Chapter One

Building a Secure Organization

I. Basic Concepts & Types of Attacks
What is Network?
• In simple language a computer network is a collection of computers/devices also
known as nodes which are connected to each other in a certain pattern and can
communicate with each other using some protocols.
• Protocols are set of rules that define how the communication is going to happen.
Definition of Network Security
• Network Security is the protection of files, directories in a computer network to manage
the misuse activities and unauthorized activities in a network.
II. Network Security Overview
• With the rapid growth of interest in the Internet, network security has become more
important. Currently, network administrators often spend more effort protecting their
networks than they spend on the actual setup.
• They have to make the following determinations:
• Who will have access to data?

• What resources will users have access to?

• When will users access resources?

Some of these decisions depend on the particular organization you are serving because some
resources can be trusted more than others.
III. Why Network Security is important?

Our Present Life Style & Scenario

V. Types of Attacks
Active Attacks
• Active attacks are based on the modification of the original message in some
manner or the creation of the false messages.
• These attacks cannot be prevented early. However they can be detected with some
effort and attempts can be made to recover from them.
• 3 Types
1. Masquerade
2. Modification
3. Denial of Service
Active Attacks
Masquerade
◦ Masquerade caused when an unauthorized entity pretends to be another entity.

Fig. Alice & Bob are Legal & Legitimate Users Fig. Pretends as Alice
Active Attacks
Modification
◦ It results in some alterations to the original message.
◦ It results in loss of integrity.
2 types
◦ 1. Replay Attacks
◦ In replay attacks user captures a sequence of events, or some data units and resends them.
Active Attacks
2. Alteration
◦ Alteration of message involves some change to the original message.
Active Attacks
• Denial of Service (DoS)
◦ DoS attacks make an attempt to prevent legitimate users from accessing some services, which
they are eligible for.
Passive Attacks
• Passive attacks are those, wherein the attackers indulges in monitoring of data
Transactions. The attacker aims to obtain information that is in transit.
• The term Passive indicates that the attacker does not attempt to perform any
modification to the data.
• Passive attacks are harder to detect, therefore passive attacks should be prevented
rather than detected.
Two categories
1. Release of message contents
2. Traffic Analysis
Passive Attacks
1. Release of Message Contexts
◦ In this type of passive attack confidential data of users is released
publicly over the internet.
◦ Data confidentiality is lost in such scenarios.
Passive Attacks
2. Traffic Analysis
◦ In this type of Passive attack the attacker tries to find similarities between engaged messages
and finds the original content.
◦ Such activity is call as Traffic Analysis.
VI. Principles of Network Security
1. Confidentiality
• The principle of confidentiality specifies that only the sender and the intended
recipient should be able to access the contents of a message.
• Confidentiality gets compromised if an unauthorized person is able to access a
message.
• Interruption attack causes loss of confidentiality.
2. Authentication
• Authentication mechanisms helps to establish proof of
identities.
• The authentication process ensures the origin of an electronic
message or document is correctly identified.
3. Integrity
• When the contents of message are changed after the sender sends it, but
before it reaches the intended recipient, we say that the integrity of a message
is lost.
• Modification causes loss if integrity.
4. Non-Repudiation
• There are situations where an user sends a message and later on refuses that she/he
had send that messages.
• The principle of non-repudiation defeats such possibilities of denying something,
having done it.
• Non-repudiation does not allow the sender of a message to refute the claim of not
sending that money.
5. Access Control
• The principle of access control determines who should be able to access what. An access
control mechanism can be setup to ensure this.
• Access control is broadly related to role management and rule management.
• Role management concentrates on the user side.
• Rule management focuses on the resources side.
6. Availability
• The principle of availability states that resources should be available to
authorized parties at all times.
• Interruption puts the availability of resources in danger.
VII. Building a Secure Organization
• It seems logical that any business, whether a commercial enterprise or a not-for-profit business,
would understand that building a secure organization is important to long-term success.
• Security breaches can cost an organization significantly through a tarnished reputation, lost
business, and legal fees.
• When a business implements and maintains a strong security posture, it can take advantage of
numerous benefits.
