnifying glass. By the time you get enough traffic to
make an intelligent decision, you may have missed the really good stuff. Very few products take this
approach although it does have the advantage of being protocol agnostic.
Proxy
In simplified terms, a proxy is protocol/application specific and queues up traffic before passing it on,
allowing deeper analysis. We see gateway proxies mostly for HTTP, FTP and IM protocols. Few DLP
solutions include their own proxies; they tend to integrate with existing gateway/proxy vendors, since
most customers prefer integration with these existing tools. Integration with web gateways is typically
through the ICAP protocol (Internet Content Adaptation Protocol, RFC 3507), which lets the proxy hand
the traffic to the DLP product for analysis and cut the communication if there's a violation. This means
you don't have to add another piece of hardware in front of your network traffic, and the DLP vendors
can avoid the difficulties of building dedicated network hardware for inline analysis. If the gateway can
intercept SSL/TLS (terminating the client's connection and re-encrypting towards the server), you can
also inspect encrypted connections; you will need to deploy the gateway's signing certificate on your
endpoints to avoid certificate alerts, but you can then peer into encrypted traffic. For instant messaging,
you'll need an IM proxy and a DLP product that specifically supports whatever IM protocol you're using.
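To make the ICAP integration concrete, here is an added Python example (not code from the handbook or from any gateway or DLP vendor) of one REQMOD round trip held in memory: the proxy side encapsulates the user's HTTP POST with the Encapsulated header and a chunked body as RFC 3507 requires, the DLP side parses it, runs a policy and answers either 204 No Content (send the request on unchanged) or 200 OK wrapping an HTTP 403 that the proxy returns to the user. The host name, ISTag value, policy rule and request body are assumptions of the example; a production engine would call the content analysis techniques described earlier instead of the single keyword check.

```python
"""One ICAP REQMOD round trip (RFC 3507) between a web proxy and a DLP engine,
held in memory. Host name, ISTag, policy rule and sample body are assumptions."""

ISTAG = b'"dlp-policy-example-1"'   # hypothetical policy version; every ICAP response carries one


def chunk(body: bytes) -> bytes:
    """ICAP encapsulated bodies use HTTP chunked encoding."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body) if body else b"0\r\n\r\n"


def dechunk(data: bytes) -> bytes:
    out, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)
        if size == 0:
            return out
        out += data[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2          # skip the chunk data and its trailing CRLF


def parse_icap(message: bytes):
    """Return (start line, headers, encapsulated sections keyed by name).
    The Encapsulated header gives the byte offset of each section in the payload."""
    head, _, payload = message.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    offsets = []
    for part in headers.get(b"encapsulated", b"").split(b","):
        if part.strip():
            name, _, off = part.strip().partition(b"=")
            offsets.append((name, int(off)))
    sections = {}
    for i, (name, off) in enumerate(offsets):
        end = offsets[i + 1][1] if i + 1 < len(offsets) else len(payload)
        sections[name] = payload[off:end]
    return lines[0], headers, sections


# ---- proxy side ----
def build_reqmod(http_req_hdr: bytes, http_body: bytes,
                 icap_host: bytes = b"dlp.example.internal") -> bytes:
    """Wrap the user's HTTP request in an ICAP REQMOD request."""
    icap_hdr = b"\r\n".join([
        b"REQMOD icap://" + icap_host + b"/reqmod ICAP/1.0",
        b"Host: " + icap_host,
        b"Allow: 204",                      # accept "204 No Content" for clean traffic
        b"Encapsulated: req-hdr=0, req-body=%d" % len(http_req_hdr),
        b"", b""])
    return icap_hdr + http_req_hdr + chunk(http_body)


def apply_verdict(icap_response: bytes):
    """Proxy decision: forward the original request, or return the DLP's reply to the user."""
    start, _, sections = parse_icap(icap_response)
    code = int(start.split()[1])
    if code == 204:
        return "forward", None
    if code == 200 and b"res-hdr" in sections:
        return "reply", sections[b"res-hdr"] + dechunk(sections[b"res-body"])
    raise ValueError("unexpected ICAP response: %r" % start)


# ---- DLP engine side ----
def keyword_policy(http_req_hdr: bytes, body: bytes):
    """Stand-in for the content analysis engine: a single lexicon rule."""
    return "lexicon rule: INTERNAL ONLY marker" if b"INTERNAL ONLY" in body else None


def handle_reqmod(icap_request: bytes, policy=keyword_policy) -> bytes:
    start, headers, sections = parse_icap(icap_request)
    if not start.startswith(b"REQMOD "):
        raise ValueError("only REQMOD is handled here")
    body = dechunk(sections[b"req-body"]) if b"req-body" in sections else b""
    violation = policy(sections.get(b"req-hdr", b""), body)
    if violation is None:
        # Clean: 204 tells the proxy to send the original request on unchanged.
        if b"204" not in headers.get(b"allow", b""):
            raise NotImplementedError("client did not offer Allow: 204; echoing the request is not shown")
        return b"ICAP/1.0 204 No Content\r\nISTag: " + ISTAG + b"\r\n\r\n"
    # Violation: hand the proxy a complete HTTP 403 to return to the user instead.
    page = b"Request blocked by DLP policy (" + violation.encode() + b")\n"
    res_hdr = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
               b"Content-Length: %d\r\n\r\n" % len(page))
    return (b"ICAP/1.0 200 OK\r\nISTag: " + ISTAG
            + b"\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(res_hdr)
            + res_hdr + chunk(page))


def round_trip(body: bytes):
    """Full exchange for one constructed HTTP POST carrying `body`."""
    req_hdr = (b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n"
               b"Content-Type: text/plain\r\nContent-Length: %d\r\n\r\n" % len(body))
    return apply_verdict(handle_reqmod(build_reqmod(req_hdr, body)))


if __name__ == "__main__":
    print(round_trip(b"quarterly numbers attached"))          # ('forward', None)
    print(round_trip(b"INTERNAL ONLY: board deck for Q3"))    # ('reply', b'HTTP/1.1 403 ...')
```

The two mechanics worth noticing are the Encapsulated offsets, which tell the receiver where the HTTP headers end and the chunked body starts, and the Allow: 204 header, without which the DLP engine would have to echo the entire unmodified request back inside a 200 response. A real deployment also needs the RESPMOD direction for downloads, a preview or size limit so large uploads are not buffered whole, and an explicit fail-open or fail-closed decision for when the ICAP server is unreachable.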
TCP Poisoning
The last method of filtering is TCP poisoning. You monitor the traffic and when you see something
bad, you inject a TCP reset packet to kill the connection. This works on every TCP protocol but isn't
very efficient. For one thing, some protocols will keep trying to get the traffic through. If you TCP
poison a single email message, the server will keep trying to send it for three days, as often as every
15 minutes. The other problem is the same as bridging. Since you don't queue the traffic at all, by the
time you notice something bad, it might be too late. It's a good stop-gap to cover non-standard
protocols, but you'll want to proxy as much as possible.
Internal Networks
Although technically capable of monitoring internal networks, DLP is rarely used on internal traffic
other than email. Gateways provide convenient choke points. Internal monitoring is a daunting
prospect from cost, performance, and policy management/ false positive standpoints. A few DLP
vendors have partnerships for internal monitoring, but this is a lower priority feature for most
organizations.
All medium to large enterprises and many smaller organizations have multiple locations and web
gateways. A DLP solution should support multiple monitoring points, including a mix of passive
network monitoring, proxy points, email servers and remote locations. While processing/ analysis can
be offloaded to remote enforcement points, they should send all events back to a central management
server for workflow, reporting, investigations and archiving. Remote offices are usually easy to
support since you can just push policies down and reporting back, but not every product has this
capability. The more advanced products support hierarchical deployments for organizations that want
to manage DLP differently in multiple geographic locations or by business unit. International
companies often need this to meet legal monitoring requirements which vary by country. Hierarchical
management supports coordinated local policies and enforcement in different regions, running on
their own management servers and communicating back to a central management server. Early
products only supported one management server but now we have options to deal with these
distributed situations with a mix of corporate/ regional/ business unit policies, reporting and
workflow.
Data At Rest
While catching leaks on the network is fairly powerful, it's only one small part of the problem. Many
customers are finding that it's just as valuable, if not more valuable, to figure out where all that data
is stored in the first place. We call this content discovery. Enterprise search tools might be able to help
with this, but they really aren't tuned well for this specific problem. Enterprise data classification tools
can also help, but based on discussions with a number of clients, they don't seem to work well for
finding specific policy violations. Thus we see many clients opting to use the content discovery features
of their DLP products. The biggest advantage of content discovery in a DLP tool is that it allows you to
take a single policy, and apply it across data no matter where it's stored, how it's shared, or how it's
used. For example, you can define a policy that requires credit card numbers to only be emailed when
encrypted, never be shared via HTTP or HTTPS, only be stored on approved servers and only be stored
on workstations/ laptops by employees on the accounting team. All of this can be specified in a single
policy on the DLP management server.
• Storage discovery: scanning mass storage, including file servers, SAN and NAS.
• Server discovery: application specific scanning of stored data on email servers, document
management systems and databases (not currently a feature of most DLP products, but
beginning to appear in some Database Activity Monitoring products).
Content Discovery Techniques
1. Remote scanning: a connection is made to the server or device using a file sharing or application
protocol, and scanning is performed remotely. This is essentially mounting a remote drive and
scanning it from a server that takes policies from, and sends results to the central policy server.
For some vendors, this is an appliance while for others, it's a commodity server. For smaller
deployments, it's integrated into the central management server.
2. Agent-based scanning: an agent is installed on the system (server) to be scanned and scanning is
performed locally. Agents are platform specific and use local CPU cycles, but can potentially
perform significantly faster than remote scanning, especially for large repositories. For endpoints,
this should be a feature of the same agent used for enforcement.
3. Memory-resident agent scanning: rather than deploying a full-time agent, a memory-resident
agent is installed, which performs a scan, then exits without leaving anything running or stored on
the local system. This offers the performance of agent-based scanning in situations where you
don't want an agent running all the time.
Any of these technologies can work for any of the modes, and enterprises will typically deploy a mix
depending on policy and infrastructure requirements.
We currently see technology limitations with each approach which guide deployment:
• Remote scanning can significantly increase network traffic and has performance limitations based
on network bandwidth and target and scanner network performance. Some solutions can only
scan gigabytes per day (sometimes hundreds, but not terabytes per day), per server based on
these practical limitations, which may be inadequate for very large storage.
• Agents, temporary or permanent, are limited by processing power and memory on the target
system, which often translates to restrictions on the number of policies that can be enforced and
the types of content analysis that can be used. For example, most endpoint agents are not capable
of partial document matching or database fingerprinting against large data sets. This is especially
true of endpoint agents, which are the most constrained.
• Agents don't support all platforms.
Once a policy violation is discovered, the DLP tool can take a variety of actions:
• Alert/ report: create an incident in the central management server just like a network violation.
• Warn: notify the user via email that they may be in violation of policy.
• Quarantine/ notify: move the file to the central management server and leave a text file with
instructions on how to request recovery of the file.
• Quarantine/ encrypt: encrypt the file in place, usually leaving a plain text file describing how to
request decryption.
• Quarantine/ access control: change access controls to restrict access to the file.
• Remove/ delete: either transfer the file to the central server without notification or just delete it.
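A content discovery pass that applies the single policy described earlier in this section (card numbers allowed only on approved servers and on accounting-team workstations) across storage locations, and carries out the alert and quarantine/ notify actions from the list above, as an added example that is not part of the handbook or of any DLP product. The host naming convention, the approved-server list, the owner names and the files scanned are constructed; the scan runs over a temporary directory so it can be executed offline.

```python
"""Content discovery over a mounted share with policy-driven actions.
Added example; not the handbook's or any DLP product's code. Host naming,
the approved-server list, owners and file contents are constructed."""
import os
import re
import shutil
import tempfile
from dataclasses import dataclass

CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")

# The single policy from the text, expressed once and applied everywhere:
# card numbers may live only on approved servers or on accounting-team
# workstations. Values are constructed for the demo.
POLICY = {
    "approved_servers": {"finance-fs01"},
    "allowed_workstation_owners": {"accounting"},
    "server_action": "alert",                   # unapproved server: incident only
    "workstation_action": "quarantine_notify",  # unapproved laptop: move the file
}


@dataclass
class Incident:
    path: str
    host: str
    owner: str
    matches: int
    action: str


def host_kind(host: str) -> str:
    """Constructed convention: hosts containing '-fs' are file servers."""
    return "server" if "-fs" in host else "workstation"


def decide_action(host: str, owner: str):
    """Return the action for a file holding card data, or None when compliant."""
    if host_kind(host) == "server":
        return None if host in POLICY["approved_servers"] else POLICY["server_action"]
    if owner in POLICY["allowed_workstation_owners"]:
        return None
    return POLICY["workstation_action"]


def quarantine_notify(path: str, quarantine_dir: str) -> str:
    """Move the file to the management server's quarantine area and leave a
    text stub telling the owner how to request recovery."""
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, os.path.basename(path))
    shutil.move(path, dest)
    with open(path + ".QUARANTINED.txt", "w") as stub:
        stub.write("This file was moved by DLP content discovery.\n"
                   "To request recovery, raise a ticket quoting the path: %s\n" % path)
    return dest


def scan_share(root: str, host: str, owner: str, quarantine_dir: str):
    """Remote-scan style pass: walk the mounted share, look for card data,
    apply the policy, act, and report incidents back to the management server."""
    incidents = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue                # unreadable: a real scanner logs this
            hits = len(CARD_RE.findall(text))
            if hits == 0:
                continue
            action = decide_action(host, owner)
            if action is None:
                continue                # stored where the policy allows it
            if action == "quarantine_notify":
                quarantine_notify(path, quarantine_dir)
            incidents.append(Incident(path, host, owner, hits, action))
    return incidents


def demo():
    """Build a constructed share and scan it as three different hosts."""
    root = tempfile.mkdtemp(prefix="dlp-discovery-")
    share = os.path.join(root, "share")
    quarantine = os.path.join(root, "quarantine")
    os.makedirs(share)
    with open(os.path.join(share, "refunds.csv"), "w") as fh:
        fh.write("customer,card\nA,4111 1111 1111 1111\nB,5500-0000-0000-0004\n")
    with open(os.path.join(share, "agenda.txt"), "w") as fh:
        fh.write("Team meeting 10:00, room 4.\n")
    results = {
        "approved_server": scan_share(share, "finance-fs01", "finance", quarantine),
        "rogue_server": scan_share(share, "dev-fs09", "dev", quarantine),
        "sales_laptop": scan_share(share, "laptop-0042", "sales", quarantine),
    }
    stub_left = os.path.exists(os.path.join(share, "refunds.csv.QUARANTINED.txt"))
    shutil.rmtree(root)
    return results, stub_left
```

The same file produces no incident on the approved server, an alert on an unapproved server and a quarantine on a sales laptop: the rule is written once and the location supplies the context, which is the advantage the text claims for discovery inside a DLP product over a stand-alone search tool.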
Data In Use
DLP usually starts on the network because that's the most cost-effective way to get the broadest
coverage. Network monitoring is non-intrusive (unless you have to crack SSL), and offers visibility to
any system on the network, managed or unmanaged, server or workstation. Filtering is more difficult,
but again still relatively straightforward on the network (especially for email) and covers all systems
connected to the network. However, this isn't a complete solution. It doesn't protect data when
someone walks out the door with a laptop, and can't even prevent people from copying data to
portable storage like USB drives. To move from a "leak prevention" solution to a "content protection"
solution, products need to expand not only to stored data, but to the endpoints where data is used.
Note: Although there have been large advancements in endpoint DLP, endpoint-only solutions are not
recommended for most users. DLP endpoint solutions normally require compromise on the number
and types of policies that can be enforced, offer limited email integration, and provide no protection
for unmanaged systems. An organisation will need both network and endpoint capabilities, and most
of the leading network solutions are adding or already offer at least some endpoint protection.
Adding an endpoint agent to a DLP solution not only gives you the ability to discover stored content,
but to potentially protect systems no longer on the network or even protect data as it's being actively
used. While extremely powerful, it has been problematic to implement. Agents need to perform
within the resource constraints of a standard laptop while maintaining content awareness. This can
be difficult if you have large policies such as, "protect all 10 million credit card numbers from our
database", as opposed to something simpler like, "protect any credit card number" that will generate
false positives every time an employee visits say, flipkart.com.
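The difference between the two endpoint policies just described, as an added example that is not from the handbook or any vendor: a generic "any credit card number" rule (pattern plus Luhn checksum) beside a structured-data fingerprint rule that carries only salted, truncated digests of the database's own numbers, so a shop's checkout page that happens to contain a valid card number is not flagged. The card numbers, the page text, the salt and the digest size are constructed.

```python
"""Generic card rule versus database fingerprinting on an endpoint.
Added example; not the handbook's or any vendor's code. The card numbers,
the page text, the salt and the digest size are constructed."""
import hashlib
import re

CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the cheap filter every 'any card number' rule applies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def generic_rule(text: str) -> list:
    """'Protect any credit card number': pattern plus Luhn, with no notion of
    whose cards they are, so every valid number anywhere is a hit."""
    return [d for d in (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text))
            if luhn_ok(d)]


def fingerprint(value: str, salt: bytes, digest_bytes: int) -> bytes:
    return hashlib.sha256(salt + value.encode()).digest()[:digest_bytes]


def build_fingerprints(card_numbers, salt: bytes, digest_bytes: int = 8) -> set:
    """Structured data fingerprinting: the agent is shipped salted, truncated
    digests rather than the plaintext database (8 bytes per entry keeps ten
    million entries around 80 MB, a sizing assumption for illustration)."""
    return {fingerprint(n, salt, digest_bytes) for n in card_numbers}


def fingerprint_rule(text: str, fingerprints: set, salt: bytes,
                     digest_bytes: int = 8) -> list:
    """'Protect the numbers in our database': the generic rule is only the
    pre-filter; a hit must also fingerprint into the set."""
    return [d for d in generic_rule(text)
            if fingerprint(d, salt, digest_bytes) in fingerprints]


# Constructed inputs: a database extract and two things a laptop might see.
OUR_CARDS = ["4111111111111111", "5500000000000004"]   # well-known test numbers
SALT = b"constructed-demo-salt"
FINGERPRINTS = build_fingerprints(OUR_CARDS, SALT)
CHECKOUT_PAGE = "Pay with saved card 4242 4242 4242 4242 (exp 01/29)"  # a shop's test card
EXPORTED_REPORT = "refund to 4111 1111 1111 1111 approved; 5500-0000-0000-0004 pending"


def compare() -> dict:
    """Run both rules over both inputs; the checkout page is the false positive."""
    return {
        "checkout_generic": generic_rule(CHECKOUT_PAGE),
        "checkout_fingerprint": fingerprint_rule(CHECKOUT_PAGE, FINGERPRINTS, SALT),
        "report_generic": generic_rule(EXPORTED_REPORT),
        "report_fingerprint": fingerprint_rule(EXPORTED_REPORT, FINGERPRINTS, SALT),
    }
```

The fingerprint rule costs memory and a hash per candidate on every match, which is exactly the laptop resource constraint the paragraph describes; the generic rule costs almost nothing but fires on every shopping site. Products typically run the generic rule on the endpoint and reserve large fingerprint sets for the network appliance or a server-side lookup.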
Key capabilities: existing products vary widely in functionality, but we can break out three key
capabilities:
1. Monitoring and enforcement within the network stack: this allows enforcement of network
rules without a network appliance. The product should be able to enforce the same rules as if
the system were on the managed network as well as separate rules designed only for use on
unmanaged networks.
2. Monitoring and enforcement within the system kernel: by plugging directly into the operating
system kernel you can monitor user activity, such as copying and pasting sensitive content. This
can also allow products to detect (and block) policy violations when the user is taking sensitive
content and attempting to hide it from detection, perhaps by encrypting it or modifying source
documents.
3. Monitoring and enforcement within the file system: this allows monitoring and enforcement
based on where data is stored. For example, you can perform local discovery and/ or restrict
transfer of sensitive content to unencrypted USB devices.
These options are simplified, and most early products focus on 1 and 3 to solve the portable storage
problem, and protect devices on unmanaged networks. System/ kernel integration is much more
complex and there are a variety of approaches to gaining this functionality.
The following features are highly desirable when deploying DLP at the endpoint:
• Endpoint agents and rules should be centrally managed by the same DLP management server
that controls data in motion and data at rest (network and discovery).
• Policy creation and management should be fully integrated with other DLP policies in a single
interface.
• Incidents should be reported to, and managed by, a central management server.
• The endpoint agent should use the same content analysis techniques and rules as the network
servers/ appliances.
• Rules (policies) should adjust based on where the endpoint is located (on or off the network).
When the endpoint is on a managed network with gateway DLP, redundant local rules should
be skipped to improve performance.
• Agent deployment should integrate with existing enterprise software deployment tools.
• Policy updates should offer options for secure management via the DLP management server
or existing enterprise software update tools.
Endpoint limitations
Realistically, the performance and storage limitations of the endpoint will restrict the types of
content analysis supported and the number and type of policies that are locally enforced. For
some enterprises, this might not matter depending on the kinds of policies to be enforced, but
in many cases endpoints impose significant constraints on data in use policies.
While DLP solutions can go far in helping an enterprise gain greater insight over and control of
sensitive data, stakeholders need to be apprised of limitations and gaps in DLP solutions.
Understanding these limitations is the first step in the development of strategies and policies to help
compensate for the limitations of the technology.
Some of the most significant limitations common among DLP solutions are:
Encryption — DLP solutions can only inspect encrypted information that they can first decrypt. To
do this, DLP agents, network appliances and crawlers must have access to, and be able to utilize,
the appropriate decryption keys. If users have the ability to use personal encryption packages
where keys are not managed by the enterprise and provided to the DLP solution, the files cannot
be analyzed. To mitigate this risk, policies should forbid the installation and use of encryption
solutions that are not centrally managed, and users should be educated that anything that cannot
be decrypted for inspection (meaning that the DLP solution has the encryption key) will ultimately
be blocked.
Graphics — DLP solutions cannot intelligently interpret graphics files. Short of blocking or
manually inspecting all such information, a significant gap will exist in an enterprise’s control of
its information. Sensitive information scanned into a graphics file or intellectual property (IP) that
exists in a graphics format, such as design documents would fall into this category. Enterprises
that have significant IP in a graphics format should develop strong policies that govern the use and
dissemination of this information. While DLP solutions cannot intelligently read the contents of a
graphics file, they can identify specific file types, their source and destination. This capability,
combined with well-defined traffic analysis can flag uncharacteristic movement of this type of
information and provide some level of control.
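What an inspection engine can still do when it cannot read the content, covering both the Encryption and the Graphics limitations above, as an added example that is not from the handbook: it identifies graphics by their magic bytes (so type, source and destination can be logged and controlled, as the text notes), and it recognises encrypted or otherwise uninspectable data by byte entropy, blocking it unless an enterprise-managed key is available, which is the policy the Encryption paragraph recommends. The magic-byte table is limited to a few common formats, and the entropy threshold and sample payloads are constructed assumptions.

```python
"""Handling content the analysis engine cannot read.
Added example; not the handbook's code. The magic-byte table covers a few
common formats only; the entropy threshold and sample payloads are constructed."""
import hashlib
import math
from collections import Counter

MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also Office .docx/.xlsx containers
]
GRAPHICS = {"png", "jpeg", "gif"}
ENTROPY_THRESHOLD = 7.2   # bits per byte (assumption); encrypted data nears 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte-value histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_type(data: bytes) -> str:
    for signature, name in MAGIC:
        if data.startswith(signature):
            return name
    return "unknown"


def triage(data: bytes, key_available: bool = False) -> dict:
    """Decide how an inspection engine should treat a payload it receives.
    Graphics: content unreadable, so only type/source/destination are
    controllable. Unknown high-entropy data: assume encrypted; inspect only if
    the enterprise-managed key is available, otherwise block."""
    ftype = file_type(data)
    entropy = shannon_entropy(data)
    if ftype in GRAPHICS:
        decision = "type_only"
    elif ftype == "unknown" and entropy > ENTROPY_THRESHOLD:
        decision = "inspect_after_decrypt" if key_available else "block_uninspectable"
    else:
        decision = "inspect"      # text, PDF, zip: hand to content analysis
    return {"type": ftype, "entropy": round(entropy, 2), "decision": decision}


# Constructed samples (no real files involved).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_TEXT = b"Quarterly report: revenue up 4%, headcount flat."
# Deterministic stand-in for ciphertext: SHA-256 digests of a counter,
# close to 8 bits per byte without needing randomness at run time.
SAMPLE_ENCRYPTED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))


def triage_samples() -> dict:
    return {name: triage(blob)["decision"]
            for name, blob in (("png", SAMPLE_PNG), ("text", SAMPLE_TEXT),
                               ("encrypted", SAMPLE_ENCRYPTED))}
```

Entropy alone does not distinguish encryption from compression, which is why the check applies only to data of unknown type: a zip or PDF is recognised first and passed to a parser that can open the container. The "block what cannot be decrypted" branch is the technical side of the user-education point the text makes, and the decision record (type, entropy, decision) is what the traffic analysis it recommends for graphics would consume.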
Third-party service providers — When an enterprise sends its sensitive information to a trusted
third party, it is inherently trusting that the service provider mirrors the same level of control over
information leaks since the enterprise’s DLP solutions rarely extend to the service provider’s
network. A robust third-party management program that incorporates effective contract language
and a supporting audit program can help mitigate this risk.
Mobile devices — With the advent of mobile computing devices, such as smartphones, there are
communication channels that are not easily monitored or controlled. Short message service (SMS)
is the communication protocol that allows text messaging, and is a key example. Another
consideration is the ability of many of these devices to utilize Wi-Fi or even become a Wi-Fi hotspot
themselves. Both cases allow for out-of-band communication that cannot be monitored by most
enterprises. Finally, the ability of many of these devices to capture and store digital photographs
and audio information presents yet another potential gap. While some progress is being made in
this area, the significant limitations of processing power and centralized management remain a
challenge. Again, this situation is best addressed by the development of strong policies and
supporting user education to compel appropriate use of these devices.
Multilingual support — A few DLP solutions support multiple languages, but virtually all
management consoles support only English. It is also true that for each additional language and
character set the system must support, processing requirements and time windows for analysis
increase. Until such time that vendors recognize sufficient market demand to address this gap,
there is little recourse but to seek other methods to control information leaks in languages other
than English. Multinational enterprises must carefully consider this potential gap when evaluating
and deploying a DLP solution.
These points are not intended to discourage the adoption of DLP technology. The only recourse for
most enterprises is the adoption of behavioral policies and physical security controls that
complement the suite of technology controls that is available today. Further limitations to weigh
when evaluating a product include:
• Solution lock-in — At this time there is no portability of rule sets across various DLP platforms,
which means that changing from one vendor to another or integration with an acquired
organization’s solution can require significant work to replicate a complex rule set in a different
product.
• Limited client OS support — Many DLP solutions do not provide endpoint DLP agents for
operating systems such as Linux and Mac because their use as clients in the enterprise is much less
common. This does, however, leave a potentially significant gap for enterprises that have a
number of these clients. This risk can only be addressed by behavior oriented policies or requires
the use of customized solutions that are typically not integrated with the enterprise DLP platform.
• Cross application support — DLP functions can also be limited by application types. A DLP agent
that can monitor the data manipulations of one application may not be able to do so for another
application on the same system. Enterprises must ensure that all applications that can manipulate
sensitive data are identified and must verify that the DLP solution supports them. In cases where
unsupported applications exist, other actions may be required through policy, or if feasible,
through removal of the application in question.
The Open Security Foundation's DataLossDB gathers information about events involving the loss, theft
or exposure of personally identifiable information (PII). DataLossDB's dataset, in current and previous
forms, has been used in research by numerous educational, governmental and commercial entities,
which often have been able to provide statistical analysis with graphical presentations.
The charts below are provided in "as-is" format based on the current dataset maintained by the Open
Security Foundation and DataLossDB.
Digital Rights Management (DRM) is a system for protecting the copyrights of data circulated via the
Internet or other digital media by enabling secure distribution and/ or disabling illegal distribution of
the data. Typically, a DRM system protects intellectual property by either encrypting the data so that
it can only be accessed by authorized users or marking the content with a digital watermark or similar
method so that the content cannot be freely distributed. DRM is also the practice of imposing
technological restrictions that control what users can do with digital media. When a program is
designed to prevent you from copying or sharing a song, reading an ebook on another device, or
playing a single-player game without an internet connection, you are being restricted by DRM. In
other words, DRM creates a damaged good – it prevents you from doing what would be possible
without it. This concentrates control over production and distribution of media, giving DRM peddlers
the power to carry out massive digital book burnings and conduct large-scale surveillance over
people's media viewing habits.
Enterprise Digital Rights Management (DRM) and Data Loss Prevention (DLP) are typically thought of
as separate technologies that could replace each other. DRM encrypts files and controls access
privileges dynamically as a file is in use. DLP detects patterns and can restrict movement of
information that meets certain criteria. Rather than being competitive, the reality is that many
organizations can use them as complementary solutions.
DLP’s ability to scan, detect data patterns and enforce appropriate actions using contextual awareness
reduces the risk of losing sensitive data. A drawback of DLP is that it does not provide any protection
in case users have to send confidential information legitimately to a business partner or
customer. DLP cannot protect information once it is outside the organization’s perimeter.
DLP is very good at monitoring the flow of data throughout an organization and applying predefined
policies at endpoint devices or the network. The policies can log activities, send warnings to end users
and administrators, quarantine data or block it altogether.
The challenge is that most businesses need to share sensitive data with outside people. Considering
most data leaks originate from trusted insiders who have or had access to sensitive documents,
organizations must complement and empower the existing security infrastructure with a data centric
security solution that protects data in use persistently. That is where DRM comes in. DRM ensures
that only intended recipients can view sensitive files regardless of their location. This assures
protection of data beyond controlled boundaries so that an organization is always in control of its
information. DRM policy stays with the document even if it is renamed or saved to another format,
like a PDF. This provides a more complete solution to limit the possibility of a data breach.
Summary
• Data leakage is defined as the accidental or unintentional distribution of private or sensitive
data to an unauthorized entity.
• Sensitive data in companies and organizations include intellectual property (IP), financial
information, patient information, personal credit card data and other information depending
on the business and the industry. Data leakage poses a serious issue for companies as the
number of incidents and the cost to those experiencing them continue to increase.
• Enterprises use Data Leakage Prevention (DLP) technology as one component in a
comprehensive plan for the handling and transmission of sensitive data. The technological
means employed for enhancing DLP can be divided into the following categories:
  o standard security measures
  o advanced/ intelligent security measures
  o access control and encryption
  o designated DLP systems
• Device control, access control and encryption are used to prevent access by an unauthorized
user. These are the simplest measures that can be taken to protect large amounts of personal
data against malicious outsider and insider attacks.
• Designated DLP solutions are intended to detect and prevent attempts to copy or send sensitive
data, intentionally or unintentionally, without authorization, mainly by personnel who are
authorized to access the sensitive information. A major capability of such solutions is an ability
to classify content as sensitive.
• Designated DLP solutions are typically implemented using mechanisms such as exact data
matching, structured data fingerprinting, statistical methods (e.g. machine learning), rule and
regular expression matching, published lexicons, conceptual definitions and keywords.
• Content discovery consists of three components:
  o Endpoint discovery
  o Storage discovery
  o Server discovery
• Some of the most significant limitations common among DLP solutions are:
  o Encryption — DLP solutions can only inspect encrypted information that they can first
  decrypt.
  o Graphics — DLP solutions cannot intelligently interpret graphics files.
  o Third-party service providers — When an enterprise sends its sensitive information to a
  trusted third party, it is inherently trusting that the service provider mirrors the same level
  of control over information leaks since the enterprise’s DLP solutions rarely extend to the
  service provider’s network.
  o Mobile devices — With the advent of mobile computing devices, such as smartphones,
  there are communication channels that are not easily monitored or controlled.
  o Multilingual support — A few DLP solutions support multiple languages, but virtually all
  management consoles support only English.
• DRM, short for Digital Rights Management, is a system for protecting the copyrights of data
circulated via the internet or other digital media by enabling secure distribution and/ or
disabling illegal distribution of the data.
• Typically, a DRM system protects intellectual property by either encrypting the data so that it
can only be accessed by authorized users or marking the content with a digital watermark or
similar method so that the content cannot be freely distributed.
Practical activities:
Activity 1:
Collect information about the extent of data leakage in its various forms across different
types of organisations, and about incidents of leakage and the related loss. Present the cases in
class and discuss the various steps that can be taken proactively and post event to
ensure loss prevention and minimisation.
Activity 2:
Identify work behaviours and practices that can lead to data leakage in a work context.
Look at your own and your colleagues’ behaviour in your own environment, identify the
various kinds of confidential and personal information present, and describe how your own
practices and habits can cause data leakage.
Activity 3:
Collect information about various organisations that offer products and services in Data
Leakage Prevention and Data Risk Management. Compare the two, note down and present
the various offerings, tools and their features, benefits and limitations.
Activity 4:
Find examples of data around yourself in your daily life that fall into these three categories:
• Data at Rest
• Data in Motion
• Data in Use
State the risks of data leakage for each and its various sources.
UNIT IV
Information Security Policies,
Procedures, Standards and Guidelines
Lesson Plan
4.1. Information Security Policies
4.2. Key Elements of a Security Policy
4.3. Security Standards, Guidelines and Frameworks
4.4. Laws, Regulations and Guidelines
Lesson Plan
Outcomes:
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and
guidelines
PC11. comply with your organization’s policies, standards, procedures and guidelines when
contributing to managing information security
Work Environment/ Lab Requirement:
PCs/ tablets/ laptops
Availability of labs (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Networking equipment (routers & switches)
Firewalls and access points
Commercial tools like HP WebInspect and IBM AppScan etc.
Open source tools like sqlmap, Nessus etc.

Outcomes:
You need to know and understand:
KA1. your organization’s policies, procedures, standards and guidelines for managing information
security
KA2. your organization’s knowledge base and how to access and update the same
KA4. the organizational systems, procedures and tasks/ checklists within the domain and how to use
these
KA12. your organization’s information security systems and tools and how to access and maintain
these
KA13. standard tools and templates available and how to use the same
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Performance Measures:
KA1. QA session and a descriptive write-up on understanding.
KA2. Group presentation and peer evaluation along with faculty.
KA4. Performance evaluation from faculty and industry with reward points.
KA12. Faculty and peer review.
KA13. Faculty and peer review.
KB1 - KB4. Group and faculty evaluation based on anticipated outcomes. Reward points to be
allocated to groups.
Work Environment/ Lab Requirement:
PCs/ tablets/ laptops
Availability of labs (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Access to all security sites like ISO, PCI DSS, Center for Internet Security etc.
Security templates from ITIL & ISO
Lesson
Security policies are the foundation of your security infrastructure. Without them, you cannot protect
your company from possible lawsuits, lost revenue and bad publicity, not to mention basic security
attacks. A security policy is a document or set of documents that describes, at a high level, the security
controls that will be implemented by the company.
Organisations are giving more priority to the development of information security policies, since
protecting their assets is one of the prominent things that needs to be considered. Lack of clarity in
InfoSec policies can lead to catastrophic damage which cannot be recovered from, so an organisation
makes different strategies for implementing a security policy successfully. An information security
policy provides management direction and support for information security across the organisation.
Policies are not technology specific. They fall into two broad categories:
• Technical security policies: these include how technology should be configured and used.
• Administrative security policies: these include how people (both end users and management)
should behave/ respond to security.
Information in an organisation will be both electronic and hard copy, and this information needs to be
secured properly against the consequences of breaches of confidentiality, integrity and availability.
Proper security measures need to be implemented to control and secure information from
unauthorised changes, deletions and disclosures. To find the level of security measures that need to
be applied, a risk assessment is mandatory.
Security policies are intended to define what is expected from employees within an organisation with
respect to information systems.
The objective is to guide or control the use of systems to reduce the risk to information assets. It also
gives the staff who are dealing with information systems an acceptable use policy, explaining what is
allowed and what is not. Security policies differ from one company to another, but the key motive
behind them is to protect assets. Security policies are tailored to the specific mission goals.
A security policy should determine rules and regulations for the following systems:
Encryption mechanisms
Access control devices
Authentication systems
Firewalls
Anti-virus systems
Websites
Gateways
Routers and switches
Necessity of a security policy
It is generally impossible to accomplish a complex task without a detailed plan for doing so.
A security policy is that plan that provides for the consistent application of security principles
throughout your company. After implementation, it becomes a reference guide when matters of
security arise.
A security policy indicates senior management’s commitment to maintain a secure network, which
allows the IT staff to do a more effective job of securing the company’s information assets. Ultimately,
a security policy will reduce the risk of a damaging security incident. In the event of a security incident,
certain policies, such as an Incident Response Policy may limit your company’s exposure and reduce
the scope of the incident.
A security policy can provide legal protection to your company. By specifying to your users exactly
how they can and cannot use the network, how they should treat confidential information, and the
proper use of encryption, you are reducing your liability and exposure in the event of an incident.
Further, a security policy provides a written record of your company’s policies if there is ever a
question about what is and is not an approved act.
Security policies are often required by third parties that do business with your company as part of
their due diligence process. Some examples of these might be auditors, customers, partners and
investors. Companies that do business with your company, particularly those that will be sharing
confidential data or connectivity to electronic systems, will be concerned about your security policy.
Lastly, one of the most common reasons why companies create security policies today is to fulfill
regulations and meet standards that relate to security of digital information.
Once the security policy is implemented, it becomes part of day-to-day business activities. Implemented
security policies need to be reviewed whenever there is an organizational change. Compliance with
policies can be monitored using monitoring solutions such as a SIEM, and violations of security
policies must be dealt with seriously. There should also be a mechanism for reporting any violations
of the policy.
While developing these policies, it is obligatory to make them as simple as possible, because complex
policies are less secure than simple ones. Security policies can be modified at a later time, but this is
not to say that you can create a flawed policy now and develop a perfect one some time later.
It is also mandatory to update the policy based upon the environmental changes that an organization
goes through as it progresses.
Policy updates also need to be communicated to all employees, as well as to the person authorized
to monitor policy violations, as they may flag scenarios which have been ignored
by the organization.
Management is responsible for establishing controls and should regularly review the status of
controls.
Below is a list of some of the security policies that an organization may have:
Change Control Policy: how changes are made to directories or the file server
Encryption Policy: how data are encrypted, the encryption method used, etc.
Firewall Management Policy
Promiscuous Policy
Permissive Policy
Others
Acceptable Usage Policy (AUP) is the policy that one should adhere to while accessing the
network. Some of the assets that this policy covers are mobile, wireless, desktop, laptop and
tablet computers, email, servers, internet etc. For each asset, we need to look at how we can
protect and manage it, who is authorised to use and administer it, the accepted methods of
communication for the asset, etc.
Once a reasonable security policy has been developed, an engineer has to look at the country’s laws,
which should be incorporated into the security policies. One example is the use of encryption to create a
secure channel between two entities. Some encryption algorithms and key lengths (128, 192) will not
be allowed by the government for standard use. Legal experts need to be consulted if you want to
know what level of encryption is allowed in an area. This becomes a challenge when security policies
are derived for a big organisation spread across the globe.
Some of the laws, regulation and standards used for policy definition include:
The PCI Data Security Standard (PCI DSS)
The Health Insurance Portability and Accountability Act (HIPAA)
The Sarbanes-Oxley Act (SOX)
The ISO family of security standards
The Gramm-Leach-Bliley Act (GLBA)
Policy Content
When developing content, many go about creating a policy exactly the wrong way. The goal is not to
create hundreds of pages of impressive looking information, but rather to create an actionable
security plan. The following guidelines apply to the content of successful IT security policies.
• A security policy should be no longer than absolutely necessary. Some believe that policies are more
impressive when they fill enormous binders or contain hundreds or even thousands of policies. These
types of policies overwhelm you with data, and are frequently advertised on the internet. But quantity
does not equal quality, and it is the sheer amount of information in those policies that makes them
useless. Brevity is of utmost importance.
• A security policy should be written in “plain English.” While, by nature, technical topics will be
covered, it is important that the policy be clear and understood by the target audience for that
particular policy. There is never room for “consultant speak” in a security policy. If there is a doubt,
the policy should be written so that more people can understand it rather than fewer. Clarity must be
a priority in security policies so that a policy isn’t misunderstood during a crisis or otherwise
misapplied, which could lead to a critical vulnerability.
• A security policy must be consistent with applicable laws and regulations. In some countries there
are laws that apply to a company’s security practices, such as those covering the use of encryption.
Some states have specific disclosure laws or regulations governing the protection of citizens’ personal
information, and some industries have regulations governing security policies. It is recommended that
you research and become familiar with any regulations or standards that apply to your company’s
security controls.
• A security policy should be reasonable. The point of this process is to create a policy that you can
actually use rather than one that makes your company secure on paper but is impossible to
implement. Keep in mind that the more secure a policy is, the greater the burden it places on your
users and IT staff to comply with. Find a middle ground in the balance between security and usability
that will work for you.
• A security policy must be enforceable. A policy should clearly state which actions are permitted and
which are in violation of the policy. Further, the policy should spell out enforcement options
when non-compliance or violations are discovered, and these must be consistent with applicable laws. A
security policy can be formatted to be consistent with your company’s internal documentation;
however, certain information should be placed on each page of the policy. At a minimum, this
information should include: policy name, creation date, target audience and a clear designation that
the policy is company confidential.
with Human Resources so that the policies can be included with any other HR documents that require
a user signature. No matter how well implemented, no policy will be 100% applicable for every
scenario, and exceptions will need to be granted. Exceptions, however, must be granted only in writing
and must be well documented. It should be made clear from the outset that the policy is the official
company standard, and an exception will only be granted when there is an overwhelming business
need.
After the security policy has been in place for some period, which can be anywhere from three months
to a year, the company’s information security controls should be audited against the applicable
policies. Make sure that each policy is being followed as intended and is still appropriate to the
situation. If discrepancies are found or the policies are no longer applicable as written, they must be
changed to fit your company’s current requirements. After the initial review process, you should
regularly review the security policy to ensure that it still meets your company’s requirements. Create
a process so that the policy is periodically reviewed by the appropriate persons. This should occur both
at certain intervals (e.g. once per year) and when certain business changes occur (e.g. the company
opens in a new location). This will ensure that the policy does not get “stale” and will continue to be
a useful management tool for years to come. When changes need to be made, be sure to: update the
revision history section of the document to differentiate the new document from past versions; and
distribute any modified user level policies to your users. Clearly communicate the policy changes to
any affected parties.
COSO
The Foreign Corrupt Practices Act of 1977 (FCPA) is a law that requires any publicly traded company
to accurately document any transactions or monetary exchanges it is involved in (to prevent off-the-
books money transfers). Additionally, the law requires that a publicly traded company also have a
system of internal accounting controls to monitor fraud and abuse and test them through compliance
auditing. This law had little guidance from the Securities and Exchange Commission (SEC), and in
response to this, a consortium of private organizations created the Treadway Commission to figure
out what companies needed to do to comply with this law.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985
to improve the accuracy of financial reports and to standardize on internal control methods to reduce
fraudulent reporting. COSO studied the problem and issued guidance about how to create an internal
controls framework that complies with the FCPA. The resulting document, called “Internal Controls:
Integrated Framework,” was published in 1994 and provided common language, definitions and
assessment methodologies for a company’s internal accounting controls. This COSO report is
considered the standard by which accounting auditors assess companies to ensure compliance with
the FCPA and SOX section 404.
The COSO report lists a few main concepts that guided the development of the COSO framework and
define what internal controls can and cannot do for an organization. These concepts show the
relationship between people and processes in respect to the effectiveness of controls, and they define
the principles with which to implement them:
Internal control is affected by people; it must be adopted throughout the organization and is not
simply a policy document that gets filed away.
An internal control can provide only reasonable assurance, not absolute assurance to the
management and board of a business. A control cannot ensure success.
The COSO internal controls framework consists of five main control components as seen in the figure
below. These controls are the foundation of the COSO framework and provide a means for auditors
to assess a company’s control efficiency, effectiveness, reliability of financial reporting and
compliance with the law.
Figure: the five COSO control components, as shown in the original diagram: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitor.
Having an organization in which information and communication are free to flow between all aspects
of the business is addressed in this component of COSO.
Information, according to COSO, is the data used to run the business, whereas communication is
defined as the method used to disseminate information to the appropriate individuals. People cannot
do their jobs efficiently and effectively if they are not provided with the necessary information.
Without the appropriate lines of communication and timely action, problems can turn into
catastrophes. Communication is the mechanism that drives the other four components of the COSO
framework.
Monitoring
Auditing and measurement are essential in determining how controls perform.
Monitoring can be the alarm system that identifies a problem and provides valuable data for fixing
issues for the future. Monitoring can consist of periodic reports, audits or testing mechanisms that
provide the status of individual controls.
COSO is one of the more widely adopted internal control frameworks for large companies due in no
small part to the mandates set forth through SOX 404. In response to criticism that the framework
was impractical for smaller organizations, the committee published “Internal Control over Financial
Reporting for Small Public Companies” in 2006.
The COSO framework represents the grandfather of internal controls and though it was designed
primarily for accounting controls, it still provides value for companies building out a security
governance strategy. From an IT perspective, the five main components are entirely relevant to
securing information, but the actual controls themselves don’t go to the same level of depth as other
frameworks such as Control Objectives for Information and Related Technologies (COBIT).
COBIT
The COBIT framework was created by the Information Systems Audit and Control
Association (ISACA) and IT Governance Institute (ITGI) as a response to the needs of the IT community
for a less generalized and more actionable set of controls for securing information systems. The ITGI
is a non-profit organization that leads the development of COBIT through committees consisting of
experts from universities, governments and auditors across the globe. The COBIT framework is a series
of manuals and implementation guidelines for creating a full IT governance, auditing and service
delivery program for any organization.
COBIT is not a replacement but an augmentation to COSO, and maps directly to COSO from an IT
perspective. Although COSO covers the whole enterprise from an accounting perspective, it does so
by providing high level objectives that require the business to figure out how to accomplish them.
COBIT, on the other hand, works with COSO by fully detailing the necessary controls and how
to measure and audit them. The built-in auditable nature of COBIT is why it has become one of the
leading IT governance frameworks as it gets as close as can be expected to a turnkey governance
program. COBIT does not dig down into the actual tasks and procedures however, which necessitates
using other sources to develop standards and procedures for implementing the controls. In other
words, COBIT won’t tell you the best way to configure AES encryption for your wireless infrastructure,
but it will provide you with a mechanism for identifying where and why you need to apply it based on
risk.
The role of COBIT in IT governance is to provide a model that takes the guesswork out of how to bridge
the gap between business and IT goals. COBIT considers business the customer of IT services. Business
requirements (needs) ultimately drive the investment in IT resources, which in turn need processes
that can deliver enterprise information back to the business. At the foundation of COBIT is the cyclical
nature of business needing information and IT delivering information services.
Information is what IT provides to the business and COBIT defines the following seven control areas
as business requirements for information:
Reliability of information: data correctly represents the state of the business and transactions.
IT resources in COBIT are the components of information delivery and represent the technology,
people and procedures used to meet business goals. Resources are divided into four areas:
Applications: information processing systems and procedures
Information: the data as used by the business
Infrastructure: technology and systems used for data delivery and processing
People: the human talent needed to keep everything operating
IT processes (or activities) are the planned utilization of resources and divided into four inter-related
domains. Each process has its own controls that govern how the process is to be accomplished and
measured. There are 34 high level processes and hundreds of individual controls. The domains and
processes are:
Plan and Organize (PO): Defines strategy and guides the creation of a service and solutions
delivery organization. The high level process for this domain is as follows:
o PO1 Define a strategic IT plan
o PO2 Define the information architecture
o PO3 Determine technological direction
o PO4 Define the IT processes, organization and relationships
o PO5 Manage the IT investment
o PO6 Communicate management aims and direction
o PO7 Manage IT Human Resources
o PO8 Manage quality
o PO9 Assess and manage IT risks
o PO10 Manage projects
Acquire and Implement (AI): Builds IT solutions and creates services. The high level process for
this domain is as follows:
o AI1 Identify automated solutions
o AI2 Acquire and maintain application software
o AI3 Acquire and maintain technology infrastructure
o AI4 Enable operation and use
o AI5 Procure IT resources
o AI6 Manage changes
o AI7 Install and accredit solutions and changes
Deliver and Support (DS): User facing delivery of services and solutions. The high level process for
this domain is as follows:
o DS1 Define and manage service levels
o DS2 Manage third-party services
o DS3 Manage performance and capacity
o DS4 Ensure continuous service
o DS5 Ensure systems security
o DS6 Identify and allocate costs
o DS7 Educate and train users
o DS8 Manage service desk and incidents
o DS9 Manage the configuration
o DS10 Manage problems
o DS11 Manage data
o DS12 Manage the physical environment
o DS13 Manage operations
Monitor and Evaluate (ME): Monitors IT processes to ensure they stay aligned with business
requirements. The high level process for this domain is as follows:
o ME1 Monitor and evaluate IT performance
o ME2 Monitor and evaluate internal control
o ME3 Ensure compliance with external requirements
o ME4 Provide IT governance
Each of the processes in COBIT is written for managers, users and auditors by addressing each
group’s needs. Each process control objective is built using a template that includes:
o a general statement that provides answers to why management needs the control and
where it fits
o the key business requirements that the control addresses
o how the controls are achieved
o control goals and metrics
o who is responsible for each individual control activity
o how the controls can be measured
o clear descriptions of measuring how mature the organization is in accomplishing the
control using a detailed 0–5 scale Maturity Model
Measurement of each process and control is accomplished through a Maturity Model. The COBIT
Maturity Model is based on the Capability Maturity Model pioneered by Carnegie Mellon’s Software
Engineering Institute (SEI). The Capability Maturity Model was designed as a tool for ensuring quality
software development. COBIT has modified the model to deliver a measurement and tracking tool
that identifies the current state of adoption (maturity level) for each process, so as to compare an
organization’s execution with industry averages and business targets. This helps management identify
where the company’s performance is in relation to its peers and provides a path to improve, with
specific and prescriptive steps used to get there.
The COBIT Maturity Model scale provides the following measurements:
COBIT Maturity Scale
0 Non-existent: Not performed.
1 Initial/Ad hoc: Process is chaotic, not standardized and done case by case.
2 Repeatable: Relies on individual knowledge, with no formal training and intuitive rather than process-driven management.
3 Defined process: Standardized and documented processes, and formal training to communicate standards.
4 Managed: Processes are monitored and checked for compliance by management; measurable processes are reviewed for improvement, with limited automation.
5 Optimized: Processes are refined and compared with others based on maturity; processes are automated through workflow tools to improve quality and effectiveness.
Using COBIT requires customization to better align with the company implementing it. COBIT is not
designed as a governance strategy in a box, but as a reference for building a process focused system,
utilizing international standards and good practices. Companies still need to determine a risk
management methodology and build out a technical infrastructure to automate the various COBIT
processes identified. COBIT’s real value is in providing the management, measurement and
organizational glue to tie these functions together.
IT auditors like to use COBIT mainly because it creates a well-documented set of processes and
controls that can be assessed along with the metrics and requirements for each control. COBIT’s
usefulness is also apparent when the organization under audit does not use COBIT as a governance
framework because an auditor can build checklists and plan audits based on COBIT to ensure that all
aspects of the IT process are performed. COBIT is also an invaluable resource when writing the audit
report because it allows the auditor to justify and compare his findings to a well-respected standard.
ITIL
The Information Technology Infrastructure Library (ITIL) provides documentation of best practices
for IT Service Management. ITIL was created in the late 1980s by Great Britain’s Office of Government
Commerce to standardize IT practice across Britain’s government agencies and to follow security best practices. A study
was conducted and generated a significant amount of information (roughly 40 books) that became
known as ITIL. The books were revised and consolidated in 2004 and became a series of eight books
focused on IT services management. This version 2 of ITIL became popular among organizations
looking for an internationally recognized, proactive framework for managing IT services, reducing cost
and improving quality. Version 3 of ITIL was released in June 2007 to refresh the core service and
support delivery material that many companies have implemented, and to move the ITIL framework
towards a life cycle model that includes management of all lifecycle services provided by IT. The five
books that make up Version 3 are:
Service Strategy: This book is the foundation for the others by defining business to IT alignment,
value to business, services strategy and service portfolio management.
Service Design: Focused on the design of IT processes, policies and architectures. Includes service
level management, capacity management, information security management and availability
management.
Service Transition: Covers moving from the design phase to production business services and
change management. It also includes service asset and configuration management, service
validation and testing, evaluation and knowledge management.
Service Operation: Provides information on the day-to-day support of production systems. This
includes service delivery and services support, service desk design, application management,
problem management and technical management.
Continual Service Improvement: This book covers service improvements and service retirement
strategies.
ITIL is primarily about delivering IT as a service and the lifecycle of service development,
implementation, operation and management. ITIL is used by companies for overall management of IT
and also for managing security processes. Auditing an ITIL shop requires that the auditor understand
the basics of ITIL to speak the same language. ITIL also works well with COBIT as a means for fleshing
out the service delivery of each process. The ITGI even creates a mapping between COBIT and ITIL for
organizations that want to utilize the two standards. ITIL also meets the criteria for ISO 20000, which
means that it can be used to achieve international certification. Whether a company chooses to go
for certification or not, ITIL gives guidance about how to move from a reactive to a proactive approach
to managing IT and security as a service.
and originating from British Standard 7799, the ISO 27000 series is one of the most widely used and
cited documents in information security today. All the major governance frameworks reference ISO
when discussing key controls, and it is a great resource to address a wide range of security needs from
data-handling standards, to physical security, to policy. ISO 27000 is broad and covers a great deal of
content that is broken into seven published standards documents with ten more currently in
preparation. This overview is centered on the first two standards: ISO 27001 and 27002.
The first ISO standard is ISO 27001:2005 Information Technology – Security Techniques – Information Security
Management Systems. It provides the requirements for a security management system in accordance
with ISO 27002 best practices. ISO 27001 identifies generic technological controls and processes that
must be in place if a business wants to be certified as compliant with the ISO standard.
The contents of ISO 27001 are:
ISMS: Establish the ISMS; implement and operate it; monitor and review it; maintain and improve it;
documentation requirements; control of documents and records.
The Deming Cycle is simple yet powerful, and ISO 27001 applies it to security management in the
following manner:
Step 1. Plan: Establish the ISMS according to the policies, processes and objectives of the
organization to manage risk.
ISO 27001 provides guidance for setting up an ISMS and an excellent checklist for assessing
compliance with the standard by specifying what controls need to be in place. An organization can be
certified through an approved assessment and registration organization as being in compliance with
27001. There are over 3,000 companies certified against ISO 27001. Many companies choose
certification as a mechanism to “prove” their competence in building an information security program,
but also because certification provides proof for SOX and other legal compliance frameworks that the
company has met the requirements of those laws. The other benefit of ISO 27001 is its global
acceptance as an accepted standard that is required for conducting business with some companies,
which can provide a unique business opportunity for a company that goes down the path of
certification.
The second ISO standard is ISO 27002:2005 Security Techniques Code of Practice, which consists of
international best practices for securing systems. This standard provides best practice information
about everything from Human Resources security needs to physical security and it represents the
detailed implementation requirements for ISO 27001.
ISO 27002 is full of good high level information that can be used as a source document for any
generalized audit or assessment. It consists of security controls across all forms of data
communication, including electronic, paper and voice (notes tied to pigeons are not included).
The twelve areas covered in ISO 27002:2005 are:
Intro to information security management
Risk assessment and treatment
Security policy
Organization of information security
Asset management
Human Resources security
Physical security
Communications and ops management
Access control
Information systems acquisition, development and maintenance
Information security incident management
Business continuity
Compliance
The ISO standards define a solid benchmark for assessing a company’s information security practices,
but as with most high level control documents, they don’t give the auditor details about security
architecture or implementation guidance. 27002 is a great internationally recognized standard to
refer back to for control requirements in an audit report or findings document, and makes excellent
source material for an auditor’s checklist.
NIST
The National Institute of Standards and Technology (NIST) is a federal agency of the United States
government, tasked with helping commerce in the U.S. by providing weights and measurements,
materials references and technology standards. If you have configured your computer to use an
atomic clock source from the internet to synchronize time to, then you have used a NIST service. NIST
also provides reference samples of over 1,300 items, including cesium 137, peanut butter and oysters.
The division within NIST that is most interesting from an information security standpoint is the Computer
Security Resource Centre (CSRC), which is the division tasked with creating information security
standards.
The CSRC is currently directed by the United States Congress to create standards for information
security in response to laws such as the Information Technology Reform Act of 1996, the Federal
Information Security Management Act of 2002 (FISMA) and HIPAA. Although FISMA is a federal law
and not enforceable in the private sector, private companies can reap the benefits of the many
excellent documents NIST has created for FISMA compliance.
Federal Information Processing Standards Publications (FIPS) standards are a series of standards that
government agencies must follow by law according to FISMA. FIPS standards include encryption
standards, information categorization and other requirements. FIPS also mandates standards for
technology through a certification program. Hardware and software involved in encrypting data via
AES for example, must be FIPS 140-2 (level 2) compliant to be used by the federal government.
The NIST Special Publications (800 series documents) are a treasure trove of good information for
auditors, systems administrators and security practitioners of any size company. These documents
give guidance and provide specific recommendations about how to address a wide range of security
requirements. These documents are created by academic researchers, security consultants and
government scientists. They are reviewed by the security community through a draft process that
allows anyone to provide comments and feedback on the documents before they are made standards.
The documents are also revised on a regular basis as new technologies become adopted.
Table below provides a list of some of the most widely used NIST 800 series documents. This list is not
exhaustive, and there are new documents added all of the time, so check the NIST website on a regular
basis for updates and new drafts.
The Cyber Security Research and Development Act of 2002 requires that NIST develop checklists to
help minimize the security risks of hardware and software used by the federal government. These
checklists show detailed configurations of many hardware and software platforms including Cisco. SP
800-70 outlines the format, goals, and objectives of the checklists and how to submit a checklist if you
build one that you would like to share. NIST provides these checklists in Security Content Automation
Protocol (SCAP) format, and they can be loaded into a SCAP validated scanner for automated auditing.
There are a number of scanning vendors that support SCAP, such as Qualys and Tenable (Nessus
129
Student Handbook– Security Analyst SSC/N0901
Scanner). For a complete list of scanning vendors and downloadable checklists, visit
http://checklists.nist.gov.
Center for Internet Security
The Center for Internet Security (CIS) is a not-for-profit group dedicated to creating security best
practices and configuration guidance for companies, to help reduce the risk of inadequately secured
corporate systems. CIS provides peer-reviewed configuration guides and templates that
administrators and auditors can follow when securing or testing the security of a target system. These
guides are well written and provide a sufficient level of detail, down to the actual configuration level,
to use as a checklist, while also explaining why the particular configuration option needs to be
implemented.
CIS refers to its best practice documents as benchmarks and has two categories:
• Level 1 benchmarks consist of the minimum level of security that needs to be configured and that any
skilled administrator can implement.
• Level 2 benchmarks focus on particular applications of security based on the type of system or the
manner in which the system is used. Proper security depends on understanding risk, which
determines at what level you need to protect an asset. Laptops, for example, have a different risk
profile than servers, which is explored in detail in the Level 2 benchmark section.
The CIS benchmarks are often used for configuration level auditing of technology for proper
implementation of security features and good defensive practices. Many compliance laws dictate high
level controls, but never go into the details of how to actually perform the tasks necessary. These
benchmarks developed by CIS help to fill in the blanks when auditing for compliance through
consensus-validated device configuration recommendations. CIS also makes available automated
assessment tools that leverage these benchmarks. CIS benchmarks can be found at
www.cisecurity.org.
NSA
The National Security Agency (NSA) has been responsible for securing information and for information
assurance since it began in 1952. As a component of the U.S. Department of Defense, the NSA is
typically known for its cryptology research and cryptanalysis of encrypted communications. The NSA
created the DES encryption standard, which was (and, in the form of 3DES, still is) the most commonly
deployed encryption technique until it was replaced by AES.
Although the NSA’s mission is to keep government communications private, it has also shared a
significant amount of computer security research in the form of configuration guides on hardening
computer systems and network infrastructure equipment. Through research conducted by the
Information Assurance Department of the NSA, a series of security configuration guides have been
posted to help the public better secure computers and networks.
These guides cover:
• Applications
• Database servers
• Operating systems
• Routers
• Supporting documents
• Switches
• VoIP and IP telephony
• Vulnerability reports
• Web servers and browsers
• Wireless
Auditors are free to use these configuration guidelines when examining security controls. They make
a great resource and are updated as new technologies and applications are studied. You can find the
guides at http://www.nsa.gov/ia/index.cfm.
DISA
The Defense Information Security Agency (DISA) is a component of the U.S. Department of Defense
that is charged with protecting military networks and creating configuration standards for military
network deployments. DISA provides a number of useful configuration checklists for a wide variety of
information system technologies. Security Technical Implementation Guides (STIGs) are great source
material for security configuration assessments and are highly recommended as a tool for any auditor
looking for vetted configuration recommendations. While STIGs are written with military auditors in
mind, they are easy to read and include justification for the configuration requirements and what
threats are mitigated. You can access the current list of STIGs at
http://iase.disa.mil/stigs/stig/index.html.
SANS
The SANS (SysAdmin, Audit, Network, Security) Institute is by far one of the best sources of free
security information available on the Internet today. Established in 1989 as a security research and
education organization, it has become a source of training and knowledge that shares information
about security for hundreds of thousands of individuals across the globe. The SANS website has
something for everyone involved in information security, from the CIO to the hard-core security
technologists and researchers.
SANS is in the business of security education and delivers training events, conferences, and webcasts.
It offers an extensive array of technical security and management tracks covering everything from
incident handling and hacking to creating security policies. SANS security training conferences are the
most common venue for students attending these courses, but many are also offered through
on-demand web training and self-study. Each of these courses also offers an opportunity to test for
certification through the GIAC organization (a separate entity that governs the certification and testing
process for SANS). For those students who want a more traditional education process, SANS is
accredited in the state of Maryland to grant master’s degrees in information assurance and
management.
Although SANS focuses on training, it also provides a wealth of free security information as part of its
mission to use knowledge and expertise to give back to the Internet community.
SANS offers the following free services and resources, which are perfect for auditors and security
professionals to use to gain insight into new issues and to understand technical security controls:
• SANS reading room: The reading room consists of over 1,600 computer security whitepapers
from vendors and research projects, written by SANS students going for GIAC Gold certification.
There is a wide range of topic categories, ensuring you will find something relevant to what
you are looking for, from best practices to configuration guidance.
• SANS Top 20: The SANS Top 20 is a list of the top 20 vulnerabilities in operating systems and
applications that hackers attack. This information is updated yearly by a large panel of security
experts, and it provides auditors and security practitioners with a good list of high-risk areas
they need to ensure are addressed. Although this list is good, it doesn’t cover the latest threats,
so it should not be used as a checklist, but rather as a tool to focus your efforts.
• SANS security policy samples: If you are looking for sample security policies, this resource is a
goldmine. All of the policies represented are free for use, and in some cases you can simply
insert the business’s name. These policy templates cover a wide range of security functional
areas and are added to on a regular basis. It is important to note that security policies are
serious documents and require that legal and HR departments be involved in their
adoption.
• SANS newsletters: SANS provides a number of newsletters, available as e-mails or RSS feeds, that
you can subscribe to. Many topics are covered, including one focused on auditing (SANS
AuditBits).
• Internet Storm Center: The Internet Storm Center is a group of volunteer incident handlers who
analyze suspicious Internet traffic from across the globe. They look at packet traces to
determine whether a new virus, worm or other attack vector has popped up in the wild. The ISC
also compiles attack trend data and the most frequently attacked ports. Incident handlers are
always “on duty,” and you can read their notes as they go about analyzing attacks.
• SCORE: SCORE is a joint project with the CIS to create minimum standards of configuration for
security devices connected to the Internet. These checklists are available for free and provide
sound guidance about necessary technical controls.
• Intrusion Detection FAQ: The Intrusion Detection FAQ is a fantastic resource for better
understanding how to identify an attack on your network. The FAQs cover the basics of intrusion
detection, details about tools to use, and detailed analysis of sample attacks.
The SANS website should be considered mandatory reading for auditors who want to better
understand the tools and techniques attackers use to break into systems. Having all of this
knowledge in a single place is useful as auditors tailor their checklists and audit criteria to address
current events and attacks.
ISACA
If you are involved in security auditing to any degree, you undoubtedly have heard of the Information
Systems Audit and Control Association (ISACA). ISACA is the largest association of IT auditors in
existence with over 65,000 members across the world. Many of the auditing techniques and security
governance processes used to audit IT today have been compiled and standardized by ISACA. Over
50,000 people have earned the Certified Information Systems Auditor certification (CISA),
demonstrating knowledge in auditing. The Certified Information Systems Manager (CISM) is also
offered to test IT governance and management expertise.
ISACA is more than just a certification granting organization. In addition to establishing the IT
Governance Institute and developing COBIT, they have created the de-facto standards guide for
assessing and auditing IT controls. The IS standards, guidelines and procedures for auditing and
control professionals are regularly updated and reviewed to provide the auditing community with
standards, guidelines and procedures for conducting audits.
The auditing guide includes:
• Standards of IS auditing: This section includes the code of conduct for professional auditors, the
auditing process from planning to follow-up, and various other standards for performing audits.
• Auditing guidelines: This section provides information on how to conduct audits while following the
standards of IS auditing.
• Auditing procedures: This section provides details on how to audit various types of systems and
processes, providing a sample approach to testing controls such as firewalls and intrusion
detection systems.
The IT Assurance Guide to using COBIT is another excellent resource for how to conduct an audit
using COBIT as the governance framework. Regardless of whether or not the company being
audited uses COBIT, the guide describes how to leverage the controls identified by COBIT and
apply those to the audit process. This enables an auditor to follow a well-documented
framework to ensure that no major areas are missed.
ISO 27003
ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and implementation
of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It
describes the process of ISMS specification and design from inception to the production of
implementation plans. It describes the process of obtaining management approval to implement an
ISMS, defines a project to implement an ISMS (referred to in ISO/IEC 27003:2010 as the ISMS project),
and provides guidance on how to plan the ISMS project, resulting in a final ISMS project
implementation plan.
ISO 27004
ISO/IEC 27004 concerns measurements relating to information security management. These are
commonly known as ‘security metrics’ in the profession. The standard is intended to help
organizations measure, report on and hence systematically improve the effectiveness of their
Information Security Management Systems. It “provides guidance on the development and use of
measures and measurement in order to assess the effectiveness of an implemented information
security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.
This would include policy, information security risk management, control objectives, controls,
processes and procedures, and support the process of its revision, helping to determine whether any
of the ISMS processes or controls need to be changed or improved.”
ISO 15408 Evaluation Common Criteria Evaluation for Security
ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT security evaluation and
specifies the general model of evaluation given by the various parts of ISO/IEC 15408, which in its entirety
is meant to be used as the basis for evaluation of the security properties of IT products.
It provides an overview of all parts of ISO/IEC 15408, describes the various parts of ISO/IEC 15408,
defines the terms and abbreviations to be used in all parts of ISO/IEC 15408, establishes the core concept
of a Target of Evaluation (TOE) and the evaluation context, and describes the audience to which the
evaluation criteria are addressed. An introduction to the basic security concepts necessary for
evaluation of IT products is given.
It defines the various operations by which the functional and assurance components given in ISO/IEC
15408-2 and ISO/IEC 15408-3 may be tailored through the use of permitted operations. The key
concepts of protection profiles (PP), packages of security requirements and the topic of conformance
are specified, and the consequences of evaluation and evaluation results are described.
ISO/IEC 15408-1:2009 gives guidelines for the specification of Security Targets (ST) and provides a
description of the organization of components throughout the model.
ISO/IEC 13335 (IT Security Management)
ISO/IEC 13335-1:2004 presents the concepts and models fundamental to a basic understanding of ICT
security, and addresses the general management issues that are essential to the successful planning,
implementation and operation of ICT security. Part 2 of ISO/IEC 13335 (currently at 2nd Working Draft
stage) provides operational guidance on ICT security. Together, these parts can be used to help identify
and manage all aspects of ICT security.
ISO 13335 is focused on Information and Communication Technologies, also called ICT. ISO standard
13335 was created to help businesses improve their information and communication security. There
is currently only one part of the ISO 13335 standard, ISO 13335-1. ISO standard 13335 is designed to
create an IT management framework, including information security policies, internal controls,
company approved practices and configuration management of hardware and software components.
No one changes information and communication technologies without formal review and approval
after thorough testing has been completed. In addition, ISO 13335 was created in an effort to improve
business continuity, the continuation of business operations in case of a massive technical failure,
natural disaster or hacking attack.
ISO 13335-1
The ICT standard ISO 13335-1 originated as a technical report on information security before it became
a separate ISO standard. ISO 13335-1 is focused on technical security controls over administrative
procedures and internal corporate rules. ISO standard 13335-1 is now the entire ISO 13335 standard
with the other sections either consolidated into ISO 13335-1 or made into their own standards.
Network security controls like firewalls can block traffic from selected IP addresses or prevent users
from accessing specific websites. Built-in data archiving modules attached to routers or network
connections automatically save all email messages, creating an instant record of communications
available if the main email server goes down or if messages are deleted by unauthorized parties.
ISO 13335-2
ISO 13335-2 originally contained the ISO’s guidance on ICT security. The 1990s version of the standard
was broken up into ISO 13335-1 and 13335-2. The ICT security recommendations in ISO 13335-2 were
incorporated into ISO 13335-1 in the 2004 update of the standard.
ISO 13335-3
ISO 13335-3 was originally the guidelines for managing IT security. ISO standard 13335-3 has been
replaced by ISO 27005. In essence, what was ISO 13335-3 is now part of ISO 27005.
ISO 13335-4
ISO 13335-4 outlined the ISO recommended practices for selecting technical security controls or IT
safeguards. ISO 13335-4 has also been replaced with ISO 27005.
ISO 13335-5
ISO 13335-5 was originally a set of guidelines on network security. ISO 13335-5 was replaced with ISO
18028-1 in 2006. ISO 18028-1 has since been revised by ISO 27033-1, released in 2009.
ISO 27005
ISO 27005 replaced several sections of the original ISO 13335 standard. ISO 27005 describes how
organizations define their context, that is, the areas for which they are responsible. Risks are identified
and the estimated severity of each risk is set during risk analysis. During risk treatment, the
organization decides whether to accept the risk, mitigate its effects or work to prevent the risk from
occurring. During risk monitoring, the group monitors the risks to the network. Some risks may
disappear as more security hardware is installed, while others may grow due to user complacency or
evolving security threats. For example, the risk that a server’s compromise would shut down a
business is reduced when an off-site backup server is created with hot backups of the organization’s
data. If the main server is compromised and is removed from the network to prevent hackers from using
it to access other areas, the business simply switches over to the remote backup server and keeps going.
ISO Standard 24762 for Technical Disaster Recovery
ISO/IEC 24762:2008 provides guidelines on the provision of information and communications
technology disaster recovery (ICT DR) services as part of business continuity management, applicable
to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services.
ISO/IEC 24762:2008 specifies:
• the requirements for implementing, operating, monitoring and maintaining ICT DR services and
facilities
• the capabilities which outsourced ICT DR service providers should possess and the practices they
should follow so as to provide basic secure operating environments and facilitate organizations'
recovery efforts
• the guidance for selection of recovery site
• the guidance for ICT DR service providers to continuously improve their ICT DR services
ISO Standard for BCM – 22301
ISO 22301 is a management systems standard for BCM which can be used by organizations of all sizes
and types. These organizations will be able to obtain accredited certification against this standard and
• IEEE Std 1619.2-2010 IEEE Standard for Wide-Block Encryption for Shared Storage Media
• IEEE Std 1667-2009 IEEE Standard Protocol for Authentication in Host Attachments of
Transient Storage Devices
ISO 17799
ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing,
maintaining and improving information security management in an organization. The objectives
outlined provide general guidance on the commonly accepted goals of information security
management.
ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas
of information security management:
o security policy
o organization of information security
o asset management
o human resources security
o physical and environmental security
o communications and operations management
o access control
o information systems acquisition, development and maintenance
o information security incident management
o business continuity management
o compliance
The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet
the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis
and practical guideline for developing organizational security standards and effective security
management practices, and to help build confidence in inter-organizational activities.
The standard has ten domains, which address key areas of Information Security Management.
1. Information security policy for the organization
This activity involves a thorough understanding of the organization's business goals and its
dependence on information security. This entire exercise begins with creation of the IT security
policy. This is an extremely important task and should convey total commitment of top
management. The policy cannot be a theoretical exercise. It should reflect the needs of the actual
users. It should be implementable, easy to understand and must balance the level of protection
with productivity. The policy should cover all the important areas like personnel, physical,
procedural and technical.
2. Creation of information security infrastructure
A management framework needs to be established to initiate, implement and control information
security within the organization. This needs proper procedures for approval of the information
security policy, assigning of the security roles and coordination of security across the organization.
3. Asset classification and control
One of the most laborious but essential tasks is to manage the inventory of all the IT assets, which
could be information assets, software assets, physical assets or other similar services. These
information assets need to be classified to indicate the degree of protection required. The classification
should result in appropriate labelling of the information to indicate whether it is sensitive or critical
and which procedures are appropriate for copying, storing, transmitting or destroying the
information asset.
4. Personnel security
Human errors, negligence and greed are responsible for most thefts, frauds or misuse of facilities.
Various proactive measures that should be taken are: creation of personnel screening policies,
confidentiality agreements, terms and conditions of employment and information security
education and training.
Alert and well-trained employees who are aware of what to look for can prevent future security
breaches.
5. Physical and environmental security
Designing a secure physical environment to prevent unauthorized access, damage and
interference to business premises and information is usually the beginning point of any security
plan. Activities involved include creating a physical security perimeter and entry controls; securing
offices, rooms and facilities; providing physical access controls and protection devices to minimize
risks ranging from fire to electromagnetic radiation; and providing adequate protection to power
supplies and data cables. Cost-effective design and constant monitoring are two key
aspects of maintaining adequate physical security control.
6. Communications and operations management
Properly documented procedures for the management and operation of all information
processing facilities should be established. This includes detailed operating instructions and
incident response procedures.
Network management requires a range of controls to achieve and maintain security in computer
networks. This also includes establishing procedures for remote equipment including equipment
in user areas. Special controls should be established to safeguard the confidentiality and integrity
of data passing over public networks. Special controls may also be required to maintain the
availability of the network services.
Exchange of information and software between external organizations should be controlled and
should be compliant with any relevant legislation. There should be proper information and
software exchange agreements. The media in transit need to be secured and should not be
vulnerable to unauthorized access, misuse or corruption.
Electronic commerce involves electronic data interchange, electronic mail and online transactions
across public networks such as the Internet. Electronic commerce is vulnerable to a number of
network threats that may result in fraudulent activity, contract dispute and disclosure or
modification of information. Controls should be applied to protect electronic commerce from such
threats.
7. Access control
Access to information and business processes should be controlled on the basis of business and security
requirements. This will include defining access control policy and rules; user access management;
user registration; privilege management; user password use and management; review of user
access rights; network access controls; enforcing path from user terminal to computer; user
authentication; node authentication; segregation of networks; network connection control;
network routing control; operating system access control; user identification and authentication;
use of system utilities; application access control; monitoring system access and use and ensuring
information security when using mobile computing and tele-working facilities.
8. System development and maintenance
Security should ideally be built at the time of inception of a system. Hence security requirements
should be identified and agreed prior to the development of information systems. This begins with
security requirements analysis and specification and providing controls at every stage i.e. data
input; data processing; data storage and retrieval and data output. It may be necessary to build
applications with cryptographic controls. There should be a defined policy on the use of such
controls, which may involve encryption; digital signature; use of digital certificates; protection of
cryptographic keys and standards to be used for cryptography.
A strict change control procedure should be in place to facilitate tracking of changes. Any changes
to operating systems or software packages should be strictly controlled. Special precaution
must be taken to ensure that no covert channels, back doors or Trojans are left in the application
system for later exploitation.
9. Business Continuity Management
A business continuity management process should be designed, implemented and periodically
tested to reduce the disruption caused by disasters and security failures. This begins by identifying
all events that could cause interruptions to business processes and depending on the risk
assessment, preparation of a strategy plan. The plan needs to be periodically tested, maintained
and re-assessed based on changing circumstances.
10. Compliance
It is essential that strict adherence is observed to the provisions of national and international IT
laws pertaining to Intellectual Property Rights (IPR), software copyrights, safeguarding of
organizational records, data protection and privacy of personal information, prevention of misuse
of information processing facilities, regulation of cryptographic controls and collection of
evidence.
Information Technology’s use in business has also resulted in the enactment of laws that enforce
responsibility for compliance. All legal requirements must be complied with to avoid breaches of any
criminal or civil law, statutory, regulatory or contractual obligations, and of any security
requirements.
BS 7799 (ISO 17799) and its relevance to Indian companies:
Although Indian companies and the Government have invested in IT, the facts about theft and attacks on
Indian sites and companies are alarming. Attacks and thefts on corporate websites are frequent and are
usually kept under strict secrecy to avoid embarrassment in front of business partners,
investors, media and customers.
Huge losses sometimes go unaudited, and the only solution is to adopt a model that provides
a long-run, business-led approach to Information Security Management.
BS 7799 (ISO 17799) consists of 127 best security practices (covering the 10 domains discussed
above) which Indian companies can adopt to build their security infrastructure. Even if a company
decides not to go in for certification, the BS 7799 (ISO 17799) model helps companies maintain IT security
through ongoing, integrated management of policies and procedures, personnel training, selecting
and implementing effective controls, reviewing their effectiveness and improving them. Additional
benefits of an ISMS are improved customer confidence, a competitive edge, better personnel
motivation and involvement, and reduced incident impact. Ultimately, this leads to increased profitability.
ICANN’s role is to oversee the huge and complex interconnected network of unique identifiers
that allow computers on the Internet to find one another.
To reach another person on the Internet you have to type an address into your computer - a name
or a number. That address has to be unique so computers know where to find each other. ICANN
coordinates these unique identifiers across the world. Without that coordination we wouldn't
have one global Internet.
ICANN was formed in 1998. It is a not-for-profit partnership of people from all over the world
dedicated to keeping the Internet secure, stable and interoperable. It promotes competition and
develops policy on the Internet’s unique identifiers. This is commonly termed “universal
resolvability” and means that wherever you are on the network – and hence the world – that you
receive the same predictable results when you access the network. Without this, you could end
up with an Internet that worked entirely differently depending on your location on the globe.
International Organization for Standardization (ISO)
ISO (International Organization for Standardization) is an independent, non-governmental
membership organization and the world's largest developer of voluntary International Standards.
It is made up of 162 member countries, represented by their national standards bodies, with a
Central Secretariat based in Geneva, Switzerland.
International Standards make things work. They give world-class specifications for products, services
and systems, to ensure quality, safety and efficiency. They are instrumental in facilitating international
trade.
ISO has published more than 19 500 International Standards covering almost every industry, from
technology, to food safety, to agriculture and healthcare. ISO International Standards impact
everyone, everywhere.
Vision
W3C's vision for the Web involves participation, sharing knowledge, and thereby building
trust on a global scale.
The social value of the Web is that it enables human communication, commerce, and
opportunities to share knowledge. One of W3C's primary goals is to make these benefits available
to all people, whatever their hardware, software, network infrastructure, native language,
culture, geographical location, or physical or mental ability.
Web on Everything
The number of different kinds of devices that can access the Web has grown immensely. Mobile
phones, smart phones, personal digital assistants, interactive television systems, voice response
systems, kiosks and even certain domestic appliances can all access the Web.
Web for Rich Interaction
The Web was invented as a communications tool intended to allow anyone, anywhere to share
information. For many years, the Web was a "read-only" tool for many. Blogs and wikis brought
more authors to the Web, and social networking emerged from the flourishing market for content
and personalized Web experiences. W3C standards have supported this evolution thanks to
strong architecture and design principles. Some people view the Web as a giant repository of
linked data while others as a giant set of services that exchange messages. The two views are
complementary, and which to use often depends on the application.
Web of Trust
The Web has transformed the way we communicate with each other. In doing so, it has also
modified the nature of our social relationships. People now "meet on the Web" and carry out
commercial and personal relationships, in some cases without ever meeting in person. W3C
recognizes that trust is a social phenomenon, but technology design can foster trust and
confidence. As more activity moves on-line, it will become even more important to support
complex interactions among parties around the globe.
Web Application Security Consortium (WASC)
The Web Application Security Consortium (WASC) is a non-profit made up of an international
group of experts, industry practitioners, and organizational representatives who produce open
source and widely agreed upon best-practice security standards for the World Wide Web. As an
active community, WASC facilitates the exchange of ideas and organizes several industry projects.
WASC consistently releases technical information, contributed articles, security guidelines, and
other useful documentation. Businesses, educational institutions, governments, application
developers, security professionals, and software vendors all over the world utilize our materials
to assist with the challenges presented by web application security.
India
India’s Ministry of Communications and Information Technology (“Department of Information
Technology”) has implemented the Information Technology (Reasonable security practices and
procedures and sensitive personal data or information) Rules, 2011 (“Privacy Rules”). Clarifications to
the Privacy Rules were issued via Press Note by the Ministry. India’s enabling legislation is India’s
Information Technology Act 2000 (the “Act”). While India continues to adhere to the Information
Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or
Information) Rules, 2011 (Rules) enacted in 2011, the Centre for Internet and Society presented a new
Privacy (Protection) Bill, 2013 (Bill), on September 30, 2013. The Bill seeks to further refine provisions
of the Rules, with a focus on protection of personal data through limitations on use and requirements
for notice. The collection of personal data would be prohibited unless “necessary for the achievement
of a purpose of the person seeking its collection,” and, subject to sections 6 and 7 of the Bill, “no
personal data may be collected under this Act prior to the data subject being given notice, in such
form and manner as may be prescribed, of the collection.” The Bill acknowledges the collection of data
with and without consent; the regulation of personal data storage, processing, transfer, and security;
and discusses the different types of disclosure.
http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf
http://pib.nic.in/newsite/erelease.aspx?relid=74990
http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan010239.pdf
Data Protection Authority and Registration Requirements
No specific data protection authority exists, but the Privacy Rules state that in the case of a breach,
a “Body Corporate,” as defined under the Act, must answer to “the agency mandated under the
law” (presumably, the Ministry).
There are no registration requirements for the collection of data. However, the Data Security
Council of India (the “DSCI”) provides a certification service by which organizations within India
may become “DSCI Privacy Certified.”
Protected Personal Data
Personal information is defined as any information that relates to a natural person, which, either
directly or indirectly, in combination with other information available or likely to be available with a
corporate entity, is capable of identifying such person.
Sensitive personal data or information is defined as “personal information” which consists of
information relating to any of the following: passwords; financial information such as bank account or
credit card or debit card or other payment instrument details; physical, physiological and mental
health condition; sexual orientation; medical records and history; biometric information; any detail
relating to any of the above as provided to a corporate entity for providing service; and any of the
information received under the above by a corporate entity for processing, stored or processed under
lawful contract or otherwise. Data or information is not sensitive and personal if it is available in the
public domain or furnished under the Right to Information Act of 2005.
Data Collection and Processing
The Privacy Rules apply to data collection, but do not define processing.
The Privacy Rules require a Body Corporate that collects, receives, possesses, stores, deals with, or handles
sensitive or personal data to provide a privacy policy for handling of such data and ensure that the
policies are available for view by the data subjects who have provided the information under contract.
The policy shall provide for:
• clear and easily accessible statements of its practices and policies;
• the type of personal or sensitive personal data or information collected;
• the purpose of collection and usage of such information;
• the disclosure of information including sensitive personal data or information; and
• reasonable security practices and procedures.
Data may be collected and processed when all of the following conditions are met:
• the data subject has provided written consent and is aware at the time of collection that the
  information is being collected, the purpose of collection, the intended recipients of the
  information, and the name and address of the agency that is collecting and will retain the
  information;
• the data subject has been provided with the option not to provide its sensitive personal data
  or information;
• the data subject is permitted to withdraw his/her consent, in writing, at any time;
• the information is collected for a lawful purpose connected with a function or activity of the
  body corporate or any person on its behalf; and
• the collection of the sensitive personal data or information is considered necessary for that
  lawful purpose.
Data Transfer
Disclosure of data to a third party requires prior permission of the data subject, whether the
information is provided under contract or otherwise, except in the following situations:
Data Security
A Body Corporate is required to implement reasonable security practices and procedures. The Privacy
Rules indicate that reasonable practice methodologies include IS/ISO/IEC 27001 or other measures
that have been pre-approved by the central government and are subject to annual audits by a central
government approved auditor.
Breach Notification
There is no mandatory requirement to report data security breach incidents under the Privacy Rules.
Other Considerations
Data retention rules state that information should not be retained longer than is required for the
purposes for which the information may lawfully be used or is otherwise required under any other
law.
A clarification to the Privacy Rules stating that a “Body corporate providing services relating to
collection, storage, dealing or handling of sensitive personal data or information under contractual
obligation with any legal entity located within or outside India is exempt from the requirement to
obtain consent” was issued via Press Note by the Department of Information and Technology.
Accordingly, outsourcing service providers in India should be exempt from obtaining consent from the
individuals whose data they process.
Enforcement & Penalties
A corporate entity may be liable for up to Rs. 50,000,000 for the negligent failure to implement and
maintain reasonable practices and procedures, causing wrongful loss or gain.
International Directory of Laws:
This directory includes laws, regulations and industry guidelines with significant security and privacy impact
and requirements. It is largely USA-focused but is used by international agencies as a reference point.
Broad laws:
• Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule; Federal Rules
  of Civil Procedure (FRCP)
• Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records;
• The Health Information Technology for Economic and Clinical Health Act (HITECH);
• Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule);
Summary
• A security policy is a document or set of documents that describes, at a high level, the security
  controls that will be implemented by the company.
• There are two basic types of security policies: technical security policies and administrative
  security policies.
• Key Elements of a Security Policy:
  o Overview – Background information on the issue the policy addresses.
  o Purpose – Why the policy is created.
  o Scope – Which areas this policy covers.
  o Targeted Audience – To whom the policy is applicable.
  o Policy – A good description of the policy.
  o Definitions – A brief introduction to the technical jargon used inside the policy.
  o Version – A version number to control the changes made to the document.
• Auditing the security governance practices of a company requires understanding how the
  organization manages the processes and procedures that make up its security program and
  comparing those aspects to recognized governance frameworks.
• The COSO internal controls framework consists of five main control components:
  o Control Environment
  o Risk Assessment
  o Control Activities
  o Information and Communication
  o Monitoring
• The role of COBIT in IT governance is to provide a model that takes the guesswork out of how
  to bridge the gap between business goals and IT goals.
• ITIL is used by companies for the overall management of IT and also for managing security
  processes.
• Standards and best practices can help the auditor distinguish good security designs from bad
  and provide reference architectures to compare against.
• Various standards include:
  o ISO 27000 Series of Standards
  o NIST
  o Center for Internet Security
  o NSA
  o DISA
  o SANS
  o ISACA
  o ISO 27003
  o ISO 27004
  o ISO/IEC 13335 (IT Security Management)
  o ISO 27005
  o ISO Standard 24762 for Technical Disaster Recovery
  o ISO Standard for BCM – 22301
  o IEEE Standards
  o ISO 17799
  o BS 7799 (ISO 17799)
Practical activities:
Activity 1:
Work in groups and collate various security policies available across various
organizations. Categorize various policies and highlight the differences between these
based on context including sector, size of organization, types of information or data they
possess, country, etc.
Compile a list of components that are similar across policies. Discuss why you think
these elements are similar or dissimilar and what the impact of the variances is.
Activity 2:
Work in groups and research the various data security standards that are available.
Categorize the various standards based on the area they pertain to.
Present key highlights of a selected standard. Discuss why standards are important, why
these standards have credibility and legitimacy. Think about what is the composition of
the standard setting body and who are their members or patrons.
Activity 3:
Develop a set of standards for various aspects of your student life and education; make
a plan for advocacy and promotion of these standards so that more and more people
adopt them. List the key imperatives and challenges for the successful adoption and
recognition of your proposed standards.
Activity 4:
Explore the various laws and regulations that are applied in the areas of information
security. Present key features of the laws and cite cases where these were violated and
cases were filed in breach of law. Present findings in the class, discussing the details of
the case and interesting facets of it.
2. State at least three key constituents of a security policy
3. Explain at least two main concepts in the COSO framework
4. Explain the application of the Deming Cycle in IT security.
5. Name the two categories of CIS benchmarks. Explain why they are used for configuration-level
auditing of technology.
6. How is BS 7799 (ISO 17799) relevant to Indian Companies?
7. State at least five different data security policies an organisation may have.
UNIT V
Information Security Management
– Roles and Responsibilities
Lesson Plan
Resource Material
5.1. Information and Data Security Team Structure
5.2. Security Incident Response Team
LESSON PLAN
Lesson
With the growing importance and scope of information and data security, numerous organizational
structures and configurations have been implemented to get a handle on the complexities associated
with managing and protecting data.
Information security governance begins at the top with the Board of Directors and CEO enforcing
accountability for adherence to standards and commissioning the development of security
architectures that address the security requirements of the business as a whole. The auditing function
might be its own group (or outsourced to a third party) and might report to the CEO or directly to the
Board of Directors to maintain its independence.
Board of Directors
The Board of Directors is responsible for protecting the interests of the shareholders of the
corporation. This duty of care (fiduciary responsibility) requires that it understand the risk to the
business and its data. The Board of Directors is responsible for approving the appropriate resources
necessary to safeguard data. It also needs to be kept aware of how the security program is
performing.
CIO/CISO
The CIO/CISO is responsible for aligning the information security program strategy and vision to
business requirements. The CIO/CISO ensures that the correct resources are in place to adhere to
the policies and procedures set forth by the steering committee. This role generally reports to the
CEO and Board of Directors and reports how the organization is performing relative to the
company’s goals and similar organizations in the same industry.
Security Director
The security director’s role is to coordinate the efforts for securing corporate assets. The
responsibilities include reporting on the progress of initiatives to executive management and
building the teams and resources to address the various tasks necessary for information security.
This role also acts as a liaison to other aspects of the business to articulate security requirements
throughout the company. The security director manages the teams in developing corporate data
security policies, standards, procedures, and guidelines.
Security Analyst
A security analyst builds the policies, analyses risk, and identifies new threats to the business.
Business continuity and disaster recovery planning are important functions performed by the
analyst to prepare the company for the unexpected. The analyst is also responsible for creating
reports about the performance of the organization’s security systems.
Security Architect
A security architect defines the procedures, guidelines, and standards used by the company.
Architects help to select the controls used to protect the company’s data and they make sure that
the controls are sufficient for addressing the risk and complying with policy. This role is also
responsible for testing security products and making recommendations about what will best serve
the needs of the company.
Security Engineer
A security engineer implements the controls selected by the security architect. Security engineers
are responsible for the maintenance of firewalls, IPS, and other tools. This includes upgrades,
testing, patching, and overall maintenance of the security systems. This role might also be
responsible for testing the functionality of equipment to make sure that it operates as expected.
Systems Administrator
A systems administrator is responsible for monitoring and maintaining the servers, printers, and
workstations a company uses. In addition, administrators add and/or remove user accounts as
necessary, control access to shared resources, and maintain company-wide antivirus software.
Database Administrator
The Database Administrator (DBA) has an important job in most companies. The DBA is responsible
for designing and maintaining corporate databases and also securing access to the data to ensure
its integrity. The ramifications of lax security in this role can be severe, especially considering the
reporting requirements mandated by SOX.
IS Auditor
An auditor’s role in security governance is to assess the effectiveness in meeting the requirements
set forth by policy and management direction. The auditor is tasked to identify risk and report on
how the organization performs to upper management. The auditor provides an impartial review of
projects and technologies to identify weaknesses that could result in loss to the company.
End User
End users have a critical role in security governance that is often overlooked. They must be aware
of the impact their actions can have on the security of the company and be able to safeguard
confidential information. They are responsible for complying with policies and procedures and
following safe computing practices, such as not opening attachments without antimalware software
running or loading unauthorized software. A solid user security awareness program can help
promote safe computing habits.
Figure: Organisational chart of information security roles (labels recovered from the figure): 1. Board of Directors; 2. CEO; 3. CIO/CISO; 5. Security Analyst; 8. System Administrator; 9. Database Administrator; 10. IS Auditor; 11. End User.
The security incident response team is a group of individuals who have been trained in incident
management, each having distinct response roles. The team works under the direction of the incident
officer. The team is tasked with the following responsibilities:
• Processes IT security complaints or incidents.
• Assesses threats to IT resources.
• Alerts IT managers of imminent threats.
• Determines incident severity and escalates it, if necessary, with notification to the CTO and
  the president’s senior staff.
• Coordinates security incidents (level 2 or 3) from discovery to closure.
• Reviews incidents, provides solutions/resolutions and closure.
Table-Top Exercise:
Students are recommended to follow this link and perform an interesting exercise on a security
breach by assuming the various roles described in the exercise:
http://www.nascio.org/portals/0/awards/nominations2015/2015/2015PA12-PA%20Cyber%20Continuity%20CIO%20Exercise%20DR%20Sec%20Biz%20Continuity%20NASCIO%202015%20FINAL.pdf
Summary
• Information security governance begins at the top with the Board of Directors and CEO
  enforcing accountability for adherence to standards and commissioning the development of
  security architectures that address the security requirements of the business as a whole.
• The auditing function might be its own group (or outsourced to a third party) and might report
  to the CEO or directly to the Board of Directors to maintain its independence.
• Various roles in information security in an organisation: Board of Directors, Security Steering
  Committee, CEO or Executive Management, CIO/CISO, Security Director, Security Analyst,
  Security Architect, Security Engineer, Systems Administrator, Database Administrator, IS
  Auditor and End User.
• Role of the security incident response team and its responsibilities:
  o Processes IT security complaints or incidents.
  o Assesses threats to IT resources.
  o Alerts IT managers of imminent threats.
  o Determines incident severity and escalates it, if necessary, with notification to the CTO and
    the president’s senior staff.
  o Coordinates security incidents (level 2 or 3) from discovery to closure.
  o Reviews incidents, provides solutions/resolutions and closure.
Practical activities:
Activity 1:
Collect information about various job titles and roles within the data security sub-
sector. Meet industry representatives and compile a list of functions, qualification and
experience requirements for each role. Present the same in class in groups.
Activity 2:
composition,
liaising with different departments inside the organisation,
interactions with other organisations, their functions, etc.
2. Explain how the role of a Security Analyst differs from that of a Security Engineer.
• The security director’s role is to coordinate the efforts for securing _____________ ________.
• A ___________ ___________builds the policies, analyses risk, and identifies new threats to
the business.
UNIT VI
Information Security
Performance Metrics
Lesson Plan
6.1. Introduction – Security Metrics
6.2. Types of Security Metrics
6.3. Using Security Metrics
6.4. Developing the Metrics Process
6.5. Metrics and Reporting
6.6. Designing Information Security Measuring Systems
LESSON PLAN
Lesson
6.1 Introduction – Security Metrics
It helps to understand what metrics are by drawing a distinction between metrics and measurements.
Measurements provide single-point-in-time views of specific, discrete factors, while metrics are
derived by comparing to a predetermined baseline of two or more measurements taken over time.
Measurements are generated by counting; metrics are generated from analysis. In other words,
measurements are objective raw data and metrics are either objective or subjective human
interpretations of those data.
In the face of regular, high-profile news reports of serious security breaches, as well as intense scrutiny
of institutional costs, security managers are more than ever being held accountable for demonstrating the
effectiveness of their security programs. What means should managers be using to meet this
challenge? Key among these should be security metrics. This section provides a definition of
security metrics, explains their value, discusses the difficulties in generating them, suggests a methodology
for building a security metrics program, and reviews factors that affect its ongoing success.
Good metrics are those that are SMART, i.e. specific, measurable, attainable, repeatable, and time-
dependent. Truly useful metrics indicate the degree to which security goals, such as data
confidentiality, are being met, and they drive actions taken to improve an organization’s overall
security program. Distinguishing metrics meaningful primarily to those with direct responsibility for
security management from those that speak directly to executive management interests and issues is
critical to development of an effective security metrics program.
While there are multiple ways to categorize metrics, guidance from the National Institute for
Standards and Technology (NIST) does this in a way that is more helpful than simply providing tag
names for metric groupings. The Performance Measurement Guide for Information Security (NIST SP
800-55 Revision 1) divides security metrics into three categories and links each to levels of security
program maturity.
Impact – metrics used to convey the impact of the information security program on the
institution's mission, often through quantifying cost avoidance or risk reduction produced by
the overall security program
As mentioned earlier, truly useful metrics indicate the degree to which security goals are being met
and they drive actions taken to improve an organization's overall security program. Before expending
resources producing metrics in any of these three categories, it is essential that goals and objectives
of the security program be articulated.
163
Student Handbook– Security Analyst SSC/N0901
Software Security Metrics: Software measures (LOC, function points (FPs), complexity, etc.) are usually
troublesome, because they are context-sensitive and depend on both the environment and the architecture.
Examples are size and complexity, defects per LOC, defects (by severity and type) over time, cost per defect,
attack surface (number of interfaces), layers of security, and design flaws.
People Security Metrics: These are usually relevant but unreliable, because people's behaviour is difficult
to model; biases and non-standard responses make it hard to predict. Examples include the number of
associates/contractors who have completed information security policy training, team size, etc.
Other
A sample list of metrics is given below. These metrics cover the following business functions:
Application Security
o Number of Applications
o Percentage of Critical Applications
o Risk Assessment Coverage
o Security Testing Coverage
Configuration Change Management
o Mean-Time to Complete Changes
o Percent of Changes with Security Review
o Percent of Changes with Security Exceptions
Financial
o Information Security Budget as % of IT Budget
o Information Security Budget Allocation
Incident Management
o Mean-Time to Incident Discovery
o Incident Rate
o Percentage of Incidents Detected by Internal Controls
o Mean-Time Between Security Incidents
o Mean-Time to Recovery
Patch Management
o Patch Policy Compliance
o Patch Management Coverage
o Mean-Time to Patch
Vulnerability Management
o Vulnerability Scan Coverage
o Percent of Systems Without Known Severe Vulnerabilities
o Mean-Time to Mitigate Vulnerabilities
o Number of Known Vulnerability Instances
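As an added example (not from the handbook), the following Python computes several of the incident management, patch management and vulnerability management metrics in the list above from constructed records. The record layouts, the seven-day patch SLA and the precise definition of each metric (the handbook names the metrics but does not define them) are assumptions, and every figure is constructed.

```python
"""Worked computation of several sample security metrics from constructed
incident, patch and scan records.  Added example, not part of the handbook;
record layouts, the 7-day patch SLA and the metric definitions are assumptions."""
from datetime import date, datetime
from statistics import mean

# Constructed records (not real data).  Times are ISO 8601, local time.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2015-11-02T08:00", "discovered": "2015-11-02T10:00",
     "recovered": "2015-11-02T16:00", "detected_by": "internal"},
    {"id": "INC-2", "occurred": "2015-11-09T01:00", "discovered": "2015-11-10T01:00",
     "recovered": "2015-11-10T13:00", "detected_by": "external"},
    {"id": "INC-3", "occurred": "2015-11-20T12:00", "discovered": "2015-11-20T13:00",
     "recovered": "2015-11-20T16:00", "detected_by": "internal"},
]
INVENTORY = ["web-01", "db-01", "legacy-01", "lab-01"]   # all systems in scope
PATCHES = [  # one row per (system, required patch); applied=None means still missing
    {"system": "web-01", "patch": "P-1", "released": "2015-11-01", "applied": "2015-11-05"},
    {"system": "web-01", "patch": "P-2", "released": "2015-11-10", "applied": "2015-11-19"},
    {"system": "db-01", "patch": "P-1", "released": "2015-11-01", "applied": "2015-11-03"},
    {"system": "db-01", "patch": "P-2", "released": "2015-11-10", "applied": None},
    {"system": "legacy-01", "patch": "P-1", "released": "2015-11-01", "applied": None},
]
SCAN_RESULTS = {  # only systems that were actually scanned appear here
    "web-01": [{"id": "V-1", "severity": "high", "found": "2015-11-05", "mitigated": "2015-11-12"},
               {"id": "V-2", "severity": "low", "found": "2015-11-05", "mitigated": None}],
    "db-01": [{"id": "V-3", "severity": "critical", "found": "2015-11-10", "mitigated": None}],
    "legacy-01": [],
}


def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def _days(start, end):
    return (date.fromisoformat(end) - date.fromisoformat(start)).days


def _pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0


def incident_metrics(incidents):
    discovery = [_hours(i["occurred"], i["discovered"]) for i in incidents]
    recovery = [_hours(i["discovered"], i["recovered"]) for i in incidents]  # assumed: discovery to recovery
    starts = sorted(datetime.fromisoformat(i["occurred"]) for i in incidents)
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(starts, starts[1:])]
    internal = sum(1 for i in incidents if i["detected_by"] == "internal")
    return {
        "mean_time_to_discovery_h": round(mean(discovery), 1),
        "mean_time_to_recovery_h": round(mean(recovery), 1),
        "mean_time_between_incidents_h": round(mean(gaps), 1) if gaps else None,
        "pct_detected_by_internal_controls": _pct(internal, len(incidents)),
    }


def patch_metrics(patches, inventory, sla_days=7):
    applied = [(p, _days(p["released"], p["applied"])) for p in patches if p["applied"]]
    within_sla = sum(1 for _, d in applied if d <= sla_days)
    covered = {p["system"] for p in patches} & set(inventory)
    return {
        "mean_time_to_patch_d": round(mean(d for _, d in applied), 1) if applied else None,
        # a patch that is still missing counts as non-compliant, not as "unknown"
        "patch_policy_compliance_pct": _pct(within_sla, len(patches)),
        "patch_management_coverage_pct": _pct(len(covered), len(inventory)),
    }


def vulnerability_metrics(scan_results, inventory, severe=("high", "critical")):
    findings = [v for vs in scan_results.values() for v in vs]
    open_findings = [v for v in findings if v["mitigated"] is None]
    closed = [v for v in findings if v["mitigated"]]
    # only a scanned system with no open severe finding may be counted as clean;
    # an unscanned system is unknown and stays in the denominator
    clean = [s for s, vs in scan_results.items() if s in inventory and
             not any(v["mitigated"] is None and v["severity"] in severe for v in vs)]
    return {
        "vulnerability_scan_coverage_pct": _pct(len(set(scan_results) & set(inventory)), len(inventory)),
        "pct_systems_without_known_severe_vulns": _pct(len(clean), len(inventory)),
        "mean_time_to_mitigate_d": round(mean(_days(v["found"], v["mitigated"]) for v in closed), 1) if closed else None,
        "known_vulnerability_instances": len(open_findings),
    }


if __name__ == "__main__":
    for block in (incident_metrics(INCIDENTS), patch_metrics(PATCHES, INVENTORY),
                  vulnerability_metrics(SCAN_RESULTS, INVENTORY)):
        for name, value in block.items():
            print(f"{name:42s} {value}")
```

Two design choices matter more than the arithmetic: a missing patch and an unscanned system both count against the organisation rather than being silently dropped from the denominator, and the definition of each interval (for example, recovery measured from discovery rather than from occurrence) is written down in the code so that the metric is repeatable, as the SMART criteria require.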
Using security metrics involves data acquisition. This may be automated or manually collected. Data
collection automation depends on the availability of data from automated sources versus the
availability of data from people. Manual data collection involves developing questionnaires and
conducting interviews and surveys with the organization’s staff.
More useful data becomes available from semi-automated and automated data sources, such
as self-assessment tools, certification and accreditation (C&A) databases, incident reporting
and response databases, and other data sources as a security program matures.
Metrics data collection is fully automated when all data is gathered by using automated data
sources without human involvement or intervention.
o Schedule
o Implement metrics
Measurement efforts are finite (while in reality a metrics programme is aimed at continual
improvement and long term benefits).
Data for metrics support is readily accessible and conducive to measurement (in many cases,
depending on the IS management's maturity, size and structure of the organization, et cetera, this
may not be so and changes to the existing data collection and analysis processes may have to be
made, especially toward higher levels of standardization, to make metrics effective and efficient).
Metrics provide quick returns (this again depends on factors such as maturity of IS management;
expecting business impact metrics from an ISMS that does not have the capability to effectively
provide them is unrealistic, for instance).
Metrics can be automated easily/rapidly (attempting to automate measures that have not yet
been thoroughly tested and proven to be effective can be ultimately counterproductive).
Measures should help ensure maximum ROI (while not unreasonable per se, this often receives a
high priority at the expense of the other facets of measurement, which get neglected and, once
again, the capability of IS management to deliver on these expectations is not always fully
considered).
The lack of consensus definitions and vocabulary, and a broadly accepted model for mapping IS
metrics to organizational structure and clearly illustrating how the lower level metrics can roll up into
the higher level ones in a meaningful way can possibly contribute to this problem (although, based on
the information presented in earlier chapters of the report, it can be recognized that efforts are being
made to rectify these issues). Without a good model or methodology for rolling up quantitative
measures, security professionals often struggle to find a compromise between reporting methods that
are too technical for the senior management and ones that impair the utility of a metric due to
oversimplification.
The frequency of reports depends on organizational norms, the volume and gravity of information
available, and management requirements. Regular reporting periods may vary from daily or weekly
to monthly, quarterly, six-monthly or annual. The longer periods are more likely to identify and discuss
trends and strategic issues, and to include status reports on security-relevant development projects,
information security initiatives and so forth; in other words, they provide the context to make sense
of the numbers.
An annual, highly-confidential Information Security Report for the CEO, the Board and other
senior management (including Internal Audit). This report might include commentary on the
success or otherwise of specific security investments. A forward-looking section can help to set
the scene for planned future investments, and is a good opportunity to point out the ever
changing legal and regulatory environment and the corresponding personal liabilities on senior
managers.
Quarterly status reports to the most senior body directly responsible for information security,
physical security, risk and/or governance. Traffic light status reports are common and KPIs may
be required, but the Information Security Manager’s commentary (supplemented or endorsed
by that of the CTO/CIO) is a good value add.
Monthly reports to the CTO/CIO, listing projects participated in and security incidents, along
with their monetary value (the financial impacts do not need to be precisely accurate, they are
used to indicate the scale of losses).
When identifying the right metrics, we shouldn’t implement a measurement process if we don’t intend to
follow it routinely and systematically: we need repeatable and reliable measures. We shouldn’t
capture data that we don’t intend to analyse; that is simply an avoidable cost. And we shouldn’t analyse
data if we don’t intend to make practical use of the results.
Where will the data come from and where will they be stored? If the source information is not
already captured and available, there will be a need to put in place the processes to gather it. This
in turn raises the issue of who will capture the data. Will it be centralized or will we distribute the
data collection processes? If departments and functions outside central control are reporting, how
far can they be trusted not to manipulate the figures? Will they meet deadlines and formatting
requirements? How much data gathering and reporting can be automated?
What do senior management actually want? To get senior management buy-in it is important to
discuss the purpose and outputs with managers and peers. Provide alternative formats initially to
assess their preference. It may be required to report differently from other functions in the
organization, using different presentation formats as well as different content. Managers are likely
to feel more comfortable with conventional management reports, so look at a range of sample
reports to pick out the style cues.
When developing metrics, it’s worth testing out the feasibility and effectiveness of the
measurement processes and the usefulness of chosen metrics on a limited scale before rolling them
out across the entire corporation. Pilot studies or trials are useful ways to iron-out any glitches in
the processes for collecting and analysing metrics, and for deciding whether the metrics are truly
indicative of what you are trying to measure.
Even after the initial trial period, continuous feedback on the metrics can help to refine the
measurement system. Changes in both the organization and the information security risks it faces
mean that some metrics are likely to become outdated over time.
5. Setting targets
Measuring and reporting leads to the identification and benchmarking of Key Performance
Indicators (KPIs) and then tracking measures to evaluate performance.
Before publishing the chosen metrics it is important to figure out which ones would truly indicate
making progress towards the organization’s information security goals.
Summary
Good security metrics are those that are SMART, i.e. specific, measurable, attainable,
repeatable and time-dependent.
The Performance Measurement Guide for Information Security (NIST SP 800-55 Revision 1)
divides security metrics into three categories and links each to levels of security program
maturity, namely Implementation, Effectiveness/Efficiency and Impact.
Security metrics are also classified into three distinct categories:
o Strategic security metrics, which measure the information security elements of high-level
business goals, objectives and strategies
o Security management metrics: there are numerous facets to managing information
security risks that could be measured, hence many possible metrics
o Operational security metrics, at the lowest level of analysis: most information
security controls, systems and processes need to be measured in order to operate and
control them
Using security metrics involves data acquisition and the latter may be automated or manually
collected.
The frequency of reports depends on organizational norms, the volume and gravity of
information available, and management requirements. Regular reporting periods may vary
from daily or weekly to monthly, quarterly, six-monthly or annual.
The following questions should be asked while designing information security measurement
systems
o What are we going to measure?
o How will we measure things?
o How will we report?
o How should we implement our reporting system?
o How to set targets?
Practical activities:
Activity 1:
Work in teams and gather as much information from industry and the internet about
the various information security performance metrics they use in their organisations.
Discuss the various challenges in identifying, monitoring and inferencing performance
through these metrics.
Activity 2:
Develop performance metrics for various aspects of your own academic and non-academic
behaviours and track these over a period of a week. Draw out various
inferences from this monitoring. Present the object of your study, the metric you
chose, the challenges in implementing these metrics and your process of
inferencing. Debate the inferences and validity of each other’s findings.
Activity 3:
Research the various information security companies offering products and services for
tracking and instituting performance metrics systems in organisations. Compare
services, present features, benefits and limitations of the same.
Q. State TRUE or FALSE as to which of the following accurately describe some of the misconceptions
regarding metrics.
Metrics provide single-point-in-time views of specific, discrete factors, while measurements are
derived by comparing to a predetermined baseline of two or more measurements taken over
time. ( )
Metrics efforts are finite, while in reality a measurement programme is aimed at continual
improvement and long term benefits. ( )
Measurement can be automated easily/rapidly; attempting to automate metrics that have not yet
been thoroughly tested and proven to be effective can be ultimately counterproductive. ( )
Q. Which type of security metrics is used to monitor results of security control implementation for a
single control or across multiple controls?
_______________________________________________________
Q. The reporting/updating of which of the following types of security metrics is carried out monthly
or quarterly:
Q. Data capturing process plays vital role in determining appropriate information security
measurement systems. Give one example in support of the statement.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
UNIT VII
Risk Assessment
Lesson Plan
Resource Material
7.1. Risk Overview
7.2. Risk Identification
7.3. Risk Analysis
7.4. Risk Treatment
7.5. Risk Management Feedback Loops
7.6. Risk Monitoring
LESSON PLAN
Lesson
Risk assessments, whether they pertain to information security or other types of risk, are a means of
providing decision makers with information needed to understand factors that can negatively
influence operations and outcomes and make informed judgments concerning the extent of actions
needed to reduce risk.
As reliance on computer systems and electronic data has grown, information security risk has joined
the array of risks that governments and businesses must manage. Regardless of the types of risk being
considered, all risk assessments generally include the following elements:
o Identifying threats that could harm and, thus, adversely affect critical operations and assets.
Threats include such things as intruders, criminals, disgruntled employees, terrorists, and natural disasters.
o Estimating the likelihood that such threats will materialize based on historical information and
judgment of knowledgeable individuals.
o Identifying and ranking the value, sensitivity, and criticality of the operations and assets that could
be affected should a threat materialize in order to determine which operations and assets are the
most important.
o Estimating, for the most critical and sensitive assets and operations, the potential losses or damage
that could occur if a threat materializes, including recovery costs.
o Identifying cost-effective actions to mitigate or reduce the risk. These actions can include
implementing new organizational policies and procedures as well as technical or physical controls.
o Documenting the results and developing an action plan.
There are various models and methods for assessing risk, and the extent of an analysis and the
resources expended can vary depending on the scope of the assessment and the availability of reliable
data on risk factors. In addition, the availability of data can affect the extent to which risk assessment
results can be reliably quantified.
A quantitative approach generally estimates the monetary cost of risk and risk reduction techniques
based on
o the likelihood that a damaging event will occur,
o the costs of potential losses, and
o the costs of mitigating actions that could be taken.
When reliable data on likelihood and costs are not available, a qualitative approach can be taken by
defining risk in more subjective and general terms such as high, medium, and low. In this regard,
qualitative assessments depend more on the expertise, experience, and judgment of those conducting
the assessment. It is also possible to use a combination of quantitative and qualitative methods.
There are multiple types of risk assessments, including program risk assessments, risk assessments to
support an investment decision, analysis of alternatives, and assessments of operational or cost
uncertainty. Risk identification needs to match the type of assessment required to support risk-
informed decision making. For an acquisition program, the first step is to identify the program goals
and objectives, thus fostering a common understanding across the team of what is needed for
program success. This gives context and bounds the scope by which risks are identified and assessed.
There are multiple sources of risk. For risk identification, the project team should review the program
scope, cost estimates, schedule (to include evaluation of the critical path), technical maturity, key
performance parameters, performance challenges, stakeholder expectations vs. current plan, external
and internal dependencies, implementation challenges, integration, interoperability, supportability,
supply-chain vulnerabilities, ability to handle threats, cost deviations, test event expectations, safety,
security, and more. In addition, historical data from similar projects, stakeholder interviews, and risk
lists provide valuable insight into areas for consideration of risk.
Risk identification is an iterative process. As the program progresses, more information will be gained
about the program (e.g., specific design), and the risk statement will be adjusted to reflect the current
understanding. New risks will be identified as the project progresses through the life cycle.
Gather data.
Risk Evaluation
The risk evaluation process receives as input the output of the risk analysis process. It compares each risk
level against the risk acceptance criteria and prioritises the risk list with risk treatment indications.
Risk reduction
Taking the mitigation steps necessary to reduce the overall risk to an asset. Often this will
include selecting countermeasures that will either reduce the likelihood of occurrence or
reduce the severity of loss, or achieve both objectives at the same time. Countermeasures can
include technical or operational controls or changes to the physical environment. For example,
the risk of computer viruses can be mitigated by acquiring and implementing antivirus software.
When evaluating the strength of a control, consideration should be given to whether the
controls are preventative or detective. The remaining level of risk after the
controls/countermeasures have been applied is often referred to as “residual risk.” An
organization may choose to undergo a further cycle of risk treatment to address this.
Risk sharing/transference
The organization shares its risk with third parties through insurance and/or service providers.
Insurance is a post-event compensatory mechanism used to reduce the burden of loss if the
event were to occur. Transference is the shifting of risk from one party to another. For example,
when hard-copy documents are moved offsite for storage at a secure-storage vendor location,
the responsibility and costs associated with protecting the data transfers to the service
provider. The cost of storage may include compensation (insurance) if documents are damaged,
lost, or stolen.
Risk avoidance
The practice of eliminating the risk by withdrawing from or not becoming involved in the activity
that allows the risk to be realized. For example, an organization decides to discontinue a
business process in order to avoid a situation that exposes the organization to risk.
Risk acceptance
An organization decides to accept a particular risk because it falls within its risk-tolerance
parameters and therefore agrees to accept the cost when it occurs. Risk acceptance is a viable
strategy where the cost of insuring against the risk would be greater over time than the total
losses sustained. All risks that are not avoided or transferred are accepted by default.
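An added example, not from the handbook, that carries the quantitative approach described in this lesson (likelihood, cost of potential losses, cost of mitigating actions) through to the risk evaluation step, comparing each risk with the acceptance criteria and returning the list prioritised with a treatment indication drawn from the four options above. The Risk fields, the decision rules, the acceptance threshold and all figures are assumptions, and a qualitative low/medium/high matrix is included for the case where reliable numbers are not available.

```python
"""Quantitative risk analysis, evaluation against acceptance criteria and a
treatment indication per risk.  Added example, not part of the handbook; the
Risk fields, the constructed figures and the decision rules are assumptions."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: float       # expected occurrences per year
    loss_per_event: float   # potential loss if the event occurs, incl. recovery cost
    control_cost: float     # yearly cost of the candidate mitigating action
    control_effect: float   # fraction of the expected loss the control removes (0..1)


# Constructed figures for a fictional organisation (not real data).
RISKS = [
    Risk("ransomware on file server", 0.5, 200_000, 20_000, 0.8),
    Risk("laptop theft", 2.0, 5_000, 3_000, 0.5),
    Risk("data centre flood", 0.02, 3_000_000, 70_000, 0.9),
]
# Assumed acceptance criterion: yearly expected loss the organisation tolerates.
RISK_ACCEPTANCE_THRESHOLD = 25_000


def expected_annual_loss(r):
    """Likelihood x cost of potential loss: the quantitative risk figure."""
    return round(r.likelihood * r.loss_per_event, 2)


def residual_annual_loss(r):
    """What remains after the candidate control is applied (residual risk)."""
    return round(expected_annual_loss(r) * (1.0 - r.control_effect), 2)


def control_net_benefit(r):
    """Loss avoided by the control minus the cost of the control."""
    return expected_annual_loss(r) - residual_annual_loss(r) - r.control_cost


LEVELS = ("low", "medium", "high")


def qualitative_level(likelihood_rating, impact_rating):
    """Qualitative fallback when reliable numbers are lacking: combine two
    low/medium/high ratings on a 3x3 matrix (assumed rule: ordinal sum)."""
    score = LEVELS.index(likelihood_rating) + LEVELS.index(impact_rating)
    return "high" if score >= 3 else "medium" if score == 2 else "low"


def evaluate(risks, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Risk evaluation: compare each analysed risk with the acceptance criterion
    and return the list prioritised by expected loss with a treatment indication."""
    rows = []
    for r in risks:
        eal, residual = expected_annual_loss(r), residual_annual_loss(r)
        if eal <= threshold:
            treatment = "accept"                       # within risk tolerance
        elif control_net_benefit(r) > 0:
            # control pays for itself; if residual risk is still above the
            # criterion, a further treatment cycle is indicated
            treatment = "reduce" if residual <= threshold else "reduce, then re-treat residual"
        else:
            treatment = "share/transfer or avoid"      # no cost-effective control on hand
        rows.append({"risk": r.name, "expected_annual_loss": eal,
                     "residual_annual_loss": residual, "treatment": treatment})
    return sorted(rows, key=lambda row: row["expected_annual_loss"], reverse=True)


if __name__ == "__main__":
    for row in evaluate(RISKS):
        print(f"{row['risk']:28s} expected {row['expected_annual_loss']:>12,.0f}  "
              f"residual {row['residual_annual_loss']:>10,.0f}  -> {row['treatment']}")
    print("qualitative (high likelihood, medium impact):", qualitative_level("high", "medium"))
```

The flood case shows why the evaluation step needs both figures: its expected loss is well above the acceptance criterion, yet the candidate control costs more per year than the loss it avoids, so the indication is to share the risk (for example through insurance) or to avoid it rather than to spend on a control that does not pay back.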
Risk management is carried out as a holistic, organization wide activity that addresses risk from the
strategic level to the tactical level, ensuring that risk based decision making is integrated into every
aspect of the organization. The following sections briefly describe each of the four risk management
components. The first component of risk management addresses how organizations frame risk or
establish a risk context—that is, describing the environment in which risk-based decisions are made.
The purpose of the risk framing component is to produce a risk management strategy that addresses
how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and
transparent the risk perceptions that organizations routinely use in making both investment and
operational decisions. The risk frame establishes a foundation for managing risk and delineates the
boundaries for risk-based decisions within organizations.
Establishing a realistic and credible risk frame requires that organizations identify:
The risk framing component and the associated risk management strategy also include any strategic-
level decisions on how risk to organizational operations and assets, individuals, other organizations,
and the Nation, is to be managed by senior leaders/executives.
The second component of risk management addresses how organizations assess risk within the
context of the organizational risk frame. The purpose of the risk assessment component is to identify:
the tools, techniques, and methodologies that are used to assess risk;
the assumptions related to risk assessments;
the constraints that may affect risk assessments;
roles and responsibilities;
how risk assessment information is collected, processed, and communicated throughout
organizations;
how risk assessments are conducted within organizations;
the frequency of risk assessments; and
how threat information is obtained (i.e., sources and methods).
The third component of risk management addresses how organizations respond to risk once that risk
is determined based on the results of risk assessments.
The purpose of the risk response component is to provide a consistent, organization-wide, response
to risk in accordance with the organizational risk frame by:
To support the risk response component, organizations describe the types of risk responses that can
be implemented (i.e., accepting, avoiding, mitigating, sharing, or transferring risk).
Organizations also identify the tools, techniques, and methodologies used to develop courses of action
for responding to risk, how courses of action are evaluated, and how risk responses are communicated
across organizations and as appropriate, to external entities (e.g., external service providers, supply
chain partners).
The fourth component of risk management addresses how organizations monitor risk over time. The
purpose of the risk monitoring component is to:
verify that planned risk response measures are implemented and information security
requirements derived from/traceable to organizational mission/business functions, federal
legislation, directives, regulations, policies, and standards, and guidelines, are satisfied;
determine the ongoing effectiveness of risk response measures following implementation;
and
identify risk-impacting changes to organizational information systems and the environments
in which the systems operate.
To support the risk monitoring component, organizations describe how compliance is verified and how
the ongoing effectiveness of risk responses is determined (e.g., the types of tools, techniques, and
methodologies used to determine the sufficiency/correctness of risk responses and if risk mitigation
measures are implemented correctly, operating as intended, and producing the desired effect with
regard to reducing risk). In addition, organizations describe how changes that may impact the ongoing
effectiveness of risk responses are monitored.
verify compliance;
determine the ongoing effectiveness of risk response measures; and
identify risk-impacting changes to organizational information systems and environments of
operation.
Analysing monitoring results gives organizations the capability to maintain awareness of the risk being
incurred, highlight the need to revisit other steps in the risk management process, and initiate process
improvement activities as needed.
Organizations employ risk monitoring tools, techniques, and procedures to increase risk awareness,
helping senior leaders/executives develop a better understanding of the ongoing risk to organizational
operations and assets, individuals, other organizations, and the Nation. Organizations can implement
risk monitoring at any of the risk management tiers with different objectives and utility of information
produced. For example, Tier 1 monitoring activities might include ongoing threat assessments and
how changes in the threat space may affect Tier 2 and Tier 3 activities, including enterprise
architectures (with embedded information security architectures) and organizational information
systems. Tier 2 monitoring activities might include, for example, analyses of new or current
technologies either in use or considered for future use by organizations to identify exploitable
weaknesses and/or deficiencies in those technologies that may affect mission/business success. Tier
3 monitoring activities focus on information systems and might include, for example, automated
monitoring of standard configuration settings for information technology products, vulnerability
scanning, and ongoing assessments of security controls. In addition to deciding on appropriate
monitoring activities across the risk management tiers, organizations also decide how monitoring is
to be conducted (e.g., automated or manual approaches) and the frequency of monitoring activities
based on, for example, the frequency with which deployed security controls change, critical items on
plans of action and milestones, and risk tolerance.
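An added example, not from the handbook, of the Tier 3 monitoring activity mentioned above: automated checking of standard configuration settings against a baseline, together with identification of risk-impacting changes between two monitoring runs. The setting names, baseline values and snapshots are constructed, and the rule that classifies a change as remediation or as risk-impacting is an assumption.

```python
"""Tier 3 style monitoring of standard configuration settings: compare each
system against a baseline, and classify what changed since the last run as
remediation (moved toward the baseline) or risk-impacting (moved away from it).
Added example, not part of the handbook; all settings and values are constructed."""

# Assumed hardening baseline (constructed; the setting names are illustrative).
BASELINE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "firewall.enabled": "yes",
    "audit.logging": "yes",
}

# Constructed snapshots from two monitoring runs: {system: {setting: value}}.
PREVIOUS_RUN = {
    "web-01": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no",
               "firewall.enabled": "yes", "audit.logging": "yes"},
    "db-01": {"ssh.PasswordAuthentication": "yes", "ssh.PermitRootLogin": "no",
              "firewall.enabled": "yes", "audit.logging": "yes"},
    "app-01": dict(BASELINE),
}
LATEST_RUN = {
    "web-01": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "yes",
               "firewall.enabled": "yes", "audit.logging": "yes"},
    "db-01": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no",
              "firewall.enabled": "yes"},          # audit.logging no longer reported
    "app-01": dict(BASELINE),
}


def configuration_drift(baseline, snapshot):
    """Settings per system that deviate from the baseline.  A setting that is
    absent from the snapshot is reported as None: unknown is not compliant."""
    drift = {}
    for system, settings in snapshot.items():
        bad = {k: settings.get(k) for k, expected in baseline.items() if settings.get(k) != expected}
        if bad:
            drift[system] = bad
    return drift


def compliance_pct(baseline, snapshot):
    """Percentage of monitored systems with no drift at all."""
    compliant = len(snapshot) - len(configuration_drift(baseline, snapshot))
    return round(100.0 * compliant / len(snapshot), 1) if snapshot else 0.0


def classify_changes(baseline, previous, latest):
    """Changes between two runs, each tagged 'remediation' if the new value
    matches the baseline and 'risk-impacting' if it no longer does."""
    changes = []
    for system in sorted(set(previous) | set(latest)):
        before, after = previous.get(system, {}), latest.get(system, {})
        for setting in baseline:
            old, new = before.get(setting), after.get(setting)
            if old != new:
                kind = "remediation" if new == baseline[setting] else "risk-impacting"
                changes.append((system, setting, old, new, kind))
    return changes


if __name__ == "__main__":
    print("drift:", configuration_drift(BASELINE, LATEST_RUN))
    print("compliance:", compliance_pct(BASELINE, LATEST_RUN), "%")
    for change in classify_changes(BASELINE, PREVIOUS_RUN, LATEST_RUN):
        print("change:", change)
```

Only the risk-impacting changes need to reach the risk owner; the remediation on db-01 is evidence that a planned risk response was implemented, which is the first purpose of the monitoring component listed above.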
Summary
Definition of Risk: A probability or threat of damage, injury, liability, loss, or any other negative
occurrence that is caused by external or internal vulnerabilities, and that may be avoided
through pre-emptive action.
A quantitative approach generally estimates the monetary cost of risk and risk reduction
techniques based on
o the likelihood that a damaging event will occur,
o the costs of potential losses, and
o the costs of mitigating actions that could be taken.
Risk identification is an iterative process.
Risk analysis, which is a tool for risk management, is a method of identifying vulnerabilities and
threats, and assessing the possible damage to determine where to implement security
safeguards.
The risk evaluation process receives as input the output of risk analysis process.
Risk treatment efforts should be undertaken to mitigate identified risks, using appropriate
administrative, technical and physical controls.
Risk management is carried out as a holistic, organization wide activity that addresses risk from
the strategic level to the tactical level, ensuring that risk based decision making is integrated
into every aspect of the organization.
Analysing monitoring results gives organizations the capability to maintain awareness of the
risk being incurred, highlight the need to revisit other steps in the risk management process,
and initiate process improvement activities as needed.
h as laptop, appropriate software such as packet sniffers, digital forensics, back up devices, blank media etc.
Practical activities:
Activity 1:
Research various risks for their institute in the area of information security. Prepare a
process report highlighting your approach towards identifying risk, recording, monitoring,
analysing and treating risk. The approach should be shared with the faculty and the
report should be submitted for evaluation.
Q. Analyse and state the differences between risk analysis and risk evaluation in two lines.
Q. Suggest one of the appropriate measures that can curb the problem of ‘residual risk.’
Q. Complete the following list of requirements that an organization needs to identify in order to
build a realistic and credible risk frame:
a) risk constraints
b) ________________
c) risk tolerance
d) ________________
UNIT VIII
Configuration review
Lesson Plan
8.1. Configuration Management
8.2. Organisational SecCM Policy
8.3. Identify CM Tools
8.4. Implementing Secure Configurations
8.5. Unauthorised Access to Configuration Stores
LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
PC4. carry out configuration reviews of information security systems using automated tools,
where required

Ensuring Measures:
Performance evaluation from Faculty and Industry with reward points
QA session and a descriptive write-up on understanding

Work Environment/Lab Requirement:
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with Wi-Fi (Min 2 Mbps Dedicated)
Networking Equipment - Routers & Switches
Firewalls and Access Points
Access to all security sites like ISO, PCI DSS
Commercial Tools like HP WebInspect and IBM AppScan etc.
Open Source tools like sqlmap, Nessus etc.
Lesson
Organizations apply configuration management (CM) for establishing baselines and for tracking,
controlling, and managing many aspects of business development and operation (e.g., products,
services, manufacturing, business processes, and information technology). Organizations with a
robust and effective CM process need to consider information security implications with respect to
the development and operation of information systems including hardware, software, applications,
and documentation. Effective CM of information systems requires the integration of the management
of secure configurations into the organizational CM process or processes. For this reason, this
document assumes that information security is an integral part of an organization’s overall CM
process; however, the focus of this document is on implementation of the information system security
aspects of CM, and as such the term security-focused configuration management (SecCM) is used to
emphasize the concentration on information security. Though both IT business application functions
and security-focused practices are expected to be integrated as a single process, SecCM in this context
is defined as the management and control of configurations for information systems to enable security
and facilitate the management of information security risk.
Configuration Management (CM) comprises a collection of activities focused on establishing and
maintaining the integrity of products and systems, through control of the processes for initializing,
changing, and monitoring the configurations of those products and systems.
A Configuration Item (CI) is an identifiable part of a system (e.g., hardware, software, firmware,
documentation, or a combination thereof) that is a discrete target of configuration control processes.
A Baseline Configuration is a set of specifications for a system, or CI within a system, that has been
formally reviewed and agreed on at a given point in time, and which can be changed only through
change control procedures. The baseline configuration is used as a basis for future builds, releases,
and/or changes.
The basic parts of a CM Plan include:
Configuration Control Board (CCB) – Establishment of and charter for a group of qualified people with
responsibility for the process of controlling and approving changes throughout the development and
operational lifecycle of products and systems; may also be referred to as a change control board;
Configuration Item Identification – methodology for selecting and naming configuration items that
need to be placed under CM;
Configuration Change Control – process for managing updates to the baseline configurations for the
configuration items; and
Configuration Monitoring – process for assessing or testing the level of compliance with the
established baseline configuration and mechanisms for reporting on the configuration status of items
placed under CM.
Security-Focused Configuration Management (SecCM) is the management and control of secure
configurations for an information system to enable security and facilitate the management of risk.
SecCM builds on the general concepts, processes, and activities of configuration management by
focusing attention on the implementation and maintenance of the established security requirements
of the organization and its information systems.
Information security configuration management requirements are integrated into (or complement)
existing organizational configuration management processes (e.g., business functions, applications,
products) and information systems. SecCM activities include:
identification and recording of configurations that impact the security posture of the
information system and the organization;
the consideration of security risks in approving the initial configuration;
the analysis of security implications of changes to the information system configuration; and
documentation of the approved/implemented changes.
SecCM requires an ongoing investment in time and resources. Product patches, fixes, and updates
require time for security impact analysis even as threats and vulnerabilities continue to exist. As
changes to information systems are made, baseline configurations are updated, specific configuration
settings confirmed, and configuration items tracked, verified, and reported. SecCM is a continuous
activity that, once incorporated into IT management processes, touches all stages of the system
development life cycle (SDLC).
In the context of SecCM of information systems, a configuration item (CI) is an aggregation of
information system components that is designated for configuration management and treated as a
single entity throughout the SecCM process. This implies that the CI is identified, labelled, and tracked
during its life cycle – the CI is the target of many of the activities within SecCM, such as configuration
change control and monitoring activities. A CI may be a specific information system component (e.g.,
server, workstation, router, application), a group of information system components (e.g., group of
servers with like operating systems, group of network components such as routers and switches, an
application or suite of applications), a non-component object (e.g., firmware, documentation), or an
information system as a whole. CIs give organizations a way to decompose the information system
into manageable parts whose configurations can be actively managed.
The purpose of breaking up an information system into CIs is to allow more granularity and control in
managing the secure configuration of the system. The level of granularity will vary among
organizations and systems and is balanced against the associated management overhead for each CI.
In one organization, it may be appropriate to create a single CI to track all of the laptops within a
system, while in another organization, each laptop may represent an individual CI.
Baseline configuration
A baseline configuration is a set of specifications for a system, or Configuration Item (CI) within a
system, that has been formally reviewed and agreed on at a given point in time, and which can be
changed only through change control procedures. The baseline configuration is used as a basis for
future builds, releases, and/or changes.
Security-focused configuration management of information systems involves a set of activities that
can be organized into four major phases – Planning, Identifying and Implementing Configurations,
Controlling Configuration Changes, and Monitoring.
Planning - Planning includes developing policy and procedures to incorporate SecCM into existing
information technology and security programs, and then disseminating the policy throughout the
organization.
Identifying and implementing configurations - After the planning and preparation activities are
completed, a secure baseline configuration for the information system is developed, reviewed,
approved, and implemented. The approved baseline configuration for an information system and
associated components represents the most secure state consistent with operational requirements
and constraints. For a typical information system, the secure baseline may address configuration
settings, software loads, patch levels, how the information system is physically or logically arranged,
how various security controls are implemented, and documentation. Where possible, automation is
used to enable interoperability of tools and uniformity of baseline configurations across the
information system.
Controlling configuration changes - Given the continually evolving nature of an information system
and the mission it supports, the challenge for organizations is not only to establish an initial baseline
configuration that represents a secure state (which is also cost-effective, functional, and supportive
of mission and business processes), but also to maintain a secure configuration in the face of the
significant waves of change that ripple through organizations.
Monitoring
Monitoring activities are used as the mechanism within SecCM to validate that the information system
is adhering to organizational policies, procedures, and the approved secure baseline configuration.
Monitoring identifies undiscovered/ undocumented system components, misconfigurations,
vulnerabilities, and unauthorized changes, all of which, if not addressed, can expose organizations to
increased risk. Using automated tools helps organizations to efficiently identify when the information
system is not consistent with the approved baseline configuration and when remediation actions are
necessary. In addition, the use of automated tools often facilitates situational awareness and the
documentation of deviations from the baseline configuration.
A SecCM policy should include the following:
1. Purpose – the objective(s) in establishing organization-wide SecCM policy;
2. Scope – the extent of the enterprise architecture to which the policy applies;
3. Roles – the roles that are significant within the context of the policy;
4. Responsibilities – the responsibilities of each identified role; and
5. Activities – the functions that are performed to meet policy objectives.
Implementing secure configurations for IT products is no simple task. There are many IT products, and
each has a myriad of possible parameters that can be configured. In addition, organizations have
mission and business process needs which may require that IT products be configured in a particular
manner. To further complicate matters, for some products, the configuration settings of the
underlying platform may need to be modified to allow for the functionality required for mission
accomplishment such that they deviate from the approved common secure configurations.
Using the secure configuration previously established as a starting point, the following
structured approach is recommended when implementing the secure configuration:
1) Prioritize Configurations
2) Test Configurations
3) Resolve Issues and Document Deviations
4) Record and Approve the Baseline Configuration
5) Deploy the Baseline Configuration
i. Prioritize Configurations
In the ideal environment, all IT products within an organization would be configured to the most
secure state that still provided the functionality required by the organization. However, due to limited
resources and other constraints, many organizations may find it necessary to prioritize which
information systems, IT products, or CIs to target first for secure configuration as they implement
SecCM.
In determining the priorities for implementing secure configurations in information systems, IT
products, or CIs, organizations consider the following criteria:
• System impact level – Implementing secure configurations in information systems with a high or
moderate security impact level may have priority over information systems with a low security
impact level.
• Risk assessments – Risk assessments can be used to target information systems, IT products, or
CIs having the most impact on security and organizational risk.
• Vulnerability scanning – Vulnerability scans can be used to target information systems, IT
products, or CIs that are most vulnerable. For example, the Common Vulnerability Scoring System
(CVSS) is a specification within SCAP that provides an open framework for communicating the
characteristics of software flaw vulnerabilities and for calculating their relative severity. CVSS
scores can be used to help prioritize configuration and patching activities.
• Degree of penetration – The degree of penetration represents the extent to which the same
product is deployed within an information technology environment. For example, if an
organization uses a specific operating system on 95 percent of its workstations, it may obtain the
most immediate value by planning and deploying secure configurations for that operating system.
Other IT products or CIs can be targeted afterwards.
ii. Test Configurations
Organizations fully test secure configurations prior to implementation in the production environment.
There are a number of issues that may be encountered when implementing configurations including
software compatibility and hardware device driver issues. For example, there may be legacy
applications with special operating requirements that do not function correctly after a common secure
configuration has been applied. Additionally, configuration errors could occur if OS and multiple
application configurations are applied to the same component. For example, a setting for an
application configuration parameter may conflict with a similar setting for an OS configuration
parameter.
Virtual environments are recommended for testing secure configurations as they allow organizations
to examine the functional impact on applications without having to configure actual machines.
iii. Resolve Issues and Document Deviations
Testing secure configuration implementations may introduce functional problems within the system
or applications. For example, the new secure configuration may close a port or stop a service that is
needed for OS or application functionality. These problems are examined individually and either
resolved or documented as a deviation from, or exception to, the established common secure
configurations.
In some cases, changing one configuration setting may require changes to another setting, another CI,
or another information system. For instance, a common secure configuration may specify
strengthened password requirements which may require a change to existing single sign-on
applications. Or there may be a requirement that the OS-provided firewall be enabled by default. To
ensure that applications function as expected, the firewall policy may need to be revised to allow
specific ports, services, IP addresses, etc. When conflicts between applications and secure
configurations cannot be resolved, deviations are documented and approved through the
configuration change control process as appropriate.
iv. Record and Approve the Baseline Configuration
The established and tested secure configuration, including any necessary deviations, represents the
preliminary baseline configuration and is recorded in order to support configuration change
control/security impact analysis, incident resolution, problem solving, and monitoring activities. Once
recorded, the preliminary baseline configuration is approved in accordance with organizationally
defined policy. Once approved, the preliminary baseline configuration becomes the initial baseline
configuration for the information system and its constituent CIs.
The baseline configuration of an information system includes the sum total of the secure
configurations of its constituent CIs and represents the system-specific configuration against which all
changes are controlled.
The baseline configuration may include, as applicable, information regarding the system architecture,
the interconnection of hardware components, secure configuration settings of software components,
the software load, supporting documentation, and the elements in a release package. There could be
a different baseline configuration for each life cycle stage (development, test, staging, production) of
the information system.
When possible, organizations employ automated tools to support the management of baseline
configurations and to keep the configuration information as up to date and near real time as possible.
There are a number of solutions which maintain baseline configurations for a wide variety of hardware
and software products. Some comprehensive SecCM solutions integrate the maintenance of baseline
configurations with component inventory and monitoring tools.
v. Deploy the Baseline Configuration
Organizations are encouraged to implement baseline configurations in a centralized and automated
manner using automated configuration management tools, automated scripts, vendor-provided
mechanisms, etc.
SecCM monitoring is accomplished through assessment and reporting activities. For organizations
with a large number of components, the only practical and effective solution for SecCM monitoring
activities is the use of automated solutions that use standardized reporting methods such as SCAP.
An information system may have many components and many baseline configurations. To manually
collect information on the configuration of all components and assess them against policy and
approved baseline configurations is not practical, or even possible, in most cases. Automated tools
can also facilitate reporting for Security Information and Event Management applications that can be
accessed by management and/or formatted into other reports on baseline configuration status. Care
is exercised in collecting and analysing the results generated by automated tools to account for any
false positives.
SecCM monitoring may be supported by numerous means, including, but not limited to:
• Scanning to discover components not recorded in the inventory. For example, after testing of a
new firewall, a technician forgets to remove it from the network. If it is not properly configured,
it may provide access to the network for intruders. A scan would identify this network device as
not a part of the inventory, enabling the organization to take action.
• Scanning to identify disparities between the approved baseline configuration and the actual
configuration for an information system.
Example I. A technician rolls out a new patch but forgets to update the baseline configurations of the
information systems impacted by the new patch. A scan would identify a difference between the
actual environment and the description in the baseline configuration enabling the organization to take
action.
Example II. A new tool is installed on the workstations of a few end users of the information system.
During installation, the tool changes a number of configuration settings in the browser on the users’
workstations, exposing them to attack. A scan would identify the change in the workstation
configuration, allowing the appropriate individuals to take action.
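The Monitoring phase described earlier and the two scanning examples above come down to the same check: compare what a scan observes against the inventory and the approved baseline, and treat only deviations approved through change control as acceptable. The following is an added illustration (not code from the handbook or from NIST SP 800-128); the CI names, setting names and scan results are constructed for the example.

```python
"""Baseline drift and inventory check in the spirit of SecCM monitoring.
Added example; CI identifiers and settings below are constructed, not real."""
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """Approved baseline for one configuration item (CI)."""
    ci_id: str
    settings: dict                                   # setting name -> required value
    approved_deviations: dict = field(default_factory=dict)  # setting -> value approved via change control


@dataclass
class Finding:
    ci_id: str
    kind: str      # "unknown_component" | "missing_component" | "missing_setting" | "drift"
    detail: str


def expected_value(baseline, setting):
    """A documented, approved deviation overrides the common secure configuration value."""
    return baseline.approved_deviations.get(setting, baseline.settings[setting])


def check_ci(baseline, observed):
    """Compare one CI's observed settings with its baseline and return the findings."""
    findings = []
    for setting in baseline.settings:
        want = expected_value(baseline, setting)
        if setting not in observed:
            findings.append(Finding(baseline.ci_id, "missing_setting", f"{setting} not reported by scan"))
        elif observed[setting] != want:
            findings.append(Finding(baseline.ci_id, "drift",
                                    f"{setting}={observed[setting]!r}, baseline requires {want!r}"))
    return findings


def monitor(inventory, scan_results):
    """inventory: ci_id -> Baseline; scan_results: ci_id -> observed settings.
    Reports components seen on the network but not inventoried (the forgotten
    test firewall), inventoried components the scan did not see, and drift."""
    findings = []
    for ci_id in sorted(set(scan_results) - set(inventory)):
        findings.append(Finding(ci_id, "unknown_component", "seen by scan but not in inventory"))
    for ci_id in sorted(set(inventory) - set(scan_results)):
        findings.append(Finding(ci_id, "missing_component", "in inventory but not seen by scan"))
    for ci_id in sorted(set(inventory) & set(scan_results)):
        findings.extend(check_ci(inventory[ci_id], scan_results[ci_id]))
    return findings


# Constructed sample inventory: a workstation group CI and a single-server CI.
INVENTORY = {
    "ws-group-win": Baseline(
        "ws-group-win",
        {"os_firewall": "on", "browser_script_prompt": "disabled", "patch_level": "2015-11"}),
    "sso-server-01": Baseline(
        "sso-server-01",
        {"min_password_length": 14, "os_firewall": "on"},
        # Deviation approved through change control: the SSO product caps length at 12.
        approved_deviations={"min_password_length": 12}),
}

# Constructed scan results reproducing the two examples in the text:
# a patch rolled out without updating the baseline (Example I), a tool that
# altered browser settings (Example II), and a test firewall left on the network.
SCAN = {
    "ws-group-win": {"os_firewall": "on", "browser_script_prompt": "enabled", "patch_level": "2015-12"},
    "sso-server-01": {"min_password_length": 12, "os_firewall": "on"},
    "fw-test-03": {"os_firewall": "off"},
}

if __name__ == "__main__":
    for f in monitor(INVENTORY, SCAN):
        print(f"{f.ci_id}: {f.kind}: {f.detail}")
```

A real deployment would feed `SCAN` from a SCAP-capable scanner or configuration management tool rather than a hand-written dictionary; the comparison logic stays the same.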
• Implementation of automated change monitoring tools (e.g., change/configuration management
tools, application whitelisting tools). Unauthorized changes to information systems may be an
indication that the systems are under attack or that SecCM procedures are not being followed or need
updating. Automated tools are available that monitor information systems for changes and alert
system staff if unauthorized changes occur or are attempted.
When possible, organizations seek to normalize data to describe their information system in order
that the various outputs from monitoring can be combined, correlated, analysed, and reported in a
consistent manner. SCAP provides a common language for describing vulnerabilities,
misconfigurations, and products and is an obvious starting point for organizations seeking a consistent
way of communicating across the organization regarding the security status of the enterprise
architecture.
When inconsistencies are discovered as a result of monitoring activities, the organization may want
to take remedial action. Action taken may be via manual methods or via use of automated tools.
Automated tools are preferable since actions are not reliant upon human intervention and are taken
immediately once an unauthorized change is identified. Examples of possible actions include:
Many applications support configuration management interfaces and functionality to allow operators
and administrators to change configuration parameters, update Web site content, and perform
routine maintenance. The top configuration management threats are described below.
Administration interfaces are often provided through additional Web pages or separate Web
applications that allow administrators, operators, and content developers to manage site content
and configuration. Administration interfaces such as these should be available only to restricted and
authorized users. Malicious users able to access a configuration management function can potentially
deface the Web site, access downstream systems and databases, or take the application out of action
altogether by corrupting configuration data.
Consider supporting only local administration. If remote administration is absolutely essential, use
encrypted channels, for example, with VPN technology or SSL, because of the sensitive nature of the
data passed over administrative interfaces. To further reduce risk, also consider using IPSec policies
to limit remote administration to computers on the internal network.
Restricting access to the configuration store is a must. As an important defence in depth mechanism,
you should encrypt sensitive data such as passwords and connection strings. This helps prevent
external attackers from obtaining sensitive configuration data. It also prevents rogue administrators
and internal employees from obtaining sensitive details such as database connection strings and
account credentials that might allow them to gain access to other systems.
Lack of auditing and logging of changes made to configuration information threatens the ability to
identify when changes were made and who made them. When a breaking change is made, whether
through honest operator error or through a malicious change to grant privileged access, action must
first be taken to correct the change. Then apply preventive measures so that breaking changes cannot
be introduced in the same manner again. Keep in mind that auditing and logging can be circumvented
by a shared account; this applies to both administrative and user/application/service accounts.
Administrative accounts must not be shared. User/application/service accounts must be assigned at
a level that allows the identification of a single source of access using the account, and that contains
any damage to the privileges granted to that account.
If application and service accounts are granted access to change configuration information on the
system, they may be manipulated to do so by an attacker. The risk of this threat can be mitigated by
adopting a policy of using least privileged service and application accounts. Be wary of granting
accounts the ability to modify their own configuration information unless explicitly required by design.
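The two controls above for the configuration store (restrict who can read it, and keep secrets such as passwords and connection strings out of it in plaintext) can be reviewed mechanically. Below is an added example, not from the handbook, that checks an INI-style configuration file for loose file permissions and for sensitive keys whose values are not protected; the `ENC[...]` token convention, the list of sensitive key names and the sample configuration are assumptions made for this illustration.

```python
"""Review a configuration store for loose permissions and plaintext secrets.
Added example; the ENC[...] convention and sample config are constructed."""
import configparser
import os
import re
import stat
import tempfile

# Key names (compared with punctuation stripped) whose values should never be plaintext.
SENSITIVE_KEYS = ("password", "passwd", "secret", "connectionstring", "apikey", "token")
# Assumed convention: values already protected by the deployment tooling look like ENC[base64].
ENCRYPTED_RE = re.compile(r"^ENC\[[A-Za-z0-9+/=]+\]$")


def is_sensitive_key(key):
    """'DB-Password', 'connection_string' and 'api_key' all count as sensitive."""
    normalized = re.sub(r"[^a-z0-9]", "", key.lower())
    return any(word in normalized for word in SENSITIVE_KEYS)


def plaintext_secrets(text):
    """Return [(section, key)] for sensitive keys whose value is not an ENC[...] token."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if is_sensitive_key(key) and not ENCRYPTED_RE.match(value.strip()):
                hits.append((section, key))
    return hits


def permission_findings(path):
    """Flag a store that accounts other than the owner can read or modify (POSIX mode bits)."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group or others")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings


def review_config_store(path):
    """Combine both checks into one report for the file at `path`."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return {"permissions": permission_findings(path),
            "plaintext_secrets": plaintext_secrets(text)}


# Constructed sample: a database connection string and an API key in the clear,
# beside an admin password that does follow the ENC[...] convention.
SAMPLE_CONFIG = """\
[database]
connection_string = Server=db01;Database=shop;User Id=app;Password=Winter2015!
timeout = 30

[admin]
password = ENC[QmFzZTY0LWxvb2tpbmcgY2lwaGVydGV4dA==]
api_key = 0123456789abcdef

[site]
title = Example shop
"""


def write_sample(mode=0o644):
    """Write the constructed sample to a temporary file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONFIG)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    sample = write_sample()
    print(review_config_store(sample))
    os.remove(sample)
```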
Summary
SecCM is defined as the management and control of configurations for information systems to
enable security and facilitate the management of information security risk.
Configuration Management (CM) comprises a collection of activities focused on establishing
and maintaining the integrity of products and systems, through control of the processes for
initializing, changing, and monitoring the configurations of those products and systems.
The activities of SecCM include the following:
o identification and recording of configurations that impact the security posture of the
information system and the organization;
o the consideration of security risks in approving the initial configuration;
o the analysis of security implications of changes to the information system
configuration;
o documentation of the approved/implemented changes.
Product patches, fixes, and updates require time for security impact analysis even as threats
and vulnerabilities continue to exist.
Configuration Item (CI) is identified, labelled, and tracked during its life cycle – the CI is the
target of many of the activities within SecCM. It may be—
o specific information system component (e.g., server, workstation, router, application)
o group of information system components (e.g., group of servers with like operating
systems, group of network components such as routers and switches, an application or
suite of applications)
o non-component object (e.g., firmware, documentation)
o an information system as a whole. CIs give organizations a way to decompose the
information system into manageable parts whose configurations can be actively
managed
A baseline configuration is a set of specifications for a system, or Configuration Item (CI) within
a system, that has been formally reviewed and agreed on at a given point in time, and which
can be changed only through change control procedures.
Monitoring identifies undiscovered/ undocumented system components, misconfigurations,
vulnerabilities, and unauthorized changes, all of which, if not addressed, can expose
organizations to increased risk.
The organization is typically responsible for defining documented policies for the SecCM
program. A SecCM policy should include the following:
Purpose – the objective(s) in establishing organization-wide SecCM policy;
Scope – the extent of the enterprise architecture to which the policy applies;
Roles – the roles that are significant within the context of the policy;
Responsibilities – the responsibilities of each identified role;
Activities – the functions that are performed to meet policy objectives.
Tools to support SecCM activities are selected for use across the organization by SecCM
program management, and information system owners are responsible for applying the tools
to the SecCM activities performed on each information system
Practical activities:
Activity 1:
Activity 2:
Create a group project by interacting with companies that offer CM tools and prepare a
sequential process map of how the tool functions in order to carry out its functions.
Present the same in class, highlighting the functionality and dependencies of the tools.
Q. State the key criteria on which priority for implementing SecCM secure configurations are
determined?
Q. If Configuration Item is an identifiable part of a system then what does Configuration Item
Identification mean?
There could be a different baseline configuration for each life cycle stage (development, test,
staging, production) of the information system. ( )
Semi-automated tools work best to scan Web server, database server, network devices, etc. in
SecCM program. ( )
____Planning
____Monitoring
199
Student Handbook– Security Analyst SSC/N0901
NOTES:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
UNIT IX
Log Correlation and
Management
Lesson Plan
9.1. Event Log Concepts
9.2. Log Management and its need
9.3. Log Management Process
9.4. Configuring Windows Event Log
9.5. IIS Log Files
9.6. Analysis and Response
Lesson
Logs have evolved to contain information related to many different types of events occurring within
networks and systems. Within an organization, many logs contain records related to computer
security; common examples of these computer security logs are audit logs that track user
authentication attempts and security device logs that record possible attacks.
Key Concepts
Log management: Log management refers to the broad practice of collecting, aggregating and
analysing log data for a variety of purposes. Logging devices collect very large amounts of
information on security, operational and application events; log management comprises the tools
and processes used to search and parse this data for trends, anomalies and other relevant information.
Security information and event management (SIEM): Like log management, SIEM also involves the
collection and analysis of data. The key distinction is that SIEM is a specialized tool for
information security. SIEM systems enable event reduction and real-time alerting, and they provide
specific workflows to address security breaches as they occur. Another key feature of SIEM is the
incorporation of non-event-based data, such as vulnerability scanning reports, for correlation and
analysis.
A lot of money has been invested in security products such as firewalls, intrusion detection, and strong
authentication over the past several years. However, system penetration attempts continue to occur
and go unnoticed until it is too late. It is not that security countermeasures are ineffective against
intrusive activity. Indeed, they can be very effective within an organization where security policies and
procedures require analysis of security events and appropriate incident response. However, deploying
and analysing a single device in an effort to maintain situational awareness with respect to the state
of security within an organization is the "computerized version of tunnel vision". Security events must
be analysed from as many sources as possible in order to assess threats and formulate an appropriate
response. Extraordinary levels of security awareness can be attained in an organization's network
simply by listening to what its devices are telling you.
Security Software
Most organizations use several types of network-based and host-based security software to detect
malicious activity, protect systems and data, and support incident response efforts. Accordingly,
security software is a major source of computer security log data. Common types of network-based
and host based security software include the following:
Antimalware Software. The most common form of antimalware software is antivirus software, which
typically records all instances of detected malware, file and system disinfection attempts, and file
quarantines.
Additionally, antivirus software might also record when malware scans were performed and when
antivirus signature or software updates occurred. Antispyware software and other types of
antimalware software (e.g., rootkit detectors) are also common sources of security information.
Intrusion Detection and Intrusion Prevention Systems. Intrusion detection and intrusion prevention
systems record detailed information on suspicious behaviour and detected attacks, as well as any
actions intrusion prevention systems performed to stop malicious activity in progress.
Some intrusion detection systems, such as file integrity checking software, run periodically instead of
continuously, so they generate log entries in batches instead of on an ongoing basis.
Remote Access Software
Remote access is often granted and secured through virtual private networking (VPN). VPN systems
typically log successful and failed login attempts, as well as the dates and times each user connected
and disconnected, and the amount of data sent and received in each user session. VPN systems that
support granular access control, such as many Secure Sockets Layer (SSL) VPNs, may log detailed
information about the use of resources.
Web Proxies
Web proxies are intermediate hosts through which Web sites are accessed. Web proxies make Web
page requests on behalf of users, and they cache copies of retrieved Web pages to make additional
accesses to those pages more efficient. Web proxies can also be used to restrict Web access and to
add a layer of protection between Web clients and Web servers. Web proxies often keep a record of
all URLs accessed through them.
Vulnerability Management Software
Vulnerability management software, which includes patch management software and vulnerability
assessment software, typically logs the patch installation history and vulnerability status of each host,
which includes known vulnerabilities and missing software updates.
Vulnerability management software may also record additional information about hosts'
configurations. Vulnerability management software typically runs occasionally, not continuously, and
is likely to generate large batches of log entries.
Authentication Servers
Authentication servers, including directory servers and single sign-on servers, typically log each
authentication attempt, including its origin, username, success or failure, and date and time.
Routers
Routers may be configured to permit or block certain types of network traffic based on a policy.
Routers that block traffic are usually configured to log only the most basic characteristics of blocked
activity.
Firewalls
Like routers, firewalls permit or block activity based on a policy; however, firewalls use much more
sophisticated methods to examine network traffic.
Firewalls can also track the state of network traffic and perform content inspection. Firewalls tend to
have more complex policies and generate more detailed logs of activity than routers.
Network Quarantine Servers
Some organizations check each remote host's security posture before allowing it to join the network.
This is often done through a network quarantine server and agents placed on each host. Hosts that do
not respond to the server's checks or that fail the checks are quarantined on a separate virtual local
area network (VLAN) segment. Network quarantine servers log information about the status of checks,
including which hosts were quarantined and for what reasons.
Operating Systems
Operating systems (OS) for servers, workstations, and networking devices (e.g., routers, switches)
usually log a variety of information related to security. The most common types of security-related OS
data are as follows:
System Events
System events are operational actions performed by OS components, such as shutting down the
system or starting a service. Typically, failed events and the most significant successful events are
logged, but many OSs permit administrators to specify which types of events will be logged. The details
logged for each event also vary widely; each event is usually timestamped, and other supporting
information could include event, status, and error codes; service name; and user or system account
associated with an event.
Audit Records
Audit records contain security event information such as successful and failed authentication
attempts, file accesses, security policy changes, account changes (e.g., account creation and deletion,
account privilege assignment), and use of privileges. OSs typically permit system administrators to
specify which types of events should be audited and whether successful and/or failed attempts to
perform certain actions should be logged.
OS logs are most beneficial for identifying or investigating suspicious activity involving a particular
host. After suspicious activity is identified by security software, OS logs are often consulted to get
more information on the activity.
Applications
Operating systems and security software provide the foundation and protection for applications,
which are used to store, access, and manipulate the data used for the organization’s business
processes. Most organizations rely on a variety of commercial off-the-shelf (COTS) applications, such
as e-mail servers and clients, Web servers and browsers, file servers and file sharing clients, and
database servers and clients. Some applications generate their own log files, while others use the
logging capabilities of the OS on which they are installed. Applications vary significantly in the types
of information that they log. The following lists some of the most commonly logged types of
information and the potential benefits of each:
Client requests and server responses, which can be very helpful in reconstructing sequences of events
and determining their apparent outcome. If the application logs successful user authentications, it is
usually possible to determine which user made each request. Some applications can perform highly
detailed logging, such as e-mail servers recording the sender, recipients, subject name, and
attachment names for each e-mail; Web servers recording each URL requested and the type of
response provided by the server; and business applications recording which financial records were
accessed by each user. This information can be used to identify or investigate incidents and to monitor
application usage for compliance and auditing purposes.
Account information such as successful and failed authentication attempts, account changes (e.g.,
account creation and deletion, account privilege assignment), and use of privileges. In addition to
identifying security events such as brute force password guessing and escalation of privileges, it can
be used to identify who has used the application and when each person has used it.
Usage information such as the number of transactions occurring in a certain period (e.g., minute, hour)
and the size of transactions (e.g., e-mail message size, file transfer size). This can be useful for certain
types of security monitoring (e.g., a ten-fold increase in e-mail activity might indicate a new e-mail–
borne malware threat; an unusually large outbound e-mail message might indicate inappropriate
release of information).
Significant operational actions such as application startup and shutdown, application failures, and
major application configuration changes. This can be used to identify security compromises and
operational failures.
Much of this information, particularly for applications that are not used through unencrypted network
communications, can only be logged by the applications, which makes application logs particularly
valuable for application-related security incidents, auditing, and compliance efforts. However, these
logs are often in proprietary formats that make them more difficult to use, and the data they contain
is often highly context-dependent, necessitating more resources to review their contents.
A log management infrastructure is usually built in three tiers: the hosts that generate logs, the servers
that collect, analyse and store them, and the consoles used to monitor them.
Log Generation
The first tier contains the hosts that generate the log data. Some hosts run logging client
applications or services that make their log data available through networks to log servers
in the second tier. Other hosts make their logs available through other means, such as
allowing the servers to authenticate to them and retrieve copies of the log files.
Log Analysis and Storage
The second tier is composed of one or more log servers that receive log data, or copies of log
data, from the hosts in the first tier. The data is transferred to the servers either in real time
or near real time, or in occasional batches based on a schedule or the amount of log data
waiting to be transferred. Servers that receive log data from multiple log generators are
sometimes called collectors or aggregators.
Log Monitoring
The third tier contains consoles that may be used to monitor and review log data and the
results of automated analysis. Log monitoring consoles can also be used to generate
reports. In some log management infrastructures, consoles can also be used to provide
management for the log servers and clients. Also, console user privileges sometimes can
be limited to only the necessary functions and data sources for each user.
Log management infrastructures typically perform several functions that assist in the storage,
analysis, and disposal of log data. These functions are normally performed in such a way that they do
not alter the original logs.
Log parsing is extracting data from a log so that the parsed values can be used as input for another
logging process. A simple example of parsing is reading a text-based log file that contains 10 comma-
separated values per line and extracting the 10 values from each line.
Parsing is performed as part of many other logging functions, such as log conversion and log
viewing.
Event filtering is the suppression of log entries from analysis, reporting, or long-term storage
because their characteristics indicate that they are unlikely to contain information of interest.
For example, duplicate entries and standard informational entries might be filtered because they
do not provide useful information to log analysts. Typically, filtering does not affect the generation
or short-term storage of events because it does not alter the original log files.
In event aggregation, similar entries are consolidated into a single entry containing a count of the
number of occurrences of the event. For example, a thousand entries that each record part of a
scan could be aggregated into a single entry that indicates how many hosts were scanned.
Aggregation is often performed as logs are originally generated (the generator counts similar
related events and periodically writes a log entry containing the count), and it can also be
performed as part of log reduction or event correlation processes, which are described below.
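As an added example (not code from the handbook or from any product it mentions), the following Python applies both functions to a constructed firewall log: informational entries and exact duplicates are filtered out, and the remaining DENY entries are consolidated per source address into one summary entry carrying a count, the set of hosts touched and the time span. The record layout, the addresses and the severity names are assumptions for the example. The original list is never modified, which is the point made above that filtering does not alter the original log.

```python
"""Event filtering and aggregation over a constructed firewall log.

Added example, not code from the handbook. Record layout is an assumption:
(timestamp, severity, source device, service, source IP, destination IP).
"""
from collections import OrderedDict

SAMPLE_LOG = [  # constructed sample data
    ("2015-12-01T10:00:00Z", "INFO", "fw01", "configuration reloaded", None, None),
    ("2015-12-01T10:00:05Z", "DENY", "fw01", "tcp/22", "203.0.113.5", "10.0.0.1"),
    ("2015-12-01T10:00:05Z", "DENY", "fw01", "tcp/22", "203.0.113.5", "10.0.0.1"),  # exact duplicate
    ("2015-12-01T10:00:06Z", "DENY", "fw01", "tcp/22", "203.0.113.5", "10.0.0.2"),
    ("2015-12-01T10:00:06Z", "DENY", "fw01", "tcp/22", "203.0.113.5", "10.0.0.3"),
    ("2015-12-01T10:00:07Z", "INFO", "fw01", "heartbeat", None, None),
    ("2015-12-01T10:00:07Z", "DENY", "fw01", "tcp/22", "203.0.113.5", "10.0.0.4"),
    ("2015-12-01T10:00:09Z", "ALLOW", "fw01", "tcp/443", "198.51.100.7", "10.0.0.10"),
    ("2015-12-01T10:00:12Z", "DENY", "fw01", "tcp/3389", "198.51.100.7", "10.0.0.10"),
]


def filter_events(events, drop_severities=("INFO",)):
    """Suppress entries unlikely to be of interest for analysis: standard
    informational entries and exact duplicates. Returns a new list and leaves
    the input (the 'original log') untouched."""
    seen = set()
    kept = []
    for ev in events:
        if ev[1] in drop_severities or ev in seen:
            continue
        seen.add(ev)
        kept.append(ev)
    return kept


def aggregate_denies(events):
    """Consolidate DENY entries per source address into a single entry that
    carries a count, the distinct destination hosts, the services tried and
    the time span, so a scan spread over many lines becomes one record."""
    groups = OrderedDict()
    for ts, severity, _device, service, src_ip, dst_ip in events:
        if severity != "DENY":
            continue
        g = groups.setdefault(src_ip, {"src_ip": src_ip, "count": 0, "hosts": set(),
                                       "services": set(), "first": ts, "last": ts})
        g["count"] += 1
        g["hosts"].add(dst_ip)
        g["services"].add(service)
        g["last"] = ts
    return sorted(groups.values(), key=lambda g: g["count"], reverse=True)


def summarize(aggregated):
    """Render each aggregated record as one human-readable log line."""
    return [f"{g['first']}..{g['last']} DENY from {g['src_ip']}: {g['count']} entries, "
            f"{len(g['hosts'])} hosts, services {sorted(g['services'])}"
            for g in aggregated]
```

Running `summarize(aggregate_denies(filter_events(SAMPLE_LOG)))` turns four separate SSH denies from 203.0.113.5 into one line reporting four entries against four hosts, while the single RDP deny from 198.51.100.7 stays a one-entry record. Note that the duplicate and the two INFO lines are dropped only from the analysis copy; SAMPLE_LOG still has all nine entries.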
Storage
Log rotation is closing a log file and opening a new log file when the first file is considered to be
complete. Log rotation is typically performed according to a schedule (e.g., hourly, daily, weekly) or
when a log file reaches a certain size. The primary benefits of log rotation are preserving log entries
and keeping the size of log files manageable. When a log file is rotated, the preserved log file can be
compressed to save space. Also, during log rotation, scripts are often run that act on the archived log.
For example, a script might analyse the old log to identify malicious activity, or might perform filtering
that causes only log entries meeting certain characteristics to be preserved. Many log generators offer
log rotation capabilities; many log files can also be rotated through simple scripts or third-party
utilities, which in some cases offer features not provided by the log generators.
Log archival is retaining logs for an extended period of time, typically on removable media, a storage
area network (SAN), or a specialized log archival appliance or server. Logs often need to be preserved
to meet legal or regulatory requirements.
There are two types of log archival: retention and preservation. Log retention is archiving logs on a
regular basis as part of standard operational activities. Log preservation is keeping logs that normally
would be discarded, because they contain records of activity of particular interest. Log preservation is
typically performed in support of incident handling or investigations.
Log compression is storing a log file in a way that reduces the amount of storage space needed for the
file without altering the meaning of its contents. Log compression is often performed when logs are
rotated or archived.
Log reduction is removing unneeded entries from a log to create a new log that is smaller. A similar
process is event reduction, which removes unneeded data fields from all log entries. Log and event
reduction are often performed in conjunction with log archival so that only the log entries and data
fields of interest are placed into long-term storage.
Log conversion is parsing a log in one format and storing its entries in a second format. For example,
conversion could take data from a log stored in a database and save it in an XML format in a text file.
Many log generators can convert their own logs to another format; third-party conversion utilities are
also available. Log conversion sometimes includes actions such as filtering, aggregation, and
normalization.
In log normalization, each log data field is converted to a particular data representation and
categorized consistently. One of the most common uses of normalization is storing dates and times in a
single format. For example, one log generator might store the event time in a twelve-hour format
(2:34:56 P.M. EDT) categorized as Timestamp, while another log generator might store it in
twenty-four-hour format (14:34) categorized as Event Time, with the time zone stored in a different
notation (-0400) in a different field categorized as Time Zone. Normalizing the data makes analysis
and reporting much easier when multiple log formats are in use; converting every timestamp to a single
zone (usually UTC) also avoids correlation errors when sources sit in different zones or shift with
daylight saving time. However, normalization can be very resource-intensive, especially for complex log
entries (e.g., typical intrusion detection logs).
Log file integrity checking involves calculating a message digest for each file and storing the message
digest securely to ensure that changes to archived logs are detected. A message digest (cryptographic
hash) is a fixed-length value computed from the data; it is not itself a digital signature, but it has the
property that changing a single bit of the data causes a completely different digest to be produced.
MD5 and Secure Hash Algorithm 1 (SHA-1) were long the most commonly used digest algorithms, but
neither is collision-resistant any more and they should not be used for new deployments; SHA-256 or
another SHA-2 or SHA-3 function is the current choice. If the log file is modified and its digest is
recalculated, it will not match the original digest, indicating that the file has been altered. Because an
attacker who can alter a log can usually also alter a digest stored beside it, the original digests must
themselves be protected from alteration: by signing them or computing an HMAC over them with a
FIPS-approved algorithm and a key the log host does not hold, by storing them on read-only or
write-once media, or by other suitable means. Encrypting the digests alone does not achieve this, since
encryption hides a value but does not stop it from being replaced.
Analysis
Event correlation is finding relationships between two or more log entries. The most common form
of event correlation is rule-based correlation, which matches multiple log entries from a single source
or multiple sources based on logged values, such as timestamps, IP addresses, and event types.
Correlation across sources depends on synchronised clocks (for example through NTP) and normalised
timestamps; an unsynchronised source can make a cause appear to follow its effect.
Event correlation can also be performed in other ways, such as using statistical methods or
visualization tools. If correlation is performed through automated methods, generally the result of
successful correlation is a new log entry that brings together the pieces of information into a single
place. Depending on the nature of that information, the infrastructure might also generate an alert to
indicate that the identified event needs further investigation.
Log viewing is displaying log entries in a human-readable format. Most log generators provide some
sort of log viewing capability; third-party log viewing utilities are also available. Some log viewers
provide filtering and aggregation capabilities.
Log reporting is displaying the results of log analysis. Log reporting is often performed to summarize
significant activity over a particular period of time or to record detailed information related to a
particular event or series of events.
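The rotation, compression and integrity-checking functions described under Storage above, combined into one archive step. This is an added example and not code from the handbook or from any product it mentions: when a log exceeds a size limit it is renamed, gzip-compressed, and its SHA-256 digest is written to a manifest whose lines are protected with an HMAC keyed by a secret the log host is assumed not to hold (kept by the collector or on a separate system). The paths, the key, the size limit and the log content are assumptions for the example.

```python
"""Log rotation, compression and integrity checking in one archive step.

Added example, not code from the handbook. The HMAC key is assumed to be held
off the log host; with it, an attacker who can edit the archive cannot also
rewrite the digest without the tampering being detected.
"""
import gzip
import hashlib
import hmac
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.jsonl"


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large archives are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _manifest_mac(key, name, digest):
    return hmac.new(key, f"{name}\n{digest}".encode(), hashlib.sha256).hexdigest()


def rotate_if_needed(log_path, archive_dir, key, max_bytes, stamp=None):
    """Rotate when the log is larger than max_bytes. Returns the archive path,
    or None when no rotation was needed."""
    log_path, archive_dir = Path(log_path), Path(archive_dir)
    if not log_path.exists() or log_path.stat().st_size <= max_bytes:
        return None
    archive_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d%H%M%S", time.gmtime())
    rotated = archive_dir / f"{log_path.name}.{stamp}"
    os.replace(log_path, rotated)          # close the old file by renaming it...
    log_path.touch()                       # ...and open a fresh, empty log
    archived = Path(f"{rotated}.gz")
    with open(rotated, "rb") as src, gzip.open(str(archived), "wb") as dst:
        shutil.copyfileobj(src, dst)       # compress the preserved copy
    rotated.unlink()
    digest = sha256_file(archived)         # digest of what is actually stored
    entry = {"file": archived.name, "sha256": digest,
             "mac": _manifest_mac(key, archived.name, digest)}
    with open(archive_dir / MANIFEST, "a") as m:
        m.write(json.dumps(entry) + "\n")
    return archived


def verify_archive(archive_dir, key):
    """Recheck every manifest entry. Returns {file: 'ok' | 'tampered' |
    'missing' | 'bad manifest'}; 'bad manifest' means the entry itself was
    altered or the wrong key was supplied."""
    archive_dir, results = Path(archive_dir), {}
    with open(archive_dir / MANIFEST) as m:
        for line in m:
            e = json.loads(line)
            if not hmac.compare_digest(_manifest_mac(key, e["file"], e["sha256"]), e["mac"]):
                results[e["file"]] = "bad manifest"
                continue
            target = archive_dir / e["file"]
            if not target.exists():
                results[e["file"]] = "missing"
            else:
                results[e["file"]] = "ok" if sha256_file(target) == e["sha256"] else "tampered"
    return results


def run_demo():
    """Round trip in a temporary directory: rotate, verify, tamper, re-verify."""
    base = Path(tempfile.mkdtemp(prefix="logarchive-"))
    log, archive, key = base / "app.log", base / "archive", b"example-key-held-off-host"
    log.write_text("2015-12-01 10:00:00 auth login user=alice result=ok\n" * 100)
    out = {"below_limit": rotate_if_needed(log, archive, key, max_bytes=10_000_000)}
    arc = rotate_if_needed(log, archive, key, max_bytes=100, stamp="20151201100000")
    out.update(archive_name=arc.name, new_log_size=log.stat().st_size,
               clean=verify_archive(archive, key)[arc.name])
    with open(arc, "ab") as f:             # simulate someone editing the archive
        f.write(b"\x00")
    out["after_tamper"] = verify_archive(archive, key)[arc.name]
    out["wrong_key"] = verify_archive(archive, b"wrong-key")[arc.name]
    shutil.rmtree(base)
    return out
```

The rename-then-reopen step assumes the log generator reopens its file after rotation (most daemons do so on a signal or on the next write); a process that keeps writing to the old descriptor would continue to fill the renamed file. Verifying with the wrong key reports "bad manifest" rather than "ok", which is the behaviour that matters: a digest list that anyone on the host can regenerate proves nothing.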
Disposal
Log clearing is removing all entries from a log that precede a certain date and time. Log clearing is
often performed to remove old log data that is no longer needed on a system because it is not of
importance or it has been archived.
System-level administrators are typically responsible for the following log management tasks:
Configure the log sources, including log generation, storage, and security
Perform analysis of log data
Initiate appropriate responses to identified events
Manage the long-term storage of log data.
To configure log sources, administrators need to ensure that each source captures the necessary
information in the desired format and locations, and retains the information for the appropriate
period of time.
Administrators also need to determine which of their hosts and host components must or should
participate in the log management infrastructure.
A single log file might contain information from several sources, such as an OS log containing
information from the OS itself and several security software programs and applications, so
administrators ascertain which log sources use each log file.
For each identified log source, administrators determine which types of events the source
must or should log, as well as which data characteristics must or should be logged for each type
of event.
The administrator’s ability to configure each log source is dependent on the features offered by that
particular type of log source. For example, some log sources offer very granular configuration options,
while some offer no granularity at all—logging is simply enabled or disabled, with no control over what
is logged. This section discusses log source configuration in three categories: log generation, log
storage and disposal, and log security.
Event Logs
Event logs are special files that record significant events on your computer, such as when a user logs
on to the computer or when a program encounters an error.
Whenever the significant types of events occur, Windows records the event in an event log that you
can read by using Event Viewer. Advanced users might find the details in event logs helpful when
troubleshooting problems with Windows and other programs.
Event Viewer tracks information in several different logs. Windows Logs include:
Application (program) events
Events are classified as error, warning, or information, depending on the severity of the event. An
error is a significant problem, such as loss of data. A warning is an event that isn't necessarily
significant, but might indicate a possible future problem. An information event describes the
successful operation of a program, driver, or service.
Security-related events
These events are called audits and are described as successful or failed depending on the event,
such as whether a user trying to log on to Windows was successful.
Setup events
Computers that are configured as domain controllers will have additional logs displayed here.
System events
System events are logged by Windows and Windows system services, and are classified as error,
warning, or information.
Forwarded events
These events are forwarded to this log by other computers.
Applications and Services Logs vary. They include separate logs about the programs that run on your
computer, as well as more detailed logs that pertain to specific Windows services.
Open Event Viewer by clicking the Start button, clicking Control Panel, clicking System and Security,
clicking Administrative Tools, and then double-clicking Event Viewer. Administrator permission is
required: if you are prompted for an administrator password or confirmation, type the password or
provide the confirmation.
1. Click Start, select Programs, select Administrative Tools, and click Computer Management.
2. In the console tree, expand Event Viewer. Right-click Security and select Properties.
3. The Security Properties window will appear. Here authorized administrators can set
the Maximum log size and select what action to take when the maximum log size is reached.
To retain all the events in the log, click Do not overwrite events (clear log manually). This option
requires that logs be cleared manually: when the maximum log size is reached, new events are
discarded until the log is cleared, and a message stating that the log is full is displayed. Discarded
security events are a blind spot for detection, so this setting is only appropriate where the log is
archived and cleared on a reliable schedule; otherwise prefer Overwrite events as needed (or, on
Windows Vista and later, Archive the log when full, do not overwrite events) together with a large
maximum size and forwarding of events to a central log server.
1. After establishing the security log settings, click the Apply button.
5. Once all the desired filtering options have been selected, click the Apply button and click OK. The
Event Viewer will filter the log and display the information as defined by the filter.
Logon Types are logged in the Logon Type field of logon events. On Windows 2000, XP and Server 2003
these are event IDs 528 and 540 for successful logons, and 529-537 and 539 for failed logons; on
Windows Vista, Server 2008 and later they are consolidated into event ID 4624 for successful and
4625 for failed logons, with the same Logon Type values.
Windows supports the following logon types and associated logon type values:
2: Interactive logon—This is used for a logon at the console of a computer. A type 2 logon is
logged when you attempt to log on at a Windows computer’s local keyboard and screen.
3: Network logon—This logon occurs when you access remote file shares or printers. Also, most
logons to Internet Information Services (IIS) are classified as network logons, other than IIS logons
that use the basic authentication protocol (those are logged as logon type 8).
4: Batch logon—This is used for scheduled tasks. When the Windows Scheduler service starts a
scheduled task, it first creates a new logon session for the task, so that it can run in the security
context of the account that was specified when the task was created.
5: Service logon—This is used for services and service accounts that log on to start a service.
When a service starts, Windows first creates a logon session for the user account that is specified
in the service configuration.
7: Unlock—This is used whenever you unlock your Windows machine.
8: Network clear text logon—This is used when you log on over a network and the password is
sent in clear text. This happens, for example, when you use basic authentication to authenticate
to an IIS server.
9: New credentials-based logon—This is used when you run an application using the RunAs
command and specify the /netonly switch. When you start a program with RunAs using /netonly,
the program starts in a new logon session that has the same local identity (this is the identity of
the user you are currently logged on with), but uses different credentials (the ones specified in the
runas command) for other network connections. Without /netonly, Windows runs the program on
the local computer and on the network as the user specified in the runas command, and logs the
logon event with type 2.
10: Remote Interactive logon—This is used for RDP-based applications like Terminal Services,
Remote Desktop or Remote Assistance.
11: Cached Interactive logon—This is logged when users log on using cached credentials, which
basically means that in the absence of a domain controller, you can still log on to your local
machine using your domain credentials. Windows supports logon using cached credentials to ease
the life of mobile users and users who are often disconnected.
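Rule-based event correlation, as described under Analysis above, applied to the logon types listed here. This is an added example, not code from the handbook or from Windows: it walks constructed Windows Security events (Vista-and-later IDs 4624 and 4625) in time order and raises an alert when a success follows a burst of failures from the same source, when a successful type 8 logon shows that a password crossed the network in clear, and when a type 10 (RDP) logon comes from outside an assumed administrative subnet. The event layout, addresses, threshold, window and subnet are all assumptions for the example.

```python
"""Rule-based correlation over constructed Windows Security logon events.

Added example, not code from the handbook. Events use the Vista-and-later IDs
(4624 success, 4625 failure) with the Logon Type values listed above. The
event layout, sample addresses, failure threshold/window and 'admin subnet'
are assumptions for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}


def _ev(clock, event_id, account, logon_type, src_ip):
    return {"time": datetime.strptime(f"2015-12-01 {clock}", "%Y-%m-%d %H:%M:%S"),
            "event_id": event_id, "account": account, "logon_type": logon_type,
            "src_ip": src_ip}


SAMPLE_EVENTS = [  # constructed sample data
    _ev("10:00:00", 4625, "alice", 3, "203.0.113.9"),
    _ev("10:00:05", 4625, "alice", 3, "203.0.113.9"),
    _ev("10:00:10", 4625, "alice", 3, "203.0.113.9"),
    _ev("10:00:15", 4625, "alice", 3, "203.0.113.9"),
    _ev("10:00:20", 4625, "alice", 3, "203.0.113.9"),
    _ev("10:00:30", 4624, "alice", 3, "203.0.113.9"),     # success after 5 failures
    _ev("10:05:00", 4624, "bob", 2, "10.0.0.50"),         # console logon, benign
    _ev("10:06:00", 4624, "svc-web", 8, "198.51.100.4"),  # password sent in clear
    _ev("10:07:00", 4624, "admin", 10, "10.0.0.51"),      # RDP from admin subnet
    _ev("10:08:00", 4624, "admin", 10, "203.0.113.77"),   # RDP from outside it
    _ev("10:09:00", 4625, "carol", 2, "10.0.0.60"),
    _ev("10:09:03", 4625, "carol", 2, "10.0.0.60"),       # two typos, below threshold
    _ev("10:09:10", 4624, "carol", 2, "10.0.0.60"),
]


def correlate(events, fail_threshold=5, window=timedelta(minutes=2),
              admin_net=ip_network("10.0.0.0/24")):
    """Walk the events in time order and emit alerts for three rules:
    (1) a success from a source that produced >= fail_threshold failures
        within `window` (password guessing that worked);
    (2) any successful logon of type 8 (credentials crossed the network in clear);
    (3) a remote interactive (type 10) logon from outside the admin subnet."""
    recent_failures = defaultdict(deque)   # src_ip -> failure timestamps in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ip, t = ev["src_ip"], ev["time"]
        queue = recent_failures[ip]
        while queue and t - queue[0] > window:   # expire failures older than window
            queue.popleft()
        if ev["event_id"] == 4625:
            queue.append(t)
            continue
        if ev["event_id"] != 4624:
            continue
        base = {"time": t.isoformat(), "account": ev["account"], "src_ip": ip,
                "logon_type": LOGON_TYPES.get(ev["logon_type"], str(ev["logon_type"]))}
        if len(queue) >= fail_threshold:
            alerts.append({"rule": "password-guessing-success", "failures": len(queue), **base})
            queue.clear()
        if ev["logon_type"] == 8:
            alerts.append({"rule": "cleartext-network-logon", **base})
        if ev["logon_type"] == 10 and ip_address(ip) not in admin_net:
            alerts.append({"rule": "rdp-from-unexpected-source", **base})
    return alerts
```

With the defaults, `correlate(SAMPLE_EVENTS)` returns three alerts: the guessed password for alice, the clear-text logon of svc-web, and the RDP session from 203.0.113.77. Carol's two mistyped passwords stay below the threshold, which is the tuning decision every such rule forces: lower thresholds catch slower guessing but alert on ordinary typos.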
How to Read the Windows Application, Security, and System Log Files
The Windows application, security, and system log files can be read with a Windows application called
“Event Viewer,” which is accessed through the Control Panel:
Click the Start button on the desktop’s Taskbar
Click the Control Panel menu item
The Control Panel’s window will open
In the Control Panel, double-click the Administrative Tools icon
The Administrative Tools window will open with a list of different icons
Double click the Event Viewer icon
Many log files that software applications use are written as plain text files, making it possible to use
any text editor, such as Notepad or WordPad, to read the generated log files. To read .txt files
in WordPad:
Internet Information Services (IIS) is a web server developed by Microsoft for use with Windows
Server. The server is meant for a variety of hosting uses while attempting to maintain a high level of
flexibility and scalability.
To help with server use and analysis, IIS is integrated with several types of log files. These log file
formats provide information on a range of websites and specific statistics, including Internet Protocol
(IP) addresses, user information and site visits as well as dates, times and queries.
IIS provides six different log file formats that you can use to track and analyse information about your
IIS-based sites and services. In addition to the six available formats, you can create your own custom
log file format.
The following log file formats and logging options are available in IIS:
W3C Extended Log File Format Text-based, customizable format for a single site. This is the
default format.
W3C Centralized Logging All data from all Web sites is recorded in a single log file in the W3C
log file format.
NCSA Common Log File Format Text-based, fixed format for a single site.
IIS Log File Format Text-based, fixed format for a single site.
ODBC Logging Fixed format for a single site. Data is recorded in an ODBC-compliant database.
Centralized Binary Logging Binary-based, unformatted data that is not customizable. Data is
recorded from multiple Web sites and sent to a single log file. To interpret the data, you need
a special parser.
HTTP.sys Error Log Files Fixed format for HTTP.sys-generated errors.
You can read text-based log files using a text editor such as Notepad, which is included with Windows,
but administrators often import the files into a report-generating software tool for further analysis.
IIS logs, when properly analysed, provide information about demographics and usage of the IIS web
server. By tracking usage data, web providers can better tailor their services to support specific
regions, time frames or IP ranges. Log filters also allow providers to track only the data deemed
necessary for analysis.
IIS logs contain crucial information for improving the web site. Log files for an IIS server are the key
source of information for managing the websites hosted on the server. The log files contains a record
of each request from a web user and the response provided by the IIS server. This data is crucial for
marketing, site performance and security. Logs are often the only indication that a user is attempting
to hack into your IIS server. Patterns and trends can be spotted in this data to help you segment your
users for marketing opportunities. IIS log analysis is a critical tool in improving your website.
Internet Information Services (IIS) 6.0 offers a number of ways to record the activity of your Web sites,
File Transfer Protocol (FTP) sites, Network News Transfer Protocol (NNTP) service, and Simple Mail
Transfer Protocol (SMTP) service and allows you to choose the log file format that works best for your
environment. IIS logging is designed to be more detailed than the event logging or performance
monitoring features of the Microsoft® Windows® Server 2003, Standard Edition, Windows® Server
2003, Enterprise Edition, and Windows® Server 2003, Datacenter Edition, operating systems. IIS log
files can include information such as who has visited your site, what was viewed, and when the
information was last viewed. You can monitor attempts to access your sites, virtual folders, or files
and determine whether attempts were made to read or write to your files. IIS log file formats allow
you to record events independently for any site, virtual folder, or file.
Using a text editor, the following steps can be used to analyse the IIS file:
Open the log file labeled as "ex010110.log" in your text editor. The six digits in the log file
name are in the format day, month and year the file was created.
Locate the header information. This is a line starting with "#Fields:". Use this line to determine
the corresponding values in each column.
Use the date and time to identify when the request was created. The "sitename" and
"computername" will indicate what server responded to the request.
Identify the visitor to your web server by the "c-ip", which is the IP address of the visitor's
computer.
The "cs-method" column will most often contain either "post" or "get" depending on the
request made by the visitor's browser. The fields "cs-uri-stem" and "cs-uri-query" will denote
the resource such as an image or web page the visitor requested.
Use the "sc-status" column to determine whether the web server was capable of correctly
responding to the request. A link is provided in the resource section of this article to a
complete list of response codes.
Use the "cs(User-Agent)" to determine what type of browser the visitor used, or if the visitor
is actually a search engine. A link to a list of common user agents has been provided in the
resource area of this article.
Effective analysis of log data is often the most challenging aspect of log management, but is also
usually the most important. Although analysing log data is sometimes perceived by administrators as
uninteresting and inefficient (e.g., little value for much effort), having robust log management
infrastructures and automating as much of the log analysis process as possible can significantly
improve analysis so that it takes less time to perform and produces more valuable results.
The most effective way to gain a solid understanding of log data is to review and analyse portions of
it regularly (e.g., every day). The goal is to eventually gain an understanding of the baseline of typical
log entries, likely encompassing the vast majority of log entries on the system. (Because a few types
of entries often comprise a significant percentage of the log entries, this is not as difficult as it may
first sound.) Daily log reviews should include those entries that have been deemed most likely to be
important, as well as some of the entries that are not yet fully understood. Because it can take
considerable effort to understand the significance of most log entries, the initial days, weeks, or even
months of performing the log analysis process are the most challenging and time-consuming. Over
time, as the baseline of normal activity is broadened and deepened, the daily log reviews should take
less time and be more focused on the most important log entries, thus leading to more valuable
analysis results.
Another motivation for understanding the log entries is so that the analysis process can be automated
as much as possible. By determining which types of log entries are of interest and which are not,
administrators can configure automated filtering of the log entries. This allows events known to be
malicious to be recognized and responded to automatically (e.g., alerting administrators,
reconfiguring other security controls). Another purpose for filtering is to ensure that the manual
analysis performed by administrators is prioritized appropriately. The filtering should be configured
so that it presents administrators with a reasonable number of entries for manual analysis.
Web log analysis software (also called a web log analyzer) is a kind of web analytics software that
parses a server log file from a web server and, based on the values contained in the log file, derives
indicators about when, how, and by whom a web server is visited. Usually reports are generated from
the log files immediately, but the log files can alternatively be parsed into a database and reports
generated on demand.
There are free, open source and paid software tools available for log analysis or management.
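The parsing steps and the automated filtering described above, worked through as an added example (not code from the handbook or from IIS): it reads the #Fields: header, tabulates the c-ip, sc-status and cs(User-Agent) columns, and flags the clients an administrator should review first. The log lines, the browser and crawler prefix lists and the thresholds are constructed assumptions.

```python
"""Parse IIS W3C extended log lines and derive who/when/how indicators.

Added example, not part of the handbook or of IIS. The log below is a
constructed sample in the format IIS writes: spaces inside the user agent
are encoded as '+', and empty fields are written as '-'.
"""
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-01 00:00:00
#Fields: date time s-sitename s-computername c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2010-01-01 00:00:01 W3SVC1 WEB01 203.0.113.5 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+7.0)
2010-01-01 00:00:02 W3SVC1 WEB01 203.0.113.5 GET /images/logo.gif - 200 Mozilla/4.0+(compatible;+MSIE+7.0)
2010-01-01 00:00:03 W3SVC1 WEB01 198.51.100.9 GET /robots.txt - 200 Googlebot/2.1
2010-01-01 00:00:04 W3SVC1 WEB01 192.0.2.77 GET /admin/ - 404 curl/7.19
2010-01-01 00:00:05 W3SVC1 WEB01 192.0.2.77 GET /setup.asp - 404 curl/7.19
2010-01-01 00:00:06 W3SVC1 WEB01 192.0.2.77 POST /login.asp - 500 curl/7.19
"""

BROWSER_PREFIXES = ("Mozilla", "Opera")      # assumed list, extend for your site
KNOWN_CRAWLERS = ("Googlebot", "bingbot")    # assumed list, extend for your site


def parse_iis_log(text):
    """Return one dict per request, keyed by the names in the current #Fields: line."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # IIS writes a fresh #Fields: line whenever the field set changes
            # (for example after a restart), so always use the most recent one.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue                      # data before any header cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue                      # truncated line: skip rather than misalign columns
        rec = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        if rec.get("sc-status") is not None:
            rec["sc-status"] = int(rec["sc-status"])
        if rec.get("cs(User-Agent)") is not None:
            rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
        records.append(rec)
    return records


def request_time(rec):
    """Combine the date and time columns into a datetime."""
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def summarize(records):
    """Who visited, what they got back and what client they used."""
    return {
        "requests_per_ip": Counter(r["c-ip"] for r in records),
        "status_codes": Counter(r["sc-status"] for r in records),
        "user_agents": Counter(r["cs(User-Agent)"] or "" for r in records),
    }


def entries_of_interest(records, error_share=0.5, min_requests=2):
    """Automated filter: map client IP -> reasons it deserves manual review.

    A client is flagged when it made at least `min_requests` requests and
    `error_share` or more of them failed (sc-status >= 400), or when its
    user agent is neither a browser nor a known crawler. The thresholds are
    assumptions; tune them against the site's own baseline.
    """
    per_ip = defaultdict(list)
    for r in records:
        per_ip[r["c-ip"]].append(r)
    flagged = {}
    for ip, reqs in per_ip.items():
        reasons = []
        errors = sum(1 for r in reqs if (r["sc-status"] or 0) >= 400)
        if len(reqs) >= min_requests and errors / len(reqs) >= error_share:
            reasons.append("%d of %d requests failed" % (errors, len(reqs)))
        agents = {r["cs(User-Agent)"] or "" for r in reqs}
        unknown = sorted(a for a in agents
                         if not a.startswith(BROWSER_PREFIXES + KNOWN_CRAWLERS))
        if unknown:
            reasons.append("non-browser user agent: " + ", ".join(unknown))
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    print("first request at", request_time(recs[0]))
    for name, counter in summarize(recs).items():
        print(name, dict(counter))
    for ip, reasons in entries_of_interest(recs).items():
        print("review", ip, "->", "; ".join(reasons))
```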
Response to events
During their log analysis, infrastructure and system-level administrators may identify events of
significance, such as incidents and operational problems that necessitate some type of response.
When an administrator identifies a likely computer security incident, as defined by the organization’s
incident response policies, the administrator should follow the organization’s incident response
procedures to ensure that it is addressed appropriately. Examples of computer security incidents
include a host being infected by malware and a person gaining unauthorized access to a host.
Administrators should perform their own responses to non-incident events, such as minor operational
problems (e.g., misconfiguration of host security software). Some organizations require system-level
administrators to report incidents and logging-related operational problems to infrastructure
administrators so that the infrastructure administrators can better identify additional instances of the
same activities and patterns that cannot be seen at the individual system level. Infrastructure and
system-level administrators should also be prepared to assist incident response teams with their
efforts. For example, when an incident occurs, affected system-level administrators may be asked to
review their systems’ logs for particular signs of malicious activity or to provide copies of their logs to
incident handlers for further analysis. Administrators should also be prepared to alter their logging
configurations as part of a response. Adverse events such as worms often cause unusually large
numbers of events to be logged. This can cause various negative impacts, such as slowing system
performance, overwhelming logging processes, and overwriting recent log entries. Analysts may not
be able to see other events of significance because their records are hidden among all of the other log
entries. Accordingly, administrators may need to reconfigure logging for the short term, long term, or
permanently, depending on the source of the log data, to prevent it from overwhelming the system
and the logs. Administrators may also need to adjust logging to capture more data as part of a
response effort, such as collecting additional information on a particular type of activity. To identify
similar incidents, especially in the short term, administrators may need to perform additional log
monitoring and analysis, such as more closely examining the types of logging sources that recorded
pertinent information on the initial incident.
Summary
Log management: Log management refers to the broad practice of collecting, aggregating and
analysing network data for a variety of purposes.
Security information event management (SIEM) involves the collection and analysis of data
Security software is a major source of computer security log data.
Web proxies often keep a record of all URLs accessed through them.
Routers and firewalls permit or block certain types of network traffic based on a policy;
however, they differ in terms of their level of complexity.
OS logs are most beneficial for identifying or investigating suspicious activity involving a
particular host.
Operating systems and security software provide the foundation and protection for
applications; Applications vary significantly in the types of information that they log and some
of the most commonly logged types of information include:
o Client requests and server responses
o e-mail servers recording the sender, recipients, subject name, and attachment names
for each e-mail
o web servers recording each URL requested and the type of response provided by the
server;
o business applications recording which financial records were accessed by each user
o successful and failed authentication attempts, account changes (e.g., account creation
and deletion, account privilege assignment), and use of privileges
o brute force password guessing and escalation of privileges
o number of transactions occurring in a certain period and size of transactions, etc.
Log management ensures that computer security records are stored in sufficient detail for
an appropriate period of time. A log management infrastructure typically comprises the
following three tiers:
Log Generation: contains the hosts that generate the log data
Log Analysis and Storage: composed of one or more log servers that receive log
data or copies of log data
Log Monitoring: contains consoles that may be used to monitor and review log data
and the results of automated analysis
Log management infrastructures typically perform several functions that assist in the
storage, analysis, and disposal of log data. These functions are normally performed in such
a way that they do not alter the original logs.
Major operational processes for log management are as follows:
Configure the log sources, including log generation, storage, and security
Perform analysis of log data
Initiate appropriate responses to identified events
Manage the long-term storage of log data
Authorized administrators can define security settings for the event logs. The choices are
somewhat limited, and include log size, the length of time a log should be stored, and when
the log should be cleared.
Internet Information Services (IIS) is a web server developed by Microsoft for use with
Windows Server. The server is meant for a variety of hosting uses while attempting to
maintain a high level of flexibility and scalability.
The most effective way to gain a solid understanding of log data is to review and analyse
portions of it regularly (e.g., every day)
Infrastructure and system-level administrators may identify events of significance, such as
incidents and operational problems that necessitate some type of response during log
analysis.
Practical activities:
Activity 1:
Study various log report templates and sources which provide guidance on using log
reports. The various information available in the report should be understood and
possible anomalies listed.
Activity 2:
Work in groups to explore the log configurations of your own training institute server
and generate reports from the servers each week. These should be analysed and
activity reports and inferences from it presented in class by a different group each
week.
Q. What do you understand by the technical phrase “computerized version of tunnel vision”?
Q. State the type of log which is most beneficial for identifying or investigating suspicious activity
involving a particular host.
Event Filtering is extracting data from a log so that the parsed values can be used as input for
another logging process. ( )
Q. Why are log and event reduction performed simultaneously with log archival?
UNIT X
Data Backup
Lesson Plan
10.1. Data Backup
10.2. Types of Backup
10.3. Backup Procedures
10.4. Types of Storage
10.5. Features of a Good Backup Strategy
LESSON PLAN
Lesson Purpose
All electronic information considered of institutional value should be copied onto secure storage
media on a regular basis (i.e., backed up), for disaster recovery and business resumption. Special
backup needs, identified through technical risk analysis, that exceed these requirements should be
accommodated on an individual basis.
Scope
Data custodians are responsible for providing adequate backups to ensure the recovery of data and
systems in the event of failure. Backup provisions allow business processes to be resumed in a
reasonable amount of time with minimal loss of data. Since hardware and software failures can take
many forms, and may occur over time, multiple generations of institutional data backups need to be
maintained.
Full backup
Full backup is a method of backup where all the files and folders selected for the backup will be backed
up. It is commonly used as an initial or first backup followed with subsequent incremental or
differential backups. After several incremental or differential backups, it is common to start over with
a fresh full backup again.
Some also like to do full backups for all backup runs, typically for smaller folders or projects that do
not occupy too much storage space.
Advantages
Restores are fast and easy to manage as the entire list of files and folders are in one backup set.
Easy to maintain and restore different versions.
Disadvantages
Backups can take very long as each file is backed up again every time the full backup is run.
Consumes the most storage space compared to incremental and differential backups. The exact
same files are stored repeatedly, resulting in inefficient use of storage.
Incremental backup
Incremental backup is a backup of all changes made since the last backup. The last backup can be a
full backup or simply the last incremental backup. With incremental backups, one full backup is done
first and subsequent backup runs are just the changed files and new files added since the last backup.
Advantages
Much faster backups
Efficient use of storage space as files are not duplicated. Much less storage space used compared to
running full backups and even differential backups.
Disadvantages
Restores are slower than with a full backup and differential backups.
Restores are a little more complicated. All backup sets (first full backup and all incremental backups)
are needed to perform a restore.
Differential backups
Differential backups fall between full backups and incremental backups. A differential
backup is a backup of all changes made since the last full backup. With differential backups, one full
backup is done first and subsequent backup runs are the changes made since the last full backup. The
result is a much faster backup than a full backup for each backup run. Storage space used is less than
a full backup but more than Incremental backups. Restores are slower than with a full backup but
usually faster than Incremental backups.
Advantages
Much faster backups than full backups
More efficient use of storage space than full backups since only files changed since the last full
backup will be copied on each differential backup run.
Faster restores than incremental backups
Disadvantages
Backups are slower than incremental backups
Not as efficient use of storage space as compared to incremental backups. All files added or edited
after the initial full backup will be duplicated again with each subsequent differential backup.
Restores are slower than with full backups.
Restores are a little more complicated than full backups but simpler than incremental backups. Only
the full backup set and the last differential backup are needed to perform a restore.
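The trade-offs between full, incremental and differential backups, checked with an added simulation (not code from the handbook): it records what each run copies on a constructed four-day change history and computes which sets a restore needs and how much storage the chain consumes. The strategy names, the schedule and the change history are assumptions made for the example.

```python
"""Compare full, incremental and differential backup chains.

Added example, not from the handbook. Each day's changes on the source are
recorded as name -> content; a run stores the files it would copy, so the
storage, restore-chain length and restore complexity described in the text
can be measured directly.
"""
from dataclasses import dataclass


@dataclass
class BackupRun:
    day: int
    kind: str     # "full", "incremental" or "differential"
    files: dict   # file name -> content captured by this run


# Constructed history: what changed on the source each day (name -> content).
CHANGES = [
    {"a": "a1", "b": "b1", "c": "c1"},   # day 1: everything is new
    {"a": "a2"},                         # day 2
    {"b": "b2"},                         # day 3
    {"a": "a3"},                         # day 4
]


def plan_backups(daily_changes, strategy, full_every):
    """Run a full backup on day 1 and every `full_every` days, and the chosen
    strategy ("incremental" or "differential") on the days in between."""
    if strategy not in ("incremental", "differential"):
        raise ValueError("strategy must be 'incremental' or 'differential'")
    runs, source, since_full, since_last = [], {}, {}, {}
    for day, changes in enumerate(daily_changes, start=1):
        source.update(changes)
        since_full.update(changes)
        since_last.update(changes)
        if (day - 1) % full_every == 0:
            runs.append(BackupRun(day, "full", dict(source)))
            since_full, since_last = {}, {}
        elif strategy == "incremental":
            # only what changed since the previous run of any kind
            runs.append(BackupRun(day, "incremental", dict(since_last)))
            since_last = {}
        else:
            # everything changed since the last full, copied again on each run
            runs.append(BackupRun(day, "differential", dict(since_full)))
            since_last = {}
    return runs


def restore_chain(runs, target_day):
    """The backup sets needed to rebuild the source as of `target_day`."""
    usable = [r for r in runs if r.day <= target_day]
    fulls = [r for r in usable if r.kind == "full"]
    if not fulls:
        raise ValueError("no full backup on or before day %d" % target_day)
    last_full = max(fulls, key=lambda r: r.day)
    later = [r for r in usable if r.day > last_full.day]
    chain = [last_full] + [r for r in later if r.kind == "incremental"]
    differentials = [r for r in later if r.kind == "differential"]
    if differentials:
        chain.append(differentials[-1])   # only the latest differential is needed
    return chain


def restore(runs, target_day):
    """Apply the chain in order; a missing incremental set would corrupt the result."""
    state = {}
    for r in restore_chain(runs, target_day):
        state.update(r.files)
    return state


def storage_used(runs):
    """Bytes held across all backup sets (content length stands in for file size)."""
    return sum(len(v) for r in runs for v in r.files.values())


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        runs = plan_backups(CHANGES, strategy, full_every=7)
        chain = restore_chain(runs, 4)
        print(strategy, "sets needed:", [(r.day, r.kind) for r in chain],
              "storage:", storage_used(runs), "restored:", restore(runs, 4))
```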
Mirror backups
Mirror backups are as the name suggests a mirror of the source being backed up. With mirror backups,
when a file in the source is deleted, that file is eventually also deleted in the mirror backup. Because
of this, mirror backups should be used with caution, as a file that is deleted by accident, sabotage or
through a virus may also cause that same file in the mirror to be deleted as well. Some do not consider a
mirror to be a backup.
Many online backup services offer a mirror backup with a 30-day delete. This means that when you
delete a file on your source, that file is kept on the storage server for at least 30 days before it is
eventually deleted. This helps strike a balance offering a level of safety while not allowing the backups
to keep growing since online storage can be relatively expensive.
Advantages
The backup is clean and does not contain old and obsolete files
Disadvantages
There is a chance that files in the source deleted accidentally, by sabotage or through a virus may
also be deleted from the backup mirror.
Full PC backup
Full PC backup or full computer backup typically involves backing up entire images of the computer’s
hard drives rather than individual files and folders. The drive image is like a snapshot of the drive. It
may be stored compressed or uncompressed.
With other file backups, only the user’s documents, pictures, videos and music files can be restored
while the operating system, programs etc. need to be reinstalled from their source download or disc
media.
With the full PC backup however, you can restore the hard drives to their exact state when the backup
was done. Hence, not only can the documents, pictures, videos and audio files be restored but the
operating system, hardware drivers, system files, registry, programs, emails etc. In other words, a full
PC backup can restore a crashed computer to its exact state at the time the backup was made.
Advantages
A crashed computer can be restored in minutes with all programs, databases, emails etc. intact. No
need to install the operating system and programs or configure settings.
Ideal backup solution for a hard drive failure.
Disadvantages
May not be able to restore on a completely new computer with a different motherboard, CPU,
display adapters, sound card etc.
Any problems that were present on the computer (like viruses, misconfigured drivers, unused
programs etc.) at the time of the backup may still be present after a full restore.
Local backup
A local backup is any backup where the storage medium is kept close at hand. Typically, the storage
medium is plugged in directly to the source computer being backed up or is connected through a local
area network to the source being backed up.
Advantages
Offers good protection from hard drive failures, virus attacks, accidental deletes and deliberate
employee sabotage on the source data.
Very fast backup and very fast restore.
Storage cost can be very cheap when the right storage medium is used, such as external hard drives
Data transfer cost to the storage medium can be negligible or very cheap
Since the backups are stored close by, they are very conveniently obtained whenever needed for
backups and restores.
Full internal control over the backup storage media and the security of the data on it. There is no
need to entrust the storage media to third parties.
Disadvantages
Since the backup is stored close to the source, it does not offer good protection against theft,
fire, flood, earthquakes and other natural disasters. When the source is damaged by any of these
circumstances, there’s a good chance the backup will be also damaged.
Offsite Backup
Any backup where the backup storage medium is kept at a different geographic location from
the source is known as an offsite backup. The backup may be done locally at first on the usual
storage devices but once the storage medium is brought to another location, it becomes an
offsite backup.
Advantages
Offers additional protection when compared to local backup such as protection from theft, fire,
flood, earthquakes, hurricanes and more.
Disadvantages
Except for online backups, it requires more due diligence to bring the storage media to the offsite
location.
May cost more as people usually need to rotate between several storage devices. For example, when
keeping backups in a bank deposit box, people usually use 2 or 3 hard drives and rotate between them, so
at least one drive will be in storage at any time while another is removed to perform the backup.
Because of increased handling of the storage devices, the risk of damaging delicate hard disks is
higher (this does not apply to online storage).
Online backup
An online backup is a backup done on an ongoing basis to a storage medium that is always connected
to the source being backed up. The term “online” refers to the storage device or facility being always
connected. Typically, the storage medium or facility is located offsite and connected to the backup
source by a network or Internet connection. It does not involve human intervention to plug in drives
and storage media for backups to run.
Many commercial data centers now offer this as a subscription service to consumers. The storage data
centers are located away from the source being backed up and the data is sent from the source to the
storage center securely over the Internet.
Typically, a client application is installed on the source computer being backed up. Users can define
what folders and files they want to back up and at what times of the day they want the backups to run.
The data may be compressed and encrypted before being sent over the Internet to the storage data
center.
The storage facility is a commercial data center located away from the source computers being backed
up. Typically, they are built to certain fire and earthquake safety specifications. They have higher
security standards with CCTV and round the clock monitoring. They typically have backup generators
to deal with grid power outages and the facility is temperature controlled. Data is not just stored in
one physical medium but replicated across several devices. These facilities are usually serviced by
multiple redundant Internet connections so there is no single point of failure to bring the service down.
Advantages
Offers the best protection against fires, theft and natural disasters.
Because data is replicated across several storage media, the risk of data loss from hardware failure
is very low.
Because backups are frequent or continuous, data loss is very minimal compared to other backups
that are run less frequently.
Because it is online, it requires little human or manual interaction after it is set up.
Disadvantages
Is a more expensive option than local backups.
Initial or first backups can be a slow process spanning a few days or weeks depending on Internet
connection speed and the amount of data backed up.
Can be slow to restore.
Remote backups
Remote backups are a form of offsite backup with a difference being that you can access, restore or
administer the backups while located at your source location or other physical location. The term
“remote” refers to the ability to control or administer the backups from another location.
You do not need to be physically present at the backup storage facility to access the backups.
Putting your backup hard drive at your bank safe deposit box would not be considered a remote
backup. You cannot administer or access it without making a trip to the bank. The term “remote
backup” is often used loosely and interchangeably with “online backup” and “cloud backup”.
Advantages
Much better protection from natural disasters than local backups.
Easier administration as it does not need a physical trip to the offsite backup location.
Disadvantages
More expensive than local backups
Can take longer to backup and restore than local backups
Cloud backup
Cloud backup is a term often used loosely and interchangeably with Online Backup and Remote
Backup. This is a type of backup where data is backed up to a storage server or facility connected to
the source via the Internet. With the proper login credentials, that backup can then be accessed
securely from any other computer with an Internet connection. The term “cloud” refers to the backup
storage facility being accessible from the Internet.
Advantages
Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural
disasters.
Able to easily connect and access the backup with just an Internet connection.
Data is replicated across several storage devices and usually serviced by multiple internet
connections so the system is not at the mercy of a single point of failure.
When the service is provided by a good commercial data center, the service is managed and protection
is unparalleled.
Disadvantages
More expensive than local backups
Can take longer to backup and restore
FTP Backup
This is a kind of backup where the backup is done via the File Transfer Protocol (FTP) over the Internet
to an FTP Server. Typically, the FTP Server is located in a commercial data center away from the source
data being backed up. When the FTP server is located at a different location, this is another form of
offsite backup.
Advantages
Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural
disasters.
Able to easily connect and access the backup with just an Internet connection.
Disadvantages
More expensive than local backups
Can take longer to backup and restore. Backup and restore times are dependent on the Internet
connection.
We recommend keeping 3 copies of any important file (a primary and two backups)
We recommend having the files on 2 different media types (such as hard drive and optical media), to
protect against different types of hazards.*
frequency,
data backup retention,
testing,
media replacement,
recovery time,
roles and responsibilities
Data Backup Retention. Retention of backup data must meet System and institution
requirements for critical data.
Testing - Restoration of backup data must be performed and validated on all types of media
in use periodically.
Media Replacement - Backup media should be replaced according to manufacturer
recommendations.
Recovery Time - The recovery time objective (RTO) must be defined and support business
requirements.
Roles and Responsibilities - Appropriate roles and responsibilities must be defined for data
backup and restoration to ensure timeliness and accountability.
Offsite Storage - Removable backup media taken offsite must be stored in an offsite location
that is insured and bonded or in a locked media rated, fire safe.
Onsite Storage - Removable backup media kept onsite must be stored in a locked container
with restricted physical access.
Media Destruction - How to dispose of data storage media in various situations.
Encryption - Non-public data stored on removable backup media must be encrypted. Non-
public data must be encrypted in transit and at rest when sent to an offsite backup facility,
either physically or via electronic transmission.
Third Parties - Third parties' backup handling & storage procedures must meet System, or
institution policy or procedure requirements related to data protection, security and privacy.
These procedures must cover contract terms that include bonding, insurance, disaster
recovery planning and requirements for storage facilities with appropriate environmental
controls.
Definitions
Archive: An archive is a collection of historical data specifically selected for long-term retention and
future reference. It is usually data that is no longer actively used, and is often stored on removable
media.
Backup: A copy of data that may be used to restore the original in the event the latter is lost or
damaged beyond repair. It is a safeguard for data that is being used. Backups are not intended to
provide a means to archive data for future reference or to maintain a versioned history of data to
meet specific retention requirements.
Critical Data: Data that needs to be preserved in support of the institution's ability to recover from
a disaster or to ensure business continuity.
Data: Information collected, stored, transferred or reported for any purpose, whether in computers
or in manual files. Data can include: financial transactions, lists, identifying information about
people, projects or processes, and information in the form of reports. Because data has value, and
because it has various sensitivity classifications defined by federal law and state statute, it must be
protected.
Destruction: Destruction of media includes: disintegration, incineration, pulverizing, shredding, and
melting. Information cannot be restored in any form following destruction.
Media Rated, Fire Safe: A safe designed to maintain internal temperature and humidity levels low
enough to prevent damage to CDs, tapes, and other computer storage devices in a fire. Safes are
rated based on the length of time the contents of a safe are preserved while directly exposed to fire
and high temperatures.
Information Technology Resources: Facilities, technologies, and information resources used for
System information processing, transfer, storage, and communications. Included in this definition
are computer labs, classroom technologies, computing and electronic communications devices and
services, such as modems, e-mail, networks, telephones (including cellular), voice mail, fax
transmissions, video, multimedia, and instructional materials. This definition is not all-inclusive, but
rather, reflects examples of System equipment, supplies and services.
Recovery Point Objective (RPO): Acceptable amount of service or data loss measured in time. The
RPO is the point in time prior to service or data loss that service or data will be recovered to.
Recovery Time Objective (RTO): Acceptable duration from the time of service or data loss to the
time of restoration.
Automated Backup
If the data backup plan defines a daily interval, making manual backups becomes quite time
consuming, and one may discover now and then that backups have been skipped because there was
something more important to do at the same time. It is better to foresee the risk of not making
backups and to automate the whole backup process as much as possible.
External Hard Drive
These are hard drives similar to the type installed within a desktop or laptop computer. The
difference is that they can be plugged into the computer, or removed and kept separate from the
main computer.
Advantages:
Disadvantages:
Solid State Drive (SSD)
Solid State Drives look and function similarly to traditional mechanical/ magnetic hard drives, but the
similarities stop there. Internally, they are completely different: they have no moving parts or rotating
platters and rely solely on semiconductors and electronics for data storage, which makes them more
reliable and robust than traditional magnetic drives. Having no moving parts also means that they use
less power than traditional hard drives and are much faster too.
With the prices of Solid State Drives coming down and their lower power usage, SSDs are used
extensively in laptops and mobile devices. External SSDs are also a viable option for data backups.
Advantages:
Disadvantages:
Network Attached Storage (NAS)
A NAS is simply one or more regular IDE or SATA hard drives plugged into an array storage enclosure
and connected to a network router or hub through an Ethernet port. Some of these NAS enclosures
have ventilating fans to protect the hard drives from overheating.
Advantages:
A very good option for local backups, especially for networks and small businesses.
As several hard drives can be plugged in, a NAS can hold very large amounts of data.
Can be set up with redundancy (RAID), increasing the reliability and/ or the read and write
performance. Depending on the RAID level used, the NAS can still function even if one hard drive
in the RAID set fails, or two hard drives can be set up to double the read and write speed of a
single hard drive.
The drive is always connected and available to the network, making the NAS a good option for
implementing automated scheduled backups.
Disadvantages:
USB Thumb Drive or Flash Drive
These are similar to Solid State Drives except that they are much smaller in size and capacity. They
have no moving parts, making them quite robust. They are extremely portable and can fit on a
keychain, which makes them ideal for backing up a small amount of data that needs to be brought
with you on the go.
Advantages:
The most portable storage option. Can fit on a keychain making it an offsite backup when you
bring it with you.
Much more robust than traditional magnetic hard drives
Disadvantages:
Relatively expensive per GB so can only be used for backing up a small amount of data
Optical Drive (CD/ DVD)
CDs and DVDs are ideal for storing a collection of songs, movies, media or software for distribution
or for giving to a friend, due to the very low cost per disk. They do not make good storage options for
backups due to their shorter lifespan, small storage space and slower read and write speeds.
Advantages:
Disadvantages:
Cloud Storage
Cloud storage is storage space in a commercial data center, accessible from any computer with
Internet access. It is usually provided by a service provider. A limited amount of storage space may be
provided free, with more space available for a subscription fee. Examples of service providers are
Amazon S3, Google Drive, Sky Drive etc.
Advantages:
A very good offsite backup. Not affected by events and disasters such as theft, floods, fire etc
Disadvantages:
More expensive than traditional external hard drives. Often requires an ongoing subscription.
Requires an Internet connection to access the cloud storage.
Much slower than other local backups
The following are features to aim for when designing your backup strategy:
Able to recover from data loss in all circumstances, such as hard drive failure, virus attacks,
theft, accidental deletes or data entry errors, sabotage, fire, flood, earthquakes and other
natural disasters.
Able to recover to an earlier state if necessary, for example after data entry errors or
accidental deletes.
Able to recover as quickly as possible with minimum effort, cost and data loss.
Requires minimum ongoing human interaction and maintenance after the initial setup, and
hence is able to run automated or semi-automated.
Local backups are needed for their lower cost, which allows you to back up a huge amount of data.
Local backups are also useful for their very fast restore speed, allowing you to get back online in
minimal time. Offsite backups are needed for their wider scope of protection from major disasters
or catastrophes not covered by local backups.
3. When to Backup
Frequency: How often you back up your data is the next major consideration when planning your
backup policy. Some folders are fairly static and do not need to be backed up very often. Other
folders are frequently updated and should correspondingly have a higher backup frequency, such
as once a day or more.
Your decision regarding backup frequency should be based on a worst case scenario. For example,
if tragedy struck just before the next backup was scheduled to run, how much data would you lose
since the last backup? How long would it take, and how much would it cost, to re-key that lost data?
Backup Start Time: You would typically want to run your backups when there is minimal usage on
the computers. Backups may consume some computer resources, which may affect performance.
Also, files that are open or in use may not get backed up.
Scheduling backups to run after business hours is a good practice, provided the computer is left on
overnight. Backups will not normally run when the computer is in "sleep" or "hibernate" mode.
Some backup software will run immediately upon boot up if it missed a scheduled backup the
previous night.
So if the first hour on a business day morning is your busiest time, you would not want your
computer doing its backups then. If you always shut down or put your computer in sleep or
hibernate mode at the end of a work day, maybe your lunch time would be a better time to schedule
a backup. Just leave the computer on but logged-off when you go out for lunch.
Since servers are usually left running 24 hours, overnight backups for servers are a good choice.
4. Backup Types
Many backup programs offer several backup types such as Full Backup, Incremental Backup and
Differential Backup. Each backup type has its own advantages and disadvantages. Full backups are
useful for projects, databases or small websites where many different files (text, pictures, videos
etc.) are needed to make up the entire project and you may want to keep different versions of the
project.
5. Compression & Encryption
As part of your backup plan, you also need to decide whether to apply any compression to your
backups. For example, when backing up to an online service, you may want to apply compression
to save on storage cost and upload bandwidth. You may also want to apply compression when
backing up to storage devices with limited space, such as USB thumb drives.
If you are backing up very private or sensitive data to an offsite service, some backup tools and
services also offer support for encryption. Encryption is a good way to protect your content should
it fall into malicious hands. When applying encryption, always ensure that you remember your
encryption key: you will not be able to restore the backup without your encryption key or passphrase.
6. Testing Your Backup
A backup is only worth doing if it can be restored when you need it most. It is advisable to
periodically test your backup by attempting to restore it. Some backup utilities offer a validation
option for your backups. While this is a welcome feature, it is still a good idea to test your backup
with an actual restore once in a while.
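The three backup types from section 4, the compression from section 5 and the restore test from section 6, worked through in Python as an added example (this is not code from the handbook): a small backup routine built on the standard library's tarfile module, run over constructed sample files. The file names, the digest-manifest way of detecting changes and the helper names are assumptions made for this example, not something the handbook prescribes.

```python
import hashlib
import os
import tarfile
import tempfile


def file_digests(root):
    """Map each file under root (path relative to root) to the SHA-256 of its content."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def make_backup(root, archive, kind, state):
    """Write a gzip-compressed tar of the files selected by kind; return their paths.

    kind is "full", "incremental" or "differential". state holds the digest manifest
    of the last full backup and of the last backup of any kind. Selecting by content
    digest instead of modification time means a file whose timestamp was reset or
    tampered with is still picked up.
    """
    current = file_digests(root)
    if kind == "full":
        baseline = {}                   # nothing to compare against: take everything
    elif kind == "differential":
        baseline = state["last_full"]   # changes since the last FULL backup
    elif kind == "incremental":
        baseline = state["last_any"]    # changes since the last backup of ANY kind
    else:
        raise ValueError(f"unknown backup type: {kind}")
    chosen = sorted(p for p, d in current.items() if baseline.get(p) != d)
    with tarfile.open(archive, "w:gz") as tar:  # "w:gz" applies gzip compression
        for rel in chosen:
            tar.add(os.path.join(root, rel), arcname=rel)
    if kind == "full":
        state["last_full"] = current
    state["last_any"] = current
    return chosen


def restore(chain, dest):
    """Extract archives in order so later ones overwrite earlier copies of a file.

    A full + incrementals chain needs every link; a full + latest differential
    needs only two archives. Files deleted from the source after the full backup
    are not removed: this simple scheme records additions and changes only.
    """
    for archive in chain:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter (Python 3.12+, backported to 3.8.17+) refuses
                # members that would escape dest or carry unsafe permissions.
                tar.extractall(dest, filter="data")
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(dest)


def restore_matches_source(chain, source):
    """Test the backup as section 6 recommends: really restore it, then compare
    every restored file's digest with the live source tree."""
    with tempfile.TemporaryDirectory() as scratch:
        restore(chain, scratch)
        return file_digests(scratch) == file_digests(source)


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def run_demo():
    """Constructed scenario (sample data, not real files): Monday full backup, two
    incrementals, one differential, then a test restore of both chains."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        _write(src, "docs/report.txt", "q1 figures")
        _write(src, "notes.txt", "static notes, never edited again")
        state = {"last_full": {}, "last_any": {}}
        full_a, inc_a, inc_b, diff_a = (
            os.path.join(work, n)
            for n in ("mon-full.tgz", "tue-inc.tgz", "wed-inc.tgz", "wed-diff.tgz"))
        full = make_backup(src, full_a, "full", state)
        _write(src, "docs/report.txt", "q1 figures, revised")  # Tuesday: edit
        inc1 = make_backup(src, inc_a, "incremental", state)
        _write(src, "docs/new.txt", "added on Wednesday")      # Wednesday: new file
        inc2 = make_backup(src, inc_b, "incremental", state)
        diff = make_backup(src, diff_a, "differential", state)
        return {
            "full": full,   # every file
            "inc1": inc1,   # only Tuesday's edit
            "inc2": inc2,   # only Wednesday's addition
            "diff": diff,   # everything changed since Monday's full backup
            "restore_ok": restore_matches_source([full_a, inc_a, inc_b], src)
            and restore_matches_source([full_a, diff_a], src),
        }
```

Note that the unchanged notes.txt appears only in the full backup, while the differential grows to include every change since Monday, which is the trade-off between the two types.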
7. Backup Utilities & Services
Simply copying and pasting files and folders to another drive would be considered a backup.
However, the aim of a good backup plan is to set it up once and leave it to run on its own. You
would check up on it occasionally but the backup strategy should not depend on your ongoing
interaction for it to continue backing up. A good backup plan would incorporate the use of good
quality, proven backup software utilities and backup services.
Summary
Backup is the activity of copying files or databases so that they will be preserved in case of
equipment failure or other catastrophe.
Data custodians are responsible for providing adequate backups to ensure the recovery of data
and systems in the event of failure. Types of Backup include:
Full backup, where all the files and folders selected for the backup are backed up
Incremental backup, a backup of all changes made since the last backup
Differential backup, which falls in the middle between full backups and incremental backups
Mirror backup, a mirror of the source being backed up
Full PC backup, which involves backing up entire images of the computer's hard drives
Local backup, any backup where the storage medium is kept close at hand
Offsite backup, where the backup storage medium is kept at a different geographic location
Online backup, an ongoing backup to a storage medium that is always connected to the
source being backed up
Remote backup, an offsite backup with the difference that you can access, restore or
administer the backups while located at your source location or another physical location
Cloud backup, where data is backed up to a storage server or facility connected to the
source via the Internet
FTP backup, where the backup is done via the File Transfer Protocol (FTP) over the Internet
to an FTP server
The simplest way to remember how to back up your images safely is to use the 3-2-1 rule: keep
3 copies of any important file (a primary and two backups); have the files on 2 different media
types (such as hard drive and optical media); and store 1 copy offsite (or at least offline).
Different types of Local Storage Options
External Hard Drives are hard drives similar to the type installed within a desktop or laptop
computer
Solid State Drives (SSD) look and function similarly to traditional mechanical/ magnetic hard
drives but are internally different
Network Attached Storage (NAS) is simply one or more regular IDE or SATA hard drives
plugged into an array storage enclosure and connected to a network router or hub through
an Ethernet port
USB Thumb Drives or Flash Drives are similar to Solid State Drives except that they are much
smaller in size and capacity
Optical Drives (CD/ DVD) are ideal for storing a collection of songs, movies, media or software
for distribution or for giving to a friend, due to the very low cost per disk
Cloud Storage is storage space in a commercial data center, accessible from any computer
with Internet access
Ask the key questions while planning your backup strategy
What to Backup
Where to Backup to
When to Backup
Backup Types
Compression & Encryption
Testing Your Backup
Backup Utilities & Services
Practical activities:
Activity 1:
Backup data available in the institute and evaluate the backup requirements for the
institute. If there isn’t a policy for backup then work in a group to develop one and
define all necessary steps for successful implementation.
Activity 2:
Activity 3:
Collect information on various products and services for backup available in the
industry and compare the benefits, features and limitations of each. The comparison
should be presented in class.
Q. Explain why Full PC backup is also known as “Drive Image Backup”.
Q. Solid State Drives (SSD) look and function similarly to traditional mechanical/ magnetic hard
drives but are different. State the difference.
Q. Is it possible to retrieve a file deleted in a source with a mirror backup? Explain your answer in
brief.
SSC/ N 0901:
Contribute to Managing Information Security
The Units
The module for this NOS is divided into ten units based on the learning objectives as given below:
UNIT I: Information Security and Threats
1.1. Information Security
1.2. Information Assets & Threats
UNIT II: Fundamentals of Information Security
2.1. Elements of information security
2.2. Principles and concepts – data security
2.3. Types of controls
UNIT III: Data Leakage
3.1 Introduction – Data Leakage
3.2 Organisational Data Classification, Location and Pathways
3.3 Content Awareness
3.4 Content Analysis Techniques
3.5 Data Protection
3.6 DLP Limitations
3.7 DRM-DLP Conundrum
UNIT IV: Information Security Policies, Procedures, Standards and Guidelines
4.1. Information Security Policies
4.2. Key Elements of a Security Policy
4.3. Security Standards, Guidelines and Frameworks
4.4. Laws, Regulations and Guidelines
UNIT V: Information Security Management – Roles and Responsibilities
5.1. Information and Data Security Team Structure
5.2. Security Incident Response Team
UNIT VI: Information Security Performance Metrics
6.1. Introduction – Security Metrics
6.2. Types of Security Metrics
6.3. Using Security Metrics
6.4. Developing the Metrics Process
6.5. Metrics and Reporting
6.6. Designing Information Security Measuring Systems
UNIT VII: Risk Assessment
7.1. Risk Overview
7.2. Risk Identification
7.3. Risk Analysis
7.4. Risk Treatment
7.5. Risk Management Feedback Loops
7.6. Risk Monitoring
UNIT VIII: Configuration Reviews
8.1. Configuration Management
8.2. Organisational SecCM Policy
8.3. Identify CM Tools
8.4. Implementing Secure Configurations
8.5. Unauthorised Access to Configuration Stores
UNIT IX: Log Correlation and Management
9.1. Event Log Concepts
9.2. Log Management and its need
9.3. Log Management Process
9.4. Configuring Windows Event Log
9.5. IIS Log Files
9.6. Analysis and Response
UNIT X: Data Backup
10.1. Data Backup
10.2. Types of Backup
10.3. Backup Procedures
10.4. Types of Storage
10.5. Features of a Good Backup Strategy
UNIT I
Information Security and Threats
Lesson Plan
1.1. Information Security
1.2. Information Assets & Threats (Virus, Worms, Trojans, Other
Threats, Network Attacks)
Lesson Plan
You need to know and understand:
KA4. the organizational systems, procedures and tasks/ checklists within the domain and how to
use them.
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Evaluation:
KA4, KA5. Peer group, faculty group and industry experts’ evaluation.
KB1 - KB4. Group and faculty evaluation based on anticipated outcomes. Reward points to be
allocated to groups.
Resources:
PCs/ tablets/ laptops
Availability of labs (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Access to all security sites like ISO, PCI DSS, Centre for Internet Security etc.
Lesson
sitated the
need for the position of information security analyst.
Those who work as information security analysts are responsible for keeping information safe from
data breaches using a variety of tools and techniques. Information security analysts protect
information stored on computer networks, in applications etc. They do this with special software that
allows them to keep track of those who can access and who have accessed data. Also, they may
perform investigations to determine whether or not data has been compromised, the extent of it and
related vulnerabilities.
Someone at an entry level position may operate the software to monitor and analyze
information.
At senior level positions, one may carry out investigative work to determine whether a security
breach has occurred.
At higher levels people design systems and architecture to address these vulnerabilities.
The field of information security has seen significant growth in recent times, and the number of job
opportunities in this area is likely to increase in the near future. Recent incidents of information theft
from large companies like Target, Sony and Citibank have shown the risks and challenges of this field,
and this drives the growing need for information security and for professionals in this field. We are
now witnessing a rising background level of data leakage from governments, businesses and other
organisations, families and individuals.
A large part of an information security analyst’s work involves monitoring data use and access on a
computer network.
Security analysts focus on three main areas:
1. risk assessment (identifying risks or issues an organization may face)
2. vulnerability assessment (determining an organization’s weaknesses to threats)
3. defense planning (designing the protection architecture and installing security systems such
as firewalls and data encryption programs)
Information security analysts can find themselves working with IT companies, financial and utility
companies and consulting firms. They may also find positions with government organizations. Any
company or organization with data to protect may hire information security analysts, so they could
find themselves working at a wide variety of different institutions. A number of companies operate
‘Security Operation Centres (SOCs)’ to carry out data security services for captive or client
operations.
Major Skills of
Security Analyst
• Understanding security policy
• Data & Traffic Analysis
• Identifying Security Events –> How & when to alarm
• Incident Response
Foundation and
Background
• Network infrastructure knowledge
• Diverse device configuration ability
• Security configuration knowledge
• Data management & teamwork
Challenges for
Security Analyst
• Not tied to a product or solution
• Complex knowledge – Not one specific process is correct or product solution
• Diverse set of skills are needed
Security concerning IT and information is normally categorised in three categories to facilitate the
management of information:
theft
fraud/ forgery
unauthorized information access
interception or modification of data and data management systems
The above concerns materialise in the event of a breach caused by the exploitation of a vulnerability.
Vulnerabilities
Vulnerability is a weakness in an information system, system security procedures, internal
controls, or implementation that could be exploited or triggered by a threat source.
‘Threat agent or actor’ refers to the intent and method targeted at the intentional exploitation
of the vulnerability or a situation and method that may accidentally trigger the vulnerability.
A ‘threat vector’ is a path or a tool that a threat actor uses to attack the target.
‘Threat targets’ are anything of value to the threat actor such as PC, laptop, PDA, tablet, mobile
phone, online bank account or identity.
Threat classification
Microsoft has proposed a threat classification called STRIDE from the initials of threat categories:
Spoofing of user identity
Tampering
Repudiation
Information disclosure (privacy breach or data leak)
Denial of Service (D.o.S.)
Elevation of privilege
Types of attacks
• Virus
A virus is a malicious program able to inject its code into other programs/ applications or data files,
and the targeted areas become "infected". A virus installs itself without the user's consent and
spreads in the form of executable code transferred from one host to another. Types of viruses
include resident virus, non-resident virus, boot sector virus, macro virus, file-infecting virus (file-
infector), polymorphic virus, metamorphic virus, stealth virus, companion virus and cavity virus.
• Worm
A worm is a category of malicious program that exploits operating system vulnerabilities to spread
itself. In its design, a worm is quite similar to a virus and is even considered a sub-class of it. Unlike
viruses, though, worms can reproduce/ duplicate and spread by themselves; during this process a
worm does not need to attach itself to any existing program or executable. The different types of
worms, based on their method of spread, are email worms, internet worms, network worms and
multi-vector worms.
• Trojan
Computer Trojans or Trojan Horses are named after the mythological Trojan horse owing to the
similarity in their operating strategy. Trojans are a type of malware that masquerades as a
non-malicious, even useful, application but will actually do damage to the host computer after its
installation. Unlike viruses, Trojans do not self-replicate; they rely on the end user intervening to
install them.
Types of Virus
Depending on virus "residence", we can classify viruses in following way:
Resident virus - a virus that embeds itself in the memory of a target host. In this way it becomes
activated every time the OS starts or executes a specific action.
Non-resident virus - when executed, this type of virus actively seeks targets for infection in
local, removable or network locations. After infecting them it exits, so it does not stay resident
in memory.
Boot sector virus
Macro virus - a virus written in a macro language and embedded in Word, Excel, Outlook etc.
documents. This type of virus is executed as soon as the document that contains it is opened,
because macro execution within those documents is normally automatic.
Another classification of viruses can result from their characteristics:
File-infecting virus (file-infector) – this is the classic form of virus. When the infected file is
executed, the virus seeks out other files on the host and infects them with malicious code. The
malicious code is inserted either at the beginning of the host file's code (prepending virus), in the
middle (mid-infector) or at the end (appending virus). A specific type of virus called a "cavity
virus" can even inject the code into gaps in the file structure itself. The start point of the file's
execution is changed to the start of the virus code to ensure that it is run when the file is
executed. Afterwards, control may or may not be passed on to the original program. Depending
on the infection routine, the host file may otherwise become corrupted and completely
non-functional. More sophisticated viral forms let the host program execute normally while
trying to hide their presence completely (see polymorphic and metamorphic viruses).
Polymorphic virus
Metamorphic virus - this virus is capable of changing its own code with each infection. The
rewriting process may cause the infection to appear different each time, but the functionality of
the code remains the same. The metamorphic nature of this virus type makes it possible to infect
executables from two or more different operating systems, or even different computer
architectures. Metamorphic viruses are among the most complex in build and very difficult to
detect.
Stealth virus - memory resident virus that utilises various mechanisms to avoid detection. This
avoidance can be achieved for example, by removing itself from the infected files and placing a
copy of itself in a different location. The virus can also maintain a clean copy of the infected files
in order to provide it to the antivirus engine for scan while the infected version still remains
undetected. Furthermore, the stealth viruses are actively working to conceal any traces of their
activities and changes made to files.
Armored virus
Multipartite virus – this attempts to attack both the executable files and the master boot record
of the drive at the same time. This type may be tricky to remove, as even when the executable
file part is clean it can re-infect the system all over again from the boot sector if that was not
cleaned as well.
Camouflage virus – this virus type is able to report itself as a harmless program to the antivirus
software. Where the virus has code similar to that of legitimate non-infected files, the antivirus
application is tricked into treating it as the legitimate program. This works only against basic
signature-based antivirus software. Nowadays, antivirus solutions have become more elaborate,
so camouflage viruses are quite rare and not a serious threat due to the ease of their detection.
Companion virus
Cavity virus - unlike traditional viruses, the cavity virus does not attach itself to the end of the
infected file but instead uses the empty spaces within the program file itself (which exist there
for a variety of reasons). This way the length of the program code is not changed and the virus
can more easily avoid detection. In most cases the injection of the virus does not impact the
functionality of the host file at all. Cavity viruses are quite rare, though.
Let us discuss a recent news item about a new version of a notorious virus that takes over a
system until money is paid as ransom, which has been detected by cyber experts. Version 2.0 of
the TeslaCrypt ransomware encryptor family, say experts, is notorious for infecting the computers
of gamers. The malicious program is now targeting online consumers and businesses via email
attachments which block access to a computer system until a sum of money, specifically in
dollars, is paid as ransom. If the victim delays, the ransom is doubled. Detected in February 2015,
TeslaCrypt began infecting systems in the US, Europe and Southeast Asian countries. It then
occurred in Indian cities including Delhi and Mumbai. Two businessmen from Agra were targeted
this year, from whom the extortionist demanded more than $10,000. In the last six months, two
cases were reported in Agra, where the malware locked down its victims' most important files
and kept them hostage in exchange for a ransom to unlock them.
Types of Worms
The most common categorization of worms is based on how they spread:
Email worms: spread through email messages, especially through those with attachments.
Internet worms: spread directly over the internet by exploiting access to open ports or system
vulnerabilities.
Network worms: spread over open and unprotected network shares.
Multi-vector worms: having two or more various spread capabilities.
Types of Trojans
Computer Trojans, or Trojan horses, are named after the mythological Trojan horse of the Trojan War,
in which the Greeks gave a giant wooden horse to their foes, the Trojans. As soon as the Trojans dragged
the horse inside their city walls, Greek soldiers sneaked out of the horse's hollow belly and opened the
city gates, allowing their army to capture Troy. A computer Trojan horse works in a very similar way:
it is a type of malware that masquerades as a non-malicious, even useful, application but actually
damages the host computer after its installation.
Trojans do not self-replicate, which is their key difference from viruses, and they often require end-user
intervention to install them. This usually happens when the user is tricked into believing that the
program being installed is a legitimate one (very often through social engineering attacks on end users).
Another common method is for the Trojan to be spammed as an email attachment or as a link in an
email. A similar method has the Trojan arriving as a file or link in an instant messaging client.
Trojans can also be spread by means of drive-by downloads, or be downloaded and dropped by other
Trojans or by legitimate programs that have been compromised.
The results of Trojan activities can vary greatly: from low-invasive ones that only change the
wallpaper or desktop icons, through Trojans that open backdoors on the computer and allow other
threats to infect the host or give a hacker remote access to the targeted computer system, up to
Trojans that cause serious damage on the host by deleting files or destroying the data on the system
in various ways (such as formatting the drive or causing a BSOD). Such Trojans are usually stealthy and
do not advertise their presence on the computer.
Trojans can be classified by the function they perform and by the way they breach systems.
An important thing to keep in mind is that many Trojans have multiple payload functions, so any such
classification provides only a general overview and not a strict boundary. Some of the most
common Trojan types are:
Remote Access Trojans (RAT), aka Backdoor.Trojan - this type of Trojan opens a backdoor on the
targeted system to allow the attacker remote access to the system, or even complete control
over it. This is the most widespread kind of Trojan and it often has various other functions as well.
It may be used as an entry point for a DoS attack or for letting worms or other Trojans onto
the system. A computer with a sophisticated backdoor program installed may also be referred
to as a "zombie" or a "bot". A network of such bots is often referred to as a "botnet" (see
part 3 of the Security 1:1 series). Backdoor.Trojans are generally created by malware authors
who are organized and aim to make money out of their efforts. These types of Trojans can be
highly sophisticated and can require more work to implement than some of the simpler malware
seen on the Internet.
Trojan-DDoS - this Trojan is installed simultaneously on a large number of computers in order to
create a zombie network (botnet) of machines that can then be used as attackers in a DDoS attack
on a particular target.
Trojan-Proxy -
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
Trojan-FTP – this Trojan is designed to open FTP ports on the targeted machine, allowing a remote
attacker access to the host. Furthermore, the attacker can also access network shares or
connections to further spread other threats.
Destructive Trojan – this is designed to destroy or delete data. It is much like a virus.
Security Software Disabler Trojan – this is designed to stop security programs like antivirus
solutions, firewalls or IPS, either by disabling them or by killing their processes. This kind of Trojan
functionality is often combined with a destructive Trojan that executes data deletion or
corruption only after the security software is disabled. Security Software Disablers are entry
Trojans that allow the next level of attack on the targeted system.
Info Stealer (Data Sending/ Stealing Trojan) - this Trojan is designed to provide the attacker with
confidential or sensitive information from the compromised host and send it to a predefined location
(the attacker). The stolen data comprises login details, passwords, PII, credit card information etc.
Data sending Trojans can be designed to look for specific information only, or can be more generic,
like keylogger Trojans. Nowadays, more than ever before, attackers are concentrating on
compromising end users for financial gain. The information stolen with an info stealer Trojan
is often sold on the black market. Info stealers gather information using several techniques;
the most common include logging keystrokes, taking screenshots and webcam images, and
monitoring internet activity, often for specific financial websites. The stolen information may be
stored locally so that it can be retrieved later, or it can be sent to a remote location where it can
be accessed by the attacker. It is often encrypted before being posted to the malware author.
Keylogger Trojan – this is a type of data-sending Trojan that records every keystroke of the
end user. This kind of Trojan is specifically used to steal sensitive information from the targeted host
and send it back to the attacker. For these Trojans, the goal is to collect as much data as possible
without any prior specification of what the data will be.
Trojan-PSW (Password Stealer) – this is a type of data-sending Trojan designed specifically to
steal passwords from targeted systems. In its execution routine, the Trojan will very often
first drop a keylogging component onto the infected machine.
Trojan-Banker – a Trojan designed specifically to steal online banking information to allow the
attacker further access to bank account or credit card information.
Trojan-IM – a type of data-sending Trojan designed specifically to steal data or account
information from instant messaging programs like MSN, Skype etc.
Trojan-Game Thief – a Trojan designed to steal information about online gaming accounts.
Trojan Mail Finder – a Trojan used to harvest any email addresses found on the infected computer.
The email list is then forwarded to the remote attacker.
Trojan-Dropper -
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
Trojan-Downloader – a Trojan that can download other malicious programs to the target
computer; very often combined with the functionality of a Trojan-Dropper. Most downloaders
that are encountered will attempt to download content from the internet rather than the local
network. In order to achieve its primary function, a downloader must run on a computer that is
inadequately protected and connected to a network.
Trojan-FakeAV –
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
This type of Trojan can either be aimed at extorting money for the removal of a "non-existing"
threat or, in other cases, the installation of the program itself injects other malware into the host
machine. FakeAV applications can perform fake scans with variable results, but they always detect at
least one malicious object. They may also drop files that are then 'detected'. FakeAV applications are
constantly updated with new interfaces so that they mimic legitimate anti-virus solutions and
appear very professional to end users.
Trojan-Spy – this Trojan has functionality similar to the info stealer or Trojan-PSW; its
purpose is to spy on the actions executed on the target host. These can include tracking data
entered via keystrokes, collecting screenshots, listing active processes/ services on the host or
stealing passwords.
Trojan-ArcBomb -
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
In another incident, detected by Kaspersky Labs, Pune, the TeslaCrypt ransomware
encryptor family exhibited a curious behaviour. Version 2.0 of the Trojan, notorious for
infecting computer gamers, displays an HTML page in the web browser which is an
exact copy of CryptoWall 3.0, another notorious ransomware program. TeslaCrypt was
detected in February 2015 and the new ransomware Trojan gained immediate notoriety
as a menace to computer gamers. Amongst other types of target files, it tries to infect
typical gaming files: game saves, user profiles, recorded replays etc. That said, TeslaCrypt
does not encrypt files that are larger than 268 MB. A few more examples of ransomware
Trojans are CryptoLocker, CryptoWall, CoinVault, TorLocker and CTB-Locker.
Source: News articles
Malware refers to software such as viruses, spyware, adware, worms, trojans, ransomware etc. It is
designed to cause damage to a targeted computer or to cause a certain degree of operational
disruption.
Rootkits are malicious software designed to hide certain processes or programs from detection.
A rootkit usually acquires and maintains privileged system access while hiding its presence at the
same time. It acts as a conduit by providing the attacker with a backdoor to the system.
Spyware is software that monitors and collects information about a particular user, computer
or organisation without the user's knowledge. There are different types of spyware, namely system
monitors, trojans (keyloggers, banker trojans, infostealers), adware, tracking cookies etc.
Tracking cookies are a specific type of cookies that are distributed, shared and read across two
or more unrelated websites for the purpose of gathering information or potentially to present
customized data to you.
Riskware is a term used to describe potentially dangerous software whose installation may pose
a risk to the computer.
Scareware is a class of malware that includes both ransomware (Trojan.Ransom) and FakeAV
software. It is also well known under the names "Rogue Security Software" or "Misleading
Software". This kind of software tricks the user into believing that the computer has been infected and
offers paid solutions to clean the "fake" infection.
Spam is the term used to describe unsolicited or unwanted electronic messages, especially
advertisements. The most widely recognized form of spam is email spam.
Creepware is a term used to describe activities like spying on others through webcams (very often
combined with capturing pictures), tracking the online activities of others, listening to
conversations over the computer's microphone, and stealing passwords and other data.
Blended threat defines an exploit that combines elements of multiple types of malware
components. The use of multiple attack vectors and payload types aims to increase both the
severity of the damage caused and the speed of spreading.
A. COHEN
B. NORTON
C. SMITH
D. McAfee
ANSWER : …………………………………………………………..
Network attacks
A network attack is usually defined as an intrusion on the network infrastructure that will first analyse
the environment and collect information in order to exploit the existing open ports or vulnerabilities.
This may include unauthorized access to organisation resources.
Passive attacks: these refer to attacks whose purpose is only to learn and obtain some
information from the system; the system resources are not altered or disabled in any way.
Active attacks: in this type of network attack, the perpetrator accesses and either alters,
disables or destroys resources or data.
Outside attack: when an attack is performed from outside the organization by an unauthorized
entity, it is said to be an outside attack.
Inside attack: if an attack is performed from within the company by an "insider" who already
has certain access to the network, it is considered to be an inside attack.
Others, such as attacks targeted at end users (like phishing or social engineering): these attacks
are not directly referred to as network attacks, but are important to know because of their
widespread occurrence.
Figure: types of network attacks. Whaling; Vishing (voice phishing or VoIP phishing); Port scanning;
Spoofing; Network sniffing; DoS attack & DDoS attack; ICMP smurf denial of service attack;
Man-in-the-middle attack; Buffer overflow attack; Botnet; Session hijacking attack;
Cross-site scripting attack (XSS attack); SQL injection attack; Bluetooth related attacks.
remains the same – to obtain confidential information and gain access to personal files. The
means of the attack are a bit different though, and include special links or posts on the
social media sites that attract the user with their content and convince them to click on them.
The link then redirects to a malicious website or similar harmful content. The websites can mirror
legitimate Facebook pages so that an unsuspecting user does not notice the difference. The
website will require the user to log in with his real information. At this point, the attacker collects the
credentials, gaining access to the compromised account and all data on it. Another scenario involves
fake apps: users are encouraged to download and install apps that contain malware used to steal
confidential information.
Facebook phishing attacks are often much more elaborate. Consider the following scenario: a link
posted by an attacker can include pictures or a phrase that will attract the user to click on it.
The user clicks and is redirected to a mirror website that asks him/ her to like the
post before even viewing it. The user, not suspecting any harm, clicks on the "like" button but
does not realise that the "like" button has been spoofed and is in reality the "accept" button for a
fake app to access the user's personal information. At this point, data is collected and the account is
compromised.
Spear phishing attack – this is a type of phishing attack targeted at specific individuals, groups
of individuals or companies. Spear phishing attacks are performed mostly with the primary purpose
of industrial espionage and theft of sensitive information, while ordinary phishing attacks are
directed against the wide public with the intent of financial fraud. It has been estimated that in the last
couple of years targeted spear phishing attacks have become more widespread than ever before.
The recommendations to protect your company against phishing and spear phishing include:
1. Never open or download a file from an unsolicited email, even from someone you know
(you can call or email the person to double check that it really came from them).
2. Keep your operating system updated.
3. Use a reputable anti-virus program.
4. Enable two factor authentication whenever available.
5. Confirm the authenticity of a website prior to entering login credentials by looking for a
reputable security trust mark.
6. Look for HTTPS in the address bar when you enter any sensitive personal information on a
website to make sure your data will be encrypted.
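Recommendations 5 and 6 above can be turned into a mechanical check before a login page is trusted. The following added example (not from the handbook) shows how to test a URL for the HTTPS scheme, for an exact match against a list of known login hosts, and for the two lookalike tricks the Facebook scenario relies on: a trusted name used as a prefix of a different domain, and a trusted name placed in the userinfo part before an "@". The trusted host names and the URLs tested are assumptions constructed for the example.

```python
from typing import List
from urllib.parse import urlsplit

# Hosts that really serve login pages (assumed for this example; an
# organisation would maintain its own list).
TRUSTED_LOGIN_HOSTS = {"login.example-bank.com", "www.facebook.com"}


def check_login_url(url: str) -> List[str]:
    """Return the reasons a URL fails the handbook's checks; an empty list passes.

    Checks applied: HTTPS scheme (recommendation 6), hostname exactly equal to a
    trusted login host (recommendation 5), and no userinfo hiding the real host.
    """
    problems: List[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, not https")

    if not host:
        problems.append("no hostname")
    elif host not in TRUSTED_LOGIN_HOSTS:
        # A lookalike such as www.facebook.com.evil.example starts with a trusted
        # name but its registrable domain is different; report that specifically.
        for trusted in TRUSTED_LOGIN_HOSTS:
            if host.startswith(trusted + ".") or host.startswith(trusted + "-"):
                problems.append(f"hostname {host!r} imitates trusted host {trusted!r}")
                break
        else:
            problems.append(f"hostname {host!r} is not a known login host")

    if parts.username is not None:
        # In https://www.facebook.com@evil.example/ the part before '@' is
        # userinfo, not the host; browsers connect to what follows the '@'.
        problems.append(f"URL carries userinfo before '@'; the real host is {host!r}")

    return problems


if __name__ == "__main__":
    for candidate in (
        "https://www.facebook.com/login",
        "http://www.facebook.com/login",
        "https://www.facebook.com.evil.example/login",
        "https://www.facebook.com@evil.example/",
    ):
        print(candidate, "->", check_login_url(candidate) or "OK")
```

The exact-match rule is deliberately strict: a subdomain the organisation does not list is reported as unknown rather than silently accepted, which is the safer default for credential entry.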
Watering hole attack – this is a more complex type of phishing attack. Instead of the usual way
of sending spoofed emails to end users in order to trick them into revealing confidential
information, attackers use a multi-staged approach to gain access to the targeted information.
In the first step, the attacker profiles the potential victim, collecting information about his or her
internet habits, history of visited websites etc. In the next step the attacker uses that knowledge to
inspect those specific legitimate public websites for vulnerabilities. If any vulnerabilities or
loopholes are found, the attacker compromises the website with his own malicious code. The
compromised website then waits for the targeted victim to come back and infects them
with exploits (often for zero-day vulnerabilities) or malware. This is by analogy with a lion waiting
at the watering hole for its prey.
Whaling – it is a type of phishing attack specifically targeted at senior executives or other high
profile targets within a company.
Vishing (Voice Phishing or VoIP Phishing) – the use of social engineering techniques over the
telephone system to gain access to confidential information from users. This phishing attack is
often combined with caller ID spoofing, which masks the real source phone number and instead
displays a number familiar to the phishing victim or known to belong to a real banking
institution. General practices of vishing include pre-recorded automated instructions requesting
users to provide bank account or credit card information for verification over the phone.
Port scanning – an attack type where the attacker sends several requests to a range of ports on
a targeted host in order to find out which ports are active and open, which allows them to exploit
known service vulnerabilities related to specific ports. Port scanning can be used by malicious
attackers to compromise security, as well as by IT professionals to verify network
security.
Spoofing – a technique used to masquerade a person, program or address as another by
falsifying data, with the purpose of gaining unauthorized access.
A few of the common spoofing types include:
IP Address spoofing – creating IP packets with a forged source IP address to
impersonate a legitimate system. This kind of spoofing is often used in DoS attacks
(Smurf Attack).
ARP spoofing (ARP Poisoning) – sending fake ARP messages on the network.
The purpose of this spoofing is to associate the attacker's MAC address with the IP address of
another legitimate host, causing traffic to be redirected to the attacker's host. This kind of
spoofing is often used in man-in-the-middle attacks.
DNS spoofing (DNS Cache Poisoning) – an attack where wrong data is inserted into a
DNS server's cache, causing the DNS server to divert traffic by returning wrong IP
addresses in answer to client queries.
Email spoofing – faking the email's sender "From" field in order to hide the
real origin of the email. This type of spoofing is often used in spam mail or during
phishing attacks.
Search engine poisoning – attackers take advantage of high-profile news items or
popular events that may be of specific interest to a certain group of people to spread
malware and viruses. This is performed by various methods whose purpose is to achieve the
highest possible search ranking on known search portals for the malicious
sites and links introduced by the hackers. Search engine poisoning techniques are often
used to distribute rogue security products (scareware) to users searching for legitimate
security solutions for download.
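ARP poisoning as described above leaves a trace a defender can look for: an IP address whose MAC binding changes, and one MAC answering for several IP addresses (typically the gateway and the victim). The following added example, not part of the handbook, implements that arpwatch-style check over a constructed list of ARP replies; the addresses and timings are made up for the illustration.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed ARP replies seen on one segment, as (time_s, sender_ip, sender_mac).
# Not a real capture: 192.0.2.0/24 and the 00:00:5e:00:53:xx MACs are documentation ranges.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.0.2.1",  "00:00:5e:00:53:01"),   # gateway announces its own binding
    (1.0, "192.0.2.10", "00:00:5e:00:53:0a"),   # ordinary host
    (2.0, "192.0.2.1",  "00:00:5e:00:53:01"),   # same gateway binding again: fine
    (3.0, "192.0.2.1",  "00:00:5e:00:53:0a"),   # host .10's MAC now claims the gateway IP
    (4.0, "192.0.2.1",  "00:00:5e:00:53:01"),   # real gateway answers again: binding flaps
]


def detect_arp_changes(replies) -> List[Tuple[float, str, str, str]]:
    """Return (time, ip, old_mac, new_mac) for every reply that changes an
    IP-to-MAC binding already learned on the segment."""
    binding: Dict[str, str] = {}
    alerts: List[Tuple[float, str, str, str]] = []
    for t, ip, mac in replies:
        mac = mac.lower()
        old = binding.get(ip)
        if old is not None and old != mac:
            alerts.append((t, ip, old, mac))
        binding[ip] = mac
    return alerts


def macs_claiming_multiple_ips(replies) -> Dict[str, Set[str]]:
    """MACs that have claimed more than one IP address. One MAC answering for
    both the gateway and a host is the classic man-in-the-middle poisoning pattern."""
    ips_by_mac: Dict[str, Set[str]] = defaultdict(set)
    for _, ip, mac in replies:
        ips_by_mac[mac.lower()].add(ip)
    return {mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for t, ip, old, new in detect_arp_changes(SAMPLE_ARP_REPLIES):
        print(f"t={t:.0f}s binding for {ip} changed {old} -> {new}")
    for mac, ips in macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES).items():
        print(f"{mac} claims {sorted(ips)}")
```

In a real deployment the learned bindings would be seeded from a known-good inventory and alerts would be rate-limited, since DHCP reassignments also change bindings; the flapping pattern (the same IP alternating between two MACs) is the stronger indicator.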
Network sniffing (Packet Sniffing) – capturing the data packets travelling on the
network. Network sniffing can be used by IT professionals to analyse and monitor the traffic,
for example in order to find unexpected suspicious traffic, but also by perpetrators to collect
data sent in clear text, which is easily readable with network sniffers (protocol analysers).
The best countermeasure against sniffing is the use of encrypted communication between hosts.
Denial of Service Attack (DoS Attack) and Distributed Denial of Service Attack (DDoS Attack) –
an attack designed to cause an interruption or suspension of the services of a specific host/ server
by flooding it with large quantities of useless traffic or external communication requests. When
the DoS attack succeeds, the server is no longer able to answer even legitimate requests. This can
be observed in a number of ways: slow response of the server, slow network performance,
unavailability of software or web pages, inability to access data, websites or other
resources. A Distributed Denial of Service Attack (DDoS) occurs where multiple compromised or
infected systems (a botnet) flood a particular host with traffic simultaneously.
DoS (denial-of-service) attack
A few of the most common DoS attack types:
ICMP flood attack (Ping Flood) – an attack that sends ICMP ping requests to the victim host
without waiting for the answers, in order to overload it with ICMP traffic to the point where the
host can no longer answer them, either because of network bandwidth congestion
with ICMP packets (both requests and replies) or because of high CPU utilization caused by processing
the ICMP requests. The easiest way to protect against the various types of ICMP flood attack is
either to disable propagation of ICMP traffic sent to the broadcast address on the router or to block
ICMP traffic at the firewall level.
Ping of Death (PoD) – this attack involves sending a malformed or otherwise corrupted
malicious ping to the host machine, for example a PING bigger than the usual size, which can
cause a buffer overflow on the system that leads to a system crash.
Smurf attack – this works in the same way as the Ping Flood attack, with one major difference: the
source IP address of the attacking host is spoofed with the IP address of another legitimate,
non-malicious computer. Such an attack causes disruption both on the attacked host (receiving a
large number of ICMP requests) and on the spoofed victim host (receiving a large number
of ICMP replies).
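Both the port scanning entry earlier in this lesson and the ICMP flood entry above describe traffic patterns that stand out in firewall logs. The following added example (not from the handbook) parses a small set of constructed key=value log lines and flags two things: a source that touches many distinct TCP ports on one host within a short window, and a source sending more ICMP echo requests per second than a threshold. The log format, the addresses (documentation ranges) and the thresholds are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

# Constructed firewall log lines (not from a real device). 198.51.100.7 probes 25
# consecutive ports, 203.0.113.9 sends 40 echo requests in one second, and
# 192.0.2.20 makes one ordinary HTTPS connection.
LOG_LINES: List[str] = (
    [f"2015-12-01T10:00:{i:02d}Z proto=tcp src=198.51.100.7 dst=192.0.2.5 dport={20 + i} action=drop"
     for i in range(25)]
    + ["2015-12-01T10:00:30Z proto=icmp src=203.0.113.9 dst=192.0.2.5 type=8 action=accept"] * 40
    + ["2015-12-01T10:00:31Z proto=tcp src=192.0.2.20 dst=192.0.2.5 dport=443 action=accept"]
)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line: str) -> dict:
    """Split one constructed log line into a dict; 'ts' becomes a UTC datetime."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split())
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_port_scans(lines: List[str], min_ports: int = 20, window_s: int = 60) -> Dict[str, int]:
    """Sources that touched at least `min_ports` distinct TCP ports on one host
    within `window_s` seconds; returns {'src->dst': distinct_port_count}."""
    ports = defaultdict(set)
    times = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["proto"] != "tcp":
            continue
        key = (rec["src"], rec["dst"])
        ports[key].add(rec["dport"])
        times[key].append(rec["ts"])
    alerts: Dict[str, int] = {}
    for key, seen in ports.items():
        span = (max(times[key]) - min(times[key])).total_seconds()
        if len(seen) >= min_ports and span <= window_s:
            alerts[f"{key[0]}->{key[1]}"] = len(seen)
    return alerts


def detect_icmp_floods(lines: List[str], max_per_second: int = 20) -> Dict[str, int]:
    """Sources exceeding `max_per_second` ICMP echo requests (type 8) in any one
    second; returns {'src': peak_count}. Timestamps are second-resolution, so
    (src, ts) identifies one source's traffic within one second."""
    counts = defaultdict(int)
    for rec in map(parse_line, lines):
        if rec["proto"] == "icmp" and rec.get("type") == "8":
            counts[(rec["src"], rec["ts"])] += 1
    peaks: Dict[str, int] = {}
    for (src, _), n in counts.items():
        if n > max_per_second:
            peaks[src] = max(n, peaks.get(src, 0))
    return peaks


if __name__ == "__main__":
    print("port scans:", detect_port_scans(LOG_LINES))
    print("icmp floods:", detect_icmp_floods(LOG_LINES))
```

Thresholds are the tuning knob here: a vulnerability scanner run by the IT department will trip the same port-scan rule, which is why such detections are usually paired with an allow-list of authorised scanner addresses rather than blocked outright.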
keeps the server with dead open connections and in the end prevents legitimate hosts
from connecting to the server any more.
Buffer overflow attack – in this type of attack the victim host is provided with traffic/ data
that is outside the range of the processing specifications of the victim host, protocols or applications,
overflowing the buffer and overwriting adjacent memory. One example is the Ping of Death attack
mentioned above, where a malformed ICMP packet with a size exceeding the normal
value can cause a buffer overflow.
Botnet – a collection of compromised computers that can be controlled by remote perpetrators
to perform various types of attacks on other computers or networks. A known example of botnet
usage is the distributed denial of service attack, where multiple systems submit as many
requests as possible to the victim machine in order to overload it with incoming packets. Botnets
can otherwise be used to send out spam, spread viruses and spyware, and also to steal personal
and confidential information, which is afterwards forwarded to the botmaster.
Man-in-the-middle attack – this attack is a form of active monitoring or eavesdropping on victims'
connections and on the communication between victim hosts. This form of attack involves interaction
between both victim parties of the communication and the attacker. It is achieved by the attacker
intercepting all or part of the communication, changing its content and sending it on as
legitimate replies. Neither party is aware of the attacker's presence, and both believe the replies
they get are legitimate. For this attack to be successful, the perpetrator must successfully
impersonate at least one of the endpoints. This is possible when no protocols are in place
that secure mutual authentication or encryption during the communication.
Session hijacking attack – this attack exploits a valid computer session in order
to gain unauthorized access to information on a computer system. The attack type is often
referred to as cookie hijacking because, during the attack, the attacker uses a stolen session cookie
to gain access to and authenticate with a remote server by impersonating the legitimate user.
Cross-site scripting attack (XSS attack) – the attacker exploits XSS vulnerabilities found in
web server applications in order to inject a client-side script into the web page, which can either
point the user to a malicious website of the attacker or allow the attacker to steal the user's session
cookie.
SQL injection attack – the attacker uses existing vulnerabilities in applications to inject
code/ a string for execution that exceeds the allowed and expected input to the SQL database.
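The SQL injection entry above is easiest to understand with the vulnerable pattern next to its fix. The following added example, not taken from the handbook, builds a throwaway in-memory SQLite table with one constructed user row and shows a login check written two ways: concatenating user input into the SQL text, where a quote-containing string alters the query's logic, and the parameterized form, where the same string is only ever compared as a value. The table, column names and sample credential are assumptions made for the illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with a single user row (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT NOT NULL, pw_hash TEXT NOT NULL)")
    con.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, pw_hash: str) -> bool:
    """Vulnerable form: user input becomes part of the SQL statement itself,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT count(*) FROM users WHERE name = '{name}' AND pw_hash = '{pw_hash}'"
    return con.execute(sql).fetchone()[0] > 0


def login_parameterized(con: sqlite3.Connection, name: str, pw_hash: str) -> bool:
    """Hardened form: placeholders send the values separately from the statement.
    The database never parses user input as SQL, so the same string is just an
    unmatched value and the query's logic cannot be changed from the outside."""
    sql = "SELECT count(*) FROM users WHERE name = ? AND pw_hash = ?"
    return con.execute(sql, (name, pw_hash)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    good = ("alice", "hash-of-alice-password")
    # Constructed input that closes the quoted literal and appends its own condition.
    bad = ("alice", "' OR '1'='1")
    print("vulnerable, correct credentials   :", login_vulnerable(db, *good))
    print("vulnerable, injected string       :", login_vulnerable(db, *bad))
    print("parameterized, correct credentials:", login_parameterized(db, *good))
    print("parameterized, injected string    :", login_parameterized(db, *bad))
```

The fix is the same in every database driver: use the driver's placeholder syntax (here SQLite's `?`) for every value that originates outside the program, and never build statement text from input, whatever validation is applied first.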
Bluetooth related attacks
Bluesnarfing – this kind of attack allows the malicious user to gain unauthorized access to
information on a device through its Bluetooth connection. Any device with Bluetooth
turned on and set to the "discoverable" state may be prone to a bluesnarfing attack.
Bluejacking – this kind of attack allows the malicious user to send unsolicited (often spam)
messages to Bluetooth-enabled devices.
A few recent cyberattacks (or network attacks) that shook some big businesses around the
globe:
March 2015
Anthem
February 2015
One of the nation’s largest health insurers said that the personal
information of tens of millions of its customers and employees, including its
chief executive, was the subject of a “very sophisticated external
cyberattack.”
The company added that hackers were able to breach a database that
contained as many as 80 million records of current and former customers,
as well as employees. The information accessed included names, Social
Security numbers, birthdays, addresses, email and employment information,
including income data.
Sony Pictures
November 2014
A huge attack that essentially wiped clean several internal data centers and
led to cancellation of the theatrical release of "The Interview," a comedy
about the fictional assassination of the North Korean leader Kim Jong-un.
Contracts, salary lists, film budgets, entire films and Social Security numbers
were stolen, including -- to the dismay of top executives -- leaked emails
that included criticisms of Angelina Jolie and disparaging remarks about
President Obama.
Staples
October 2014
The office supply retailer said hackers had broken into the company’s
network and compromised the information of about 1.16 million credit
cards.
Summary
Information security analysts protect information stored on computer networks, applications,
etc., using special software that allows them to keep a track of those who can access and who
have accessed data.
There are three categories of Information technology and information security:
o confidentiality
o integrity
o availability
Key concerns in information asset security are theft, fraud/ forgery, unauthorized information
access, and interception or modification of data and data management systems.
Vulnerability is a weakness in an information system, system security procedures, internal
controls or implementation that could be exploited or triggered by a threat source.
Microsoft has proposed a threat classification called STRIDE from the initials of threat
categories.
Types of attacks: virus, worms, Trojans and others.
Network attack is usually defined as an intrusion on the network infrastructure that will first
analyse the environment and collect information in order to exploit the existing open ports or
vulnerabilities. This may include unauthorized access to organisation resources.
The recommendations to protect against Phishing and Spear Phishing include:
o Never open or download a file from an unsolicited email, even from someone you
know.
o Keep your operating system updated.
o Use a reputable anti-virus program.
o Enable two factor authentication whenever available.
o Confirm the authenticity of a website prior to entering login credentials.
o Look for HTTPS in the address bar when you enter any sensitive personal information
on a website.
57
Student Handbook– Security Analyst SSC/N0901
Practical activities:
Activity 1:
List various types of attacks, and get examples of each type of virus, trojan, worm and
other malware from the internet. Compare the list with your fellow students.
Activity 2:
Find out and study cases of attacks over the years and impact of those attacks on the
organisations where these occurred. Share details of 2-3 most interesting ones in the
class.
Activity 3:
Access the CVE database and list all the types of information that can be obtained from it. Present
the same in class and elaborate upon the various ways in which that information can be used.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
3. State the reason why a cavity virus is difficult to detect, unlike traditional viruses.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
UNIT II
Fundamentals of Information Security
Lesson Plan
2.1 Elements of information security
2.2 Principles and concepts – data security
2.3 Types of controls
Lesson Plan
Performance Outcomes
To be competent, you must be able to:
PC3. carry out security assessment of information security systems using automated tools
PC8. provide inputs to root cause analysis and the resolution of information security issues, where required
You need to know and understand:
KA5. how to analyse root causes of information security issues
KA6. how to carry out information security assessments
KB4. how to identify and resolve information security vulnerabilities and issues
Ensuring Measures
QA session and a descriptive write-up on understanding. Peer group, faculty group and industry experts.
KA6, KA7, KA8: Peer review with faculty with appropriate feedback.
KB1 – KB4: Going through the security standards over the internet by visiting sites like ISO, PCI DSS etc., and understanding various methodologies and usage of algorithms.
Work Environment/ Lab Requirement
PCs/ tablets/ laptops
Availability of labs (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Networking equipment (routers & switches)
Firewalls and access points
Access to all security sites like ISO, PCI DSS etc.
Commercial tools like HP WebInspect and IBM AppScan etc.
Open source tools like sqlmap, Nessus etc.
Lesson
Network Security
Network security refers to any activity designed to protect your network. Specifically, these activities
protect the usability, reliability, integrity and safety of your network and data. Effective network
security targets a variety of threats and stops them from entering or spreading on your network.
No single solution protects you from a variety of threats. You need multiple layers of security. If one
fails, others still stand. Network security is accomplished through hardware and software. The
software must be constantly updated and managed to protect you from emerging threats.
Wireless networks, which by their nature are reachable over the radio medium, are more vulnerable than wired networks: they need to encrypt communications to counter sniffing and to continuously check the identity of mobile nodes. Mobility adds further security challenges, namely monitoring and maintaining secure traffic transport for mobile nodes. This concerns both homogeneous and heterogeneous (inter-technology) mobility; the latter requires homogenizing the security level of all networks visited by the mobile node.
From the terminal’s side, it is important to protect its resources (battery, disk, CPU) against misuse and to ensure the confidentiality of its data. In an ad hoc or sensor network, it becomes essential to ensure the terminal’s integrity, as it plays the dual role of router and terminal.
The difficulty of designing security solutions that address these challenges lies not only in ensuring robustness against potential attacks and in not slowing down communications, but also in optimizing the use of resources such as bandwidth, memory and battery. More importantly, in this open context the wireless network must ensure anonymity and privacy while allowing traceability for legal reasons. Indeed, traceability is now needed in the fight against criminal organizations and terrorists, and also to minimize the plundering of copyright. The network therefore faces a dilemma: supporting the free exchange of information while controlling the content of communications to avoid harmful content. In fact, this concerns both wired and wireless networks. All these factors influence the selection and implementation of security tools, which are guided by a prior risk assessment and security policy.
Finally, trust models are increasingly considered in the design of secured systems; these should offer a higher level of trust than classical security mechanisms, and it seems that future networks should implement both: security models and trust models.
In fact, if communication nodes are capable of building and maintaining a predefined trust level in the network, then the communication system will be trustable at all times, allowing trusted and secure service deployment. However, such trust models are very difficult to design, and the trust level is at present generally a biased concept, very similar to the human-based trust model. Note that succeeding in building such trust models would allow infrastructure-based networks, and especially infrastructure-less or self-organized networks such as ad hoc sensor networks, to be trusted enough to deploy several applications. This will also have an impact on current business models: the economic model would have to change to include new players in the telecommunication value chain, such as users offering their machines to build an infrastructure-less network. For example, in the context of ad hoc networks, ad hoc users could become distributors of content or provide other networked services, acting as a sort of service provider. In this case, an appropriate charging and billing system needs to be designed.
A network security system usually consists of many components. Ideally, all components work
together, which minimizes maintenance and improves security.
Application Security
Application security (AppSec) is the use of software, hardware and procedural methods to protect
applications from external threats. AppSec is the operational solution to the problem of software risk.
AppSec helps identify, fix and prevent security vulnerabilities in any kind of software application
irrespective of the function, language or platform.
As a best practice, AppSec employs proactive and preventative methods to manage software
risk, and align an organization’s security investments with the reality of today’s threats. It has
three distinct elements:
A software vulnerability can be defined as a programmatic function that processes critical data
in an insecure way. These “holes” in an application can be exploited by a hacker, spy or
cybercriminal as an entry point to steal sensitive, protected or confidential data.
The severity and frequency of cyber-attacks is increasing, which makes the practice of AppSec important. AppSec as a discipline is also becoming more complex as the variety of business software continues to proliferate. Here are some of the reasons why (and see if these sound familiar):
Software developers have an endless choice of programming languages to choose from – Java, .NET,
C++, PHP and more.
Applications can be deployed across myriad platforms – installed to operate locally, over virtual
servers and networks, accessed as a service in the cloud or run on mobile devices.
AppSec products must provide capabilities for managing security risk across all of these options as
each of these development and deployment options can introduce security vulnerabilities. An
effective software security strategy addresses both immediate and systemic risk.
The Application Security market has reached sufficient maturity to allow organizations of all sizes to
follow a well-established roadmap:
Begin with software security testing to find and assess potential vulnerabilities:
Testing and remediation form the baseline response to insecure applications, but the critical element
of a successful AppSec effort is ongoing developer training. Security conscious development teams
write bulletproof code, and avoid common errors. For example, data input validation – the process of
ensuring that a program operates with clean, correct and useful data. Neglecting this important step,
and failing to build in standard input validation rules or “check routines” leaves the application open
to common attacks such as cross-site scripting and SQL injection.
When undertaken correctly, Application Security is an orderly process of reducing the risks associated
with developing and running business critical software. Properly managed, a good application security
program will move your organization from a state of unmanaged risk and reactive security to effective,
proactive risk mitigation.
Communications Security
Communications Security (COMSEC) ensures the security of telecommunications confidentiality and
integrity – the two information assurance (IA) pillars. Generally, COMSEC may refer to the security of
any information that is transmitted, transferred or communicated.
Emission Security (EMSEC): This prevents the release or capture of emanations from
equipment, such as cryptographic equipment, thereby preventing unauthorized
interception.
Physical Security: This ensures the safety of, and prevents unauthorized access to,
cryptographic information, documents and equipment.
Figure: the three critical information characteristics – Confidentiality, Integrity, Availability
Information States
Information has three basic states: at any given moment, information is being transmitted, stored or processed. These three states exist irrespective of the medium in which the information resides.
Figure: Information States – Transmission, Processing, Storage
Information systems security concerns itself with the maintenance of three critical characteristics of
information: confidentiality, integrity and availability. These attributes of information represent the
full spectrum of security concerns in an automated environment. They are applicable for any
organization irrespective of its philosophical outlook on sharing information.
Authentication happens right after identification and before authorization. It verifies the
authenticity of the identity declared at the identification stage. In other words, it is at the
authentication stage that you prove you are indeed the person or the system you claim to
be. The three methods of authentication are what you know, what you have and what you
are. Regardless of the particular authentication method used, the aim is to obtain
reasonable assurance that the identity declared at the identification stage belongs to the
party in communication. It is important to note that reasonable assurance may mean
different degrees of assurance, depending on the particular environment and application,
and therefore may require different approaches to authentication. Authentication
requirements of a national security – critical system naturally differ from authentication
The following types of non-repudiation services are defined in international standard ISO
14516:2002 (guidelines for the use and management of trusted third party services).
o Approval: non-repudiation of approval provides proof of who is responsible for approval
of the contents of a message.
o Transport: non-repudiation of transport provides proof for the message originator that
a delivery agent has delivered the message to the intended recipient.
o Receipt: non-repudiation of receipt provides proof that the recipient received the
message.
Central to information security is the concept of controls, which may be categorized by their
functionality (preventive, detective, corrective, deterrent, recovery and compensating) and plane of
application (physical, administrative or technical).
By functionality:
Preventive controls
Preventive controls are the first controls met by an adversary. These try to prevent security
violations and enforce access control. Like other controls, these may be physical, administrative
or technical. Doors, security procedures and authentication requirements are examples of
physical, administrative and technical preventive controls respectively.
Detective controls
Detective controls are in place to detect security violations and alert the defenders. They come into play when preventive controls have failed or have been circumvented, and they are no less crucial than preventive controls. Detective controls include cryptographic checksums, file integrity checkers, audit trails and logs, and similar mechanisms.
Corrective controls
Corrective controls try to correct the situation after a security violation has occurred. Although a violation has occurred, the data remains secure, so it makes sense to try to fix the situation. Corrective controls vary widely, depending on the area being targeted, and they may be technical or administrative in nature.
Deterrent controls
Deterrent controls are intended to discourage potential attackers. Examples of deterrent controls
include notices of monitoring and logging as well as the visible practice of sound information
security management.
Recovery controls
Recovery controls are somewhat like corrective controls, but they are applied in more serious
situations to recover from security violations and restore information and information processing
resources. Recovery controls may include disaster recovery and business continuity mechanisms,
backup systems and data, emergency key management arrangements and similar controls.
Compensating controls
Compensating controls are intended to be alternative arrangements for other controls when the
original controls have failed or cannot be used. When a second set of controls addresses the same
threats that are addressed by another set of controls, it acts as a compensating control.
By plane of application:
Physical controls include doors, secure facilities, fire extinguishers, flood protection and air
conditioning.
Administrative controls are the organization’s policies, procedures and guidelines intended to
facilitate information security.
Technical controls are the various technical measures, such as firewalls, authentication systems,
intrusion detection systems and file encryption among others.
The Discretionary Access Control model is the most widely used of the three models.
In the DAC model, the owner (creator) of an object, for example a file or a directory, has the discretion to decide and set access control restrictions on that object. The advantage of DAC is its flexibility: users may decide who can access information and what they can do with it — read, write, delete, rename, execute and so on. At the same time, this flexibility is also a disadvantage of DAC, because users may make wrong decisions regarding access control restrictions or maliciously set insecure or inappropriate permissions. Nevertheless, the DAC model remains the model of choice for the vast majority of operating systems today, including Solaris.
Mandatory access control, as its name suggests, takes a stricter approach to access control. In systems
utilizing MAC, users have little or no discretion as to what access permissions they can set on their
information. Instead, mandatory access controls specified in a system-wide security policy are
enforced by the operating system and applied to all operations on that system. MAC based systems
use data classification levels (such as public, confidential, secret and top secret) and security clearance
labels corresponding to data classification levels to decide in accordance with the security policy set
by the system administrator, what access control restrictions to enforce. Additionally, per-group and/or per-domain access control restrictions may be imposed, i.e. in addition to having the required
security clearance level, subjects (users or applications) must also belong to the appropriate group or
domain. For example, a file with a confidential label belonging only to the research group may not be
accessed by a user from the marketing group, even if that user has a security clearance level higher
than confidential (for example, secret or top secret). This concept is known as compartmentalization
or ‘need to know’.
Although MAC based systems, when used appropriately, are thought to be more secure than DAC
based systems, they are also much more difficult to use and administer because of the additional
restrictions and limitations imposed by the operating system. MAC based systems are typically used
in government, military and financial environments where higher than usual security is required and
where the added complexity and costs are tolerated. MAC is implemented in Trusted Solaris, a version
of the Solaris operating environment intended for high security environments.
In the role based access control model, rights and permissions are assigned to roles instead of
individual users. This added layer of abstraction permits easier and more flexible administration and
enforcement of access controls. For example, access to marketing files may be restricted only to the
marketing manager role, and users Ann, David, and Joe may be assigned the role of marketing
manager. Later, when David moves from the marketing department elsewhere, it is enough to revoke
his role of marketing manager, and no other changes would be necessary. When you apply this
approach to an organization with thousands of employees and hundreds of roles, you can see the
added security and convenience of using RBAC. Solaris has supported RBAC since release 8.
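The three models described above, as an added Python example that is not part of the handbook: a toy reference monitor with a DAC check (owner-managed ACL), a MAC check (clearance level plus compartments, so the marketing user with secret clearance is still denied the research group's confidential file) and an RBAC check with the role revocation from the David example. The group names, the users Ann, David and Joe and the classification levels follow the text; the other user names, the permission sets and the objects are constructed.

```python
"""Toy reference monitor for DAC, MAC and RBAC. Added example, not from the
handbook. Groups (research, marketing), users Ann, David and Joe, and the four
classification levels come from the text; other names and policy data are
constructed for the demonstration."""
from dataclasses import dataclass, field

# Classification levels in ascending order of sensitivity (from the text).
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str = "public"                  # MAC clearance label
    groups: set = field(default_factory=set)   # MAC compartments ("need to know")
    roles: set = field(default_factory=set)    # RBAC role assignments


@dataclass
class Obj:
    name: str
    owner: str
    classification: str = "public"
    compartments: set = field(default_factory=set)
    acl: dict = field(default_factory=dict)    # DAC: user -> permitted operations


def dac_allowed(subj: Subject, obj: Obj, op: str) -> bool:
    """DAC: the owner has every right; others need an explicit ACL entry."""
    return subj.name == obj.owner or op in obj.acl.get(subj.name, set())


def dac_grant(actor: Subject, obj: Obj, user: str, ops: set) -> bool:
    """Only the owner may change the ACL. That discretion is DAC's flexibility
    and also its weakness: an owner can grant overly broad access."""
    if actor.name != obj.owner:
        return False
    obj.acl.setdefault(user, set()).update(ops)
    return True


def mac_allowed(subj: Subject, obj: Obj) -> bool:
    """MAC read check enforced system-wide: the clearance must be at least the
    classification AND the subject must hold every compartment on the object
    (compartmentalization / need to know)."""
    level_ok = LEVELS[subj.clearance] >= LEVELS[obj.classification]
    need_to_know = obj.compartments <= subj.groups
    return level_ok and need_to_know


# RBAC: permissions are attached to roles, never directly to users.
ROLE_PERMS = {
    "marketing manager": {("marketing files", "read"), ("marketing files", "write")},
}


def rbac_allowed(subj: Subject, resource: str, op: str) -> bool:
    return any((resource, op) in ROLE_PERMS.get(role, set()) for role in subj.roles)


def revoke_role(subj: Subject, role: str) -> None:
    """When David leaves marketing, revoking the role is the only change needed."""
    subj.roles.discard(role)


def demo() -> dict:
    """Walk through the text's scenarios and return each access decision."""
    results = {}

    # DAC: Ann owns a report; Joe gets read access only after Ann grants it.
    ann, joe = Subject("Ann"), Subject("Joe")
    report = Obj("report.txt", owner="Ann")
    results["dac_joe_before_grant"] = dac_allowed(joe, report, "read")
    results["dac_joe_cannot_grant"] = dac_grant(joe, report, "Joe", {"read"})
    dac_grant(ann, report, "Joe", {"read"})
    results["dac_joe_read"] = dac_allowed(joe, report, "read")
    results["dac_joe_write"] = dac_allowed(joe, report, "write")

    # MAC: a confidential file compartmented to research. A marketing user with
    # secret clearance is denied; a research user cleared to confidential is
    # allowed; a research user with only public clearance is denied.
    plan = Obj("research-plan", owner="root", classification="confidential",
               compartments={"research"})
    marketing_user = Subject("Dana", clearance="secret", groups={"marketing"})
    research_user = Subject("Ravi", clearance="confidential", groups={"research"})
    intern = Subject("Ira", clearance="public", groups={"research"})
    results["mac_marketing_secret"] = mac_allowed(marketing_user, plan)
    results["mac_research_confidential"] = mac_allowed(research_user, plan)
    results["mac_research_public"] = mac_allowed(intern, plan)

    # RBAC: David holds the role, moves elsewhere, and loses access by revocation.
    david = Subject("David", roles={"marketing manager"})
    results["rbac_david_before"] = rbac_allowed(david, "marketing files", "read")
    revoke_role(david, "marketing manager")
    results["rbac_david_after"] = rbac_allowed(david, "marketing files", "read")
    return results


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check}: {'allowed' if decision else 'denied'}")
```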
A vulnerability can occur anywhere in the IT environment, and can be the result of many different root
causes. Security vulnerability management solutions gather comprehensive endpoint and network
intelligence, and apply advanced analytics to identify and prioritize the vulnerabilities that pose the
most risk to critical systems. The result is actionable data that enables IT security teams to focus on
the tasks that will most quickly and effectively reduce overall network risk with the fewest possible
resources.
Vulnerability assessment and management is an essential piece for managing overall IT risk
because:
Persistent threats
Attacks exploiting security vulnerabilities for financial gain and criminal agendas continue to
dominate headlines.
Regulation
Risk management
Mature organizations treat it as a key risk management component. Organizations that follow
mature IT security principles understand the importance of risk management.
Properly planned and implemented threat and vulnerability management programs represent a key
element in an organization’s information security program, providing an approach to risk and threat
mitigation that is proactive and business aligned, not just reactive and technology focused.
Vulnerability Assessment
This includes assessing the environment for known vulnerabilities and assessing IT components against the security configuration policies (by device role) that have been defined for the environment. This is accomplished through scheduled vulnerability and configuration assessments of the environment.
Network based vulnerability assessment (VA) has been the primary method employed to baseline
networks, servers and hosts. The primary strength of VA is breadth of coverage. Thorough and
accurate vulnerability assessments can be accomplished for managed systems via credentialed access.
Unmanaged systems can be discovered and a basic assessment can be completed. The ability to
evaluate databases and web applications for security weaknesses is crucial, considering the rise of
attacks that target these components.
Database scanners check database configuration and properties to verify whether they comply with
database security best practices.
Web application scanners test an application’s logic for “abuse” cases that can break or exploit the
application. Additional tools can be leveraged to perform more in-depth testing and analysis.
All three scanning technologies (network, application and database) assess a different class of security
weaknesses, and most organizations need to implement all three.
Risk assessment
Larger issues should be expressed in the language of risk (e.g. ISO 27005), specifically expressing
impact in terms of business impact. The business case for any remedial action should incorporate
considerations relating to the reduction of risk and compliance with policy. This incorporates the basis
of the action to be agreed on between the relevant line of business and the security team.
Risk analysis
“Fixing” the issue may involve acceptance of the risk, shifting of the risk to another party or reducing
the risk by applying remedial action, which could be anything from a configuration change to
implementing a new infrastructure (e.g. data loss prevention, firewalls, host intrusion prevention
software).
Elimination of the root cause of security weaknesses may require changes to user administration and
system provisioning processes. Many processes and often several teams may come into play (e.g.
configuration management, change management, patch management etc.). Monitoring and incident
management processes are also required to maintain the environment.
Vulnerability enumeration
Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e. CVE Identifiers)
for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to
share data across separate network security databases and tools, and provide a baseline for
evaluating the coverage of an organization’s security tools. If a report from one of your security tools
incorporates CVE identifiers, you may then quickly and accurately access fix information in one or
more separate CVE compatible databases to remediate the problem.
The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating
the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable,
accurate measurement while enabling users to see the underlying vulnerability characteristics that
were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for
industries, organizations and governments that need accurate and consistent vulnerability impact
scores.
The Common Weakness Enumeration Specification (CWE) provides a common language of discourse
for discussing, finding and dealing with the causes of software security vulnerabilities as they are
found in code, design or system architecture. Each individual CWE represents a single vulnerability
type. CWEs are used as a classification mechanism that differentiates CVEs by the type of vulnerability
they represent. For more details see: Common Weakness Enumeration.
Remediation Planning
Prioritization
Vulnerability and security configuration assessments typically generate very long remediation work
lists, and this remediation work needs to be prioritized. When organizations initially implement
vulnerability assessment and security configuration baselines, they typically discover that a large
number of systems contain multiple vulnerabilities and security configuration errors. There is typically
more mitigation work to do than the resources available to accomplish it. Therefore, prioritization is
important.
It is important to analyse security and vulnerability assessments in order to determine the root cause.
In many cases, the root cause of a set of vulnerabilities lies within the provisioning, administration and
maintenance processes of IT operations or within their development or the procurement processes of
applications. Elimination of the root cause of security weaknesses may require changes to user
administration and system provisioning processes.
An RCA is an analysis of a failure to determine the first (or root) failure that caused the ultimate condition in which the system finds itself. For example, in an application crash one should be asking: why did it crash this way?
A security analyst’s job in performing an RCA is to keep asking the inquisitive "why" until one runs out
of room for questions, and then they are faced with the problem at the root of the situation.
Example: consider an application that had its database pilfered by hackers. The ultimate failure the analyst may be investigating is the exfiltration of consumer private data, but the SQL injection is not what caused the failure. Why did the SQL injection happen? Was the root of the problem that the responsible developer simply didn't follow the corporate policy for building SQL queries? Or was the issue a failure to implement something like the OWASP ESAPI (the OWASP Enterprise Security API, a free, open source web application security control library that makes it easier for programmers to write lower-risk applications) in the appropriate manner? Or maybe the cause was a vulnerable open-source piece of code that was incorporated into the corporate application without passing through the full source code lifecycle process?
Your job when performing an RCA is to figure this out. Root cause analysis is critically important in the software security world. A number of automated solutions are also available for various types of RCA; for example, HP's web application security testing technology can link XSS issues to a single line of code in the application input handler.
Decision trees and algorithms may be used as tools for further detailed analysis. To learn more, visit: https://www.sans.org/reading-room/whitepapers/detection/decision-tree-analysis-intrusion-detection-how-to-guide-33678
Summary
Elements of information security include network security, application security and
communication security
Types of communication security are Cryptosecurity, Emission Security (EMSEC), Physical Security,
Traffic-Flow Security and Transmission Security (TRANSEC).
Critical information characteristics are Confidentiality, Integrity and Availability.
Information states include transmission, storage and processing.
Basic information security concepts:
o Identification
o Authentication
o Authorization
o Confidentiality
o Integrity
o Availability
o Non-repudiation
Types of control for information security can be classified into:
o Preventive
o Detective
o Corrective
o Deterrent
o Recovery
o Compensating
Three main access control models exist:
o Discretionary Access Control model
o Mandatory Access Control model
o Role Based Access Control model
A Root Cause Analysis is an analysis of a failure to determine the first (or root) failure that caused the ultimate condition in which the system finds itself.
Practical activities:
Activity 1:
Investigate the various types of threats to network security, application security and communication security, and prepare a white paper on the same. Also list the various countermeasures or security devices that may be used to address them. Present it in class.
Activity 2:
Collect information from various information security service companies’ websites and understand the various security services they offer. Carry out a comparison of the various services or products offered and list their features and benefits.
Activity 3:
Collect information about the various categories of controls and state which controls fall within each category. Discuss in groups the benefits and limitations of examples of each type of control within a category.
Activity 4:
Collect information about the various elements of a decision tree and an algorithm. Create algorithms and decision trees for various situations when planning for the security of information assets.
UNIT III
Data Leakage and Prevention
Lesson Plan
3.1 Introduction to Data Leakage
3.2 Organisational Data Classification, Location and Pathways
3.3 Content Awareness
3.4 Content Analysis Techniques
3.5 Data Protection
3.6 DLP Limitations
3.7 DRM – DLP Conundrum
Lesson Plan
Performance Outcomes
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
PC3. carry out security assessment of information security systems using automated tools
PC11. comply with your organization’s policies, standards, procedures and guidelines when contributing to managing information security
You need to know and understand:
KA12. your organization’s information security systems and tools and how to access and maintain the same
KA13. standard tools and templates available and how to use these
KB4. how to identify and resolve information security vulnerabilities and issues
KB1 – KB4

Ensuring Measures
Going through various organizations’ websites and understanding the policies and guidelines (Research). Project charter, Architecture (charts), Project plan, Poster presentation and Execution plan.
KA12. Going through various organizations’ websites and understanding the policies and guidelines (Research). Project charter, Architecture (charts), Project plan, Poster presentation and Execution plan.
KA13. Creation of templates based on the learnings from KA1 to KA12.

Work Environment/ Lab Requirement
PCs/ tablets/ laptops
Availability of labs (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Networking equipment (routers & switches)
Firewalls and access points
Access to all security sites like ISO, PCI DSS etc.
Commercial tools like HP WebInspect and IBM AppScan etc.
Open source tools like sqlmap, Nessus etc.
KA1 to KA13: the same lab requirements as above.
Lesson
Sensitive data in companies and organizations include intellectual property (IP), financial
information, patient information, personal credit card data, and other information depending
on the business and the industry. Data leakage poses a serious issue for companies as the
number of incidents and the cost to those experiencing them continue to increase.
Data leakage is made easier by the fact that transmitted data (both inbound and outbound), including
emails, instant messaging, website forms and file transfers among others, are largely unregulated and
unmonitored on their way to their destinations. Furthermore, in many cases, sensitive data are shared
among various stakeholders such as employees working from outside the organization’s premises (e.g.
on laptops), business partners and customers. This increases the risk that confidential information will
fall into unauthorized hands. Whether caused by malicious intent or an inadvertent mistake by an
insider or outsider, exposure of sensitive information can seriously hurt an organization. The potential
damage and adverse consequences of a data leakage incident can be classified into two categories:
Direct losses refer to tangible damage that is easy to measure or to estimate quantitatively. Indirect
losses, on the other hand, are much harder to quantify and have a much broader impact in terms of
cost, place and time.
Direct losses include violations of regulations (such as those protecting customer privacy) resulting in
fines; settlements or customer compensation fees; litigation involving lawsuits; loss of future sales;
costs of investigation and remedial or restoration fees. Indirect losses include reduced share price as
a result of negative publicity; damage to a company’s goodwill and reputation; customer
abandonment; and exposure of intellectual property (business plans, code, financial reports and
meeting agendas) to competitors.
Standard security measures are used by many organizations and include common mechanisms such
as firewalls, intrusion detection systems (IDSs) and antivirus software that can provide protection
against both outsider attacks (e.g. a firewall which limits access to the internal network and an
intrusion detection system which detects attempted intrusions) and inside attacks (e.g. antivirus scans
to detect a Trojan horse that may be installed on a PC to send confidential information).
Another example is the use of thin clients which operate in a client-server architecture, with no
personal or sensitive data stored on a client’s computer. Policies and training for improving the
awareness of employees and partners provide additional standard security measures.
Advanced or intelligent security measures include machine learning and temporal reasoning
algorithms for detecting abnormal access to data (i.e. databases or information retrieval systems),
activity based verification (e.g. based on keystrokes and mouse patterns), detection of abnormal email
exchange patterns, and applying the honeypot concept for detecting malicious insiders.
Device control, access control and encryption are used to prevent access by an unauthorized user.
These are the simplest measures that can be taken to protect large amounts of personal data
against malicious outsider and insider attacks.
Designated DLP solutions are intended to detect and prevent attempts to copy or send sensitive data,
intentionally or unintentionally, without authorization, mainly by personnel who are authorized to
access the sensitive information. A major capability of such solutions is an ability to classify content as
sensitive. Designated DLP solutions are typically implemented using mechanisms such as exact data
matching, structured data fingerprinting, statistical methods (e.g. machine learning), rule and regular
expression matching, published lexicons, conceptual definitions and keywords.
Data Leakage Prevention (DLP) solutions are often also referred to as Information Leak Prevention
(ILP), Data Leak/ Loss Prevention (DLP), Outbound Content Compliance, Content Monitoring and
Filtering, Content Monitoring and Protection (CMP) or Extrusion Prevention.
A designated data leakage prevention solution is defined as a system that is designed to detect and
prevent the unauthorized access, use or transmission of confidential information.
Figure: breakdown of data leakage incidents by data type (NPI, e.g. customer data; confidential information) and by leakage channel (HTTP, Email, Networked Printer, End Point, Internal Mail, IM, Webmail, Others). Percentages per category are not recoverable from the extracted text.
Source: http://www.networksunlimited.com
Enterprises are often unaware of all of the types and locations of information they possess.
It is important, prior to purchasing a DLP solution, to identify and classify sensitive data types and their
flow from system to system and to users. This process should yield a data taxonomy or classification
system that will be leveraged by various DLP modules as they scan for and take action on information
that falls into the various classifications within the taxonomy. Analysis of critical business processes
should yield the required information.
Classifications can include categories such as private customer or employee data, financial data and
intellectual property. Once the data have been identified and classified appropriately, further analysis
of processes should facilitate the location of primary data stores and key data pathways.
Frequently multiple copies and variations of the same data are scattered across the enterprise on
servers, individual workstations, tape and other media. Copies are frequently made to facilitate
application testing without first cleansing the data of sensitive content. Having a good idea of the data
classifications and location of the primary data stores proves helpful in both the selection and
placement of the DLP solution.
Once the DLP solution is in place, it can assist in locating additional data locations and pathways. It is
also important to understand the enterprise’s data life cycle. Understanding the life cycle from point
of origin through processing, maintenance, storage and disposal will help uncover further data
repositories and transmission paths. Additional information should be collected by conducting an
inventory of all data egress points since not all business processes are documented and not all data
movement is a result of an established process. Analysis of firewall and router rule sets can aid these
efforts.
The DLP market is also split between DLP as a feature and DLP as a solution. A number of
products, particularly email security solutions, provide basic DLP functions, but aren't complete
DLP solutions. The difference is:
Context includes things like source; destination; size; recipients; sender; header information;
metadata; time; format and anything else short of the content of the letter itself. Context is highly
useful and any DLP solution should include contextual analysis as part of an overall solution. A more
advanced version of contextual analysis is business context analysis, which involves deeper analysis of
the content, its environment at the time of analysis and the use of the content at that time.
Content awareness involves peering inside containers and analysing the content itself. The advantage
of content awareness is that while we use context, we're not restricted by it. If I want to protect a
piece of sensitive data, I would want to protect it everywhere and not just in obviously sensitive
containers. I'm protecting the data, not the envelope, so it makes a lot more sense to open the letter,
read it, and decide how to treat it. This is more difficult and time consuming than basic contextual
analysis and is the defining characteristic of DLP solutions.
Content Analysis
The first step in content analysis is capturing the envelope and opening it. The engine then needs to
parse the context (we'll need that for the analysis) and dig into it. This is easy for a plain text email,
but when you want to look inside binary files, it gets a little more complicated.
All DLP solutions solve this using file cracking. File cracking is the technology used to read and
understand the file, even if the content is buried multiple levels down. For example, it's not unusual
for the cracker to read an Excel spreadsheet embedded in a Word file that's zipped. The product needs
to unzip the file, read the Word doc, analyse it, find the Excel data, read it and analyse it.
Other situations get far more complex, like a .pdf embedded in a CAD file. Many of the products in the
market today support around 300 file types, embedded content, multiple languages, double byte
character sets for Asian languages, and pulling plain text from unidentified file types. Quite a few use
the Autonomy or Verity content engines to help with file cracking, but all the serious tools have quite
a bit of proprietary capability, in addition to the embedded content engine. Some tools support
analysis of encrypted data if enterprise encryption is used with recovery keys, and most tools can
identify standard encryption and use that as a contextual rule to block/ quarantine content.
Once the content is accessed, there are seven major analysis techniques used to find policy violations,
each with its own strengths and weaknesses.
1. Rule based/ Regular expressions: This is the most common analysis technique available in both DLP
products and other tools with DLP features. It analyses the content for specific rules, such as 16 digit
numbers that meet credit card checksum requirements, medical billing codes or other textual
analyses. Most DLP solutions enhance basic regular expressions with their own additional analysis
rules (e.g. a name in proximity to an address near a credit card number).
Best used for: a first-pass filter, or for detecting easily identified pieces of structured data like
credit card numbers, social security numbers and healthcare codes/ records.
Strengths: rules process quickly and can be easily configured. Most products ship with initial rule sets.
The technology is well understood and easy to incorporate into a variety of products.
Weaknesses: prone to high false positive rates. Offers very little protection for unstructured content
like sensitive intellectual property.
2. Database fingerprinting: Sometimes called Exact Data Matching – this technique takes either a
database dump or live data (via ODBC connection) from a database and only looks for exact matches.
For example, you could generate a policy to look only for credit card numbers in your customer base,
thus ignoring your own employees buying online. More advanced tools look for combinations of
information, such as the magic combination of first name or initial with last name, credit card or social
security number that triggers a disclosure. Make sure you understand the performance and security
implications of nightly extracts vs. live database connections.
Strengths: very low false positives (close to 0). Allows you to protect customer/ sensitive data while
ignoring other, similar data used by employees (like their personal credit cards for online orders).
Weaknesses: nightly dumps won't contain transaction data since the last extract. Live connections can
affect database performance. Large databases affect product performance.
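As an added example (not code from the handbook or from any DLP product), the following Python chains technique 1 and technique 2 above: a regular-expression first pass with the credit card Luhn checksum and a simplified proximity rule, followed by Exact Data Matching against SHA-256 fingerprints of a constructed customer-database extract, so that customer cards are blocked while an employee's own card only raises an alert. The card numbers, messages, context keywords and the 40-character proximity window are all constructed assumptions.

```python
"""Constructed DLP content-analysis demo: regex + Luhn + proximity rule,
then Exact Data Matching (EDM) against a hashed customer-database extract."""
import hashlib
import re
from dataclasses import dataclass

# Constructed "nightly dump" of customer card numbers (Luhn-valid test-style
# numbers, not real cards). A real deployment would pull these via ODBC.
CUSTOMER_DUMP = ["4111111111111111", "5500000000000004"]

# Candidate pattern: 16 digits, optionally separated by spaces or dashes,
# not glued to other digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")

# Simplified proximity rule (an assumption, not a vendor rule set): a valid
# number is more suspicious when card-related words appear within 40 chars.
CONTEXT_WORDS = re.compile(r"\b(card|cvv|expir\w*|visa|mastercard)\b", re.I)
PROXIMITY = 40


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def fingerprint(digits: str) -> str:
    """Hash of the normalized value; the engine stores hashes, not raw cards."""
    return hashlib.sha256(digits.encode()).hexdigest()


def build_edm_index(dump) -> set:
    """Exact Data Matching index built from the database extract."""
    return {fingerprint(re.sub(r"\D", "", v)) for v in dump}


@dataclass
class Finding:
    number: str           # normalized 16-digit string
    rule: str             # which technique produced the verdict
    in_context: bool      # proximity rule satisfied?
    customer_match: bool  # EDM hit against the customer database


def scan(text: str, edm_index: set) -> list:
    """Run the regex pass, drop checksum failures, then apply context and EDM."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_valid(digits):
            continue  # fails the checksum: an order id, not a card
        window = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        in_context = bool(CONTEXT_WORDS.search(window))
        customer_match = fingerprint(digits) in edm_index
        rule = "exact-data-match" if customer_match else "regex+luhn"
        findings.append(Finding(digits, rule, in_context, customer_match))
    return findings


def verdict(findings: list) -> str:
    """Policy: block customer data (EDM hit); a regex-only hit in card context
    is an alert, so an employee ordering with a personal card is not blocked."""
    if any(f.customer_match for f in findings):
        return "block"
    if any(f.in_context for f in findings):
        return "alert"
    return "allow"


# Constructed outbound messages.
MESSAGES = {
    "support_reply": "Hi, your card 4111-1111-1111-1111 (expiry 09/27) is now active.",
    "employee_order": "Paid with my own Visa 4012 8888 8888 1881 for the team lunch.",
    "shipping_note": "Order 1234567890123456 shipped today.",
    "no_cards": "Quarterly numbers attached.",
}

if __name__ == "__main__":
    idx = build_edm_index(CUSTOMER_DUMP)
    for name, body in MESSAGES.items():
        fs = scan(body, idx)
        print(f"{name:15} -> {verdict(fs):5} {[(f.number, f.rule) for f in fs]}")
```

The shipping note contains a 16-digit order number that fails the Luhn check and is dropped before any rule fires, which is the false-positive reduction the checksum gives over a bare regex.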
3. Exact file matching: With this technique you take a hash of a file and monitor for any files that
match that exact fingerprint. Some consider this to be a contextual analysis technique since the file
contents themselves are not analysed.
Best used for: media files and other binaries where textual analysis isn't necessarily possible.
Strengths: works on any file type, low false positives with a large enough hash value (effectively none).
Weaknesses: trivial to evade. Worthless for content that's edited, such as standard office documents
and edited media files.
4. Partial document matching: This technique looks for a complete or partial match on protected
content. Thus you could build a policy to protect a sensitive document, and the DLP solution will look
for either the complete text of the document, or even excerpts as small as a few sentences. For
example, you could load up a business plan for a new product and the DLP solution would alert if an
employee pasted a single paragraph into an Instant Message. Most solutions are based on a technique
known as cyclical hashing, where you take a hash of a portion of the content, offset a predetermined
number of characters, then take another hash, and keep going until the document is completely
loaded as a series of overlapping hash values. Outbound content is run through the same hash
technique, and the hash values compared for matches. Many products use cyclical hashing as a base,
then add more advanced linguistic analysis.
Best used for: protecting sensitive documents or similar content with text, such as CAD files (with
text labels) and source code, and unstructured content that's known to be sensitive.
Strengths: ability to protect unstructured data. Generally low false positives (some vendors will say
zero false positives, but any common sentence/ text in a protected document can trigger alerts).
Doesn't rely on complete matching of large documents. It can find policy violations on even a partial
match.
Weaknesses: performance limitations on the total volume of content that can be protected. Common
phrases/ verbiage in a protected document may trigger false positives. Must know exactly which
documents you want to protect. Trivial to avoid (ROT1 encryption is sufficient for evasion).
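The cyclical hashing described above, as an added example in Python (not code from the handbook or any vendor): protected documents are registered as overlapping SHA-256 chunk hashes, outbound text is hashed at every offset and compared, and the boilerplate false positive the text warns about is shown with a constructed HR memo. The window size, offset and all documents are assumptions.

```python
"""Partial document matching with cyclical (overlapping) hashing.
Constructed example: WINDOW/OFFSET values and all documents are assumptions."""
import hashlib
import re

WINDOW = 48  # characters per hashed chunk (assumed tuning value)
OFFSET = 16  # start-to-start distance of registered chunks, so they overlap


def normalize(text: str) -> str:
    """Collapse whitespace and case so simple reformatting does not break matching."""
    return re.sub(r"\s+", " ", text).strip().lower()


def chunk_hashes(text: str, step: int) -> list:
    """SHA-256 of every WINDOW-character chunk whose start is a multiple of step."""
    t = normalize(text)
    if len(t) < WINDOW:
        return []
    return [hashlib.sha256(t[i:i + WINDOW].encode()).hexdigest()
            for i in range(0, len(t) - WINDOW + 1, step)]


def register(documents: dict) -> dict:
    """Load protected documents as a hash -> {document names} index.
    Only hashes are stored, so the index does not itself leak the content."""
    index = {}
    for name, body in documents.items():
        for h in chunk_hashes(body, OFFSET):
            index.setdefault(h, set()).add(name)
    return index


def match(outbound: str, index: dict) -> dict:
    """Hash the outbound text at every offset (step 1) and count chunks that
    collide with the index. Sliding by 1 on the outbound side means an excerpt
    starting anywhere in the original still lines up with a registered chunk,
    provided it is at least WINDOW + OFFSET - 1 characters long."""
    hits = {}
    for h in chunk_hashes(outbound, 1):
        for doc in index.get(h, ()):
            hits[doc] = hits.get(doc, 0) + 1
    return hits


def decide(hits: dict) -> str:
    """Alert on any partial match; a single pasted paragraph is enough."""
    return "alert" if hits else "allow"


# Constructed protected document (not a real business plan).
PROTECTED = {
    "falcon_plan": """Project Falcon business plan. We will launch the Falcon
    router in Q3 with a target price of 199 dollars and an initial production
    run of 40,000 units, sold through the partner channel before direct sales
    begin in Q4. Confidential: do not distribute this document outside the
    company.""",
}

# Constructed outbound messages.
IM_EXCERPT = ("fyi: We will launch the Falcon router in Q3 with a target price "
              "of 199 dollars and an initial production run of 40,000 units")
UNRELATED = "Lunch at noon? The cafeteria has the new menu on today, see you there."
# Shares only the confidentiality footer with the plan: the false-positive
# case the text warns about (common phrases in a protected document).
HR_MEMO = ("Reminder: the holiday schedule is attached. Confidential: do not "
           "distribute this document outside the company.")

if __name__ == "__main__":
    idx = register(PROTECTED)
    for label, msg in [("im", IM_EXCERPT), ("unrelated", UNRELATED), ("hr", HR_MEMO)]:
        hits = match(msg, idx)
        print(f"{label:9} -> {decide(hits):5} {hits}")
```

Excerpts shorter than WINDOW + OFFSET - 1 characters can fall between two registered chunks and go undetected, which is the sensitivity/volume trade-off behind the offset choice.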
5. Statistical analysis: Use of machine learning, Bayesian analysis and other statistical techniques to
analyse a corpus of content and find policy violations in content that resembles the protected content.
This category includes a wide range of statistical techniques which vary greatly in implementation and
effectiveness. Some techniques are very similar to those used to block spam.
Best used for: unstructured content where a deterministic technique, like partial document
matching, would be ineffective. For example, a repository of engineering plans that's impractical to
load for partial document matching due to high volatility or massive volume.
Strengths: can work with more nebulous content where you may not be able to isolate exact
documents for matching. Can enforce policies such as "alert on anything outbound that resembles the
documents in this directory".
Weaknesses: prone to false positives and false negatives. Requires a large corpus of source content –
the bigger, the better.
6. Conceptual/ Lexicon: This technique uses a combination of dictionaries, rules and other analyses
to protect nebulous content that resembles an "idea". It's easier to give an example — a policy that
alerts on traffic that resembles insider trading, which uses key phrases, word counts and positions to
find violations. Other examples are sexual harassment, running a private business from a work account
and job hunting.
Best used for: completely unstructured ideas that defy simple categorization based on matching
known documents, databases or other registered sources.
Strengths: not all corporate policies or content can be described using specific examples. Conceptual
analysis can find closely defined policy violations other techniques can't even think of monitoring for.
Weaknesses: in most cases, these are not user-definable and the rule sets must be built by the DLP
vendor with significant effort, which costs more. This technique is very prone to false positives and
negatives because of the flexible nature of the rules.
7. Categories: Pre-built categories with rules and dictionaries for common types of sensitive data,
such as credit card numbers/ PCI protection, HIPAA etc.
Best used for: anything that neatly fits a provided category. Typically, easy to describe content
related to privacy, regulations or industry specific guidelines.
Strengths: extremely simple to configure. Saves significant policy generation time. Category policies
can form the basis for more advanced, enterprise specific policies. For many organizations, categories
can meet a large percentage of their data protection needs.
Weaknesses: one size fits all might not work. Only good for easily categorized rules and content.
These seven techniques form the basis for most of the DLP products on the market. Not all products
include all techniques, and there can be significant differences between implementations. Most
products can also chain techniques — building complex policies from combinations of content and
contextual analysis techniques.
The goal of DLP is to protect content throughout its lifecycle. In terms of DLP, this includes three
major aspects:
• Data at Rest includes scanning of storage and other content repositories to identify where
sensitive content is located. We call this content discovery. For example, you can use a DLP
product to scan your servers and identify documents with credit card numbers. If the server
isn't authorized for that kind of data, the file can be encrypted or removed or a warning sent to
the file owner.
• Data in Motion is sniffing of traffic on the network (passively or inline via proxy) to identify
content being sent across specific communications channels. For example, this includes sniffing
emails, instant messages and web traffic for snippets of sensitive source code. In motion, tools
can often block based on central policies depending on the type of traffic.
• Data in Use is typically addressed by endpoint solutions that monitor data as the user interacts
with it. For example, they can identify when you attempt to transfer a sensitive document to a
USB drive and block it (as opposed to blocking use of the USB drive entirely). Data in use tools
can also detect things like copy and paste or use of sensitive data in an unapproved application
(such as someone attempting to encrypt data to sneak it past the sensors).
Many organizations first enter the world of DLP with network based products that provide broad
protection for managed and unmanaged systems. It’s typically easier to start a deployment with
network products to gain broad coverage quickly. Early products limited themselves to basic
monitoring and alerting, but all current products include advanced capabilities to integrate with
existing network infrastructure and provide protective, not just detective controls.
Data In Motion
Network Monitor
At the heart of most DLP solutions lies a passive network monitor. The network monitoring component
is typically deployed at or near the gateway on a SPAN port (or a similar tap). It performs full packet
capture, session reconstruction and content analysis in real time. Performance is more complex and
subtle than vendors normally discuss. First, on the client expectation side, most clients claim they need
full gigabit ethernet performance, but that level of performance is unnecessary except in very unusual
circumstances since few organizations are really running that high a level of communications traffic.
DLP is a tool to monitor employee communications, not web application traffic. Realistically, we find
that small enterprises normally run under 50 MB/s of relevant traffic, medium enterprises run
closer to 50-200 MB/s and large enterprises around 300 MB/s (maybe as high as 500 in a few cases).
Not every product runs full packet capture because of the content analysis overhead. You might have
to choose between pre-filtering (and thus missing non-standard traffic) or buying more boxes and load
balancing. Also, some products lock monitoring into pre-defined port and protocol combinations,
rather than using service/ channel identification based on packet content. Even if full application
channel identification is included, you want to make sure it's enabled, otherwise you might miss
non-standard communications such as connecting over an unusual port. Most of the network monitors are
dedicated general purpose server hardware with DLP software installed. A few vendors deploy true
specialized appliances. While some products have their management, workflow and reporting built
into the network monitor, this is often offloaded to a separate server or appliance.
Email Integration
The next major component is email integration. Since email is stored and forwarded, you can gain a
lot of capabilities, including quarantine, encryption integration and filtering without the same hurdles
to avoid blocking synchronous traffic.
Most products embed an MTA (Mail Transport Agent) into the product, allowing you to just add it as
another hop in the email chain. Quite a few also integrate with some of the major existing MTAs/
email security solutions directly for better performance. One weakness of this approach is it doesn't
give you access to internal email. If you're on an Exchange server, internal messages never make it
through the external MTA since there's no reason to send that traffic out. To monitor internal mail,
you'll need direct Exchange/ Lotus integration, which is surprisingly rare in the market. Full integration
is different from just scanning logs/ libraries after the fact, which is what some companies call internal
mail support. Good email integration is absolutely critical if you ever want to do any filtering, as
opposed to just monitoring.
Nearly anyone deploying a DLP solution will eventually want to start blocking traffic. There's only so
long you can take watching all your sensitive data running to the nether regions of the Internet before
you start taking some action. Blocking isn't the easiest thing in the world, especially since we're trying
to allow good traffic. Block only bad traffic, and make the decision using real-time content analysis.
Email, as we mentioned, is fairly straightforward to filter. It's not quite real time and is ‘proxied’ by its
very nature. Adding one more analysis hop is a manageable problem in even the most complex
environments. Outside of email, most of our communications traffic is synchronous. Everything runs
in real time. Thus if we want to filter it we either need to bridge the traffic, proxy it or poison it from
the outside.
Bridge
With a bridge, we just have a system with two network cards which performs content analysis in the
middle. If we see something bad, the bridge breaks the connection for that session. Bridging isn't the
best approach for DLP since it might not stop all the bad traffic before it leaks out. It's like sitting in a
doorway watching everything go past with a magnifying glass. By the time you get enough traffic to
make an intelligent decision, you may have missed the really good stuff. Very few products take this
approach although it does have the advantage of being protocol agnostic.
Proxy
In simplified terms, a proxy is protocol/ application specific and queues up traffic before passing it on,
allowing for deeper analysis. We see gateway proxies mostly for HTTP, FTP and IM protocols. Few DLP
solutions include their own proxies. They tend to integrate with existing gateway/ proxy vendors since
most customers prefer integration with these existing tools. Integration for web gateways is typically
through the ICAP protocol, allowing the proxy to grab the traffic, send it to the DLP product for analysis
and cut communication, if there's a violation. This means you don't have to add another piece of
hardware in front of your network traffic, and the DLP vendors can avoid the difficulties of building
dedicated network hardware for inline analysis. If the gateway includes a reverse SSL proxy you can
also sniff SSL connections. You will need to make changes on your endpoints to deal with all the
certificate alerts, but you can now peer into encrypted traffic. For Instant Messaging, you'll need an
IM proxy and a DLP product that specifically supports whatever IM protocol you're using.
TCP Poisoning
The last method of filtering is TCP poisoning. You monitor the traffic and when you see something
bad, you inject a TCP reset packet to kill the connection. This works on every TCP protocol but isn't
very efficient. For one thing, some protocols will keep trying to get the traffic through. If you TCP
poison a single email message, the server will keep trying to send it for three days, as often as every
15 minutes. The other problem is the same as bridging. Since you don't queue the traffic at all, by the
time you notice something bad, it might be too late. It's a good stop-gap to cover non-standard
protocols, but you'll want to proxy as much as possible.
Internal Networks
Although technically capable of monitoring internal networks, DLP is rarely used on internal traffic
other than email. Gateways provide convenient choke points. Internal monitoring is a daunting
prospect from cost, performance, and policy management/ false positive standpoints. A few DLP
vendors have partnerships for internal monitoring, but this is a lower priority feature for most
organizations.
All medium to large enterprises and many smaller organizations have multiple locations and web
gateways. A DLP solution should support multiple monitoring points, including a mix of passive
network monitoring, proxy points, email servers and remote locations. While processing/ analysis can
be offloaded to remote enforcement points, they should send all events back to a central management
server for workflow, reporting, investigations and archiving. Remote offices are usually easy to
support since you can just push policies down and reporting back, but not every product has this
capability. The more advanced products support hierarchical deployments for organizations that want
to manage DLP differently in multiple geographic locations or by business unit. International
companies often need this to meet legal monitoring requirements which vary by country. Hierarchical
management supports coordinated local policies and enforcement in different regions, running on
their own management servers and communicating back to a central management server. Early
products only supported one management server but now we have options to deal with these
distributed situations with a mix of corporate/ regional/ business unit policies, reporting and
workflow.
Data At Rest
While catching leaks on the network is fairly powerful, it's only one small part of the problem. Many
customers are finding that it's just as valuable, if not more valuable, to figure out where all that data
is stored in the first place. We call this content discovery. Enterprise search tools might be able to help
with this, but they really aren't tuned well for this specific problem. Enterprise data classification tools
can also help, but based on discussions with a number of clients, they don't seem to work well for
finding specific policy violations. Thus we see many clients opting to use the content discovery features
of their DLP products. The biggest advantage of content discovery in a DLP tool is that it allows you to
take a single policy, and apply it across data no matter where it's stored, how it's shared, or how it's
used. For example, you can define a policy that requires credit card numbers to only be emailed when
encrypted, never be shared via HTTP or HTTPS, only be stored on approved servers and only be stored
on workstations/ laptops by employees on the accounting team. All of this can be specified in a single
policy on the DLP management server.
• Storage discovery: scanning mass storage, including file servers, SAN and NAS.
• Server discovery: application specific scanning of stored data on email servers, document
management systems and databases (not currently a feature of most DLP products, but
beginning to appear in some Database Activity Monitoring products).
Content Discovery Techniques
1. Remote scanning: a connection is made to the server or device using a file sharing or application
protocol, and scanning is performed remotely. This is essentially mounting a remote drive and
scanning it from a server that takes policies from, and sends results to the central policy server.
For some vendors, this is an appliance while for others, it's a commodity server. For smaller
deployments, it's integrated into the central management server.
2. Agent Based scanning: an agent is installed on the system (server) to be scanned and scanning is
performed locally. Agents are platform specific, and use local CPU cycles, but can potentially
perform significantly faster than remote scanning, especially for large repositories. For endpoints,
this should be a feature of the same agent used for enforcing.
3. Memory Resident Agent scanning: rather than deploying a full-time agent, a memory resident
agent is installed, which performs a scan, then exits without leaving anything running or stored on
the local system. This offers the performance of agent based scanning in situations where you
don't want an agent running all the time. Any of these technologies can work for any of the modes,
and enterprises will typically deploy a mix depending on policy and infrastructure requirements.
We currently see technology limitations with each approach which guide deployment:
• Remote scanning can significantly increase network traffic and has performance limitations based
on network bandwidth and target and scanner network performance. Some solutions can only
scan gigabytes per day (sometimes hundreds, but not terabytes per day), per server based on
these practical limitations, which may be inadequate for very large storage.
• Agents, temporary or permanent, are limited by processing power and memory on the target
system, which often translates to restrictions on the number of policies that can be enforced, and
the types of content analysis that can be used. For example, most endpoint agents are not capable
of partial document matching or database fingerprinting against large data sets. This is especially
true of endpoint agents which are more limited.
• Agents don't support all platforms.
Once a policy violation is discovered, the DLP tool can take a variety of actions:
Alert/ report: create an incident in the central management server just like a network violation.
Warn: notify the user via email that they may be in violation of policy.
Quarantine/ notify: move the file to the central management server and leave a text file with
instructions on how to request recovery of the file.
Quarantine/ encrypt: encrypt the file in place, usually leaving a plain text file describing how to
request decryption.
Quarantine/ access control: change access controls to restrict access to the file.
Remove/ delete: either transfer the file to the central server without notification or just delete it.
Data In Use
DLP usually starts on the network because that's the most cost-effective way to get the broadest
coverage. Network monitoring is non-intrusive (unless you have to crack SSL), and offers visibility to
any system on the network, managed or unmanaged, server or workstation. Filtering is more difficult,
but again still relatively straightforward on the network (especially for email) and covers all systems
connected to the network. However, this isn't a complete solution. It doesn't protect data when
someone walks out the door with a laptop, and can't even prevent people from copying data to
portable storage like USB drives. To move from a "leak prevention" solution to a "content protection"
solution, products need to expand not only to stored data, but to the endpoints where data is used.
Note: Although there have been large advancements in endpoint DLP, endpoint-only solutions are not
recommended for most users. DLP endpoint solutions normally require compromise on the number
and types of policies that can be enforced, offer limited email integration with no protection for
unmanaged systems. An organisation will need both network and endpoint capabilities, and most of
the leading network solutions are adding or already offer at least some endpoint protection.
Adding an endpoint agent to a DLP solution not only gives you the ability to discover stored content,
but to potentially protect systems no longer on the network or even protect data as it's being actively
used. While extremely powerful, it has been problematic to implement. Agents need to perform
within the resource constraints of a standard laptop while maintaining content awareness. This can
be difficult if you have large policies such as, "protect all 10 million credit card numbers from our
database", as opposed to something simpler like, "protect any credit card number" that will generate
false positives every time an employee visits say, flipkart.com.
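Both the single credit-card policy described at the start of this section (email only when encrypted, never over HTTP/HTTPS, stored only on approved servers or on accounting workstations) and the contrast above between "protect any credit card number" and matching a large known set can be sketched in code. The following is an added example written for this handbook section, not code from any DLP product; the hostnames, team names, salt and card numbers are constructed, and the "storage" channel stands for what a discovery scan or endpoint agent reports.

```python
"""Toy DLP content analysis and policy evaluation (added example)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Hypothetical settings that a real deployment would pull from the DLP management server.
APPROVED_SERVERS = {"fs-accounting-01", "fs-accounting-02"}     # constructed hostnames
APPROVED_WORKSTATION_GROUPS = {"accounting"}
FINGERPRINT_SALT = b"constructed-salt-value"                   # constructed, not a real secret


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs such as phone numbers or order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """The simple 'protect any credit card number' rule: pattern plus checksum."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def fingerprint(pan: str) -> str:
    """Salted hash of one known number; agents receive hashes, never the numbers."""
    return hashlib.sha256(FINGERPRINT_SALT + pan.encode()).hexdigest()


def build_fingerprint_index(known_pans: Iterable[str]) -> Set[str]:
    """Run once on the management server over the customer database."""
    return {fingerprint(p) for p in known_pans}


def find_known_pans(text: str, index: Set[str]) -> List[str]:
    """Exact data matching: a hit only if the number is in the fingerprinted set."""
    return [p for p in find_pans(text) if fingerprint(p) in index]


@dataclass
class Context:
    """Where the content is and how it is moving, as an agent or appliance sees it."""
    channel: str            # "email", "http", "https" or "storage"
    encrypted: bool = False
    host: str = ""          # for "storage": the system holding the file
    host_type: str = ""     # "server" or "workstation"
    owner_group: str = ""   # for workstations: the team of the logged-in user


def evaluate(text: str, ctx: Context, index: Optional[Set[str]] = None) -> str:
    """Apply the one credit-card policy across all channels; returns the action."""
    pans = find_pans(text) if index is None else find_known_pans(text, index)
    if not pans:
        return "allow"
    if ctx.channel == "email":
        return "allow" if ctx.encrypted else "block"
    if ctx.channel in ("http", "https"):
        return "block"
    if ctx.channel == "storage":
        if ctx.host_type == "server" and ctx.host in APPROVED_SERVERS:
            return "allow"
        if ctx.host_type == "workstation" and ctx.owner_group in APPROVED_WORKSTATION_GROUPS:
            return "allow"
        return "quarantine"     # discovery hit: move the file and leave a notice
    return "alert"              # unknown channel: raise an incident rather than block


if __name__ == "__main__":
    known = build_fingerprint_index(["4111111111111111"])  # constructed "customer" number
    samples = [
        ("Invoice total 4111 1111 1111 1111", Context("email")),
        ("Invoice total 4111 1111 1111 1111", Context("email", encrypted=True)),
        ("card=4012888888881881", Context("https")),          # valid card, not a known one
        ("order 1234567890123 shipped", Context("http")),     # fails Luhn: no hit at all
        ("4111111111111111", Context("storage", host="ws-17",
                                     host_type="workstation", owner_group="sales")),
    ]
    for text, ctx in samples:
        print(f"{ctx.channel:8} any-card={evaluate(text, ctx):10} "
              f"known-only={evaluate(text, ctx, known)}")
```

The same text gives different verdicts under the generic rule and under exact data matching, which is exactly the trade-off between false positives and the resource cost of carrying a large fingerprint set on an endpoint.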
Key capabilities: existing products vary widely in functionality, but we can break out three key
capabilities:
1. Monitoring and enforcement within the network stack: this allows enforcement of network
rules without a network appliance. The product should be able to enforce the same rules as if
the system were on the managed network as well as separate rules designed only for use on
unmanaged networks.
2. Monitoring and enforcement within the system kernel: by plugging directly into the operating
system kernel you can monitor user activity, such as copying and pasting sensitive content. This
can also allow products to detect (and block) policy violations when the user is taking sensitive
content and attempting to hide it from detection, perhaps by encrypting it or modifying source
documents.
3. Monitoring and enforcement within the file system: this allows monitoring and enforcement
based on where data is stored. For example, you can perform local discovery and/ or restrict
transfer of sensitive content to unencrypted USB devices.
These options are simplified, and most early products focus on 1 and 3 to solve the portable storage
problem, and protect devices on unmanaged networks. System/ kernel integration is much more
complex and there are a variety of approaches to gaining this functionality.
The following features are highly desirable when deploying DLP at the endpoint:
Endpoint agents and rules should be centrally managed by the same DLP management server
that controls data in motion and data at rest (network and discovery).
Policy creation and management should be fully integrated with other DLP policies in a single
interface.
Incidents should be reported to, and managed by a central management server.
Endpoint agent should use the same content analysis techniques and rules as the network
servers/ appliances.
Rules (policies) should adjust based on where the endpoint is located (on or off the network).
When the endpoint is on a managed network with gateway DLP, redundant local rules should
be skipped to improve performance.
Agent deployment should integrate with existing enterprise software deployment tools.
Policy updates should offer options for secure management via the DLP management server
or existing enterprise software update tools.
Endpoint limitations
Realistically, the performance and storage limitations of the endpoint will restrict the types of
content analysis supported and the number and type of policies that are locally enforced. For
some enterprises, this might not matter depending on the kinds of policies to be enforced, but
in many cases endpoints impose significant constraints on data in use policies.
While DLP solutions can go far in helping an enterprise gain greater insight over and control of
sensitive data, stakeholders need to be apprised of limitations and gaps in DLP solutions.
Understanding these limitations is the first step in the development of strategies and policies to help
compensate for the limitations of the technology.
Some of the most significant limitations common among DLP solutions are:
Encryption — DLP solutions can only inspect encrypted information that they can first decrypt. To
do this, DLP agents, network appliances and crawlers must have access to, and be able to utilize,
the appropriate decryption keys. If users have the ability to use personal encryption packages
where keys are not managed by the enterprise and provided to the DLP solution, the files cannot
be analyzed. To mitigate this risk, policies should forbid the installation and use of encryption
solutions that are not centrally managed, and users should be educated that anything that cannot
be decrypted for inspection (meaning anything for which the DLP solution does not hold the
encryption key) will ultimately be blocked.
Graphics — DLP solutions cannot intelligently interpret graphics files. Short of blocking or
manually inspecting all such information, a significant gap will exist in an enterprise’s control of
its information. Sensitive information scanned into a graphics file, or intellectual property (IP) that
exists in a graphics format such as design documents, would fall into this category. Enterprises
that have significant IP in a graphics format should develop strong policies that govern the use and
dissemination of this information. While DLP solutions cannot intelligently read the contents of a
graphics file, they can identify specific file types, their source and destination. This capability,
combined with well-defined traffic analysis can flag uncharacteristic movement of this type of
information and provide some level of control.
Third-party service providers — When an enterprise sends its sensitive information to a trusted
third party, it is inherently trusting that the service provider mirrors the same level of control over
information leaks since the enterprise’s DLP solutions rarely extend to the service provider’s
network. A robust third-party management program that incorporates effective contract language
and a supporting audit program can help mitigate this risk.
Mobile devices — With the advent of mobile computing devices, such as smartphones, there are
communication channels that are not easily monitored or controlled. Short message service (SMS)
is the communication protocol that allows text messaging, and is a key example. Another
consideration is the ability of many of these devices to utilize Wi-Fi or even become a Wi-Fi hotspot
themselves. Both cases allow for out-of-band communication that cannot be monitored by most
enterprises. Finally, the ability of many of these devices to capture and store digital photographs
and audio information presents yet another potential gap. While some progress is being made in
this area, the significant limitations of processing power and centralized management remain a
challenge. Again, this situation is best addressed by the development of strong policies and
supporting user education to compel appropriate use of these devices.
Multilingual support — A few DLP solutions support multiple languages, but virtually all
management consoles support only English. It is also true that for each additional language and
character set the system must support, processing requirements and the time windows needed for
analysis increase. Until such time that vendors recognize sufficient market demand to address this gap,
there is little recourse but to seek other methods to control information leaks in languages other
than English. Multinational enterprises must carefully consider this potential gap when evaluating
and deploying a DLP solution. These points are not intended to discourage the adoption of DLP
technology.
The only recourse for most enterprises is the adoption of behavioral policies and physical
security controls that complement the suite of technology controls that is available today.
Further limitations include:
• Solution lock-in — At this time there is no portability of rule sets across various DLP platforms,
which means that changing from one vendor to another or integration with an acquired
organization’s solution can require significant work to replicate a complex rule set in a different
product.
• Limited client OS support — Many DLP solutions do not provide endpoint DLP agents for
operating systems such as Linux and Mac because their use as clients in the enterprise is much less
common. This does, however, leave a potentially significant gap for enterprises that have a
number of these clients. This risk can only be addressed by behavior oriented policies or requires
the use of customized solutions that are typically not integrated with the enterprise DLP platform.
• Cross application support — DLP functions can also be limited by application types. A DLP agent
that can monitor the data manipulations of one application may not be able to do so for another
application on the same system. Enterprises must ensure that all applications that can manipulate
sensitive data are identified and must verify that the DLP solution supports them. In cases where
unsupported applications exist, other actions may be required through policy, or if feasible,
through removal of the application in question.
The Open Security Foundation's DataLossDB gathers information about events involving the loss, theft
or exposure of personally identifiable information (PII). DataLossDB's dataset, in current and previous
forms, has been used in research by numerous educational, governmental and commercial entities,
which often have been able to provide statistical analysis with graphical presentations.
The charts below are provided in "as-is" format based on the current dataset maintained by the Open
Security Foundation and DataLossDB.
Digital Rights Management (DRM) is a system for protecting the copyrights of data circulated via the
Internet or other digital media by enabling secure distribution and/ or disabling illegal distribution of
the data. Typically, a DRM system protects intellectual property by either encrypting the data so that
it can only be accessed by authorized users or marking the content with a digital watermark or similar
method so that the content cannot be freely distributed. DRM is also described as the practice of
imposing technological restrictions that control what users can do with digital media. When a program
is designed to prevent you from copying or sharing a song, reading an ebook on another device, or
playing a single player game without an internet connection, you are being restricted by DRM. In other
words, DRM creates a damaged good: it prevents you from doing what would be possible without it.
This concentrates control over production and distribution of media, giving DRM peddlers the power
to carry out massive digital book burnings and conduct large scale surveillance over people's media
viewing habits.
Enterprise Digital Rights Management (DRM) and Data Loss Prevention (DLP) are typically thought of
as separate technologies that could replace each other. DRM encrypts files and controls access
privileges dynamically as a file is in use. DLP detects patterns and can restrict movement of
information that meets certain criteria. Rather than being competitive, the reality is that many
organizations can use them as complementary solutions.
DLP’s ability to scan, detect data patterns and enforce appropriate actions using contextual awareness
reduces the risk of losing sensitive data. A drawback of DLP is that it does not provide any protection
in case users have to send confidential information legitimately to a business partner or
customer. DLP cannot protect information once it is outside the organization’s perimeter.
DLP is very good at monitoring the flow of data throughout an organization and applying predefined
policies at endpoint devices or the network. The policies can log activities, send warnings to end users
and administrators, quarantine data or block it altogether.
The challenge is that most businesses need to share sensitive data with outside people. Considering
most data leaks originate from trusted insiders who have or had access to sensitive documents,
organizations must complement and empower the existing security infrastructure with a data centric
security solution that protects data in use persistently. That is where DRM comes in. DRM ensures
that only intended recipients can view sensitive files regardless of their location. This assures
protection of data beyond controlled boundaries so that an organization is always in control of its
information. DRM policy stays with the document even if it is renamed or saved to another format,
like a PDF. This provides a more complete solution to limit the possibility of a data breach.
Summary
Data leakage is defined as the accidental or unintentional distribution of private or sensitive
data to an unauthorized entity.
Sensitive data in companies and organizations include intellectual property (IP), financial
information, patient information, personal credit card data and other information depending
on the business and the industry. Data leakage poses a serious issue for companies as the
number of incidents and the cost to those experiencing them continue to increase.
Enterprises use Data Leakage Prevention (DLP) technology as one component in a
comprehensive plan for the handling and transmission of sensitive data. The technological
means employed for enhancing DLP can be divided into the following categories:
o standard security measures
o advanced/ intelligent security measures
o access control and encryption
o designated DLP systems
Device control, access control and encryption are used to prevent access by an unauthorized
user. These are the simplest measures that can be taken to protect large amounts of personal
data against malicious outsider and insider attacks.
Designated DLP solutions are intended to detect and prevent attempts to copy or send sensitive
data, intentionally or unintentionally, without authorization, mainly by personnel who are
authorized to access the sensitive information. A major capability of such solutions is an ability
to classify content as sensitive.
Designated DLP solutions are typically implemented using mechanisms such as exact data
matching, structured data fingerprinting, statistical methods (e.g. machine learning), rule and
regular expression matching, published lexicons, conceptual definitions and keywords.
Content discovery consists of three components:
o Endpoint discovery
o Storage discovery
o Server discovery
Some of the most significant limitations common among DLP solutions are:
Encryption — DLP solutions can only inspect encrypted information that they can first
decrypt.
Graphics — DLP solutions cannot intelligently interpret graphics files.
Third-party service providers — When an enterprise sends its sensitive information to a
trusted third party, it is inherently trusting that the service provider mirrors the same level
of control over information leaks since the enterprise’s DLP solutions rarely extend to the
service provider’s network.
Mobile devices — With the advent of mobile computing devices, such as smartphones,
there are communication channels that are not easily monitored or controlled.
Multilingual support — A few DLP solutions support multiple languages, but virtually all
management consoles support only English.
DRM, short for Digital Rights Management, is a system for protecting the copyrights of data
circulated via the internet or other digital media by enabling secure distribution and/ or
disabling illegal distribution of the data.
Typically, a DRM system protects intellectual property by either encrypting the data so that it
can only be accessed by authorized users or marking the content with a digital watermark or
similar method so that the content cannot be freely distributed.
Practical activities:
Activity 1:
Collect information about the extent of data leakage in its various forms across different
types of organisations and incidents of leakage and related loss. Present the cases in
class and discuss the various steps that can be taken proactively and post event to
ensure loss prevention and minimisation.
Activity 2:
Identify work behaviours and practices that can lead to data leakage in a work context.
Look at yours and your colleagues’ behaviour in your own environment, and identify
various confidential and personal information and how their own practices and habits
can cause data leakage.
Activity 3:
Collect information about various organisations that offer products and services in the
Data Leakage Prevention and Data Risk Management. Compare the two, note down and
present the various offerings, tools and their features, benefits and limitations.
Activity 4:
Find examples of data around yourself in your daily life that fall into these three
categories. State the risks of data leakage and its various sources.
Data at Rest
Data in Motion
Data in Use
UNIT IV
Information Security Policies,
Procedures, Standards and Guidelines
Lesson Plan
4.1. Information Security Policies
4.2. Key Elements of a Security Policy
4.3. Security Standards, Guidelines and Frameworks
4.4. Laws, Regulations and Guidelines
Lesson Plan

Performance Outcomes
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and
guidelines
PC11. comply with your organization's policies, standards, procedures and guidelines when
contributing to managing information security

Work Environment/ Lab Requirement
PCs/ tablets/ laptops
Availability of labs (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Networking equipment (routers & switches)
Firewalls and access points
Commercial tools like HP Web Inspect and IBM AppScan etc.
Open source tools like sqlmap, Nessus etc.

Performance Outcomes
You need to know and understand:
KA1. your organization's policies, procedures, standards and guidelines for managing information
security
KA2. your organization's knowledge base and how to access and update the same
KA4. the organizational systems, procedures and tasks/ checklists within the domain and how to use
these
KA12. your organization's information security systems and tools and how to access and maintain
these
KA13. standard tools and templates available and how to use the same
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Ensuring Measures
KA1. QA session and a descriptive write-up on understanding.
KA2. Group presentation and peer evaluation along with faculty.
KA4. Performance evaluation from faculty and industry with reward points.
KA12. Faculty and peer review.
KA13. Faculty and peer review.
KB1 - KB4. Group and faculty evaluation based on anticipated outcomes. Reward points to be
allocated to groups.

Work Environment/ Lab Requirement
PCs/ tablets/ laptops
Availability of labs (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Access to all security sites like ISO, PCI DSS, Center for Internet Security etc.
Security templates from ITIL & ISO
Lesson
Security policies are the foundation of your security infrastructure. Without them, you cannot protect
your company from possible lawsuits, lost revenue and bad publicity, not to mention basic security
attacks. A security policy is a document or set of documents that describes, at a high level, the security
controls that will be implemented by the company.
Policies are not technology specific and do three things for an organisation:
Organisations are giving more priority to the development of information security policies, since
protecting their assets is one of the most important things to consider. Lack of clarity in InfoSec
policies can lead to catastrophic damage from which there is no recovery. So an organisation makes
different strategies for implementing a security policy successfully. An information security policy
provides management direction and support for information security across the organisation.
Technical security policies: these include how technology should be configured and used.
Administrative security policies: these include how people (both end users and management)
should behave/ respond to security.
Information in an organisation will be both electronic and hard copy, and this information needs to be
secured properly against the consequences of breaches of confidentiality, integrity and availability.
Proper security measures need to be implemented to control and secure information from
unauthorised changes, deletions and disclosures. To find the level of security measures that need to
be applied, a risk assessment is mandatory.
Security policies are intended to define what is expected from employees within an organisation with
respect to information systems.
The objective is to guide or control the use of systems to reduce the risk to information assets. It also
gives the staff who are dealing with information systems an acceptable use policy, explaining what is
allowed and what is not. Security policies are not the same for all companies, but the key motive behind
them is to protect assets. Security policies are tailored to the specific mission goals.
A security policy should determine rules and regulations for the following systems:
Encryption mechanisms
Access control devices
Authentication systems
Firewalls
Anti-virus systems
Websites
Gateways
Routers and switches
Necessity of a security policy
It is generally impossible to accomplish a complex task without a detailed plan for doing so.
A security policy is that plan that provides for the consistent application of security principles
throughout your company. After implementation, it becomes a reference guide when matters of
security arise.
A security policy indicates senior management’s commitment to maintain a secure network, which
allows the IT staff to do a more effective job of securing the company’s information assets. Ultimately,
a security policy will reduce the risk of a damaging security incident. In the event of a security incident,
certain policies, such as an Incident Response Policy may limit your company’s exposure and reduce
the scope of the incident.
A security policy can provide legal protection to your company. By specifying to your users exactly
how they can and cannot use the network, how they should treat confidential information, and the
proper use of encryption, you are reducing your liability and exposure in the event of an incident.
Further, a security policy provides a written record of your company’s policies if there is ever a
question about what is and is not an approved act.
Security policies are often required by third parties that do business with your company as part of
their due diligence process. Some examples of these might be auditors, customers, partners and
investors. Companies that do business with your company, particularly those that will be sharing
confidential data or connectivity to electronic systems, will be concerned about your security policy.
Lastly, one of the most common reasons why companies create security policies today is to fulfill
regulations and meet standards that relate to security of digital information.
Once the security policy is implemented, it will be a part of day-to-day business activities. Security
policies that are implemented need to be reviewed whenever there is an organizational change.
Policy compliance can be monitored using monitoring solutions such as a SIEM, and violations of
security policies can then be dealt with seriously. There should also be a mechanism to report any
violations of the policy.
While developing these policies, it is obligatory to make them as simple as possible because complex
policies are less secure than simple ones. Security policies can be modified later, but that is not to
say that you can create a careless policy now and develop a perfect one some time later.
It is also mandatory to update the policy as the organisation's environment changes over time.
Policy updates also need to be communicated to all employees as well as to the person authorised
to monitor policy violations, as they may flag scenarios that the organisation has overlooked.
Management is responsible for establishing controls and should regularly review the status of
controls.
Below is a list of some of the security policies that an organization may have:
Change Control Policy: how changes are made to directories or the file server
Encryption Policy: how data are encrypted, the encryption method used etc.
Firewall Management Policy
Promiscuous Policy
Permissive Policy
Others
Acceptable Usage Policy (AUP) is the policy that one should adhere to while accessing the
network. Some of the assets that this policy covers are mobile, wireless, desktop, laptop and
tablet computers, email, servers, the internet etc. For each asset, we need to look at how we can
protect it and manage it, who is authorised to use and administer it, the accepted methods of
communication for it, etc.
Once a reasonable security policy has been developed, an engineer has to look at the country’s laws,
which should be incorporated in security policies. One example is the use of encryption to create a
secure channel between two entities. Some encryption algorithms and their levels (128,192) will not
be allowed by the government for a standard use. Legal experts need to be consulted if you want to
know what level of encryption is allowed in an area. This would become a challenge if security policies
are derived for a big organisation spread across the globe.
Some of the laws, regulations and standards used for policy definition include:
The PCI Data Security Standard (PCI DSS)
The Health Insurance Portability and Accountability Act (HIPAA)
The Sarbanes-Oxley Act (SOX)
The ISO family of security standards
The Gramm-Leach-Bliley Act (GLBA)
Policy Content
When developing content, many go about creating a policy exactly the wrong way. The goal is not to
create hundreds of pages of impressive looking information, but rather to create an actionable
security plan. The following guidelines apply to the content of successful IT security policies.
• A security policy should be no longer than absolutely necessary. Some believe that policies are more
impressive when they fill enormous binders or contain hundreds or even thousands of policies. These
types of policies overwhelm you with data, and are frequently advertised on the internet. But quantity
does not equal quality, and it is the sheer amount of information in those policies that makes them
useless. Brevity is of utmost importance.
• A security policy should be written in “plain English.” While, by nature, technical topics will be
covered, it is important that the policy be clear and understood by the target audience for that
particular policy. There is never room for “consultant speak” in a security policy. If there is a doubt,
the policy should be written so that more people can understand it rather than fewer. Clarity must be
a priority in security policies so that a policy isn’t misunderstood during a crisis or otherwise
misapplied, which could lead to a critical vulnerability.
• A security policy must be consistent with applicable laws and regulations. In some countries there
are laws that apply to a company’s security practices, such as those covering the use of encryption.
Some states have specific disclosure laws or regulations governing the protection of citizens’ personal
information, and some industries have regulations governing security policies. It is recommended that
you research and become familiar with any regulations or standards that apply to your company’s
security controls.
• A security policy should be reasonable. The point of this process is to create a policy that you can
actually use rather than one that makes your company secure on paper but is impossible to
implement. Keep in mind that the more secure a policy is, the greater the burden it places on your
users and IT staff to comply with. Find a middle ground in the balance between security and usability
that will work for you.
• A security policy must be enforceable. A policy should clearly state which actions are permitted and
which actions are in violation of the policy. Further, the policy should spell out enforcement options
when non-compliance or violations are discovered, and these must be consistent with applicable laws. A
security policy can be formatted to be consistent with your company’s internal documentation;
however, certain information should be placed on each page of the policy. At a minimum, this
information should include: policy name, creation date, target audience and a clear designation that
the policy is company confidential.
with Human Resources so that the policies can be included with any other HR documents that require
a user signature. No matter how well implemented, no policy will be 100% applicable for every
scenario, and exceptions will need to be granted. Exceptions, however, must be granted only in writing
and must be well documented. It should be made clear from the outset that the policy is the official
company standard, and an exception will only be granted when there is an overwhelming business
need.
After the security policy has been in place for some period, which can be anywhere from three months
to a year, the company’s information security controls should be audited against the applicable
policies. Make sure that each policy is being followed as intended and is still appropriate to the
situation. If discrepancies are found or the policies are no longer applicable as written, they must be
changed to fit your company’s current requirements. After the initial review process, you should
regularly review the security policy to ensure that it still meets your company’s requirements. Create
a process so that the policy is periodically reviewed by the appropriate persons. This should occur both
at certain intervals (e.g. once per year) and when certain business changes occur (e.g. the company
opens in a new location). This will ensure that the policy does not get “stale”, and will continue to be
a useful management tool for years to come. When changes need to be made, be sure to: update the
revision history section of the document to differentiate the new document from past versions; and
distribute any modified user level policies to your users. Clearly communicate the policy changes to
any affected parties.
COSO
The Foreign Corrupt Practices Act of 1977 (FCPA) is a law that requires any publicly traded company
to accurately document any transactions or monetary exchanges it is involved in (to prevent off-the-
books money transfers). Additionally, the law requires that a publicly traded company also have a
system of internal accounting controls to monitor fraud and abuse and test them through compliance
auditing. The Securities and Exchange Commission (SEC) provided little guidance on this law, and in
response a consortium of private organizations created the Treadway Commission to work out
what companies needed to do to comply with it.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985
to improve the accuracy of financial reports and to standardize on internal control methods to reduce
fraudulent reporting. COSO studied the problem and issued guidance about how to create an internal
controls framework that complies with the FCPA. The resulting document, called “Internal Controls:
Integrated Framework,” was published in 1994 and provided common language, definitions and
assessment methodologies for a company’s internal accounting controls. This COSO report is
considered the standard by which accounting auditors assess companies to ensure compliance with
the FCPA and SOX section 404.
The COSO report lists a few main concepts that guided the development of the COSO framework and
define what internal controls can and cannot do for an organization. These concepts show the
relationship between people and processes in respect to the effectiveness of controls, and they define
the principles with which to implement them:
Internal control is affected by people; it must be adopted through the organization and is not
simply a policy document that gets filed away.
An internal control can provide only reasonable assurance, not absolute assurance to the
management and board of a business. A control cannot ensure success.
The COSO internal controls framework consists of five main control components as seen in the figure
below. These controls are the foundation of the COSO framework and provide a means for auditors
to assess a company’s control efficiency, effectiveness, reliability of financial reporting and
compliance with the law.
[Figure: the five COSO control components, from the foundation upward: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring.]
COBIT
The COBIT framework was created by the Information Systems Audit and Control
Association (ISACA) and the IT Governance Institute (ITGI) as a response to the needs of the IT community
for a less generalized and more actionable set of controls for securing information systems. The ITGI
is a non-profit organization that leads the development of COBIT through committees consisting of
experts from universities, governments and auditors across the globe. The COBIT framework is a series
of manuals and implementation guidelines for creating a full IT governance, auditing and service
delivery program for any organization.
COBIT is not a replacement but an augmentation to COSO, and maps directly to COSO from an IT
perspective. Although COSO covers the whole enterprise from an accounting perspective, it does so
by providing high level objectives that require the business to figure out how to accomplish them.
COBIT on the other hand, works with COSO by fully detailing the necessary controls required and how
to measure and audit them. The built-in auditable nature of COBIT is why it has become one of the
leading IT governance frameworks as it gets as close as can be expected to a turnkey governance
program. COBIT does not dig down into the actual tasks and procedures however, which necessitates
using other sources to develop standards and procedures for implementing the controls. In other
words, COBIT won’t tell you the best way to configure AES encryption for your wireless infrastructure,
but it will provide you with a mechanism for identifying where and why you need to apply it based on
risk.
The role of COBIT in IT governance is to provide a model that takes the guesswork out of how to bridge
the gap between business and IT goals. COBIT considers business the customer of IT services. Business
requirements (needs) ultimately drive the investment in IT resources, which in turn need processes
that can deliver enterprise information back to the business. At the foundation of COBIT is the cyclical
nature of business needing information and IT delivering information services.
Information is what IT provides to the business and COBIT defines the following seven control areas
as business requirements for information:
Reliability of information: data correctly represents the state of the business and transactions.
IT resources in COBIT are the components of information delivery and represent the technology,
people and procedures used to meet business goals. Resources are divided into four areas:
Measurement of each process and control is accomplished through a Maturity Model. The COBIT
Maturity Model is based on the Capabilities Maturity Model pioneered by Carnegie Mellon’s Software
Engineering Institute (SEI). The Capabilities Maturity Model was designed as a tool for ensuring quality
software development. COBIT has modified the model to deliver a measurement and tracking tool
that identifies the current state of adoption (maturity level) for each process so as to compare an
organization’s execution with industry averages and business targets. This helps management identify
where the company’s performance is in relation to its peers and provides a path to improve with
specific and prescriptive steps used to get there.
The COBIT Maturity Model scale provides the following measurements:
COBIT Maturity Scale
0 Non-existent: Not performed.
1 Initial/Ad hoc: Process is chaotic, not standardized and done case by case.
2 Repeatable: Relies on individual knowledge, with no formal training and only intuitive process management.
3 Defined process: Standardized and documented processes, with formal training to communicate standards.
4 Managed: Processes are monitored and checked for compliance by management; measurable processes are reviewed for improvement, with limited automation.
5 Optimized: Processes are refined and compared with others based on maturity; processes are automated through workflow tools to improve quality and effectiveness.
Using COBIT requires customization to better align with the company implementing it. COBIT is not
designed as a governance strategy in a box, but as a reference for building a process focused system,
utilizing international standards and good practices. Companies still need to determine a risk
management methodology and build out a technical infrastructure to automate the various COBIT
processes identified. COBIT’s real value is in providing the management, measurement and
organizational glue to tie these functions together.
IT auditors like to use COBIT mainly because it creates a well-documented set of processes and
controls that can be assessed along with the metrics and requirements for each control. COBIT’s
usefulness is also apparent when the organization under audit does not use COBIT as a governance
framework because an auditor can build checklists and plan audits based on COBIT to ensure that all
aspects of the IT process are performed. COBIT is also an invaluable resource when writing the audit
report because it allows the auditor to justify and compare his findings to a well-respected standard.
ITIL
The Information Technology Infrastructure Library (ITIL) provides documentation of best practices
for IT Service Management. ITIL was created in the late 1980s by Great Britain’s Office of Government
Commerce to standardize Britain’s government agencies and to follow security best practices. A study
was conducted and generated a significant amount of information (roughly 40 books) that became
known as ITIL. The books were revised and consolidated in 2004 and became a series of eight books
focused on IT services management. This version 2 of ITIL became popular among organizations
looking for an internationally recognized, proactive framework for managing IT services, reducing cost
and improving quality. Version 3 of ITIL was released in June 2007 to refresh the core service and
support delivery material that many companies have implemented, and to move the ITIL framework
towards a life cycle model that includes management of all lifecycle services provided by IT. The five
books that make up Version 3 are:
Service Strategy: This book is the foundation for the others by defining business to IT alignment,
value to business, services strategy and service portfolio management.
Service Design: Focused on the design of IT processes, policies and architectures. Includes service
level management, capacity management, information security management and availability
management.
Service Transition: Covers moving from the design phase to production business services and
change management. It also includes service asset and configuration management, service
validation and testing, evaluation and knowledge management.
Service Operation: Provides information on the day-to-day support of production systems. This
includes service delivery and services support, service desk design, application management,
problem management and technical management.
Continual Service Improvement: This book covers service improvements and service retirement
strategies.
ITIL is primarily about delivering IT as a service and the lifecycle of service development,
implementation, operation and management. ITIL is used by companies for overall management of IT
and also for managing security processes. Auditing an ITIL shop requires that the auditor understand
the basics of ITIL to speak the same language. ITIL also works well with COBIT as a means for fleshing
out the service delivery of each process. The ITGI even creates a mapping between COBIT and ITIL for
organizations that want to utilize the two standards. ITIL also meets the criteria for ISO 20000, which
means that it can be used to achieve international certification. Whether a company chooses to go
for certification or not, ITIL gives guidance about how to move from a reactive to a proactive approach
to managing IT and security as a service.
ISMS: Establish the ISM, implement and operate, monitor and review, maintain and improve
documentation requirements, control documents and records.
The Deming Cycle is simple yet powerful, and ISO 27001 applies it to security management in the
following manner:
Step 1. Plan: Establish the ISM according to the policies, processes and objectives of the
organization to manage risk.
Step 2. Do: Implement and operate the ISM.
Step 3. Check: Audit, assess and review the ISM against policies, objectives and experiences.
Step 4. Act: Take action to correct deficiencies identified for continuous improvement.
ISO 27001 provides guidance for setting up an ISMS and an excellent checklist for assessing
compliance with the standard by specifying what controls need to be in place. An organization can be
certified through an approved assessment and registration organization as being in compliance with
27001. There are over 3,000 companies certified against ISO 27001. Many companies choose
certification as a mechanism to “prove” their competence in building an information security program,
but also because certification provides proof for SOX and other legal compliance frameworks that the
company has met the requirements of those laws. The other benefit of ISO 27001 is its global
acceptance as an accepted standard that is required for conducting business with some companies,
which can provide a unique business opportunity for a company that goes down the path of
certification.
The second ISO standard is ISO 27002:2005 Security Techniques Code of Practice, which consists of
international best practices for securing systems. This standard provides best practice information
about everything from Human Resources security needs to physical security and it represents the
detailed implementation requirements for ISO 27001.
ISO 27002 is full of good high level information that can be used as a source document for any
generalized audit or assessment. It consists of security controls across all forms of data
communication, including electronic, paper and voice (notes tied to pigeons are not included).
The twelve areas covered in ISO 27002:2005 are:
Intro to information security management
Risk assessment and treatment
Security policy
Organization of information security
Asset management
Human Resources security
Physical security
Communications and ops management
Access control
Information systems acquisition, development and maintenance
Information security incident management
Business continuity
Compliance
The ISO standards define a solid benchmark for assessing a company’s information security practices,
but as with most high level control documents, they don’t give the auditor details about security
architecture or implementation guidance. 27002 is a great internationally recognized standard to
refer back to for control requirements in an audit report or findings document, and makes excellent
source material for an auditor’s checklist.
NIST
The National Institute of Standards and Technology (NIST) is a federal agency of the United States
government, tasked with helping commerce in the U.S. by providing weights and measurements,
materials references and technology standards. If you have configured your computer to synchronize its
time with an atomic clock source on the internet, then you have used a NIST service. NIST
also provides reference samples of over 1,300 items, including cesium 137, peanut butter and oysters.
The division within NIST that is most interesting from an information security standpoint is the Computer
Security Resource Center (CSRC), which is the division tasked with creating information security
standards.
The CSRC is currently directed by the United States Congress to create standards for information
security in response to laws such as the Information Technology Reform Act of 1996, the Federal
Information Security Management Act of 2002 (FISMA) and HIPAA. Although FISMA is a federal law
and not enforceable in the private sector, private companies can reap the benefits of the many
excellent documents NIST has created for FISMA compliance.
Federal Information Processing Standards Publications (FIPS) standards are a series of standards that
government agencies must follow by law according to FISMA. FIPS standards include encryption
standards, information categorization and other requirements. FIPS also mandates standards for
technology through a certification program. Hardware and software involved in encrypting data via
AES for example, must be FIPS 140-2 (level 2) compliant to be used by the federal government.
The NIST Special Publications (800 series documents) are a treasure trove of good information for
auditors, systems administrators and security practitioners of any size company. These documents
give guidance and provide specific recommendations about how to address a wide range of security
requirements. These documents are created by academic researchers, security consultants and
government scientists. They are reviewed by the security community through a draft process that
allows anyone to provide comments and feedback on the documents before they are made standards.
The documents are also revised on a regular basis as new technologies become adopted.
Table below provides a list of some of the most widely used NIST 800 series documents. This list is not
exhaustive, and there are new documents added all of the time, so check the NIST website on a regular
basis for updates and new drafts.
The Cyber Security Research and Development Act of 2002 requires that NIST develop checklists to
help minimize the security risks of hardware and software used by the federal government. These
checklists show detailed configurations of many hardware and software platforms including Cisco. SP
800-70 outlines the format, goals, and objectives of the checklists and how to submit a checklist if you
build one that you would like to share. NIST provides these checklists in Security Content Automation
Protocol (SCAP) format, and can be loaded into a SCAP validated scanner for automated auditing.
There are a number of scanning vendors that support SCAP such as Qualys and Tenable (Nessus
Scanner). For a complete list of scanning vendors and downloadable checklists, visit
http://checklists.nist.gov.
Centre for Internet Security
The Centre for Internet Security (CIS) is a not-for-profit group dedicated to creating security best
practices and configuration guidance for companies to help reduce the risk of inadequately securing
corporate systems. CIS provides peer-reviewed configuration guides and templates that
administrators and auditors can follow when securing or testing the security of a target system. These
guides are well written and provide a sufficient level of detail down to the actual configuration level
to use as a checklist while also explaining why the particular configuration option needs to be
implemented.
CIS refers to its best practice documents as benchmarks and has two categories:
Level 1 benchmarks define the minimum level of security that needs to be configured, and that any
skilled administrator can implement.
Level 2 benchmarks focus on particular applications of security based on the type of system or
manner in which the system is used. Proper security depends on understanding risk, which
determines at what level you need to protect an asset. Laptops, for example, have a different risk
profile than servers, which are explored in the Level 2 benchmark section in detail.
The CIS benchmarks are often used for configuration level auditing of technology for proper
implementation of security features and good defensive practices. Many compliance laws dictate high
level controls, but never go into the details of how to actually perform the tasks necessary. These
benchmarks developed by CIS help to fill in the blanks when auditing for compliance through
consensus-validated device configuration recommendations. CIS also makes available automated
assessment tools that leverage these benchmarks. CIS benchmarks can be found at
www.cisecurity.org.
NSA
The National Security Agency (NSA) has been responsible for securing information and information
assurance since it began in 1952. As a component of the U.S. Department of Defense, the NSA is
typically known for its cryptology research and cryptanalysis of encrypted communications. The NSA
created the DES encryption standard, which was (and, in the form of 3DES, still is) the most commonly
deployed encryption technique until it was replaced by AES.
Although the NSA’s mission is to keep government communications private, it has also shared a
significant amount of computer security research in the form of configuration guides on hardening
computer systems and network infrastructure equipment. Through research conducted by the
Information Assurance Department of the NSA, a series of security configuration guides have been
posted to help the public better secure computers and networks.
These guides cover:
Applications
Database servers
Operating systems
Routers
Supporting documents
Switches
VoIP and IP telephony
Vulnerability reports
Web servers and browsers
Wireless
Auditors are free to use these configuration guidelines when examining security controls. They make
a great resource and are updated as new technologies and applications are studied. You can find the
guides at http://www.nsa.gov/ia/index.cfm.
DISA
The Defense Information Systems Agency (DISA) is a component of the U.S. Department of Defense
that is charged with protecting military networks and creating configuration standards for military
network deployments. DISA provides a number of useful configuration checklists for a wide variety of
information system technologies. Security Technical Implementation Guides (STIGs) are great source
material for security configuration assessments and are highly recommended as a tool for any auditor
looking for vetted configuration recommendations. While STIGs are written with military auditors in
mind, they are easy to read and include justification for the configuration requirements and what
threats are mitigated. You can access the current list of STIGs at
http://iase.disa.mil/stigs/stig/index.html.
SANS
The SANS (SysAdmin, Audit, Network, Security) Institute is by far one of the best sources of free
security information available on the Internet today. Established in 1989 as a security research and
education organization, it has become a source of training and knowledge that shares information
about security for hundreds of thousands of individuals across the globe. The SANS website has
something for everyone involved in information security, from the CIO to the hard-core security
technologists and researchers.
SANS is in the business of security education and delivers training events, conferences, and webcasts.
It offers an extensive array of technical security and management tracks covering everything from
incident handling and hacking to creating security policies. SANS security training conferences are the
most common venue for a student attending these courses, but many are also offered through on-
demand web training and self-study. Each of these courses also offers an opportunity to test for
certification through the GIAC organization (a separate entity that governs the certification and testing
process for SANS). For those students who want a more traditional education process, SANS is
accredited in the state of Maryland to grant master’s degrees in information assurance and
management.
Although SANS focuses on training, it also provides a wealth of free security information as part of its
mission to use knowledge and expertise to give back to the Internet community.
SANS offers the following free services and resources that are perfect for auditors and security
professionals to use to gain insight into new issues and understanding technical security controls:
SANS reading room: The reading room consists of over 1,600 computer security whitepapers
from vendors and research projects written by SANS students going for GIAC Gold certification.
There are a wide range of topic categories, ensuring you will find something relevant to what
you are looking for from best practices to configuration guidance.
SANS Top 20: SANS Top 20 is a list of the top 20 vulnerabilities in operating systems and
applications that hackers attack. This information is updated yearly by a large panel of security
experts, and it provides auditors and security practitioners with a good list of high-risk areas
they need to ensure are addressed. Although this list is good, it doesn’t cover the latest threats,
so it should not be used as a checklist, but rather as a tool to focus your efforts.
SANS security policy samples: If you are looking for sample security policies, this resource is a
goldmine. All of the policies represented are free for use, and in some cases, you can simply
insert the business’s name. These policy templates cover a wide range of security functional
areas and are added to on a regular basis. It is important to note that security policies are
serious documents and require that legal departments and HR departments be involved in their
adoption.
SANS newsletters: SANS provides a number of newsletters available as e-mails or RSS feeds that
you can subscribe to. Many topics are present, including one focused on auditing (SANS
AuditBits).
Internet Storm Center: The Internet Storm Center is a group of volunteer incident handlers who
analyze suspicious Internet traffic from across the globe. They look at packet traces to
determine if a new virus, worm, or other attack vectors have popped up in the wild. The ISC
also compiles attack trend data and the most frequently attacked ports. Incident handlers are
always “on duty,” and you can read their notes as they go about analyzing attacks.
SCORE: SCORE is a joint project with the CIS to create minimum standards of configuration for
security devices connected to the Internet. These checklists are available for free and provide
sound guidance about necessary technical controls.
Intrusion Detection FAQ: The Intrusion Detection FAQ is a fantastic resource for better
understanding how to identify an attack on your network. FAQs cover the basics of intrusion
detection, details about tools to use, and a detailed analysis of sample attacks.
The SANS website should be considered mandatory reading for auditors who want to better
understand the tools and techniques attackers use to break into systems. Having all of this
knowledge in a single place is useful as auditors tailor their checklists and audit criteria to address
current events and attacks.
ISACA
If you are involved in security auditing to any degree, you undoubtedly have heard of the Information
Systems Audit and Control Association (ISACA). ISACA is the largest association of IT auditors in
existence with over 65,000 members across the world. Many of the auditing techniques and security
governance processes used to audit IT today have been compiled and standardized by ISACA. Over
50,000 people have earned the Certified Information Systems Auditor certification (CISA),
demonstrating knowledge in auditing. The Certified Information Systems Manager (CISM) is also
offered to test IT governance and management expertise.
ISACA is more than just a certification granting organization. In addition to establishing the IT
Governance Institute and developing COBIT, they have created the de-facto standards guide for
assessing and auditing IT controls. The IS standards, guidelines and procedures for auditing and
control professionals are regularly updated and reviewed to provide the auditing community with
standards, guidelines and procedures for conducting audits.
The auditing guide includes:
Standards of IS auditing: This section includes code of conduct for professional auditors,
auditing process from planning to follow up and various other standards for performing audits.
Auditing guidelines: This section provides information on how to conduct audits while following the
standards of IS auditing.
Auditing procedures: This section provides details on how to audit various types of systems and
processes, providing a sample approach to testing controls such as firewalls and intrusion
detection systems.
The IT Assurance Guide to using COBIT is another excellent resource for how to conduct an audit
using COBIT as the governance framework. Regardless of whether or not the company being
audited uses COBIT, the guide describes how to leverage the controls identified by COBIT and
apply those to the audit process. This enables an auditor to follow a well-documented
framework to ensure that no major areas are missed.
ISO 27003
ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and implementation
of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It
describes the process of ISMS specification and design from inception to the production of
implementation plans. It describes the process of obtaining management approval to implement an
ISMS, defines a project to implement an ISMS (referred to in ISO/IEC 27003:2010 as the ISMS project),
and provides guidance on how to plan the ISMS project, resulting in a final ISMS project
implementation plan.
ISO 27004
ISO/IEC 27004 concerns measurements relating to information security management. These are
commonly known as ‘security metrics’ in the profession. The standard is intended to help
organizations measure, report on and hence systematically improve the effectiveness of their
Information Security Management Systems. It “provides guidance on the development and use of
Network security controls like firewalls can block traffic from selected IP addresses or prevent users
from accessing specific websites. Built-in data archiving modules attached to routers or network
connections automatically save all email messages, creating an instant record of communications
available if the main email server goes down or if messages are deleted by unauthorized parties.
ISO 13335-2
ISO 13335-2 originally contained the ISO’s guidance on ICT security. The 1990s version of the standard
was broken up into ISO 13335-1 and 13335-2. The ICT security recommendations in ISO 13335-2 were
incorporated into ISO 13335-1 in the 2004 update of the standard.
ISO 13335-3
ISO 13335-3 was originally the guidelines for managing IT security. ISO standard 13335-3 has been
replaced by ISO 27005. In essence, what was ISO 13335-3 is now part of ISO 27005.
ISO 13335-4
ISO 13335-4 outlined the ISO recommended practices of selecting technical security controls or IT
safeguards. ISO 13335-5 has also been replaced with ISO 27005.
ISO 13335-5
ISO 13335-5 was originally a set of guidelines on network security. ISO 13335-5 was replaced with ISO
18028-1 in 2006. ISO 18028-1 has since been revised by ISO 27033-1, released in 2009.
ISO 27005
ISO 27005 replaced several sections of the original ISO 13335 standard. ISO 27005 describes how
organizations define their context, the areas for which they are responsible. Risks are identified and
the severity of each risk is estimated during risk analysis. During risk treatment, the
organization decides whether to accept the risk, mitigate its effects or work to prevent the risk from
occurring. During risk monitoring, the group monitors the risks to the network. Some risks may
disappear as more security hardware is installed while others may grow due to user complacency or
evolving security threats. For example, the risk that a server’s compromise would shut down a
business is reduced when an off-site backup server is created with hot backups of the organization’s
data. If the main server is compromised and is removed from the network to prevent hackers from using
it to access other areas, the business simply switches over to the remote backup server and keeps going.
ISO Standard 24762 for Technical Disaster Recovery
ISO/IEC 24762:2008 provides guidelines on the provision of information and communications
technology disaster recovery (ICT DR) services as part of business continuity management, applicable
to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services.
ISO/IEC 24762:2008 specifies:
o the requirements for implementing, operating, monitoring and maintaining ICT DR services and
facilities
o the capabilities which outsourced ICT DR service providers should possess and the practices they
should follow so as to provide basic secure operating environments and facilitate organizations'
recovery efforts
o the guidance for ICT DR service providers to continuously improve their ICT DR services
ISO Standard for BCM – 22301
ISO 22301 is a management systems standard for BCM which can be used by organizations of all sizes
and types. These organizations will be able to obtain accredited certification against this standard and
so demonstrate to legislators, regulators, customers, prospective customers and other interested
parties that they are adhering to good practice in BCM. ISO 22301 also enables the business continuity
manager to show top management that a recognized standard has been achieved.
While ISO 22301 may be used for certification and therefore includes rather short and concise
requirements, describing the central elements of BCM, a more extensive guidance standard (ISO
22313) is being developed to provide greater detail on each requirement in ISO 22301.
ISO 22301 may also be used within an organization to measure itself against good practice, and by
auditors wishing to report to management. The influence of the standard will therefore extend well
beyond those organizations that simply choose to be certified against it.
ISO/IEC 27031 provides guidance on the concepts and principles behind the role of information and
communications technology in ensuring business continuity.
The standard:
o Suggests a structure or framework (actually a set of methods and processes) for any organization –
private, governmental and non-governmental.
o Identifies and specifies all relevant aspects including performance criteria, design and implementation
details for improving ICT readiness as part of the organization’s ISMS, helping to ensure business
continuity.
o Enables an organization to measure its ICT continuity, security and hence readiness to survive a
disaster in a consistent and recognized manner.
IEEE Standards
IEEE has standardization activities in the network and information security space and in anti-malware
technologies, including in the encryption, fixed and removable storage and hard copy devices areas as
well as applications of these technologies in smart grids.
Encryption approved standards:
o IEEE Std 1363-2000 IEEE Standard Specifications for Public-Key Cryptography [Also 1363a-2004]
o IEEE Std 1363.1-2008 IEEE Standard Specification for Public-Key Cryptographic Techniques
Based on Hard Problems over Lattices
o IEEE Std 1363.2-2008 IEEE Standard Specification for Password-Based Public Key
Cryptographic Techniques
ISO 17799
ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing,
maintaining and improving information security management in an organization. The objectives
outlined provide general guidance on the commonly accepted goals of information security
management.
ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas
of information security management:
o security policy
o organization of information security
o asset management
o human resources security
o physical and environmental security
o communications and operations management
o access control
o information systems acquisition, development and maintenance
The standard has ten domains, which address key areas of Information Security Management.
1. Information security policy for the organization
This activity involves a thorough understanding of the organization business goals and its
dependence on information security. This entire exercise begins with creation of the IT security
policy. This is an extremely important task and should convey total commitment of top
management. The policy cannot be a theoretical exercise. It should reflect the needs of the actual
users. It should be implementable, easy to understand and must balance the level of protection
with productivity. The policy should cover all the important areas like personnel, physical,
procedural and technical.
2. Creation of information security infrastructure
A management framework needs to be established to initiate, implement and control information
security within the organization. This needs proper procedures for approval of the information
security policy, assigning of the security roles and coordination of security across the organization.
3. Asset classification and control
One of the most laborious but essential tasks is to manage an inventory of all the IT assets, which
could be information assets, software assets, physical assets or other similar services. These
information assets need to be classified to indicate the degree of protection required. The classification
should result in appropriate information labelling that indicates whether an asset is sensitive or critical
and which procedures are appropriate for copying, storing, transmitting or destroying the
information asset.
4. Personnel security
Human errors, negligence and greed are responsible for most thefts, frauds or misuse of facilities.
Various proactive measures that should be taken are: creation of personnel screening policies,
confidentiality agreements, terms and conditions of employment and information security
education and training.
Alert and well-trained employees who are aware of what to look for can prevent future security
breaches.
5. Physical and environmental security
Designing a secure physical environment to prevent unauthorized access, damage and
interference to business premises and information is usually the beginning point of any security
plan. Typical activities include creating a physical security perimeter and entry controls; securing
offices, rooms and facilities; providing physical access controls and protection devices to minimize
risks ranging from fire to electromagnetic radiation; and providing adequate protection to power
supplies and data cables. Cost-effective design and constant monitoring are two key
aspects of maintaining adequate physical security control.
6. Communications and operations management
Properly documented procedures for the management and operation of all information
processing facilities should be established. This includes detailed operating instructions and
incident response procedures.
Network management requires a range of controls to achieve and maintain security in computer
networks. This also includes establishing procedures for remote equipment including equipment
in user areas. Special controls should be established to safeguard the confidentiality and integrity
of data passing over public networks. Special controls may also be required to maintain the
availability of the network services.
Exchange of information and software between external organizations should be controlled and
should be compliant with any relevant legislation. There should be proper information and
software exchange agreements. The media in transit need to be secured and should not be
vulnerable to unauthorized access, misuse or corruption.
Electronic commerce involves electronic data interchange, electronic mail and online transactions
across public networks such as the Internet. Electronic commerce is vulnerable to a number of
network threats that may result in fraudulent activity, contract disputes and disclosure or
modification of information. Controls should be applied to protect electronic commerce from such
threats.
7. Access control
Access to information and business processes should be controlled based on the business and security
requirements. This will include defining the access control policy and rules; user access management;
user registration; privilege management; user password use and management; review of user
access rights; network access controls; an enforced path from user terminal to computer; user
authentication; node authentication; segregation of networks; network connection control;
network routing control; operating system access control; user identification and authentication;
use of system utilities; application access control; monitoring of system access and use; and ensuring
information security when using mobile computing and tele-working facilities.
8. System development and maintenance
Security should ideally be built at the time of inception of a system. Hence security requirements
should be identified and agreed prior to the development of information systems. This begins with
security requirements analysis and specification and providing controls at every stage i.e. data
input; data processing; data storage and retrieval and data output. It may be necessary to build
applications with cryptographic controls. There should be a defined policy on the use of such
controls, which may involve encryption; digital signature; use of digital certificates; protection of
cryptographic keys and standards to be used for cryptography.
A strict change control procedure should be in place to facilitate tracking of changes. Any changes
to operating systems or software packages should be strictly controlled. Special precaution
must be taken to ensure that no covert channels, back doors or Trojans are left in the application
system for later exploitation.
9. Business Continuity Management
A business continuity management process should be designed, implemented and periodically
tested to reduce the disruption caused by disasters and security failures. This begins by identifying
all events that could cause interruptions to business processes and depending on the risk
assessment, preparation of a strategy plan. The plan needs to be periodically tested, maintained
and re-assessed based on changing circumstances.
10. Compliance
It is essential that strict adherence is observed to the provisions of national and international IT
laws pertaining to Intellectual Property Rights (IPR), software copyrights, safeguarding of
organizational records, data protection and privacy of personal information, prevention of misuse
of information processing facilities, regulation of cryptographic controls and collection of
evidence.
Information Technology’s use in business has also resulted in enacting of laws that enforce
responsibility of compliance. All legal requirements must be complied with to avoid breaches of any
criminal and civil law, statutory, regulatory or contractual obligations and of any security
requirements.
BS 7799 (ISO 17799) and its relevance to Indian companies:
Although Indian companies and the Government have invested in IT, the facts about theft and attacks on
Indian sites and companies are alarming. The number of attacks and thefts on corporate websites is
high, and they are usually kept under "strict" secrecy to avoid embarrassment in front of business partners,
investors, media and customers.
Huge losses sometimes go un-audited, and the only solution is to adopt a model that provides
a long-run, business-led approach to Information Security Management.
BS 7799 (ISO 17799) consists of 127 best security practices (covering the 10 domains discussed
above) which Indian companies can adopt to build their security infrastructure. Even if a company
decides not to go in for certification, the BS 7799 (ISO 17799) model helps companies maintain IT security
through ongoing, integrated management of policies and procedures, personnel training, selecting
and implementing effective controls, and reviewing their effectiveness and improvement. Additional
benefits of an ISMS are improved customer confidence, a competitive edge, better personnel
motivation and involvement, and reduced incident impact. Ultimately, this leads to increased profitability.
activities. IEEE, pronounced "Eye-triple-E," stands for the Institute of Electrical and Electronics
Engineers.
Electronic Industries Association
The Electronic Industries Association (EIA) comprises individual organizations that together have
agreed on certain data transmission standards such as EIA/TIA-232 (formerly known as RS-232). The
Electronics Industries Alliance (EIA) is an alliance of trade organizations that lobby in the interest of
companies engaged in the manufacture of electronics-related products.
National Center for Standards and Certification Information (NIST)
This entry refers to the National Institute of Standards and Technology (NIST). Founded in 1901 and now part of the U.S.
Department of Commerce, NIST is one of the nation's oldest physical science laboratories. The US Congress
established the agency to remove a major handicap to U.S. industrial competitiveness at the time.
Today, NIST measurements support the smallest of technologies—nanoscale devices so tiny that tens
of thousands can fit on the end of a single human hair—to the largest and most complex of human-
made creations, from earthquake-resistant skyscrapers to wide-body jetliners to global
communication networks. The National Centre for Standards and Certification Information provides
research services on standards, technical regulations and conformity assessment procedures for non-
agricultural products. The Centre is a central repository for standards-related information in the
United States and has access to U.S., foreign and international documents and contact points through
its role as the U.S. national inquiry point under the World Trade Organization Agreement on Technical
Barriers to Trade. The Program maintains a database on NIST and Department of Commerce staff
participation in standards developing activities.
World Wide Web Consortium (W3C)
The World Wide Web Consortium (W3C) is an international community where Member organizations,
a full-time staff, and the public work together to develop Web standards. Led by Web inventor Tim
Berners-Lee and CEO Jeffrey Jaffe, W3C's mission is to lead the Web to its full potential.
Vision
W3C's vision for the Web involves participation, sharing knowledge, and thereby building
trust on a global scale.
India
India’s Ministry of Communications and Information Technology (“Department of Information
Technology”) has implemented the Information Technology (Reasonable security practices and
procedures and sensitive personal data or information) Rules, 2011 (“Privacy Rules”). Clarifications to
the Privacy Rules were issued via Press Note by the Ministry. India’s enabling legislation is India’s
Information Technology Act 2000 (the “Act”). While India continues to adhere to the Information
Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or
Information) Rules, 2011 (Rules) enacted in 2011, the Centre for Internet and Society presented a new
Privacy (Protection) Bill, 2013 (Bill), on September 30, 2013. The Bill seeks to further refine provisions
of the Rules, with a focus on protection of personal data through limitations on use and requirements
for notice. The collection of personal data would be prohibited unless “necessary for the achievement
of a purpose of the person seeking its collection,” and, subject to sections 6 and 7 of the Bill, “no
personal data may be collected under this Act prior to the data subject being given notice, in such
form and manner as may be prescribed, of the collection.” The Bill acknowledges the collection of data
with and without consent; the regulation of personal data storage, processing, transfer, and security;
and discusses the different types of disclosure.
http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf
http://pib.nic.in/newsite/erelease.aspx?relid=74990
http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan010239.pdf
Data Protection Authority and Registration Requirements
No specific data protection authority exists, but the Privacy Rules state that in the case of a breach,
a “Body Corporate,” as defined under the Act, must answer to “the agency mandated under the
law” (presumably, the Ministry).
There are no registration requirements for the collection of data. However, the Data Security
Council of India (the “DSCI”) provides a certification service by which organizations within India
may become “DSCI Privacy Certified.”
Protected Personal Data
Personal information is defined as any information that relates to a natural person, which, either
directly or indirectly, in combination with other information available or likely to be available with a
corporate entity, is capable of identifying such person.
Sensitive personal data or information is defined as “personal information” which consists of
information relating to any of the following: passwords; financial information such as bank account or
credit card or debit card or other payment instrument details; physical, physiological and mental
health condition; sexual orientation; medical records and history; biometric information; any detail
relating to any of the above as provided to a corporate entity for providing service; and any of the
information received under the above by a corporate entity for processing, stored or processed under
lawful contract or otherwise. Data or information is not sensitive and personal if it is available in the
public domain or furnished under the Right to Information Act of 2005.
Data Collection and Processing
The Privacy Rules apply to data collection, but do not define processing.
The Privacy Rules require a Body Corporate that collects, receives, possesses, stores, deals with, or handles
sensitive or personal data to provide a privacy policy for handling of such data and ensure that the
policies are available for view by the data subjects who have provided the information under contract.
The policy shall provide for:
o clear and easily accessible statements of its practices and policies;
o the type of personal or sensitive personal data or information collected;
o the purpose of collection and usage of such information;
o the disclosure of information including sensitive personal data or information; and
o reasonable security practices and procedures.
Data may be collected and processed when all of the following conditions are met:
o the data subject has provided written consent and is aware at the time of collection that the
information is being collected, the purpose of collection, the intended recipients of the
information, and the name and address of the agency that is collecting and will retain the
information;
o the data subject has been provided with the option not to provide its sensitive personal data
or information;
o the data subject is permitted to withdraw his/her consent, in writing, at any time;
o the information is collected for a lawful purpose connected with a function or activity of the
body corporate or any person on its behalf; and
o the collection of the sensitive personal data or information is considered necessary for that
lawful purpose.
Data Transfer
Disclosure of data to a third party requires prior permission of the data subject, whether the
information is provided under contract or otherwise, except in the following situations:
Data Security
A Body Corporate is required to implement reasonable security practices and procedures. The Privacy
Rules indicate that reasonable practice methodologies include IS/ISO/IEC 27001 or other measures
that have been pre-approved by the central government and are subject to annual audits by a central
government approved auditor.
Breach Notification
There is no mandatory requirement to report data security breach incidents under the Privacy Rules.
Other Considerations
Data retention rules state that information should not be retained longer than is required for the
purposes for which the information may lawfully be used or is otherwise required under any other
law.
A clarification to the Privacy Rules stating that a “Body corporate providing services relating to
collection, storage, dealing or handling of sensitive personal data or information under contractual
obligation with any legal entity located within or outside India is exempt from the requirement to
obtain consent” was issued via Press Note by the Department of Information and Technology.
Accordingly, outsourcing service providers in India should be exempt from obtaining consent from the
individuals whose data they process.
Enforcement & Penalties
A corporate entity may be liable for up to Rs. 50,000,000 for the negligent failure to implement and
maintain reasonable practices and procedures, causing wrongful loss or gain.
International Directory of laws:
This directory includes laws, regulations and industry guidelines with significant security and privacy impact
and requirements. This is largely USA focused but used by International agencies as a reference point.
Broad laws:
o Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule;
o Federal Rules of Civil Procedure (FRCP);
o Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records;
o The Health Information Technology for Economic and Clinical Health Act (HITECH);
o Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule);
Summary
A security policy is a document or set of documents that describes, at a high level, the security
controls that will be implemented by the company
There are two types of basic security policies: Technical security policies and Administrative
security policies.
Key Elements of Security Policy
o Overview – Background information of what issue the policy addresses.
o Purpose – Why the policy is created.
o Scope – To what areas this policy covers.
o Targeted Audience – Tells to whom the policy is applicable.
o Policy – A good description of the policy.
o Definitions – A brief introduction of the technical jargon used inside the policy.
o Version – A version number to control the changes made to the document.
Auditing the security governance practices of a company requires understanding how the
organization manages the processes and procedures that make up its security program and
compare those aspects to recognized governance frameworks.
The COSO internal controls framework consists of five main control components
o Control Environment
o Risk Assessment
o Control Activities
o Information and Communication
o Monitoring
The role of COBIT in IT governance is to provide a model that takes the guesswork out of how
to bridge the gap between business goals and IT goals.
ITIL is used by companies for overall management of IT and also for managing security processes
as well.
Standards and best practices can help the auditor distinguish good security designs from bad
and provide reference architectures to compare against.
Various standards include:
o ISO 27000 Series of Standards
o NIST
o Center for Internet Security
o NSA
o DISA
o SANS
o ISACA
o ISO 27003
o ISO 27004
o ISO/IEC 13335 (IT Security Management)
o ISO 27005
o ISO Standard 24762 for Technical Disaster Recovery
o ISO Standard for BCM – 22301
o IEEE Standards
o ISO 17799
o BS 7799 (ISO 17799)
Practical activities:
Activity 1:
Work in groups and collate various security policies available across various
organizations. Categorize various policies and highlight the differences between these
based on context including sector, size of organization, types of information or data they
possess, country, etc.
Compile a list of components that are similar across policies. Discuss why you think
these elements are similar or dissimilar and what the impact of the variances is.
Activity 2:
Work in groups and research the various data security standards that are available.
Categorize the various standards based on the area they pertain to.
Present key highlights of a selected standard. Discuss why standards are important, why
these standards have credibility and legitimacy. Think about what is the composition of
the standard setting body and who are their members or patrons.
Activity 3:
Develop a set of standards for various aspects of your student life and education; make
a plan for advocacy and promotion of these standards so that more and more people
adopt them. List the key imperatives and challenges for the successful adoption and
recognition of your proposed standards.
Activity 4:
Explore the various laws and regulations that are applied in the areas of information
security. Present key features of the laws and cite cases where these were violated and
cases were filed in breach of law. Present findings in the class, discussing the details of
the case and interesting facets of it.
_________________________________________________________________________________
_________________________________________________________________________________
2. State at least three key constituents of a security policy
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
3. Explain at least two main concepts in the COSO framework
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
4. Explain the application of the Deming Cycle in IT security.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
5. Name the two categories of CIS benchmarks. Explain why they are used for configuration-level
auditing of technology.
________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
6. How is BS 7799 (ISO 17799) relevant to Indian Companies?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
7. State at least five different data security policies an organisation may have.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
150
Student Handbook– Security Analyst SSC/N0901
NOTES:
__________________________________________________________________________________
UNIT V
Information Security Management – Roles and Responsibilities
Lesson Plan
Resource Material
5.1. Information and Data Security Team Structure
5.2. Security Incident Response Team
LESSON PLAN
Lesson
5.1. Information and Data Security Team Structure
With the growing importance and scope of information and data security, numerous organizational
structures and configurations have been implemented to get a handle on the complexities associated
with managing and protecting data.
Information security governance begins at the top with the Board of Directors and CEO enforcing
accountability for adherence to standards and commissioning the development of security
architectures that address the security requirements of the business as a whole. The auditing function
might be its own group (or outsourced to a third party) and might report to the CEO or directly to the
Board of Directors to maintain its independence.
Board of Directors
The Board of Directors is responsible for protecting the interests of the shareholders of the
corporation. This duty of care (fiduciary responsibility) requires that it understand the risk to the
business and its data. The Board of Directors is responsible for approving the appropriate resources
necessary to safeguard data. It also needs to be kept aware of how the security program is
performing.
CIO/CISO
The CIO/CISO is responsible for aligning the information security program strategy and vision to
business requirements. The CIO/CISO ensures that the correct resources are in place to adhere to
the policies and procedures set forth by the steering committee. This role generally reports to the
CEO and Board of Directors and reports how the organization is performing relative to the
company’s goals and similar organizations in the same industry.
Security Director
The security director’s role is to coordinate the efforts for securing corporate assets. The
responsibilities include reporting on the progress of initiatives to executive management and
building the teams and resources to address the various tasks necessary for information security.
This role also acts as a liaison to other aspects of the business to articulate security requirements
throughout the company. The security director manages the teams in developing corporate data
security policies, standards, procedures, and guidelines.
Security Analyst
A security analyst builds the policies, analyses risk, and identifies new threats to the business.
Business continuity and disaster recovery planning are important functions performed by the
analyst to prepare the company for the unexpected. The analyst is also responsible for creating
reports about the performance of the organization’s security systems.
Security Architect
A security architect defines the procedures, guidelines, and standards used by the company.
Architects help to select the controls used to protect the company’s data and they make sure that
the controls are sufficient for addressing the risk and complying with policy. This role is also
responsible for testing security products and making recommendations about what will best serve
the needs of the company.
Security Engineer
A security engineer implements the controls selected by the security architect. Security engineers
are responsible for the maintenance of firewalls, IPS, and other tools. This includes upgrades,
testing, patching, and overall maintenance of the security systems. This role might also be
responsible for testing the functionality of equipment to make sure that it operates as expected.
Systems Administrator
A systems administrator is responsible for monitoring and maintaining the servers, printers, and
workstations a company uses. In addition, administrators add and/or remove user accounts as
necessary, control access to shared resources, and maintain company-wide antivirus software.
Database Administrator
The Database Administrator (DBA) has an important job in most companies. The DBA is responsible
for designing and maintaining corporate databases and also securing access to the data to ensure
its integrity. The ramifications of lax security in this role can be severe, especially considering the
reporting requirements mandated by SOX.
IS Auditor
An auditor’s role in security governance is to assess the effectiveness in meeting the requirements
set forth by policy and management direction. The auditor is tasked to identify risk and report on
how the organization performs to upper management. The auditor provides an impartial review of
projects and technologies to identify weaknesses that could result in loss to the company.
End User
End users have a critical role in security governance that is often overlooked. They must be aware
of the impact their actions can have on the security of the company and be able to safeguard
confidential information. They are responsible for complying with policies and procedures and
following safe computing practices, such as not opening attachments without antimalware software
running or loading unauthorized software. A solid user security awareness program can help
promote safe computing habits.
[Figure: organisational chart of information security roles (image not reproduced). Labels recoverable from the chart: 1. Board of Directors, 2. CEO, 3. CIO/CISO, 5. Security Analyst, 8. System Administrator, 9. Database Administrator, 10. IS Auditor, 11. End User]
5.2. Security Incident Response Team
The security incident response team is a group of individuals who have been trained in incident
management, each having distinct response roles. The team works under the direction of the incident
officer. The team is tasked with the following responsibilities:
• Processes IT security complaints or incidents.
• Assesses threats to IT resources.
• Alerts IT managers of imminent threats.
• Determines incident severity and escalates it, if necessary, with notification to CTO and
president’s senior staff.
• Coordinates security incidents (level 2 or 3) from discovery to closure.
• Reviews incidents, provides solutions/resolutions and closure.
Table-Top Exercise:
Students are encouraged to follow this link and perform an exercise on a security breach by
assuming the various roles described in the exercise:
http://www.nascio.org/portals/0/awards/nominations2015/2015/2015PA12-PA%20Cyber%20Continuity%20CIO%20Exercise%20DR%20Sec%20Biz%20Continuity%20NASCIO%202015%20FINAL.pdf
Summary
• Information security governance begins at the top with the Board of Directors and CEO
enforcing accountability for adherence to standards and commissioning the development of
security architectures that address the security requirements of the business as a whole.
• The auditing function might be its own group (or outsourced to a third party) and might report
to the CEO or directly to the Board of Directors to maintain its independence.
• Various roles in information security in an organisation: Board of Directors, Security Steering
Committee, CEO or Executive Management, CIO/CISO, Security Director, Security Analyst,
Security Architect, Security Engineer, Systems Administrator, Database Administrator, IS
Auditor and End User.
• Role of the security incident response team and its responsibilities:
o Processes IT security complaints or incidents.
o Assesses threats to IT resources.
o Alerts IT managers of imminent threats.
o Determines incident severity and escalates it, if necessary, with notification to CTO and
president’s senior staff.
o Coordinates security incidents (level 2 or 3) from discovery to closure.
o Reviews incidents, provides solutions/resolutions and closure.
Practical activities:
Activity 1:
Collect information about various job titles and roles within the data security sub-
sector. Meet industry representatives and compile a list of functions, qualification and
experience requirements for each role. Present the same in class in groups.
Activity 2:
composition, liaising with different departments inside the organisation, interactions with other organisations, their functions, etc.
2. Explain how the role of a Security Analyst differs from that of a Security Engineer.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
• The security director’s role is to coordinate the efforts for securing _____________ ________.
• A ___________ ___________builds the policies, analyses risk, and identifies new threats to
the business.
__________________________________________________________________________________
__________________________________________________________________________________
NOTES:
__________________________________________________________________________________
UNIT VI
Information Security Performance Metrics
Lesson Plan
6.1. Introduction – Security Metrics
6.2. Types of Security Metrics
6.3. Using Security Metrics
6.4. Developing the Metrics Process
6.5. Metrics and Reporting
6.6. Designing Information Security Measuring Systems
LESSON PLAN
Lesson
6.1 Introduction – Security Metrics
It helps to understand what metrics are by drawing a distinction between metrics and measurements.
Measurements provide single-point-in-time views of specific, discrete factors, while metrics are
derived by comparing to a predetermined baseline of two or more measurements taken over time.
Measurements are generated by counting; metrics are generated from analysis. In other words,
measurements are objective raw data and metrics are either objective or subjective human
interpretations of those data.
In the face of regular, high-profile news reports of serious security breaches, as well as intense scrutiny
of institutional costs, security managers are more than ever being held accountable for demonstrating
the effectiveness of their security programs. What means should managers be using to meet this
challenge? Key among these should be security metrics. This lesson provides a definition of
security metrics, explains their value, discusses the difficulties in generating them, suggests a
methodology for building a security metrics program, and reviews factors that affect its ongoing success.
Good metrics are those that are SMART, i.e. specific, measurable, attainable, repeatable, and time-
dependent. Truly useful metrics indicate the degree to which security goals, such as data
confidentiality, are being met, and they drive actions taken to improve an organization’s overall
security program. Distinguishing metrics meaningful primarily to those with direct responsibility for
security management from those that speak directly to executive management interests and issues is
critical to development of an effective security metrics program.
While there are multiple ways to categorize metrics, guidance from the National Institute of
Standards and Technology (NIST) does this in a way that is more helpful than simply providing tag
names for metric groupings. The Performance Measurement Guide for Information Security (NIST SP
800-55 Revision 1) divides security metrics into three categories, Implementation,
Effectiveness/Efficiency and Impact, and links each to levels of security program maturity.
• Impact – metrics used to convey the impact of the information security program on the
institution's mission, often through quantifying cost avoidance or risk reduction produced by
the overall security program.
As mentioned earlier, truly useful metrics indicate the degree to which security goals are being met
and they drive actions taken to improve an organization's overall security program. Before expending
resources producing metrics in any of these three categories, it is essential that goals and objectives
of the security program be articulated.
Software Security Metrics: software measures are usually troublesome (LOC, function points,
complexity, etc.); such metrics are context-sensitive, environment-dependent and architecture-dependent.
Examples are size and complexity, defects/LOC, defects (by severity and type) over time, cost per
defect, attack surface (number of interfaces), layers of security and design flaws.
People Security Metrics: usually relevant but unreliable, because people's behaviour is difficult to
model; biases and non-standard responses make it hard to predict. Examples include
associates/contractors that have completed information security policy training, team
size, etc.
Other
A sample list of metrics is given below. These metrics cover the following business functions:
• Application Security
o Number of Applications
o Percentage of Critical Applications
o Risk Assessment Coverage
o Security Testing Coverage
• Configuration Change Management
o Mean-Time to Complete Changes
o Percent of Changes with Security Review
o Percent of Changes with Security Exceptions
• Financial
o Information Security Budget as % of IT Budget
o Information Security Budget Allocation
• Incident Management
o Mean-Time to Incident Discovery
o Incident Rate
o Percentage of Incidents Detected by Internal Controls
o Mean-Time Between Security Incidents
o Mean-Time to Recovery
• Patch Management
o Patch Policy Compliance
o Patch Management Coverage
o Mean-Time to Patch
• Vulnerability Management
o Vulnerability Scan Coverage
o Percent of Systems Without Known Severe Vulnerabilities
o Mean-Time to Mitigate Vulnerabilities
o Number of Known Vulnerability Instances
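The handbook lists the incident, patch and vulnerability metrics above by name only. The following worked example is added here and is not part of the handbook: it computes several of them from constructed sample records, so that the distinction between a measurement (a timestamp, a count) and a metric (an average or percentage derived from those counts) becomes concrete. The record layout, the patch policy windows in POLICY_DAYS and the exact definition of each metric are assumptions made for the example.

```python
"""Security metrics from constructed records (added example, not handbook code)."""
from datetime import date, datetime
from statistics import mean

TS_FMT = "%Y-%m-%d %H:%M"
REPORT_DATE = "2015-11-30"  # constructed reporting date used for "as of" calculations

# Constructed sample incidents: start of malicious activity, detection, recovery.
INCIDENTS = [
    {"started": "2015-11-02 08:00", "discovered": "2015-11-02 20:00", "recovered": "2015-11-03 08:00", "internal_control": True},
    {"started": "2015-11-10 09:00", "discovered": "2015-11-12 09:00", "recovered": "2015-11-12 21:00", "internal_control": False},
    {"started": "2015-11-20 10:00", "discovered": "2015-11-20 16:00", "recovered": "2015-11-21 10:00", "internal_control": True},
]
# Assumed patch policy: maximum days allowed between vendor release and deployment.
POLICY_DAYS = {"critical": 7, "high": 30}
PATCHES = [  # constructed; "applied" is None while a patch is still outstanding
    {"host": "web-01", "severity": "critical", "released": "2015-11-01", "applied": "2015-11-05"},
    {"host": "web-02", "severity": "critical", "released": "2015-11-01", "applied": "2015-11-20"},
    {"host": "db-01", "severity": "high", "released": "2015-11-03", "applied": "2015-11-10"},
    {"host": "app-01", "severity": "high", "released": "2015-11-03", "applied": None},
]
# Constructed scan results; "severe" is None when the host was not scanned at all.
SYSTEMS = [
    {"host": "web-01", "scanned": True, "severe": 0},
    {"host": "web-02", "scanned": True, "severe": 2},
    {"host": "db-01", "scanned": True, "severe": 0},
    {"host": "app-01", "scanned": False, "severe": None},
    {"host": "hr-01", "scanned": True, "severe": 1},
]


def _hours(start, end):
    a, b = datetime.strptime(start, TS_FMT), datetime.strptime(end, TS_FMT)
    return (b - a).total_seconds() / 3600

def _days(start, end):
    return (date.fromisoformat(end) - date.fromisoformat(start)).days

def percent(part, whole):
    """Percentage to one decimal; 0.0 when there is nothing to count."""
    return round(100.0 * part / whole, 1) if whole else 0.0

def mean_time_to_discovery(incidents):
    """Average hours from first malicious activity to detection."""
    return round(mean(_hours(i["started"], i["discovered"]) for i in incidents), 1)

def mean_time_to_recovery(incidents):
    """Average hours from detection to restored service."""
    return round(mean(_hours(i["discovered"], i["recovered"]) for i in incidents), 1)

def mean_time_between_incidents(incidents):
    """Average hours between consecutive incident start times."""
    starts = sorted(i["started"] for i in incidents)  # fixed-width timestamps sort as text
    gaps = [_hours(a, b) for a, b in zip(starts, starts[1:])]
    return round(mean(gaps), 1) if gaps else 0.0

def pct_detected_by_internal_controls(incidents):
    """Share of incidents found by the organisation's own controls, not by outsiders."""
    return percent(sum(1 for i in incidents if i["internal_control"]), len(incidents))

def patch_status(patch, as_of=REPORT_DATE):
    """'compliant' (applied inside the window), 'pending' (window still open) or 'overdue'."""
    window = POLICY_DAYS[patch["severity"]]
    if patch["applied"]:
        return "compliant" if _days(patch["released"], patch["applied"]) <= window else "overdue"
    return "pending" if _days(patch["released"], as_of) <= window else "overdue"

def patch_policy_compliance(patches, as_of=REPORT_DATE):
    """Percent of required patches that are not overdue under the assumed policy."""
    return percent(sum(1 for p in patches if patch_status(p, as_of) != "overdue"), len(patches))

def mean_time_to_patch(patches):
    """Average days from release to deployment, over patches actually applied."""
    applied = [_days(p["released"], p["applied"]) for p in patches if p["applied"]]
    return round(mean(applied), 1) if applied else 0.0

def vulnerability_scan_coverage(systems):
    return percent(sum(1 for s in systems if s["scanned"]), len(systems))

def pct_systems_without_severe_vulns(systems):
    """Counted over scanned hosts only: an unscanned host is unknown, not clean."""
    scanned = [s for s in systems if s["scanned"]]
    return percent(sum(1 for s in scanned if s["severe"] == 0), len(scanned))

def known_vulnerability_instances(systems):
    return sum(s["severe"] for s in systems if s["scanned"])

def metrics_report(incidents=INCIDENTS, patches=PATCHES, systems=SYSTEMS):
    """All of the above combined into one reporting-period snapshot."""
    return {
        "mean_time_to_discovery_h": mean_time_to_discovery(incidents),
        "mean_time_to_recovery_h": mean_time_to_recovery(incidents),
        "mean_time_between_incidents_h": mean_time_between_incidents(incidents),
        "pct_incidents_detected_internally": pct_detected_by_internal_controls(incidents),
        "patch_policy_compliance_pct": patch_policy_compliance(patches),
        "mean_time_to_patch_days": mean_time_to_patch(patches),
        "vulnerability_scan_coverage_pct": vulnerability_scan_coverage(systems),
        "pct_systems_without_severe_vulns": pct_systems_without_severe_vulns(systems),
        "known_vulnerability_instances": known_vulnerability_instances(systems),
    }
```

Two design choices are worth noting. A patch that is unapplied but still inside its policy window is reported as "pending" rather than as a compliance failure, so the compliance figure does not punish teams for work that is not yet due. And the "percent of systems without severe vulnerabilities" is computed over scanned hosts only; counting an unscanned host as clean would make the metric improve as scan coverage falls, which is exactly the kind of misleading figure a metrics programme must avoid.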
6.3. Using Security Metrics
Using security metrics involves data acquisition. This may be automated or manually collected. Data
collection automation depends on the availability of data from automated sources versus the
availability of data from people. Manual data collection involves developing questionnaires and
conducting interviews and surveys with the organization’s staff.
• More useful data becomes available from semi-automated and automated data sources, such
as self-assessment tools, certification and accreditation (C&A) databases, incident reporting
and response databases, and other data sources as a security program matures.
• Metrics data collection is fully automated when all data is gathered by using automated data
sources without human involvement or intervention.
o Schedule
o Implement metrics
Common but mistaken assumptions about metrics programmes include the following (the reality
is given in parentheses):
• Measurement efforts are finite (while in reality a metrics programme is aimed at continual
improvement and long term benefits).
• Data for metrics support is readily accessible and conducive to measurement (in many cases,
depending on the IS management's maturity, size and structure of the organization, et cetera, this
may not be so, and changes to the existing data collection and analysis processes may have to be
made, especially toward higher levels of standardization, to make metrics effective and efficient).
• Metrics provide quick returns (this again depends on factors such as the maturity of IS management;
expecting business impact metrics from an ISMS that does not have the capability to effectively
provide them is unrealistic, for instance).
• Metrics can be automated easily/rapidly (attempting to automate measures that have not yet
been thoroughly tested and proven to be effective can be ultimately counterproductive).
• Measures should help ensure maximum ROI (while not unreasonable per se, this often receives a
high priority at the expense of the other facets of measurement, which get neglected and, once
again, the capability of IS management to deliver on these expectations is not always fully
considered).
The lack of consensus definitions and vocabulary, and a broadly accepted model for mapping IS
metrics to organizational structure and clearly illustrating how the lower level metrics can roll up into
the higher level ones in a meaningful way can possibly contribute to this problem (although, based on
the information presented in earlier chapters of the report, it can be recognized that efforts are being
made to rectify these issues). Without a good model or methodology for rolling up quantitative
measures, security professionals often struggle to find a compromise between reporting methods that
are too technical for the senior management and ones that impair the utility of a metric due to
oversimplification.
6.5. Metrics and Reporting
The frequency of reports depends on organizational norms, the volume and gravity of information
available, and management requirements. Regular reporting periods may vary from daily or weekly
to monthly, quarterly, six-monthly or annual. The latter ones are more likely to identify and discuss
trends and strategic issues, and to include status reports on security-relevant development projects,
information security initiatives and so forth; in other words, they provide the context to make sense
of the numbers.
• An annual, highly confidential Information Security Report for the CEO, the Board and other
senior management (including Internal Audit). This report might include commentary on the
success or otherwise of specific security investments. A forward-looking section can help to set
the scene for planned future investments, and is a good opportunity to point out the ever
changing legal and regulatory environment and the corresponding personal liabilities on senior
managers.
• Quarterly status reports to the most senior body directly responsible for information security,
physical security, risk and/or governance. Traffic light status reports are common and KPIs may
be required, but the Information Security Manager’s commentary (supplemented or endorsed
by that of the CTO/CIO) is a good value add.
• Monthly reports to the CTO/CIO, listing projects participated in and security incidents, along
with their monetary value (the financial impacts do not need to be precisely accurate, they are
used to indicate the scale of losses).
6.6. Designing Information Security Measuring Systems
When identifying the right metrics, we shouldn’t implement a measurement process if we don’t intend
to follow it routinely and systematically: we need repeatable and reliable measures. We shouldn’t
capture data that we don’t intend to analyse; that is simply an avoidable cost. And we shouldn’t
analyse data if we don’t intend to make practical use of the results.
Where will the data come from and where will they be stored? If the source information is not
already captured and available, there will be a need to put in place the processes to gather it. This
in turn raises the issue of who will capture the data. Will it be centralized or will we distribute the
data collection processes? If departments and functions outside central control are reporting, how
far can they be trusted not to manipulate the figures? Will they meet deadlines and formatting
requirements? How much data gathering and reporting can be automated?
What do senior management actually want? To get senior management buy-in it is important to
discuss the purpose and outputs with managers and peers. Provide alternative formats initially to
assess their preference. It may be required to report differently from other functions in the
organization, using different presentation formats as well as different content. Managers are likely
to feel more comfortable with conventional management reports, so look at a range of sample
reports to pick out the style cues.
When developing metrics, it’s worth testing out the feasibility and effectiveness of the
measurement processes and the usefulness of chosen metrics on a limited scale before rolling them
out across the entire corporation. Pilot studies or trials are useful ways to iron-out any glitches in
the processes for collecting and analysing metrics, and for deciding whether the metrics are truly
indicative of what you are trying to measure.
Even after the initial trial period, continuous feedback on the metrics can help to refine the
measurement system. Changes in both the organization and the information security risks it faces
mean that some metrics are likely to become outdated over time.
5. Setting targets
Measuring and reporting leads to the identification and benchmarking of Key Performance
Indicators (KPIs) and then tracking measures to evaluate performance.
Before publishing the chosen metrics it is important to figure out which ones would truly indicate
making progress towards the organization’s information security goals.
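The lesson defines a metric as a comparison of measurements against a predetermined baseline, describes quarterly traffic light status reports with KPIs, and ends with setting targets. The following worked example is added here and is not part of the handbook: it takes one period's operational measurements and a baseline period, compares each KPI with an assumed target to give it a green, amber or red status, reports the trend against the baseline, and rolls the individual statuses up into a single programme-level status of the kind a quarterly report would carry. The KPI names, thresholds, stable band and sample values are all constructed for the example.

```python
"""Traffic-light KPI roll-up against targets and a baseline (added example, not handbook code)."""

# Assumed targets. "better" says which direction is good; a value on the good side of
# "green" is green, on the good side of "amber" is amber, anything else is red.
TARGETS = {
    "mean_time_to_discovery_h":          {"better": "lower",  "green": 24.0, "amber": 48.0},
    "patch_policy_compliance_pct":       {"better": "higher", "green": 95.0, "amber": 80.0},
    "vulnerability_scan_coverage_pct":   {"better": "higher", "green": 98.0, "amber": 90.0},
    "pct_incidents_detected_internally": {"better": "higher", "green": 80.0, "amber": 60.0},
}
# Constructed measurements for the previous quarter (baseline) and this quarter.
BASELINE = {"mean_time_to_discovery_h": 30.0, "patch_policy_compliance_pct": 70.0,
            "vulnerability_scan_coverage_pct": 85.0, "pct_incidents_detected_internally": 50.0}
THIS_PERIOD = {"mean_time_to_discovery_h": 22.0, "patch_policy_compliance_pct": 75.0,
               "vulnerability_scan_coverage_pct": 80.0, "pct_incidents_detected_internally": 66.7}

RANK = {"green": 0, "amber": 1, "red": 2}
STABLE_BAND = 1.0  # assumed: a change smaller than this is reported as "stable", not as a trend


def rag_status(kpi, value):
    """Red/amber/green status of one measurement against its target thresholds."""
    t = TARGETS[kpi]
    on_good_side = (lambda v, x: v <= x) if t["better"] == "lower" else (lambda v, x: v >= x)
    if on_good_side(value, t["green"]):
        return "green"
    return "amber" if on_good_side(value, t["amber"]) else "red"


def trend(kpi, previous, current):
    """The metric proper: this period's measurement compared with the baseline measurement."""
    delta = current - previous
    if abs(delta) < STABLE_BAND:
        return "stable"
    improved = delta < 0 if TARGETS[kpi]["better"] == "lower" else delta > 0
    return "improving" if improved else "worsening"


def roll_up(statuses):
    """Worst-of roll-up: a single red KPI makes the programme-level status red."""
    return max(statuses, key=lambda s: RANK[s])


def status_report(baseline, current):
    rows = {kpi: {"value": current[kpi],
                  "status": rag_status(kpi, current[kpi]),
                  "trend": trend(kpi, baseline[kpi], current[kpi])}
            for kpi in TARGETS}
    return {"kpis": rows, "overall": roll_up([r["status"] for r in rows.values()])}


def render(report):
    """Plain-text version of the traffic light table for a management report."""
    lines = [f"Overall information security status: {report['overall'].upper()}"]
    for kpi, r in report["kpis"].items():
        lines.append(f"  {kpi:36s} {r['value']:>6} {r['status']:5s} {r['trend']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(status_report(BASELINE, THIS_PERIOD)))
```

A worst-of roll-up is deliberately conservative: it keeps a single red KPI from being averaged away by several green ones, which is the oversimplification the lesson warns about. The trend column is what turns the raw numbers into a metric in the lesson's sense, and the stable band stops small measurement noise from being reported as a change in direction.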
Summary
• Good security metrics are those that are SMART, i.e. specific, measurable, attainable,
repeatable and time-dependent.
• The Performance Measurement Guide for Information Security (NIST SP 800-55 Revision 1)
divides security metrics into three categories and links each to levels of security program
maturity, namely Implementation, Effectiveness/Efficiency and Impact.
• Security metrics are also classified into three distinct categories:
o Strategic security metrics, which measure the information security elements of high-level
business goals, objectives and strategies
o Security management metrics: there are numerous facets of managing information
security risk that could be measured, hence many possible metrics
o Operational security metrics, at the lowest level of analysis: most information
security controls, systems and processes need to be measured in order to operate and
control them
• Using security metrics involves data acquisition, which may be automated or manual.
• The frequency of reports depends on organizational norms, the volume and gravity of
information available, and management requirements. Regular reporting periods may vary
from daily or weekly to monthly, quarterly, six-monthly or annual.
• The following questions should be asked while designing information security measurement
systems:
o What are we going to measure?
o How will we measure things?
o How will we report?
o How should we implement our reporting system?
o How do we set targets?
Practical activities:
Activity 1:
Work in teams and gather as much information from industry and the internet about
the various information security performance metrics they use in their organisations.
Discuss the various challenges in identifying, monitoring and inferencing performance
through these metrics.
Activity 2:
Develop performance metrics for various aspects of your own academic and non-
academic behaviours and track these over a period of a week. Draw out various
inferences from this monitoring. Present the object of your study, the metric you
chose, the challenges in implementing these metrics and your process of
inferencing. Debate the inferences and validity of each other’s findings.
Activity 3:
Research the various information security companies offering products and services for
tracking and instituting performance metrics systems in organisations. Compare
services, present features, benefits and limitations of the same.
Q. State TRUE or FALSE as to whether each of the following accurately describes one of the
misconceptions regarding metrics.
• Metrics provide single-point-in-time views of specific, discrete factors, while measurements are
derived by comparing to a predetermined baseline of two or more measurements taken over
time. ( )
• Metrics efforts are finite, while in reality a measurement programme is aimed at continual
improvement and long term benefits. ( )
• Measurement can be automated easily/rapidly; attempting to automate metrics that have not yet
been thoroughly tested and proven to be effective can be ultimately counterproductive. ( )
Q. Which type of security metrics is used to monitor results of security control implementation for a
single control or across multiple controls?
_______________________________________________________
Q. The reporting/updating of which of the following types of security metrics is carried out monthly
or quarterly:
Q. The data capturing process plays a vital role in determining appropriate information security
measurement systems. Give one example in support of this statement.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
NOTES:
__________________________________________________________________________________
UNIT VII
Risk Assessment
Lesson Plan
Resource Material
7.1. Risk Overview
7.2. Risk Identification
7.3. Risk Analysis
7.4. Risk Treatment
7.5. Risk Management Feedback Loops
7.6. Risk Monitoring
LESSON PLAN
Lesson
Risk assessments, whether they pertain to information security or other types of risk, are a means of
providing decision makers with information needed to understand factors that can negatively
influence operations and outcomes and make informed judgments concerning the extent of actions
needed to reduce risk.
As reliance on computer systems and electronic data has grown, information security risk has joined
the array of risks that governments and businesses must manage. Regardless of the types of risk being
considered, all risk assessments generally include the following elements:
• Identifying threats that could harm and, thus, adversely affect critical operations and assets.
Threats include such things as intruders, criminals, disgruntled employees, terrorists, and natural
disasters.
• Estimating the likelihood that such threats will materialize based on historical information and
judgment of knowledgeable individuals.
• Identifying and ranking the value, sensitivity, and criticality of the operations and assets that could
be affected should a threat materialize in order to determine which operations and assets are the
most important.
• Estimating, for the most critical and sensitive assets and operations, the potential losses or damage
that could occur if a threat materializes, including recovery costs.
• Identifying cost-effective actions to mitigate or reduce the risk. These actions can include
implementing new organizational policies and procedures as well as technical or physical controls.
• Documenting the results and developing an action plan.
There are various models and methods for assessing risk, and the extent of an analysis and the
resources expended can vary depending on the scope of the assessment and the availability of reliable
data on risk factors. In addition, the availability of data can affect the extent to which risk assessment
results can be reliably quantified.
A quantitative approach generally estimates the monetary cost of risk and risk reduction techniques
based on
o the likelihood that a damaging event will occur,
o the costs of potential losses, and
o the costs of mitigating actions that could be taken.
When reliable data on likelihood and costs are not available, a qualitative approach can be taken by
defining risk in more subjective and general terms such as high, medium, and low. In this regard,
qualitative assessments depend more on the expertise, experience, and judgment of those conducting
the assessment. It is also possible to use a combination of quantitative and qualitative methods.
There are multiple types of risk assessments, including program risk assessments, risk assessments to
support an investment decision, analysis of alternatives, and assessments of operational or cost
uncertainty. Risk identification needs to match the type of assessment required to support risk-
informed decision making. For an acquisition program, the first step is to identify the program goals
and objectives, thus fostering a common understanding across the team of what is needed for
program success. This gives context and bounds the scope by which risks are identified and assessed.
There are multiple sources of risk. For risk identification, the project team should review the program
scope, cost estimates, schedule (to include evaluation of the critical path), technical maturity, key
performance parameters, performance challenges, stakeholder expectations vs. current plan, external
and internal dependencies, implementation challenges, integration, interoperability, supportability,
supply-chain vulnerabilities, ability to handle threats, cost deviations, test event expectations, safety,
security, and more. In addition, historical data from similar projects, stakeholder interviews, and risk
lists provide valuable insight into areas for consideration of risk.
Risk identification is an iterative process. As the program progresses, more information will be gained
about the program (e.g., specific design), and the risk statement will be adjusted to reflect the current
understanding. New risks will be identified as the project progresses through the life cycle.
Gather data.
Risk Evaluation
The risk evaluation process takes as its input the output of the risk analysis process. It compares each
risk level against the risk acceptance criteria and prioritises the risk list with risk treatment indications.
Risk reduction
Taking the mitigation steps necessary to reduce the overall risk to an asset. Often this will
include selecting countermeasures that will either reduce the likelihood of occurrence or
reduce the severity of loss, or achieve both objectives at the same time. Countermeasures can
include technical or operational controls or changes to the physical environment. For example,
the risk of computer viruses can be mitigated by acquiring and implementing antivirus software.
When evaluating the strength of a control, consideration should be given to whether the
controls are preventative or detective. The remaining level of risk after the
controls/countermeasures have been applied is often referred to as “residual risk.” An
organization may choose to undergo a further cycle of risk treatment to address this.
Risk sharing/transference
The organization shares its risk with third parties through insurance and/or service providers.
Insurance is a post-event compensatory mechanism used to reduce the burden of loss if the
event were to occur. Transference is the shifting of risk from one party to another. For example,
when hard-copy documents are moved offsite for storage at a secure-storage vendor location,
the responsibility and costs associated with protecting the data transfers to the service
provider. The cost of storage may include compensation (insurance) if documents are damaged,
lost, or stolen.
Risk avoidance
The practice of eliminating the risk by withdrawing from or not becoming involved in the activity
that allows the risk to be realized. For example, an organization decides to discontinue a
business process in order to avoid a situation that exposes the organization to risk.
Risk acceptance
An organization decides to accept a particular risk because it falls within its risk-tolerance
parameters and therefore agrees to accept the cost when it occurs. Risk acceptance is a viable
strategy where the cost of insuring against the risk would be greater over time than the total
losses sustained. All risks that are not avoided or transferred are accepted by default.
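The quantitative approach, the evaluation against acceptance criteria and the four treatment options above, carried through a small risk register as an added example (not code from the handbook). Every asset value, rate and cost in it is a constructed illustration, and the cost-benefit test for "reduce" is this example's own decision rule.

```python
"""Quantitative risk analysis, evaluation and treatment selection.

Added example, not code from the handbook: it carries the handbook's quantitative
approach (likelihood x cost of loss, compared with the cost of mitigating actions)
through a small risk register. Every asset value, rate and cost is a constructed
illustration, not data from a real assessment.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float          # monetary value of the affected asset/operation
    exposure_factor: float      # fraction of the asset lost per event (0..1)
    annual_rate: float          # expected events per year (history + expert judgement)
    countermeasure: str = ""    # candidate control that reduces likelihood or severity
    control_cost: float = 0.0   # annual cost of that control
    residual_rate: float = 0.0  # annual rate after the control is applied
    residual_ef: float = 0.0    # exposure factor after the control is applied
    transferable: bool = False  # loss can be shifted to an insurer / service provider
    avoidable: bool = False     # the activity creating the risk can be discontinued

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence, including recovery."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: likelihood x cost of potential loss."""
        return self.sle() * self.annual_rate

    def residual_ale(self) -> float:
        """Expected annual loss left after the countermeasure (the residual risk)."""
        return self.asset_value * self.residual_ef * self.residual_rate

    def control_benefit(self) -> float:
        """Annual risk reduction minus control cost; positive means cost-effective."""
        return self.ale() - self.residual_ale() - self.control_cost


def qualitative_level(ale: float, medium: float = 10_000, high: float = 100_000) -> str:
    """Map a monetary ALE onto the high/medium/low scale used when data is scarce."""
    if ale >= high:
        return "high"
    if ale >= medium:
        return "medium"
    return "low"


def choose_treatment(risk: Risk, acceptance_threshold: float) -> str:
    """Risk evaluation: compare the risk level with the acceptance criteria and
    indicate one treatment: reduce, share/transfer, avoid or accept."""
    if risk.ale() <= acceptance_threshold:
        return "accept"                       # within risk tolerance
    if risk.control_benefit() > 0:
        return "reduce"                       # a cost-effective countermeasure exists
    if risk.transferable:
        return "share/transfer"               # insurance or a provider is cheaper
    if risk.avoidable:
        return "avoid"                        # discontinue the activity
    return "accept (exceeds tolerance, needs sign-off)"  # accepted by default


def evaluate(register, acceptance_threshold: float):
    """Return the register prioritised by ALE with a treatment indication per risk."""
    rows = []
    for r in register:
        rows.append({
            "risk": r.name,
            "sle": r.sle(),
            "ale": r.ale(),
            "level": qualitative_level(r.ale()),
            "treatment": choose_treatment(r, acceptance_threshold),
            "residual_ale": r.residual_ale() if r.countermeasure else r.ale(),
        })
    rows.sort(key=lambda row: row["ale"], reverse=True)
    return rows


# Constructed sample register (values are illustrative only).
SAMPLE_REGISTER = [
    Risk("Ransomware on file server", 500_000, 0.4, 0.5,
         "offline backups + endpoint protection", 30_000, 0.1, 0.1),
    Risk("Loss of hard-copy archive", 200_000, 1.0, 0.1,
         "on-site fire-rated vault", 25_000, 0.05, 1.0, transferable=True),
    Risk("Breach via legacy business process", 150_000, 0.5, 0.2,
         "re-engineer process", 20_000, 0.1, 0.5, avoidable=True),
    Risk("Theft of a single laptop", 2_000, 1.0, 1.0),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER, acceptance_threshold=5_000):
        print(f"{row['risk']:<38} ALE={row['ale']:>10,.0f} {row['level']:<7} -> {row['treatment']}")
```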
Risk management is carried out as a holistic, organization wide activity that addresses risk from the
strategic level to the tactical level, ensuring that risk based decision making is integrated into every
aspect of the organization. The following sections briefly describe each of the four risk management
components. The first component of risk management addresses how organizations frame risk or
establish a risk context—that is, describing the environment in which risk-based decisions are made.
The purpose of the risk framing component is to produce a risk management strategy that addresses
how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and
transparent the risk perceptions that organizations routinely use in making both investment and
operational decisions. The risk frame establishes a foundation for managing risk and delineates the
boundaries for risk-based decisions within organizations.
Establishing a realistic and credible risk frame requires that organizations identify:
must address risk, and any factors of uncertainty that organizations consider in risk
responses).
The risk framing component and the associated risk management strategy also include any strategic-
level decisions on how risk to organizational operations and assets, individuals, other organizations,
and the Nation, is to be managed by senior leaders/executives.
The second component of risk management addresses how organizations assess risk within the
context of the organizational risk frame. The purpose of the risk assessment component is to identify:
• the tools, techniques, and methodologies that are used to assess risk;
• the assumptions related to risk assessments;
• the constraints that may affect risk assessments;
• roles and responsibilities;
• how risk assessment information is collected, processed, and communicated throughout
organizations;
• how risk assessments are conducted within organizations;
• the frequency of risk assessments; and
• how threat information is obtained (i.e., sources and methods).
The third component of risk management addresses how organizations respond to risk once that risk
is determined based on the results of risk assessments.
The purpose of the risk response component is to provide a consistent, organization-wide, response
to risk in accordance with the organizational risk frame by:
To support the risk response component, organizations describe the types of risk responses that can
be implemented (i.e., accepting, avoiding, mitigating, sharing, or transferring risk).
Organizations also identify the tools, techniques, and methodologies used to develop courses of action
for responding to risk, how courses of action are evaluated, and how risk responses are communicated
across organizations and as appropriate, to external entities (e.g., external service providers, supply
chain partners).
The fourth component of risk management addresses how organizations monitor risk over time. The
purpose of the risk monitoring component is to:
• verify that planned risk response measures are implemented and information security
requirements derived from/traceable to organizational mission/business functions, federal
legislation, directives, regulations, policies, and standards, and guidelines, are satisfied;
• determine the ongoing effectiveness of risk response measures following implementation;
and
• identify risk-impacting changes to organizational information systems and the environments
in which the systems operate.
To support the risk monitoring component, organizations describe how compliance is verified and how
the ongoing effectiveness of risk responses is determined (e.g., the types of tools, techniques, and
methodologies used to determine the sufficiency/correctness of risk responses and if risk mitigation
measures are implemented correctly, operating as intended, and producing the desired effect with
regard to reducing risk). In addition, organizations describe how changes that may impact the ongoing
effectiveness of risk responses are monitored.
• verify compliance;
• determine the ongoing effectiveness of risk response measures; and
• identify risk-impacting changes to organizational information systems and environments of
operation.
Analysing monitoring results gives organizations the capability to maintain awareness of the risk being
incurred, highlight the need to revisit other steps in the risk management process, and initiate process
improvement activities as needed.
Organizations employ risk monitoring tools, techniques, and procedures to increase risk awareness,
helping senior leaders/executives develop a better understanding of the ongoing risk to organizational
operations and assets, individuals, other organizations, and the Nation. Organizations can implement
risk monitoring at any of the risk management tiers with different objectives and utility of information
produced. For example, Tier 1 monitoring activities might include ongoing threat assessments and
how changes in the threat space may affect Tier 2 and Tier 3 activities, including enterprise
architectures (with embedded information security architectures) and organizational information
systems. Tier 2 monitoring activities might include, for example, analyses of new or current
technologies either in use or considered for future use by organizations to identify exploitable
weaknesses and/or deficiencies in those technologies that may affect mission/business success. Tier
3 monitoring activities focus on information systems and might include, for example, automated
monitoring of standard configuration settings for information technology products, vulnerability
scanning, and ongoing assessments of security controls. In addition to deciding on appropriate
monitoring activities across the risk management tiers, organizations also decide how monitoring is
to be conducted (e.g., automated or manual approaches) and the frequency of monitoring activities
based on, for example, the frequency with which deployed security controls change, critical items on
plans of action and milestones, and risk tolerance.
Summary
• Definition of Risk: A probability or threat of damage, injury, liability, loss, or any other negative
occurrence that is caused by external or internal vulnerabilities, and that may be avoided
through pre-emptive action.
• A quantitative approach generally estimates the monetary cost of risk and risk reduction
techniques based on
o the likelihood that a damaging event will occur,
o the costs of potential losses, and
o the costs of mitigating actions that could be taken.
• Risk identification is an iterative process.
• Risk analysis, which is a tool for risk management, is a method of identifying vulnerabilities and
threats, and assessing the possible damage to determine where to implement security
safeguards.
• The risk evaluation process takes as its input the output of the risk analysis process.
• Risk treatment efforts should be undertaken to mitigate identified risks, using appropriate
administrative, technical and physical controls.
• Risk management is carried out as a holistic, organization-wide activity that addresses risk from
the strategic level to the tactical level, ensuring that risk-based decision making is integrated
into every aspect of the organization.
• Analysing monitoring results gives organizations the capability to maintain awareness of the
risk being incurred, highlight the need to revisit other steps in the risk management process,
and initiate process improvement activities as needed.
Practical activities:
Activity 1:
Research various risks for their institute in the area of information security. Prepare a
process report highlighting your approach towards identifying risk, recording, monitoring,
analysing and treating risk. The approach should be shared with the faculty and the
report should be submitted for evaluation.
Q. Analyse and state the differences between risk analysis and risk evaluation in two lines.
__________________________________________________________________________________
Q. Suggest one of the appropriate measures that can curb the problem of ‘residual risk.’
__________________________________________________________________________________
Q. Complete the following requirements that an organization needs to identify in order to build a
realistic and credible risk frame
a) risk constraints
b) ________________
c) risk tolerance
d) ________________
NOTES:
__________________________________________________________________________________
UNIT VIII
Configuration review
Lesson Plan
8.1. Configuration Management
8.2. Organisational SecCM Policy
8.3. Identify CM Tools
8.4. Implementing Secure Configurations
8.5. Unauthorised Access to Configuration Stores
LESSON PLAN
Performance Outcomes:
To be competent, you must be able to:
PC4. carry out configuration reviews of information security systems using automated tools,
where required
Ensuring Measures:
• Performance evaluation from Faculty and Industry with reward points
• QA session and a Descriptive write up on understanding
Work Environment/Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with Wi-Fi (Min 2 Mbps Dedicated)
• Networking Equipment - Routers & Switches
• Firewalls and Access Points
• Access to all security sites like ISO, PCI DSS
• Commercial Tools like HP Web Inspect and IBM AppScan etc.
• Open Source tools like sqlmap, Nessus etc.
Lesson
Organizations apply configuration management (CM) for establishing baselines and for tracking,
controlling, and managing many aspects of business development and operation (e.g., products,
services, manufacturing, business processes, and information technology). Organizations with a
robust and effective CM process need to consider information security implications with respect to
the development and operation of information systems including hardware, software, applications,
and documentation. Effective CM of information systems requires the integration of the management
of secure configurations into the organizational CM process or processes. For this reason, this
document assumes that information security is an integral part of an organization’s overall CM
process; however, the focus of this document is on implementation of the information system security
aspects of CM, and as such the term security-focused configuration management (SecCM) is used to
emphasize the concentration on information security. Though both IT business application functions
and security-focused practices are expected to be integrated as a single process, SecCM in this context
is defined as the management and control of configurations for information systems to enable security
and facilitate the management of information security risk.
Configuration Management (CM) comprises a collection of activities focused on establishing and
maintaining the integrity of products and systems, through control of the processes for initializing,
changing, and monitoring the configurations of those products and systems.
A Configuration Item (CI) is an identifiable part of a system (e.g., hardware, software, firmware,
documentation, or a combination thereof) that is a discrete target of configuration control processes.
A Baseline Configuration is a set of specifications for a system, or CI within a system, that has been
formally reviewed and agreed on at a given point in time, and which can be changed only through
change control procedures. The baseline configuration is used as a basis for future builds, releases,
and/or changes.
The basic parts of a CM Plan include:
• Configuration Control Board (CCB) – Establishment of and charter for a group of qualified people
with responsibility for the process of controlling and approving changes throughout the development
and operational lifecycle of products and systems; may also be referred to as a change control board;
• Configuration Item Identification – methodology for selecting and naming configuration items that
need to be placed under CM;
• Configuration Change Control – process for managing updates to the baseline configurations for the
configuration items; and
• Configuration Monitoring – process for assessing or testing the level of compliance with the
established baseline configuration and mechanisms for reporting on the configuration status of items
placed under CM.
Security-Focused Configuration Management (SecCM) is the management and control of secure
configurations for an information system to enable security and facilitate the management of risk.
SecCM builds on the general concepts, processes, and activities of configuration management by
focusing attention on the implementation and maintenance of the established security requirements
of the organization and its information systems.
Information security configuration management requirements are integrated into (or complement)
existing organizational configuration management processes (e.g., business functions, applications,
products) and information systems. SecCM activities include:
• identification and recording of configurations that impact the security posture of the
information system and the organization;
• the consideration of security risks in approving the initial configuration;
• the analysis of security implications of changes to the information system configuration; and
• documentation of the approved/implemented changes.
SecCM requires an ongoing investment in time and resources. Product patches, fixes, and updates
require time for security impact analysis even as threats and vulnerabilities continue to exist. As
changes to information systems are made, baseline configurations are updated, specific configuration
settings confirmed, and configuration items tracked, verified, and reported. SecCM is a continuous
activity that, once incorporated into IT management processes, touches all stages of the system
development life cycle (SDLC).
In the context of SecCM of information systems, a configuration item (CI) is an aggregation of
information system components that is designated for configuration management and treated as a
single entity throughout the SecCM process. This implies that the CI is identified, labelled, and tracked
during its life cycle – the CI is the target of many of the activities within SecCM, such as configuration
change control and monitoring activities. A CI may be a specific information system component (e.g.,
server, workstation, router, application), a group of information system components (e.g., group of
servers with like operating systems, group of network components such as routers and switches, an
application or suite of applications), a non-component object (e.g., firmware, documentation), or an
information system as a whole. CIs give organizations a way to decompose the information system
into manageable parts whose configurations can be actively managed.
The purpose of breaking up an information system into CIs is to allow more granularity and control in
managing the secure configuration of the system. The level of granularity will vary among
organizations and systems and is balanced against the associated management overhead for each CI.
In one organization, it may be appropriate to create a single CI to track all of the laptops within a
system, while in another organization, each laptop may represent an individual CI.
Baseline configuration
A baseline configuration is a set of specifications for a system, or Configuration Item (CI) within a
system, that has been formally reviewed and agreed on at a given point in time, and which can be
changed only through change control procedures. The baseline configuration is used as a basis for
future builds, releases, and/or changes.
Security-focused configuration management of information systems involves a set of activities that
can be organized into four major phases – Planning, Identifying and Implementing Configurations,
Controlling Configuration Changes, and Monitoring.
Planning - Planning includes developing policy and procedures to incorporate SecCM into existing
information technology and security programs, and then disseminating the policy throughout the
organization.
Identifying and implementing configurations - After the planning and preparation activities are
completed, a secure baseline configuration for the information system is developed, reviewed,
approved, and implemented. The approved baseline configuration for an information system and
associated components represents the most secure state consistent with operational requirements
and constraints. For a typical information system, the secure baseline may address configuration
settings, software loads, patch levels, how the information system is physically or logically arranged,
how various security controls are implemented, and documentation. Where possible, automation is
used to enable interoperability of tools and uniformity of baseline configurations across the
information system.
Controlling configuration changes - Given the continually evolving nature of an information system
and the mission it supports, the challenge for organizations is not only to establish an initial baseline
configuration that represents a secure state (which is also cost-effective, functional, and supportive
of mission and business processes), but also to maintain a secure configuration in the face of the
significant waves of change that ripple through organizations.
Monitoring
Monitoring activities are used as the mechanism within SecCM to validate that the information system
is adhering to organizational policies, procedures, and the approved secure baseline configuration.
Monitoring identifies undiscovered/ undocumented system components, misconfigurations,
vulnerabilities, and unauthorized changes, all of which, if not addressed, can expose organizations to
increased risk. Using automated tools helps organizations to efficiently identify when the information
system is not consistent with the approved baseline configuration and when remediation actions are
necessary. In addition, the use of automated tools often facilitates situational awareness and the
documentation of deviations from the baseline configuration.
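The monitoring phase described above, as an added example that is not code from the handbook or from any configuration management product: an automated tool has reported each host's current settings, and the check compares them with the approved baseline for the host's CI, separating documented deviations from drift that needs remediation. The CI names, baseline values, approved deviations and observed settings are all constructed for illustration.

```python
"""Configuration monitoring against an approved secure baseline.

Added example, not code from the handbook or any CM product: it shows what
the SecCM monitoring step checks when an automated tool reports the current
settings of each host. Configuration items, baseline values, approved
deviations and observed settings are all constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Approved baseline configuration per configuration item (constructed).
BASELINE = {
    "web-servers": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "firewall.open_ports": "22,443",
        "patch.level": "2015-12",
        "audit.logging": "enabled",
    },
    "workstations": {
        "screen.lock_timeout": "300",
        "media.autorun": "disabled",
        "antivirus": "enabled",
    },
}

# Deviations resolved during testing and documented as approved exceptions:
# (CI, setting) -> (approved value, justification). The ticket id is a placeholder.
APPROVED_DEVIATIONS = {
    ("web-servers", "firewall.open_ports"):
        ("22,443,8443", "legacy admin console; change ticket CCB-PLACEHOLDER"),
}

# What the scanning tool observed: host -> (CI, settings). Constructed sample.
OBSERVED = {
    "web-srv-01": ("web-servers", {
        "ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
        "firewall.open_ports": "22,443", "patch.level": "2015-12",
        "audit.logging": "enabled"}),
    "web-srv-02": ("web-servers", {
        "ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
        "firewall.open_ports": "22,443,8443", "patch.level": "2015-10",
        "audit.logging": "enabled"}),
    "ws-0042": ("workstations", {
        "screen.lock_timeout": "300", "antivirus": "enabled",
        "p2p.client": "installed"}),
    "db-srv-01": ("database-servers", {"patch.level": "2015-12"}),
}


@dataclass
class Finding:
    host: str
    ci: str
    setting: str
    expected: str
    observed: str
    kind: str  # unauthorized change | missing setting | undocumented setting |
               # undocumented component | approved deviation


def check_host(host, ci, settings, baseline=BASELINE, deviations=APPROVED_DEVIATIONS):
    """Compare one host's observed settings with the baseline for its CI."""
    if ci not in baseline:
        # A component with no baseline at all was never placed under CM.
        return [Finding(host, ci, "*", "<no baseline>", "*", "undocumented component")]
    findings = []
    for key, expected in baseline[ci].items():
        observed = settings.get(key)
        approved = deviations.get((ci, key))
        if observed is None:
            findings.append(Finding(host, ci, key, expected, "<missing>", "missing setting"))
        elif observed == expected:
            continue
        elif approved and observed == approved[0]:
            findings.append(Finding(host, ci, key, expected, observed, "approved deviation"))
        else:
            findings.append(Finding(host, ci, key, expected, observed, "unauthorized change"))
    # Settings present on the host but absent from the baseline are also drift.
    for key in sorted(settings.keys() - baseline[ci].keys()):
        findings.append(Finding(host, ci, key, "<not in baseline>", settings[key],
                                "undocumented setting"))
    return findings


def compliance_report(observed=OBSERVED):
    """Run the check over every host; returns host -> list of findings."""
    return {host: check_host(host, ci, cfg) for host, (ci, cfg) in observed.items()}


def remediation_queue(report):
    """Findings that need action: everything except documented, approved deviations."""
    return [f for findings in report.values() for f in findings if f.kind != "approved deviation"]


def summarize(report):
    """Counts per finding kind, the figure a configuration status report would carry."""
    return Counter(f.kind for findings in report.values() for f in findings)


if __name__ == "__main__":
    report = compliance_report()
    for f in remediation_queue(report):
        print(f"{f.host:<11} {f.kind:<22} {f.setting}: expected {f.expected}, observed {f.observed}")
    print(dict(summarize(report)))
```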
2. Scope – the extent of the enterprise architecture to which the policy applies;
3. Roles – the roles that are significant within the context of the policy;
Implementing secure configurations for IT products is no simple task. There are many IT products, and
each has a myriad of possible parameters that can be configured. In addition, organizations have
mission and business process needs which may require that IT products be configured in a particular
manner. To further complicate matters, for some products, the configuration settings of the
underlying platform may need to be modified to allow for the functionality required for mission
accomplishment such that they deviate from the approved common secure configurations.
Using the secure configuration previously established as a starting point, the following
structured approach is recommended when implementing the secure configuration:
1) Prioritize Configurations
2) Test Configurations
3) Resolve Issues and Document Deviations
4) Record and Approve the Baseline Configuration
5) Deploy the Baseline Configuration
i. Prioritize Configurations
In the ideal environment, all IT products within an organization would be configured to the most
secure state that still provided the functionality required by the organization. However, due to limited
resources and other constraints, many organizations may find it necessary to prioritize which
information systems, IT products, or CIs to target first for secure configuration as they implement
SecCM.
In determining the priorities for implementing secure configurations in information systems, IT
products, or CIs, organizations consider the following criteria:
• System impact level – Implementing secure configurations in information systems with a high or
moderate security impact level may have priority over information systems with a low security
impact level.
• Risk assessments – Risk assessments can be used to target information systems, IT products, or
CIs having the most impact on security and organizational risk.
• Vulnerability scanning – Vulnerability scans can be used to target information systems, IT
products, or CIs that are most vulnerable. For example, the Common Vulnerability Scoring System
(CVSS) is a specification within SCAP that provides an open framework for communicating the
characteristics of software flaw vulnerabilities and for calculating their relative severity. CVSS
scores can be used to help prioritize configuration and patching activities.
• Degree of penetration – The degree of penetration represents the extent to which the same
product is deployed within an information technology environment. For example, if an
organization uses a specific operating system on 95 percent of its workstations, it may obtain the
most immediate value by planning and deploying secure configurations for that operating system.
Other IT products or CIs can be targeted afterwards.
ii. Test Configurations
Organizations fully test secure configurations prior to implementation in the production environment.
There are a number of issues that may be encountered when implementing configurations including
software compatibility and hardware device driver issues. For example, there may be legacy
applications with special operating requirements that do not function correctly after a common secure
192
Student Handbook– Security Analyst SSC/N0901
configuration has been applied. Additionally, configuration errors could occur if OS and multiple
application configurations are applied to the same component. For example, a setting for an
application configuration parameter may conflict with a similar setting for an OS configuration
parameter.
Virtual environments are recommended for testing secure configurations as they allow organizations
to examine the functional impact on applications without having to configure actual machines.
iii. Resolve Issues and Document Deviations
Testing secure configuration implementations may introduce functional problems within the system
or applications. For example, the new secure configuration may close a port or stop a service that is
needed for OS or application functionality. These problems are examined individually and either
resolved or documented as a deviation from, or exception to, the established common secure
configurations.
In some cases, changing one configuration setting may require changes to another setting, another CI,
or another information system. For instance, a common secure configuration may specify
strengthened password requirements which may require a change to existing single sign-on
applications. Or there may be a requirement that the OS-provided firewall be enabled by default. To
ensure that applications function as expected, the firewall policy may need to be revised to allow
specific ports, services, IP addresses, etc. When conflicts between applications and secure
configurations cannot be resolved, deviations are documented and approved through the
configuration change control process as appropriate.
iv. Record and Approve the Baseline Configuration
The established and tested secure configuration, including any necessary deviations, represents the
preliminary baseline configuration and is recorded in order to support configuration change
control/security impact analysis, incident resolution, problem solving, and monitoring activities. Once
recorded, the preliminary baseline configuration is approved in accordance with organizationally
defined policy. Once approved, the preliminary baseline configuration becomes the initial baseline
configuration for the information system and its constituent CIs.
The baseline configuration of an information system includes the sum total of the secure
configurations of its constituent CIs and represents the system-specific configuration against which all
changes are controlled.
The baseline configuration may include, as applicable, information regarding the system architecture,
the interconnection of hardware components, secure configuration settings of software components,
the software load, supporting documentation, and the elements in a release package. There could be
a different baseline configuration for each life cycle stage (development, test, staging, production) of
the information system.
When possible, organizations employ automated tools to support the management of baseline
configurations and to keep the configuration information as up to date and near real time as possible.
There are a number of solutions which maintain baseline configurations for a wide variety of hardware
and software products. Some comprehensive SecCM solutions integrate the maintenance of baseline
configurations with component inventory and monitoring tools.
v. Deploy the Baseline Configuration
Organizations are encouraged to implement baseline configurations in a centralized and automated
manner using automated configuration management tools, automated scripts, vendor-provided
mechanisms, etc.
SecCM monitoring is accomplished through assessment and reporting activities. For organizations
with a large number of components, the only practical and effective solution for SecCM monitoring
activities is the use of automated solutions that use standardized reporting methods such as SCAP.
An information system may have many components and many baseline configurations. To manually
collect information on the configuration of all components and assess them against policy and
approved baseline configurations is not practical, or even possible, in most cases. Automated tools
can also facilitate reporting for Security Information and Event Management applications that can be
accessed by management and/or formatted into other reports on baseline configuration status. Care
is exercised in collecting and analysing the results generated by automated tools to account for any
false positives.
SecCM monitoring may be supported by numerous means, including, but not limited to:
• Scanning to discover components not recorded in the inventory. For example, after testing of a
new firewall, a technician forgets to remove it from the network. If it is not properly configured,
it may provide access to the network for intruders. A scan would identify this network device as
not a part of the inventory, enabling the organization to take action.
• Scanning to identify disparities between the approved baseline configuration and the actual
configuration for an information system.
Example I. A technician rolls out a new patch but forgets to update the baseline configurations of the
information systems impacted by the new patch. A scan would identify a difference between the
actual environment and the description in the baseline configuration enabling the organization to take
action.
Example II. A new tool is installed on the workstations of a few end users of the information system.
During installation, the tool changes a number of configuration settings in the browser on the users’
workstations, exposing them to attack. A scan would identify the change in the workstation
configuration, allowing the appropriate individuals to take action.
• Implementation of automated change monitoring tools (e.g., change/configuration management
tools, application whitelisting tools). Unauthorized changes to information systems may be an
indication that the systems are under attack or that SecCM procedures are not being followed or need
updating. Automated tools are available that monitor information systems for changes and alert
system staff if unauthorized changes occur or are attempted.
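The two monitoring scans described above (components missing from the inventory, and disparities between the approved baseline and the actual configuration) and the approved-deviation handling from the "Resolve Issues and Document Deviations" step can be combined in one check. The following is an added example written for this section, not code from the handbook or from any SecCM product. The baseline settings, host names, inventory, approved deviations and scan results are all constructed; a real implementation would read them from the configuration management database and from a scanner's output.

```python
"""Added example: assess scan results against an approved baseline,
a component inventory and a table of approved deviations.
All names and values below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    kind: str          # "unknown_component", "drift" or "approved_deviation"
    setting: str = ""
    expected: object = None
    actual: object = None


# Approved baseline for a hypothetical "workstation" CI group.
BASELINE = {
    "firewall_enabled": True,
    "password_min_length": 14,
    "smbv1_enabled": False,
    "autorun_enabled": False,
}

# Documented, approved deviations recorded through change control:
# host -> {setting: approved value}.  The legacy-application host was
# allowed to keep SMBv1 after testing showed the application needs it.
APPROVED_DEVIATIONS = {
    "ws-legacy-07": {"smbv1_enabled": True},
}

# Component inventory: the hosts the organization knows about.
INVENTORY = {"ws-001", "ws-002", "ws-legacy-07"}

# Constructed scan results: host -> settings actually observed.
SCAN_RESULTS = {
    "ws-001": {"firewall_enabled": True, "password_min_length": 14,
               "smbv1_enabled": False, "autorun_enabled": False},
    "ws-002": {"firewall_enabled": False, "password_min_length": 14,
               "smbv1_enabled": False, "autorun_enabled": True},
    "ws-legacy-07": {"firewall_enabled": True, "password_min_length": 14,
                     "smbv1_enabled": True, "autorun_enabled": False},
    # A test device a technician forgot to remove from the network.
    "fw-test-01": {"firewall_enabled": True},
}


def assess(scan, baseline=BASELINE, inventory=INVENTORY,
           deviations=APPROVED_DEVIATIONS):
    """Return one Finding per problem: unknown components, drift from the
    baseline, and deviations that are present but approved."""
    findings = []
    for host, actual in scan.items():
        if host not in inventory:
            findings.append(Finding(host, "unknown_component"))
            continue
        host_devs = deviations.get(host, {})
        for setting, expected in baseline.items():
            observed = actual.get(setting)     # None if the scanner saw nothing
            if observed == expected:
                continue
            if setting in host_devs and observed == host_devs[setting]:
                findings.append(Finding(host, "approved_deviation",
                                        setting, expected, observed))
            else:
                findings.append(Finding(host, "drift", setting, expected, observed))
    return findings


def unauthorized(findings):
    """Only the findings that require action, not the approved exceptions."""
    return [f for f in findings if f.kind in ("unknown_component", "drift")]


if __name__ == "__main__":
    for f in assess(SCAN_RESULTS):
        print(f)
```

Approved deviations are still reported, so the report shows the whole picture, but only unknown components and drift are treated as actionable; keeping the approved-deviation table separate from the baseline means the baseline itself stays the organization-wide secure configuration.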
When possible, organizations seek to normalize data to describe their information system in order
that the various outputs from monitoring can be combined, correlated, analysed, and reported in a
consistent manner. SCAP provides a common language for describing vulnerabilities,
misconfigurations, and products and is an obvious starting point for organizations seeking a consistent
way of communicating across the organization regarding the security status of the enterprise
architecture.
When inconsistencies are discovered as a result of monitoring activities, the organization may want
to take remedial action. Action taken may be via manual methods or via use of automated tools.
Automated tools are preferable since actions are not reliant upon human intervention and are taken
immediately once an unauthorized change is identified. Examples of possible actions include:
Many applications support configuration management interfaces and functionality to allow operators
and administrators to change configuration parameters, update Web site content, and to perform
routine maintenance. Top configuration management threats include:
Administration interfaces are often provided through additional Web pages or separate Web
applications that allow administrators, operators, and content developers to manage site content
and configuration. Such administration interfaces should be available only to restricted,
authorized users. A malicious user able to reach a configuration management function can potentially
deface the Web site, access downstream systems and databases, or take the application out of action
altogether by corrupting configuration data.
Consider supporting only local administration. If remote administration is absolutely essential, use
encrypted channels, for example a VPN or TLS (historically SSL), because of the sensitive nature of the
data passed over administrative interfaces. To further reduce risk, also consider using IPsec policies
to limit remote administration to computers on the internal network.
Restricting access to the configuration store is a must. As an important defence in depth mechanism,
you should encrypt sensitive data such as passwords and connection strings. This helps prevent
external attackers from obtaining sensitive configuration data. It also prevents rogue administrators
and internal employees from obtaining sensitive details such as database connection strings and
account credentials that might allow them to gain access to other systems.
Lack of auditing and logging of changes made to configuration information threatens the ability to
identify when changes were made and who made them. When a breaking change is made, whether by
honest operator error or by a malicious change that grants privileged access, the first action is to
correct the change; preventive measures then stop breaking changes from being introduced in the
same manner again. Keep in mind that auditing and logging can be circumvented by a shared
account; this applies to both administrative and user/application/service accounts.
Administrative accounts must not be shared. User/application/service accounts must be assigned at
a level that allows a single source of access using the account to be identified, and that limits
any damage to the privileges granted to that account.
If application and service accounts are granted access to change configuration information on the
system, they may be manipulated to do so by an attacker. The risk of this threat can be mitigated by
adopting a policy of using least privileged service and application accounts. Be wary of granting
accounts the ability to modify their own configuration information unless explicitly required by design.
Summary
• SecCM is defined as the management and control of configurations for information systems to
enable security and facilitate the management of information security risk.
• Configuration Management (CM) comprises a collection of activities focused on establishing
and maintaining the integrity of products and systems, through control of the processes for
initializing, changing, and monitoring the configurations of those products and systems.
• The activities of SecCM include the following:
o identification and recording of configurations that impact the security posture of the
information system and the organization;
o the consideration of security risks in approving the initial configuration;
o the analysis of security implications of changes to the information system
configuration;
o documentation of the approved/implemented changes.
• Product patches, fixes, and updates require time for security impact analysis even as threats
and vulnerabilities continue to exist.
• A Configuration Item (CI) is identified, labelled, and tracked during its life cycle; the CI is the
target of many of the activities within SecCM. It may be:
o a specific information system component (e.g., server, workstation, router, application);
o a group of information system components (e.g., a group of servers with like operating
systems, a group of network components such as routers and switches, an application or
suite of applications);
o a non-component object (e.g., firmware, documentation);
o an information system as a whole.
CIs give organizations a way to decompose the information system into manageable parts
whose configurations can be actively managed.
• A baseline configuration is a set of specifications for a system, or a Configuration Item (CI) within
a system, that has been formally reviewed and agreed on at a given point in time, and which
can be changed only through change control procedures.
• Monitoring identifies undiscovered/undocumented system components, misconfigurations,
vulnerabilities, and unauthorized changes, all of which, if not addressed, can expose
organizations to increased risk.
• The organization is typically responsible for defining documented policies for the SecCM
program. A SecCM policy should include the following:
o Purpose – the objective(s) in establishing organization-wide SecCM policy;
o Scope – the extent of the enterprise architecture to which the policy applies;
o Roles – the roles that are significant within the context of the policy;
o Responsibilities – the responsibilities of each identified role;
o Activities – the functions that are performed to meet policy objectives.
• Tools to support SecCM activities are selected for use across the organization by SecCM
program management, and information system owners are responsible for applying the tools
to the SecCM activities performed on each information system.
Practical activities:
Activity 1:
Activity 2:
Create a group project by interacting with companies that offer CM tools and prepare a
sequential process map of the steps each tool performs to carry out its functions.
Present the same in class, highlighting the functionality and dependencies of the tools.
a. ________________________________________
b. ________________________________________
Q. State the key criteria on which priority for implementing SecCM secure configurations is
determined.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. If a Configuration Item is an identifiable part of a system, then what does Configuration Item
Identification mean?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
There could be a different baseline configuration for each life cycle stage (development, test,
staging, production) of the information system. ( )
Semi-automated tools work best to scan Web server, database server, network devices, etc. in
SecCM program. ( )
____Planning
____Monitoring
NOTES:
UNIT IX
Log Correlation and
Management
Lesson Plan
9.1. Event Log Concepts
9.2. Log Management and its need
9.3. Log Management Process
9.4. Configuring Windows Event Log
9.5. IIS Log Files
9.6. Analysis and Response
LESSON PLAN
Lesson
Logs have evolved to contain information related to many different types of events occurring within
networks and systems. Within an organization, many logs contain records related to computer
security; common examples of these computer security logs are audit logs that track user
authentication attempts and security device logs that record possible attacks.
Key Concepts
Log management: Log management refers to the broad practice of collecting, aggregating and
analysing log data from networks, systems and applications for a variety of purposes. Logging devices
collect enormous amounts of information on security, operational and application events; log
management comprises the tools to search and parse this data for trends, anomalies and other
relevant information.
Security information and event management (SIEM): Like log management, SIEM also involves the
collection and analysis of data. The key distinction is that SIEM is a specialized tool for
information security. SIEM appliances enable event reduction and real-time alerting, and they provide
specific workflows to address security breaches as they occur. Another key feature of SIEM is the
incorporation of non-event-based data, such as vulnerability scanning reports, for correlation and
analysis.
A lot of money has been invested in security products such as firewalls, intrusion detection, and strong
authentication over the past several years. However, system penetration attempts continue to occur
and go unnoticed until it is too late. It is not that security countermeasures are ineffective against
intrusive activity. Indeed, they can be very effective within an organization where security policies and
procedures require analysis of security events and appropriate incident response. However, deploying
and analysing a single device in an effort to maintain situational awareness with respect to the state
of security within an organization is the "computerized version of tunnel vision". Security events must
be analysed from as many sources as possible in order to assess threat and formulate appropriate
response. Extraordinary levels of security awareness can be attained in an organization's network by
simply listening to what its devices are telling you.
Security Software
Most organizations use several types of network-based and host-based security software to detect
malicious activity, protect systems and data, and support incident response efforts. Accordingly,
security software is a major source of computer security log data. Common types of network-based
and host based security software include the following:
Antimalware Software. The most common form of antimalware software is antivirus software, which
typically records all instances of detected malware, file and system disinfection attempts, and file
quarantines.
Additionally, antivirus software might also record when malware scans were performed and when
antivirus signature or software updates occurred. Antispyware software and other types of
antimalware software (e.g., rootkit detectors) are also common sources of security information.
Intrusion Detection and Intrusion Prevention Systems. Intrusion detection and intrusion prevention
systems record detailed information on suspicious behaviour and detected attacks, as well as any
actions intrusion prevention systems performed to stop malicious activity in progress.
Some intrusion detection systems, such as file integrity checking software, run periodically instead of
continuously, so they generate log entries in batches instead of on an ongoing basis.
Remote Access Software. Remote access is often granted and secured through virtual private
networking (VPN). VPN systems typically log successful and failed login attempts, as well as the dates
and times each user connected and disconnected, and the amount of data sent and received in each
user session. VPN systems that support granular access control, such as many Secure Sockets Layer
(SSL) VPNs, may log detailed information about the use of resources.
Web Proxies
Web proxies are intermediate hosts through which Web sites are accessed. Web proxies make Web
page requests on behalf of users, and they cache copies of retrieved Web pages to make additional
accesses to those pages more efficient. Web proxies can also be used to restrict Web access and to
add a layer of protection between Web clients and Web servers. Web proxies often keep a record of
all URLs accessed through them.
Vulnerability Management Software. Vulnerability management software, which includes patch
management software and vulnerability assessment software, typically logs the patch installation
history and vulnerability status of each host, which includes known vulnerabilities and missing
software updates.
Vulnerability management software may also record additional information about hosts’
configurations. Vulnerability management software typically runs occasionally, not continuously, and
is likely to generate large batches of log entries.
Authentication Servers
Authentication servers, including directory servers and single sign-on servers, typically log each
authentication attempt, including its origin, username, success or failure, and date and time.
Routers
Routers may be configured to permit or block certain types of network traffic based on a policy.
Routers that block traffic are usually configured to log only the most basic characteristics of blocked
activity.
Firewalls
Like routers, firewalls permit or block activity based on a policy; however, firewalls use much more
sophisticated methods to examine network traffic.
Firewalls can also track the state of network traffic and perform content inspection. Firewalls tend to
have more complex policies and generate more detailed logs of activity than routers.
Network Quarantine Servers
Some organizations check each remote host’s security posture before allowing it to join the network.
This is often done through a network quarantine server and agents placed on each host. Hosts that do
not respond to the server’s checks or that fail the checks are quarantined on a separate virtual local
area network (VLAN) segment. Network quarantine servers log information about the status of checks,
including which hosts were quarantined and for what reasons.
Operating Systems
Operating systems (OS) for servers, workstations, and networking devices (e.g., routers, switches)
usually log a variety of information related to security. The most common types of security-related OS
data are as follows:
System Events
System events are operational actions performed by OS components, such as shutting down the
system or starting a service. Typically, failed events and the most significant successful events are
logged, but many OSs permit administrators to specify which types of events will be logged. The details
logged for each event also vary widely; each event is usually timestamped, and other supporting
information could include event, status, and error codes; service name; and user or system account
associated with an event.
Audit Records
Audit records contain security event information such as successful and failed authentication
attempts, file accesses, security policy changes, account changes (e.g., account creation and deletion,
account privilege assignment), and use of privileges. OSs typically permit system administrators to
specify which types of events should be audited and whether successful and/or failed attempts to
perform certain actions should be logged.
OS logs are most beneficial for identifying or investigating suspicious activity involving a particular
host. After suspicious activity is identified by security software, OS logs are often consulted to get
more information on the activity.
Applications
Operating systems and security software provide the foundation and protection for applications,
which are used to store, access, and manipulate the data used for the organization’s business
processes. Most organizations rely on a variety of commercial off-the-shelf (COTS) applications, such
as e-mail servers and clients, Web servers and browsers, file servers and file sharing clients, and
database servers and clients. Some applications generate their own log files, while others use the
logging capabilities of the OS on which they are installed. Applications vary significantly in the types
of information that they log. The following lists some of the most commonly logged types of
information and the potential benefits of each:
Client requests and server responses, which can be very helpful in reconstructing sequences of events
and determining their apparent outcome. If the application logs successful user authentications, it is
usually possible to determine which user made each request. Some applications can perform highly
detailed logging, such as e-mail servers recording the sender, recipients, subject name, and
attachment names for each e-mail; Web servers recording each URL requested and the type of
response provided by the server; and business applications recording which financial records were
accessed by each user. This information can be used to identify or investigate incidents and to monitor
application usage for compliance and auditing purposes.
Account information such as successful and failed authentication attempts, account changes (e.g.,
account creation and deletion, account privilege assignment), and use of privileges. In addition to
identifying security events such as brute force password guessing and escalation of privileges, it can
be used to identify who has used the application and when each person has used it.
Usage information such as the number of transactions occurring in a certain period (e.g., minute, hour)
and the size of transactions (e.g., e-mail message size, file transfer size). This can be useful for certain
types of security monitoring (e.g., a ten-fold increase in e-mail activity might indicate a new e-mail–
borne malware threat; an unusually large outbound e-mail message might indicate inappropriate
release of information).
Significant operational actions such as application startup and shutdown, application failures, and
major application configuration changes. This can be used to identify security compromises and
operational failures.
Much of this information, particularly for applications whose network communications are encrypted
and therefore not visible to network-based monitoring, can only be logged by the applications
themselves, which makes application logs particularly valuable for application-related security
incidents, auditing, and compliance efforts. However, these logs are often in proprietary formats that
make them more difficult to use, and the data they contain is often highly context-dependent,
necessitating more resources to review their contents.
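The account information described above (successful and failed authentication attempts) is the raw material for spotting brute-force password guessing, and the same records show whether the guessing eventually succeeded. The following is an added example written for this section, not code from the handbook or from any authentication server or SIEM product. The line format, user names, addresses and timestamps are constructed; the threshold and window are assumed values that an analyst would tune to the environment.

```python
"""Added example: brute-force detection over constructed authentication
log entries, with a check for a success that follows the burst."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: timestamp, result, user, source).
# alice: burst of failures then a success (possible compromise).
# carol: one isolated failure, then a burst hours later with no success.
# dave: malformed line, to show that parsing failures are counted, not ignored.
SAMPLE_LOG = """\
2015-12-01T09:00:01 auth FAIL user=alice src=10.0.0.5
2015-12-01T09:00:03 auth FAIL user=alice src=10.0.0.5
2015-12-01T09:00:04 auth FAIL user=alice src=10.0.0.5
2015-12-01T09:00:06 auth FAIL user=alice src=10.0.0.5
2015-12-01T09:00:08 auth FAIL user=alice src=10.0.0.5
2015-12-01T09:00:09 auth OK user=alice src=10.0.0.5
2015-12-01T09:15:00 auth OK user=bob src=10.0.0.9
2015-12-01T09:16:30 auth FAIL user=carol src=192.0.2.7
2015-12-01T09:20:00 auth FAIL user=dave
2015-12-01T11:00:00 auth FAIL user=carol src=192.0.2.7
2015-12-01T11:02:00 auth FAIL user=carol src=192.0.2.7
2015-12-01T11:05:00 auth FAIL user=carol src=192.0.2.7
2015-12-01T11:06:00 auth FAIL user=carol src=192.0.2.7
2015-12-01T11:07:00 auth FAIL user=carol src=192.0.2.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(text):
    """Return (events, malformed_count).  Malformed lines are skipped but
    counted, because silently dropping them would hide tampering or drift
    in the log format."""
    events, malformed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, malformed


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on (user, source) pairs with at least `threshold` failures inside
    any sliding window of length `window`; report whether a successful login
    from the same pair occurred at or after the end of the burst."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["user"], ev["src"])].append(ev)

    alerts = []
    for (user, src), evs in by_key.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "FAIL")
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst_end = fails[j]
                success_after = any(e["result"] == "OK" and e["ts"] >= burst_end
                                    for e in evs)
                alerts.append({"user": user, "src": src,
                               "failures": j - i + 1,
                               "success_after": success_after})
                break          # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    events, bad = parse(SAMPLE_LOG)
    print(f"{len(events)} events, {bad} malformed")
    for a in detect_bruteforce(events):
        print(a)
```

Carol's single failure at 09:16 does not join the later burst because it falls outside the ten-minute window; the sliding window is what keeps an ordinary mistyped password from triggering an alert while still catching a sustained attempt. The `success_after` flag is the field an analyst looks at first, since a success after a burst is the difference between a failed attack and a likely account compromise.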
Log Generation
The first tier contains the hosts that generate the log data. Some hosts run logging client
applications or services that make their log data available through networks to log servers
in the second tier. Other hosts make their logs available through other means, such as
allowing the servers to authenticate to them and retrieve copies of the log files.
Log Monitoring
The third tier contains consoles that may be used to monitor and review log data and the
results of automated analysis. Log monitoring consoles can also be used to generate
reports. In some log management infrastructures, consoles can also be used to provide
management for the log servers and clients. Also, console user privileges sometimes can
be limited to only the necessary functions and data sources for each user.
Log management infrastructures typically perform several functions that assist in the storage,
analysis, and disposal of log data. These functions are normally performed in such a way that they do
not alter the original logs.
Log parsing is extracting data from a log so that the parsed values can be used as input for another
logging process. A simple example of parsing is reading a text-based log file that contains 10 comma-
separated values per line and extracting the 10 values from each line.
Parsing is performed as part of many other logging functions, such as log conversion and log
viewing.
Event filtering is the suppression of log entries from analysis, reporting, or long-term storage
because their characteristics indicate that they are unlikely to contain information of interest.
For example, duplicate entries and standard informational entries might be filtered because they
do not provide useful information to log analysts. Typically, filtering does not affect the generation
or short-term storage of events because it does not alter the original log files.
In event aggregation, similar entries are consolidated into a single entry containing a count of the
number of occurrences of the event. For example, a thousand entries that each record part of a
scan could be aggregated into a single entry that indicates how many hosts were scanned.
Aggregation is often performed as logs are originally generated (the generator counts similar
related events and periodically writes a log entry containing the count), and it can also be
performed as part of log reduction or event correlation processes, which are described below.
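The three functions just described, parsing, event filtering and event aggregation, form a chain in which each step feeds the next. The following is an added example of that chain on a constructed comma-separated firewall log; it is written for this section and is not code from the handbook or from any log management product. The field layout, addresses and entries are constructed, and the aggregation groups denied connections by source so that a port scan of many hosts collapses into a single entry with counts, as the text describes.

```python
"""Added example: parse -> filter -> aggregate on a constructed CSV firewall log."""
import csv
import io

# Hypothetical field layout for the constructed log.
FIELDS = ["ts", "level", "action", "src", "dst", "dport", "proto"]

# Constructed log: a scan from 203.0.113.9 (three hosts, two ports, with one
# exact duplicate line), an allowed connection, one other denial, and two
# non-traffic entries.
RAW_LOG = """\
2015-12-01T10:00:00,INFO,config-reload,-,-,-,-
2015-12-01T10:00:01,WARN,DENY,203.0.113.9,10.0.0.10,22,tcp
2015-12-01T10:00:01,WARN,DENY,203.0.113.9,10.0.0.10,23,tcp
2015-12-01T10:00:01,WARN,DENY,203.0.113.9,10.0.0.11,22,tcp
2015-12-01T10:00:02,WARN,DENY,203.0.113.9,10.0.0.12,22,tcp
2015-12-01T10:00:02,WARN,DENY,203.0.113.9,10.0.0.12,22,tcp
2015-12-01T10:00:05,INFO,ALLOW,10.0.0.5,10.0.0.10,443,tcp
2015-12-01T10:00:07,WARN,DENY,198.51.100.4,10.0.0.10,3389,tcp
2015-12-01T10:00:09,ERROR,hardware-fault,-,-,-,-
"""


def parse(raw):
    """Log parsing: split each line into named fields.  Lines with the wrong
    number of fields are dropped and counted rather than silently ignored."""
    rows, malformed = [], 0
    for fields in csv.reader(io.StringIO(raw)):
        if not fields:               # blank line
            continue
        if len(fields) != len(FIELDS):
            malformed += 1
            continue
        rows.append(dict(zip(FIELDS, fields)))
    return rows, malformed


def filter_events(rows, drop_levels=("INFO",)):
    """Event filtering: suppress informational entries and exact duplicates
    from analysis.  The original log is untouched; only the working set shrinks."""
    seen, kept = set(), []
    for r in rows:
        if r["level"] in drop_levels:
            continue
        key = tuple(r[f] for f in FIELDS)
        if key in seen:
            continue
        seen.add(key)
        kept.append(r)
    return kept


def aggregate_denies(rows):
    """Event aggregation: collapse DENY entries per source into one record
    with a count, the number of distinct hosts touched and the ports tried."""
    per_src = {}
    for r in rows:
        if r["action"] != "DENY":
            continue
        agg = per_src.setdefault(r["src"], {"count": 0, "hosts": set(), "ports": set()})
        agg["count"] += 1
        agg["hosts"].add(r["dst"])
        agg["ports"].add(r["dport"])
    return {src: {"src": src, "count": a["count"],
                  "hosts_scanned": len(a["hosts"]), "ports": sorted(a["ports"])}
            for src, a in per_src.items()}


if __name__ == "__main__":
    rows, bad = parse(RAW_LOG)
    kept = filter_events(rows)
    print(f"parsed {len(rows)} ({bad} malformed), kept {len(kept)} after filtering")
    for entry in aggregate_denies(kept).values():
        print(entry)
```

Filtering before aggregation matters: the duplicate line would otherwise inflate the scan count, and the informational entries would never contribute to a denial summary anyway. Both steps are reversible in the sense the text describes, because they produce new working sets and never modify the source log.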
Storage
Log rotation is closing a log file and opening a new log file when the first file is considered to be
complete. Log rotation is typically performed according to a schedule (e.g., hourly, daily, weekly) or
when a log file reaches a certain size. The primary benefits of log rotation are preserving log entries
and keeping the size of log files manageable. When a log file is rotated, the preserved log file can be
compressed to save space. Also, during log rotation, scripts are often run that act on the archived log.
For example, a script might analyse the old log to identify malicious activity, or might perform filtering
that causes only log entries meeting certain characteristics to be preserved. Many log generators offer
log rotation capabilities; many log files can also be rotated through simple scripts or third-party
utilities, which in some cases offer features not provided by the log generators.
Log archival is retaining logs for an extended period of time, typically on removable media, a storage
area network (SAN), or a specialized log archival appliance or server. Logs often need to be preserved
to meet legal or regulatory requirements.
There are two types of log archival: retention and preservation. Log retention is archiving logs on a
regular basis as part of standard operational activities. Log preservation is keeping logs that normally
would be discarded, because they contain records of activity of particular interest. Log preservation is
typically performed in support of incident handling or investigations.
Log compression is storing a log file in a way that reduces the amount of storage space needed for the
file without altering the meaning of its contents. Log compression is often performed when logs are
rotated or archived.
Log reduction is removing unneeded entries from a log to create a new log that is smaller. A similar
process is event reduction, which removes unneeded data fields from all log entries. Log and event
reduction are often performed in conjunction with log archival so that only the log entries and data
fields of interest are placed into long-term storage.
Log conversion is parsing a log in one format and storing its entries in a second format. For example,
conversion could take data from a log stored in a database and save it in an XML format in a text file.
Many log generators can convert their own logs to another format; third-party conversion utilities are
also available. Log conversion sometimes includes actions such as filtering, aggregation, and
normalization.
In log normalization, each log data field is converted to a particular data representation and
categorized consistently. One of the most common uses of normalization is storing dates and times in
a single format. For example, one log generator might store the event time in a twelve-hour format
(2:34:56 P.M. EDT) categorized as Timestamp, while another log generator might store it in a
twenty-four-hour format (14:34) categorized as Event Time, with the time zone stored in a different
notation (-0400) in a separate field categorized as Time Zone. Normalizing the data makes analysis
and reporting much easier when multiple log formats are in use, and it is a precondition for
correlating events across sources by time. However, normalization can be very resource-intensive,
especially for complex log entries (e.g., typical intrusion detection logs).
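Normalizing the two timestamp representations from the example above into one form (ISO 8601 in UTC), as an added example that is not the handbook's code. The ZONE_OFFSETS table and the two record layouts are assumptions; zone abbreviations such as IST or CST are ambiguous, so the code rejects any it does not know rather than guess.

```python
"""Normalize timestamps from two log formats into ISO 8601 UTC
(added example; record layouts and zone table are assumptions)."""
from datetime import datetime, timedelta, timezone

# Assumption: the only zone abbreviations our sources emit. Unknown ones
# are rejected because abbreviations are not globally unique.
ZONE_OFFSETS = {"EDT": -4, "EST": -5, "UTC": 0, "GMT": 0}

# Constructed records. Source A: 12-hour clock plus zone abbreviation in a
# field called Timestamp. Source B: 24-hour clock (no seconds) in Event Time
# and a numeric offset in a separate Time Zone field.
SOURCE_A = [{"Date": "06/15/2015", "Timestamp": "2:34:56 P.M. EDT", "msg": "login ok"}]
SOURCE_B = [{"Event Date": "2015-06-15", "Event Time": "14:34",
             "Time Zone": "-0400", "msg": "login ok"}]


def _offset_from_numeric(s):
    """'-0400' -> tzinfo for UTC-04:00."""
    sign = 1 if s[0] == "+" else -1
    return timezone(sign * timedelta(hours=int(s[1:3]), minutes=int(s[3:5])))


def normalize_a(rec):
    clock, ampm, zone = rec["Timestamp"].split()
    ampm = ampm.replace(".", "")          # "P.M." -> "PM" so %p can parse it
    if zone not in ZONE_OFFSETS:
        raise ValueError(f"unknown zone abbreviation {zone!r}")
    naive = datetime.strptime(f"{rec['Date']} {clock} {ampm}", "%m/%d/%Y %I:%M:%S %p")
    aware = naive.replace(tzinfo=timezone(timedelta(hours=ZONE_OFFSETS[zone])))
    return {"event_time": aware.astimezone(timezone.utc).isoformat(), "msg": rec["msg"]}


def normalize_b(rec):
    naive = datetime.strptime(f"{rec['Event Date']} {rec['Event Time']}", "%Y-%m-%d %H:%M")
    aware = naive.replace(tzinfo=_offset_from_numeric(rec["Time Zone"]))
    return {"event_time": aware.astimezone(timezone.utc).isoformat(), "msg": rec["msg"]}


def normalize_all(source_a=SOURCE_A, source_b=SOURCE_B):
    """Both sources end up in one representation and can be sorted together."""
    out = [normalize_a(r) for r in source_a] + [normalize_b(r) for r in source_b]
    return sorted(out, key=lambda r: r["event_time"])


if __name__ == "__main__":
    for r in normalize_all():
        print(r)
```

Once both sources carry an `event_time` in the same representation, the entries can be sorted and correlated across sources; note that source B lost its seconds at generation time, which normalization cannot restore.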
Log file integrity checking involves calculating a message digest for each file and storing the message
digest securely so that changes to archived logs can be detected. A message digest is the output of a
cryptographic hash function: a fixed-length value that identifies the data and has the property that
changing a single bit of the input produces a completely different digest. A digest on its own is not a
digital signature; a signature is produced by signing a digest with a private key. The algorithms
named in older guidance are MD5 and Secure Hash Algorithm 1 (SHA-1); both now have practical
collision attacks and should not be used for new deployments, which should use SHA-256 or another
SHA-2 or SHA-3 function. If the log file is modified and its message digest is recalculated, it will not
match the original message digest, indicating that the file has been altered. The original message
digests must themselves be protected from alteration, for example by signing them, by computing a
keyed hash (HMAC) over them with a key kept apart from the logs, or by storing them on read-only
media; a digest stored next to the log it covers can simply be recomputed by whoever altered the log.
Analysis
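What a post-rotation script can do with an archived log, as an added example for the log compression and log file integrity checking described under Storage above (this is not the handbook's code): compress the rotated file, record a SHA-256 digest of the stored artefact, authenticate the digest list with an HMAC whose key is kept apart from the logs, and later report which files no longer match. The archive contents and MANIFEST_KEY are constructed; in practice the files sit on archival storage and the key in a vault, HSM or on read-only media.

```python
"""Compress archived logs, record SHA-256 digests, authenticate the digest
manifest with an HMAC, and detect tampering (added example; archive contents
and key are constructed)."""
import gzip
import hashlib
import hmac
import json

# Constructed archived logs (name -> bytes). In practice these are files.
ARCHIVE = {
    "auth.log.1": b"Dec  1 10:00:01 host sshd[100]: Accepted password for alice from 10.0.0.5\n"
                  b"Dec  1 10:00:09 host sshd[101]: Failed password for root from 203.0.113.7\n",
    "fw.log.1": b"2015-12-01 10:00:05 deny 203.0.113.7 -> 192.168.1.20:22\n",
}
# Assumption: this key is stored separately from the logs and the manifest.
MANIFEST_KEY = b"example-key-do-not-use"


def compress(data):
    """Compression changes the bytes but not the meaning. We hash the
    compressed artefact because that is what goes to archival storage;
    mtime=0 keeps the gzip output deterministic."""
    return gzip.compress(data, mtime=0)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def _manifest_tag(entries, key):
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(archive, key):
    """One digest per compressed log, plus an HMAC over the whole list."""
    entries = {name: sha256(compress(data)) for name, data in archive.items()}
    return {"entries": entries, "hmac": _manifest_tag(entries, key)}


def verify(archive, manifest, key):
    """Return (manifest_authentic, sorted names that changed or went missing).
    Files whose digest no longer matches were altered; an HMAC mismatch means
    the manifest itself was edited, which a plain stored digest cannot reveal."""
    manifest_ok = hmac.compare_digest(_manifest_tag(manifest["entries"], key),
                                      manifest["hmac"])
    altered = [n for n, d in manifest["entries"].items()
               if n not in archive or sha256(compress(archive[n])) != d]
    missing = [n for n in archive if n not in manifest["entries"]]
    return manifest_ok, sorted(altered + missing)


if __name__ == "__main__":
    m = build_manifest(ARCHIVE, MANIFEST_KEY)
    print(verify(ARCHIVE, m, MANIFEST_KEY))          # (True, [])
    edited = dict(ARCHIVE)
    edited["auth.log.1"] = edited["auth.log.1"].replace(b"Failed", b"Accepted")
    print(verify(edited, m, MANIFEST_KEY))           # (True, ['auth.log.1'])
```

The second check in the test below is the important one: an attacker who rewrites the log and recomputes the digests produces a manifest that agrees with the tampered files, and only the HMAC (or a signature, or read-only storage) exposes it.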
Event correlation is finding relationships between two or more log entries. The most common form
of event correlation is rule-based correlation, which matches multiple log entries from a single source
or multiple sources based on logged values, such as timestamps, IP addresses, and event types.
Event correlation can also be performed in other ways, such as using statistical methods or
visualization tools. If correlation is performed through automated methods, generally the result of
successful correlation is a new log entry that brings together the pieces of information into a single
place. Depending on the nature of that information, the infrastructure might also generate an alert to
indicate that the identified event needs further investigation.
Log viewing is displaying log entries in a human-readable format. Most log generators provide some
sort of log viewing capability; third-party log viewing utilities are also available. Some log viewers
provide filtering and aggregation capabilities.
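A rule-based correlation across two sources (an authentication log and a firewall log), keyed on source IP and timestamps, that produces the new log entry and the alert decision described above. This is an added example, not the handbook's code; EVENTS is a constructed, already-normalized list and the thresholds in correlate() are assumptions.

```python
"""Rule-based event correlation across an auth log and a firewall log
(added example; events and thresholds are constructed assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized entries: (source, time, src_ip, event type).
EVENTS = [
    ("fw",   "2015-12-01T10:00:05", "203.0.113.7",  "deny"),
    ("auth", "2015-12-01T10:00:20", "203.0.113.7",  "login_failed"),
    ("auth", "2015-12-01T10:00:25", "203.0.113.7",  "login_failed"),
    ("auth", "2015-12-01T10:00:31", "203.0.113.7",  "login_failed"),
    ("auth", "2015-12-01T10:00:40", "203.0.113.7",  "login_ok"),
    ("auth", "2015-12-01T10:05:00", "10.0.0.5",     "login_failed"),  # one typo, then success
    ("auth", "2015-12-01T10:05:30", "10.0.0.5",     "login_ok"),
    ("auth", "2015-12-01T11:00:00", "198.51.100.2", "login_failed"),  # failures, never succeeds
    ("auth", "2015-12-01T11:00:01", "198.51.100.2", "login_failed"),
    ("auth", "2015-12-01T11:00:02", "198.51.100.2", "login_failed"),
]


def correlate(events, min_failures=3, window=timedelta(minutes=2)):
    """Rule: at least `min_failures` login_failed entries from one IP inside
    `window`, followed by a login_ok from the same IP, yield one new
    correlated entry. A prior firewall deny from that IP (a second source)
    raises the severity to 'alert'; otherwise it is a 'warning'."""
    ordered = sorted((datetime.fromisoformat(t), src, ip, kind)
                     for src, t, ip, kind in events)
    recent_failures = defaultdict(list)   # ip -> timestamps inside the window
    denied_by_fw = set()
    correlated = []
    for ts, src, ip, kind in ordered:
        if src == "fw" and kind == "deny":
            denied_by_fw.add(ip)
        elif kind == "login_failed":
            recent_failures[ip] = [t for t in recent_failures[ip] if ts - t <= window] + [ts]
        elif kind == "login_ok":
            failures = recent_failures.pop(ip, [])
            if len(failures) >= min_failures:
                correlated.append({
                    "time": ts.isoformat(),
                    "src_ip": ip,
                    "rule": "brute_force_then_success",
                    "failures": len(failures),
                    "severity": "alert" if ip in denied_by_fw else "warning",
                })
    return correlated


if __name__ == "__main__":
    for entry in correlate(EVENTS):
        print(entry)
```

Sorting by normalized time before matching is what makes the cross-source rule work; without the normalization step described earlier, the firewall and auth entries could not be placed on one timeline. The third host above shows the rule's blind spot: failures with no later success produce nothing, so a separate threshold rule is needed for ongoing password guessing.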
Log reporting is displaying the results of log analysis. Log reporting is often performed to summarize
significant activity over a particular period of time or to record detailed information related to a
particular event or series of events.
Disposal
Log clearing is removing all entries from a log that precede a certain date and time. Log clearing is
often performed to remove old log data that is no longer needed on a system because it is not of
importance or it has been archived.
The major operational processes for log management are:
Configure the log sources, including log generation, storage, and security
Perform analysis of log data
Initiate appropriate responses to identified events
Manage the long-term storage of log data.
System-level administrators need to configure log sources so that they capture the necessary
information in the desired format and locations, as well as retain the information for the appropriate
period of time.
Administrators determine which of their hosts and host components must or should participate in
the log management infrastructure.
A single log file might contain information from several sources, such as an OS log containing
information from the OS itself and several security software programs and applications.
Administrators ascertain which log sources use each log file.
For each identified log source, administrators determine which types of events each log source
must or should log, as well as which data characteristics must or should be logged for each type
of event.
The administrator’s ability to configure each log source is dependent on the features offered by that
particular type of log source. For example, some log sources offer very granular configuration options,
while some offer no granularity at all—logging is simply enabled or disabled, with no control over what
is logged. This section discusses log source configuration in three categories: log generation, log
storage and disposal, and log security.
Event Logs
Event logs are special files that record significant events on your computer, such as when a user logs
on to the computer or when a program encounters an error.
Whenever one of these types of events occurs, Windows records it in an event log that you can read
by using Event Viewer. Advanced users might find the details in event logs helpful when
troubleshooting problems with Windows and other programs.
Event Viewer tracks information in several different logs. Windows Logs include:
Application (program) events
Events are classified as error, warning, or information, depending on the severity of the event. An
error is a significant problem, such as loss of data. A warning is an event that isn't necessarily
significant, but might indicate a possible future problem. An information event describes the
successful operation of a program, driver, or service.
Security-related events
These events are called audits and are described as successful or failed depending on the event,
such as whether a user trying to log on to Windows was successful.
Setup events
Computers that are configured as domain controllers will have additional logs displayed here.
System events
System events are logged by Windows and Windows system services, and are classified as error,
warning, or information.
Forwarded events
These events are forwarded to this log by other computers.
Applications and Services Logs vary. They include separate logs about the programs that run on your
computer, as well as more detailed logs that pertain to specific Windows services.
Open Event Viewer by clicking the Start button, clicking Control Panel, clicking System and Security,
clicking Administrative Tools, and then double-clicking Event Viewer. Administrator permission is
required: if you're prompted for an administrator password or confirmation, type the password or
provide confirmation.
1. Click Start, select Programs, select Administrative Tools, click Computer Management.
2. In the console tree, click Event Viewer. Right-click Security and select Properties.
3. The Security Properties window will appear. Here authorized administrators can set
the Maximum log size and select what action to
take when the maximum log size is reached.
To retain all the events in the log, click Do not overwrite events (clear log manually). This option
requires that logs be cleared manually. When the maximum log size is reached, new events are
discarded, so a full Security log means a gap in the audit trail. If the event log is not cleared and
archived regularly, Windows displays a message warning that the event log is full.
4. After establishing the security log settings, click the Apply button.
5. Once all the desired filtering options have been selected, click the Apply button and click OK. The
Event Viewer will filter the log and display the information as defined by the filter.
Logon Types are logged in the Logon Type field of logon events (event IDs 528 and 540 for successful
logons, and 529-537 and 539 for failed logons, on Windows 2000, XP and Server 2003; on Windows
Vista, Server 2008 and later the equivalent events are 4624 for a successful logon and 4625 for a
failed one, with the same Logon Type field).
Windows supports the following logon types and associated logon type values:
2: Interactive logon—This is used for a logon at the console of a computer. A type 2 logon is
logged when you attempt to log on at a Windows computer’s local keyboard and screen.
3: Network logon—This logon occurs when you access remote file shares or printers. Also, most
logons to Internet Information Services (IIS) are classified as network logons, other than IIS logons
that use the basic authentication protocol (those are logged as logon type 8).
4: Batch logon—This is used for scheduled tasks. When the Windows Scheduler service starts a
scheduled task, it first creates a new logon session for the task, so that it can run in the security
context of the account that was specified when the task was created.
5: Service logon—This is used for services and service accounts that log on to start a service.
When a service starts, Windows first creates a logon session for the user account that is specified
in the service configuration.
7: Unlock—This is used whenever you unlock your Windows machine.
8: Network clear text logon—This is used when you log on over a network and the password is
sent in clear text. This happens, for example, when you use basic authentication to authenticate
to an IIS server.
9: New credentials-based logon—This is used when you run an application using the RunAs
command and specify the /netonly switch. When you start a program with RunAs using /netonly,
the program starts in a new logon session that has the same local identity (this is the identity of
the user you are currently logged on with), but uses different credentials (the ones specified in the
runas command) for other network connections. Without /netonly, Windows runs the program on
the local computer and on the network as the user specified in the runas command, and logs the
logon event with type 2.
10: Remote Interactive logon—This is used for RDP-based applications like Terminal Services,
Remote Desktop or Remote Assistance.
11: Cached Interactive logon—This is logged when users log on using cached credentials, which
basically means that in the absence of a domain controller, you can still log on to your local
machine using your domain credentials. Windows supports logon using cached credentials to ease
the life of mobile users and users who are often disconnected.
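Triaging logon events by the Logon Type values listed above, as an added example that is not the handbook's code. The RECORDS and the RDP_ALLOWED jump-host subnet are assumptions; event IDs 528/540 and 529-537/539 are the Windows 2000/XP/2003 IDs the text uses, and 4624/4625 are their equivalents on Windows Vista/Server 2008 and later, so both generations are accepted.

```python
"""Classify Windows logon events by event ID and Logon Type and flag the
ones a reviewer should look at (added example; records and the allowed
RDP subnet are assumptions)."""
import ipaddress

SUCCESS_IDS = {528, 540, 4624}                      # old and new success IDs
FAILURE_IDS = set(range(529, 538)) | {539, 4625}    # old and new failure IDs

LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Assumption: RDP sessions may only originate from this jump-host subnet.
RDP_ALLOWED = ipaddress.ip_network("10.10.0.0/24")

# Constructed records: (event_id, logon_type, account, source_ip).
RECORDS = [
    (4624, 2, "alice", "-"),                  # console logon
    (4624, 10, "admin", "10.10.0.5"),         # RDP from the jump host
    (4624, 10, "admin", "203.0.113.7"),       # RDP from an external address
    (4624, 8, "svc_web", "192.168.1.50"),     # basic auth to IIS: clear-text password
    (4625, 3, "bob", "192.168.1.77"),         # failed network logon (new ID)
    (540, 3, "bob", "192.168.1.77"),          # successful network logon (old ID)
    (4624, 5, "SYSTEM", "-"),                 # service start
]


def classify(event_id, logon_type, account, src_ip):
    """Return outcome, logon type name and the reasons (if any) this entry
    deserves human attention."""
    if event_id in SUCCESS_IDS:
        outcome = "success"
    elif event_id in FAILURE_IDS:
        outcome = "failure"
    else:
        outcome = "other"
    type_name = LOGON_TYPES.get(logon_type, f"Unknown({logon_type})")
    flags = []
    if logon_type == 8:
        flags.append("password sent in clear text (e.g. IIS basic authentication)")
    if logon_type == 10 and outcome == "success":
        try:
            if ipaddress.ip_address(src_ip) not in RDP_ALLOWED:
                flags.append("RDP logon from outside the jump-host subnet")
        except ValueError:
            flags.append("RDP logon with unparsable source address")
    if type_name.startswith("Unknown"):
        flags.append("unexpected logon type value")
    return {"account": account, "outcome": outcome, "type": type_name,
            "src_ip": src_ip, "flags": flags}


def review(records=RECORDS):
    """Only entries carrying at least one flag are handed to a person."""
    return [c for c in (classify(*r) for r in records) if c["flags"]]


if __name__ == "__main__":
    for entry in review():
        print(entry)
```

Type 8 is flagged unconditionally because the credential has already travelled in clear text whether or not the logon succeeded; the type 10 rule only fires on success, since failed RDP attempts from the Internet are better handled by the threshold-style correlation shown earlier.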
How to Read the Windows Application, Security, and System Log Files
The Windows application, security, and system log files can be read with a Windows application called
“Event Viewer,” which is accessed through the Control Panel:
Click the Start button on the desktop’s Taskbar
Click the Control Panel menu item
The Control Panel’s window will open
In the Control Panel, double-click the Administrative Tools icon
The Administrative Tools window will open with a list of different icons
Double click the Event Viewer icon
Many log files that software applications write are plain text files, so any text editor, such as
Notepad or WordPad, can be used to read them. To read .txt files in WordPad:
Internet Information Services (IIS) is a web server developed by Microsoft for use with Windows
Server. The server is meant for a variety of hosting uses while attempting to maintain a high level of
flexibility and scalability.
To help with server use and analysis, IIS is integrated with several types of log files. These log file
formats provide information on a range of websites and specific statistics, including Internet Protocol
(IP) addresses, user information and site visits as well as dates, times and queries.
IIS provides six different log file formats that you can use to track and analyse information about your
IIS-based sites and services. In addition to the six available formats, you can create your own custom
log file format.
The following log file formats and logging options are available in IIS:
W3C Extended Log File Format: text-based, customizable format for a single site. This is the
default format.
W3C Centralized Logging: all data from all Web sites is recorded in a single log file in the W3C
log file format.
NCSA Common Log File Format: text-based, fixed format for a single site.
IIS Log File Format: text-based, fixed format for a single site.
ODBC Logging: fixed format for a single site. Data is recorded in an ODBC-compliant database.
Centralized Binary Logging: binary, unformatted data that is not customizable. Data is
recorded from multiple Web sites and sent to a single log file. To interpret the data, you need
a special parser.
HTTP.sys Error Log Files: fixed format for HTTP.sys-generated errors.
You can read text-based log files using a text editor such as Notepad, which is included with Windows,
but administrators often import the files into a report-generating software tool for further analysis.
IIS logs, when properly analysed, provide information about demographics and usage of the IIS web
server. By tracking usage data, web providers can better tailor their services to support specific
regions, time frames or IP ranges. Log filters also allow providers to track only the data deemed
necessary for analysis.
IIS logs contain crucial information for improving the web site. Log files for an IIS server are the key
source of information for managing the websites hosted on the server. The log files contains a record
of each request from a web user and the response provided by the IIS server. This data is crucial for
marketing, site performance and security. Logs are often the only indication that a user is attempting
to hack into your IIS server. Patterns and trends can be spotted in this data to help you segment your
users for marketing opportunities. IIS log analysis is a critical tool in improving your website.
Internet Information Services (IIS) 6.0 offers a number of ways to record the activity of your Web sites,
File Transfer Protocol (FTP) sites, Network News Transfer Protocol (NNTP) service, and Simple Mail
Transfer Protocol (SMTP) service and allows you to choose the log file format that works best for your
environment. IIS logging is designed to be more detailed than the event logging or performance
monitoring features of the Microsoft® Windows® Server 2003, Standard Edition, Windows® Server
2003, Enterprise Edition, and Windows® Server 2003, Datacenter Edition, operating systems. IIS log
files can include information such as who has visited your site, what was viewed, and when the
information was last viewed. You can monitor attempts to access your sites, virtual folders, or files
and determine whether attempts were made to read or write to your files. IIS log file formats allow
you to record events independently for any site, virtual folder, or file.
Using a text editor, the following steps can be used to analyse an IIS log file:
Open the log file, for example "ex010110.log", in your text editor. For W3C Extended daily logs
the six digits after "ex" are the year, month and day (yymmdd) on which the file was created, so
ex010110.log holds the log for 10 January 2001. IIS writes W3C log times in UTC by default, so
convert before comparing with local-time logs from other systems.
Locate the header information. This is a line starting with "#Fields:". Use this line to determine
the corresponding values in each column; IIS writes a new "#Fields:" line whenever the set of
logged fields changes, so always read the most recent one.
Use the "date" and "time" fields to identify when the request was received. The "s-sitename" and
"s-computername" fields indicate which site and which server responded to the request.
Identify the visitor to your web server by the "c-ip" field, which is the IP address of the visitor's
computer (or of a proxy in front of it).
The "cs-method" column will most often contain either "GET" or "POST", depending on the
request made by the visitor's browser. The fields "cs-uri-stem" and "cs-uri-query" denote the
resource, such as an image or web page, that the visitor requested and the query string sent with
it; the query string is where injected input such as path traversal or SQL fragments shows up.
Use the "sc-status" column to determine whether the web server was able to respond correctly
to the request: 2xx codes are successes, 4xx codes are client errors (a run of 404s from one
address often means a scanner probing for files), and 5xx codes are server errors.
Use the "cs(User-Agent)" field to determine what type of browser the visitor used, or whether the
visitor is actually a search engine crawler. The client sets this header itself, so it can be forged.
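Parsing an IIS W3C Extended log by its "#Fields:" header and producing the per-visitor view the steps above describe, as an added example that is not the handbook's code. The log text is constructed; the field names are the real W3C/IIS ones, while the SUSPICIOUS patterns and the max_404 threshold are assumptions to be tuned per site.

```python
"""Parse an IIS W3C Extended log via its #Fields: header and report clients
worth a look (added example; log text constructed, patterns are assumptions)."""
from collections import defaultdict

IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2001-01-10 00:00:00
#Fields: date time s-sitename s-computername c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-01-10 09:15:01 W3SVC1 WEB01 10.0.0.5 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2001-01-10 09:15:02 W3SVC1 WEB01 10.0.0.5 GET /images/logo.gif - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2001-01-10 09:20:11 W3SVC1 WEB01 203.0.113.7 GET /admin/ - 404 -
2001-01-10 09:20:12 W3SVC1 WEB01 203.0.113.7 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 -
2001-01-10 09:20:13 W3SVC1 WEB01 203.0.113.7 GET /login.asp user='+OR+1=1-- 500 -
2001-01-10 09:20:14 W3SVC1 WEB01 203.0.113.7 GET /backup.zip - 404 -
2001-01-10 09:30:00 W3SVC1 WEB01 66.249.66.1 GET /robots.txt - 200 Mozilla/5.0+(compatible;+Googlebot/2.1)
"""

# Assumption: substrings that should never appear in a legitimate request
# to this site. Matching is case-insensitive on stem + query.
SUSPICIOUS = ("..", "cmd.exe", "'", "xp_", "<script")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields:
    directive (IIS emits a new one when the logged field set changes).
    IIS encodes spaces inside values as '+', so a plain split is safe."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue                       # other directives, blank lines
        elif fields is None:
            raise ValueError("request line before any #Fields: directive")
        else:
            parts = line.split(" ")
            if len(parts) != len(fields):
                raise ValueError(f"field count mismatch: {line!r}")
            yield dict(zip(fields, parts))


def analyse(text, max_404=2):
    """Per-client statistics; return only clients that look like scanners
    (too many 404s) or that sent a suspicious stem/query."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0,
                                 "server_error": 0, "suspicious": [], "bot": False})
    for r in parse_w3c(text):
        s = stats[r["c-ip"]]
        s["requests"] += 1
        status = int(r["sc-status"])
        if status == 404:
            s["not_found"] += 1
        if status >= 500:
            s["server_error"] += 1
        target = r["cs-uri-stem"] + "?" + r["cs-uri-query"]
        if any(m in target.lower() for m in SUSPICIOUS):
            s["suspicious"].append(target)
        if "bot" in r["cs(User-Agent)"].lower():
            s["bot"] = True
    return {ip: s for ip, s in stats.items()
            if s["not_found"] >= max_404 or s["suspicious"]}


if __name__ == "__main__":
    for ip, s in analyse(IIS_LOG).items():
        print(ip, s)
```

A 500 paired with a quote in the query, as on the /login.asp line, is the pattern to chase first: the server error suggests the injected input reached code that did not expect it. The bot flag only reflects what the client claimed, so a crawler with many 404s still ends up in the report.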
Effective analysis of log data is often the most challenging aspect of log management, but is also
usually the most important. Although analysing log data is sometimes perceived by administrators as
uninteresting and inefficient (e.g., little value for much effort), having robust log management
infrastructures and automating as much of the log analysis process as possible can significantly
improve analysis so that it takes less time to perform and produces more valuable results.
The most effective way to gain a solid understanding of log data is to review and analyse portions of
it regularly (e.g., every day). The goal is to eventually gain an understanding of the baseline of typical
log entries, likely encompassing the vast majority of log entries on the system. (Because a few types
of entries often comprise a significant percentage of the log entries, this is not as difficult as it may
first sound.) Daily log reviews should include those entries that have been deemed most likely to be
important, as well as some of the entries that are not yet fully understood. Because it can take
considerable effort to understand the significance of most log entries, the initial days, weeks, or even
months of performing the log analysis process are the most challenging and time-consuming. Over
time, as the baseline of normal activity is broadened and deepened, the daily log reviews should take
less time and be more focused on the most important log entries, thus leading to more valuable
analysis results.
Another motivation for understanding the log entries is so that the analysis process can be automated
as much as possible. By determining which types of log entries are of interest and which are not,
administrators can configure automated filtering of the log entries. This allows events known to be
malicious to be recognized and responded to automatically (e.g., alerting administrators,
reconfiguring other security controls). Another purpose for filtering is to ensure that the manual
analysis performed by administrators is prioritized appropriately. The filtering should be configured
so that it presents administrators with a reasonable number of entries for manual analysis.
Web log analysis software (also called a web log analyzer) is a kind of web analytics software that
parses a server log file from a web server and, based on the values contained in the log file, derives
indicators about when, how, and by whom a web server is visited. Usually reports are generated from
the log files immediately, but the log files can alternatively be parsed into a database and reports
generated on demand.
There are free, open source and paid software tools available for log analysis or management.
Response to events
During their log analysis, infrastructure and system-level administrators may identify events of
significance, such as incidents and operational problems that necessitate some type of response.
When an administrator identifies a likely computer security incident, as defined by the organization’s
incident response policies, the administrator should follow the organization’s incident response
procedures to ensure that it is addressed appropriately. Examples of computer security incidents
include a host being infected by malware and a person gaining unauthorized access to a host.
Administrators should perform their own responses to non-incident events, such as minor operational
problems (e.g., misconfiguration of host security software). Some organizations require system-level
administrators to report incidents and logging-related operational problems to infrastructure
administrators so that the infrastructure administrators can better identify additional instances of the
same activities and patterns that cannot be seen at the individual system level. Infrastructure and
system-level administrators should also be prepared to assist incident response teams with their
efforts. For example, when an incident occurs, affected system-level administrators may be asked to
review their systems’ logs for particular signs of malicious activity or to provide copies of their logs to
incident handlers for further analysis. Administrators should also be prepared to alter their logging
configurations as part of a response. Adverse events such as worms often cause unusually large
numbers of events to be logged. This can cause various negative impacts, such as slowing system
performance, overwhelming logging processes, and overwriting recent log entries. Analysts may not
be able to see other events of significance because their records are hidden among all of the other log
entries. Accordingly, administrators may need to reconfigure logging for the short term, long term, or
permanently, depending on the source of the log data, to prevent it from overwhelming the system
and the logs. Administrators may also need to adjust logging to capture more data as part of a
response effort, such as collecting additional information on a particular type of activity. To identify
similar incidents, especially in the short term, administrators may need to perform additional log
monitoring and analysis, such as more closely examining the types of logging sources that recorded
pertinent information on the initial incident.
Summary
Log management: Log management refers to the broad practice of collecting, aggregating and
analysing network data for a variety of purposes.
Security information and event management (SIEM) involves the collection and analysis of data
Security software is a major source of computer security log data.
Web proxies often keep a record of all URLs accessed through them.
Routers and firewalls permit or block certain types of network traffic based on a policy;
however, they differ in terms of the level of complexity
OS logs are most beneficial for identifying or investigating suspicious activity involving a
particular host.
Operating systems and security software provide the foundation and protection for
applications; Applications vary significantly in the types of information that they log and some
of the most commonly logged types of information include:
o Client requests and server responses
o e-mail servers recording the sender, recipients, subject name, and attachment names
for each e-mail
o web servers recording each URL requested and the type of response provided by the
server;
o business applications recording which financial records were accessed by each user
o successful and failed authentication attempts, account changes (e.g., account creation
and deletion, account privilege assignment), and use of privileges
o brute force password guessing and escalation of privileges
o number of transactions occurring in a certain period and size of transactions, etc.
Log management ensures that computer security records are stored in sufficient detail for
an appropriate period of time. A log management infrastructure typically comprises the
following three tiers:
Log Generation: contains the hosts that generate the log data
Log Analysis and Storage: composed of one or more log servers that receive log
data or copies of log data
Log Monitoring: contains consoles that may be used to monitor and review log data
and the results of automated analysis
Log management infrastructures typically perform several functions that assist in the
storage, analysis, and disposal of log data. These functions are normally performed in such
a way that they do not alter the original logs.
Major operational processes for log management are as follows:
Configure the log sources, including log generation, storage, and security
Perform analysis of log data
Initiate appropriate responses to identified events
Manage the long-term storage of log data
Authorized administrators can define security settings for the event logs. The choices are
somewhat limited, and include log size, the length of time a log should be stored, and when
the log should be cleared.
Internet Information Services (IIS) is a web server developed by Microsoft for use with
Windows Server. The server is meant for a variety of hosting uses while attempting to
maintain a high level of flexibility and scalability.
The most effective way to gain a solid understanding of log data is to review and analyse
portions of it regularly (e.g., every day)
Infrastructure and system-level administrators may identify events of significance, such as
incidents and operational problems that necessitate some type of response during log
analysis.
Practical activities:
Activity 1:
Study various log report templates and sources which provide guidance on using log
reports. The various information available in the report should be understood and
possible anomalies listed.
Activity 2:
Work in groups to explore the log configurations of your own training institute server
and generate reports from the servers each week. These should be analysed and
activity reports and inferences from it presented in class by a different group each
week.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. What do you understand by the technical phrase “computerized version of tunnel vision”?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. State the type of log which is most beneficial for identifying or investigating suspicious activity
involving a particular host
__________________________________________________________________________________
Event Filtering is extracting data from a log so that the parsed values can be used as input for
another logging process. ( )
__________________________________________________________________________________
__________________________________________________________________________________
Q. Why are log and event reduction performed simultaneously with log archival?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
NOTES:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
UNIT X
Data Backup
Lesson Plan
10.1. Data Backup
10.2. Types of Backup
10.3. Backup Procedures
10.4. Types of Storage
10.5. Features of a Good Backup Strategy
Lesson
Purpose
All electronic information considered of institutional value should be copied onto secure storage
media on a regular basis (i.e., backed up), for disaster recovery and business resumption. Special
backup needs, identified through technical risk analysis, that exceed these requirements should be
accommodated on an individual basis.
Scope
Data custodians are responsible for providing adequate backups to ensure the recovery of data and
systems in the event of failure. Backup provisions allow business processes to be resumed in a
reasonable amount of time with minimal loss of data. Since hardware and software failures can take
many forms, and may occur over time, multiple generations of institutional data backups need to be
maintained.
Full backup
Full backup is a method of backup where all the files and folders selected for the backup will be backed
up. It is commonly used as an initial or first backup followed with subsequent incremental or
differential backups. After several incremental or differential backups, it is common to start over with
a fresh full backup again.
Some also like to do full backups for all backup runs typically for smaller folders or projects that do
not occupy too much storage space.
Advantages
Restores are fast and easy to manage as the entire list of files and folders are in one backup set.
Easy to maintain and restore different versions.
Disadvantages
Backups can take very long as each file is backed up again every time the full backup is run.
Consumes the most storage space compared to incremental and differential backups. The exact
same files are stored repeatedly, resulting in inefficient use of storage.
Incremental backup
Incremental backup is a backup of all changes made since the last backup. The last backup can be a
full backup or simply the last incremental backup. With incremental backups, one full backup is done
first and subsequent backup runs are just the changed files and new files added since the last backup.
Advantages
Much faster backups
Efficient use of storage space as files are not duplicated. Much less storage space used compared to
running full backups and even differential backups.
Disadvantages
Restores are slower than with full or differential backups.
Restores are also more complicated: the first full backup and every incremental backup taken since it
are needed, applied in order, to perform a restore. If any one incremental set is lost or corrupt, nothing
after it can be restored, so the whole chain has to be verified, not just the latest set.
Differential backups
Differential backups fall in the middle between full backups and incremental backup. A differential
backup is a backup of all changes made since the last full backup. With differential backups, one full
backup is done first and subsequent backup runs are the changes made since the last full backup. The
result is a much faster backup than a full backup for each backup run. Storage space used is less than
a full backup but more than Incremental backups. Restores are slower than with a full backup but
usually faster than Incremental backups.
Advantages
Much faster backups than full backups
More efficient use of storage space than full backups, since only files changed since the last full
backup are copied on each differential backup run.
Faster restores than incremental backups
Disadvantages
Backups are slower than incremental backups
Not as efficient use of storage space as compared to incremental backups. All files added or edited
after the initial full backup will be duplicated again with each subsequent differential backup.
Restores are slower than with full backups.
Restores are a little more complicated than full backups but simpler than incremental backups. Only
the full backup set and the last differential backup are needed to perform a restore.
Mirror backups
Mirror backups are, as the name suggests, a mirror of the source being backed up. With mirror backups,
when a file in the source is deleted, that file is eventually also deleted in the mirror. Because of this,
mirror backups should be used with caution: a file deleted by accident, by sabotage or by a virus will,
at the next sync, be deleted from the mirror as well. Some do not consider a mirror to be a backup at
all, since it keeps no earlier version to go back to.
Many online backup services offer a mirror backup with a 30-day delete. This means that when you
delete a file on your source, that file is kept on the storage server for at least 30 days before it is
eventually deleted. This strikes a balance, offering a level of safety while not allowing the backups to
keep growing, since online storage can be relatively expensive.
Advantages
The backup is clean and does not contain old and obsolete files
Disadvantages
There is a chance that files in the source deleted accidentally, by sabotage or through a virus may
also be deleted from the backup mirror.
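The difference between a plain mirror and a mirror with a delete grace period, as an added example (not from the handbook): an in-memory mirror that parks deleted files for a number of days before purging them. File names, contents, dates and the `Mirror` class are assumptions made for illustration.

```python
"""Mirror backup with a deletion grace period.

Added example, not from the handbook. A plain mirror propagates deletions at
the next sync, so a file removed by accident or by malware disappears from the
mirror too. Holding deleted files for GRACE_DAYS before purging them (the
"30 days delete" described above) keeps a recovery window. File names, contents
and dates are constructed.
"""
from datetime import date, timedelta

GRACE_DAYS = 30


class Mirror:
    def __init__(self):
        self.files = {}     # path -> content currently mirrored
        self.deleted = {}   # path -> (content, date removed) awaiting purge

    def sync(self, source, today, grace_days=GRACE_DAYS):
        """Make the mirror match `source` (path -> content) as of `today`.
        grace_days=0 behaves like a plain mirror: deletions are final at once."""
        for path, content in source.items():
            self.files[path] = content
            self.deleted.pop(path, None)            # re-created file is no longer pending purge
        for path in list(self.files):
            if path not in source:                  # deleted on the source: park it, don't drop it
                self.deleted[path] = (self.files.pop(path), today)
        for path, (_, removed_on) in list(self.deleted.items()):
            if (today - removed_on).days >= grace_days:
                del self.deleted[path]              # grace expired, storage reclaimed

    def recover(self, path):
        """Content of a deleted file while it is still within grace, else None."""
        entry = self.deleted.get(path)
        return entry[0] if entry else None


START = date(2015, 12, 1)   # constructed


def recover_after_accident(grace_days):
    """A report is deleted on the source on day 1; can the mirror give it back?"""
    m = Mirror()
    m.sync({"q4-report.xlsx": "v1", "readme.txt": "hi"}, START)
    m.sync({"readme.txt": "hi"}, START + timedelta(days=1), grace_days)  # the deletion is mirrored
    return m.recover("q4-report.xlsx")


def recoverable_days_later(days):
    """Is the file still recoverable `days` days after the deletion was mirrored?"""
    m = Mirror()
    m.sync({"q4-report.xlsx": "v1"}, START)
    m.sync({}, START + timedelta(days=1))
    m.sync({}, START + timedelta(days=1 + days))
    return m.recover("q4-report.xlsx") is not None


if __name__ == "__main__":
    print("plain mirror:", recover_after_accident(0))
    print("30-day grace:", recover_after_accident(GRACE_DAYS))
    print("still there after 10 days:", recoverable_days_later(10))
    print("still there after 30 days:", recoverable_days_later(30))
```

With a grace of 0 days the report is gone from the mirror the moment the deletion syncs; with 30 days it can be recovered for a month and is then purged, which is exactly the balance the text describes.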
Full PC backup
A full PC backup, or full computer backup, typically involves backing up entire images of the computer's
hard drives rather than individual files and folders. The drive image is like a snapshot of the drive. It
may be stored compressed or uncompressed.
With ordinary file backups, only the user's documents, pictures, videos and music files can be restored;
the operating system, programs etc. need to be reinstalled from their source download or disc
media.
With a full PC backup, however, you can restore the hard drives to their exact state at the time the
backup was made. Hence not only the documents, pictures, videos and audio files but also the
operating system, hardware drivers, system files, registry, programs, emails etc. are restored. In other
words, a full PC backup can restore a crashed computer to its exact state at the time the backup was made.
Advantages
A crashed computer can be restored in minutes with all programs, databases, emails etc. intact. There
is no need to install the operating system and programs or to redo settings.
Ideal backup solution for a hard drive failure.
Disadvantages
May not be able to restore on a completely new computer with a different motherboard, CPU,
Display adapters, sound card etc.
Any problems that were present on the computer (like viruses, or mis-configured drivers, unused
programs etc.) at the time of the backup may still be present after a full restore.
Local backup
A local backup is any backup where the storage medium is kept close at hand. Typically, the storage
medium is plugged in directly to the source computer being backed up or is connected through a local
area network to the source being backed up.
Advantages
Offers good protection from hard drive failures, virus attacks, accidental deletes and deliberate
employee sabotage on the source data, provided the backup medium is disconnected (or
write-protected) after each run; a backup drive that stays mounted can be encrypted or wiped by the
same malware or insider that hits the source.
Very fast backup and very fast restore.
Storage cost can be very cheap when the right storage medium is used like external hard drives
Data transfer cost to the storage medium can be negligible or very cheap
Since the backups are stored close by, they are very conveniently obtained whenever needed for
backups and restore.
Full internal control over the backup storage media and the security of the data on it. There is no
need to entrust the storage media to third parties.
Disadvantages
Since the backup is stored close by to the source, it does not offer good protections against theft,
fire, flood, earthquakes and other natural disasters. When the source is damaged by any of these
circumstances, there’s a good chance the backup will be also damaged.
Offsite Backup
Any backup where the backup storage medium is kept at a different geographic location from
the source is known as an offsite backup. The backup may be done locally at first on the usual
storage devices but once the storage medium is brought to another location, it becomes an
offsite backup.
Advantages
Offers additional protection when compared to local backup such as protection from theft, fire,
flood, earthquakes, hurricanes and more.
Disadvantages
Except for online backups, it takes more effort and discipline to get the storage media to the offsite
location.
May cost more, since people usually need to rotate between several storage devices. For example, when
keeping backups in a bank deposit box, people usually use 2 or 3 hard drives and rotate them, so that
at least one drive is in storage at any time while another is out being written.
Because of the increased handling of the storage devices, the risk of damaging delicate hard disks is
higher (this does not apply to online storage).
Online backup
An online backup is a backup done on an ongoing basis to a storage medium that is always connected
to the source being backed up. The term “online” refers to the storage device or facility being always
connected. Typically, the storage medium or facility is located offsite and connected to the backup
source by a network or Internet connection. It does not involve human intervention to plug in drives
and storage media for backups to run.
Many commercial data centers now offer this as a subscription service to consumers. The storage data
centers are located away from the source being backed up and the data is sent from the source to the
storage center securely over the Internet.
Typically, a client application is installed on the source computer being backed up. Users can define
which folders and files they want to back up and at what times of the day the backups should run.
The data may be compressed and encrypted before being sent over the Internet to the storage data
center. For sensitive data, prefer a client that encrypts before upload with a key the provider does
not hold; otherwise anyone with access to the provider's storage can read the backup.
The storage facility is a commercial data center located away from the source computers being backed
up. Typically, they are built to certain fire and earthquake safety specifications. They have higher
security standards with CCTV and round the clock monitoring. They typically have backup generators
to deal with grid power outages and the facility is temperature controlled. Data is not just stored in
one physical media but replicated across several devices. These facilities are usually serviced by
multiple redundant Internet connection so there is no single point of failure to bring the service down.
Advantages
Offers the best protection against fires, theft and natural disasters.
Because data is replicated across several storage media, the risk of data loss from hardware failure
is very low.
Because backups are frequent or continuous, data loss is very minimal compared to other backups
that are run less frequently.
Because it is online, it requires little human or manual interaction after it is setup.
Disadvantages
Is a more expensive option than local backups.
Initial or first backups can be a slow process spanning a few days or weeks depending on Internet
connection speed and the amount of data backed up.
Can be slow to restore.
Remote backups
Remote backups are a form of offsite backup with a difference being that you can access, restore or
administer the backups while located at your source location or other physical location. The term
“remote” refers to the ability to control or administer the backups from another location.
You do not need to be physically present at the backup storage facility to access the backups.
Putting your backup hard drive at your bank safe deposit box would not be considered a remote
backup. You cannot administer or access it without making a trip to the bank. The term “remote
backup” is often used loosely and interchangeably with “online backup” and “cloud backup”.
Advantages
Much better protection from natural disasters than local backups.
Easier administration as it does not need a physical trip to the offsite backup location.
Disadvantages
More expensive than local backups
Can take longer to backup and restore than local backups
Cloud backup
Cloud backup is a term often used loosely and interchangeably with Online Backup and Remote
Backup. This is a type of backup where data is backed up to a storage server or facility connected to
the source via the Internet. With the proper login credentials, that backup can then be accessed
securely from any other computer with an Internet connection. The term “cloud” refers to the backup
storage facility being accessible from the Internet.
Advantages
Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural
disasters.
Able to easily connect and access the backup with just an Internet connection.
Data is replicated across several storage devices and usually serviced by multiple internet
connections so the system is not at the mercy of a single point of failure.
When the service is provided by a good commercial data center, the service is managed for you and
the physical protection of the facility exceeds what most small sites could build themselves.
Disadvantages
More expensive than local backups
Can take longer to backup and restore
FTP Backup
This is a kind of backup where the backup is done via the File Transfer Protocol (FTP) over the Internet
to an FTP Server. Typically, the FTP Server is located in a commercial data center away from the source
data being backed up. When the FTP server is located at a different location, this is another form of
offsite backup.
Advantages
Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural
disasters.
Able to easily connect and access the backup with just an Internet connection.
Disadvantages
More expensive than local backups
Can take longer to backup and restore; backup and restore times depend on the Internet
connection.
Plain FTP sends the login credentials and the file contents in cleartext, so anyone able to observe
the connection can read both; use SFTP or FTPS (or encrypt the files before upload) for anything
non-public.
We recommend keeping 3 copies of any important file (a primary and two backups).
We recommend having the files on 2 different media types (such as hard drive and optical media), to
protect against different types of hazards.
We recommend keeping 1 copy offsite (or at least offline).
A backup policy should define at least the following, each of which is described below:
frequency,
data backup retention,
testing,
media replacement,
recovery time,
roles and responsibilities
Frequency - Backups must be taken often enough that the data lost between the last backup and
a failure stays within the recovery point objective (RPO) agreed for that data.
Data Backup Retention - Retention of backup data must meet System and institution
requirements for critical data.
Testing - Restoration of backup data must be performed and validated on all types of media
in use periodically.
Media Replacement - Backup media should be replaced according to manufacturer
recommendations.
Recovery Time - The recovery time objective (RTO) must be defined and support business
requirements.
Roles and Responsibilities - Appropriate roles and responsibilities must be defined for data
backup and restoration to ensure timeliness and accountability.
Offsite Storage - Removable backup media taken offsite must be stored at an offsite location
that is insured and bonded, or in a locked, media-rated fire safe.
Onsite Storage - Removable backup media kept onsite must be stored in a locked container
with restricted physical access.
Media Destruction - How to dispose of data storage media in various situations.
Encryption - Non-public data stored on removable backup media must be encrypted. Non-
public data must be encrypted in transit and at rest when sent to an offsite backup facility,
either physically or via electronic transmission.
Third Parties - Third parties' backup handling & storage procedures must meet System, or
institution policy or procedure requirements related to data protection, security and privacy.
These procedures must cover contract terms that include bonding, insurance, disaster
recovery planning and requirements for storage facilities with appropriate environmental
controls.
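One way to turn the retention and media replacement requirements above into a rule a script can apply, as an added example (not part of the handbook's policy text): grandfather-father-son retention, which keeps the newest daily backups, the last backup of each recent week and the last backup of each recent month, and tells you which media can be reused. The backup dates and the retention counts are assumptions made for illustration.

```python
"""Grandfather-father-son retention applied to a set of dated backups.

Added example, not part of the handbook's policy text. Given the dates of the
backups on hand, it returns the ones to keep under a daily/weekly/monthly rule,
so that retention and media reuse follow the written policy. The backup dates
and the retention counts are constructed.
"""
from datetime import date, timedelta


def gfs_keep(backup_dates, keep_daily=7, keep_weekly=4, keep_monthly=12):
    """Dates to retain, oldest first.
    sons:         the newest keep_daily backups
    fathers:      the last backup in each of the newest keep_weekly ISO weeks
    grandfathers: the last backup in each of the newest keep_monthly months
    """
    dates = sorted(set(backup_dates), reverse=True)   # newest first
    keep = set(dates[:keep_daily])
    last_in_week, last_in_month = {}, {}
    for d in dates:                                    # first one seen per period is its newest
        last_in_week.setdefault(d.isocalendar()[:2], d)
        last_in_month.setdefault((d.year, d.month), d)
    keep.update(list(last_in_week.values())[:keep_weekly])
    keep.update(list(last_in_month.values())[:keep_monthly])
    return sorted(keep)


def gfs_purge(backup_dates, **policy):
    """Dates whose media can be reused or wiped under the same policy."""
    return sorted(set(backup_dates) - set(gfs_keep(backup_dates, **policy)))


def daily_range(first, last):
    """Every date from first to last inclusive (one nightly backup per day)."""
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


def demo():
    """Nightly backups from 1 Sep to 31 Dec 2015, kept as 7 daily / 4 weekly / 3 monthly."""
    policy = dict(keep_daily=7, keep_weekly=4, keep_monthly=3)
    have = daily_range(date(2015, 9, 1), date(2015, 12, 31))
    return {
        "keep": [d.isoformat() for d in gfs_keep(have, **policy)],
        "purge": len(gfs_purge(have, **policy)),
    }


if __name__ == "__main__":
    out = demo()
    print("keep:", *out["keep"], sep="\n  ")
    print("media to reuse:", out["purge"])
```

Out of 122 nightly sets this keeps 11: the last seven nights (25 to 31 December), the week-end sets for the two earlier weeks (13 and 20 December) and the month-end sets for October and November; the other 111 media can go back into rotation. Because the rule is expressed in dates rather than in "what fits on the disk", a restore to a month-old state remains possible without keeping every nightly set.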
Definitions
Archive: An archive is a collection of historical data specifically selected for long-term retention and
future reference. It is usually data that is no longer actively used, and is often stored on removable
media.
Backup: A copy of data that may be used to restore the original in the event the latter is lost or
damaged beyond repair. It is a safeguard for data that is being used. Backups are not intended to
provide a means to archive data for future reference or to maintain a versioned history of data to
meet specific retention requirements.
Critical Data: Data that needs to be preserved in support of the institution's ability to recover from
a disaster or to ensure business continuity.
Data: Information collected, stored, transferred or reported for any purpose, whether in computers
or in manual files. Data can include: financial transactions, lists, identifying information about
people, projects or processes, and information in the form of reports. Because data has value, and
because it has various sensitivity classifications defined by federal law and state statute, it must be
protected.
Destruction: Destruction of media includes: disintegration, incineration, pulverizing, shredding, and
melting. Information cannot be restored in any form following destruction.
Media Rated, Fire Safe: A safe designed to maintain internal temperature and humidity levels low
enough to prevent damage to CDs, tapes, and other computer storage devices in a fire. Safes are
rated based on the length of time the contents of a safe are preserved while directly exposed to fire
and high temperatures.
Information Technology Resources: Facilities, technologies, and information resources used for
System information processing, transfer, storage, and communications. Included in this definition
are computer labs, classroom technologies, computing and electronic communications devices and
services, such as modems, e-mail, networks, telephones (including cellular), voice mail, fax
transmissions, video, multimedia, and instructional materials. This definition is not all-inclusive, but
rather, reflects examples of System equipment, supplies and services.
Recovery Point Objective (RPO): Acceptable amount of service or data loss measured in time. The
RPO is the point in time prior to service or data loss that service or data will be recovered to.
Recovery Time Objective (RTO). Acceptable duration from the time of service or data loss to the
time of restoration.
Automated Backup
If the data backup plan defines a daily interval, making manual backups becomes quite time
consuming, and one may discover now and then that they have skipped making backups because they
had something else more important to do at same time. It is better to foresee the risk of not making
backups and try to automate the whole backup process as much as possible.
External Hard Drive
These are hard drives similar to the type installed inside a desktop or laptop computer, the
difference being that they can be plugged into the computer or removed and kept separate from the
main computer.
Advantages:
Disadvantages:
Solid State Drive (SSD)
Solid state drives look and function like traditional mechanical/ magnetic hard drives, but the
similarities stop there. Internally they are completely different: they have no moving parts or rotating
platters and rely solely on semiconductors and electronics for data storage, making them more reliable
and robust than traditional magnetic drives. No moving parts also means that they use less power than
traditional hard drives and are much faster too.
With the prices of solid state drives coming down and their lower power usage, SSDs are used extensively
in laptops and mobile devices. External SSDs are also a viable option for data backups.
Advantages:
Disadvantages:
Network Attached Storage (NAS)
A NAS is simply one or more regular IDE or SATA hard drives plugged into an array storage enclosure and
connected to a network router or hub through an Ethernet port. Some of these NAS enclosures have
ventilating fans to protect the hard drives from overheating.
Advantages:
Very good option for local backups especially for networks and small businesses.
As several hard drives can be plugged in, NAS can hold very large amounts of data
Can be set up with redundancy (RAID), increasing reliability and/ or read and write
performance. Depending on the RAID level used, the NAS can still function even if one
hard drive in the RAID set fails, or two hard drives can be set up to double the read and write
speed of a single hard drive. Note that RAID only protects against drive failure: a file that is
deleted or encrypted is deleted or encrypted on every drive in the set, so RAID is not a
substitute for a backup.
The drive is always connected and available to the network making the NAS a good option for
implementing automated scheduled backups.
Disadvantages:
Because the NAS shares are always mounted and reachable over the network, malware or an
attacker on the network can reach the backup copies as easily as the source; give the backup
share its own credentials and keep point-in-time snapshots on the NAS where it supports them.
USB Thumb Drive or Flash Drive
These are similar to solid state drives except that they are much smaller in size and capacity. They have
no moving parts, making them quite robust. They are extremely portable and can fit on a keychain. They
are ideal for backing up a small amount of data that needs to be brought with you on the go.
Advantages:
The most portable storage option. Can fit on a keychain making it an offsite backup when you
bring it with you.
Much more robust than traditional magnetic hard drives
Disadvantages:
Relatively expensive per GB so can only be used for backing up a small amount of data
Optical Drive (CD/ DVD)
CDs and DVDs are ideal for storing songs, movies, media or software for distribution or for giving
to a friend, due to the very low cost per disc. They do not make good storage options for backups
due to their shorter lifespan, small capacity and slower read and write speeds.
Advantages:
Disadvantages:
Cloud Storage
Cloud storage is storage space in a commercial data center, accessible from any computer with Internet
access. It is usually provided by a service provider. A limited amount of storage may be provided free,
with more space available for a subscription fee. Examples of service providers are Amazon S3, Google
Drive, Sky Drive etc.
Advantages:
A very good offsite backup. Not affected by events and disasters at the source site such as theft, floods, fire etc.
Disadvantages:
More expensive than traditional external hard drives. Often requires an ongoing subscription.
Requires an Internet connection to access the cloud storage.
Much slower than other local backups
The following are features to aim for when designing your backup strategy:
Able to recover from data loss in all circumstances like hard drive failure, virus
attacks, theft, accidental deletes or data entry errors, sabotage, fire, flood,
earthquakes and other natural disasters.
Able to recover to an earlier state if necessary like due to data entry errors or
accidental deletes.
Able to recover as quickly as possible with minimum effort, cost and data loss.
Require minimum ongoing human interaction and maintenance after the initial
setup. Hence able to run automated or semi-automated.
Local backups are needed due to its lower cost allowing you to backup a huge amount of data. Local
backups are also useful for its very fast restore speed allowing you to get back online in minimal
time. Offsite backups are needed for its wider scope of protection from major disasters or
catastrophes not covered by local backups.
3. When to Backup
Frequency: How often you backup your data is the next major consideration when planning your
backup policy. Some folders are fairly static and do not need to be backed up very often. Other
folders are frequently updated and should correspondingly have a higher backup frequency like
once a day or more.
Your decision regarding backup frequency should be based on a worst-case scenario. For example,
if tragedy struck just before the next backup was scheduled to run, how much data would you lose
since the last backup? How long would it take and how much would it cost to re-key that lost data?
Backup Start Time: You would typically want to run your backups when there’s minimal usage on
the computers. Backups may consume some computer resources that may affect performance.
Also, files that are open or in use may not get backed up.
Scheduling backups to run after business hours is a good practice providing the computer is left on
overnight. Backups will not normally run when the computer is in “sleep” or “hibernate mode”.
Some backup software will run immediately upon boot up if it missed a scheduled backup the
previous night.
So if the first hour on a business day morning is your busiest time, you would not want your
computer doing its backups then. If you always shut down or put your computer in sleep or
hibernate mode at the end of a work day, maybe your lunch time would be a better time to schedule
a backup. Just leave the computer on but logged-off when you go out for lunch.
Since servers are usually left running 24 hours, overnight backups for servers are a good choice.
4. Backup Types
Many backup programs offer several backup types like Full Backup, Incremental Backup and
Differential backup. Each backup type has its own advantages and disadvantages. Full backups are
useful for projects, databases or small websites where many different files (text, pictures, videos
etc.) are needed to make up the entire project and you may want to keep different versions of the
project.
5. Compression & Encryption
As part of your backup plan, you also need to decide if you want to apply any compression to your
backups. For example, when backing up to an online service, you may want to apply compression
to save on storage cost and upload bandwidth. You may also want to apply compression when
backing up to storage devices with limited space like USB thumb drives.
If you are backing up very private or sensitive data to an offsite service, some backup tools and
services also offer support for encryption. Encryption is a good way to protect your content should
it fall into malicious hands. When applying encryption, always ensure that the encryption key or
passphrase is recorded and kept somewhere separate from the backup itself (for example in the
organisation's key escrow, or in a sealed envelope in a safe): without it the backup cannot be
restored, and stored alongside the backup it protects nothing.
6. Testing Your Backup
A backup is only worth doing if it can be restored when you need it most. It is advisable to
periodically test your backup by attempting to restore it. Some backup utilities offer a validation
option for your backups. While this is a welcome feature, it is still a good idea to test your backup
with an actual restore once in a while.
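One way to make the "validation option" concrete, as an added example (not from the handbook): record a keyed hash of every file when the backup is written, then recompute the hashes on the copy before relying on it, so that silent corruption, tampering or a file missing from the copy is reported instead of being discovered during the restore. The directory layout, the files and `MANIFEST_KEY` are assumptions made for illustration; the key would normally be held apart from the backup media.

```python
"""Verifying a backup copy against a keyed manifest.

Added example, not from the handbook. At backup time, record a keyed hash
(HMAC-SHA256) of every file; when testing or restoring, recompute the hashes
on the copy and compare, so silent corruption or tampering is caught before
the copy is relied on. The files, directory names and MANIFEST_KEY are
constructed; in practice the key is kept apart from the backup media.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

MANIFEST_KEY = b"example-manifest-key-keep-this-off-the-backup-media"   # constructed


def file_tag(path, key=MANIFEST_KEY):
    """Keyed hash of a file's contents, read in chunks so large files are fine."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(root):
    """relative path -> tag, for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_tag(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_copy(copy_root, manifest):
    """Problems found in the copy: path -> 'missing' | 'modified' | 'unexpected'.
    An empty dict means the copy matches the manifest exactly."""
    problems = {}
    copy_root = Path(copy_root)
    for rel, tag in manifest.items():
        p = copy_root / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif not hmac.compare_digest(file_tag(p), tag):
            problems[rel] = "modified"
    for rel in build_manifest(copy_root):
        if rel not in manifest:
            problems[rel] = "unexpected"
    return problems


def demo():
    """Back up a constructed source, then damage the copy and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "backup")
        for root in (src, dst):                       # identical source and copy
            (root / "docs").mkdir(parents=True)
            (root / "docs" / "plan.txt").write_text("quarterly plan v3\n")
            (root / "ledger.db").write_bytes(b"\x00\x01" * 1000)
        manifest = build_manifest(src)
        clean = verify_copy(dst, manifest)
        # simulate bit rot or tampering, a file lost from the copy, and a stray file
        (dst / "ledger.db").write_bytes(b"\x00\x02" * 1000)
        (dst / "docs" / "plan.txt").unlink()
        (dst / "stray.tmp").write_text("left over from an aborted run\n")
        damaged = verify_copy(dst, manifest)
        return clean, damaged


if __name__ == "__main__":
    print(demo())
```

A plain SHA-256 manifest would catch bit rot but not a deliberate change, since whoever alters a file on the media can recompute the hash; the keyed tag only verifies with a key that is not on the media. This check complements, and does not replace, the periodic real restore the text recommends.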
7. Backup Utilities & Services
Simply copying and pasting files and folders to another drive would be considered a backup.
However, the aim of a good backup plan is to set it up once and leave it to run on its own. You
would check up on it occasionally but the backup strategy should not depend on your ongoing
interaction for it to continue backing up. A good backup plan would incorporate the use of good
quality, proven backup software utilities and backup services.
Summary
Backup is the activity of copying files or databases so that they will be preserved in case of
equipment failure or other catastrophe.
Data custodians are responsible for providing adequate backups to ensure the recovery of data
and systems in the event of failure. Types of Backup include:
Full backup where all the files and folders selected for the backup will be backed up
Incremental backup is a backup of all changes made since the last backup
Differential backups fall in the middle between full backups and incremental backup
Mirror backups are mirror of the source being backed up
Full PC backup involves backing up entire images of the computer hard drives
Local backup is any backup where the storage medium is kept close at hand
Offsite Backup where the backup storage medium is kept at a different geographic location
Online backup is ongoing backup to a storage medium that is always connected to the
source being backed up
Remote backups are offsite backup with a difference being that you can access, restore or
administer the backups while located at your source location or other physical location
Cloud backup where data is backed up to a storage server or facility connected to the
source via the Internet
FTP Backup where the backup is done via the File Transfer Protocol (FTP) over the Internet
to an FTP Server
The simplest way to remember how to back up your data safely is the 3-2-1 rule: keep 3 copies of
any important file (a primary and two backups); have the files on 2 different media types (such as
hard drive and optical media); and keep 1 copy offsite (or at least offline).
Different types of Local Storage Options
External Hard Drive are hard drives similar to the type that is installed within a desktop
computer or laptop computer
Solid State Drive (SSD) looks and functions like a traditional mechanical/ magnetic hard
drive but has no moving parts
Network Attached Storage (NAS) is one or more regular IDE or SATA hard drives in an
array storage enclosure, connected to a network router or hub through an Ethernet port
USB Thumb Drive or Flash Drive are similar to Solid State Drives except that it is much
smaller in size and capacity
Optical Drive (CD/ DVD) are ideal for storing a list of songs, movies, media or software
for distribution or for giving to a friend due to the very low cost per disk.
Cloud Storage is storage space on commercial data center accessible from any
computer with Internet access
Ask the key questions while planning your backup strategy
What to Backup
Where to Backup to
When to Backup
Backup Types
Compression & Encryption
Testing Your Backup
Backup Utilities & Services
Practical activities:
Activity 1:
Backup data available in the institute and evaluate the backup requirements for the
institute. If there isn’t a policy for backup then work in a group to develop one and
define all necessary steps for successful implementation.
Activity 2:
Activity 3:
Collect information on various products and services for backup available in the
industry and compare the benefits, features and limitations of each. The comparison
should be presented in class.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. Explain why a Full PC backup is also known as a “drive image backup”.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. Solid State Drive (SSD) looks and functions similar to traditional mechanical/ magnetic hard drives
but are different. State the difference.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. Is it possible to retrieve a file deleted in a source with a mirror backup? Explain your answer in
brief.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Student Handbook – Security Analyst SSC/N0902
SSC/ N 0902:
Coordinate responses to information security
Incidents
Unit Title
Co-ordinate responses to information security incidents
(Task)
PC1. establish your role and responsibilities in co-ordinating responses to information security incidents.
PC2. record, classify and prioritize information security incidents using standard templates and tools.
PC3. access your organization’s knowledge base for information on previous information security incidents and how these were managed.
PC4. assign information security incidents promptly to appropriate people for investigation/ action.
PC5. liaise with stakeholders to gather, validate and provide information related to information security incidents, where required.
PC6. track progress of investigations into information security incidents and escalate to appropriate people where progress does not comply with standards or service level agreements (SLAs).
PC7. prepare accurate preliminary reports on information security incidents using standard templates and tools.
PC8. submit preliminary reports promptly to appropriate people for action.
PC9. update the status of information security incidents following investigation/ action using standard templates and tools.
PC10. obtain advice and guidance on co-ordinating information security incidents from appropriate people, where required.
PC11. update your organization’s knowledge base promptly and accurately with information security incidents and how they were managed.
PC12. comply with your organization’s policies, standards, procedures, guidelines and service level agreements (SLAs) when co-ordinating responses to information security incidents.
Knowledge and Understanding (K)
THE UNITS
The module for this NOS is divided into five units based on the learning objectives given below:
UNIT I
Incident Response Overview
Lesson Plan
You need to know and understand:
KA5. the purpose of managing information security incidents.
KA9. the impact information security incidents can have on your organization.
KA15. how to classify and prioritize information security incidents.
KB3. different stages of incident management and your role in relation to these, including:
• identify
• contain
• cleanse
• recover
• close
Assessment methods:
KA1. QA session and a descriptive write-up on understanding.
KA5. Performance evaluation from faculty and industry with reward points.
KA9. QA session and a descriptive write-up on understanding.
KA14, KB3. Group and faculty evaluation for highlighting the various parts and their purpose of an
incident response plan/ tasks of incident management, using live researched examples.
Resources required:
PCs/ tablets/ laptops
Availability of labs (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Lesson
An incident is a set of one or more security events or conditions that requires action and closure
in order to maintain an acceptable risk profile.
Incidents
In the haystack of events, organizations must find the "needles" that are the security incidents. Events
are isolated and disconnected, but incidents add the context that enables security administrators to
gain understanding and take action.
An incident can be defined as a set of events or conditions requiring response and closure. Incidents
comprise not only the significant threats that jeopardize the business and require intervention; they
also include more mundane situations that occur on a daily basis and threaten the business only if
no action is taken. Examples of these routine situations include “low and slow” port scans and some
varieties of email worms. Most organizations face thousands of instances of the latter types of threats,
together with higher-profile blended threats like Code Red, Nimda, and Klez.
Besides attacks, known system vulnerabilities or discovered policy violations are also incidents that
require a response in order to protect the business. When related events (e.g. attacks, vulnerabilities,
and policy violations) are viewed together, the true nature (or type) of the incident becomes evident.
Attrition (brute force methods that compromise, degrade, or destroy systems, networks or services)
Website or web-based application
Other factors
• Functional impact (current and likely future negative impact to business functions)
• Information impact (effect on the confidentiality, integrity, and availability of the
organization’s information)
• Recoverability from the incident (time and types of resources that must be spent
on recovering from the incident)
Organizations prioritize information security incidents based on the weightages they give to each of
the above categories for a particular incident. For example, an organization that deals with massive
amounts of personal identifying information (PII) might weight information impact more heavily than
recoverability impact, while an emergency response agency might prioritize functional impact to
ensure the continued delivery of emergency services.
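The weighting described above, worked through as an added example (not from the handbook): the ordinal impact levels, the numeric weights and the three sample incidents are constructed, while the two organizations' emphases follow the paragraph.

```python
"""Weighted incident prioritization (added example; not from the handbook).

The three impact categories are those in the text. The ordinal levels,
weights and sample incidents below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed ordinal scale shared by all three impact categories.
LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}
CATEGORIES = ("functional", "information", "recoverability")


@dataclass(frozen=True)
class Incident:
    ident: str
    functional: str       # current and likely future impact on business functions
    information: str      # effect on confidentiality, integrity, availability
    recoverability: str   # time and resources needed to recover


def priority_score(incident: Incident, weights: dict) -> float:
    """Weighted sum of the three impact ratings; higher means handle first."""
    total = 0.0
    for name in CATEGORIES:
        if name not in weights:
            raise ValueError(f"missing weight for category {name!r}")
        level = getattr(incident, name)
        if level not in LEVELS:
            raise ValueError(f"unknown {name} level {level!r} on {incident.ident}")
        total += weights[name] * LEVELS[level]
    return total


def prioritize(incidents, weights):
    """Incident ids ordered from highest to lowest score (ties broken by id)."""
    scored = [(priority_score(inc, weights), inc.ident) for inc in incidents]
    scored.sort(key=lambda pair: (-pair[0], pair[1]))
    return [ident for _, ident in scored]


# Constructed sample queue of open incidents.
QUEUE = [
    Incident("INC-1", functional="high", information="low", recoverability="low"),
    Incident("INC-2", functional="low", information="high", recoverability="medium"),
    Incident("INC-3", functional="medium", information="medium", recoverability="medium"),
]

# Constructed weightings for the two organizations in the text: a PII-heavy
# organization weights information impact most; an emergency response agency
# weights functional impact most.
PII_ORG = {"functional": 1.0, "information": 3.0, "recoverability": 1.0}
EMERGENCY_AGENCY = {"functional": 3.0, "information": 1.0, "recoverability": 1.0}

if __name__ == "__main__":
    print("PII organization handles first:", prioritize(QUEUE, PII_ORG))
    print("Emergency agency handles first:", prioritize(QUEUE, EMERGENCY_AGENCY))
```

The same queue comes out in a different order for the two organizations, which is the point of agreeing the weights before an incident rather than during one.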
Incident Information
Handling incidents
There are five important incident handling phases:
Preparation: establishing and training an incident response team, and acquiring the necessary
tools and resources.
Detection and analysis: detecting security breaches and alerting the organization to an imminent
or ongoing attack.
Containment: mitigating the impact of the incident by containing
Eradication and recovery: repeating the detection and analysis cycle as needed to eradicate the
incident and ultimately initiate recovery.
Post-incident activity: preparing detailed report of the cause and cost of the incident and future
preventive measures against similar attacks.
Organizations should have a plan to respond to various types of incidents detailing various aspects of
incident handling including the above.
Incident Response Plan is an organization’s foundation to a formal, focused and coordinated approach
for incident response.
The objective of instating an incident response plan is to provide the roadmap for implementing the
incident response capability. The incident response plan acts as a defence mechanism against
hackers, malware, human error and a series of other security threats.
An incident response plan provides the structure for building an organization’s incident response
capability. Emphasis on computing security policies and practices is a main objective of most
organizations’ overall risk management strategies. Elements that are recommended as important to an
incident response plan are:
incident response team’s communication with the rest of the organization and with other
organizations
metrics for measuring the incident response capability and its effectiveness
roadmap for maturing the incident response capability (regular reviews, audits and tests etc.)
how the program fits into the overall organization
Developing an incident response plan checklist can minimize the threat of a security breach, whether
in the form of attacks on websites and servers or inadvertent leakage of shared sensitive data.
Instating a structure that ensures the latest developments are captured, understood, evaluated as
threats to the business, documented and distributed will help ensure an effective incident response.
An incident response plan checklist should be an amalgamation of the following key practices:
The integrity of business security demands the presence of an effective incident response team, and
this can be achieved through the selection of an appropriate structure and staffing model. Typically,
a designated incident response team or personnel function as the first point of contact (POC) in a
situation involving a security breach in an organization. The incident handlers may then analyse the
incident data, determine the impact of the incident, and act appropriately to limit the damage and
restore normal services. The incident response team’s success depends on the participation and
cooperation of individuals throughout the organization. Therefore, an organization must create a core
team, identify suitable individuals, discuss incident response team models, and provide advice on
selecting an appropriate model.
Listed below is a range of tool kits, systems and instrumentation that may be useful in incident
response:
Incident handler communications and facilities: these may include contact information of team
members and others within the organization and external, on-call information matrix, incident
reporting mechanisms such as phone numbers, email addresses, online forms, etc. Incident
tracking systems; smartphones for round-the-clock communication; use of encryption software
for internal team members; security materials storage facility etc.
Incident analysis hardware and software: digital forensic workstations and/ or backup devices to
create disk images, preserve log files and save other relevant incident data etc. Laptops; spare
workstations; servers; networking equipment or the virtualized equivalents for storing and trying
out malware; blank removable media; packet sniffers and protocol analyzers; digital forensic
software; evidence gathering accessories such as digital cameras, audio recorders, chain of
custody forms etc.
Incident analysis resources: port lists, including commonly used ports and Trojan horse ports;
documentation for OSs, applications, protocols etc. Network diagrams and lists of critical assets
such as database servers; current baselines of expected network system and application activity;
cryptographic hashes of critical files to speed incident analysis, verification and eradication.
Incident mitigation software: access to images of clean OS and application installations for
restoration and recovery purposes.
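Keeping cryptographic hashes of critical files is only useful if there is a routine for taking the baseline and comparing against it. The following added example (not the handbook’s code) builds a SHA-256 manifest of a directory tree and reports modified, added and removed files; the file paths, contents and the simulated changes are constructed inside temporary directories.

```python
"""SHA-256 baseline of critical files with change detection (added example;
not the handbook's code). Paths, contents and the tampering below are
constructed inside temporary directories so the script runs offline.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def verify_baseline(root: str, baseline: dict) -> dict:
    """Compare the tree under root with a saved baseline.

    Returns sorted relative paths under "modified", "added" and "removed";
    all three empty means the tree still matches the baseline.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_baseline(baseline: dict, path: str) -> None:
    # Store the manifest off the monitored host (or sign it): anyone who can
    # rewrite the manifest can hide the files they changed.
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then alter it.

    Returns {"clean": <result before changes>, "tampered": <result after>}.
    """
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/ssh_config", b"Port 22\n")
        _write(root, "bin/app", b"constructed binary contents\n")
        manifest = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), manifest)
        clean = verify_baseline(root, load_baseline(manifest))

        # Simulated incident: one file edited, one unexpected file added, one removed.
        _write(root, "etc/ssh_config", b"Port 2222\n")
        _write(root, "bin/unknown", b"constructed unexpected file\n")
        os.remove(os.path.join(root, "etc/passwd"))
        tampered = verify_baseline(root, load_baseline(manifest))
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```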
Scenarios:
Through a routine evaluation of system logs, a system administrator discovers that XYZ’s data has
been exfiltrated from the system by an unauthorized user account.
A remote user has lost his/her laptop. The user’s job function required that XYZ’s information be
stored on the laptop.
After a recent office move, it is discovered that a locked cabinet containing XYZ’s information is
missing.
For each scenario:
Determine the actions that would help prevent this type of incident (preparation).
Determine the controls in place that would help identify this incident, along with procedures on how
to report the incident (detection and analysis).
How to prevent further damage (containment).
How to clean the system (eradication).
How to restore the system in a secure manner (recovery).
Summary
An incident is a set of one or more security events or conditions that requires action and closure
in order to maintain an acceptable risk profile.
These can be classified into:
o Malicious code incidents
o Network reconnaissance incidents
o Unauthorised access incidents
o Inappropriate usage incidents
o Multiple component incidents
Impact of information security incidents can be classified into:
o Functional impact
o Information impact
o Recoverability from the incident
Signs of a security incident: the two main types of signs of an incident are:
o Precursor: a sign that an incident may occur in the future.
o Indicator: a sign that an incident may have occurred or may be occurring now.
There are five important incident handling phases:
o Preparation
o Detection and analysis
o Containment
o Eradication and recovery
o Post-incident activity
Incident Response Plan is an organization’s foundation to a formal, focused and coordinated
approach for incident response.
Central Incident Response team: a functional model for small organizations with limited or no
geographic presence wherein a single incident response team handles core security computing.
Distributed Incident Response team: this model is effective for large organizations (e.g. one
team per division) and for organizations with major computing resources at distant locations
(e.g. one team per geographic region, one team per major facility).
A jumpkit is a portable case instrumental to incident response teams; it contains items such as
a laptop, appropriate software such as packet sniffers and digital forensics tools, backup devices,
blank media etc.
Practical activities:
Activity 1:
Collate information on various types of information security incidents from the internet
and populate the various categories of incidents mentioned in the unit with examples
of each. Present a few details of these incidents, if possible.
Activity 2:
Visit various company sites, and find out their incident response plans and list out
various components of it.
Activity 3:
Work in a group to create an incident response plan for the training institute and
modify it as you progress through this module.
Q. A portable case instrumental to incident response teams that contains items such as a laptop,
appropriate software such as packet sniffers and digital forensics tools, backup devices, blank media
etc. is known as a ________________
Q. Which of the following is not a category of security incidents? Mark all that apply.
a) Malicious code
b) Network usage
c) CSIRT
d) Inappropriate usage
e) Precursor
f) Multiple component
UNIT II
Incident Response - Roles and Responsibilities
Lesson Plan
You need to know and understand:
KA4. limits of your role and responsibilities and who to seek guidance from where required.
KA6. who to involve when investigating and co-ordinating responses to information security incidents
and how to contact them.
KA11. how to assign and escalate information on information security incidents.
KA12. different methods and techniques used when working with others.
KB5. common issues and incidents of information security that may require action and whom to report
these.
KB6. how to obtain and validate information related to information security issues.
Assessment methods:
KA4. Peer group, faculty group and industry experts.
KA6. Performance evaluation from faculty and industry with reward points.
KA11. Online exam and reward points based on reviews from the forums.
KA12. Faculty and peer review.
KB5, KB6, KB7. Going through the security standards over the internet by visiting sites like ISO,
PCI DSS etc. and understanding the various methodologies and usage of algorithms. Learn about the
CIA triad relating to the latest threats and vulnerabilities.
Resources required:
PCs/ tablets/ laptops
Availability of labs (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Access to all security sites like ISO, PCI DSS, Center for Internet Security etc.
Security templates from ITIL & ISO
Lesson
A single employee, with one or more designated alternates, should be in charge of incident response.
In a fully outsourced model, this person oversees and evaluates the outsourcer’s work. All other
models generally have a team manager and one or more deputies who assume authority in the
absence of the team manager. Every team member should have good problem solving skills and
critical thinking abilities.
An incident response team member should possess technical skills, such as system administration,
network administration, programming, technical support or intrusion detection. An incident
response team should be a combination of skilled members in the area of technology (e.g. operating
systems and applications) and other technical areas such as network intrusion detection, malware
analysis or forensics.
A team member in an incident response unit is expected to have a basic understanding of the
technologies used and their applications. The individual should be capable of comprehending
and handling the following aspects of security incidents:
the type of incident activity that is being reported or seen by the community.
the way in which incident response team services are being provided (the level and
depth of technical assistance provided to the constituency).
the responses that are appropriate for the team (e.g. what policies and procedures or
other regulations must be considered or followed while undertaking the response).
the level of authority the incident response team has in taking any specific actions when
applying technical solutions to an incident reported to the incident response team.
maintain, enhance and expand proficiency in technical areas and security disciplines as well as
less technical topics such as the legal aspects of incident response.
incentivize participation in staff conferences.
promote deeper technical understanding.
engage external technical knowledge facilitator with deep technical knowledge in needed areas
to impart learning and development.
provide opportunities to perform other tasks in non-functional areas.
rotate staffing of members across functions to gain new technical skills.
create a mentoring program to enable senior technical staff to help less experienced staff learn
incident handling.
develop incident handling scenarios and conduct team discussions.
After successfully selecting a functional core team, team members should then be organized into an
appropriate staffing model based on the magnitude of incident response work and the size of the
organization. Find details of the three types of staffing methods below:
In house employees
Partially outsourced
Fully outsourced
Therefore, an organization must consider the following factors before selecting an appropriate
incident response team structure:
The need for 24/7 availability: real-time availability is considered one of the best options for
incident response because the longer an incident lasts, the more potential there is for
damage and loss.
Full-time versus part-time team members: organizations with limited funding, staffing or
incident response needs may have only part-time incident response team members, serving
as more of a virtual incident response team. An existing group such as the IT help desk can
act as a first POC for incident reporting and perform initial investigation and data collection.
Employee morale: segregate administrative work and core incident response to minimize
stress on employees and to help boost morale.
Cost: provide sufficient funding for training and skills development of incident response
team members, as the work demands broad knowledge of IT.
Staff expertise: incident handling requires specialized knowledge and experience in several
technical areas. The breadth and depth of knowledge required varies based on the severity
of the organization’s risks.
Outsourced
In the case of outsourced work, the organization must consider not only the current quality
(breadth and depth) of the outsourcer’s work, but also efforts to ensure the quality of future
work.
Document line of work or authority of outsourced incident response work appropriately and
ensure actions for these decision points are handled.
Divide incident response responsibilities and restrict access to sensitive information.
Provide regularly updated documents that define what incidents the outsourcer is concerned
about.
Create correlation among multiple data sources.
Maintain basic incident response skills in-house.
Defining the relationship between incident response, incident handling, and incident management
Incident handling refers to the several phases of incident response process i.e. preparation,
detection and analysis, containment, eradication and recovery and post-incident activity required in
adequate handling of an incident.
Incident management is a term used to describe the overall computing security management to
detect the occurrence of an incident, initiate and handle an incident response and prevent any future
re-occurrences.
Routine operational procedures and tasks required to co-ordinate and respond to information
security incidents
Prepare to handle incidents.
Use incident analysis hardware and software.
Use incident analysis resources.
Use of incident mitigation software.
Management: responsible for coordinating incident response among various stakeholders,
minimizing damage, and reporting to Congress, OMB, the General Accounting Office (GAO),
and other parties.
Information security staff members may be needed during certain stages of incident handling
(prevention, containment, eradication and recovery). For example, to alter network security
controls (e.g. firewall rule sets).
IT technical experts (e.g. system and network administrators) can ensure that the appropriate
actions are taken for the affected system, such as whether to disconnect an attacked system.
Coordinate with relevant legal experts to review incident response plans, policies and
procedures to ensure their compliance with law and federal guidance, including the right to
privacy.
Ensure that incident response policies and procedures and business continuity processes are
in sync.
Coordinate with Physical Security and Facilities Management to access facilities during
incident handling.
Start to create a documented action script that will outline your response steps so your IR Manager
can follow them consistently. Your script should show steps similar to the following:
STEP # ACTION
1 Incident announced
2 IR Manager alerted
3 IR Manager begins information gathering from affected site
4 IR Manager begins tracking and documentation of incident
5 IR Manager invokes Assessment Team (details of call bridge or other communication mechanism)
References: Students are encouraged to read more on Roles and Responsibilities in IR team of any
Organization from following references.
http://www.cert.org/csirts/Creating-A-CSIRT.html
http://www.cert.org/csirts/Creating-A-CSIRT.html#practices
O’Reilly Incident Response – Kenneth R. vanWyk and Richard Forno
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
Summary
An incident response team member should possess technical skills, such as system
administration, network administration, programming, technical support or intrusion
detection.
An incident response team should be a combination of skilled members in the area of
technology (operating systems and applications) and other technical areas such as network
intrusion detection, malware analysis or forensics.
An incident response team may include: in-house, partially outsourced, fully outsourced
employees.
The main focus of an incident response team is performing incident response, but it may also
undertake the provision of the following services: intrusion detection, advisory distribution,
education and awareness and information sharing.
Incident response means responding to computer security incidents systematically, by following a
consistent incident handling methodology, so that the appropriate actions are taken in a timely
manner. It is a mechanism to minimize loss or theft of information and disruption of services
caused by incidents.
Incident handling refers to the several phases of incident response process i.e. preparation,
detection and analysis, containment, eradication and recovery and post-incident activity
required in adequate handling of an incident.
Incident management is a term used to describe the overall computing security management
to detect the occurrence of incident, initiate and handle an incident response and prevent any
future re-occurrences.
Practical activities:
Activity 1:
Activity 2:
Research various external service providers and services that support incident team in
the organisation in responding to information security incidents.
Q. List the various other teams and departments the Incident Response team has to work or
coordinate with.
UNIT III
Incident Response Process
Lesson Plan
Lesson
Step 1: Identification
Obtaining and validating information related to information security issues
In incident handling, detection may be the most difficult task. Incident response teams in an
organization are equipped to handle security incidents using well-defined response strategies
beginning with information gathering. Preparing a list of the most common attack vectors, such as
external/removable media, web, email, impersonation, improper use by authorized users etc., can
help narrow down the most appropriate incident handling procedure. Therefore, it is important to
validate each incident using defined standard procedures and document each step taken accurately.
Common issues and incidents of information security that may require action and whom to report
An indicator may not always translate into a security incident given the possibility of technical faults
due to human error in cases such as server crash or modification of critical files. Determining whether
a particular event is actually an incident is sometimes a matter of judgment. It may be necessary to
collaborate with other technical and information security personnel to make a decision. Therefore,
incident handlers need to report the matter to highly experienced and proficient staff members who
can analyse the precursors and indicators effectively and take appropriate actions.
Mentioned below are some of the means to conduct initial analysis for validation:
Profiling networks and systems in order to measure the characteristics of expected activity so
that changes to it can be more easily identified; this is used as one of several detection and
analysis techniques.
Studying networks, systems and applications to understand what their normal behavior is so
that abnormal behavior can be recognized more easily.
Creating and implementing a log retention policy that specifies how long log data should be
maintained may be extremely helpful in analysis because older log entries may show
reconnaissance activity or previous instances of similar attacks.
Correlating events using evidence of an incident captured in several logs such wherein each
may contain different types of data — a firewall log may have the source IP address that was
used, whereas an application log may contain a username.
Synchronizing hosts clock using protocols such as the Network Time Protocol (NTP) to record
time of attack.
Maintain and use a knowledge base of information that handlers need for referencing quickly
during incident analysis.
Use internet search engines for research to help analysts find information on unusual activity.
Run packet sniffers to collect additional data to record traffic that matches specified criteria
should keep the volume of data manageable and minimize the inadvertent capture of other
information.
Filter the data to segregate categories of indicators that tend to be insignificant.
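The correlation, clock synchronization and filtering items above, worked as an added example that is not part of the handbook: two constructed log extracts (a firewall log that records source IPs and an application log that records usernames, both in an assumed format) are joined on source IP within a short time window, and groups that contain only routine events are filtered out. The `app_skew_seconds` parameter shows what happens when the two hosts' clocks are not synchronized.

```python
"""Correlate firewall and application log entries by source IP and time.

Added example, not the handbook's material. The two log formats and all log
lines below are constructed samples, not any product's output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed firewall log: the firewall knows the source IP but not the user.
FIREWALL_LOG = """\
2024-03-01T09:14:02Z ALLOW src=203.0.113.9 dst=10.0.0.5 dport=443
2024-03-01T09:14:05Z ALLOW src=203.0.113.9 dst=10.0.0.5 dport=443
2024-03-01T09:14:30Z DENY src=198.51.100.77 dst=10.0.0.5 dport=22
2024-03-01T09:20:11Z ALLOW src=192.0.2.44 dst=10.0.0.5 dport=443
"""

# Constructed application log: the application knows the username.
APP_LOG = """\
2024-03-01T09:14:03Z LOGIN_FAIL user=admin client=203.0.113.9
2024-03-01T09:14:04Z LOGIN_FAIL user=admin client=203.0.113.9
2024-03-01T09:14:06Z LOGIN_OK user=admin client=203.0.113.9
2024-03-01T09:20:12Z LOGIN_OK user=jsmith client=192.0.2.44
"""

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
APP_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) client=(?P<client>\S+)$")

# Events that are routine on their own; groups made up only of these are dropped.
ROUTINE_EVENTS = {"LOGIN_OK"}


def parse_ts(text):
    """Both hosts log in UTC; the example assumes their clocks are NTP-synchronised."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text, regex):
    records = []
    for line in text.splitlines():
        match = regex.match(line)
        if match:  # lines that do not fit the expected format are skipped
            rec = match.groupdict()
            rec["ts"] = parse_ts(rec["ts"])
            records.append(rec)
    return records


def correlate(fw_records, app_records, window=timedelta(seconds=5)):
    """Attach to each source IP its application events and the firewall flows
    from the same IP logged within `window` of an event. If the clocks drift by
    more than `window`, nothing correlates, which is why the handbook insists on NTP."""
    by_ip = defaultdict(lambda: {"users": set(), "events": [], "flows": []})
    for app in app_records:
        group = by_ip[app["client"]]
        group["users"].add(app["user"])
        group["events"].append(app["event"])
        for flow in fw_records:
            if flow["src"] == app["client"] and abs(flow["ts"] - app["ts"]) <= window:
                if flow not in group["flows"]:
                    group["flows"].append(flow)
    return by_ip


def significant(groups):
    """The handbook's filtering step: drop groups that contain only routine events."""
    return {ip: g for ip, g in groups.items() if set(g["events"]) - ROUTINE_EVENTS}


def analyse(fw_log=FIREWALL_LOG, app_log=APP_LOG, app_skew_seconds=0):
    """Per significant source IP: users seen, failed logins, and how many firewall
    flows could be tied to the activity. `app_skew_seconds` shifts the application
    host's clock to show the effect of an unsynchronised clock."""
    fw_records = parse_log(fw_log, FW_RE)
    app_records = parse_log(app_log, APP_RE)
    for rec in app_records:
        rec["ts"] += timedelta(seconds=app_skew_seconds)
    result = {}
    for ip, group in significant(correlate(fw_records, app_records)).items():
        result[ip] = {
            "users": sorted(group["users"]),
            "fail_count": group["events"].count("LOGIN_FAIL"),
            "flow_count": len(group["flows"]),
        }
    return result


if __name__ == "__main__":
    print(analyse())
    print("with 60 s clock skew:", analyse(app_skew_seconds=60))
```

With synchronized clocks the two failed logins and the success from 203.0.113.9 are tied to the two firewall flows from that address, giving the handler both the source IP and the username; jsmith's routine login is filtered out. With a 60 second skew the same indicator survives the filter but no firewall flow can be attached to it.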
Documenting system events, conversations and observed changes in files can lead to more efficient,
more systematic and error-free handling of the problem. Using an application or a database, such as
an issue tracking system, helps ensure that incidents are handled and resolved in a timely manner.
Organizations should also establish an escalation process for those instances when the team does not
respond to an incident within the designated time. This can happen for many reasons. For example,
cell phones may fail or people may have personal emergencies. The escalation process should state
how long a person should wait for a response and what to do if no response occurs. If there is no
response within the stipulated time, the incident should be escalated again to a higher level of
management. This process should be repeated until the incident is successfully handled.
Step 5: Containment
Containment and Quarantine
Quarantine
Handling an incident may necessitate the use of strategies to contain the existing predicament. One
such method is redirecting the attacker to a sandbox (a form of containment) so that the team can
monitor the attacker’s activity, usually to gather additional evidence. Containment matters because,
once a system has been compromised, if the compromise is allowed to continue the attacker may use
the compromised system to attack other systems.
On the other hand, containment may give rise to another potential issue: some attacks may cause
additional damage when they are contained. For example, a compromised host may run a malicious
process that pings another host periodically. When the incident handler attempts to contain the
incident by disconnecting the compromised host from the network, the subsequent pings will fail. As a
result of the failure, the malicious process may overwrite or encrypt all the data on the host’s hard
drive.
Network information systems are vulnerable to threats, and benign nodes are often compromised
because of unknown, incomplete or distorted information obtained while interacting with external
sources. In this case, malicious nodes need to be identified and isolated from the environment. One
solution to this insecurity can be found in the establishment of trust. A trust model can be formed based
on characteristics such as the information sources used to compute trust, the most relevant and
reliable information source, the experience of other members of the community etc.
based on business impact caused by the incident and the estimated efforts required to recover from
the incident.
Incident response policies should include provisions concerning incident reporting: at a minimum,
what must be reported, to whom and at what times.
The parties to be informed may include the CIO, head of information security, local information
security officer, other incident response teams within the organization, external incident response
teams (if appropriate), system owner, human resources (for cases involving employees, such as
harassment through email), public affairs etc.
An incident may be broadly classified based on common attack vectors such as external/removable
media; attrition; web; email; improper usage; loss or theft of equipment; miscellaneous.
Incident prioritization
• Functional impact of the incident on the existing functionality of the affected systems, and the
likely future functional impact of the incident if it is not immediately contained.
• Information impact of the incident, which may amount to information exfiltration, its impact on
the organization’s overall mission, and the impact of exfiltration of sensitive information on
other organizations if any of the data pertain to a partner organization.
• Recoverability from the incident, and how to determine the amount of time and resources that
must be spent on recovering from that incident. The necessity to actually recover from an
incident should be carefully weighed against the value the recovery effort will create and any
requirements related to incident handling.
Organizations should document their guidelines and templates for handling any incident, but should
focus on being prepared to handle incidents that use common attack vectors. Capturing the attack
pattern formally, with the required information, may help in understanding specific parts of an attack
and how it is designed and executed; it provides the adversary's perspective on the problem and the
solution, and gives guidance on ways to mitigate the attack's effectiveness.
Creating written guidelines for prioritizing incidents is a good practice and helps achieve effective
information sharing within an organization. The step may also help in identifying situations that are of
greater severity and demand immediate attention. An ideal template for incident prioritization should
be formulated based on relevant factors such as the functional impact of the incident (e.g. current and
likely future negative impact to business functions), the information impact of the incident (e.g. effect
on the confidentiality, integrity and availability of the organization’s information) and the
recoverability from the incident (e.g. the time and types of resources that must be spent on recovering
from the incident).
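A worked triage of the three factors just described (functional impact now and if left uncontained, information impact including data belonging to a partner organization, and recoverability), as an added example that is not from the handbook. The four-step rating scale, the combining rule (the worst factor sets the level, the total breaks ties), the response targets in hours and the sample queue are all assumptions made for illustration.

```python
"""Rank a queue of incidents by the handbook's three prioritisation factors.

Added example, not the handbook's material. The rating scale, combining rule,
response targets and sample queue are assumptions for illustration.
"""
from dataclasses import dataclass

RATING = {"none": 0, "low": 1, "medium": 2, "high": 3}   # assumed four-step scale
RESPONSE_TARGET_HOURS = {3: 1, 2: 4, 1: 24, 0: 72}       # assumed targets per level


@dataclass(frozen=True)
class Incident:
    ident: str
    functional_now: str              # current impact on business functions
    functional_if_uncontained: str   # likely impact if not contained immediately
    information: str                 # effect on confidentiality, integrity, availability
    partner_data: bool               # affected data belongs to a partner organisation
    recovery_effort: str             # time and resources needed to recover


def _level(name):
    try:
        return RATING[name]
    except KeyError:
        raise ValueError(f"unknown rating {name!r}; expected one of {sorted(RATING)}") from None


def priority(inc):
    """Return (level, total). The worst factor sets the level; the total of all
    factors breaks ties so a broad incident outranks a narrow one at the same level."""
    functional = max(_level(inc.functional_now), _level(inc.functional_if_uncontained))
    information = _level(inc.information)
    if inc.partner_data and information > 0:
        information = min(information + 1, 3)   # exfiltration also harms the partner
    recovery = _level(inc.recovery_effort)
    return max(functional, information, recovery), functional + information + recovery


def triage(incidents):
    """Order the queue, attaching each incident's level and response target."""
    ranked = sorted(incidents, key=priority, reverse=True)
    return [(inc.ident, priority(inc)[0], RESPONSE_TARGET_HOURS[priority(inc)[0]]) for inc in ranked]


# Constructed sample queue.
SAMPLE_QUEUE = [
    Incident("INC-1", "low", "high", "none", False, "low"),       # worm: small now, spreads fast
    Incident("INC-2", "none", "none", "medium", True, "medium"),  # partner data exposed
    Incident("INC-3", "low", "low", "low", False, "low"),         # one infected workstation
    Incident("INC-4", "none", "none", "none", False, "none"),     # false alarm
]

if __name__ == "__main__":
    for ident, level, hours in triage(SAMPLE_QUEUE):
        print(f"{ident}: level {level}, respond within {hours} h")
```

INC-1 is rated high only because of its likely impact if left uncontained, and INC-2 only because the exposed data belongs to a partner; both outrank the single infected workstation, and the false alarm sorts last.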
One of the key tasks of an incident response team is to receive information on possible incidents,
investigate them, and take action to ensure that the damage caused by the incidents is minimized.
In the course of this work, the team must adhere to the following procedures, as appropriate
to a given situation:
• receive the results of the initial investigation and data gathering from IT help desk members and
escalate to a higher-level specialist if the situation demands.
• use the appropriate materials that may be needed during an investigation.
• become acquainted with various law enforcement representatives before an incident occurs, to
discuss the conditions under which incidents should be reported to them.
• maintain chain of custody records: whenever evidence is transferred from person to person, the
chain of custody form should detail the transfer and include each party’s signature.
• be careful to give out only appropriate information: the affected parties may request details
about internal investigations that should not be revealed publicly.
• ensure law enforcement is available to investigate incidents wherever necessary.
• collect and keep a list of the evidence gathered during the incident investigation.
• collect evidence in accordance with procedures that meet all applicable laws and regulations,
developed from previous discussions with legal staff and appropriate law enforcement agencies,
so that any evidence can be admissible in court.
Handling and rectifying security incidents works best in a “learning and improving” model. Therefore,
incident handling teams must evolve to reflect new threats, improved technology and lessons
learned. Each lessons learned brief must include the following agenda:
• How could information sharing with other organizations have been improved?
• What corrective actions can prevent similar incidents in the future?
• What precursors or indicators should be watched for in the future to detect similar incidents?
• What additional tools or resources are needed to detect, analyze and mitigate future incidents?
The changing nature of information technology and changes in personnel require the incident
response team to review all related documentation and procedures for handling incidents at
designated intervals. A study of incident characteristics (data collected on previous incidents) may
indicate systemic security weaknesses and threats as well as changes in incident trends.
Incident data can also be collected to determine whether a change to incident response capabilities
causes a corresponding change in the team’s performance (improvements in efficiency, reductions in
costs etc.).
Incident record keeping, or collecting data that are actionable rather than collecting data simply
because they are available, will be useful in several capacities to the organization. It may help in
deriving the following information:
Evidence collected should be accounted for at all times. Whenever evidence is transferred from person
to person, chain of custody forms should detail the transfer and include each party’s signature. A
detailed log should be kept for all evidence, including the following:
• Identifying information (e.g. the location, serial number, model number, hostname, media access
control (MAC) addresses and IP addresses of a computer).
• Name, title, and phone number of each individual who collected or handled the evidence during
the investigation.
• Time and date (including time zone) of each occurrence of evidence handling.
• Locations where the evidence was stored.
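The evidence log above, as an added example that is not the handbook's material: each hand-over records the handbook's required fields (who, with title and phone; when, with time zone; where the evidence is stored; both parties' signatures) and refuses a transfer that lacks a time zone or a signature. The SHA-256 check at each hand-over goes beyond the handbook's list of fields; it is what lets the log prove the evidence was unaltered rather than merely assert it. The people, the item and the image bytes are constructed.

```python
"""Chain-of-custody log for one evidence item, with an integrity check at every hand-over.

Added example, not the handbook's material. Record layout, people and evidence
contents are constructed; the SHA-256 check is an addition to the handbook's fields.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class EvidenceItem:
    item_id: str
    identifying_info: dict      # location, serial/model number, hostname, MAC and IP addresses
    data: bytes                 # contents of the acquired image (constructed here)
    acquired_sha256: str = field(init=False)
    custody: list = field(default_factory=list)

    def __post_init__(self):
        self.acquired_sha256 = hashlib.sha256(self.data).hexdigest()


def transfer(item, giver, receiver, when, location, signatures):
    """Record one transfer of `item` from `giver` to `receiver`.

    `giver`/`receiver` are dicts with name, title and phone; `when` must carry a
    time zone; `signatures` maps each party's name to their signature. The hash
    is recomputed so any alteration since acquisition is caught at hand-over."""
    if when.tzinfo is None:
        raise ValueError("time and date must include the time zone")
    if set(signatures) != {giver["name"], receiver["name"]}:
        raise ValueError("both parties must sign the transfer")
    current = hashlib.sha256(item.data).hexdigest()
    entry = {
        "item_id": item.item_id,
        "from": giver,
        "to": receiver,
        "when": when.isoformat(),
        "location": location,
        "signatures": dict(signatures),
        "sha256": current,
        "hash_verified": current == item.acquired_sha256,
    }
    item.custody.append(entry)
    return entry


def custody_report(item):
    """One line per hand-over, suitable for the detailed evidence log."""
    lines = [f"{item.item_id}: {item.identifying_info} acquired sha256={item.acquired_sha256}"]
    for e in item.custody:
        status = "OK" if e["hash_verified"] else "HASH MISMATCH"
        lines.append(f'  {e["when"]} {e["from"]["name"]} -> {e["to"]["name"]} '
                     f'at {e["location"]} [{status}]')
    return lines


# Constructed people.
ANALYST = {"name": "A. Rao", "title": "Security Analyst", "phone": "+91-00-0000-0001"}
CUSTODIAN = {"name": "B. Mehta", "title": "Evidence Custodian", "phone": "+91-00-0000-0002"}


def demo():
    """Acquire an item, hand it over cleanly, alter it, hand it over again, and
    show that a transfer without a time zone or without both signatures is refused."""
    item = EvidenceItem(
        "EV-2024-001",
        {"hostname": "web01", "serial": "SN-CONSTRUCTED", "ip": "10.0.0.5", "mac": "00:00:5e:00:53:01"},
        b"constructed disk image bytes",
    )
    full_sigs = {ANALYST["name"]: "sig-A", CUSTODIAN["name"]: "sig-B"}
    first = transfer(item, ANALYST, CUSTODIAN, datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc),
                     "Evidence safe, room 204", full_sigs)
    item.data = b"constructed disk image bytes (altered)"   # simulate accidental alteration
    second = transfer(item, CUSTODIAN, ANALYST, datetime(2024, 3, 2, 9, 30, tzinfo=timezone.utc),
                      "Forensic workstation 1", full_sigs)
    rejected = []
    for bad_when, bad_sigs in [
        (datetime(2024, 3, 3, 8, 0), full_sigs),                                   # no time zone
        (datetime(2024, 3, 3, 8, 0, tzinfo=timezone.utc), {ANALYST["name"]: "sig-A"}),  # one signature
    ]:
        try:
            transfer(item, ANALYST, CUSTODIAN, bad_when, "Lab", bad_sigs)
        except ValueError as err:
            rejected.append(str(err))
    return {"item": item, "first": first, "second": second, "rejected": rejected}


if __name__ == "__main__":
    print("\n".join(custody_report(demo()["item"])))
```

The second hand-over is still recorded, but flagged: the log shows exactly which custodian held the item when its hash stopped matching the acquisition hash, which is what a court or a reviewer will ask.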
image than it is to perform analysis on the original system, because the analysis may inadvertently
alter the original. Some of the useful resources for the forensic aspects of incident analysis may include
digital forensic workstations and/or backup devices to create disk images, preserve log files, and save
other relevant incident data.
Collecting evidence from computing resources presents some challenges. It is generally desirable to
acquire evidence from a system of interest as soon as one suspects that an incident may have
occurred. Users and system administrators should be made aware of the steps that they should take
to preserve evidence. In addition, evidence should be accounted for at all times: whenever evidence is
transferred from person to person, chain of custody forms should detail the transfer and include each
party’s signature, and a registry or log of the location of the stored evidence should be maintained.
External agencies that an organization may deal with include other or external incident response
teams, law enforcement agencies, Internet service providers and constituents, legal departments,
customers and system owners etc.
Verify data back-up and restore procedures. The incident response team should be aware of the
location of back-up data storage, its maintenance, user access, and the security procedures for data
restoration and system recovery. The following are suggested data back-up resources:
• spare workstations, servers, networking equipment or virtualized equivalents, which may be used
for many purposes, such as restoring back-ups and trying out malware.
• other important materials, including back-up devices, blank media, basic networking equipment
and cables.
Operating system updates and patch management
All hosts should be patched appropriately using standard configurations and configured to follow the
principle of least privilege: granting users only the privileges necessary for performing their authorized
tasks. Hosts should have auditing enabled and should log significant security-related events, and the
security of hosts and their configurations should be continuously monitored. Some organizations use
Security Content Automation Protocol (SCAP) expressed operating system and application configuration
checklists to assist in securing hosts consistently and effectively.
Security cannot be achieved by merely implementing various security systems, tools or products.
However, security failures are less likely when security policy, process, procedure and product(s) are
implemented together. Multiple layers of defence need to be applied to design a fail-safe security
system. The organization should also report all changes and updates made to its IT infrastructure,
network configuration and systems. The organization should also focus on longer-term changes (e.g.
infrastructure changes) and ongoing work to keep the enterprise as secure as possible.
The incident response team should maintain records about the status of incidents along with other
pertinent information. Using an application or a database, such as an issue tracking system, helps
ensure that incidents are handled and resolved in a timely manner.
Keeping evidence gathering accessories, including hard-bound notebooks, digital cameras, audio
recorders and chain of custody forms, is one of the common strategies used to track incidents and
preserve evidence; laptops can also serve the purpose. Recording system events, conversations and
observed changes in files can lead to more efficient, more systematic and less error-prone handling
of the problem.
The incident handling team may need to provide status updates to certain parties, and in some cases to
the entire organization. The team should plan and prepare several communication methods, including
out-of-band methods (in person or on paper), and select the methods that are appropriate for a
particular incident.
• Email
• Website (internal, external or portal)
• Telephone calls
• In person (daily briefings)
• Voice mailbox greeting (set up a separate voice mailbox for incident updates and update the
greeting message to reflect the current incident status; use the help desk’s voice mail greeting)
• Paper (post notices on bulletin boards and doors, hand out notices at all entrance points etc.)
An incident status report should carry a statement of the current status of the incident, so that
communications with the media are consistent and up-to-date. The template may include the following
details:
• Current status of the incident (new, in progress, forwarded for investigation, resolved etc.)
• Contact information for other involved parties (e.g. system owners, system administrators)
Another important post-incident activity is creating a follow-up report for each incident, which can be
quite valuable for future use. The report provides a reference that can be used to assist in handling
similar incidents. The incident report template should include a formal chronology of events, with
time-stamped information such as log data from systems (important for legal reasons), and a monetary
estimate of the amount of damage the incident caused. This estimate may become the basis for
subsequent prosecution activity by law enforcement entities. Follow-up reports should be kept for a
period of time as specified in record retention policies.
Organizations should specify which incidents must be reported, when they must be reported and to
whom. The parties most commonly notified are the CIO, head of information security, local
information security officer, other incident response teams within the organization and system
owners.
Security follow-up reports are usually kept for a period of time as specified in record retention policies.
Most organizations have data retention policies that state how long certain types of data may be kept.
For example, an organization may state that email messages should be retained for only 180 days. If
a disk image contains thousands of emails, the organization may not want the image to be kept for
more than 180 days unless it is absolutely necessary.
The incident data, particularly the total hours of involvement and the cost, may be used to justify
additional funding of the incident response team. Cost of storing evidence and the cost of retaining
functional computers that can use the stored hardware and media can be substantial.
Cost is a major factor, especially if employees are required to be onsite 24/7. Organizations may fail
to include incident response-specific costs in budgets, such as sufficient funding for training and
maintaining skills.
Establishing incident response training and awareness should include the following actions:
• creating an incident response training and awareness policy and plan.
• training IT staff on complying with the organization’s security standards, and making users aware
of policies and procedures regarding appropriate use of networks, systems and applications.
• providing training for users of the SOPs (delineations of the specific technical processes,
techniques, checklists and forms).
• training staff to maintain networks, systems and applications in accordance with the
organization’s security standards.
• creating awareness of policies and procedures regarding appropriate use of networks, systems,
and applications.
The knowledge base is the consolidated incident data collected into a common incident database.
Organizations can create their own knowledge base or refer to those established by several groups
and organizations. Although it is possible to build a knowledge base with a complex structure, a simple
approach can be effective. Text documents, spreadsheets and relatively simple databases provide
effective, flexible and searchable mechanisms for sharing data among team members. The knowledge
base should also contain a variety of information, including explanations of the significance and
validity of precursors and indicators, such as IDPS alerts, operating system log entries and application
error codes.
An incident handler may need to access knowledge base information quickly during incident analysis; a
centralized knowledge base provides a consistent and maintainable source of information. The
knowledge base should include general information such as data on precursors and indicators of
previous incidents.
Several groups collect and consolidate incident data from various organizations into incident
databases. This information sharing may take place in many forms such as trackers and real-time
blacklists. The organization can also check its own knowledge base or issue tracking system for related
activity.
In the absence of security controls, higher volumes of incidents may occur, overwhelming the incident
response team. An incident response team may be able to identify problems that the organization is
otherwise not aware of. The team can play a key role in risk assessment and training by identifying
gaps.
The following text provides a brief overview of some of the main recommended practices
for securing networks, systems and applications:
• Periodic risk assessments of systems and applications to determine what risks are posed by
combinations of threats and vulnerabilities.
• Hosts should be hardened appropriately using standard configurations and kept properly
patched; hosts should be configured to follow the principle of least privilege, granting users only
the privileges necessary for performing their authorized tasks.
• The network perimeter should be configured to deny all activity that is not expressly permitted.
• Software to detect and stop malware should be deployed throughout the organization.
• Users should be made aware of policies and procedures regarding appropriate use of networks,
systems and applications.
Summary
• The Incident Handling Process includes the following steps:
o Identification
o Incident recording
o Initial response
o Communicating the incident
o Containment
o Formulating an incident response strategy
o Incident classification
o Incident investigation
o Data collection
o Forensic analysis
o Evidence protection
o Notify external agencies
o Eradication
o System recovery
o Incident documentation
o Incident damage and cost analysis
o Review and update the response policies
o Training and awareness
• Evidence collected should be accounted for at all times. Whenever evidence is transferred
from person to person, chain of custody forms should detail the transfer and include each
party’s signature. A detailed log should be kept for all evidence, including the following:
o Identifying information (e.g. the location, serial number, model number, hostname,
media access control (MAC) addresses and IP addresses of a computer).
o Name, title, and phone number of each individual who collected or handled the
evidence during the investigation.
o Time and date (including time zone) of each occurrence of evidence handling.
o Locations where the evidence was stored.
• Incident record keeping, or collecting data that are actionable rather than collecting data simply
because they are available, will be useful in several capacities to the organization. It may help in
deriving the following information:
o Systemic security weaknesses and threats as well as changes in incident trends
o Selection and implementation of additional controls
o Measurement of the success of the incident response team
o Expected return on investment from the data
• An incident may be broadly classified based on common attack vectors, such as external/
removable media; attrition; web; email; improper usage; loss or theft of equipment;
miscellaneous.
• Handling and rectifying security incidents works best in a “learning and improving” model.
Therefore, incident handling teams must evolve to reflect new threats, improved
technology and lessons learnt.
Practical activities:
Activity 1:
Search the internet to collect ideas and templates for incident report forms and
formats. Meet with industry experts/personnel, if possible, to understand the usage and
applicability of these.
Activity 2:
Work in groups to prepare an incident report using templates available for preparing a
report for your training institute. Highlight the sources of information for various parts
of the report.
Q. Evidence collected should be accounted for at all times. Whenever evidence is transferred from
person to person, the transfer is captured in which form?
________________________________________
Q. Actions such as restoring systems from clean backups, rebuilding systems from scratch, replacing
compromised files with clean versions, installing patches, changing passwords and tightening network
perimeter security (e.g. firewall rulesets, boundary router access control lists) are known as:
__________________________________________
a) All hosts should be patched appropriately using standard configurations and configured to follow
the principle of _________________, granting users only the privileges necessary for performing
their authorized tasks.
b) ______________________ is important before an incident overwhelms resources or
increases damage.
c) A/An ______________________ may not always translate into a security incident, given the
possibility of technical faults due to human error in cases such as a server crash or modification
of critical files.
__________________________________________________________________________________
UNIT IV
Handling Malicious Code Incidents
Lesson Plan
5.1. Incident handling preparation
5.2. Incident prevention
5.3. Detection of Malicious Code
5.4. Containment strategy
5.5. Evidence gathering and handling
5.6. Eradication and Recovery
Lesson
Malicious code refers to a program that is covertly inserted into another program with the
intent to destroy data, run destructive or intrusive programs or otherwise compromise the
security or integrity of the victim’s data.
Generally, malicious code is designed to perform these nefarious functions without the system’s user
knowing. Malicious code attacks can be divided into five categories: viruses, Trojan horses, worms,
mobile code and blended attacks.
For malicious code incidents, the following preparation steps can be taken:
STEP 1. Make users aware of malicious code issues – this information should include a basic review
of the methods that malicious code uses to propagate and the symptoms of infections. Holding
regular user education sessions helps to ensure that users are aware of the risks that malicious
code poses.
STEP 2. Read antivirus vendor bulletins – sign up for mailing lists from antivirus vendors that provide
timely information on new malicious code threats.
STEP 3. Deploy host-based intrusion detection systems to critical hosts – host-based IDS software can
detect signs of malicious code incidents such as configuration changes and system executable
modifications. File integrity checkers are useful in identifying the affected components of a
system.
Some organizations configure their network perimeters to block connections to specific common
Trojan horse ports, with the goal of preventing Trojan horse client and server component
communications. However, this approach is generally ineffective. Known Trojan horses use hundreds
of different port numbers, and many Trojan horses can be configured to use any port number. Also,
some Trojan horses use the same port numbers that legitimate services use so their communication
cannot be blocked by port number. Some organizations also implement port blocking incorrectly so
legitimate connections are sometimes blocked. Implementing filtering rules for each Trojan horse port
will also increase the demands placed on the filtering device. Generally, a Trojan horse port should be
blocked only if the organization has a serious Trojan horse infestation.
Some of the recommended practices for securing networks, systems and applications include:
• periodic risk assessments of systems and applications.
• configuring network perimeters, securing all connection points such as virtual private
networks (VPNs) and dedicated connections to other organizations.
• deploying malware protection at the host level (server and workstation operating systems), the
application server level (email server, web proxies etc.) and the application client level (email
clients, instant messaging clients etc.).
• applying the learning from previous incidents, and sharing it with users so they can see how their
actions could affect the organization.
For preventing malicious code incidents, the following steps can be taken:
STEP 1. Use antivirus software: antivirus software is a necessity to combat the threat of malicious
code and limit damage. The software should be running on all hosts throughout the
organization, and all copies should be kept current with the latest virus signatures so that the
newest threats can be thwarted. Antivirus software should also be used for applications that can
be used to transfer malicious code, such as e-mail, file transfer and instant messaging software.
The software should be configured to perform periodic scans of the system as well as real-time
scans of each file as it is downloaded, opened or executed. The antivirus software should also
be configured to disinfect and quarantine infected files. Some antivirus products not only look
for viruses, worms and Trojan horses, but also examine HTML, ActiveX, JavaScript and
other types of mobile code for malicious content.
STEP 2. Block suspicious files: configure email servers and clients to block attachments with file
extensions that are associated with malicious code (e.g. .pif, .vbs) and suspicious file extension
combinations (e.g. .txt.vbs, .htm.exe).
STEP 3. Limit the use of nonessential programs with file transfer capabilities: examples include peer-
to-peer file and music sharing programs, instant messaging software and IRC clients and
servers. These programs are frequently used to spread malicious code among users.
STEP 4. Educate users on the safe handling of email attachments: antivirus software should be
configured to scan each attachment before opening it. Users should not open suspicious
attachments or attachments from unknown sources. Users should also not assume that if the
sender is known, the attachment is not infected. Senders may not know that their systems are
infected with malicious code that can extract email addresses from files and send copies of the
malicious code to those addresses. This activity creates the impression that the emails are
coming from a trusted person even though the person is not aware that they have been sent.
Users can also be educated on file types that they should never open (e.g. .bat, .com, .exe, .pif,
.vbs). Although user awareness of good practices should lessen the number and severity of
malicious code incidents, organizations should assume that users will make mistakes and infect
systems.
STEP 5. Eliminate open Windows shares: many worms spread through unsecured shares on hosts
running Windows. If one host in the organization is infected with a worm, it could rapidly
spread to hundreds or thousands of other hosts within the organization through their
unsecured shares. Organizations should routinely check all hosts for open shares and direct
the system owners to secure the shares properly. Also, the network perimeter should be
configured to prevent traffic that uses NetBIOS ports from entering or leaving the
organization’s networks. This should not only prevent external hosts from directly infecting
internal hosts through open shares but should also prevent internal worm infections from
spreading to other organizations through open shares.
STEP 6. Use web browser security to limit mobile code: all web browsers should have their security
settings configured so as to prevent unsigned ActiveX and other mobile code vehicles from
unknowingly being downloaded to and executed on local systems. Organizations should
consider establishing an internet security policy that specifies which types of mobile code may
be used from various sources (e.g. internal servers, external servers).
STEP 7. Configure email clients to act more securely: email clients throughout the organization should
be configured to avoid actions that may inadvertently permit infections to occur. For example,
email clients should not automatically execute attachments.
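An added example (not from the handbook) of the Step 2 attachment policy: a screening function that blocks the extensions Steps 2 and 4 name (.pif, .vbs, .bat, .com, .exe) and the suspicious double-extension disguises (.txt.vbs, .htm.exe). The extension lists and the handling of trailing dots and padded spaces are constructed assumptions about what a mail filter should normalise.

```python
"""Screen attachment names for blocked and suspiciously combined extensions.

Added example, not the handbook's own code. The two extension sets are
constructed from the extensions the handbook names plus a few decoys.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Extensions the handbook associates with malicious code (constructed list).
BLOCKED_EXTENSIONS = {"pif", "vbs", "bat", "com", "exe", "scr", "js"}

# Extensions that usually denote harmless content; one of these directly
# followed by a blocked extension (report.txt.vbs) is a disguise attempt.
DECOY_EXTENSIONS = {"txt", "htm", "html", "doc", "pdf", "jpg", "png"}


@dataclass
class Verdict:
    filename: str
    action: str            # "allow" or "block"
    reason: Optional[str]  # why it was blocked, None when allowed


def _normalise(name: str) -> str:
    """Keep only the final path component and strip trailing dots/spaces.

    Some clients ignore a trailing "." or " " when deciding which program
    opens a file, so "evil.exe ." must still be judged as ".exe".
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.strip().rstrip(". ").lower()


def screen_attachment(name: str) -> Verdict:
    """Apply the Step 2 policy to one attachment file name."""
    clean = _normalise(name)
    parts = clean.split(".")
    if len(parts) < 2:
        return Verdict(name, "allow", None)  # no extension at all
    # Every extension after the stem, with padding spaces removed so that
    # "notes.txt        .pif" is seen as txt followed by pif.
    exts = [p.strip() for p in parts[1:]]
    last = exts[-1]
    if last in BLOCKED_EXTENSIONS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            return Verdict(name, "block",
                           f"suspicious combination .{exts[-2]}.{last}")
        return Verdict(name, "block", f"blocked extension .{last}")
    return Verdict(name, "allow", None)


def blocked_attachments(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every attachment the policy would block."""
    out = []
    for n in names:
        v = screen_attachment(n)
        if v.action == "block":
            out.append((n, v.reason))
    return out


if __name__ == "__main__":
    # Constructed sample attachment names.
    for n in ["invoice.pdf", "setup.EXE", "readme.txt.vbs", "page.htm.exe",
              "notes.txt        .pif", "README", "archive.tar.gz"]:
        print(screen_attachment(n))
```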
Because malicious code incidents can take many forms, they may be detected via a number of
precursors and indications. Some precursors and possible responses are listed below:
Precursor: An alert warns of new malicious code that targets software that the organization uses.
Response: Research the new virus to determine whether it is real or a hoax. This can be done
through antivirus vendor websites and virus hoax sites. If the malicious code is confirmed as
authentic, ensure that antivirus software is updated with virus signatures for the new malicious
code. If a virus signature is not yet available, and the threat is serious and imminent, the activity
might be blocked through other means, such as configuring email servers or clients to block
emails matching characteristics of the new malicious code. The team might also want to notify
antivirus vendors of the new virus.
Precursor: Antivirus software detects and successfully disinfects or quarantines a newly received
infected file.
Response: Determine how the malicious code entered the system and what vulnerability or
weakness it was attempting to exploit. If the malicious code might pose a significant risk to other
users and hosts, mitigate the weaknesses that the malicious code used to reach the system and
would have used to infect the target host.
Similarly, there are certain indications that can highlight the onset of a malicious action. For example:
Malicious action: a worm that spreads through a vulnerable service infects a host.
Indicators:
Antivirus software alerts of infected files
Port scans and failed connection attempts targeted at the vulnerable service (e.g. open
Windows shares, HTTP)
Increased network usage
Programs start slowly, run slowly or do not run at all
System instability and crashes
Malicious action: malicious mobile code on a Web site is used to infect a host with a virus, worm or
Trojan horse.
Indicators:
Indications listed above for the pertinent type of malicious code
Unexpected dialog boxes, requesting permission to do something
Unusual graphics such as overlapping or overlaid message boxes
Identifying and isolating other infected hosts: antivirus alert messages are a good source of
information, but not every infection will be detected by antivirus software.
Incident handlers may need to search for indications of infection through other means such as:
• performing port scans to detect hosts listening on a known Trojan horse or backdoor port.
• using antivirus scanning and clean-up tools released to combat a specific instance of malicious
code.
• reviewing logs from email servers, firewalls and other systems that the malicious code may have
passed through, as well as individual host logs.
• configuring network and host intrusion detection software to identify activity associated with
infections.
• auditing the processes running on systems to confirm that they are all legitimate.
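The worm indicators listed earlier (port scans and failed connection attempts against a vulnerable service such as open Windows shares) can be pulled out of the firewall logs mentioned above. This is an added example, not the handbook's code: the log line format and the sample lines are constructed, and the watched ports and thresholds are assumptions to tune per environment.

```python
"""Find hosts that fan out failed connections to a vulnerable service.

Added example, not from the handbook. The log format is constructed:
"<ISO time> <DENY|ALLOW|RST> <TCP|UDP> <src>:<sport> -> <dst>:<dport>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Services the handbook names as worm targets: Windows shares and HTTP.
WATCHED_PORTS = {139, 445, 80}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>DENY|ALLOW|RST)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

Event = Tuple[datetime, str, int]  # (time, destination ip, destination port)


def parse_failed_attempts(lines: Iterable[str]) -> Dict[str, List[Event]]:
    """Group failed attempts (DENY or RST) to watched ports by source host."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["action"] == "ALLOW":
            continue
        dport = int(m["dport"])
        if dport not in WATCHED_PORTS:
            continue
        ts = datetime.fromisoformat(m["ts"])
        by_src[m["src"]].append((ts, m["dst"], dport))
    return by_src


def find_scanners(lines: Iterable[str], min_targets: int = 5,
                  window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Return {source: distinct targets} for sources whose failed attempts
    reach at least `min_targets` distinct hosts inside any `window`."""
    suspects = {}
    for src, events in parse_failed_attempts(lines).items():
        events.sort()
        start = 0
        in_window: Dict[str, int] = defaultdict(int)  # dst ip -> hits in window
        best = 0
        for ts, dst, _ in events:
            in_window[dst] += 1
            # Evict events that fell out of the sliding window.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            suspects[src] = best
    return suspects


# Constructed sample: 10.0.5.23 sweeps a subnet on 445/139 within seconds,
# 10.0.5.40 is ordinary noise (one retry, one unrelated SSH attempt).
SAMPLE_LOG = """\
2015-12-01T10:00:01 DENY TCP 10.0.5.23:51200 -> 10.0.7.1:445
2015-12-01T10:00:01 DENY TCP 10.0.5.23:51201 -> 10.0.7.2:445
2015-12-01T10:00:02 DENY TCP 10.0.5.23:51202 -> 10.0.7.3:445
2015-12-01T10:00:02 RST  TCP 10.0.5.23:51203 -> 10.0.7.4:445
2015-12-01T10:00:03 DENY TCP 10.0.5.23:51204 -> 10.0.7.5:445
2015-12-01T10:00:03 DENY TCP 10.0.5.23:51205 -> 10.0.7.6:139
2015-12-01T10:00:04 DENY TCP 10.0.5.23:51206 -> 10.0.7.7:445
2015-12-01T10:00:04 DENY TCP 10.0.5.23:51207 -> 10.0.7.8:445
2015-12-01T10:00:05 ALLOW TCP 10.0.5.40:40001 -> 10.0.7.41:445
2015-12-01T10:00:09 DENY TCP 10.0.5.40:40002 -> 10.0.7.41:445
2015-12-01T10:00:10 DENY TCP 10.0.5.40:40003 -> 10.0.9.9:80
2015-12-01T10:00:11 DENY TCP 10.0.5.40:40004 -> 10.0.9.9:22
""".splitlines()

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))  # {'10.0.5.23': 8}
```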
Sending unknown malicious code to antivirus vendors: malicious code that cannot be definitively
identified by antivirus software may occasionally enter the environment. Eradicating the malicious
code from systems and preventing additional infections may be difficult or impossible without having
updated antivirus signatures from the vendor. Incident handlers should be familiar with the
procedures for submitting copies of unknown malicious code to the organization’s antivirus vendors.
Configuring email servers and clients to block emails: many email programs can be configured
manually to block emails by particular subjects, attachment names or other criteria that correspond
to the malicious code. This is neither a foolproof nor an efficient solution, but it may be the best option
available if an imminent threat exists and antivirus signatures are not yet available.
Blocking outbound access: if the malicious code attempts to generate outbound emails or
connections, handlers should consider blocking access to IP addresses or services to which the infected
system may be attempting to connect.
Shutting down email servers: during the most severe malicious code incidents with hundreds or
thousands of internal hosts infected, email servers may become completely overwhelmed by viruses
trying to spread via email. It may be necessary to shut down an email server to halt the spread of
email-borne viruses.
Isolating networks from the internet: networks may become overwhelmed with worm traffic when a
severe worm infestation occurs. Occasionally a worm will generate so much traffic throughout the
internet that network perimeters are completely overwhelmed. It may be better to disconnect the
organization from the internet, particularly if the organization’s internet access is essentially useless
as a result of the volume of worm traffic. This protects the organization’s systems from being attacked
by external worms and, should the organization’s systems already be infected, prevents them from
attacking other systems and adding to the traffic congestion.
With respect to legal proceedings, it is important to clearly document how all evidence, including
compromised systems, has been preserved. Evidence should be collected according to procedures
that meet all applicable laws and regulations that have been developed from previous discussions with
legal staff and appropriate law enforcement agencies so that any evidence can be admissible in court.
Thus, users and system administrators should be made aware of the steps that they should take to
preserve evidence.
• repeat the detection and analysis steps to identify all other affected hosts, if more affected
hosts are discovered (e.g. new malware infections).
Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from
scratch, replacing compromised files with clean versions, installing patches, changing passwords and
tightening network perimeter security (e.g. firewall rulesets, boundary router access control lists).
Eradication and recovery should be done in a phased approach so that remediation steps are
prioritized.
Antivirus systems
Antivirus software effectively identifies and removes malicious code infections; however, some
infected files cannot be disinfected. (Such files can be deleted and replaced with clean backup copies. In
the case of an application, the affected application can be reinstalled.) If the malicious code provided
attackers with root-level access, it may not be possible to determine what other actions the attackers
may have performed. In such cases, the system should either be restored from a previous, uninfected
backup or be rebuilt from scratch. Of course, the system should then be secured so that it will not be
susceptible to another infection from the same malicious code.
Antivirus software sends alerts when it detects that a host is infected with malware. It detects various
forms of malware, generates alerts and prevents the malware from infecting hosts. Current antivirus
products are effective at stopping many instances of malware if their signatures are kept up to date.
Anti-spam software is used to detect spam and prevent it from reaching users’ mailboxes. Spam may
contain malware, phishing attacks and other malicious content, so alerts from anti-spam software may
indicate attack attempts.
The Challenge
A large, multinational organization was alerted by US-CERT/FBI that it had been the source of a number
of credit cards and details being leaked/sold on underground (carding) forums. After an initial
investigation, the organization's security team discovered a compromised credit-card processing server
but, having insufficient resources and skills in dealing with the incident, called in OSEC.
The Solution
OSEC sent a team of analysts, including Incident Response, Crisis Management, and Digital Forensics
personnel to the organization's head office and data centres to deal with the incident. Once there, the
team initiated full incident response based on the information supplied by the organization itself as well
as law enforcement/authorities.
The first task was understanding what measures were in place to deal with the incident. Unfortunately,
while the organization had an incident response plan, it had not undertaken the first step of Incident
Response - preparation. OSEC's incident response manager, along with the team, got to work coming up
with a strategy: analysing the available information, using it to understand the extent of the
compromise, and the incident, and working out how to contain and eradicate it. All the while,
information to the rest of the organization and the world at large had to be controlled, due to the
possible legal and regulatory implications.
Now that you know the security challenge the organization faced after the US-CERT/FBI alert, read
the Detection and Eradication process that was adopted to handle the incident in a controlled
manner:
Containment required understanding what data had been exfiltrated, and working back from there to
the compromised resources, as well as examining the rest of the environment for other footholds that
the attackers had. Quickly gaining an understanding of the network and segmentation, as well as
rapidly implementing network behavioural analysis and performing content inspection between the
payment processing infrastructure and external networks, OSEC detected connections back to
command and control servers that were known to be operated by organized criminal elements
('carders'). From there, we analysed the compromised systems using forensic techniques to
determine how, and through which vulnerabilities, access had been gained, correlating that with
available logging information, all the while monitoring network flows both to ensure that no
additional card information was being exfiltrated and to understand what machines were under the
attackers' control, all without alerting the bad guys.
Within a short amount of time, OSEC determined that a third-party web application/site that was
vulnerable to SQL injection had been initially compromised, and then used as a "base of operations" to
penetrate further into the network, ultimately gaining access to the payment processing segments. By
targeting administrators using social engineering attacks in combination with an Internet Explorer
vulnerability, they had then stolen credentials that could be used to authenticate to payment
processing servers, and utilized privilege escalation vulnerabilities on the servers themselves to harvest
credit card numbers as they were being processed. In addition, they had installed customized malware
that communicated with the command and control servers and exfiltrated data through encrypted
tunnels, in bursts, to evade detection.
OSEC then went about stopping the spread of the malware and compromise, and expelling the
attackers from the network. Once we had determined that the malware installed would not respond
negatively to loss of connectivity to command and control servers, we quickly:
• ensured the initial point of compromise (SQL injection) was corrected;
• scanned for similar common vulnerabilities in externally-visible systems, and ensured any
identified issues were corrected;
• reset all relevant authentication credentials;
• blocked the attackers at the network perimeter.
We then set about isolating and cleaning
each of the compromised hosts as quickly as we could, in coordination with IT personnel, to ensure
that the processing systems were impacted as little as possible. In most cases, we were able to wipe
hosts and perform recovery to ensure all traces of malware were eradicated, but a number of systems
required manual cleaning, which we undertook with the relevant organizational resources, and
initiated extensive monitoring to ensure no undetected issues remained.
Finally, once the full extent of the breach was understood (particularly what and how much data had
been stolen), OSEC coordinated with PR and Legal personnel to manage client and other regulatory-
body notifications.
Post-Incident Activity
Once the immediate incident had been dealt with, OSEC performed a post-mortem analysis of the
incident, the organization's response, and compared it to OSEC's internally-developed IR processes,
procedures, and frameworks to identify what needed to be done to ensure IR, vulnerability
management, as well as overall Information Security Management process and procedures were
improved such that future incidents would be minimized. We then sat down with the various
stakeholders in the organization that had been involved and discussed the incident and response,
explaining the relevant issues, identifying organizational problems that also needed to be corrected, as
well as future strategies for avoiding incidents and dealing with them when they occurred,
communicating our recommended incident response strategy and implementation to the
organization's senior levels.
Having reviewed OSEC's recommendations, the organization then asked us back to assist with
implementing them. Over a 3-month period, OSEC led a number of efforts, including implementing
protection mechanisms at the host, application, and network layers; establishing functioning
vulnerability management within the overall information security management program; verifying
processes, helping with staffing and training, and performing incident response drills to test the final
product.
The Result
Twelve months after implementing the recommendations, and achieving a practical incident response
program, the organization has not suffered any subsequent breaches. In addition, it has gained the
assurance, through incident response drills, that should a breach occur, response will be swift and
effective.
Summary
Malicious code attacks can be divided into five categories: viruses, Trojan horses, worms,
mobile code and blended.
Recommendations for organizing computer security incident handling are summarized
below:
o Develop an incident response plan based on the incident response policy.
o Develop incident response procedures.
o Establish policies and procedures regarding incident related information sharing.
o Consider the relevant factors when selecting an incident response team model.
o Profile networks and systems.
o Understand the normal behaviors of networks, systems and applications.
o Create a log retention policy.
o Perform event correlation.
o Acquire tools and resources that may be of value during incident handling.
o Prevent incidents from occurring by ensuring that networks, systems and applications
are sufficiently secure.
o Identify precursors and indicators through alerts generated by several types of
security software.
o Establish mechanisms for outside parties to report incidents.
o Require a baseline level of logging and auditing on all systems and a higher baseline
level on all critical systems.
o Keep all host clocks synchronized.
o Maintain and use a knowledge base of information.
Recommendations for handling malicious code incidents include:
o Deploy host based intrusion detection systems, including file integrity checkers to
critical hosts.
o Make users aware of malicious code issues.
o Use antivirus software, and keep it updated with the latest virus signatures.
o Configure software to block suspicious files.
o Eliminate open Windows shares.
o Contain malicious code incidents as quickly as possible.
Practical activities:
Activity 1:
Work in groups and list various service providers and products that help in addressing
malicious code incidents through prevention and eradication. Compare features and
benefits of various products and service providers. Present your finding in class and
compare the findings with that of your peers.
Activity 2:
Collate data on various OS and the inbuilt provisions to prevent malicious code
incidents. Present the same in class.
a) _________ ___________ objectively works on minimizing larger negative business (e.g. more
extensive damage, longer periods of service and data unavailability, etc.) impact and reduced number
of incidents.
b) Malware can be deployed at the levels of _____________ level, ______________ _________ level
and ___________ ___________ level.
Q. List at least one each of file extensions of attachments that are associated with malicious code and
suspicious file extension combinations.
Q. List at least two indicators for the following malicious code action:
Malicious action: a worm that spreads through a vulnerable service infects a host.
Indicators:
_____________________________________________________________________
_____________________________________________________________________
Malicious action: malicious mobile code on a website is used to infect a host with a virus, worm or
Trojan horse.
Indicators:
_____________________________________________________________________
_____________________________________________________________________
Indicators:
__________________________________________________________________________________
__________________________________________________________________________________
UNIT V
Handling Network Security
Incidents
Lesson Plan
Lesson
Intruders probe computer networks to gather information about computer systems and
resources. A probe is any attempt launched to detect:
• active hosts and networks that are reachable over a public or an accessible medium.
• services and applications they are running, together with any vulnerability that these services
and applications may have, which could be exposed and taken advantage of.
Probes are of two types:
1. Active
2. Passive
An active probe involves some attempted interaction over the network on behalf of the
intruder. This may involve sending a packet directly to a target host or a network or some
intermediary used for the purposes of probing.
A passive probe, on the other hand, would involve an intruder restricting herself to sniffing
and logging traffic, originating from and destined to a potential or an identified target and
obtaining relevant information. The choice of being passive may be due to reasons of
configuration or access or it may be a deliberate act by an intruder to avoid detection.
Passive probes, by their nature, are hard to detect. Any reconnaissance information gained using
such tactics, however, is limited to the traffic visible to an intruder. Active probes are
necessary if an intruder wishes to gather information that is both timely and of her choosing.
A variety of techniques exist for active probes, including making use of mechanisms such as the TCP
handshake to judge a host’s liveness, fingerprinting the protocol stack (which often indicates the
operating system the host is running), probing DNS servers and grabbing service banners volunteering
information on the host.
Most active probes make use of techniques that use the core protocols of the modern day
communications, namely IP, ICMP, TCP and UDP. Common approaches to counter-probing activity at
this level include:
• filtering inbound ICMP probes (responses to which are used to determine what machine
is alive).
• filtering outbound ICMP responses to UDP port scanning attempts (where a lack of
response allows an intruder to determine a live host).
• filtering inbound TCP probes with different combinations of flags set (the response, or lack of
one, may indicate to an intruder whether a host is live or not, depending on the flags set and the
operating system probed).
• using a variety of firewalling techniques that allow throttling of probes and stateful
mechanisms that disallow unsolicited packets aimed at generating responses from target
hosts.
A somewhat more proactive approach is suggested by Kang et al., who propose to generate false
positive responses to any probes attempting to detect hosts or enumerate ports targeting an unused
address space or closed ports on active hosts. Their approach, referred to as all positive response
(APR), is designed to make it difficult for an intruder to distinguish active hosts from inactive ones,
and open ports from closed ones. To an intruder, all machines appear active and all ports appear open.
Such an approach could also help in detecting any packets that follow up after initial probes, which
attempt to probe the host further, enumerating ports or assessing some vulnerability.
Using false responses is useful in hiding any information about the network that an intruder may try
to gather, but an all positive approach will certainly indicate to an intruder that false responses are
being generated to all probing. Another important issue is that generating false responses for a very
large network may require untenably large resources, and may therefore not be scalable. Some
factors to consider here are the size of the entire (used and unused) address space that the false
response needs to be generated for, the rate at which the network is probed, the various types of
probes launched (that need to be responded to) and memory state required to detect any attempts
at intrusion that follow up a false response.
Generating a false positive response to probes targeting a closed port on an active host could also
result in a conflict: an active host may have a port closed at the time of the probe, but the port may
open (upon the host initiating a connection or starting a service, for instance) sometime after the false
response is generated. Some alternatives to APR could be designed so that such responses are
generated:
• where some probes are randomly replied to and some are not.
• to a specified subset of the unused address space. This subset could be chosen randomly (from a
given chunk of addresses) or strategically (from an address space used non-contiguously).
• for all probes destined for the unused address space. This is similar to APR, except that only probes
destined for the unused parts of the address space are replied to and one or a few services
depicted.
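The APR policy and the three alternatives just listed can be compared on a toy network. This is an added example, not from the handbook or from Kang et al.: the network, the policy labels ("truthful", "apr", "random", "subset", "unused-only") and the follow-up detection rule (a second packet from the same source to a decoy address) are constructed assumptions.

```python
"""Simulate probe-response policies: truthful, APR and the alternatives.

Added example, not the handbook's code. Addresses are from the documentation
range and the policy names are this example's own labels.
"""
import ipaddress
import random
from typing import Dict, Iterable, Set, Tuple


class ProbeResponder:
    """Decides how the network answers a probe to (dst, port) from src."""

    def __init__(self, network: str, active: Dict[str, Iterable[int]],
                 policy: str, decoy_subset: Iterable[str] = (), seed: int = 0):
        self.net = ipaddress.ip_network(network)
        # Active hosts and their genuinely open ports.
        self.active = {ipaddress.ip_address(h): set(p) for h, p in active.items()}
        self.policy = policy
        self.decoy_subset = {ipaddress.ip_address(a) for a in decoy_subset}
        self.rng = random.Random(seed)          # for the "random" policy
        self.decoy_hits: Dict[str, Set[Tuple[str, int]]] = {}
        self.followups: Set[str] = set()        # sources that came back to a decoy

    def open_port(self, host: str, port: int) -> None:
        """A service starts later on an active host (the conflict case)."""
        self.active.setdefault(ipaddress.ip_address(host), set()).add(port)

    def answer(self, src: str, dst: str, port: int) -> str:
        """Return 'open' (real service), 'decoy' (false positive) or 'closed'."""
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip not in self.net:
            return "closed"
        if dst_ip in self.active and port in self.active[dst_ip]:
            return "open"
        unused = dst_ip not in self.active
        if self.policy == "truthful":
            fake = False
        elif self.policy == "apr":            # all positive response
            fake = True
        elif self.policy == "random":         # some probes answered, some not
            fake = self.rng.random() < 0.5
        elif self.policy == "subset":         # chosen subset of unused space
            fake = unused and dst_ip in self.decoy_subset
        elif self.policy == "unused-only":    # only unused addresses lie
            fake = unused
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        if not fake:
            return "closed"
        # A false positive was sent; remember it so that a follow-up probe
        # from the same source to the same decoy address can be flagged.
        seen = self.decoy_hits.setdefault(src, set())
        if any(d == dst for d, _ in seen):
            self.followups.add(src)
        seen.add((dst, port))
        return "decoy"


def sweep(responder: ProbeResponder, src: str, port: int) -> Set[str]:
    """What a sweep from `src` sees: addresses that answered positively."""
    return {str(h) for h in responder.net.hosts()
            if responder.answer(src, str(h), port) != "closed"}


# Constructed network: a /29 with two active hosts.
ACTIVE = {"192.0.2.1": {80}, "192.0.2.2": {22}}

if __name__ == "__main__":
    for policy in ("truthful", "apr", "unused-only", "subset"):
        r = ProbeResponder("192.0.2.0/29", ACTIVE, policy, decoy_subset={"192.0.2.5"})
        print(policy, sorted(sweep(r, "198.51.100.9", 80)))
```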
Handling specific types of incidents
Denial of Service (DoS) — an attack that prevents the usage of network, system or application
resources.
Malicious Code — a virus, worm, Trojan horse or other code based malicious entity that infects
a host.
Unauthorized Access — a user gains access without permission to a network, system,
application, data or other resource.
Inappropriate Usage — a user violates acceptable computing use policies.
Multiple Component — a single incident that encompasses two or more incidents. For example,
a malicious code infection leads to unauthorized access to a host, which is then used to gain
unauthorized access to additional hosts.
General considerations
DDoS attacks often take the form of flooding the network with unwanted traffic. Some attacks
focus on overwhelming resources of a specific system.
It will be very difficult to defend against the attack without specialized equipment or your ISP’s
help.
Too many people often participate during incident response. Limit the number of people on the
team.
DDoS incidents may span days. Consider how your team will handle a prolonged attack. Humans
get tired!
Understand your equipment’s capabilities in mitigating a DDoS attack. Many underappreciate the
capabilities of their devices or overestimate their performance.
If you do not prepare for a DDoS incident in advance, you will waste precious time during the
attack.
Contact your ISP to understand the paid and free DDoS mitigation it offers and what process you
should follow.
Create a whitelist of the source IPs and protocols you must allow if prioritizing traffic during an
attack. Include your big customers, critical partners etc.
Confirm DNS time-to-live (TTL) settings for the systems that might be attacked. Lower the TTLs, if
necessary, to facilitate DNS redirection if the original IPs get attacked.
Establish contacts for your ISP, law enforcement, IDS, firewall, systems and network teams.
Document your IT infrastructure details, including business owners, IP addresses and circuit IDs.
Prepare a network topology diagram and an asset inventory.
Understand business implications (e.g. money lost) of likely DDoS attack scenarios.
If the risk of a DDoS attack is high, consider purchasing specialized DDoS mitigation products or
services.
Collaborate with your BCP/ DR planning team to understand their perspective on DDoS incidents.
Harden the configuration of network, OS and application components that may be targeted by
DDoS.
Baseline your current infrastructure’s performance so you can identify the attack faster and more
accurately.
Understand the logical flow of the DDoS attack and identify the infrastructure components
affected by it.
Review the load and logs of servers, routers, firewalls, applications and other affected
infrastructure.
Identify what aspects of the DDoS traffic differentiate it from benign traffic (e.g. specific source
IPs, destination ports, URLs, TCP flags etc.).
Use a network analyzer (e.g. tcpdump, ntop, Aguri, MRTG, a NetFlow tool) to review the traffic.
Contact your ISP and internal teams to learn about their visibility into the attack, and to ask for
help.
If contacting the ISP, be specific about the traffic you would like to control (e.g. which network
blocks to blackhole, which source IPs to rate-limit).
Find out whether the company received an extortion demand as a precursor to the attack.
Create a NIDS signature to differentiate between benign and malicious traffic, if possible.
Notify your company’s executive and legal teams; consider involving law enforcement upon their
direction.
While it is very difficult to fully block DDoS attacks, you may be able to mitigate their effects.
Attempt to throttle or block DDoS traffic as close to the network’s “cloud” as possible via a router,
firewall, load balancer, specialized device etc.
Terminate unwanted connections or processes on servers and routers and tune their TCP/ IP
settings.
Switch to alternate sites or networks using DNS or another mechanism. Blackhole DDoS traffic
targeting the original IPs, if possible.
If the bottleneck is a particular feature of an application, temporarily disable that feature.
Add servers or network bandwidth to handle the DDoS load (this is an arms race though).
Route traffic through a traffic-scrubbing service or product via DNS or routing changes.
If adjusting defenses, make one change at a time, so you know the cause of the changes you may
observe.
Configure egress filters to block the traffic your systems may send in response to DDoS traffic to
avoid adding unnecessary packets to the network.
• Consider what preparation steps you could have taken to respond to the incident faster or more
effectively.
• Adjust assumptions that affected the decisions made during DDoS incident preparation, if
necessary.
• Assess the effectiveness of your DDoS response process, involving people and communication.
• Consider what relationships inside and outside your organization could help you with future
incidents.
Preparation: establish contacts, define procedures and gather tools to save time during an attack.
Analysis: detect the incident, determine its scope and involve the appropriate parties.
Mitigation: mitigate the attack’s effects on the targeted environment.
Wrap up: document the incident’s details, discuss lessons learned and adjust plans and defenses.
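The analysis steps above (find what differentiates the attack traffic, then give the ISP something specific to blackhole or rate-limit) can be carried out over a flow sample with a short script. The following is an added example and not code from the handbook; the flow records, the field layout and the detection thresholds are all constructed for the example, and in practice the records would come from tcpdump, a NetFlow collector or the load balancer.

```python
"""Added example (not from the handbook): triage a sample of flow records to
separate DDoS traffic from benign traffic and turn the result into the concrete
request an ISP asks for (which prefixes to blackhole, which hosts to rate-limit,
which destination port is targeted).

All records below are constructed for this example.  In practice they would come
from tcpdump, a NetFlow collector or a load balancer, with the same field layout:
    src_ip  dst_ip  dst_port  proto  tcp_flags  packets
"""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample: two ordinary web clients that complete handshakes and push
# data (flags S then PA), a cluster of hosts in 203.0.113.0/24 sending bare SYNs
# at port 443, and a lone flooder in 198.18.5.0/24.
SAMPLE_FLOWS = """\
# src_ip        dst_ip        dport proto flags packets
192.0.2.7       198.51.100.5  443   tcp   S     40
192.0.2.7       198.51.100.5  443   tcp   PA    900
192.0.2.8       198.51.100.5  80    tcp   S     12
192.0.2.8       198.51.100.5  80    tcp   PA    300
203.0.113.10    198.51.100.5  443   tcp   S     50000
203.0.113.11    198.51.100.5  443   tcp   S     48000
203.0.113.12    198.51.100.5  443   tcp   S     51000
203.0.113.200   198.51.100.5  443   tcp   S     47000
198.18.5.5      198.51.100.5  443   tcp   S     46000
198.18.5.5      198.51.100.5  443   tcp   PA    10
"""


def parse_flows(text):
    """Parse the whitespace-separated records, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto, flags, packets = line.split()
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "flags": flags, "packets": int(packets)})
    return flows


def profile_sources(flows):
    """Per source: total packets, share that are bare SYNs, ports touched.
    A bare-SYN share near 1.0 means the source never completes a handshake,
    which is the signature of a SYN flood rather than a busy legitimate client."""
    total, syn_only, ports = Counter(), Counter(), defaultdict(set)
    for f in flows:
        total[f["src"]] += f["packets"]
        if f["proto"] == "tcp" and f["flags"] == "S":
            syn_only[f["src"]] += f["packets"]
        ports[f["src"]].add(f["dport"])
    return {src: {"packets": total[src],
                  "syn_ratio": syn_only[src] / total[src],
                  "ports": sorted(ports[src])} for src in total}


def find_flood_sources(profiles, min_packets=10000, min_syn_ratio=0.9):
    """Sources that are both high-volume and almost entirely bare SYNs.
    Thresholds are assumptions for the sample; tune them against a baseline."""
    return sorted(src for src, p in profiles.items()
                  if p["packets"] >= min_packets and p["syn_ratio"] >= min_syn_ratio)


def isp_request(flood_sources, flows, min_hosts_per_prefix=3):
    """Aggregate attackers into the form an ISP can act on: a /24 with several
    attacking hosts is a blackhole candidate, a lone host is rate-limited, and
    the most-hit destination port tells them what to filter on."""
    by_prefix = defaultdict(list)
    for src in flood_sources:
        by_prefix[str(ipaddress.ip_network(f"{src}/24", strict=False))].append(src)
    blackhole = sorted(p for p, hosts in by_prefix.items()
                       if len(hosts) >= min_hosts_per_prefix)
    rate_limit = sorted(h for p, hosts in by_prefix.items()
                        if len(hosts) < min_hosts_per_prefix for h in hosts)
    hits = Counter()
    for f in flows:
        if f["src"] in flood_sources:
            hits[f["dport"]] += f["packets"]
    return {"blackhole_prefixes": blackhole,
            "rate_limit_hosts": rate_limit,
            "target_port": hits.most_common(1)[0][0] if hits else None}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    profiles = profile_sources(flows)
    flood = find_flood_sources(profiles)
    for src in flood:
        print(f"{src:15} packets={profiles[src]['packets']:6} "
              f"syn_ratio={profiles[src]['syn_ratio']:.2f}")
    print(isp_request(flood, flows))
```

The benign clients are excluded not by volume alone but by the fact that they complete handshakes; a single busy legitimate client can out-talk a flood source, so volume without the flag profile is a poor discriminator. The same structure works for other differentiators the page lists (a specific URL, a fixed packet size): replace the bare-SYN test with the attribute that separates the attack from the baseline.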
Preparation
configure network based and host based IDS software (such as file integrity checkers and log
monitors) to identify and alert on attempts to gain unauthorized access. Each type of intrusion
detection software may detect attacks that others are not able to detect.
use centralized log servers so pertinent information from hosts across the organization is stored
in a single secured location.
establish procedures to be followed when all users of an application, system, trust domain or
organization should change their passwords because of a password compromise. The procedures
should adhere to the organization’s password policy.
discuss unauthorized access incidents with system administrators so that they understand their
roles in the incident handling process.
Prevention
Network security
Configure the network perimeter to deny all incoming traffic that is not expressly permitted.
Secure all remote access methods properly, including modems and VPNs. An unsecured modem can
provide easily attainable unauthorized access to internal systems and networks. War dialling is the
most efficient technique for identifying improperly secured modems. When securing remote access,
carefully consider the trustworthiness of the clients. If they are outside the organization’s control,
they should be given as little access to resources as possible, and their actions should be closely
monitored.
Put all publicly accessible services on secured demilitarized zone (DMZ) network segments. The
network perimeter can then be configured so that external hosts can establish connections only to
hosts on the DMZ, not internal network segments.
Use private IP addresses for all hosts on internal networks. This will severely restrict the ability of
attackers to establish direct connections to internal hosts.
Host security
• perform regular vulnerability assessments to identify serious risks and mitigate the risks to an
acceptable level.
• disable all unneeded services on hosts. Separate critical services so they run on different hosts. If an
attacker then compromises a host, immediate access should be gained only to a single service.
• run services with the least privileges possible to reduce the immediate impact of successful exploits.
• use host based firewall software to limit individual hosts’ exposure to attacks.
• limit unauthorized physical access to logged-in systems by requiring hosts to lock idle screens
automatically and asking users to log off before leaving the office.
• verify the permission settings regularly for critical resources, including password files, sensitive
databases and public web pages. This process can easily be automated to report changes in
permissions on a regular basis.
• create a password policy that requires the use of complex, ‘difficult-to-guess’ passwords, forbids
password sharing, and directs users to use different passwords on different systems, especially
external hosts and applications.
• create authentication and authorization standards for employees and contractors to follow when
developing software. For example, passwords should be protected with a FIPS 140-2 validated
algorithm when they are transmitted, and stored only as salted one-way hashes rather than in a
recoverable (encrypted) form.
• establish procedures for provisioning and de-provisioning user accounts. These should include an
approval process for new account requests and a process for periodically disabling or deleting
accounts that are no longer needed.
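The bullet on verifying permission settings says the check can be automated to report changes; the following added example (not code from the handbook) shows one way to do that. It snapshots owner, group and mode bits for a list of critical paths, diffs a later snapshot against the baseline, and singles out the changes that widen access or alter ownership. The file paths, the temporary file and the scenario in demo() are constructed for the example.

```python
"""Added example (not from the handbook): a small permission-baseline checker of
the kind the bullet above says can be automated.  It snapshots owner, group and
mode bits for a list of critical paths, compares a later snapshot against the
baseline and singles out changes that widen access or alter ownership.

The paths, the temporary file and the baseline values in demo() are constructed
for this example; in production the baseline would be written once and stored
off-host, and the check run from cron or a scheduler."""
import os
import stat
import tempfile


def snapshot(paths):
    """Record mode bits, uid and gid per path.  A missing path is recorded as
    None so that a deleted critical file is reported, not silently skipped."""
    result = {}
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            result[p] = None
            continue
        result[p] = {"mode": stat.S_IMODE(st.st_mode),
                     "uid": st.st_uid, "gid": st.st_gid}
    return result


def diff_snapshots(baseline, current):
    """Return (path, what_changed, old, new) tuples; attribute-level changes are
    reported separately so a chmod and a chown on the same file both show up."""
    findings = []
    for p, expected in baseline.items():
        actual = current.get(p)
        if expected is None and actual is None:
            continue
        if actual is None:
            findings.append((p, "missing", expected, None))
        elif expected is None:
            findings.append((p, "appeared", None, actual))
        else:
            for key in ("mode", "uid", "gid"):
                if expected[key] != actual[key]:
                    findings.append((p, key, expected[key], actual[key]))
    return findings


def risky_findings(findings):
    """Keep the findings that matter most: newly granted group/other write bits,
    any ownership change, or a critical file that vanished.  Modes are rendered
    in octal for the report."""
    risky = []
    for p, key, old, new in findings:
        if key == "mode":
            newly_writable = (new & 0o022) & ~(old & 0o022)
            if newly_writable:
                risky.append((p, key, oct(old), oct(new)))
        elif key in ("uid", "gid", "missing"):
            risky.append((p, key, old, new))
    return risky


def demo():
    """Constructed scenario: a 0600 file is loosened to 0666 between two runs."""
    with tempfile.TemporaryDirectory() as d:
        shadow = os.path.join(d, "shadow")
        with open(shadow, "w") as fh:
            fh.write("root:*:16770:0:99999:7:::\n")
        os.chmod(shadow, 0o600)
        watched = [shadow, os.path.join(d, "absent-file")]
        baseline = snapshot(watched)
        os.chmod(shadow, 0o666)          # the change the checker should catch
        findings = diff_snapshots(baseline, snapshot(watched))
        return findings, risky_findings(findings)


if __name__ == "__main__":
    findings, risky = demo()
    for item in findings:
        print("changed:", item)
    for item in risky:
        print("RISKY:  ", item)
```

Tightening a mode (0640 to 0600) is still reported as a change but not as risky, which keeps the alert channel for cases that need a human. Keep the baseline file itself out of reach of the accounts whose changes it is meant to catch; a checker whose baseline an attacker can rewrite proves nothing.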
Physical security
As unauthorized access incidents can occur in many forms, they can be detected through dozens of
types of precursors and indications.
Precursors
List of precursors and respective responses:
Precursor: unauthorized access incidents are often preceded by reconnaissance activity to map
hosts and services and to identify vulnerabilities. Activity may include port scans, host scans,
vulnerability scans, pings, traceroutes, DNS zone transfers, OS fingerprinting and banner
grabbing. Such activity is detected primarily through IDS software and secondarily through log
analysis.
Response: incident handlers should look for distinct changes in reconnaissance patterns, for
example a sudden interest in a particular port number or host. If this activity points to a
vulnerability that could be exploited, the organization may have time to block future attacks by
mitigating the vulnerability (e.g. patching a host, disabling an unused service, modifying firewall
rules etc.).
Precursor: a new exploit for gaining unauthorized access is released publicly, and it poses a
significant threat to the organization.
Response: the organization should investigate the new exploit and, if possible, alter security
controls to minimize the potential impact of the exploit for the organization.
Precursor: users report possible social engineering attempts — attackers trying to trick them into
revealing sensitive information, such as passwords or encouraging them to download or run
programs and file attachments.
Response: the incident response team should send a bulletin to users with guidance on handling
the social engineering attempts. The team should determine what resources the attacker was
interested in and look for corresponding log based precursors, as it is likely that the social
engineering is only part of the reconnaissance.
Precursor: a person or system may observe a failed physical access attempt (e.g. outsider
attempting to open a locked wiring closet door, unknown individual using a cancelled ID badge).
Response: security should detain the person, if possible. The purpose of the activity should be
determined and it should be verified that the physical and computer security controls are strong
enough to block the apparent threat. (An attacker who cannot gain physical access may perform
remote computing based attacks instead.) Physical and computer security controls should be
strengthened if necessary.
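The first precursor/response pair above (reconnaissance seen in IDS or firewall logs, and a "sudden interest in a particular port number or host") can be turned into two simple log-based checks. The following is an added example, not code from the handbook: it compares the number of distinct sources per port in a current window against a baseline period, and separately flags single sources that sweep many ports on one host. Both log sets and the deny-line format are constructed for the example; LOG_RE would be adapted to the firewall or IDS actually in use.

```python
"""Added example (not from the handbook): log-based detection of a change in
reconnaissance pattern, as the Response above describes.  Two views are computed
from firewall deny logs: (1) ports that have suddenly attracted many more distinct
sources than during the baseline period, and (2) single sources sweeping many
ports on one host (a port scan).

Both log sets are constructed for this example and the line format
    <timestamp> DENY src=<ip> dst=<ip> dport=<port>
is assumed; adapt LOG_RE to the firewall or IDS log actually in use."""
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# Constructed baseline: the usual low-level background noise over a month.
BASELINE_LOG = "\n".join(
    f"2015-11-{day:02d}T03:00:00 DENY src=203.0.113.{src} dst=198.51.100.20 dport={port}"
    for day, src, port in [(1, 5, 22), (2, 6, 22), (3, 7, 23), (4, 5, 3389), (5, 8, 445)]
)

# Constructed current window: five unrelated sources probe port 445 within an
# hour, and one host walks a dozen ports on a second target.
WINDOW_LOG = "\n".join(
    [f"2015-12-01T09:{i:02d}:00 DENY src=192.0.2.{10 + i} dst=198.51.100.20 dport=445"
     for i in range(5)]
    + [f"2015-12-01T10:{n:02d}:00 DENY src=198.18.0.9 dst=198.51.100.21 dport={port}"
       for n, port in enumerate((21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3306, 3389))]
)


def parse_denies(text):
    """Parse deny lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def interest_by_port(events):
    """Number of distinct source addresses that touched each destination port."""
    sources = defaultdict(set)
    for e in events:
        sources[e["dport"]].add(e["src"])
    return {port: len(s) for port, s in sources.items()}


def new_interest(baseline, window, min_sources=3, factor=3):
    """Ports whose distinct-source count in the window is both large in absolute
    terms and several times the baseline count.  This is the 'sudden interest in
    a particular port' signal; the thresholds are assumptions for the sample."""
    base, cur = interest_by_port(baseline), interest_by_port(window)
    flagged = {}
    for port, n in cur.items():
        b = base.get(port, 0)
        if n >= min_sources and n >= factor * max(b, 1):
            flagged[port] = {"baseline": b, "window": n}
    return flagged


def port_scanners(events, min_ports=10):
    """(src, dst, distinct_ports) for sources that touched many ports on one host."""
    touched = defaultdict(set)
    for e in events:
        touched[(e["src"], e["dst"])].add(e["dport"])
    return sorted((src, dst, len(ports)) for (src, dst), ports in touched.items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    base, win = parse_denies(BASELINE_LOG), parse_denies(WINDOW_LOG)
    for port, counts in new_interest(base, win).items():
        print(f"port {port}: {counts['baseline']} source(s) in baseline, "
              f"{counts['window']} in window")
    for src, dst, n in port_scanners(win):
        print(f"scanner {src} touched {n} ports on {dst}")
```

Counting distinct sources rather than raw hits is deliberate: a single noisy host retrying port 445 is not new interest, but five unrelated hosts trying it within an hour is the pattern that usually precedes a newly published exploit. When that port maps to a service the organization runs, the response in the text applies: patch or disable it before the exploitation attempts arrive.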
Indications
List of Malicious actions and their respective indicators:
Malicious action: unauthorized data modification (e.g. web server defacement, FTP warez
server)
Indicators:
Successful attackers frequently install rootkits, which modify or replace dozens or hundreds of files,
including system binaries. Rootkits hide much of what they do, making it tricky to identify what was
changed. Therefore, if an attacker appears to have gained root access to a system, handlers cannot
trust the operating system software. Typically, the best solution is to restore the system from a known
good backup or reinstall the operating system and applications from scratch, and then secure the
system properly.
Changing all passwords on the system, and possibly on all systems that have trust relationships with
the victim system, is also highly recommended.
If an attacker only gains a lesser level of access than administrator level, eradication and recovery
actions should be based on the extent to which the attacker gained access. Vulnerabilities that were
used to gain access should be mitigated appropriately.
Additional actions should be performed as merited to identify and address weaknesses systemically.
For example, if an attacker gained user level access by guessing a weak password, then not only should
that account’s password be changed to a stronger password, but also the system administrator and
owner should consider enforcing stronger password requirements. If the system was in compliance
with the organization’s password policies, the organization should consider revising its password
policies.
Recommendations
Key recommendations for handling unauthorized access incidents are summarized below:
configure intrusion detection software to alert on attempts to gain unauthorized access. Network
and host based intrusion detection software (including file integrity checking software) is valuable
for detecting attempts to gain unauthorized access. Each type of software may detect incidents
that the other types of software cannot so the use of multiple types of computer security software
is highly recommended.
configure all hosts to use centralized logging. Incidents are easier to detect if data from all hosts
across the organization is stored in a centralized, secured location.
establish procedures for having all users change their passwords. A password compromise may
force the organization to require all users of an application, system, trust domain or perhaps, the
entire organization to change their passwords.
configure the network perimeter to deny all incoming traffic that is not expressly permitted. By
limiting the types of incoming traffic, attackers should be able to reach fewer targets and should
be able to reach the targets using only designated protocols. This should reduce the number of
unauthorized access incidents.
secure all remote access methods, including modems and VPNs. Unsecured modems provide
easily attainable unauthorized access to internal systems and networks. Remote access clients are
often outside the organization’s control, so granting them access to resources increases risk.
put all publicly accessible services on secured DMZ network segments. This permits the
organization to allow external hosts to initiate connections to hosts only on the DMZ segments,
not to hosts on internal network segments. This should reduce the number of unauthorized access
incidents.
disable all unneeded services on hosts and separate critical services. Every service that is running
presents another potential opportunity for compromise. Separating critical services is important
because if an attacker compromises a host that is running a critical service, immediate access
should be gained only to that one service.
use host based firewall software to limit individual hosts’ exposure to attacks. Deploying host
based firewall software to individual hosts and configuring it to deny all activity that is not
expressly permitted should further reduce the likelihood of unauthorized access incidents.
create and implement a password policy. The password policy should require the use of complex,
‘difficult-to-guess’ passwords and ensure that authentication methods are sufficiently strong for
accessing critical resources. Weak and default passwords are likely to be guessed or cracked,
leading to unauthorized access.
provide change management information to the incident response team. Indications such as
system shutdowns, audit configuration changes and executable modifications are probably
caused by routine system administration rather than attacks. When such indications are detected,
the team should be able to use change management information to verify that the indications are
caused by authorized activity.
select containment strategies that balance mitigating risks and maintaining services. Incident
handlers should consider moderate containment solutions that focus on mitigating the risks as
much as is practical while maintaining unaffected services.
restore or reinstall systems that appear to have suffered a root compromise. The effects of root
compromises are often difficult to identify completely. The system should be restored from a
known good backup, or the operating system and applications should be reinstalled from scratch.
The system should then be secured properly so the incident cannot recur.
Recommendations
Key recommendations for handling inappropriate usage incidents include:
discuss the handling of inappropriate usage incidents with the organization’s human resources
and legal departments. Processes for monitoring and logging user activities should comply with
the organization’s policies and all applicable laws. Procedures for handling incidents that directly
involve employees should incorporate discretion and confidentiality.
discuss liability issues with the organization’s legal departments. Liability issues may arise during
inappropriate usage incidents, particularly for incidents that are targeted at outside parties.
Incident handlers should understand when they should discuss incidents with the allegedly
attacked party and what information they should reveal.
configure network based intrusion detection software to detect certain types of inappropriate
usage. Intrusion detection software has built-in capabilities to detect certain inappropriate usage
incidents, such as the use of unauthorized services, outbound reconnaissance activity and attacks
and improper mail relay usage (e.g. sending spam).
log basic information on user activities. Basic information on user activities such as FTP commands,
web requests, and email headers may be valuable for investigative and evidentiary purposes.
configure all email servers so they cannot be used for unauthorized mail relaying. Mail relaying is
commonly used to send spam.
implement spam filtering software on all email servers. Spam filtering software can block much of
the spam sent by external parties to the organization’s users as well as spam that is sent by internal
users.
implement URL filtering software. URL filtering software prevents access to many inappropriate
websites. Users should be required to use the software, typically by preventing access to external
websites unless the traffic passes through a server that performs URL filtering.
2. An attacker (who may or may not be the one who sent the malicious code) uses the infected
workstation to compromise additional workstations and servers.
3. An attacker (who may or may not have been involved in steps 1 or 2) uses one of the compromised
hosts to launch a DDoS attack against another organization.
This multiple component incident consists of a malicious code incident, several unauthorized access
incidents and a DoS incident.
Recommendations
The key recommendations for handling multiple component incidents are given below:
use centralized logging and event correlation software. Incident handlers should identify an
incident as having multiple components more quickly if all precursors and indications are
accessible from a single point of view.
contain the initial incident and then search for signs of other incident components. It can take an
extended period of time for a handler to authoritatively determine that an incident has only a
single component; meanwhile, the initial incident has not been contained. It is generally better to
contain the initial incident first.
prioritize the handling of each incident component. Resources are probably too limited to handle
all incident components simultaneously. Components should be prioritized based on the impact of
each component and the response guidelines for its incident category.
Summary
Intruders probe computer networks to gather information about computer systems and
resources. A probe is any attempt launched to detect:
o Active hosts and networks that are reachable over a public or an accessible medium.
o The services and applications they are running that could be connected to any
vulnerability that these services and applications may have, which could be exposed
and taken advantage of.
Probes can be classified appropriately into three main activities:
o Host detection
o Port enumeration
o Vulnerability assessment
A probe could be seen to be launched by an intruder in two modes: active and passive.
Denial of Service (DoS) — an attack that prevents the usage of network, system or application
resources.
Malicious Code — a virus, worm, Trojan horse or other code based malicious entity that infects
a host.
Unauthorized Access — a user gains access without permission to a network, system,
application, data or other resource.
Inappropriate Usage — a user violates acceptable computing use policies.
Multiple Component — a single incident that encompasses two or more incidents. For example,
a malicious code infection leads to unauthorized access to a host, which is then used to gain
unauthorized access to additional hosts.
Practical activities:
Activity 1:
Present to class different types of incidents that impact network security and research
various service providers who offer services for network incident management.
Compare their offerings.
Activity 2:
Create an action plan for your training institute for addressing network security
incidents. As part of the plan state dos and don’ts for the network administrator and
users.
SSC/ N 0903
Install, configure and troubleshoot information
security devices
Unit Title (Task) Install, configure and troubleshoot information security devices
PC1. identify the information security devices you are required to install/configure/troubleshoot
and source relevant instructions and guidelines
PC2. identify any issues with instructions and guidelines for installing/configuring information
security devices and clarify these with appropriate people
PC3. liaise with stakeholders clearly and promptly regarding the installation/
configuration of information security devices
PC4. install/configure information security devices as per instructions and
guidelines
PC5. test installed/configured information security devices, following
instructions and guidelines
PC6. resolve problems with security devices, following instructions and
guidelines
PC7. obtain advice and guidance on
installing/configuring/testing/troubleshooting information security
devices from appropriate people, where required
PC8. record the installation/configuration/testing/troubleshooting of
information security devices promptly using standard templates and
tools
PC9. provide reports for troubleshooting, configurations and deployment
using standard templates and tools
PC10. comply with your organization’s policies, standards, procedures,
guidelines and service level agreements (SLAs) when Installing /
configuring / troubleshooting information security devices
Knowledge and Understanding (K)
THE UNITS
UNIT I
Configuring Network Devices
LESSON PLAN

Performance Outcomes
PC1. identify the information security devices you are required to install/configure/troubleshoot
and source relevant instructions and guidelines
PC2. identify any issues with instructions and guidelines for installing/configuring information
security devices and clarify these with appropriate people
PC3. liaise with stakeholders clearly and promptly regarding the installation/configuration of
information security devices
PC4. install/configure information security devices as per instructions and guidelines
PC5. test installed/configured information security devices, following instructions and guidelines
PC6. resolve problems with security devices, following instructions and guidelines
PC7. obtain advice and guidance on installing/configuring/testing/troubleshooting information
security devices from appropriate people, where required
PC8. record the installation/configuration/testing/troubleshooting of information security devices
promptly using standard templates and tools
PC9. provide reports for troubleshooting, configurations and deployment using standard templates
and tools
PC10. comply with your organization’s policies, standards, procedures, guidelines and service level
agreements (SLAs) when installing/configuring/troubleshooting information security devices

Ensuring Measures
The learners must demonstrate all PCs on given work tasks.

Work Environment / Lab Requirement
KA1 to KA13:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with Wi-Fi (min 2 Mbps dedicated)
• Networking equipment: routers and switches
• Firewalls and access points
• Access to all security sites like ISO, PCI DSS
• Commercial tools like HP WebInspect and IBM AppScan etc.
• Open source tools like sqlmap, Nessus etc.
• Security templates from ITIL
KB1 – KB5:
• Installation and configuration of security tools in the lab environment by peer groups and
validation by the faculty
Lesson
The challenge with rogue devices is that they are not part of the management framework. This
means that they are not part of any standards, policies, security controls, or patch updates. They
pose a unique threat to an environment.
Consider a server that a developer built to test something and never decommissioned. This server
remains online, running company code on an unpatched database. Without actively monitoring the
network, there is no way that an administrator can have any real idea of the volume of unmanaged
systems on the network.
The greater the number of unmanaged systems, the greater the risk to the network. Where
administrators have audited the network, typically between 1 percent and 10 percent of assets were
previously unknown to the administrator. Once detected, local system administrators can manage
modest numbers of assets. However, if the volume or location of rogue assets is excessive or
dangerous, these results provide justification and motivation for automated and proactive
enforcement performed by Network Access Control.
Identify Assets
There are two general approaches to identifying assets on the network, techniques that are very
similar in nature to those used for finding viruses:
Real-time detection - Relies on detection of traffic generated by the endpoint. The benefit is its
timely nature: detection is immediate, so you can take action very quickly. The downside of this
approach is that, since detection is based on traffic generated by the endpoint, a sensor must be
located near that traffic. This technique may not be practical for all network topologies.
Scheduled detection - The system queries network addresses for a response according to a
schedule. This model overcomes the proximity limitation of the first approach: sensors can
execute scans from a limited number of locations, or a single location, on the network. The
downside of this approach is that detection is not immediate; it is limited to the detection interval
set by the schedule. As in the example of off-hours scanning, rogue systems may operate on the
network between detection scans and escape identification.
Note that the optimal solution is likely to cater for both approaches to device identification.
Deploy DHCP Server logging, and utilize a system to improve the asset inventory and help detect
unknown systems through this DHCP information.
All equipment acquisitions should automatically update the inventory system as new, approved
devices are connected to the network.
Maintain an asset inventory of all systems connected to the network and the network devices
themselves recording at least the network addresses, machine name(s), purpose of each system, an
asset owner responsible for each device, and the department associated with each device.
The inventory should include every system that has an Internet Protocol (IP) address on the network,
including but not limited to desktops, laptops, servers, network equipment (routers, switches,
firewalls, etc.), printers, storage area networks, Voice Over-IP telephones, multi-homed addresses,
virtual addresses, etc.
The asset inventory created must also include data on whether the device is a portable and/or
personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic
devices that store or process data must be identified, regardless of whether or not they are attached
to the organization’s network. Make sure that asset inventory database is properly protected and a
copy stored in a secure location.
Information asset inventory should map critical information to the hardware assets (including
servers, workstations, and laptops) on which it is located. A department and individual responsible
for each information asset should be identified, recorded, and tracked.
Organizations must first establish information/asset owners, deciding and documenting which
organizations and individuals are responsible for each component of a business process that includes
information, software, and hardware. In particular, when organizations acquire new systems, they
record the owner and features of each new asset, including its network interface media access
control (MAC) address and location. This mapping of asset attributes and owner-to-MAC address can
be stored in a free or commercial database management system.
Use tools to pull information from network assets such as switches and routers regarding the
machines connected to the network.
Using securely authenticated and encrypted network management protocols, tools can retrieve MAC
addresses and other information from network devices that can be reconciled with the
organization’s asset inventory of servers, workstations, laptops, and other devices. Once MAC
addresses are confirmed, switches should implement 802.1x and NAC to only allow authorized
systems that are properly configured to connect to the network.
Effective organizations configure free or commercial network scanning tools to perform network
sweeps on a regular basis, sending a variety of different packet types to identify devices connected
to the network. In addition to active scanning tools that sweep the network, other asset
identification tools passively listen on network interfaces looking for devices to announce their
presence by sending traffic. Such passive tools can be connected to switch span ports at critical
places in the network to view all data flowing through such switches, maximizing the chance of
identifying systems communicating through those switches. Whether physical or virtual, each
machine using an IP address should be included in an organization’s asset inventory.
The system must be capable of identifying any new unauthorized device that is connected to the
network within 24 hours, alerting or sending e-mail notification to a list of enterprise
administrative personnel. The system must automatically isolate the unauthorized system from the
network within one hour of the initial alert.
Send a follow-up alert or e-mail notification when isolation is achieved. Every 24 hours after that
point, the system must alert or send e-mail about the status of the system until the unauthorized
system has been removed from the network. The asset inventory database and alerting system must
be able to identify the location, department, and other details of where authorized and
unauthorized devices are plugged into the network.
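The steps above (DHCP logging, MAC addresses pulled from switches, reconciliation against the inventory, an alert within 24 hours and isolation within an hour of the alert) fit together in one reconciliation pass. The following is an added example and not code from the handbook or from any inventory product: the inventory, the DHCP lease records and the switch MAC table are constructed for the example, and their two text formats are assumptions; a real deployment would read them from the DHCP server log and from the switches over an authenticated, encrypted management protocol.

```python
"""Added example (not from the handbook): reconcile what the network actually
sees against the asset inventory, in the way the steps above describe.  Two
evidence sources are combined: DHCP lease records (who asked for an address) and
the MAC address tables pulled from switches (where a device is plugged in).
Any MAC not in the inventory is an unauthorized device; the output carries its
location and the alert/isolation deadlines (24 hours to alert, one hour after
the alert to isolate).

The inventory, lease records and MAC table are all constructed for this example
and the two text formats are assumed; a real deployment would read them from the
DHCP server log and from the switches over SNMPv3 or SSH."""
from datetime import datetime, timedelta

TS = "%Y-%m-%dT%H:%M:%S"

# Constructed inventory keyed by MAC address.
INVENTORY = {
    "00:11:22:33:44:01": {"host": "fs01", "owner": "A. Rao", "dept": "Finance"},
    "00:11:22:33:44:02": {"host": "ws-dev-7", "owner": "P. Singh", "dept": "Engineering"},
}

# Constructed DHCP lease log: lease_start mac ip hostname
DHCP_LEASES = """\
2015-12-01T08:02:11 00:11:22:33:44:02 10.1.8.23 ws-dev-7
2015-12-01T08:15:40 aa:bb:cc:dd:ee:01 10.1.8.77 android-4f2e
"""

# Constructed switch MAC table: mac switch port vlan
MAC_TABLE = """\
00:11:22:33:44:01 sw-core-1 Gi1/0/4 5
00:11:22:33:44:02 sw-access-3 Gi1/0/17 8
aa:bb:cc:dd:ee:01 sw-access-3 Gi1/0/22 8
aa:bb:cc:dd:ee:02 sw-dmz-1 Gi1/0/3 20
"""


def parse_leases(text):
    """MAC -> lease details, with the lease start as the device's first-seen time."""
    leases = {}
    for line in text.splitlines():
        if line.strip():
            start, mac, ip, host = line.split()
            leases[mac.lower()] = {"first_seen": datetime.strptime(start, TS),
                                   "ip": ip, "hostname": host}
    return leases


def parse_mac_table(text):
    """MAC -> (switch, port, vlan), i.e. the physical location of the device."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            mac, switch, port, vlan = line.split()
            table[mac.lower()] = (switch, port, int(vlan))
    return table


def reconcile(inventory, leases, mac_table, now_iso, alert_hours=24, isolate_hours=1):
    """Classify every MAC seen by either source.  A device with a static address
    (no lease) is first seen at the time of this run, so its clock starts now."""
    now = datetime.strptime(now_iso, TS)
    authorized, unauthorized = [], []
    for mac in sorted(set(leases) | set(mac_table)):
        lease = leases.get(mac)
        record = {"mac": mac,
                  "ip": lease["ip"] if lease else None,
                  "hostname": lease["hostname"] if lease else None,
                  "location": mac_table.get(mac)}
        if mac in inventory:
            record.update(inventory[mac])
            authorized.append(record)
        else:
            first_seen = lease["first_seen"] if lease else now
            alert_by = first_seen + timedelta(hours=alert_hours)
            record.update({"first_seen": first_seen,
                           "alert_by": alert_by,
                           "isolate_by": alert_by + timedelta(hours=isolate_hours)})
            unauthorized.append(record)
    return {"authorized": authorized, "unauthorized": unauthorized}


def overdue(report, now_iso):
    """Unauthorized devices whose alert deadline has already passed."""
    now = datetime.strptime(now_iso, TS)
    return [d["mac"] for d in report["unauthorized"] if d["alert_by"] < now]


if __name__ == "__main__":
    report = reconcile(INVENTORY, parse_leases(DHCP_LEASES),
                       parse_mac_table(MAC_TABLE), "2015-12-01T09:00:00")
    for d in report["unauthorized"]:
        print(f"UNAUTHORIZED {d['mac']} ip={d['ip']} at {d['location']} "
              f"alert by {d['alert_by']} isolate by {d['isolate_by']}")
    for d in report["authorized"]:
        print(f"ok {d['mac']} {d['host']} owner={d['owner']} dept={d['dept']} at {d['location']}")
```

The DMZ device aa:bb:cc:dd:ee:02 never took a DHCP lease, so DHCP logging alone would not have found it; the switch MAC table is what exposes it, together with the port an administrator would shut or move to a quarantine VLAN. Treat the MAC as a locator rather than as proof of identity, since it is trivially spoofed; the text's 802.1X/NAC step is what actually gates admission.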
To evaluate the implementation of this inventory control (Control 1) on a periodic basis, the evaluation team will connect
hardened test systems to at least 10 locations on the network, including a selection of subnets
associated with demilitarized zones (DMZs), workstations, and servers. Two of the systems must be
included in the asset inventory database, while the other systems are not. The evaluation team must
then verify that the systems generate an alert or e-mail notice regarding the newly connected
systems within 24 hours of the test machines being connected to the network. The evaluation team
must verify that the system provides details of the location of all the test machines connected to the
network. For those test machines included in the asset inventory, the team must also verify that the
system provides information about the asset owner. The evaluation team must then verify that the
test systems are automatically isolated from the production network within one hour of initial
notification and that an e-mail or alert indicating the isolation has been sent. The team must then
verify that the connected test systems are isolated from production systems.
Organisations use various devices, technologies and techniques for traffic filtering in order to
reduce security threats. There are four basic recommendations for traffic filtering; each
institution/organisation that wishes to improve the efficiency of filtering and increase the level of
security in its network should apply them:
1. Define traffic-filtering rules that will determine the manner in which the incoming and outgoing
traffic flows in the network will be regulated. A set of traffic-filtering rules can be adopted as an
independent packet filtering policy or as a part of the information security policy;
2. Select the technology (device or software) on which the rules will be implemented (the source
text omits step 2; this wording is inferred from the reference to "the selected technology" in step 3);
3. Implement the defined rules on the selected technology and optimise the performance of the
devices accordingly;
4. Maintain all the components of the solution, including not only the devices but also the policy.
The packet-filtering functionality (stateless firewall) is built into the majority of operating systems
and devices with a traffic routing feature. In most cases, it is a router on which access control lists
(ACLs) are applied. A packet filter implemented on a router is the simplest, but only one of the
available traffic-filtering methods.
Packet filtering is the basic feature of all firewall devices. The first firewall devices, with only a packet
filter, were also called stateless inspection firewalls. Unlike them, modern firewall devices provide
far more possibilities for packet filtering. A packet filter enables the implementation of control of
access to resources by deciding whether a packet should be allowed to pass, based on the
information contained in the IP packet header. The packet filter does not analyse the content of the
packet (unlike a content filter), nor does it attempt to determine the sessions to which individual
packets belong, based on the information contained in the TCP or UDP header, and therefore it does
not make any further decisions in that regard. For this reason, the process is also known as stateless
packet inspection. Due to its manner of operation, which does not track the information on the state
of connections, it is necessary to explicitly allow two-way traffic on the connection when configuring
a stateless firewall device. Stateless firewall devices analyse each packet individually and filter them
based on the information contained in Layers 3 and 4 of the OSI reference model. A filtering decision
is made based on the following information:
source IP address;
destination IP address;
protocol;
They are commonly implemented as a part of the functionality on routers (ACL, firewall filters, etc.), but can also be implemented on servers.
Advantages of packet filters:
• simple implementation;
• supported by most routers, so there is no need to invest in new equipment and software;
• rarely cause bottlenecks in the area of their application, even at high speeds in Gigabit networks.
Disadvantages of packet filters:
• vulnerability to attacks that exploit problems within the TCP/IP specification and the protocol stack;
• problems with filtering packets that are fragmented (causing interoperability and non-functioning of VPN connections);
• no support for the dynamic filtering of some services (the services that require dynamic negotiation about the ports that will be used in communication – passive FTP).
Stateful packet inspection improves the packet filtering process by monitoring the state of each
connection established through a firewall device. The TCP protocol allows two-way
communication and that TCP traffic is characterised by three phases: establishing the connection,
data transfer, and terminating the connection. In the connection establishment phase, stateful
packet inspection records each connection in the state-table. In the data transfer phase, the device
monitors certain parameters in the header of the L3 packet and L4 segment and makes a filtering
decision depending on their values and the content of the state-table. The state-table contains all
currently active connections. As a result, a potential attacker trying to spoof a packet with a header
indicating that the packet is a part of an established connection can only be detected by the stateful
inspection firewall device, which verifies whether the connection is recorded in the state-table. The
state-table contains the following information:
source IP address;
destination IP address;
source port number;
destination port number;
TCP sequence numbers;
TCP flag values.
The state of the synchronize (SYN), reset (RST), acknowledgment (ACK) and finish (FIN) flags are
monitored within the TCP header and a conclusion is reached about the state of a specific
connection. The UDP protocol does not have a formal procedure for establishing and terminating a
connection. However, devices with stateful inspection can monitor the state of individual flows and
match different flows when they logically correspond to each other (e.g., a DNS response from an
external server will only be allowed to pass if the corresponding DNS query from the internal source
to that server has previously been recorded).
Advantages of stateful firewall devices:
• a higher level of protection compared to stateless firewall devices (greater efficiency and more detailed traffic analysis).
Disadvantages of stateful firewall devices:
• performance degradation of the router on which they are deployed (this depends on the size of the network and other services run on the router);
• not all of them provide support for UDP, GRE and IPSEC protocols, treating them in the same way as stateless firewall devices.
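The difference between the two technologies described above, as an added example that is not part of the handbook: a stateless ACL and a stateful filter are run over the same constructed packet trace. The addresses, the rule set, the inside prefix and the trace itself are constructed sample values. The trace includes the two cases the text singles out: a packet whose header claims to belong to an established TCP connection, and a UDP reply that matches no recorded query.

```python
"""Added example, not from the handbook: a stateless ACL and a stateful
filter applied to the same constructed packet trace.  The addresses, rules
and inside prefix are constructed sample values."""
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                              # "tcp" or "udp"
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()     # TCP flags, empty for UDP


# Stateless ACL: evaluated top-down, first match wins, implicit deny at the end.
# Rule = (action, src_prefix, dst_prefix, proto, dport); "*" matches anything.
# Because no state is kept, the return direction needs its own permit rule,
# and that rule necessarily admits any packet of that protocol aimed inside.
STATELESS_ACL = [
    ("permit", "10.0.0.", "*", "tcp", 80),
    ("permit", "10.0.0.", "*", "udp", 53),
    ("permit", "*", "10.0.0.", "tcp", None),
    ("permit", "*", "10.0.0.", "udp", None),
]


def _match(value: str, pattern: str) -> bool:
    return pattern == "*" or value.startswith(pattern)


def stateless_allow(pkt: Packet, acl=STATELESS_ACL) -> bool:
    """Decide on one packet from L3/L4 header fields alone."""
    for action, src, dst, proto, dport in acl:
        if (_match(pkt.src, src) and _match(pkt.dst, dst)
                and pkt.proto == proto and (dport is None or pkt.dport == dport)):
            return action == "permit"
    return False


class StatefulFilter:
    """Records flows initiated from the inside in a state table; inbound
    packets are admitted only when they belong to a recorded flow."""

    def __init__(self, inside_prefix: str = "10.0.0."):
        self.inside = inside_prefix
        self.table = set()   # (src, sport, dst, dport, proto) of recorded flows

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.table or reverse in self.table:
            if "RST" in pkt.flags:          # connection torn down: forget it
                self.table.discard(key)
                self.table.discard(reverse)
            return True
        if pkt.src.startswith(self.inside):
            # New outbound flow.  TCP must begin with a bare SYN; a UDP flow
            # (e.g. a DNS query) is recorded on its first packet.
            if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
                return False
            self.table.add(key)
            return True
        return False   # unsolicited inbound packet: nothing in the state table


def run_trace(trace):
    """Decisions of both filters per packet: [(stateless, stateful), ...]."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in trace]


# Constructed trace (documentation-range addresses).
TRACE = [
    Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 80, frozenset({"SYN"})),
    Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 40000, frozenset({"SYN", "ACK"})),
    Packet("10.0.0.5", "203.0.113.53", "udp", 53000, 53),
    Packet("203.0.113.53", "10.0.0.5", "udp", 53, 53000),
    # Header claims to be part of an established connection, but none exists.
    Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 40001, frozenset({"ACK"})),
    # "DNS response" with no matching query recorded.
    Packet("198.51.100.7", "10.0.0.5", "udp", 53, 53001),
]
```

The first four packets pass both filters. The last two pass the stateless ACL, because its return-direction rules have to admit them, and fail the stateful filter, because neither flow was ever recorded in the state table.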
Lately, attempts have been made to improve the standard stateful packet inspection technology by
adding basic solutions from intrusion detection technology. The improved version is called stateful
protocol analysis, also known as DPI (Deep Packet Inspection) analysis of data on the application
layer. The devices resulting from this development trend include Application Firewall, Application
Proxy Gateways and Proxy servers. Unlike stateful firewall devices that filter traffic based on the
data on layers 3, 4 and 5 of the OSI reference model, these devices also enable traffic filtering based
on the information on the application layer of the OSI reference model (Layer 7).
Application Firewall
Application Firewall (AF) devices perform a stateful protocol analysis of the application layer. They
support numerous common protocols, such as HTTP, SQL, e-mail service (SMTP, POP3 and IMAP),
VoIP and XML. Stateful protocol analysis relies on predefined profiles of acceptable operating modes
for the selected protocol, enabling the identification of potential deviations and irregularities in the
message flow of the protocol through the device. Problems may arise if there is a conflict between
the operating mode of a specific protocol, which is defined on the AF device, and the way in which
the protocol is implemented in the specific version of the application or of the operating systems
used in the network.
• determine whether an e-mail message contains a type of attachment that is not allowed (e.g., exec files);
• block the connection through which an unwanted command is executed (e.g., an FTP put command on the FTP server);
• enable the verification of individual commands and the minimum and maximum length of appropriate command-line arguments (e.g., the number of characters used in a username).
An AF device cannot detect attacks that meet the generally acceptable procedures of operation of a specific protocol, such as DoS (Denial of Service) attacks caused by the repetition of a large number of acceptable message sequences in a short time interval. Due to the complexity of the analysis they perform, and the large number of concurrent sessions they monitor, the main disadvantage of the method of stateful protocol analysis is the intensive resource consumption on AF devices.
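The checks listed above, as an added example that is not part of the handbook: a simplified stateful protocol analysis of an FTP control channel verifies each command against a profile (which commands are acceptable, in which state of the session, and with what argument length), and blocks the connection on an upload command. The profile, the length limits and the sample session are constructed; real AF devices ship vendor-defined profiles, and, as the text notes, a check of this kind says nothing about how often acceptable commands are repeated.

```python
"""Added example, not from the handbook: a simplified stateful protocol analysis
of an FTP control channel, the kind of check an application firewall applies.
The command profile (permitted commands, argument length limits, the order in
which commands may appear) and the sample session are constructed."""
import re
from typing import Tuple

# Constructed profile: command -> (min_arg_len, max_arg_len, states where valid)
PROFILE = {
    "USER": (1, 32, {"start"}),
    "PASS": (0, 64, {"user"}),
    "PWD":  (0, 0, {"authed"}),
    "CWD":  (1, 255, {"authed"}),
    "LIST": (0, 255, {"authed"}),
    "RETR": (1, 255, {"authed"}),
    "QUIT": (0, 0, {"start", "user", "authed"}),
}
# Upload commands are the "unwanted command" case from the text (an FTP put
# on a server that is meant to be download-only).
BLOCKED = {"STOR", "STOU", "APPE"}
NEXT_STATE = {"USER": "user", "PASS": "authed", "QUIT": "closed"}
MAX_LINE = 512


class FtpControlAnalyzer:
    def __init__(self):
        self.state = "start"

    def check(self, line: str) -> Tuple[str, str]:
        """Verdict ('allow', 'drop' or 'block') and reason for one client line.
        'block' also closes the connection for everything that follows."""
        if self.state == "closed":
            return ("drop", "connection closed")
        text = line.rstrip("\r\n")
        if len(line) > MAX_LINE or any(ord(c) < 32 or ord(c) == 127 for c in text):
            return ("drop", "malformed line")
        m = re.fullmatch(r"([A-Za-z]{3,4})(?: (.*))?", text)
        if not m:
            return ("drop", "unparseable command")
        cmd, arg = m.group(1).upper(), m.group(2) or ""
        if cmd in BLOCKED:
            self.state = "closed"
            return ("block", f"{cmd} not permitted on this server")
        if cmd not in PROFILE:
            return ("drop", f"unknown command {cmd}")
        lo, hi, states = PROFILE[cmd]
        if self.state not in states:
            return ("drop", f"{cmd} not valid in state '{self.state}'")
        if not lo <= len(arg) <= hi:
            return ("drop", f"{cmd} argument length {len(arg)} outside {lo}..{hi}")
        self.state = NEXT_STATE.get(cmd, self.state)
        return ("allow", "")


def analyse_session(lines):
    """Run a whole client session through one analyzer; returns the verdicts."""
    a = FtpControlAnalyzer()
    return [a.check(l)[0] for l in lines]


# Constructed session: a normal login, a download, then a disallowed upload.
SESSION = [
    "USER alice\r\n",
    "PASS s3cret-example\r\n",
    "PWD\r\n",
    "RETR report.pdf\r\n",
    "STOR upload.bin\r\n",
    "QUIT\r\n",
]
```

The state machine is what makes this stateful: PASS before USER is dropped even though PASS itself is a valid command, and nothing is accepted after the connection has been closed by a block.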
Application Proxy Gateway
Application Proxy Gateway (APG) devices contain so-called proxy agents or “intermediaries” in the communication between two
end hosts. In this way, they prevent direct communication between them. Each successful
connection between the end hosts consists of two connections – one between the client and the
proxy server and the other between the proxy server and the destination device. Based on the
filtering rules defined on the APG device, proxy agents decide whether network traffic will be
allowed or not. Traffic-filtering decisions can also be made based on the information contained in
the header of an application-layer message or even based on the content conveyed by that message.
In addition, proxy agents can require user authentication. There are also APG devices with the
capability of packet decryption, analysis and re-encryption, before a packet is forwarded to the
destination host. Packets that cannot be decrypted are simply forwarded through the device.
Compared to packet filters and stateful devices, APG devices have numerous deficiencies. The
manner of operation of APG devices requires a significantly greater utilisation of resources, i.e., they
require more memory and greater utilisation of processor time for analysing and interpreting each
packet passing through the device. As a result, APG devices are not suitable for filtering applications
that are more demanding in terms of bandwidth or applications that are sensitive to time delays
(real-time applications). Another deficiency of these devices is the limitation in the number of
services that can be filtered through them. Each type of traffic passing through the device requires a
specific proxy agent that acts as an intermediary in the communication. Consequently, APG devices
do not always support the filtering of new applications or protocols. Due to their price, APG devices
are commonly used for protecting data centres or other networks containing publicly available
servers that are of high importance to an organisation. In order to reduce the load on APG devices
and achieve greater efficiency, modern networks more frequently use proxy servers (dedicated
proxy servers) that are dedicated to specific services that are not so sensitive to time delays (e.g., e-
mail or web proxy servers).
Other related functionalities, such as VPN and IDP, are often available on firewall devices. In order to
have a complete overview and due to their frequent use, these technologies are also addressed
briefly in this chapter.
The application of NAT technology may limit (intentionally or unintentionally) the number of
available services, i.e., it may disable the functioning of the services that require direct, end-to-end
connectivity (e.g., VoIP).
There are three types of NAT translations: dynamic, static and PAT.
Dynamic NAT uses a set of publicly available IP addresses, successively assigning them to hosts with
private IP addresses. When a host with a private IP address needs to communicate with a device on
the Internet, dynamic NAT translates its private IP address into a publicly available IP address, by
taking the first available IP address from a defined pool of publicly available IP addresses. Dynamic
NAT is suitable for client computers.
Static NAT provides one-to-one mapping between the private IP address of a host and the public IP
address assigned to it. In this manner, the host with a private IP address always appears on the
Internet with the same public IP address. This is the main difference between static and dynamic
translation. Static NAT is suitable for servers. In both types of translation mentioned above, each
private IP address is translated into a separate, public IP address. In order to support a sufficient
number of simultaneous user sessions, an organisation using dynamic and/or static NAT needs to
have a sufficient number of public IP addresses.
PAT (Port Address Translation or so-called NAT overload) performs mapping between several private
IP addresses and one or more public IP addresses. The mapping of each private IP address is
performed by way of the port number of the public IP address. PAT translation ensures that each
client on a LAN that establishes a connection with a device on the Internet is assigned a different
port number of the public IP address. The response from the Internet, which comes as a result of the
request, is sent to the port from which the request was forwarded. In this manner, a device that
performs the translation (a router, firewall or server) knows to which host from the LAN it should
forward the packet. This feature of PAT increases the level of security of the LAN to a certain degree,
since it prevents a connection from the Internet being established directly with the hosts on the
LAN. Due to this manner of operation, PAT is sometimes, incorrectly, regarded as a security
technology, although it is primarily a routing technology.
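The three translation types above, as an added example that is not part of the handbook: a PAT table maps each outbound connection to its own source port on a single public address and forwards an inbound packet only when it matches an existing mapping, which is exactly the property the text says is sometimes mistaken for a security feature. A small dynamic NAT pool is included to show why dynamic and static translation need enough public addresses. All addresses and port numbers are constructed sample values.

```python
"""Added example, not from the handbook: simplified PAT (NAT overload) and
dynamic NAT translation tables.  Addresses and ports are constructed values."""
from itertools import count
from typing import Optional, Tuple


class Pat:
    """Many private addresses behind one public address, distinguished by port."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.outbound = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public_port
        self.inbound = {}    # (public_port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def translate_out(self, priv_ip, priv_port, dst_ip, dst_port) -> Tuple[str, int]:
        """Source address/port the packet leaves with; a new flow gets a new port."""
        key = (priv_ip, priv_port, dst_ip, dst_port)
        if key not in self.outbound:
            pub_port = next(self._ports)
            self.outbound[key] = pub_port
            self.inbound[(pub_port, dst_ip, dst_port)] = (priv_ip, priv_port)
        return (self.public_ip, self.outbound[key])

    def translate_in(self, src_ip, src_port, pub_port) -> Optional[Tuple[str, int]]:
        """LAN host for a packet arriving at the public address, or None when no
        mapping exists (an inbound connection nobody on the LAN asked for).
        Note the check is only on the 5-tuple: PAT routes, it does not
        authenticate, which is why the text calls it a routing technology."""
        return self.inbound.get((pub_port, src_ip, src_port))


class DynamicNat:
    """One public address per private host, taken from a pool; the pool size
    caps how many hosts can be on the Internet at the same time."""

    def __init__(self, pool):
        self.free = list(pool)
        self.map = {}

    def translate_out(self, priv_ip) -> Optional[str]:
        if priv_ip not in self.map:
            if not self.free:
                return None   # pool exhausted: no public address left for this host
            self.map[priv_ip] = self.free.pop(0)
        return self.map[priv_ip]


if __name__ == "__main__":
    pat = Pat("198.51.100.1")
    print(pat.translate_out("192.168.1.10", 50000, "203.0.113.5", 80))
    print(pat.translate_in("203.0.113.5", 80, 1024))   # reply: mapped back to the LAN host
    print(pat.translate_in("203.0.113.9", 22, 1025))   # unsolicited: None
```

Static NAT is the degenerate case of the dynamic table with a fixed one-to-one assignment, so it is not repeated here.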
various malware programmes (e.g., worms, spyware, viruses, and Trojans), as a result of attempts at
unauthorised access to a system through public infrastructure (Internet), or as a result of the
operation of authorised system users who abuse their privileges.
Network Intrusion Prevention (IP) includes the process of detecting network intrusion events, but
also includes the process of preventing and blocking detected or potential network incidents.
Network Intrusion Detection and Prevention systems (IDP) are based on identifying potential
incidents, logging information about them, attempting to prevent them and alerting the
administrators responsible for security. In addition to this basic function, IDP systems can also be
used to identify problems concerning the adopted security policies, to document existing security
threats and to discourage individuals from violating security rules. IDP systems use various incident-
detection methods.
1. Signature-based detection
Certain security threats can be detected based on the characteristic manner in which they appear.
The behaviour of an already detected security threat, described in a form that can be used for the
detection of any subsequent appearance of the same threat, is called an attack signature. This
detection method, based on the characteristic signature of an attack, is a process of comparing the
known forms in which the threat has appeared with the specific network traffic in order to identify
certain incidents. Although it can be very efficient in detecting the subsequent appearance of known
threats, this detection method is extremely inefficient in the detection of completely unknown
threats, of threats hidden by using various techniques, and of already known threats that have
somehow been modified in the meantime. It is considered the simplest detection method and it
cannot be used for monitoring and analysing the state of certain, more complex forms of
communication.
2. Anomaly-based detection
This method of IDP is based on detecting anomalies in a specific traffic flow in the network. Anomaly
detection is performed, based on the defined profile of acceptable traffic and its comparison with
the specific traffic in the network. Acceptable traffic profiles are formed by tracking the typical
characteristics of the traffic in the network during a certain period of time (e.g., the number of e-
mail messages sent by a user, and the number of attempts to log in to a host, or the level of
utilisation of the processor in a given time interval). These characteristics of the behaviour of users,
hosts, connections or applications in the same time interval are then considered to be completely
acceptable. However, acceptable-behaviour profiles can unintentionally contain certain security
threats, which lead to problems in their application. Likewise, imprecisely defined profiles of
acceptable behaviour can cause numerous alarms, generated by the system itself as a reaction to
certain (acceptable) activities on the network. The greatest advantage of this detection method is its
exceptional efficiency in detecting previously unknown security threats.
3. Stateful protocol analysis
Stateful protocol analysis is a process of comparing predefined operation profiles with the specific
data flow of that protocol on the network. Predefined profiles of operation of a protocol are defined
by the manufacturers of IDP devices and they identify everything that is acceptable or not
acceptable in the exchange of messages in a protocol. Unlike anomaly-based detection, where
profiles are created based on the hosts or specific activities on the network, stateful protocol
analysis uses general profiles generated by the equipment manufacturers. Most IDP systems use
several detection methods simultaneously, thus enabling a more comprehensive and precise
method of detection.
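The first two detection methods above, as an added example that is not part of the handbook: signature detection matches known patterns against constructed sshd and httpd log lines, and anomaly detection compares each user's failed-login count in a window with a profile learned from baseline windows (the text's example of "the number of attempts to log in to a host"). The signatures, the baseline windows, the thresholds and every log line are constructed sample values.

```python
"""Added example, not from the handbook: the signature-based and anomaly-based
detection methods described above, run over constructed sshd/httpd log lines.
The signatures, the baseline windows and the thresholds are all constructed
sample values, not a vendor's rule set."""
import re
import statistics
from collections import Counter

# Constructed signatures: known forms in which a threat has appeared.
SIGNATURES = [
    ("web-path-traversal", re.compile(r"GET \S*\.\./\.\./")),
    ("sshd-invalid-user", re.compile(r"sshd\[\d+\]: Invalid user ")),
]


def signature_detect(lines):
    """(line_no, signature_name) for every line that matches a known pattern."""
    return [(i, name) for i, line in enumerate(lines, 1)
            for name, pat in SIGNATURES if pat.search(line)]


# Anomaly detection: profile of failed-login attempts per user per window.
LOGIN_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+)")


def login_counts(lines):
    return Counter(m.group(1) for line in lines if (m := LOGIN_RE.search(line)))


def build_profile(windows):
    """Mean and population stdev of failed logins per user over baseline windows."""
    counts = [login_counts(w) for w in windows]
    users = set().union(*(c.keys() for c in counts))
    profile = {}
    for u in users:
        series = [c.get(u, 0) for c in counts]
        profile[u] = (statistics.mean(series), statistics.pstdev(series))
    return profile


def anomaly_detect(profile, window, k=3.0, min_sd=1.0):
    """Flag users whose count exceeds mean + k * stdev.  min_sd keeps a flat
    baseline from alerting on every small deviation (the text's warning that
    imprecise profiles generate numerous alarms); users with no baseline are
    reported separately rather than silently ignored."""
    alerts = []
    for user, n in login_counts(window).items():
        if user not in profile:
            alerts.append((user, n, "no baseline"))
            continue
        mean, sd = profile[user]
        threshold = mean + k * max(sd, min_sd)
        if n > threshold:
            alerts.append((user, n, f"exceeds threshold {threshold:.1f}"))
    return alerts


def _failed(user, n, day=1):
    """Constructed 'Failed password' lines for one user."""
    return [f"Dec  {day} 09:{i:02d}:00 host sshd[{1000 + i}]: Failed password for {user} "
            f"from 10.0.0.9 port {50000 + i} ssh2" for i in range(n)]


# Three constructed baseline windows (normal days) and one window to examine.
BASELINE = [_failed("alice", 1) + _failed("bob", 0),
            _failed("alice", 2) + _failed("bob", 1),
            _failed("alice", 1)]
CURRENT = _failed("alice", 9, day=2) + _failed("bob", 1, day=2) + [
    "Dec  2 03:00:00 host sshd[2001]: Invalid user mallory from 198.51.100.7 port 40000",
    "Dec  2 03:00:01 host sshd[2001]: Failed password for invalid user mallory from 198.51.100.7 port 40000 ssh2",
    'Dec  2 03:01:00 host httpd: 198.51.100.7 "GET /cgi-bin/../../etc/passwd HTTP/1.1" 403',
]
PROFILE = build_profile(BASELINE)

if __name__ == "__main__":
    print(signature_detect(CURRENT))
    print(anomaly_detect(PROFILE, CURRENT))
```

Run over CURRENT, the signatures catch the two known patterns but say nothing about alice's nine failed logins, while the anomaly profile flags alice (well above her baseline) and reports mallory as having no baseline at all; neither method alone covers both, which is why the text notes that most IDP systems combine them.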
Testing tools are used for testing the detection, recognition and response capabilities of devices that
perform packet filtering (including those that use network address translation), such as firewalls,
IDSes/IPSes, routers and switches. These test the Traffic Filtering devices' ability to detect and/or
block DoS attacks, spyware, backdoors, and attacks against applications such as IIS, SQL Server and
WINS. Standard traffic sessions can be used to test how packet filtering devices handle a variety of
protocols including HTTP, FTP, SNMP and SMTP.
[Figure: Intrusion Detection taxonomy. Approach: Signature Detection, Anomaly Detection. Protected System: HIDS, NIDS, Hybrids. Structure: Centralised System, Distributed System (Agent System). Data Source: System State Analysis (kernel, services, files). Behavior after an attack: Active IDS, Passive IDS. Analysis: On-the-fly Processing, Internal Based IDS.]
Summary
The greater the number of unmanaged systems, the greater the risk to the network. Where
administrators have audited the network, typically between 1 percent and 10 percent of assets
were previously unknown to the administrator.
Further to the asset inventory tool the organisation needs to:
o Deploy network level authentication via 802.1x to limit and control which devices can be
connected to the network.
o Deploy network access control (NAC) to monitor authorized systems so if attacks occur,
the impact can be remediated by moving the untrusted system to a virtual local area
network that has minimal access.
o Create separate VLANs for BYOD (bring your own device) systems or other untrusted
devices.
o Utilize client certificates to validate and authenticate systems prior to connecting to the
private network.
Organisations use various devices, technologies and techniques for traffic filtering in order to reduce security threats. There are four basic recommendations for traffic filtering. Each institution/organisation that wishes to improve the efficiency of filtering and increase the level of security in its network should apply the following recommendations:
o Define traffic-filtering rules that will determine the manner in which the incoming and
outgoing traffic flow in the network will be regulated. A set of traffic-filtering rules can
be adopted as an independent packet filtering policy or as a part of the information
security policy;
o Select a traffic-filtering technology that will be implemented depending on the
requirements and needs;
o Implement defined rules on the selected technology and optimise the performance of
devices accordingly;
o Maintain all the components of the solution, including not only devices, but also the
policy.
Traffic-filtering technologies are commonly divided into
o packet filtering/stateless firewall
o stateful firewall technologies
NAT is a technology that enables devices that use private IP addresses to communicate with
devices on the Internet. This technology translates private IP addresses, which can be used by
devices within a Local Area Network (LAN), into publicly available Internet addresses.
There are three types of NAT translations: dynamic, static and PAT.
Practical activities:
Activity 1:
Collect information through industry interaction what all they do to manage unauthorised
devices on the network and how these are dealt with.
Activity 2:
Find out about various tools and technologies that are used to monitor and deal with
unauthorised devices.
a. ________________________________________
b. ________________________________________
c. ________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. State at least two advantages and two disadvantages of applying packet filters?
Advantages:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Disadvantages:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. State at least two advantages and two disadvantages of applying stateful firewall devices?
Advantages:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Disadvantages:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
a. Dynamic NAT uses a set of publicly available IP addresses, successively assigning them to
hosts with private IP addresses. ( )
b. PAT (Port Address Translation) provides one-to-one mapping between the private IP address
of a host and the public IP address assigned to it. ( )
c. The packet-filtering functionality (stateless firewall) is built into very few and select
operating systems and devices with a traffic routing feature. ( )
d. As part of asset inventory, only those devices such as mobile phones, tablets, laptops, and
other portable electronic devices that store or process data must be identified, that are
attached to the organization’s network. ( )
e. The disadvantage of stateful firewall device is that it does not detect IP Spoofing and DoS
attacks. ( )
NOTES:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
_________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
_________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
UNIT II
Configuring Secure Content
Management
Lesson Plan
2.1 Secure Content Management Overview
2.2 The importance of Secure Content Management
2.3 How does Secure Content Management Work?
2.4 Solution Architectures
LESSON PLAN
You need to know and understand:
KA1. your organization’s policies, procedures, standards, guidelines and client specific service level agreements for installing, configuring information security devices
KA2. limits of your role and responsibilities and who to seek guidance from where required
KA1-KA3. QA session and a Descriptive write up on understanding.
Open Source tools like sqlmap, Nessus etc., Security Templates from ITIL
Installation and configuration of security tools in the lab environment by peer groups and validation by the faculty
Lesson
The advent of Web 2.0 technologies and the proliferation of file sharing protocols, data sharing portals, media streaming, etc. among users expand the attack surface of an organization. They create enormous opportunities for external threats to exploit weaknesses. Allowing inbound and outbound connections (the access given to employees to initiate or receive traffic) also creates issues of employee productivity, and it contributes to bandwidth issues, as connections to public or media streaming sites consume an organization’s network bandwidth.
While allowing legitimate traffic, organizations may not want their employees to indulge in the different forms of entertainment and attractions available online, which can lead to security threats, data leakage and productivity issues. Security has been evolving to address these challenges through a set of practices and technical solutions under a category which can broadly be classified as ‘Secure Content Management’ (SCM).
DSCI believes that SCM is an important discipline of security. It deserves close attention, as it promises defence against threats that increasingly concentrate on exploiting weaknesses in content management. It also offers effective instruments to curb data leakage and is therefore regarded as an important element of data security strategies.
Unrestricted Access
The use of the Internet is on the rise, as are the risks of uncontrolled access. When employees and
staff inadvertently or deliberately access sites containing inappropriate, illegal or dangerous content,
businesses suffer losses of productivity, expose themselves to legal liabilities and can experience
degraded network performance that negatively affects mission-critical tasks. There are also a
growing number of security risks—including Trojans and worms—that can seriously impact
operations.
Restricting access to inappropriate Web sites helps companies prevent excessive non-productive
Web surfing and preserves network bandwidth.
Liability Exposure
Employees who visit pornographic or racist/hate sites represent a major legal liability concern.
Businesses need to shield themselves from potential legal liability that can arise if an employee is
repeatedly exposed to offensive material on a co-worker’s computer or anywhere in the workplace.
Other sources of liability exposure include peer-to-peer networking and file sharing, which have
opened the door to charges of copyright violations and high-profile litigation. Corporations can be
held liable for breaking copyright laws if employees use company networks to download music or
movies illegally.
Instant messaging, peer-to-peer file sharing and multimedia downloads make businesses vulnerable
to backdoor attacks.
More advanced content management solutions also provide the ability to block applications such as
instant messaging and peer-to-peer services.
Site blocking
The site blocking approach for content management typically uses list-based or URL-based filters to
identify and block certain Web sites. Some solutions rely on white lists that allow access to only
those sites that appear on the list. For example, a retail store might create a white list containing
only the company’s Web site, shipping Web sites and supplier Web sites. Other solutions use black
lists, which permit access to all sites except those on the black list. The black list approach is
preferable for businesses whose employees need less restrictive Internet access. With a black list
approach, the database of Web sites is organized into categories, such as “violence” or “drugs,” and
network administrators can selectively block categories.
The effectiveness and manageability of site blocking depend on two properties of the vendor's database:
Database size—The more sites the vendor has already rated, the fewer requests fall through as unrated
and the finer the control the administrator has over what is added to the restricted list.
Update frequency—New sites continually emerge, and many existing sites are relocated. Most site
blocking solutions update their databases on a daily basis, often automatically downloading new
URLs every night.
A general limitation of site blocking is that it focuses exclusively on HTTP-based Web traffic. It does
not block instant messaging, e-mail attachments, peer-to-peer applications and other applications
that could contain security threats. A related limitation is that for HTTPS traffic a filter that does
not intercept TLS sees only the server name (from the TLS handshake or certificate), not the full URL,
so rules written against a path apply only to plaintext HTTP.
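As an added example, not from the handbook or any vendor's product, the two list-based policies and the HTTPS limitation can be shown in a small Python filter. The ratings database, the retail store's allow list, the blocked categories and the sample URLs below are all constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for a vendor's ratings database (hostname -> category).
# A real product holds millions of pre-rated sites; these entries are invented.
CATEGORY_DB = {
    "example-retailer.com": "business",
    "shipping.example.net": "shipping",
    "parts.example-supplier.com": "business",
    "forum.example.org": "forums",
    "buy-pills.example": "drugs",
    "fight-videos.example": "violence",
}

# Finer-grained ratings keyed by (host, path prefix). A path rule can only be
# applied when the filter can see the path, i.e. for plaintext HTTP.
PATH_RULES = {
    ("forum.example.org", "/adult/"): "nudity",
}

# Sample white list for the retail store in the text: company site, shipping and suppliers.
RETAIL_ALLOW = frozenset({"example-retailer.com", "shipping.example.net",
                          "parts.example-supplier.com"})

# Sample black list: categories the administrator has chosen to block.
BLOCKED_CATEGORIES = frozenset({"drugs", "violence", "nudity"})


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def rate(url, db=CATEGORY_DB, path_rules=PATH_RULES):
    """Return the category for a URL, or None if the site is unrated.

    For https:// URLs only the hostname is visible to a filter that does not
    intercept TLS (from the SNI or the certificate), so path rules are skipped.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "http":
        for (rule_host, prefix), category in path_rules.items():
            if host == rule_host and parts.path.startswith(prefix):
                return category
    return db.get(host)


def allow_list_decision(url, allowed_hosts=RETAIL_ALLOW):
    """White-list mode: fail closed. Only listed hosts are reachable."""
    host = (urlsplit(url).hostname or "").lower()
    if host in allowed_hosts:
        return Verdict(True, f"{host} is on the allow list")
    return Verdict(False, f"{host} is not on the allow list")


def block_list_decision(url, blocked=BLOCKED_CATEGORIES):
    """Black-list mode: fail open. Unrated hosts pass; blocked categories do not."""
    host = (urlsplit(url).hostname or "").lower()
    category = rate(url)
    if category is None:
        return Verdict(True, f"{host} is unrated; black-list mode permits unknown sites")
    if category in blocked:
        return Verdict(False, f"{host} is rated '{category}', which policy blocks")
    return Verdict(True, f"{host} is rated '{category}', which policy permits")


if __name__ == "__main__":
    for url in ("http://example-retailer.com/", "http://news.example.com/",
                "http://buy-pills.example/", "http://forum.example.org/adult/pics",
                "https://forum.example.org/adult/pics"):
        print(f"{url:42} allow-list: {allow_list_decision(url).allowed!s:5} "
              f"block-list: {block_list_decision(url).allowed!s:5} "
              f"({block_list_decision(url).reason})")
```

Running it shows the asymmetry the text describes: the allow list denies the unlisted news site, the block list permits it because it is unrated, and the same forum path is blocked over HTTP but passes over HTTPS because only the host name is visible to the filter.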
Content Monitoring
The most basic level of content monitoring uses a keyword-blocking approach. Instead of blocking
URLs, it compares the text being requested or displayed against a user-defined library of words and
phrases. When a match to one of the blocked words or phrases is detected, the solution filters or
blocks the data, or in some cases even closes the application. The problem with this approach is that
it can inadvertently block legitimate pages based on the fact that they contain one or more targeted
keywords. For example, a Web site about cancer research could be blocked because it contains the word
"breast."
More advanced content monitoring solutions not only examine the individual words on the page,
but also evaluate context and other data such as HTML tags. Armed with this information, advanced
content monitoring solutions can more accurately assess Web sites and consequently more
accurately control blocking. Another valuable advantage of content monitoring is the ability to
monitor and filter content not only from Web sites, but also chat rooms, instant messaging, e-mail
attachments and Windows applications.
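Added example, not from the handbook or any vendor's product: a Python comparison of plain keyword blocking with a context-aware scorer that looks at the words around each flagged term and at the HTML title and keywords tags, run against two constructed pages. The word lists, the scoring weights, the window size and the sample pages are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed word lists for the example; a real product ships much larger libraries.
BLOCKED_WORDS = {"breast", "nude", "porn"}
# Words that mark a medical or educational context for a flagged term.
CONTEXT_WORDS = {"cancer", "screening", "mammogram", "oncology", "research", "clinic", "patients"}


class _PageText(HTMLParser):
    """Collect the <title>, the keywords <meta> tag and every word of visible text."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.meta_keywords = ""
        self.words = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "meta":
            a = dict(attrs)
            if (a.get("name") or "").lower() == "keywords":
                self.meta_keywords = a.get("content") or ""

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        self.words.extend(re.findall(r"[a-z]+", data.lower()))


def _parse(html):
    page = _PageText()
    page.feed(html)
    return page


def keyword_block(html):
    """Basic keyword blocking: any blocked word anywhere on the page blocks it."""
    return any(w in BLOCKED_WORDS for w in _parse(html).words)


def context_score(html, window=5):
    """Score a page: +1 per flagged word, -1 per context word within `window`
    positions of it, and double weight for words in the title and meta keywords
    (the HTML tags say what the page is about). Weights are assumptions."""
    page = _parse(html)
    words = page.words
    score = 0.0
    for i, w in enumerate(words):
        if w in BLOCKED_WORDS:
            neighbours = words[max(0, i - window):i] + words[i + 1:i + 1 + window]
            score += 1.0 - sum(1 for n in neighbours if n in CONTEXT_WORDS)
    tag_words = re.findall(r"[a-z]+", (page.title + " " + page.meta_keywords).lower())
    score += 2.0 * sum(1 for t in tag_words if t in BLOCKED_WORDS)
    score -= 2.0 * sum(1 for t in tag_words if t in CONTEXT_WORDS)
    return score


def context_block(html, threshold=1.0):
    """Context-aware blocking: block only when the score reaches the threshold."""
    return context_score(html) >= threshold


# Constructed sample pages (not real sites).
CANCER_PAGE = """<html><head><title>Breast Cancer Screening Research</title>
<meta name="keywords" content="cancer, screening, mammogram"></head>
<body><p>Our clinic offers breast cancer screening for patients. Early mammogram
research shows breast cancer is treatable.</p></body></html>"""

ADULT_PAGE = """<html><head><title>Hot Nude Pics</title>
<meta name="keywords" content="nude, porn, xxx"></head>
<body><p>Thousands of free nude pictures and porn videos updated daily.</p></body></html>"""

NEUTRAL_PAGE = "<html><head><title>Weather</title></head><body><p>Sunny today.</p></body></html>"

if __name__ == "__main__":
    for name, page in (("cancer research", CANCER_PAGE), ("adult site", ADULT_PAGE),
                       ("weather", NEUTRAL_PAGE)):
        print(f"{name:16} keyword block: {keyword_block(page)!s:5} "
              f"context block: {context_block(page)!s:5} (score {context_score(page):+.1f})")
```

The cancer page is blocked by the keyword rule alone, because "breast" appears, but scores well below zero under the context rule, since every occurrence sits among medical terms and the title and keywords tag reinforce that; the adult page scores high on both. Tuning the weights is policy work, and a real deployment would keep a review queue for pages that land near the threshold.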
2.4 Solution Architectures
Content management software can be embedded on a networked device such as a proxy server,
caching appliance or firewall, or it can reside on a dedicated server running the Microsoft Windows,
Linux or UNIX operating system. The three common deployment methods vary in terms of
effectiveness, cost and manageability.
Client Solutions
Installed on the desktop, client solutions are most suited for home environments where parental
control is the primary application. Client software solutions include a management interface and a
database of blocked Web sites; the parent downloads database updates via the Internet. Leading
providers of client solutions include Zone Labs, Net Nanny® and Internet Service Providers (ISPs)
such as Microsoft® MSN and AOL®.
Standalone Solutions
Standalone solutions consist of a dedicated database server for defining policies and a separate
gateway or firewall that enforces the content management policies. These solutions are more
manageable than client based solutions because an administrator can create a policy once on the
gateway and then apply it across all desktops. However, most standalone solutions require
organizations to purchase and manage two separate hardware devices in addition to content
management software. They also require additional storage to be purchased as needed, when the
policy database grows to exceed the storage available. Key vendors of standalone solutions include
SonicWALL®, Websense and Surf Control®.
Integrated Solutions
Integrated solutions consolidate management and processing in a single gateway or firewall, thereby
reducing capital and operational expenses. However, when the gateway or firewall is also used for
services like anti-virus and intrusion prevention, performance can suffer. Key vendors of integrated
content filtering solutions include SonicWALL®, Symantec™ and WatchGuard®.
Evaluating Solutions
Depending on the levels of protection, performance and manageability required, non-residential
customers should choose between an integrated solution and a standalone appliance. Both
alternatives can combine Internet content management with dynamic threat protection techniques
to control access and secure the network against an array of threats from viruses, spyware, worms,
instant messaging and peer-to-peer applications. At the core of both integrated and standalone
solutions is a rating architecture that leverages a comprehensive database of millions of pre-rated
Web sites and domains. When a user attempts to access a Web site, the URL is cross-referenced
against a master ratings database. These databases can be managed and maintained by the content
filtering solution vendor, and made available at multiple locations for performance efficiency and
high availability. A rating is returned to the requestor and compared to the content filtering policy
established by the administrator. If the Web request is permitted, the user is able to view the page.
If the requested Web site is denied, a custom block message informs the user that the site has been
blocked according to policy.
Standalone Appliances
For larger businesses and enterprise environments that need more comprehensive content control, a
standalone content filtering appliance adds a dedicated enforcement point to the network. Although it
requires the purchase of additional hardware, it is simple to install and operate: the appliance can
be dropped into the existing network without reconfiguring existing hardware or software, and it is a
way to add functionality alongside an existing firewall without upgrading the firewall itself. A
standalone appliance can combine Internet content management with real-time gateway anti-virus and
anti-spyware scanning.
Beyond these advantages and basic Web site access controls, other advantages of a standalone
appliance include:
Seamless integration—Appliances can be easily installed in virtually any network, and combined
with any existing firewall. Plug-and-play designs speed installation, making them drop-in solutions
that eliminate the need for additional servers or hardware.
Dynamic rating engine—Built-in capabilities can dynamically evaluate new URLs. Real-time
analysis of page content, context for flagged words, HTML tags and other data can produce a
rating and category for immediate access or blocking based on the organizations’ predetermined
policies. New ratings can be automatically added to a master ratings database for subsequent
requests.
Protection from attacks—Deep packet inspection can block viruses, worms, Trojans, spyware, phishing,
malicious code and other attacks before they reach internal hosts. Appliances can scan and clean
network traffic over a multitude of ports and protocols including HTTP, SMTP, POP3, FTP and NetBIOS.
Such inspection is signature-based, so it catches known threats only, and it cannot look inside
encrypted traffic unless the appliance terminates TLS.
Advanced security for bandwidth protection and reduced legal liabilities—Appliances can provide
controls for managing instant messaging, peer-to-peer and multimedia applications.
rating lists provides more granular control over filtering policies. Advanced reporting and analysis
tools provide granular insight into network usage through custom reports.
They also share another less encouraging similarity: they are among the most common hacking targets
on the Internet.
A WP White Security study found that a staggering 73% of all WordPress installations had known
vulnerabilities that could easily be detected using automated tools.
Cyber criminals have long discovered these security holes, with over 170,000 WordPress sites being
hacked last year.
However, the opposite is true. CMSes are attractive targets because they are large, widely deployed
code bases assembled from many third-party components, and the open source model that makes them
cheap to adopt does not by itself guarantee that anyone reviews or maintains every part of the
product. Since the top CMSes are so popular, their vulnerabilities are actively sought after, both by
security researchers and by the hacker community.
Once a flaw is identified, a single exploit works against every unpatched installation, which makes
CMS vulnerabilities a gold mine for automated, mass-scale attacks.
Adding to the issue are website operators who use weak passwords, leaving their admin accounts
vulnerable to automated brute force attacks.
In the past we have shown how such weak passwords were used to inject websites with malware,
turning them into DDoS zombies.
Obviously, with administrative access hackers can also deal other kinds of damage: anything from
defacing the site (for fun) to using it for malware distribution, which eventually gets it blacklisted
in Google and in other search engines.
Finally, there is also the issue of various CMS plugins and themes, which are also exposed to attacks.
Each of these is created by a different developer and may introduce an additional set of vulnerabilities.
A recent study found that over 20% of the fifty most popular WordPress plugins were vulnerable to
hacking, while a staggering eight million susceptible plugins had been downloaded from WordPress
alone.
Considering that most users have at least 3-4 plugins running on their CMS platform, it’s apparent how
they can further expose their sites to new security risks.
Create a regular schedule to update or patch the CMS and all installed plugins and themes.
This will ensure that all components are up to date. CMS platforms usually display a dashboard
message whenever a new update is available; users should install it promptly even if it is outside
their update schedule.
Remove plugins and themes that are not in use; inactive code is still on the server and can still
be reached by an attacker.
Regularly back up the CMS and its underlying database. This should be performed weekly at a
minimum, and the backups should be stored where the web server cannot overwrite them.
Subscribe to a regularly updated list of vulnerabilities for the specific CMS being used (e.g.,
WordPress).
Delete default admin usernames (e.g., 'admin') and use strong, unique passwords. Length matters
more than mixing character classes: prefer passphrases of 12 characters or more that are not
reused on any other site.
Use a plugin for strong authentication, or two-factor authentication (2FA), for an additional
layer of protection, and limit the rate of login attempts so that automated brute force attacks
are slowed down.
Summary
DSCI believes that SCM is an important discipline of security. It deserves a close attention as it
promises defence against the threats that are increasingly concentrating their acts to exploit
weakness in the content management. It also offers effective instruments to curb the data
leakages, hence, is regarded as an important element of data security strategies.
With unrestricted access the organisation faces increased risk in four areas: reduced employee
productivity, liability exposure, hacker attacks and privacy violations.
Securing content starts with controlling access to certain Web sites based on predetermined
criteria. At a basic level, user access to Internet content is controlled using the URL address or
the URL content category (such as nudity or gambling).
Basic content management solutions can also examine the way the content is delivered, such as
through Java applets or ActiveX scripts, and determine access permissions accordingly.
More advanced content management solutions also provide the ability to block applications
such as instant messaging and peer-to-peer services.
Secure content management solutions employ one of two basic approaches: site blocking or
content monitoring.
Both of these are based on pass-through filtering technology. That is, all requests for Web pages
pass through an Internet control point such as a firewall, proxy server or caching device. The
device then evaluates each request to determine whether it should be allowed or denied based
on company policy.
The most basic level of content monitoring uses a keyword-blocking approach. Instead of
blocking URLs, it compares the requested or displayed text against a user-defined library of
words and phrases.
More advanced content monitoring solutions not only examine the individual words on the
page, but also evaluate context and other data such as HTML tags. Armed with this information,
advanced content monitoring solutions can more accurately assess Web sites and consequently
more accurately control blocking.
Content management software can be embedded on a networked device such as a proxy server,
caching appliance or firewall, or it can reside on a dedicated server running the Microsoft
Windows, Linux or UNIX operating system. The three common deployment methods vary in
terms of effectiveness, cost and manageability.
The three categories of solution are client solutions, standalone solutions and integrated
solutions.
Practical activities:
Activity 1:
List the various content management service providers and tools available in the market.
Compare at least two tools and their features, benefits and limitations.
Activity 2:
Try and learn about the content management system in your institute if they are using any, or
interact with consultants or companies to enquire about the configuration process of a secure
content management system.
Installed on the desktop, ________ __________are most suited for home environments
where parental control is the primary application.
Secure content management solutions employ one of two basic approaches: ____________
or ____________________.
At the core of both integrated and standalone solutions is an __________ architecture that
leverages a comprehensive database of millions of pre-rated Web sites and domains.
Q. What is the difference between a Black List and a White list, in the context of site blocking?
Q. List at least two factors based on which the effectiveness and manageability of site blocking
depends.
UNIT III
Configuring Firewall
Lesson Plan
Resource Material
3.1. What Firewall Software Does?
3.2. Firewall Configuration
3.3. Why Firewall Security?
3.4. Configuring a Simple Firewall
LESSON PLAN
Outcomes:
PC1. identify information security devices (firewall) you are required to install/configure/troubleshoot
and source relevant instructions and guidelines
PC4. install/configure information security devices (firewall) as per instructions and guidelines
Performance Ensuring Measures:
The learners must demonstrate PC1, PC4 and KA1 to KA13 on the given work task
Work Environment / Lab Requirement:
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with Wi-Fi (Min 2 Mbps Dedicated)
Networking Equipment - Routers & Switches
Lesson
Let's say that you work at a company with 500 employees. The company will therefore have
hundreds of computers that all have network cards connecting them together. In addition, the
company will have one or more connections to the Internet through something like T1 or T3 lines.
Without a firewall in place, all of those hundreds of computers are directly accessible to anyone on
the Internet. A person who knows what he or she is doing can probe those computers, try to make
FTP connections to them, try to make telnet connections to them and so on. If one employee makes
a mistake and leaves a security hole, hackers can get to the machine and exploit the hole.
With a firewall in place, the landscape is much different. A company will place a firewall at every
connection to the Internet (for example, at every T1 line coming into the company). The firewall can
implement security rules. For example, one of the security rules inside the company might be:
Out of the 500 computers inside this company, only one of them is permitted to receive public FTP
traffic. Allow FTP connections only to that one computer and prevent them on all others.
A company can set up rules like this for FTP servers, Web servers, Telnet servers and so on. In
addition, the company can control how employees connect to Web sites, whether files are allowed
to leave the company over the network and so on. A firewall gives a company tremendous control
over how people use the network.
Firewalls use one or more of three methods to control traffic flowing in and out of the
network:
Packet filtering
Each packet (a small chunk of data) is checked in isolation against a set of filters on addresses,
protocol and ports. Packets that pass the filters are forwarded; all others are discarded.
Proxy service
Information from the Internet is retrieved by the firewall on behalf of the requesting system and
then relayed to it, and vice versa, so the two endpoints never talk to each other directly.
Stateful inspection
A newer method that does not examine the full contents of each packet but keeps a table of the
connections it has seen. When a system inside the firewall opens a connection to the outside, its
defining characteristics (addresses, ports, protocol and connection state) are recorded; an
incoming packet is allowed through only if it matches an entry in that table or an explicit rule.
Anything else is discarded. This is what lets replies to requests from inside come back while
unsolicited inbound packets are dropped.
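As an added example, not from the handbook: a small Python model of a firewall that combines stateless packet filtering with a stateful connection table, applying the "500 computers, one public FTP server" policy from the text. The Packet fields, the rule tables and the sample traffic (RFC 5737 documentation addresses on the Internet side) are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = arriving from the Internet, "out" = leaving the LAN
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP SYN without ACK: a new connection attempt


# Constructed policy for the 500-host company in the text. Everything not listed
# is denied (the "block everything, then allow" rule of thumb).
# Inbound: only the one public FTP server may receive new connections.
INBOUND_RULES = [("tcp", "10.0.0.25", 21)]
# Outbound: browsing and DNS; host None means "any internal host".
OUTBOUND_RULES = [("tcp", None, 80), ("tcp", None, 443), ("udp", None, 53)]


class StatefulFirewall:
    """Packet filter plus a connection table (stateful inspection)."""

    def __init__(self, inbound=INBOUND_RULES, outbound=OUTBOUND_RULES):
        self.inbound = inbound
        self.outbound = outbound
        # Connection table keyed by (proto, lan_ip, lan_port, remote_ip, remote_port),
        # the "defining characteristics" recorded when a connection is first allowed.
        self.table = set()

    @staticmethod
    def _key(p):
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _rule_allows(self, p):
        """Stateless packet filtering: match protocol, destination host and port."""
        rules = self.inbound if p.direction == "in" else self.outbound
        return any(p.proto == proto and p.dport == port and (host is None or p.dst == host)
                   for proto, host, port in rules)

    def handle(self, p):
        """Return (allowed, reason) and update the connection table."""
        key = self._key(p)
        if key in self.table:
            return True, "established connection"
        # A TCP packet without SYN cannot legitimately start a connection, so an
        # inbound one that matches no table entry is stray or spoofed.
        if p.direction == "in" and p.proto == "tcp" and not p.syn:
            return False, "no matching connection"
        if self._rule_allows(p):
            self.table.add(key)
            return True, "new connection permitted by rule"
        return False, "default deny"


if __name__ == "__main__":
    fw = StatefulFirewall()
    for p in (Packet("in", "tcp", "203.0.113.9", 40000, "10.0.0.25", 21, syn=True),
              Packet("in", "tcp", "203.0.113.9", 40001, "10.0.0.30", 21, syn=True),
              Packet("out", "tcp", "10.0.0.7", 51000, "198.51.100.5", 80, syn=True),
              Packet("in", "tcp", "198.51.100.5", 80, "10.0.0.7", 51000),
              Packet("in", "tcp", "198.51.100.5", 80, "10.0.0.8", 51000),
              Packet("out", "udp", "10.0.0.7", 53001, "198.51.100.53", 53),
              Packet("in", "udp", "198.51.100.53", 53, "10.0.0.7", 53001)):
        allowed, why = fw.handle(p)
        print(f"{p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}: "
              f"{'ALLOW' if allowed else 'DROP '} ({why})")
```

The run shows the two methods working together: the static rules admit the FTP connection to the one permitted host and reject the same request to any other host, while the connection table lets the web and DNS replies back in only for the internal host and port that originated them. A real firewall also ages entries out of the table and tracks TCP state transitions; this model keeps entries forever to stay short.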
Working of Firewall
Firewall Configuration
Firewalls are customizable. This means that you can add or remove filters based on several
conditions. Some of these are:
IP addresses
Each host reachable on the Internet has an IP address. IPv4 addresses are 32-bit numbers, normally
expressed as four "octets" in "dotted decimal" notation; a typical address looks like 216.27.61.137.
For example, if a certain IP address outside the company is reading too many files from a server, the
firewall can block all traffic to or from that IP address.
Domain names
As it is hard to remember the string of numbers that make up an IP address, and because IP
addresses sometimes need to change, servers on the Internet also have human-readable names,
called domain names.
A company might block all access to certain domain names, or allow access only to specific domain
names. Because packets carry only IP addresses, a domain name rule is enforced either by resolving
the name to addresses when the rule is loaded or by inspecting the DNS queries, HTTP Host headers
or TLS server names that mention it.
Protocols
The protocol is the pre-defined way that someone who wants to use a service talks with that service.
The "someone" could be a person, but more often it is a computer program like a Web browser.
Protocols are often text, and simply describe how the client and server will have their conversation;
HTTP, for example, is the Web's protocol.
Some common protocols that you can set firewall filters for include:
IP (Internet Protocol) - the main delivery system for information over the Internet
TCP (Transmission Control Protocol) - used to break apart and rebuild information that
travels over the Internet, with acknowledgements and retransmission of lost pieces
UDP (User Datagram Protocol) - used for information that needs no acknowledgement, such as
DNS lookups and streaming audio and video
ICMP (Internet Control Message Protocol) - used by hosts and routers to exchange control and
error messages, such as ping and "destination unreachable"
SMTP (Simple Mail Transfer Protocol) - used to send e-mail between mail servers
SNMP (Simple Network Management Protocol) - used to collect system information from a
remote computer
A company might set up only one or two machines to handle a specific protocol and ban that
protocol on all other machines.
A company might set up only one or two machines to handle a specific protocol and ban that
protocol on all other machines.
Ports
Any server machine makes its services available to the Internet using numbered ports, one for each
service that is available on the server. For example, if a server machine is running a Web (HTTP)
server and an FTP server, the Web server would typically be available on port 80, and the FTP server
would be available on port 21. A company might block port 21 access on all machines but one inside
the company.
Specific words and phrases
For example, you could instruct the firewall to block any packet with the word "X-rated" in it. The
key here is that it has to be an exact match. The "X-rated" filter would not catch "X rated" (no
hyphen). But you can include as many words, phrases and variations of them as you need. This kind
of filter only works on traffic the firewall can read: it cannot see inside encrypted (HTTPS)
connections, and a phrase split across two packets will not match unless the firewall reassembles
the stream first.
Some operating systems come with a firewall built in. Otherwise, a software firewall can be installed
on the computer in your home that has an Internet connection. This computer is considered a
gateway because it provides the only point of access between your home network and the Internet.
With a hardware firewall, the firewall unit itself is normally the gateway. A good example is the
Linksys Cable/DSL router. It has a built-in Ethernet card and hub. Computers in your home network
connect to the router, which in turn is connected to either a cable or DSL modem. You configure the
router via a Web-based interface that you reach through the browser on your computer. You can
then set any filters or additional information.
A hardware firewall is not inherently more secure than a software one, but it sits at the gateway,
separate from the hosts it protects, so a compromised PC cannot simply switch it off. Home versions
that include a router, firewall and Ethernet hub for broadband connections can be found for well
under Rs 10000.
There are many creative ways that unscrupulous people use to access or abuse unprotected
computers:
Remote login
When someone is able to connect to your computer and control it in some form. This can range from
being able to view or access your files to actually running programs on your computer.
Application backdoors
Some programs have special features that allow for remote access. Others contain bugs that provide
a backdoor, or hidden access that provides some level of control of the program.
SMTP session hijacking
SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of
e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is
done quite often by relaying the e-mail through the SMTP server of an unsuspecting host (an open
relay), making the actual sender of the spam difficult to trace.
Operating system bugs
Like applications, some operating systems have backdoors. Others provide remote access with
insufficient security controls or have bugs that an experienced hacker can take advantage of.
Denial of service
You have probably heard this phrase used in news reports on the attacks on major Web sites. The
classic form is the SYN flood: the attacker sends a stream of connection requests, often from forged
source addresses. The server acknowledges each one and waits for the final step of the handshake,
which never arrives, so its table of half-open connections fills up. By inundating a server with
these unanswerable session requests, the attacker causes it to slow to a crawl or eventually crash.
Such attacks are hard to stop completely, but SYN cookies, connection rate limits and upstream
filtering reduce their impact.
E-mail bombs
An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or
thousands of times until your e-mail system cannot accept any more messages.
Macros
To simplify complicated procedures, many applications allow you to create a script of commands
that the application can run. This script is known as a macro. Hackers have taken advantage of this to
create their own macros that, depending on the application, can destroy your data or crash your
computer.
Viruses
Probably the most well-known threat is computer viruses. A virus is a small program that can copy
itself to other computers. This way it can spread quickly from one system to the next. Viruses range
from harmless messages to erasing all of your data.
Spam
Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be
dangerous though. Quite often it contains links to Web sites. Be careful about clicking on these: the
link may lead to a phishing page that imitates a legitimate site, or to a page that tries to install
malware through the browser.
Redirect bombs
Hackers can use ICMP to change (redirect) the path information takes by sending it to a different
router. This is one of the ways that a denial of service attack is set up.
Source routing
In most cases, the path a packet travels over the Internet (or any other network) is determined by
the routers along that path. But the source providing the packet can arbitrarily specify the route that
the packet should travel. Hackers sometimes take advantage of this to make information appear to
come from a trusted source or even from inside the network! Most firewall products disable source
routing by default.
The level of security you establish will determine how many of these threats can be stopped by your
firewall. The highest level of security would be to simply block everything. Obviously that defeats the
purpose of having an Internet connection. But a common rule of thumb is to block everything, then
begin to select what types of traffic you will allow.
You can also restrict traffic that travels through the firewall so that only certain types of information,
such as e-mail, can get through. This is a good rule for businesses that have an experienced network
administrator that understands what the needs are and knows exactly what traffic to allow through.
For most of us, it is probably better to work with the defaults provided by the firewall developer
unless there is a specific reason to change it.
One of the best things about a firewall from a security standpoint is that it stops anyone on the
outside from logging onto a computer in your private network. While this is a big deal for businesses,
most home networks will probably not be threatened in this manner. Still, putting a firewall in place
provides some peace of mind.
A function that is often combined with a firewall is a proxy server. The proxy server is used to access
Web pages by the other computers. When another computer requests a Web page, it is retrieved by
the proxy server and then sent to the requesting computer. The net effect of this action is that the
remote computer hosting the Web page never comes into direct contact with anything on your
home network, other than the proxy server.
Proxy servers can also make your Internet access work more efficiently. If you access a page on a
Web site, it is cached (stored) on the proxy server. The next time you, or another user on the
network, request that page, it normally does not have to be fetched from the Web site again; instead
it is served from the proxy's cache, as long as the cached copy is still valid.
There are times that you may want remote users to have access to items on your network. Some
examples are:
Web site
Online business
FTP download and upload area
In cases like this, you may want to create a DMZ (Demilitarized Zone). A DMZ is a separate network
segment that sits between the Internet and the internal network, with the firewall controlling
traffic in both directions: the Internet may reach only the published services on DMZ hosts, and DMZ
hosts may reach the internal network only where a rule explicitly allows it. Think of the DMZ as the
front yard of a house: it belongs to the owner, who may put some things there, but anything valuable
goes inside the house where it can be properly secured.
Setting up a DMZ means placing the public servers on their own firewall interface (or, on a small
network, on a dedicated host between the Internet connection and the internal firewall) and writing
rules so that a compromised DMZ server gives the attacker no direct path to the inside. Many
firewalls, including home routers, offer a "DMZ host" setting, but that usually just forwards all
inbound traffic to one machine on the internal network, which is not a true DMZ.
Figure legend (the diagram itself is not reproduced; only items 5 to 7 of the legend survive): 5 Protected network; 6 Unprotected network; 7 Fast Ethernet or ATM WAN interface (the outside interface for NAT)
In the configuration example that follows, the firewall is applied to the outside WAN interface (FE0)
on the Cisco 1811 or Cisco 1812 and protects the Fast Ethernet LAN on FE2 by filtering and
inspecting all traffic entering the router on the Fast Ethernet WAN interface FE1.
Note that in this example, the network traffic originating from the corporate network, network
address 10.1.1.0, is considered safe traffic and is not filtered.
Configuration Tasks
Perform the following tasks to configure this network scenario:
Perform these steps to create access lists for use by the firewall, beginning in global configuration
mode:
Step 1
Command: access-list access-list-number {deny | permit} protocol source source-wildcard [operator [port]] destination
Example:
Router(config)# access-list 103 permit udp host 200.1.1.1 eq isakmp any
Router(config)#
Purpose: Creates an access list which prevents Internet-initiated traffic from reaching the local
(inside) network of the router, and which compares source and destination ports. The protocol
keyword is required by the syntax; isakmp is UDP port 500, so the entry specifies udp. Because
every access list ends with an implicit deny, this list admits only IKE traffic from the corporate
VPN peer 200.1.1.1 and drops all other inbound traffic. See the Cisco IOS IP Command Reference,
Volume 1 of 4: Addressing and Services for details about this command.
Step 2
Command: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
Example:
Router(config)# access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
Router(config)#
Purpose: Creates an access list that allows network traffic to pass freely between the corporate
network and the local networks through the configured VPN tunnel.
Step 2
Command: ip inspect name inspection-name protocol
Example:
Router(config)# ip inspect name firewall rtsp
Router(config)# ip inspect name firewall h323
Router(config)# ip inspect name firewall netshow
Router(config)# ip inspect name firewall ftp
Router(config)# ip inspect name firewall sqlnet
Router(config)#
Purpose: Repeat this command for each inspection rule that you wish to use.

Perform these steps to apply the access lists and inspection rules to the router interfaces:

Step 1
Command: interface type number
Example:
Router(config)# interface vlan 1
Router(config-if)#
Purpose: Enters interface configuration mode for the inside network interface on your router.

Step 2
Command: ip inspect inspection-name {in | out}
Example:
Router(config-if)# ip inspect firewall in
Router(config-if)#
Purpose: Assigns the set of firewall inspection rules to the inside interface on the router.

Step 5
Command: ip access-group {access-list-number | access-list-name} {in | out}
Example:
Router(config-if)# ip access-group 103 in
Router(config-if)#
Purpose: Assigns the defined ACLs to the outside interface on the router.

Step 6
Command: exit
Example:
Router(config-if)# exit
Router(config)#
Purpose: Returns to global configuration mode.
Configuration Example
A telecommuter is granted secure access to a corporate network using IPsec tunnelling. Security for the home network is provided by firewall inspection. The protocols inspected are TCP, UDP, RTSP, H.323, NetShow, FTP, and SQLNet. There are no servers on the home network; therefore, no traffic initiated from outside is allowed in. IPsec tunnelling secures the connection from the home LAN to the corporate network.
As with the Internet firewall policy, HTTP need not be specified separately because Java blocking is not required; specifying TCP inspection already covers single-channel protocols such as Telnet and HTTP. UDP is specified for DNS.
The following configuration example shows a portion of the configuration file for the simple firewall scenario described in the preceding sections.

! Firewall inspection is set up for all tcp and udp traffic as well as the specific
! application protocols defined by the security policy.
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
!
interface vlan 1
 ! This is the internal home network.
 ! Applied inbound on the inside interface, so inspection examines traffic leaving
 ! the LAN and opens return paths for it.
 ip inspect firewall in
 no cdp enable
!
interface fastethernet 0
 ! FE0 is the outside (Internet-exposed) interface.
 ! ACL 103 permits IPsec traffic from the corporate router and denies
 ! Internet-initiated traffic inbound.
 ip access-group 103 in
 ip nat outside
 no cdp enable
!
! ACL 103 defines the traffic allowed from the peer for the IPsec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
! Allows ICMP for debugging; disable it in production because of the security implications.
access-list 103 permit icmp any any
! Prevents Internet-initiated traffic inbound (the implicit deny would do the same, but an
! explicit entry gives you a match counter to watch).
access-list 103 deny ip any any
no cdp run
!
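To check what the outside interface will admit before the configuration is pushed, the following added example (written for this handbook; it is not Cisco code and not part of the original configuration guide) evaluates ACL 103 exactly as written above. It applies Cisco's first-match rule and the implicit deny ip any any at the end of every ACL, and it flags permit entries that any Internet source can match (here, the icmp any any line). Only the ACE forms used on this page are parsed (any, host, network/wildcard, and eq port); the peer address 200.1.1.1 comes from the page, while 203.0.113.10 (standing in for the home router's WAN address) and 198.51.100.7 are constructed documentation addresses.

```python
import ipaddress
from dataclasses import dataclass

PROTOCOLS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50}  # None: any protocol
PORT_NAMES = {"isakmp": 500}       # the only port keyword this ACL uses
ANY = (0, 0xFFFFFFFF)              # 0.0.0.0 with wildcard 255.255.255.255

@dataclass
class Packet:
    proto: int          # IP protocol number
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports (ESP, ICMP)
    dport: int = 0

@dataclass
class Ace:
    action: str
    proto: object       # int, or None for 'ip'
    src: tuple          # (network, wildcard) as 32-bit ints
    sport: object       # int, or None when there is no 'eq' clause
    dst: tuple
    dport: object
    text: str           # the ACE as written, comment stripped

def _ip(tok):
    return int(ipaddress.IPv4Address(tok))

def _port(tok):
    if tok.isdigit():
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError(f"unknown port keyword {tok!r}")

def _take_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (spec, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2

def _take_port(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p]'."""
    text = line.split("!", 1)[0].strip()      # drop IOS inline comments
    tokens = text.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an extended ACE: {line!r}")
    action, proto = tokens[2], PROTOCOLS[tokens[3]]
    src, i = _take_addr(tokens, 4)
    sport, i = _take_port(tokens, i)
    dst, i = _take_addr(tokens, i)
    dport, i = _take_port(tokens, i)
    return Ace(action, proto, src, sport, dst, dport, text)

def parse_acl(config):
    return [parse_ace(l) for l in config.splitlines() if l.strip().startswith("access-list")]

def _addr_match(spec, addr):
    network, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; only the remaining bits must agree.
    return ((_ip(addr) ^ network) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl, pkt):
    """(action, ACE text) for the first matching entry, else the implicit deny."""
    for ace in acl:
        if ace.proto is not None and ace.proto != pkt.proto:
            continue
        if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny ip any any"

def open_to_any_source(acl):
    """Permit entries that any Internet host can match; review these first."""
    return [a.text for a in acl if a.action == "permit" and a.src == ANY]

# ACL 103 exactly as applied inbound on FE0 in the configuration above.
ACL_103 = """access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
access-list 103 permit icmp any any ! allow icmp for debugging
access-list 103 deny ip any any
"""

if __name__ == "__main__":
    acl = parse_acl(ACL_103)
    # Constructed packets: IKE from the corporate peer, then an Internet SSH attempt.
    for pkt in (Packet(17, "200.1.1.1", "203.0.113.10", 500, 500),
                Packet(6, "198.51.100.7", "203.0.113.10", 40000, 22)):
        print(pkt, "->", evaluate(acl, pkt))
    print("open to any source:", open_to_any_source(acl))
```

Running it shows the IKE and ESP packets from 200.1.1.1 matching the first three entries, everything else from the Internet hitting the explicit deny, and the icmp any any line reported as the one entry open to arbitrary sources. Evaluating the list without its final entry (acl[:-1]) gives the same deny verdict but attributes it to the implicit deny, which is the point the troubleshooting unit makes about ACLs that contain no visible deny statement.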
Firewall Limitations
A firewall is a crucial component of securing your network. It controls which traffic may enter or leave (through stateful packet inspection, which admits inbound packets only when they belong to a session the inside initiated or that policy explicitly allows) and it hides the addressing of your internal network (through NAT). Your network gains these benefits only if all transmitted traffic passes through the firewall. The importance of including a firewall in your security strategy is apparent; however, firewalls do have the following limitations:
• A firewall cannot prevent users or attackers with modems from dialing into or out of the internal network, thus bypassing the firewall and its protection completely. Any other path around the firewall, such as an unmanaged wireless link or a second Internet connection, has the same effect.
• Firewalls cannot enforce your password policy or prevent misuse of passwords. Your password policy is crucial in this area because it outlines acceptable conduct and sets the ramifications of noncompliance.
• Firewalls are ineffective against nontechnical security risks such as social engineering, as discussed in Chapter 1, "There Be Hackers Here."
• Firewalls cannot stop internal users from accessing websites with malicious code, making user education critical.
• Firewalls cannot protect you when your security policy is too lax.
Summary
A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet is flagged by the filters, it is not allowed through.
Firewalls use one or more of three methods to control traffic flowing in and out of the network:
Packet filtering: Packets (small chunks of data) are checked against a set of filters on header fields such as source and destination address, protocol and port. Packets that pass the filters are forwarded to the requesting system; all others are discarded. Each packet is judged on its own, with no memory of earlier packets.
Proxy service: Information from the Internet is retrieved by the firewall on behalf of the requesting system and then passed to it, and vice versa, so the two ends never communicate directly.
Stateful inspection: A newer method that does not examine the full contents of each packet but tracks the state of each connection. Key characteristics of traffic leaving the network (addresses, ports and TCP connection state) are recorded in a state table, and incoming packets are compared against that table. A packet that belongs to an established, legitimately initiated session is allowed through; otherwise it is discarded. The Cisco IOS inspection rules configured in this unit work this way.
Firewalls are customizable: you can add or remove filters based on several conditions, such as IP addresses, domain names, ports, specific words or phrases, and protocols.
Firewall security is used to protect against unauthorized access to, or abuse of, otherwise unprotected computers.
A function that is often combined with a firewall is a proxy server. The proxy server is used to access Web pages on behalf of the other computers. When another computer requests a Web page, it is retrieved by the proxy server and then sent to the requesting computer. The net effect of this action is that the remote computer hosting the Web page never comes into direct contact with anything on your home network other than the proxy server.
Perform the following tasks to configure a firewall in a network scenario:
o Configure Access Lists
o Configure Inspection Rules
o Apply Access Lists and Inspection Rules to Interfaces
Practical activities:
Activity 1:
List the various kinds of firewalls in the market and the various vendors for the same. Compare
the features, benefits and limitations of various kind of firewall products offered. Share with
your fellow students.
Activity 2:
Configure a firewall product or first job shadow someone who installs a firewall. List down the
various steps of the same, then configure it on your own.
Student Handbook – Security Analyst SSC/N0903
UNIT IV
Troubleshooting information security
devices
Lesson Plan
4.1 Troubleshooting the Cisco IOS Firewall Configuration
4.2 Troubleshooting routers
LESSON PLAN
Lesson
To remove a suspect access list from an interface while testing:
int <interface>
no ip access-group # in|out
If too much traffic is denied, study the logic of your list or try to define an additional broader list, and then apply it instead. For example:
int <interface>
ip access-group # in|out
The show ip access-lists command displays each access list together with a match counter on every entry that has been hit. Note the counters before the failing operation, repeat it, and look again: if the count on the entry that covers that source and destination address has increased, the access list is blocking the traffic.
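The before-and-after comparison described above is easy to get wrong by eye on a long list, so here is an added example (written for this handbook, not a Cisco tool) that parses two show ip access-lists snapshots and reports which entries fired in between, separating the deny entries that explain a blocked operation. The two snapshots are constructed for ACL 103 from this unit, in the layout IOS uses (sequence number, entry text, and a "(N matches)" suffix on entries that have been hit); the counts are invented for the illustration.

```python
import re

# One ACE line as 'show ip access-lists' prints it: sequence, action, body, optional counter.
ACE_RE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")
HEAD_RE = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")

def parse_show_ip_access_lists(text):
    """Return {acl_name: {seq: (action, ace_text, match_count)}}."""
    acls, current = {}, None
    for line in text.splitlines():
        head = HEAD_RE.match(line)
        if head:
            current = acls.setdefault(head.group(1), {})
            continue
        ace = ACE_RE.match(line)
        if ace and current is not None:
            seq, action, body, count = ace.groups()
            current[int(seq)] = (action, body.strip(), int(count or 0))
    return acls

def counter_deltas(before, after):
    """Entries whose counters grew between the snapshots: (acl, seq, action, text, delta)."""
    deltas = []
    for name, entries in after.items():
        for seq, (action, text, n_after) in entries.items():
            n_before = before.get(name, {}).get(seq, (None, None, 0))[2]
            if n_after > n_before:
                deltas.append((name, seq, action, text, n_after - n_before))
    return deltas

def blocked_by(before, after):
    """Only the deny entries that fired: the candidates for why the operation failed."""
    return [d for d in counter_deltas(before, after) if d[2] == "deny"]

# Constructed snapshots of ACL 103, taken before and after a failed inbound
# connection attempt from the Internet while the IPsec tunnel kept running.
BEFORE = """\
Extended IP access list 103
    10 permit udp host 200.1.1.1 any eq isakmp (12 matches)
    20 permit udp host 200.1.1.1 eq isakmp any
    30 permit esp host 200.1.1.1 any (345 matches)
    40 permit icmp any any (3 matches)
    50 deny ip any any (7 matches)
"""
AFTER = """\
Extended IP access list 103
    10 permit udp host 200.1.1.1 any eq isakmp (12 matches)
    20 permit udp host 200.1.1.1 eq isakmp any
    30 permit esp host 200.1.1.1 any (351 matches)
    40 permit icmp any any (4 matches)
    50 deny ip any any (11 matches)
"""

if __name__ == "__main__":
    b, a = parse_show_ip_access_lists(BEFORE), parse_show_ip_access_lists(AFTER)
    for name, seq, action, text, delta in counter_deltas(b, a):
        print(f"ACL {name} seq {seq}: {action} {text}  +{delta}")
    print("blocked by:", blocked_by(b, a))
```

The ESP counter moving is expected background traffic; the four new hits on sequence 50 are the evidence that the failed operation was dropped by the deny entry. On a busy router, run clear access-list counters before the test so that the deltas are small and unambiguous.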
If the router is not heavily loaded, debugging can be done at the packet level against the extended or ip inspect access list. On a heavily loaded router, packet-level debugging slows traffic through the router, so use discretion with debugging commands. First disable fast switching on the interface so that packets are process-switched (and therefore visible to debug), and send debug output to your terminal session:
int <interface>
no ip route-cache
term mon
Extended access lists can also be used with the log keyword at the end of individual statements; packets matching such an entry then generate messages, so you see on the screen which traffic was permitted and which was denied.
If the ip inspect list is suspect, the debug ip inspect <type_of_traffic> command produces output such as this:
Feb 14 12:41:17 10.31.1.52 56: 3d05h: CBAC* sis 258488 pak 16D0DC TCP P ack 3195751223
Feb 14 12:41:17 10.31.1.52 57: 3d05h: CBAC* sis 258488 pak 17CE30 TCP P ack 3659219378
When a router isn’t functioning, here are some steps to perform to eliminate basic faults as the
source of trouble:
Physical Layer: Check power issues. Look for power lights, and check plugs and circuit breakers.
Check the Interfaces: Use the command show ip interface brief or show ipv6 interface brief to
ensure that desired interfaces are up and configured properly.
Ping: Use the ping and trace commands to check for connectivity.
Check the Routing Table: Use the show ip route or show ipv6 route command to find out what the
router knows. Is there either an explicit route to the remote network or a gateway of last resort?
Is there a Firewall on the Computer? If the problem involves a computer, check to ensure that its
firewall is not blocking packets. Sometimes there are computers at client locations with firewalls in
operation without the client’s knowledge.
Any Access Lists? If the above steps don’t resolve the issue, check for access-control lists that block
traffic. There is an implicit “deny any” at the end of every access-control list, so even if you don’t see
a statement explicitly denying traffic, it might be blocked by an implicit “deny any.”
Is the VPN Up? If a VPN is part of the connection, check to ensure that it is up. Use the show crypto
family of commands to check VPN connections. With VPN connections, each end of the connection
must mirror the other. For example, even something as seemingly inconsequential as a different
timeout value or a different key lifetime can prevent a connection.
Do the Protocols Match? If you are trying to gain remote access to a server, ensure that it supports
the protocol you’re attempting to use. For example, if the router hasn’t been configured to support
SSH and you use the default settings in PuTTY which call for SSH, you won’t be able to connect. Also,
some admins change the default port numbers, so you may expect to use port 22 with SSH, but the
admin may have configured it to use a non-standard port.
Check for Human Error: Mistakes by users and administrators are also a common source of trouble. Check that the correct usernames and passwords are being used, and that you and the admin on the other end of the connection are using the same network addresses and matching subnet masks.
Often, by using the above steps, you can solve the problem. If that doesn’t do it, then proceed to
more advanced show and debug commands to isolate the problem.
• The show commands help monitor installation behaviour and normal network
behaviour, as well as isolate problem areas.
• The debug commands assist in the isolation of protocol and configuration problems.
• The ping commands help determine connectivity between devices on your network.
• The trace commands provide a method of determining the route by which packets
reach their destination from one device to another.
• show interfaces—Use the show interfaces exec command to display statistics for all
interfaces configured on the router or access server. The resulting output varies,
depending on the network for which an interface has been configured.
Some of the more frequently used show interfaces commands include the following:
Some of the most frequently used show controllers commands include the following:
To access and list the privileged exec commands, complete the following tasks:
Step 1 Enter the privileged exec mode:
Router> enable
Password: XXXXXX
Router#
Step 2 List the privileged exec commands:
Router# debug ?
Exercise care when using debug commands. Many debug commands are processor
intensive and can cause serious network problems (such as degraded performance
or loss of connectivity) if they are enabled on an already heavily loaded router.
When you finish using a debug command, remember to disable it with its specific no
debug command (or use the no debug all command to turn off all debugging).
Use debug commands to isolate problems, not to monitor normal network
operation. Because the high processor overhead of debug commands can disrupt
router operation, you should use them only when you are looking for specific types
of traffic or problems and have narrowed your problems to a likely subset of causes.
Output formats vary with each debug command. Some generate a single line of
output per packet, and others generate multiple lines of output per packet. Some
generate large amounts of output, and others generate only occasional output.
Some generate lines of text, and others generate information in field format.
To minimize the negative impact of using debug commands, follow this procedure:
Step 1 Use the no logging console global configuration command on your router.
This command disables all logging to the console terminal.
Step 2 Connect to a router port over SSH (or Telnet, if SSH is not configured; note that Telnet sends the enable password in clear text) and enter the enable exec command. The enable exec command places the router in privileged exec mode. After entering the enable password, you receive a prompt consisting of the router name followed by a # symbol.
Step 3 Use the terminal monitor command to copy debug command output and
system error messages to your current terminal display.
By redirecting output to your current terminal display, you can view debug
command output remotely, without being connected through the console
port.
If you use debug commands at the console port, character-by-character
processor interrupts are generated, maximizing the processor load already
caused by using debug.
If you intend to keep the output of the debug command, spool the output to a file.
Student Handbook – Security Analyst SSC/N0903
UNIT V
Configuring IDS
Lesson Plan
5.1 Cisco IOS Firewall IDS feature
5.2 Cisco IOS Firewall IDS Signature List
5.3 Cisco IOS Firewall IDS Configuration Task List
5.4 Configuring Snort
LESSON PLAN

Outcomes
PC1. identify information security devices (IDS) you are required to install/configure/troubleshoot and source relevant instructions and guidelines
PC4. install/configure information security devices (IDS) as per instructions and guidelines
PC5. test installed/configured information security devices (IDS), following instructions and guidelines
PC6. resolve problems with information security devices (IDS), following instructions and guidelines
PC7. obtain advice and guidance on installing / configuring / testing information security devices (IDS) from appropriate people, where required
PC8. record the installation / configuration / testing of information security devices (IDS) promptly using standard templates and tools
PC10. comply with your organization's policies, standards, procedures, guidelines and service level agreements (SLAs) when installing / configuring information security devices (IDS)

You need to know and understand:
KA1. your organization's policies, procedures, standards, guidelines and client specific service level agreements for installing, configuring information security devices (IDS)
KA2. limits of your role and responsibilities and who to seek guidance from where required
KA3. your organization's systems, procedures and tasks/checklists relevant to your work and how to use these
KA4. the importance of following manufacturer's installation guides and procedures and how to access and apply these to install information security devices (IDS)
KA5. who to involve when installing, configuring information security devices (IDS)
KA6. methods and techniques used when working with others
KA7. the importance of recording issues when

Performance Measures
The learners must demonstrate all on given work tasks

Ensuring Measures
KA1-KA3. QA session and a descriptive write-up on security understanding.
KA4, KA7. Group presentation and peer evaluation along with faculty.
KA5, KA6. Presentation of best practices document by peer group to the faculty and loading the same into different sites.
KA8. Presentation of the customized templates by peer groups and

Work Environment / Lab Requirement
KA1 to KA13:
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Networking Equipment: Routers & Switches
Firewalls and Access Points
Access to all security sites like ISO, PCI DSS
Commercial Tools like HP WebInspect and IBM AppScan etc.
Open Source tools like sqlmap, Nessus etc.
Security Templates from ITIL
Lesson
The maximum incomplete sessions (modified via the ip inspect max-incomplete high and the ip inspect max-incomplete low commands)
After the incoming TCP session setup rate crosses the one-minute high water mark, the router resets the oldest half-open session; this is the default behaviour of the Cisco IOS Firewall, and Cisco IOS IDS cannot modify it. Thus, once the new-TCP-session rate has crossed the one-minute high water mark and a user attempts to open several new connections by sending SYN packets at the same time, each later SYN causes the router to reset the half-open session opened by the earlier SYN. Only the last SYN request survives.
Functional Description
The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets as they
traverse the router's interfaces and acting upon them in a definable fashion. When a packet, or a
number of packets in a session, match a signature, the Cisco IOS Firewall IDS may perform the
following configurable actions:
• Service providers that want to set up managed services, providing firewalling and intrusion
detection to their customers, all housed within the necessary function of a router.
In Cisco IOS Firewall IDS, signatures are categorized into four types:
• Info Atomic
• Info Compound
• Attack Atomic
• Attack Compound
An info signature detects information-gathering activity, such as a port sweep.
An attack signature detects attacks attempted into the protected network, such as denial-of-service
attempts or the execution of illegal commands during an FTP session.
Info and attack signatures can be either atomic or compound signatures. Atomic signatures can
detect patterns as simple as an attempt to access a specific port on a specific host. Compound
signatures can detect complex patterns, such as a sequence of operations distributed across multiple
hosts over an arbitrary period of time.
The intrusion-detection signatures included in the Cisco IOS Firewall were chosen from a broad
cross-section of intrusion-detection signatures as representative of the most common network
attacks and information-gathering scans that are not commonly found in an operational network.
The following signatures are listed in numerical order by their signature number in the Cisco Secure
IDS Network Security Database. After each signature's name is an indication of the type of signature
(info or attack, atomic or compound).
Atomic signatures marked with an asterisk (Atomic*) are allocated memory for session states by
CBAC.
1004 IP options-Loose Source Route (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 3 (Loose Source Route).
1005 IP options-SATNET ID (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 8
(SATNET stream identifier).
1006 IP options-Strict Source Route (Info, Atomic)
Triggers on receipt of an IP datagram in which the IP option list for the datagram includes
option 2 (Strict Source Routing).
1100 IP Fragment Attack (Attack, Atomic)
Triggers when any IP datagram is received with the "more fragments" flag set to 1 or if there is
an offset indicated in the offset field.
1101 Unknown IP Protocol (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field set to 101 or greater. These
protocol types are undefined or reserved and should not be used.
1102 Impossible IP Packet (Attack, Atomic)
This triggers when an IP packet arrives with source equal to destination address. This signature
will catch the so-called Land Attack.
2000 ICMP Echo Reply (Info, Atomic)
Triggers when a IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP)
and the "type" field in the ICMP header set to 0 (Echo Reply).
2001 ICMP Host Unreachable (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 3 (Host Unreachable).
2002 ICMP Source Quench (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 4 (Source Quench).
2003 ICMP Redirect (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 5 (Redirect).
2004 ICMP Echo Request (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 8 (Echo Request).
2005 ICMP Time Exceeded for a Datagram (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 11(Time Exceeded for a Datagram).
2006 ICMP Parameter Problem on Datagram (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 12 (Parameter Problem on Datagram).
2007 ICMP Timestamp Request (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 13 (Timestamp Request).
2008 ICMP Timestamp Reply (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 14 (Timestamp Reply).
2009 ICMP Information Request (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 15 (Information Request).
2010 ICMP Information Reply (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 16 (ICMP Information Reply).
2011 ICMP Address Mask Request (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 17 (Address Mask Request).
2012 ICMP Address Mask Reply (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 18 (Address Mask Reply).
2150 Fragmented ICMP Traffic (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP)
and either the more fragments flag is set to 1 (ICMP) or there is an offset indicated in the offset
field.
2151 Large ICMP Traffic (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP)
and the IP length is greater than 1024.
2154 Ping of Death Attack (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP),
the Last Fragment bit is set, and
( IP offset * 8 ) + (IP data length) > 65535
In other words, the IP offset (which represents the starting position of this fragment in the
original packet, and which is in 8-byte units) plus the rest of the packet is greater than the
maximum size for an IP packet.
3040 TCP - no bits set in flags (Attack, Atomic)
Triggers when a TCP packet is received with no bits set in the flags field.
3041 TCP - SYN and FIN bits set (Attack, Atomic)
Triggers when a TCP packet is received with both the SYN and FIN bits set in the flag field.
3042 TCP - FIN bit with no ACK bit in flags (Attack, Atomic)
Triggers when a TCP packet is received with the FIN bit set but with no ACK bit set in the flags
field.
3050 Half-open SYN Attack/SYN Flood (Attack, Compound)
Triggers when multiple TCP sessions have been improperly initiated on any of several well-
known service ports. Detection of this signature is currently limited to FTP, Telnet, HTTP, and e-
mail servers (TCP ports 21, 23, 80, and 25 respectively).
3100 Smail Attack (Attack, Compound)
Triggers on the very common "smail" attack against SMTP-compliant e-mail servers (frequently
sendmail).
3101 Sendmail Invalid Recipient (Attack, Compound)
Triggers on any mail message with a "pipe" (|) symbol in the recipient field.
3102 Sendmail Invalid Sender (Attack, Compound)
Triggers on any mail message with a "pipe" (|) symbol in the "From:" field.
3103 Sendmail Reconnaissance (Attack, Compound)
Triggers when "expn" or "vrfy" commands are issued to the SMTP port.
3104 Archaic Sendmail Attacks (Attack, Compound)
Triggers when "wiz" or "debug" commands are issued to the SMTP port.
3105 Sendmail Decode Alias (Attack, Compound)
Triggers on any mail message with ": decode@" in the header.
3106 Mail Spam (Attack, Compound)
Counts number of Rcpt to: lines in a single mail message and alarms after a user-definable
maximum has been exceeded (default is 250).
3107 Majordomo Execute Attack (Attack, Compound)
A bug in the Majordomo program will allow remote users to execute arbitrary commands at the
privilege level of the server.
3150 FTP Remote Command Execution (Attack, Compound)
Triggers when someone tries to execute the FTP SITE command.
3151 FTP SYST Command Attempt (Info, Compound)
Triggers when someone tries to execute the FTP SYST command.
3152 FTP CWD ~root (Attack, Compound)
Triggers when someone tries to execute the CWD ~root command.
3153 FTP Improper Address Specified (Attack, Atomic*)
Triggers if a port command is issued with an address that is not the same as the requesting host.
3154 FTP Improper Port Specified (Attack, Atomic*)
Triggers if a port command is issued with a data port specified that is less than 1024 or greater
than 65535.
4050 UDP Bomb (Attack, Atomic)
Triggers when the UDP length specified is less than the IP length specified.
4100 Tftp Passwd File (Attack, Compound)
Triggers on an attempt to access the passwd file (typically /etc/passwd) via TFTP.
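The atomic signatures above are single-packet header checks. The following Python is an added example, not code from the handbook or from Cisco, that applies the fragment-size formula and signatures 3040, 3041, 3042 and 4050 to constructed sample packets; the packet builders, the "fragment-overflow" label and the reading of "IP length" as the IP payload length are assumptions of this example.

```python
import struct

IP_MAX_LEN = 65535
PROTO_TCP, PROTO_UDP = 6, 17
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4(proto: int, payload: bytes, frag_offset: int = 0,
               more_frags: bool = False) -> bytes:
    """Build a minimal IPv4 packet (no options, checksum left zero) around payload."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_tcp(flags: int) -> bytes:
    """Minimal 20-byte TCP header carrying only the given flag bits."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 1024, 0, 0)


def build_udp(udp_len_field: int, data: bytes) -> bytes:
    """UDP header whose length field may deliberately disagree with the real size."""
    return struct.pack("!HHHH", 40000, 53, udp_len_field, 0) + data


def check_atomic_signatures(pkt: bytes) -> list:
    """Return the labels of the handbook's atomic signatures that one IPv4 packet matches."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, _, _ = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = flags_frag & 0x1FFF      # fragment offset, in 8-byte units
    ip_data_len = total_len - ihl          # the "IP data length" of the formula
    payload = pkt[ihl:total_len]
    hits = []

    # (IP offset * 8) + (IP data length) > 65535: the reassembled datagram
    # would exceed the maximum IP packet size.
    if frag_offset * 8 + ip_data_len > IP_MAX_LEN:
        hits.append("fragment-overflow")   # label assumed for this example

    # Only the first fragment (offset 0) carries the transport header, so the
    # TCP/UDP checks are skipped for every other fragment.
    if frag_offset != 0:
        return hits

    if proto == PROTO_TCP and len(payload) >= 20:
        flags = payload[13] & 0x3F         # FIN, SYN, RST, PSH, ACK, URG bits
        if flags == 0:
            hits.append("3040")            # TCP - no bits set in flags
        if flags & SYN and flags & FIN:
            hits.append("3041")            # TCP - SYN and FIN bits set
        if flags & FIN and not flags & ACK:
            hits.append("3042")            # TCP - FIN bit with no ACK bit
    elif proto == PROTO_UDP and len(payload) >= 8:
        udp_len = struct.unpack("!H", payload[4:6])[0]
        if udp_len < ip_data_len:          # UDP length less than the IP length
            hits.append("4050")            # UDP Bomb
    return hits


# Constructed sample packets for this example (not captures from the handbook).
SAMPLE_SYN_FIN = build_ipv4(PROTO_TCP, build_tcp(SYN | FIN))
SAMPLE_NULL = build_ipv4(PROTO_TCP, build_tcp(0))
SAMPLE_FIN_ONLY = build_ipv4(PROTO_TCP, build_tcp(FIN))
SAMPLE_NORMAL_SYN = build_ipv4(PROTO_TCP, build_tcp(SYN))
# Last fragment at offset 8190 (65520 bytes) with 28 data bytes: 65548 > 65535.
SAMPLE_OVERFLOW_FRAG = build_ipv4(PROTO_TCP, bytes(28), frag_offset=8190)
SAMPLE_UDP_BOMB = build_ipv4(PROTO_UDP, build_udp(8, bytes(12)))
SAMPLE_UDP_OK = build_ipv4(PROTO_UDP, build_udp(20, bytes(12)))

if __name__ == "__main__":
    for name, pkt in [("SYN+FIN", SAMPLE_SYN_FIN), ("null", SAMPLE_NULL),
                      ("FIN only", SAMPLE_FIN_ONLY), ("normal SYN", SAMPLE_NORMAL_SYN),
                      ("overflow fragment", SAMPLE_OVERFLOW_FRAG),
                      ("UDP bomb", SAMPLE_UDP_BOMB), ("UDP ok", SAMPLE_UDP_OK)]:
        print(f"{name:18s} -> {check_atomic_signatures(pkt)}")
```

A SYN+FIN packet also has FIN without ACK, so it matches both 3041 and 3042, which is how two atomic signatures can fire on the same packet.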
Step 1
Command: Router(config)# ip audit smtp spam recipients
Purpose: Sets the threshold beyond which spamming in e-mail messages is suspected. Here, recipients is the maximum number of recipients in an e-mail message. The default is 250.

Step 2
Command: Router(config)# ip audit po max-events number_events
Purpose: Sets the threshold beyond which queued events are dropped from the queue for sending to the Cisco Secure IDS Director. Here, number_events is the number of events in the event queue. The default is 100. Increasing this number may have an impact on memory and performance, as each event in the event queue requires 32 KB of memory.

Step 3
Command: Router(config)# exit
Purpose: Exits global configuration mode.
Step 1
Command: Router(config)# ip audit notify nr-director
or
Router(config)# ip audit notify log
Purpose: Sends event notifications (alarms) to either a Cisco Secure IDS Director, a syslog server, or both. For example, if you are sending alarms to a Cisco Secure IDS Director, use the nr-director keyword in the command syntax. If you are sending alarms to a syslog server, use the log keyword in the command syntax.

Step 2
Command: Router(config)# ip audit po local hostid host-id orgid org-id
Purpose: Sets the Post Office parameters for both the router (using the ip audit po local command) and the Cisco Secure IDS Director (using the ip audit po remote command). Here, host-id is a unique number between 1 and 65535 that identifies the router, and org-id is a unique number
After you have configured the router, add the Cisco IOS Firewall IDS router's Post Office information
to the /usr/nr/etc/hosts and /usr/nr/etc/routes files on the Cisco Secure IDS Sensors and Directors
communicating with the router. You can do this with the nrConfigure tool in Cisco Secure IDS. For
more information, refer to the NetRanger User Guide.
To configure and apply audit rules, use the following commands starting in global configuration
mode:
Step 1
Command: Router(config)# ip audit info {action [alarm] [drop] [reset]}
and
Router(config)# ip audit attack {action [alarm] [drop] [reset]}
Purpose: Sets the default actions for info and attack signatures. Both types of signatures can take any or all of the following actions: alarm, drop, and reset. The default action is alarm.

Step 2
Command: Router(config)# ip audit name audit-name {info | attack} [list standard-acl] [action [alarm] [drop] [reset]]
Purpose: Creates audit rules, where audit-name is a user-defined name for an audit rule. For example:
ip audit name audit-name info
ip audit name audit-name attack
The default action is alarm.
Note: Use the same name when you assign attack and info type signatures.
You can also use the ip audit name command to attach access control lists to an audit rule for filtering out sources of false alarms. In this case standard-acl is an integer representing an ACL. If you attach an ACL to an audit rule, the ACL must be defined as well:
ip audit name audit-name {info | attack} list acl-list
You can verify which interfaces have audit rules applied to them with the show ip audit
interface command (see Example 2).
Example 2 Output from show ip audit interface Command
ids2611# show ip audit interface
Interface Configuration
Interface Ethernet0
Inbound IDS audit rule is AUDIT.1
info actions alarm
attack actions alarm drop reset
Outgoing IDS audit rule is not set
Interface Ethernet1
Inbound IDS audit rule is AUDIT.1
info actions alarm
attack actions alarm drop reset
Outgoing IDS audit rule is not set
Command: Router# clear ip audit configuration
Purpose: Disables Cisco IOS Firewall IDS, removes all intrusion detection configuration entries, and releases dynamic resources.

Command: Router# clear ip audit statistics
Purpose: Resets statistics on packets analyzed and alarms sent.

Command: Router# show ip audit statistics
Purpose: Displays the number of packets audited and the number of alarms sent, among other information.
The following display provides sample output from the show ip audit statistics command:
Signature audit statistics [process switch:fast switch]
signature 2000 packets audited: [0:2]
signature 2001 packets audited: [9:9]
signature 2004 packets audited: [0:2]
signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never
In the following example, Cisco IOS Firewall IDS is initialized. Notice that the router is reporting to
two Directors. Also notice that the AUDIT.1 audit rule will apply both info and attack signatures.
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in
In the following example, an ACL is added to account for a Cisco Secure IDS Scanner (172.16.59.16)
that scans for all types of attacks. As a result, no packets originating from the device will be audited.
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in
The security administrator notices that the router is generating a lot of false positives for signatures
1234, 2345, and 3456. The system administrator knows that there is an application on the network
that is causing signature 1234 to fire, and it is not an application that should cause security concerns.
This signature can be disabled, as illustrated in the following example:
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in
After further investigation, the security administrator discovers that the false positives for signatures
2345 and 3456 are caused by specific applications on hosts 10.4.1.1 and 10.4.1.2, as well as by some
workstations using DHCP on the 172.16.58.0 subnetwork. Attaching an ACL that denies processing of
these hosts stops the creation of false positive alarms, as illustrated in the following example:
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in
The company has now reorganized and has placed only trusted people on the 172.16.57.0 network.
The work done by the employees on these networks must not be disrupted by Cisco IOS Firewall IDS,
so attack signatures in the AUDIT.1 audit rule now will only alarm on a match.
For sessions that originate from the outside network, any attack signature matches (other than the
false positive ones that are being filtered out) are to be dealt with in the following manner: send an
alarm, drop the packet, and reset the TCP session.
This dual-tier method of signature response is accomplished by configuring two different audit
specifications and applying each to a different Ethernet interface, as illustrated in the following
example:
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.2 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in
This network intrusion detection and prevention system works through traffic analysis and packet
logging on IP networks. Through protocol analysis, content searching, and various pre-processors,
Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious
behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass,
and a modular detection engine.
- sniffer mode: Snort reads the network traffic and prints it to the screen.
- packet logger mode: Snort records the network traffic to a file.
- IDS mode: network traffic matching security rules is recorded (the mode used in this tutorial).
Another tool is needed to display the logs generated by the Snort IDS and sent to the database.
This tool is BASE, the Basic Analysis and Security Engine. It is in fact a PHP script displaying alerts on a
web interface.
In order to install and configure Snort access the Snort Manual available at http://manual.snort.org/.
IDS/IPS
Suricata is a rule-based ID/PS engine that utilises externally developed rule sets to monitor network
traffic and provide alerts to the system administrator when suspicious events occur. Designed to be
compatible with existing network security components, Suricata features unified output
functionality and pluggable library options to accept calls from other applications.
The initial release of Suricata runs on a Linux 2.6 platform that supports inline and passive traffic
monitoring configuration capable of handling multiple gigabit traffic levels. Linux 2.4 is supported
with reduced configuration functionality, such as no inline option. Available under Version 2 of the
General Public License, Suricata eliminates the ID/PS engine cost concerns while providing a scalable
option for the most complex network security architectures.
Multi-threading
As a multi-threaded engine, Suricata offers increased speed and efficiency in network traffic analysis.
In addition to hardware acceleration (with hardware and network card limitations), the engine is
built to utilize the increased processing power offered by the latest multi-core CPU chip sets.
Suricata is developed for ease of implementation and accompanied by a step-by-step getting started
documentation and user manual.
By engaging the open source community and the leading ID/PS rule set resources available, OISF has
built the Suricata engine to simplify the process of maintaining optimum security levels. Through
strategic partnerships, OISF is leveraging the expertise of Emerging Threats
(www.emergingthreats.net) and other prominent resources in the industry to provide the most
current and comprehensive rule sets available. The HTP Library is an HTTP normalizer and parser
written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced
processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be
used independently in a range of applications and tools.
Configuring Suricata
Basic Setup
When using Debian or FreeBSD, make sure you enter all commands as root/super-user because for these
operating systems it is not possible to use 'sudo' without installing and configuring it first.
The next step is to copy classification.config, reference.config and suricata.yaml from the base
build/installation directory (ex. from git it will be the oisf directory) to the /etc/suricata directory. Do so by
entering the following:
Note: if you have experience with Snort or have an existing Snort setup, check out the Snort.conf to
Suricata.yaml guide.
Auto setup
You can also use the available auto setup features of Suricata:
ex:
The make install-conf option will do the regular "make install" and then automatically create/setup all the
necessary directories and suricata.yaml.
The make install-rules option will do the regular "make install" and it automatically downloads and sets up
the latest ruleset from Emerging Threats available for Suricata.
The make install-full option combines everything mentioned above (install-conf and install-rules) and will
present you with a ready-to-run (configured and set up) Suricata.
Setting variables
Make sure every variable of the vars, address-groups and port-groups in the yaml file is set correctly for
your needs. A full explanation is available in the Rule vars section of the yaml. You need to set the ip-
address(es) of your local network at HOME_NET. It is recommended to set EXTERNAL_NET to
!$HOME_NET. This way, every ip-address but the one set at HOME_NET will be treated as external. It is
also possible to set EXTERNAL_NET to 'any', only the recommended setting is more precise and lowers
the chance that false positives will be generated. HTTP_SERVERS, SMTP_SERVERS, SQL_SERVERS,
DNS_SERVERS and TELNET_SERVERS are by default set to HOME_NET. AIM_SERVERS is by default set to
'any'. These variables have to be set for the servers on your network. Set all of them so that the rules
match your network more accurately.
Next, make sure the following ports are set to your needs: HTTP_PORTS, SHELLCODE_PORTS,
ORACLE_PORTS and SSH_PORTS.
Finally, set the host-os-policy to your needs. See Host OS Policy in the yaml for a full explanation.
windows: []
bsd: []
bsd-right: []
old-linux: []
old-solaris: []
solaris: ["::1"]
hpux10: []
hpux11: []
irix: []
macos: []
vista: []
windows2k3: []
Note that bug #499 may prevent you from setting old-linux, bsd-right and old-solaris right now.
or just download and untar the ruleset in a directory of your choosing (or yaml config setting) from here:
http://rules.emergingthreats.net/open/suricata/
It is recommended to update your rules frequently. Emerging Threats is modified daily, VRT is updated
weekly or multiple times a week.
Interface cards
ifconfig
Now you can see which one you would like Suricata to use.
To start the engine and include the interface card of your preference, enter:
--init-errors-fatal: tests the rules for errors (very recommended).
Instead of wlan0, you can enter the interface card of your preference.
To see if the engine is working correctly and receives and inspects traffic, enter:
cd /var/log/suricata
Followed by:
tail http.log
And:
tail -n 50 stats.log
To make sure the information displayed is updated in real time, use the -f option before http.log and
stats.log:
Source: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup
Summary
The Cisco IOS Firewall IDS feature supports intrusion detection technology for midrange and
high-end router platforms with firewall support. It is ideal for any network perimeter, and
especially for locations in which a router is being deployed and additional security between
network segments is required. It also can protect intranet and extranet connections where
additional security is mandated, and branch-office sites connecting to the corporate office or
Internet.
The Cisco IOS Firewall IDS feature identifies 59 of the most common attacks using "signatures"
to detect patterns of misuse in network traffic. The intrusion-detection signatures included in
the Cisco IOS Firewall were chosen from a broad cross-section of intrusion-detection signatures.
The signatures represent severe breaches of security and the most common network attacks and
information-gathering scans.
In Cisco IOS Firewall IDS, signatures are categorized into four types:
o Info Atomic
o Info Compound
o Attack Atomic
o Attack Compound
The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets and
sessions as they flow through the router, scanning each to match any of the IDS signatures.
IDS monitors packets and sends alarms when suspicious activity is detected.
IDS logs the event through Cisco IOS syslog or the Cisco Secure Intrusion Detection System (Cisco
Secure IDS, formerly known as NetRanger) Post Office Protocol.
The network administrator can configure the IDS system to choose the appropriate response to
various threats.
When packets in a session match a signature, the IDS system can be configured to take these
actions:
o Send an alarm to a syslog server or a Cisco Secure IDS Director (centralized management
interface)
o Drop the packet
o Reset the TCP connection
Practical activities:
Activity 1:
List the various kinds of IDS products in the market and the various vendors for the same.
Compare the features, benefits and limitations of the various kinds of IDS products offered. Share
with your fellow students.
Activity 2:
Configure an IDS product or first job shadow someone who installs an IDS. List down the
various steps of the same, then configure it on your own.
UNIT VI
IPS Configuration
Lesson Plan
6.1 Understanding IPS Network Sensing
6.2 Overview of IPS Configuration
LESSON PLAN
Lesson
The command and control interface is always Ethernet. This interface has an assigned IP address,
which allows it to communicate with the manager workstation or network devices (Cisco switches,
routers, and firewalls). Because this interface is visible on the network, you should use encryption to
maintain data privacy. SSH is used to protect the CLI and TLS/SSL is used to protect the manager
workstation. SSH and TLS/SSL are enabled by default on the manager workstations.
When responding to attacks, the sensor can do the following:
Insert TCP resets via the sensing interface.
You should select the TCP reset action only on signatures associated with a TCP-based service. If
selected as an action on non-TCP-based services, no action is taken. Additionally, TCP resets are not
guaranteed to tear down an offending session because of limitations in the TCP protocol.
Make ACL changes on switches, routers, and firewalls that the sensor manages. ACLs may block
only future traffic, not current traffic.
Generate IP session logs, session replay, and trigger packets display.
IP session logs are used to gather information about unauthorized use. IP log files are written
when events occur that you have configured the appliance to look for.
Implement multiple packet drop actions to stop worms and viruses.
– You can configure the sensor to allow these alerts and then use Event Viewer to filter out
the false positives.
Filter the Informational alerts.
These low-priority event notifications could indicate that another device is doing
reconnaissance on a device protected by the IPS. Research the source IP addresses of these
Informational alerts to determine what the source is.
Analyse the remaining actionable alerts:
– Research the alert.
– Fix the attack source.
– Fix the destination host.
– Modify the IPS policy to provide more information.
Step 1. Install and connect the device to your network. Install the device software and
perform basic device configuration. Install the licenses required for all of the services running
on the device. The amount of initial configuration that you perform influences what you will
need to configure in Security Manager.
Follow the instructions in the Installing Cisco Intrusion Prevention System Appliances and
Modules document for the IPS version you are using.
Step 2. Add the device to the Security Manager device inventory. You can discover router
and Catalyst switch modules when adding the device in which the module is installed. For
ASA devices, you must add the service module separately.
Step 3. Configure the interfaces as described in Configuring Interfaces. You must enable
the interfaces connected to your network for the device to function.
For certain types of service module, there are additional policies to configure:
Router-hosted service modules—Configure the IPS Module interface settings policy on the router.
IDSM—Configure the IDSM Settings Catalyst platform policy.
IPS modules on ASA devices—Configure the Platform > Service Policy Rules > IPS, QoS,
and Connection Rules policy on the host ASA to specify the traffic that should be
inspected.
Step 4. Use the Virtual Sensors policy to assign interfaces to the virtual sensors, including
the base vs0 virtual sensor that exists for all IPS devices.
If the device supports it, and you have a need for it, you can also create user-defined virtual
sensors so that a single device acts like multiple sensors. Most of the IPS configuration is
done on the parent device, but you can configure unique settings per virtual sensor for
signatures, anomaly detection, and event actions.
Step 5. Configure basic device access platform policies. These policies determine who can
log into the device:
AAA —Configure this policy if you want to use a RADIUS server to control access to the
device. You can use AAA control in conjunction with local user accounts defined in the
User Accounts policy.
Allowed Hosts —The addresses of hosts who are allowed access. Ensure that the
Security Manager server is included as an allowed host, or you cannot configure the
device using Security Manager.
SNMP —Configure this policy if you want to use an SNMP application to manage the
device.
Password Requirements —You can define the acceptable characteristics of a user
password.
User Accounts —The user accounts defined on the device.
Step 6. Configure basic server access platform policies. These policies identify the servers
to which the device can connect:
External Product Interface —If you use Management Centre for Cisco Security Agents,
configure this policy to allow the sensor to download host postures from the application.
NTP —Configure this policy if you want to use a Network Time Protocol server to control
the device time.
DNS, HTTP Proxy —The DNS and HTTP Proxy policies are required only if you configure
global correlation. They identify a server that can resolve DNS names to IP addresses.
Use the HTTP Proxy policy if your network requires the use of a proxy to make Internet
connections; otherwise, use the DNS policy.
Step 7. Configure the Logging policy if you want non-default logging.
Step 8. Configure IPS signatures and event actions. Event action policies are easier to
configure than creating custom signatures, so try to use event action filters and overrides to
modify signature behaviour before trying to edit specific signatures.
Step 9. If you use any of the Request Block or Request Rate Limit event actions, configure
blocking or rate limiting hosts.
Step 10. Configure other desired advanced IPS services.
Step 11. Maintain the device:
Update and redeploy configurations as necessary.
Apply updated signature and engine packages.
Manage the device licenses. You can update and re-deploy licenses, or automate license
updates.
Manage the certificates required for SSL (HTTPS) communication. These certificates
expire, so you need to regenerate them approximately every 2 years.
Step 12. Monitor the device:
Use the Event Viewer application to view alerts generated from the device. You can open
Event Viewer from the Launch menu in Configuration Manager or Report Manager, or
from the Windows Start menu.
Use the Report Manager application to generate reports on IPS usage, including
comparisons of inline vs. promiscuous mode, and global correlation vs. traditional
inspection. You can also analyse top attackers, victims, signatures, blocked signatures,
and perform target analysis.
Configuring SNMP
SNMP is an application layer protocol that facilitates the exchange of management information
between network devices. SNMP enables network administrators to manage network performance,
find and solve network problems, and plan for network growth.
SNMP is a simple request/response protocol. The network-management system issues a request,
and managed devices return responses. This behaviour is implemented by using one of four protocol
operations: Get, GetNext, Set, and Trap.
You can configure the sensor for monitoring by SNMP. SNMP defines a standard way for network
management stations to monitor the health and status of many types of devices, including switches,
routers, and sensors.
You can configure the sensor to send SNMP traps. SNMP traps enable an agent to notify the
management station of significant events by way of an unsolicited SNMP message.
Trap-directed notification has the following advantage—if a manager is responsible for a large
number of devices, and each device has a large number of objects, it is impractical to poll or request
information from every object on every device. The solution is for each agent on the managed
device to notify the manager without solicitation. It does this by sending a message known as a trap
of the event.
After receiving the event, the manager displays it and can take an action based on the event. For
example, the manager can poll the agent directly, or poll other associated device agents to get a
better understanding of the event.
Trap-directed notification results in substantial savings of network and agent resources by
eliminating frivolous SNMP requests. However, it is not possible to totally eliminate SNMP polling.
SNMP requests are required for discovery and topology changes. In addition, a managed device
agent cannot send a trap if the device has had a catastrophic outage.
This procedure describes how to configure SNMP on an IPS sensor so that you can manage the
sensor with an SNMP management station, including the configuration of traps.
(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy
selector.
(Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select an
existing policy or create a new one.
Step 2 On the General Configuration tab, configure at least the following options.
Enable SNMP Gets/Sets —Select this option to enable the SNMP management workstation
to obtain (get) information, and to modify (set) values on the IPS sensor. If you do not enable this
option, the management workstation cannot manage this sensor.
Read-Only Community String —The community string required for read-only access to the
sensor. SNMP get requests from the management station must supply this string to get
responses from the sensor. This string gives access to all SNMP get requests.
Read-Write Community String —The community string required for read-write access to
the sensor. SNMP set requests from the management station must supply this string to get
responses from the sensor; it can also be used on get requests. This string gives access to all
SNMP get and set requests.
Step 3 If you want to configure SNMP traps, click the SNMP Trap Configuration tab and
configure at least the following options.
Enable Notifications —Select this option to allow the sensor to send SNMP traps.
Trap Destinations —Add the SNMP management stations that should be trap destinations.
Click the Add Row (+) button to add a new destination, or select a destination and click the Edit
Row (pencil) button to change its configuration.
When adding or editing a trap destination, the trap community string that you enter overrides
the default community string entered on the SNMP Trap Configuration tab. The community
string appears in the traps sent to this destination and is useful if you are receiving multiple
types of traps from multiple agents. For example, a router or sensor could be sending the traps,
and if you put something that identifies the router or sensor specifically in your community
string, you can filter the traps based on the community string.
To remove a destination, select it and click the Delete Row (trash can) button.
Step 4 If you configure trap destinations, you must also ensure that the desired alerts
include the Request SNMP Trap action. You have the following options for adding
this action:
(Easy way.) Create an event action override to add the Request SNMP Trap action to all
alerts of a specified risk rating (IPS > Event Actions > Event Action Overrides policy). For
example, you could generate traps for all alerts with a risk rating between 85-100. Event action
overrides let you add an action without individually editing each signature.
(Precise way.) Edit the Signatures policy (IPS > Signatures > Signatures) to add the Request
SNMP Trap action to the signatures for which you want to send trap notifications. Traps are sent
only for signatures that you configure to send traps.
If the signature has Default for the source, you have to change the source to the Local source
before you can change the action. However, if you right-click the Action cell in the signatures
table and select Edit Actions, then select Request SNMP Trap (along with any other desired
action) and click OK, the source is automatically changed to Local.
Student Handbook – Security Analyst SSC/N0903
Step 5 Add the SNMP management stations to the Allowed Hosts policy. The management
stations must be allowed hosts to access the sensor.
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy
selector. Select the General Configuration tab.
(Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select an
existing policy or create a new one. Select the General Configuration tab.
Field Reference
Enable SNMP Gets/Sets — Whether to enable the SNMP management workstation to obtain (get) information, and modify (set) values on the IPS sensor. If you do not enable this option, the management workstation cannot manage this sensor; the sensor will not respond to SNMP requests.
Read-Only Community String — The community string required for read-only access to the sensor. SNMP get requests from the management station must supply this string to get responses from the sensor. This string gives access to all SNMP get requests. Use the string to help identify the sensor.
Read-Write Community String — The community string required for read-write access to the sensor. SNMP set requests from the management station must supply this string to get responses from the sensor; it can also be used on get requests. This string gives access to all SNMP get and set requests. Use the string to help identify the sensor.
Sensor Contact — The network administrator or contact point who is responsible for this sensor.
Sensor Location — The physical location of the sensor, such as building address, name, and room number.
Sensor Agent Port — The port to use for SNMP get/set communication with the sensor. The default is 161. The valid range is 1 to 65535. Enter a port number or the name of a port list object, or click Select to select a port list object from a list or to create a new object. The port list object must identify a single port.
SNMP Agent Protocol — The protocol you are using for SNMP, either UDP (the default) or TCP. Select the protocol used by your SNMP management station.
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy
selector. Select the SNMP Trap Configuration tab.
(Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select an
existing policy or create a new one. Select the SNMP Trap Configuration tab.
Field Reference
Enable Notifications — Whether to enable the sensor to send trap notifications to the trap destinations whenever a specific type of event occurs in a sensor. If you do not select this option, the sensor does not send traps.
Tip: To have the sensor send SNMP traps, you must also select Request SNMP Trap as the event action when you configure signatures. Traps are sent only for signatures that you configure to send traps.
Error Filter — The type of events that will generate SNMP traps based on the severity of the event: fatal, error, or warning. Select all severities that you want; use Ctrl + click to select multiple values. The sensor sends notifications of events of the selected severities only.
Enable Detail Traps — Whether to include the full text of the alert in the trap. If you do not select this option, sparse mode is used. Sparse mode includes less than 484 bytes of text for the alert.
Default Trap Community String — The community string used for the traps if no specific string has been set for the trap destination in the Trap Destinations table.
Tip: All traps carry a community string. By default, all traps that have a community string identical to that of the destination are taken by the destination. All other traps are discarded by the destination. However, you can configure the destination to determine which trap strings to accept.
Trap Destinations table — The SNMP management stations that will be sent trap notifications. The table shows the IP address of the management station, the community string added to traps from this sensor, and the port to which traps are sent.
To add a destination, click the Add Row button and fill in the Add SNMP Trap Communication dialog box.
To edit a destination, select it, click the Edit Row button and make your changes.
To delete a destination, select it and click the Delete Row button.
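The following added example (not Cisco or Security Manager code) models the trap-side rules from Steps 3 and 4 and the table above: notifications enabled, the Error Filter severities, detail versus sparse traps, the Request SNMP Trap event action, the default community string with per-destination overrides, and a receiving station that discards traps whose community string it does not accept. The class, function names, trap dictionary layout and the 192.0.2.x sample addresses are assumptions.

```python
"""Trap dispatch and receive-side filtering for the SNMP Trap Configuration.

Added example, not Cisco or Security Manager code. The class, function names
and the trap dictionary layout are assumptions made for illustration.
"""
SPARSE_LIMIT = 484  # sparse mode carries fewer than 484 bytes of alert text


class TrapConfig:
    def __init__(self, enabled, error_filter, detail_traps, default_community, destinations):
        self.enabled = enabled                    # Enable Notifications
        self.error_filter = set(error_filter)     # Error Filter, e.g. {"fatal", "error"}
        self.detail_traps = detail_traps          # Enable Detail Traps
        self.default_community = default_community
        # Trap Destinations table rows: {"ip": str, "port": int, "community": str or None}
        self.destinations = destinations

    def build_traps(self, sensor, severity, alert_text, signature_actions):
        """Return the traps the sensor emits for one event, one per destination.

        signature_actions is the set of event actions configured on the firing
        signature; without "Request SNMP Trap" no trap is produced (Step 4).
        """
        if not self.enabled or severity not in self.error_filter:
            return []
        if "Request SNMP Trap" not in signature_actions:
            return []
        text = alert_text
        if not self.detail_traps:
            # Sparse mode: truncate the alert text to under 484 bytes.
            text = alert_text.encode("utf-8")[: SPARSE_LIMIT - 1].decode("utf-8", "ignore")
        traps = []
        for dest in self.destinations:
            # A destination-specific string overrides the default trap community string.
            community = dest.get("community") or self.default_community
            traps.append({
                "sensor": sensor,
                "to": (dest["ip"], dest["port"]),
                "community": community,
                "severity": severity,
                "text": text,
            })
        return traps


def receive(traps, station_ip, accepted_communities):
    """Management-station side: keep the traps addressed to this station whose
    community string is one the station accepts; all others are discarded."""
    return [t for t in traps
            if t["to"][0] == station_ip and t["community"] in accepted_communities]


def by_source(traps):
    """Group traps by community string: when each sender uses an identifying
    string, this is how an operator separates traps from several agents."""
    groups = {}
    for t in traps:
        groups.setdefault(t["community"], []).append(t)
    return groups


def example_config():
    """Constructed sample: two destinations, the second with its own community string."""
    return TrapConfig(
        enabled=True,
        error_filter={"fatal", "error"},
        detail_traps=False,
        default_community="ips-traps-default",
        destinations=[
            {"ip": "192.0.2.10", "port": 162, "community": None},
            {"ip": "192.0.2.11", "port": 162, "community": "sensor-edge1"},
        ],
    )


if __name__ == "__main__":
    cfg = example_config()
    for trap in cfg.build_traps("edge1", "error", "constructed alert text", {"Request SNMP Trap"}):
        print(trap["to"], trap["community"], trap["severity"])
```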
Navigation Path
Go to the IPS Platform > Device Admin > Device Access > SNMP policy, select the SNMP Trap
Configuration tab, and click the Add Row button beneath the Trap Destinations table, or select a
destination in the table and click the Edit Row button.
Field Reference
IP Address — The IP address of the SNMP management station that should receive trap notifications. Enter the IP address or the name of a network/host object, or click Select to select the object from a list or to create a new object. The network/host object must specify a single host IP address.
Trap Community String — The community string of the trap. If you do not enter a trap string, the default trap string defined on the SNMP Trap Communication tab is used for traps sent to this destination.
Trap Port — The port used by the SNMP management station to receive traps. Enter the port number or the name of a port list object, or click Select to select the object from a list or to create a new one. The port list object must identify a single port.
The following topics describe IPS user accounts, and Security Manager discovery and
deployment considerations, in more detail:
Operator —Users can view everything and they can modify the following options:
– Signature tuning (priority, disable or enable).
– Virtual sensor definition.
– Managed routers.
– Their user passwords.
Administrator —Users can view everything and they can modify all options that Operators can
modify in addition to the following:
– Sensor addressing configuration.
– List of hosts allowed to connect as configuration or viewing agents.
– Assignment of physical sensing interfaces.
– Enable or disable control of physical interfaces.
– Add and delete users and passwords.
– Generate new SSH host keys and server certificates.
Service —Only one user with service privileges can exist on a sensor. The service user cannot log
in to IDM or IME. The service user logs in to a bash shell rather than the CLI. The service role is a
special role that allows you to bypass the CLI if needed.
The purpose of the Service account is to provide Cisco Technical Support access to troubleshoot
unique and unusual problems. It is not needed for normal system configuration and
troubleshooting. You should carefully consider whether you want to create a service account.
The service account provides shell access to the system, which makes the system vulnerable.
However, you can use the service account to create a password if the administrator password is
lost. Analyse your situation to decide if you want a service account existing on the system.
– Locked —This state indicates that logins to the account have been disabled due to too
many failed authentication attempts. You should update the password for these accounts.
Deployment —You are warned if any deployed user accounts are in the Expired or Locked
state. Any unmanaged passwords are not deployed to the device. Also, keep in mind the
following points:
– If you make changes to any user account on the device, all user accounts with managed
passwords are reconfigured. If you also changed the Password Requirements policy, all
passwords are compared to the new policy and must meet the new requirements.
– If you change the password of the user account you defined in the device’s properties for
Security Manager to use when configuring the device, after successful deployment, Security
Manager updates the password in the device properties to the new password. You do not
need to manually update the password. To see device properties, select Tools > Device
Properties.
This behaviour assumes that you selected Security Manager Device Credentials for the
Connect to Device Using option on the Tools > Security Manager Administration > Device
Communication page. If you are using the logged-in users’ credentials for deployment, after
successful deployment, the overall deployment is marked as failed, and a message explains
how to re-establish connection.
– If you use out-of-band change detection, changes to passwords are not detected. However,
changes to usernames and roles are detected.
– When previewing configurations, you can see changes to the user accounts by selecting
IPS (Delta – User Passwords). However, passwords are masked.
– If you are rolling back configurations, the user accounts are never rolled back. The current
status and configuration of user accounts does not change.
The IPS sensor can accept public keys for RSA authentication when logging into the device
through an SSH client. Each user has an associated list of authorized keys. Users can use
these keys instead of passwords. Security Manager ignores these keys during discovery and
deployment. Thus, if keys are configured, Security Manager does not remove the
configuration.
Cisco IOS IPS devices use the same user accounts that are defined for the router. This
procedure does not apply to Cisco IOS IPS configurations.
If you change the password for the user defined in the device properties, which Security
Manager uses to deploy configurations to the device, Security Manager uses the existing
credentials defined in the device properties to log into the device and deploy changes. After
successful deployment, the device properties are then changed to use your new settings.
All password changes must meet the requirements of the Password Requirements policy. If you
change the requirements policy, all new user accounts, or edited accounts, are tested against the
new requirements. Although the passwords for existing unedited user accounts are not tested, they
too must meet the password requirements if you change any user account defined in this policy,
because Security Manager will deploy all of the accounts during the next configuration deployment.
Passwords are checked for conformity when you validate policies, which typically happens when you
submit changes to the database.
Add User and Edit User Credentials Dialog Boxes
Use the Add User or Edit User Credentials dialog boxes to add or edit IPS device user accounts.
Table 4: Add or Edit User Dialog Box
Navigation Path
From the IPS platform User Accounts policy, click the Add Row (+) button to create a new account, or
select an existing account and click the Edit Row (pencil) button.
Field Reference
User Name — The username for the account. The name can be 1 to 64 characters, including uppercase and lowercase letters and numbers, plus the special characters () + :, _ / - ] + $. You cannot change the username when editing an account.
Password, Confirm — The password for this user account. Enter the password in both fields. The password must conform to the Password Requirements policy for IPS devices;
Role — The role for this user. For an explanation of these roles
When editing a user account, you cannot select the Service role. When editing an account assigned to the Service role, you cannot change the role.
Use the IPS platform Password Requirements policy to configure the rules for passwords for local IPS
device user accounts. All user-created sensor passwords must conform to the requirements defined
in this policy. You can configure password requirements for sensors running IPS software version 6.0
or higher.
The requirements you define here determine what is considered an acceptable password in the User
Accounts policy. If you change this policy, it can be applied even to unchanged user accounts.
(Device view) Select Platform > Device Admin > Device Access > Password
Requirements from the Policy selector.
(Policy view) Select IPS > Platform > Device Admin > Password Requirements from the
Policy Type selector, then select an existing policy or create a new one.
The following table explains the password requirement options that you can configure.
Attempt Limit — How many times a user is allowed to try to log into the device before you lock the user account due to excessive failed attempts. The default is 0, which indicates unlimited authentication attempts. For security purposes, you should change this number.
Size Range — The minimum and maximum size allowed for user passwords; separate the minimum and maximum with a hyphen. The range is 6 to 64 characters; the default is 8-64.
Tip: If you configure non-zero values for any of the minimum characters options, the minimum size you enter in the Size Range field must be equal to or greater than the sum of those values. For example, you cannot set a minimum password size of eight and also require that passwords must contain at least five lowercase and five uppercase characters.
Minimum Digit Characters — The minimum number of numeric digits that must be in a password.
Minimum Uppercase Characters — The minimum number of uppercase alphabet characters that must be in a password.
Minimum Lowercase Characters — The minimum number of lowercase alphabet characters that must be in a password.
Minimum Other Characters — The minimum number of non-alphanumeric printable characters that must be in a password.
Number of Historical Passwords — The number of historical passwords that you want the sensor to remember for each account. Any attempt to change the password of an account fails if the new password matches any of the remembered passwords. If you specify 0, no previous passwords are remembered.
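The following added example (not Cisco code) turns the Password Requirements fields into a checker: it flags a policy whose Size Range minimum is below the sum of the per-class minimums (the Tip above) or whose Attempt Limit is left at the unlimited default 0, and it tests a candidate password against the size range, the per-class minimums and the remembered historical passwords. The class and function names and the sample passwords are assumptions.

```python
"""Checker for the IPS Password Requirements policy fields.

Added example, not Cisco code. Field names mirror the policy table; the
class, function names and sample values are assumptions.
"""
from dataclasses import dataclass


@dataclass
class PasswordRequirements:
    size_range: str = "8-64"        # Size Range "min-max"; allowed range 6 to 64
    min_digits: int = 0             # Minimum Digit Characters
    min_uppercase: int = 0          # Minimum Uppercase Characters
    min_lowercase: int = 0          # Minimum Lowercase Characters
    min_other: int = 0              # Minimum Other (non-alphanumeric printable) Characters
    historical_passwords: int = 0   # Number of Historical Passwords; 0 = none remembered
    attempt_limit: int = 0          # Attempt Limit; 0 = unlimited authentication attempts

    def size_bounds(self):
        lo, hi = (int(x) for x in self.size_range.split("-"))
        return lo, hi

    def policy_issues(self):
        """Return reasons this policy is inconsistent or weak (empty if none)."""
        issues = []
        lo, hi = self.size_bounds()
        if not (6 <= lo <= hi <= 64):
            issues.append("Size Range must lie within 6-64 with minimum <= maximum")
        class_sum = self.min_digits + self.min_uppercase + self.min_lowercase + self.min_other
        if class_sum > lo:
            # The Tip: minimum size must be at least the sum of the per-class minimums.
            issues.append(f"minimum size {lo} is below the sum of per-class minimums ({class_sum})")
        if self.attempt_limit == 0:
            issues.append("Attempt Limit 0 allows unlimited authentication attempts")
        return issues


def password_errors(policy, candidate, history=()):
    """Return the requirements the candidate password violates (empty if it conforms).

    history holds the account's previous passwords, newest first; only the most
    recent policy.historical_passwords entries are remembered by the sensor.
    """
    errors = []
    lo, hi = policy.size_bounds()
    if not (lo <= len(candidate) <= hi):
        errors.append(f"length {len(candidate)} outside {lo}-{hi}")
    counts = {
        "digit": sum(c.isdigit() for c in candidate),
        "uppercase": sum(c.isupper() for c in candidate),
        "lowercase": sum(c.islower() for c in candidate),
        "other": sum((not c.isalnum()) and c.isprintable() for c in candidate),
    }
    needed = {
        "digit": policy.min_digits,
        "uppercase": policy.min_uppercase,
        "lowercase": policy.min_lowercase,
        "other": policy.min_other,
    }
    for cls, minimum in needed.items():
        if counts[cls] < minimum:
            errors.append(f"needs at least {minimum} {cls} character(s), has {counts[cls]}")
    remembered = list(history)[: policy.historical_passwords]
    if candidate in remembered:
        errors.append("matches one of the remembered historical passwords")
    return errors


if __name__ == "__main__":
    # Constructed sample policy and passwords.
    policy = PasswordRequirements(min_digits=1, min_uppercase=1, min_lowercase=1,
                                  min_other=1, historical_passwords=3, attempt_limit=5)
    print("policy issues:", policy.policy_issues())
    print("Sens0r-Pass:", password_errors(policy, "Sens0r-Pass"))
    print("short:", password_errors(policy, "short"))
```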
Use the AAA policy to configure AAA access control for your IPS devices. The device must use IPS
Software release 7.0(4) to configure AAA.
You can configure the IPS device to use a RADIUS AAA server to authenticate user access to the
device. By configuring AAA, you can reduce the number of local users defined on the device and take
advantage of your existing RADIUS setup. If you configure a AAA server, you can configure the device
to allow local user accounts as a Fallback mechanism if the RADIUS servers are unavailable.
When configuring AAA, you identify the RADIUS server using a AAA server policy object. You can
create the object while configuring the policy, or you can create it in the Policy Object Manager.
When you configure the AAA server object, you must adhere to the following restrictions:
Host —You must specify the IP address; you cannot use a DNS name.
Timeout —If you enter a timeout value, it must be from 1 to 512 seconds. The generic AAA
server object allows higher numbers, but IPS has a more limited timeout range. The default is 3.
Protocol —RADIUS is the only supported protocol.
Key — You must specify the shared secret key that is defined on the RADIUS server.
Although this field is optional for a generic AAA server object, IPS requires a key.
Port —Ensure that the RADIUS Authentication/Authorization port is correct. Note that the
default port in the AAA server object is different from the IPS default, which is 1812. You will
need to change the port if you want to use the IPS default.
You must ensure that the user account configured in the device properties exists in the RADIUS
server or as a local user account, depending on the authorization method that you use. If you switch
between local and AAA modes, or change AAA servers, you must ensure that the account is defined
in whatever user account database you are using. If you are using AAA with local Fallback, the
account should be defined in all databases. This account must exist, with the same password defined
in the Security Manager device properties for the device, or deployment to the device will fail. The
user account used for discovery and deployment must have administrator privileges.
User role configuration is very important. If you do not assign a role to the user, either through the
default user role or in the RADIUS server, the sensor prevents user login even if the RADIUS server
accepted the username and password.
To assign roles specifically to users on the RADIUS server, you configure the Accept Message for
those accounts as either ips-role=administrator, ips-role=operator, ips-role=viewer, or ips-
role=service. You configure the Accept Message individually for each user account. An example of a
Reply attribute for a given user could be configured to return “Hello <user> your ips-role=operator.”
If you configure a service account in the RADIUS server, you must also configure an identical service
account locally on the device. For service accounts, both the RADIUS and Local accounts are checked
during login.
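The following added example (not Cisco code) implements the role rules described above for a RADIUS-authenticated login: the role is read from an ips-role= token in the Accept Message, the sensor's default user role is the fallback, a login with no role at all is refused even though RADIUS accepted the credentials, and a service role additionally requires an identical local service account. The function names, the local-accounts mapping and the sample usernames are assumptions.

```python
"""Role resolution for a RADIUS-authenticated IPS user.

Added example, not Cisco code. Function names and the local_accounts mapping
(standing in for the sensor's User Accounts policy) are assumptions.
"""
import re

VALID_ROLES = {"administrator", "operator", "viewer", "service"}
ROLE_RE = re.compile(r"\bips-role=([A-Za-z]+)")


def role_from_reply(reply_message):
    """Extract the ips-role value from a Reply attribute such as
    'Hello alice your ips-role=operator.'; None when absent or not a known role."""
    if reply_message is None:
        return None
    match = ROLE_RE.search(reply_message)
    if not match:
        return None
    role = match.group(1).lower()
    return role if role in VALID_ROLES else None


def resolve_login(username, radius_accepted, reply_message, default_role=None, local_accounts=None):
    """Return ("allow", role) or ("deny", reason) for one login attempt.

    local_accounts maps username -> local role; only the service role consults it.
    """
    local_accounts = local_accounts or {}
    if not radius_accepted:
        return ("deny", "RADIUS rejected the credentials")
    role = role_from_reply(reply_message) or default_role
    if role is None:
        # Credentials were accepted but no role was assigned: the sensor refuses the login.
        return ("deny", "no ips-role in the Accept Message and no default user role")
    if role == "service" and local_accounts.get(username) != "service":
        # Service accounts are checked against both RADIUS and the local database.
        return ("deny", "service role requires an identical local service account")
    return ("allow", role)


if __name__ == "__main__":
    # Constructed sample logins.
    print(resolve_login("alice", True, "Hello alice your ips-role=operator."))
    print(resolve_login("bob", True, "Hello bob"))
    print(resolve_login("bob", True, "Hello bob", default_role="viewer"))
    print(resolve_login("svc", True, "ips-role=service", local_accounts={"svc": "service"}))
```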
(Device view) Select Platform > Device Admin > Server Access > NTP from the Policy
selector.
(Policy view) Select IPS > Platform > Device Admin > Server Access > NTP, then select an
existing policy or create a new one.
Step 2 In the NTP Server IP Address field, enter the IP address of the NTP server. You can also enter
the name of a network/host object that identifies the single host address of the server, or
click Select to select the object from a list or to create a new one.
Step 3 If the NTP server does not require authentication, deselect the Authenticated NTP checkbox.
The key and key ID are configured on the NTP server; you must obtain them from the NTP server
configuration.
(Device view) Select Platform > Device Admin > Server Access > DNS from the Policy
selector.
(Policy view) Select IPS > Platform > Device Admin > Server Access > DNS, then select
an existing policy or create a new one.
Step 2 Specify the IP addresses of up to three DNS servers in the Primary, Secondary, and
Tertiary Address fields. The sensor uses the servers in the order listed; if one server does not
respond, the next server is contacted.
You can enter an IP address or the name of a network/host object that contains a server address.
Click Select to select a network/host object from a list or to create a new one. The network/host
object must specify a single host address.
communicate with the IPS. At most two Management Centre for Cisco Security Agents servers can
be configured per IPS device.
Management Centre for Cisco Security Agents is no longer an active product. Configure this policy
only if you are still using that application. For more information, see About CSA MC in Installing and
Using Cisco Intrusion Prevention System Device Manager
6.0 and http://www.cisco.com/en/US/products/sw/cscowork/ps5212/index.html.
Management Centre for Cisco Security Agents enforces a security policy on network hosts. It has two
components:
Agents that reside on and protect network hosts.
A management console, which is an application that manages agents. It downloads security
policy updates to agents and uploads operational information from agents.
(Device view) Select Platform > Device Admin > Server Access > External Product Interface
from the Policy selector.
(Policy view) Select IPS > Platform > Device Admin > Server Access > External Product
Interface, then select an existing policy or create a new one.
To add a server, click the Add Row (+) button. This opens the External Product Interface dialog box.
Enter the information required to identify the server and configure the posture ACLs.
To edit a server, select it and click the Edit Row (pencil) button and make the required
changes in the External Product Interface dialog box.
To delete a server, select it and click the Delete Row (trash can) button.
Navigation Path
From the External Product Interface IPS platform policy, click Add Row or select an entry and
click Edit Row.
Field Reference
External Product’s IP Address — The IP address, or the network/host policy object that contains the address, of the external product. Enter the IP address or object name, or click Select to select an object from a list or to create a new one.
Interface Type — Identifies the physical interface type, which is always Extended SDEE.
Enable receipt of information — Whether information is allowed to be passed from the external product to the sensor.
SDEE URL — The URL on the CSA MC the IPS uses to retrieve information using SDEE communication. You must configure the URL based on the software version of the CSA MC that the IPS is communicating with as follows:
For CSA MC version 5.0—/csamc50/sdee-server.
For CSA MC version 5.1—/csamc51/sdee-server.
For CSA MC version 5.2 and higher—/csamc/sdee-server (the default value).
Port — The port, or the port list object that identifies the port, being used for communications. Enter the port or port list name, or click Select to select the object from a list or to create a new object.
User name, Password — A username and password that can log into the external product.
Enable receipt of host postures — Whether to allow the receipt of host posture information from CSA MC. The host posture information received from a CSA MC is deleted if you disable this option.
Allow unreachable hosts’ postures — Whether to allow the receipt of host posture information for hosts that are not reachable by the CSA MC. A host is not reachable if the CSA MC cannot establish a connection with the host on any IP addresses in the host’s posture. This option is useful in filtering the postures whose IP addresses may not be visible to the IPS sensor or that might be duplicated across the network. This filter is most applicable in network topologies where hosts that are not reachable by the CSA MC are also not reachable by the IPS, for example if the IPS and CSA MC are on the same network segment.
Posture ACL table — Posture ACLs are network addresses for which host postures are allowed or denied. Use posture ACLs to filter postures that have IP addresses that might not be visible to the IPS or that might be duplicated across the network.
To add a posture ACL, click the Add Row (+) button. This opens the Add Posture ACL dialog box. For information on configuring the Posture ACL, see Posture ACL Dialog Box.
To edit a posture ACL, select it and click the Edit Row (pencil) button.
To delete a posture ACL, select it and click the Delete Row (trash can) button.
To change the priority of an ACL, select it and click the Up or Down button. ACLs are processed in order, and the action associated with the first match is applied.
Enable receipt of watch listed addresses — Whether to allow the receipt of the watch list information from CSA MC. The watch list information received from a CSA MC is deleted if you disable this option.
Manual Watch List RR increase — The percentage of the manual watch list risk rating (RR). The default is 25, and the valid range is 0 to 35.
Session-based Watch List RR Increase — The percentage of the session-based watch list risk rating. The default is 25, and the valid range is 0 to 35.
Packet-based Watch List RR Increase — The percentage of the packet-based watch list risk rating. The default is 10, and the valid range is 0 to 35.
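The following added example (not Cisco code) shows the two posture filters from the table above working together: an ordered posture ACL evaluated first-match, so that moving a row Up or Down changes the outcome, and the unreachable-hosts option. The row layout, function names, the default action when no row matches, the all-addresses rule for multi-address postures and the 10.0.0.0/16 sample ranges are assumptions.

```python
"""First-match posture ACL evaluation and the unreachable-hosts filter.

Added example, not Cisco code. A posture ACL is an ordered list of
(network, action) rows; a host posture is {"addresses": [...], "reachable": bool}.
The default action when no row matches and the rule that every address of a
posture must be allowed are assumptions made for illustration.
"""
import ipaddress


def build_posture_acl(rows):
    """rows: iterable of (cidr_or_ip, 'allow' | 'deny') in priority order (top first)."""
    acl = []
    for spec, action in rows:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        acl.append((ipaddress.ip_network(spec, strict=False), action))
    return acl


def posture_action(acl, address, default="allow"):
    """Return the action of the first ACL row that matches address (first match wins)."""
    ip = ipaddress.ip_address(address)
    for network, action in acl:
        if ip in network:
            return action
    return default


def accept_posture(acl, posture, allow_unreachable=False):
    """Decide whether the sensor keeps a host posture received from CSA MC.

    An unreachable host's posture is dropped unless "Allow unreachable hosts'
    postures" is set; a kept posture must have every address allowed by the ACL.
    """
    if not posture["reachable"] and not allow_unreachable:
        return False
    return all(posture_action(acl, a) == "allow" for a in posture["addresses"])


if __name__ == "__main__":
    # Constructed sample: deny one duplicated subnet, allow the rest of the site range.
    acl = build_posture_acl([("10.0.5.0/24", "deny"), ("10.0.0.0/16", "allow")])
    print(accept_posture(acl, {"addresses": ["10.0.9.7"], "reachable": True}))
    print(accept_posture(acl, {"addresses": ["10.0.5.7"], "reachable": True}))
```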
Navigation Path
From the External Product Interface dialog box, click the Add Row (+) button underneath the
Posture ACL table, or select a posture ACL and click the Edit Row (pencil) button.
Navigation Path
(Device view) Select Platform > Logging from the Policy selector.
(Policy view) Select IPS > Platform > Logging, then select an existing policy or create a new one.
Field Reference
Element Description
Summary
Sensors are network devices that perform real-time monitoring of network traffic for suspicious
activities and active network attacks. The IPS sensor analyses network packets and flows to
determine whether their contents appear to indicate an attack against your network.
They do this by looking for anomalies and misuse on the basis of network flow validation, an
extensive embedded signature library, and anomaly detection engines. However, these
platforms differ in how they can respond to perceived intrusions.
The sensor can operate in either promiscuous or inline mode. The following illustration shows
how you can deploy a combination of sensors operating in both inline (IPS) and promiscuous
(IDS) modes to protect your network.
When responding to attacks, the sensor can do the following:
o Insert TCP resets via the sensing interface.
o You should select the TCP reset action only on signatures associated with a TCP-
based service. If selected as an action on non-TCP-based services, no action is taken.
Additionally, TCP resets are not guaranteed to tear down an offending session
because of limitations in the TCP protocol.
o Make ACL changes on switches, routers, and firewalls that the sensor manages. ACLs
may block only future traffic, not current traffic.
o Generate IP session logs, session replay, and trigger packets display.
o IP session logs are used to gather information about unauthorized use. IP log files
are written when events occur that you have configured the appliance to look for.
o Implement multiple packet drop actions to stop worms and viruses.
You should always position the IPS sensor behind a perimeter-filtering device, such as a firewall
or adaptive security appliance. The perimeter device filters traffic to match your security policy,
thus allowing acceptable traffic into your network. Correct placement significantly reduces the
number of alerts, which increases the amount of actionable data you can use to investigate
security violations.
Tuning the IPS ensures that the alerts you see reflect true actionable information. Without
tuning the IPS, it is difficult to do security research or forensics on your network because you will
have thousands of benign events, also known as false positives.
There are a wide variety of devices on which you can configure the Intrusion Prevention System.
From a configuration point-of-view, you can separate the devices into two groups: dedicated
appliances and service modules (for routers, switches, and ASA devices) that run the full IPS
software; and IPS-enabled routers
Practical activities:
Activity 1:
List the various vulnerabilities in any organisation and various activities to check those
vulnerabilities.
Activity 2:
Conduct an audit of your surroundings, of things such as cleanliness, safety and security,
hygiene, etc. Share your report in class, detailing the approach and the various aspects of
auditing.
a. ________________________________________
b. ________________________________________
c. ________________________________________
c. Previous security incidents are not important in a security audit, the auditors are only
concerned about what the situation is at the present time of the audit. ( )
d. Information Security Audit is carried out by an audit team which usually has a representative
from the team which has been involved in the development of the IT configuration to be
audited. ( )
e. A key purpose of the Audit team is to correct and modify practices followed in the
organisation while conducting the audit so as to make the system less vulnerable. ( )
f. AAR is another term used for the audit, it stands for After Attack Responsibility. ( )
g. IS Auditing Standards developed by Information Systems Audit and Control Association
(ISACA) is already in circulation.
NOTES:
UNIT VII
Anti-virus and Antispam Software
Lesson Plan
7.1 Antivirus Software
7.2 Antispam Software
LESSON PLAN
Lesson
Most antivirus programs include both automatic and manual scanning capabilities.
The automatic scan may check files that are downloaded from the Internet, discs that are inserted
into the computer, and files that are created by software installers. The automatic scan may also
scan the entire hard drive on a regular basis.
The manual scan option allows you to scan individual files or your entire system whenever you feel it
is necessary.
Since new viruses are constantly being written, antivirus programs must keep an updated database of
virus types. This database holds "virus definitions" (signatures: file hashes and byte patterns that
are characteristic of known malware) that the antivirus software references when scanning files.
Because a signature-based scanner can only recognise what is in its database, it is important to keep
your software's virus database up to date. Fortunately, most antivirus programs update the virus
database automatically on a regular basis.
While antivirus software is primarily designed to protect computers against viruses, many antivirus
programs now protect against other types of malware, such as spyware, adware, and rootkits as
well. Antivirus software may also be bundled with firewall features, which helps prevent
unauthorized access to your computer. Utilities that include both antivirus and firewall capabilities
are typically branded "Internet Security" software or something similar.
While antivirus programs are available for Windows, Macintosh, and Unix platforms, most antivirus
software is sold for Windows systems. This is because most viruses are targeted towards Windows
computers and therefore virus protection is especially important for Windows users. If you are a
Windows user, it is smart to have at least one antivirus program installed on your computer.
Examples of common antivirus programs include Norton Antivirus, Kaspersky Anti-Virus, and
ZoneAlarm Antivirus.
The most important thing to remember about virus protection is that no system is infallible. No
matter how good your anti-virus (AV) software is, and how stringent your security processes are,
there is still the chance that a completely new virus will enter your organization and disrupt
operations. Of course, completely isolating your systems from the Internet and removing them from
external e-mail will greatly minimize your exposure; however, in today's digital economy that is no
longer a practical option.
Organizations now recognize the importance of providing dedicated virus protection for their e-mail
systems.
The earlier assumption was that any virus carried by an e-mail would simply enter the network as an
attachment, which could be detected either at the Internet SMTP gateway or by the end-user desktop
AV scanner. However, over the past few years e-mail systems have evolved significantly from simple
message distribution to providing collaborative stores, Web-based user interfaces, and access from
wireless devices, so message content now enters and leaves through paths that neither the gateway
scanner nor the desktop scanner necessarily sees.
In order to properly select, configure, and maintain virus protection solutions, your organization
must clearly define what levels of protection and countermeasures it needs. This necessitates
specifying the types of data that will be permitted, what content should be filtered or barred, who is
responsible for each aspect of the implementation, how communications with end-users will take
place, and what actions to take in the event of virus outbreaks and hoax alerts.
Always keep your operating system, Web browser, e-mail, and application programs up-to-date.
Periodically review the security sections of your key software vendors and subscribe to any
applicable electronic newsletters to notify you of any new security vulnerabilities and fixes.
Subscribe to an e-mail alert service that issues warnings of new virus threats
Many different organizations provide this service, but the most important one will be your anti-virus
vendor. The reason is that due to differences in each AV vendor's capabilities, new viruses will be
rated differently and the action necessary will vary. For instance, one vendor may have already
provided generic virus detection in a past update that provides protection against a new virus and so
they would rate a particular virus as a low threat for their customers. However, other vendors who
may not be able to provide immediate protection would rate the same virus alert as a "high" risk.
must also adequately protect the whole PC that the user is using - whether they are using a local
copy of an e-mail application or a remotely-hosted thin client e-mail front-end.
The following is a list of recommended steps that organizations can take to protect end users.
Figure 3: Changing Outlook Express Preview pane settings from the View, Layout menu
Don't pass along virus warnings from others unless you have verified that it is applicable to your
organization
Due to the large number of viruses and hoaxes, unnecessary time and e-mail traffic can be wasted
by people forwarding virus warnings that may not be legitimate. Before passing along warnings to
others, first check your virus protection vendor's Web site to determine if your systems are already
protected or if it is just a hoax.
The following is a list of recommendations that organizations should follow to secure their e-mail
servers.
Antivirus software has options, some of which may not be enabled by default. It is recommended to
enable them all:
• Enable heuristics options if they are user-configurable (if several levels are offered, use
Maximum).
• Enable scanning within compressed files and archives wherever the option exists.
• If possible, remove the error-prone human element by having infected files auto-quarantined (or
auto-deleted) upon detection. Prefer quarantine over deletion: a false positive can be restored from
quarantine, but not from deletion.
• Configure the virus-definition updates to run daily or more often, if the schedule is under your
control.
• Set up a daily scan of all hard-drive data, to catch files that slipped in before the antivirus
software recognized them as a threat.
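The following is an added example, not code from the handbook or from any antivirus vendor. It shows in miniature what the paragraphs above describe: a definitions database holding whole-file hashes and byte patterns, a scan that descends into zip archives, and automatic quarantine (rather than deletion) of anything that matches. The signatures, sample files and quarantine layout are all constructed for the example; a real product would additionally ship the EICAR test-file signature so that administrators can confirm a scan really runs.

```python
import hashlib
import shutil
import tempfile
import zipfile
from pathlib import Path

# "Virus definitions" for this example.  Real databases hold many thousands of
# entries; the two kinds shown (whole-file hash, byte pattern) are the classic forms.
# Both entries are constructed for the example and match nothing real.
_CONSTRUCTED_SAMPLE = b"constructed sample binary 0xC0FFEE"
DEFINITIONS = {
    "hashes": {hashlib.sha256(_CONSTRUCTED_SAMPLE).hexdigest(): "Example.Constructed.Hash"},
    "patterns": {b"CONSTRUCTED-SAMPLE-SIGNATURE-0001": "Example.Constructed.A"},
}
MAX_ARCHIVE_MEMBERS = 1000            # guard: archives with enormous member counts
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # guard: decompression bombs


def match_bytes(data, definitions=DEFINITIONS):
    """Return the name of the definition matching `data`, or None."""
    name = definitions["hashes"].get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, pname in definitions["patterns"].items():
        if pattern in data:
            return pname
    return None


def scan_file(path, definitions=DEFINITIONS):
    """Scan one file, and the members of a zip archive.  Returns [(shown_path, name), ...]."""
    path = Path(path)
    hits = []
    name = match_bytes(path.read_bytes(), definitions)
    if name:
        hits.append((str(path), name))
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist()[:MAX_ARCHIVE_MEMBERS]:
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                mname = match_bytes(zf.read(info), definitions)
                if mname:
                    hits.append((f"{path}!{info.filename}", mname))
    return hits


def scan_tree(root, quarantine_dir, definitions=DEFINITIONS, auto_quarantine=True):
    """Scan every regular file under `root`, moving matches into `quarantine_dir`.

    Quarantine rather than delete: a false positive can be restored from quarantine.
    `quarantine_dir` must lie outside `root`, or the scanner would rescan its own output.
    """
    root, quarantine_dir = Path(root), Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    results = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        hits = scan_file(path, definitions)
        if not hits:
            continue
        action = "reported"
        if auto_quarantine:
            dest = quarantine_dir / "__".join(path.relative_to(root).parts)
            shutil.move(str(path), str(dest))
            action = "quarantined"
        results.extend({"path": shown, "signature": name, "action": action}
                       for shown, name in hits)
    return results


def run_demo():
    """Build a constructed sample tree in a temp directory, scan it, report the outcome."""
    base = Path(tempfile.mkdtemp())
    docs, quarantine = base / "docs", base / "quarantine"
    docs.mkdir()
    (docs / "clean.txt").write_bytes(b"quarterly report, nothing to see here")
    (docs / "dropper.bin").write_bytes(b"\x90\x90CONSTRUCTED-SAMPLE-SIGNATURE-0001\x90")
    (docs / "known.bin").write_bytes(_CONSTRUCTED_SAMPLE)
    with zipfile.ZipFile(docs / "invoice.zip", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "harmless text")
        zf.writestr("invoice.exe", b"MZ....CONSTRUCTED-SAMPLE-SIGNATURE-0001....")
    results = scan_tree(docs, quarantine)
    return {"results": results,
            "remaining": sorted(p.name for p in docs.iterdir()),
            "quarantined": sorted(p.name for p in quarantine.iterdir())}


if __name__ == "__main__":
    for r in run_demo()["results"]:
        print(f"{r['action']:<12}{r['signature']:<26}{r['path']}")
```

Run it directly to see the scan report for the constructed tree. Note the two guards on archive handling (a member-count limit and a member-size limit): an unbounded archive scan is itself a denial-of-service vector, which is why "scan inside archives" is an option vendors let you tune rather than an unconditional default.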
Email spam is the electronic version of junk mail. It involves sending unwanted messages, often
unsolicited advertising, to a large number of recipients. Spam is a serious security concern as it
can be used to deliver Trojan horses, viruses, worms, spyware, and targeted phishing attacks.
What to Do
• Install spam filtering/blocking software.
• If you suspect an email is spam, do not respond; just delete it.
• Consider disabling the email client's preview pane and reading emails in plain text.
• Reject all instant messages from persons who are not on your buddy list.
• Do not click on URL links within IM unless they come from a known source and are expected.
• Keep software and security patches up to date.
When your service is activated, all types of spam are typically filtered at a uniform level of
aggressiveness. One group of users, however, might have its own idea about what constitutes spam,
or how aggressively to filter it. A travel agency might have a zero-tolerance policy for adult content,
for example, but want to receive special offers, such as “trips to Hawaii.” Another group might want
to change its spam disposition, by changing how its spam is quarantined, or not quarantining it at all.
Filtering aggressiveness affects how the protection service handles messages that may or may not be
spam. More aggressive spam filter levels will quarantine messages that are borderline cases. This will
cause more spam to be caught, but may increase false positives. More lenient spam filters will allow
borderline messages through, which reduces false positives but potentially lets more spam through.
For each of your organisations, you can adjust the overall aggressiveness of filtering, filter specific
categories of spam more aggressively, and choose a spam disposition. Some of these settings are
made at the organisation level, and some for a Default User. You can also adjust individual user’s
filtering, or allow users to do this themselves at the Message Centre.
Organisation level: Enable Blatant Spam Blocking for users in the organisation, and choose a spam
disposition (the method of disposing of filtered spam, for example by changing how it is
quarantined, or by not quarantining it at all). Configure Null Sender Disposition to dispose of
messages that do not contain an SMTP-envelope sender address. If your service is provisioned with
Outbound Services, you also have the option to turn on Null Sender Header Tag Validation.
Default User: Define user-level spam settings that will apply to new users added to the
organisation. This includes enabling spam filtering in the first place, adjusting how aggressively
to filter spam, and filtering specific spam categories even more aggressively. Making these settings
for a Default User is how you apply a single filtering policy across an organisation.
Specific User: You can modify user-level spam settings for an individual user as well, but this is
not recommended if you want to maintain consistent spam filtering policies across an organisation.
Message Centre: You can optionally allow users to modify their own filter levels by granting them
appropriate User Access permissions to the Message Centre.
If Blatant Spam Blocking is enabled for the user’s organisation, the user’s most obvious spam is
bounced or blackholed (deleted), before it reaches your email servers. This eliminates more than
half of users’ spam, so neither you nor they ever have to deal with it.
Each user (and Default User) has a Bulk Email filter that sets a base level of aggressiveness for
filtering the remaining spam, which is typically sent to a separate Quarantine for review.
Each user (and Default User) can also optionally adjust four additional Category filters to filter
spam containing particular content even more aggressively (sexually explicit content, special
commercial offers, racially insensitive material, or get-rich-quick schemes).
Null Sender Disposition lets you choose how to dispose of messages that do not include an
SMTP-envelope sender address. These types of messages are usually Non-Delivery Reports
(NDRs). When the system receives an inbound message, it checks for the SMTP-envelope sender
address. If there is no sender address, the message is disposed of according to the Null Sender
Disposition settings.
Null Sender Header Tag Validation is the process by which the system examines each inbound
message for the presence of an SMTP-envelope sender address and for the message security
service’s digital signature. If your message security service has been provisioned with Outbound
Services and you have them configured for your mail server, then the system tags the Received
field on outbound messages with a digital signature. When this filter is on and the system
receives an inbound message, it checks for the SMTP-envelope sender address and for the digital
signature. If there is no sender address and the message doesn’t have the system signature,
then the message is disposed of according to the Null Sender Disposition settings. If the system
signature is present, then the message bypasses this filter, and is evaluated by the others.
Spam category filters are applied after all other filtering, including Content Manager filters, and any
applicable Approved Senders list (the user’s own list, or one defined for the organisation). Blatant
Spam Blocking occurs before most filters, but doesn’t block messages from approved senders. That
means:
Specifically, a Bulk Email filter sets a base level for filtering all types of spam, and individual category
filters can be adjusted to filter a specific category of spam even more aggressively. The Bulk Email
filter and category filters work independently of each other, but parameters from all filters
collectively provide the final spam score, which can categorize the message as spam. A category
filter thus multiplies the Bulk Email level and increases the number of messages that get identified as
spam.
You can see a message’s spam score, whether or not it’s tagged as spam, by looking at the message
header.
As we make adjustments, you might notice slight variances in catch rates for certain spam
categories. Or you might see an increase in falsely quarantined messages. If this happens, you might
want to increase or decrease your own spam filter levels accordingly: Increase sensitivity to catch
more spam, or decrease levels to prevent false quarantines.
If the objectionable content is limited to a few words and the other content does not score as spam,
then the message would not trigger the spam filters. To stop these types of messages, you can
create content filters that look for exactly the offending language you wish to prohibit.
You will enable spam filtering and set filter levels for the default user (the template use for an
organisation).
Specifically, BSB calculates the message’s spam score. If the score is below 0.00001 (a perfectly valid
message has a score of 100), the message is overwhelmingly deemed spam, and blocked.
Blatant Spam Blocking applies to all users in an organisation, but works only for users whose Filter
Status is On.
The Reports page has statistics regarding how many messages are caught by Blatant Spam Blocking.
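As an added example (not the message security service's own code), here is a small model of the filter order described above: approved senders bypass filtering, Blatant Spam Blocking applies the 0.00001 threshold before the other filters, the Bulk Email level sets the cutoff below which a message is spam, and each category filter multiplies that cutoff for mail in its category. The header name, the numeric cutoff for each level and the keyword category detectors are assumptions made for the example; the text says only that the score is written in the header, that a perfectly valid message scores 100 and that lower scores are spammier.

```python
from dataclasses import dataclass, field
from email import message_from_string

# The text says the score is "written in the header" but does not name the field,
# so this header name is an assumption made for the example.
SCORE_HEADER = "X-Spam-Score-Example"
BSB_THRESHOLD = 0.00001   # from the text: below this a message is blatant spam
VALID_SCORE = 100.0       # a perfectly valid message scores 100; lower is spammier

# Bulk Email filter level -> cutoff: a score below the cutoff is spam.  The numbers
# are constructed; what matters is that a more aggressive level has a higher cutoff,
# so it catches more borderline mail and also quarantines more legitimate mail.
BULK_LEVELS = {"lenient": 10.0, "moderate": 30.0, "aggressive": 60.0}

# Constructed keyword lists standing in for the four category detectors.
CATEGORY_KEYWORDS = {
    "sexually_explicit": ("xxx", "adult content"),
    "commercial_offers": ("special offer", "trips to hawaii"),
    "racially_insensitive": ("slur-placeholder",),
    "get_rich_quick": ("get rich", "guaranteed returns"),
}


@dataclass
class UserSettings:
    filter_status: bool = True                      # spam filtering on/off for this user
    bsb_enabled: bool = True                        # Blatant Spam Blocking (organisation level)
    bulk_level: str = "moderate"                    # Bulk Email filter aggressiveness
    category_multipliers: dict = field(default_factory=dict)  # category -> factor >= 1
    approved_senders: set = field(default_factory=set)


@dataclass
class Verdict:
    stage: str       # which filter decided: bsb, approved_sender, bulk, category:<name>, clean
    is_spam: bool
    score: float
    cutoff: float


def parse_message(raw):
    """Pull the score, sender and searchable text out of a raw RFC 822 message."""
    msg = message_from_string(raw)
    value = msg.get(SCORE_HEADER)
    score = float(value) if value is not None else VALID_SCORE
    sender = (msg.get("From") or "").strip().lower()
    text = ((msg.get("Subject") or "") + "\n" + msg.get_payload()).lower()
    return score, sender, text


def detect_categories(text):
    return {c for c, words in CATEGORY_KEYWORDS.items() if any(w in text for w in words)}


def evaluate(raw, settings):
    """Apply the filters in the order the text describes and return a Verdict."""
    score, sender, text = parse_message(raw)
    if not settings.filter_status:
        return Verdict("filter_off", False, score, 0.0)
    # Approved senders bypass spam filtering, including Blatant Spam Blocking.
    if sender in settings.approved_senders:
        return Verdict("approved_sender", False, score, 0.0)
    # Blatant Spam Blocking runs before the other filters.
    if settings.bsb_enabled and score < BSB_THRESHOLD:
        return Verdict("bsb", True, score, BSB_THRESHOLD)
    cutoff = BULK_LEVELS[settings.bulk_level]
    if score < cutoff:
        return Verdict("bulk", True, score, cutoff)
    # Category filters run last; each multiplies the bulk cutoff for mail in its category.
    for cat in sorted(detect_categories(text)):
        cat_cutoff = min(cutoff * settings.category_multipliers.get(cat, 1.0), VALID_SCORE)
        if score < cat_cutoff:
            return Verdict("category:" + cat, True, score, cat_cutoff)
    return Verdict("clean", False, score, cutoff)


# Constructed sample messages (header values chosen to exercise each filter).
BLATANT = f"From: spam@example.net\nSubject: cheap pills\n{SCORE_HEADER}: 0.0000001\n\nbuy now\n"
BORDERLINE = f"From: news@example.org\nSubject: weekly digest\n{SCORE_HEADER}: 25\n\nthis week's links\n"
OFFER = f"From: deals@example.com\nSubject: Special offer: trips to Hawaii\n{SCORE_HEADER}: 45\n\nbook today\n"


def run_demo():
    """Return the deciding stage for each sample under a few user settings."""
    default = UserSettings()
    # The travel agency from the text: wants offers, zero tolerance for adult content.
    travel_agency = UserSettings(category_multipliers={"commercial_offers": 1.0,
                                                       "sexually_explicit": 3.0})
    strict = UserSettings(category_multipliers={"commercial_offers": 2.0})
    lenient = UserSettings(bulk_level="lenient")
    allowlisted = UserSettings(approved_senders={"spam@example.net"})
    return {
        "blatant/default": evaluate(BLATANT, default).stage,
        "blatant/allowlisted": evaluate(BLATANT, allowlisted).stage,
        "borderline/default": evaluate(BORDERLINE, default).stage,
        "borderline/lenient": evaluate(BORDERLINE, lenient).stage,
        "offer/travel_agency": evaluate(OFFER, travel_agency).stage,
        "offer/strict": evaluate(OFFER, strict).stage,
    }


if __name__ == "__main__":
    for case, stage in run_demo().items():
        print(f"{case:<22} -> {stage}")
```

The borderline message (score 25) is the false-positive trade-off in one line: quarantined at the moderate level, delivered at the lenient one. The offer message shows why category multipliers exist: with the travel agency's settings it is delivered, while a user who filters commercial offers at twice the bulk level has it quarantined by the category filter even though the bulk filter passed it.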
Note: Depending on your service package, Blatant Spam Blocking might always be set to a Blackhole
disposition.
1. Enable Blatant Spam Blocking for the organisation, with either the Bounce or Blackhole
Disposition.
3. For the organisation’s Default User (and any existing users), make sure the Filter Status is On
(go to Spam Filters on the user’s Overview page).
All obvious spam will be eliminated without reaching the data centre or your server. Any remaining
spam detected by the filters is tagged with a spam score written in the header, and then delivered
to users.
Ignore: Let the message bypass this filter. Other filters still apply.
User Quarantine: Send the message to the recipient’s quarantine.
Blackhole: Delete the message.
Bounce: Return the message to the sender.
You can enter text to serve as the bounce message. If you enter text, it must begin with 4 or 5,
followed by two digits, a space, and your text. This structure follows the format of SMTP reply codes.
For example: 554 Transaction failed.
Note: In order to deliver valid messages that do not include an SMTP-envelope sender address, like
voicemail or vacation responders, use Content Manager to create a custom filter.
Null Sender Header Tag Validation is the process by which the system examines NDRs for the
presence of an SMTP-envelope sender address and for the message security service’s digital
signature.
While this filter is an aspect of spam filtering, it runs at the very beginning of the message filtering
process to immediately dispose of messages like invalid NDRs.
Whether or not you have configured Outbound Services for your mail server, we recommend that
you turn this filter on. When the filter is on and it catches a message, the system looks ahead to
Content Manager to see whether it is configured to let messages bypass the junk filters and allow
valid email that does not have an SMTP-envelope sender address. Under these circumstances, you
can let valid messages pass through to their recipients’ inboxes.
If this filter is off, then the system does not look ahead to Content Manager and you do not have the
option to let valid null-sender-address messages pass through to their recipients’ inboxes.
Use the following options to turn Null Sender Header Tag Validation on or off, and to set the length
of time during which the system can accept the digital signature:
On/Off: Select On or Off to turn Null Sender Header Tag Validation on or off.
On: Any message that does not include an SMTP-envelope sender address, but does include the
message security service’s digital signature bypasses this filter. All other messages that do not
include an SMTP-envelope sender address are disposed of according to your Null Sender Disposition
settings, and according to how Content Manager is configured.
Off: Any message without an SMTP-envelope sender address is disposed of according to your Null
Sender Disposition settings.
Validate reports up to ___ hours after message delivery: Enter the number of hours that the
digital signature is considered valid. After that number of hours, the signature expires, and
messages with an expired signature are treated the same as messages with no signature.
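The exchange between outbound tagging and inbound Null Sender Header Tag Validation, as an added example that is not part of the service's documentation. The tag format, the HMAC-based signature and the shared secret are assumptions; the text says only that outbound messages carry the service's digital signature in the Received field and that the signature expires after a configurable number of hours. The bounce-text check implements the 4xx/5xx reply-code format described above for the Bounce disposition.

```python
import hashlib
import hmac
import re
import time
from email import message_from_string

# The text says outbound mail carries the service's digital signature in the Received
# field but does not describe it, so the tag format and shared secret below are
# assumptions for this example.
TAG_SECRET = b"constructed-outbound-tagging-secret"
TAG_RE = re.compile(r"\(example-tag ts=(\d+) sig=([0-9a-f]{64})\)")
BOUNCE_TEXT_RE = re.compile(r"^[45]\d{2} \S.*")   # e.g. "554 Transaction failed."
DISPOSITIONS = ("ignore", "user_quarantine", "blackhole", "bounce")


def _tag_mac(ts, message_id):
    # Bind the tag to the original Message-ID so it cannot be lifted onto another message.
    return hmac.new(TAG_SECRET, f"{ts}|{message_id}".encode(), hashlib.sha256).hexdigest()


def tag_received(received_value, message_id, now=None):
    """Outbound side: append a timestamped signature to a Received header value."""
    ts = int(now if now is not None else time.time())
    return f"{received_value} (example-tag ts={ts} sig={_tag_mac(ts, message_id)})"


def tag_is_valid(msg, validate_hours, now=None):
    """Inbound side: True if some Received header carries a genuine, unexpired tag."""
    now = now if now is not None else time.time()
    message_id = (msg.get("Message-ID") or "").strip()
    for value in msg.get_all("Received", []):
        m = TAG_RE.search(value)
        if not m:
            continue
        ts, sig = int(m.group(1)), m.group(2)
        fresh = 0 <= now - ts <= validate_hours * 3600
        if fresh and hmac.compare_digest(_tag_mac(ts, message_id), sig):
            return True
    return False


def null_sender_decision(envelope_sender, raw_message, disposition, tag_validation_on=True,
                         validate_hours=24, content_manager_allows_null=False, now=None):
    """First step of inbound filtering.  Returns "other_filters" (continue through the
    normal filters), "deliver" (Content Manager passed a valid null-sender message), or
    the configured Null Sender Disposition."""
    if disposition not in DISPOSITIONS:
        raise ValueError(f"unknown disposition {disposition!r}")
    if envelope_sender:                          # MAIL FROM was not <>: not a null sender
        return "other_filters"
    if tag_validation_on:
        if tag_is_valid(message_from_string(raw_message), validate_hours, now):
            return "other_filters"               # genuine NDR for our own outbound mail
        if content_manager_allows_null:          # the look-ahead only happens when on
            return "deliver"
    return disposition


def bounce_text_is_valid(text):
    """Bounce text must begin with a 4xx or 5xx SMTP reply code, a space, then the text."""
    return bool(BOUNCE_TEXT_RE.match(text))


# Constructed NDR: a bounce quoting the Received line and Message-ID of our original.
ORIGINAL_ID = "<20151201.1234@mail.example.com>"
SENT_AT = 1449000000                             # fixed clock for the outbound tagging


def ndr_with_received(received_value):
    return (f"Received: {received_value}\nMessage-ID: {ORIGINAL_ID}\n"
            "Subject: Undeliverable\n\nDelivery has failed.\n")


def run_demo():
    hop = "from mail.example.com by out.example.net"
    good = ndr_with_received(tag_received(hop, ORIGINAL_ID, now=SENT_AT))
    lifted = good.replace(ORIGINAL_ID, "<other@mail.example.com>")   # tag reused elsewhere
    untagged = ndr_with_received(hop)
    return {
        "signed_fresh": null_sender_decision("", good, "blackhole", now=SENT_AT + 3600),
        "signed_expired": null_sender_decision("", good, "blackhole", now=SENT_AT + 48 * 3600),
        "lifted": null_sender_decision("", lifted, "user_quarantine", now=SENT_AT + 60),
        "untagged": null_sender_decision("", untagged, "bounce", now=SENT_AT + 60),
        "untagged_cm_allows": null_sender_decision("", untagged, "bounce",
                                                   content_manager_allows_null=True),
        "validation_off": null_sender_decision("", good, "blackhole", tag_validation_on=False),
        "normal_sender": null_sender_decision("alice@example.org", untagged, "blackhole"),
    }
```

Two design points carry over to any real deployment of this idea: the signature must be bound to the message (here through the Message-ID) or an attacker can copy one genuine tag onto arbitrary backscatter, and the expiry window must be checked against the tag's own timestamp, since an NDR for mail you never sent will otherwise be accepted for as long as the secret lives.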
User Quarantine: Filtered spam for each user in the organisation is sent to a separate User
Quarantine. Administrators can manage this Quarantine from the user’s Overview page.
If Quarantine Summary is also enabled for the organisation (under Notifications), each user receives
a periodic summary of recently quarantined messages. If User Access is enabled for the organisation,
as well, users can manage their own quarantined messages in the Message Centre.
Quarantine Redirect: Delivers all users’ filtered spam to a single administrator’s Quarantine—
the one associated with the address entered here. Enter the primary address (not an alias) of a
user who has been added to the message security service, has administrative privileges for this
organisation, and is located under the same email config as this organisation.
Select this option if you don’t want to sort quarantined spam by user, and if you don’t want users to
manage their own spam. The administrator must review and deliver all users’ legitimate messages
from the shared Quarantine—either from the administrator’s User Quarantine in the Administration
Console or from the administrator’s Message Centre. (The Administration Console can display 5,000
messages at once, Message Centre can display an unlimited number of messages, and Message
Centre Classic can display 500 messages.)
If Quarantine Summary is enabled for the organisation (under Notifications), this administrator
receives a periodic summary of recently quarantined messages for the entire organisation. If you
choose this disposition, make sure to disable User Access permissions to the Message Centre for all
users in the organisation.
WARNING: The administrator’s Quarantine should be checked regularly to forward any legitimate
messages that were accidentally quarantined.
Message Header Tagging: Sends filtered spam for this organisation to your email server with a
spam score written in the header. The message can then be processed at a dedicated location on
your server or on each user's email client. No spam messages are filtered. For this disposition to
be effective, you must set up rules on the receiving email server for processing spam based on
its spam score.
WARNING: With this disposition, all spam for users in this organisation is delivered to your email
server intact, along with “good” traffic. This is an advanced setting for administrators who want to
create their own rules for filtering spam, or who don’t want to filter spam beyond what is caught by
Blatant Spam Blocking. This setting is not otherwise recommended.
Summary
An information security audit is one of the best ways to determine the security of an
organization's information without incurring the cost and other associated damages of a security
incident.
Information systems audit is a large, broad term that encompasses demarcation of
responsibilities, server and equipment management, problem and incident management,
network division, safety, security and privacy assurance etc.
Information security audit is only focused on security of data and information (electronic and
print) when it is in the process of storage and transmission. Both audits have many overlapping
areas.
Security audits are a formal process, carried out by certified auditing professionals to measure
an information system's performance against a list of criteria.
A vulnerability assessment, on the other hand, involves a comprehensive study of an entire
information system, seeking potential security weaknesses, usually carried out by industry
experts who may or may not be certified.
A good security audit may likely include the following:
o Clearly defined objectives
o Coverage is comprehensive and cross-cutting
o Audit team is experienced, independent and objective with verifiable credentials
o There is unrestricted right to obtain and view information.
o Important IS audit meetings such as the opening and the closing meetings as well as the
interviews should be conducted as a team.
o No member of the team should have participated directly in supporting or managing the
areas to be audited
o It should be ensured that actual operations in the organisation are not significantly
disrupted by the audit.
o The auditors never actively intervene in systems or provide change advice.
o Management should support the audit.
o Appropriate communication and appointment of central point of contact and other
support for the auditors.
o The execution is planned and carried out in a phase wise manner
Constraints of a security audit
o Time constraints
o Third party access constraints
o Business operations continuity constraints
o Scope of audit engagement
o Technology tools constraints
Practical activities:
Activity 1:
List the various kinds of IPS products in the market and the various vendors for the same.
Compare the features, benefits and limitations of various kind of IPS products offered. Share
with your fellow students.
Activity 2:
Configure an IDS product, or first job-shadow someone who installs an IPS. List the steps
involved, then configure it on your own.
UNIT VIII
Web Application Security
Configuration
Lesson Plan
8.1 Web Application Security Overview
8.2 Configuring Cisco Web Application Security Module
8.3 Configuring ModSecurity
Lesson
Web application security is highly configurable, and can protect against the following kinds
of application attacks:
• identity theft
• buffer overflow
• form exploitation
• cookie exploitation
• noncompliant HTTP
1. Use the Traffic Class Maps command to define traffic class maps to classify web application
traffic according to various parameters such as hostname, URL, cookie name and value, and so on. A
traffic map specifies a set of traffic to which you want to apply a security policy.
2. Define web application security feature maps that configure security features. To define feature
maps, select the individual features (URL Normalization, Cookie Protection, ID Theft Protection,
Request Limits, Error/Redirect Pages, Web Cloaking, URL Tagging, Input Validation Checks, HTTP
Protocol Conformance) under the Web Application Security folder.
3. Use the Policy Maps command to define policy maps that associate a traffic class with a set of
security functions. A policy map defines a series of actions (functions) that you want to apply to a set
of classified traffic.
4. Use the System Utilities Service Policy command to choose the active policy map.
5. Use the System Utilities Commit Config command to commit the configuration.
6. If you have a cluster of application appliance nodes, use the System Utilities Publish
Configuration command to publish the configuration to all nodes in the cluster.
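An added example (not Cisco's code) showing the structure of steps 1 to 3 in working form: traffic class maps select requests by hostname, URL prefix or cookie name; feature maps implement a few of the named features (Request Limits, Cookie Protection, HTTP Protocol Conformance, Input Validation Checks); and a policy map binds classes to feature maps. The cookie-signing scheme, the limits and the forbidden input patterns are assumptions made for the example, as is the rule that the first matching class wins.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

# Assumption: the product's cookie-protection method is not described in the text, so
# this example signs cookie values with an HMAC under a constructed key.
COOKIE_KEY = b"constructed-cookie-signing-key"


def sign_cookie(value):
    return value + "." + hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()


def verify_cookie(signed):
    value, _, tag = signed.rpartition(".")
    expected = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return bool(value) and hmac.compare_digest(expected, tag)


@dataclass
class Request:
    method: str
    host: str
    url: str                                  # path and query from the request line
    cookies: dict = field(default_factory=dict)


@dataclass
class TrafficClassMap:
    """Step 1: select traffic by hostname, URL prefix and/or cookie name (all given must match)."""
    name: str
    host: str = None
    url_prefix: str = None
    cookie_name: str = None

    def matches(self, req):
        return ((self.host is None or req.host.lower() == self.host)
                and (self.url_prefix is None or urlsplit(req.url).path.startswith(self.url_prefix))
                and (self.cookie_name is None or self.cookie_name in req.cookies))


@dataclass
class FeatureMap:
    """Step 2: the checks applied to a class.  Limits and patterns are constructed values."""
    name: str
    max_url_length: int = 2048                        # Request Limits
    allowed_methods: tuple = ("GET", "HEAD", "POST")  # HTTP Protocol Conformance
    protected_cookies: tuple = ()                     # Cookie Protection
    forbidden_fragments: tuple = ("<script", "../", "' or 1=1")  # Input Validation Checks

    def check(self, req):
        violations = []
        if req.method not in self.allowed_methods:
            violations.append("method_not_allowed")
        if not req.host:
            violations.append("missing_host")
        if len(req.url) > self.max_url_length:
            violations.append("url_too_long")
        for name in self.protected_cookies:
            if name in req.cookies and not verify_cookie(req.cookies[name]):
                violations.append(f"cookie_tampered:{name}")
        decoded = unquote(req.url).lower()            # URL normalisation before matching
        violations.extend(f"input_validation:{frag}" for frag in self.forbidden_fragments
                          if frag in decoded)
        return violations


@dataclass
class PolicyMap:
    """Step 3: bind traffic classes to feature maps; the first matching class wins."""
    name: str
    rules: list                                   # [(TrafficClassMap, FeatureMap), ...]
    default_action: str = "allow"

    def apply(self, req):
        for tcm, fm in self.rules:
            if tcm.matches(req):
                violations = fm.check(req)
                return {"class": tcm.name, "feature_map": fm.name,
                        "action": "block" if violations else "allow",
                        "violations": violations}
        return {"class": None, "feature_map": None,
                "action": self.default_action, "violations": []}


# Constructed configuration: harden the checkout path of shop.example.com.
CHECKOUT = TrafficClassMap("checkout", host="shop.example.com", url_prefix="/checkout")
STRICT = FeatureMap("strict", max_url_length=256, protected_cookies=("session",))
POLICY = PolicyMap("web-app-security", rules=[(CHECKOUT, STRICT)])


def run_demo():
    """Run constructed requests through the policy and return each verdict."""
    session = sign_cookie("user=42")
    cases = {
        "good": Request("GET", "shop.example.com", "/checkout/confirm?id=42", {"session": session}),
        "tampered": Request("GET", "shop.example.com", "/checkout/confirm?id=42",
                            {"session": "user=1." + session.rpartition(".")[2]}),
        "traversal": Request("GET", "shop.example.com", "/checkout/../../etc/passwd"),
        "encoded": Request("GET", "shop.example.com", "/checkout?q=%3Cscript%3Ealert(1)"),
        "long_url": Request("GET", "shop.example.com", "/checkout?pad=" + "a" * 300),
        "unmatched": Request("GET", "blog.example.com", "/checkout?pad=" + "a" * 300),
    }
    return {name: POLICY.apply(req) for name, req in cases.items()}
```

The "unmatched" case is the point to take away from the class-map/policy-map split: a request that no traffic class map selects gets the policy map's default action, not the strict feature map, so a class map that is too narrow (wrong hostname, missing path prefix) silently leaves traffic unprotected. The "encoded" case shows why URL Normalization precedes Input Validation Checks: the pattern only matches after percent-decoding.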
The example in Figure shows the map summary that is displayed when you click on the Request
Limits command. Every other map summary looks similar and contains similar controls. The
following paragraphs describe how to use the controls on a map summary page.
Each row in the summary lists one defined map. Using the controls on a summary row you can view,
clone, edit, or delete the map.
To view the definition of a map, click its underlined name at the left end of the row. The displayed
page shows a read-only listing of the map definition.
To copy a map to use as the basis of a new map, click the Clone button next to the map that you
want to clone. AVS displays a map editing screen that is similar to the one shown when you are
adding a new map, except that all the settings are copied from the map that you cloned.
To edit a map, click the Edit button in the summary. AVS displays a map editing screen where you
can change the settings in the map.
To delete one or more maps, check the box in the Delete column for each map that you want to
delete. Then click the Delete Maps button to delete the checked maps.
To add a new map, click the Add New Map button to display a map editing screen where you can
define the map and give it a name. The sections throughout this chapter describe the unique map
editing screens for each feature.
You can click the links in the blue bar at the top of the frame to go directly to the screens identified
by name.
System Utilities
Various utilities let you manage web application security configuration, logging, and statistics.
Use the System Utilities command to display a page that contains links to the system utilities, as
shown in Figure below. To use a utility function, click on its link.
The following sections describe the two groups of items listed on the System Utilities page:
• Display Utilities
• Configuration Utilities
Display Utilities
The utilities grouped under the Display Utilities heading let you display various information. The
following items are included:
• Startup Configuration
• Running Configuration
• New Configuration
• System Stats
• Traffic Level Stats
• Policy Level Stats
• Current Log
• Saved Log
• Show Version
• Show Tech Support
• Default Config
Startup Configuration
The Startup Configuration link displays the default web application security configuration. This
information is not relevant for users; it is for debugging only.
Running Configuration
The Running Configuration link displays the web application security configuration that is currently
in effect. This information is not relevant for users; it is for debugging only.
New Configuration
The New Configuration link displays the web application security configuration that is being
configured, but not yet committed. This information is not relevant for users; it is for debugging
only.
System Stats
Click System Stats to display statistics related to the web application security operation and
features, as shown in Figure below.
The statistics are initially shown for the master node, which is the first AVS 3120 node that is added
to the cluster in the management console. To show statistics for a different node, click on the link
with the node name in the Nodes field at the top of the screen. You can click the links above the
table to jump directly to the section of the table that shows statistics for the feature named in the
link. For each item in the table, the statistic shows a number of bytes or the number of times the
event has occurred.
You can scroll the log window to the right to see additional columns that include the URI, the feature
responsible for the log entry, the policy map, traffic class map, feature map, and the log message.
The policy map, traffic class map, and feature map names are hyperlinks, which when clicked will
take you to a screen where you can edit the named map.
This page displays log entries from all web application security features by default. You can filter the
displayed log items by feature by choosing the feature from the Filter By Feature drop-down list.
Then click Refresh Saved Logs.
You can clear the current log file by using Clear Current Logs.
Saved Log
Click Saved Log to display the saved log, which looks similar to the Figure above. The saved log item
works differently, depending on your system configuration, as follows:
• If you have an AVS 3180 Management Station, then Saved Log displays the aggregate log file of
all AVS 3120 nodes that are part of the cluster in the management console. (In order to
aggregate log files from all nodes in the cluster, you must configure all nodes to send log
messages to the AVS 3180 Management Station.
• If you do not have an AVS 3180 Management Station, then Saved Log displays nothing and is
not useful.
The log filtering works the same as for Current Log.
Show Version
Click Show Version to display version information about the web application security software.
Show Tech Support
Click Show Tech Support to display information about the web application security software that can
be helpful for technical support.
Default Config
Click Default Config to display a page that controls the defaults for various web application security
features, as shown in the following Figure.
Figure 9: Default Configuration
This page lists the web application security features and pattern definitions that can have default
configurations. A default configuration is the configuration that appears when you create a new map
for a feature.
To view the default configuration for a feature or pattern definition, click the View link next to its
name. To enable the feature or pattern definition to have a default configuration, check the Enable
check box.
If you make any changes to this screen, click Apply Changes at the top to save your changes, or click
another AVS command in the left-hand menu to exit this screen without saving your changes.
You can change the default configuration for a feature or pattern definition by creating a new map
for it, configuring the settings as needed, and clicking the Set As Default button. Creating a default in
this way will automatically enable the default configuration if it is not already enabled.
Configuration Utilities
The utilities grouped under the Configuration Utilities heading let you manage the global web
application security configuration and logging. The following items are included:
• System Settings
• Cluster Control
• Publish Configuration
• Service Policy
• Commit Config
• Force Commit
• Save Config
• Clear Config
System Settings
Click System Settings to display a page that controls overall web application security system
operation, as shown in Figure below.
From the Mode of Operation drop-down list, choose one of the following operation modes for the
web application security module:
• Inline—This mode is used for web application security only; no other AVS features can be used
or should be configured, including destination mapping or SSL termination. In this mode, the
application appliance acts like a transparent bridge, monitoring traffic on incoming port 3,
checking security policies and taking action if necessary, then forwarding the traffic to the web
servers on outgoing port 4. Ports 3 and 4 do not have IP addresses and so do not terminate
TCP/IP connections. Port 1 is used for management console connectivity and port 2 is not used.
• Gateway—This mode is used when you want to operate other AVS features in addition to web
application security. For this mode, you must configure at least destination mapping in the
application appliance. In this mode, traffic enters and leaves the application appliance on port 1,
which is also used for management console connectivity. The other three ports are not used.
In gateway mode, SSL-encrypted HTTPS traffic that arrives at the application appliance is
decrypted and forwarded to the web servers as unencrypted HTTP traffic if the web application
firewall is in use. HTTPS traffic between the application appliance and the web servers is not
supported unless the web application firewall is disabled.
• Monitor—This mode is used for monitoring traffic only; no other AVS features can be used or
should be configured. No packets are modified by the web application security module, but
instead it only logs events that match security policies. You can use this mode of operation if you
want to passively examine your web application traffic for possible security threats. Connect
network traffic that you want to monitor to port 2 on the AVS 3120. For example, you can
connect port 2 to the monitor port or Switched Port Analyser (SPAN) port on a switch. Port 2
does not have an IP address and so does not terminate TCP/IP connections. Port 1 is used for
management console connectivity and ports 3 and 4 are not used.
The port assignments for the various operating modes are summarized in the following Table.
Table 7: Port Assignments
Mode      Port 1                       Port 2                      Port 3             Port 4
Inline    Management console           Not used                    Incoming traffic   Outgoing traffic
Gateway   Traffic and management       Not used                    Not used           Not used
Monitor   Management console           Monitored (SPAN) traffic    Not used           Not used
If you change operating modes, for example from inline to gateway mode, you must restart the web
application security module. This is a major change that will likely also require you to reconfigure
your network routing.
In all of the operation modes, the application appliance inspects traffic that is going to and coming
from the web servers.
In the Software Auto Bypass drop-down list, choose Yes if you want to enable automatic bypass in
inline mode.
Automatic bypass causes the application appliance to bridge packets between the incoming and
outgoing ports if the web application security module fails, which allows clients to continue to access
the web servers without security checks.
If you choose No and the web application security module fails, client requests will not be forwarded
to the web servers.
In the Old Configuration Expires After field, enter the time in seconds to allow any HTTP sessions
that are in progress to finish before changing configuration when a new configuration is committed.
During this grace period, the old configuration still applies to active HTTP sessions.
When this period of time expires, any HTTP sessions that are still in progress are closed and the new
configuration is applied.
In the Servers to protect area, you must do as follows:
- Enter the IP addresses and ports of each web server that you want the web application
security module to protect.
- Enter the IP address of a web server in the IP address field, check the Add box, and
click Update Servers.
- Then you will see a Port field displayed under the IP address.
- Enter the port to protect, check the Add box next to the port, and click Update Servers.
- Repeat this procedure to add each port that you want to protect on the web server.
Repeat entering the IP address and ports of each web server that you want to protect. To delete a
port or web server IP address, check the Delete check box next to the port or IP address and
click Update Servers.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the utilities main page without saving your changes.
Cluster Control
Click Cluster Control to display a page that allows you to stop, start or restart the web application
security firewall module on individual application appliance nodes, as shown in the following Figure.
This screen shows the status (Running or Stopped) of the web application security firewall module
for each node in the cluster.
You can run, stop, or restart the web application firewall module on the nodes in the cluster. Check
the check boxes next to the nodes that you want to control, and then click Run, Stop, or Restart to
perform that operation on the checked nodes.
You can use the Include All Nodes and Exclude All Nodes buttons at the top to check or clear all
check boxes.
If you want to control the status of both the Condenser and web application security firewall
modules, you can use the Cluster Control command under the cluster name in the left hand menu.
Publish Configuration
Click Publish Configuration to display a page that allows you to publish a configuration to all nodes
in a cluster, as shown in Figure below.
In the Publish Configuration area of the form, click the Publish button to publish the running
configuration of the master AVS 3120 node to all other nodes in the same cluster. If there are no
other nodes in the cluster, the Publish button is not shown.
The master node is the first AVS 3120 node that is added to the cluster in the management console.
If that node is removed, then the next added node becomes the master node, and so on. The master
node is identified at the top of the Publish Configuration page.
To cancel the operation and go back to the System Utilities page click Back.
Use the Publish button in situations where the master node is stable and one of the other nodes
restarts or a new node is added to the cluster.
All AVS 3120 nodes in a cluster must have the same web application security running configuration.
If you are operating a cluster, you must publish the web application security configuration of the
master node to all other nodes.
In the Synchronize Configuration area of the form, click the Sync button to publish the configuration
that is saved on the management console to all nodes in the same cluster.
Use the Sync button in situations where the master node is restarted with a different configuration
and you want to resynchronize it and all other nodes with the saved configuration that is stored in
the management console.
To view the saved configuration that will be published to all nodes, click the View Last Committed
Configuration link.
Service Policy
Click Service Policy to display a page that allows you to choose the active policy map, as shown
in the following Figure.
In the Select Policy Map drop-down list, choose the policy map that you want to be active. Then
click Apply Changes at the top to save your changes, or click Discard Changes to discard your
changes.
Only one policy map can be active at a time. The setting on this screen interacts with enabling a
policy map on the policy map summary screen shown in the following figure. Setting a policy to be
enabled in that screen will cause it to be the selected service policy in this service policy screen.
Clear System Config
Click Clear System Config to clear the saved System Settings on the master AVS 3120 node. The
master node is the first AVS 3120 node that is added to the cluster in the management console. You
are asked in a confirmation dialog if you are sure that you want to clear the configuration.
Click OK to clear or Cancel to cancel.
This command clears only the system settings, not the policy configuration. To clear the policy
configuration, use Clear Config.
Commit Config
Configuration changes that you make to web application security policies must be committed before
they take effect and are applied to web traffic. Before they are committed, they are stored
temporarily by the management console but are not saved or applied to the AVS 3120 node where
the web application security module operates.
Click Commit Config to commit the configuration changes to the master AVS 3120 node and to save
them on the management console. The master node is the first AVS 3120 node that is added to the
cluster in the management console. You are asked in a confirmation dialog if you are sure that you
want to commit the configuration. Click OK to commit or Cancel to cancel.
If any HTTP sessions are in progress, they are given a grace period in which to finish, before the new
configuration takes effect. This grace period is configurable and is described in the "System Settings"
section. During this period, you normally cannot commit a second new configuration. If you need to
commit another configuration before this interval has passed, use Force Commit.
After committing a configuration, we recommend that you save the configuration on the master
node by using Save Config. If you have a cluster of AVS 3120 nodes, you must also publish the
configuration to all nodes in the cluster by using Publish Configuration. The application appliance
does not support a cluster where the nodes have different web application security configurations.
Force Commit
Click Force Commit to immediately commit configuration changes, if you have recently committed
another configuration and the grace period for that commit has not yet expired. See the previous
section, Commit Config, for details.
You are asked in a confirmation dialog if you are sure that you want to force commit the
configuration. Click OK to commit or Cancel to cancel.
After committing a configuration, we recommend that you save the configuration by using Save
Config. If you have a cluster of AVS 3120 nodes, you must also publish the configuration to all nodes
in the cluster by using Publish Configuration.
The application appliance does not support a cluster where the nodes have different web application
security configurations.
Save Config
Click Save Config to save the running configuration on the master AVS 3120 node so that it will be
preserved across a reboot of that node. The master node is the first AVS 3120 node that is added to
the cluster in the management console.
You are asked in a confirmation dialog if you are sure that you want to save the configuration.
Click OK to save or Cancel to cancel.
After committing a configuration by using Commit Config, we recommend that you save the
configuration by using Save Config.
Clear Config
Click Clear Config to clear the saved policy configuration on the master AVS 3120 node. The master
node is the first AVS 3120 node that is added to the cluster in the management console. You are
asked in a confirmation dialog if you are sure that you want to clear the configuration. Click OK to
clear or Cancel to cancel.
Clearing the configuration clears only the saved copy of the configuration on the master AVS 3120
node. It does not clear the running configuration, so the node will continue to operate with its
running configuration.
If it is rebooted, that configuration will be lost because it is no longer saved.
In the IP Address field, enter the IP address of a remote server to which AVS should send web
application security logs. Check the Add check box and click Update IP Addresses to add the address
to the list of remote log servers. Repeat these steps to add additional remote log servers. To delete a
log server from the list, check the Delete check box next to it and click Update IP Addresses.
The servers that you specify must have the syslog facility running and configured to receive
messages from the network.
If you are managing a cluster of AVS 3120 nodes with the AVS 3180 Management Station, you must
configure the AVS 3180 as one of the remote log servers. This allows the management console to
display aggregated logs from all nodes in the cluster. If you do not have an AVS 3180 Management
Station, you may still want to enter the IP address of at least one remote log server where logs will
be aggregated, though these will not be accessible through the management console interface.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to discard your changes.
Each row in the summary lists one defined traffic map. From here you can view, clone, edit, or delete
a traffic map, or add a new map.
To view the definition of a traffic map, click its underlined name. The displayed page shows a read-
only listing of the definition.
The Match column lists the matching policy of the map.
To copy a map to use as the basis of a new map, click the Clone button for the traffic map that you
want to copy.
To edit a traffic map, click the Edit button for the map that you want to edit. A form similar to that
shown in the Figure below is displayed where you can edit the traffic map.
To delete one or more traffic maps, check the box in the Delete column for each map that you want
to delete. Click Delete to delete the checked maps.
To add a new traffic map, use the Add Traffic Class area below the summary table. Give the map a
name in the Map Name field. To determine how the criteria in this map are to be applied, choose
one of the following radio buttons below this field:
• Match Any Criteria—This traffic map is applied if any one of the criteria is satisfied
• Match All Criteria—This traffic map is applied only if all of the criteria are satisfied
Then click the Add New Map button to create the traffic map. You are returned to the map
summary page where you will see the new traffic map listed. To continue the process of defining the
new map, click the Edit button for the map to display the screen shown in the Figure below. One
criteria line has already been added to this traffic map.
You can add criteria lines that describe one or more characteristics of the traffic that you want to
classify. From the Type drop-down list, select the traffic type: Request or Response. Next select the
type of HTTP data that you want to examine for a match in the Match Criteria drop-down list.
The match criteria choices are listed in the following Table.
Table 8: Traffic Class Match Criteria
Next to the match criteria in the Parameter1 and Parameter2 fields, enter the values that are the
match criteria. Most match criteria items require only a single value, which you enter into the
Parameter1 field. A few of the match criteria items require both a name and a value, such as a
cookie name and value or a parameter name and value. Enter the name into the Parameter1 field
and the value into the Parameter2 field. If the Parameter2 field is not needed, then it is not shown.
For example, if you choose host for the Match Criteria, then the Parameter1 value would be a host
name such as www.cisco.com; the Parameter2 field is not used. If you choose param-name-value for
the Match Criteria, then the Parameter1 value would be the name of a request parameter, and the
Parameter2 value would be the value of the specified request parameter.
Regular expressions are allowed in the Parameter1 and Parameter2 fields.
Click the check box in the Negate column if you want to match all traffic that does not meet the
criteria. For example, if you check Negate and enter www.cisco.com for host, this criterion matches
all requests where the host does not equal www.cisco.com.
Traffic maps that contain response criteria cannot be used to trigger a feature that is operating on a
request. For example, if you have a traffic map that uses the content-type criteria (a response
criteria), this traffic map cannot be used in a policy where it is associated with a request limits
feature map.
Many features can apply to both requests and responses. Such a feature can be associated with a
traffic map that contains response criteria only if it does not operate on request data. For example, if
you have a traffic map that uses the set-cookie-name criteria (a response criteria), this traffic map
can be used in a policy where it is associated with a cookie protection map, as long as the cookie
protection map operates only on response cookies. If the cookie protection map includes any
request cookie operations, then the policy is invalid.
When you are finished entering one criteria line, click the Update Parameters button to update the
page and give you a new line on which to enter another criterion. To delete one or more criteria
lines, click the Delete check box on each line that you want to delete and then click Update
Parameters to delete all checked lines.
When you are finished with this form, click Apply Changes to save your changes, or click Discard
Changes to return to the summary page without saving your changes.
Policy Maps
A policy map allows you to implement specific web application security functions associated with a
traffic class. First you must create a traffic class map and one or more application security feature
maps, then you can create a policy map that applies the individual security functions to the traffic
class. Here is a summary of the steps required to create a policy map:
1. Create one or more traffic class maps and one or more application security feature maps that
you want to apply to the traffic classes.
2. Click the Policy Maps command and use the Add New Map button to name a new policy map.
3. In the policy map summary page, click the Edit button to add a traffic class to the policy map.
4. In the resulting page that lists traffic maps, click the Edit button next to the newly added traffic
map to associate individual security feature maps with the traffic map.
Each row in the summary lists one defined policy map. From here you can view, clone, edit, delete,
or enable a policy map, or add a new map.
To view the definition of a policy map, click its underlined name. The displayed page shows a read-
only listing of the definition.
The Associated Traffic Maps column lists the traffic class maps that are associated with a policy. If no
traffic class maps are yet associated, it reads "No Maps Associated." The Match Criteria column lists
the matching policy of the map.
To copy a map to use as the basis of a new map, click the Clone button for the map that you want to
copy.
To edit a policy map and add traffic class maps, click the Edit button for the map that you want to
edit. A form similar to that shown in the following Figure is displayed where you can edit the policy
map.
To delete one or more policy maps, check the box in the Delete column for each map that you want
to delete. Click Delete to delete the checked maps.
To enable a policy map (make it active), click the radio button in the Enable column for the map that
you want to enable, then click the Enable button at the bottom of the column. You can only enable a
policy map that has associated traffic class maps, and you can only enable one policy map at a time.
This setting interacts with the policy map selected in the Service Policy screen of the System Utilities.
Selecting a policy to be active in that screen will cause it to be displayed as enabled in this policy
map summary screen.
To add a new policy map, use the Add Policy area below the summary table. Give the map a name in
the Map Name field. Choose when to execute the policy by clicking one of the following radio
buttons:
• First Match—Execute the policy only on the first traffic map that matches the traffic
• Match All—Execute the policy on all traffic maps that match the traffic
Then click Add New Policy Map to add the map to the summary. The new map is not yet configured,
and to do that click the Edit button for the map.
When you choose First Match for the type of traffic map matching, it is important to understand the
order in which AVS matches traffic maps. Traffic matching is driven by the order in which the traffic
data arrives, which is: HTTP method, HTTP version, host, URL, cookie name, and cookie value. There
can be multiple cookies and they can arrive in any order, so the value of one cookie could cause a
match before the name of another cookie.
Say that you have a traffic map, url-class, that matches on a specific URL, and another traffic map,
cookie-class, that matches on a cookie name. In an incoming request, the URL arrives before any
cookies, so if the URL matches url-class, then this will cause a First Match policy to fire (if it uses this
traffic map). The cookie-class might also match this request, but it is not invoked since the url-class
already triggered its policy.
The order in which traffic maps are listed in the traffic maps list (see Figure below) is irrelevant and
does not signify the order in which traffic maps are evaluated for a match.
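The traffic map and policy map behaviour described above, as an added example that is not part of the original handbook or of the AVS software: a small Python model of traffic maps (Match Any / Match All criteria, regular-expression parameters, Negate) and of a policy map (First Match / Match All) whose evaluation order follows the order in which request data arrives, not the order of the list. The request, map names and feature map names are constructed for the example; the arrival positions are an assumption that follows the order given in the text (method, version, host, URL, then cookies in header order).

```python
import re
from dataclasses import dataclass, field

# Position at which each piece of request data arrives, in the order the text
# gives: method, version, host, URL, then cookies. Cookie i's name arrives at
# COOKIE_BASE + 2*i and its value one position later, so the value of an early
# cookie is seen before the name of a later one (assumed model).
FIXED_ORDER = {"method": 0, "version": 1, "host": 2, "url": 3}
COOKIE_BASE = 4


@dataclass
class Criterion:
    """One criteria line of a traffic map (Type is Request for all of these)."""
    match: str            # method, version, host, url, cookie-name, cookie-value, param-name-value
    param1: str           # regular expression (the name, for param-name-value)
    param2: str = ""      # regular expression for the value (param-name-value only)
    negate: bool = False  # the Negate check box

    def evaluate(self, req):
        """Return (matched, position): position is where the verdict becomes known."""
        if self.match in FIXED_ORDER:
            hit = re.search(self.param1, req[self.match]) is not None
            pos = FIXED_ORDER[self.match]
        elif self.match in ("cookie-name", "cookie-value"):
            idx = 0 if self.match == "cookie-name" else 1
            hit, pos = False, COOKIE_BASE + 2 * len(req["cookies"])  # known after the last cookie
            for i, cookie in enumerate(req["cookies"]):
                if re.search(self.param1, cookie[idx]):
                    hit, pos = True, COOKIE_BASE + 2 * i + idx
                    break
        elif self.match == "param-name-value":
            hit = any(re.search(self.param1, n) and re.search(self.param2, v)
                      for n, v in req["params"].items())
            pos = FIXED_ORDER["url"]  # query parameters travel with the URL
        else:
            raise ValueError(f"unsupported match criterion: {self.match}")
        return hit != self.negate, pos


@dataclass
class TrafficMap:
    name: str
    match_all: bool   # True = Match All Criteria, False = Match Any Criteria
    criteria: list

    def evaluate(self, req):
        """Return (matched, position) for the whole map."""
        results = [c.evaluate(req) for c in self.criteria]
        if self.match_all:
            failing = [pos for hit, pos in results if not hit]
            # verdict known at the first failing criterion, else only after the last one
            return not failing, (min(failing) if failing else max(p for _, p in results))
        hits = [pos for hit, pos in results if hit]
        return bool(hits), (min(hits) if hits else max(p for _, p in results))


@dataclass
class PolicyMap:
    name: str
    first_match: bool   # True = First Match, False = Match All
    entries: list = field(default_factory=list)  # (TrafficMap, [feature map names])

    def evaluate(self, req):
        """Return [(traffic map name, feature maps)] that fire, in arrival order.
        The order of self.entries is ignored on purpose: list order does not
        decide which traffic map matches first."""
        fired = sorted((pos, tm.name, feats) for tm, feats in self.entries
                       for matched, pos in [tm.evaluate(req)] if matched)
        if self.first_match:
            fired = fired[:1]
        return [(name, feats) for _, name, feats in fired]


# Constructed sample request (not from the handbook).
SAMPLE_REQUEST = {
    "method": "GET", "version": "HTTP/1.1", "host": "www.example.com",
    "url": "/admin/users?id=42", "params": {"id": "42"},
    "cookies": [("theme", "dark"), ("session", "abc123")],
}

url_class = TrafficMap("url-class", False, [Criterion("url", r"^/admin")])
cookie_class = TrafficMap("cookie-class", False, [Criterion("cookie-name", r"^session$")])
# Match All map: host must NOT be www.cisco.com and the method must be GET or POST.
not_cisco = TrafficMap("not-cisco", True, [
    Criterion("host", r"^www\.cisco\.com$", negate=True),
    Criterion("method", r"^(GET|POST)$"),
])


def fired_names(first_match, req=SAMPLE_REQUEST):
    """Evaluate a policy built from cookie-class and url-class (cookie-class is
    listed first on purpose) and return the names of the maps that fire."""
    policy = PolicyMap("demo", first_match, [(cookie_class, ["cookie-protection-1"]),
                                             (url_class, ["request-limits-1"])])
    return [name for name, _ in policy.evaluate(req)]


if __name__ == "__main__":
    print("First Match:", fired_names(True))    # url-class: the URL arrives before any cookie
    print("Match All:  ", fired_names(False))
    print("not-cisco:  ", not_cisco.evaluate(SAMPLE_REQUEST))
```

Running the block shows that with First Match only url-class fires even though cookie-class is listed first and also matches, and that a negated host criterion in a Match All map is decided at the host position.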
When you first edit a new policy map, there are no traffic maps included in it. To begin defining a
policy, choose a traffic map from the Traffic Map Name drop-down list. Then click the Add check box
to put a check in it and click the Update List button to add the traffic map to the policy. For details
on the predefined default traffic maps. After the update, the screen looks like that shown in the
following figure.
The newly added traffic map is shown in the first row under the Traffic Map Name heading. Each
row summarizes one traffic map that is part of this policy definition. The last row allows you to add a
new traffic map by selecting its name from the drop-down list of traffic maps, clicking the Add check
box, and clicking the Update List button.
Using the controls in the summary row for a traffic map, you can view the policy for the map, delete
it, or edit it.
To view the policy for a traffic map, click its underlined name. The displayed page shows a read-only
listing of the policy definition.
To delete one or more traffic maps from this policy definition, check the box in the Delete column
for each map that you want to delete. Click Update List to delete the checked maps.
To edit the policy for a traffic map, click the Edit button.
When you are finished adding or editing traffic map policies, click Apply Changes to save your
changes, or click Discard Changes to return to the summary page without saving your changes.
• Error Page—Send an error page. Choose the error page to send from the next drop-down list to
the right. You define such error pages by using the send page feature.
Click the Log check box to log the event.
To apply a feature map to the traffic, choose a feature from the Feature drop-down list and then
from the Map Name drop-down list, choose one of the feature maps that you have defined for that
feature. Then click the Update List button to take you back to the screen shown in Figure above. You
can add multiple feature maps to be applied to this traffic map by editing the traffic map again and
following the same procedure.
Traffic maps that contain response criteria cannot be used to trigger a feature that is operating on a
request. For example, if you have a traffic map that uses the content-type criteria (a response
criteria), this traffic map cannot be used in a policy where it is associated with a request limits
feature map.
Many features can apply to both requests and responses. If such a feature operates only on
response data and not on request data, then it can be associated with a traffic map that contains
response criteria. For example, if you have a traffic map that uses the set-cookie-name criteria (a
response criteria), this traffic map can be used in a policy where it is associated with a cookie
protection map, as long as the cookie protection map operates only on response cookies. If the
cookie protection map includes any request cookie operations, then the policy is invalid and will not
be allowed.
The default traffic map class-default-request can be associated with feature maps that operate only
on request data. A policy map that contains the class-default-request traffic map cannot include
other traffic maps that contain the request-body matching criteria.
The default traffic map class-default-response can be associated with feature maps that operate
only on response data. A policy map that contains the class-default-response traffic map cannot
include other traffic maps that contain the response-body matching criteria.
To delete an associated feature map, check the Delete check box for the map and click Update List.
If you would rather cancel the changes that you made on this form, click the Discard
Changes button.
The following features are available in the Feature drop-down list:
• Cookie Protection—Protects against cookie tampering by using hashed cookies and provides
cookie privacy by encrypting cookies;
• HTTP Protocol conformance-MIME Type Controls—Validates that the content's MIME type
matches the MIME type specified in the HTTP Content-type header. This feature operates only
on responses.
• HTTP Protocol conformance-Control HTTP Method—Filters traffic based on the HTTP method;
• HTTP Protocol conformance-Generic Pattern Matcher—Filters traffic based on any user-
definable criteria;
• HTTP Protocol conformance-Header Integrity Check—Checks headers for integrity;
• HTTP Protocol conformance-IM Controls—Filters instant messenger traffic;
• HTTP Protocol conformance-P2P Controls—Filters peer-to-peer file sharing traffic;
• HTTP Protocol conformance-Transfer Encoding—Filters traffic based on the HTTP Transfer-
Encoding header;
• HTTP Protocol conformance-Tunnelling Policies—Filters traffic that is tunnelled over HTTP, such
as ShoutCast, GoToMyPC and the like;
Pattern Definitions
Pattern definitions define regular expression sets for matching strings used by other web security
features. For example, the identity theft protection feature uses regular expressions that match
social security numbers and credit card numbers.
Use the Pattern Definitions command to display a page that summarizes the pattern maps that are
defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the Figure below.
Give the new regular expression set a name in the Pattern Definition Name field.
In the Type drop-down list, select the type of regular expression set that you are defining, from the
following choices:
• Social Security Number—Regular expressions that describe social security numbers
• Credit Card—Regular expressions that describe credit card numbers
• Custom—Custom regular expression
• Cross Site Scripting—Regular expressions that describe cross site scripting strings
• SQL Injection—Regular expressions that describe SQL command strings
• Command Injection—Regular expressions that describe command strings
• LDAP Injection—Regular expressions that describe LDAP strings
• Meta Character Detection—Regular expressions that describe meta characters
• Format String Attacks—Regular expressions that describe format strings
Select one or more regular expressions that you want to use from the Standard Regular Expressions
list and add them to the Included Regular Expressions list on the right side of the page by clicking the
right arrow (-->) button. The list of standard regular expressions changes depending on the type you
choose. You can also add a custom regular expression by typing it into the Custom field and clicking
the right arrow (-->) button next to that field. For details on the regular expression syntax that is
allowed. If you enter a value into the Custom field, in the Size field you must also enter a maximum
number of characters to search for this expression in the target data. Size must be greater than 0 for
the custom expression to be added to the Included Regular Expressions list.
You can remove a regular expression from the Included Regular Expressions list by selecting it and
clicking the left arrow (<--) button.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.
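The pattern definition described above, as an added example that is not part of the original handbook or of the AVS software: a Python model of a regular expression set with a type, standard and custom expressions, and the Size limit that bounds how many characters of the target data a custom expression may scan. The "standard" expressions and the request body are constructed for this example and are not the appliance's own expression set.

```python
import re
from dataclasses import dataclass

# Illustrative expressions for a few pattern definition types (constructed for
# this example, not the appliance's standard list).
STANDARD_EXPRESSIONS = {
    "Social Security Number": [r"\b\d{3}-\d{2}-\d{4}\b"],
    "Credit Card": [r"\b4\d{3}(?:[ -]?\d{4}){3}\b",        # 16 digits starting with 4
                    r"\b5[1-5]\d{2}(?:[ -]?\d{4}){3}\b"],  # 16 digits starting with 51-55
    "SQL Injection": [r"(?i)\bunion\b\s+(?:all\s+)?\bselect\b",
                      r"(?i)\bor\s+\d+\s*=\s*\d+"],
    "Cross Site Scripting": [r"(?i)<\s*script\b",
                             r"(?i)\bon\w+\s*=\s*['\"]?javascript:"],
}


@dataclass
class PatternDefinition:
    name: str        # Pattern Definition Name
    type: str        # the Type drop-down value
    included: list   # (expression, size) pairs; size is None for standard expressions

    def add_standard(self, index):
        """Move one of the Standard Regular Expressions into the Included list."""
        self.included.append((STANDARD_EXPRESSIONS[self.type][index], None))

    def add_custom(self, expression, size):
        """Add a Custom expression; Size must be greater than 0 or it is refused."""
        if size <= 0:
            raise ValueError("Size must be greater than 0 for a custom expression")
        re.compile(expression)  # reject invalid syntax before it reaches the policy
        self.included.append((expression, size))

    def scan(self, data):
        """Return [(expression, matched text)] for every included expression that
        matches; a custom expression only sees the first `size` characters."""
        hits = []
        for expression, size in self.included:
            target = data if size is None else data[:size]
            m = re.search(expression, target)
            if m:
                hits.append((expression, m.group(0)))
        return hits


# Constructed request body containing the kinds of data ID theft protection looks for.
SAMPLE_BODY = "name=Alice&ssn=123-45-6789&card=4111 1111 1111 1111&comment=hello"


def build_id_theft_definitions():
    """Two definitions an analyst might attach to an ID theft protection map."""
    ssn = PatternDefinition("ssn-set", "Social Security Number", [])
    ssn.add_standard(0)
    card = PatternDefinition("card-set", "Credit Card", [])
    card.add_standard(0)
    card.add_standard(1)
    return ssn, card


def matched_text(definition, data):
    """Just the matched strings, in the order the expressions are included."""
    return [text for _, text in definition.scan(data)]


if __name__ == "__main__":
    ssn, card = build_id_theft_definitions()
    print(matched_text(ssn, SAMPLE_BODY), matched_text(card, SAMPLE_BODY))
    custom = PatternDefinition("card-param", "Custom", [])
    custom.add_custom(r"(?i)card=", 10)   # Size 10 never reaches the card parameter
    print(custom.scan(SAMPLE_BODY))
```

The Size limit matters for performance, but it also limits coverage: a custom expression with too small a Size silently misses data that sits later in the body, so size it to the largest field the application actually accepts.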
This section describes the following security feature configuration items that appear under
the Web Application Security folder in the left hand menu of the Management Console:
• URL Normalization
• Cookie Protection
• ID Theft Protection
• Request Limits
• Error/Redirect Pages
• Web Cloaking
• URL Tagging
URL Normalization
The URL normalization feature lets you secure web applications from attacks that use the URL in
HTTP requests, such as directory traversal.
To deobfuscate potential attacks, the application appliance first scans the URL in incoming requests
and normalizes it by decoding all encoded characters. It can detect the following encoding schemes:
escaped encoding, %U encoding, unicode encoding using UTF-8 (up to three bytes in length), and IP
address encoding. Additionally, it can handle a combination of encoding schemes and double
encoding of the same character.
Use the URL Normalization command to display a page that summarizes the URL normalization
maps that are defined and to view, delete, clone, edit or add new maps. For details on using the
summary page GUI.
When you click the button to add a new map, AVS displays the screen shown in the following Figure.
Give the new map a name in the Map Name field. In the Normalize Case drop-down list, select True
to normalize the case of URLs or False to ignore case.
The following part of the form lists a number of conditions that may indicate a possible attack and
lets you determine what action to take if one of the following conditions is detected in a URL:
• Encoding—Any kind of character encoding
• Escape encoding—Escape character encoding
• Percent-U encoding—Percent-U character encoding
• Unicode encoding—Unicode character encoding
• Combination of encoding schemes—A combination of character encoding schemes
• Multiple levels of encoding—Multi-level character encoding
• Unsupported encoding—Unsupported character encoding
• Overlong unicode encoding—Overlong unicode character encoding
• Null encoding—Null character encoding
• Forward directory traversal—Forward directory traversal
• Backward directory traversal—Backward directory traversal
In the Action drop-down list for each item, choose one of the following actions to take if the
condition occurs:
• None—Take no action
• Reset server—Reset the server side of the connection
• Reset client—Reset the client side of the connection
• Reset server and client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error
pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define
such redirection pages by using the redirect page feature.
For each item you can also click the Log check box to log the event.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.
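The decoding steps the map above relies on are easy to get subtly wrong (overlong UTF-8, %u forms, a second layer of percent-encoding), so the following added example, which is not AVS code and uses hypothetical names and condition labels of its own, shows a small normalizer that decodes a request URL until it is stable and reports which of the form's conditions fired. Its definitions of "combination" (percent and %u forms in the same URL) and "forward directory traversal" (a "/./" segment) are assumptions made for the example.

```python
from __future__ import annotations
import re

# Added example, not AVS code; condition names are this example's own labels.
_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")
_PCT = re.compile(r"%([0-9a-fA-F]{2})")


def _decode_utf8(raw: bytes, seen: set[str]) -> str:
    """Hand-rolled UTF-8 decoder (1 to 3 bytes) so overlong forms such as
    %C0%AF for '/' are flagged and still normalised instead of being rejected."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            n, cp = 1, b
        elif 0xC0 <= b < 0xE0:
            n, cp = 2, b & 0x1F
        elif 0xE0 <= b < 0xF0:
            n, cp = 3, b & 0x0F
        else:  # 4-byte forms and stray continuation bytes are unsupported here
            seen.add("unsupported"); out.append("\ufffd"); i += 1; continue
        if i + n > len(raw) or any(raw[i + k] & 0xC0 != 0x80 for k in range(1, n)):
            seen.add("unsupported"); out.append("\ufffd"); i += 1; continue
        for k in range(1, n):
            cp = (cp << 6) | (raw[i + k] & 0x3F)
        if n > 1:
            seen.add("unicode")
            if cp < (0x80 if n == 2 else 0x800):   # fits in fewer bytes: overlong
                seen.add("overlong")
        out.append(chr(cp))
        i += n
    return "".join(out)


def _decode_once(url: str) -> tuple[str, set[str]]:
    """One decoding pass over %uXXXX and %XX; returns (url, schemes seen)."""
    seen: set[str] = set()
    if _PCT_U.search(url):
        seen.add("percent-u")
        url = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), url)
    if _PCT.search(url):
        seen.add("escape")
        raw, i = bytearray(), 0
        while i < len(url):          # collect bytes so multi-byte UTF-8 decodes as a unit
            m = _PCT.match(url, i)
            if m:
                raw.append(int(m.group(1), 16)); i = m.end()
            else:
                raw += url[i].encode("utf-8"); i += 1
        url = _decode_utf8(bytes(raw), seen)
    return url, seen


def normalize(url: str, normalize_case: bool = True) -> tuple[str, list[str]]:
    """Decode until stable; return (normalised path, sorted conditions detected)."""
    conditions: set[str] = set()
    levels = 0
    while True:
        url, seen = _decode_once(url)
        if not seen:
            break
        levels += 1                  # each extra pass is another encoding layer
        conditions |= seen
    if levels > 1:
        conditions.add("multiple-levels")
    if {"escape", "percent-u"} <= conditions:
        conditions.add("combination")
    if "\x00" in url:
        conditions.add("null")
    path = url.split("?", 1)[0]
    segments = path.split("/")
    if ".." in segments:
        conditions.add("backward-traversal")
    if "." in segments[1:]:
        conditions.add("forward-traversal")
    if normalize_case:
        path = path.lower()
    return path, sorted(conditions)


def first_action(conditions: list[str], policy: dict[str, str]) -> str:
    """Map fired conditions to the form's Action column; the most severe wins
    (the severity order below is this example's assumption)."""
    severity = ["none", "send-page", "redirect-page", "drop",
                "reset-client", "reset-server", "reset-server-and-client"]
    chosen = "none"
    for c in conditions:
        a = policy.get(c, "none")
        if severity.index(a) > severity.index(chosen):
            chosen = a
    return chosen
```

The decode loop is what catches double encoding: `%252e` becomes `%2e` on the first pass and `.` on the second, and only the fully decoded path is inspected for `..` segments.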
Cookie Protection
Web applications store a variety of information in plain text cookies. The application appliance
protects against cookie tampering by using hashed cookies and provides cookie privacy by
encrypting cookies. The application appliance also supports adding and removing cookie attributes,
and filtering cookies based on user configurable attributes such as HTTP-only cookies, maximum age,
number of cookies, and others. The cookie protection features operate both on server cookies sent
to clients in HTTP responses and on client cookies that are sent back to servers in HTTP requests.
Use the Cookie Protection command to display a page that summarizes the cookie protection maps
that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following Figure.
For each item you can also click the Log check box to log the event.
By using the next parts of the form, you can add rule-based processing to cookies that is based on
their values and attributes. These next form parts are described in the following sections:
• Response Attribute Rule Maps
• Response Rule Maps
• Request Rule Maps
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.
From the Operation drop-down list, select the type of operation you want to perform, as follows:
• Insert—Insert an attribute with the specified name and value. If the attribute already exists, its
value is replaced with the specified value.
• Remove—Remove the attribute with the specified name and value. If the attribute exists but
the value is different from the specified value, it is not removed.
• Set—Set an existing attribute with the specified name to the specified value. If the attribute
does not exist, it is not added. To insert a new attribute, use Insert.
Enter the attribute name in the Attribute Name field and its value in the Attribute Value field. When
you are finished, click Create to add the operation or Close Window to cancel the operation.
When you add a new operation, it will be listed in the Response Attribute Rule Maps section of the
cookie protection map form.
Enter a unique name for the rule map in the Rule Map Name field. You can specify a numeric priority
(from 1 to 65535) in the Numeric Priority field, which is used to order the rule maps. Rule maps are
evaluated in descending order of priority (highest number first), and the first rule map whose criteria
match the cookie is the one applied; a rule map whose criteria do not match is skipped in favour of
the next-highest priority rule map that does match.
Identify the cookie to which this rule map is to be applied by name and/or value in the Cookie Name
and Cookie Value fields. You can use regular expressions in these fields.
You can also identify cookies by attribute name and/or value by specifying one or more regular
expressions in the Attribute Name and Attribute Value fields. If you specify more than one
name/value pair, all specified attributes must be present in order for this rule to match a cookie.
In the Action drop-down list, select the action to apply to matched cookies, as follows:
• Encrypt—Encrypt the value of each matched cookie
• Tamper proof—Add a hash to each matched cookie so that modification by the client is detected
• Encrypt and tamper proof—Both encrypt and hash each matched cookie
If you want to log the event, click the Log check box next to the Action field.
When you are finished, click Create to add the rule map or Close Window to cancel the operation.
Enter a unique name for the rule map in the Rule Map Name field. You can specify a numeric priority
(from 1 to 65535) in the Numeric Priority field, which is used to order the rule maps. Rule maps are
evaluated in descending order of priority (highest number first), and the first rule map whose criteria
match the cookie is the one applied; a rule map whose criteria do not match is skipped in favour of
the next-highest priority rule map that does match.
Identify the cookie to which this rule map is to be applied by name and/or value in the Cookie Name
and Cookie Value fields. You can use regular expressions in these fields.
In the Action drop-down list, select the action to apply to matched cookies, as follows:
• Drop—Drop the connection silently
• Reset—Reset the connection
If you want to log the event, click the Log check box next to the Action field.
When you are finished, click Create to add the rule map or Close Window to cancel the operation.
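The three cookie rule map types above (Response Attribute Rule Maps, Response Rule Maps and Request Rule Maps) fit together as one pipeline: on the response side the highest-priority matching rule tamper-proofs the cookie and adjusts its attributes, and on the request side the cookie that comes back is verified before the server sees it. The following added example, which is not AVS code, implements that pipeline with a keyed hash (HMAC-SHA256); the key, rule names and the `ResponseRule` structure are this example's own assumptions, and the Encrypt action is left out because the standard library offers no authenticated cipher for it.

```python
from __future__ import annotations
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Added example, not AVS code. Hypothetical key; an appliance would manage this.
SECRET = b"rotate-me-out-of-band"


@dataclass
class ResponseRule:
    name: str
    priority: int           # higher number is evaluated first
    cookie_name: str        # regular expression matched against the cookie name
    action: str             # "tamper-proof" or "none" (encryption omitted here)
    attr_ops: list = field(default_factory=list)   # (op, attribute, value) triples


def parse_set_cookie(header: str):
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = []
    for p in parts[1:]:
        k, sep, v = p.partition("=")
        attrs.append((k, v if sep else None))      # flag attributes carry no value
    return name, value, attrs


def render_set_cookie(name, value, attrs) -> str:
    out = [f"{name}={value}"]
    out += [k if v is None else f"{k}={v}" for k, v in attrs]
    return "; ".join(out)


def apply_attr_op(attrs, op, key, val):
    """Insert / Remove / Set with the semantics described on the form."""
    keys = [k.lower() for k, _ in attrs]
    if op == "insert":                              # add, or replace if present
        if key.lower() in keys:
            attrs[keys.index(key.lower())] = (key, val)
        else:
            attrs.append((key, val))
    elif op == "remove":                            # only when name and value both match
        attrs[:] = [(k, v) for k, v in attrs
                    if not (k.lower() == key.lower() and v == val)]
    elif op == "set":                               # only when the attribute already exists
        if key.lower() in keys:
            attrs[keys.index(key.lower())] = (key, val)
    return attrs


def sign(value: str) -> str:
    mac = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{value}.{mac}"


def verify(signed: str) -> str | None:
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()[:32]
    return value if hmac.compare_digest(expected, mac) else None


def protect_response(set_cookie: str, rules: list[ResponseRule]) -> str:
    """Apply the highest-priority matching rule map to a Set-Cookie header."""
    name, value, attrs = parse_set_cookie(set_cookie)
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if re.fullmatch(rule.cookie_name, name):
            if rule.action == "tamper-proof":
                value = sign(value)
            for op, key, val in rule.attr_ops:
                apply_attr_op(attrs, op, key, val)
            break                                    # first matching rule wins
    return render_set_cookie(name, value, attrs)


def check_request(cookie_header: str, protected_names: str, on_failure: str = "drop"):
    """Request rule map: verify protected cookies; return ('pass', cookies) or (action, None)."""
    cookies = {}
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if re.fullmatch(protected_names, k):
            plain = verify(v)
            if plain is None:
                return on_failure, None              # tampered or unsigned: Drop / Reset
            v = plain
        cookies[k] = v
    return "pass", cookies
```

A cookie the client edits, or one it fabricates without the hash, never reaches the application; the server keeps seeing the value it originally set.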
ID Theft Protection
Identity theft protection guards against the unsolicited disclosure of social security and credit card
numbers in HTTP responses to clients. The web application firewall searches for numbers that
resemble social security or credit card numbers and performs a configurable action when it finds
them.
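"Numbers that resemble" card numbers is the crux: a 16-digit order reference must not be masked, while a card number written with spaces must be. The following added example, which is not AVS code, scans a response body for US social security numbers and for digit runs that pass the Luhn check, then masks or withholds the response according to a configured action; the regular expressions, the masking style and the action names are this example's own assumptions.

```python
from __future__ import annotations
import re

# Added example, not AVS code. 13 to 19 digits with optional single spaces or dashes.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# US SSN shape, excluding areas never issued (000, 666, 9xx) and all-zero groups.
SSN_RE = re.compile(r"(?<![\d-])(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask(token: str, keep: int = 4) -> str:
    """Replace all but the last `keep` digits with X, preserving separators."""
    n_digits = sum(ch.isdigit() for ch in token)
    out, n = [], 0
    for ch in token:
        if ch.isdigit():
            n += 1
            out.append(ch if n > n_digits - keep else "X")
        else:
            out.append(ch)
    return "".join(out)


def scan_response(body: str, action: str = "mask") -> tuple[str, str | None, list[tuple[str, str]]]:
    """Return (action taken, body to send or None when withheld, findings)."""
    findings: list[tuple[str, str]] = []

    def card_sub(m):
        token = m.group()
        if not luhn_ok(re.sub(r"\D", "", token)):
            return token                  # digit run that fails Luhn: not a card, leave it
        findings.append(("card", token))
        return _mask(token)

    def ssn_sub(m):
        findings.append(("ssn", m.group()))
        return _mask(m.group())

    masked = SSN_RE.sub(ssn_sub, CARD_RE.sub(card_sub, body))
    if not findings:
        return "none", body, []
    if action == "mask":
        return "mask", masked, findings
    return action, None, findings         # e.g. "drop" or "send-page": response withheld
```

Luhn filters most false positives, but not all: a 16-digit invoice number has a one-in-ten chance of passing, so the log entry and a sample of masked responses are worth reviewing before switching from mask to drop.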
Use the ID Theft Protection command to display a page that summarizes the identity protection
maps that are defined and to view, delete, clone, edit or add new maps. For details on using the
summary page GUI.
When you click the button to add a new map, AVS displays the screen shown in the following figure.
Request Limits
Many web sites use user-supplied input to create dynamic web pages. Improper validation of inputs
such as the URL, the URL query string, and HTTP headers can lead to buffer overflow attacks. A buffer
overflow occurs when a program writes data beyond the space allocated for it. Such attacks can cause
denial of service by crashing the server, or inject code that alters program execution; once attacker
code runs, it can be used to compromise downstream resources. Enforcing length limits on every
input received from the client removes the oversized inputs these attacks depend on.
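A request limit map is, in code, a set of size checks applied to the raw request before it is parsed any further. The following added example, which is not AVS code, checks a raw HTTP/1.x request against limits on the URL, query string, parameter count, header count and size, and declared body length; the `RequestLimits` field names and default values are this example's own assumptions, not the appliance's.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not AVS code. Limit names and defaults are assumptions for this example.


@dataclass(frozen=True)
class RequestLimits:
    max_url_len: int = 2048
    max_query_len: int = 1024
    max_param_count: int = 100
    max_header_count: int = 40
    max_header_len: int = 4096      # a single header line
    max_body_len: int = 1 << 20


DEFAULT_LIMITS = RequestLimits()


def check_limits(raw: bytes, limits: RequestLimits = DEFAULT_LIMITS) -> list[str]:
    """Return the names of the limits a raw request exceeds (empty list = within limits)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["malformed-request-line"]
    target = parts[1]
    headers = [ln for ln in lines[1:] if ln]
    _, _, query = target.partition(b"?")
    found: set[str] = set()
    if len(target) > limits.max_url_len:
        found.add("url-length")
    if len(query) > limits.max_query_len:
        found.add("query-length")
    if query and query.count(b"&") + 1 > limits.max_param_count:
        found.add("param-count")
    if len(headers) > limits.max_header_count:
        found.add("header-count")
    if any(len(h) > limits.max_header_len for h in headers):
        found.add("header-length")
    for h in headers:
        name, _, value = h.partition(b":")
        if name.strip().lower() == b"content-length":
            value = value.strip()
            # a non-numeric or oversized declared length is rejected before any body is read
            if not value.isdigit() or int(value) > limits.max_body_len:
                found.add("body-length")
    if len(body) > limits.max_body_len:
        found.add("body-length")
    return sorted(found)
```

Checking the declared Content-Length before reading the body is the point of the body limit: the appliance can refuse a request that announces an oversized body without ever buffering it.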
Use the Request Limits command to display a page that summarizes the request limit maps that are
defined and to view, delete, clone, edit or add new maps. For details on using the summary page
GUI.
When you click the button to add a new map, AVS displays the screen shown in the following figure.
Error/Redirect Pages
Error obfuscation makes it more difficult for hackers to discover identifying information about the
web server and application by masking or mapping error messages that might normally be returned
to the user. Many security vulnerabilities are dependent on specific software versions and hiding this
information can increase the security of the system.
AVS implements the following techniques for error obfuscation:
• Mapping errors by sending custom configured error pages to clients;
• Masking errors by redirecting the client when an error occurs;
Error obfuscation can be triggered as the action to perform when one of the following web
application security features encounters an error: URL Normalization, Cookie Protection, Request
Limits, Input Validation Checks, and HTTP Protocol Conformance.
Use the Error/Redirect Pages command to configure this feature. Click this command to display a
page that summarizes the error obfuscation maps that you have configured, as shown in the
following figure.
Each of the four summary sections of the page lists the maps configured for a sub-feature of error
obfuscation. Each defined map is summarized on one line. From here you can view, clone, edit, or
delete a map, or add a new map.
To view the definition of a map, click its underlined name. The displayed page shows a read-only
listing of the definition.
To copy a map to use as the basis of a new map, click the Clone button next to the map that you
want to clone.
To edit a map, click the Edit button in the summary. A form similar to that shown when adding a
map is displayed where you can edit the map.
To delete one or more maps, check the box in the Delete column for the map. Click Delete Maps to
delete the checked maps.
To add a new map or template, click the Add New Map or Add New Template button for the item
that you want to add.
Give the error page map a name in the Map Name field.
You can define two different sets of error codes, error phrases, and header templates that are to be
sent in response to HTTP requests that use HTTP versions 1.0 and 1.1. If you want to define an error
page that is to be sent in response to HTTP version 1.0 requests, check the HTTP Version 1.0 check
box and complete the fields on that line. To send this error page in response to HTTP version 1.1
requests, check the HTTP Version 1.1 check box and complete the fields on that line. To respond to
both versions of HTTP requests, check both check boxes. This error page is sent only if the HTTP
version setting matches the HTTP version of the request.
In the Error Code drop-down list, choose the error code that this error page should show to the
client. In the Error Phrase field, enter the phrase that should be used to describe this error. By
default, the Error Phrase field initially shows the standard error phrase that corresponds to the
selected error code, but you can change it.
In the Header Template drop-down list, select the name of the send page header template map that
you want to use for this error page. If no header templates are defined, only --Select-- is shown in
this list, and you must define a send page header template before you can define a send page map.
Go back to the summary page and use the Add New Template button to define a header template.
In the Include Date Header drop-down list, select Yes or No to include a date header or not in the
error page.
In the HTTP Body field, enter the HTML for the body of the error page.
In the Content Type drop-down list, select the MIME type of the page content: either text/plain or
text/html.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.
Give the redirect page map a name in the Map Name field.
You can define two different sets of error codes, error phrases, and header templates that are to be
sent in response to HTTP requests that use HTTP versions 1.0 and 1.1. If you want to define a
redirect page that is to be sent in response to HTTP version 1.0 requests, check the HTTP Version 1.0
check box and complete the fields on that line. To send this redirect page in response to HTTP
version 1.1 requests, check the HTTP Version 1.1 check box and complete the fields on that line. To
respond to both versions of HTTP requests, check both check boxes. This redirect page is sent only if
the HTTP version setting matches the HTTP version of the request.
In the Error Code drop-down list, choose the error code that this error page should show to the
client. In the Error Phrase field, enter the phrase that should be used to describe this error. By
default, the Error Phrase field initially shows the standard error phrase that corresponds to the
selected error code, but you can change it.
In the Header Template drop-down list, select the name of the redirect page header template map
that you want to use for this redirect page. If no header templates are defined, only --Select-- is
shown in this list, and you must define a redirect page header template before you can define a
redirect page map. Go back to the summary page and use the Add New Template button to define a
header template.
In the Location Header field, enter the absolute URI of the location to which the client should be
redirected.
In the Include Date Header drop-down list, select Yes or No to include a date header or not in the
redirect page.
In the HTTP Body field, enter the HTML for the body of the redirect page.
In the Content Type drop-down list, select the MIME type of the page content: either text/plain or
text/html.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.
Web Cloaking
Web cloaking makes it more difficult for hackers to discover identifying information about the web
server and application. Many security vulnerabilities are dependent on specific software versions
and hiding this information can increase the security of the system.
AVS focuses on the HTTP response headers and implements the following techniques for web server
cloaking:
• Changing the sequence of individual header fields in the response (web servers can be
fingerprinted based on the sequence of header fields in the response)
• Changing the case of header names (web servers can be fingerprinted based on the
capitalization of header names)
• Changing the value of a header based on its name and value
• Removing a header based on its name and value
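The four techniques above are simple header rewrites, and a fingerprinting tool keys on exactly the things they change. The following added example, which is not AVS code, applies a cloaking map to a parsed set of response headers: it removes headers whose name and value match, rewrites a value, normalises header-name capitalisation, and reorders the headers so that an Apache-style and an IIS-style response look alike. The `CLOAK_MAP` structure and the header values are this example's own assumptions.

```python
from __future__ import annotations
import re

# Added example, not AVS code. CLOAK_MAP is a constructed rule set, not AVS's syntax.
CLOAK_MAP = {
    "order": ["Date", "Content-Type", "Content-Length", "Connection"],
    "case": "title",                 # "title" or "lower": one convention for every response
    "remove": [("Server", r".*"), ("X-Powered-By", r".*"), ("X-AspNet-Version", r".*")],
    "rewrite": [("Via", r".*", "1.1 edge")],
}


def parse_response_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw response head into (name, value) pairs, skipping the status line."""
    out = []
    for line in raw.split("\r\n"):
        if not line or line.startswith("HTTP/"):
            continue
        k, _, v = line.partition(":")
        out.append((k.strip(), v.strip()))
    return out


def _recase(name: str, style: str) -> str:
    if style == "lower":
        return name.lower()
    # Title-Case each dash-separated part (note: this turns "ETag" into "Etag")
    return "-".join(p[:1].upper() + p[1:].lower() for p in name.split("-"))


def cloak(headers: list[tuple[str, str]], rules: dict = CLOAK_MAP) -> list[tuple[str, str]]:
    kept = []
    for name, value in headers:
        lname = name.lower()
        if any(lname == r.lower() and re.fullmatch(pat, value) for r, pat in rules["remove"]):
            continue                                   # remove by name and value
        for r, pat, new in rules["rewrite"]:
            if lname == r.lower() and re.fullmatch(pat, value):
                value = new                            # change value by name and value
        kept.append((_recase(name, rules["case"]), value))
    rank = {n.lower(): i for i, n in enumerate(rules["order"])}
    # list.sort is stable: unlisted headers keep their original relative order, after the listed ones
    kept.sort(key=lambda kv: rank.get(kv[0].lower(), len(rank)))
    return kept
```

Header cloaking only hides what the headers say; error-page bodies, the order of TLS extensions and TCP stack behaviour still fingerprint the platform, so treat it as one layer rather than as a replacement for patching.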
URL Tagging
The URL tagging feature lets you add information to request URLs that can be used by other
downstream devices such as load balancers or application servers. You can search for a string in the
URL and if there is a match you can either replace the complete URL with another URL or replace
only the matched string. Additionally, you can insert or remove parameter name/value pairs.
Use the URL Tagging command to display a page that summarizes the URL tagging maps that are
defined and to view, delete, clone, edit or add new maps. When you click the button to add a new
map, AVS displays the screen shown in the following figure.
When you are removing a parameter, regular expressions are allowed and there are no
character restrictions in the Parameter and Value fields.
• URL rewrite—By using the URL Rules area, you can search for a string in the URL and if there is a
match you can either replace the complete URL with another URL or replace only the matched
string with another string. Enter the string to search for in the Find field and enter the
replacement string or URL in the Replace field. From the Type drop-down list, choose either
Replace URL (to replace the whole URL with the URL entered in the Replace field) or Replace
matched string (to replace just the matched string in the URL with the string entered in the
Replace field). Click the Update URL Rule button to add the rule. Rewritten URLs are escape
encoded before being sent out.
Regular expressions are not allowed in the Find and Replace fields when you are replacing only the
matched string, and the following characters are rejected in those fields: ?*{}[]()^$,
When you are replacing a complete URL, regular expressions are allowed and there are no character
restrictions in the Find field.
For details on the regular expression syntax that is allowed.
To delete an existing parameter or URL rewriting rule, click the Delete check box on the same line as
the rule, and when you click Update Parameter Rule (to delete parameter rules) or Update URL
Rule (to delete URL rewrite rules), the rule will be deleted.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.
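The two rewrite types above behave differently enough to be worth seeing side by side: a matched-string rule is a literal substitution, a whole-URL rule is a regular-expression trigger that swaps the entire URL, and either result is escape-encoded on the way out. The following added example, which is not AVS code, implements both together with the parameter insert/remove operations; the function names, the set of rejected characters (taken from the list above) and the quoting rules are this example's own assumptions.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Added example, not AVS code. Characters the form rejects for matched-string rules.
FORBIDDEN = set("?*{}[]()^$,")


def rewrite_url(url: str, find: str, replace: str, mode: str = "matched") -> str:
    """mode='matched': literal substitution of the Find string by the Replace string.
    mode='url': Find is a regular expression; on a hit the whole URL becomes Replace.
    The result is escape-encoded before being sent on, as the form notes."""
    if mode == "matched":
        if FORBIDDEN & set(find + replace):
            raise ValueError("regex metacharacters are not allowed in Find/Replace here")
        new = url.replace(find, replace)
    elif mode == "url":
        new = replace if re.search(find, url) else url
    else:
        raise ValueError(f"unknown rewrite type: {mode}")
    return quote(new, safe="/:?&=%#@")      # keep existing %XX so nothing is double-encoded


def tag_parameters(url: str, insert=(), remove=()) -> str:
    """insert: (name, value) pairs appended to the query string.
    remove: (name_regex, value_regex) pairs; a parameter matching both is dropped."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params.extend(insert)
    params = [(k, v) for k, v in params
              if not any(re.fullmatch(nre, k) and re.fullmatch(vre, v) for nre, vre in remove)]
    return urlunsplit(parts._replace(query=urlencode(params)))
```

Stripping client-supplied debug or routing parameters (`debug=true`, a `pool=` hint meant for the load balancer) before the request leaves the appliance is the security use of the remove operation: downstream devices then only ever see parameters the appliance inserted itself.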
The following sections describe the HTTP Protocol Conformance menu commands:
1. IM Controls
2. P2P Controls
3. Tunnelling Policies
5. Transfer Encoding
1. IM Controls
The IM controls feature allows you to control incoming and outgoing instant messaging traffic by
logging or denying it.
Use the IM Controls command to display a page that summarizes the instant messaging maps that
are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.
Use this form to define criteria for identifying instant messaging traffic in either requests or
responses.
Give the instant messaging map a name in the Map Name field.
If you are creating a new map, only the New Criteria section of the form is shown. As each criterion
for identifying instant messaging traffic is added, it is listed in a criteria section at the top of the
form.
In the New Criteria section, click the Add check box to indicate that you are adding a new criterion.
Then in the Message Type drop-down list, choose the message type that you want to examine:
either Request or Response messages. In the Search Type drop-down list, choose the part of the
request or response that you want to examine, and in the next three fields (Name, Value, and Max
No of bytes to search), enter the criteria that must be matched to consider the traffic to be instant
messenger related. For each message type/search type pair, only certain criteria fields are used, and
these are described in Table below.
The Obfuscation Option check box is available in certain cases. Checking this box deobfuscates the
URL before performing regular expression matching with the specified criteria. Deobfuscation
decodes encoded URLs. For example, a URL might contain the string "%20", which is decoded to a
space character.
Table 9: Instant Messaging Criteria
2. P2P Controls
The P2P controls feature allows you to control incoming and outgoing peer-to-peer application
traffic by logging or denying it. Use the P2P Controls command to configure peer-to-peer application
control. This command works exactly like the IM Controls command.
3. Tunnelling Policies
The tunnelling policies feature allows you to control incoming and outgoing tunnelled application
traffic by logging or denying it. Use the Tunnelling Policies command to configure tunnelling
application control. This command works exactly like the IM Controls command.
5. Transfer Encoding
The transfer encoding feature allows you to control incoming and outgoing traffic that has a specific
Transfer-Encoding header by logging or denying it.
Use the Transfer Encoding command to display a page that summarizes the transfer encoding maps
that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.
Give the transfer encoding map a name in the Map Name field.
In the next part of the form, you can add criteria lines that describe one or more transfer encodings
of the traffic that you want to act on. First choose the type of transfer encoding in the Transfer
Encoding drop-down list. The following choices are available:
• Custom—an encoding other than those listed; enter the encoding type in the field below the list
• Identity—no transfer encoding used
• Gzip—gzip encoding
• Chunked—chunked encoding
• Deflate—deflate encoding
• Compress—compress encoding
In the Type drop-down list, choose whether you want to act on request or response traffic. In the
Action drop-down list, choose one of the following actions:
• None—Take no action
• Deny—Block the traffic
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error
pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define
such redirection pages by using the redirect page feature.
If you want to log the event, click the Log check box next to the Action drop-down list. Finally, check
the Add check box and click Update to add the criteria to this form and give you a new line on which
to enter another criterion. To delete one or more criteria lines, click the Delete check box on each
line that you want to delete and then click Update to delete all checked lines.
There is another Action drop-down list at the bottom of the form, labelled Action for Nonmatching
Traffic. This action applies to all traffic that has a transfer encoding that does not match any of the
criteria on this form. You can choose the same actions as on the other Action list. Also, you can click
the Log check box next to this drop-down list if you want to log such traffic. When you are finished
with this form, click Apply Changes at the top to save your changes, or click Discard Changes to
return to the summary page without saving your changes.
If you want to log the event, click the Log check box next to the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.
Give the URL black listing map a name in the Map Name field.
In the next part of the form, you can add regular expressions for URLs that you want to block traffic
to. In the URL field, enter a regular expression that is used to match part of a URL string in incoming
requests. The regular expression is matched against only the URL and not the query parameters. If
the regular expression matches any part of the URL, the match is considered successful.
Check the Obfuscation check box to deobfuscate the URL before performing regular expression
matching. Deobfuscation decodes encoded URLs. For example, a URL might contain the string "%20",
which is decoded to a space character.
Check the Add check box and click Update to add the URL to this form and give you a new line on
which to enter another URL. To delete one or more URL lines, click the Delete check box on each line
that you want to delete and then click Update to delete all checked lines.
After you have defined the URLs to black list, you can configure the action to apply when such traffic
is observed. In the first Action drop-down list, choose one of the following items:
• Match All—Every URL entry must match for the action to apply
• Match Any—The action applies as soon as any single URL entry matches
Check the Not check box to invert the result and act on traffic that does not meet the criteria. With
Not checked, the options are interpreted as follows:
• Match All—The action applies when at least one entry fails to match
• Match Any—The action applies only when none of the entries match
In the second drop-down list, choose one of the following actions:
• None—Take no action
• Deny—Block the traffic
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error
pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define
such redirection pages by using the redirect page feature.
If you want to log the event, click the Log check box next to the Action drop-down lists.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.
URL black listing can also be done directly in a policy map by defining the traffic to black list in a
traffic map, then setting a general policy to drop the connection when such traffic is encountered.
lines, click the Delete check box on each line that you want to delete and then click Update to delete
all checked lines.
After you have defined the HTTP methods to look for, you can configure the action to apply when
such traffic is observed. In the first Action drop-down list, choose one of the following items:
• Match All—Every listed method must match for the action to apply
• Match Any—The action applies as soon as any single listed method matches
Check the Not check box to invert the result and act on traffic that does not meet the criteria. With
Not checked, the options are interpreted as follows:
• Match All—The action applies when at least one entry fails to match
• Match Any—The action applies only when none of the entries match
In the second drop-down list, choose one of the following actions:
• None—Take no action
• Deny—Block the traffic
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box next to the Action drop-down lists.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.
Give the header integrity check map a name in the Map Name field.
In the next part of the form, you can configure actions to take when the following problems are
found in a header:
• Null Encoding—The Transfer-Encoding header is present but lists no encodings
• Non ASCII Characters—Non-ASCII characters are found in a header
• Illegal Content Length—The Content-Length header contains non-numeric characters
• Illegal Chunk Encoding—The chunked transfer encoding of the body is malformed
• Multiple Length Headers—More than one Content-Length header appears in the request
Requests with several Content-Length headers or a malformed chunked body are worth logging as
well as blocking: a front end and a back end that frame such a request differently are exactly what
HTTP request smuggling relies on.
For each listed header integrity problem, select one of the following actions from the Action drop-
down list:
• None—Take no action
• Reset server—Reset the server side of the connection
• Reset client—Reset the client side of the connection
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error
pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define
such redirection pages by using the redirect page feature.
If you want to log a problem, click the Log check box next to the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.
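The five header integrity checks above are framing checks, and framing is where an intermediary and an origin can disagree. The following added example, which is not AVS code, runs those five checks over a raw request and adds one more beyond the form's list, flagging Content-Length and Transfer-Encoding in the same request (RFC 7230 section 3.3.3 says such a message ought to be treated as an error); the check names and the sample requests are this example's own.

```python
from __future__ import annotations
import re

# Added example, not AVS code. Problem names are this example's own labels.
_HEX = re.compile(rb"[0-9a-fA-F]+")


def valid_chunked(body: bytes) -> bool:
    """Walk a chunked body: hex size line, data, CRLF, ... until the zero-size chunk."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return False                                   # truncated size line
        size_field = body[pos:end].split(b";", 1)[0].strip()   # drop chunk extensions
        if not _HEX.fullmatch(size_field):
            return False                                   # non-hex or empty size
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            # optional trailers must end with the final CRLF; trailer syntax not validated here
            return body[pos:].endswith(b"\r\n")
        if body[pos + size:pos + size + 2] != b"\r\n":
            return False                                   # chunk data not followed by CRLF
        pos += size + 2


def check_header_integrity(raw: bytes) -> list[str]:
    """Return the sorted list of header integrity problems found in a raw request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    problems: set[str] = set()
    content_lengths, transfer_encodings = [], []
    for line in head.split(b"\r\n")[1:]:                   # skip the request line
        if not line:
            continue
        if any(b > 0x7F for b in line):
            problems.add("non-ascii")
        name, _, value = line.partition(b":")
        name, value = name.strip().lower(), value.strip()
        if name == b"content-length":
            content_lengths.append(value)
            if not value.isdigit():
                problems.add("illegal-content-length")
        elif name == b"transfer-encoding":
            transfer_encodings.append(value)
            if not value:
                problems.add("null-encoding")
    if len(content_lengths) > 1:
        problems.add("multiple-length-headers")
    if any(b"chunked" in v.lower() for v in transfer_encodings) and not valid_chunked(body):
        problems.add("illegal-chunk-encoding")
    # Beyond the form's five checks: CL and TE together is the classic smuggling setup
    if content_lengths and transfer_encodings:
        problems.add("conflicting-framing")
    return sorted(problems)
```

Rejecting, rather than silently normalising, is the safe action for every one of these: a device that quietly picks one Content-Length and forwards the request has just made the framing decision for the origin, which may pick the other.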
• SQL Injection
• OS Command Injection
• LDAP Injection
All input validation checks use regular expression sets that have been defined with the Pattern
Definitions command.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern
Set drop-down list that lists regular expressions that you want to exclude from form input. The
regular expression patterns that are listed here are those that are defined in the Pattern
Definitions page where the type is Cross Site Scripting. If you see the message "No Pattern Set of
this type is defined," you must define at least one pattern map of the Cross Site Scripting type
before you can complete this form.
In the Parameter field enter the name of an exception parameter in which you want to allow
input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow
Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions
that you want to allow in the value of the exception parameter. Check the Add check box to the
right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as
many exception parameters as you want by repeating this procedure. Each parameter can have
its own associated regular expression that defines the values that are allowed. To delete a
parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and
click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern
Set is flagged for the action specified in the Action drop-down list. If an exception parameter
value contains a string that matches both the Pattern Set and Allow Pattern Set regular
expressions, then it is allowed rather than being flagged for action.
• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the
Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter
field. Check the Add check box to the right of the parameter name and click Update Parameters.
You can enter as many parameters as you want by repeating this procedure. To delete a
parameter, click the Delete check box to the right of the parameter name and click Update
Parameters. If any of the specified parameter values contain a string that matches one of the
regular expressions in the specified pattern set, the request is flagged for the action specified in
the Action drop-down list.
Check the Ignore Case check box if you do not need to match the case of a parameter specified in
the Parameter field. If you do need to match the case exactly, leave this check box unchecked.
In the Action drop-down list, choose the action to apply if a form input string that matches this map
is detected. Actions include these:
• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box below the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.
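The Scan All Parameters, exception-parameter and Scan Specific Parameters modes above (and the SQL Injection map that follows, which uses the same mechanism with a different pattern set) reduce to one evaluation rule: a parameter is flagged when its value matches the Pattern Set, unless it is an exception parameter whose value also matches its Allow Pattern Set. The following added example, which is not AVS code, implements that rule over a URL-encoded form body; the `XSS_PATTERNS` and `SQLI_PATTERNS` lists stand in for Pattern Definitions entries and, like the class and action names, are this example's own assumptions.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qsl

# Added example, not AVS code. Constructed pattern sets standing in for Pattern Definitions.
XSS_PATTERNS = [r"<\s*/?\w+", r"javascript\s*:", r"\bon\w+\s*="]
SQLI_PATTERNS = [r"'\s*or\s+['\d]", r"\bunion\s+select\b",
                 r";\s*(drop|delete|insert|update)\b", r"--\s*$"]


class InputValidationMap:
    def __init__(self, pattern_set, scan="all", parameters=(), allow=None,
                 ignore_case=True, action="drop"):
        self.patterns = [re.compile(p, re.IGNORECASE) for p in pattern_set]
        self.scan = scan                        # "all" or "specific"
        self.ignore_case = ignore_case          # applies to parameter names, as on the form
        self.parameters = {self._key(p) for p in parameters}
        # exception parameters: name -> Allow Pattern Set
        self.allow = {self._key(k): [re.compile(p, re.IGNORECASE) for p in v]
                      for k, v in (allow or {}).items()}
        self.action = action

    def _key(self, name: str) -> str:
        return name.lower() if self.ignore_case else name

    def evaluate(self, form_body: str) -> tuple[str, list[str]]:
        """Return (action, names of flagged parameters); action is 'none' when clean."""
        flagged = []
        for name, value in parse_qsl(form_body, keep_blank_values=True):
            key = self._key(name)
            if self.scan == "specific" and key not in self.parameters:
                continue                        # not one of the parameters to scan
            if not any(p.search(value) for p in self.patterns):
                continue                        # nothing in the Pattern Set matched
            if key in self.allow and any(p.search(value) for p in self.allow[key]):
                continue                        # exception parameter: allowed pattern wins
            flagged.append(name)
        return (self.action if flagged else "none"), flagged
```

An allow pattern should be anchored and describe the whole permitted value (the `^...$` in the test below), otherwise a payload only has to contain the allowed fragment somewhere to slip past the flag.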
SQL Injection
A SQL injection attack appends or modifies SQL commands in form input with the intention of
gathering information regarding the application and obtaining access to unauthorized data.
Use the SQL Injection command to display a page that summarizes the SQL injection maps that are
defined and to view, delete, clone, edit or add new maps. When you click the button to add a new
map, AVS displays the screen shown in the following figure.
Give the map a name in the Map Name field.
In the map, you can configure protection in three ways:
• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern
Set drop-down list that lists regular expressions that you want to exclude from form input. The
regular expression patterns that are listed here are those that are defined in the Pattern
Definitions page where the type is SQL Injection. If you see the message "No Pattern Set of this
type is defined," you must define at least one pattern map of the SQL Injection type before you
can complete this form. Any form input that contains a string that matches one of the regular
expressions in the specified pattern set is flagged for the action specified in the Action drop-
down list. Leave the Parameter field empty and make no selection from the Allow Pattern Set
drop-down list.
• Scan all of the form input data except for the values of one or more specific form parameters, in
which certain expressions are allowed.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern
Set drop-down list that lists regular expressions that you want to exclude from form input. The
regular expression patterns that are listed here are those that are defined in the Pattern
Definitions page where the type is SQL Injection. If you see the message "No Pattern Set of this
type is defined," you must define at least one pattern map of the SQL Injection type before you
can complete this form.
In the Parameter field enter the name of an exception parameter in which you want to allow
input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow
Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions
that you want to allow in the value of the exception parameter. Check the Add check box to the
right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as
many exception parameters as you want by repeating this procedure. Each parameter can have
its own associated regular expression that defines the values that are allowed. To delete a
parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and
click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern
Set is flagged for the action specified in the Action drop-down list. If an exception parameter
value contains a string that matches both the Pattern Set and Allow Pattern Set regular
expressions, then it is allowed rather than being flagged for action.
• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the
Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter
field. Check the Add check box to the right of the parameter name and click Update Parameters.
You can enter as many parameters as you want by repeating this procedure. To delete a
parameter, click the Delete check box to the right of the parameter name and click Update
Parameters. If any of the specified parameter values contain a string that matches one of the
regular expressions in the specified pattern set, the request is flagged for the action specified in
the Action drop-down list.
Check the Ignore Case check box if you do not need to match the case of a parameter specified in
the Parameter field. If you do need to match the case exactly, leave this check box unchecked.
In the Action drop-down list, choose the action to apply if a form input string that matches this map
is detected. Actions include these:
• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box below the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.
OS Command Injection
An OS command injection attack inserts OS commands into form input with the intention to gain
elevated privileges to access a web server.
Use the OS Command Injection command to display a page that summarizes the command injection
maps that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box below the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.
LDAP Injection
Lightweight Directory Access Protocol (LDAP) is widely used to query and manipulate X.500 directory
services. Web applications may use form input to create custom LDAP statements for dynamic web
page requests. An LDAP injection attack modifies an LDAP statement, letting the process run with
the same permissions as the component that executed the command, and can let the attacker
obtain unauthorized information from the database.
Use the LDAP Injection command to display a page that summarizes the LDAP injection maps that
are defined and to view, delete, clone, edit or add new maps. When you click the button to add a
new map, AVS displays the screen shown in the following figure.
type is defined," you must define at least one pattern map of the LDAP Injection type before you
can complete this form. Any form input that contains a string that matches one of the regular
expressions in the specified pattern set is flagged for the action specified in the Action drop-
down list. Leave the Parameter field empty and make no selection from the Allow Pattern Set
drop-down list.
• Scan all of the form input data except for the values of one or more specific form parameters, in
which certain expressions are allowed.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern
Set drop-down list that lists regular expressions that you want to exclude from form input. The
regular expression patterns that are listed here are those that are defined in the Pattern
Definitions page where the type is LDAP Injection. If you see the message "No Pattern Set of this
type is defined," you must define at least one pattern map of the LDAP Injection type before you
can complete this form.
In the Parameter field enter the name of an exception parameter in which you want to allow
input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow
Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions
that you want to allow in the value of the exception parameter. Check the Add check box to the
right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as
many exception parameters as you want by repeating this procedure. Each parameter can have
its own associated regular expression that defines the values that are allowed. To delete a
parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and
click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern
Set is flagged for the action specified in the Action drop-down list. If an exception parameter
value contains a string that matches both the Pattern Set and Allow Pattern Set regular
expressions, then it is allowed rather than being flagged for action.
• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the
Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter
field. Check the Add check box to the right of the parameter name and click Update Parameters.
You can enter as many parameters as you want by repeating this procedure. To delete a
parameter, click the Delete check box to the right of the parameter name and click Update
Parameters. If any of the specified parameter values contain a string that matches one of the
regular expressions in the specified pattern set, the request is flagged for the action specified in
the Action drop-down list.
Check the Ignore Case check box if you do not need to match the case of a parameter specified in
the Parameter field. If you do need to match the case exactly, leave this check box unchecked.
In the Action drop-down list, choose the action to apply if a form input string that matches this map
is detected. Actions include these:
• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box below the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern
Set drop-down list that lists regular expressions that you want to exclude from form input. The
regular expression patterns that are listed here are those that are defined in the Pattern
Definitions page where the type is Meta Character Detection. If you see the message "No
Pattern Set of this type is defined," you must define at least one pattern map of the Meta
Character Detection type before you can complete this form.
In the Parameter field enter the name of an exception parameter in which you want to allow
input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow
Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions
that you want to allow in the value of the exception parameter. Check the Add check box to the
right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as
many exception parameters as you want by repeating this procedure. Each parameter can have
its own associated regular expression that defines the values that are allowed. To delete a
parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and
click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern
Set is flagged for the action specified in the Action drop-down list. If an exception parameter
value contains a string that matches both the Pattern Set and Allow Pattern Set regular
expressions, then it is allowed rather than being flagged for action.
• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the
Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter
field. Check the Add check box to the right of the parameter name and click Update Parameters.
You can enter as many parameters as you want by repeating this procedure. To delete a
parameter, click the Delete check box to the right of the parameter name and click Update
Parameters. If any of the specified parameter values contain a string that matches one of the
regular expressions in the specified pattern set, the request is flagged for the action specified in
the Action drop-down list.
Check the Ignore Case check box if you do not need to match the case of a parameter specified in
the Parameter field. If you do need to match the case exactly, leave this check box unchecked.
In the Action drop-down list, choose the action to apply if a form input string that matches this map
is detected. Actions include these:
• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box below the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.
Use the Format String Attacks command to display a page that summarizes the format string attack
maps that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.
Check the Ignore Case check box if you do not need to match the case of a parameter specified in
the Parameter field exactly. If you do need to match the case exactly, leave this check box
unchecked.
In the Action drop-down list, choose the action to apply if a form input string that matches this map
is detected. Actions include these:
• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box that is below the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.
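The SQL Injection, LDAP Injection, Meta Character Detection and Format String sections above all describe the same map logic: a Pattern Set that flags input, an optional Allow Pattern Set for exception parameters, Scan All versus Scan Specific Parameters, and an Ignore Case check box that applies to the parameter name. The following Python model is an added example written for this handbook, not AVS code; the map names, pattern sets, parameter names and log line format are constructed assumptions, and Python's re module stands in for the appliance's regular expression engine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class InjectionMap:
    """Constructed model of one AVS-style input validation map (not the appliance's code)."""
    name: str
    scan_type: str                    # "Scan All Parameters" or "Scan Specific Parameters"
    pattern_set: List[str]            # Pattern Set: regular expressions that flag form input
    action: str                       # None / Reset server client / Drop / [SEND-PAGE] p / [REDIRECT-PAGE] p
    ignore_case: bool = False         # Ignore Case check box: applies to the parameter *name*
    log: bool = False                 # Log check box
    parameters: List[str] = field(default_factory=list)            # Scan Specific: names to scan
    allow_sets: Dict[str, List[str]] = field(default_factory=dict)  # Scan All: exception name -> Allow Pattern Set


@dataclass
class Verdict:
    matched: bool                     # True when some parameter value was flagged
    action: str = "None"              # the map's action when flagged
    parameter: str = ""
    pattern: str = ""
    logged: bool = False


def _name_matches(name: str, configured: str, ignore_case: bool) -> bool:
    """Compare a form parameter name with a name typed into the Parameter field."""
    return name.lower() == configured.lower() if ignore_case else name == configured


def _first_hit(value: str, patterns: List[str]) -> Optional[str]:
    """Return the first pattern in the set that matches anywhere in the value, or None."""
    for pattern in patterns:
        if re.search(pattern, value):
            return pattern
    return None


def evaluate(m: InjectionMap, form: Dict[str, str]) -> Verdict:
    """Apply one map to decoded form input; the first flagged parameter decides the outcome."""
    for pname, value in form.items():
        if m.scan_type == "Scan Specific Parameters":
            if not any(_name_matches(pname, c, m.ignore_case) for c in m.parameters):
                continue                          # not a listed parameter: not scanned at all
            hit = _first_hit(value, m.pattern_set)
        else:                                     # Scan All Parameters
            hit = _first_hit(value, m.pattern_set)
            if hit is not None:
                allow = [pats for c, pats in m.allow_sets.items()
                         if _name_matches(pname, c, m.ignore_case)]
                # Exception parameter: a value matching both the Pattern Set and the
                # Allow Pattern Set is allowed rather than flagged.
                if allow and _first_hit(value, allow[0]) is not None:
                    hit = None
        if hit is not None:
            return Verdict(True, m.action, pname, hit, m.log)
    return Verdict(False)


def log_line(m: InjectionMap, v: Verdict, client: str) -> str:
    """Constructed audit record for the Log check box; the format is illustrative only."""
    return f"map={m.name} client={client} param={v.parameter} pattern={v.pattern!r} action={v.action}"


# Constructed, deliberately small SQL injection Pattern Set using the metacharacters
# from the table that follows: ' , (a|b) grouping and alternation, [ ]+ repetition.
SQLI_PATTERNS = ["'", "(union|select)[ ]+", "--", ";"]
# Constructed Allow Pattern Set: plain text that may legitimately contain apostrophes.
TEXT_ALLOW = ["^[A-Za-z0-9 .,'!?-]+$"]

# Scan All Parameters, with "comment" as an exception parameter.
scan_all_map = InjectionMap("sqli-all", "Scan All Parameters", SQLI_PATTERNS,
                            "[SEND-PAGE] sqli_error", log=True,
                            allow_sets={"comment": TEXT_ALLOW})


def specific_map(ignore_case: bool) -> InjectionMap:
    """Scan Specific Parameters map that scans only the 'id' parameter."""
    return InjectionMap("sqli-id", "Scan Specific Parameters", SQLI_PATTERNS,
                        "Drop", ignore_case=ignore_case, parameters=["id"])


if __name__ == "__main__":
    # Constructed form submissions, one benign and two hostile.
    for form in ({"user": "alice", "comment": "it's O'Brien's"},
                 {"user": "alice", "comment": "' or 1=1 --"},
                 {"ID": "5; drop table t", "bio": "' or 1=1"}):
        v = evaluate(scan_all_map, form)
        print(form, "->", "flagged" if v.matched else "allowed", v.action)
        if v.matched and v.logged:
            print("  ", log_line(scan_all_map, v, "198.51.100.7"))
    # The Ignore Case check box decides whether "ID" matches the configured name "id".
    print("ID scanned with Ignore Case:", evaluate(specific_map(True), {"ID": "5; drop table t"}).matched)
    print("ID scanned without Ignore Case:", evaluate(specific_map(False), {"ID": "5; drop table t"}).matched)
```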
Metacharacter   Description
.               Matches any single character, except for the newline character (0x0A). For example, the regular expression r.t matches the strings rat, rut, and r t, but not root.
^               Matches the beginning of a line. For example, the regular expression ^When in matches the beginning of the string "When in the course of human events" but not the string "What and When in the".
*               Matches zero or more occurrences of the character immediately preceding. For example, the regular expression .* means match any number of any characters.
\               This is the quoting character; use it to treat the following metacharacter as an ordinary character. For example, \^ is used to match the caret character (^) rather than the beginning of a line. Similarly, the expression \. is used to match the period character rather than any single character.
[]              Matches any one of the characters between the brackets. For example, the regular expression r[aou]t matches rat, rot, and rut, but not ret.
[c1-c2]         Ranges of characters are specified by a beginning character (c1), a hyphen, and an ending character (c2). For example, the regular expression [0-9] means match any digit. Multiple ranges can be specified as well; the regular expression [A-Za-z] means match any upper or lower case letter.
[^c1-c2]        To match any character except those in the range (that is, the complement range), use the caret as the first character after the opening bracket. For example, the expression [^269A-Z] matches any character except 2, 6, 9, and uppercase letters.
()              Treat the expression between ( and ) as a group, limiting the scope of other metacharacters.
|               Logical OR of two conditions. For example, (him|her) matches the line "it belongs to him" and the line "it belongs to her" but does not match the line "it belongs to them."
+               Matches one or more occurrences of the character or regular expression immediately preceding. For example, the regular expression 9+ matches 9, 99, and 999.
?               Matches 0 or 1 occurrence of the character or regular expression immediately preceding.
{i}             Matches a specific number (i) of instances of the preceding character. For example, the expression A[0-9]{3} matches "A" followed by exactly 3 digits; that is, it matches A123 but not A1234.
{i,}            Matches a minimum number (i) of instances of the preceding character. For example, the expression [0-9]{4,} matches any sequence of 4 or more digits.
\r              Matches the carriage return character (0x0D).
\n              Matches the newline character (0x0A).
\t              Matches the tab character (0x09).
OWASP is a group of security communities that develops and maintains a free set of application
protection rules called the OWASP ModSecurity Core Rule Set (CRS). You can think of the CRS as an
enhanced core rule set that ModSecurity follows to prevent attacks on the server.
ModSecurity is a hybrid web application firewall engine that relies on the host web server for some
of the work. The only supported web server at the moment is Apache 2.x, but it is possible, in
principle, to integrate ModSecurity with any other web server that provides sufficient integration
APIs.
Parsing: ModSecurity tries to make sense of as much data as available. The supported data formats
are backed by security-conscious parsers that extract bits of data and store them for use in the rules.
Buffering: In a typical installation, both request and response bodies will be buffered. This means
that ModSecurity usually sees complete requests before they are passed to the application for
processing, and complete responses before they are sent to clients. Buffering is an important
feature, because it is the only way to provide reliable blocking. The downside of buffering is that it
requires additional RAM to store the request and response body data.
Logging: Full transaction logging (also referred to as audit logging) is a big part of what ModSecurity
does. This feature allows you to record complete HTTP traffic, instead of just rudimentary access log
information. Request headers, request body, response header, response body—all those bits will be
available to you. It is only with the ability to see what is happening that you will be able to stay in
control.
Rule engine: The rule engine builds on the work performed by all other components. By the time the
rule engine starts operating, the various bits and pieces of data it requires will all be prepared and
ready for inspection. At that point, the rules will take over to assess the transaction and take actions
as necessary.
To learn more about ModSecurity and its configuration, visit https://www.modsecurity.org, and see
https://www.feistyduck.com/library/modsecurity-handbook-free/online/ for installation and
configuration details.
Summary
The web application security feature enables the application appliance to act as an application
firewall and provide web application security and intrusion protection.
To configure web application security, follow these basic steps:
o Use the Traffic Class Maps command to define traffic class maps to classify web
application traffic according to various parameters such as hostname, URL, cookie name
and value, and so on. A traffic map specifies a set of traffic to which you want to apply a
security policy.
o Define web application security feature maps that configure security features. To define
feature maps, select the individual features (URL Normalization, Cookie Protection, ID
Theft Protection, Request Limits, Error/Redirect Pages, Web Cloaking, URL Tagging, Input
Validation Checks, HTTP Protocol Conformance) under the Web Application Security
folder.
o Use the Policy Maps command to define policy maps that associate a traffic class with a
set of security functions. A policy map defines a series of actions (functions) that you want
to apply to a set of classified traffic.
o Use the System Utilities Service Policy command to choose the active policy map.
o Use the System Utilities Commit Config command to commit the configuration.
o If you have a cluster of application appliance nodes, use the System Utilities Publish
Configuration command to publish the configuration to all nodes in the cluster.
Practical activities:
Activity 1:
List the various kinds of Web Application Security products in the market and the various
vendors for the same. Compare the features, benefits and limitations of the various kinds of Web
Application Security products offered. Share with your fellow students.
Activity 2:
Configure an IDS product or first job shadow someone who installs a Web Application Security
product. List down the various steps of the same, then configure it on your own.
UNIT IX
Patch Management
Lesson Plan
9.1 Patch Management Overview
9.2 The Patch Management Process
9.3 Windows Patch Management Tools
LESSON PLAN
KA8. Presentation of the customized templates by peer groups and validation of them by faculty
Lesson
Patch management is an area of systems management that involves acquiring, testing, and installing
multiple patches (code changes) to an administered computer system. Patch management tasks
include: maintaining current knowledge of available patches, deciding what patches are appropriate
for particular systems, ensuring that patches are installed properly, testing systems after installation,
and documenting all associated procedures, such as specific configurations required.
A number of products are available to automate patch management tasks, including RingMaster's
Automated Patch Management, PatchLink Update, and Gibraltar's Everguard.
Develop and automate a patch management process that includes each of the following:
Detect. Use tools to scan your systems for missing security patches. The detection should be
automated and will trigger the patch management process.
Assess. If necessary updates are not installed, determine the severity of the issue(s) addressed by
the patch and the mitigating factors that may influence your decision. By balancing the severity of
the issue and mitigating factors, you can determine if the vulnerabilities are a threat to your current
environment.
Acquire. If the vulnerability is not addressed by the security measures already in place, download
the patch for testing.
Test. Install the patch on a test system to verify the ramifications of the update against your
production configuration.
Deploy. Deploy the patch to production computers. Make sure your applications are not affected.
Employ your rollback or backup restore plan if needed.
Maintain. Subscribe to notifications that alert you to vulnerabilities as they are reported. Begin the
patch management process again.
To learn more about Patch Management, please visit the following
References:
https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/PatchManagementRecommendedPractice_Final.pdf
https://www.sans.org/reading-room/whitepapers/bestprac/practical-methodology-implementing-patch-management-process-1206
https://support.symantec.com/en_US/article.HOWTO3124.html
You can find that situation in environments where a branch office or division of a company is moved
or acquired. Suddenly, what worked before is not what works for the new parent. In this and almost
all other cases, the best approach is to pick one system and consolidate on it as aggressively as
possible.
Reporting tools
Microsoft's HFNETCHK tool
These tools scan local machines or computers on a network, audit whatever's in reach and then
produce detailed summaries or digests about what is installed where as well as what might need to
be installed or updated. They do the research and make recommendations, but they don't make any
actual changes.
These programs do the actual work of downloading and applying patches to local or remote
machines. In many cases, they are also reporting tools -- they audit computers to see what's
installed and what's needed, then download the needed updates and push them out according to an
administrator's directives.
If you use multiple auditing or reporting tools, one caveat is that if there are inconsistencies
between the depth or breadth of reporting provided by each tool, you should be aware of that
ahead of time so you're not thrown off. If you are using multiple patch management or deployment
tools, the problem isn't so much that one tool duplicates or undoes the work of another, but that
the administrator (or administrators) becomes confused by the presence of multiple tools to get the
same job done.
Additional features: Third-party patch management systems often have additional features that
aren't present in the standard Microsoft way of doing things. For instance, Service Pack Manager
2000 allows the administrator to create multiple arbitrary groups of computers to better govern who
gets what updates.
Automation: Some third-party applications have automated functions that are above and beyond
what's available by default, and they don't require scripting to be effective.
Additional coverage and information: Many of these tools have detailed reporting and research
functions -- for instance, the ability to automatically generate a summary of what's installed on a
given machine and relevant details from Microsoft Knowledge Base articles that apply to each fix.
Internal consistency: If you have one department that's using a third-party tool and another that's
using the standard Microsoft patch deployment methods, it can become confusing for people trying
to maintain standards across organizations -- and it might not be convenient or politically possible to
get everyone to use the same tools. In such a case it might be best to fall back on Microsoft
standards.
Retraining: When people come in from another company or department where no such third-party
tools are in use, you'll need to retrain them. If this happens often, it can be a drain on time and
energy.
Unneeded additional features: Not every organization needs the advanced features offered by third-
party products. Sometimes the defaults work just fine.
These are not the only reasons to use or not use third-party tools for patching. If you need more
convincing on either side of the topic, check out security expert Serdar Yegulalp's article on third-
party patch management tools.
Numara™ Patch Manager is the complete patch management solution that scans, updates and
downloads patches for Microsoft Operating Systems and applications across your entire network —
directly from your desktop.
PatchLink is a security patch and vulnerability management solution that combines vulnerability
assessment, patch management, network access control and reporting to help organizations address
the emerging security threats while minimizing costs and complexity.
UpdateEXPERT Premium
Summary
A patch, also called a service patch, is a fix to a program bug.
A patch is an actual piece of object code that is inserted into (patched into) an executable
program. Patches typically are available as downloads over the Internet.
Patch management is an area of systems management that involves acquiring, testing, and
installing multiple patches (code changes) to an administered computer system.
Patch management tasks include: maintaining current knowledge of available patches,
deciding what patches are appropriate for particular systems, ensuring that patches are
installed properly, testing systems after installation, and documenting all associated
procedures, such as specific configurations required.
A number of products are available to automate patch management tasks, including
RingMaster's Automated Patch Management, PatchLink Update, and Gibraltar's Everguard.
Patch management is a circular process and must be ongoing. The reality about software
vulnerabilities is that, after you apply a patch today, a new vulnerability must be addressed
tomorrow.
Developing and automating a patch management process will include each of the following:
o Detect. Use tools to scan your systems for missing security patches. The detection
should be automated and will trigger the patch management process.
o Assess. If necessary updates are not installed, determine the severity of the issue(s)
addressed by the patch and the mitigating factors that may influence your decision.
By balancing the severity of the issue and mitigating factors, you can determine if
the vulnerabilities are a threat to your current environment.
o Acquire. If the vulnerability is not addressed by the security measures already in
place, download the patch for testing.
o Test. Install the patch on a test system to verify the ramifications of the update
against your production configuration.
o Deploy. Deploy the patch to production computers. Make sure your applications are
not affected. Employ your rollback or backup restore plan if needed.
o Maintain. Subscribe to notifications that alert you to vulnerabilities as they are
reported. Begin the patch management process again.
Practical Activities:
Activity 1:
Learn how to download a patch from the internet. Work with an expert to download and apply
a patch.
Activity 2:
Browse the internet to research sources of patches and make a list of sites that announce
the latest patches available for various requirements.
Activity 3:
Collect information about various automated patch management tools from the internet
and their service providers and compare these products to understand their application,
features, benefits and limitations.
547
Student Handbook – Security Analyst SSC/N0903
Student Handbook – Security Analyst SSC/N0904/N0905
SSC/N0904: Contribute to information security audits
SSC/N0905: Support teams to prepare for and undergo information security audits
Description This unit is about carrying out specific audit tasks as part of information security
audits.
Scope This unit/task covers the following:
Appropriate people:
line manager
members of the security team
subject matter experts
Information security audits may cover:
Identity and Access Management (IdAM)
networks (wired and wireless)
devices
endpoints/edge devices
storage devices
servers
software
application hosting
application security
application support
application penetration
application testing
content management
messaging
web security
security of infrastructure
infrastructure devices (e.g. routers, firewall services)
computer assets, servers and storage networks
messaging
intrusion detection/prevention
security incident management
third party security management
personnel security requirements
physical security
risk assessment
business continuity
disaster recovery planning
Unit Title
Support teams to prepare for and undergo information security audits
(Task)
Description This unit is about supporting functional teams to prepare for and undergo information
security audits carried out by internal or external auditors.
PC1. establish the nature and scope of information security audits and your role
and responsibilities in preparing for them
PC2. identify the procedures/guidelines/checklists that will be used for
information security audits
PC3. identify the requirements of information security audits and prepare for
audits in advance
PC4. liaise with appropriate people to gather data/information required for
information security audits
Knowledge KB1. different information systems that may require audit tasks:
servers and storage devices
infrastructure, assets and networks
application hosting, testing, penetration and support
content management
communication routes such as messaging
physical security
THE UNITS
The module for this NOS is divided into 8 Units based on the learning objectives given below.
UNIT I: Information Security Audit
1.1. Information Systems Audit versus Information Security Audit
1.2. What is an Information Security Audit?
1.3. Scope of the Audit
1.4. What makes a good security audit?
1.5. Constraints of a security audit
UNIT II: Security Audits Features
2.1. Types of Security Audits
2.2. Phases of Information Security Audit
2.3. Information Security Audit Methodology
2.4. Security Testing Frameworks
2.5. Audit Process and Audit Security Practices
2.6. Testing Security Technology and Templates
UNIT III: Information Security Auditor
3.1 Role of an Auditor
3.2 Hiring an Information Security Auditor
3.3 Required Skills Sets of an Information Security Auditor
3.4 Ethics of an Information Security Auditor
3.5 What Makes an Information Security Auditor
UNIT IV: Vulnerability Analysis
4.1. What Is Vulnerability Assessment?
4.2. Vulnerability Classification
4.3. Types of Vulnerability Assessment
4.4. How to Conduct a Vulnerability Assessment
4.5. Vulnerability Analysis Tools
UNIT V: Penetration Testing
5.1. About penetration testing
5.2. Penetration testing stages
UNIT VI: Information Security Audit Tasks
6.1 Pre-audit tasks
6.2 Information Gathering
6.3 External Security Audit
6.4 Internal Network Security Auditing
6.5 Firewall Security Auditing
6.6 IDS Security Auditing
UNIT VII: Audit Reports and Actions
UNIT I
Information Security Audit
LESSON PLAN
Lesson
An information security audit is one of the best ways to determine the security of an organization's
information without incurring the cost and other associated damages of a security incident.
Security audits are a formal process, carried out by certified auditing professionals to measure
an information system's performance against a list of criteria.
A vulnerability assessment, by contrast, is a comprehensive study of an entire information
system that seeks out potential security weaknesses; it is usually carried out by industry experts
who may or may not be certified, whereas an audit measures the system against a defined list of criteria.
Computer security auditors work with the full knowledge and support of the organization, in order
to carry out the audit. This usually includes receiving documentation and access by the organization
representative. A security analyst may be assigned to support and facilitate the audit.
Computer security auditors perform their work through personal interviews, reviewing policies,
vulnerability scans, examination of operating system settings, analysis of network shares, and
historical data and logs.
e. Time available
The duration of the cross-cutting audit depends on the size as well as the complexity of the
organization. The size of the organization is determined by the number of employees and locations.
There are a number of key questions that security audits attempt to answer which include but
are not limited to:
• What does the system landscape look like (number of systems and level of heterogeneity
of the systems used)?
• How many network gateways are there?
• Which and how many IT applications are used in the organization? Are they used to
support critical business processes?
• Are higher-level procedures used that may affect realms outside of the organization?
• How high is the protection requirement for the infrastructure, systems, and IT
applications?
• Is the organization active in areas critical to security (for example, is it a security agency)?
The Information Systems Audit and Control Association (ISACA) has developed and published its
IS Auditing Standards, which are already in circulation and can be consulted for further information.
A good security audit is part of a regular and comprehensive framework of information security.
The audit team is experienced, independent and objective. Every audit team should consist of
at least two auditors to guarantee the independence and objectivity of the audit (the "two-person
rule"). Their credentials should be verifiable.
Important IS audit meetings such as the opening and the closing meetings, as well as the
interviews, should be conducted as a team. This procedure ensures objectivity,
thoroughness, and impartiality.
No member of the audit team, for reasons of independence and objectivity, should have
participated directly in supporting or managing the areas to be audited; for example, they must not
have been involved in the development of concepts or the configuration of the IT systems.
It should be ensured, when initiating the audit, that actual operations in the organization are not
significantly disrupted by it. The auditors never actively intervene in systems, and therefore
should not provide any instructions for making changes to the objects being audited.
Management is responsible for supporting the conduct of a fair and comprehensive audit.
Functions in an Audit
All audits have common functions that must be performed if they are to be successful. These usually
include:
Determine how intensive the audit is going to be. Are all facets of the organization to be
examined, or is this to be a common 'security' audit based on the IT infrastructure?
Detail how intrusive the audit is. It is important to avoid adversely impacting the production
environment during the audit process; whether this is by equipment downtime or personnel
being taken away from their primary duties to participate in the audit.
Does the corporation have existing methodologies to actively mitigate risk on an ongoing
basis?
Assemble a detailed list of the components within the security perimeter. While this is not
an exhaustive list, these devices often include:
o Computing equipment (mainframes, servers, desktops, laptops, terminals).
o Networking equipment (firewalls, routers, switches, hubs, and UPS devices).
o Communications equipment (PBX, phones, cell/smart phones, PDAs, fax machines).
o Input / Output devices (printers, copiers, scanners, cameras, web-cams, tablets).
o Data storage (databases: sales, customer, employee, other; email, voicemail, files on
server, files in cabinets, customer and employee information, log files).
o Common security items (passwords, access scanners / cards and ID cards, physical
security, data diagrams, daily schedules and employee activity charts).
o Internet exposure (company websites: internet and intranet, collaborative sites,
outbound access availability and restrictions, open ports and other visible devices).
Generate a list of threat vectors based on the scope of the audit. i.e.: if physical security is
beyond the scope of the audit you won’t have to check to see if the server room is locked.
Examine each type of device on the components list for known vulnerabilities.
D. Delineate the available tools – what documents and tools are in use or need to be created?
Assemble the various documents and diagrams of the systems under audit.
Gather the tools already in use to mitigate risk
o Determine if the existing tools are functional.
o Determine if new tools are needed.
E. Reporting mechanism – how will you show progress and achieve validation in all areas?
Determine what threats existed in the past and determine if those have been mitigated.
Interview members of the institution to determine if any known threats exist.
G. Determine Network Access Control list – who really needs access to this?
Develop a matrix of all personnel that need access to each device on the component chart.
Develop a matrix of all devices that need access to other devices on the component chart.
Each device on the component list should have a minimal set of entry points.
How much privilege is required for each person or system to perform their functions?
Given the list of possible threats, what are the possibilities a given threat will materialize.
If a threat were to materialize, how great would its impact be?
Establish the greatest pain points for the company. Determine if the approach is to work on
the big stuff first, or get all of the minor issues out of the way before making any major
changes.
I. Delineate mitigation plan – what are the exact steps required to minimize the threats?
Generate a detailed project plan to reach the goal. Include tasking, timelines, costs,
reporting methods, checkpoints – all the components of a successful project plan are
necessary.
Ensure that the organization is in agreement with the plan to mitigate risks.
Begin the mitigation process, using the priority decided upon by the stakeholders.
K. Review results – perform an After Action Review (AAR) on the audit process
Risks that are extremely unlikely to happen but that have the potential to cause catastrophic damage
are called 'Black Swans'. These risks are often not cost effective to address, so a formal acceptance
of these risks by management may be the only strategy available. Every audit needs to have
management's participation to be completely successful.
Summary
An information security audit is one of the best ways to determine the security of an
organization's information without incurring the cost and other associated damages of a
security incident.
Information systems audit is a large, broad term that encompasses demarcation of
responsibilities, server and equipment management, problem and incident management,
network division, safety, security and privacy assurance etc.
Information security audit is only focused on security of data and information (electronic and
print) when it is in the process of storage and transmission. Both audits have many
overlapping areas.
Security audits are a formal process, carried out by certified auditing professionals to measure
an information system's performance against a list of criteria.
A vulnerability assessment, on the other hand, involves a comprehensive study of an entire
information system, seeking potential security weaknesses, usually carried out by industry
experts who may or may not be certified.
A good security audit is likely to include the following:
o Clearly defined objectives
o Coverage is comprehensive and cross-cutting
o Audit team is experienced, independent and objective with verifiable credentials
o There is unrestricted right to obtain and view information.
o Important IS audit meetings such as the opening and the closing meetings as well as
the interviews should be conducted as a team.
o No member of the team should have participated directly in supporting or managing
the areas to be audited
o It should be ensured that actual operations in the organization are not significantly
disrupted by the audit.
o The auditors never actively intervene in systems or provide change advice.
o Management should support the audit.
o Appropriate communication and appointment of central point of contact and other
support for the auditors.
o The execution is planned and carried out in a phase wise manner
Constraints of a security audit
o Time constraints
o Third party access constraints
o Business operations continuity constraints
o Scope of audit engagement
o Technology tools constraints
Practical activities:
Activity 1:
List the various vulnerabilities in any organisation and various activities to check those
vulnerabilities.
Activity 2:
Conduct an audit of your surroundings, of things such as cleanliness, safety and security,
hygiene, etc. Share your report in class, detailing the approach and the various aspects of
auditing.
a. Previous security incidents are not important in a security audit; the auditors are only
concerned about what the situation is at the present time of the audit. ( )
b. Information Security Audit is carried out by an audit team which usually has a representative
from the team which has been involved in the development of the IT configuration to be
audited. ( )
c. A key purpose of the Audit team is to correct and modify practices followed in the
organization while conducting the audit so as to make the system less vulnerable. ( )
d. AAR is another term used for the audit; it stands for After Attack Responsibility. ( )
e. IS Auditing Standards developed by the Information Systems Audit and Control Association
(ISACA) are already in circulation. ( )
UNIT II
Security Audit Features
Lesson Plan
2.1. Planning Work and Work environment
2.2. Types of Security Audits
2.3. Phases of Information Security Audit
2.4. Information Security Audit Methodology
2.5. Security Testing Frameworks
2.6. Audit Process and Audit Security Practices
2.7. Testing Security Technology and Templates
LESSON PLAN

Work environment / lab requirement (applies to every row below):
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Access to all security sites like ISO, PCI DSS, Centre for Internet Security
Security templates from ITIL, ISO

Outcomes: To be competent, you must be able to:
PC2. identify the procedures/guidelines/checklists for the audit tasks you are required to carry out (0904/0905)
PC5. organize data/information required for information security audits using standard templates and tools (0905)
Performance ensuring measures:
1. Identify and access sources for standard checklists, guidelines and templates for carrying out different types of audits

Outcomes: You need to know and understand:
KA4./KA9. different types of information/security audits (0904/0905)
KA10. different approaches and ways of working for internal and external information security audits (0905)
KB5. common audit techniques and how to record and report audit tasks (0904)
Performance ensuring measures:
1. Research and list the various types of security audits, their purpose and requirements
2. Research and list the process for using and carrying out various audit techniques

Outcomes: You need to know and understand:
KA11. the range of standard tools, templates and checklists available and how to use these (0904)
KB6. methods and techniques for testing compliance against your organization's security criteria, legal and regulatory requirements (0904)
Performance ensuring measures:
1. Go through security standards and benchmarks like ISO 27001, PCI DSS and Centre for Internet Security, and understand the implications of not maintaining such standards
2. Collate and compare audit templates from various sources and discuss the requirements, advantages and disadvantages of each
3. Go through the latest threats and breaches in cyberspace to understand the implications of non-compliance with security standards
Lesson
External audits are commonly conducted by independent, certified parties in an objective manner.
They are scoped in advance and are limited to identifying and reporting any implementation and
control gaps against stated policies and standards such as COBIT (Control Objectives for
Information and related Technology). The objective is to lead the client to a source of
accepted principles, sometimes correlated with current best practices.
Internal audits are usually conducted by experts linked to the organization, and involve a
feedback process in which the auditor may not only audit the system but also provide
advice in a limited fashion. They differ from external audits in allowing the auditor to discuss
mitigation strategies with the owner of the system being audited.
There is a large variety of audit types based on the standards followed. Some examples include SSAE 16
audits (Type I or II), audits against ISO 9001, ISO/IEC 17799 (since renumbered as ISO/IEC 27002),
ISO/IEC 27001 and the ISO/IEC 27018 cloud security standard, and audits of industry-specific
standards such as HIPAA controls.
Within the broad scope of auditing information security there are multiple types of audits, multiple
objectives for different audits, etc. Audits can be broken down into a number of types, from the
simple analysis of security architecture based on opinion, to a full-blown, end-to-end audit against a
security framework such as ISO27001. Auditing information security covers topics from auditing the
physical security of data centres to auditing the logical security of databases and highlights key
components to look for and different methods for auditing these areas. When centred on the IT
aspects of information security, it can be seen as a part of an information technology audit. It is
often then referred to as an information technology security audit or a computer security audit.
However, information security encompasses much more than IT.
Security Review
A security review is when the security posture of an organization is examined based on
professional experience and opinion. In this type of examination, issues that stand out are
sought as a way to help define the starting point for further activities. Running a vulnerability
scanner such as Nessus would fall under this category: the tool generates a list of potential
security issues, but the data must be analysed further to determine what needs to be acted
on. This is the most basic form of security analysis and the primary output is in the form of an
opinion. Examples include: penetration test, vulnerability scan, architecture review, policy
review, compliance review, risk analysis.
Security Assessment
Security assessments utilize professional opinion and expertise, but they also analyse the
output for relevancy and criticality to the organization. The analysis aspect of an
assessment attempts to quantify the risk associated with the items discovered to
determine the extent of the problem. If an organisation has two servers with the same
vulnerability, but one is the financial server and the other operates as a print server, a
security assessment would rank the financial server as a high risk and the print server as a
lower risk based on the severity and damage potential. The biggest differentiator between
an assessment and a review is the depth to which the auditor examines the system and
analyses the results. Examples include: vulnerability assessment, risk assessment,
architecture assessment, policy assessment.
Security Audit
A security audit examines the organization's security posture against an industry standard
(ISO 27001 or COBIT) and/or industry regulatory compliance such as HIPAA or PCI DSS. An audit
includes review and assessment; it also conducts a gap analysis against standards to measure
how well the organization complies. Audits take into account people, processes, and
technologies, and compare them to a benchmark in a standardized and repeatable way.
Examples include: compliance audit, policy audit, procedure audit, risk audit.
Some of the specific audits that can be included in the above categories are:
• Penetration Test
• Vulnerability Audit
• Web Application Security Audit
• Mobile Application Security Audit
• Audit Overall Concept
• IT-Risk Analyses
• Audit Access Control / Social Engineering
• Architecture, Design and Code Review
• Wireless Systems Audit
• Embedded Systems Audit
• Information Protection Audit
• Roles and Rights Audit
• Endpoint Audit (clients)
• Digital Guard Service
• Configuration Audit (firewalls, servers, etc.)
Audits need to be planned and have a certain methodology to cover the total material risks of an
organization. A planned methodology is also important as this clarifies the way forward to all in the
organization and the audit teams. Which methodology and technique is used is less important than
having all the participants within the audit approach the subject in the same manner.
Audit methodologies
There are two primary methods by which audits are performed. Start with the overall view of the
corporate structure and drill down to the minutiae; or begin with a discovery process that builds up
a view of the organization.
Audit methods may also be classified according to type of activity. These include three types
a. Testing – Pen tests and other testing methodologies are used to explore
vulnerabilities. In other words, exercising one or more assessment objects to
compare actual and expected behaviors.
b. Examination and Review – This include reviewing policies, processes, logs, other
documents, practices, briefings, situation handling, etc. In other words, checking,
inspecting, reviewing, observing, studying, or analyzing assessment objects
c. Interviews and Discussion – This involves group discussions, individual interviews,
etc.
The three methods combine together to form an effective methodology for an overall audit.
Auditing techniques:
Organizations use a combination of these techniques to ensure effectiveness and meeting the
objectives of the audit.
All of these frameworks provide a detailed, process-oriented manner in which to conduct a security
test, and each has its particular strengths and weaknesses. Most auditors and penetration testers
use these frameworks as a starting point to create their own testing process, and they find a lot of
value in referencing them.
OSSTMM
OSSTMM manual highlights the systems approach to security testing by dividing assessment areas
into six interconnected modules:
ISSAF
The ISSAF is one of the largest freely available assessment methodologies. Each control test has
detailed instructions for operating testing tools and what results to look for. It is split into two
primary documents: one is focused on the business aspect of security, and the other is designed as a
penetration test framework. The level of detail on services, security tools to use, and
potential exploits is high and can help both an experienced security auditor and someone getting
started in auditing.
NIST 800-115
The NIST 800-115, Technical Guide to Information Security Testing, provides guidance and a
methodology for reviewing security that is required for the U.S. government's various departments
to follow. Like all NIST-created documents, 800-115 is free for use in the private sector. It includes
templates, techniques, and tools that can be used for assessing many types of systems and
scenarios. It is not as detailed as the ISSAF or OSSTMM, but it does provide a repeatable process for
the conduction of security reviews. The document includes guidance on the following:
OWASP
The OWASP testing guide was created to assist web developers and security practitioners to better
secure web applications. A proliferation of poorly written and executed web applications has
resulted in numerous, easily exploitable vulnerabilities that put the Internet community at risk to
malware, identity theft, and other attacks. The OWASP testing guide has become the standard for
web application testing and has helped increase the awareness of security issues in web applications
through testing and better coding practices.
Information gathering
Configuration management
Authentication testing
Session management
Authorization testing
Business logic testing
Data validation testing
Denial of service testing
Web services testing
AJAX testing
The OWASP project also has a subproject called WebGoat, a deliberately vulnerable web application
that can be run in a controlled environment to practise these techniques against a live system.
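Two checks a tester performs under the "Session management" item above, as an added example. This is illustrative code written for this section, not part of the OWASP testing guide or WebGoat: the two Set-Cookie header values, the sample session ids, the minimum id length and the entropy threshold are all constructed assumptions for the demonstration.

```python
"""Added example: basic session-management checks on cookie attributes and id randomness.
Sample headers, ids and thresholds are constructed for illustration only."""
import hashlib
import math
from collections import Counter

REQUIRED_ATTRS = {"secure", "httponly"}   # attributes a session cookie must carry
MIN_ID_LENGTH = 16                        # assumed minimum length for this example
MIN_ENTROPY_BITS = 3.5                    # assumed floor (bits per character) for hex-style ids


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value or None})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or None   # flag attributes have no value
    return name.strip(), value.strip(), attrs


def check_session_cookie(header_value):
    """Return findings for a session cookie's attributes; an empty list means it passed."""
    name, value, attrs = parse_set_cookie(header_value)
    findings = []
    for attr in sorted(REQUIRED_ATTRS - set(attrs)):
        findings.append(f"{name}: missing {attr} attribute")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not set to Lax or Strict")
    if len(value) < MIN_ID_LENGTH:
        findings.append(f"{name}: session id shorter than {MIN_ID_LENGTH} characters")
    return findings


def entropy_bits_per_char(tokens):
    """Shannon entropy of the character distribution across all sampled tokens.
    A crude screen: sequential or templated ids score low, random hex ids score near 4 bits."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def check_session_ids(tokens):
    """Return a finding if the sampled ids look predictable, else an empty list."""
    bits = entropy_bits_per_char(tokens)
    if bits < MIN_ENTROPY_BITS:
        return [f"session ids look predictable ({bits:.2f} bits/char)"]
    return []


# Constructed samples: a weak cookie, a hardened cookie, and two sets of session ids.
WEAK_COOKIE = "JSESSIONID=ABC123; Path=/"
GOOD_COOKIE = "sid=4c1d9f3e7a2b8c6d5e0f1a2b3c4d5e6f; Path=/; Secure; HttpOnly; SameSite=Strict"
WEAK_IDS = ["user1001", "user1002", "user1003", "user1004"]
# Deterministic stand-in for random ids; a real application should use a CSPRNG (secrets.token_hex)
GOOD_IDS = [hashlib.sha256(f"sample-{i}".encode()).hexdigest() for i in range(8)]

if __name__ == "__main__":
    for cookie in (WEAK_COOKIE, GOOD_COOKIE):
        print(cookie.split(";")[0], "->", check_session_cookie(cookie) or "OK")
    for ids in (WEAK_IDS, GOOD_IDS):
        print(check_session_ids(ids) or "ids look random")
```

The entropy screen only catches grossly predictable identifiers; a tester would still collect a larger sample and look at how ids change between logins, whether they are rotated after authentication, and how long a session survives logout.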
Whatever the approach is to testing security controls, it must be ensured that it is consistent,
repeatable, and based on best practices.
Security controls are selected and implemented because of security policies or security
requirements mandated by law.
Security is a service provided by IT to the business, so measuring it as such enables you to see many
of the connections to the various functions of the business. There are standards, laws, and
benchmarks that you can use as your baseline to compare against.
Normally, you include content from multiple areas, as businesses may have more than one
regulation with which they must comply. It is easiest to start with the organization’s policies and
build your security auditing plan from there. Some criteria you can use to compare the service of
security against are:
Evaluation against the organization’s own security policy and security baselines
Regulatory/industry compliance—Health Insurance Portability and Accountability Act
(HIPAA), Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), and Payment Card
Industry (PCI)
Evaluation against standards such as NIST 800 or ISO 27002
Governance frameworks such as COBIT or COSO
After you have identified the security audit criteria that the organization needs to comply with, the
next phase is to perform assessments to determine how well they achieve their goals. A number of
assessments are usually required; to decide which are appropriate, refer back to the scope,
which defines the boundaries of the audit. The following are types of assessments that might be
performed to test security controls:
This section covered evaluation techniques for auditing security practices within an organization.
Many of the security practices used to protect a company are process- and policy-focused. They
represent the primary drivers for technology purchases and deployment. Technology can automate
many of these processes and policies and needs a different approach to testing effectiveness. The
remainder of this chapter covers tools that can be used to test security technologies.
There are generally two distinct levels of security testing commonly performed today:
Vulnerability assessment:
Penetration test:
The penetration test is intended to assess the prevention, detection, and correction controls of a
network by attempting to exploit vulnerabilities and gain control of systems and services.
Penetration testers (also known as PenTesters) scan for vulnerabilities as part of the process just
like a vulnerability assessment, but the primary difference between the two is that a PenTester
also attempts to exploit those vulnerabilities as a method of validating that there is an exploitable
weakness. Successfully taking over a system does not show all possible vectors of entry into the
network, but can identify where key controls fail. If someone is able to exploit a device without
triggering any alarms, then detective controls need to be strengthened so that the organization
can better monitor for anomalies.
Security control testing is an art form in addition to a technical security discipline. It takes a certain
type of individual and mind-set to figure out new vulnerabilities and exploits. Penetration testers
usually fit this mould, and they must constantly research new attack techniques and tools. Auditors,
on the other hand, might not test to that degree and will more than likely work with a penetration
tester or team if a significant level of detailed knowledge is required for the audit.
When performing these types of engagements, four classes of penetration tests can be conducted
and are differentiated by how much prior knowledge the penetration tester has about the system.
The four types are:
Gray-box
■ Red Team/Blue Team assessment: The terms Red and Blue Team come from the military where
combat teams are tested to determine operational readiness. In the computer world, a Red and Blue
Team assessment is like a war game, where the organization being tested is put to the test in as real
a scenario as possible. Red Team assessments are intended to show all of the various methods an
attacker can use to gain entry. It is the most comprehensive of all security tests. This assessment
method tests policy and procedures, detection, incident handling, physical security, security
awareness, and other areas that can be exploited. Every vector of attack is fair game in this type of
assessment. This is used to simulate attacks and test the ability to develop defences against these
attacks. The Red team is designated as the attacker and the Blue team as the builder of the defence
mechanisms.
The two teams sharpen an organization’s detection and response capability. They do this by sharing
intelligence data, understanding threat actors' TTPs, mimicking those TTPs through a series of
scenarios, and configuring, tuning and improving the detection and response capability.
Penetration tests as part of auditing can be conducted in several ways. The most common difference
is the amount of knowledge of the implementation details of the system being tested that is
available to the testers.
Black box testing: This assumes no prior knowledge of the infrastructure to be tested. The testers
must first determine the location and extent of the systems before commencing their analysis.
White box testing: This provides the testers with complete knowledge of the infrastructure to be
tested, often including network diagrams, source code, and IP addressing information.
Grey box testing: These are the variations in between the white and the black box, where the
testers have partial information.
Penetration tests can also be described as "full disclosure" (white box), "partial disclosure"
(grey box), or "blind" (black box) tests based on the amount of information provided to the
testing party.
Black box testing simulates an attack from someone who is unfamiliar with the system.
White box testing simulates what might happen during an "inside job" or after a "leak" of sensitive
information, where the attacker has access to source code, network layouts, and possibly even some
passwords.
White box techniques involve direct analysis of the application’s source code, and black box
techniques are performed against the application’s binary executable without source code
knowledge.
Most assessments of custom applications are performed with white box techniques, since source
code is usually available—however, these techniques cannot detect security defects in interfaces
between components, nor can they identify security problems caused during compilation, linking, or
installation-time configuration of the application.
White box techniques still tend to be more efficient and cost-effective for finding security defects in
custom applications than black box techniques.
Black box techniques should be used primarily to assess the security of individual high-risk compiled
components; interactions between components; and interactions between the entire application or
application system with its users, other systems, and the external environment. Black box
techniques should also be used to determine how effectively an application or application system
can handle threats.
Auditors should have a base knowledge of testing tools and techniques. Using testing frameworks is
a useful way to develop a technical testing plan.
Summary
Broadly, there are two types of Audit, internal and external.
External audits are commonly conducted by independent, certified parties in an objective
manner.
Internal audits are usually conducted by experts linked to the organization, and they involve a
feedback process where the auditor may not only audit the system but also potentially provide
advice in a limited fashion. They differ from the external audit in allowing the auditor to discuss
mitigation strategies with the owner of the system that is being audited.
Within the broad scope of auditing information security there are multiple types of audits,
multiple objectives for different audits, etc. Audits can be broken down into a number of types,
from the simple analysis of security architecture based on opinion, to a full-blown, end-to-end
audit against a security framework such as ISO27001.
A security review is when the security posture of an organization is examined based on
professional experience and opinion. In this type of examination, issues that stand out are
sought as a way to help define the starting point for further activities.
Security assessments utilize professional opinion and expertise, but they also analyse the output
for relevancy and criticality to the organization. The analysis aspect of an assessment attempts
to quantify the risk associated with the items discovered to determine the extent of the
problem.
A security audit examines the organization’s security posture against an industry standard
(ISO27001 or COBIT) and/or industry regulatory compliance such as HIPAA or PCI. An audit
includes review and assessment; it also conducts a gap analysis against standards to measure
how well the organization complies.
Auditing techniques include:
o Documentation review
o Log review
o Ruleset and system configuration review
o Network sniffing
o File integrity checking
Four of the most common standard frameworks are as follows:
Open Source Security Testing Methodology Manual (OSSTMM)
Information Systems Security Assessment Framework (ISSAF)
NIST 800-115
Open Web Application Security Project (OWASP)
Red Teaming is a process designed to detect network and system vulnerabilities and test security
by taking an attacker-like approach to system/network/data access. This process is also called
"ethical hacking" since its ultimate purpose is to enhance security. Red Teams are third-party
entities hired to make an impartial assessment of the network or system.
The Blue team’s responsibility is to detect, respond to and mitigate the attacks of the
offensive Red team. Blue teams need access to log data, SIEM data, threat intelligence data and
network traffic capture data. The Blue team needs to be able to analyze vast swathes of data
to detect the vulnerability that was attacked.
Black box testing: This assumes no prior knowledge of the infrastructure to be tested. The
testers must first determine the location and extent of the systems before commencing their
analysis.
White box testing: This provides the testers with complete knowledge of the infrastructure to be
tested, often including network diagrams, source code, and IP addressing information.
Grey box testing: These are the several variations in between the white and the black box, where
the testers have partial information.
Practical activities:
Activity 1:
Search various Information Security Service Audit Organizations on the internet and prepare
a list of services they offer and the process or methodology followed. Present the same in
class.
Activity 2:
Go through various organizations’ websites and understand the various security policies and
guidelines. Prepare a descriptive write-up on the subject.
Activity 3:
Go through various security benchmarks, research and learn to conduct security audits and
the creation of reports and audit templates. Present in a group the audit approach.
Activity 4:
Go through security benchmarks like ISO 27001, PCI DSS, and Centre for Internet Security
and understand the implications of non-maintenance of such standards.
Q. A security professional is testing the functionality of an application, but does not have any
knowledge about the internal coding of the application. What type of test is this tester performing?
a) White box
b) Black box
c) Gray box
d) Black hat
Q. Testers are analysing a web application your organization is planning to deploy. They have full
access to product documentation, including the code and data structures used by the application.
What type of test will they MOST likely perform?
a) Gray box
b) White box
c) Black box
d) White hat
Q. Which of the following is NOT one of the four most common security auditing frameworks?
a) Open Source Security Testing Methodology Manual (OSSTMM)
b) NIST 800-115
c) National Cyber Awareness System (NCAS)
d) Information Systems Security Assessment Framework (ISSAF)
Q. Log review is part of which of the following categories of auditing techniques?
a) Target Vulnerability Validation Techniques
b) Examination review techniques
c) Target Identification and Analysis Techniques
d) Interviews and discussions
Q. Arrange the following audit stages in the order of execution, starting from 1 to 6.
A. Data collection and field work ______
B. Follow-through ______
C. Pre-audit agreement stage ______
D. Initiation and Planning stage ______
E. Reporting ______
F. Analysis ______
Q. The test phase is part of which of the following audit stages?
a) Analysis
b) Pre-audit agreement stage
c) Data collection and fieldwork
d) Initiation and planning
UNIT III
Information Security Auditor
LESSON PLAN
Lesson
Auditors ask the questions, test the controls, and determine whether the security policies are
followed in a manner that protects the assets the controls are intended to secure by measuring
the organization’s activities versus its security best practices.
The auditor is responsible for planning and conducting audits in a manner that is fair and
consistent to the people and processes that are examined.
The auditing charter or engagement letter defines the conduct and responsibilities of an auditor.
Depending on how a company’s auditing program is structured, ultimate accountability for the
auditor is usually to senior management or the Board of Directors.
Auditors are usually required to present a report to management about the findings of the audit
and also make recommendations about how to reduce the risk identified.
Inspect and evaluate financial and information systems, management procedures and
security controls
Weigh the relevancy, accuracy and perspective of conclusions against audit evidence
Collaborate with departments to improve security compliance, manage risk and bolster
effectiveness
Auditing the information asset management process will verify that the critical assets are
being managed in accordance with the IT/IS policies.
The auditor audits the information security and privacy policies and standards. The auditor
begins with policies and standards related to access control, data classification and network
security. In addition, they focus on other policies and standards such as vendor
management, vulnerability management and data leakage prevention.
One of the important roles of audit is to verify that the policies and standards are not just
documented but are actually being implemented by users across the enterprise. This
verification can be accomplished by performing an audit of the security training and
awareness program.
Instead of focusing on the actual access of each user, the auditor focuses on the IAM process
and verifies that the IAM process is working as designed. Auditing an automated IAM process
ensures the integrity of the process. The audit also focuses on the workflow, which includes
the approval hierarchy. Several IAM vendors are starting to provide mechanisms to
incorporate segregation of duties (SoD) checks within the workflow. If an organization has
incorporated the SoD checks in the workflow, it is important to include this process within its
audit scope.
During the audit of policies and standards, the auditor should understand how the policies
and standards are being communicated across the enterprise. Every organization has a
communication method (e-mail, posting on an intranet web page, periodic security
seminars, monthly security awareness training, lunch-n-learns, etc.).
The responsible auditor should determine if logging is enabled in critical systems. Where
logs are enabled, the auditor verifies that there is a process for monitoring. The auditor also
verifies that the process has been assigned to a person and that this person is executing this
process. The focus here is on data leakage prevention (DLP). Besides verifying that the
proper access is granted to each individual, the auditor focuses on how the approved users
are using the data assets. Are data being encrypted properly before they are sent outside of
the organization? Depending on an organization’s DLP policy, the SIEM system can
potentially help the auditor determine if the data are being copied on USB drives and leaving
the organization.
The internal auditor should identify how the organization is connected to the outside, and
who on the outside is connected to the organization. There is a total reliance by some
organizations on Statement on Auditing Standards No. 70 (SAS 70) Type II reports for review
of external vendors. While SAS 70 is good, it is not final. The auditor first verifies that there is
a policy in place to address third-party connections. In addition to the SAS 70 report, the
organization should periodically perform its own audit of the vendor to certify that its
policies and security needs are being adequately addressed (the organization may have to
ensure that the vendor contracts allow for this audit). Changes performed by the third-party
vendor on systems affecting the organization should follow the organization’s normal
change management process.
Also, the auditor should follow the entire process within the extended enterprise where the
critical data assets reside. For example, an enterprise may do an exceptional job of
protecting critical data assets within the enterprise, but an unencrypted backup tape can fall
off a vendor’s truck and expose critical information and put the enterprise at risk. An audit
of the entire process will definitely reduce the risks associated with the extended enterprise.
This extended enterprise may exist globally and could add more complexity to the audit
plans.
The auditor verifies that a business continuity plan exists and is maintained and tested
periodically. The auditor should also make sure that the plan covers all the risks associated
with the business and that it is enough to keep the business in operation in times of
disruption. The IT auditor should understand the difference between business continuity and
disaster recovery and make sure that each is adequately addressed and periodically tested.
The auditor identifies a catalog of IT initiatives, reviews the business reasons for the project
and identifies the executive sponsor for the project. The auditor obtains and reviews the
management reports from IT to executive management and verifies that sufficient
information is provided to management. The auditor verifies that IT initiatives are
adequately aligned with business objectives.
• Management
• Technical
• Forensic
The first step in hiring a reliable consultant is to define the requirements of the job. Does it
involve the analysis of risk, implementation of security systems, regulatory compliance,
management consulting, training or defence of an inadequate security claim? Only after the
requirements of the job are defined can you select the right type of consultant to complete
the work.
A consultant should be independent and not affiliated with a product or service. If your
consultant is not independent, you should know about his or her relationship with a product
or service line and understand that it may result in a conflict of interest.
The following points have to be borne in mind before hiring an audit company as auditors:
Does the consulting organization offer a comprehensive suite of services, tailored to specific
requirements?
Does the consulting organization have a track record of having handled a similar security
consulting assignment?
Do the organization’s security professionals hold certifications such as CISSP, CISA, CSM and CIPP?
Is the organization a recognized contributor within the security industry in terms of research,
publication, etc.?
A good auditor requires skills and knowledge in the areas listed below:
Organization wide security program planning and management
Knowledge of the legislative requirements for an agency security program
Knowledge of the sensitivity of data and the risk management process through risk
assessment and risk mitigation
Knowledge of the risks associated with a deficient security program
Knowledge of the elements of a good security program
Ability to analyse and evaluate an organization’s security policies and procedures and
identify their strengths and weaknesses
Access control
Knowledge across platforms of the access paths into computer systems and of the
functions of associated hardware and software providing an access path
Knowledge of access level privileges granted to users and the technology used to provide
control to them
Knowledge of the procedures, tools, and techniques that provide for good physical,
technical, and administrative controls over access
Knowledge of the risks associated with inadequate access controls
Ability to analyse and evaluate an organization’s access controls and identify the strengths
and weaknesses
Skills to review security software reports and identify access control weaknesses
Skills to perform penetration testing of the organization’s applications and supporting
computer systems
Application software development and change control
Knowledge of the concept of a system life cycle and of the System Development Life Cycle
(SDLC) process
Knowledge of the auditor’s role during system development and of federal guidelines for
designing controls into systems during development
Knowledge of the procedures, tools, and techniques that provide control over application
software development and modification
Knowledge of the risks associated with the development and modification of application
software
Ability to analyse and evaluate the organization’s methodology and procedures for system
development and modification and identify the strengths and weaknesses
System software
Knowledge of the different types of system software and their functions
Knowledge of the risks associated with system software
Knowledge of the procedures, tools, and techniques that provide control over the
implementation, modification, and use of system software
Ability to analyse and evaluate an organization’s system software controls and identify the
strengths and weaknesses
Skills to use software products to review system software integrity
Segregation of duties
Knowledge of the different functions involved with information systems and data
processing and incompatible duties associated with these functions
Service continuity
Knowledge of the procedures, tools, and techniques that provide for service continuity
Knowledge of the risks that exist when measures are not taken to provide for service
continuity
Ability to analyse and evaluate an organization’s program and plans for service continuity
and identify the strengths and weaknesses
Application controls
Knowledge about the practices, procedures, and techniques that provide for the
authorization, completeness, and accuracy of application data
Knowledge of typical applications in each business transaction cycle
Ability to analyse and evaluate an organization’s application controls and identify the
strengths and weaknesses
Skills to use a generalized audit software package to conduct data analyses and tests of
application data, and to plan, extract, and evaluate data samples
Auditors performing tasks in two of the above areas, access controls (which includes penetration
testing) and system software, require additional specialized technical skills. Such technical
specialists should have skills in one or more of the categories listed below:
Network analyst
Advanced knowledge of network hardware and software
Understanding of data communication protocols
Ability to evaluate the configuration of routers and firewalls
Ability to perform external and internal vulnerability tests with manual and automated
tools
Knowledge of the operating systems used by servers
Windows/Novell analyst
Detailed understanding of microcomputer and network architectures
Ability to evaluate the configuration of servers and the major applications hosted on
servers
Ability to perform internal vulnerability tests with manual and automated tools
Unix analyst
Detailed understanding of the primary variants of the Unix architectures
Ability to evaluate the configuration of servers and the major applications hosted on
servers
Ability to perform internal vulnerability tests with manual and automated tools
Database analyst
Understanding of the control functions of the major database management systems
Understanding of the control considerations of the typical application designs that use
database systems
Ability to evaluate the configuration of major database software products
Mainframe system software analyst
Detailed understanding of the design and function of the major components of the
operating system
Ability to develop or modify tools necessary to extract and analyse control information
from mainframe computers
Ability to use audit software tools
The Information Systems Audit and Control Association (ISACA) set forth a code governing the
professional conduct and ethics of all certified IS auditors and members of the association. Every
CISA is expected to be bound to uphold this code. The following points form part of this
code:
Support the implementation of, and encourage compliance with, appropriate standards and
procedures for the effective governance and management of enterprise information systems and
technology, including: audit, control, security and risk management.
Perform their duties with objectivity, due diligence and professional care, in accordance with
professional standards.
Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of
conduct and character, and not discrediting their profession or the Association.
Maintain the privacy and confidentiality of information obtained in the course of their activities
unless disclosure is required by legal authority. Such information shall not be used for personal
benefit or released to inappropriate parties.
Maintain competency in their respective fields and agree to undertake only those activities they
can reasonably expect to complete with the necessary skills, knowledge and competence.
Inform appropriate parties of the results of work performed including the disclosure of all
significant facts known to them that, if not disclosed, may distort the reporting of the results.
The failure of a CISA to comply with this code of professional ethics may result in an investigation
with possible sanctions or disciplinary measures.
Ethics statements are necessary to demonstrate the level of honesty and professionalism expected
of every auditor. Overall, the profession requires auditors to be honest and fair in all representations
they make. The goal is to build trust with clients, and their behaviour should reflect positively on
the profession. The profession as a whole depends on each auditor to help maintain the high quality
and integrity that clients expect from a CISA.
ABOUT CISA
The CISA designation is awarded to individuals with an interest in Information Systems auditing,
control and security who meet the following requirements:
It is important to note that many individuals choose to take the CISA exam prior to meeting the
experience requirements. This practice is acceptable and encouraged although the CISA designation
will not be awarded until all requirements are met.
ABOUT CISSP
Summary
The role of the auditor is to identify, measure, and report on risk. The auditor is not tasked to fix
the problem, but to give a snapshot in time of the effectiveness of the security program. The
objective of the auditor is to report on security weakness.
Auditors ask the questions, test the controls, and determine whether the security policies are
followed in a way that protects the assets the controls are intended to secure, measuring the
organization's activities against security best practices.
The auditor audits the information security and privacy policies and standards.
A consultant should be independent and not affiliated with a product or service. If your
consultant is not independent, you should know about his or her relationship with a product or
service line and understand that it may result in a conflict of interest.
Ethics statements are necessary to demonstrate the level of honesty and professionalism
expected of every auditor. Overall, the profession requires them to be honest and fair in all
representations they make. The goal is to build trust with clients.
ISACA has an auditor code of ethics which auditors should comply with.
While the minimum qualification required of an auditor is a Bachelor's degree, an auditor can
obtain recognised certifications such as CISA and CISSP to enhance their value.
Practical Activities:
Activity 1:
Identify some of the organisations offering audit services, then list and compare the
offerings, features, benefits and limitations of at least three of them.
Activity 2:
Collect information of various qualifications for data security auditors and consultants
Activity 3:
Collect through the internet and various other sources various cases where mishandling
of audits or security audit failures have caused damage to organisations. Present one
such interesting case in class.
UNIT IV
VULNERABILITY ANALYSIS
Lesson Plan
4.1. What Is Vulnerability Assessment?
4.2. Why carry out a Vulnerability Assessment?
4.3. Vulnerability Classification
4.4. Types of Vulnerability Assessment
4.5. How to Conduct a Vulnerability Assessment
4.6. Vulnerability Analysis Tools
LESSON PLAN
Lesson
A vulnerability assessment looks at the network and pinpoints the weaknesses that need to be
fixed or patched before they are breached. With new vulnerabilities being announced every week,
a company's network is only as secure as its latest vulnerability assessment. An ongoing
vulnerability assessment process, combined with proper remediation, helps ensure that the
network is fortified to withstand the latest attacks.
CERT/CC (the federally funded research and development centre operated by Carnegie Mellon
University) reports that nearly 99% of all intrusions resulted from exploitation of known
vulnerabilities or configuration errors.
The following categories of vulnerabilities are commonly recognised, although classification is
an ongoing discussion that has not yet been fully agreed among the various stakeholders:
1. Misconfigurations
2. Default installations
3. Buffer overflows
4. Unpatched servers
5. Default passwords
6. Open services
7. Application flaws
8. Open system flaws
9. Design flaws
Developers and system administrators often find exploitable bugs in server applications and
publish the information on bug tracking and security-related websites such as the Bugtraq
mailing list (http://www.securityfocus.com) or the Computer Emergency Response Team (CERT)
website (http://www.cert.org).
Buffer overflows
A buffer overflow occurs when a program or process tries to store more data in a buffer (a
temporary data storage area) than it was intended to hold. Since buffers are created to contain a
finite amount of data, the extra information, which has to go somewhere, overflows into adjacent
memory, corrupting or overwriting the valid data held there. Although it may occur accidentally
through a programming error, buffer overflow is a common type of security attack on data
integrity. In a buffer overflow attack, the extra data may contain code designed to trigger specific
actions, in effect sending new instructions to the attacked computer that could, for example,
damage the user's files, change data, or disclose confidential information.
Unpatched servers
According to Wikipedia, a patch is a piece of software designed to update a computer program or
its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs
(such patches are usually called bugfixes) and improving usability or performance. Although
meant to fix problems, poorly designed patches can sometimes introduce new ones. Server
applications left unpatched, whether because developers do not release fixes or administrators
fail to apply them, are among the most exploited vulnerabilities.
Default passwords
Another common error is to leave the default passwords or keys in services that have such
authentication methods built into them. For example, some databases leave default
administration passwords under the assumption that the system administrator will change this
immediately upon configuration. Even an inexperienced cracker can use the widely-known default
password to gain administrative privileges to the database.
Active Assessment: Scans the network with a network scanner, sending probes to find hosts,
services and vulnerabilities.
Passive Assessment: Sniffs network traffic to find active systems, network services, applications
and vulnerabilities present, without sending any probes.
Host based Assessment: A configuration-level security check carried out on the host itself,
typically through the command line.
Internal Assessment: Scans the internal infrastructure to find the exploits and vulnerabilities
available to someone already inside the network.
External Assessment: Assesses the network from an outside attacker's point of view to find what
exploits and vulnerabilities are exposed to the outside world.
Application Assessment: Tests the web server infrastructure for misconfiguration, outdated
content and known vulnerabilities.
Network Assessment: Determines the possible network security attacks that may occur on the
organization's systems.
Wireless network Assessment: Determines and tracks all the wireless networks present at the
client site.
Pre-assessment phase
• Describes the scope of the Assessment
• Establishes proper procedures to protect the information gathered, covering planning,
scheduling, coordination and logistics
• Identifies and ranks the critical assets
Assessment phase
• Examines the network architecture
• Evaluates the threat environment
• Carries out penetration testing
• Examines and evaluates physical security
• Performs a physical asset analysis
• Observes policies and procedures
• Conducts an impact analysis
• Performs a risk characterization
This phase refers to identifying areas where vulnerability exists. This entails performing vulnerability
analysis and listing of areas that need testing and penetration.
• Locating nodes
Now that auditors have identified and verified the vulnerabilities, they must perform in-depth
analysis of all the assembled data. The goal here is to identify systemic causes, and then they
formulate plans to remedy each cause. These plans are the basis of the strategic recommendations
that they bring before the business’ executives. Once the auditors have completed their assessment,
the IT department or the consultants work alongside the executives to fix those problem areas. Once
the business rectifies vulnerabilities, they can direct their attention to upgrading or transitioning the
network.
These tools find and identify previously unknown vulnerabilities in a system, and include fuzzers.
A fuzzer is a program that attempts to discover security vulnerabilities by sending random or
malformed input to an application. If the program contains a vulnerability that leads to an
exception, crash or server error (in the case of web applications), a vulnerability has been
discovered. Fuzzers are often termed fault injectors for this reason: they generate faults and send
them to an application.
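The following worked example is added here to illustrate the paragraph above; it is not code from the handbook or from any fuzzing product. It fuzzes a constructed target, `parse_record`, which parses a record laid out as one length byte, that many payload bytes and a checksum byte (an assumed format for the example) and trusts the length byte without a bounds check. The fuzzer mutates a valid seed record, sends each mutant to the target, ignores the `ValueError` the parser raises on purpose for a bad checksum, and records every other exception as a fault, deduplicated by exception type and line number.

```python
import random
import traceback


def parse_record(data: bytes) -> tuple:
    """Constructed fuzz target with a deliberate bug (example only).

    Assumed record layout: [length:1 byte][payload:length bytes][checksum:1 byte].
    The bug: the declared length is trusted without checking it against the
    bytes actually present, so a short or corrupted record indexes past the end
    of 'data' and raises IndexError. A C parser with the same mistake would read
    out of bounds; Python turns it into an uncaught exception instead.
    """
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]          # missing bounds check: may be out of range
    if (sum(payload) & 0xFF) != checksum:
        raise ValueError("bad checksum")  # graceful rejection of bad input, not a bug
    return payload, checksum


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte overwrite, delete, insert or truncate."""
    buf = bytearray(data)
    choice = rng.randrange(5)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 2 and buf:
        del buf[rng.randrange(len(buf))]
    elif choice == 3:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    else:
        del buf[rng.randrange(len(buf) + 1):]
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int = 500, rng_seed: int = 1,
         expected_errors=(ValueError,)) -> dict:
    """Mutation fuzzer. Returns {(exception name, line number): first input that caused it}.

    Exceptions listed in 'expected_errors' are the target rejecting bad input on
    purpose and are ignored; anything else is recorded as a fault. Faults are
    deduplicated by exception type and the line where they occur, so the result
    is a list of distinct bugs rather than hundreds of repeats of the same one.
    """
    rng = random.Random(rng_seed)        # fixed seed keeps the run reproducible
    crashes = {}
    for _ in range(iterations):
        data = mutate(seed, rng)
        try:
            target(data)
        except expected_errors:
            continue
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            key = (type(exc).__name__, frame.lineno)
            crashes.setdefault(key, data)  # keep the first input for each distinct fault
    return crashes


# Constructed seed: a well-formed record, so most mutants stay "nearly valid".
SEED = bytes([5]) + b"hello" + bytes([sum(b"hello") & 0xFF])


if __name__ == "__main__":
    for (name, line), sample in fuzz(parse_record, SEED).items():
        print(f"{name} at line {line}: triggered by {sample!r}")
```

Two points carry over to real fuzzing: the harness needs an oracle that separates deliberate rejection of bad input from genuine faults, and it should keep the input that triggered each distinct fault so the developer can reproduce it. Against a network service the target call becomes a socket exchange and the "exception" becomes a crash, a hang or an error response.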
Active/passive tools
Active scanners perform vulnerability checks on the network by sending probes, which consumes
resources on the scanned systems and the network. Passive scanners do not materially affect
system resources: they only observe traffic and system data and perform the processing on a
separate analysis machine.
Tools may also be classified based on data examined or location. For example, Network-based
scanner, agent based scanner, proxy scanner or cluster scanner.
While new vulnerabilities are discovered every day and new tools are required to tackle
them, some of the tools available are listed below:
With hundreds of new operating system and application vulnerabilities announced each month
the need to establish vulnerability testing as an ongoing, continuous process has become
essential. Like automated antivirus and patching, an automated, ongoing vulnerability
assessment and management solution is now a genuine option.
Real-World Security
The concept of Automated Vulnerability Detection can be described in this simplified analogy.
Say your building has a high perimeter wall and a motion detection alarm system. Like network
perimeter security products (antivirus, firewalls and IPS/IDS), these are likely to alert you that
someone is approaching. But they do not tell you that your back door was left unlocked by the
last person leaving, or worse, left standing wide open. If a hacker or thief sees a known
vulnerability, an unlocked door, there is no fence high enough or alarm system good enough to
keep them from trying to get in. They will get very inventive about how to scale the wall without
setting off the alarm if there is an open door beckoning!
Automated VA/VM consists of assessing the mechanical condition of your network's doors and
windows, the relative merit of their locks, and reporting on their state of readiness in near real
time.
AVDS (Automated Vulnerability Detection System) is a series of hardware appliances that run
dedicated online connected software, capable of simulating both internal and external hacker
attacks for networks of 200 to 2 million nodes. AVDS performs a comprehensive vulnerability
assessment on the network and produces a detailed report that contains:
• Differential reporting mechanisms that show the difference from previous scans,
allowing you to track both infrastructure changes (figure 2) as well as the vulnerabilities
• Data mining that allows you to target specific hosts, vulnerability types or services and
export these results in multiple formats
• AVDS is updated with new attack profiles on a daily basis using information from the
www.securiteam.com security portal, one of the largest and most respected security
information gathering portals on the Internet.
• The DMZ and the external network (from the Internet and outside world)
• Anything that talks "IP" on a network, including VoIP network elements and endpoint
devices.
• Includes built-in data mining capabilities, allowing on-the-fly generation of statistical and
historical information about your network posture.
• Distributes vulnerability scanning tasks and reports to stakeholders. This provides distant
administrators access to the scanning system for use in their network segment.
• Allows tracking of all vulnerabilities across an entire network and multiple sites.
• Generates a network map, detailing what servers and services exist, or alternatively, have
been added, removed or changed since the last scan.
• Exports results for external reference in multiple formats: HTML, PDF, CSV and XML.
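The differential reporting described above (what changed on the network, and which findings are new or fixed, since the previous scan) is the part of a scan report that a security analyst reads first. The following added example, which is not AVDS code or any vendor's code, shows the logic on two constructed scan inventories of the form `{host: {port: "product/version"}}` and two constructed sets of findings; the product names and "DEMO-" finding ids are placeholders for this example, not real products or advisories.

```python
# Constructed scan inventories: {host: {port: "product/version"}} (sample data, not real hosts).
PREVIOUS_SCAN = {
    "10.0.0.5": {22: "demo-sshd/2.3.1", 80: "demo-httpd/1.8"},
    "10.0.0.7": {21: "demo-ftpd/3.0"},
}
CURRENT_SCAN = {
    "10.0.0.5": {22: "demo-sshd/2.4", 443: "demo-httpd/2.0"},
    "10.0.0.9": {3389: "demo-rdp/1.0"},
}

# Constructed findings from each scan as (host, port, finding id). The ids are
# placeholders for this example, not real advisory identifiers.
PREVIOUS_FINDINGS = {("10.0.0.5", 22, "DEMO-0001"), ("10.0.0.7", 21, "DEMO-0004")}
CURRENT_FINDINGS = {("10.0.0.5", 443, "DEMO-0003"), ("10.0.0.9", 3389, "DEMO-0005")}


def diff_scans(previous: dict, current: dict) -> dict:
    """Compare two inventories and classify every change in the network map."""
    report = {
        "hosts_added": sorted(set(current) - set(previous)),
        "hosts_removed": sorted(set(previous) - set(current)),
        "ports_opened": [],
        "ports_closed": [],
        "services_changed": [],
    }
    for host in sorted(set(previous) & set(current)):   # hosts seen in both scans
        before, after = previous[host], current[host]
        for port in sorted(set(after) - set(before)):
            report["ports_opened"].append((host, port, after[port]))
        for port in sorted(set(before) - set(after)):
            report["ports_closed"].append((host, port, before[port]))
        for port in sorted(set(before) & set(after)):
            if before[port] != after[port]:             # same port, different product/version
                report["services_changed"].append((host, port, before[port], after[port]))
    return report


def diff_findings(previous: set, current: set) -> dict:
    """Findings present now but not before are new; the reverse are (apparently) fixed."""
    return {"new": sorted(current - previous), "fixed": sorted(previous - current)}


def render(report: dict) -> list:
    """Flatten a report into printable lines: one heading per change class."""
    lines = []
    for key, items in report.items():
        lines.append(f"{key} ({len(items)})")
        for item in items:
            text = " ".join(map(str, item)) if isinstance(item, tuple) else str(item)
            lines.append("  " + text)
    return lines


if __name__ == "__main__":
    print("\n".join(render(diff_scans(PREVIOUS_SCAN, CURRENT_SCAN))))
    print("\n".join(render(diff_findings(PREVIOUS_FINDINGS, CURRENT_FINDINGS))))
```

One caveat when reading such a report: a finding that disappears because its host disappeared (10.0.0.7 above) has not necessarily been fixed; the host may simply have been offline or unreachable during the scan. Treat "fixed" on a removed host as "unverified" until the host is scanned again.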
Source:
Summary
Vulnerability analysis, also known as vulnerability assessment, is a process that defines,
identifies, and classifies the security holes (vulnerabilities) in a computer, network, or
communications infrastructure.
The deliverable for the assessment is, most importantly, a prioritized list of discovered
vulnerabilities (and often how to remediate). The findings are classified into categories of high,
medium, and low risk.
Virtually all attacks come from already known vulnerabilities.
The following are categories of vulnerabilities commonly recognised:
o Misconfigurations
o Default installations
o Buffer overflows
o Unpatched servers
o Default passwords
o Open services
o Application flaws
o Open system flaws
o Design flaws
Developers and system administrators often find exploitable bugs in server applications and
publish the information on bug tracking and security-related websites such as the Bugtraq
mailing list (http://www.securityfocus.com) or the Computer Emergency Response Team (CERT)
website (http://www.cert.org).
Types of Vulnerability Assessment
o Active Assessment
o Passive Assessment
o Host based Assessment
o Internal Assessment
o External Assessment
o Application Assessment
o Network Assessment
o Wireless network Assessment
Types of tools available for vulnerability assessment are classified as follows:
o Host based VA tools
o Application-layer VA tools
o Scope assessment tools
o Depth assessment tools
o Active/passive tools
Tools may also be classified based on data examined or location. For example, Network-based
scanner, agent based scanner, proxy scanner or cluster scanner.
Nmap, Whisker, Firewalk and Enum are free scanners available on the internet; Nessus, originally
free, is now a commercial product with a free edition limited to home use.
Some of the other available tools include Qualys Vulnerability Scanner, Cycorp CycSecure
Scanner, eEye Retina Network Security Scanner, Foundstone Professional Scanner, GFI LANguard
Network Security Scanner, ISS Internet Scanner, SAINT Vulnerability Scanner, Symantec
NetRecon Scanner, Shadow Security Scanner, Microsoft Baseline Security Analyzer, SPIKE Proxy,
Foundstone's ScanLine and Cerberus Internet Scanner.
Note that several of the tools in these lists date from the early 2000s and are no longer
maintained; check that any tool you choose is still supported and still receives vulnerability
signature updates.
Practical Activity:
Activity 1:
Go through the latest threats and breaches in cyberspace to understand the
implications of non-compliance to security standards. List such sources from which
information can be had.
Activity 2:
Search and list various VA tools offered by various organizations and note down their
features, uses, benefits and limitations. Also research reviews of these tools available
online.
Activity 3:
Search for examples of incidents reported for each of the categories of the
vulnerability listed in this unit. Share this with your class.
a) ___________________________________
b) ___________________________________
c) ___________________________________
a) Host based
b) Application based
c) Scope Assessment
d) Firewall based
Q. Match each description with the type of vulnerability assessment it describes:
1. Scans the network using any network scanner to find hosts, services and vulnerabilities.
2. Sniffs the network traffic to find out active systems, network services, applications and
vulnerabilities present.
3. A sort of security check carried out through a configuration level test through command line.
4. This determines and tracks all the wireless network prevalent at the client side.
5. Assesses the network from a hacker point of view to find out what exploits and vulnerabilities
are available to the outside world.
6. Tests the web server infrastructure for any misconfiguration, outdated content and known
vulnerabilities.
7. Determines the possible network security attacks that may occur on the organization system.
8. Scans the infrastructure inside the company to find out the exploit and vulnerabilities.
a) Wireless network Assessment
b) Host based Assessment
c) Active Assessment
d) Application Assessment
e) External Assessment
f) Passive Assessment
g) Internal Assessment
h) Network Assessment
Q. State whether the following statements are TRUE or FALSE
UNIT V
PENETRATION TESTING
Lesson Plan
5.1. About penetration testing
5.2. Penetration testing stages
LESSON PLAN
Lesson
• Reduce an organization's IT security costs and provide a better Return on IT Security Investment
(ROSI) by identifying and resolving vulnerabilities and weaknesses
• Test and validate the efficiency of security protections and controls
• Provide indisputable information usable by audit teams gathering data for regulatory
compliance
• Provide a comprehensive approach to the preparation steps that can be taken to prevent upcoming
exploitation
• Evaluate the efficiency of network security devices such as firewalls, routers, and web servers
An organization should conduct a risk assessment before the penetration test, which will help
to identify the main threats. The penetration test itself is carried out in three phases:
• Pre-attack phase
• Attack phase
• Post-attack phase
Penetration (or external assessment) testing usually starts with three pre-test phases:
• Footprinting
• Scanning
• Enumerating
Together, the three pre-test phases are called reconnaissance.
Pre-attack phase
This process seeks to gather as much information about the target network as possible, following
these seven steps:
STEP 1. Gather initial information
STEP 2. Determine the network range
STEP 3. Identify active machines
STEP 4. Discover open ports and access points
STEP 5. Fingerprint the operating system
STEP 6. Uncover services on ports
STEP 7. Map the network
Malicious hackers also value reconnaissance as the first step in an effective attack. Keep in mind
that the penetration test process is more organic than these steps would indicate. These pre-test
phases entail the process of discovery, and although the process is commonly executed in this order,
a good tester knows how to improvise and head in a different direction, depending upon the
information found.
There are two different reconnaissance methods to discover information on the hosts in your
target network:
• Passive reconnaissance
• Active reconnaissance
b. Active reconnaissance
Active reconnaissance, in contrast, involves using technology in a manner that the target might
detect. This could be by doing DNS zone transfers and lookups, ping sweeps, traceroutes, port
scans, or operating system fingerprinting. Some of the tools that are useful in active host
reconnaissance include the following:
• NSLookup/Whois/Dig lookups
• SamSpade
• Visual Route/Cheops
• Pinger/WS_Ping_Pro
Footprinting
Footprinting is the blueprinting of the security profile of an organization. It involves gathering
information about your customer's network to create a unique profile of the organization's networks
and systems. It is an important way for an attacker to gain information about an organization
passively, that is, without the organization's knowledge.
Footprinting employs the first two steps of reconnaissance, gathering the initial target
information and determining the network range of the target. Common tools/resources used in
the footprinting phase are:
• Whois
• SmartWhois
• NsLookup
• Sam Spade
Footprinting may also require manual research, such as studying the company's Web page for useful
information, for example:
You can also get more active with Footprinting. For example, you can call the organization's help
desk, and by employing social engineering techniques, get them to reveal privileged information.
Scanning
The next four information-gathering steps -- identifying active machines, discovering open ports and
access points, fingerprinting the operating system, and uncovering services on ports -- are
considered part of the scanning phase. The goal here is to discover open ports and applications by
performing external or internal network scanning, pinging machines, determining network ranges
and port scanning individual systems.
Although this is still the information-gathering stage, scanning is more active than footprinting
and provides a more detailed picture of the customer's operations. Common scanning tools include:
• NMap
• Ping
• Traceroute
• Superscan
• Netcat
• NeoTrace
• Visual Route
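Steps 3, 4 and 6 of the scanning phase (identify active machines, discover open ports, uncover the services on them) are what tools such as Nmap and Netcat automate. The following added example, which is not code from the handbook or from any of the tools listed, performs a TCP connect scan with a banner grab in plain Python. So that it runs offline, it starts its own constructed "service" on a random loopback port that greets clients with an SMTP-style banner, and it obtains a deterministic closed port by binding a second socket without ever calling `listen()`, which makes the operating system refuse connections to it. The banner text and port numbers are assumptions of the example.

```python
import socket
import threading
from contextlib import closing


def start_fake_service(banner: bytes):
    """Constructed stand-in for a live daemon (example only): listens on a random
    loopback port and greets every client with 'banner', as SMTP, FTP and SSH servers
    do. Returns (stop_event, listening_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)                  # so the accept loop can notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except OSError:              # timeout while idle, or socket closed
                continue
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return stop, srv, srv.getsockname()[1]


def scan_port(host: str, port: int, timeout: float = 0.5) -> dict:
    """TCP connect scan of one port plus a banner grab (a simplified 'nmap -sT -sV')."""
    result = {"port": port, "state": "closed", "banner": ""}
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))      # full three-way handshake: visible in the target's logs
        except OSError:                  # refused, unreachable or timed out
            return result
        result["state"] = "open"
        try:
            result["banner"] = s.recv(256).decode("ascii", "replace").strip()
        except OSError:
            pass                         # open but silent: the service expects the client to speak first
    return result


def scan_host(host: str, ports) -> list:
    """Scan the given ports and return only the open ones, in port order."""
    return [r for r in (scan_port(host, p) for p in sorted(ports)) if r["state"] == "open"]


def demo() -> dict:
    """Run the scanner against one listening and one closed loopback port."""
    stop, srv, open_port = start_fake_service(b"220 mail.example.test ESMTP ready\r\n")
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))        # bound but never listening: connections are refused
    closed_port = holder.getsockname()[1]
    try:
        found = scan_host("127.0.0.1", [open_port, closed_port])
    finally:
        stop.set()
        srv.close()
        holder.close()
    return {"open_port": open_port, "closed_port": closed_port, "open": found}


if __name__ == "__main__":
    for r in demo()["open"]:
        print(f"{r['port']}/tcp open  banner={r['banner']!r}")
```

A connect scan completes the TCP handshake on every port it probes, so it is the noisiest form of scanning and will appear in the target's connection logs and IDS alerts; that is acceptable in an authorised test but is why attackers prefer stealthier techniques. Only scan systems you have written authorisation to test.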
Enumerating
In enumeration, a tester tries to identify valid user accounts or poorly-protected resource shares
using active connections to systems and directed queries. The type of information sought by testers
during the enumeration phase can be users and groups, network resources and shares, and
applications.
Remember that during a penetration test, you'll need to document every step and finding, not only
for the final report, but also to alert the organization immediately to serious vulnerabilities that may
exist. This is also known as the Discovery phase.
The next phase is the Vulnerability Analysis. This involves comparing the services, applications,
and operating systems of scanned hosts against vulnerability databases (a process that is
automatic for vulnerability scanners) and the testers’ own knowledge of vulnerabilities. Human
testers can use their own databases—or public databases such as the National Vulnerability
Database (NVD) — to identify vulnerabilities manually. Manual processes can identify new or
obscure vulnerabilities that automated scanners may miss, but are much slower than an
automated scanner.
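The matching step described above (scanned product and version compared against a vulnerability database, then findings ranked by severity into the prioritised list that is the assessment's main deliverable) is what a scanner does for every host. The following added example, which is not the handbook's or any scanner's code, implements that logic on a constructed database of fictional products and a constructed scan result. The "DEMO-" identifiers, product names and version ranges are placeholders invented for the example; the version comparison assumes dotted numeric version strings.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class VulnEntry:
    vuln_id: str          # placeholder id for this example, not a real advisory number
    product: str
    affected_from: str    # first affected version (inclusive)
    fixed_in: str         # first fixed version (exclusive)
    severity: str
    summary: str


# Constructed vulnerability database for fictional products (not real advisories).
VULN_DB = [
    VulnEntry("DEMO-0001", "demo-sshd", "2.0", "2.4", "high", "remote code execution before login"),
    VulnEntry("DEMO-0002", "demo-httpd", "1.0", "1.9.3", "medium", "directory traversal in static file handler"),
    VulnEntry("DEMO-0003", "demo-httpd", "1.0", "2.0", "low", "exact version disclosed in Server header"),
    VulnEntry("DEMO-0004", "demo-ftpd", "3.1", "3.2", "high", "anonymous write enabled by default"),
]

# Constructed scan output: services and versions as a scanner's banner grab would report them.
SCAN = [
    {"host": "10.0.0.5", "port": 22, "product": "demo-sshd", "version": "2.3.1"},
    {"host": "10.0.0.5", "port": 80, "product": "demo-httpd", "version": "1.9.3"},
    {"host": "10.0.0.7", "port": 21, "product": "demo-ftpd", "version": "3.0"},
    {"host": "10.0.0.9", "port": 80, "product": "demo-httpd", "version": "1.8"},
]


def version_key(version: str) -> tuple:
    """Turn '1.9.3' into (1, 9, 3); non-numeric parts count as 0 (an assumption of this example)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison padded with zeros, so '2.0' equals '2.0.0' and '1.9' < '1.9.3'."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    return ka + (0,) * (width - len(ka)) < kb + (0,) * (width - len(kb))


def is_affected(version: str, entry: VulnEntry) -> bool:
    """True when affected_from <= version < fixed_in."""
    return not version_lt(version, entry.affected_from) and version_lt(version, entry.fixed_in)


def analyse(scan: list, db: list) -> list:
    """Match every scanned service against the database; return findings, highest severity first."""
    findings = []
    for svc in scan:
        for entry in db:
            if entry.product == svc["product"] and is_affected(svc["version"], entry):
                findings.append({**svc, "vuln_id": entry.vuln_id, "severity": entry.severity,
                                 "summary": entry.summary,
                                 "remediation": f"upgrade {entry.product} to {entry.fixed_in} or later"})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"], f["port"]))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity band: the headline figures of an assessment report."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = analyse(SCAN, VULN_DB)
    print(summarize(results))
    for f in results:
        print(f"[{f['severity']:6}] {f['host']}:{f['port']} {f['vuln_id']} {f['summary']} -> {f['remediation']}")
```

Note what the boundaries do: 10.0.0.5:80 runs exactly the fixed version 1.9.3 and so is not reported for DEMO-0002, and 10.0.0.7 runs a version older than the first affected one. Version-string matching of this kind is also the main source of scanner false positives in practice, because distributions often backport a security fix without changing the advertised version; this is exactly where the manual verification and the attack phase described later earn their place.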
Attack Phase
The next phase is the attack phase, where if an attack is successful, the vulnerability is verified and
safeguards are identified to mitigate the associated security exposure. In many cases, exploits that
are executed do not grant the maximum level of potential access to an attacker. They may instead
result in the tester’s learning more about the targeted network and its potential vulnerabilities, or
induce a change in the state of the targeted network’s security.
Some exploits enable testers to escalate their privileges on the system or network to gain access to
additional resources. If this occurs, additional analysis and testing are required to determine the true
level of risk for the network, such as identifying the types of information that can be gleaned,
changed, or removed from the system. In the event an attack on a specific vulnerability proves
impossible, the tester should attempt to exploit another discovered vulnerability.
If testers are able to exploit a vulnerability, they can install more tools on the target system or
network to facilitate the testing process. These tools are used to gain access to additional systems or
resources on the network, and obtain access to information about the network or organization.
Testing and analysis on multiple systems should be conducted during a penetration test to
determine the level of access an adversary could gain.
While vulnerability scanners check only for the possible existence of a vulnerability, the attack phase
of a penetration test exploits the vulnerability to confirm its existence.
Most vulnerabilities exploited by penetration testing fall into the following categories:
Misconfigurations
Misconfigured security settings, particularly insecure default settings, are usually easily
exploitable.
Kernel Flaws
Kernel code is the core of an OS, and enforces the overall security model for the system—so any
security flaw in the kernel puts the entire system in danger.
Buffer Overflows
A buffer overflow occurs when programs do not adequately check input for appropriate length.
When this occurs, arbitrary code can be introduced into the system and executed with the
privileges—often at the administrative level—of the running program.
Insufficient Input Validation
Many applications fail to fully validate the input they receive from users. An example is a Web
application that embeds a value from a user in a database query. If the user enters SQL commands
instead of or in addition to the requested value, and the Web application does not filter the SQL
commands, the query may be run with malicious changes that the user requested—causing what
is known as a SQL injection attack.
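As an added example, not from the handbook, the injection described above reproduced against an in-memory SQLite table in Python, with the parameterised query that fixes it beside it. The table, its rows and the two payloads are constructed for the demonstration:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the demonstration (an assumption,
    not data from the handbook)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    # The user-supplied values are pasted into the SQL text, so whatever the
    # user types becomes part of the statement the database parses.
    sql = (
        f"SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    # Parameterised query: the statement is fixed and the values travel
    # separately, so quotes or comment markers in the input cannot change
    # the query's logic. This is the fix, not "filtering" SQL keywords.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo() -> dict:
    conn = make_db()
    # Two classic payloads: the first makes the WHERE clause always true
    # (AND binds tighter than OR), the second comments out the password check.
    tautology = "' OR '1'='1"
    comment = "alice'--"
    return {
        "vulnerable_normal": login_vulnerable(conn, "bob", "hunter2"),
        "vulnerable_tautology": login_vulnerable(conn, "x", tautology),
        "vulnerable_comment": login_vulnerable(conn, comment, "anything"),
        "safe_tautology": login_safe(conn, "x", tautology),
        "safe_comment": login_safe(conn, comment, "anything"),
        "safe_normal": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```

The tautology payload returns every row and the comment payload logs in as the administrator without a password; the parameterised version returns nothing for either, because the quote and the comment marker arrive as literal characters in the data rather than as part of the statement.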
Symbolic Links
A symbolic link (symlink) is a file that points to another file. Operating systems include programs
that can change the permissions granted to a file. If these programs run with privileged
permissions, a user could strategically create symlinks to trick these programs into modifying or
listing critical system files.
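An added example (not from the handbook) of the symlink problem: a privileged job that relaxes permissions on a file it expects to own is pointed at a critical file through a symlink. Everything here, the "critical" file, the planted link and the two versions of the job, is constructed in a temporary directory:

```python
import errno
import os
import stat
import tempfile


def make_world_readable_unsafe(path: str) -> None:
    # os.chmod() follows symlinks by default: if `path` is a symlink planted
    # by a user, the permission change lands on whatever file it points to.
    os.chmod(path, 0o644)


def make_world_readable_safe(path: str) -> None:
    # Open the path without following symlinks, then change the mode through
    # the descriptor. A symlink makes the open fail (ELOOP on Linux/macOS,
    # EMLINK on some BSDs) instead of silently reaching the target.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        os.fchmod(fd, 0o644)
    finally:
        os.close(fd)


def demo() -> dict:
    """Plays both roles in a temp directory: the 'critical file' and the
    attacker's symlink are constructed here (assumptions for the demo)."""
    with tempfile.TemporaryDirectory() as d:
        critical = os.path.join(d, "shadow")
        with open(critical, "w") as f:
            f.write("root:$6$...:0:0:99999:7:::\n")
        os.chmod(critical, 0o600)

        link = os.path.join(d, "user_report.txt")   # what the privileged job expects
        os.symlink(critical, link)                    # ... but an attacker swapped in a link

        make_world_readable_unsafe(link)
        mode_after_unsafe = stat.S_IMODE(os.stat(critical).st_mode)

        os.chmod(critical, 0o600)                     # reset, then try the safe version
        refused = False
        try:
            make_world_readable_safe(link)
        except OSError as e:
            refused = e.errno in (errno.ELOOP, errno.EMLINK)
        mode_after_safe = stat.S_IMODE(os.stat(critical).st_mode)

        return {
            "mode_after_unsafe": mode_after_unsafe,
            "mode_after_safe": mode_after_safe,
            "safe_version_refused_link": refused,
        }


if __name__ == "__main__":
    print(demo())
```

The hardened version opens with O_NOFOLLOW and works on the descriptor, so the check and the change cannot be separated by swapping the path underneath it; an lstat() followed by chmod() would still leave a race window between the two calls.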
The perimeter layer of a network starts when and where an outside connection is established and
ends with access to a private network. A private network will be at risk from many threats because
of the need to establish connections to other networks, especially the Internet. An IDS (Intrusion
Detection System) or IPS (Intrusion Prevention System) is usually included in the perimeter to detect
and stop any malicious activity on a private network. The overall network perimeter complexity will
depend on the services provided over the Internet. The router and firewall separate the Internet
from a private network, the IDS or IPS monitors all traffic, and the VPN (Virtual Private Network)
provides remote access; all of which provide the necessary defence-in-depth features for the
perimeter.
Complex configurations of various organizations make it very difficult to secure the perimeter 100%.
A sound network security perimeter architecture requires multiple layers of defence, up-to-date and
hardened policies and controls and segmentation. All of these things make it harder for an attacker
to gain access to the critical data assets and easier for the organization to isolate and respond to
breaches when they occur.
Audits performed for the purpose of determining the security stance of a private network are known
as perimeter security tests.
A channel is the means of interaction with an asset and an asset is what has value to the owner.
Channels are classified as
• Physical security
• Spectrum security
• Communications security
The definition of the scope will determine the costs associated with third-party audits.
The scope consists of targets as determined by the selection of channel, test type, and
vectors.
These targets are then indexed to allow for unique identification by the test vector.
The more channels and vectors in a scope, the longer it will take to complete an audit.
Performing an external security assessment on the perimeter at least annually is recommended and
should be affordable since only the external vector is tested.
Audits could be used to verify rules configured for firewall, IDS and spam filtering devices. The audit
needs to be performed independently from whoever installs, configures, and manages the perimeter
to ensure impartiality.
Documenting the effectiveness of perimeter security measures is an important audit activity. The
auditors have to ensure these are established properly as many organizations use perimeter security
as their main line of defence against external threats.
Common problems during and after the perimeter security implementation process include:
• Management and IT staff believe that once a firewall is in place they have sufficient security and
that no further checks and controls are needed on the internal network.
• Analog lines and modems are provided to connect to an Internet service provider or to give dial-in
access to desktop systems, bypassing the perimeter security measures.
• Internal host network services are passed through security perimeter control points unscreened.
• Firewalls, hosts or routers accept connections from multiple hosts on the internal network and
from hosts on the DMZ network.
• Incorrectly configured access lists allow unknown and dangerous services to pass through the
network freely.
• Logged user activity is not reviewed regularly, or the details logged are insufficient, which
degrades the effectiveness of the monitoring system.
• Hosts on the DMZ, or hosts running firewall software, also run unnecessary services.
• Support personnel use unencrypted protocols to manage firewalls and other DMZ devices.
• Employees are allowed to run encrypted tunnels through the organization's perimeter device
without the tunnel's end-point security being validated.
• The company uses unsecured or unsupported wireless network applications.
Organizations purchase security tools to help evaluate the IT network's strength and detect network
vulnerabilities and risk areas. Some of the tools available for different activities include host-based
audit software, network traffic analysis and intrusion detection system tools, security management
and improvement programs, and network-based audit and encryption software. The auditors will
check the effectiveness of these tools and their application.
Web applications are assessed with a mixture of interception proxies, fuzzers, vulnerability scanners,
source code analysers and SQL injection tools. Web application audit and related tools include:
Burp Suite, fuzzing tools, dotDefender, IBM Security AppScan, HP WebInspect, SQL Block Monitor,
Microsoft Source Code Analyzer, Acunetix Web Vulnerability Scanner, WebCruiser, GreenSQL,
Microsoft UrlScan, Absinthe, CORE IMPACT Pro, Safe3SI, BSQLHacker, SQL Power Injector, Havij,
BobCat, Sqlninja, sqlmap, Pangolin (automatic SQL injection penetration testing tool) and
NGSSQuirreL.
Wireless network security audits provide information concerning the actual security level of the
examined infrastructure.
Application security testing and examination help an organization determine whether its custom
application software—for example, Web applications—contains vulnerabilities that can be
exploited, and whether the software behaves and interacts securely with its users, other
applications (such as databases), and its execution environment.
Application security can be assessed in a number of ways, ranging from source code review to
penetration testing of the implemented application. Many application security tests subject the
application to known attack patterns typical for that application’s type. These patterns may directly
target the application itself, or may attempt to attack indirectly by targeting the execution
environment or security infrastructure.
Examples of attack patterns are information leakage (e.g., reconnaissance, exposure of sensitive
information), authentication exploits, session management exploits, subversion (e.g., spoofing,
impersonation, command injections), and denial of service attacks.
Application security assessment should be integrated into the software development life cycle of the
application to ensure that it is performed throughout the life cycle.
For example, code reviews can be performed as code is being implemented, rather than waiting until
the entire application is ready for testing.
Tests should also be performed periodically once an application has gone into production; when
significant patches, updates, or other modifications are made; or when significant changes occur in
the threat environment where the application operates.
Assessors performing application security assessments should have a certain baseline skill set.
Guidelines for the minimum skill set include knowledge of specific programming languages and
protocols; knowledge of application development and secure coding practices; understanding of the
vulnerabilities introduced by poor coding practices; the ability to use automated software code
review and other application security test tools; and knowledge of common application
vulnerabilities.
Application Security Assessments provide assurance that mobile applications, external applications,
internal applications and APIs are secure. Security consultants test the state of applications and
provide actionable recommendations to enhance an organization’s security posture.
An enterprise's network includes computers and workstations, routers, bridges, modems, etc. as
well as the operating, executive, communications, and application software that govern how these
components operate. Most components have some built in automated (technical) security
mechanisms. These mechanisms provide protection services for the information that the
components process, store, or transmit. These services are usually referred to as technical security
controls. The environment that surrounds the network also has protective mechanisms. Security
controls within the environment (nontechnical security controls) reinforce protection afforded by
the component. Physical, procedural, and administrative security mechanisms like back-up power,
door locks, badge systems, policies, operational procedures, location, trusted users, etc., are all
examples of security mechanisms present in the network’s environment. Although the component
and environment offer security mechanisms to protect information, the protection is not absolute —
both can have weaknesses.
Unauthorized individuals use the weaknesses to gain access to critical or sensitive information
stored, processed, or transmitted by the network. An authorized user may exploit a weakness to
misuse the network. The security mechanisms that protect the network can fail, be improperly
configured, or not be implemented at all.
The network security assessment process is used to identify technical and environmental
weaknesses in a network. Network security assessment also identifies real and potential threats to
the network. Real versus theoretical threats must be effectively addressed and over-protecting
marginally valuable assets at the expense of under-protecting critical assets must be avoided.
The network security assessment identifies errors in the configuration and operation of the
network and assesses the enterprise's capability to detect external and internal attacks on the
network. Audit reports identify threats and vulnerabilities to management, with recommendations
concerning their seriousness and possible impact on the enterprise, together with ways, sometimes
at added expense, to mitigate or remove the identified vulnerabilities. Management makes the final
judgement on the cost-benefit trade-off between added security expense and the risk to the
enterprise.
When a company's network infrastructure security is assessed, some of the things assessed
include:
• Where devices such as a firewall or IPS are placed on the network and how they
are configured
• What hackers see when they perform port scans, and how they can exploit
vulnerabilities in the network hosts
• Network design, such as Internet connections, remote access capabilities, layered
defenses and placement of hosts on the network
• Interaction of installed security devices such as firewalls, IDSs, antivirus and so on
• What protocols are in use
• Commonly attacked ports that are unprotected
• Network host configuration
• Network monitoring and maintenance
If a hacker exploits a vulnerability in one of the items above or anywhere in your network's security,
bad things can happen:
• A hacker can use a DoS attack, which can take down your Internet connection -- or even
your entire network.
• A malicious employee using a network analyser can steal confidential information in emails
and files being transferred on the network.
• A hacker can set up backdoors into your network.
• A hacker can attack specific hosts by exploiting local vulnerabilities across the network.
Before moving forward with assessing your network infrastructure security, remember to do the
following:
• Test your systems from the outside in, the inside out and the inside in (that is, between
internal network segments and DMZs).
• Obtain permission from partner networks that are connected to your network to check for
vulnerabilities on their ends that can affect your network's security, such as open ports, the
lack of a firewall or a misconfigured router.
External Penetration Testing Tools: Network Topology Mapper, VisualRoute, Visual Trace Route,
nslookup, NetInspector, SmartWhois, Nmap, Hping3, IDA Pro, Httprint, Netcat, Acunetix Web
Vulnerability Scanner, HP WebInspect, HTTPTunnel.
Internal Network Penetration Testing Tools: Angry IP Scanner, SuperScan, TCPView, GFI
LANguard, Winfingerprint, Wireshark, Tcpdump, Power Spy 2013, L0phtCrack, Arpspoof, Cain and
Abel, Activity Monitor, Active@ Password Changer, Netcat, SMAC, Metasploit, Nessus, Retina
Network Security Scanner.
(SSID is short for service set identifier. An SSID is a case-sensitive network name of up to 32
octets carried in management frames such as beacons and probe responses on a wireless local-area
network (WLAN); it identifies the basic service set (BSS), a component of the IEEE 802.11 WLAN
architecture. The SSID differentiates one WLAN from another, so all access points and all devices
attempting to connect to a specific WLAN must use the same SSID to enable effective roaming, and
as part of the association process a wireless network interface card (NIC) must present the SSID of
the access point or it will not join the BSS. The SSID is not a password: it is transmitted in the
clear and provides no security, even when beacon broadcasting of it is disabled.)
Exploit Vulnerabilities and Access Other Networks
In this phase auditors use the previously discovered vulnerabilities to obtain access to other
network segments. If the team is successful, they will test
different methods to exploit that access. This phase will determine which network segments and
systems the wireless network infrastructure can access, the security controls that separate the
wireless network from other network segments and if the wireless network can be used as a
launching point to attack other systems.
A database management system (DBMS) is a complex set of software programs that controls the
organization, storage and retrieval of data in a database. It also controls the security and
integrity of the database.
When auditing the controls of a database, the auditor would check to see that the following controls
have been implemented and maintained to ensure database integrity and availability:
o Definition standards
o Data backup and recovery procedures
o Access controls
o Only authorized personnel can update the database
o Controls to handle concurrent access problems such as multiple users trying to update the
same record at the same time
o Controls to ensure the accuracy, completeness and consistency of data elements and
relationships.
o Checkpoints to minimize data loss
o Database re-organizations
o Monitoring database performance
o Capacity planning
o Who can access the database without going through the application?
One of the major audit concerns is what access the DBA has. A DBA basically has access to
everything and can do (read, write, change, delete) anything, so supervising and monitoring the DBA
is of critical importance. Logging of the DBA's actions, with the DBA having neither the ability to
deactivate the log nor access to it, are prime requirements.
It goes without saying that access control is the number one issue with database management
systems. Apart from that, the auditor examines disaster recovery and restoration, patch
management, change management, incident logging and all the other issues an auditor would
usually look for.
There is another issue that auditors need to deal with when auditing DBMS and that is to perform
some type of data integrity testing. Data integrity testing is a set of substantive tests (NOTE:
Substantive not Compliance testing) that examines accuracy, completeness, consistency and
authorization of data presently held in a system.
File integrity monitoring is critical for security and compliance. To minimize the risk to sensitive
data, detection of unmanaged changes on file servers and storage appliances is necessary. File
integrity monitoring tools are deployed to alert personnel to unauthorized modifications of critical
system or content files, and to perform file comparisons where the process can be automated.
File integrity monitoring ensures that program and operating system files have not been
compromised. Using file integrity monitoring technology is important to verify that malicious code
has not been inserted into sensitive system, configuration and/or content files. Knowledge of exactly
who modified the file, what the change was, when and where the change was made in order to
prevent possible security and business impact is critical.
Tools provide protection of critical data by providing the following file integrity details:
• file size
• when it was created
• when the change was made
• what exactly was changed
• who made the change
• where the change was made
• previous and current values for the change
• its attributes (e.g., read-only, hidden, system, etc.)
Tracking these details lets an organization be aware of all changes, protect sensitive data,
significantly reduce audit preparation time and maintain compliance with the regulations that
require file integrity monitoring.
It is very difficult to compromise a system without altering a system file, so file integrity checkers are
an important capability in intrusion detection. A file integrity checker computes a checksum for
every guarded file and stores this. At a later time, you can compute a checksum again and test the
current value against the stored value to determine if the file has been modified. A file integrity
checker is a capability that you should expect to receive with any commercial host based intrusion
detection system.
The checksum originally used for this was a 32-bit CRC (Cyclic Redundancy Check). A CRC is a
linear function designed to catch accidental corruption, not deliberate tampering: an attacker can
modify a file and then append a few chosen bytes so that the CRC is unchanged, which is why
attackers have been able to modify files in ways a CRC check could not detect. Stronger checksums
known as cryptographic hashes are therefore required. Early checkers used MD5 and Snefru; MD5 is
no longer collision resistant and Snefru is obsolete, so a current deployment should use SHA-256
or stronger.
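An added example, not from the handbook, of a minimal integrity baseline and check in Python, together with the reason a CRC is not a safe choice: CRC32 is linear, so a tampered file can be padded with four chosen bytes that restore the original CRC, while SHA-256 still detects the change. The file contents are constructed stand-ins for a guarded system file:

```python
import hashlib
import zlib

# Constructed stand-ins for a guarded system file before and after an
# attacker appends a backdoor account (assumptions for the demonstration).
ORIGINAL = b"root:x:0:0:root:/root:/bin/bash\n"
TAMPERED = ORIGINAL + b"backup:x:0:0::/:/bin/sh\n"


def baseline(data: bytes) -> dict:
    """What a checker stores when the file is first guarded."""
    return {
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def check(data: bytes, base: dict) -> dict:
    """Recompute and compare with the stored baseline."""
    return {
        "crc32_ok": (zlib.crc32(data) & 0xFFFFFFFF) == base["crc32"],
        "sha256_ok": hashlib.sha256(data).hexdigest() == base["sha256"],
    }


# --- Why CRC32 is not enough: it is linear, so 4 chosen bytes appended to
# any file steer its CRC to any target value. -----------------------------
_POLY = 0xEDB88320                     # reflected CRC-32 polynomial (zlib)
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)
# The top byte of each table entry is unique, so it identifies the index.
_REV = {t >> 24: i for i, t in enumerate(_TABLE)}


def crc32_patch(data: bytes, target: int) -> bytes:
    """Return 4 bytes such that zlib.crc32(data + patch) == target."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF      # internal register after `data`
    x = target ^ 0xFFFFFFFF                  # register required at the end
    for _ in range(4):                       # walk the 4 byte-steps backwards
        idx = _REV[x >> 24]
        x = (((x ^ _TABLE[idx]) << 8) & 0xFFFFFFFF) | idx
    return ((reg ^ x) & 0xFFFFFFFF).to_bytes(4, "little")


def forge_matches(data: bytes, target: int) -> bool:
    """True if the appended patch really yields the requested CRC."""
    return zlib.crc32(data + crc32_patch(data, target)) == target


def demo() -> dict:
    base = baseline(ORIGINAL)
    forged = TAMPERED + crc32_patch(TAMPERED, base["crc32"])
    return {
        "plain_tamper": check(TAMPERED, base),   # both checks fail
        "forged_tamper": check(forged, base),    # CRC passes, SHA-256 still fails
        "tampered_len": len(TAMPERED),
        "forged_len": len(forged),
    }


if __name__ == "__main__":
    print(demo())
```

A real checker should also record the baseline somewhere the attacker cannot write (read-only media or a separate host), since a tamperer who can replace the stored hash defeats any hash function.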
Auditors check the file integrity monitoring reports and logs, to evaluate effectiveness and use.
Organizations often spend a great deal of money on Log Management and Security Information and
Event Management (SIEM). While there are any number of compliance regulations and auditors
follow various standards, there are a few common core elements to success.
By defining which events are of interest and what should be done about them, security and log
analysis not only aids in compliance but becomes proactive. Log analysis used in this manner can be
used to detect emerging threats and trends, and even to tune and improve overall security. It is easy
to become overwhelmed by the millions of events generated by firewalls, authentication logs,
intrusion logs and other logs ad nauseam; however, certain anomalous behavioural patterns and
repeated events are common and relatively easy to detect signs of malware or intrusion.
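As an added example (not from the handbook) of the repeat-event detection the paragraph describes, a small rule in Python that reads constructed sshd lines in the classic syslog layout, counts failed logins per source address inside a sliding window, and raises a second finding when a success follows from an address that was already flagged. The log lines, host name and addresses are made up for the demonstration:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in the classic syslog layout (not real data).
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:03 web01 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:15:04 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:15:06 web01 sshd[2107]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:15:08 web01 sshd[2109]: Failed password for deploy from 203.0.113.7 port 51242 ssh2
Mar  3 10:15:09 web01 sshd[2111]: Accepted password for deploy from 203.0.113.7 port 51244 ssh2
Mar  3 10:16:00 web01 CRON[2200]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:20:00 web01 sshd[2300]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Mar  3 10:20:05 web01 sshd[2302]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_auth(line, year=2015):
    """Pull the fields a detection rule needs; the classic syslog timestamp
    carries no year, so one is assumed."""
    m = AUTH_RE.match(line)
    if m is None:
        return None                      # not an sshd auth event (e.g. CRON)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window_s=60):
    """Flag a source IP with >= threshold failures inside a sliding window,
    and any later success from an IP that was already flagged."""
    recent = defaultdict(deque)          # ip -> timestamps of recent failures
    flagged = set()
    findings = []
    for line in lines:
        ev = parse_auth(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()              # drop failures outside the window
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                findings.append(("brute_force", ev["ip"], len(q)))
        elif ev["ip"] in flagged:
            findings.append(("success_after_brute_force", ev["ip"], ev["user"]))
    return findings


def demo():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The single failure from the second address is noise and is not reported; the five rapid failures from the first address are, and the success that follows them is the event a responder actually wants to see first.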
Log management (LM) comprises an approach to dealing with large volumes of computer-generated
log messages (also known as audit records, audit trails, event-logs, etc.).
LM covers:
• log collection
• centralized aggregation
• long-term retention
• log rotation
• log analysis (in real-time and in bulk after storage)
• log search and reporting
Concerns about security, system and network operations (such as system or network administration)
and regulatory compliance drive log management.
Effectively analysing large volumes of diverse logs can pose many challenges — such as:
• huge log-volumes (reaching hundreds of gigabytes of data per day for a large organization)
• log-format diversity
• undocumented proprietary log-formats (that resist analysis)
• the presence of false log records in some types of logs (such as intrusion-detection logs)
Logs can contain a wide variety of information on the events occurring within systems and networks.
Security software logs primarily contain computer security-related information. Operating system
logs and application logs typically contain a variety of information, including computer security-
related data.
Under different sets of circumstances, many logs created within an organization could have some
relevance to computer security. For example, logs from network devices such as switches and
wireless access points, and from programs such as network monitoring software, might record data
that could be of use in computer security or other information technology (IT) initiatives, such as
operations and audits, as well as in demonstrating compliance with regulations.
Log management infrastructures, which are typically based on either syslog-based centralized
logging software or security information and event management software, usually use a three-
tiered design.
The first tier encompasses the hosts that generate the original log data.
The second tier includes centralized log servers, which perform consolidation and data
storage.
The third tier contains consoles that are used to monitor and review log data, and optionally
may also be used to manage the log servers and clients.
Communications between the tiers usually occur over the organization’s regular networks, but may
be routed over a separate logging network instead. Organizations may also have log-generating
hosts that cannot actively participate in the log management infrastructure, such as computers that
are not network connected, legacy systems, and appliance-based devices; administrators can either
transfer data manually to the infrastructure from these hosts through removable media, or manage
and analyse the data locally.
Syslog
In a syslog-based centralized logging infrastructure, each log generator uses the same standard log
format and forwards its log entries to a centralized log server. Because syslog is a simple standard
protocol, it can be used by many OSs, security software programs, and applications. The original
syslog standard does not offer much granularity in handling different types of events. Also, because
it has few data fields, it can be very difficult to extract the meaning of the data logged for each event
when multiple log sources are generating events. Syslog was developed when log security was not a
major concern; the original syslog standard offers no features for preserving the confidentiality,
integrity, and availability of logs.
To improve the security of syslog deployments, a newer standard (RFC 5424, with TLS transport
defined in RFC 5425) offers stronger security capabilities, and various syslog implementations have
added features such as reliable log delivery; transmission encryption, integrity protection, and
authentication; robust filtering; automated event responses; log file encryption; and event rate
limiting. Organizations using syslog should use secure syslog implementations, paying particular
attention to interoperability because many syslog clients and servers offer features not specified
in the standards.
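An added example, not from the handbook, that parses both syslog layouts in Python and decodes the PRI field. The sample lines are the example messages given in RFC 3164 and RFC 5424 (with the 5424 byte-order mark omitted); the comparison shows why the classic format leaves most of the meaning in free text while the newer one carries named fields in structured data:

```python
import re

# Facility and severity codes from RFC 5424 section 6.2.1.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Example messages taken from RFC 3164 and RFC 5424 (BOM dropped).
SAMPLE_3164 = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
SAMPLE_5424 = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
               '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
               'An application event log entry')

# Classic BSD syslog: PRI, timestamp, host, TAG[pid]: free text.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
# RFC 5424: PRI, version 1, ISO timestamp, host, app, procid, msgid,
# structured data, then the free-text message.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)


def decode_pri(pri: int) -> tuple:
    """PRI packs both codes into one number: PRI = facility * 8 + severity."""
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_structured_data(rest: str) -> tuple:
    """Split '[id k="v" ...][id2 ...] MSG' into ({id: {k: v}}, MSG).
    Simplification: assumes no escaped ']' inside parameter values."""
    sd = {}
    if rest.startswith("-"):             # NILVALUE: no structured data
        return sd, rest[1:].lstrip()
    while rest.startswith("["):
        end = rest.index("]")
        sd_id, _, params = rest[1:end].partition(" ")
        sd[sd_id] = dict(re.findall(r'(\S+?)="([^"]*)"', params))
        rest = rest[end + 1:]
    return sd, rest.lstrip()


def parse_syslog(line: str) -> dict:
    m = RFC5424_RE.match(line)
    if m:
        facility, severity = decode_pri(int(m["pri"]))
        sd, msg = parse_structured_data(m["rest"])
        return {"format": "rfc5424", "facility": facility, "severity": severity,
                "timestamp": m["ts"], "host": m["host"], "app": m["app"],
                "procid": m["procid"], "msgid": m["msgid"], "sd": sd, "msg": msg}
    m = RFC3164_RE.match(line)
    if m:
        facility, severity = decode_pri(int(m["pri"]))
        return {"format": "rfc3164", "facility": facility, "severity": severity,
                "timestamp": m["ts"], "host": m["host"], "tag": m["tag"],
                "pid": m["pid"], "msg": m["msg"]}
    raise ValueError(f"unrecognised syslog line: {line!r}")


if __name__ == "__main__":
    for sample in (SAMPLE_3164, SAMPLE_5424):
        print(parse_syslog(sample))
```

For the 3164 line everything after the tag (who failed, doing what, on which terminal) has to be recovered from the free text with per-application patterns, which is the "little granularity, few data fields" problem; the 5424 line carries the same kind of detail as named parameters that a collector can index without knowing the application.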
SIEM
Unlike syslog-based infrastructures, which are based on a single standard, security information and
event management (SIEM) software primarily uses proprietary data formats. SIEM products have
centralized servers that perform log analysis and database servers for log storage. Most SIEM
products require agents to be installed on each log generating host; the agents perform filtering,
aggregation, and normalization for a particular type of log. The agents are also responsible for
transferring log data from the individual hosts to a centralized SIEM server on a real-time or near-
real-time basis. Other SIEM products are agentless and rely on an SIEM server to pull data from the
logging hosts and perform the functions that agents normally perform.
SIEM products usually support several dozen types of log sources, including generic formats such as
syslog. Because the SIEM products typically understand the meaning of each logged field for specific
log source formats, an SIEM-based log management infrastructure is usually superior to a syslog-
based infrastructure in performing normalization, analysis, and correlation of log data from multiple
log sources.
SIEM products can analyse data from many sources, identify significant events, and initiate
automated responses if desired. SIEM products may also include analysis GUIs, security knowledge
bases, incident tracking and reporting capabilities, and asset information storage and correlation
capabilities. SIEM products also usually offer capabilities to protect the confidentiality, integrity, and
availability of log data.
Although SIEM software typically offers more robust and broad log management capabilities than
syslog, SIEM software is usually much more complicated and expensive to deploy than a centralized
syslog implementation. Also, SIEM software is often more resource-intensive for individual hosts
than syslog because of the processing that agents perform.
In addition to syslog and SIEM software, there are several other types of software that may be
helpful for log management. Host-based intrusion detection systems (IDS) monitor the
characteristics of a host and the events occurring within it, which might include OS, security
software, and application logs. Host based IDS products are often part of a log management
infrastructure, but they cannot take the place of syslog and SIEM software. Other utilities that are
helpful for log management include visualization tools, log rotation utilities, and log conversion
utilities.
Auditors check for these logs and their management as part of the information security audit. A
security analyst may be directly involved in log monitoring and in following established log
management processes, and can therefore be interviewed directly on this.
VoIP and telephony assessment is a significant concern, even more so in light of the convergence of
voice, data and video. The robustness of the telephony system in isolation is a significant concern;
there is a range of threats to the confidentiality, availability and integrity of the telephony
system, and testing evaluates all of these. VoIP and telephony assessment testing typically includes
reviewing handsets, soft-phones, the telephony servers and a range of network layer activities, to
fully understand whether the telephony system can be considered secure and reliable.
The need to segregate voice services from the traditional corporate network is well publicised and
this is the second area of attention. The method of segregation (commonly VLANs) will be subject to
review, as will any servers that bridge both data and voice networks to ensure that they are capable
of maintaining the required level of segregation.
The type of testing conducted will be dictated by the nature of the solution and, in addition to
telephony-specific skills, tests may include elements of wireless testing, infrastructure penetration
testing, application testing, build reviews, remote access testing and more. The mission-critical
nature of voice services and the challenges of the multi-party ownership of voice services cannot be
underestimated or ignored. Auditors test these services and related infrastructure to establish
government and industry regulatory compliance requirements, discover telephony network
vulnerabilities and risks to business systems, validate the effectiveness of current security
safeguards, and identify remediation steps to help prevent network compromise.
Data leakage audits are conducted to establish whether data is leaving various parts of the
organization. Auditors usually examine outbound e-mail, FTP and Web communications, looking for
leaks of general financial information, corporate plans and strategies, employee and other
personally identifiable information, intellectual property and proprietary processes. Auditors may
place taps between the corporate LAN and the firewall and between the external e-mail gateway and
the firewall, and use software on servers to monitor unencrypted traffic. They then analyse the
traffic against company policy.
l. Social Engineering
Social engineering is an attempt to trick someone into revealing information (e.g., a password) that
can be used to attack systems or networks. It is used to test the human element and user awareness
of security, and can reveal weaknesses in user behaviour—such as failing to follow standard
procedures. Social engineering can be performed through many means, including analog (e.g.,
conversations conducted in person or over the telephone) and digital (e.g., e-mail, instant
messaging). One form of digital social engineering is known as phishing, where attackers attempt to
steal information such as credit card numbers, Social Security numbers, user IDs, and passwords.
Phishing uses authentic-looking emails to request information or direct users to a bogus Web site to
collect information. Other examples of digital social engineering include crafting fraudulent e-mails
and sending attachments that could mimic worm activity.
Social engineering may be used to target specific high-value individuals or groups in the
organization, such as executives, or may have a broad target set. Specific targets may be identified
when the organization knows of an existing threat or feels that the loss of information from a person
or specific group of persons could have a significant impact. For example, phishing attacks can be
targeted based on publicly available information about specific individuals (e.g., titles, areas of
interest). Individual targeting can lead to embarrassment for those individuals if testers successfully
elicit information or gain access. It is important that the results of social engineering testing are used
to improve the security of the organization and not to single out individuals. Testers should produce
a detailed final report that identifies both successful and unsuccessful tactics used. This level of
detail will help organizations to tailor their security awareness training programs.
The reporting phase occurs simultaneously with the other three phases of the penetration test. In
the planning phase, the assessment plan—or ROE—is developed. In the discovery and attack phases,
written logs are usually kept and periodic reports are made to system administrators and/or
management. At the conclusion of the test, a report is generally developed to describe identified
vulnerabilities, present a risk rating, and give guidance on how to mitigate the discovered
weaknesses.
Case Study
This is a case study of an external network penetration test that Dionach performed on one office of
a large UK organization. Some of the information has been changed or omitted to maintain
confidentiality.
BACKGROUND
The client had most of their web servers at a single office and wished to understand their
current level of external risk. They commissioned Dionach to carry out an external penetration
test and supplied Dionach with the external IP address range to be tested.
Dionach then proceeded with the four stages of the penetration test:
Information gathering
Student Handbook – Security Analyst SSC/N0904/N0905
INFORMATION GATHERING
Dionach first verified that the IP address range supplied was assigned to the organisation by querying
the RIPE Whois Database. This also starts the information gathering process, as emails, telephone
numbers and addresses are available from RIPE. DNS servers were then queried for more information
such as registration details and mail servers. Internet, forum and newsgroup searches on key
individuals did not reveal much information that would be useful in penetrating the network, for
example any information about the technology that the organisation has used, or the skills of
individuals. An internally developed tool was used on search engines to find DNS names with IP
addresses within the IP range. This turned up 19 different web sites on 5 different IP addresses. It was
assumed that there were other web sites hosted by the organisation that hadn't been indexed by
search engines.
Note that all of this information is publicly available, and was discovered with little or no direct
contact with the organisation's network.
The service banners showed that the web and FTP services were all Microsoft IIS based, with a
mixture of IIS 4.0 (Windows NT) and IIS 5.0 (Windows 2000). Four of the service banners disclosed
internal computer names or private IP addresses.
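The following Python script is an added example; it is not part of the Dionach case study or of the handbook's original text. It shows the two checks the case study describes: keeping only search-engine hits whose address falls inside the range the client authorised, and reading IIS and Microsoft FTP banners for product version, the Windows release that version implies, and any internal hostname or private address the banner leaks. The range 203.0.113.0/28, the hostnames and the banners are constructed for the example.

```python
import ipaddress
import re

# Constructed sample data for this example; none of it comes from the case study.
# Hypothetical client range (TEST-NET-3) and search-engine hits of the kind described
# above: hostnames resolved to addresses, one of them outside the range.
IN_SCOPE = ipaddress.ip_network("203.0.113.0/28")

SEARCH_HITS = {
    "www.example.test": "203.0.113.5",
    "shop.example.test": "203.0.113.5",
    "old.example.test": "203.0.113.9",
    "cdn.example.test": "198.51.100.7",   # hosted by a third party: out of scope
}

# Constructed service banners keyed by ip:port.
BANNERS = {
    "203.0.113.5:80": (
        "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
        "Content-Location: http://10.0.0.12/default.htm\r\n"
    ),
    "203.0.113.9:21": "220 WEBNT01 Microsoft FTP Service (Version 4.0).",
    "203.0.113.9:80": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n",
}

# Each IIS version shipped with one Windows release, so the banner implies the OS.
IIS_VERSION_TO_OS = {"4.0": "Windows NT 4.0", "5.0": "Windows 2000"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IIS_RE = re.compile(r"Microsoft-IIS/(\d+\.\d+)")
MSFTP_RE = re.compile(r"^220 (\S+) Microsoft FTP Service \(Version (\d+\.\d+)\)")


def in_scope_hosts(hits, network):
    """Keep only hostnames whose address lies inside the range the client authorised."""
    return {host: ip for host, ip in hits.items()
            if ipaddress.ip_address(ip) in network}


def analyse_banner(banner):
    """Extract product, OS guess and any internal names or private addresses a banner leaks."""
    finding = {"product": None, "os_guess": None, "leaks": []}
    m = IIS_RE.search(banner)
    if m:
        finding["product"] = "IIS " + m.group(1)
        finding["os_guess"] = IIS_VERSION_TO_OS.get(m.group(1))
    m = MSFTP_RE.match(banner)
    if m:
        finding["product"] = "Microsoft FTP Service " + m.group(2)
        finding["os_guess"] = IIS_VERSION_TO_OS.get(m.group(2))
        finding["leaks"].append("internal hostname " + m.group(1))
    for ip in IPV4_RE.findall(banner):
        try:
            if ipaddress.ip_address(ip).is_private:
                finding["leaks"].append("private address " + ip)
        except ValueError:      # e.g. 999.1.1.1 matched the loose regex
            pass
    return finding


def audit(hits, network, banners):
    """Tie the two steps together: in-scope hosts, then banner findings per ip:port."""
    hosts = in_scope_hosts(hits, network)
    distinct_ips = sorted(set(hosts.values()))
    findings = {key: analyse_banner(b) for key, b in banners.items()
                if ipaddress.ip_address(key.split(":")[0]) in network}
    return {"hosts": hosts, "distinct_ips": distinct_ips, "findings": findings}


if __name__ == "__main__":
    for key, f in audit(SEARCH_HITS, IN_SCOPE, BANNERS)["findings"].items():
        print(key, f)
```

The scope filter matters as much as the banner parsing: a hostname that belongs to the client but resolves to a third-party hosting range is not covered by the authorisation the client gave, and probing it is outside the rules of engagement.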
Dionach then looked at the web sites identified in the information gathering exercise and in the
port scanning. Some of these were dynamic sites, some using CGI applications with .exe
extensions and others using ASP pages. Using open source scripts and tools, as well as in-house
developed tools and a manual process, the dynamic web sites were checked for web application
vulnerabilities. Common problems were discovered, the most serious of which was that some of
the pages were vulnerable to SQL injection that allowed arbitrary SQL statements to be executed
and, through them, commands on the server itself, giving full control of the server. The proxy
server identified in the port scan appeared to allow access to an intranet, although limited
internal information was available.
REPORTING
The issues listed above and other issues not mentioned were compiled and put into the final report. The
report noted the dates the test was carried out on, and the IP address range. The issues were graded into
the following risk levels: critical, high, medium, low and informational. The executive summary specified
that the overall security represented critical risk, and highlighted that although firewall configuration was
well maintained, application and operating system security allowed remote intruders to gain access and
control to a number of servers. The number of issues identified at each risk level (critical, high, medium,
low and informational) was presented graphically and key issues starting with the most critical were
listed with recommendations given for resolution of each.
There then followed the technical part of the report, which detailed:
• Information gathered: RIPE Whois information, DNS information and web site domain names.
• Exploit tests carried out, such as mail relay and DNS zone transfer.
• Summary walkthroughs and locations of the exploited web server and web application
vulnerabilities.
• Technical, in-depth list of issues discovered and recommendations on reducing the risk, starting
with the most critical.
PRESENTATION
Dionach then presented the report to the organisation face to face, which ensured that the organisation
got the most value out of the report and a good understanding of the issues. Following this, the
organisation rebuilt the previously compromised web server, reviewed the web applications, and then
requested Dionach to carry out a follow-up penetration test.
Source : https://www.dionach.com/library/network-penetration-test-case-study
Summary
A penetration test is the process of actively evaluating a company's information security
measures. The measures are actively analysed for design weaknesses, technical flaws and
vulnerabilities. The results are delivered comprehensively in a report to executive, management
and technical audiences.
Testing should be performed on all hardware and software components of a network security
system.
According to one classification, there are three stages in penetration testing
o Pre-attack
o Attack Phase
o Post-attack phase
The three stages of reconnaissance are:
o Footprinting
o Scanning
o Enumerating
Types of Reconnaissance
o Active Reconnaissance
o Passive Reconnaissance
The reconnaissance process seeks to gather as much information about the target network as
possible, following these seven steps:
o Gather initial information
o Determine the network range
o Identify active machines
o Discover open ports and access points
o Fingerprint the operating system
o Uncover services on ports
o Map the network
The next phase is the attack phase, where if an attack is successful, the vulnerability is verified
and safeguards are identified to mitigate the associated security exposure.
Attack phase activities include: perimeter auditing, web application auditing, wireless auditing,
application security auditing, network security auditing, wireless/remote access auditing,
database auditing, file integrity checking, log management auditing, telephone security, data
leakage auditing, social engineering auditing
At the conclusion of the test, a report is generally developed to describe identified
vulnerabilities, present a risk rating, and give guidance on how to mitigate the discovered
weaknesses.
Practical Activity:
Activity 1:
Collate data from various sources and list the various types of penetration testing
based on the object of testing. List down steps and considerations for each type of
testing including the various tools that are available in the market for the particular
testing.
Activity 2:
Compare various data security companies and their offerings for penetration testing.
Compare their features, benefits and value propositions, also research reviews of
various clients /independent reviewers of their products and services.
Activity 3:
Study from various sources and discuss in class the legal and ethical concerns of
penetration testing. Also to explore the advantages and disadvantages of penetration
testing.
Q. A security tester is sending random data to a program. What does this describe?
a) Fuzzing
b) Buffer overflow
c) Integer overflow
d) Command injection
Q. Your organization wants to improve the security posture of internal database servers. Of the
following choices, what provides the BEST solution?
a) Opening ports on a server’s firewall
b) Disabling unnecessary services
c) Keeping systems up to date with current patches
d) Keeping systems up to date with current service packs
UNIT VI
Information Security Audit
Tasks
Lesson Plan
6.1. Pre-audit tasks
6.2. Information gathering
6.3. External Security Audit
6.4. Internal Network Security Auditing
6.5. Firewall Security Auditing
6.6. IDS Security Auditing
6.7. Social Engineering Audit
LESSON PLAN
A security analyst may contribute to the following activities during the audit process.
The auditors should ensure that the scope 'makes sense' in relation to the organization. The audit
scope should normally match the scope of the Information Security Management System (ISMS)
being certified. For example, large organizations with multiple divisions or business units may have
separate ISMSs, an all-encompassing enterprise-wide ISMS, or some combination of local and
centralized ISMSs. If the ISMS certification is for the entire organization, the auditors may need to
review the ISMS in operation at all, or at least a representative sample, of business locations, such as
the headquarters and a selection of discrete business units chosen by the auditors.
The auditors should pay particular attention to information security risks and controls associated
with information conduits to other entities (organizations, business units etc.) that fall outside the
scope of the ISMS, for example checking the adequacy of information security-related clauses in
Service Level Agreements or contracts with IT service suppliers. This process should be easier where
the out-of-scope entities have been certified compliant with ISO/IEC 27001.
During the pre-audit survey, the ISMS auditors identify and ideally make contact with the
main stakeholders in the ISMS, such as the ISMS manager(s), security architects, ISMS
developers, ISMS implementers and other influential figures such as the CIO and CEO, taking
the opportunity to request pertinent documentation that will be reviewed during the
audit. The organization normally nominates one or more audit "escorts", individuals who are
responsible for ensuring that the auditors can move freely about the organization and rapidly
find the people, information etc. necessary to conduct their work, and who act as management
liaison points.
The primary output of this phase is an agreed ISMS audit scope, charter, engagement letter or
similar. Contact lists and other preliminary documents are also obtained and the audit files are
opened to contain documentation (audit working papers, evidence, reports etc.) arising from the
audit. The pre-audit questionnaire is used to assist the audit manager in gathering pertinent
information prior to the on-site visit. Information gathered from the pre-audit questionnaire is used
to formulate additional questions to be answered during the on-site visit and to assist in determining
policy compliance. Additionally, the pre-audit questionnaire is used as a tool by audit managers to
prepare information sheets for local auditors, outlining/summarizing the CSAs audit program and
procedures.
Information gathering is essentially using the Internet to find all the information you can about
the target (company and/or person) using both technical (DNS/WHOIS) and non-technical
(search engines, newsgroups, mailing lists etc.) methods.
Information gathering does not require the assessor to establish contact with the target system.
Information is collected (mainly) from public sources on the Internet and from organizations that hold
public information (e.g. tax agencies, libraries, etc.). The information gathering phase of a penetration
test is important for the tester because assessments are generally limited in time and resources:
it is critical to identify the points most likely to be vulnerable and to focus on them.
Even the best tools are useless if not used appropriately, in the right place and at the right time,
which is why experienced testers invest a significant amount of time in information gathering.
Information gathering is a necessary step of a penetration test and can be carried out in many
different ways. By using public tools (search engines), scanners, and simple or specially crafted
HTTP requests, it is possible to force the application to leak information, e.g. by disclosing
error messages or revealing the versions and technologies used. It includes the following steps:
1. Spiders, Robots and Crawlers: This phase of the Information Gathering process consists of
browsing and capturing resources related to the application being tested.
3. Identify application entry points: Enumerating the application and its attack surface is a key
precursor before any attack should commence. This section will help you identify and map out every
area within the application that should be investigated once your enumeration and mapping phase
has been completed.
4. Testing Web Application Fingerprint: Application fingerprint is the first step of the Information
Gathering process; knowing the version and type of a running web server allows testers to
determine known vulnerabilities and the appropriate exploits to use during testing.
6. Analysis of Error Codes: During a penetration test, web applications may divulge information that
is not intended to be seen by an end user. Information such as error codes can inform the tester
about technologies and products being used by the application. In many cases, error codes can be
easily invoked without the need for specialist skills or tools, due to bad exception handling design
and coding. Clearly, focusing only on the web application will not be an exhaustive test; it cannot be
as comprehensive as the information gathered by performing a broader infrastructure
analysis.
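The error-code analysis step above can be scripted. The following Python is an added example, not part of the handbook's original text: the HTTP responses are constructed, the regular expressions match the standard wording of ODBC/SQL Server, Java, .NET and PHP error output, and `triage` returns only the probes whose responses disclosed something, with SQL errors first because they point straight at the injection class the case study in this unit ended with.

```python
import re

# Constructed HTTP responses of the kind a tester provokes with malformed requests;
# they are not captured from any real application.
RESPONSES = {
    "GET /orders.asp?id=1'": (
        "HTTP/1.1 500 Internal Server Error\r\n"
        "Server: Microsoft-IIS/5.0\r\n"
        "Content-Type: text/html\r\n\r\n"
        "<font face=\"Arial\" size=2><p>Microsoft OLE DB Provider for ODBC Drivers "
        "error '80040e14'</font><p>[Microsoft][ODBC SQL Server Driver][SQL Server]"
        "Unclosed quotation mark before the character string ''.</p>"
    ),
    "GET /app/report": (
        "HTTP/1.1 500 Internal Server Error\r\n"
        "Server: Apache-Coyote/1.1\r\n"
        "Content-Type: text/html\r\n\r\n"
        "<h1>HTTP Status 500</h1><pre>java.lang.NullPointerException\n"
        "\tat com.example.report.Builder.render(Builder.java:88)</pre>"
    ),
    "GET /doesnotexist": (
        "HTTP/1.1 404 Not Found\r\n"
        "Server: nginx\r\n"
        "Content-Type: text/html\r\n\r\n"
        "<html><body>Page not found.</body></html>"
    ),
}

# Signatures of verbose error output; each one pins down part of the technology stack.
ERROR_SIGNATURES = {
    "ASP/ODBC (SQL Server)": re.compile(r"OLE DB Provider for ODBC|\[SQL Server\]"),
    "Java stack trace": re.compile(
        r"java\.lang\.\w+(?:Exception|Error)|\bat [\w.$]+\(\w+\.java:\d+\)"),
    ".NET stack trace": re.compile(r"Stack Trace:|\bat System\."),
    "PHP warning": re.compile(r"<b>(?:Warning|Fatal error|Notice)</b>:.*on line \d+"),
}

# Response headers that name the server software outright.
TECH_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def analyse_error(raw):
    """Record status, technology headers and any verbose-error signature in one response."""
    status, headers, body = parse_response(raw)
    disclosures = [name for name, rx in ERROR_SIGNATURES.items() if rx.search(body)]
    return {
        "status": status,
        "technologies": [h + ": " + headers[h] for h in TECH_HEADERS if h in headers],
        "disclosures": disclosures,
        "sql_error": "ASP/ODBC (SQL Server)" in disclosures,
    }


def triage(responses):
    """Return only the probes whose responses disclosed something, SQL errors first."""
    results = {req: analyse_error(raw) for req, raw in responses.items()}
    leaky = {req: f for req, f in results.items() if f["disclosures"]}
    return dict(sorted(leaky.items(), key=lambda kv: (not kv[1]["sql_error"], kv[0])))


if __name__ == "__main__":
    for req, finding in triage(RESPONSES).items():
        print(req, finding)
```

A 500 with a database driver message in the body is the finding to report first: it confirms both that user input reaches a query unescaped and which database engine is behind it, so the remediation (parameterised queries plus a generic custom error page) is clear from the evidence alone.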
Phase One
Network survey: A network survey is like an introduction to the system being tested. It yields a
"network map" from which you can find the number of reachable systems to be tested without
exceeding the legal limits of what you may test. Usually more hosts are detected during the testing,
and they should be added to the network map as they appear. The results that the tester might get
from network surveying are: domain names, server names, IP addresses, a network map, ISP/ASP
information, and system and service owners. Network surveying can be done using TTL modulation
(traceroute) and record route (e.g. ping -R), although classical sniffing is sometimes just as
effective.
Phase Two
Phase Three
Port scanning: Port scanning is the invasive probing of system ports at the transport and network
level. Included here is also the validation of system reception to tunnelled, encapsulated or routing
protocols. Testing for different protocols will depend on the system type and the services it offers.
However, it is not always necessary to test every port on every system; this is left to the discretion
of the test team. Port numbers that are important for testing according to the service are listed with
the task. Additional port numbers for scanning should be taken from the Consensus Intrusion
Database Project Site. The results that the tester might get from port scanning are: a list of all open,
closed or filtered ports; IP addresses of live systems; internal system network addressing; a list of
discovered tunnelled and encapsulated protocols; and a list of discovered routing protocols supported.
Methods include SYN and FIN scanning, and variations thereof, e.g. fragmentation scanning.
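The following Python is an added example, not taken from the handbook or from any scanner's source. It builds the TCP header of a SYN, FIN, NULL or Xmas probe with a correct checksum (nothing is sent on the wire; the addresses are constructed), verifies that checksum the way a receiving stack would, and classifies a port from the flags of the reply. It goes slightly beyond the paragraph above by also covering the NULL and Xmas variants listed among the external audit steps later in this unit.

```python
import socket
import struct

# TCP flag bits (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Flag combinations that define each scan type.
SCAN_FLAGS = {"syn": SYN, "fin": FIN, "null": 0, "xmas": FIN | PSH | URG}


def checksum(data):
    """Internet checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum covers in addition to the segment."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_probe(src_ip, dst_ip, sport, dport, scan, seq=0):
    """Return the 20-byte TCP header of a scan probe with a valid checksum. Nothing is sent."""
    flags = SCAN_FLAGS[scan]
    # sport, dport, seq, ack, data offset (5 words) << 4, flags, window, checksum, urgent ptr
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]   # checksum sits at offset 16


def verify_probe(src_ip, dst_ip, segment):
    """A segment with a correct checksum sums to zero together with its pseudo-header."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def flags_of(segment):
    """The flags byte of a TCP header (byte 13)."""
    return segment[13]


def classify(scan, reply_flags):
    """Infer port state from the probe type and the reply's flags (None = no reply)."""
    if reply_flags is not None and reply_flags & RST:
        return "closed"
    if scan == "syn":
        if reply_flags is not None and (reply_flags & (SYN | ACK)) == (SYN | ACK):
            return "open"
        return "filtered"          # silence or ICMP unreachable: something dropped the probe
    # FIN/NULL/Xmas: an RFC 793 host stays silent on an open port, so silence is ambiguous.
    if reply_flags is None:
        return "open|filtered"
    return "unexpected reply"


if __name__ == "__main__":
    probe = build_probe("192.0.2.1", "192.0.2.2", 40000, 80, "syn", seq=1)
    print(probe.hex(), verify_probe("192.0.2.1", "192.0.2.2", probe))
    print(classify("syn", SYN | ACK), classify("fin", None))
```

Two caveats a tester needs before trusting the FIN/NULL/Xmas results: Windows hosts (the IIS servers in the case study, for instance) answer those probes with RST whatever the port state, so every port reads "closed"; and a stateful firewall that drops out-of-state segments makes every port read "open|filtered". A SYN scan, or a full connect scan, is the reference to compare against.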
Phase Four
Services identification: This is the active examination of the application listening behind the service.
In certain cases more than one application exists behind a service, where one application is the
listener and the others are considered components of the listening application. The results of service
identification are: service types, service application type and patch level, and a network map.
The methods used in service identification are the same as in port scanning. Information gathering
can be performed in two ways:
1. The first method is to perform information gathering techniques with a 'one to one' or 'one to
many' model, i.e. a tester performs techniques in a linear way against either one target host or a
logical grouping of target hosts (e.g. a subnet). This method is used to achieve immediacy of result;
it is often optimised for speed and often executed in parallel.
2. The second method is to perform information gathering using a 'many to one' or 'many to many'
model. The tester utilises multiple hosts to execute information gathering techniques in a random,
rate-limited and non-linear way. This method is used to achieve stealth (distributed information
gathering).
An External Intrusion Audit and Analysis identifies strengths and weaknesses of a client system and
network as they appear from outside the client's security perimeter, usually from the Internet.
Why Is It Done?
This is done to demonstrate the existence of known vulnerabilities in the client system and network
that could be exploited by an external attacker.
Client Benefits
The client benefits by anticipating external attacks that might cause security breaches and by
proactively reducing risks to information, systems and networks. It also improves the security of the
client's networked resources, which in turn supports e-commerce and e-business operations with
increased confidence in the ability to protect data, information and resources.
• Inventory the company's external infrastructure and create a topological map of the
network
• Identify the IP addresses of the targets
• Locate the traffic route that goes to the web servers
• Locate the TCP and UDP traffic paths to the destination
• Identify the physical location of the target servers
• Examine the use of IPv6 at the remote location
• Look up the domain registry for IP information and find IP block information about the target
• Locate the ISP servicing the client
• List open and closed ports
• List suspicious ports that are half-open or half-closed
• Port scan every port on the target's network
• Use a SYN scan and a connect scan on the target and observe the responses
• Use XMAS, FIN and NULL scans on the target and observe the responses
• Firewalk the router's gateway and infer the access list
• Examine TCP sequence number predictability
• Examine the use of standard and non-standard protocols
• Examine IPID sequence number predictability
• Examine the system uptime of the target
• Examine the operating system used by each target
• Examine the patches applied to the operating system
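Two of the checks listed above, TCP sequence number prediction and IPID sequence prediction, can be scripted as below. This is an added example and not part of the handbook: the ISN and IPID samples are constructed, and the predictability thresholds are this example's own assumption rather than nmap's exact scale, although the idea (log2 of the spread of successive increments) is the same one nmap's "TCP Sequence Prediction" difficulty is built on.

```python
import math
import statistics

# Constructed samples, as a tester would collect them from several connections to one host.
ISN_TIME_BASED = [1000, 65010, 128990, 193020, 257000]        # ~64000 per sample, tiny jitter
ISN_COUNTER = [126976, 190976, 254976, 318976, 382976]        # exactly +64000 each time
ISN_RANDOM = [0x3A1F8C21, 0x9C0B4E77, 0x12D5A0F3, 0xE40C2B98, 0x7B6E1D04]

IPID_INCREMENTAL = [100, 101, 102, 103, 104]
IPID_ZERO = [0, 0, 0, 0]
IPID_SWAPPED = [0x0100, 0x0200, 0x0300, 0x0400]               # counter in the wrong byte order
IPID_RANDOM = [0x1234, 0x9A0B, 0x44F1, 0xC02E]


def deltas(samples, bits):
    """Differences between successive samples, modulo the field width."""
    mod = 1 << bits
    return [(b - a) % mod for a, b in zip(samples, samples[1:])]


def classify_isn(samples):
    """Rate the predictability of a target's TCP initial sequence numbers.

    Returns (label, index); the index is log2 of the standard deviation of the
    increments. The thresholds below are this example's own assumption.
    """
    if len(samples) < 4:
        raise ValueError("need at least four ISN samples")
    d = deltas(samples, 32)
    if all(x == 0 for x in d):
        return "constant", 0.0
    if len(set(d)) == 1:
        return "constant increment", 0.0
    sd = statistics.pstdev(d)
    index = math.log2(sd) if sd >= 1 else 0.0
    if index < 10:
        label = "trivial (time or counter based)"
    elif index < 20:
        label = "weak"
    else:
        label = "strong (random)"
    return label, round(index, 1)


def classify_ipid(samples):
    """Describe how a host generates IP identification values."""
    if len(samples) < 3:
        raise ValueError("need at least three IPID samples")
    if all(s == 0 for s in samples):
        return "all zeros"
    d = deltas(samples, 16)
    if all(x == 0 for x in d):
        return "constant"
    if all(1 <= x <= 10 for x in d):
        return "incremental"          # usable as an idle-scan zombie; counts packets sent
    if all(x % 256 == 0 and 256 <= x <= 2560 for x in d):
        return "incremental (byte-swapped counter)"
    return "random"


if __name__ == "__main__":
    for name, s in (("time", ISN_TIME_BASED), ("counter", ISN_COUNTER), ("random", ISN_RANDOM)):
        print(name, classify_isn(s))
    for s in (IPID_INCREMENTAL, IPID_ZERO, IPID_SWAPPED, IPID_RANDOM):
        print(classify_ipid(s))
```

A "trivial" or "constant increment" ISN result means a remote attacker who can guess the next sequence number can spoof a TCP session from a trusted address; an "incremental" IPID lets an attacker use the host as an idle-scan relay and count how many packets it sends between probes. Both are findings for the report even when no port is otherwise exposed.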
What if a casual visitor walks into the company and steals data from one of the isolated
machines? An internal network penetration test validates the level of internal security on the
client network. According to statistics maintained by the Federal Bureau of Investigation (FBI),
fifty percent of companies reporting break-ins to their networks and/or business applications state
that they were compromised by internal attacks. Internal network security is, more often than not,
underestimated by administrators. Very often it does not even exist, allowing one user to access
another user's machine easily using well-known exploits, trust relationships and default settings.
Most of these attacks require little or no skill, putting the integrity of the network at stake.
Most employees do not need, and should not have, access to each other's machines, administrative
functions, network devices and so on. However, because of the flexibility needed for normal
operation, internal networks cannot afford maximum security. On the other hand, with no security
at all, internal users can be a major threat to corporate internal networks. A user within the company
already has access to many internal resources and does not need to bypass firewalls or other security
mechanisms that prevent untrusted sources, such as Internet users, from accessing the internal
network. Poor internal security also means that, should an external attacker break into one computer
on the network, he or she can then reach the rest of the internal network more easily. This would
enable a sophisticated attacker to read and possibly leak confidential emails and documents, destroy
data on computers, and more. Such an attacker could also use your network and its resources to
attack other sites, and when that is discovered it will lead back to you and your company, not to
the attacker.
Most attacks, against known exploits, could be easily fixed and, therefore, stopped by administrators
if they knew about the vulnerability in the first place. During an Internal Network Security
Assessment, security experts scan the entire internal local-area and wide-area networks for known
vulnerabilities. These scans include all servers, workstations, and network devices.
• Examining the internal configuration and setup of the organizations computing resources.
• Users’ accounts & password policies and practices
• Access privileges and levels
• File, directory, event log and registry permissions
• Audit logs
• Software Patch management
• Physical network cabling
• Backup methodology & disaster recovery plans
Internal testing covers the computers and devices inside the company's perimeter. An internal
penetration test includes the following steps:
• Map the internal network
• Scan the network for live hosts
• Port scan individual machines
• Try to gain access using known vulnerabilities
• Attempt to establish null sessions
• Enumerate users/identify domains on the network
• Sniff the network using Wireshark
• Sniff POP3/FTP/Telnet passwords
• Sniff email messages
• Attempt replay attacks
• Attempt ARP poisoning
• Attempt MAC flooding
• Conduct a man-in-the middle attack
• Attempt DNS poisoning
• Try a login to a console machine
• Boot the PC using alternate OS and steal the SAM file
• Attempt to plant a software keylogger to steal passwords
• Attempt to plant a hardware keylogger to steal passwords
• Attempt to plant spyware on the target machine
• Attempt to plant a Trojan on the target machine
• Attempt to create a backdoor account on the target machine
• Attempt to bypass anti-virus software installed on the target machine
• Attempt to send virus using the target machine
• Attempt to plant rootkits on the target machine
• Hide sensitive data on target machines
• Hide hacking tools and other data on target machines
• Use various Steganography techniques to hide files on target machine
• Escalate user privileges
• Capture POP3/SMTP/IMAP email traffic
• Capture the communications between the FTP client and FTP server
• Capture HTTP/HTTPS/RDP/VoIP traffic
• Run Wireshark with the filter ip.src == ip_address
• Run Wireshark with the filter ip.dst == ip_address
• Run Wireshark with the filter tcp.dstport == port_no
• Run Wireshark with the filter ip.addr == ip_address
• Spoof the MAC address
• Poison the victim’s IE proxy server
• Attempt session hijacking on Telnet/FTP/HTTP traffic
Continue to compromise every machine in the network, repeating the previous steps. Make sure
every action is recorded and can be undone, so that the environment can be restored to its state
before the test.
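The ARP poisoning and man-in-the-middle steps above have a defensive counterpart that the same test should exercise: can the client's monitoring see the attack? The following Python is an added example (not part of the handbook) that walks a constructed list of ARP replies, flags any IP whose MAC changes, and reports a MAC that claims both the gateway and another host, which is the signature of an ARP man-in-the-middle. The addresses are constructed; 10.10.0.1 is assumed to be the gateway.

```python
from collections import defaultdict

# Constructed ARP reply records: (time, sender_ip, sender_mac, target_ip).
# Not a real capture. 10.10.0.1 is the hypothetical gateway; de:ad:be:ef:00:01 the attacker.
ARP_REPLIES = [
    (0.0, "10.10.0.1",  "00:11:22:33:44:01", "10.10.0.25"),
    (0.1, "10.10.0.25", "00:11:22:33:44:25", "10.10.0.1"),
    (5.0, "10.10.0.1",  "de:ad:be:ef:00:01", "10.10.0.25"),   # attacker claims the gateway
    (5.0, "10.10.0.25", "de:ad:be:ef:00:01", "10.10.0.1"),    # ... and the victim
    (7.0, "10.10.0.40", "00:11:22:33:44:40", "10.10.0.1"),
]

GATEWAY_IP = "10.10.0.1"


def detect_arp_spoofing(replies, gateway_ip, known=None):
    """Flag IP-to-MAC changes and MACs claiming several IPs, as ARP poisoning indicators.

    `known` is an optional static baseline (ip -> mac), e.g. the gateway's real address,
    so the first reply for that IP is already checked instead of trusted.
    """
    table = dict(known or {})
    alerts = []
    for ts, ip, mac, _target in replies:
        prev = table.get(ip)
        if prev is not None and prev != mac:
            alerts.append({
                "time": ts, "ip": ip, "old_mac": prev, "new_mac": mac,
                "severity": "high" if ip == gateway_ip else "medium",
            })
        table[ip] = mac

    ips_per_mac = defaultdict(set)
    for _ts, ip, mac, _target in replies:
        ips_per_mac[mac].add(ip)
    multi = {mac: sorted(ips) for mac, ips in ips_per_mac.items() if len(ips) > 1}
    # A MAC answering for the gateway and for another host sits between the two.
    mitm = sorted(mac for mac, ips in multi.items() if gateway_ip in ips)
    return {"alerts": alerts, "multi_ip_macs": multi, "mitm_suspects": mitm, "table": table}


if __name__ == "__main__":
    result = detect_arp_spoofing(ARP_REPLIES, GATEWAY_IP)
    for alert in result["alerts"]:
        print(alert)
    print("MITM suspects:", result["mitm_suspects"])
```

Wireshark's own `arp.duplicate-address-detected` display filter marks the first condition in a capture. On the network side, static ARP entries for the gateway on critical hosts and Dynamic ARP Inspection on the switches are the controls that stop the attack rather than merely detect it.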
A firewall is a set of related programs, located at a network gateway server that protects the
resources of a private network from users from other networks. A firewall sits at the junction point
or gateway between the two networks, usually a private network and a public network, such as the
Internet. Firewalls protect against hackers and malicious intruders. It is a combination of hardware
and software that separates a LAN into two or more parts for security purposes
Firewalls are at the top of the list of critical security devices that businesses use to protect their
assets. Firewalls come in all shapes and sizes, but they operate on the same basic principle: limit
the exposure of computer systems to only those protocols and ports necessary to provide services,
thereby reducing the attack surface of the system. Auditing a firewall primarily revolves around
inspecting the firewall rules to make sure that they accurately enforce the security policy and
provide as high a degree of protection as is feasible.
A firewall examines all traffic routed between the two networks to see if it meets certain criteria. It
routes packets between the networks. It filters both inbound and outbound traffic. It manages
public access to private networked resources such as host applications. It logs all attempts to enter
the private network and triggers alarms when hostile or unauthorized entry is attempted. Firewalls
block unauthorized traffic, but if an organization wants to follow good practices, then it needs to
layer on other security countermeasures to defend against attacks that firewalls are not designed to
prevent.
Address filtering:
• Firewalls can filter packets based on their source and destination addresses and port numbers.
Network filtering:
• Firewalls can also filter specific types of network traffic. The decision to forward or reject traffic is
dependent upon the protocol used, for example HTTP, FTP, or Telnet.
If a server is compromised through an attack against an authorised port and service, it is not the
firewall that failed but the lack of defence in depth. Of course, the concept of what a firewall is just
isn't as clear as it was in the days of single-purpose firewalls. We live in a unified threat
management world, and today's firewalls perform a great many security tasks; IPS and VPN functions
have been integrated into the firewall product line. Unified Threat Management (UTM) devices
operate as a combined threat management device, but the foundational elements of the firewall
remain central to how the device operates.
A firewall may allow all traffic through unless it meets certain criteria, or it may deny all traffic unless
it meets certain criteria. The type of criteria used to determine whether traffic should be allowed
through varies from one type of firewall to another. Firewalls may be concerned with the type of
traffic, or with source or destination addresses and ports. They may also use complex rule bases that
analyse the application data to determine if the traffic should be allowed through.
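The rule inspection that a firewall audit revolves around can be expressed in code. The following Python is an added example, not from the handbook or any firewall vendor: a first-match evaluator over a constructed rule base, the two checks an auditor runs first (rules shadowed by an earlier rule, and permits open to any source on every port), and the default-deny versus default-allow behaviour the paragraph above describes. The addresses and rule names are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: str             # CIDR
    dst: str             # CIDR
    ports: tuple = ANY_PORTS   # inclusive destination port range

    def matches(self, pkt):
        """Does this rule apply to a packet given as {proto, src, dst, dport}?"""
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.ports[0] <= pkt["dport"] <= self.ports[1])

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return ((self.proto == "any" or self.proto == other.proto)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1])


# Constructed rule base (first match wins), not taken from any real firewall.
RULES = [
    Rule("web-public", "allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", (80, 80)),
    Rule("vendor-any", "allow", "tcp", "0.0.0.0/0", "203.0.113.0/24"),   # "temporary" access
    Rule("block-rdp",  "deny",  "tcp", "0.0.0.0/0", "203.0.113.10/32", (3389, 3389)),
    Rule("web-lan",    "allow", "tcp", "203.0.113.0/24", "203.0.113.10/32", (80, 80)),
]


def evaluate(rules, pkt, default="deny"):
    """First-match evaluation; `default` is the policy when no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default"


def find_shadowed(rules):
    """Rules that can never fire because an earlier rule already covers them."""
    out = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                kind = "conflict" if earlier.action != rule.action else "redundant"
                out.append({"rule": rule.name, "by": earlier.name, "kind": kind})
                break
    return out


def find_overly_broad(rules):
    """Allow rules open to any source on every port: the ones an auditor questions first."""
    return [r.name for r in rules
            if r.action == "allow" and r.src == "0.0.0.0/0" and r.ports == ANY_PORTS]


if __name__ == "__main__":
    rdp = {"proto": "tcp", "src": "198.51.100.5", "dst": "203.0.113.10", "dport": 3389}
    print("RDP from the Internet:", evaluate(RULES, rdp))
    print("shadowed:", find_shadowed(RULES))
    print("overly broad:", find_overly_broad(RULES))
```

The interesting result is the "conflict" shadow: the administrator believes RDP to the web server is blocked, but the broad vendor rule above it answers first, so the deny never fires. Moving the deny ahead of the broad permit, or better, narrowing the permit to the vendor's addresses and ports, is the fix; the evaluator lets the auditor prove the effect of either change before it goes on the firewall.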
Types of firewall
• Packet filters
• Circuit level gateways
• Application level gateways
• Stateful multilayer inspection firewalls
Packet filtering firewalls work at the network level of the OSI model (or the IP layer of TCP/IP).
They are usually part of a router. In a packet filtering firewall, each packet is compared to a set of
criteria before it is forwarded.
Rules can include source and destination IP address, source and destination port number and
protocol used.
The advantage of packet filtering firewalls is their low cost and low impact on network performance.
Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They
monitor the TCP handshake between endpoints to determine whether a requested session is legitimate.
Information passed to a remote computer through a circuit level gateway appears to have originated
from the gateway. Circuit level gateways are relatively inexpensive and have the advantage of
hiding information about the private network they protect, but they do not filter individual
packets.
Application level gateways are also called proxies. They can filter packets at the application layer of
the OSI model. Incoming or outgoing packets cannot access services for which there is no proxy; in
plain terms, an application level gateway configured as a web proxy will not allow any FTP,
Gopher, Telnet or other traffic through. Because they examine packets at the application layer, they
can filter application-specific commands such as HTTP POST and GET.
Stateful multilayer inspection firewalls combine aspects of the other three types of firewall.
They filter packets at the network layer, determine whether session packets are legitimate and
evaluate the contents of packets at the application layer. They are expensive and require competent
personnel to administer.
Simple Firewall
The simple firewall design is common for small or branch networks and involves a firewall or
router (configured as a firewall) between the Internet and the internal network. NAT is typically
used, and providing Internet access is the primary function of the firewall. There might be port
forwarding configured to internal servers for e-mail delivery or limited web hosting. These
designs typically suffer from minimal layered security, but are by far the least expensive
deployment method to connect a very small remote office or mobile worker situation.
Screening Router and Firewall
A screening router provides frontline defence at the network edge. Not only does this router act
as a basic firewall, but it can also perform services such as routing, Netflow collection, quality of
service, and anti-spoofing. The point of a screening router is to provide defence in depth and
another place where access rules can be applied.
Firewall testing
The steps involved in firewall penetration testing include:
• Locate the firewall and traceroute to identify the network range
• Port scan the router
• Grab the banner
• Create custom packets and look for firewall responses
• Test access control enumeration
• Test to identify the firewall architecture
• Test the firewall policy
• Test the firewall using a firewalking tool
• Test for port redirection
• Test the firewall from both sides
• Overt firewall test from outside
• Test covert channels
• Covert firewall test from outside
• Test HTTP tunnelling
• Test firewall-specific vulnerabilities
• Review the firewall logs
• Collect the tool output
• Analyse the results
• Recommendations (if any)
Firewall auditing tools: HTTPORT, HTTHOST, Firewall Test Agent, Hping3, Netfilter, fragroute,
IP Filter, Ftester, Fwanalog, Fpipe, Firewall Builder, Port Test/Firewall Tester, VisualRoute,
datapipe, firewalking.
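As an added example (not from the handbook), the script below models a packet filter that compares each packet to rules on protocol, source and destination address and destination port, first match wins and no match is denied, and then applies two checks an auditor makes when testing the firewall policy: catch-all allow rules, and rules that an earlier rule shadows or makes redundant. The rule names, addresses and ports are constructed.

```python
"""Added example, not from the handbook: a first-match packet filter with a
default-deny policy, plus two checks an auditor applies when testing the
firewall policy. Rule names, addresses and ports below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

ANY_PORTS = (0, 65535)          # inclusive range meaning "any destination port"


def _net(cidr: str):
    """'any' means no restriction; otherwise parse a CIDR or single address."""
    return None if cidr == "any" else ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    proto: str                           # "tcp", "udp", "icmp" or "any"
    src: str                             # CIDR, single address or "any"
    dst: str                             # CIDR, single address or "any"
    dport: Tuple[int, int] = ANY_PORTS   # inclusive destination port range

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        """The packet-filter criteria: protocol, addresses and destination port."""
        if self.proto not in ("any", proto):
            return False
        for want, have in ((self.src, src), (self.dst, dst)):
            net = _net(want)
            if net is not None and ip_address(have) not in net:
                return False
        return self.dport[0] <= dport <= self.dport[1]

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` would match is also matched by `self`."""
        if self.proto not in ("any", other.proto):
            return False
        for mine, theirs in ((self.src, other.src), (self.dst, other.dst)):
            a, b = _net(mine), _net(theirs)
            if a is None:
                continue                 # "any" on our side covers everything
            if b is None or not b.subnet_of(a):
                return False
        return self.dport[0] <= other.dport[0] and other.dport[1] <= self.dport[1]


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule decides; no match falls through to the default deny."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"


def audit(rules: List[Rule]) -> List[str]:
    """Policy checks: catch-all allows, and rules an earlier rule makes unreachable."""
    findings = []
    for i, rule in enumerate(rules):
        if (rule.action == "allow" and rule.proto == "any" and rule.src == "any"
                and rule.dst == "any" and rule.dport == ANY_PORTS):
            findings.append(f"{rule.name}: allows all traffic")
        for earlier in rules[:i]:
            if earlier.covers(rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append(f"{rule.name}: {kind} by {earlier.name}")
                break
    return findings


# Constructed rule base for a small server network 10.0.0.0/24 with two admin LANs.
BASE_RULES = [
    Rule("web",       "allow", "tcp", "any",            "10.0.0.0/24", (80, 80)),
    Rule("web-dup",   "allow", "tcp", "any",            "10.0.0.5/32", (80, 80)),
    Rule("no-ssh",    "deny",  "tcp", "192.168.1.0/24", "10.0.0.0/24", (22, 22)),
    Rule("admin-ssh", "allow", "tcp", "192.168.2.0/24", "10.0.0.0/24", (22, 22)),
]
# The same base after a careless change: a temporary catch-all allow placed above a deny.
BAD_RULES = BASE_RULES + [
    Rule("temp-all", "allow", "any", "any", "any"),
    Rule("no-rdp",   "deny",  "tcp", "any", "10.0.0.9/32", (3389, 3389)),
]

if __name__ == "__main__":
    print(evaluate(BASE_RULES, "tcp", "203.0.113.7", "10.0.0.5", 80))   # allow (web)
    print(evaluate(BASE_RULES, "udp", "203.0.113.7", "10.0.0.5", 53))   # deny (default)
    print(evaluate(BAD_RULES, "tcp", "203.0.113.7", "10.0.0.9", 3389))  # allow: the deny is shadowed
    for line in audit(BAD_RULES):
        print(line)
```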
Source: https://www.manageengine.com/products/firewall/firewall-security-audit-configuration-
analysis.html
An IDS is software or hardware that detects and logs inappropriate, incorrect, or anomalous activity.
IDSes are typically characterized by the source of the data they monitor:
• Host-based: A host-based IDS uses system log files and other electronic audit data to identify
suspicious activity.
• Network-based: A network-based IDS uses a sensor to monitor packets on the network to which it
is attached.
A network intrusion detection system (NIDS) is a system that tries to detect malicious activity such as
denial of service attacks, port-scans or even attempts to crack into computers by monitoring
network traffic.
A host-based IDS monitors individual hosts on the network for malicious activity; for example, Cisco
Security Agent. Host-based systems are more accurate than network-based IDS because they analyse the
server's log files and not just network traffic patterns. The host monitors the system and reports its
activities to a centralized server. They are expensive and resource intensive.
An application-based IDS is like a host-based IDS designed to monitor a specific application (similar
to antivirus software designed specifically to monitor your mail server). An application-based IDS is
extremely accurate in detecting malicious activity for the applications it protects.
mIDS integrates many layers of IDS technologies into a single monitoring and analysis engine. It
aggregates integrity monitoring software logs, system logs, IDS logs, and firewall logs into a single
monitoring and analysis source.
Benefits:
A WIDS monitors and evaluates user and system activities, identifies known attacks, determines abnormal
network activity, and detects policy violations for WLANs. Its capabilities include:
• Detects DoS attacks
• Detects MAC spoofing
• Detects RF interference
• Isolates an attacker's physical location
• Identifies non-encrypted traffic
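As an added example (not from the handbook), the script below runs one threshold detector over the two data sources distinguished above: constructed flow records stand in for the sensor feed of a network-based IDS, and constructed sshd log lines in syslog format stand in for the log files a host-based IDS reads. The same "one source, many distinct targets in a short window" logic flags a port scan in the first and password spraying in the second; the sshd message layout assumed is the usual OpenSSH "Failed password for ... from ... port" line.

```python
"""Added example, not from the handbook: one threshold detector fed by the two
data sources the text distinguishes, network traffic (NIDS) and host log files
(HIDS). Flow records and log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

Alert = Tuple[str, str, int]   # (detector name, offending source, distinct targets seen)


def detect_bursts(events: Iterable[tuple], window, threshold: int, name: str) -> List[Alert]:
    """Alert once per source when it touches `threshold` distinct targets inside
    `window`. `events` are (timestamp, source, target) sorted by time; timestamps
    may be datetimes or plain seconds as long as `window` is of the same kind."""
    recent = defaultdict(list)         # source -> [(timestamp, target)] inside the window
    alerted = set()
    alerts: List[Alert] = []
    for ts, source, target in events:
        bucket = recent[source]
        bucket.append((ts, target))
        while ts - bucket[0][0] > window:   # expire entries older than the window
            bucket.pop(0)
        distinct = {t for _, t in bucket}
        if len(distinct) >= threshold and source not in alerted:
            alerts.append((name, source, len(distinct)))
            alerted.add(source)
    return alerts


# NIDS data source: constructed flow records (seconds, source IP, destination port).
# 203.0.113.9 walks ports 20..34 on a server; 198.51.100.4 is an ordinary web client.
FLOWS = sorted(
    [(0.2 * i, "203.0.113.9", 20 + i) for i in range(15)]
    + [(0.5 * i, "198.51.100.4", 443 if i % 2 else 80) for i in range(20)]
)


def run_nids(flows=FLOWS) -> List[Alert]:
    """Network view: many distinct destination ports from one source is a port scan."""
    return detect_bursts(flows, window=5.0, threshold=10, name="port-scan")


# HIDS data source: constructed sshd lines in syslog format.
AUTH_LOG = """\
Jan 10 10:00:01 srv1 sshd[412]: Failed password for alice from 203.0.113.9 port 5001 ssh2
Jan 10 10:00:03 srv1 sshd[413]: Failed password for bob from 10.0.0.20 port 40112 ssh2
Jan 10 10:00:07 srv1 sshd[414]: Failed password for invalid user admin from 203.0.113.9 port 5002 ssh2
Jan 10 10:00:09 srv1 sshd[415]: Accepted password for bob from 10.0.0.20 port 40112 ssh2
Jan 10 10:00:12 srv1 sshd[416]: Failed password for carol from 203.0.113.9 port 5003 ssh2
Jan 10 10:00:15 srv1 sshd[417]: Failed password for bob from 10.0.0.20 port 40113 ssh2
"""
AUTH_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port"
)


def auth_events(log_text: str) -> List[tuple]:
    """Turn sshd failure lines into (timestamp, source IP, account) events."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts, m.group(3), m.group(2)))
    return sorted(events)


def run_hids(log_text: str = AUTH_LOG) -> List[Alert]:
    """Host view: one source failing against several accounts is password spraying."""
    return detect_bursts(auth_events(log_text), window=timedelta(seconds=60),
                         threshold=3, name="password-spray")


if __name__ == "__main__":
    print(run_nids())   # [('port-scan', '203.0.113.9', 10)]
    print(run_hids())   # [('password-spray', '203.0.113.9', 3)]
```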
The term social engineering is used to describe the various tricks used to fool people (employees,
business partners, or customers) into voluntarily giving away information that would not normally be
known to the general public.
Examples:
• Attempt social engineering techniques using phone, vishing, telephone, email, traditional
mail, in person, dumpster diving, insider accomplice, shoulder surfing, desktop information,
extortion and blackmail, websites, theft and phishing attacks, satellite imagery and building
blueprints, details of an employee from social networking sites, telephone monitoring devices
to capture conversations, video recording tools to capture images, vehicle/asset tracking
systems to monitor motor vehicles, and identifying "disgruntled employees" and engaging them
in conversation to extract sensitive information
• Document everything, including the approach, the response, and the information sought and retrieved
Web application vulnerabilities generally stem from improper handling of client requests and/or a
lack of input validation checking on the part of the developer. A web application is an application,
generally comprising a collection of scripts that resides on a web server and interacts with databases
or other sources of dynamic content.
Case Study
Here are a few case studies to review: how information was socially engineered, the type of
social engineering used, and the results or mitigating steps each company took to combat it.
Company A is a widget manufacturing company with several plants across the country. The IT
staff is located at the corporate headquarters and performs most of their technical support
remotely. A man who calls himself Joe Admin contacts a remote user on the telephone. He
introduces himself as a new system security administrator supporting Company A’s UNIX
systems and network. He mentions that he works for the IT manager, and that he is part of a
new security initiative to harden the systems and network. Joe informs the user that her
password has been cracked as part of a routine security audit.
Joe explains the types of characters and length the user’s password must be to meet the new minimum
security criteria. He recommends that the user review the new security policy’s password guidelines
section, detailing the systems to which she has access. Joe then asks the user for her password to
critique it and point out why it wasn’t good enough. The duped user willingly communicates her
password to Joe, believing that he is a member of the security team. Upon closing the conversation, Joe
lets the user know that she is not alone—that there are numerous users who don’t meet the minimum
criteria. He encourages her to pick something a little stronger next time she’s prompted to change her
password. This user’s account was compromised and, although no sensitive information was contained
on the systems she had access to, her account was used to download hacker tools and the systems
were used as a jump point for additional hacking. In this instance, a savvy system administrator noticed
an unusual traffic pattern coming from the compromised system and decided to investigate. During the
investigation, multiple hidden hacking tools were found. At first it was believed that the user was
responsible for this activity and a case was being built to take disciplinary action against her.
However, further investigation revealed that the activity occurred during times when the user wasn’t
working on the system, and it was identified that her account was logging in from a modem connection.
The Telecom group identified the phone number where the call was originated. Through a long and
arduous process, it was determined that the phone line was an outbound modem connection on a
system which had also been compromised from several IP addresses located in Europe. During the
investigation review it was determined that the user didn’t follow the security policy guidelines and
protect her own password. No information had been lost, so the user's disciplinary action amounted to
the proverbial slap on the wrist. However, the end result was the implementation of a security
awareness program launched to keep users informed of the current security policies and to audit users’
awareness of the security policies. The audits were successful because they were required in order to
receive quarterly bonuses. Employees were required to log onto their Intranet accounts, review the
security policies, and take a 5-question multiple-choice quiz in order to receive their checks. The
questions were relatively easy and a little common sense would allow them to pass; however, the
information was critical as a means to measure the effectiveness of the security awareness program,
and determine what areas would need the most focus over the next year. In addition, every employee
was required to attend an annual security policy review meeting. Changes to security policies were
posted on the company’s internal web site, and notices were sent to everyone through e-mail, and
memos attached to their paychecks.
1.0 Purpose
This document describes the password requirements and how they should be handled.
2.0 Scope
All Company A personnel with access to any of Company A’s computer systems.
2. Passwords must contain alpha, numerical and at least one special character such as @ # $ % ^ & * ( ) !.
4. Passwords are considered the property of each individual and disclosure or sharing of passwords for any
reason is not acceptable.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
5.0 Definitions
Term: Computers
Definition: Systems located in Company A's computer rooms used to support file and print
sharing, e-mail, applications, etc. These systems include remote access servers.
They both thought the schedule was aggressive but agreed it could be done. Jim and Bill gather all
the material and lock themselves in a conference room to review all the prospective companies’
security postures. They are making a lot of progress, but there is still a lot of work needed to finish
their assessment. Both colleagues are getting hungry, which is causing them to lose their focus. Bill
suggests they go to the new trendy restaurant around the corner from the office—it’s close and
there are some quiet areas perfect for working while they eat. Jim reluctantly agrees. They finish
their dinner and their assessment and leave the restaurant. Bill takes the document, saying that he
will review their work on his train ride out of the city. The two part company feeling they have just
pulled a rabbit out of a hat. Bill would not have normally taken work like this out of the office;
however with such an aggressive deadline, and the fact that he is planning to take tomorrow
afternoon off to play golf, he goes against his better judgment. The train is full because a local
sporting event has just ended. Bill begins to review the spreadsheet they produced, entitled
“Company B’s Prospective Acquisitions—A Security Assessment.” Listed in the document are each
potential company’s name, security equipment, and an estimate of what it would cost to bring them
to Company B’s minimum security requirements. Bill is so focused on reviewing the document he
doesn’t notice the person sitting next to him reading it as well. It turns out that his fellow passenger
is a manager at a competing financial institute, who brings the news of Company B’s potential
acquisitions to his management. Company B’s competitor undermines their acquisition of these
companies and forces Company B to pay more than they should have. Company B personnel should
have followed their security policy regarding the handling of sensitive information. Company B
implemented a security awareness program stressing points on the handling of sensitive information.
Every employee was required to attend a yearly training session, including taking a test to assess
their level of security awareness. 70% was the passing grade and employees were required to pass the
test. Personnel who had failing grades were required to sit through the security awareness program
again. The tests consisted of multiple-choice questions and matching policy violation situations to the
policies they violated.
Summary
Pre audit tasks: During this phase, the auditors determine the main area/s of focus for the
audit and any areas that are explicitly out-of-scope, based normally on an initial risk-based
assessment plus discussion with those who commissioned the audit.
An External Intrusion Audit and Analysis identifies strengths and weaknesses of a client
system and network as they appear from the outside the client’s security perimeter, usually
from the internet.
Internal testing involves testing computers and devices within the company. It is more like
white-box testing. What if an employee of the company penetrates the network with the
IT knowledge he has? What if a hacker breaks in to the internal network that
houses employees' PCs and databases and steals sensitive information?
Internal penetration testing involves:
o Performing port scanning on individual machines and establishing null sessions.
o Attempting replay attacks, ARP poisoning, MAC flooding.
o Conducting man-in-the-middle attack and trying to login to a console machine.
o Attempting to plant keylogger, Trojan, and Rootkit on target machine.
o Attempting to send virus using target machine.
o Hiding sensitive data and hacking tools in target machine.
o Escalating user privileges.
Firewall auditing includes testing the firewall after establishing the types of firewall and their
configuration in the company.
Firewalls fall into four broad categories:
o Packet filters
o Circuit level gateways
o Application level gateways
o Stateful multilayer inspection firewalls
There are 2 types of IDS:
o Host-based: A host-based IDS uses system log files and other electronic audit data to
identify suspicious activity.
o Network-based: A network-based IDS uses a sensor to monitor packets on the
network to which it is attached.
mIDS integrates many layers of IDS technologies into a single monitoring and analysis engine.
It aggregates integrity monitoring software logs, system logs, IDS logs, and firewall logs into a
single monitoring and analysis source.
WIDS monitor and evaluate user and system activities, identify known attacks, determine
abnormal network activity, and detect policy violations for WLANs.
Other audits in Penetration testing include Social Engineering and Web Application testing.
Practical Activities:
Activity 1:
Gather as much information as you can about the training institute, noting the various sources
of that information, without crossing the boundaries of the law. Share the same in class and
debate the security considerations for each type of information being out there and
the authorised or unauthorised sources of information.
Activity 2:
Make a list of the precautions, security measures and legal options your institute has to
enhance the security of the organisation's information assets.
Activity 3:
Study and deliberate on the varying needs, concerns, limitations and challenges of
internal and external information security audits.
Q. List down at least four types of firewall designs an auditor is likely to find in organizations?
UNIT VII
Audit Reports and Actions
Lesson Plan
7.1. Audit Reports and Actions
LESSON PLAN
Lesson
The audit report's goal is to show the organization that the team honestly wants to improve the
company's security posture; this is to be borne in mind when writing the report.
The documentation report should contain the final results and recommendations to rectify any problems
found during the penetration testing process.
After documentation, submit the document to the client, obtain their signature, and keep
a copy of the report.
The summary should provide a short, high-level overview of the test. It should contain the client's
name, the testing firm, the date of the test, and so on, along with information about the targeted
systems and applications, the end-user test results, and an examination of all exploits performed.
The summary should include details of the discovered vulnerabilities.
The scope of the project should include the IP address ranges that are tested and mentioned in the
contract, and should state:
• whether social engineering was employed or not;
• whether public or private networks were tested or not;
• whether Trojans and backdoor software applications were permitted or not.
If one simply ran a handful of tools and provided a report, the company would never want to
see you again. Recommendations for improving their security are very important for the report to be
accepted by the customer.
High criticality findings: Loss could result in the unauthorized release of information that
could have a significant impact on the organization's mission or financial assets, or result in
loss of life.
Medium criticality findings: Loss could result in the unauthorized release of information that
could have an impact on the organization's mission or financial assets, or result in harm to an
individual.
Low criticality findings: Loss could result in the unauthorized release of information that
could have some degree of impact on the organization's mission or financial assets, or result in
harm to an individual.
Recommendations:
Focus on high priority security concerns first. Develop strategies to achieve short term and long term
security postures. Decide on the required and available resources to maintain a consistent level of
information security.
Organizations should develop an action plan to:
• Address the security concerns on time and systematically.
• Reduce the misuse or threat of attacks on the organization.
• Create a configuration management process.
• Create or use configuration checklists available from the product vendors and security
organizations such as NIST and NSA.
• Improve the level of control over purchased software by checking for updates and
patches from the vendors.
• Create a policy for applying patches in a timely manner.
• Create guidelines for best practices to be followed based on the recommendations of pen
test report.
• Regular auditing of the organization reduces its exposure to vulnerabilities.
Conduct training on analysing the security posture of a network, technical security training programs for
people managing information technology, and training for application developers to write secure
code.
Security education and awareness programs need to be implemented, such as:
• General security awareness for new employees in the organization
• Awareness program through e-learning.
• Provide training on social engineering to each and every employee.
A typical audit report is organised as follows:
• An introduction: A simple statement of your qualifications, the purpose of the audit and
what was in scope.
• Findings: This section will contain your findings and will list the vulnerabilities or issues that
should be remediated. This listing should be ordered by criticality level, which is hopefully
defined by internal policies (i.e. if your vulnerability scanner finds a high-criticality vulnerability,
based upon how that vulnerability is implemented in your environment it may not be a true
high criticality, so internal policies should assist in defining the criticality levels).
• Methodologies: Here you will discuss the tools used, how false positives were ruled out, and what
processes completed this audit. This is to provide consistency and allow your audits to be
repeatable in the event a finding is disputed or deemed not worth fixing by
management.
• Conclusion: A basic conclusion, summarizing the information you have already put together.
• Appendices: Any extra attachments needed for reference.
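As an added example (not from the handbook), the script below prepares the findings section as described above: it checks each finding against the contracted IP ranges, derives the report criticality from the scanner rating and an internal policy, and orders the list High to Low. The scope ranges, policy weights and findings are constructed, and the `exposure` and `exploit_available` attributes are hypothetical.

```python
"""Added example, not from the handbook: preparing the findings section of the
report. Scope ranges, policy weights and findings are constructed, and the
`exposure` and `exploit_available` attributes are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

LEVELS = ["Low", "Medium", "High"]       # the three categories the report uses


@dataclass
class Finding:
    title: str
    host: str                  # IP address of the affected host
    port: str                  # e.g. "443/tcp"
    scanner_severity: str      # rating as the scanner reported it
    exposure: str              # hypothetical asset attribute: "internet" or "internal"
    exploit_available: bool    # hypothetical: confirmed during the tester's verification
    criticality: str = ""      # set by rate()


def rate(f: Finding, policy: Dict[str, int]) -> str:
    """Shift the scanner rating by the steps internal policy assigns to the
    finding's context, clamped to the Low..High range."""
    idx = LEVELS.index(f.scanner_severity)
    idx += policy.get(f.exposure, 0)
    if f.exploit_available:
        idx += policy.get("exploit_available", 0)
    return LEVELS[max(0, min(idx, len(LEVELS) - 1))]


def split_by_scope(findings: List[Finding], scope: List[str]) -> Tuple[List[Finding], List[Finding]]:
    """Only hosts inside the contracted ranges belong in the findings section."""
    nets = [ip_network(r) for r in scope]
    inside, outside = [], []
    for f in findings:
        (inside if any(ip_address(f.host) in n for n in nets) else outside).append(f)
    return inside, outside


def prioritise(findings: List[Finding], policy: Dict[str, int]) -> List[Finding]:
    """Rate every finding, then order High first; ties by host address and title."""
    for f in findings:
        f.criticality = rate(f, policy)
    return sorted(findings, key=lambda f: (-LEVELS.index(f.criticality), ip_address(f.host), f.title))


def counts(findings: List[Finding]) -> Dict[str, int]:
    """Per-category totals for the summary section."""
    return {lvl: sum(1 for f in findings if f.criticality == lvl) for lvl in LEVELS}


def render(findings: List[Finding]) -> str:
    """Plain-text findings list: host, port, description and the original scanner rating."""
    lines = ["Findings (ordered by criticality)"]
    for n, f in enumerate(findings, 1):
        lines.append(f"{n}. [{f.criticality}] {f.host} {f.port} - {f.title} "
                     f"(scanner rating: {f.scanner_severity})")
    return "\n".join(lines)


# Constructed engagement data.
SCOPE = ["203.0.113.0/24", "10.10.0.0/16"]                            # ranges named in the contract
POLICY = {"internet": +1, "internal": -1, "exploit_available": +1}   # steps up/down per attribute
FINDINGS = [
    Finding("Outdated TLS configuration", "203.0.113.10", "443/tcp", "Medium", "internet", False),
    Finding("SMB signing not required", "10.10.4.20", "445/tcp", "High", "internal", False),
    Finding("Default credentials on admin console", "203.0.113.5", "8443/tcp", "High", "internet", True),
    Finding("Verbose server banner", "10.10.4.20", "80/tcp", "Low", "internal", False),
    Finding("Open recursive resolver", "198.51.100.7", "53/udp", "Medium", "internet", False),  # outside scope
]


def build_report(findings=FINDINGS, scope=SCOPE, policy=POLICY):
    """Return the ordered in-scope findings and the ones to raise as a scope issue."""
    inside, outside = split_by_scope(findings, scope)
    return prioritise(inside, policy), outside


if __name__ == "__main__":
    ordered, outside = build_report()
    print(render(ordered))
    print("Counts:", counts(ordered))
    print("Out of scope, not reported as findings:", [f.host for f in outside])
```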
The final report should be delivered personally; it should not be sent by e-mail or on CD-ROM.
A printed report is the best format. The pen-test information is very sensitive. One should only
store it for a certain period of time (30–45 days is typical) and should be able to answer questions
during this period. After the 30–45 days, one should destroy the stored information. This
clause is usually mentioned in the contract with the customer before the engagement begins.
The pentest report covers discovered vulnerabilities, available options, recommendations, and suggestions.
Recommendations are the most important part of the report for the user to implement in order to
improve network security. A pen tester should hand over the sensitive information within 45
days or destroy it from storage. Create a final report documenting the test findings, and deliver
the report to the concerned officer.
Summary
The audit report's goal is to show the organization that the team honestly wants to improve
the company's security posture; this is to be borne in mind when writing the report.
The document report includes:
o Summary of the test execution
o Scope of the project
o Result analysis
o Recommendations
o Appendices
The results analyzed should include:
o Domain name and IP address of the host.
o TCP and UDP ports.
o Description of the service.
o Details of the test performed.
o Vulnerability analysis.
Appendices should include:
o Contact information
o Screen shots
o Log output
Divide the reports into sections as follows:
o Network test reports
o Client side test reports
o Web application test reports
Findings are categorized as:
o High
o Medium
o Low
Organizations should develop an action plan as a result of the audit.
The report should help in creating and strengthening information security policies.
Practical Activities:
Activity 1:
Collate various audit report templates and sources which provide guidance on audit
reports. These should be compared and the considerations and requirements for their
preparation should be discussed in class.
UNIT VIII
Audit Support Activities
Lesson Plan
7.1. Audit Support Activities
LESSON PLAN
Lesson
Assisting the auditors
Security Analyst: A security analyst may be assigned responsibilities to carry out activities supporting
the audit team, or to carry out a set of security auditing activities independently. It is important for
the security analyst to clarify and understand their scope of responsibilities and to work within these
limits. If they are not clear about any aspect of their limits of authority or scope of responsibilities,
they should speak to their supervisor and clarify the same. It always helps to get written clarifications
to eliminate scope for confusion later on.
Auditors need organizational support, such as having access to certain data or staff. The security
analyst often assists and supports the information audit. This support often includes actions such as
obtaining access to copies of policies or system configuration data. These expectations should be
clarified or directed by seniors to the security analyst and the auditors. The security analyst should
also get clear information about the units whose systems will be audited, and would communicate the
same to co-workers and other users in the organization to ensure a smooth and least disruptive audit.
For this purpose, the business and IT unit managers of the audited systems should be involved early
in the process. This will ensure there are no disputes and delays regarding the auditors' access to
areas and information.
The various responsibilities of the Security Analyst in supporting the auditors can include the
following:
As stated, a security audit is essentially an assessment of how effectively the organization's security
policy is being implemented. Of course, this assumes that the organization has a security policy in
place which, unfortunately, is not always the case. A Security Analyst will support the auditors in
getting the necessary information by getting them access to policies and procedures documents or
explaining the processes where such documents are not available.
Facilitating access
Natural tensions frequently exist between workplace culture and security policy. Even with the best
of intentions, employees often choose convenience over security. Sometimes teams and individuals
need to be spoken to, and auditors need to be helped in gaining access to the facilities required for
auditing. The same may be needed to secure time with individuals for audit interviews.
Pre-Audit Homework
Before the computer security auditors even begin an organizational audit, there is a fair amount of
homework that should be done. Auditors need to know what they are auditing. In addition to
reviewing the results of any previous audits that may have been conducted, there are several tools
they may use or refer to beforehand. The first is a site survey. This is a technical description of the
system's hosts. It also includes management and user demographics. This information may be out of
date, but it can still provide a general framework. Security questionnaires may be used to follow up
the site survey. These questionnaires are, by nature, subjective measurements, but they are useful
because they provide a framework of agreed-upon security practices. The respondents are usually
asked to rate the controls used to govern access to IT assets. These controls include: management
controls, authentication/access controls, physical security, outsider access to systems, system
administration controls and procedures, connections to external networks, remote access, incident
response, and contingency planning.
A security analyst may be called upon to assist in conducting site surveys and administering security
questionnaires. Accompanying communication may be required to obtain specific responses to
specific requirements.
Auditors review previous security incidents at the client organization to gain an idea of historical
weak points in the organization's security profile. Organizational staff may need to support the
auditors in examining current conditions to ensure that repeat incidents cannot occur. If auditors are
asked to examine a system that allows Internet connections, they may also want to know about
IDS/firewall log trends. Do these logs show any trends in attempts to exploit weaknesses? A security
analyst may be called upon to provide such support to auditors.
The auditors develop an audit plan. This plan will cover how the audit will be executed, with which
personnel, and using what tools. They will then discuss the plan with the requesting agency. Next,
they discuss the objective of the audit with site personnel along with some of the logistical details,
such as the time of the audit, which site staff may be involved and how the audit will affect daily
operations. The security analyst may be called upon to coordinate and smooth the audit execution.
When the auditors arrive at the site, their aim is not to adversely affect business transactions
during the audit. They should conduct an entry briefing where they again outline the scope of the
audit and what they are going to accomplish. Any questions that site management may have should
be addressed, and last-minute requests considered within the framework of the original audit
proposal. This communication may be further passed on with the help of the security analyst.
During the audit, they will collect data about the physical security of computer assets and perform
interviews of site staff. They may perform network vulnerability assessments, operating system and
application security assessments, access control assessments, and other evaluations. Throughout
this process, the auditors should follow their checklists, but also keep their eyes open for unexpected
problems. Here they get their noses off the checklist and start to sniff the air. They should look
beyond any preconceived notions or expectations of what they should find and see what is actually
there. In this case the security analyst may be of immense help, providing the auditors with
background information and facilitating ad-hoc activities that may not be registered in the original
plan.
After the audit is complete, the auditors will conduct an outgoing briefing, ensuring that
management is aware of any problems that need immediate correction. Questions from
management are answered in a general manner so as not to create a false impression of the audit's
outcome. It should be stressed that the auditors may not be in a position to provide definitive
answers at this point in time. Any final answers will be provided following the final analysis of the
audit results. The security analyst may be the conduit for channelling the information and supporting
interim measures for strengthening security.
Once back in the home office, the auditors will begin to comb their checklists and analyse data
discovered through vulnerability assessment tools. There should be an initial meeting to help focus
the outcome of the audit results. During this meeting, the auditors can identify problem areas and
possible solutions. They may require some pending information or call for information to fill in some
gaps. This may be provided by the Security Analyst.
Post-recommendation stage
Finally, the audit staff should prepare the report as speedily as accuracy allows so that the site staff
can correct the problems discovered during the audit. Depending on company policy, auditors
should be ready to guide the audited site staff (Security Analysts) in correcting deficiencies and help
them measure the success of these efforts. Management should continually supervise deficiencies
that are turned up by the audit until they are completely corrected.
It must be kept in mind that as organizations evolve, their security structures will change as well.
With this in mind, the computer security audit is not a one-time task, but a continual effort to
improve data protection.
Security analysts learn with each audit and testing activity and can carry on evaluation of the
strength of the organization's security policy and its implementation. The analyst makes ongoing
efforts to help refine the policy and correct deficiencies that are discovered through the audit
process. Whereas tools are an important part of the audit process, the audit is less about the use of
the latest and greatest vulnerability assessment tool, and more about the use of organized,
consistent, accurate data collection and analysis to produce findings that can be measurably
corrected. This is where the security analyst continues to contribute.
Summary
A security analyst may be assigned responsibilities to carry out activities supporting the audit
team or independently carrying out a set of security auditing activities.
It is important for the security analyst to clarify and understand their scope of responsibilities
and work within these limits.
In case they are not clear about any aspect of their limits of authority, or scope of
responsibilities they should speak to their supervisor and clarify the same.
Auditors need organizational support, such as having access to certain data or staff. The
Security analyst often assists and supports the information audit.
This support often includes actions such as obtaining access to copies of policies or system
configuration data. These expectations should be clarified or directed by seniors to the
security analyst and the auditors.
The responsibilities of the security analyst in supporting the auditors can include the following:
o The security analyst will support the auditors in getting the necessary information by
getting them access to policies and procedures
o Helping auditors in gaining access to the facilities required for auditing. The same may be
needed to secure time with individuals for audit interviews.
o A security analyst may be called upon to assist in conducting site surveys and
administering security questionnaires. Accompanying communication may be
required to obtain specific responses to specific requirements.
o Auditors on site need help in site management
o The security analyst may be of immense help providing the auditors with background
information and facilitating ad-hoc activities that may not be registered in the original
plan.
o Security analysts learn with each audit and testing activity and can carry on evaluation
of the strength of the organization's security policy and its implementation. The
analyst makes ongoing efforts to help refine the policy and correct deficiencies that
are discovered through the audit process.
Q. List down various assistance auditors require at various stages of the audit, that the Security
Analysts may be called upon to assist with.
Pre-audit stage
On-site
Post audit
Student Handbook – Security Analyst SSC/N9001
SSC/ N 9001:
Manage your work to meet requirements
Description: This unit is about planning and organizing your work in order to complete it to the
required standards on time.
Scope: This unit/task covers the following:
Work requirements:
o line manager
o the person requesting the work
o members of the team/department
o members from other teams/departments
Resources:
o equipment
o materials
o information
Performance Criteria (PC) w.r.t. the Scope
company / organization and its processes)
KA5. how to prioritize your workload according to urgency and importance and the benefits of this
KA6. the organization's policies and procedures for dealing with confidential information and the
importance of complying with these
KA7. the purpose of keeping others updated with the progress of your work
KA8. who to obtain guidance from and the typical circumstances when this may be required
KA9. the purpose and value of being flexible and adapting work plans to reflect change
B. Technical Knowledge
The user/individual on the job needs to know and understand:
KB1. the importance of completing work accurately and how to do this
KB2. appropriate timescales for completing your work and the implications of not meeting these
for you and the organization
KB3. resources needed for your work and how to obtain and use these
THE UNITS
The module for this NOS is divided into 3 Units based on the learning objectives as given below.
UNIT I
Understanding scope of work and
working within limits of authority
Lesson Plan
Resource Material
1.1. Scope of work
1.2. Seeking and providing clarity, assistance and support
1.3. Seeking feedback and approvals
1.4. Change and Flexibility
LESSON PLAN
Scope of work refers to the range of tasks and activities to be performed, or expected to be performed,
by someone or within a project or contract, as agreed. It is usually the result of dividing, defining
and limiting work and responsibilities, and is understood to be performed within agreed timelines
and rules or standards of performance.
It is important that one's own and others' scope of work and responsibilities are clearly and commonly
understood between co-workers, for the following reasons:
Discuss and state the importance (advantages and disadvantages) of doing work as per the
following:
agreeing work requirements with appropriate people before commencing work
purpose of having policies and procedures and working as per these
knowing job limits and working within one’s span of responsibility
Every worker needs to know what they are meant to do at work and the limits of their work and
authority. This helps everyone plan and organise their own work better, as it reduces uncertainty
and the need to constantly clarify with seniors and others what is expected of them, what to do and
what not to do.
Also, if everyone is clear about their own and their co-workers' work, then there is clarity of
expectations around each other's performance, and everyone can know and rely on others to do their
part, especially where interdependencies are involved. If co-workers do their part as expected or
required, trust develops between them. Where co-workers do not deliver performance as expected
or required, there is disappointment and a lack of trust.
A clear division of work and responsibilities also helps plan and carry out work in a manner that no
work is left unassigned or erroneously assigned to multiple people in duplicate, which causes a lack
of clarity on who is responsible and accountable for carrying out that work.
The main difference between responsibility and accountability is that responsibility can be shared
while accountability cannot.
Research the internet to list various policies and their purpose in companies.
Policies for awareness of role and responsibilities
IT related policies
Executing the work well may require people to: collaborate, assist and support each other,
participate in planning and decision making, etc.
The organisation is divided into hierarchies, departments, divisions and teams in order to use and
develop people's expertise in accordance with the capability requirements of the organisation.
It is important to involve, and seek assistance and support from, those who are designated in the
organisation as authorities for decision making over their remit of work, where required. It is
important that people respect other people's authority and expertise over their areas of work.
It is important to know one’s own limits of decision making. When one is unclear about it or needs to
execute or make decisions about work that extends beyond one’s remit and authority, it is important
to secure formal permissions, advice and assistance from those designated for the same.
Information on whom to secure permissions, advice or assistance from may be derived from the
following sources:
o Organisational chart depicting hierarchy and reporting relationships
o Organisation policies and procedures
o Employee handbook
o Designated person from the designated or relevant department or division, such as the Human
Resources Department
o Own manager or supervisor
o Others
All tasks at work must be performed accurately as per instructions and within the time
limit while demonstrating the following principles.
It is important in many contexts to inform others of work related issues, problems and progress. Any
work being assigned also comes with a set of expectations of customers, co-workers, supervisors or
managers, other departments, etc. These expectations are around:
volume of work,
quality of work
time within which the work needs to be completed.
Since others are usually depending on the work being completed as per expectations, it is important
that they are made aware of progress and any problems that may arise during execution of work.
Seeking feedback and getting work quality checked by appropriate persons is important for various
reasons including:
Feedback is sought from these:
o Internal customers
o External customers
o Department head, etc.
o Own direct supervisor
o Team members
o Fellow co-workers
o Team leader or manager
The person providing the feedback should be thanked for taking the time to do so.
Feedback must be analysed and used to improve our work and achieve better results. Feedback sought
and not acted upon is wasted feedback and often causes disappointment to the person who provided
it. Usually, once feedback has been used to improve or change work processes and performance, the
person who provided the feedback should be informed of the same. This gains greater support,
generates positivity in the mind of the person providing the feedback and usually secures greater
buy-in from them.
Incorporating feedback may sometimes require changes to work processes and methods, which may
require the approval of others. This may be a formal requirement with set processes that need to
be followed to effect the change.
This is important because of the dynamic environment that we work within and the ever evolving
nature of our work, work environment, customer expectations and related policies and procedures.
The field of Information security is an evolving and rapidly changing field. The greatest challenge for a
security analyst will be to keep abreast and be in sync with the changes.
Our professional, social and personal lives also will undergo changes that we have to accept and make
the best use of.
However, to effect change in work practices or policies it is important to follow protocol and go
through the right channels and procedures. This is particularly important because any change has
many facets of impact and in organisations it usually affects others, and also because the original
practices and processes were made for a purpose and served some need.
Those people and organisations which are not willing to change often fail to improve and adapt to
newer conditions and environments, which may make them redundant.
Change must be communicated to all those who are impacted by it and often their views must be
collected regarding the same in a timely manner, in order to ensure that the change is not causing
undesired impact that can escalate into larger problems.
UNIT II
Work and Work Environment
Lesson Plan
2.1 Planning Work and Work environment
2.2 Cleanliness and Tidiness
LESSON PLAN
You need to know and understand:
keeping their work area clean.
KA4. the importance of having a tidy work area and how to do this
KA5. how to prioritize your workload according to urgency and importance and the benefits of this
Ask each individual to write a note.
All learners to listen to all the tips and list 5 best ideas for prioritization that they would practice.
(Inclusive of Hardware / Software Specifications)
Standard Environment PLUS
Create discussion forums at college level.
Create contacts in LinkedIn and other social media sites.
Work planning
To-Do List
Prioritizing
Planning work and work environment can have a substantial impact on the quality and
quantity of work and contributes towards efficiency and productivity.
5. Anticipating events and issues impacting work
6. Mechanisms for checking accuracy and quality of work
Defining goals and sub-goals includes breaking the overall objective into measurable and well
defined constituent results, which help in planning, implementation and tracking of achievement
and progress. It is important that these are further evaluated in terms of realistic and required
time frames, and that the time available is allocated in such a manner that these goals are achieved
within optimal time frames.
Sequencing activities right is also of great importance in efficient and effective working. Factors
that need to be considered while sequencing activities include:
o Dependencies on interim outputs
o Availability of resources
o Space design
o Schedule of deliverables and urgencies
o Work styles, interests and preferences
o Capabilities
Resources required can be identified by analysing the work, tasks and sub-tasks involved and the
volume of work required.
Most organisations have standard procedures for requisitioning resources. For example, the IT
supplies team may have IT equipment that the user department may requisition through a formal
request approved by a designated level of authority (authorised person).
Organisations also have procedures to request the purchase of new resources and materials that
may not be available within the organisation. This has to be routed as per procedure through the
authorised department and personnel and requires the necessary approvals.
One also has to plan for foreseen and unforeseen events or occurrences that may impact the work
and ensure to factor these in for timelines, costs, material and human resource requirements, etc.
It is very important to check one’s work for accuracy, completeness and quality.
As a security analyst this is particularly important as your work is very detailed and a minor omission
may result in vulnerabilities being ignored and causing greater damage.
It is also important to meet time commitments and agreed deadlines. Failing to do so can lead to:
1. Loss of reputation and being recognised as incompetent or unprofessional.
2. Not being able to meet time commitments also impinges on further commitments of other work
that has to follow. There might be others depending on the output of the work done.
3. Delays can also cause financial losses, as there may be penalty clauses on delayed delivery.
4. Also, time spent on the job is budgeted at a certain cost; any delay means an increase in costs.
In order to maintain a clean and tidy work area the following practices may need to be followed:
1. Ensure routine cleanliness done by housekeeping or designated staff is carried out. Bring to their
notice or report areas which require cleanliness or have not been done so.
2. Ensure that food and beverage items and other organic materials are not brought into the work
area, where avoidable.
3. Ensure windows and doors are kept closed, especially in environments where there is risk of
dust accumulation.
4. Identify places for all materials and objects used in work and return these to their rightful place
after use.
5. Do not litter; use the appropriate dustbin for disposing of waste. Follow organisational
waste disposal procedures if specified.
6. Ensure surfaces are not damaged, scratched or dampened. It looks bad and at the same time
causes further deterioration and accumulation of harmful microbes or pest infestation.
7. Ensure that papers and files are not strewn around.
8. Encourage others to follow the same practices, in a polite and respectful manner.
Try this:
Visit your own work area and see what can be done to make it clean and tidy.
UNIT III
Maintaining Confidentiality
Lesson Plan
3.1. Treating confidential information
3.2. Policies and procedures for confidential information
LESSON PLAN
Privacy is having control over the extent, timing, and circumstances of sharing oneself with others,
physically, behaviorally, or intellectually.
Confidentiality is the treatment of information that an individual has disclosed in trust and with the
expectation that it will not be given away to others, without permission, in ways that are inconsistent
with the understanding of the original disclosure.
Confidential information refers to items that should be kept private. This can include documents,
images, audio materials, etc.
In today’s increasingly litigious and highly competitive workplace, confidentiality is important for a
host of reasons:
Sharing confidential information is often a professional violation and a legal violation. There
are a wide range of consequences including financial damages, loss of reputation, litigation,
etc.
Failure to properly secure and protect confidential business information can lead to the loss
of business/clients.
In the wrong hands, confidential information can be misused to commit illegal activity (e.g.,
fraud or discrimination), which can in turn result in costly lawsuits for the employer.
There are laws protecting the confidentiality of certain information in the workplace.
The disclosure of sensitive employee and management information can lead to a loss of
employee trust, confidence and loyalty. This will almost always result in a loss of productivity.
Restricted Information or Data: "Restricted information" is UC's term for the most sensitive
confidential information. Restricted information or data is any confidential or personal information
that is protected by law or policy and that requires the highest level of access control and security
protection, whether in storage or in transit.
Confidential workplace information can generally be broken down into three categories:
1) employee information,
2) management information,
3) business information.
To better protect confidential information, organisations can develop written confidentiality policies
and procedures.
Every business/organization should have a written confidentiality policy (typically in its employee
handbook) describing both the type of information considered confidential and the procedures
employees must follow for protecting confidential information. At the very least, we recommend
employers adopt the following procedures for protecting confidential information:
All confidential documents should be stored in locked file cabinets or rooms accessible only
to those who have a business “need-to-know.”
All electronic confidential information should be protected via firewalls, encryption and
passwords.
Employees should clear their desks of any confidential information before going home at the
end of the day.
Employees should refrain from leaving confidential information visible on their computer
monitors when they leave their work stations.
All confidential information, whether contained on written documents or electronically,
should be marked as “confidential.”
All confidential information should be disposed of properly (e.g., employees should not print
out a confidential document and then throw it away without shredding it first.)
Employees should refrain from discussing confidential information in public places.
Employees should avoid using e-mail to transmit certain sensitive or controversial
information.
Limit the acquisition of confidential client data (e.g., social security numbers, bank accounts,
or driver’s license numbers) unless it is integral to the business transaction and restrict access
on a “need-to-know” basis.
Before disposing of an old computer, use software programs to wipe out the data contained
on the computer or have the hard drive destroyed.
Enforcing the policy is one of the most important steps a business/organization can take to protect its
confidential information, and unfortunately, it is often the one step that is ignored. All the policies,
procedures and training in the world will not matter if those policies and procedures are not enforced.
For a confidentiality policy to have “teeth,” employees who violate the policy must be disciplined in
accordance with the employer’s corrective action procedures.
Confidentiality agreements go by many names. Sometimes they are called “non-disclosure
agreements,” and other times they are called “proprietary information agreements.” Regardless of
title, these agreements are contracts designed to protect the confidential “business information”
described above (e.g., “trade secrets”). These agreements are vital to most businesses today, especially
considering the ease with which employees can now electronically transfer large amounts of
information, much of which would be incredibly damaging in the hands of a competitor.
Summary
It is important to understand clearly one’s own and others’ scope of work and responsibilities
and the limits of their work and authority.
When one is unclear about what to do or needs to execute or make decisions about work that
extends beyond one’s remit and authority, it is important to secure formal permissions,
advice and assistance from those designated for the same.
All tasks at work must be performed accurately as per instructions and within the time limit
while demonstrating the following principles.
o establish and agree your work requirements with appropriate people
o work in line with organization’s policies / procedures and within limits of your job role
o obtain guidance from appropriate people, where necessary
o ensure your work meets the agreed requirements
o Provide feedback in the end to each group with respect to the same.
Since others are usually depending on the work being completed as per expectations, it is
important that they are made aware of progress and any problems that may arise.
The person providing the feedback should be thanked for taking the time to do so.
Feedback must be analyzed and used to improve our work and achieve better.
To incorporate feedback may sometimes require change of work processes and methods,
which may require approval of others.
The field of Information security is an evolving and rapidly changing field. The greatest
challenge for a security analyst will be to keep abreast and be in sync with the changes.
Flexibility to change is required to incorporate new and improved methods of working,
adjusting to environmental changes, supporting others, and refining goals and objectives.
However, to effect change in work practices or policies, it is important to follow protocol and
go through the right channels and procedures.
Keep your immediate work area clean and tidy, utilize your time effectively and use
resources correctly and efficiently.
Decide, as per your goals, which work is important and needs to be prioritised and what can be
avoided, delegated or negotiated.
Ensure that routine cleaning by housekeeping or designated staff is carried out. Bring to
their notice, or report, areas which require cleaning or have been missed.
Ensure that food and beverage items and other organic materials are not brought into the
work area, where avoidable.
Identify places for all materials and objects used in work and return these to their rightful
place after use.
Do not litter trash and use the appropriate dustbin for disposing waste. Follow organizational
waste disposal procedures if specified.
Confidential information is often generated in client-professional, or employee-employer
relationships and could also be conversations.
Sharing confidential information is often a professional violation and a legal violation. There
are a range of consequences including financial damages, loss of reputation, litigation, etc.
Failure to properly secure and protect confidential business information can lead to the loss of
business/clients.
In the wrong hands, confidential information can be misused to commit illegal activity (e.g.,
fraud or discrimination), which can in turn result in costly lawsuits for the employer.
The disclosure of sensitive employee and management information can lead to a loss of
employee trust, confidence and loyalty. This will almost always result in a loss of productivity.
Confidential workplace information can generally be broken down into three categories -
employee information, management information, business information.
All confidential documents should be stored in locked file cabinets or rooms accessible only to
those who have a business “need-to-know.”
All electronic confidential information should be protected via firewalls, encryption and
passwords.
Employees should clear their desks of any confidential information before going home at the
end of the day.
Employees should refrain from leaving confidential information visible on their computer
monitors when they leave their work stations.
All confidential information, whether contained on written documents or electronically,
should be marked as “confidential.”
3) State 3 benefits of having a tidy work area and 3 things that you can do to achieve this
Benefits
1. _____________________________________________________________________________
2. _____________________________________________________________________________
3. _____________________________________________________________________________
4. _____________________________________________________________________________
5. _____________________________________________________________________________
6. _____________________________________________________________________________
7. Feedback and approvals are often and actively sought from external customers and one’s own
direct supervisor. Internal customers and team members can also give feedback at times.
NOTES:
Student Handbook – Security Analyst SSC/N9002
SSC/ N 9002:
Work effectively with colleagues
Description: This unit is about working effectively with colleagues, either in your own work
group or in other work groups within your organization.
Scope This unit/task covers the following:
Colleagues:
line manager
members of your own work group
people in other work groups in your organization
Communicate:
face-to-face
by telephone
in writing
KA5. the importance of creating an environment of trust and mutual respect in an environment
where you have no authority over those you are working with
KA6. where you do not meet your commitments, the implications this will have on individuals and
the organization
B. Technical Knowledge
The user/individual on the job needs to know and understand:
KB1. different types of information that colleagues might need and the importance of providing
this information when it is required
KB2. the importance of understanding problems from your colleague’s perspective and how to
provide support, where necessary, to resolve these
THE UNITS
The module for this NOS is divided into 3 units based on the learning objectives given below.
UNIT I
Effective Communication
Lesson Plan
Resource Material
1.1. What is Communication?
1.2. Barriers to Effective Communication
1.3. Communicating Effectively at work
LESSON PLAN
Reading Skills
You need to know and understand how to:
SA3. read instructions, guidelines/procedures
Assessment (SA3): quiz; document review by peer group and faculty.
Communication
Any activity that involves the exchange of information between two or more persons to meet a
desired objective is known as communication.
Types of Communication
Verbal Communication - Verbal communication refers to the form of communication in which
the message is transmitted verbally. An important aspect of verbal communication is to
ensure that the person who is listening is also on the same page. Sometimes what the speaker
intends to say is not what the listener hears. Hence, the former has to make sure that he
communicates clearly. Some examples of oral communication: face-to-face interactions,
telephonic conversations, virtual video interactions like Skype chats, radio communication and
television.
Examples of non-verbal communication: giving a disapproving look to someone, frowning at
someone, nodding of the head in agreement and smiling in appreciation.
Examples of written communication: reports, manuals and PowerPoint presentations.
Email Etiquettes
Research has found that, on average, IT professionals spend about a quarter of their time at
work combing through the numerous emails and other digital messages they send and receive
each day.
Here are some considerations to keep in mind while communicating through emails or other
digital messaging options:
Include a subject line that is crisp and clear and matches the content of the message.
Remember, people often decide whether to open an email based on the subject line.
Use your official email address/account to conduct all official messaging. However, if you
have to use some other address/name/account for pressing reasons, then choose one
that is appropriate for the workplace.
Avoid using "reply all" unless there is a reason everyone on the list needs to receive the
email. Check before sending the message that it is being sent to all the people it is meant
for, and there is no-one who will find the message a waste of their time.
Use professional salutations.
Avoid emoticons as far as possible and use exclamation points sparingly. If you choose
to use an exclamation point, use only one to convey excitement. While emoticons are fun,
you don’t know how the recipient will take them. It's better to spell it out and write what
you mean.
Make your message easy to read. Don’t use long sentences. Use bullets to set off points
you want to make. If the content is important or complex, have someone you trust read it
and tell you where it was difficult to understand, so that you can correct it.
Keep it short and get to the point. The long e-mail is a thing of the past. Write concisely,
with lots of white space, so as to not overwhelm the recipient. Make sure when you look
at what you're sending it doesn't look like a burden to read.
Do not sound abrupt or harsh. Read your message out loud. If it sounds harsh to you, it
will sound harsher to the reader. Any emotion conveyed in a written message will
seem heightened.
Know that people from different cultures speak and write differently. Tailor your message
depending on the receiver's cultural background or how well you know them.
It's better to leave humour out of emails unless you know the recipient well. Something
that you think is funny might not be funny to someone else.
Reply to your emails — even if the email wasn't intended for you. It's difficult to reply to
every email message ever sent to you, but you should try to. Even if the email was sent to
you accidentally, you can reply informing the sender, so that it can be sent to the correct
person on time.
Proofread every message. Don't rely only on spell-checkers. Read and re-read your email
a few times, preferably aloud, before sending it off.
Be cautious with colour or all capitals in the message. They are distracting and may be
perceived the wrong way. Writing in all capitals can convey that you are shouting in your
message, and nobody likes to be yelled at.
Don't use email to discuss Confidential Information. Email messages are easy to copy,
print and forward.
Your e-mail greeting and sign-off should be consistent with the level of respect and
formality of the person you're communicating with.
Always include a signature. You never want someone to have to look up how to get in
touch with you. If you're social media savvy, include all of your social media information
in your signature as well.
“Remember - Your e-mail is a reflection of you. Every e-mail you send adds to, or detracts
from your reputation.”
UNIT II
Working Effectively
Lesson Plan
Resource Material
2.1. Working Effectively
LESSON PLAN
You, the Information Security Analyst of a company, have been entrusted with the task of upgrading
the organization’s security systems. You have been able to upgrade the system, but you cannot be sure
of its success until you test the system. For that, you would need help from all the people in the
organization who use computer systems.
You need their feedback to ascertain whether they are experiencing any technical glitches. Also, you
need to test the systems on Saturdays, when the company has a weekly off, but some employees do
come in to work overtime. You need to convince them that they cannot work overtime on one of the
Saturdays, as testing is important for you. Getting approval from all the colleagues and departments
and zeroing in on a date would be a challenge.
Such tasks are only possible when you have a good relationship with your colleagues and they
understand the importance of your job.
One important aspect of inter-dependence is mutual respect and trust. This is as true in
professional relationships as it is in personal relationships. Consider this example:
Example-2
A new colleague joins an organisation in the Finance department. He is not able to understand the
networking system of the organisation. He calls you, the Information Security Analyst, and asks for
help. You give him the Help Manual and ask him to refer to it. He calls you back and says that he is not
able to understand much from the Manual and needs some time with you. You tell him this is way
beyond your scope of work.
After a few months, your company’s CEO asks you to install special security systems for the Finance
department as the data with them was more vulnerable than that of the other departments. For this,
you need to understand the workings of the department and come up with a plan that would be
approved by the department representative. As luck may have it, the department representative turns
out to be that very person whom you had refused to help earlier.
Example-3
other, which means giving access to each other’s systems. For Reena, this means that she will have to
share the details of the firewalls and other security systems that she has installed on the network with
the other two sub-departments.
Jai handles the Hardware part, while Amit handles the Software part.
Both Amit and Reena have been in the organisation for over two years and have therefore reached a
point where they can trust each other with their confidential information. On the other hand, Jai is
new to the organisation. Reena is uncomfortable sharing all the details with him. Jai, however, trusts
her and shares his information freely.
After a while, he realises that Reena is not reciprocating and is hiding some crucial information from
him. On one occasion, Jai had to make a Hardware Procurement Plan for the coming year, for which he
needed to understand Reena’s system requirements for the coming year. Reena did not share all the
information with Jai, because of which Jai’s plan suffered. Because Reena and Amit were friends, Jai
started mistrusting Amit as well.
As a result, the entire IT department’s plans suffered.
Please comment on this scenario and discuss what steps the organisation, or Reena and Amit, could
have taken to prevent the trust gap.
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
Some of the benefits of an environment of trust and mutual respect are as follows:
Example-4
The Information Security department of a bank was entrusted with the task of upgrading the anti-
virus software of all the computers at the bank over the weekend. The Information Security
department had only two employees who were responsible for this.
One of them had his annual leave planned for that weekend, which he availed.
And, the other fell sick.
As a result, the task could not be completed over the weekend. As luck would have it, there was a virus
attack on the systems on Monday morning, as a result of which some financial transactions of some
customers were leaked to unauthorised people.
The customers got to know of this and as a result, there was a huge backlash against the bank. The
company’s senior management and the Public Relations department had to work overtime to allay
the fears of the customers. Some other employees too had to work overtime to ensure that no
unauthorised transactions were performed from the leaked data. In short, the whole company
suffered.
Do you see how important the role of an Information Security Analyst is, and the ripple effect it can
have on an organization if the Analyst does not perform his duties properly?
The performance of the entire team suffers, which has an impact on the performance of the
department and organization as a whole.
Customers get annoyed and the organization’s reputation gets tarnished.
Remedial action eats up resources that could have been used for more productive activities.
Summary
Communication is an activity that involves the exchange of information between two or more
persons to meet a desired objective.
Types of Communication are Verbal Communication, Non-Verbal Communication and Written
Communication
Some impediments that can come in the way of communicating effectively with others are
Physical barriers, Perceptual barriers, Emotional barriers, Cultural barriers and Language
barriers
The following are some ways to communicate effectively:
Be clear about what you want to say before communicating.
Modify your message according to the recipient, if required. The background and need of
the recipient should be kept in mind.
Be careful about the language, tone and content of the message.
Take cues from the non-verbal messages that the receiver may be sending that may help
you understand whether he is getting your message, or is still interested.
Listen to the other person’s point of view during a communication.
Choose the medium of communication carefully.
Do not let your personal biases creep in.
Some considerations to keep in mind while communicating through emails or other digital
messaging options are:
Include a subject line that is crisp and clear and matches the content.
Avoid using "reply all" unless there is a valid reason.
Use professional salutations.
Make your message easy to read. Keep it short and get to the point.
Do not sound abrupt or harsh. Tailor your message depending on the receiver's cultural
background or how well you know them. It's better to leave humour out of emails unless
you know the recipient well.
Be cautious with colour or all capitals in the message.
Don't use email to discuss Confidential Information.
The following are some benefits of developing productive relationships with colleagues:
Getting tasks done gets easier.
Colleagues are more likely to go along with the changes that you recommend.
Instead of spending time and energy on negative relationships, you can focus on
opportunities.
You can get ideas and feedback from others.
You can take help in hours of need, if required.
Your productivity increases.
Your performance gets appraised better.
You can learn from others and add to your existing skill-set.
One important aspect of inter-dependence is mutual respect and trust. This is as true in
professional relationships as it is in personal relationships. Where it is lacking:
The performance of the entire team suffers, which has an impact on the performance of the
department and organisation as a whole.
Customers get annoyed and the organisation’s reputation gets tarnished.
Remedial action eats up resources that could have been used for more productive activities.
Key Points
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
2. Give 2 examples that highlight the importance of effective communication and establishing good
working relationships with colleagues.
1. ___________________________________________________________________________
___________________________________________________________________________
2. ___________________________________________________________________________
___________________________________________________________________________
Verbal
1. ___________________________________________________________________
2. ___________________________________________________________________
Non-Verbal
1. ___________________________________________________________________
2. ___________________________________________________________________
Written
1. ___________________________________________________________________
2. ___________________________________________________________________
1. ___________________________________________________________________________
2. ___________________________________________________________________________
3. ___________________________________________________________________________
4. ___________________________________________________________________________
Explain the importance of creating an environment of trust and mutual respect in an environment
where you have no authority over those you are working with.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
Explain the importance of understanding problems from your colleague’s perspective and how to
provide support, where necessary, to resolve these.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
NOTES:
Student Handbook – Security Analyst SSC/N9003
SSC/ N 9003:
Maintain a healthy, safe and secure working
environment
Unit Title (Task): Maintain a healthy, safe and secure working environment
Description: This unit is about monitoring the working environment and making sure it meets requirements for health, safety and security.
Emergency procedures:
illness
accidents
fires
other reasons to evacuate the premises
breaches of security
PC1. comply with your organization’s current health, safety and security policies
and procedures
PC2. report any identified breaches in health, safety, and security policies and
procedures to the designated person
PC3. identify and correct any hazards that you can deal with safely, competently
and within the limits of your authority
PC4. report any hazards that you are not allowed to deal with to the relevant
person in line with organizational procedures and warn other people who
may be affected
PC5. follow your organization’s emergency procedures promptly, calmly, and
efficiently
PC6. identify and recommend opportunities for improving health, safety, and
security to the designated person
PC7. complete any health and safety records legibly and accurately
KA5. the organisation’s emergency procedures for different emergency situations and the importance of following these
KA6. the importance of maintaining high standards of health, safety and security
KA1. implications that any non-compliance with health, safety and security may have on individuals and the organization
B. Technical Knowledge: You need to know and understand:
KB1. different types of breaches in health, safety and security and how and when to report these
KB2. evacuation procedures for workers and visitors
KB3. how to summon medical assistance and the emergency services, where necessary
KB4. how to use the health, safety and accident reporting procedures and the importance of these
KB1. government agencies in the areas of safety, health and security and their norms and services
THE UNITS
The module for this NOS is divided into 4 Units based on the learning objectives given below.
UNIT I
Need for Health and Safety at Work
Lesson Plan
Resource Material
1.1. Need for Health and Safety at Work
LESSON PLAN
Since 1950, the International Labour Organisation (ILO) and the World Health Organisation (WHO) have shared a common definition of occupational health. The definition reads:
"(i) the maintenance and promotion of workers’ health and working capacity;
(ii) the improvement of working environment and work to become conducive to safety and health, and
(iii) development of work organisations and working cultures in a direction which supports health and safety at work, and in doing so also promotes a positive social climate and smooth operation, and may enhance productivity of the undertakings.
The concept of working culture is intended in this context to mean a reflection of the essential value systems adopted by the undertaking concerned. Such a culture is reflected in practice in the managerial systems, personnel policy, principles for participation, training policies and quality management of the undertaking."
Why is it important?
Having a healthy, safe and secure working environment is important for the following reasons:
Examples:
Civil Liability for Nuclear Damage Act, 2010 - An Act to provide for civil liability for nuclear damage and prompt compensation to the victims of a nuclear incident through a no-fault liability regime channelling liability to the operator, appointment of Claims Commissioner, establishment of Nuclear Damage Claims Commission and for matters connected therewith or incidental thereto.
Atomic Energy (Factories) Rules, 1996 - Applies to all factories owned by the Central Government engaged in activities under the Atomic Energy Act 1962 (33 of 1962). Regulates health inspectors, workplace hygiene, safe use of machinery, manual labour, and protective equipment. Chapter VI covers hours of work; Chapter VII forbids the employment of persons under the age of 18. Provides for special working conditions for work involving lasers and toxic substances. Repeals the Atomic Energy (Factories) Rules, 1984.
The Plantations Labour Act, 1951 - Provides for the welfare of labour and regulates the conditions of work in plantations. Contains 43 sections and 8 chapters concerning registration of plantations; inspection staff; health provisions; welfare; hours and limitation of employment; leave with wages; accidents; and penalties and procedure.
Factories Act, 1948 - This Act contains 120 sections, and is divided into Chapters concerning inspection staff, health, safety, hazardous processes, welfare, working hours of adults, employment of young persons, annual leave with wage, and penalties and procedures.
Employer's Liability Act, 1938 - Provides that certain defences shall not be raised in suits for damages in respect of injuries sustained by workmen.
Indian Boilers Act, 1923 - Provides for the registration and certification of boilers, reporting of boiler-related accidents, and duties of boiler owners at examination.
Business case
Employers are recognizing the competitive advantage that a healthy workplace can provide to them,
in contrast to their competition, who would feel that a healthy and safe workplace is just a necessary
cost of doing business.
Global case
There is a widespread agreement among global agencies, including the World Health Organisation
(WHO) and the International Labour Organisation (ILO) that the health, safety and well-being of
workers, who make up nearly half the global population, is of paramount importance. Thus, in order
to comply with international standards and to have a good reputation globally, organisations in India
too need to maintain a healthy, safe and secure working environment.
This can be best explained with the help of the following diagram:
3. Chemical hazards are present when you are exposed to any chemical preparation (solid, liquid, or gas) in the workplace. For example: cleaning products and solvents, vapours and fumes, carbon monoxide or other gases, gasoline or other flammable materials.
4. Biological hazards come from working with people, animals, or infectious plant material. For example: blood or other bodily fluids, bacteria and viruses, insect bites, animal and bird droppings.
5. Electrical hazards arise because much of the equipment in the workplace runs on electricity; if due precautions are not taken, this can cause fire, electric shock or electrocution.
reported that the area where UCIL had set up the plant was still contaminated with toxic chemicals including benzene hexachloride and mercury, which were stored in open containers and in some cases spilled into the ground. In 2009 the same body also took samples from a commonly used hand pump situated north of the plant and found that the water contained 1000 times the World Health Organisation’s recommended maximum amount of carbon tetrachloride, a known carcinogen.
List some implications of not paying adequate attention to health and safety at work.
Discuss in groups; understand, summarise and articulate the hazards with respect to health, safety and security, and prepare a report.
UNIT II
Security Analyst’s role
Lesson Plan
Lesson
2.1. Security Analyst’s Role
Summary
Check Your Understanding
LESSON PLAN
Understanding ‘Safety’
An accident is an unplanned and undesired occurrence, which may or may not result in injury, or damage to self, others and/or property. The main causes of accidents (as shown in the chart) are:
Unsafe actions, 80%
Unsafe conditions, 18%
Natural calamities, 2%
Thus lack of awareness about safety is the main cause of accidents.
Safety is freedom from accidents, injury or damage; it is a pro-active means to give protection from
known dangers. A safe workplace is free of risks and hazards.
Hazards are the potential to cause harm (accidents, injury or damage) e.g.
Naked wires
Heavy equipment and machines
Heat being generated in the computers, Servers, etc.
Sharp edges on furniture
Risks are the likelihood of harm (accidents, injury or damage) e.g.
Plugging equipment with naked wires
Lifting heavy equipment in a wrong posture
Working in a non-temperature regulated environment with Technology that heats up
Using duplicate parts in IT equipment that could pose a safety threat
How to control?
Entry/exits/blind turns should be clear of obstructions/faults at all times.
Cupboards and shelves should be neatly arranged, preferably supported by the wall or fixed
on the floor.
Warning signs should be placed if a physical hazard cannot be removed.
Always try to use a machine or tool when a heavy object has to be lifted.
If that is not possible, split the load and lift it in more than one trip, or ask for help.
If one has to lift a heavy object by hand, follow correct lifting practices while lifting or moving it.
WARNING SIGNS
Danger – Watch your step Danger – Under construction Danger – Watch your step
Electrical Risks:
Electricity is an amazing thing when used properly, but it can very easily hurt, harm and even fatally injure a person who comes in contact with it. Whenever one works with power tools or electrical circuits there is a risk of electrical hazards, especially electrical shock.
Security analysts must pay special attention to electrical hazards because they work with electrical supplies and circuits. Coming in contact with an electrical voltage can cause current to flow through the body, resulting in electrical shock, burns or serious injury. Even death may occur.
Electric Shock: An electrical shock is received when electrical current passes through the body. One
gets an electrical shock if:
• touching a live wire and an electrical earth, or
• touching a live wire and another wire at a different voltage.
Electricity travels in closed circuits, and its normal route is through a conductor. Electric shock occurs
when the body becomes part of a circuit and works like a conductor. Earthing is a physical connection
to the earth, which is at zero volts.
Freeing a victim from electrocution
The first person to reach a shocked worker should cut off the current if this can be done
quickly.
If this is not possible, the victim should be removed from contact with the charged equipment: either the equipment/wire or the victim should be pulled away.
Bare hands should not be used, use a dry board, dry rope, leather belt, coat, overalls or some
other non-conductor.
Be sure to stand on a non-conducting surface when pulling – dry rubber slippers, dry wooden
board, etc.
Accident prevention is said to be everybody’s job. The security analyst can at least do the following:
observe all unsafe conditions and warn people of potential hazards
report any violations of safety rules, and
set a good example by his or her own behaviour
Far too many accidents happen due to unsafe conditions that were not noted, reported, or corrected. After finding an unsafe condition, the security analyst must either correct the condition or report it to someone who can make the correction.
Safety is largely a matter of common sense. Corrective action should be taken when possible, or the proper authority called to handle the situation. It is important both to guests and to the people being protected from injuries caused by careless safety practice.
Obtain the organization’s current health, safety and security policies and procedures
and list the key items that you would have to follow.
Conduct a field study of the training institute and make a report of:
1. the items that are being followed and those that are being violated.
Potential for severe injuries or illness- The consequences of the incident, hazardous
conditions, or exposure to harmful substances are potentially severe.
Newly established jobs- Due to lack of experience in these jobs, hazards may not be evident
or anticipated.
Modified jobs- New hazards may be associated with changes in job procedures.
Infrequently performed jobs- Employees may be at greater risk when undertaking non-
routine jobs, and an analysis provides a means of reviewing hazards.
Step 2- Break the job down into a sequence of steps. Ensure that each step is not too specific, or too
general. Steps should be kept in the correct sequence. Document using the company template. Make
notes on what is done, rather than how it is done.
Step 3- Identify the potential hazards. Based on observations of the job, knowledge of incident and
injury causes, and personal experience, list the things that could go wrong at each step. The following
is a list of questions that may be used to help identify potential hazards:
Is lighting a problem?
Step 4- Hazard Mitigation- Upon completion of the first three steps of the job hazard analysis,
determine the appropriate controls to overcome the hazards. You can remind the students that these
steps have already been discussed in this chapter earlier: elimination, substitution, isolation,
engineering controls, administrative controls, and personal protective clothing and equipment.
From the websites of various organizations, understand the policies and guidelines for health, safety and security.
Define the role and responsibilities related to this in an employee context (research and report).
Complies with his organisation’s current health, safety and security policies and procedures.
Reports any identified breaches in health, safety and security policies and procedures to the
designated person.
Identifies and corrects any hazards that he can deal with safely, competently and within the limits of his authority.
Reports any hazards that he is not competent to deal with to the relevant people in line with
organisational procedures.
o Warns others who may be affected.
Follows the emergency procedures promptly, calmly and efficiently.
Identifies and recommends opportunities for improving health, safety and security to the
designated person.
Completes any health and safety records legibly and accurately.
Coordinates with the appropriate people for his information needs.
Is reliable; gets information from reliable sources
Communicates with colleagues clearly, concisely and accurately.
Integrates his work effectively with others.
Shares essential information on time.
Takes help from the appropriate people when there are any problems with the information.
Follows the company rules while analysing data.
Keeps track of the needs of the organisation.
Honours his commitments.
o If for some reason, he is unable to carry out his promises, he informs in advance and
suggests alternatives.
Maintains good relationships with colleagues.
o Sorts out problems with them, if any.
o Shows respect for others.
Follows the policies, procedures and culture of the organisation.
Keeps abreast of technological developments.
Takes care of quality issues.
o Maintains the data in the required formats
o Keeps data up-to-date
o Provides accurate information
Work in groups and fill in the following table based on what you have learnt so far.
UNIT III
Emergency Situations
Lesson Plan
Lesson
3.1. Emergency Situations
Summary
Check your Understanding
LESSON PLAN
How to use health, safety and accident reporting procedures and their importance
The Information Security Analyst should be well conversant with the organisation’s policy and procedures for emergency reporting. Not only should he keep an eye out for potential hazards, he should also report them to the line manager or any other person designated for the purpose. If he fails to do so, serious incidents can occur that harm the employees and the company as a whole.
UNIT IV
Skills for maintaining Health and Safety at Work
Lesson Plan
Lesson
3.1. Skills for maintaining Health and Safety at Work
Summary
Check your Understanding
LESSON PLAN
A skill is the ability to use information, or knowledge acquired through education or experience, to accomplish a given task.
Types of skills
Technical Skills- The ability to do a specific type of activity or work.
Human Skills- The ability to work with people.
Conceptual Skills- The ability to work with ideas, or concepts.
Generic Skills - Skills that are common to most white-collar jobs, such as reading, writing, listening and speaking.
Professional Skills- These skills make a person more employable by giving the person the ability to
make logical decisions and the ability to solve problems judiciously. Some examples of professional
skills are decision making, planning and organising, customer centricity, problem solving, critical
thinking, attention to detail, and team work.
Core/ Generic Skills- As an Information Security Analyst, you should be able to communicate well
with colleagues, in writing. You should be able to write accurately with attention to detail. For
example, making plans for the department for upgrading the safety and security systems requires
writing skills. You should also be able to read instructions, guidelines, procedures and service level
agreements laid down by your organisation. For example, each organisation has certain guidelines for
maintaining a healthy and safe environment. As an Information Security Analyst, you should be aware
of those. Only then can you install the appropriate systems. Other than reading and writing, an
Information Security Analyst should also have oral skills like listening and speaking. For example, when
talking to your line manager, you need to listen to the instructions carefully. If at any stage, you do
not understand the instructions, you should be able to speak well and ask for clarifications.
Professional Skills- During the course of any career, one needs to be adept at professional skills like
problem solving, critical thinking, logical reasoning, etc. This is equally true for an Information Security
Analyst.
Decision Making- Many times, as an Information Security Analyst, you would need to take
decisions, and you should have the skills to be able to take the appropriate decisions. Also, you
should follow the company rules for the same. For example, what safety systems to install? How
to test them?
Planning and Organising- These are basic skill sets of any role. To be able to accomplish any task,
one needs to first plan and then organise the sub-tasks. For example, making a Project Plan for
upgrading the safety and security systems.
Customer Centricity- As explained in the earlier chapter as well, here too you, the Instructor, will have to explain that the term ‘customer’ refers to internal customers, i.e., colleagues. You can tell the students that as an Information Security Analyst, they will need to work with colleagues from across the organisation, as has been explained in the chapter on how to work effectively with colleagues. When designing and installing the security systems, they will have to make sure that these meet the requirements of their colleagues. In other words, their needs have to be considered paramount. Not only should you strive to meet customer requirements, you should try to exceed them.
Problem Solving- You can tell the students that they would have to face many challenges as an
Information Security Analyst. They will have to develop problem solving skills to be able to handle
them. For example, if you have developed a system that mandates all employees to not use the
emergency evacuation doors under normal circumstances, and if you notice certain anomalies, it
would be your responsibility to bring this to the notice of your line manager.
Analytical Thinking- Another skill-set that is associated with an Information Security Analyst is that
he will need to have an analytical bent of mind. He will have to analyse data across the
organisation and also monitor the activities of all, before coming up with a security plan. He will
have to ensure that the relevant information reaches the concerned people on time.
Critical Thinking- This skill may be required by an Information Security Analyst time and again, as he may have to apply his judgement in a balanced manner in various situations. For example, he may suggest a particular networking system that requires the least maintenance and has a very low risk of fire or electrical shock, but senior management may not agree because it is too expensive. Thus, he may have to apply his judgement to come up with a plan that keeps the budgetary constraints in mind while not compromising on safety.
Attention to Detail- Quality is a key criterion for any job and that of an Information Security Analyst
is no different. One aspect of it is to pay attention to detail. For example, emergency evacuation
route of an organisation may be different for the senior management as compared to that of the
others. The Information Security Analyst would need to be aware of this while designing his
policies. Also, he needs to ensure that his plan is error-free and complete. He can also take help
from his colleagues, if required.
Team Work- No job can be completed without interacting with others, within and outside the
organisation. Thus the ability to be able to work with others as a team is a key requirement. For
example, to be able to test his data backup systems, an Information Security Analyst would need
to coordinate with members of other teams. Hence, being able to work effectively in a team
environment is a must-have skill-set.
Technical Skills- Just like technical knowledge, technical skills are equally important for any Information Security Analyst to perform his job. For example: the ability to use information technology efficiently; being able to input and extract safety data accurately; being able to validate and update
safety data; being able to identify and refer anomalies in safety data; being up to date with changes,
procedures and practices in your role; being able to reach agreements with colleagues; etc.
Complies with his organisation’s current health, safety and security policies and procedures.
Reports any identified breaches in health, safety and security policies and procedures to the
designated person.
Identifies and corrects any hazards that he can deal with safely, competently and within the limits of his authority.
Reports any hazards that he is not competent to deal with to the relevant people in line with
organisational procedures.
o Warns others who may be affected.
Identifies and recommends opportunities for improving health, safety and security to the
designated person.
Takes help from the appropriate people when there are any problems with the information.
If for some reason, he is unable to carry out his promises, he informs in advance and suggests
alternatives.
Takes a logical and practical approach to problems, keeping the constraints of the organisation in mind.
Gives importance to the needs of the colleagues and responds to their feedback.
SUMMARY
Maintaining health and safety at work is important because:
Moral case - Ensuring safety and well-being of workers, and providing an environment
that causes no harm to mental, or physical health, is a moral obligation of organisations.
Ethical case - Exposing employees to toxic chemicals and other risk factors is unethical.
Hence, providing healthy, safe and secure working environment becomes an ethical
obligation of organisations.
Legal case - There are many laws in our country that mandate organisations to have a
healthy, safe and secure working environment.
Safety is freedom from accidents, injury or damage; it is a pro-active means to give protection
from known dangers. A safe workplace is free of risks and hazards.
Hazards are the potential to cause harm (accidents, injury or damage).
Risks are the likelihood of harm (accidents, injury or damage).
Some safety and health related hazards are as follows:
Surfaces/places related hazards and risks
Equipment/items related hazards and risks
Materials and chemical hazards and risks
Physical hazards and risks
Electrical risks
The first person to reach a shocked worker should cut off the current if this can be done
quickly.
If this is not possible, the victim should be removed from contact with the charged
equipment.
Far too many accidents happen due to unsafe conditions that were not noted, reported, or
corrected. After finding an unsafe condition, one must either correct the condition or report it
to someone who can make the correction.
The role and responsibilities of an Information Security Analyst related to maintaining a
healthy, safe and secure working environment would be defined in the organisation’s policy
on the same. Thus, he would have to ensure that he follows the rules.
An Information Security Analyst, with regard to his ability to maintain a healthy, safe and secure working environment, should:
Comply with his organisation’s current health, safety and security policies and procedures.
Report any identified breaches in health, safety and security policies and procedures to the designated person.
Identify and correct any hazards that he can deal with safely, competently and within the limits of his authority.
Report any hazards that he is not competent to deal with to the relevant people in line with organisational procedures.
Follow the emergency procedures promptly, calmly and efficiently.
Identify and recommend opportunities for improving health, safety and security to the designated person.
Complete any health and safety records legibly and accurately.
Coordinate with the appropriate people for his information needs.
788
Student Handbook – Security Analyst SSC/N9003
2. State 5 actions that are your responsibility for dealing with hazards
3. State 5 actions that are not within the limits of your responsibility for dealing with hazards
Student Handbook – SSC/ Q09004 – Security Analyst
SSC/ N 9004:
Provide data/information in standard formats
Description This unit is about providing specified data/information related to your work in
templates or other standard formats.
Scope This unit/task covers the following:
Appropriate people:
line manager
members of your own work group
people in other work groups in your organization
subject matter experts
Data/information:
quantitative
qualitative
Sources:
within your organization
outside your organization
Formats:
paper-based
electronic
Performance Criteria (PC) w.r.t. the Scope
THE UNITS
The module for this NOS is divided into 4 Units based on the learning objectives given below.
UNIT I
Information and Knowledge
Management
Lesson
1.1. Information and Knowledge Management
Summary
Check your understanding
What is data?
Data is unprocessed facts, or figures without any added interpretation, or analysis. For example,
Asha’s salary is Rs. 10,000 per month.
What is information?
Information is data that has been interpreted, or analysed so as to give it some meaning. For example,
Asha’s salary is Rs. 10,000, which is 10% less than that of her peers.
What is knowledge?
Knowledge is the combination of information, experience and insight that is useful for deciding a
course of action. For example, if Asha develops her writing skills, her salary can reach at par with her
peers.
Enlist the kind of data, or information that an Information Security Analyst is likely to deal with.
Knowledge Management
Knowledge management is the systematic management of an organisation’s knowledge assets for the
purpose of creating value, and meeting tactical and strategic requirements.
What kind of data, or information is required by an Information Security Analyst?
An Information Security Analyst usually has to deal with the following types of data and information
to perform their job effectively:
Information about the current security systems, if any.
Computer hardware and software specifications
Information about the networking systems
Information about the latest security systems available in the market
Feedback of the users
Problems faced by the users
What type of people is an Information Security Analyst likely to interact with to manage data
effectively?
UNIT II
How to manage data/
information effectively
Lesson Plan
Lesson
2.1. How to Manage Data/Information Effectively
Summary
Check your understanding
LESSON PLAN
What is a policy?
A policy is a statement of agreed intent that clearly sets out an organisation’s views with respect to a
particular matter.
What is a procedure?
A procedure/practice is a clear step-by-step method for implementing an organisation’s policy, or
responsibility.
2. Understand, summarize and articulate policies and procedures and specify the
importance of complying with policies and procedures.
An Information Security Analyst needs to understand not only the organisation’s policies and
procedures for the type of data and information that may be used, but also the procedures for how
to use them. Such policies clearly lay out the formats in which data has to be stored, and when, where
and how it has to be shared. For example, an organisation could have a policy to record all system
testing data in an online format that the senior management can access at any time.
Identifying the appropriate people to take advice from and to report to with
appropriate data/ information
The kind of data and information that an Information Security Analyst deals with is sensitive in nature,
so one needs to be aware of the company policy about whom one can share the data with, and whom
one can take advice from. For example, the R&D division of a company may not want to share the
details of its security systems with heads of other departments, so as an Information Security Analyst,
you will have to be careful about that.
What is CRM?
Evaluate open source CRM database. Download public datasets and do a validation check.
What is a database?
A database is a collection of information that is organized so that it can easily be accessed, managed,
and updated. Microsoft Excel is an example of a very basic database.
An integral part of the job of an Information Security Analyst is to understand the CRM database of
an organisation to ensure that customer data is stored and accessed securely.
Consistent
Timely availability
Valid
Relevant
The following are some commonly used tools for data analysis:
MS Excel
SAS
SPSS
Minitab
As an Information Security Analyst, not only do you have to ensure that you store data properly, you
need to identify the anomalies, and report them. For example, if you find that data about your
company’s plans is being accessed by some IP address outside your organisation at odd hours, you
should verify the information and report it to your seniors immediately.
UNIT III
Skills required to manage data
and information effectively
Lesson Plan
Lesson
3.1. Skills required to manage data and information effectively
Summary
Check your understanding
LESSON PLAN
Types of skills
Technical Skills- The ability to do a specific type of activity or work.
Human Skills- The ability to work with people.
Conceptual Skills- The ability to work with ideas, or concepts.
Generic Skills- These are skills common to most white-collar jobs, such as reading, writing,
listening and speaking.
Professional Skills- These skills make a person more employable by giving the person the ability
to make logical decisions and the ability to solve problems judiciously. Some examples of
professional skills are decision making, planning and organising, customer centricity, problem
solving, critical thinking, attention to detail, and team work.
they meet the requirements of their colleagues. In other words, their needs have to be considered
paramount. Not only should you strive to meet customer requirements, you should try and exceed
them.
Problem Solving- You would have to face many challenges as an Information Security Analyst. You
will have to develop problem solving skills to be able to handle them. For example, if you have
developed a system that does not permit employees to access data on Sundays, and if you notice
certain anomalies, it would be your responsibility to bring this to the notice of your line manager.
Analytical Thinking- Another skill-set associated with an Information Security Analyst is an
analytical bent of mind. You will have to analyse data across the organisation and also monitor the
activities of all, before coming up with a data security plan. You will have to ensure that the relevant
information reaches the concerned people on time.
Critical Thinking- This skill may be required by an Information Security Analyst time and again, as
you may have to apply your judgment in a balanced manner in various situations. For example,
you may suggest a particular data security template, but the senior management may not agree
due to it being too complex. Thus, you may have to apply your judgement to come up with a plan
that keeps user friendliness in mind while not compromising on security.
Attention to Detail- Quality is a key criterion for any job and that of an Information Security
Analyst is no different. One aspect of it is to pay attention to detail. For example, data usage policy
of an organisation may be different for the senior management as compared to that of the others.
The Information Security Analyst would need to be aware of this while designing policies. Also,
you need to ensure that the data is error-free and complete. You can also take help from
colleagues, if required.
Team Work- No job can be completed without interacting with others, within and outside the
organisation. Thus the ability to be able to work with others as a team is a key requirement. For
example, to be able to test database systems, an Information Security Analyst would need to
coordinate with members of other teams. Hence, being able to work effectively in a team
environment is a must-have skill-set.
Technical Skills- Just like technical knowledge, technical skills too are equally important for any
Information Security Analyst to perform their job. For example, the ability to use information
technology efficiently; being able to input and extract data accurately; being able to validate and
update data; being able to identify and refer anomalies in data; being able to store and share
information in standard formats; being up to date with changes, procedures and practices in your role;
etc.
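The anomaly described earlier (company plans read from an IP address outside the organisation at odd hours) and the Sunday-access anomaly under Problem Solving can be checked mechanically before being escalated. The following Python is an added example, not part of the handbook: it scans a constructed access log and lists the accesses to verify and report, assuming a hypothetical log format, hypothetical organisation address ranges and hypothetical business hours.

```python
"""Added example (not from the handbook): flag accesses to sensitive data from
IP addresses outside the organisation, outside business hours, or on Sundays,
and produce a short report to hand to the line manager."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed assumption: the organisation's own address ranges.
ORG_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time (assumption)
SUNDAY = 6                      # datetime.weekday(): Monday=0 ... Sunday=6

# Constructed sample access log: "<ISO timestamp> <user> <src_ip> <resource>"
SAMPLE_LOG = """\
2015-12-07T10:15:02 asha 10.2.14.7 /plans/roadmap-2016.xlsx
2015-12-07T23:41:55 asha 203.0.113.45 /plans/roadmap-2016.xlsx
2015-12-13T11:05:10 ravi 10.2.14.9 /plans/budget.xlsx
2015-12-08T14:20:00 ravi 198.51.100.20 /hr/leave-policy.pdf
2015-12-09T03:02:17 guest 192.168.5.33 /plans/roadmap-2016.xlsx
"""


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    src_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    resource: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the constructed log format; skip blank and malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip, resource = parts
        try:
            events.append(AccessEvent(datetime.fromisoformat(ts), user,
                                      ipaddress.ip_address(ip), resource))
        except ValueError:
            continue  # bad timestamp or address: not a usable event
    return events


def is_internal(ip) -> bool:
    """True when the address falls inside one of the organisation's ranges."""
    return any(ip in net for net in ORG_NETWORKS)


def reasons_for(event: AccessEvent) -> list[str]:
    """Return the policy rules an event breaks (empty list = normal access)."""
    reasons = []
    if not is_internal(event.src_ip):
        reasons.append("source IP outside organisation")
    if event.when.hour not in BUSINESS_HOURS:
        reasons.append("access outside business hours")
    if event.when.weekday() == SUNDAY:
        reasons.append("access on Sunday")
    return reasons


def find_anomalies(text: str, sensitive_prefix: str = "/plans/") -> list[dict]:
    """Anomalies on sensitive resources only, each with the rules it broke."""
    findings = []
    for ev in parse_log(text):
        if not ev.resource.startswith(sensitive_prefix):
            continue
        reasons = reasons_for(ev)
        if reasons:
            findings.append({"when": ev.when.isoformat(), "user": ev.user,
                             "src_ip": str(ev.src_ip), "resource": ev.resource,
                             "reasons": reasons})
    return findings


def report(findings: list[dict]) -> str:
    """Plain-text report in a fixed format, ready to share with the line manager."""
    if not findings:
        return "No anomalies found."
    lines = [f"{len(findings)} anomalous access(es) to verify and report:"]
    for f in findings:
        lines.append(f"  {f['when']} {f['user']} from {f['src_ip']} "
                     f"read {f['resource']}: {'; '.join(f['reasons'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_anomalies(SAMPLE_LOG)))
```

The findings are only a prompt for verification: the analyst still confirms each one (a VPN user or a scheduled job may explain it) before reporting it, as the text requires.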
o If for some reason, the analyst is unable to carry out their promises, they inform in
advance and suggest alternatives.
Maintains good relationships with colleagues.
o Sorts out problems with them, if any.
o Shows respect for others.
Follows the policies, procedures and culture of the organisation.
Keeps abreast with the technological developments.
Reports any unresolved anomalies in the data to the appropriate people.
Takes care of quality issues.
Practical Exercises
For writing Skills: Documentation preparation as per specifications given. Story writing,
Handouts.
For Reading Skills: Download instructions, procedures and guidelines from the internet and
hold peer and faculty discussions.
For Listening and speaking skills: Conduct a group discussion on a topic selected by the
faculty. Listen, Interpret and communicate between groups and Faculties.
For decision making skills: Discover and review data from public websites. Use various
supervised and unsupervised learning methods. Build models and find a decision making
process. Recommend groups to take different domains (data sets). Document entire
exercise and circulate across all the groups and publish in the forums.
For Planning and Organising skills: Assign a task with a measurable target to be achieved
within a deadline. Divide the batch into groups. Share the steps involved in planning and
organising and ask them to perform the task in the given time, making sure all the steps for
planning and organising are done.
For Customer Centricity or focus: Check all previous exercises. Create a traceability
matrix for requirements vs. outcomes. Compare with the customer expectation (the faculty
is the customer, or an industry expert). Submit the expectation in a standard template.
For Problem solving: Discuss with peers, groups, faculties and SME/industry SPOCs.
Come up with a solution document/architecture for a use case.
For Analytical Ability and Critical thinking: Discuss with peers, groups, faculties and
SME/industry SPOCs. Come up with a plan document for various situations in business
use cases.
For Attention to detail: Check and review the work of peers and share with faculty
For Team Work: Define roles and responsibilities amongst the groups.
For Technical Skills: Check for publicly available data sets by exploration and research.
Review and download data.
Store data into databases using various methods like SQL/programming
languages/scripting etc. Find out anomalies and prepare a report. Recommend defining
roles to perform tasks. Groups must take different domains (data sets).
Fill in the following table based on your learning so far. You can share one example with
them to explain what is expected of them, if required.
SUMMARY
Data is unprocessed facts, or figures without any added interpretation, or analysis.
Information is data that has been interpreted, or analysed so as to give it some meaning. For
example, Asha’s salary is Rs. 10,000, which is 10% less than that of her peers.
Knowledge is the combination of information, experience and insight that is useful for
deciding a course of action. For example, if Asha develops her writing skills, her salary can
reach at par with her peers.
To be able to work in any organisation, an employee, irrespective of the role he/she has been
assigned, needs to know about the organisation he/she is working with and the Technical
knowledge
An Information Security Analyst usually has to deal with the following type of data and
information, to perform their job effectively:
Information about the current security systems, if any.
Computer hardware and software specifications
Information about the networking systems
Information about the latest security systems available in the market
Feedback of the users
Problems faced by the users
A policy is a statement of agreed intent that clearly sets out an organisation’s views with
respect to a particular matter.
A procedure/practice is a clear step-by-step method for implementing an organisation’s
policy, or responsibility.
Not only does an Information Security Analyst need to understand the organisation’s policies
and procedures for the type of data and information that he can use, but also the procedures
for how to use them.
The kind of data and information that an Information Security Analyst deals with is sensitive in
nature, so he/she needs to be aware of the company policy about whom to share it with.
Customer Relationship Management (CRM) is an approach to managing a company's
interaction with current and future customers. It often involves using technology to organize,
automate, and synchronize sales, marketing, customer service, and technical support.
A database is a collection of information that is organized so that it can easily be accessed,
managed, and updated. Microsoft Excel is an example of a very basic database.
An organisation has unlimited amounts of data. Therefore, an Information Security Analyst
needs to understand what their scope of work is.
Information Security Analyst should have knowledge about the various data access techniques
that are available in the market, and the company policy for the same.
The Information Security Analyst should always ensure that the data and information
provided by him/her meets the quality standards set by the organisation. The following are
some parameters to be taken care of:
Error-free; up-to-date; in the specified format; easy to retrieve; not altered during retrieval;
complete; consistent; timely availability; valid; relevant.
The commonly used tools for data analysis are MS Excel, SAS, SPSS and Minitab.
As an Information Security Analyst, not only do you have to ensure that you store data
properly, you need to identify the anomalies, and report them. For example, if you find that
data about your company’s plans is being accessed by some IP address outside your
organisation at odd hours, you should verify the information and report it to your seniors
immediately.
The criteria that would be used to evaluate the performance of an Information Security
Analyst with respect to their ability to manage data effectively could be as follows:
Coordinates with the appropriate people for data and information needs
Is reliable; gets data from reliable sources
Communicates with colleagues clearly, concisely and accurately.
Integrates work effectively with that of others.
Shares essential information on time.
Takes help from the appropriate people when there are any problems in the data
Follows the company rules while analysing data
Keeps a track of the needs of the organisation.
Honours commitments.
If for some reason, the analyst is unable to carry out their promises, he/she informs in
advance and suggests alternatives.
Maintains good relationships with colleagues.
Sorts out problems with them, if any.
Shows respect for others.
Follows the policies, procedures and culture of the organisation.
Keeps abreast with the technological developments.
Reports any unresolved anomalies in the data to the appropriate people.
Takes care of quality issues.
Student Handbook – Security Analyst SSC/N9005
SSC/ N 9005:
Develop knowledge, skills & competence
Description This unit is about taking action to ensure you have the knowledge and skills you
need to perform competently in your current job role and to take on new
responsibilities, where required.
Competence is defined as: the application of knowledge and skills to perform to
the standards required.
Scope This unit/task covers the following:
line manager
human resources specialists
learning and development specialists
peers
Job role:
THE UNITS
The module for this NOS is divided into 4 Units based on the learning objectives given below.
UNIT I
Importance of Self Development
Lesson Plan
1.1. Importance of Developing competence
1.2. Being Responsible for own Development
LESSON PLAN
There is probably no more important skill in life than learning to learn. This skill is especially important
for IT professionals, because the field of Information technology changes more rapidly than any other
field.
“Change is so fast and frequent that it is almost impossible to be a master of even one particular
framework or technology, let alone all the technology that a security analyst needs to know. This is
a feature of the new normal that a security analyst will live and work in. If one doesn’t keep pace
with the changes then he/she will get left behind.”
Thus, in the field of Information technology, if there is truly a skill that will propel one’s career, it is
learning how to teach yourself and quickly acquire the knowledge needed for the task at hand.
Self-development is therefore a continual process throughout one’s career.
Ask the students to list all the reasons they feel continual learning on the job is
important.
Have them research and see what professionals say about this.
Ask them to pose that question in Security Analyst Networking forums and bring the
responses they got. After the research, discuss in the class
Are there reasons for continuing to learn on the job once you start working? If
yes, make a list of reasons for it.
Discuss this with working professionals, especially people you look up to and
those who have achieved success and earned respect at work. Ask them what
their opinion is and what they have to learn in order to do well.
Ask a Security Analyst, if possible, what they have to learn on the job to
remain productive and to deliver high quality work.
What is Competence?
Competence can be defined as the application of knowledge and skills to perform to the standards
required. In other words, it is the ability of a person to do a job properly. You can explain this to the
students with the help of the following diagram.
Types of Competencies
Competencies can be broadly classified into two categories:
Behavioural Competencies- These refer to the soft skills that affect a person’s performance. For
example, customer focus is a very popular behavioural competency expected of an Information
Security Analyst. He is expected to keep the needs of his customers in mind and ensure their
satisfaction.
Technical Competencies- These refer to technical skills that help a person complete his job. For
example, project management is a very popular technical competency expected of an Information
Security Analyst.
Share this with others. Now discuss what all do you need to learn in order to
achieve the above. Reflect on the importance of learning and the multiple
things that one has to learn in order to achieve success.
In a challenging business environment change is a fact of life. These new challenges, and rapid
changes, require new skills, knowledge and attitudes, that is why personal development is so
important. Most organisations recognize this and encourage their employees to continuously develop
themselves by providing various opportunities for learning as well as time out from work to avail of
the same. However, whether the organisation provides an encouraging atmosphere or not, one’s own
personal development, growth, and continuing learning is not the organisation’s responsibility; it is
one’s own responsibility.
To learn and perform at the highest level, to obtain greater mastery, one has to own the responsibility
for self-development.
The organisation may well have the best interests of its employees at heart. But even if it cares
deeply about its employees and provides them with training and educational opportunities, that isn’t
at all the same as the employees taking responsibility for their own growth.
Personal performance depends on you and your motivation to succeed; no one can make it happen
for you, but you.
It’s about:
Self-awareness
Setting objectives
Gaining support
Most importantly, continually reviewing how you are performing.
You need to understand the importance of taking responsibility for your own learning and
development. For example, your manager may not have the time to ascertain areas where you may
need training. However, if you yourself take up this assessment and go up to him, he may consider
your request. In other words, you identified some sample/ potential problems and worked on their
solutions proactively.
After you join work, who will be responsible for your learning?
What will happen if you get so involved in work that you are unable to learn further?
What if the organization you join provides no opportunities for learning?
What could be the obstacles that could hamper your learning and development, and
how to handle these?
828
Student Handbook – Security Analyst SSC/N9005
UNIT II: Knowledge and Skills Required for the Job
Lesson Plan
Lesson 2.1. Knowledge and Skills Required for the Job
Summary
Check your understanding
LESSON PLAN
Knowledge and skills (KB1 to KB2):
o KB1. the knowledge and skills required in your job role
o KB2. your current learning and development needs in relation to your job role
Assessment: Quiz and descriptive exam. Group and Faculty evaluation. Document review.
Resources: Standard Environment PLUS Access to online forums.
You can explain to the students that to be able to work in any organisation, an employee, irrespective
of the role he or she has been assigned, needs to know about the organisation he or she is working for.
This includes knowledge about the company's policies, procedures, structure and culture, one's own
role and responsibilities, an overview of other departments, the information needs of other
departments, key contact points, etc.
Technical Knowledge
Technical knowledge helps a person understand a field of work. This section would be the easiest to
explain to the students, as it would be obvious to them that to perform any task they would need the
technical know-how for it. If an Information Security Analyst does not know what a gateway, a
multiplexer or a hub is, or how they function, how can he be expected to install them?
One also has to plan for foreseen and unforeseen events or occurrences that may impact the work,
and factor these into timelines, costs, material and human resource requirements, etc. These may
include things causing distractions, time delays, wastage, change of environmental conditions and
assumptions, resource availability, etc.
A skill is the ability to use information, or knowledge acquired through education or experience, to
accomplish a given task.
Human Skills- The ability to work with people.
Conceptual Skills- The ability to work with ideas, or concepts.
Core/ Generic Skills- These are generic in nature and common to most white-collar jobs, like
reading, writing, listening and speaking.
As an Information Security Analyst, you should be able to communicate well with colleagues in
writing. For example, making plans for the department for upgrading the security systems requires
writing skills.
You should also be able to read instructions, guidelines and procedures laid down by your
organisation. For example, each organisation has certain guidelines for data security. As an
Information Security Analyst, you should be aware of those. Only then can you install the
appropriate security systems.
Other than reading and writing, an Information Security Analyst should also have oral skills like
listening and speaking. For example, when talking to your line manager, you need to listen to the
instructions carefully. If at any stage, you do not understand the instructions, you should be able
to speak well and ask for clarifications.
Professional Skills- These skills make a person more employable by giving the person the ability to
make logical decisions and the ability to solve problems judiciously. Some examples of professional
skills are decision making, planning and organising, customer centricity, problem solving, critical
thinking, attention to detail, and team work. During the course of any career, one needs to be adept
at professional skills like problem solving, critical thinking, logical reasoning, etc. This is equally true
for an Information Security Analyst.
Decision Making- Many times, as an Information Security Analyst, you would need to take
decisions, and you should have the skills to be able to take the appropriate decisions. Also, you
should follow the company rules for the same. For example, what security systems to install? How
to test them?
Planning and Organising- These are basic skill sets of any role. To be able to accomplish any task,
one needs to first plan and then organise the sub-tasks. For example, making a Project Plan for
upgrading the data security systems.
Customer Centricity or Focus- The term 'customer' refers to not only external but also internal
customers, i.e., colleagues. As an Information Security Analyst, you will need to work with colleagues
from across the organisation, as has been explained in the chapter on how to work effectively with
colleagues. When designing and installing the security systems, you will have to make sure that
they meet the requirements of your colleagues. In other words, their needs have to be considered
paramount. Not only should you strive to meet customer requirements, you should try and exceed
them.
Problem Solving- You would have to face many challenges as an Information Security Analyst. You
will have to develop problem solving skills to be able to handle them. For example, if you have
developed a system that does not permit employees to access data on Sundays, and if you notice
certain anomalies, it would be your responsibility to bring this to the notice of your line manager.
Analytical Thinking- Another skill-set associated with an Information Security Analyst is an
analytical bent of mind. You will have to analyse data across the organisation and also monitor the
activities of all, before coming up with a data security plan. You will have to ensure that the
relevant information reaches the concerned people on time.
Critical Thinking- This skill may be required by an Information Security Analyst time and again, as
you may have to apply your judgement in a balanced manner in various situations. For example,
you may suggest a particular data security template, but the senior management may not agree
due to its being too complex. Thus, you may have to apply your judgement to come up with a plan
that keeps user friendliness in mind while not compromising on security.
Attention to Detail- Quality is a key criterion for any job and that of an Information Security
Analyst is no different. One aspect of it is to pay attention to detail. For example, data usage policy
of an organisation may be different for the senior management as compared to that of the others.
The Information Security Analyst would need to be aware of this while designing policies. Also,
you need to ensure that the data is error-free and complete. You can also take help from
colleagues, if required.
Team Work- No job can be completed without interacting with others, within and outside the
organisation. Thus the ability to work with others as a team is a key requirement. For example,
to be able to test database systems, an Information Security Analyst would need to coordinate
with members of other teams. Hence, being able to work effectively in a team environment is a
must-have skill-set.
Technical Skills- The ability to do a specific type of activity or work. Just like technical knowledge,
technical skills too are equally important for any Information Security Analyst to perform his job. For
example, the ability to use information technology efficiently; being up-to-date with changes,
procedures and practices in your role; and agreeing to objectives and work requirements.
UNIT III: Avenues for Self-Development
Lesson Plan
3.1. Formal Avenues of Self Development in an organisation
3.2. Different types of learning styles and methods
LESSON PLAN
Develop Your Own Pet Projects: If there is some technology that you really want to learn and if
you do not have the opportunity to apply this technology at work, then you should invent your
own project to use it and develop this project during your free time.
Learn from Online Courses: Today there is a great diversity of free online courses. Sites such as
Coursera, Udacity and edX offer many interesting courses organized by known professors of some
of the best Universities in the world. These courses are completely free, and besides material such
as videos and slides they may include real homework and assignments.
Go to Technical Meetings: Programmers like to meet to discuss new technologies and share their
experiences. You can search for meetings in sites such as Meetup and Eventbrite.
Participate in Online Forums: Online Forums are a great way to communicate with other
professionals that may be located very far from you, but even so they share exactly the same
interests.
Read Technical Blogs: Follow software development gurus on Twitter, as well as enthusiastic
programmers who like to share their favourite posts.
See Presentation Slides: If you want to get some initial idea about a technology or platform, and
if you do not have much time to invest in it, then finding introductory slides is an easy and fast
solution. Sites such as SlideShare have a huge quantity of such professional slides.
Watch Videos: It is easy to find videos on YouTube or Vimeo on most popular subjects. These may
be recorded lectures in Universities, presentations in conferences or talks in group meetings. For
example, TED talks are known for their ability to provide inspiration and make watchers think.
Use Question-and-Answer Communities: If you have a technical problem, then it’s very probable
that someone before you already had the same problem. Thus, you should try Q&A Communities
such as StackOverflow to search for a solution. If you cannot find an existing question that fits
your needs, you can always ask a new question yourself.
List the different modes and avenues of learning you have used during this course.
For the list of various learning needs identified in the previous section, which are the
avenues you can use to further your learning in those areas? Be realistic and explore
what avenues are available.
The common characteristics of each learning style listed below can help you understand how you learn
and what methods of learning best fit you. Understanding how you learn can help maximize the time you
spend studying by incorporating different techniques to custom-fit various subjects, concepts, and
learning objectives. Each preferred learning style has methods that fit the different ways an individual
may learn best.
Visual Learners
Clues:
o Needs to see it to know it.
o Strong sense of color.
o May have artistic ability.
o Difficulty with spoken directions.
o Overreaction to sounds.
o Trouble following lectures.
o Misinterpretation of words.
Learning methods:
o Use graphics to reinforce learning - films, slides, illustrations, diagrams.
o Color coding to organize notes and possessions.
o Write out directions.
o Use flow charts / diagrams for note taking.
o Visualizing spelling of words or facts to be memorized.
Auditory Learners
Clues:
o Prefers to get information by listening and needs to hear it to know it.
o Difficulty following written directions.
o Difficulty with reading.
o Problems with writing.
o Inability to read body language and facial expressions.
Learning methods:
o Use tapes for reading and for class and lecture notes.
o Learn by interviewing/participating in discussions.
o Have test questions or directions read aloud or put on tape.
Kinesthetic Learners
Clues:
o Prefers hands-on learning.
o Can assemble parts without reading directions.
o Difficulty sitting still.
o Learns better when physical activity is involved.
o May be very well coordinated and have athletic ability.
Learning methods:
o Experimental learning (making models, doing lab work, and role playing).
o Frequent breaks in study periods.
o Trace letters and words to learn spelling and remember facts.
o Use computer to reinforce learning through sense of touch.
o Memorize or drill while walking or exercising.
o Express abilities through dance, drama, or gymnastics.
The most used and researched models were developed by Kolb (1984) and Honey and Mumford
(1986). As per Honey and Mumford (1986), learners display the following learning styles:
What are your own learning style preferences? Reflect, experiment and collect evidence for them,
share it with others in your class, and see if they agree. Also share the methodology used to
arrive at your preferences.
UNIT IV: Planning for Self-Development
Lesson Plan
4.1. Planning for Self-Development
LESSON PLAN
Knowledge (KA5 to KA7, KB3):
o KA5. how to produce a plan to address your learning and development needs, who to agree it with and the importance of undertaking the planned activities
o KA6. different types of support available to help you plan and undertake learning and development activities and how to access these
o KA7. why it is important to maintain records of your learning and development
o KB3. different types of learning styles and methods including those that help you learn best
Assessment: QA session and a descriptive write-up on understanding. Group presentation and peer evaluation along with Faculty. Performance evaluation from Faculty and Industry with reward points.
Resources: Online access for research work.
o Communication
o Customer focus
o Adaptability
o Decision making
o Fiscal management
o Global perspective
o Innovation
o Interpersonal skills
o Leadership
o Establishing objectives
o Risk management
o Persuasion and influence
o Teamwork
o Problem solving
o Project management
o Results orientation
o Technology
o Self-management
Performance Appraisals - One technique of identifying the training needs of employees is through
performance appraisals. Managers are interviewed and performance data is analysed. Some
commonly used sources of performance data are:
o Absenteeism
o Performance appraisals
o Turnover
o Quality parameters
o Losses
o Accidents
o Safety incidents
o Grievances
o Returns
o Customer complaints
6) Understand the different types of learning and development activities available for your role and
the process of availing of them. The following are some commonly used techniques in organisations:
o Instructor-led training
o Blackboard, or whiteboard
o Overhead projector
o Videos
o PowerPoint presentation
o Storytelling
o Interactive methods
o Quizzes
o Group discussions
o Case studies
o Q&A sessions
o Role playing
o Hands-on training
o Coaching
o Mentorship
o Apprenticeship
o Demonstrations
o Computer Based Training
o CD-ROM
o Multimedia
o Virtual reality
o E-Learning
o Web-based training
o Webinars
o Video conferencing
o Blended learning- A combination of two, or more of the techniques given above.
7) Making a plan- Like any activity, this too requires planning. The following are some major
steps:
o Identify the people who would help you make the plan, and those who would approve it- for
example, your managers
o Understand what is at stake- for example, who would take care of your job in your absence
o Study the different types of tools available
o Study the documentation required and understand why it is important- for example,
would you need to make a report on what you have learnt, after the training? Can this
report be of help to your peers, who can probably learn from it?
o Identify whom to take feedback from and how to follow-up on it- for example, would your
managers review the changes in your work processes after the training? Also, you would
need to understand the various methods of obtaining feedback, and how to use it. Some
commonly used methods are:
Surveys
Feedback boxes
Face-to-face interaction
Peer assessment
8) Understand how and what future avenues would open up post the training. For example, if you
undergo social media training, you can add that as an additional skill-set in your resume that would
give you an edge over your peers.
9) Implement the plan, apply your new knowledge and skills in the workplace and take feedback. For
example, if you have taken training about a new data security system, you can make a proposal
to get it installed; after installation, you can use it and demonstrate the benefits to your peers and
managers.
10) You need to make sure that you make this a continuous process.
Apply the above 10 steps to yourself and, on the basis of this, create a self-development plan
for yourself. Research each of the ten steps further on your own.
SUMMARY
Change is so fast and frequent that it is almost impossible to be a master of even one particular
framework or technology, let alone all the technology that a security analyst needs to know.
This is a feature of the new normal that a security analyst will live and work in. If one doesn't
keep pace with the changes, he/she will get left behind.
The benefits of continual learning and self-development are as follows:
o It helps to stay relevant and up to date with the changing trends and directions in one's
profession.
o It helps in becoming more effective in the workplace.
o It builds a knowledge base that helps identify different types of problems and generate
solutions.
o It assists in advancing one's career and moving into new positions.
o It can deliver a deeper understanding of what it means to be a professional, along with a
greater appreciation of the implications and impacts of your work.
o It leads to increased self-confidence.
o It helps to stay interested and interesting by stimulating the mind to stay inspired and
excited.
o It opens you up to new possibilities, new knowledge and new skill areas.
Competence can be defined as the application of knowledge and skills to perform to the
standards required. In other words, it is the ability of a person to do a job properly.
Competencies can be broadly classified into two categories - Behavioural Competencies and
Technical Competencies.
You need to understand the importance of taking responsibility for your own learning and
development.
One also has to plan for foreseen and unforeseen events or occurrences that may impact the
work and factor these into timelines, costs, material and human resource requirements, etc.
These may include things causing distractions, time delays, wastage, change of environmental
conditions and assumptions, resource availability, etc.
A skill is the ability to use information, or knowledge acquired through education or
experience, to accomplish a given task. Skills are classified as Human Skills, Conceptual Skills
and Core/ Generic Skills.
Knowledge, skills and attitudes can be developed through a range of methodologies - education or
professional qualifications, training by employers, on-the-job experience, informal learning
from peers, seniors and others, self-study and practice.
The knowledge and skills required for a job change over time, and therefore a professional needs
to ensure his or her employability over a working life, and needs to keep learning. High
achievers in any field and people who are recognised for their professionalism work very hard
to keep abreast of developments in their field and are life-long learners.
Life-long learning is very important for developing a successful and sustainable career.
Some more Avenues for Learning:
o Develop Your Own Pet Projects
o Learn from Online Courses
o Go to Technical Meetings
o Participate in Online Forums
o Read Technical Blogs
o See Presentation Slides
o Watch Videos
o Use Question-and-Answer Communities
Everyone processes and learns new information in different ways. There are three main
cognitive learning styles: visual, auditory, and kinesthetic.
Each organization has a set of guidelines for developing the skill-sets of its employees. Given
the nature of the job of an Information Security Analyst, it is important for him to keep
himself abreast with the latest technological developments.
2. List 3 methods used by the organization to review skills and knowledge, and how to use these
methods to review your knowledge and skills against your job role.
3. List 7 different types of learning and development activities available for your job role and how to
access these.
4. State the different types of learning styles and methods, including those that help you learn best.
5. Why should you take responsibility for your own learning and development?
Annexures
{CLIENT ORGANIZATION}
Security Assessment Report
{YOUR ORGANIZATION}
{YOUR MAILING ADDRESS}
EXECUTIVE SUMMARY
  Top-Ten List
    1. Information Security Policy
    2. {Security Issue #2}
    3. {Security Issue #3}
    4. {Security Issue #4}
    5. {Security Issue #5}
    6. {Security Issue #6}
    7. {Security Issue #7}
    8. {Security Issue #8}
    9. {Security Issue #9}
    10. {Security Issue #10}
INTRODUCTION
  Scope
    Project Scope
      In Scope
      Out of Scope
BACKGROUND INFORMATION
  {CLIENT ORGANIZATION}
ASSET IDENTIFICATION
THREAT ASSESSMENT
  Vulnerabilities
    The {CLIENT ORGANIZATION} has no information security policy
    {State the Vulnerability}
PERSONNEL
  Management
  Operations
  Development
  Vulnerabilities
    There is no information security officer
    {State the Vulnerability}
NETWORK SECURITY
  Vulnerabilities
    The {CLIENT ORGANIZATION} systems are not protected by a network firewall
    {State the Vulnerability}
SYSTEM SECURITY
  Vulnerabilities
    Users can install unsafe software
    {State the Vulnerability}
APPLICATION SECURITY
  Vulnerabilities
    Sensitive information within the database is not encrypted
    {State the Vulnerability}
OPERATIONAL SECURITY
  Vulnerabilities
    There is no standard for security management
    {State the Vulnerability}
PHYSICAL SECURITY
  Vulnerabilities
    Building Vulnerabilities
      Several key doors within the building are unlocked or can be forced open
      {State the Vulnerability}
    Security Perimeter Vulnerabilities
      There is no entryway access control system
      {State the Vulnerability}
    Server Area Vulnerabilities
      The backup media are not protected from fire, theft, or damage
      {State the Vulnerability}
SUMMARY
  Action Plan
REFERENCES
Executive Summary
Briefly describe the activities of the assessment.
Talk about the importance of information security at the client organization.
Discuss security efforts that the organization has undertaken.
Highlight three major security issues discovered that could significantly impact the operations of
the organization.
Top-Ten List
A top-ten list is used to highlight the ten most urgent issues discovered during an assessment.
Clients unfamiliar with security may be overwhelmed by a long list of problems. Putting the
major issues together may allow the client to easily focus efforts on these problems first.
The list below contains the “top ten” findings, weaknesses, or vulnerabilities discovered during
the site security assessment. Some of the issues listed here are coalesced from more than one
section of the assessment report findings. Additional information about each is provided
elsewhere in the report.
It is recommended that these be evaluated and addressed as soon as possible. These should be
considered significant and may impact the operations of the {CLIENT ORGANIZATION}.
Introduction
Provide an overview of the report.
Scope
The scope is the boundaries of the project. It is used to describe the on-site activities.
Project Scope
In Scope
The following activities are within the scope of this project:
o Interviews with key staff members in charge of policy, administration, day-to-day operations,
system administration, network management, and facilities management.
o A Visual Walk Through of the facilities with administrative and facilities personnel to assess
physical security.
o A series of Network Scans to enumerate addressable devices and to assess each system's
available network services. (These Scans will be conducted from within each center's network
and from the outside.)
o A configuration and security assessment of at most ten key systems at each center.
Out of Scope
The following activities are NOT part of this security assessment:
o Penetration Testing of systems, networks, buildings, laboratories or facilities.
o Social Engineering to acquire sensitive information from staff members.
o Testing Disaster Recovery Plans, Business Continuity Plans, or Emergency Response Plans.
First Day
Second Day
Third Day
Background Information
Use this section to talk about any relevant background information.
{CLIENT ORGANIZATION}
Describe the client organization.
Asset Identification
Describe the process of asset identification.
Tangible Assets
{List tangible assets.}
Intangible Assets
{List intangible assets.}
Each item on these lists also has value associated with it. Each item’s relative value changes over
time. In order to determine the current value, it is often best to think in terms of recovery costs.
What would it cost to restore or replace this asset in terms of time, effort, and money?
Threat Assessment
Describe the process of threat assessment.
Natural Threats
{List Natural Threats.}
Intentional Threats
{List Intentional Threats.}
Unintentional Threats
{List Unintentional Threats.}
Vulnerabilities
Listed below are the vulnerabilities discovered during the assessment relating to law, regulation,
and policy. These are considered significant and steps should be taken to address them.
Personnel
Describe the personnel at the client organization. Organize them into related groups.
In this example, we have Management, Operations, and Development.
Management
Describe the management group.
Operations
Describe the operations team.
Development
Describe the development team.
Vulnerabilities
Listed below are the staff vulnerabilities discovered during the interviews with the {CLIENT
ORGANIZATION} staff. These are considered significant and steps should be taken to address
them.
Risk
There are several risks in not addressing {this vulnerability}.
{Provide a list of risks.}
Recommendations
{Provide a list of recommendations}.
Network Security
Describe the state of network security at the client organization.
List public network resources and sites.
List partner connections and extranets.
Vulnerabilities
Listed below are the network security vulnerabilities discovered during the assessment. These are
considered significant and steps should be taken to address them.
System Security
Describe the state of system security at the client organization.
Vulnerabilities
Listed below are the system security vulnerabilities discovered during the assessment. These are
considered significant and steps should be taken to address them.
Application Security
Describe the state of application security at the client organization.
Vulnerabilities
Listed below are the application security vulnerabilities discovered during the assessment. These
are considered significant and steps should be taken to address them.
Recommendations
{Provide a list of recommendations}.
Operational Security
Describe the state of operational security at the client organization.
Vulnerabilities
Listed below are the operational security vulnerabilities discovered during the assessment. These
are considered significant and steps should be taken to address them.
Physical Security
Describe the state of physical security at the client organization.
Specifically, list the building, security perimeter, and server room vulnerabilities.
Vulnerabilities
Listed below are the physical security vulnerabilities discovered during the assessment. These are
considered significant and steps should be taken to address them. The list is divided into a list of
vulnerabilities that relate to the building, the security perimeter, and the server rooms. The
building group contains vulnerabilities within the {CLIENT ORGANIZATION} office. The
security perimeter group includes the exterior office windows, doors, alarm system, and the
surrounding area. The server room group is specific to rooms containing server equipment.
Building Vulnerabilities
Several key doors within the building are unlocked or can be forced open
Explanation
There are several important doors in the interior {CLIENT ORGANIZATION} office
area that are normally unlocked or can be forced open even when locked. The door to the
utility room is a hollow core wooden door with no lock. The utility room contains the
wiring panel for the telephones, a junction for the fiber optic cable, and the alarm system
box. The room containing the modem pool is normally open and unlocked. The system
administrator’s office containing the office file and web server is usually unlocked and
open.
Risk
These doors protect valuable assets of the {CLIENT ORGANIZATION}. A determined
attacker, thief, or disgruntled employee could get through these important doors with
minimal effort to steal and/or destroy.
Recommendations
Replace current doors with stronger fire doors.
Replace existing door hardware with high security locks.
Weld exterior hinge pins in place.
The backup media are not protected from fire, theft, or damage
Explanation
The backup media are stored near the backup system on an open shelf in the server area.
The media could be stolen, misplaced, accidentally erased, dropped, or destroyed in a
fire. If a system or data must be recovered, the media may not be available or functional
when needed.
Risk
The operation of the {CLIENT ORGANIZATION} can be impacted if the backup media
are not available due to theft, damage, or fire.
Confidential and Proprietary Information: Need to Know
Recommendations
Purchase and install a lockable, fireproof media safe. Secure it to the floor and/or
wall.
Summary
Summarize the report findings.
Action Plan
Provide an action plan that lists steps to be taken to improve security at the client organization.
Stages of an attack
A number of attack models describe the stages of a cyber attack (the Cyber Kill Chain® produced by
Lockheed Martin is a popular example). We have adopted a simplified model in this paper that
describes the four main stages present in most cyber attacks:
Survey - investigating and analysing available information about the target in order to identify
potential vulnerabilities
Delivery - getting to the point in a system where a vulnerability can be exploited
Breach - exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access
Affect - carrying out activities within a system that achieve the attacker’s goal
It has become a well-cited truism that these increasing threats do not stop at state borders.
On the other hand, international co-operation in fighting against cyber-attacks and
cyber incidents appears to be in its infancy, compared to law enforcement efforts against
physical crime.
Frequently, both the actual perception of an IT or cyber incident and the initial response to it
take place at a national level, either by private stakeholders or by state authorities. Hence,
the editors of this study consider it worthwhile to share with our readers reflections and
lessons learned from three cases from the Netherlands, Germany, and Sweden, which were
dealt with mainly, but not exclusively, within these countries. The cyber incidents
described differ in scope, in the damage caused, and in many other aspects, but they
have in common that their impact on society was considerable, even though, on a
technical level, these incidents were not very complex. Also, as a consequence of
networks, these incidents escalated quickly, which put great emphasis on incident
response. In two of the cases, the identities of the (possible) attackers have not as yet
been revealed (in the Tieto case there was no attack).
Hence, one lesson to be learned, as it were a priori, is that coping with cyber-attacks and
cyber incidents always involves some degree of uncertainty. The publication of this case
study, therefore, aims at providing transparency of past events as a starting point for
preventive measures against future cyber threats. The report is a joint effort of three
authorities: the National Cyber Security Centre (NCSC) in the Netherlands, the Bundesamt
für Sicherheit in der Informationstechnik (BSI) in Germany, and the Swedish Civil
Contingencies Agency (Myndigheten för samhällsskydd och beredskap, MSB).
Wilma van Dijk, Director Cyber Security, Ministry of Security and Justice.
Andreas Könen, Vice-President, Federal Office for Information Security.
Nils Svartz, Deputy Director-General, Swedish Civil Contingencies Agency.
All three cases share certain characteristics. They all focus on the vital infrastructure
of their country. They all affected not just one, but a whole network of organisations
in their country. In each case, trust was lacking or was lowered after the incident. The
Swedish case stands out because it focuses on non-intentional disturbance of vital
infrastructure. The German case is about a deliberate attack to deny the availability of a
telecommunications provider and the consequences of such an attack. The Dutch case,
the hack of DigiNotar, was a deliberate act, but it probably was not the ultimate goal of
the attacker to hack into DigiNotar. The attacker used forged certificates from DigiNotar
to eavesdrop on other citizens in different countries.
It is hard to reach an effective level of trust in the digital domain. By moving so many
aspects of our lives to the digital realm, we automatically become potential victims of
extensive data breaches at digital service providers. Assurance reports, Service Level
Agreements and legal action can only do so much to reflect what is required from a digital
service provider: that they perform at a level which deserves the trust their clients place in
them.
We hope you will find benefit in reading this international publication which is the joint
effort of the national CERTs of the participating countries. Let it be a reminder of known
risks, and the medium for a message: that trust in the digital domain is not only hard to
come by, but also crucial to its success.
In these examples, the security breach at a provider was a first step in successfully
attacking targets which depended on this provider for their security.
The important role which DigiNotar fulfils in the Netherlands is threefold. First, DigiNotar
is one of the security certificate providers for the Dutch government. Second, DigiNotar
is an issuer of certificates for the Dutch national PKI (PKIoverheid). Third, DigiNotar
Response
When DigiNotar initially noticed the break-in into their systems, they decided to keep
it a secret from the general public and the authorities. In the Netherlands, there was no
explicit legal provision which required them to report such an incident. However, judging
from the consequences of keeping this incident secret, this course of action was probably
not in the public's best interest.
Once GovCERT1 had been notified, they were in charge of handling the incident. When it
became clear, a week later, that PKIoverheid certificates could also not be trusted, a full
crisis management plan was initiated. The Dutch crisis management structure (‘national
crisis structure’) was activated in accordance with existing procedures. The IRB (ICT
Response Board)2 is an advisor to the crisis organisation in case of a crisis involving an
IT component. The IRB convened twice, which helped to gain a quick insight into the
impact of revoking trust in DigiNotar certificates. Many parties cooperated in the crisis
management. Some examples are the Dutch national police, public prosecutor, ministry
of the interior, ministry of security and justice and IT security company Fox-IT.
1 Since January 2012 GovCERT has been included within the National Cyber Security Centre (NCSC).
2 The IRB is a private-public advisory board, which advises the national crisis structure about the situation and
29 August
Mozilla also discovers attack. GovCERT, the Dutch national computer emergency response
team, is notified of the attack by CERT-BUND, their German equivalent. DigiNotar publicly
admits having been hacked.
1 September
Dutch governmental organisation Logius circulates an email message in which it asks other
government bodies what the impact would be of revoking DigiNotar certificates.
3 September
Dutch government officially renounces DigiNotar as a trustworthy certificate provider.
6 September
At the explicit request of the Dutch government, Microsoft decides to postpone – only in
the Netherlands – the update which will remove all support for DigiNotar certificates.
14 September
Dutch telecommunications authority OPTA announces that it revokes the licence of DigiNotar
to issue certificates for qualified signatures. 300 Dutch government websites still use
DigiNotar certificates to encrypt communications.
Final remarks
After the DigiNotar crisis, two measures were proposed:
• A legal obligation to notify a central authority of any significant data leaks or break-
ins within an organisation. For providers of qualified certificates, such an obligation
has since been introduced. In the case of DigiNotar, this would have led to an earlier
awareness and understanding of the extent of the problems.
• The creation of a department of digital firefighters, which could act on behalf of
the Dutch government in order to resolve a cybersecurity incident or crisis. Many
proposed formats for this closely matched the role which GovCERT already had within
the government. A discussion point within this concept was whether the government
should have the power to take over IT operations and exercise it in case of a cyber crisis
in order to protect the public interest.
Six days after the OPTA revoked DigiNotar’s licence to issue qualified certificates, the
company went bankrupt. Most of its property was auctioned off, but the hardware used to
protect the private keys of the revoked certificates is still kept locked away. The original
expiry date of the root certificates has not yet passed, which means it is possible some
software still accepts certificates issued by DigiNotar. After this expiry date, the DigiNotar
incident will be over.
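The point just made, that software keeps accepting a compromised CA's certificates until the root is removed from its trust store rather than until the root expires, reproduced on localhost as an added example that is not from the NCSC/BSI/MSB report. A TLS server presents a certificate for a name it does not own, issued by a throwaway CA that stands in for a compromised one; a client whose trust store still holds that CA's root accepts the connection (the eavesdropping scenario), a client that has dropped the root refuses it. Certificates are generated with the openssl command-line tool, which the example assumes is installed; all names, file names and function names are invented and no real DigiNotar material is involved.

```python
"""Added example, not from the case study: impostor TLS server versus two client trust
stores, before and after the compromised root is distrusted. Uses openssl(1) for
certificate generation and Python's ssl module for the handshake."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def sh(*args):
    subprocess.run(args, check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_pki(workdir: str) -> dict:
    """Create a 'compromised' root, an unrelated root, and a leaf for login.example.test."""
    def p(name):
        return os.path.join(workdir, name)
    sh("openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "3650",
       "-keyout", p("bad_root.key"), "-out", p("bad_root.crt"),
       "-subj", "/CN=Example Compromised Root CA")
    sh("openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "3650",
       "-keyout", p("ok_root.key"), "-out", p("ok_root.crt"),
       "-subj", "/CN=Example Unrelated Root CA")
    sh("openssl", "req", "-newkey", "rsa:2048", "-nodes",
       "-keyout", p("leaf.key"), "-out", p("leaf.csr"), "-subj", "/CN=login.example.test")
    # Modern clients match the hostname against subjectAltName, so the forged leaf needs one.
    with open(p("leaf.ext"), "w") as f:
        f.write("subjectAltName=DNS:login.example.test\n")
    sh("openssl", "x509", "-req", "-in", p("leaf.csr"), "-CA", p("bad_root.crt"),
       "-CAkey", p("bad_root.key"), "-CAcreateserial", "-days", "365",
       "-extfile", p("leaf.ext"), "-out", p("leaf.crt"))
    # Client trust stores: before distrust (both roots) and after (compromised root removed).
    with open(p("store_before.pem"), "w") as f:
        f.write(open(p("ok_root.crt")).read() + open(p("bad_root.crt")).read())
    with open(p("store_after.pem"), "w") as f:
        f.write(open(p("ok_root.crt")).read())
    return {k: p(k) for k in ("leaf.crt", "leaf.key", "store_before.pem", "store_after.pem")}


def start_impostor_server(certfile: str, keyfile: str) -> int:
    """TLS server presenting the forged certificate; returns its port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    raw.bind(("127.0.0.1", 0))
    raw.listen(5)

    def serve():
        while True:
            try:
                conn, _ = raw.accept()
            except OSError:
                return
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(b"intercepted\n")
            except (ssl.SSLError, OSError):
                pass          # the client refused the certificate
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return raw.getsockname()[1]


def client_accepts(port: int, cafile: str) -> bool:
    """Connect to 'login.example.test' using only `cafile` as trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
            with ctx.wrap_socket(s, server_hostname="login.example.test") as tls:
                return tls.recv(64) == b"intercepted\n"
    except ssl.SSLCertVerificationError:
        return False


def demo() -> tuple:
    """Returns (accepted_before_distrust, accepted_after_distrust)."""
    files = make_pki(tempfile.mkdtemp())
    port = start_impostor_server(files["leaf.crt"], files["leaf.key"])
    return (client_accepts(port, files["store_before.pem"]),
            client_accepts(port, files["store_after.pem"]))


if __name__ == "__main__":
    before, after = demo()
    print("store still holding compromised root:", "connection accepted" if before else "rejected")
    print("store after distrust:", "connection accepted" if after else "rejected")
```

Nothing about the forged leaf changes between the two runs; only the client's trust store does. That is why the practical check after a CA compromise is an inventory of trust stores (operating systems, browsers, language runtimes, appliances) for the affected root's fingerprint, not a wait for its expiry date.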
The DigiNotar case has been evaluated extensively within all levels of the Dutch
government. Some important conclusions can be made:
• Apparently, the certificate authority/PKI system is part of the critical infrastructure of a
country. The DigiNotar case motivates one to re-evaluate whether his or her perception
of what constitutes the ‘critical infrastructure’ of a country is both correct and
complete. Also, in what way does any compromise involving such trust providers have a
significant impact on the physical world?
• In cybersecurity, the effectiveness of the measures taken by a provider greatly affect the
security stance of its clients. On the other hand, the insight and influence clients have
over the security measures taken by their provider is very limited. This means that there
will always be a residual risk associated with cooperating with providers of any kind.
DDoS attacks are very common on the internet. BSI is aware of about 1,800 DDoS attacks
in Germany during the first half of 2013. It means that on average at least ten DDoS
attacks are carried out daily. The real figure is probably much higher. Worldwide, several
companies report that they observe thousands of DDoS attacks per day. On average,
an attack lasts less than one hour. But in some cases it can last for several days or even
months.
Statistics show that the main targets of DoS attacks are governments, banks, and
e-commerce companies. Often adversaries attack a victim’s web-server to disrupt its
internet presence. But in some cases, other services, such as the Domain Name System4
(DNS), are targeted as well.
There are different motivations for DoS attacks, e.g. political and ideological motives,
competition, extortion. Adversaries can be government agencies, state-sponsored or
patriotic hackers, hacktivists, or criminals. Some examples for adversaries and their DDoS
attacks in the recent past are:
4 The DNS is a distributed system for computers, services, or any resource connected to the Internet or a private
network. It associates a variety of information with domain names assigned to each of the participating entities.
Most prominently, it translates easily memorised domain names to the numerical IP addresses needed for the
purpose of locating computer services and devices worldwide. An oft-used analogy to explain the Domain Name
System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames
into IP addresses. For more information, see e.g. http://en.wikipedia.org/wiki/Dns
DoS attacks lead to direct and indirect costs for the victim. They cause costs for DDoS
mitigation, direct revenue losses for e-commerce companies, reputational and brand
damage, and customer turnover. Studies and surveys suggest that an hour of DDoS attack
can cost a victim tens of thousands of euros. Attacks against critical infrastructure of a
state can even disrupt its supply of essential goods and services to its population.
[Figure: DNS reflection/amplification attack. The attacker (IP x.x.x.x) sends small DNS
queries to open DNS servers (y.y.y.y) with the source address spoofed to the victim's
address (z.z.z.z); each server sends its much larger response ("From: y.y.y.y, To: z.z.z.z,
Message: Requested Information: ...") to the victim instead of the attacker.]
The motivation for the attack is unclear. The attacker made no demands to Deutsche
Telekom. No information claiming responsibility for the attack was published. A possible
explanation could be a “proof of concept” or test by which the attackers try out their
capabilities, infrastructure and tools to carry out that kind of attack.
Response
Abuse messages sent to the web hosting provider to stop the attack were unsuccessful.
After a short delay the ISP was able to mitigate the attack by redirecting the malicious
traffic (see Timeline of events, above). The mitigation was possible, since the ISP
possessed the necessary equipment and skills to monitor and mitigate such attacks and
its network capacity was high enough not to collapse under the heavy traffic.
CERT-Bund was informed by Deutsche Telekom about the attack and helped it with the
analysis. While the attack against a provider’s infrastructure which provides services to
the broad population was new, the attack method itself was already known. Since benign
DNS queries need to be answered only once, repeated DNS queries were blocked by the
mitigation systems of Deutsche Telekom.
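The mitigation described in the paragraph above (benign resolvers need an answer only once, so repeated identical queries can be refused) in code, as an added example that is not from the BSI case study: a simplified model of DNS response rate limiting (RRL). The log lines are constructed, the IP addresses are documentation ranges, and the function names are this example's own; production RRL implementations key on the response and the client's netblock and "slip" a truncated reply instead of dropping everything, which this model omits.

```python
"""Added example, not from the case study: sliding-window response rate limiter
replayed over a constructed DNS query log, with the amplification factor of the
ANY queries that make such a server attractive as a reflector."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed query log: "<seconds> <client_ip> <qname> <qtype> <response_bytes>".
# 203.0.113.7 plays the spoofed victim address that the reflector sees as the 'client'.
SAMPLE_LOG = """\
0.00 203.0.113.7 example.test ANY 3102
0.05 203.0.113.7 example.test ANY 3102
0.10 198.51.100.4 www.example.test A 60
0.12 203.0.113.7 example.test ANY 3102
0.20 203.0.113.7 example.test ANY 3102
0.30 203.0.113.7 example.test ANY 3102
0.40 198.51.100.4 www.example.test A 60
1.20 203.0.113.7 example.test ANY 3102
1.25 203.0.113.7 example.test ANY 3102
1.30 203.0.113.7 example.test ANY 3102
5.00 198.51.100.4 mail.example.test MX 120
"""


@dataclass(frozen=True)
class Query:
    t: float          # seconds since start of capture
    client: str       # source IP of the query (spoofed in a reflection attack)
    qname: str
    qtype: str
    resp_bytes: int   # size of the response the server would send


def parse_log(text: str) -> list:
    """Parse the constructed log format above, skipping blank lines."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, client, qname, qtype, size = line.split()
        out.append(Query(float(t), client, qname.lower().rstrip("."), qtype.upper(), int(size)))
    return out


class ResponseRateLimiter:
    """Allow at most `limit` identical responses per (client, qname, qtype) within `window` s."""

    def __init__(self, limit: int = 2, window: float = 1.0):
        self.limit = limit
        self.window = window
        self._sent = defaultdict(deque)   # key -> timestamps of responses already sent

    def allow(self, q: Query) -> bool:
        key = (q.client, q.qname, q.qtype)
        sent = self._sent[key]
        while sent and sent[0] <= q.t - self.window:   # forget responses outside the window
            sent.popleft()
        if len(sent) >= self.limit:
            return False                                # identical answer already given: drop
        sent.append(q.t)
        return True


def amplification_factor(q: Query, query_bytes: int = 64) -> float:
    """Bytes the reflector emits per byte the attacker sends (assumes a 64-byte query)."""
    return q.resp_bytes / query_bytes


def run(log_text: str, limit: int = 2, window: float = 1.0) -> dict:
    """Replay the log through the limiter and summarise answered vs suppressed traffic."""
    rrl = ResponseRateLimiter(limit, window)
    stats = {"answered": 0, "dropped": 0, "bytes_sent": 0, "bytes_suppressed": 0,
             "drops_by_client": defaultdict(int)}
    for q in parse_log(log_text):
        if rrl.allow(q):
            stats["answered"] += 1
            stats["bytes_sent"] += q.resp_bytes
        else:
            stats["dropped"] += 1
            stats["bytes_suppressed"] += q.resp_bytes
            stats["drops_by_client"][q.client] += 1
    stats["drops_by_client"] = dict(stats["drops_by_client"])
    return stats


if __name__ == "__main__":
    for k, v in run(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

The legitimate resolver at 198.51.100.4 is never throttled because it asks for different names at a normal pace, while the spoofed victim's repeated ANY queries are answered only twice per second; the suppressed bytes are exactly the traffic that would otherwise have been reflected onto the victim.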
Also, the Federal Criminal Police Office was involved in the investigation of the attack
infrastructure. However, at first, it was not clear whether it was responsible in this case.
It started to act after the Telekom provided additional information about the attack and it
was recognised that the attack was targeting a critical infrastructure.
Final Remarks
For providers of Domain Name Services there are different technical advisories for
strengthening their own DNS servers in such a way that they cannot be misused for this
kind of attack. The DNS provider should be made aware of the threat and be forced to
implement the necessary countermeasures. The problem here is that this would have to be
done by every single provider worldwide.
The internet is a critical infrastructure. Its availability is essential for the functioning of a
society and economy. Its outage can cause serious negative effects on almost all areas of
life and can even inflict real damage in the physical world. Therefore, its protection should
be an important goal for governments in every country.
Although the attack technique has been known for quite some time, its recent use for
launching DoS attacks of unprecedented scale has brought renewed interest in it. Similar
attacks are carried out against victims worldwide. A recent attack which made it into the
headlines was a DoS attack on the anti-spam organisation, The Spamhaus Project, in
March 2013.
The usage of internet servers – here DNS servers, in other cases also web, email, etc.
servers – instead of home PCs enables the attacker to generate higher network traffic,
since the internet connection of any such server is much faster than the connection of
a typical private PC. This threat changes the general situation and demands immediate
action for implementing appropriate countermeasures.
An account of the disruption at the IT service provider Tieto in late 2011 is given below.
The disruption affected both public and private organisations, and was debated both in
the specialist press and in the general media. A similar event occurred in Sweden on New
Year’s Eve (January 1, 2014) as a fire in the server room of one of the Stockholm facilities of
the IT service provider Evry caused considerable problems for the Stockholm metro, for
railway traffic, and for postal and logistic services, among others. The fire extinguishing
system was empty due to a human error. No one had restored (re-loaded) the system after
a minor incident the day before. The fire resulted in a loss of power, and data storage
systems had to be re-started. During the re-start, a software failure complicated matters,
and Evry was not able to re-deploy several IT services. This incident started a chain
reaction with implications for the whole society.
The disruptions at Tieto and Evry emphasise an already known circumstance, namely that
increased concentration and integration create a new category of vulnerability where
technical and human errors can shut down a number of societal functions over vast
geographical areas in a short period of time. A disruption at a large IT service supplier
can affect an entire society and the consequences can be considerable. Modern society is
becoming more and more vulnerable when IT systems become unavailable.
The exact details of what happened have not been made public by Tieto, but data storage
for a large number of servers was suspended in a very short period of time. The disruption
affected about 50 of Tieto’s customers, including companies, governmental agencies and
municipalities. Exactly which clients were affected by the disruption has still not been
made public by Tieto. For some organisations, IT support nearly came to a complete
halt, while other organisations experienced disruptions of specific services. In addition,
several service suppliers seem to have been connected to the storage system, including
companies that deliver web-based tools for administration, travel management and
similar services. There were reports from several municipalities across the country about
malfunctioning administration of financial services and pension services following the
disruption at Tieto.
5 December
The 180 control stations of the motor-
vehicle inspection company Bilprovningen
This section focuses on responses related to the consequences of the disruption. Many
of the affected organisations had to resort to manual routines while Tieto was working
on restoring their IT services. This halted some processes, and slowed down others
considerably, due mainly to lack of personnel. Some organisations had frameworks and
plans for dealing with the loss of IT services; others had to solve the problems as they
emerged. A few organisations resorted to using old IT systems – systems that still existed,
or could be re-installed. There was also an example of a public organisation that used
Twitter and Facebook to communicate with people when their website and email systems
were down.
The Swedish Civil Contingencies Agency (MSB) started working on the event, formally,
on the morning of the 28th of November 2011. Regular meetings were held through the
Agency’s National Cybersecurity Coordination Function. Obtaining situational awareness
was the most important part of that work. In addition to this, MSB published information
on the Agency’s websites, including the national crisis portal which is the responsibility of
the Agency. On Tuesday, November 29, MSB completed an impact analysis and concluded
that no critical societal functions were affected in such a way that would seriously
threaten the functioning of society. This was followed by a status report to the Swedish
Ministry of Defence. MSB followed the progression of events through open sources,
its own contact networks, and contacts with affected parties as well as with Tieto. The
Agency quickly contacted Tieto, as well as many of the affected organisations. However,
it was difficult to gain a complete understanding of the situation through these channels
from the perspective of societal considerations as regards the widespread effects of the
disruption. Therefore, a request was drawn up on 6 December for the majority of agencies
specifically indicated in the Emergency Management and Heightened Alert Ordinance
(2006:942) to submit a situation report to the MSB regarding the disruption at Tieto. In
summary, however, it can be concluded that the MSB had difficulty in quickly forming a
comprehensive picture of how the event was affecting Swedish society. There is still no
single party with a complete picture of the societal impact. In February 2012, the Agency
submitted a formal report on the event to the Swedish Ministry of Defence.
Final remarks
It is difficult to assess fully the negative societal consequences of the disruption at Tieto.
For some organisations, IT services were unavailable for weeks, while others only suffered
minor problems. Apart from IT services becoming unavailable, there were also some
cases of data losses. In terms of financial cost, it is even more difficult to estimate the
The Swedish Civil Contingencies Agency (MSB) did not activate the national IT response
plan during the Tieto disruption. The consequences of the disruption at Tieto cannot
be considered a social emergency. However, the disruption clearly had serious negative
consequences for individuals and organisations, meaning that the event was very serious.
The analysis that followed the event was able to establish that several of the affected
parties did not have enough knowledge about their own dependencies, nor about their
need for cooperation. Had the disruption led to more extensive social problems, the
MSB would have had trouble coordinating the relief work and alleviating the effects
of the incident, as well as creating a satisfactory basis for collaboration. The affected
organisations (Tieto’s customers), have a great responsibility in terms of informing
their users and other stakeholders themselves. The event shows that this responsibility
is difficult for many organisations to comply with. Emergency preparedness and
contingency planning for long disruptions are requirements for most organisations, but
special needs arise when an organisation outsources IT operations or uses cloud services
for vital parts of the operation. The impression after the disruption at Tieto is that the
organisations’ contingency planning was of varying quality. Further, only a small number
of organisations had applied information classification or performed a risk analysis
before their procurement and outsourcing of services.
In the event of cyber incidents, warnings come at short-notice or not at all, the pace is
rapid and the incident is usually geographically independent. In order to prevent and
handle cyber incidents, an increased capability of all organisations in society at all levels
of responsibility and in all sectors is required. To this end, the MSB has identified four
areas in which further work is required:
• Strengthening preventive initiatives for cyber security (information security) throughout society.
• Procurement as a tool for better security: There is a great deal of potential in public
procurement, and all organisations need to develop further their competency in using
procurement as a means of controlling their cyber security (information security).
• Special focus on risk analysis and contingency planning: The disruption at Tieto shows that
there are shortcomings in the contingency planning and emergency preparedness
among several of the affected organisations.
• National and regional cyber security situational awareness: The increased concentration of
IT operations and other IT related services means that a large number of stakeholders
On a technical level, the incidents were not very complex, but the impact on society
was great. The Swedish case describes a relatively simple system failure; the German
story about the denial-of-service attack involves somewhat advanced but well-known
techniques; and the hack at DigiNotar was mostly possible because of the lack of proper
controls in place at DigiNotar.
In each case, the impact was large because of the role the target played in each country:
a national telecommunications provider, a signer of the national PKI infrastructure, and
an IT operations provider. All had many parties who depended on their cyber security.
Through network effects, these incidents escalated quickly.
1 New technology has created new opportunities as well as new risks in our society. New
technology and new business solutions have allowed a concentration of information,
services, communication and IT operations in society. This increased concentration,
along with new forms of operation and increased integration, can lead to a
vulnerability where small technical errors can shut down a number of societal functions
in a short period of time.
3 The internet is a critical infrastructure. Its availability is essential for the functioning
of a society and economy. Therefore, its protection should be an important goal for
4 The incidents in this report show that a large cyber incident can have an effect on an
entire society and that the impact can be considerable. In order to prevent and handle
major IT incidents, an increased capability of all participants in society at all levels
of responsibility and in all sectors is required. In this regard, the following areas are
particularly important:
a Procurement as a tool for better control of cyber security
b Special focus on risk analysis and contingency planning
c Implementation of the necessary processes for early detection and mitigation of IT
attacks
d National and regional situation status reports on cyber security.
5 In each of these cases, incident response plays a central role. Cooperation and
coordination around a major cyber security incident are crucial. The timing and
the quality of the initial response are both crucial in order to deal effectively with
all aspects of an incident or with a crisis at a later stage. The examples in this report
show that all participants must be able to act together and collaborate on decision-
making and operations in the event of an emergency. It is important that the affected
parties have developed processes for gathering and sharing information. This should
also include being able to communicate information to the public and to other
stakeholders. And finally the information should be coordinated.
7 Internet Service Providers (ISPs) are an important party in preventing cyber attacks.
The effectiveness of the measures taken by a provider greatly affects the security stance
of its clients. Any lack of security at a provider which is responsible for trust-related
services has a great impact.
November 2014
Cyber Case Studies:
The Traditional Security Nexus
Introduction
As the lives of individuals and the daily operations of organizations increasingly use and depend upon
online networks and resources, the line between security incidents in the cyber and physical worlds has
become blurred. Traditional security definitions and boundaries no longer apply uniformly. While many
security professionals may still consider cyber security a technical problem, today’s reality is an
intertwined cyber-physical world wherein cyber security issues often affect and cross over into the
physical realm (and vice versa) with direct, tangible impact. Billions of people worldwide are now online; it
has become another, if not the primary, domain that individuals and organizations depend upon to
communicate, increase efficiency, engage in commerce, store and publish information, and reduce costs.
Criminals, spies, terrorists, and hacktivists (hacker activists) also take advantage of these same benefits.
The proliferation of intersections between cyber and physical is increasing as a function of computing
device connectivity. People use numerous communications protocols to connect multiple devices to
various networks at work, at home, and on the go. An organization’s sensitive and proprietary systems,
once closed-off networks, are now accessible or controllable via remote or Internet access. Furthermore,
low-cost “smart” technology has been introduced into departments not traditionally overseen by technical
staff. According to Gartner, 26 billion devices will be part of the “Internet of Things” (IoT) by 2020. IoT is
the interconnection of atypical, non-computing devices – everything from smart thermostats and alarm
systems to medical monitoring devices and automobiles – to the Internet using a myriad of wireless
technologies. This wave of ubiquitous automation will likely create a surge of security implications in both
the cyber and physical realms, especially considering security has historically lagged behind technology.
Defenders must cover all points of attack, while attackers only have to identify the weakest point. An
increasing number of traditional security incidents have occurred because of weak links that existed in the
cyber realm; the converse is also true. Through the examination of security incidents, including the
highlighted examples in Table 1, this white paper will demonstrate the interwoven nature of the two
realms, reveal who has been affected, and provide best practices and countermeasures.
Table 1: Highlighted security incidents by discipline
Information Security • Syrian spy cameras and microphones surveil activists and journalists
Financial Security • Credit card breaches will continue after chip and PIN adoption
Personnel Security • Terrorist-linked software developers hired for critical infrastructure work
The contents of this unclassified report, compiled from various open sources, in no way represent the policies, views, or attitudes
of the United States Department of State, or the U.S. Government, except as otherwise noted (e.g. travel advisories, public
statements). All OSAC products are for internal U.S. private sector security purposes only. Publishing or distributing OSAC-
derived information in a manner inconsistent with this policy may result in the discontinuation of OSAC support.
Agreement on the categorization of traditional security disciplines is difficult because there is much
overlap among them; cyber security is no different. Several other security sub-categories could fall under
one or more security disciplines in Table 1, such as operations security (OPSEC). Facility security,
personal protection, and information security are all common sub-categories of physical security.
Physical security (defined as the physical protection of sensitive or proprietary information, people,
facilities, installations, or other sensitive materials, resources, or processes) is broad and multi-faceted. Its
key areas involve the physical protection of facilities, people, and information.
Facility Security
U.S. Steel
In May, a federal grand jury indicted five military officers in China’s People’s Liberation Army (PLA) Unit
61398 for computer hacking, economic espionage, identity theft, and other related offenses directed at six
U.S. private-sector organizations in the nuclear power, metals, and solar energy industries. This was the
first time the U.S. Government successfully brought criminal charges against nation-state actors for this
type of computer hacking. Most of the alleged criminal conduct involved information that was stolen while
the companies were in negotiations, partnerships, or trade litigations with Chinese state-owned
enterprises (SOEs).
One of the affected organizations, United States Steel Corporation (U.S. Steel), was involved in trade
cases with Chinese steel companies between 2009 and 2012. Shortly before the anticipated decision in
one of the cases, an indicted military hacker allegedly sent spear-phishing emails to U.S. Steel
employees – including those associated with the litigation. Some of the emails, which appeared to come
from the CEO, successfully tricked employees into clicking on malicious links, resulting in the installation
of malware and backdoor access on corporate computers. The hackers used more spear-phishing
emails, with the subject line “US Steel Industry Outlook,” to steal a list of about 1,700 company
computers, including servers that controlled physical access to the company’s facilities and emergency
response.
Although the indictment stated that vulnerable servers on that list were identified and exploited, it does
not confirm which ones were hacked or detail the extent of exploitation. Compromised facility access
systems could have enabled a Chinese competitor to target U.S. Steel’s business operations from a
physical security angle. However, most of the alleged activity conducted by the PLA 61398 hackers
resulted in intellectual property (IP) and trade secret theft.
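The CEO-impersonation described above turns on header-level tells that a mail gateway or SOC rule can check before a user ever sees the link: an executive's display name on an address that is not the executive's mailbox, a look-alike sending domain, or a Reply-To that redirects answers off-domain. The following Python is an added example written for this handbook, not code from the OSAC report or from U.S. Steel; the internal domain, the executive roster and the four sample messages are constructed for illustration.

```python
"""Spear-phishing header triage for the CEO-impersonation pattern described above.
Added example, not part of the OSAC report; the internal domain, executive
roster and sample messages are all constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr
import re

INTERNAL_DOMAINS = {"example.com"}                  # hypothetical corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # hypothetical CEO roster


def _norm_name(name: str) -> str:
    """Lower-case and strip punctuation so 'J. Doe' style variants still compare."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def _domain(addr: str) -> str:
    return addr.lower().rsplit("@", 1)[-1] if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_from_header(from_header: str) -> str:
    """Return 'ok', 'display_name_spoof' or 'lookalike_domain' for a From: header."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    expected = EXECUTIVES.get(_norm_name(name))
    # An executive's name on an address that is not the executive's real mailbox.
    if expected is not None and addr != expected:
        return "display_name_spoof"
    dom = _domain(addr)
    if dom not in INTERNAL_DOMAINS:
        for legit in INTERNAL_DOMAINS:
            if 0 < _edit_distance(dom, legit) <= 2:
                return "lookalike_domain"
    return "ok"


def classify_message(raw: str) -> tuple:
    """(subject, verdict); also flags a Reply-To that sends replies off-domain."""
    msg = message_from_string(raw)
    verdict = classify_from_header(msg.get("From", ""))
    if verdict == "ok" and msg.get("Reply-To"):
        _, reply_addr = parseaddr(msg["Reply-To"])
        _, from_addr = parseaddr(msg["From"])
        if _domain(reply_addr) != _domain(from_addr):
            verdict = "reply_to_mismatch"
    return (msg.get("Subject", ""), verdict)


def scan_messages(raw_messages) -> list:
    return [classify_message(raw) for raw in raw_messages]


# Constructed sample mailbox: one legitimate message and three impersonation attempts.
SAMPLE_MESSAGES = [
    "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nSee attached.\n",
    "From: Jane Doe <jane.doe.ceo@gmail.com>\nSubject: US Steel Industry Outlook\n\n"
    "Please review the report at http://outlook-report.example.net/ today.\n",
    "From: IT Support <it-support@examp1e.com>\nSubject: Password expiry\n\n"
    "Your password expires today; log in to renew it.\n",
    "From: Jane Doe <jane.doe@example.com>\nReply-To: jane.doe@gmail.com\n"
    "Subject: Urgent wire\n\nReply to me here, I am travelling.\n",
]

if __name__ == "__main__":
    for subject, verdict in scan_messages(SAMPLE_MESSAGES):
        print(f"{verdict:20s} {subject}")
```

The display-name check deliberately matches on the name alone rather than the full address, because that is exactly what the recipient's eye does; the look-alike test uses a distance of two, which catches single substitutions and transpositions without flagging unrelated domains.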
Countermeasures
• The U.S. Steel case study underscores the need for segmentation or compartmentalization of
critical systems from public-facing networks via physical and/or logical (software) means.
• The case study also stresses the importance of cyber security education, especially to protect
against spear-phishing tactics.
o Spear-phishing is used in over 90 percent of advanced economic espionage attacks by
nation-state or nation-state-sponsored actors.
o Spear-phishing was the predominant method allegedly used by the PLA 61398 hackers.
• Segmentation and compartmentalization will likely become more important as the Internet of
Things expands, where thermostats, refrigerators, alarm systems, and security cameras could all
exist on the same network.
o A vulnerability in just one device could disclose the credentials to the entire network.
o Not only could an attacker turn off an alarm or security camera, but a threat actor could
use the cameras or smart meter readings to determine when a building is vacant in order
to break in.
o Manipulation of a thermostat to prompt a building evacuation could be the first step in a
plot to attack an organization’s physical security.
o In addition, networks that communicate without encryption, or with IoT devices that lack
physical protection, are exposed and vulnerable to attack.
Personal Protection
Social networking sites and social media sites have made collecting information on people and
organizations for social engineering, blackmail, and conducting traditional, economic, or industrial
espionage – in both the cyber and physical domains – much easier. However, information published on
these sites can also affect the physical security of people in an organization.
Mexican drug cartels and organized crime groups (OCG) often glean personally identifiable information
(PII) from social networking and media sites to add legitimacy to extortion and kidnapping threats. They
regularly monitor the social media of target individuals, such as journalists disseminating “unfavorable”
information about illicit OCG activities. OCGs may also search for secure communication channels to
avoid detection by government and security authorities, and they are likely trying to diversify revenue
streams through hacking, counterfeiting, and ATM skimming. As such, there have been media reports
since at least 2009 of computer programmers, engineers, and telecommunications experts being
kidnapped, enslaved, bribed, and coerced.
A hacking group called the Lizard Squad attacked Sony Online Entertainment in August 2014, causing
denial-of-service disruptions to Sony’s PlayStation Network servers and tweeting a hoax to American
Airlines about “receiving reports that [Sony Online Entertainment CEO]’s plane #362 from DFW to SAN
has explosives on-board.” The hackers were a previously-unknown group who claimed links to terrorism
to add credence to the hoax; therefore, American Airlines diverted the flight and security authorities
checked for explosives. The Lizard Squad had obtained the CEO’s flight information from cross-
referencing flight schedules with travel information he had posted on Twitter (see Figure 2).
Figure 2: Hacking group Lizard Squad devised a hoax using information gleaned from
Sony Online Entertainment CEO’s tweets
Information found on social networking and media sites can be used to defeat security questions used to
reset passwords on online sites and services. This, in addition to the use of weak passwords, use of
repeated passwords across multiple sites, a lack of two-factor authentication, and the allowance of
unlimited password guesses on a cloud back-up service, contributed to the highly-publicized leaks of
private celebrity photos in 2014. Using information on the Internet to humiliate, blackmail, bully, stalk,
surveil, and/or kidnap a person is among the most frightening ways someone’s personal safety can be
compromised by cyber-related means.
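Of the contributing factors listed above, the allowance of unlimited password guesses is the one that the service operator alone controls. The following Python is an added example, not code from the OSAC report or from any cloud provider; it contrasts an unguarded login path with one that locks an account after a handful of consecutive failures and backs off exponentially. The credential store, the account name and the clock are constructed so the brute-force simulation runs offline and deterministically: in 1,000 seconds an attacker guessing once per second gets 1,000 tries against the unguarded path and 13 against the throttled one.

```python
"""Per-account guess throttling with lockout and exponential backoff.
Added example, not from the original report. Accounts, the static salt and
the clock are constructed so the simulation is deterministic and runs offline."""
import hashlib
import hmac
import time


class FakeClock:
    """Stand-in for time.monotonic() so the brute-force simulation is repeatable."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class GuessThrottle:
    """From the free_attempts-th consecutive failure on, each failure locks the
    account for base_delay * 2**k seconds (k counting from that first lock),
    capped at max_delay. The lock is keyed on the account, so spraying one
    victim from many source addresses is still throttled."""

    def __init__(self, free_attempts=5, base_delay=2.0, max_delay=3600.0, clock=time.monotonic):
        self.free, self.base, self.cap, self.clock = free_attempts, base_delay, max_delay, clock
        self._fails = {}         # account -> consecutive failures
        self._locked_until = {}  # account -> clock value when the lock expires

    def retry_after(self, account: str) -> float:
        """Seconds until another attempt is accepted; 0.0 means allowed now."""
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def record_failure(self, account: str) -> None:
        n = self._fails.get(account, 0) + 1
        self._fails[account] = n
        if n >= self.free:
            delay = min(self.cap, self.base * 2 ** (n - self.free))
            self._locked_until[account] = self.clock() + delay

    def record_success(self, account: str) -> None:
        self._fails.pop(account, None)
        self._locked_until.pop(account, None)


# Constructed credential store; a real system uses a random per-user salt.
_SALT = b"constructed-example-salt"


def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"victim": _pbkdf2("correct horse battery staple")}


def attempt_login(account: str, password: str, throttle: GuessThrottle) -> str:
    """Returns 'locked', 'bad_password' or 'ok'. Unknown accounts are hashed and
    throttled exactly like real ones so the response does not reveal existence."""
    if throttle.retry_after(account) > 0:
        return "locked"
    stored = USERS.get(account, b"\x00" * 32)
    if hmac.compare_digest(stored, _pbkdf2(password)) and account in USERS:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad_password"


def simulate_guessing(seconds: int, throttled: bool) -> int:
    """Attacker submits one wrong guess per second against 'victim'; returns how
    many guesses reached the password check. Unthrottled, every one of them does."""
    clock = FakeClock()
    throttle = GuessThrottle(clock=clock)
    reached = 0
    for _ in range(seconds):
        if not throttled or throttle.retry_after("victim") == 0:
            reached += 1
            throttle.record_failure("victim")
        clock.advance(1)
    return reached


if __name__ == "__main__":
    print("unthrottled guesses in 1000 s:", simulate_guessing(1000, throttled=False))
    print("throttled guesses in 1000 s:  ", simulate_guessing(1000, throttled=True))
```

The lock is checked before the password hash is computed, so a locked-out attacker costs the server nothing, and the correct password submitted during a lock is refused too; that is the price of the control, and it is why the backoff is capped rather than permanent.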
Kaspersky Kidnapping
The highest-profile cyber surveillance, stalking, and abduction case involved Ivan Kaspersky, son of the
chairman and CEO of Russia-based Kaspersky Lab, one of the most prominent cyber security firms in the
world. Ivan Kaspersky was kidnapped for ransom in 2011 while walking to work from his Moscow
apartment. According to Russian media sources, amateurs – an older indebted couple – orchestrated the
plot and enlisted their son and two of his friends as “muscle” for the plot. The abductors stalked
Kaspersky and his girlfriend for several months prior to the kidnapping, determining his behavioral
patterns and discovering that he did not have a protective security detail. The kidnappers reportedly
obtained all the needed information from Kaspersky’s user profile on Vkontakte, a popular Russian social
networking site. His profile contained publicly-posted personal information, such as his real name, photo,
current school and area of study, girlfriend, work location, and the addresses of his last two apartments.
With this information, even amateurs could track and abduct the son of a prominent billionaire.
Kaspersky was forced to call his father to relay the ransom demands. Fortunately, the cellphone he used
was tracked within six days, although there is conflicting reporting as to whether its location was tracked
by Russian security authorities or someone working directly for Kaspersky. The Russian System for
Operative Investigative Activities (SORM) lawfully enables authorities to monitor, record, analyze, and
retain all data that traverses Russian telephone and Internet networks, including all emails, telephone
calls, Internet browsing sessions, text messages, and fax transmissions. The abductors may have used
the same cellphone to order food deliveries, or had geolocation services enabled.
Countermeasures
• The common thread in these personal safety attacks is the lack of operations security (OPSEC)
used in online interactions.
o Limiting the amount of publicly-available personal information online and turning off
geolocation services on social networking and media sites can go a long way in
preventing targeted attacks.
o Even in cases where permissions are set to limit the audience to online “friends,” it is
easy for the Internet savvy to use fake social networking site accounts to socially
engineer their way in.
o Potential targets should be made aware of what information about them is publicly
available online (or for a few dollars), to understand the ways they could be targeted.
o Posting information from wearable IoT devices with geolocation capabilities (GPS), like
fitness activity-monitoring devices, could also reveal regular routes or residential
addresses.
• Only trusted third-party sites and services with stringent security measures should be used for
any off-site or cloud storage of sensitive files.
• Other best practices to help counter attacks include separating work and personal accounts and
using fabricated information in password reset security questions.
Information Security
In addition to facilities and people, physical security protects sensitive or proprietary information from
sabotage or theft. Using cyber methods to destroy or steal information stored electronically is obvious, but
using cyber methods to obtain information that is not located on computer networks or electronic media is
less so. Stringent physical security measures and systems used in facilities to prevent adversaries from
overhearing information, gaining access to printed information, or discovering what physical security
systems or methods are in place, can be defeated by one compromised cellphone or computer.
Computers and cellphones contain cameras, microphones, and often tracking devices – the same
components that make up high-tech eavesdropping devices.
Violence from Syria’s civil war continues both on the ground and in the cyber realm. Pro-government
forces are circulating spyware to infiltrate, track, and gather intelligence against the opposition, which
often winds up in the hands of the Assad regime and results in arrests, raids, and attacks. In some cases,
suspected rebels have been rounded up and interrogated about activities they conducted on their
computers, without the interrogators needing to have physical access to the machines.
Pro-Assad hackers deploy malware that is usually in the form of a remote access trojan (RAT), which
grants nearly full access to victim computers. Not only do the attackers have access to computer files, but
they can record everything that is typed or displayed on the screen, such as online communications,
emails, video calls, and chats on social networking sites. The spyware is able to obtain information not
normally in the cyber domain – it can turn on cameras to collect intelligence on locations, record sensitive
information posted within view, attribute online activities to specific users’ faces, and turn on microphones
to eavesdrop on conversations in the room.
The attackers use well-informed social engineering that is tailored to the interests, needs, and fears of the
opposition. For example, they have hidden malware in fake security tools, fake versions of privacy or
encryption software [such as virtual private network (VPN) clients and Skype encryption tools], bait
documents, and malicious links. One email promised documents and maps showing the movements of
fighting groups. Further, they compromised legitimate Facebook accounts, such as one belonging to the
head of the Transnational Syrian Opposition, to recommend the installation of malicious software.
When diplomatic efforts appeared to replace the possibility of U.S. military action in Syria, NGOs and
journalists working on the conflict were included as targets in the attackers’ phishing, social media, and
spear-phishing campaigns. In one instance, an NGO administrator received an email purporting to
contain video evidence of Syrian military abuses. The file played a video of a graphic execution while it
installed RAT malware.
Pro-government hacking campaigns followed similar methods until late 2013, when security
researchers began to see attacks that they believed were “false flags.” The new campaigns seemed to
implicate pro-Assad hackers deliberately, but did not fit their techniques and tactics. For example, new
malware of unknown origin claimed to be from the Syrian Electronic Army, but specifically attacked
Mac computers, which are uncommon in the region. Mac computers are more popular with activists
and journalists covering Syrian issues from outside the country. Kaspersky Lab has attributed the
locations of attackers in recent Syria-related cyber attack campaigns to operations coming from Syria,
Lebanon, and Russia. This may indicate that Syrian government allies with significant hacking
capabilities, such as Hizballah, are secretly assisting in the attacks. Figure 3 shows the geographical
distribution of those targeted by recent cyber attacks.
Activists, journalists, and NGOs working on the Syrian conflict have become more knowledgeable of
the risks posed by these kinds of attacks. However, the attackers’ malware campaigns have become
increasingly innovative and sophisticated in 2014, with higher levels of social engineering. Analysis of
the cyber attacks, especially correlating new or resurging attack campaigns with current events, is
difficult.
Figure 3: Recent Syria-related cyber attacks mostly affected victims in Syria and nearby countries
(Source: Kaspersky Lab)
Countermeasures
• Organizations should be aware that there is a risk of surveillance or eavesdropping when
using computers and mobile electronic devices.
o Microphones can be physically switched off (not using software) or disconnected from
systems in sensitive areas.
o Covers or removable tape can be used to cover camera lenses when not in use.
o Cellphones can be left outside, or batteries can be temporarily removed, during
sensitive conversations in secure areas.
o Other best practices for safely using electronic devices abroad can be found in the
OSAC report on economic espionage trends.
An exploited vulnerability in cyber security does not always defeat physical security, but physical access
to computing devices nearly always defeats cyber security. Lack of access control, locks, temperature
control, and backup power for high-value networks or server rooms could easily result in data loss or
compromise.
Additionally, most attacks against cellphones and mobile electronic devices require one or more of the
following:
• An unencrypted connection to an unsecured or public Wi-Fi network;
• Falling prey to a malicious link or attachment in an email, social networking or media site, or text
message;
• Software that is unpatched or out of date; or
• Physical access to the device by the attacker.
Physical access is the easiest way to compromise laptops and mobile electronic devices. Abroad,
especially in locations with aggressive technical collectors, most security experts assume devices that are
out of direct physical control are compromised.
Perhaps the greatest confluence of traditional and cyber security occurs in the finance industry, where
international commerce and financial services operate largely on a cashless framework. “Cyber” is losing
its place as a term in the finance industry vernacular. Excluding cash-only economies, monetary
exchanges and transactions are done electronically. Brazil was a pioneer in the adoption of electronic and
online financial systems 30 years ago and today has a large, robust banking community and e-commerce
sector. Even in several African countries, such as Kenya, mobile network penetration preceded that of
broadband Internet, and financial transactions by phone have become commonplace. With rapid
technological growth comes a general lag in implementing and enforcing cyber security legislations and
practices, usually creating lucrative environments for cyber criminals. As such, Brazil is a worldwide
hotspot for cyber crime, and in Africa, fraud conducted over mobile networks is prolific.
Especially in the United States, major data breaches seem to make the news headlines regularly,
contributing to the “Age of the Data Breach.” In 2014 alone, hackers have stolen over 500 million financial
records from the U.S. private sector. Of these, point-of-sale (POS) terminal malware exposed the financial
information of over 100 million credit cardholders, stealing the information while it was unencrypted in
memory or elsewhere in the transaction chain. EMV “chip and PIN” cards, wherein the card carries an
embedded microchip that authenticates the card cryptographically to the issuer while the cardholder is
verified with a personal identification number (PIN), may be an answer. However, without end-to-end
encryption of card data throughout the transaction (including in memory and storage), these breaches
could still occur. Furthermore, stolen card information can still be used fraudulently in online
(card-not-present) transactions, where the chip is never read.
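POS RAM scrapers find card data the same way an incident responder confirms exposure in a memory dump: by searching for the ISO 7813 track 1 and track 2 layouts and for bare 13 to 19 digit runs, and discarding candidates that fail the Luhn check. The following Python is an added example, not code from the OSAC report or from any breach; it generalizes the memory-scraping point above to all three patterns. The memory excerpt is constructed from published test card numbers, and every PAN in the report is masked to the first six and last four digits.

```python
"""Scan a memory buffer for cleartext payment card data, the pattern POS RAM
scrapers hunt for and the check an incident responder runs on a process dump
to confirm exposure. Added example, not from the original report; the dump
below is constructed from published test card numbers."""
import re

# ISO 7813 track layouts: %B<PAN>^<NAME>^<YYMM>...  and  ;<PAN>=<YYMM><service code>...
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{2})(\d{2})")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})")
BARE_PAN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(pan: bytes) -> bool:
    """Mod-10 check that separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):   # iterating bytes yields ints
        d = ch - 0x30
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """First six and last four digits, the most a report should ever carry."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def find_card_data(buf: bytes) -> list:
    findings, covered, seen = [], [], set()
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group(1)
            if not luhn_ok(pan):
                continue
            yy, mm = (m.group(3), m.group(4)) if kind == "track1" else (m.group(2), m.group(3))
            findings.append({"kind": kind, "offset": m.start(), "pan": mask(pan),
                             "expiry": f"{mm.decode()}/20{yy.decode()}"})
            covered.append((m.start(), m.end()))
            seen.add(pan)
    # Bare PANs outside any track match, e.g. a PAN copied into a log or session field.
    for m in BARE_PAN.finditer(buf):
        pan = m.group(1)
        if pan in seen or not luhn_ok(pan):
            continue
        if any(s <= m.start() < e for s, e in covered):
            continue
        findings.append({"kind": "bare_pan", "offset": m.start(), "pan": mask(pan), "expiry": None})
        seen.add(pan)
    return sorted(findings, key=lambda f: f["offset"])


# Constructed process-memory excerpt; 1234567890123456 fails Luhn and must be ignored.
SAMPLE_DUMP = (
    b"\x00\x00POSAPP v2.1 heap\x00"
    b"phone=1234567890123456;"
    b";4111111111111111=25121011234567890?"
    b"\x00\x00%B5500000000000004^DOE/JANE^25121011000000000?"
    b"\x00session=4242424242424242\x00"
)

if __name__ == "__main__":
    for finding in find_card_data(SAMPLE_DUMP):
        print(finding)
```

Run it against a dump of the POS application's process memory rather than the whole machine: a hit of kind track1 or track2 means the full magnetic-stripe equivalent sat in cleartext at that offset, which is precisely the exposure that point-to-point encryption of the card read is meant to remove.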
Credit card skimming, when criminals insert a rogue device into an ATM or POS terminal that copies
information stored on the magnetic strip, will likely decrease in countries that migrate fully to EMV chip
technology. However, chip and PIN cards are not immune to software flaws, incorrect implementation, or
more advanced skimming attacks that clone the chip or harvest the PIN.
As countries migrate to the EMV standard, payment networks have implemented liability shifts. In the
U.S., the card issuer is liable for fraudulent transactions, but in countries that have adopted EMV, liability
for fraudulent transactions has shifted to retailers and ATM owners who do not support it.
Countermeasures
Large credit card breaches will likely continue to occur because of the time required for a country to
completely adopt EMV technology, and as long as there are end-to-end encryption issues. However,
examination of the major credit card breaches in 2014 reveals other vulnerabilities that were involved in
the attacks.
• Computers on the same network as those in the POS transaction chain (without physical or
logical separation):
o Were open to Internet access;
o Had remote administration software installed;
o Had user accounts with access to email and Internet browsing (susceptible to spear-phishing
and drive-by downloads that install malware); and/or
o Were connected to third-party vendors or services, such as payment processor companies or
HVAC companies, that employ less stringent security measures.
• Even organizations that employed stringent security software and response teams missed alerts
and warnings. This can happen when multiple offices are responsible for an organization’s overall
security, but there is no standard operating procedure to delineate individual responsibilities, and
when no formal breach response plan exists.
• Compliance with new PCI-DSS 3.0 security standards will help address some of the vulnerabilities
affecting credit card transactions.
Personnel security assures the loyalty, reliability, suitability, and trustworthiness of employees and others
who work with or have access to sensitive information and material. It is often concerned with insider
threat. Economic (nation state) and industrial (corporate) espionage threat actors use social engineering
techniques, both cyber and traditional, to specifically target employees who have any access to sensitive
or IP-related information. Some insiders may be state-sponsored threat actors already embedded in U.S.
private-sector organizations, but many are coerced with promises of financial reward. Both economic and
industrial espionage actors lure employees with lucrative job opportunities at either state-owned
enterprises or competitors. Employees can also be coerced by nation-state governments to help their
home countries out of patriotism or loyalty.
Disgruntled employees are prime targets for economic and industrial espionage actors; by some
estimates, as many as 75 percent of departing employees are disgruntled. According to client statistics compiled by cyber
security firm Websense, 65 percent of malicious insiders have already accepted a new job, and 25
percent of them hand over proprietary information to a foreign company or government (see Figure 4).
Jerome Kerviel and Societe Generale
For Jerome Kerviel, no encouragement or lure was needed in what became the biggest rogue trading
scandal in history. Kerviel, a trader for French multinational banking and financial services company
Societe Generale, was convicted in 2008 for breach of trust, forgery, and unauthorized use of the bank’s
computers. As an insider, he subverted controls and used an accumulation of privilege to go on a
gambling spree that resulted in a $7 billion loss for his employer. After his release from prison in
September 2014, he was hired as an information systems and computer security consultant by Lemaire
Consultants and Associates.
Aum Shinrikyo
Aum Shinrikyo, a Japanese doomsday terrorist group, was responsible for many assassinations and the
1995 sarin gas nerve agent attacks on the Tokyo subway system that killed 12 people. Five years later,
security authorities realized that more than 80 Japanese companies and government organizations had
contracted computer companies affiliated with Aum Shinrikyo for software development. The Japanese
companies affected were major players in the electronics, food, banking, transportation, and metal
manufacturing fields, while some of the government agencies were responsible for construction,
education, postal services, and telecommunications.
Computer software development was a major source of revenue for Aum Shinrikyo. Many affected
organizations did not know they had ordered software from firms affiliated with the terrorist group because
their main suppliers had subcontracted the work. Additionally, most affiliates concealed their relationship
with Aum Shinrikyo. They developed about 100 different types of software, including customer
management, airline route management, and mainframe computer systems. The most prominent
customers were Nippon Telegraph and Telephone (NTT), Japan’s main telephone and Internet service
provider, and the Defense Ministry of Japan. The concern that the terrorist group had inside
access to sensitive government and corporate computer systems became a widespread fear, as many
worried about acts of cyber terrorism and sabotage of vital communications and networks. Many affected
government agencies and companies were forced to suspend the use of purchased systems until they
could verify that they were secure.
Countermeasures
The most effective countermeasure for insider threat is user education, especially as part of a
formalized insider threat program.
o The average employee is not aware that foreign governments, in addition to competitors,
attempt to recruit insiders.
o Coworkers have the best chance at identifying insider threat behavior in an organization.
o The CERT Insider Threat Center has published best practices for mitigating IP theft,
information systems sabotage, and fraud. Additionally, the FBI Counterintelligence
Division’s Insider Threat Program offers an extensive list of possible insider behavior and
risk indicators.
o It often requires only one instance of human error, such as falling for a spear-phishing
scheme, for a major data breach or loss to occur in an organization.
The Aum Shinrikyo case stresses the importance of personnel security measures not only for
employees in the workplace, but also for all those who work with or have access to sensitive
information or systems in the entire supply chain.
Public safety involves the prevention of and protection from events that could endanger or cause injury,
harm, or damage to the general public. The Aum Shinrikyo case highlights a cyber-related incident that
overlaps multiple security disciplines; it could have had long-reaching effects on the public safety in
Japan. Other examples of cyber incidents that could impact public safety involve event security and
terrorism.
Hacktivists (hacker activists) have threatened mass disruptions at major events to publicize or bring
attention to their causes. Days before the opening ceremony at the London 2012 Summer Olympic
Games, British security services warned Olympics authorities about the threat of a cyber attack on the
stadium’s power supply. According to government investigations, the threat came from hacktivists and
was not considered credible. However, the threat led to checks on a back-up power system, including tests to
ensure functionality despite the strain from the stadium’s lighting and communications networks.
Hacktivists have also threatened to hack into traffic control systems at major events, such as the 2014
FIFA World Cup, using vulnerabilities in traffic control systems that were recently published in two
separate studies. The studies revealed that traffic control systems could be disrupted or rendered
inoperable. One researcher used a remote-control drone and cheap programmable hardware to launch
an attack on a traffic system and sent fake data to sensors – small wireless vehicle detection devices
embedded in the ground that transmit information about automobile location and movement. Traffic could
be impacted if the sensors were wirelessly linked to traffic lights. The other research team showed that it
was possible to break into the wireless communications of another system’s traffic controllers because
there were no passwords in use and no encryption used in the transmissions.
Terrorists could exploit traffic control system vulnerabilities to direct traffic toward (or restrict it to) a
planned attack location. While the products detailed in the studies are deployed primarily in the U.S.,
about 200,000 of the sensors in one system are in use worldwide, including in the UK, France, and
Australia. Experts believe that many traffic infrastructure devices created by various vendors have similar
security properties due to a lack of security consciousness in the traffic control systems field.
Countermeasures
There are several practical ways that transportation departments, traffic light operators, and
equipment manufacturers can increase the security of their infrastructure:
o Enabling encryption on wireless networks,
o Blocking non-essential traffic from being sent on the network, and
o Updating device firmware regularly.
The simplest solutions with the greatest impact are to enable passwords and not rely on
default login credentials.
The vulnerabilities in the traffic sensor system have been patched, with planned upgrades for
older models. However, the identity of the other vendor has not been disclosed, and their
vulnerabilities are still exploitable.
National security refers to the protection of a nation through the use of economic power, political power,
military might, and diplomacy to ensure its survival. Accordingly, national security is dependent upon
military as well as non-military facets such as economic security, energy security, and environmental
security.
One of the most concerning national security issues with or without a cyber security nexus is the scale of
trade secret theft conducted against U.S. economic interests, especially those with foreign operations. In
addition, host country national security can affect the operations and welfare of U.S. private sector
organizations abroad. There are many possible attack vectors that could impact a country’s critical
infrastructure and therefore the operations of OSAC constituents. Furthermore, international and
intranational conflicts more frequently include cyber components.
Intellectual property theft, especially in the cyber domain, has been one of the most serious economic and
national security challenges the U.S. has faced over the past several years. The Commission on the Theft
of American Intellectual Property, in their 2013 IP Commission Report, estimated that the U.S. economy
is experiencing losses of over $300 billion a year to international trade secret theft. The report
concluded that better protection for IP, especially overseas, would add millions of jobs to the U.S.
economy, significantly bolster economic growth, encourage investment in research and development, and
improve innovation.
Threats to a host nation’s critical infrastructure include those against the financial services industry,
energy sector, water supply, transportation systems, public health services, and telecommunications
networks. Nation states have infiltrated or attacked critical infrastructures, often controlled and monitored
by industrial control systems (ICS), since at least 2003. Patching and updating ICS equipment can be
difficult because it is often old, sensitive, proprietary, or no longer supports software upgrades. Many
systems require continuous operation and cannot be rebooted after an update, especially if it takes
several hours to do so or there is a risk that the system may not work properly afterward.
Critical infrastructures that are accessible via the Internet are most vulnerable to attack. However, those
that isolate, or “air gap” their systems from the Internet are not impenetrable. Advanced nation-state
attacks on air-gapped systems have succeeded, e.g., the Stuxnet and Agent.btz campaigns, where
employees may have inserted malicious USB flash drives – planted outside targeted facilities – into
computers that were connected (or later connected) to the sensitive, isolated networks. The Stuxnet virus
destroyed nuclear centrifuges in Iran, and Agent.btz infiltrated both classified and unclassified U.S.
military networks. Other research suggests that the Stuxnet virus may have entered via hacked suppliers
of nuclear facility components. Additionally, the Shamoon virus, introduced by a disgruntled insider with
full systems access, destroyed 75 percent of the corporate data at Saudi Arabia’s national oil and natural
gas company.
Actors based in China, Russia, and Iran have allegedly conducted cyber probes of U.S. grid systems;
cyber attacks have occurred against critical infrastructure in several other countries as well. In 2013, a
senior Israeli official revealed a foiled hacking attempt to break into the computers of the water system in
Haifa and stated that critical infrastructures in Israel undergo hundreds of cyber attacks every minute. In
2013 and 2014, private security researchers set up fake industrial control systems (“honeypots”) on the
Internet that emulated water pumping stations. Analysis of one decoy system revealed intrusion and
system modification attempts originating from several countries, as shown in Figure 5. Further, targeted
attacks to obtain statistics, diagnostics, and protocol information included a spear-phishing attack from
China, a commonly-known malware attack from Vietnam, and an unknown malware attack from Russia.
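The kind of triage that turns a decoy system's log into the per-country picture described above, as an added example that is not part of the OSAC paper: it assumes a Modbus/TCP decoy (the paper names no protocol) whose constructed log records one line per request with the source address, a country code and the Modbus function code.

```python
"""Triage of constructed ICS honeypot log lines (added example, not from the paper)."""
from collections import Counter, defaultdict
import re

# Modbus function codes that change controller state (writes), read process
# values, or only query diagnostics/identification. Protocol choice is an assumption.
WRITE_CODES = {5, 6, 15, 16, 22, 23}
READ_CODES = {1, 2, 3, 4}
INFO_CODES = {8, 17, 43}  # diagnostics, report server ID, device identification

# Assumed log format: "<timestamp> src=<ip> cc=<country> fc=<function code> unit=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+cc=(?P<cc>[A-Z]{2})\s+"
    r"fc=(?P<fc>\d+)\s+unit=(?P<unit>\d+)"
)

# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2014-03-02T10:15:22Z src=203.0.113.5 cc=CN fc=3 unit=1
2014-03-02T10:15:23Z src=203.0.113.5 cc=CN fc=43 unit=1
2014-03-02T10:15:30Z src=203.0.113.5 cc=CN fc=16 unit=1
2014-03-02T11:02:01Z src=198.51.100.7 cc=RU fc=8 unit=1
2014-03-02T11:02:05Z src=198.51.100.7 cc=RU fc=6 unit=1
2014-03-02T12:40:11Z src=192.0.2.44 cc=VN fc=1 unit=1
2014-03-02T12:40:12Z src=192.0.2.44 cc=VN fc=17 unit=1
2014-03-02T13:00:00Z src=192.0.2.99 cc=US fc=3 unit=1
garbage line that does not parse
"""


def classify(fc: int) -> str:
    """Label a request by what it would do to a real controller."""
    if fc in WRITE_CODES:
        return "modification"
    if fc in INFO_CODES:
        return "reconnaissance"
    if fc in READ_CODES:
        return "read"
    return "unknown"


def triage(log_text: str) -> dict:
    """Group requests by source country and single out the sources that
    attempted to modify the decoy, which is what distinguishes an intrusion
    from passive scanning."""
    per_country = defaultdict(Counter)
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # keep a count so log corruption is visible, not silent
            continue
        per_country[m["cc"]][classify(int(m["fc"]))] += 1
    modifiers = sorted(cc for cc, c in per_country.items() if c["modification"])
    return {
        "by_country": {cc: dict(c) for cc, c in per_country.items()},
        "modification_sources": modifiers,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for cc, counts in triage(SAMPLE_LOG)["by_country"].items():
        print(cc, counts)
```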
Despite the vulnerabilities and reported intrusions of industrial control systems, it is rare for threat actors
to carry out significantly damaging or full-scale attacks. Many critical infrastructure operators in
technologically advanced countries are air-gapping their most important systems from the Internet. Some
experts argue that a mass takeover of critical infrastructure is not likely because it is sufficiently
segmented, where only one component, area, or section could be affected at one time. Regardless, the
pervasiveness of cyber attacks on critical infrastructures and “cold war” tactics indicate that the definition
of national security has expanded to include a nation’s offensive and defensive cyber capabilities.
National governments use cyber tactics to help fight rebellions, oppositions, and terrorists internally (see
previous section on the Syrian civil war). However, they have also used cyber tactics as a component in
international conflicts. Cyber researchers have noted major spikes in malware traffic on corporate and
government networks preceding the Russia-Ukraine and Israel-Gaza conflicts, suggesting that conflict
occurring in the cyber realm could be used as a threat indicator or even a tripwire for kinetic attacks. Over
an 18-month period, as tensions rose between each pair of countries, so did the frequency of cyber
attacks between them. Attribution of the attacks becomes crucial, however, as a false flag or the
misidentification of a state-led cyber attack could lead to physical, armed conflict.
Russian Conflicts
Open-source reporting and private industry security research have accused Russia of conducting attacks
on telecommunications networks in its engagements with Estonia in 2007, Georgia in 2008, and Ukraine
in 2014. In a dispute that erupted over the Estonian removal of a Soviet war memorial in Tallinn, Russia
allegedly conducted a three-week cyber attack that took down Estonian systems that relied on Internet
technology – disabling voting, security, telephony, and 95 percent of banking operations. US-CERT
attributed the takedowns to distributed denial-of-service (DDoS) attacks. In 2008, the Russian invasion of
Georgia included disruption attacks that blocked Georgia’s banking, media, and government websites.
Internet connectivity within Georgia and to the outside world was impacted, and there were widespread
propaganda and website defacement campaigns against Georgian websites. In 2014, armed men raided
Ukrainian telecommunications facilities in Crimea, severing Internet and telephone services between the
region and the rest of Ukraine. However, this was accomplished by physically cutting telecommunications
lines, a military tactic that predates the Internet by decades. Russia also allegedly installed equipment
that blocked the mobile phones of Ukrainian members of parliament. Some Ukrainian government
agencies, including the Prime Minister’s office and at least 10 Ukrainian embassies abroad, were infected
with a Russian-linked cyber espionage campaign called the Snake malware, also referred to as
“Uroboros.” At least nine other countries’ embassies in Eastern Europe were also infected with the
malware, resulting in leaks of sensitive diplomatic information. And in September, the broadband network
of a major telecommunications provider in New Zealand ground to a halt for 36 hours when user
connections were co-opted to conduct a DDoS attack against websites in Ukraine and several large
international banks enforcing sanctions against Russia.
Predictably, the Russian government has denied state involvement in these attacks. Nonetheless,
investigations by private cyber security firms have determined that these attacks originated inside
Russia's borders. State-sponsored or Russian nationalist hackers could have been responsible for at
least some of the cyber campaigns. Cyber Berkut, a nationalist hacking group that emerged after the
dissolution of the “Berkut” Ukrainian special police force, took credit for the hacking of Ukraine’s electronic
election system prior to the 2014 presidential election. They took down the system via DDoS,
manipulated and destroyed data, and defaced the website to display fake election results.
Israel-Gaza Conflict
Terrorist Groups
The Islamic State of Iraq and the Levant (ISIL or ISIS) and Al-Qa’ida have not exhibited the ability to
conduct sophisticated cyber attacks, thus far only using social media networks and other online resources
to communicate, post propaganda, and recruit. Just as governments, militant groups, and terrorists may
receive physical assistance and arms support from their allies, they may also receive offensive cyber
training. Based on open-source reporting and past attack attribution, Iran, Syria, Hamas, Hizballah, and to
a lesser extent, pro-Islamic hacktivists, are the only adversaries in the Middle East and North Africa
region that have exhibited offensive cyber capabilities.
Countermeasures
Critical infrastructures should isolate their most important systems from public networks. Many ICS
devices are not only Internet-facing, but do not have security mechanisms to prevent unauthorized
access.
o Web-based ICS equipment that cannot be isolated from the Internet should use encrypted
communications.
o System administrators should set appropriately secure and non-default log-in credentials,
implement two-factor authentication, and disable insecure or unnecessary remote access
communications protocols.
o Organizations with aging, fragile, or sensitive industrial control systems can employ real-time
network monitoring and incident response. Otherwise, administrators should keep ICS
equipment up to date with software patches and fixes.
o Physical and logical (software-based) access control can prevent unauthorized employees or
contractors from accessing important equipment.
Air-gapped systems may still be vulnerable to attack by advanced nation-state threat actors.
o Education and training are the best way to protect against both insider threat and the
connection of unauthorized devices or external electronic media.
o Disabling or restricting computer ports that accept external electronic devices or media can
prevent the introduction of malware.
o Suppliers are usually much easier for hackers to exploit than the corporations or government
agencies using them.
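The countermeasures listed for traffic control systems and for ICS equipment above, encoded as an inventory audit; this is an added example, not the paper's or any vendor's tool, and the device fields, thresholds and the three sample devices are constructed assumptions.

```python
"""Baseline audit of a constructed ICS / traffic-controller inventory (added example)."""
from dataclasses import dataclass, replace

# Remote-access protocols the paper's guidance would have disabled: cleartext or weakly protected.
INSECURE_PROTOCOLS = {"telnet", "ftp", "http", "vnc"}
MAX_FIRMWARE_AGE_DAYS = 365  # assumed patch-currency threshold


@dataclass(frozen=True)
class Device:
    name: str
    internet_facing: bool
    encrypted_comms: bool
    default_credentials: bool
    two_factor: bool
    remote_protocols: frozenset
    firmware_age_days: int
    media_ports_restricted: bool
    monitored: bool  # real-time network monitoring, the compensating control for fragile gear


def audit(dev: Device) -> list:
    """Return (severity, finding) pairs, highest severity first."""
    findings = []
    if dev.default_credentials:
        findings.append(("high", "default login credentials in use"))
    if dev.internet_facing and not dev.encrypted_comms:
        findings.append(("high", "Internet-facing without encrypted communications"))
    bad = dev.remote_protocols & INSECURE_PROTOCOLS
    if bad:
        findings.append(("high", "insecure remote access protocols enabled: " + ", ".join(sorted(bad))))
    if dev.internet_facing and not dev.two_factor:
        findings.append(("medium", "remote access without two-factor authentication"))
    if dev.firmware_age_days > MAX_FIRMWARE_AGE_DAYS and not dev.monitored:
        findings.append(("medium", "firmware older than a year and no compensating network monitoring"))
    if not dev.media_ports_restricted:
        findings.append(("low", "external media ports unrestricted (removable-media malware path)"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


def harden(dev: Device) -> Device:
    """The same device with the corrected settings from the paper's list applied.
    Patching is only forced where no monitoring compensates for fragile equipment."""
    return replace(
        dev,
        encrypted_comms=True,
        default_credentials=False,
        two_factor=True,
        remote_protocols=frozenset(dev.remote_protocols - INSECURE_PROTOCOLS),
        media_ports_restricted=True,
        firmware_age_days=dev.firmware_age_days if dev.monitored else 0,
    )


# Constructed inventory: one weak device, one partly secured, one already in line with the guidance.
INVENTORY = [
    Device("pump-plc-01", True, False, True, False, frozenset({"telnet", "http"}), 900, False, False),
    Device("traffic-ctl-17", True, False, False, False, frozenset({"https"}), 200, True, False),
    Device("turbine-hmi-03", False, True, False, True, frozenset({"ssh"}), 1200, True, True),
]


def summarize(devices) -> dict:
    """Finding count per device, for a quick view of where to start."""
    return {d.name: len(audit(d)) for d in devices}


if __name__ == "__main__":
    for d in INVENTORY:
        print(d.name, audit(d))
```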
Shodan is an online search engine that allows users to search for publicly-accessible devices and
computer systems that are connected to the Internet.
o Shodan users can locate systems including security cameras; heating and security control
systems for banks, universities, and large corporations; medical devices; and industrial
control systems (see Figure 6) for water plants, power grids, and nuclear power facilities.
o Users are primarily cyber security professionals, researchers, and law enforcement agencies,
and it is a useful tool for conducting penetration tests on, or “red teaming,” network resources
and systems.
o While cyber criminals can use the website, they have other effective methods to accomplish
the same task without detection. One recent honeypot study revealed intrusion attempts from
China-based attackers within two hours of connecting the decoy ICS equipment to the
Internet, before the system appeared on Shodan.
Figure 6: A map of industrial control systems that are directly connected to the Internet (Source: Shodan)
Out of convenience, people and organizations have adopted technology into nearly every aspect of their
daily lives and operations. Physical devices are linking or connecting to the cyber realm at an exponential
rate. As atypical devices with “smart” functionalities and Internet capabilities become connected to the
Internet of Things, they also become hackable. Sharing or storing information on external networks also
relinquishes control of the data to third-party vendors and services. Even worse, technology adoption is
surpassing the ability to secure it. This is especially concerning as cyber security has become a
component of an organization’s overall security posture.
The convergence of traditional and cyber threats has created the need for integration of the security
disciplines. Adversaries have become more sophisticated in their exploits, often involving both traditional
and cyber attack vectors. Traditional security organizations and jobs are more frequently including cyber
security responsibilities as the line between cyber and real-world security incidents becomes indistinct.
Information security – traditionally the protection of sensitive or proprietary information – and financial
security have almost become synonymous with cyber security because most information and financial
data is now transmitted and stored on computer networks.
According to former DHS Secretary Michael Chertoff, “one of the biggest misconceptions is that cyber
security is a hardware or software problem; the reality is that it is a people problem.” Understanding
adversaries and addressing both technical and human vulnerabilities is critical. A strong security posture
depends upon a culture where security is everyone’s responsibility, especially when the actions of one
person, or one weak link, can compromise the entire enterprise.
Examination of the case studies presented in this white paper reveals countermeasures that OSAC
constituents could incorporate into their security strategies to prevent or lessen the impact of security
incidents with a cyber nexus:
Contact Information
For further information or inquiries, please contact OSAC’s Coordinator for Information Security & Cyber
Threats.
OSAC constituents can confidentially report traditional or cyber security incidents abroad on the OSAC
website at https://www.osac.gov/Pages/IncidentSubmission.aspx or by directly contacting the OSAC
Research and Analysis Unit (RAU).