
Advanced Penetration Testing and Security Analysis
Module 1: The Need for Security Analysis
EC-Council

Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Copyright 2004 EC-Council. All rights reserved worldwide.

Module Objective

This module will familiarize you with:
What are we Concerned About?
So What are you Trying to Protect?
Why are Intrusions so Often Successful?
What are the Greatest Challenges?
Threat Agents
Assessment Questions
Risk
Information Security Awareness
Security Policies
ISO 17799
U.S. Legislation
U.K. Legislation

What are we Concerned About?

Theft
Fraud/Forgery
Unauthorized Information Access
Interception or Modification of Data

So What are you Trying to Protect?

Your Assets
Your Network Infrastructure
Availability of Your Network
Confidential Personal Data

Why are Intrusions so Often Successful?

Poor detection, response, and escalation
No formal policies or non-existent procedures for [pro]active auditing and/or event management
Limited use of authentication and/or authorization systems
Ignorance of logical and/or organizational boundaries within a network infrastructure

What are the Greatest Challenges?

Environment complexity
New technologies
New threats and exploits
Limited focus on security
Limited security expertise

Environmental Complexity

Multiple points of access:
Wired/wireless
Analog/remote
Insecure network design:
Ineffective or non-existent DMZ(s)
Single-layer security design
Multi-vendor environments:
Cisco, Check Point, ISS, etc.

New Technologies

Technology is advancing rapidly.
New technologies make old techniques ineffective or insufficient.
Security technologies change almost every day.
It's often impossible to evolve our network infrastructure at the same rapid pace.
Tunneling software makes it easier to bypass access controls.

New Threats and Exploits

The average age of malicious attackers is at its lowest.
This significantly increases the number of potential threats, as every teenager with a broadband connection can be a suspect.
New exploits are being discovered as frequently as every 4 hours -- and this number is growing ever smaller!

Limited Focus

IT security is often allocated a small portion of overall IT budgets (on average, less than 3%; new statistics say around 6%).
Few managers see the need for security until after an attack has occurred, and by then, it's often too little, too late.

Limited Expertise

Organizations don't want to spend money on expensive security personnel.
Most often, Security Administrators are actually overworked and under-trained Network Administrators.
Information security is a complex and specialized field, and engineers need specialized training.

Tool: Data Loss Cost Calculator

http://www.tech-404.com/calculator.html

Darwin Professional Underwriters Inc. has developed an online data loss cost calculator that allows companies to estimate their financial risk from data theft.
This calculator provides companies with a no-cost, easy-to-use, and interactive tool to assess the impact of a data breach or identity theft data loss incident.
This calculator can be used to immediately estimate the financial exposure of the organization in three major categories:
Internal investigation expenses.
Customer notification/crisis management expenses.
Regulatory/compliance expenses.

How to Use

Enter the number of affected records in a data breach or identity theft incident, within the range of minimum 1000 and maximum 250,000.
Avoid using commas when entering a number.
The button next to the text box will increase or decrease the number of affected records by 500.
A user can switch the options ON or OFF according to their need.
Click the Graph icon to generate a pie chart.
Click each pie chart slice to check the distribution of costs for each category.

Data Loss Cost Calculator Screenshot (panels: Input, Graph)

Features of Data Loss Cost Calculator

Helps to calculate the data loss cost approximately
Range between 1000 and 250,000 is used
Graphical representation makes the calculation easy and simple to understand
Each category can be studied in detail with the help of the advanced pie chart option

Graphical Representation of Total Loss (pie chart; slice shown: Notification/Crisis Management)

Graphical Representation of Loss of Each Category (pie chart)

In Order to Ensure...

Accurate authentication
Proper authorization
Confidentiality of data
Integrity of data
Availability of data
Non-repudiation

Authentication

Authentication is the process of verifying the identity of an individual.
Logging on to a computer is a two-stage process; typically, you will enter your:
Username: This is for the identifying process.
Password: This is for the authenticating process. It authenticates or proves your identity as posited in the username stage.

Authorization

Authorization is the process that establishes whether a given identity or subject can perform a given function against a given object.
For example, some users may be authorized to view data, and others may be authorized to delete data; both must be valid users, but they have different capabilities.
Authorization or access control is typically defined by Access Control Lists (ACLs).
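The two slides above separate identification (username), authentication (password) and authorization (ACL). The following Python program is an added example, not part of the EC-Council material: it stores salted password verifiers instead of plaintext, proves identity in constant time, and only then consults an ACL that maps an object to the operations each subject may perform on it. The user names, passwords, the object name "payroll.db" and the ACL entries are all constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password verifier; the salt makes equal passwords hash differently."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_table(credentials: dict) -> dict:
    """Build username -> (salt, verifier). Plaintext passwords are never stored."""
    table = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        table[username] = (salt, hash_password(password, salt))
    return table


# Constructed sample users and ACL; not from the course material.
USERS = make_user_table({"alice": "correct horse battery staple", "bob": "hunter2"})
DUMMY_SALT = bytes(16)

# ACL: object -> subject -> operations that subject may perform on the object.
ACL = {
    "payroll.db": {"alice": {"view", "delete"}, "bob": {"view"}},
}


def authenticate(username: str, password: str) -> bool:
    """Stage 1 identifies (username lookup); stage 2 authenticates (password proof)."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username takes as long as a wrong password.
        hash_password(password, DUMMY_SALT)
        return False
    salt, verifier = record
    return hmac.compare_digest(hash_password(password, salt), verifier)


def authorize(username: str, operation: str, obj: str) -> bool:
    """Authorization: may this (already authenticated) subject perform operation on obj?"""
    return operation in ACL.get(obj, {}).get(username, set())


def access(username: str, password: str, operation: str, obj: str) -> str:
    """Full decision: authenticate first, then consult the ACL."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, operation, obj):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    for args in [("alice", "correct horse battery staple", "delete", "payroll.db"),
                 ("bob", "hunter2", "view", "payroll.db"),
                 ("bob", "hunter2", "delete", "payroll.db"),
                 ("bob", "wrong", "view", "payroll.db")]:
        print(args[0], args[2], "->", access(*args))
```

Both bob and alice are valid users, but only alice's ACL entry carries the delete capability; a failed password and an unknown username return the same message so the response does not reveal which usernames exist.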

Confidentiality

Confidentiality is the requirement that particular information be restricted to the appropriate people.
Mechanisms that are often used to maintain confidentiality include:
Data Classification: The process of labeling information so that people understand who is allowed to see it and who isn't.
Encryption: Information is often encrypted to maintain confidentiality; only people with the right key are authorized and able to decrypt it.
Equipment Disposal: Formatting disks seven times, degaussing tapes, shredding paper, and sanding CD-ROMs are all activities to protect confidentiality when we throw away information storage.

Integrity

Integrity is the principle that requires information to maintain its precision.
Measures to maintain data integrity may include:
Checksums: A checksum is a number produced by a mathematical function to verify that a given block of data hasn't been changed.
Access control: By ensuring that only the correct people can update, add, and delete data, we can protect its integrity.
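The checksum bullet above covers several quite different functions. The Python program below is an added example (not part of the EC-Council material) that runs three of them over a constructed data block: a naive additive checksum, CRC-32 and SHA-256. It shows the edge case a practitioner should know, that an additive checksum misses a change which only reorders bytes, and it goes one step beyond the slide by adding an HMAC tag to show why an unkeyed checksum does not protect integrity against someone who can rewrite both the data and the stored checksum. The sample block, the tampered copies and the key are constructed.

```python
import hashlib
import hmac
import zlib


def additive_checksum(data: bytes) -> int:
    """Sum of all byte values, modulo 2**16. Cheap, but blind to byte order."""
    return sum(data) % 65536


def crc32_checksum(data: bytes) -> int:
    """CRC-32: order-sensitive; good against accidental corruption."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_checksum(data: bytes) -> str:
    """Cryptographic hash: infeasible to find a different block with the same value."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: a checksum that cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, expected, func) -> bool:
    """Recompute the checksum of data with func and compare it to the stored value."""
    computed = func(data)
    if isinstance(computed, str):
        return hmac.compare_digest(computed, expected)
    return computed == expected


# Constructed sample block and two tampered copies (not from the course material).
ORIGINAL = b"transfer 100 to account 42"
CHANGED = b"transfer 900 to account 42"   # one byte altered
SWAPPED = b"transfer 100 to account 24"   # two bytes exchanged: same byte sum


def detection_report(original: bytes, tampered: bytes) -> dict:
    """For each checksum, True if verifying tampered against original's value fails."""
    return {
        "additive": not verify(tampered, additive_checksum(original), additive_checksum),
        "crc32": not verify(tampered, crc32_checksum(original), crc32_checksum),
        "sha256": not verify(tampered, sha256_checksum(original), sha256_checksum),
    }


def forged_record_passes(original: bytes, tampered: bytes, key: bytes) -> dict:
    """Model someone who can rewrite both the data and the stored checksum.
    The unkeyed hash is simply recomputed over the new data and still verifies;
    the keyed tag cannot be recomputed without the key, so verification fails."""
    stored_tag = keyed_tag(original, key)
    return {
        "unkeyed_sha256": verify(tampered, sha256_checksum(tampered), sha256_checksum),
        "keyed_hmac": verify(tampered, stored_tag, lambda d: keyed_tag(d, key)),
    }


if __name__ == "__main__":
    print("one byte changed :", detection_report(ORIGINAL, CHANGED))
    print("two bytes swapped:", detection_report(ORIGINAL, SWAPPED))
    print("forged record    :", forged_record_passes(ORIGINAL, CHANGED, b"constructed-key"))
```

The practical reading: a CRC or plain hash is the right tool for detecting accidental corruption (disk errors, truncated transfers), while integrity against deliberate modification needs a key the modifier does not have, which is what the HMAC variant supplies.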

Availability

The availability principle ensures that our data will be available in a timely manner. This principle underpins the whole principle of redundant systems.
Measures to maintain data availability may include:
Redundant systems: disk arrays and clustered machines.
Antivirus software to stop worms destroying our networks.
Distributed denial-of-service (DDoS) prevention systems.

Non-Repudiation

Non-repudiation effectively defines a principle or state that ensures that an action or transaction cannot be denied:
Non-repudiation of receipt: The sender can prove that the message was delivered to the right person.
Non-repudiation of sender: This is the most common case; the sender's message appears to be from, say, Mark Osborne, but can we really be sure when dealing with such a fickle character?
Non-repudiation of time: No one denies receiving or sending anything; they just deny getting it at a time that makes it meaningful.

We Must be Diligent

We have to secure:
The people.
The technology.
The processes.

Threat Agents

Employees:
No physical security = no security at all:
Unattended computer systems on the LAN
Unlocked doors or poorly secured server rooms or wiring closets
The bigger, the easier
Disgruntled employee
Lack of education:
Users
Administrators
Corporate espionage
Misuse of IT privileges:
Internal
External
Organized threats:
Fundamentalist groups
Organized crime
Government/foreign intelligence
Terrorists

Assessment Questions

Here are some questions for you to ponder:
How easy would it be for someone to steal our corporate information?
How easy would it be for someone to crash our network?
What vulnerabilities exist at our Internet connection?
What is the likelihood that we will be hacked by someone?
What damage could they do?
What could one of our employees do with unauthorized access privileges?
How easy is it to circumvent these access controls?
Is it easier for insiders than someone trying to come in from the Internet?
How much should we spend on our IT security program?
Who is responsible for protecting our IT and informational resources?

How Much Security is Enough?

First, we have to understand risk:
How much do you have to lose?
What is your level of exposure/risk?
How are you vulnerable?
How can these risks be mitigated?

Risk

Risk is the possibility of harm or loss.
It refers to the uncertainty about events and outcomes that could have an undesirable effect on the organization and its goals.
The central element of risk is uncertainty, the probability of experiencing loss as a result of a threat event.
The outcome is uncertain, but the threat is very real.

Risk = Loss * Exposure factor.

Simplifying Risk

R = Risk
A = Asset value
T = Perceived threat
V = Vulnerability

Risk Analysis

There are many types of risk analysis.
Common security risk analysis methods and tools include:
CRAMM.
SARAH.
IS1 and IS3.
VISART.
Delphi.

Risk Assessment Answers

Seven Questions:
1. What can go wrong? (threat events)
2. If it happened, how bad could it be? (single-loss exposure value)
3. How often might it happen? (frequency)
4. How sure are the answers to the first three questions? (uncertainty)
5. What can be done to remove, mitigate, or transfer risk? (safeguards and controls)
6. How much will it cost? (safeguard and control costs)
7. How efficient is it? (cost/benefit, or return on investment [ROI] analysis)
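The seven questions above, together with the earlier "Risk = Loss * Exposure factor" slide, can be carried through as a small calculation. The Python program below is an added example, not part of the EC-Council material: it takes one threat scenario, computes the single-loss exposure from the slide's formula (asset value as the loss), scales it by frequency to an annual figure, widens it into a range for uncertainty, and then ranks candidate safeguards by ROI. Treating asset value times exposure factor times frequency as the annual loss, and expressing uncertainty as a multiplicative spread, are this example's assumptions; the scenario, the money figures, and the safeguard effects are constructed.

```python
from dataclasses import dataclass


@dataclass
class ThreatScenario:
    """One answer to 'what can go wrong?' with the figures the seven questions ask for."""
    name: str
    asset_value: float      # value of the asset at stake (monetary units)
    exposure_factor: float  # fraction of asset value lost in one event, 0.0 to 1.0
    frequency: float        # expected events per year
    uncertainty: float      # spread around the estimates; 0.0 means certain (assumption)


@dataclass
class Safeguard:
    """A control option with its annual cost and the effect it is believed to have."""
    name: str
    annual_cost: float
    frequency_reduction: float  # fraction of events it prevents, 0.0 to 1.0
    exposure_reduction: float   # fraction of the per-event loss it removes, 0.0 to 1.0


def single_loss_exposure(s: ThreatScenario) -> float:
    """Question 2: Risk = Loss * Exposure factor, with the asset value as the loss."""
    return s.asset_value * s.exposure_factor


def annual_loss_exposure(s: ThreatScenario) -> float:
    """Question 3: scale the single-loss figure by how often it happens per year."""
    return single_loss_exposure(s) * s.frequency


def loss_range(s: ThreatScenario) -> tuple:
    """Question 4: report a low/high band rather than a false point estimate."""
    ale = annual_loss_exposure(s)
    return (ale / (1.0 + s.uncertainty), ale * (1.0 + s.uncertainty))


def residual_annual_loss(s: ThreatScenario, g: Safeguard) -> float:
    """Question 5: expected annual loss that remains once the safeguard is in place."""
    return (single_loss_exposure(s) * (1.0 - g.exposure_reduction)
            * s.frequency * (1.0 - g.frequency_reduction))


def safeguard_roi(s: ThreatScenario, g: Safeguard) -> float:
    """Questions 6 and 7: (loss avoided - cost) / cost. Negative means it costs more than it saves."""
    avoided = annual_loss_exposure(s) - residual_annual_loss(s, g)
    return (avoided - g.annual_cost) / g.annual_cost


def rank_safeguards(s: ThreatScenario, options: list) -> list:
    """Best ROI first; the stronger control is not automatically the better choice."""
    return sorted(((g.name, safeguard_roi(s, g)) for g in options),
                  key=lambda pair: pair[1], reverse=True)


# Constructed figures for illustration only.
LAPTOP_THEFT = ThreatScenario("customer database on a stolen laptop",
                              asset_value=500_000, exposure_factor=0.4,
                              frequency=0.25, uncertainty=0.5)
OPTIONS = [
    Safeguard("full-disk encryption", annual_cost=10_000,
              frequency_reduction=0.0, exposure_reduction=0.9),
    Safeguard("encryption plus asset tracking and cable locks", annual_cost=60_000,
              frequency_reduction=0.5, exposure_reduction=0.9),
]

if __name__ == "__main__":
    print("single-loss exposure:", single_loss_exposure(LAPTOP_THEFT))
    print("annual loss exposure:", annual_loss_exposure(LAPTOP_THEFT))
    print("range given uncertainty:", loss_range(LAPTOP_THEFT))
    for name, roi in rank_safeguards(LAPTOP_THEFT, OPTIONS):
        print(f"{name}: ROI {roi:.2f}")
```

With these constructed numbers the single-loss exposure is 200,000 and the annual figure 50,000; the cheaper safeguard avoids most of that loss for a positive ROI, while the more thorough package removes slightly more loss but costs more than it saves, which is the point of question 7.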

Steps of Risk Assessment

Step 1: Inventory, Definition, and Requirements
Phase 1: Identify critical business processes.
Phase 2: Create a list of assets used by those critical processes.
Phase 3: Place a value on the assets, or somehow quantify their importance.

Step 2: Vulnerability and Threat Assessment
Phase 1: Run automated security tools to start process analysis.
Phase 2: Follow up with a manual review.

Step 3: Evaluation of Controls
Identify potential safeguards and controls, as well as their associated cost.

Steps of Risk Assessment

Step 4: Analysis, Decision, and Documentation
Phase 1: Analyze a list of control options for each threat.
Phase 2: Decide which control is best to implement for each threat.
Phase 3: Document the assessment process and results.

Step 5: Communication
Communicate results to the appropriate parties.

Step 6: Monitoring
Continuously analyze new threats and modify controls as necessary. Significant organizational changes should lead to a new risk assessment.

Risk Assessment Values

The RAV is defined as the degradation of security (or escalation of risk) over a specific life cycle based on best practices for periodic testing.

Information Security Awareness

Information security is all about people.
If people understand and appreciate the dangers and risks associated with mismanaging information, the exposures become measurably reduced.

Security Policies

Security policies are the foundation of your security infrastructure.
Without them, you cannot protect your company from possible lawsuits, lost revenue, and bad publicity, not to mention basic security attacks.
A security policy is a document or set of documents that describes, at a high level, the security controls that will be implemented by the company.
Policies are not technology specific and do three things for a company:
Reduce or eliminate legal liability to employees and third parties.
Protect confidential, proprietary information from theft, misuse, unauthorized disclosure, or modification.
Prevent waste of company computing resources.

Security Policy Basics

A security policy should determine rules and regulations for the following systems:
Encryption mechanisms.
Access control devices.
Authentication systems.
Firewalls.
Anti-virus systems.
Websites.
Gateways.
Routers and switches.

Security Policy Basics (Cont'd)

There are two types of basic security policies:
Technical security policies: Include how technology should be configured and used.
Administrative security policies: Include how people (both end-users and management) should behave/respond to security.

Persons responsible for the implementation of the security policies are:
Director of Information Security.
Chief Security Officer.
Director of Information Technology.
Chief Information Officer.

Types of Policies

Promiscuous Policy
Permissive Policy
Prudent Policy
Paranoid Policy
Acceptable-Use Policy
User-Account Policy
Remote-Access Policy
Information-Protection Policy
Firewall-Management Policy
Special-Access Policy
Network-Connection Policy
Business-Partner Policy
Data Classification Policy
Intrusion Detection Policy
Virus Prevention Policy
Other Important Policies

Promiscuous Policy

No restrictions on Internet/remote access
Good luck to your network administrator, you have our blessings...

Permissive Policy

Known dangerous services/attacks blocked
Policy begins wide open
Known holes plugged/known dangers stopped
Impossible to keep up with current exploits; administrators always playing catch-up

Prudent Policy

Provides maximum security while allowing known, but necessary, dangers
All services are blocked; nothing is allowed
Safe/necessary services are enabled individually
Non-essential services/procedures that cannot be made safe are NOT allowed
Everything is logged
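The Permissive and Prudent slides describe two opposite default stances. The Python model below is an added example, not EC-Council's, that evaluates the same constructed sample of inbound connections under both: the permissive policy starts open and blocks only a list of known-dangerous services, the prudent policy denies everything except individually enabled services and logs every decision. The port numbers, the "known dangerous" and "necessary" sets and the sample traffic are constructed; the interesting case is a service that appeared after the block list was written.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """Constructed inbound connection attempt: protocol and destination port."""
    proto: str
    dst_port: int


@dataclass
class Verdict:
    allowed: bool
    reason: str


class PermissivePolicy:
    """Begins wide open; only services already known to be dangerous are blocked."""

    def __init__(self, known_dangerous: set):
        self.known_dangerous = known_dangerous

    def evaluate(self, conn: Connection) -> Verdict:
        if (conn.proto, conn.dst_port) in self.known_dangerous:
            return Verdict(False, "known dangerous service")
        return Verdict(True, "default allow")


class PrudentPolicy:
    """Everything blocked by default; necessary services enabled one by one; all decisions logged."""

    def __init__(self, necessary: set):
        self.necessary = necessary
        self.log: list = []

    def evaluate(self, conn: Connection) -> Verdict:
        if (conn.proto, conn.dst_port) in self.necessary:
            verdict = Verdict(True, "explicitly enabled service")
        else:
            verdict = Verdict(False, "default deny")
        self.log.append((conn, verdict))   # "everything is logged"
        return verdict


# Constructed rule sets and traffic for the example; not from the course material.
KNOWN_DANGEROUS = {("tcp", 23), ("tcp", 445)}
NECESSARY = {("tcp", 443), ("tcp", 25)}
SAMPLE_TRAFFIC = [
    Connection("tcp", 443),    # web server: necessary
    Connection("tcp", 25),     # mail: necessary
    Connection("tcp", 23),     # telnet: on the known-dangerous list
    Connection("tcp", 5555),   # service exposed last week; nobody has classified it yet
]


def compare_policies(traffic: list) -> dict:
    """Map each destination port to (permissive allowed?, prudent allowed?)."""
    permissive = PermissivePolicy(KNOWN_DANGEROUS)
    prudent = PrudentPolicy(NECESSARY)
    result = {}
    for conn in traffic:
        result[conn.dst_port] = (permissive.evaluate(conn).allowed,
                                 prudent.evaluate(conn).allowed)
    return result


def prudent_log_entries(traffic: list) -> int:
    """The prudent policy records every decision, allowed or denied."""
    prudent = PrudentPolicy(NECESSARY)
    for conn in traffic:
        prudent.evaluate(conn)
    return len(prudent.log)


if __name__ == "__main__":
    for port, (permissive_ok, prudent_ok) in compare_policies(SAMPLE_TRAFFIC).items():
        print(f"port {port}: permissive={permissive_ok} prudent={prudent_ok}")
    print("prudent log entries:", prudent_log_entries(SAMPLE_TRAFFIC))
```

The unclassified service on port 5555 is the catch-up problem from the Permissive slide: it passes the permissive policy until someone adds it to the block list, while the prudent policy denies it from the start and leaves a log entry that shows the attempt.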

Paranoid Policy

Everything is forbidden
No Internet connection, or severely limited Internet usage
Users find ways around overly severe restrictions

Acceptable-Use Policy

Should users read and copy files that are not their own, but are accessible to them?
Should users modify files that they have write access to, but are not their own?
Should users make copies of system configuration files (for example, /etc/passwd and SAM) for their own personal use or to provide to other people?
Should users be allowed to use .rhosts files? Which entries are acceptable?
Should users be allowed to share accounts?
Should users have the ability to make copies of copyrighted software?

User-Account Policy

Who has the authority to approve account requests?
Who (employees, spouses, children, company visitors, for example) is allowed to use the computing resources?
May users have multiple accounts on a single system?
May users share accounts?
What are the users' rights and responsibilities?
When should an account be disabled and archived?

Remote-Access Policy

Who is allowed to have remote access?
What specific methods (such as cable modem/DSL or dial-up) does the company support?
Are dial-out modems allowed on the internal network?
Are there any extra requirements, such as mandatory anti-virus and security software, on the remote system?
May other members of a household use the company network?
Do any restrictions exist on what data may be accessed remotely?

Information-Protection Policy

What are the sensitivity levels of information?
Who may have access to sensitive information?
How is sensitive information stored and transmitted?
What levels of sensitive information may be printed on public printers?
How should sensitive information be deleted from storage media (paper shredding, scrubbing hard drives, degaussing disks, etc.)?

Firewall-Management Policy

Who has access to the firewall systems?
Who should receive requests to make a change to the firewall configuration?
Who may approve requests to make a change to the firewall configuration?
Who may see the firewall configuration rules and access lists?
How often should the firewall configuration be reviewed?

Special-Access Policy

Who should receive requests for special access?
Who may approve requests for special access?
What are the password rules for special-access accounts?
How often are passwords changed?
What are the reasons or situations that would lead to revocation of special-access privileges?

Network-Connection Policy

Who may install new resources on the network?
Who must approve the installation of new devices?
Who must be notified that new devices are being added to the network?
Who should document network changes?
Do any security requirements exist for the new devices being added to the network?

Business-Partner Policy

Is each company required to have a written security policy?
Should each company have a firewall or other perimeter security device?
How will communications occur (virtual private networking [VPN] over the Internet, leased line, and so forth)?
How will access to the partner's resources be requested?

Data Classification Policies

There is a need to classify data according to its use, sensitivity, and importance.
Thus, data is classified into three classes:
High risk: Data that attracts legal penalties if lost or damaged.
Confidential: Data that is to be protected against unauthorized disclosure.
Public: Data that is freely available.

Data Classification Policies (cont'd)

Do data owners determine the data classification and ensure data protection?
Is high risk data encrypted during transmission over insecure channels?
Is confidential data encrypted during transmission over insecure channels?
Is all data backed up?
Are all backups handled with the same security precaution as that of the original data?

Intrusion Detection Policies

Is intrusion detection implemented on all servers and workstations that contain high risk data?
Are the alarm and alert functions, as well as logging and monitoring systems, working as intended?
Do the intrusion detection tools ensure safety of the data?
Are the server, firewall, and critical system logs secure?

Virus Prevention Policies

Attempts of willful introduction of computer viruses or disruptive/destructive programs into the organization environment are prohibited and subject to prosecution.
Protect all desktop systems with approved and licensed anti-virus software.
Update anti-virus software as per the recommendation of the vendor.
Secure all servers and workstations that are vulnerable to viruses or worm attacks.
Scan headers of all incoming data, including electronic mail, for viruses at the email server.

Laptop Security Policy

User must agree to take shared responsibility for the security of the laptop.
User must protect the laptop from the installation of unlicensed or malicious software.
A strong password must be used to log in.
Laptop must be secured when not in use.
Encryption techniques should be used to save important documents.
Backups for all sensitive data should be maintained.
Standard anti-virus software must be used.

Personal Security Policy

1. All the people related to the organization must protect their assets.
2. All the people must be trained about their responsibilities and the organization's information security.
3. The employee handbook must consist of information about the security responsibilities.
4. All employees must sign the organization's non-disclosure agreement.
5. The chief security officer must implement a system for security-related issues.
6. The human resource manager must ensure background checks of the employees.

Cryptography Policy

Cryptography secures data and protects the privacy of the organization.
People of the organization should know about cryptographic techniques and how to implement them to get data secured.
Strong cryptographic algorithms should be selected, subject to applicable law, and implemented.
National and international cryptographic policies are to be implemented in private and public sectors.
International trade can be facilitated by promoting cost-effective, interoperable, portable, and mobile cryptographic methods.

Fair and Accurate Credit Transactions Act of 2003 (FACTA)

FACTA policies are divided into the following categories:
Data classification
Prevention, as well as detection
Consumer request policies
Consumer notification
Employment policies and procedures
Data destruction policies

FACTA Policy (cont'd)

Data classification:
According to FACTA, organizations should protect consumer information throughout.
Protects personally identifiable data, or data that can be associated clearly with one individual.

Prevention, as well as detection:
Adopt procedures designed to prevent identity theft before it occurs.

Consumer request policies:
Under new FACTA provisions, a consumer may dispute inaccurate information directly with a furnisher.
Furnisher must investigate and provide a timely response to the inquiry.

FACTA Policy (cont'd)

Consumer notification:
A new provision of FACTA is that consumers are to receive notification prior to or within 30 days of negative information being reported to a credit bureau.

Employment policies and procedures:
Organization should have hiring policies that require drug screening, credit checks or background checks, especially for key positions within the organization.

Data destruction policies:
Businesses will need to be able to prove that they have destroyed sensitive documents or information to be FACTA compliant.
Businesses should have a written program outlining how to maintain and shred documents or destroy other data.
Regularly scheduled paper shredding and data disposal is recommended to prevent the liability from storing excess records with personal information.

Other Important Policies


A wireless
i l
network
t
k policy
li helps
h l secure wireless
i l
networks,
t
k including
i l di
which devices are allowed to be connected, what security measures
should be followed, and so forth.

A lab policy discusses how to protect the internal network from the
insecurities of a test lab.

The best option is to keep the test lab on a completely separate Internet
connection and not have it connected in any way to the internal corporate
network.


Policy Statements
The policy is as effective as the policy statements that it contains. Policy statements must be written in a very clear and formal style.
Good examples of policy statements are:
All computers must have antivirus protection activated to provide real-time,
continuous protection.
All servers must be configured with the minimum of services to perform their
designated functions.
All access to data will be based on a valid business need and subject to a formal
approval process.
All computer software must always be purchased by the IT department in accordance with the organization's procurement policy.
A copy of the backup and restoration media must be kept with the off-site
backups.
While using the Internet, no person is allowed to abuse, defame, stalk, harass,
or threaten any other person or violate local or international legal rights.


Basic Document Set of Information Security Policies


ISO 17799
Another option when you are developing policies is to follow the
internationally recognized International Standards Organization (ISO)
17799, a set of recommendations organized into 10 major sections
covering all facets of information systems policies and procedures.
Many organizations and consulting firms use ISO 17799 as the baseline
for policy best practices.


Domains of ISO 17799

Business continuity planning:
Counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters

System access control:
Control access to information
Prevent unauthorized access to information systems
Ensure the protection of networked services
Prevent unauthorized computer access
Detect unauthorized activities
Ensure information security when traveling and telecommuting


Domains of ISO 17799 (contd)

System development and maintenance:
Ensure security is built into operational systems
Prevent loss, modification, or misuse of user data in application systems
Protect the confidentiality, authenticity, and integrity of information
Ensure that information technology (IT) projects and support activities are conducted in a secure manner
Maintain the security of application system software and data

Physical and environmental security:
Prevent unauthorized access and damage to and interference with business premises and information
Prevent loss or compromise of assets and interruption to business activities
Prevent compromise or theft of information and information-processing facilities


Domains of ISO 17799 (contd)

Compliance:
Avoid breaches of any criminal or civil law; any statutory, regulatory, or contractual obligations; and any security requirements
Ensure compliance of systems with organizational security policies and standards
Maximize the effectiveness of and minimize interference to and from the system audit process

Personnel security:
Reduce risks of human error, theft, fraud, or misuse of facilities
Ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work
Minimize the damage from security incidents and malfunctions and learn from such incidents

Security organization:
Manage information security within the organization
Maintain the security of organizational information-processing facilities and information assets accessed by third parties
Maintain the security of information when the responsibility for information processing has been outsourced to another organization


Domains of ISO 17799 (contd)

Computer and network management:
Ensure the correct and secure operation of information-processing facilities
Minimize the risk of systems failures
Protect the integrity of software and information
Maintain the integrity and availability of information processing and communication
Ensure the safeguarding of information in networks and the protection of the supporting infrastructure
Prevent damage to assets and interruptions to business activities
Prevent loss, modification, or misuse of information exchanged between organizations

Asset classification and control:
Maintain appropriate protection of corporate assets and ensure that information assets receive an appropriate level of protection

Security policy:
Provide management direction and support for information security


No Simple Solutions
Rapid emergence of new exploits

Most vendors don't take security seriously

Complex network infrastructure

Concentration on performance

Hurried OS and application deployment


U.S. Legislation

U.S. legislation has begun to set the standard for information security legislation in a very direct and prescriptive way:

California SB 1386
Sarbanes-Oxley 2002
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
USA Patriot Act 2001


California SB 1386

Currently, it applies only to data of California residents, but a federal version is reportedly in the pipeline.

In short, this act makes reputational risk of poor security a reality because it requires public disclosure of any security breach that involves personal information if it is unencrypted or if it is reasonably believed that the information has been acquired by an unauthorized person.

In cases involving over 500,000 people, the organization can warn the potential victims en masse through a website and by alerting the media.


Sarbanes-Oxley 2002

At the beginning of the new century, a plethora of informal recommendations came down from the Securities and Exchange Commission (SEC) about auditor independence after a number of well-publicized cases of false reporting. With the full extent of the Enron case coming to light, the Sarbanes-Oxley Act was introduced.

As an instrument for accounting reform and investor protection, this legislation was intended to reestablish investor confidence. It also was intended to reduce the stranglehold that the "Big Six" accounting firms had on professional services in larger corporations.


Sarbanes-Oxley 2002

Section 201:
Relating to auditor independence, it is no longer allowed for your auditor to perform such activities as financial information systems design and implementation; internal audit outsourcing services; and legal services and expert services (including security).

Section 302:
The CEOs and CFOs of the accounting company's clients must sign statements verifying the completeness and accuracy of financial reports.

Section 404:
CEOs, CFOs, and auditors must report on and attest to the effectiveness of internal controls for financial reporting. This report shall:
State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting
Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting
Each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.


Gramm-Leach-Bliley Act (GLBA)

The objective of the Gramm-Leach-Bliley Act was to ease the transfer of financial information between institutions and banks while making the rights of the individual through security requirements more specific.
Key points include:
Protecting consumers' personal financial information held by financial institutions and their service providers.
The officers and directors of the financial institution shall be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation.

Although the penalty is small, it is easy to see how it could impact a bank.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act, universally known as HIPAA, deals with health personal data, which is defined as:
An individual's past, present, or future physical or mental health or condition.
An individual's provision of health care.
Past, present, or future payment for provision of health care to an individual.

The primary objective of the security rule is to protect the confidentiality, integrity, and availability of data when it is managed (i.e., stored, maintained, or transmitted) by a health care provider.
Health care providers must provide notice of privacy policies and procedures to patients, obtain consent and authorization for use of information, and tell how information is generally shared and how patients can access, inspect, copy, and amend their own medical records.

USA Patriot Act 2001

Introduced as a direct result of the events of September 11, 2001, the USA Patriot Act has had a huge impact on how government agencies could obtain information on private individuals.

Wiretap orders now can be obtained pertaining to a person rather than individual circuits.

Internet service providers (ISPs) may volunteer information that they believe is of national importance, without fear of prosecution.

Mailbox information can be obtained by subpoena rather than wiretap order.


U.K. Legislation
The Computer Misuse Act 1990 creates three distinct criminal offenses:
Unauthorized access to computers, including the illicit copying of software held in any computer. This carries a penalty of up to six months' imprisonment or up to a £5000 fine and will be dealt with by a magistrate. This covers hobby hacking and, potentially, penetration testing.
Unauthorized access with intent to commit or facilitate commission of further offenses (such as fraud or theft), which covers more serious cases of hacking with a criminal intent. This has a penalty of up to five years' imprisonment and an unlimited fine. Because it is a serious offense, it will be a trial by jury.
Unauthorized modification of computer material, which includes the intentional and unauthorized destruction of software or data; the circulation of infected materials online (viruses); and the unauthorized addition of a password to a data file (crypto viruses). This offense also carries a penalty of up to five years' imprisonment and an unlimited fine. It is also a serious offense, so it too will be a trial by jury.

How Does This Law Affect a Security Officer?

Your security policy must contain an AUP and be communicated to all employees.

Your systems should contain logon banners stating that access is for authorized personnel only and must not contain a welcome.

Penetration tests should be accompanied by appropriate paperwork.


The Data Protection Act 1998

The Data Protection Act 1998 came into force on March 11, 2000. Covering the use of personal data (data relating to identifiable living individuals), it implements the European Directive on data protection (95/46/EC) in U.K. law.

The act covers manual and computerized records and is concerned with the processing of personal data. It works in two ways:
Giving individuals (data subjects) certain rights over the way that their data is processed.
Requiring those who decide how and why personal data is processed (data controllers) to be open about their use of that data and to comply with the data protection principles in their information-handling practices.

The Data Protection Act 1998

A data controller must comply with the eight principles of good practice, which require that personal information is:
1. Fairly and lawfully processed.
2. Processed for limited purposes and not processed in any manner incompatible with those purposes.
3. Adequate, relevant, and not excessive.
4. Accurate.
5. Not kept for longer than is necessary.
6. Processed in accordance with the data subject's rights.
7. Kept secure.
8. Not transferred to countries without adequate protection for the information.


The Human Rights Act 1998

Based on the European Convention on Human Rights, the Human Rights Act 1998 came into force in October 2000. Under Article 8 of the Convention, people are afforded the right to privacy.
This not only covers privacy while people are in the workplace, it also applies to email communications, Internet use, and telephone calls. Bottom line: If you are going to monitor employees, you must let people know in advance.

How Does This Law Affect a Security Officer?
Your security policy must be communicated to employees and include a warning that systems may be monitored for security purposes. Monitoring would include:
Pen tests.
IDS.
Mail scanning.
Packet sniffers.


Interception of Communications
The Telecommunications Regulations 2000 provided that an
employer retains the right to carry out monitoring despite the
fact the employee has not given his or her express consent, if
such monitoring is required to carry out the following:
Recording evidence of business transactions.
Ensuring compliance with regulatory or self-regulatory guidelines.
Maintaining the effective operation of the employer's systems (for example, preventing viruses).
Monitoring standards of training and service.
Preventing or detecting criminal activity.
Preventing the unauthorized use of the computer or telephone system.


The Freedom of Information Act 2000
The Freedom of Information Act 2000 was implemented on January 1, 2005.

It gives private individuals the right to access information held by public authorities, including:

Central government.
Local authorities.
NHS.
Schools.
Police departments.


The Audit Investigation and Community Enterprise Act 2005
The Audit Investigation and Community Enterprise Act 2005 reinforces powers already in place from the Companies Act. This law makes a director responsible for giving accurate information to auditors, liable for prosecution for withholding relevant information of which the auditor is unaware, and signing off audit reports attesting to that fact. This responsibility takes the form of a statement in the directors' report to the effect that there is no relevant information that has not been disclosed to the auditors.

Should an inspector discover that information has been withheld, the directors will be liable to
imprisonment and/or a fine.

The act also contains a whistleblower protection clause that excludes liability for breach of confidence for
those who provide information to authorities.


Summary
In this module, we've discussed the statistics and importance of vulnerabilities and their impact on business.
We have reviewed the various challenges against security.
We've discussed the challenges and how to simplify risk.
We have discussed security policies and postures.
We have discussed the ISO 17799 standard for security policies.
Last, but not least, we went over a few important laws and regulations related to information security.