◦ A secure organization can use its security program as a marketing tool, demonstrating to clients
that it values their business so much that it takes a very aggressive stance on protecting their
information.
VIII. OBSTACLES TO SECURITY
In attempting to build a secure organization, we should take a close look at the obstacles
that make it challenging to build a totally secure organization.
1. Security Is Inconvenient, but its important
2. Computers Are Powerful and Complex
3. Computer Users Are Unsophisticated
4. Current Trend Is to Share, Not Protect
5. Data Accessible from Anywhere
6. The Bad Guys Are Very Sophisticated
7. Management Sees Security as a Drain on the Bottom Line
1. Security Is Inconvenient, but its important
• Security, by its very nature, is inconvenient, and the more robust the security
mechanisms, the more inconvenient the process becomes.
• Employees in an organization have a job to do; they want to get to work right away.
• To gain a full appreciation of the frustration caused by security measures, we have
only to watch the Transportation Security Administration (TSA) security lines at any
airport. Simply watch the frustration build as a particular item is run through the
scanner for a third time while a passenger is running late to board his flight.
• When we implement any security mechanism, it should be placed on the scale
where the level of security and ease of use match the acceptable level of risk for the
organization.
2. Computers Are Powerful and Complex
• Home computers have become storehouses of personal materials. Our
computers now contain wedding videos, scanned family photos, music
libraries, movie collections, and financial and medical records.
• Because computers contain such familiar objects, we have forgotten that
computers are very powerful and complex devices.
Cont’d…
• Most people are unfamiliar with the way computers truly function and
what goes on “ behind the scenes”. Things such as the Windows,
Registry, ports, and services are completely unknown to most users and
poorly understood by many computer industry professionals.
• For example, many individuals still believe that a Windows login
password protects data on a computer.
3. Computer Users Are Unsophisticated
• Many computer users believe that because they are skilled at generating
spreadsheets, word processing documents, and presentations, they “ know
everything about computers”.
• The “ bad guys ” people who want to steal information from or wreak havoc on
computers systems — have also identified that the average user is a weak link in the
security chain.
• As companies began investing more money in perimeter defenses, attackers look to
the path of least resistance. They send malware as attachments to email, asking
recipients to open the attachment.
Cont’d…
• Despite being told not to open attachments from unknown senders or simply
not to open attachments at all, employees consistently violate this policy,
wreaking havoc on their networks.
• The “ I Love You Virus ” spread very rapidly in this manner. More recently,
phishing scams have been very effective in convincing individuals to provide
their personal online banking and credit-card information.
4. Current Trend Is to Share, Not Protect
• Even now, despite the stories of compromised data, people still want to share their
data with everyone.
• Web-based applications are making this easier to do than simply attaching a file to an
email.
• Social networking sites provides the ability to share material: “ Send messages, files,
links, and events to your friends”.
• Create a network of friends and share stuff.
• These sites can allow proprietary data to leave an organization by bypassing security
mechanisms.
5. Data Accessible from Anywhere
• To be productive, employees now request access to data and contact
information on their laptops, desktops, home computers, and mobile devices.
• Therefore, IT departments must now provide the ability to sync data with
numerous devices.
• Previously mentioned online storage sites can be accessed from both the
home and office or anywhere there is an Internet connection.
• For many, Google’s free email service Gmail is a great tool that provides a very
robust service for free.
6. The Bad Guys Are Very Sophisticated
• At one time the computer hacker was portrayed as a lone teenager with
poor social skills who would break into systems, often for nothing more
than bragging rights.
• As ecommerce has evolved, however, so has the profile of the hacker.
• Now that there are vast collections of credit-card numbers and
intellectual property that can be harvested, organized hacker groups
have been formed to operate as businesses.
Cont’d…
• A document released in 2008 spells it out clearly: “ Cybercrime companies that work
much like real-world companies are starting to appear and are steadily growing,
thanks to the profits they turn”.
• Forget individual hackers or groups of hackers with common goals.
• Hierarchical cybercrime organizations where each cybercriminal has his or her own
role and reward system is what you and your company should be worried about.
• Now that organizations are being attacked by highly motivated and skilled groups of
