Security: Challenges/Threats To IS Security


SECURITY

“Security refers to the policies, procedures, and technical measures used to prevent
unauthorized access, alteration, theft, or physical damage to information systems.”

-Laudon

CHALLENGES/THREATS TO IS SECURITY:
Threats to computerized information systems include hardware and software failure; user
errors; physical disasters such as fire or power failure; theft of data, services, and
equipment; unauthorized use of data; and telecommunications disruptions. On-line
systems and telecommunications are especially vulnerable because data and files can be
immediately and directly accessed through computer terminals or at points in the
telecommunications network.

Viruses

A computer virus is software code that can multiply and propagate itself. A virus can
spread to another computer via e-mail, downloading files from the Internet, or opening
a contaminated file. It is almost impossible to completely protect a networked computer
from virus attacks.

Programmed threats are computer programs that can create a nuisance, alter or damage
data, steal information, or cripple system functions. Programmed threats include
computer viruses, Trojan horses, logic bombs, worms, spam, spyware, and adware.

Spyware is a computer program that secretly gathers users' personal information and
relays it to third parties, such as advertisers.

Adware is a program that can display advertisements such as pop-up windows or
advertising banners on webpages.

Insider Abuse of Internet Access:

• E-mail and Internet connections are available in almost all offices to improve
productivity, but employees may use them for personal reasons, such as online shopping,
playing games, and sending instant messages to friends during work hours.

Denial of Service

A denial of service (DoS) attack is specifically designed to interrupt normal system
functions and affect legitimate users' access to the system. DoS attacks can result in
significant server downtime and financial loss for many companies.

Unauthorized Access to Information

To control unauthorized access to information, access controls, including passwords and
a controlled environment, are necessary. Computers installed in a public area, such as a
conference room or reception area, can create serious threats and should be avoided if
possible. Any computer in a public area must be equipped with a physical protection
device to control access when there is no business need. The LAN should be in a
controlled environment accessed by authorized employees only. Employees should be
allowed to access only the data necessary for them to perform their jobs.

System Penetration

Hackers penetrate systems illegally to steal information, modify data, or harm the system.
The following factors are related to system penetration:

• System holes: design deficiencies in operating systems or application systems
that allow hijacking, security bypass, data manipulation, privilege escalation, and
unauthorized system access.

• Port scanning: a hacking technique used to probe TCP/IP ports to reveal the
services that are available and to identify the weaknesses of a computer or network
system in order to exploit them.

• Network sniffing: hardware or software used to collect network traffic
data in order to recover passwords with password-cracking software, which may
result in unauthorized access to a network system.

• IP spoofing: a technique used to gain unauthorized access to computers, whereby
hackers send messages to a computer with a forged source IP address as if they were
coming from a trusted host.

• Back door/trap door: a hole in the security of a computer system deliberately left
in place by designers or maintainers.

• Tunneling: a method for circumventing a firewall by hiding a message that would
be rejected by the firewall inside another, acceptable message.

Telecom Fraud

In the past, telecom fraud involved fraudulent use of telecommunication (telephone)
facilities. Intruders often hacked into a company's private branch exchange (PBX) and
administration or maintenance port for personal gain, including free long-distance calls,
stealing (changing) information in voicemail boxes, diverting calls illegally, wiretapping,
and eavesdropping.

Theft of Proprietary Information

Information is a commodity in the e-commerce era, and there are always buyers for
sensitive information, including customer data, credit card information, and trade secrets.
Data theft by an insider is common when access controls are not implemented. Outside
hackers can also use "Trojan" viruses to steal information from unprotected systems.

Technologies and Tools for Protecting IS:

Various tools and technologies used to help protect or monitor information
systems include authentication tools, firewalls, intrusion detection systems, and antivirus
and encryption software.

Access control consists of all the policies and procedures a company uses to prevent
improper access to systems by unauthorized insiders and outsiders.

Authentication refers to the ability to know that a person is who he or she claims to be.
Access control software is designed to allow only authorized persons to use systems or to
access data using some method for authentication.

New authentication technologies include:

• Token: a physical device similar to an identification card that is designed to
prove the identity of a single user.

• Smart card: a device about the size of a credit card that contains a chip formatted
with access permissions and other data.

• Biometric authentication: compares a person's unique characteristics, such as
fingerprints, face, or retinal image, against a stored profile.

A firewall is a combination of hardware and software that controls the flow of incoming
and outgoing network traffic and prevents unauthorized communication into and out of
the network. The firewall identifies names, Internet Protocol (IP) addresses, applications,
and other characteristics of incoming traffic. It checks this information against the access
rules programmed into the system by the network administrator.

A CORPORATE FIREWALL
The firewall is placed between the firm’s private network and the public Internet or
another distrusted network to protect against unauthorized traffic.
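As an added illustration (not part of the original notes), the following Python model shows the rule check just described: each packet is compared, top to bottom, against an administrator-written rule list, the first matching rule decides, and anything no rule covers falls through to the default policy. The rule syntax, the rule set and the addresses (documentation ranges, with 10.0.0.0/8 standing in for the private network) are all constructed for this example. It also shows why a "default permit" policy, mentioned later under the causes of vulnerability, is dangerous: the same incomplete rule list lets an unlisted service through.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of a packet filter: hypothetical rule syntax, addresses drawn
# from documentation ranges (10.0.0.0/8 is the firm's private network here).


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    direction: str  # "in" = Internet -> private network, "out" = the reverse


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    direction: str      # "in", "out" or "any"
    src_net: str        # CIDR block the source address must belong to
    proto: str          # "tcp", "udp" or "any"
    dports: frozenset   # destination ports; an empty set means any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction in ("any", pkt.direction)
            and ip_address(pkt.src) in ip_network(self.src_net)
            and self.proto in ("any", pkt.proto)
            and (not self.dports or pkt.dport in self.dports)
        )


# Rules are checked in order; the first match decides. Note the explicit
# catch-all deny that closes the inbound section.
CORPORATE_RULES = [
    Rule("allow", "in", "0.0.0.0/0", "tcp", frozenset({80, 443}), "public web server"),
    Rule("allow", "in", "203.0.113.0/24", "tcp", frozenset({22}), "SSH from the partner network"),
    Rule("deny", "in", "0.0.0.0/0", "any", frozenset(), "everything else inbound is blocked"),
    Rule("allow", "out", "10.0.0.0/8", "any", frozenset(), "internal hosts may reach the Internet"),
]


def evaluate(rules, pkt, default="deny"):
    """Return (action, reason): the first matching rule, else the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return default, "default policy"


def demo():
    """Decisions for a few constructed packets, including the default-permit pitfall."""
    web = Packet("198.51.100.7", "10.0.0.5", "tcp", 443, "in")
    telnet = Packet("198.51.100.7", "10.0.0.5", "tcp", 23, "in")
    partner_ssh = Packet("203.0.113.9", "10.0.0.5", "tcp", 22, "in")
    outbound = Packet("10.1.2.3", "198.51.100.7", "tcp", 25, "out")
    # A rule set whose author forgot the catch-all deny and relies on the default.
    incomplete = CORPORATE_RULES[:2]
    return {
        "web": evaluate(CORPORATE_RULES, web)[0],
        "telnet": evaluate(CORPORATE_RULES, telnet)[0],
        "partner_ssh": evaluate(CORPORATE_RULES, partner_ssh)[0],
        "outbound": evaluate(CORPORATE_RULES, outbound)[0],
        "telnet_default_deny": evaluate(incomplete, telnet, default="deny")[0],
        "telnet_default_permit": evaluate(incomplete, telnet, default="allow")[0],
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} -> {decision}")
```

The last two entries of `demo()` make the point: with an incomplete rule list, only a default-deny policy keeps the telnet attempt out; default-permit waves through everything the administrator did not think to list.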

Intrusion detection systems feature full-time monitoring tools placed at the most
vulnerable points of corporate networks to detect and deter intruders continually.
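The port scanning item under System Penetration and the intrusion detection paragraph above meet in the following added example (written for these notes, not taken from any product): a small detector that reads connection-attempt records from a network sensor and raises an alert when one source touches many distinct ports on one host within a short window, which is the signature a monitoring tool at a network choke point looks for. The log format, the addresses (documentation ranges) and every line of the log are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor log (not real traffic): one connection attempt per line,
# "timestamp src_ip dst_ip dst_port". 198.51.100.23 sweeps many ports on one
# host; the other sources behave like ordinary web clients.
SAMPLE_LOG = """\
2024-05-01T10:00:00 192.0.2.8 10.0.0.5 443
2024-05-01T10:00:01 198.51.100.23 10.0.0.5 21
2024-05-01T10:00:01 198.51.100.23 10.0.0.5 22
2024-05-01T10:00:02 198.51.100.23 10.0.0.5 23
2024-05-01T10:00:02 198.51.100.23 10.0.0.5 25
2024-05-01T10:00:03 192.0.2.8 10.0.0.5 80
2024-05-01T10:00:03 198.51.100.23 10.0.0.5 80
2024-05-01T10:00:04 198.51.100.23 10.0.0.5 110
2024-05-01T10:00:04 198.51.100.23 10.0.0.5 143
2024-05-01T10:00:05 198.51.100.23 10.0.0.5 443
2024-05-01T10:00:05 198.51.100.23 10.0.0.5 445
2024-05-01T10:00:06 198.51.100.23 10.0.0.5 3389
2024-05-01T10:00:07 198.51.100.23 10.0.0.5 8080
2024-05-01T10:00:09 192.0.2.8 10.0.0.5 443
2024-05-01T10:00:15 203.0.113.40 10.0.0.6 443
"""


def parse_line(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_port_scans(log_text, window_seconds=60, threshold=10):
    """Alert once per (src, dst) pair that touches >= threshold distinct ports within the window."""
    window = timedelta(seconds=window_seconds)
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(list)   # (src, dst) -> [(timestamp, port)] still inside the window
    flagged = set()
    alerts = []
    for ts, src, dst, port in events:
        key = (src, dst)
        # Drop events that have aged out of the sliding window, then add this one.
        recent[key] = [(t, p) for t, p in recent[key] if ts - t <= window]
        recent[key].append((ts, port))
        ports = {p for _, p in recent[key]}
        if len(ports) >= threshold and key not in flagged:
            flagged.add(key)   # one alert per pair, not one per further probe
            alerts.append({
                "src": src,
                "dst": dst,
                "distinct_ports": len(ports),
                "first_seen": recent[key][0][0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(f"possible port scan: {alert['src']} -> {alert['dst']} "
              f"({alert['distinct_ports']} ports, {alert['first_seen']}..{alert['last_seen']})")
```

The threshold and window are the tuning knobs: the repeated visits from 192.0.2.8 to ports 80 and 443 never come near ten distinct ports, so an ordinary client is not flagged, while the sweep is reported as soon as the tenth port is touched rather than only after the whole log has been read.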

Antivirus software is designed to check computer systems and drives for the presence of
computer viruses. However, to remain effective, the antivirus software must be
continually updated.

Encryption is the coding and scrambling of messages to prevent their access by
unauthorized individuals.

Data is encrypted by applying a secret numerical code, called an encryption key, so that
the data are transmitted as a scrambled set of characters. To be read, the message must be
decrypted (unscrambled) with a matching key. There are two alternative methods of
encryption:

• Symmetric key encryption: the sender and receiver create a single encryption
key that is shared.

• Public key encryption: a more secure encryption method that uses two different
keys, one private and one public.

Digital signatures and digital certificates help with authentication.

A digital signature is a digital code attached to an electronically transmitted message that
is used to verify the origin and contents of a message.

Digital certificates are data files used to establish the identity of users and electronic
assets for protection of online transactions. A digital certificate system uses a trusted third
party known as a certificate authority (CA) to validate a user's identity.

SECURITY TESTING
Security testing is a process to determine that an information system protects data and
maintains functionality as intended.

"The exhaustive and thorough process that determines whether the system produces the
desired results under known conditions." - Laudon

Techniques in security testing:

• Security Auditing: security auditing includes direct inspection of the application
developed, the operating system, and any system on which it is being developed.
This also involves a code walk-through.

• Security Scanning: scanning and verification of the system and
applications. During security scanning, auditors inspect and try to find out the
weaknesses in the OS, applications and network(s).

• Vulnerability Scanning: vulnerability scanning involves scanning of the
application for all known vulnerabilities. This scanning is generally done through
various vulnerability scanning software.

• Risk Assessment: risk assessment is a method of analyzing and deciding the risk
that depends upon the type of loss and the possibility/probability of loss
occurrence. Risk assessment is carried out in the form of various interviews,
discussions and analysis of the same. It helps in finding out and preparing a possible
backup plan for any type of potential risk, hence contributing towards security
conformance.

• Posture Assessment & Security Testing: this is a combination of security
scanning, risk assessment and ethical hacking in order to reach a conclusive
point and help your organization know where it stands with respect to security.

• Penetration Testing: in this type of testing, a tester tries to forcibly access and
enter the application under test. In penetration testing, a tester may try to enter
the application/system with the help of some other application or with the
help of combinations of loopholes that the application has unknowingly left open.
Penetration testing is highly important as it is the most effective way to practically
find out potential loopholes in the application.

• Ethical Hacking: a forced intrusion of an external element into the system and
applications that are under security testing. Ethical hacking involves a number of
penetration tests over the wide network on the system under test.

Roles and Responsibilities:

Because security testing provides input into and can be a part of multiple system
development life cycle phases, a number of IT and system security staff may be
interested in its execution and result. This section provides a list of those roles and
identifies their responsibilities related to security testing. These roles
may vary with the organization, however, and not all organizations will have the
identical roles described here.

2.3.1 Senior IT Management/Chief Information Officer (CIO)

The Senior IT Management/CIO ensures that the organization's security posture is
adequate. The Senior IT Management provides direction and advisory services for the
protection of information systems for the entire organization. The Senior IT
Management/CIO is responsible for the following activities that are associated with
security testing:

• Coordinating the development and maintenance of the organization's
information security policies, standards, and procedures,
• Ensuring the establishment of, and compliance with, consistent security
evaluation processes throughout the organization, and
• Participating in developing processes for decision-making and
prioritization of systems for security testing.

2.3.2 Information Systems Security Program Managers (ISSM)

The Information Systems Security Program Managers (ISSMs) oversee the
implementation of, and compliance with, the standards, rules, and regulations
specified in the organization's security policy. The ISSMs are responsible for the
following activities associated with security testing:

• Developing and implementing standard operating procedures (security policy),
• Complying with security policies, standards and requirements, and
• Ensuring that critical systems are identified and scheduled for periodic testing
according to the security policy requirements of each respective system.

2.3.3 Information Systems Security Officers (ISSO)

Information Systems Security Officers (ISSOs) are responsible for overseeing all
aspects of information security within a specific organizational entity. They ensure
that the organization's information security practices comply with organizational and
departmental policies, standards, and procedures. ISSOs are responsible for the
following activities associated with security testing:

• Developing security standards and procedures for their area of responsibility,
• Cooperating in the development and implementation of security tools and
mechanisms,
• Maintaining configuration profiles of all systems controlled by the organization,
including but not limited to mainframes, distributed systems, microcomputers,
and dial access ports, and
• Maintaining operational integrity of systems by conducting tests and ensuring that
designated IT professionals are conducting scheduled testing on critical systems.

2.3.4 System and Network Administrators

System and network administrators must address the security requirements of the
specific system(s) for which they are responsible on a daily basis. Security issues and
solutions can originate from either outside (e.g., security patches and fixes from the
vendor or computer security incident response teams) or within the organization (e.g.,
the Security Office). The administrators are responsible for the following activities
associated with security testing:

• Monitoring system integrity, protection levels, and security-related events,
• Resolving detected security anomalies associated with their information system
resources,
• Conducting security tests as required, and
• Assessing and verifying the implemented security measures.

2.3.5 Managers and Owners

Managers and owners of a system oversee the overall compliance of their assets
with their defined/identified security requirements. They are also responsible for
ensuring that test results and recommendations are adopted as appropriate.

CONCEPT:
The six basic security concepts that need to be covered by security testing are:

• Confidentiality
• Integrity
• Authentication
• Authorization
• Availability
• Non-repudiation

Confidentiality

• A security measure which protects against the disclosure of information to parties
other than the intended recipient; on its own it is by no means the only way of ensuring
security.

Integrity

• A measure intended to allow the receiver to determine that the information which
it is receiving is correct.

• Integrity schemes often use some of the same underlying technologies as
confidentiality schemes, but they usually involve adding additional information to
a communication to form the basis of an algorithmic check rather than
encoding all of the communication.

Authentication

• The process of establishing the identity of the user.

• Authentication can take many forms, including but not limited to
passwords, biometrics, radio frequency identification, etc.
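Password authentication is the form every reader has met, and the "password management flaws" listed later under the causes of vulnerability (weak passwords that brute force can find, passwords stored where a program can read them) are the usual way it fails. The following added Python example, written for these notes rather than taken from any product, shows the defender's side of that: a registration step that refuses weak passwords, stores only a salted PBKDF2 hash instead of the password, and a login check that compares in constant time. The common-password denylist, the user names and the `register`/`login` functions are constructed for the example; a real denylist holds millions of leaked passwords.

```python
import base64
import hashlib
import hmac
import os

# Constructed, deliberately tiny denylist for this example.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
MIN_LENGTH = 12


def password_weaknesses(password):
    """Return the reasons a candidate password is weak (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if password.isdigit() or password.isalpha():
        problems.append("uses a single character class")
    return problems


def hash_password(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; the stored string carries everything needed to verify."""
    salt = os.urandom(16)   # fresh random salt: equal passwords give different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_password(stored, candidate):
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


def register(username, password, store, iterations=600_000):
    """Hypothetical registration step: refuse weak passwords, otherwise store only the hash."""
    problems = password_weaknesses(password)
    if problems:
        return False, problems
    store[username] = hash_password(password, iterations)
    return True, []


def login(username, candidate, store):
    """Hypothetical login check; unknown users simply fail, as a wrong password would."""
    stored = store.get(username)
    return stored is not None and verify_password(stored, candidate)


if __name__ == "__main__":
    users = {}
    print(register("alice", "123456", users))
    print(register("alice", "correct horse battery staple", users))
    print(login("alice", "correct horse battery staple", users))
```

Because each stored value carries its own salt and iteration count, a leaked user table gives an attacker no shortcut between accounts, and the iteration count can be raised later without breaking existing entries.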

Authorization

• The process of determining that a requester is allowed to receive a service or
perform an operation.

• Access control is an example of authorization.
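The earlier rule that employees should be allowed to access only the data necessary for their jobs, and the point just made that access control is authorization rather than authentication, are shown together in the following added Python example (constructed for these notes, not from any real application). Each role holds the smallest set of (resource, action) permissions its job needs, an unauthenticated principal is never authorized regardless of the roles it claims, and one extra check, separation of duties, stops an authorized approver from approving an invoice they created themselves. The roles, resources and invoice workflow are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical roles for an invoicing application (constructed for this example).
# Each role gets only the (resource, action) pairs its job requires.
ROLE_PERMISSIONS = {
    "clerk":   {("invoice", "read"), ("invoice", "create")},
    "manager": {("invoice", "read"), ("invoice", "create"),
                ("invoice", "approve"), ("report", "read")},
    "auditor": {("invoice", "read"), ("report", "read"), ("audit_log", "read")},
}


@dataclass
class Principal:
    name: str
    authenticated: bool = False      # set by the login step, never by the caller
    roles: set = field(default_factory=set)


class AuthorizationError(PermissionError):
    pass


def is_authorized(principal, resource, action):
    """Authorization follows authentication: no established identity, no access."""
    if not principal.authenticated:
        return False
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in principal.roles)


def require(principal, resource, action):
    if not is_authorized(principal, resource, action):
        raise AuthorizationError(f"{principal.name} may not {action} {resource}")


def create_invoice(principal, amount):
    require(principal, "invoice", "create")
    return {"amount": amount, "created_by": principal.name, "status": "draft"}


def approve_invoice(principal, invoice):
    require(principal, "invoice", "approve")
    # Separation of duties: even an authorized approver may not approve their own invoice.
    if invoice["created_by"] == principal.name:
        raise AuthorizationError("an invoice cannot be approved by its creator")
    invoice["status"] = "approved"
    invoice["approved_by"] = principal.name
    return invoice


if __name__ == "__main__":
    clerk = Principal("carol", authenticated=True, roles={"clerk"})
    manager = Principal("mike", authenticated=True, roles={"manager"})
    invoice = create_invoice(clerk, 100)
    print(approve_invoice(manager, invoice))
    try:
        approve_invoice(clerk, invoice)
    except AuthorizationError as exc:
        print("denied:", exc)
```

Keeping the permission table in one place, and funnelling every sensitive operation through `require`, is what makes the least-privilege rule auditable: a reviewer can read the table and see exactly what each role can do.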


Availability

• Assuring information and communications services will be ready for use when
expected.

• Information must be kept available to authorized persons when they need it.

Non-repudiation

• A measure intended to prevent the later denial that an action happened, or that a
communication took place, etc.

• In communication terms this often involves the interchange of authentication
information combined with some form of provable time stamp.
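The two encryption methods listed earlier (a single shared key versus a public/private pair), the digital signature paragraph, the Integrity bullet about "adding additional information to a communication to form the basis of an algorithmic check", and the non-repudiation point just made all come together in one added Python example, written for these notes and not taken from any library. The shared-key side is an HMAC tag (an integrity check appended to the message); the public-key side is textbook RSA signing with tiny constructed primes, a toy that shows the mechanism and must never be used for real keys. Python's standard library has no real public-key primitives, which is why the toy is used; the message, the timestamp inside it and the names Alice and Bob are constructed.

```python
import hashlib
import hmac
import secrets


# --- Symmetric: one shared key, used here to produce an HMAC integrity tag ---
def mac_tag(shared_key, message):
    """Extra data appended to the message; the message itself is not encoded."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_verify(shared_key, message, tag):
    return hmac.compare_digest(mac_tag(shared_key, message), tag)


# --- Asymmetric: textbook RSA with tiny constructed primes (toy, illustration only) ---
def toy_rsa_keypair(p=61, q=53, e=17):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent: modular inverse of e
    return (n, e), (n, d)          # (public key, private key)


def _digest_mod_n(message, n):
    """Hash the message first; the toy modulus is tiny, so reduce the hash mod n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def demo():
    """Who can produce a valid tag or signature, and what that proves to the verifier."""
    shared_key = secrets.token_bytes(32)          # known to both Alice and Bob
    alice_pub, alice_priv = toy_rsa_keypair()     # only Alice holds alice_priv
    bob_pub, bob_priv = toy_rsa_keypair(p=67, q=71)
    # Constructed message; the time stamp is what the non-repudiation bullet calls for.
    message = b"transfer 100 to account 42|2024-05-01T10:00:00Z"
    tampered = message.replace(b"100", b"900")

    tag = mac_tag(shared_key, message)
    sig = sign(alice_priv, message)
    # Bob holds the same shared key, so a tag proves nothing about *which* party made it.
    bob_forged = mac_tag(shared_key, tampered)
    return {
        "mac_ok": mac_verify(shared_key, message, tag),
        "mac_tampered": mac_verify(shared_key, tampered, tag),
        "bob_can_forge_tag": mac_verify(shared_key, tampered, bob_forged),
        "sig_ok": verify(alice_pub, message, sig),
        "sig_tampered": verify(alice_pub, tampered, sig),
        # A signature made with Bob's private key does not verify under Alice's public key.
        "sig_by_bob_rejected": not verify(alice_pub, message, sign(bob_priv, message)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value}")
```

The result table is the lesson: the HMAC tag gives integrity and tells the receiver the sender knew the shared key, but since Bob knows it too he could have made the tag himself, so it cannot support non-repudiation; only the signature, made with a key that Alice alone holds, lets a third party later confirm that Alice signed that message and time stamp.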

VULNERABILITY
A vulnerability is a weakness which allows an attacker to reduce a
system's information assurance. Vulnerability is the intersection of three elements: a
system susceptibility or flaw, attacker access to the flaw, and attacker capability to
exploit the flaw.

A security risk may be classified as a vulnerability. A vulnerability with one or more
known instances of working and fully implemented attacks is classified as an exploit.
The window of vulnerability is the time from when the security hole was introduced or
manifested in deployed software to when access was removed, a security fix was
made available/deployed, or the attacker was disabled.

Causes:

• Complexity: large, complex systems increase the probability of flaws and
unintended access points.

• Familiarity: using common, well-known code, software, operating systems,
and/or hardware increases the probability that an attacker has or can find the
knowledge and tools to exploit a flaw.

• Connectivity: more physical connections, privileges, ports, protocols, and
services, and the time each of those is accessible, increase vulnerability.

• Password management flaws: the computer user uses weak passwords that
could be discovered by brute force; the user stores the password on the
computer where a program can access it; users re-use passwords between many
programs and websites.

• Fundamental operating system design flaws: the operating system designer
chooses to enforce suboptimal policies on user/program management. For
example, operating systems with a "default permit" policy grant every
program and every user full access to the entire computer. This operating system
flaw allows viruses and malware to execute commands on behalf of the
administrator.

• Internet website browsing: some websites may contain
harmful spyware or adware that can be installed automatically on the computer
systems. After visiting those websites, the computer systems become infected and
personal information will be collected and passed on to third parties.

• Software bugs: the programmer leaves an exploitable bug in a software program.
The software bug may allow an attacker to misuse an application.

• Unchecked user input: the program assumes that all user input is safe. Programs
that do not check user input can allow unintended direct execution of commands
or SQL statements (buffer overflows, SQL injection, and other
non-validated input flaws).
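The last cause, unchecked user input, is easiest to see with SQL injection, which the notes name again under input validation errors. The following added Python example (constructed for these notes; the table, the users and the query functions are hypothetical) puts the vulnerable lookup beside two fixed versions: one that sends the value separately from the statement through a parameterized query, and one that first rejects anything outside the expected shape of a user name. An in-memory SQLite database stands in for the application's real one.

```python
import re
import sqlite3

# Constructed allowlist for this example: what a user name is expected to look like.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    """In-memory SQLite database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")])
    return conn


def find_user_unchecked(conn, username):
    """Vulnerable: the input is pasted into the statement, so it can change the statement."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, username):
    """Fixed: the driver passes the value separately; it can never become part of the SQL."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


def find_user_validated(conn, username):
    """Defence in depth: reject anything outside the expected shape before it reaches the query."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return find_user_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"          # constructed input that closes the quote and widens the WHERE clause
    print("unchecked:    ", find_user_unchecked(db, crafted))      # every row comes back
    print("parameterized:", find_user_parameterized(db, crafted))  # no user has that literal name
    try:
        find_user_validated(db, crafted)
    except ValueError as exc:
        print("validated:     rejected,", exc)
```

The parameterized query is the real fix, since it removes the possibility of input being read as SQL; the allowlist check is an extra input control that also catches mistakes and keeps junk out of the log.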

Identification and removal:

Many software tools exist that can aid in the discovery (and sometimes removal) of
vulnerabilities in a computer system. Though these tools can provide an auditor with a
good overview of possible vulnerabilities present, they cannot replace human judgment.
Relying solely on scanners will yield false positives and a limited-scope view of the
problems present in the system.

Vulnerabilities have been found in every major operating
system, including Windows, Mac OS, various forms of Unix and Linux, OpenVMS, and
others. The only way to reduce the chance of a vulnerability being used against a system
is through constant vigilance, including careful system maintenance (e.g. applying
software patches), best practices in deployment (e.g. the use of firewalls and access
controls) and auditing (both during development and throughout the deployment
lifecycle).

Vulnerability disclosure:

The method of disclosing vulnerabilities is a topic of debate in the computer security
community. Some advocate immediate full disclosure of information about
vulnerabilities once they are discovered. Others argue for limiting disclosure to the users
placed at greatest risk, and only releasing full details after a delay, if ever. Such delays
may allow those notified to fix the problem by developing and applying patches, but may
also increase the risk to those not privy to full details.

From the security perspective, a free and public disclosure is only successful if the
affected parties get the relevant information before potential attackers do; if they do not,
attackers could take immediate advantage of the revealed exploit. The disadvantage of
limited disclosure is that fewer people have full knowledge of the vulnerability and can
aid in finding similar or related scenarios.

The disclosure channel should be unbiased to enable a fair dissemination of
security-critical information. Most often a channel is considered trusted when it is a
widely accepted source of security information in the industry (e.g. CERT, SecurityFocus,
and Secunia). Analysis and risk rating ensure the quality of the disclosed information.
The analysis must include enough details to allow a concerned user of the software to
assess his or her individual risk or take immediate action to protect his or her assets.

Vulnerability disclosure date:

The time of disclosure of a vulnerability is defined differently in the security community
and industry. It is most commonly referred to as "a kind of public disclosure of security
information by a certain party". Usually, vulnerability information is discussed on a
mailing list or published on a security web site and results in a security advisory
afterward.

The time of disclosure is the first date a security vulnerability is described on a channel
where the disclosed information on the vulnerability fulfills the following
requirements:

• The information is freely available to the public.

• The vulnerability information is published by a trusted and independent
channel/source.

• The vulnerability has undergone analysis by experts such that risk rating
information is included upon disclosure.

Examples of vulnerabilities
Vulnerabilities may result from weak passwords, software bugs, a computer virus or
other malware, a script code injection, a SQL injection or misconfiguration. Three
examples: an attacker finds and uses an overflow weakness to install malware to export
sensitive data; an attacker convinces a user to open an email message with attached
malware; an insider copies a hardened, encrypted program onto a thumb drive and cracks
it at home.

Common types of software flaws that lead to vulnerabilities include:

• Memory safety violations, such as:
  - Buffer overflows
  - Dangling pointers

• Input validation errors, such as:
  - Format string bugs
  - Improperly handling shell metacharacters so they are interpreted
  - SQL injection
  - Code injection
  - E-mail injection
  - Cross-site scripting in web applications
  - HTTP header injection
  - HTTP response splitting

• Privilege-confusion bugs, such as:
  - Cross-site request forgery in web applications
  - Clickjacking
  - FTP bounce attack

CONTROL

Definition:
“All of the methods, policies, and procedures that ensure protection of the organization's
assets, accuracy and reliability of its records, and operational adherence to management
standards.”- Laudon

Two types of controls:

1. General Controls:

• A general controls review attempts to gain an overall impression of the controls
that are present in the environment surrounding the information systems. These
include the organizational and administrative structure of the IS function, the
existence of policies and procedures for the day-to-day operations, availability of
staff and their skills, and the overall control environment. It is important for the IS
auditor to obtain an understanding of these, as they are the foundation on which
other controls reside.

• A general controls review would also include the infrastructure and environmental
controls.

General controls usually include the following types of controls:

• Control environment - controls designed to shape the corporate culture
or "tone at the top."
• Change management procedures - controls designed to ensure changes meet
business requirements and are authorized.
• Source code/document version control procedures - controls designed to
protect the integrity of program code.
• Software development life cycle standards - controls designed to ensure IT
projects are effectively managed.
• Security policies, standards and processes - controls designed to secure access
based on business need.
• Incident management policies and procedures - controls designed to address
operational processing errors.
• Technical support policies and procedures - policies to help users perform more
efficiently and report problems.
• Hardware/software configuration, installation, testing, management standards,
policies and procedures.
• Disaster recovery/backup and recovery procedures, to enable continued
processing despite adverse conditions.

2. Application Controls:

Application or program controls are fully automated controls (i.e., performed automatically by
the systems) designed to ensure the complete and accurate processing of data, from input
through output. These controls vary based on the business purpose of the specific
application. These controls may also help ensure the privacy and security of data
transmitted between applications. Categories of application controls may include:

• Completeness checks - controls that ensure all records were processed from
initiation to completion.
• Validity checks - controls that ensure only valid data is input or processed.
• Identification - controls that ensure all users are uniquely and irrefutably
identified.
• Authentication - controls that provide an authentication mechanism in the
application system.
• Authorization - controls that ensure only approved business users have access to
the application system.
• Problem management - controls that ensure all application problems are recorded
and managed in a timely manner.
• Change management - controls that ensure all changes to the production
environment are implemented with data integrity preserved.
• Input controls - controls that ensure the integrity of data fed from upstream sources into
the application system.
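The first two categories, completeness checks and validity checks, together with the input controls that guard data arriving from upstream, are shown in the following added Python example (constructed for these notes, not from any real system). An inbound batch carries a trailer with the sender's record count and hash total; the receiving application recomputes both and rejects the whole batch if they disagree (completeness), then checks every field of each surviving record against its allowed domain (validity). The record layout, the control-total convention and all the sample records are hypothetical.

```python
import re
from datetime import date

# Constructed inbound batch (e.g. invoices from an upstream system). The trailer
# carries the sender's control totals so the receiver can prove nothing was lost.
SAMPLE_BATCH = {
    "records": [
        {"id": "INV-0001", "customer": "C-100", "amount": 125.50, "date": "2024-05-01"},
        {"id": "INV-0002", "customer": "C-100", "amount": -20.00, "date": "2024-05-01"},
        {"id": "INV-0003", "customer": "C100",  "amount": 300.00, "date": "2024-13-01"},
        {"id": "INV-0004", "customer": "C-207", "amount": 74.25,  "date": "2024-05-02"},
    ],
    "trailer": {"record_count": 4, "hash_total": 479.75},
}

ID_RE = re.compile(r"^INV-\d{4}$")        # hypothetical id format
CUSTOMER_RE = re.compile(r"^C-\d{3}$")    # hypothetical customer key format


def completeness_check(batch):
    """Completeness control: the recomputed count and hash total must equal the trailer's."""
    records, trailer = batch["records"], batch["trailer"]
    errors = []
    if len(records) != trailer["record_count"]:
        errors.append(f"record count {len(records)} != trailer {trailer['record_count']}")
    total = round(sum(r["amount"] for r in records), 2)
    if abs(total - trailer["hash_total"]) > 0.005:
        errors.append(f"hash total {total} != trailer {trailer['hash_total']}")
    ids = [r["id"] for r in records]
    if len(set(ids)) != len(ids):
        errors.append("duplicate record ids")
    return errors


def validity_check(record):
    """Validity control: every field must lie in its allowed domain."""
    problems = []
    if not ID_RE.match(record["id"]):
        problems.append("bad id")
    if not CUSTOMER_RE.match(record["customer"]):
        problems.append("bad customer")
    if not isinstance(record["amount"], (int, float)) or record["amount"] <= 0:
        problems.append("amount must be positive")
    try:
        date.fromisoformat(record["date"])
    except ValueError:
        problems.append("bad date")
    return problems


def process_batch(batch):
    """Reject the whole batch if incomplete; otherwise accept valid records and log the rest."""
    errors = completeness_check(batch)
    if errors:
        return {"status": "rejected", "errors": errors, "accepted": [], "rejected_records": {}}
    accepted, rejected = [], {}
    for record in batch["records"]:
        problems = validity_check(record)
        if problems:
            rejected[record["id"]] = problems
        else:
            accepted.append(record["id"])
    return {"status": "accepted", "errors": [], "accepted": accepted, "rejected_records": rejected}


if __name__ == "__main__":
    print(process_batch(SAMPLE_BATCH))
    truncated = {"records": SAMPLE_BATCH["records"][:3], "trailer": SAMPLE_BATCH["trailer"]}
    print(process_batch(truncated))
```

The two controls answer different questions: the completeness check tells the operator that a record went missing in transit even when every record that arrived is perfectly valid, while the validity check catches the negative amount and the impossible date in records that did arrive, and records why each one was set aside so that the problem-management step has something to work from.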
