RUTH G. LUCIANO
PRINCE MERT O. NICOLAS
VANESSA C. PASCUAL
JEROME MANGULABNAN
DENNIS S. ABERIN
Information Assurance and Security
(IT-IAS 01)
1. define IA and INFOSEC;
2. discuss the importance of studying information assurance and security (IAS);
3. write their own IS principle/s based on the discussion made in class; and
4. analyze a simple case related to IAS.
What is IA?
Digital Forensic and Cyber Security Center (DFCSC) defines IA as:
“…the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. It uses physical, technical and administrative controls to accomplish these tasks. While focused predominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical form as well. These protections apply to data in transit, both physical and electronic forms, as well as data at rest in various types of physical and electronic storage facilities.” (http://csf102.dfcsc.uri.edu, https://en.wikipedia.org/wiki/Information_assurance)
Why Is Information Assurance Needed?
Information Assurance is very much needed in business, because “IA increases the utility of information to authorized users and reduces the utility of information to those unauthorized.” (Source: https://infogalactic.com, https://en.wikipedia.org/wiki/Information_assurance)
In line with this, DFCSC stated that “IA practitioners must consider corporate governance issues
such as privacy, regulatory and standards compliance, auditing, business continuity, and disaster recovery
as they relate to information systems.” (http://csf102.dfcsc.uri.edu,
https://en.wikipedia.org/wiki/Information_assurance)
Information Assurance Process
IA process, as enumerated in https://infogalactic.com,
https://en.wikipedia.org/wiki/Information_assurance involves the following:
“1. Enumeration and classification of the information assets to be protected.
2. Conduct of risk assessment for those information assets (to be done by IA practitioners).
3. Enumerate possible threats capable of asset exploitation by determining vulnerabilities in the information assets.
4. Consider the probability of a threat exploiting a vulnerability in an asset.
5. Determine the effect and impact of a threat exploiting a vulnerability in an asset, with impact usually measured in terms of cost to the asset's stakeholders.
6. Summarizing the products of the threats' impact and the probability of their occurrence in the information asset.”
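The six steps above carried through on a small risk register, as an added example that is not part of the module or any of its cited sources; the assets, threats, vulnerabilities, probabilities and cost figures are all constructed for illustration:

```python
"""Worked run of the six-step IA process on a constructed risk register.

Steps 1-2: enumerate and classify the assets, then assess each one.
Steps 3-5: list threats, the vulnerability each would use, the probability
           of exploitation and the impact in cost to the asset's stakeholders.
Step 6:    summarise impact x probability per threat and per asset.
All names and figures below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str   # step 1: e.g. "confidential", "internal", "public"
    value: float          # cost to stakeholders if the asset were fully lost


@dataclass(frozen=True)
class Threat:
    asset: str            # name of the asset this threat targets
    description: str      # step 3: what the threat does
    vulnerability: str    # step 3: the weakness it would exploit
    probability: float    # step 4: chance of exploitation in one year, 0..1
    impact_fraction: float  # step 5: share of asset value lost if it succeeds, 0..1

    def __post_init__(self):
        # Reject figures outside 0..1 instead of silently producing nonsense scores.
        for attr in ("probability", "impact_fraction"):
            v = getattr(self, attr)
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{attr} must be within 0..1, got {v}")


def expected_loss(asset: Asset, threat: Threat) -> float:
    """Step 6 for one threat: impact (in cost) multiplied by its probability."""
    return asset.value * threat.impact_fraction * threat.probability


def rank_threats(assets, threats):
    """Return (expected_loss, asset, threat) triples, highest expected loss first."""
    by_name = {a.name: a for a in assets}
    rows = [(expected_loss(by_name[t.asset], t), by_name[t.asset], t) for t in threats]
    return sorted(rows, key=lambda r: r[0], reverse=True)


def exposure_by_asset(assets, threats):
    """Step 6 per asset: sum of expected losses over all threats against it."""
    totals = {a.name: 0.0 for a in assets}
    for loss, asset, _ in rank_threats(assets, threats):
        totals[asset.name] += loss
    return totals


# Constructed register (step 1): three assets, each with a classification and a value.
ASSETS = [
    Asset("customer_db", "confidential", 500_000.0),
    Asset("web_server", "internal", 120_000.0),
    Asset("marketing_site", "public", 20_000.0),
]

# Constructed threats (steps 3-5) against those assets.
THREATS = [
    Threat("customer_db", "SQL injection dumps records",
           "unparameterised query in the search page", 0.30, 0.80),
    Threat("customer_db", "backup tape stolen in transit",
           "backups are not encrypted", 0.05, 1.00),
    Threat("web_server", "DDoS takes the site offline",
           "no rate limiting or upstream filtering", 0.60, 0.25),
    Threat("marketing_site", "defacement",
           "content management system not patched", 0.50, 0.50),
]


def print_register(assets=ASSETS, threats=THREATS):
    """Print the ranked register so that the highest risks are treated first."""
    print(f"{'expected loss':>14}  {'asset':<15} {'class':<13} threat / vulnerability")
    for loss, asset, threat in rank_threats(assets, threats):
        print(f"{loss:>14,.0f}  {asset.name:<15} {asset.classification:<13} "
              f"{threat.description} via {threat.vulnerability}")
    for name, total in exposure_by_asset(assets, threats).items():
        print(f"total exposure for {name}: {total:,.0f}")


if __name__ == "__main__":
    print_register()
```

With these figures the SQL injection risk against the customer database dominates the register, which is the point of step 6: it tells the practitioner which vulnerability to treat first.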
The cryptology components of IA primarily concentrate on the last four pillars, namely: “…integrity, authentication, confidentiality, and non-repudiation. These pillars are applied in accordance with the mission needs of particular organizations.” (https://itlaw.wikia.org/wiki/Information_assurance)
Tylercybersecurity.com defines these pillars as follows:
“Integrity, which means protecting against improper information modification or damage, and includes ensuring information non-repudiation and authenticity; Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; Authentication is the process of determining whether someone (or something) is, in fact, who (or what) it is declared to be…” (https://www.tylercybersecurity.com/blog/fundamental-objectives-of-information-security-the-cia-triad, https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-notes/chapter-1-introduction-to-computer-security/2575050/view, https://www.cise.ufl.edu/~nemo/crypto/slides/ch01_overview_nemo.ppt, https://www.plagscan.com/highlight?doc=132890096&source=35)
technology within the company secure from malicious cyber-attacks that
often attempt to breach into critical private information or gain control of
the internal systems.” (Sources: https://isepolido.wordpress.com,
http://indiancybersecurity.com/informaton_security_protection.php)
All institutions, both public and private, deal with a lot of confidential information. With the advent of modern technology, most of this information is now gathered, processed and saved digitally and transmitted over computer networks. Write down ways in which this information should be properly secured to prevent loss of sensitive or confidential information, prevent hostile use of data, and avoid damage to the organization’s reputation.
WHY SECURITY?
PRINCIPLES OF SECURITY
The CIA triad embodies the three concepts on “fundamental security objectives for both data,
information and computing services.”
(https://www.cise.ufl.edu/~nemo/crypto/slides/ch01_overview_nemo.ppt)
These concepts are presented in the figure below:
To clearly understand these concepts, please refer to the discussion below:
1. CONFIDENTIALITY
“The terms privacy and secrecy are sometimes used to distinguish between the protection of
personal data (privacy) and the protection of data belonging to an organization (secrecy).”
(https://www.slideshare.net/FatWreckCulley/network-security-fundamentals-29523635)
Let us take this as an example:
“…a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, backups, printed receipts, etc.), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.” (http://csf102.dfcsc.uri.edu, https://en.wikipedia.org/wiki/Information_assurance, http://indiancybersecurity.com/informaton_security_protection.php, https://onkarsule.files.wordpress.com/2012/08/informationsecurity1.pdf)
In summary, confidentiality is important in maintaining people’s privacy. Unauthorized disclosure of information is likely to occur when confidentiality is lost.
2. INTEGRITY
“…is the assurance that the information is trustworthy and accurate.” (https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA)
“…involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle.” (https://www.coursera.org/lecture/introduction-cybersecurity-cyber-attacks/cybersecurity-definition-etu7J, https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-notes/chapter-1-introduction-to-computer-security/2575050/view, https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA, http://dlearn.eu/why-data-integrity-is-important-for-security/, https://www.justanswer.com/computer/brdph-1-explain-detail-concept-confidentiality.html)
“Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered
by unauthorized people (for example, in a breach of confidentiality).”
(https://cyberthreatportal.com/elements-of-cybersecurity,
https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-
notes/chapter-1-introduction-to-computer-security/2575050/view,
https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA)
This goal covers how we keep our data from being altered. A man-in-the-middle (MiTM) attack is the example threat for this goal.
Additional qualifications like “being authorized to do what one does or following the correct procedures have also been included under the term integrity, ensuring that users of a system, even if authorized, are not permitted to modify data items in such a way that assets (i.e., accounting records) of the company are lost or corrupted.” (https://www.slideshare.net/FatWreckCulley/network-security-fundamentals-29523635) DISCUSS.
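How an integrity control lets the receiver detect the in-transit modification that a man-in-the-middle attempts, as an added example that is not from the module or its sources; the shared key, the messages and the `Envelope` layout are assumptions constructed for this illustration:

```python
"""Detecting in-transit modification with a keyed message authentication code.

The sender and receiver share a secret key; the sender attaches an HMAC tag
computed over the message.  Anyone on the path can still read or alter the
bytes, but cannot produce a valid tag for an altered message without the key,
so the receiver can tell whether what arrived is what was sent.
Key, messages and the envelope layout are constructed for this illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: agreed out of band


@dataclass
class Envelope:
    message: bytes
    tag: str  # hex HMAC-SHA256 over message


def protect(message: bytes, key: bytes = SHARED_KEY) -> Envelope:
    """Sender side: compute the integrity tag for the message."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return Envelope(message, tag)


def verify(env: Envelope, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare it in constant time."""
    expected = hmac.new(key, env.message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, env.tag)


def man_in_the_middle(env: Envelope, old: bytes, new: bytes) -> Envelope:
    """Simulates an intermediary rewriting the message body it relays.
    It has no key, so the best it can do is forward the original tag."""
    return Envelope(env.message.replace(old, new), env.tag)


def transfer_outcome(env: Envelope) -> str:
    """Receiver's decision: act on the message only if its tag verifies."""
    if verify(env):
        return "accepted: " + env.message.decode()
    return "rejected: integrity check failed"


def demo():
    """Send one instruction untouched and one altered on the way; return both outcomes."""
    sent = protect(b"transfer 100 to account 42")
    tampered = man_in_the_middle(sent, b"account 42", b"account 99")
    return transfer_outcome(sent), transfer_outcome(tampered)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that the tag proves only that the message was not altered and came from a holder of the key; it does not hide the message, so confidentiality still needs encryption, as in the credit card example above.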
3. AVAILABILITY
Assignment:
Why do we need to keep important corporate information confidential? What kinds of abuses can
you think of in the absence of controls on confidentiality? What criminal activities could be
reduced or eliminated if confidentiality controls were effectively implemented?
REFERENCES
Definition of information assurance. Retrieved from https://interparestrust.org/terminology/term/information assurance on July 13, 2020.
Elements of Cyber Security. Retrieved from https://cyberthreatportal.com/elements-of-cybersecurity and https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-notes/chapter-1-introduction-to-computer-security/2575050/view.
Information assurance definition. Retrieved from https://itlaw.wikia.org/wiki/Information_assurance on July 14, 2020.
Information security. Retrieved from https://isepolido.wordpress.com/2013/06/ on July 15, 2020.
Information security. Retrieved from https://onkarsule.files.wordpress.com/2012/08/informationsecurity1.pdf.
Information security and protection. Retrieved from http://indiancybersecurity.com/informaton_security_protection.php on July 15, 2020.
Metivier, Becky (2017). Fundamental objectives of information security: the CIA triad. Retrieved from https://www.tylercybersecurity.com/blog/fundamental-objectives-of-information-security-the-cia-triad on July 14, 2020.
System fundamental for Cyber Security. Retrieved from http://csf102.dfcsc.uri.edu on July 14, 2020.
The CIA Triad. Retrieved from https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA on July 14, 2020.
What is information assurance? Retrieved from https://infogalactic.com/info/Information_assurance on July 14, 2020.
What is information security? Retrieved from https://infogalactic.com/info/Information_security on July 15, 2020.
What is non-repudiation? Retrieved from https://www.cryptomathic.com/products/authentication-signing/digital-signatures-faqs/what-is-non-repudiation on July 14, 2020.
Why is cyber security important? Retrieved from http://www.clevernetsol.net/why-is-cybersecurity-important/ on July 15, 2020.
World Heritage Encyclopedia Edition (2020). Information assurance. Retrieved from http://self.gutenberg.org/articles/eng/Information_assurance on July 14, 2020.
Retrieved from https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-notes/chapter-1-introduction-to-computer-security/2575050/view.
Retrieved from https://www.slideshare.net/FatWreckCulley/network-security-fundamentals-29523635.
Directions: Match the items on the left to the definitions that are stated on the right. Write the
letter of your answers legibly on the space provided.
Directions: True or False. Write “True” if the statement is correct, and “False” if not.
_____________1. Spims are spams that are present in the instant messaging applications.
_____________2. Hackers have bad intentions always.
_____________3. Vulnerabilities are actions that might compromise or destroy an asset.
_____________4. Computer viruses are self-contained.
_____________5. Spam is a message that claims to warn recipients of a (non-existent) computer virus threat.
_____________6. Interruption happens when a system becomes lost, unavailable or unusable.
_____________7. Password Checker is software that is used to retrieve a forgotten password or other network resources. Sometimes it is also used to access resources without permission.
_____________8. Backdoors refer to the hidden access included by the developers. Attackers
can use them to gain access to the Information Systems.
_____________9. The data breach is widely observed on the Web-based Information Systems
because many assets exposed over the internet are attacker’s apple of the eye.
_____________10. Grey Hat Hackers are combinations of ethical and unethical hackers.
a. identify assets
b. identify vulnerabilities
c. identify threats
d. identify controls
ASSETS
Crown jewels are the precious ornaments or jewellery worn by a sovereign on certain state occasions. Put simply, crown jewels are a particularly valuable or prized possession, something we keep in a safe place.
This analogy gives us an idea of what an ASSET is. In every Information System we develop, we treat all data as “crown jewels”.
In Information Security, an ASSET refers to any piece of information, device or other related component that supports business activities. Assets are either components of a computer and/or the data stored in it. Basically, assets are the things that should be put under strict security measures, because failure to do so may result in losses to the organization.
To put it simply, assets are the main reason why we need to secure and assure our information systems: once they are exposed, problems may follow that lead to losses for the organization.
In more detail, mismanagement of assets may lead to attacks. Attacks are activities intended to seize assets in order to use them for bad ends. These attacks happen everywhere, in both the public and private sectors. One example of an attack is a Data Breach.
A Data Breach is an event in which information is accessed without the consent of the authorized party. Data breaches are widely observed on web-based Information Systems because the many assets exposed over the internet are the attacker’s apple of the eye. In fact, victims rose 80% in India in 2019. The chart below shows the different types of attacks that happened on the web in the month of September 2019.
Source: https://www.hackmageddon.com/2019/11/04/september-2019-cyber-attacks-statistics/
The following is the list of assets that Information Assurance and Security tries to protect:
1. Customer Data
2. IT and Network Infrastructure
3. Intellectual Property
4. Finances and Financial Data
5. Service Availability and Productivity
6. Reputation
On the other hand, a person with bad intentions who attacks one’s assets is a Hacker. Hackers refer to anyone with the professional skill to access assets without any authorization. Their intention is basically to commit crimes, mostly to steal from and destroy systems. Sometimes systems are hacked to hold the assets of the system hostage, with a ransom collected on condition of giving the assets back.
However, good hackers also exist. They are the ones who use their skills in hardware and software to bypass the security of a device or a network. Their intention is to provide a service to the victims of attacks. Both public and private sectors hire good hackers to help them keep their systems safe.
Computer security professionals name hackers metaphorically using hat colors such as White, Black and Gray. The names come from the old spaghetti westerns, where black hats were worn by the bad cowboys, white hats by the good ones, and gray by the neutral.
White Hat Hackers
Hackers who use their skills to do good are referred to as White Hat Hackers. Most big companies intentionally employ white hat hackers to work for them. Their main responsibility is to check for and find holes in the company’s systems through hacking.
The main difference between White Hat Hackers and Black Hat Hackers is that white hats perform hacking with the owner’s permission while black hats do not. In fact, there are trainings and certifications for ethical hacking.
Grey Hat Hackers
Grey is neither white nor black. This analogy applies to Grey Hat Hackers. They are a combination of ethical and unethical hackers. Sometimes they will look for a system’s or organization’s weakness without authorized access and report it to the company. The company may then hire them to secure the asset. However, if the company does not employ the Grey Hat Hackers, they may expose the said weaknesses online for Black Hat Hackers to act on.
The term hacker always sounds bad to us. However, it is very important for us to understand that our judgement of them should always depend on their intentions.
Aside from hackers, we also have people who violate or break the security of remote machines. They are known as Crackers. Typically, crackers get unauthorized access to vital data and deprive the original user or owner of it.
Crackers come in two kinds: the fortunately few and far between experts who discover security holes and exploit them, and the script kiddies, who only know how to obtain programs and run them.
These hackers and crackers are the ones whom Information Security is trying to catch.
Every attacker, whether a Hacker or a Cracker, uses tools to perform their attacks. The following are the tools they utilize to carry out their intentions:
1. Protocol Analyzers (Sniffers). These applications put the host NIC into a mode that passes all traffic to the CPU rather than only the traffic the controller was designed to receive.
2. Port Scanner. An application that probes a host for open ports.
3. Finger scanning. A way to acquire human biometrics like fingerprints.
4. Vulnerability Scanning Tools. Automated tools that scan web-based applications and find vulnerabilities. Examples of what they find are Cross-site scripting, SQL Injection, Command Injection, Path Traversal and insecure server configuration.
5. Exploit Software. A piece of software, a chunk of data or a series of commands that takes advantage of a bug or vulnerability to trigger unintended or unforeseen behavior in computer software, hardware or anything electronic.
6. Wardialers. These can be used to find backdoors into your network. A wardialer dials telephone numbers to check whether a line carries data through a modem and the like.
7. Password Cracker. Software used to retrieve a forgotten password or other network resources. Sometimes these are used to access resources without permission.
8. Keystroke Loggers. A keylogger is a surveillance application that can record every keystroke made on the system. It writes them to a log file that is usually encrypted.
Security Breach
Security breaches happen a lot, not necessarily at your house, but in large and small organizations. An intention to damage a company’s standing and finances is one concrete reason why security breaches exist.
Security and data breaches can happen on a large, uncontrollable scale.
A breach happens when an attacker or intruder gains access without the permission of the asset’s owner or keeper. They use bypass mechanisms that can typically reach restricted areas. A security breach is a violation that can lead to damage and even loss of assets.
Simply put, a Security Breach is any action that would result in a violation of any of the rules of the CIA triad (confidentiality, integrity, availability). Most of these breaches disrupt services intentionally. However, some of them are accidental, and both can cause hardware or software failures.
The following are activities that cause Security Breaches:
1. Denial of Service (DoS) attack. An attack that takes down a machine or network, so that a legitimate user can no longer use the affected asset.
2. Distributed denial-of-service (DDoS). This happens when an attacker floods the target with network traffic, so that a legitimate user is denied use of the network or a node.
3. Unacceptable Web Browsing. What counts as acceptable web browsing is defined in an Acceptable Use Policy (AUP); unacceptable browsing includes things like searching for files in a directory or browsing restricted sites.
4. Wiretapping. The practice of connecting a listening device to a telephone line to secretly monitor a conversation.
5. Backdoors. Hidden access included by the developers. Backdoors are used to gain access to data repositories.
6. Data Modifications. Changes to data that happen purposely or accidentally. This may also include incomplete and truncated data.
Additional security challenges may include:
1. Spam and Spim. Spam refers to unsolicited email; spim is spam over instant messaging.
2. Cookies. Cookies contain little chunks of data, which may include login credentials, that make it possible for a user to have a smooth browsing experience.
3. Hoaxes. A hoax is a message that claims to warn recipients of a (non-existent) computer virus threat.
A vulnerability is a weakness that may harm systems or networks.
There are a wide variety of threats spread out, especially on the internet. Many call the internet a marketplace of threats.
General Classification of Malware
Virus
Like human beings, our systems or assets can be infected by a virus too. In computing, a virus inserts itself into another program or application. Basically, it contaminates a program and can cause itself to be copied to other computers. Most of the time, the virus triggers when the user runs the infected application.
Worm
A worm is a program that is self-contained. It duplicates and sends itself to other hosts without any user intervention. One scary thing about a worm is that it does not need an installed application in order to contaminate the whole system.
Trojan Horse
A Trojan Horse is malware that hides inside a useful program. It collects sensitive information and may open backdoors into computers. A Trojan Horse can actively upload and download files.
Rootkit
A rootkit is a group of malicious software. Basically, these applications gain unauthorized access to a machine and hide their presence from other applications.
Spyware
Spyware is a type of malware that targets confidential data. Mostly, it monitors the user’s actions and can even carry out actions such as scanning, snooping and installing other spyware. It can even change the default browser of a computer.
COUNTERMEASURES
As the old saying goes, prevention is better than cure; in information security we can also cure, if not prevent, these attacks. There are suggested activities and tools that we, as Information Security Professionals, can use as an antidote or defense against the said attacks.
Countermeasures are, basically, actions taken to detect vulnerabilities, prevent attacks and/or react to the impact of successful attacks. In the case of an attack, a victim can get help from security consultants, law enforcement offices and/or experts.
The following are countermeasures that can help in preventing and/or curing malware:
1. Training events for users
2. Regular updates and bulletins about malware
3. Do not transfer assets to untrusted or unknown sources.
4. Evaluate new programs or quarantine files on a computer
5. Purchase and install anti-malware software and scan your files on a regular basis
6. Use strong login credentials
On the other hand, a firewall can defend your system from various forms of attack too. Basically, a firewall is a program or a dedicated device that inspects the network traffic present on a network. Its purpose is to deny or permit traffic depending on protocols.
Directions: Write the letter of the correct answer on the space provided before each item.
_________1. What do you call the unsolicited message you found on your Facebook messenger?
a. Spam b. Spim
c. Junk d. Archive
_________2. The following are ways to prevent malware EXCEPT for what?
a. Conduct educating sessions
b. Utilize powerful usernames and passwords
c. Sell them your downloaded anti-malware programs
d. Scan your drives regularly and put malicious files in quarantine
_________3. It is a type of malware that masquerades as an essential application.
a. Trojan Horse b. Worm
c. Virus d. Rootkit
_________4. It refers to a suggested activity that may help to assure the safety of your assets.
a. Countermeasure b. Scanning
c. Quarantine d. Anti-malware
_________5. We can say that a file is malicious if it _________.
a. Causes damage b. Escalates security privileges
c. Divulges private data d. Backs up important files
_________6. It refers to the data that one needs to enable to maximize web-browsing capability.
a. Hoax b. Worm c. Cookies d. Incognito
_________7. This refers to a threat where someone exploits confidential information about an organization or people with the intention of attacking the asset’s owner.
a. Death Threat b. Disclosure Threat
c. Unauthorized Threat d. Hijacking
_________8. The following are “Security Breaches” EXCEPT for what?
a. Denial of Service Attack (DoS) b. Distributed denial-of-service (DDoS)
c. Wiretapping d. Computer Formatting
_________9. The following are things that Information Security is trying to protect EXCEPT for what?
a. Attitudes b. Bank Accounts
c. Registration Details d. LAN and WAN Networks
_________10. Assets, such as Crown Jewels, should be kept in ________.
a. Treasure Box b. Vault
c. Secured database d. Fault-free bodega
Directions: Write down the letter of the correct/best answer on the space provided before each item.
_____1. The following are Vendor-Neutral Certifications EXCEPT for what?
a. GIAC b. CIW c. CISCO d. CISSP
_____2. The following are aspects of GIAC-SANS Certifications but not __________.
a. Health b. Audit c. Laws d. Hardware Security
_____3. The highest rank in CISCO certification is the ________.
a. Engineer b. Architect c. Associate d. Expert
_____4. To become eligible for the CIW Web Security Specialist certification, how many certifications from the CIW-approved credential list must an applicant possess?
a. One b. Two c. Three d. None
_____5. This (ISC)2 Certification recognizes your knowledge and ability to successfully implement, manage or assess security and privacy controls for healthcare and patient information.
a. HCISPP b. SSCP c. CISSP d. CCSP
_____6. National Training Standard for Information Systems Security (InfoSec) Professionals
a. NSTISS-4011 b. CNSS-4012
c. CNSS-4013 d. CNSS-4014
_____7. It has replaced the 8570.01 directive.
a. 8140 b. 8411 c. 8140.1 d. 8410
_____8. They manufacture a variety of network security hardware and software. They also offer a varied range of certifications for their networking product line. Basically, they offer four levels from 11 different tracks.
a. Juniper Networks b. CISCO c. ISACA d. APPLE
_____9. A Vendor-Specific Certification for which applicants are required to pass an exam that involves 80 percent study materials and 20 percent hands-on experience.
a. Juniper Networks b. CISCO c. Check Point d. RSA
_____10. Their main job is to protect the assets of the company from inside and outside threats.
a. IS Security Professional b. IS Security Associate
c. IS Security Clerk d. IS Security Expert
2.2 CERTIFICATION PROGRAMS IN THE INFORMATION SECURITY FIELD
INTRODUCTION
Just like in any other field, one must undergo training and pass a series of assessments to become certified in the profession. In information security, there are likewise evaluations that one must pass to be recognized as an expert. Mostly, these certifications are given by a specialized agency, either governmental or private.
The Department of Defense (DoD) is the body that certifies an individual who wishes to get a license in the field. As an agency which primarily provides security to the whole nation, it is also held liable if someone whom it certifies carries out an attack on any entity. For this reason, the DoD is very strict in implementing its series of directives.
Certifications and Trainings
DoD Directive 8570.01
DoD Directive 8570.01 is also known as Information Assurance Training, Certification and Workforce Management. This directive mainly affects any DoD facility or contractor organization. It is intended to ensure that all personnel directly involved with information protection are accredited with licenses.
DoD Directive 8140
DoD Directive 8140 has replaced the 8570.01 directive. It was developed by the Defense Information Systems Agency (DISA), and identifies the roles of a certified individual, such as providing protection, running and preserving, protecting and defending, researching, managing, gathering, overseeing, developing and investigating. For someone who wishes to get a certification, it is very important to undergo the prescribed trainings. The US DoD/NSA set the training standard listed below:
Vendor-Neutral Professional Certifications
Vendor-neutral certifications cover general ideas and subjects.
Information Security Assurance Certifications (ISC)2
Basically, (ISC)2, or the Information Security Certifications, certifies individuals who aspire to greater information security skills. The following are the certifications that (ISC)2 covers.
Global Information Assurance Certification (GIAC-SANS)
GIAC Certifications develops and administers certification programs for information security. More than 30 cyber security certifications correspond with SANS training and attest to mastery of vital, advanced InfoSec domains. GIAC Certifications provides industry, state and military clients worldwide with the highest and most comprehensive confirmation of information security expertise and skills available.
GIAC identifies several job disciplines in information security, such as audit, forensics, legal, management, security administration and software security.
The following table shows the Job Discipline, Level and Credential for GIAC certifications.
Certified Internet Webmaster (CIW)
CIW is the world's leading vendor-neutral training and certification program in IT and Internet technology. The CIW credentials concentrate on security in general as well as on the web site. Basically, it requires completing the requirements of the other vendor-neutral certifications. For CIW Web Security Associate, one must pass the Web Security Associate Exam (1D0-571); for CIW Web Security Specialist, one must pass the Web Security Associate Exam (1D0-571) and earn ONE credential from the CIW-approved credential list; and for CIW Web Security Professional, an applicant must pass the Web Security Associate Exam (1D0-571) and earn TWO credentials from the CIW-approved credential list.
CompTIA Security+
CompTIA Security+ is a global credential validating the basic skills you need to perform core security functions and pursue a career in IT security. CompTIA Security+ should be the first IT security certification a specialist earns. It establishes the core knowledge needed for any cybersecurity position and provides a springboard to intermediate-level cybersecurity jobs.
Skills such as the following are acquired through this certification:
• Detect various types of compromise and understand penetration testing and vulnerability scanning concepts
• Install, configure, and deploy network components while assessing and troubleshooting issues to support organizational security
• Implement secure network architecture concepts and systems design
• Install and configure identity and access services, as well as management controls
• Implement and summarize risk management best practices and the business impact
• Install and configure wireless security settings and implement public key infrastructure
ISACA
ISACA is an international professional association focused on IT (information technology) governance. On its IRS filings, it is known as the Society for Information Systems Audit and Control. ISACA offers four certifications for IT auditors, risk management and IT management professionals and managers:
• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager (CISM)
• Certified in the Governance of Enterprise IT (CGEIT)
• Certified in Risk and Information Systems Control (CRISC)
VENDOR-SPECIFIC PROFESSIONAL CERTIFICATIONS
Vendors of hardware and software products provide VENDOR-SPECIFIC technical certifications. A
certificate signifies competence in the product line of a specific vendor. Vendors administer various types
of tests, and an applicant who satisfies the qualification criteria is recognized as having a certain degree of
competence in those products.
CISCO Systems
Cisco is one of the main producers of networking software and network security products.
They provide a variety of certifications for their networking products, and offer many different levels of
qualification along various paths.
The following table shows the different levels and their corresponding CISCO certifications.
Juniper Networks
Juniper Networks builds a combination of hardware and software for network security. Like CISCO, they
also provide a wide set of certifications for their product line. Basically, Juniper Networks offers four
levels across 11 different tracks.
The following table shows the offered tracks.
RSA
RSA Global is a supplier of workplace health, risk and regulatory solutions. They offer training
courses to help professionals use their products safely and effectively. They also offer certifications on RSA
Archer and RSA SecurID.
Symantec
Symantec offers a wide range of security software products. They test applicants on their product lines for
certifications, including:
• Administration of Symantec NetBackup for UNIX
• Administration of Symantec Enterprise Vault for Exchange
• Administration of Symantec Endpoint Protection
• Administration of Symantec NetBackup for Windows
Check Point
Check Point is a global network security system and software producer.
They provide educational and certification pathways for security practitioners to promote awareness and
skills. They require their applicants to pass an examination that is based 80% on study materials and 20%
on practical experience.
Check Point certifications are shown in the table below:
Directions: Complete the following OATH statements with words that are appropriate to the job
responsibilities of an Information Security Professional.
Directions: Write the letter of the correct answer on the space provided before each item.
_____1. This (ISC)² certification recognizes your knowledge and ability to successfully
implement, manage or assess security and privacy controls for healthcare and patient
information.
a. HCISPP b. SSCP c. CISSP d. CCSP
_____2. National Training Standard for Information Systems Security (InfoSec) Professionals
a.NSTISS-4011 b.CNSS-4012
c.CNSS-4013 d.CNSS-4014
_____3. The following are aspects of GIAC-SANS Certifications but not _______.
a.Health b.Audit c.Laws d. Hardware Security
_____5. Their main job is to protect the assets of the company from inside and outside
threats.
a.IS Security Professional b. IS Security Associate
c. IS Security Clerk d. IS Security Expert
_____7. They manufacture a variety of network security hardware and software. They also offer
a varied range of certifications for their networking product line. Basically, they offer four levels
across 11 different tracks.
a.Juniper Networks b.CISCO c.ISACA d.APPLE
_____8. To become eligible for the CIW Web Security Specialist certification, how many
certifications from the CIW-approved credential list must an applicant possess?
a.One b.Two c.Three d. None
_____9. Vendor-specific certification for which they require their
applicants to pass an exam that is based 80 percent on study materials and 20 percent on hands-on
experience.
a.Juniper Networks b.CISCO c.Check Point d.RSA
1. define the concepts of risk management, specific response strategies and issues related to IT systems
recovery;
Identifying, Inventorying and Classifying Assets
The iterative cycle starts with the enumeration of assets, including all aspects of an organization's
structure, such as staff, procedures, data and information, software, hardware and networking
components.
The assets are then classified and prioritized, with more detail added to the analysis as you dig deeper.
Evaluation of Information Assets
• Questions help to formulate asset valuation criteria.
• Which information asset:
– Is the most critical to the success of the organization?
– Generates the most revenue / profitability?
– Plays the biggest role in generating revenue or delivering services?
– Would be the most expensive to replace or to protect?
– Would be the most embarrassing, or create the greatest liability, if it were revealed?
Identifying Asset Vulnerabilities
• Vulnerabilities are specific avenues that threat agents can exploit to attack an organization's
information assets.
• Examine how each threat could be perpetrated, and list the organization's assets and their
vulnerabilities.
• The process works best when people with diverse backgrounds within the organization work
iteratively through a series of brainstorming sessions.
Risk Assessment
Risk assessment evaluates the relative risk associated with each vulnerability.
Each information asset is assigned a risk rating or ranking.
Planning and organizing risk assessment
– The goal at this point is to develop a risk assessment approach for each vulnerability
identified.
Likelihood
Likelihood is the probability that a specific vulnerability will be the object of a successful attack.
In risk assessment, a numerical value is assigned to likelihood.
NIST Special Publication 800-30 suggests that a number between 0.1 (low) and 1.0 (high) be
assigned.
Wherever possible, use external references for likelihood values that have been reviewed and
adjusted for your particular circumstances. Most asset / vulnerability combinations have
sources of likelihood, for instance:
– The likelihood that any given e-mail contains a virus or worm has been researched.
– The number of attacks on a network can be estimated based on the number of addresses
assigned to the business.
Risk Calculation
• For the purposes of relative risk assessment, risk equals:
– likelihood of occurrence of the vulnerability times value (or impact)
– minus the percentage of risk already controlled
– plus an element of uncertainty
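The relative risk formula above, worked through in code as an added example (not from the module). It assumes that the "percentage controlled" and the "uncertainty" are each taken as a fraction of the likelihood × value product, and the asset values, likelihoods and percentages are constructed for illustration.

```python
"""Relative risk rating for information assets (added example).

    risk = likelihood * value
           - (likelihood * value) * fraction_already_controlled
           + (likelihood * value) * uncertainty_fraction

Likelihood uses the NIST SP 800-30 style range 0.1 (low) .. 1.0 (high).
All asset and vulnerability figures below are constructed, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnerabilityRisk:
    asset: str
    vulnerability: str
    value: float        # relative asset value / impact (here on a 0-100 scale)
    likelihood: float   # 0.1 (low) .. 1.0 (high)
    controlled: float   # fraction of the risk already mitigated by current controls, 0..1
    uncertainty: float  # fraction expressing how unsure we are about the estimate, 0..1


def relative_risk(v: VulnerabilityRisk) -> float:
    """Apply the formula, rejecting values outside the ranges the method expects."""
    if not 0.1 <= v.likelihood <= 1.0:
        raise ValueError(f"likelihood must be between 0.1 and 1.0, got {v.likelihood}")
    for name, frac in (("controlled", v.controlled), ("uncertainty", v.uncertainty)):
        if not 0.0 <= frac <= 1.0:
            raise ValueError(f"{name} must be a fraction between 0 and 1, got {frac}")
    base = v.likelihood * v.value
    return base - base * v.controlled + base * v.uncertainty


def rank_risks(items):
    """(asset, vulnerability, risk) tuples, highest relative risk first."""
    rated = [(v.asset, v.vulnerability, round(relative_risk(v), 2)) for v in items]
    return sorted(rated, key=lambda t: t[2], reverse=True)


# Constructed sample: two assets, three vulnerabilities.
SAMPLE = [
    VulnerabilityRisk("Customer DB", "Unpatched database server",
                      value=50, likelihood=1.0, controlled=0.0, uncertainty=0.10),
    VulnerabilityRisk("Customer DB", "Weak administrator password",
                      value=50, likelihood=0.5, controlled=0.5, uncertainty=0.10),
    VulnerabilityRisk("Web server", "Missing input validation",
                      value=100, likelihood=0.1, controlled=0.0, uncertainty=0.20),
]


if __name__ == "__main__":
    for asset, vuln, risk in rank_risks(SAMPLE):
        print(f"{risk:6.1f}  {asset:12s}  {vuln}")
```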
Choosing Countermeasures
Patch identified exploitable bugs in applications
Build and execute organizational and access control (data and system) procedures
Provide encryption capabilities
Improve physical protections
Disconnect unreliable networks
Disruptions include extreme weather events, illegal activity, civil unrest / terrorism,
organizational disruption and disruptions caused by program failures.
Assessing Maximum Tolerable Downtime (MTD)
MTD is the maximum length of time a process can be unavailable before the effects become irreversible;
exceeding the MTD results in serious harm to the viability of the enterprise. Depending on the
process, the MTD can be hours, days, or more.
An example of a BCP / DRP timeline:
Stage 1: Business as usual
All systems are in production at this stage and are functioning correctly.
Stage 2: Disaster
A disaster occurs at a certain point in time, and the systems need to be recovered. The Recovery Point
Objective (RPO) specifies the amount of data loss, measured in time, that can be tolerated. For example,
the maximum tolerable loss of data might be 15 minutes' worth.
Stage 3: Recovery
At this point the system is back online and is being recovered, but is not yet ready for
production. The Recovery Time Objective (RTO) determines the maximum tolerable time required to get all
critical services back online. For example, this covers restoring data from backup or fixing a failure.
Usually this work is handled by the server, network and storage administrators.
At this point, all systems have been restored, the security of the network and the data has been checked,
and all essential infrastructure can resume regular operation. The Work Recovery Time (WRT) specifies
the maximum tolerable time necessary to verify system or data integrity. For example, it might be
necessary to check databases and logs to ensure that programs or services are consistent and available.
The sum of RTO and WRT is known as the MTD, which determines the maximum length of time that the
business process can be disrupted without harmful effects.
Review and Test the Plan
It is critical to periodically review and update the BCP.
BCP Testing
Four steps to better business continuity plan testing:
Step One: Various BCP testing methods
A variety of methods are available to test the efficiency and effectiveness of a
business continuity plan. Some of the possible testing methods are:
– Audit Strategy
– Walk-Through Test
– Simulation Test
– Full Recovery Test
Step Two: How frequently to test
There is really no rule for determining how often a BCP should be tested, but certain
criteria are generally suggested.
Step Three: Include the vendors
Including your vendors in this phase not only allows you to verify with a greater degree of precision
and reliability, it also offers your vendors the chance to give feedback that might be of value
to your plans or testing method.
Step Four: Document the testing
Log all test results, along with any actionable conclusions drawn from those tests.
Backup Frequency
Backup frequency depends on how often your files change. If you update your documents and
save them regularly, you should make a backup at least once a day. In some cases, certain files (such as data
logs) may be updated several times a day, in which case a backup process designed for real-time backups
is more suitable.
Where to back up your data?
The choice of media depends on several factors, including backup size, setup complexity, portability,
security requirements, budget, and whether the backup is kept on-site or off-site.
Some examples:
External hard drives
USB flash drives
Network Attached Storage (NAS)
Cloud backup
FTP/FTPS/SFTP
Different Backup and Recovery Types
The various forms of backup available to IT personnel include:
Full backups - All data is copied to another location in a complete data or device backup.
Incremental backups - This type copies only the data that has changed since the most recent backup
of any type.
Differential backups - Similar to an incremental backup, a differential backup copies all data that
has changed since the last full backup each time it is run.
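To see how the three backup types differ in what they copy and in what a restore needs, here is an added example (not from the module) that replays a constructed week of file changes through each schedule; day numbers, file names and the "version = day last modified" convention are all assumptions.

```python
"""Full, incremental and differential backups: what each copies, what a restore needs.

Added example, not from the module. A constructed week of file changes is replayed
through each backup schedule; day 0 is the initial full backup in every mode.
A file's "version" is simply the day on which it was last modified.
"""

# Constructed change history: day -> files modified on that day.
CHANGES = {
    0: {"a.doc", "b.xls", "c.db", "d.txt"},   # initial content, taken by the full backup
    1: {"c.db"},
    2: {"c.db", "a.doc"},
    3: {"b.xls"},
    4: {"c.db"},
    5: {"d.txt", "c.db"},
}


def backup_sets(changes, mode):
    """Return {day: {file: version}} holding what the backup taken on each day copies.

    full:         everything, every day.
    incremental:  only files changed since the most recent backup of any type.
    differential: every file changed since the last full backup (grows until the next full).
    """
    live = {}          # the file system as it stands: file -> version
    since_full = {}    # accumulates changes since the last full backup
    sets = {}
    for day in sorted(changes):
        for f in changes[day]:
            live[f] = day
        if day == 0 or mode == "full":
            since_full = {}
            sets[day] = dict(live)
        elif mode == "incremental":
            sets[day] = {f: day for f in changes[day]}
        elif mode == "differential":
            since_full.update({f: day for f in changes[day]})
            sets[day] = dict(since_full)
        else:
            raise ValueError(f"unknown backup mode: {mode}")
    return sets


def files_copied(sets):
    """Total number of file copies written over the whole schedule (storage and time cost)."""
    return sum(len(s) for s in sets.values())


def restore_chain(mode, target_day):
    """Backup days that must be applied, in order, to rebuild the state at target_day."""
    if mode == "full":
        return [target_day]
    if mode == "differential":
        return [0] if target_day == 0 else [0, target_day]
    # incremental: the full backup plus every increment up to and including the target
    return list(range(target_day + 1))


def restore(sets, mode, target_day):
    """Replay the chain; a later set overwrites earlier copies of the same file.

    Raises KeyError if any set in the chain is missing: losing one incremental
    breaks every restore point after it, whereas a differential restore needs
    only the full backup and the one differential set.
    """
    restored = {}
    for day in restore_chain(mode, target_day):
        if day not in sets:
            raise KeyError(f"backup for day {day} is missing; cannot restore day {target_day}")
        restored.update(sets[day])
    return restored


if __name__ == "__main__":
    for mode in ("full", "incremental", "differential"):
        sets = backup_sets(CHANGES, mode)
        print(f"{mode:12s} copies={files_copied(sets):2d} "
              f"chain(day 5)={restore_chain(mode, 5)} state={restore(sets, mode, 5)}")
```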
Guidelines for Activation Based on Case Analysis
One of the most critical steps in DRP activation is determining whether activation is warranted.
As the activation procedures are prepared, the activities of the event analysis must be adequately specified
by answering the following questions:
1. Which types of events would cause the activation of the plan?
2. How will these incidents be assessed to ensure that plan activation is appropriate?
3. Who is going to be involved in the event evaluation process?
4. How will the assessment guidelines be made available to the right decision-makers?
5. Who needs to approve plan activation?
6. How many approvals are needed?
7. How will the activation of the plan be communicated?
Recovery Alternatives
Three choices are usually considered if a business (or some part of it) has to be relocated for recovery:
A dedicated business location, such as a secondary distribution center;
Commercially leased facilities, such as hot sites or mobile facilities;
An arrangement with an internal or external facility.
1. analyse a simple case related to Information Assurance and Security (IAS) Laws.
2. differentiate between laws and ethics
3. understand the role of culture as it applies to ethics in information security
Types of Law
1. Civil law includes a wide range of laws governing a country and dealing with relations
and disputes between organizations and individuals.
2. Criminal law deals with acts and conduct that are harmful to society and is
actively enforced by the government.
Private law comprises family law, business law and labour law, which regulate
relationships between persons and organizations.
Public law governs the organization and operation of government agencies and their
interactions with residents, workers and other public agencies.
Cybersecurity in our country
The Cybercrime Prevention Act of 2012 (CPA) considers the following as cybercrimes:
Offenses against the confidentiality and security of computer data and programs (illegal access,
unauthorized capture, data intrusion, network intrusion, misuse of computers and cybersquatting);
The Rule of the Supreme Court on Cybercrime Warrants (AM No. 17-11-03-SC) regulates
the submission and issuance of court warrants and related orders relating to the retention,
disclosure, surveillance, search, retrieval or review, as well as the custody and destruction, of
computer data as provided for in the CPA.
The Electronic Commerce Act of 2000 (ECA) provides for the legal recognition of electronic
documents, commercial communications and signatures, government transactions and evidence in
court proceedings. The ECA penalizes hacking and the piracy of protected material, electronic
signatures or copyrighted works, limits the liability of service providers that merely provide
access, and penalizes individuals who do so.
The Access Devices Regulation Act of 1998 (ADRA) penalizes various acts of fraud involving
access devices, such as the use of counterfeit access devices. An access device is any card,
plate, code, account number, electronic serial number, personal identification number or other
telecommunications service, device or instrument identifier, or other means of access to an
account that may be used to obtain money, goods or services.
The Data Privacy Act of 2012 (DPA) regulates the collection and processing of personal information in the
Philippines and of Filipinos, including sensitive personal information in government; creates the
National Privacy Commission (NPC) as the regulatory authority; and mandates that personal information
controllers take reasonable and effective steps to secure personal information and to give notice when it
is compromised.
Privacy
In the 21st century, privacy has become one of the toughest questions in information security. Many
organizations gather, swap, and sell personal information as a commodity, and many people
look to governments for privacy protection.
Privacy of Customer Information
With the passage of the 2011 Data Privacy Act, the Philippines introduced a robust data security
and privacy rights policy for organizations that operate within the country. Organizations are
required to meet all data privacy requirements and ensure data security to the highest standards,
failing which they will be liable to serious fines and legal action.
With the banking and business process outsourcing (BPO) industry booming in the Philippines,
these data privacy laws will be vital to the development of a secure environment for these
industries in the region. Legal access to information, confidentiality and data protection are some
of the strong reasons that will help to fuel service sector growth and e-governance in the
Philippines.
Identity Theft
Upgrade involves modifying or changing existing code, data or a program, in form or substance,
for the purposes of the statute.
“The usual identifying information about a person includes his name, citizenship, address of
residence, contact number, place and date of birth, if any, his spouse's name, occupation, and the
like. The law punishes those who without right obtain or use such identifying information,
indirectly to cause harm.
The theft of identity information must obviously be intended for an unlawful purpose.
Furthermore, the acquisition and dissemination of information made public by the user himself
cannot be considered a form of theft.”
Intellectual Property
Intellectual property (IP) is a category of property that encompasses the intangible creations of the
human intellect. There are many types of intellectual property, and some countries recognize more
than others. The best-known types are copyrights, patents, trademarks, and trade
secrets.
Philippine Copyright Law
Philippine copyright law, officially known as Republic Act No. 8293, is based
on United States copyright law. Furthermore, Philippine copyright law protects trademarks,
patents and other forms of intellectual property. You may also have heard of the
Optical Media Act, which seeks to shield local artists from piracy. Computer programs and video
games are protected under the same Act.
Directions. Identification. Identify what is being referred to in each statement. Write your answer on the
space provided.
1. __________________ It refers to the right of the people to information on matters of public concern.
2. __________________ is a respected professional society that was established in 1947 as “the world’s
first educational and scientific computing society.”
3. ___________________ is a nonprofit organization that focuses on the development and
implementation of information security certifications and credentials.
4. ____________________ SANS stands for
5. ____________________ is a nonprofit society of information security professionals.
6. ____________________ regulates the collection and processing of personal information in the
Philippines and of Filipinos, including sensitive personal information in government.
7. ____________________ penalizes various acts of access device fraud such as using counterfeit access
devices.
8. ____________________ provides for the legal recognition of electronic documents, messages and
signatures for commerce, transactions in government and evidence in legal proceedings.
9. _____________________ CICC stands for
10. ____________________ an inter-agency body for policy coordination and enforcement of the
national cybersecurity plan
Directions: Answer the following.
1. Cite and explain the Four Parts / Mechanism of Access Control
2. What are the Four Central Components of Access Control?
3. Cite the Four Logical Access Control Solutions.
4. Cite all Biometric Recognition Characteristics
5. Cite and explain the Five Authentication Types
1. demonstrate understanding of access control concepts and technologies;
2. analyze formal models of access control; and
3. develop, manage, and maintain system access control.
In authentication, the following mechanisms are involved:
The four unified access control components include Users, Resources, Actions and Relationships.
Minutiae are unique reference points in a person's biometric trait that are stored as an image to be verified
when access is requested. Each access attempt results in a measurement that is compared to the stored
value to decide whether the user is who he or she claims to be. A concern with this approach is that the
biometric changes as our body develops over time.
For authentication during a transaction, retail stores use signature capture. The customer signs a
digital tablet with a special pen that records the signature. The signature is stored for future reference, or
compared for validation against a signature in a database.
Voice recognition operates in a similar manner, by recording the user's initial voiceprint while reciting a
phrase. Later, the authentication mechanism requires the user to utter the same phrase when the user tries
to access the device, so that the algorithm can match the live voiceprint to the stored value.
Effectiveness of Biometrics
Biometrics are assessed using parameters such as: the false rejection rate, which is the percentage of
supplicants who are in fact authorized users but who are denied access; the false acceptance rate, which is
the percentage of supplicants who are unauthorized users but are allowed access; and third, the crossover
error rate, which is the point at which the rate of false rejections equals the rate of false acceptances.
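The three rates above, computed over constructed matcher scores, as an added example (not from the module). It assumes a matcher that returns a 0-100 similarity score and a system that accepts an attempt when the score is at or above a threshold; the score lists are constructed.

```python
"""Biometric error rates: FRR, FAR and the crossover error rate (CER).

Added example, not from the module. A matcher is assumed to return a
similarity score from 0 to 100 between a live sample and the stored
template, and the system accepts an attempt when score >= threshold.
The score lists below are constructed for illustration.
"""

# Constructed matcher scores: 10 attempts by enrolled (authorized) users
# and 10 attempts by impostors (unauthorized users).
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 55, 48]
IMPOSTOR_SCORES = [62, 58, 55, 50, 47, 45, 42, 40, 35, 30]


def false_rejection_rate(genuine, threshold):
    """Fraction of authorized users who are denied access at this threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor, threshold):
    """Fraction of unauthorized users who are allowed access at this threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_rates(genuine, impostor, threshold):
    """(FRR, FAR) at one operating point; raising the threshold trades FAR for FRR."""
    return (false_rejection_rate(genuine, threshold),
            false_acceptance_rate(impostor, threshold))


def crossover_error_rate(genuine, impostor):
    """Sweep thresholds 0..100 and return (threshold, CER).

    The CER is the error rate at the point where FRR and FAR are equal (or, on
    discrete data, closest); a lower CER means a more accurate biometric system.
    """
    best = None
    for t in range(0, 101):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer


if __name__ == "__main__":
    for t in (45, 56, 70):
        frr, far = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t}: FRR={frr:.1f} FAR={far:.1f}")
    print("crossover (threshold, CER):",
          crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```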
Kerberos is based on the following principles:
1. The KDC knows the secret keys of all network clients and servers. Using these
secret keys, the KDC initially exchanges information with the client and the server.
2. By issuing temporary session keys for communication between the client and KDC, the server
and KDC, and the client and server, Kerberos authenticates a client to a requested service
on a server via the TGS. Communications between the client and the server are then made using
these temporary session keys.
Visit http://web.mit.edu/Kerberos/ to obtain the Kerberos software.
Directions: Answer the following.
1. Cite and explain the Four Parts / Mechanism of Access Control
2. What are the Four Central Components of Access Control?
3. Cite the Four Logical Access Control Solutions.
4. Cite all Biometric Recognition Characteristics
5. Cite and explain the Five Authentication Types
5.2 AUDITING, TESTING AND MONITORING
Security Audit
Security audits assess efficiency of an information system against a set of criteria. On the other hand, a
vulnerability evaluation requires a systematic analysis of a whole information system, searching for
possible security vulnerabilities. Penetration testing is a secret activity in which a security specialist
attempts a variety of attacks to determine whether or not a device will survive a malicious hacker's same
types of attacks. Each of the approaches has inherent strengths, and using two or more of them in
conjunction may be the most effective approach of all.
The following figure best explains the Security Controls Address Risk which is referred to as Security
Cycle.
Security Monitoring for Computer Systems
Security monitoring for computer systems may be categorized based on the information it captures, namely:
1. Real-time monitoring - this focuses on host IDS, system integrity monitoring and data loss
prevention.
2. Non-real-time monitoring - this checks application and system logging.
3. Log activities - this monitors host-based activities, networks and their devices.
With regard to log activities, event logs, access logs, security logs and audit logs are basically
involved.
Directions. Identification. Identify what is being referred to in each statement. Write your answer on the
space provided.
1. ____________________ which concerns itself with the secrecy system itself and its design
3. ______________ which concerns itself with the breaking of the secrecy system above.
4. _______________ a set of information that will allow words to be changed to other words or symbols,
for instance, a code for the word “rifle” may be “escargot.”
5. _______________ the message that you wish to put into a secret form.
10. ______________ each plaintext letter is replaced by another character whose position in the alphabet
is a certain number of units away.
Lesson 5.3 Basic Concepts of Cryptography
CRYPTOLOGY
Cryptology is defined as the practice of making communications unintelligible to everyone
except those who are authorized to read and interpret them.
Two branches are studied in cryptology. First, CRYPTOGRAPHY, which concerns
the secrecy system itself and its design; and second, CRYPTANALYSIS, which is concerned
with breaking the above-mentioned secrecy system.
Code - A set of information that allows words to be changed to other words or symbols. Banana
can be a code for gun. However, this is not a form of cryptography that can be analysed. The only
way such a message can be decoded is by having the list of terms and their codes.
Plaintext is the message you wish to put into a secret form. Plaintext is generally written in lower case
without spaces. Numbers are spelled out, and punctuation is ignored. It is also
referred to as clear text.
For example, the sentence:
Cipher refers to the process of altering plaintext. The secret form of the plaintext is called ciphertext.
Example:
thebombisplantedontheroof will then be changed to
ymjgtrgnxuqfsyjityjwttk
To make it easier for a decoder to read, the ciphertext is typically written in groups of 5 characters. The
example above can be presented as:
ymjg trgnx uqfsy jityj wttk
When we encipher, we change plaintext into ciphertext; when we decipher, we do the reverse.
Key refers to the data that enables us to encipher the plaintext and decipher the ciphertext.
In this case, both upper and lower case letters use the same numerical value.
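The shift cipher described in this lesson, as an added example (not the module's code). It assumes a key of 5, the shift behind the example above, normalizes plaintext as the lesson describes (lower case, spaces and punctuation dropped) and gives upper and lower case letters the same numerical value; digits are simply dropped rather than spelled out.

```python
"""Shift (Caesar) cipher with 5-letter grouping, as described in this lesson.

Added example, not the module's code. Assumptions: the key is 5 (the shift
used in the lesson's example), plaintext is normalized to lower case with
spaces and punctuation dropped, and upper and lower case letters share the
same numerical value (a/A = 0 ... z/Z = 25). Digits are dropped here rather
than spelled out.
"""
import string

ALPHABET = string.ascii_lowercase  # a..z; the index is the letter's numerical value


def normalize(text):
    """Keep letters only, in lower case: 'The bomb!' -> 'thebomb'."""
    return "".join(ch.lower() for ch in text if ch.isalpha())


def shift_letter(ch, key):
    """Move one lower-case letter `key` positions along the alphabet, wrapping around."""
    return ALPHABET[(ALPHABET.index(ch) + key) % 26]


def encipher(plaintext, key):
    """Plaintext -> ciphertext: each letter is replaced by the one `key` positions later."""
    return "".join(shift_letter(ch, key) for ch in normalize(plaintext))


def decipher(ciphertext, key):
    """Ciphertext -> plaintext: shift back by the same key."""
    return encipher(ciphertext, -key)


def group5(text):
    """Write the text in blocks of five characters for easier reading by the decoder."""
    return " ".join(text[i:i + 5] for i in range(0, len(text), 5))


def all_shifts(ciphertext):
    """The cryptanalysis side: only 26 keys exist, so there are only 26 candidate
    plaintexts, which is why a shift cipher offers no real secrecy once the
    method is known."""
    return {k: decipher(ciphertext, k) for k in range(26)}


if __name__ == "__main__":
    ct = encipher("The bomb is planted on the roof", 5)
    print(group5(ct))
    print(decipher(ct, 5))
```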
1. discuss the importance of creating a secured network design;
2. discuss steps or procedure on securing a network;
3. write down 10 software security best practices; and
4. give concrete examples on the application of these practices in actual software
development.
All information systems (IS) create risks to an organization. Whether the level of risk
introduced is acceptable is a business decision; controls such as “firewalls,
resource isolation, hardened system configurations, authentication and access control systems and
encryption can be used to help mitigate identified risks to acceptable levels.”
(https://www.slideshare.net/lavanyamarichamy/network-design-consideration)
In this lesson, we will discuss firewalls and authentication procedures that can be
implemented to secure a network.
Security, as described by Lavanya (2019),“is often an overlooked aspect of network design, and
attempts at retrofitting security on top of an existing network can be expensive and difficult to implement
properly. Separating assets of differing trust and security requirements should be an integral goal during
the design phase of any new project.”
She further stresses that “…aggregating assets that have similar security requirements in
dedicated zones allows an organization to use small numbers of network security devices, such as
firewalls and intrusion-detection systems, to secure and monitor multiple application systems.”
(https://www.slideshare.net/lavanyamarichamy/network-design-consideration)
Other influences on network design include budgets, availability requirements, the network’s size
and scope, future growth expectations, capacity requirements, and management’s risk tolerance. For
example, dedicated WAN links to remote offices can be more reliable than virtual private networks
(VPNs), but they cost more, especially when covering large distances. Fully redundant networks can
easily recover from failures, but having duplicate hardware increases costs, and the more routing paths
available, the harder it is to secure and segregate traffic flows.
A significant but often missed or under-considered factor in determining an appropriate security
design strategy is to identify how the network will be used and what is expected from the business it
supports. This design diligence can help avoid expensive and difficult retrofits after the network is
implemented.
Let’s consider some key network design strategies.
FIREWALLS
What is a Firewall?
A firewall is defined by Khandal, et al. (2018) as “…a program or network device that filters the
information coming through the internet connection into your private network or computer system.”
A firewall is further explained in www.auysolutions.com as “a network security system that
monitors and controls incoming and outgoing network traffic based on predetermined security rules. A
firewall typically establishes a barrier between a trusted internal network and untrusted external network,
such as the Internet.”
These are often categorized as either “network-based firewalls or host-based firewalls”
(https://www.auysolutions.com/product/security-essentials/).
Network firewalls run on network hardware and filter traffic between two or more networks.
Host-based firewalls, on the other hand, run on host computers and control network traffic
coming in and out of those machines.
Network-Based Firewall
Host-Based Firewall
Advantages of Firewalls
The advantages of firewalls as discussed by Khandal (2018) are as follows:
Concentration of security, “…all modified software and logging is located on the firewall system as
opposed to being distributed to multiple hosts.”
Protocol filtering, “…where the firewalls filters protocols and services that are either not necessary or
that cannot be adequately secured from exploitation.”
Information hiding, “…in which a firewall can “hide” names of internal systems (or) electronic mail
addresses, thereby revealing less information to outside hosts.”
Application gateways, “…where the firewalls require inside or outside users to connect first to the
firewall before connecting further, thereby are filtering the protocol.”
Disadvantages of Firewalls
Firewalls, on the other hand, have disadvantages in the following respects (Khandal et al., 2018):
The most obvious is that certain types of network access may be hampered or even blocked
for some hosts, including telnet, FTP, NFS, etc.
A second disadvantage of a firewall system is that it concentrates security in one spot as
opposed to distributing it among systems; thus a compromise of the firewall could be disastrous to other,
less protected systems on the subnet.
Example: If someone attacks the security guard, the organization faces more risks.
The second goal would be “only authorized traffic which is delineated by the local security policy
will be allowed to proceed.” (Khandal et al., 2018)
Example: The bank manager informed the security guard to block A and B.
Finally, the last design goal is that the firewall “…itself is resistant to penetration inclusive in a
solid trustworthy system with a protected operating system.” (Khandal et al., 2018)
Example: Here the security guard himself/herself uses his/her own judgement to block certain people.
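The following is an added example, not code from the course module or from the sources it quotes. It models the design goal just stated, that only traffic delineated by the local security policy may proceed, as a small stateless packet filter with a default-deny rule list, and it shows the protocol-filtering advantage (telnet and NFS explicitly refused) alongside the concentration of decisions and logging on one system. The rule format, the address ranges and the sample packets are all constructed for illustration.

```python
"""Toy stateless packet filter illustrating a default-deny firewall policy.

Added example, not code from the course module or from the sources it quotes.
It models how a host- or network-based firewall walks an ordered rule list so
that only traffic permitted by the local security policy proceeds, and how
protocols that "cannot be adequately secured" are filtered. The rule format,
addresses and sample packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source network in CIDR notation, or "any"
    dport: Optional[int]   # destination port, or None to match any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every field it constrains agrees with the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def decide(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; traffic matching no rule gets the default action.

    The default of "deny" is what turns the rule list into a policy of
    'only authorized traffic may proceed' rather than 'everything not
    explicitly blocked may proceed'.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


INTERNAL = "10.0.0.0/8"   # constructed address range for the trusted side

# Constructed policy for a host-based firewall on an internal server.
POLICY = [
    Rule("allow", "tcp", INTERNAL, 22),      # SSH, but only from the internal network
    Rule("allow", "tcp", "any", 443),        # HTTPS is the only service exposed outside
    Rule("deny",  "tcp", "any", 23),         # telnet: cleartext, cannot be adequately secured
    Rule("deny",  "tcp", "any", 2049),       # NFS: keep it off the untrusted side
    Rule("allow", "icmp", INTERNAL, None),   # ping from inside only
]


def audit(rules: List[Rule], packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Evaluate a batch of packets. A real firewall would log each decision
    here as well, which is the 'concentration of logging' the text describes."""
    return [(pkt, decide(rules, pkt)) for pkt in packets]


if __name__ == "__main__":
    samples = [
        Packet("tcp", "10.1.2.3", 22),      # internal admin -> allow
        Packet("tcp", "203.0.113.5", 22),   # outside SSH -> no rule, default deny
        Packet("tcp", "203.0.113.5", 443),  # outside HTTPS -> allow
        Packet("tcp", "10.1.2.3", 23),      # telnet even from inside -> deny
        Packet("icmp", "198.51.100.9"),     # outside ping -> default deny
    ]
    for pkt, verdict in audit(POLICY, samples):
        print(f"{pkt.proto:4} {pkt.src:>14} port {pkt.dport!s:>5}: {verdict}")
```

The explicit deny lines for telnet and NFS are redundant with the default-deny action, but listing them documents the policy decision and keeps a later, broader allow rule from silently reopening those services. The example also makes the second disadvantage concrete: every host behind this rule list depends on the one system that evaluates it.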
AUTHENTICATION
Authentication is the “process of reliably verifying the identity of someone (or something).”
(http://www.dis.uniroma1.it/~damore/sicu/slide/slide2012/8.Authentication-1v1.1.pdf)
There are lots of examples of authentication in human interaction.
AUTHENTICATION IDENTIFICATION
Computers also verify the identity of their users, based on three (3) methods:
VERIFICATION
Validation of the information supplied against a table of possible values, based on the user's claimed
identity; identity can also be verified based on physical characteristics, known as biometrics. Characteristics used
include:
Signature
Fingerprint, hand geometry, face or body profile
Speech, retina pattern
How authentication is done depends on the capabilities of the entity being authenticated. The two most
important capabilities are:
TYPES OF AUTHENTICATION
There are three types of authentication. These concepts are explained below:
1. Password-based authentication
Authenticating oneself by showing a secret password to the remote peer (and to the network).
(Shankar, 2013)
“Always vulnerable to eavesdropping attack.” (Shankar, 2013)
Usual protection: “limit frequency of incorrect password entries.” (Shankar, 2013)
2. Address-based authentication
Authenticating oneself, according to Shankar (2013), can be done “by using a physically-secured
terminal/computer.” Conceptually similar to password-based authentication.
3. Cryptography-based authentication
“Authenticating oneself by showing evidence of a secret key to the remote peer (and to the
network) but without exposing the secret to the peer (or to the network). Secret key can be obtained from a
password.” (Shankar, 2013)
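The following is an added example, not code from the course module or from Shankar's slides, of the cryptography-based authentication just described: the client proves it holds a secret key derived from its password without the password or the key ever leaving the client. The protocol shape (a random server nonce answered with an HMAC under a PBKDF2-derived key), the iteration count and the sample credentials are constructed for illustration.

```python
"""Challenge-response login: proving knowledge of a password-derived key
without ever sending the password or the key over the network.

Added example, not code from the course module or from Shankar's slides.
The protocol (server nonce, client HMAC over it with a PBKDF2-derived key),
the iteration count and the sample credentials are constructed for
illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple

PBKDF2_ROUNDS = 100_000   # constructed; tune to the hardware in a real deployment


def derive_key(password: str, salt: bytes) -> bytes:
    """The secret key 'obtained from a password' that the text refers to."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Server:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # name -> (salt, derived key)
        self.pending: Dict[str, bytes] = {}               # name -> outstanding nonce

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, derive_key(password, salt))

    def challenge(self, username: str) -> Tuple[bytes, bytes]:
        """Step 1: send the user's salt and a fresh random nonce.

        Unknown names still get a plausible-looking reply so the challenge
        itself does not reveal which accounts exist.
        """
        if username not in self.users:
            return os.urandom(16), os.urandom(16)
        salt, _ = self.users[username]
        nonce = os.urandom(16)
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Step 3: recompute the expected MAC over the stored nonce; compare in constant time."""
        nonce = self.pending.pop(username, None)   # each nonce is usable exactly once
        if username not in self.users or nonce is None:
            return False
        _, key = self.users[username]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Step 2: derive the key locally and MAC the nonce; only the MAC leaves the client."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


def login(server: Server, username: str, password: str) -> bool:
    salt, nonce = server.challenge(username)           # server -> client
    response = client_respond(password, salt, nonce)   # client -> server: the only secret-derived value on the wire
    return server.verify(username, response)


def replay_attempt(server: Server, username: str, password: str) -> Tuple[bool, bool]:
    """What a passive eavesdropper gains: a (nonce, response) pair that is useless later."""
    salt, nonce = server.challenge(username)
    captured = client_respond(password, salt, nonce)
    first = server.verify(username, captured)      # legitimate use succeeds
    server.challenge(username)                     # a new session issues a new nonce...
    replayed = server.verify(username, captured)   # ...so the captured response no longer verifies
    return first, replayed


if __name__ == "__main__":
    srv = Server()
    srv.enroll("alice", "correct horse battery staple")   # constructed credentials
    print(login(srv, "alice", "correct horse battery staple"), login(srv, "alice", "wrong"))
    print(replay_attempt(srv, "alice", "correct horse battery staple"))
```

Two caveats a practitioner should keep in mind: the derived key stored on the server is password-equivalent, so the server's credential store still needs the same protection as a password database, and the fresh nonce per session is what defeats replay; reusing nonces would reduce this to the password-based case the text warns about.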
2. Trojan Horses
A Trojan horse is a useful, or apparently useful, program which also performs unwanted or harmful
functions.
If a user can be induced to run a Trojan horse which mimics the login program, then the Trojan
can capture the user’s password.
The password can then be sent to the author of the Trojan.
3. On-Line Guessing
I can impersonate you if I can guess your password.
Some systems enforce easily guessable passwords.
Some people use easily guessable passwords.
With enough guesses, even obscure passwords can be guessed.
Executing users who get their password wrong would probably be unacceptable.
Can make sure that guesses have to be typed.
4. Locking Accounts
Can lock accounts after too many failed attempts.
But then it is easy for someone to deny access.
Can cut off the connection after a number of failed attempts and require it to be re-established.
Can have the system response be very slow.
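The following is an added example, not code from the course module, of the countermeasures against on-line guessing listed above: it limits the frequency of incorrect password entries with a temporary lock after too many failures and with a growing response delay, rather than a permanent lock that would let anyone deny a user access by guessing badly on purpose. The thresholds, the injectable clock and the sample account are constructed for illustration.

```python
"""Limiting on-line password guessing: hashed verification plus a temporary lockout.

Added example, not code from the course module. It shows the trade-off the
text raises: a permanent lock after N failures lets anyone deny a user access
simply by guessing badly, so this version locks for a short window and also
returns a growing response delay instead of answering instantly. The
thresholds, the clock interface and the sample account are constructed.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

MAX_FAILURES = 5        # constructed policy: lock after 5 consecutive failures
LOCK_SECONDS = 300      # constructed policy: lock for 5 minutes, then accept attempts again
MAX_DELAY = 30          # constructed policy: cap on the slow-response penalty (seconds)
PBKDF2_ROUNDS = 50_000  # constructed; production values should be tuned to the hardware


class Authenticator:
    def __init__(self, clock: Callable[[], float]) -> None:
        self.clock = clock                                  # injectable time source so the lockout is testable
        self.users: Dict[str, Tuple[bytes, bytes]] = {}     # name -> (salt, pbkdf2 hash)
        self.failures: Dict[str, int] = {}                  # name -> consecutive failures
        self.locked_until: Dict[str, float] = {}            # name -> lock expiry time

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, self._hash(password, salt))   # never store the password itself

    def is_locked(self, name: str) -> bool:
        return self.clock() < self.locked_until.get(name, 0.0)

    def login(self, name: str, password: str) -> Tuple[str, int]:
        """Returns (status, delay_seconds); status is 'ok', 'bad_password' or 'locked'.

        The caller is expected to wait delay_seconds before replying, which is
        the 'make the system response very slow' countermeasure.
        """
        if self.is_locked(name):
            return "locked", MAX_DELAY          # refuse without evaluating the password
        salt, stored = self.users.get(name, (b"\0" * 16, b"\0" * 32))
        candidate = self._hash(password, salt)  # unknown names do the same work, so timing reveals nothing
        ok = name in self.users and hmac.compare_digest(candidate, stored)
        if ok:
            self.failures[name] = 0
            return "ok", 0
        count = self.failures.get(name, 0) + 1
        self.failures[name] = count
        if count >= MAX_FAILURES:
            self.locked_until[name] = self.clock() + LOCK_SECONDS
            self.failures[name] = 0             # fresh count once the lock expires
        return "bad_password", min(2 ** count, MAX_DELAY)


class ManualClock:
    """Constructed clock for the demonstration; production code would pass time.time."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo():
    """Five bad guesses lock the account; the right password is refused until the lock expires."""
    clock = ManualClock()
    auth = Authenticator(clock)
    auth.add_user("alice", "correct horse battery staple")   # constructed credentials
    results = [auth.login("alice", f"guess{i}")[0] for i in range(MAX_FAILURES)]
    results.append(auth.login("alice", "correct horse battery staple")[0])  # still locked
    clock.advance(LOCK_SECONDS)
    results.append(auth.login("alice", "correct horse battery staple")[0])  # lock expired
    return results


if __name__ == "__main__":
    print(demo())
```

The lock is deliberately time-limited: a permanent lock is the denial-of-service the text warns about, while a five-minute window still caps an attacker at a handful of guesses per window. The delay returned on each failure is the slow-response countermeasure; applied per account it also throttles guessing spread across many connections.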
Assignment:
1. Write a 200-word essay with the theme: “What can’t a firewall protect against?”
2. Using the insights you have learned from this lesson, write down 10 best practices for
ensuring computer security.
Directions: Say that you are in a situation where your parents do not want you to pursue your
degree in Information Security. How are you going to convince them? Write your answer in the
comic bubble.
Do research on securing our future through IAS. Document the results of your research
and prepare a write-up discussing the important or significant contribution(s) of IAS in our daily
lives, be it in the economic, physical, spiritual or any other aspect you can identify.
Introduction
As we all know, there is a wide variety of careers one can choose from in the field of
Computing Science and Information Security. Pursuing education in these areas of knowledge is
really a prize. Aside from the high rate of employability, a high salary rate can also be a
motivation to pursue it well.
In the field of Information Security alone, there are a number of opportunities one can take in the
future. Aside from the certifications we have tackled in Lesson 2.2, there are also some programs
available to add knowledge in this area.
Getting a Professional Certificate through a certifying body is really an edge or an advantage.
However, it is one’s call whatever means he/she will use to learn and gain more knowledge.
One option for an aspirant to be trained in the field of Information Security is through Self-Study
Programs. These programs aim to educate an individual in the comfort of his/her own time. This is
also referred to as Self-Paced learning, where one will not be required to attend mandatory
trainings. The advantages of this self-study program are as follows:
1. Self-motivation
2. Low cost
3. Flexible materials
4. Flexible schedule
5. Supplemental materials.
However, procrastination, resource selection, lack of interaction, quality, and validated outcomes
may be factors to consider in self-study programs. These are its disadvantages.
In self-study programs, choosing material to study is really a struggle. In selecting what
instructional materials to utilize, one must check that they come from reputable sources,
meaning the resources shall come from a reliable or well-respected organization or author. You
can check the material’s reviews so that you may have an insight into its content. Self-study
materials shall also be supplemented by other products to support your learning. Finally, hands-on
skill sets or laboratory activities shall also be enforced from the materials to evaluate the
learning process.
Another option to acquire knowledge in the area of Information Security is through Instructor-Led
programs. This may be an alternative to self-paced learning. This type of program is
also known as Formal Training, which is catered inside an educational group or a school.
Completing the prescribed hours or requirements for the training leads to a certificate that will
prove one’s competence.
Instructor-led programs range from general to highly technical.
A professional can also acquire additional knowledge in IS through Continuing Professional
Education (CPE) and/or Continuing Professional Development (CPD). The main goal of
these programs is to keep practitioners updated on the current state of technology in the field.
Postsecondary Degree programs are also offered in colleges and universities specializing in
Information Technology, Information Systems Security, Information Assurance and other fields
of Computing Sciences. One may continue his/her journey up to a Ph.D.
A degree may be taken by an individual through a two-year program. That is what we call an
Associate Degree, which prepares one for a wide variety of entry-level positions in the IT
and IS fields.
On the other hand, a four-year degree program, or the Bachelor’s Degree, is needed to obtain
higher entry positions in areas such as IT and IS.
Some of them include:
1. BS in Computer Science
2. BS in Information Technology
3. BS in Applied Science
4. BS in Engineering
Some institutions offer a laddered course where an Associate Degree can be continued to
the Bachelor’s.
It is very important to study the curriculum offered by an institution first and visualize
what field you will pursue in the future.
A Master of Science Degree is a two-year study program after completing the Bachelor’s Degree.
It is basically intended to specialize in one field of study. It focuses more on depth of
knowledge in a specific field. This might include:
1. Master of Science (MS or MSc)
2. Master of Science in Information Technology (MScIT)
3. Master in Business Administration
a. Focusing on the process of securing IS
b. Focusing on the management and maintenance of IS.
A Doctoral Degree is the highest educational attainment one can obtain. It requires more
comprehensive and extensive studies. It may vary from three to five years. Fields may include:
1. Doctor of Science
2. Doctor of Information Technology
3. Doctor of Technology
4. Doctor of Philosophy
Aside from formal schooling, there are also programs that intend to certify an
individual. They focus more on the technicality and skills that need to be developed by an
individual through hands-on or experiential learning.
The following are Security Training Organizations that enable one to get certified:
1. SANS Institute
2. ITPG
3. InfoSec Institute
4. ISACA
5. Phoenix TS
6. SEI
There are many ways one can acquire knowledge. It can be through informal or formal training.
The intention of all of these falls into one purpose, and that is to gain knowledge and skills that can be
used as arms in this world whose demand is increasing rapidly.
It may be difficult to achieve, or one might say that he/she made a wrong decision, but one thing
is for sure: when you learn to love what you do, you will succeed. You are half-way to the
highest paying job. So do it right. You are on the right track.
Directions: Assume that you are certified by the certifying bodies in Lesson 2 and have graduated
with your dream degree in the field. Write an application letter for the job of Information
Security Officer in XYZ Bank, the leading bank of the billionaires. State your credentials, skills
and something that you can contribute to the organization.