
CLASS: SYITM - IV - SEMESTER

INFORMATION SECURITY - (UNIT – 1)

Introduction to Information Security Administration:


Concepts and Principles, Security Equation, System Life Cycle, Security Development Life Cycle, Policies and Practices, Access Control, Authentication, Auditing, Monitoring

SECURITY ADMINISTRATION: CONCEPTS AND PRINCIPLES:

• Security administration is a vital function of any systems operation. Security administration activities are performed not because of the size of the organization but because of the importance of its information. These activities are performed at various levels in an organization.

• Definition: Security administration encompasses the security principles, policies, standards, procedures and guidelines used to identify and classify information assets and to ensure the confidentiality, integrity and availability of an organization's information assets. It also includes roles and responsibilities, configuration management, change control, security awareness and the application of accepted industry practices.

• Security administration is the set of functions and activities related to the security of the system or enterprise, and it is typically performed by the security administrators.

• In practice the specific security activities are performed by the system and network administrators, but the responsibility for planning and design lies with the security administrator. Not all functions are always accomplished, e.g. auditing of the systems. The system administrator ensures that system security is maintained and that all efforts to repair security flaws are taken.

• The goal of security is CIA (Confidentiality, Integrity and Availability). Security administration provides the effectiveness for the security mechanisms that are in place to enforce the CIA objectives within the system.

• Security administration can be divided into 3 broad functions:

1. Developing the plan towards information security for your system or enterprise.
2. Implementing it, or making sure that somebody implements it.
3. Administering the implementation.

• A security administrator cannot administer something that does not exist. For administration, planning is the most important element, whether it is the security of a system, a network, a corporation or any other type of asset. Lack of planning can result in expenditure of funds that leads to disastrous consequences.

SECURITY EQUATION:

• The main issue for system security is risk.

• Definition (of risk): Risk is a function of the likelihood or possibility of a given threat source exploiting a particular vulnerability and the resulting impact of that adverse event on the organization.

• So, risk management is all about identifying, measuring and controlling risk.

SYSTEM LIFE CYCLE:

• Definition: "System life cycle is the process of developmental changes through which a system passes from its conception to the termination of its usefulness and its disposal."

• For large and complex systems considerable time, effort and funding are allocated. Generally system development is cheaper than the maintenance phase. To reduce the cost of maintenance, pre-planning for each of the phases is required. Systems are always developed in phases, and the outcome of each phase is checked against the requirements to identify whether they are met or not.

• There are 7 stages in the system development life cycle:

1. Identifying the requirements:
   • For the new system or software.
2. System analysis:
   • Studying the problem which will be solved with the information system. This may include the feasibility study, i.e. can the system operate within the given constraints?
   • Feasibility study in terms of hardware and software is called technical feasibility.
   • Feasibility study in terms of cost and benefit is economic feasibility.
   • Feasibility in terms of trained manpower is operational feasibility.
3. System design:
   • Developing a plan that meets the needs is performed at this stage. Logical design identifies what data will be entered or needed, and physical design determines where that data will be stored.
4. Programming phase:
   • It deals with converting the design plan into the application code.
5. Testing phase:
   • It includes creating a test plan and implementing it unit- or module-wise and on the system as a whole. Once the system is tested by the developers, it is sent for acceptance testing to the users.
6. Production and maintenance phase:
   • The users constantly review the current system and identify errors or new requirements, which are then implemented as corrections or changes during maintenance.
7. Disposal phase:
   • Once the system has been used for a certain period, it is sometimes observed that the maintenance cost is more than the cost that would be incurred if a new system were developed. At this stage a decision regarding the reuse of certain parts of the old system may be taken.

SECURITY DEVELOPMENT LIFE CYCLE:

• The Security Development Life Cycle uses the same traditional development cycle, with added activities performed by the security in-charge to meet the security requirements in parallel with the SDLC. Security mechanisms may be implemented anywhere from a single application to the entire network infrastructure. The security mechanisms provide protection using components like encryption, public key infrastructure, etc. Whenever new security mechanisms are added to the existing operational capabilities, changes must be made throughout the infrastructure of the network.

• The steps listed below may not apply to all organizations, and a few other steps may also be performed as per organizational requirements.

1. Conceptual analysis:
   • It is performed with the system analysis phase to identify the security mechanisms which could meet the security requirements. A security policy is developed as a result of this phase. This phase includes activities like:
     • User's and owner's analysis
     • Data analysis
     • Threat analysis
     • Vulnerability analysis
     • Risk analysis and assessment
     • Defining the security policy
     • Collecting all the system security requirements
     • Preparing the security controls list
   • The set of steps listed and performed by an organization defines the roadmap of security for that organization.
2. System design phase:
   • During the design phase of the system development, the system security controls are designed to develop a security architecture that meets the requirements specified in the security policy prepared in the previous phase. The process is designed to meet the security objectives. An agreement with the ISP (service provider), data provider and network resources provider is also obtained at this phase.

   • Definition: "An AGREEMENT defines the terms of the connectivity of resources, like whom to contact for support, availability of resources and services, etc."

   • The steps performed at this phase include:
     • Selection of controls
     • Obtaining connectivity agreements
     • Developing a plan
     • Developing a security user's guide
     • Developing a security administration guide
     • Designing a security training and awareness program
     • Developing a security architecture

3. Programming / building phase:
   • During this phase of system development, the security mechanisms within an application are programmed to meet the requirements identified in the design phase.
     • Step 1: Co-ordinate the security activities with the programming activity of the system development life cycle.
     • Step 2: Obtain all the facility information, which includes software, hardware, network infrastructure, users' access points, etc.
     • Step 3: Develop the implementation plan.
4. Test phase:
   • To evaluate the effectiveness of the security measures, tests are performed to determine whether the security mechanisms are implemented correctly. After the tests are performed, a report is prepared which lists the results of these tests; these are then used to recommend modifications in the security mechanisms and fix the errors so that the system operates correctly. The following steps are performed:
     • Develop a test procedure
     • Perform the security test
     • Prepare the security test report
     • Prepare an official recommendation for the implementation
     • Finalize the document and hand it over to the in-charge

5. Production and maintenance:
   • Security as well as operational training is conducted during this phase. Periodic security reviews are done to ensure continued protection of system resources and data. Reviews must be conducted whenever the system changes in terms of hardware or software, or new security mechanisms have been incorporated in the existing system. Steps performed are:
     • Giving security training
     • Conducting periodic reviews
     • Operations maintenance
     • Periodic security training and review

POLICIES AND PRACTICES:

• An organization, regardless of its size or business area, has policies and practices that direct its business and personnel. From a security perspective the policies have been broadly categorized as employment policy and security policy.
1. Employment Policy:
   • Every employer has explicit policies and practices regarding employee hiring, termination, acceptable behavior, work profile, authorization and access to the information system. The security personnel, while devising the security mechanisms, should also consider the employees in order to provide a secure environment. The security personnel need to check the background of the employee (whether there have been any criminal activities performed by him in the past), to identify whether security has been integrated into the employment procedure, and to study the orientation and training material to find whether the security responsibilities regarding system use have been mentioned and what they are. The security personnel have to study the process which is used to give authorization information and system access training. They are also responsible for identifying the procedure for an employee's termination with regard to his system access and account.

   • While hiring an employee, he must be asked to read, understand and sign an acceptable use policy. Once a position has been defined, the supervisor should determine the type of computer access needed for the position. Two general security rules apply when granting the access:
     • Separation of duty: It refers to dividing the roles and responsibilities so that no single individual can threaten a critical process.
     • Least privilege: It refers to the security objective of granting users only that access which they need to perform an official duty.
   • The employment policy is basically required for the control and protection of all company assets, of which the information system is one.
2. Security Policy:
   • Policy exists at several levels in system security, i.e.:
   • Organizational policy:
     - A policy at this level is a statement of support or concern relating to information and security, and has to be in place in order for the lower levels of the organization to implement the vision of the senior management and those responsible for the security of its resources.
     - Overall security policy: It is concerned with the development and implementation of the vision and direction identified by the organization's policy. For example:
     - Acceptable use of corporate systems may define those activities that are not approved for corporate asset use, e.g. downloading music, chatting, surfing etc. may not be allowed.
     - A new user training policy may be defined which identifies when, how and what must be communicated to the new user before access to the system is provided, e.g. user ID and password and the personal folder to which the user has full access. Information about various business processes may also be given to the new user.
3. System level policy:
   • It is the enforcement of the security policy defined in the overall security policy by using the people, processes and technology associated with the system. E.g. attachments of more than 2 MB are not allowed, maximum storage of 5 MB should not be exceeded, the download of MP3 or MPEG files is denied and controlled by the firewall, login after 6 pm is denied, etc.

WHY CONTROL ACCESS?

• Introduction: Access Control:

• Definition: Access control permits management to specify what users can do, which resources they can access, and what operations they can perform on a system.

• Access control provides system managers with the ability to limit and monitor who has access to a system and to restrain or influence the user's behavior on that system.
• Access control systems define what level of access an individual has to the information contained within that system, based upon predefined conditions such as authority level or group membership.
• Access control systems are based upon varying technologies including passwords, hardware tokens, biometrics etc.
• Each access control system offers different levels of CIA to the user, system and stored information.
• The access control domain includes all of the mechanisms that enable a system manager to specify what users and processes can do, which resources they can access, and which operations they can perform.
• Information system security is not just technical point solutions implemented on a system. Any realistic security solution consists of many security mechanisms from the various security disciplines, woven into layers of security around a system or enterprise, all in support of the confidentiality, integrity and availability needs of the information and system.

WHY CONTROL ACCESS:

• With access to your system, an adversary can do almost anything. Access controls place a level of accountability on authorized users.
• Access controls support all 3 of the security objectives:
1. Confidentiality: through controls that protect access based on authorization.
2. Integrity: through access controls on the data and processes.
3. Availability: through the proper implementation and administration of controls so that they do not deny services to authorized users.
• Although access controls are a fundamentally easy concept, a fully integrated solution of complementary access control techniques is often difficult to achieve. They must be consistent with your organization's policy, minimize the likelihood of unauthorized access, disclosure and modification, and be user-friendly enough that authorized users do not seek to circumvent them. Policies for the protection of information must include a method for determining what must be protected and to what extent. They should also specify handling, marking and disposal procedures for all information.

REASONS WHY CONTROL ACCESS:

1. Protection of Assets and Resources:
   • Most damage to computer systems and data does not come from outside attacks but from simple mistakes or the unauthorized or unintended actions of legitimate users of the system. Often, security comes down to a matter of cost. Security measures have direct costs in terms of equipment and administrative expenses. A basic goal of information security is to protect resources and assets from loss.

   • Resources may include:
     • Information, including information in transmission like e-mails, research data, etc.
     • Services like applications, user software, etc.
     • Equipment like computers, networking components, etc.

   • Each resource has several assets that require protection. The assets also include confidentiality, integrity, authenticity and availability.

2. Assurance of Accountability:
   • Accountability is the sub-element of the integrity objective that provides the system security practitioner with the ability to know who has been on the system and what they did. When systems are set up with unique identification and authentication for users, the users can be held accountable for their actions while logged on to the systems. Accountability also provides a way to detect whether an attack has taken place.

3. Prevention of Unauthorized Access:
   • When authorized users gain access to a system, they might pass through several types of access controls. But for an unauthorized user, access controls can minimize and even prevent most attacks like:
     • Denial of Service (DoS) attacks
     • Spamming
     • Brute force attacks

AUTHENTICATION:

• Definition: Authentication is the process used to prove the identity of someone or something that wants access.

• All authentication processes follow the same basic principle: we need to prove who we are, or who the individual, service or process is, before we allow them to use our resources. Authentication allows the sender and receiver of information to validate each other as the appropriate entities with which they want to work. The simplest form of authentication is the transmission of a shared password between entities wishing to authenticate each other.
• There are a few authentication methods, which are given below.

1. Username and Password:
   • This combination has been used for authenticating users for many years. Most operating systems have some form of local authentication that is used if the operating system is designed to be used by multiple users. From a security point of view, it is important to understand that the first line of defense of a system is the creation and maintenance of a password policy that is enforced and workable.
   • Password policies that allow user-created passwords of fewer than 6 characters are regarded as low security level, 8 to 13 characters as medium security level, and 14 or more as high security level. The passwords must contain uppercase and lowercase letters, numbers and special characters, no dictionary words, no portion of the user name, and no personal identifiers like birthdates, vehicle numbers, etc.
   • To achieve the medium security level, use 8 characters with uppercase and lowercase letters, numbers and a special character. For high security, implement the medium security settings with no dictionary words and no use of the username in the password. Be aware that the higher the number of characters in a password, the more chance there is that the user will write the password down and leave it where it can be found.
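The policy tiers above, turned into a checker (an added example, not part of the original notes): the length tiers, the character-class rule, the dictionary-word, username and personal-identifier rules come from the text, while the word list, sample passwords and the treatment of 6 and 7 character passwords as low (the text does not classify them) are assumptions.

```python
"""Password-policy classifier for the levels described in the notes above.

Added example, not part of the original notes. The length tiers (fewer than 6
characters low, 8 to 13 medium, 14 or more high), the character-class rule, the
dictionary-word rule, the username rule and the personal-identifier rule come
from the text. Assumptions: 6 and 7 character passwords are treated as low since
the text does not classify them; the word list and samples are constructed.
"""
import string

# Constructed mini dictionary; a real deployment would load a full word list.
DICTIONARY_WORDS = {"password", "welcome", "summer", "admin", "secret", "letmein"}


def has_all_character_classes(pw: str) -> bool:
    """Uppercase, lowercase, digit and special character must all be present."""
    return (any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def contains_dictionary_word(pw: str, words=DICTIONARY_WORDS, min_len: int = 4) -> bool:
    """Case-insensitive substring match against the word list."""
    lowered = pw.lower()
    return any(len(w) >= min_len and w in lowered for w in words)


def contains_username_portion(pw: str, username: str, min_len: int = 3) -> bool:
    """True if any run of min_len or more characters of the username appears in pw."""
    u, p = username.lower(), pw.lower()
    return any(u[i:i + min_len] in p for i in range(len(u) - min_len + 1))


def contains_personal_identifier(pw: str, identifiers) -> bool:
    """Birthdates, vehicle numbers etc. are supplied by the caller (constructed)."""
    lowered = pw.lower()
    return any(ident and ident.lower() in lowered for ident in identifiers)


def classify_password(pw: str, username: str, identifiers=()) -> tuple:
    """Return (level, reasons) with level 'low', 'medium' or 'high'; reasons lists
    what kept the password out of the next level up."""
    reasons = []
    if len(pw) < 8:
        reasons.append("fewer than 8 characters")
    if not has_all_character_classes(pw):
        reasons.append("missing upper/lower/digit/special mix")
    if contains_personal_identifier(pw, identifiers):
        reasons.append("contains a personal identifier")
    if reasons:
        return "low", reasons
    # Medium requirements met; high additionally needs 14+ characters,
    # no dictionary word and no portion of the username.
    if len(pw) < 14:
        reasons.append("fewer than 14 characters")
    if contains_dictionary_word(pw):
        reasons.append("contains a dictionary word")
    if contains_username_portion(pw, username):
        reasons.append("contains part of the username")
    return ("medium", reasons) if reasons else ("high", [])
```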
2. Biometrics:
   • Biometric devices can provide a higher level of authentication than many other methods like the username and password combination. Although biometrics can be used for mutual authentication and are relatively secure, they are not completely secure against attacks. For instance, where fingerprints are used for biometric identification, the devices must be able to interpret the actual presence of the print. Early devices were fooled by fogging of the lenses, which provided a raised impression of the previous user's print, or by silicone impressions or fingerprinting powders that raised the image. Current devices may require a temperature or pulse sense as well as the fingerprint to verify the presence of a user. Biometrics used in conjunction with smart cards or other authentication methods lead to the highest level of security.
3. Mutual Authentication:
   • Mutual authentication is a process where both the requestor and the target entity must fully identify themselves before communication or access is allowed. This can be accomplished in a number of ways. One of the methods that can be used for mutual authentication is certificates. To verify the identities, the certifying authority must be known to both parties and the public keys for both must be available from a trusted KDC (key distribution center). One area that uses the mutual authentication process is access of a user to a network via remote authentication/access, which requires the presence of a valid certificate to verify that the machine is the entity that is allowed access to the network. Early implementations of Windows-based RAS servers had the ability to request or verify a particular telephone number to try to verify the machine location. With the development of call-forwarding technologies, this is no longer sufficient. Mutual authentication allows you to be confident that communication is not being intercepted by a man-in-the-middle attacker or being redirected in any way.

4. Multi-Factor Authentication:
   • Multi-factor authentication is the process in which we expand on the traditional requirements that exist in single-factor authentication, like a password. Two-factor authentication occurs when 2 different factors are required to provide authentication. To accomplish this, another item is used for authentication in addition to or in place of the traditional password. There are 4 possible types of factors that can be used for multi-factor authentication:
     • A password or PIN can be defined as a "something you know" factor.
     • A token or a smart card can be defined as a "something you have" factor.
     • A thumbprint, retina, hand or any other biometrically identifiable item can be defined as "something you are".
     • Voice/handwriting analysis can be defined as a "something you do" factor.
   • Multi-factor authentication is more secure than other methods because it adds steps that increase the layers of security. When 2 or more different factors are employed, 2 or more different types/methods of attack must be successful to collect all the relevant authentication elements. But the disadvantage is that if the number of steps required to achieve authentication becomes tedious to the users, they may no longer use the process or may attempt to bypass the necessary steps for authentication.
5. Tokens:
   • Tokens are password-generating devices that subjects must carry with them. They are physical devices used for randomization of a code that can be used to assure the identity of the subject holding the token. This is more secure than most forms of biometric authentication because impersonation and falsification of the token value is extremely difficult.
   • Token authentication can be provided by way of either hardware- or software-based tokens. You must have a process to create and track random token access values, for which 2 components are used:
     1. A hardware device that generates token values at specific intervals.
     2. A software or server-based component that tracks and verifies that these codes are valid.
   • To use this process, the token code is entered into the server system during setup of the system. A user wishing to be authenticated must enter a PIN in place of the usual user logon password. They are then asked for the randomly generated number currently present on their token. When entered, this value is checked against the server system's calculation of the token value. If they are the same, the authentication is complete and the user can access the resource.
   • Using token authentication systems is a much stronger security measure than using password authentication alone. Token systems use 2 or more factors to establish identity and provide authentication. In addition to knowing the username, password, PIN and so on, the subject must be in physical possession of the token device.
6. Certificates:
   • Certificates are systems that create, distribute, store and validate digitally created signature and identity verification information about machines, individuals and services. Digital certificates provide communicating parties with the assurance that they are communicating with people who truly are who they claim to be. Digital certificates are essentially endorsed copies of an individual's public key. This prevents malicious individuals from distributing false public keys on behalf of another party and then convincing third parties that they are communicating with someone else. A certificate from a reputable provider indicates that the server being accessed is legitimate. The path for the certificate should be verifiable and unbroken, or the certificate may be viewed as invalid. A valid certificate also indicates a high probability that software has not been tampered with since it was originally made available for download. Certificates are also used with data encryption or in network protocols requiring their use, such as IPSec.
   • Certificates are created by a trusted third party called a certification authority / certificate authority / certifying authority (CA). Examples of commercial CAs are VeriSign and Thawte.

7. CHAP - Challenge Handshake Authentication Protocol:
   • CHAP is a remote access authentication protocol used to provide security and authentication to the users of remote resources by encrypting usernames and passwords. It performs authentication using a challenge-response dialogue that can be repeated. It is used to periodically verify and re-authenticate the remote system throughout an established communication session, to verify the persistent identity of the remote client. This process is transparent to the user and may be repeated upon initial link establishment and at any time after the link is established. A 3-way handshake is performed as follows:
     1. After the link establishment is complete, the authenticator sends a challenge message.
     2. The client responds with a value calculated using the same function ("one-way hash") which the authenticator would use.
     3. The authenticator checks the received authentication value against its own value. If they match, authentication is acknowledged; otherwise the connection should be terminated.
     4. At random intervals the authenticator sends a new challenge and then repeats steps 1 to 3.
   • CHAP does not operate with encrypted password databases. The shared secrets may be stored on both ends as clear-text items, making the secret vulnerable to compromise or detection. CHAP may also be configured to store a password using reversible encryption, from which the server computes the one-way hash. This provides protection to the password, because the hash sent by the client wishing to authenticate must match the hash value computed by the server from the stored password.
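The handshake above simulated with both ends in code (an added example, not part of the original notes): the response is a one-way hash over the challenge identifier, the shared secret and the challenge value, which is the layout CHAP uses, with SHA-256 standing in for the original MD5; the peer name, secrets and number of re-authentication rounds are constructed.

```python
"""Simulation of the CHAP three-way handshake described above.

Added example, not part of the original notes. Both ends hold the same shared
secret in the clear, as the text notes. The response is a one-way hash over the
challenge identifier, the shared secret and the challenge value, which is the
layout CHAP uses; SHA-256 stands in for the MD5 of the original protocol. The
peer name, secret values and the number of re-authentication rounds are
constructed for the demonstration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """One-way function used by both ends: H(identifier || secret || challenge)."""
    return hashlib.sha256(bytes([identifier]) + secret + challenge).digest()


@dataclass
class Authenticator:
    """Server side: stores each peer's secret, issues challenges, checks responses."""
    secrets: dict                                   # peer name -> clear-text secret
    pending: dict = field(default_factory=dict)     # peer name -> (identifier, challenge)
    next_id: int = 0

    def challenge(self, peer: str) -> tuple:
        """Step 1: send a fresh random challenge under a new identifier."""
        self.next_id = (self.next_id + 1) % 256
        chal = os.urandom(16)
        self.pending[peer] = (self.next_id, chal)
        return self.next_id, chal

    def verify(self, peer: str, identifier: int, response: bytes) -> bool:
        """Step 3: recompute the expected value and compare. The challenge is
        single-use, so it is discarded whether or not the check succeeds."""
        outstanding = self.pending.pop(peer, None)
        secret = self.secrets.get(peer)
        if outstanding is None or secret is None or outstanding[0] != identifier:
            return False
        expected = chap_response(identifier, secret, outstanding[1])
        return hmac.compare_digest(expected, response)


@dataclass
class Client:
    """Remote side: knows only its own name and secret."""
    name: str
    secret: bytes

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        """Step 2: answer with the hash; the secret itself never crosses the link."""
        return chap_response(identifier, self.secret, challenge)


def run_session(authenticator: Authenticator, client: Client, rounds: int = 3) -> list:
    """Initial handshake followed by periodic re-authentication (step 4);
    returns the verdict of each round."""
    verdicts = []
    for _ in range(rounds):
        ident, chal = authenticator.challenge(client.name)
        verdicts.append(authenticator.verify(client.name, ident, client.respond(ident, chal)))
    return verdicts


def old_response_is_rejected(authenticator: Authenticator, client: Client) -> bool:
    """A response recorded from an earlier round does not satisfy a later
    challenge, which is why the periodic re-challenge keeps the session honest."""
    ident, chal = authenticator.challenge(client.name)
    recorded = client.respond(ident, chal)
    if not authenticator.verify(client.name, ident, recorded):
        return False
    later_ident, _later_chal = authenticator.challenge(client.name)
    return not authenticator.verify(client.name, later_ident, recorded)
```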

8. Kerberos:
   • It is used as a network authentication protocol in many medium and large enterprises to authenticate users and services requesting access to resources. It is designed to centralize the authentication information for the user or service requesting the resource. It allows authentication of the entities requesting access by the host of the resource being accessed, through the use of secure and encrypted keys and tickets from the authenticating KDC (Key Distribution Center). It allows for cross-platform authentication. Kerberos uses time-stamping of its tickets to help ensure they are not compromised by other entities and to provide for the non-repudiation objective. It also limits the possibility of replay or spoofing of credentials. The initial time-stamp refers to any communication between the entity requesting authentication and the KDC, and the difference is normally not allowed to exceed 5 minutes; otherwise the ST will be discarded. Two events occur as credentials are presented to the KDC for authentication:
     1. The authentication credentials are presented to the KDC.
     2. The KDC issues a TGT (ticket granting ticket) that is associated with the access token while you are actively logged in and authenticated. The TGT expires when you or the service disconnects or logs off the network. The TGT is stored locally during the active session.
   • When a connection is requested by a user, it presents a previously granted TGT to the authenticating KDC. The authenticating KDC returns an ST (session ticket) to the entity wishing access to the resource. This ST is then presented to the remote resource server, which authenticates the user, allows the session to be established with the resource server and allows the communication to start. Once the data communication is over, the session ticket is destroyed and becomes invalid. So when communication is required again, the TGT must be sent to the KDC to fetch a new session ticket.
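The TGT and ST flow above as a small model (an added example, not part of the original notes): real Kerberos encrypts tickets under the key of the party that reads them, whereas here each ticket is a dict carrying an HMAC tag under that party's key, so forgery and tampering are detected but confidentiality is not modelled; the 5-minute skew limit is from the text, and the principal names, keys and ticket lifetimes are constructed.

```python
"""Simplified model of the Kerberos ticket flow described above (TGT, then ST).

Added example, not part of the original notes. Real Kerberos encrypts tickets
under the key of the party that must read them; here each ticket is a dict that
carries an HMAC tag under that party's key, so forgery or tampering is detected
but confidentiality is not modelled. The 5-minute skew limit is from the text;
the principal names, keys and ticket lifetimes are constructed.
"""
import hashlib
import hmac
import json
from typing import Optional

SKEW_LIMIT = 300          # seconds: client/KDC timestamp difference allowed by the text
TGT_LIFETIME = 8 * 3600   # constructed lifetime of a ticket granting ticket
ST_LIFETIME = 3600        # constructed lifetime of a session ticket


def derive_key(password: str) -> bytes:
    """Long-term user key derived from the password (stand-in for Kerberos string-to-key)."""
    return hashlib.sha256(password.encode()).digest()


def _seal(fields: dict, key: bytes) -> dict:
    body = json.dumps(fields, sort_keys=True).encode()
    return {**fields, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def _open(ticket: dict, key: bytes, now: int) -> Optional[dict]:
    """Return the ticket fields if the tag verifies under key and it has not expired."""
    fields = {k: v for k, v in ticket.items() if k != "tag"}
    body = json.dumps(fields, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(ticket.get("tag", ""))):
        return None
    return fields if now < fields["expires"] else None


class KDC:
    def __init__(self, user_keys: dict, service_keys: dict):
        self.user_keys = user_keys          # principal -> key derived from password
        self.service_keys = service_keys    # service name -> long-term service key
        self.tgs_key = b"kdc-tgs-long-term-key"  # constructed; only the KDC reads TGTs

    def authenticate(self, user: str, password: str, now: int) -> Optional[dict]:
        """Events 1 and 2: credentials presented; a TGT is issued for the session."""
        if not hmac.compare_digest(derive_key(password), self.user_keys.get(user, b"")):
            return None
        return _seal({"type": "TGT", "user": user, "issued": now,
                      "expires": now + TGT_LIFETIME}, self.tgs_key)

    def service_ticket(self, tgt: dict, service: str, client_time: int, now: int) -> Optional[dict]:
        """The client presents its TGT with its own timestamp and names the resource."""
        if abs(now - client_time) > SKEW_LIMIT:
            return None  # clock skew beyond 5 minutes: request discarded
        fields = _open(tgt, self.tgs_key, now)
        if fields is None or fields["type"] != "TGT" or service not in self.service_keys:
            return None
        return _seal({"type": "ST", "user": fields["user"], "service": service,
                      "issued": now, "expires": now + ST_LIFETIME}, self.service_keys[service])


class ResourceServer:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.sessions = {}                  # session id -> user

    def accept(self, st: dict, now: int) -> Optional[str]:
        """Validate the ST under the service key and open a session."""
        fields = _open(st, self.key, now)
        if fields is None or fields["type"] != "ST" or fields["service"] != self.name:
            return None
        session_id = hashlib.sha256(st["tag"].encode()).hexdigest()[:16]
        self.sessions[session_id] = fields["user"]
        return session_id

    def end_session(self, session_id: str) -> None:
        """The ST dies with the session; a new one needs the TGT again."""
        self.sessions.pop(session_id, None)


def demo(now: int = 1_700_000_000) -> dict:
    """Walk one user through login, service access, a skewed request and logoff."""
    kdc = KDC({"alice": derive_key("correct horse")}, {"fileserver": b"file-server-key"})
    files = ResourceServer("fileserver", b"file-server-key")
    tgt = kdc.authenticate("alice", "correct horse", now)
    st = kdc.service_ticket(tgt, "fileserver", client_time=now + 10, now=now + 12)
    session = files.accept(st, now + 13)
    skewed = kdc.service_ticket(tgt, "fileserver", client_time=now, now=now + 400)
    files.end_session(session)
    return {"tgt": tgt is not None, "st": st is not None, "session": session is not None,
            "skewed_rejected": skewed is None, "sessions_after_logoff": len(files.sessions)}
```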



AUDITING:
• What Is Auditing?
• The audit function provides the ability to determine if the system is being operated in accordance with accepted industry practices and in compliance with specific organizational policies, standards and procedures. Auditing provides methods for tracking and logging activities on the networks and systems and links these activities to specific user accounts or sources of activity. In the case of simple mistakes or software failures, audit trails can be extremely useful in restoring data integrity. They are also a requirement for trusted systems, to ensure that the activity of authorized individuals can be traced to their specific actions and that those actions comply with the defined policies. They also allow for a method of collecting evidence to support any investigation into improper or illegal activities. Auditing refers to either the examination of the system or the act of performing the examination. An audit trail is a historical record of events.

• Audit Characteristics:
• The term audit carries 2 meanings in the information system security field:
1. To collect, store and review system logs in order to gain an understanding of what has happened, through audit logs or audit trails.
2. To conduct a review of the security of your system (auditing).
• A commonly accepted practice to ensure that the amount of data collected is adequate is to log all activities that could be an indication that something is wrong. Auditing can include the capture of all network traffic, login failures, last login and so on. Organizations must define auditing standards which specify the most critical audit requirements and those that are less critical. Automated tools greatly assist with the reduction of audit data into comprehensible information. Some security-related reasons for which we do auditing are as follows:
1. To identify a potential breach in security.
2. To reconstruct the events which led to the security breach.
3. To reconstruct the activities performed during the breach.
4. To prove that something has happened.
• Auditing can be performed at the gateway, at servers (e-mail, DBMS, file, application, firewall, routers and so on), within the applications, at the user workstations or wherever possible.

 Components to Audit:
 Basically the accepted practice is to audit everything that has the capability to log
events.
 There are 4 components within the protection layers that can be audited:
1. External/Internal Network Boundary Auditing:
 Regardless of whether you have established a DMZ (De-Militarized Zone),
you need to audit the components at the outer edge of your network. At
13

UNIT – 1 - INFORMATION SECURITY


that point, a dedicated firewall must be placed. The auditing of this device
should be performed based on the policies you have documented in your
roadmap towards security. This strategy is your first line of defense. The
process for establishing the audit trail would be:
- Use the roadmap to determine what security mechanisms you need to
provide
- Develop a matrix showing what you will implement and where
- Turn on the log functions for everything acceptable and not acceptable

2. Internal/Subnet Boundary Auditing:


 The DMZ consists of the boundary router, the main firewall, a VPN (Virtual
Private Network) gateway, and proxy servers for HTTP and SMTP. Auditing at
this boundary includes checking all connection requests from outside at the
internal perimeter, which consists of an internal firewall placed between the
DMZ and the internal network. This internal firewall handles all inbound
traffic and accepts only traffic that arrives from the main firewall, ruling
out the possibility of direct infiltration into the internal network from
outside.
 This internal boundary allows outbound traffic from the internal systems
only. At this internal boundary point, the outbound traffic can be filtered
by its type, its size and the kind of information being transmitted.
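As an added example (not taken from the course notes), the following Python script audits a constructed internal-boundary firewall log against the two rules described above: inbound accepts must originate at a DMZ relay (the main firewall or a proxy), and outbound transfers are checked by size. The relay addresses, the key=value log format and the size limit are assumptions made for this example.

```python
from typing import Dict, List

# Constructed placeholders: the DMZ hosts allowed to originate inbound traffic (main firewall and proxies).
DMZ_RELAYS = {"10.0.1.1": "main-firewall", "10.0.1.10": "http-proxy", "10.0.1.25": "smtp-gateway"}
OUTBOUND_SIZE_LIMIT = 50_000_000  # bytes; an assumed policy threshold for outbound transfers

# Constructed log sample in key=value form; one record per line.
SAMPLE_LOG = """\
ts=2024-03-01T09:00:01 dir=in src=10.0.1.1 dst=192.168.5.20 proto=tcp dport=443 action=accept bytes=1200
ts=2024-03-01T09:00:07 dir=in src=10.0.1.10 dst=192.168.5.21 proto=tcp dport=8080 action=accept bytes=900
ts=2024-03-01T09:01:13 dir=in src=203.0.113.44 dst=192.168.5.22 proto=tcp dport=22 action=accept bytes=300
ts=2024-03-01T09:01:40 dir=in src=198.51.100.9 dst=192.168.5.23 proto=tcp dport=445 action=deny bytes=0
ts=2024-03-01T09:02:02 dir=out src=192.168.5.30 dst=10.0.1.10 proto=tcp dport=3128 action=accept bytes=4100
ts=2024-03-01T09:05:55 dir=out src=192.168.5.31 dst=10.0.1.25 proto=tcp dport=25 action=accept bytes=81000000
"""

def parse_line(line: str) -> Dict[str, str]:
    """Split one 'key=value key=value ...' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def audit_internal_boundary(log_text: str) -> List[Dict[str, str]]:
    """Return findings that violate the boundary policy from the notes:
    inbound accepts must come from a DMZ relay, and outbound transfers
    larger than the size limit are flagged for review."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["dir"] == "in" and rec["action"] == "accept" and rec["src"] not in DMZ_RELAYS:
            findings.append({"ts": rec["ts"], "issue": "inbound accept bypassed DMZ relays",
                             "src": rec["src"], "dst": rec["dst"], "dport": rec["dport"]})
        elif rec["dir"] == "out" and int(rec["bytes"]) > OUTBOUND_SIZE_LIMIT:
            findings.append({"ts": rec["ts"], "issue": "outbound transfer exceeds size limit",
                             "src": rec["src"], "dst": rec["dst"], "dport": rec["dport"]})
    return findings

if __name__ == "__main__":
    for finding in audit_internal_boundary(SAMPLE_LOG):
        print(finding)
```

On the sample log the script reports one inbound accept that did not come through a relay and one oversized outbound transfer; every other record conforms to the policy.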

3. Server Audit:
 The majority of major functions in a system are distributed across several
hosts that provide dedicated support for a major application; these hosts are
often referred to as servers. There can be mail, file, web, database, print and
other servers, each of which requires a different kind of auditing mechanism.
Auditing depends on the specific operating system being used and on the
capabilities of the application itself. Server logs must be capable of
collecting and storing adequate data about the activities being performed on
the server, so that the data can assist you in any number of review tasks.

4. User Workstations:
 Auditing functions exist on workstations at differing levels according to the
operating system being used. Generally, workstation auditing is correlated with
server auditing to get a complete picture of security failure events that may
have occurred on a workstation, or on a server through a workstation. The log
contains the following information about every event:
- Date and time, source of event, type of event, user ID, account,
computer name, logins and logouts, success or failure of the event, and
any privileged activities performed.
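The following Python block, added here as an illustration and not taken from the notes, shows the workstation/server correlation just described and also the kind of audit reduction step mentioned under the planning-stage tools later in this unit: it merges two constructed logs that carry the listed fields, reconstructs one user's timeline in time order, and flags the sequence an auditor would want to examine (repeated failed logons, a successful logon, then privileged use on a server). User names, host names and the pipe-separated record format are constructed for the example.

```python
from datetime import datetime
from typing import List

# Constructed workstation and server logs. Fields: date/time, source, event type,
# user ID, account, computer name, success or failure (the fields listed in the notes).
WORKSTATION_LOG = """\
2024-03-01T08:58:10|WS-07|logon|jsmith|jsmith|WS-07|failure
2024-03-01T08:58:25|WS-07|logon|jsmith|jsmith|WS-07|failure
2024-03-01T08:58:41|WS-07|logon|jsmith|jsmith|WS-07|failure
2024-03-01T08:59:02|WS-07|logon|jsmith|jsmith|WS-07|success
2024-03-01T09:20:00|WS-03|logon|adoe|adoe|WS-03|success
"""
SERVER_LOG = """\
2024-03-01T09:01:17|FILESRV|file_read|jsmith|jsmith|WS-07|success
2024-03-01T09:03:44|FILESRV|privilege_use|jsmith|jsmith|WS-07|success
2024-03-01T09:21:10|FILESRV|file_read|adoe|adoe|WS-03|success
2024-03-01T09:30:00|FILESRV|logoff|jsmith|jsmith|WS-07|success
"""
FIELDS = ("ts", "source", "event", "user", "account", "computer", "result")

def parse(log_text: str) -> List[dict]:
    """Turn pipe-separated records into dicts with a parsed timestamp."""
    records = []
    for line in log_text.splitlines():
        rec = dict(zip(FIELDS, line.split("|")))
        rec["when"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records

def reconstruct(user: str) -> List[dict]:
    """Audit reduction: merge both logs, keep one user's events, order them in time."""
    merged = parse(WORKSTATION_LOG) + parse(SERVER_LOG)
    return sorted((r for r in merged if r["user"] == user), key=lambda r: r["when"])

def suspicious_sequence(timeline: List[dict], max_failures: int = 2) -> bool:
    """Flag the pattern worth a closer look: more than max_failures failed logons,
    then a successful logon, then privileged activity recorded on a server."""
    failures = 0
    logged_on_after_failures = False
    for rec in timeline:
        if rec["event"] == "logon" and rec["result"] == "failure":
            failures += 1
        elif rec["event"] == "logon" and rec["result"] == "success":
            logged_on_after_failures = failures > max_failures
        elif rec["event"] == "privilege_use" and logged_on_after_failures:
            return True
    return False
```

Calling `reconstruct("jsmith")` yields seven events spanning both logs, and `suspicious_sequence` returns True for that user and False for `adoe`, whose single successful logon was not preceded by failures.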

 Conducting Auditing/Security Review:
 An audit of your system requires planning, purposefulness and some skill. The
roadmap for conducting an audit includes 2 stages, i.e. Planning and
Implementation.
1. PLANNING STAGE:
 You first have to know what you are going to audit; the planning stage
prepares you for the security review. The specific results expected from any
audit should be determined in advance, and ensuring that sufficient testing is
conducted requires proper planning. The audit toolbox should contain sufficient
resources to allow examination of the security mechanisms and to determine
their compliance with the policies.
A. The policies:
- Remember that all security-related system components are on the
system to enforce some aspect of the policies. At this point the
security objectives have to be identified in terms of security services
and security mechanisms. There are several categories of tools from
which appropriate ones can be selected for the purpose of auditing:
a. Automated tools:
o Certain standard automated tools for auditing can be used to
make the job easy, quick and consistent. These tools include
the hardware and software that will be required to connect
to and evaluate systems. The tools chosen should reflect the
result to be achieved in performing the audit.
o Hardware such as a laptop with a network interface, a wireless
network scanner, etc. Software such as a vulnerability scanner,
an operating system, reporting software, a port scanner, etc.
b. Discovery tools:
o Discovery tools are used to assist the auditor in identifying
the system assets that must be audited, such as the
hosts and other network resources. These types of tools
collect considerable information about the network-based
resources. This step is usually necessary because the
topology maps and architecture drawings are out of date. The
collected information provides a new baseline of the system that
can be used for future security updates and security enhancements
to the network.
c. Documentation tools:
o These tools provide a way of documenting what is learnt or
found, which gives you a baseline against which you can
make audits at later times, making each subsequent audit
clearer. They include tools like word processors, report
writers, etc.
d. Audit reduction tools:
o These are the tools that can manipulate the audit files from
several component types. You will need this type of tool to
review the audit logs for events and to make certain the logs are
being collected, reviewed and stored as defined by the
organizational policies.
e. Analysis tools:
o They are also known as vulnerability tools or penetration
tools. When launched against a target system, these tools
assess the vulnerability of that system to hundreds or
even thousands of threats. They have rule sets
that contain details about common vulnerabilities in
systems. The program acts as an adversary and tries to gain
access to your system based on the rule set it contains. They
produce detailed reports, and some offer technical
recommendations for remediation.
B. Reporting requirements:
- If you do not know what you need to report, how will you know
whether you have collected it, considered it, or analyzed it?
Reporting within an organization is required to provide a
documented account of any event that requires an action. Security
issue reporting should not be any different from other
organizational reporting. Reporting should start with an immediate
verbal communication of the event, and documentation should be
started immediately that captures events and actions, including
who, what and when: who reported the call, to whom was the call
reported, what is the nature of the event, what was done to
respond to the event, when did the event occur, where did the
event occur, from where was the event initiated, and when was
action taken in response to the event. Such information must be
collected to properly document the event. Written reports are
periodically required to inform management and security personnel
of events and to keep them informed of the progress made to
repair the damage and prevent future events from occurring.
2. IMPLEMENTATION STAGE:
A. Review policies
Are the policies complete and understood?
B. Develop a security matrix.
C. Review security documentation.
Include system-related documentation.
What are the security features of all major components?

D. Review audit capability and use.
Are the security features of all major components utilized?
Compare the security features utilized to the matrix. Do they match?
Is the audit trail complete enough to reconstruct an event?
E. Review security patches and update releases for all components.
Compare releases to the current configuration.
F. Run the analysis tools.
Host-based, network-based and data-based.
G. Correlate all the information.
H. Develop a report.
I. Make recommendations to correct problems.

ALL THE BEST…!!!
