PART B
Physical security
Personal security
Operations security
Communications security
Network security
Physical security: addresses the issues necessary to protect the physical items, objects or areas of an organization from unauthorized access and misuse.
Personal security: involves the protection of the individual or group of individuals who are authorized to access the organization's information and its operations.
Operations security: focuses on the protection of the details of a particular operation or series of activities.
Communications security: includes the protection of an organization's communications media, technology and content.
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession
Availability: enables authorized users (persons or computer systems) to access information without interference or obstruction, and to receive it in the required format.
E.g., entry into a research library may require identification before entering. Access is provided only to authorized patrons. Once authorized, patrons have access to the information in their required format, familiar language, etc.
Accuracy: information that is free from mistakes or errors, and that has the value the end user expects, is said to be accurate. If the information contains a value different from the user's expectations, because of intentional or unintentional modification of its contents, it is inaccurate.
For example, if a bank teller mistakenly adds or subtracts an amount in a user's bank account, the value of the information changes. A wrong amount entered accidentally by the user will also show wrong information. Such mistakes can lead to cheques bouncing, etc.
Authenticity: the quality or state of being genuine or original, rather than a reproduction or fabrication. Authentic information is information in the state in which it was originally created, placed, stored or transferred.
Email spoofing is an attack in which the attacker forges the originator's address. The spoofed address makes the recipient open the mail, thinking it to be legitimate traffic.
Confidentiality: information is said to be confidential when disclosure or exposure to unauthorized individuals or systems is prevented. Only those with the necessary rights and privileges are able to access the information.
For example, confidential information could be mistakenly emailed to an outsider rather than to someone inside the organization. Confidential information may also be given away by users themselves when they fill out an online survey and hand over pieces of their personal history in exchange for access to online privileges.
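The first mistake described above, confidential information emailed to an outsider, is the kind of thing a sender-side or gateway check can catch before the message leaves. The following is an added example, not code from the original notes: it treats any message classified as confidential as deliverable only to addresses in the organization's own domains, and reports every other recipient. The domain names, addresses and the `example.org` organization are constructed assumptions.

```python
"""Outbound-recipient check for messages labelled confidential (added example;
not from the original notes). A message classified 'confidential' may only go
to addresses in the organization's own domains; anything else is reported so
the sender or a mail gateway can stop it. Domains and addresses are constructed.
"""

ORG_DOMAINS = {"example.org", "mail.example.org"}  # constructed organization domains


def recipient_domain(address):
    """Return the lower-cased domain of an email address, or None if malformed."""
    address = address.strip().lower()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or not domain or "." not in domain:
        return None
    return domain


def is_internal(address, org_domains=ORG_DOMAINS):
    """True only for well-formed addresses whose domain is exactly one of ours.

    An exact-match set (not a suffix test) is used so that a lookalike such as
    'example.org.lookalike.test' is not mistaken for an internal domain.
    """
    domain = recipient_domain(address)
    return domain is not None and domain in org_domains


def external_recipients(classification, recipients, org_domains=ORG_DOMAINS):
    """For a non-public message, list the recipients that must not receive it.

    Default-deny: malformed addresses count as external, and any
    classification other than 'public' is treated as confidential.
    """
    if classification.strip().lower() == "public":
        return []
    return [r for r in recipients if not is_internal(r, org_domains)]


def demo():
    """Constructed message: two internal recipients, two external, one malformed."""
    msg = {
        "classification": "Confidential",
        "to": [
            "alice@example.org",
            "bob@Mail.Example.org",                 # internal, mixed case
            "carol@example.org.lookalike.test",     # constructed lookalike domain
            "dave@gmail.test",                      # plain external address
            "broken-address",                       # malformed: no '@'
        ],
    }
    return external_recipients(msg["classification"], msg["to"])


if __name__ == "__main__":
    for r in demo():
        print("would be blocked:", r)
```

The check is deliberately conservative: it errs toward blocking, which is the right default for a confidentiality control, and a human decision is needed for any reported recipient rather than a silent bypass.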
Integrity: information has integrity when it is whole, complete and uncorrupted. Integrity is said to be compromised when information is corrupted, damaged, destroyed or otherwise disrupted from its authentic state.
Viruses and worms affect file integrity during storage or transmission. Such file corruption can be detected by keeping a watch on file size.
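The following is an added example, not code from the original notes, showing the size watch described above in working form and going one step beyond it: a baseline of each file's size and SHA-256 digest is recorded, and a later check reports files that went missing, changed size, or changed content while keeping the same size, which a size watch alone would miss. File names and contents are constructed samples written to a temporary directory.

```python
"""File-integrity baseline and check (added example; not from the original notes).

Records a baseline of size and SHA-256 for each file and later reports any file
whose size or content has changed. The notes describe watching file size; the
hash generalises that to modifications that leave the size unchanged.
All file names and contents below are constructed samples.
"""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for one file, streamed in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def take_baseline(paths):
    """Map each path to its fingerprint; this is the known-good state."""
    return {p: fingerprint(p) for p in paths}


def check_integrity(baseline):
    """Compare the current state of each file with the baseline.

    Returns a dict path -> reason, with reason one of
    'missing', 'size changed', 'content changed (same size)'.
    Files that match the baseline exactly are not reported.
    """
    findings = {}
    for path, (size0, digest0) in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        size1, digest1 = fingerprint(path)
        if size1 != size0:
            findings[path] = "size changed"
        elif digest1 != digest0:
            findings[path] = "content changed (same size)"
    return findings


def demo():
    """Constructed scenario: three files; one grows, one is altered in place."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, name) for name in ("a.txt", "b.txt", "c.txt")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"balance=1000\n")
    baseline = take_baseline(paths)
    # Simulate malware appending to a.txt: the size watch catches this.
    with open(paths[0], "ab") as f:
        f.write(b"extra\n")
    # Simulate a same-length edit of b.txt: only the hash catches this.
    with open(paths[1], "wb") as f:
        f.write(b"balance=9000\n")
    # c.txt is left untouched and should not be reported.
    return check_integrity(baseline)


if __name__ == "__main__":
    for path, reason in demo().items():
        print(os.path.basename(path), "->", reason)
```

In practice the baseline itself must be stored where the same malware cannot rewrite it (read-only media or a separate host), otherwise an attacker who alters a file can simply refresh its recorded fingerprint.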
Utility: the quality or state of having value for some purpose or end. Information is useful only when it serves its purpose; otherwise it is useless.
For example, census information can be overwhelming to an ordinary citizen, whereas the same information could be handy for a politician.
Possession: the quality or state of having ownership or control of some object or item. Information is said to be in one's possession if one obtains it, independent of its format or other characteristics.
Physical security policies deal with hardware as a physical asset and protect it from harm or theft. Traditional tools such as locks and keys can restrict access.
Data: data stored, processed and transmitted through a computer should be protected. It is the most valuable asset of any organization and also the main target of intentional attacks.
People: people have always been a threat to information security. They can be the weakest link in an organization's information security program.
Policy, education and training, awareness and technology should be properly employed to prevent people from accidentally or intentionally damaging or losing information. The practices of social engineering should also be guarded against.
Procedures: procedures are written instructions for accomplishing a specific task. The integrity of information may be compromised if a procedure falls into the hands of an unauthorized user.
In banking applications, if no proper authentication is present, large amounts could easily be transferred to unauthorized accounts.
Networks: this information system (IS) component created much of the need for increased computer and information security. When information systems are connected to form LANs, and these LANs connect to other networks such as the Internet, new security challenges emerge.
Securing computers through physical means, with locks and keys that restrict access to and interaction with information systems, is still important, but with rapid network growth it is no longer sufficient on its own.
Securing the Components
Security of information and its systems includes securing all components and protecting them from potential misuse and abuse by unauthorized users.
In such a scenario, the computer should be considered the subject of an attack rather than only the object of the attack.
When a computer is
Types of attacks
i. Direct: a hacker uses his personal computer to break into a system. Direct attacks originate from the threat itself.
ii. Indirect: occurs when a system is compromised and used to attack other systems, as in a DDoS attack. Indirect attacks originate from a system or resource that has itself been attacked and is malfunctioning or working under the control of a threat.
Therefore a computer is the object of an attack while it is being compromised (taken over), and after being compromised it becomes the subject of an attack, when it is used to attack other systems.
Balancing Security and Access
Even with the best planning and implementation, perfect information security cannot be obtained. It is a process, not an absolute state, and not a goal in itself.
Security should be considered as a balance between protection and availability. Ideally a system would provide unrestricted access, available to anyone, anywhere, anytime, through any means.
But unrestricted access poses a hazard to the information's integrity. Conversely, if complete information security is imposed on the system, free access may not be possible.
To achieve balance, i.e., to operate an information system to the satisfaction of both the user and the security professional, the level of security must allow reasonable access, yet protect against threats.
An imbalance occurs when users' needs are undermined because of too much focus on system protection.
Both groups should exercise patience and cooperation when interacting with each other, as together they share the same overall goal of the organization: to ensure that data is available when, where and how it is needed, with minimal delays or obstacles.
Implementation of information security in an organization can begin from either the top or the bottom level.
The advantage of the bottom-up approach is the technical expertise of the individual administrators.
By working with information systems day to day, these administrators possess in-depth knowledge that greatly enhances the development of an information security system. They know and understand the threats to their systems and the mechanisms needed to protect them. The disadvantage is a lack of participant support and organizational staying power.
In contrast, in the top-down approach the project is initiated by upper-level managers, who issue policy, procedures and processes, dictate the goals and expected outcome of the project, and determine who is accountable for each of the required actions.
The SDLC may be event-driven, i.e., started in response to some occurrence, or plan-driven, i.e., started as the result of a carefully developed implementation strategy.
Once the need is recognized, the SDLC methodology ensures that development proceeds in an orderly and comprehensive fashion.
Each phase ends with a structured review or reality check, during which the decision to continue, discontinue, outsource or postpone the project is taken, depending on the need for additional expertise, organizational knowledge or resources.
The process starts with an investigation of the problem faced by the organization, continues with an analysis of the current organizational practices identified in the investigation, and then proceeds to the logical and physical design phases, where solutions are identified and associated with evaluation criteria.
During implementation, solutions are evaluated, selected and acquired through a make-or-buy process. These solutions, whether made or bought, are tested, installed and tested again.
Users of the system are trained and documentation is developed. Finally the system matures and is maintained and modified over the remainder of its operational life.
Generally the implementation of an information system may involve multiple iterations or cycles.
Investigation: this phase begins with an examination of the event or plan that initiates the process. The objectives, constraints and scope of the project are specified. A preliminary cost/benefit analysis is performed to evaluate the perceived benefits and the cost to be incurred for those benefits.
At its conclusion, a feasibility analysis is performed to assess the economic, technical and behavioral feasibility of the process and to ensure that implementation is worth the organization's time and effort.
Analysis: this phase begins with the information gained during the investigation phase. Here, an assessment of the organization, the status of current systems and their capability to support the proposed system is carried out.
Analysts should determine what the new system is expected to do and how the new system will interact with existing systems. This phase ends with the documentation of the findings and an update of the feasibility analysis.
Logical Design: the information gained from the analysis phase is used to begin creating a systems solution for a business problem. The solution provided should drive the business. Applications capable of providing the needed service to the business are selected.
Then, based on the applications, the data support and structures capable of providing the needed input are chosen. Finally the specific technologies needed to implement the physical solution are listed. Thus a blueprint for the desired solution is provided in this phase. The logical design should be implementation independent and contain no reference to specific technologies, vendors or products.
This phase addresses how the proposed system will solve the given problem. A number of alternative solutions, each with its corresponding strengths and weaknesses, are developed along with a cost-benefit analysis, allowing a general comparison of the available options.
At the end, another feasibility analysis is performed.
Physical Design: specific technologies are selected to support the alternative solutions that were identified and evaluated in the logical design. The selected components are evaluated on the basis of a make-or-buy decision. Final designs integrate the various components and technologies.
Another feasibility analysis is conducted, after which the entire solution is presented to organizational management for approval.
Implementation: any needed software is created. Components are ordered, received and tested. Users are trained and support documents are created.
After the individual testing of each component is complete, the components are installed and tested as a system. Again a feasibility analysis is prepared, and the sponsors are presented with the system for a performance review and acceptance test.
Maintenance and Change: this is the longest and most expensive phase of the process. It consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle.
Though formal development stops, the life cycle continues until the process begins again from the investigation phase. Periodically the system is tested for compliance, and the feasibility of continuing or discontinuing it is evaluated. Upgrades, updates and patches are managed.
When the current system can no longer support the evolving mission of the organization, the project is terminated and a new project is implemented.
Security Systems Development Life Cycle
The same phases used in the traditional SDLC are adapted to support the specialized implementation of a security project.
The SDLC and SecSDLC processes differ in intent and specific activities, but the overall methodology is the same. The basic process is the identification of threats and the development of controls to counter them.
The SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions.
Investigation: the initiative for this phase comes from upper management, which dictates the process, outcomes and goals of the project as well as its budget and other constraints.
Teams of responsible managers, employees and contractors are organized. Problems are analyzed, and the scope of the project and its specific goals, objectives and constraints, where not already covered in the program policy, are defined.
Finally, an organizational feasibility analysis is performed to determine whether the organization has the resources and commitment necessary to conduct a successful security analysis and design.
Analysis: documents from the investigation phase are studied. The development team conducts a preliminary analysis of existing security policies or programs, along with documented current threats and their associated controls.
This includes an analysis of relevant legal issues that could affect the design of the security solution. Privacy laws dealing with personal information should be carefully considered.
The risk management task, which deals with identifying, assessing and evaluating the levels of risk, specifically the threats to the organization's security and to its stored and processed information, also begins in this phase.
Logical Design: this phase creates and develops the blueprint for information security, and examines and implements key policies that influence later decisions. The incident response actions to be taken in the event of catastrophic loss are discussed, and the following questions are answered:
* Continuity planning: how will the business continue in the event of a loss?
* Incident response: what steps are taken when an attack occurs?
* Disaster recovery: what must be done to recover information and vital systems immediately after a disastrous event?
Next, a feasibility analysis determines whether or not the project should be continued or outsourced.
Physical Design: the information security technology needed to support the blueprint outlined in the logical design is evaluated, alternative solutions are generated, and a final design is decided upon.
The information security blueprint may be revisited to keep it in line with the changes needed once the physical design is completed.
Criteria for determining what constitutes a successful solution are prepared. Physical security measures to support the proposed technological solution are designed.
A feasibility analysis is conducted to determine the readiness of the organization for the proposed project. The champion and sponsors are presented with the design. All parties involved should approve it before implementation starts.
Implementation: security solutions are made or bought, tested, implemented and tested again. Personnel issues are evaluated, and education and training programs are conducted. The entire tested package is presented to upper management for final approval.
Maintenance and Change: because of the ever-changing threat environment, this phase is the most important.
An information security system needs constant monitoring, testing, modification, updating and repairing.
C.I.A. triangle
The C.I.A. triangle was the standard based on confidentiality, integrity and availability.
The C.I.A. triangle has expanded into a list of critical characteristics of information.