COMP 324 : INFORMATION SYSTEMS SECURITY

Course Content
Key concepts in Information Security. Information Security in Networked Enterprises. Threats and
vulnerabilities analysis. Effective System Administration. Policies. Risk management. ICT Security
planning. Operational issues in ICT security (incident handling, training, backups etc). Physical security.
Personnel issues. Types and uses of security devices. Business Continuity and Disaster Recovery
Planning. Network Security; (identification and authentication, logical access control, Routers, Proxies,
and Firewalls audit trails and cryptography). Security for Electronic Commerce, Financial Networks,
Intranets and Extranets. Security Across Different Operating Systems and Platforms. Detection of security
breaches.
Assessment
Continuous Assessment Tests (CATs): 40%
End of Semester Written Examinations: 60%

Learning Materials

Information Systems Security Handbook -Isaca

1
LECTURE 1
Key concepts in Information Security
Information security is the practice of defending information from unauthorized access, use, disclosure,
disruption, modification, perusal, inspection, recording or destruction.
It is also defined as preservation of confidentiality, integrity and availability of information. Other
properties, such as authenticity, accountability, non-repudiation and reliability can also be involved.
Two major aspects of information security are:
 IT security: (Also computer security), It is responsible for keeping all of the technology within
the company secure from malicious cyber attacks that often attempt to breach into critical private
information or gain control of the internal systems.
 Information assurance: The act of ensuring that data is not lost when critical issues arise. These
issues include: natural disasters, computer/server malfunction, physical theft, or any other
instance where data has the potential of being lost.

Basic principles
Confidentiality
Is a set of rules or a promise that limits access or places restrictions on certain types of information.
Confidentiality refers to limiting information access and disclosure to authorized users -- "the right
people" -- and preventing access by or disclosure to unauthorized ones -- "the wrong people."
Authentication methods like user-IDs and passwords, that uniquely identify data systems' users and
control access to data systems' resources, underpin the goal of confidentiality.

Integrity
 Data integrity means maintaining and assuring the accuracy and consistency of data over its entire
life-cycle.
 Data cannot be modified in an unauthorized or undetected manner.
 Integrity is violated when a message is actively modified in transit.

Availability
This means that the computing systems used to store and process the information, the security controls
used to protect it, and the communication channels used to access it must be functioning correctly.
 High availability systems aim to remain available at all times, preventing service disruptions due to
power outages, hardware failures, and system upgrades.
 Ensuring availability involves preventing denial-of-service attacks, such as a flood of incoming
messages to the target system essentially forcing it to shut down.

Non-repudiation
It implies that one party of a transaction cannot deny having received a transaction nor can the other party
deny having sent a transaction.

Why is security difficult?

 Data is handled by many people.

 Data networks cover large geographical areas
 There are many threats to information systems
 It is difficult to learn through experience
 It is not possible to measure cost benefit analysis
 Policies are difficult to implement as many people see security as a nuisance / causing
inconvenience.
2
Common Terms
 Risk is the likelihood that something bad will happen that causes harm to an informational asset (or
the loss of the asset).
 Vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.
 A threat is anything (manmade or act of nature) that has the potential to cause harm.
 The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does
use a vulnerability to inflict harm, it has an impact
 Impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income,
loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks,
nor is it possible to eliminate all risk. The remaining risk is called "residual risk".
 A risk assessment is carried out by a team of people who have knowledge of specific areas of the
business.

The risks in information systems

 Physical loss of data. You may lose immediate access to your data for reasons ranging from floods to
loss of electric power. You may also lose access to your data for more subtle reasons: the second disk
failure, for example, while your RAID array recovers from the first.
 Unauthorized access to your own data and client or customer data. Remember, if you have
confidential information from clients or customers, you’re often contractually obliged to protect that
data as if it were your own.
 Interception of data in transit. Risks include data transmitted between company sites, or between the
company and employees, partners, and contractors at home or other locations.
 Your data in someone else’s hands. Do you share your data with third parties, including contractors,
partners, or your sales channel? What protects your data while it is in their hands?
 Data corruption. Intentional corruption might modify data so that it favors an external party: think
Trojan horses or keystroke loggers on PCs. Unintentional corruption might be due to a software error
that overwrites valid data.
 Email Interception
 Email Spoofing
 Web Data Interception
 Network & Volume Invasion
 Marketing Data / Spam & Junk Mail
 Viruses, Worms, Trojan Horses
 Password Cracking
 Mail bomb
 Denial of Service (DoS)
 Piracy of Intellectual Property

Information Security Principles of Success

1. There Is No Such Thing as Absolute Security - Given enough time, tools, skills, and inclination, a
hacker can break through any security measure
2. CIA triad - Protect the confidentiality of data
3. Defense in depth - Security implemented in overlapping layers that provide the three elements needed
to secure assets: prevention, detection, and response. The weaknesses of one security layer are offset
by the strengths of two or more layers

3
4. When Left on Their Own, People Tend to Make the Worst Security Decisions - Takes little to
convince someone to give up their credentials in exchange for trivial or worthless goods.
 Many people are easily convinced to double-click on the attachment
5. Functional and Assurance Requirements - Functional requirements - Describe what a system should
do.
 Assurance requirements - Describe how functional requirements should be implemented and
tested

Does the system do the right things in the right way?

 Verification: the process of confirming that one or more predetermined requirements or
specifications are met
 Validation: a determination of the correctness or quality of the mechanisms used in meeting the
needs
6. Security Through Obscurity Is Not an Answer - Many people believe that if hackers don’t know how
software is secured, security is better. Although this seems logical, it’s actually untrue. Obscuring
security leads to a false sense of security, which is often more dangerous than not addressing security
at all
7. Security = Risk Management:- Security is not concerned with eliminating all threats within a system
or facility but with eliminating known threats and minimizing losses if an attacker succeeds in
exploiting a vulnerability.
Risk analysis and risk management are central themes to securing information systems.
Risk assessment and risk analysis are concerned with placing an economic value on assets to best
determine appropriate countermeasures that protect them from losses
8. Security Controls: Preventative, Detective, and Responsive - A security mechanism serves a
purpose by preventing a compromise, detecting that a compromise or compromise attempt is
underway, or responding to a compromise while it is happening or after it has been discovered.
9. Complexity Is The Enemy of Security: The more complex a system gets, the harder it is to secure
10. Fear, Uncertainty, and Doubt (FUD) Do Not Work in Selling Security: Information security managers
must justify all investments in security using techniques of the trade.
11. When spending resources can be justified with good, solid business rationale, security requests are
rarely denied.
12. People, process, and technology controls are essential elements of security practices including
operations security, applications development security, physical security, and cryptography
13. Open Disclosure of Vulnerabilities Is Good for Security:- Keeping a given vulnerability secret from
users and from the software developer can only lead to a false sense of security. The need to know
trumps the need to keep secrets in order to give users the right to protect themselves
14. Computer security specialists must not only know the technical side of their jobs but also must
understand the principles behind information security
These principles are mixed and matched to describe why certain security functions and operations exist in
the real world of IT

Exercise
What are the elements of a good security program?
Why is it difficult to secure information systems?

Information Security in Networked Enterprises

Your typical security engineer may say it must have firewalls, intrusion detection or any number of
security focused technologies.

4
Meanwhile a security tester may suggest that it is conducting penetration testing to provide assurances
that security widgets are working well.

Information security is about adopting the right measures and controls for a given entity at a given point
in time. Threats change and vulnerabilities are introduced or removed, demanding that security evolves
simply to keep pace.

1: Appointing a security officer

Every organization should assign a security officer even if the role is given to an individual who wears
multiple hats. Larger organizations may establish a dedicated position - the chief security officer who
presides over a team of specialists addressing the different areas of information security.
The security officer is the central point for managing proactive and reactive information security tasks.
The day to day activities for the individual resources that work in the domain will depend on the size and
focus of an organization but ultimately the security officer role should be accountable for the following:
 Strategy -- identifying the security posture an organisation wishes to maintain and how this will be
achieved.
 Operations -- monitoring of security alerts and management of security assets, for example intrusion
detection, jump hosts, firewalls and scanning tools.
 Architecture -- ensuring security is designed into the businesses technology and processes.
 Consultation -- providing consultation to projects or business units by way of requirements, reviews,
recommendations and risk assessment.
 Analysis -- researching products or specific technical issues to assist in provisioning of technology or
remediation of vulnerabilities.
 Testing -- providing security testing such as penetration testing for projects and rolling assurance
exercises.
 Emergency Response -- responding to emergency security incidents such as the compromise of
information assets or the loss of service through a denial of service attack.
 Programme manager -- acting as the business sponsor for a rolling security programme of work.

2: Security reporting
Reporting provides a "heartbeat" for information security across an organisation. It ensures the right
people remain up to date on the latest incidents, threats and initiatives that will influence the security
posture.
Regular reporting ensures those that are accountable for securing information assets are aware of the risks
they may have inherited and the rigour in the controls that protect them.
Security reports must be written for their audience and this is an area where security professionals often
fall down.
The content must be accurate but presented at a level that can be consumed by the target audience.
Reports destined for technologists with an appreciation of the hands on should be literal and explain any
vulnerabilities and controls in technical terms.
Those intended for managers with a technical background should be explained conceptually and include
references to technical detail that supports any conclusions.
Those intended for parties outside the technology group such as the CEO or chief risk officer should
wholly focus on the business impact where the conclusions are justified by a well-designed and
established.

3: Develop governance
For an organisation to maintain a consistent security posture people within that organisation must have
clear instructions that tells them how to behave. Governance ensures that people are aware how they
5
should conduct themselves and if well constructed encourages them to behave in a way that maintains or
may even improve security. There are useful standards such as those produced by International Standards
Organisation, National Institute for Standards and Technology and the Government Communications .

4: Develop a security incident management plan

Every organisation will experience a security incident. The impact of that incident and the likelihood of it
repeating is directly impacted by how an organisation manages it.
 Was the incident clearly identified, validated and contained?
 Was the vulnerability that led to it identified and is there a plan to remediate or apply additional
countermeasures?
 Was the incident reported to an appropriate authority inside the organisation and do any external
parties need to be notified?
These are but a few questions that are answered through a well formed security incident management
plan.
The plan should identify a front door for people reporting potential incidents. From there it should define
an auditable process that validates the incident and initiates a response team well placed to deal with it.
The owner of the plan is the security officer who remains a central part of the response team.
The plan will dictate how the incidents progress is recorded and what if any information is disclosed to a
wider audience. Typically it will empower the response team to operate outside governance, bypassing
change control and other processes that are designed for business as usual rather than an unforeseen
emergency.

5: Initiate a security programme of work

Security initiatives require a vehicle to carry them through design, build and implementation. Grouping
them all in a single program of work allows for budgets to be managed more easily and ensures the
investment in information security is transparent. Upgrades of security devices such as firewalls and
antivirus may be included in the programme, as well as any capital investment in information security,
such as an identity and access management system.
The security programme should be primarily focussed on enhancing information security and be funded at
a level that an organisation considers appropriate. The security officer should have a list of initiatives in
order of priority and the allocated budget should fund those at the top of the list.

6: Assess the security of all initiatives

An unfortunately common observation is that organisations invest heavily in security controls in one area
but due to budgetary constraints ignore others. For example the website may have extensive technical
controls and receive frequent security testing while the "trusted" third party connections are left
unchecked. Often this is due to incorrect assumptions being made by the business on what the security
implications of an action are.
A security assessment should be focused on empowering the business to decide whether an initiative
should progress, change direction, be reviewed at a more detailed level or in the most severe cases be
halted.

7: Complete period-based assurance tasks

While assessing the security of all initiatives is a proactive way of ensuring security is built in, it is also
important to be reactive. With the best intent and design, it is possible for vulnerabilities to be introduced
into a technical environment through human error or as the result of an aggregation of technical
anomalies. Completing periodic assurance tasks is intended to identify and manage vulnerabilities that
may not have been foreseen.

6
One of the most commonly practiced assurance measures is penetration testing. It provides a high level of
assurance that the tested technology would be resistant to a targeted attack by an skilled attacker. It is
however relatively expensive and often tightly scoped. Given the specialized nature of security testing it
could be worth considering using a third party security practitioner. A practitioner can ensure that the
scope is appropriate and that the tester is reputable.

