1. Control system development and modifications
2. Provide security training
3. Control transaction processing
4. Prepare for disaster
5. Maintain physical security
6. Motivate efficient and effective operation
7. Control access to data, computer and network
8. Audit the system
Prepared by: R. Sivakumar, Assistant Professor, Department of Management Studies, V.S.B. Engineering College, Karur
Tools of security management
1. Encryption
2. Firewalls
3. Denial of service defenses
4. E-mail monitoring
5. Virus defenses / antivirus
Other tools
1. Security code
2. Backup file
3. Security monitors
4. Biometric security
5. Computer failure controls
6. Fault tolerant systems
7. Disaster recovery
Encryption
The most widely used encryption method uses a pair of public and private keys
unique to each individual. For example, an e-mail could be scrambled and encoded using the
recipient’s unique public key, which is known to the sender. After the e-mail is transmitted,
only the recipient’s secret private key could unscramble the message.
Firewalls
A firewall serves as a “gatekeeper” system that protects a company’s intranets and
other computer networks from the internet and other outside networks. It screens all network
traffic for proper passwords or other security codes, and only allows authorized transmissions
in and out of the network.
Denial of service assaults via the internet depend on three layers of networked
computer systems, and defensive measures are needed at each layer:
1. At the zombie machines: set and enforce security policies. Scan regularly for
‘Trojan horse’ programs and vulnerabilities. Close unused ports. Remind users
not to open .exe mail attachments.
2. At the ISP: monitor and block traffic spikes. Filter spoofed IP addresses.
Coordinate security with network providers.
3. At the victim’s website: create backup servers and network connections. Limit
connections to each server. Install multiple intrusion-detection systems and
multiple routers for incoming traffic to reduce choke points.
E-mail monitoring
The tide is turning toward systematic monitoring of corporate e-mail traffic using
content-monitoring software that scans for troublesome words that might compromise
corporate security.
Virus defenses
Many companies are building defenses against the spread of viruses by
centralizing the distribution and updating of antivirus software as a responsibility of their IS
department. Other companies are outsourcing the virus protection responsibility to their
internet service providers.
Other tools
1. Security code
A multilevel password system is used for security management. First, an end user logs
on to the computer system by entering his or her unique identification code, or user ID. The
end user is then asked to enter a password in order to gain access to the system. Passwords
should be changed frequently and consist of unusual combinations of upper and lower case
letters and numbers.
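As an added illustration of the multilevel log-on described above (example code written for these notes, not taken from the original): the user ID is looked up first, the password is then checked against a salted PBKDF2 hash rather than a stored plaintext, the upper/lower/digit rule is enforced whenever a password is set, and a password older than an assumed 90-day maximum is refused until it is changed. The user table, dates, minimum length and age limit are constructed sample values.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Assumed policy values for this example (the notes give no specific numbers).
MIN_LENGTH = 12
MAX_PASSWORD_AGE = timedelta(days=90)
PBKDF2_ITERATIONS = 100_000


def password_policy_violations(password: str) -> list:
    """Return the list of rules a proposed password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is stored, never the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Constant-time comparison so response timing does not leak how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def make_user(user_id: str, password: str, changed_on: date) -> dict:
    """Build one constructed user record; the policy is enforced at password-setting time."""
    if password_policy_violations(password):
        raise ValueError("password does not meet policy for user " + user_id)
    salt, digest = hash_password(password)
    return {"user_id": user_id, "salt": salt, "digest": digest, "changed_on": changed_on}


# Constructed sample table: one current password, one that has not been changed in time.
TODAY = date(2024, 1, 15)
SAMPLE_USERS = {
    u["user_id"]: u
    for u in (
        make_user("rsiva", "Karur-Mgmt-2024x", date(2024, 1, 2)),
        make_user("oldacct", "Summer-Holiday-23q", date(2023, 6, 1)),
    )
}


def login(user_id: str, password: str, users: dict = SAMPLE_USERS, today: date = TODAY) -> str:
    """Step 1: look up the user ID. Step 2: check the password. Then enforce password age."""
    user = users.get(user_id)
    # Same answer for an unknown ID and a wrong password, so the response does
    # not confirm which user IDs exist.
    if user is None or not verify_password(password, user["salt"], user["digest"]):
        return "denied"
    if today - user["changed_on"] > MAX_PASSWORD_AGE:
        return "password expired: change it before continuing"
    return "ok"


if __name__ == "__main__":
    print(password_policy_violations("password"))
    print(login("rsiva", "Karur-Mgmt-2024x"))
    print(login("oldacct", "Summer-Holiday-23q"))
    print(login("nobody", "whatever"))
```

The stored record never contains the password itself, so a copied user table does not directly yield log-on credentials; the iteration count makes guessing against the stored digests slow.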
2. Backup files
Backup files, which are duplicate files of data or programs, are another important security
measure. Files can also be protected by file retention measures that involve storing copies of
files from previous periods.
3. Security monitors
System security monitors are programs that monitor the use of computer systems and
networks and protect them from unauthorized use. Security monitors also control the use of
the hardware, software and data resources of a computer system.
Controls: All of the methods, policies, and procedures that ensure protection of the
organization’s assets, accuracy and reliability of its records, and operational adherence to
management standards.
General controls
Overall controls that establish a framework for controlling the design, security and
use of computer programs throughout an organization.
Types of general controls
Software controls
Hardware controls
Causes of vulnerability
1. Complexity: Large, complex systems increase the probability of flaws and unintended
access points.
2. Familiarity: Using common, well-known code, software, operating systems, and
hardware increases the probability that an attacker has or can find the knowledge and tools
to exploit a flaw.
3. Password management flaws: The computer user uses weak passwords that could be
discovered by brute force. The computer user stores the password on the computer
where a program can access it. Users re-use passwords between many programs and
websites.
4. Connectivity: More physical connections, privileges, ports, protocols, and services,
and more time during which each of those is accessible, increase vulnerability.
5. Fundamental operating system design flaws: The operating system designer
chooses to enforce suboptimal policies on user management. For example, operating
systems with a “default permit” policy grant every program and every user full
access to the entire computer.
6. Internet website browsing: Some internet websites may contain harmful spyware
that can be installed automatically on the computer system. After visiting those
websites, the computer system becomes infected and personal information will be
collected and passed on to third parties.
7. Software bugs: The programmer leaves an exploitable bug in a software program.
The software bug may allow an attacker to misuse an application.
8. Unchecked user input: The program assumes that all user input is safe. Programs
that do not check user input can allow unintended direct execution of commands.
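Items 7 and 8 above are easiest to see side by side. The following is an added example written for these notes (not code from the original): a small network utility that takes a host name and a packet count from the user. The "before" version pastes the input into a shell command line, so anything the shell treats as a command separator becomes a second command; the hardened version validates each field against an explicit syntax and passes an argument vector to `subprocess.run` without `shell=True`, so no shell ever parses the input. The hostname pattern and the count limit are assumptions of this example.

```python
import re
import subprocess

# Hostname syntax: dot-separated labels of letters, digits and internal hyphens
# (RFC 1123 style). A leading hyphen is rejected, which also stops a "host"
# from being read as a command-line option by the called program.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
MAX_COUNT = 10  # assumed upper bound for the packet-count parameter


def unsafe_shell_string(host: str, count: str) -> str:
    """The 'before' pattern: untrusted input concatenated into a shell command line.

    Returned as a string rather than executed. Because a shell would parse it,
    characters such as ';', '&&', '|' or backticks in `host` turn the single
    intended command into two.
    """
    return "ping -c " + count + " " + host


def safe_argv(host: str, count: str) -> list:
    """The hardened form: validate each field, then build an argument vector.

    The list form is handed straight to the operating system as argv, so a
    value like 'example.com; echo x' never reaches a shell; it is rejected
    here because it is not a valid hostname at all.
    """
    if not HOSTNAME_RE.match(host):
        raise ValueError("host is not a valid hostname: %r" % host)
    if not count.isdigit() or not 1 <= int(count) <= MAX_COUNT:
        raise ValueError("count must be an integer between 1 and %d" % MAX_COUNT)
    return ["ping", "-c", str(int(count)), host]


def run_ping(host: str, count: str) -> int:
    """Execute the validated command without a shell; returns the exit status."""
    return subprocess.run(safe_argv(host, count), check=False).returncode


if __name__ == "__main__":
    # Constructed inputs: one legitimate, one carrying a shell separator.
    print(unsafe_shell_string("example.com; echo injected", "1"))
    print(safe_argv("example.com", "3"))
    try:
        safe_argv("example.com; echo injected", "1")
    except ValueError as err:
        print("rejected:", err)
```

The check that matters is structural: with the argument-vector form the program's behaviour does not depend on which characters the user typed, only on whether the value matches the syntax the program expects.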
Identify vulnerabilities:
Antivirus 96%
Virtual private network 86%
Intrusion detection system 85%
Content filtering / monitoring 77%
Public key infrastructure 45%
Smart card 43%
Biometrics 19%
Security management:
Hacking:
Hackers can be outsiders or company employees who use the internet and other
networks to steal or damage data and programs. Hackers can monitor e-mail, web server
access, or file transfers to extract passwords, steal network files, or plant data that will
cause a system to welcome intruders. A hacker may also use remote services that allow one
computer on a network to execute programs on another computer to gain privileged access
within a network.
Cyber theft:
Many computer crimes involve the theft of money. In the majority of cases, they are
“inside jobs” that involve unauthorized network entry and fraudulent alteration of computer
The unauthorized use of computer systems and networks can be called time and
resource theft. A common example is unauthorized use of company-owned computer
networks by employees. This may range from doing private consulting or personal finance, or
playing video games, to unauthorized use of the internet or company networks. Network
monitoring software, called sniffers, is frequently used to monitor network traffic to
evaluate network capacity, as well as to reveal evidence of improper use.
Software piracy:
Computer programs are valuable property and thus are the subject of theft from
computer systems. However, unauthorized copying of software, or software piracy, is also a
major form of software theft. Widespread unauthorized copying of software by company
employees is a major form of software piracy. Unauthorized copying is illegal because
software is intellectual property that is protected by copyright law and user licensing
agreements.
Computer viruses and worms:
One of the most destructive examples of computer crime involves the creation of computer
viruses or worms. Virus is the most popular term but, technically, a virus is program code
that cannot work without being inserted into another program. A worm is a distinct program
that can run unaided.
Biometric security:
Computer failure controls:
A variety of controls can prevent computer failure or minimize its effects.
Computer systems fail for several reasons: power failure, electronic circuitry malfunctions,
telecommunications network problems, hidden programming errors, computer viruses,
computer operator errors and electronic vandalism.
Fault tolerant systems:
Fault tolerant systems may provide a fail-safe capability where the computer system continues to
operate at the same level even if there is a hardware or software failure. However, many fault
tolerant computer systems offer a fail-soft capability where the computer system can continue
to operate at a reduced but acceptable level in the event of a major system failure.
i. Firewalls
ii. IDS
iii. Antivirus software
iv. Physical security
v. Using managed security service provider
i. Firewalls:
ii. IDS: An IDS works like a burglar alarm in that it detects a violation of its configuration
and activates an alarm. This alarm can be audible or visual, or it can be silent.
Why use IDS
a) To prevent problem behaviors by increasing the perceived risk of discovery and
punishment for those who would attack or otherwise abuse the system
b) To detect attacks and other security violations that are not prevented by other
security measures
c) To detect and deal with the preambles to attacks (commonly experienced as
network probes and other doorknob rattling activities)
d) To document the existing threat to an organization
e) To act as quality control for security design and administration, especially of
large and complex enterprises.
f) To provide useful information about intrusions that do take place, allowing
improved diagnosis, recovery and correction of causative factors.
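Two of the measures in these notes, "monitor and block traffic spikes" and "filter spoofed IP addresses" at the ISP layer of the denial-of-service defenses, and point c) above, detecting network probes and other doorknob rattling, are all rules that an IDS applies to a stream of connection records. The following added example (written for these notes, not taken from the original or from any IDS product) runs three such rules over a constructed connection log: a sliding-window count flags a source that opens too many connections in a short time, a per-source set of destination ports flags a probe, and an ingress filter flags traffic arriving from outside that claims an inside address. The log format, the thresholds and the address plan are assumptions of the example; the addresses come from the documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format for this example:  <ISO timestamp> src=<ip> dst=<ip> dport=<port>
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# Assumed thresholds and address plan (constructed for the example).
SPIKE_LIMIT = 5        # more than this many connections from one source ...
SPIKE_WINDOW_S = 10    # ... within this many seconds is reported as a traffic spike
PROBE_PORT_LIMIT = 4   # more than this many distinct ports from one source is a probe
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample log as seen at the external interface.
SAMPLE_LOG = """
2024-01-15T10:00:00 src=192.0.2.44 dst=198.51.100.10 dport=443
2024-01-15T10:00:01 src=203.0.113.5 dst=198.51.100.10 dport=80
2024-01-15T10:00:02 src=203.0.113.5 dst=198.51.100.10 dport=80
2024-01-15T10:00:03 src=203.0.113.5 dst=198.51.100.10 dport=80
2024-01-15T10:00:04 src=203.0.113.5 dst=198.51.100.10 dport=80
2024-01-15T10:00:05 src=203.0.113.5 dst=198.51.100.10 dport=80
2024-01-15T10:00:06 src=203.0.113.5 dst=198.51.100.10 dport=80
2024-01-15T10:00:07 src=203.0.113.5 dst=198.51.100.10 dport=80
2024-01-15T10:00:30 src=10.0.0.9 dst=198.51.100.10 dport=53
2024-01-15T10:00:45 src=192.0.2.44 dst=198.51.100.10 dport=443
2024-01-15T10:01:00 src=198.51.100.77 dst=198.51.100.10 dport=21
2024-01-15T10:01:12 src=198.51.100.77 dst=198.51.100.10 dport=22
2024-01-15T10:01:24 src=198.51.100.77 dst=198.51.100.10 dport=23
2024-01-15T10:01:36 src=198.51.100.77 dst=198.51.100.10 dport=25
2024-01-15T10:01:48 src=198.51.100.77 dst=198.51.100.10 dport=80
2024-01-15T10:02:00 src=198.51.100.77 dst=198.51.100.10 dport=443
""".strip().splitlines()


def parse_line(line: str):
    """Parse one record; returns None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def is_spoofed_source(src: str) -> bool:
    """Ingress filter: a packet arriving from outside must not claim an inside address."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_PREFIXES)


def analyse(lines) -> dict:
    """Apply the three rules; returns the offending sources per alert type, sorted."""
    recent = defaultdict(deque)   # per source: timestamps inside the sliding window
    ports = defaultdict(set)      # per source: distinct destination ports touched
    alerts = {"spike": set(), "probe": set(), "spoofed": set()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["src"]
        if is_spoofed_source(src):
            alerts["spoofed"].add(src)
            continue  # such traffic would be dropped, so it does not feed the other rules
        window = recent[src]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > SPIKE_WINDOW_S:
            window.popleft()
        if len(window) > SPIKE_LIMIT:
            alerts["spike"].add(src)
        ports[src].add(rec["dport"])
        if len(ports[src]) > PROBE_PORT_LIMIT:
            alerts["probe"].add(src)
    return {kind: sorted(srcs) for kind, srcs in alerts.items()}


if __name__ == "__main__":
    for kind, srcs in analyse(SAMPLE_LOG).items():
        print(kind, srcs)
```

On the sample log the spike rule fires for 203.0.113.5 (seven connections in seven seconds), the probe rule for 198.51.100.77 (six distinct ports, spread out slowly enough that the spike rule stays silent), and the spoof rule for 10.0.0.9, while 192.0.2.44 triggers nothing. Which action follows an alert (audible, visual or silent, as the notes put it) is a policy decision layered on top of this detection logic.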
iii. Antivirus software: is designed to check computer systems and drives for the
presence of computer viruses; often the software can eliminate the virus from the
infected area.
INTERNET: The internet is a collection of interconnected networks, all freely exchanging
information. It transmits data from one computer to another. If the receiving computer is on
a network to which the first computer is directly connected, it can send the message directly.
Affiliation ID    Affiliation
.com              Business organization
.edu              Educational sites
.gov              Government sites
.net              Networking organizations
.org              Organisations
INTRANET: An intranet is an internal corporate network built using internet and world wide web
technology. Employees of an organization use it to gain access to corporate information.
Benefits:
1. People are already familiar with internet technology, so they need little or no training
to make effective use of their corporate network.
2. It reduces paperwork.
3. It is an inexpensive and powerful alternative to other forms of internal communications.
EXTRANET: Is a network that links selected resources of the intranet of a company with its
customers, suppliers, or other business partners. Again, an extranet is built around web
technologies.
Web browsers: A web browser creates a unique, hypermedia-based menu on your computer screen that
provides a graphical interface to the web. The menu consists of graphics, titles and text with
hypertext links. The hypermedia menu links you to internet resources, including text
documents, graphics, sound files and newsgroup servers.
Search engines and web research: Looking for information on the web is like browsing in a
library—without the alphabetic listing of books in the card catalog, it is difficult to find
information.
Encryption
Authentication
Message integrity
Digital signature
Digital certificate
Encryption
The coding and scrambling of message to prevent their being read or accessed without
authorization.
Authentication
The ability of each party in a transaction to ascertain the identity of the other party
Message integrity
The ability to ascertain that a transmitted message has not been copied or altered.
Digital signature
A digital code that can be attached to an electronically transmitted message to
uniquely identify its contents and the sender.
Digital certificate
An attachment to an electronic message to verify the identity of the sender and to
provide the receiver with means to encode a reply.
Software audit: A software audit is a regular investigation of the software installed on all
computers in an organization to ensure that it is authorized or licensed. Software audits
minimize the risk of prosecution for software theft, minimize the risk of viruses through
uncontrolled software copying and ensure technical support is available to all users.
Purposes of a software audit:
1. To identify critical security issues before they are exploited by malicious attackers.
2. To perform extensive, regular security audits on the installed software or systems, in
order to find the vulnerabilities of the software and minimize the corrections
needed after a product or an update goes live.
3. To locate the most problematic crashes of the application, and to train the team in
debugging so as to improve their future debugging capabilities.
4. To restore compromised networks to their previous security level.
5. To conduct software vulnerability assessments.
Roles in a software audit:
1. The initiator
2. The lead auditor
3. The recorder
4. The auditors
5. The audited organization
1. The initiator: who must be a manager in the audited organization, a customer or user
representative of the audited organization, or a third party. The initiator decides upon the need
for an audit, establishes its purpose and scope, specifies the evaluation criteria, identifies the
audit personnel, decides what follow-up actions will be required and distributes the audit
report.
2. The lead auditor: who must be someone free from bias and influence that could reduce
his or her ability to make independent, objective evaluations. The lead auditor is responsible for
administrative tasks such as preparing the audit plan and assembling and managing the audit
team, and for ensuring that the audit meets its objectives.
3. The recorder: documents anomalies, action items, decisions and recommendations made
by the audit team.
4. The auditors: who must be, like the lead auditor, free from bias. They examine products
defined in the audit plan, document their observations and recommend corrective actions.
5. The audited organization: provides a liaison to the auditors and provides all information
requested by the auditors. When the audit is completed, the audited organization should
implement corrective actions and recommendations.
An external auditor is a corporate outsider. This type of auditor reviews the findings of the
internal audit and the inputs, processing and outputs of information systems. The external
audit of information systems is frequently a part of the overall external auditing performed by
a certified public accounting firm.
BASIC CONCEPTS:
Responsibility:
Accepting the potential costs, duties and obligations for the decisions one makes.
Accountability:
The mechanisms for assessing responsibility for decisions made and actions taken.
Liability:
The existence of laws that permit individuals to recover the damages done to them by
other actors, systems, or organizations.
Due Process:
A process in which laws are well-known and understood and there is an ability to
appeal to higher authorities to ensure that laws are applied correctly.
Identify and describe clearly the facts: Find out who did what to whom, and where, when,
and how. In many instances we can sort out the errors at the initial stages of reported facts
and this helps in clearly defining the solution.
Define the conflict or dilemma and identify the higher order values involved: Ethical,
social, and political issues always reference higher values. The parties to a dispute all claim
to be pursuing higher values (e.g., freedom, privacy and protection of intellectual property).
For instance, the use of NORA technology to find out the hidden connections between people
or other entities.
Identify the Stakeholders: Every ethical, social, and political issue has stakeholders: players
in the game who have an interest in the outcome, who have invested in the situation, and
usually who have vocal opinions. Finding the identity of these groups will better help in
designing a solution.
Identify the options that you can reasonably take: You may find that none of the options
satisfy all the parties involved but some options do a better job than others.
Identify the potential consequences of your options: Some options may be ethically
correct but disastrous from other points of view. Other options may work in some instances
but not in others.
PROPERTY RIGHTS:
Intellectual Property
Intangible property created by individuals or corporations that is subject to protections
under trade secret, copyright, and patent law.
Trade Secrets
Any intellectual property work or product used for a business purpose that can be
classified as belonging to that business, provided it is not based on information in the public
domain.
Copyright
A statutory grant that protects creators of intellectual property against copying by others
for any purpose for a minimum of 70 years.
Patent
A legal document that grants the owner an exclusive monopoly on the ideas behind an
invention for 20 years; it is designed to ensure that inventors of new machines or methods are
rewarded for their labour while making widespread use of their inventions.