
INFORMATION SECURITY - CS1014

Einstein College of Engineering


Page 1



CS1014 INFORMATION SECURITY






PREPARED BY
A.SHERLY ALPHONSE
L/CSE
EINSTEIN COLLEGE OF ENGINEERING


UNIT - 1 : INTRODUCTION
Learning Objectives

Upon completion of this material, you should be able to:
Define information security
Relate the history of computer security and how it evolved into information security
Define key terms and critical concepts of information security as presented in this chapter
Discuss the phases of the security systems development life cycle
Present the roles of professionals involved in information security within an organization

Introduction
Information security: "a well-informed sense of assurance that the information risks and
controls are in balance." (Jim Anderson, Inovant, 2002)
It is necessary to review the origins of this field and its impact on our understanding of
information security today









The 1970s and 80s


ARPANET grew in popularity as did its potential for misuse
Fundamental problems with ARPANET security were identified
No safety procedures for dial-up connections to ARPANET
Nonexistent user identification and authorization to system
Late 1970s: the microprocessor expanded computing capabilities, and with them security threats
Information security began with Rand Report R-609, the paper that started the study of
computer security
Scope of computer security grew from physical security to include:
Safety of data
Limiting unauthorized access to data
Involvement of personnel from multiple levels of an organization

The 1990s
Networks of computers became more common; so too did the need to interconnect
networks
Internet became first manifestation of a global network of networks
In early Internet deployments, security was treated as a low priority
The Present
The Internet brings millions of computer networks into communication with each other,
many of them unsecured
The ability to secure a computer's data is influenced by the security of every computer to
which it is connected




What is Security?
The quality or state of being secure: to be free from danger
A successful organization should have multiple layers of security in place:
Physical security
Personal security
Operations security
Communications security
Network security
Information security

Critical Characteristics of Information
The value of information comes from the characteristics it possesses:
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession

NSTISSC Security Model
The NSTISSC model (also known as the McCumber Cube) arranges three security goals
(confidentiality, integrity, availability), three states of information (storage, processing,
transmission) and three categories of safeguards (policy and practices, education and
awareness, technology) as the axes of a 3 x 3 x 3 cube. Each of the 27 cells is an area that
must be addressed; for example, one cell is the technology needed to protect the integrity of
information while it is being transmitted.





Components of an Information System

An information system (IS) is the entire set of software, hardware, data, people, procedures,
and networks necessary to use information as a resource in the organization


Balancing security and access





SDLC: Systems Development Life Cycle




The Security Systems Development Life Cycle (SecSDLC)
The same phases used in the traditional SDLC may be adapted to support the specialized
implementation of an information security project:
Investigation
Analysis
Logical design
Physical design
Implementation
Maintenance and change

The SecSDLC differs from the traditional SDLC in that it includes the identification of
specific threats and the creation of controls to counter them



Senior Management
Chief Information Officer (CIO)
Senior technology officer
Primarily responsible for advising senior executives on strategic planning
Chief Information Security Officer (CISO)
Primarily responsible for the assessment, management, and implementation of information
security in the organization
Usually reports directly to the CIO

Information Security Project Team
A number of individuals who are experienced in one or more facets of required technical
and nontechnical areas:
Champion
Team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users

Data Ownership
Data owner: responsible for the security and use of a particular set of information
Data custodian: responsible for storage, maintenance, and protection of information
Data users: end users who work with information to perform their daily jobs supporting
the mission of the organization
Information Security: Is it an Art or a Science?
The implementation of information security is often described as a combination of art and science
The "security artisan" idea is based on the way individuals have perceived systems technologists
since computers became commonplace

Security as Art
No hard and fast rules nor many universally accepted complete solutions
No manual for implementing security through entire system

Security as Science
Dealing with technology designed to operate at high levels of performance
Specific conditions cause virtually all actions that occur in computer systems
Nearly every fault, security hole, and system malfunction is a result of the interaction of
specific hardware and software
If developers had sufficient time, they could resolve and eliminate faults

Security as a Social Science
Social science examines the behavior of individuals interacting with systems
Security begins and ends with the people that interact with the system
Security administrators can greatly reduce levels of risk caused by end users, and create
more acceptable and supportable security profiles








Unit II THE NEED FOR SECURITY


Learning objective
Upon completion of this chapter you should be able to:
Understand the business need for information security.
Understand that a successful information security program is the responsibility of an
organization's general management and IT management.
Understand the threats posed to information security and the more common
attacks associated with those threats.
Differentiate threats to information systems from attacks against information
systems.
Business Needs First, Technology Needs Last
Information security performs four important functions for an organization:
Protects the organization's ability to function
Enables the safe operation of applications implemented on the organization's IT
systems
Protects the data the organization collects and uses
Safeguards the technology assets in use at the organization

Protecting the Ability to Function
Management is responsible
Information security is a management issue and a people issue
Communities of interest must argue for information security in terms of impact and cost

Enabling Safe Operation
Organizations must create integrated, efficient, and capable applications
Organizations need environments that safeguard those applications
Management must not abdicate to the IT department its responsibility to make choices
and enforce decisions

Protecting Data
One of an organization's most valuable assets is its data
Without data, an organization loses its record of transactions and/or its ability to deliver
value to its customers
An effective information security program is essential to the protection of the integrity
and value of the organization's data

Safeguarding Technology Assets

Organizations must have secure infrastructure services based on the size and scope of the
enterprise
Additional security services may have to be provided
More robust solutions may be needed to replace security programs the organization has
outgrown

Threats
Management must be informed of the various kinds of threats facing the organization
A threat is an object, person, or other entity that represents a constant danger to an asset
By examining each threat category in turn, management effectively protects its
information through policy, education and training, and technology controls
The 2002 CSI/FBI Computer Crime and Security Survey found:
90% of responding organizations detected computer security breaches within the
last year
80% lost money to computer breaches, totaling over $455,848,000, up from
$377,828,700 reported in 2001
The proportion of attacks that came across the Internet rose from 70% in 2001 to
74% in 2002
Only 34% of organizations reported their attacks to law enforcement


Acts of Human Error or Failure
Includes acts done without malicious intent
Caused by:

Inexperience
Improper training
Incorrect assumptions
Other circumstances
Employees are the greatest threat to information security because they are closest to the
organizational data

Employee mistakes can easily lead to the following:
revelation of classified data
entry of erroneous data
accidental deletion or modification of data
storage of data in unprotected areas
failure to protect information
Many of these threats can be prevented with controls

Deviations in Quality of Service by Service Providers
Situations in which products or services are not delivered as expected
An information system depends on many interdependent support systems
Three sets of service issues that dramatically affect the availability of information and
systems are:
Internet service
Communications
Power irregularities

Internet Service Issues
Loss of Internet service can lead to considerable loss in the availability of information,
since organizations have sales staff and telecommuters working at remote locations

When an organization outsources its web servers, the outsourcer assumes responsibility for
all Internet services and for the hardware and operating system software used to operate the
web site


Communications and Other Services
Other utility services also have a potential impact; among these are:
telephone
water and wastewater
trash pickup
cable television
natural or propane gas
custodial services
The threat of loss of these services can lead to an inability to function properly

Power Irregularities
Voltage levels can increase, decrease, or cease:
spike: momentary increase
surge: prolonged increase
sag: momentary low voltage
brownout: prolonged drop
fault: momentary loss of power
blackout: prolonged loss
Electronic equipment is susceptible to fluctuations; controls can be applied to manage
power quality

Espionage/Trespass
Broad category of activities that breach confidentiality
Unauthorized accessing of information
Competitive intelligence (the legal and ethical collection and analysis of
information regarding the capabilities, vulnerabilities, and intentions of business
competitors) vs. espionage
Shoulder surfing can occur any place a person is accessing confidential
information
Controls are implemented to mark the boundaries of an organization's virtual territory, giving
notice to trespassers that they are encroaching on the organization's cyberspace
Hackers use skill, guile, or fraud to steal the property of someone else



Espionage/Trespass
Generally two skill levels among hackers:
Expert hacker
develops software scripts and codes exploits
usually a master of many skills
will often create attack software and share with others
Script kiddies
hackers of limited skill
use expert-written software to exploit a system
do not usually fully understand the systems they hack
Other terms for system rule breakers:
Cracker - an individual who cracks or removes protection designed to prevent
unauthorized duplication
Phreaker - hacks the public telephone network

Information Extortion
Information extortion occurs when an attacker or formerly trusted insider steals information
from a computer system and demands compensation for its return or for an agreement not to use it
A typical example is the theft of credit card numbers followed by a demand for payment


Sabotage or Vandalism
An individual or group may deliberately sabotage the operations of a computer system or
business, or perform acts of vandalism to either destroy an asset or damage the image of the
organization
These threats can range from petty vandalism to organized sabotage
Organizations rely on their image, so web defacement can lead to dropping consumer confidence
and sales
There is a rising threat of hacktivist or cyber-activist operations; the most extreme version is
cyber-terrorism

Deliberate Acts of Theft
Illegal taking of another's property, whether physical, electronic, or intellectual
The value of information suffers when it is copied and taken away without the owner's
knowledge
Physical theft can be controlled with a wide variety of measures, from locked doors to
guards or alarm systems
Electronic theft is a more complex problem to manage and control; organizations may
not even know it has occurred

Deliberate Software Attacks
When an individual or group designs software to attack systems, they create malicious
code/software called malware
Designed to damage, destroy, or deny service to the target systems
Includes:
macro virus
boot virus
worms
Trojan horses
logic bombs
back door or trap door
denial-of-service attacks
polymorphic threats
hoaxes



Compromises to Intellectual Property
Intellectual property is the ownership of ideas and control over the tangible or virtual
representation of those ideas
Many organizations are in business to create intellectual property
trade secrets
copyrights
trademarks
patents
Most common IP breaches involve software piracy
Watchdog organizations investigate:
Software & Information Industry Association (SIIA)
Business Software Alliance (BSA)
Enforcement of copyright has been attempted with technical security mechanisms
Forces of Nature
Forces of nature, force majeure, or acts of God are dangerous because they are
unexpected and can occur with very little warning
Can disrupt not only the lives of individuals, but also the storage, transmission, and use of
information
Include fire, flood, earthquake, and lightning as well as volcanic eruption and insect
infestation
Since it is not possible to avoid many of these threats, management must implement
controls to limit damage and also prepare contingency plans for continued operations

Technical Hardware Failures or Errors
Technical hardware failures or errors occur when a manufacturer distributes to users
equipment containing flaws
These defects can cause the system to perform outside of expected parameters, resulting
in unreliable service or lack of availability
Some errors are terminal, in that they result in the unrecoverable loss of the equipment
Some errors are intermittent, in that they only periodically manifest themselves, resulting
in faults that are not easily repeated

Technical Software Failures or Errors
This category of threats comes from purchasing software with unrevealed faults
Large quantities of computer code are written, debugged, published, and sold, only for users
to discover that not all bugs were resolved
Sometimes, unique combinations of certain software and hardware reveal new bugs
Sometimes these items aren't errors but purposeful shortcuts left by programmers
for honest or dishonest reasons

Technological Obsolescence
When the infrastructure becomes antiquated or outdated, it leads to unreliable and
untrustworthy systems
Management must recognize that when technology becomes outdated, there is a risk of
loss of data integrity to threats and attacks
Ideally, proper planning by management should prevent the risks from technological
obsolescence, but when obsolescence is identified, management must take action
Attacks
An attack is a deliberate act that exploits a vulnerability
It is accomplished by a threat agent to damage or steal an organization's information or
physical assets
An exploit is a technique used to compromise a system
A vulnerability is an identified weakness of a controlled system whose controls
are not present or are no longer effective
An attack is then the use of an exploit to achieve the compromise of a controlled
system

Malicious Code
This kind of attack includes the execution of viruses, worms, Trojan horses, and active
web scripts with the intent to destroy or steal information
The state of the art in attacking systems as of 2002 was the multi-vector worm, using up to
six attack vectors to exploit a variety of vulnerabilities in commonly found information
system devices


Attack Descriptions
IP Scan and Attack - the compromised system scans a random or local range of IP addresses
and targets any of several vulnerabilities known to hackers or left over from previous
exploits
Web Browsing - if the infected system has write access to any web pages, it makes all
web content files infectious, so that users who browse to those pages become infected
Virus - each infected machine infects certain common executable or script files on all
computers to which it can write with virus code that can cause infection
Unprotected Shares - using file shares to copy the viral component to all reachable locations
Mass Mail - sending e-mail infections to addresses found in the address book
Simple Network Management Protocol - SNMP vulnerabilities used to compromise and
infect
Hoaxes - a more devious approach to attacking computer systems is the transmission of a
virus hoax with a real virus attached

Back Doors - using a known or previously unknown and newly discovered access
mechanism, an attacker can gain access to a system or network resource
Password Crack - attempting to reverse-calculate a password, typically by hashing candidate
passwords and comparing the results against a stolen copy of the stored password hash
Brute Force - the application of computing and network resources to try every possible
combination of options for a password
Dictionary - the dictionary password attack narrows the field by selecting specific
accounts to attack and uses a list of commonly used passwords (the dictionary) to guide
guesses
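The three password attacks just described, worked through in Python as an added example (this code is not part of the original notes): a dictionary attack and a brute-force attack against a constructed table of unsalted SHA-256 hashes, followed by the control that blunts both, a per-user salt combined with a slow key-derivation function (PBKDF2). The account names, passwords and wordlist are invented for illustration.

```python
import hashlib
import hmac
import itertools
import os
import string


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256: the weak storage scheme this example attacks."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed sample data: a stolen table of unsalted password hashes and a tiny
# wordlist standing in for a real dictionary. Usernames and passwords are invented.
LEAKED_HASHES = {
    "alice": sha256_hex("password1"),
    "bob": sha256_hex("letmein"),
    "carol": sha256_hex("zq7"),          # short: not in the wordlist, but within brute-force reach
    "dave": sha256_hex("Xy9#kLm2Qp!v"),  # long and random: out of reach of both attacks here
}
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "welcome", "admin"]


def dictionary_attack(hashes: dict, wordlist: list) -> dict:
    """Hash every dictionary word once and look all accounts up in that table.
    Unsalted hashes make this a single pass no matter how many accounts leaked."""
    table = {sha256_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def brute_force(target_hash: str, alphabet: str = string.ascii_lowercase + string.digits,
                max_len: int = 3):
    """Try every combination of the alphabet up to max_len characters (36 + 36^2 + 36^3 guesses)."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


# The control: a random salt per account and a deliberately slow derivation.
PBKDF2_ITERATIONS = 100_000


def store_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, derived key). A fresh salt per account defeats the shared lookup table
    used above, and the iteration count makes each brute-force guess expensive."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    _, key = store_password(password, salt)
    return hmac.compare_digest(key, stored_key)


if __name__ == "__main__":
    print("dictionary hits:", dictionary_attack(LEAKED_HASHES, WORDLIST))
    print("brute force carol:", brute_force(LEAKED_HASHES["carol"]))
    print("brute force dave:", brute_force(LEAKED_HASHES["dave"]))
    salt, key = store_password("letmein")
    print("verify:", verify_password("letmein", salt, key), verify_password("letmeout", salt, key))
```

Note the asymmetry the example is meant to show: the dictionary pass costs one hash per word for the whole table, while the salted, iterated scheme forces one full 100,000-iteration derivation per guess per account.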
Denial-of-service (DoS)
the attacker sends a large number of connection or information requests to a target
so many requests are made that the target system cannot handle them
successfully along with other, legitimate requests for service
may result in a system crash, or merely an inability to perform ordinary functions
Distributed Denial-of-service (DDoS) - an attack in which a coordinated stream of
requests is launched against a target from many locations at the same time
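The difference between a DoS and a DDoS, as an added Python example that is not from the original notes: a rate-based detector run over constructed access-log lines. The log format, the ten-second window and the two thresholds are assumptions made for the example; the IP addresses come from the documentation ranges.

```python
from collections import Counter
from datetime import datetime, timedelta


def make_log(start: str, sources: dict) -> str:
    """Build a constructed access log: each source IP sends `count` requests spread over
    ten seconds. These are synthetic lines, not captured traffic."""
    base = datetime.fromisoformat(start)
    lines = []
    for src, count in sources.items():
        for i in range(count):
            ts = base + timedelta(seconds=(i * 10) // max(count, 1))
            lines.append(f"{ts.isoformat()} {src} GET /index.html 200")
    lines.sort()
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Parse 'timestamp source method path status' lines into (timestamp, source) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, *_ = line.split()
        events.append((datetime.fromisoformat(ts), src))
    return events


def requests_per_source(events: list, window_start: datetime, window: timedelta) -> Counter:
    """Count requests from each source inside [window_start, window_start + window)."""
    end = window_start + window
    return Counter(src for ts, src in events if window_start <= ts < end)


def classify_window(counts: Counter, per_source_limit: int, total_limit: int) -> tuple:
    """Label one window. A single source above per_source_limit looks like a DoS.
    A total above total_limit with no single heavy source looks like a DDoS: many
    sources, each individually under the per-source limit, which is exactly why a
    per-source rule on its own misses the distributed case."""
    heavy = sorted(src for src, n in counts.items() if n > per_source_limit)
    if heavy:
        return "dos", heavy
    if sum(counts.values()) > total_limit:
        return "ddos", sorted(counts)
    return "normal", []


def analyse(text: str, start: str, per_source_limit: int = 50, total_limit: int = 300) -> tuple:
    """Run the pipeline over the ten-second window beginning at `start`."""
    events = parse_log(text)
    counts = requests_per_source(events, datetime.fromisoformat(start), timedelta(seconds=10))
    return classify_window(counts, per_source_limit, total_limit)


# Constructed scenarios: ordinary browsing, one flooding host, and sixty hosts each sending a little.
START = "2002-08-01T10:00:00"
NORMAL_LOG = make_log(START, {"203.0.113.5": 4, "203.0.113.9": 7})
DOS_LOG = make_log(START, {"203.0.113.5": 4, "198.51.100.7": 400})
DDOS_LOG = make_log(START, {**{f"192.0.2.{i}": 8 for i in range(1, 61)}, "203.0.113.5": 4})

if __name__ == "__main__":
    for name, log in (("normal", NORMAL_LOG), ("dos", DOS_LOG), ("ddos", DDOS_LOG)):
        label, sources = analyse(log, START)
        print(f"{name}: {label}, {len(sources)} source(s) implicated")
```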

Spoofing - technique used to gain unauthorized access whereby the intruder sends
messages to a computer with an IP address indicating that the message is coming from a
trusted host
Man-in-the-Middle - an attacker sniffs packets from the network, modifies them, and
inserts them back into the network
Spam - unsolicited commercial e-mail - while many consider spam a nuisance rather than
an attack, it is emerging as a vector for some attacks




Mail-bombing - another form of e-mail attack that is also a DoS, in which an attacker
routes large quantities of e-mail to the target
Sniffers - a program and/or device that can monitor data traveling over a network.
Sniffers can be used both for legitimate network management functions and for stealing
information from a network
Social Engineering - within the context of information security, the process of using
social skills to convince people to reveal access credentials or other valuable information
to the attacker
"People are the weakest link. You can have the best technology; firewalls, intrusion-
detection systems, biometric devices ... and somebody can call an unsuspecting employee.
That's all she wrote, baby. They got everything."
Brick attack - the best-configured firewall in the world can't stand up to a well-placed
brick
Buffer Overflow
an application error that occurs when more data is sent to a buffer than it can handle
when the buffer overflows, the attacker can make the target system execute
instructions, or can take advantage of some other unintended
consequence of the failure
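An added Python model of the overflow described above (this is not code from the original notes): a bytearray stands in for one stack frame holding a 16-byte buffer, a saved frame pointer and a return address, the layout a 64-bit C compiler would produce for a function without a stack canary (an assumption of the model, which simulates the layout rather than touching real process memory). An unchecked copy of attacker-supplied input runs past the buffer and overwrites the return-address slot; a length-checked copy refuses the input and the frame stays intact.

```python
BUF_SIZE = 16   # bytes in the local char buffer
SAVED_FP = 8    # saved frame pointer stored just above the buffer (64-bit, no canary assumed)
RET_SIZE = 8    # return address stored above that


class StackFrame:
    """Bytearray model of one C stack frame: [buffer][saved frame pointer][return address].
    A teaching simulation of the layout, not real memory."""

    def __init__(self, return_address: int):
        self.mem = bytearray(BUF_SIZE + SAVED_FP + RET_SIZE)
        self.mem[BUF_SIZE + SAVED_FP:] = return_address.to_bytes(RET_SIZE, "little")

    @property
    def return_address(self) -> int:
        """Where the function will jump when it returns: whatever the top slot holds now."""
        return int.from_bytes(self.mem[BUF_SIZE + SAVED_FP:], "little")

    def unsafe_copy(self, data: bytes) -> None:
        """Behaves like strcpy(buf, data): no length check, so bytes beyond BUF_SIZE land in the
        saved-frame-pointer and return-address slots."""
        n = min(len(data), len(self.mem))  # the model stops at the frame edge; C would keep writing
        self.mem[:n] = data[:n]

    def safe_copy(self, data: bytes) -> None:
        """Behaves like a length-checked copy: reject anything that does not fit the buffer."""
        if len(data) > BUF_SIZE:
            raise ValueError(f"{len(data)} bytes do not fit in a {BUF_SIZE}-byte buffer")
        self.mem[:len(data)] = data


def craft_payload(target: int) -> bytes:
    """Attacker input: filler to reach the return-address slot, then the address to jump to."""
    return b"A" * (BUF_SIZE + SAVED_FP) + target.to_bytes(RET_SIZE, "little")


def run(copy_is_checked: bool, original_return: int = 0x401000,
        attacker_target: int = 0xDEADBEEF) -> int:
    """Feed the crafted input through the unchecked or the checked copy and report where
    the function would return afterwards."""
    frame = StackFrame(original_return)
    copy = frame.safe_copy if copy_is_checked else frame.unsafe_copy
    try:
        copy(craft_payload(attacker_target))
    except ValueError:
        pass  # the checked copy rejected the oversized input; the frame is untouched
    return frame.return_address


if __name__ == "__main__":
    print(f"unchecked copy returns to {run(False):#x}")   # attacker-chosen address
    print(f"checked copy returns to   {run(True):#x}")    # original address preserved
```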
Timing Attack
relatively new
works by exploring the contents of a web browser's cache
can allow collection of information on access to password-protected sites
another attack by the same name measures how long cryptographic operations take
in order to determine keys and encryption algorithms
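The cryptographic sense of a timing attack, as an added Python example that is not from the original notes: a secret compared with an early-exit loop leaks how many leading bytes of a guess were correct, so an attacker recovers the secret one byte at a time; a constant-time comparison gives the same answer for every guess and the attack learns nothing. The count of bytes compared stands in for the elapsed time a real attacker would measure over many requests (an assumption that removes measurement noise), and the secret value is constructed.

```python
import hmac

# Constructed secret, for example an API token a server compares against a submitted value.
SECRET = b"s3cr3t-token-xyz"


def leaky_equal(secret: bytes, guess: bytes) -> tuple:
    """Early-exit comparison as a naive implementation writes it. Besides the result it
    returns how many bytes were examined, the stand-in for elapsed time (assumption:
    per-byte comparison cost is the only timing signal)."""
    compared = 0
    if len(secret) != len(guess):
        return False, compared
    for a, b in zip(secret, guess):
        compared += 1
        if a != b:
            return False, compared
    return True, compared


def constant_time_equal(secret: bytes, guess: bytes) -> tuple:
    """hmac.compare_digest examines every byte regardless of where the first mismatch is,
    so the 'time' is identical for every guess of the right length."""
    return hmac.compare_digest(secret, guess), len(secret)


def recover_secret(length: int, oracle) -> bytes:
    """Recover the secret byte by byte: at each position keep the byte for which the oracle
    ran longest, because only the correct byte lets the comparison advance to the next one."""
    known = b""
    for pos in range(length):
        best_byte, best_time = 0, -1
        for c in range(256):
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            matched, elapsed = oracle(guess)
            if matched:
                return guess
            if elapsed > best_time:
                best_byte, best_time = c, elapsed
        known += bytes([best_byte])
    return known


def attack(compare) -> bytes:
    """Run the byte-by-byte recovery against a server that uses the given comparison."""
    return recover_secret(len(SECRET), lambda guess: compare(SECRET, guess))


if __name__ == "__main__":
    print("against early-exit compare:", attack(leaky_equal))
    print("against constant-time compare:", attack(constant_time_equal))
```

Against the leaky comparison the attacker needs at most 256 guesses per byte instead of 256 to the power of the length; against the constant-time one every guess looks the same and the recovered value is just the first byte tried at every position.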

UNIT-III
RISK MANAGEMENT: IDENTIFYING AND ASSESSING RISK

Learning Objectives:


Upon completion of this chapter you should be able to:
Define risk management and its role in the SecSDLC
Understand how risk is identified
Assess risk based on the likelihood of occurrence and impact on an organization
Grasp the fundamental aspects of documenting risk identification and assessment



Risk Management

If you know the enemy and know yourself, you need not fear the result of a hundred
battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a
defeat.
If you know neither the enemy nor yourself, you will succumb in every battle. (Sun Tzu)

Know Ourselves
First, we must identify, examine, and understand the information, and systems, currently
in place
In order to protect our assets, defined here as the information and the systems that use,
store, and transmit it, we have to understand everything about the information
Once we have examined these aspects, we can then look at what we are already doing to
protect the information and systems from the threats



Know the Enemy

For information security this means identifying, examining, and understanding the threats
that most directly affect our organization and the security of our organization's
information assets
We can then use our understanding of these aspects to create a list of threats prioritized
by importance to the organization

Accountability for Risk Management
It is the responsibility of each community of interest to manage risks; each community
has a role to play:
Information Security - best understands the threats and attacks that introduce risk
into the organization
Management and Users play a part in the early detection and response process;
they also ensure sufficient resources are allocated
Information Technology must assist in building secure systems and operating
them safely

Accountability for Risk Management
All three communities must also:
Evaluate the risk controls
Determine which control options are cost effective
Assist in acquiring or installing needed controls
Ensure that the controls remain effective

Risk Management Process
Management reviews asset inventory
The threats and vulnerabilities that have been identified as dangerous to the asset
inventory must be reviewed and verified as complete and current
The potential controls and mitigation strategies should be reviewed for completeness
The cost effectiveness of each control should be reviewed as well, and the decisions
about deployment of controls revisited

Risk Identification
A risk management strategy calls on us to know ourselves by identifying, classifying,
and prioritizing the organization's information assets
These assets are the targets of various threats and threat agents and our goal is to protect
them from these threats
Next comes threat identification:
Assess the circumstances and setting of each information asset
Identify the vulnerabilities and begin exploring the controls that might be used to
manage the risks

Asset Identification and Valuation
This iterative process begins with the identification of assets, including all of the
elements of an organization's system: people, procedures, data and information, software,
hardware, and networking elements
Then, we classify and categorize the assets adding details as we dig deeper into the
analysis


Hardware, Software, and Network Asset Identification
Automated tools can sometimes uncover the system elements that make up the hardware,
software, and network components
Once created, the inventory listing must be kept current, often through a tool that
periodically refreshes the data

Network Asset Identification
What attributes of each of these information assets should be tracked?
When deciding which information assets to track, consider including these asset
attributes:
Name
IP address
MAC address
Element type
Serial number
Manufacturer name
Manufacturer's model number or part number
Software version, update revision, or FCO number
Physical location
Logical location
Controlling entity

People, Procedures, and Data Asset Identification
Unlike the tangible hardware and software elements already described, the human
resources, documentation, and data information assets are not as readily discovered and
documented
These assets should be identified, described, and evaluated by people using knowledge,
experience, and judgment
As these elements are identified, they should also be recorded into some reliable data
handling process




Asset Information for People
For People:
Position name/number/ID: try to avoid names and stick to identifying positions,
roles, or functions
Supervisor
Security clearance level
Special skills
Asset Information for procedures
For Procedures:
Description
Intended purpose
What elements is it tied to
Where is it stored for reference
Where is it stored for update purposes
Asset Information for Data
For Data:
Classification
Owner/creator/manager
Size of data structure
Data structure used: sequential, relational
Online or offline
Where located
Backup procedures employed

Classification
Many organizations already have a classification scheme
Examples of these kinds of classifications are:
confidential data
internal data
public data
Informal organizations may have to organize themselves to create a usable data
classification model
The other side of the data classification scheme is the personnel security clearance
structure

Information Asset Valuation
Each asset is categorized
Questions to assist in developing the criteria to be used for asset valuation:
Which information asset is the most critical to the success of the organization?
Which information asset generates the most revenue?
Which information asset generates the most profitability?
Which information asset would be the most expensive to replace?
Which information asset would be the most expensive to protect?
Which information asset would be the most embarrassing or cause the greatest
liability if revealed?


Information Asset Valuation
Create a weighting for each category based on the answers to the previous questions;
the weights express which factor is the most important to the organization
Once each question has been weighted, calculating the importance of each asset is
straightforward: multiply each asset's score on a criterion by that criterion's weight and sum
List the assets in order of importance using a weighted factor analysis worksheet
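The weighted factor analysis worksheet worked through in Python, as an added example that is not from the original notes. The three criteria, their weights and the four assets with their 0.1 to 1.0 scores are constructed for illustration; what the code shows is the arithmetic, the consistency checks on the inputs and the ranking that results.

```python
# Constructed criteria and weights (must sum to 100): which factor matters most here.
CRITERIA_WEIGHTS = {
    "impact on revenue": 30,
    "impact on profitability": 40,
    "impact on public image": 30,
}

# Constructed asset scores on a 0.1 - 1.0 scale for each criterion; the assets are invented.
ASSET_SCORES = {
    "customer order database": {
        "impact on revenue": 1.0, "impact on profitability": 1.0, "impact on public image": 0.9},
    "supplier EDI order feed": {
        "impact on revenue": 0.8, "impact on profitability": 0.9, "impact on public image": 0.5},
    "public marketing web site": {
        "impact on revenue": 0.3, "impact on profitability": 0.2, "impact on public image": 1.0},
    "internal engineering wiki": {
        "impact on revenue": 0.1, "impact on profitability": 0.1, "impact on public image": 0.2},
}


def validate_weights(weights: dict) -> None:
    """Weights express the relative importance of each criterion and must total 100."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"criterion weights sum to {total}, expected 100")


def weighted_score(scores: dict, weights: dict) -> float:
    """Sum of (criterion weight x asset score) over every criterion. Rounded to one decimal
    so that scores such as 0.8 x 30 do not pick up floating-point noise."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"asset is missing scores for: {sorted(missing)}")
    for criterion, score in scores.items():
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"score for {criterion!r} must be between 0 and 1, got {score}")
    return round(sum(weights[c] * scores[c] for c in weights), 1)


def rank_assets(assets: dict, weights: dict) -> list:
    """Return (score, asset) pairs, highest first: the order in which assets deserve protection.
    Ties are broken alphabetically so the ranking is stable."""
    validate_weights(weights)
    ranked = [(weighted_score(scores, weights), name) for name, scores in assets.items()]
    return sorted(ranked, key=lambda pair: (-pair[0], pair[1]))


if __name__ == "__main__":
    for score, name in rank_assets(ASSET_SCORES, CRITERIA_WEIGHTS):
        print(f"{score:5.1f}  {name}")
```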






Data Classification and Management
A variety of classification schemes are used by corporate and military organizations
Information owners are responsible for classifying the information assets for which they
are responsible
Information owners must review information classifications periodically
The military uses a five-level classification scheme but most organizations do not need
the detailed level of classification used by the military or federal agencies
Security Clearances
The other side of the data classification scheme is the personnel security clearance
structure
Each user of data in the organization is assigned a single level of authorization indicating
the highest level of classification he or she may access
Before an individual is allowed access to a specific set of data, he or she must meet the
need-to-know requirement
This extra level of protection ensures that the confidentiality of information is properly
maintained

Management of Classified Data
Includes the storage, distribution, portability, and destruction of classified information
Must be clearly marked as such
When stored, it must be unavailable to unauthorized individuals
When carried should be inconspicuous, as in a locked briefcase or portfolio
Clean desk policies require all information to be stored in its appropriate storage
container at the end of each day
Proper care should be taken to destroy any unneeded copies
Dumpster diving can prove embarrassing to the organization
Threat Identification
Each of the threats identified so far has the potential to attack any of the assets protected
This will quickly become more complex and overwhelm the ability to plan
To make this part of the process manageable, each step in the threat identification and
vulnerability identification process is managed separately, and then coordinated at the
end of the process


Identify and Prioritize Threats
Each threat must be further examined to assess its potential to impact organization - this
is referred to as a threat assessment
To frame the discussion of threat assessment, address each threat with a few questions:
Which threats present a danger to this organization's assets in the given
environment?
Which threats represent the most danger to the organizations information?
How much would it cost to recover from a successful attack?
Which of these threats would require the greatest expenditure to prevent?
Vulnerability Identification
We now face the challenge of reviewing each information asset for each threat it faces
and creating a list of the vulnerabilities that remain viable risks to the organization
Vulnerabilities are specific avenues that threat agents can exploit to attack an information
asset


Vulnerability Identification
Examine how each of the threats that are possible or likely could be perpetrated and list
the organizations assets and their vulnerabilities
The process works best when groups of people with diverse backgrounds within the
organization work iteratively in a series of brainstorming sessions
At the end of the process, an information asset / vulnerability list has been developed;
this list is the starting point for the next step, risk assessment

Risk Assessment
We can determine the relative risk for each of the vulnerabilities through a process called
risk assessment
Risk assessment assigns a risk rating or score to each specific information asset, useful in
gauging the relative risk introduced by each vulnerable information asset and making
comparative ratings later in the risk control process

Introduction to Risk Assessment
Risk Identification Estimate Factors
Likelihood
Value of Information Assets
Percent of Risk Mitigated
Uncertainty

Risk Determination
For the purpose of relative risk assessment:
risk = (likelihood of vulnerability occurrence x value, or impact, of the information asset)
       - the percentage of that risk already controlled by existing controls
       + an element of uncertainty in the estimate
Both the percentage already controlled and the uncertainty are applied to the
likelihood x value product, so a vulnerability that is 50% controlled with 20% uncertainty
keeps half of its likelihood x value and then adds a fifth of it back
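The risk determination formula above, carried out in Python as an added example that is not from the original notes. The asset/vulnerability entries and their estimate factors are constructed; the code validates the fractions, scores every pair, reports residual risk (the value left after existing controls, before the uncertainty allowance is added) and ranks the pairs for the risk control step.

```python
# Constructed inventory of (asset, vulnerability) pairs with the four estimate factors from
# the text: likelihood (0.1 - 1.0), asset value (0 - 100), fraction of the risk already
# controlled, and uncertainty as a fraction of the estimate. The entries are invented.
VULNERABILITIES = [
    {"asset": "customer order database", "vulnerability": "unpatched DBMS listener",
     "likelihood": 1.0, "value": 50, "controlled": 0.0, "uncertainty": 0.10},
    {"asset": "supplier EDI order feed", "vulnerability": "unencrypted transfer",
     "likelihood": 0.5, "value": 100, "controlled": 0.5, "uncertainty": 0.20},
    {"asset": "public marketing web site", "vulnerability": "outdated CMS plugin",
     "likelihood": 0.8, "value": 40, "controlled": 0.25, "uncertainty": 0.10},
]


def _check_fraction(name: str, value: float) -> None:
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be between 0 and 1, got {value}")


def risk_score(likelihood: float, value: float, controlled: float, uncertainty: float) -> float:
    """risk = likelihood x value
              - (likelihood x value x fraction already controlled)
              + (likelihood x value x uncertainty)"""
    for name, frac in (("likelihood", likelihood), ("controlled", controlled),
                       ("uncertainty", uncertainty)):
        _check_fraction(name, frac)
    exposure = likelihood * value
    return round(exposure - exposure * controlled + exposure * uncertainty, 4)


def residual_risk(likelihood: float, value: float, controlled: float) -> float:
    """What remains after existing controls, before the uncertainty allowance is added."""
    _check_fraction("controlled", controlled)
    exposure = likelihood * value
    return round(exposure * (1.0 - controlled), 4)


def rank_by_risk(entries: list) -> list:
    """Score every asset/vulnerability pair and order them highest first for risk control."""
    scored = []
    for e in entries:
        score = risk_score(e["likelihood"], e["value"], e["controlled"], e["uncertainty"])
        scored.append((score, e["asset"], e["vulnerability"]))
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for score, asset, vuln in rank_by_risk(VULNERABILITIES):
        print(f"{score:6.1f}  {asset}: {vuln}")
```

The first entry illustrates the formula with no controls in place: 1.0 x 50 gives 50, nothing is subtracted, and 10% uncertainty adds 5, for a score of 55. The second shows controls at work: 0.5 x 100 gives 50, half of it (25) is already controlled, and 20% uncertainty adds 10, for 35; its residual risk alone is 25.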

Identify Possible Controls
For each threat and its associated vulnerabilities that have any residual risk, create a
preliminary list of control ideas
Residual risk is the risk that remains to the information asset even after the existing
control has been applied

Access Controls
One particular application of controls is in the area of access controls
Access controls are those controls that specifically address admission of a user into a
trusted area of the organization
There are a number of approaches to controlling access
Access controls can be
discretionary
mandatory
nondiscretionary

Types of Access Controls
Discretionary Access Controls (DAC) are implemented at the discretion or option of the
data user
Mandatory Access Controls (MACs) are structured and coordinated with a data
classification scheme, and are required
Nondiscretionary Controls are those determined by a central authority in the organization
and can be based on an individual's role (Role-Based Controls) or a specified set of
duties or tasks the individual is assigned (Task-Based Controls), or can be based on
specified lists maintained on subjects or objects




Lattice-based Control
Another type of nondiscretionary access is lattice-based control, where a lattice structure
(or matrix) is created containing subjects and objects, and the boundaries associated with
each pair are contained
This specifies the level of access each subject has to each object
In a lattice-based control the column of attributes associated with a particular object are
referred to as an access control list or ACL
The row of attributes associated with a particular subject (such as a user) is referred to as
a capabilities table
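The matrix described above, as an added example that is not part of the course notes: the same table of subjects and objects is read column-wise to produce an object's ACL and row-wise to produce a subject's capabilities table. The users, objects and rights are constructed.

```python
"""Access matrix for lattice-based (nondiscretionary) control.

Added example, not from the course notes. The matrix holds subjects and
objects with the rights permitted for each pair; the column for one object
is its access control list (ACL) and the row for one subject is its
capabilities table. Subjects, objects and rights are constructed.
"""
from typing import Dict, FrozenSet, Set, Tuple

Rights = FrozenSet[str]


class AccessMatrix:
    def __init__(self) -> None:
        # (subject, object) -> set of rights; a missing cell means no access.
        self._cells: Dict[Tuple[str, str], Set[str]] = {}
        self.subjects: Set[str] = set()
        self.objects: Set[str] = set()

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self.subjects.add(subject)
        self.objects.add(obj)
        self._cells.setdefault((subject, obj), set()).update(rights)

    def revoke(self, subject: str, obj: str, *rights: str) -> None:
        cell = self._cells.get((subject, obj))
        if cell is None:
            return
        cell.difference_update(rights)
        if not cell:
            del self._cells[(subject, obj)]   # empty cell: no access at all

    def permits(self, subject: str, obj: str, right: str) -> bool:
        """Default deny: only an explicitly recorded right grants access."""
        return right in self._cells.get((subject, obj), set())

    def acl(self, obj: str) -> Dict[str, Rights]:
        """Column view: which subjects may do what to this object."""
        return {s: frozenset(r) for (s, o), r in self._cells.items() if o == obj}

    def capabilities(self, subject: str) -> Dict[str, Rights]:
        """Row view: which objects this subject may act on, and how."""
        return {o: frozenset(r) for (s, o), r in self._cells.items() if s == subject}

    def render(self) -> str:
        """Plain-text matrix: one row per subject, one column per object,
        each cell showing the first letter of every granted right."""
        objs = sorted(self.objects)
        width = max([len(o) for o in objs] + [12]) + 2
        lines = [" " * 10 + "".join(o.ljust(width) for o in objs)]
        for s in sorted(self.subjects):
            cells = ["".join(sorted(right[0] for right in self._cells.get((s, o), set())))
                     or "-" for o in objs]
            lines.append(s.ljust(10) + "".join(c.ljust(width) for c in cells))
        return "\n".join(lines)


def sample_matrix() -> AccessMatrix:
    """Constructed example: three users and three objects."""
    m = AccessMatrix()
    m.grant("alice", "payroll.xlsx", "read", "write")
    m.grant("alice", "hr_policy.pdf", "read")
    m.grant("bob", "payroll.xlsx", "read")
    m.grant("bob", "printer", "execute")
    m.grant("carol", "hr_policy.pdf", "read", "write")
    return m


if __name__ == "__main__":
    matrix = sample_matrix()
    print(matrix.render())
    print("ACL for payroll.xlsx:", matrix.acl("payroll.xlsx"))
    print("Capabilities of bob:", matrix.capabilities("bob"))
```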

Documenting Results of Risk Assessment
The goal of this process has been to identify the information assets of the organization
that have specific vulnerabilities and create a list of them, ranked for focus on those most
needing protection first
In preparing this list we have collected and preserved factual information about the assets,
the threats they face, and the vulnerabilities they experience
Introduction to Risk Assessment
The process you develop for risk identification should include designating what function
the reports will serve, who is responsible for preparing the reports, and who reviews them
We do know that the ranked vulnerability risk worksheet is the initial working document
for the next step in the risk management process: assessing and controlling risk



UNIT-IV
BLUEPRINT FOR SECURITY


Learning Objectives
Upon completion of this chapter you should be able to:
Understand management's responsibilities and role in the development,
maintenance, and enforcement of information security policy, standards,
practices, procedures, and guidelines
Understand the differences between the organization's general information
security policy and the requirements and objectives of the various
issue-specific and system-specific policies.
Know what an information security blueprint is and what its major
components are.
Understand how an organization institutionalizes its policies, standards,
and practices using education, training, and awareness programs.
Become familiar with what viable information security architecture is,
what it includes, and how it is used.

Information Security Policy, Standards, and Practices
Management from all communities of interest must consider policies as the basis
for all information security efforts
Policies direct how issues should be addressed and technologies used
Security policies are the least expensive control to execute, but the most difficult
to implement
Shaping policy is difficult because it must:
never conflict with laws
stand up in court, if challenged
be properly administered

Definitions
A policy is
A plan or course of action, as of a government, political party, or business,
intended to influence and determine decisions, actions, and other matters
Policies are organizational laws
Standards, on the other hand, are more detailed statements of what must be done
to comply with policy
Practices, procedures, and guidelines effectively explain how to comply with
policy
For a policy to be effective it must be properly disseminated, read, understood and
agreed to by all members of the organization

Types of Policy
Management defines three types of security policy:
General or security program policy

Issue-specific security policies
Systems-specific security policies


Security Program Policy
A security program policy (SPP) is also known as
A general security policy
IT security policy
Information security policy
Sets the strategic direction, scope, and tone for all security efforts within the
organization
An executive-level document, usually drafted by, or with, the CIO of the
organization, and is usually 2 to 10 pages long

Issue-Specific Security Policy (ISSP)
As various technologies and processes are implemented, certain guidelines are
needed to use them properly
The ISSP:
addresses specific areas of technology
requires frequent updates
contains an issue statement on the organization's position on an issue
Three approaches:
Create a number of independent ISSP documents
Create a single comprehensive ISSP document
Create a modular ISSP document

Example ISSP Structure
Statement of Policy
Authorized Access and Usage of Equipment
Prohibited Usage of Equipment
Systems Management
Violations of Policy
Policy Review and Modification

Limitations of Liability

Systems-Specific Policy (SysSP)
While issue-specific policies are formalized as written documents, distributed to
users, and agreed to in writing, SysSPs are frequently codified as standards and
procedures used when configuring or maintaining systems
Systems-specific policies fall into two groups:
Access control lists (ACLs) consist of the access control lists, matrices,
and capability tables governing the rights and privileges of a particular
user to a particular system
Configuration rules comprise the specific configuration codes entered into
security systems to guide the execution of the system

ACL Policies
Both Microsoft Windows NT/2000 and Novell Netware 5.x/6.x families of
systems translate ACLs into sets of configurations that administrators use to
control access to their respective systems
ACLs allow configuration to restrict access from anyone and anywhere
ACLs regulate:
Who can use the system
What authorized users can access
When authorized users can access the system
Where authorized users can access the system from
How authorized users can access the system

Rule Policies
Rule policies are more specific to the operation of a system than ACLs

Many security systems require specific configuration scripts telling the systems
what actions to perform on each set of information they process
Policy Management
Policies are living documents that must be managed and nurtured, and are
constantly changing and growing
Documents must be properly managed
Special considerations should be made for organizations undergoing mergers,
takeovers, and partnerships
In order to remain viable, policies must have:
an individual responsible for reviews
a schedule of reviews
a method for making recommendations for reviews
a specific effective and revision date

Information Classification
The classification of information is an important aspect of policy
The same protection scheme created to prevent production data from accidental
release to the wrong party should be applied to policies in order to keep them
freely available, but only within the organization
In today's open office environments, it may be beneficial to implement a clean
desk policy
A clean desk policy stipulates that at the end of the business day, all classified
information must be properly stored and secured

Systems Design
At this point in the Security SDLC, the analysis phase is complete and the design
phase begins; many work products have been created
Designing a plan for security begins by creating or validating a security blueprint

Then use the blueprint to plan the tasks to be accomplished and the order in which
to proceed
Setting priorities can follow the recommendations of published sources, published
standards provided by government agencies, or private consultants

Information Security Blueprints
One approach is to adapt or adopt a published model or framework for
information security
A framework is the basic skeletal structure within which additional detailed
planning of the blueprint can be placed as it is developed or refined
Experience teaches us that what works well for one organization may not
precisely fit another

ISO 17799/BS 7799
One of the most widely referenced and often discussed security models is the
Information Technology Code of Practice for Information Security Management,
which was originally published as British Standard BS 7799
This Code of Practice was adopted as an international standard by the
International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) as ISO/IEC 17799 in 2000 as a framework
for information security

ISO 17799 / BS 7799


Several countries have not adopted 17799 claiming there are fundamental
problems:
The global information security community has not defined any
justification for a code of practice as identified in the ISO/IEC 17799
17799 lacks the necessary measurement precision of a technical
standard
There is no reason to believe that 17799 is more useful than any other
approach currently available
17799 is not as complete as other frameworks available
17799 is perceived to have been hurriedly prepared given the tremendous
impact its adoption could have on industry information security controls
Organizational Security Policy is needed to provide management direction and
support
Objectives:
Operational Security Policy
Organizational Security Infrastructure

Asset Classification and Control
Personnel Security
Physical and Environmental Security
Communications and Operations Management
System Access Control
System Development and Maintenance
Business Continuity Planning
Compliance

NIST Security Models

Another approach available is described in the many documents available from
the Computer Security Resource Center of the National Institute of Standards
and Technology (csrc.nist.gov), including:
NIST SP 800-12 - The Computer Security Handbook
NIST SP 800-14 - Generally Accepted Principles and Practices for
Securing IT Systems
NIST SP 800-18 - The Guide for Developing Security Plans for IT
Systems

NIST SP 800-14
Security Supports the Mission of the Organization
Security is an Integral Element of Sound Management
Security Should Be Cost-Effective
Systems Owners Have Security Responsibilities Outside Their Own
Organizations
Security Responsibilities and Accountability Should Be Made Explicit
Security Requires a Comprehensive and Integrated Approach
Security Should Be Periodically Reassessed
Security is Constrained by Societal Factors
33 Principles enumerated

IETF Security Architecture
The Security Area Working Group acts as an advisory board for the protocols and
areas developed and promoted through the Internet Society
No specific architecture is promoted through IETF
RFC 2196: Site Security Handbook provides an overview of five basic areas of
security
Topics include:
security policies
security technical architecture
security services
security incident handling



VISA Model
VISA International promotes strong security measures and has security guidelines
Developed two important documents that improve and regulate its information
systems
Security Assessment Process
Agreed Upon Procedures
Using the two documents, a security team can develop a sound strategy for the
design of good security architecture
The only downside to this approach is the very specific focus on systems that can
or do integrate with VISA's systems

Baselining and Best Practices
Baselining and best practices are solid methods for collecting security practices,
but they can have the drawback of providing less detail than would a complete
methodology
It is possible to gain information by baselining and using best practices and thus
work backwards to an effective design
The Federal Agency Security Practices Site (fasp.csrc.nist.gov) is designed to
provide best practices for public agencies

Professional Membership
It may be worth the information security professional's time and money to join
professional societies that provide information on best practices for their members
Many organizations have seminars and classes on best practices for implementing
security
Finding information on security design is the easy part; sorting through the
collected mass of information, documents, and publications can take a substantial
investment in time and human resources

NIST SP 800-26
Management Controls
Risk Management
Review of Security Controls
Life Cycle Maintenance
Authorization of Processing (Certification and Accreditation)
System Security Plan
Operational Controls
Personnel Security

Physical Security
Production, Input/Output Controls
Contingency Planning
Hardware and Systems Software
Data Integrity
Documentation
Security Awareness, Training, and Education
Incident Response Capability
Technical Controls
Identification and Authentication
Logical Access Controls
Audit Trails

Sphere of Use
Generally speaking, the concept of the sphere is to represent the 360 degrees of
security necessary to protect information at all times
The first component is the sphere of use
Information, at the core of the sphere, is available for access by members of the
organization and other computer-based systems:
To gain access to the computer systems, one must either directly access
the computer systems or go through a network connection
To gain access to the network, one must either directly access the network
or go through an Internet connection

Sphere of Protection
The sphere of protection overlays each of the levels of the sphere of use with
a layer of security, protecting that layer from direct or indirect use through the
next layer

The people must become a layer of security, a human firewall that protects the
information from unauthorized access and use
Information security is therefore designed and implemented in three layers
policies
people (education, training, and awareness programs)
technology

Controls

Management controls cover security processes that are designed by the strategic
planners and performed by security administration of the organization
Operational controls deal with the operational functionality of security in the
organization
Operational controls also address personnel security, physical security, and the
protection of production inputs and outputs
Technical controls address those tactical and technical issues related to designing
and implementing security in the organization

The Framework
Management Controls
Program Management
System Security Plan
Life Cycle Maintenance
Risk Management
Review of Security Controls
Legal Compliance
Operational Controls
Contingency Planning
Security ETA
Personnel Security
Physical Security
Production Inputs and Outputs
Hardware & Software Systems Maintenance
Data Integrity
Technical Controls
Logical Access Controls
Identification, Authentication, Authorization, and Accountability
Audit Trails
Asset Classification and Control
Cryptography

SETA
As soon as the policies exist, policies to implement security education, training,
and awareness (SETA) should follow
SETA is a control measure designed to reduce accidental security breaches

Supplement the general education and training programs in place to educate staff
on information security
Security education and training builds on the general knowledge the employees
must possess to do their jobs, familiarizing them with the way to do their jobs
securely

SETA Elements
The SETA program consists of three elements
security education
security training
security awareness
The organization may not be capable or willing to undertake all three of these
elements but may outsource them
The purpose of SETA is to enhance security by:
Improving awareness of the need to protect system resources
Developing skills and knowledge so computer users can perform their jobs
more securely
Building in-depth knowledge, as needed, to design, implement, or operate
security programs for organizations and systems

Security Education
Everyone in an organization needs to be trained and aware of information security,
but not every member of the organization needs a formal degree or certificate in
information security
When formal education for appropriate individuals in security is needed an
employee can identify curriculum available from local institutions of higher
learning or continuing education

A number of universities have formal coursework in information security
(See for example http://infosec.kennesaw.edu)
Security Training
Security training involves providing members of the organization with detailed
information and hands-on instruction designed to prepare them to perform their
duties securely
Management of information security can develop customized in-house training or
outsource the training program
Security Awareness
One of the least frequently implemented, but the most beneficial programs is the
security awareness program
Designed to keep information security at the forefront of the users' minds
Need not be complicated or expensive
If the program is not actively implemented, employees begin to tune out, and the
risk of employee accidents and failures increases

Comments
Defense in Depth
One of the foundations of security architectures is the requirement to
implement security in layers
Defense in depth requires that the organization establish sufficient security
controls and safeguards, so that an intruder faces multiple layers of
controls
Security Perimeter
The point at which an organization's security protection ends, and the
outside world begins
Referred to as the security perimeter
Unfortunately the perimeter does not apply to internal attacks from
employee threats, or on-site physical threats

Key Technology Components
Other key technology components
A firewall is a device that selectively discriminates against information
flowing into or out of the organization
The DMZ (demilitarized zone) is a no-man's land, between the inside and
outside networks, where some organizations place Web servers
In an effort to detect unauthorized activity within the inner network, or on
individual machines, an organization may wish to implement Intrusion
Detection Systems or IDS





UNIT-V
PHYSICAL SECURITY


Physical security describes both measures that prevent or deter attackers from accessing
a facility, resource, or information stored on physical media, and guidance on how to
design structures to resist various hostile acts.[1] It can be as simple as a locked door or as
elaborate as multiple layers of armed security guards and guardhouse placement.
Physical security is not a modern phenomenon. Physical security exists in order to deter
persons from entering a physical facility. Historical examples of physical security include
city walls, moats, etc.
The key factor is that the technology used for physical security has changed over time.
While in past eras there was no passive infrared (PIR) based technology, electronic access
control systems, or video surveillance system (VSS) cameras, the essential methodology
of physical security has not altered over time.
The field of security engineering has identified the following elements to physical
security:
explosion protection;
obstacles, to frustrate trivial attackers and delay serious ones;
alarms, security lighting, security guard patrols or closed-circuit television
cameras, to make it likely that attacks will be noticed; and
security response, to repel, catch or frustrate attackers when an attack is detected.
In a well designed system, these features must complement each other.[2] There are at
least four layers of physical security:
Environmental design
Mechanical, electronic and procedural access control
Intrusion detection
Video monitoring
Personnel Identification
The goal is to convince potential attackers that the likely costs of attack exceed the value
of making the attack.

The initial layer of security for a campus, building, office, or physical space uses crime
prevention through environmental design to deter threats. Some of the most common
examples are also the most basic - barbed wire, warning signs and fencing, concrete
bollards, metal barriers, vehicle height-restrictors, site lighting and trenches.


Electronic access control
The next layer is mechanical and includes gates, doors, and locks. Key control of the
locks becomes a problem with large user populations and any user turnover. Keys quickly
become unmanageable forcing the adoption of electronic access control. Electronic
access control easily manages large user populations, controlling for user lifecycles
times, dates, and individual access points. For example, a user's access rights could allow
access from 0700 to 1900 Monday through Friday and expire in 90 days. Another form
of access control (procedural) includes the use of policies, processes and procedures to
manage the ingress into the restricted area. An example of this is the deployment of
security personnel conducting checks for authorized entry at predetermined points of
entry. This form of access control is usually supplemented by the earlier forms of access
control (i.e. mechanical and electronic access control), or simple devices such as physical
passes.
An additional sub-layer of mechanical/electronic access control protection is reached by
integrating a key management system to manage the possession and usage of mechanical
keys to locks or property within a building or campus.
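The electronic access control rule used as the example above (07:00 to 19:00, Monday through Friday, expiring after 90 days), worked through as an added example that is not part of the course notes. The credential holder, door names, issue date and badge presentations are constructed; the order of the checks and the audit record are our design choices.

```python
"""Electronic access control decision for a time-, day- and expiry-bound credential.

Added example, not from the course notes. It evaluates badge presentations
against the rule described in the text (07:00-19:00, Monday through Friday,
expiring 90 days after issue) and writes an audit record for every decision.
Credential holders, doors and request timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import FrozenSet, List, Tuple

WEEKDAYS = frozenset(range(0, 5))   # Monday (0) through Friday (4)


@dataclass(frozen=True)
class AccessRule:
    holder: str
    doors: FrozenSet[str]      # access points this credential is valid for
    start: time                # first permitted time of day (inclusive)
    end: time                  # end of the permitted window (exclusive)
    days: FrozenSet[int]       # permitted weekdays, datetime.weekday() numbering
    issued: date
    valid_days: int

    @property
    def expires_on(self) -> date:
        """First day on which the credential no longer works."""
        return self.issued + timedelta(days=self.valid_days)


def decide(rule: AccessRule, door: str, when: datetime) -> Tuple[bool, str]:
    """Return (granted, reason) for one badge presentation. Every check must pass."""
    if door not in rule.doors:
        return False, "door not covered by credential"
    if when.date() >= rule.expires_on:
        return False, "credential expired"
    if when.weekday() not in rule.days:
        return False, "outside permitted days"
    if not (rule.start <= when.time() < rule.end):
        return False, "outside permitted hours"
    return True, "granted"


def audit_trail(rule: AccessRule, requests: List[Tuple[str, datetime]]) -> List[dict]:
    """Every presentation, granted or denied, is recorded for later review."""
    trail = []
    for door, when in requests:
        granted, reason = decide(rule, door, when)
        trail.append({"when": when.isoformat(sep=" "), "holder": rule.holder,
                      "door": door, "granted": granted, "reason": reason})
    return trail


# Constructed credential: issued Monday 2024-01-08, so it stops working on 2024-04-07.
CONTRACTOR = AccessRule(
    holder="contractor-0142",
    doors=frozenset({"lab-east", "loading-dock"}),
    start=time(7, 0), end=time(19, 0), days=WEEKDAYS,
    issued=date(2024, 1, 8), valid_days=90,
)

# Constructed presentations, including the boundary cases.
REQUESTS = [
    ("lab-east",     datetime(2024, 1, 10, 8, 30)),   # Wednesday, within hours
    ("lab-east",     datetime(2024, 1, 10, 7, 0)),    # exactly at opening time
    ("lab-east",     datetime(2024, 1, 13, 10, 0)),   # Saturday
    ("loading-dock", datetime(2024, 1, 10, 19, 0)),   # exactly at closing time
    ("server-room",  datetime(2024, 1, 10, 9, 0)),    # door not on the credential
    ("lab-east",     datetime(2024, 4, 5, 9, 0)),     # Friday, last working days
    ("lab-east",     datetime(2024, 4, 8, 9, 0)),     # Monday after expiry
]

if __name__ == "__main__":
    for record in audit_trail(CONTRACTOR, REQUESTS):
        print(record)
```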
The third layer is intrusion detection systems or alarms. Intrusion detection monitors for
attacks. It is less a preventative measure and more of a response measure, although some
would argue that it is a deterrent. Intrusion detection has a high incidence of false alarms.
In many jurisdictions, law enforcement will not respond to alarms from intrusion
detection systems.




Figure: Closed-circuit television sign
The last layer is video monitoring systems. Security cameras can be a deterrent in many
cases, but their real power comes from incident verification[3] and historical analysis.[4]
For example, if alarms are being generated and there is a camera in place, the camera
could be viewed to verify the alarms. In instances when an attack has already occurred
and a camera is in place at the point of attack, the recorded video can be reviewed.
Although the term closed-circuit television (CCTV) is common, it is quickly becoming
outdated as more video systems lose the closed circuit for signal transmission and are
instead transmitting on computer networks. Advances in information technology are
transforming video monitoring into video analysis. For instance, once an image is
digitized it can become data that sophisticated algorithms can act upon. As the speed and
accuracy of automated analysis increases, the video system could move from a
monitoring system to an intrusion detection system or access control system. It is not a
stretch to imagine a video camera inputting data to a processor that outputs to a door
lock. Instead of using some kind of key, whether mechanical or electrical, a person's
visage is the key. FST21, an Israeli company that entered the US market this year,
markets intelligent buildings that do just that.[5] When actual design and implementation
is considered, there are numerous types of security cameras that can be used for many
different applications. One must analyze their needs and choose accordingly.[6]



Figure: Private factory guard

Intertwined in these four layers are people. Guards have a role in all layers: in the first as
patrols and at checkpoints; in the second to administer electronic access control; in the
third to respond to alarms, where the response force must be able to arrive on site in less
time than the attacker is expected to require to breach the barriers; and in the fourth to
monitor and analyze video. Users obviously have a role also by questioning and reporting
suspicious people. Aiding in identifying people as known versus unknown are
identification systems. Often photo ID badges are used and are frequently coupled to the
electronic access control system. Visitors are often required to wear a visitor badge.
Other physical security tools
In recent times, new developments in information and communications technology, as
well as new demands on security managers, have widened the scope of physical security
apparatus.
Fire alarm systems are increasingly becoming based on Internet Protocol, thus leading to
them being accessible via local and wide area networks within organisations. Emergency
notification is now a new standard in many industries, as well as physical security
information management (PSIM). A PSIM application integrates all physical security
systems in a facility, and provides a single and comprehensive means of managing all of
these resources. It consequently saves on time and cost in the effective management of
physical security.
Many installations, serving a myriad of different purposes, have physical obstacles in
place to deter intrusion. This can be high walls, barbed wire, glass mounted on top of
walls, etc.
PIR-based motion detectors are common in many places as a means of detecting intrusion
into a physical installation. Moreover, VSS/CCTV cameras are becoming increasingly
common as a means of identifying persons who intrude into physical locations.
Businesses use a variety of options for physical security, including security guards,
electric security fencing, cameras, motion detectors, and light beams.
ATMs (cash dispensers) are protected, not by making them invulnerable, but by spoiling
the money inside when they are attacked. Money tainted with a dye could act as a flag to
the money's unlawful acquisition.
Safes are rated in terms of the time in minutes which a skilled, well equipped safe-breaker
is expected to require to open the safe. These ratings are developed by highly skilled
safe breakers employed by insurance agencies, such as Underwriters Laboratories.
In a properly designed system, either the time between inspections by a patrolling guard
should be less than that time, or an alarm response force should be able to reach it in less
than that time.
Hiding the resources, or hiding the fact that resources are valuable, is also often a good
idea as it will reduce the exposure to opponents and will cause further delays during an
attack, but should not be relied upon as a principal means of ensuring security. (See
security through obscurity and inside job.)
Not all aspects of Physical Security need be high tech. Even something as simple as a
thick or thorny bush can add a layer of physical security to some premises, especially in a
residential setting.




Firewalls

A firewall is any device that prevents a specific type of information from moving
between the untrusted network outside and the trusted network inside
There are five recognized generations of firewalls
The firewall may be:
a separate computer system
a service running on an existing router or server
a separate network containing a number of supporting devices

Different generations of firewalls:

First Generation
Called packet filtering firewalls
Examines every incoming packet header and selectively filters packets based on address,
packet type, port request, and other factors
The restrictions most commonly implemented are based on:
IP source and destination address
Direction (inbound or outbound)
TCP or UDP source and destination port requests

Second Generation
Called application-level firewall or proxy server
Often a dedicated computer separate from the filtering router
With this configuration the proxy server, rather than the Web server, is exposed to
the outside world in the DMZ
Additional filtering routers can be implemented behind the proxy server
The primary disadvantage of application-level firewalls is that they are designed
for a specific protocol and cannot easily be reconfigured to protect against
attacks on protocols for which they are not designed

Third Generation
Called stateful inspection firewalls
Keeps track of each network connection established between internal and external
systems using a state table which tracks the state and context of each packet in the
conversation by recording which station sent what packet.
These firewalls can track connectionless packet traffic such as UDP and remote
procedure calls (RPC) traffic


Fourth Generation

While static filtering firewalls, such as first and third generation, allow entire sets
of one type of packet to enter in response to authorized requests, a dynamic
packet filtering firewall allows only a particular packet with a particular source,
destination, and port address to enter through the firewall
It does this by understanding how the protocol functions, and opening and closing
doors in the firewall, based on the information contained in the packet header.
In this manner, dynamic packet filters are an intermediate form, between
traditional static packet filters and application proxies
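An added example (not from the course notes) that contrasts the first-generation static filter with the state table of stateful and dynamic packet filtering described above: the static rule set must leave an inbound "reply" rule permanently open, while the stateful filter admits an inbound packet only as the reply to a recorded outbound conversation. The addresses, rules and packet trace are constructed (outside hosts use RFC 5737 documentation ranges).

```python
"""Static packet filtering versus stateful inspection on a constructed trace.

Added example, not from the course notes. The static filter matches the
header fields the text lists (direction, protocol, source/destination
address, destination port). The stateful filter records each permitted
outbound connection in a state table and admits an inbound packet only as
the reply to a recorded conversation, which is the 'door' that dynamic
packet filtering opens and closes. Addresses, rules and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the untrusted network) or "out"
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src: str                              # CIDR block
    dst: str                              # CIDR block
    dports: Optional[Tuple[int, int]]     # inclusive destination port range, None = any
    allow: bool


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.proto == pkt.proto
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dports is None or rule.dports[0] <= pkt.dport <= rule.dports[1]))


def static_decide(rules: List[Rule], pkt: Packet) -> bool:
    """First-generation filter: first matching rule wins, otherwise default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.allow
    return False


class StatefulFilter:
    """Permits outbound flows by rule and inbound packets only as replies to them."""

    def __init__(self, outbound_rules: List[Rule]) -> None:
        self.rules = outbound_rules
        # State table entry: (proto, inside addr, inside port, outside addr, outside port)
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if static_decide(self.rules, pkt):
                self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False
        # Inbound: the conversation must already exist, keyed from the inside host's view.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state


INSIDE = "10.0.0.0/8"

# Static rule set: let inside hosts browse the web, and let the replies back in.
# The inbound rule has to stay open for any outside source to any inside high port.
STATIC_RULES = [
    Rule("out", "tcp", INSIDE, "0.0.0.0/0", (80, 80), allow=True),
    Rule("in", "tcp", "0.0.0.0/0", INSIDE, (1024, 65535), allow=True),
]

# The stateful filter only needs the outbound policy; replies are derived from state.
OUTBOUND_ONLY = [STATIC_RULES[0]]

# Constructed trace: a request/reply pair, then an inbound packet that no inside host
# asked for but that fits the always-open reply rule, then a disallowed outbound flow.
TRACE = [
    Packet("out", "tcp", "10.0.0.7", 40000, "198.51.100.20", 80),
    Packet("in", "tcp", "198.51.100.20", 80, "10.0.0.7", 40000),
    Packet("in", "tcp", "203.0.113.5", 80, "10.0.0.7", 40001),
    Packet("out", "tcp", "10.0.0.7", 40002, "198.51.100.20", 22),
]


def run_trace(packets: List[Packet]) -> List[Tuple[bool, bool]]:
    """(static decision, stateful decision) for each packet, in order."""
    stateful = StatefulFilter(OUTBOUND_ONLY)
    return [(static_decide(STATIC_RULES, p), stateful.decide(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (static_ok, stateful_ok) in zip(TRACE, run_trace(TRACE)):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  static={static_ok}  stateful={stateful_ok}")
```

The third packet is the difference the text describes: the static filter accepts it because the whole class of "replies" is open, while the stateful filter rejects it because no inside host opened that conversation.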

Fifth Generation
The final form of firewall is the kernel proxy, a specialized form that works under
the Windows NT Executive, which is the kernel of Windows NT
It evaluates packets at multiple layers of the protocol stack, by checking security
in the kernel as data is passed up and down the stack

Firewalls are categorized by processing modes
The five processing modes are
1) Packet filtering
2) Application gateways
3) Circuit gateways
4) MAC layer firewalls
5) Hybrids

Packet-filtering Routers
Most organizations with an Internet connection have some form of a router as the
interface at the perimeter between the organization's internal networks and the
external service provider
Many of these routers can be configured to filter packets that the organization
does not allow into the network
This is a simple but effective means to lower the organization's risk from external
attack
The drawback to this type of system includes a lack of auditing and strong
authentication
The complexity of the access control lists used to filter the packets can grow and
degrade network performance



Screened-Host Firewall Systems
Combine the packet-filtering router with a separate, dedicated firewall
such as an application proxy server


Dual-homed Host Firewalls
The bastion-host contains two NICs (network interface cards)
One NIC is connected to the external network, and one is connected to the
internal network. With two NICs all traffic must physically go through the
firewall to move between the internal and external networks
A technology known as network-address translation (NAT) is commonly
implemented with this architecture to map from real, valid, external IP
addresses to ranges of internal IP addresses that are non-routable
Screened-Subnet Firewalls?
Screened-Subnet Firewalls (with DMZ)
Consists of two or more internal bastion-hosts, behind a packet-filtering router,
with each host protecting the trusted network
The first general model consists of two filtering routers, with one or more
dual-homed bastion-hosts between them
The second general model involves the connection from the outside or untrusted
network going through this path:
o Through an external filtering router
o Into and then out of a routing firewall to the separate network segment known
as the DMZ.

The factors to be considered while selecting a right firewall
Selecting the Right Firewall
What type of firewall technology offers the right balance of protection features
and cost for the needs of the organization?
What features are included in the base price? What features are available at extra
cost? Are all cost factors known?
How easy is it to set up and configure the firewall? How accessible are staff
technicians with the mastery to do it well?
Can the candidate firewall adapt to the growing network in the target
organization?

What are SOCKS Servers?
SOCKS Servers
The SOCKS system is a proprietary circuit-level proxy server that places special
SOCKS client-side agents on each workstation
Places the filtering requirements on the individual workstation, rather than on a
single point of defense (and thus point of failure)
This frees the entry router of filtering responsibilities, but then requires each
A SOCKS system can require additional support and management resources to
configure and manage possibly hundreds of individual clients, versus a single device or
set of devices

The recommended practices in designing firewalls
Firewall Recommended Practices
All traffic from the trusted network is allowed out
The firewall device is always inaccessible directly from the public network
Allow Simple Mail Transport Protocol (SMTP) data to pass through your firewall,
but ensure it is all routed to a well-configured SMTP gateway to filter and route
messaging traffic securely
All Internet Control Message Protocol (ICMP) data should be denied
Block telnet (terminal emulation) access to all internal servers from the public
networks
When Web services are offered outside the firewall, deny HTTP traffic from
reaching your internal networks by using some form of proxy access or DMZ
architecture
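The following is an added example, not part of the course notes: a toy packet filter in Python that encodes the recommended practices above as an ordered rule set and adds the state table described under the third-generation (stateful inspection) firewall, so replies to connections opened from the trusted side are admitted without an inbound rule. The networks, the firewall address and the SMTP gateway address are constructed assumptions.

```python
"""Toy stateful packet filter (added example; addresses are constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TRUSTED = ip_network("10.0.0.0/8")          # assumed internal (trusted) network
DMZ = ip_network("192.0.2.0/24")            # assumed DMZ segment
FIREWALL_IP = ip_address("203.0.113.1")     # assumed public address of the firewall
SMTP_GATEWAY = ip_address("192.0.2.25")     # assumed well-configured SMTP gateway in the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False   # True for a TCP connection request


def static_rule(p: Packet) -> str:
    """Static (stateless) rules in the order of the recommended practices; first match wins."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if dst == FIREWALL_IP:                      # firewall never reachable from the public network
        return "deny"
    if p.proto == "icmp":                       # all ICMP denied
        return "deny"
    if src in TRUSTED:                          # all traffic from the trusted network allowed out
        return "allow"
    if p.proto == "tcp" and p.dport == 23 and dst in TRUSTED:
        return "deny"                           # telnet to internal servers blocked
    if p.proto == "tcp" and p.dport == 25:      # SMTP only via the hardened gateway
        return "allow" if dst == SMTP_GATEWAY else "deny"
    if p.proto == "tcp" and p.dport == 80:      # HTTP only into the DMZ, never internal
        return "allow" if dst in DMZ else "deny"
    return "deny"                               # default deny


class StatefulFilter:
    """Stateful inspection: remember allowed connections, admit their replies."""

    def __init__(self):
        self.state = set()   # entries: (client, client_port, server, server_port, proto)

    def filter(self, p: Packet) -> str:
        reply_key = (p.dst, p.dport, p.src, p.sport, p.proto)
        if reply_key in self.state:             # reply to a connection we already allowed
            return "allow"
        verdict = static_rule(p)
        if verdict == "allow" and (p.proto == "udp" or p.syn):
            self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return verdict


if __name__ == "__main__":
    fw = StatefulFilter()
    out = Packet("10.1.1.5", "198.51.100.7", "tcp", 40000, 443, syn=True)
    back = Packet("198.51.100.7", "10.1.1.5", "tcp", 443, 40000)
    print(fw.filter(out), fw.filter(back))   # allow allow (reply matched in state table)
```

Note that the ICMP rule sits before the "trusted allowed out" rule, so outbound ping is also dropped; reordering the rules changes the policy, which is why rule order is part of the configuration review.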


Intrusion Detection Systems (IDSs)
An IDS operates as either network-based, when the technology is focused on
protecting network information assets, or host-based, when the technology is focused
on protecting server or host information assets
IDSs use one of two detection methods, signature-based or statistical anomaly-based




Different types of IDSs
a) Network-based IDS
A network-based IDS (NIDS) resides on a computer or an appliance connected to a
segment of an organization's network and monitors traffic on that network
segment, looking for indications of ongoing or successful attacks.
b) Host-based IDS
A host-based IDS (HIDS) works differently from a network-based IDS.
While a network-based IDS resides on a network segment and monitors activities
across that segment, a host-based IDS resides on a particular computer or server, known
as the host, and monitors activity only on that system. HIDSs are also known as System
Integrity Verifiers, as they benchmark and monitor the status of key system files and
detect when an intruder creates, modifies or deletes monitored files. A HIDS is also
capable of monitoring system configuration databases, such as Windows registries, in
addition to stored configuration files like .ini, .cfg, and .dat files.
c) Application-based IDS
A refinement of the host-based IDS is the application-based IDS (AppIDS). Whereas
the HIDS examines a single system for file modification, the application-based IDS
examines an application for abnormal incidents. It looks for anomalous occurrences such
as users exceeding their authorization, invalid file executions, etc.
d) Signature-based IDS
This category and the next are based on the detection method used. A signature-based IDS
(also called a knowledge-based IDS) examines data traffic in search of patterns that match
known signatures, that is, preconfigured, predetermined attack patterns.
Many attacks have clear and distinct signatures, for example:
(i) footprinting and fingerprinting activities have an attack pattern that includes
the use of ICMP, DNS querying, and e-mail routing analysis;
(ii) exploits involve a specific attack sequence designed to take advantage of a
vulnerability to gain access to a system;
(iii) Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
e)Statistical Anomaly-Based IDS(Also called Behaviour-based IDS)
This approach detects intrusions based on the frequency with which certain
network activities take place. A statistical anomaly-based IDS collects statistical
summaries by observing traffic that is known to be normal. A baseline is
established from this normal period. The stat IDS then periodically samples network
activity and, using statistical methods, compares the sampled network activity to the
baseline. When the measured activities are outside the baseline parameters, they are said to
exceed the clipping level; at this point, the IDS triggers an alert to notify the
administrator.
f) Log File Monitors(LFM)
A Log File Monitor (LFM) is an approach to IDS that is similar to NIDS. Using LFM,
the system reviews the log files generated by servers, network devices, and other
IDSs. These systems look for patterns and signatures in the log files that may indicate that an
attack or intrusion is in progress or has already succeeded.
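The two detection methods described above (signature-based and statistical anomaly-based), run as a log file monitor over constructed sample log lines; this is an added example in Python, not part of the course notes. The signatures, the log line format and the clipping level (baseline mean plus three standard deviations) are assumptions made for the example.

```python
"""Signature-based and statistical anomaly-based detection over log lines (added example)."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed signatures: (name, regular expression applied to one log line)
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./")),
    ("shell metacharacter in query", re.compile(r"\?[^ ]*[;|`]")),
    ("telnet to internal server", re.compile(r" dst_port=23 ")),
]


def signature_matches(lines):
    """Return (line_number, signature_name) for every line matching a known pattern."""
    hits = []
    for number, line in enumerate(lines, 1):
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((number, name))
    return hits


def requests_per_interval(lines, interval_seconds=60):
    """Count log lines per time bucket; each line starts with 'HH:MM:SS'."""
    buckets = Counter()
    for line in lines:
        h, m, s = (int(x) for x in line.split(" ", 1)[0].split(":"))
        buckets[(h * 3600 + m * 60 + s) // interval_seconds] += 1
    return buckets


class AnomalyDetector:
    """Baseline from traffic assumed normal; alert when an interval exceeds the clipping level."""

    def __init__(self, normal_lines, k=3.0):
        counts = list(requests_per_interval(normal_lines).values())
        self.baseline_mean = mean(counts)
        self.clipping_level = self.baseline_mean + k * pstdev(counts)

    def alerts(self, lines):
        """Bucket ids (minute since midnight) whose request rate exceeds the clipping level."""
        return sorted(b for b, c in requests_per_interval(lines).items()
                      if c > self.clipping_level)


def _lines(minute, n, src="198.51.100.7", request="dst_port=80 GET /index.html"):
    """Construct n sample log lines inside one minute of hour 12 (constructed data)."""
    return [f"12:{minute:02d}:{i % 60:02d} src={src} {request}" for i in range(n)]


# Constructed baseline: 5, 6, 5 and 4 requests in four consecutive minutes
NORMAL_LOG = _lines(0, 5) + _lines(1, 6) + _lines(2, 5) + _lines(3, 4)
# Constructed observation: a burst of 20 requests in minute 11, then two suspicious lines
OBSERVED_LOG = (_lines(10, 5) + _lines(11, 20)
                + _lines(12, 1, src="198.51.100.9", request="dst_port=80 GET /../../config")
                + _lines(12, 1, src="198.51.100.9", request="dst_port=23 connect"))


if __name__ == "__main__":
    detector = AnomalyDetector(NORMAL_LOG)
    print("clipping level:", round(detector.clipping_level, 2))   # 7.12
    print("anomalous minutes:", detector.alerts(OBSERVED_LOG))    # [731] -> 12:11
    print("signature hits:", signature_matches(OBSERVED_LOG))
```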

What are Honey Pots, Honey Nets, and Padded Cell Systems?
A class of powerful security tools that go beyond routine intrusion detection is
known variously as honey pots, honey nets, and padded cell systems.
Honey pots are decoy systems designed to lure potential attackers away from critical
systems and encourage attacks against themselves. These systems are created for the
sole purpose of deceiving potential attackers. In industry they are known as decoys, lures,
and fly-traps.

When a collection of honey pots connects several honey pot systems on a subnet, it may
be called a honey net.

In sum, honey pots are designed to
i) Divert an attacker from accessing critical systems.
ii) Collect information about the attacker's activity
iii) Encourage the attacker to stay on the system long enough for administrators to
document the event and, perhaps, respond.

A padded cell is a honey pot that has been protected so that it cannot be easily
compromised. In other words, a padded cell is a hardened honey pot.

The advantages and disadvantages of using honey pot or padded cell
approach
Advantages:
Attackers can be diverted to targets that they cannot damage.
Administrators have time to decide how to respond to an attacker.
Attackers' actions can be easily and extensively monitored.
Honey pots may be effective at catching insiders who are snooping around a
network.
Disadvantages:
The legal implications of using such devices are not well defined.
Honey pots and padded cells have not yet been shown to be generally useful
security technologies.
An expert attacker, once diverted into a decoy system, may become angry and
launch a hostile attack against an organization's systems.
Admins and security managers will need a high level of expertise to use these
systems.

How are Scanning and Analysis tools useful in enforcing Information Security?
Scanning and Analysis Tools
Scanners, sniffers, and other analysis tools are useful to security administrators in
enabling them to see what the attacker sees
Scanner and analysis tools can find vulnerabilities in systems
One of the preparatory parts of an attack is known as footprinting: collecting IP
addresses and other useful data
The next phase of the pre-attack data gathering process is called fingerprinting:
scanning all known addresses to make a network map of the target
What are footprinting and fingerprinting?

The attack protocol is a series of steps or processes used by an attacker, in a logical
sequence, to launch an attack against a target system or network. One of the preparatory
parts of the attack protocol is the collection of publicly available information about a
potential target, a process known as footprinting.
Footprinting is the organized research of the Internet addresses owned or controlled by
the target organization. The attacker uses public Internet data sources to perform keyword
searches to identify the network addresses of the organization. This research is
augmented by browsing the organization's web pages.

The next phase of the attack protocol is a second intelligence or data-gathering process
called fingerprinting. This is a systematic survey of all of the target organization's
Internet addresses (which are collected during the footprinting phase); the survey is
conducted to ascertain the network services offered by the hosts in that range.
Fingerprinting reveals useful information about the internal structure and operational
nature of the target system or network for the anticipated attack.
Different types of Scanning and Analysis tools available
Port Scanners
Port scanners fingerprint networks to find ports and services and other useful
information

Why secure open ports?
An open port can be used to send commands to a computer, gain access to a
server, and exert control over a networking device
o The general rule of thumb is to remove from service or secure any port not
absolutely necessary for the conduct of business

Vulnerability Scanners
Vulnerability scanners are capable of scanning networks for very detailed
information
As a class, they identify exposed usernames and groups, show open network
shares, expose configuration problems, and find other vulnerabilities in servers

Packet Sniffers
A network tool that collects copies of packets from the network and analyzes them
Can be used to eavesdrop on the network traffic
To use a packet sniffer legally, you must:
be on a network that the organization owns
be under direct authorization of the owners of the network
have the knowledge and consent of the content creators (users)

Content Filters
Although technically not a firewall, a content filter is a software filter that allows
administrators to restrict accessible content from within a network
The content filtering restricts Web sites with inappropriate content

Trap and Trace
Trace: determine the identity of someone using unauthorized access
Better known as honey pots, they distract the attacker while notifying the
Administrator

What is Cryptography?
Cryptography, which comes from the Greek words kryptos, meaning hidden, and
graphein, meaning to write, is a process of making and using codes to secure the
transmission of information.
Cryptanalysis is the process of obtaining the original message (called the plaintext) from an
encrypted message (called the ciphertext) without knowing the algorithms and keys used
to perform the encryption.
Encryption is the process of converting an original message into a form that is unreadable
to unauthorized individuals, that is, to anyone without the tools to convert the encrypted
message back to its original format.
Decryption is the process of converting the ciphertext into a message that conveys
readily understood meaning.


Basic Encryption Definitions
Algorithm: the mathematical formula used to convert an unencrypted message into
an encrypted message.
Cipher: the transformation of the individual components (characters, bytes, or bits) of
an unencrypted message into encrypted components.
Ciphertext or cryptogram: the unintelligible encrypted or encoded message
resulting from an encryption.
Code: the transformation of the larger components (words or phrases) of an
unencrypted message into encrypted components.
Cryptosystem: the set of transformations necessary to convert an unencrypted
message into an encrypted message.
Decipher: to decrypt or convert ciphertext to plaintext.
Encipher: to encrypt or convert plaintext to ciphertext.
Key or cryptovariable: the information used in conjunction with the algorithm to
create ciphertext from plaintext.
Keyspace: the entire range of values that can possibly be used to construct an
individual key.
Link encryption: a series of encryptions and decryptions between a number of
systems, whereby each node decrypts the message sent to it and then re-encrypts it
using different keys and sends it to the next neighbor, until it reaches the final
destination.
Plaintext: the original unencrypted message that is encrypted and results from
successful decryption.
Steganography: the process of hiding messages in a picture or graphic.
Work factor: the amount of effort (usually in hours) required to perform
cryptanalysis on an encoded message.

Data Encryption Standard (DES)
Developed in 1977 by IBM
Based on the Data Encryption Algorithm (DEA)
Uses a 64-bit block size and a 56-bit key
With a 56-bit key, the algorithm has 2^56 possible keys to choose from (over
a quadrillion)
DES is a federally approved standard for non classified data
DES was cracked in 1997 when RSA put a bounty on the algorithm, offering
$10,000 to the team that cracked it; fourteen thousand users collaborated
over the Internet to finally break the encryption

Triple DES (3DES)
Developed as an improvement to DES
Uses up to three keys in succession and also performs three different encryption
operations:
3DES encrypts the message three times with three different keys, the most
secure level of encryption possible with 3DES
In 1998, it took a dedicated computer designed by the Electronic Freedom
Frontier (www.eff.org) over 56 hours to crack DES
The successor to 3DES is the Advanced Encryption Standard (AES), based on the
Rijndael block cipher, a block cipher with a variable block length and a key length of
either 128, 192, or 256 bits
It would take the same computer approximately 4,698,864 quintillion years to
crack AES

Digital Signatures
An interesting thing happens when the asymmetric process is reversed, that is the
private key is used to encrypt a short message
The public key can be used to decrypt it, and the fact that the message was sent by
the organization that owns the private key cannot be refuted
This is known as nonrepudiation, which is the foundation of digital signatures
Digital Signatures are encrypted messages that are independently verified by a
central facility (registry) as authentic
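The reversed asymmetric process described above, worked through with textbook RSA in Python; this is an added example and not part of the course notes. The private key "encrypts" a digest of the message, anyone holding the public key "decrypts" it and compares, and a single changed character breaks verification. The primes, the message and the omission of a padding scheme are simplifications for the example; real signature schemes use far larger keys and padding such as PSS.

```python
"""Textbook RSA signing and verification (added example; keys are constructed)."""
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Build an RSA keypair from two primes; raises ValueError if e has no inverse mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent (modular inverse, Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)


def message_digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the range of the modulus (no padding: toy only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """'Encrypt' the digest with the private key: only the key owner can produce this value."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """'Decrypt' the signature with the public key and compare against a fresh digest."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


# Constructed demonstration keys: 2**31 - 1 and 1000003 are primes chosen for readability,
# not for security (a real modulus is thousands of bits long).
PUBLIC_KEY, PRIVATE_KEY = make_keypair(2**31 - 1, 1000003)
OTHER_PUBLIC_KEY, _ = make_keypair(2**31 - 1, 999983)   # a different organization's key


def demo():
    """Return the three verification outcomes a relying party cares about."""
    message = b"Transfer 100 to account 42"           # constructed sample message
    signature = sign(message, PRIVATE_KEY)
    return {
        "genuine": verify(message, signature, PUBLIC_KEY),
        "tampered": verify(b"Transfer 900 to account 42", signature, PUBLIC_KEY),
        "wrong_signer": verify(message, signature, OTHER_PUBLIC_KEY),
    }


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'tampered': False, 'wrong_signer': False}
```

The nonrepudiation property rests on the private exponent d never leaving the signer: verification needs only (n, e), so the verifier cannot have produced the signature itself.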


PKI or Public Key Infrastructure
Public Key Infrastructure is the entire set of hardware, software, and
cryptosystems necessary to implement public key encryption
PKI systems are based on public-key cryptosystems and include digital certificates
and certificate authorities (CAs) and can:
Issue digital certificates
Issue crypto keys
Provide tools to use crypto to secure information
Provide verification and return of certificates

PKI Benefits
PKI protects information assets in several ways:
Authentication
Integrity
Privacy
Authorization
Nonrepudiation

Securing E-mail
Encryption cryptosystems have been adapted to inject some degree of security
into e-mail:
S/MIME builds on the Multipurpose Internet Mail Extensions (MIME)
encoding format by adding encryption and authentication
Privacy Enhanced Mail (PEM) was proposed by the Internet Engineering
Task Force (IETF) as a standard to function with the public key
cryptosystems
PEM uses 3DES symmetric key encryption and RSA for key exchanges
and digital signatures
Pretty Good Privacy (PGP) was developed by Phil Zimmermann and uses
the IDEA cipher along with RSA for key exchange

Seven Major Sources of Physical Loss
Temperature extremes
Gases
Liquids
Living organisms
Projectiles
Movement
Energy anomalies

Secure facility
A secure facility is a physical location that has been engineered with controls designed
to minimize the risk of attacks from physical threats. A secure facility can use the natural
terrain, traffic flow, and urban development, and can complement these features with
protection mechanisms such as fences, gates, walls, guards, and alarms

Controls for Protecting the Secure Facility
Walls, Fencing, and Gates
Guards
Dogs, ID Cards, and Badges
Locks and Keys
Mantraps
Electronic Monitoring
Alarms and Alarm Systems
Computer Rooms
Walls and Doors

Controls used in a Secure Facility
ID Cards and Badges
Ties physical security to information access with identification cards (ID) and/or
name badges
ID card is typically concealed
Name badge is visible
These devices are actually biometrics (facial recognition)
Should not be the only control as they can be easily duplicated, stolen, and modified
Tailgating occurs when unauthorized individuals follow authorized users through the
control

Locks and Keys
There are two types of locks
mechanical and electro-mechanical

Locks can also be divided into four categories
manual, programmable, electronic, and biometric

Locks fail and facilities need alternative procedures for access
Locks fail in one of two ways:

when the lock of a door fails and the door becomes unlocked, that is a fail-safe
lock
when the lock of a door fails and the door remains locked, this is a fail-secure
lock

Electronic Monitoring
Records events where other types of physical controls are not practical
May use cameras with video recorders
Drawbacks:
o reactive and do not prevent access or prohibited activity
o recordings often not monitored in real time and must be reviewed to have any
value

Alarms and Alarm Systems
Alarm systems notify when an event occurs
Used for fire, intrusion, environmental disturbance, or an interruption in services
These systems rely on sensors that detect the event: motion detectors, smoke detectors,
thermal detectors, glass breakage detectors, weight sensors, and contact sensors


Computer Rooms and Wiring Closets
Computer rooms and wiring and communications closets require special attention
Logical controls are easily defeated, if an attacker gains physical access to the
computing equipment
Custodial staff are often the least scrutinized of those who have access to offices and
are given the greatest degree of unsupervised access

Interior Walls and Doors
The walls in a facility are typically either:
o standard interior
o firewall
All high-security areas must have firewall-grade walls to provide physical security
from potential intruders and improve the facility's resistance to fires
Doors that allow access into secured rooms should also be evaluated
Computer rooms and wiring closets can have push or crash bars installed to meet
building codes and provide much higher levels of security than the standard door pull
handle
Fire Safety
The most serious threat to the safety of the people who work in the organization is
the possibility of fire
Fires account for more property damage, personal injury, and death than any other
threat
It is imperative that physical security plans examine and implement strong
measures to detect and respond to fires and fire hazards

Fire Detection and Response
Fire suppression systems are devices installed and maintained to detect and
respond to a fire
They work to deny an environment of one of the three requirements for a fire to
burn: heat, fuel, and oxygen

Water and water mist systems reduce the temperature and saturate some fuels
to prevent ignition
Carbon dioxide systems rob fire of its oxygen
Soda acid systems deny fire its fuel, preventing spreading
Gas-based systems disrupt the fire's chemical reaction but leave enough
oxygen for people to survive for a short time

Chief Information Security Officer
The top information security position in the organization, not usually an executive
and frequently reports to the Chief Information Officer
The CISO performs the following functions:
Manages the overall InfoSec program
Drafts or approves information security policies
Works with the CIO on strategic plans, develops tactical plans, and works with
security managers on operational plans
Develops InfoSec budgets based on funding
Sets priorities for InfoSec projects & technology
Makes decisions in recruiting, hiring, and firing of security staff
Acts as the spokesperson for the security team