8: Provide security training

Security training is a widely recognised requirement for a mature organisation; but all too often the bare
minimum is provided, such as an induction session which ensures everyone knows they shouldn't write
their password down.
Induction training is a great idea but beyond making people aware of the security policy, it should be
different for different roles. Members of the executive face different threats and employ different
countermeasures to those holding a position on the help-desk. The former will likely require a one on one
sessions while the later may be inducted as part of a group.
While security training may seem expensive, it is probably one of the best returns on investment for an
organisation. Guarding against one phishing attempt may be the difference between winning the next big
contract or recovering from an embarrassing information leak.

9: Develop a whistleblower process

Securing an organisation is not limited to the practices of security specialists. It includes everyone from
those cleaning the office (often with unparalleled access) to those on the board. It includes partner
organisations and their staff and their partners and so the list goes on. Along with supporting (or
opposing) security controls, staff and third party affiliates are a useful source of information about
security events. They may observe vulnerabilities or even be aware of vulnerabilities being exploited.
This information is extremely valuable and should be captured and processed to aid in improving ones
security posture.
Reporting of shortcomings is not always something that a hierarchy does particularly well. There is little
incentive for a middle manager to report a shortcoming in an area he/she is responsible for. It may lead to
embarrassment or additional work and for these reasons potential risks can be swept under the rug. A
solution is to develop a whistleblower process which allows anyone to report a perceived security issue to
an information security authority in confidence; without fear of repercussions.

10: Consider security functionally

A challenge that faces many organizations’ is the apparent power that security practitioners require to do
their job. They often have super user rights on a system to provide oversight or control access and they
often report to senior management even though they aren't necessarily executive level managers
themselves. Security is a functional requirement rather than a hierarchical one.
In designing security roles and responsibilities the function of that role must be considered as a focus on
hierarchy will weaken an organization’s ability manage information security well. It can mean the
removal of critical information flows as security reports are summarized into something more general. It
can risk unnecessary spending on security products to imply progress in the absence of consultation to the
right level.
NB
In order for each of these items to be effective they must involve an experienced security practitioner and
such people aren't that easy to find.
Engineers can build the firewalls and testers can break them but in the first instance someone is required
who can decide whether the firewall is required or not.

CAT 1

7
a) What is a honeypot? Give advantages of honeypots. [5 MKS]
b) Explain any five tools/ products you would use in monitoring network security. [5 MKS]
c) How do you fight hackers in a network? [5 MKS]
d) Explain how stack and buffer overflow is a threat to operating systems. [5 MKS]

Lecture 2 –

Threat/Vulnerability Assessments and Risk Analysis

All facilities face a certain level of risk associated with various threats. These threats may be the result of
natural events, accidents, or intentional acts to cause harm. Regardless of the nature of the threat, facility
owners have a responsibility to limit or manage risks from these threats to the extent possible.

Threat Assessment

The first step in a risk management program is a threat assessment. A threat assessment considers the full
spectrum of threats (i.e., natural, criminal, terrorist, accidental, etc.) for a given facility/location.

The assessment should examine supporting information to evaluate the likelihood of occurrence for each
threat. For natural threats, historical data concerning frequency of occurrence for given natural disasters
such as tornadoes, hurricanes, floods, fire, or earthquakes can be used to determine the credibility of the
given threat.

Vulnerability Assessment

Once the credible threats are identified, a vulnerability assessment must be performed. The vulnerability
assessment considers the potential impact of loss from a successful attack as well as the vulnerability of
the facility/location to an attack. Impact of loss is the degree to which the mission of the agency is
impaired by a successful attack from the given threat. A sample set of definitions for impact of loss is
provided below. These definitions are for an organization that generates revenue by serving the public.

 Devastating: The facility is damaged/contaminated beyond habitable use. Most items/assets are
lost, destroyed, or damaged beyond repair/restoration. The number of visitors to other facilities in
the organization may be reduced by up to 75% for a limited period of time.
 Severe: The facility is partially damaged/contaminated. Examples include partial structure breach
resulting in weather/water, smoke, impact, or fire damage to some areas. Some items/assets in the
facility are damaged beyond repair, but the facility remains mostly intact. The entire facility may
be closed for a period of up to two weeks and a portion of the facility may be closed for an
extended period of time (more than one month). Some assets may need to be moved to remote
locations to protect them from environmental damage. The number of visitors to the facility and
others in the organization may be reduced by up to 50% for a limited period of time.
 Noticeable: The facility is temporarily closed or unable to operate, but can continue without an
interruption of more than one day. A limited number of assets may be damaged, but the majority

8
 of the facility is not affected. The number of visitors to the facility and others in the organization
may be reduced by up to 25% for a limited period of time.
 Minor: The facility experiences no significant impact on operations (downtime is less than four
hours) and there is no loss of major assets.

Vulnerability is defined to be a combination of the attractiveness of a facility as a target and the level of
deterrence and/or defense provided by the existing countermeasures. Target attractiveness is a measure of
the asset or facility in the eyes of an aggressor and is influenced by the function and/or symbolic
importance of the facility. Sample definitions for vulnerability ratings are as follows:

 Very High: This is a high profile facility that provides a very attractive target for potential
adversaries, and the level of deterrence and/or defense provided by the existing countermeasures
is inadequate.
 High: This is a high profile regional facility or a moderate profile national facility that provides
an attractive target and/or the level of deterrence and/or defense provided by the existing
countermeasures is inadequate.
 Moderate: This is a moderate profile facility (not well known outside the local area or region)
that provides a potential target and/or the level of deterrence and/or defense provided by the
existing countermeasures is marginally adequate.
 Low: This is not a high profile facility and provides a possible target and/or the level of
deterrence and/or defense provided by the existing countermeasures is adequate.

RISK MANAGEMENT
Risk Analysis is a process of evaluating the probability of hazardous events

Risk: is a quantified measure of the likelihood of a threat being realised.

 The strength of an information infrastructure depends on how well information resources are
managed--what, how, where, and for whom sources of information are established and made
available for reuse
 To say Risk Analysis is an important issue is an understatement. It is difficult to quantify the losses
suffered each year by businesses arising from the use and misuse of Information Systems (IS)
IS risk analysis is the process of:

 identifying potential causes of loss;

 designing and implementing controls to prevent them, and, should these fail;
 Designing and implementing controls to detect any occurrences and to minimize their effect.
Risk Analysis involves the identification and assessment of the levels of risk, calculated from the

 Values of assets
 Threats to the assets
 Their vulnerabilities and likelihood of exploitation
Risk Management involves the identification, selection and adoption of security measures justified by

◦ The identified risks to assets

◦ The reduction of these risks to acceptable levels

9
Risk Analysis and Management

An agreed upon framework is:-

To asses risk:-

 use a risk matrix to evaluate threat & counter-measure

 use a risk management model to manage threat

Responses to Risk

You respond to a risk by either:-

 Avoid it completely by withdrawing from an activity

 Accept it and do nothing
 Reduce it with security measures
10
  Transfer – Involves a third-party liability taking/ insurance.

DESIGNING RISK ANALYSIS

When designing a risk analysis for information systems, the following components can be considered:

 People--the information users and producers who direct, prioritize, interpret, and apply data and
information to policy problems
 Documents, databases, and other information entities that hold information and data collections
 Information processes such as collection, storage, retrieval, dissemination, communication, and
display
 Information technologies--the know-how for manipulating and accessing information, including the
conceptual, statistical, and model-building structures that aggregate and process data and produce
information content, as well as mechanisms, people, and/or systems that provide intellectual, physical, and
economical access to information

Security Models
A security policy is a document that expresses clearly and concisely what the protection
mechanisms are to achieve.

A security model is a specification of a security policy:

 it describes the entities governed by the policy,

 It states the rules that constitute the policy.
There are various types of security models:

 Models can capture policies for confidentiality (Bell-LaPadula) or for integrity (Biba, Clark-
Wilson).
 Some models apply to environments with static policies (Bell-LaPadula), others consider
dynamic changes of access rights (Chinese Wall).
 Security models can be informal (Clark-Wilson), semi-formal, or formal (Bell-LaPadula,
Harrison-Ruzzo-Ullman).
Model vs Policy

 A security model maps the abstract goals of the policy to information system terms by specifying
explicit data structures and techniques that are necessary to enforce the security policy. A security
model is usually represented in mathematics and analytical ideas, which are then mapped to
system specifications, and then developed by programmers through programming code
 For Example, if a security policy states that subjects need to be authorized to access objects, the
security model would provide the mathematical relationships and formulas explaining how x can
access y only through the outlined specific methods
 A security policy outlines goals without regard to how they will be accomplished. A model is a
framework that gives the policy form and solves security access problems for particular
situations.
Note

11
SECURITY DESIGN PRINCIPLES

Security is a system requirement just like performance, capability, cost, etc. Therefore, it may be
necessary to trade off certain security requirements to gain others.

Principles of Secure Design

 Design security in from the start

 Allow for future security enhancements
 Minimize and isolate security controls
 Employ least privilege
 Structure the security relevant features
 Make security friendly
 Don’t depend on secrecy for security
 Economy of mechanism- Should be sufficiently small and as simple as to be verified and
implemented – e.g., security kernel. Complex mechanisms should be correctly Understood,
Modeled, Configured, Implemented and Used
 Complete mediation- Every access to every object must be checked
 Psychological acceptability- User interface must be easy to use, so that users routinely and
automatically apply the mechanisms correctly. Otherwise, they will be bypassed
 Fail-safe defaults- Should be lack of access

Principles for Software Security

 Secure the weakest link

 Practice defense in depth
 Fail securely- If your software has to fail, make sure it does it securely
 Follow the principle of least privilege-
 Compartmentalize- Minimize the amount of damage that can be done by breaking the system into
units
 Keep it simple- Complex design is never easy to understand
 Promote privacy- Try not to do anything that compromises the privacy of the user
 Remember that hiding secrets is hard
12
  Be reluctant to trust- Instead of making assumptions that need to hold true, you should be
reluctant to extend trust
 Use your community resources- Public scrutiny promotes trust

CONTROLS
Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks
relating to personal property, or any company property.

The control environment sets the tone of an organization, influencing the control consciousness of its people. It
is the foundation for all other components of internal control, providing discipline and structure. Control
environment factors include the integrity, ethical values, and competence of the entity’s people; management’s
philosophy and operating style; and the way management assigns authority and organizes and develops its
people

Activity phase controls can be classified as follows:

• Preventative controls exist to prevent the threat from coming in contact with the weakness.
• Detective controls exist to identify that the threat has landed in our systems.
• Corrective controls exist to mitigate or lessen the effects of the threat being manifested.