hackers, creating a secure infrastructure is mandatory.
7. Management Sees Security as a Drain on the
Bottom Line
• Organizations don’t want to spend the money on it, but the risks of not making the purchase outweigh
the costs. Because of this attitude, it is extremely challenging to create a secure organization.
• The attitude is enforced because requests for security tools are often supported by documents
providing the average cost of a security incident instead of showing more concrete benefits of a strong
security posture.
• The problem is exacerbated by the fact that IT professionals speak a different language than
management.
• IT professionals are generally focused on technology, period. Management is focused on revenue.
• Learning these concepts is beneficial to the organization because the technical infrastructure can be
implemented in a cost-effective manner, and they are beneficial from a career development
perspective for IT professionals.
Ten Steps to Building a Secure Organization
1. Evaluate the Risks and Threats
◦ In attempting to build a secure organization, where should you start? One commonly held belief is that
you should initially identify your assets and allocate security resources based on the value of each asset.
a) Threats Based on the Infrastructure Model
b) Global Threats
Once threats and risks are identified, you can take one of four steps:
◦ Ignore the risk.
◦ Accept the risk.
◦ Transfer the risk.
◦ Mitigate the risk.
2. Beware of Common Misconceptions
• In addressing the security needs of an organization, it is common for
professionals to succumb(agreed) to some very common misconceptions.
• Perhaps the most common misconception is that the business is obscure,
unsophisticated, or boring—simply not a target for malicious activity.
3. Provide Security Training for IT Staff—Now and
Forever
• It is important for the IT staff to be prepared to identify and respond to new
threats and vulnerabilities.
• It is recommended that those interested in gaining a deep security
understanding start with a vendor-neutral program.
• A vendor-neutral program is one that focuses on concepts rather than specific
products (Certificate Courses).
4. Think “Outside the Box”
• For most businesses, the threat to their intellectual assets and technical
infrastructure comes from the “bad guys” sitting outside their organizations,
trying to break in.
• These organizations establish strong perimeter defenses, essentially “boxing
in” their assets.
5. Train Employees: Develop a Culture of
Security
• One of the greatest security assets is a business’s own employees, but only if
they have been properly trained to comply with security policies and to
identify potential security problems.
• Downloading and installing unapproved software can install malicious
software that can infect user systems, causing their computers to function
slowly or not at all.
6. Identify and Utilize Built-In Security
Features of the Operating System and
Applications
• Many organizations and systems administrators state that they cannot create a
secure organization because they have limited resources and simply do not have
the funds to purchase robust security tools.
• This is a ridiculous approach to security because all operating systems and many
applications include security mechanisms that require no organizational resources
other than time to identify and configure these tools.
• For Microsoft Windows operating systems, a terrific resource is the online Microsoft TechNet
Library. Under the Solutions Accelerators link you can find security guides for all recent
Microsoft Windows operating systems.
7. Monitor Systems
• Even with the most robust security tools in place, it is important to monitor your
systems.
• All security products are manmade and can fail or be compromised.
• Enabling logging on your systems is one way to put your organization in a position
to identify problem areas.
• One of these standards is the Payment Card Industry Data Security Standard (PCI
DSS).
• PCI DSS states that organizations must “Track and monitor access to network
resources and cardholder data” .
8. Hire a Third Party to Audit Security
• Regardless of how talented your staff is, there is always the possibility that they
overlooked something or inadvertently misconfigured a device or setting.
• For this reason it is very important to bring in an extra set of “eyes, ears, and hands”
to review your organization’s security posture.
The advantage of having a third party review your systems is that the outsiders have
experience reviewing a wide range of systems, applications, and devices in a variety of
industries.
◦ They will know what works well and what might work but cause problems in the
future.
Cont’d…
◦ They are also more likely to be up to speed on new vulnerabilities and the
latest product updates. Why? Because this is all they do.
◦ They are not encumbered by administrative duties, internal politics, and help
desk requests.
◦ They will be more objective than in-house staff, and they will be in a position
to make recommendations after their analysis.
9. Don’t Forget the Basics
• Change Default Account Passwords
• Close Unnecessary Ports

