Security concerning IT and information is normally categorised in three categories to facilitate the
management of information.
theft
fraud/ forgery
unauthorized information access
interception or modification of data and data management systems
The above concerns materialise in the event of a breach caused by the exploitation of a vulnerability.
Vulnerabilities
A vulnerability is a weakness in an information system, system security procedures, internal
controls, or implementation that could be exploited or triggered by a threat source.
Threat agent or actor
of the vulnerability or a situation and method that may accidentally trigger the vulnerability.
threat vector actor uses to attack the target.
Threat targets
phone, online bank account or identity.
Student Handbook Security Analyst SSC/N0901
Threat classification
Microsoft has proposed a threat classification called STRIDE from the initials of threat categories:
Spoofing of user identity
Tampering
Repudiation
Information disclosure (privacy breach or data leak)
Denial of Service (D.o.S.)
Elevation of privilege
Types of attacks
Virus
A virus is a malicious program able to inject its code into other programs/ applications or data files,
so that the targeted areas become "infected". A virus is installed without the user's consent and
spreads as executable code transferred from one host to another. Types of viruses include resident
virus, non-resident virus, boot sector virus, macro virus, file-infecting virus (file-infector),
polymorphic virus, metamorphic virus, stealth virus, companion virus and cavity virus.
Worm
A worm is a category of malicious program that exploits operating system vulnerabilities to spread
itself. In its design a worm is quite similar to a virus and is even considered a sub-class of it. Unlike
viruses, however, worms can reproduce/ duplicate and spread by themselves; during this process a
worm does not need to attach itself to any existing program or executable. The different types of
worms, based on their method of spread, are email worms, internet worms, network worms and
multi-vector worms.
Trojan
Computer Trojans or Trojan horses are named after the mythological Trojan horse owing to the
similarity in their operation strategy. Trojans are a type of malware that masquerades as a
non-malicious, even useful, application but actually damages the host computer after its
installation. Unlike viruses, Trojans do not self-replicate; they rely on the end user to install them.
Types of Virus
Depending on the virus "residence", viruses can be classified in the following way:
Resident virus - a virus that embeds itself in the memory of the target host. In this way it becomes
activated every time the OS starts or executes a specific action.
Non-resident virus - when executed, this type of virus actively seeks targets for infection on local,
removable or network locations. Once it has infected them it exits, so it no longer resides in
memory.
Boot sector virus
Macro virus - a virus written in a macro language and embedded in Word, Excel, Outlook etc.
documents. This type of virus is executed as soon as the document that contains it is opened,
because macro execution within such documents is automatic under normal circumstances.
Another classification of viruses can result from their characteristics:
File-infecting virus (file-infector) - this is the classic form of virus. When the infected file is
executed, the virus seeks out other files on the host and infects them with malicious code. The
malicious code is inserted either at the beginning of the host file code (prepending virus), in the
middle (mid-infector) or at the end (appending virus). A specific type of virus called a "cavity
virus" can even inject the code into gaps in the file structure itself. The start point of the file's
execution is changed to the start of the virus code to ensure that it is run when the file is
executed. Afterwards, control may or may not be passed on to the original program in turn.
Depending on the infection routine, the host file may become otherwise corrupted and
completely non-functional. More sophisticated viral forms let the host program execute while
trying to hide their presence completely (see polymorphic and metamorphic viruses).
Polymorphic virus
Metamorphic virus - this virus is capable of changing its own code with each infection. The
rewriting process may cause the infection to appear different each time, but the functionality of
the code remains the same. The metamorphic nature of this virus type makes it possible to infect
executables from two or more different operating systems or even different computer
architectures. Metamorphic viruses are among the most complex in build and very difficult to
detect.
Stealth virus - a memory-resident virus that utilises various mechanisms to avoid detection. This
avoidance can be achieved, for example, by removing itself from the infected files and placing a
copy of itself in a different location. The virus can also maintain a clean copy of the infected files
in order to provide it to the antivirus engine for scanning while the infected version remains
undetected. Furthermore, stealth viruses actively work to conceal any traces of their activities
and of the changes made to files.
Armored virus
Multipartite virus - this attempts to attack both the executable files and the master boot record
of the drive at the same time. This type may be tricky to remove: even when the executable file
part is clean, it can re-infect the system all over again from the boot sector if that was not
cleaned as well.
Camouflage virus - this virus type is able to report itself as a harmless program to the antivirus
software. Where the virus has code similar to that of legitimate, non-infected files, the antivirus
application is tricked into believing it is dealing with the legitimate program. This works only
against basic signature-based antivirus software. Nowadays antivirus solutions have become more
elaborate, so camouflage viruses are quite rare and not a serious threat due to the ease of their
detection.
Companion virus
Cavity virus - unlike traditional viruses, the cavity virus does not attach itself to the end of the
infected file but instead uses the empty spaces within the program file itself (which exist there
for a variety of reasons). This way the length of the program code is not changed and the virus
can more easily avoid detection. In most cases the injection does not impact the functionality of
the host file at all. Cavity viruses are quite rare though.
us virus that
takes over a system until money is paid as ransom which has been detected by
cyber experts. Version 2.0 of the TeslaCrypt ransomware encryptor family, say
experts, is notorious for infecting computers of gamers. The malicious program
is now targeting online consumers and businesses via email attachments which
block access to a computer system until a sum of money, specifically in dollars,
is paid as ransom. If the victim delays, the ransom is doubled. Detected in
February 2015, TeslaCrypt began infecting systems in the US, Europe and
Southeast Asian countries. It then occurred in Indian cities including Delhi and
Mumbai. Two businessmen from Agra were targeted this year, from whom the
extortionist demanded more than $10,000. In the last six months, two cases
were reported in Agra, where the malware locked down its victim's most
important files and kept them hostage in exchange for a ransom to unlock it.
Types of Worms
The most common categorization of worms relies on how they spread:
Email worms: spread through email messages, especially through those with attachments.
Internet worms: spread directly over the internet by exploiting access to open ports or system
vulnerabilities.
Network worms: spread over open and unprotected network shares.
Multi-vector worms: having two or more various spread capabilities.
Types of Trojans
Computer Trojans or Trojan horses are named after the mythological Trojan horse from the Trojan War,
in which the Greeks gave a giant wooden horse to their foes, the Trojans. As soon as the Trojans dragged
the horse inside their city walls, Greek soldiers sneaked out of the horse's hollow belly and opened the
city gates, allowing their army to capture Troy. A computer Trojan horse works in a way that is very
similar to that strategy: it is a type of malware that masquerades as a non-malicious, even useful,
application but actually damages the host computer after its installation.
Trojans do not self-replicate, which is their key difference from a virus, and they often require end-user
intervention to install themselves. In most scenarios the user is tricked into believing that the program
being installed is a legitimate one (this is very often connected with social engineering attacks on end
users). Another common method is for the Trojan to be spammed as an email attachment or a link in an
email. A similar method has the Trojan arriving as a file or link in an instant messaging client. Trojans
can also be spread by means of drive-by downloads, or be downloaded and dropped by other Trojans or by
legitimate programs that have been compromised.
The results of Trojan activities can vary greatly, from low-invasive ones that only change the wallpaper
or desktop icons, through Trojans that open backdoors on the computer and allow other threats to infect
the host or give a hacker remote access to the targeted computer system. Trojans can also cause serious
damage on the host by deleting files or destroying the data on the system in various ways (such as
formatting the drive or causing a BSOD). Such Trojans are usually stealthy and do not advertise their
presence on the computer.
Trojan classification can be based upon the function performed and the way they breach systems. An
important thing to keep in mind is that many Trojans have multiple payload functions, so any such
classification provides only a general overview and not a strict boundary. Some of the most common
Trojan types are:
Remote Access Trojans (RAT), aka Backdoor.Trojan - this type of Trojan opens a backdoor on the
targeted system to allow the attacker remote access to the system or even complete control
over it. This kind of Trojan is the most widespread type and often has various other functions as
well. It may be used as an entry point for a DoS attack or for introducing worms or even other
Trojans into the system. A computer with a sophisticated backdoor program installed may also be
referred to as a "zombie" or a "bot". A network of such bots is often referred to as a "botnet" (see
part 3 of the Security 1:1 series). Backdoor.Trojans are generally created by malware authors
who are organized and aim to make money out of their efforts. These types of Trojans can be
highly sophisticated and can require more work to implement than some of the simpler malware
seen on the Internet.
Trojan-DDoS - this Trojan is installed simultaneously on a large number of computers in order to
create a zombie network (botnet) of machines that can be used (as attackers) in a DDoS attack
on a particular target.
Trojan-Proxy -
Trojan-FTP - this Trojan is designed to open FTP ports on the targeted machine to allow the remote
attacker access to the host. Furthermore, the attacker can also access network shares or
connections to further spread other threats.
Destructive Trojan - this is designed to destroy or delete data. It is much like a virus.
Security Software Disabler Trojan - this is designed to stop security programs like antivirus
solutions, firewalls or IPS, either by disabling them or by killing their processes. This kind of Trojan
functionality is often combined with a destructive Trojan that executes data deletion or
corruption only after the security software is disabled. Security Software Disablers are entry
Trojans that allow the next level of attack on the targeted system.
Info Stealer (Data Sending/ Stealing Trojan) - this Trojan is designed to collect confidential or
sensitive information from the compromised host and send it to a predefined location (the
attacker). The stolen data comprises login details, passwords, PII, credit card information etc.
Data-sending Trojans can be designed to look for specific information only or can be more generic,
like keylogger Trojans. Nowadays more than ever before, attackers are concentrating on
compromising end users for financial gain. The information stolen by an info stealer Trojan is
often sold on the black market. Info stealers gather information using several techniques. The
most common techniques include logging keystrokes, taking screenshots and webcam images, and
monitoring internet activity, often for specific financial websites. The stolen information may be
stored locally so that it can be retrieved later, or it can be sent to a remote location where it can
be accessed by an attacker. It is often encrypted before being posted to the malware author.
Keylogger Trojan - this is a type of data-sending Trojan that records every keystroke of the end
user. This kind of Trojan is specifically used to steal sensitive information from the targeted host
and send it back to the attacker. For these Trojans, the goal is to collect as much data as possible
without any direct specification of what the data will be.
Trojan-PSW (Password Stealer) - this is a type of data-sending Trojan designed specifically to
steal passwords from the targeted systems. In its execution routine, the Trojan will very often
first drop a keylogging component onto the infected machine.
Trojan-Banker - a Trojan designed specifically to steal online banking information to allow the
attacker further access to bank account or credit card information.
Trojan-IM - a type of data-sending Trojan designed specifically to steal data or account
information from instant messaging programs like MSN, Skype etc.
Trojan-Game Thief - a Trojan designed to steal information about online gaming accounts.
Trojan Mail Finder - a Trojan used to harvest any email addresses found on the infected computer.
The email list is then forwarded to the remote attacker.
Trojan-Dropper -
Trojan-Downloader a Trojan that can download other malicious programs to the target
computer. Very often combined with the functionality of Trojan-Dropper. Most downloaders
that are encountered will attempt to download content from the internet rather than the local
network. In order to successfully achieve its primary function, a downloader must run on a
computer that is inadequately protected and connected to a network.
Trojan-FakeAV
This type of Trojan can be either targeted to extort money for "non-existing" threat removal or
in other cases the installation of the program itself injects other malware to the host machine.
FakeAV applications can perform fake scans with variable results, but always detect at least one
is
constantly updated with new interfaces so that they mimic the legitimate anti-virus solutions and
appear very professional to the end users.
Trojan-Spy this Trojan has a similar functionality to the Info stealer or Trojan-PSW and its
purpose is to spy on the actions executed on the target host. These can include tracking data
entered via keystrokes, collecting screenshots, listing active processes/ services on the host or
stealing passwords.
Trojan-ArcBomb -
Malware refers to software such as viruses, spyware, adware, worms, trojans, ransomware etc. It is
designed to cause damage to a targeted computer or cause a certain degree of operational
disruption.
A rootkit is malicious software designed to hide certain processes or programs from detection. It
usually acquires and maintains privileged system access while hiding its presence at the same
time. It acts as a conduit by providing the attacker with a backdoor to a system.
Spyware is software that monitors and collects information about a particular user, computer or
organisation without their knowledge. There are different types of spyware, namely system
monitors, trojans (keyloggers, banker trojans, infostealers), adware, tracking cookies etc.
Tracking cookies are a specific type of cookies that are distributed, shared and read across two
or more unrelated websites for the purpose of gathering information or potentially to present
customized data to you.
Riskware is a term used to describe potentially dangerous software whose installation may pose
a risk to the computer.
Scareware is a class of malware that includes both Ransomware (Trojan.Ransom) and FakeAV
software. It is also well known under the names "Rogue Security Software" or "Misleading
Software". This kind of software tricks the user into believing that the computer has been infected
and offers paid solutions to clean the "fake" infection.
Spam is the term used to describe unsolicited or unwanted electronic messages, especially
advertisements. The most widely recognized form of spam is email spam.
Creepware is a term used to describe activities like spying others through webcams (very often
combined with capturing pictures), tracking online activities of others and listening to
conversation over the computer's microphone and stealing passwords and other data.
Blended threat defines an exploit that combines elements of multiple types of malware
components. The use of multiple attack vectors and payload types aims to increase both the
severity of the damage caused and the speed of spreading.
Network attacks
A network attack is usually defined as an intrusion on the network infrastructure that first analyses
the environment and collects information in order to exploit the existing open ports or vulnerabilities.
This may include unauthorized access to organisation resources.
Passive attacks: these refer to attacks where the purpose is only to learn and get some
information from the system, while the system resources are not altered or disabled in any way.
Active attacks: in this type of network attack, the perpetrator accesses and either alters,
disables or destroys resources or data.
Outside attack: when an attack is performed from outside the organization by an unauthorized
entity, it is said to be an outside attack.
Inside attack: if an attack is performed from within the company by an "insider" that already
has certain access to the network, it is considered to be an inside attack.
Others, such as attacks targeting end users (like phishing or social engineering): these attacks
are not directly referred to as network attacks, but are important to know due to their
widespread occurrence.
Figure: types of network attacks - Whaling; Vishing (voice phishing or VoIP phishing); Port scanning;
Spoofing; Network sniffing; DoS attack & DDoS attack; ICMP smurf denial of service; Man-in-the-middle
attack; Buffer overflow attack; Botnet; Session hijacking attack; Cross-site scripting attack (XSS attack);
SQL injection attack; Bluetooth related attacks.
remains the same to obtain confidential information and gain access to personal files. The
means of the attack are a bit different though, and include special links or posts on social media
sites that attract the user with their content and convince them to click. The link then redirects
to a malicious website or similar harmful content. Such websites can mirror the legitimate
Facebook pages so that an unsuspecting user does not notice the difference. The website requires
the user to log in with his real credentials; at this point the attacker collects the credentials,
gaining access to the compromised account and all data on it. Another scenario involves fake
apps: users are encouraged to download and install apps that contain malware used to steal
confidential information.
Facebook phishing attacks are often much more elaborate. Consider the following scenario: a link
posted by an attacker can include pictures or a phrase that will attract the user to click on it.
The user clicks, upon which he/ she is redirected to a mirror website that asks him/ her to like the
post before even viewing it. The user, not suspecting any harm, clicks on the "like" button but
doesn't realise that the "like" button has been spoofed and is in reality the "accept" button
granting the fake app access to the user's personal information. At this point the data is collected
and the account is compromised.
Spear phishing attack - this is a type of phishing attack targeted at specific individuals, groups
of individuals or companies. Spear phishing attacks are performed mostly with the primary purpose
of industrial espionage and theft of sensitive information, while ordinary phishing attacks are
directed against the wide public with the intent of financial fraud. It has been estimated that in
the last couple of years targeted spear phishing attacks have become more widespread than ever before.
The recommendations to protect your company against phishing and spear phishing include:
1. Never open or download a file from an unsolicited email, even from someone you know
(you can call or email the person to double check that it really came from them).
2. Keep your operating system updated.
3. Use a reputable anti-virus program.
4. Enable two-factor authentication whenever available.
5. Confirm the authenticity of a website prior to entering login credentials by looking for a
reputable security trust mark.
6. Look for HTTPS in the address bar when you enter any sensitive personal information on a
website to make sure your data will be encrypted.
Watering hole attack - this is a more complex type of phishing attack. Instead of the usual way
of sending spoofed emails to end users in order to trick them into revealing confidential
information, attackers use a multi-staged approach to gain access to the targeted information.
In the first steps, the attacker profiles the potential victim, collecting information about his or
her internet habits, history of visited websites etc. In the next step the attacker uses that
knowledge to inspect specific legitimate public websites for vulnerabilities. If any vulnerabilities
or loopholes are found, the attacker compromises the website with his own malicious code. The
compromised website then waits for the targeted victim to come back and infects them with
exploits (often for zero-day vulnerabilities) or malware. This is an analogy to a lion waiting at
the watering hole for its prey.
Whaling - a type of phishing attack specifically targeted at senior executives or other high
profile targets within a company.
Vishing (Voice Phishing or VoIP Phishing) - the use of social engineering techniques over the
telephone system to gain access to confidential information from users. This phishing attack is
often combined with caller ID spoofing, which masks the real source phone number and instead
displays a number familiar to the phishing victim or known to belong to a real banking
institution. General practices of vishing include pre-recorded automated instructions requesting
users to provide bank account or credit card information for verification over the phone.
Port scanning - an attack type where the attacker sends several requests to a range of ports on
a targeted host in order to find out which ports are active and open, which allows them to exploit
known service vulnerabilities related to specific ports. Port scanning can be used by malicious
attackers to compromise security, as well as by IT professionals to verify network security.
Spoofing - a technique used to masquerade a person, program or address as another by
falsifying data, with the purpose of gaining unauthorized access.
A few of the common spoofing types include:
IP address spoofing - the process of creating IP packets with a forged source IP address to
impersonate a legitimate system. This kind of spoofing is often used in DoS attacks
(Smurf attack).
ARP spoofing (ARP poisoning) - the process of sending fake ARP messages on the network.
The purpose of this spoofing is to associate the attacker's MAC address with the IP address of
another legitimate host, causing traffic to be redirected to the attacker's host. This kind of
spoofing is often used in man-in-the-middle attacks.
DNS spoofing (DNS cache poisoning) - an attack where wrong data is inserted into a DNS
server's cache, causing the DNS server to divert traffic by returning wrong IP addresses as
results for client queries.
Email spoofing - the process of faking the email's sender "from" field in order to hide the
real origin of the email. This type of spoofing is often used in spam mail or during
phishing attacks.
Search engine poisoning - attackers take advantage of high-profile news items or popular
events that may be of specific interest to a certain group of people to spread malware and
viruses. This is performed by various methods whose purpose is to achieve the highest possible
search ranking on known search portals for the malicious sites and links introduced by the
hackers. Search engine poisoning techniques are often used to distribute rogue security
products (scareware) to users searching for legitimate security solutions to download.
Network sniffing (packet sniffing) - the process of capturing the data packets travelling on the
network. Network sniffing can be used by IT professionals to analyse and monitor traffic, for
example in order to find unexpected suspicious traffic, but also by perpetrators to collect data
sent in clear text, which is easily readable with network sniffers (protocol analysers). The best
countermeasure against sniffing is the use of encrypted communication between the hosts.
Denial of Service attack (DoS attack) and Distributed Denial of Service attack (DDoS attack) -
an attack designed to cause an interruption or suspension of the services of a specific host/ server
by flooding it with large quantities of useless traffic or external communication requests. When
the DoS attack succeeds, the server is no longer able to answer even legitimate requests; this
can be observed in a number of ways: slow response of the server, slow network performance,
unavailability of software or web pages, inability to access data, websites or other resources. A
Distributed Denial of Service attack (DDoS) occurs where multiple compromised or infected
systems (a botnet) flood a particular host with traffic simultaneously.
DoS (denial-of-service) attack
A few of the most common DoS attack types:
ICMP flood attack (Ping Flood) - the attacker sends ICMP ping requests to the victim host
without waiting for the answers, in order to overload it with ICMP traffic to the point where the
host cannot answer them any more, either because of network bandwidth congestion with
ICMP packets (both requests and replies) or because of high CPU utilization caused by
processing the ICMP requests. The easiest way to protect against the various types of ICMP
flood attack is either to disable propagation of ICMP traffic sent to the broadcast address on
the router or to disable ICMP traffic at the firewall level.
Ping of Death (PoD) - this attack involves sending a malformed or otherwise corrupted
malicious ping to the host machine, for example a PING of a larger size than usual, which can
cause a buffer overflow on the system that leads to a system crash.
Smurf attack - this works in the same way as the Ping Flood attack, with one major difference:
the source IP address of the attacker's host is spoofed with the IP address of another legitimate,
non-malicious computer. Such an attack causes disruption both on the attacked host (receiving
a large number of ICMP requests) and on the spoofed victim host (receiving a large number of
ICMP replies).
ICMP Smurf Denial of Service
SYN flood attack - this attack exploits the way the TCP 3-way handshake works while a TCP
connection is being established. In the normal process, the host computer sends a TCP SYN
packet to the remote host requesting a connection. The remote host answers with a TCP
SYN-ACK packet confirming that the connection can be made. As soon as this is received by the
first (local) host, it replies with a TCP ACK packet to the remote host. At this point the TCP
socket connection is established. During a SYN flood attack, the attacker host, or more
commonly several attacker hosts, send SYN packets to the victim host requesting a
connection; the victim host responds with SYN-ACK packets, but the attacker hosts never
respond with ACK packets. As a result the victim host reserves space for all those
connections while still awaiting the remote attacker hosts' responses, which never come. This
leaves the server with dead half-open connections and in the end prevents legitimate hosts
from connecting to the server any more.
Buffer overflow attack: in this type of attack the victim host is supplied with traffic or data
that is outside the range the victim host, its protocols or its applications are designed to process,
overflowing the buffer and overwriting the adjacent memory. One example is the
Ping of Death attack mentioned above, where a malformed ICMP packet with a size exceeding the normal
value can cause the buffer overflow.
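The oversized ping can be recognised before reassembly ever happens: every IPv4 fragment carries its offset and its length, so the size the final datagram would reach can be computed from any single fragment. The following is an added example rather than handbook code; the packet bytes are constructed inline with a zero checksum and documentation-range addresses, and the function and constant names are assumptions.

```python
# Added example, not from the handbook: detect a Ping of Death fragment from its
# IPv4 header. A single datagram may not exceed 65535 bytes once reassembled,
# so (fragment offset + fragment payload length) must stay within that bound.
import struct

IPV4_MAX_DATAGRAM = 65535      # limit of the 16-bit total-length field
IPPROTO_ICMP = 1
# version/IHL, TOS, total length, ID, flags+offset, TTL, proto, checksum, src, dst
IPV4_HEADER = "!BBHHHBBH4s4s"


def parse_ipv4_header(packet):
    """Return (header_len, total_length, frag_offset_bytes, more_fragments, protocol)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_length, _ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IPV4_HEADER, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (ver_ihl & 0x0F) * 4
    if header_len < 20 or total_length < header_len:
        raise ValueError("inconsistent IPv4 length fields")
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8  # the offset field counts 8-byte units
    return header_len, total_length, frag_offset, more_fragments, proto


def reassembled_size(packet):
    """Size the full datagram would reach if this fragment were its last piece."""
    header_len, total_length, frag_offset, _mf, _proto = parse_ipv4_header(packet)
    return frag_offset + (total_length - header_len)


def exceeds_max_datagram(packet):
    """True for any fragment that would push reassembly past 65535 bytes."""
    return reassembled_size(packet) > IPV4_MAX_DATAGRAM


def is_ping_of_death_fragment(packet):
    """The PoD case: an ICMP fragment whose reassembled datagram would be oversized."""
    _hl, _tl, _off, _mf, proto = parse_ipv4_header(packet)
    return proto == IPPROTO_ICMP and exceeds_max_datagram(packet)


def build_fragment(frag_offset_bytes, payload_len, more_fragments=False, proto=IPPROTO_ICMP):
    """Construct a minimal fragment for testing (checksum left zero, addresses from
    the 192.0.2.0/24 documentation range); not a packet captured from a real network."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_bytes // 8)
    header = struct.pack(IPV4_HEADER, 0x45, 0, 20 + payload_len, 0x1234, flags_frag,
                         64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + b"\x00" * payload_len


if __name__ == "__main__":
    last_piece = build_fragment(65528, 100)   # offset at the top of the 13-bit range
    print("reassembled size:", reassembled_size(last_piece))
    print("ping of death:", is_ping_of_death_fragment(last_piece))
```

A host or firewall that applies this check per fragment can discard the offending piece without allocating the reassembly buffer at all, which is the defensive point: the overflow is in the reassembly code, so the check must happen before it.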
Botnet: a collection of compromised computers that can be controlled by remote perpetrators
to perform various types of attacks on other computers or networks. A well-known example of botnet
usage is the distributed denial of service attack, where multiple systems submit as many
requests as possible to the victim machine in order to overload it with incoming packets. Botnets
can otherwise be used to send out spam, spread viruses and spyware, and to steal personal
and confidential information, which is afterwards forwarded to the botmaster.
Man-in-the-middle attack
connections and communication between victim hosts. This form of attack includes interaction
between both victim parties of the communication and the attacker. The attacker achieves this by
intercepting every part of the communication, changing its content and sending it back as
legitimate replies. Neither party is aware of the attacker's presence, and both believe the replies
they get are legitimate. For this attack to be successful, the perpetrator must successfully
impersonate at least one of the endpoints. This is possible when there are no protocols in place
that would provide mutual authentication or encryption during the communication process.
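As an added illustration (not from the handbook) of the mutual-authentication point, the exchange below gives both endpoints a shared key and binds each message to its sender, a sequence number and an HMAC tag, so a relay that rewrites the content, or re-sends an old message, is rejected. The key, names and messages are constructed; the example covers only the integrity and authenticity half of the defence, since an HMAC does not hide the payload from an eavesdropper, and a real deployment would obtain the key from a key exchange rather than a constant.

```python
# Added example, not from the handbook: message authentication between two
# endpoints so that a man-in-the-middle cannot alter or replay traffic unnoticed.
import hashlib
import hmac
import json


def sign_message(key, sender, seq, payload):
    """Sender side: bind sender, a sequence number and the payload under one MAC."""
    body = json.dumps({"from": sender, "seq": seq, "payload": payload},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side: verify the tag before trusting anything in the body."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}  # highest sequence number accepted per sender

    def accept(self, msg):
        expected = hmac.new(self.key, msg["body"], hashlib.sha256).hexdigest()
        # compare_digest runs in constant time, so timing does not leak the tag
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "tag mismatch: altered in transit or not from the key holder"
        fields = json.loads(msg["body"])
        if fields["seq"] <= self.last_seq.get(fields["from"], -1):
            return False, "stale sequence number: replayed message"
        self.last_seq[fields["from"]] = fields["seq"]
        return True, fields["payload"]


def run_exchange():
    """Three deliveries: the genuine message, an altered copy, and a replay."""
    key = b"constructed-shared-key-for-demo"  # placeholder, not a real key
    bob = Receiver(key)
    original = sign_message(key, "alice", 1, "pay 100 to account 42")
    results = {"genuine": bob.accept(original)}

    # A relay rewrites the payload but cannot recompute the tag without the key.
    altered = dict(original)
    altered["body"] = json.dumps({"from": "alice", "seq": 1,
                                  "payload": "pay 100 to account 99"},
                                 sort_keys=True).encode()
    results["tampered"] = bob.accept(altered)

    # Re-sending the untouched original is caught by the sequence number.
    results["replayed"] = bob.accept(original)
    return results


if __name__ == "__main__":
    for name, outcome in run_exchange().items():
        print(f"{name}: {outcome}")
```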
Session hijacking attack: this attack exploits a valid computer session in order
to gain unauthorized access to information on a computer system. The attack is often
referred to as cookie hijacking because, during it, the attacker uses a stolen session cookie
to authenticate to the remote server by impersonating the legitimate user.
Cross-site scripting attack (XSS attack): the attacker exploits XSS vulnerabilities found in
web server applications in order to inject a client-side script into the web page that can either
redirect the user to a malicious website of the attacker or allow the attacker to steal the user's session
cookie.
SQL injection attack: the attacker uses existing vulnerabilities in the applications to inject
code or a string for execution that exceeds the allowed and expected input to the SQL database.
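XSS and SQL injection share one root cause: untrusted input is spliced into text that an interpreter (the browser or the database engine) then parses as code. The following added example, not from the handbook, places the vulnerable form beside the safe form for each, using Python's sqlite3 and html modules on a constructed in-memory table; the user names, the probe string and the function names are all constructed for the demonstration.

```python
# Added example, not from the handbook: the same lookup and the same page
# fragment written first unsafely, then with the input kept as data.
import html
import sqlite3


def constructed_db():
    """In-memory user table with constructed rows (no real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("gaurav", "gaurav@company.example"),
                      ("priya", "priya@company.example")])
    return conn


def lookup_vulnerable(conn, name):
    """String formatting splices the input into the SQL text, so the input
    can change the structure of the query, not just its value."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn, name):
    """Parameter binding passes the input separately; the query structure is fixed."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def render_vulnerable(name):
    """Reflects the input into HTML unchanged, so the browser interprets any markup in it."""
    return f"<p>Hello {name}</p>"


def render_safe(name):
    """Escapes the HTML metacharacters (& < > " ') so the input is displayed, not parsed."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def injection_demo():
    """Run one classic probe string through both lookups and both renderers."""
    conn = constructed_db()
    probe = "' OR '1'='1"           # closes the quote and appends an always-true clause
    return {
        "safe": lookup_safe(conn, probe),            # no user has this literal name
        "vulnerable": lookup_vulnerable(conn, probe),  # the WHERE clause matches every row
        "escaped": render_safe("<b>x</b>"),
        "reflected": render_vulnerable("<b>x</b>"),
    }


if __name__ == "__main__":
    for key, value in injection_demo().items():
        print(f"{key}: {value}")
```

The safe lookup returns nothing for the probe because the whole string is compared as a name; the vulnerable one returns every row. Escaping on output is the equivalent for HTML, and it must be applied in the context where the value lands (element text here; attribute and JavaScript contexts need their own encoders).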
Bluetooth related attacks
Bluesnarfing: this kind of attack allows the malicious user to gain unauthorized access to
information on a device through its Bluetooth connection. Any device with Bluetooth
turned on and set to the "discoverable" state may be prone to a bluesnarfing attack.
Bluejacking: this kind of attack allows the malicious user to send unsolicited (often spam)
messages to Bluetooth enabled devices.
A few recent cyberattacks (or network attacks) that shook some big businesses around the
globe:
March 2015
Anthem
February 2015
The company added that hackers were able to breach a database that
contained as many as 80 million records of current and former customers,
as well as employees. The information accessed included names, Social
Security numbers, birthdays, addresses, email and employment information,
including income data.
Sony Pictures
November 2014
A huge attack that essentially wiped clean several internal data centers and
led to cancellation of the theatrical release of "The Interview," a comedy
about the fictional assassination of the North Korean leader Kim Jong-un.
Contracts, salary lists, film budgets, entire films and Social Security numbers
were stolen, including -- to the dismay of top executives -- leaked emails
that included criticisms of Angelina Jolie and disparaging remarks about
President Obama.
Staples
October 2014
identified. This is important because standard IDs allow security administrators to quickly access
technical information about a specific threat across multiple CVE-compatible information sources.
CVE is sponsored by US-CERT, the DHS Office of Cybersecurity and Information Assurance (OCSIA).
MITRE, a not-for-profit organization that operates research and development centres sponsored by
the U.S. federal government, maintains the CVE catalogue and public website. It also manages the CVE
Compatibility Program, which promotes the use of standard CVE identifiers by authorized CVE
Numbering Authorities (CNAs).
Summary
Information security analysts protect information stored on computer networks, applications,
etc., using special software that allows them to keep track of who can access and who
has accessed data.
There are three categories of Information technology and information security:
o confidentiality
o integrity
o availability
Key concerns in information asset security are theft, fraud/ forgery, unauthorized information
access, and interception or modification of data and data management systems.
Vulnerability is a weakness in an information system, system security procedures, internal
controls or implementation that could be exploited or triggered by a threat source.
Microsoft has proposed a threat classification called STRIDE from the initials of threat
categories.
Types of attacks: virus, worms, Trojans and others.
Network attack is usually defined as an intrusion on the network infrastructure that will first
analyse the environment and collect information in order to exploit the existing open ports or
vulnerabilities. This may include unauthorized access to organisation resources.
The recommendations to protect against Phishing and Spear Phishing include:
o Never open or download a file from an unsolicited email, even from someone you
know.
o Keep your operating system updated.
o Use a reputable anti-virus program.
o Enable two factor authentication whenever available.
o Confirm the authenticity of a website prior to entering login credentials.
o Look for HTTPS in the address bar when you enter any sensitive personal information
on a website.
Practical activities:
Activity 1:
List various types of attacks, and get examples of each type of virus, trojan, worm and
other malware from the internet. Compare the list with your fellow students.
Activity 2:
Find out and study cases of attacks over the years and impact of those attacks on the
organisations where these occurred. Share details of 2-3 most interesting ones in the
class.
Activity 3:
Access the CVE website and list all the types of information that can be obtained from it. Present the same in
class and elaborate upon the various ways in which that information can be used.
3. State the reason why a Cavity virus is difficult to detect unlike traditional viruses?
UNIT II
Fundamentals of Information Security
Lesson Plan
2.1 Elements of information security
2.2 Principles and concepts data security
2.3 Types of controls
Performance Outcomes:
To be competent, you must be able to:
PC3. carry out security assessment of information security systems using automated tools
PC8. provide inputs to root cause analysis and the resolution of information security issues, where required
You need to know and understand:
KA5. how to analyse root causes of information security issues
KA6. how to carry out information security assessments
KB4. how to identify and resolve information security vulnerabilities and issues
Ensuring Measures:
QA session and a descriptive write-up on understanding. Peer group, faculty group and industry experts.
KA6, KA7, KA8: peer review with faculty with appropriate feedback.
KB1, KB4: going through the security standards over the internet by visiting sites like ISO, PCI DSS etc., and understanding various methodologies and usage of algorithms.
Work Environment/ Lab Requirement:
PCs/ tablets/ laptops
Availability of labs (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Networking equipment (routers & switches)
Firewalls and access points
Access to all security sites like ISO, PCI DSS etc.
Commercial tools like HP WebInspect and IBM AppScan etc.
Open source tools like sqlmap, Nessus etc.
Lesson
Network Security
Network security refers to any activity designed to protect your network. Specifically, these activities
protect the usability, reliability, integrity and safety of your network and data. Effective network
security targets a variety of threats and stops them from entering or spreading on your network.
No single solution protects you from a variety of threats. You need multiple layers of security. If one
fails, others still stand. Network security is accomplished through hardware and software. The
software must be constantly updated and managed to protect you from emerging threats.
Wireless networks, which by their nature give access to the radio medium, are more vulnerable than
wired networks and need to encrypt communications to deal with sniffing and to continuously check
the identity of the mobile nodes. The mobility factor adds further challenges to security, namely
monitoring and maintaining secure traffic transport for mobile nodes. This concerns both
homogeneous and heterogeneous (inter-technology) mobility; the latter requires homogenization of the
security level across all networks visited by the mobile node.
and ensure the confidentiality of its data. In an ad hoc or sensor network, it becomes essential to
f router and terminal.
The difficulty of designing security solutions that address these challenges is not only to ensure
robustness against potential attacks or to ensure that security does not slow down communications, but
also to optimize the use of resources in terms of bandwidth, memory, battery, etc. More importantly,
in this open context the wireless network has to ensure anonymity and privacy while allowing
traceability for legal reasons. Indeed, traceability is increasingly necessary for the fight
against criminal organizations and terrorists, but also to minimize the plundering of copyright. The network
therefore faces a dilemma: supporting the free exchange of information while
controlling the content of the communication to avoid harmful content. Actually, this concerns both
wired and wireless networks. All these factors influence the selection and implementation of security
tools, which are guided by a prior risk assessment and security policy.
Finally, trust models are increasingly considered in the design of secured systems; they should
offer a higher level of trust than classical security mechanisms, and it seems that future networks should
implement both models: security and trust models.
In fact, if communication nodes are capable of building and maintaining a predefined trust level in
the network, then the communication system will be trustable all the time, thus allowing a trusted
and secure service deployment. However, such trust models are very difficult to design, and the trust
level presently remains a rather biased concept, very similar to the human-based trust model. Note
that succeeding in building such trust models will allow infrastructure-based networks, but especially
infrastructure-less or self-organized networks such as ad hoc sensor networks, to be trusted enough to deploy
several applications. This will also have an impact on current business models, where the economic
model would have to change in order to include new players in the telecommunication value chain,
such as users offering their machines to build an infrastructure-less network. For example, in the
context of ad hoc networks, we could imagine that ad hoc users become distributors of content or
provide any other networked services, being a sort of service provider. In this case, an appropriate
charging and billing system needs to be designed.
A network security system usually consists of many components. Ideally, all components work
together, which minimizes maintenance and improves security.
Communication security
Application Security
Application security (AppSec) is the use of software, hardware and procedural methods to protect
applications from external threats. AppSec is the operational solution to the problem of software risk.
AppSec helps identify, fix and prevent security vulnerabilities in any kind of software application
irrespective of the function, language or platform.
As a best practice, AppSec employs proactive and preventative methods to manage software
risk,
three distinct elements:
A software vulnerability can be defined as a programmatic function that processes critical data
in an inse
cybercriminal as an entry point to steal sensitive, protected or confidential data.
The severity and frequency of cyber-attacks is increasing, which is making the practice of AppSec
important. AppSec as a discipline is also becoming more complex as the variety of business software
continues to proliferate. Here are some of the reasons why (and see if these sound familiar):
Software developers have an endless choice of programming languages to choose from: Java, .NET,
C++, PHP and more.
Applications can be deployed across myriad platforms: installed to operate locally, over virtual
servers and networks, accessed as a service in the cloud or run on mobile devices.
AppSec products must provide capabilities for managing security risk across all of these options, as
each of these development and deployment options can introduce security vulnerabilities. An
effective software security strategy addresses both immediate and systemic risk.
The Application Security market has reached sufficient maturity to allow organizations of all sizes to
follow a well-established roadmap:
Begin with software security testing to find and assess potential vulnerabilities:
Testing and remediation form the baseline response to insecure applications, but the critical element
of a successful AppSec effort is ongoing developer training. Security-conscious development teams
write bulletproof code and avoid common errors. For example, data input validation: the process of
ensuring that a program operates with clean, correct and useful data. Neglecting this important step,
When undertaken correctly, Application Security is an orderly process of reducing the risks associated
with developing and running business critical software. Properly managed, a good application security
program will move your organization from a state of unmanaged risk and reactive security to effective,
proactive risk mitigation.
Communications Security
Communications Security (COMSEC) ensures the security of telecommunications: confidentiality and
integrity, the two information assurance (IA) pillars. Generally, COMSEC may refer to the security of
any information that is transmitted, transferred or communicated.
Emission Security (EMSEC): This prevents the release or capture of emanations from
equipment, such as cryptographic equipment, thereby preventing unauthorized
interception.
Physical Security: This ensures the safety of, and prevents unauthorized access to,
cryptographic information, documents and equipment.
[Figure: the three security attributes: Confidentiality, Integrity, Availability]
Information States
Information has three basic states: at any given moment, information is being transmitted, stored or
processed. The three states exist irrespective of the media in which information resides.
[Figure: Information states: Transmission, Processing, Storage]
Information systems security concerns itself with the maintenance of three critical characteristics of
information: confidentiality, integrity and availability. These attributes of information represent the
full spectrum of security concerns in an automated environment. They are applicable for any
organization irrespective of its philosophical outlook on sharing information.
refer to the familiar notation of email addresses. While many email accounts named Gaurav
may exist around the world, the email address Gaurav@company.com unambiguously refers
to exactly one such user in the company.com locality. Provided that the company in question
is a small one and that only one employee is named Gaurav, his colleagues may refer to
that particular person by using only his first name. That works because they are in the
same locality and only one Gaurav works there. However, if Gaurav were someone on the
other side of the world, or even across town, referring to Gaurav@company.com as simply
Gaurav would make no sense, because the user name Gaurav is not globally unique and refers
to different persons in different localities. This is one of the reasons why two user accounts
should never use the same name on the same system: not only would you be unable to
enforce access controls based on non-unique and ambiguous user names, but you would also be
unable to establish accountability for user actions.
Authentication happens right after identification and before authorization. It verifies the
authenticity of the identity declared at the identification stage. In other words, it is at the
authentication stage that you prove you are indeed the person or the system you claim to
be. The three methods of authentication are what you know, what you have and what you
are. Regardless of the particular authentication method used, the aim is to obtain
reasonable assurance that the identity declared at the identification stage belongs to the
party in communication. It is important to note that reasonable assurance may mean
different degrees of assurance, depending on the particular environment and application,
and therefore may require different approaches to authentication. Authentication
requirements of a national security critical system naturally differ from authentication
The following types of non-repudiation services are defined in international standard ISO
14516:2002 (guidelines for the use and management of trusted third party services).
o Approval: non-repudiation of approval provides proof of who is responsible for approval
of the contents of a message.
o Transport: non-repudiation of transport provides proof for the message originator that
a delivery agent has delivered the message to the intended recipient.
o Receipt: non-repudiation of receipt provides proof that the recipient received the
message.
Central to information security is the concept of controls, which may be categorized by their
functionality (preventive, detective, corrective, deterrent, recovery and compensating) and plane of
application (physical, administrative or technical).
By functionality:
Preventive controls
Preventive controls are the first controls met by an adversary. These try to prevent security
violations and enforce access control. Like other controls, these may be physical, administrative
or technical. Doors, security procedures and authentication requirements are examples of
physical, administrative and technical preventive controls respectively.
Detective controls
Detective controls are in place to detect security violations and alert the defenders. They come
into play when preventive controls have failed or have been circumvented, and are no less crucial
than preventive controls. Detective controls include cryptographic checksums, file integrity
checkers, audit trails and logs and similar mechanisms.
Corrective controls
Corrective controls try to correct the situation after a security violation has occurred. Although a
violation has occurred, the data remains secure, so it makes sense to try and fix the situation.
Corrective controls vary widely, depending on the area being targeted, and they may be technical
or administrative in nature.
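A file integrity checker of the kind listed among the detective controls works by hashing files into a baseline and later comparing the current hashes against it. The following is an added example, not the handbook's code; it populates a temporary directory itself, so the file names and contents are constructed, and the function names are assumptions.

```python
# Added example, not from the handbook: a minimal file integrity checker that
# records SHA-256 hashes as a baseline and reports what changed since.
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file (relative to root) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = sha256_of(path)
    return baseline


def compare_to_baseline(root, baseline):
    """Classify every difference between the stored baseline and the tree now."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def integrity_demo():
    """Baseline three constructed files, then change one, delete one and add one."""
    with tempfile.TemporaryDirectory() as root:
        for name, content in {"a.conf": b"port=22\n", "b.conf": b"x=1\n", "c.conf": b"y=2\n"}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        baseline = build_baseline(root)

        with open(os.path.join(root, "a.conf"), "wb") as f:
            f.write(b"port=2222\n")            # modification
        os.remove(os.path.join(root, "b.conf"))  # removal
        with open(os.path.join(root, "d.conf"), "wb") as f:
            f.write(b"new\n")                  # addition
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(integrity_demo())
```

The control is only as good as the baseline's protection: store it off the monitored host or sign it, otherwise whoever can alter the files can also refresh the baseline, and the detective control reports nothing.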
Deterrent controls
Deterrent controls are intended to discourage potential attackers. Examples of deterrent controls
include notices of monitoring and logging as well as the visible practice of sound information
security management.
Recovery controls
Recovery controls are somewhat like corrective controls, but they are applied in more serious
situations to recover from security violations and restore information and information processing
resources. Recovery controls may include disaster recovery and business continuity mechanisms,
backup systems and data, emergency key management arrangements and similar controls.
Compensating controls
Compensating controls are intended to be alternative arrangements for other controls when the
original controls have failed or cannot be used. When a second set of controls addresses the same
threats that are addressed by another set of controls, it acts as a compensating control.
By plane of application:
Physical controls include doors, secure facilities, fire extinguishers, flood protection and air
conditioning.
Administrative controls
facilitate information security.
Technical controls are the various technical measures, such as firewalls, authentication systems,
intrusion detection systems and file encryption among others.
The Discretionary Access Control model is the most widely used of the three models.
In the DAC model, the owner (creator) of information (file or directory) has the discretion to decide
about and set access control restrictions on the object in question, which may, for example, be a file
or a directory. The advantage of DAC is its flexibility. Users may decide who can access information
and what they can do with it (read, write, delete, rename, execute and so on). At the same time, this
flexibility is also a disadvantage of DAC because users may make wrong decisions regarding access
control restrictions or maliciously set insecure or inappropriate permissions. Nevertheless, the DAC
model remains the model of choice for the absolute majority of operating systems today, including
Solaris.
Mandatory access control, as its name suggests, takes a stricter approach to access control. In systems
utilizing MAC, users have little or no discretion as to what access permissions they can set on their
information. Instead, mandatory access controls specified in a system-wide security policy are
enforced by the operating system and applied to all operations on that system. MAC based systems
use data classification levels (such as public, confidential, secret and top secret) and security clearance
labels corresponding to data classification levels to decide, in accordance with the security policy set
by the system administrator, what access control restrictions to enforce. Additionally, per group and/
or per domain access control restrictions may be imposed, i.e. in addition to having the required
security clearance level, subjects (users or applications) must also belong to the appropriate group or
domain. For example, a file with a confidential label belonging only to the research group may not be
accessed by a user from the marketing group, even if that user has a security clearance level higher
than confidential (for example, secret or top secret). This concept is known as compartmentalization
or need to know.
Although MAC based systems, when used appropriately, are thought to be more secure than DAC
based systems, they are also much more difficult to use and administer because of the additional
restrictions and limitations imposed by the operating system. MAC based systems are typically used
in government, military and financial environments where higher than usual security is required and
where the added complexity and costs are tolerated. MAC is implemented in Trusted Solaris, a version
of the Solaris operating environment intended for high security environments.
In the role based access control model, rights and permissions are assigned to roles instead of
individual users. This added layer of abstraction permits easier and more flexible administration and
enforcement of access controls. For example, access to marketing files may be restricted only to the
marketing manager role, and users Ann, David, and Joe may be assigned the role of marketing
manager. Later, when David moves from the marketing department elsewhere, it is enough to revoke
his role of marketing manager, and no other changes would be necessary. When you apply this
approach to an organization with thousands of employees and hundreds of roles, you can see the
added security and convenience of using RBAC. Solaris has supported RBAC since release 8.
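The MAC decision described above has two parts (the clearance must dominate the label, and the subject must hold the object's compartment), and the RBAC example revokes a role rather than editing per-user permissions. The following is an added example, not from the handbook or from Solaris; the level names come from the text, while the group, user and file names and the class and function names are constructed for the demonstration.

```python
# Added example, not from the handbook: a MAC read check with compartments, and
# a small RBAC store showing why revoking a role is a one-line change.
from collections import defaultdict

# Classification levels from lowest to highest, as named in the text.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_read_allowed(clearance, subject_groups, label, object_groups):
    """MAC decision: the clearance must dominate the label AND the subject must be
    in every group (compartment) the object is restricted to (need to know)."""
    if LEVELS[clearance] < LEVELS[label]:
        return False
    return set(object_groups) <= set(subject_groups)


class Rbac:
    """Permissions attach to roles; users only ever gain or lose roles."""

    def __init__(self):
        self.role_permissions = defaultdict(set)  # role -> {(object, action)}
        self.user_roles = defaultdict(set)        # user -> {role}

    def grant(self, role, obj, action):
        self.role_permissions[role].add((obj, action))

    def assign(self, user, role):
        self.user_roles[user].add(role)

    def revoke(self, user, role):
        self.user_roles[user].discard(role)

    def allowed(self, user, obj, action):
        return any((obj, action) in self.role_permissions[r] for r in self.user_roles[user])


def rbac_demo():
    """The text's scenario: Ann, David and Joe hold the role; David then leaves marketing."""
    rbac = Rbac()
    rbac.grant("marketing manager", "marketing files", "read")
    for user in ("Ann", "David", "Joe"):
        rbac.assign(user, "marketing manager")
    before = rbac.allowed("David", "marketing files", "read")
    rbac.revoke("David", "marketing manager")  # the only change needed when David moves
    after = rbac.allowed("David", "marketing files", "read")
    return {"david_before": before, "david_after": after,
            "ann": rbac.allowed("Ann", "marketing files", "read")}


if __name__ == "__main__":
    # The text's MAC case: secret clearance in marketing, confidential file owned by research.
    print("marketing user reads research file:",
          mac_read_allowed("secret", {"marketing"}, "confidential", {"research"}))
    print(rbac_demo())
```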
best-in-class solutions deliver comprehensive discovery and support the entire security vulnerability
management lifecycle.
A vulnerability can occur anywhere in the IT environment, and can be the result of many different root
causes. Security vulnerability management solutions gather comprehensive endpoint and network
intelligence, and apply advanced analytics to identify and prioritize the vulnerabilities that pose the
most risk to critical systems. The result is actionable data that enables IT security teams to focus on
the tasks that will most quickly and effectively reduce overall network risk with the fewest possible
resources.
Vulnerability assessment and management is an essential piece for managing overall IT risk
because:
Persistent threats
Attacks exploiting security vulnerabilities for financial gain and criminal agendas continue to
dominate headlines.
Regulation
Risk management
Mature organizations treat it as a key risk management component. Organizations that follow
mature IT security principles understand the importance of risk management.
Properly planned and implemented threat and vulnerability management programs represent a key
threat mitigation that is proactive and business aligned, not just reactive and technology focused.
Vulnerability Assessment
This includes assessing the environment for known vulnerabilities and assessing IT components against
the security configuration policies (by device role) that have been defined for the environment. This
is accomplished through scheduled vulnerability and configuration assessments of the environment.
Network based vulnerability assessment (VA) has been the primary method employed to baseline
networks, servers and hosts. The primary strength of VA is breadth of coverage. Thorough and
accurate vulnerability assessments can be accomplished for managed systems via credentialed access.
Unmanaged systems can be discovered and a basic assessment can be completed. The ability to
evaluate databases and web applications for security weaknesses is crucial, considering the rise of
attacks that target these components.
Database scanners check database configuration and properties to verify whether they comply with
database security best practices.
application. Additional tools can be leveraged to perform more in-depth testing and analysis.
All three scanning technologies (network, application and database) assess a different class of security
weaknesses, and most organizations need to implement all three.
Risk assessment
Larger issues should be expressed in the language of risk (e.g. ISO 27005), specifically expressing
impact in terms of business impact. The business case for any remedial action should incorporate
considerations relating to the reduction of risk and compliance with policy. This forms the basis
of the action to be agreed between the relevant line of business and the security team.
Risk analysis
the risk by applying remedial action, which could be anything from a configuration change to
implementing a new infrastructure (e.g. data loss prevention, firewalls, host intrusion prevention
software).
Elimination of the root cause of security weaknesses may require changes to user administration and
system provisioning processes. Many processes and often several teams may come into play (e.g.
configuration management, change management, patch management etc.). Monitoring and incident
management processes are also required to maintain the environment.
Vulnerability enumeration
Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e. CVE Identifiers)
share data across separate network security databases and tools, and provide a baseline for
incorporates CVE identifiers, you may then quickly and accurately access fix information in one or
more separate CVE compatible databases to remediate the problem.
The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating
the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable,
accurate measurement while enabling users to see the underlying vulnerability characteristics that
were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for
industries, organizations and governments that need accurate and consistent vulnerability impact
scores.
The Common Weakness Enumeration Specification (CWE) provides a common language of discourse
for discussing, finding and dealing with the causes of software security vulnerabilities as they are
found in code, design or system architecture. Each individual CWE represents a single vulnerability
type. CWEs are used as a classification mechanism that differentiates CVEs by the type of vulnerability
they represent. For more details see: Common Weakness Enumeration.
Remediation Planning
Prioritization
Vulnerability and security configuration assessments typically generate very long remediation work
lists, and this remediation work needs to be prioritized. When organizations initially implement
vulnerability assessment and security configuration baselines, they typically discover that a large
number of systems contain multiple vulnerabilities and security configuration errors. There is typically
more mitigation work to do than the resources available to accomplish it. Therefore, prioritization is
important.
It is important to analyse security and vulnerability assessments in order to determine the root cause.
In many cases, the root cause of a set of vulnerabilities lies within the provisioning, administration and
maintenance processes of IT operations or within their development or the procurement processes of
applications. Elimination of the root cause of security weaknesses may require changes to user
administration and system provisioning processes.
A root cause analysis (RCA) is an analysis of a failure to determine the first (or root) failure that caused the ultimate
condition in which the system finds itself. For example, in an application crash one should be asking:
why did it crash this way?
Example: consider an application that had its database pilfered by hackers. The ultimate failure the
analyst may be investigating is the exfiltration of consumer private data, but SQL injection isn't what
caused the failure. Why did the SQL injection happen? Was the root of the problem that the developer
responsible simply didn't follow the corporate policy for building SQL queries? Or was the issue a
failure to implement something like the OWASP ESAPI (the OWASP Enterprise Security API is
a free, open source web application security control library that makes it easier for programmers to
write lower-risk applications) in the appropriate manner? Or maybe the cause was a vulnerable open-
source piece of code that was incorporated into the corporate application without passing it through
the full source code lifecycle process?
Your job when you're performing an RCA is to figure this out. Root cause analysis is critical in
the software security world. A number of automated solutions are also available for various types of
RCA, for example HP's web application security testing technology, which can link XSS issues to a single
line of code in the application input handler.
Decision trees and algorithms may be used as tools for further detailed analysis. To learn more about
this, visit: https://www.sans.org/reading-room/whitepapers/detection/decision-tree-analysis-intrusion-detection-how-to-guide-33678
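The prioritisation, root cause analysis and decision-tree passages above describe one workflow: rank a long remediation list, then look past individual findings for the process that produced them. The following added example (written for this section, not code from the handbook or any scanner vendor) takes a constructed list of scanner findings, validates the CVE identifier format, weights each finding's CVSS score by asset criticality and exposure, assigns a remediation deadline through a small decision tree, and groups findings by CWE so that a weakness type recurring across several assets stands out as a candidate process-level root cause. Asset names, CVE and CWE identifiers, scores and the SLA thresholds are constructed for illustration and are not values from the handbook.

```python
"""Remediation prioritisation from scan findings (added example, not from the handbook).

Ranks constructed vulnerability-scanner findings by a risk score (CVSS base
score weighted by asset criticality and exposure), assigns a remediation
deadline via a small decision tree, and clusters findings by CWE to surface
a process-level root cause. All identifiers and values are constructed samples.
"""
import re
from collections import Counter
from dataclasses import dataclass

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cwe: str            # weakness type, e.g. "CWE-89"
    cvss: float         # CVSS base score as reported by the scanner
    criticality: int    # asset criticality 1 (low) .. 3 (high), from the asset inventory
    internet_facing: bool
    exploit_public: bool


# Constructed sample findings (not real scan output; CVE-2099-* are placeholders).
FINDINGS = [
    Finding("web-01", "CVE-2099-0001", "CWE-89", 9.8, 3, True, True),
    Finding("web-02", "CVE-2099-0002", "CWE-89", 8.8, 3, True, False),
    Finding("intranet-03", "CVE-2099-0003", "CWE-79", 6.1, 1, False, False),
    Finding("db-01", "CVE-2099-0004", "CWE-89", 7.5, 3, False, False),
    Finding("build-07", "CVE-2099-0005", "CWE-1104", 5.3, 2, False, True),
]


def risk_score(f: Finding) -> float:
    """CVSS weighted by asset criticality (1..3), then by exposure modifiers (constructed weights)."""
    if not CVE_RE.match(f.cve):
        raise ValueError(f"malformed CVE identifier: {f.cve}")
    score = f.cvss * f.criticality
    if f.internet_facing:
        score *= 1.5
    if f.exploit_public:
        score *= 1.5
    return round(score, 2)


def remediation_sla_days(f: Finding) -> int:
    """Decision tree: branch on severity band first, then exposure, then exploit availability."""
    if f.cvss >= 9.0:
        return 7 if f.internet_facing else 14
    if f.cvss >= 7.0:
        return 14 if (f.internet_facing or f.exploit_public) else 30
    if f.cvss >= 4.0:
        return 30 if f.exploit_public else 60
    return 90


def prioritised(findings):
    """Return (risk_score, sla_days, finding) tuples, highest risk first; ties broken by asset name."""
    rows = [(risk_score(f), remediation_sla_days(f), f) for f in findings]
    rows.sort(key=lambda r: (-r[0], r[2].asset))
    return rows


def root_cause_clusters(findings, min_count: int = 2) -> dict:
    """Count findings per CWE; a CWE recurring across assets points at a process, not one host."""
    counts = Counter(f.cwe for f in findings)
    return {cwe: n for cwe, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for score, sla, f in prioritised(FINDINGS):
        print(f"{score:7.2f}  {sla:3d}d  {f.asset:12s} {f.cve} ({f.cwe})")
    print("recurring weakness types:", root_cause_clusters(FINDINGS))
```

In the sample data three separate assets carry CWE-89 findings; fixing each host individually clears the work list, while the cluster view is what prompts the "why did the SQL injection happen?" question the RCA passage asks, pointing at query-building practice or the code review process rather than at any single server.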
Summary
Elements of information security include network security, application security and
communication security.
Types of communication security are Cryptosecurity, Emission Security (EMSEC), Physical Security,
Traffic-Flow Security and Transmission Security (TRANSEC).
Critical information characteristics are Confidentiality, Integrity and Availability.
Information states include transmission, storage and processing.
Basic information security concepts:
o Identification
o Authentication
o Authorization
o Confidentiality
o Integrity
o Availability
o Non-repudiation
Types of control for information security can be classified into:
o Preventive
o Detective
o Corrective
o Deterrent
o Recovery
o Compensating
Three main access control models exist:
o Discretionary Access Control model
o Mandatory Access Control model
o Role Based Access Control model
A Root Cause Analysis is an analysis of a failure to determine the first (or root) failure that caused
the ultimate condition in which the system finds itself.
Practical activities:
Activity 1:
Investigate the various types of threats to network security, application security
and communication security and prepare a white paper on them. Also list the
various countermeasures or security devices that may be used to address them.
Present it in class.
Activity 2:
Activity 3:
Collect information about the various categories of controls and state which
controls fall within each category. Discuss in groups the benefits and limitations of
examples of each type of control within a category.
Activity 4:
Collect information about various elements of a decision tree and an algorithm. Create
algorithms and decision trees for various situations in case of planning for security of
information assets.
__________________________________________________________________________________
Authentication
__________________________________________________________________________________
Authorization
__________________________________________________________________________________
Confidentiality
__________________________________________________________________________________
Integrity
__________________________________________________________________________________
Availability
__________________________________________________________________________________
Non-repudiation
__________________________________________________________________________________
NOTES:
__________________________________________________________________________________