Organizational Controls
Organizational controls are procedures and processes that define how people in the organization should
perform their duties.
Preventative controls in this category include:
 Clear roles and responsibilities. These must be clearly defined and documented so that management
and staff clearly understand who is responsible for ensuring that an appropriate level of security is
implemented for the most important IT assets.
 Separation of duties and least privileges. When properly implemented, these ensure that people
have only enough access to IT systems to effectively perform their job duties and no more.
 Documented security plans and procedures. These are developed to explain how controls have
been implemented and how they are to be maintained.
 Security training and ongoing awareness campaigns. This is necessary for all members of the
organization so that users and members of the IT team understand their responsibilities and how to
properly utilize the computing resources while protecting the organization's data.
 Systems and processes for provisioning and de-provisioning users. These controls are necessary
so that new members of the organization are able to become productive quickly, while leaving
personnel lose access immediately upon departure. Processes for provisioning should also include
employee transfers from groups within the company where privileges and access change from one
level to another.
 Established processes for granting access to contractors, vendors, partners, and customers. This
is often a variation on user provisioning, mentioned previously, but in many cases it is very distinct.
Sharing some data with one group of external users while sharing a different collection of data with a
different group can be challenging. Legal and regulatory requirements often impact the choices, for
example when health or financial data is involved.
Detection controls in this category include:
 Performing continuing risk management programs to assess and control risks to the organization's key
assets.
 Executing recurrent reviews of controls to verify the controls' efficacy.
13
 Periodic undertaking of system audits to ensure that systems have not been compromised or
misconfigured.
 Performing background investigations of prospective candidates for employment; You should
contemplate implementing additional background investigations for employees when they are being
considered for promotions to positions with a significantly higher level of access to the organization's
IT assets.
 Establishing a rotation of duties, this is an effective way to uncover notorious activities by members
of the IT team or users with access to sensitive information.
Management controls in this category include:
 Incident response planning, which provides an organization with the ability to quickly react to and
recover from security violations while minimizing their impact and preventing the spread of the
incident to other systems.
 Business continuity planning, which enables an organization to recover from catastrophic events that
impact a large fraction of the IT infrastructure.
Operational Controls
Operational controls define how people in the organization should handle data, software and hardware.
They also include environmental and physical protections as described below.
Preventative controls in this category include:
 Protection of computing facilities by physical means such as guards, electronic badges and locks,
biometric locks, and fences.
 Physical protection for end-user systems, including devices such as mobile computer locks and
alarms and encryption of files stored on mobile devices.
 Emergency backup power, which can save sensitive electrical systems from harm during power
brownouts and blackouts; they can also ensure that applications and operating systems are shut down
gracefully manner to preserve data and transactions.
 Fire protection systems such as automated fire suppression systems and fire extinguishers, which are
essential tools for guarding the organization's key assets.
 Temperature and humidity control systems that extend the life of sensitive electrical equipment and
help to protect the data stored on them.
 Media access control and disposal procedures to ensure that only authorized personnel have access to
sensitive information and that media used for storing such data is rendered unreadable by degaussing
or other methods before disposal.
 Backup systems and provisions for offsite backup storage to facilitate the restoration of lost or
corrupted data. In the event of a catastrophic incident, backup media stored offsite makes it possible
to store critical business data on replacement systems.
Detection and recovery controls in this category include:
 Physical security, which shields the organization from attackers attempting to gain access to its
premises; examples include sensors, alarms, cameras, and motion detectors.
 Environmental security, which safeguards the organization from environmental threats such as floods
and fires; examples include smoke and fire detectors, alarms, sensors, and flood detectors.

Technological Controls
Technological controls vary considerably in complexity. They include system architecture design,
engineering, hardware, software, and firmware. They are all of the technological components used to
build an organization's information systems.
Preventative controls in this category include:
 Authentication. The process of validating the credentials of a person, computer, process, or
device. Authentication requires that the person, process, or device making the request provide a

14
 credential that proves it is what or who it says it is. Common forms of credentials are digital
signatures, smart cards, biometric data, and a combination of user names and passwords.
 Authorization. The process of granting a person, computer process, or device access to certain
information, services, or functionality. Authorization is derived from the identity of the person,
computer process, or device requesting access, which is verified through authentication.
 Non-repudiation. The technique used to ensure that someone performing an action on a
computer cannot falsely deny that he or she performed that action. Non-repudiation provides
undeniable proof that a user took a specific action such as transferring money, authorizing a
purchase, or sending a message.
 Access control. The mechanism for limiting access to certain information based on a user's
identity and membership in various predefined groups. Access control can be mandatory,
discretionary, or role-based.
 Protected communications. These controls use encryption to protect the integrity and
confidentiality of information transmitted over networks.
Detection and recovery controls in this category include:
 Audit systems. Make it possible to monitor and track system behavior that deviates from
expected norms. They are a fundamental tool for detecting, understanding, and recovering from
security breaches.
 Antivirus programs. Designed to detect and respond to malicious software, such as viruses and
worms. Responses may include blocking user access to infected files, cleaning infected files or
systems, or informing the user that an infected program was detected.
 System integrity tools. Make it possible for IT staff to determine whether unauthorized changes
have been made to a system. For example, some system integrity tools calculate a checksum for
all files present on the system's storage volumes and store the information in a database on a
separate computer. Comparisons between a system's current state and its previously-known good
configuration can be completed in a reliable and automated fashion with such a tool.
Management controls in this category include:
 Security administration tools included with many computer operating systems and business
applications as well as security oriented hardware and software products. These tools are needed
in order to effectively maintain, support, and troubleshoot security features in all of these
products.
 Cryptography, which is the foundation for many other security controls. The secure creation,
storage, and distribution of cryptographic keys make possible such technologies as virtual private
networks (VPNs), secure user authentication, and encryption of data on various types of storage
media.
 Identification, which supplies the ability to identify unique users and processes. With this
capability, systems can include features such as accountability, discretionary access control, role-
based access control, and mandatory access control.
 Protections inherent in the system, which are features designed into the system to provide
protection of information processed or stored on that system. Safely reusing objects, supporting
no-execute (NX) memory, and process separation all demonstrate system protection features.

Security Risk Management Practices

Comparing Approaches to Risk Management

Many organizations are introduced to security risk management by the necessity of responding to
a relatively small security incident. Whatever the incident, as more and more issues relating to security

15
arise and begin to impact the business, many organizations get frustrated with responding to one crisis
after another. They want an alternative to this reactive approach, one that seeks to reduce the probability
that security incidents will occur in the first place. Organizations that effectively manage risk evolve
toward a more proactive approach, but this is only part of the solution.

The Reactive Approach

Security incidents may help an organization to predict and prepare for future problems. This
means that an organization that takes time to respond to security incidents in a calm and rational manner
while determining the underlying reasons that allowed the incident to transpire will be better able to both
protect itself from similar problems in the future and respond more quickly to other issues that may arise.
Today, many information technology (IT) professionals feel tremendous pressure to complete
their tasks quickly with as little inconvenience to users as possible. When a security event occurs, many
IT professionals feel like the only things they have time to do are to contain the situation, figure out what
happened, and fix the affected systems as quickly as possible. Some may try to identify the root cause, but
even that might seem like a luxury for those under extreme resource constraints. While a reactive
approach can be an effective tactical response to security risks that have been exploited and turned into
security incidents, imposing a small degree of rigor to the reactive approach can help organizations of all
types to better use their resources.
.
The following six steps help when you are responding to security incidents quickly and efficiently:
1. Protect human life and people's safety. This should always be your first priority. For example, if
affected computers include life support systems, shutting them off may not be an option; perhaps you
could logically isolate the systems on the network by reconfiguring routers and switches without
disrupting their ability to help patients.
2. Contain the damage. Containing the harm that the attack caused helps to limit additional damage.
Protect important data, software, and hardware quickly. Minimizing disruption of computing
resources is an important consideration, but keeping systems up during an attack may result in greater
and more widespread problems in the long run. If you determine that there will be no adverse effects,
or that they would be outweighed by the positive benefits of activity, containment should begin as
quickly as possible during a security incident by disconnecting from the network the systems known
to be affected. If you cannot contain the damage by isolating the servers, ensure that you actively
monitor the attacker’s actions in order to be able to remedy the damage as soon as possible. And in
any event, ensure that all log files are saved before shutting off any server.
3. Assess the damage. Immediately make a duplicate of the hard disks in any servers that were attacked
and put those aside for forensic use later. Then assess the damage. You should begin to determine the
extent of the damage that the attack caused as soon as possible, right after you contain the situation
and duplicate the hard disks. This is important so that you can restore the organization's operations as
soon as possible while preserving a copy of the hard disks for investigative purposes. If it is not
possible to assess the damage in a timely manner, you should implement a contingency plan so that
normal business operations and productivity can continue. It is at this point that organizations may
want to engage law enforcement regarding the incident; however, you should establish and maintain
working relationships with law enforcement agencies that have jurisdiction over your organization's
business before an incident occurs so that when a serious problem arises you know whom to contact
and how to work with them. You should also advise your company’s legal department immediately, so
that they can determine whether a civil lawsuit can be brought against anyone as a result of the
damage.

16
4. Determine the cause of the damage. In order to ascertain the origin of the assault, it is necessary to
understand the resources at which the attack was aimed and what vulnerabilities were exploited to
gain access or disrupt services. Review the system configuration, patch level, system logs, audit logs,
and audit trails on both the systems that were directly affected as well as network devices that route
traffic to them. These reviews often help you to discover where the attack originated in the system
and what other resources were affected. You should conduct this activity on the computer systems in
place and not on the backed up drives created in step 3. Those drives must be preserved intact for
forensic purposes so that law enforcement or your lawyers can use them to trace the perpetrators of
the attack and bring them to justice. If you need to create a backup for testing purposes to determine
the cause of the damage, create a second backup from your original system and leave the drives
created in step 3 unused.
5. Repair the damage. In most cases, it is very important that the damage be repaired as quickly as
possible to restore normal business operations and recover data lost during the attack. The
organization's business continuity plans and procedures should cover the restoration strategy. The
incident response team should also be available to handle the restore and recovery process or to
provide guidance on the process to the responsible team. During recovery, contingency procedures are
executed to limit the spread of the damage and isolate it. Before returning repaired systems to service
be careful that they are not reinfected immediately by ensuring that you have mitigated whatever
vulnerabilities were exploited during the incident.
6. Review response and update policies. After the documentation and recovery phases are complete,
you should review the process thoroughly. Determine with your team the steps that were executed
successfully and what mistakes were made. In almost all cases, you will find that your processes need
to be modified to allow you to handle incidents better in the future. You will inevitably find
weaknesses in your incident response plan. This is the point of this after-the-fact exercise—you are
looking for opportunities for improvement. Any flaws should prompt another round of the incident-
response planning process so that you can handle future incidents more smoothly.
This methodology is illustrated in the following diagram:

The Proactive Approach

Instead of waiting for incidences then respond, you minimize the possibility
of the incidences ever occurring in the first place. You make plans to protect
your organization's important assets by implementing controls that reduce the
risk of vulnerabilities being exploited by malicious software, attackers, or
accidental misuse. Each of the security risk management methodologies
shares some common high-level procedures:
1. Identify business assets.
2. Determine what damage an attack against an asset could cause to the
organization.
3. Identify the security vulnerabilities that the attack could exploit.
4. Determine how to minimize the risk of attack by implementing
appropriate controls.

Approaches to Risk Prioritization

There are many different methodologies for prioritizing or assessing
risks, but most are based on one of two approaches or a combination of the
two: quantitative risk management or qualitative risk management.

17
Quantitative Risk Assessment
In quantitative risk assessments, the goal is to try to calculate objective numeric values for each
of the components gathered during the risk assessment and cost-benefit analysis. Where you estimate the
true value of each business asset in terms of what it would cost to replace it, what it would cost in terms
of lost productivity, what it would cost in terms of brand reputation, and other direct and indirect business
values. You endeavor to use the same objectivity when computing asset exposure, cost of controls, and all
of the other values that you identify during the risk management process.

Weaknesses of this method:-

 There is no formal and rigorous way to effectively calculate values for assets and controls.
 Organizations that have tried to meticulously apply all aspects of quantitative risk management have
found the process to be extremely costly. Such projects usually take a very long time to complete their
first full cycle, and they usually involve a lot of staff members arguing over the details of how specific
fiscal values were calculated.
 For organizations with high value assets, the cost of exposure may be so high that you would spend an
exceedingly large amount of money to mitigate any risks to which you were exposed. This is not
realistic, though; an organization would not spend its entire budget to protect a single asset, or even its
top five assets.

Qualitative Risk Assessment

You calculate relative values in this method. Risk analysis is usually conducted through a
combination of questionnaires and collaborative workshops involving people from a variety of groups
within the organization such as information security experts; information technology managers and staff;
business asset owners and users; and senior managers. The questionnaires are designed to discover what
assets and controls are already deployed, and the information gathered can be very helpful during the
workshops that follow. The information security experts and the system administrators typically come up
with controls to mitigate the risks for the group to consider and the approximate cost of each control.
Finally, the results are presented to management for consideration during a cost-benefit analysis.
The basic process for qualitative assessments is very similar to what happens in the quantitative
approach. The difference is in the details. Comparisons between the value of one asset and another are
relative, and participants do not invest a lot of time trying to calculate precise financial numbers for asset
valuation. The benefits of a qualitative approach are that it overcomes the challenge of calculating
accurate figures for asset value, cost of control and the process is much less demanding on staff.

Comparing the Two Approaches

Both qualitative and quantitative approaches to security risk management have their advantages
and disadvantages. Certain situations may call for organizations to adopt the quantitative approach. The
following table summarizes the benefits and drawbacks of each approach:
Quantitative Qualitative
Benefits  Risks are prioritized by financial  Enables visibility and
impact; assets are prioritized by understanding of risk ranking.
financial values.  Easier to reach consensus.
 Results facilitate management of risk  Not necessary to quantify threat
by return on security investment. frequency.
 Results can be expressed in  Not necessary to determine
management-specific terminology (for financial values of assets.

