Fundamentals of Information Systems Security

This document discusses key concepts in information security including the CIA triad of confidentiality, integrity and availability. It defines common security terms like vulnerability, threat, risk, and countermeasures. It also outlines different types of security controls including administrative, technical, and physical controls. Finally, it covers information security governance and the role of security policies, procedures, standards and guidelines in governance.

Information security means protecting information (data) and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction.

Information security management is the process of defining the security controls needed to
protect the information assets.

Information asset is any object

Core Information Security Principles


The three fundamental principles of security are confidentiality, integrity, and availability,
commonly referred to as the CIA triad; together they form the main objective of any security
program.

The level of security required to accomplish these principles differs per company, because
each has its own unique combination of business and security goals and requirements.

All security controls, mechanisms, and safeguards are implemented to provide one or more of
these principles.

All risks, threats, and vulnerabilities are measured by their potential to compromise one or
more of the CIA principles.

Confidentiality

 Ensures that the necessary level of secrecy is enforced at each junction of data
processing and prevents unauthorized disclosure. This level of confidentiality should
prevail while data resides on systems and devices within the network, while it is
transmitted, and once it reaches its destination.

 Threat sources
o Network monitoring (sniffing traffic in transit)
o Shoulder surfing: watching a user's keystrokes or screen
o Stealing password files
o Social engineering: an attacker posing as a legitimate party to trick users into
disclosing information
 Countermeasures
o Encrypting data as it is stored and transmitted
o Traffic (network) padding, so that the volume of traffic reveals nothing about its content
o Implementing strict access control mechanisms and data classification
o Training personnel on proper procedures

Integrity

 Integrity of data is protected when the accuracy and reliability of information and
systems are assured and unauthorized modification is prevented.

 Threat sources
o Viruses and other malicious code that alter data or system files
 Countermeasures
o Strict access control
o Intrusion detection
o Hashing (cryptographic checksums that reveal any change to stored or transmitted
data)
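The hashing countermeasure above, worked through as an added example (this is not code from the original notes): a keyed hash (HMAC-SHA256) is recorded for each file while the system is in a known-good state, and a later scan reports anything modified, added or removed. The file contents and the attacker's changes are constructed sample data, and the key is assumed to be kept where an attacker who can write the files cannot read it; that assumption is the point of the last function, which shows why an unkeyed hash list stored beside the data is not enough.

```python
"""Integrity baseline with a keyed hash (HMAC-SHA256).

Added example for the Integrity section; not part of the original notes.
The sample "files" are constructed in-memory data standing in for a
directory tree.  Assumption: the verifier's key is held where an attacker
who can modify the files cannot read it.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample: path -> contents at the time the baseline was taken.
FILES_AT_BASELINE: Dict[str, bytes] = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "etc/sudoers": b"root ALL=(ALL) ALL\n",
    "bin/login": b"\x7fELF original-binary-bytes",
}


def digest(key: bytes, data: bytes) -> str:
    """Keyed hash of one file's contents.  Without the key an attacker cannot
    compute the value the verifier will expect for tampered bytes."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def take_baseline(key: bytes, files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the agreed-upon state: one HMAC per file."""
    return {path: digest(key, data) for path, data in files.items()}


def verify(key: bytes, baseline: Dict[str, str],
           files: Dict[str, bytes]) -> Tuple[List[str], List[str], List[str]]:
    """Compare the current files with the baseline.

    Returns (modified, added, removed) path lists.  compare_digest is used so
    that the comparison time does not leak how many leading characters match.
    """
    modified = sorted(path for path, data in files.items()
                      if path in baseline
                      and not hmac.compare_digest(baseline[path], digest(key, data)))
    added = sorted(set(files) - set(baseline))
    removed = sorted(set(baseline) - set(files))
    return modified, added, removed


def tampered_copy() -> Dict[str, bytes]:
    """Constructed post-compromise state: sudoers edited, a file dropped in
    tmp, the login binary deleted."""
    files = dict(FILES_AT_BASELINE)
    files["etc/sudoers"] += b"attacker ALL=(ALL) NOPASSWD: ALL\n"
    files["tmp/.x"] = b"payload"
    del files["bin/login"]
    return files


def forged_baseline_detected(key: bytes) -> bool:
    """Why the key matters.  If the baseline were a plain SHA-256 list stored
    next to the data, an attacker able to write both would recompute the hash
    of the tampered file and the check would pass.  Here the attacker rewrites
    the entry with the only value they can compute (a plain SHA-256) and the
    keyed verifier still flags the file."""
    files = dict(FILES_AT_BASELINE)
    files["etc/sudoers"] += b"attacker ALL=(ALL) NOPASSWD: ALL\n"
    forged = take_baseline(key, FILES_AT_BASELINE)
    forged["etc/sudoers"] = hashlib.sha256(files["etc/sudoers"]).hexdigest()
    modified, _, _ = verify(key, forged, files)
    return "etc/sudoers" in modified


if __name__ == "__main__":
    KEY = b"verifier-key-kept-off-the-monitored-host"   # assumption, see above
    base = take_baseline(KEY, FILES_AT_BASELINE)
    print("clean scan:  ", verify(KEY, base, FILES_AT_BASELINE))
    print("after tamper:", verify(KEY, base, tampered_copy()))
    print("forged entry caught:", forged_baseline_detected(KEY))
```

Run the module directly to see the three scans. In practice the baseline is taken from a freshly installed or verified host, stored off that host, and the same verifier logic is applied on a schedule; file integrity monitoring tools do exactly this with a larger set of metadata (permissions, owner, inode) per file.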

Availability

 Availability ensures reliable and timely access to data and resources for authorized
individuals.
 Threat sources
o Device or software failure.
o Environmental issues like heat, cold, humidity, static electricity, and
contaminants can also affect system availability.
o Denial-of-service (DoS) attacks
 Countermeasures
o Maintaining backups to replace the failed system
o IDS to monitor the network traffic and host system activities
o Use of certain firewall and router configurations

Definitions of Some Security Terms

Vulnerability

 It is a software, hardware, or procedural weakness that may provide an attacker the
open door he is looking for to enter a computer or network and gain unauthorized
access to resources within the environment.
 Vulnerability characterizes the absence or weakness of a safeguard that could be
exploited.
 E.g.: a service running on a server, unpatched applications or operating system
software, unrestricted modem dial-in access, an open port on a firewall, lack of
physical security etc.

Threat

 Any potential danger to information or systems.
 A threat is the possibility that someone or something (a person, a piece of software)
will identify and exploit the vulnerability.
 The entity that takes advantage of vulnerability is referred to as a threat agent. E.g.: A
threat agent could be an intruder accessing the network through a port on the firewall

Risk

 Risk is the likelihood of a threat agent taking advantage of vulnerability and the
corresponding business impact.
 Reducing vulnerability and/or threat reduces the risk.
 E.g.: If a firewall has several ports open, there is a higher likelihood that an intruder
will use one to access the network in an unauthorized method.

Exposure

 An exposure is an instance of being exposed to losses from a threat agent.
 A vulnerability exposes an organization to possible damage.
 E.g.: If password management is weak and password rules are not enforced, the
company is exposed to the possibility of having users' passwords captured and used in
an unauthorized manner.

Countermeasure or Safeguard

 It is an application, a software configuration, a piece of hardware, or a procedure that
mitigates the risk.
 E.g.: strong password management, a security guard, access control mechanisms
within an operating system, the implementation of basic input/output system (BIOS)
passwords, and security-awareness training.

The Relation Between the Security Elements

 Example: If a company has antivirus software but does not keep the virus signatures
up to date, this is a vulnerability. The company is vulnerable to virus attacks.
 The threat is that a virus will show up in the environment and disrupt productivity.
 The likelihood of a virus showing up in the environment and causing damage is the
risk.
 If a virus infiltrates the company's environment, the vulnerability has been exploited
and the company is exposed to loss.
 The countermeasures in this situation are to update the signatures and install the
antivirus software on all computers.

Alternative description:
A threat agent causes the realisation of a threat by exploiting a vulnerability. The
measurement of the extent to which this exploitation causes damage is the exposure. The
organisational loss created within the exposure is the impact. Risk is the probability that a
threat event will generate loss and be realised within the organisation.

Example:

 Target: A bank contains money.
 Threat: There are individuals who want, or need, additional money.
 Vulnerability: The bank uses software that has a security flaw.
 Exposure: 20% of the bank's assets are affected by this flaw.
 Exploit: By running a small snippet of code (malware), the software can be accessed
illegally.
 Threat Agent: There are hackers who have learned how to use this malware to control
the bank's software.
 Exploitation: The hackers access the software using the malware and steal money.
 Impact: The bank loses monetary assets, reputation, and future business.
 Risk: The likelihood that a hacker will exploit the bank's software vulnerability and
impact the bank's reputation and monetary resources.

Security Controls

Security Controls can be classified into three categories

Administrative controls are commonly referred to as "soft controls" because they are more
management-oriented. Examples of administrative controls are security documentation, risk
management, personnel security, and training.

Administrative controls include

 Developing and publishing policies, standards, procedures, and guidelines.
 Screening of personnel.
 Conducting security-awareness training.
 Implementing change control procedures.

Technical controls (also called logical controls) are software or hardware components, as in
firewalls, IDS, encryption, identification and authentication mechanisms.

Technical or logical controls include

 Implementing and maintaining access control mechanisms.
 Password and resource management.
 Identification and authentication methods.
 Security devices.
 Configuration of the infrastructure.

Physical controls are items put into place to protect facility, personnel, and resources.
Examples of physical controls are security guards, locks, fencing, and lighting.

Physical controls include

 Controlling individual access into the facility and different departments.
 Locking systems and removing unnecessary removable-media drives (e.g. floppy or
CD-ROM drives).
 Protecting the perimeter of the facility.
 Monitoring for intrusion.
 Environmental controls.

Information Security Management Governance

Security Governance

Governance is the set of responsibilities and practices exercised by the board and executive
management with the goal of providing strategic direction, ensuring that objectives are
achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's
resources are used responsibly.

Information Security Governance (ISG) is a subset discipline of corporate governance
focused on information security systems and their performance and risk management.

Security Policies, Procedures, Standards, Guidelines, and Baselines

Policies

A security policy is an overall general statement produced by senior management (or a
selected policy board or committee) that dictates what role security plays within the
organization.

A well designed policy addresses:

1. What is being secured? Typically an asset.
2. Who is expected to comply with the policy? Typically employees.
3. Where is the vulnerability, threat or risk? Typically an issue of integrity or
responsibility.

Types of Policies

 Regulatory: This type of policy ensures that the organization is following standards
set by specific industry regulations. This policy type is very detailed and specific to a
type of industry. It is used in financial institutions, health care facilities, public
utilities, and other government-regulated industries. E.g.: policies implementing the
rules of a sector regulator such as TRAI (the Telecom Regulatory Authority of India).
 Advisory: This type of policy strongly advises employees regarding which types of
behaviors and activities should and should not take place within the organization. It
also outlines possible ramifications if employees do not comply with the established
behaviors and activities. This policy type can be used, for example, to describe how to
handle medical information, handle financial transactions, or process confidential
information.
 Informative: This type of policy informs employees of certain topics. It is not an
enforceable policy, but rather one to teach individuals about specific issues relevant to
the company. It could explain how the company interacts with partners, the
company's goals and mission, and a general reporting structure in different situations.

Types of Security Policies

 Organizational
o Management establishes how a security program will be set up, lays out the
program's goals, assigns responsibilities, shows the strategic and tactical value
of security, and outlines how enforcement should be carried out.
o Provides scope and direction for all future security activities within the
organization.
o This policy must address relative laws, regulations, and liability issues and
how they are to be satisfied.
o It also describes the amount of risk senior management is willing to accept.
o Characteristics
 Business objectives should drive the policy's creation, implementation,
and enforcement. The policy should not dictate business objectives.
 It should be an easily understood document that is used as a reference
point for all employees and management.
 It should be developed and used to integrate security into all business
functions and processes.
 It should be derived from and support all legislation and regulation
applicable to the company.
 It should be reviewed and modified as a company changes, such as
through adoption of a new business model, merger with another
company, or change of ownership.
 Each iteration of the policy should be dated and under version control.
 The units and individuals who are governed by the policy must have
access to the applicable portions and not be expected to have to read all
policy material to find direction and answers
 Issue-specific
o Addresses specific security issues that management feels need more detailed
explanation and attention to make sure a comprehensive structure is built and
all employees understand how they are to comply with these security issues
o E.g.: An e-mail policy might state that management can read any employee's
e-mail messages that reside on the mail server, but not when they reside on the
user's workstation
 System-specific

o Presents the management's decisions that are specific to the actual computers,
networks, applications, and data.
o This type of policy may provide an approved software list, which contains a
list of applications that may be installed on individual workstations.
o E.g.: This policy may describe how databases are to be used and protected,
how computers are to be locked down, and how firewalls, IDSs, and scanners
are to be employed.

Standards

 Standards refer to mandatory activities, actions, rules, or regulations.
 Standards give a policy its support and reinforcement in direction.
 Standards can be internal, or externally mandated (government laws and
regulations).

Procedures

 Procedures are detailed step-by-step tasks that should be performed to achieve a
certain goal.
 E.g.: we can write procedures on how to install operating systems, configure security
mechanisms, implement access control lists, set up new user accounts, assign
computer privileges, audit activities, destroy material, report incidents, and much
more.
 Procedures are considered the lowest level in the policy chain because they are closest
to the computers and users (compared to policies) and provide detailed steps for
configuration and installation issues.
 Procedures spell out how the policy, standards, and guidelines will actually be
implemented in an operating environment.
 If a policy states that all individuals who access confidential information must be
properly authenticated, the supporting procedures will explain the steps for this to
happen by defining the access criteria for authorization, how access control
mechanisms are implemented and configured, and how access activities are audited

Baselines

 A baseline can refer to a point in time that is used as a comparison for future changes.
Once risks have been mitigated, and security put in place, a baseline is formally
reviewed and agreed upon, after which all further comparisons and development are
measured against it.
 A baseline results in a consistent reference point.
 Baselines are also used to define the minimum level of protection that is required.
 In security, specific baselines can be defined per system type, which indicates the
necessary settings and the level of protection that is being provided. For example, a
company may stipulate that all accounting systems must meet an Evaluation
Assurance Level (EAL) 4 baseline.
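The per-system-type baseline described above, as an added example (this is not from the original notes): a small baseline for an SSH daemon, a parser for the effective global directives of an sshd_config file, and a check that reports every setting that falls below the baseline. The baseline values, the table of values sshd applies when a directive is absent, and the sample configuration are constructed for illustration and should be treated as assumptions rather than a published benchmark. Note the distinction from the EAL example in the text: an EAL is a product-evaluation baseline, while this is a configuration baseline of the kind a company would define per system type.

```python
"""Checking a host's SSH daemon configuration against a security baseline.

Added example for the Baselines section; not part of the original notes.
The baseline values, the implicit-default table and the sample sshd_config
text are constructed for illustration (assumptions, not a published
benchmark).  Only the global section of the file is evaluated; directives
inside Match blocks are out of scope here.
"""
from typing import Callable, Dict, List, Tuple

# Baseline for one system type, say "internet-facing Linux server" (constructed).
# setting -> (requirement in words, predicate the observed value must satisfy)
SSH_BASELINE: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "PermitRootLogin":        ("must be 'no'",       lambda v: v.lower() == "no"),
    "PasswordAuthentication": ("must be 'no'",       lambda v: v.lower() == "no"),
    "PermitEmptyPasswords":   ("must be 'no'",       lambda v: v.lower() == "no"),
    "MaxAuthTries":           ("must be 4 or fewer", lambda v: v.isdigit() and int(v) <= 4),
    "X11Forwarding":          ("must be 'no'",       lambda v: v.lower() == "no"),
}

# Value the daemon applies when the directive is absent from the file (assumed
# for this example; confirm against the sshd_config(5) page of your version).
IMPLICIT_DEFAULTS: Dict[str, str] = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "MaxAuthTries": "6",
    "X11Forwarding": "no",
}

# Constructed sshd_config as found on the audited host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes        # sshd uses the first value it sees ...
PermitRootLogin no         # ... so this line has no effect
MaxAuthTries 10
X11Forwarding no
PermitEmptyPasswords no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global directives, keyed in lower case.

    sshd keywords are case-insensitive, '#' starts a comment, and when a
    keyword appears more than once the first occurrence wins, so a later
    "hardening" line does not override an earlier permissive one.  Parsing
    stops at the first Match block.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) != 2:
            continue
        effective.setdefault(key, parts[1].strip())        # first occurrence wins
    return effective


def check_baseline(effective: Dict[str, str],
                   baseline: Dict[str, Tuple[str, Callable[[str], bool]]] = SSH_BASELINE,
                   defaults: Dict[str, str] = IMPLICIT_DEFAULTS) -> List[str]:
    """One finding per setting that falls below the baseline.

    A directive missing from the file is judged by the daemon's default rather
    than skipped: an absent PasswordAuthentication is a finding, because the
    default is 'yes'.
    """
    findings: List[str] = []
    for setting, (requirement, meets) in baseline.items():
        key = setting.lower()
        if key in effective:
            observed, source = effective[key], "set"
        else:
            observed, source = defaults[setting], "default"
        if not meets(observed):
            findings.append(f"{setting}={observed} ({source}): {requirement}")
    return findings


def is_compliant(text: str) -> bool:
    """True when the configuration text meets every baseline requirement."""
    return not check_baseline(parse_sshd_config(text))


if __name__ == "__main__":
    for finding in check_baseline(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print("DRIFT:", finding)
```

Two details matter in practice and are handled here: sshd honours the first occurrence of a repeated keyword, so a later hardening line does not fix an earlier permissive one, and a directive that is missing from the file must be judged against the daemon's default rather than skipped, otherwise an absent PasswordAuthentication passes silently. The same shape (baseline table, parser for the effective state, drift report) applies to any other system type's baseline.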

Guidelines

 Guidelines are recommended actions and operational guides to users, IT staff,
operations staff, and others when a specific standard does not apply.
 Guidelines can deal with the methodologies of technology, personnel, or physical
security.

Putting It All Together

 A policy might state that access to confidential data must be audited. A supporting
guideline could further explain that audits should contain sufficient information to
allow for reconciliation with prior reviews. Supporting procedures would outline the
necessary steps to configure, implement, and maintain this type of auditing.
 Policies are strategic (long term), while standards, guidelines and procedures are
tactical (medium term).

Organizational Security Models

Some of the best-practice frameworks that facilitate the implementation of security controls
include the COSO internal control framework, Control Objectives for Information and
Related Technology (COBIT), ISO/IEC 17799/BS 7799 (now the ISO/IEC 27000 series),
Information Technology Infrastructure Library (ITIL), and Operationally Critical Threat,
Asset and Vulnerability Evaluation (OCTAVE).

COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S.
private-sector initiative, formed in 1985. Its major objective is to identify the factors that
cause fraudulent financial reporting and to make recommendations to reduce its incidence.
COSO has established a common definition of internal controls, standards, and criteria
against which companies and organizations can assess their control systems.

Key concepts of the COSO framework

 Internal control is a process. It is a means to an end, not an end in itself.
 Internal control is effected by people. It is not merely policy manuals and forms, but
people at every level of an organization.
 Internal control can be expected to provide only reasonable assurance, not absolute
assurance, to an entity's management and board.
 Internal control is geared to the achievement of objectives in one or more separate but
overlapping categories.

The COSO framework defines internal control as a process, effected by an entity's board of
directors, management and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives in the following categories:

 Effectiveness and efficiency of operations
 Reliability of financial reporting
 Compliance with applicable laws and regulations.

COSO Internal Control Framework: the five components

According to the COSO framework, internal control consists of five interrelated components.
These components provide an effective framework for describing and analyzing the internal
control system implemented in an organization. The five components are the following:

 Control Environment: The control environment sets the tone of an organization,
influencing the control consciousness of its people. It is the foundation for all other
components of internal control, providing discipline and structure. Control
environment factors include the integrity, ethical values, management's operating
style, delegation of authority systems, as well as the processes for managing and
developing people in the organization.

 Risk assessment: Every entity faces a variety of risks from external and internal
sources that must be assessed. A precondition to risk assessment is establishment of
objectives and thus risk assessment is the identification and analysis of relevant risks
to achievement of assigned objectives. Risk assessment is a prerequisite for
determining how the risks should be managed.

 Control activities: Control activities are the policies and procedures that help ensure
management directives are carried out. They help ensure that necessary actions are
taken to address risks to achievement of the entity's objectives. Control activities
occur throughout the organization, at all levels and in all functions. They include a
range of activities as diverse as approvals, authorizations, verifications,
reconciliations, reviews of operating performance, security of assets and Separation of
duties/segregation of duties.

 Information and communication: Information systems play a key role in internal
control systems as they produce reports, including operational, financial and
compliance-related information, that make it possible to run and control the business.
In a broader sense, effective communication must ensure information flows down,
across and up the organization. Effective communication should also be ensured with
external parties, such as customers, suppliers, regulators and shareholders.

 Monitoring: Internal control systems need to be monitored, a process that assesses
the quality of the system's performance over time. This is accomplished through
ongoing monitoring activities or separate evaluations. Internal control deficiencies
detected through these monitoring activities should be reported upstream and
corrective actions should be taken to ensure continuous improvement of the system.

ITIL

The Information Technology Infrastructure Library (ITIL) is a set of concepts and techniques
for managing information technology (IT) infrastructure, development, and operations.

ITIL is published in a series of books, each of which covers an IT management topic.

Overview and Benefits

ITIL provides a systematic and professional approach to the management of IT service
provision. Adopting its guidance offers a range of benefits that include:

 reduced costs;
 improved IT services through the use of proven best-practice processes;
 improved customer satisfaction through a more professional approach to service
delivery;
 standards and guidance;
 improved productivity;
 improved use of skills and experience; and
 improved delivery of third-party services through the specification of ITIL or ISO/IEC
20000 as the standard for service delivery in services procurements.

ITIL v3

ITIL v3, published in May 2007, comprises five key volumes:

1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement

COBIT 4.x

Control Objectives for Information and related Technology (COBIT, here version 4.x) is a set
of best practices (a framework) for information technology (IT) management created by the
Information Systems Audit and Control Association (ISACA), first released in 1996, and
maintained together with the IT Governance Institute (ITGI). COBIT provides managers,
auditors, and IT users with a set of generally accepted measures, indicators, processes and
best practices to assist them in maximizing the benefits derived through the use of
information technology and developing appropriate IT governance and control in a company.

Overview

 COBIT 4.1 has 34 high-level processes that cover 210 control objectives categorized in
four domains:
o Plan and Organize
o Acquire and Implement
o Deliver and Support
o Monitor and Evaluate
 COBIT provides benefits to managers, IT users, and auditors
o Managers benefit from COBIT because it provides them with a foundation
upon which IT related decisions and investments can be based. Decision
making is more effective because COBIT aids management in defining a
strategic IT plan, defining the information architecture, acquiring the
necessary IT hardware and software to execute an IT strategy, ensuring
continuous service, and monitoring the performance of the IT system.
o IT users benefit from COBIT because of the assurance provided to them by
COBIT's defined controls, security, and process governance.
o COBIT benefits auditors because it helps them identify IT control issues
within a company's IT infrastructure. It also helps them corroborate their audit
findings.

COBIT structure

 Plan and Organize: The Plan and Organize domain covers the use of
information & technology and how best it can be used in a company to help achieve
the company's goals and objectives. It also highlights the organizational and
infrastructural form IT is to take in order to achieve the optimal results and to
generate the most benefits from the use of IT.
 Acquire and Implement: The Acquire and Implement domain covers identifying IT
requirements, acquiring the technology, and implementing it within the company's
current business processes. This domain also addresses the development of a
maintenance plan that a company should adopt in order to prolong the life of an IT
system and its components.
 Deliver and Support: The Deliver and Support domain focuses on the delivery
aspects of the information technology. It covers areas such as the execution of the
applications within the IT system and its results, as well as, the support processes that
enable the effective and efficient execution of these IT systems. These support
processes include security issues and training.
 Monitor and Evaluate: The Monitor and Evaluate domain deals with a
company's strategy in assessing the needs of the company and whether or not the
current IT system still meets the objectives for which it was designed and the controls
necessary to comply with regulatory requirements. Monitoring also covers the issue of
an independent assessment of the effectiveness of IT system in its ability to meet
business objectives and the company's control processes by internal and external
auditors.

ISO/IEC 27000 Series (Formerly BS 7799/ISO 17799)

Tracking the history of the ISO/IEC 27000 series of standards is somewhat of a challenge.
This section provides the history of the ISO standard for information security management
that began with BS 7799, later resulted in ISO 17799, and eventually became the ISO 27000
"family of standards" for Information Security Management Systems (ISMS). Like the other
control and governance models, the ISO 27000 series provides a set of guidelines and best
practices for information security management. The standards are the product of ISO/IEC
JTC 1 (Joint Technical Committee 1) SC 27 (Subcommittee 27), an international body that
meets in person twice a year. The International Organization for Standardization (ISO) also
develops standards for quality control, environmental protection, product usability,
manufacturing, etc.

BS 7799

BS 7799 is divided into three parts:

 BS 7799 Part 1 was a standard originally published as BS 7799 by the British
Standards Institution (BSI) in 1995.
o It was adopted by ISO as ISO/IEC 17799, "Information technology - Code of
practice for information security management", in 2000.
o ISO/IEC 17799 was revised in June 2005 and renumbered ISO/IEC 27002 in
July 2007.
 BS 7799 Part 2 was first published by BSI in 1999 under the title "Information
Security Management Systems - Specification with guidance for use". It focuses on
how to implement an information security management system (ISMS).
o The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA)
cycle (the Deming quality assurance model), aligning it with quality standards
such as ISO 9000.
o BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in October 2005.
 BS 7799 Part 3 was published in 2006, covering information security risk analysis and
management. It aligns with ISO/IEC 27001.

ISO 17799

 Derived from BS 7799.
 It is an internationally recognized information security management (ISM) standard
that provides high-level, conceptual recommendations on enterprise security.
 The BS 7799 material from which it derives has two parts (often taught together under
the ISO 17799 name, although ISO/IEC 17799 itself adopted only the first):
o Part I is an implementation guide with guidelines on how to build a
comprehensive information security infrastructure.
o Part II is an auditing guide based on requirements that must be met for an
organization to be deemed compliant.
 ISO 17799 domains
o Information security policy for the organization: Map of business objectives to
security, management's support, security goals, and responsibilities.
o Creation of information security infrastructure: Create and maintain an
organizational security structure through the use of security forum, security
officer, defining security responsibilities, authorization process, outsourcing,
and independent review.
o Asset classification and control: Develop a security infrastructure to protect
organizational assets through accountability and inventory, classification, and
handling procedures.
o Personnel security: Reduce risks that are inherent in human interaction by
screening employees, defining roles and responsibilities, training employees
properly, and documenting the ramifications of not meeting expectations.
o Physical and environmental security: Protect the organization's assets by
properly choosing a facility location, erecting and maintaining a security
perimeter, implementing access control, and protecting equipment.
o Communications and operations management: Carry out operations security
through operational procedures, proper change control, incident handling,
separation of duties, capacity planning, network management, and media
handling.
o Access control: Control access to assets based on business requirements, user
management, authentication methods, and monitoring.
o System development and maintenance: Implement security in all phases of a
system's lifetime through development of security requirements, cryptography,
integrity, and software development procedures.
o Business continuity management: Counter disruptions of normal operations by
using continuity planning and testing.
o Compliance: Comply with regulatory, contractual, and statutory requirements
by using technical controls, system audits, and legal awareness.

ISO 27000 Series

The ISO/IEC 27000 series (also known as the 'ISMS Family of Standards' or 'ISO27k' for
short) comprises information security standards published jointly by the International
Organization for Standardization (ISO) and the International Electrotechnical Commission
(IEC).

The series provides best-practice recommendations on information security management,
risks and controls within the context of an overall Information Security Management System
(ISMS), similar in design to management systems for quality assurance (the ISO 9000 series)
and environmental protection (the ISO 14000 series).

The series is deliberately broad in scope, covering more than just privacy, confidentiality and
IT or technical security issues. It is applicable to organizations of all shapes and sizes. All
organizations are encouraged to assess their information security risks, then implement
appropriate information security controls according to their needs, using the guidance and
suggestions where relevant. Given the dynamic nature of information security, the ISMS
concept incorporates continuous feedback and improvement activities, summarized by
Deming's "plan-do-check-act" approach, that seek to address changes in the threats,
vulnerabilities or impacts of information security incidents.

The following 27000-series standards had been published at the time of writing:

 ISO 27000 Information security management systems -- Overview and vocabulary:
an overview of the ISMS family and a glossary of terms.
 ISO 27001 Information security management systems -- Requirements. This is the
specification (requirements) for an information security management system (ISMS),
which replaced the old BS 7799-2 standard.
 ISO 27002 Code of practice for information security management. This is the
27000-series number of what was originally the ISO 17799 standard (which itself was
formerly BS 7799-1).
 ISO 27003 Information security management system implementation guidance:
guidance for implementing an ISMS.
 ISO 27004 Information security management -- Measurement. This standard covers
measurement and metrics for information security management, including
suggested ISO 27002-aligned controls.
 ISO 27005 Information security risk management. This is the
methodology-independent ISO standard for information security risk management.
 ISO 27006 Requirements for bodies providing audit and certification of information
security management systems. This standard provides guidelines for the accreditation
of organizations offering ISMS certification.

Other 27000-series ISO publications:

 ISO 27011 Information security management guidelines for telecommunications
organizations based on ISO/IEC 27002
 ISO 27033 Network security -- Part 1: Overview and concepts
 ISO 27799 Health informatics -- Information security management in health using
ISO/IEC 27002

Although the list of ISO 27000-series standards for information security management
continues to grow, ISO/IEC 27001 and ISO/IEC 27002 remain the most widely used, both
because they provide the most basic guidance for an enterprise information security
program's practices and processes, and because they are the current versions of their
popular predecessors (BS 7799 and ISO 17799).

Organizational Behavior
Job Rotation

Job rotation is an approach to management development where an individual is moved
through a schedule of assignments designed to give him or her a breadth of exposure to the
entire operation.

Job rotation is also practiced to allow qualified employees to gain more insights into the
processes of a company and to increase job satisfaction through job variation.

Separation of Duties

Separation of duties (SoD) is the concept of having more than one person required to
complete a task. It is alternatively called segregation of duties or, in the political realm,
separation of powers.

This approach can make it very difficult to determine the underlying causes of errors or
failures in a large entity's production automation, because no single person is able to view the
information flow from the "big picture": for example, an automated program starts an
application that is not creating the correct output data but is not clearly failing with an error
message alert, running on a Virtual Server client that transports the data file that is created to
an outside client, and so on. Each individual in a separated department will typically just
glance at the application software used to manage their specified section on their monitor
screen, see no obvious errors, assume the unknown error causing the complete system or
process failure is not within their section, and go back to the practice of communicating
effectively while writing up all the great accomplishments they delivered that furthered the
entity's stated goals, to have available for their next review with management, because that is
what HR told them to do. (Not that this behavior is faulty or wrong in any sense; it is actually
doing what the entity's incentives are geared to encourage, not only for advancement but to
keep a job as well.)

Without those few and far between expert-level techs who have (or can get) the
administration rights to view all aspects of any given production process, it will be nearly
impossible to determine the underlying cause, and this can lead to outrageous decisions as to
what the problem must have been. (For example: deciding to quit using all virtual servers and
go back to multiple actual server machines, each connected to its own monitor, all because no
error handling was coded in the in-house written .NET program. Or nobody realizing the
automated software machine was running into RAM issues because every automated job was
set to auto-start at exactly 6:00 and MS Windows has a built-in limit of a maximum of 10
network connections at one time, even at the enterprise level, and so forth.) ***These SoD
positions are of no interest to those high-level technical experts who seek to be constantly
challenged.***

Overview

 SoD in basic terms means that no single individual should have control over two or more
phases of a transaction or operation, so that deliberate fraud is more difficult to carry out
because it requires the collusion of two or more individuals or parties.
 With the concept of SoD, business-critical duties can be categorized into four types of
functions: authorization, custody, record keeping and reconciliation. In a perfect
system, no one person should handle more than one type of function.
 In information systems, segregation of duties helps reduce the potential damage from
the actions of one person. The IS or end-user department should be organized in a way that
achieves adequate separation of duties.
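As an added example (not part of the original notes), the following C program models the four SoD function types above: it reports any person who has been assigned more than one function type, and checks that a completed transaction's four phases were carried out by four different people, so that fraud would require collusion. The user names, duty assignments and the function names sod_conflicts and transaction_segregated are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* The four SoD function types named in the notes. */
typedef enum {
    AUTHORIZATION, CUSTODY, RECORD_KEEPING, RECONCILIATION, FUNC_COUNT
} sod_function;

/* One duty assignment: which function type a user holds (constructed sample data). */
typedef struct {
    const char *user;
    sod_function func;
} assignment;

#define MAX_USERS 32

/* Count how many distinct function types each user holds and report every user
 * holding more than one. Returns the number of conflicting users and writes
 * their names into out[] (at most out_cap of them). */
size_t sod_conflicts(const assignment *a, size_t n, const char **out, size_t out_cap) {
    const char *users[MAX_USERS];
    unsigned char held[MAX_USERS][FUNC_COUNT] = {0};
    size_t nusers = 0;

    for (size_t i = 0; i < n; i++) {
        size_t u;
        for (u = 0; u < nusers; u++)
            if (strcmp(users[u], a[i].user) == 0) break;
        if (u == nusers) {
            if (nusers == MAX_USERS) break;   /* sample capacity exceeded */
            users[nusers++] = a[i].user;
        }
        held[u][a[i].func] = 1;               /* mark this function type as held */
    }

    size_t conflicts = 0;
    for (size_t u = 0; u < nusers; u++) {
        int kinds = 0;
        for (int f = 0; f < FUNC_COUNT; f++) kinds += held[u][f];
        if (kinds > 1) {                      /* more than one function type: SoD conflict */
            if (conflicts < out_cap) out[conflicts] = users[u];
            conflicts++;
        }
    }
    return conflicts;
}

/* Check a single completed transaction: actors[] holds who performed each of the
 * four phases, indexed by sod_function. All four must be different people,
 * otherwise one actor could have committed fraud without collusion.
 * Returns 1 if properly segregated, 0 otherwise. */
int transaction_segregated(const char *const actors[FUNC_COUNT]) {
    for (int i = 0; i < FUNC_COUNT; i++)
        for (int j = i + 1; j < FUNC_COUNT; j++)
            if (strcmp(actors[i], actors[j]) == 0) return 0;
    return 1;
}

int main(void) {
    /* Constructed sample: "bob" both approves transactions and keeps the records. */
    const assignment duties[] = {
        {"alice", AUTHORIZATION},
        {"bob", AUTHORIZATION},
        {"bob", RECORD_KEEPING},
        {"carol", CUSTODY},
        {"dave", RECONCILIATION},
    };
    const char *bad[MAX_USERS];
    size_t n = sod_conflicts(duties, sizeof duties / sizeof duties[0], bad, MAX_USERS);
    for (size_t i = 0; i < n; i++)
        printf("SoD conflict: %s holds more than one function type\n", bad[i]);

    /* Who performed authorization, custody, record keeping, reconciliation. */
    const char *phases[FUNC_COUNT] = {"alice", "carol", "bob", "dave"};
    printf("transaction segregated: %s\n", transaction_segregated(phases) ? "yes" : "no");
    return 0;
}
```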

Control Mechanisms to enforce SoD

There are several control mechanisms that can help to enforce the segregation of duties:

 Audit trails enable IT managers or auditors to recreate the actual transaction flow
from the point of origination to its existence on an updated file. Good audit trails
should be enabled to provide information on who initiated the transaction, the time of
day and date of entry, the type of entry, what fields of information it contained, and
what files it updated.
 Reconciliation of applications and an independent verification process are ultimately
the responsibility of users; they can be used to increase the level of confidence that
an application ran successfully.
 Exception reports are handled at the supervisory level, backed up by evidence noting that
exceptions are handled properly and in a timely fashion. A signature of the person who
prepares the report is normally required.
 Manual or automated system or application transaction logs should be maintained,
which record all processed system commands or application transactions.
 Supervisory review should be performed through observation and inquiry and the
trust built directly with one-level-up managers.
 To compensate for repeated mistakes or intentional failures to follow a prescribed
procedure, independent reviews are recommended. Such reviews can help detect
errors and irregularities, but they are usually expensive and can raise questions as to how
much an outside independent review once a quarter can know about your processes
compared to people within, and what level of trust can be built with those independent
reviewers.

Least Privilege (Need to Know)

The principle of least privilege, also known as the principle of minimal privilege or just least
privilege, requires that in a particular abstraction layer of a computing environment every
module (such as a process, a user or a program, depending on the layer we are considering)
must be able to access only the information and resources that are necessary to its legitimate
purpose.

Note: This principle is a useful security tool, but it has never been successful at enforcing
high-assurance security on a system.

Benefits

 Better system stability. When code is limited in the scope of changes it can make to a
system, it is easier to test its possible actions and interactions with other applications.
In practice, for example, applications running with restricted rights will not have
access to perform operations that could crash a machine or adversely affect other
applications running on the same system.
 Better system security. When code is limited in the system-wide actions it may
perform, vulnerabilities in one application cannot be used to exploit the rest of the
machine. For example, Microsoft states: "Running in standard user mode gives
customers increased protection against inadvertent system-level damage caused by
'shatter attacks' and malware, such as root kits, spyware, and undetectable viruses."
 Ease of deployment. In general, the fewer privileges an application requires, the easier
it is to deploy within a larger environment. This usually results from the first two
benefits: applications that install device drivers or require elevated security privileges
typically have additional steps involved in their deployment. For example, on Windows a
solution with no device drivers can be run directly with no installation, while device
drivers must be installed separately using the Windows installer service in order to
grant the driver elevated privileges.

Mandatory Vacations

Mandatory vacations of one to two weeks are used to audit and verify the work tasks and
privileges of employees. This often results in easy detection of abuse, fraud, or negligence.

Job Position Sensitivity

Security Roles and Responsibilities

Levels of Responsibilities

 Senior management and other levels of management understand the vision of the
company, the business goals, and the objectives.
 Functional management, whose members understand how their individual
departments work, what roles individuals play within the company, and how security
affects their department directly.
 Operational managers and staff. These layers are closer to the actual operations of the
company. They know detailed information about the technical and procedural
requirements, the systems, and how the systems are used. The employees at these
layers understand how security mechanisms integrate into systems, how to configure
them, and how they affect daily productivity.

Classification of Roles and their Responsibilities

Data Owner

 The data owner (information owner) is usually a member of management, in charge of
a specific business unit, and is ultimately responsible for the protection and use of a
specific subset of information.
 The data owner decides upon the classification of the data that he is responsible for
and alters that classification if the business needs arise.
 This person is also responsible for ensuring that the necessary security controls are in
place, ensuring that proper access rights are being used, defining security
requirements per classification and backup requirements, approving any disclosure
activities, and defining user access criteria.
 The data owner approves access requests or may choose to delegate this function to
business unit managers. And it is the data owner who will deal with security
violations pertaining to the data he is responsible for protecting.
 The data owner, who obviously has enough on his plate, delegates responsibility of
the day-to-day maintenance of the data protection mechanisms to the data custodian.

Data Custodian

 The data custodian (information custodian) is responsible for maintaining and
protecting the data.
 This role is usually filled by the IT department, and the duties include performing
regular backups of the data, periodically validating the integrity of the data, restoring
data from backup media, retaining records of activity, and fulfilling the requirements
specified in the company's security policy, standards, and guidelines that pertain to
information security and data protection.

Security Administrator

 A security administrator's tasks are many, and include creating new system user
accounts, implementing new security software, testing security patches and
components, and issuing new passwords.
 The security administrator role needs to make sure that access rights that are given to
users support the policies and data owner directives.

Security Analyst

 This role works at a higher, more strategic level than the previously described roles
and helps to develop policies, standards, and guidelines and set various baselines.
 Whereas the previous roles are "in the weeds" and focusing on their pieces and parts
of the security program, a security analyst helps define the security program elements
and follows through to ensure that the elements are being carried out and practiced
properly. This person works more at a design level than at an implementation level.

Application Owner

 An application owner, usually a business unit manager, is responsible for
dictating who can and cannot access their applications, such as the accounting software,
software for testing and development, etc.

Supervisor

 This role, also called user manager, is ultimately responsible for all user activity and
any assets created and owned by these users. This includes ensuring that all employees
understand their responsibilities with respect to security, distributing initial
passwords, making sure that the employees' account information is up to date, and
informing the security administrator when an employee is fired, suspended, or
transferred.

Change Control Analyst

 The change control analyst is responsible for approving or rejecting requests to make
changes to the network, systems, or software.
 This role needs to make sure that the change will not introduce any vulnerability, that
it has been properly tested, and that it is properly rolled out.
 The change control analyst needs to understand how various changes can affect
security, interoperability, performance, and productivity.

Data Analyst

 The data analyst is responsible for ensuring that data is stored in a way that makes the
most sense to the company and the individuals who need to access and work with it.
 The data analyst role may be responsible for architecting a new system that will hold
company information or advising in the purchase of a product that will do this.
 The data analyst works with the data owners to help ensure that the structures that are
set up coincide with and support the company's business objectives.

Process Owner

 Security should be considered and treated like just another business process. The
process owner is responsible for properly defining, improving upon, and monitoring
these processes.
 A process owner is not necessarily tied to one business unit or application. Complex
processes involve a lot of variables that can span across different departments,
technologies, and data types.

Solution Provider

 This role is called upon when a business has a problem or requires that a process be
improved upon.
 A solution provider works with the business unit managers, data owners, and senior
management to develop and deploy a solution to reduce the company's pain points.

User

 The user is any individual who routinely uses the data for work-related tasks.
 The user must have the necessary level of access to the data to perform the duties
within their position and is responsible for following operational security procedures
to ensure the data's confidentiality, integrity, and availability to others.

Product Line Manager

 Responsible for explaining business requirements to vendors and wading through
their rhetoric to see if the product is right for the company
 Responsible for ensuring compliance to license agreements
 Responsible for translating business requirements into objectives and specifications
for the developer of a product or solution
 Decides if his company really needs to upgrade their current systems
 This role must understand business drivers, business processes, and the technology
that is required to support them.
 The product line manager evaluates different products in the market, works with
vendors, understands different options a company can take, and advises management
and business units on the proper solutions that are needed to meet their goals.

Responsibilities of the Information Security Officer

 Communicate Risks to Executive Management
 Budget for Information Security Activities
 Ensure Development of Policies, Procedures, Baselines, Standards, and Guidelines
 Develop and Provide Security Awareness Program
 Understand Business Objectives
 Maintain Awareness of Emerging Threats and Vulnerabilities
 Evaluate Security Incidents and Response
 Develop Security Compliance Program
 Establish Security Metrics
 Participate in Management Meetings
 Ensure Compliance with Government Regulations
 Assist Internal and External Auditors
 Stay Abreast of Emerging Technologies

Reporting Model

 Business Relationships
 Reporting to the CEO
 Reporting to the Information Technology (IT) Department
 Reporting to Corporate Security
 Reporting to the Administrative Services Department
 Reporting to the Insurance and Risk Management Department
 Reporting to the Internal Audit Department
 Reporting to the Legal Department
 Determining the Best Fit

Enterprise-wide Security Oversight

Personnel Security

There are many facets of personnel responsibilities that fall under management's umbrella,
and several of these facets have a direct correlation to the overall security of the environment,
such as:

 Hiring the most qualified individuals
 Performing background checks of the personnel using detailed job descriptions
 Providing necessary training
 Enforcing strict access controls, and
 Terminating individuals in a way that protects all parties involved.

Hiring Practices

Depending on the position that needs to be filled, a level of screening should be done by
human resources to ensure that the company hires the right individual for the right job.

 Skills should be tested and evaluated, and the caliber and character of the individual
should be examined.
 Nondisclosure agreements need to be developed and signed by new employees to
protect the company and its sensitive information.
 Any conflicts of interests need to be addressed, and there should be different
agreements and precautions taken with temporary and contract employees.
 References should be checked, military records should be reviewed, education should
be verified, and if necessary, a drug test should be administered.
 Many times, important personal behaviors can be concealed, and that is why hiring
practices should include scenario questions, personality tests, and observations of the
individual, instead of just looking at a person's work history.

Employee Controls

 A management structure must be in place to make sure that everyone has someone to
report to and that the responsibility for another person's actions is spread equally and
intelligently.
 Consequences for noncompliance or unacceptable behavior must be communicated
before an event takes place.
 Proper supervisory skills need to be acquired and used to ensure that operations go
smoothly and any out-of-the-ordinary activities can be taken care of before they get
out of control.
 Rotation of duties should be employed in order to keep control of each department in a
healthy and productive state. No one person should stay in one position for a long
period of time, because they may end up having too much control over a segment of
the business, resulting in fraud, data modification, and misuse of resources.
 Employees in sensitive areas should be required to take their vacation, which is known
as a mandatory vacation policy; the individual who fills in for them can usually detect
any fraudulent errors or activities.
 Two variations of separation of duties and control are split knowledge and dual
control.
o In both cases, two or more individuals are authorized and required to perform
a duty or task.
o In the case of split knowledge, no one person knows or has all the details to
perform a task.
o In the case of dual control, two individuals are again authorized to perform a
task, but both must be available and active in their participation to complete
the task or mission.

Termination

 Companies should have a specific set of procedures to follow with each and every
termination.

Access Control
Access controls are security features that control how users and systems communicate and
interact with other systems and resources.

Access is the flow of information between a subject and an object.

A subject is an active entity that requests access to an object or the data within an object. e.g.:
user, program, process etc.

An object is a passive entity that contains the information. e.g.: Computer, Database, File,
Program etc.

Access controls give an organization the ability to control, restrict, monitor, and protect
resource availability, integrity and confidentiality.

Access Control Principles

Principle of Least Privilege: States that if nothing has been specifically configured for an
individual or the groups he/she belongs to, the user should not be able to access that
resource, i.e. default no access.

Separation of Duties: Separating any conflicting areas of responsibility so as to reduce
opportunities for unauthorized or unintentional modification or misuse of
organizational assets and/or information.

Need to know: It is based on the concept that individuals should be given access only to the
information that they absolutely require in order to perform their job duties.

Access Control Criteria

The criteria for providing access to an object include

 Roles
 Groups
 Location
 Time
 Transaction Type

Security Principles
 Identification
 Authentication
 Authorization
 Non Repudiation/Accountability

Identification, Authentication, and Authorization
Identification describes a method of ensuring that a subject is the entity it claims to be. E.g.:
a user name or an account number.

Authentication is the method of proving the subject's identity. E.g.: password, passphrase,
PIN.

Authorization is the method of controlling the access of objects by the subject. E.g.: a user
cannot delete a particular file after logging into the system.

Note: There must be a three-step process of Identification, Authentication and Authorization
in order for a subject to access an object.

Identification and Authentication

Identification Component Requirements

When issuing identification values to users or subjects, ensure that:

 Each value is unique, for user accountability
 A standard naming scheme is followed
 The values are non-descriptive of the user's position or task
 The values are not shared between users.

Authentication Factors

There are three general factors for authenticating a subject.

 Something a person knows. E.g.: passwords, PIN. Least expensive, least secure.
 Something a person has. E.g.: access card, key. Expensive, secure.
 Something a person is. E.g.: biometrics. Most expensive, most secure.

Note: For authentication to be strong, it must include two of the three
authentication factors; this is also referred to as two-factor authentication.

Access Control Types


The access control categories (administrative, physical and technical) work at
different levels, each at a different level of granularity, and perform different functions
based on the type.

The different types of access control are:

 Preventative: Avoid undesirable events from occurring
 Detective: Identify undesirable events that have occurred
 Corrective: Correct undesirable events that have occurred
 Deterrent: Discourage security violations
 Recovery: Restore resources and capabilities
 Compensative: Provide alternatives to other controls

Access Control Threats


Denial of Service (DoS/DDoS)

Overview

 A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS
attack) is an attempt to make a computer resource unavailable to its intended users.
Although the means to, motives for, and targets of a DoS attack may vary, it generally
consists of the concerted, malevolent efforts of a person or persons to prevent an
Internet site or service from functioning efficiently or at all, temporarily or
indefinitely.
 The purpose of DoS attacks is to force the targeted computer(s) to reset, or to consume
their resources so that they can no longer provide their intended service.

Types of DoS Attacks

A DoS attack can be perpetrated in a number of ways. There are five basic types of attack:

 Consumption of computational resources, such as bandwidth, disk space, or CPU
time;
 Disruption of configuration information, such as routing information;
 Disruption of state information, such as unsolicited resetting of TCP sessions;
 Disruption of physical network components;
 Obstructing the communication media between the intended users and the victim so
that they can no longer communicate adequately.

Countermeasures

Unfortunately, there are no effective ways to prevent being the victim of a DoS or DDoS
attack, but there are steps you can take to reduce the likelihood that an attacker will use your
computer to attack other computers:

 Install and maintain anti-virus software.
 Install a firewall, and configure it to restrict traffic coming into and leaving your
computer.
 Follow good security practices for distributing your email address. Applying email
filters may help you manage unwanted traffic.

Buffer Overflows

Overview

 A buffer overflow is an anomalous condition where a process attempts to store data
beyond the boundaries of a fixed-length buffer. The result is that the extra data
overwrites adjacent memory locations. The overwritten data may include other
buffers, variables and program flow data and may cause a process to crash or produce
incorrect results. Overflows can be triggered by inputs specifically designed to execute
malicious code or to make the program operate in an unintended way. As such, buffer
overflows cause many software vulnerabilities and form the basis of many exploits.

Buffer Overflow Techniques

 Stack Buffer Overflow
o A stack buffer overflow occurs when a program writes to a memory address
on the program's call stack outside of the intended data structure, usually a
fixed-length buffer.
o Stack buffer overflow bugs are caused when a program writes more data to a
buffer located on the stack than was actually allocated for that buffer.
This almost always results in corruption of adjacent data on the stack, and in
cases where the overflow was triggered by mistake, will often cause the
program to crash or operate incorrectly.
o A technically inclined and malicious user may exploit stack-based buffer
overflows to manipulate the program in one of several ways:
 By overwriting a local variable that is near the buffer in memory on the
stack to change the behaviour of the program in a way that benefits the
attacker.
 By overwriting the return address in a stack frame. Once the function
returns, execution will resume at the return address specified by the
attacker, usually pointing into a buffer filled with user input.
 By overwriting a function pointer or exception handler, which is
subsequently executed.

 Heap Buffer Overflow
o A heap overflow is another type of buffer overflow that occurs in the heap
data area. Memory on the heap is dynamically allocated by the application at
run-time and typically contains program data.
o Exploitation goes as follows: if an application copies data without first
checking to see if it fits into the chunk (a block of data in the heap), the
attacker could supply the application with a piece of data that is too large,
overwriting the heap management information (metadata) of the next chunk. This
allows an attacker to overwrite an arbitrary memory location with four bytes
of data. In most environments, this may allow the attacker control over the
program execution.
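As an added example, not code from the original notes, the C program below shows the stack-overflow pattern described above in a constructed struct: a fixed-length buffer with a security-relevant variable adjacent to it, the unchecked copy that would overrun it, and the hardened form that bounds-checks the input first and leaves the struct untouched when the input does not fit. The names session, set_name_unsafe, set_name_safe and fits_buffer, and the sample inputs, are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* A layout like the stack frame the notes describe: a fixed-length buffer with a
 * security-relevant local variable next to it (constructed example). */
typedef struct {
    char name[16];
    int is_admin;   /* must stay 0 for an ordinary user */
} session;

/* VULNERABLE: copies without checking the length. Input longer than name[]
 * writes past the buffer and clobbers whatever is adjacent (here is_admin; in a
 * real frame, saved registers or the return address). Kept only for contrast:
 * main() never calls it with oversized input. */
void set_name_unsafe(session *s, const char *input) {
    strcpy(s->name, input);
}

/* Does this input (plus its terminating NUL) fit a buffer of cap bytes? */
int fits_buffer(const char *input, size_t cap) {
    return strlen(input) < cap;
}

/* HARDENED: bounds check first, then a length-limited copy. Over-long input is
 * rejected and the session is left unchanged.
 * Returns 0 on success, -1 when the input would not fit. */
int set_name_safe(session *s, const char *input) {
    size_t len = strlen(input);
    if (!fits_buffer(input, sizeof s->name))
        return -1;
    memcpy(s->name, input, len + 1);   /* len + 1 <= sizeof s->name here */
    return 0;
}

int main(void) {
    session s = { "", 0 };
    const char *normal = "alice";
    /* Constructed over-long input: 24 bytes, more than the 16-byte name[]. */
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAA";

    printf("normal fits: %d, oversized fits: %d\n",
           fits_buffer(normal, sizeof s.name), fits_buffer(oversized, sizeof s.name));
    printf("safe copy of normal: %d (name=%s)\n", set_name_safe(&s, normal), s.name);
    printf("safe copy of oversized: %d (name=%s, is_admin=%d)\n",
           set_name_safe(&s, oversized), s.name, s.is_admin);
    return 0;
}
```

The rejected copy is the "use of safe libraries" countermeasure in miniature: the caller learns that the input was too long instead of the adjacent variable silently changing.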

Countermeasure

 Choice of programming language
 Use of safe libraries
 Stack-smashing protection, which refers to various techniques for detecting buffer
overflows on stack-allocated variables. The most common implementations are
StackGuard and SSP.
 Executable space protection, which is the marking of memory regions as
non-executable, such that an attempt to execute machine code in these regions will cause
an exception. It makes use of hardware features such as the NX bit (Non Execute bit).
 Address space layout randomization: A technique which involves arranging the
positions of key data areas, usually including the base of the executable and the position
of libraries, heap, and stack, randomly in a process's address space.
 Deep packet inspection: A form of computer network packet filtering that
examines the data and/or header part of a packet as it passes an inspection point,
searching for non-protocol compliance, viruses, spam, intrusions or predefined criteria
to decide if the packet can pass or if it needs to be routed to a different destination, or
for the purpose of collecting statistical information. It is also called Content Inspection
or Content Processing.

Malicious Software

Password Crackers

Spoofing/Masquerading

Overview

 A spoofing attack is a situation in which one person or program successfully
masquerades as another by falsifying data and thereby gaining an illegitimate
advantage.
 Popular Spoofing Techniques
o Man-in-the-middle attack (MITM): An attack in which an attacker is able to
read, insert and modify at will messages between two parties without either
party knowing that the link between them has been compromised. The attacker
must be able to observe and intercept messages going between the two victims.
o IP address spoofing: Refers to the creation of IP packets with a forged
(spoofed) source IP address with the purpose of concealing the identity of the
sender or impersonating another computing system.
o URL spoofing: A spoofed URL describes one website that poses as another.
o Phishing: An attempt to criminally and fraudulently acquire sensitive
information, such as usernames, passwords and credit card details, by
masquerading as a trustworthy entity in an electronic communication.
o Referrer spoofing: The sending of incorrect referrer information along with
an HTTP request, sometimes with the aim of gaining unauthorized access to a
web site. It can also be used because of privacy concerns, as an alternative to
sending no referrer at all.
o Spoofing of file-sharing networks: Polluting the file-sharing networks, where
record labels share files that are mislabeled, distorted or empty to discourage
downloading from these sources.
o Caller ID spoofing: This allows callers to lie about their identity and present
false names and numbers, which could of course be used as a tool to defraud
or harass.
o E-mail address spoofing: A technique commonly used for spam e-mail and
phishing to hide the origin of an e-mail message by changing certain
properties of the e-mail, such as the From, Return-Path and Reply-To fields.
o Login spoofing: A technique used to obtain a user's password. The user is
presented with an ordinary-looking login prompt for username and password,
which is actually a malicious program, usually called a Trojan horse, under the
control of the attacker. When the username and password are entered, this
information is logged or in some way passed along to the attacker, breaching
security.

Countermeasures

 Be skeptical of e-mails indicating that you need to make changes to your accounts or
warnings indicating that accounts will be terminated without you doing some type of
activity online.
 Call the legitimate company to find out if this is a fraudulent message.
 Review the address bar to see if the domain name is correct.
 When submitting any type of financial information or credential data, an SSL
connection should be set up, which is indicated in the address bar (https://) and a
closed-padlock icon in the browser at the bottom-right corner.
 Do not click on an HTML link within an e-mail. Type the URL out manually instead.
 Do not accept e-mail in HTML format.

Emanations

Overview

 All electronic devices emit electrical signals. These signals can hold important
information, and if an attacker buys the right equipment and positions himself in the
right place, he could capture this information from the airwaves and access data
transmissions as if he had a tap directly on the network wire.

Countermeasure

 Tempest: Tempest is the name of a program, and now a standardized technology, that
suppresses signal emanations with shielding material. Vendors who manufacture this
type of equipment must be certified to this standard. In devices that are Tempest rated,
other components are also modified, especially the power supply, to help reduce the
amount of electricity that is used, unlike normal devices, which have just an outer
metal coating, referred to as a Faraday cage. This type of protection is usually needed
only in military institutions, although other highly secured environments do utilize
this type of safeguard.
o Tempest Technologies: Tempest technology is complex, cumbersome, and
expensive, and therefore only used in highly sensitive areas that really need
this high level of protection. Two alternatives to Tempest exist:
 White Noise: White noise is a uniform spectrum of random electrical
signals. It is distributed over the full spectrum so that the bandwidth is
constant and an intruder is not able to decipher real information from
random noise or random information.
 Control Zone: Some facilities use material in their walls to contain
electrical signals. This prevents intruders from being able to access
information that is emitted via electrical signals from network devices.
This control zone creates a type of security perimeter and is
constructed to protect against unauthorized access to data or
compromise of sensitive information.

Shoulder Surfing

Overview

 Shoulder surfing refers to using direct observation techniques, such as looking over
someone's shoulder, to get information. Shoulder surfing is particularly effective in
crowded places because it's relatively easy to observe someone as they:
o Fill out a form
o Enter their PIN at an automated teller machine or a POS Terminal
o Use a calling card at a public pay phone
o Enter passwords at a cybercafe, public and university libraries, or airport
kiosks.
o Enter a digit code for a rented locker in a public place such as a swimming
pool or airport.
 Shoulder surfing can also be done at a distance using binoculars or other vision-
enhancing devices. Inexpensive, miniature closed-circuit television cameras can be
concealed in ceilings, walls or fixtures to observe data entry. To prevent shoulder
surfing, it is advised to shield paperwork or the keypad from view by using one's body
or cupping one's hand.
 Recent automated teller machines now have a sophisticated display which discourages
shoulder surfers. It grows darker beyond a certain viewing angle, and the only way to
tell what is displayed on the screen is to stand directly in front of it.
 Certain models of credit card readers have the keypad recessed, and employ a rubber
shield that surrounds a significant part of the opening towards the keypad. This makes
shoulder-surfing significantly harder, as seeing the keypad is limited to a much more
direct angle than previous models. Taken further, some keypads alter the physical
location of the keys after each keypress. Also, security cameras are not allowed to be
placed directly above an ATM.

Object Reuse

Overview

 Object reuse issues pertain to reassigning to a subject media that previously contained
one or more objects.
 The sensitive information that may be left by a process should be securely cleared
before allowing another process the opportunity to access the object. This ensures that
information not intended for this individual or any other subject is not disclosed.
 For media that holds confidential information, more extreme methods should be taken
to ensure that the files are actually gone, not just their pointers.

Countermeasures

 Sensitive data should be classified by the data owners.
 How the data is stored and accessed should also be strictly controlled and audited by
software controls.
 Before allowing one subject to use media that was previously used, the media should
be erased or degaussed. If media holds sensitive information and cannot be purged,
there should be steps on how to properly destroy it so that there is no way for others to
obtain this information.

Data Remanence

Overview

 Data remanence is the residual representation of data that has in some way been
nominally erased or removed. This residue may be due to data being left intact by a
nominal delete operation, or through physical properties of the storage medium.
 Data remanence may make inadvertent disclosure of sensitive information possible,
should the storage media be released into an uncontrolled environment.

Countermeasures

 Classes of Countermeasures
o Clearing
 Clearing is the removal of sensitive data from storage devices in such a
way that there is assurance, proportional to the sensitivity of the data,
that the data may not be reconstructed using normal system functions.
The data may still be recoverable, but not without unusual effort.
 Clearing is typically considered an administrative protection against
accidental disclosure within an organization. For example, before a
floppy disk is re-used within an organization, its contents may be
cleared to prevent their accidental disclosure to the next user.
o Purging
 Purging or sanitizing is the removal of sensitive data from a system or
storage device with the intent that the data can not be reconstructed by
any known technique.
 Purging is generally done before releasing media outside of control,
such as before discarding old media, or moving media to a computer
with different security requirements.
 Methods to Countermeasure
o Overwriting
 A common method used to counter data remanence is to overwrite the
storage medium with new data. This is often called wiping or
shredding a file or disk. Because such methods can often be
implemented in software alone, and may be able to selectively target
only part of a medium, it is a popular, low-cost option for some
applications.

 The simplest overwrite technique writes the same data everywhere --
often just a pattern of all zeros. At a minimum, this will prevent the
data from being retrieved simply by reading from the medium again,
and thus is often used for clearing.
o Degaussing
 Degaussing is the removal or reduction of a magnetic field. Applied to
magnetic media, degaussing may purge an entire media element
quickly and effectively. A device, called a degausser, designed for the
media being erased, is used.
 Degaussing often renders hard disks inoperable, as it erases low-level
formatting which is only done at the factory, during manufacture.
Degaussed floppy disks can generally be reformatted and reused.
o Encryption
 Encrypting data before it is stored on the medium may mitigate
concerns about data remanence. If the encryption key is strong and
carefully controlled (i.e., not itself subject to data remanence), it may
effectively make any data on the medium unrecoverable. Even if the
key is stored on the medium, it may prove easier or quicker to
overwrite just the key rather than the entire disk.
 Encryption may be done on a file-by-file basis, or on the whole disk.
o Physical destruction
 Physical destruction of the data storage medium is generally
considered the most certain way to counter data remanence, although
also at the highest cost. Not only is the process generally time-
consuming and cumbersome, it obviously renders the media unusable.
Further, with the high recording densities of modern media, even a
small media fragment may contain large amounts of data.
 Specific destruction techniques include:
 Physically breaking the media apart, by grinding, shredding,
etc.
 Incinerating
 Phase transition (i.e., liquification or vaporization of a solid
disk)
 Application of corrosive chemicals, such as acids, to recording
surfaces
 For magnetic media, raising its temperature above the Curie
point
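The object reuse and data remanence countermeasures above (erase media before it is reassigned, overwrite for clearing, encrypt and destroy the key) can be demonstrated on a toy block-storage model. The following is an added example written for these notes, not code from the original document or from any product; the ToyDisk class, the toy SHA-256 counter-mode keystream and the sample record are all constructed for illustration. It shows that a nominal delete leaves the record on the raw medium, that a zero-overwrite clear removes it, and that with encryption the plaintext never reaches the medium, so destroying the key is what makes the data unrecoverable.

```python
"""Added example (not from the original notes): a toy disk model showing why a
nominal delete leaves data remanent, and how clearing and crypto-erase differ."""
import hashlib
import os

BLOCK_SIZE = 16


class ToyDisk:
    """Flat byte array plus a directory (name -> first block, block count).

    Deliberately simplified: the point is that a nominal delete touches only
    the directory, which is exactly what leaves data remanent on real media.
    """

    def __init__(self, blocks: int):
        self.media = bytearray(blocks * BLOCK_SIZE)
        self.directory = {}
        self.next_free = 0

    def write(self, name: str, data: bytes) -> None:
        count = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if (self.next_free + count) * BLOCK_SIZE > len(self.media):
            raise ValueError("disk full")
        start = self.next_free * BLOCK_SIZE
        self.media[start:start + len(data)] = data
        self.directory[name] = (self.next_free, count)
        self.next_free += count

    def nominal_delete(self, name: str) -> None:
        """Ordinary delete: drops the pointer, leaves the blocks untouched."""
        del self.directory[name]

    def clear(self, name: str) -> None:
        """Clearing: overwrite the file's blocks with zeros, then delete."""
        first, count = self.directory[name]
        lo, hi = first * BLOCK_SIZE, (first + count) * BLOCK_SIZE
        self.media[lo:hi] = bytes(hi - lo)
        del self.directory[name]

    def raw_contains(self, needle: bytes) -> bool:
        """Forensic-style check: is the pattern anywhere on the raw medium?"""
        return needle in self.media


def toy_keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (illustration only; a real
    deployment would use an authenticated cipher such as AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_xor(key: bytes, data: bytes) -> bytes:
    """Encrypts and decrypts: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, len(data))))


def demo() -> dict:
    # Constructed sample record; any recognisable byte pattern works.
    secret = b"CONSTRUCTED SAMPLE RECORD 0001: salary 123456"

    plain = ToyDisk(blocks=8)
    plain.write("hr.txt", secret)
    plain.nominal_delete("hr.txt")          # pointer gone, bytes still there

    cleared = ToyDisk(blocks=8)
    cleared.write("hr.txt", secret)
    cleared.clear("hr.txt")                 # blocks zeroed before release

    key = os.urandom(32)
    encrypted = ToyDisk(blocks=8)
    encrypted.write("hr.txt", toy_xor(key, secret))
    first, _ = encrypted.directory["hr.txt"]
    stored = bytes(encrypted.media[first * BLOCK_SIZE:first * BLOCK_SIZE + len(secret)])
    recoverable_with_key = toy_xor(key, stored) == secret
    del key  # crypto-erase: destroying the key is what makes the data unrecoverable

    return {
        "remanent_after_delete": plain.raw_contains(secret),
        "remanent_after_clear": cleared.raw_contains(secret),
        "plaintext_on_encrypted_media": encrypted.raw_contains(secret),
        "recoverable_with_key": recoverable_with_key,
    }
```

Running demo() returns remanent_after_delete as True and the other three flags as shown by the names: the cleared disk and the encrypted disk do not contain the plaintext, while the encrypted record is readable only while the key exists. On real drives the same lesson applies with the caveats the notes mention: a software overwrite cannot reach remapped sectors or flash wear-levelling spares, which is why purging before release relies on degaussing, built-in secure-erase commands, crypto-erase or physical destruction.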

Backdoor/Trapdoor

Overview

 A backdoor is a malicious computer program or particular means that provides the
attacker with unauthorized remote access to a compromised system, exploiting
vulnerabilities of installed software and bypassing normal authentication.
 A backdoor works in background and hides from the user. It is very similar to a virus
and therefore is quite difficult to detect and completely disable.
 A backdoor is one of the most dangerous parasite types, as it allows a malicious
person to perform any possible actions on a compromised computer. The attacker can
use a backdoor to
o spy on a user,
o manage files,
o install additional software or dangerous threats,
o control the entire system including any present applications or hardware
devices,
o shutdown or reboot a computer or
o attack other hosts.
 Often a backdoor has additional harmful capabilities like keystroke logging,
screenshot capture, file infection, even total system destruction or other payload. Such
a parasite is a combination of different privacy and security threats, which works on its
own and does not need to be controlled at all.
 Most backdoors are autonomous malicious programs that must somehow be installed on
a computer. Some parasites do not require installation, as their parts are already
integrated into particular software running on a remote host. Programmers sometimes
leave such backdoors in their software for diagnostics and troubleshooting purposes.
Hackers often discover these undocumented features and use them to break into the
system.

Countermeasure

 Powerful antivirus and anti-spyware products

Dictionary Attacks

Overview

 Dictionary attacks are launched by programs which are fed lists (dictionaries)
of commonly used words or combinations of characters, and then compare these
values against captured passwords or password hashes.
 Once the right combination of characters is identified, the attacker can use this
password to authenticate herself as a legitimate user.
 Sometimes the attacker can even capture the password file using this kind of activity.

Countermeasures

To properly protect an environment against dictionary and other password attacks, the
following practices should be followed:

 Do not allow passwords to be sent in cleartext.
 Encrypt the passwords with encryption algorithms or hashing functions.
 Employ one-time password tokens.
 Use hard-to-guess passwords.
 Rotate passwords frequently.
 Employ an IDS to detect suspicious behavior.
 Use dictionary cracking tools to find weak passwords chosen by users.
 Use special characters, numbers, and upper- and lowercase letters within the
password.
 Protect password files.
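Several of the practices above (hard-to-guess passwords, mixed character classes, hashing rather than storing passwords, and checking users' choices against a cracking dictionary) can be enforced at the point where a password is set. The block below is an added example for these notes, not code from the original document or from any particular product; COMMON_WORDS is a constructed stand-in for a real cracking wordlist, and the policy limits (12 characters, 3 character classes, 600,000 PBKDF2 iterations) are assumptions chosen for the example.

```python
"""Added example (not from the original notes): a password acceptance check
plus salted, iterated hashing, implementing several dictionary-attack
countermeasures on the defender's side."""
import hashlib
import hmac
import os
import re

# Constructed stand-in for a real cracking dictionary, which has millions of entries.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon", "summer"}
# Undo common substitutions before the dictionary lookup, so P@ssw0rd is caught.
LEET = str.maketrans("@$013", "asole")
MIN_LENGTH = 12          # assumption for this example
MIN_CLASSES = 3          # assumption for this example
ITERATIONS = 600_000     # OWASP-recommended PBKDF2-HMAC-SHA256 work factor


def dictionary_base(password: str) -> str:
    """Reduce a candidate to the word it is probably built on: lowercase it,
    strip trailing digits/symbols (Summer2024!), then undo leet substitutions."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET)


def check_password(password: str) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    base = dictionary_base(password)
    if base in COMMON_WORDS:
        problems.append(f"based on dictionary word {base!r}")
    return problems


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store a per-user random salt and a slow hash, never the password itself.
    The salt means two users with the same password get different hashes, so a
    precomputed dictionary of hashes cannot be reused across accounts."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

The same dictionary_base() normalisation is what an internal audit with a cracking tool relies on: a password that survives check_password() is not necessarily strong, but one that fails it would fall to a dictionary attack in seconds, so rejecting it up front is cheaper than discovering it later.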

Bruteforce Attacks

Overview

 Brute force is defined as "trying every possible combination until the correct one is
identified."
 The most effective way to uncover passwords is through a hybrid attack, which
combines a dictionary attack and a brute force attack.
 A brute force attack is also known as an exhaustive attack.
 Brute force techniques are usually used for wardialing, in hopes of finding a modem
that can be exploited to gain unauthorized access.

Countermeasures

For phone brute force attacks, auditing and monitoring of this type of activity should be in
place to uncover patterns that could indicate a wardialing attack:

 Perform brute force attacks to find weaknesses and hanging modems.
 Make sure only necessary phone numbers are made public.
 Provide stringent access control methods that would make brute force attacks less
successful.
 Monitor and audit for such activity.
 Employ an IDS to watch for suspicious activity.
 Set lockout thresholds.
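"Set lockout thresholds" and "monitor and audit for such activity" are easy to state and easy to get wrong. The block below is an added example for these notes, not code from the original document or from any product: a small lockout policy with an injectable clock, which counts failures within a sliding window, locks the account once the threshold is reached, refuses even a correct password while locked, and records audit events that a monitoring system or IDS can pick up. The threshold (5 failures), window (5 minutes) and lockout duration (15 minutes) are assumptions for the example.

```python
"""Added example (not from the original notes): a lockout-threshold tracker
with audit events, one way to implement the brute force countermeasures."""
import time
from collections import defaultdict


class LockoutPolicy:
    def __init__(self, threshold: int = 5, window: float = 300.0,
                 lockout: float = 900.0, clock=time.monotonic):
        self.threshold = threshold    # failures within `window` that trigger a lock
        self.window = window          # seconds; older failures are forgotten
        self.lockout = lockout        # seconds the account stays locked
        self.clock = clock            # injectable so behaviour can be tested
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.locked_until = {}              # account -> unlock time
        self.audit = []                     # event lines for the monitoring pipeline

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[account]  # lock expired
            return False
        return True

    def record_failure(self, account: str) -> None:
        now = self.clock()
        recent = [t for t in self.failures[account] if now - t <= self.window]
        recent.append(now)
        self.failures[account] = recent
        self.audit.append(f"auth_failure account={account} recent={len(recent)}")
        if len(recent) >= self.threshold:
            self.locked_until[account] = now + self.lockout
            self.failures[account] = []
            self.audit.append(f"account_locked account={account} "
                              f"until={now + self.lockout:.0f}")

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)

    def attempt(self, account: str, credentials_valid: bool) -> str:
        """Return 'locked', 'ok' or 'failed'. Callers must check the lock before
        evaluating credentials, so a locked account never confirms a guess."""
        if self.is_locked(account):
            self.audit.append(f"attempt_while_locked account={account}")
            return "locked"
        if credentials_valid:
            self.record_success(account)
            return "ok"
        self.record_failure(account)
        return "locked" if self.is_locked(account) else "failed"
```

The audit list is where the monitoring advice lands: a burst of account_locked events across many accounts from one source is the pattern an IDS or SIEM rule should alert on, because a per-account lockout alone does nothing against a slow sweep of one guess per account. The flip side to keep in mind is that any lockout rule lets an attacker lock legitimate users out on purpose, so the window and duration should be tuned with that in mind.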

Social Engineering

Overview

 Social engineering is a collection of techniques used for manipulation of the natural
human tendency to trust in order to obtain information that will allow a hacker to gain
unauthorized access to a valued system and the information that resides on that
system.
 Forms of a Social engineering attack
o Physical: the workplace, the phone, your trash (dumpster diving), and even on-
line
o Psychological: Persuasion
o Reverse Social Engineering

Common Social Engineering Attacks

 At the Workplace
o In the workplace, the hacker can simply walk in the door, like in the movies,
and pretend to be a maintenance worker or consultant who has access to the
organization. Then the intruder struts through the office until he or she finds a
few passwords lying around and emerges from the building with ample
information to exploit the network from home later that night.

o Another technique to gain authentication information is to just stand there and
watch an oblivious employee type in his password.
 On the Phone/Help Desk
o It is the most prevalent type of social engineering attack.
o A hacker will call up and imitate someone in a position of authority or
relevance and gradually pull information out of the user.
o Help desks are particularly prone to this type of attack. Hackers are able to
pretend they are calling from inside the corporation by playing tricks on the
PBX or the company operator, so caller-ID is not always the best defense.
o Help desks are particularly vulnerable because they are in place specifically to
help, a fact that may be exploited by people who are trying to gain illicit
information.
 Dumpster Diving
o Dumpster diving, also known as trashing, is another popular method of social
engineering. A huge amount of information can be collected through company
dumpsters (trash can).
o The following items found in the trash are potential security leaks:
 company phone books which can give the hackers names and numbers
of people to target and impersonate
 organizational charts contain information about people who are in
positions of authority within the organization
 memos provide small tidbits of useful information for creating
authenticity
 company policy manuals show hackers how secure (or insecure) the
company really is
 calendars of meetings may tell attackers which employees are out of
town at a particular time
 system manuals, printouts of sensitive data or login names and
passwords may give hackers the exact keys they need to unlock the
network.
 disks and tapes can be restored to provide all sorts of useful
information.
 company letterhead and memo forms
 Online
o One way in which hackers can obtain online passwords is through an on-line
form: they can send out some sort of sweepstakes information and ask the user
to put in a name (including e-mail address – that way, she might even get that
person’s corporate account password as well) and password.
o E-mail can also be used for more direct means of gaining access to a system.
For instance, mail attachments sent from someone who appears authentic can carry
viruses, worms and Trojan horses.
 Persuasion
o This is a technique where the hackers themselves teach social engineering from a
psychological point of view, emphasizing how to create the perfect
psychological environment for the attack.
o Basic methods of persuasion include: impersonation, ingratiation, conformity,
diffusion of responsibility, and plain old friendliness. Regardless of the method
used, the main objective is to convince the person disclosing the information
that the social engineer is in fact a person that they can trust with that sensitive
information. The other important key is to never ask for too much information
at a time, but to ask for a little from each person in order to maintain the
appearance of a comfortable relationship.
 Impersonation generally means creating some sort of character and
playing out the role. Some common roles that may be played in
impersonation attacks include: a repairman, IT support, a manager, a
trusted third party or a fellow employee.
 Conformity is a group-based behavior, but can be used occasionally in
the individual setting by convincing the user that everyone else has
been giving the hacker the same information requested. When hackers
attack in such a way as to diffuse the responsibility of the employee
giving the password away, that alleviates the stress on the employee.
 Reverse Social Engineering
o This is when the hacker creates a persona that appears to be in a position of
authority so that employees will ask him for information, rather than the other
way around. If researched, planned and executed well, reverse social
engineering attacks may offer the hacker an even better chance of obtaining
valuable data from the employees; however, this requires a great deal of
preparation, research, and pre-hacking to pull off.

Countermeasures

 Having proper security policies in place which address both the physical and
psychological aspects of the attack
 Providing proper training to employees and help desk personnel