Cyber Security PDF


UNIT I

INTRODUCTION
Basic Concepts – Layers of cyber security, Attacks - Passive Vs
Active Attacks, Services, Mechanisms, Model - Cryptography
Basics - Symmetric Ciphers – Transposition, Substitution,
Rotor Machines – Block Cipher – Data Encryption Standard –
Confidentiality using Symmetric Encryption.
Basic Concepts of Cybersecurity
Cybersecurity encompasses a wide array of practices, technologies, and processes designed to protect systems,
networks, and data from cyber threats. Understanding its fundamental concepts is essential for safeguarding
digital assets and mitigating risks.
The foundation of cybersecurity is often summarized by the CIA Triad, which includes:
Confidentiality: This principle ensures that sensitive information is only accessible to authorized users. Measures
such as encryption and access controls are implemented to prevent unauthorized access and data breaches.
Integrity: Integrity focuses on maintaining the accuracy and reliability of data. It ensures that information is not
altered or tampered with during storage or transmission. Techniques like hashing and digital signatures are
commonly used to verify data integrity.
Availability: This principle guarantees that systems and data are accessible when needed. Strategies to enhance
availability include redundancy, backups, and disaster recovery plans, which help mitigate the impact of attacks
like Distributed Denial of Service (DDoS).
Layers of Cyber security
Cyber security employs a layered approach to protect systems and data from various threats. Here are the seven
key layers:

1. Mission-Critical Assets: This layer focuses on protecting essential data and systems that are crucial for business
operations, such as financial records or sensitive customer information.
2. Data Security: This involves implementing controls to safeguard data during storage and transmission. It
includes encryption, backups, and access controls to prevent unauthorized access.
3. Endpoint Security: This layer secures user devices such as laptops, mobile phones, and desktops from
exploitation. Endpoint security solutions can operate in both network and cloud environments.
4. Application Security: This encompasses the security measures designed to protect applications from
vulnerabilities. Regular updates and secure coding practices are essential to defend against threats.
5. Network Security: This layer protects the integrity of networks by preventing unauthorized access. It includes
firewalls, intrusion detection systems, and regular updates to network protocols.
6. Perimeter Security: This involves both physical and digital measures to protect the organizational boundary
from external threats. Techniques include firewalls, demilitarized zones (DMZ), and data encryption.
7. The Human Layer: Recognizing that humans are often the weakest link in cyber security, this layer focuses on
training employees to recognize threats like phishing and implement proper security protocols.
In the cryptographic literature, there are two types of attacks, namely
passive and active. The first is a passive adversary, who can eavesdrop on
all network communication, with the goal of learning as much confidential
information as possible. The other is an active intruder, who can modify
messages at will, introduce packets into the message stream, or delete
messages.

Attacks
Active Attacks
Active attacks involve direct interaction with a target system, where the attacker aims to modify, disrupt, or
damage the system or its data. This type of attack is characterized by the following:
• Modification of Data: The attacker alters the content of messages or data in transit.
• Immediate Impact: Active attacks can cause noticeable disruptions, such as system crashes or data loss.
Types of Active Attacks:
• Denial-of-Service (DoS): Overwhelming a system with traffic to make it unavailable.
• Man-in-the-Middle (MitM): Intercepting and altering communications between two parties.
• Session Hijacking: Taking control of a user session after authentication.
• Ransomware: Encrypting files and demanding payment for decryption.
Detection: Active attacks are generally easier to detect due to their disruptive nature, often triggering alerts in
security systems.
Passive Attacks
Passive attacks are characterized by the attacker monitoring or eavesdropping on communications without
altering any data. The goal is typically to gather information stealthily. Key features include:
• No Data Modification: The attacker collects data without changing it, making these attacks less detectable.
• Stealthy Approach: Passive attacks aim to exploit vulnerabilities without alerting the target.
Types of Passive Attacks:
• Traffic Analysis: Monitoring patterns of communication to infer information.
• Eavesdropping: Listening in on private communications without detection.
Detection: These attacks are more challenging to identify since they do not disrupt normal operations. They may
require sophisticated monitoring tools to detect anomalies.
SECURITY SERVICES
The classification of security services is as follows:
• Confidentiality: Ensures that the information in a computer system and transmitted information are accessible
only for reading by authorized parties.
E.g., printing, displaying and other forms of disclosure.
• Authentication: Ensures that the origin of a message or electronic document is correctly identified, with an
assurance that the identity is not false.
• Integrity: Ensures that only authorized parties are able to modify computer system assets and transmitted
information. Modification includes writing, changing status, deleting, creating and delaying or replaying of
transmitted messages.
• Non-repudiation: Requires that neither the sender nor the receiver of a message be able to deny the
transmission.
• Access control: Requires that access to information resources may be controlled by or for the target system.
• Availability: Requires that computer system assets be available to authorized parties when needed.
SECURITY MECHANISMS
• Cryptographic techniques are among the most specific security mechanisms in use. Encryption or encryption-like
transformations of information are the most common means of providing security. Some of the mechanisms are:
1. Encipherment
2. Digital Signature
3. Access Control
SECURITY ATTACKS
There are four general categories of attack which are listed below.
Interruption
An asset of the system is destroyed or becomes unavailable or unusable. This is an attack on availability,
e.g., destruction of a piece of hardware, cutting of a communication line or
disabling of the file management system.
Interception
An unauthorized party gains access to an asset. This is an attack on confidentiality. The unauthorized party could be a
person, a program or a computer, e.g., wire tapping to capture data in the network, illicit copying of files.

Modification
An unauthorized party not only gains access to but tampers with an asset. This is an attack on integrity. e.g.,
changing values in data file, altering a program, modifying the contents of messages being transmitted in a
network.

Fabrication
An unauthorized party inserts counterfeit objects into the system. This is an attack on authenticity. e.g., insertion
of spurious message in a network or addition of records to a file.
Cryptography Basics
Cryptography is the practice and study of techniques for securing communication and information from
unauthorized access. It transforms readable data (plaintext) into an unreadable format (ciphertext) through
various algorithms, ensuring that only authorized parties can access the original information.
Key Concepts in Cryptography
1. Encryption and Decryption:
• Encryption: The process of converting plaintext into ciphertext using an encryption algorithm and a key.
• Decryption: The reverse process, where ciphertext is converted back into plaintext using the same or a
different key.
2. Keys:
A key is a piece of information used in the encryption and decryption processes. The security of cryptographic
systems often relies on the secrecy and complexity of these keys.
3. Ciphertext:
This is the output of the encryption process, which appears as random data to anyone who does not possess the
appropriate key.
Types of Cryptography
1. Symmetric Key Cryptography:
• Uses the same key for both encryption and decryption.
• Examples include AES (Advanced Encryption Standard), DES (Data Encryption Standard), and Blowfish.
• Key management is crucial, as both parties must securely share the key.
2. Asymmetric Key Cryptography:
• Utilizes a pair of keys: a public key for encryption and a private key for decryption.
• Widely used in secure communications over the internet, such as SSL/TLS protocols.
• An example is the RSA (Rivest-Shamir-Adleman) algorithm.
3. Hash Functions:
• These functions take input data and produce a fixed-size string of characters, which appears random.
• Hashing does not use keys; instead, it ensures data integrity by generating unique hash values for different inputs.
• Common hash functions include SHA-256 and MD5.
Principles of Cryptography
• Confidentiality: Ensures that information is accessible only to those authorized to have access.
• Integrity: Guarantees that data has not been altered in transit.
• Authentication: Verifies the identities of the parties involved in communication.
• Non-repudiation: Ensures that a sender cannot deny sending a message.
Applications of Cryptography
Cryptography is widely used in various applications, including:
• Secure Communications: Protecting emails, messages, and calls from eavesdroppers.
• Data Protection: Securing sensitive information stored on devices or transmitted over networks.
• Digital Signatures: Providing authenticity and integrity to digital documents.
• Secure Transactions: Ensuring safety in online banking and e-commerce.
Symmetric Ciphers
Symmetric ciphers are a fundamental aspect of cryptography, utilizing the same key for both encryption and
decryption processes. This method is efficient and widely used in various applications, particularly for bulk data
encryption.
Key Characteristics
1. Single Key Usage: Both the sender and receiver share a secret key, which must be kept confidential. This key is
used to convert plaintext into ciphertext and vice versa.
2. Types of Symmetric Ciphers:
• Block Ciphers: Encrypt data in fixed-size blocks (e.g., AES, DES). Each block of plaintext is transformed into a block
of ciphertext.
• Stream Ciphers: Encrypt data one bit or byte at a time, often using a key stream (e.g., RC4, Salsa20).
3. Efficiency: Symmetric ciphers are generally faster than asymmetric ciphers due to their simpler mathematical
operations, making them suitable for encrypting large volumes of data.
Common Symmetric Ciphers
• AES (Advanced Encryption Standard): A widely used block cipher that supports key sizes of 128, 192, and 256
bits. It is known for its security and efficiency.
• DES (Data Encryption Standard): An older standard that uses a 56-bit key. While historically significant, it is now
considered insecure due to its short key length.
• ChaCha20: A modern stream cipher known for its speed and security, particularly in mobile devices.
• Twofish: A block cipher that supports variable key lengths up to 256 bits, known for its flexibility and
performance.
Encryption Process
The symmetric encryption process involves several steps:
1. Plaintext Input: The original message that needs to be encrypted.
2. Secret Key: The shared key used for both encryption and decryption.
3. Encryption Algorithm: A mathematical function that transforms plaintext into ciphertext using the secret key.
4. Ciphertext Output: The encrypted data that is transmitted or stored securely.
The decryption process reverses this operation using the same secret key.
Transposition
Transposition ciphers are a fundamental method of encryption used to secure data by rearranging the positions of
characters in the plaintext without altering the characters themselves. This technique is essential in various
cryptographic applications and serves as a building block for more complex encryption systems.
Key Features of Transposition Ciphers
1. Rearrangement: In transposition ciphers, the plaintext characters are rearranged according to a specific system
or key, maintaining their original identity. Unlike substitution ciphers, which replace characters, transposition
ciphers simply shuffle their order.
2. Types of Transposition Ciphers:
• Rail Fence Cipher: A simple method where the plaintext is written in a zigzag pattern across multiple lines (rails)
and then read off row by row.
• Columnar Transposition Cipher: The plaintext is arranged into a grid or matrix, and columns are reordered based
on a keyword or key number.
• Route Cipher: Characters are placed in a geometric array, and the ciphertext is obtained by reading the characters
in a predetermined route.
3. Historical Context: Transposition ciphers have been used for centuries, with examples like the Spartan "scytale,"
where messages were written on a strip of parchment wrapped around a staff. Only someone with a staff of the
same diameter could read the message.
Rail Fence Cipher
The Rail Fence Cipher is a simple transposition cipher that encrypts plaintext by rearranging the characters in a
zigzag pattern across multiple "rails" or rows. This method is easy to understand and implement, making it a
popular choice for basic encryption tasks.
How It Works
• Writing the Plaintext: The plaintext message is written diagonally down and up across the rails. When you reach
the bottom rail, you change direction and move back up.
• Reading the Ciphertext: After filling in all the characters, the ciphertext is formed by reading each row
sequentially.
Columnar Transposition Cipher:
The Columnar Transposition Cipher is a type of transposition cipher that encrypts plaintext by rearranging the
characters into a grid format based on a keyword. This method enhances security by utilizing both the
arrangement of characters and the order defined by the keyword.
How It Works
• Choosing a Keyword: A keyword determines the number of columns and the order in which they will be read. For
example, if the keyword is "ZEBRAS," it has 6 letters, meaning the plaintext will be arranged in 6 columns.
• Writing the Plaintext: The plaintext is written out in rows, filling in each column sequentially. If there are leftover
spaces, they can be filled with null characters (or left blank).
• Reordering Columns: The columns are then reordered based on the alphabetical order of the letters in the
keyword. For "ZEBRAS," the order would be determined as follows: Z (6), E (3), B (2), R (4), A (1), S (5) → Order:
6 3 2 4 1 5
• Reading Off Ciphertext: Finally, the ciphertext is read off column by column in the new order defined by the
keyword.
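The rail fence and columnar procedures described above, as an added Python example (not code from the original notes). The sample message is constructed, and the columnar routine also handles an unpadded last row, the "left blank" case mentioned in the text.

```python
# Added illustration of the two transposition ciphers described above.

MESSAGE = "WEAREDISCOVEREDFLEEATONCE"   # constructed sample plaintext


def rail_pattern(length, rails):
    """Rail index for each position: down to the bottom rail, then back up."""
    if rails < 2:
        raise ValueError("need at least two rails")
    pattern, rail, step = [], 0, 1
    for _ in range(length):
        pattern.append(rail)
        if rail == 0:
            step = 1
        elif rail == rails - 1:
            step = -1
        rail += step
    return pattern


def rail_fence_encrypt(plaintext, rails):
    rows = [[] for _ in range(rails)]
    for ch, rail in zip(plaintext, rail_pattern(len(plaintext), rails)):
        rows[rail].append(ch)
    return "".join("".join(row) for row in rows)       # read row by row


def rail_fence_decrypt(ciphertext, rails):
    pattern = rail_pattern(len(ciphertext), rails)
    # A stable sort of positions by rail gives the order letters were read off.
    read_order = sorted(range(len(ciphertext)), key=lambda i: pattern[i])
    plain = [""] * len(ciphertext)
    for ch, pos in zip(ciphertext, read_order):
        plain[pos] = ch
    return "".join(plain)


def column_order(keyword):
    """Column indices in reading order: alphabetical, ties broken left to right."""
    return sorted(range(len(keyword)), key=lambda i: (keyword[i], i))


def column_ranks(keyword):
    """Rank of each keyword letter, e.g. ZEBRAS -> [6, 3, 2, 4, 1, 5]."""
    ranks = [0] * len(keyword)
    for rank, col in enumerate(column_order(keyword), start=1):
        ranks[col] = rank
    return ranks


def columnar_encrypt(plaintext, keyword, pad=None):
    ncols = len(keyword)
    if pad is not None and len(plaintext) % ncols:
        plaintext += pad * (ncols - len(plaintext) % ncols)   # fill with nulls
    # Column c holds every ncols-th character starting at offset c.
    return "".join(plaintext[c::ncols] for c in column_order(keyword))


def columnar_decrypt(ciphertext, keyword):
    ncols = len(keyword)
    full_rows, extra = divmod(len(ciphertext), ncols)
    columns, pos = {}, 0
    for c in column_order(keyword):
        # Without padding, only the first `extra` columns have one more letter.
        height = full_rows + (1 if c < extra else 0)
        columns[c] = ciphertext[pos:pos + height]
        pos += height
    rows = full_rows + (1 if extra else 0)
    return "".join(columns[c][r]
                   for r in range(rows)
                   for c in range(ncols)
                   if r < len(columns[c]))


if __name__ == "__main__":
    print(rail_fence_encrypt(MESSAGE, 3))
    print(column_ranks("ZEBRAS"), columnar_encrypt(MESSAGE, "ZEBRAS"))
```

Both ciphertexts contain exactly the letters of the plaintext, only reordered, which is why a transposition cipher on its own leaves letter frequencies untouched.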
Route Cipher
The Route Cipher is a type of transposition cipher that encrypts plaintext by writing it into a grid and then reading
the letters in a predetermined route. This method allows for various paths to be taken through the grid, adding
complexity to the encryption process.
How It Works
• Grid Formation: The plaintext is written into a rectangular grid. The dimensions of the grid (number of rows and
columns) can be determined by a key.
• Choosing a Route: The route defines how the letters will be read from the grid. Common routes include:
  – Spiraling inwards: Starting from a corner and moving inwards.
  – Zigzagging: Moving back and forth across the rows or columns.
• Reading the Ciphertext: After filling in the grid, the ciphertext is generated by following the chosen route to read
off the letters.
Substitution
Substitution ciphers are a fundamental type of encryption method in which each letter or symbol in the plaintext
is replaced with another letter or symbol according to a defined system or key. This technique has been used for
centuries and forms the basis of many modern cryptographic algorithms.
Key Features of Substitution Ciphers
• Replacement Mechanism: Each character in the plaintext is substituted with another character based on a fixed
rule. This can be a simple one-to-one mapping (monoalphabetic) or involve multiple mappings (polyalphabetic).
• Types of Substitution Ciphers:
1. Simple Substitution Cipher: Each letter is replaced with another letter consistently throughout the message
(e.g., Caesar Cipher).
2. Monoalphabetic Cipher: A fixed substitution is applied across the entire message.
3. Polyalphabetic Cipher: Uses multiple substitution alphabets, making it more complex and secure (e.g., Vigenère
Cipher).
• Encryption and Decryption: The process involves converting plaintext into ciphertext using a key for encryption,
and reversing the process to retrieve the original message.
• Historical Context: Substitution ciphers date back thousands of years and were used in various historical contexts,
including military communications.
Simple Substitution Cipher
A simple substitution cipher is a basic encryption technique where each letter in the plaintext is replaced with
another letter according to a fixed system or key. This method is one of the oldest forms of cryptography and
serves as an introductory concept in the study of encryption.
Monoalphabetic Cipher
A monoalphabetic cipher is a type of substitution cipher in which each letter in the plaintext is replaced with a
corresponding letter from a fixed substitution alphabet. This method maintains a one-to-one relationship
between plaintext and ciphertext characters, making it relatively straightforward to implement.
Polyalphabetic Cipher
A polyalphabetic cipher is a type of substitution cipher that uses multiple substitution alphabets to encrypt a
message. This method significantly increases security compared to monoalphabetic ciphers, where each letter is
replaced with a fixed letter throughout the entire message.
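An added example (not part of the original notes) that measures the difference described above: a monoalphabetic cipher only relabels letters, so the plaintext's frequency profile survives, while a Vigenère keyword spreads each plaintext letter over several ciphertext letters. The substitution alphabet, the keyword LEMON and the sample text are constructed for the illustration.

```python
# Added illustration: frequency profile under mono- vs polyalphabetic substitution.
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Constructed substitution alphabet (keyword-mixed with ZEBRAS); an assumption.
MONO_KEY = "ZEBRASCDFGHIJKLMNOPQTUVWXY"

# Constructed sample plaintext.
SAMPLE = (
    "A POLYALPHABETIC CIPHER IS A TYPE OF SUBSTITUTION CIPHER THAT USES "
    "MULTIPLE SUBSTITUTION ALPHABETS TO ENCRYPT A MESSAGE THIS METHOD "
    "SIGNIFICANTLY INCREASES SECURITY COMPARED TO MONOALPHABETIC CIPHERS "
    "WHERE EACH LETTER IS REPLACED WITH A FIXED LETTER THROUGHOUT THE "
    "ENTIRE MESSAGE"
)


def letters(text):
    """Upper-case letters only; spaces and punctuation are dropped."""
    return [c for c in text.upper() if c in ALPHABET]


def monoalphabetic(text, key_alphabet=MONO_KEY):
    """One fixed mapping for the whole message."""
    if sorted(key_alphabet) != list(ALPHABET):
        raise ValueError("key must be a permutation of A-Z")
    table = dict(zip(ALPHABET, key_alphabet))
    return "".join(table[c] for c in letters(text))


def vigenere(text, keyword):
    """Polyalphabetic: the shift alphabet changes with the keyword position."""
    shifts = [ALPHABET.index(k) for k in keyword.upper()]
    return "".join(
        ALPHABET[(ALPHABET.index(c) + shifts[i % len(shifts)]) % 26]
        for i, c in enumerate(letters(text))
    )


def frequency_profile(text):
    """Letter counts sorted from most to least common (labels ignored)."""
    return sorted(Counter(letters(text)).values(), reverse=True)


def index_of_coincidence(text):
    """Probability that two letters drawn at random from the text are equal."""
    counts = Counter(letters(text))
    n = sum(counts.values())
    return sum(v * (v - 1) for v in counts.values()) / (n * (n - 1))


if __name__ == "__main__":
    for name, text in [("plaintext", SAMPLE),
                       ("monoalphabetic", monoalphabetic(SAMPLE)),
                       ("vigenere", vigenere(SAMPLE, "LEMON"))]:
        print(f"{name:15s} IoC={index_of_coincidence(text):.4f} "
              f"top counts={frequency_profile(text)[:5]}")
```

The monoalphabetic ciphertext has exactly the same index of coincidence as the plaintext, while the Vigenère ciphertext moves toward the value expected of uniformly random letters (about 0.038).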
Rotor Machines
Rotor machines are mechanical devices used for encryption and decryption, notably during the early to mid-20th
century. They revolutionized cryptography by allowing for complex encryption algorithms that were significantly
more secure than manual ciphers.
Key Features of Rotor Machines
• Mechanism: Rotor machines consist of a series of rotating disks (or rotors), each with electrical connections that
map input letters to output letters. As each letter is encrypted, the rotors rotate, changing the substitution
pattern for subsequent letters.
• Complexity: The use of multiple rotors increases the number of possible encryption combinations exponentially.
For example, a machine with three rotors can have a key space that is significantly larger than simpler ciphers,
making it more resistant to cryptanalysis.
• Historical Significance: The most famous rotor machine is the Enigma machine, used by Germany during World
War II. It employed a combination of rotors and a plugboard to further scramble the letters, creating a highly
complex encryption system.
• Development: The concept of rotor machines emerged in the early 20th century, with several inventors
independently developing their own versions around 1915, including Theo van Hengel and Edward Hebern.
How Rotor Machines Work
Encryption Process:
• The plaintext letter is input into the machine.
• The electrical signal passes through the rotors, which change the letter according to their internal wiring.
• After passing through the rotors, the signal is output as a different letter.
• The rotors rotate after each letter is encrypted, changing the substitution for the next letter.
Decryption Process:
• The ciphertext is input in the same way.
• The rotors must be set to the same initial position as during encryption to retrieve the original plaintext.
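The encryption and decryption steps above as an added Python simulation (not code from the original notes). It models only what the text describes: wired rotors that step after each letter, with odometer-style carry assumed; the three wiring strings are the published wirings of Enigma rotors I, II and III, used here purely as fixed permutations, with no reflector or plugboard.

```python
# Added illustration of a three-rotor machine; not an Enigma emulator.
import string

ALPHABET = string.ascii_uppercase

WIRINGS = (
    "EKMFLGDQVZNTOWYHXUSPAIBRCJ",
    "AJDKSIRUXBLHWTMCQGZNPYFVOE",
    "BDFHJLCPRTXVZNYEIWGAKMUSQO",
)


class Rotor:
    def __init__(self, wiring, position=0):
        if sorted(wiring) != list(ALPHABET):
            raise ValueError("wiring must be a permutation of A-Z")
        self.forward = [ALPHABET.index(ch) for ch in wiring]
        self.backward = [0] * 26
        for src, dst in enumerate(self.forward):
            self.backward[dst] = src
        self.position = position % 26

    def encode(self, c):
        # Rotating the rotor shifts which contact the signal enters and leaves.
        return (self.forward[(c + self.position) % 26] - self.position) % 26

    def decode(self, c):
        return (self.backward[(c + self.position) % 26] - self.position) % 26

    def step(self):
        """Advance one position; True when the rotor completes a full turn."""
        self.position = (self.position + 1) % 26
        return self.position == 0


class RotorMachine:
    def __init__(self, wirings, start):
        self.rotors = [Rotor(w, p) for w, p in zip(wirings, start)]

    def positions(self):
        return [r.position for r in self.rotors]

    def _advance(self):
        # Odometer carry: the next rotor moves only when this one wraps around.
        for rotor in self.rotors:
            if not rotor.step():
                break

    def _run(self, text, decrypting):
        out = []
        for ch in text.upper():
            if ch not in ALPHABET:
                out.append(ch)            # non-letters pass through, no stepping
                continue
            c = ALPHABET.index(ch)
            if decrypting:
                for rotor in reversed(self.rotors):
                    c = rotor.decode(c)
            else:
                for rotor in self.rotors:
                    c = rotor.encode(c)
            out.append(ALPHABET[c])
            self._advance()               # rotors move after each letter
        return "".join(out)

    def encrypt(self, text):
        return self._run(text, False)

    def decrypt(self, text):
        return self._run(text, True)


def encrypt(text, start):
    return RotorMachine(WIRINGS, start).encrypt(text)


def decrypt(text, start):
    return RotorMachine(WIRINGS, start).decrypt(text)


if __name__ == "__main__":
    print(encrypt("AAA", (0, 0, 0)))            # same letter, changing output
    print(decrypt("GDV", (0, 0, 0)), decrypt("GDV", (1, 0, 0)))
```

The repeated plaintext letter encrypts to three different letters because the substitution changes with every step, and decrypting from a start position that is off by one notch does not recover the message.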
Advantages and Disadvantages
Advantages:
• Increased Security: The complexity of rotor machines makes them much harder to break than simpler ciphers.
• Multiple Stages of Encryption: Each rotor can be seen as an additional layer of encryption, enhancing overall
security.
Disadvantages:
• Mechanical Vulnerabilities: Early rotor machines had weaknesses that could be exploited by skilled cryptanalysts.
For example, William F. Friedman identified vulnerabilities in Hebern's rotor machine.
• Key Management: Properly setting up and managing keys was essential; if keys were compromised or not
correctly aligned, decryption would fail.
Block Cipher
A block cipher is a symmetric cryptographic technique that encrypts data in fixed-size blocks, typically using a
shared secret key. This method contrasts with stream ciphers, which encrypt data one bit at a time. Block ciphers
are fundamental to many encryption protocols and are widely used in securing sensitive information.
Key Characteristics
• Fixed Block Size: Block ciphers operate on fixed-size blocks of data, commonly 64 bits or 128 bits. If the plaintext is
longer than the block size, it is divided into multiple blocks for encryption.
• Encryption and Decryption: A block cipher uses two algorithms: one for encryption (E) and one for decryption (D).
The decryption algorithm is the inverse of the encryption algorithm, allowing the original plaintext to be
recovered from the ciphertext.
• Deterministic Algorithm: The same plaintext encrypted with the same key will always produce the same
ciphertext, which can be a vulnerability if not managed properly.
Common Block Ciphers
• Data Encryption Standard (DES): An older standard that operates on 64-bit blocks with a key size of 56 bits. It has
been largely replaced due to security vulnerabilities.
• Advanced Encryption Standard (AES): A widely used block cipher that supports key sizes of 128, 192, and 256 bits
and operates on 128-bit blocks. AES is considered secure and efficient for modern applications.
• Twofish: A block cipher that uses a block size of 128 bits and variable key lengths up to 256 bits. It was one of the
finalists in the AES competition.
Data Encryption Standard
The Data Encryption Standard (DES) is a symmetric-key block cipher that was widely used for data encryption.
Developed in the early 1970s by IBM and adopted as a federal standard by the U.S. National Institute of Standards
and Technology (NIST) in 1977, DES played a significant role in securing sensitive data until its deprecation.
Key Features
• Block Size: DES operates on 64-bit blocks of plaintext, meaning that each block of data is encrypted at once.
• Key Length: Although the key size is nominally 64 bits, only 56 bits are effective for encryption, as the remaining 8
bits are used for parity checks.
• Feistel Structure: DES uses a Feistel network structure, which involves 16 rounds of processing where the plaintext
is split into two halves and processed through various functions, including permutations and substitutions.
• Initial and Final Permutations: Before the first round and after the last round, an initial permutation (IP) and a final
permutation (FP) are applied to the data. These permutations do not add security but help in the overall structure
of the algorithm.
• Round Function: The core of DES is its round function, which applies a combination of substitution (S-boxes) and
permutation operations to transform the data.
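An added Python example (not code from the original notes, and not DES) covering two points made above: a 16-round Feistel network is undone by running the same rounds with the subkeys reversed, and a deterministic block cipher applied block by block exposes repeated plaintext blocks unless the blocks are chained with a random initial value. The round function (truncated HMAC-SHA256), the subkey derivation and the sample data are assumptions chosen to keep the code short; DES itself uses S-boxes, permutations and its own key schedule.

```python
# Added illustration: toy 64-bit Feistel cipher, block-by-block vs chained use.
import hashlib
import hmac
import os

BLOCK = 8      # 64-bit blocks, as in DES
ROUNDS = 16    # same round count as DES


def subkeys(key):
    """One subkey per round (stand-in for a real key schedule)."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]


def round_fn(half, subkey):
    """Stand-in round function; it does not need to be invertible."""
    return hmac.new(subkey, half, hashlib.sha256).digest()[:BLOCK // 2]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block, keys):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for k in keys:
        left, right = right, xor(left, round_fn(right, k))
    return right + left    # final swap lets the same routine decrypt


def encrypt_block(block, key):
    return feistel(block, subkeys(key))


def decrypt_block(block, key):
    return feistel(block, subkeys(key)[::-1])    # same network, keys reversed


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(plaintext, key):
    """Each block encrypted independently: equal blocks give equal output."""
    return b"".join(encrypt_block(b, key) for b in blocks(pad(plaintext)))


def cbc_encrypt(plaintext, key, iv=None):
    """Each block is XORed with the previous ciphertext block first."""
    iv = iv or os.urandom(BLOCK)
    out, prev = [iv], iv
    for b in blocks(pad(plaintext)):
        prev = encrypt_block(xor(b, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciphertext, key):
    bs = blocks(ciphertext)
    return unpad(b"".join(xor(decrypt_block(c, key), p)
                          for p, c in zip(bs, bs[1:])))


def repeated_blocks(ciphertext):
    """How many ciphertext blocks duplicate an earlier block."""
    bs = blocks(ciphertext)
    return len(bs) - len(set(bs))


if __name__ == "__main__":
    key = b"constructed demo key"
    record = b"PAY 0100" * 4               # constructed: four identical blocks
    print("block-by-block repeats:", repeated_blocks(ecb_encrypt(record, key)))
    print("chained repeats:       ", repeated_blocks(cbc_encrypt(record, key)))
```

Chaining hides repetition but does not detect tampering; integrity needs a separate mechanism such as the hashing and digital signatures listed earlier in these notes.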
UNIT-II
SECURITY CONTROLS
People Management-Human Resource Security-Security
Awareness and Education- Information Management-
Information Classification and handling-Privacy-Documents
and Record Management-Physical Asset Management-Office
Equipment-Industrial Control Systems-Mobile Device
Security- System Development-Incorporating Security into
SDLC- Case study on information security policies.
PEOPLE MANAGEMENT
HUMAN RESOURCE SECURITY
Sound security practice dictates that information security requirements be embedded into each stage of the
employment life cycle, specifying security- related actions required during the induction of each individual, the
employee’s ongoing management, and termination of his or her employment.
– Hiring new employees
– Training employees
– Monitoring employee behavior
– Handling employee departure/termination
1. Security in the Hiring Process
ISO 27002, Code of Practice for Information Security Controls, lists the following security objective of the hiring
process: to ensure that employees and contractors understand their responsibilities and are suitable for the roles
for which they are considered.
• Background Checks and Screening
• Employment Agreements
• Job Descriptions
2. During Employment
ISO 27002 lists the following security objective with respect to current employees: to ensure that employees and
contractors are aware of and fulfill their information security responsibilities.
• Least privilege
• Separation of duties
• Limited reliance on key employees
• Dual operator policy
3. Termination of Employment
ISO 27002 lists the following security objective with respect to termination of employment: to protect the
organization’s interests as part of the process of changing or terminating employment.
• Removing the person’s name from all lists of authorized access to applications and systems
• For IT personnel, ensuring that no rogue admin accounts were created
• Explicitly informing guards that the ex-employee is not allowed into the building without special authorization by
named employees
• Removing all personal access codes
• Recovering all assets, including employee ID, disks, documents, and equipment
• Notifying, by memo or email, appropriate departments so that they are aware of the change in employment
status
SECURITY AWARENESS AND EDUCATION
Two key National Institute of Standards and Technology (NIST) publications are relevant here:
• SP 800-16, A Role-Based Model for Federal Information Technology/Cybersecurity Training
• SP 800-50, Building an Information Technology Security Awareness and Training Program
1.Security Awareness
Because all employees have security responsibilities, all employees must have suitable awareness training. Awareness
seeks to focus an individual’s attention on an issue or a set of issues.
• Security Awareness
• Security Culture
• Negligent Behavior
• Accidental Behavior
• Malicious Behavior
• Change Management
An awareness training program consists of the communication materials and methods used to convey security awareness.
• Use in-house materials
• Use externally obtained materials
In-house materials that are effectively used include the following:
• Brochures, leaflets, and fact sheets
• Security handbook
• Regular email or newsletter
• Distance learning
• Workshop and training sessions
• Formal classes
• Video
• Website
• Emphasizing the difference between critical information and sensitive information, which must be treated
differently.
• Critical information: information that needs to be available and have integrity
• Sensitive information: information that can be disclosed only to authorized individuals
• Number of security incidents due to human behavior
• Audit findings
• Results of staff surveys
• Tests of whether staff follow correct procedures
• Number of staff completing training
2. Cybersecurity Essentials Program
Its principal function is to target users of IT systems and applications, including company-supplied mobile devices
and bring your own device (BYOD) policies, and develop sound security practices for these employees.
Secondarily, it provides the foundation for subsequent specialized or role-based training by providing a universal
baseline of key security terms and concepts.
Bring your own device (BYOD)
An IT strategy in which employees, business partners, and others use their personally selected and purchased
client devices to execute enterprise applications and access data and the corporate network.
Key topics that should be covered include:
• Technical underpinnings of cybersecurity and its taxonomy, terminology, and challenges
• Common information and computer system security vulnerabilities
• Common cyberattack mechanisms, their consequences, and motivations for use
• Different types of cryptographic algorithms
• Firewalls and other means of intrusion prevention
• Fundamental security design principles and their role in limiting points of vulnerability
3. Role-Based Training
Role-based training is targeted at individuals who have functional rather than user roles with respect to IT systems
and applications.
• Manage
• Design
• Implement
• Evaluate
4. Education and Certification
An education and certification program is targeted at those who have specific security responsibilities, as opposed
to IT workers who have some other.
• Global Information Assurance Certification (GIAC) Security Essentials (GSEC)
• Systems Security Certified Practitioner (SSCP)
• Information Systems Audit and Control Association (ISACA)
• Certified Information Security Manager (CISM)
• SANS computer security training and certification
INFORMATION MANAGEMENT
INFORMATION CLASSIFICATION AND HANDLING
A necessary preliminary step to the development of security controls and policies for protecting information is
that all the information assets of the organization must be classified according to their importance and according
to the impact of security breaches involving the information.
Handling of assets:
1. Information Classification
It is useful to view information classification and
handling in the overall context of risk management.
• Categorize
• Select
• Implement
• Assess
• Authorize
• Monitor
That are essential to information classification:
– Information type
– Security objective
– Impact
– Security classification
2. Information Labeling
A label needs to be associated with each instance of an information type so that its classification is clearly and
unambiguously known. Methods are needed to ensure that a label is not separated from the information and that
the content of the label is secure from unauthorized modification.
Radio-frequency identification (RFID)
A data collection technology that uses electronic tags attached to items to allow the items to be identified and
tracked with a remote system. The tag consists of an RFID chip attached to an antenna.
3. Information Handling
Information handling refers to processing, storing, communicating, or otherwise handling information consistent
with its classification.
ISO 27002 lists the following relevant considerations:
• Access restrictions supporting the protection requirements for each level of classification
• Maintenance of a formal record of the authorized recipients of assets
• Protection of temporary or permanent copies of information to a level consistent with the protection of the
original information
• Storage of IT assets in accordance with manufacturers’ specifications
An organization can also take advantage of broader information management tools, such as a document
management system (DMS) or a records management system (RMS).
Data Loss Prevention (DLP)
The automated tools should facilitate integration with other security tools, such as encryption and digital
signature modules and data loss prevention (DLP) packages. DLP is a set of technologies and inspection techniques used
to classify information content contained within an object—such as a file, an email, a packet, an application, or a
data store—while at rest (in storage), in use (during an operation), or in transit (across a network).
PHYSICAL ASSET MANAGEMENT
OFFICE EQUIPMENT
INDUSTRIAL CONTROL SYSTEMS
MOBILE DEVICE SECURITY
SYSTEM DEVELOPMENT
INCORPORATING SECURITY INTO THE SDLC
Case study on information security policies.
This case study examines the implementation of information security policies within organizations, focusing on
the factors that contribute to successful adoption and the role of top management. It is based on research
conducted through interviews and document analysis, highlighting the importance of security policies in
protecting organizational assets.
Background
• Client Profile: The study involved two public organizations that manage sensitive data and are subject to
regulatory compliance. Both organizations faced challenges in implementing effective information security
policies.
Objectives
• Investigate success factors related to the implementation of information security policies.
• Understand the role of top management in enforcing these policies.
Methodology
1. Data Collection:
• Conducted interviews with key stakeholders in both organizations to gather insights on their experiences with
information security policies.
• Performed a literature review to identify established success factors related to policy implementation.
• Analyzed existing documents and reports related to information security practices.
2. Success Factors Identified
• Management Support: The involvement and commitment of top management were crucial for policy enforcement and
resource allocation.
• Security Awareness and Training: Regular training sessions helped employees understand the importance of security
policies and their role in safeguarding information.
• Budget Allocation: Adequate funding for security initiatives enabled organizations to implement necessary technologies
and training programs.
• Policy Enforcement: Clear guidelines for enforcing policies were essential for maintaining compliance and accountability.
Findings
Role of Top Management
• One organization reported that top management involvement was vital for successful policy implementation, citing their
influence on resource allocation and prioritization of security initiatives.
• Conversely, the other organization believed that successful implementation could occur without direct management
involvement, relying instead on departmental responsibility.
Challenges Faced
• Resistance from employees due to a lack of understanding of the importance of security policies.
• Difficulty in keeping policies updated with evolving threats and regulatory requirements.
Recommendations for Improvement
• Enhance communication between management and employees regarding the importance of security policies.
• Regularly review and update policies to reflect current threats and compliance requirements.
• Foster a culture of security awareness through ongoing training programs.
UNIT-III
CYBER SECURITY FOR BUSINESS APPLICATIONS
AND NETWORKS
Business Application Management-Corporate Business
Application Security-End user Developed Applications-
System Access- Authentication Mechanisms-Access
Control- System Management-Virtual Servers-Network
Storage Systems-Network Management Concepts-Firewall-IP
Security-Electronic Communications – Case study on OWASP
vulnerabilities using OWASP ZAP tool.
Business Application Management
Business application management and security is a complex field. Applications encompass purpose-built
applications developed in-house or by contractors, applications supplied by application and operating system
vendors, and open source application software. Applications may operate on a variety of platforms, including
workstations, PCs, mobile devices, and web-based platforms. They may also need to access and generate a wide
variety of data files and databases.
CORPORATE BUSINESS APPLICATION SECURITY
Application security overlaps with many of the topics covered in other chapters but needs to be considered as a
separate security concern as well.
The aim of web application security is to identify the following:
– Critical assets of the organization
– Genuine users who may access the data
– The level of access provided to each user
– Various vulnerabilities that may exist in the application
– Data criticality and risk analysis on data exposure
– Appropriate remediation measures
Application security
• The use of software, hardware, and procedural solutions to protect applications from external threats.
• This includes adding features or functionality to application software to prevent a range of different threats.
• It also includes security features outside the application, such as firewalls, antivirus software, and access control
methods
1. Business Application Register
As part of application portfolio management, there should be an inventory, or register, of all applications, with
details concerning each application, including security-related aspects.
Commercial-off-the-shelf (COTS) software
• Software that is commercially available, leased, licensed, or sold to the general public and that requires no special
modification or maintenance over the life cycle of the product to meet the needs of the procuring agency.
2. Business Application Protection
• To protect business assets, sound security architecture principles should be applied to business applications.
• The considerations are somewhat different for two categories: internally developed applications and externally
developed applications.
Internal Application Security
For any application that is developed within the organization, it is essential to incorporate security into all stages of
the SDLC
• Document security requirements.
• Develop standardized procedures for evaluating application security products and services.
• Enforce compliance with government and industry standards and regulations.
• Develop a policy for pre-deployment application testing and validation
• Construct a policy for documentation of application code review.
External Application Security
• The external environment, including the host operating system or virtual operating system, the hardware platform,
and network connections
– Protection against unauthorized access using access control measures at the operating system level
– Enforcement of virtual platform security
– Encryption of network traffic using Transport Layer Security (TLS) or Internet Protocol Security (IPsec)
3. Browser-Based Application Protection
• As enterprises move applications online, both for internal use and for external users, such as customers and
vendors, web application security becomes an increasing concern.
• Web Application Security Risks
– Injection
– Broken authentication
– Sensitive data exposure
– Security misconfiguration
– XML external entity
– Insecure deserialization
– Broken access control
– Using components with known vulnerabilities
– Cross-site scripting (XSS)
– Insufficient logging and monitoring
Web Application Firewall
• The most important tool in countering web application threats is a web application firewall (WAF), a firewall that
monitors, filters, or blocks data packets as they travel to and from a web application.
Context for a Web Application Firewall
• There are a number of hosting options for WAFs, including the following:
– Network-based
– Local hardware
– Local software
Network-based:
• A network-based firewall is a hardware firewall incorporated with a router at the edge of an enterprise network,
acting as a filter to all traffic to and from network devices, including web-based application servers.
• Because there may be a variety of web applications on a number of servers, this approach can be complex to
maintain. In addition, a network-based firewall may not be placed so as to catch internal traffic.
Local hardware:
• A local hardware firewall is placed between the application server and its network connection or connections.
• This type of firewall is much simpler than a network-based firewall because it only has to have logic for filtering
traffic specific to the local server.
Local software:
• A local software firewall is built on the server host operating system or virtual machine operating system.
• This approach can be as effective as a local hardware firewall and is easier to configure and modify
Key features
• Real-time application security monitoring and access control:
• Virtual patching
• Full HTTP traffic logging
• Web application hardening
Real-time application security monitoring and access control:
All HTTP traffic in both directions passes through ModSecurity, where it can be inspected and filtered.
ModSecurity also has a persistent storage mechanism, which enables tracking of events over time to perform event
correlation.
Virtual patching:
• This is the ability to apply web application patching without making changes directly to the application.
• Virtual patching is applicable to applications that use any communication protocol, but it is particularly useful with
HTTP because the traffic can generally be well understood by an intermediary device.
Full HTTP traffic logging:
• Web servers traditionally do very little when it comes to logging for security purposes. ModSecurity gives you the
ability to log events, including raw transaction data, which is essential for forensics.
• In addition, the system manager gets to choose which transactions are logged, which parts of a transaction are
logged, and which parts are sanitized.
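Virtual patching and selective, sanitized logging as described above, modeled in Python as an added example (it is not ModSecurity configuration and not part of the original notes). The rule VP-0001, the /invoice path, the parameter names and the class VirtualPatchMiddleware are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# Hypothetical virtual patch: the /invoice handler is assumed to mishandle a
# non-numeric "id". The rule constrains the parameter in front of the
# application, so the application code itself is not changed.
VIRTUAL_PATCHES = [
    {"rule_id": "VP-0001", "path": "/invoice", "param": "id",
     "must_match": re.compile(r"[0-9]{1,10}")},
]
SANITIZE = {"password", "card_number"}  # values that never reach the log


def legacy_app(environ, start_response):
    """Stands in for the unmodified application behind the firewall."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"application response"]


class VirtualPatchMiddleware:
    """WSGI middleware that inspects each request before the application."""

    def __init__(self, app, patches, sanitize, log_passed=True):
        self.app = app
        self.patches = patches
        self.sanitize = sanitize
        self.log_passed = log_passed  # choose which transactions are logged
        self.audit_log = []           # stands in for the audit log file

    def _violation(self, path, params):
        # Exact path match keeps the sketch short; a real deployment
        # normalizes the path before comparing.
        for rule in self.patches:
            if rule["path"] != path:
                continue
            for name, value in params:
                # Every occurrence of the parameter must match in full.
                if name == rule["param"] and not rule["must_match"].fullmatch(value):
                    return rule["rule_id"]
        return None

    def _log(self, environ, params, rule_id):
        if rule_id is None and not self.log_passed:
            return
        self.audit_log.append({
            "method": environ.get("REQUEST_METHOD", ""),
            "path": environ.get("PATH_INFO", ""),
            # Sanitized parts are masked, the rest is logged as received.
            "params": [(n, "***" if n in self.sanitize else v) for n, v in params],
            "action": "blocked" if rule_id else "passed",
            "rule_id": rule_id,
        })

    def __call__(self, environ, start_response):
        params = parse_qsl(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        rule_id = self._violation(environ.get("PATH_INFO", ""), params)
        self._log(environ, params, rule_id)
        if rule_id:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"request blocked"]
        return self.app(environ, start_response)


def send(mw, path, query=""):
    """Send one constructed GET request through the middleware."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(mw(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    waf = VirtualPatchMiddleware(legacy_app, VIRTUAL_PATCHES, SANITIZE)
    print(send(waf, "/invoice", "id=1042"))
    print(send(waf, "/invoice", "id=12x"))
    print(send(waf, "/login", "user=alice&password=Example-Pass-1"))
    for entry in waf.audit_log:
        print(entry)
```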
END USER-DEVELOPED APPLICATIONS (EUDAS)
Some business processes are supported by user-developed applications, referred to as EUDAs, that are outside the
formal systems supported by the IT organization.
Examples of activities by end user programmers include:
– Using spreadsheets for accounting
– Using MATLAB for analysis
– Creating a web page
– Recording macros in Word
– Automating office tasks
– Creating business software (SAP programming)
1. Benefits of EUDAs
– Convenience and ease of use
– Powerful tools and technology-aware end users
– Demand for information
Benefits of EUDAs include the following:
Convenience and ease of use:
EUDAs can be developed easily and quickly by non-IT staff. Business users frequently become frustrated
with the amount of time taken by the IT department to service their requests.
They therefore often resort to developing their own solutions, using applications such as Microsoft Excel to
meet their reporting needs. EUDAs allow businesses and users to quickly deploy solutions in response to
shifting market and economic conditions, industry changes, or evolving regulations.
Powerful tools and technology-aware end users:
End-user tools offer rich functionality, including the ability to connect to corporate data sources.
As a result, technology-savvy users can perform powerful data processing from their desktops. This can
help plug functionality gaps for business systems
Demand for information:
Traditionally, managers were often constrained by standard reports in IT systems that failed to meet all
management information and reporting requirements.
The lack of flexibility in these systems and increasing demand for different views of the data have resulted in an
increase in the level of end-user computing in organizations.
2. Risks of EUDAs
• User-developed and user-controlled applications are generally not subject to the same development,
monitoring, and reporting rigor and control as traditional applications.
• Errors
• Poor version and change control
• Poor documentation
• Lack of security
• Lack of an audit trail
• Regulatory and compliance violations
• Risk of the unknown
3. EUDA Security Framework
• To deal with the many risks associated with the use of EUDAs, enterprises need a comprehensive security
framework that formalizes procedures for managing EUDAs and clarifies organizational policy.
Governance
• The first set of considerations is in the area of governance. Senior executives must define what constitutes an
EUDA. This involves distinguishing EUDAs from IT-developed and supported applications and specifying
which types of EUDAs should be placed under management control.
People
• Proper management and control of EUDAs requires identifying the key stakeholders in the EUDA management
program. Once the key stakeholders are identified, the next step is to establish the roles and
responsibilities.
Process
• Management’s top concerns with respect to EUDAs are the potential risks of any given application.
– Version control
– Change control
– Data integrity control
– Access control
Authentication Mechanisms
System Access
• System access is the capability that restricts access to business applications, mobile devices, systems, and
networks to authorized individuals for specific business purposes. System access comprises three distinct
functions:
Authentication:
• Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an
information system. This function is often referred to as user authentication, to distinguish it from message
authentication or data authentication.
Authorization:
• In the context of system access, authorization is the granting of access or other rights to a user, program, or
process to access system resources. Authorization defines what an individual or program can do after successful
authentication.
Access control:
• The process of granting or denying specific requests for accessing and using information and related information
processing services and for entering specific physical facilities. Access control ensures that access to assets is
authorized and restricted based on business and security requirements.
Authorization:
A designated security administrator is responsible for creating and maintaining the authorization database. The
administrator sets these authorizations on the basis of the security policy of the organization and the roles and
responsibilities of individual employees.
The process for authorizing users should include the following:
• Associating access privileges with uniquely defined individuals, for example by using unique identifiers, such as
user IDs.
• Maintaining a central record of access rights granted to a user ID to access information systems and services.
• Obtaining authorization from the owner of the information system or service for the use of the information
system or service. Separate approval for access rights from management may also be appropriate.
• Applying the principle of least privilege to give each person the minimum access necessary to do his or her job.
• Assigning individual access privileges for resources based on information security levels and classification of
information.
• Specifying the networks and networked services to be accessed, such as files and databases.
• Defining requirements for expiration of privileged access rights.
• Ensuring that identifiers are not reused. This means deleting authorizations associated with a user ID when the
individual assigned that user ID changes roles or leaves the organization.
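Several of the authorization steps listed above (unique IDs, a central record, owner approval, least privilege, expiry of privileged rights, no identifier reuse) can be enforced in one small register. This is an added Python example, not part of the original notes; the class AuthorizationRegister, the user IDs and the resource name are assumptions made for illustration.

```python
from datetime import datetime, timedelta


class AuthorizationError(Exception):
    pass


class AuthorizationRegister:
    """Central record of access rights, keyed by unique user ID."""

    def __init__(self, resource_owners):
        self.resource_owners = dict(resource_owners)  # resource -> owner's user ID
        self.grants = {}          # user_id -> {(resource, right): expiry or None}
        self.retired_ids = set()  # identifiers that must never be issued again

    def enroll(self, user_id):
        if user_id in self.grants or user_id in self.retired_ids:
            raise AuthorizationError(f"user ID {user_id!r} is in use or retired")
        self.grants[user_id] = {}  # least privilege: a new ID starts with no rights

    def grant(self, user_id, resource, right, approved_by,
              privileged=False, expires=None):
        if user_id not in self.grants:
            raise AuthorizationError("unknown or retired user ID")
        owner = self.resource_owners.get(resource)
        if owner is None or approved_by != owner:
            raise AuthorizationError("grant must be approved by the resource owner")
        if privileged and expires is None:
            raise AuthorizationError("privileged rights require an expiration")
        self.grants[user_id][(resource, right)] = expires

    def is_authorized(self, user_id, resource, right, now):
        rights = self.grants.get(user_id, {})
        if (resource, right) not in rights:
            return False  # anything not explicitly granted is denied
        expires = rights[(resource, right)]
        return expires is None or now < expires

    def retire(self, user_id):
        """Role change or departure: delete authorizations and block reuse.

        This sketch treats both events the same way; after a role change the
        person is enrolled again under a new identifier.
        """
        self.grants.pop(user_id, None)
        self.retired_ids.add(user_id)


def build_demo(now):
    """Constructed sample data: one resource, its owner, one employee."""
    reg = AuthorizationRegister({"payroll-db": "u-owner-01"})
    reg.enroll("u-1001")
    reg.grant("u-1001", "payroll-db", "read", approved_by="u-owner-01")
    reg.grant("u-1001", "payroll-db", "admin", approved_by="u-owner-01",
              privileged=True, expires=now + timedelta(hours=8))
    return reg


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)
    reg = build_demo(t0)
    print(reg.is_authorized("u-1001", "payroll-db", "read", t0))
    print(reg.is_authorized("u-1001", "payroll-db", "admin", t0 + timedelta(hours=9)))
    reg.retire("u-1001")
    print(reg.is_authorized("u-1001", "payroll-db", "read", t0))
```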
User Authentication
• User authentication is one of the most complex and challenging security functions. There are a wide variety
of methods of authentication, with associated threats, risks, and countermeasures. This section provides an
overview of them.
• The following three sections look at the three general authentication factors: password, hardware token,
and biometric
• In most computer security contexts, user authentication is a fundamental building block and the primary line of
defense. User authentication is the basis for most types of access control and for user accountability
User authentication encompasses two functions:
• Identification step: This step involves presenting an identifier to the security system. (Assign identifiers carefully
because authenticated identities are the basis for other security services, such as access control service.)
• Verification step: This step involves presenting or generating authentication information that corroborates the
binding between the entity and the identifier.
Three concepts are important in understanding this model:
Digital identity: The digital identity is the unique representation of a subject engaged in an online transaction. The
representation consists of an attribute or set of attributes that uniquely describe a subject within a given context
of a digital service but does not necessarily uniquely identify the subject in all contexts.
Identity proofing: This process establishes that a subject is who he or she claims to be to a stated level of
certitude. This process involves collecting, validating, and verifying information about a person.
Digital authentication: This process involves determining the validity of one or more authenticators used to claim
a digital identity. Authentication establishes that a subject attempting to access a digital service is in control of the
technologies used to authenticate.
Successful authentication provides reasonable risk-based assurances that the subject accessing the service today
is the same as the subject that previously accessed the service.
Six entities are defined in Figure
Credential service provider (CSP): A trusted entity that issues or registers subscriber authenticators. For this
purpose, the CSP establishes a digital credential for each subscriber and issues electronic credentials to
subscribers. A CSP may be an independent third party or may issue credentials for its own use.
Verifier: An entity that verifies the claimant’s identity by verifying the claimant’s possession and control of one
or two authenticators, using an authentication protocol. To do this, the verifier may also need to validate
credentials that link the authenticator(s) to the subscriber’s identifier and check their status.
Relying party (RP): An entity that relies upon the subscriber’s authenticator(s) and credentials or a verifier’s
assertion of a claimant’s identity, typically to process a transaction or grant access to information or a system.
Applicant: A subject undergoing the processes of enrollment and identity proofing.
Claimant: A subject whose identity is to be verified using one or more authentication protocols.
Subscriber: A party who has received a credential or authenticator from a CSP.
Multifactor Authentication:
Multifactor authentication refers to the use of more than one of the authentication means in the preceding list. The
strength of an authentication system is largely determined by the number of factors incorporated by the system.
A system that requires two factors is generally stronger than a system requiring a single factor, assuming that the
individual factors are reasonably strong.
Password-Based Authentication:
A password system, based on what you know, is a widely used line of defense against intruders. Virtually all
multiuser systems, network-based servers, web-based e-commerce sites, and other similar services require that a
user provide not only a name or identifier (ID) but also a password.
• The system compares the password to a previously stored password for that user ID, maintained in a system
password file. The password serves to authenticate the ID of the individual logging on to the system.
• In turn, the ID provides security in the following ways: The ID determines whether the user is authorized to gain
access to a system. In some systems, only those who already have an ID filed on the system are allowed to gain
access.
• The ID determines the privileges accorded to the user. A few users may have supervisory or “superuser” status
that enables them to read files and perform functions that are especially protected by the operating system.
Some systems have guest or anonymous accounts, and users of these accounts have more limited privileges than
others.
• The ID is used in what is referred to as discretionary access control. For example, by listing the IDs of the other
users, a user may grant permission to them to read files owned by that user.
Possession-Based Authentication:
Objects that a user possesses for the purpose of user authentication are sometimes called hardware tokens.
Types of Cards Used as Possession Factor
eID Functions
Biometric Authentication:
A biometric authentication system attempts to authenticate an individual based on his or her unique physical
characteristics. These include both static characteristics (for example, fingerprints, hand geometry, facial
characteristics, retinal and iris patterns) and dynamic characteristics (for example, voiceprint, signature).
Access Control
This section provides an overview of important aspects of access control. It is useful to begin by defining the
following terms:
Access: Ability and means to communicate with or otherwise interact with a system, to use system resources to
handle information, to gain knowledge of the information the system contains, or to control system components
and functions.
Access control: The process of granting or denying specific requests for obtaining and using information and
related information processing services and for entering specific physical facilities.
Access control mechanism: Security safeguards (that is, hardware and software features, physical controls,
operating procedures, management procedures, and various combinations of these) designed to detect and deny
unauthorized access and permit authorized access to an information system.
Access control service: A security service that protects against a system entity using a system resource in a way
not authorized by the system’s security policy.
Basic access control systems typically define three classes of subject, with different access rights for each class:
• Owner: This can be the creator of a resource, such as a file. For system resources, ownership can belong to
a system administrator. For project resources, a project administrator or leader can be assigned ownership.
• Group: In addition to the privileges assigned to an owner, a named group of users can also be granted
access rights, such that membership in the group is sufficient to exercise these access rights. In most schemes, a
user may belong to multiple groups.
• World: The least amount of access is granted to users who are able to access the system but are not included in
the categories owner and group for this resource.
System Management in Cybersecurity
• System management in cybersecurity encompasses the processes and practices used to ensure that information
systems are secure, reliable, and effective in protecting against cyber threats. It involves a systematic approach to
safeguarding digital assets, managing vulnerabilities, and maintaining the overall integrity of systems.
Key Components of System Management in Cybersecurity
1. Risk Assessment
2. Vulnerability Management
3. Incident Response Planning
4. Security Operations Center (SOC) Management
5. Access Control
6. Data Protection
7. Compliance and Governance
8. Training and Awareness
Virtual Servers
• Virtualization refers to a technology that provides an abstraction of the computing resources used by some
software, which thus runs in a simulated environment called a virtual machine (VM).
• Benefits arising from using virtualization include better efficiency in the use of the physical system resources than
is typically seen using a single operating system instance.
• This is particularly evident in the provision of virtualized server systems.
• Virtualization also provides support for multiple distinct operating systems and associated applications on the one
physical system. This is more commonly seen on client systems.
Virtualization Security Issues
• A number of security concerns result from the use of virtualized systems, including the following:
Guest operating system isolation:
• It is important to ensure that programs executing within a guest operating system can only access and use the
resources allocated to it and cannot covertly interact with programs or data either in other guest operating
systems or in the hypervisor.
Securing Virtualization Systems
SP 800-125, which provides guidance for appropriate security in virtualized systems, states that organizations using
virtualization should do the following:
• Plan the security of the virtualized system carefully.
• Secure all elements of a full virtualization solution, including the hypervisor, guest operating systems, and
virtualized infrastructure—and also maintain their security
• Ensure that the hypervisor is properly secured
• Restrict and protect administrator access to the virtualization solution
Network Storage Systems
• Organizations make use of two broad categories of computer storage for files, databases, and other data:
local and networked.
• Local storage, commonly called direct access storage (DAS), is a dedicated digital storage device attached directly
to a server or PC via a cable or residing as an internal drive.
• Most users’ computers and most servers have DAS. DAS creates data islands because data cannot be easily
shared with other servers.
• Networked storage is a term used to describe a storage device (usually many devices paired together) that is
available over a network. This kind of storage maintains copies of data across high-speed local area network (LAN)
connections and is designed to back up files, databases, and other data to a central location that can be easily
accessed via standard network protocols and tools.
Networked storage comes in the following topologies:
Storage area network (SAN):
• A SAN is a dedicated network that provides access to various types of storage devices, including tape libraries,
optical jukeboxes, and disk arrays. To servers and other devices in the network, a SAN’s storage devices look like
locally attached devices.
• A disk block-based storage technology, SAN is probably the most pervasive form of storage for very large data
centers and is a de facto staple for database-intensive applications. These applications require shareable storage,
large bandwidth, and support for the distances from rack to rack within the data center.
Network attached storage (NAS):
• NAS systems are networked appliances that contain one or more hard drives that are shared with multiple,
heterogeneous computers. Their specialized role in networks is to store and serve files.
• NAS disk drives typically support built-in data protection mechanisms, including redundant storage containers or
redundant arrays of independent disks (RAID). NAS enables file serving responsibilities to be separated from other
servers on the network and typically provides faster data access than traditional file servers.
Network Management
• This section provides an overview of network management. Let’s begin by looking at the requirements for
network management.
• This will provide an idea of the scope of the task to be accomplished. To manage a network, it is fundamental to
know something about the current status and behavior of that network.
• Effective management requires a network management system that includes a comprehensive set of data
gathering and control tools and that is integrated with the network hardware and software.
Firewalls
• The firewall is an important complement to host-based security services such as intrusion detection systems.
Typically, a firewall is inserted between the premises network and the Internet to establish a controlled link and to
erect an outer security wall or perimeter.
• The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a single
choke point where security and auditing are imposed.
• Firewalls are also deployed internally in an enterprise network to segregate portions of the network.
• A firewall provides an additional layer of defense, insulating internal systems from external networks or other
parts of the internal network.
• This follows the classic military doctrine of “defense in depth,” which is applicable to IT security.
Firewall Characteristics
“Network Firewalls” [BELL94] lists the following design goals for a firewall:
• All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically
blocking all access to the local network except via the firewall. Various configurations are possible, as explained
later in this chapter.
• Only authorized traffic, as defined by the local security policy, is allowed to pass. Various types of firewalls are
used, and they implement various types of security policies, as explained later in this chapter.
• The firewall itself is immune to penetration. This implies the use of a hardened system with a secured operating
system. Trusted computer systems are suitable for hosting a firewall and often required in government applications.
Firewalls have limitations, including the following:
• Firewalls cannot stop users from accessing malicious websites, leaving the network vulnerable to internal threats or attacks.
• Firewalls cannot protect against the transfer of virus-infected files or software.
• Firewalls cannot prevent misuse of passwords.
• Firewalls cannot protect if security rules are misconfigured.
• Firewalls cannot protect against non-technical security risks, such as social engineering.
• Firewalls cannot stop or prevent attackers with modems from dialing in to or out of the internal network.
• Firewalls cannot secure a system that is already infected.
Types of Firewalls
• There are three types of firewalls: software firewalls, hardware firewalls, or both, depending on their structure.
Each type of firewall has different functionality but the same purpose. However, it is best practice to have both to
achieve maximum possible protection.
• A hardware firewall is a physical device that attaches between a computer network and a gateway, for example, a
broadband router. A hardware firewall is sometimes referred to as an Appliance Firewall.
• On the other hand, a software firewall is a simple program installed on a computer that works through port
numbers and other installed software. This type of firewall is also called a Host Firewall.
The following are types of firewall techniques that can be implemented as software or hardware:
• Packet-filtering Firewalls
• Circuit-level Gateways
• Application-level Gateways (Proxy Firewalls)
• Stateful Multi-layer Inspection (SMLI) Firewalls
• Next-generation Firewalls (NGFW)
• Threat-focused NGFW
• Network Address Translation (NAT) Firewalls
• Cloud Firewalls
• Unified Threat Management (UTM) Firewalls
Packet-filtering Firewalls
A packet-filtering firewall is the most basic type of firewall. It acts like a management program that monitors
network traffic and filters incoming packets based on configured security rules. These firewalls are designed to
block network traffic based on IP protocol, IP address, and port number if a data packet does not match the
established rule set.
While packet-filtering firewalls can be considered a fast solution without many resource requirements, they also
have some limitations. Because these types of firewalls do not prevent web-based attacks, they are not the safest.
Circuit-level Gateways
Circuit-level gateways are another simplified type of firewall that can be easily configured to allow or block traffic
without consuming significant computing resources. These types of firewalls typically operate at the session-level
of the OSI model by verifying TCP (Transmission Control Protocol)
Application-level Gateways (Proxy Firewalls)
Proxy firewalls operate at the application layer as an intermediate device to filter incoming traffic between two
end systems (e.g., network and traffic systems). That is why these firewalls are called 'Application-level Gateways'.
Stateful Multi-layer Inspection (SMLI) Firewalls
• Stateful multi-layer inspection firewalls include both packet inspection technology and TCP handshake
verification, making SMLI firewalls superior to packet-filtering firewalls or circuit-level gateways. Additionally,
these types of firewalls keep track of the status of established connections.
• In simple words, when a user establishes a connection and requests data, the SMLI firewall creates a database
(state table). The database is used to store session information such as source IP address, port number,
destination IP address, destination port number, etc.
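The difference between a packet-filtering firewall and a stateful (SMLI) firewall described above, as an added Python example that is not part of the original notes: a stateless rule set and a firewall with a state table judge the same constructed traffic. The addresses, the two rules and the names Packet, packet_filter and StatefulFirewall are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/24")  # constructed internal (premises) network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN", "ACK"})


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


def inside(addr):
    return ip_address(addr) in INSIDE


def packet_filter(p):
    """Stateless rules: every packet is judged alone on addresses and ports."""
    # Rule 1: inside hosts may reach outside HTTPS servers.
    if inside(p.src) and not inside(p.dst) and p.dport == 443:
        return "allow"
    # Rule 2: replies from port 443 to inside high ports must pass,
    # otherwise rule 1 would be useless.
    if not inside(p.src) and inside(p.dst) and p.sport == 443 and p.dport >= 1024:
        return "allow"
    return "drop"


class StatefulFirewall:
    """Keeps a state table and verifies the TCP three-way handshake."""

    def __init__(self):
        # (inside IP, inside port, outside IP, outside port) -> connection state
        self.state = {}

    def handle(self, p):
        outbound = inside(p.src)
        key = ((p.src, p.sport, p.dst, p.dport) if outbound
               else (p.dst, p.dport, p.src, p.sport))
        st = self.state.get(key)
        if st is None:
            # Only an outbound SYN that policy permits may create an entry.
            if outbound and p.flags == {"SYN"} and packet_filter(p) == "allow":
                self.state[key] = "SYN_SENT"
                return "allow"
            return "drop"
        if "RST" in p.flags:      # either side aborts: forget the session
            del self.state[key]
            return "allow"
        if st == "SYN_SENT":      # expect SYN+ACK from the server
            if not outbound and p.flags == {"SYN", "ACK"}:
                self.state[key] = "SYN_RCVD"
                return "allow"
            return "drop"
        if st == "SYN_RCVD":      # expect the client's final ACK
            if outbound and p.flags == {"ACK"}:
                self.state[key] = "ESTABLISHED"
                return "allow"
            return "drop"
        if "FIN" in p.flags:      # simplified teardown: first FIN ends the session
            del self.state[key]
        return "allow"


# Constructed sample traffic (documentation address ranges).
SAMPLE_TRAFFIC = [
    pkt("10.0.0.5", 50000, "203.0.113.10", 443, "SYN"),
    pkt("203.0.113.10", 443, "10.0.0.5", 50000, "SYN", "ACK"),
    pkt("10.0.0.5", 50000, "203.0.113.10", 443, "ACK"),
    pkt("203.0.113.10", 443, "10.0.0.5", 50000, "ACK", "PSH"),
    # Belongs to no session: the stateless rules pass it, the state table does not.
    pkt("198.51.100.7", 443, "10.0.0.9", 40000, "ACK"),
    pkt("198.51.100.7", 51000, "10.0.0.9", 22, "SYN"),
]


def compare(packets):
    """Return [(stateless verdict, stateful verdict), ...] and the state table."""
    fw = StatefulFirewall()
    verdicts = [(packet_filter(p), fw.handle(p)) for p in packets]
    return verdicts, fw.state


if __name__ == "__main__":
    verdicts, table = compare(SAMPLE_TRAFFIC)
    for p, (stateless, stateful) in zip(SAMPLE_TRAFFIC, verdicts):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)} "
              f"filter={stateless} stateful={stateful}")
    print(table)
```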
Next-generation Firewalls (NGFW)
• Many of the latest released firewalls are usually defined as 'next-generation firewalls'. However, there is no
specific definition for next-generation firewalls. This type of firewall is usually defined as a security device
combining the features and functionalities of other firewalls. These firewalls include deep-packet inspection (DPI),
surface-level packet inspection, and TCP handshake testing, etc.
• Connection information is stored for each session in the state table. Using stateful inspection technology, these
firewalls create security rules to allow anticipated traffic.
Network Address Translation (NAT) Firewalls
• Network address translation or NAT firewalls are primarily designed to access Internet traffic and block all
unwanted connections.
• These types of firewalls usually hide the IP addresses of our devices, making them safe from attackers.
Cloud Firewalls
• Whenever a firewall is designed using a cloud solution, it is known as a cloud firewall or FaaS (firewall-as-service).
Cloud firewalls are typically maintained and run on the Internet by third-party vendors.
• This type of firewall is considered similar to a proxy firewall. The reason for this is the use of cloud firewalls as
proxy servers. However, they are configured based on requirements.
IP SECURITY
• IPsec is a set of Internet standards that augment both versions of IP that are in current use (IPv4 and IPv6) with
security features.
• The principal feature of IPsec is that it encrypts and/or authenticates all traffic at the IP level. Thus, all distributed
applications—including remote logon, client/server, email, file transfer, web access, and so on—are secured.
IPsec provides three main facilities:
• An authentication-only function referred to as Authentication Header (AH),
• a combined authentication/encryption function called Encapsulating Security Payload (ESP), and
• a key exchange function.
• Figure shows a simplified packet format for an IPsec option known as tunnel mode, using ESP and a key exchange
function.
• Figure shows a typical IPsec usage scenario. An organization maintains local area networks (LANs) at dispersed
locations. Insecure IP traffic is conducted on each LAN.
• For traffic offsite, through some sort of private or public WAN, IPsec protocols are used. These protocols operate
in networking devices, such as a router or firewall, that connect each LAN to the outside world.
• The IPsec networking device typically encrypts and compresses all traffic going into the WAN and decrypts and
decompresses traffic coming from the WAN; these operations are transparent to workstations and servers on the
LAN.
• Secure transmission is also possible with individual users who dial in to the WAN. Such user workstations must
implement the IPsec protocols to provide security.
Electronic communications
Often the focus of enterprise security is protecting stored information and server facilities, as well as client/server
communication from the wide variety of threats on the landscape.
It is important not to overlook security related to electronic communications that may not involve server or
database access but that is between individuals.
Email:
• It is useful to have a basic grasp of the Internet mail architecture, as defined in RFC 5598, Internet Mail
Architecture. At its most fundamental level, the Internet mail architecture consists of a user world, in the form of
message user agents (MUAs), and a transfer world, in the form of the Message Handling System (MHS), which is
composed of message transfer agents (MTAs).
This section looks at four types of electronic
communications that need to be protected.
Case study on OWASP vulnerabilities using OWASP ZAP tool
What is OWASP?
• The Open Web Application Security Project (OWASP) is an open, online community that creates methodologies,
tools, technologies and guidance on how to deliver secure web applications.
• It is an international collaborative initiative comprised of both individuals and corporations.
• The project aims to standardise security approaches in web development and spread associated knowledge.
What is OWASP ZAP?
OWASP ZAP (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of
international volunteers. It can help to find security vulnerabilities in web applications. It's also a great tool for
experienced pen testers and beginners.
ZAP can scan through the web application and detect issues related to:
• SQL injection
• Broken Authentication
• Sensitive data exposure
• Broken Access control
• Security misconfiguration
• Cross Site Scripting (XSS)
• Insecure Deserialization
• Components with known vulnerabilities
• Missing security headers
Why we chose OWASP ZAP?
• As it is designed to be used by people with a wide range of pen testing experience, it was ideal for our team who
were new to penetration testing.
• ZAP is a free open-source tool which is easy to setup and use. As it is used by the wider community, there is a lot
of help available online through the ZAP blog and other articles to help you setup and use the tool.
• ZAP is cross platform i.e. you can install it in Windows, Linux or Mac OS.
• ZAP can be run in a Docker container, which suited our project tech stack. Also, its functionality is scalable with
many diverse extensions published on GitHub.
• ZAP Jenkins plugin can be setup to run the scans as part of CI / CD pipelines.
How to Use the OWASP ZAP Vulnerability Scanner to Plan A Vulnerability Test?
The OWASP ZAP tool captures each request just before it hits the network, which allows you to analyze the various
parameters and header values in the request. It then explores and attacks the application to find security issues
that need redressal. In the process, it records the requests and responses on every page and sends out alerts when
it encounters an issue.
Below are the steps on how to initiate the OWASP ZAP penetration testing using a Windows system:
1. Starting the OWASP ZAP UI
To start a vulnerability test using the OWASP ZAP web application scanner, you need to download the tool and
install it.
It is platform agnostic and hence you can set it up on either Windows, Mac OS, or Linux. However, if you are using
Windows or Linux, you should also have Java 8+ already installed on your system.
After installation, click on the OWASP ZAP icon on your desktop. Now, click on the “start” button on the start-up
dialog box, to launch the ZAP UI.
Upon running the interface, a pop-up window will ask if you want to save the session. For a new session, choose
the default option “No, I do not want to persist the session”.
2. Initiating a Scan
• You can start scanning your web application by using the QuickStart automated scan. With QuickStart, you can
scan an application just by entering its URL and pushing the 'attack' button, which makes it quite simple to
execute.
• You can use passive scanning as well, which is one of the most interesting features of the OWASP ZAP scanner. The
tool records all the requests received by the application and its responses.
• It then issues an alert if any anomaly is observed with either the request or the response. However, it cannot
detect an issue such as an SQL injection attack.
• Instead, you can use the active scanning feature to find out the vulnerabilities not found through passive
scanning.
• During an active scan, ZAP can simulate a real attack against some specific areas of your application to understand
the response
Additionally, the ZAP scanner can be used in different modes like:
• The standard mode which allows you to use every feature of the tool
• You can also use attack mode to run active scans.
• The safe mode turns off the harmful features while the protected mode lets you scan chosen websites within a
defined scope.
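The passive-scanning idea described above, as an added example that is not part of the original notes and is not ZAP's own rule code: the checker only reads responses that were already recorded and raises alerts for missing security headers and weak cookie flags, sending no traffic of its own. The recorded responses are constructed samples, and the particular headers checked are an assumption about what "missing security headers" covers.

```python
from urllib.parse import urlsplit

# Constructed sample of recorded traffic: (URL, list of response headers).
RECORDED = [
    ("https://shop.example.test/", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Set-Cookie", "session=abc123; Path=/"),
    ]),
    ("https://shop.example.test/account", [
        ("Content-Type", "text/html"),
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
        ("X-Content-Type-Options", "nosniff"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ]),
    ("http://shop.example.test/static/app.js", [
        ("Content-Type", "application/javascript"),
    ]),
]


def passive_alerts(url, headers):
    """Return alert strings for one recorded response, without sending anything."""
    scheme = urlsplit(url).scheme
    # Header names are case-insensitive and may repeat (for example Set-Cookie).
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    alerts = []
    nosniff = by_name.get("x-content-type-options", [""])[0].strip().lower()
    if nosniff != "nosniff":
        alerts.append("X-Content-Type-Options missing or not 'nosniff'")

    if scheme == "https" and "strict-transport-security" not in by_name:
        alerts.append("Strict-Transport-Security not set")

    content_type = by_name.get("content-type", [""])[0].lower()
    if content_type.startswith("text/html"):
        csp = "; ".join(by_name.get("content-security-policy", [])).lower()
        if not csp:
            alerts.append("Content-Security-Policy not set")
        if "frame-ancestors" not in csp and "x-frame-options" not in by_name:
            alerts.append("No anti-clickjacking header (X-Frame-Options or CSP frame-ancestors)")

    for cookie in by_name.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        # Attributes follow the first name=value pair, separated by ';'.
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        if scheme == "https" and "secure" not in attrs:
            alerts.append(f"Cookie '{cookie_name}' set without the Secure flag")
        if "httponly" not in attrs:
            alerts.append(f"Cookie '{cookie_name}' set without the HttpOnly flag")
    return alerts


def scan(recorded):
    """Map every recorded URL to the alerts raised for its response."""
    return {url: passive_alerts(url, headers) for url, headers in recorded}


if __name__ == "__main__":
    for url, alerts in scan(RECORDED).items():
        print(url)
        for alert in alerts or ["no alerts"]:
            print("   ", alert)
```

Nothing in the recorded headers reveals how the application handles crafted input, which is why a flaw such as SQL injection stays invisible to this kind of check and needs active scanning.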
UNIT-IV
TECHNICAL SECURITY
Supply Chain Management-Cloud Security-Security
Architecture-Malware Protection- Intrusion Detection-Digital
Rights Management-Cryptographic Techniques-Threat and
Incident Management-Vulnerability Management-Security
Event Management-Forensic Investigations-Local
Environment Management-Business Continuity. – Case study
on cloud and cryptographic vulnerabilities.
SUPPLY CHAIN MANAGEMENT AND CLOUD SECURITY
SUPPLY CHAIN MANAGEMENT CONCEPTS
• A supply chain was defined as the network of all the individuals, organizations, resources, activities, and
technology involved in the creation and sale of a product, from the delivery of source materials from the supplier
to the manufacturer, through to its eventual delivery to the end user.
• The term supply chain has been used in connection with information and communications technology (ICT).
• National Institute of Standards and Technology (NIST) SP 800-161, Supply Chain Risk Management Practices for
Federal Information Systems and Organizations
• The collection of devices, networking components, applications, and systems that together allow people and
organizations to interact in the digital world.
• Services: Examples include cloud computing services, data center services, network services, and external auditing
services.
• Software/data: Examples include operating system and application software and databases of information, such as
threat information.
• Hardware/products: Examples include computer and networking equipment.
Three types of flows associated with a supply chain:
– Product/service flow.
– Information flow
– Money flow
Supply Chain Management
• Supply chain management (SCM) is the active management of supply chain activities to maximize customer value
and achieve a sustainable competitive advantage
• Supply chain activities cover everything from product development, sourcing, production, and logistics to the
information systems needed to coordinate these activities.
SUPPLY CHAIN RISK MANAGEMENT
Supply chain risk management (SCRM) is the coordinated efforts of an organization to help identify, monitor,
detect, and mitigate threats to supply chain continuity and profitability.
CLOUD SECURITY
Cloud security from the point of view of a cloud consumer—that is, an organization that makes use of services from a
cloud service provider.
Security Considerations for Cloud Computing
• Confidentiality and privacy
• Data breach responsibilities
• Responsibility for notifying:
• Risks to intellectual property
• Export controls
• E-discovery
• Risk assessment
• Business continuity
• Legal issues

Threats for Cloud Service Users


• Responsibility ambiguity: The enterprise-owned system relies on services from the cloud provider. The level
of the service provided (SaaS, PaaS, IaaS) determines the magnitude of resources that are offloaded from IT
systems on to the cloud systems
• Loss of governance: The migration of a part of the enterprise's IT resources to the cloud infrastructure gives
partial management control to the cloud service provider
• Loss of trust: It is sometimes difficult for a cloud service user to assess the provider’s trust level due to the black-
box feature of the cloud service
• Nonsecure cloud service user access: As most of the resource deliveries are through remote connections,
unprotected application programming interfaces (APIs) (mostly management APIs and PaaS services) are among
the easiest attack vectors.
• Lack of asset management: The cloud service user may have difficulty in assessing and monitoring asset
management by the cloud service provider
• Data loss and leakage: This threat can be strongly related to the preceding item
Risk Evaluation
It is useful to have a detailed questionnaire for performing risk evaluation
for cloud services.
– High-level description
– Authentication
– Authorization—logical access control
– Data security
– Recoverability
– Operational controls
– Incident response
– Application security
Cloud Service Agreement
• From the point of view of the overall mission and objectives of an enterprise, an essential aspect of using
outsourced cloud services is a formal cloud service agreement (CSA).
– Customer agreement: Describes the overall relationship between the customer and provider.
– Acceptable use policies: Prohibits activities that providers consider to be an improper or illegal use of their
service. In addition, the provider usually agrees not to violate the intellectual property rights of the customer.
– Cloud service level agreements: Defines a set of service level objectives, including availability, performance,
security, and compliance/privacy.
– Privacy policies: The privacy policy describes the different types of information collected; how that information is
used, disclosed, and shared; and how the provider protects that information
SECURITY ARCHITECTURE
• Security architecture is a unified security design that addresses the necessities and potential risks involved in a
certain scenario or environment.
• A security architecture can be considered a design that includes a structure and addresses the connection
between the components of that structure.
• A security architecture is a prescriptive document that uses a set of coherent models and principles to guide the
implementation of the information security policy of an organization
• A security architecture has the following key characteristics:
• It consists of a transparent and coherent overview of models, principles, starting points, and conditions that give
a concrete interpretation of the information security policy.
• It reduces a complex problem into models, principles, and sub problems to be understood.
• The models and principles show where you take which type of measures, when the principles are applicable, and
how they connect with other principles.
• The most widely used security architecture is the Sherwood Applied
Business Security Architecture (SABSA)
• SABSA was developed to provide an end-to-end framework for determining, designing, and deploying security in a
way that is traceably aligned with the business and into which the many traditional standards and processes can
be incorporated
MALWARE PROTECTION ACTIVITIES
• Malicious software (malware) is perhaps the most significant security threat to organizations.
Malicious software (malware)
• Software that exploits vulnerabilities in a computing system to create an attack.
• Malware: A program that is covertly inserted into another program with the intent to destroy data, run destructive
or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim’s
data, applications, or operating system.
Types of Malware
• Adware: Advertising that is integrated into software.
• Auto-rooter: A malicious hacker tool used to break in to new machines remotely.
• Backdoor (trapdoor): Any mechanism that bypasses a normal security check; it may allow unauthorized access to
functionality.
• Exploit: Code specific to a single vulnerability or set of vulnerabilities.
• Downloader: A program that installs other items on a machine that is under attack.
• Dropper: A malware installer that surreptitiously carries viruses, backdoors, and other malicious software to be
executed on the compromised machine
• Flooder: A tool used to attack networked computer systems with a large volume of traffic to carry out a denial-of-
service (DoS) attack.
• Keyloggers: A software tool that captures keystrokes on a compromised system.
• Kit (virus generator): A set of tools for generating new viruses automatically.
• Logic bomb: A program inserted into software by an intruder.
• Malware as a Service (MaaS): A web-based provider of malware. MaaS may provide access to botnets, support
hotlines, and servers that regularly update and test malware strains for efficacy.
• Mobile code: Software (for example, script, macro, or other portable instructions) that can be shipped unchanged
to a heterogeneous collection of platforms and execute with identical semantics.
• Potentially unwanted program (PUP): A program that may be unwanted, despite the possibility that users
consented to download it.
The Nature of the Malware Threat
• The European Union Agency for Network and Information Security’s annual threat report.
• Businesses experienced far more malware threats in 2017 compared to 2016.
• Ransomware continues to dominate the Windows malware scene, with an evolution from 55% in January 2017 to
75% in July 2017.
• There is increasing threat from clickless malware, which is automated malware injection programs that do not
require user action to activate.
• There is also a rise in fileless malware, which is malware code that resides in RAM (random access memory) or
propagates through the use of carefully crafted scripts, such as PowerShell, to infect its host.
• There has been a growth of malicious functions being packaged within
Potentially Unwanted Programs (PUPs)
Practical Malware Protection
• Malware enters through a variety of attack surfaces, including end-user
devices, mail attachments, web pages, cloud services, user actions, and
removable media.
• Malware is designed to avoid, attack, or disable defenses. And malware is
constantly evolving to stay ahead of existing defenses
INTRUSION DETECTION SYSTEM (IDS)
Intrusion detection system (IDS): Hardware or software products that gather and analyze information from various
areas within a computer or a network for the purpose of finding and providing real-time or near-real-time
warning of attempts to access system resources in an unauthorized manner.
Classification of IDS
• Host-based IDS
• Network-based IDS
Logical Components of IDS
• Sensors: Sensors are responsible for collecting data.
• Analyzers: Analyzers receive input from one or more sensors or from other analyzers. The analysis engines are
responsible for determining if an intrusion has occurred.
• User interface: The user interface to an IDS enables a user to view output from the system or control the behavior
of the system
Approaches to Intrusion Detection
• Intrusion detection assumes that the behavior of the intruder differs from that of a legitimate user in ways that
are quantifiable
Host-Based Intrusion Detection Techniques
• Host-based IDSs add a specialized layer of security software to vulnerable or sensitive systems; examples include
database servers and administrative systems.
• A host-based IDS monitors activity on a system in a variety of ways to detect suspicious behavior.
• An IDS can halt an attack before any damage is done, but its primary purpose is to detect intrusions, log
suspicious events, and send alerts.
• Threshold detection
• Profile based
Network-Based Intrusion Detection Systems
• A network-based IDS (NIDS) monitors the traffic on the network segment as a data source.
• This is generally accomplished by placing the network interface card in promiscuous mode to capture all network
traffic that crosses its network segment
IDS Best Practices
• Create separate accounts for each IDS user and administrator.
• Restrict network access to IDS components.
• Ensure that IDS management communications are protected appropriately, such as encrypting them or
transmitting them over a physically or logically separate network.
• Back up IDS configuration settings periodically and before applying updates to ensure that existing settings are not
inadvertently lost.
• Monitor and tune one IDS sensor at a time to prevent security staff from being overwhelmed by alerts and false
positives.
• Have alerts of a certain priority sent directly to a security administrator so attacks are quickly known or when
other events might require administration attention.
• Have a system in place to ensure that IDS event logs are reviewed regularly
DIGITAL RIGHTS MANAGEMENT
Digital rights management (DRM) refers to systems and procedures which ensure that holders of digital rights are
clearly identified and receive the stipulated payment for their work.
• DRM systems should meet the following objectives:
– Provide persistent content protection against unauthorized access to the digital content, limiting access to only
those with the proper authorization.
– Support a variety of digital content types (for example, music files, video streams, digital books, images).
– Provision content use on a variety of platforms (for example, PCs, tablets, mobile phones).
– Facilitate content distribution on a variety of media (for example, CDROMs, DVDs, flash memory).
DRM System Architecture
CRYPTOGRAPHIC SOLUTIONS
Uses of Cryptography
Cryptography is used to protect data at rest and data in motion, both inside and outside the boundaries of an
enterprise’s IT system.
– Data encryption
– Digital signature
– User authentication
Cryptographic Algorithms
Cryptographic algorithms fall into three broad categories: encryption/decryption algorithms, secure hash
algorithms, and digital signature algorithms.
Symmetric Encryption
• Symmetric encryption, also referred to as conventional encryption, is a cryptographic scheme in which encryption
and decryption are performed using the same key.
• Plaintext: This is the original message or data block that is fed into the algorithm as input.
• Encryption algorithm: The encryption algorithm performs various substitutions and transformations on the
plaintext.
• Secret key: The secret key is also input to the encryption algorithm. The exact substitutions and transformations
performed by the algorithm depend on the key.
• Cipher text: This is the scrambled message produced as output.
• Decryption algorithm: This is the inverse of the encryption algorithm. It takes the cipher text and the secret key
and produces the original plaintext

Public Key Encryption


• Public key cryptography, also called asymmetric cryptography, involves the use of two separate keys, in contrast to
symmetric encryption, which uses only one key. The use of two keys has profound consequences in the areas of
confidentiality, key distribution, and authentication.
– Plaintext: This is the readable message or data block that is fed into the algorithm as input.
– Encryption algorithm: The encryption algorithm performs various transformations on the plaintext.
– Public key and private key: This is a pair of keys that were selected so that if one is used for encryption, the other is
used for decryption.
– Cipher text: This is the scrambled block produced as output. It depends on the plaintext and the key.
– Decryption algorithm: This algorithm accepts the ciphertext and the matching key and produces the original
plaintext.
Secure Hash Functions
• A secure hash function takes a variable-length block of data as input and produces a fixed-length hash value that is
typically shorter than the input data block.
• Secure hash functions are an essential element of many security protocols and applications.
Digital Signatures
• A digital signature is a data-dependent bit pattern, generated by an agent as a function of a file, message, or other
form of data block.
– The data block was signed by the alleged signer
– The data block was not altered since the signing. Further, the signer cannot repudiate the signature.
• Digital signatures are widely used for a number of purposes, including the following:
– Digitally signing email messages to authenticate the sender
– Digitally signing a software program to authenticate the source of the program and to counter the threat of
software tampering
– Verifying the authorship or origin of digital data
– Ensuring the integrity of digital data against tampering
– Authenticating online entities
THREAT AND INCIDENT MANAGEMENT
TECHNICAL VULNERABILITY MANAGEMENT
Technical vulnerability management, usually referred to simply as vulnerability management, is a security practice
specifically designed to prevent the exploitation of technical vulnerabilities that exist in a system or an
organization.
• The process involves the identification, classification, remediation, and mitigation of various vulnerabilities in a
system.
• It is an integral part of cyber security and is practiced together with risk management as well as other security
practices
Technical vulnerability
• Hardware, firmware, communication, or software flaw that
leaves an information processing system open to potential
exploitation either externally or internally, resulting in risk for
the system.
1. Plan Vulnerability Management
• Effective management of technical vulnerabilities begins with planning.
– Risk and process integration
– Integration with asset inventory
– Establishment of clear authority to review vulnerabilities
– System and application life cycle integration
2. Discover Known Vulnerabilities
– The discover step involves monitoring sources of information about known vulnerabilities to hardware, software,
and network equipment.
– Key sources of information include the following:
• Computer emergency response (or readiness) team (CERT)
• Packet Storm
• Security Focus
• Internet Storm Center (ISC)
3. Scan for Vulnerabilities
• In addition to monitoring vulnerability reporting services, enterprises need to regularly scan software, systems,
and networks for vulnerabilities and proactively address those that are found
• There are two challenges involved in scanning that an enterprise needs to address:
• Scanning can cause disruptions.
• Scanning can generate huge amounts of data and numerous false positives.
4. Log and Report
• When a vulnerability scan is completed, the organization should log the results so that personnel can verify the
activity of the regular vulnerability scanning tools.
– The skill required to exploit the vulnerability
– The availability of the exploit to potential attackers
– The privilege gained upon successful exploitation
– The risk and impact of this vulnerability if exploitation is successful
5. Remediate Vulnerabilities
• An organization should deploy automated patch management tools and software update tools for operating
system and software/applications on all systems for which such tools are available and safe
Performing Patch Management
• There are a number of issues to consider related to performing patch management. One is the relationship
between timing, prioritization, and testing.
Patch Management Technologies
– Agent-based scanning
– Agentless scanning
– Passive network monitoring
SECURITY EVENT MANAGEMENT
Security event management (SEM) is the process of identifying, gathering, monitoring, analyzing, and reporting
security-related events.
• The objective of SEM is to extract from a large volume of security events those events that qualify as incidents.
• SEM takes data input from all devices/nodes and other similar applications, such as log management software.
• The collected events data is analyzed with security algorithms and statistical computations to trace out any
vulnerability, threat, or risk.
SEM Functions
As event data are generated, they are generally stored in logs local to the devices that generate them.
– Normalization
– Filtering
– Aggregation
These preliminary steps reduce the volume of data. The objective of the next steps is to analyze the data and
generate alerts of security incidents.
SEM Best Practices
• Pattern matching
• Scan detection
• Threshold detection
• Event correlation
• Because SEM systems interact with virtually all other systems in an IT environment, deployment of an SEM system
is a large and complex project and needs to be planned and implemented carefully.
• Plan
• Simplify
• Deploy
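The SEM functions listed above, as an added example that is not part of the original notes: events from two log sources are normalized to one schema, filtered, and aggregated per source address, then threshold detection and a simple event correlation turn the reduced data into alerts. The log lines are constructed, and the firewall CSV layout, the threshold of three failures per 60 seconds and the 300-second follow-up window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample logs: (source, raw line). "fw" lines use an assumed
# CSV layout of epoch,action,src_ip,dst_ip,dst_port.
RAW_LOGS = [
    ("syslog", "2024-05-01T10:00:01Z host1 sshd[811]: Failed password for admin from 198.51.100.7 port 40122 ssh2"),
    ("syslog", "2024-05-01T10:00:09Z host1 sshd[811]: Failed password for invalid user test from 198.51.100.7 port 40130 ssh2"),
    ("fw", "1714557612,DENY,198.51.100.7,10.0.0.5,23"),
    ("syslog", "2024-05-01T10:00:15Z host1 sshd[811]: Failed password for admin from 198.51.100.7 port 40141 ssh2"),
    ("syslog", "2024-05-01T10:00:20Z host1 sshd[811]: Failed password for root from 198.51.100.7 port 40150 ssh2"),
    ("syslog", "2024-05-01T10:00:22Z host1 CRON[900]: pam_unix(cron:session): session opened for user root"),
    ("syslog", "2024-05-01T10:00:41Z host1 sshd[811]: Accepted password for admin from 198.51.100.7 port 40160 ssh2"),
    ("syslog", "2024-05-01T10:05:00Z host1 sshd[811]: Failed password for alice from 192.0.2.44 port 51000 ssh2"),
    ("syslog", "2024-05-01T10:05:30Z host1 sshd[811]: Accepted password for alice from 192.0.2.44 port 51002 ssh2"),
    ("fw", "1714557900,ALLOW,10.0.0.8,203.0.113.10,443"),
]

SSHD_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)
RELEVANT = {"auth_fail", "auth_ok", "fw_deny"}   # event types kept by the filter


def normalize(source, line):
    """Map one raw line to a common event dict, or None if it is not parseable."""
    if source == "syslog":
        m = SSHD_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        kind = "auth_fail" if m.group(2) == "Failed" else "auth_ok"
        return {"ts": int(ts.timestamp()), "type": kind, "src_ip": m.group(4), "user": m.group(3)}
    if source == "fw":
        epoch, action, src_ip, _dst_ip, _dst_port = line.split(",")
        return {"ts": int(epoch), "type": "fw_" + action.lower(), "src_ip": src_ip, "user": None}
    return None


def run_pipeline(raw_logs, threshold=3, window=60, follow_up=300):
    # Normalization: every source ends up in the same schema.
    events = [e for e in (normalize(src, line) for src, line in raw_logs) if e]
    # Filtering: routine events (here, allowed firewall traffic) are discarded.
    events = [e for e in events if e["type"] in RELEVANT]
    # Aggregation: failed logins counted per source address and time window.
    counts = defaultdict(int)
    for e in events:
        if e["type"] == "auth_fail":
            counts[(e["src_ip"], e["ts"] // window)] += 1

    alerts = []
    for (ip, bucket), n in sorted(counts.items()):
        if n < threshold:
            continue
        # Threshold detection: too many failures from one address in one window.
        alerts.append(("threshold", ip, n))
        # Event correlation: a success from the same address soon after the burst.
        start = bucket * window
        for e in events:
            if (e["type"] == "auth_ok" and e["src_ip"] == ip
                    and start <= e["ts"] <= start + window + follow_up):
                alerts.append(("correlated", ip, e["user"]))
    return events, alerts


if __name__ == "__main__":
    kept, alerts = run_pipeline(RAW_LOGS)
    print(len(RAW_LOGS), "raw lines ->", len(kept), "events ->", alerts)
```

The single failed login from 192.0.2.44 followed by a success raises nothing, while the burst from 198.51.100.7 produces a threshold alert and a correlated incident.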
FORENSIC INVESTIGATIONS
NIST SP 800-96, Guide to Integrating Forensic Techniques into Incident Response, defines computer forensics, or
digital forensics, as the identification, collection, examination, and analysis of data while preserving the integrity
of the information and maintaining a strict chain of custody for the data.
• Computer forensic analysis is used for a number of reasons, including the following:
• To investigate crimes
• To investigate suspicious employee behavior
• To reconstruct serious security incidents
• To troubleshoot operational problems
• To support due diligence for audit record maintenance
• To recover from accidental system damage
LOCAL ENVIRONMENT MANAGEMENT
LOCAL ENVIRONMENT SECURITY
• An enterprise devotes much of its effort in developing security policies and procedures to addressing
enterprise-wide security issues.
• Most organizations have many different end-user environments, often across physical locations and comprising
individuals who use a wide range of technologies to handle information.
• There are significant differences in the knowledge, behavior, and actions of end users in different environments.
• End users employ a variety of corporate-issued and personally owned devices (in organizations that have bring
your own device [BYOD] policies).
Local Environment Profile
Security management and senior executives may not have a good grasp on the security issues in a local
environment, such as the value of information that employees have access to and use.
– Individuals:
– Business processes and information:
– Technology use:
– Location:
Local Security Coordination
• An enterprise must manage the twofold concern of ensuring that the enterprise-wide information security policy
is applied in the local environment and that policy elements are adapted to the local profile.
Information Security Coordinator
• An information security coordinator is responsible for developing and maintaining information security in the local
environment and coordinating this with the organization’s security executives and managers
• Developing the local environment profile
• Determining the best way to implement enterprise security policy in the local environment
• Ensuring that physical security arrangements are in place and adequate
• Assisting with communicating security policies and requirements to local end users and local management
• Coordinating end-user awareness training
• Coordinating area response to information security risk assessments
Information Protection Champion
• Identifying critical and sensitive information
• Assessing information risks in the local environment
• Selecting and implementing security controls to mitigate information risks
• Delivering information security awareness messages to promote information security in the local environment
LOCAL ENVIRONMENT MANAGEMENT BEST PRACTICES
The SGP breaks down the best practices in the local environment management category into two areas and five
topics.
Local environments
• This area deals with security issues in end-user environments and other local environments.
– Local environment profile:
– Local security coordination
Physical and environmental security
▪ Physical protection
▪ Power supplies
▪ Hazard protection
BUSINESS CONTINUITY
• A fundamental concern for all organizations is business continuity.
• An organization needs to perform essential functions during an emergency situation that disrupts normal
operations and resume normal operations in a timely manner after the emergency has ended.
• The International Organization for Standardization (ISO) has published a family of standards for business continuity
management
– ISO 22300, Security and Resilience—Vocabulary:
– ISO 22301, Business Continuity Management Systems—Requirements
– ISO 22313, Business Continuity Management Systems—Guidance:
– ISO 22317, Business Continuity Management Systems: Guidelines for Business Impact Analysis
Elements of Business Continuity Management
BUSINESS CONTINUITY CONCEPTS
Business continuity: The capability of an organization to continue delivering products or services at acceptable
predefined levels following a disruptive incident.
Natural Disasters
Threats in the natural disaster category include the following:
– Accidental fire
– Severe natural event
– Accidental flood
– Accidental failure of air conditioning
– Electromagnetic radiation.
Systems Problems
– Software malfunction
– Equipment malfunction/failure
– Breach of information system maintainability
Human-Caused Disasters
– Human-caused threats include the following:
• Theft of equipment
• Deliberate fire
• Deliberate flood
• Deliberate loss of power supply
• Destruction of equipment or media
• Unauthorized use of equipment
BUSINESS CONTINUITY PROGRAM
It encompasses the policies, procedures, management structure, and mechanisms for coordinating security activity.
Governance
– Executive management meets to define objectives and goals of a business continuity strategy and policy.
– Senior management appoints a business continuity director and a BCM steering committee.
– Business continuity specialists prepare a business/process effort chart, showing level of effort and time, as well as
a project plan.
Business Impact Analysis
• A BIA helps identify and prioritize information systems and components that are critical to supporting the
organization’s mission/business processes.
– Business processes
– Information systems/applications
– Assets
– Personnel
– Suppliers
Maximum Tolerable Downtime (MTD)
• The amount of time after which an organization’s viability is irrevocably threatened if product and service delivery
are not resumed.
Recovery Time Objective (RTO)
• The target time set for resumption of product, service, or activity delivery after an incident.
Recovery Point Objective (RPO)
• The amount of data that can be lost without severely impacting the recovery of operations or the point in time in
which systems and data must be recovered
BUSINESS CONTINUITY READINESS
Business continuity readiness refers to the capability of an organization and its assets to respond to, manage, and
recover from a disruptive event.
Awareness
• Establishing objectives of a BCM awareness and training program
• Identifying functional awareness and training requirements
• Recognizing appropriate internal and external audiences
• Developing awareness and training methodology
• Identifying, acquiring, or developing awareness tools
• Establishing the foundation for evaluating the program’s effectiveness
• Ensuring continual improvement of the BCM program
Training
✓ Training provides skills and familiarizes leadership and staff with the procedures and tasks to perform in
executing Continuity plans.
Business resilience
• It allows companies to adapt quickly to disruptions, maintain continuous business operations and safeguard
people, assets and brand equity.
– Recovery
– Hardening Redundancy
Business Continuity Plan

Business Continuity Objectives


• Minimize loss of life, injury, and property damage.
• Protect essential facilities, equipment, records, and assets.
• Meet the operational requirements of the respective organization
• Meet the sustainment needs of the respective organization
• Ensure the continuous performance of essential functions that require additional considerations beyond
traditional continuity planning
Case study on cloud and cryptographic vulnerabilities.
Key Incidents
1. Capital One Data Breach (2019):
• Incident: A misconfiguration in Capital One's cloud firewall allowed an attacker to exploit vulnerabilities, leading
to unauthorized access to personal information of approximately 100 million customers.
• Cause: The breach was attributed to a misconfigured web application firewall (WAF) that failed to block requests
from the attacker, who was able to execute commands to access sensitive data stored in AWS.
• Impact: The breach highlighted the risks associated with cloud misconfigurations and the importance of robust
security practices in cloud environments.
2. Life Insurance Mobile Application Vulnerability:
• Incident: A vulnerability in a life insurance mobile application allowed unauthorized access to sensitive user
information due to a hardcoded IP address pointing to an MQTT server.
• Cause: This security lapse originated from inadequate supply chain monitoring and poor coding practices.
• Impact: Attackers could gain access to live user activity and personally identifiable information (PII),
demonstrating the risks of insecure application development.
3. Amazon EC2 and S3 Cryptographic Flaw:
• Incident: Research identified a cryptographic vulnerability in Amazon's EC2 and S3 services that could allow
unauthorized access through compromised instances.
• Cause: The flaw was linked to inadequate integrity checks for instances, enabling attackers to duplicate legitimate
services.
• Impact: This incident underscored the need for robust cryptographic implementations and thorough security
assessments of cloud services.
Common Vulnerabilities in Cloud Computing
1. Misconfigurations:
• Incorrect settings in cloud applications can expose sensitive data and increase the attack surface. For example,
open ports or unsecured storage can lead to unauthorized access.
2. Insufficient Identity and Access Management (IAM):
• Weak password policies and lack of multi-factor authentication can result in unauthorized users gaining access to
sensitive data.
3. Insecure APIs:
• Poorly secured APIs can lead to injection attacks, data exposure, and privilege escalation. For instance, the Twitter
API breach exposed personal data due to inadequate security measures.
4. Data Breaches:
• Unauthorized access and extraction of sensitive information are prevalent risks in cloud environments, often
resulting from misconfigurations or weak access controls.
5. Cryptographic Failures:
• Using outdated or improperly implemented cryptographic protocols can jeopardize data security. Organizations
must ensure robust encryption practices are in place.
Recommendations for Mitigating Vulnerabilities
1. Regular Security Audits:
• Conduct periodic assessments of cloud configurations and security measures to identify vulnerabilities before
they can be exploited.
2. Implement Strong IAM Policies:
• Enforce strong password policies, multi-factor authentication, and role-based access controls to minimize
unauthorized access risks.
3. Secure API Development:
• Ensure that APIs are designed with security best practices in mind, including input validation and proper
authentication mechanisms.
4. Data Encryption:
• Implement strong encryption protocols for data at rest and in transit to protect sensitive information from
unauthorized access.
5. Continuous Monitoring:
• Utilize monitoring tools to detect unusual activities within cloud environments promptly, allowing for quick
incident response.
6. Education and Training:
• Provide ongoing training for developers and IT staff on secure coding practices and the importance of maintaining
secure cloud configurations.
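The periodic configuration assessment recommended above can be automated as a rule check over an inventory of cloud resources. The following is an added example, not part of the original notes: the inventory schema, field names and sample data are hypothetical and constructed for illustration, not a real provider API.

```python
"""Audit a constructed cloud inventory for misconfiguration, IAM and encryption gaps."""

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample inventory (hypothetical schema, assumption for this example).
INVENTORY = {
    "firewall_rules": [
        {"name": "web", "port": 443, "source": "0.0.0.0/0"},
        {"name": "admin-ssh", "port": 22, "source": "0.0.0.0/0"},
        {"name": "db", "port": 5432, "source": "10.0.1.0/24"},
    ],
    "buckets": [
        {"name": "public-site", "public": True, "encrypted": True, "sensitive": False},
        {"name": "customer-exports", "public": True, "encrypted": False, "sensitive": True},
        {"name": "backups", "public": False, "encrypted": False, "sensitive": True},
    ],
    "users": [
        {"name": "alice", "mfa": True, "roles": ["auditor"]},
        {"name": "bob", "mfa": False, "roles": ["admin"]},
    ],
}


def audit(inv):
    """Return findings as (severity, category, resource, message), worst first."""
    findings = []
    for rule in inv.get("firewall_rules", []):
        # Open management or database ports are the "open ports" case in the notes.
        if rule["source"] in ANYWHERE and rule["port"] in SENSITIVE_PORTS:
            service = SENSITIVE_PORTS[rule["port"]]
            findings.append(("high", "misconfiguration", rule["name"],
                             f"{service} port {rule['port']} open to any address"))
    for bucket in inv.get("buckets", []):
        if bucket["public"] and bucket["sensitive"]:
            findings.append(("high", "misconfiguration", bucket["name"],
                             "sensitive storage is publicly readable"))
        if bucket["sensitive"] and not bucket["encrypted"]:
            findings.append(("medium", "cryptography", bucket["name"],
                             "sensitive data is not encrypted at rest"))
    for user in inv.get("users", []):
        if not user["mfa"]:
            severity = "high" if "admin" in user["roles"] else "medium"
            findings.append((severity, "iam", user["name"],
                             "multi-factor authentication is not enabled"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for sev, cat, res, msg in audit(INVENTORY):
        print(f"[{sev.upper():6}] {cat:16} {res:18} {msg}")
```

Running such a check on every deployment, rather than only at audit time, is what turns the "regular security audits" recommendation into continuous monitoring.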
UNIT-V
SECURITY ASSESSMENT
Security Monitoring and Improvement-Security Audit-
Security Performance-Information Risk Reporting-
Information Security Compliance Monitoring-Security
Monitoring and Improvement Best Practices. – Case study on
vulnerability assessment using ACUNETIX.
SECURITY MONITORING AND IMPROVEMENT
SECURITY AUDIT
Security audit
An independent review and examination of a system’s records and activities to determine the adequacy of system
controls, ensure compliance with established security policy and procedures, detect breaches in security services,
and recommend any changes that are indicated for countermeasures.
Security audit trail
A chronological record of system activities that is sufficient
to enable the reconstruction and examination of the sequence
of environments and activities surrounding or leading to an
operation, procedure, or event in a security relevant transaction
from inception to final results.
1. Security Audit and Alarms Model
X.816 has developed a model that shows the elements
of the security auditing function and their relationships
to security alarms
2. Data to Collect for Auditing
• The choice of what data to collect should be based on a number of requirements.
• X.816 suggests auditing the following:
• Security events related to a specific connection:
1. Connection requests
2. Connection confirmed
3. Disconnection requests
4. Disconnection confirmed
5. Statistics appertaining to the connection
• Security events related to the use of security services:
1. Security service requests
2. Security mechanisms usage
3. Security alarms
• Security events related to management:
1. Management operations
2. Management notifications
• The list of auditable events should include at least the following:
• Deny access
• Authenticate
• Change attribute
• Create object
• Delete object
• Modify object
• Use privilege
• The following security-related events are important:
• Authentication: Verify success and verify fail
• Access control: Decide access success and decide access fail
• Non-repudiable origination of message, non-repudiable receipt of message, unsuccessful repudiation
of event, and successful repudiation of event
• Integrity: Use of shield, use of unshield, validate success, and validate fail
• Confidentiality: Use of hide and use of reveal
• Audit: Select event for auditing, deselect event for auditing, and change audit event selection criteria
As a security administrator designs an audit data collection policy, it is useful to organize the audit trail into
categories for purposes of choosing data items to collect:
• System-Level Audit Trails
• Application-Level Audit Trails
• User-Level Audit Trails
• Network-Level Audit Trails
• Physical Access Audit Trails
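The audit trail definition and the auditable-event list above can be made concrete with a small recorder. The following is an added example, not part of the original notes or of X.816: the class, field names and alarm threshold are assumptions, and the sample events are constructed. It applies an event selection policy, chains each record to the previous one with SHA-256 so later edits are detectable, and raises an alarm on repeated failed authentication.

```python
"""Minimal audit trail: event selection, hash-chained records, one alarm rule."""
import hashlib
import json

# Event types taken from the auditable-event list in the notes above.
AUDITABLE = {"deny_access", "authenticate", "change_attribute", "create_object",
             "delete_object", "modify_object", "use_privilege"}
FIELDS = ("ts", "subject", "event", "outcome", "object")


class AuditTrail:
    def __init__(self, selected=AUDITABLE, fail_threshold=3):
        self.selected = set(selected)        # audit event selection criteria
        self.fail_threshold = fail_threshold  # assumed alarm threshold
        self.records = []
        self.alarms = []

    @staticmethod
    def _digest(body, prev):
        data = json.dumps(body, sort_keys=True) + prev
        return hashlib.sha256(data.encode()).hexdigest()

    def log(self, ts, subject, event, outcome, obj=""):
        """Append a record if the event type is selected for auditing."""
        if event not in self.selected:
            return False
        body = dict(zip(FIELDS, (ts, subject, event, outcome, obj)))
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        self.records.append({**body, "prev": prev, "hash": self._digest(body, prev)})
        if event == "authenticate" and outcome == "fail":
            self._check_alarm(subject)
        return True

    def _check_alarm(self, subject):
        """Alarm when the subject's last N authentication events all failed."""
        auth = [r for r in self.records
                if r["subject"] == subject and r["event"] == "authenticate"]
        recent = auth[-self.fail_threshold:]
        if len(recent) == self.fail_threshold and all(r["outcome"] == "fail" for r in recent):
            self.alarms.append((recent[-1]["ts"], subject, "repeated authentication failure"))

    def verify(self):
        """Return the index of the first record that breaks the chain, or -1."""
        prev = "0" * 64
        for i, r in enumerate(self.records):
            body = {k: r[k] for k in FIELDS}
            if r["prev"] != prev or r["hash"] != self._digest(body, prev):
                return i
            prev = r["hash"]
        return -1


def demo():
    """Build a trail from constructed sample events (not from a real system)."""
    trail = AuditTrail()
    trail.log(1, "mallory", "authenticate", "fail")
    trail.log(2, "alice", "authenticate", "success")
    trail.log(3, "mallory", "authenticate", "fail")
    trail.log(4, "alice", "read_object", "success", "report.pdf")  # not selected
    trail.log(5, "mallory", "authenticate", "fail")
    trail.log(6, "alice", "delete_object", "success", "old.log")
    return trail
```

A hash chain only detects edits while the latest hash is kept somewhere the log writer cannot change, so the chain head should be stored or forwarded separately from the trail itself.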
3. Internal and External Audit
• A sound auditing policy includes both internal security audits and external security audits. Internal audits are
carried out by the organization itself, typically on a quarterly basis or after a significant security event.
Internal security audit
• An audit conducted by personnel responsible to the management of the organization being audited.
External security audit
• An audit conducted by an organization independent of the one being audited.
4. Security Audit Controls
• A useful guide to developing a security audit program is the family of audit controls defined in SP 800-53, Security
and Privacy Controls for Federal Information Systems and Organizations.
1. Audit and accountability policy and procedures
2. Audit events
3. Content of audit records
4. Audit storage capacity
5. Response to audit processing failures
6. Audit review, analysis, and reporting
7. Audit reduction and report generation
8. Protection of audit information
9. Audit record retention
SECURITY PERFORMANCE
• Security performance is the measurable result of security controls applied to information systems and supporting
information security programs.
• The Information Security Forum’s (ISF’s) Standard of Good Practice for Information Security (SGP) defines the security
performance function
• Security monitoring and reporting: Consists of monitoring security performance regularly and reporting to specific
audiences, such as executive management
• Information risk reporting: Consists of producing reports relating to information risk and presenting them to
executive management on a regular basis
• Information security compliance monitoring: Consists of information security controls derived from regulatory and
legal drivers and contracts, used to monitor security compliance
1. Security Performance Measurement
• Security performance: The measurable result of security controls applied to information systems and
supporting information security programs.
• Security performance metric: A variable related to security performance to which a value is assigned as the
result of measurement.
• Strategic support: Assessments of security properties can be used to aid in different kinds of decision making,
such as program planning, resource allocation, and product and service selection.
• Quality assurance: Security metrics can be used during the software development life cycle to eliminate
vulnerabilities
• Tactical oversight: Monitoring and reporting of the security status
Sources of Security Metrics
• A security officer or a group responsible for developing a set of metrics for security performance assessment
draws on several authoritative sets.
• Performance and conformance: Collect, validate, and evaluate business, IT, and process goals and metrics
• System of internal control: Continuously monitor and evaluate the control environment, including self-
assessments and independent assurance reviews.
• Compliance with external requirements: Evaluate whether IT processes and IT-supported business processes
are compliant with laws, regulations, and contractual requirements
2. Information Security Metric Development Process
It shows how this process takes place within a larger organizational context and demonstrates that information
security metrics are used to progressively measure implementation, efficiency, effectiveness, and the business
impact of information security activities within organizations or for specific systems
3. Security Monitoring and Reporting
The objective of security monitoring and reporting is to provide each audience with a relevant, accurate,
comprehensive, and coherent assessment of information security performance
• Establish a monitoring approach
• Set performance and conformance targets.
• Collect and process performance and conformance data.
• Analyze and report performance.
• Ensure the implementation of corrective actions
4. Information Risk Reporting
• The objective of security monitoring and reporting is to provide each audience with a relevant, accurate,
comprehensive, and coherent assessment of information security performance.
• COBIT 5 provides specific guidance on security monitoring and reporting based on the three processes defined
as performance and conformance, system of internal control, and compliance with external requirements
• COBIT 5 defines the following steps:
• Establish a monitoring approach
• Set performance and conformance targets
• Collect and process performance and conformance data
• Analyze and report performance
• Ensure the implementation of corrective actions
• Monitor internal controls
• Review business process controls effectiveness
INFORMATION RISK REPORTING
• Risk reporting is a process that produces information systems reports that address threats, capabilities,
vulnerabilities, and inherent risk changes.
• Risk reporting describes any information security events that the institution faces and the effectiveness of
management’s response to and resilience in the face of those events.
• The Information Systems Audit and Control Association (ISACA) has developed useful guidance on information
risk reporting, based on COBIT 5
• Process: A collection of practices influenced by the enterprise’s policies and procedures that takes inputs from a
number of sources.
• Activity: The main action taken to operate the process, which provides guidance to achieve management
practices for successful governance and management of enterprise IT Activities.
INFORMATION SECURITY COMPLIANCE MONITORING
The objective of information security compliance monitoring is to ensure that information security controls are
consistently prioritized and addressed according to information security obligations associated with legislation,
regulations, contracts, industry standards, or organizational policies.
COBIT 5 Guidelines
• COBIT 5 provides specific guidance on security monitoring and reporting for compliance with external
requirements.
• Identify external compliance requirements. On a continuous basis, identify and monitor for changes in local and
international laws, regulations, and other
• Optimize response to external requirements. Review and adjust policies, principles, standards, procedures, and
methodologies to ensure that legal, regulatory, and contractual requirements are addressed and
communicated.
• Confirm external compliance. Confirm compliance of policies, principles, standards, procedures, and
methodologies with legal, regulatory, and contractual requirements.
• Obtain assurance of external compliance. Obtain and report assurance of compliance and adherence with
policies, principles, standards, procedures, and methodologies. Confirm that corrective actions to address
compliance gaps are closed in a timely manner.
Compliance Strategy
The following steps constitute a general approach to information security compliance monitoring:
• Identify key stakeholders and/or partners across the organization who regularly deal with institutional
compliance issues.
• Identify key standards, regulations, contractual commitments, and other areas that address specific
requirements for security and privacy.
• Perform a high-level gap analysis of each compliance requirement that is applicable to determine where
progress needs to be made.
• Develop a prioritized action plan that will help organize remedial efforts.
• Develop a compliance policy, standard, roles and responsibilities, and/or procedures in collaboration with other
key stakeholders
SECURITY MONITORING AND IMPROVEMENT BEST PRACTICES
The SGP breaks down the best practices in the security monitoring and improvement category into two areas
and eight topics and provides detailed checklists for each topic.
• Security audit: This area provides guidance for conducting thorough, independent, and regular audits of the
security status of target environments.
• Security audit management: The objective of this topic is to ensure that security controls have been
implemented effectively and that risk is being adequately managed and to provide the owners of target
environments
Security audit process—planning
Security audit process—fieldwork
Security audit process—reporting
Security audit process—monitoring
• Security performance: This area provides guidance for monitoring information risks; compliance with the
security-related elements of legal, regulatory, and contractual requirements
• Security monitoring and performance: The objective of this topic is to ensure that there is a reporting function
that provides selected audiences with a relevant, accurate, comprehensive, and coherent assessment of
information security performance.
• Information risk reporting: The objective of this topic is to ensure that there is a reporting function that
provides executive management with an accurate, comprehensive, and coherent view of information risk across
the organization
• Information security compliance monitoring: This topic provides guidelines for a security management process
that should be established, which comprises information security controls derived from regulatory and legal
drivers and contracts.
Case study on vulnerability assessment using ACUNETIX
This case study explores the use of Acunetix, a prominent web vulnerability scanner, to assess vulnerabilities in
web applications. Acunetix automates the identification of security issues, providing organizations with insights
into potential risks associated with their web applications.
Background
• Client Profile: A financial services company that manages sensitive customer data and transactions through its
web applications. The organization sought to enhance its security posture by identifying and addressing
vulnerabilities before they could be exploited.
Challenges:
• Ensuring the security of multiple web applications against a backdrop of increasing cyber threats.
• Complying with industry regulations and standards for data protection.
• Reducing the time and resources spent on manual vulnerability assessments.
Methodology
1. Preparation:
• The organization implemented Acunetix to conduct regular vulnerability assessments of its web applications.
• Initial configurations included setting up scanning parameters, defining the scope, and integrating Acunetix with
the existing CI/CD pipeline for continuous testing.
2. Scanning Process:
• Automated Vulnerability Scanning: Acunetix performed automated scans to identify common vulnerabilities such
as SQL injection, Cross-Site Scripting (XSS), and security misconfigurations.
• Dynamic Application Security Testing (DAST): The tool employed DAST techniques to analyze running applications
without requiring access to the source code.
• Integration with Issue Trackers: Vulnerabilities identified during scans were automatically logged into the
organization’s issue tracking system for timely remediation.
3. Reporting:
• Acunetix generated detailed reports categorizing vulnerabilities by severity levels (high, medium, low) and
provided remediation guidance.
• Reports included information on potential impacts, exploitability, and links to relevant resources for further
investigation.
Results
• Vulnerability Identification: The scanning process revealed several critical vulnerabilities, including:
• SQL Injection: Several endpoints were found vulnerable to SQL injection attacks due to improper input validation.
• Cross-Site Scripting (XSS): Multiple instances of XSS vulnerabilities were detected, allowing attackers to inject
malicious scripts into web pages viewed by users.
• Insecure Direct Object References (IDOR): Some APIs were identified as lacking proper access controls, enabling
unauthorized users to access sensitive data.
• Improved Security Posture: Following remediation efforts based on Acunetix findings: The organization patched
critical vulnerabilities within weeks of identification.
• Enhanced security measures were implemented across all web applications, significantly reducing the risk of
exploitation.
• Efficiency Gains: The automated nature of Acunetix allowed the organization to conduct vulnerability
assessments more frequently and efficiently, reducing reliance on manual testing processes.
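Two of the finding classes reported above, SQL injection and IDOR, come down to small code-level differences that remediation has to address. The following is an added example, not code from the case study or from Acunetix: the table, handler names and sample data are constructed, and each flawed handler is shown beside its corrected form using an in-memory SQLite database.

```python
"""SQL injection and IDOR: flawed handlers beside corrected ones (sqlite3, in-memory)."""
import sqlite3


def make_db():
    """Create constructed sample data (hypothetical accounts table)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [(1, "alice", 500), (2, "bob", 900), (3, "carol", 120)])
    return db


def find_by_owner_unsafe(db, owner):
    # FLAWED: input is concatenated into the SQL text, so it can alter the query.
    sql = f"SELECT id, owner FROM accounts WHERE owner = '{owner}'"
    return db.execute(sql).fetchall()


def find_by_owner_safe(db, owner):
    # FIXED: bound parameter; the input is only ever compared as a value.
    sql = "SELECT id, owner FROM accounts WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()


def get_account_unsafe(db, session_user, account_id):
    # FLAWED (IDOR): the caller is authenticated, but ownership is never checked.
    sql = "SELECT id, owner, balance FROM accounts WHERE id = ?"
    return db.execute(sql, (account_id,)).fetchone()


def get_account_safe(db, session_user, account_id):
    # FIXED: the lookup is scoped to the authenticated user, so a guessed id
    # belonging to someone else returns nothing.
    sql = "SELECT id, owner, balance FROM accounts WHERE id = ? AND owner = ?"
    return db.execute(sql, (account_id, session_user)).fetchone()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed test input for a regression check
    print("unsafe query rows:", len(find_by_owner_unsafe(db, probe)))
    print("safe query rows:  ", len(find_by_owner_safe(db, probe)))
    print("unsafe read of another user's account:", get_account_unsafe(db, "alice", 2))
    print("safe read of another user's account:  ", get_account_safe(db, "alice", 2))
```

Keeping such paired checks as regression tests lets the CI/CD-integrated scans confirm that a remediated finding stays fixed.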