18
 example, monetary values and  Easier to involve people who are
probability expressed as a specific not experts on security or
percentage). computers.
 Accuracy tends to increase over time
as the organization builds historic
record of data while gaining
experience.
Drawbacks  Impact values assigned to risks are  Insufficient differentiation between
based on subjective opinions of important risks.
participants.  Difficult to justify investing in
 Process to reach credible results and control implementation because
consensus is very time consuming. there is no basis for a cost-benefit
 Calculations can be complex and time analysis.
consuming.  Results are dependent upon the
 Results are presented in monetary quality of the risk management
terms only, and they may be difficult team that is created.
for non-technical people to interpret.
 Process requires expertise, so
participants cannot be easily coached
through it.
LECTURE 3 - INFORMATION SECURITY POLICY

Policy: IS an essential foundation of effective information security program:

“The success of an information resources protection program depends on the policy
generated, and on the attitude of management toward securing information on automated
systems.
You, the policy maker, set the tone and the emphasis on how important a role information
security will have within your agency.
Your primary responsibility is to set the information resource security policy for the organization
with the objectives of reduced risk, compliance with laws and regulations and assurance of
operational continuity, information integrity, and confidentiality.”

Why Policy?
A quality information security program begins and ends with policy
Policies are least expensive means of control and often the most difficult to implement
Some basic rules must be followed when shaping a policy:
 Never conflict with law
 Stand up in court
 Properly supported and administered
 Contribute to the success of the organization
 Involve end users of information systems
The Bulls-eye Model

19
 Bulls-eye model layers:
 Policies: first layer of defense
 Networks: threats first meet organization’s network
 Systems: computers and manufacturing systems
 Applications: all applications systems

Policies are important reference documents for internal audits and for resolution of legal disputes
about management's due diligence. Policy documents can act as a clear statement of
management's intent

20
Policies, Standards, & Practices
Policy: plan or course of action that influences and determines decisions
Standards: more detailed statement of what must be done to comply with policy
Practices, procedures and guidelines: explain how employees will comply with policy

For policies to be effective, they must be:

 Properly disseminated
 Read
 Understood
 Agreed-to

Policies require constant modification and maintenance

In order to produce a complete information security policy, management must define three types
of information security policy:
 Enterprise information security program policy
 Issue-specific information security policies
 Systems-specific information security policies

Enterprise Information Security Policy (EISP)

Sets strategic direction, scope, and tone for organization’s security efforts
Assigns responsibilities for various areas of information security
21
Guides development, implementation, and management requirements of information security
program

EISP Elements
EISP documents should provide :
 An overview of corporate philosophy on security
 Information about information security organization and information security roles

• Responsibilities for security shared by all members of the organization

• Responsibilities for security unique to each role within the organization

Issue-Specific Security Policy (ISSP)

 Provides detailed, targeted guidance to instruct organization in secure use of technology
systems
 Begins with introduction to fundamental technological philosophy of organization
 Serves to protect employee and organization from inefficiency/ambiguity
 Documents how technology-based system is controlled
 Identifies processes and authorities that provide this control
 Serves to indemnify organization against liability for inappropriate or illegal system use

Every organization’s ISSP should:

 Address specific technology-based systems
 Require frequent updates
 Contain an issue statement on the organization’s position on an issue

Implementing ISSP
Common approaches:
 Number of independent ISSP documents
 Single comprehensive ISSP document
 Modular ISSP document that unifies policy creation and administration
Recommended approach is modular policy, which provides a balance between issue orientation
and policy management

Systems-Specific Policy (SysSP)

 Systems-Specific Policies (SysSPs) frequently do not look like other types of policy
 They may often be created to function as standards or procedures to be used when
configuring or maintaining systems
SysSPs can be separated into:
 Management guidance
 Technical specifications
 Combined in a single policy document
Management Guidance SysSPs
 Created by management to guide the implementation and configuration of technology

22
  Applies to any technology that affects the confidentiality, integrity or availability of
information
 Informs technologists of management intent
 Technical Specifications SysSPs
 System administrators directions on implementing managerial policy
 Each type of equipment has its own type of policies

Two general methods of implementing such technical controls:

 Access control lists
 Configuration rules

Access Control Lists

 Include user access lists, matrices, and capability tables that govern rights and privileges
 Can control access to file storage systems, object brokers or other network
communications devices
 Capability Table: similar method that specifies which subjects and objects users or
groups can access
 Specifications are frequently complex matrices, rather than simple lists or tables
 Level of detail and specificity (often called granularity) may vary from system to system
 ACLs enable administrations to restrict access according to user, computer, time,
duration, or even a particular file

ACLs
In general ACLs regulate:
 Who can use the system
 What authorized users can access
 When authorized users can access the system
 Where authorized users can access the system from
 How authorized users can access the system
 Restricting what users can access, e.g. printers, files, communications, and applications
Administrators set user privileges, such as:
 Read
 Write
 Create
 Modify
 Delete
 Compare
 Copy

23
Configuration Rules
Configuration rules are specific configuration codes entered into security systems to guide
execution of system when information is passing through it
Rule policies are more specific to system operation than ACLs and may or may not deal with users
directly
Many security systems require specific configuration scripts telling systems what actions to
perform on each set of information processed

Combination SysSPs
 Often organizations create a single document combining elements of both Management
Guidance and Technical Specifications SysSPs
 While this can be confusing, it is very practical
 Care should be taken to articulate required actions carefully as procedures are presented

Guidelines for Policy Development

It is often useful to view policy development as a two-part project
 Design and develop policy (or redesign and rewrite outdated policy)
 Establish management processes to perpetuate policy within organization

The Policy Project

 Policy development or re-development projects should be well planned, properly funded, and
aggressively managed to ensure completion on time and within budget
 When a policy development project is undertaken, the project can be guided by the SecSDLC
process

Investigation Phase
The policy development team should:
1. Obtain support from senior management, and active involvement of IT management,
specifically CIO
2. Clearly articulate goals of policy project
3. Gain participation of correct individuals affected by recommended policies
4. Be composed from Legal, Human Resources and end-users
5. Assign project champion with sufficient stature and prestige
6. Acquire a capable project manager
7. Develop detailed outline of and sound estimates for the cost and scheduling of the project

Analysis Phase
Analysis phase should include the following activities:
1. New or recent risk assessment or IT audit documenting the current information security needs
of the organization
2. Key reference materials—including any existing policies

Design Phase
Design phase should include:
1. How policies will be distributed
2. How verification of distribution will be accomplished
3. Specifications for any automated tools
4. Revisions to feasibility analysis reports based on improved costs and benefits as design is
clarified

Implementation Phase
 Implementation Phase: writing the policies
 Make certain policies are enforceable as written
 Policy distribution is not always as straightforward
 Effective policy
1. Is written at a reasonable reading level
2. Attempts to minimize technical jargon and management terminology

Maintenance Phase
 Maintain and modify policy as needed to ensure that it remains effective as a tool to meet
changing threats
 Policy should have a built-in mechanism via which users can report problems with the policy,
preferably anonymously
 Periodic review should be built in to the process

The Information Security Policy Made Easy Approach (ISPME)

1. Gathering Key Reference Materials
2. Defining A Framework For Policies
3. Preparing A Coverage Matrix
4. Making Critical Systems Design Decisions
5. Structuring Review, Approval, And Enforcement Processes
Coverage Matrix

Guide for Developing Security Plans

1. Policies:
Living documents that constantly change and grow
Must be properly disseminated (distributed, read, understood and agreed to) and managed
 2. Good management practices for policy development and maintenance make for a more
resilient organization
In order to remain current and viable, policies must have:
 Individual responsible for reviews
 Schedule of reviews
 Method for making recommendations for reviews
 Indication of policy and revision date

Policies exist first, and foremost, to inform employees of what is and is not acceptable behavior in
the organization
Policy seeks to improve employee productivity, and prevent potentially embarrassing situations

LECTURE 4 - PLANNING FOR CONTINGENCIES

What Is Contingency Planning?

It is the overall planning for unexpected events is called contingency planning (CP)
It is how organizational planners position their organizations to prepare for, detect, react to, and recover
from events that threaten the security of information resources and assets
Main goal: restoration to normal modes of operation with minimum cost and disruption to normal business
activities after an unexpected event
Contingency Planning Components
Incident response planning (IRP) focuses on immediate response
Disaster recovery planning (DRP) focuses on restoring operations at the primary site after disasters occur
Business continuity planning (BCP) facilitates establishment of operations at an alternate site

To ensure continuity across all processes during planning process, contingency planners should:
 Identify the mission- or business-critical functions
 Identify resources that support critical functions
 Anticipate potential contingencies or disasters
 Select contingency planning strategies
 Implement selected strategy
 Test and revise contingency plans

CP Operations
Four teams are involved in contingency planning and contingency operations:
 CP team
 Incident recovery (IR) team
 Disaster recovery (DR) team
 Business continuity plan (BC) team
Components of Contingency Planning

Incident Response Plan

Incident Response Plan (IRP): Is a detailed set of processes and procedures that anticipate, detect, and
mitigate the impact of an unexpected event that might compromise information resources and assets
Incident response (IR): Set of procedures that commence when an incident is detected
When a threat becomes a valid attack, it is classified as an information security incident if:
 It is directed against information assets
 It has a realistic chance of success
 It threatens the confidentiality, integrity, or availability of information assets
It is important to understand that IR is a reactive measure, not a preventative one

During the Incident

 Planners develop and document the procedures that must be performed during the incident
 These procedures are grouped and assigned to various roles
 Planning committee drafts a set of function-specific procedures

After the Incident

 Once the procedures for handling an incident are drafted, planners develop and document the
procedures that must be performed immediately after the incident has ceased
 Separate functional areas may develop different procedures
 Before the Incident
 Planners draft a third set of procedures, those tasks that must be performed in advance of the incident
Include:
 Details of data backup schedules
 Disaster recovery preparation
 Training schedules
 Testing plans
 Copies of service agreements
 Business continuity plans

Preparing to Plan
 Planning requires detailed understanding of information systems and threats they face
 IR planning team seeks to develop pre-defined responses that guide users through steps needed to
respond to an incident
 Pre-defining incident responses enables rapid reaction without confusion or wasted time and effort
 IR team consists of professionals capable of handling information systems and functional areas affected
by an incident
 Each member of the IR team must:
– Know his or her specific role
– Work in concert with each other
– Execute the objectives of the IRP

Incident Detection
 Challenge is determining whether an event is routine system use or an actual incident
 Incident classification: process of examining a possible incident and determining whether or not it
constitutes actual incident
 Initial reports from end users, intrusion detection systems, host- and network-based virus detection
software, and systems administrators are all ways to track and detect incident candidates
 Careful training allows everyone to relay vital information to the IR team

Possible Incident Indicators

– Presence of unfamiliar files
– Presence or execution of unknown programs or processes
– Unusual consumption of computing resources
– Unusual system crashes
Probable Indicators
– Activities at unexpected times
– Presence of new accounts
– Reported attacks
– Notification from IDS
Definite Indicators
– Use of dormant accounts
– Changes to logs
– Presence of hacker tools
– Notifications by partner or peer
– Notification by hacker

Occurrences of Actual Incidents

 Loss of availability
 Loss of integrity
 Loss of confidentiality
 Violation of policy
  Violation of law

Incident Response
Once an actual incident has been confirmed and properly classified, the IR team moves from detection
phase to reaction phase
 In the incident response phase, a number of action steps taken by the IR team and others must occur
quickly and may occur concurrently
 These steps include notification of key personnel, the assignment of tasks, and documentation of the
incident

Notification of Key Personnel

 As soon as incident is declared, the right people must be immediately notified in the right order
 Alert roster: document containing contact information of individuals to be notified in the event of actual
incident either sequentially or hierarchically
 Alert message: scripted description of incident
 Other key personnel: must also be notified only after incident has been confirmed, but before media or
other external sources learn of it

Documenting an Incident
 As soon as an incident has been confirmed and the notification process is underway, the team should
begin documentation
– Should record the who, what, when, where, why and how of each action taken while the
incident is occurring
 Serves as a case study after the fact to determine if right actions were taken and if they were effective
– Can also prove the organization did everything possible to deter the spread of the incident

