CHAPTER:
1. Table of Contents: Every chapter consists of a well-defined table of contents.
   For example, 1.1.8.(i) should be read as Module 1, Chapter 1, Topic 8, Sub-topic (i), and
   1.2.8.(ii) should be read as Module 1, Chapter 2, Topic 8, Sub-topic (ii).
2. Aim: Aim refers to the overall goal to be achieved through the chapter.
7. Summary: Summary is the nutshell of the entire chapter in the form of points.
9. References: References is a list of online resources which have been used while
   designing the chapter.
11. Video Links: The Video Links table will help you to understand how these
   concepts are discussed in detail by the industry today.
The course contains four modules.
Module 3: Risk Management - deals with risk assessment, risk mitigation and control
methodologies.
Chapter 1: Information Security Risk Assessment
Chapter 2: Information Security Risk Mitigation and Controls
Module 1
  Chapter 1.1
  Chapter 1.2 .......... 15
Module 2
  Chapter 2.1 Importance of IT Security .......... 30
  Chapter 2.2 Challenges in IT Security .......... 42
Module 3 Risk Management
  Chapter 3.1 .......... 61
  Chapter 3.2 .......... 79
Module 4
  Chapter 4.1 .......... 95
  Chapter 4.2 .......... 110
Module 1
Introduction to Information Security
Chapter 1.1
Chapter 1.2
Table of Contents
Chapter 1.1 Fundamentals of Information Security
                                                          Page No.
Aim
Learning Objectives
Learning Outcome .......... 1
1.1.1 Definition and Evolution of Information Security
  1.1.1.(i)
  1.1.1.(ii)
1.1.2 Information Security
  1.1.2.(i) Basic Principles
  1.1.2.(ii)
1.1.3
1.1.4 .......... 10
Summary .......... 11
SAQs .......... 12
Bibliography .......... 14
References .......... 14
External Resources .......... 14
Video Links .......... 14
Legends:
Aim
Learning Objectives
Learning Outcome
Summary
Self-assessment Questions
References
External Resources
Video Links
Aim:
To equip the students with the basic concepts and terms of information security
Learning Objectives:
After going through this chapter students should be able to:
Learning Outcome:
After studying this chapter, you should be able to:
a) The 1960s
During the Cold War, many more mainframes were brought online to carry out more difficult
and sophisticated tasks. It became crucial for mainframes to communicate with each other
through a process more secure than carrying magnetic tapes between computer centres. Hence
the Department of Defense's Advanced Research Projects Agency started examining methods
for a simple way to communicate and support the military exchange of information. Larry
Roberts developed a project called ARPANET to transfer information between different
computer centres. ARPANET is the predecessor of the internet.
c) MULTICS
Multiplexed Information and Computing Service (MULTICS) was an early approach to
computer security. It was the first operating system to integrate security into its core
functions: MULTICS implemented several security levels and passwords.
d) The 1990s
In the 1990s computers became more popular and were connected in networks so that they
could communicate with one another. This led to the internet, which was then made available
to the public. The internet has become an interconnection of millions of networks. At the
beginning these connections were based on de facto standards, which did little to ensure the
security of information; internet deployment treated security as a low priority. At that time
all internet users were scientists, and hence security was not considered necessary. As
computers became available to the public, stored information became more exposed to
security threats.
e) 2000 to present
Nowadays the internet brings millions of unsecured computer networks into communication
with each other. Therefore it is necessary to secure data and information, and information
security has become a very important aspect of national security. The growing threat of
attacks has made governments and companies more aware of security.
A successful organisation should have the following security layers to protect its operations:
Information security (IS) is designed to protect the confidentiality, integrity, and availability of
computer system data from malicious intentions. Many organisations employ a dedicated
security group to implement and maintain the organisation's information security program.
Confidentiality: This means that information is only being seen or used by people
who are authorised to access it.
Integrity: This means that any change to the information by an unauthorised user is
impossible (or at least detected), and changes by authorised users are tracked.
Availability: This means that the information is accessible when authorised users
need it.
Spoofing can also alter data being transferred across a network, as in the case of User
Datagram Protocol (UDP) packet spoofing, which can allow an attacker to gain access to data
stored on computing systems.
d) Confidentiality: Confidentiality is securing data from unauthorised access.
Information has confidentiality when it is protected from unauthorised individuals or systems.
Confidentiality ensures that only those with the rights and privileges to access information
are able to do so; when unauthorised individuals or systems can inspect information,
confidentiality is violated. To protect the confidentiality of information, a number of
measures can be used, including the following:
Information classification
Secure document storage
Application of general security policies
Education of information custodians and end users
Access: Access is the ability to use an object or resource. An authorised user has legitimate
access to information, whereas a hacker has illegitimate access.
Risk: The possibility that something wrong or unwanted will happen. An organisation
must minimise risk to protect its information.
trusted authorities and saved to hardware devices such as routers or load balancers and
not on the web servers.
c) Implement DLP and auditing: Use Data Loss Prevention (DLP) and auditing to
monitor, identify, and block unauthorised flows of data into or out of the network.
d) Implement a removable media policy: Avoid the use of USB drives, external hard
disks, DVD writers, and any writable media. These devices make it easy for security
breaches to enter the network.
e) Secure websites against MITM attacks and malware infections: Use SSL (Secure sockets
Assassin to delete unwanted email from users inboxes. Users are educated to identify
junk mail.
g) Use a comprehensive endpoint security solution: Antivirus software protects devices
from malware infections, and a personal firewall and intrusion detection are also used for
endpoint protection.
h) Network-based security hardware and software: Use firewalls, gateway antivirus,
intrusion detection devices, honeypots, and monitoring to screen for DoS attacks.
i) Maintain security patches: Make sure that software and hardware defences are
updated with new antimalware signatures and the latest patches.
j) Educate your users: An informed user is a user who behaves more responsibly and
takes fewer risks with valuable company data, including email.
Summary:
The history of information security originates from computer security. Computer
security includes physical security, hardware components, and software components.
Larry Roberts developed the project called ARPANET to transfer information between different
computer centres. ARPANET is the predecessor of the internet.
Integrity: Integrity involves consistency and accuracy of data. This means the data
should be unaltered.
Information is accurate when it is free from faults or errors and has the value the user
expects.
Authentication involves more than one proof of identity; the proof might be a password, a
smart card, and much more.
The utility of information is the quality or state of having value for some purpose.
Self-Assessment Questions:
1) ARPANET is used to__________
(a) Save the data
(b) Transfer the data
(d) Destroy the data
(d) Loss
Bibliography
References
1.1. http://www.hcpro.com/PPM-311293-12342/Trends-affecting-privacy-and-informationsecurity.html
1.2. http://www.sdnet.com/article/10-security-best-practice-guidelines-for-businesses/
1.3. http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
External Resources
Video Links
www.youtube.com/watch?v=arupg0UKEMk&feature=youtu.be
https://www.youtube.com/watch?v=cYiX8ATZmQk&feature=youtu.be
www.youtube.com/watch?v=SP8cr0fg5Sg&feature=youtu.be
Table of Contents
Chapter 1.2 Key Aspects of Information Security
                                                          Page No.
Aim .......... 15
Learning Objectives .......... 15
Learning Outcome .......... 15
1.2.1 Components of Information System .......... 16
  1.2.1.(i) Software .......... 16
  1.2.1.(ii) Hardware .......... 17
  1.2.1.(iii) Data .......... 17
  1.2.1.(iv) People .......... 17
  1.2.1.(v) Procedures .......... 17
  1.2.1.(vi) Network .......... 18
1.2.2 .......... 18
1.2.3 Implementing IT Security .......... 19
1.2.4 .......... 20
  1.2.4.(i) Initiation Phase .......... 20
  1.2.4.(ii) Development Phase .......... 20
  1.2.4.(iii) Implementation Phase .......... 21
  1.2.4.(iv) Operation Phase .......... 21
  1.2.4.(v) Disposal .......... 22
1.2.5
  1.2.5.(i) Senior Management .......... 23
  1.2.5.(ii) .......... 23
  1.2.5.(iii) Data Responsibilities .......... 24
Summary .......... 25
SAQs .......... 27
Bibliography .......... 29
References .......... 29
External Resources .......... 29
Video Links .......... 29
Legends:
Aim
Learning Objectives
Learning Outcome
Advantage
Summary
Self-assessment Questions
References
External Resources
Video Links
Aim:
To familiarise students with the components of an information system and with methods of
implementing IT security
Learning Objectives:
After going through this chapter students should be able to:
Learning Outcome:
After studying this chapter, you should be able to:
System software: It manages the resources of the computer system and simplifies
programming.
Application software: These directly assist the end user in performing some task.
1.2.1.(ii). Hardware
Hardware includes the physical devices and resources used in information processing. It
provides the platform on which software is created and executed; it stores and transfers data
and also allows information on the system to be altered. Physical security tools such as locks
and keys can be used to restrict access to and interaction with the hardware components of an
information system. Since most information systems are built on hardware platforms,
restricting access to the hardware components is very complex.
Hardware components include computer systems that consist of several processing units and
computer peripherals such as input and output devices.
It is very difficult to protect hardware components such as laptops, smartphones, or
secondary storage devices. Once a device is lost, the information stored on it is also lost or
misplaced. The price of the device may be low, but the information stored on it may be
precious to an organisation or an individual.
1.2.1.(iii). Data
Any data should be secured from threats. Data is the main target of hackers and intentional
attackers. Data is the most valuable object possessed by a corporation, and it is the main use of
a DBMS (database management system). Unfortunately, many system development projects do
not make full use of the database management system's security capabilities, and in some cases
the database is implemented in ways that are less secure than traditional file systems.
1.2.1.(iv). People
People are the main ingredient of information security. This includes end users and
information specialists. End users are those who use the information system or the
information it produces, e.g. customers. Information system specialists are the persons who
develop and operate the information system, e.g. software developers and system analysts.
1.2.1.(v). Procedures
A procedure is a list of instructions for completing a specific task. When an unauthorised user
gains access to an organisation's procedures, it leads to a loss of integrity of the
information. Most companies provide procedures to all their employees, but they fail to
educate the employees in protecting the information system.
1.2.1.(vi). Network
Communication technologies and network components are the basic foundations of an
information system. Network components include communication media such as twisted-pair
wire and cellular wireless technologies. Network infrastructure emphasises that hardware,
software, and data technologies are needed to support operations.
1.2.4.(v). Disposal
In this phase, plans are developed for discarding system information, hardware and software,
and for making the transition to a new system. The information, hardware and software may be
moved to another system, archived, discarded or destroyed. If performed improperly, the
disposal phase can result in the unauthorised disclosure of sensitive data. When archiving
information, organisations should consider the requirements and methods for future retrieval.
Following are the most important and popular SDLC models followed in the industry:
Waterfall Model
Iterative Model
Spiral Model
V-Model
Big Bang Model
Champion: A champion is a senior executive who promotes the project and ensures that it
is supported at the highest levels of the organisation.
Team leader: A team leader can be a project manager who has knowledge of both project
management and information security technical requirements.
Security policy developers: Members who understand the organisation's policies and
requirements for developing and implementing successful policies.
Risk assessment specialists: People who understand financial risk assessment
techniques, the value of organisational assets, and the security methods to be used.
Security professionals: Security professionals are people who are trained and well
educated in all aspects of information security from both technical and nontechnical
standpoints.
End users: A selection of users from various departments, levels, and degrees of expertise.
Data owners: Data owners are responsible for the security and use of a set of
information. Usually, data owners are members of senior management and determine
the level of data classification. Data owners work with subordinate managers to
oversee the day-to-day administration of the data.
Data custodians: Data custodians are responsible for the storage, maintenance, and
protection of the information. They work directly with data owners. If the
organisation is comparatively large, data custodians hold dedicated positions such as
CISO. In a small company, this can be an additional responsibility of the system
administrator or technology manager.
Data users: Data users are the end users who work with information to perform specific
tasks in the organisation. Every person in the organisation is responsible for the security of
the data; hence, data users are all individuals associated with an organisation.
Summary:
Information System (IS) is a system composed of people and computers that processes or
interprets information. Information system includes a set of software, hardware, data,
people, procedures, and networks.
Hardware system includes physical devices and resources used in information processing.
This gives a platform to create and execute the software.
Information security should balance both protection and availability of information.
To achieve this balance, information security should satisfy both the user and the security
professional. The level of security must allow reasonable access while protecting against threats.
The main advantage of the bottom-up approach is the technical expertise of the individual
administrators. In the top-down approach, the project is initiated by upper-level managers.
The waterfall model describes the software development process as a linear sequential
flow.
The main role of the CIO is advising the chief executive officer, president, or company
owner on strategic planning that affects the management of information in the organisation.
Information security project team includes a number of individuals, who are experienced
in required technical or nontechnical areas.
Data owners are responsible for the security and the use of a set of information. Data
custodians are responsible for storage, maintenance, and protection of the information.
Self-Assessment Questions:
1) ____________assist the end user to perform some task
(a) System software
(b) Application software
(d) Information software
2) Information security should balance both
(a) Information and system
(c) Protection and availability
(c) SDLC
(d) Guards
13) Requirements for the confidentiality, integrity, and availability of information can be
assessed at
(a) Initiation phase
(b) Development phase
(c) Disposal
(d) Implementing phase
14) The first step in the system development life cycle (SDLC) is:
(a) Documentation
(b) Designing
(c) Initiation phase
(d) Development
Bibliography
References
1.1. http://csrc.nist.gov/publications/nistbul/april2009_system-development-life-cycle.pdf
1.2. http://www.ustudy.in/node/11805
1.3. http://www.ustudy.in/node/11832
1.4. http://www.uotechnology.edu.iq/ce/Lectures/SarmadFuad-MIS/MIS_Lecture_3.pdf
External Resources
Video Links
www.youtube.com/watch?v=oNNIHtwqFJ8&feature=youtu.be
Module 2
The Need of IT Security
Chapter 2.1
Importance of IT Security
Chapter 2.2
Challenges in IT Security
Table of Contents
Chapter 2.1 Importance of IT Security
                                                          Page No.
Aim .......... 30
Learning Objectives .......... 30
Learning Outcome .......... 30
2.1.1 Introduction .......... 31
2.1.2 Business Needs .......... 31
  2.1.2.(i) .......... 35
  2.1.2.(ii) .......... 36
Summary .......... 39
SAQs .......... 40
Bibliography .......... 41
References .......... 41
External Resources .......... 41
Video Links .......... 41
Legends:
Aim
Learning Objectives
Learning Outcome
Summary
Self-assessment Questions
References
External Resources
Video Links
Importance of IT Security
Aim:
To equip the students with the skill of information security in the business environment
Learning Objectives:
The objectives of this chapter are:
Securing an organisation's functionality
Identifying various safe operations of an application
Ways to protect an organisation's data
Learning Outcome:
After studying this chapter, you should be able to:
Define IT security for business needs
List out various methods for safe operation of applications
Explain how to manage security of data in an organisation
2.1.1. Introduction
The major role of an information security programme is to ensure that systems and their content
remain intact. The internet is a collection of loosely connected networks all over the world.
Regardless of geographical boundaries, organisations and individuals can use the internet to
access facilities such as information at any point in time. Risks come along with this easy
access to information and convenience over the internet, such as information being changed or
misused. Most organisations spend millions of dollars along with thousands of hours of
manpower on the security of their information systems.
Thus there are three important properties to consider when dealing with information on the
internet: integrity, availability and confidentiality. These help make information
available in an accurate form to those who need it, and organisations use authorisation and
authentication so that only an authorised person can access information, which keeps it
protected.
Size
Culture
Competitive environment
Other factors
Increasing Interdependencies
Social and economic processes are becoming increasingly dependent on the
functioning of existing information systems. Information systems form the central
part of many critical structures, from economic interactions and communication networks
to traffic systems. As the technical infrastructure becomes more complex, the
functioning of the society that depends on that infrastructure also becomes more complex
and more vulnerable.
Privacy/publicity management
A large number of community actors are interested in collecting and using various
kinds of data.
Software Development: Quality and security issues are increasingly taken into
account in software development.
At present the software industry is growing and aiming for predictability and a smooth flow
of work. Cloud computing is also an important driver behind the increased interest in improving
software quality and security: with cloud-based software, failures and incidents are not
limited to a single user or device but may have global repercussions.
According to Charles Cresson Wood, information security is defined as follows: "In fact, a lot
of [information security] is good management for information technology. Many people think
that a solution to a technology problem is more technology. Well, not necessarily. A lot of my
work, out of necessity, has been trying to get my clients to pay more attention to information
security as a management issue in addition to a technical issue, information security as a people
issue in addition to the technical issue."
Therefore, each organisation should implement information security in terms of its
business facts and important needs instead of treating information security as a separate issue.
In short, protecting the ability to function includes the following points:
Management is responsible
Information security is
  a management issue
  a people issue
Communities of interest must argue for information security in terms of impact and cost.
Security programmes are used to keep track of data, and of the value of the business in its data.
A security programme defines a lifecycle that helps to manage the security of data and
technology in an organisation. Securing data in motion and data at rest are both critical aspects
of information security.
Summary
Today's organisations are under immense pressure to obtain and execute integrated,
effective, and capable applications.
An organisation has no value if it doesn't have any data; it will lose its evidence and
also its capability to deliver to its customers.
Self-assessment Questions:
1) In information security, __________ means that the computer system information can be
modified only by authorised persons.
(a) Confidentiality
(b) Integrity
(c) Availability
(d) Authenticity
2) ISP stands for
(a) Internet security protocol
(c) Internet service protocol
3) Major role of information security is
(a) Detect virus
(b) Prevention from virus
(d) Information hiding
Bibliography
References
1.1. http://www.appliedtrust.com/resources/security/every-company-needs-to-have-asecurity-programme
1.2. http://software.dell.com/documents/protecting-the-organisation-against-the-unknownwhitepaper-27396.pdf
1.3. http://www.pwc.com/us/en/it-risk-security/assets/high-risk-data-discovery.pdf
External Resources
Video Links
www.youtube.com/watch?v=eUxUUarTRW4&feature=youtu.be
www.youtube.com/watch?v=whK0uIEsGF0&feature=youtu.be
Table of Contents
Chapter 2.2 Challenges in IT Security
                                                          Page No.
Aim .......... 42
Learning Objectives .......... 42
Learning Outcome .......... 42
2.2.1 Threats Landscape .......... 43
  2.2.1.(i) .......... 44
  2.2.1.(ii) .......... 45
  2.2.1.(iii) .......... 47
  2.2.1.(iv) .......... 49
2.2.2 Attack Methodologies .......... 49
  2.2.2.(i) Malicious Codes .......... 49
  2.2.2.(ii) Backdoors .......... 51
  2.2.2.(iii) Brute Force .......... 51
  2.2.2.(iv) .......... 51
  2.2.2.(v) Spoofing, Sniffing .......... 52
  2.2.2.(vi) Spam .......... 53
  2.2.2.(vii) Drive-by Exploits .......... 53
  2.2.2.(viii) .......... 54
  2.2.2.(ix) Exploit Kits .......... 54
  2.2.2.(x) Botnets .......... 54
  2.2.2.(xi) Phishing .......... 55
2.2.3 Social Engineering .......... 55
  2.2.3.(i) Human-based Methods .......... 56
  2.2.3.(ii) Computer-based Techniques .......... 56
Summary .......... 57
SAQs .......... 58
Bibliography .......... 60
References .......... 60
External Resources .......... 60
Video Links .......... 60
Legends:
Aim
Learning Objectives
Learning Outcome
Summary
Self-assessment Questions
References
External Resources
Video Links
Challenges in IT Security
Aim:
To furnish students with different techniques for preventing threats and attacks in
information technology
Learning Objectives:
After going through this chapter students should be able to:
Meaning of threats
Threats landscape
Attack methodologies
Learning Outcome:
After studying this chapter, you should be able to:
Identify threats
Describe ways to prevent threats
List out various attack methodologies
Another effort to combat piracy is the online registration process. Individuals who install
software are usually asked to register it in order to receive technical support and to use all of
its features. Many believe that this process compromises personal privacy, since people never
know exactly what information is collected from their computers and sent to the software
manufacturer.
A worm can begin its activity with or without the user downloading or executing a
file. Once a worm has infected a system, it can redistribute itself to all e-mail addresses found
on that system. A worm can also deposit copies of itself onto all web servers that the
infected system can reach, so that users who then visit those sites become infected.
There are various types of malicious code. The most common type is the virus: a code
fragment, or piece of code, used to destroy or damage target files. A virus normally waits until
the file is opened, then spreads to another file, into which the malicious code is injected.
Worm / Trojan: A worm is usually a complete file that infects one place on a given
system and then attempts to copy itself to other vulnerable systems on the network or internet.
Trojan horses are a different type of malicious code and can easily go unrecognised by the end
user. There are a number of freeware programmes on the internet that permit an attacker to
insert malicious code into most common executables. This can be countered by educating users
not to open file attachments unless they know exactly what the attachment is.
Key findings:
Theft Trojans are widely used by cyber criminals to make money.
Trojan Autorun and Conficker worms are the top threats worldwide. Even though the
vulnerabilities that allow them to infect systems have been addressed, they still claim
victims.
Trojans are the major malware threat on mobile platforms. These Trojans vary in nature
from simple SMS Trojans to multifunctional, more sophisticated Trojans.
2.2.2.(ii). Backdoors
Using a known, or previously unknown and newly developed, access method, an attacker can
gain access to a system or network resource through a backdoor. Sometimes these entries are
left behind by system designers or maintenance staff and are then called trapdoors. A trapdoor
is hard to detect, since the programmer who puts it in place usually also exempts that access
from the normal audit logging of the system.
Buffer Overflow:
In the information technology sector, the term buffer overflow circulates constantly these
days and has become synonymous with vulnerabilities and exploitation. A buffer is a storage
area that holds a predefined, finite amount of data. A buffer overflow occurs when a programme
attempts to store more data than the buffer can hold.
When the data exceeds the size of the buffer, the extra data can overflow into adjacent memory
locations, corrupting valid data and possibly changing the execution path and instructions. The
ability to exploit a buffer overflow allows one to possibly inject arbitrary code into the execution
path. This arbitrary code could allow remote system-level access, giving unauthorised access
not only to malicious hackers but also to replicating malware. Buffer overflows are generally
broken into multiple categories, based on both ease of exploitation and historical discovery of the
technique.
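As an added illustration of the mechanism described above (constructed example code, not code from this page or from any real programme), the following C model places a 16-byte name buffer directly in front of a 4-byte privilege flag, as the two might sit next to each other in a struct or stack frame. The unchecked copy behaves like strcpy() and lets an oversized input spill into the flag; the checked copy rejects input that does not fit. The memory layout, the BUF_LEN/FLAG_LEN sizes and all function names are assumptions chosen for the demonstration, and the unchecked copy is clamped to the modelled region only so that the demonstration itself never writes outside memory it owns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory layout (assumption for this example): a 16-byte name
   buffer immediately followed by a 4-byte privilege flag. */
#define BUF_LEN    16
#define FLAG_LEN   4
#define REGION_LEN (BUF_LEN + FLAG_LEN)

typedef unsigned char region_t[REGION_LEN];

/* Start from a known state: empty name, flag == 0 (no privilege). */
static void region_init(region_t region) {
    memset(region, 0, REGION_LEN);
}

/* Read the flag that lives just past the end of the name buffer. */
static uint32_t region_flag(const region_t region) {
    uint32_t flag;
    memcpy(&flag, region + BUF_LEN, FLAG_LEN);
    return flag;
}

/* Unchecked copy: writes strlen(src)+1 bytes starting at the buffer with no
   regard for BUF_LEN, which is what strcpy() does. The clamp to REGION_LEN is
   demo-only, so the write stays inside the modelled region; real vulnerable
   code has no such clamp and keeps writing into whatever follows. */
int name_copy_unchecked(region_t region, const char *src) {
    size_t n = strlen(src) + 1;
    if (n > REGION_LEN) n = REGION_LEN;  /* demo-only clamp */
    memcpy(region, src, n);
    return 0;
}

/* Checked copy: refuses any input that does not fit, terminator included,
   so the bytes after the buffer can never be touched. */
int name_copy_checked(region_t region, const char *src) {
    size_t n = strlen(src) + 1;
    if (n > BUF_LEN) return -1;          /* would overflow: reject */
    memcpy(region, src, n);
    return 0;
}

/* Run one scenario and report the flag afterwards, so the effect of an
   oversized input on the adjacent memory can be observed directly. */
uint32_t flag_after_copy(int checked, const char *src) {
    region_t region;
    region_init(region);
    if (checked) name_copy_checked(region, src);
    else         name_copy_unchecked(region, src);
    return region_flag(region);
}

int main(void) {
    char long_name[21];
    memset(long_name, 'A', 20);          /* 20 bytes: 4 too many for BUF_LEN */
    long_name[20] = '\0';

    printf("unchecked, short input: flag = 0x%08x\n", flag_after_copy(0, "alice"));
    printf("unchecked, long input:  flag = 0x%08x\n", flag_after_copy(0, long_name));
    printf("checked,   long input:  flag = 0x%08x\n", flag_after_copy(1, long_name));
    return 0;
}
```

Compile with any C99 compiler and run: the second line shows the flag overwritten with 0x41414141 (the bytes 'AAAA' that spilled past the buffer), while the checked version leaves it at 0. That is the corruption of adjacent memory the text describes; an overwrite of a saved return address or function pointer follows the same path, which is why bounded copies (a length check like the one shown, snprintf, or strncpy with explicit termination) together with compiler hardening such as stack canaries are the standard defences.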
Sniffers
A sniffer is a programme or device that can examine data travelling on a network. Sniffers can
be used both for legitimate network management functions and for stealing information.
Unauthorised sniffers are very hazardous to a network's security because they are nearly
impossible to detect and can be placed almost anywhere. This makes them a favourite weapon in
the hacker's arsenal. Sniffers usually run on TCP/IP networks, where they are sometimes called
packet sniffers. Sniffers add risk to the network because many systems and users send
information on local networks in plain text. A sniffer programme exposes all the data going by,
including passwords and data inside files such as word-processing documents and screens full of
sensitive data from applications.
2.2.2.(vi). Spam
Spam is unwanted commercial e-mail. While most consider spam a minor nuisance rather than
an attack, it has been used as a means of delivering malicious code attacks. In March 2002
there were reports of malicious code embedded in MP3 files attached to spam. The most
significant effect of spam, however, is the waste of computer and human resources. Many
organisations try to cope with the flood of spam by using e-mail filtering technologies; other
organisations simply instruct the users of the mail system to delete unwanted messages.
Key findings:
Drive-by download attacks have become the top web threat. Attackers target browser plug-ins
such as Java, Adobe Reader and others.
Drive-by download attacks are launched through legitimate websites that attackers use to host
malicious links and malicious code.
Drive-by download attacks can also occur on mobile devices.
Most drive-by download attacks come from cyber criminals who have adopted these
exploitation techniques.
Key findings:
SQL injection attacks are most popular among hacktivist groups and cyber criminals.
Cross-site scripting attacks work on any browsing technology, including mobile web
browsers.
The most critical vulnerabilities for web applications are cross-site scripting; however,
its impact is lower than that of SQL injection.
SQL injection is the top attack method against retail, technology, media and educational
websites.
Key findings:
2.2.2.(x). Botnets
A botnet is a set of compromised computers under the control of an attacker; the
compromised systems are called bots. Botnets are multi-purpose tools that can be used for
spamming, identity theft, infecting other systems and distributing malware.
Key findings:
2.2.2.(xi). Phishing
Phishing combines fraudulent e-mails and websites, used by cybercriminals to obtain
information unlawfully. Phishing uses various social engineering techniques to lure its
victims into providing information such as passwords and credit card numbers.
Key findings:
In general, sites that target financial institutions' accounts are the most active
phishing sites at any given time.
The present trend in phishing is that phishing sites target mobile platforms as well as
PCs.
Phishers host their sites on compromised servers in shared web hosting environments.
Summary:
It is very difficult to manage information security because of the many types of
threats, which can be internal or external.
Intellectual property is defined as the ownership of ideas and control over the tangible or
virtual representation of those ideas.
Deliberate software attacks take place when an individual or group plans and organises
software to attack a system and take it by surprise. Much of this organised software is
known as malicious code, malicious software or malware.
Espionage or trespass is a broad category of electronic and human behaviour which can
violate the confidentiality of information.
Trespass can lead to unauthorised actions which enable those gathering information to enter
systems they have not been authorised to enter.
A malicious code attack comprises viruses, worms, Trojan horses, and active web
scripts used to destroy or steal information.
Spoofing is a method used to gain unauthorised access to computers, in which the intruder
sends messages with a source IP address forged to indicate that the messages are coming
from a trusted host.
Self-Assessment Questions:
1) Which of the following is an independent malicious programme that does not need a host
programme?
(a) Trapdoors
(b) Trojan horse
(c) Virus
(d) Worms
2) _______ are used in denial of service attacks, typically against targeted websites.
(a) Worm
(b) Zombie
(c) Virus
(d) Trojan horse
3) The technology used to collect information about an organisation is called
____________
(a) Mutual engine
(b) Spyware
(c) Mutation technique
(d) Polymorphic technique
4) A ________ is a programme that secretly takes over another internet-attached computer
and then uses that computer to launch attacks.
(a) Worm
(b) Virus
(c) Zombie
(d) Trapdoors
5) _________ fix themselves to an existing programme and take control of that programme.
(a) Worms
(b) Viruses
(c) Spywares
(d) Trojan horse
6) The technology used to execute Trojan horse or spyware is known as?
(a) Spyware technology
(b) Trojan horse technology
(c) Bots technology
(d) Antivirus technology
7) A __________ is a file which infects in one place on system and then attempts to copy to
other systems.
(a) Virus
(b) Deadlocks
(c) Worms
(d) Trapdoors
8) What are sniffers?
(a) Used to detect the virus
(b) Used to prevent the virus
(c) Used to examine the data travelling on network
(d) Used to delete the affected data on the network
9) ________ is unwanted commercial e-mail.
(a) E-mail service
(b) Spam
(c) Sniffers
(d) Spoofing
10) When an attempt is made to make a machine or a network resource unavailable to its intended
users, the attack is called
(a) Denial-of-service attack
(b) Slow read attack
(c) Spoofed attack
(d) Starvation attack
11) What is a trapdoor in a programme?
(a) A security hole, inserted at programming time in the system for later use
(b) A type of antivirus
(c) Security hole in a network
(d) Spoofed attack
12) File virus attaches itself to the
(a) Source file
(b) Object file
(d) All of the mentioned
13) Which one of the following is a process that uses the spawn mechanism to ravage the
system performance?
(a) Worm
(b) Trojan
(c) Threat
(d) Virus
14) Which of the following is not characteristic of a virus?
(a) Virus destroys and modifies user data
(b) Virus is a standalone programme
(c) Virus is a code embedded in a legitimate programme
(d) Virus cannot be detected.
15) What is known as a DoS attack?
(a) It is an attack to block traffic on a network
(b) It is an attack to harm content stored in an HDD by worm spawn processes
(c) It is an attempt to make a machine or network resource unavailable
(d) None of the options
16) With regard to a DoS attack, which of the following options is not true?
(a) We can stop a DoS attack completely
(b) By patching OS vulnerabilities, we can stop a DoS attack to some extent
(c) A DoS attack has to be stopped at the network level
(d) Such an attack can last for hours
Bibliography
References
1.1. http://www5vip.inl.gov/technicalpublications/Documents/3494179.pdf
1.2. http://www.ijpttjournal.org/volume-3/issue-2/IJPTT-V3I2P406.pdf
1.3. http://www.black-box.com.tw/support/paper_pdf/Guide-to-CyberCrime.pdf
1.4. http://www.infosec.gov.hk/english/virus/types.html
1.5. https://www.symantec.com/avcenter/reference/blended.attacks.pdf
External Resources
Information Security Risk Analysis - Thomas R. Peltier, Third Edition, Pub: Auerbach, 2012
Operating System Concepts, 8th Edition - Abraham Silberschatz, Peter B. Galvin, Greg Gagne,
Pub: John Wiley & Sons, Inc., 2009
Information Security: Principles and Practice - Mark Stamp, 2nd Edition, Pub: John Wiley
& Sons, Inc., 2011
Video Links
Link
www.youtube.com/watch?v=OhA9PAfkJ10
www.youtube.com/watch?v=y8a3QoTg4VQ&feature=youtu.be
www.youtube.com/watch?v=zBFB34YGK1U&feature=youtu.be&list=PLY4JwKk_5ONOugMRlATNW3oYIhjgiBux
Module 3
Risk Management
Chapter 3.1
Chapter 3.2
Table of Contents
Chapter 3.1
Information Security Risk Assessment
Page No.
Aim
61
Learning Objectives
61
Learning Outcome
61
3.1.1
Introduction
62
3.1.2
Risk Identification
63
3.1.2.(i)
64
3.1.2.(ii)
65
3.1.2.(iii)
66
3.1.2.(iv)
67
3.1.2.(v)
67
68
3.1.3(i)
Likelihood
68
3.1.3.(ii)
Risk Determination
69
3.1.3
69
70
Risk Control
70
3.1.4.(i)
Defend
70
3.1.4.(ii)
Transfer
70
3.1.3.(iv)
3.1.4
3.1.4.(iii) Mitigate
3.1.5
71
72
Summary
75
SAQs
76
Bibliography
78
References
78
External Resources
78
Video Links
78
Legends:
Aim
Learning Objectives
Learning Outcome
Summary
Self-assessment Questions
References
External Resources
Video Links
Risk Management
Aim:
To equip the students with concepts of risk management in information security
Learning Objectives:
After going through this chapter students should be able to:
Learning Outcome:
After studying this chapter, you should be able to:
3.1.1. Introduction
Every organisation has its own methods of operation and responsibilities towards information
security. Organisations use automated information technology systems to process their
information and support their business. Risk management plays an important and critical role in
protecting an organisation's assets.
The main goal of an organisation's risk management process is to protect the organisation and its
ability to carry out its operations. The risk management process is not only a technical function
carried out by IT experts but is also a vital part of information security for an organisation.
Objectives of risk management:
To provide management with well-informed risk management decisions that justify the
monetary expenditure on the infrastructure needed.
Risk assessment is the determination of the extent to which an organisation's information assets
are exposed or are at risk.
Risk control is the application of controls to reduce the risks to an organisation's data and
information systems.
The different components of risk management and their relationship are as shown below:
Objectives-based risk identification: Any event that may endanger the achievement of
an objective, partly or completely, is identified as a risk.
Taxonomy-based risk identification: This is a breakdown of possible risk sources, based on a
taxonomy and best practices.
Common risk checking: In several industries, lists of known risks are available.
Each risk in the list can be checked for applicability to a particular situation.
Risk charting: This method combines the above approaches by listing the resources at risk and
the threats they face. It also notes the modifying factors which may increase or
decrease the risk, and the consequences arising from it. Creating a matrix under these
headings enables a variety of approaches, as below:
An organisation can begin with the resources and consider the threats they are exposed
to, and the consequences of each.
Alternatively, the task can start with the threats and examine which resources they would
affect.
It can also begin with the consequences and determine which combination of threats
and resources would be involved in bringing them about.
Traditional System Components | SecSDLC Components
People | Employees; Nonemployees
Procedures | Procedures
Data | Information
Software | Software
Hardware |
Procedures: These include IT and business standard procedures and IT and business-sensitive
procedures. Business-sensitive procedures are those that may enable a threat agent to attack an
organisation.
Data component: This component covers information in all its states: transmission,
processing, and storage. Data is usually associated with a database.
Data: Classification; owner, creator, and manager; size of data structure; data structure
used (sequential or relational); online or offline; location; and backup procedures
employed.
Name: The organisation can have several names for the same product. The name
chosen should be meaningful to all the groups that use the information.
Media access control (MAC) address: These are also called electronic serial
numbers or hardware addresses. The MAC address is used by the network operating
system to identify a specific network device.
realistic threats must be investigated further while the unimportant threats can be set aside. If one
assumes that every threat can and will attack every information asset, the project scope quickly
becomes so complex that it overwhelms the ability to plan.
3.1.3.(i). Likelihood
In risk assessment, a numeric value is assigned to likelihood. The National Institute of Standards
and Technology, in Special Publication 800-30, recommends assigning a number from low to
high, i.e., between 0.1 and 1.0. A number between 1 and 100 can also be used.
Policies
Programmes
Technologies
Policies: These are the documents that signify an organisation's approach to security.
Programmes: These are activities performed within an organisation to improve its security.
They include training, educating the employees, and awareness programmes.
3.1.4.(i). Defend
This strategy attempts to prevent the exploitation of vulnerabilities. It is a commonly used
approach and is accomplished by countering threats, removing vulnerabilities from assets,
limiting access to assets, and implementing protective safeguards.
The common methods used to defend are:
Implementation of policies
Education and training
Administration of technologies
3.1.4.(ii). Transfer
Transfer is a control approach that attempts to shift the risk to other assets or to other
organisations. This is a commonly used strategy for larger companies. It is accomplished by
rethinking or re-engineering services, revising development models, and outsourcing to other
organisations.
This principle is considered when an organisation begins to expand its operations. If the
organisation does not have security management and administration expertise, it should hire
individuals to perform those tasks.
3.1.4.(iii). Mitigate
This strategy is used to reduce the impact caused by the exploitation of vulnerabilities. It includes
the incident response plan, the disaster recovery plan, and the business continuity plan. All three
plans depend on the ability to identify and respond to attacks as quickly as possible.
Disaster recovery plan: It includes strategies to limit losses before and during the
disaster. Media backup is also a part of the DR plan.
Business continuity plan: This is the most strategic and long-term of the
three plans. It includes planning the steps necessary to ensure the continuation of the
organisation.
Risk Control Strategy | Categories Used by NIST SP 800-30 | Categories Used by ISACA and ISO/IEC 27001 | Others
Defend | Research and Acknowledgement | Treat | Self-protection
Transfer | Risk transference | Transfer | Risk transfer
Mitigate | | Tolerate (partial) | Self-insurance (partial)
Accept | Risk Assumption | Tolerate (partial) | Self-insurance (partial)
Terminate | Risk Avoidance | Terminate | Avoidance
High probability: It is very much expected that the threat will occur within the next year.
Medium probability: It is possible that the threat may occur during the next year.
Low probability: It is highly unlikely that the threat will occur during the next year.
Once we determine the probability of a threat occurring, it is necessary to determine the impact
of the threat on the organisation. Reviewing probability together with impact identifies
a risk level that can be assigned to each threat. Once the risk level has been established, the team
can identify appropriate actions.
Following are some of the definitions for the impact of a threat:
High impact: It is a critical impact that leads to significant loss of business or corporate
image.
Impact: A measure of the degree of financial or data loss, or of damage to the value of an asset.
[Figure: risk-level matrix with Probability (High, Medium, Low) on the vertical axis against
Impact (High, Medium, Low) on the horizontal axis; the cell values are not recoverable here.]
Asset impact: This is a number from 1 to 100, which is the result of the weighted-factor analysis.
Risk rating factor: Enter the number calculated by multiplying the asset impact by the
likelihood.
Asset | Asset Impact / Relative Value | Vulnerability | Vulnerability Likelihood | Risk-Rating Factor
Customer service request via email (inbound) | 55 | E-mail disruption due to hardware failure | 0.2 | 11
| 100 | Lost orders due to web server hardware failure | 0.1 | 10
| 100 | Lost orders due to web server or ISP service failure | 0.1 | 10
Customer service request via email (inbound) | 55 | E-mail disruption due to SMTP mail relay attack | 0.1 | 5.5
Customer service request via email (inbound) | 55 | E-mail disruption due to ISP service failure | 0.1 | 5.5
| 100 | Lost orders due to web server denial-of-service attack | 0.025 | 2.5
| 100 | Lost orders due to web server software failure | 0.01 |
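The worksheet above, together with the risk charting approaches under 3.1.2 (starting from the resources or starting from the threats), as an added Python example that is not part of the original chapter: it recomputes each row's risk-rating factor as asset impact multiplied by likelihood, ranks the rows, groups them by asset or by threat family, and flags likelihoods that fall outside the 0.1 to 1.0 band the text quotes from NIST SP 800-30. The row data is constructed from the table; the asset names for the impact-100 rows are not legible on the page and carry a placeholder label, and the risk-appetite threshold passed to above_appetite is an assumed value, not one the chapter gives.

```python
from collections import defaultdict
from dataclasses import dataclass

# Likelihood range the chapter quotes from NIST SP 800-30.
LIKELIHOOD_BAND = (0.1, 1.0)


@dataclass(frozen=True)
class WorksheetRow:
    asset: str
    asset_impact: int       # weighted-factor result, 1 to 100
    vulnerability: str
    likelihood: float

    def risk_rating_factor(self) -> float:
        """Risk-rating factor = asset impact x likelihood (rounded to 3 dp
        so that float noise such as 55 * 0.2 = 11.000000000000002 is hidden)."""
        return round(self.asset_impact * self.likelihood, 3)


# Constructed from the worksheet rows on the page.  The asset names for the
# impact-100 rows are not legible on the page, so a placeholder label is used.
UNNAMED = "[asset name not legible on page]"
EMAIL = "Customer service request via email (inbound)"
WORKSHEET = [
    WorksheetRow(EMAIL, 55, "E-mail disruption due to hardware failure", 0.2),
    WorksheetRow(UNNAMED, 100, "Lost orders due to web server hardware failure", 0.1),
    WorksheetRow(UNNAMED, 100, "Lost orders due to web server or ISP service failure", 0.1),
    WorksheetRow(EMAIL, 55, "E-mail disruption due to SMTP mail relay attack", 0.1),
    WorksheetRow(EMAIL, 55, "E-mail disruption due to ISP service failure", 0.1),
    WorksheetRow(UNNAMED, 100, "Lost orders due to web server denial-of-service attack", 0.025),
    WorksheetRow(UNNAMED, 100, "Lost orders due to web server software failure", 0.01),
]


def ranked(rows):
    """Rows ordered from highest to lowest risk-rating factor (stable for ties)."""
    return sorted(rows, key=lambda r: r.risk_rating_factor(), reverse=True)


def by_asset(rows):
    """Risk charting starting from the resources: vulnerabilities listed per asset."""
    groups = defaultdict(list)
    for r in rows:
        groups[r.asset].append(r.vulnerability)
    return dict(groups)


def by_threat_keyword(rows, keyword):
    """Risk charting starting from a threat: which assets a threat family touches."""
    return sorted({r.asset for r in rows if keyword.lower() in r.vulnerability.lower()})


def outside_likelihood_band(rows, band=LIKELIHOOD_BAND):
    """Rows whose likelihood is outside the quoted 0.1 to 1.0 band; such rows
    are on a different scale and must not be compared with the others as-is."""
    lo, hi = band
    return [r for r in rows if not lo <= r.likelihood <= hi]


def above_appetite(rows, threshold):
    """Rows whose risk-rating factor exceeds an assumed risk-appetite threshold."""
    return [r for r in rows if r.risk_rating_factor() > threshold]


if __name__ == "__main__":
    for r in ranked(WORKSHEET):
        print(f"{r.risk_rating_factor():>5}  {r.vulnerability}")
    for r in outside_likelihood_band(WORKSHEET):
        print("likelihood outside quoted band:", r.likelihood, r.vulnerability)
```

Two of the page's own rows (likelihoods 0.025 and 0.01) sit below the 0.1 lower bound the text quotes, so outside_likelihood_band returns them; before ranking a real worksheet, a reviewer would settle which scale (0.1 to 1.0 or 1 to 100) every row uses, because a factor computed on one scale cannot be ranked against a factor computed on the other.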
Summary
Risk is the potential harm that may arise from some current process or from some future
event.
Risk control is the application of controls to reduce the risks to an organisation's data and
information systems.
Transfer is a control approach that attempts to shift the risk to other assets or other
organisations. This is also a commonly used strategy for larger companies.
Mitigation is the effort to reduce loss of life and property by lessening the impact of
disasters.
Self-assessment Question:
1) Risk management is one of the most important jobs for a
(a) Client
(b) Investor
(c) Production team
(d) Risk
(d) Technologies
12) In risk control, shifting of risk from one asset to another occurs in_________
(a) Defend
(b) Transfer
(c) Mitigation
(d) Controls
13) In _________, it is very much expected that the threat will occur within the next year.
(a) Probability
(b) Medium probability
(c) High probability
(d) Low probability
14) _______ is a critical impact that leads to a significant loss of business or corporate image.
(a) Impact
(b) High impact
(c) Low impact
(d) Medium impact
15) Media backup is a part of________ plan.
(a) Incident response plan
(c) Business continuity plan
Bibliography
References
1.1. Ustudy. Risk identification. Retrieved on July 1, 2015, from
http://www.ustudy.in/node/11807
1.2. Ustudy. Risk management. Retrieved on July 1, 2015, from
http://www.ustudy.in/node/11807
1.3. Nspw. Managing risk. Retrieved on July 1, 2015, from
http://www.nspw.org/papers/2001/nspw2001-blakley.pdf
1.4. hhs. Risk management. Retrieved on July 2, 2015, from
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf
External Resources
Video Links
Topic | Link
| www.youtube.com/watch?v=BLAEuVSAlVM&feature=youtu.be
| www.youtube.com/watch?v=fY6KGN72d7Q&feature=youtu.be&list=PL2vMhKNwvYnJ9cPO263nlK7m5wh7mYE9Q
| www.youtube.com/watch?v=sPBYXuqITKg&feature=youtu.be
Risk management | www.youtube.com/watch?v=n9d7EMEzaHU&feature=youtu.be
Table of Contents
Chapter 3.2
Information Security Risk Mitigation & Controls
Page No.
Aim
79
Learning Objectives
79
Learning Outcome
79
3.2.1
80
3.2.2
80
3.2.2.(i)
Defend
81
3.2.2.(ii)
Transfer
81
3.2.2.(iii)
Mitigate
82
3.2.2.(iv)
Accept
83
3.2.2.(v)
Terminate
85
90
3.2.3
Summary
92
SAQs
93
Bibliography
94
References
94
External Resources
94
Video Links
94
Legends:
Aim
Learning Objectives
Learning Outcome
Aim:
To equip the students with concepts of mitigation techniques and best practices of risk
management
Learning Objectives:
After going through this chapter students should be able to:
Learning Outcome:
After studying this chapter, you should be able to:
3.2.1. Risk Mitigation Strategy Options, the Categories that can be Used to
Classify Controls
Risk mitigation is a systematic method used by senior management to reduce organisational
risks. Once the risk assessment is conducted, the management can use various risk mitigation
techniques to accomplish the process. There are different types of mitigation techniques.
Risk assumption: Once security management team identifies and determines the risk
level, the senior management team selects the best business decisions to accept the
possible risks. It is an acceptable outcome of the risk assessment process.
Risk avoidance: In this process, the management chooses to avoid the risks by
eliminating the process that causes risk to an organisation.
Risk limitation: After the risk assessment, risk limitation is the standard process used
to limit risks. This can be performed by implementing the security controls that minimise
the risks.
Risk planning: Risk planning is the process used to decide and manage the risk by
developing an architecture that identifies, implements, and maintains the risk controls.
Risk transference: In this case, the management transfers the risk by using other
options such as purchasing an insurance policy.
An organisation can use any mitigation technique, but the objectives of the organisation will
remain the same.
3.2.2.(i). Defend
The defend control strategy attempts to prevent the exploitation of vulnerability. This is the
preferred approach and is accomplished by means of countering threats, removing vulnerabilities
from assets, limiting access to assets, and adding protective safeguards. There are three
common methods used to defend:
Application of policies
Education and training
Implementation of technologies
3.2.2.(ii). Transfer
The transfer control strategy attempts to shift risk to other assets, other processes, or other
organisations. This can be accomplished by rethinking how services are offered, revising
deployment models, outsourcing to other organisations, purchasing insurance, or implementing
service contracts with providers. In the popular book In Search of Excellence, management
consultants Tom Peters and Robert Waterman present a series of case studies of high-performing
corporations. One of the eight characteristics of excellent organisations is that they stick to their
knitting. They stay reasonably close to the business they know. This means that Kodak, a
manufacturer of photographic equipment and chemicals, focuses on photographic equipment and
chemicals. General Motors focuses on the design and construction of cars and trucks. Neither
company spends its strategic energies on the technology of website development - for this
expertise, they rely on consultants or contractors.
This principle should be considered whenever an organisation begins to expand its operations,
including information and systems management and information security. If an organisation does
not have quality security management and administration experience, it should hire individuals
that provide such expertise. e.g.: Many organisations want web services, including web
presences, domain name registration, and domain and web hosting. Rather than implementing
their own servers and hiring their own webmasters, web systems administrators, and specialised
security experts, savvy organisations hire an ISP or a consulting organisation to provide these
products and services for them. This allows the organisation to transfer the risks associated with
the management of these complex systems to another organisation that has experience in dealing
with those risks. A side benefit of specific contract arrangements is that the provider is
responsible for disaster recovery, and through service level agreements, is responsible for
guaranteeing server and website availability.
3.2.2.(iii). Mitigate
The mitigate control strategy attempts to reduce the impact caused by the exploitation of a
vulnerability through planning and preparation. This approach requires the creation of three types
of plans: the incident response plan, the disaster recovery plan, and the business continuity plan.
Each of these plans depends on the ability to detect and respond to an attack as quickly as possible
and relies on the quality of the other plans. Mitigation begins with the early detection that an
attack is in progress and a quick, efficient, and effective response.
3.2.2.(iv). Accept
The accept control strategy is the choice to do nothing to protect a vulnerability and to accept
the outcome of its exploitation. This may or may not be a conscious business decision. The only
industry-recognised valid use of this strategy occurs when the organisation has done the
following:
This strategy is based on the conclusion that the cost of protecting an asset does not justify the
security expenditure. e.g.: Suppose it would cost an organisation $100,000 per year to protect a
server. A security assessment determined that for $10,000 the organisation could replace the
information contained in the server, replace the server itself, and cover associated recovery costs.
In this case, management may be satisfied with taking its chances and saving the money that
would normally be spent on protecting this asset.
If a vulnerability in the organisation is handled by means of acceptance, it may reflect an inability
to conduct proactive security activities and an apathetic approach to security in general. It is not
acceptable for an organisation to adopt a policy of "ignorance is bliss" and hope to avoid
litigation by pleading ignorance of its obligation to protect employee and customer information.
It is also unacceptable for management to hope that if they do not try to protect information, the
opposition will assume that there is little to be gained by an attack. The risks far outweigh the
benefits of this approach.
Risk Control Strategy | Categories Used by NIST SP 800-30 | Categories Used by ISACA and ISO/IEC 27001 | Others
Defend | Research and Acknowledgement | Treat | Self-protection
Transfer | Risk Transference | Transfer | Risk transfer
Mitigate | | Tolerate (partial) | Self-insurance (partial)
Accept | Risk Assumption | Tolerate (partial) | Self-insurance (partial)
Terminate | Risk Avoidance | Terminate | Avoidance
Plan | Description | Example | When Deployed | Time Frame
Incident Response Plan | Actions an organisation takes during incidents (attacks) | List of steps to be taken during disaster; intelligence gathering; information analysis | As incident or disaster unfolds | Immediate and real-time reaction
Disaster Recovery Plan | Preparations for recovery should a disaster occur; strategies to limit losses before and during disaster; step-by-step instructions to regain normalcy | | Immediately after the incident is labelled a disaster | Short-term recovery
Business Continuity Plan | Steps to ensure continuation of the overall business when the scale of a disaster exceeds the DR plan's ability to restore operations | Preparation steps for activation of secondary data centres; establishment of a hot site in a remote location | Immediately after the disaster is determined to affect the continued operations of the organisation | Long-term operation
3.2.2.(v). Terminate
The terminate control strategy directs the organisation to avoid those business activities that
introduce uncontrollable risks. If an organisation studies the risks of implementing business-to-consumer
e-commerce operations and determines that the risks are not sufficiently offset by
the potential benefits, the organisation may seek an alternative mechanism to meet customer needs,
perhaps developing new channels for product distribution or new partnership opportunities. By
terminating the questionable activity, the organisation reduces its risk exposure.
Preventive controls:
Risk assessment should identify, quantify, and prioritise information security risks against
defined criteria for risk acceptance and objectives relevant to the organisation. Information
gathered at risk assessment phase should guide and determine the appropriate risk management
action to protect the information security risks.
The organisation should formulate a risk treatment plan (RTP) in order to identify the
appropriate management actions, resources and responsibilities for dealing with information
security risks. The RTP should be set within the context of the organisation's information
security policy and should clearly identify the approach to risk.
PDCA:
PDCA is a four-step problem-solving technique used to improve business processes. The
four steps are plan-do-check-act. It can be used to bring about both major performance
breakthroughs and small incremental improvements in projects and processes.
PDCA is also known as the Deming wheel or the Shewhart cycle.
Phases of PDCA:
Plan: The purpose of this phase is to examine current situation, understand the nature of the
problem. It identifies all possible causes of problem and prioritises them.
Check/study: It includes analysing the effect of intervention. In this phase, new data and
baseline data are compared to determine whether an improvement is achieved or not.
Act: This phase marks the conclusion of the planning, testing and analysis regarding whether the
desired improvement was achieved as expressed in the aim statement, and the purpose is to act
upon what has been learned.
Management principles
Resources
Personnel
Information security process
Residual risk: The risk that remains even after controls have been applied is known as residual
risk, i.e., the risk after the controls. Even when vulnerabilities have been controlled as much as
possible, there is often still some risk that has not been completely removed, shifted, or planned
for. This remainder is called residual risk.
The significance of residual risk must be judged within the context of the organisation.
Although it may seem counterintuitive, the goal of information security is not to bring residual
risk to zero; it is to bring residual risk into line with an organisation's comfort zone or risk appetite.
If decision makers have been informed of uncontrolled risks and the proper authority groups
within the communities of interest have decided to leave residual risk in place, the information
security programme has accomplished its primary goal.
Applying best practices: One can study documented best-practice procedures that have
been shown to be effective and are recommended by organisations. While considering best
practices, an organisation can consider the following points:
Best practices:
Senior risk management: Senior management must be knowledgeable about risk
management and is responsible for communicating the importance of risk
management.
Using teams and committees: Most organisations use informal and formal
team mechanisms to manage risks in the organisation. These teams bring various risk
attitudes and new thinking to issues and solutions.
Using simple business risk language: A common risk language must be used from the
boardroom to the boiler room, so that everyone can understand it easily.
Risk management training: Training can cover risk assessment, safety and managing risk,
to make sure that all managers and members are aware of the risks.
Summary:
The defend control strategy attempts to prevent the exploitation of the vulnerability. An
organisation can mitigate risk to an asset by countering the threats it faces or by
eliminating its exposure.
The transfer control strategy attempts to shift risk to other assets, other processes, or other
organisations.
The mitigation control strategy attempts to reduce the impact caused by the exploitation
of vulnerability through planning and preparation.
The actions an organisation can and perhaps should take while an incident is in progress
should be specified in a document called the incident response (IR) plan.
The most common of the mitigation procedures is the disaster recovery (DR) plan. The
DR plan can include strategies to limit losses before and during the disaster.
The business continuity (BC) plan is the most strategic and long term of the three plans.
The accept control strategy is the choice to do nothing to protect a vulnerability and to
accept the outcome of its exploitation.
The terminate control strategy directs the organisation to avoid those business activities
that introduce uncontrollable risks.
Self-Assessment Questions:
1) Risk mitigation method is used by_____________
(a) Organisation
(b) Senior management
(d) Risk team
Bibliography
References
1.1. Tbs. Best practices of risk management. Retrieved on July 2, 2015, from
http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/riskmanagement/rm-pps01-eng.asp
1.2. hhs. Risk management. Retrieved on July 2, 2015, from
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf
1.3. csrc. Managing security risk. Retrieved on July 2, 2015, from
http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
External Resources
Video Links
Topic | Link
Risk mitigation | www.youtube.com/watch?v=ibVfAhy7WZQ&feature=youtu.be
Introduction to risk mitigation | www.youtube.com/watch?v=nopu1wk3oBc&feature=youtu.be
Best practices in risk management | www.youtube.com/watch?v=w4lux2BpPHo&feature=youtu.be
Module 4
Network Infrastructure Security and
Connectivity
Chapter 4.1
Chapter 4.2
Table of Contents
Chapter 4.1
Information Security Risk Assessment
Page No.
Aim
95
Learning Objectives
95
Learning Outcome
95
4.1.1
96
4.1.2
Device-Based Security
96
4.1.2.(i)
Configuring Firewall
97
4.1.2.(ii)
97
97
98
4.1.3
Media-Based Security
98
4.1.4
Network-Based Security
101
4.1.4.(i)
Intranet
102
4.1.4.(ii)
Extranet
102
4.1.2.(iv)
Summary
106
SAQs
107
Bibliography
109
References
109
External Resources
109
Video Links
109
Legends:
Aim
Learning Objectives
Learning Outcome
Summary
Self-assessment Questions
References
External Resources
Video Links
Network Infrastructure Security and Connectivity
Aim:
To furnish the students with concepts of network security
Learning Objectives:
After going through this chapter students should be able to:
Network-based security
Security components used in the media
Device-based security
Learning Outcome:
After studying this chapter, you should be able to:
Network control software should maintain an audit trail of all operation activities.
Network standards and protocols should be documented and made available to the
operators.
Network access by the system engineers should be closely monitored and reviewed to
detect unauthorised access to the network.
Types of firewalls
Many companies provide software firewalls, which are used to secure a single computer or a small
network, e.g. ZoneAlarm, a software firewall used to protect homes, offices or small
networks.
Switch: A switch can make it harder for an attacker to obtain information from the network,
although some attacks are easier to launch against it.
Virtual Private Networks (VPNs): A VPN is a method used to increase connection security.
Care should be taken while connecting; a failure may lead to a decrease in the overall system
security.
Modems: Unauthorised hardware peripherals such as modems present another threat to the network
infrastructure.
e.g.: Microsoft Network Monitor gives information about what type of traffic is travelling in
network segments.
An individual can install the network monitor alongside Dynamic Host Configuration Protocol
(DHCP). This is used to capture the packets arriving at the client computer. DHCP assigns IP
addresses to the clients connected to the network.
Media security
Media refers to devices on which data can be recorded, such as paper, CDs, DVDs, USB
sticks, backup tapes, and much more. The purpose of media security is to protect confidential
information stored on the media. All media that contain confidential information are strictly
labelled as Confidential to protect them from unauthorised access, and they are physically
controlled and securely stored.
When the information is no longer used or the project is completed, the data should be
destroyed.
Important points:
Media must be removed or deleted in a safe way if the data is no longer used.
Media in transit must be packed well and carried by a recognised courier firm.
(a) Cryptography
Cryptography is at the heart of security. To obtain privacy, we encrypt our messages at the
sender's side and decrypt them at the receiver's side. Cryptography is the science of using
mathematics to encrypt and decrypt data. It enables us to store sensitive information or
transmit it across insecure networks so that it cannot be read by anyone except the intended
recipient.
Modification: An unauthorised party not only gains access to but tampers with an
asset. This attack is on integrity.
Fabrication: An unauthorised party inserts counterfeit objects into the system. This
is an attack on authenticity.
Strong passwords
Password rotation
Spam filters
Desktop- based filters or antivirus
Digital signatures: Digital signatures are also used to protect information. In
general, a digital signature combines authentication with message integrity checking.
A digital signature uses basic public-key encryption technology to achieve integrity.
e.g.: The sender signs a document using a private key, and the receiver verifies the
signature using the corresponding public key.
One way to implement a digital signature is to use RSA-type (Rivest-Shamir-Adleman)
technology. In authentication mode the message is encrypted with the sender's private key and
sent along with the unencrypted message. Decrypting the encrypted version with the sender's
public key and comparing it with the plaintext message provides a check on both the contents
and the sender.
This can be costly in terms of computing resources and bandwidth, so an additional step
is used. A one-way mathematical transformation is applied to the message. This
transformation is called a hash function, and its output is a message digest. The digest,
rather than the whole message, is encrypted with the private key, and the result is the
digital signature.
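The hash-then-sign scheme described above, as an added example written for this page (it is not code from the chapter). It uses only the Python standard library (3.8 or later for the modular inverse), and it assumes a toy key built from two fixed Mersenne primes so that the run is deterministic; real keys are random primes of 2048 bits or more and are never public constants. It also uses textbook RSA without a padding scheme, which is enough to show the mechanism but is not how a production signature (RSA-PSS via a library) is built.

```python
# Added example (not from the chapter): hash-then-sign with textbook RSA.
import hashlib

# Toy key from two Mersenne primes (assumption for illustration only; real keys
# use random primes of 2048 bits or more and are never public constants).
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                     # public modulus
E = 65537                     # public exponent
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)           # private exponent, E*D = 1 (mod PHI); Python 3.8+


def message_digest(message: bytes) -> int:
    """The one-way transformation: SHA-256 of the message, read as an integer.
    A 256-bit digest is always smaller than the 648-bit modulus N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sender: 'encrypt' the digest with the private key. The result is the
    digital signature that travels alongside the plaintext message."""
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver: 'decrypt' the signature with the public key and compare it
    with a freshly computed digest of the received message. A mismatch means
    the message was altered or was not signed by the private-key holder."""
    return pow(signature, e, n) == message_digest(message)


def sign_whole_message(message: bytes, d: int = D, n: int = N) -> int:
    """The costly variant described first in the text: exponentiate the whole
    message rather than its digest. Only works while the message, read as an
    integer, is smaller than N, which is one reason the digest step is used."""
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for direct RSA; hash it first")
    return pow(m, d, n)


if __name__ == "__main__":
    msg = b"Pay 100 to account 42"                      # constructed sample
    sig = sign(msg)
    print(verify(msg, sig))                             # True
    print(verify(b"Pay 900 to account 42", sig))        # False: contents changed
    print(verify(msg, sig + 1))                         # False: forged signature
```

Note that the verifier recomputes the digest from the message it actually received; the signature only ever proves something about the digest, so any change to the message, however small, produces a different digest and the comparison fails.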
(c) Digital rights management or DRM
DRM is a systematic approach to copyright protection for digital media. The main
principle of DRM is to prevent unauthorised redistribution of digital media and restrict
the ways in which consumers can copy content they have purchased.
DRM products were developed in response to the rapid increase in online piracy of
commercially-marketed materials. DRM is implemented by embedding code that
prevents copying and specifies a time period in which the content can be accessed or
limits the number of devices the media can be installed on.
Network-based security offers multiple services to protect information from internal and
external threats. It works alongside both the endpoint computers and the company's internal firewalls.
4.1.4.(ii). Extranet
An extranet is the part of an intranet that is made accessible to selected users outside the
organisation, such as customers or suppliers. The purpose of an extranet is to make company
information securely available to those customers or suppliers.
An extranet requires security measures such as:
A firewall
Methods for user authentication
Encryption of information in transit
VPNs that tunnel across the internet
(a) IP security:
IP security (IPsec) is a collection of protocols used to provide security for a packet at the
IP level. IPsec does not mandate any specific encryption or authentication
algorithm; the algorithms are agreed per connection.
IPsec requires a logical connection between the two hosts, called a security association
(SA), to be set up before protected traffic is sent. An SA is a one-way relationship between
source and destination that records the protocol, algorithms and keys to be used.
IPsec operates in two different modes: transport mode and tunnel mode. The mode
defines where the IPsec header is added to the IP packet.
Transport mode: The IPsec header is added between the IP header and the rest of the packet, as
shown in the figure. The original IP header stays in place, so only the payload is protected.
Tunnel mode: In this mode, the IPsec header is placed in front of the original IP header, and
a new IP header is added in front of that. The IPsec header, the preserved original IP header, and
the rest of the packet are treated as payload, so the original addresses are protected as well.
Authenticating the client and server to each other: The SSL protocol supports the
use of cryptographic techniques to authenticate the client and the server to each other.
Securing data privacy: The data must be protected from interception and be
readable only by the intended recipients.
SSL is not a single protocol but rather a set of protocols that can be divided into two
layers. The upper layer consists of:
SSL handshake protocol
SSL change cipher spec protocol
SSL alert protocol
Application protocol (e.g.: HTTP)
A VPN creates a network that is private but virtual. It is private because it guarantees
privacy for the organisation's traffic. It is virtual because it does not use real private WANs;
it runs over the public internet instead.
Following are some of the terms used in VPN:
Private networks: A network designed for use inside an organisation, allowing access to
shared resources.
Intranet: A private network (LAN) that uses the internet model. Access to the
network is limited to users inside the organisation.
Extranet: The same as an intranet with one major difference, i.e., some resources can be
accessed by particular users outside the organisation under the control of the network
administrator.
Summary
A firewall is a device used to protect information. It acts as a shield for the internal network
against threats.
Virtual Private Networks (VPNs): A VPN is a method used to increase connection security.
A network monitor is a tool used to display and analyse the contents of the packets
transmitted across the network. It may be used by an administrator to study the
packets, or it may be misused by attackers.
Monitoring utilities help us analyse the network to improve the performance or
security of a system.
Network-based security offers multiple services to protect information from internal
and external threats.
Self-assessment Question:
1) ___________ is used to increase the connectivity in the network
(a) LAN
(b) VAN
(c) VPN
(d) NPN
2) VPN Stands for_________
(a) Visual private network
(c) Virtual process network
11) The process of turning ciphertext into plaintext is known as
(a) Encryption method
(b) Decryption method
(c) Cipher conversion
(d) Text conversion
12) In transport mode, .............. is added between the IP header and the rest of the packet.
(a) IP header
(b) IPsec header
(c) IP packet
(d) IPsec packet
13) In tunnel mode, the IPsec header is placed
(a) In front of IP header
(c) Between the IP header and packet
Bibliography
References
1.1. http://catalogue.pearsoned.co.uk/samplechapter/0789732912.pdf
1.2. http://www.sans.org/reading-room/whitepapers/basics/infrastructure-security-step-step430
External Resources
Video Links
Topic
Link
www.youtube.com/watch?v=UPmVTPyE5DM&feature=youtu.be
www.youtube.com/watch?v=gVK6S53AcA&feature=youtu.be
Table of Contents
Chapter 4.2
Introduction to Device Security and Documenting Network Security Processes
Page No.
Aim 110
Learning Objectives 110
Learning Outcome 110
4.2.1 Monitoring and Diagnosing 111
4.2.1.(i) 111
4.2.1.(ii) 113
4.2.1.(iii) 115
4.2.2 Hardening 116
4.2.2.(i) OS Hardening 116
4.2.2.(ii) Network Hardening 117
4.2.2.(iii) Application Hardening 117
4.2.3 118
4.2.3.(i) Physical Security 118
4.2.3.(ii) Network Security 119
4.2.4 120
4.2.4.(i) Policy 120
4.2.4.(ii) Standards 121
4.2.4.(iii) Guidelines 121
4.2.4.(iv) Procedures 122
Summary 123
SAQs 124
Bibliography 126
References 126
External Resources 126
Video Links 126
Legends:
Aim
Learning Objectives
Learning Outcome
Merits
Summary
Self-assessment Questions
References
External Resources
Video Links
Aim:
To furnish the students with concepts of device security and network security process
Learning Objectives:
After going through this chapter students should be able to:
Purpose of security
Firewall and classification of firewalls
Intrusion detection and prevention systems
Types of threats and remedies
Relationship between policies, standards and guidelines
Learning Outcome:
After studying this chapter, you should be able to:
Classifications of firewall
Packet filters: These are firewalls that operate at the network layer. They can only filter
packets based on the information available at the network layer. This information includes the IP
addresses of source and destination.
They may have different filtering rules for incoming and outgoing packets.
Packet filters are efficient, since each packet is processed only up to the network layer
and only the header information is examined.
Fig. 4.2.2: Packet filters (the filter sits at the network layer of the stack: application, transport, network, link, physical)
Stateful packet filter: As the name suggests, it tracks the state of each connection. A stateful
packet filter operates at the transport layer, since that is where connection information is found.
The main benefit is that, in addition to the features of a packet filter, it also keeps a record of
ongoing connections and can admit a packet because it belongs to one of them.
Figure: Stateful packet filter (the filter sits at the transport layer of the stack: application, transport, network, link, physical)
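The difference between the two classes above is easiest to see on traffic. The following is an added example written for this page, not code from the chapter: a stateless packet filter and a stateful one, each applied to the same three constructed packets. It assumes the protected network is 10.0.0.0/8, that the only permitted service is outbound HTTPS, and that packets are TCP; it tracks only the address and port tuple, whereas a real stateful filter also follows TCP flags and expires idle entries.

```python
# Added example (not from the chapter): stateless vs stateful packet filtering
# over constructed packets.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumption: the protected network is 10.0.0.0/8; everything else is outside.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter looks at (TCP assumed)."""
    src: str
    sport: int
    dst: str
    dport: int


def inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


def stateless_filter(pkt: Packet) -> str:
    """Packet filter: the decision uses this packet's header and nothing else."""
    # Rule 1: internal hosts may open HTTPS connections to the outside.
    if inside(pkt.src) and not inside(pkt.dst) and pkt.dport == 443:
        return "allow"
    # Rule 2: replies to those connections arrive from port 443 to an
    # ephemeral port. With no memory of earlier packets the filter cannot tell
    # a reply from an unsolicited packet, so it has to open the whole range.
    if not inside(pkt.src) and inside(pkt.dst) and pkt.sport == 443 and pkt.dport >= 1024:
        return "allow"
    return "deny"


class StatefulFilter:
    """Stateful packet filter: remembers connections it has let out, and admits
    inbound packets only when they belong to one of them."""

    def __init__(self) -> None:
        self.connections: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> str:
        if inside(pkt.src) and not inside(pkt.dst) and pkt.dport == 443:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: allowed only if it is the reverse of a connection we saw open.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"
        return "deny"


# Constructed traffic.
OUTBOUND = Packet("10.1.2.3", 50000, "203.0.113.7", 443)   # client opens HTTPS
REPLY = Packet("203.0.113.7", 443, "10.1.2.3", 50000)      # server answers
PROBE = Packet("198.51.100.9", 443, "10.1.2.3", 8080)      # unsolicited, from port 443


def compare() -> dict[str, tuple[str, str]]:
    """Returns {packet name: (stateless verdict, stateful verdict)}."""
    sf = StatefulFilter()
    return {
        "outbound": (stateless_filter(OUTBOUND), sf.check(OUTBOUND)),
        "reply": (stateless_filter(REPLY), sf.check(REPLY)),
        "probe": (stateless_filter(PROBE), sf.check(PROBE)),
    }


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:9s} stateless={stateless:5s} stateful={stateful}")
```

The probe packet is the point of the example: an attacker who sets his source port to 443 passes the stateless rule set, because rule 2 has to be that wide for legitimate replies to get through. The stateful filter denies it, since no internal host ever opened a connection to 198.51.100.9.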
Application proxy firewalls: These are firewalls that protect network resources by filtering
messages at the application layer, acting as a proxy. They are also called gateway firewalls.
An application proxy has a complete view of each connection and is able to filter bad or unwanted
data at the application layer.
The incoming packet is discarded and a new packet is created when the data passes through
the firewall, so no packet from the outside reaches the inside directly.
Fig. 4.2.4: Application proxy filters (the proxy sits at the application layer of the stack: application, transport, network, link, physical)
Types of IDS
Host-based IDS: Detection takes place on the host itself. These are
designed to detect attacks such as buffer overflows and have little view of network
activity.
Network-based IDS: Detection takes place on network traffic. Sensors
are placed at a strategic point or points within the network to monitor traffic to and from
all devices on the network. These are designed to detect attacks such as network probes and
malformed packets, and may overlap somewhat with firewalls.
Signature-based IDS: Here the system input or network traffic is examined for
specific patterns known to indicate an attack. A signature-based IDS compares
data on the network against a database of signatures, or attributes, of known malicious
threats. This works similarly to antivirus software detecting viruses and malware.
There are many techniques used to make signature-based detection easier. Most
signature-based IDS rely on a simple pattern-matching technique: the IDS looks for a
substring within the stream. It may also be programmed to recognise a particular series of packets.
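The substring matching just described, as an added example written for this page (not code from the chapter). The signature database, the HTTP request and its split into two packets are all constructed here; the point it shows is why the IDS must match against the reassembled stream rather than each packet on its own.

```python
# Added example (not from the chapter): signature matching per packet and over
# the reassembled stream, on constructed traffic.
from __future__ import annotations

# Constructed signature database: name -> byte pattern that indicates an attack.
SIGNATURES = {
    "SQL injection probe": b"' OR 1=1",
    "directory traversal": b"../../",
    "NOP sled": b"\x90" * 8,
}


def match_signatures(data: bytes, signatures=SIGNATURES) -> list[str]:
    """Simple pattern matching: report every signature that is a substring."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_per_packet(packets: list[bytes]) -> set[str]:
    """Inspect each packet on its own. Fast, but a pattern that is split
    across two packets is never seen whole."""
    hits: set[str] = set()
    for pkt in packets:
        hits.update(match_signatures(pkt))
    return hits


def scan_stream(packets: list[bytes]) -> set[str]:
    """Reassemble the packets into the stream they carry, then match, which
    is what 'looking for the substring within the stream' requires."""
    return set(match_signatures(b"".join(packets)))


# Constructed HTTP request carrying an injection attempt, deliberately split
# so that the pattern straddles the packet boundary.
REQUEST = b"GET /item.php?id=1' OR 1=1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SPLIT = REQUEST.index(b"OR") + 2
SPLIT_PACKETS = [REQUEST[:SPLIT], REQUEST[SPLIT:]]
BENIGN = [b"GET /item.php?id=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"]


if __name__ == "__main__":
    print("per packet:", scan_per_packet(SPLIT_PACKETS))   # set()
    print("stream    :", scan_stream(SPLIT_PACKETS))       # {'SQL injection probe'}
    print("benign    :", scan_stream(BENIGN))              # set()
```

Splitting a payload across packets is one of the oldest IDS evasion techniques, which is why network-based sensors reassemble TCP streams before applying signatures; a signature that the IDS can only see per packet is one an attacker can avoid at will.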
Anomaly-based IDS: Observed traffic is compared against an established baseline. The baseline
determines what is normal for that network; e.g.: bandwidth generally used, protocols used,
ports and devices generally connected to each other, etc. It alerts the administrator or user
when traffic is detected which is anomalous, i.e., significantly different from the baseline.
Anomaly detection is split into two categories: static and dynamic.
Static: It focuses on changes to the static (software) portion of the system and ignores hardware
changes. This is used to monitor data integrity.
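The two categories above, as an added example written for this page (not code from the chapter). The dynamic part learns a baseline of traffic volume and destination ports from constructed samples and flags deviations; the static part snapshots file digests and reports files that have changed. The training data, the file contents and the three-standard-deviation threshold are all assumptions made for the illustration.

```python
# Added example (not from the chapter): dynamic baseline anomaly detection and
# a static integrity check, on constructed data.
from __future__ import annotations

import hashlib
from statistics import mean, pstdev

# Constructed baseline: (bytes sent, destination port) per minute for one host
# during normal operation.
TRAINING = [
    (12000, 443), (15000, 443), (9000, 80), (11000, 443), (14000, 443),
    (10000, 80), (13000, 443), (12500, 443), (11500, 80), (13500, 443),
]


class TrafficBaseline:
    """Dynamic anomaly detection: learns what is normal for the network
    (traffic volume, ports in use) and flags significant deviations."""

    def __init__(self, samples, k: float = 3.0) -> None:
        volumes = [b for b, _ in samples]
        self.mu = mean(volumes)
        self.sigma = pstdev(volumes)
        self.known_ports = {port for _, port in samples}
        self.k = k   # assumption: 3 standard deviations counts as anomalous

    def check(self, bytes_sent: int, dst_port: int) -> list[str]:
        alerts = []
        if self.sigma and abs(bytes_sent - self.mu) > self.k * self.sigma:
            alerts.append(
                f"volume {bytes_sent} outside baseline {self.mu:.0f} +/- {self.k * self.sigma:.0f}")
        if dst_port not in self.known_ports:
            alerts.append(f"port {dst_port} never seen in baseline")
        return alerts


def integrity_snapshot(files: dict[str, bytes]) -> dict[str, str]:
    """Static anomaly detection: record a digest of each monitored file."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_check(snapshot: dict[str, str], files: dict[str, bytes]) -> list[str]:
    """Report files whose content no longer matches the snapshot (a missing
    file is reported too, since its digest no longer matches anything)."""
    current = integrity_snapshot(files)
    return [path for path, digest in snapshot.items() if current.get(path) != digest]


if __name__ == "__main__":
    baseline = TrafficBaseline(TRAINING)
    print(baseline.check(12800, 443))    # []
    print(baseline.check(90000, 443))    # volume alert: far above normal
    print(baseline.check(12000, 4444))   # port alert: never used before

    # Constructed in-memory stand-ins for configuration files.
    files = {"/etc/hosts": b"127.0.0.1 localhost\n",
             "/etc/passwd": b"root:x:0:0::/root:/bin/sh\n"}
    snap = integrity_snapshot(files)
    files["/etc/passwd"] += b"eve:x:0:0::/home/eve:/bin/sh\n"
    print(integrity_check(snap, files))  # ['/etc/passwd']
```

The weakness of the dynamic detector is visible in its constructor: whatever happens during the training window becomes "normal", so a baseline captured while an attacker is already active will not alert on that attacker's traffic.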
Because an IPS is an inline security component, it must work efficiently and fast. The IPS must
detect and respond accurately to eliminate threats without delaying legitimate traffic.
4.2.2. Hardening
Hardening is the process of configuring and updating a system to protect it against attacks. The
purpose of system hardening is to eliminate as many security risks as possible. Hardening is
usually achieved by reducing the system's attack surface.
4.2.2.(i). OS Hardening
Hardening an operating system means configuring it so that the possibilities for internal and
external attacks are limited. Methods of hardening differ from one OS to another,
but the concepts involved are similar for all operating systems.
Basic operating system hardening techniques are as follows:
Nonessential services: The operating system is configured to run only the services its
assigned task needs. e.g.: Unless the system is meant to serve web pages, there is no need
to have an HTTP service running on it.
Patches and fixes: It is important that the operating system is kept updated with the latest
patches and bug fixes.
File and directory protection: Access to files and directories can be strictly
controlled using access control lists or file permissions.
File and file system encryption: Some file systems provide an option for
encryption. Sensitive data should be stored on a file system with encryption features.
Unnecessary protocols: All unnecessary protocols and services are disabled and
removed from hosts on the network.
Ports: Unwanted ports are blocked by the firewall, and the associated services are disabled on
hosts within the network.
Application patches are supplied by the vendor who sells the application. There are many varieties
of patches, some of which are explained as follows:
Hot fixes: Hot fixes are small pieces of code used to fix a specific problem.
Patches: Patches are a collection of fixes. These are released when a serious problem
has to be addressed.
Analysis: The system analyses and correlates the data or events to identify
situations of interest.
Reporting: The software tracks all the information for reporting and analysis.
Audit trail: It also monitors how each operator interacts with the system and keeps
track of manual changes to the system.
Data modification: An attacker can access or modify confidential data without the
knowledge of the sender or receiver.
IP address spoofing: Once an attacker is able to impersonate a trusted IP address, he can modify
or delete confidential data. He can also modify the server and network configuration.
Computer virus: A small piece of software which can spread from one infected
computer to another. A virus can corrupt, delete or steal data from the computer.
Trojan horse: A Trojan horse does not replicate itself. It can record
passwords by logging keystrokes. A system is infected simply by downloading and running an
application that carries it.
Data backup system: Data is secured as a backup. Backups are very useful in case of
any hardware or software damage.
Operating system: An operating system must be kept up to date with current patches and
updates. The OS must have good security tools and features.
Firewalls: A firewall is a network security system that controls incoming and
outgoing network traffic based on an applied rule set.
IP security: Using IP security, the data is encrypted and then sent to the receiver, thus
securing the data in transit.
Technical policy: It assigns the security responsibilities for the system and is more detailed
than the governing policy. It answers the what, when, why and where questions of the security policy.
Figure: policy hierarchy (governing policy at the top; technical policies and end-user policies beneath it)
End-user policy: It conveys all important topics to the end user. It answers the security policy
questions at the appropriate level.
4.2.4.(ii). Standards
Standards consist of low-level mandatory controls which help to support the information
security policy. A standard normally contains security controls relating to a specific technology.
Standards improve the efficiency of the security systems. They also provide consistency in the
network. e.g.: If you support 100 routers, the configuration should be similar for all routers. If
you do not do this, it is very difficult to maintain security.
4.2.4.(iii). Guidelines
Guidelines consist of recommended, non-mandatory controls that support standards and act as
standards in the absence of a standard. Guidelines are similar to standards but are more
flexible and are not mandatory. Guidelines and standards can be explained using an example as
follows:
A password must have at least 8 characters (standard), whereas a password should expire in 30 days
(guideline).
That is, the 8-character minimum is a mandatory condition, known as a standard.
The 30-day expiry is a guideline, which is recommended but not mandatory.
4.2.4.(iv). Procedures
Procedures are step-by-step instructions to assist workers or users in implementing the
policies, standards and guidelines.
A supporting data standard builds upon this, and the sensitive information is encrypted
using a specific encryption method.
A supporting guideline explains the instructions for recording the sensitive data.
Summary:
A firewall is a network security system, either hardware or software, that controls the
incoming and outgoing network traffic based on an applied rule set.
A firewall decides what to let in and out of the network. Packet filters, stateful packet filters
and application proxies are the three types of firewalls.
There are different types of IDS, such as signature-based IDS and anomaly-based IDS.
Hardening is the process of configuring and updating the system to protect it against attacks.
It is a very important step in protecting personal data and information.
Network security is the process of protecting hardware and software from unauthorised
access, malfunction and modification. It creates a secure platform for computers.
An information security policy consists of high-level statements used to protect the
information of a business or organisation. These are formulated by senior management.
Self-Assessment Questions:
1) What is firewall in computer network?
(a) Physical boundary of network
(b) An operating system of computer network
(c) A system designed to prevent unauthorised access
(d) A web browsing software
2) Which of the following can be software?
(a) Routers
(b) Firewalls
(c) Gateway
(d) Modems
(d) Procedures
Bibliography
References
1.1 http://www.securnet.biz/Ebooks/Network_Security.pdf
1.2 https://www.paloaltonetworks.com/resources/learning-center/what-is-an-intrusionprevention-system-ips.html
1.3 http://www.techotopia.com/index.php/Security_Baselines_and_Operating_System%2C_Network_and_Application_Hardening#Operating_System_Hardening
External Resources
Video Links
Topic: Firewalls
Link: www.youtube.com/watch?v=xnqC2aPb00&feature=youtu.be
Topic: Intrusion detection system
Link: www.youtube.com/watch?v=tMBGU2Ct04c&feature=youtu.be
Topic: Intrusion detection vs. Intrusion prevention systems
Link: www.youtube.com/watch?v=rvKQtRklwQ4&feature=youtu.be
Topic: Operating system hardening
Link: www.youtube.com/watch?v=Rv4h8wcSyf8&feature=youtu.be