Information Security UNIT-3 Notes

Unit-III of the Information Security syllabus focuses on planning for security, including the development of security policies, standards, and practices, as well as the role of management in enforcing these elements. It outlines the importance of strategic and tactical planning in achieving information security objectives, and discusses the governance framework necessary for effective security management. Additionally, it details the types of security policies, including enterprise, issue-specific, and systems-specific policies, and emphasizes the need for ongoing policy management and review.

Unit-III Subject: Information Security

UNIT-III

Syllabus:
Planning for Security: Security policy, Standards and practices, Security blueprint, Security
education, Continuity strategies.
Security Technology: Firewalls and VPNs: Physical design, firewalls, protecting remote
connections.
Objective:
• Define management’s role in the development, maintenance, and enforcement of
information security policy, standards, practices, procedures, and guidelines
• Describe what an information security blueprint is, identify its major components, and
explain how it supports the information security program
Outcome:

Introduction
An organization’s information security effort will succeed only if it operates in
conjunction with the organization’s information security policy. An information
security program begins with policy, standards, and practices, which are the
foundation for the information security architecture and blueprint. The creation and
maintenance of these elements require coordinated planning.

Planning for Security

Information Security Planning and Governance
Strategic planning is the long-term direction taken by the whole organization and by
each of its associates. Strategic planning should guide organizational efforts and
focus resources toward specific, clearly defined goals.

Planning Levels
First, the organization develops a general strategy and translates it into strategic plans
for each major division or operation. The next step is to translate these plans into
tactical objectives that move toward reaching specific, measurable, achievable, and
time-bound accomplishments. The process of strategic planning seeks to transform
broad, general, sweeping statements into more specific and applied objectives.
Strategic plans are used to create tactical plans, which are in turn used to develop
operational plans.

To execute this broad strategy and to convert general strategy into action, the
executive team (sometimes called the C-level of the organization, as in CEO, COO,
CFO, CIO, and so on) must first define individual responsibilities. The conversion of
goals from one strategic level to the next lower level is perhaps more art than science.

Tactical planning focuses on shorter-term undertakings that will be completed
within one or two years. The process of tactical planning breaks each strategic goal
into a series of incremental objectives. Each objective in a tactical plan should be
specific and should have a delivery date within a year of the plan’s start. Budgeting,
resource allocation, and personnel are critical components of the tactical plan.

Managers and employees use operational plans to organize the ongoing, day-to-day
performance of tasks.

Dept. of CSE, MEC 2022-2023


Planning and the CISO: The first priority of the CISO and the information security
management team is the creation of a strategic plan to accomplish the organization’s
information security objectives.

Information Security Governance

Governance is “the set of responsibilities and practices exercised by the board and
executive management with the goal of providing strategic direction, ensuring that
objectives are achieved, ascertaining that risks are managed appropriately and
verifying that the enterprise’s resources are used responsibly.”

Governance describes the entire process of governing, or controlling, the processes
used by a group to accomplish objectives.

Information Security Governance Outcomes

The five goals of information security governance are:
• Strategic alignment of information security with business strategy to support
organizational objectives
• Risk management by executing appropriate measures to manage and mitigate
threats to information resources
• Resource management by utilizing information security knowledge and
infrastructure efficiently and effectively
• Performance measurement by measuring, monitoring, and reporting
information security governance metrics to ensure that organizational
objectives are achieved
• Value delivery by optimizing information security investments in support of
organizational objectives

Governance Framework: In order to effectively implement security governance, the
Corporate Governance Task Force (CGTF) recommends that organizations follow an
established framework. Example: the IDEAL framework from the Carnegie Mellon
University Software Engineering Institute.

Standards and Practices

Information Security Policy, Standards, and Practices
Management from all communities of interest, including general staff, information
technology, and information security, must make policy, which is the basis for all
information security planning, design, and deployment.
• Quality security programs begin and end with policy.
• Policy is a management tool that obliges personnel to function in a manner that
preserves the security of information assets.
• Security policies are the least expensive control to execute, but the most
difficult to implement properly.

Creating (drafting and shaping) policy is difficult because policy must:
• Never conflict with laws
• Stand up in court, if challenged
• Be properly administered through dissemination and documented acceptance

Security Policy
Definition: A policy is a plan or course of action that conveys instructions from an
organization’s senior management to those who make decisions, take actions, and
perform other duties.

• Policies are organizational laws in that they dictate acceptable and
unacceptable behavior within the organization.
• Like laws, policies define what is right, what is wrong, what the penalties are
for violating policy, and what the appeal process is.
• Standards, on the other hand, are more detailed statements of what must be
done to comply with policy.

Policies are put in place to support the mission, vision, and strategic planning of an
organization.

An information security policy provides rules for the protection of the information
assets of the organization.

According to the National Institute of Standards and Technology’s Special Publication
800-14, management must define three types of security policy:
1. Enterprise information security policies
2. Issue-specific security policies
3. Systems-specific security policies

For a policy to be effective and legally enforceable, it must meet the following criteria:
• Dissemination (distribution)
• Review (reading)
• Comprehension (understanding)
• Compliance (agreement)
• Uniform enforcement

Enterprise Information Security Policy (EISP)

An enterprise information security policy (EISP) is also known as a general security
policy, organizational security policy, IT security policy, or information security
policy. The EISP is based on the mission, vision, and direction of the organization
and sets the strategic direction, scope, and tone for all security efforts.

The EISP is an executive-level document, usually drafted by the Chief Information
Officer (CIO) of the organization. This policy is usually two to ten pages long and
shapes the philosophy of security in the IT environment. The EISP usually needs to
be modified only when there is a change in the strategic direction of the organization.

The EISP guides the development, implementation, and management of the security
program.

• It defines the requirements that must be met by the information security
blueprint or framework.
• It defines the purpose, scope, constraints, and applicability of the security
program.
• It assigns responsibilities for various security areas like systems
administration, maintenance of the information security policies, and the
practices and responsibilities of the users.
• It addresses legal compliance.

According to NIST, the EISP typically addresses compliance in the following two areas:

1. General compliance to ensure meeting the requirements to establish a program
and the responsibilities assigned therein to various organizational components.
2. The use of specified penalties and disciplinary action.

When the EISP has been developed, the CISO forms the security team and initiates
the necessary changes to the information security program.

EISP Elements
Although the EISP document may vary from organization to organization, most EISP
documents should include the following elements:
• An overview of the corporate philosophy on security
• Information on the structure of the information security organization and
individuals who fulfill the information security role
• Fully articulated responsibilities for security that are shared by all members of
the organization (employees, contractors, consultants, partners, and visitors)
• Fully articulated responsibilities for security that are unique to each role within
the organization

Components of a good EISP

Component: Statement of Purpose
Description: “What is this policy for?” Provides a framework that helps the reader to
understand the intent of the document. Can include text such as the following:
“This document will:
• Identify the elements of a good security policy
• Explain the need for information security
• Specify the various categories of information security
• Identify the information security responsibilities and roles
• Identify appropriate levels of security through standards and guidelines
This document establishes a comprehensive security policy and direction for the
company. Individual departments are expected to establish standards, guidelines, and
operating procedures that adhere to and reference this policy while addressing their
specific and individual needs.”

Component: Information Security Elements
Description: Defines information security. For example: “Protecting the
confidentiality, integrity, and availability of information while in processing,
transmission, and storage, through the use of policy, education and training, and
technology…” This section can also lay out security definitions or philosophies to
clarify the policy.

Component: Need for Information Security
Description: Provides information on the importance of information security in the
organization and the obligation (legal and ethical) to protect critical information,
whether regarding customers, employees, or markets.

Component: Information Security Responsibilities and Roles
Description: Defines the organizational structure designed to support information
security within the organization. Identifies categories of individuals with
responsibility for information security (IT department, management, users) and their
information security responsibilities, including maintenance of this document.

Component: Reference to Other Information Standards and Guidelines
Description: Lists other standards that influence and are influenced by this policy
document, perhaps including relevant laws (federal and state) and other policies.

Issue-Specific Security Policy (ISSP)

An organization uses various technologies and processes to support routine
operations. It must instruct employees on the proper use of these technologies and
processes.

Issue-specific security policy, or ISSP:

• It addresses specific areas of technology, as listed below.
• It requires frequent updates.
• It contains a statement on the organization’s position on a specific issue.

An ISSP may cover the following topics, among others:
• E-mail
• Use of the Internet
• Specific minimum configurations of computers to defend against worms and
viruses
• Prohibitions against hacking or testing organization security controls
• Home use of company-owned computer equipment
• Use of personal equipment on company networks
• Use of telecommunications technologies (fax and phone)
• Use of photocopy equipment

There are a number of approaches for creating and managing ISSPs within an
organization. Three of the most common are:

1. Independent ISSP documents, each tailored to a specific issue
The independent ISSP document is typically a disorganized document. Each
department responsible for a particular application of technology creates a policy
governing its use, management, and control. This approach may fail to cover all of
the necessary issues and can lead to poor policy distribution, management, and
enforcement.
2. A single comprehensive ISSP document covering all issues
The single comprehensive ISSP contains formal procedures for the management of
policy, and it is centrally managed and controlled. The comprehensive policy
approach establishes guidelines for overall coverage of necessary issues and clearly
identifies processes for the dissemination, enforcement, and review of these
guidelines.
3. A modular ISSP document that unifies policy creation and administration,
while maintaining each specific issue’s requirements
The modular ISSP is an optimal balance between the independent and
comprehensive ISSP. It is also centrally managed and controlled but is tailored to the
individual technology issues. The modular approach provides a balance between
issue orientation and policy management.

Components of ISSP
1. Statement of policy
a. Scope and applicability
b. Definition of technology addressed
c. Responsibilities
2. Authorized access and usage of equipment
a. User access
b. Fair and responsible use
c. Protection of privacy
3. Prohibited usage of equipment
a. Disruptive use or misuse
b. Criminal use
c. Offensive or harassing materials
d. Copyrighted, licensed, or other intellectual property
e. Other restrictions
4. Systems management
a. Management of stored materials
b. Employer monitoring
c. Virus protection
d. Physical security
e. Encryption
5. Violations of policy
a. Procedures for reporting violations
b. Penalties for violations
6. Policy review and modification
a. Scheduled review of policy procedures for modification
b. Legal disclaimers
7. Limitations of liability
a. Statements of liability
b. Other disclaimers as needed

Systems-Specific Policy (SysSP)

SysSPs often function as standards or procedures to be used when configuring or
maintaining systems.
This document contains:
• A statement of managerial intent.
• Guidance to network engineers on the selection, configuration, and operation
of firewalls.
• An access control list that defines levels of access for each authorized user.

SysSPs can be separated into two general groups, managerial guidance and technical
specifications, or they can be combined into a single policy document.
Managerial Guidance SysSPs
Created by management to guide implementation and configuration of technology as
well as to regulate behavior of people in the organization.

Technical Specifications SysSPs

A technical policy, or set of configurations, that implements managerial policy. Each
type of equipment requires its own set of policies, which are used to translate the
management intent on technical control into an enforceable technical approach.
Technical SysSPs are further divided into:
1. Access control lists (ACLs): These consist of access control lists, matrices, and
capability tables that govern the rights and privileges of a particular user on a
particular system.
ACLs can control access to file storage systems, software components, or network
communications devices.
A capability table specifies which objects a given subject (a user or group) can
access; in some systems, capability tables are called user profiles or user policies.
The access control matrix includes a combination of tables and lists, such that
organizational assets are listed along the column headers, while users are listed along
the row headers.
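As an added example (not code from these notes), the following Python builds a small access control matrix and derives the two views the text describes: an ACL is a column of the matrix (every subject holding some right on one object) and a capability table is a row (every object one subject may touch). The subjects, objects and the Right flags are constructed for the demonstration; an empty cell carries no rights, so a lookup on an unknown user or asset fails closed.

```python
"""Access control matrix with ACL (column) and capability-table (row) views.

Added example; this is not code from the lecture notes. The subjects,
objects and the Right flags are assumptions constructed for the demonstration.
"""
from enum import Flag, auto
from typing import Dict, List


class Right(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    ADMIN = auto()


class AccessControlMatrix:
    """Subjects (users or groups) along the rows, assets along the columns.

    A missing cell carries no rights, so a check against an unknown subject
    or object fails closed (default deny).
    """

    def __init__(self) -> None:
        self._rows: Dict[str, Dict[str, Right]] = {}
        self._objects: List[str] = []

    def grant(self, subject: str, obj: str, rights: Right) -> None:
        row = self._rows.setdefault(subject, {})
        row[obj] = row.get(obj, Right.NONE) | rights
        if obj not in self._objects:
            self._objects.append(obj)

    def revoke(self, subject: str, obj: str, rights: Right) -> None:
        row = self._rows.setdefault(subject, {})
        row[obj] = row.get(obj, Right.NONE) & ~rights

    def check(self, subject: str, obj: str, right: Right) -> bool:
        """The access decision: is `right` contained in the matrix cell?"""
        return right in self._rows.get(subject, {}).get(obj, Right.NONE)

    def acl(self, obj: str) -> Dict[str, Right]:
        """Column view: the ACL attached to one object lists every subject
        holding some right on it (what a file system stores per file)."""
        return {s: row[obj] for s, row in self._rows.items()
                if row.get(obj, Right.NONE) != Right.NONE}

    def capabilities(self, subject: str) -> Dict[str, Right]:
        """Row view: the capability table (user profile) of one subject lists
        every object it may touch (what a ticket or token would carry)."""
        return {o: r for o, r in self._rows.get(subject, {}).items()
                if r != Right.NONE}

    def render(self) -> str:
        """Plain-text matrix, the form a reviewer reads during a policy audit."""
        names = ("READ", "WRITE", "EXECUTE", "ADMIN")
        lines = ["subject".ljust(10) + "".join(o.ljust(16) for o in self._objects)]
        for s, row in self._rows.items():
            cells = []
            for o in self._objects:
                r = row.get(o, Right.NONE)
                text = "-" if r == Right.NONE else "/".join(
                    n.lower() for n in names if Right[n] in r)
                cells.append(text.ljust(16))
            lines.append(s.ljust(10) + "".join(cells))
        return "\n".join(lines)


def build_demo_matrix() -> AccessControlMatrix:
    """Constructed sample data: a payroll database, an edge firewall, a script."""
    m = AccessControlMatrix()
    m.grant("alice", "payroll.db", Right.READ | Right.WRITE)
    m.grant("bob", "payroll.db", Right.READ)
    m.grant("netops", "edge-fw", Right.READ | Right.WRITE | Right.ADMIN)
    m.grant("bob", "edge-fw", Right.READ)
    m.grant("alice", "backup.sh", Right.EXECUTE)
    return m


if __name__ == "__main__":
    m = build_demo_matrix()
    print(m.render())
    print("ACL for payroll.db:", m.acl("payroll.db"))
    print("capabilities of bob:", m.capabilities("bob"))
    print("bob may write payroll.db:", m.check("bob", "payroll.db", Right.WRITE))
```

The same matrix answers both questions a SysSP has to settle: "who may touch this asset?" (the ACL, read off a column) and "what may this user touch?" (the capability table, read off a row). Revoking a right clears the bit in one cell and both views change together, which is the property that is lost when ACLs and user profiles are maintained as separate documents.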

2. Configuration rule policies:
Configuration rule policies are the specific instructions that dictate how a security
system reacts to the data it receives.
Rule-based policies are more specific to the operation of a system than ACLs are, and
they may or may not deal with users directly.

Many security systems, for example firewalls, intrusion detection and prevention
systems (IDPSs), and proxy servers, use specific configuration scripts that represent
the configuration rule policy to determine how the system handles each data element
they process.

Policy Management
Policies are living documents that must be managed. Policies that are drafted and
then left on a shelf without being implemented are a wasted effort.
• These documents must therefore be properly disseminated (distributed, read,
understood, agreed to, and uniformly applied) and managed.
• The management of policy documents is specified in the ISSP.
• Good management practices for policy development and maintenance help an
organization remain viable in its market.
• Special consideration should be given to organizations undergoing mergers,
takeovers, and partnerships.

In order to remain viable, these policies must have:

• An individual responsible for reviews
The policy champion and manager is called the policy administrator, usually a
midlevel staff member responsible for the creation, revision, distribution, and
storage of the policy.
• A schedule of reviews
Policies must be periodically reviewed for currency and accuracy and modified
to reflect the current environment and trends; if they are not, they may create
liabilities. A properly organized schedule of reviews should therefore be defined
and published as part of the document. Typically, a policy should be reviewed at
least annually to ensure that it is still an effective control.
• A method for making recommendations for reviews
The policy manager should implement a mechanism through which every individual
can submit recommendations for review. Anonymous submission of recommendations
must be encouraged. Once the policy has come up for review, all comments should
be examined, and management-approved improvements should be implemented.
• An indication of policy and revision dates
When policies are drafted and published without dates, confusion can arise. If
members of the organization are following undated versions, disastrous results
and legal headaches can arise. Therefore, a policy must contain its date of origin,
along with the date(s) of any revisions. Some policies may also need a sunset
clause indicating their expiration date.
Automated Policy Management:
New software is available for the management of information security policies.
Automation can streamline the steps of drafting policies, tracking the workflow of
policy approvals, publishing policies, and recording acceptance by individuals.
Organizations can also deliver computer-based training to staff members.

Information Security Blueprint

Once an organization’s information security policies and standards are developed, the
information security community starts developing the blueprint for the information
security program.

The security blueprint is the basis for the design, selection, and implementation of all
security program elements, including policy implementation, ongoing policy
management, risk management programs, education and training programs,
technological controls, and maintenance of the security program.

• It is built on top of the organization’s information security policies.
• It is a scalable, upgradeable, comprehensive plan to meet the organization’s
current and future information security needs.
• It is a detailed version of the organization’s security framework, which outlines
the overall information security strategy and a roadmap for planned changes
to the information security environment.

The security blueprint specifies the tasks and the order in which they are to be
accomplished.

A number of published information security models or frameworks are available to
help develop an organization’s information security blueprint. The most widely
referenced security models are:

• The ISO 27000 Series
• NIST Security Models
• IETF Security Architecture

The ISO 27000 Series:

One of the most widely referenced security models is the Information Technology—
Code of Practice for Information Security Management, which was originally published
as British Standard BS7799. In 2000, this code of practice was adopted as an
international standard framework for information security by the International
Organization for Standardization (ISO) and the International Electrotechnical
Commission (IEC) as ISO/IEC 17799. The document was revised in 2005 (becoming
ISO 17799:2005), and it was then renamed ISO 27002 in 2007 to align with ISO
27001.

ISO/IEC 27002 “gives recommendations for information security management for use
by those who are responsible for initiating, implementing, or maintaining security in
their organization.”

ISO/IEC 27002 is focused on a broad overview of the various areas of security,
providing information on 127 controls over ten broad areas.

ISO/IEC 27001 provides information on how to implement ISO/IEC 27002 and how
to set up an information security management system (ISMS).

The major steps of an information security management system are shown in the
figure below.

ISO/IEC 27001:2005
ISO/IEC 27001 provides implementation details using a Plan-Do-Check-Act cycle

Plan
1 Define the scope of the ISMS
2 Define an ISMS policy
3 Define the approach to risk assessment
4 Identify the risks
5 Assess the risks
6 Identify and evaluate options for the treatment of risk
7 Select control objectives and controls
8 Prepare a statement of applicability (SOA)
Do
9 Formulate a risk treatment plan
10 Implement the risk treatment plan
11 Implement controls
12 Implement training and awareness programs
13 Manage operations
14 Manage resources
15 Implement procedures to detect and respond to security incidents
Check
16 Execute monitoring procedures
17 Undertake regular reviews of ISMS effectiveness
18 Review the level of residual and acceptable risk
19 Conduct internal ISMS audits
20 Undertake regular management review of the ISMS
21 Record actions and events that impact an ISMS
Act
22 Implement identified improvements
23 Take corrective or preventive action
24 Apply lessons learned
25 Communicate results to interested parties
26 Ensure improvements achieve objectives

Although ISO/IEC 27001 provides some implementation information, it simply
specifies what must be done, not how to do it.

NIST Security Models

Many documents are available from the Computer Security Resource Center of the
National Institute of Standards and Technology (NIST).

The following NIST documents can assist in the design of a security framework:

• SP 800-12: An Introduction to Computer Security: The NIST Handbook
• SP 800-14: Generally Accepted Security Principles and Practices for Securing
Information Technology Systems
• SP 800-18 Rev. 1: Guide for Developing Security Plans for Federal Information
Systems
• SP 800-26: Security Self-Assessment Guide for Information Technology
Systems (removed from active list but still available in archives)
• SP 800-30: Risk Management Guide for Information Technology Systems
NIST Special Publication SP 800-12

An Introduction to Computer Security: The NIST Handbook is an excellent reference
and guide for the security manager or administrator in the routine management of
information security.

• It provides little guidance on the design and implementation of new security
systems.
• SP 800-12 lays out the NIST philosophy on security management by identifying 17
controls organized into three categories:
  • The Management Controls section addresses security topics that can be
  characterized as managerial.
  • The Operational Controls section addresses security controls that focus on
  controls that are, broadly speaking, implemented and executed by people (as
  opposed to systems).
  • The Technical Controls section focuses on security controls that the computer
  system executes.

NIST Special Publication 800-14

Its full title is Generally Accepted Principles and Practices for Securing Information
Technology Systems.

• It provides best practices and security principles that can direct the security
team in the development of a security blueprint.
• It provides philosophical principles that the security team should integrate into
the entire information security process.

The scope of NIST SP 800-14 is broad. Some of the more significant points of NIST
800-14 are:
1. Security Supports the Mission of the Organization
2. Security Is an Integral Element of Sound Management
3. Security Should Be Cost-Effective
4. Systems Owners Have Security Responsibilities Outside Their Own Organizations
5. Security Responsibilities and Accountability Should Be Made Explicit
6. Security Requires a Comprehensive and Integrated Approach
7. Security Is Constrained by Societal Factors

NIST Special Publication 800-18 Rev. 1

The Guide for Developing Security Plans for Federal Information Systems.

• It provides detailed methods for assessing, designing, and implementing
controls and plans for applications of various sizes.
• It serves as a guide for the activities described in this chapter, and for the
overall information security planning process.
• It includes templates for major application security plans.

IETF Security Architecture

The Security Area Working Group acts as an advisory board for the protocols and
areas developed and promoted by the Internet Society and the Internet Engineering
Task Force (IETF).
• This group endorses no specific information security architecture but provides
RFC 2196: Site Security Handbook.
• RFC 2196 provides a good functional discussion of important security issues
and covers five basic areas of security with detailed discussions on development
and implementation.

Baselining and Best Business Practices

• Baselining and best practices are solid methods for collecting security practices
but can have the drawback of providing less detail for the design and
implementation of all the practices needed by an organization, than would a
complete methodology.
• However, it is possible to gain information by baselining and using best
practices, to piece together the desired outcome of the security process, and
thus work backwards to an effective design.
• The Federal Agency Security Practices Site (fasp.nist.gov) is designed to provide
best practices for public agencies but can be adapted easily to private
institutions. The documents found in this site include specific examples of key
policies and planning documents, implementation strategies for key
technologies, and outlines of hiring documents for key security personnel.
• Professional societies often provide information on best practices for their
members.

Design of Security Architecture

The information security program architecture illustrates industry best practices and
a few key security architectural components required to meet an organization’s needs.

Spheres of Security
The spheres of security are the foundation of the security framework. They illustrate
how information is under attack from a variety of sources.
• The sphere of use illustrates the ways in which people access information.
• The sphere of protection illustrates that between each layer of the sphere of
use there must exist a layer of protection.

“Policy and law” and “Education and training” are placed between people and the
information. Controls are also implemented between systems and the information,
between networks and the computer systems, and between the Internet and internal
networks.

This reinforces the concept of defense in depth. A variety of controls can be used to
protect the information.

Information security is designed and implemented in three layers: policies, people
(education, training, and awareness programs), and technology, commonly referred
to as PPT. Each of the layers contains controls and safeguards that protect the
information and information system assets.

Levels of Controls
Information security safeguards provide three levels of control:
1. Managerial Controls
Management Controls are security processes that are designed by strategic planners
and implemented by the security administration of the organization.
• Set the direction and scope of the security process
• Provide detailed instructions for its conduct
• Address the design and implementation of the security planning process and
security program management.
• Address risk management and security control reviews.
2. Operational Controls

They are the lower-level planning functions that deal with the operational
functionality of security in the organization, such as disaster recovery and incident
response planning.
• Address personnel security, physical security, and the protection of production
inputs and outputs.
• Guide the development of education, training, and awareness programs for
users, administrators, and management.
• Address hardware and software systems maintenance and the integrity of data.
3. Technical Controls
Tactical and technical implementations of security in the organization.
• These are the components put in place to protect an organization’s information
assets.
• Includes logical access controls such as identification, authentication,
authorization, accountability (including audit trails), cryptography, and the
classification of assets and users.

Defense in Depth
The layered implementation of security is called defense in depth. To achieve defense
in depth, an organization must establish multiple layers of security controls and
safeguards, which can be organized into policy, training and education, and
technology.

Security Perimeter
A security perimeter defines the boundary between the outer limit of an organization’s
security and the beginning of the outside world. It is the level of security that protects
all internal systems from outside threats.

There can be both an electronic security perimeter, usually at the organization’s
exterior network or Internet connection, and a physical security perimeter, usually at
the entrance to the organization’s offices.


The perimeter does not protect against internal attacks from employee threats or
onsite physical threats.

The security perimeter is an essential element of the overall security framework, and
its implementation details are the core of the security blueprint. The key components
of the security perimeter are firewalls, DMZs, proxy servers, and IDPSs.

Firewalls:
A firewall is a device that selectively discriminates against information flowing into or
out of the organization.
• It is usually a computing device or a specially configured computer that allows
or prevents access to a defined area based on a set of rules.
• It is usually placed on the security perimeter, just behind or as part of a gateway
router.
• A firewall can be a single device or a firewall subnet, which consists of multiple
firewalls creating a buffer between the outside and inside networks.

Packet filtering, stateful packet filtering (stateful inspection), proxy, and
application-level firewalls are the main types. A simple packet filter judges each
packet on its own against the rule set; a stateful filter also remembers the
connections it has admitted, so it can let replies through without opening a hole in
the rules.
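As an added example (not from the notes or any vendor product), the following Python models the difference between a stateless packet filter and stateful inspection. The rule format, addresses, ports and packets are all constructed for illustration; the "trust anything from source port 443" rule is the traditional stateless workaround for letting replies back in, and the forged packet shows why stateful inspection replaced it.

```python
# Added example, not from the notes: a minimal packet filter that contrasts a
# stateless rule set with stateful inspection. Addresses, ports and rules are
# constructed for illustration; the firewall sits between "in" (Internet side)
# and "out" (inside hosts) and is default-deny.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" = arriving from outside, "out" = leaving the inside
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # TCP SYN without ACK: a new connection attempt


# Rule: (direction, proto, src_port, dst_port, action); None matches any port.
# First match wins and anything unmatched is denied (default deny).
BASE_RULES = [
    ("in",  "tcp", None, 80,   "allow"),   # DMZ web server
    ("in",  "tcp", None, 443,  "allow"),
    ("out", "tcp", None, None, "allow"),   # inside hosts may initiate any TCP
]

# Classic stateless workaround for letting replies back in: trust anything whose
# *source* port looks like a web server. An attacker chooses their own source
# port, so this rule admits forged traffic as readily as genuine replies.
LEAKY_RULES = BASE_RULES + [("in", "tcp", 443, None, "allow"),
                            ("in", "tcp", 80,  None, "allow")]


def stateless_filter(pkt, rules=BASE_RULES):
    """Evaluate one packet against the rules alone, with no memory of past traffic."""
    for direction, proto, sport, dport, action in rules:
        if (pkt.direction == direction and pkt.proto == proto
                and sport in (None, pkt.src_port) and dport in (None, pkt.dst_port)):
            return action
    return "deny"


class StatefulFirewall:
    """Same rules, plus a connection table so replies to admitted flows pass."""

    def __init__(self, rules=BASE_RULES):
        self.rules = rules
        self.flows = set()   # 5-tuples of connections already admitted

    def filter(self, pkt):
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reply = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.flows or reply in self.flows:
            return "allow"            # belongs to a connection we already admitted
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"             # mid-connection packet with no known flow
        action = stateless_filter(pkt, self.rules)
        if action == "allow":
            self.flows.add(key)       # remember the new connection
        return action


# Constructed traffic: an inside host browses to an outside web server, the
# server replies, and an outsider forges a packet from source port 443.
OUTBOUND = Packet("out", "tcp", "10.0.0.7", 51000, "203.0.113.5", 443, syn=True)
REPLY = Packet("in", "tcp", "203.0.113.5", 443, "10.0.0.7", 51000)
FORGED = Packet("in", "tcp", "198.51.100.9", 443, "10.0.0.7", 51000)
```

With the base rules the stateless filter drops the genuine reply; with the source-port workaround it admits both the reply and the forged packet. The stateful firewall admits the reply because it remembers the outbound connection, and drops the forged packet because no such connection exists.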

DMZs:
A buffer against outside attacks is referred as a demilitarized zone (DMZ). The DMZ
is a no-man’s-land between the inside and outside networks.

It is also the place where some organizations place Web servers. These servers provide
access to organizational Web pages, without allowing Web requests to enter the
interior networks.

Proxy Servers:
An alternative to firewall subnets or DMZs is a proxy server, or proxy firewall.
• A proxy server performs actions on behalf of another system, so that outside
clients never connect to the true server directly.
• When deployed, a proxy server is configured to look like a Web server and is
assigned the domain name that is used to find the system and its services.
When an outside client requests a particular Web page, the proxy server
receives the request as if it were the subject of the request, then asks for the
same information from the true Web server (acting as a proxy for the requestor),
and then responds to the request.

Intrusion Detection and Prevention Systems (IDPSs)

To detect unauthorized activity within the inner network or on individual machines,
organizations can implement intrusion detection and prevention systems (IDPSs).

Two types of IDPS are available.

• Host-based IDPSs are usually installed on the machines they protect to monitor
the status of various files stored on those machines.
• Network-based IDPSs look at patterns of network traffic and attempt to detect
unusual activity based on previous baselines.
A hybrid IDPS can also be created by combining the above two types.


Security Education, Training, and Awareness Program (SETA)
Once an organization has defined its policies, selected an overall security model and
a detailed implementation blueprint, it is time to implement a security education,
training, and awareness (SETA) program.

The CISO is responsible for implementing SETA. It is a control measure
designed to reduce the incidence of accidental security breaches by employees.

Employee errors are among the top threats to information assets, so proper education
and training of employees is a worthwhile investment.

The SETA program consists of three elements: security education, security
training, and security awareness.

An organization may outsource SETA to local educational institutions if it is not
capable of, or willing to, undertake these activities itself.

The purpose of SETA is to enhance security by:

• Improving awareness of the need to protect system resources
• Developing skills and knowledge so computer users can perform their jobs more
securely
• Building in-depth knowledge, as needed, to design, implement, or operate
security programs for organizations and systems.
Security Education
• Everyone in an organization needs to be trained and aware of information
security, but not every member of the organization needs a formal degree or
certificate in information security
• When formal education in security is needed, an employee can identify
curriculum available from local institutions of higher learning or continuing
education
• A number of universities have formal coursework in information security
• (See, for example, http://infosec.kennesaw.edu)

Security Training
• Security training provides detailed information and hands-on instruction to
employees to perform their duties securely.
• Management of information security can develop customized in-house training
or outsource the training program.
• Alternatives to formal training programs are industry training conferences and
programs offered through professional agencies such as SANS (www.sans.org),
(ISC)² (www.isc2.org), ISSA (www.issa.org), and CSI (www.gocsi.com).

Security Awareness
• One of the least frequently implemented but most beneficial programs is the
security awareness program.
• Designed to keep information security at forefront of users’ minds
• Need not be complicated or expensive.


• Good programs can include newsletters, security posters, videos, bulletin
boards, flyers, and trinkets.
• Security slogans printed on mouse pads, coffee cups, T-shirts, pens, or any
object frequently used during the workday that reminds employees of security.
• The security newsletter is the most cost-effective method of disseminating
security information and news to the employee. Newsletters can be distributed
via hard copy, e-mail, or intranet.

If program is not actively implemented, employees begin to ‘tune out,’ and the risk
of employee accidents and failures increases.

Continuity strategies
Managers in the IT and information security communities are expected to provide
strategic planning to ensure the continuous availability of information systems.

Managers therefore require a contingency plan to fall back on when a successful attack
occurs, whether from inside or outside, intentional or accidental, human or nonhuman,
annoying or catastrophic.

A contingency plan is prepared by the organization to anticipate, react to, and
recover from events that threaten the security of information and information assets
in the organization, and to restore the organization to normal modes of business
operations after a successful attack.

Incident response, disaster recovery, and business continuity planning are the
components of the contingency plan.

Components of Contingency Planning

An incident is any clearly identified attack on the organization’s information assets
that would threaten the assets’ confidentiality, integrity, or availability.

An incident response (IR) plan addresses the identification, classification, response,
and recovery from an incident.

• The IR plan focuses on immediate response, but if the attack escalates or is
disastrous (e.g., fire, flood, earthquake, or total blackout) the process moves
on to disaster recovery and the BC plan.

A disaster recovery (DR) plan addresses the preparation for and recovery from a
disaster, whether natural or man-made.
• The DR plan typically focuses on restoring systems at the original site after
disasters occur, and as such is closely associated with the BC plan.
A business continuity (BC) plan ensures that critical business functions continue if
a catastrophic incident or disaster occurs.
• The BC plan occurs concurrently with the DR plan when the damage is
major or ongoing, requiring more than simple restoration of information and
information resources. The BC plan establishes critical business functions
at an alternate site.

The above figure shows a sample sequence of events and the overlap between when
each plan comes into play.

Disaster recovery activities typically continue even after the organization has resumed
operations at the original site.

To implement contingency planning, a contingency planning management team (CPMT)
is formed with a champion, a project manager and team members. This team then
assembles and begins work on the plan.
Champion - A high-level manager to support, promote, and endorse the findings of
the project.
Project Manager - Leads the project and makes sure a sound project planning
process is used, a complete and useful project plan is developed, and project
resources are prudently managed.
Team Members - Should be the managers or their representatives from the various
communities of interest: Business, IT, and Information Security.


The CPMT is responsible for the following tasks:

• Obtaining commitment and support from senior management
• Writing the contingency plan document
• Conducting the business impact analysis (BIA), which includes:
• Assisting in identifying and prioritizing threats and attacks
• Assisting in identifying and prioritizing business functions
• Organizing the subordinate teams, such as:
• Incident response
• Disaster recovery
• Business continuity
• Crisis management
The [CP] document expands the four elements above into a seven-step contingency
process that an organization may apply to develop and maintain a viable contingency
planning program for its IT systems. The seven progressive steps below are designed
to be integrated into each stage of the system development life cycle:

1. Develop the contingency planning policy statement: It guides the CPMT.
2. Conduct the BIA: The BIA helps to identify and prioritize critical IT systems and
components.
3. Identify preventive controls: to reduce the effects of system disruptions.
4. Develop recovery strategies: to recover the system quickly and effectively.
5. Develop an IT contingency plan: detailed guidance and procedures for restoring
a damaged system.
6. Plan testing, training, and exercises: to improve plan effectiveness and overall
preparedness.
7. Plan maintenance: The plan should be a living document that is updated
regularly to remain current with system enhancements

Major project work modules performed by the contingency planning project team are
shown in the below figure.

Major Steps in Contingency Planning


1. Business Impact Analysis (BIA)

It is first phase in the development of the contingency planning.

A BIA is an investigation and assessment of the impact that various attacks can have
on the organization.

It begins with the prioritized list of threats and vulnerabilities identified in the risk
management process and adds information about the criticality of the systems
involved and a detailed assessment of the threats and vulnerabilities to which they
are subject.

The BIA is a crucial component of the initial planning stages, as it provides detailed
scenarios of the potential impact each attack could have on the organization.

The BIA therefore helps to determine what the organization must do to respond to the
attack, minimize the damage from the attack, recover from the effects, and return to
normal operations.

The contingency planning team conducts the BIA in the following stages
1. Threat attack identification and prioritization
2. Business unit analysis
3. Attack success scenario development
4. Potential damage assessment
5. Subordinate plan classification

1. Threat attack identification and prioritization

• Organizations have to update the threat list with new developments and add
further information to the existing attack profiles.
• An attack profile is a detailed description of the activities that occur during an
attack.
• These profiles must be developed for every serious threat the organization faces,
natural or man-made, deliberate or accidental.
• The attack profile is useful in later planning stages to provide indicators of
attacks. It is used to determine the extent of damage that could result to a
business unit if a given attack were successful.
2. Business unit analysis
• It is the analysis and prioritization of the business functions within the
organization to determine which are most vital to continued operations.
• Each organizational unit must be evaluated to determine how important its
functions are to the organization.
• This is useful for recovering from an attack quickly.
• For example, recovering IT systems and networking elements takes priority over
restoring individual users' personal systems, and reinstating a manufacturing
company’s assembly line takes priority over its maintenance tracking system.
3. Attack success scenario development


• Once the threat attack profiles have been developed and the business functions
prioritized, the BIA team must create a series of scenarios depicting the impact
of a successful attack from each threat on each prioritized functional area.
• Attack profiles should include scenarios depicting a typical attack with details
on the method, the indicators, and the broad consequences of the attack.
4. Potential damage assessment
• The BIA planning team must estimate the cost of the best, worst, and most likely
cases for each attack success scenario.
• It identifies what must be done to recover from each possible case.
• Costs include the actions of the response team(s) as they act to recover quickly
and effectively from an incident or disaster; they do not include the cost of the
safeguards that protect the assets.
• The final result of the assessment is referred to as an attack scenario end case.
5. Subordinate plan classification
• Once the potential damage has been assessed, and each scenario and attack
scenario end case has been evaluated, a subordinate plan must be developed
or identified from among the plans already in place.
• These subordinate plans consider the identification of, reaction to, and recovery
from each attack scenario.

An attack scenario end case is categorized as disastrous or not disastrous. Most
attacks are not disastrous and therefore fall into the category of incident; they are
handled by the incident response plan. Disastrous cases are addressed in the disaster
recovery plan.

In a typical disaster recovery operation, the lives and welfare of the employees are
the most important priority during the attack, as most disasters are fires, floods,
hurricanes, and tornadoes. Note that some attacks that are not natural disasters
also fit this category:

• Electrical blackouts
• Attacks on service providers that result in a loss of communications to the
organization (either telephone or Internet)
• Massive malicious code attacks that sweep through an organization before
they can be contained.

The bottom line is that each scenario should be classified as a probable incident or
disaster, and then the corresponding actions required to respond to the scenario
should be built into either the IR or DR plan.

2. Incident Response Plan

Incident response planning includes identification, classification, and response to an
incident. It contains activities that are to be performed when an incident has been
identified.

The philosophical approach to incident response planning is to know:

What is an incident?
An incident is an attack against an information asset that poses a clear threat to
the confidentiality, integrity, or availability of information resources.


What is incident response?

Incident response (IR) is therefore the set of activities taken to plan for, detect, and
correct the impact of an incident on information assets.

IR consists of the following four phases:

1. Planning
2. Detection
3. Reaction
4. Recovery

Attacks are classified as incidents if they have the following characteristics:

• They are directed against information assets.
• They have a realistic chance of success.
• They could threaten the confidentiality, integrity, or availability of information
resources.
1. Incident Planning: The planning team can develop a series of predefined responses
that guide the organization’s incident response (IR) team and information security
staff.
• Predefined responses enable the organization to react quickly and effectively,
provided that the organization has an IR team and is able to detect the incident.
• The IR team consists of the individuals needed to handle the systems and
functional areas in which the incident takes place.
• Planners should develop guidelines for reacting to and recovering from the
incident.
Incident response plan
• Planner should develop a set of documents that direct the actions of each
involved individual who reacts to and recovers from the incident.
• These plans must be properly organized and stored to be available when and
where needed, and in a useful format.
Format and content
• Quick and easy access to required information.
• Create a directory of incidents with tabbed sections for each incident.
• To respond to an incident, the responder simply opens the respective
directory and follows the clearly outlined procedures for an assigned role.
• Planners must develop the detailed procedures necessary to respond to each
incident.
• Procedures that must include both the actions to take during the incident, as
well as the actions to take after the incident.
Storage
• Information in the IR plan is sensitive and should be protected.
• Information readily available to those who must respond to the incident.
Testing
• A plan untested is not a useful plan. “Train as you fight, and fight as you
train.”
• Procedures may be ineffective unless the plan has been practiced or tested.

Five testing strategies are:

1. Checklist: copies of the plan are distributed to each individual with a role in
the plan, who reviews it and checks off the components they are responsible for.
2. Structured walk-through: all involved individuals walk through the steps of the
plan together, discussing each.
3. Simulation: each involved individual works individually, simulating the
performance of each task without actually carrying it out.
4. Parallel test: individuals act as if an actual incident occurred, performing their
required tasks without interrupting normal operations.
5. Full interruption: the most realistic test; individuals follow each procedure,
including interruption of service and restoration from backups, reacting to the
mock incident as if it were real.

2. Incident Detection: The most common way an incident surfaces is as a complaint
to the technology support help desk.

• Complaints often include:
• the system is acting unusually
• programs are slow
• my computer is acting weird
• data is not available
• Careful training is needed to quickly identify and classify an incident.
• Once an attack is properly identified, the organization can respond.
Incident Indicators

The following four types of events are possible incident indicators:

• Presence of unfamiliar files
• Presence or execution of unknown programs or processes
• Unusual consumption of computing resources
• Unusual system crashes

The following four types of events are probable indicators of incidents:

• Activities at unexpected times
• Presence of new accounts
• Reported attacks
• Notification from IDPS

The following five types of events are definite indicators of incidents:

• Use of dormant accounts
• Changes to logs
• Presence of hacker tools
• Notifications by partner or peer
• Notification by hacker

There are also several other situations that are definite incident indicators.

1. Loss of availability: Information or information systems become unavailable.
2. Loss of integrity: Users report corrupt data files, garbage where data should
be, or data that just look wrong.
3. Loss of confidentiality: You are notified of sensitive information leaks, or that
information you thought was protected has been disclosed.
4. Violation of policy: Organizational policies addressing information or
information security have been violated.
5. Violation of law: The law has been broken, and the organization’s information
assets are involved.
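The indicators above are what an analyst looks for in logs. As an added example (not from the notes), the following Python applies four of them to a handful of constructed syslog-style lines and rates each finding as possible, probable or definite, using the three levels from the notes. Host names, user names, dates, the 90-day dormancy threshold and the 07:00-19:00 business-hours window are assumptions made for the example; indicators that come from people (reported attacks, partner or hacker notifications) or from tools found on disk cannot be derived from a log line and are left out.

```python
# Added example, not from the notes: indicator triage over constructed
# syslog-style lines. Covers new accounts and activity at unexpected times
# (probable) and dormant-account use and changes to logs (definite).
# Hosts, users, dates and thresholds are made up for the example.
import re
from datetime import date

LEVELS = {"possible": 1, "probable": 2, "definite": 3}

# Constructed "last successful login" table for the dormant-account check.
TODAY = date(2023, 3, 10)
DORMANT_DAYS = 90                      # assumption: unused >90 days = dormant
LAST_LOGIN = {"jdoe": date(2022, 11, 2), "alice": date(2023, 3, 9)}
BUSINESS_HOURS = range(7, 19)          # assumption: 07:00-18:59 is expected

TS = re.compile(r"^\w{3}\s+\d{1,2}\s+(\d{2}):\d{2}:\d{2}\s+(\S+)\s+(.*)$")
NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=([^,\s]+)")
LOGIN = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
LOG_TAMPER = re.compile(r"log file (\S+) (truncated|deleted|cleared)")

# Constructed sample log: an account is created and used at 02:00, a long-idle
# account logs in, the auth log is truncated, then a normal daytime login.
SAMPLE_LOG = """\
Mar 10 02:14:07 web01 useradd[4471]: new user: name=svc_backup2, UID=1003, GID=1003
Mar 10 02:15:22 web01 sshd[4490]: Accepted password for svc_backup2 from 198.51.100.23 port 51022 ssh2
Mar 10 02:16:01 web01 sshd[4502]: Accepted publickey for jdoe from 10.0.0.15 port 40110 ssh2
Mar 10 02:17:45 web01 auditd[611]: log file /var/log/auth.log truncated
Mar 10 09:30:12 web01 sshd[5100]: Accepted publickey for alice from 10.0.0.21 port 40500 ssh2
"""


def classify_line(line):
    """Return a list of (level, reason) findings for one log line; [] if none."""
    m = TS.match(line)
    if not m:
        return []
    hour, host, msg = int(m.group(1)), m.group(2), m.group(3)
    findings = []
    u = NEW_USER.search(msg)
    if u:
        findings.append(("probable", f"new account {u.group(1)} created on {host}"))
    u = LOGIN.search(msg)
    if u:
        user, src = u.group(1), u.group(2)
        last = LAST_LOGIN.get(user)
        if last is not None and (TODAY - last).days > DORMANT_DAYS:
            findings.append(("definite", f"dormant account {user} used from {src}"))
        if hour not in BUSINESS_HOURS:
            findings.append(("probable", f"{user} logged in at {hour:02d}h, outside business hours"))
    t = LOG_TAMPER.search(msg)
    if t:
        findings.append(("definite", f"{t.group(1)} {t.group(2)}: change to logs"))
    return findings


def triage(log_text):
    """Collect findings for every line and return them with the worst level seen."""
    findings = [f for line in log_text.splitlines() for f in classify_line(line)]
    worst = max((LEVELS[level] for level, _ in findings), default=0)
    names = {v: k for k, v in LEVELS.items()}
    return findings, names.get(worst, "none")
```

On the sample log, triage returns five findings, two of them definite (the dormant account and the truncated log), so the overall rating is "definite" and the IR plan should be invoked rather than waiting for the help desk complaint that usually comes first.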

3. Incident Reaction: Consists of actions that guide the organization to stop the
incident, mitigate its impact, and provide information for recovery from the incident.

Notification of key personnel

An alert roster is a document containing contact information for the people to be
notified in the event of an incident.

There are two types of alert rosters: sequential and hierarchical.

• A sequential roster is activated as a contact person calls each person on the
roster.
• A hierarchical roster is activated as the first person calls a few other people
on the roster, who in turn call a few other people.

The alert message is a scripted description of the incident; it contains enough
information for each individual to know what portion of the IR plan to implement.

Documentation of incident

• As soon as an incident or disaster has been declared, key personnel must be
notified and must start documenting events.
• It helps to learn what happened, how it happened, and what actions were
taken.
• The documentation records the who, what, when, where, why, and how of the
event.

Incident Containment Strategy: The first priority is to stop the incident or contain its
scope or impact.

• But “cutting the wire” is often not an option for an organization.

The strategy depends on the incident and on the amount of damage it causes or may
cause. To contain it, determine which information and information systems have been
affected and select the best containment strategy for those systems or networks.

The organization can stop the incident and attempt to recover through a number of
strategies:

• If the incident originates outside the organization, the straightforward approach is
to stop the affected communication circuits. But if the lifeblood of the
organization is running through that circuit, it cannot be stopped, so it is more
feasible to monitor the incident and contain it in another way.
• If the incident is using compromised accounts, disable them.
• If the incident is bypassing a firewall, reconfigure it to block that traffic.
• If the incident is using a particular service/process, disable it temporarily.

• If the incident is using the organization’s e-mail system to propagate itself,
the application or server that supports e-mail can be taken down.

The ultimate containment option, reserved for only the most drastic of scenarios,
involves a full stop of all computers and network devices in the organization.

Incident Recovery:
Once incident has been contained and control of systems regained, the next stage is
recovery.
• First task is to identify human resources needed
• Full extent of the damage must be assessed.
• Perform computer forensics to determine how the incident occurred and what
happened.
• Organization repairs vulnerabilities, addresses any shortcomings in
safeguards, and restores data and services of the systems

Damage Assessment:
Determination of the scope of the breach of the confidentiality, integrity, and
availability of information and information assets. It may take mere moments, or it
may take days or weeks, depending on the extent of the damage.

Computer forensics is the process of collecting, analysing, and preserving
computer-related evidence. Evidence is a physical object or documented information that
proves an action occurred or identifies the intent of a perpetrator.

Several sources of information can be used to determine the type, scope, and extent
of damage, including system logs, intrusion detection logs, configuration logs.

Recovery Once the extent of the damage has been determined, the recovery process
can begin in earnest. Full recovery from an incident requires that you perform the
following:

1. Identify the vulnerabilities that allowed the incident to occur and spread.
Resolve them.
2. Address the safeguards that failed to stop or limit the incident. Install, replace,
or upgrade them.
3. Evaluate monitoring capabilities (if present). Improve their detection and
reporting methods, or simply install new monitoring capabilities.
4. Restore the data from backups.
5. Restore the services and processes in use.
6. Continuously monitor the system.
7. Restore the confidence of the organization’s communities of interest

Before returning to routine duties, the IR team must conduct an after-action review
(AAR). The after-action review is a detailed examination of the events that occurred
from first detection to final recovery. All key players review their notes and verify that
the IR documentation is accurate and precise.

Backup Media

Data restoration depends on the backup management process. The most common types of
backup media include digital audio tape (DAT), quarter-inch cartridge drives (QIC),
8mm tape, and digital linear tape (DLT). Each type of tape has its restrictions and
advantages. Backups can also be performed to CD-ROM and DVD options (CD-R, CD-RW, and
DVD-RW), specialized drives (Zip, Jaz, and Bernoulli), or tape arrays.

Automated Response: New technologies are emerging in the field of incident
response, some of which build on existing technologies and extend their capabilities
and functions.

Although traditional systems were configured to detect incidents and then notify a
human administrator, new systems can respond to the incident threat autonomously,
based on preconfigured options.

3. Disaster Recovery Plan

An event can be categorized as a disaster when
(1) the organization is unable to mitigate the impact of an incident during the incident, or
(2) the level of damage or destruction is so severe that the organization is unable to
recover quickly.

The difference between an incident and a disaster is decided by the contingency
planning team.
• It may not be possible to make this distinction until an attack occurs. Often an
event that is initially classified as an incident is later determined to be a
disaster.
Disaster recovery (DR) planning is the process of preparing an organization to
handle and recover from a disaster, whether natural or man-made.
• The key emphasis of a DR plan is to reestablish operations at the location at
which the organization performs its business.
• The goal is to make things whole, or as they were before the disaster.

The Disaster Recovery Plan provides detailed guidance in the event of a disaster.
• It is organized by the type or nature of the disaster and specifies the recovery
procedures during and after each type of disaster.
• Priorities must be clearly established. The first priority is always the
preservation of human life.
• Roles and responsibilities must be clearly delineated. Every individual on the DR
team should be aware of his or her expected actions during a disaster.
• Someone must initiate the alert roster and notify key personnel. Those to be
notified may be the fire, police, or medical authorities mentioned earlier.
• Someone must be tasked with the documentation of the disaster.
• If and only if it is possible, attempts must be made to mitigate the impact of the
disaster on the operations of the organization.

Recovery Operations:

• Disaster recovery team should begin the restoration of systems and data to
reestablish full operational capability.

• If the organization’s facilities do not survive, alternative actions must be taken
until new facilities can be acquired.
• When a disaster threatens the viability of the organization at the primary site,
the disaster recovery process transitions into the process of business continuity
planning.

4. Business Continuity Plan

• Business continuity planning prepares an organization to reestablish critical
business operations during a disaster that affects operations at the primary
site.
• If the disaster makes the current location unusable, there must be a plan to
allow the business to continue at some other site.

Developing Continuity Programs: Once the incident response and disaster recovery
plans are in place, the organization needs to consider finding temporary facilities to
support the continued viability of the business in the event of a disaster.

• The development of the BC plan is somewhat simpler than that of the IR plan
or DR plan.
• It consists primarily of selecting a continuity strategy and integrating the offsite
data storage and recovery functions into this strategy.
• The first part of business continuity planning is performed when the joint
DR/BC plan is developed.

Continuity Strategies: There are a number of strategies from which an organization
can choose when planning for business continuity.

1. Hot Sites:
Hot site is a fully configured computer facility, with all services, communications
links, and physical plant operations including heating and air conditioning.

2. Warm Sites:
A warm site provides many of the same services and options of the hot site.
• Warm site frequently includes computing equipment and peripherals with
servers but not client workstations.
• Cost is low, requires hours to resume.
3. Cold Sites:
A cold site provides only rudimentary services and facilities. No computer hardware
or peripherals are provided. All communications services must be installed after the
site is occupied.
4. Time-shares: Leased site in conjunction with a business partner or sister
organization.
5. Service Bureaus: A service bureau is an agency that provides a service for a fee.
6. Mutual Agreements: A mutual agreement is a contract between two or more
organizations that specifies how each will assist the other in the event of a disaster.
7. Other Options:
• Rolling mobile site configured in the payload area of a tractor or trailer.
• Rental storage area containing duplicate or second-generation equipment to be
extracted in the event of an emergency

8. Offsite Disaster Data Storage:

Business continuity requires the organization’s data to be moved to the systems at
the new site. This can be done in the following ways:
• Electronic vaulting: The transfer of large batches of data to an offsite facility
is called electronic vaulting.
• Remote journaling: The transfer of live transactions to an offsite facility is called
remote journaling.
• Database shadowing: The duplication of the database, together with the live
transaction data, on a redundant server at the offsite facility.

Crisis Management:
The actions taken during and after a disaster are referred to as crisis management.
• It focuses first and foremost on the people involved.
• The disaster recovery team works closely with the crisis management team.
Responsibilities of crisis management team are:
• Supporting personnel and their loved ones during the crisis.
• Determining the event’s impact on normal business operations and, if
necessary, making a disaster declaration
• Keeping the public informed about the event and the actions being taken to
ensure the recovery of personnel and the enterprise
• Communicating with major customers, suppliers, partners, regulatory
agencies, industry organizations, the media, and other interested parties.

Some key areas of crisis management include the following:

• Verifying personnel head count
• Checking the alert roster
• Checking emergency information cards
Crisis management must balance the needs of the employees with the needs of the
business in providing personnel with support for personal and family issues during
disasters.
Security Technology
Introduction
Technical controls are essential to a well-planned information security program.
Networks and computer systems make millions of decisions every second and operate
in ways and at speeds that people cannot control in real time. Technical controls,
properly implemented, can improve an organization’s ability to balance security and
availability by preserving the information’s confidentiality and integrity.

Access Control
Access control is the method by which systems determine how to admit a user into a
trusted area of the organization like information systems, restricted areas such as
computer rooms, and the entire physical location.
• Access control is achieved by means of a combination of policies, programs,
and technologies.
• Access controls can be mandatory, nondiscretionary, or discretionary.

Mandatory access controls (MACs): MACs use data classification schemes. Each
information asset is assigned a classification and each user a clearance, and users and
data owners have only limited control over access. In a lattice-based MAC, the access
rights recorded for a particular object form an access control list (ACL).
Nondiscretionary controls: A strictly enforced version of MACs that are managed by
a central authority.

Dept. of CSE, MEC 2022-2023


o Role-based controls: tied to the role a user performs in an organization
o Task-based controls: tied to a particular assignment or responsibility
Discretionary access controls (DACs): implemented at the discretion or option of
the data user.

Access control approaches rely on the following mechanisms:

• Identification
• Authentication
• Authorization
• Accountability

Identification: Identification is a mechanism whereby an unverified entity that seeks
access to a resource shows a label by which it is known to the system.
• The unverified entity is called a supplicant; the label applied to it, by which the system
recognizes it, is called an identifier (ID).

Authentication: Authentication is the process of validating a supplicant’s identity.
There are three widely used authentication mechanisms, or authentication factors:
• Something a supplicant knows: for example, a password, passphrase, or other
unique authentication code, such as a personal identification number (PIN)
• Something a supplicant has: for example, dumb cards, ID cards, ATM cards, smart cards, or
tokens
• Something a supplicant is: for example, fingerprints, palm prints, hand topography or
geometry, retina or iris scans, or voice patterns
Authorization: Matching of an authenticated entity to a list of information assets and
corresponding access levels.

In general, authorization can be handled in one of three ways:
• Authorization for each authenticated user
• Authorization for members of a group
• Authorization across multiple systems
Authorization credentials (sometimes called authorization tickets) are issued by an
authenticator and are honored by many or all systems within the authentication
domain.

Accountability: Also known as auditability; it logs all actions on a system and
ensures that every action, authorized or unauthorized, is attributed to an
authenticated identity.

Firewalls

A firewall in an information security program is any device or system that prevents specific types of
information from moving between the outside world, known as the untrusted network
(for example, the Internet), and the inside world, known as the trusted network.

The firewall may be a separate computer system, a software service running on an
existing router or server, or a separate network containing several supporting devices.

Firewalls can be categorized by:

• Processing mode
• Generation
• Structure

Firewall Processing Modes

Firewalls fall into five major processing-mode categories:

• Packet-filtering firewalls,
• Application gateways,
• Circuit gateways,
• MAC layer firewalls, and
• Hybrids.

Packet Filtering Firewalls:

The packet-filtering firewall (filtering firewall) examines the header information of data
packets that come into a network.

In a TCP/IP-based network, a filtering firewall functions at the IP level and determines
whether to drop a packet (deny) or forward it to the next network connection (allow) based
on the rules programmed into the firewall.

It examines every incoming packet header and filters packets based on header
information such as destination address, source address, packet type, and other key
information.

Packet-filtering firewalls scan network data packets based on the rules of the
firewall’s database. If the device finds a packet that matches a restriction, it stops the
packet from traveling from one network to another.

The restrictions most commonly implemented in packet-filtering firewalls are based
on a combination of the following:
• IP source and destination address
• Direction (inbound or outbound)
• Protocol (for firewalls capable of examining the IP protocol layer)
• Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source
and destination port requests (for firewalls capable of examining the TCP/UDP
layer)

Simple firewall models examine two aspects of the packet header, the destination and
source address, and enforce rules designed to prohibit packets with certain addresses
or partial addresses.

Rule: any connection attempt made by an external computer or network device in the
192.168.x.x address range (192.168.0.0–192.168.255.255) is allowed.

There are three subsets of packet-filtering firewalls: static filtering, dynamic filtering,
and stateful inspection.

• Static filtering requires that the filtering rules governing how the firewall decides which
packets are allowed and which are denied be developed and installed in advance.
• Dynamic filtering allows the firewall to react to an emergent event and update
or create rules to deal with the event.
o While static filtering firewalls allow entire sets of one type of packet to
enter in response to authorized requests, the dynamic packet filtering
firewall allows only a particular packet with a particular source,
destination, and port address to enter through the firewall.
• Stateful inspection firewalls, or stateful firewalls, keep track of each network
connection between internal and external systems using a state table, which
tracks the state and context of each packet in the conversation by recording
which station sent what packet and when.

Application Gateways
The application gateway (also called an application-level firewall or application firewall) is installed
on a dedicated computer, separate from the filtering router, but is commonly used in
conjunction with a filtering router.

The application firewall is also known as a proxy server since it runs special software
that acts as a proxy for a service request.

Example of an application-level firewall (or proxy server) is a firewall that blocks all
requests for and responses to requests for Web pages and services from the internal
computers of an organization, and instead makes all such requests and responses go
to intermediate computers (or proxies) in the less protected areas of the organization’s
network.

Because application firewalls work at the application layer, they are typically restricted to a
single application (e.g., FTP, Telnet, HTTP, SMTP, or SNMP).

Circuit Gateways:
The circuit gateway firewall operates at the transport layer. Connections are
authorized based on addresses.

Circuit gateway firewalls do not usually look at traffic flowing between one network
and another, but they do prevent direct connections between one network and
another.

This is accomplished by creating tunnels connecting specific processes or systems on each
side of the firewall and allowing only authorized traffic in the tunnels.

MAC Layer Firewalls

MAC layer firewalls are designed to operate at the media access control sublayer of
the data link layer (Layer 2) of the OSI network model.

These firewalls are able to consider a specific host computer’s identity, as represented
by its MAC or network interface card (NIC) address, in their filtering decisions.

Hybrid Firewalls

Hybrid firewalls combine the elements of other types of firewalls, i.e.,
the elements of packet filtering and proxy services, or of packet filtering and circuit
gateways.

A hybrid firewall system may consist of two separate firewall devices; each is a
separate firewall system, but they are connected so that they work together.

Firewalls Categorized by Generation:

There are five generally recognized generations of firewalls:

First generation firewalls are static packet-filtering firewalls: They are simple
networking devices that filter packets according to their headers as the packets travel
to and from the organization’s networks.

Second generation firewalls are application-level firewalls or proxy servers: They
are dedicated systems that are separate from the filtering router and that provide
intermediate services for requestors.

Third generation firewalls are stateful inspection firewalls: They monitor network
connections between internal and external systems using state tables.

Fourth generation firewalls are also known as dynamic packet-filtering
firewalls: They allow only a particular packet with a particular source, destination, and
port address to enter.

Fifth generation firewalls include the kernel proxy: A specialized form that works
under Windows NT Executive, which is the kernel of Windows NT. This type of firewall
evaluates packets at multiple layers of the protocol stack, by checking security in the
kernel as data is passed up and down the stack.

Firewalls Categorized by Structure


Firewalls can also be categorized by the structures used to implement them. Most
commercial-grade firewalls are dedicated appliances. They are stand-alone units
running on fully customized computing platforms that provide both the physical
network connection and firmware programming necessary to perform their function.

• Commercial-Grade Firewall Appliances
o They are stand-alone, self-contained applications with a combination of
hardware and software.
o The firewall rule sets are stored in nonvolatile memory.
• Commercial-Grade Firewall Systems
o This firewall system consists of application software that is configured
for the firewall application and run on a general-purpose computer.
• Small Office/Home Office (SOHO) Firewall Appliances
o Small Office/Home Office users rely on broadband gateways or DSL/cable
modem routers to connect to the Internet.
o So, residential users must implement some form of firewall to prevent
loss, damage, or disclosure of personal information.
o To improve computer security, SOHO firewalls are needed.
• Residential-Grade Firewall Software
o One way to protect residential users’ computers is to install a software firewall
directly on the user’s system.
o Residential-grade software-based firewalls also provide antivirus or
intrusion detection capabilities, but they may not provide full protection.

Firewall Architectures

Each firewall device can be configured in a number of network connection
architectures.

The firewall configuration that works best for a particular organization depends on
three factors: the objectives of the network, the organization’s ability to develop and
implement the architectures, and the budget available for the function.

There are four common architectural implementations:

Packet-filtering Routers:
• Most organizations with Internet connection have a router serving as interface
to Internet.
• Many of these routers can be configured to reject packets that organization
does not allow into network.
• Drawbacks include a lack of auditing and strong authentication.

Screened Host Firewalls:
• Screened host firewalls combine the packet-filtering router with a dedicated
firewall called an application proxy server.
• The router prescreens packets to minimize the network traffic and load on the
internal proxy.
• The application proxy examines an application layer protocol, such as HTTP,
and performs the proxy services.
• The separate host is often referred to as a bastion host; since it can be a rich target
for external attacks, it should be very thoroughly secured.
• Since the bastion host stands as the sole defender on the network perimeter, it
is commonly referred to as the sacrificial host.

Dual-home Firewalls:

• In this firewall architecture, bastion host contains two NICs (network interface
cards) as in the bastion host configuration.
• One NIC is connected to the external network, and one is connected to the
internal network, providing an additional layer of protection.
• With two NICs, all traffic must physically go through the firewall to move
between the internal and external networks.
• Implementation of this architecture often makes use of NAT (Network Address
Translation).
• NAT is a method of mapping real, valid, external IP addresses to special ranges
of non-routable internal IP addresses.
• NAT prevents external attacks from reaching internal machines with addresses
in specified ranges.
• Dual-homed hosts can translate between many different protocols at their respective
data link layers.

Reserved Non-routable Address Ranges

Screened subnet Firewalls:

Screened subnet firewall is the dominant architecture used today. Screened subnet
firewall provides a DMZ.

The screened subnet firewall consists of two or more internal bastion hosts behind a packet-filtering
router, with each host protecting the trusted network.

Connections are routed as follows:
• Connections from the outside (untrusted network) are routed through an external filtering
router
• Connections from the outside (untrusted network) are routed into and out of a
routing firewall to a separate network segment known as the DMZ
• Connections into the trusted internal network are allowed only from the DMZ bastion host
servers
Screened subnet performs two functions:
• Protects DMZ systems and information from outside threats
• Protects the internal networks by limiting how external connections can gain
access to internal systems.

Another facet of DMZs: extranets. An extranet is a segment of the DMZ where
additional authentication and authorization controls are put into place to provide
services that are not available to the general public.

SOCKS Servers:
• It is another type of firewall implementation.
• SOCKS is the protocol for handling TCP traffic via a proxy server.
• The SOCKS system is a proprietary circuit-level proxy server that places special
SOCKS client-side agents on each workstation.
• It places the filtering requirements on the individual workstation
• A SOCKS system can require support and management resources beyond those
of traditional firewalls.

Selecting the Right Firewall

When selecting the best firewall for an organization, consider the following factors:

• Which firewall offers the right balance between protection and cost for the needs of the
organization?
• Which features are included in the base price, and which features are available at
extra cost?

• How easy is the firewall to set up and configure? How accessible are staff technicians who can
configure the firewall?
• Can the firewall adapt to the organization’s growing network?

The second most important issue is cost.

So, as with all security decisions, certain compromises may be necessary in order to
provide a viable solution under the budgetary constraints stipulated by management.

Configuring and Managing Firewalls

Once the firewall architecture and technology are selected, the organization must
provide the guidelines for configuration and management of the firewall(s).

Good policy and practice dictate that each firewall device must have its own set of
configuration rules for its activities.

For example:

• Packet-filtering firewall rules are made up of simple statements that identify
source and destination addresses and the type of requests a packet contains
based on the ports specified in the packet.

Configuration of firewall policies is usually a complex and difficult task, because
finding a syntax error is easy, whereas finding a logic error (denying a needed packet, specifying the
wrong port, or using the wrong switch) is hard.

Configuring firewall policies is both an art and a science. Each configuration rule
must be carefully crafted, debugged, tested, and placed into the ACL in proper
sequence.

The most important thing to remember is "when security rules conflict with the
performance of business, security often loses".

Best Practices for Firewalls

Some of the best practices for firewall usage:

• All traffic from the trusted network is allowed out. This allows members of the
organization to access the services they need.
• The firewall device is never directly accessible from the public network for
configuration or management purposes. Only authorized firewall
administrators access the device, through a secure authentication mechanism.
• Simple Mail Transport Protocol (SMTP) data is allowed to enter through the
firewall.
• All Internet Control Message Protocol (ICMP) data should be denied. ICMP is a
common method for hackers to exploit.
• Telnet (terminal emulation) access to all internal servers from the public
networks should be blocked.
• HTTP traffic should be blocked from internal networks through the use of some
form of proxy access or DMZ architecture.

o When users run Web servers for internal use on their desktops, the services are invisible
to the outside Internet. If the Web server is behind the firewall, allow
HTTP or HTTPS connections.
• All data that is not verifiably authentic should be denied.

Firewall Rules

Firewalls operate by examining a data packet and performing a comparison with some
predetermined logical rules.

• The logic is based on a set of guidelines programmed in by a firewall
administrator or created dynamically based on outgoing requests for
information.
• This logical set is commonly referred to as firewall rules, the rule base, or firewall
logic.
• Most firewalls use packet header information to determine whether a specific
packet should be allowed or denied.

It is important to note that separate rule lists are created for each interface on a
firewall.

Example: for dual-homed hosts, some of the rules are designed for inbound traffic,
from the untrusted to the trusted side of the firewall, and some are designed for
outbound traffic, from the trusted to the untrusted side.

A firewall can process information beyond the IP level (TCP/UDP) and thus can examine
source and destination port addresses. Some firewalls can filter packets by protocol
name as opposed to protocol port number.

The system (or well-known) ports are those from 0 through 1023, user (or registered)
ports are those from 1024 through 49151, and dynamic (or private) ports are those
from 49152 through 65535.

Rule Set 1: Responses to internal requests are allowed. In most firewall
implementations, it is desirable to allow a response to an internal request for
information.

Rule Set 2: The firewall device is never accessible directly from the public network. If
attackers can directly access the firewall, they may be able to modify or delete rules
and allow unwanted traffic through.

Rule Set 3: All traffic from the trusted network is allowed out. As a general rule it is
wise not to restrict outbound traffic, unless separate routers and firewalls are
configured to handle it, to avoid overloading the firewall.

Rule Set 4: The rule set for the SMTP data. Packets governed by this rule are allowed
to pass through the firewall but are all routed to a well-configured SMTP gateway.

Rule Set 5: All Internet Control Message Protocol (ICMP) data should be denied. Pings,
formally known as ICMP Echo requests, are used by internal systems administrators
to ensure that clients and servers can communicate. ICMP uses port 7 to request a
response to a query (e.g., “Are you there?”) and can be the first indicator of a malicious
attack.

Rule Set 6: Telnet (terminal emulation) access to all internal servers from the public
networks should be blocked.

Rule Set 7: When Web services are offered outside the firewall, HTTP traffic (and
HTTPS traffic) should be blocked from the internal networks via the use of some form
of proxy access or DMZ architecture.

Rule Set 8: The cleanup rule. As a general practice in firewall rule construction, if a
request for a service is not explicitly allowed by policy, that request should be denied
by a rule.
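As an added example that is not part of these notes, the following Python sketch encodes Rule Sets 1 through 8 above as a first-match rule base, with a state table behind Rule Set 1 and the cleanup rule last, and classifies ports by the three ranges quoted earlier. The trusted network, the firewall's public address, the SMTP gateway and the proxy host are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Set, Tuple

# Constructed addresses for the example; none come from the notes.
TRUSTED_NET = ip_network("10.10.0.0/16")   # the trusted (internal) network
FIREWALL_IP = ip_address("203.0.113.1")    # firewall's public-facing interface
SMTP_GATEWAY = ip_address("10.10.1.25")    # the "well-configured SMTP gateway"
WEB_PROXY = ip_address("10.10.1.80")       # proxy / DMZ host that fronts HTTP(S)
TELNET, SMTP, HTTP, HTTPS = 23, 25, 80, 443


def port_class(port: int) -> str:
    """Name the IANA range a port falls in, as quoted in the notes."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic"
    raise ValueError(f"invalid port {port}")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


# A state-table entry: (internal ip, internal port, external ip, external port, proto)
Flow = Tuple[str, int, str, int, str]


class Firewall:
    """First-match rule base in the order of the notes' Rule Sets 1-8.

    Rule Set 1 is what makes this stateful: an allowed outbound packet is
    recorded in the state table, and only a reply to a recorded flow matches.
    Because Rule Set 3 precedes Rule Set 5, outbound ICMP is allowed while
    unsolicited inbound ICMP is denied; swapping their order would block pings
    both ways, which is why sequence in the ACL matters.
    """

    def __init__(self) -> None:
        self.state: Set[Flow] = set()
        self.rules: List[Tuple[str, str, Callable[[Packet], bool]]] = [
            ("1 response to internal request", "allow", self._is_reply),
            ("2 firewall not reachable from public", "deny",
             lambda p: ip_address(p.dst) == FIREWALL_IP and not self._inside(p.src)),
            ("3 trusted network allowed out", "allow",
             lambda p: self._inside(p.src) and not self._inside(p.dst)),
            ("4 SMTP only to the SMTP gateway", "allow",
             lambda p: p.proto == "tcp" and p.dport == SMTP
             and ip_address(p.dst) == SMTP_GATEWAY),
            ("5 deny all ICMP", "deny", lambda p: p.proto == "icmp"),
            ("6 no Telnet from public", "deny",
             lambda p: p.proto == "tcp" and p.dport == TELNET),
            ("7 HTTP/HTTPS only via proxy or DMZ", "allow",
             lambda p: p.proto == "tcp" and p.dport in (HTTP, HTTPS)
             and ip_address(p.dst) == WEB_PROXY),
            ("8 cleanup", "deny", lambda p: True),
        ]

    @staticmethod
    def _inside(addr: str) -> bool:
        return ip_address(addr) in TRUSTED_NET

    def _is_reply(self, p: Packet) -> bool:
        # A reply reverses the (internal, external) tuple recorded on the way out.
        return (p.dst, p.dport, p.src, p.sport, p.proto) in self.state

    def filter(self, p: Packet) -> Tuple[str, str]:
        """Return (action, rule name) for the first rule that matches."""
        for name, action, match in self.rules:
            if not match(p):
                continue
            if action == "allow" and self._inside(p.src) and not self._inside(p.dst):
                # Remember the outbound flow so Rule Set 1 can admit its reply.
                self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return action, name
        return "deny", "8 cleanup"   # not reached: the cleanup rule always matches
```

Feeding the same inbound packet before and after the matching outbound request shows the difference between a cleanup-rule denial and a Rule Set 1 allow.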

External Firewall Rules

Internal Firewall Rules

Content Filters

• A utility that can help protect an organization’s systems from misuse and
unintentional denial-of-service problems is the content filter.
• A content filter is a software filter that allows administrators to restrict access
to content from within a network.
• It is essentially a set of scripts or programs that restricts user access to certain
networking protocols and Internet locations.
• Primary focus is to restrict internal access to external material.
• Content filter has two components: rating and filtering.
• The rating is like a set of firewall rules for Web sites and is common in
residential content filters.

• The filtering is a method used to restrict specific access requests to the
identified resources, which may be Web sites, servers, or whatever resources
the content filter administrator configures.
• The first content filters were systems designed to restrict access to specific Web
sites and were stand-alone software applications.
• The most common content filters restrict users from accessing Web sites with
obvious non-business related material, such as pornography, or deny incoming
spam e-mail.

Protecting Remote Connections

Employees working from home, contract workers hired for specific assignments, and
other workers who are traveling seek to connect to an organization’s network(s), which
requires secured remote connectivity.
• In the past, remote connections were provided using dial-up services like
Remote Authentication Service (RAS).
Remote Access:
• Remote access is provided using dial-up or leased-line connections.
• Unsecured dial-up connection points represent a substantial exposure to
attack.
• An attacker can use a device called a war dialer to locate connection points.
• War dialer: an automatic phone-dialing program that dials every number in a
configured range and records the number if a modem picks up.
• To protect dial-up connections, simple username and password schemes are
used for authentication.
• Some technologies (RADIUS systems, TACACS, and CHAP password systems) have
improved the authentication process.

RADIUS, TACACS, and Diameter

RADIUS and TACACS are systems that authenticate the credentials of users who are
trying to access an organization’s network via a dial-up connection.

The Remote Authentication Dial-In User Service (RADIUS) system centralizes the
management of user authentication by using a central RADIUS server.

The Diameter protocol: It is an alternative authentication mechanism derived from
RADIUS.

It defines the minimum requirements for a system that provides authentication,
authorization, and accounting (AAA) services.

The Terminal Access Controller Access Control System (TACACS) is another
remote access authorization system that is based on a client/server configuration.

It contains a centralized database, and it validates the user’s credentials at the TACACS
server. There are three versions of TACACS: TACACS, Extended TACACS, and
TACACS+.

Securing Authentication with Kerberos and SESAME

Kerberos and SESAME provide secure third-party authentication.

Kerberos:

• Named after the three-headed dog of Greek mythology that guards the gates to
the underworld.
• It uses symmetric key encryption to validate an individual user to various
network resources.
• It keeps a database containing the private keys of clients and servers.
• Kerberos also generates temporary session keys, which are used to encrypt all
communications between these two parties.
• It consists of three interacting services:
o Authentication server (AS): A server that authenticates clients and servers.
o Key Distribution Center (KDC): Generates and issues session keys.
o Kerberos ticket granting service (TGS): Provides tickets to clients who request
services.

Kerberos is based on the following principles:

• The KDC knows the secret keys of all clients and servers on the network.
• The KDC initially exchanges information with the client and server by using
these secret keys.
• Kerberos authenticates a client to a requested service on a server through TGS
and by issuing temporary session keys for communications between the client
and KDC, the server and KDC, and the client and server.
• Communications then take place between the client and server using these
temporary session keys.

Kerberos may be obtained free of charge from MIT at http://web.mit.edu/Kerberos/

Some fundamental problems with Kerberos are:

• In a denial-of-service attack on Kerberos, no client can request services.
• If the Kerberos server is compromised, the privacy of users is lost.

SESAME:

Secure European System for Applications in a Multivendor Environment (SESAME) is
similar to Kerberos.

• The user is first authenticated to an authentication server and receives a token.
• The token is sent to a privilege attribute server as proof of identity to gain a privilege
attribute certificate.
• It uses public key encryption to distribute secret keys.
• It adds additional and more sophisticated access control features.
• It offers more scalable encryption systems.
• It offers improved manageability and auditing features, and an option is available for delegation of
responsibility for allowing access.

Virtual Private Networks (VPNs)

Virtual private networks are implementations of cryptographic technology.

A virtual private network (VPN) is a private and secure network connection between
systems that uses the data communication capability of an unsecured and public
network.

• A VPN securely extends an organization’s internal network connections to remote
locations beyond the trusted network.

The Virtual Private Network Consortium (VPNC) (www.vpnc.org) defines a VPN as “a
private data network that makes use of the public telecommunication infrastructure,
maintaining privacy with a tunneling protocol and security procedures.”

Three VPN technologies are defined:

• Trusted VPN: the organization must trust the service provider
• Secure VPN: uses security protocols and encrypted traffic
• Hybrid VPN: combines trusted and secure VPNs

A VPN must accomplish:

• Encapsulation of incoming and outgoing data
• Encryption of incoming and outgoing data
• Authentication of the remote computer and the remote user as well

A VPN allows a user to turn the Internet into a private network.

Transport Mode

In transport mode, the data within the IP packet is encrypted, but not the header
information.

• This allows a user to establish a secure link directly with a remote host, encrypting only
the data contents of the packet.

Two popular uses:

• End-to-end transport of encrypted data
o Two end users can communicate directly, encrypting and decrypting
their communications as needed.
o Each machine acts as the end-node VPN server and client.
• A remote access worker connects to the office network over the Internet by connecting
to a VPN server on the perimeter.
o This allows the teleworker’s system to work as if it were part of the local
area network.

This is especially useful for traveling or telecommuting employees.

Drawbacks are:

• The downside to this implementation is that packet eavesdroppers can still
identify the destination system.

Tunnel Mode
The organization establishes two perimeter tunnel servers that encrypt all traffic.

• In tunnel mode, the entire client packet is encrypted and added as the data
portion of a packet addressed from one tunneling server to another.

• These servers act as encryption points, encrypting all traffic that will traverse the
unsecured network.

• The receiving server decrypts the packet and sends it to the final address.

• The primary benefit of this model is that an intercepted packet reveals nothing
about the true destination system.

• Example of a tunnel mode VPN: Microsoft’s Internet Security and Acceleration
(ISA) Server.
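As an added example (not from these notes), the following Python simulation contrasts what a passive eavesdropper on the public network can read under transport mode and under tunnel mode. The addresses, the session key and the XOR keystream stand-in for a real VPN cipher are all constructed for the demonstration.

```python
import hashlib
import json

# Constructed addresses for the example; none come from the notes.
TELEWORKER = "198.51.100.23"   # remote employee's public address
INTERNAL_HOST = "10.10.4.15"   # internal server the employee is reaching
TUNNEL_A = "203.0.113.1"       # perimeter tunnel server on the employee's side
TUNNEL_B = "203.0.113.2"       # perimeter tunnel server at the office
SESSION_KEY = b"constructed-demo-session-key"   # a real VPN negotiates this


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for a real VPN cipher: XOR with a SHA-256 counter keystream.

    Demo only: it is unauthenticated and reuses the keystream per packet,
    so it must never be used for real traffic.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


toy_decrypt = toy_encrypt   # XOR with the same keystream undoes itself


def make_packet(src: str, dst: str, payload: bytes) -> dict:
    """A minimal IP packet: header fields plus a data portion."""
    return {"src": src, "dst": dst, "payload": payload}


def transport_mode(inner: dict, key: bytes) -> dict:
    """Transport mode: only the data portion is encrypted; the IP header
    (including the true destination) travels in the clear."""
    return make_packet(inner["src"], inner["dst"], toy_encrypt(key, inner["payload"]))


def tunnel_mode(inner: dict, key: bytes, server_from: str, server_to: str) -> dict:
    """Tunnel mode: the entire client packet is encrypted and becomes the data
    portion of a new packet addressed from one tunnel server to the other."""
    wire = json.dumps({**inner, "payload": inner["payload"].hex()}).encode()
    return make_packet(server_from, server_to, toy_encrypt(key, wire))


def tunnel_exit(outer: dict, key: bytes) -> dict:
    """The receiving tunnel server decrypts and forwards the original packet."""
    inner = json.loads(toy_decrypt(key, outer["payload"]))
    inner["payload"] = bytes.fromhex(inner["payload"])
    return inner


def eavesdrop(on_wire: dict) -> dict:
    """What a passive observer on the unsecured network can read: the header
    as sent, and whether the data portion is still recognisable plaintext."""
    return {
        "src": on_wire["src"],
        "dst": on_wire["dst"],
        "payload_readable": on_wire["payload"].startswith(b"GET "),
    }
```

In transport mode the observer still learns the internal host's address from the header; in tunnel mode the header names only the two tunnel servers, which is the property the text attributes to each mode.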