Incident Containment Strategies

 Essential task of IR is to stop the incident or contain its impact
 Incident containment strategies focus on two tasks:
– Stopping the incident
– Recovering control of the systems
 IR team can stop the incident and attempt to recover control by means of several strategies:
– Disconnect affected communication circuits
– Dynamically apply filtering rules to limit certain types of network access
– Disable compromised user accounts
– Reconfigure firewalls to block problem traffic
– Temporarily disable compromised process or service
– Take down conduit application or server
– Stop all computers and network devices

Incident Escalation
 An incident may increase in scope or severity to the point that the IRP cannot adequately contain the
incident
 Each organization will have to determine, during the business impact analysis, the point at which the
incident becomes a disaster
 The organization must also document when to involve outside response

Initiating Incident Recovery

 Once the incident has been contained, and system control regained, incident recovery can begin
 IR team must assess full extent of damage in order to determine what must be done to restore systems
 Immediate determination of the scope of the breach of confidentiality, integrity, and availability of
information and information assets is called incident damage assessment
 Those who document the damage must be trained to collect and preserve evidence, in case the incident
is part of a crime or results in a civil action

Recovery Process
 Once the extent of the damage has been determined, the recovery process begins:
– Identify and resolve vulnerabilities that allowed incident to occur and spread
– Address, install, and replace/upgrade safeguards that failed to stop or limit the incident, or
were missing from system in the first place
– Evaluate monitoring capabilities (if present) to improve detection and reporting methods, or
install new monitoring capabilities
– Restore data from backups as needed
– Restore services and processes in use where compromised (and interrupted) services and
processes must be examined, cleaned, and then restored
– Continuously monitor system
– Restore the confidence of the members of the organization’s communities of interest

After Action Review

 Before returning to routine duties, the IR team must conduct an after-action review, or AAR
 AAR: detailed examination of events that occurred
 All team members:
– Review their actions during the incident
– Identify areas where the IR plan worked, didn’t work, or should improve

Law Enforcement Involvement

 When incident violates civil or criminal law, it is organization’s responsibility to notify proper
authorities
 Selecting appropriate law enforcement agency depends on the type of crime committed: Federal,
State, or Local
 Involving law enforcement has both advantages and disadvantages:
– Usually much better equipped at processing evidence, obtaining statements from witnesses, and
building legal cases
– However, involvement can result in loss of control of chain of events following an incident

Disaster Recovery
 Disaster recovery planning (DRP) is the preparation for and recovery from a disaster, whether natural
or man made
 In general, an incident is a disaster when:
– organization is unable to contain or control the impact of an incident
OR
– level of damage or destruction from incident is so severe, the organization is unable to quickly
recover

Disaster Classifications
A DRP can classify disasters in a number of ways
 Most common method: separate natural disasters from man-made disasters
 Another way: by speed of development
– Rapid onset disasters
– Slow onset disasters

Planning for Disaster

 Scenario development and impact analysis are used to categorize the level of threat of each potential
disaster
 DRP must be tested regularly
 Key points in the DRP:
– Clear delegation of roles and responsibilities
– Execution of alert roster and notification of key personnel
– Clear establishment of priorities
– Documentation of the disaster
– Action steps to mitigate the impact
– Alternative implementations for various systems components

Crisis Management.
 Crisis management: set of focused steps taken during and after a disaster that deal primarily with
people involved
 Crisis management team manages event:
– Supporting personnel and their loved ones during crisis
– Determining event's impact on normal business operations
– When necessary, making a disaster declaration
– Keeping public informed about event
– Communicating with outside parties
 Two key tasks of crisis management team:
– Verifying personnel status
– Activating alert roster

Responding to the Disaster

 Actual events often outstrip even best of plans
 To be prepared, Disaster Recovery Plan should be flexible
 If physical facilities are intact, begin restoration there
 If organization’s facilities are unusable, take alternative actions
 When disaster threatens organization at the primary site, Disaster Recovery Plan becomes Business
Continuity Planning BCP

Business Continuity Planning (BCP)

– Ensures critical business functions can continue in a disaster
– Most properly managed by CEO of organization
– Activated and executed concurrently with the DRP when needed
– Reestablishes critical functions at alternate site (DRP focuses on reestablishment at primary site)
– Relies on identification of critical business functions and the resources to support them

Continuity Strategies
 Several continuity strategies for business continuity
– Determining factor is usually cost
 Three exclusive-use options:
– Hot sites
– Warm sites
– Cold sites
 Three shared-use options:
– Timeshare
– Service bureaus
– Mutual agreements

Off-Site Disaster Data Storage

To get any BCP site running quickly, organization must be able to recover data
 Options include:
– Electronic vaulting: bulk batch-transfer of data to an off-site facility
– Remote Journaling: transfer of live transactions to an off-site facility
 – Database shadowing: storage of duplicate online transaction data

Overview

Business Impact Analysis (BIA)

 BIA
– Provides information about systems/threats and detailed scenarios for each potential attack
– Not risk management focusing on identifying threats, vulnerabilities, and attacks to determine
controls
– Assumes controls have been bypassed or are ineffective and attack was successful
 CP team conducts BIA in the following stages:
– Threat attack identification
– Business unit analysis
– Attack success scenarios
– Potential damage assessment
– Subordinate plan classification

Major Tasks in Contingency Planning

Attack Success Scenario Development

 Scenarios depicting impact of successful attack are done on each functional area
 Attack profiles should include scenarios depicting typical attack including:
– Methodology
– Indicators
– broad consequences
 More details are added including alternate outcomes—best, worst, and most likely

Potential Damage Assessment

 From detailed scenarios, the BIA planning team must estimate the cost of the best, worst, and most
likely outcomes by preparing an attack scenario end case
 This will allow identification of what must be done to recover from each possible case

Combining the DRP and the BCP

 Because DRP and BCP are closely related, most organizations prepare them concurrently and may
combine them into a single document
 Such a comprehensive plan must be able to support reestablishment of operations at two different
locations
• Immediately at alternate site
• Eventually back at primary site
 Therefore, although a single planning team can develop combined DRP/BRP, execution requires
separate teams
Testing Contingency Plans
 Once problems are identified during the testing process, improvements can be made, and the resulting
plan can be relied on in times of need
 There are five testing strategies that can be used to test contingency plans:
– Desk Check
– Structured walkthrough
– Simulation
– Parallel testing
– Full interruption
 Continuous Improvement
 Iteration results in improvement
 A formal implementation of this methodology is a process known as continuous process
improvement (CPI)
 Each time plan is rehearsed, it should be improved
 Constant evaluation and improvement leads to an improved outcome
LECTURE 5 Telecommunications, Network, and Internet Security
The OSI model addresses the following security issues:-
OSI Model and Security
Security Mechanisms used in networks
 Encipherment
 Digital signature
 Access control
 Data integrity
 Authentication
 Traffic padding
 Routing protocol
Basic Network Security Infrastructures

Layer Function Network Protocols or Standards

Device

7: Application Provides services such as HTTP, FTP, TFTP, DNS,

email, file transfers and file SMTP, SFTP, SNMP, RLogin,
servers BootP, MIME

6: Presentation Provides encryption, code MPEG, JPEG, TIFF

conversion and data
formatting

5: Session Negotiates and establishes a Gateways SQL, X- Window, ASP, DNA,

connection with another SCP, NFS, RPC
computer

4: Transport Supports end-to-end delivery Gateway TCP, UDP, SPX

of data

3: Network Performs packet routing Router IP, OSPF, ICMP, RIP, ARP,
RARP

2: Data link Provides error checking and Switch Ethernet, Token Ring, 802.11
transfer of message frames

1: Physical Physically interfaces with Hub EIA RS-232, EIA RS-449,

transmission medium and IEEE, 802
sends data over the network
Router
A network traffic management device that, unbeknownst to the user, sits between subnetworks
(LANs) and routes traffic intended for or leaving the network segments to which it’s attached

Packet Filter
A simple and effective form of protection that matches all packets against a series of rules
Basic Packet Filtering
 Allows communication originating from one side of the communication path or the other
 Identifies and controls traffic by examining the source, destination, port number, and
protocol types

Stateful Inspection Packet Filtering

 A more complex packet-filtering technology that keeps track of the state of the current
connection to help assure that only desired traffic passes through

Benefits of Packet-Filtering Routers

 Little or no cost to implement because packet filtering is a feature of standard routers
 Little impact on router performance
 Generally transparent to users and applications

Limitations of Packet-Filtering Routers

 Defining packet filters can be a complex task
 The filtering rule set can become complicated, increasing in difficulty to manage and
comprehend
 There are few testing facilities to verify the correctness of the filtering rules
 The packet throughput of a router decreases as the number of filters increase
 It is not capable of understanding the context/data of a particular service

Firewalls
 Firewalls typically run monitoring software to detect and thwart external attacks on the site and
protect the internal corporate network
 Firewalls are an essential device for network security
 Many of the architectures needed for security rely on one or more firewalls within an
intelligent design

Application-Level Gateway Firewall

 Allows the network administrator to implement stricter security policies than packet-filtering
routers can manage
 Requires special-purpose code (a proxy service) for each desired application
 The proxy code can be configured to support only acceptable features of an application
 Users are permitted access to the proxy services, but may not log in to the application-level
gateway itself

Benefits of Application-Level Gateways

 The network manager has complete control over each service and permitted services
 It has the ability to support strong user authentication and provide detailed logging information
 The filtering rules are much easier to configure and test
Limitations of Application-Level Gateways
 It requires either that users modify their behavior or that specialized software be installed on
each system that accesses proxy services
 Firewall Implementation Examples
1. Packet-Filter Router
 Inexpensive and transparent to users
 Inherent limitations of a packet-filtering router
2. Screened Host Firewalls
a. Public information server can be placed on the segment shared by the packet-filtering
router and the bastion host

3. DMZ or Screened-Subnet Firewall

 Private network is invisible
 Inside users must access the Internet via the proxy services
Intrusion Detection Systems (IDS)
 IDSs attempt to detect an intruder breaking into systems or an authorized user misusing
system resources
 IDSs are needed to detect both types of intrusions
 Break-in attempts from the outside
 Knowledgeable insider attacks
Two basic philosophical options
1. Prohibit everything that is not expressly permitted
2. Permit everything that is not expressly denied

A Good Intrusion Detection System must

 run continually without human supervision
 be fault tolerant
 resist subversion
 impose minimal overhead on the attached network
 observe deviations from normal behavior
 be easily tailored to the network
 cope with changing system behavior

False Positives, False Negatives, and Subversion Attacks

A false positive occurs when the system classifies an action as anomalous when it is legitimate
A false negative occurs when an intrusive action has occurred but the system allows it to pass as
nonintrusive behavior
A subversion error occurs when an intruder modifies the operation of the intrusion detector to
force false negatives to occur

Virtual Private Networks (VPNs)

 VPN is a network technology that makes it possible to establish private “tunnels” over the
public Internet
 IP security (IPSec) operates at both the Network Layer and Session Layer of the TCP/IP
protocol stack
 IPSec VPNs are the most common form in use today and are widely available from network
and firewall providers

IPsec - Performs both encryption and authentication to address the inherent lack of security on IP-
based networks

Three characteristics - Sender authentication, message integrity, and data confidentiality

SECURING MULTI-PLATFORM SYSTEMS

Networks are increasingly heterogeneous, containing different types of hardware and software and
running multiple operating systems that all need to be able to communicate with one another.
There are fewer and fewer pure Windows (or pure UNIX) shops, with many companies running
Windows domains side-by-side with UNIX web servers, accessed by client computers running
Windows, Linux and Mac. Add to the mix a variety of smart phones (Windows Mobile, iPhone,
Android, Symbian and more) that need to download mail and possibly access other network
resources, and you have a real challenge.
The same basic security concepts apply to both heterogeneous and homogeneous networks, so it
goes without saying that, regardless of the platform(s), you should:
 Secure the edge with a good firewall/threat management gateway and intrusion
detection/prevention system
 Use anti-virus and anti-malware software (including on non-Windows systems) and keep
definitions updated
 Implement security auditing/monitoring to detect attempted breaches
 Harden systems by turning off unnecessary services
 Close unused ports
 Restrict physical access to the systems
 Restrict administrative/root access to those who really need it; on UNIX systems, restrict
root access to secure terminals
 Implement file level permissions; on UNIX systems, partition the file system and use read-
only partitions for storing files that don’t change often, and use ACLs (Access Control
Lists) for complex permissions management
 On UNIX systems, limit the access processes have on the file system by using the chroot
and ulimit interfaces
 Enforce strong password policies
  In high security environments, require two-factor authentication
 On UNIX systems, use SSH (Secure Shell) for remote command line access
 Use encryption: to protect files on the drive, to protect data crossing the network, to protect
the operating system from unauthorized access
 Implement a public key infrastructure to issue digital certificates

Hire an outside security auditor

A third party security audit can be useful to evaluate and advise on the security implementation in
any complex network, but that goes double for a heterogeneous network. A company that does
security audits for a living will have personnel experienced in reviewing many different types of
systems and will be current on new vulnerabilities and new solutions that your IT personnel may
not have the time to keep up with. They can perform penetration testing for a real-world
assessment of where the vulnerabilities lie, and they can advise you on the most effective and most
cost-effective ways to close the gaps.

