
Information Security & Risk Management

Saini Das
Vinod Gupta School of Management, IIT Kharagpur

Session 6: Organizational Security Environment - Technical Countermeasures

Organizational Security Environment

Technology Solutions

Cryptography & Encryption
• Encryption uses a mathematics-based algorithm together with a secret key to turn a
message into a string of characters that is unintelligible.

• Cryptography is the science and art that studies encryption. It is the ‘umbrella
word used to describe the entire field of secret communications’. It includes
the methods used to ‘ensure the secrecy and/or authenticity of messages’.

• Plaintext is the original, understandable message.

• Cipher is a method or algorithm to transform a plaintext into something that
is difficult to understand.

• Ciphertext is the result of the application of the cipher to the plaintext.

Cryptography & Encryption (contd..)
• Cryptographic key is some additional secret information used in
conjunction with the cipher algorithm to perform the
cryptographic process.

Use of Keys for Data Encryption
• Keys are used to encrypt information; only a person with the appropriate key can make it readable
again.
• Suppose there is a student called Babu living in a college hostel who also works part-time. Let us say,
he has been given two keys. One of Babu’s keys is called a public key; the other is called a private
key. Babu has some hostel mates: Pamila, D’Souza and Sushant who also work for some other
organizations. Babu’s public key is available to anyone but he keeps his private key to himself. Any
one of Babu’s two keys can encrypt data and the other key can decrypt those data.


Digital Signature
• Digital signature is a ‘stamp’ placed on the data that is unique and is very difficult to forge. In
addition, the signature assures that any changes made to the data that have been signed cannot go
undetected.
• A hash function is defined as a process that takes an arbitrary-length message and returns a
fixed-length value computed from that message.
• The fixed-length value produced by hashing is called a message digest.
• The software then encrypts the message digest with the private key. The result is the digital
signature.

Digital Signature (contd..)
• The software appends the digital signature to the document. All of the data that were hashed have
been signed.

Digital Signature (contd..)

• A digital signature is created from a message digest and is used to cryptographically
sign a message.
• A message digest is a number that is created algorithmically from a file and
represents that file uniquely.
• To create a digital signature, you sign the message with your private key. The digital
signature then becomes a part of the message. This has two effects:
• Any changes to the message can be detected, owing to the message digest algorithm.
• You cannot deny signing the message, because it was signed with your private key.

• These two features, message integrity and non-repudiation, make digital signatures a
very useful component for e-commerce applications.

Digital Certificates
• A digital certificate is a program embedded in a Web page or email that verifies that the sender
or Web site is who or what it claims to be.
• A certificate is signed code or message that provides proof that the holder is the person identified by the
certificate.
• Certification Authorities (CAs) issue digital certificates, for example Verisign, RapidSSL and GeoTrust.
• Main elements of a digital certificate are:
• Certificate owner’s identifying information
• Certificate owner’s public key
• Dates between which the certificate is valid
• Number of the certificate
• Digital signature of the certificate issuer
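The hash-then-sign process from the digital signature slides and the certificate elements listed above, as an added worked example that is not from the lecture: a toy textbook RSA (no padding, constructed here only for illustration) signs a SHA-256 message digest, and a CA uses the same signing step to issue a certificate carrying the owner's identity, the owner's public key, validity dates and a serial number. Names, dates and serial numbers are constructed.

```python
import hashlib, json, random

# Toy textbook RSA (no padding), constructed here only to show hash-then-sign.
def is_probable_prime(n, rounds=32):  # Miller-Rabin primality test
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(c):
            return c
def generate_keypair(bits=512):  # returns (public_key, private_key)
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)
def digest(data):  # message digest: fixed-length value from an arbitrary-length message
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(data, private_key):  # the digest "encrypted" with the private key is the signature
    d, n = private_key
    return pow(digest(data), d, n)
def verify(data, signature, public_key):  # anyone holding the public key can check it
    e, n = public_key
    return pow(signature, e, n) == digest(data)

# Certificate: owner, owner's public key, validity dates, serial number, plus the CA's signature.
def issue_certificate(owner, owner_pub, not_before, not_after, serial, ca_priv):
    body = {"owner": owner, "public_key": list(owner_pub), "not_before": not_before,
            "not_after": not_after, "serial": serial}
    return {**body, "issuer_signature": sign(json.dumps(body, sort_keys=True).encode(), ca_priv)}
def verify_certificate(cert, ca_pub, today):  # ISO date strings compare correctly as text
    body = {k: v for k, v in cert.items() if k != "issuer_signature"}
    return (verify(json.dumps(body, sort_keys=True).encode(), cert["issuer_signature"], ca_pub)
            and cert["not_before"] <= today <= cert["not_after"])
```

Changing a single byte of the signed message, or checking against the wrong public key, makes `verify` return False, which is the integrity and non-repudiation property the slides describe.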

Digital Certificates (contd..)

Information Protection

Firewall

• Firewalls are filtering and protection devices - usually a combination of hardware and
software
• Packet-level filters are used to protect an intranet by blocking certain packets; they are
also called filtering routers or screening routers.
• Firewalls are hardware and software combinations that block intruders from access to an
intranet while still allowing people on the intranet to access the resources of the Internet.

Demilitarized Zone (DMZ)
• The area separated between the two firewalls is called the ‘DMZ’.
• DMZ is a subnetwork that is protected from the Internet by one or more firewalls. An
internal network, such as an intranet, is also protected from the DMZ subnet by one or
more firewalls.
• Basically, a DMZ is a subnetwork that is located neither inside the internal network nor
outside as part of the Internet.
• Technically, a demilitarized area is any area where access is controlled, but not entirely
prevented by firewall technology.

Policies for Firewalls
• Firewalls provide several types of protection:
  • They can block unwanted traffic;
  • They can direct incoming traffic to more trustworthy internal systems;
  • They hide vulnerable systems that are difficult to secure from the Internet;
  • They can log traffic to and from the private network;
  • They can hide critical information such as system names, network topology, network device
  types and internal user IDs from the Internet;
  • When used along with an IDS, firewalls can provide robust authentication.

• A firewall policy is a statement of how a firewall is to work – the configuration rules by which
incoming and outgoing traffic should be allowed or rejected.
• Failing to create and update a firewall policy for each firewall results in gaps between
expectations and the actual function of the firewall.
• Example: https://www.subr.edu/assets/subr/NetworkSecurity/Firewall_Policy_and_Form.pdf
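A firewall policy written as a rule table, added here as an illustration and not part of the lecture or of the linked policy document: the zones, subnets and rules are constructed; the first matching rule decides, anything unmatched is denied, and every decision is logged, which covers the blocking, directing and logging functions listed above and the DMZ layout from the previous slide.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones: a DMZ subnet for the web tier, the intranet, and everything else = Internet.
DMZ = ip_network("192.0.2.0/24")
INTRANET = ip_network("10.0.0.0/8")

@dataclass
class Rule:
    src: str            # "internet", "dmz" or "intranet"
    dst: str
    dport: "int | None" # destination port, or None for any port
    action: str         # "allow" or "deny"

def zone_of(ip):
    addr = ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in INTRANET:
        return "intranet"
    return "internet"

# The policy: first matching rule wins; traffic matching no rule is denied.
POLICY = [
    Rule("internet", "dmz", 443, "allow"),        # public web traffic terminates in the DMZ
    Rule("dmz", "intranet", 5432, "allow"),       # only the DMZ web tier may reach the database
    Rule("intranet", "internet", None, "allow"),  # staff may browse out
    Rule("internet", "intranet", None, "deny"),   # explicit: no direct path from outside to inside
]

def decide(src_ip, dst_ip, dport, policy=POLICY, log=None):
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    action = "deny"  # default-deny when nothing matches
    for rule in policy:
        if rule.src == src and rule.dst == dst and rule.dport in (None, dport):
            action = rule.action
            break
    if log is not None:  # firewalls log traffic to and from the private network
        log.append(f"{action.upper()} {src_ip}->{dst_ip}:{dport} ({src}->{dst})")
    return action
```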

Virtual Private Network (VPN)
• A technology that enables clients or employees of an organisation, who
are outside the network, to connect securely to the organisation on the
public Internet.
• They provide the capability to securely convey information across the
public network into the corporate network.
• It creates a 'tunnel' relying on authentication and encryption.

Virtual Private Network (VPN) (contd..)
• The two most popular types of VPN are:
1. Remote Access VPN or User VPN
• A remote access VPN or a user VPN is a VPN between an individual user machine and an
organization site or network.

• In this type of VPN, the user connects to the Internet via a local ISP dial-up, digital
subscriber line (DSL) or cable modem and initiates a VPN to the organization site via the
Internet.

• A remote access VPN offers two primary benefits:

• Mobile employees can have access to e-mails, information assets on an organization’s network and other
internal systems wherever they are without the need for expensive long-distance calls to dial-up servers.

• Employees who work from home can have the same access to network services as employees who work
from the organization facilities without the requirements for expensive leased lines.
Virtual Private Network (VPN) (contd..)
2. Site-to-Site VPN
• This is also known as the intranet site-to-site VPN. It is useful when an organization may
not have a need for ‘go-anywhere-dial-up access’ to the network, but instead wants
satellite offices, perhaps even in other countries, to be able to communicate and share
data with offices in other countries and the home office.

• Site-to-site VPNs can be one of the following two types:

1. Intranet-based VPN: If a company has one or more remote locations that they wish to
join in a single private network, they can create an intranet VPN to connect one LAN to
another LAN.

2. Extranet-based VPN: When a company has a close relationship with another company
they can build an extranet VPN that connects LAN to LAN and that allows all of the
various companies to work in a shared environment.
Site-to-Site VPN

Intrusion Detection Systems
• An IDS is a system that monitors network traffic or monitors host audit logs in
order to determine whether any violations of an organization’s security policy
have taken place. An IDS can detect intrusions that pass through a firewall or
those occurring within the local area network (LAN) behind the firewall.

• An IDS can be a hardware- or software-based security service that monitors and
analyses system events for the purpose of finding and providing real-time or near
real-time warning of events that are identified by the network configuration to
be attempts to access system resources in an unauthorized manner.

Intrusion Detection Systems
• Intrusion detection systems feature full-time monitoring tools placed at
the most vulnerable points or “hot spots” of corporate networks to
detect and deter intruders continually.
• The system generates an alarm if it finds a suspicious or anomalous
event.
• Scanning software looks for patterns indicative of known methods of
computer attacks and sends warnings of vandalism or system
administration errors.
• Monitoring software examines events as they are happening to discover
security attacks in progress.
• The intrusion detection tool can also be customized to shut down a
particularly sensitive part of a network if it receives unauthorized traffic.
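The scanning (signature) and monitoring (anomaly) behaviour described above, as an added example that is not from the lecture: it runs over a few constructed host audit log lines, raises an alarm on patterns of known attack methods and on a failed-login count that crosses a threshold, and exposes a response hook for the "shut down a sensitive part of the network" customisation. Log lines, addresses and thresholds are constructed.

```python
import re
from collections import Counter

# Constructed host audit log lines (syslog style), not taken from any real system.
SAMPLE_LOG = """\
Mar 01 10:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 5021 ssh2
Mar 01 10:00:02 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 5022 ssh2
Mar 01 10:00:03 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 5023 ssh2
Mar 01 10:00:04 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 5024 ssh2
Mar 01 10:00:09 web01 sshd[1202]: Accepted password for babu from 10.0.0.5 port 40112 ssh2
Mar 01 10:01:00 web01 httpd: GET /files/../../../config.ini from 198.51.100.9
Mar 01 10:01:30 web01 httpd: GET /images/logo.png from 10.0.0.8
"""

# Scanning: patterns indicative of known attack methods (signature detection).
SIGNATURES = {
    "path_traversal_probe": re.compile(r"(\.\./){2,}"),
    "root_login_attempt": re.compile(r"Failed password for root"),
}
# Monitoring: an anomaly threshold on failed logins per source address.
FAILED_RE = re.compile(r"Failed password for \S+ from (\S+)")

def analyse(log_text, threshold=4):
    """Return (alert_name, detail) tuples: the alarms the slides describe."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((name, line))
        match = FAILED_RE.search(line)
        if match:
            failures[match.group(1)] += 1
            if failures[match.group(1)] == threshold:  # alarm once, when the baseline is crossed
                alerts.append(("brute_force_suspected", match.group(1)))
    return alerts

def sources_to_isolate(alerts):
    """Response hook: source addresses whose traffic would be cut off from the sensitive segment."""
    return sorted({detail for name, detail in alerts if name == "brute_force_suspected"})
```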

Phishing Attack Countermeasures

• The most important step that companies can take today is to
educate web site users
• Many companies contract consulting firms that specialize in
anti-phishing filters
• Report Phishing emails
www.millersmiles.co.uk
https://cybercrime.gov.in/
https://www.cert-in.org.in/

Antivirus and Antispyware Software
• Antivirus software is designed to check computer systems
and drives for the presence of computer viruses.
• Often the software eliminates the virus from the infected
area.
• However, most antivirus software is effective only against
viruses already known when the software was written.
• To remain effective, the antivirus software must be
continually updated.
• Leading antivirus software vendors, such as McAfee,
Symantec, and Trend Micro, have enhanced their products
to include protection against spyware.

Unified Threat Management Systems
• A comprehensive appliance having various security tools, including
firewalls, virtual private networks, intrusion detection systems, and anti-
spam software.

• Helps businesses reduce costs and improve manageability.

• Although initially aimed at small and medium-sized businesses, UTM
products are available for all sizes of networks.

• Leading UTM vendors include Crossbeam, Fortinet, and Check Point.

Security of Electronic Mail Systems
• Electronic Mail System Mechanism

• When a user sends an e-mail message, it is first broken up by the transmission control protocol (TCP)
into Internet protocol (IP) packets.
• Those packets are then sent to an internal router where the destination address is examined.
• Based on the address, it decides whether the mail is meant for someone on the same network or to
someone outside of the network.
• If the mail is addressed to someone outside the network, it may pass through a firewall which keeps
track of messages and data going in and out of the network to and from the Internet.
• A gateway at the receiving network gets the e-mail message and it uses TCP to reconstruct the IP
packets into a full message.
• The gateway then translates the message into the protocol understood by the target network and
sends it on its way.

Security of Electronic Mail Systems (contd..)
• Security Threats posed by Electronic Mails
• Denial of service (DoS) attacks that are directed to the mail server or its supporting network that can deny
or hinder access to the mail server by valid users.
• Sensitive information on the mail server may be disclosed or changed in an unauthorized manner.
• Sensitive information that is transmitted unencrypted between a mail server and an e-mail client may be
intercepted.
• A successful attack on a mail server can be used to gain an unauthorized access to resources elsewhere in
the organization’s computer network.
• Attackers may use the organization’s mail server to send e-mail-based advertisements.
• A mail server that has been attacked can be used to attack another organization’s network, perhaps
creating liability for damages to the sending organization.
• Viruses and other types of malicious code or phishing messages may be distributed to computers
throughout an organization via an e-mail.
• Users may send inappropriate, proprietary or other sensitive information via an e-mail.

Security of Electronic Mail Systems (contd..)

• Objectives of Email Security

• non-repudiation, that is, the sender cannot deny sending the message at a later date, and the
receiver cannot deny receiving it;
• messages are read only by their intended recipients;
• authentication of the source;
• verification of delivery;
• control of access (to e-mails).

Security of Electronic Mail Systems
• Countermeasures (User Perspective)

• KRESV test
• The Know test
• The Received test
• The Expect Test
• The Sense Test
• The Virus Test

Security of Electronic Mail Systems
• Countermeasures (Organizational perspective)

• Careful planning to address security aspects of mail server deployment.
• Implementing appropriate security management practices and controls.
• Ensuring that the mail server OS is deployed, configured and managed to meet the security requirements of the
organization.
• Ensuring that the mail server application is deployed, configured and managed to meet the security requirements of the
organization.
• Implementing and using cryptography to protect user authentication and mail data.
• Use of network infrastructure to protect the mail servers.
• Ongoing maintenance of mail server security.

• Email Policy Example : https://policy.arizona.edu/printpdf/165

Penetration Testing

• A penetration test is a method of evaluating the security of a computer system or network by
simulating an attack by a ‘malicious user’, commonly known as a hacker.
• Reasons for performing a penetration test
• To find vulnerabilities and fix them before an attacker does.
• To provide official reporting of vulnerabilities by an external expert so that management will approve
the necessary resources required to fix them.
• To give the IT department a chance to respond to an attack.
• By performing penetration tests against your environment, you can actually replicate the types of
actions that a malicious attacker would take, giving you a more accurate representation of your
security posture at any given time.
• Having a second set of eyes check out a critical computer system is always a good security
practice.

Penetration Testing Approach

• The main aspect that separates a penetration tester from an attacker is permission. The
penetration tester will have permission from the owner of the computing resources that are
being tested and will be responsible to provide a report.

• Penetration tests can be conducted in several ways. It depends on the amount of knowledge
possessed by the tester and the implementation details of the system being tested that are
available to the testers.

• Penetration tests may also be described as ‘full disclosure’, ‘partial disclosure’ or ‘blind tests’
based on the amount of information provided to the testing party; of course, organizations must
get a non-disclosure agreement (NDA) signed by the testers to ensure that the system details
revealed to the testers will not be misused by them.

Penetration Testing Tools

There are a wide variety of tools that are used in penetration testing. These tools are of two main
types:

1. Reconnaissance tools:
Reconnaissance refers to a set of processes and techniques, such as footprinting, scanning
and enumeration, that are used to gather and covertly discover as much information as possible
about a target system. Reconnaissance may be active or passive.

2. Exploitation tools:
Exploitation tools are used to verify that an actual vulnerability exists by exploiting it. It is one
thing to have vulnerability testing software or banners indicating the possibility of an exploitable
service, but quite another to exploit that vulnerability.
