Is Notes Full Final
Uploaded by jesudosss

INFORMATION SECURITY

CS T83

B.Tech./ CSE /VIII SEMESTER

Prof. P. ELUMALAI
AP/CSE - ACET

Achariya College of Engineering Technology


(Approved by AICTE and affiliated to Pondicherry University)
An ISO 9001:2008 Certified Institution
Achariyapuram, Villianur, Puducherry – 605 110.
www.acet.edu.in

(For internal circulation only)


SYLLABUS

INFORMATION SECURITY
Course Objectives:
1 To provide an understanding of principal concepts, major issues, technologies and basic
approaches in information security.
2 Develop an understanding of information assurance as practiced in computer operating
systems, distributed systems, networks and representative applications.
3 Gain familiarity with prevalent network and distributed system attacks, defenses against
them and forensics to investigate the aftermath.
4 Develop a basic understanding of cryptography, how it has evolved and some key
encryption techniques used today.
5 Develop an understanding of security policies (such as authentication, integrity and
confidentiality), as well as protocols to implement such policies in the form of message
exchanges.

UNIT – I
FUNDAMENTALS: Introduction to Information Security - Critical Characteristics of
Information - NSTISSC Security Model - Components of an Information System - Securing
the Components - Balancing Security and Access - SDLC - Security SDLC.
UNIT – II
SECURITY INVESTIGATION: Need for Security - Business Needs - Threats - Attacks -
Legal, Ethical and Professional Issues.
UNIT – III
SECURITY ANALYSIS: Risk Management: Identifying and Assessing Risk - Assessing
and Controlling Risk - Trends in Information Risk Management - Managing Risk in an
Intranet Environment.
UNIT – IV
LOGICAL DESIGN: Blueprint for Security - Information Security Policy - Standards and
Practices - ISO 17799/BS 7799 - NIST Models - VISA International Security Model - Design
of Security Architecture - Planning for Continuity.
UNIT – V
PHYSICAL DESIGN: Security Technology - IDS, Scanning and Analysis Tools -
Cryptography - Access Control Devices - Physical Security - Security and Personnel issues.
Text Books:
1. Michael E Whitman and Herbert J Mattord, “Principles of Information Security”, Vikas
Publishing House, New Delhi, 2003.
Reference Books:
1. Micki Krause, Harold F. Tipton, “Handbook of Information Security Management”, Vol. 1-3, CRC Press LLC, 2004.
2. Stuart McClure, Joel Scambray, George Kurtz, “Hacking Exposed”, Tata McGraw-Hill, 2003.
3. Matt Bishop, “Computer Security Art and Science”, Pearson/PHI, 2002.
Website:
1. http://www.cryptography.com/
2. https://www.schneier.com/cryptography.html
3. http://www.information-security-policies-and-standards.com/
4. www.jhuapl.edu/ourwork/nsa/

Chapter I 1
1.1 HISTORY 1
1.1.1 The 1960s 1
1.1.2 The 1970s and 80s 1
1.1.3 The 1990s 1
1.1.4 The Present 1
1.2 INTRODUCTION 2
1.2.1 What is security? 2
1.3 CRITICAL CHARACTERISTICS OF INFORMATION 4
1.4 NSTISSC SECURITY MODEL 6
1.5 COMPONENTS OF AN INFORMATION SYSTEM 7
1.6 SECURING COMPONENTS 8
1.7 BALANCING INFORMATION SECURITY AND ACCESS 9
1.7.1 Approaches to Information Security Implementation 9
1.8 THE SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC) 10
1.8.1 SDLC Waterfall Methodology 10
1.9 THE SECURITY SYSTEMS DEVELOPMENT LIFE CYCLE 11
1.9.1 Security Professionals and the organization 13
1.9.2 Key Terms in Information Security Terminology 14

Chapter 2 16
2.1 NEEDS OF SECURITY 16
2.2 BUSINESS NEEDS FIRST 16
2.3 THREATS 17
2.3.1 Types of threats 17
2.3.2 Virus & Worm Hoaxes 23
2.3.3 Internet Service Issues 24
2.4 ATTACKS 26
2.4.1 Malicious code 26
2.4.2 Attack Replication Vectors 26
2.4.3 Denial-of-Service (DoS) & Distributed Denial-of-Service 28
2.4.4 Spoofing 28
2.4.5 Man-in-the-Middle 29
2.4.6 SPAM 29
2.5 LEGAL, ETHICAL, AND PROFESSIONAL ISSUES IN IS 30

2.5.1 Types of Law 30
2.5.2 International Laws and Legal Bodies 30

Chapter 3 34
3.1 RISK MANAGEMENT 34
3.1.1 Components of Risk Management 34
3.1.2 Overview of Risk Management 34
3.2 RISK IDENTIFICATION 35
3.2.1 Asset Identification & Valuation 36
3.2.2 People, Procedures & Data Asset Identification 37
3.2.3 Hardware, Software, and Network Asset Identification 37
3.2.4 Automated Risk Management Tools 38
3.2.5 Data Classification 39
3.2.6 Threat Identification 40
3.3 RISK ASSESSMENT 41
3.3.1 Identify Possible Controls 42
3.3.2 Access Controls 42
3.3.3 Documenting the Results of Risk Assessment 43
3.4 RISK CONTROL STRATEGIES 43
3.4.1 Selecting a Risk Control Strategy 45

Chapter 4 53
4.1 PLANNING FOR SECURITY 53
4.1.1 Enterprise Information Security Policy (EISP) 54
4.1.2 Issue-Specific Security Policy (ISSP) 54
4.1.3 Systems-Specific Policy (SysSP) 55
4.2 THE INFORMATION SECURITY BLUEPRINT 56
4.3 SECURITY MODELS 56
4.3.1 ISO 17799/BS 7799 56
4.3.2 NIST Security Models 57
4.4 VISA INTERNATIONAL SECURITY MODEL 60
4.4.1 Baselining & Best Business Practices 60
4.4.2 Hybrid Framework for a Blueprint of an Information Security System 61
4.5 DESIGN OF SECURITY ARCHITECTURE 62
4.5.1 Key Technology Components 64

4.6 CONTINGENCY PLANNING (CP) 67
4.6.1 Components of Contingency Planning 67
4.6.2 Incident response plan (IRP) 68
4.6.3 Disaster Recovery Plan (DRP) 69
4.6.4 Business Continuity Plan (BCP) 70

Chapter 5 72
5.1 PHYSICAL SECURITY 72
5.1.1 Electronic access control 72
5.1.2 Closed-circuit television sign 73
5.2 FIREWALLS 74
5.2.1 Different generations of firewalls 74
5.2.2 Firewalls categorized by processing modes 75
5.2.3 Factors to consider when selecting the right firewall 78
5.3 INTRUSION DETECTION SYSTEMS (IDSs) 78
5.3.1 Different types of IDSs 79
5.3.2 Honey Pots, Honey Nets, and Padded Cell Systems 80
5.4 SCANNING AND ANALYSIS TOOLS 81
5.4.1 Footprinting and fingerprinting 81
5.4.2 Different types of scanning and analysis tools available 82
5.5 CRYPTOGRAPHY 82
5.5.1 Basic Encryption Definitions 83
5.5.2 Data Encryption Standard (DES) 83
5.5.3 Triple DES (3DES) 83
5.5.4 Digital Signatures 84
5.6 PHYSICAL SECURITY 85
5.6.1 Seven Major Sources of Physical Loss 85
5.6.2 Controls used in a Secure Facility 85

Chapter 1

1.1 HISTORY
- Persons desiring secure communications have used wax seals.
- Julius Caesar created the Caesar Cipher (c. 50 B.C.) to prevent his secret messages from being read should a message fall into the wrong hands.
- The end of the 20th century and early years of the 21st century saw rapid advancements in telecommunications, computing hardware and software, and data encryption.
1.1.1 The 1960s
- During the 1960s, the Department of Defense’s Advanced Research Procurement Agency (ARPA) began examining the feasibility of a redundant networked communications system designed to support the military’s need to exchange information.
- Larry Roberts, known as the Founder of the Internet, developed the project from its inception.
1.1.2 The 1970s and 80s
- ARPANET grew in popularity, as did its potential for misuse.
- Fundamental problems with ARPANET security were identified:
  o No safety procedures for dial-up connections to ARPANET
  o Nonexistent user identification and authorization to the system
  o Late 1970s: the microprocessor expanded computing capabilities and security threats
- Information security began with Rand Report R-609 (the paper that started the study of computer security).
- The scope of computer security grew from physical security to include:
  o Safety of data
  o Limiting unauthorized access to data
  o Involvement of personnel from multiple levels of an organization
1.1.3 The 1990s
- Networks of computers became more common; so too did the need to interconnect networks.
- The Internet became the first manifestation of a global network of networks.
- In early Internet deployments, security was treated as a low priority.
- The Internet brings millions of computer networks into communication with each other, many of them unsecured.
- The ability to secure a computer’s data is influenced by the security of every computer to which it is connected.
1.1.4 The Present
- The Internet brings millions of computer networks into communication with each other, many of them unsecured.
- The ability to secure a computer’s data is influenced by the security of every computer to which it is connected.

1.2 INTRODUCTION
- Information technology is the vehicle that stores and transports information, a company’s most valuable resource, from one business unit to another.
- But what happens if the vehicle breaks down, even for a little while?
- As businesses have become more fluid, the concept of computer security has been replaced by the concept of information security.
- Because this new concept covers a broader range of issues, from the protection of data to the protection of human resources, information security is no longer the sole responsibility of a discrete group of people in the company; rather, it is the responsibility of every employee, and especially managers.
Organizations must realize that information security funding and planning decisions involve more than just technical managers. Rather, the process should involve three distinct groups of decision makers, or communities of interest:
- Information security managers and professionals
- Information technology managers and professionals
- Nontechnical business managers and professionals
These communities of interest fulfill the following roles:
- The information security community protects the organization’s information assets from the many threats they face.
- The information technology community supports the business objectives of the organization by supplying and supporting information technology appropriate to the business’s needs.
- The nontechnical general business community articulates and communicates organizational policy and objectives and allocates resources to the other groups.
1.2.1 What is security?
Security: protecting values, information, or assets from unauthorized persons.
Understanding the technical aspects of information security requires that you know the definitions of certain information technology terms and concepts.
In general, security is defined as “the quality or state of being secure—to be free from danger.” Security is often achieved by means of several strategies, usually undertaken simultaneously or used in combination with one another.
Specialized areas of security
- Physical security, which encompasses strategies to protect people, physical assets, and the workplace from various threats including fire, unauthorized access, or natural disasters
- Personal security, which overlaps with physical security in the protection of the people within the organization
- Operations security, which focuses on securing the organization’s ability to carry out its operational activities without interruption or compromise
- Communications security, which encompasses the protection of an organization’s communications media, technology, and content, and its ability to use these tools to achieve the organization’s objectives
- Network security, which addresses the protection of an organization’s data networking devices, connections, and contents, and the ability to use that network to accomplish the organization’s data communication functions
- Information security includes the broad areas of information security management, computer and data security, and network security.
Where is it used?
- Governments, military, financial institutions, hospitals, and private businesses.
- Protecting confidential information is a business requirement.
Information security components are
- Confidentiality
- Integrity
- Availability (CIA)
CIA Triangle
The C.I.A. triangle (confidentiality, integrity, and availability) has expanded into a more comprehensive list of critical characteristics of information.
At the heart of the study of information security is the concept of policy. Policy, awareness, training, education, and technology are vital concepts for the protection of information and for keeping information systems from danger.

Figure 1.1 Components of Information Security

1.3 CRITICAL CHARACTERISTICS OF INFORMATION
- Confidentiality
- Integrity
- Availability
- Privacy
- Identification
- Authentication
- Authorization
- Accountability
- Accuracy
- Utility
- Possession
Confidentiality
Confidentiality of information ensures that only those with sufficient privileges may access certain information. When unauthorized individuals or systems can access information, confidentiality is breached. To protect the confidentiality of information, a number of measures are used:
- Information classification
- Secure document storage
- Application of general security policies
- Education of information custodians and end users
Example: a credit card transaction on the Internet.
- The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored.
- Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.
Integrity
Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being compiled, stored, or transmitted.
- Integrity means that data cannot be modified without authorization.
- E.g.: Integrity is violated when an employee deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a website, when someone is able to cast a very large number of votes in an online poll, and so on.

Availability
Availability is the characteristic of information that enables user access to information without interference or obstruction and in a required format. A user in this definition may be either a person or another computer system.
- Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.
- For any information system to serve its purpose, the information must be available when it is needed.
- E.g.: High-availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades.
Privacy
The information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected. This definition of privacy does not focus on freedom from observation (the meaning usually associated with the word), but rather means that information will be used only in ways known to the person providing it.
Identification
An information system possesses the characteristic of identification when it is able to recognize individual users. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted.
Authentication
Authentication occurs when a control provides proof that a user possesses the identity that he or she claims.
- In computing, e-business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine (i.e. they have not been forged or fabricated).
Authorization
After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset.
Accountability
The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. For example, audit logs that track user activity on an information system provide accountability.
Accuracy
Information should have accuracy. Information has accuracy when it is free from mistakes or errors and it has the value that the end user expects. If information contains a value different from the user’s expectations, due to the intentional or unintentional modification of its content, it is no longer accurate.
Utility
Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful. Thus, the value of information depends on its utility.

Possession
Possession of information is the quality or state of having ownership or control of some object or item.

1.4 NSTISSC SECURITY MODEL

The model comes from the ‘National Security Telecommunications & Information Systems Security Committee’ document. It is now called the National Training Standard for Information Security Professionals.
The NSTISSC Security Model provides a more detailed perspective on security.
- While the NSTISSC model covers the three dimensions of information security, it omits discussion of detailed guidelines and policies that direct the implementation of controls.
- Another weakness of this model, when used with too limited an approach, is viewing it from a single perspective.
- The three elements on each of the three axes form a 3x3x3 cube with 27 cells, each representing an area that must be addressed to secure today’s information systems.
- To ensure system security, each of the 27 cells must be properly addressed during the security process.
- For example, the intersection between technology, integrity and storage requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage.

Fig 1.2 NSTISSC Security Model
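As an added example (not from these notes or the textbook), the following Python script models the 27-cell cube and reports which cells a control inventory leaves unaddressed. The axis labels assumed here (policy / education / technology for security measures, storage / processing / transmission for information states) are the standard NSTISSC (McCumber) cube names, and the control inventory is constructed for illustration.

```python
"""Coverage check for the NSTISSC (McCumber) security model.

The model is a 3x3x3 cube: information goals x security measures x
information states. Each of the 27 cells must be addressed by at least
one control. This script maps a control inventory onto the cube and
reports the cells that no control covers.
"""
from dataclasses import dataclass
from itertools import product

# Axis labels of the NSTISSC/McCumber cube (standard names, assumed here).
GOALS = ("confidentiality", "integrity", "availability")
MEASURES = ("policy", "education", "technology")
STATES = ("storage", "processing", "transmission")
AXES = {"goals": GOALS, "measures": MEASURES, "states": STATES}


@dataclass(frozen=True)
class Control:
    """One safeguard and the slice of the cube it is claimed to address."""
    name: str
    goals: frozenset
    measures: frozenset
    states: frozenset

    def validate(self) -> None:
        # Reject labels that are not on the cube, so a typo cannot fake coverage.
        for axis, chosen in (("goals", self.goals),
                             ("measures", self.measures),
                             ("states", self.states)):
            unknown = chosen - set(AXES[axis])
            if unknown:
                raise ValueError(f"{self.name}: unknown {axis} {sorted(unknown)}")

    def cells(self):
        """Every (goal, measure, state) cell this control touches."""
        return set(product(self.goals, self.measures, self.states))


def all_cells():
    """All 27 cells of the cube."""
    return set(product(GOALS, MEASURES, STATES))


def coverage(controls):
    """Return (covered, gaps).

    covered maps each addressed cell to the names of the controls addressing it;
    gaps is the sorted list of cells that no control addresses.
    """
    covered = {}
    for control in controls:
        control.validate()
        for cell in control.cells():
            covered.setdefault(cell, []).append(control.name)
    gaps = sorted(all_cells() - covered.keys())
    return covered, gaps


def _s(*labels):
    return frozenset(labels)


def sample_controls():
    """Constructed inventory for a small organization (illustrative only)."""
    return [
        Control("Full-disk encryption on laptops",
                _s("confidentiality"), _s("technology"), _s("storage")),
        Control("TLS on all service traffic",
                _s("confidentiality", "integrity"), _s("technology"), _s("transmission")),
        Control("Backup and restore policy",
                _s("availability"), _s("policy"), _s("storage")),
        Control("Annual security awareness training",
                _s(*GOALS), _s("education"), _s(*STATES)),
        Control("Acceptable use policy",
                _s(*GOALS), _s("policy"), _s(*STATES)),
    ]


def report(controls):
    """Human-readable summary: how many cells are addressed and which are not."""
    covered, gaps = coverage(controls)
    lines = [f"{len(covered)}/27 cells addressed, {len(gaps)} gaps:"]
    for goal, measure, state in gaps:
        lines.append(f"  - {goal} / {measure} / {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(sample_controls()))
```

With the constructed inventory, every remaining gap lies on the technology axis, including the integrity/technology/storage cell the notes use as their example.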

1.5 COMPONENTS OF AN INFORMATION SYSTEM
- Software
- Hardware
- Data
- People
- Procedures
- Networks
Software
- The software components of an IS comprise applications, operating systems, and assorted command utilities.
- Software programs are the vessels that carry the lifeblood of information through an organization.
- These are often created under the demanding constraints of project management, which limit time, cost, and manpower.
Hardware
- Hardware is the physical technology that houses and executes the software, stores and carries the data, and provides interfaces for the entry and removal of information from the system.
- Physical security policies deal with hardware as a physical asset and with the protection of these physical assets from harm or theft.
- Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system.
- Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information.
- Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted access to the hardware is possible.
Data
- Data stored, processed, and transmitted through a computer system must be protected.
- Data is often the most valuable asset possessed by an organization and is the main target of intentional attacks.
- Data is the raw, unorganized, discrete (separate, isolated), potentially useful facts and figures that are later processed (manipulated) to produce information.
People
There are many roles for people in information systems. Common ones include
- Systems Analyst
- Programmer
- Technician
- Engineer
- Network Manager
- MIS (Manager of Information Systems)
- Data entry operator
Procedures
- A procedure is a series of documented actions taken to achieve something.
- A procedure is more than a single simple task.
- A procedure can be quite complex and involved, such as performing a backup, shutting down a system, or patching software.
Networks
- When information systems are connected to each other to form Local Area Networks (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge.
- Steps to provide network security are essential, as is the implementation of alarm and intrusion systems to make system owners aware of ongoing compromises.

1.6 SECURING COMPONENTS

- Protecting the components from potential misuse and abuse by unauthorized users.
Subject of an attack: the computer is used as an active tool to conduct the attack.
Object of an attack: the computer itself is the entity being attacked.
1.6.1 Two types of attacks
- Direct attack
- Indirect attack

Fig 1.3 Computer as the Subject and Object of an Attack

Direct attack
When a hacker uses his personal computer to break into a system. [Originates from the threat itself.]
Indirect attack
When a system is compromised and used to attack other systems. [Originates from a system or resource that itself has been attacked, and is malfunctioning or working under the control of a threat.]
A computer can, therefore, be both the subject and object of an attack when, for example, it is first the object of an attack and then compromised and used to attack other systems, at which point it becomes the subject of an attack.

1.7 BALANCING INFORMATION SECURITY AND ACCESS

- An information system has to provide security while still leaving the information accessible for its application.
- Information security cannot be an absolute: it is a process, not a goal. It should balance protection and availability.

Fig 1.4 Balancing Information Security and Access

1.7.1 Approaches to Information Security Implementation
- Bottom-up approach
- Top-down approach
  o Has a higher probability of success.
  o The project is initiated by upper-level managers who issue policy, procedures and processes.
  o They dictate the goals and expected outcomes of the project.
  o They determine who is suitable for each of the required actions.

Fig 1.5 Approaches to Information Security Implementation

1.8 THE SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC)

Fig. 1.6 Systems Development Life Cycle (SDLC)


1.8.1 SDLC Waterfall Methodology
SDLC is a methodology for the design and implementation of an information system in an organization.
- A methodology is a formal approach to solving a problem based on a structured sequence of procedures.
- SDLC consists of 6 phases.
Investigation
- It is the most important phase and it begins with an examination of the event or plan that initiates the process.
- During this phase, the objectives, constraints, and scope of the project are specified.
- At the conclusion of this phase, a feasibility analysis is performed, which assesses the economic, technical and behavioral feasibilities of the process and ensures that implementation is worth the organization’s time and effort.
Analysis
- It begins with the information gained during the investigation phase.
- It consists of assessments (quality) of the organization, the status of current systems, and the capability to support the proposed systems.
- Analysts begin by determining what the new system is expected to do, and how it will interact with existing systems.
- This phase ends with the documentation of the findings and an update of the feasibility analysis.
Logical Design
- In this phase, the information gained from the analysis phase is used to begin creating a systems solution for a business problem.
- Based on the business need, applications are selected that are capable of providing needed services.
- Based on the applications needed, data support and structures capable of providing the needed inputs are then chosen.
- In this phase, analysts generate a number of alternative solutions, each with corresponding strengths and weaknesses, and costs and benefits.
- At the end of this phase, another feasibility analysis is performed.
Physical design
- In this phase, specific technologies are selected to support the solutions developed in the logical design.
- The selected components are evaluated based on a make-or-buy decision.
- Final designs integrate various components and technologies.
Implementation
- In this phase, any needed software is created.
- Components are ordered, received and tested.
- Afterwards, users are trained and supporting documentation is created.
- Once all the components are tested individually, they are installed and tested as a system.
- Again a feasibility analysis is prepared, and the sponsors are then presented with the system for a performance review and acceptance test.
Maintenance and change
- It is the longest and most expensive phase of the process.
- It consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle.
- Periodically, the system is tested for compliance with business needs.
- Upgrades, updates, and patches are managed.
- As the needs of the organization change, the systems that support the organization must also change.
- When a current system can no longer support the organization, the project is terminated and a new project is implemented.

1.9 THE SECURITY SYSTEMS DEVELOPMENT LIFE CYCLE (SEC SDLC)

- The same phases used in the traditional SDLC can be adapted to support the implementation of an information security project.
Investigation
- This phase begins with a directive from upper management, dictating the process, outcomes, and goals of the project, as well as its budget and other constraints.
- Frequently, this phase begins with an enterprise information security policy, which outlines the implementation of a security program within the organization.
- Teams of responsible managers, employees, and contractors are organized.
- Problems are analyzed.
- The scope of the project, as well as specific goals and objectives, and any additional constraints not covered in the program policy, are defined.
- Finally, an organizational feasibility analysis is performed to determine whether the organization has the resources and commitment necessary to conduct a successful security analysis and design.
Analysis
- In this phase, the documents from the investigation phase are studied.
- The development team conducts a preliminary analysis of existing security policies or programs, along with that of documented current threats and associated controls.
- The risk management task also begins in this phase.
  o Risk management is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization’s security and to the information stored and processed by the organization.
Logical design
- This phase creates and develops the blueprints for information security, and examines and implements key policies.
- The team plans the incident response actions.
- It plans the business response to disaster.
- It determines the feasibility of continuing and outsourcing the project.
Physical design
- In this phase, the information security technology needed to support the blueprint outlined in the logical design is evaluated.
- Alternative solutions are generated.
- Designs for physical security measures to support the proposed technological solutions are created.
- At the end of this phase, a feasibility study should determine the readiness of the organization for the proposed project.
- At this phase, all parties involved have a chance to approve the project before implementation begins.
Implementation
- Similar to the traditional SDLC.
- The security solutions are acquired (made or bought), tested, implemented, and tested again.
- Personnel issues are evaluated and specific training and education programs are conducted.
- Finally, the entire tested package is presented to upper management for final approval.
Maintenance and change
- Constant monitoring, testing, modification, updating, and repairing to meet changing threats are done in this phase.

1.9.1 Security Professionals and the organization
Senior management
- The Chief Information Officer (CIO) is responsible for
  o Assessment
  o Management
  o And implementation of information security in the organization
Information Security Project Team
- Champion
  o Promotes the project
  o Ensures its support, both financially and administratively
- Team Leader
  o Understands project management
  o Personnel management
  o And information security technical requirements
- Security policy developers
  o Individuals who understand the organizational culture and existing policies
  o Requirements for developing and implementing successful policies
- Risk assessment specialists
  o Individuals who understand financial risk assessment techniques
  o The value of organizational assets, and the security methods to be used
- Security Professionals
  o Dedicated
  o Trained, and well educated specialists in all aspects of information security from both a technical and non-technical standpoint
- System Administrators
  o Administering the systems that house the information used by the organization
- End users

Data Owners
- Responsible for the security and use of a particular set of information.
- Determine the level of data classification.
- Work with subordinate managers to oversee the day-to-day administration of the data.

Data Custodians
- Responsible for the storage, maintenance, and protection of the information.
- Overseeing data storage and backups.
- Implementing the specific procedures and policies.
Data Users (End users)
- Work with the information to perform their daily jobs supporting the mission of the organization.
- Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.
1.9.2 Key Terms in Information Security Terminology
Asset
 An asset is the organizational resource that is being protected.
 An Asset can be logical ,such as
o Website, information or data
 Asset can be physical, such as
o person , computer system
Attack
 An attack is an intentional or unintentional attempt to cause damage to or
otherwise compromise the information and /or the systems that support it.
 If someone casually reads sensitive information not intended for his use,
this is considered a passive attack.
 If a hacker attempts to break into an information system, the attack is
considered active.
Risk
 Risk is the probability that something can happen. In information security,
it could be the probability of a threat to a system.
Security Blueprint
 It is the plan for the implementation of new security measures in the
organization. Sometimes called a frame work, the blueprint presents an
organized approach to the security planning process.
Security Model
 A security model is a collection of specific security rules that represents
the implementation of a security policy.
Threats
 A threat is a category of objects, persons, or other entities that pose a
potential danger to an asset. Threats are always present.
 Some threats manifest themselves in accidental occurrences, while others
are purposeful.
 For example, all hackers represent potential danger or threat to an
unprotected information system. Severe storms are also a threat to
buildings and their contents.

14
Threat agent
 A threat agent is the specific instance or component of a threat.
 For example, you can think of all hackers in the world as a collective
threat, and Kevin Mitnick, who was convicted for hacking into phone
systems, as a specific threat agent.
 Likewise, a specific lightning strike, hailstorm, or tornado is a threat agent
that is part of the threat of severe storms.
Vulnerability
 Weaknesses or faults in a system or protection mechanism that expose
information to attack or damage are known as vulnerabilities.
 Vulnerabilities that have been examined, documented, and published are
referred to as well-known vulnerabilities.
Exposure
 The exposure of an information system is a single instance when the
system is open to damage.
 Vulnerabilities can cause an exposure to potential damage or attack from
a threat.
 Total exposure is the degree to which an organization’s assets are at risk
of attack from a threat.
Chapter 2

2.1 NEEDS OF SECURITY

 Increasing threat of attacks.
 Availability of a number of tools and resources on the Internet that may be
used to attack systems.
 Fast growth of computer networking for information sharing.
 Enterprise systems connected in a network share confidential information.
 Products launched on the Internet concentrate more on ease of use than on
security.
 Lack of specialized resources that may be allotted for security systems.
Methods available to solve the problem:
 Examine the risks of security in computing
 Consider available countermeasures or controls
 Stimulate thought about uncovered vulnerabilities
 Identify areas where more work is needed.

2.2 BUSINESS NEEDS FIRST

Information security performs four important functions for an organization:
o Protects the organization’s ability to function
o Enables the safe operation of applications implemented on the
organization’s IT systems.
o Protects the data the organization collects and uses.
o Safeguards the technology assets in use at the organization.
1. Protecting the functionality of an organization
 Management (general and IT) is responsible for implementation
 Information security is both a management issue and a people issue
 The organization should address information security in terms of business
impact and cost
2. Enabling the safe operation of applications
 Organizations must create integrated, efficient, and capable applications
 Organizations need environments that safeguard applications
 Management must not abdicate to the IT department its responsibility to
make choices and enforce decisions
3. Protecting Data
 One of the most valuable assets is data
 Without data, an organization loses its record of transactions and/or its
ability to deliver value to its customers.
 An effective information security program is essential to the protection of
the integrity and value of the organization’s data; the value of data
motivates attackers to steal, sabotage, or corrupt it.
 It is essential for the protection of the integrity and value of the
organization’s data
4. Safeguarding Technology Assets
 Organizations must have secure infrastructure services based on the size
and scope of the enterprise
 Additional security services may have to be provided
 More robust solutions may be needed to replace security programs the
organization has outgrown
o Organizational growth could lead to the need for a public key
infrastructure (PKI), an integrated system of software and encryption
methodologies.

2.3 THREATS
To protect the organization’s information, one should be familiar with the
information to be protected and the systems that store, transport, and process it,
and the threats to it must be identified.
To make sound decisions about information security, create policies, and
enforce them, management must be informed of the various kinds of threats
facing the organization, its applications, data and information systems.
Threats
 A threat is an object, person, or other entity that represents a constant
danger to an asset
 Management must be informed of the various kinds of threats facing the
organization, its applications, data and information systems.
 To better understand the numerous threats facing the organization, a
categorization scheme has been developed allowing us to group threats by
their respective activities.
 By examining each threat category in turn, management can most
effectively protect its information through policy, education and training, and
technology controls.
 The 2004 CSI/FBI survey found:
 79 percent of organizations reported cyber security breaches within the last
12 months
 54 percent of those organizations reported financial losses totaling over
$141 million
2.3.1 Types of threats:
o Interception: some unauthorized party has gained access to an asset.
o Interruption: an asset of the system becomes lost, unavailable or
unusable.
o Modification: an unauthorized party not only accesses but tampers with
an asset.
o Fabrication: an unauthorized party might create a fabrication of
counterfeit objects on a computer system.
Table 2.1 Threats to Information Security

1. Acts of Human Error or Failure:

 Acts performed without intent or malicious purpose by an authorized user.
 This category includes the possibility of acts performed without intent or
malicious purpose by an individual who is an employee of an organization.
 Inexperience, improper training, the making of incorrect assumptions, and
other circumstances can cause problems.
One of the greatest threats to an organization’s information security is the
organization’s own employees.
 Entry of erroneous data
 Accidental deletion or modification of data
 Storage of data in unprotected areas
 Failure to protect information can be prevented with
o Training
o Ongoing awareness activities
o Verification by a second party
o Many military applications have robust, dual-approval controls built
in.
Fig 2.1 Acts of Human Error or failure
2. Compromises to Intellectual Property
 Intellectual property is “the ownership of ideas and control over the tangible
or virtual representation of those ideas”
 Many organizations are in business to create intellectual property
o trade secrets
o copyrights
o trademarks
o patents
 Most common IP breaches involve software piracy
 Watchdog organizations investigate:
o Software & Information Industry Association (SIIA)
o Business Software Alliance (BSA)
Protective measures
 Enforcement of copyright has been attempted with technical security
mechanisms, such as using digital watermarks and embedded code.
 The most common reminder of the individual’s obligation to fair and
responsible use is the license agreement window that usually pops up
during the installation of new software.
3. Deliberate Acts of Espionage or Trespass
Espionage/Trespass
 Electronic and human activities that can breach the confidentiality of
information.
 When an unauthorized individual gains access to the information an
organization is trying to protect, the act is categorized as espionage or
trespass.
 Attackers can use many different methods to access the information stored
in an information system.
 Broad category of activities that breach confidentiality
o Unauthorized accessing of information
o Competitive intelligence vs. espionage
o Shoulder surfing can occur any place a person is accessing
confidential information
 Controls implemented to mark the boundaries of an organization’s virtual
territory giving notice to trespassers that they are encroaching on the
organization’s cyberspace
 Hackers use skill, guile, or fraud to steal the property of someone else

Fig 2.2 Shoulder Surfing

Trespass
 Can lead to unauthorized real or virtual actions that enable information
gatherers to enter premises or systems they have not been authorized to
enter.
 Sound principles of authentication & authorization can help organizations
protect valuable information and systems.
Hackers
 The classic perpetrator of deliberate acts of espionage or trespass is the
hacker.
 Hackers are “people who use and create computer software [to] gain
access to information illegally”
Expert hacker vs unskilled hacker
 Generally two skill levels among hackers:
o Expert hacker
 develops software scripts and codes exploits
 usually a master of many skills
 will often create attack software and share with others
o Unskilled hacker (script kiddies)
 hackers of limited skill
 use expert-written software to exploit a system
 do not usually fully understand the systems they hack
 Other terms for system rule breakers:
o Cracker - an individual who “cracks” or removes protection designed
to prevent unauthorized duplication
o Phreaker - hacks the public telephone network

Fig 2.3 Hacker Profiles

4. Deliberate Acts of Information Extortion (obtaining by force or threat)
 Information extortion is an attacker or formerly trusted insider stealing
information from a computer system and demanding compensation for its
return or non-use.
 Extortion is found in credit card number theft (a Russian hacker named
Maxus hacked an online vendor and stole several hundred thousand
credit card numbers.
o He posted the credit card numbers to a web site when the company
refused to pay the $100,000 blackmail.)
5. Deliberate Acts of Sabotage or Vandalism
An attack on the image of an organization can be serious, such as defacing a
web site.
 An individual or group who wants to deliberately sabotage the operations of
a computer system or business, or perform acts of vandalism to either
destroy an asset or damage the image of the organization
 These threats can range from petty vandalism to organized sabotage
 Organizations rely on image, so Web defacing can lead to dropping
consumer confidence and sales
 Rising threat of hacktivist or cyber-activist operations; the most extreme
version is cyber-terrorism
 Cyber-terrorism: cyber-terrorists hack systems to conduct terrorist
activities through network or Internet pathways.
6. Deliberate Acts of Theft
 Illegal taking of another’s property - physical, electronic, or intellectual
 The value of information suffers when it is copied and taken away without
the owner’s knowledge
 Physical theft can be controlled - a wide variety of measures used from
locked doors to guards or alarm systems
 Electronic theft is a more complex problem to manage and control -
organizations may not even know it has occurred
7. Deliberate Software Attacks
 Caused by malicious code, also called malicious software or, sometimes,
malware.
 These software components are designed to damage, destroy or deny
service to the target system.
 The more common instances are
o Viruses
o Worms
o Trojan horses
o Logic bombs
o Backdoors
 The British Internet Service Provider Cloudnine is said to be the first
business “hacked out of existence”.
Virus
 Segments of code that perform malicious actions.
 Viruses are commonly transmitted when e-mail attachment files are opened.
 Macro virus: embedded in automatically executing macro code common
in word processors, spreadsheets and database applications.
 Boot virus: infects the key operating files located in the computer’s boot
sector.
Worms
 A worm is a malicious program that replicates itself constantly, without
requiring another program to provide a safe environment for replication.
 Worms can continue replicating themselves until they completely fill
available resources, such as memory, hard drive space, and network
bandwidth.
 E.g., MS-Blaster, MyDoom and Netsky are multifaceted attack worms.
 Once the worm has infected a computer, it can redistribute itself to all
e-mail addresses found on the infected system.
 Furthermore, a worm can deposit copies of itself onto all Web servers that
the infected systems can reach, so that users who subsequently visit
those sites become infected.
Trojan Horses
 Trojan horses are software programs that hide their true nature and reveal
their designed behavior only when activated.

Fig 2.4 Trojan horse Attack
1. Trojan horse arrives via e-mail or software such as free games.
2. Trojan horse is activated when the software or attachment is executed.
3. Trojan horse releases its payload, monitors computer activity, installs a
back door, or transmits information to the hacker.


Logic Bomb
A logic bomb is a class of malicious code that "detonates" or goes off
when a specified condition occurs.
Back Door or Trap Door
 A virus or worm has a payload that installs a backdoor or trapdoor
component in a system, which allows the attacker to access the system at
will with special privileges.
E.g., Back Orifice
Polymorphism
 A Polymorphic threat is one that changes its apparent shape over time,
making it undetectable by techniques that look for preconfigured
signatures.
 These viruses and Worms actually evolve, changing their size, and
appearance to elude detection by antivirus software programs.
2.3.2 Virus & Worm Hoaxes
Types of Trojans
o Data-sending Trojans
o Proxy Trojans
o FTP Trojans
o Security software disabler Trojans
o Denial-of-service attack (DoS) Trojans
Virus
A program or piece of code that is loaded onto your computer without
your knowledge and runs against your wishes.
Worm
A program or algorithm that replicates itself over a computer network and
usually performs malicious actions.
Trojan Horse
A destructive program that masquerades as a benign application; unlike
viruses, Trojan horses do not replicate themselves.
Blended threat
Blended threats combine the characteristics of viruses, worms, Trojan horses
and malicious code with server and Internet vulnerabilities.
Antivirus Program
A utility that searches a hard disk for viruses and removes any that it finds.
Forces of Nature
 Forces of nature, force majeure, or acts of God are dangerous because
they are unexpected and can occur with very little warning
 Can disrupt not only the lives of individuals, but also the storage,
transmission, and use of information
 Include fire, flood, earthquake, and lightning as well as volcanic eruption
and insect infestation
Fire: Structural fire that damages the building. Also encompasses smoke
damage from a fire or water damage from sprinkler systems.
Flood: Can sometimes be mitigated with flood insurance and/or business
interruption insurance.
Earthquake: Can sometimes be mitigated with specific casualty insurance
and/or business interruption insurance, but it is usually a separate policy.
Lightning: An Abrupt, discontinuous natural electric discharge in the
atmosphere.
Landslide/Mudslide: The downward sliding of a mass of earth & rocks
directly damaging all parts of the information systems.
 Since it is not possible to avoid many of these threats, management must
implement controls to limit damage and also prepare contingency plans for
continued operations
o Tornado/Severe Windstorm:
o Hurricane/typhoon:
o Tsunami:
o Electrostatic Discharge (ESD):
o Dust Contamination:
Since it is not possible to avoid force of nature threats, organizations must
implement controls to limit damage.
 They must also prepare contingency plans for continued operations, such
as disaster recovery plans, business continuity plans, and incident
response plans, to limit losses in the face of these threats.
Deviations in Quality of Service
 A product or service is not delivered to the organization as expected.
 The Organization’s information system depends on the successful
operation of many interdependent support systems.
 These include power grids, telecom networks, parts suppliers, service
vendors, and even the janitorial staff and garbage haulers.
 This degradation of service is a form of availability disruption.
2.3.3 Internet Service Issues
 Internet service provider (ISP) failures can considerably undermine the
availability of information.
 Web hosting services are usually arranged with an agreement
providing minimum service levels, known as a Service Level Agreement
(SLA).
 When a Service Provider fails to meet SLA, the provider may accrue fines
to cover losses incurred by the client, but these payments seldom cover the
losses generated by the outage.
Communications & Other Service Provider Issues
 Other utility services that can affect the organization are telephone, water,
waste water, trash pickup, cable television, natural or propane gas, and
custodial services.
 The loss of these services can impair the ability of an organization to
function.
 For example, if the waste water system fails, an organization might be
prevented from allowing employees into the building.
 This would stop normal business operations.
Power Irregularities
 Fluctuations due to power excesses
 Power shortages
 Power losses
These can pose problems for organizations that provide inadequately
conditioned power for their information systems equipment.
 When voltage levels spike (experience a momentary increase) or surge
(experience a prolonged increase), the extra voltage can severely damage or
destroy equipment.
 The more expensive uninterruptible power supply (UPS) can protect
against spikes and surges.
Technical Hardware Failures or Errors
 Technical hardware failures or errors occur when a manufacturer
distributes to users equipment containing flaws
 These defects can cause the system to perform outside of expected
parameters, resulting in unreliable service or lack of availability
 Some errors are terminal, in that they result in the unrecoverable loss of the
equipment
 Some errors are intermittent, in that they only periodically manifest
themselves, resulting in faults that are not easily repeated
Technical software failures or errors
 This category of threats comes from purchasing software with unrevealed
faults
 Large quantities of computer code are written, debugged, published, and
sold only to determine that not all bugs were resolved
 Sometimes, unique combinations of certain software and hardware reveal
new bugs
 Sometimes, these items aren’t errors, but are purposeful shortcuts left by
programmers for honest or dishonest reasons
Technological obsolescence
 When the infrastructure becomes antiquated or outdated, it leads to
unreliable and untrustworthy systems
 Management must recognize that when technology becomes outdated,
there is a risk of loss of data integrity to threats and attacks
 Ideally, proper planning by management should prevent the risks from
technology obsolescence, but when obsolescence is identified, management
must take action

2.4 ATTACKS
 An attack is an act or action that takes advantage of a vulnerability to
compromise a controlled system.
 An attack is the deliberate act that exploits a vulnerability.
 It is accomplished by a threat agent to damage or steal an organization’s
information or physical asset.
o An exploit is a technique to compromise a system
o A vulnerability is an identified weakness of a controlled system
whose controls are not present or are no longer effective
o An attack is then the use of an exploit to achieve the compromise of
a controlled system
2.4.1 Malicious code
 The malicious code attack includes the execution of viruses, worms, Trojan
horses, and active Web scripts with the intent to destroy or steal
information.
 The state-of-the-art malicious code attack is the polymorphic, or
multivector, worm.
 These attack programs use up to six known attack vectors to exploit a
variety of vulnerabilities in commonly found information system devices.
2.4.2 Attack Replication Vectors
1. IP scan & attack
2. Web browsing
3. Virus
4. Unprotected shares
5. Mass mail
6. Simple Network Management Protocol (SNMP)
1. IP scan & attack
The infected system scans a random or local range of IP addresses and
targets any of several vulnerabilities known to hackers.
2. Web browsing
If the infected system has write access to any Web pages, it makes all Web
content files (.html,.asp,.cgi & others) infectious, so that users who browse to
those pages become infected.
3. Virus
Each infected machine infects certain common executable or script files on
all computers to which it can write with virus code that can cause infection.
4. Unprotected shares
Using vulnerabilities in file systems and the way many organizations
configure them, the infected machine copies the viral component to all locations it
can reach.
5. Mass Mail
By sending e-mail infections to addresses found in the address book, the
infected machine infects many users, whose mail-reading programs also
automatically run the program and infect other systems.
6. Simple Network Management Protocol (SNMP)
 By using the widely known and common passwords that were employed in
early versions of this protocol, the attacking program can gain control of
the device. Most vendors have closed these vulnerabilities with software
upgrades.
Hoaxes
 A more devious approach to attacking computer systems is the
transmission of a virus hoax with a real virus attached.
 Even though the users who forward the hoax are trying to avoid infection,
they end up sending the attack on to their co-workers.
Backdoors
 Using a known or previously unknown and newly discovered access
mechanism, an attacker can gain access to a system or network resource
through a back door.
 Sometimes these entries are left behind by system designers or
maintenance staff, and thus referred to as trap doors.
 A trap door is hard to detect, because very often the programmer who puts
it in place also makes the access exempt from the usual audit logging
features of the system.
Password Crack
 Attempting to reverse-calculate a password is often called cracking.
 A candidate password can be hashed using the same algorithm and compared
to the stored hash; if they are the same, the password has been cracked.
 The Security Account Manager (SAM) file contains the hashed
representation of the user’s password.
Brute Force
 The application of computing & network resources to try every possible
combination of options of a password is called a Brute force attack.
 Because this is often an attempt to repeatedly guess passwords to commonly
used accounts, it is sometimes called a password attack.
Dictionary
 This is another form of the brute force attack noted above for guessing
passwords.
 The dictionary attack narrows the field by selecting specific accounts to
attack and uses a list of commonly used passwords instead of random
combinations.
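The hash-and-compare step behind password cracking, and the reason salted, iterated storage blunts a dictionary attack, as an added example that is not part of the lecture notes. It audits a constructed credential store against a constructed wordlist from the defender's side; the store contents, the wordlist and the iteration count are assumptions.

```python
"""Offline password audit of a constructed credential store (added example,
not from the lecture notes).  It performs the comparison the text describes:
hash a candidate with the same algorithm as the store and compare digests.
Run by a defender against a copy of their own store with a list of commonly
used passwords, this is a dictionary-style audit; the salted, iterated store
at the end shows why the same comparison becomes costly per account."""
import hashlib
import os

# Constructed unsalted store: username -> SHA-256(password) hex digest.
# Two accounts share a password, so they share a hash: with unsalted
# storage one hash computation tests every account at once.
UNSALTED_STORE = {
    "alice": hashlib.sha256(b"password").hexdigest(),
    "bob":   hashlib.sha256(b"letmein").hexdigest(),
    "carol": hashlib.sha256(b"Xq7#v9!Lm2pR").hexdigest(),  # not in the wordlist
    "dave":  hashlib.sha256(b"password").hexdigest(),      # same hash as alice
}

# Constructed stand-in for a list of commonly used passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "admin"]

# Iteration count kept low so the example runs quickly; production
# deployments use far larger counts (assumption for this demo only).
ITERATIONS = 20_000


def audit_unsalted(store, wordlist):
    """Return {username: weak_password} for each account whose stored hash
    equals the hash of a wordlist entry.  Each word is hashed exactly once;
    the digest is then looked up for every account."""
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in store.items() if h in lookup}


def make_salted_record(password, iterations=ITERATIONS):
    """Hardened storage: a random per-user salt plus an iterated KDF
    (PBKDF2-HMAC-SHA256).  Returns (salt, digest, iterations)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


# The same four passwords stored the hardened way.
SALTED_STORE = {
    "alice": make_salted_record("password"),
    "bob":   make_salted_record("letmein"),
    "carol": make_salted_record("Xq7#v9!Lm2pR"),
    "dave":  make_salted_record("password"),
}


def audit_salted(store, wordlist):
    """Same audit against the salted store.  Because every record has its own
    salt, each (account, word) pair needs its own KDF computation, so the
    work grows with accounts * words * iterations rather than with the
    wordlist alone."""
    weak = {}
    for user, (salt, digest, iterations) in store.items():
        for w in wordlist:
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == digest:
                weak[user] = w
                break
    return weak


def hash_invocations(n_accounts, n_words, salted):
    """Number of hash/KDF calls the two audits make for the given sizes."""
    return n_words * (n_accounts if salted else 1)


if __name__ == "__main__":
    print("unsalted store:", audit_unsalted(UNSALTED_STORE, WORDLIST))
    print("salted store:  ", audit_salted(SALTED_STORE, WORDLIST))
```

Both audits find the same three weak accounts, but alice and dave no longer share a digest in the salted store, and the salted audit needs one KDF call per (account, word) pair instead of one hash per word.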
2.4.3 Denial-of-Service (DoS) & Distributed Denial-of-Service (DDoS)
o The attacker sends a large number of connection or information requests
to a target.
o So many requests are made that the target system cannot handle
them successfully along with other, legitimate requests for service.
o This may result in a system crash, or merely an inability to perform
ordinary functions.
 DDoS is an attack in which a coordinated stream of requests is launched
against a target from many locations at the same time.

Fig 2.5 Denial of Service Attacks

2.4.4 Spoofing

Fig 2.6 IP spoofing

 It is a technique used to gain unauthorized access to computers, wherein
the intruder sends messages to a computer with an IP address that
indicates that the messages are coming from a trusted host.
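Two defender-side checks drawn from the DoS/DDoS section and the spoofing section above, as an added example that is not part of the lecture notes: a per-target request count that separates a single-source flood from a coordinated multi-source one, and an ingress filter that flags packets arriving from outside with an internal source address. The log, the interface name, the address ranges and the thresholds are all constructed assumptions.

```python
"""Flood and spoof checks over a constructed connection log (added example,
not from the lecture notes).
  * DoS / DDoS: count connection requests per target in a fixed time window;
    a flood from one source is the DoS pattern, the same volume spread over
    many sources is the DDoS pattern.
  * IP spoofing: a packet that arrives on the external interface but claims a
    source address inside the organization's own address space cannot be
    genuine, so an ingress filter drops it.
Thresholds, the interface name and the address ranges are assumptions."""
import ipaddress
from collections import defaultdict

# Assumed internal address space of the organization.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def build_sample_log():
    """Constructed log of connection requests:
    (timestamp_ms, interface, source_ip, destination_ip)."""
    log = []
    # Background traffic: five sources, one request each, one per second.
    for i in range(5):
        log.append((i * 1000, "ext", f"198.51.100.{i + 1}", "10.0.0.5"))
    # DoS pattern: a single source sends 60 requests 30 ms apart.
    for i in range(60):
        log.append((10_000 + i * 30, "ext", "203.0.113.7", "10.0.0.5"))
    # DDoS pattern: 40 distinct sources, one request each, 20 ms apart.
    for i in range(40):
        log.append((20_000 + i * 20, "ext", f"192.0.2.{i + 1}", "10.0.0.8"))
    # Spoofed packet: external interface, source claims to be internal.
    log.append((30_000, "ext", "10.0.0.9", "10.0.0.5"))
    return log


def flood_report(log, window_ms=1000, min_requests=30, ddos_min_sources=10):
    """Bucket requests by (destination, window).  A bucket holding at least
    min_requests is a flood; it is labelled DDoS when the requests come from
    ddos_min_sources or more distinct addresses, otherwise DoS.
    Returns a sorted list of (dest, window, label, requests, distinct_sources)."""
    buckets = defaultdict(list)
    for ts, _iface, src, dst in log:
        buckets[(dst, ts // window_ms)].append(src)
    report = []
    for (dst, win), sources in sorted(buckets.items()):
        if len(sources) < min_requests:
            continue
        distinct = len(set(sources))
        label = "DDoS" if distinct >= ddos_min_sources else "DoS"
        report.append((dst, win, label, len(sources), distinct))
    return report


def is_internal(ip):
    """True when ip lies in one of the organization's internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def spoofed_packets(log, external_iface="ext"):
    """Ingress filter: packets seen on the external interface whose source
    address is internal.  Returns (timestamp_ms, source, destination)."""
    return [(ts, src, dst) for ts, iface, src, dst in log
            if iface == external_iface and is_internal(src)]


if __name__ == "__main__":
    sample = build_sample_log()
    for entry in flood_report(sample):
        print("flood:", entry)
    for entry in spoofed_packets(sample):
        print("spoofed:", entry)
```

On the constructed log the report flags one DoS window (34 requests from a single address) and one DDoS window (40 requests from 40 addresses), and the ingress filter flags the single packet whose source claims to be 10.0.0.9.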
2.4.5 Man-in-the-Middle
 Also called a TCP hijacking attack.
 An attacker monitors packets from the network, modifies them, and inserts
them back into the network.
 This type of attack uses IP spoofing.
 It allows the attacker to change, delete, reroute, add, forge or divert data.
 In a TCP hijacking session, the spoofing involves the interception of an
encryption key exchange.

Fig. 2.7 Man in the middle attack

2.4.6 SPAM
 Spam is unsolicited commercial e-mail.
 It has been used to make malicious code attacks more effective.
 Spam is considered a trivial nuisance rather than an attack.
 It is, however, a waste of both computer and human resources, caused by
the flow of unwanted e-mail.
Mail Bombing
 Another form of e-mail attack that is also a DoS attack is called a mail bomb.
 The attacker routes large quantities of e-mail to the target.
 The target of the attack receives unmanageably large volumes of
unsolicited e-mail.
 By sending large e-mails, attackers can take advantage of poorly
configured e-mail systems on the Internet and trick them into sending many
e-mails to an address chosen by the attacker.
 The target e-mail address is buried under thousands or even millions of
unwanted e-mails.
Sniffers
 A sniffer is a program or device that can monitor data traveling over a
network.
 Unauthorized sniffers can be extremely dangerous to a network’s security,
because they are virtually impossible to detect and can be inserted almost
anywhere.
 Sniffers often work on TCP/IP networks, where they are sometimes called
“packet sniffers”.
Social Engineering
 It is the process of using social skills to convince people to reveal access
credentials or other valuable information to the attacker.
 An attacker gets more information by calling others in the company and
asserting his/her authority by mentioning the chief’s name.
Buffer Overflow
 A buffer overflow is an application error that occurs when more data is sent
to a buffer than it can handle.
 An attacker can use the overflow to make the target system execute instructions.
Timing Attack
 Works by exploring the contents of a web browser’s cache.
 These attacks allow a Web designer to create a malicious form of cookie,
that is stored on the client’s system.
 The cookie could allow the designer to collect information on how to
access password- protected sites.

2.5 LEGAL, ETHICAL, AND PROFESSIONAL ISSUES IN INFORMATION SECURITY
• Laws: rules that mandate or prohibit certain societal behavior
• Ethics: define socially acceptable behavior
• Cultural mores: fixed moral attitudes or customs of a particular group;
ethics based on these
• Laws carry sanctions of a governing authority; ethics do not
2.5.1 Types Of Law
• Civil law represents a wide variety of laws that are recorded in volumes of
legal “code” available for review by the average citizen.
• Criminal law addresses violations harmful to society and is actively
enforced through prosecution by the state.
• Tort law allows individuals to seek recourse against others in the event of
personal, physical, or financial injury.
• Private law regulates the relationship between the individual and the
organization, and encompasses family law, commercial law, and labor law.
• Public law regulates the structure and administration of government
agencies and their relationships with citizens, employees, and other
governments, providing careful checks and balances. Examples of public
law include criminal, administrative, and constitutional law.
Privacy
• The issue of privacy has become one of the hottest topics in information security.
• The ability to collect information on an individual, combine facts from
separate sources, and merge it with other information has resulted in
databases of information that were previously impossible to set up.
• The aggregation of data from multiple sources permits unethical
organizations to build databases of facts with frightening capabilities.
Privacy of Customer Information
• Privacy of Customer Information Section of common carrier regulation
• Federal Privacy Act of 1974
• Electronic Communications Privacy Act of 1986
• Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka
Kennedy-Kassebaum Act
• Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999
State & Local Regulations
• In addition to the national and international restrictions placed on an
organization in the use of computer technology, each state or locality may
have a number of laws and regulations that impact operations.
• It is the responsibility of the information security professional to understand
state laws and regulations and ensure the organization’s security policies
and procedures comply with those laws and regulations.
2.5.2 International Laws And Legal Bodies
• Recently the Council of Europe drafted the European Council Cyber-Crime
Convention, designed to create an international task force to oversee a
range of security functions associated with Internet activities, and to
standardize technology laws across international borders.
• It also attempts to improve the effectiveness of international investigations
into breaches of technology law.
• This convention is well received by advocates of intellectual property rights
with its emphasis on copyright infringement prosecution.
CSI - Computer Security Institute
• The Computer Security Institute (www.gocsi.com) provides information and
certification to support the computer, networking, and information security
professional.
• While CSI does not promote a single certification certificate like the CISSP
or GISO, it does provide a range of technical training classes in the areas
of Internet Security, Intrusion Management, Network Security, Forensics,
as well as technical networking.
OTHER SECURITY ORGANIZATIONS
• The Information Systems Security Association (ISSA)® (www.issa.org) is a
non-profit society of information security professionals.
• As a professional association, its primary mission is to bring together
qualified practitioners of information security for information exchange and
educational development.
• The Internet Society or ISOC (www.isoc.org) is a non-profit, non-
governmental, international organization for professionals.
• It promotes the development and implementation of education, standards,
policy, and education and training to promote the Internet.
• The Computer Security Division (CSD) of the National Institute for
Standards and Technology (NIST), contains a resource center known as
the Computer Security Resource Center (CSRC) which is a must know for
any current or aspiring information security professional.
• This Web site (csrc.nist.gov) houses one of the most comprehensive sets
of publicly available information on the entire suite of information security
topics.
• The CERT/CC studies security issues and provides publications and alerts
to help educate the public to the threats facing information security. The
center also provides training and expertise in the handling of computer
incidents.
• The Computer Professionals for Social Responsibility (CPSR) is a
public organization for technologists and anyone with a general concern for
the impact of computer technology on society.
• CPSR promotes ethical and responsible development and use of
computing, and seeks to inform public and private policy and lawmakers on
this subject. It acts as an ethical watchdog for the development of ethical
computing.
Key U.S. Laws of Interest to Information Security Professionals

Act: Communications Act of 1934, updated by Telecommunications Deregulation & Competition Act
Subject: Telecommunications
Date: 1934
Description: Regulates interstate and foreign telecommunications.

Act: Computer Fraud & Abuse Act
Subject: Threats to computers
Date: 1986
Description: Defines and formalizes laws to counter threats from computer-related acts and offenses.

Act: Computer Security Act of 1987
Subject: Federal agency information security
Date: 1987
Description: Requires all federal computer systems that contain classified information to have surety plans in place, and requires periodic security training for all individuals who operate, design, or manage such systems.

Act: Economic Espionage Act of 1996
Subject: Trade secrets
Date: 1996
Description: Designed to prevent abuse of information gained by an individual working in one company and employed by another.

Act: Electronic Communications Privacy Act of 1986
Subject: Cryptography
Date: 1986
Description: Also referred to as the Federal Wiretapping Act; regulates interception and disclosure of electronic information.

Act: Federal Privacy Act of 1974
Subject: Privacy
Date: 1974
Description: Governs federal agency use of personal information.

Act: Gramm-Leach-Bliley Act of 1999
Subject: Banking
Date: 1999
Description: Focuses on facilitating affiliation among banks, insurance and securities firms; it has significant impact on the privacy of personal information used by these industries.

Act: Health Insurance Portability and Accountability Act
Subject: Health care privacy
Date: 1996
Description: Regulates collection, storage, and transmission of sensitive personal health care information.

Act: National Information Infrastructure Protection Act of 1996
Subject: Criminal intent
Date: 1996
Description: Categorized crimes based on defendant’s authority to access computer and criminal intent.

Act: Sarbanes-Oxley Act of 2002
Subject: Financial reporting
Date: 2002
Description: Affects how public organizations and accounting firms deal with corporate governance, financial disclosure, and the practice of public accounting.

Act: Security and Freedom through Encryption Act of 1999
Subject: Use and sale of software that uses or enables encryption
Date: 1999
Description: Clarifies use of encryption for people in the United States and permits all persons in the U.S. to buy or sell any encryption product, and states that the government cannot require the use of any kind of key escrow system for encryption products.

Act: U.S.A. Patriot Act of 2001
Subject: Terrorism
Date: 2001
Description: Defines stiffer penalties for prosecution of terrorist crimes.

33
CHAPTER 3

3.1 RISK MANAGEMENT


The formal process of identifying and controlling the risks facing an
organization is called risk management. Risk itself is the probability of an
undesired event causing damage to an asset. Risk management has three steps:
1. Risk Identification
2. Risk Assessment
3. Risk Control
Risk Identification: The process of examining and documenting the security
posture of an organization's information technology and the risks it faces.
Risk Assessment: The documentation of the results of risk identification.
Risk Control: The process of applying controls to reduce the risks to an
organization's data and information systems.
To keep up with the competition, organizations must design and create
safe environments in which business processes and procedures can function.
These environments must maintain confidentiality and privacy and assure
the integrity of organizational data, objectives that are met through the application
of the principles of risk management.
3.1.1 Components of Risk Management

Fig 3.1 Components of Risk Management


3.1.2 Overview of Risk Management
Over 2,400 years ago the Chinese general Sun Tzu said:
"1. If you know the enemy and know yourself, you need not fear the result of a
hundred battles.
2. If you know yourself but not the enemy, for every victory gained you will
also suffer a defeat.
3. If you know neither the enemy nor yourself, you will succumb in every
battle."
Know Yourself
• Identify, examine and understand the information systems.
• To protect assets, you must understand what they are, how they add
value to the organization, and to which vulnerabilities they are susceptible.
• The policies, education and training programs, and technologies that
protect information must be carefully maintained and administered to
ensure that they are still effective.
Know the Enemy
• Identify, examine and understand the threats facing the organization.
The Roles of the Communities of Interest
• It is the responsibility of each community of interest to manage the risks
that the organization encounters.
Information Security
• Understand the threats and attacks that introduce risk into the organization.
• Take a leadership role in addressing risk.
Management & Users
• Management must ensure that sufficient resources are allocated to the
information security and information technology groups to meet the security
needs of the organization.
• Users work with the systems and the data and are therefore well positioned
to understand the value of the information assets.
Information Technology
• Must build secure systems and operate them safely.
The three communities of interest are also responsible for the following:
o Evaluating the risk controls.
o Determining which control options are cost effective.
o Acquiring or installing the needed controls.
o Overseeing that the controls remain effective.
Important risk factors of information security are:
1) Understand the threats and attacks that introduce risk into the organization.
2) Take an asset inventory.
3) Verify the threats and vulnerabilities that have been identified as dangerous
to the asset inventory, as well as the current controls and mitigation
strategies.
4) Review the cost effectiveness of various risk control measures.

3.2 RISK IDENTIFICATION


• IT professionals must know their organization's information assets by
identifying, classifying and prioritizing them.
• Assets are the targets of various threats and threat agents, and the goal is
to protect the assets from the threats.
• Once the organizational assets have been identified, a threat identification
process is undertaken.
• The circumstances and settings of each information asset are examined to
identify vulnerabilities.
• When vulnerabilities are found, controls are identified and assessed as to
their capability to limit possible losses in the event of an attack.
• The process of risk identification begins with the identification of the
organization's information assets and an assessment of their value.
• The components of this process are shown in Fig 3.2.

Fig 3.2 Components of Risk Identification


3.2.1 Asset Identification & Valuation
• Includes all the elements of an organization's system, such as people,
procedures, data and information, software, hardware, and networking
elements.
• Then, you classify and categorize the assets, adding details.

Fig 3.3 Risk management and the SecSDLC

Table 3.1 Categorizing the components of an Information System

• People include employees and nonemployees. There are two
categories of employees: those who hold trusted roles and have
correspondingly greater authority and accountability, and other staff who
have assignments without special privileges. Nonemployees include
contractors and consultants, members of other organizations with which the
organization has a trust relationship, and strangers.
• Procedures fall into two categories: IT and business standard
procedures, and IT and business sensitive procedures. The business
sensitive procedures are those that may assist a threat agent in crafting an
attack against the organization or that have some other content or feature
that may introduce risk to the organization.
3.2.2 People, Procedures & Data Asset Identification
People: Position name/number/ID; supervisor; security clearance level;
special skills.
Procedures: Description/intended purpose/relationship to software, hardware
and networking elements; storage location for update; storage location for
reference.
Data: Classification; owner; creator; manager; size of data structure; data
structure used; online/offline/location/backup procedures employed.
3.2.3 Hardware, Software, and Network Asset Identification
Depends on the needs of the organization and its risk management efforts.
• Name: Adopt naming standards that do not convey information to
potential system attackers.
• IP address: Useful for network devices and servers. Many organizations use
the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP
numbers to devices as needed, making the use of IP numbers as part of
the asset identification process problematic.
• Media Access Control (MAC) address: Electronic serial numbers or
hardware addresses. All network interface hardware devices have a unique
number. The MAC address number is used by the network operating
system as a means to identify a specific network device.
• Element Type: Document the function of each element by listing its type.
For hardware, a list of possible element types includes servers, desktops,
networking devices or test equipment.
• Serial Number: For hardware devices, the serial number can uniquely
identify a specific device.
• Manufacturer Name: Record the manufacturer of the device or software
component.
• Manufacturer's Model No or Part No: Record the model or part number
of the element. This record of exactly what the element is can be very
useful in later analysis of vulnerabilities, because some vulnerability
instances only apply to specific models of certain devices and software
components.
• Software Version, Update Revision, or FCO Number: Document the
specific software or firmware revision number and, for hardware devices,
the current field change order (FCO) number. An FCO is an authorization
issued by an organization for the repair, modification, or update of a piece
of equipment. Documenting the revision number and FCO is particularly
important for networking devices that function mainly through the software
running on them.
• Physical Location: Note where this element is located physically
(hardware).
• Logical Location: Note where this element can be found on the
organization's network. The logical location is most useful for networking
devices and indicates the logical network where the device is connected.
• Controlling Entity: Identify which organizational unit controls the element.
3.2.4 Automated Risk Management Tools
• Automated tools identify the system elements that make up the hardware,
software, and network components.
• Many organizations use automated asset inventory systems.
• The inventory listing is usually available in a database.
• Once stored, the inventory listing must be kept current, often by means of a
tool that periodically refreshes the data.
Information Asset Classification
• In addition to the categories, it is advisable to add another dimension to
represent the sensitivity and security priority of the data and the devices that
store, transmit and process the data.
• E.g.: kinds of classifications are confidential data, internal data and public
data.
Information Asset Valuation
As each asset is assigned to its category, posing a number of questions
assists in developing the weighting criteria to be used for information asset
valuation or impact evaluation. Before beginning the inventory process, the
organization should determine which criteria can best be used to establish the
value of the information assets. Among the criteria to be considered are:
o Which information asset is the most critical to the success of the
organization?
o Which information asset generates the most revenue?
o Which information asset generates the most profitability?
o Which information asset would be the most expensive to replace?
3.2.5 Data Classification
1. Confidential
2. Internal
3. External
Confidential: Access to information with this classification is strictly on a need-to-
know basis or as required by the terms of a contract.
Internal: Used for all internal information that does not meet the criteria for the
confidential category and is to be viewed only by authorized contractors, and other
third parties.
External: All information that has been approved by management for public
release.
The military uses a five-level classification scheme:
1. Unclassified data
2. Sensitive But Unclassified data (SBU)
3. Confidential data
4. Secret data
5. Top Secret data
Unclassified data: Information that can generally be distributed to the public
without any threat to U.S. national interests.
Sensitive But Unclassified data (SBU): Any information of which the loss,
misuse, or unauthorized access to, or modification of might adversely affect U.S.
national interests, the conduct of Department of Defense (DoD) programs, or the
privacy of DoD personnel.
Confidential data: Any information or material the unauthorized disclosure of
which reasonably could be expected to cause damage to the national security.
Secret data: Any information or material the unauthorized disclosure of which
reasonably could be expected to cause serious damage to the national security.
Top Secret data: Any information or material the unauthorized disclosure of
which reasonably could be expected to cause exceptionally grave damage to the
national security.
Organization may have
1. Research data
2. Personnel data
3. Customer data
4. General Internal Communications

Some organizations may use:
1. Public data
2. For official use only
3. Sensitive data
4. Classified data
• Public: Information for general public dissemination, such as an
advertisement or public release.
• For Official Use Only: Information that is not particularly sensitive, but not
for public release, such as internal communications.
• Sensitive: Information important to the business that could embarrass the
company or cause loss of market share if revealed.
• Classified: Information of the utmost secrecy to the organization,
disclosure of which could severely impact the well-being of the
organization.
Security Clearances
• The other side of the data classification scheme is the personnel security
clearance structure.
• Each user of data must be assigned a single authorization level that
indicates the level of classification he or she is authorized to view.
o E.g.: data entry clerk, development programmer, information security
analyst, or even CIO.
o Most organizations have a set of roles and the accompanying
security clearances associated with each role.
o Overriding an employee's security clearance is the fundamental
principle of "need-to-know".
Management of Classified Data
• Includes its storage, distribution, portability, and destruction.
• The military uses color-coordinated cover sheets to protect classified
information from the casual observer.
• Each classified document should contain the appropriate designation at the
top and bottom of each page.
• A clean desk policy requires that employees secure all information in
appropriate storage containers at the end of each day.
• When information is no longer valuable, proper care should be taken to
destroy it by means of shredding, burning or transferring to a service
offering authorized document destruction.
• Otherwise, dumpster diving may retrieve information that could embarrass a
company or compromise information security.
3.2.6 Threat Identification
After identifying the information assets, the analysis phase moves on to an
examination of the threats facing the organization.

Identify and Prioritize Threats and Threat Agents
Table 3.2 Threats to Information Security

• This examination is known as a threat assessment. You can address each
threat with a few basic questions, as follows:
o Which threats present a danger to an organization's assets in the given
environment?
o Which threats represent the most danger to the organization's information?
o How much would it cost to recover from a successful attack?
o Which of the threats would require the greatest expenditure to prevent?
Vulnerability Identification:
• Create a list of vulnerabilities for each information asset.
• Groups of people working iteratively in a series of sessions give the best results.
• At the end of the identification process, you have a list of assets and their
vulnerabilities.

3.3 RISK ASSESSMENT


• Assigns a risk rating or score to each information asset.
• It is useful in gauging the relative risk to each vulnerable asset.
Valuation of Information Assets
• Assign weighted scores for the value to the organization of each
information asset.
• The National Institute of Standards & Technology (NIST) gives some standards.
• To be effective, the values must be assigned by asking the following
questions:
o Which threats present a danger to an organization's assets in the given
environment?
o Which threats represent the most danger to the organization's information?
o How much would it cost to recover from a successful attack?
o Which of the threats would require the greatest expenditure to prevent?

Fig 3.4 Major Stages of Risk Assessment
3.3.1 Identify Possible Controls (For Residual Risk)
• Residual risk is the risk that remains to the information asset even after the
existing control has been applied.
• Three general categories of controls:
1. Policies
2. Programs
3. Technologies
1. Policies
• General Security Policy
• Program Security Policy
• Issue Specific Policy
• Systems Specific Policy
2. Programs
• Education
• Training
• Awareness
3. Security Technologies
o Technical Implementation Policies
3.3.2 Access Controls
o Specifically addresses admission of a user into a trusted area of the
organization.
o E.g.: computer rooms, power rooms.
o A combination of policies, programs, and technologies.

Types of Access Controls
Mandatory Access Controls (MACs)
o Give users and data owners limited control over access to information
resources.
Nondiscretionary Controls
o Managed by a central authority in the organization; can be based on an
individual's role (role-based controls) or a specified set of assigned tasks
(task-based controls).
Discretionary Access Controls (DAC)
o Implemented at the discretion or option of the data user.
Lattice-based Access Control
o A variation of MAC: users are assigned a matrix of authorizations for
particular areas of access.
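As an added example (not from the notes), the clearance-versus-classification check described under Security Clearances, expressed as the lattice of the last bullet: a label is a sensitivity level plus a set of need-to-know compartments, and a user may view data only when the user's clearance dominates the data's label. The level orderings come from the schemes listed in the notes; the compartment names and sample users are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Sequence

# Level orderings, lowest to highest, taken from the two schemes listed in the notes.
MILITARY_LEVELS = ("Unclassified", "SBU", "Confidential", "Secret", "Top Secret")
CORPORATE_LEVELS = ("Public", "For Official Use Only", "Sensitive", "Classified")


@dataclass(frozen=True)
class Label:
    """One point in the lattice: a sensitivity level plus need-to-know compartments.

    The same type describes a person's clearance and a data object's classification.
    """
    level: str
    compartments: FrozenSet[str] = frozenset()


class Lattice:
    """Lattice-based access control over an ordered list of sensitivity levels."""

    def __init__(self, levels: Sequence[str]):
        # Rank each level by its position in the ordering (0 = lowest).
        self.rank = {name: i for i, name in enumerate(levels)}

    def _check(self, label: Label) -> None:
        if label.level not in self.rank:
            raise ValueError(f"unknown level {label.level!r}")

    def dominates(self, a: Label, b: Label) -> bool:
        """a >= b in the lattice: a's level is at least b's AND a holds every
        compartment b requires. Both conditions are needed, which is why a
        high clearance alone does not grant access (need-to-know overrides it)."""
        self._check(a)
        self._check(b)
        return self.rank[a.level] >= self.rank[b.level] and b.compartments <= a.compartments

    def may_read(self, clearance: Label, data: Label) -> bool:
        """The single authorization decision: the clearance must dominate the data label."""
        return self.dominates(clearance, data)

    def join(self, a: Label, b: Label) -> Label:
        """Least upper bound of two labels: the classification a document must carry
        when it combines material from both sources."""
        self._check(a)
        self._check(b)
        higher = a.level if self.rank[a.level] >= self.rank[b.level] else b.level
        return Label(higher, a.compartments | b.compartments)

    def minimum_clearance(self, data_labels: Sequence[Label]) -> Label:
        """Lowest clearance that can read every label in the list (join of them all)."""
        result = Label(list(self.rank)[0])
        for label in data_labels:
            result = self.join(result, label)
        return result


def access_decision(lattice: Lattice, user: str, clearance: Label,
                    asset: str, data: Label) -> str:
    """Audit-log style line for one access attempt, as a defender would record it."""
    verdict = "GRANT" if lattice.may_read(clearance, data) else "DENY"
    return f"{verdict} {user}({clearance.level}) -> {asset}({data.level})"


if __name__ == "__main__":
    lat = Lattice(MILITARY_LEVELS)
    # Constructed sample: a Secret payroll database in the PAYROLL compartment.
    payroll = Label("Secret", frozenset({"PAYROLL"}))
    print(access_decision(lat, "clerk", Label("Confidential"), "payroll.db", payroll))
    # Top Secret clearance but no PAYROLL need-to-know: denied.
    print(access_decision(lat, "cio", Label("Top Secret"), "payroll.db", payroll))
    print(access_decision(lat, "hr_lead", Label("Secret", frozenset({"PAYROLL"})),
                          "payroll.db", payroll))
```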
3.3.3 Documenting the Results of Risk Assessment
By the end of the Risk Assessment process, you probably have a collection
of long lists of information assets with data about each of them. The goal of this
process is to identify the information assets that have specific vulnerabilities and
list them, ranked according to those most needing protection. You should also
have collected some information about the controls that are already in place. The
final summarized document is the ranked vulnerability risk worksheet, a sample of
which is shown in the following table.

3.4 RISK CONTROL STRATEGIES


There are four basic strategies to control each of the risks that result from these
vulnerabilities:
1. Apply safeguards that eliminate the remaining uncontrolled risks for the
vulnerability [Avoidance]
2. Transfer the risk to other areas or to outside entities [Transference]
3. Reduce the impact should the vulnerability be exploited [Mitigation]
4. Understand the consequences and accept the risk without control or
mitigation [Acceptance]
Avoidance
It is the risk control strategy that attempts to prevent the exploitation of the
vulnerability, and is accomplished by means of
a) Countering threats
b) Removing Vulnerabilities in assets
c) Limiting access to assets
d) Adding protective safeguards.
Three common methods of risk avoidance are
1. Application of policy
2. Application of Training & Education
3. Application of Technology

Transference
• Transference is the control approach that attempts to shift the risk to other
assets, other processes, or other organizations.
• It may be accomplished through rethinking how services are offered,
revising deployment models, outsourcing to other organizations,
purchasing insurance, or implementing service contracts with providers.
Top 10 information security mistakes made by individuals:
1. Passwords on Post-it notes
2. Leaving unattended computers on
3. Opening e-mail attachments from strangers
4. Poor password etiquette
5. Laptops on the loose (unsecured laptops that are easily stolen)
6. Blabbermouths (people who talk about passwords)
7. Plug & Play (technology that enables hardware devices to be
installed and configured without the protection provided by people
who perform installations)
8. Unreported security violations
9. Always behind the times
10. Not watching for dangers inside the organization
Mitigation
• It is the control approach that attempts to reduce the impact caused by the
exploitation of a vulnerability through planning and preparation.
o Mitigation begins with the early detection that an attack is in
progress and the ability of the organization to respond quickly,
efficiently and effectively.
• Includes three types of plans:
1. Incident response plan (IRP): actions to take while an incident is in
progress.
2. Disaster recovery plan (DRP): the most common mitigation procedure.
3. Business continuity plan (BCP): continuation of business activities if a
catastrophic event occurs.
Incident Response Plan (IRP)
The IRP provides answers to questions such as:
1. What do I do now?
2. What should the administrator do first?
3. Whom should they contact?
4. What should they document?
For example, a systems administrator may notice that someone is copying
information from the server without authorization, signaling a violation of policy by a
potential hacker or an unauthorized employee.
The IRP also enables the organization to take coordinated action that is
either predefined and specific or ad hoc and reactive.
Disaster Recovery Plan (DRP)
• Can include strategies to limit losses before and during the disaster.
• Includes all preparations for the recovery process, strategies to limit losses
during the disaster, and detailed steps to follow when the smoke clears, the
dust settles, or the floodwaters recede.
• The DRP focuses more on preparations completed before and actions taken
after the incident, whereas the IRP focuses on intelligence gathering,
information analysis, coordinated decision making, and urgent, concrete
actions.
Business Continuity Plan (BCP)
• The BCP is the most strategic and long term of the three plans.
• It encompasses the continuation of business activities if a catastrophic
event occurs, such as the loss of an entire database, building or operations
center.
• The BCP includes planning the steps necessary to ensure the continuation
of the organization when the scope or scale of a disaster exceeds the
ability of the DRP to restore operations.
• Many companies offer this service as a contingency against disastrous
events such as fires, floods, earthquakes, and most natural disasters.
Acceptance
• It is the choice to do nothing to protect a vulnerability and to accept the
outcome of its exploitation.
• This strategy occurs when the organization has:
o Determined the level of risk.
o Assessed the probability of attack.
o Estimated the potential damage that could occur from attacks.
o Performed a thorough cost benefit analysis.
o Evaluated controls using each appropriate type of feasibility.
o Decided that the particular function, service, information, or asset did
not justify the cost of protection.
3.4.1 Selecting a Risk Control Strategy
• Level of threat and value of asset play a major role in selection of strategy.
• Rules of thumb on strategy selection can be applied:
o When a vulnerability (flaw or weakness) exists: Implement security
controls to reduce the likelihood of the vulnerability being exercised.
o When a vulnerability can be exploited: Apply layered protections,
architectural designs, and administrative controls to minimize the risk.
o When the attacker's cost is less than his potential gain: Apply
protections to increase the attacker's cost.
o When potential loss is substantial: Apply design principles, architectural
designs, and technical and non-technical protections to limit the extent
of the attack, thereby reducing the potential for loss.

Fig 3.5 Risk Handling Decision Points
Evaluation, Assessment & Maintenance of Risk Controls
• Once a control strategy has been implemented, it should be monitored and
measured on an ongoing basis to determine the effectiveness of the
security controls and the accuracy of the estimate of the residual risk.
• There is no exit from this cycle; it is a process that continues for as long as
the organization continues to function.

Fig 3.6 Risk Control Cycle

Categories of Controls
• Controlling risk through avoidance, mitigation or transference may be
accomplished by implementing controls or safeguards.
• Four ways to categorize controls have been identified:
o Control function
• Preventive or detective
o Architectural layer
• One or more layers of technical architecture
o Strategy layer
• Avoidance, mitigation …
o Information security principle
Control Function
• Safeguards designed to defend systems are either preventive or detective.
• Preventive controls stop attempts to exploit a vulnerability by implementing
a security principle, such as authentication or confidentiality.
• Preventive controls use a technical procedure, such as encryption, or some
combination of technical means and enforcement methods.
• Detective controls warn organizations of violations of security principles,
organizational policies, or attempts to exploit vulnerabilities.
• Detective controls use techniques such as audit trails, intrusion detection
and configuration monitoring.
Architectural Layer
• Controls apply to one or more layers of an organization's technical
architecture.
• The following entities are commonly regarded as distinct layers in an
organization's information architecture:
1. Organizational policy
2. External networks
3. Extranets (or demilitarized zones)
4. Intranets (WANs and LANs)
5. Network devices that interface network zones (switches,
routers, firewalls and hubs)
6. Systems (mainframe, server, desktop)
7. Applications
Strategy Layer
Controls are sometimes classified by the risk control strategy they
operate within:
1. Avoidance
2. Mitigation
3. Transference

Characteristics of Secure Information
1. Confidentiality
2. Integrity
3. Availability
4. Authentication
5. Authorization
6. Accountability
7. Privacy
Confidentiality:
• The control assures the confidentiality of data when it is stored, processed,
or transmitted.
• An example of this type of control is the use of Secure Sockets Layer (SSL)
encryption technology to secure Web content as it moves from Web server
to browser.
Integrity:
• The control assures that the information asset properly, completely, and
correctly receives, processes, stores, and retrieves data in a consistent and
correct manner.
• Ex: Use of parity or cyclical redundancy checks in data transmission
protocols.
Availability:
• The control assures ongoing access to critical information assets.
• Ex: Deployment of a network operations center using a sophisticated
network monitoring toolset.
Authentication:
• The control assures that the entity (person or computer) accessing
information assets is in fact the stated entity.
• Ex: The use of cryptographic certificates to establish SSL connections, or
the use of cryptographic hardware tokens such as SecurID cards as a
second authentication of identity.
Authorization:
• The control assures that a user has been specifically and explicitly
authorized to access, update, or delete the contents of an information
asset.
• Ex: Use of access control lists and authorization groups in the Windows
networking environment.
• Another example is the use of a database authorization scheme to verify
the designated users for each function.
Accountability:
• The control assures that every activity undertaken can be attributed to a
specific named person or automated process.
• Ex: Use of audit logs to track when each user logged in and logged out of
each computer.

Privacy:
• The control assures that the procedures to access, update, or remove
personally identifiable information comply with the applicable laws and
policies for that kind of information.
Feasibility Studies and the Cost Benefit Analysis
• Before deciding on the strategy for a specific vulnerability, all information
about the economic and non-economic consequences of the vulnerability
facing the information asset must be explored.
• Fundamentally we are asking "What are the actual and perceived
advantages of implementing a control contrasted with the actual and
perceived disadvantages of implementing the control?"
Cost Benefit Analysis (CBA)
• The most common approach for a project of information security controls
and safeguards is the economic feasibility of implementation.
• It begins by evaluating the worth of the information assets to be protected and
the loss in value if those assets are compromised.
• It is only common sense that an organization should not spend more to
protect an asset than it is worth.
• The formal process to document this is called a cost benefit analysis or an
economic feasibility study.
CBA: Cost Factors
• Some of the items that affect the cost of a control or safeguard include:
o Cost of development or acquisition
o Training fees
o Cost of implementation
o Service costs
o Cost of maintenance
CBA: Benefits
• Benefit is the value that the organization recognizes by using controls to
prevent losses associated with a specific vulnerability.
• This is usually determined by valuing the information asset or assets
exposed by the vulnerability and then determining how much of that value
is at risk.
CBA: Asset Valuation
• Asset valuation is the process of assigning financial value or worth to each
information asset.
• The valuation of assets involves estimation of real and perceived costs
associated with the design, development, installation, maintenance,
protection, recovery, and defense against market loss and litigation.
• These estimates are calculated for each set of information bearing systems
or information assets.
• There are many components to asset valuation.
CBA: Loss Estimates
• Once the worth of various assets is estimated, examine the potential loss
that could occur from the exploitation of a vulnerability or a threat occurrence.
• This process results in the estimate of potential loss per risk.
• The questions that must be asked here include:
o What damage could occur, and what financial impact would it have?
o What would it cost to recover from the attack, in addition to the costs
above?
o What is the single loss expectancy for each risk?
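A worked cost benefit analysis, added here as an example and not part of the notes. The control cost is summed from the cost factors listed above; the single loss expectancy (SLE = asset value × exposure factor) and the annualized loss expectancy (ALE = SLE × annual rate of occurrence) are the standard formulas assumed for the calculation, and the asset value, candidate controls and their figures are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ControlCosts:
    """The cost factors of a control or safeguard listed in the notes (annual figures)."""
    development_or_acquisition: float
    training: float
    implementation: float
    service: float
    maintenance: float

    def total(self) -> float:
        return (self.development_or_acquisition + self.training
                + self.implementation + self.service + self.maintenance)


@dataclass
class Control:
    name: str
    costs: ControlCosts
    exposure_factor_after: float  # fraction of asset value lost per incident once deployed
    aro_after: float              # expected incidents per year once deployed


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: value of the asset multiplied by the fraction lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE x ARO, the expected yearly loss (assumed standard formula)."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def cost_benefit(asset_value: float, ef_before: float, aro_before: float,
                 control: Control) -> float:
    """CBA = ALE(before control) - ALE(after control) - annual cost of the control.
    A positive result means the control saves more than it costs."""
    ale_prior = annualized_loss_expectancy(asset_value, ef_before, aro_before)
    ale_post = annualized_loss_expectancy(asset_value, control.exposure_factor_after,
                                          control.aro_after)
    return ale_prior - ale_post - control.costs.total()


def choose_control(asset_value: float, ef_before: float, aro_before: float,
                   candidates: List[Control]) -> Optional[Control]:
    """Pick the control with the best CBA, or None when no candidate is worth buying.

    Two gates from the notes: never spend more than the asset is worth, and
    reject any control whose CBA is not positive (accept the risk instead)."""
    best: Optional[Control] = None
    best_cba = 0.0
    for c in candidates:
        if c.costs.total() > asset_value:
            continue  # spending more than the asset is worth is never justified
        cba = cost_benefit(asset_value, ef_before, aro_before, c)
        if cba > best_cba:
            best, best_cba = c, cba
    return best


# Constructed scenario: a customer database valued at 200,000, where an incident
# is expected to destroy a quarter of its value (EF 0.25) once every two years (ARO 0.5).
ASSET_VALUE = 200_000.0
EF_BEFORE, ARO_BEFORE = 0.25, 0.5

# Constructed candidate controls; the two fractions are the EF and ARO once deployed.
CANDIDATES = [
    Control("Nightly off-site backup", ControlCosts(5_000, 1_000, 2_000, 500, 1_500), 0.25, 0.125),
    Control("Hot standby site", ControlCosts(20_000, 2_000, 5_000, 2_000, 1_000), 0.25, 0.0),
    Control("Gold-plated solution", ControlCosts(200_000, 10_000, 30_000, 5_000, 5_000), 0.0, 0.0),
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c.name:24s} CBA = {cost_benefit(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, c):>12,.2f}")
    chosen = choose_control(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, CANDIDATES)
    print("chosen:", chosen.name if chosen else "accept the risk")
```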
Organizational Feasibility
• Organizational feasibility examines how well the proposed information
security alternatives will contribute to the efficiency, effectiveness, and
overall operation of an organization.
• Above and beyond the impact on the bottom line, the organization must
determine how the proposed alternatives contribute to the business
objectives of the organization.
Operational Feasibility
• Addresses user acceptance and support, management acceptance and
support, and the overall requirements of the organization's stakeholders.
• Sometimes known as behavioral feasibility, because it measures the
behavior of users.
• One of the fundamental principles of systems development is obtaining
user buy-in on a project, and one of the most common methods for
obtaining user acceptance and support is user involvement,
obtained through three simple steps:
o Communicate
o Educate
o Involve
Technical Feasibility
• The project team must also consider the technical feasibilities associated
with the design, implementation, and management of controls.
• Examines whether or not the organization has or can acquire the
technology necessary to implement and support the control alternatives.
Political Feasibility
• For some organizations, the most significant feasibility evaluated may be
political.
• Within organizations, political feasibility defines what can and cannot occur
based on the consensus and relationships between the communities of
interest.
• The limits placed on an organization's actions or behavior by the
information security controls must fit within the realm of the possible before
they can be effectively implemented, and that realm includes the availability
of staff resources.
Risk Management Discussion Points
Not every organization has the collective will to manage each vulnerability
through the application of controls.
• Depending on the willingness to assume risk, each organization must
define its risk appetite.
• Risk appetite defines the quantity and nature of risk that organizations are
willing to accept as they evaluate the tradeoffs between perfect security
and unlimited accessibility.
Residual Risk
• When we have controlled any given vulnerability as much as we can, there
is often risk that has not been completely removed or has not been
completely shifted or planned for. This remainder is called residual risk.
• To express it another way, "Residual risk is a combined function of
1. a threat less the effect of some threat-reducing safeguards,
2. a vulnerability less the effect of some vulnerability-reducing
safeguards, and
3. an asset less the effect of some asset value-reducing safeguards."

Fig 3.7 Risk Residual
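An added example (not from the notes) that turns the three-part definition of residual risk above into the ranked vulnerability risk worksheet that 3.3.3 Documenting the Results of Risk Assessment describes: each asset-vulnerability pair carries a threat likelihood, a vulnerability severity and an asset value score, safeguards already in place reduce each factor, and the pairs are ranked by what remains. The 0-to-1 scales, the product formula and the sample pairs are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class AssetVulnerabilityPair:
    """One row of the worksheet: an information asset, one of its vulnerabilities,
    the three risk factors (0..1 for threat and vulnerability, a weighted score
    for asset value) and the effect of safeguards already in place (0..1)."""
    asset: str
    vulnerability: str
    threat: float                   # likelihood a threat agent attempts exploitation
    vulnerability_severity: float   # how exploitable the weakness is
    asset_value: float              # weighted valuation score, e.g. 1..100
    threat_reduction: float = 0.0          # effect of threat-reducing safeguards
    vulnerability_reduction: float = 0.0   # effect of vulnerability-reducing safeguards
    value_reduction: float = 0.0           # effect of asset value-reducing safeguards

    def __post_init__(self) -> None:
        # Reject out-of-range inputs early; a bad scale silently corrupts the ranking.
        for name in ("threat", "vulnerability_severity", "threat_reduction",
                     "vulnerability_reduction", "value_reduction"):
            v = getattr(self, name)
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1, got {v}")
        if self.asset_value < 0:
            raise ValueError("asset_value must not be negative")


def inherent_risk(p: AssetVulnerabilityPair) -> float:
    """Risk before any safeguard: threat x vulnerability x asset value (assumed product model)."""
    return round(p.threat * p.vulnerability_severity * p.asset_value, 2)


def residual_risk(p: AssetVulnerabilityPair) -> float:
    """The notes' definition applied: each factor less the effect of its own safeguards."""
    threat = p.threat * (1.0 - p.threat_reduction)
    vulnerability = p.vulnerability_severity * (1.0 - p.vulnerability_reduction)
    value = p.asset_value * (1.0 - p.value_reduction)
    return round(threat * vulnerability * value, 2)


def ranked_worksheet(pairs: List[AssetVulnerabilityPair]) -> List[AssetVulnerabilityPair]:
    """Rank pairs so that those most needing protection come first."""
    return sorted(pairs, key=residual_risk, reverse=True)


def render_worksheet(pairs: List[AssetVulnerabilityPair]) -> str:
    """Plain-text worksheet: asset, vulnerability, inherent and residual risk."""
    lines = [f"{'Asset':18s} {'Vulnerability':22s} {'Inherent':>9s} {'Residual':>9s}"]
    for p in ranked_worksheet(pairs):
        lines.append(f"{p.asset:18s} {p.vulnerability:22s} "
                     f"{inherent_risk(p):>9.2f} {residual_risk(p):>9.2f}")
    return "\n".join(lines)


# Constructed sample pairs for a small organization. The web server already has a
# threat-reducing safeguard (perimeter filtering, 0.5) and a vulnerability-reducing
# one (patch management, 0.75); the other two pairs have no safeguards yet.
SAMPLE_PAIRS = [
    AssetVulnerabilityPair("Customer database", "No backup procedure", 0.8, 1.0, 100),
    AssetVulnerabilityPair("Web server", "Unpatched software", 0.9, 0.8, 80,
                           threat_reduction=0.5, vulnerability_reduction=0.75),
    AssetVulnerabilityPair("Email server", "Weak passwords", 0.6, 0.5, 60),
]

if __name__ == "__main__":
    print(render_worksheet(SAMPLE_PAIRS))
```

Ranking by inherent risk would put the web server second; ranking by residual risk moves it last, which is the point of recording the controls already in place.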


Documenting Results
 At minimum, each information asset-vulnerability pair should have a
documented control strategy that clearly identifies any residual risk
remaining after the proposed strategy has been executed.
 Some organizations document the outcome of the control strategy for each
information asset-vulnerability pair as an action plan
 This action plan includes concrete tasks, each with accountability assigned
to an organizational unit or to an individual
Recommended Practices in Controlling Risk
 We must convince budget authorities to spend up to the value of the asset
to protect a particular asset from an identified threat
 Each and every control or safeguard implemented will impact more than
one threat-asset pair
Qualitative Measures
 The spectrum of steps described above was performed with real numbers
or best-guess estimates of real numbers; this is known as a quantitative
assessment.
 However, an organization could determine that it couldn’t put specific
numbers on these values.
 Fortunately, it is possible to repeat these steps using estimates based on a
qualitative assessment.
 Instead of using specific numbers, ranges or levels of values can be
developed, simplifying the process.
Delphi Technique
 One technique for accurately estimating scales and values is the Delphi
Technique.
 The Delphi Technique, named for the Oracle at Delphi, is a process
whereby a group of individuals rate or rank a set of information
 The individual responses are compiled and then returned to the individuals
for another iteration
 This process continues until the group is satisfied with the result.

CHAPTER 4

4.1 PLANNING FOR SECURITY


• Creation of information security program begins with creation and/or review
of organization’s information security policies, standards, and practices
• Then, selection or creation of information security architecture and the
development and use of a detailed information security blueprint creates
plan for future success
• Security education and training to successfully implement policies and
ensure secure environment
Why Policy?
• A quality information security program begins and ends with policy
• Policies are least expensive means of control and often the most difficult to
implement
• Some basic rules must be followed when shaping a policy:
o Never conflict with law
o Stand up in court
o Properly supported and administered
o Contribute to the success of the organization
o Involve end users of information systems
Definitions
• Policy: course of action used by an organization to convey instructions
from management to those who perform duties
o Organizational rules for acceptable/unacceptable behavior
o Penalties for violations
o Appeals process
• Standards: more detailed statements of what must be done to comply with
policy
• Practices, procedures and guidelines effectively explain how to comply
with policy
• Types
o Informal – de facto standards
o Formal – de jure standards
• For a policy to be effective it must be
o Properly disseminated
o Read
o Understood
o Agreed to by all members of organization
 Security policy – set of rules that protects an organization’s assets
 Information security policy – set of rules that protects an organization’s
information assets
Fig 4.1 Policies, Standards and Practices
Types of Policies
• Enterprise Information Security Program Policy (EISP)
• Issue-Specific Information Security Policy (ISSP)
• Systems-Specific Information Security Policy (SysSP)
4.1.1 Enterprise Information Security Policy (EISP)
• Also known as a general security policy, IT security policy, or information
security policy.
• Sets strategic direction, scope, and tone for all security efforts within the
organization
• Assigns responsibilities to various areas of information security
• Guides development, implementation, and management of information
security program
4.1.2 Issue-Specific Security Policy (ISSP)
• The ISSP:
o Addresses specific areas of technology
o Requires frequent updates
o Contains statement on position on specific issue
• Approaches to creating and managing ISSPs:
o Create number of independent ISSP documents
o Create a single comprehensive ISSP document
o Create a modular ISSP document
• ISSP topics could include:
o E-mail, use of the Web, configurations of computers to defend against
worms and viruses, prohibitions against hacking or testing
organization security controls, home use of company-owned
computer equipment, use of personal equipment on company
networks, use of telecommunications technologies (FAX and phone),
use of photocopiers
Components of the ISSP
• Statement of Policy
o Scope and Applicability
o Definition of Technology Addressed
o Responsibilities
• Authorized Access and Usage of Equipment
o User Access
o Fair and Responsible Use
o Protection of Privacy
• Prohibited Usage of Equipment
o Disruptive Use or Misuse
o Criminal Use
o Offensive or Harassing Materials
o Copyrighted, Licensed or other Intellectual Property
o Other Restrictions
• Systems Management
o Management of Stored Materials
o Employer Monitoring
o Virus Protection
o Physical Security
o Encryption
• Violations of Policy
o Procedures for Reporting Violations
o Penalties for Violations
• Policy Review and Modification
o Scheduled Review of Policy and Procedures for Modification
• Limitations of Liability
o Statements of Liability or Disclaimers
4.1.3 Systems-Specific Policy (SysSP)
 SysSPs are frequently codified as standards and procedures to be used
when configuring or maintaining systems
 Systems-specific policies fall into two groups:
 Access control lists (ACLs) consist of the access control lists, matrices,
and capability tables governing the rights and privileges of a particular user
to a particular system
 Configuration rules comprise the specific configuration codes entered into
security systems to guide the execution of the system
ACL Policies
 Both Microsoft Windows NT/2000 and Novell Netware 5.x/6.x families of
systems translate ACLs into sets of configurations that administrators use
to control access to their respective systems
 ACLs allow a configuration to restrict access from anyone and anywhere

 ACLs regulate:
o Who can use the system
o What authorized users can access
o When authorized users can access the system
o Where authorized users can access the system from
o How authorized users can access the system
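The five questions an ACL regulates (who, what, when, where, how), implemented as an added example in Python that is not from the course notes: a default-deny evaluator over systems-specific policy rules that each state all five. The rule fields, the sample payroll-database rules and the requests are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AclRule:
    """One ACL entry: rights a user or group holds on a resource, bounded by
    allowed hours, allowed source networks and allowed access methods."""
    who: str                       # user name or group name
    what: str                      # resource: system, share or path
    rights: frozenset              # e.g. {"read", "write"}
    when: tuple = (0, 24)          # allowed local hours, [start, end)
    where: tuple = ("0.0.0.0/0",)  # source networks allowed (CIDR strings)
    how: frozenset = frozenset({"console", "ssh", "vpn"})  # access methods


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    resource: str
    right: str
    at: datetime
    source_ip: str
    method: str


def mismatches(rule, req):
    """Return the dimensions on which the rule fails to cover the request;
    an empty list means the rule grants it."""
    failed = []
    if rule.who != req.user and rule.who not in req.groups:
        failed.append("who")
    if rule.what != req.resource:
        failed.append("what")
    if req.right not in rule.rights:
        failed.append("rights")
    start, end = rule.when
    if not start <= req.at.hour < end:
        failed.append("when")
    src = ip_address(req.source_ip)
    if not any(src in ip_network(net) for net in rule.where):
        failed.append("where")
    if req.method not in rule.how:
        failed.append("how")
    return failed


def evaluate(acl, req):
    """Default deny: the request is allowed only if some rule matches on all
    dimensions. Returns (allowed, reasons); on denial, reasons are the failed
    dimensions of the closest rule, which is what an audit log should record."""
    closest = None
    for rule in acl:
        failed = mismatches(rule, req)
        if not failed:
            return True, []
        if closest is None or len(failed) < len(closest):
            closest = failed
    return False, closest if closest is not None else ["no rule"]


# Constructed sample policy for a payroll database (illustrative only).
CONSTRUCTED_ACL = [
    AclRule("dba", "payroll-db", frozenset({"read", "write"}),
            when=(8, 18), where=("10.0.0.0/8",), how=frozenset({"console", "ssh"})),
    AclRule("auditors", "payroll-db", frozenset({"read"}),
            where=("10.0.0.0/8", "192.168.50.0/24"), how=frozenset({"vpn", "ssh"})),
]


def make_request(user, groups, right, hour, source_ip, method, resource="payroll-db"):
    """Helper for building a request at a given hour on a constructed date."""
    return AccessRequest(user, frozenset(groups), resource, right,
                         datetime(2024, 3, 4, hour), source_ip, method)


if __name__ == "__main__":
    req = make_request("alice", {"dba"}, "write", 10, "10.1.2.3", "ssh")
    print(evaluate(CONSTRUCTED_ACL, req))
    req = make_request("alice", {"dba"}, "write", 22, "10.1.2.3", "ssh")
    print(evaluate(CONSTRUCTED_ACL, req))
```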

4.2 THE INFORMATION SECURITY BLUEPRINT


• It is the basis for the design, selection, and implementation of all security
policies, education and training programs, and technological controls.
• More detailed version of security framework, which is an outline of overall
information security strategy for organization and a road map for planned
changes to the information security environment of the organization.
• Should specify tasks to be accomplished and the order in which they are to
be realized.
• Should also serve as a scalable, upgradeable, and comprehensive plan for
the information security needs for coming years.

4.3 SECURITY MODELS


4.3.1 ISO 17799/BS 7799
 One of the most widely referenced and often discussed security models is
the Information Technology – Code of Practice for Information Security
Management, which was originally published as British Standard BS 7799
 In 2000, this Code of Practice was adopted as an international standard
framework for information security by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission
(IEC) as ISO/IEC 17799.
Drawbacks of ISO 17799/BS 7799
 Several countries have not adopted 17799 claiming there are fundamental
problems:
o The global information security community has not defined any
justification for a code of practice as identified in the ISO/IEC 17799
o 17799 lacks “the necessary measurement precision of a technical
standard”
o There is no reason to believe that 17799 is more useful than any other
approach currently available
o 17799 is not as complete as other frameworks available
o 17799 is perceived to have been hurriedly prepared given the
tremendous impact its adoption could have on industry information
security controls
Objectives of ISO 17799
Organizational Security Policy is needed to provide management direction and
support.

Ten Sections of ISO/IEC 17799
a. Organizational Security Policy
b. Organizational Security Infrastructure
c. Asset Classification and Control
d. Personnel Security
e. Physical and Environmental Security
f. Communications and Operations Management
g. System Access Control
h. System Development and Maintenance
i. Business Continuity Planning
j. Compliance
Alternate Security Models available other than ISO 17799/BS 7799
4.3.2 NIST Security Models
 This refers to “The National Security Telecommunications and Information
Systems Security Committee” document. This document presents a
comprehensive model for information security. The model consists of three
dimensions.
 Another possible approach available is described in the many documents
available from the Computer Security Resource Center of the National
Institute for Standards and Technology (csrc.nist.gov).
The following NIST documents can assist in the design of a security framework:
 NIST SP 800-12: An Introduction to Computer Security: The NIST
Handbook
 NIST SP 800-14: Generally Accepted Security Principles and Practices for
Securing IT Systems
 NIST SP 800-18: The Guide for Developing Security Plans for IT Systems
 NIST SP 800-26: Security Self-Assessment Guide for IT Systems
 NIST SP 800-30: Risk Management for IT Systems
NIST Special Publication SP 800-12
 SP 800-12 is an excellent reference and guide for the security manager or
administrator in the routine management of information security.
 It provides little guidance, however, on design and implementation of new
security systems, and therefore should be used only as a valuable
precursor to understanding an information security blueprint.
NIST Special Publication SP 800-14
 Generally Accepted Principles and Practices for Securing Information
Technology Systems.
 Provides best practices and security principles that can direct the security
team in the development of the security blueprint.
 The scope of NIST SP 800-14 is broad. It is important to consider each of
the security principles it presents, and therefore the following sections
examine some of the more significant points in more detail:
 Security Supports the Mission of the Organization

 Security is an Integral Element of Sound Management
 Security Should Be Cost-Effective
 Systems Owners Have Security Responsibilities Outside Their Own
Organizations
 Security Responsibilities and Accountability Should Be Made Explicit
 Security Requires a Comprehensive and Integrated Approach
 Security Should Be Periodically Reassessed
 Security is Constrained by Societal Factors
 33 Principles enumerated
NIST SP 800-18
 The Guide for Developing Security plans for Information Technology
Systems can be used as the foundation for a comprehensive security
blueprint and framework.
 It provides detailed methods for assessing and implementing controls and
plans for applications of varying size.
 It can serve as a useful guide to the activities and as an aid in the planning
process.
 It also includes templates for major application security plans.
 The table of contents for Publication 800-18 is presented below.
System Analysis
- System Boundaries
- Multiple similar systems
- System Categories
Plan Development- All Systems
- Plan control
- System identification
- System Operational status
- System Interconnection/ Information Sharing
- Sensitivity of information handled
- Laws, regulations and policies affecting the system
Management Controls
– Risk Assessment and Management
– Review of Security Controls
– Rules of behavior
– Planning for security in the life cycle
– Authorization of Processing (Certification and Accreditation)
– System Security Plan
Operational Controls
1. Personnel Security
2. Physical Security
3. Production, Input/Output Controls
4. Contingency Planning

5. Hardware and Systems Software
6. Data Integrity
7. Documentation
8. Security Awareness, Training, and Education
9. Incident Response Capability
Technical Controls
– Identification and Authentication
– Logical Access Controls
– Audit Trails
NIST SP 800-26: Security Self-Assessment Guide for IT systems
NIST SP 800-26 Table of contents
Management Controls
1. Risk Management
2. Review of Security Controls
3. Life Cycle Maintenance
4. Authorization of Processing (Certification and Accreditation)
5. System Security Plan
Operational Controls
6. Personnel Security
7. Physical Security
8. Production, Input/Output Controls
9. Contingency Planning
10. Hardware and Systems Software
11. Data Integrity
12. Documentation
13. Security Awareness, Training, and Education
14. Incident Response Capability
Technical Controls
15. Identification and Authentication
16. Logical Access Controls
17. Audit Trails
Management controls
o Address the design and implementation of the security planning process
and security program management.
o They also address risk management and security control reviews.
o They further describe the necessity and scope of legal compliance and the
maintenance of the entire security life cycle.
Operational controls
o Deal with the operational functionality of security in the organization.
o They include management functions and lower level planning, such as
disaster recovery and incident response planning.
o They also address personnel security, physical security, and the protection
of production inputs and outputs.

o They guide the development of education, training and awareness
programs for users, administrators, and management.
o Finally, they address hardware and software systems maintenance and the
integrity of data.
Technical controls
o Address the tactical and technical issues related to designing and
implementing security in the organization, as well as issues related to
examining and selecting the technologies appropriate to protecting
information.
o They address the specifics of technology selection and the acquisition of
certain technical components.
o They also include logical access controls, such as identification,
authentication, authorization, and accountability.
o They cover cryptography to protect information in storage and transit.
o Finally, they include the classification of assets and users, to facilitate the
authorization levels needed.
o Using the three sets of controls, the organization should be able to specify
controls to cover the entire spectrum of safeguards, from strategic to
tactical, and from managerial to technical.

4.4 VISA INTERNATIONAL SECURITY MODEL


 VISA International promotes strong security measures in its business
associates and has established guidelines for the security of its information systems.
 It has developed two important documents
1. Security Assessment Process
2. Agreed Upon Procedures.
 Both documents provide specific instructions on the use of the VISA
Cardholder Information Security Program.
 The Security Assessment Process document is a series of
recommendations for the detailed examination of an organization’s systems
with the eventual goal of integration into the VISA systems.
 The Agreed Upon Procedures document outlines the policies and
technologies required for security systems that carry the sensitive
cardholder information to and from VISA systems.
 Using the two documents, a security team can develop a sound strategy for
the design of good security architecture.
 The only downside to this approach is the specific focus on systems that
can or do integrate with VISA’s systems with the explicit purpose of
carrying the aforementioned cardholder information.
4.4.1 Baselining & Best Business Practices
• Baselining and best practices are solid methods for collecting security
practices, but provide less detail than a complete methodology
• Possible to gain information by baselining and using best practices and
thus work backwards to an effective design

• The Federal Agency Security Practices (FASP) site (fasp.nist.gov) is
designed to provide best practices for public agencies and can be adapted
easily to private institutions.
• The documents found in this site include specific examples of key policies
and planning documents, implementation strategies for key technologies,
and position descriptions for key security personnel.
• Of particular value is the section on program management, which includes
the following:
o A summary guide: public law, executive orders, and policy documents
o Position description for computer system security officer.
o Position description for information security officer
o Position description for computer specialist.
o Sample of an information technology (IT) security staffing plan for a
large service application (LSA)
o Sample of an information technology (IT) security program policy
o Security handbook and standard operating procedures.
o Telecommuting and mobile computer security policy.
4.4.2 Hybrid Framework for a Blueprint of an Information Security System
 The framework of security includes philosophical components of the
Human Firewall Project, which maintain that people, not technology, are
the primary defenders of information assets in an information security
program, and are uniquely responsible for their protection.
 The spheres of security are the foundation of the security framework.
 The sphere of use, at the left of the figure, explains the ways in which people
access information; for example, people read hard copies of documents
and can also access information through systems.
 The sphere of protection at the right illustrates that between each layer of
the sphere of use there must exist a layer of protection to prevent access to
the inner layer from the outer layer.
 Each shaded band is a layer of protection and control.
Sphere of Protection
 The “sphere of protection” overlays each of the levels of the “sphere of use”
with a layer of security, protecting that layer from direct or indirect use
through the next layer
 The people must become a layer of security, a human firewall that
protects the information from unauthorized access and use
 Information security is therefore designed and implemented in three layers
o policies
o people (education, training, and awareness programs)
o technology

Fig 4.2 Sphere of Security
o As illustrated in the sphere of protection, a variety of controls can be used
to protect the information.
o The items of control shown in the figure are not intended to be
comprehensive but rather illustrate individual safeguards that can protect
the various systems that are located closer to the center of the sphere.
o However, because people can directly access each ring as well as the
information at the core of the model, the side of the sphere of protection
that attempts to control access by relying on people requires a different
approach to security than the side that uses technology.

4.5 DESIGN OF SECURITY ARCHITECTURE


Defense in Depth
 One of the basic foundations of security architectures is the
implementation of security in layers. This layered approach is called
defense in depth.
 Defense in depth requires that the organization establish sufficient
security controls and safeguards, so that an intruder faces multiple layers
of controls.
 These layers of control can be organized into policy, training and
education and technology as per the NSTISSC model.
 While policy by itself may not prevent attacks, when coupled with the other
layers it helps deter them.
 Training and Education are similar.
 Technology is also implemented in layers, with detection equipment, all
operating behind access control mechanisms.
 Implementing multiple types of technology and thereby preventing the
failure of one system from compromising the security of the information is
referred to as redundancy.

 Redundancy can be implemented at a number of points throughout the
security architecture, such as firewalls, proxy servers, and access
controls.
 The figure shows the use of firewalls and intrusion detection systems (IDS)
that use both packet-level rules and data content analysis.
 A network-based IDS (NIDS) resides on a computer or an appliance
connected to a segment of an organization’s network and monitors traffic
on that network segment, looking for indications of ongoing or successful
attack.

Fig. 4.3 Defense in Depth


Security Perimeter
 A Security Perimeter is the first level of security that protects all internal
systems from outside threats.
 Unfortunately, the perimeter does not protect against internal attacks from
employee threats, or on-site physical threats.
 Security perimeters can effectively be implemented as multiple
technologies that segregate the protected information from those who
would attack it.
 Within security perimeters the organization can establish security domains,
or areas of trust within which users can freely communicate.
 The presence and nature of the security perimeter is an essential element
of the overall security framework, and the details of implementing the
perimeter make up a great deal of the particulars of the completed security
blueprint.
 The key components used for planning the perimeter are presented in the
following sections on firewalls, DMZs, proxy servers, and intrusion
detection systems

Fig 4.4 Security Perimeters and Domains
4.5.1 Key Technology Components
 Other key technology components
o A firewall is a device that selectively discriminates against information
flowing into or out of the organization.
o Firewalls are usually placed on the security perimeter, just behind or as
part of a gateway router.
o Firewalls can be packet filtering, stateful packet filtering, proxy, or
application level.
o A Firewall can be a single device or a firewall subnet, which consists
of multiple firewalls creating a buffer between the outside and inside
networks.
o The DMZ (demilitarized zone) is a no-man’s land, between the inside
and outside networks, where some organizations place Web servers
o These servers provide access to organizational web pages, without
allowing Web requests to enter the interior networks.
o Proxy server- An alternative approach to the strategies of using a
firewall subnet or a DMZ is to use a proxy server, or proxy firewall.
o When an outside client requests a particular Web page, the proxy
server receives the request as if it were the subject of the request, then
asks for the same information from the true Web server (acting as a
proxy for the requestor), and then responds to the request as a proxy
for the true Web server.
o For more frequently accessed Web pages, proxy servers can cache or
temporarily store the page, and thus are sometimes called cache
servers.

Fig 4.5 Firewalls, Proxy Servers, and DMZs
o Intrusion Detection Systems (IDSs). In an effort to detect
unauthorized activity within the inner network, or on individual
machines, an organization may wish to implement Intrusion Detection
Systems, or IDSs.
o IDSs come in two versions: host-based and network-based IDSs.
o Host-based IDSs are usually installed on the machines they protect to
monitor the status of various files stored on those machines.
o Network-based IDSs look at patterns of network traffic and attempt to
detect unusual activity based on previous baselines.
o This could include packets coming into the organization’s networks with
addresses from machines already within the organization (IP spoofing).
o It could also include high volumes of traffic going to outside addresses
(as in cases of data theft) or coming into the network (as in a denial of
service attack).
o Both host- and network-based IDSs require a database of previous
activity.
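A toy network-based IDS implementing the two checks the section describes, run over constructed flow records; this is an added example, not code from the course notes. It assumes the internal address ranges, the flow-record format (interface, source, destination, bytes), the per-host baseline that stands in for the "database of previous activity", and the tenfold threshold.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space of the organization (constructed).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed flow records as a NIDS on the perimeter segment might summarize
# them: (interface the packet arrived on, source IP, destination IP, bytes).
CONSTRUCTED_FLOWS = [
    ("ext", "203.0.113.9", "10.0.0.5", 1_200),
    ("ext", "10.0.0.77", "10.0.0.5", 600),            # internal source seen from outside
    ("int", "10.0.0.5", "198.51.100.4", 50_000_000),  # bulk transfer to an outside host
    ("int", "10.0.0.6", "198.51.100.4", 4_000),
    ("ext", "203.0.113.10", "10.0.0.8", 20_000_000),  # flood toward one internal host
]

# The "database of previous activity": constructed per-host baselines for one
# monitoring window, in bytes.
CONSTRUCTED_BASELINE = {
    "10.0.0.5": {"out": 1_000_000, "in": 500_000},
    "10.0.0.6": {"out": 50_000, "in": 50_000},
    "10.0.0.8": {"out": 10_000, "in": 100_000},
}


def detect_spoofing(flows):
    """Packets arriving on the external interface with a source address from
    the organization's own ranges: spoofed, or at best a routing error."""
    return [f for f in flows if f[0] == "ext" and is_internal(f[1])]


def detect_volume_anomalies(flows, baseline, factor=10):
    """Compare per-host traffic crossing the perimeter with the baseline:
    outbound far above normal suggests data theft, inbound far above normal
    suggests a denial-of-service attack. `factor` is an assumed threshold."""
    totals = defaultdict(lambda: {"out": 0, "in": 0})
    for _iface, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src]["out"] += nbytes
        elif is_internal(dst) and not is_internal(src):
            totals[dst]["in"] += nbytes
    alerts = []
    for host, seen in totals.items():
        base = baseline.get(host)
        if base is None:
            continue  # no history for this host yet: cannot judge until baselined
        for direction in ("out", "in"):
            if seen[direction] > factor * base[direction]:
                alerts.append((host, direction, seen[direction]))
    return alerts


if __name__ == "__main__":
    for f in detect_spoofing(CONSTRUCTED_FLOWS):
        print("possible IP spoofing:", f)
    for a in detect_volume_anomalies(CONSTRUCTED_FLOWS, CONSTRUCTED_BASELINE):
        print("volume anomaly:", a)
```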
Fig 4.6 Intrusion Detection Systems
Security Education, Training, and Awareness Program
• As soon as general security policy exists, policies to implement security
education, training and awareness (SETA) program should follow.
• SETA is a control measure designed to reduce accidental security
breaches by employees.
• Security education and training builds on the general knowledge the
employees must possess to do their jobs, familiarizing them with the way to
do their jobs securely
• The SETA program consists of three elements: security education; security
training; and security awareness
• The purpose of SETA is to enhance security by:
o Improving awareness of the need to protect system resources.
o Developing skills and knowledge so computer users can perform their
jobs more securely.
o Building in-depth knowledge, as needed, to design, implement, or
operate security programs for organizations and systems.
Security Education
 Everyone in an organization needs to be trained and aware of information
security, but not every member of the organization needs a formal degree
or certificate in information security.
 A number of universities have formal coursework in information security.
 For those interested in researching formal information security programs,
there are resources available, such as the NSA-identified Centers of
Excellence in Information Assurance Education.
Security Training
 It involves providing members of the organization with detailed information
and hands-on instruction to prepare them to perform their duties securely.

 Management of information security can develop customized in-house
training or outsource the training program.
Security Awareness
• One of the least frequently implemented, but most beneficial programs is
the security awareness program
• Designed to keep information security at the forefront of users’ minds
• Need not be complicated or expensive
• If the program is not actively implemented, employees may begin to “tune
out” and risk of employee accidents and failures increases

4.6 CONTINGENCY PLANNING (CP)


 Contingency Planning (CP) comprises a set of plans designed to ensure
the effective reaction and recovery from an attack and the subsequent
restoration to normal modes of business operations.
 Organizations need to develop disaster recovery plans, incident response
plans, and business continuity plans as subsets of an overall CP.
 An incident response plan (IRP) deals with the identification,
classification, response, and recovery from an incident, but if the attack is
disastrous (e.g., fire, flood, earthquake) the process moves on to disaster
recovery and the BCP.
 A disaster recovery plan (DRP) deals with the preparation for and
recovery from a disaster, whether natural or man-made, and it is closely
associated with the BCP.
 A business continuity plan (BCP) ensures that critical business functions
continue if a catastrophic incident or disaster occurs. The BCP is executed
concurrently with the DRP when the damage is major or long term, requiring
more than simple restoration of information and information resources.
4.6.1 Components of Contingency Planning

Fig. Components of Contingency Planning: Incident Response Plan, Disaster Recovery Plan, Business Continuity Plan
There are six steps to contingency planning. They are
1. Identifying the mission- or business-critical functions,
2. Identifying the resources that support the critical functions,
3. Anticipating potential contingencies or disasters,
4. Selecting contingency planning strategies,
5. Implementing the contingency strategies, and
6. Testing and revising the strategy.
4.6.2 Incident response plan (IRP)
 It is the set of activities taken to plan for, detect, and correct the impact of
an incident on information assets.
 IRP consists of the following 4 phases:
1. Incident Planning
2. Incident Detection
3. Incident Reaction
4. Incident Recovery
Incident Planning
 Planning for an incident is the first step in the overall process of incident
response planning.
 The planners should develop a set of documents that guide the actions of
each involved individual who reacts to and recovers from the incident.
 These plans must be properly organized and stored to be available when
and where needed, and in a useful format.
Incident Detection
 Incident Detection relies on either a human or automated system, which is
often the help desk staff, to identify an unusual occurrence and to classify it
properly as an incident.
 The mechanisms that could potentially detect an incident include intrusion
detection systems (both host-based and network based), virus detection
software, systems administrators, and even end users.
 Once an attack is properly identified, the organization can effectively
execute the corresponding procedures from the IR plan. Thus, incident
classification is the process of examining a potential incident, or incident
candidate, and determining whether or not the candidate constitutes an
actual incident.
 Incident Indicators - There are a number of occurrences that could signal
the presence of an incident candidate.
 Donald Pipkin, an IT security expert, identifies three categories of incident
indicators: possible, probable, and definite indicators.
 Possible Indicators - There are four types of possible indicators of
incidents; they are
1. Presence of unfamiliar files.
2. Presence or execution of unknown programs or processes.
3. Unusual consumption of computing resources
4. Unusual system crashes
 Probable Indicators- The four types of probable indicators of incidents are
1. Activities at unexpected times.
2. Presence of new accounts
3. Reported attacks

4. Notification from IDS
 Definite Indicators- The five types of definite indicators of incidents are
1. Use of Dormant accounts
2. Changes to logs
3. Presence of hacker tools
4. Notifications by partner or peer
5. Notification by hacker
Incident Reaction
 It consists of actions outlined in the IRP that guide the organization in
attempting to stop the incident, mitigate the impact of the incident, and
provide information for recovery from the incident.
 These actions take place as soon as the incident itself is over.
 In reacting to the incident there are a number of actions that must occur
quickly, including notification of key personnel and documentation of the
incident.
 These must have been prioritized and documented in the IRP for quick use
in the heat of the moment.
Incident Recovery
 The recovery process involves much more than the simple restoration of
stolen, damaged, or destroyed data files. It involves the following steps.
1. Identify the Vulnerabilities
2. Address the safeguards.
3. Evaluate monitoring capabilities
4. Restore the data from backups.
5. Restore the services and processes in use.
6. Continuously monitor the system
7. Restore the confidence of the members of the organization’s
communities of interest.
4.6.3 Disaster Recovery Plan (DRP)
 DRP provides detailed guidance in the event of a disaster and also
provides details on the roles and responsibilities of the various individuals
involved in the disaster recovery effort, and identifies the personnel and
agencies that must be notified.
 At a minimum, the DRP must be reviewed during a walk-through or talk-
through on a periodic basis.
Many of the same precepts of incident response apply to disaster recovery:
1. There must be a clear establishment of priorities
2. There must be a clear delegation of roles and responsibilities
3. Someone must initiate the alert roster and notify key personnel.
4. Someone must be tasked with the documentation of the disaster.
5. If and only if it is possible, attempts must be made to mitigate the impact of
the disaster on the operations of the organization.

4.6.4 Business Continuity Plan (BCP)
 It prepares an organization to reestablish critical business operations
during a disaster that affects operations at the primary site.
 If a disaster has rendered the current location unusable for continued
operations, there must be a plan to allow the business to continue to
function.
Developing Continuity Programs
 Once the incident response plans and disaster recovery plans are in
place, the organization needs to consider finding temporary facilities to
support the continued viability of the business in the event of a disaster.
 The development of the BCP is simpler than that of the IRP and DRP,
in that it consists of selecting a continuity strategy and integrating the
off-site data storage and recovery functions into this strategy.
Continuity Strategies
 There are a number of strategies from which an organization can choose
when planning for business continuity.
 The determining factor in selection between these options is usually cost.
 In general there are three exclusive options: Hot sites, Warm Sites, and
Cold sites; and three shared functions: Time-share, Service bureaus, and
Mutual Agreements.
 Hot sites: A hot site is a fully configured facility, with all services,
communications links, and physical plant operations including heating and
air conditioning. It is the pinnacle of contingency planning, a duplicate
facility that needs only the latest data backups and the personnel to
function as a fully operational twin of the original. Disadvantages include
the need to provide maintenance for all the systems and equipment in the
hot site, as well as physical and information security.
 Warm sites: A warm site includes computing equipment and peripherals
with servers but not client work stations. It has many of the advantages of a
hot site, but at a lower cost.
 Cold Sites: A cold site provides only rudimentary services and facilities; no
computer hardware or peripherals are provided. Basically, a cold site is an
empty room with heating, air conditioning, and electricity. The main
advantage of a cold site is in the area of cost.
 Time-shares: A time-share allows the organization to maintain a disaster recovery and
business continuity option, but at a reduced overall cost. The advantages
are identical to those of the type of site selected (hot, warm, or cold). The
disadvantages are the possibility that more than one organization involved
in the time-share may need the facility simultaneously, the need to
stock the facility with the equipment and data from all organizations
involved, the negotiations for arranging the time-share, and the associated
arrangements should one or more parties decide to cancel the agreement
or to sublease its options.
 Service bureaus: A service bureau is an agency that provides a service
for a fee. In the case of disaster recovery and continuity planning, the
service is the agreement to provide physical facilities in the event of a
disaster. These types of agencies also provide off-site data storage for a
fee. The disadvantage is that it is a service, and must be renegotiated
periodically. Also, using a service bureau can be quite expensive.
 Mutual Agreements: A mutual agreement is a contract between two or
more organizations that specifies how each will assist the other in the event
of a disaster.
CHAPTER 5
5.1 PHYSICAL SECURITY
Physical security describes both measures that prevent or deter attackers
from accessing a facility, resource, or information stored on physical media, and
guidance on how to design structures to resist various hostile acts. [1] It can be as
simple as a locked door or as elaborate as multiple layers of armed security
guards and guardhouse placement.
Physical security is not a modern phenomenon. Physical security exists in
order to deter persons from entering a physical facility. Historical examples of
physical security include city walls, moats, etc.
The key factor is that the technology used for physical security has changed
over time. While in past eras there was no passive infrared (PIR) based
technology, electronic access control systems, or video surveillance system (VSS)
cameras, the essential methodology of physical security has not altered over time.
The field of security engineering has identified the following elements to
physical security:
 explosion protection;
 obstacles, to frustrate trivial attackers and delay serious ones;
 alarms, security lighting, security guard patrols or closed-circuit television
cameras, to make it likely that attacks will be noticed; and
 security responses, to repel, catch, or frustrate attackers when an attack
is detected.
In a well designed system, these features must complement each other.
There are at least four layers of physical security:
 Environmental design
 Mechanical, electronic and procedural access control
 Intrusion detection
 Video monitoring
 Personnel Identification
The goal is to convince potential attackers that the likely costs of attack
exceed the value of making the attack.
The initial layer of security for a campus, building, office, or physical space
uses crime prevention through environmental design to deter threats. Some of the
most common examples are also the most basic - barbed wire, warning signs and
fencing, concrete bollards, metal barriers, vehicle height-restrictors, site lighting
and trenches.
5.1.1 Electronic access control
The next layer is mechanical and includes gates, doors, and locks. Key
control of the locks becomes a problem with large user populations and any user
turnover. Keys quickly become unmanageable, forcing the adoption of electronic
access control. Electronic access control easily manages large user populations,
controlling for user lifecycles, times, dates, and individual access points.
For example, a user's access rights could allow access from 0700 to 1900
Monday through Friday and expire in 90 days. Another form of access control
(procedural) includes the use of policies, processes and procedures to manage
the ingress into the restricted area. An example of this is the deployment of
security personnel conducting checks for authorized entry at predetermined points
of entry.
This form of access control is usually supplemented by the earlier forms of
access control (i.e. mechanical and electronic access control), or simple devices
such as physical passes.
An additional sub-layer of mechanical/electronic access control protection is
reached by integrating a key management system to manage the possession and
usage of mechanical keys to locks or property within a building or campus.
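As an added illustration (not from the notes), the access window quoted above, 0700 to 1900 Monday through Friday expiring in 90 days, can be modelled as a rule that an electronic access control system evaluates on every door request; the rule record, door names and issue date are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class AccessRule:
    """Hypothetical rule record for an electronic access control system."""
    holder: str
    doors: FrozenSet[str]       # access points this credential may open
    start: time                 # daily window start, inclusive
    end: time                   # daily window end, exclusive
    weekdays: FrozenSet[int]    # 0 = Monday ... 6 = Sunday
    issued: date
    valid_days: int             # credential expires this many days after issue

    @property
    def expires(self) -> date:
        return self.issued + timedelta(days=self.valid_days)

    def permits(self, door: str, at: datetime) -> Tuple[bool, str]:
        """Return (decision, reason); every branch names its reason so the
        decision can be logged and reviewed later."""
        if door not in self.doors:
            return False, "door not among credential's access points"
        if at.date() >= self.expires:
            return False, "credential expired"
        if at.weekday() not in self.weekdays:
            return False, "outside permitted weekdays"
        if not (self.start <= at.time() < self.end):
            return False, "outside permitted hours"
        return True, "granted"


def example_rule() -> AccessRule:
    # The rule quoted in the notes: 0700 to 1900, Monday through Friday,
    # expiring 90 days after issue (issue date and doors constructed).
    return AccessRule(
        holder="constructed-user",
        doors=frozenset({"lobby", "server-room"}),
        start=time(7, 0),
        end=time(19, 0),
        weekdays=frozenset(range(5)),
        issued=date(2024, 1, 1),
        valid_days=90,
    )
```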
The third layer is intrusion detection systems or alarms. Intrusion detection
monitors for attacks. It is less a preventative measure and more of a response
measure, although some would argue that it is a deterrent. Intrusion detection has
a high incidence of false alarms. In many jurisdictions, law enforcement will not
respond to alarms from intrusion detection systems.
5.1.2 Closed-circuit television
 The last layer is video monitoring systems. Security cameras can be a
deterrent in many cases, but their real power comes from incident
verification and historical analysis.
 For example, if alarms are being generated and there is a camera in place,
the camera could be viewed to verify the alarms.
 In instances when an attack has already occurred and a camera is in place
at the point of attack, the recorded video can be reviewed.
 Although the term closed-circuit television (CCTV) is common, it is quickly
becoming outdated as more video systems lose the closed circuit for signal
transmission and are instead transmitting on computer networks.
 Advances in information technology are transforming video monitoring into
video analysis.
 For instance, once an image is digitized it can become data that
sophisticated algorithms can act upon.
 As the speed and accuracy of automated analysis increases, the video
system could move from a monitoring system to an intrusion detection
system or access control system.
 It is not a stretch to imagine a video camera inputting data to a processor
that outputs to a door lock.
 Instead of using some kind of key, whether mechanical or electrical, a
person's visage is the key. FST21, an Israeli company that entered the US
market this year, markets intelligent buildings that do just that.
 When actual design and implementation is considered, there are numerous
types of security cameras that can be used for many different applications.
 One must analyze their needs and choose accordingly.
5.2 FIREWALLS
 A firewall is any device that prevents a specific type of information from
moving between the untrusted network outside and the trusted network
inside.
 There are five recognized generations of firewalls
 The firewall may be:
o a separate computer system
o a service running on an existing router or server
o a separate network containing a number of supporting devices
5.2.1 Different generations of firewalls.
First Generation
 Called packet filtering firewalls
 Examines every incoming packet header and selectively filters packets
based on
o address, packet type, port request, and other factors
 The restrictions most commonly implemented are based on:
o IP source and destination address
o Direction (inbound or outbound)
o TCP or UDP source and destination port-requests
Second Generation
 Called application-level firewall or proxy server
 Often a dedicated computer separate from the filtering router
 With this configuration the proxy server, rather than the Web server, is
exposed to the outside world in the DMZ
 Additional filtering routers can be implemented behind the proxy server
 The primary disadvantage of application-level firewalls is that they are
designed for a specific protocol and cannot easily be reconfigured to
protect against attacks on protocols for which they are not designed
Third Generation
 Called stateful inspection firewalls
 Keeps track of each network connection established between internal and
external systems using a state table which tracks the state and context of
each packet in the conversation by recording which station sent what
packet and when
 If the stateful firewall receives an incoming packet that it cannot match in its
state table, then it defaults to its ACL to determine whether to allow the
packet to pass
 The primary disadvantage is the additional processing requirements of
managing and verifying packets against the state table which can possibly
expose the system to a DoS attack
 These firewalls can track connectionless packet traffic such as UDP and
remote procedure calls (RPC) traffic
Fourth Generation
 While static filtering firewalls, such as first and third generation, allow entire
sets of one type of packet to enter in response to authorized requests, a
dynamic packet filtering firewall allows only a particular packet with a
particular source, destination, and port address to enter through the firewall
 It does this by understanding how the protocol functions, and opening and
closing “doors” in the firewall, based on the information contained in the
packet header. In this manner, dynamic packet filters are an intermediate
form, between traditional static packet filters and application proxies
Fifth Generation
 The final form of firewall is the kernel proxy, a specialized form that works
under the Windows NT Executive, which is the kernel of Windows NT
 It evaluates packets at multiple layers of the protocol stack, by checking
security in the kernel as data is passed up and down the stack
5.2.2 Firewalls categorized by processing modes
The five processing modes are
1) Packet filtering
2) Application gateways
3) Circuit gateways
4) MAC layer firewalls
5) Hybrids
Packet filtering Routers
 Most organizations with an Internet connection have some form of a router
as the interface at the perimeter between the organization’s internal
networks and the external service provider
 Many of these routers can be configured to filter packets that the
organization does not allow into the network
Fig 5.1 Packet Filtering Firewall
 This is a simple but effective means to lower the organization’s risk to
external attack
 The drawback to this type of system includes a lack of auditing and strong
authentication
 The complexity of the access control lists used to filter the packets can
grow and degrade network performance
Screened-Host Firewall Systems
 Combine the packet-filtering router with a separate, dedicated firewall such
as an application proxy server
 Allows the router to pre-screen packets to minimize the network traffic and
load on the internal proxy
 Application proxy examines an application layer protocol, such as HTTP,
and performs the proxy services
 This separate host is often referred to as a bastion-host, as it represents a
single, rich target for external attacks, and should be very thoroughly
secured
Fig 5.2 Screened Host Firewall
Dual-homed Host Firewalls
 The bastion-host contains two NICs (network interface cards)
 One NIC is connected to the external network, and one is connected to the
internal network
 With two NICs all traffic must physically go through the firewall to move
between the internal and external networks
 A technology known as network-address translation (NAT) is commonly
implemented with this architecture to map from real, valid, external IP
addresses to ranges of internal IP addresses that are non-routable
Fig 5.3 Dual Homed Host Firewall
Screened-Subnet Firewalls (with DMZ)
 Consists of two or more internal bastion-hosts, behind a packet-filtering
router, with each host protecting the trusted network
 The first general model consists of two filtering routers, with one or more
dual-homed bastion-host between them
Fig 5.4 Screened Subnet (DMZ)
 The second general model involves the connection from the outside or
untrusted network going through this path:
o Through an external filtering router
o Into and then out of a routing firewall to the separate network
segment known as the DMZ
 Connections into the trusted internal network are allowed only from the
DMZ bastion-host servers
5.2.3 Factors to be considered when selecting the right firewall
Selecting the Right Firewall
 What type of firewall technology offers the right balance of protection
features and cost for the needs of the organization?
 What features are included in the base price? What features are available
at extra cost? Are all cost factors known?
 How easy is it to set up and configure the firewall? How accessible are staff
technicians with the mastery to do it well?
 Can the candidate firewall adapt to the growing network in the target
organization?
SOCKS Servers
 The SOCKS system is a proprietary circuit-level proxy server that places
special SOCKS client-side agents on each workstation
 Places the filtering requirements on the individual workstation, rather than
on a single point of defense (and thus point of failure)
 This frees the entry router of filtering responsibilities, but then requires each
workstation to be managed as a firewall detection and protection device
 A SOCKS system can require additional support and management
resources to configure and manage possibly hundreds of individual clients,
versus a single device or set of devices
Firewall Recommended Practices
 All traffic from the trusted network is allowed out
 The firewall device is always inaccessible directly from the public network
 Allow Simple Mail Transport Protocol (SMTP) data to pass through your
firewall, but ensure it is all routed to a well-configured SMTP gateway to
filter and route messaging traffic securely
 All Internet Control Message Protocol (ICMP) data should be denied
 Block telnet (terminal emulation) access to all internal servers from the
public networks
 When Web services are offered outside the firewall, deny HTTP traffic from
reaching your internal networks by using some form of proxy access or
DMZ architecture
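An added example, not from the notes, that puts the third-generation stateful inspection described in 5.2.1 and the recommended practices above into code: a first-match ACL encoding those practices, plus a state table that lets replies to connections opened from the trusted network back in without any explicit inbound rule. The addresses (10.0.0.0/8 trusted network, 192.0.2.0/24 DMZ, SMTP gateway and firewall addresses) are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (untrusted -> trusted) or "out" (trusted -> untrusted)
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 for icmp, which has no ports
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # None matches either direction
    proto: Optional[str] = None
    src: Optional[str] = None        # CIDR; None matches any address
    dst: Optional[str] = None
    dport: Optional[int] = None
    note: str = ""                   # why the rule exists; returned with the decision

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


class StatefulFirewall:
    """First-match ACL plus a state table of conversations opened from inside."""

    def __init__(self, acl: List[Rule]):
        self.acl = list(acl)
        # (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def _acl_decision(self, p: Packet) -> Tuple[str, str]:
        for r in self.acl:
            if r.matches(p):
                return r.action, r.note
        return "deny", "implicit deny"      # nothing matched: drop it

    def filter(self, p: Packet) -> Tuple[str, str]:
        if p.direction == "in":
            # A reply to a conversation an inside host started passes on the
            # strength of the state table alone; anything else is put to the ACL.
            key = (p.proto, p.dst, p.dport, p.src, p.sport)
            if key in self.state:
                return "allow", "matched state table"
            return self._acl_decision(p)
        action, why = self._acl_decision(p)
        if action == "allow" and p.proto in ("tcp", "udp"):
            # Record who started talking to whom so the reply can come back.
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action, why


# Constructed addresses for the example network.
TRUSTED = "10.0.0.0/8"
DMZ = "192.0.2.0/24"
SMTP_GATEWAY = "10.0.0.25/32"
FIREWALL = "10.0.0.1/32"

# The recommended practices from the notes as an ordered, first-match ACL.
RECOMMENDED_ACL = [
    Rule("deny", proto="icmp", note="all ICMP denied"),
    Rule("deny", direction="in", dst=FIREWALL, note="firewall never reachable from public net"),
    Rule("deny", direction="in", proto="tcp", dport=23, note="no telnet from public net"),
    Rule("allow", direction="in", proto="tcp", dport=25, dst=SMTP_GATEWAY, note="SMTP only to gateway"),
    Rule("deny", direction="in", proto="tcp", dport=25, note="SMTP to any other host"),
    Rule("allow", direction="in", proto="tcp", dport=80, dst=DMZ, note="web server lives in DMZ"),
    Rule("deny", direction="in", proto="tcp", dport=80, dst=TRUSTED, note="HTTP must not reach internal nets"),
    Rule("allow", direction="out", src=TRUSTED, note="all traffic from trusted net allowed out"),
]


def demo() -> List[Tuple[str, str]]:
    """Run a short constructed conversation through the firewall."""
    fw = StatefulFirewall(RECOMMENDED_ACL)
    return [
        fw.filter(Packet("out", "tcp", "10.0.1.5", "203.0.113.9", 40000, 443)),   # request
        fw.filter(Packet("in", "tcp", "203.0.113.9", "10.0.1.5", 443, 40000)),    # its reply
        fw.filter(Packet("in", "tcp", "203.0.113.9", "10.0.1.6", 443, 40000)),    # unsolicited
        fw.filter(Packet("in", "tcp", "203.0.113.9", "10.0.1.5", 5000, 23)),      # telnet
        fw.filter(Packet("in", "icmp", "203.0.113.9", "10.0.1.5")),               # ping
    ]
```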
5.3 INTRUSION DETECTION SYSTEMS (IDSs)
 IDSs work like burglar alarms
 IDSs require complex configurations to provide the level of detection and
response desired
 An IDS operates as either network-based, when the technology is focused
on protecting network information assets, or host-based, when the
technology is focused on protecting server or host information assets
 IDSs use one of two detection methods, signature-based or statistical
anomaly-based
Fig 5.5 Intrusion Detection Systems (IDSs)
5.3.1 Different types of IDSs
a. Network-based IDS
 A network-based IDS (NIDS) resides on a computer or an appliance
connected to a segment of an organization's network and monitors
traffic on that network segment, looking for indications of ongoing or
successful attacks.
b. Host-based IDS
 A host-based IDS (HIDS) works differently from a network-based
version of IDS.
 While a network-based IDS resides on a network segment and
monitors activities across that segment, a host-based IDS resides on
a particular computer or server, known as the host, and monitors
activity only on that system.
 HIDSs are also known as System Integrity Verifiers as they
benchmark and monitor the status of key system files and detect when
an intruder creates, modifies, or deletes monitored files.
 A HIDS is also capable of monitoring system configuration databases,
such as Windows registries, in addition to stored configuration files like
.ini, .cfg, and .dat files.
c. Application-based IDS
 A refinement of the host-based IDS is the application-based
IDS (AppIDS).
 Whereas the HIDS examines a single system for file modification, the
application-based IDS examines an application for abnormal
incidents.
 It looks for anomalous occurrences such as users exceeding their
authorization, invalid file executions, etc.
d. Signature-based IDS
 It is based on detection methods. A signature-based IDS (also called
knowledge-based IDS) examines data traffic in search of patterns that
match known signatures, that is, preconfigured, predetermined attack
patterns.
 Many attacks have clear and distinct signatures, such as:
o footprinting and fingerprinting activities, which have an attack pattern
that includes the use of ICMP, DNS querying, and e-mail routing
analysis
o exploits, which involve a specific attack sequence designed to take
advantage of a vulnerability to gain access to a system
o Denial of Service (DoS) and Distributed Denial of Service (DDoS)
attacks.
e. Statistical Anomaly-Based IDS (also called Behaviour-based IDS)
 This approach is used for detecting intrusions based on the frequency
with which certain network activities take place.
 A statistical anomaly-based IDS collects statistical summaries by
observing traffic that is known to be normal. A baseline is established
from this normal period.
 The stat IDS periodically samples network activity and, using statistical
methods, compares the sampled network activity to the baseline.
 When the measured activities are outside the baseline parameters, it
is said to be exceeding the clipping level; at this point, the IDS will
trigger an alert to notify the administrator.
f. Log File Monitors (LFM)
 A log file monitor (LFM) is an approach to IDS that is similar to NIDS.
 Using LFM, the system reviews the log files generated by
servers, network devices, and even other IDSs.
 These systems look for patterns and signatures in the log files that
may indicate an attack or intrusion is in process or has already
succeeded.
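An added example, not from the notes, that combines the statistical anomaly approach (e) with a log file monitor (f): constructed sshd-style log lines are reduced to failed logins per minute, a clipping level is derived from a constructed normal-period baseline, and any minute above that level raises an alert. The log format, the baseline numbers and the addresses are all constructed.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sshd-style line format; only failed logins are counted.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}):\d{2} \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def events_per_minute(lines: List[str]) -> Dict[str, int]:
    """Log-file-monitor step: reduce raw log lines to failed logins per
    minute (the timestamp is truncated to minute precision)."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            counts[m.group("ts")] += 1
    return dict(counts)


def clipping_level(normal_counts: List[int], k: float = 3.0) -> float:
    """Baseline from a period known to be normal: mean plus k standard
    deviations. Activity above this value 'exceeds the clipping level'."""
    return statistics.mean(normal_counts) + k * statistics.pstdev(normal_counts)


def detect(counts: Dict[str, int], level: float) -> List[Tuple[str, int]]:
    """Every minute whose count is above the clipping level raises an alert."""
    return sorted((ts, n) for ts, n in counts.items() if n > level)


# Constructed baseline: failed logins per minute seen during a normal period.
NORMAL_PERIOD = [2, 3, 1, 4, 2, 3, 2, 1, 3, 2, 2, 3]


def make_sample_log() -> List[str]:
    """Constructed sample: three quiet minutes, then a burst from one address."""
    lines = []
    schedule = [("08:00", 2, "198.51.100.7"), ("08:01", 3, "198.51.100.8"),
                ("08:02", 1, "198.51.100.9"), ("08:03", 40, "203.0.113.9")]
    for minute, n, ip in schedule:
        for i in range(n):
            lines.append(f"Jan 10 {minute}:{i % 60:02d} bastion sshd[{1000 + i}]: "
                         f"Failed password for root from {ip} port {50000 + i} ssh2")
    # A line the monitor must ignore: a successful login in the same minute.
    lines.append("Jan 10 08:03:59 bastion sshd[2000]: "
                 "Accepted publickey for ops from 10.0.0.5 port 4000 ssh2")
    return lines


def run_detection() -> List[Tuple[str, int]]:
    """Build the baseline, monitor the sample log, and return the alerts."""
    return detect(events_per_minute(make_sample_log()), clipping_level(NORMAL_PERIOD))
```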
5.3.2 Honey Pots, Honey Nets, and Padded Cell Systems
A class of powerful security tools that go beyond routine intrusion detection
is known variously as honey pots, honey nets, and padded cell systems.
Honey pots are decoy systems designed to lure potential attackers away
from critical systems and encourage attacks against themselves. These
systems are created for the sole purpose of deceiving potential attackers. In
industry they are known as decoys, lures, and fly-traps.
When a collection of honey pots connects several honey pot systems on a
subnet, it may be called a honey net.
In sum, honey pots are designed to
i) Divert an attacker from accessing critical systems.
ii) Collect information about the attacker’s activity
iii) Encourage the attacker to stay on the system long enough for
administrators to document the event and, perhaps, respond.
A padded cell is a honey pot that has been protected so that it cannot be easily
compromised. In other words, a padded cell is a hardened honey pot.
The advantages and disadvantages of using honey pot or padded cell
approach
Advantages:
 Attackers can be diverted to targets that they cannot damage.
 Administrators have time to decide how to respond to an attacker.
 Attackers' actions can be easily and extensively monitored
 Honey pots may be effective at catching insiders who are snooping around
a network.
Disadvantages:
 The legal implications of using such devices are not well defined.
 Honey pots and padded cells have not yet been shown to be generally
useful security technologies.
 An expert attacker, once diverted into a decoy system, may become angry
and launch a hostile attack against an organization's systems.
 Admins and security managers will need a high level of expertise to use
these systems.
5.4 SCANNING AND ANALYSIS TOOLS
 Scanners, sniffers, and other analysis tools are useful to security
administrators in enabling them to see what the attacker sees
 Scanner and analysis tools can find vulnerabilities in systems
 One of the preparatory parts of an attack is known as footprinting –
collecting IP addresses and other useful data
 The next phase of pre-attack data gathering process is called fingerprinting
– scanning all known addresses to make a network map of the target
5.4.1 Footprinting and fingerprinting
The attack protocol is a series of steps or processes used by an attacker, in
a logical sequence, to launch an attack against a target system or network. One
of the preparatory parts of the attack protocol is the collection of publicly available
information about a potential target, a process known as footprinting.
Footprinting is the organized research of the Internet addresses owned or
controlled by the target organization. The attacker uses public Internet data
sources to perform keyword searches to identify the network addresses of the
organization. This research is augmented by browsing the organization's web
pages.
The next phase of the attack protocol is a second intelligence or data-
gathering process called fingerprinting. This is a systematic survey of all of the
target organization's Internet addresses (which are collected during the footprinting
phase); the survey is conducted to ascertain the network services offered by the
hosts in that range.
Fingerprinting reveals useful information about the internal structure and
operational nature of the target system or network for the anticipated attack.
5.4.2 Different types of scanning and analysis tools
Port Scanners
 Port scanners fingerprint networks to find ports and services and other
useful information
 Why secure open ports?
o An open port can be used to send commands to a computer, gain
access to a server, and exert control over a networking device
o The general rule of thumb is to remove from service or secure any
port not absolutely necessary for the conduct of business
Vulnerability Scanners
 Vulnerability scanners are capable of scanning networks for very detailed
information
 As a class, they identify exposed usernames and groups, show open
network shares, expose configuration problems, and other vulnerabilities in
servers
Packet Sniffers
 A network tool that collects copies of packets from the network and
analyzes them
 Can be used to eavesdrop on the network traffic
 To use a packet sniffer legally, you must:
o be on a network that the organization owns
o be under direct authorization of the owners of the network
o have the knowledge and consent of the content creators (users)
Content Filters
 Although technically not a firewall, a content filter is a software filter that
allows administrators to restrict accessible content from within a network
 The content filtering restricts Web sites with inappropriate content
Trap and Trace
 Trace: determine the identity of someone using unauthorized access
 Better known as honey pots, they distract the attacker while notifying the
administrator
5.5 CRYPTOGRAPHY
Cryptography, which comes from the Greek words kryptos, meaning "hidden",
and graphein, meaning "to write", is the process of making and using codes to
secure the transmission of information.
Cryptanalysis is the process of obtaining the original message (called
plaintext) from an encrypted message (called the ciphertext) without knowing
the algorithms and keys used to perform the encryption.
Encryption is the process of converting an original message into a form that is
unreadable to unauthorized individuals, that is, to anyone without the tools to
convert the encrypted message back to its original format.
Decryption is the process of converting the cipher text into a message that
conveys readily understood meaning.
5.5.1 Basic Encryption Definitions.
Encryption Definitions
 Algorithm: the mathematical formula used to convert an unencrypted
message into an encrypted message.
 Cipher: the transformation of the individual components (characters, bytes,
or bits) of an unencrypted message into encrypted components.
 Ciphertext or cryptogram: the unintelligible encrypted or encoded
message resulting from an encryption.
 Code: the transformation of the larger components (words or phrases) of
an unencrypted message into encrypted components.
 Cryptosystem: the set of transformations necessary to convert an
unencrypted message into an encrypted message.
 Decipher: to decrypt or convert ciphertext to plaintext.
 Encipher: to encrypt or convert plaintext to ciphertext.
 Key or cryptovariable: the information used in conjunction with the
algorithm to create ciphertext from plaintext.
 Keyspace: the entire range of values that can possibly be used to
construct an individual key.
 Link encryption: a series of encryptions and decryptions between a
number of systems, whereby each node decrypts the message sent to it
and then re-encrypts it using different keys and sends it to the next
neighbor, until it reaches the final destination.
 Plaintext: the original unencrypted message that is encrypted and results
from successful decryption.
 Steganography: the process of hiding messages in a picture or graphic.
 Work factor: the amount of effort (usually in hours) required to perform
cryptanalysis on an encoded message.
5.5.2 Data Encryption Standard (DES)
 Developed in 1977 by IBM
 Based on the Data Encryption Algorithm (DEA)
 Uses a 64-bit block size and a 56-bit key
 With a 56-bit key, the algorithm has 2^56 possible keys to choose from (over
72 quadrillion)
 DES is a federally approved standard for non-classified data
 DES was cracked in 1997 when RSA put a bounty on the algorithm, offering
$10,000 to the team that cracked it; fourteen thousand users
collaborated over the Internet to finally break the encryption
5.5.3 Triple DES (3DES)
 Developed as an improvement to DES
 Uses up to three keys in succession and also performs three different
encryption operations:
o 3DES encrypts the message three times with three different keys,
the most secure level of encryption possible with 3DES
 In 1998, it took a dedicated computer designed by the Electronic Freedom
Frontier (www.eff.org) over 56 hours to crack DES
 The successor to 3DES is the Advanced Encryption Standard (AES), based on
the Rijndael block cipher, a block cipher with a variable block length and a
key length of either 128, 192, or 256 bits
 It would take the same computer approximately 4,698,864 quintillion years
to crack AES
5.5.4 Digital Signatures
 An interesting thing happens when the asymmetric process is reversed,
that is the private key is used to encrypt a short message
 The public key can be used to decrypt it, and the fact that the message was
sent by the organization that owns the private key cannot be refuted
 This is known as nonrepudiation, which is the foundation of digital
signatures
 Digital Signatures are encrypted messages that are independently verified
by a central facility (registry) as authentic
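An added example, not from the notes, showing the reversed asymmetric operation described above with a toy RSA keypair: the message digest is transformed with the private exponent to sign and with the public exponent to verify, so a single changed byte in the message makes verification fail. The primes are tiny constructed values and the digest is reduced modulo n, which is acceptable only for illustration.

```python
import hashlib
from math import gcd
from typing import Tuple

Key = Tuple[int, int]   # (modulus n, exponent)


def _is_prime(n: int) -> bool:
    """Trial division; adequate for the toy-sized primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def make_toy_keypair(p: int = 104729, q: int = 1299709, e: int = 65537) -> Tuple[Key, Key]:
    """Toy RSA keypair. Real keys use primes of 1024 bits or more; these
    constructed primes are only large enough to show the mechanics."""
    assert _is_prime(p) and _is_prime(q)
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)              # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)            # public key, private key


def digest(message: bytes, n: int) -> int:
    # Sign a hash of the message rather than the message itself. The digest is
    # reduced mod n only because the toy modulus is smaller than SHA-256 output;
    # at a real key size the padded digest fits without reduction.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key: Key) -> int:
    n, d = private_key
    return pow(digest(message, n), d, n)        # private-key "encryption"


def verify(message: bytes, signature: int, public_key: Key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)   # public-key "decryption"
```

Anyone holding the public key can run verify, but only the holder of the private exponent could have produced a value that checks out, which is the nonrepudiation property the notes describe.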
PKI or Public Key Infrastructure
 Public Key Infrastructure is the entire set of hardware, software, and
cryptosystems necessary to implement public key encryption
 PKI systems are based on public-key cryptosystems and include digital
certificates and certificate authorities (CAs) and can:
o Issue digital certificates
o Issue crypto keys
o Provide tools to use crypto to secure information
o Provide verification and return of certificates
PKI Benefits
 PKI protects information assets in several ways:
o Authentication
o Integrity
o Privacy
o Authorization
o Nonrepudiation
Securing E-mail
 Encryption cryptosystems have been adapted to inject some degree of
security into e-mail:
o S/MIME builds on the Multipurpose Internet Mail Extensions (MIME)
encoding format by adding encryption and authentication
o Privacy Enhanced Mail (PEM) was proposed by the Internet
Engineering Task Force (IETF) as a standard to function with the
public key cryptosystems
o PEM uses 3DES symmetric key encryption and RSA for key
exchanges and digital signatures
o Pretty Good Privacy (PGP) was developed by Phil Zimmermann and
uses the IDEA cipher along with RSA for key exchange
5.6 PHYSICAL SECURITY
5.6.1 Seven Major Sources of Physical Loss
 Temperature extremes
 Gases
 Liquids
 Living organisms
 Projectiles
 Movement
 Energy anomalies
Secure Facility
 A secure facility is a physical location that has been engineered with
controls designed to minimize the risk of attacks from physical threats
 A secure facility can use the natural terrain, traffic flow, and urban development,
and can complement these features with protection mechanisms such as
fences, gates, walls, guards, and alarms
5.6.2 Controls for Protecting the Secure Facility
 Walls, Fencing, and Gates
 Guards
 Dogs, ID Cards, and Badges
 Locks and Keys
 Mantraps
 Electronic Monitoring
 Alarms and Alarm Systems
 Computer Rooms
 Walls and Doors
5.6.3 Controls used in a Secure Facility
ID Cards and Badges
 Ties physical security to information access with identification cards (ID)
and/or name badges
o ID card is typically concealed
o Name badge is visible
 These devices are actually biometrics (facial recognition)
 Should not be the only control as they can be easily duplicated, stolen, and
modified
 Tailgating occurs when unauthorized individuals follow authorized users
through the control
Locks and Keys
 There are two types of locks
o mechanical and electro-mechanical
 Locks can also be divided into four categories
o manual, programmable, electronic, and biometric
 Locks fail and facilities need alternative procedures for access
 Locks fail in one of two ways:
o when the lock of a door fails and the door becomes unlocked, that is
a fail-safe lock
o when the lock of a door fails and the door remains locked, this is a
fail-secure lock
Fig 5.6 Locks
Mantraps
 An enclosure that has an entry point and a different exit point
 The individual enters the mantrap, requests access, and if verified, is
allowed to exit the mantrap into the facility
 If the individual is denied entry, they are not allowed to exit until a security
official overrides the automatic locks of the enclosure
Fig 5.7 Mantraps
Electronic Monitoring
 Records events where other types of physical controls are not practical
 May use cameras with video recorders
 Drawbacks:
o reactive and do not prevent access or prohibited activity
o recordings often not monitored in real time and must be reviewed to
have any value
Alarms and Alarm Systems
 Alarm systems notify when an event occurs
 Used for fire, intrusion, environmental disturbance, or an interruption in
services
 These systems rely on sensors that detect the event: motion detectors,
smoke detectors, thermal detectors, glass breakage detectors, weight
sensors, and contact sensors
Computer Rooms and Wiring Closets
 Computer rooms and wiring and communications closets require special
attention
 Logical controls are easily defeated, if an attacker gains physical access to
the computing equipment
 Custodial staff are often the least scrutinized of those who have access to
offices and are given the greatest degree of unsupervised access
Interior Walls and Doors
 The walls in a facility are typically either:
o standard interior
o firewall
 All high-security areas must have firewall-grade walls, which provide physical
security from potential intruders and improve the facility's resistance to
fires
 Doors that allow access into secured rooms should also be evaluated
 Computer rooms and wiring closets can have push or crash bars installed
to meet building codes and provide much higher levels of security than the
standard door pull handle
Fire Safety
 The most serious threat to the safety of the people who work in the
organization is the possibility of fire
 Fires account for more property damage, personal injury, and death than
any other threat
 It is imperative that physical security plans examine and implement strong
measures to detect and respond to fires and fire hazards
Fire Detection and Response
 Fire suppression systems are devices installed and maintained to detect
and respond to a fire
 They work to deny an environment of one of the three requirements for a
fire to burn: heat, fuel, and oxygen
o Water and water mist systems reduce the temperature and saturate
some fuels to prevent ignition
o Carbon dioxide systems rob fire of its oxygen
o Soda acid systems deny fire its fuel, preventing spreading
o Gas-based systems disrupt the fire’s chemical reaction but leave
enough oxygen for people to survive for a short time

Chief Information Security Officer


 The top information security position in the organization, not usually an
executive and frequently reports to the Chief Information Officer
 The CISO performs the following functions:
o Manages the overall InfoSec program
o Drafts or approves information security policies
o Works with the CIO on strategic plans, develops tactical plans, and
works with security managers on operational plans
o Develops InfoSec budgets based on funding
o Sets priorities for InfoSec projects & technology
o Makes decisions in recruiting, hiring, and firing of security staff
o Acts as the spokesperson for the security team

Fig 5.8 Positions in Information Security

PART A

UNIT I : INTRODUCTION
1. Define Information Security.
It is a well-informed sense of assurance that the information risks and
controls are in balance.
2. What is Security?
Security is “the quality or state of being secure-to be free from danger”.
3. What are the multiple layers of Security?
• Physical Security
• Personal Security
• Operations Security
• Communication Security
• Network Security
• Information Security
4. What are the characteristics of CIA triangle?
• Confidentiality
• Integrity
• Availability
5. What are the characteristics of Information Security?
• Availability
• Accuracy
• Authenticity
• Confidentiality
• Integrity
• Utility
• Possession
6. What is E-mail Spoofing?
It is the process of sending an e-mail with a modified field.
7. What is UDP Packet Spoofing?
User Datagram Protocol (UDP) Packet Spoofing enables the attacker to get
unauthorized access to data stored on computing systems.
8. What are the measures to protect the confidentiality of information?
• Information Classification
• Secure document storage
• Application of general Security Policies.
• Education of information end-users
9. What is Utility of information?
Utility of information is the quality or state of having value for some purpose or
end.
10. What are the components of information system?
• Software
• Hardware
• Data
• People
• Procedures
• Networks.
11. What are the functions of Locks & Keys?
Locks & Keys are the traditional tools of physical security, which restrict
access to, and interaction with, the hardware components of an information system.

12. What is Network Security?
It is the implementation of alarm and intrusion systems to make system owners
aware of ongoing compromises.
13. Differentiate Direct and Indirect attacks.
Direct Attack
1. It is when a hacker uses his personal computer to break into the system
2. Originate from the threat itself
Indirect Attack
1. It is when a system is compromised and used to attack other systems,
such as in a distributed denial of service attack.
2. Originate from a system or resource that has itself been attacked and is
malfunctioning or working under the control of a threat.
14. What is SDLC?
The Systems Development Life Cycle is a methodology for the
design and implementation of an information system in an organization.
15. What is a methodology?
Methodology is a formal approach to solve a problem based on a structured
sequence of procedures.
16. What are the phases of SDLC Waterfall method?
 Investigation
 Analysis
 Logical Design
 Physical Design
 Implementation
 Maintenance & change.
17. What is enterprise Information Security Policy?
This policy outlines the implementation of a security program within the
organization.
18. What is Risk Management?
It is the process of identifying, assessing and evaluating the levels of risk
facing the organization.
19. What are the functions of Information Security?
 Protects the organization’s ability to function
 Enables the safe operation of applications implemented on the organization's IT
systems.
 Protects the data the organization collects and uses.
 Safeguards the technology assets in use at the organization.
20. What is PKI?
Public Key Infrastructure is an integrated system of software, encryption
methodologies and legal agreements that can be used to support the entire information
infrastructure of an organization.
21. What is the use of Digital Certificates?
Digital Certificates are used to ensure the confidentiality of Internet
Communications and transactions.
UNIT II : SECURITY INVESTIGATION
1. What is a threat?
Threat is an object, person or other entity that represents a constant danger to an
asset.
2. What are Hackers?

Hackers are people who use and create computer software for enjoyment or to
gain access to information illegally.
3. What are the levels of hackers?
• Expert Hacker
Develops software codes
• Unskilled Hacker
Uses the codes developed by the experts
4. What are script kiddies?
These are hackers of limited skill who use expertly written software to exploit a
system but do not fully understand or appreciate the systems they hack.
5. What is Malicious code?
These are programs, which are designed to damage, destroy, or deny service to
the target system
6. What are the types of virus?
• Macro virus
• Boot virus
7. What are Trojan horses?
They are software programs that hide their true nature and reveal their designed
behavior only when activated.
8. What is a polymorphic threat?
It is one that changes its apparent shape over time.
9. What is intellectual property?
It is the ownership of ideas and control over the tangible or virtual representation
of those ideas.
What is an attack?
It is a deliberate act that exploits vulnerability.
10. What is a vulnerability?
It is an identified weakness of a controlled system with controls that are not
present or no longer effective.
11. What are the attack replication vectors?
• IP scan and attack
• Web browsing
• Virus
• Shares
• Mass mail
• SNMP
12. What is a brute force attack?
Trying every possible combination of options of password.
13. What are sniffers?
Sniffers are programs or devices that can monitor data traveling over a network.
14. What is social engineering?
It is the process of using social skills to convince people to reveal access
credentials to the attackers.
15. What are the types of Laws?
• Civil Law
• Criminal Law
• Tort Law
16. Differentiate Private & Public Laws.
Private Laws:
• This Law regulates the relationship between the individual and the organization.
• Eg: Family Law, Commercial Law, Labor Law
Public Law:
• This Law regulates the structure and administration of government agencies
and their relationship with the citizens, employees and other governments.
• Eg: Criminal Law, Administrative Law, Constitutional Law.
17. What are the fundamental principles of HIPAA?
1. Consumer control of medical information.
2. Boundaries on the use of medical information.
3. Accountability for the privacy of private information.
4. Security of health information.
18. What are the general categories of unethical and illegal behavior?
• Ignorance
• Accident
• Intent
19. What is deterrence?
• It is the best method for preventing illegal or unethical activity.
• Examples are laws, Policies and technical controls.
20. What are the forces of Nature affecting information security?
Forces of Nature
 Forces of nature, force majeure, or acts of God are dangerous because
they are unexpected and can occur with very little warning
 Can disrupt not only the lives of individuals, but also the storage, transmission,
and use of information
 Include fire, flood, earthquake, and lightning as well as volcanic eruption
and insect infestation
 Since it is not possible to avoid many of these threats, management must
implement controls to limit damage and also prepare contingency plans for
continued operations
21. What are technical hardware failures or errors?
Technical Hardware Failures or Errors
 Technical hardware failures or errors occur when a manufacturer distributes
to users equipment containing flaws
 These defects can cause the system to perform outside of expected parameters,
resulting in unreliable service or lack of availability
 Some errors are terminal, in that they result in the unrecoverable loss of the
equipment
 Some errors are intermittent, in that they only periodically manifest themselves,
resulting in faults that are not easily repeated
22. What are technical software failures or errors?
Technical Software Failures or Errors
 This category of threats comes from purchasing software with unrevealed faults
 Large quantities of computer code are written, debugged, published, and sold
only to determine that not all bugs were resolved
 Sometimes, unique combinations of certain software and hardware reveal new bugs
 Sometimes, these items aren’t errors, but are purposeful shortcuts left by
programmers for honest or dishonest reasons
23. What is an attack?
Attacks
 An attack is the deliberate act that exploits vulnerability
 It is accomplished by a threat-agent to damage or steal an organization’s
information or physical asset

o An exploit is a technique to compromise a system
o A vulnerability is an identified weakness of a controlled system whose
controls are not present or are no longer effective
o An attack is then the use of an exploit to achieve the compromise of a
controlled system
24. What is a malicious code?
Malicious Code
 This kind of attack includes the execution of viruses, worms, Trojan horses, and
active web scripts with the intent to destroy or steal information
 The state of the art in attacking systems in 2002 is the multi-vector worm using
up to six attack vectors to exploit a variety of vulnerabilities in commonly found
information system devices
UNIT III : SECURITY ANALYSIS

1. What is Risk Management?


Risk Identification is conducted within the larger process of identifying and
justifying risk control known as risk management.
2. What are the communities of interest?
• Information Security
• Management and users
• Information Technology
3. What are the responsibilities of the communities of interests?
• Evaluating the risk controls
• Determining which control options are cost effective for the organization
• Acquiring or installing the needed controls.
• Overseeing that the controls remain effective.
4. Write about MAC.
• It is also called an electronic serial number or hardware address.
• Every network interface hardware device has a unique number.
• The number is used by the network operating system as a
mechanism to identify a specific network device.
5. What is Public key infrastructure certificate authority?
It is a software application that provides cryptographic key management services.
6. What is clean desk policy?
This requires each employee to secure all information in its appropriate storage
container at the end of each day.
7. What is risk assessment?
It is the process of assessing the relative risk for each of the vulnerabilities.
8. What is Likelihood?
Likelihood is the overall rating of the probability that a specific vulnerability
within an organization will be successfully attacked.
9. What is Residual Risk?
It is the risk that remains to the information asset even after the existing control
has been applied.
10. What are Policies?
Policies are documents that specify an organization’s approach to security.
11. What are the types of security policies?
• General Security Policy
• Program Security Policy
• Issue-Specific Policies

12. What are the types of access controls?
• Mandatory Access Controls (MACs)
• Nondiscretionary controls
• Discretionary Controls (DAC)
13. What are the Risk Control Strategies?
• Avoidance – It is the risk control strategy that attempts to prevent the
exploitation of the vulnerability.
• Transference – It is the control approach that attempts to shift the risk
to other assets, other processes, or other organizations.
• Mitigation – It is the control approach that attempts to reduce the impact
caused by the exploitation of vulnerability through planning and preparation.
• Acceptance – It is the choice to do nothing to protect a vulnerability and to
accept the outcome of an exploited vulnerability.
14. What are the common methods for Risk Avoidance?
• Avoidance through Application of Policy
• Avoidance through Application of training and education
• Avoidance through Application of technology
15. What are the types of plans in Mitigation strategy?
• The Disaster Recovery Plan (DRP)
• Incident Response Plan (IRP)
• Business Continuity Plan (BCP)
16. What is a hot site?
• It is also known as business recovery site.
• It is a remote location with systems identical or similar to the home site.
17. What are the ways to categorize the controls?
• Control function
• Architectural Layer
• Strategy Layer
• Information Security Principle.

UNIT IV : LOGICAL DESIGN


1. What are the commonly accepted information security Principles?
• Confidentiality
• Integrity
• Availability
• Authentication
• Authorization
• Accountability
• Privacy.
2. What is benefit?
It is the value that the organization recognizes by using controls to
prevent losses associated with a specific vulnerability.
3. What is asset valuation?
It is the process of assigning financial value or worth to each information asset.
4. What is a Policy?
It is a plan or course of action, as of a government, political party, intended to
influence and determine decisions, actions and other matters.
5. Differentiate Mission & Vision.
Mission: The mission of an organization is a written statement of the organization's
purpose.
Vision: The vision of an organization is a written statement of the organization's
goals.
6. What is Strategic Planning?
It is the process of moving the organization towards its vision by
accomplishing its mission.
7. What are the general groups of System-Specific Policy?
• Access Control Lists
• Configuration Rules.
8. What is a Capability table?
• It is a list associated with users and groups
• Specifies which subjects and objects a user or group can access.
• These are frequently complex matrices rather than simple lists or tables.
9. What is "Agreed Upon Procedures"?
It is a document that outlines the policies and technologies necessary to secure
systems that carry sensitive cardholder information to and from VISA
systems.
10. What is redundancy?
Implementing multiple types of technology and thereby preventing failure of one
system from compromising the security of the information is referred to as
redundancy.
11. What is a Firewall?
It is a device that selectively discriminates against information flowing into or
out of the organization.
12. What is Firewall Subnet?
It consists of multiple firewalls creating a buffer between the outside and inside
networks.
13. What is a DMZ?
• A buffer against outside attack is referred to as Demilitarized Zone.
• It is a no-man’s-land between the inside and outside networks where some
organizations place Web Servers.
• The servers provide access to organizational Web pages without allowing Web
requests to enter the interior networks.
14. What are the phases of Incident Response?
• Planning
• Detection
• Reaction
• Recovery.
15. What is Contingency Planning?
It is the entire planning conducted by the organization to prepare for, react to, and
recover from events that threaten the security of information and information assets in
the organization.
16. Who are the members of the contingency team?
• Champion
• Project Manager
• Team Members.
17. What are the stages in the Business Impact Analysis Step?
• Threat attack identification
• Business unit analysis

• Attack success scenarios
• Potential damage assessment
• Subordinate plan classification
18. What is an attack profile?
It is a detailed description of activities that occur during an attack.
19. What is an incident?
It is any clearly identified attack on the organization’s information assets
that would threaten the asset’s confidentiality, integrity, or availability.
UNIT V : PHYSICAL DESIGN
1. What is intrusion?
An intrusion is a type of attack on information assets in which the instigator
attempts to gain entry into a system or disrupt the normal operations of a system
with, almost always, the intent to do malicious harm.
2. What is IDS?
IDS stands for Intrusion Detection System. It works like a burglar alarm in
that it detects a violation of its configuration and activates an alarm. This alarm can
be audible and/or visual, or it can be silent.
3. What is Signature based IDSs?
Signature based IDSs, also known as knowledge based IDSs, examine data
traffic for patterns that match signatures, which are pre-configured, predetermined
attack patterns.
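As an added example (not part of these notes or any product they describe), the following Python snippet shows the knowledge-based matching just defined: a small set of pre-configured signatures is run over constructed web-server log lines and each hit is reported as an alert. The signature names, patterns and log lines are assumptions made for the illustration. It also canonicalizes the request target before matching, which goes slightly beyond the definition above: because a signature-based IDS fires only on the patterns it already holds, comparing raw text would let a percent-encoded variant of a known pattern pass unnoticed.

```python
import re
from urllib.parse import unquote

# Constructed sample web-server log lines (assumption: common log format).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02] "GET /../../etc/passwd HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03] "GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.1" 404 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:04] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:05] "POST /login HTTP/1.1" 302 0',
]

# Knowledge base: each signature is a name plus a predetermined attack pattern.
# These two patterns are illustrative assumptions, not a real IDS rule set.
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "shell-in-query": re.compile(r"/bin/(?:ba)?sh\b"),
}

# Pulls the method and request target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def normalize(target: str) -> str:
    """Percent-decode the request target until it stops changing, so that
    single- or double-encoded forms of a known pattern match the same signature."""
    prev, cur = None, target
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur


def scan(lines, signatures=SIGNATURES):
    """Return alerts as (line_number, signature_name, client_ip) tuples.
    A line that matches several signatures yields one alert per signature."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue                      # not a request line; nothing to compare
        target = normalize(match.group("target"))
        client_ip = line.split(" ", 1)[0]
        for name, pattern in signatures.items():
            if pattern.search(target):
                alerts.append((number, name, client_ip))
    return alerts


if __name__ == "__main__":
    for number, name, client_ip in scan(SAMPLE_LOG):
        print(f"line {number}: {name} from {client_ip}")
```

The fourth sample line is the same traversal attempt as the second, only percent-encoded; without `normalize()` it would produce no alert, which is the practical weakness of a purely signature-based system: it sees only what its knowledge base already describes.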
4. What are Honey pots?
Honey pots are decoy systems, which means they are designed to lure potential
attackers away from critical systems.
In the security industry, these systems are also known as decoys, lures, or flytraps.
5. What is the use of Scanning and analysis tools?
Scanning and analysis tools are used to pinpoint vulnerabilities in systems, holes
in security components, and unsecured aspects of the network. Although these tools
are used by attackers, they can also be used by an administrator not only to learn
more about his/her own system but also identify and repair system weaknesses before
they result in losses.
6. What are the factors of authentication?
• What a supplicant knows
• What a supplicant has
• Who a supplicant is
• What a supplicant produces
7. What is Hash function?
Hash functions are mathematical algorithms that generate a message summary
or digest that can be used to confirm the identity of a specific message and to
confirm that the message has not been altered.
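As an added example (not part of these notes), the following Python snippet shows a hash function used exactly as described: a fixed-length digest is computed for a message and later recomputed to confirm the message has not been altered. It goes one step beyond the definition by also showing a keyed digest (HMAC): a plain digest can be recomputed by anyone who alters the message, so on its own it proves integrity only against accidental change, not against a party who can rewrite both message and digest. The sample message, the one-digit alteration and the shared key are constructed for the illustration.

```python
import hashlib
import hmac


def digest(message: bytes) -> str:
    """Message summary (digest) of arbitrary-length input as a fixed-length hex string."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, expected_hex: str) -> bool:
    """Confirm the message has not been altered: recompute the digest and
    compare in constant time so the comparison itself leaks nothing via timing."""
    return hmac.compare_digest(digest(message), expected_hex)


def keyed_digest(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of the key can produce a matching value,
    which an unkeyed digest cannot guarantee (anyone can recompute SHA-256)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_keyed_digest(key: bytes, message: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(keyed_digest(key, message), expected_hex)


def demo() -> dict:
    # Constructed sample values (assumption: both parties already share the key).
    key = b"shared-secret-key"
    original = b"Transfer 100.00 to account 12345"
    altered = b"Transfer 900.00 to account 12345"   # one digit changed in transit

    d = digest(original)
    tag = keyed_digest(key, original)
    return {
        # SHA-256 always yields 32 bytes = 64 hex characters, whatever the input size
        "digest_length": len(d),
        # the stored digest confirms the untouched message and rejects the altered one
        "original_passes": verify_digest(original, d),
        "altered_passes": verify_digest(altered, d),
        # but an unkeyed digest can simply be recomputed for the altered message
        "altered_with_recomputed_digest": verify_digest(altered, digest(altered)),
        # a keyed tag cannot be recomputed without the key
        "altered_with_wrong_key_tag": verify_keyed_digest(
            key, altered, keyed_digest(b"wrong-key", altered)),
        "original_tag_passes": verify_keyed_digest(key, original, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The constant-time comparison matters whenever the expected digest or tag is compared against attacker-controlled input; an ordinary `==` on strings can stop at the first differing byte and leak how much of the value was correct.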
8. What is PKI?
PKI – Public Key Infrastructure
It is an integrated system of software, encryption methodologies, protocols, legal
agreements and third party services that enables users to communicate securely. It
includes digital certificates and certificate authorities.
9. What is Steganography?
Steganography is the process of hiding information, and while it is not properly a
form of cryptography, it is related to cryptography in that both are ways of
transmitting information without allowing it to be revealed in transit.

10. What are the protocols used in Secure Internet Communication?
• S-HTTP(Secure Hypertext Transfer Protocol)
• SSL(Secure Socket Layer)
• SSL Record Protocol
• Standard HTTP
11. What is Physical security?
Physical security addresses the design, implementation, and maintenance of
countermeasures that protect the physical resources of an organization. This
means the physical protection of the people, the hardware, and the supporting system
elements and resources associated with the control of information in all its states:
transmission, storage and processing.
12. What are the controls of protecting the Secure Facility?
• Walls, Fencing, Gates
• Guards
• Dogs
• ID Cards and Badges
• Locks and keys
• Mantraps
• Electronic Monitoring
13. What are the basic types of Fire Detection Systems?
• Thermal Detection
• Smoke Detection
• Flame Detection
14. What is TEMPEST?
TEMPEST is a technology that prevents the loss of data that may result
from the emissions of electromagnetic radiation.
15. What are the conditions controlled by HVAC Systems?
 Temperature
 Filtration
 Humidity
 Static Electricity.
16. What are the relevant terms for electrical power influence?
• Fault: Momentary Interruption in power
• Blackout: Prolonged Interruption in power
• Sag: Momentary drop in power voltage levels
• Brown out: Prolonged drop in power voltage levels
• Spike: Momentary increase in power voltage levels
• Surge: Prolonged increase in power voltage levels