Summary
1. The Telecommunications, Network, and Internet Security domain is one of the most important
areas that security practitioners must understand well
2. We can begin to mix and match the building blocks of network security tools and techniques to
implement defense in depth in preserving confidentiality, integrity, and availability
3. It is important to know how to find security information and how to decide which security
architecture is most appropriate for a given situation

LECTURE 6 : Network Security Audit

A network audit is a formal or informal inventory, assessment, and analysis of your network’s
hardware, software, operating systems, servers, and users.

Network audits typically check:

 All network infrastructure and internet-accessible systems

 The security mechanisms activated to protect the network
 The practices used for day-to-day network management
Network security best practices for threat detection and response

Baseline network protocols and monitor usage.

Establish the baseline usage of different protocols on your wired and wireless networks. To create
an accurate baseline, data should be gathered from a variety of sources including routers, switches,
firewalls, wireless access points, network sniffers and dedicated data collectors. Then monitor for
deviations from these baselines, which can be indicative of data tunneling, malicious software
transmitting data to unauthorized destinations, and other threats.
Use honeypots and honeynets.
A honeypot is a decoy system designed to look like a real network asset, and a honeynet is a
network of honeypots that simulates a larger, more complex network environment. They are
designed to lure adversaries into interacting with them, both to divert malicious actors from true
assets and to enable security teams to study attack techniques and gather other intelligence for
effective threat management.

Use intrusion detection and prevention systems.

It is vital to monitor and log activity across the network and analyze it to spot unusual logins,
suspicious computer events and other anomalies.
An intrusion detection system (IDS) monitors network data flows for potentially malicious activity
and alerts administrators about anomalies.
An intrusion prevention system (IPS) also monitors network traffic for threats; however, in
addition to alerting administrators, it can automatically take action to block or mitigate threats.
These tools can be a valuable part of your network security strategy. For example, by comparing
current activity to an established baseline, they could spot a spike in network activity that could
indicate a ransomware or SQL injection attack.
They can also use attack signatures — characteristic features common to a specific attack or
pattern of attacks — to spot attacks that don’t generate activity that violates your organization’s
baseline.
Automate response to attacks when appropriate.
Many modern security tools can be configured to respond automatically to known threats. For
example, these systems can:
 Block IP address — An IPS or firewall can block the IP address from which the attack
originated. This option is very effective against phishing and denial-of-service attacks.
However, some attackers spoof the source IP address during attacks, so the wrong address will
be blocked.
 Terminate connections — Routers and firewalls can be configured to disrupt the connections
that an intruder maintains with the compromised system by targeting RESET TCP packets at
the attacker.
 Acquire additional information — Tools can also collect valuable information that help
determine such the point of initial access, which accounts were compromised, how the
intruders moved across the network and what data was compromised.

Use multiple vendors.

Using solutions from different vendors bolsters cyber resilience by reducing the risk associated
with a single point of failure — if a solution from one vendor is compromised, the presence of
solutions from other vendors helps maintain the defensive shield. This approach also enables
greater adaptability in response to evolving threats and security requirements. More broadly, it can
lead to competitive pricing and drive innovation, as vendors strive to offer the most advanced and
cost-effective solutions.

Appendix A: The OSI Model

The OSI (Open Systems Interconnection) model is an established framework for network systems.
It comprises seven layers, from physical hardware to application-level interactions:

What A Network Security Assessment Checklist Should Look Like

Doing things are a lot easier if you have some sort of guide to help you. This applies to network
security as well. Knowing the strengths and weaknesses of your network is important. Using
a network security assessment checklist gives you direction.

Here are the details one could expect in a network security assessment checklist:
Things to
check for Description

Make sure all This is a standard physical security procedure. Someone sneaking in your business
security or premises can do malicious things on your network.
surveillance Having security cameras everywhere will prevent an attacker from entering your
business premises. A network security assessment checklist should always include
cameras are
this detail on it.
working.
 Things to
check for Description

Check if your This is very important for the physical security of your network. A sample keyless
keyless entry entry system is a door using biometrics for authentication. An intruder can’t enter
systems are your building without verifying their identity first.
A network security assessment checklist should also include this detail on it.
working.

Lock This is a standard computer security procedure that most people do not follow. The
computers importance of locking your PC is that no one could use it other than you.
when not in You should always lock your workstation if you are going away from it like when
taking breaks. One of the major threats to information security is the insider threats.
use.
These are the employees who are negligent and don’t follow security policies. They
are the security risks that are outside the scope of a network assessment tool.
A network security assessment checklist must always include this security
procedure on it.
Test the Your anti-malware software should be capable of detecting, removing, and
capability of preventing various threats. This includes the following:
your  Viruses
 Trojans
antimalware
 Worms
software.  Rootkits
 Spyware
 Adware
 Ransomware
Also, consider the variations of these threats and zero-day attacks. A network
security assessment checklist should always contain this security procedure on it.
Check for Block adult sites, gaming sites, and social media sites. This should be in align with
web content. your company’s security policies. These sites should be inaccessible by default.
Browsing these sites also reduces productivity and increases security risks. Clicking
on links especially on adult sites will trigger a malware infection.
A network security assessment checklist should always include this security
procedure.
Try working Test if your firewall is effective at doing its job. It should react to any suspicious
around your and malicious activity. Upon threat detection, it should notify you right away.
firewall. There are a lot of tools out there to test the strength of a firewall. It is a matter of
preference which one best fits your business needs.
It is necessary to include this detail in a network security assessment checklist.
Use a This procedure gives programs and processes access to network resources. A
whitelisting whitelist can contain the following:
approach  applications
 email addresses
 IP addresses
All the elements in the whitelist have access to network resources. Things not on
the list do not have permission. The logic here is to deny all and permit some.
Whitelisting is an important thing to add in your network security assessment
checklist.
 Things to
check for Description

Patch Cybercriminals always target outdated software. They exploit the weaknesses while
management the software vendor is preparing a patch.
It is necessary to update the software components of your network. Patching them
will fix the bugs and vulnerabilities.
Patching is a vital process to include in a network security assessment checklist.

Check list

1. General
 A written Network Security Policy that lists the rights and responsibilities of all staff,
employees, and consultants
 Security Training for all users regarding the use of the Network Environment and sharing
data outside the company as well as allowing anybody to access their systems
 Make sure users have been trained regarding the sharing of information by email and
the Internet
 All outside vendors and contractors need to sign a security agreement while they are
working in your environment
 Have contingency plans in place for if and when there is a data breach or security
breach.
2. Password Security
 Written password policy
 Password Training for all authorized users to ensure they understand the potential risks
of using passwords in an insecure way
 Inspect Workstations for written passwords in the user or server areas
 Keep password requirements documentation in a safe place
3. LAN Security
 Hardening of servers on the internal network, removing unnecessary services and
applications
 Keeping unnecessary files off of servers
 Server permissions set appropriately for users
 No anonymous users allowed
 Share the functions of server administration between administrators
 Remote administration policy
 Disable Remote Administration where it isn’t needed
 Remote Access Security policy and implementation
 Rename Administrator Account
 Enable auditing of Administrator login attempts
 Create extra-strong passwords for Administrator accounts
 Passwords for server administration accounts should be different than workstation user
accounts for the same users
 Disable Guest Account
 Restrict Access to the Everyone Group
 Create appropriate user and group accounts
 Set appropriate group access permissions
  Configure audit logs to track unauthorized access of files/systems/folders/accounts
 Configure patch management or scheduled download and application of the operating
system and security patches
 Ensure Wireless Network security is configured properly, including the use of wireless
security protocols
4. Workstation Logons
 Screen Locks on all computers
 Require passwords on all computers, including screen lock recovery
 Consider using two-factor authentication
 Harden workstations, removing unnecessary applications and programs
 Anti-virus software installed and disable circumnavigating
 Ensure anti-virus updates are occurring regularly
 Ensure software updates are occurring regularly
 Ensure the operating system and security patches are occurring regularly
 Pop-up blockers enabled
5. Mobile Devices
 An IT security policy or BYOD policy (Bring Your Own Device) needs to be in
place for mobile devices that are used on the network
 Enforcement of the mobile device policies needs to be decided on and enforced
 Wireless access points need to be secure
6. Network Equipment Security
 Configure audit logs to monitor access
 Document configuration working configuration settings in case of failure
 Document user accounts/passwords for accessing these devices and put them in a safe
place
 Make sure that firmware upgrades occur regularly
7. Router/Firewall Security
 Use a firewall and make sure that all public-facing services are on a separate network
segment or DMZ (email, FTP, web, for example) for intrusion prevention.
 Make sure that all externally sourced IP addresses are not allowed inside the LAN, but
only to the DMZ
 Configure firewall policies to deny inbound access to unused ports
 Review all firewall policies for potential security risks
 Implement network address translation (NAT) where possible
 Use stateful packet inspection on the firewall, preventing IP address spoofing and
DOS attacks.
 Make sure the router and firewall software is updated regularly
 Make sure the router and firewall firmware is updated regularly
 Consider having penetration testing performed for further weakness exposure

45
LECTURE 7: OPERATING SYSTEMS SECURITY

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and
availability.
OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms,
malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which
safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised.

Operating system consists of a collection of objects, hardware or software

7. Each object has a unique name and can be accessed through a well-defined set of operations
(hopefully)
8. Protection and security problem - ensure that each object is accessed correctly and only by those
processes of authorized users that are allowed to do so
9. OS designer faces challenge of creating a protection scheme that cannot be bypassed by any software
that may be created in the future
10. Networking adds to the problem as it allows access to a computer and its resources without being in
the same physical location

OS security may be approached in many ways, including adherence to the following:

 Performing regular OS patch updates
 Installing updated antivirus engines and software
 Scrutinizing all incoming and outgoing network traffic through a firewall
 Creating secure accounts with required privileges only (i.e., user management)

i. Authentication
Authentication refers to identifying the each user of the system and associating the executing programs
with those users. It is the responsibility of the Operating System to create a protection system which
ensures that a user who is running a particular program is authentic. Operating Systems generally
identifies/ authenticates users using following three ways:
 Username / Password - User need to enter a registered username and password with Operating
system to login into the system.
 User card/key - User need to punch card in card slot, or enter key generated by key generator in
option provided by operating system to login into the system.
 User attribute - fingerprint/ eye retina pattern/ signature - User need to pass his/her attribute
via designated input device used by operating system to login into the system.
ii. One Time passwords
One time passwords provides additional security along with normal authentication. In One-Time
Password system, a unique password is required every time user tries to login into the system. Once a
one-time password is used then it can not be used again. One time password are implemented in various
ways.
 Random numbers - Users are provided cards having numbers printed along with corresponding
alphabets. System asks for numbers corresponding to few alphabets randomly chosen.
 Secret key - User are provided a hardware device which can create a secret id mapped with user
id. System asks for such secret id which is to be generated every time prior to login.
 Network password - Some commercial applications send one time password to user on
registered mobile/ email which is required to be entered prior to login.
iii. Threats in securing operating systems
Some of the most common types of violations include:

46
  Breach of Confidentiality - Theft of private or confidential information, such as credit-card
numbers, trade secrets, patents, secret formulas, manufacturing procedures, medical information,
financial information, etc.
 Breach of Integrity - Unauthorized modification of data, which may have serious indirect
consequences. For example a popular game or other program's source code could be modified to
open up security holes on users systems before being released to the public.
 Breach of Availability - Unauthorized destruction of data, often just for the "fun" of causing
havoc and for bragging rites. Vandalism of web sites is a common form of this violation.
 Theft of Service - Unauthorized use of resources, such as theft of CPU cycles, installation of
daemons running an unauthorized file server, or tapping into the target's telephone or networking
services.
 Denial of Service, DOS - Preventing legitimate users from using the system, often by overloading
and overwhelming the system with an excess of requests for service.

