
Introduction of Information Security 1


Unit 1: Introduction of Information Security

Structure:
1.1 Goals of Computer Security
1.1.1 Vulnerabilities and Attacks
1.1.2 Capabilities and Access Control Lists
1.2 CIA Triangle
1.2.1 Confidentiality
1.2.2 Integrity
1.2.3 Availability
1.3 Identifying the Assets
1.3.1 Identification of Assets
1.3.2 Accountability of Assets
1.3.3 Preparing a Schema for Classification
1.3.4 Implementation of the Classification Schema
1.4 The Need for Security
1.5 Security Threats
1.5.1 Introduction
1.5.2 Security Threats, Attacks, and Vulnerabilities
1.5.3 Security Policies and Plans
1.6 User Authentication
1.6.1 User Authentication vs. Machine Authentication
1.6.2 The Importance of Strong Machine Authentication
1.7 System Access Control
1.7.1 Access Control Challenges
1.7.2 Access Control Principles
1.7.3 Access Control Criteria
1.7.4 Access Control Practices
1.8 Passwords
1.9 Privileged User Management
1.9.1 Enhanced Visibility over Privileged User Activity
1.10 User Account Management
1.10.1 Using the Local Users and Groups Snap-in
1.10.2 Adding USERS with the Local Users and Groups MMC
1.10.3 Adding GROUPS with the Local Users and Groups MMC
1.10.4 Using USER ACCOUNTS in the Control Panel
1.10.5 Using USER ACCOUNTS in the Control Panel to add users to EXISTING groups
1.11 Data Resource Protection
1.11.1 Effective Data Protection and Recovery Strategy
1.11.2 Protecting Back-up Data
1.11.3 Develop a Data Protection and Recovery Program

Amity Directorate of Distance and Online Education


2 Information Security and Risk Management
1.11.4 Implement the Program
1.11.5 Manage and Enforce
1.11.6 Test and Revise
1.12 Sensitive System Protection
1.13 Cryptography
1.13.1 Other Uses of Cryptography
1.13.2 Key Management
1.13.3 Cryptographic Algorithms
1.14 Intrusion Detection
1.14.1 Terminology
1.14.2 Alert Type
1.14.3 HIDS and NIDS
1.15 Computer Security Classifications
1.15.1 Government Classification
1.15.2 Typical Classification Levels
1.15.3 NATO Classifications
1.16 Summary
1.17 Check Your Progress
1.18 Questions and Exercises
1.19 Key Terms
1.20 Check Your Progress: Answers
1.21 Case Study
1.22 Further Readings

Objectives
After studying this unit, you should be able to understand:
• Goals of Computer Security
• Cryptography
• Password Management
• User Authentication
• Data Resource Protection
• Intrusion Detection
• Computer Security Classification
• Fraud Detection
• A case study based on this unit

1.1 Goals of Computer Security


Computer security, also known as cyber security or IT security, is the protection
of information systems from theft or damage to the hardware, the software, and to the
information on them, as well as from disruption or misdirection of the services they
provide. It includes controlling physical access to the hardware, as well as protecting
against harm that may come via network access, data and code injection, and due to
malpractice by operators, whether intentional, accidental, or due to them being tricked
into deviating from secure procedures.
The field is of growing importance due to the increasing reliance on computer
systems in most societies. Computer systems now include a very wide variety of “smart”
devices, including smart phones, televisions and tiny devices as part of the Internet of
Things – and networks include not only the Internet and private data networks, but also
Bluetooth, Wi-Fi and other wireless networks.
Computer security covers all the processes and mechanisms by which digital
equipment, information and services are protected from unintended or unauthorized
access, change or destruction, and the process of applying security measures to ensure
confidentiality, integrity, and availability of data both in transit and at rest.

1.1.1 Vulnerabilities and Attacks


A vulnerability is a system susceptibility or flaw. Many vulnerabilities are
documented in the Common Vulnerabilities and Exposures (CVE) database, and
vulnerability management is the cyclical practice of identifying, classifying, remediating,
and mitigating vulnerabilities as they are discovered. An exploitable vulnerability is one
for which at least one working attack or “exploit” exists.
To secure a computer system, it is important to understand the attacks that can be
made against it, and these threats can typically be classified into one of the categories
below:
Backdoors: A backdoor in a computer system, a cryptosystem or an algorithm, is
any secret method of bypassing normal authentication or security controls. They may
exist for a number of reasons, including by original design or from poor configuration.
They may also have been added later by an authorized party to allow some legitimate
access or by an attacker for malicious reasons; but regardless of the motives for their
existence, they create vulnerability.
Denial-of-service Attack: Denial-of-service attacks are designed to make a
machine or network resource unavailable to its intended users. Attackers can deny
service to individual victims, such as by deliberately entering a wrong password enough
consecutive times to cause the victim account to be locked, or they may overload the
capabilities of a machine or network and block all users at once. While a network attack
from a single IP address can be blocked by adding a new firewall rule, many forms of
distributed denial-of-service (DDoS) attacks are possible, where the attack
comes from a large number of points – and defending is much more difficult. Such
attacks can originate from the zombie computers of a botnet, but a range of other
techniques are possible including reflection and amplification attacks, where innocent
systems are fooled into sending traffic to the victim.

Direct-access Attacks

[Figure: Common consumer devices that can be used to transfer data surreptitiously]

An unauthorized user gaining physical access to a computer is often able to directly
download data from it. They may also compromise security by making operating system
modifications, installing software worms, key loggers, or covert listening devices. Even
when the system is protected by standard security measures, these may be bypassed by
booting another operating system or tool from a CD-ROM or other bootable media. Disk
encryption and the Trusted Platform Module are designed to prevent these attacks.

Eavesdropping
Eavesdropping is the act of surreptitiously listening to a private conversation,
typically between hosts on a network. For instance, programs such as Carnivore and
NarusInsight have been used by the FBI and NSA to eavesdrop on the systems of
internet service providers. Even machines that operate as a closed system (i.e., with no
contact to the outside world) can be eavesdropped upon via monitoring the faint
electromagnetic transmissions generated by the hardware; TEMPEST is a specification
by the NSA referring to these attacks.

Spoofing
Spoofing of user identity describes a situation in which one person or program
successfully masquerades as another by falsifying data.

Tampering
Tampering describes a malicious modification of products. So-called “Evil Maid”
attacks and the planting of surveillance capability into routers by security services are examples.

Privilege Escalation
Privilege escalation describes a situation where an attacker with some level of
restricted access is able to, without authorization, elevate their privileges or access level.
So, for example, a standard computer user may be able to fool the system into giving
them access to restricted data; or even to “become root” and have full unrestricted
access to a system.

Social Engineering and Trojans


Social engineering aims to convince a user to disclose secrets such as passwords,
card numbers, etc. by, for example, impersonating a bank, a contractor, or a customer.

Systems at Risk
Computer security is critical in almost any industry which uses computers.

Financial Systems
Websites that accept or store credit card numbers and bank account information are
prominent hacking targets, because of the potential for immediate financial gain from
transferring money, making purchases, or selling the information on the black market.
In-store payment systems and ATMs have also been tampered with in order to gather
customer account data and PINs.

Utilities and Industrial Equipment


Computers control functions at many utilities, including coordination of
telecommunications, the power grid, nuclear power plants, and valve opening and
closing in water and gas networks. The Internet is a potential attack vector for such
machines if connected, but the Stuxnet worm demonstrated that even equipment
controlled by computers not connected to the Internet can be vulnerable to physical
damage caused by malicious commands sent to industrial equipment (in that case
uranium enrichment centrifuges) which are infected via removable media. In 2014, the
Computer Emergency Readiness Team, a division of the Department of Homeland
Security, investigated 79 hacking incidents at energy companies.

Aviation
The aviation industry is very reliant on a series of complex systems which could be
attacked. A simple power outage at one airport can cause repercussions worldwide;
much of the system relies on radio transmissions which could be disrupted, and
controlling aircraft over oceans is especially dangerous because radar surveillance only
extends 175 to 225 miles offshore. There is also potential for attack from within an
aircraft.
The consequences of a successful attack range from loss of confidentiality to loss of
system integrity, which may lead to more serious concerns such as exfiltration of data,
network and air traffic control outages, which in turn can lead to airport closures, loss of
aircraft, loss of passenger life, damages on the ground and to transportation
infrastructure. A successful attack on a military aviation system that controls munitions
could have even more serious consequences.

Consumer Devices
Desktop computers and laptops are commonly infected with malware either to
gather passwords or financial account information, or to construct a botnet to attack
another target. Smart phones, tablet computers, smart watches, and other mobile
devices such as Quantified Self Devices like activity trackers have also become targets
and many of these have sensors such as cameras, microphones, GPS receivers,
compasses, and accelerometers which could be exploited, and may collect personal
information, including sensitive health information. Wi-Fi, Bluetooth, and cell phone
network on any of these devices could be used as attack vectors, and sensors might be
remotely activated after a successful breach.
Home automation devices such as the Nest thermostat are also potential targets.

Large Corporations
Large corporations are common targets. In many cases, this is aimed at financial
gain through identity theft and involves data breaches such as the loss of millions of
clients’ credit card details by Home Depot, Staples, and Target Corporation.
Not all attacks are financially motivated however; for example, security firm HBGary
Federal suffered a serious series of attacks in 2011 from hacktivist group Anonymous in
retaliation for the firm’s CEO claiming to have infiltrated their group, and Sony Pictures
was attacked in 2014 where the motive appears to have been to embarrass with data
leaks, and cripple the company by wiping workstations and servers.

Government
Government and military computer systems are commonly attacked by activists and
foreign powers. Local and regional government infrastructure such as traffic light controls,
police and intelligence agency communications, personnel records and financial systems
are also potential targets as they are now all largely computerized.

Impact of Security Breaches


Serious financial damage has been caused by security breaches, but because there
is no standard model for estimating the cost of an incident, the only data available is that
which is made public by the organizations involved. “Several computer security
consulting firms produce estimates of total worldwide losses attributable to virus and
worm attacks and to hostile digital acts in general. The 2003 loss estimates by these
firms range from $13 billion (worms and viruses only) to $226 billion (for all forms of
covert attacks). The reliability of these estimates is often challenged; the underlying
methodology is basically anecdotal.”
However, reasonable estimates of the financial cost of security breaches can
actually help organizations make rational investment decisions. According to the classic
Gordon-Loeb Model analyzing the optimal investment level in information security, one
can conclude that the amount a firm spends to protect information should generally be
only a small fraction of the expected loss (i.e., the expected value of the loss resulting
from a cyber/information security breach).

Attacker Motivation
As with physical security, the motivations for breaches of computer security vary
between attackers. Some are thrill-seekers or vandals, others are activists or criminals
looking for financial gain. State-sponsored attackers are now common and well
resourced, but started with amateurs such as Markus Hess, who hacked for the KGB, as
recounted by Clifford Stoll in The Cuckoo's Egg.
A standard part of threat modeling for any particular system is to identify what might
motivate an attack on that system, and who might be motivated to breach it. The level
and detail of precautions will vary depending on the system to be secured. A home
personal computer, bank and classified military network all face very different threats,
even when the underlying technologies in use are similar.

Computer Protection (Countermeasures)


In computer security, a countermeasure is an action, device, procedure, or
technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it,
by minimizing the harm it can cause, or by discovering and reporting it so that corrective
action can be taken.
Some common countermeasures are listed in the following sections:

Security Measures
A state of computer “security” is the conceptual idea, attained by the use of the three
processes: threat prevention, detection, and response. These processes are based on
various policies and system components, which include the following:
• User account access controls and cryptography can protect system files and
data, respectively.
• Firewalls are by far the most common prevention systems from a network
security perspective as they can (if properly configured) shield access to
internal network services, and block certain kinds of attacks through packet
filtering. Firewalls can be either hardware- or software-based.
• Intrusion Detection System (IDS) products are designed to detect network
attacks in progress and assist in post-attack forensics, while audit trails and
logs serve a similar function for individual systems.
• “Response” is necessarily defined by the assessed security requirements of an
individual system and may cover the range from simple upgrade of protections
to notification of legal authorities, counter-attacks, and the like. In some special
cases, a complete destruction of the compromised system is favoured, as it
may happen that not all the compromised resources are detected.

Amity Directorate of Distance and Online Education


Introduction of Information Security 7

Today, computer security comprises mainly “preventive” measures, like firewalls or
an exit procedure. A firewall can be defined as a way of filtering network data between a
host or a network and another network, such as the Internet, and can be implemented as
software running on the machine, hooking into the network stack (or, in the case of most
UNIX-based operating systems such as Linux, built into the operating system kernel) to
provide real-time filtering and blocking. Another implementation is a so-called physical
firewall which consists of a separate machine filtering network traffic. Firewalls are
common amongst machines that are permanently connected to the Internet.
However, relatively few organizations maintain computer systems with effective
detection systems, and fewer still have organized response mechanisms in place. As a
result, as Reuters points out: “Companies for the first time report they are losing more
through electronic theft of data than physical stealing of assets”. The primary obstacle to
effective eradication of cyber crime could be traced to excessive reliance on firewalls and
other automated “detection” systems. Yet it is basic evidence gathering by using packet
capture appliances that puts criminals behind bars.

Reducing Vulnerabilities
While formal verification of the correctness of computer systems is possible, it is not
yet common. Operating systems formally verified include seL4, and SYSGO’s PikeOS –
but these make up a very small percentage of the market.
Cryptography, properly implemented, is now virtually impossible to break directly.
Breaking it requires some non-cryptographic input, such as a stolen key, stolen
plaintext (at either end of the transmission), or some other extra cryptanalytic information.
Two-factor authentication is a method for mitigating unauthorized access to a
system or sensitive information. It requires “something you know”, a password or PIN,
and “something you have”, a card, dongle, cell phone, or other piece of hardware. This
increases security as an unauthorized person needs both of these to gain access.
Social engineering and direct computer access (physical) attacks can only be
prevented by non-computer means, which can be difficult to enforce, relative to the
sensitivity of the information. Even in a highly disciplined environment, such as in military
organizations, social engineering attacks can still be difficult to foresee and prevent.
It is possible to reduce an attacker’s chances by keeping systems up-to-date with
security patches and updates, using a security scanner and/or hiring competent people
responsible for security. The effects of data loss/damage can be reduced by careful
backing up and insurance.

Security by Design
Security by design, or alternately secure by design, means that the software has
been designed from the ground up to be secure. In this case, security is considered as a
main feature.
Some of the techniques in this approach include:
• The principle of least privilege, where each part of the system has only the
privileges that are needed for its function. That way even if an attacker gains
access to that part, they have only limited access to the whole system.
• Automated theorem proving to prove the correctness of crucial software
subsystems.
• Code reviews and unit testing, approaches to make modules more secure
where formal correctness proofs are not possible.
• Defense in depth, where the design is such that more than one subsystem
needs to be violated to compromise the integrity of the system and the
information it holds.
• Default secure settings, and design to “fail secure” rather than “fail insecure”.
Ideally, a secure system should require a deliberate, conscious, knowledgeable
and free decision on the part of legitimate authorities in order to make it
insecure.
• Audit trails tracking system activity, so that when a security breach occurs, the
mechanism and extent of the breach can be determined. Storing audit trails
remotely, where they can only be appended to, can keep intruders from
covering their tracks.
• Full disclosure of all vulnerabilities, to ensure that the “window of vulnerability”
is kept as short as possible when bugs are discovered.

1.1.2 Capabilities and Access Control Lists


Within computer systems, two of many security models capable of enforcing
privilege separation are access control lists (ACLs) and capability-based security. Using
ACLs to confine programs has been proven to be insecure in many situations, such as if
the host computer can be tricked into indirectly allowing restricted file access, an issue
known as the confused deputy problem. It has also been shown that the promise of ACLs
of giving access to an object to only one person can never be guaranteed in practice.
Both of these problems are resolved by capabilities. This does not mean practical flaws
exist in all ACL-based systems, but only that the designers of certain utilities must take
responsibility to ensure that they do not introduce flaws.
Capabilities have been mostly restricted to research operating systems, while
commercial OSs still use ACLs. Capabilities can, however, also be implemented at the
language level, leading to a style of programming that is essentially a refinement of
standard object-oriented design. An open source project in the area is the E-language.
The most secure computers are those not connected to the Internet and shielded
from any interference. In the real world, the most secure systems are operating systems
where security is not an add-on.
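To make the confused deputy problem concrete, here is an added Python illustration (not from the course text): a report-writing "deputy" guarded by an ACL keyed on its own identity can be steered into writing a file its client may not touch, while a capability-passing design has no ambient authority to confuse. The store, paths, principals and policy are constructed; unforgeability of the tokens is by convention here, where a real capability OS would enforce it in the kernel.

```python
"""Confused deputy: ACL with ambient authority versus capability passing.

Added illustration, not from the course text. The store, paths, principals
and policy are constructed; a real capability OS makes the tokens unforgeable
in the kernel, here they are unforgeable only by convention (handed out by
CapStore.grant alone).
"""


class AccessDenied(Exception):
    """Raised when a write is refused."""


class AclStore:
    """Toy in-memory file store guarded by an ACL keyed on the caller's identity."""

    def __init__(self) -> None:
        # Constructed sample data
        self.files = {"/billing/output.log": "", "/etc/passwd": "root:x:0:0::/root:/bin/sh"}
        self.acl = {
            "/billing/output.log": {"billing-service", "alice"},
            "/etc/passwd": {"billing-service"},  # the deputy runs as a privileged principal
        }

    def write(self, principal: str, path: str, data: str) -> None:
        if principal not in self.acl.get(path, set()):
            raise AccessDenied(f"{principal} may not write {path}")
        self.files[path] = data


def acl_deputy(store: AclStore, requested_path: str, report: str) -> None:
    """Report-writing service that writes wherever the client asks, under its own identity.

    The ACL check sees only the deputy's (ambient) authority, so the deputy cannot
    tell that the client lacks the right to write there: the confused deputy problem.
    """
    store.write("billing-service", requested_path, report)


class WriteCap:
    """Holding this token is the right to write exactly one path."""

    __slots__ = ("_store", "_path")

    def __init__(self, store: "CapStore", path: str) -> None:
        self._store, self._path = store, path

    def write(self, data: str) -> None:
        self._store.files[self._path] = data


class CapStore:
    """Same store, but access is granted by handing out capabilities to principals."""

    def __init__(self) -> None:
        self.files = {"/billing/output.log": "", "/etc/passwd": "root:x:0:0::/root:/bin/sh"}
        self._grants = {"alice": {"/billing/output.log"}}  # constructed policy

    def grant(self, principal: str, path: str) -> WriteCap:
        if path not in self._grants.get(principal, set()):
            raise AccessDenied(f"{principal} holds no write capability for {path}")
        return WriteCap(self, path)


def cap_deputy(cap: WriteCap, report: str) -> None:
    """The deputy writes only through the capability the client hands it.

    There is no ambient authority to confuse, so the client cannot make the
    deputy exceed the client's own rights.
    """
    cap.write(report)


def confused_deputy_demo() -> dict:
    """Client 'alice' asks each deputy to write her report to /etc/passwd."""
    target, report = "/etc/passwd", "alice's quarterly report"

    acl_store = AclStore()
    acl_deputy(acl_store, target, report)  # succeeds: the deputy's own rights apply
    acl_overwritten = acl_store.files[target] == report

    cap_store = CapStore()
    try:
        cap_deputy(cap_store.grant("alice", target), report)  # alice was never granted this
        cap_overwritten = True
    except AccessDenied:
        cap_overwritten = False
    # Legitimate work still proceeds with the capability alice does hold.
    cap_deputy(cap_store.grant("alice", "/billing/output.log"), report)

    return {
        "acl_overwritten": acl_overwritten,
        "cap_overwritten": cap_overwritten,
        "legit_written": cap_store.files["/billing/output.log"] == report,
    }
```

The ACL variant could be repaired by also checking the client's own rights before writing, which is exactly the extra responsibility the text says designers of such utilities must take on.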
The following terms used with regard to engineering secure systems are explained
below.
• Access authorization restricts access to a computer to a group of users through
the use of authentication systems. These systems can protect either the whole
computer – such as through an interactive login screen – or individual services,
such as an FTP server. There are many methods for identifying and
authenticating users, such as passwords, identification cards, and, more
recently, smart cards and biometric systems.
• Anti-virus software consists of computer programs that attempt to identify,
thwart and eliminate computer viruses and other malicious software (malware).
• Applications with known security flaws should not be run. Either leave them
turned off until they can be patched or otherwise fixed, or delete them and replace them
with some other application. Publicly known flaws are the main entry used by
worms to automatically break into a system and then spread to other systems
connected to it.
• Authentication techniques can be used to ensure that communication end-
points are who they say they are.


• Automated theorem proving and other verification tools can enable critical
algorithms and code used in secure systems to be mathematically proven to
meet their specifications.
• Backups are a way of securing information; they are another copy of all the
important computer files kept in another location. These files are kept on hard
disks, CD-Rs, CD-RWs, tapes and more recently on the cloud. Suggested
locations for backups are a fireproof, waterproof, and heat proof safe, or in a
separate, offsite location than that in which the original files are contained.
Some individuals and companies also keep their backups in safe deposit boxes
inside bank vaults. There is also a fourth option, which involves using one of
the file hosting services that back up files over the Internet for both business
and individuals, known as the cloud.
Backups are also important for reasons other than security. Natural disasters,
such as earthquakes, hurricanes, or tornadoes, may strike the building where
the computer is located. The building can be on fire, or an explosion may occur.
There needs to be a recent backup at an alternate secure location, in case of
such kind of disaster. Further, it is recommended that the alternate location be
placed where the same disaster would not affect both locations. Examples of
alternate disaster recovery sites being compromised by the same disaster that
affected the primary site include having had a primary site in World Trade
Center I and the recovery site in 7 World Trade Center, both of which were
destroyed in the 9/11 attack, and having one’s primary site and recovery site in
the same coastal region, which leads to both being vulnerable to hurricane
damage (for example, primary site in New Orleans and recovery site in
Jefferson Parish, both of which were hit by Hurricane Katrina in 2005). The
backup media should be moved between the geographic sites in a secure
manner, in order to prevent them from being stolen.
• Capability and access control list techniques can be used to ensure privilege
separation and mandatory access control. This section discusses their use.
• Chain of trust techniques can be used to attempt to ensure that all software
loaded has been certified as authentic by the system’s designers.
• Confidentiality is the non-disclosure of information except to another authorized
person.
• Cryptographic techniques can be used to defend data in transit between
systems, reducing the probability that data exchanged between systems can
be intercepted or modified.
• Cyber warfare is an Internet-based conflict that involves politically motivated
attacks on information and information systems. Such attacks can, for example,
disable official websites and networks, disrupt or disable essential services,
steal or alter classified data, and cripple financial systems.
• Data integrity is the accuracy and consistency of stored data, indicated by an
absence of any alteration in data between two updates of a data record.
• Cryptographic techniques involve transforming information, scrambling it so it
becomes unreadable during transmission. The intended recipient can
unscramble the message; ideally, eavesdroppers cannot.
• Encryption is used to protect the message from the eyes of others.
Cryptographically secure ciphers are designed to make any practical attempt at
breaking them infeasible. Symmetric key ciphers are suitable for bulk encryption
using shared keys, and public key encryption using digital certificates can
provide a practical solution for the problem of securely communicating when no
key is shared in advance.
• Endpoint security software helps networks to prevent exfiltration (data theft)
and virus infection at network entry points made vulnerable by the prevalence
of potentially infected portable computing devices, such as laptops and mobile
devices, and external storage devices, such as USB drives.
• Firewalls are an important method for control and security on the Internet and
other networks. A network firewall can be a communications processor,
typically a router, or a dedicated server, along with firewall software. A firewall
serves as a gatekeeper system that protects a company’s intranets and other
computer networks from intrusion by providing a filter and safe transfer point
for access to and from the Internet and other networks. It screens all network
traffic for proper passwords or other security codes and only allows authorized
transmission in and out of the network. Firewalls can deter, but not completely
prevent, unauthorized access (hacking) into computer networks; they can also
provide some protection from online intrusion.
• Honey pots are computers that are either intentionally or unintentionally left
vulnerable to attack by crackers. They can be used to catch crackers or fix
vulnerabilities.
• Intrusion detection systems can scan a network for people that are on the
network but who should not be there or are doing things that they should not be
doing, for example, trying a lot of passwords to gain access to the network.
• Pinging – The ping application can be used by potential crackers to find if an
IP address is reachable. If a cracker finds a computer, they can try a port scan
to detect and attack services on that computer.

1.2 CIA Triangle


Confidentiality, integrity and availability, also known as the CIA triad, is a model
designed to guide policies for information security within an organization. The model is
also sometimes referred to as the AIC triad (availability, integrity and confidentiality) to
avoid confusion with the Central Intelligence Agency. The elements of the triad are
considered the three most crucial components of security.
In this context, confidentiality is a set of rules that limits access to information,
integrity is the assurance that the information is trustworthy and accurate, and availability
is a guarantee of reliable access to the information by authorized people.

1.2.1 Confidentiality
Confidentiality is roughly equivalent to privacy. Measures undertaken to ensure
confidentiality are designed to prevent sensitive information from reaching the wrong
people, while making sure that the right people can in fact get it. Access must be
restricted to those authorized to view the data in question. It is common, as well, for data
to be categorized according to the amount and type of damage that could be done should
it fall into unintended hands. More or less stringent measures can then be implemented
according to those categories.
Sometimes safeguarding data confidentiality may involve special training for those
privy to such documents. Such training would typically cover the security risks that could
threaten this information. Training can help familiarize authorized people with risk factors
and how to guard against them. Further aspects of training can include strong passwords
and password-related best practices and information about social engineering methods,
to prevent them from bending data-handling rules with good intentions and potentially
disastrous results.
A good example of methods used to ensure confidentiality is an account number or
routing number when banking online. Data encryption is a common method of ensuring
confidentiality. User IDs and passwords constitute a standard procedure; two-factor
authentication is becoming the norm. Other options include biometric verification and
security tokens, key fobs or soft tokens. In addition, users can take precautions to
minimize the number of places where the information appears and the number of times it
is actually transmitted to complete a required transaction. Extra measures might be taken
in the case of extremely sensitive documents, precautions such as storing only on air
gapped computers, disconnected storage devices or, for highly sensitive information, in
hard copy form only.

1.2.2 Integrity
Integrity involves maintaining the consistency, accuracy, and trustworthiness of data
over its entire life cycle. Data must not be changed in transit, and steps must be taken to
ensure that data cannot be altered by unauthorized people (for example, in a breach of
confidentiality). These measures include file permissions and user access controls.
Version control may be used to prevent erroneous changes or accidental deletion by
authorized users becoming a problem. In addition, some means must be in place to
detect any changes in data that might occur as a result of non-human-caused events
such as an electromagnetic pulse (EMP) or server crash. Some data might include
checksums, even cryptographic checksums, for verification of integrity. Backups or
redundancies must be available to restore the affected data to its correct state.
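The cryptographic checksums mentioned here and the remotely stored, append-only audit trail from the Security by Design list above can be built as one mechanism: a keyed hash chain, where each entry commits to everything before it. The following Python example is added here and is not part of the course text; the collector key, the sample events and their field names are constructed.

```python
"""Tamper-evident audit log: a keyed hash chain with an integrity check.

Added example, not from the course text. The key, events and field names
are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed key: in practice held only by the remote log collector, never by
# the monitored host, so an intruder on that host cannot recompute the chain.
COLLECTOR_KEY = b"constructed-demo-key-not-for-real-use"
GENESIS = "0" * 64  # link value before the first entry


def _link(prev_hash: str, record: dict, key: bytes) -> str:
    """HMAC-SHA256 over the previous link and a canonical encoding of the record."""
    payload = prev_hash.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(chain: list, record: dict, key: bytes = COLLECTOR_KEY) -> list:
    """Append-only: the new entry's link covers every entry before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "hash": _link(prev, record, key)})
    return chain


def verify(chain: list, key: bytes = COLLECTOR_KEY) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry.

    Editing, deleting or reordering any entry breaks the link that the following
    entries committed to, so the break shows up at or before the tampered position.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _link(prev, entry["record"], key)
        if not hmac.compare_digest(expected, entry["hash"]):
            return i
        prev = entry["hash"]
    return -1


# Constructed sample events, as a host might forward them to the collector
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2024-01-01T10:05:12Z", "user": "alice", "action": "config_change",
     "file": "/etc/ssh/sshd_config"},
    {"ts": "2024-01-01T10:07:40Z", "user": "alice", "action": "logout", "result": "ok"},
]


def build_sample_chain() -> list:
    """Fresh chain over copies of the sample events (copies keep demos independent)."""
    chain = []
    for ev in SAMPLE_EVENTS:
        append(chain, dict(ev))
    return chain


def demo_tamper_detection() -> dict:
    """Show that rewriting or deleting an entry is detected by verify()."""
    intact = build_sample_chain()

    edited = build_sample_chain()
    edited[1]["record"]["file"] = "/tmp/scratch"  # history rewritten in place

    deleted = build_sample_chain()
    del deleted[1]  # the incriminating entry removed

    return {"intact": verify(intact), "edited": verify(edited), "deleted": verify(deleted)}
```

Because the key lives only with the collector, a host-side intruder who alters the forwarded copy cannot recompute valid links; the collector's append-only storage is what protects the chain itself.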

1.2.3 Availability
Availability is best ensured by rigorously maintaining all hardware, performing
hardware repairs immediately when needed and maintaining a correctly functioning
operating system environment that is free of software conflicts. It’s also important to keep
current with all necessary system upgrades. Providing adequate communication
bandwidth and preventing the occurrence of bottlenecks are equally important.
Redundancy, failover, RAID even high-availability clusters can mitigate serious
consequences when hardware issues do occur. Fast and adaptive disaster recovery is
essential for the worst case scenarios; that capacity is reliant on the existence of a
comprehensive disaster recovery plan (DRP). Safeguards against data loss or
interruptions in connections must include unpredictable events such as natural disasters
and fire. To prevent data loss from such occurrences, a backup copy may be stored in a
geographically-isolated location, perhaps even in a fireproof, waterproof safe. Extra
security equipment or software such as firewalls and proxy servers can guard against
downtime and unreachable data due to malicious actions such as denial-of-service (DoS)
attacks and network intrusions.

Diagram: The CIA triangle of confidentiality, integrity and availability, surrounded by the
four layers at which each property has to be enforced: the application access layer, the
infrastructure access layer, the physical access layer and the data in motion layer.

1.3 Identifying the Assets


The task of identifying assets that need to be protected is a less glamorous aspect
of information security. But unless we know these assets, their locations and value, how
are we going to decide the amount of time, effort or money that we should spend on
securing the assets?
The major steps required for asset classification and controls are:
A. Identification of the assets
B. Accountability of assets
C. Preparing a schema for information classification
D. Implementing the classification schema

1.3.1 Identification of Assets


What are the critical assets? Suppose your corporate office was gutted in a major
fire. Coping with this level of disaster will depend on what critical information you
previously backed up at a remote location. Another nightmarish scene is that a hacker
entered your network and copied your entire customer database. What impact will this
have on your business?
Identifying the critical assets is essential for many reasons. You will come to know
what is critical and essential for the business. You will be able to take appropriate
decisions regarding the level of security that should be provided to protect the assets.
You will also be able to decide about the level of redundancy that is necessary by
keeping an extra copy of the data or an extra server that you should procure and keep as
a hot standby.
Next question that we need to ponder upon is: What exactly is an information asset?
Is it the hardware, the software, the programs or the database?
We can broadly classify assets in the following categories:

1. Information Assets
Every piece of information about your organization falls in this category. This
information has been collected, classified, organized and stored in various forms.
(a) Databases: Information about your customers, personnel, production, sales,
marketing and finances is critical for your business. Its confidentiality, integrity
and availability is of utmost importance.
(b) Data files: Transactional data giving up-to-date information about each event.
(c) Operational and support procedures: These have been developed over the
years and provide detailed instructions on how to perform various activities.
(d) Archived information: Old information that may be required to be maintained
by law.
(e) Continuity plans, fallback arrangements: These would be developed to
overcome any disaster and maintain the continuity of business. Absence of
these will lead to ad-hoc decisions in a crisis.

2. Software Assets
These can be divided into two categories:
(a) Application software: Application software implements business rules of the
organization. Creation of application software is a time-consuming task. Integrity
of application software is very important. Any flaw in the application software
could impact the business adversely.
(b) System software: An organization would invest in various packaged software
programs like operating systems, DBMS, development tools and utilities,
software packages, office productivity suites, etc.
Most of the software under this category would be available off-the-shelf, unless the
software is obsolete or non-standard.

3. Physical Assets
These are the visible and tangible equipment and could comprise of:
(a) Computer equipment: Mainframe computers, servers, desktops and notebook
computers.
(b) Communication equipment: Modems, routers, EPABXs and fax machines.
(c) Storage media: Magnetic tapes, disks, CDs and DATs.
(d) Technical equipment: Power supplies and air conditioners.
(e) Furniture and fixtures.

4. Services
(a) Computing services that the organization has outsourced.
(b) Communication services like voice communication, data communication, value
added services, wide area network, etc.
(c) Environmental conditioning services like heating, lighting, air conditioning and
power.

1.3.2 Accountability of Assets


The next step is to establish accountability of assets. This is not difficult for the
tangible assets like physical assets. Usually, the organization will have fixed assets
register maintained for the purpose of calculating depreciation.
A more difficult task is establishing ownership for the information assets. There will
be a number of users for these assets. But the prime responsibility for accuracy will lie
with the asset owner. Any addition or modification to the information asset will only be
done with the consent of the asset owner. For example, any changes to customer
information will be done with the knowledge and consent of the marketing head.
Information technology staff will probably make the changes physically. But ownership
clearly lies with the business head that has the prime responsibility for the content in the
customer database.
Using these criteria, we have to identify the actual owners of each of the information
assets. This is also an important step for one more reason. Only an owner of the asset
will be able to decide the business value of the asset. Unless the correct business value
of the asset is known, we cannot identify the security requirement of the asset.
The next step is identifying owners of the application software. Application software
implements the business rules. As such, the business process owner should be the
owner of application software. But the responsibility of maintaining application software to
accurately reflect business rules will be vested with the application developers. As such,
the accountability for application software should be with the application development
manager.
System software ownership could be with the appropriate persons within the IT
team. The owner of these assets will be responsible for maintaining all the system
software including protecting the organization against software piracy.

Assets Valuation
What is the value of an asset? Like beauty, which is in the eyes of the beholder, an
asset’s value is best known to the asset owner. It may not be merely the written down
value. A more realistic measure is the replacement value. How much is it going to cost if
the asset has to be acquired today? Accurate valuation of an information asset is a tricky
task. Due care must be taken. A seemingly small item may be immensely difficult to
replace today.
True value of the asset will lead us to identify realistic measures needed for
protection of the asset.

1.3.3 Preparing a Schema for Classification


The next task is to create classification levels. The criteria for the classification of
assets could be:
1. Confidentiality: Can the information be freely distributed? Or do we need to
restrict it to certain identified individuals?
2. Value: What is the asset value? Is it a high value item, costly to replace or a
low value item?
3. Time: Is the information time-sensitive? Will its confidentiality status change
after some time?
4. Access rights: Who will have access to the asset?
5. Destruction: How long the information will be stored? How can it be destroyed,
if necessary?
Each asset needs to be evaluated against the above criteria and classified for easy
identification. Let us look at each category for classification.
Confidentiality could be defined in terms of:
(a) Confidential: Where the access is restricted to a specific list of people. These
could be company plans, secret manufacturing processes, formulas, etc.
(b) Company only: Where the access is restricted to internal employees only.
These could be customer databases, manufacturing procedures, etc.
(c) Shared: Where the resources are shared within groups or with people outside
of the organization. This could be operational information and contact
information like the internal telephone book to be shared with business
partners and agents.
(d) Unclassified: Where the resources are publicly accessible. For example, the
company sales brochure and other publicity material.
Classification based on value could be high, medium or low value. A detailed
explanation should be prepared giving the reasoning for this classification. A critical
component costing a few rupees may be a very high value item as it is not easily
available and could stop the production of a high cost item.
Access rights need to be defined for individuals as well as groups. Who is cleared to
access confidential information in the organization? And who decides the access rights?
Logically, it will be the asset owner who will decide these access rights.
Destruction should be a scheduled and controlled activity. The information that is no
longer needed by the company but which could still be useful to competitors should be
destroyed as per a pre-decided schedule and method—depending on the confidentiality
classification. For information recorded on hard disk, mere deletion of files does not
obliterate information. A more stringent procedure like multiple overwriting may be
needed.
Classification schema should lead to an implementable structure. It should be
simple to understand and identify.

1.3.4 Implementation of the Classification Schema


The real test of classification schema is when it is implemented. Information is a fluid
resource. It keeps changing its form. The implementation should lead to a uniform way of
identifying the information so that a uniform protection could be provided.
Let us take an example. A company’s business plan is a confidential document. Let
us trace its journey in the corporate world.

The plan will be discussed behind closed doors, known to only a few senior
members. In the next step, the final plan will be prepared and stored on the MD’s
computer or that of his secretary. A soft copy of this plan would be sent by e-mail to all
executives who need to refer to it. The hard disk of every computer where the plan is
stored will also have a backup copy on floppy or other media. Each member will no doubt
print it and keep a hard copy folder for reference. An extra copy will also be prepared
using the copying machine. If the e-mail is not available, the plan would be sent by fax,
post or courier.
So, the ‘confidential’ plan is now distributed across the organization, available on the
hard disks of computers belonging to each secretary and each senior executive. You get
the general idea. If this can happen to confidential information, imagine how easy it is to
get hold of other types of information. The information explosion has given rise to
proliferation of information in every nook and corner of the organization.
A practical implementation of classification schema, thus, becomes very important.
The classification label should not give an easy way of identification, which could be
misused. It should provide the right amount of protection.
In the example given above, each and every asset where the confidential
information is residing or transiting through will have to be given the same classification
level as that of the information itself.
It may be desirable to altogether avoid transmission of confidential documents in
soft copy format, for example as an attachment to e-mail. Only a restricted number of
hard copies should be circulated. If it is necessary to carry the soft copies, everyone
should be instructed to encrypt information for transmission and storage, and to
memorize their passwords and keep them secret.
Asset classification is, thus, the key to various security controls that need to be
implemented for asset protection.
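The rule stated in 1.3.4, that every asset where confidential information resides or transits inherits the information's classification, and the level scheme from 1.3.3 can be turned into a simple check that an asset register can run. The Python below is an added example, not part of the original text; the assets, the flows (modelled on the business plan's journey above) and the protection level each asset is currently run at are all constructed for the illustration.

```python
# Classification levels from the schema in 1.3.3, lowest to highest.
LEVELS = ["Unclassified", "Shared", "Company only", "Confidential"]
RANK = {name: rank for rank, name in enumerate(LEVELS)}

# Constructed information assets and the level their owners assigned.
INFORMATION = {
    "business-plan": "Confidential",
    "internal-phone-book": "Shared",
    "sales-brochure": "Unclassified",
}

# Constructed flows: (information, asset it resides on or transits through),
# following the journey of the business plan described in 1.3.4.
FLOWS = [
    ("business-plan", "md-workstation"),
    ("business-plan", "secretary-workstation"),
    ("business-plan", "mail-server"),
    ("business-plan", "md-backup-floppy"),
    ("business-plan", "photocopier"),
    ("internal-phone-book", "mail-server"),
    ("internal-phone-book", "partner-extranet"),
    ("sales-brochure", "mail-server"),
    ("sales-brochure", "public-web-server"),
]

# Constructed: the protection level each asset is currently operated at.
CURRENT_PROTECTION = {
    "md-workstation": "Confidential",
    "secretary-workstation": "Company only",
    "mail-server": "Company only",
    "md-backup-floppy": "Unclassified",
    "photocopier": "Unclassified",
    "partner-extranet": "Shared",
    "public-web-server": "Unclassified",
}


def highest(a: str, b: str) -> str:
    """The more restrictive of two classification levels."""
    return a if RANK[a] >= RANK[b] else b


def required_levels(information: dict, flows: list) -> dict:
    """Rule from 1.3.4: an asset inherits the highest classification of any
    information residing on it or transiting through it."""
    required = {}
    for info, asset in flows:
        level = information[info]
        required[asset] = highest(required.get(asset, "Unclassified"), level)
    return required


def underprotected(required: dict, current: dict) -> list:
    """Assets operated below the level the information on them demands, as
    (asset, current level, required level), largest shortfall first."""
    gaps = []
    for asset, need in required.items():
        have = current.get(asset, "Unclassified")
        if RANK[have] < RANK[need]:
            gaps.append((asset, have, need))
    return sorted(gaps, key=lambda g: RANK[g[2]] - RANK[g[1]], reverse=True)


def holders_of_level(flows: list, level: str, information: dict) -> set:
    """Every asset holding a copy of information classified at `level`: the
    answer to "where has the confidential plan spread to?"."""
    return {asset for info, asset in flows if information[info] == level}


if __name__ == "__main__":
    required = required_levels(INFORMATION, FLOWS)
    for asset, have, need in underprotected(required, CURRENT_PROTECTION):
        print(f"{asset}: operated at {have!r}, must be {need!r}")
    print("copies of Confidential information on:",
          sorted(holders_of_level(FLOWS, "Confidential", INFORMATION)))
```

Run as is, the check reports the backup floppy and the photocopier as three levels short, and the secretary's workstation and the mail server as one level short, which is exactly the proliferation problem the section describes: the mail server carries the brochure and the phone book too, but it is the plan passing through it that sets its required level.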

1.4 The Need for Security


Administrators normally find that putting together a security policy that restricts both
users and attacks is time-consuming and costly. Users also become disgruntled at the
heavy security policies making their work difficult for no discernible reason, causing bad
politics within the company. Planning an audit policy on huge networks takes up both
server resources and time, and often administrators take no note of the audited events. A
common attitude among users is that if no secret work is being performed, why bother
implementing security.
There is a price to pay when a half-hearted security plan is put into action. It can
result in unexpected disaster. A password policy that allows users to use blank or weak
passwords is a hacker’s paradise. No firewall or proxy protection between the
organization’s private local area network (LAN) and the public Internet makes the
company a target for cyber crime.
Organizations will need to determine the price they are willing to pay in order to
protect data and other assets. This cost must be weighed against the costs of losing
information and hardware and disrupting services. The idea is to find the correct balance.
If the data needs minimal protection and the loss of that data is not going to cost the
company, then the cost of protecting that data will be less. If the data is sensitive and
needs maximum protection, then the opposite is normally true.

1.5 Security Threats

1.5.1 Introduction
The first part of this section outlines security threats and briefly describes the
methods, tools, and techniques that intruders use to exploit vulnerabilities in systems to
achieve their goals.

1.5.2 Security Threats, Attacks, and Vulnerabilities


Information is the key asset in most organizations. Companies gain a competitive
advantage by knowing how to use that information. The threat comes from others who
would like to acquire the information or limit business opportunities by interfering with
normal business processes.
The object of security is to protect valuable or sensitive organizational information
while making it readily available. Attackers trying to harm a system or disrupt normal
business operations exploit vulnerabilities by using various techniques, methods, and
tools.
Attackers generally have motives or goals—for example, to disrupt normal business
operations or steal information. To achieve these motives or goals, they use various
methods, tools, and techniques to exploit vulnerabilities in a computer system or security
policy and controls.
Goal + Method + Vulnerabilities = Attack

Security Threats
Threats can originate from two primary sources: humans and nature. Human
threats subsequently can be broken into two categories: malicious and non-malicious.
The non-malicious “attacks” usually come from users and employees who are not trained
on computers or are not aware of various computer security threats. Malicious attacks
usually come from non-employees or disgruntled employees who have a specific goal or
objective to achieve.
Figure 1 introduces a layout that can be used to break up security threats into
different areas.

Figure 1: Security threats into different areas. The diagram divides security threats into
human threats and natural disasters. Human threats are either malicious (outsiders like
crackers or hackers, and insiders like disgruntled employees) or non-malicious (ignorant
employees); natural disasters include floods, fires, earthquakes and hurricanes.

Natural Disasters
Nobody can stop nature from taking its course. Earthquakes, hurricanes, floods,
lightning, and fire can cause severe damage to computer systems. Information can be
lost, system downtime or loss of productivity can occur, and damage to hardware can
disrupt other essential services.
Few safeguards can be implemented against natural disasters. The best approach
is to have disaster recovery plans and contingency plans in place. Other threats such
as riots, wars, and terrorist attacks could be included here. Although they are human-
caused threats, they are classified as disastrous.
Human Threats
Malicious threats consist of inside attacks by disgruntled or malicious employees
and outside attacks by non-employees just looking to harm and disrupt an organization.
The most dangerous attackers are usually insiders (or former insiders), because
they know many of the codes and security measures that are already in place. Insiders
are likely to have specific goals and objectives, and have legitimate access to the system.
Employees are the people most familiar with the organization’s computers and
applications, and they are most likely to know what actions might cause the most
damage.
The insider attack can affect all components of computer security. By browsing
through a system, confidential information could be revealed. Insider attacks can affect
availability by overloading the system’s processing or storage capacity, or by causing the
system to crash.
People often refer to these individuals as “crackers” or “hackers.” The definition of
“hacker” has changed over the years. A hacker was once thought of as any individual
who enjoyed getting the most out of the system he or she was using. A hacker would use
a system extensively and study it until he or she became proficient in all its nuances. This
individual was respected as a source of information for local computer users, someone
referred to as a “guru” or “wizard.”
Now, however, the term hacker refers to people who either break in to systems for
which they have no authorization or intentionally overstep their bounds on systems for
which they do not have legitimate access.
The correct term to use for someone who breaks into systems is a “cracker.”
Common methods for gaining access to a system include password cracking, exploiting
known security weaknesses, network spoofing, and social engineering.
Malicious attackers normally will have a specific goal, objective, or motive for an
attack on a system. These goals could be to disrupt services and the continuity of
business operations by using denial-of-service (DoS) attack tools. They might also want
to steal information or even steal hardware such as laptop computers. Hackers can sell
information that can be useful to competitors.
In 1996, a laptop computer was stolen from an employee of Visa International that
contained 314,000 credit card accounts. The total cost to Visa for just canceling the
numbers and replacing the cards was $6 million.
– SecurTek Corporation, http://www.securtekcorporation.com/Protect1.ht
Attackers are not the only ones who can harm an organization. The primary threat to
data integrity comes from authorized users who are not aware of the actions they are
performing. Errors and omissions can cause valuable data to be lost, damaged, or
altered.

Non-malicious threats usually come from employees who are untrained in computers
and are unaware of security threats and vulnerabilities.

Figure 2: Threats (non-malicious threats, malicious threats with their motives and goals,
and natural disasters) use techniques and methods that exploit vulnerabilities in the
security controls and policies in order to reach assets. Good security controls can stop
certain attacks, poor security policies could let an attack through, and no security policies
or controls at all could be disastrous.

The following table gives some examples of the various aspects discussed above.
Threats:
Ŷ Employees
Ŷ Malicious
Ŷ Ignorant
Ŷ Non-employees
Ŷ Outside attackers
Ŷ Natural disasters
Ŷ Floods
Ŷ Earthquakes
Ŷ Hurricanes
Ŷ Riots and wars
Motives/Goals:
Ŷ Deny services
Ŷ Steal information
Ŷ Alter information
Ŷ Damage information
Ŷ Delete information
Ŷ Make a joke
Ŷ Show-off
Methods:
Ŷ Social engineering
Ŷ Viruses, Trojan horses, worms
Ŷ Packet replay
Ŷ Packet modification
Ŷ IP spoofing
Ŷ Mail bombing
Ŷ Various hacking tools
Ŷ Password cracking
Security Policies:
Ŷ Vulnerabilities
Ŷ Assets
Ŷ Information and data
Ŷ Productivity
Ŷ Hardware
Ŷ Personnel

Note that ignorant employees usually have no motives and goals for causing
damage. The damage is accidental. Also, malicious attackers can deceive ignorant
employees by using “social engineering” to gain entry. The attacker could masquerade
as an administrator and ask for passwords and user names. Employees who are not well
trained and are not security aware can fall for this.
Common examples of computer-related employee sabotage include:
Ɣ Changing data
Ɣ Deleting data
Ɣ Destroying data or programs with logic bombs
Ɣ Crashing systems
Ɣ Holding data hostage
Ɣ Destroying hardware or facilities
Ɣ Entering data incorrectly

Motives, Goals, and Objectives of Malicious Attackers


There is a strong overlap between physical security and data privacy and integrity.
Indeed, the goal of some attacks is not the physical destruction of the computer system
but the penetration and removal or copying of sensitive information. Attackers want to
achieve these goals either for personal satisfaction or for a reward.
Here are some methods that attackers use:
Ɣ Deleting and altering information. Malicious attackers who delete or alter
information normally do this to prove a point or take revenge for something that
has happened to them. Inside attackers normally do this to spite the organization
because they are disgruntled about something. Outside attackers might want to
do this to prove that they can get in to the system or for the fun of it.
April 27, 2000: Cheng Tsz-chung, 22, was put behind bars last night after
changing the password on another user’s account and then demanding $500
(Hong Kong currency) to change it back. The victim paid the money and then
contacted police. Cheng has pleaded guilty to one charge of unauthorized
access of a computer and two counts of theft. The magistrate remanded Cheng
in custody and said his sentence, which will be handed down on May 10
pending reports, must have a deterrent effect. Cheng’s lawyer told Magistrate
Ian Candy that his client committed the offenses “just for fun.”
Ɣ Committing information theft and fraud. Information technology is
increasingly used to commit fraud and theft. Computer systems are exploited in
numerous ways, both by automating traditional methods of fraud and by using
new methods. Financial systems are not the only ones subject to fraud. Other
targets are systems that control access to any resources, such as time and
attendance systems, inventory systems, school grading systems, or long-
distance telephone systems.
Ɣ Disrupting normal business operations. Attackers may want to disrupt
normal business operations. In any circumstance like this, the attacker has a
specific goal to achieve. Attackers use various methods for denial-of-service
attacks; the section on methods, tools, and techniques will discuss these.

Methods, Tools, and Techniques for Attacks


Attacks = motive + method + vulnerability. The method in this formula exploits
the organization’s vulnerability in order to launch an attack as shown in Figure 2.
Malicious attackers can gain access or deny services in numerous ways. Here are some
of them:
Ɣ Viruses. Attackers can develop harmful code known as viruses. Using hacking
techniques, they can break into systems and plant viruses. Viruses in general
are a threat to any environment. They come in different forms and although not
always malicious, they always take up time. Viruses can also be spread via
e-mail and disks.
Ɣ Trojan horses. These are malicious programs or software code hidden inside
what looks like a normal program. When a user runs the normal program, the
hidden code runs as well. It can then start deleting files and causing other
damage to the computer. Trojan horses are normally spread by e-mail
attachments. The Melissa virus that caused denial-of-service attacks
throughout the world in 1999 was a type of Trojan horse.
Ɣ Worms. These are programs that run independently and travel from computer
to computer across network connections. Worms may have portions of
themselves running on many different computers. Worms do not change other
programs, although they may carry other code that does.
Ɣ Password cracking. This is a technique attackers use to surreptitiously gain
system access through another user’s account. This is possible because users
often select weak passwords. The two major problems with passwords are
when they are easy to guess based on knowledge of the user (for example,
wife’s maiden name) and when they are susceptible to dictionary attacks (that
is, using a dictionary as the source of guesses).
Ɣ Denial-of-service attacks. This attack exploits the need to have a service
available. It is a growing trend on the Internet because websites in general are
open doors ready for abuse. People can easily flood the Web server with
communication in order to keep it busy. Therefore, companies connected to the
Internet should prepare for DoS attacks. They are also difficult to trace, and they can
allow other types of attacks to go unnoticed.
Ɣ E-mail hacking. Electronic mail is one of the most popular features of the
Internet. With access to Internet e-mail, someone can potentially correspond
with any one of millions of people worldwide. Some of the threats associated
with e-mail are:
Ŷ Impersonation. The sender address on Internet e-mail cannot be trusted
because the sender can create a false return address. Someone could
have modified the header in transit, or the sender could have connected
directly to the Simple Mail Transfer Protocol (SMTP – the protocol used
for sending e-mail) port on the target computer to enter the e-mail.
Ŷ Eavesdropping. E-mail headers and contents are transmitted in the clear
text if no encryption is used. As a result, the contents of a message can
be read or altered in transit. The header can be modified to hide or
change the sender, or to redirect the message.
Ɣ Eavesdropping. This allows a cracker (hacker) to make a complete copy of
network activity. As a result, a cracker can obtain sensitive information such as
passwords, data, and procedures for performing functions. It is possible for a
cracker to eavesdrop by wiretapping, using radio, or using auxiliary ports on
terminals. It is also possible to eavesdrop using software that monitors packets
sent over the network. In most cases, it is difficult to detect eavesdropping.
Ɣ Social engineering. This is a common form of cracking. It can be used by
outsiders and by people within an organization. Social engineering is a hacker
term for tricking people into revealing their password or some form of security
information.
Ɣ Intrusion attacks. In these attacks, a hacker uses various hacking tools to
gain access to systems. These can range from password cracking tools to
protocol hacking and manipulation tools. Intrusion detection tools often can
help to detect changes and variants that take place within systems and
networks.
Note: Additional handout on viruses.

Security Vulnerabilities
As explained previously, a malicious attacker uses a method to exploit vulnerabilities in
order to achieve a goal. Vulnerabilities are weak points or loopholes in security that an
attacker exploits in order to gain access to the network or to resources on the network (see
Figure 2). Remember that the vulnerability is not the attack, but rather the weak point that is
exploited. Here are some of the weak points:
Ɣ Passwords. Password selection will be a contentious point as long as users
have to select one. The problem usually is remembering the correct password
from among the multitude of passwords a user needs to remember. Users end
up selecting commonly used passwords because they are easy to remember, anything
from birthdays to the names of loved ones. This is a vulnerability because it gives others
a good chance to guess the correct password.
Ɣ Protocol design. Communication protocols sometimes have weak points.
Attackers use these to gain information and eventually gain access to systems.
Ɣ Modems. Modems have become standard features on many desktop computers.
Any unauthorized modem is a serious security concern. People use them not just
to connect to the Internet, but also to connect to their office so they can work from
home. The problem is that a modem is a means of bypassing the “firewall” that
protects a network from outside intruders. A hacker using a “war dialer” tool to
identify the modem telephone number and a “password cracker” tool to break a
weak password can gain access to the system. Due to the nature of computer
networking, once a hacker connects to that one computer, the hacker can often
connect to any other computer in the network.
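The password weaknesses named under "Password cracking" above and under "Passwords" here (guessable from knowledge of the user, vulnerable to a dictionary) are the ones a password policy check should reject before the password is ever set. The Python below is an added example of such a check, not part of the original text or of any product: the word list is a constructed handful of entries standing in for a full dictionary, the letter substitution table is a deliberately small one, and the minimum length of 12 is an assumed policy value.

```python
import re

# Constructed mini wordlist; a real check would load a full dictionary and a
# list of previously breached passwords.
DICTIONARY = {"password", "welcome", "letmein", "summer", "dragon", "qwerty",
              "admin", "monkey", "football"}

# Characters users substitute for letters; map them back before checking
# (a constructed, deliberately short table).
LEET = str.maketrans("4301$5!@", "aeolssia")


def normalise(password: str) -> str:
    """Lower-case and undo common letter substitutions so that 'P@ssw0rd'
    is treated as 'password'."""
    return password.lower().translate(LEET)


def core_word(password: str) -> str:
    """Strip the digits and symbols users append or prepend to a word."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)


def check_password(password: str, user_facts: list, min_length: int = 12) -> list:
    """Return the list of policy problems; an empty list means the password
    passes this constructed policy. user_facts are things an attacker could
    learn about the user (names, birth year), per the text above."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    normalised = normalise(password)
    if normalised in DICTIONARY or normalise(core_word(password)) in DICTIONARY:
        problems.append("dictionary word")
    for fact in user_facts:
        fact_l = fact.lower()
        if len(fact_l) >= 3 and (fact_l in password.lower() or fact_l in normalised):
            problems.append(f"contains personal information ({fact})")
    # Four-digit years and 6-8 digit runs are the usual date-derived fillers.
    if re.search(r"(19|20)\d{2}", password) or re.search(r"\d{6,8}", password):
        problems.append("contains a date-like number")
    if len(set(password)) < 5:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed candidates for a user whose name and birth year are known.
    facts = ["John", "Doe", "1985"]
    for candidate in ["P@ssw0rd1", "JohnDoe1985!", "correct horse battery staple 42"]:
        print(f"{candidate!r}: {check_password(candidate, facts) or 'ok'}")
```

The check is deliberately applied to the normalised form as well as the raw one, because the substitutions that make a word look unusual to a person do not make it unusual to a dictionary attack, which tries those substitutions as a matter of course. A long passphrase of ordinary words passes, which is the intended trade-off: length defeats guessing far more reliably than symbols do.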
Some Examples:
Example 1: Non-malicious threat (ignorant employees).
An employee known here as John Doe copied games and other executables from a
1.44 MB disk onto his local hard drive and then ran the executables. Unfortunately, the
games contained various viruses and Trojan horses. The organization had not yet
deployed any anti-virus software. After a short time, John Doe and other employees
began to notice strange and unforeseen events occurring on their computers, causing
disruption of services and possible corruption of data. The following figure explains the
various vulnerabilities that existed and the loss in assets that are involved.

Figure 3: Non-malicious threat (John Doe) acting against the security controls and policies.
Vulnerabilities: no virus detection products installed; no control on the use of diskettes.
Assets affected: loss of productivity and data.

Example 2: Malicious threat (malicious attackers).


An employee known here as Sally was turned down for promotion three times. Sally
believes that she has put in a considerable amount of work and overtime and is being
turned down for promotion because she is too young. Sally has a degree in computer
science and decides to resign from the company and take revenge on it by causing the
company’s Web server to stop servicing requests. Sally uses a denial-of-service attack
tool called Trin00 to start an attack on the company’s Web server.
Most of the company’s business is conducted via e-commerce and clients are
complaining that they cannot connect to the Web server. The following diagram outlines
the various tools and vulnerabilities Sally used to achieve her goal.

Figure 4: Malicious threat (disgruntled employee Sally). Goal: to stop productivity.
Tools: denial-of-service attack tools. Vulnerabilities: no filtering on routers; no
Reverse Path Forwarding (RPF) used to check for spoofing. Asset affected: loss of
productivity. Context: security controls and policies.
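Figure 4 names the missing Reverse Path Forwarding (RPF) check on the routers as one of the vulnerabilities behind Sally's attack. The script below is an added example, not part of the original text, showing what that check does: a strict unicast RPF filter drops any packet whose source address the router would not route back out of the interface it arrived on, so traffic with a forged source is stopped at the network edge. The forwarding table, interface names and packets are constructed for the example.

```python
"""Strict unicast Reverse Path Forwarding (uRPF) as an ingress anti-spoofing filter.

Added example; the forwarding table and packets below are constructed for it.
Strict uRPF accepts a packet only if the longest-matching route for its *source*
address points out of the interface the packet arrived on. A source that belongs
to another network, or that is only reachable via the upstream link, is dropped
where it enters the router instead of reaching the victim."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]

# Constructed forwarding table: prefix -> egress interface (documentation ranges).
FORWARDING_TABLE: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "eth0"),          # default route towards the ISP
    ("203.0.113.0/24", "eth1"),     # customer LAN A
    ("198.51.100.0/24", "eth2"),    # customer LAN B
]


def build_table(rows: List[Tuple[str, str]]) -> List[Route]:
    return [(ipaddress.ip_network(prefix), iface) for prefix, iface in rows]


def lookup(table: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match for addr; None if no route covers it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for route in table:
        net = route[0]
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def urpf_strict(table: List[Route], src: str, ingress: str) -> bool:
    """The route back to src must leave through the interface the packet came in on."""
    route = lookup(table, src)
    return route is not None and route[1] == ingress


def filter_packets(table: List[Route], packets):
    """Split (src, dst, ingress) tuples into (accepted, dropped) under strict uRPF."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if urpf_strict(table, pkt[0], pkt[2]) else dropped).append(pkt)
    return accepted, dropped


# Constructed traffic as seen by the router.
SAMPLE_PACKETS = [
    ("203.0.113.10", "192.0.2.80", "eth1"),    # legitimate traffic from customer A
    ("198.51.100.5", "192.0.2.80", "eth1"),    # spoofed: that source lives behind eth2
    ("192.0.2.55",   "192.0.2.80", "eth1"),    # spoofed: only reachable via eth0
    ("192.0.2.55",   "203.0.113.10", "eth0"),  # normal inbound from the Internet
]

if __name__ == "__main__":
    table = build_table(FORWARDING_TABLE)
    ok, bad = filter_packets(table, SAMPLE_PACKETS)
    for src, dst, ingress in bad:
        via = lookup(table, src)[1]
        print(f"DROP src={src} arrived on {ingress}, but the route to it points to {via}")
    for src, dst, ingress in ok:
        print(f"PASS src={src} on {ingress}")
```

Strict mode assumes that the route back to a source leaves by the same interface its traffic arrives on. On multihomed links with asymmetric routing that assumption fails and legitimate packets would be dropped, which is why routers also offer a loose mode that only requires some route to the source to exist. Neither mode helps against a flood whose agents use their real source addresses; that still needs rate limiting or filtering upstream.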

Example 3: Natural disasters.


An organization has various modems and Integrated Services Digital Network
(ISDN) router installations and does not have surge protection. During a thunderstorm,
lightning strikes the telephone and ISDN lines. All modems and ISDN routers are
destroyed, taking with them a couple of motherboards. The following diagram shows the
vulnerability and the loss of assets.

Figure 5: Natural disaster (lightning). Vulnerability: no lightning/surge protection.
Assets affected: hardware and loss of productivity. Context: security controls and
policies.

1.5.3 Security Policies and Plans


Security policies are the foundation of an organization’s information security. Each
organization will arrive at a different set of policies; what matters is that the resulting
plan is appropriate, clear and effective for that organization.

Design and Implement a Security Plan


Designing a security plan includes setting security goals and strategies and deciding
on the level of security that is appropriate. Deciding on the level of security means
weighing the pros and cons of higher versus lower security. Higher security requires
more administration and is less convenient for users, but gives stronger assurance that
only the right people have access to your resources. Lower security creates a more
flexible and open environment at the cost of weaker protection; the right balance depends
on the value of the assets and the threats identified in the risk assessment.

Understand and Implement Security Policy

Security policy enforces uniform security standards for groups of users and establishes
the baseline of security for the environment. Unlike user rights and permissions, which
are granted to individual accounts or groups, security policy settings apply to every user
or object in the deployment.

Planning for Security


Although security technologies are highly advanced, effective security must
combine technology with good planning for business and social practices. No matter how
advanced and well implemented the technology is, it is only as good as the methods
used to employ and manage it.
Implementing appropriate security standards is a key issue for most organizations.
To implement them, devise a security plan that applies a set of security technologies
consistently to protect the organization’s resources.
A typical security plan might include the following sections:
• Security goals: Describe what the organization needs to protect and why.
• Security risks: Enumerate the types of security hazards that affect the enterprise,
including what poses the threats and how significant they are.
• Security strategies: Describe the general strategies necessary to meet the threats
and mitigate the risks.
• Security group descriptions: Describe the security groups and their relationship to
one another. This section maps security policies to security groups.
• Security policy: Describe Group Policy security settings, such as network password
policies.
• Network logon and authentication strategies: In a networked environment, consider
authentication strategies for logging on to the network and for remote access or smart
card logon.
• Information security strategies: How to implement information security solutions,
such as the Encrypting File System (EFS), Internet Protocol security (IPsec) and access
authorization using permissions.
• Administrative policies: Include policies for delegation of administrative tasks and
for monitoring audit logs to detect suspicious activity.
For starters, the easiest way to deal with security policies is to start from pre-written,
“off the shelf” policy templates. This is a reasonable approach, but it is important to
ensure that the policies meet the requisite standard and, where required, comply with the
standards the organization is subject to.

1.6 User Authentication


Authentication is the process of comparing the credentials a user presents with those
held on file in a database of authorized users, either on the local operating system or on
an authentication server. If the credentials match, authentication completes and the user
is granted authorization for access. The permissions and folders returned define both the
environment the user sees and the way he or she can interact with it, including hours of
access and other rights such as the amount of allocated storage space.
Both the process of an administrator granting rights and the process of checking an
account’s permissions when it requests a resource are referred to as authorization. The
privileges and preferences granted to the authorized account depend on the user’s
permissions, which are stored either locally or on the authentication server; all of these
environment settings are defined by an administrator.

1.6.1 User Authentication vs. Machine Authentication


User authentication occurs in most human-to-computer interactions other than guest
accounts, automatically logged-in accounts and kiosk systems. Generally, a user has to
enter or choose an ID and provide a password to begin using a system. User authentication
authorizes human-to-machine interactions in operating systems and applications, and on
both wired and wireless networks, to enable access to networked and Internet-connected
systems, applications and resources.
Machines need to authenticate their automated actions within a network too. Online
backup services, patching and update systems, and remote monitoring systems such as
those used in telemedicine and smart grid technologies all need to authenticate securely,
so that each party can verify that the authorized system, and not an attacker, is involved
in the interaction.
Machine authentication can be carried out with machine credentials much like a user’s
ID and password, only submitted by the device in question. It can also use digital
certificates issued and verified by a Certificate Authority (CA) as part of a public key
infrastructure: the device proves that it holds the private key corresponding to its
certificate, rather than presenting a shared secret, while exchanging information over
the Internet.

1.6.2 The Importance of Strong Machine Authentication


With the increasing number of Internet-enabled devices, reliable machine
authentication is crucial for secure communication in home automation and other
networked environments. In the Internet of Things, which is increasingly a reality,
almost any imaginable entity or object can be made addressable and able to exchange
data over a network. Every such endpoint is a potential intrusion point. Each networked
device therefore needs strong machine authentication and, despite its normally limited
activity, must also be configured with only the permissions it needs, to limit what can
be done if it is breached.

1.7 System Access Control


Access controls are security features that control how users and systems
communicate and interact with other systems and resources.
Access is the flow of information between a subject and an object.
A subject is an active entity that requests access to an object or the data within an
object, e.g., user, program, process, etc.
An object is a passive entity that contains the information, e.g., computer, database,
file, program, etc.
Access controls give an organization the ability to control, restrict, monitor and protect
the availability, integrity and confidentiality of its resources.

[Figure: users, access controllers and administrator. Users hold user keys; the
administrator holds an admin key and an export key; a G2 programmer configures the
controllers (G150, G250, group G450) and transfers controller events.]

1.7.1 Access Control Challenges


• Various types of users need different levels of access: internal users, contractors,
outsiders, partners, etc.
• Resources have different classification levels: confidential, internal use only,
private, public, etc.
• Diverse identity data must be kept on different types of users: credentials,
personal data, contact information, work-related data, digital certificates,
cognitive passwords, etc.
• The corporate environment is continually changing: business needs, resource access
needs, employee roles, the employees themselves, etc.

1.7.2 Access Control Principles


• Principle of Least Privilege: A subject is granted only the access it needs to
perform its task, and nothing more. Its corollary is default no access: if nothing has
been specifically configured for an individual or the groups he or she belongs to, the
user should not be able to access that resource.
• Separation of Duties: No single person should be able to carry out a sensitive
operation from start to finish alone; for example, the person who requests a payment
should not be the one who approves it.
• Need to Know: Individuals should be given access only to the information that they
absolutely require in order to perform their job duties, even when their clearance
would otherwise permit broader access.

1.7.3 Access Control Criteria


The criteria for providing access to an object include:
• Roles
• Groups
• Location
• Time
• Transaction type

1.7.4 Access Control Practices


• Deny access to systems by undefined users or anonymous accounts.
• Limit and monitor the usage of administrator and other powerful accounts.
• Suspend or delay access capability after a specific number of unsuccessful logon
attempts.
• Remove obsolete user accounts as soon as the user leaves the company.
• Suspend inactive accounts after 30 to 60 days.
• Enforce strict access criteria.
• Enforce the need-to-know and least-privilege practices.
• Disable unneeded system features, services and ports.
• Replace default password settings on accounts.
• Limit and monitor global access rules.
• Ensure that logon IDs are non-descriptive of job function.
• Remove redundant resource rules from accounts and group memberships.
• Remove redundant user IDs, accounts and role-based accounts from resource access
lists.
• Enforce password rotation.
• Enforce password requirements (length, contents, lifetime, distribution, storage
and transmission).
• Audit system and user events and actions, and review the reports periodically.
• Protect audit logs.
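The pieces above (subject, object, default no access, need-to-know, and the criteria listed in 1.7.3) fit together as a single decision function. The code below is an added example, not taken from the original text, that evaluates a request against explicit rules keyed on roles, groups, location, time of day and transaction type, and denies everything else. The ordering of the classification labels, and all subjects, objects and rules, are constructed for the example.

```python
"""Default-deny access decision over the criteria of Section 1.7.

Added example; subjects, objects and rules are constructed for it. A subject asks
to perform an action (the transaction type) on an object. Nothing is allowed
unless an explicit rule grants it; rules may be conditioned on roles, groups,
location and clock hour. Need-to-know is enforced first: an object classified
above the subject's clearance is denied even if a rule would otherwise match."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Ordering of the classification labels from 1.7.1 is an assumption of this example.
LEVELS = {"public": 0, "internal": 1, "private": 2, "confidential": 3}


@dataclass(frozen=True)
class Subject:
    uid: str
    roles: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()
    location: str = "unknown"
    clearance: str = "public"


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str


@dataclass(frozen=True)
class Rule:
    """One explicit grant. A criterion left as None is not restricted."""
    actions: FrozenSet[str]                      # transaction types granted
    objects: FrozenSet[str]                      # object names this rule covers
    roles: Optional[FrozenSet[str]] = None       # subject needs one of these roles ...
    groups: Optional[FrozenSet[str]] = None      # ... or one of these groups
    locations: Optional[FrozenSet[str]] = None
    hours: Optional[Tuple[int, int]] = None      # allowed clock hours [start, end)

    def matches(self, s: Subject, o: Obj, action: str, hour: int) -> bool:
        if action not in self.actions or o.name not in self.objects:
            return False
        if self.roles is not None or self.groups is not None:
            if not ((self.roles and s.roles & self.roles) or
                    (self.groups and s.groups & self.groups)):
                return False
        if self.locations is not None and s.location not in self.locations:
            return False
        if self.hours is not None and not (self.hours[0] <= hour < self.hours[1]):
            return False
        return True


def decide(s: Optional[Subject], o: Obj, action: str, hour: int,
           rules: List[Rule]) -> Tuple[bool, str]:
    """Return (allowed, reason). Every path that is not an explicit grant denies."""
    if s is None or not s.uid:
        return False, "undefined or anonymous subject"
    if LEVELS[o.classification] > LEVELS[s.clearance]:
        return False, "need-to-know: classification exceeds clearance"
    for rule in rules:
        if rule.matches(s, o, action, hour):
            return True, "explicit rule"
    return False, "no matching rule (default no access)"


# Constructed policy and population.
RULES = [
    # payroll clerks: read/update payroll, from the office, during working hours
    Rule(frozenset({"read", "update"}), frozenset({"payroll.db"}),
         roles=frozenset({"payroll_clerk"}), locations=frozenset({"office"}),
         hours=(8, 18)),
    # all staff: read the handbook from anywhere, at any time
    Rule(frozenset({"read"}), frozenset({"handbook.pdf"}), groups=frozenset({"staff"})),
    # contractors: read the project wiki, from the office only
    Rule(frozenset({"read"}), frozenset({"project-wiki"}),
         roles=frozenset({"contractor"}), locations=frozenset({"office"})),
]
ALICE = Subject("alice", frozenset({"payroll_clerk"}), frozenset({"staff"}), "office", "confidential")
BOB = Subject("bob", frozenset({"contractor"}), frozenset(), "vpn", "internal")
PAYROLL = Obj("payroll.db", "confidential")
HANDBOOK = Obj("handbook.pdf", "public")
WIKI = Obj("project-wiki", "internal")

if __name__ == "__main__":
    for who, obj, act, at in [(ALICE, PAYROLL, "update", 10), (ALICE, PAYROLL, "update", 20),
                              (ALICE, PAYROLL, "delete", 10), (BOB, PAYROLL, "read", 10),
                              (BOB, WIKI, "read", 10), (None, HANDBOOK, "read", 10)]:
        print(who.uid if who else "-", act, obj.name, f"{at:02d}:00", decide(who, obj, act, at, RULES))
```

Two design points matter more than the rule syntax: the need-to-know check runs before any rule is consulted, so a misconfigured rule cannot leak a confidential object to a subject with a lower clearance, and decide() has a single successful return path, so any condition added later is a deny unless it is explicitly granted.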

1.8 Passwords
• Passwords are the most common form of system identification and authentication
mechanism.
• A password is a protected string of characters that is used to authenticate an
individual.
• Password management
◦ Passwords should be properly guarded, updated regularly and kept secret to provide
effective security.
◦ Password generators can be used to produce passwords that are uncomplicated and
pronounceable but are not dictionary words.
◦ If users choose their own passwords, the system should enforce requirements such as
a minimum length, the use of special characters and mixed case.
• Techniques for attacking passwords
◦ Electronic monitoring: Listening to network traffic to capture information,
especially when a user is sending her password to an authentication server. The
captured password can be copied and reused by the attacker at another time, which is
called a replay attack.
◦ Accessing the password file: Usually done on the authentication server. The
password file contains many users’ password hashes and, if compromised, can be the
source of a lot of damage. This file should be protected with access control
mechanisms, and its contents should be salted hashes rather than clear-text or
reversibly encrypted passwords.
◦ Brute force attacks: Performed with tools that cycle through many possible
character, number and symbol combinations to uncover a password.
◦ Dictionary attacks: Files of thousands of words are hashed and compared with the
user’s password hash until a match is found.
◦ Social engineering: An attacker falsely convinces an individual that she has the
necessary authorization to access specific resources, and obtains the password
directly from the victim.
• Password checkers can be used to test the strength of passwords by attempting to
crack them the way an attacker would.
• Stored passwords should be salted and hashed with a slow hash function, never kept in
clear text; passwords in transit should be encrypted.
• Password aging should be implemented.
• The number of unsuccessful logon attempts should be limited.
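Sections 1.6 and 1.8 describe what authentication compares and how password files are attacked. The code below is an added example, not from the original text, that implements both sides: a logon routine that checks a submitted password against a salted, slow hash in constant time, locks the account after a fixed number of failures and returns the account's permissions as the authorization data; and a dictionary attack run against a constructed file of unsalted MD5 hashes and against the salted records, to show what an attacker gains from a stolen password file in each case. All users, passwords, hashes and the wordlist are constructed.

```python
"""Authentication against stored credentials, then authorization, and a dictionary
attack on a stolen password file. Added example for Sections 1.6 and 1.8; every
account, hash and wordlist below is constructed.

Stored credentials hold a random per-user salt and a PBKDF2-HMAC-SHA256 hash, never
the password itself. Logon compares in constant time and locks the account after
MAX_FAILURES consecutive failures. The attack half shows why the file must still be
protected: unsalted hashes fall to one hash computation per dictionary word."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ITERATIONS = 100_000    # PBKDF2 work factor; raise it as hardware gets faster
MAX_FAILURES = 3        # lock after this many consecutive bad logons (1.7.4, 1.8)


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_record(password: str, permissions: List[str]) -> Dict:
    """Create the stored credential: random salt plus the slow hash, no plaintext."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "permissions": list(permissions), "failures": 0, "locked": False}


def authenticate(db: Dict[str, Dict], user: str, password: str) -> Optional[List[str]]:
    """Return the account's permissions (its authorization data) on success, else None.

    An unknown user and a wrong password get the same answer, so the logon prompt
    does not reveal which user IDs exist."""
    rec = db.get(user)
    if rec is None or rec["locked"]:
        return None
    if hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
        rec["failures"] = 0
        return rec["permissions"]
    rec["failures"] += 1
    if rec["failures"] >= MAX_FAILURES:
        rec["locked"] = True          # suspended until an administrator resets it
    return None


def dictionary_attack_unsalted(hash_file: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Crack a file of unsalted MD5 hashes: hash each word once, then look every
    user up in that table. All users sharing a password fall together."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {u: table[h] for u, h in hash_file.items() if h in table}


def dictionary_attack_salted(db: Dict[str, Dict], wordlist: List[str]) -> Dict[str, str]:
    """Same wordlist against salted PBKDF2 records: one full PBKDF2 run per
    (user, word) pair, and a hit reveals nothing about any other user."""
    found = {}
    for u, rec in db.items():
        for w in wordlist:
            if hmac.compare_digest(hash_password(w, rec["salt"]), rec["hash"]):
                found[u] = w
                break
    return found


# Constructed data.
WORDLIST = ["password", "letmein", "summer2016", "qwerty", "welcome1"]
LEGACY_FILE = {                      # a leaked legacy file of unsalted MD5 hashes
    "jdoe": hashlib.md5(b"letmein").hexdigest(),
    "sally": hashlib.md5(b"letmein").hexdigest(),
    "admin": hashlib.md5(b"Tr0ub4dor&3-not-in-list").hexdigest(),
}


def demo_db() -> Dict[str, Dict]:
    return {"jdoe": new_record("letmein", ["read"]),
            "admin": new_record("Tr0ub4dor&3-not-in-list", ["read", "write", "admin"])}


if __name__ == "__main__":
    db = demo_db()
    print("jdoe/letmein ->", authenticate(db, "jdoe", "letmein"))
    print("jdoe/wrong   ->", authenticate(db, "jdoe", "wrong"))
    print("unsalted MD5 file cracked:", dictionary_attack_unsalted(LEGACY_FILE, WORDLIST))
    print("salted PBKDF2 db cracked:  ", dictionary_attack_salted(db, WORDLIST))
```

Salting does not rescue a weak password: jdoe's "letmein" falls in both files. What it removes is the attacker's ability to hash each word once and match it against every user, and the slow hash multiplies the cost of every remaining guess. That is why the practices in 1.7.4 and 1.8 combine hashing with password requirements, aging and a password checker, and why the file itself still needs access control.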

1.9 Privileged User Management


All organizations have privileged users who are granted far more extensive rights in
the information systems than normal users and therefore require particular attention.
The challenge is two-fold, since it is vital to both maintain a high level of security
surrounding access rights to systems and devices, while also managing a pool of multiple
accounts and outsourced services with sometimes high turnover rates. It is also essential
to have a clear picture of the actions performed by these privileged users.

1.9.1 Enhanced Visibility over Privileged User Activity


Wallix Admin Bastion (WAB) is one example of a product that supports privileged user
management. It assigns access rights to selected elements of the information
infrastructure, with very fine-grained access control policies and pre-defined,
customizable profiles from which rights for new administrators can be created quickly.
Access rights can be prepared in advance but enabled only for a given period (the
duration of an external service provider’s engagement, for example), so that privileged
access expires on its own instead of lingering after the need for it has passed.

1.10 User Account Management


A user account defines the actions a user can perform in Windows. On a
stand-alone computer or a computer that is a member of a workgroup, a user account
establishes the privileges assigned to each user. On a computer that is part of a network
domain, a user must be a member of at least one group, and the permissions and rights
granted to a group are assigned to its members.
You must be logged on as an administrator or a member of the Administrators group
to use User Accounts in Control Panel.
User Accounts allows you to add users to your computer and to add users to a
group. In Windows, permissions and user rights are usually granted to groups; by adding
a user to a group, you give the user all the permissions and user rights assigned to that
group.
For instance, a member of the Users group can perform most of the tasks necessary to
do his or her job, such as logging on to the computer, creating files and folders, running
programs and saving changes to files. However, only a member of the Administrators
group can add users to groups, change user passwords or modify most system settings.
User Accounts lets you create or change the password for local user accounts, which
is useful when creating a new user account or if a user forgets a password. A local user
account is an account created on this computer. If the computer is part of a network, you
can add network (domain) user accounts to groups on your computer, and those users can
use their network passwords to log on. You cannot change the password of a network user
from this computer.

In Microsoft Windows XP Professional, you will find accounts of three different kinds
in use on any given system.
• Local user accounts allow you to log on to the local system and access resources
there. To access any resource beyond the local system you would, in most cases, need
to provide additional credentials. Local accounts authenticate against the local
security database.
• Domain user accounts allow you to log on to the domain the account belongs to in
order to access network resources. You may be able to access resources in other
domains, depending on how the trust relationships are defined and whether they have
been modified. Domain accounts authenticate to a domain controller, against the domain
security database.
• Built-in user accounts allow you to perform administrative tasks on the local
system and can sometimes access local or network resources, depending on how they are
configured on the network; this too depends on how trust relationships are defined or
modified. The only two accounts created by default on a clean stand-alone installation
of Windows XP Professional are Administrator and Guest.
The built-in Administrator account is enabled by default and cannot be deleted from
the system. Its name and password can be changed, however, and doing so is a
recommended best practice. It is also recommended that the default Administrator account
never be used, or be used as infrequently as possible and only when tasks must be
performed at an administrative level. If more than one person administers a workstation,
each should have an account created for his or her own use: if you ever need to audit
administrative events, this is far easier when each administrator has a distinct account
than when all of them share a single one.
The Guest account also cannot be deleted from the system; it is disabled by default
and, unless there is a genuine operational need, it should stay disabled. The only
realistic need for the Guest account is a kiosk-type terminal in the lobby of an office
building or hotel, and in that event it could be used. If you need to grant a temporary
user short-term access to a system, it is always worth the “aggravation” of creating a
dedicated account.

1.10.1 Using the Local Users and Groups Snap-in


You would normally need to be a local administrator to perform most system
configuration functions (even just taking a look at the current configuration settings) on a
Windows XP Professional system, and in some cases, there may be a local policy set by
some other administrator or if your system is in a Domain, a Domain policy setting, which
may prevent you from performing some actions.
To manage local users and groups, you can use the Local Users and Groups MMC
and you can access this tool in a number of different ways.
One way is to select Start, right-click My Computer, and then click Manage, which
will open the Computer Management MMC. Under the System Tools icon, click Local
Users and Groups to open the Local Users and Groups MMC.

You can also type compmgmt.msc in the RUN box or at a command line to launch the
Computer Management MMC.

What your Start Menu options look like, all depend on how you have the menu set. If
you are using the Classic Start Menu, you would not see My Computer as a selection to
right click on. Your options would be to click Start, select Administrative Tools and then
select Computer Management. Not a whole lot different, but perhaps just enough to
confuse you.
I seem to continually repeat this from article to article, but it is important to stress,
the Windows XP Professional exam rarely tests you on Classic anything. You need to
know how to get from Windows XP Professional settings to Classic and back, but in 90%
of the cases you’re going to find instructions laid out in the Windows XP Professional vein.
I will do my best to point out alternatives in the section as I have done here.

If you want to open the Local Users and Groups MMC directly, type lusrmgr.msc in the
RUN box or at a command line. This runs the tool independently of the Computer
Management MMC.
You can also launch the Control Panel and select the User Accounts icon as well.

User Accounts and the Local Users and Groups MMC perform the same tasks but work
differently. User Accounts is covered separately below.

1.10.2 Adding USERS with the Local Users and Groups MMC
Adding a user is as simple as selecting Users from the left pane, right clicking it and
choosing New User. You can also highlight Users by left clicking it and going up to
ACTION on the menu bar and selecting New User.

Depending on your current settings, all you may need to supply in order to create a
user account is a user account name. The full user name, description, and passwords
are not required by default.
To set a password where one isn’t used or to change one that is currently set, you
would right click on the given account and choose SET PASSWORD.
You can also right click on the given account and choose ALL TASKS which leads
you to the single SET PASSWORD option as well.
You can also select the user with a single left click and go to ACTION in the menu to
bring up the same ALL TASKS/SET PASSWORD options as well.

Passwords are not required by default but are always a recommended best practice.

There may be a local policy set by another administrator or, if your system is in a
domain, a domain policy setting, which forces you to use settings that are NOT normally
required by default.
For example, if a password policy is in place and the password you enter for a new
account does not meet its minimum requirements, you will be presented with an error
message stating that the password does not meet the password policy requirements.

1.10.3 Adding GROUPS with the Local Users and Groups MMC
Adding groups is performed in much the same manner. You can select Groups from
the left pane, right click it and choose New Group. You can also highlight Groups by left
clicking it and going up to ACTION on the menu and selecting New Group.

All that is required for creating a Group is the name. Descriptions do not need to be
entered for the group nor do you need to add any members.

1.10.4 Using USER ACCOUNTS in the Control Panel


How USER ACCOUNTS in the Control Panel functions all depends on whether your
Windows XP Professional system is in a domain or not.
Also, how it looks depends on whether you are using the default Windows XP view
or the Classic interface.

[Screenshot: User Accounts in the default Windows XP Control Panel view]
[Screenshot: User Accounts in the Classic Control Panel view]

When your computer is in a domain and you open the USER ACCOUNTS icon in the Control
Panel, you are presented with the User Accounts dialog, opened on the Users tab.

In the screenshot for this example, the “domain” BUCKAROO is the local system and not
a domain; NORTHAMERICA is a domain. Local accounts are shown with a computer/user icon
(visible in the Password for backup section of the image), while a domain account in the
Users for this computer section is shown with a planet/user icon combination.

To see the properties of an account, select it and click the Properties button. On the
Group Membership tab of the user’s property sheet you will see three selections to choose
from regarding group membership.

The OTHER drop-down list shows all of the LOCAL groups that the user could belong to.
It lists only local groups, regardless of whether you have chosen a user account from the
local accounts database or a domain account from the domain.
You can change the password for a given account from the Users tab by selecting the
account and clicking the RESET PASSWORD button, which brings up the RESET PASSWORD
window.
From the ADVANCED tab, you can manage passwords that are stored in the local database.


By selecting the MANAGE PASSWORDS button, you will open the Stored User
Names and Passwords where you can add, remove or view the properties of an account.

When you select the .NET PASSPORT WIZARD, the wizard will start and allow you
to add a .NET passport to one or more Windows XP Professional user accounts.

Selecting ADVANCED in the Advanced User Management section simply launches the Local
Users and Groups MMC, exactly as if you had typed lusrmgr.msc in the RUN box or at a
command line.
The Secure Logon section is where you require local users to press CTRL+ALT+DEL before
logging on. This key combination is handled by the operating system itself, so a program
imitating the logon dialog cannot intercept it and capture the password.
When you are not in a domain and you open the USER ACCOUNTS icon in the Control
Panel, you are presented with the simpler User Accounts view described next.
When you are not in a domain and you open the USER ACCOUNTS icon in the
Control Panel, you are presented with the User Accounts view as shown below.

To change any of the listed accounts, select CHANGE AN ACCOUNT and then the account
you wish to change. Here you can change the password, change the picture associated
with the account, or set the account up to use a .NET Passport.
The CREATE A NEW ACCOUNT option allows you to do just that.
The CHANGE THE WAY USERS LOG ON OR OFF option allows you to select
either FAST USER SWITCHING (which is not allowed when the workstation is a member
of a domain) or using the standard USE THE WELCOME SCREEN option.

Fast User Switching cannot be used if the Offline Files option is enabled. Also, once
your system is added to a domain, you can no longer use Fast User Switching, even if
you log on to the workstation by using the local user account database.
In Microsoft Windows XP Professional, you will find a number of default local groups
on your system, with the following default functions:

Administrators: Members of the Administrators group have complete and unrestricted
access to the computer and can perform all administrative tasks. The built-in
Administrator account is a member of this group by default, and should the Windows XP
Professional system be joined to a domain (or domains), the Domain Admins group of each
joined domain is added to the local Administrators group as well.

Backup Operators: Members of the Backup Operators group can use Windows Backup
(NTBACKUP) to back up and restore data on the local computer. Membership allows them to
override file security restrictions for the sole purpose of backing up or restoring files.

Guests: Members of the built-in Guests group have access only to the specific resources
for which they have been assigned explicit permissions and can perform only the specific
tasks for which they have been assigned explicit rights. This is nearly the same access
level as the Users group, with some additional restrictions. By default, the built-in
Guest account is a member of the Guests group. When the system is joined to a domain (or
domains), the Domain Guests group of each joined domain is added to the local Guests
group as well.

Power Users: Members of the Power Users group can create and modify local user accounts
on the computer and share resources. Effectively, they are one step below the
Administrators group on a local system: they possess most administrative powers, with
certain restrictions.

Users: Members of the Users group are prevented from making accidental or intentional
system-wide changes and are only slightly higher in the permission scheme than the Guests
group. They have access only to the specific resources for which they have been assigned
explicit permissions and can perform only the specific tasks for which they have been
assigned explicit rights. When a new user is created on a Windows XP Professional system,
it is added to the Users group by default. When the system is joined to a domain (or
domains), the Domain Users group of each joined domain is added to the local Users group
as well.

Groups are used in Windows XP Professional (and other Microsoft operating systems) as a
collection point for user accounts, simplifying system administration by allowing you to
assign permissions and rights to the group rather than to each user account individually.
Local groups are used on individual systems to assign permissions to resources on
that specific computer. Local groups are created and administered in the local security
database on Windows XP Professional systems.
Some quick points to remember for local groups on Windows XP Professional systems that
are not domain members: local groups can contain only local user accounts from the local
security database, and local groups cannot belong to any other group (local groups cannot
be nested one inside the other). For example, user accounts can be members of both the
WORKERS group and the COFFEE group, and even though every single user of one group is a
member of the other, you would not be able to add all the users to the WORKERS group and
then put the WORKERS group into the COFFEE group.
Adding a new group is as simple as selecting Groups from the left pane, right
clicking it and choosing New Group. You can also highlight Groups by left clicking it and
going up to ACTION on the menu bar and selecting New Group.

Depending on your current settings, all you need to supply in order to create a new
group is the name. In most cases, the description and adding users at the time is not
required by default.

1.10.5 Using USER ACCOUNTS in the Control Panel to Add Users to EXISTING Groups

On a domain-joined system, the USER ACCOUNTS applet in the Control Panel is the quickest
way to put a user into an existing local group. On the Users tab, select the account,
click Properties and open the Group Membership tab. The three choices are Standard user
(the local Power Users group), Restricted user (the local Users group) and Other, whose
drop-down list shows every local group the account could belong to. The list shows only
local groups, regardless of whether you selected an account from the local accounts
database or a domain account: this tool manages membership of local groups only, and
domain group membership is managed on the domain. The tab offers a single choice, so a
user who must belong to several local groups has to be added through the Local Users and
Groups MMC, where a group’s property sheet lets you add any number of members.

Selecting ADVANCED in the Advanced User Management section simply launches the Local Users and Groups MMC, as if you had typed lusrmgr.msc in the RUN box or at a command line.
The secure logon section is where you would require local users to press CTRL +
ALT + DEL to begin a session.
When you are not in a domain and you open the USER ACCOUNTS icon in the
Control Panel, you are presented with the User Accounts view as shown below.

To change any of the listed accounts, select CHANGE AN ACCOUNT and then the account you wish to change. It is here that you can change the password, change the icon (picture) associated with the account, or set up the account to use a .NET passport.
The CREATE A NEW ACCOUNT option allows you to do just that.
The CHANGE THE WAY USERS LOG ON OR OFF option allows you to turn on FAST USER SWITCHING (which is not available when the workstation is a member of a domain) or the standard USE THE WELCOME SCREEN option.

1.11 Data Resource Protection

1.11.1 Effective Data Protection and Recovery Strategy


The reason for backing up data is to be able to recover that data in the event of a
disaster, failure, or loss. An effective strategy should focus on minimizing risk to data by
getting it off-site, offline and out-of-reach.
Doing this keeps data secure and prevents it from falling into the wrong hands,
which has become a large issue for both centralized and decentralized information.
Backing up and protecting data also supports specific compliance objectives for different
data types and different industries. Lastly, the strategy needs to encompass all critical
data to support both centralized and distributed environments.
More and more companies utilize a mobile and remote workforce, creating a greater
geographic dispersion of data. It is not only imperative to understand where all the critical
and sensitive information resides, but to make sure it is backed up consistently and
securely for a timely recovery.
Data availability is a key issue today. Many businesses demand 99.9999% uptime,
or close to it. In other words, they require that users - and business applications - have
access to critical information around the clock. In this environment, unplanned data
outages are not an option. A solid data protection strategy ensures accessibility and
availability of that data whenever and wherever it is needed, to get the business running
again.

1.11.2 Protecting Back-up Data


Implementing a secure data protection strategy requires planning and preparation.
Getting started begins with developing the strategic policies concerning what data needs
to be protected and then identifying that data and any copies of it within the enterprise
storage environment.
The next step is selecting the most secure method for protecting the most critical
data. This could mean electronic vaulting or data encryption. With any approach, the
management process around secure data protection needs to be addressed. The
standard operating procedures governing security of data at rest must contain a metrics
base that tracks not only completion and compliance, but also the logistics management
of both the physical data container and most importantly, the encryption key itself.
Finally, everyone who manages, administers or operates IT infrastructure needs to
become security conscious. Data protection security is as much a culture of awareness
as it is a corporate policy directive. To truly protect the organization’s critical data,
continuous focus on culture, practice and control is imperative to a successful, secure
data protection strategy.

1.11.3 Develop a Data Protection and Recovery Program


When developing a program, adopt a multi-layered approach for the data and storage networks:
• Authentication: apply multi-level authentication techniques.
• Authorization: enforce privileges based on roles and responsibilities.
• Encryption: all sensitive data should be encrypted when it is stored or copied.
• Auditing: logs of administrative operations by users should be maintained for traceability and accountability.
Relying on a single copy of a file is never a good idea. A good practice is to perform
nightly backups onto removable media and then ship those tapes off-site with a trusted
third party so they are protected and available for recovery in the event of a disaster.
Getting the media off-site and into a secure facility will also protect it from unauthorized
access and potential tampering.
Companies should employ a tight end-to-end chain of custody to know the location
of their backup media at all times to ensure security. Removable media like backup tapes
should be affixed with barcodes and placed in locked containers during transportation.
Barcodes enable the media to be scanned in and out of the company as well as the
facility where it is stored. This also allows companies to generate daily reports for media
being sent off-site and those scheduled for return.
More and more, business data resides at remote sites, on desktop PCs and on
laptops—it is critical to back up and protect this data. Most remote sites do not have a
dedicated IT staff, leaving the backup process full of holes because it does not happen
regularly and is typically incomplete. These issues leave data vulnerable to unauthorized
users, theft and loss. To protect information on employees’ computers, consider
technologies like electronic vaulting, which provide a secure and automated solution to
backing up and protecting distributed data.
Lastly, once media reaches the end of its useful life it must be properly destroyed. This includes overwriting (scrambling), degaussing and even pulverization. Destruction is best performed by a third party that can provide a certificate of destruction, as many state and federal statutes and regulations require proper handling and disposal of records that contain personal information. However, destroying records that could be requested as part of a legal action against the company poses major risks to the organization. Understanding the regulatory and legal risks of not preserving "evidence records" is the first step to managing these risks, and this is best handled with a third party who is more familiar with these policies.

1.11.4 Implement the Program


With a plan in place, it’s time to implement—and communication comes first. Data
loss and information theft are business issues, not IT issues. Therefore, every
employee—from executives on down—should receive training on the risks and threats of
potential data loss. This educational effort should include the investment necessary to
defend data against unauthorized access. With this information, corporate officers can
make knowledgeable, cost vs. benefit decisions on complete backup data protection.

1.11.5 Manage and Enforce


Implementing a program is only half the battle. Once it is up and running, the company must have a plan for periodically auditing employee compliance and for revisiting the plan to ensure it remains current. Policy without adoption is meaningless. Employees must receive regular training and reminders of their role so that it becomes second nature for them. The best-practice approach also has the company budget for program maintenance, testing and continual enhancement.

1.11.6 Test and Revise


It is important to regularly test both the backup and recovery functions of a program.
Simulate various threats and scenarios like device issues, data classification issues and
others that could affect the business. Enlist people less familiar with the process to
measure plan clarity and to ensure functionality, if primary personnel are unavailable.
Lastly, be flexible and change the program as the needs of the business change.
There was a time when companies only needed to worry about a centralized
location of their vital business records. Now, they must account for remote servers,
desktop PCs, laptops and handheld computers, all of which might contain personal or
vital business information.
An effective strategy for protecting this information should focus on minimizing risk
to data by getting it off-site, offline and out-of-reach. Additionally, the right plan ensures
companies comply with broad and industry-specific regulations for managing that
information. The key for any organization – regardless of its size or the industry in which
it plays – is to implement a data protection program that mitigates business risks,
reduces costs, increases compliance, and helps improve overall business service levels.

1.12 Sensitive System Protection


First determine what systems are sensitive and the extent they must be protected.
This includes identifying sensitive data.
A. Criticality: Evaluate criticality in terms of what would be affected if the system were to become unavailable. First, divide the system into sub-elements (i.e., applications) that are related to users or business functions. Then evaluate each application to define the impact on the user if computer support were lost, considering such factors as the effectiveness of the particular function, the additional cost of doing business, lost revenue, possible legal problems, and the effect of the loss on the image of the organization.
B. Sensitivity: Sensitivity analysis measures the impact of a non-authorized
person gaining access to the information, or of data being altered in any way.
Most importantly, private personal data should not be disclosed without specific
authorization. Other sensitive areas include trade secrets, formulas, financial
data and company planning information that may be of significant value to
competitors.
C. Source of Sensitivity Information: Do not treat the MIS group as a reliable source of criticality and sensitivity information. Too often, the MIS group reacts to whichever individual or group complains most quickly when the system degrades, and the speed of the complaint is not necessarily representative of the real importance of the data to the company. The best initial sources are the users of the MIS output: they can best express the impact on operations and the potential costs, and when this information is validated by management the real importance to the organization is captured. This is the foundation of systems security: the validity of these judgements must be guaranteed.
D. Level of Sensitivity: The military expresses the sensitivity of systems through classifications such as top secret, secret, confidential and unclassified. The more recent introduction of "unclassified but sensitive" was a reaction to privacy requirements.

The National Computer Security Center, in its Trusted Computer System Evaluation Criteria (TCSEC) standard, identifies four divisions of security. Division D is the lowest: minimal protection, for systems that have been evaluated but do not meet the requirements of a higher division. Each higher division represents a major improvement in the confidence one can place in a system for the protection of information. Division C is Discretionary Protection, in which identifiable sections of a system are protected as appropriate to the information they hold. Division B is Mandatory Protection, in which all data carry sensitivity labels and are protected accordingly; although some data may be more easily accessed than others, the necessary controls are present. Division A is the highest: it represents formally verified protection and is the most comprehensive assurance available.
Commercially, various categorization schemes are employed; commonly, terms such as highly critical, critical, important and routine are used. The actual names are unimportant as long as they are used consistently. The key factor is that the levels are defined so that they can be used to identify the extent to which security measures should be applied to the system.

1.13 Cryptography
Encryption is the science of transforming data so that it is unrecognizable and useless to an unauthorized person. Decryption is changing it back to its original form.
The most secure techniques use a mathematical algorithm and a variable value known as a 'key'.
The selected key (often a random string of bits or characters) is input on encryption and is integral to the transformation of the data. The EXACT same key MUST be input to enable decryption of the data.
This is the basis of the protection: if the key (sometimes called a password) is known only to authorized individuals, the data cannot be exposed to other parties, because only those who know the key can decrypt it. Since one secret key serves both operations, this is known as 'private key' (more commonly 'secret-key' or symmetric) cryptography, which is the most well-known form.
Figure: Data ("Morpheus") + Key → Encryption → Encrypted Data ("3*; ~>@!w9")

1.13.1 Other Uses of Cryptography


Many techniques also provide for detection of any tampering with the encrypted
data. A ‘message authentication code’ (MAC) is created, which is checked when the data
is decrypted. If the code fails to match, the data has been altered since it was encrypted.
This facility has many practical applications.
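The following is an added example, not code from the original text: it shows the 'private key' scheme of 1.13 (the same key must be supplied to decrypt) together with the tamper detection described above, a MAC that is computed over the encrypted data and checked on decryption. It uses only the Python standard library, so the cipher is a stream cipher whose keystream comes from HMAC-SHA256 run in counter mode (a pseudorandom function in CTR mode); that construction and the "enc"/"mac" sub-key labels are this example's own choices, not something the text prescribes. Production code should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a cryptographic library.

```python
# Added example, not from the original text: 'private key' (symmetric)
# encryption with tamper detection by a message authentication code.
# Standard-library only. ASSUMPTION: the cipher is a stream cipher built from
# HMAC-SHA256 in counter mode (a PRF in CTR mode); it illustrates the
# encrypt-then-MAC construction and is not a standardized cipher.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16   # per-message random value: never reuse a (key, nonce) pair
TAG_LEN = 32     # HMAC-SHA256 output length


def derive_subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the one shared secret,
    so the same key bytes are never used for two purposes."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Concatenate PRF(enc_key, nonce || counter) blocks and truncate."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = derive_subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify.

    The tag is checked BEFORE anything is decrypted, with a constant-time
    comparison, so a forger learns nothing from timing and no unauthenticated
    bytes are ever released to the caller."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_subkeys(key)
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """Round trip, a wrong key, and a one-bit change to the ciphertext."""
    key = secrets.token_bytes(32)
    blob = encrypt(key, b"Morpheus")          # the page's sample plaintext
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01               # flip one bit of the ciphertext
    return {
        "round_trip": decrypt(key, blob) == b"Morpheus",
        "wrong_key_rejected": decrypt(secrets.token_bytes(32), blob) is None,
        "tamper_detected": decrypt(key, bytes(tampered)) is None,
    }
```

Two details matter more than the cipher itself: the MAC is verified before any decryption, and it is compared with hmac.compare_digest rather than ==, so an attacker cannot learn the correct tag byte by byte from response timing.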

1.13.2 Key Management


As the entire operation is dependent upon the security of the keys, it is sometimes
appropriate to devise a fairly complex mechanism to manage them.

Where a single individual is involved, often direct input of a value or string will suffice. The 'memorized' value is then re-input to retrieve the data, much like a password.
Sometimes, many individuals are involved, with a requirement for unique keys to be
sent to each for retrieval/decryption of transmitted data. In this case, the keys themselves
may be encrypted. A number of comprehensive and proven key management systems
are available for these situations.

Cryptography Key Basics


The two components required to encrypt data are an algorithm and a key. The algorithm is generally public; only the key is kept secret (a system whose security relies on keeping the algorithm secret is not considered sound).
The key is a very large number that should be impossible to guess and of a size that makes exhaustive search impractical.
In a symmetric cryptosystem, the same key is used for encryption and decryption. In
an asymmetric cryptosystem, the key used for decryption is different from the key used
for encryption.

The Key Pair


In an asymmetric system, the encryption and decryption keys are different but related. For encryption, the key anyone may use is the public key and the key only the owner holds is the private key; together they are known as a key pair. (For digital signatures the roles are reversed: the private key signs and the public key verifies.)
Where a certification authority is used, remember that it is the public key that is certified and not the private key. This may seem obvious, but it is not unknown for a user to insist on having his private key certified!

Key Components
Keys should, whenever possible, be distributed electronically, enciphered under previously established higher-level keys. There comes a point, of course, when no higher-level key exists and it is necessary to establish the key manually.
A common way of doing this is to split the key into several parts (components) and entrust the parts to a number of key-management personnel. The idea is that no single key part should contain enough information to reveal anything about the key itself. Usually the key is recombined by means of the exclusive-OR operation inside a secure environment (for example a hardware security module), so that the complete key never exists in the clear outside it.
In the case of DES keys there should be an odd number of components, each having odd parity; odd parity is then preserved when the components are XORed together, because the XOR of an odd number of odd-parity bytes again has odd parity. Further, each component should be accompanied by a key check value to guard against keying errors when the component is entered into the system. A key check value for the combined key should also be available as a final check when the last component is entered.
A problem that occurs with depressing regularity in the real world is when it is
necessary to re-enter a key from its components. This is always an emergency situation,
and it is usually found that one or more of the key component holders cannot be found.
For this reason, it is prudent to arrange matters so that the components are distributed
among the key holders in such a way that not all of them need to be present.
For example, if there are three components (C1, C2, C3) and three key holders
(H1, H2, H3), then H1 could have (C2, C3), H2 could have (C1, C3) and H3 could have
(C1, C2). In this arrangement, any two out of the three key holders would be sufficient.
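As an added example (not code from the original text), the following Python implements the key-component procedure just described: an odd number of odd-parity components XORed back together, a key check value (KCV) per component and for the combined key, and the (C1, C2, C3) / (H1, H2, H3) distribution in which any two holders suffice. One assumption is labelled in the code: a real DES key check value is taken from DES-encrypting an all-zero block, and since the Python standard library has no DES, kcv() here uses a truncated SHA-256 of the key in that role. The key itself is generated randomly for the demonstration.

```python
# Added example, not from the original text: splitting a DES-style key into
# XOR components with odd parity and key check values, then distributing
# them so that any two of three holders can reconstruct it.
# ASSUMPTION: kcv() uses truncated SHA-256 where a DES implementation would
# encrypt a zero block; the role (catch keying errors without revealing the
# key) is the same.
import hashlib
import secrets
from typing import Dict, List


def with_odd_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each byte has an odd number of 1 bits
    (the DES convention: 56 key bits plus 8 parity bits)."""
    out = bytearray()
    for b in key:
        high = b & 0xFE
        ones = bin(high).count("1")
        out.append(high | (0 if ones % 2 == 1 else 1))
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)


def xor_bytes(*parts: bytes) -> bytes:
    out = bytearray(len(parts[0]))
    for part in parts:
        if len(part) != len(out):
            raise ValueError("components must all be the same length")
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)


def kcv(key: bytes) -> str:
    """Key check value, 6 hex digits. ASSUMPTION: stands in for the DES KCV."""
    return hashlib.sha256(key).hexdigest()[:6]


def split_key(key: bytes, n: int = 3) -> List[bytes]:
    """Split key into n odd-parity components whose XOR is the key.
    n must be odd: the XOR of an odd number of odd-parity bytes has odd
    parity, so the recombined key keeps valid DES parity."""
    if n % 2 == 0:
        raise ValueError("use an odd number of components")
    if not has_odd_parity(key):
        raise ValueError("key must have odd parity")
    components = [with_odd_parity(secrets.token_bytes(len(key))) for _ in range(n - 1)]
    components.append(xor_bytes(key, *components))   # last = key XOR the others
    return components


def distribute(components: List[bytes]) -> List[Dict[int, bytes]]:
    """Holder i receives every component except component i, so any two
    holders together have all n (n = 3: H1 gets C2,C3; H2 gets C1,C3; H3 gets C1,C2)."""
    n = len(components)
    return [{j: components[j] for j in range(n) if j != i} for i in range(n)]


def reconstruct(shares: List[Dict[int, bytes]], n: int,
                component_kcvs: List[str], key_kcv: str) -> bytes:
    """Recombine from the holders present, checking each component's KCV as
    it is entered and the combined key's KCV at the end."""
    collected: Dict[int, bytes] = {}
    for share in shares:
        for idx, comp in share.items():
            if kcv(comp) != component_kcvs[idx]:
                raise ValueError(f"component {idx + 1} failed its key check value")
            collected[idx] = comp
    if len(collected) != n:
        raise ValueError("not all components available: more key holders needed")
    key = xor_bytes(*(collected[i] for i in range(n)))
    if kcv(key) != key_kcv:
        raise ValueError("combined key failed its key check value")
    return key


def demo() -> bool:
    """Any two of the three holders suffice; one alone does not."""
    key = with_odd_parity(secrets.token_bytes(8))        # 64-bit DES-style key
    parts = split_key(key)
    holders = distribute(parts)
    ckcvs = [kcv(p) for p in parts]
    for a, b in ((0, 1), (0, 2), (1, 2)):
        if reconstruct([holders[a], holders[b]], 3, ckcvs, kcv(key)) != key:
            return False
    try:
        reconstruct([holders[0]], 3, ckcvs, kcv(key))
        return False
    except ValueError:
        return True
```

Note what this layout does and does not give: a single holder holds two of the three components, and since the remaining component is random, those two reveal nothing about the key; but two holders together hold everything, so it is a "two custodians must be present" control, not a threshold secret-sharing scheme in the Shamir sense.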

1.13.3 Cryptographic Algorithms


There are, of course, a wide range of cryptographic algorithms in use. The following are amongst the most well known:
DES: the 'Data Encryption Standard', a symmetric ('private key') block cipher that operates on 64-bit blocks of data using a 56-bit key.
RSA: a public key system designed by Rivest, Shamir and Adleman.
HASH: a 'hash algorithm' computes a fixed-length condensed representation of a message or file of any length. This is sometimes known as a 'message digest' or a 'fingerprint'.
MD5: a 128-bit message digest function developed by Ron Rivest.
AES: the Advanced Encryption Standard (the Rijndael block cipher) approved by NIST; it uses 128-bit blocks with 128-, 192- or 256-bit keys and is the symmetric cipher that replaced DES.
SHA-1: a hashing algorithm similar in structure to MD5 but producing a 160-bit (20-byte) digest. Because of the larger digest size it is less likely that two different messages will have the same digest, and for this reason SHA-1 was long recommended in preference to MD5. Both are now considered broken for collision resistance (practical MD5 collisions since 2004, a published SHA-1 collision in 2017), so new designs should use SHA-2 (for example SHA-256) or SHA-3.
HMAC: a keyed hashing method (a message authentication code) that combines a secret key with a hash algorithm such as MD5, SHA-1 or SHA-256; thus one refers to HMAC-MD5, HMAC-SHA1 and HMAC-SHA256. HMAC's security rests on the hash behaving as a pseudorandom function rather than on collision resistance, so the collision attacks above do not directly break HMAC-SHA1, but HMAC-SHA256 is the usual choice today.
DES: DES (the Data Encryption Standard) is a symmetric block cipher developed by
IBM. The algorithm uses a 56-bit key to encipher/decipher a 64-bit block of data. The key
is always presented as a 64-bit block, every 8th bit of which is ignored. However, it is
usual to set each 8th bit so that each group of 8 bits has an odd number of bits set to 1.
The algorithm is best suited to implementation in hardware, probably to discourage
implementations in software, which tend to be slow by comparison. However, modern
computers are so fast that satisfactory software implementations are readily available.
DES was for decades the most widely used symmetric algorithm in the world, despite claims that the key length is too short. Ever since DES was first announced, controversy has raged about whether 56 bits is long enough to guarantee security.
The key length argument goes like this. Assuming that the only feasible attack on DES is to try each key in turn until the right one is found, then 1,000,000 machines each capable of testing 1,000,000 keys per second (10^12 keys per second in total) would exhaust the 2^56 (about 7.2 × 10^16) possible keys in roughly 20 hours, finding the right one after about 10 hours on average. Most reasonable people might once have found this rather comforting and a good measure of the strength of the algorithm.
Those who considered the exhaustive key search attack a real possibility were right: in 1998 the Electronic Frontier Foundation's purpose-built 'Deep Crack' machine recovered a DES key by brute force in 56 hours, and NIST withdrew DES as a federal standard in 2005. The problem can be overcome by using double- or triple-length keys; in fact, double-length keys were recommended for the financial industry for many years. NIST has since deprecated Triple DES as well (disallowed for encryption after 2023) in favour of AES.
Use of multiple length keys leads us to the Triple DES algorithm, in which DES is
applied three times. If we consider a triple length key to consist of three 56-bit keys K1,
K2, K3, then encryption is as follows:
• Encrypt with K1
• Decrypt with K2
• Encrypt with K3
Decryption is the reverse process:
• Decrypt with K3
• Encrypt with K2
• Decrypt with K1

Setting K3 equal to K1 in these processes gives a double-length key (K1, K2): the sequence becomes encrypt with K1, decrypt with K2, encrypt with K1.
Setting K1, K2 and K3 all equal to K makes the middle decryption cancel the first encryption, so the result is the same as single DES with the 56-bit key K. Thus a system using triple DES can interoperate with a system using single DES.
RSA: RSA is a public key algorithm invented by Rivest, Shamir and Adleman. The key used for encryption is different from (but related to) the key used for decryption.
The algorithm is based on modular exponentiation. Numbers e, d and N are chosen with the property that, if A is a number less than N, then (A^e mod N)^d mod N = A.
This means that you can encrypt A with e and decrypt using d. Conversely, you can encrypt using d and decrypt using e (though doing it this way round is usually referred to as signing and verification).
• The pair of numbers (e, N) is known as the public key and can be published.
• The pair of numbers (d, N) is known as the private key and must be kept secret.
The number e is known as the public exponent, d as the private exponent and N as the modulus. When talking of key lengths in connection with RSA, what is meant is the modulus length.
An algorithm that uses different keys for encryption and decryption is said to be asymmetric.
Anybody knowing the public key can use it to create encrypted messages, but only the owner of the private key can decrypt them.
Conversely, the owner of the private key can produce values that anybody with the public key can check. Anybody successfully verifying such a value can be sure that only the owner of the private key could have produced it. This fact is the basis of the digital signature technique.
Without going into detail about how e, d and N are related: d can be deduced from e and N if the factors of N can be determined, so the security of RSA depends on the difficulty of factorizing N. Because factorization is believed to be a hard problem, the longer N is, the more secure the cryptosystem. Older guidance put 768 bits as reasonably safe and 1024 bits as the recommendation for serious commercial use; both figures are now obsolete. A 768-bit modulus was publicly factored in 2009, and current guidance (NIST SP 800-131A) requires a modulus of at least 2048 bits, with 3072 bits or more for longer-term protection.
The problem with choosing long keys is that RSA is very slow compared with a symmetric block cipher such as DES or AES, and the longer the key the slower it is. The usual solution is to use RSA for digital signatures and for protecting (wrapping) symmetric keys, and to encrypt bulk data with the symmetric cipher (today AES rather than DES). Note also that the 'textbook' RSA described here is never used on its own: real implementations apply a padding scheme (OAEP for encryption, PSS for signatures), because raw modular exponentiation is deterministic and multiplicatively malleable.
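The following Python is an added example, not code from the original text. It carries the RSA description above through in the page's e, d, N notation on deliberately tiny primes: key generation, encryption and decryption, signing and verification, the fact that factoring N hands an attacker d, and the multiplicative malleability that is the reason real RSA needs padding. The primes 61 and 53 with e = 17 are the usual textbook illustration and are chosen here only so that every number fits on the page; they are not a usable key.

```python
# Added example, not from the original text: RSA in the page's e, d, N
# notation on toy primes. Real keys use a modulus of 2048 bits or more and
# a padding scheme (OAEP/PSS); the small numbers are for illustration only.
from math import gcd
from typing import Tuple

Key = Tuple[int, int]   # (exponent, N)


def keygen(p: int, q: int, e: int) -> Tuple[Key, Key]:
    """From two primes and a public exponent e, return ((e, N), (d, N)).
    d is the inverse of e modulo phi(N) = (p-1)(q-1), which is exactly what
    makes (A^e mod N)^d mod N = A hold for every A < N."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)
    return (e, n), (d, n)


def encrypt(public: Key, a: int) -> int:
    e, n = public
    if not 0 <= a < n:
        raise ValueError("message must be an integer below N")
    return pow(a, e, n)              # A^e mod N


def decrypt(private: Key, c: int) -> int:
    d, n = private
    return pow(c, d, n)              # (A^e)^d mod N = A


def sign(private: Key, a: int) -> int:
    """'Encrypt with d': only the private-key holder can produce this value."""
    return encrypt(private, a)


def verify(public: Key, a: int, s: int) -> bool:
    """'Decrypt with e': anyone with the public key can check it."""
    return decrypt(public, s) == a


def factor(n: int) -> Tuple[int, int]:
    """Trial division: instant for a toy N, infeasible for a 2048-bit one."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("no factor found")


def recover_private_exponent(public: Key) -> int:
    """What an attacker gains from factoring N: phi, then d = e^-1 mod phi."""
    e, n = public
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


def is_malleable(public: Key, a: int, b: int) -> bool:
    """Textbook RSA is multiplicative: E(a) * E(b) = E(a*b) mod N, so an
    attacker can build a valid ciphertext of a*b without the key. OAEP
    padding destroys this structure."""
    e, n = public
    return (encrypt(public, a) * encrypt(public, b)) % n == encrypt(public, (a * b) % n)
```

With (p, q, e) = (61, 53, 17) the private exponent is d = 2753 and the message 65 encrypts to 2790; recover_private_exponent((17, 3233)) returns 2753 with no knowledge of the private key, which is the whole argument for a modulus too large to factor.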

1.14 Intrusion Detection


An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activity or policy violations and produces reports to a management station. IDSs come in a variety of 'flavours' and approach the goal of detecting suspicious traffic in different ways. There are network-based (NIDS) and host-based (HIDS) intrusion detection systems. A NIDS watches traffic crossing a network segment; depending on where its sensor is placed it can see attacks arriving from outside (at the perimeter) or those originating inside the network, including from authorized users. Classified by how they interact with the system, there are two types: online and offline NIDS. An online NIDS works on the network in real time, analysing each packet as it passes and applying a set of rules to decide whether it is part of an attack. An offline NIDS works on stored data (captures or logs) and passes it through the same kind of analysis after the fact.

Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them and reporting attempts. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization. They typically record information related to observed events, notify security administrators of important observed events and produce reports. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding, using several response techniques: the IDPS stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall) or changing the attack's content.

1.14.1 Terminology
Burglar Alert/Alarm: A signal suggesting that a system has been or is being
attacked.
Detection Rate: The detection rate is defined as the number of intrusion instances
detected by the system (True Positive) divided by the total number of intrusion instances
present in the test set.
False Alarm Rate: It is defined as the number of ‘normal’ patterns classified as
attacks (False Positive) divided by the total number of ‘normal’ patterns.

1.14.2 Alert Types
• True Positive: a genuine attack that triggers the IDS to produce an alarm (attack, alert).
• False Positive: an event that causes the IDS to produce an alarm when no attack has taken place (no attack, alert).
• False Negative: no alarm is raised although an attack has taken place (attack, no alert).
• True Negative: no attack has taken place and no alarm is raised (no attack, no alert).
• Noise: data or interference that can trigger a false positive or obscure a true positive.
• Site Policy: guidelines within an organization that control the rules and configuration of an IDS.
• Site Policy Awareness: an IDS's ability to change its rules and configuration dynamically in response to changing activity in its environment.
• Confidence Value: the value an organization places on an IDS, based on past performance and analysis, to help determine its ability to identify an attack effectively.
• Alarm Filtering: the process of categorizing the alerts produced by an IDS in order to distinguish false positives from actual attacks.
• Attacker or Intruder: an entity that tries to gain unauthorized access to information, inflict harm or engage in other malicious activity.
• Masquerader: a person who attempts to gain unauthorized access to a system by pretending to be an authorized user; masqueraders are generally outsiders.
• Misfeasor: a legitimate user who misuses their access; misfeasors are commonly insiders and are of two types:
1. an authorized user with limited permissions who reaches data or resources beyond them;
2. a user with full permissions who misuses those powers.
• Clandestine User: a person who seizes supervisory (administrative) control of the system and uses it to evade auditing and access controls, or to suppress the audit records of their own activity, so as to avoid being caught.
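The detection rate and false alarm rate defined in the terminology above, and the four alert outcomes just listed, are easiest to see computed. The following Python is an added example, not code from the original text: a deliberately crude signature-based detector (four regular-expression rules of this example's own devising) is run over a constructed, hand-labelled set of web-server request lines, not real traffic, and the counts are turned into the two rates. The rule set is loose enough to produce one false positive and misses one policy violation that has no signature, which is the normal state of affairs and the reason alarm filtering exists.

```python
# Added example, not from the original text: the page's detection rate and
# false alarm rate for a toy signature detector over constructed, labelled
# request lines. Rules and sample lines are this example's own.
import re
from typing import Dict, List, Set, Tuple

# (request line, is_attack) - CONSTRUCTED sample data with analyst labels
EVENTS: List[Tuple[str, bool]] = [
    ("GET /index.html HTTP/1.1", False),
    ("GET /login.php?user=admin' OR '1'='1 HTTP/1.1", True),        # SQL injection
    ("GET /../../etc/passwd HTTP/1.1", True),                       # path traversal
    ("POST /search?q=<script>alert(1)</script> HTTP/1.1", True),    # reflected XSS probe
    ("GET /images/logo.png HTTP/1.1", False),
    ("GET /docs/etc_passwd_migration_notes.txt HTTP/1.1", False),   # benign, trips the loose rule
    ("GET /admin/ HTTP/1.1", True),       # forbidden by site policy, but no signature matches
    ("GET /about HTTP/1.1", False),
]

# Signature rules: name -> pattern. 'sensitive_file' is intentionally sloppy.
RULES: Dict[str, re.Pattern] = {
    "sqli": re.compile(r"'\s*(or|and)\s*'?\d", re.IGNORECASE),
    "traversal": re.compile(r"\.\./"),
    "xss": re.compile(r"<script", re.IGNORECASE),
    "sensitive_file": re.compile(r"etc.?passwd", re.IGNORECASE),
}


def classify(line: str) -> Set[str]:
    """Names of every rule that fires on the line; empty set means no alert."""
    return {name for name, rx in RULES.items() if rx.search(line)}


def evaluate(events: List[Tuple[str, bool]]) -> Dict[str, float]:
    """Count TP/FP/FN/TN against the labels and derive the two rates:
    detection rate = TP / all attacks, false alarm rate = FP / all normals."""
    tp = fp = fn = tn = 0
    for line, is_attack in events:
        alert = bool(classify(line))
        if alert and is_attack:
            tp += 1
        elif alert and not is_attack:
            fp += 1
        elif not alert and is_attack:
            fn += 1
        else:
            tn += 1
    attacks, normals = tp + fn, fp + tn
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "detection_rate": tp / attacks if attacks else 0.0,
        "false_alarm_rate": fp / normals if normals else 0.0,
    }


def alerts_for_triage(events: List[Tuple[str, bool]]) -> List[Tuple[str, List[str], bool]]:
    """Alarm-filtering view: each alert with the rules that fired and the
    analyst label, so the false positives can be reviewed and the rule tuned."""
    return [(line, sorted(classify(line)), is_attack)
            for line, is_attack in events if classify(line)]
```

On this sample the detector scores TP = 3, FP = 1, FN = 1, TN = 3, a detection rate of 0.75 and a false alarm rate of 0.25. The false negative (the /admin/ request) shows why site policy matters: nothing in the packet is malformed, so only a rule that encodes the policy ("no external access to /admin/") could catch it.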
1.14.3 HIDS and NIDS
Intrusion detection systems are of two main types: network-based (NIDS) and host-based (HIDS).
Network Intrusion Detection Systems
Network Intrusion Detection Systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from the devices on it. A NIDS analyses the traffic passing on a subnet and matches it against a library of known attacks (signatures) or a model of normal behaviour. Once an attack is identified or abnormal behaviour is sensed, an alert can be sent to the administrator. An example of a NIDS deployment is placing a sensor on the subnet where the firewalls are located, in order to see whether someone is trying to break into the firewall. Ideally one would inspect all inbound and outbound traffic; however, doing so inline might create a bottleneck that impairs the overall speed of the network, which is why sensors usually watch a copy of the traffic (from a mirror/SPAN port or a tap) rather than sitting in the path. OPNET and NetSim are commonly used tools for simulating network intrusion detection systems. A NIDS can also correlate signature matches across related packets, and when it is deployed inline as a prevention system (NIPS) it can drop packets whose signature matches its records.
Host Intrusion Detection Systems
Host Intrusion Detection Systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets of that device only, together with local activity such as logins, process execution and file changes, and alerts the user or administrator if suspicious activity is detected. A common technique is to take a snapshot (hashes and attributes) of existing system files and compare it with the previous snapshot; if critical system files have been modified or deleted, an alert is sent to the administrator to investigate. HIDS are typically used on mission-critical machines whose configurations are not expected to change.
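As an added example (not code from the original text), the following Python implements the HIDS file-integrity technique just described: take a snapshot of the files under a directory, take another later, and report what was modified, deleted, added or re-permissioned. It runs against a constructed throw-away directory that stands in for a host's filesystem, with fake passwd/shadow files and fake binaries, so it is self-contained; the changes demo() makes after the baseline are the kinds an intruder makes, not real events.

```python
# Added example, not from the original text: HIDS-style file integrity
# checking. Snapshot hashes/attributes of every regular file, compare two
# snapshots, report changes. The directory tree and its contents are
# CONSTRUCTED inside demo(); nothing here touches the real /etc or /bin.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, Dict[str, object]]:
    """Record hash, size and permission bits of every regular file under root.
    A real HIDS takes this baseline on a known-good system and stores it
    where a local root compromise cannot rewrite it (off-host, or signed)."""
    base: Dict[str, Dict[str, object]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            base[path.relative_to(root).as_posix()] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return base


def compare(baseline: Dict[str, Dict[str, object]],
            current: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Diff two snapshots into the events an administrator needs to see."""
    report: Dict[str, List[str]] = {
        "modified": [], "deleted": [], "added": [], "permissions_changed": []}
    for name, rec in baseline.items():
        now = current.get(name)
        if now is None:
            report["deleted"].append(name)
            continue
        if now["sha256"] != rec["sha256"]:
            report["modified"].append(name)
        if now["mode"] != rec["mode"]:
            report["permissions_changed"].append(name)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo() -> Dict[str, List[str]]:
    """Build a fake host tree, baseline it, then make the changes an intruder
    would: add a UID-0 account line, remove shadow, drop a tool into bin."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "shadow").write_text("root:*:19000:0:99999:7:::\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stand-in for a binary\n")
        baseline = snapshot(root)

        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
        (root / "etc" / "shadow").unlink()
        (root / "bin" / "nc").write_bytes(b"\x7fELF constructed stand-in for a dropped tool\n")
        return compare(baseline, snapshot(root))
```

demo() reports etc/passwd as modified, etc/shadow as deleted and bin/nc as added. Two practical caveats follow from the design: the baseline must live somewhere the monitored host cannot alter it, or an attacker with root simply re-baselines after the change; and hashing every file is expensive, so real HIDS run the comparison on a schedule or on file-change notifications rather than continuously.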

1.15 Computer Security Classifications

As per the US Department of Defense Trusted Computer System Evaluation Criteria (TCSEC), there are four security divisions for computer systems: A, B, C and D. This is a widely used specification for determining and modelling the security of systems and of security solutions. Following is a brief description of each division.
Sr. No. | Classification Type | Description
1 | Type A | Highest level. Uses formal design specifications and verification techniques. Grants a high degree of assurance of process security.
2 | Type B | Provides a mandatory protection system. Has all the properties of a class C2 system and attaches a sensitivity label to each object. It is of three types:
  • B1: maintains the security label of each object in the system; the label is used in access control decisions.
  • B2: extends the sensitivity labels to every system resource, such as storage objects; requires covert channel analysis and auditing of events.
  • B3: allows lists or user groups to be created for access control, granting or revoking access to a given named object.
3 | Type C | Provides protection and user accountability using audit capabilities. It is of two types:
  • C1: incorporates controls so that users can protect their private information and keep other users from accidentally reading or deleting their data. Traditional UNIX versions are mostly C1 class.
  • C2: adds individual-level access control to the capabilities of a C1 system.
4 | Type D | Lowest level. Minimal protection. MS-DOS and Windows 3.1 fall in this category.
Classified information is material that a government body claims is sensitive
information that requires protection of confidentiality, integrity, or availability. Access is
restricted by law or regulation to particular groups of people, and mishandling can incur
criminal penalties and loss of respect. A formal security clearance is often required to
handle classified documents or access classified data. The clearance process usually
requires a satisfactory background investigation. Documents and other information
assets are typically marked with one of several (hierarchical) levels of sensitivity—e.g.,
restricted, confidential, secret and top secret. The choice of level is often based on an
impact assessment; governments often have their own set of rules which include the
levels, rules on determining the level for an information asset, and rules on how to protect
information classified at each level.
This often includes security clearances for personnel handling the information.
Although “classified information” refers to the formal categorization and marking of
material by level of sensitivity, it has also developed a sense synonymous with
“censored” in US English. A distinction is often made between formal security
classification and privacy markings such as “commercial in confidence”. Classifications
can be used with additional keywords that give more detailed instructions on how data
should be used or protected.
Some corporations and non-government organizations also assign sensitive
information to multiple levels of protection, either from a desire to protect trade secrets, or
because of laws and regulations governing various matters such as personal privacy,
sealed legal proceedings and the timing of financial information releases.

1.15.1 Government Classification


The purpose of classification is to protect information. Higher classifications protect
information that might endanger national security. Classification formalizes what
constitutes a “state secret” and accords different levels of protection based on the
expected damage the information might cause in the wrong hands.
However, classified information is frequently “leaked” to reporters by officials for
political purposes. Several US presidents have leaked sensitive information to get their
point across to the public.

1.15.2 Typical Classification Levels


Although the classification systems vary from country to country, most have levels
corresponding to the following British definitions.
Top secret is the highest level of classified information. Information is further
compartmented, so that requiring a specific code word in addition to Top Secret clearance
is a legal way to restrict access to collections of especially important information. Such
material would cause “exceptionally grave damage” to national security if made publicly
available. Prior to 1942, the UK and other members of the British Empire used Most Secret,
but this was changed to match the US’s Top Secret to simplify allied interoperability.

The Washington Post reported, in an investigation entitled Top Secret America, that
as of 2010 “An estimated 854,000 people ... hold top-secret security clearances” in the
United States.
Secret: Secret material would cause “serious damage” to national security if it were
publicly available. A 1947 memo shows the marking in use: “It is desired that no document
be released which refers to experiments with humans and might have adverse effect on
public opinion or result in legal suits. Documents covering such work field should be
classified ‘secret’.” (Atomic Energy Commission memo of April 17, 1947, from Colonel
O.G. Haywood, Jr. to Dr. Fidler at the Oak Ridge Laboratory in Tennessee.) As of 2010,
Executive Order 13526 bans classification of documents simply to “conceal violations of
law, inefficiency, or administrative error” or to “prevent embarrassment to a person,
organization, or agency”.
In the United States, operational “Secret” information can be marked with an
additional “LIMDIS”, to limit readership.
Confidential: Confidential material would cause damage or be prejudicial to
national security if publicly available.
Restricted: Restricted material would cause “undesirable effects” if publicly
available. Some countries do not have such a classification; in public sectors, such as
commercial industries, such a level is also known as “Private Information”.
Official: Official material forms the generality of government business, public
service delivery and commercial activity. This includes a diverse range of information, of
varying sensitivities, and with differing consequences resulting from compromise or loss.
OFFICIAL information must be secured against a threat model that is broadly similar to
that faced by a large private company.
In the UK, the OFFICIAL classification replaced the Confidential and Restricted
classifications from April 2014.

1.15.3 NATO Classifications

Sensitive information shared amongst NATO allies has four levels of security
classification, from most to least classified:
1. Cosmic Top Secret (CTS)
2. NATO Secret (NS)
3. NATO Confidential (NC)
4. NATO Restricted (NR)
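The hierarchical levels above, combined with code-word compartments, form a lattice, and an access decision is a comparison in that lattice. The following is an added worked example (not code from the unit, and not any government's actual system) that encodes the UK/NATO-style level names used in this section and checks whether a clearance may read a marking. It assumes the standard lattice dominance rule (clearance level at least the document's level, and clearance holds every code word on the document), which the unit does not name; it also goes beyond the text by adding the complementary "no write down" check. The code words ALPHA and BRAVO are placeholders.

```python
"""Classification lattice check: hierarchical level plus compartments (code words).

Added example, not part of the original unit. Level names follow the UK/NATO-style
ordering discussed in the text; the dominance rule is an assumption of this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Hierarchical levels, lowest to highest (names as used in the text above).
LEVELS = ["RESTRICTED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A security label: one hierarchical level plus a set of compartments (code words)."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown level: {self.level!r}")

    def dominates(self, other: Label) -> bool:
        """True if this label is at least as high as `other` in the lattice:
        level >= other's level AND a superset of other's compartments."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)

    def __str__(self) -> str:
        suffix = "/" + "/".join(sorted(self.compartments)) if self.compartments else ""
        return f"{self.level}{suffix}"


def parse_label(text: str) -> Label:
    """Parse a marking such as 'TOP SECRET/ALPHA' into a Label.
    Code words after the first '/' are placeholders, not real compartments."""
    parts = [p.strip() for p in text.split("/")]
    return Label(parts[0].upper(), frozenset(p.upper() for p in parts[1:] if p))


def may_read(clearance: Label, document: Label) -> bool:
    """Simple security ("no read up"): the reader's clearance must dominate the document."""
    return clearance.dominates(document)


def may_write(clearance: Label, document: Label) -> bool:
    """Star property ("no write down"): a subject may write only to a label that
    dominates its own, so higher-level information cannot leak into a lower document."""
    return document.dominates(clearance)


def access_decisions(clearance_text: str, markings: list) -> dict:
    """Evaluate (read, write) for one clearance against several document markings."""
    clearance = parse_label(clearance_text)
    return {m: (may_read(clearance, parse_label(m)), may_write(clearance, parse_label(m)))
            for m in markings}


if __name__ == "__main__":
    # Constructed sample: an analyst cleared SECRET with one placeholder code word.
    docs = ["RESTRICTED", "SECRET", "SECRET/ALPHA", "SECRET/BRAVO",
            "TOP SECRET", "TOP SECRET/ALPHA"]
    for marking, (r, w) in access_decisions("SECRET/ALPHA", docs).items():
        print(f"{marking:18} read={'yes' if r else 'no':3} write={'yes' if w else 'no'}")
```

A clearance of SECRET/ALPHA can read RESTRICTED and plain SECRET material but not SECRET/BRAVO (missing code word) or anything marked TOP SECRET (level too low); the write check runs the other way, refusing to let that subject write into a RESTRICTED document.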
Conclusion: Malicious attackers will use various methods, tools, and techniques to
exploit vulnerabilities in security policies and controls to achieve a goal or objective.
Non-malicious attacks occur due to poor security policies and controls that allow
vulnerabilities and errors to take place. Natural disasters can occur at any time. So,
organizations should implement measures to try to prevent the damage they can cause.
Prevention: Take measures that prevent your information from being damaged,
altered, or stolen. Preventive measures can range from locking the server room door to
setting up high-level security policies.
Detection: Take measures that allow you to detect when information has been
damaged, altered, or stolen, how it has been damaged, altered, or stolen, and who has
caused the damage. Various tools are available to help detect intrusions, damage or
alterations, and viruses.
Reaction: Take measures that allow recovery of information, even if information is
lost or damaged.

The above measures are all very well, but if we do not understand how information
may be compromised, we cannot take measures to protect it. Here are some components
we can examine to see how information can be compromised:
Confidentiality: The prevention of unauthorized disclosure of information. This can
be the result of poor security measures or information leaks by personnel. An example of
poor security measures would be to allow anonymous access to sensitive information.
Integrity: The prevention of erroneous modification of information. Authorized users
are probably the biggest cause of errors and omissions and the alteration of data. Storing
incorrect data within the system can be as bad as losing data. Malicious attackers also
can modify, delete, or corrupt information that is vital to the correct operation of business
functions.
Availability: The prevention of unauthorized withholding of information or resources.
This does not apply just to personnel withholding information. Information should be as
freely available as possible to authorized users.
Authentication: The process of verifying that users are who they claim to be when
logging onto a system. Generally, the use of user names and passwords accomplishes
this. More sophisticated is the use of smart cards and retina scanning. The process of
authentication does not grant the user access rights to resources—this is achieved
through the authorization process.
Authorization: The process of allowing only authorized users access to sensitive
information. An authorization process uses the appropriate security authority to
determine whether a user should have access to resources.
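The distinction just drawn, that authentication establishes identity while authorization decides what that identity may do, is easiest to see when the two steps are kept in separate functions. The following is an added example (not code from the unit): authentication verifies a claimed identity against a salted password hash using PBKDF2 from Python's standard library, and authorization then consults a separate, default-deny permission table, so a user who authenticates correctly still gets nothing the table does not grant. The users, passwords, resources and the iteration count are constructed sample values.

```python
"""Authentication versus authorization as two separate steps.

Added example, not from the original unit. All users, passwords, resources and the
PBKDF2 cost factor below are constructed sample values.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # sample cost factor; raise as hardware gets faster


def make_password_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store only a per-user random salt and the derived key, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "key": key}


def authenticate(users: dict, username: str, password: str) -> bool:
    """Step 1: is the caller who they claim to be?
    Unknown users and wrong passwords produce the same answer, and the unknown-user
    path does equivalent work so timing does not reveal which accounts exist."""
    record = users.get(username)
    if record is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], PBKDF2_ITERATIONS)
    # Constant-time comparison of the derived keys.
    return hmac.compare_digest(candidate, record["key"])


def authorize(acl: dict, username: str, resource: str, action: str) -> bool:
    """Step 2: does the verified identity hold the right for this action?
    Default deny: anything not explicitly listed in the ACL is refused."""
    return action in acl.get(resource, {}).get(username, set())


def request_access(users: dict, acl: dict, username: str, password: str,
                   resource: str, action: str) -> str:
    """Full decision: authenticate first; consult the ACL only for a verified identity."""
    if not authenticate(users, username, password):
        return "denied: authentication failed"
    if not authorize(acl, username, resource, action):
        return "denied: not authorized"
    return "granted"


# --- constructed sample data ---------------------------------------------------
USERS = {
    "alice": make_password_record("correct horse battery staple"),
    "bob": make_password_record("hunter2"),
}
# resource -> user -> set of allowed actions
ACL = {
    "payroll.db": {"alice": {"read", "write"}},
    "wiki": {"alice": {"read"}, "bob": {"read", "write"}},
}

if __name__ == "__main__":
    print(request_access(USERS, ACL, "alice", "correct horse battery staple", "payroll.db", "write"))
    print(request_access(USERS, ACL, "bob", "hunter2", "payroll.db", "read"))  # authenticated, not authorized
    print(request_access(USERS, ACL, "bob", "wrong", "wiki", "read"))          # wrong password
    print(request_access(USERS, ACL, "mallory", "x", "wiki", "read"))          # unknown user
```

Bob's login with the right password succeeds at step 1 yet is refused at step 2 for the payroll database, which is exactly the point: a valid credential is not an access right.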

1.16 Summary
Information security plays an important role in protecting the assets of an
organization. As no single formula can guarantee 100% security, there is a need for a set
of benchmarks or standards to help ensure an adequate level of security is attained,
resources are used efficiently, and the best security practices are adopted.
While information security plays an important role in protecting the data and assets
of an organization, we often hear news about security incidents, such as defacement of
websites, server hacking and data leakage. Organizations need to be fully aware of the
need to devote more resources to the protection of information assets, and information
security must become a top concern in both government and business.
The 17 security-related areas include: (a) access control; (b) awareness and training;
(c) audit and accountability; (d) certification, accreditation, and security assessments;
(e) configuration management; (f) contingency planning; (g) identification and authentication;
(h) incident response; (i) maintenance; (j) media protection; (k) physical and environmental
protection; (l) planning; (m) personnel security; (n) risk assessment; (o) systems and
services acquisition; (p) system and communications protection; and (q) system and
information integrity.
Although there are a number of information security standards available, an
organization can only benefit if those standards are implemented properly. Security is
something that all parties should be involved in. Senior management, information
security practitioners, IT professionals and users all have a role to play in securing the
assets of an organization. The success of information security can only be achieved by
full cooperation at all levels of an organization, both inside and outside.

1.17 Check Your Progress


I. Fill in the Blanks
1. Data that has been encrypted by an encryption algorithm (a cipher) is called
__________.
2. A(n) __________ cipher maps a single plaintext character to multiple
ciphertext characters.
3. A(n) __________ cipher rearranges the letters without changing them.
4. A(n) __________ cipher manipulates an entire block of plaintext at one time.
5. The __________ was specifically designed to replace the weaker Data
Encryption Standard (DES).
II. True or False
1. A cipher is an encryption or decryption algorithm tool used to create encrypted
or decrypted text.
2. Most security experts recommend that the family of DES hashes be replaced
with a more secure hash algorithm.
3. The Secure Hash Algorithm (SHA) creates a more secure hash 160 bits long
instead of 128 bits as with other algorithms.
4. Symmetric encryption algorithms use a single key to encrypt and decrypt.
5. A stream cipher takes one character and replaces it with one character.
III. Multiple Choice Questions
1. In computer security, __________ means that computer system assets can be
modified only by authorized parties.
(a) Confidentiality
(b) Integrity
(c) Availability
(d) Authenticity
2. In computer security, __________ means that the information in a computer
system is only accessible for reading by authorized parties.
(a) Confidentiality
(b) Integrity
(c) Availability
(d) Authenticity
3. The type of threats on the security of a computer system or network are
__________.
(i) Interruption (ii) Interception (iii) Modification (iv) Creation (v) Fabrication
(a) (i), (ii), (iii) and (iv) only
(b) (ii), (iii), (iv) and (v) only
(c) (i), (ii), (iii) and (v) only
(d) All (i), (ii), (iii), (iv) and (v)
4. Which of the following is an independent malicious program that does not need
any host program?
(a) Trap doors
(b) Trojan horse
(c) Virus
(d) Worm

5. The __________ is code that recognizes some special sequence of input or is
triggered by being run from a certain user ID or by an unlikely sequence of events.
(a) Trap doors
(b) Trojan horse
(c) Logic bomb
(d) Virus
6. The __________ is code embedded in some legitimate program that is set to
“explode” when certain conditions are met.
(a) Trap doors
(b) Trojan horse
(c) Logic Bomb
(d) Virus
7. Which of the following malicious programs does not replicate automatically?
(a) Trojan horse
(b) Virus
(c) Worm
(d) Zombie
8. __________ programs can be used to accomplish functions indirectly that an
unauthorized user could not accomplish directly.
(a) Zombie
(b) Worm
(c) Trojan horses
(d) Logic bomb
9. State whether true or false.
(i) A worm mails a copy of itself to other systems.
(ii) A worm executes a copy of itself on another system.
(a) True, False
(b) False, True
(c) True, True
(d) False, False
10. A __________ is a program that can infect other programs by modifying them;
the modification includes a copy of the virus program, which can go on to infect
other programs.
(a) Worm
(b) Virus
(c) Zombie
(d) Trap doors

1.18 Questions and Exercises


1. What is information security?
2. Discuss the functions of cryptography.
3. What is the user authentication concept?
4. Discuss the key components of computer security.
5. What are store operation resources?
6. What is a user account?
7. Discuss the CIA triangle.

1.19 Key Terms


• Alert: Notification that a specific attack has been directed at the information
system of an organization.
• Attack: Intentional act of attempting to bypass one or more computer security
controls.
• Authenticate: To verify the identity of a user, user device, or other entity, or the
integrity of data stored, transmitted, or otherwise exposed to unauthorized
modification in an information system, or to establish the validity of a transmission.
• Authentication: Security measure designed to establish the validity of a
transmission.
• Cipher or Cipher Text: A cryptographic system in which units of plain text are
substituted or transposed according to a predetermined key.
• Ciphony: A process of enciphering audio information, resulting in encrypted
speech.
• Code: A system for replacing words, phrases, letters or numbers by other
words or groups of letters or numbers for concealment or brevity.

1.20 Check Your Progress: Answers


I. Fill in the Blanks
1. ciphertext
2. homoalphabetic substitution
3. transposition
4. block
5. Triple Data Encryption Standard (3DES)
II. True or False
1. True
2. False
3. True
4. True
5. True
III. Multiple Choice Questions
1. (b) Integrity
2. (a) Confidentiality
3. (c) (i), (ii), (iii) and (v) only
4. (d) Worm
5. (a) Trap doors
6. (c) Logic bomb
7. (a) Trojan horse
8. (c) Trojan horses
9. (c) True, True
10. (b) Virus

1.21 Case Study

Case Study: A Security Audit for Better Business


Information Security becomes imperative for an organization when a growing
number of its employees gain access to business resources. Organon India Ltd. tackled
this issue through a security audit. When bulk pharmaceutical giant Organon India Ltd
(OIL) wanted to gain an edge over its rivals, it decided that the best way to do it was to
provide its employees with higher levels of access to business critical resources and the
Internet. Maintaining an acceptable standard for information assurance, however, was
equally important.
This was achieved by conducting a third party information security audit. At the end
of the audit exercise, the company was able to make a number of process improvements
and devise various strategic policies for better information security.

At OIL
Organon (a part of Akzo Nobel), headquartered in Roseland, NJ, USA, creates and
markets prescription medicines that improve health and quality of human life. OIL’s
Indian operations began more than 35 years ago, in Mumbai. Its two
factories located in and around Calcutta are involved in making bulk drugs. The
company's sales and distribution team is spread across the country with regional offices
in Calcutta, Delhi, and Chennai.
The organization relies first and foremost on its expertise in research and
development to produce medicines.

Need for Security Audit


Over the past few years, OIL has used IT as a means of increasing operational
efficiencies and as a business driver. Consequently, the company has invested
substantially in areas such as:
• IT infrastructure
• Line building
• Implementing ERP systems
• E-mail
• Other workflow applications
As an increasing number of people were gaining access to business critical
resources through the growing use of information technology, security became a real
concern for the top management.
When the management chose to beat competition by giving employees increased
access to business critical resources, it also felt the need to conduct a security audit to
get a closer look at the strengths and weaknesses of the current infrastructure along with
advice on strategies and policies required to stay competitive.
OIL chose Sify as its auditor. “Since they already were our Internet bandwidth
service provider, we felt that they could provide us with world-class network security
services as well,” said A.K. Sircar, Controller – Information Technology, for the company.

The Audit Solution


The audit was divided into three phases: Assessment, Supply and Deployments,
and Review.

Assessment
In this phase, a detailed IT infrastructure review was performed. This involved:
• Vulnerability assessment and analysis of the OIL infrastructure.
• Detailed study of OIL’s internal policies, processes, and procedures pertaining
mostly to IT.
• Gap analysis for OIL to uncover the inadequacies of the current processes,
procedures, and practices in accordance with the BS7799 standard for
information security.
Many documents that formed the network study, security policies, technical
procedures and process related documents were included in the scope of this study. All
the IT processes, both at the practical day-to-day implementation and policy/guideline
levels of OIL were studied and analyzed.
The study included OIL’s security policies, change control processes, configuration
management, third party and internal supply, service level agreements and other relevant
areas.
• Information Resource Risk Assessment: The respective threats and
vulnerabilities were identified for the resources. The assessment was done
using best-of-breed commercial as well as Open Source tools while the
processes were assessed with BS7799 as a reference.
• Security Architecture Design: To mitigate these risks, a detailed and in-depth
security architecture design was recommended.
• Recommendation: The final recommendations, based on the above, were
submitted to the management for approval.

Supply and Deployments


In this phase, best-of-breed products were recommended to support the security
architecture design proposed for the OIL infrastructure. These products were supplied to
OIL at a later stage. Once the OIL management approved the recommendations, the
following technical security architecture was deployed:
• Reorganizing IP addressing schemes for the enterprise.
• Layer 2 VLANs for internal traffic segmentation with centralized access control
for the VLANs.
• Access control using high-performance NetScreen firewalls.
• Real-time monitoring using ISS RealSecure network IDS and host-based IDS
with the Fusion module for real-time attack correlation and monitoring.
• Virus, worm, spam, and malware defense using Trend Micro.
• Web usage monitoring using Websense.
• Firewall log analysis through WebTrends.
The recommended technical architecture was backed by best practice policies as
well as processes to ensure mitigation of the risks discovered during the assessment phase.

Review
In this phase, the review of the security policies and processes of the organization
would be performed by the global IT teams and would be both scheduled as well as
unscheduled. Sify, as a security service provider, would also be responsible for ensuring
that the company comes out with little or no severe concerns during the course of the
audit.

Assessing the Security Audit Process
The security audit has provided a number of benefits to OIL. It has enabled the
company to safely open the network to the Internet, without compromising on the
performance. It has helped increase productivity of the employees by ensuring that
during official hours only the resources relevant to accomplishing their key result areas
are made available.
The results have allowed the company to follow better resource management
practices, like bandwidth management by prioritizing traffic. It can now monitor, in real
time, traffic to the business critical resources. This helps avoid internal malicious
activity and assures higher levels of access to the critical resources.
And the audit has helped increase the efficiencies (with respect to time and effort
saved) of the IT team by integrating a firewall log analyzer within the infrastructure.

Going Ahead
In the next few months, OIL will regularize its audit practice. This will enable
improvements in processes and overall business strategy. And it will help the company
continue to use IT as an important business driver.

IT Infrastructure at OIL
Organon India Ltd. (OIL) has offices in Mumbai, Calcutta, Delhi, Chennai and Hyderabad. Its
data center is independently situated in Mumbai.
All business critical resources have been located in the data center.
These include:
• ERP application, which runs on the IBM AS/400 mainframe platform. All users located
around the country log on to the AS/400 and update data, orders, and other
ERP-related operations using Citrix.
• Mailing solution
• Internal workflow applications
• DNS servers
The OIL WAN rides on the Sify Network to connect its offices across the country and
the data center. The WAN is an IP-based VPN with a mix of leased lines and broadband as the
last mile to each of OIL’s offices.
The company has Internet connectivity in Calcutta and Mumbai. It is planning a link between the
Mumbai data center and the research center in the Netherlands via Osaka (Japan). This link is
being sourced from Equant. The link is to provide access to specific applications and for users to
interact with the Netherlands’ office.

In a Nutshell
The Company
Organon India Ltd. (OIL) is a pharmaceutical company that manufactures bulk drugs and carries
out a lot of R&D activities.
The Need
OIL wanted to provide higher levels of access to business critical resources and the Internet to its
employees. At the same time, it wanted to maintain an acceptable standard of information
assurance.
The Solution
It used the services of a third party to conduct an IT security audit.

The Benefits


The audit provided the company with the ability to open the network to the Internet, while
ensuring that the network is secure and performance is not compromised. It has helped increase
employee productivity and ensured better resource management practices, like bandwidth
management through prioritizing traffic.

1.22 Further Readings


1. Stallings, Cryptography and Network Security: Principles and Practice, 5/e
(Prentice Hall, 2010). Relative to this book’s 4th edition, the Network Security
Components and an extra chapter on SNMP are also packaged as ‘Stallings’
Network Security Essentials: Applications and Standards, Third Edition
(Prentice Hall, 2007).
2. Kaufman, Perlman and Speciner, Network Security: Private Communications
in a Public World, 2/e (Prentice Hall, 2003).
3. Menezes, van Oorschot and Vanstone, Handbook of Applied Cryptography
(CRC Press, 1996; 2001 with corrections), free online for personal use.
4. Stallings and Brown, Computer Security: Principles and Practice, 3/e (2014,
Prentice Hall).
5. Boyle and Panko, Corporate Computer Security, 3/e (2013, Prentice Hall). See
also: Panko, Corporate Computer and Network Security, 2/e (2009, Prentice
Hall).
6. Gollmann, Computer Security, 3/e (2011, Wiley).
7. Smith, Elementary Information Security (2011, Jones & Bartlett Learning).
8. Stamp, Information Security: Principles and Practice, 2/e (2011, Wiley).
9. Goodrich and Tamassia, Introduction to Computer Security (2010,
Addison-Wesley).
10. Saltzer and Kaashoek, Principles of Computer System Design (2009, Morgan
Kaufmann).
11. Smith and Marchesini, The Craft of System Security (2007, Addison-Wesley).
12. Pfleeger and Pfleeger, Security in Computing, 4/e (2007, Prentice Hall).
13. Bishop, Computer Security: Art and Science (2002, Addison-Wesley).
14. Adams and Lloyd, Understanding Public Key Infrastructure, 2/e (Macmillan
Technical, 2002).
15. Housley and Polk, Planning for PKI: Best Practices Guide for Deploying Public
Key Infrastructures (Wiley, 2001).

Miscellaneous Resources:
1. IEEE Security and Privacy Magazine Tables of Contents (since Jan. 2003).
2. Review of 10 Cryptography Books (Plus Background Introduction), Susan
Landau, Bull. Amer. Math. Soc., 41 (2004), pp. 357-367. Copyright 2004, AMS.
3. (Classic Security Paper) J.H. Saltzer, M.D. Schroeder, The Protection of
Information in Computer Systems, Web version. Proc. IEEE, 63(9): 1278-1308
(Sept. 1975), DOI: 10.1109/PROC.1975.9939.
4. DoD Orange Book (1985) and Other Seminal Papers in Computer Security
(thanks to: UC Davis/Matt Bishop).
5. Educational Comic Strips Teaching about Password Guessing Attacks (thanks
to Leah Zhang at Carleton).
