Edition 1

Year of Publication: 2015


Sivaram Sivasubramanian

Confidentiality & Proprietary Information


This is a confidential document prepared by iNurture. This document, or any portion thereof,
should not be made available to any persons other than the authorized and designated staff of the
company/institution/ Vendor to which it has been submitted.
No part of this document may be reproduced, stored in a retrieval system, or transmitted, in any
form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without
the prior written permission of iNurture.

How to use the Self Learning Material


The pedagogy imbibed to design this course is to enable you to assimilate the concepts and
processes with ease.
The course is divided into FOUR MODULES. Each module is categorically divided into TWO
CHAPTERS. Each chapter consists of the following elements:

CHAPTER:
1. Table of Contents: Every chapter consists of a well-defined table of contents.
   For e.g.: 1.1.8.(i) should be read as Module 1, Chapter 1, Topic 8, Sub-topic (i), and
   1.2.8.(ii) should be read as Module 1, Chapter 2, Topic 8, Sub-topic (ii).
2. Aim: Aim refers to the overall goal to be achieved through the chapter.
3. Learning Objectives: Learning Objectives define what the chapter intends to deliver.
4. Learning Outcome: Learning Outcome refers to what you will be able to accomplish by going
   through the chapter.
5. Advantages: Advantages denote the positive aspects of that particular method, theory or practice.
6. Disadvantages: Disadvantages denote the drawbacks of the particular method, theory or practice.
7. Summary: Summary is the nutshell of the entire chapter in the form of points.
8. Self-assessment: Self-assessment contains a set of multiple-choice questions enabling you to
   check your knowledge upon completion.
9. References: References is a list of online resources which have been used while designing
   the chapter.
10. External Resources: External Resources is a list of scholarly books for additional sources
    of knowledge.
11. Video Links: The Video Links table will help you to understand how these concepts are
    discussed in detail by the industry today.

Information Security Fundamentals


Course Description
Information security was first studied in the early 1970s; today it has evolved into an
imperative and highly complex domain. This course provides a broad overview of information
security. Information security (IS) is designed to protect the confidentiality, integrity, and
availability of computer system data from malicious intentions. Information security is a method
designed to secure sensitive information from unauthorised access, use, deletion, or
modification.
Students will be able to demonstrate their understanding of information security ideas by
organising, comparing, and interpreting the facts. Students can also identify the best practices
that are used to protect information, and learn to diversify the protection strategy.
iNurture's Information Security Fundamentals course is designed to serve as a stepping stone
for you to build a career in Information Technology.
The INFORMATION SECURITY FUNDAMENTALS COURSE contains FOUR MODULES with TWO CHAPTERS
in each module:

Module 1: Introduction to Information Security - introduces the general concepts and
evolution of information security.
Chapter 1: Fundamentals of Information Security
Chapter 2: Key Aspects of Information Security

Module 2: The Need for IT Security - describes the importance of and challenges in IT
security.
Chapter 1: Importance of IT Security
Chapter 2: Challenges in IT Security

Module 3: Risk Management - deals with risk assessment, risk mitigation and control
methodologies.
Chapter 1: Information Security Risk Assessment
Chapter 2: Information Security Risk Mitigation and Controls

Module 4: Network Infrastructure Security and Connectivity - depicts network security
and basic features of device security.
Chapter 1: Fundamentals of Network Security
Chapter 2: Introduction to Device Security and Documenting Network
Security Processes

Information Security Fundamentals

                                                                              Page No.
Module 1    Introduction to Information Security
  Chapter 1.1   Fundamentals of Information Security
  Chapter 1.2   Key Aspects of Information Security                               15

Module 2    The Need of IT Security
  Chapter 2.1   Importance of IT Security                                         30
  Chapter 2.2   Challenges in IT Security                                         42

Module 3    Risk Management
  Chapter 3.1   Information Security Risk Assessment                              61
  Chapter 3.2   Information Security Risk Mitigation and Controls                 79

Module 4    Network Infrastructure Security and Connectivity
  Chapter 4.1   Fundamentals of Network Security                                  95
  Chapter 4.2   Introduction to Device Security and Documenting
                Network Security Processes                                       110

Module 1
Introduction to Information Security
Chapter 1.1

Fundamentals of Information Security

Chapter 1.2

Key Aspects of Information Security

Table of Contents
Chapter 1.1  Fundamentals of Information Security                             Page No.
Aim
Learning Objectives
Learning Outcome                                                                    1
1.1.1   Definition and Evolution of Information Security
        1.1.1.(i)   Evolution of Information Security
        1.1.1.(ii)  Information Security
1.1.2   Basic Principles and Critical Concepts of Information Security
        1.1.2.(i)   Basic Principles
        1.1.2.(ii)  Critical Concepts of Information Security
1.1.3   Key terms of Information Security
1.1.4   Overview on the Best Practices in Information Security                     10
Summary                                                                            11
SAQs                                                                               12
Bibliography                                                                       14
References                                                                         14
External Resources                                                                 14
Video Links                                                                        14

Legends:
Aim
Learning Objectives
Learning Outcome
Summary
Self-assessment Questions
References
External Resources
Video Links

Introduction to Information Security

Fundamentals of Information Security

Aim:
To equip the students with the basic concepts and terms of information security

Learning Objectives:
After going through this chapter students should be able to understand:
- Basic concepts of information security
- Definition and evolution of information security
- Principles of information security

Learning Outcome:
After studying this chapter, you should be able to:
- Explain the definition of information security
- Discuss the concepts of information security
- Illustrate the principles of information security
- Describe the evolution of information security


1.1.1. Definition & Evolution of Information Security

Information security is a method designed to secure sensitive information from unauthorised
access, use, deletion, or modification. The terms information security and computer security are
interrelated and share the common goal of protecting the confidentiality, availability, and
integrity of information or data.
According to James Anderson, executive consultant at Emagined Security, information security
in an enterprise is a well-informed sense of assurance that the information risks and controls
are in balance.

1.1.1.(i). Evolution of Information Security

The history of information security originates from computer security. Computer security
comprises physical security, software components, and hardware components. At the time of
World War II, multiple levels of security were used to secure the mainframe and its information.
The rising requirement to handle national security eventually led to more elaborate and more
technologically sophisticated computer security safeguards.
In the early years, information security was a simple process composed of physical security and
simple documentation schemes. The main threats to information security were physical theft,
espionage, and sabotage.

a) The 1960s
During the Cold War, many more mainframes were brought online to accomplish more complex
and sophisticated tasks. It became crucial for mainframes to communicate through a more
secure process than exchanging magnetic tapes between computer centres. Hence, the
Department of Defense's Advanced Research Projects Agency (ARPA) began examining methods
for a simple way to communicate and to support the military exchange of information. Larry
Roberts developed a project called ARPANET to transfer information between different
computer centres. ARPANET is the predecessor of the internet.


Fig. 1.1.1: Development of ARPANET (the figure reproduces the cover of the ARPANET Program
Plan with a handwritten annotation; its text is transcribed below)

ARPANET Program Plan, June 3, 1968, Advanced Research Projects Agency, Washington, D.C. 20301

Annotation in the figure: "In ARPA, the Program Plan is the master document describing a
major program. This plan, which I wrote in 1968, had the following concepts:
1. Objectives - Develop Networking and Resource Sharing
2. Technical Need - Linking Computers
3. Military Need - Resource Sharing, Not Nuclear War
4. Prior Work - MIT-SDC experiment
5. Effect on ARPA - Link 17 Computer Research Centers, Network Research
6. Plan - Develop IMPs and start 12/69
7. Cost - $3.4M for 68-71"

Program Plan No. 723
Date: 3 June 1968
RESOURCE SHARING COMPUTER NETWORKS
A. Objective of the program
The objective of this program is twofold: (1) to develop techniques and obtain experience on
interconnecting computers in such a way that a very broad class of interactions are possible,
and (2) to improve and increase computer research productivity through resource sharing. By
establishing a network tying IPT's research centres together, both goals are achieved. In fact,
the most efficient way to develop the techniques needed for an effective network is by involving
the research talent at these centres in prototype activity.
Just as time-shared computer systems have permitted groups of hundreds of individual users to
share hardware and software resources with one another, networks connecting dozens of such
systems will permit resource sharing between thousands of users. Each system, by virtue of
being time-shared, can offer its services to another computer system on demand. The most
important criterion for the type of network interconnection desired is that any user or program
on any of the networked computers can utilize any program or subsystem available on any other
computer without having to modify the remote program.


b) The 1970s and 1980s
By the next decade, ARPANET had become well known and widely used, and misuse of it grew as
well. In December 1973, Robert M. "Bob" Metcalfe, who is recognised for the development of
Ethernet, identified the fundamental problems with ARPANET security: individual remote sites
did not have sufficient controls to secure data from unauthorised remote users.
In June 1967, the Advanced Research Projects Agency formed a task force to study the
process of securing the information in computer systems. The Rand Report R609 was the
first recognised and published document to identify the role of management and policy
issues in computer security. The main cause of the security risk introduced into computer
systems was the use of networking components in military information systems.


The scope of computer security includes:
- Securing the data or information.
- Preventing random and unauthorised access to the data.
- Involving personnel from multiple levels of the organisation in matters pertaining to
  information security.

c) MULTICS
Multiplexed Information and Computing Service (MULTICS) is an early operating system
notable for computer security: it was the first operating system to integrate security into its
core functions. MULTICS implemented several security levels and passwords.

d) The 1990s
In the 1990s computers became more popular and were connected to networks so that they could
communicate with one another. This resulted in the internet and made it available to the public.
The internet has become an interconnection of millions of networks.
At the beginning, these connections were based on de facto standards. These standards did little
to ensure the security of information, and internet deployment treated security as a low
priority. At that time, all internet users were scientists and hence security was not considered
necessary. As computers became available to the public, stored information became more
exposed to security threats.

e) 2000 to present
Nowadays, the internet brings millions of unsecured computer networks into communication
with each other. Therefore, it is necessary to secure data and information, and information
security has become a very important aspect of national security. The growing threat of
attacks has made governments and companies more aware of security.

1.1.1.(ii). Information Security

Normally, security is the quality or state of being secure or unaltered. Information security is a
method designed and implemented to secure confidential or sensitive information from
unauthorised access, use, deletion, or modification.


A successful organisation should have the following security layers to protect its operations:
- Physical security: To protect physical items and objects.
- Personnel security: To protect the individual or group of individuals who are authorised to
  access the organisation.
- Operations security: To protect the details of particular operations.
- Communications security: To protect the communications media.
- Network security: To protect networking components and connections.
- Information security: To protect the confidentiality and availability of information.

Information security (IS) is designed to protect the confidentiality, integrity, and availability of
computer system data from malicious intentions. Many organisations employ a dedicated
security group to implement and maintain the organisation's information security program.

Confidentiality: Confidentiality refers to limiting information access to authorised users and
preventing unauthorised access. It is related to the wider concept of data privacy. It includes
authentication methods like user IDs and passwords, which identify data system users and
control access to data system resources.

Fig. 1.1.2: CIA model

Integrity: Integrity involves the consistency and accuracy of data. This means data should be
unaltered.

Availability: As the name suggests, it is the availability of information resources.


1.1.2. Basic Principles and Critical Concepts of Information Security

1.1.2.(i). Basic Principles
The basic principles of information security are arranged in a three-level hierarchy.
a) Pervasive Principles: The Pervasive Principles offer common governance-level
guidance to build and handle the security of information. These principles form the
essentials of the Broad Functional Principles and the Detailed Principles. Security of
information is attained through the preservation of proper confidentiality, integrity, and
availability. The Pervasive Principles deal with:
- Confidentiality: This means that information is only seen or used by people
  who are authorised to access it.
- Integrity: This means that any change to the information by an unauthorised user is
  impossible (or at least detected), and changes by authorised users are tracked.
- Availability: This means that the information is accessible when authorised users
  need it.

b) Broad Functional Principles
The Broad Functional Principles (BFP) are derived from the Pervasive Principles (PP),
which signify the broad conceptual aims of information security. By providing the basis for
operational execution of the Pervasive Principles, the Broad Functional Principles are the
building blocks (what to do at a high level) which incorporate the Pervasive Principles and
permit definition of the essential units of those principles. As the Broad Functional
Principles are smaller in scope, they are simpler to address in terms of implementation,
planning, and execution.

c) Detailed Security Principles
The Detailed Security Principles specifically address methods of achieving compliance with
the Broad Functional Principles with respect to existing environments and accessible
technology. There are many detailed information security principles supporting one or
more Broad Functional Principles.


The Detailed Principles address changing technology environments, standards, practices,
and concepts which are related to the Broad Functional Principles. The Detailed
Principles are expected to evolve continually to meet the challenge of emerging technology
and upcoming threats.

1.1.2.(ii). Critical Concepts of Information Security

The value of information depends upon the characteristics it possesses. The value may increase
or decrease as those characteristics change. Some of the characteristics or concepts of
information security are discussed below:
a) Availability: Availability permits the authorised person to access information without
any difficulty. Consider the example of a research library that requires identification before
entry. Librarians secure the library's holdings so that they are accessible only to authorised
patrons. Once authorised patrons have access to the contents of the stacks, they expect to find
the information they require in a usable format and familiar language, which in this case
normally means bound in a book and written in English.
b) Accuracy: Information is known to be accurate when it is free from faults or errors,
and it has the value which the user expects. If information is altered or changed, it is no
longer accurate. Consider the example of checking the balance of an account. Assume that the
information in your account is an accurate representation of your finances. Wrong
information in your account can result from external or internal errors. If a bank teller, for
instance, wrongly adds to or subtracts from your account, the value of the information is
altered. Or, you may mistakenly enter an incorrect amount into your account register.
Moreover, an inaccurate bank balance could lead to mistakes such as a cheque bouncing.
c) Authenticity: Authentication involves more than one proof of identity. The proof might
be a password, a smart card, and many more. Authentication and authorisation go hand in
hand: users must be authenticated before carrying out the activity they are authorised to
perform. Information is authentic when it is in the same condition in which it was
generated, placed, stored, or transferred. Consider e-mail: when you receive an
e-mail, you assume that a particular individual or group generated and sent the
e-mail and that you know its origin. This is not always the case. E-mail
spoofing, the act of sending an e-mail message with a modified field such as the
sender's address, can trick e-mail recipients into thinking that messages are legitimate traffic,
thus inducing them to open e-mail they otherwise might not have opened.


Spoofing can also change data being transferred across a network, as in the case of User
Datagram Protocol (UDP) packet spoofing, which can allow an attacker to gain access to data
stored on computing systems.
d) Confidentiality: Confidentiality is securing the data from unauthorised access.
Information has confidentiality when it is protected from unauthorised individuals or systems.
Confidentiality ensures that only those with the rights and privileges to access
information are able to do so. When unauthorised individuals or systems can inspect
information, confidentiality is violated. To secure the confidentiality of information, you
can use a number of measures, including the following:
- Information classification
- Secure document storage
- Application of general security policies
- Education of information custodians and end users

Examples of confidentiality violations are an employee throwing away a document
containing critical information without shredding it, or a hacker who successfully breaks into
the internal database of a web-based organisation and steals sensitive data about the
clients such as names, addresses, and credit card numbers.
e) Integrity: Integrity of information means that the data or information remains
unchanged while it is stored or transmitted. The integrity of information is threatened when
the information is exposed to corruption. This loss of integrity can be caused by external
forces like hackers. Transferring data on a circuit with a low voltage level can change
and corrupt the data. Redundancy bits and check bits can compensate for internal and
external threats to the integrity of information.
f) Utility: Utility of information is the quality or state of having value for some purpose.
Information has value when it can serve a purpose. If information is accessible, but is not
in a format meaningful to the end user, it is not useful. e.g.: To a private citizen, U.S.
Census data can rapidly become vast and tough to interpret; however, for a politician, U.S.
Census data discloses information about the residents in a district such as their race, gender,
and age. This information can help shape a politician's next campaign strategy.


g) Possession: The possession of information is the quality or state of ownership or control.
Information is said to be in one's possession if one obtains it, independent of format or other
characteristics. While a violation of confidentiality often results in a violation of
possession, a violation of possession does not necessarily result in a breach of confidentiality.
e.g.: Assume a company stores its critical customer data using an encrypted file system.
An employee who has quit chooses to take a copy of the tape backups to sell the
customer lists to a competitor. The removal of the tapes from their secure environment
is a violation of possession. However, as the data is encrypted, neither the employee nor
anyone else can read it without the appropriate decryption methods.
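Item (e) above states that redundancy bits and check bits can compensate for threats to integrity. The following added example (not from the textbook) makes that concrete in Python using only the standard library: a CRC-32 checksum catches the accidental corruption the text describes (a noisy circuit flipping a bit), while a keyed HMAC-SHA256 tag is also needed to detect deliberate modification, because a plain checksum can be recomputed by whoever altered the data. The record, the key and the flipped bit position are constructed sample values.

```python
import hashlib
import hmac
import zlib

# Constructed sample record (not from the textbook): one stored bank transaction line.
RECORD = b"acct=12345;amount=250.00;currency=INR;to=acct-98765"
# Constructed demo key; a real system would load this from a key store, never from source.
KEY = b"demo-integrity-key-not-for-production"


def crc_tag(data: bytes) -> int:
    """Redundancy/check bits in the sense of the text: a CRC-32 over the data.
    It catches accidental corruption such as noise-induced bit flips."""
    return zlib.crc32(data) & 0xFFFFFFFF


def mac_tag(data: bytes, key: bytes) -> bytes:
    """Keyed integrity tag (HMAC-SHA256). Unlike a CRC it cannot be recomputed
    without the key, so it also detects deliberate modification."""
    return hmac.new(key, data, hashlib.sha256).digest()


def crc_ok(data: bytes, tag: int) -> bool:
    return crc_tag(data) == tag


def mac_ok(data: bytes, tag: bytes, key: bytes) -> bool:
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(mac_tag(data, key), tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate line noise on a low-voltage circuit: flip a single bit."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def integrity_demo() -> dict:
    """Store both tags with the original record, then verify three later states."""
    stored_crc = crc_tag(RECORD)
    stored_mac = mac_tag(RECORD, KEY)

    # 1. Accidental corruption: one flipped bit (bit 37 is a constructed choice).
    noisy = flip_bit(RECORD, 37)
    # 2. Deliberate modification of the amount. Whoever edits the data can also
    #    recompute the CRC to match it, but cannot produce a valid HMAC without KEY.
    altered = RECORD.replace(b"250.00", b"2500.00")

    return {
        "clean_crc": crc_ok(RECORD, stored_crc),
        "clean_mac": mac_ok(RECORD, stored_mac, KEY),
        "noise_crc": crc_ok(noisy, stored_crc),
        "noise_mac": mac_ok(noisy, stored_mac, KEY),
        "tamper_crc_recomputed": crc_ok(altered, crc_tag(altered)),
        "tamper_mac": mac_ok(altered, stored_mac, KEY),
    }


if __name__ == "__main__":
    for name, ok in integrity_demo().items():
        print(f"{name:22s} {'pass' if ok else 'FAIL'}")
```

The CRC detects the flipped bit but accepts the altered record once its checksum is recomputed; only the keyed tag fails for the altered record, which is why integrity protection against hostile modification uses a MAC (or a digital signature) rather than a checksum alone.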

1.1.3. Key terms of Information Security

- Access: Access is the ability to use an object or a thing. An authorised user has legal
  access to information, whereas hackers have illegal access.
- Asset: An asset can be a website, information, or data of the organisation that is being
  protected. Assets are the focus of information security efforts.
- Attack: An attack is an intentional or unintentional act which causes damage to
  information. Someone reading sensitive information that is not intended for his or her use
  is a passive attack. A hacker attempting to break into an information system is an intentional
  attack.
- Exploit: A technique used to compromise a system. Threat agents may attempt to
  exploit a system or other information asset by using it illegally for their profit. An exploit
  takes advantage of vulnerabilities.
- Exposure: A condition or state of being exposed. In information security, exposure
  exists when a vulnerability known to an attacker is present.
- Loss: An instance of information damage or unauthorised modification. When an
  organisation's information is stolen, it suffers a loss.
- Risk: The possibility that something wrong or unwanted will happen. An organisation
  must minimise risk to protect its information.
- Threat: A threat is an object or person that presents a danger to information or an asset.
  Threats can be purposeful or undirected.


- Vulnerability: A weakness or fault in a system or protection mechanism that exposes it
  to attack or damage. Some examples of vulnerabilities are: flaws in a software
  package, an unprotected system port, and an unlocked door. Some well-known
  vulnerabilities have been examined, documented, and published; others remain latent (or
  undiscovered).

1.1.4. Overview on the Best Practices in Information Security

a) Data encryption: Encryption is essential to protect sensitive data. Whether the information
is stored or transmitted, the data should be encrypted to protect against data loss.
b) Use digital certificates to sign all your sites: Obtain certificates from trusted
authorities and store them on hardware devices such as routers or load balancers rather than
on the web servers.
c) Implement DLP and auditing: Use Data Loss Prevention (DLP) and auditing to
monitor, identify, and block the overflow of data into or out of the network.
d) Implement a removable media policy: Avoid the use of USB drives, external hard
disks, DVD writers, and any writable media. These devices make it easy for security
breaches to enter the network.
e) Secure websites against MITM and malware infections: Use SSL (Secure Sockets
Layer) and scan websites regularly for malware.
f) Use a spam filter on e-mail servers: Use a time-tested spam filter like SpamAssassin
to remove unwanted e-mail from users' inboxes, and educate users to identify junk mail.
g) Use a comprehensive endpoint security solution: Antivirus software is used to
protect against malware infections on devices; a personal firewall and intrusion
detection are also used for endpoint protection.
h) Network-based security hardware and software: Use firewalls, gateway antivirus,
intrusion detection devices, honeypots, and monitoring to screen for DoS attacks.
i) Maintain security patches: Make sure that software and hardware defences are
updated with new anti-malware signatures and the latest patches.
j) Educate your users: An informed user is a user who behaves more responsibly and
takes fewer risks with valuable company data, including e-mail.
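Item (c) above recommends DLP to identify and block data flowing out of the network. The following added example (not from the textbook, and not the logic of any DLP product) shows the core of one such check in Python: it scans constructed outbound-event lines for payment card numbers, uses the Luhn check to reject digit strings that merely look like card numbers, masks confirmed matches so the audit log itself does not leak them, and returns a block/allow decision per event. The timestamps, user names, hosts and message bodies are constructed samples; the card number is the widely used test value 4111 1111 1111 1111, not a real account.

```python
import re

# Constructed outbound events (not from the textbook). The second line carries the
# well-known test card number 4111 1111 1111 1111; the first carries a 16-digit
# order reference that is NOT a card number (it fails the Luhn check).
SAMPLE_EVENTS = [
    "2015-03-02 10:14:05 user=asmith dst=mail.example.com body='order ref 1234567890123456'",
    "2015-03-02 10:16:40 user=jdoe dst=upload.example.net body='card 4111 1111 1111 1111 exp 12/19'",
    "2015-03-02 10:20:11 user=ops dst=intranet.example.com body='weekly report attached'",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not part of
# a longer digit run. Timestamps like 10:14:05 stop at the colon and stay too short.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the DLP log does not itself leak the number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect(event: str) -> dict:
    """Classify one outbound event; return the decision and a redacted log line."""
    def redact(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask(digits)
        return m.group()        # digit run that is not a card number: leave as is

    redacted = CANDIDATE.sub(redact, event)
    found = redacted != event   # something was masked, so a card number was present
    return {"action": "block" if found else "allow", "log": redacted}


def scan(events: list) -> list:
    return [inspect(e) for e in events]


if __name__ == "__main__":
    for result in scan(SAMPLE_EVENTS):
        print(result["action"].upper(), result["log"])
```

The Luhn step is what keeps the first event from being blocked: a pattern-only rule would treat any long digit string as a card number and generate false positives, which is the usual reason DLP rules are tuned with validators and context rather than regular expressions alone.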


Summary:
- Information security is a method designed to secure sensitive information from
  unauthorised access, use, deletion, or modification.
- The history of information security originates from computer security. Computer
  security includes physical security, hardware components, and software components.
- In the 1960s, information security became essential for mainframes to communicate via a
  more secure process than magnetic tapes between computer centres.
- Larry Roberts developed the project called ARPANET to transfer information to different
  computer centres. ARPANET is the predecessor of the internet.
- Multiplexed Information and Computing Service (MULTICS) is a computer security
  process of earlier days.
- Confidentiality: Confidentiality refers to limiting information access to authorised
  users and preventing unauthorised access.
- Integrity: Integrity involves the consistency and accuracy of data. This means the data
  should be unaltered.
- Availability: As the name suggests, it is the availability of information resources.
- Information is known to be accurate when it is free from faults or errors, and it has the
  value which the user expects.
- Authentication involves more than one proof of identity. The proof might be a password,
  a smart card, and much more.
- The utility of information is the quality or state of having value for some purpose.
- The possession of information is the quality or state of ownership or control.


Self-Assessment Questions:
1) ARPANET is used to __________
(a) Save the data
(b) Transfer the data
(c) Secure the data
(d) Destroy the data
2) Which of the following represents the three goals of information security?
(a) Confidentiality, integrity, and availability
(b) Prevention, detection, and response
(c) People controls, process controls, and technology controls
(d) Network security, PC security, and mainframe security
3) Which of the following terms best describes the assurance that data has not been changed
unintentionally due to an accident or malice?
(a) Availability
(b) Confidentiality
(c) Integrity
(d) Auditing
4) The CIA triad is often represented by which of the following?
(a) Triangle
(b) Diagonal
(c) Ellipse
(d) Circle
5) Related to information security, confidentiality is the opposite of which of the following?
(a) Closure
(b) Exposure
(c) Disaster
(d) Disposal
6) __________ is used to delete unwanted emails.
(a) Virus
(b) Spam
(c) Email server
(d) Email delete
7) The ability to use an object or data is known as
(a) Accuracy
(b) Access
(c) Exploit
(d) Loss
8) Which of the following information security characteristics belongs to the content dimension
of information quality?
(a) Reliability
(b) Accuracy
(c) Clarity
(d) Frequency
9) Which of the following terms best describes the absence or weakness in a system that
may possibly be exploited?
(a) Vulnerability
(b) Threat
(c) Risk
(d) Exposure
10) Which of the following terms describes how to take advantage of a vulnerability?
(a) Risk
(b) Exploit
(c) Threat
(d) Program


11) MULTICS stands for
(a) Multiple information and computer services
(b) Multinational information and computing service
(c) Multiplexed information and computing service
(d) Multiplexed information and computing standards
12) Which was the first recognised document to classify the role of management and policy?
(a) Rand Report R609
(b) Rand Report R906
(c) Rand Report R096
(d) Rand Report R696
13) Which of the following terms best describes the probability that a threat to an information
system will happen?
(a) Threat
(b) Vulnerability
(c) Hole
(d) Risk
14) __________ are expected to meet the challenges of emerging technology and upcoming
threats.
(a) Detailed Security Principles
(b) Broad Functional Principles
(c) Pervasive Principles
(d) Information principles
15) DLP is implemented to
(a) Recognise secured data
(b) Block overflow of data
(c) Secure hardware
(d) Secure software


Bibliography
References
1.1. http://www.hcpro.com/PPM-311293-12342/Trends-affecting-privacy-and-informationsecurity.html
1.2. http://www.sdnet.com/article/10-security-best-practice-guidelines-for-businesses/
1.3. http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA

External Resources
Bosworth, S., Kabay, M. E., & Whyne, E. (2014). Computer Security (6th ed., Vol. 1). New Jersey:
John Wiley & Sons.
Peltier, T. R. (2005). Information Security Risk Analysis (2nd ed.). Boca Raton, London,
New York: Auerbach Publications.
Whitman, M. E., & Mattord, H. J. (2011). Principles of Information Security. USA: Course
Technology.

Video Links
Topic                                     Link
Introduction to information security      www.youtube.com/watch?v=arupg0UKEMk&feature=youtu.be
Evolution of information security         https://www.youtube.com/watch?v=cYiX8ATZmQk&feature=youtu.be
Concepts of information security          www.youtube.com/watch?v=SP8cr0fg5Sg&feature=youtu.be


Table of Contents
Chapter 1.2  Key Aspects of Information Security                               Page No.
Aim                                                                                15
Learning Objectives                                                                15
Learning Outcome                                                                   15
1.2.1   Components of Information System                                           16
        1.2.1(i)    Software                                                       16
        1.2.1(ii)   Hardware                                                       17
        1.2.1(iii)  Data                                                           17
        1.2.1(iv)   People                                                         17
        1.2.1(v)    Procedures                                                     17
        1.2.1(vi)   Network                                                        18
1.2.2   Balancing Information Security and Access                                  18
1.2.3   Implementing IT Security                                                   19
1.2.4   System Development Lifecycle                                               20
        1.2.4.(i)   Initiation Phase                                               20
        1.2.4.(ii)  Development Phase                                              20
        1.2.4.(iii) Implementation Phase                                           21
        1.2.4.(iv)  Operation Phase                                                21
        1.2.4.(v)   Disposal                                                       22
1.2.5   Roles and Responsibilities of Security Professionals in an Organisation    22
        1.2.5.(i)   Senior Management                                              23
        1.2.5.(ii)  Information Security Project Team                              23
        1.2.5.(iii) Data Responsibilities                                          24
Summary                                                                            25
SAQs                                                                               27
Bibliography                                                                       29
References                                                                         29
External Resources                                                                 29
Video Links                                                                        29


Introduction to Information Security

Key Aspects of Information Security

Aim:
To furnish the students with the components of an information system and the implementation methods of IT security

Learning Objectives:
After going through this chapter, students should be able to understand:
- Components of the information system
- Balancing between information security and access
- Implementation methodologies of IT security
- Responsibilities of security professionals in an organisation

Learning Outcome:
After studying this chapter, you should be able to:
- Explain the components of an information system
- Illustrate the balancing of information security and access
- Discuss the responsibilities of security professionals
- Describe SDLC
- Implement methodologies of IT security


1.2.1. Components of the Information System

An information system includes a set of software, hardware, data, people, procedures, and networks which together make possible the use of information resources in the organisation. These components allow information to be input, processed, output, and stored. Every information system has its own advantages and disadvantages, as well as its own characteristics and uses.

Fig. 1.2.1: Components of Information System


1.2.1.(i). Software
Software is a set of instructions. It is written in a specialised language to perform a particular programme or task. The software component of an information system includes the operating system, applications, and command utilities. Software is perhaps the most difficult information system component to protect from threats.
Software comprises two categories:
- System software: It manages the resources of the computer system and simplifies programming.
- Application software: These directly assist the end user to perform some task.
Normally, software is created under the constraints of project management. Information technology reports regularly warn of holes, bugs, or other basic problems in software. Software handles all the information of an organisation, yet information security is usually implemented as an addition rather than as an integral part of it, which makes software an easy target of intentional or unintentional attacks.


1.2.1.(ii). Hardware
The hardware system includes the physical devices and resources used in information processing. It provides the platform on which software is created and executed. It stores and transfers data and also provides the means to alter information in the system. Physical security tools like locks and keys can be used to restrict access to and interaction with the hardware components of an information system. Most information systems are built on hardware platforms, yet it is very difficult to restrict access to the hardware components.
Hardware components include computer systems that consist of several processing units and computer peripherals such as input and output devices.
It is very difficult to protect hardware components such as laptops, smartphones, or secondary storage devices. Once a device is lost, the information stored on it is also lost or misplaced. The price of the device may be low, but the information stored on it may be precious to an organisation or an individual.

1.2.1.(iii). Data
All data should be secured from threats. Data is the main target of hackers and intentional attackers. Data is the most valuable object possessed by a corporation, and protecting it is a major purpose of a DBMS (database management system). Unfortunately, many system development projects do not make full use of the database management system's security capabilities, and in some cases the database is implemented in ways that are less secure than traditional file systems.

1.2.1.(iv). People
People are the main ingredient of information security. This includes end users and information specialists. End users are those who use the information system or the information it produces, e.g., customers. Information system specialists are the persons who develop and operate the information system, e.g., software developers and system analysts.

1.2.1.(v). Procedures
A procedure is a list of instructions to complete a specific task. When an unauthorised user gets access to an organisation's procedures, it leads to loss of integrity of the information. Most companies provide procedures to all their employees, but they fail to educate the employees on protecting the information system.


Educating employees is very important to secure the organisational procedures. Therefore, awareness of procedures, as with all sensitive information, should be distributed among members of the organisation only on an as-needed basis.

1.2.1.(vi). Network
Communication technologies and network components are the basic fundamentals of an information system. The network component includes communication media such as twisted-pair wire and cellular wireless technologies. Network infrastructure emphasises that hardware, software, and data technologies are needed to support the operations.

1.2.2. Balancing Information Security and Access

Information security is a process and cannot be complete without the essential standards being strictly adhered to. Information security should balance both the protection and the availability of information. Using the internet, one can access information from anywhere, at any time. However, this unhindered access to information leads to threats to the integrity of the information. On the other hand, an absolutely secure information system would not be accessible to unauthorised persons. To achieve balance, i.e., so that information security satisfies both the user and the security professional, the level of security must allow reasonable access while protecting against threats. Because of today's security concerns and problems, an information system department can become well established in the management and security of systems. Imbalance can occur when the requirements of the end user are undermined by too heavy a focus on securing and administering the information systems. Both information security technologists and end users should recognise that both groups share the same goal of the organisation: to make sure that the data is available when, where, and how it is wanted, with minimal delays or obstacles.

Fig. 1.2.2: Balancing information security and access


1.2.3. Implementing IT Security

Implementation of information security must begin somewhere in an organisation, and it is not a simple process which happens in a specific timeframe. In reality, securing information assets is a complicated process that requires coordination, time, and patience. Information security often starts with the system administrators who improve the security of their own systems. This is referred to as the bottom-up approach.
The main advantage of the bottom-up approach is the technical expertise of the individual administrators, who work with information systems on a day-to-day basis and hence acquire in-depth knowledge which is used to enhance the development of an information security system. Unfortunately, this approach does not work in all conditions, as it lacks a number of critical features such as participant support and organisational staying power.
In the top-down approach, a project is initiated by upper-level managers. These managers issue the policies, procedures, and processes, and dictate the goals and expected outcomes, so there is a higher probability of success. This approach has upper management support and usually has dedicated funding.
The most successful kind of top-down approach involves a formal development strategy referred to as the system development lifecycle. Normally, this involves executives such as the chief information officer or the vice-president of information technology.

Fig. 1.2.3: Implementation of IT security


1.2.4. System Development Lifecycle

Information security must be implemented and managed in an organisation to protect the information. Information security is implemented in an organisation by using the system development lifecycle.
SDLC is a set of methodologies, or a process, for designing and implementing information security. There are many different SDLC models and methodologies. Generally, all the methodologies consist of a series of steps or phases. Information security must be integrated into the SDLC to make sure appropriate protection for the information is provided.
Following are some of the benefits of integrating security into the SDLC:
- Early identification and mitigation of security vulnerabilities.
- Awareness of possible engineering challenges caused by mandatory security controls.
- Recognition of shared security services and reuse of strategies and tools.
- Improved organisation and customer confidence to facilitate adoption and use of systems.
- Improved interoperability and integration.

The system development lifecycle includes the different phases shown below:

1.2.4.(i). Initiation Phase

The initiation phase is the first phase in the SDLC. During this phase, the organisation establishes the requirements for a system and documents its purpose. Security planning should begin in this phase with the identification of key security roles; the information security officer should also be identified.
Requirements for the confidentiality, integrity, and availability of information should be assessed at this stage. Any information privacy requirements should be determined as well.

1.2.4.(ii). Development/Acquisition Phase

It begins with the information gathered during the initiation phase. During this phase, the system is designed, programmed, or developed. The main security activity in this phase is conducting a risk assessment and using its results to choose the security controls.
The risk assessment enables the organisation to determine the risks to operations, assets, and individuals resulting from the operation of the information system. This phase ends with the documentation of the results and an update of the initiation-phase documents.


Fig. 1.2.4: Software Development Life Cycle


1.2.4.(iii). Implementation Phase
In this phase, the organisation configures and enables the system's security features. These features are tested for their functionality and installed or implemented on the system, and a formal authorisation to operate the system is obtained. Before placing the system into operation, reviews and system tests should be performed to make sure that it meets all the requirements of the security specifications.

1.2.4.(iv). Operation and Maintenance Phase

During this phase, the systems and products are in place, and enhancements or modifications to the system are developed. Hardware and software components may be added or replaced. An organisation should constantly monitor the performance of the system to make sure that it is consistent with the pre-established user and security requirements. Configuration management (CM) and control activities should be conducted to document any changes to the system's security plan.


1.2.4.(v). Disposal
In this phase, plans are developed for discarding system information, hardware, and software, and for making the transition to a new system. The information, hardware, and software may be moved to another system, archived, discarded, or destroyed. If performed improperly, the disposal phase can result in the unauthorised disclosure of sensitive data. While archiving information, organisations should consider the requirements and the methods for future retrieval.
Following are the most important and popular SDLC models followed in the industry:
- Waterfall Model
- Iterative Model
- Spiral Model
- V-Model
- Big Bang Model

The waterfall method of SDLC is shown below:

The waterfall model describes the software development process as a linear sequential flow; hence it is also referred to as a linear-sequential lifecycle model. This means that any phase in the development process begins only when the previous phase is complete. In the waterfall model, phases do not overlap.

Fig. 1.2.5: SDLC waterfall model

1.2.5. Roles & Responsibilities of Security Professionals in the Organisation

As we know, information security performs best with a top-down approach. Senior management is the key component of security and plays a vital role in information security, but administrator support is also essential to develop and execute specific policies and procedures.


The following is a description of the information security responsibilities of various professionals in an organisation.

1.2.5.(i). Senior Management

- Chief information officer (CIO): The CIO is also called the vice-president of information or VP of information technology. The main role of the CIO is advising the chief executive officer, president, or company owner on strategic planning that affects the management of information in the organisation. The CIO translates the strategic plans of the organisation into information plans for the information system.

- Chief information security officer (CISO): The CISO is normally referred to as the manager of IT security or the security administrator. The CISO usually reports to the CIO. The main role of the CISO is the assessment, management, and implementation of information security in the organisation.

1.2.5.(ii). Information Security Project Team

The information security project team includes a number of individuals who are experienced in technical or non-technical areas. These members are needed to design, manage, and implement the security factors in the organisation. The roles of the information security project team are:

- Champion: The champion is a senior executive who promotes the project and makes sure it is supported at the highest levels of the organisation.
- Team leader: The team leader can be a project manager who has knowledge of project management and of information security technical requirements.
- Security policy developers: Members who understand the organisation's policies and requirements for developing and implementing successful policies.
- Risk assessment specialists: People who understand financial risk assessment techniques, the importance of organisational assets, and the security methods to be used.
- Security professionals: Security professionals are people who are trained and well educated in all aspects of information security from both the technical and the non-technical standpoint.


- System administrators: People with primary responsibility for administering the systems. Database administrators design and implement database structures.
- End users: A selection of users from various departments, levels, and degrees.

1.2.5.(iii). Data Responsibilities

There are three types of data ownership roles:

- Data owners: Data owners are responsible for the security and the use of a set of information. Usually, data owners are members of senior management and determine the level of data classification. The data owners work with subordinate managers to manage the day-to-day administration of the data.
- Data custodians: Data custodians are responsible for the storage, maintenance, and protection of the information. They work directly with the data owners. If the organisation is comparatively big, data custodians will hold dedicated positions such as CISO. In a small company, this can be an additional responsibility of the system administrator or technology manager.
- Data users: Data users are the end users who work with information to perform specific tasks in the organisation. Every person in the organisation is responsible for the security of the data. Hence, data users are nothing but all individuals associated with an organisation.
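The owner, custodian and user roles above are easiest to see as an access check. The following Python program is an added example, not code from this textbook or from any of its references: data owners set a classification level and a need-to-know group list on each data set, the custodian enforces both the user's clearance and need-to-know (the as-needed distribution that section 1.2.1.(v) asks for with procedures), and every decision is logged so that denials can be reviewed. All organisation names, users, groups and data sets are constructed for illustration.

```python
"""Added example of owner / custodian / user data responsibilities.

Constructed model, not the textbook's own code. The data owner decides the
classification; the custodian enforces it; users only ever ask. Everything
below (users, groups, data sets) is made up for illustration.
"""
from enum import IntEnum
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


class Level(IntEnum):
    """Classification levels; the data owner picks one per data set."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass
class DataSet:
    name: str
    owner: str                    # the data owner (a senior management role)
    level: Level
    need_to_know: FrozenSet[str]  # groups with a business need for this data


@dataclass
class User:
    name: str
    clearance: Level
    groups: FrozenSet[str]


class Custodian:
    """The data custodian stores data sets and enforces the owners' decisions."""

    def __init__(self) -> None:
        self.datasets: Dict[str, DataSet] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (user, data set, outcome)

    def register(self, ds: DataSet) -> None:
        self.datasets[ds.name] = ds

    def classify(self, actor: str, name: str, level: Level,
                 need_to_know: Optional[FrozenSet[str]] = None) -> None:
        """Only the registered owner may change a data set's classification."""
        ds = self.datasets[name]
        if actor != ds.owner:
            raise PermissionError(f"{actor} is not the owner of {name}")
        ds.level = level
        if need_to_know is not None:
            ds.need_to_know = need_to_know

    def can_access(self, user: User, name: str) -> bool:
        """Clearance must dominate the level AND the user must have need-to-know.

        Clearance alone is not enough: a RESTRICTED-cleared user with no
        business need for a RESTRICTED data set is still refused.
        """
        ds = self.datasets[name]
        if user.clearance < ds.level:
            return False
        if ds.level == Level.PUBLIC:
            return True
        return bool(user.groups & ds.need_to_know)

    def access(self, user: User, name: str) -> bool:
        """Decide and record; the audit trail is what a review would read."""
        allowed = self.can_access(user, name)
        self.audit.append((user.name, name, "allowed" if allowed else "denied"))
        return allowed

    def denials(self) -> List[Tuple[str, str]]:
        return [(u, d) for u, d, o in self.audit if o == "denied"]


def try_reclassify(c: Custodian, actor: str, name: str, level: Level,
                   need_to_know: Optional[FrozenSet[str]] = None) -> bool:
    """Wrap classify() so a refused reclassification is reported, not raised."""
    try:
        c.classify(actor, name, level, need_to_know)
        return True
    except PermissionError:
        return False


def build_demo() -> Tuple[Custodian, Dict[str, User]]:
    """Constructed sample organisation (hypothetical names and data sets)."""
    c = Custodian()
    c.register(DataSet("payroll", "hr-director", Level.CONFIDENTIAL, frozenset({"hr", "finance"})))
    c.register(DataSet("press-kit", "comms-head", Level.PUBLIC, frozenset()))
    c.register(DataSet("merger-plan", "ceo", Level.RESTRICTED, frozenset({"exec"})))
    users = {
        "alice": User("alice", Level.CONFIDENTIAL, frozenset({"finance", "staff"})),
        "bob": User("bob", Level.RESTRICTED, frozenset({"hr", "staff"})),
        "carol": User("carol", Level.PUBLIC, frozenset()),
    }
    return c, users


if __name__ == "__main__":
    c, u = build_demo()
    for who, what in [("alice", "payroll"), ("bob", "merger-plan"), ("carol", "press-kit")]:
        print(who, what, c.access(u[who], what))
    # Only the owner may tighten the classification; alice's attempt is refused.
    print("alice reclassifies payroll:", try_reclassify(c, "alice", "payroll", Level.RESTRICTED))
    print("owner reclassifies press-kit:", try_reclassify(c, "comms-head", "press-kit", Level.INTERNAL, frozenset({"staff"})))
    print("carol press-kit after reclassification:", c.access(u["carol"], "press-kit"))
    print("denied:", c.denials())
```

The design point is the separation of duties the section describes: `classify` is the owner's decision, `can_access` is the custodian's enforcement, and the user never touches either. Bob's refused access to the merger plan shows that need-to-know is checked independently of clearance, which is the same as-needed principle applied to procedures in section 1.2.1.(v).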


Summary:
- An Information System (IS) is a system composed of people and computers that processes or interprets information. An information system includes a set of software, hardware, data, people, procedures, and networks.
- Software is a set of instructions written in a specialised language to perform a particular programme or task.
- The hardware system includes the physical devices and resources used in information processing. It provides the platform on which software is created and executed.
- A procedure is a list of instructions to complete a specific task. When an unauthorised user gets access to an organisation's procedures, it leads to loss of integrity of the information.
- Information security should balance both the protection and the availability of information.
- To achieve balance, information security should satisfy both the user and the security professional. The level of security must allow reasonable access while protecting against threats.
- The main advantage of the bottom-up approach is the technical expertise of the individual administrators. In the top-down approach, the project is initiated by upper-level managers.
- Information security is implemented in an organisation by using the system development lifecycle.
- SDLC is a set of methodologies, or a process, for designing and implementing information security.
- The waterfall model describes the software development process as a linear sequential flow.
- The main role of the CIO is advising the chief executive officer, president, or company owner on strategic planning that affects the management of information in the organisation.
- The chief information security officer (CISO) is normally referred to as the manager of IT security or the security administrator.


- The information security project team includes a number of individuals who are experienced in the required technical or non-technical areas.
- Data owners are responsible for the security and the use of a set of information. Data custodians are responsible for the storage, maintenance, and protection of the information.


Self-Assessment Questions:
1) ____________ assist the end user to perform some task
(a) System software
(b) Application software
(c) SDLC
(d) Information software
2) Information security should balance both
(a) Information and system
(b) Information and software
(c) Protection and availability
(d) Information and availability
3) Bottom-up approach starts from
(a) CEO
(b) VP system
(c) Security manager
(d) System admin
4) Top-down approach begins from
(a) CEO
(b) VP system
(c) Security manager
(d) System admin
5) Information security is implemented by using
(a) SDLC
(b) Top-down approach
(c) Bottom-up approach
(d) Implementation software
6) SDLC uses a __________
(a) Bottom-up approach
(b) Top-down approach
(c) Implementation software
(d) System development software
7) SDLC stands for
(a) System development lifecycle
(b) System display lifecycle
(c) Software development lifecycle
(d) Software display lifecycle
8) The phases of SDLC do not overlap in
(a) Waterfall model
(b) Circular model
(c) Spiral model
(d) SDLC model
9) Who translates the strategic plans of the organisation into information plans?
(a) CISO
(b) CIO
(c) System admin
(d) Project manager
10) Implementation and management of information is the main role of __________
(a) CISO
(b) CIO
(c) System admin
(d) Project manager


11) The organisational policies and procedures are developed by
(a) Team leader
(b) Security policy developer
(c) CIO
(d) Security professionals
12) Maintenance and protection of information is carried out by
(a) Data users
(b) Data custodians
(c) Data owners
(d) Guards
13) Requirements for the confidentiality, integrity, and availability of information can be assessed at
(a) Initiation phase
(b) Development phase
(c) Disposal
(d) Implementing phase
14) The first step in the system development life cycle (SDLC) is:
(a) Documentation
(b) Designing
(c) Initiation phase
(d) Development
15) ___________ design and implement database structures.
(a) Programmers
(b) Project manager
(c) Technical writer
(d) Database administrator


Bibliography
References
1.1. http://csrc.nist.gov/publications/nistbul/april2009_system-development-life-cycle.pdf
1.2. http://www.ustudy.in/node/11805
1.3. http://www.ustudy.in/node/11832
1.4. http://www.uotechnology.edu.iq/ce/Lectures/SarmadFuad-MIS/MIS_Lecture_3.pdf

External Resources
Bosworth, S., Kabay, M. E., & Whyne, E. (2014). Computer Security (6th ed., Vol. 1). New Jersey: John Wiley & Sons.
Peltier, T. R. (2005). Information Security Risk Analysis (2nd ed.). Boca Raton, London, New York: Auerbach Publications.
Whitman, M. E., & Mattord, H. J. (2011). Principles of Information Security. USA: Course Technology.

Video Links
Topic: Components of information security
Link: www.youtube.com/watch?v=XlcolUHMnh0
Topic: SDLC
Link: www.youtube.com/watch?v=oNNIHtwqFJ8&feature=youtu.be


Module 2
The Need of IT Security
Chapter 2.1 Importance of IT Security
Chapter 2.2 Challenges in IT Security

Table of Contents
Chapter 2.1 Importance of IT Security
Page No.
Aim  30
Learning Objectives  30
Learning Outcome  30
2.1.1  Introduction  31
2.1.2  Business Needs  31
2.1.2.(i)  Protecting the Functionality of an Organisation  35
2.1.2.(ii)  Enabling the Safe Operation of Applications  36
2.1.2.(iii)  Protecting Data that Organisations Collect and Use  37
2.1.2.(iv)  Safeguarding Technology Assets in Organisations  37
Summary  39
SAQs  40
Bibliography  41
References  41
External Resources  41
Video Links  41


The Need for IT Security

Importance of IT Security

Aim:
To equip the students with the skills of information security in the business environment

Learning Objectives:
The objectives of this chapter are:
- Securing an organisation's functionality
- Identifying various safe operations of an application
- Ways to protect an organisation's data

Learning Outcome:
After studying this chapter, you should be able to:
- Define IT security for business needs
- List out various methods for safe operation of applications
- Explain how to manage security of data in an organisation


2.1.1. Introduction
The major role of an information security programme is to ensure that the system and its content remain unaltered. The internet is a collection of loosely connected networks all over the world. Regardless of geographical boundaries, an organisation or an individual can use the internet to access its facilities, such as information, at any point of time. However, risks come along with easy access to information and convenience over the internet, such as changing or misusing the information. Most organisations spend millions of dollars along with thousands of hours of manpower on the security of their information systems.
Thus, there are three important things to be considered while dealing with information on the internet: integrity, availability and confidentiality. These help to make information available, in an accurate form, to those who need it, and organisations use authorisation and authentication so that only an authorised person can have access to the information, which keeps it protected.

2.1.2. Business Needs

In every organisation, regardless of its size, there should be a programme or plan to make sure the security of information is taken care of. This is known as a security programme. It helps to keep an organisation's information security at the desired level by measuring the risks that might be encountered during business processing. There also need to be policies on how to overcome any threat events, and plans to keep security practices and programmes up to date.
The structure of information security in each organisation varies depending on the following factors:
- Size
- Culture
- Competitive environment
- Other factors

Current information security trends

These trends explain the factors that affect security management and the conceptual relationships that connect these trends to information security and privacy issues.

Increasing Interdependencies

The interdependency between societal processes and information systems increases.


Social and economic processes are becoming increasingly dependent on the functioning of existing information systems. Information systems form a central part of many critical structures, from economic interactions and communication networks to traffic systems. As the technical infrastructure becomes more complex, the functioning of society, which depends on that infrastructure, also becomes more complex and vulnerable.

New interdependencies between organisations and the state emerge.

New interdependencies can also emerge between organisations, companies and states, e.g., if critical functionalities of public institutions are dispersed around different countries and handled by various private companies, public institutions become dependent on the propriety of other actors' practices. ICT (information and communication technology) creates new lock-ins between organisations. Lock-in refers to strong interdependencies or relationships between actors.

Internationalisation: Information security issues become more international.

As ICT networks and businesses are global, and users, servers and companies are positioned in different locations, the need for international coordination of information security and privacy issues increases. The globalisation of information security occurs in parallel with economic and social globalisation processes. Generally, ICT is developed to function irrespective of the user's location. However, it is also actively used for blocking digital communication traffic across national borders.
Cloud computing also plays a vital role in information security. Recent developments in the field of computing have enormously changed the way of computing and the concept of computing resources. In a cloud computing infrastructure, the resources are normally on someone else's premises and are accessed remotely by the cloud users. The security challenges of the cloud computing approach are somewhat dynamic and vast. Location transparency is one of the major flexibilities of cloud computing and, at the same time, a security threat. Existing contemporary cloud-based services have been found to suffer from vulnerability issues, with possible security loopholes that could be exploited by an attacker. Security and privacy are both concerns in cloud computing.

Privacy/publicity management

The need to manage private or confidential information and public appearances in ICT environments increases.


Individuals, organisations and companies need to manage their confidential information and public appearances. Individuals produce content and traces. The control of one's digital content, footprints and privacy might be handled by individuals themselves or by groups. The major problem here is the usability and transparency of information systems. Individuals need ICT skills and an understanding of the functionality of the services they use.

Protection of personal data becomes a considerable political issue.

Individuals are increasingly aware of their rights over personal data, i.e., what information about them is stored, where the information is being stored and how it is being processed and distributed, and they expect these requirements to be satisfied. It has been argued that in future, questions about privacy and information management will become more central and complex.

Validity of Information: It becomes increasingly difficult to ensure the correctness of information.
Difficulties in ensuring the correctness of information include:
- The amount of information that is collected and available continues to explode.
- Information is increasingly collected and combined from different sources.
- As a result of the combination of different information sources, information itself becomes more complex.
- The processed information is often the result of automatic collection and combination procedures.

Data Collection: Data gathering increases.

As data gathering increases, factors like capacity and computer resources also increase. Factors affecting data collection and data distribution are:
- A large number of community actors are interested in collecting and using various kinds of data.
- Many companies see data as an important asset for creating revenue.


Interconnected ICT-devices enable easy data collection, processing, storage and


distribution.

Data Combination: Data combination from different sources increases.


Combination of different data types and sources would be increasing in following years.
As the techniques for data combination and system interoperability would be developed.
Considerable technical factors include increasing efficiency of computer hardware, and
the interconnectivity of heterogeneous networks which will increase the amount of data
available and at the same time, facilitate its processing.

Traceability of persons and goods: Traceability of persons and goods increases.


Traceability of persons and goods increases due to new technologies and the growing
trends in data collection and storage. Traceability of goods is strongly connected to the
development of Internet, whereas traceability of persons is a result of passive and active
traces that individuals leave when they use various ICT-mediated services.

Protection of Information Systems: Malicious action against information systems


increases.
As the interactions between individuals, groups and organisations increases, the
malicious action against the information systems also increases. Interconnectivity and
dependencies between information systems and networks creates vulnerabilities which
are the targets of malicious action. Many security protections like firewall are used to
protect the information.

Software Development: Quality and security issues are increasingly taken into
account in software development.

At present, the software industry is growing and aiming for predictability and a smooth flow
of work. Cloud computing is also an important driver behind the increased interest in
improving software quality and security. With cloud-based software, failures and incidents
are not only related to a single user or device but may also have global repercussions.

Automation: Automation/autonomous systems are increasingly employed to effect
security.

In information security, human errors form a significant percentage of vulnerabilities. A
recent report states that only half of end devices are protected in a large part of the world.
Exploit writing can be accomplished routinely with specialised tools; for common end-user
systems, exploits can even be obtained in ready-made form. The challenging part of the
criminal activity is to remain undetected and to break into guarded systems.

Access to Information: Availability of information increases as more and more public
information resources are opened.

The availability of organisational, governmental and other kinds of information collected
by public bodies increases as more public information resources are opened for citizens and
for commercial purposes. The process is intensified by new technical standards and open
interfaces, and by a belief that opening data resources provides new ground for economic
and social innovation. Although public demand for opening public information resources is
strong, legal data protection issues and slow action by the authorities might diminish the
trend.

Information security performs four important functions in an organisation:

• Protecting the organisation's ability to function.
• Enabling safe operation of applications running on an organisation's IT systems.
• Protecting the data that an organisation collects and uses.
• Safeguarding an organisation's technology assets.

2.1.2.(i). Protecting the Functionality of an Organisation

Information security is necessary to carry out the organisation's functions in a secure manner.
IT management and general management are responsible for this. Many business and
government managers shy away from addressing information security because they regard it
as a technically complex task.
In fact, executing information security is about information management rather than
technology. e.g.: Handling payroll has more to do with management than with mathematical
wage computations. Similarly, handling information security is about establishing policies and
implementing them.

According to Charles Cresson Wood, information security is defined as: "In fact, a lot of
[information security] is good management for information technology. Many people think that a
solution to a technology problem is more technology. Well, not necessarily. A lot of my work, out
of necessity, has been trying to get my clients to pay more attention to information security as a
management issue in addition to a technical issue, information security as a people issue in
addition to the technical issue."
Therefore, each organisation should carry out information security in terms of its business
facts and essential needs rather than treating information security as a separate issue.
In short, protecting the ability to function includes the following points:

• Management is responsible.
• Information security is:
  - a management issue
  - a people issue
• Communities of interest must argue for information security in terms of impact and cost.

Nowadays, in order to protect its confidential information, an organisation reserves a certain
budget for the management of its information security system. Most organisations already know
how to protect it from known threats, but there are new generations of threats which are
unknown, e.g.: inadequate usage policies, ineffective data governance, etc.
Thus, organisations need to cover all their perimeters, such as the virtual network, the physical
IT environment, and intentional or accidental sabotage by employees. This helps protect an
organisation from internal and external threats.

2.1.2.(ii). Enabling the Safe Operation of Applications

Today's organisations are under immense pressure to obtain effective and capable applications.
A modern organisation needs to create an environment which secures its applications,
specifically those which are significant elements of the organisation's infrastructure, such as
operating system platforms, electronic mail (e-mail) and instant messaging (IM) applications.
Organisations obtain these elements from a service provider or build their own. Once an
organisation's infrastructure is in place, management must begin to manage it.

2.1.2.(iii). Protecting Data that Organisations Collect and Use

Once an organisation is established, it must maintain its data and information. If an
organisation loses its data, it loses its records and also its capability to deliver to its
customers. Thus, it is essential to protect the data that an organisation collects and uses.
e.g.: Consider an organisation which manages customer credit card data.
Before a company's data management is dictated by governmental or other regulations, it
needs to consider the following:

• Customer information, along with confidential data held on behalf of customers.
• Product information such as source code, plans, designs, etc.
• Financial information, along with the company's financial records.

Security programmes are used to keep track of data, and of the value of the business in its data.
A security programme defines a lifecycle which helps to manage the security of data and
technology in an organisation. Securing data in motion and data at rest are both critical aspects
of information security.

2.1.2.(iv). Safeguarding Technology Assets in Organisations

To perform efficiently, organisations must use secure information system services which are
suited to their size and enterprise goals. e.g.: Small businesses may use an e-mail service
offered by an Internet Service Provider (ISP) to secure their data transactions.
The information infrastructure of a large organisation is maintained with some of the most
effective security services, such as encryption methodologies, legal agreements which can be
used to protect the organisation's information, and a public key infrastructure (PKI), which acts
as an integrated system of software.
Thus, the elements of a security programme are used to protect the information infrastructure
of an organisation.

Some of the elements of a good security programme are:

• Designated security officer
• Risk assessment
• Policies and procedures
• Organisational security awareness
• Regulatory standards compliance
• Audit compliance plan

To maintain focus on IT security, every organisation needs a security programme. It helps to
identify, and stay in compliance with, guidelines that may affect the way in which data is
managed. Most importantly, it keeps the business on the right footing with its customers so
that the goals of the organisation can easily be met.

Summary

• Information security is essential to carry out the organisation's functions in a secure
  manner.
• Today's organisations are under immense pressure to obtain and execute integrated,
  effective and capable applications.
• An organisation has no value if it has no data; without data it loses its records and also
  its capability to deliver to its customers.
• Organisations should employ well-secured information system services, suited to their
  size and enterprise goals, in order to perform efficiently.
• To maintain focus on IT security, every organisation needs a security programme.

Self-assessment Questions:
1) In information security, __________ means that the computer system information can be
modified only by authorised persons.
(a) Confidentiality
(b) Integrity
(c) Availability
(d) Authenticity
2) ISP stands for
(a) Internet security protocol
(b) Intranet security protocol
(c) Internet service protocol
(d) Intranet service protocol
3) Major role of information security is
(a) Detect virus
(b) Prevention from virus
(c) Protecting information
(d) Information hiding
4) __________ leads to poor performance of business in an organisation.
(a) Failure of managing threats
(b) Physical IT
(c) Policies
(d) Generation of new threats
5) Failure of data integrity may result in __________
(a) Information security
(b) Virus in software
(c) Securing data
(d) Loss of information
6) ISPs are used to secure
(a) Data transactions
(b) Internet security
(c) Data positioning
(d) Internet threat detection
7) ___________ keep definite kinds of network traffic out of the networks.
(a) Virus
(b) Trojan horse
(c) Firewall
(d) ISPs
8) PKI stands for
(a) People key internet
(b) Public key internet
(c) Public key infrastructure
(d) People key infrastructure
9) Which of the following is not an element of security manager?
(a) Policies and procedures
(b) Risk management
(c) Data transaction
(d) Audit compliance plan
10) Structure of information security in each organisation depends on __________
(a) Network used
(b) Size of the organisation
(c) Threats in the internet
(d) Managing relationships

Bibliography
References
1.1. http://www.appliedtrust.com/resources/security/every-company-needs-to-have-asecurity-programme
1.2. http://software.dell.com/documents/protecting-the-organisation-against-the-unknownwhitepaper-27396.pdf
1.3. http://www.pwc.com/us/en/it-risk-security/assets/high-risk-data-discovery.pdf

External Resources

Peltier, T R 2012, Information Security Risk Analysis, Third Edition, Auerbach.
Silberschatz, A, Galvin, P B & Gagne, G 2009, Operating System Concepts, 8th Edition,
John Wiley & Sons, Inc.
Stamp, M 2011, Information Security: Principles and Practice, 2nd Edition, John Wiley
& Sons, Inc.

Video Links
Topic: Needs of information security
Link: www.youtube.com/watch?v=eUxUUarTRW4&feature=youtu.be
Topic: Data protection in organisation
Link: www.youtube.com/watch?v=whK0uIEsGF0&feature=youtu.be

Table of Contents
Chapter 2.2 Challenges in IT Security

Topic                                                                   Page No.
Aim                                                                     42
Learning Objectives                                                     42
Learning Outcome                                                        42
2.2.1        Threats Landscape                                          43
2.2.1.(i)    Compromises to Intellectual Property                       44
2.2.1.(ii)   Deliberate Software Attacks                                45
2.2.1.(iii)  Espionage and Trespass                                     47
2.2.1.(iv)   Sabotage and Vandalism                                     49
2.2.2        Attack Methodologies                                       49
2.2.2.(i)    Malicious Codes                                            49
2.2.2.(ii)   Backdoors                                                  51
2.2.2.(iii)  Brute Force                                                51
2.2.2.(iv)   Denial of Service (DoS) and Distributed Denial of
             Service (DDoS)                                             51
2.2.2.(v)    Spoofing, Sniffing                                         52
2.2.2.(vi)   Spam                                                       53
2.2.2.(vii)  Drive-by Exploits                                          53
2.2.2.(viii) Code Injection Attacks                                     54
2.2.2.(ix)   Exploit Kits                                               54
2.2.2.(x)    Botnets                                                    54
2.2.2.(xi)   Phishing                                                   55
2.2.3        Social Engineering                                         55
2.2.3.(i)    Human-based Methods                                        56
2.2.3.(ii)   Computer-based Techniques                                  56
Summary                                                                 57
SAQs                                                                    58
Bibliography                                                            60
References                                                              60
External Resources                                                      60
Video Links                                                             60

Legends:
Aim
Learning Objectives
Learning Outcome
Summary
Self-assessment Questions
References
External Resources
Video Links

The Need for IT Security

Challenges in IT Security

Aim:
To furnish students with different techniques for preventing threats and attacks in
information technology.

Learning Objectives:
After going through this chapter, students should be able to understand:

• The meaning of threats
• The threat landscape
• Attack methodologies

Learning Outcome:
After studying this chapter, you should be able to:

• Identify threats
• Describe ways to prevent threats
• List out various attack methodologies

2.2.1. Threats Landscape

A threat landscape is a list of threats which contains information about threat agents and attack
vectors. There are several kinds of threat landscape: some contain only threats, others combine
threat information with various attack methods, and others contain information about threat
agents. In some cases, threat landscapes contain further information as well.
Even though most organisations have implemented security programmes, they are poorly
prepared to detect and respond to attacks. In order to secure an organisation's information,
one must know the threats it faces and the systems which store, transport and process that
information. To manage information security in an organisation, management should be
informed about the different threats to the organisation's people, applications, data and
information systems. A threat is an object, person or other entity which presents an ongoing
danger to information or data.
It is very difficult to handle information security because of the presence of various types of
threat, which may be internal or external. Failure to handle them may lead to loss of
information. In addition to the various sources of information security attacks, there are also
different types of information security attack. The information security triad describes the
three primary goals of information security: integrity, confidentiality and availability.

Fig. 2.2.1: CIA triad


The first element of the information security triad is integrity. Integrity is defined by ISO-27001
as the action of protecting the accuracy and completeness of information and processing methods.
This can be understood to mean that if a user requests any kind of information from the system,
the information returned will be exact.

The second element of the information security triad is confidentiality. Confidentiality is
defined by ISO-27002 as making sure that information is available only to those authorised to
have access to it. This can be one of the most significant tasks ever taken on. It seems simple
enough, but recall the explanation of threat sources above: people from both inside and outside
an organisation may be eager to expose secret information.
The last element of the information security triad is availability. ISO-27001 defines availability
as making sure that authorised users have access to information and associated assets when
needed. This means that when a user requires a file or system, the file or system is there to be
accessed. Hardware breakdowns, natural disasters, malicious users and outside attackers all
work to remove the availability of information from the systems.

Kinds of Threat Landscape:

Depending on the sector, the group of assets and the time, there are different kinds of threat
landscape. Generally, a threat landscape is part of a risk assessment. Contemporary threats can
be found in risk assessments of existing systems, whereas emerging threats can be found in
assessments of emerging applications. Ideally, this information should flow into risk
assessments and lead to adaptations of the identified risks and their mitigation strategies.

2.2.1.(i). Compromises to Intellectual Property

Intellectual property is defined as the ownership of ideas and control over the tangible or virtual
representation of those ideas. Most organisations create intellectual property as part of their
business operations. Intellectual property (IP) can take the form of trade secrets, copyrights,
trademarks and patents. Unauthorised access to IP represents a threat to information security.
Employees may have access to different kinds of IP and may have to use it to conduct day-to-day
business.
Many individuals and organisations do not use software as authorised by the owner's license
agreement. Most software is licensed to a specific purchaser and is to be used by a single user
or by designated users within an organisation. If a user copies the programme to another
computer without being licensed to do so, he or she has breached the copyright.
There are a number of technical methods, such as digital watermarks and embedded copyright
code, used to enforce copyright law. The most common tool is the license agreement window
which pops up during installation of new software, requiring the user to confirm that he or she
has read and agrees to the license agreement.

Another effort to combat piracy is the online registration process. Individuals who install
software are usually asked to register it in order to get technical support and to use all the
features of the software. Many believe that this process compromises personal privacy, as
people never really know exactly what information is obtained from their computers and sent
to the software manufacturer.

2.2.1.(ii). Deliberate Software Attacks

Deliberate software attacks take place when an individual or group designs and deploys software
to attack a system and take it by surprise. Much of this software is known as malicious code,
malicious software or malware. These programmes are designed to damage or destroy service
on the target systems. Some of the more common forms of malicious code are viruses, worms,
Trojan horses, logic bombs and back doors.
a) Virus
A computer virus consists of sections of code which perform malicious actions. This code acts
much like a biological virus which attacks animals and plants, using the cell's own
replication machinery to spread. The code attaches itself to an executable programme and
takes control of that programme's access to the targeted machine. The virus-controlled
target programme then carries out the virus's plan by copying itself onto additional targeted
systems. This happens by opening an infected e-mail or through some other action, which
may cause anything from random messages popping up on a user's screen.
Computer viruses are transferred from one system to another via physical media, e-mail or
other forms of data transmission. One of the most common methods of virus transmission is
via e-mail attachment files.
b) Worms
Worms are malicious programmes which replicate themselves until they entirely fill all
available resources, such as memory, hard drive space and network bandwidth. Worms use a
spawning mechanism to degrade system performance. They are independent malicious
programmes and do not need a host programme.
Nimda, Klez and Sircam are examples of this class of worm. These worms combine multiple
modes of attack into a single package. The Klez virus is shown in the figure: it carries an
attachment containing the worm, and if the e-mail is viewed in an HTML-enabled browser, it
also tries to deliver a macro virus.

A worm can start its activity with or without the user downloading or executing the file.
Once a worm has infected a system, it can redistribute itself to all e-mail addresses found on
that system. A worm can also deposit copies of itself onto all web servers which the infected
system can reach, so that users who then visit those sites become infected.

Fig. 2.2.2: Klez Virus


c) Trojan Horses
Trojan horses are software programmes which hide their true nature and reveal their
behaviour only when activated. Once Trojan horses are brought into a system, they become
activated and can wreak havoc on the unsuspecting user. When a mail attachment is opened,
the Trojan horse programme installs itself into the user's system, and then starts to spread
itself by following up all e-mails.

Fig. 2.2.3: Trojan Horse Attack


d) Backdoor or Trapdoor
A virus or worm can have a payload which installs a backdoor or trapdoor component in a
system that permits the attacker to access the system.
e) Polymorphic Threats
A polymorphic threat is one which, over time, alters the way it appears to antivirus software.
These viruses and worms continually evolve, altering their size and other external file
characteristics to avoid detection by antivirus software programmes.

2.2.1.(iii). Espionage or Trespass

Espionage or trespass is a broad category of electronic and human behaviour which can violate
the confidentiality of information. When an unauthorised individual accesses the information of
an organisation, it is known as espionage or trespass. Attackers can use many different methods
to access the information stored in an information system. Some information-gathering
techniques are legal.
e.g.: Using a web browser to conduct market research.

Fig. 2.2.4: Shoulder Surfing


Some forms of espionage are relatively low-tech. e.g.: Shoulder surfing. This method is used in
public or semi-public settings, where individuals collect information they are not authorised to
have by looking over another individual's shoulder or viewing the information from a distance.
Shoulder surfing occurs at computer terminals, desks, ATMs, on buses or on the subway,
wherever people are accessing confidential information.
Trespass can lead to unauthorised actions which enable information gatherers to enter systems
they have not been authorised to enter. Controls sometimes mark the limits of an organisation's
virtual territory. These boundaries give notice to trespassers that they are intruding on the
organisation's cyberspace. Sound principles of authorisation and authentication help an
organisation to protect confidential information.
A typical perpetrator of espionage or trespass is the hacker. Hackers are people who use and
create computer software to gain access to information without authorisation.
Generally, there are two skill levels among hackers. The first is the expert hacker. Expert
hackers are usually masters of several programming languages. An expert hacker develops
software scripts and programme exploits, and these scripts are used by the second level of
hacker, also known as the unskilled hacker. An unskilled hacker uses the expert hacker's
programmes to obtain secured information from an organisation. Usually, they understand the
system completely.

2.2.1.(iv). Sabotage or Vandalism

This type of threat involves the deliberate sabotage of a computer system or acts of vandalism
intended either to destroy an asset or to damage the image of an organisation. These acts can
range from petty vandalism by employees to organised sabotage against an organisation.
Vandalism to a website can erode consumer confidence in an organisation, thus diminishing the
organisation's sales and net worth as well as its reputation. Compared with website defacement,
vandalism within the network is more malicious. Experts have recognised the rise of online
vandalism in hacktivist or cyberactivist operations.

2.2.2. Attack Methodologies

An attack is an act against a controlled system intended to destroy or damage secured
information or the controlled system itself. It is carried out using a threat agent which damages
or steals an organisation's information or physical assets.

Major types of attacks

2.2.2.(i). Malicious Codes
The malicious code attack comprises viruses, worms, Trojan horses and active web scripts
designed to destroy or steal information. The state of the art in malicious code attacks is the
polymorphic or multivector worm. These attack programmes use up to six known attack vectors
to exploit different vulnerabilities in commonly found information system devices.
Other forms of malware include software applications such as bots, spyware and adware, which
are designed to operate out of sight of users or without user action.
A bot (an abbreviation of robot) is an automated software programme which executes commands
when it receives a specific input. Bots are often the technology used to implement Trojan
horses, logic bombs, back doors and spyware.
Spyware is a technology for collecting information about a person or an organisation without
their knowledge. Spyware is placed on a computer secretly to collect information about the
user and report it.

The different types of spyware include:

1. A web bug: a tiny graphic on a website which is placed in the Hypertext Markup Language
(HTML) content of a webpage or e-mail to collect information about the user viewing the
HTML.
2. A tracking cookie, which is placed on the user's system to track the user's activity on
different websites and generate a brief profile of the user's behaviour.
Adware is a software programme intended for marketing purposes, such as displaying
advertising banners or pop-ups on the user's screen or tracking the user's online usage or
purchasing events.

There are various types of malicious code. The most common type is the virus. A virus is a
code fragment, or piece of code, used to destroy or damage the target files. A virus then waits,
normally until the file is opened, to spread to another file, into which the malicious code is then
injected.

Worm/Trojan: A worm is usually a complete file which infects one place on a given system
and then attempts to copy itself to other vulnerable systems on the network or the Internet.
Trojan horses are a different type of malicious code and can easily deceive the end user.
There are a number of freeware programmes on the Internet which permit an attacker to insert
malicious code into most common executables. This can be countered by educating users not to
open a file attachment unless they know exactly what the attachment is.

Key findings:

• Theft Trojans are widely used by cyber criminals for making money.
• Trojan Autorun and Conficker worms are the top threats worldwide. Even though the
  vulnerabilities that allow them to infect systems have been addressed, they still claim
  victims.
• Trojans are the major malware threat on mobile platforms. These Trojans vary in nature
  from simple SMS Trojans to multifunctional and more sophisticated Trojans.

2.2.2.(ii). Backdoors
Using a known or previously unknown and newly developed access method, an attacker can gain
access to a system or network resource through a backdoor. Sometimes these entry points are
left behind by system designers or maintenance staff, and are then also called trapdoors. A
trapdoor is hard to detect, because the programmer who puts it in place often also exempts the
access from the normal audit logging features of the system.

2.2.2.(iii). Brute Force

A brute force attack is the application of computing and network resources to try every possible
combination of a password. This is also known as a password attack. These attacks are rarely
successful against the system. A control which limits the number of wrong entries per unit of
elapsed time is very effective against brute force attacks.
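The following Python example (added for this edition; it is not code from the referenced sources) shows the control described above: a per-account throttle that counts wrong password entries within a sliding time window and locks the account once the limit is reached. The threshold, window and lockout values, the account names and the simulated guess sequence are assumptions chosen for illustration.

```python
"""Login throttling against brute force password guessing.

Added example, not from the course sources. The limits below are assumed
policy values; a real deployment would tune them.
"""
from collections import deque

MAX_FAILURES = 5        # assumed: at most five wrong entries ...
WINDOW_SECONDS = 60     # ... within any 60-second window
LOCKOUT_SECONDS = 300   # assumed: refuse all attempts for 5 minutes after that


class LoginThrottle:
    """Tracks failed logins per account and refuses attempts while locked."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> time at which the lockout expires

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def attempt(self, account, password_ok, now):
        """Record one login attempt at time `now` (seconds).

        Returns 'ok', 'denied' (wrong password) or 'locked' (refused without
        even evaluating the password, which is what starves a brute force
        attacker of feedback).
        """
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)   # a success clears the history
            return "ok"
        recent = self._failures.setdefault(account, deque())
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                   # forget failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            recent.clear()
            return "locked"
        return "denied"


def simulate_guessing(throttle, account, real_password, guesses, start=0.0, interval=1.0):
    """Feed a list of guesses at a fixed interval; return the outcome of each."""
    outcomes = []
    for i, guess in enumerate(guesses):
        now = start + i * interval
        outcomes.append(throttle.attempt(account, guess == real_password, now))
    return outcomes


if __name__ == "__main__":
    # Constructed scenario: five wrong guesses one second apart, then the
    # correct password; the sixth attempt is refused although it is right.
    t = LoginThrottle()
    print(simulate_guessing(t, "alice", "s3cret", ["a", "b", "c", "d", "e", "s3cret"]))
    # After the lockout expires the genuine user succeeds:
    print(t.attempt("alice", True, 400.0))
```

The throttle refuses the sixth attempt even though the password is correct, which is the point of the control: the attacker gains nothing from continuing. Note that a lockout keyed only on the account name can itself be used to lock out a legitimate user, so production systems usually combine it with per-source limits or progressive delays.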

2.2.2.(iv). Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)

In a denial-of-service (DoS) attack, the attacker sends a large number of connection or
information requests to a target system. These may cause the target system to overload and fail
to respond to legitimate requests for service. The system may crash or simply become unable to
perform ordinary functions. A distributed denial-of-service (DDoS) attack is one in which
coordinated streams of requests are launched against a target from many locations at the same
time. The compromised machines are turned into zombies, systems which are directed remotely
by the attacker to participate in the attack. DDoS attacks are the hardest to defend against, and
there are currently no controls that any single organisation can apply.

Fig. 2.2.5: Denial of Service Attacks
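As an added example (written for this edition; not code from the referenced sources), the following Python script tells the two cases described above apart in web server access logs: a flood from a single source, and a coordinated flood of ordinary-looking requests from many sources. The log lines are constructed for the demonstration, and the window size and thresholds are assumed values.

```python
"""Flag request floods in web server access logs and distinguish a
single-source flood (DoS) from a many-source flood (DDoS).

Added example, not from the course sources. Log lines are constructed;
the window size and thresholds are assumed values.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, epoch_seconds, request) for a log line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.timestamp(), m.group("req")


def analyse(lines, window=10, per_source_limit=50, total_limit=200, min_sources=20):
    """Bucket requests into fixed windows of `window` seconds and report
    (window_start, kind, detail) for each window that looks like a flood.

    kind == "dos":  at least one source exceeded per_source_limit (detail: those IPs)
    kind == "ddos": no single heavy source, but the window's total exceeded
                    total_limit and came from at least min_sources distinct
                    addresses (detail: number of sources)
    """
    buckets = defaultdict(Counter)  # window start -> Counter(ip -> requests)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # a real pipeline would count or log malformed lines
        ip, t, _ = parsed
        buckets[int(t // window) * window][ip] += 1

    findings = []
    for start in sorted(buckets):
        counts = buckets[start]
        heavy = sorted(ip for ip, n in counts.items() if n > per_source_limit)
        if heavy:
            findings.append((start, "dos", heavy))
        elif sum(counts.values()) > total_limit and len(counts) >= min_sources:
            findings.append((start, "ddos", len(counts)))
    return findings


def make_line(ip, epoch, path="/"):
    """Build one constructed Common Log Format line (sample data, not real traffic)."""
    ts = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


BASE = 1_700_000_000  # arbitrary epoch; windows start at multiples of 10 s
SAMPLE_LINES = []
# window 1: ordinary traffic, five clients with three requests each
for i in range(5):
    SAMPLE_LINES += [make_line(f"192.0.2.{i + 1}", BASE + k * 3) for k in range(3)]
# window 2: one source (documentation address) hammering the server
SAMPLE_LINES += [make_line("203.0.113.9", BASE + 10 + k * 0.1) for k in range(80)]
# window 3: forty sources, six requests each, no single one heavy
for i in range(40):
    SAMPLE_LINES += [make_line(f"198.51.100.{i + 1}", BASE + 20 + k) for k in range(6)]

if __name__ == "__main__":
    for start, kind, detail in analyse(SAMPLE_LINES):
        when = datetime.fromtimestamp(start, tz=timezone.utc)
        print(f"{when:%H:%M:%S}  {kind:4}  {detail}")
```

A per-source threshold alone catches the DoS window but says nothing about the DDoS window, where no individual client is unusual; that is why the second rule looks at the window's total volume and the number of distinct sources together, which is also the reason the text calls DDoS the harder case to defend against.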

Buffer Overflow:
In the information technology sector, buffer overflow is a frequent topic these days. The term
buffer overflow has become synonymous with vulnerabilities and exploitation. Buffers are
used to store data and hold a predefined, finite amount of it. A buffer overflow occurs when a
programme attempts to store data which is larger than the size of the buffer.
When the data exceeds the size of the buffer, the extra data can overflow into adjacent memory
locations, corrupting valid data and possibly changing the execution path and instructions. The
ability to exploit a buffer overflow allows one to possibly inject arbitrary code into the execution
path. This arbitrary code could allow remote system-level access, giving unauthorised access to
not only malicious hackers but also replicating malware. Buffer overflows are generally broken
into multiple categories, based on both ease of exploitation and historical discovery of the
technique.

• First generation buffer overflows involve overwriting stack memory.
• Second generation overflows involve heaps and function pointers.
• Third generation overflows involve format string attacks and vulnerabilities in heap
  structure management.

2.2.2.(v). Spoofing, Sniffing

Spoofing is a method used to gain unauthorised access to computers, in which the intruder sends
messages with a source IP address that has been forged to indicate that the messages are
coming from a trusted host. To carry out IP spoofing, hackers use a range of methods to find
trusted IP addresses and then modify the packet headers to include these forged addresses.
Newer routers and firewall arrangements can provide protection against IP spoofing.

Fig. 2.2.6: IP Spoofing
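The routers and firewall arrangements mentioned above counter IP spoofing with ingress and egress filtering: a packet's source address is checked against the interface it arrived on. The Python example below (added for this edition; not code from the referenced sources) implements that check for a border device with two interfaces. The interface names, the organisation's address range and the packet records are constructed assumptions.

```python
"""Anti-spoofing ingress/egress filter as applied at a network border.

Added example, not from the course sources. The interface names, the
organisation's address range and the packet records are assumed values.
"""
import ipaddress

# Assumed: the organisation owns 192.0.2.0/24 (a documentation range used here
# as a stand-in) and its border device has an "outside" and an "inside" interface.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Source addresses that should never arrive from the public Internet
# (private, loopback and "this network" ranges).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def _in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)


def filter_packet(iface, src, dst):
    """Decide ('accept' | 'drop', reason) for a packet seen on interface `iface`.

    Ingress rule (outside): a packet claiming an internal or bogon source address
    cannot legitimately come from the Internet, so it is treated as forged.
    Egress rule (inside): a packet leaving the organisation must carry one of the
    organisation's own addresses, which stops local hosts spoofing others.
    The destination is carried in the record but plays no part in these rules.
    """
    src_addr = ipaddress.ip_address(src)
    if iface == "outside":
        if _in_any(src_addr, INTERNAL_PREFIXES):
            return "drop", "spoofed internal source address arriving from outside"
        if _in_any(src_addr, BOGON_PREFIXES):
            return "drop", "bogon source address arriving from outside"
    elif iface == "inside":
        if not _in_any(src_addr, INTERNAL_PREFIXES):
            return "drop", "outbound packet with a source address we do not own"
    else:
        return "drop", f"unknown interface {iface!r}"
    return "accept", ""


def run_filter(packets):
    """Apply filter_packet to (iface, src, dst) tuples; return the decisions."""
    return [filter_packet(*pkt) for pkt in packets]


# Constructed packet records: (interface seen on, source IP, destination IP)
SAMPLE_PACKETS = [
    ("outside", "203.0.113.5", "192.0.2.10"),   # ordinary inbound traffic
    ("outside", "192.0.2.7", "192.0.2.10"),     # forged: claims to be an inside host
    ("outside", "10.1.1.1", "192.0.2.10"),      # forged: private range from the Internet
    ("inside", "192.0.2.10", "203.0.113.5"),    # ordinary outbound traffic
    ("inside", "198.51.100.1", "203.0.113.5"),  # local host spoofing a foreign address
]

if __name__ == "__main__":
    for pkt, (verdict, why) in zip(SAMPLE_PACKETS, run_filter(SAMPLE_PACKETS)):
        print(f"{pkt[0]:7} {pkt[1]:>14} -> {pkt[2]:<14} {verdict:6} {why}")
```

The decision depends on knowing which interface a packet arrived on, which is information only a router or firewall at the boundary has; an end host seeing the forged packet cannot make the same judgement, which is why the text locates this defence in routers and firewalls.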

Sniffers
A sniffer is a programme or device which can examine data travelling over a network. Sniffers
can be used both for legitimate network management functions and for stealing information.
Unauthorised sniffers can be very hazardous to a network's security, as they are virtually
impossible to detect and can be inserted almost anywhere. This makes them a favourite weapon
in the hacker's arsenal. Sniffers usually operate on TCP/IP networks, where they are sometimes
called packet sniffers. Sniffers add risk to the network because many systems and users send
information over local networks in clear text. A sniffer programme shows all the data going by,
including passwords, the data inside files such as word-processing documents, and screens full
of sensitive data from applications.

2.2.2.(vi). Spam
Spam is unwanted commercial e-mail. While most consider spam a minor nuisance rather than
an attack, it has been used as a means of delivering malicious code attacks. In March 2002,
there were reports of malicious code embedded in MP3 files which were attached to spam. The
most important consequence of spam, however, is the waste of computer and human resources.
Many organisations try to cope with the flood of spam by using e-mail filtering technologies.
Other organisations simply ask the users of the mail system to delete unwanted messages.

2.2.2.(vii). Drive-by Exploits

This process refers to injecting malicious code into the HTML code of websites, which then
exploits vulnerabilities in users' web browsers. This is also known as a drive-by download
attack. These attacks target the software residing on Internet users' computers and infect them
automatically when a user visits the website, without any interaction.

Key findings:

• Drive-by download attacks have become the top web threat. The attackers move into
  targeted browser plug-ins such as Java, Adobe Reader and many more.
• Drive-by download attacks are launched through legitimate websites which are used by
  attackers to host malicious links and malicious code.
• Drive-by download attacks can occur on mobile devices as well.
• Most drive-by download attacks originate from cyber criminals who have adopted these
  exploitation techniques.


2.2.2.(viii). Code Injection Attacks

Code injection attacks include well-known attack techniques against web applications such as
SQL injection, cross-site scripting and many more. These attacks try to extract data or take
control over the targeted system or web browser.

Key findings:

• SQL injection attacks are the most popular among hacktivist groups and cyber criminals.
• Cross-site scripting attacks work on any browsing technology, including mobile web
  browsers.
• The most critical vulnerabilities in web applications are cross-site scripting flaws;
  however, their impact is lower than that of SQL injection.
• SQL injection is the top attack method against retail, technology, media and educational
  websites.
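To make the two injection classes above concrete, here is an added Python example (it is not code from this course material or from any product it describes). It contrasts a query that splices user input into the SQL text with a parameterised query, and shows HTML escaping as the basic defence against cross-site scripting. The in-memory SQLite table, its two sample rows and the tampered input are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample rows for the demonstration; not data from the course text.
SAMPLE_USERS = [
    ("alice", "admin"),
    ("bob", "user"),
]


def make_db():
    """Build an in-memory SQLite database holding a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable pattern: the caller's input is spliced into the SQL text, so a
    quote character in the input changes the structure of the query itself."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterised(conn, username):
    """Hardened pattern: the input is bound as a parameter. SQLite receives the
    query text and the value separately, so the value is never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_comment(text):
    """Escape user-supplied text before placing it in HTML so that any markup in
    the input is displayed literally instead of being interpreted by the browser."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"
    print(find_user_vulnerable(db, tampered))     # every row is returned
    print(find_user_parameterised(db, tampered))  # no such user: []
    print(render_comment("<script>alert(1)</script>"))
```

The tampered input turns the first query into `WHERE username = '' OR '1'='1'`, which is true for every row; the parameterised version compares the column against the literal string and finds nothing. The same separation of code from data is what output escaping provides for HTML.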

2.2.2.(ix). Exploit Kits

Exploit kits are ready-to-use software packages that automate cybercrime. They mainly rely on
drive-by download attacks, in which malicious code is injected into websites. These attacks
exploit multiple vulnerabilities in browsers and browser plug-ins. An important characteristic of
exploit kits is that they allow people without technical knowledge to purchase them and use them
easily.

Key findings:

• Exploit kits use sophisticated techniques in order to avoid classic detection mechanisms.
• The Blackhole exploit kit is the most advanced and most commonly detected threat.
• Blackhole integrates different channels for malware: malicious advertising through ad
  servers, malicious code hosted on compromised websites, search engines and e-mail spam.

2.2.2.(x). Botnets
A botnet is a set of compromised computers under the control of an attacker. The
compromised systems are called bots. Botnets are multi-purpose tools, which can be used for
spamming, identity theft, infecting other systems and distributing malware.

Key findings:

• Botnets have gradually developed from single-purpose to multi-purpose botnets.
• Botnet command and control infrastructure has become decentralised through peer-to-peer
  technologies, to increase its stability and avoid single points of failure.
• Cloud computing platforms are already being used to set up botnets.
• Malware authors appear to be interested in turning Android mobile phones into zombies.
• Botnets support infection capabilities for multiple operating systems.

2.2.2.(xi). Phishing
Phishing is a technique that combines fraudulent e-mails and websites, used by cybercriminals in
order to obtain information unlawfully. Phishing uses different social engineering techniques to
lure its victims into providing information such as passwords and credit card numbers.

Key findings:

• In general, the sites that target a financial institution's accounts are the most active
  phishing sites at any given time.
• The present trend in phishing is that phishing sites target mobile platforms along with
  PCs.
• Phishers host their sites on compromised servers in shared web hosting environments.

2.2.3. Social Engineering

Social engineering is the process of using social skills to convince a user to reveal confidential
information to the attacker. There are many social engineering techniques used by attackers.
Human-based attacks aim to confuse people in person or over the phone and always use
impersonation to trick users into releasing information.
Computer-based attacks still target the human users of computer systems; however, they do so with
computer-based means such as e-mail scams, e-mail attachments, websites, instant messaging,
etc.


Types of Social Engineering

2.2.3.(i). Human-based Methods
a) The overly-helpful helpdesk: Helpdesks are the most frequent targets of social
engineering attempts, for a reason. They are trained to assist users and will
always give out significant network information without fully verifying the
identity of the caller.
b) Tech support: The attacker explains that he is troubleshooting a network issue and
has traced the issue to a particular computer. He claims to need a user ID and password
from that system to finish tracing the issue. Unless the user has been properly educated in
security practices, they will probably give the "troubleshooter" the information
requested.

2.2.3.(ii). Computer-based Techniques

a) Pop-up windows: A pop-up window appears on the screen saying that the user has
lost the network connection, and the user is prompted to re-enter the username and password. A
programme previously installed by the intruder then e-mails the data to a remote
location.
b) Instant messaging/Internet Relay Chat: Users are directed to sites where they
would supposedly get help or more information, but the hidden plan is to plant Trojan horse
programs on their computers. These systems are later used by the hackers to gain access to the
systems and the networks to which they are linked.
c) Websites: A common trick is to offer something free on a website. To win, the user
must enter an e-mail address and a password. Many employees enter the
same password they use at work, so the social engineer now has a valid user name
and password with which to enter a corporate network.


Summary:

This chapter explains business needs, threats and attacks.

• It is very difficult to manage information security because of the presence of various
  types of threats, which can be internal or external.
• Intellectual property is defined as the ownership of ideas and control over the tangible or
  virtual representation of those ideas.
• Deliberate software attacks take place when an individual or group plans and organises
  software to attack a system and take it by surprise. Much of this software is
  known as malicious code, malicious software or malware.
• Espionage or trespass is a broad category of electronic and human behaviour which can
  violate the confidentiality of information.
• Trespass can lead to unauthorised actions that enable information gatherers to enter
  systems they have not been authorised to enter.
• Vandalism to a website can erode consumer confidence in an organisation, thus
  diminishing the organisation's sales and net worth as well as its reputation.
• Malicious code attacks comprise viruses, worms, Trojan horses, and active web
  scripts used to destroy or steal information.
• Spoofing is a method used to gain unauthorised access to computers, in which the intruder
  sends messages with a source IP address that has been forged to indicate that the
  messages are coming from a trusted host.
• A sniffer is a programme or a device that can examine data travelling on a network.
  Sniffers can be used both for legitimate network management functions and for stealing
  information.


Self-Assessment Questions:
1) Which of the following is an independent malicious programme that does not need a host
programme?
(a) Trapdoors
(b) Trojan horse
(c) Virus
(d) Worms
2) _______ are used in denial of service attacks, typically against targeted websites.
(a) Worm
(b) Zombie
(c) Virus
(d) Trojan horse
3) Technology which is used to collect information about an organisation is called
____________
(a) Mutual engine
(b) Spyware
(c) Mutation technique
(d) Polymorphic technique
4) A ________ is a programme that secretly takes over another internet-attached computer
and then uses that computer to launch attacks.
(a) Worm
(b) Virus
(c) Zombie
(d) Trapdoors
5) _________ attach themselves to an existing programme and take control of that programme.
(a) Worms
(b) Viruses
(c) Spywares
(d) Trojan horse
6) The technology used to execute Trojan horses or spyware is known as?
(a) Spyware technology
(b) Trojan horse technology
(c) Bots technology
(d) Antivirus technology
7) A __________ is a file which infects one place on a system and then attempts to copy itself to
other systems.
(a) Virus
(b) Deadlocks
(c) Worms
(d) Trapdoors
8) What are sniffers?
(a) Used to detect viruses
(b) Used to prevent viruses
(c) Used to examine the data travelling on a network
(d) Used to delete the affected data on a network
9) ________ is unwanted commercial e-mail.
(a) E-mail service
(b) Spam
(c) Sniffers
(d) Spoofing


10) When an attempt is made to make a machine or a network resource unavailable to its intended
users, the attack is called
(a) Denial-of-service attack
(b) Slow read attack
(c) Spoofed attack
(d) Starvation attack
11) What is a trapdoor in a programme?
(a) A security hole, inserted at programming time in the system for later use
(b) A type of antivirus
(c) Security hole in a network
(d) Spoofed attack
12) A file virus attaches itself to the
(a) Source file
(b) Object file
(c) Executable file
(d) All of the mentioned
13) Which one of the following is a process that uses the spawn mechanism to ravage the
system performance?
(a) Worm
(b) Trojan
(c) Threat
(d) Virus
14) Which of the following is not a characteristic of a virus?
(a) Virus destroys and modifies user data
(b) Virus is a standalone programme
(c) Virus is a code embedded in a legitimate programme
(d) Virus cannot be detected.
15) What is known as a DoS attack?
(a) It is an attack to block network traffic
(b) It is an attack to harm content stored in the HDD by worm spawn processes
(c) It is an attempt to make a machine or network resource unavailable
(d) None of the options
16) With regard to DoS attacks, which of the following options is not true?
(a) We can stop a DoS attack completely
(b) By patching OS vulnerabilities, we can stop a DoS attack to some extent
(c) A DoS attack has to be stopped at the network level
(d) Such an attack can last for hours


Bibliography
References
1.1. http://www5vip.inl.gov/technicalpublications/Documents/3494179.pdf
1.2. http://www.ijpttjournal.org/volume-3/issue-2/IJPTT-V3I2P406.pdf
1.3. http://www.black-box.com.tw/support/paper_pdf/Guide-to-CyberCrime.pdf
1.4. http://www.infosec.gov.hk/english/virus/types.html
1.5. https://www.symantec.com/avcenter/reference/blended.attacks.pdf

External Resources
Information Security Risk Analysis - Thomas R. Peltier, Third Edition, Pub: Auerbach, 2012
Operating System Concepts, 8th Edition by Abraham Silberschatz, Peter B. Galvin, Greg Gagne, Pub: John Wiley & Sons, Inc., 2009.
Information Security: Principles and Practice - Mark Stamp, 2nd Edition, Pub: John Wiley & Sons, Inc., 2011

Video Links
Topic                                          Link
DDoS and DoS                                   www.youtube.com/watch?v=OhA9PAfkJ10
Difference between virus, worms and Trojans    www.youtube.com/watch?v=y8a3QoTg4VQ&feature=youtu.be
Difference between virus, worms and Trojans    www.youtube.com/watch?v=zBFB34YGK1U&feature=youtu.be&list=PLY4JwKk_5ONOugMRlATNW3oYIhjgiBux


Module 3
Risk Management
Chapter 3.1: Information Security Risk Assessment
Chapter 3.2: Information Security Risk Mitigation & Controls

Table of Contents
Chapter 3.1
Information Security Risk Assessment

Section                                                                              Page No.
Aim                                                                                  61
Learning Objectives                                                                  61
Learning Outcome                                                                     61
3.1.1        Introduction                                                            62
3.1.2        Risk Identification                                                     63
3.1.2.(i)    Plan and Organise the Process                                           64
3.1.2.(ii)   Asset Identification and Inventory                                      65
3.1.2.(iii)  People, Procedures, and Data Asset Identification                       66
3.1.2.(iv)   Hardware, Software, and Network Asset Identification                    67
3.1.2.(v)    Identifying and Prioritising Threats                                    67
3.1.3        Risk Assessment and Identifying Risk Assessment                         68
3.1.3.(i)    Likelihood                                                              68
3.1.3.(ii)   Risk Determination                                                      69
3.1.3.(iii)  Identify Possible Controls                                              69
3.1.3.(iv)   Documenting the Results of Risk Assessments                             70
3.1.4        Risk Control                                                            70
3.1.4.(i)    Defend                                                                  70
3.1.4.(ii)   Transfer                                                                70
3.1.4.(iii)  Mitigate                                                                71
3.1.5        Assessing Risk Based on Probability of Occurrence and Likely Impact     72
             and Fundamental Aspects of Documenting Risk via the Process of
             Risk Assessment
Summary                                                                              75
SAQs                                                                                 76
Bibliography                                                                         78
References                                                                           78
External Resources                                                                   78
Video Links                                                                          78

Legends:
Aim
Learning Objectives
Learning Outcome
Summary
Self-assessment Questions
References
External Resources
Video Links

Risk Management

Information Security Risk Assessment

Aim:
To equip the students with the concepts of risk management in information security

Learning Objectives:
After going through this chapter, students should be able to understand:

• Risk management and methodologies
• Identifying risk assessment
• Risk control strategies
• Fundamental aspects of documenting risk via the process of risk assessment

Learning Outcome:
After studying this chapter, you should be able to:

• Define risk management, risk identification, and risk control
• Describe how risk is identified and assessed
• Explain the fundamental aspects of documenting risk
• Illustrate how to maintain and perpetuate risk controls


3.1.1. Introduction
Every organisation has its own methods of operation and responsibilities towards information
security. Organisations use automated information technology systems to process their
information for better support. Risk management plays an important and critical role in
protecting an organisation's assets.
The main goal of an organisation's risk management process is to protect the organisation and its
ability to perform its operations. The risk management process is not only a technical function
carried out by IT experts but is also a vital part of information security for an organisation.
Objectives of risk management:

• To secure the IT systems that store, process, or transmit organisational information.
• To enable management to make well-informed risk management decisions that justify the
  monetary expenditure on the infrastructure needed.
• To assist management in authorising the IT systems on the basis of supporting
  documentation.

Definition of risk management and methodologies

Risk is a combination of assets, threats capable of damaging those assets, and vulnerabilities.
According to the Certified Information Systems Auditor (CISA) Review Manual 2006: "Risk
management is the process of identifying vulnerabilities and threats to the information resources
used by an organisation in achieving business objectives and deciding what countermeasures, if
any, to take in reducing risk to an acceptable level, based on the value of the information
resource to the organisation."
Risk management is the process that allows IT managers to balance the operational and economic
costs of protective measures. It includes three processes: risk identification, risk assessment, and
risk control.
Risk identification is the examination and documentation of the security posture of an
organisation's information technology and the risks it faces.


Risk assessment is the determination of the extent to which an organisation's information assets
are exposed or at risk.
Risk control is the application of controls to reduce the risks to an organisation's data and
information systems.
The different components of risk management and their relationships are shown below:

Fig. 3.1.1: Components of risk management

3.1.2. Risk Identification

Risk management strategies require that information security professionals know their
organisation's information assets, which need to be identified, classified, and prioritised. Once
the organisational assets have been inventoried, a threat assessment process identifies and quantifies
the risks facing each asset.


Common risk identification methods are:

• Objectives-based risk identification: Any event that may endanger the achievement of
  an objective, partly or completely, is identified as a risk.
• Scenario-based risk identification: In scenario analysis, different scenarios are
  formed. Scenarios may be alternative ways to achieve an objective, or an analysis of
  the interaction of forces.
• Taxonomy-based risk identification: The taxonomy in taxonomy-based risk
  identification is a breakdown of possible risk sources, based on the taxonomy and best
  practices.
• Common risk checking: In several industries, lists of known risks are available.
  Each risk in the list can be checked for applicability to a particular situation.
• Risk charting: This method combines the above approaches by listing the resources at risk
  and the threats they face. It also includes noting the modifying factors which may increase or
  decrease the risk, and the consequences arising from it. Creating a matrix under these
  headings enables a variety of approaches:
  - An organisation can begin with resources and consider the threats they are exposed
    to, and the consequences of each.
  - Alternatively, the task can start with the threats and examine which resources they would
    affect.
  - Also, it can begin with the consequences and determine which combination of threats
    and resources would be involved to bring them about.

3.1.2.(i). Plan and Organise the Process

The initial step in risk identification is to follow project management principles. One can
begin by organising a team consisting of representatives of all affected groups. Risk can arise
from any part of the organisation and hence the representatives can come from any department of
the organisation.


Components of risk identification are as shown below:

Fig. 3.1.2: Components of risk identification

3.1.2.(ii). Asset Identification and Inventory

Asset identification begins with the elements of an organisation's system: people, procedures,
data and information, software, and hardware and networking elements. Table 3.1.1 below shows the
categorised components of an information system.

Traditional System   SecSDLC Components               Risk Management System Components
Components
People               Employees                        Trusted employees
                                                      Other staff
                     Nonemployees                     People at trusted organizations
                                                      Strangers
Procedures           Procedures                       IT and business standard procedures
                                                      IT and business sensitive procedures
Data                 Information                      Transmission
                                                      Processing
                                                      Storage
Software             Software                         Applications
                                                      Operating systems
                                                      Security components
Hardware             System devices and peripherals   Systems and peripherals
                                                      Security devices
                     Networking components            Intranet components
                                                      Internet or DMZ components

Table 3.1.1: Categorising the components of an information system


• People: These include employees and non-employees. There are two categories of
  employees: those who hold trusted roles, and other staff who have assignments
  without any special roles. Non-employees include contractors and consultants.
• Procedures: These include IT and business standard procedures and IT and business-sensitive
  procedures. Business-sensitive procedures are those that may enable a threat
  agent to craft an attack against the organisation.
• Data components: These account for information in all its states: transmission,
  processing, and storage. Data is usually associated with databases.
• Software components: Software components can be applications, operating systems, or
  security components. Security components can be applications or operating systems
  used to protect sensitive data.
• Hardware components: Hardware components can be system devices and their
  peripherals, and information security control components.

3.1.2.(iii). People, Procedures, and Data Asset Identification

Once people, procedures, and data assets are identified, they are recorded or stored using a
data-handling process. While deciding which information assets to track, consider the following asset
attributes:

• People: Position name/number/ID; supervisor; security clearance level; and special
  skills.
• Procedures: Description; purpose; relationship to software, hardware and networking
  elements; storage location for reference; and storage location for update.
• Data: Classification; owner, creator, and manager; size of data structure; data structure
  used (sequential or relational); online or offline; location; and backup procedures
  employed.


3.1.2.(iv). Hardware, Software, and Network Asset Identification

Depending on the needs of the organisation and its risk management methods, the following attributes of
software, hardware, and network assets are tracked:

• Name: The organisation may have several names for the same product. The name
  chosen should be meaningful to all the groups that use the information.
• IP address: The IP address is used to identify network devices and servers.
  Software, however, is identified by tracking software instances in a relational database.
  Most organisations use DHCP within TCP/IP, which assigns IP numbers to devices.
• Media access control (MAC) address: These are also called electronic serial
  numbers or hardware addresses. The MAC address is used by the network operating system to
  identify a specific network device.

Classifying and Prioritising Information Assets

Internet components can be subdivided into servers, networking devices, protection
devices and more. Likewise, some organisations further subdivide the components of the
information system.
A data classification scheme normally requires an equivalent security structure, which
determines the level of information individuals may access, based on what they need to know. It is
also important that the categories be comprehensive and mutually exclusive.

Information Asset Valuation

In order to assign a value to information assets for risk assessment, one can pose a
number of questions and collect the answers. Before beginning the inventory
process, an organisation should determine which criteria can best establish the value of its
information assets.

3.1.2.(v). Identifying and Prioritising Threats

After identifying and performing the initial classification of an organisation's information assets,
the analysis phase moves on to the examination of the threats facing the organisation. There are
various threats facing an organisation and its information and information systems. The
realistic threats must be investigated further, while the unimportant threats can be set aside. If one
assumes that every threat can and will attack every information asset, the project scope quickly
becomes so complex that it overwhelms the ability to plan.

3.1.3. Risk Assessment and Identifying Risk Assessment

Risk assessments address the possible impacts on organisational operations and assets. An
organisation performs a risk assessment to determine the risks common to the organisation's
missions, business processes and information systems. Risk assessments are not simple, and not a
one-time process that provides permanent information for decision makers. Organisations carry
out risk assessments on an ongoing basis throughout the system development lifecycle.

3.1.3.(i). Likelihood
In risk assessment, a numeric value is assigned to likelihood. The National Institute of Standards
and Technology recommends in Special Publication 800-30 assigning a number from low to
high, i.e., between 0.1 and 1.0. One can also use a number between 1 and 100.

Fig. 3.1.3: Stages of risk assessment


Fig. 3.1.4: Factors of risk

3.1.3.(ii). Risk Determination

Risk equals the likelihood of vulnerability occurrence times the value (or impact) of the asset, minus the
percentage of risk already controlled, plus an element of uncertainty, as shown in the figure.
e.g.: Information asset A has a value score of 50 and has one vulnerability, Vulnerability 1. Vulnerability 1 has
a likelihood of 1.0 with no current controls. It is estimated that the assumptions and data are 90
percent accurate.
Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) − 0% + 10%, where
55 = (50 × 1.0) − ((50 × 1.0) × 0.0) + ((50 × 1.0) × 0.1)
55 = 50 − 0 + 5
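The following Python function is an added worked example, not part of the course material; it implements the risk determination formula above (likelihood times value, minus the share already controlled, plus the uncertainty allowance) and reproduces the Asset A figure of 55. The input-range check on likelihood follows the 0.1 to 1.0 scale cited from NIST SP 800-30 in 3.1.3.(i); the second scenario, in which a control removes half of the risk, is a constructed variation.

```python
def risk_rating(asset_value, likelihood, controlled_fraction=0.0, uncertainty=0.0):
    """Risk rating for one asset/vulnerability pair, following 3.1.3.(ii):

        risk = (value x likelihood)
               - (value x likelihood x fraction already controlled)
               + (value x likelihood x uncertainty)

    asset_value          relative value of the asset (the worksheet uses 1 to 100)
    likelihood           chance the vulnerability is exploited, 0.1 to 1.0 as
                         recommended in NIST SP 800-30 and cited in 3.1.3.(i)
    controlled_fraction  share of the risk removed by existing controls, as a
                         fraction (0.0 when there are no controls)
    uncertainty          allowance for imperfect assumptions and data, as a
                         fraction (0.1 when the estimate is 90 percent accurate)
    """
    if not 0.1 <= likelihood <= 1.0:
        raise ValueError("likelihood must lie between 0.1 and 1.0")
    if not 0.0 <= controlled_fraction <= 1.0:
        raise ValueError("controlled_fraction must lie between 0.0 and 1.0")
    if not 0.0 <= uncertainty <= 1.0:
        raise ValueError("uncertainty must lie between 0.0 and 1.0")

    base = asset_value * likelihood               # value x likelihood
    already_controlled = base * controlled_fraction
    uncertainty_margin = base * uncertainty
    return round(base - already_controlled + uncertainty_margin, 3)


def asset_a_vulnerability_1():
    """The text's worked case: value 50, likelihood 1.0, no controls,
    data judged 90 percent accurate -> 50 - 0 + 5 = 55."""
    return risk_rating(50, 1.0, controlled_fraction=0.0, uncertainty=0.1)


def asset_a_half_controlled():
    """Constructed variation: a control that removes half of the risk
    -> 50 - 25 + 5 = 30."""
    return risk_rating(50, 1.0, controlled_fraction=0.5, uncertainty=0.1)


if __name__ == "__main__":
    print("Asset A / Vulnerability 1:", asset_a_vulnerability_1())
    print("Same asset, 50% controlled:", asset_a_half_controlled())
```

Note that the uncertainty term is applied to the uncontrolled product (value times likelihood), exactly as the worked equation does, so it adds back a margin rather than reducing the rating.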

3.1.3.(iii). Identify Possible Controls

For every threat and its associated vulnerabilities that have residual risk (the risk to the
information asset that remains even after controls have been applied), one must create an initial
list of possible controls.
There are three types of controls:

• Policies
• Programmes
• Technologies

Policies: These are the documents that specify an organisation's approach to security.
Programmes: These are activities performed within an organisation to improve security in that
organisation. They include training, educating the employees, and awareness programmes.


Technologies: These are the technical implementations of the policies described by an
organisation.

3.1.3.(iv). Documenting the Results of Risk Assessments

At the end of the risk assessment process, one will have a list of information assets with their data,
ranked according to which need the most protection. The final summarised document is the
ranked vulnerability risk worksheet.

3.1.4. Risk Control

When an organisation's management identifies a risk from threats, it authorises the
information technology and information security team to work on that risk. Once the
information security development team has created the ranked vulnerability worksheet, the team
should choose one of the strategies to control the risks. The risk control strategies are explained
as follows:

3.1.4.(i). Defend
This strategy attempts to prevent the exploitation of vulnerabilities. It is a commonly used
approach and is accomplished by countering threats, removing vulnerabilities from assets,
limiting access to assets, and implementing protective safeguards.
The common methods used to defend are:

• Implementation of policies
• Education and training
• Administration of technologies

3.1.4.(ii). Transfer
Transfer is a control approach that attempts to shift the risk to other assets or to other
organisations. This is a commonly used strategy for larger companies. It is accomplished
by rethinking or re-engineering services, and by revising development models or moving them to other
organisations.
These principles are considered when an organisation begins to expand its operations. If the
organisation does not have security management and administration expertise, it should hire individuals to
perform those tasks.


3.1.4.(iii). Mitigate
This strategy is used to reduce the impact caused by the exploitation of vulnerabilities. It includes the
incident response plan, the disaster recovery plan, and the business continuity plan. All three plans depend
on the ability to identify and respond to attacks as quickly as possible.

• Incident response plan: The incident response plan enables an organisation to take
  suitable action on damage, which may be predefined or specific.
• Disaster recovery plan: It includes strategies to limit losses before and during the
  disaster. Media backup is also part of the DR plan.
• Business continuity plan: This is the most deliberate and long-term method of the
  three plans. It includes planning the steps necessary to ensure the continuation of the
  organisation.

Risk Control   Categories Used by             Categories Used by         Others
Strategy       NIST SP 800-30                 ISACA and ISO/IEC 27001
Defend         Research and Acknowledgement   Treat                      Self-protection
Transfer       Risk transference              Transfer                   Risk transfer
Mitigate       Risk Limitation and            Tolerate (partial)         Self-insurance (partial)
               Risk Planning
Accept         Risk Assumption                Tolerate (partial)         Self-insurance (partial)
Terminate      Risk Avoidance                 Terminate                  Avoidance

Table 3.1.2: Risk control strategies


3.1.5. Assessing Risk Based on Probability of Occurrence and Likely Impact
and Fundamental Aspects of Documenting Risk via the Process of Risk
Assessment

Assessing risk based on the probability of occurrence and likely impact

Once the list of threats is identified and the security management team has agreed on the
definition of each threat, it is essential to determine how likely each threat is to occur. The risk
management team derives the probability that a potential threat will be exercised against the assets
covered by the risk assessment.
Following are some definitions of the probabilities that a threat may occur:

• High probability: Very much expected that the threat will occur within the next year.
• Medium probability: Possible that the threat may occur during the next year.
• Low probability: Highly unlikely that the threat will occur during the next year.
• Probability: The possibility that a threat might occur.

Once we determine the probability of a threat occurring, it is necessary to determine the impact
of the threat on the organisation. Reviewing probability and impact together yields the identification of
a risk level that can be assigned to each threat. Once the risk level has been established, the team
can identify appropriate actions.
Following are some definitions for the impact of a threat:

• High impact: A critical impact that leads to significant loss of business or corporate
  image.
• Medium impact: Short interruption of a system that results in partial financial/data
  loss.
• Low impact: Interruption with no financial/data loss.
• Impact: Measure of the degree of financial/data loss or damage to the value of an asset.


Fig. 3.1.5: Probability-impact matrix. Rows: probability (High, Medium, Low); columns: impact
(High, Medium, Low). Each cell carries one of the following ratings:
A - Corrective action must be implemented
B - Corrective action should be implemented
C - Requires monitoring
D - No action required at this time

Fundamental aspects of documenting risk via the process of risk assessment

The results of the risk identification process are documented in a standard format and reported to
the asset owner. These documents help senior management or business owners to make decisions
on policy, procedures, budget, and management change. The risk analysis report is presented in
such a way that it can be easily understood by senior management, who allocate the resources
to reduce the risks.
The final summarised document is the ranked vulnerability risk worksheet. Its columns are as shown
below:

• Asset: List each vulnerable asset.
• Asset impact: A number from 1 to 100, which is the result of the weighted factor analysis.
• Vulnerability: List all uncontrolled vulnerabilities.
• Vulnerability likelihood: State the likelihood of realisation of the vulnerability by a
  threat agent. This is a number from 0.1 to 1.0.
• Risk rating factor: Enter the number calculated as asset impact multiplied by
  likelihood.


Asset                                          Asset impact       Vulnerability                                             Vulnerability   Risk-rating
                                               (relative value)                                                             likelihood      factor
Customer service request via e-mail (inbound)        55           E-mail disruption due to hardware failure                     0.2             11
Customer order via SSL (inbound)                    100           Lost orders due to web server hardware failure                0.1             10
Customer order via SSL (inbound)                    100           Lost orders due to web server or ISP service failure          0.1             10
Customer service request via e-mail (inbound)        55           E-mail disruption due to SMTP mail relay attack               0.1              5.5
Customer service request via e-mail (inbound)        55           E-mail disruption due to ISP service failure                  0.1              5.5
Customer order via SSL (inbound)                    100           Lost orders due to web server denial-of-service attack        0.025            2.5
Customer order via SSL (inbound)                    100           Lost orders due to web server software failure                0.01             1

Table 3.1.3: Ranked vulnerabilities risk worksheet
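The worksheet and the probability-impact matrix above are easy to get wrong by hand, so here is the same procedure as code. This is an added example, not code from the textbook: the class and function names are mine, the numeric thresholds that turn a 1..100 impact and a 0..1 likelihood into High/Medium/Low bands are assumptions (the text defines the bands only in words), and so is the letter assigned to each matrix cell. The rows are Table 3.1.3 transcribed as constructed sample input.

```python
"""Ranked vulnerability risk worksheet (Table 3.1.3) and probability-impact
matrix (Fig. 3.1.5) as code.  Added example; band thresholds and the A-D
cell lettering are assumptions, not taken from the textbook."""
from dataclasses import dataclass


@dataclass(frozen=True)
class WorksheetRow:
    asset: str
    asset_impact: int      # relative value 1..100, the weighted-factor result
    vulnerability: str
    likelihood: float      # probability a threat agent realises the vulnerability

    def risk_rating(self) -> float:
        """Risk-rating factor = asset impact x vulnerability likelihood."""
        return round(self.asset_impact * self.likelihood, 3)


def is_valid(row: WorksheetRow) -> bool:
    """The text gives likelihood as 0.1..1.0, but Table 3.1.3 itself uses
    0.025 and 0.01 for rare events, so anything in (0, 1] is accepted."""
    return 1 <= row.asset_impact <= 100 and 0 < row.likelihood <= 1.0


def rank(rows):
    """Return the worksheet sorted by risk-rating factor, highest first.
    Ties keep their input order (sorted() is stable)."""
    bad = [r.vulnerability for r in rows if not is_valid(r)]
    if bad:
        raise ValueError(f"rows with out-of-range values: {bad}")
    return sorted(rows, key=lambda r: r.risk_rating(), reverse=True)


# Band thresholds (assumed): the textbook defines High/Medium/Low only in words.
def impact_band(asset_impact: int) -> str:
    return "High" if asset_impact >= 67 else "Medium" if asset_impact >= 34 else "Low"


def probability_band(likelihood: float) -> str:
    return "High" if likelihood >= 0.5 else "Medium" if likelihood >= 0.2 else "Low"


# Assumed lettering of the (probability, impact) cells of Fig. 3.1.5.
MATRIX = {
    ("High", "High"): "A", ("High", "Medium"): "A", ("Medium", "High"): "A",
    ("High", "Low"): "B", ("Medium", "Medium"): "B", ("Low", "High"): "B",
    ("Medium", "Low"): "C", ("Low", "Medium"): "C",
    ("Low", "Low"): "D",
}
LEGEND = {
    "A": "Corrective action must be implemented",
    "B": "Corrective action should be implemented",
    "C": "Requires monitoring",
    "D": "No action required at this time",
}


def matrix_cell(row: WorksheetRow) -> str:
    """Letter of the matrix cell the row falls into."""
    return MATRIX[(probability_band(row.likelihood), impact_band(row.asset_impact))]


# Table 3.1.3 transcribed as constructed sample input.
EMAIL = "Customer service request via e-mail (inbound)"
ORDER = "Customer order via SSL (inbound)"
TABLE_3_1_3 = [
    WorksheetRow(EMAIL, 55, "E-mail disruption due to hardware failure", 0.2),
    WorksheetRow(ORDER, 100, "Lost orders due to web server hardware failure", 0.1),
    WorksheetRow(ORDER, 100, "Lost orders due to web server or ISP service failure", 0.1),
    WorksheetRow(EMAIL, 55, "E-mail disruption due to SMTP mail relay attack", 0.1),
    WorksheetRow(EMAIL, 55, "E-mail disruption due to ISP service failure", 0.1),
    WorksheetRow(ORDER, 100, "Lost orders due to web server denial-of-service attack", 0.025),
    WorksheetRow(ORDER, 100, "Lost orders due to web server software failure", 0.01),
]


def report(rows):
    """One line per row, ranked, with the matrix cell and what it requires."""
    return [f"{r.risk_rating():>5}  {matrix_cell(r)}  {r.vulnerability}  "
            f"[{LEGEND[matrix_cell(r)]}]" for r in rank(rows)]


if __name__ == "__main__":
    print("\n".join(report(TABLE_3_1_3)))
```

Note that the two views disagree on purpose: the ranking puts the e-mail hardware failure (11) first, while the matrix puts it in the same cell as the web-server hardware failure (10) and the denial-of-service attack (2.5). The rating orders work; the matrix tells management what class of action each row needs. Use both.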


Summary

Risk is the potential harm that may arise from some current process or from some future event.

Risk is a function of the likelihood of a given threat source exercising a particular potential vulnerability, and the resulting impact of that adverse event on an organisation.

Risk identification is the examination and documentation of the security posture of an organisation's information technology and the risks it faces.

Risk assessment is the determination of the extent to which an organisation's information assets are exposed or at risk.

Risk control is the application of controls to reduce the risks to an organisation's data and information systems.

There are three types of controls: policies, programmes, and technologies.

Defend strategies attempt to prevent the exploitation of vulnerabilities. This is the most commonly used approach and is accomplished by countering threats.

Transfer is a control approach that attempts to shift the risk to other assets or other organisations. It is also commonly used, especially by larger companies.

Mitigation is the effort to reduce the impact of an exploited vulnerability through planning and preparation (incident response, disaster recovery and business continuity plans).


Self-assessment Questions:
1) Risk management is one of the most important jobs for a
(a) Client
(b) Investor
(c) Production team
(d) Project manager
2) Which of the following is known as a common risk identification method?
(a) Objective-based risk identification
(b) Technology risk identification
(c) Estimation risk identification
(d) Organisational risk identification
3) Which of the following strategies means that the impact of a risk will be reduced?
(a) Avoidance strategies
(b) Minimisation strategies
(c) Contingency plans
(d) Risk control strategies
4) Who has the responsibility for information security within an organisation?
(a) IT Security Officer
(b) Project Managers
(c) Senior Management
(d) All of the options
5) Which term represents the likelihood of a threat source taking advantage of a vulnerability?
(a) Vulnerability
(b) Threat
(c) Risk
(d) Exposure
6) Organisational security goals are typically:
(a) Monthly (every 30 days)
(b) Operational (mid-term)
(c) Tactical (daily)
(d) Strategic (long-term)
7) Risk management helps you do all of the following except:
(a) Identify risks
(b) Assess risks
(c) Reduce risk to an acceptable level
(d) Completely avoid risk
8) Any risk left over after implementing safeguards is known as:
(a) Leftover risk
(b) Residual risk
(c) Remaining risk
(d) Totally leftover risk
9) Which one is not a risk management activity?
(a) Risk assessment
(b) Risk generation
(c) Risk control
(d) Risk identification


10) Asset identification begins with all of the following except:
(a) Networking elements
(b) Data
(c) Procedures
(d) Risk
11) Which of the following is not a type of control?
(a) Policies
(b) Programmes
(c) Procedures
(d) Technologies
12) In risk control, shifting of risk from one asset to another occurs in _________
(a) Defend
(b) Transfer
(c) Mitigation
(d) Controls
13) _________ means it is very likely that the threat will occur within the next year.
(a) Probability
(b) Medium probability
(c) High probability
(d) Low probability
14) _______ is a critical impact that leads to a significant loss of business or corporate image.
(a) Impact
(b) High impact
(c) Low impact
(d) Medium impact
15) Media backup is a part of the ________ plan.
(a) Incident response plan
(b) Disaster recovery plan
(c) Business continuity plan
(d) Media recovery plan


Bibliography

References
1.1. Ustudy. Risk identification. Retrieved on July 1, 2015, from http://www.ustudy.in/node/11807
1.2. Ustudy. Risk management. Retrieved on July 1, 2015, from http://www.ustudy.in/node/11807
1.3. Nspw. Managing risk. Retrieved on July 1, 2015, from http://www.nspw.org/papers/2001/nspw2001-blakley.pdf
1.4. hhs. Risk management. Retrieved on July 2, 2015, from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf

External Resources

Bosworth, S., Kabay, M. E., & Whyne, E. (2014). Computer Security Handbook (6th ed., Vol. 1). New Jersey: John Wiley & Sons.
Peltier, T. R. (2005). Information Security Risk Analysis (2nd ed.). Boca Raton, London, New York: Auerbach Publications.
Whitman, M. E., & Mattord, H. J. (2011). Principles of Information Security. USA: Course Technology.

Video Links

Topic: Introduction to risk management
Link: www.youtube.com/watch?v=BLAEuVSAlVM&feature=youtu.be

Topic: Introduction to risk assessment
Link: www.youtube.com/watch?v=fY6KGN72d7Q&feature=youtu.be&list=PL2vMhKNwvYnJ9cPO263nlK7m5wh7mYE9Q

Topic: Analysis of risk management
Link: www.youtube.com/watch?v=sPBYXuqITKg&feature=youtu.be

Topic: Risk management
Link: www.youtube.com/watch?v=n9d7EMEzaHU&feature=youtu.be


Table of Contents
Chapter 3.2
Information Security Risk Mitigation & Controls

Aim ... 79
Learning Objectives ... 79
Learning Outcome ... 79
3.2.1 Risk Mitigation Strategy Options, the Categories that can be used to Classify Controls ... 80
3.2.2 Risk Control Strategies ... 80
3.2.2.(i) Defend ... 81
3.2.2.(ii) Transfer ... 81
3.2.2.(iii) Mitigate ... 82
3.2.2.(iv) Accept ... 83
3.2.2.(v) Terminate ... 85
3.2.3 Overview on the Best Practices in Information Security Risk Management ... 90
Summary ... 92
SAQs ... 93
Bibliography ... 94
References ... 94
External Resources ... 94
Video Links ... 94


Risk Management

Information Security Risk Mitigation & Controls

Aim:
To equip the students with the concepts of mitigation techniques and the best practices of risk management

Learning Objectives:
After going through this chapter, students should be able to understand:

The various risk mitigation strategy options
The categories that can be used to classify controls
Risk control strategies
Best practices in information security risk management

Learning Outcome:
After studying this chapter, you should be able to:

Describe the various risk mitigation strategy options
Identify the categories that can be used to classify controls
Discuss the best practices in information security risk management


3.2.1. Risk Mitigation Strategy Options, the Categories that can be Used to Classify Controls
Risk mitigation is a systematic method used by senior management to reduce organisational risk. Once the risk assessment has been conducted, management can use various risk mitigation techniques to complete the process. The main techniques are:

Risk assumption: Once the security management team has identified and determined the risk level, senior management decides, as a business decision, to accept the possible risk. This is an acceptable outcome of the risk assessment process.

Risk alleviation: Senior management approves the implementation of the security controls recommended by the risk management team. This lowers the risk to a certain level.

Risk avoidance: Management chooses to avoid the risk by eliminating the process that causes the risk to the organisation.

Risk limitation: After the risk assessment, risk limitation is the standard process used to limit risk. It is performed by implementing security controls that minimise the risk.

Risk planning: Risk planning is the process of deciding how to manage risk by developing an architecture that identifies, implements, and maintains the risk controls.

Risk transference: Management transfers the risk by using other options, such as purchasing an insurance policy.

An organisation can use any of these mitigation techniques; the objectives of the organisation remain the same whichever is chosen.

3.2.2. Risk Control Strategies

When management determines that risks from information security threats are creating a competitive disadvantage, it empowers the information technology and information security communities of interest to control the risks. Once the information security project team has created the ranked vulnerability worksheet, it must choose one of five basic strategies to control each risk: defend, transfer, mitigate, accept, and terminate.


3.2.2.(i). Defend
The defend control strategy attempts to prevent the exploitation of a vulnerability. This is the preferred approach and is accomplished by countering threats, removing vulnerabilities from assets, limiting access to assets, and adding protective safeguards. There are three common methods used to defend:

Application of policies
Education and training
Implementation of technologies

Implementing the Defend Strategy

Organisations can mitigate risk to an asset by countering the threats it faces or by eliminating its exposure. It is difficult to eliminate a threat, but it is possible with proper planning. For example, in 2002 McDonald's Corporation, which had been subjected to attacks by animal-rights cyberactivists, sought to reduce the risk by imposing stricter conditions on its egg suppliers regarding the health and welfare of chickens. This strategy was consistent with other changes McDonald's made to meet the demands of animal-rights activists and to improve its relationship with these groups.
Another defence strategy is the implementation of security controls and safeguards to deflect attacks on systems. This strategy minimises the probability that an attack will succeed. For example, an organisation with a dial-in access vulnerability may choose to implement a control or safeguard for that service: an authentication procedure based on a protocol such as RADIUS (Remote Authentication Dial-In User Service) would provide sufficient control. Note that RADIUS is an authentication, authorisation and accounting protocol rather than a cryptographic technology in its own right; its protection of credentials in transit is weak by today's standards, so it is normally confined to a trusted management network or carried inside a protected tunnel. Alternatively, the organisation may choose to eliminate the dial-in system and service altogether to avoid the potential risks.

3.2.2.(ii). Transfer
The transfer control strategy attempts to shift risk to other assets, other processes, or other organisations. This can be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organisations, purchasing insurance, or implementing service contracts with providers. In the popular book In Search of Excellence, management consultants Tom Peters and Robert Waterman present a series of case studies of high-performing corporations. One of the eight characteristics of excellent organisations is that they "stick to their knitting": they stay reasonably close to the business they know. This means that Kodak, a manufacturer of photographic equipment and chemicals, focuses on photographic equipment and chemicals, and General Motors focuses on the design and construction of cars and trucks. Neither company spends its strategic energies on the technology of website development; for this expertise, they rely on consultants or contractors.
This principle should be considered whenever an organisation begins to expand its operations, including information and systems management and information security. If an organisation does not have quality security management and administration experience, it should hire individuals who provide such expertise. For example, many organisations want web services, including a web presence, domain name registration, and domain and web hosting. Rather than implementing their own servers and hiring their own webmasters, web systems administrators, and specialised security experts, savvy organisations hire an ISP or a consulting organisation to provide these products and services for them. This allows the organisation to transfer the risks associated with the management of these complex systems to another organisation that has experience in dealing with those risks. A side benefit of such contract arrangements is that the provider is responsible for disaster recovery and, through service level agreements, for guaranteeing server and website availability. Transfer does not make the risk disappear: the organisation still owns the consequences of an outage or a breach at the provider, so the contract and its service levels must be checked against the risk actually being transferred.

3.2.2.(iii). Mitigate
The mitigate control strategy attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation. This approach requires the creation of three types of plan: the incident response plan, the disaster recovery plan, and the business continuity plan. Each of these plans depends on the ability to detect and respond to an attack as quickly as possible, and each relies on the quality of the other plans. Mitigation begins with early detection that an attack is in progress, followed by a quick, efficient, and effective response.

Incident Response Plan

The actions an organisation can, and perhaps should, take while an incident is in progress should be specified in a document called the incident response (IR) plan. The IR plan answers the questions victims ask in the midst of an incident, such as "What do I do now?" For example, a systems administrator may notice that someone is copying information from the server without authorisation, signalling a policy violation by an intruder or an unauthorised employee. What should the administrator do first? Whom should he or she contact? What should he or she document? The IR plan provides the answers. In the event of a serious virus or worm outbreak, the IR plan can be used to assess the likelihood of imminent damage and to inform the key decision makers in the various communities of interest (IT, information security, organisational management, and users). The IR plan also enables an organisation to take coordinated action that is either predefined and specific, or ad hoc and reactive.


Disaster Recovery Plan

The most common of the mitigation procedures is the disaster recovery (DR) plan. Although media backup strategies are an integral part of the DR plan, the overall programme includes the entire spectrum of activities used to recover from an incident. The DR plan can include strategies to limit losses before and during the disaster; these strategies are fully deployed once the disaster has been stopped.
DR plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede. The DR plan and the IR plan overlap to a certain degree. In many respects, the DR plan is the subsection of the IR plan that covers disastrous events. The IR plan is also flexible enough to be useful in situations that are near disasters but still require coordinated, planned action.
While some decisions and actions are the same in DR and IR plans, their urgency and outcomes can differ dramatically. The DR plan focuses more on preparations completed before, and actions taken after, the incident, whereas the IR plan focuses on intelligence gathering, information analysis, coordinated decision making, and urgent, concrete action.

Business Continuity Plan

This is the most strategic and long-term of the three plans. It encompasses the continuation of business activities if a catastrophic event occurs, such as loss of the entire database, the building, or the operations centre. The BC plan includes planning the steps necessary to ensure the continuation of the organisation when the scope or scale of a disaster exceeds the ability of the DR plan to restore operations. This can include preparation steps for activation of secondary data centres, hot sites, or business recovery sites. These systems enable organisations to continue operations with minimal disruption of service. Many companies offer DR services as a contingency against disastrous events such as fires, floods, earthquakes, and most other natural disasters.

3.2.2.(iv). Accept
The accept control strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation. This may or may not be a conscious business decision. The only industry-recognised valid use of this strategy occurs when the organisation has done the following:

Determined the level of risk
Assessed the probability of attack
Estimated the potential damage that could occur from attacks
Performed a thorough cost-benefit analysis
Evaluated controls using each appropriate type of feasibility
Decided that the particular function, service, information, or asset does not justify the cost of protection

This strategy is based on the conclusion that the cost of protecting an asset does not justify the security expenditure. For example, suppose it would cost an organisation $100,000 per year to protect a server, and the security assessment determined that for $10,000 the organisation could replace the information contained on the server, replace the server itself, and cover the associated recovery costs. In this case, management may be satisfied with taking its chances and saving the money that would normally be spent on protecting this asset.
If a vulnerability is handled by acceptance, it may reflect an inability to conduct proactive security activities and an apathetic approach to security in general. It is not acceptable for an organisation to adopt a policy of "ignorance is bliss" and hope to avoid litigation by pleading ignorance of its obligation to protect employee and customer information. It is also unacceptable for management to hope that, if they do not try to protect information, an adversary will assume that there is little to be gained by an attack. The risks far outweigh the benefits of this approach. Acceptance is a legitimate strategy only when it is recorded: the accepted risk, who accepted it, and when it will be reviewed.

Risk control strategy   Categories used by NIST SP 800-30        Categories used by ISACA and ISO/IEC 27001   Others
Defend                  Research and acknowledgement             Treat                                        Self-protection
Transfer                Risk transference                        Transfer                                     Risk transfer
Mitigate                Risk limitation and risk planning        Tolerate (partial)                           Self-insurance (partial)
Accept                  Risk assumption                          Tolerate (partial)                           Self-insurance (partial)
Terminate               Risk avoidance                           Terminate                                    Avoidance

Table 3.2.1: Risk Control Strategy Terminology

Incident Response Plan
  Description:   Actions an organisation takes during incidents (attacks)
  Examples:      List of steps to be taken during a disaster; intelligence gathering; information analysis
  When deployed: As the incident or disaster unfolds
  Time frame:    Immediate and real-time reaction

Disaster Recovery Plan
  Description:   Preparations for recovery should a disaster occur; strategies to limit losses before and during the disaster; step-by-step instructions to regain normalcy
  Examples:      Procedures for the recovery of lost data; procedures for the re-establishment of lost services; shutdown procedures to protect systems and data
  When deployed: Immediately after the incident is labelled a disaster
  Time frame:    Short-term recovery

Business Continuity Plan
  Description:   Steps to ensure continuation of the overall business when the scale of a disaster exceeds the DR plan's ability to restore operations
  Examples:      Preparation steps for activation of secondary data centres; establishment of a hot site in a remote location
  When deployed: Immediately after the disaster is determined to affect the continued operations of the organisation
  Time frame:    Long-term operation

Table 3.2.2: Summaries of Mitigation Plans

3.2.2.(v). Terminate
The terminate control strategy directs the organisation to avoid those business activities that introduce uncontrollable risks. If an organisation studies the risks of implementing business-to-consumer e-commerce operations and determines that the risks are not sufficiently offset by the potential benefits, it may seek an alternative mechanism to meet customer needs, perhaps developing new channels for product distribution or new partnership opportunities. By terminating the questionable activity, the organisation reduces its risk exposure.


Types of risk control:

Directive controls: Often called administrative controls, these are intended to advise employees of the behaviour expected of them when they interact with or use the organisation's information systems.

Preventive controls: Physical, administrative, and technical measures intended to preclude actions that violate policy or increase risk to system resources.

Detective controls: Practices, processes, and tools that identify, and possibly react to, security violations.

Corrective controls: Physical, administrative, and technical measures designed to react to the detection of an incident in order to reduce or eliminate the opportunity for the unwanted event to recur.

Risk assessment should identify, quantify, and prioritise information security risks against defined criteria for risk acceptance and objectives relevant to the organisation. The information gathered in the risk assessment phase should guide and determine the appropriate risk management action for each information security risk.
The organisation should formulate a risk treatment plan (RTP) that identifies the appropriate management actions, resources, and responsibilities for dealing with each information security risk. The RTP should be set within the context of the organisation's information security policy and should clearly identify the approach taken to each risk.

PDCA:
PDCA is a four-step problem-solving technique used to improve business processes. The four steps are plan-do-check-act. It can be used to effect both major performance breakthroughs and small incremental improvements in projects and processes. PDCA is also known as the Deming wheel or the Shewhart cycle.

Fig. 3.2.1: PDCA cycle

Phases of PDCA:
Plan: The purpose of this phase is to examine the current situation and understand the nature of the problem. It identifies all possible causes of the problem and prioritises them.

Do: The purpose of this phase is to implement the action plan:

Implement the improvement.
Collect and document the data.
Document problems, unexpected observations, lessons learned, and knowledge gained.

Check/study: This phase analyses the effect of the intervention. New data and baseline data are compared to determine whether an improvement has been achieved.

Act: This phase marks the conclusion of the planning, testing, and analysis of whether the desired improvement was achieved as expressed in the aim statement; its purpose is to act upon what has been learned.


Risk control methods:

Policy: A security policy contains a set of objectives for the company, including rules of behaviour for users and administrators. A security policy is a living document: it is continuously updated as the technology and the requirements change.

Procedures: A procedure is a set of step-by-step instructions to assist workers or users in implementing the policies, standards, and guidelines.

Audits: Information security audits should be performed regularly, in order to prevent conflicts in the organisation. The management or security administration of an organisation always bears the overall responsibility for IS audits, and one person in the organisation must be named responsible for them; that person supervises the entire audit process.

The main goals of IS audits are to:

Check the existence of security policy, standards, guidelines, and procedures
Identify inadequacies in, and examine the effectiveness of, the existing policy, standards, guidelines, and procedures
Identify and understand the existing vulnerabilities and risks
Provide recommendations and corrective actions for improvement

Information security management systems:

An information security management system (ISMS) is the set of policies and procedures used to manage an organisation's sensitive data. The main purpose of an ISMS is to minimise risk. An ISMS involves the following essential components:

Management principles
Resources
Personnel
Information security process


Fig. 3.2.2: Components of ISMS

Employee awareness programmes: Employee awareness plays an important role in risk mitigation. The objective of awareness is to make employees consider or rethink routine functions in the course of doing their jobs, so as to prevent unauthorised disclosure, modification, or use of information or systems, or loss of their availability.

Residual risk: The risk that remains after controls have been applied is known as residual risk. Even when vulnerabilities have been controlled as much as possible, there is often still some risk that has not been completely removed, shifted, or planned for. This remainder is the residual risk.
The significance of residual risk must be judged within the context of the organisation. Although it may seem unreasonable, the goal of information security is not to bring residual risk to zero; it is to bring residual risk into line with the organisation's comfort zone, its risk appetite. If decision makers have been informed of the uncontrolled risks and the proper authority groups within the communities of interest have decided to leave the residual risk in place, the information security programme has accomplished its primary goal.
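The risk treatment plan and the residual-risk test above can be written down as a small calculation, which makes the difference between the five control strategies concrete. This is an added example, not from the textbook: the class and function names, the per-control reduction factors, the control descriptions and the risk appetite threshold of 5.0 are all assumptions chosen to illustrate the idea. The risks are rows from Table 3.1.3, paired with one assumed control each.

```python
"""Residual risk against risk appetite, as a minimal risk treatment plan (RTP).
Added example; reduction factors, control names and the appetite threshold
are assumptions, not taken from the textbook."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    vulnerability: str
    asset_impact: int      # 1..100, as on the ranked vulnerability worksheet
    likelihood: float      # 0 < p <= 1

    @property
    def inherent(self) -> float:
        """Risk before any control: impact x likelihood."""
        return round(self.asset_impact * self.likelihood, 3)


@dataclass(frozen=True)
class Control:
    name: str
    strategy: str                    # defend | transfer | mitigate | accept | terminate
    likelihood_factor: float = 1.0   # residual likelihood = likelihood x factor
    impact_factor: float = 1.0       # residual impact = impact x factor
    annual_cost: float = 0.0


STRATEGIES = {"defend", "transfer", "mitigate", "accept", "terminate"}


def residual(risk: Risk, control: Control) -> float:
    """Risk remaining after the control is applied (Fig. 3.2.3).
    accept leaves the inherent risk untouched; terminate removes the
    activity, so nothing is left to exploit; the other three scale
    likelihood (defend), impact (mitigate) or both (transfer, partially)."""
    if control.strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy: {control.strategy}")
    if control.strategy == "accept":
        return risk.inherent
    if control.strategy == "terminate":
        return 0.0
    if not (0 <= control.likelihood_factor <= 1 and 0 <= control.impact_factor <= 1):
        raise ValueError("reduction factors must lie in [0, 1]")
    return round(risk.asset_impact * control.impact_factor
                 * risk.likelihood * control.likelihood_factor, 3)


def treatment_plan(pairs, appetite: float):
    """For each (risk, control) pair: inherent and residual rating, and whether
    the residual rating is inside the organisation's risk appetite."""
    plan = []
    for risk, control in pairs:
        left = residual(risk, control)
        plan.append({
            "vulnerability": risk.vulnerability,
            "strategy": control.strategy,
            "control": control.name,
            "inherent": risk.inherent,
            "residual": left,
            "within_appetite": left <= appetite,
            "annual_cost": control.annual_cost,
        })
    return plan


def unresolved(plan):
    """Entries still above appetite: these go back to management for a
    recorded decision rather than silent acceptance."""
    return [p for p in plan if not p["within_appetite"]]


# Constructed sample: rows from Table 3.1.3, each paired with an assumed control.
SAMPLE = [
    (Risk("E-mail disruption due to hardware failure", 55, 0.2),
     Control("Spare mail server, manual failover", "mitigate", impact_factor=0.6, annual_cost=4000)),
    (Risk("Lost orders due to web server hardware failure", 100, 0.1),
     Control("Hosting contract with availability SLA", "transfer", impact_factor=0.4, annual_cost=12000)),
    (Risk("E-mail disruption due to SMTP mail relay attack", 55, 0.1),
     Control("Close open relay; require SMTP AUTH", "defend", likelihood_factor=0.1, annual_cost=500)),
    (Risk("Lost orders due to web server denial-of-service attack", 100, 0.025),
     Control("No control; acceptance recorded and dated", "accept")),
    (Risk("Lost orders due to web server software failure", 100, 0.01),
     Control("Withdraw direct web ordering", "terminate")),
]
APPETITE = 5.0   # assumed: a residual rating above this needs a management decision


if __name__ == "__main__":
    for p in treatment_plan(SAMPLE, APPETITE):
        flag = "" if p["within_appetite"] else "  <-- above appetite"
        print(f"{p['inherent']:>5} -> {p['residual']:>5}  {p['strategy']:<9} {p['vulnerability']}{flag}")
```

Run as written, the first row is the interesting one: a spare mail server with manual failover cuts the e-mail outage impact to 60 percent, but 6.6 is still above the assumed appetite of 5.0, so the plan returns it as unresolved and management must either fund a stronger control or record the acceptance explicitly. That is the distinction the text draws between residual risk that has been decided upon and residual risk that was merely never looked at.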


Fig. 3.2.3: Inherent risk and Residual risk

3.2.3. Overview on the Best Practices in Information Security Risk Management
Best security practices, or simply best practices, are the security efforts considered the best in the industry: they balance the need for access to information against its protection and provide as much security to information and systems as is practical. Organisations implementing best practices may not be the best in all areas, but they may run a successful security effort in one or more areas.

Applying best practices: One can study documented best-practice procedures that have been shown to be effective and are recommended by other organisations. Before adopting a practice, an organisation should ask:

Is our organisation in a similar industry as the target?
Does our organisation face similar challenges as the target?
Is the structure of our organisation similar to that of the target?
Is our organisation in a similar threat environment as the one assumed by the best practice?


Best practices:

Promoting an organisational philosophy and culture that says everybody is a risk manager: The principal practice for integrating risk management is to build the organisation's culture so that every member of the organisation is a risk manager. Many organisations consider this more effective than developing and issuing organisation-wide policies and procedures. Ideally, employees understand the organisational goals and work towards them.

Senior management involvement: Senior management must understand risk management and is responsible for communicating its importance throughout the organisation.

Establishing open communication channels: Open communication means sharing information. It is necessary for risk management to succeed: managers must have channels across their business units through which risks can be identified.

Using teams and committees: Most organisations use formal and informal team mechanisms to manage risk. These teams bring varied attitudes to risk and new thinking to issues and solutions.

Using simple business risk language: A common risk language must be used from the boardroom to the boiler room, so that everyone can understand it easily.

Setting up a corporate risk management function: Most organisations form a team to manage risk. The chief risk officer (CRO) is responsible for establishing and maintaining risk awareness across the organisation.

Audit committee assistance in implementing risk management: The internal audit function helps implement risk management in the organisation.

Guidance: Guidance can be provided directly or indirectly to internal services or to members of the organisation.

Risk management training: Training can cover risk assessment, safety, and managing risk, so that all managers and members are aware of the risks.


Summary:

Risk mitigation is a systematic method used by senior management to reduce organisational risk.

The defend control strategy attempts to prevent the exploitation of a vulnerability. An organisation can mitigate risk to an asset by countering the threats it faces or by eliminating its exposure.

The transfer control strategy attempts to shift risk to other assets, other processes, or other organisations.

The mitigate control strategy attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.

The actions an organisation can, and perhaps should, take while an incident is in progress should be specified in a document called the incident response (IR) plan.

The most common of the mitigation procedures is the disaster recovery (DR) plan. The DR plan can include strategies to limit losses before and during the disaster.

The business continuity (BC) plan is the most strategic and long-term of the three plans.

The accept control strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.

The terminate control strategy directs the organisation to avoid those business activities that introduce uncontrollable risks.


Self-Assessment Questions:
1) The risk mitigation method is used by _____________
(a) Organisation
(b) Senior management
(c) Security people
(d) Risk team
2) Which of the following is a method of risk mitigation?
(a) Risk planning
(b) Risk limitation
(c) Risk avoidance
(d) Risk transfer
3) Which mitigation process is used to limit the risk?
(a) Risk avoidance
(b) Risk abundance
(c) Risk limitation
(d) Risk assumption
4) Which of the following is not a control strategy?
(a) Mitigation
(b) Defend
(c) Accept
(d) Risk control
5) Which control strategy is used to prevent exploitation of vulnerabilities?
(a) Defend
(b) Accept
(c) Transfer
(d) Mitigate
6) Which of the following technologies is used by RADIUS?
(a) Authentication technology
(b) Cryptographic technology
(c) Remote technology
(d) Implementation technology
7) __________ is the long-term plan among the mitigation techniques.
(a) Incident Response Plan
(b) Disaster Recovery Plan
(c) Business Continuity Plan
(d) Control plan
8) Who is responsible for establishing and maintaining risk awareness in an organisation?
(a) Manager
(b) Team leader
(c) Admin
(d) CRO
9) CRO stands for?
(a) Chief responsible officer
(b) Chief risk officer
(c) Chief risk organiser
(d) Control risk officer
10) __________ begins with early detection of an attack in progress.
(a) Termination
(b) Defence
(c) Acceptance
(d) Mitigation


Bibliography
References
1.1. TBS. Best practices of risk management. Retrieved on July 2, 2015, from http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/riskmanagement/rm-pps01-eng.asp
1.2. HHS. Risk management (NIST SP 800-30). Retrieved on July 2, 2015, from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf
1.3. CSRC. Managing security risk (NIST SP 800-39). Retrieved on July 2, 2015, from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

External Resources

Bosworth, S., Kabay, M. E., & Whyne, E. (2014). Computer Security Handbook (6th ed., Vol. 1). New Jersey: John Wiley & Sons.
Peltier, T. R. (2005). Information Security Risk Analysis (2nd ed.). Boca Raton, London, New York: Auerbach Publications.
Whitman, M. E., & Mattord, H. J. (2011). Principles of Information Security. USA: Course Technology.

Video Links
Topic: Link
Risk mitigation: www.youtube.com/watch?v=ibVfAhy7WZQ&feature=youtu.be
Introduction to risk mitigation: www.youtube.com/watch?v=nopu1wk3oBc&feature=youtu.be
Best practices in risk management: www.youtube.com/watch?v=w4lux2BpPHo&feature=youtu.be


Module 4
Network Infrastructure Security and Connectivity

Chapter 4.1
Fundamentals of Network Security

Chapter 4.2
Introduction to Device Security and Documenting Network Security Processes

Table of Contents
Chapter 4.1 Fundamentals of Network Security
Page No.
Aim 95
Learning Objectives 95
Learning Outcome 95
4.1.1 Understanding Infrastructure of Network Security 96
4.1.2 Device-Based Security 96
4.1.2.(i) Configuring Firewall 97
4.1.2.(ii) Understanding Vulnerabilities in Routers, Switches and Modems 97
4.1.2.(iii) Network Monitor 97
4.1.2.(iv) Diagnostics and Utilities used for Monitoring Networks 98
4.1.3 Media-Based Security 98
4.1.4 Network-Based Security 101
4.1.4.(i) Intranet 102
4.1.4.(ii) Extranet 102
Summary 106
SAQs 107
Bibliography 109
References 109
External Resources 109
Video Links 109

Legends:
Aim
Learning Objectives
Learning Outcome
Summary
Self-assessment Questions
References
External Resources
Video Links

Network Infrastructure
Security and Connectivity

Fundamentals of Network Security

Aim:
To furnish the students with the concepts of network security

Learning Objectives:
After going through this chapter, students should understand:

Network-based security
Security components used in the media
Device-based security

Learning Outcome:
After studying this chapter, you should be able to:

Explain the vulnerabilities in device security
Discuss media security
Manage network security
Illustrate the utilities used in the network


4.1.1. Understanding Infrastructure of Network Security

Network security is the protection of a network against unauthorised access and other risks. It is a multidisciplinary subject requiring a number of different skills. Most companies invest heavily in computing infrastructure: networking equipment, workstations, server hardware, software and their maintenance. To maintain network security, security professionals must keep up with the latest updates and understand how the infrastructure is used in their particular environment.
Communication networks (wide area or local area networks) generally include the devices connected to the network as well as the programs and files supporting network operations. Control is accomplished through a network control terminal and specialised communications software.
The following are controls over the communication network:

Network control functions should be performed by technical operators.

Network control software should maintain an audit trail of all operator activities.

Audit trails should be periodically reviewed.

Network standards and protocols should be documented and made available to the operators.

Network access by system engineers should be closely monitored and reviewed to detect unauthorised access to the network.

Analysis should be performed to verify system efficiency.

Data encryption should be used to protect messages during transmission.

4.1.2. Device-Based Security

The computer network infrastructure consists of different types of components, and every device connected to the network raises security concerns. This includes firewalls, routers, switches, modems, servers, workstations and much more. Each of these components must be adequately secured.


4.1.2.(i). Configuring Firewall

A firewall captures and analyses the data entering (and leaving) the network and rejects undesirable traffic according to the rules and policies configured on it.

Types of firewalls

Packet filters: Operate at the network layer, deciding on each packet by itself from its IP (and port) header fields.

Stateful firewalls: Operate at the transport layer, tracking the state of TCP connections so that return traffic is admitted only for connections that were legitimately opened.

Proxy server (application gateway) firewalls: Operate at the application layer, terminating the client's connection and opening a new one to the server on its behalf.

Many companies provide software firewalls used to secure a single computer or a small network, e.g. ZoneAlarm, a software firewall used to protect home, office or small networks.

4.1.2.(ii). Understanding Vulnerabilities in Routers, Switches and Modems

In this section, we discuss some general risks associated with network devices and remote access.

Switches: A switch forwards each frame only to the port of its destination, which makes it harder for an attacker to capture other hosts' traffic from the network; on the other hand, some attacks are easier to launch against a switch, which trusts the hardware addresses it learns from the frames it forwards.

Virtual Private Networks (VPNs): A VPN is a method used to increase connection security. Care should be taken in how it is configured and connected, because a remote endpoint joined to the VPN becomes part of the trusted network, and a compromised or misconfigured endpoint lowers the security of the whole system.

Modems: Unauthorised hardware peripherals such as modems present another threat to the network infrastructure, because they provide a path into the network that bypasses the firewall.

4.1.2.(iii). Network Monitor

A network monitor is a tool used to display and analyse the contents of the packets transmitted across the network. It may be used by an administrator to investigate traffic, or it may be misused by attackers to read traffic that is not theirs.


e.g.: Microsoft Network Monitor shows what type of traffic is travelling on a network segment.
For example, an administrator can install the network monitor on a client and capture the Dynamic Host Configuration Protocol (DHCP) exchange by which that client obtains its address. DHCP assigns IP addresses to hosts joining the network.
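As an added example (not part of the course text), the following Python script does in miniature what a network monitor does: it decodes the Ethernet, IPv4 and UDP headers of a frame and recognises a DHCP Discover message, the first packet of the exchange mentioned above. The frame bytes, the client MAC address and the transaction id are constructed inline so the script runs offline; a real monitor would read frames from the network interface instead.

```python
"""Minimal packet decoder in the style of a network monitor.

Added example, not from the course text. The sample frame (addresses,
transaction id) is constructed here so the script runs without a capture.
"""
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
DHCP_PORTS = {67, 68}
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_sample_frame() -> bytes:
    """Construct a raw Ethernet/IPv4/UDP frame carrying a DHCP Discover.

    A client with no address yet broadcasts from 0.0.0.0:68 to
    255.255.255.255:67, which is what a monitor on the client captures
    when the client joins the network.
    """
    client_mac = bytes.fromhex("001122334455")          # made-up sample MAC
    # Fixed 236-byte DHCP header: op, htype, hlen, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
    dhcp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                       1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                       bytes(4), bytes(4), bytes(4), bytes(4),
                       client_mac.ljust(16, b"\0"), bytes(64), bytes(128))
    dhcp += DHCP_MAGIC + bytes([53, 1, 1, 255])          # option 53 = DISCOVER, then end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp   # checksum left at 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0,
                     64, PROTO_UDP, 0, bytes(4), b"\xff" * 4) + udp
    eth = b"\xff" * 6 + client_mac + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def dhcp_message_type(options: bytes) -> str:
    """Walk the DHCP option list (code, length, value) looking for option 53."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 255:                                   # end marker
            break
        if code == 0:                                     # pad byte
            i += 1
            continue
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            return DHCP_TYPES.get(value[0], f"type {value[0]}")
        i += 2 + length
    return "unknown"


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet -> IPv4 -> UDP and classify the payload.

    Malformed or truncated input raises ValueError rather than being
    misreported, which matters because a monitor also sees hostile frames.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":")}
    if ethertype != ETHERTYPE_IPV4:
        info["summary"] = f"non-IPv4 frame (ethertype 0x{ethertype:04x})"
        return info

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("bad IPv4 version or length fields")
    info.update(src_ip=str(ipaddress.IPv4Address(src)), dst_ip=str(ipaddress.IPv4Address(dst)),
                ttl=ttl, protocol=proto)
    if proto != PROTO_UDP:
        info["summary"] = f"IP protocol {proto}"
        return info

    udp = ip[ihl:total_len]
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:ulen]
    info.update(src_port=sport, dst_port=dport)
    if {sport, dport} & DHCP_PORTS and len(payload) >= 240 and payload[236:240] == DHCP_MAGIC:
        info["summary"] = "DHCP " + dhcp_message_type(payload[240:])
        info["dhcp_client_mac"] = payload[28:34].hex(":")   # chaddr starts at offset 28
    else:
        info["summary"] = f"UDP {sport} -> {dport}, {len(payload)} payload bytes"
    return info


if __name__ == "__main__":
    for key, value in decode_frame(build_sample_frame()).items():
        print(f"{key:16} {value}")
```

The length checks are not cosmetic: a monitor parses whatever arrives on the wire, and a decoder that indexes past the end of a short frame is itself a target for crafted packets.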

4.1.2.(iv). Diagnostics and Utilities used for Monitoring Networks

Many utilities allow system events and activities to be monitored. The monitoring utilities help us analyse the network in order to improve the performance or the security of the system; they provide raw data for analysis. For example:
Open a Windows command prompt. Use the ping command to test whether a remote computer is reachable: type ping followed by its IP address. The output shows whether the target replied and the round-trip time taken to reach it.

4.1.3. Media-Based Security

A network is a series of computers connected to each other and transmitting information across some type of media. Even when the network itself is secured, attackers may still be able to access the information as it flows through the wires or when it sits on removable media such as CDs or disks.

Media security
Media refers to anything on which data can be recorded, such as paper, CDs, DVDs, USB sticks, backup tapes and much more. The purpose of media security is to protect confidential information stored on the media. All media that contain confidential information should be labelled Confidential to protect them from unauthorised access, and they should be physically controlled and securely stored.
When the information is no longer needed, or when the project is completed, the data should be destroyed.
Important points:

Media must be removed or wiped in a safe way once the data is no longer used.

System documentation is kept secure and updated regularly.


Media in transit should be packed securely and carried by a recognised courier firm.

Media security includes:

(a) Cryptography
Cryptography is at the heart of security. If we need to create privacy, we encrypt our messages at the sender's site and decrypt them at the receiver's site. Cryptography is the science of using mathematics to encrypt and decrypt data. It enables us to store sensitive information or transmit it across insecure networks so that it cannot be read by anyone except the intended recipient.

How cryptography works:

A cryptographic algorithm is used for the encryption and decryption processes. It works in combination with a key. The key may be a word, number or phrase used to encrypt the plain text message. The security of the encrypted data depends on two things: the strength of the cryptographic algorithm and the secrecy of the key.
There are different types of attacks that create the need for network security, security services and security mechanisms. Security services and mechanisms can be viewed with the following general model.

Security attacks: Attacks on the security of a computer system or a network are best characterised by viewing the function of that system as providing information.

Interruption: An asset of the system is destroyed or becomes unavailable. This is an attack on availability.

Interception: An unauthorised party gains access to an asset. This is an attack on confidentiality. The unauthorised party could be a person, a program or a computer.

Modification: An unauthorised party not only gains access to but tampers with an asset. This is an attack on integrity.

Fabrication: An unauthorised party inserts counterfeit objects into the system. This is an attack on authenticity.


Encryption and decryption: Encryption is the process of disguising a message in such a way as to hide its substance. The encrypted message is called ciphertext. The process of turning ciphertext back into plain text is called decryption, as shown below.

Fig. 4.1.1: Encryption and decryption model

While the data is being transferred, the message is encrypted using the encryption algorithm; its output is the ciphertext. The ciphertext is decrypted again using the decryption algorithm and then delivered to the receiver. Both the encryption and the decryption operations use keys.
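To make Fig. 4.1.1 concrete, here is an added Python example (not from the course text) of the sender/receiver model with a keyed stream cipher built from HMAC-SHA256 in counter mode, a construction chosen because it needs only the standard library; it is an illustration, not a standard protocol. It also shows the point about the key made above: with the algorithm public, an attacker who knows a few bytes of plaintext recovers a 16-bit key by trying every value, while a 256-bit key is out of reach. The keys, nonce and message are constructed for the demonstration.

```python
"""Encrypt-at-sender / decrypt-at-receiver with a keyed stream cipher.

Added example, not from the course text. The cipher is HMAC-SHA256 run in
counter mode as a keystream generator (XORed with the data); it provides
confidentiality only and is for illustration, not for production use.
"""
import hashlib
import hmac
import os

STRONG_KEY_BYTES = 32    # 256-bit key: brute force is infeasible
WEAK_KEY_BITS = 16       # toy key size to show what a small key space costs


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudo-random bytes from key and nonce (PRF in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Sender side: plaintext XOR keystream -> ciphertext."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Receiver side: the same operation undoes the XOR, given the same key and nonce."""
    return encrypt(key, nonce, ciphertext)


def brute_force_key(nonce: bytes, ciphertext: bytes, key_bits: int, known_prefix: bytes):
    """Attacker: knows the algorithm (Kerckhoffs's principle) and a few bytes of
    plaintext, so tries every key until a candidate decrypts the known prefix."""
    key_len = (key_bits + 7) // 8
    for candidate in range(1 << key_bits):
        key = candidate.to_bytes(key_len, "big")
        if decrypt(key, nonce, ciphertext[:len(known_prefix)]) == known_prefix:
            return key
    return None


def demo() -> dict:
    message = b"Transfer 100 to account 42"        # constructed sample message
    nonce = os.urandom(8)                           # must be unique per message for a given key

    strong_key = os.urandom(STRONG_KEY_BYTES)
    strong_ct = encrypt(strong_key, nonce, message)

    weak_key = (0xBEEF).to_bytes(2, "big")          # a 16-bit key (constructed)
    weak_ct = encrypt(weak_key, nonce, message)

    return {
        "roundtrip_ok": decrypt(strong_key, nonce, strong_ct) == message,
        "wrong_key_garbage": decrypt(os.urandom(STRONG_KEY_BYTES), nonce, strong_ct) != message,
        "weak_key_recovered": brute_force_key(nonce, weak_ct, WEAK_KEY_BITS, b"Transfer") == weak_key,
        "work_factor_ratio": 2 ** (8 * STRONG_KEY_BYTES - WEAK_KEY_BITS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

Note what this cipher does not give you: an attacker who flips bits in the ciphertext flips the same bits in the recovered plaintext without being noticed (the modification attack listed above). Integrity needs a separate mechanism, such as the digital signatures discussed later in this section.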

(b) E-mail security

E-mail is a service that allows you to send messages electronically via the internet. The transmitted message must make sense only to the intended receiver. E-mail is attacked in many ways, such as spam, viruses and phishing. To secure the information, the data must be encrypted.
E-mail security encompasses multiple techniques used to secure an e-mail service. It includes:

Strong passwords
Password rotation
Spam filters
Desktop-based filters or antivirus

E-mail spam consists of junk mails sent by companies or organisations to advertise their products and services. These may cause the following problems:


It floods e-mail accounts with unwanted junk mail.
Time and energy are wasted in deleting junk mail.
It occupies storage space and slows down the computer.
Some unwanted e-mails carry viruses that harm the computer system.

Digital signatures: Digital signatures are also used to protect information. In general, a digital signature combines authentication of the sender with message integrity checking. It uses public-key cryptography: the sender signs the document using a private key, and the receiver verifies the signature using the corresponding public key.
One way to implement a digital signature is to use RSA (Rivest-Shamir-Adleman) technology. In its simplest form the message is transformed with the sender's private key and sent along with the plain message. Reversing the transformation with the public key and comparing the result with the plain text message provides a check on both the contents and the sender.
This is costly in computing resources and bandwidth, so an additional step is used. A one-way mathematical transformation is applied to the message. This transformation is called a hash function, and its output is a message digest. The digest, rather than the whole message, is signed with the private key, and that signed digest acts as the digital signature.
(c) Digital rights management or DRM
DRM is a systematic approach to copyright protection for digital media. The main
principle of DRM is to prevent unauthorised redistribution of digital media and restrict
the ways in which consumers can copy content they have purchased.
DRM products were developed in response to the rapid increase in online piracy of
commercially-marketed materials. DRM is implemented by embedding code that
prevents copying and specifies a time period in which the content can be accessed or
limits the number of devices the media can be installed on.

4.1.4. Network-Based Security

A network is composed of hosts and routers. A host can be a workstation, a server or a wireless device. A router is connected to the network to forward information between networks in the form of packets.


Network-based security offers multiple services to protect information from internal and external threats. It works alongside both the endpoint computers and the company's internal firewalls.

Managing network security

4.1.4.(i). Intranet
An intranet is a private network within an organisation. Its main purpose is to share information within the organisation. Encryption and decryption methods are used along with other security measures.

4.1.4.(ii). Extranet
An extranet is a part of the intranet that is made accessible to authorised users outside the organisation, such as customers or suppliers. Its purpose is to make company information securely available to those parties.
An extranet requires security measures such as:

A firewall
Methods for user authentication
Encryption of information in transit
VPNs that tunnel across the internet

Network-based security includes:

(a) IP security:
IP security (IPsec) is a collection of protocols used to provide security for packets at the IP level. IPsec does not mandate any specific encryption or authentication method; the algorithms are agreed between the endpoints.
IPsec requires a logical relationship between the two hosts called a security association (SA). An SA records the algorithms, keys and parameters to be used for traffic in one direction between the source and the destination, so a two-way exchange needs a pair of SAs.

IPsec operates in two different modes: transport mode and tunnel mode. The mode defines where the IPsec header is added to the IP packet.


Transport mode: The IPsec header is added between the IP header and the rest of the packet, as shown in the figure. The original IP header stays in the clear, so only the payload is protected.

Fig. 4.1.2: IPsec modes

Tunnel mode: In this mode, the IPsec header is placed in front of the original IP header, and a new IP header is added in front of that. The IPsec header, the preserved original IP header and the rest of the packet are all treated as payload, so the original addresses are hidden from observers on the path.

(b) SSL (Secure Sockets Layer)

The major role of SSL is to provide security for web traffic. Security here includes confidentiality, integrity and authentication. SSL protects sensitive information through the use of cryptography: the data is encrypted as it crosses the network.
The main objectives of SSL:

Authenticating the server and client to each other: The SSL protocol supports the use of cryptographic techniques to authenticate the parties to each other; in practice the server is almost always authenticated by a certificate, while client authentication is optional.

Securing data privacy: The data must be protected from interception and be readable only by the intended recipients.


SSL is not a single protocol but a set of protocols that can be divided into two layers:

Protocols to ensure data security and integrity.

Protocols designed to establish an SSL connection.

SSL handshake protocol | SSL change cipher spec protocol | SSL alert protocol | Application protocol (e.g.: HTTP)
SSL record protocol
TCP
IP
Fig. 4.1.3: SSL protocol stack

SSL uses these protocols to address its tasks. The SSL record protocol is responsible for data encryption and integrity and is also used to encapsulate the data sent by the other SSL protocols. The other protocols cover session management.
HTTPS is secure HTTP communication based on the SSL protocol. HTTPS, which stands for Hypertext Transfer Protocol Secure, is used to protect transmitted data from eavesdropping. HTTPS is ordinary HTTP carried over a connection encrypted by SSL or its successor, Transport Layer Security (TLS). The main benefit of HTTPS is to authenticate the website and to secure the privacy and integrity of the exchanged data.
e.g.: Gmail login is done over an HTTPS channel.

(c) Virtual private networks (VPN)

VPN (virtual private network): A VPN uses the internet to carry an organisation's information while keeping the data secure. Tunnelling protocols such as IPsec, described above, wrap the private traffic so that it can cross the public network without being read or altered.
VPN is a technology that is gaining popularity among larger organisations that use the global internet for both intra- and inter-organisation communication but require privacy in their internal communication.


A VPN creates a network that is private but virtual. It is private because it guarantees privacy inside the organisation. It is virtual because it does not use real private WANs.
Following are some of the terms used with VPNs:

Private network: A network designed for use inside an organisation, which allows access to shared resources.

Intranet: A private network (LAN) that uses the internet model. Access to the network is limited to users inside the organisation.

Extranet: The same as an intranet with one major difference: some resources can be accessed by particular users outside the organisation, under the control of the network administrator.

Fig. 4.1.4: Virtual private network


Summary

Device-based security includes firewalls, routers, switches, modems, servers, workstations and much more.

A firewall is a device used to protect information. It acts as a shield between the internal network and threats.

Virtual Private Networks (VPNs): A VPN is a method used to increase connection security.

Modems: Unauthorised hardware peripherals such as modems present another threat to the network infrastructure.

A network monitor is a tool used to display and analyse the contents of the packets transmitted across the network. It may be used by an administrator to investigate the packets, or it may be misused by hackers.

The monitoring utilities help us analyse the network to improve the performance or security of a system.

The purpose of media security is to protect confidential information stored on media.

Network-based security offers multiple services to protect information from internal and external threats.

An intranet is a private network in an organisation. The main purpose of an intranet is to share information within the organisation.

An extranet is a part of the intranet which is made accessible to authorised parties outside the organisation, such as customers.


Self-assessment Questions:
1) ___________ is used to increase connection security over a shared network.
(a) LAN
(b) VAN
(c) VPN
(d) NPN
2) VPN stands for _________
(a) Visual private network
(b) Virtual private network
(c) Virtual process network
(d) Visual process network
3) A network monitor on a client can capture the __________ exchange by which the client obtains its IP address.
(a) TCP
(b) DHCP
(c) VPN
(d) Filter packets
4) The ___________ command is used to test whether a remote computer is reachable.
(a) Ping
(b) Telnet
(c) Secret
(d) Test
5) Once the data stored on media is no longer used, it must be __________
(a) Stored safely
(b) Destroyed
(c) Not destroyed
(d) Demonstrated
6) __________ is used to share information within an organisation.
(a) Internet
(b) Extranet
(c) Intranet
(d) Internal network
7) ___________ is the part of an intranet that is accessible from outside the organisation.
(a) Internet
(b) External network
(c) Intranet
(d) Extranet
8) Which protocol assigns IP addresses to clients joining the network?
(a) VPN
(b) DHCP
(c) TCP/IP
(d) Ping
9) Cryptography works based on ___________
(a) Cryptographic techniques
(b) Encryption technique
(c) Decryption techniques
(d) Encryption and decryption techniques
10) The encrypted message is known as
(a) Encrypted message
(b) Decrypted message
(c) Cipher text
(d) Normal text


11) The process of turning cipher text into plain text is known as
(a) Encryption method
(b) Decryption method
(c) Cipher conversion
(d) Text conversion
12) In transport mode, the .............. is added between the IP header and the rest of the packet.
(a) IP header
(b) IPsec header
(c) IP packet
(d) IPsec packet
13) In tunnel mode, the IPsec header is placed
(a) In front of the original IP header
(b) After the IP header
(c) Between the IP header and the packet
(d) At the end of the packet
14) The .............. protocol is responsible for data encryption in SSL.
(a) SSL record
(b) SSL alert
(c) SSL handshake
(d) SSL cipher
15) The major role of SSL is to provide security for
(a) Web traffic
(b) Stream cipher
(c) Bit cipher
(d) Data cipher


Bibliography
References
1.1. http://catalogue.pearsoned.co.uk/samplechapter/0789732912.pdf
1.2. http://www.sans.org/reading-room/whitepapers/basics/infrastructure-security-step-step430

External Resources

Bosworth, S., Kabay, M. E., & Whyne, E. (2014). Computer Security Handbook (6th ed., Vol. 1). New Jersey: John Wiley & Sons.
Peltier, T. R. (2005). Information Security Risk Analysis (2nd ed.). Boca Raton, London, New York: Auerbach Publications.
Whitman, M. E., & Mattord, H. J. (2011). Principles of Information Security. USA: Course Technology.

Video Links
Topic: Link
Introduction to Information Security: www.youtube.com/watch?v=UPmVTPyE5DM&feature=youtu.be
Device-Based Security: www.youtube.com/watch?v=gVK6S53AcA&feature=youtu.be


Table of Contents
Chapter 4.2 Introduction to Device Security and Documenting Network Security Processes
Page No.
Aim 110
Learning Objectives 110
Learning Outcome 110
4.2.1 Monitoring and Diagnosing 111
4.2.1.(i) Monitoring Network Firewall 111
4.2.1.(ii) Intrusion Detection System (IDS) 113
4.2.1.(iii) Intrusion Prevention System (IPS) 115
4.2.2 Hardening 116
4.2.2.(i) OS Hardening 116
4.2.2.(ii) Network Hardening 117
4.2.2.(iii) Application Hardening 117
4.2.3 Physical and Network Security 118
4.2.3.(i) Physical Security 118
4.2.3.(ii) Network Security 119
4.2.4 Policies, Standards and Guidelines 120
4.2.4.(i) Policy 120
4.2.4.(ii) Standards 121
4.2.4.(iii) Guidelines 121
4.2.4.(iv) Procedures 122
Summary 123
SAQs 124
Bibliography 126
References 126
External Resources 126
Video Links 126

Legends:
Aim
Learning Objectives
Learning Outcome
Merits
Summary
Self-assessment Questions
References
External Resources
Video Links

Network Infrastructure
Security and Connectivity

Introduction to Device Security and Documenting Network Security Processes

Aim:
To furnish the students with the concepts of device security and the network security process

Learning Objectives:
After going through this chapter, students should understand:

The purpose of security monitoring
Firewalls and the classification of firewalls
Intrusion detection and prevention systems
Types of threats and their remedies
The relationship between policies, standards and guidelines

Learning Outcome:
After studying this chapter, you should be able to:

Describe the use of firewalls and the types of firewalls
Discuss the intrusion detection methods and their advantages
Illustrate physical and network security
Narrate different hardening techniques


4.2.1. Monitoring and Diagnosing

A network monitoring and diagnosis system periodically records the values of network performance metrics in order to measure network performance, identify performance anomalies and determine the root causes of problems, so that the customers' service is not affected. These monitoring and diagnostic capabilities are critical to today's computer networks, since their effectiveness determines the quality of network service.
Every organisation should have a security team to look after these activities. Security professionals must review security logs and alerts in real time to identify malicious activity in the system. This improves the effectiveness of the security infrastructure.
Benefits of security monitoring:

Protects against internal and external threats.
Protects the personal data of clients.
Intrusion attempts from the internet are noticed early, before they can affect the organisation's computers.

4.2.1.(i). Monitoring Network Firewall

A firewall is a network security system, implemented in hardware, software or both, that controls incoming and outgoing network traffic based on an applied rule set. It is placed between the trusted and untrusted networks and establishes a barrier between them. The firewall blocks unauthorised access to the network.

Fig. 4.2.1: Firewall

A firewall is placed between the internal network, which is considered trusted, and the internet, which is considered untrusted. The firewall decides what to let into and out of the network.


Classifications of firewall
Packet filters: These are firewalls that operate at the network layer. They can only filter packets based on the information available at the network layer (and the transport-layer port numbers). This information includes the IP addresses of source and destination.

They may have different filtering rules for incoming and outgoing packets.

Packet filters are efficient, since each packet is processed only up to the network layer and only the header information is examined.

Application
Transport
Network  <-- packet filter examines packets here
Link
Physical
Fig. 4.2.2: Packet filters

Stateful packet filter: As the name suggests, it tracks the state of connections. A stateful packet filter operates at the transport layer, since that is where the connection information lives.

It keeps track of TCP (Transmission Control Protocol) connections, e.g. whether a packet belongs to a connection that was opened from inside.

The main benefit is that, in addition to the features of the packet filter, it also considers the ongoing connection a packet belongs to, so return traffic can be admitted without a blanket rule.

It is slower than a plain packet filter.


Application
Transport  <-- stateful packet filter examines packets here
Network
Link
Physical

Fig. 4.2.3: Stateful packet filters

Application proxy firewalls: These are firewalls that protect network resources by filtering messages at the application layer, acting as a proxy. They are also called gateway firewalls.

An application proxy has a complete view of the connection and is able to filter bad or unwanted data at the application layer.

The incoming packet is destroyed and a new packet is created when the data passes through the firewall.

Application  <-- application proxy examines messages here
Transport
Network
Link
Physical
Fig. 4.2.4: Application proxy filters
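The firewall types listed in 4.1.2.(i) and the classification above both come down to one distinction: a packet filter judges each packet by its own headers, while a stateful filter also remembers the connections it has seen. The following Python simulation, an added example rather than code from the course, shows why that matters. The addresses (10.0.0.0/24 as the trusted side, RFC 5737 documentation ranges outside), the port numbers and the rule sets are constructed for the illustration.

```python
"""Stateless packet filter versus stateful packet filter (added example,
not from the course text). Addresses, ports and rules are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN set (a new connection attempt when ack is False)
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str                  # "in" (towards the trusted network) or "out"
    dst_port: Optional[int] = None  # None matches any port
    src_port: Optional[int] = None

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (self.direction == direction
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.src_port is None or self.src_port == pkt.src_port))


TRUSTED_PREFIX = "10.0.0."   # assumed internal network for the example


def direction_of(pkt: Packet) -> str:
    return "out" if pkt.src_ip.startswith(TRUSTED_PREFIX) else "in"


class StatelessFilter:
    """Network-layer packet filter: every packet is judged on its own headers."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        direction = direction_of(pkt)
        for rule in self.rules:            # first match wins, default deny
            if rule.matches(pkt, direction):
                return rule.action
        return "deny"


class StatefulFilter:
    """Transport-layer filter: remembers connections opened from inside and
    admits inbound packets that belong to them, so no blanket 'reply' rule
    is needed."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.connections = set()   # (src_ip, src_port, dst_ip, dst_port) seen leaving

    def decide(self, pkt: Packet) -> str:
        direction = direction_of(pkt)
        if direction == "in":
            reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if reverse in self.connections and not (pkt.syn and not pkt.ack):
                return "allow"             # reply to an established connection
        for rule in self.rules:
            if rule.matches(pkt, direction):
                if rule.action == "allow" and direction == "out":
                    self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return rule.action
        return "deny"


# Constructed traffic using documentation address ranges (RFC 5737).
OUTBOUND_HTTPS = Packet("10.0.0.5", 51000, "198.51.100.20", 443, syn=True)
HTTPS_REPLY = Packet("198.51.100.20", 443, "10.0.0.5", 51000, syn=True, ack=True)
SPOOFED_PROBE = Packet("203.0.113.9", 443, "10.0.0.5", 3389, syn=True)   # source port forged to 443


def run_comparison() -> dict:
    """Return {name: (stateless decision, stateful decision)} for the three packets."""
    stateless = StatelessFilter([
        Rule("allow", "out", dst_port=443),
        Rule("allow", "in", src_port=443),   # needed so replies get back in
    ])
    stateful = StatefulFilter([Rule("allow", "out", dst_port=443)])
    results = {}
    for name, pkt in (("outbound", OUTBOUND_HTTPS), ("reply", HTTPS_REPLY), ("probe", SPOOFED_PROBE)):
        results[name] = (stateless.decide(pkt), stateful.decide(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless_d, stateful_d) in run_comparison().items():
        print(f"{name:9} stateless={stateless_d:5} stateful={stateful_d}")
```

The stateless filter has to open inbound source port 443 to let HTTPS replies through, and that same rule admits the forged probe to port 3389 on the internal host. The stateful filter admits the reply because it saw the connection leave and drops the probe because it did not, at the price of the connection table and the extra work the text mentions.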

4.2.1.(ii). Intrusion Detection System (IDS)

Intrusion detection is a type of security management system for computers and networks. It monitors network or system activity for malicious activity or policy violations, gathers and analyses the information and reports it to the network administrator. This covers attacks from both outside and inside the organisation.


Intrusion detection functions include:

Monitoring and analysing user and system activities
Analysing system configurations
Assessing system and file integrity
Ability to recognise patterns of typical attacks
Analysis of abnormal activities
Tracking of user policy violations

Types of IDS

Host-based IDS: Detection takes place on the host itself. These are designed to detect attacks such as buffer overflows and have little view of network activity.

Network-based IDS: Detection takes place on the network traffic. They are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. These are designed to detect attacks such as network probes and malformed packets, and may overlap somewhat with firewalls.

Signature-based IDS: Here the system input or network traffic is examined for specific patterns known to indicate an attack. A signature-based IDS compares data on the network against a database of signatures or attributes of known malicious threats. This works similarly to antivirus software, which detects viruses and malware by signature. Many techniques are used to make signature-based detection easier; most signature-based IDSs rely on a simple pattern-matching technique, in which the IDS looks for a substring within the stream, or is programmed to recognise a certain series of packets.

Advantages of signature-based IDS:

Simple and efficient
The warning issued is specific
The user can quickly determine whether the attack is real or a false alarm

Anomaly-based IDS: An anomaly-based IDS uses various techniques to detect anomalous behaviour within the system. First the normal behaviour of the system is determined. The IDS then monitors network traffic and compares it


against an established baseline. The baseline would determine what is normal for that
network; e.g.: Bandwidth generally used, protocols used, ports and devices generally
connected to each other, etc., It alerts the administrator or user when traffic is detected
which is anomalous or significantly different from the baseline.
Anomaly detection is split in to two categories: Static and Dynamic.

Static: It focuses on the software changes and ignores the hardware changes. This is
used to monitor data integrity.

Dynamic: Depends on the profile, which is established by IDS or network


administrator. It may include information about bandwidth, ports, and timeframes.
Anomaly-based IDS can be explained as follows:
Let us consider the commands open, read, write and close, using which we can measure a
normal behaviour of the system. In this, the following four pairs are normal (open, read),
(read, close),(close, open),(open, open) and the other two pairs (read, open),(close, read)
are abnormal. If the ratio of the abnormal to normal pairs is high, the warning alarm is
formed.

Advantages of anomaly-based IDS:

- New threats can be detected without the signature database being up to date.
- Very little maintenance of signatures.
- The longer the system is in use, the more accurate it can become at identifying threats, as the baseline improves.

The corresponding cost is false positives: anything unusual but legitimate also raises an alert, and any attacker activity present while the baseline is being learned is recorded as normal.
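The command-pair illustration above, carried through as an added example that is not code from the original chapter. It generalises the text slightly: the set of normal pairs is learned from training traces rather than listed by hand (the hand-listed set from the text is kept as PAGE_PROFILE), and a trace is scored by the ratio of abnormal to normal pairs. All traces and the alarm threshold are constructed for illustration.

```python
"""Anomaly detection from a profile of normal command pairs.

Added example; this is not code from the original chapter. It generalises the
open/read/write/close illustration above: the set of normal pairs is learned
from training traces instead of being listed by hand, and a new trace is
scored by the ratio of abnormal to normal pairs. All traces and the alarm
threshold below are constructed for illustration.
"""
from typing import Iterable, List, Set, Tuple

Pair = Tuple[str, str]

# The pairs the text lists as normal, i.e. the hand-written form of the profile.
PAGE_PROFILE: Set[Pair] = {("open", "read"), ("read", "close"),
                           ("close", "open"), ("open", "open")}


def learn_profile(traces: Iterable[List[str]]) -> Set[Pair]:
    """Baseline: every (command, next command) pair observed during normal use."""
    normal: Set[Pair] = set()
    for trace in traces:
        normal.update(zip(trace, trace[1:]))
    return normal


def score(trace: List[str], profile: Set[Pair]) -> Tuple[int, int, float]:
    """Return (normal pairs, abnormal pairs, abnormal/normal ratio) for a trace."""
    pairs = list(zip(trace, trace[1:]))
    abnormal = sum(1 for p in pairs if p not in profile)
    normal = len(pairs) - abnormal
    if normal == 0:
        ratio = float("inf") if abnormal else 0.0
    else:
        ratio = abnormal / normal
    return normal, abnormal, ratio


def is_anomalous(trace: List[str], profile: Set[Pair], threshold: float = 0.25) -> bool:
    """Raise the alarm when the abnormal/normal ratio exceeds the threshold."""
    return score(trace, profile)[2] > threshold


# Constructed traces of a well-behaved process, used to learn the baseline.
TRAINING = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "open", "read", "close", "open", "read", "close"],
]
# Constructed test traces.
BENIGN = ["open", "read", "write", "close", "open", "read", "close"]
ATTACK = ["open", "read", "open", "close", "read", "close"]
# Legitimate but never seen in training: a new command raises a false alarm,
# which is the price of being able to detect unknown threats.
NEW_LEGIT = ["open", "stat", "read", "close"]

if __name__ == "__main__":
    profile = learn_profile(TRAINING)
    for label, trace in [("benign", BENIGN), ("attack", ATTACK), ("new", NEW_LEGIT)]:
        print(label, score(trace, profile), "ALARM" if is_anomalous(trace, profile) else "ok")
```

The threshold is the tuning knob that trades missed attacks against false alarms; the NEW_LEGIT trace shows why anomaly systems need a retraining path when legitimate behaviour changes.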

4.2.1.(iii). Intrusion Prevention System (IPS)

An intrusion prevention system is a threat prevention technology that examines network traffic flows to detect and stop threats. It acts as a complementary layer of analysis that screens out untrusted content, and it enforces policies and rules for network traffic, typically using the same detection methods (signatures and anomaly detection) as an intrusion detection system.
An IPS is placed directly in the communication path between source and destination (inline), so that it can analyse and take automated action on every traffic flow that enters the network. This is the essential difference from an IDS, which works on a copy of the traffic and can only raise an alert.

When a threat is detected, an IPS can take the following actions:

- A warning alarm is sent to the administrator
- The malicious packets are dropped
- Further traffic from the offending source address is blocked
- The connection is reset

Because an IPS is an inline component, it must work efficiently and fast: every packet waits for its verdict. It must also detect and respond accurately to eliminate threats without harming legitimate traffic. A false positive in an IDS costs an analyst some time, whereas a false positive in an IPS blocks legitimate traffic, so IPS rules are usually tuned more conservatively, and how the device behaves when it fails (fail open or fail closed) must be chosen deliberately.
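An added example, not code from the original chapter, of the inline decision loop described above: each rule carries one of the listed actions, and the device applies it per packet. The rules, packets, addresses and ports are constructed for illustration. The last packet shows the cost of a false positive when the device is inline rather than passive.

```python
"""Inline IPS decision loop over constructed traffic.

Added example; this is not code from the original chapter. It shows how an
inline device applies the four actions listed above (alarm, drop, block the
source, reset) per packet, and what a false positive costs when the device is
inline rather than passive. The rules, packets, addresses, ports and the
action assigned to each rule are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int
    name: str
    dport: Optional[int]
    content: bytes
    action: str  # "alert" (let through, IDS-style), "drop", "block" or "reset"


RULES = [
    Rule(2000001, "HTTP directory traversal", 80, b"../..", "drop"),
    Rule(2000002, "Telnet root login attempt", 23, b"login: root", "block"),
    Rule(2000003, "Oversized SMTP command", 25, b"A" * 64, "reset"),
    # A badly written rule: 'select' also appears in ordinary web requests.
    Rule(2000004, "Possible SQL keyword", 80, b"select", "drop"),
]


@dataclass
class Ips:
    rules: List[Rule]
    blocked: Set[str] = field(default_factory=set)                    # sources cut off entirely
    alerts: List[Tuple[str, int, str]] = field(default_factory=list)  # alarms raised

    def match(self, pkt: Packet) -> Optional[Rule]:
        for rule in self.rules:
            if (rule.dport is None or rule.dport == pkt.dport) and rule.content in pkt.payload:
                return rule
        return None

    def handle(self, pkt: Packet) -> str:
        """Verdict for one packet: 'forward', 'drop' or 'reset'."""
        if pkt.src in self.blocked:
            return "drop"                   # blocked source: dropped before inspection
        rule = self.match(pkt)
        if rule is None:
            return "forward"
        self.alerts.append((pkt.src, rule.sid, rule.name))   # warning alarm to the administrator
        if rule.action == "alert":
            return "forward"                # detect only, as an IDS would
        if rule.action == "block":
            self.blocked.add(pkt.src)       # all further traffic from this source is dropped
            return "drop"
        return rule.action                  # "drop" the packet, or "reset" the connection


def run(packets: List[Packet], rules: List[Rule] = RULES) -> Tuple[List[str], Ips]:
    ips = Ips(rules)
    return [ips.handle(p) for p in packets], ips


SAMPLE = [
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.7", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("198.51.100.7", 80, b"GET /index.html HTTP/1.1\r\n"),   # 'drop' is per packet, not per source
    Packet("203.0.113.9", 23, b"login: root\r\n"),
    Packet("203.0.113.9", 80, b"GET / HTTP/1.1\r\n"),               # source now blocked: dropped unseen
    Packet("192.0.2.4", 25, b"HELO " + b"A" * 200 + b"\r\n"),
    # Legitimate request that trips the weak rule: inline, a false positive
    # silently breaks a user's session instead of just costing analyst time.
    Packet("10.0.0.6", 80, b"GET /help?q=how+to+select+a+plan HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    verdicts, ips = run(SAMPLE)
    for pkt, verdict in zip(SAMPLE, verdicts):
        print(f"{pkt.src:>14} :{pkt.dport:<4} {verdict}")
```

Setting a rule's action to "alert" turns that rule into IDS behaviour; a common practice is to deploy new rules in alert mode first and promote them to drop only after their false-positive rate is known.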

4.2.2. Hardening
Hardening is the process of configuring and updating a system to protect it against attack. Its purpose is to eliminate as many security risks as possible, usually by reducing the system's attack surface: removing or disabling everything the system does not need, and patching and restricting what remains.

4.2.2.(i). OS Hardening
Hardening an operating system means configuring it so that the opportunities for internal and external attack are limited. The methods differ from one OS to another, but the concepts involved are the same for all operating systems.
Basic operating system hardening techniques are as follows:

Nonessential services: The operating system is configured to run only the services its assigned task requires. e.g.: Unless the host is meant to serve web pages, there is no need to have an HTTP service running on it; every running service is code reachable by an attacker.

Patches and fixes: The operating system must be kept updated with the latest patches and bug fixes.

Password management: Most operating systems provide options to enforce strong passwords (minimum length, complexity, lockout after repeated failures); these should be enabled.

Unnecessary accounts: Unused or unnecessary accounts (former users, default or vendor accounts) are disabled or removed from the operating system.

File and directory protection: Access to files and directories is strictly controlled using access control lists or file permissions.

File and file system encryption: Some file systems provide an option for encryption. Sensitive data is stored on a file system type with encryption features.

File sharing: Unnecessary file sharing is disabled.

4.2.2.(ii). Network Hardening

Network hardening is the process of securing the network itself, from the hardware design through to the software running on each network device.
Basic network hardening techniques are as follows:

Updating software and hardware: Network devices such as routers and switches run software (firmware) too, and must be updated with the latest versions, patches and fixes.

Password protection: Most network routers provide a remote management interface. It is very important that such devices are protected with a strong password, that default vendor passwords are changed, and that management is done over an encrypted protocol (SSH or HTTPS rather than Telnet or HTTP).

Unnecessary protocols: All unnecessary protocols and services are disabled and removed from hosts and devices on the network.

Ports: Unwanted ports are blocked by the firewall, and the associated services are disabled on the hosts within the network.

Restricted network access: Network access to sensitive data should be restricted. A firewall should be placed between the internal network and the internet, and sensitive systems should be separated from general user networks.
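Several of the OS and network hardening points above can be expressed as checks that run against a host. The following is an added example, not code from the original chapter: it audits a constructed snapshot of a host (passwd and shadow lines, listening sockets, sshd options) against a per-role list of expected ports. The snapshot, the role names and the allow-lists are all constructed for illustration; on a real host the same data would come from /etc/passwd, /etc/shadow, a socket listing such as `ss -lntu`, and /etc/ssh/sshd_config.

```python
"""Hardening baseline check over a constructed host snapshot.

Added example; this is not code from the original chapter. It turns several
of the OS and network hardening points above (nonessential services,
unnecessary accounts, weak password handling, plaintext remote management)
into checks that run over a snapshot of a host. The snapshot (passwd and
shadow lines, listening sockets, sshd options) and the per-role port
allow-list are constructed for illustration; on a real host the same data
would come from /etc/passwd, /etc/shadow, `ss -lntu` and /etc/ssh/sshd_config.
"""
from typing import Dict, List, Set, Tuple

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
oldadmin:x:1001:1001::/home/oldadmin:/bin/bash
webapp:x:1002:1002::/srv/webapp:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$saltsalt$hashhash:19000:0:99999:7:::
toor:$6$saltsalt$hashhash:19000:0:99999:7:::
backup::19000:0:99999:7:::
oldadmin:!:18000:0:99999:7:::
"""
# (protocol, bound address, port) as a socket listing would report them
LISTENING = [("tcp", "0.0.0.0", 22), ("tcp", "0.0.0.0", 23), ("tcp", "0.0.0.0", 80),
             ("udp", "0.0.0.0", 161), ("tcp", "127.0.0.1", 25)]
SSHD_CONFIG = """\
# sshd_config excerpt
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
"""
# Ports each host role is expected to expose; anything else is nonessential.
ROLE_PORTS: Dict[str, Set[Tuple[str, int]]] = {
    "bastion": {("tcp", 22)},
    "web": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
}
PLAINTEXT_MGMT = {("tcp", 23): "telnet", ("udp", 161): "snmp v1/v2c"}
NONINTERACTIVE = {"/usr/sbin/nologin", "/bin/false"}
REQUIRED_SSHD = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}


def check_accounts(passwd: str, shadow: str, allowed_interactive: Set[str]) -> List[str]:
    """Extra UID 0 accounts, empty passwords, and login shells nobody should have."""
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow.splitlines() if l}
    findings = []
    for line in passwd.splitlines():
        user, _, uid, _, _, _, shell = line.split(":")
        if uid == "0" and user != "root":
            findings.append(f"{user}: extra UID 0 account")
        if hashes.get(user) == "":
            findings.append(f"{user}: empty password")
        if shell not in NONINTERACTIVE and user not in allowed_interactive:
            findings.append(f"{user}: interactive shell {shell} not in allow-list")
    return findings


def check_listeners(listening, role: str) -> List[str]:
    """Network-reachable services that the host's role does not need."""
    findings = []
    for proto, addr, port in listening:
        if addr.startswith("127."):
            continue  # loopback-only services are not reachable from the network
        if (proto, port) in PLAINTEXT_MGMT:
            findings.append(f"{proto}/{port}: plaintext management protocol ({PLAINTEXT_MGMT[(proto, port)]})")
        elif (proto, port) not in ROLE_PORTS[role]:
            findings.append(f"{proto}/{port}: not required for role '{role}'")
    return findings


def check_sshd(config: str) -> List[str]:
    """Remote management options that should be hardened."""
    settings = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    return [f"sshd {k} should be {want}, is {settings.get(k, '(default)')}"
            for k, want in REQUIRED_SSHD.items() if settings.get(k) != want]


def audit(role: str = "bastion") -> List[str]:
    return (check_accounts(PASSWD, SHADOW, {"root"})
            + check_listeners(LISTENING, role)
            + check_sshd(SSHD_CONFIG))


if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

Note that the role matters: port 80 is a finding on a bastion host and expected on a web host, which is why hardening baselines are written per system role rather than as one list for every machine.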

4.2.2.(iii). Application Hardening

Application hardening is the process of securing applications against internet-based attacks. It is done by removing unwanted functions and components, restricting access to the application, and keeping the application up to date with patches and fixes.

Application patches are supplied by the vendor that sells the application. There are several varieties of patch, some of which are explained as follows:

Hot fixes: Hot fixes are small pieces of code used to fix a specific problem, usually released quickly and outside the regular update cycle.

Patches: Patches are a collection of fixes. They are released when a serious problem has to be addressed.

Upgrades: An upgrade is a new version of the application that rolls up earlier patches. Upgrading means moving up to a better, more functional and more secure application.

4.2.3. Physical and Network Security

4.2.3.(i). Physical Security
Physical security is the protection of computer systems, peripherals and other assets from physical threats such as theft, tampering and environmental damage. It is as important as data security: an attacker with physical access to a machine can usually bypass its logical controls. Physical security is designed and implemented in several layers (site perimeter, building, room, rack). Physical security management systems support this by collecting and correlating events from the existing security devices (access control, cameras, alarms) and helping operators resolve situations proactively. Many such systems are available.

Features of a physical security management system:

Collection: Device management software collects data from security devices or systems.

Analysis: The system analyses and correlates the data or events to identify situations.

Verification: It presents the relevant information quickly and in a simple format so that the operator can verify the situation.

Resolution: The system provides operating procedures or instructions to resolve the situation.

Reporting: The software tracks all the information for reporting and analysis.

Audit trail: It also monitors how each operator interacts with the system and keeps track of manual changes made to the system.

4.2.3.(ii). Network Security

Network security is the process of protecting network hardware and software from unauthorised access, malfunction and modification. It creates a secure platform for computers and for the users and programs on them, so that sensitive data is secured from threats.

Need for network security:

- Protect sensitive data while allowing specific, authorised access.
- Provide authentication and access control for resources.
- Protect against malicious modification of data.
- Protect against the exploitation of vulnerabilities.

Types of network threats:

Some of the network threats are explained as follows.

Data modification: An attacker who can intercept traffic can read or modify confidential data without the knowledge of the sender or receiver.

IP address spoofing: The attacker forges packets with a trusted source IP address. If a server or network device trusts that address, the attacker can then read or modify confidential data, or change the server and network configuration, under that borrowed identity.

Denial of service: A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.

Computer virus: A small piece of software that can spread from one infected computer to another by attaching itself to other programs or files. A virus can corrupt, delete or steal data from the computer.

Trojan horse: A Trojan horse does not replicate itself; it poses as a useful application and infects a system when the user downloads and runs it. Once installed it can, for example, record passwords by logging keystrokes.

Network security tools:

Data backup system: Data is secured by keeping backups. Backups are very useful in case of hardware or software damage, and they are the main recovery path after destructive attacks.

Operating system: An operating system must be kept updated with the current patches and updates, and its built-in security tools and features should be used.

Firewalls: A firewall is a network security system that controls incoming and outgoing network traffic based on an applied rule set.

Antivirus products: Antivirus software was originally developed to detect and remove computer viruses; today it also covers worms, Trojans and other malware.

IP security (IPsec): Using IPsec, data is authenticated and encrypted at the IP layer before it is sent to the receiver, securing the data in transit.

Modems: Where modems are used for remote access, secured modems that authenticate the caller are used in the network.

4.2.4. Policies, Standards and Guidelines

4.2.4.(i). Policy
An information security policy consists of high-level statements used to protect the information in a business or organisation. It is formulated by senior management.
A security policy contains a set of objectives for the company, including rules of behaviour for users and administrators. A security policy is a living document, which means that it is continuously updated as the technology and the requirements change.
The security policy acts as a bridge between management and the security requirements.

Need for a security policy:

A security policy should fulfil many purposes, such as:

- Protect the information
- Set the rules for expected behaviour by users
- Assign security personnel to monitor and investigate
- Identify and authorise the consequences of violation
- Help minimise risk

Security policy components:

A security policy includes three components as follows:

Governing policy: It controls all security-related interactions in the company and answers the high-level security policy questions.

Technical policy: It assigns the security responsibilities for the systems and is more detailed than the governing policy. It answers the what, when, why and where security policy questions.

End-user policy: It conveys all the important topics to the end user and answers the security policy questions at the level appropriate to them.

Fig. 4.2.5: Security policy (the governing policy at the top, with the technical policies and the end-user policies beneath it)

4.2.4.(ii). Standards
Standards consist of low-level mandatory controls that support the information security policy. A standard normally contains the security controls relating to a specific technology.
Standards improve the efficiency of the security systems and provide consistency across the network. e.g.: If you support 100 routers, the configuration should be the same for all routers; if it is not, maintaining their security becomes very difficult.

4.2.4.(iii). Guidelines
Guidelines consist of recommended, non-mandatory controls that support standards, and that act as standards where no standard exists. Guidelines are similar to standards but are more flexible and are not mandatory. Guidelines and standards can be explained using an example as follows:

"Passwords must have at least 8 characters" (Standard), whereas "passwords should expire after 30 days" (Guideline).
That is, the 8-character minimum is a mandatory condition, known as a standard, while the 30-day expiry is a recommendation, known as a guideline, which is not mandatory.

4.2.4.(iv). Procedures
Procedures are step-by-step instructions that assist workers or users in implementing the policies, standards and guidelines.

Relation between policy, standards, guidelines and procedures:

- The policy states that information must be protected while it is being transferred.
- A supporting data standard builds upon this: sensitive information is encrypted using a specific encryption method.
- A supporting guideline gives recommendations on how to record the sensitive data.
- A procedure provides step-by-step instructions for performing an encrypted data transfer.

Fig. 4.2.6: Relation between policy, standards and guidelines

Summary:

- A firewall is a network security system, either hardware or software, that controls the incoming and outgoing network traffic based on an applied rule set.
- The firewall decides what to let in and out of the network. Packet filters, stateful packet filters and application proxies are the three types of firewall.
- Intrusion detection is a type of security management for computers and networks. It gathers and analyses information from various parts of a computer or network to identify possible security breaches.
- There are different types of IDS: host-based and network-based by placement, and signature-based and anomaly-based by detection method.
- An intrusion prevention system is a threat prevention technology that examines network traffic flows to detect threats. It sits inline and acts as a complementary layer of analysis that screens out untrusted content.
- Hardening is a method of configuring and updating a system to protect it against attacks. It is a very important step in protecting personal data and information.
- Physical security is the protection of computer systems, peripherals and assets from physical threats. Physical security management systems collect and correlate events from existing security devices and help resolve situations proactively.
- Network security is the process of protecting hardware and software from unauthorised access, malfunction and modification. It creates a secure platform for computers.
- An information security policy consists of high-level statements used to protect the information in a business or organisation. It is formulated by senior management.
- Standards consist of mandatory security controls relating to a specific technology.
- Guidelines consist of recommended, non-mandatory controls that support standards and act as standards in the absence of a standard.

Self-Assessment Questions:
1) What is a firewall in a computer network?
(a) Physical boundary of the network
(b) An operating system of the computer network
(c) A system designed to prevent unauthorised access
(d) A web browsing software
2) Which of the following can be software?
(a) Routers
(b) Firewalls
(c) Gateway
(d) Modems
3) Which of the following methods is used to protect data and passwords?
(a) Encryption
(b) Authentication
(c) Authorisation
(d) Repudiation
4) ________ is a program that can infect other programs by modifying them.
(a) Worm
(b) Virus
(c) Zombie
(d) Trojan horse
5) Packet filters operate at the ___________
(a) Physical layer
(b) Network layer
(c) Transport layer
(d) Application layer
6) A firewall that protects network resources at the application layer is a _______
(a) Packet filter
(b) Stateful packet filter
(c) Application proxy
7) A gateway firewall is also known as ________
(a) Packet filter
(b) Stateful packet filter
(c) Application proxy
(d) Signature-based IDS
(e) Modem
8) Which of the following is an intrusion detection method?
(a) Anomaly detection
(b) Stack based
(c) Zone based
(d) Alert database
9) What are the characteristics of a signature-based IDS?
(a) Simple pattern matching algorithm
(b) It is programmed to interpret a certain series of packets
(c) The user can quickly determine whether the attack is real or a false alarm
(d) All of the options
10) Which of the following malicious programs does not replicate automatically?
(a) Trojan horse
(b) Virus
(c) Worm
(d) Zombie

11) A network layer firewall works as a
(a) Frame filter
(b) Packet filter
(c) Network filter
(d) All of the options
12) ________ is also known as a living document.
(a) Policy
(b) Guidelines
(c) Standards
(d) Procedures
13) Which of the following is not a characteristic of a policy?
(a) Protects the information
(b) Identifies and authorises the consequences of violation
(c) Helps to minimise risk
(d) Supports guidelines
14) _________ collects and correlates events from existing security devices and resolves the situation.
(a) Physical security
(b) Network security
(c) Application hardening
(d) Guidelines

Bibliography

References
1.1 http://www.securnet.biz/Ebooks/Network_Security.pdf
1.2 https://www.paloaltonetworks.com/resources/learning-center/what-is-an-intrusionprevention-system-ips.html
1.3 http://www.techotopia.com/index.php/Security_Baselines_and_Operating_System%2C_Network_and_Application_Hardening#Operating_System_Hardening

External Resources
Bosworth, S., Kabay, M. E., & Whyne, E. (2014). Computer Security (6th ed., Vol. 1). New Jersey: John Wiley & Sons.
Peltier, T. R. (2005). Information Security Risk Analysis (2nd ed.). Boca Raton, London, New York: Auerbach Publications.
Whitman, M. E., & Mattord, H. J. (2011). Principles of Information Security. USA: Course Technology.

Video Links
Topic: Firewalls
Link: www.youtube.com/watch?v=xnqC2aPb00&feature=youtu.be
Topic: Intrusion detection system
Link: www.youtube.com/watch?v=tMBGU2Ct04c&feature=youtu.be
Topic: Intrusion detection vs. Intrusion prevention systems
Link: www.youtube.com/watch?v=rvKQtRklwQ4&feature=youtu.be
Topic: Operating system hardening
Link: www.youtube.com/watch?v=Rv4h8wcSyf8&feature=youtu.be
