11-Mod 3 Information Security Management-13!08!2024

CSE 3501: Information Security Analysis and Audit
Module 3: Information Security Management
Backup of Security Devices - Overview
• Backup is the activity of copying files or databases so that they will be preserved in case of equipment failure or other catastrophe.
• Backup is usually a routine part of the operation of large businesses with mainframes as well as the administrators of smaller business computers.
• For personal computer users, backup is also necessary but often neglected.
• The retrieval of files you backed up is called restoring them (RESTORE).
BACKUP
• Hardware and software failures can take many forms and may occur over time, so multiple generations of institutional data backups need to be maintained.
• A backup is an additional copy of data that can be used for restore and recovery purposes.
• This backup copy can be created by:
  - Simply copying data (there can be one or more copies)
  - Mirroring data (the copy is always updated with whatever is written to the primary)
WHY BACKUP?
• Data Loss Prevention
• Protection Against Cyber Threats
• Disaster Recovery
• Business Continuity
• Facilitating System Upgrades
Storage Media
BACKUP DEVICES/SERVICES
• External Hard Drives
• Network-Attached Storage (NAS)
• USB Flash Drives
• Solid-State Drives (SSDs)
• Cloud Storage
• Optical Discs (CDs, DVDs, Blu-rays)
• Memory Cards (SD, microSD)
• Online Backup Services
• Off-site Storage
Basic Types
• Full Backups (full and complete backup of the entire system)
• Differential Backups
• Incremental Backups
• Mirror Backups
Full Backups
Advantages
• Restores are fast and easy to manage as the entire list of files and folders is in one backup set.
• Easy to maintain and restore different versions.
Disadvantages
• Backups can take very long as each file is backed up again every time the full backup is run.
• Consumes the most storage space compared to incremental and differential backups.
• The exact same files are stored repeatedly, resulting in inefficient use of storage.
Incremental backup
• Incremental backup is a backup of all changes made since the
last backup.
• With incremental backups, one full backup is done first and
subsequent backup runs are just the changed files and new
files added since the last backup.
DIFFERENTIAL BACKUP
• Differential backups fall in the middle between full backups and incremental backups.
• A differential backup is a backup of all changes made since the last full backup.
• With differential backups, one full backup is done first and subsequent backup runs are the changes made since the last full backup.
Example Scenario
• Monday: Perform a full backup of your system.
• Tuesday: Perform a differential backup. It will back up all changes made since Monday.
• Wednesday: Perform another differential backup. It will back up all changes made since Monday, including those backed up on Tuesday.
• Thursday: If you need to restore your system, you would use Monday's full backup and Thursday's differential backup to restore all data up to Thursday.
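The scenario above carried through as an added example (not from the slides): a small Python simulation of full, incremental and differential chains over constructed daily snapshots, showing which sets a Thursday restore depends on and how much each strategy stores. The snapshot contents are assumed sample data.

```python
# Added example (not from the slides): simulate full, incremental and differential
# backups on the Monday..Thursday scenario above. The daily filesystem snapshots are
# constructed sample data; deletions are not modelled, as in the slides' description.
from dataclasses import dataclass

@dataclass
class BackupSet:
    day: str
    kind: str      # "full", "incremental" or "differential"
    files: dict    # path -> content captured in this set

def changed_since(base: dict, now: dict) -> dict:
    """Files that are new or modified in `now` relative to `base`."""
    return {path: data for path, data in now.items() if base.get(path) != data}

def build_chain(snapshots: list, strategy: str) -> list:
    """The first snapshot is always a full backup; later ones follow `strategy`."""
    chain, full_state, last_state = [], {}, {}
    for day, state in snapshots:
        if not chain:
            chain.append(BackupSet(day, "full", dict(state)))
            full_state = dict(state)
        elif strategy == "incremental":   # changes since the previous backup run
            chain.append(BackupSet(day, "incremental", changed_since(last_state, state)))
        elif strategy == "differential":  # changes since the last full backup
            chain.append(BackupSet(day, "differential", changed_since(full_state, state)))
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        last_state = dict(state)
    return chain

def sets_needed_for_restore(chain: list, day: str) -> list:
    """Backup sets that must all be intact to bring back the state of `day`."""
    upto = chain[:[b.day for b in chain].index(day) + 1]
    if upto[-1].kind == "differential":
        return [upto[0], upto[-1]]   # last full + newest differential only
    return upto                       # full + every incremental, oldest first

def restore(chain: list, day: str) -> dict:
    """Replay the needed sets in order; later sets overwrite earlier copies."""
    state = {}
    for backup in sets_needed_for_restore(chain, day):
        state.update(backup.files)
    return state

def storage_used(chain: list) -> int:
    """Total bytes held across all sets (the slides' storage-space trade-off)."""
    return sum(len(data) for backup in chain for data in backup.files.values())

# Constructed snapshots: b changes Tue; a changes and c appears Wed; c changes Thu.
SNAPSHOTS = [
    ("Mon", {"a.txt": "aaaa", "b.txt": "bbbb"}),
    ("Tue", {"a.txt": "aaaa", "b.txt": "bbb2"}),
    ("Wed", {"a.txt": "aaa3", "b.txt": "bbb2", "c.txt": "cc"}),
    ("Thu", {"a.txt": "aaa3", "b.txt": "bbb2", "c.txt": "cc3"}),
]

if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        chain = build_chain(SNAPSHOTS, strategy)
        needed = [b.day for b in sets_needed_for_restore(chain, "Thu")]
        print(f"{strategy:12} restore Thu needs {needed}; stores {storage_used(chain)} bytes")
```

The incremental chain stores less but a Thursday restore needs all four sets intact, whereas the differential chain needs only Monday's full set and Thursday's set.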
Comparison
Mirror backups
• Mirror backups are, as the name suggests, a mirror of the source being backed up.
• With mirror backups, when a file in the source is deleted, that file is eventually also deleted in the mirror backup.
• Because of this, mirror backups should be used with caution: a file that is deleted by accident, sabotage or through a virus may cause that same file in the mirror to be deleted as well. Some do not consider a mirror to be a backup.
• Many online backup services offer a mirror backup with a 30-day delete. This means that when you delete a file on your source, that file is kept on the storage server for at least 30 days before it is eventually deleted.
Backup Procedures
• The 3-2-1 Rule
• The simplest way to remember how to back up your images safely is to use the 3-2-1 rule.
• Keep 3 copies of any important file (a primary and two backups).
• Keep files on 2 different media types (such as hard drive and optical media), to protect against different types of hazards.
• 1 copy should be stored offsite (or at least offline).
Data backup procedures
• Frequency
• Data backup Retention
• Testing
• Media Replacement
• Recovery Time
• Roles and responsibilities
BACKUP ARCHITECTURE AND PROCESS
Policy – Procedure – Standard - Guidelines
• Policies are high-level guidelines that define the culture of an organization by shaping decisions and providing a framework for daily activities.
• Procedures, on the other hand, enumerate lower-level processes and provide steps your employees need to take to adhere to your policies or complete a process.
• Policies act as a statement of intent, while Standards function as rules to achieve that intent.
• Guidelines are general, non-mandatory recommendations.
(Figure: Policies – Standards – Practices)
Information Security Policies
• Security policies are the foundation of your security infrastructure.
• A security policy is a document or set of documents that describes, at a high level, the security controls that will be implemented by the company.
• Without them, you cannot protect your company from possible lawsuits, lost revenue and bad publicity, not to mention basic security attacks.
Important Points on Policy
• Reduce or eliminate legal liability to employees and third parties.
• Protect confidential, proprietary information from theft, misuse, unauthorized disclosure or modification.
• Prevent waste of company computing resources.
Basic security policies
• Technical security policies: these include how technology should be configured and used.
• Administrative security policies: these include how people (both end users and management) should behave and respond to security.
Basic rules to follow when shaping policy
– Never conflict with law
– Stand up in court
– Properly supported and administered
– Contribute to the success of the organization
– Involve end users of information systems
Guidelines for Effective Policy
• Developed using industry-accepted practices
• Distributed using all appropriate methods
• Reviewed or read by all employees
• Understood by all employees
• Formally agreed to by act or assertion
• Uniformly applied and enforced
Policy Content
• A security policy should be no longer than absolutely necessary.
• A security policy should be written in “plain English.”
• Clarity must be a priority in security policies so that a policy isn’t misunderstood during a crisis or otherwise misapplied, which could lead to a critical vulnerability.
• A security policy must be consistent with applicable laws and regulations.
• A security policy should be reasonable & enforceable.
Key Elements of Security Policy
• Overview – background information on what issue the policy addresses.
• Purpose – why the policy is created.
• Scope – what areas this policy covers.
• Targeted audience – whom the policy is applicable to.
• Policy – a detailed description of the policy.
• Definitions – a brief introduction to the technical jargon used in the policy.
• Version – number to control the changes made to the document.
Security Policy
• Encryption mechanisms
• Access control devices
• Authentication systems
• Firewalls
• Anti-virus systems
• Websites
• Gateways
• Routers and switches
• Necessity of a security policy
https://purplesec.us/resources/cyber-security-policy-templates/#CleanDesk
Security Policy
Acceptable Usage Policy
• Acceptable Usage Policy (AUP) is the policy that one should adhere to while accessing the network.
• Some of the assets that this policy covers are mobile, wireless, desktop, laptop and tablet computers, email, servers, internet etc.
• For each asset, we need to look at how we can protect it, manage it, who is authorised to use and administer the asset, accepted methods of communication on these assets etc.
Country’s laws
• Once a reasonable security policy has been developed, an engineer has to look at the country’s laws, which should be incorporated in security policies:
• The PCI Data Security Standard (PCI DSS)
• The Health Insurance Portability and Accountability Act (HIPAA)
• The Sarbanes-Oxley Act (SOX)
• The ISO family of security standards
• The Gramm-Leach-Bliley Act (GLBA)
Developing Information Security Policy
• Investigation Phase
• Analysis Phase
• Design Phase
• Implementation Phase
• Maintenance Phase
Investigation Phase
• Support from senior management
• Support and active involvement of IT
management
• Clear articulation of goals
• Participation by the affected communities of
interest
• Detailed outline of the scope of the policy
development project
Analysis Phase
• The analysis phase should produce the
following:
– A new or recent risk assessment or IT audit
documenting the information security needs of
the organization.
– Gathering of key reference materials – including
any existing policies
Design Phase
• Users or organization members acknowledge
they have received and read the policy
– Signature and date on a form
– Banner screen with a warning
Implementation Phase
• Policy development team writes policies
• Resources:
– The Web
– Government sites such as NIST
– Professional literature
– Peer networks
– Professional consultants
Maintenance Phase
• Policy development team responsible for
monitoring, maintaining, and modifying the
policy.
Policy Distribution
• Hand policy to employees
• Post policy on a public bulletin board
• E-mail
• Intranet
• Document management system
Policy Comprehension
• Language
– At a reasonable reading level
– With minimal technical jargon and management
terminology
• Understanding of issues
– Quizzes
Policy Compliance
• Policies must be agreed to by act or
affirmation
• Corporations incorporate policy confirmation
statements into employment contracts,
annual evaluations.
Bull’s Eye Model
• Framework used to describe the different
levels of policy in an information security
program.
• It provides a visual representation of the
layers of policies that organizations should
have in place to protect their information
assets.
• Structured approach to designing, analyzing,
and implementing security measures within
an organization.
Bull’s Eye Model
• By focusing on the policy layer first, organizations can ensure that all subsequent layers are aligned with a coherent set of rules and procedures.
• The network layer secures the data flowing between systems and applications, protecting the organization’s broader infrastructure.
• The systems layer ensures that each individual system within the network is protected against vulnerabilities and threats.
• The applications layer, although on the outermost edge, must also be secured to protect against external threats and misuse by users.
VigilEnt Policy Center
• Automated Tool- a centralized policy approval
and implementation center
– Manage the approval process
– Reduces need to distribute paper copies
– Manage policy acknowledgement forms
VigilEnt Policy Center Architecture
Persons responsible for the implementation
• Director of Information Security
• Chief Security Officer
• Director of Information Technology
• Chief Information Officer
Security Policy Implementation
• Once a policy has been created, perhaps the hardest part of the process is rolling it out to the organization.
• This step must be well planned and undertaken thoughtfully.
• First and most importantly, a security policy must be backed by the company’s senior management team.
• Without their support, the cooperation needed across departments will likely doom the implementation.
• Department heads must be involved, and specifically, Human Resources and Legal Services must play an integral part.
• If the position doesn’t already exist, an Information Security Officer or IT Security Program Manager should be designated at your company who is responsible for implementing and managing the security policy.
Security Policy Implementation
• Remember that your security policy must be officially adopted as company policy.
• It should be signed and recorded in the same way your company makes any major decision, including full senior management approval.
• Make sure that the tools are in place to conform to the policy. For example, if the policy specifies that a certain network be monitored, make sure that monitoring capabilities exist on that network segment.
• If a policy specifies that visitors must agree to the Acceptable Use Policy before using the network, make sure that there is a process in place to provide visitors with the Acceptable Use Policy.
Security Policy Implementation
• You will need to carefully consider the necessary security processes and procedures after you have your policy finished.
• For example, the Backup Policy may detail the schedules for backups and off-site rotation of backup media; however, it won’t say exactly how these tasks are to be accomplished.
• Additionally, certain procedures must be created to support the policies. For example, how should your users respond if they suspect a security incident? How will you notify your users if they are noncompliant with a specific policy?
• User education is critical to a successful security policy implementation.
• A training session should be held to go over the policies that will impact users as well as provide basic information security awareness training.
• Coordinate with HR.
Review the security policy
• Create a process so that the policy is periodically reviewed by the appropriate persons.
• This should occur both at certain intervals (e.g. once per year) and when certain business changes occur (e.g. the company opens in a new location).
• When changes need to be made, be sure to update the revision history section of the document to differentiate the new document from past versions, and distribute any modified user-level policies to your users.
• Clearly communicate the policy changes to any affected parties.
Policy Management
• Policy administrator
• Review schedule
• Review procedures and practices
• Policy and revision dates
Policy Administrator
• Policy administrator
– Champion
– Mid-level staff member
– Solicits input from business and information
security communities
– Makes sure policy document and subsequent
revisions are distributed
Review Schedule
• Periodically reviewed for currency and
accuracy, and modified to keep current
– Organized schedule of review
– Reviewed at least annually
– Solicit input from representatives of all affected
parties, management, and staff
Review Procedures and Practices
• Easy submission of recommendations
• All comments examined
• Management approved changes implemented
Policy and Revision Date
• Often published without a date
– Legal issue – are employees “complying” with an out-of-date policy?
• Should include date of origin and revision dates
– Don’t use “today’s date” in the document
• Sunset clause (expiration date)
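As an added example (not part of the slides), a Python check that audits a policy document's header against the key elements listed earlier and the dating rules on this slide: date of origin, revision date, no "today's date" placeholder, and an expired sunset clause. The "Key: value" header layout and the sample policy are assumptions for the example.

```python
# Added example (not from the slides): checks a policy document's header for the
# key elements and dating rules listed above. The "Key: value" header layout and the
# sample policy are constructed assumptions, not a format the slides prescribe.
import re
from datetime import date

REQUIRED_ELEMENTS = ("Overview", "Purpose", "Scope", "Targeted audience",
                     "Policy", "Definitions", "Version")
DATE_FIELDS = ("Date of origin", "Last revised", "Sunset")   # sunset = expiry date
PLACEHOLDERS = ("today", "today's date", "current date")     # never "today's date"

def parse_policy(text: str) -> dict:
    """Read 'Key: value' header lines into a dict; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def _as_date(value: str):
    try:
        return date.fromisoformat(value)   # placeholders and free text -> None
    except ValueError:
        return None

def audit_policy(text: str, today_iso: str) -> list:
    """Return findings as plain sentences; an empty list means the header passes."""
    today = date.fromisoformat(today_iso)
    fields = parse_policy(text)
    findings = []
    for name in REQUIRED_ELEMENTS:
        if not fields.get(name):
            findings.append(f"missing element: {name}")
    version = fields.get("Version", "")
    if version and not re.fullmatch(r"\d+\.\d+", version):
        findings.append(f"version {version!r} should be numeric (e.g. 1.0) to track changes")
    for name in DATE_FIELDS:
        value = fields.get(name, "")
        if not value:
            findings.append(f"missing date: {name}")
        elif value.lower() in PLACEHOLDERS:
            findings.append(f"{name} uses a placeholder instead of a fixed date")
        elif _as_date(value) is None:
            findings.append(f"{name} is not an ISO date (YYYY-MM-DD): {value!r}")
    sunset = _as_date(fields.get("Sunset", ""))
    if sunset and sunset < today:
        findings.append(f"policy expired on {sunset.isoformat()}: review and re-issue")
    return findings

# Constructed sample: no Definitions element, placeholder revision date, expired sunset.
SAMPLE_POLICY = """\
Overview: Rules for handling customer data on company systems.
Purpose: Reduce the risk of unauthorised disclosure or modification.
Scope: All production databases and the applications that use them.
Targeted audience: Developers, DBAs and system administrators.
Policy: Customer records may only be accessed through approved applications.
Version: 1.2
Date of origin: 2022-03-01
Last revised: today's date
Sunset: 2024-03-01
"""

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, "2024-08-13"):
        print("-", finding)
```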
NIST
• The National Institute of Standards and Technology is a non-regulatory government agency that develops technology, metrics, and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry. As part of this effort, NIST produces standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA).
• NIST also assists those agencies in protecting their information and information systems through cost-effective programs.
• Specifically, NIST develops Federal Information Processing Standards (FIPS) in congruence with FISMA. The Secretary of Commerce approves FIPS, with which federal agencies must comply – federal agencies may not waive the use of the standards.
NIST Cybersecurity Framework
• Identify: Identify all software solutions and systems.
• Protect: Focused on reducing the number of cybersecurity
events that could occur within your organization and
limiting the impact if one does occur.
• Detect: How you can develop and implement measures that
will help you detect the occurrence of a cybersecurity event.
• Respond: Offers guidelines on how to develop and
implement processes to follow when a cybersecurity event
is detected.
• Recover: Involves the steps that should be taken in the
aftermath of a cybersecurity event.
Root Cause Analysis (RCA)
• Root Cause Analysis (RCA) in Information Security is a systematic process to identify the underlying cause of security incidents, vulnerabilities, or failures in an organization's IT infrastructure.
• RCA goes beyond addressing the symptoms of security issues to uncover the fundamental reasons behind them.
• By resolving the root cause, organizations can prevent the recurrence of incidents, improve their security posture, and minimize the risk of future threats.
Key Steps in Root Cause Analysis
• Identify and Define the Security Incident
• Collect and Analyze Data
• Identify Immediate Causes
• Determine the Root Cause
• Implement Corrective Actions
• Verify the Effectiveness of the Solution
• Document the RCA Process
• Monitor and Review
Identify and Define the Security Incident
• Clearly define the security incident, breach, or system failure, including its symptoms, scope, and impact.
Example questions to ask:
• What happened (e.g., data breach, malware infection, insider attack)?
• When did the incident occur, and how long did it last?
• What systems, applications, or data were affected?
• What was the impact on operations, finances, or reputation?
Collect and Analyze Data
• Gather all relevant information and evidence to understand the incident better. This can include:
• Logs: System, application, firewall, and network logs to identify abnormal activity.
• Security Alerts: Alerts from intrusion detection/prevention systems (IDS/IPS), security information and event management (SIEM) systems, or antivirus software.
• Traffic Analysis: Monitoring of network traffic to spot any anomalies, such as unusual inbound/outbound traffic or patterns.
• User Reports: Incident reports from employees or users who might have noticed suspicious activity.
Identify Immediate Causes
• Identify the immediate technical cause(s) of the incident, such as:
• A malware infection.
• An exploited vulnerability in outdated software.
• Misconfigurations in firewall or security controls.
• Unauthorized access due to weak authentication mechanisms.
• Example: A data breach might be traced to a vulnerable application that allowed attackers to gain unauthorized access to sensitive information.
Determine the Root Cause
• RCA Key Techniques:
• The 5 Whys: Ask “Why” repeatedly until you identify the underlying cause.
• Fishbone (Ishikawa) Diagram: Categorize and map out potential causes related to people, processes, technology, or environment.
• Fault Tree Analysis: Create a logical diagram to map out possible causes leading to the incident.
• Example: While the immediate cause of a malware infection might be a user clicking on a phishing link, the root cause could be inadequate user training or lack of advanced email filtering.
Example
• Scenario: A company experiences a data breach where customer records were accessed and exfiltrated by an external attacker.
• Incident Identification: Customer data was accessed without authorization.
• Data Collection: Logs show an external IP accessing the database through a web application.
• Immediate Cause: The attacker exploited an SQL injection vulnerability in the application.
• Root Cause: The web application was not regularly tested for vulnerabilities, and the development team did not follow secure coding practices.
• Corrective Actions:
  – Implement web application firewalls (WAF) to block malicious requests.
  – Conduct regular vulnerability scans and penetration tests.
  – Provide secure coding training for developers.
• Verification: Perform penetration tests to confirm that the SQL injection vulnerability is no longer exploitable.
• Documentation: Document the findings and update the organization's security policies to ensure future security testing of applications.
• Monitoring: Continue monitoring for abnormal activity and ensure patches and secure coding practices are consistently applied.
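An added example (not from the slides) for the Data Collection and Monitoring steps of this scenario: Python triage over constructed web-server access log lines that flags injection-shaped requests from external addresses and responses larger than the same endpoint normally returns. The internal address ranges, the log lines and the pattern list are assumptions for the example.

```python
# Added example (not from the slides): log triage for the RCA scenario above. The
# internal ranges, the log lines and the pattern list are assumptions for the example.
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_plus

# Assumed organisation-internal ranges (RFC 1918); anything else counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

# Well-known SQL-injection shapes, matched against the URL-decoded request target.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*or\s+[\w']+\s*=\s*[\w']+",   # tautology following a closing quote
    r"union\s+select",                  # result-set stacking
    r"--\s*$",                          # trailing comment that truncates the query
)]

def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, size = m.groups()
    return {"ip": ip, "time": ts, "method": method, "target": unquote_plus(target),
            "path": target.split("?", 1)[0], "status": int(status), "bytes": int(size)}

def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def triage(log_lines: list) -> list:
    """Return one finding per suspicious request, with the reasons it was flagged."""
    entries = [e for e in map(parse_line, log_lines) if e]
    for e in entries:
        e["sqli"] = any(p.search(e["target"]) for p in SQLI_PATTERNS)
    # Baseline: largest response each path returned to a request with no injection marker.
    baseline = {}
    for e in entries:
        if not e["sqli"]:
            baseline[e["path"]] = max(baseline.get(e["path"], 0), e["bytes"])
    findings = []
    for e in entries:
        reasons = []
        if e["sqli"]:
            reasons.append("sqli_pattern")
            if e["bytes"] > baseline.get(e["path"], 0):
                reasons.append("oversized_response")   # more data than the endpoint usually returns
        if reasons:
            findings.append({"ip": e["ip"], "external": is_external(e["ip"]), "time": e["time"],
                             "target": e["target"], "reasons": reasons})
    return findings

# Constructed log lines (combined-log style); 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.42 - - [13/Aug/2024:10:14:02 +0000] "GET /customers?id=7 HTTP/1.1" 200 512',
    '203.0.113.42 - - [13/Aug/2024:10:14:09 +0000] "GET /customers?id=7%27%20OR%201%3D1-- HTTP/1.1" 200 48211',
    '10.0.0.15 - - [13/Aug/2024:10:15:00 +0000] "GET /customers?id=8 HTTP/1.1" 200 500',
    '198.51.100.9 - - [13/Aug/2024:10:16:30 +0000] "GET /about HTTP/1.1" 200 2048',
    '203.0.113.42 - - [13/Aug/2024:10:17:45 +0000] "GET /customers?id=7%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 91000',
]

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

The oversized-response check is a heuristic that only makes sense once a benign baseline for the endpoint exists; on real logs it belongs beside the WAF and SIEM alerts the slides list, not in place of them.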