There are four levels at which a system must be protected:

 Physical - The easiest way to steal data is to pocket the backup tapes. Also, access to the root
console will often give the user special privileges, such as rebooting the system as root from
removable media. Even general access to terminals in a computer room offers some opportunities
for an attacker, although today's modern high-speed networking environment provides more and
more opportunities for remote attacks.
 Human - There is some concern that the humans who are allowed access to a system be
trustworthy, and that they cannot be coerced into breaching security. However more and more
attacks today are made via social engineering, which basically means fooling trustworthy people
into accidentally breaching security.
◦ Phishing involves sending an innocent-looking e-mail or web site designed to fool people
into revealing confidential information. E.g. spam e-mails pretending to be from e-Bay,
PayPal, or any of a number of banks or credit-card companies.
◦ Dumpster Diving involves searching the trash or other locations for passwords that are
written down. ( Note: Passwords that are too hard to remember, or which must be
changed frequently are more likely to be written down somewhere close to the user's
station. )
◦ Password Cracking involves divining users passwords, either by watching them type in
their passwords, knowing something about them like their pet's names, or simply trying
all words in common dictionaries.
 Operating System - The OS must protect itself from security breaches, such as runaway
processes ( denial of service ), memory-access violations, stack overflow violations, the launching
of programs with excessive privileges, and many others.
 Network - As network communications become ever more important and pervasive in modern
computing environments, it becomes ever more important to protect this area of the system. (
Both protecting the network itself from attack, and protecting the local system from attacks
coming in through the network. ) This is a growing area of concern as wireless communications
and portable devices become more and more prevalent.
iv.
v. Program Threats
Operating system's processes and kernel do the designated task as instructed. If a user program made
these process do malicious tasks then it is known as Program Threats.
Following is the list of some well known program threats.
 Trojan Horse - Such program traps user login credentials and stores them to send to malicious
user who can later on login to computer and can access system resources.

47
  Trap Door - If a program which is designed to work as required, have a security hole in its code
and perform illegal action without knowledge of user then it is called to have a trap door.
 Logic Bomb - Logic bomb is a situation when a program misbehaves only when certain
conditions met otherwise it works as a genuine program. It is harder to detect.
 Virus - Virus as name suggest can replicate themselves on computer system .They are highly
dangerous and can modify/delete user files, crash systems. A virus is generatlly a small code
embedded in a program. As user accesses the program, the virus starts getting embedded in other
files/ programs and can make system unusable for user.
 Spyware is a version of a Trojan Horse that is often included in "free" software downloaded off
the Internet. Spyware programs generate pop-up browser windows, and may also accumulate
information about the user and deliver it to some central site. ( This is an example of covert
channels, in which surreptitious communications occur. ) Another common task of spyware is to
send out spam e-mail messages, which then purportedly come from the infected user.
vi.
vii. System Threats
System threats refers to misuse of system services and network connections to put user in trouble. System
threats can be used to launch program threats on a complete network called as program attack. System
threats creates such an environment that operating system resources/ user files are mis-used. Following is
the list of some well known system threats.
 Worm -Worm is a process which can choked down a system performance by using system
resources to extreme levels.A Worm process generates its multiple copies where each copy uses
system resources, prevents all other processes to get required resources. Worms processes can
even shut down an entire network.
 Port Scanning - Port scanning is a mechanism or means by which a hacker can detects system
vulnerabilities to make an attack on the system. Port Scanning is technically not an attack, but
rather a search for vulnerabilities to attack. The basic idea is to systematically attempt to connect
to every known ( or common or possible ) network port on some remote machine, and to attempt
to make contact. Once it is determined that a particular computer is listening to a particular port,
then the next step is to determine what daemon is listening, and whether or not it is a version
containing a known security flaw that can be exploited.
 Because port scanning is easily detected and traced, it is usually launched from zombie systems,
i.e. previously hacked systems that are being used without the knowledge or permission of their
rightful owner. For this reason it is important to protect "innocuous" systems and accounts as well
as those that contain sensitive information or special privileges.
 Denial of Service - Denial of service attacks normally prevents user to make legitimate use of the
system. For example user may not be able to use internet if denial of service attacks browser's
content settings.
Some of the forms of viruses include:
◦ File - A file virus attaches itself to an executable file, causing it to run the virus code first and then
jump to the start of the original program. These viruses are termed parasitic, because they do not leave
any new files on the system, and the original program is still fully functional.
◦ Boot - A boot virus occupies the boot sector, and runs before the OS is loaded. These are also known
as memory viruses, because in operation they reside in memory, and do not appear in the file system.
◦ Macro - These viruses exist as a macro ( script ) that are run automatically by certain macro-capable
programs such as MS Word or Excel. These viruses can exist in word processing documents or
spreadsheet files.
◦ Source code viruses look for source code and infect it in order to spread.
◦ Polymorphic viruses change every time they spread - Not their underlying functionality, but just their
signature, by which virus checkers recognize them.

48
◦ Encrypted viruses travel in encrypted form to escape detection. In practice they are self-decrypting,
which then allows them to infect other files.
◦ Stealth viruses try to avoid detection by modifying parts of the system that could be used to detect it.
For example the read( ) system call could be modified so that if an infected file is read the infected part
gets skipped and the reader would see the original unadulterated file.
◦ Tunneling viruses attempt to avoid detection by inserting themselves into the interrupt handler chain,
or into device drivers.
◦ Multipartite viruses attack multiple parts of the system, such as files, boot sector, and memory.
◦ Armored viruses are coded to make them hard for anti-virus researchers to decode and understand. In
addition many files associated with viruses are hidden, protected, or given innocuous looking names
such as "...".
 In 2004 a virus exploited three bugs in Microsoft products to infect hundreds of Windows servers
( including many trusted sites ) running Microsoft Internet Information Server, which in turn
infected any Microsoft Internet Explorer web browser that visited any of the infected server sites.
One of the back-door programs it installed was a keystroke logger, which records users
keystrokes, including passwords and other sensitive information.
 There is some debate in the computing community as to whether a monoculture, in which nearly
all systems run the same hardware, operating system, and applications, increases the threat of
viruses and the potential for harm caused by them.
1.
2. Password Vulnerabilities
 Passwords can be guessed.
◦ Intelligent guessing requires knowing something about the intended target in specific, or
about people and commonly used passwords in general.
◦ Brute-force guessing involves trying every word in the dictionary, or every valid
combination of characters. For this reason good passwords should not be in any
dictionary ( in any language ), should be reasonably lengthy, and should use the full range
of allowable characters by including upper and lower case characters, numbers, and
special symbols.
 "Shoulder surfing" involves looking over people's shoulders while they are typing in their
password.
◦ Even if the lurker does not get the entire password, they may get enough clues to narrow
it down, especially if they watch on repeated occasions.
◦ Common courtesy dictates that you look away from the keyboard while someone is
typing their password.
◦ Passwords echoed as stars or dots still give clues, because an observer can determine how
many characters are in the password. :-(
 "Packet sniffing" involves putting a monitor on a network connection and reading data contained
in those packets.
◦ SSH encrypts all packets, reducing the effectiveness of packet sniffing.
◦ However you should still never e-mail a password, particularly not with the word
"password" in the same message or worse yet the subject header.
◦ Beware of any system that transmits passwords in clear text. ( "Thank you for signing up
for XYZ. Your new account and password information are shown below". ) You probably
want to have a spare throw-away password to give these entities, instead of using the
same high-security password that you use for banking or other confidential uses.
3. Protected Objects
The rise of multiprogramming meant that several aspects of a computing system required protection.
memory
sharable I/O devices, such as disks

49
 serially reusable I/O devices, such as printers and tape drives
sharable programs and subprocedures
networks
sharable data
As it assumed responsibility for controlled sharing, the operating system had to protect these objects.
4.
5. Security Methods of Operating Systems
The basis of protection is separation: keeping one user's objects separate from other users. Separation in
an operating system can occur in several ways.
 Physical separation , in which different processes use different physical objects, such as separate
printers for output requiring different levels of security
 Temporal separation , in which processes having different security requirements are executed at
different times
 Logical separation , in which users operate under the illusion that no other processes exist, as
when an operating system constrains a program's accesses so that the program cannot access
objects outside its permitted domain
 Cryptographic separation , in which processes conceal their data and computations in such a way
that they are unintelligible to outside processes
Combinations of two or more of these forms of separation are also possible.
 The first two approaches are very stringent and can lead to poor resource utilization. Therefore, we
would like to shift the burden of protection to the operating system to allow concurrent execution of
processes having different security needs.

There are several ways an operating system can assist, offering protection at any of several levels.
 Do not protect . Operating systems with no protection are appropriate when sensitive procedures
are being run at separate times.
 Isolate . When an operating system provides isolation, different processes running concurrently
are unaware of the presence of each other. Each process has its own address space, files, and other
objects. The operating system must confine each process somehow, so that the objects of the
other processes are completely concealed.
 Share all or share nothing . With this form of protection, the owner of an object declares it to be
public or private. A public object is available to all users, whereas a private object is available
only to its owner.
 Share via access limitation . With protection by access limitation, the operating system checks the
allowability of each user's potential access to an object. That is, access control is implemented for
a specific user and a specific object.
 Share by capabilities . An extension of limited access sharing, this form of protection allows
dynamic creation of sharing rights for objects. The degree of sharing can depend on the owner or
the subject, on the context of the computation, or on the object itself.
 Limit use of an object . This form of protection limits not just the access to an object but the use
made of that object after it has been accessed. For example, a user may be allowed to view a
sensitive document, but not to print a copy of it. More powerfully, a user may be allowed access
to data in a database to derive statistical summaries (such as average salary at a particular grade
level), but not to determine specific data values (salaries of individuals).
These modes of sharing are arranged in increasing order of difficulty to implement, but also in increasing
order of fineness of protection they provide.
A given operating system may provide different levels of protection for different objects, users, or
situations.

50
2.
3. Memory and Address Protection
 Preventing one program from affecting the memory of other programs.
 Protection can be built into the hardware mechanisms that control efficient use of memory, so that solid
protection can be provided at essentially no additional cost.
1.
2. Fence
 The simplest form of memory protection was introduced in single-user operating systems, to prevent
a faulty user program from destroying part of the resident portion of the operating system. As its
name implies, a fence is a method to confine users to one side of a boundary.
 Another implementation used a hardware register, often called a fence register , containing the
address of the end of the operating system. In contrast to a fixed fence, in this scheme the location of
the fence could be changed. Each time a user program generated an address for data modification, the
address was automatically compared with the fence address. If the address was greater than the fence
address (that is, in the user area), the instruction was executed; if it was less than the fence address
(that is, in the operating system area), an error condition was raised.
3.
4. Relocation
If the operating system can be assumed to be of a fixed size , programmers can write their code assuming
that the program begins at a constant address. This feature of the operating system makes it easy to
determine the address of any object in the program.
It also makes it essentially impossible to change the starting address if, for example, a new version of the
operating system is larger or smaller than the old. If the size of the operating system is allowed to change,
then programs must be written in a way that does not depend on placement at a specific location in
memory.
5.
6. Base/Bounds Registers
 With two or more users, none can know in advance where a program will be loaded for execution.
 The relocation register solves the problem by providing a base or starting address.
 All addresses inside a program are offsets from that base address.
 A variable fence register is generally known as a base register .
7.
8. Segmentation
Segmentation , involves the dividing a program into separate pieces. Each piece has a logical unity,
exhibiting a relationship among all of its code or data values.
Segmentation allows a program to be divided into many pieces having different access rights.
This hiding of addresses has three advantages for the operating system.
1. The operating system can place any segment at any location or move any segment to any location,
even after the program begins to execute. Because the operating system translates all address
references by a segment address table, the operating system needs only to update the address in that
one table when a segment is moved.
2. A segment can be removed from main memory (and stored on an auxiliary device) if it is not being
used currently.
3. Every address reference passes through the operating system, so there is an opportunity to check each
one for protection.
Segmentation offers these protective benefits.
 Each address reference is checked for protection.
 Many different classes of data items can be assigned different levels of protection.
 Two or more users can share access to a segment, with potentially different access rights.
 A user cannot generate an address or access to an unpermitted segment.

