
Module V: Security Management

Topics:
The Information Security. System Vulnerability and Abuse. System Threats (Malicious Software, Hacking, etc.) and countermeasures. Antivirus, Firewalls, Anti-spyware. Security Audit.

Security Management is a broad field of management related to asset management, physical security and human resource safety functions. It entails the identification of an organization's information assets and the development, documentation and implementation of policies, standards, procedures and guidelines. In network management it is the set of functions that protects telecommunications networks and systems from unauthorized access by persons, acts, or influences and that includes many subfunctions, such as creating, deleting, and controlling security services and mechanisms; distributing security-relevant information; reporting security-relevant events; controlling the distribution of cryptographic keying material; and authorizing subscriber access, rights, and privileges. Management tools such as information classification, risk assessment and risk analysis are used to identify threats, classify assets and to rate system vulnerabilities so that effective controls can be implemented.

The Information Security: Information security means protecting information and systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
The terms information security, computer security and information assurance are frequently used interchangeably. These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer. Information assurance focuses on the reasons for assurance that information is protected, and is thus reasoning about information security. Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers.

Basic principles:-

Confidentiality
Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred. Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds.

Integrity
In information security, integrity means that data cannot be modified undetectably. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of Consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity in addition to data confidentiality.
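As an added illustration of "cannot be modified undetectably" (example code written for this module, not from the original text): a keyed message authentication code lets the receiver detect an in-transit change, whereas an unkeyed checksum does not, because whoever alters the message can simply recompute it. The shared key, the message and the tampering step are constructed for the example.

```python
import hashlib
import hmac
from typing import Tuple

# Secret shared by sender and receiver (constructed value for this example).
SHARED_KEY = b"example-shared-secret-do-not-reuse"


def plain_checksum(message: bytes) -> str:
    """An unkeyed hash: anyone who changes the message can recompute it."""
    return hashlib.sha256(message).hexdigest()


def protect(message: bytes, key: bytes = SHARED_KEY) -> Tuple[bytes, str]:
    """Attach an HMAC-SHA256 tag computed under the shared key."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return message, tag


def verify(message: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def tamper_in_transit(message: bytes) -> bytes:
    """Simulate an active modification on the wire (constructed example)."""
    return message.replace(b"100.00", b"900.00")


def demo() -> dict:
    original = b"transfer 100.00 to account 12345"
    msg, tag = protect(original)
    modified = tamper_in_transit(msg)

    # Whoever alters the message can recompute an unkeyed checksum, so a
    # receiver checking against that checksum still accepts the altered message.
    attacker_checksum = plain_checksum(modified)
    receiver_accepts_plain = plain_checksum(modified) == attacker_checksum

    return {
        "original_verifies": verify(msg, tag),                 # True
        "modified_verifies": verify(modified, tag),            # False: tag no longer matches
        "plain_checksum_detects_change": not receiver_accepts_plain,  # False: undetectable
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC tag only proves integrity to someone who holds the same key; for the sender-cannot-deny property discussed under non-repudiation, a digital signature is needed instead.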

Availability
For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.

Authenticity
In computing, e-Business, and information security, it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim to be.

Non-repudiation
In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction.

Electronic commerce uses technology such as digital signatures and public key encryption to establish authenticity and non-repudiation.

System Vulnerability and Abuse


When data are stored in digital form, they are more vulnerable than when they exist in manual form. Security refers to the policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems. Controls consist of all the methods, policies, and organizational procedures that ensure the safety of the organization's assets; the accuracy and reliability of its accounting records; and operational adherence to management standards. Threats to computerized information systems include hardware and software failure; user errors; physical disasters such as fire or power failure; theft of data, services, and equipment; unauthorized use of data; and telecommunications disruptions. On-line systems and telecommunications are especially vulnerable because data and files can be immediately and directly accessed through computer terminals or at points in the telecommunications network.

FIGURE 8-1 CONTEMPORARY SECURITY CHALLENGES AND VULNERABILITIES

The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.

The Internet poses additional problems because it was explicitly designed to be easily accessed by people on different computer systems. Information traveling over unsecured media can be intercepted and misused. Fixed IP addresses serve as fixed targets for hackers, and Internet software has become a means for introducing viruses and malicious software to otherwise secure networks. Wireless networks are even more vulnerable because radio frequency bands are easy to scan. LANs that use the Wi-Fi (802.11b) standard can be easily penetrated by outsiders with laptops, wireless cards, external antennae, and freeware hacking software. Service set identifiers (SSID) identifying access points in a Wi-Fi network are broadcast multiple times and can be picked up fairly easily by sniffer programs. In war driving, eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic. The initial security standard developed for Wi-Fi, called Wired Equivalent Privacy (WEP), is not very effective. WEP is built into all standard 802.11 products, but users must turn it on, and many neglect to do so, leaving many access points unprotected.

FIGURE 8-2 WI-FI SECURITY CHALLENGES

Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.

Malicious software, or malware, includes threats such as computer viruses and worms, and Trojan horses. A computer virus is rogue software that attaches itself to other programs or data files in order to be executed, and may be highly destructive to files, computer memory, and hard drives. Viruses are typically designed to spread from computer to computer through e-mail attachments or copied files.

Worms are independent computer programs that copy themselves to computers over a network independently from other computer programs or files, and therefore spread more rapidly. A Trojan horse is an apparently benign program that actually performs some hidden action such as installing malicious code or compromising the security of a computer. Spyware can also act as malicious software by obtaining information about users' buying habits and infringing on privacy. Keyloggers record keystrokes made on a computer in order to steal serial numbers for software and passwords.

A hacker is an individual who intends to gain unauthorized access to a computer system. The term cracker is typically used for hackers with criminal intent. Hackers spoof, or misrepresent themselves, by using fake e-mail addresses or masquerading as someone else. Hacker activities include:

Theft of goods and services.

System damage.

Cyber vandalism: The intentional disruption, defacement, or even destruction of a Web site or corporate information system.

Spoofing: Hiding the hacker's true identity or e-mail address, or redirecting a Web link to a different Web site that benefits the hacker.

Theft of proprietary information: A sniffer is an eavesdropping program that monitors network information and can enable hackers to steal proprietary information transmitted over the network.

Denial of service (DoS) attacks: Flooding a network or server with thousands of false communications to crash or disrupt the network. A distributed denial-of-service (DDoS) attack uses hundreds or even thousands of computers to inundate and overwhelm the network from numerous launch points. Hackers can infect thousands of unsuspecting users' computers with malicious software to form a botnet of resources for launching a DDoS.

FIGURE 8-3 WORLDWIDE DAMAGE FROM DIGITAL ATTACKS

This chart shows estimates of the average annual worldwide damage from hacking, malware, and spam since 1999. These data are based on figures from mi2G and the authors.

In computer crime, the computer can be either the target of or the instrument of a crime. The most economically damaging kinds of computer crime are DoS attacks, introducing viruses, theft of services, and disruption of computer systems. Other examples of computer crime include:

Identity theft: In identity theft, an impostor obtains key pieces of personal information to impersonate someone else and obtain credit, merchandise, or false credentials.

Phishing: Setting up fake Web sites or sending e-mail messages that appear legitimate in order to trick users into handing over confidential data. Other phishing techniques include evil twins (wireless networks masquerading as legitimate Internet hotspots, used to capture personal information) and pharming (redirecting users to bogus Web sites posing as legitimate Web sites).

Click fraud occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase. Click fraud can also be perpetrated with software programs doing the clicking, and bot networks are often used for this purpose.

The U.S. Congress responded to the threat of computer crime in 1986 with the Computer Fraud and Abuse Act. This act makes it illegal to access a computer system without authorization. Most U.S. states and European nations have similar legislation. Congress also passed the National Information Infrastructure Protection Act in 1996 to make virus distribution and hacker attacks to disable Web sites federal crimes. One concern is that terrorists or foreign intelligence services could exploit network or Internet vulnerabilities to commit cyber terrorism or cyber warfare and cripple networks controlling essential services such as electrical grids and air traffic control systems.

The largest financial threats to businesses actually come from insiders, either through theft and hacking or through lack of knowledge. Malicious intruders may sometimes trick employees into revealing passwords and network access data through social engineering. Employees can also introduce faulty data or improperly process data.

Software errors are also a threat to information systems and cause untold losses in productivity. Hidden bugs, or program code defects, unintentionally overlooked by programmers working with thousands of lines of programming code, can cause performance issues and security vulnerabilities. Software vendors create lines of code called patches to repair flaws without disrupting the software's operation.

Technologies and Tools for Security and Control


Various tools and technologies used to help protect against or monitor intrusion include authentication tools, firewalls, intrusion detection systems, and antivirus and encryption software. Access control consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders. Authentication refers to the ability to know that a person is who he or she claims to be. Access control software is designed to allow only authorized persons to use systems or to access data using some method for authentication. New authentication technologies include:

Token: A physical device similar to an identification card that is designed to prove the identity of a single user.

Smart card: A device about the size of a credit card that contains a chip formatted with access permission and other data.

Biometric authentication: Compares a person's unique characteristics, such as fingerprints, face, or retinal image, against a stored profile.

A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic and prevents unauthorized communication into and out of the network. The firewall identifies names, Internet Protocol (IP) addresses, applications, and other characteristics of incoming traffic. It checks this information against the access rules programmed into the system by the network administrator. There are a number of firewall screening technologies:

Packet filtering examines fields in the headers of data packets flowing between the network and the Internet, examining individual packets in isolation.

Stateful inspection determines whether packets are part of an ongoing dialogue between a sender and a receiver.

Network Address Translation (NAT) conceals the IP addresses of the organization's internal host computer(s) to protect against sniffer programs outside the firewall.

Application proxy filtering examines the application content of packets. A proxy server stops data packets originating outside the organization, inspects them, and passes a proxy to the other side of the firewall. If a user outside the company wants to communicate with a user inside the organization, the outside user first "talks" to the proxy application and the proxy application communicates with the firm's internal computer.

FIGURE 8-6 CORPORATE FIREWALL

The firewall is placed between the firm's private network and the public Internet or another distrusted network to protect against unauthorized traffic.
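Added example (not from the original text or from any firewall product) contrasting the first two screening technologies above on constructed traffic: a stateless packet filter judges each packet from its own header fields, so to let replies back in it has to trust something like the source port, whereas stateful inspection remembers the sessions the internal network opened and admits an inbound packet only if it answers one of them. The addresses are documentation ranges and both rule sets are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

INTERNAL_PREFIX = "10.0.0."          # the firm's private network (constructed)
PUBLISHED_SERVICES = {80, 443}       # inbound ports the firm exposes on purpose
REPLY_SOURCE_PORTS = {53, 80, 443}   # ports a stateless rule must trust to let replies in


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    @property
    def inbound(self) -> bool:
        """True when the packet comes from outside and targets an internal host."""
        return self.dst_ip.startswith(INTERNAL_PREFIX) and not self.src_ip.startswith(INTERNAL_PREFIX)


def stateless_decision(pkt: Packet) -> bool:
    """Packet filtering: decide from this packet's header fields alone."""
    if not pkt.inbound:
        return True
    if pkt.dst_port in PUBLISHED_SERVICES:
        return True
    # With no memory of earlier packets, a reply to an internal client can only be
    # recognised by its source port, which any sender is free to choose.
    return pkt.src_port in REPLY_SOURCE_PORTS


class StatefulFirewall:
    """Stateful inspection: record outbound sessions and admit only their replies."""

    def __init__(self) -> None:
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def decision(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if pkt.dst_port in PUBLISHED_SERVICES:
            return True
        # The packet is admitted only if it mirrors a dialogue an internal host started.
        reply_of = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reply_of in self.sessions


def run(packets: List[Packet]) -> List[Tuple[bool, bool]]:
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFirewall()
    return [(stateless_decision(p), fw.decision(p)) for p in packets]


# Constructed traffic: a DNS lookup, its reply, and an unsolicited packet
# whose sender set source port 53 to look like a reply.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", 40000, "192.0.2.53", 53),
    Packet("192.0.2.53", 53, "10.0.0.5", 40000),
    Packet("203.0.113.9", 53, "10.0.0.5", 445),
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE_TRAFFIC, run(SAMPLE_TRAFFIC)):
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
              f"stateless={stateless} stateful={stateful}")
```

The third packet is the point of the exercise: the stateless filter passes it because the source port matches a reply rule, while the stateful firewall drops it because no internal host ever opened a session to that address.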

Intrusion detection systems feature full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders continually. Scanning software looks for patterns indicative of known methods of computer attacks, such as bad passwords, checks to see if important files have been removed or modified, and sends warnings of vandalism or system administration errors.

Antivirus software is designed to check computer systems and drives for the presence of computer viruses. However, to remain effective, the antivirus software must be continually updated.

Vendors of Wi-Fi equipment have developed stronger security standards. The Wi-Fi Alliance industry trade group's 802.11i specification tightens security for wireless LAN products.

Many organizations use encryption to protect sensitive information transmitted over networks. Encryption is the coding and scrambling of messages to prevent their access by unauthorized individuals. Two methods for encrypting network traffic on the Web are:

Secure Sockets Layer (SSL): SSL and its successor Transport Layer Security (TLS) enable client and server computers to establish a secure connection session and manage encryption and decryption activities.

Secure Hypertext Transfer Protocol (S-HTTP) is another protocol used for encrypting data flowing over the Internet, but it is limited to individual messages.
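Added example of the "bad passwords" pattern scanning described in the intrusion detection paragraph above (example code written for this module, not the text's own tool): it parses sshd-style authentication log lines and flags any source address that fails logon repeatedly within a short window. The log lines are constructed, and the threshold and window size are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines in the style of an sshd authentication log; not a real capture.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  1 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar  1 10:00:04 host sshd[1203]: Accepted password for alice from 10.0.0.5 port 50112 ssh2
Mar  1 10:00:06 host sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Mar  1 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar  1 10:00:12 host sshd[1206]: Failed password for invalid user oracle from 203.0.113.7 port 51238 ssh2
Mar  1 10:00:20 host sshd[1207]: Failed password for bob from 10.0.0.8 port 50200 ssh2
Mar  1 10:05:30 host sshd[1208]: Failed password for bob from 10.0.0.8 port 50201 ssh2
"""

FAILED_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for .+ from (?P<ip>\S+) port \d+"
)


def parse_failures(log: str) -> Dict[str, List[int]]:
    """Collect the time (seconds since midnight) of each failed logon, per source IP."""
    failures: Dict[str, List[int]] = defaultdict(list)
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:  # "Accepted password" and unrelated lines are ignored
            secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            failures[m["ip"]].append(secs)
    return failures


def flag_sources(log: str, threshold: int = 5, window: int = 60) -> Dict[str, int]:
    """Return {ip: peak count} for sources with >= threshold failures inside any window."""
    flagged: Dict[str, int] = {}
    for ip, times in parse_failures(log).items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in flag_sources(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed logons from {ip} within 60 s")
```

The two failures from 10.0.0.8 are five minutes apart, so a sliding window keeps an ordinary user's mistyped password out of the alert while the burst from 203.0.113.7 is reported.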

Data is encrypted by applying a secret numerical code, called an encryption key, so that the data are transmitted as a scrambled set of characters. To be read, the message must be decrypted (unscrambled) with a matching key. There are two alternative methods of encryption:

Symmetric key encryption: The sender and receiver create a single encryption key that is shared.

Public key encryption: A more secure encryption method that uses two different keys, one private and one public.

FIGURE 8-7 PUBLIC KEY ENCRYPTION

A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient's public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.

Digital signatures and digital certificates help with authentication. A digital signature is a digital code attached to an electronically transmitted message that is used to verify the origin and contents of a message. Digital certificates are data files used to establish the identity of users and electronic assets for protection of online transactions. A digital certificate system uses a trusted third party known as a certificate authority (CA) to validate a user's identity. The digital certificate system would enable, for example, a credit card user and a merchant to validate that their digital certificates were issued by an authorized and trusted third party before they exchange data. Public key infrastructure (PKI), the use of public key cryptography working with a certificate authority, is a principal technology for providing secure authentication of identity online.

FIGURE 8-8 DIGITAL CERTIFICATES

Digital certificates help establish the identity of people or electronic assets. They protect online transactions by providing secure, encrypted, online communication.
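Added toy example (not from the original text) of the public key scheme in Figure 8-7 and the digital signature described above, which also illustrates the non-repudiation point made earlier under Basic principles: the sender encrypts with the recipient's public key and the recipient decrypts with the private key, and a signature can be produced only by the private key holder yet checked by anyone holding the public key. The primes and messages are constructed and the key is deliberately tiny so the arithmetic is visible; this is textbook RSA without padding and is not a secure implementation.

```python
import hashlib
from typing import List, Tuple

# Toy key pair built from two small constructed primes so the arithmetic is visible.
# Real RSA keys use primes of 1024+ bits; these numbers are for illustration only.
P, Q = 61, 53
N = P * Q                  # 3233, the public modulus shared by both keys
PHI = (P - 1) * (Q - 1)    # 3120
E = 17                     # public exponent (coprime to PHI)
D = pow(E, -1, PHI)        # 2753, private exponent: modular inverse of E (Python 3.8+)
PUBLIC_KEY: Tuple[int, int] = (E, N)
PRIVATE_KEY: Tuple[int, int] = (D, N)


def encrypt(message: bytes, public_key: Tuple[int, int] = PUBLIC_KEY) -> List[int]:
    """Lock each byte with the recipient's public key (Figure 8-7, sender side)."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def decrypt(ciphertext: List[int], private_key: Tuple[int, int] = PRIVATE_KEY) -> bytes:
    """Unlock with the matching private key (Figure 8-7, recipient side)."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the key's range before signing."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key: Tuple[int, int] = PRIVATE_KEY) -> int:
    """Only the private key holder can produce this value: origin and non-repudiation."""
    d, n = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key: Tuple[int, int] = PUBLIC_KEY) -> bool:
    """Anyone with the public key can check the origin and contents of the message."""
    e, n = public_key
    return pow(signature, e, n) == digest(message, n)


def demo() -> dict:
    order = b"buy 10 units"
    ciphertext = encrypt(order)
    signature = sign(order)
    return {
        "decrypted": decrypt(ciphertext),              # b"buy 10 units"
        "signature_valid": verify(order, signature),   # True
        # A changed message hashes to a different digest, so the check fails.
        "tampered_valid": verify(b"buy 99 units", signature),
    }


if __name__ == "__main__":
    print(demo())
```

Reducing the hash modulo such a small n is an artefact of the toy key size; a real signing scheme keeps the full-size hash and wraps it in a padding scheme such as RSA-PSS, and a certificate authority, as in Figure 8-8, is what ties the public key to an identity.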

System Threats (Malicious Software, Hacking, etc.) and countermeasures.


Threat:- In computer security, a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm. A threat can be either "intentional" (i.e., intelligent; e.g., an individual cracker or a criminal organization) or "accidental" (e.g., the possibility of a computer malfunctioning, or the possibility of an "act of God" such as an earthquake, a fire, or a tornado) or otherwise a circumstance, capability, action, or event.

Sources of Threats
A person, a group of people, or even some phenomena unrelated to human activity can serve as an information security threat. Following from this, all threat sources break down into three groups:

The human factor. This group of threats concerns the actions of people with authorized or unauthorized access to information. Threats in this group can be divided into:

External, including cyber criminals, hackers, internet scams, unprincipled partners, and criminal structures.

Internal, including actions of company staff and users of home PCs. Actions taken by this group could be deliberate or accidental.

The technological factor. This threat group is connected with technical problems: equipment becoming obsolete and poor-quality software and hardware for processing information. This all leads to equipment failure and often to data loss.

The natural-disaster factor. This threat group includes any number of events brought on by nature and other events independent of human activity.

Types of Threats
Worms: This malicious program category largely exploits operating system vulnerabilities to spread itself. The class was named for the way worms crawl from computer to computer, using networks and e-mail. This feature gives many worms a rather high speed in spreading themselves.

Viruses: Programs that infect other programs, adding their own code to them to gain control of the infected files when they are opened. This simple definition explains the fundamental action performed by a virus infection.

Trojans: Programs that carry out unauthorized actions on computers, such as deleting information on drives, making the system hang, stealing confidential information, etc. This class of malicious program is not a virus in the traditional sense of the word (meaning it does not infect other computers or data). Trojans cannot break into computers on their own and are spread by hackers, who disguise them as regular software. The damage they incur can exceed that done by traditional virus attacks several fold.

Spyware: Software that collects information about a particular user or organization without their knowledge. You might never guess that you have spyware installed on your computer.

Riskware: Potentially dangerous applications that have no malicious features themselves but could form part of the development environment for malicious programs or could be used by hackers as auxiliary components for malicious programs.

Rootkits: Utilities used to conceal malicious activity. They mask malicious programs to keep anti-virus programs from detecting them. Rootkits modify the operating system on the computer and alter its basic functions to hide their own existence and the actions that the hacker undertakes on the infected computer.

How threats spread


As modern computer technology and communications tools develop, hackers have more opportunities for spreading threats. Let's take a closer look at them:

The Internet. The Internet is unique, since it is no one's property and has no geographical borders. In many ways, this has promoted the development of countless web resources and the exchange of information. Today, anyone can access data on the Internet or create their own webpage. However, these very features of the worldwide web give hackers the ability to commit crimes on the Internet and make those crimes difficult to detect and punish.

USB flash drives. USB flash drives are widely used for storing and transmitting information. When you use a USB disk that has malicious programs on it, you can damage data stored on your computer and spread the virus to your computer's other drives or other computers on the network.

Tips to protect yourself from malware


Be mindful of what you are clicking on. Many websites that host harmful content use banners and pop-up advertisements pretending to be error messages or offering you a prize. When you visit these sites, harmful content is downloaded onto your computer. Avoid being tempted in the first place.

Be aware of what you are downloading. Don't download software from a website that is full of advertisements or listings of 'free' programs; these are often fake files. Be cautious and question them, scan them with security software prior to opening, or only download programs from reputable or corporate websites.

Purchase security software. Many users are not aware that pirated software cannot protect their computer against threats, and that pirated software from unauthorized third parties may itself contain viruses.

Be careful before you open your removable media. Many malicious programs attack your computer and spread via USB storage. USB Disk Security can protect your computer against threats arriving via removable media.

Update Windows when prompted. Microsoft releases updates for Windows regularly. They include important security patches and tools. Install them when prompted to patch up security gaps in your operating system, browser or third-party software.

Take extra care when using peer-to-peer programs. Files shared on P2P networks are not policed; anyone can release anything they want via this medium. As such, get into the habit of scanning the files you download before running them.

Accept incoming files only when you expect them and from people that you know. Some threats have the ability to infect machines and automatically send copies of themselves to that user's contact list. It may appear that your friend is sending you a file, but it may turn out to be a malicious program propagating itself.

Know your file formats. Images usually come in .jpg, .jpeg, .png, .bmp, .gif or .tif formats. Executables come in .exe, .bat, .com or .dll formats. If someone says they are sending you a photo but the file ends with .exe or .com, do not open it. They are either mistaken or potentially endangering you.

Be aware of what's happening. There are various places to seek help and learn more about your computer. It pays to be knowledgeable about your computer, as malicious threats often take advantage of those who are unaware of what's happening.
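Added example (not from the original text) that automates the "Know your file formats" tip for a mail gateway or download checker: it compares an attachment's extension with the leading bytes (magic number) of its content and flags executable content behind an image name, as well as names hiding an executable extension behind a double extension. The magic-number table is a constructed subset and the file names and contents are constructed.

```python
import os
from typing import Optional

# Leading bytes of common formats; a constructed subset, not an exhaustive table.
MAGIC_NUMBERS = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
    "tiff": (b"II*\x00", b"MM\x00*"),
    "exe": (b"MZ",),  # DOS/PE header used by Windows .exe and .dll files
}

# What each extension claims to be. Note .bat and .com have no fixed header.
EXTENSION_TYPES = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".bmp": "bmp", ".gif": "gif",
    ".tif": "tiff", ".tiff": "tiff", ".exe": "exe", ".dll": "exe",
}
EXECUTABLE_EXTENSIONS = {".exe", ".bat", ".com", ".dll"}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the format from the first bytes, ignoring the file name entirely."""
    for kind, magics in MAGIC_NUMBERS.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def assess_attachment(filename: str, data: bytes) -> str:
    """Return 'ok', or a 'reject: ...' / 'review: ...' verdict explaining the mismatch."""
    root, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(root)[1]  # e.g. ".jpg" in "holiday.jpg.exe"

    if ext in EXECUTABLE_EXTENSIONS:
        if inner_ext in EXTENSION_TYPES:
            return "reject: executable disguised with double extension"
        return "reject: executable attachment"

    actual = sniff_type(data)
    claimed = EXTENSION_TYPES.get(ext)
    if actual == "exe":
        return "reject: executable content with non-executable name"
    if claimed is None:
        return "review: unrecognised extension"
    if actual is None:
        return "review: content does not match a known format"
    if actual != claimed:
        return f"review: extension says {claimed} but content is {actual}"
    return "ok"


# Constructed attachments: (name, first bytes) pairs an inbound filter might see.
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("holiday.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("holiday.jpg.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("notes.png", b"GIF89a\x01\x00\x01\x00"),
    ("report.pdf", b"%PDF-1.4\n"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(f"{name:18} {assess_attachment(name, head)}")
```

Checking the content rather than the name is the point: a sender who renames a program to end in .jpg defeats the extension rule, but the MZ header still gives the file away.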

Antivirus, Firewalls, Anti-spyware.


Antivirus or anti-virus software is software used to prevent, detect and remove malware, such as computer viruses, adware, backdoors, malicious BHOs, dialers, fraud tools, hijackers, keyloggers, malicious LSPs, rootkits, spyware, Trojan horses and worms. Computer security, including protection from social engineering techniques, is commonly offered in products and services of antivirus software companies. This section discusses the software used for the prevention and removal of malware threats, rather than computer security implemented by software methods in general.

A firewall can either be software-based or hardware-based and is used to help keep a network secure. Its primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a predetermined rule set. A network's firewall builds a bridge between an internal network that is assumed to be secure and trusted, and another network, usually an external (inter)network, such as the Internet, that is not assumed to be secure and trusted.

Spyware is a type of malicious program installed on computers that collects information about users without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect. Some spyware, such as keyloggers, may be installed by the owner of a shared, corporate, or public computer intentionally in order to monitor users. While the term spyware suggests software that monitors a user's computing, the functions of spyware can extend beyond simple monitoring. Spyware can collect almost any type of data, including personal information like Internet surfing habits, user logins, and bank or credit account information. Spyware can also interfere with user control of a computer by installing additional software or redirecting Web browsers. Some spyware can change computer settings, which can result in slow Internet connection speeds, unauthorized changes in browser settings, or changes to software settings.

Anti-spyware programs
Anti-spyware programs can combat spyware in two ways:

1. They can provide real-time protection in a manner similar to that of antivirus protection: they scan all incoming network data for spyware and block any threats they detect.

2. Anti-spyware programs can be used solely for detection and removal of spyware that has already been installed on the computer. This kind of anti-spyware can often be set to scan on a regular schedule.

Security audit :- A computer security audit is a manual or systematic measurable technical assessment of a system or application. Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems. Automated assessments, or CAATs, include system-generated audit reports or using software to monitor and report changes to files and settings on a system. Systems can include personal computers, servers, mainframes, network routers and switches. Applications can include Web services, Microsoft Project Central and Oracle Database (examples only).
