UNIT – IV
CHAPTER
4 E-Security System
SYNOPSIS
4.1 Introduction
4.2 Threats to Computer Systems and Control measure
4.3 IT Risk
4.4 Information systems security
4.5 Security on the internet
4.6 E-Business Risk Management Issues
4.7 Understanding and defining Enterprise wide security framework
4.8 Information Security Environment in India with respect to real Time Application in Business.
4.9 Security measures in International and Cross Border financial transactions.
4.10 Threat Hunting Software
Review Questions
IT RISK MANAGEMENT
IT risk management is the application of the principles of risk management to an
IT organization in order to manage the risks associated with the field. IT risk
management aims to manage the risks that come with the ownership, involvement,
operation, influence, adoption and use of IT as part of a larger enterprise.
IT risk management is a component of a larger enterprise risk management
system. This encompasses not only the risks and negative effects of service and
operations that can degrade organizational value, but it also takes the potential
benefits of risky ventures into account.
As a general rule, risk is defined as the product of the likelihood of occurrence
and the impact an event could have. In IT, however, risk is defined as the product of
the asset value, the system's vulnerability to that risk and the threat it poses for the
organization.
IT risks are managed according to the following steps:
Assessment: Each risk is discovered and assessed for severity.
Mitigation: Countermeasures are put in place to reduce the impact of particular risks.
Evaluation and Re-Assessment: At the end of a project, the effectiveness of any countermeasures (along with their cost-effectiveness) is evaluated. Based on the results, actions are taken to improve, change or keep the existing plans.
Risk Assessment
Risk Management is a recurrent activity that deals with the analysis, planning,
implementation, control and monitoring of implemented measures and the
enforced security policy. Risk Assessment, on the contrary, is executed at discrete
points in time (e.g. once a year, on demand, etc.) and, until the next assessment is
performed, provides a temporary view of the assessed risks while parameterizing
the entire Risk Management process.
Risk assessment is often conducted in more than one iteration, the first being a
high-level assessment to identify the high risks, while later iterations cover the detailed
analysis of the major risks and the other risks.
The parameters considered for assessment are normally as follows:
assessment of the consequences through the valuation of assets
assessment of the likelihood of the incident (through threat and
vulnerability valuation)
assign values to the likelihood and consequence of the risks
This assessment mainly depends on the following three primary principles:
Confidentiality: Confidentiality of the information can be maintained by
implementing proper access controls through hardware and software to restrict access
to the information, and by encrypting the data while storing it and while sending it over the
network.
Integrity: Integrity means that it should be possible for the receiver of a message to
verify that the message has not been changed in any manner. Unnoticed changes to a
message must be impossible. It verifies that neither the
purchase amount nor the goods bought are changed or lost during transmission.
Integrity also means the message has not reached the recipient twice.
Availability: Ability to ensure that an e-commerce site continues to function as
intended and information or data is always available.
Hacking
What is fascinating about website hacking is that attacks always come down to the
same elements regardless of the organization’s size. It does not matter if you are a
Fortune 500 company or a small business selling cupcakes. The only difference is the why.
In large organizations, it is often because they dropped the ball. They knew
exactly what the threat was, but they never thought it would extend to their websites,
with the common response being – “I thought someone else was handling it”. When
it comes to small businesses, it is often – “Why would anyone want to hack me? I
never knew it’d be an issue for me, I’m not Target, I don’t have credit card
information”.
Access Control
Access control speaks specifically to the process of authentication and
authorization; simply put, how you log in. When we say log in, we mean more than
just the website. Here are a few areas to think about when assessing access control:
How do you log into your hosting panel?
How do you log into your server? (i.e., FTP, SFTP, SSH)
How do you log into your website? (i.e., WordPress, Dreamweaver, Joomla!)
How do you log into your computer?
How do you log into your social media forums?
The reality is that access control is much more important than most give it credit for.
It is like the person who locks their front door but leaves every window unlatched and
the alarm system turned off. This begs the question: why did you even lock the door?
Exploitation of access control often comes in the form of a brute force attack, in
which the attacker attempts to guess possible username and password
combinations in an effort to log in as the user. You can also see various social
engineering attempts, such as phishing pages designed to capture a user’s ID/username and
password combination, or some form of Cross-Site Scripting (XSS) or Cross-Site
Request Forgery (CSRF) attack in which the attacker tries to intercept the user's
credentials via their own browser. There is also the obvious Man in the Middle
(MITM) attack, where the attacker intercepts your username and password while
you work over insecure networks and your credentials are transferred from one point
to another in plain text.
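Brute-force attempts of the kind described above leave a recognisable trace in authentication logs: many failed logins from one source in a short time. The following added example (not part of the original chapter) scans a few constructed log lines and flags the sources that cross a threshold; the log format, the 60-second window and the threshold of 5 are assumptions made for the demo.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

type failedLogin struct {
	ts     int    // seconds since an arbitrary start (constructed, not real time)
	source string // client address the attempt came from
}

// Constructed sample lines in a simple "ts status user source" format;
// they are made up for this example, not taken from any real system.
var sampleLog = []string{
	"100 FAIL admin 203.0.113.7",
	"101 FAIL admin 203.0.113.7",
	"102 FAIL administrator 203.0.113.7",
	"103 FAIL root 203.0.113.7",
	"104 FAIL admin 203.0.113.7",
	"110 OK alice 198.51.100.4",
	"130 FAIL bob 198.51.100.9",
	"400 FAIL bob 198.51.100.9",
}

func parseFailures(lines []string) []failedLogin {
	var out []failedLogin
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) != 4 || f[1] != "FAIL" {
			continue
		}
		ts, err := strconv.Atoi(f[0])
		if err != nil {
			continue
		}
		out = append(out, failedLogin{ts: ts, source: f[3]})
	}
	return out
}

// bruteForceSources returns (sorted) every source with at least threshold failed
// logins inside some window of `window` seconds, a pattern a real user rarely produces.
func bruteForceSources(events []failedLogin, window, threshold int) []string {
	bySource := map[string][]int{}
	for _, e := range events {
		bySource[e.source] = append(bySource[e.source], e.ts)
	}
	var hits []string
	for src, times := range bySource {
		sort.Ints(times)
		for i := threshold - 1; i < len(times); i++ {
			if times[i]-times[i-threshold+1] <= window {
				hits = append(hits, src)
				break
			}
		}
	}
	sort.Strings(hits) // map iteration order is random; make output stable
	return hits
}

func main() {
	for _, src := range bruteForceSources(parseFailures(sampleLog), 60, 5) {
		fmt.Println("possible brute-force source:", src)
	}
}
```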
Software Vulnerabilities
Software vulnerabilities are not for the faint of heart. We would argue that 95%
of website owners are unable to address today’s software vulnerabilities; even
everyday developers are unable to account for the threats their own code introduces.
The problem, as we see it, is in the way we think. It takes a special person to want
to break things. Most of us use things as they are designed.
These software vulnerabilities extend beyond the website itself and easily bleed
into the various technologies we discussed above (i.e., web server, infrastructure,
etc.). Anywhere there is a system, there’s a potential software vulnerability waiting to
be exploited. This can also extend to your browser (i.e., Chrome, Internet Explorer,
Firefox, etc.).
Exploitation of software vulnerabilities can take various forms, but for the
sake of sanity we will focus on the website itself and not the various supporting elements.
When it comes to websites, exploitation of a software vulnerability is achieved
through a cleverly malformed Uniform Resource Locator (URL) or POST
headers. Via these two methods an attacker is able to carry out a number of attacks:
things like Remote Code Execution (RCE), Remote / Local File Inclusion (R/LFI),
Cross Site Scripting (XSS) and SQL Injection (SQLi). There are a number of
other attacks, but these are some of the more common ones we are seeing affecting
today’s websites.
Third-Party Integrations / Services
Third-party integrations/services are increasingly becoming a problem. The
most prominent form is advertisements via ad networks leading to malvertising
attacks. It extends beyond that to services you might use, including things like a
Content Distribution Network (CDN), as in the recent Washington Post hack last
week.
Third-party integrations and services have become commonplace in today’s
website ecosystem, and are especially popular in the highly extensible Content
Management Systems (CMS) like WordPress, Drupal and Joomla!
The problem with the exploitation of third-party integrations and services is that
it is beyond the website owner’s ability to control. When we integrate
third-party providers we assume that they are ensuring the service we consume is safe, but like
everything else there is always the chance of compromise.
NETWORK Security
a. Firewall
It is recommended to use some type of firewall for Internet/network
security. Intruders are constantly scanning home user systems for known
vulnerabilities. Network firewalls (whether software or hardware-based) can provide
some degree of protection against these attacks.
The term firewall originally meant (and still means) a fireproof wall intended to
prevent the spread of fire from one room to another area; by analogy, a firewall is an
excellent tool for network security.
Definition
A firewall is a system of hardware and software components designed to restrict
access between or among networks, most often between the Internet and a private
Intranet. It is part of an overall security policy that creates a perimeter defense
designed to protect the information resources of the organization.
Functions of Firewall
It controls access to the internet by private users, preventing outside parties from
gaining access to systems and confidential data on the private network.
All information entering or leaving the intranet passes through the
firewall. A firewall is a specialized form of router focusing on specific types of network
security function.
A basic purpose of a firewall is to disallow unauthorized access while inspecting everything
that passes through it. When a new program is installed on Windows, the Windows
firewall should be configured for it, especially if the new program will be involved with the internet.
For example, online games are bought at cheap prices and these transactions are held
online; if the firewall sees any action going on that appears hazardous, it will not allow it to
happen.
A firewall inspects traffic at the network's point of entry so that authorized data can be received and
transmitted without significant delay.
Types of firewalls
There are mainly 2 types of firewalls:
a. Hardware Firewalls
These firewalls are the most popular as they can control the network in a better
manner. Also, replacement in case of any failure, as well as maintenance, is
comparatively easy. These firewalls need specialized personnel for configuration.
Hardware firewalls are best suited to businesses and large networks. Some of
the popular hardware firewalls are Nokia (CheckPoint), Cisco (Pix), Juniper
(NetScreen), WatchGuard (Firebox), Fortinet (FortiGate), SonicWall (Pro Series),
Symantec (SGS), SecureComputing (Sidewinder) etc.
b. Software Firewalls
These are software-based firewalls which work on top of the Operating
System of the computer. These types of firewalls are mainly used for Personal
Computers or home PC networks, as they are affordable in terms of price and easy to
configure. Some of the software firewalls are Microsoft, Kaspersky, Norton,
TrendMicro, eScan, McAfee etc.
Limitations of Firewall
It does not solve all practical security problems.
Insider intrusion (an inside user attacking the internal network in the same way) cannot
be prevented by a firewall.
A firewall needs to be configured very carefully so that there is only one entry and exit
point; otherwise a user can bypass the firewall.
The internal network cannot be protected from virus attacks by a firewall.
b. Intrusion Detection System (IDS)
Definition
A component of computer and network infrastructure which is aimed at
detecting an intrusion or attack against computer systems, networks or
applications is called an ‘Intrusion Detection System (IDS)’.
Intrusion Detection Systems are designed to catch activity that might
not have been prevented or even detected by the firewall. An intrusion detection system
is used to detect unauthorized access or manipulation of information early, so that at least we
have early awareness of a problem.
c. Virtual Private Network (VPN)
A virtual private network (VPN) is a network that uses a public
telecommunication infrastructure, such as the Internet, to provide remote offices or individual
users with secure access to their organization's network. A virtual private network can
be contrasted with an expensive system of owned or leased lines that can only be used
by one organization. The goal of a VPN is to provide the organization with the same
capabilities, but at a much lower cost. A typical VPN can be represented as shown in
the figure below:
Application Security
Vendors usually release patches for their software when a vulnerability has been
discovered. Most product documentation offers a method to get updates and patches.
You should be able to obtain updates from the vendor's web site. Read the manuals or
browse the vendor's web site for more information.
Some applications will automatically check for available updates, and many
vendors offer automatic notification of updates via a mailing list. Look on your
vendor's web site for information about automatic notification. If no mailing list or
other automated notification mechanism is offered you may need to check
periodically for updates.
Data Security
Data security means protecting information from unauthorized
access. Data security is critical for most business and home computers. Bank account
details, customer personal information, payment-related data and other confidential
details are hard to replace and very dangerous if captured by the wrong person.
Data can be lost due to environmental disasters such as
flood, fire or earthquake, but losing it to a hacker or virus infection can have
greater consequences. Data security is achieved by using different procedures and
policies that protect data from accidents, equipment failure and natural disasters.
The most commonly used data protection technique is encryption and decryption.
This is known as ‘Cryptography’.
Cryptography
Cryptography secures messages by encoding them into an
unreadable form. As more and more sensitive data is stored on computers and
transmitted over the internet, encryption and decryption techniques are used to ensure
information security and safety. Nowadays, 128-bit
encryption is most commonly used to encrypt the data.
Encryption
Encryption is converting the original text into an unreadable form at the sender’s
end, which is then transmitted to the receiver. In encryption the original text is known as
plain text, and after conversion the unreadable text is known as cipher text. In other
words, encryption is converting data for transmission over the network. Its purpose is to ensure privacy
by keeping information hidden from unauthorized access.
Decryption
Decryption is the reverse process of encryption. Decryption is performed at the receiver's
end: it converts the cipher text back into the plain text to get the original
message back. In other words, reverting cipher text to its original plain text is called
decryption. Encryption and decryption are especially important in internet or wireless
communication.
There are mainly 2 encryption techniques that are widely used.
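As an added example (not from the original chapter) of the encrypt-at-sender, decrypt-at-receiver round trip above, and of the integrity principle listed earlier in the chapter: AES-128 in GCM mode using Go's standard library. The key and message are constructed for the demo; a one-bit change to the ciphertext makes decryption fail, which is how the receiver learns the message was altered in transit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// encrypt128 is the sender's side: it seals plaintext with AES-128 (16-byte key)
// in GCM mode. Output is a fresh 12-byte nonce followed by ciphertext and tag.
func encrypt128(key, plaintext []byte) ([]byte, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 needs a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt128 is the receiver's side. GCM's authentication tag makes Open fail
// if even one bit of the received data was altered.
func decrypt128(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:ns], data[ns:], nil)
}

// roundTrip runs sender -> receiver once, then flips one bit of the ciphertext
// and reports whether the receiver detected the change.
func roundTrip(key []byte, msg string) (recovered string, tamperDetected bool, err error) {
	ct, err := encrypt128(key, []byte(msg))
	if err != nil {
		return
	}
	pt, err := decrypt128(key, ct)
	if err != nil {
		return
	}
	altered := append([]byte(nil), ct...)
	altered[len(altered)-1] ^= 0x01
	_, openErr := decrypt128(key, altered)
	return string(pt), openErr != nil, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key; real keys come from a CSPRNG
	fmt.Println(roundTrip(key, "PAY INR 1500 to account 42"))
}
```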
Digital Signature
Definition
Digital Signature is a unique combination of alphanumeric digits having a
specific length which is issued by a Certifying Authority to Individual, Corporate or
any other entity. A Digital Signature is a tool by which the authenticity of an
electronic document or information can be verified.
Function
One way to implement public key authentication on a per-message basis is to
send a digital signature with each message. A digital signature is added at the end of
each message which is sent. Five companies in India (NIC, IDRBT, SAFESCRYPT CA
Services, nCode Solutions and E-Mudhra) can issue digital signatures/certificates
using “in-person proofing” as part of the process. A digital signature, first proposed in
1976 by Whitfield Diffie of Stanford University, transforms the message that is
signed so that anyone who reads it can be sure of the real sender. It is a block of data
derived from the message content (called a message digest) that is encrypted with the
private key. Encrypting a message digest with a private key creates a digital
signature. A public key can be used to verify that the signature was, in fact, generated
using the corresponding private key.
A Digital signature’s main function is to verify that a message or a document, in
fact, comes from the claimed sender. This is called authentication. It can be used also
to time-stamp documents when a trusted party signs the document and its time stamp
with his or her secret key. This process attests that the document was present at the
stated time.
When making a digital signature, cryptographic hash functions are generally
used to construct the message digest. A hash function is a formula that converts a
message of a given length into a string of digits, called a message digest. Once the
message digest is encrypted with the sender’s private key, it becomes a digital
signature.
The sender encrypts the message or data or contents using the private key;
The receiver, upon receiving the same, requests the public key from the
Certifying Authority (CA);
This public key received from the CA is compared and verified with the public
key of the sender;
It is then utilized to decrypt the data received.
This process is done only at that particular instance. The process is initiated
and completed every time the encrypted document or information is opened by
the user/receiver.
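The digest, sign and verify steps described above, as an added example in Go using the standard library (not code from the chapter). The key pair is generated in memory rather than obtained from a Certifying Authority, and the purchase order text is constructed; the example shows that a message altered after signing, or a signature made with a different key, fails verification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signMessage builds the message digest with SHA-256 and signs it with the
// sender's private key (RSA PKCS#1 v1.5); the result is the digital signature.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyMessage recomputes the digest on the receiver's side and checks the
// signature with the sender's public key. It is true only if the message is
// unchanged and was signed by the matching private key.
func verifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// demo runs the flow once and returns three verdicts: the genuine message,
// a message altered after signing, and a signature made with another key.
// Keys are generated in memory here; in practice the receiver would obtain
// the sender's public key from the Certifying Authority.
func demo() (genuine, tampered, wrongKey bool, err error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	// Constructed sample document; not a real order.
	order := []byte("Purchase order 7781: 40 units at INR 1200")
	sig, err := signMessage(sender, order)
	if err != nil {
		return
	}
	genuine = verifyMessage(&sender.PublicKey, order, sig)
	// Same signature, but the amount was changed in transit.
	altered := []byte("Purchase order 7781: 40 units at INR 1000")
	tampered = verifyMessage(&sender.PublicKey, altered, sig)
	// Someone else signs the same text with their own key.
	forged, err := signMessage(impostor, order)
	if err != nil {
		return
	}
	wrongKey = verifyMessage(&sender.PublicKey, order, forged)
	return
}

func main() {
	g, t, w, err := demo()
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v err=%v\n", g, t, w, err)
}
```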
Usage
Digital signatures are commonly used for software distribution, financial
transactions, and in other cases where it is important to maintain confidentiality
and detect forgery or tampering.
Digital signatures are equivalent to traditional handwritten signatures in many
respects, and if properly implemented, digital signatures are more difficult to forge
than the handwritten type.
Digital Signature ensures that no alterations are made to the information or data
once the document has been digitally signed.
Electronic Payment
Definition:
Electronic Payment is a financial exchange that takes place online between
buyers and sellers. The content of this exchange is usually some form of digital
financial instrument (such as encrypted credit card numbers, electronic cheques or
digital cash) that is backed by a bank or an intermediary, or by a legal tender. The
various factors that have led the financial institutions to make use of electronic
payments are:
There are also many problems with the traditional payment systems that are
leading to their fading out. Some of them are enumerated below:
1. Lack of Convenience:
Traditional payment systems require the consumer to either send paper
cheques by snail-mail or require him/her to physically come over and sign
papers before performing a transaction. This may lead to annoying
circumstances sometimes.
2. Lack of Security:
This is because the consumer has to send all confidential data on a paper,
which is not encrypted, that too by post where it may be read by anyone.
3. Lack of Coverage:
When we talk in terms of current businesses, they span many countries or
states. These business houses need faster transactions everywhere. This is
not possible without the bank having branch near all of the company’s
offices. This statement is self-explanatory.
4. Lack of Eligibility:
Not all potential buyers may have a bank account.
5. Lack of support for micro-transactions:
Many transactions done on the Internet are of very low cost though they
involve data flow between two entities in two countries. The same if done
on paper may not be feasible at all.
Electronic Tokens:
An electronic token is a digital analog of various forms of payment backed by a
bank or financial institution. There are two types of tokens:
a. Real Time (or Pre-paid) tokens: These are exchanged between buyer
and seller; their users pre-pay for tokens that serve as currency.
Transactions are settled with the exchange of these tokens. Examples of
these are DigiCash, Debit Cards, Electronic purse etc.
b. Post Paid Tokens: These are used with fund transfer instructions between the
buyer and seller. Examples: Electronic cheques, Credit card data etc.
Electronic Cheques:
Electronic cheques are modeled on paper cheques, except that they are
initiated electronically. They use digital signatures for signing and endorsing and
require the use of digital certificates to authenticate the payer, the payer’s bank and
bank account. They are delivered either by direct transmission using telephone lines
or by public networks such as the Internet.
Threat Hunting
Introduction
Threat hunting or essentially Cyber Threat Hunting is "the process of
proactively and iteratively searching through networks to detect and isolate advanced
threats that evade existing security solutions.” This is in contrast to traditional threat
management measures, such as firewalls, intrusion detection systems (IDS),
and Security information & Event Management (SIEM) Systems, which typically
involve an investigation after there has been a warning of a potential threat or an
incident has occurred.
Threat hunting can be a manual process, in which a security analyst sifts through
various data using their own knowledge and familiarity with the network
to create hypotheses about potential threats, such as, but not limited to, Lateral
Movement by Threat Actors. To be even more effective and efficient, however, threat
hunting can be partially automated, or machine-assisted, as well. In this case, the
analyst utilizes software that leverages machine learning and User & Entity
Behavior Analytics (UEBA) to inform the analyst of potential risks. The analyst
then investigates these potential risks, tracking suspicious behavior in the network.
Ideally, threat hunting is a continuous and repetitive process. More importantly,
it is carried out in a loop and on the basis of hypotheses. The hypotheses are of the following
types:
Analytics-Driven: "Machine-learning and UEBA, used to develop aggregated
risk scores that can also serve as hunting hypotheses”.
Situational-Awareness Driven: "Crown Jewel analysis, enterprise risk
assessments, company- or employee-level trends”.
Intelligence-Driven: "Threat intelligence reports, threat intelligence feeds,
malware analysis, vulnerability scans”.
The analyst researches their hypothesis by going through vast amounts of data
about the network. The results are then stored so that they can be used to improve the
automated portion of the detection system and to serve as a foundation for future
hypotheses. The Detection Maturity Level (DML) model expresses that threat indicators
can be detected at different semantic levels. High semantic indicators such as goal
and strategy, or Tactics, Techniques and Procedures (TTP), are more valuable to
identify than low semantic indicators such as network artifacts and atomic indicators
such as IP addresses. SIEM tools typically only provide indicators at relatively low
semantic levels. There is therefore a need to develop SIEM tools that can provide
threat indicators at higher semantic levels.
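An added example (not from the original chapter) of the analytics-driven hypothesis described above: an aggregated per-account risk score built from a few weak signals in constructed login records. The signals, the weights and the sample accounts are assumptions made for the demo; the ranked output is the list of hypotheses an analyst would investigate first.

```go
package main

import (
	"fmt"
	"sort"
)

// One authentication event; the records below are constructed, not real.
type authEvent struct {
	user, host string
	hour       int  // hour of day, 0-23
	ok         bool // true for a successful login
}

// Constructed sample records made up for this example, not taken from any network.
var sampleEvents = []authEvent{
	{"alice", "ws-alice", 9, true}, {"alice", "ws-alice", 10, true}, {"alice", "fileserver", 11, true},
	{"bob", "ws-bob", 8, true}, {"bob", "ws-bob", 14, true}, {"bob", "ws-bob", 22, false}, {"bob", "ws-bob", 22, true},
	{"carol", "ws-carol", 2, true}, {"carol", "fileserver", 2, true}, {"carol", "hr-db", 3, true},
	{"carol", "dc01", 3, false}, {"carol", "dc01", 3, true}, {"carol", "backup01", 4, true},
}

// userScore is the aggregated risk score of one account, i.e. one hunting hypothesis.
type userScore struct {
	User  string
	Score int
}

// riskScores folds three weak signals per account into one score: distinct hosts
// beyond the first (a lateral-movement hint), logins outside 07:00-19:00, and
// failed attempts. The weights 3/2/1 are constructed for this demo only.
func riskScores(events []authEvent) []userScore {
	hosts := map[string]map[string]bool{}
	offHours, failures := map[string]int{}, map[string]int{}
	for _, e := range events {
		if hosts[e.user] == nil {
			hosts[e.user] = map[string]bool{}
		}
		hosts[e.user][e.host] = true
		if e.hour < 7 || e.hour >= 19 {
			offHours[e.user]++
		}
		if !e.ok {
			failures[e.user]++
		}
	}
	var out []userScore
	for u, h := range hosts {
		out = append(out, userScore{u, 3*(len(h)-1) + 2*offHours[u] + failures[u]})
	}
	sort.Slice(out, func(i, j int) bool { // highest score first, ties by name
		if out[i].Score != out[j].Score {
			return out[i].Score > out[j].Score
		}
		return out[i].User < out[j].User
	})
	return out
}

func main() {
	// The analyst starts investigating from the top of this list.
	fmt.Println(riskScores(sampleEvents))
}
```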