51
4.
5. Control of Access to General Objects
Protecting memory is a specific case of the more general problem of protecting objects . As
multiprogramming has developed, the numbers and kinds of objects shared have also increased.
Examples of the kinds of objects for which protection is desirable:
1. memory
2. a file or data set on an auxiliary storage device
3. an executing program in memory
4. a directory of files
5. a hardware device
6. a data structure, such as a stack
7. a table of the operating system
8. instructions, especially privileged instructions
9. passwords and the user authentication mechanism
10. the protection mechanism itself
The memory protection mechanism can be fairly simple because every memory access is guaranteed to go
through certain points in the hardware. With more general objects, the number of points of access may be
larger, a central authority through which all accesses pass may be lacking, and the kind of access may not
simply be limited to read, write, or execute.
There are several complementary goals in protecting objects.
 Check every access . We may want to revoke a user's privilege to access an object. If we have
previously authorized the user to access the object, we do not necessarily intend that the user
should retain indefinite access to the object.
 Enforce least privilege . The principle of least privilege states that a subject should have access to
the smallest number of objects necessary to perform some task. Even if extra information would
be useless or harmless if the subject were to have access, the subject should not have that
additional access.
 Verify acceptable usage . Ability to access is a yes-or-no decision. But it is equally important to
check that the activity to be performed on an object is appropriate.
1. Directory
 One simple way to protect an object is to use a mechanism that works like a file directory.
 Every file has a unique owner who possesses "control" access rights (including the rights to declare
who has what access) and to revoke access to any person at any time.
 Each user has a file directory, which lists all the files to which that user has access.
Several difficulties can arise.
 The list becomes too large if many shared objects, such as libraries of subprograms or a common table
of users, are accessible to all users.
 The directory of each user must have one entry for each such shared object, even if the user has no
intention of accessing the object.
 Deletion must be reflected in all directories.
2.

4.

52
LECTURE 8: DATABASE SECURITY

A database is a collection of data and a set of rules that organize the data by specifying certain
relationships among the data.

A database administrator is a person who defines the rules that organize the data and also controls who
should have access to what parts of the data.

The user interacts with the database through a program called a database manager or a database
management system ( DBMS ), informally known as a front end.

Advantages of Using Databases

A database is a single collection of data, stored and maintained at one central location, to which many
people have access as needed.
The actual implementation may involve some other physical storage arrangement or access. The essence
of a good database is that the users are unaware of the physical arrangements; the unified logical
arrangement is all they see. A database offers many advantages over a simple file system:
 shared access, so that many users can use one common, centralized set of data
 minimal redundancy, so that individual users do not have to collect and maintain their own sets of
data
 data consistency, so that a change to a data value affects all users of the data value
 data integrity, so that data values are protected against accidental or malicious undesirable
changes
 controlled access, so that only authorized users are allowed to view or to modify data values
A DBMS is designed to provide these advantages efficiently . However, as often happens, the objectives
can conflict with each other.
This clash is not surprising, because measures taken to enforce security often increase the computing
system's size or complexity.
Security interests may also reduce the system's ability to provide data to users by limiting certain queries
that would otherwise seem innocuous .

Security Requirements
The following is a list of requirements for database security.
 Physical database integrity . The data of a database are immune to physical problems, such as power
failures, and someone can reconstruct the database if it is destroyed through a catastrophe.
 Logical database integrity . The structure of the database is preserved. With logical integrity of a
database, a modification to the value of one field does not affect other fields, for example.
 Element integrity . The data contained in each element are accurate.
 Auditability . It is possible to track who or what has accessed (or modified) the elements in the
database.
 Access control . A user is allowed to access only authorized data, and different users can be restricted
to different modes of access (such as read or write).
 User authentication . Every user is positively identified, both for the audit trail and for permission to
access certain data.
 Availability . Users can access the database in general and all the data for which they are authorized.

53
Integrity of the Database
If a database is to serve as a central repository of data, users must be able to trust the accuracy of the data
values.
 This condition implies that the database administrator must be assured that updates are performed
only by authorized individuals.
 It also implies that the data must be protected from corruption, either by an outside illegal program
action or by an outside force such as fire or a power failure.
Two situations can affect the integrity of a database:
 when the whole database is damaged
 when individual data items are unreadable.

It is important to be able to reconstruct the database at the point of a failure. For instance, when the power
fails suddenly, a bank's clients may be in the middle of making transactions or students may be in the
midst of registering online for their classes.
The DBMS must maintain a log of transactions. In the event of a system failure, the system can obtain
accurate account balances by reverting to a backup copy of the database and reprocessing all later
transactions from the log.

Element Integrity
The integrity of database elements is their correctness or accuracy. Authorized users are responsible for
entering correct data in databases. However, users and programs make mistakes collecting data,
computing results, and entering values.
DBMSs sometimes take special action to help catch errors as they are made and to correct errors after
they are inserted.
This corrective action can be taken in three ways.
5. The DBMS can apply field checks, activities that test for appropriate values in a position. A field
might be required to be numeric, an uppercase letter, or one of a set of acceptable characters . The
check ensures that a value falls within specified bounds or is not greater than the sum of the values in
two other fields. These checks prevent simple errors as the data are entered.
6. Provided by access control. Data files may contain data from several sources, and redundant data may
be stored in several different places.
7. Means of providing database integrity is maintaining a change log for the database. A change log lists
every change made to the database; it contains both original and modified values. Using this log, a
database administrator can undo any changes that were made in error.

Auditability
For some applications it may be desirable to generate an audit record of all access (read or write) to a
database.
 Such a record can help to maintain the database's integrity, or at least to discover after the fact who
had affected what values and when.
 Users can access protected data incrementally; that is, no single access reveals protected data, but a
set of sequential accesses viewed together reveals the data, much like discovering the clues in a
detective novel . In this case, an audit trail can identify which clues a user has already been given, as a
guide to whether to tell the user more.
 it is possible for a record to be accessed but not reported to a user, as when the user performs a select
operation.

Access Control
Databases are often separated logically by user access privileges.
Limited access is both a responsibility and a benefit of this centralization.

54
The database administrator specifies who should be allowed access to which data, at the view, relation,
field, record, or even element level.
The DBMS must enforce this policy, granting access to all specified data or no access where prohibited .
Restricting inference may mean prohibiting certain paths to prevent possible inferences. Restricting
access to control inference also limits queries from users who do not intend unauthorized access to values.
Moreover, attempts to check requested accesses for possible unacceptable inferences may actually
degrade the DBMS's performance.

User Authentication
The DBMS can require rigorous user authentication. A DBMS might insist that a user pass both specific
password and time-of-day checks. This authentication supplements the authentication performed by the
operating system.

Availability
A DBMS has aspects of both a program and a system. It is a program that uses other hardware and
software resources, yet to many users it is the only application run. Users often take the DBMS for
granted, employing it as an essential tool with which to perform particular tasks .
Integrity/Confidentiality/Availability
The three aspects of computer security ”integrity, confidentiality, and availability ”clearly relate to
database management systems.
 integrity is a major concern in the design of database management systems.
 Confidentiality is a key issue with databases because of the inference problem, whereby a user can
access sensitive data indirectly. Inference and access control are covered later in this chapter.
 Availability is important because of the shared access motivation underlying database development.
However, availability conflicts with confidentiality. The last sections of the chapter address
availability in an environment in which confidentiality is also important.

Reliability and Integrity

Database concerns about reliability and integrity can be viewed from three dimensions:
Database integrity : concern that the database as a whole is protected against damage, as from the failure
of a disk drive or the corruption of the master database index. These concerns are addressed by
operating system integrity controls and recovery procedures.
Element integrity : concern that the value of a specific data element is written or changed only by
authorized users. Proper access controls protect a database from corruption by unauthorized users.
Element accuracy : concern that only correct values are written into the elements of a database. Checks on
the values of elements can help to prevent insertion of improper values. Also, constraint conditions can
detect incorrect values.

Several factors can make data sensitive.

 Inherently sensitive. The value itself may be so revealing that it is sensitive. Examples are the
locations of defensive missiles or the median income of barbers in a town with only one barber.
 From a sensitive source. The source of the data may indicate a need for confidentiality. An example is
information from an informer whose identity would be compromised if the information were
disclosed.
 Declared sensitive. The database administrator or the owner of the data may have declared the data to
be sensitive. Examples are classified military data or the name of the anonymous donor of a piece of
art.
 Part of a sensitive attribute or a sensitive record . In a database, an entire attribute or record may be
classified as sensitive. Examples are the salary attribute of a personnel database or a record describing
a secret space mission.

55
 Sensitive in relation to previously disclosed information. Some data become sensitive in the presence
of other data. For example, the longitude coordinate of a secret gold mine reveals little, but the
longitude coordinate in conjunction with the latitude coordinate pinpoints the mine.
All of these factors must be considered to determine the sensitivity of the data.

Multilevel Databases
So far, we have considered data in only two categories: either sensitive or nonsensitive.
Sensitivity is determined not just by attribute but also in ways that we investigate below.

Three characteristics of database security emerge.

 The security of a single element may be different from the security of other elements of the same
record or from other values of the same attribute. This situation implies that security should be
implemented for each individual element.
 Two levels ”sensitive and nonsensitive ”are inadequate to represent some security situations. Several
grades of security may be needed. These grades may represent ranges of allowable knowledge, which
may overlap. Typically, the security grades form a lattice.
 The security of an aggregate ”a sum, a count, or a group of values in a database ”may be different
from the security of the individual elements. The security of the aggregate may be higher or lower
than that of the individual elements.
Proposals f or Multilevel Security
Sensitivity Lock
A sensitivity lock is a combination of a unique identifier (such as the record number) and the sensitivity
level. Because the identifier is unique, each lock relates to one particular record. Many different elements
will have the same sensitivity level. A malicious subject should not be able to identify two elements
having identical sensitivity levels or identical data values just by looking at the sensitivity level portion of
the lock. Because of the encryption, the lock's contents, especially the sensitivity level, are concealed
from plain view. Thus, the lock is associated with one specific record, and it protects the secrecy of the
sensitivity level of that record.

Separation
Separation is necessary to limit access. These mechanisms can help to implement multilevel security for
databases.

Partitioning
The database is divided into separate databases, each at its own level of sensitivity. This approach is
similar to maintaining separate files in separate file cabinets .
This control destroys a basic advantage of databases: elimination of redundancy and improved accuracy
through having only one field to update.
It does not address the problem of a high-level user who needs access some low-level data combined with
high-level data.
Nevertheless, because of the difficulty of establishing, maintaining, and using multilevel databases, many
users with data of mixed sensitivities handle their data by using separate, isolated databases.

Encryption
If sensitive data are encrypted, a user who accidentally receives them cannot interpret the data. Thus, each
level of sensitive data can be stored in a table encrypted under a key unique to the level of sensitivity.

Integrity Lock
The lock is a way to provide both integrity and limited access for a database.

56
Summary of Database Security
This lecture has addressed three aspects of security for database management systems: confidentiality and
integrity problems specific to database applications, the inference problem for statistical databases, and
problems of including users and data of different sensitivity levels in one database.
Both confidentiality and integrity are important to users of databases.

Confidentiality can be broken by indirect disclosure of a negative result or of the bounds of a value.
Integrity of the entire database is a responsibility of the DBMS software; this problem is handled by most
major commercial systems through backups , redundancy, change logs, and two-step updates. Integrity of
an individual element of the database is the responsibility of the database administrator, who defines the
access policy.

Multilevel secure databases must provide both confidentiality and integrity. Separation can be
implemented physically, logically, or cryptographically .
The five approaches to assuring confidentiality in multilevel secure databases:
 integrity lock,
 trusted front end,
 commutative filters,
 distributed databases, and
 restricted views.
But the analysis of the problems and the derivation of techniques are typical of how we analyze security
needs in any software application.

Exercise
Discuss emerging trends in Information security.

57