10. Patch, Patch, Patch

• Nearly all operating systems have a mechanism for automatically checking for updates. This
notification system should be turned on.
• A simple tool that can help keep track of system updates is the Microsoft Baseline Security
Analyzer, which also will examine other fundamental security configurations.
◦ Use Administrator Accounts for Administrative Tasks
◦ Restrict Physical Access
◦ Don’t Forget Paper!
Enterprise Security
• Enterprise security is about building systems to remain dependable in the face of
malice, error, or mischance.
• As a discipline, it focuses on the tools, processes, and methods needed to design,
implement, and test complete systems, and to adapt existing systems as their
environment evolves.
• Enterprise security requires cross-disciplinary expertise, ranging from cryptography
and computer security through hardware tamper-resistance and formal methods to
a knowledge of economics, applied psychology, organizations and the law.
Cont’d…
• Many security systems have critical assurance requirements.
• Their failure may endanger human life and the environment (as with nuclear
safety and control systems), do serious damage to major economic
infrastructure (cash machines and other bank systems), endanger personal
privacy (medical record systems), undermine the viability of whole business
sectors (pay-TV), and facilitate crime (burglar and car alarms).
Enterprise Security Analysis Framework
Cont’d…
•Good Enterprise security requires four things to come together.
• There’s policy: what you’re supposed to achieve.
• There’s mechanism: the ciphers, access controls, hardware tamper-resistance and
other machinery that you assemble in order to implement the policy.
• There’s assurance: the amount of reliance you can place on each particular
mechanism.
• There’s incentive: the motive that the people guarding and maintaining the system
have to do their job properly, and also the motive that the attackers have to try to
defeat your policy.
Enterprise System - Examples
1. A Bank
Banks operate a surprisingly large range of security-critical computer systems.
◦ The core of a bank’s operations is usually a branch bookkeeping system.
◦ The main threat to this system is the bank’s own staff; about one percent of bankers are fired
each year, mostly for petty dishonesty (the average theft is only a few thousand dollars).
◦ One public face of the bank is its automatic teller machines.
◦ Authenticating transactions based on a customer’s card and personal identification number—
in such a way as to defend against both outside and inside attack— is harder than it looks!
Cont’d… Bank
◦ Another public face is the bank’s website. Bank websites have come under heavy
attack recently from phishing — from bogus websites into which customers are
invited to enter their passwords.
◦ Behind the scenes are a number of high-value messaging systems.
◦ The bank’s branches will often appear to be large, solid and prosperous, giving
customers the psychological message that their money is safe.
Enterprise System - Examples
2. Military
Military systems have also been an important technology driver.
◦ Some of the most sophisticated installations are the electronic warfare systems
whose goals include trying to jam enemy radars while preventing the enemy from
jamming yours.
◦ Military communication systems have some interesting requirements.
◦ It is often not sufficient to just encipher messages: the enemy, on seeing traffic
encrypted with somebody else’s keys, may simply locate the transmitter and attack
it.
Cont’d… Military
◦ Military organizations have some of the biggest systems for logistics and inventory
management, which differ from commercial systems in having a number of special
assurance requirements.
◦ The particular problems of protecting nuclear weapons have given rise over the last
two generations to a lot of interesting security technology, ranging from electronic
authentication systems that prevent weapons being used without the permission of
the national command authority, through seals and alarm systems, to methods of
identifying people with a high degree of certainty using biometrics such as iris
patterns.
Enterprise System - Examples
3. A Hospital
Hospitals have a number of interesting protection requirements mostly to do with patient safety and
privacy.
◦ Patient record systems should not let all the staff see every patient’s record, or privacy violations can be
expected.

◦ Patient records are often anonymized for use in research, but this is hard to do well.

◦ Web-based technologies present interesting new assurance problems in healthcare.

◦ New technology can introduce risks that are just not understood. Hospital administrators understand
the need for backup procedures to deal with outages of power, telephone service and so on; but
medical practice is rapidly coming to depend on the net in ways that are often not documented.
Impacts of Network Security
• The WannaCry ransomware attack was a May 2017 (12 May 2017 – 15 May 2017)
worldwide cyber attack by the WannaCry ransomware cryptoworm, which targeted
computers running the Microsoft Windows operating system by encrypting data and
demanding ransom payments in the Bitcoin crypto currency.
• The attack was estimated to have affected more than 200,000 computers across 150
countries, with total damages ranging from hundreds of millions to billions of dollars.
Security experts believed from preliminary evaluation of the worm that the attack
originated from North Korea or agencies working for the country.
Cont’d…
• In the world of digitization, where every information is stored digitally, information can be
accessed 24X7,can be accessed via internet and easily retrieved at cheaper rate.
• Everything is done smoothly on one click, effortlessly and efficiently maintained.
• Digitization has improve the life style of the computer users.
• Many thefts or cyber-attacks like spyware, malware, Trojan, phishing, intruders, spam, virus
occurs. Ransomware is also a theft.
• The WannaCry ransomware attack was a May 2017 (12 May 2017 – 15 May 2017)
worldwide cyber attack by the WannaCry ransomware cryptoworm, which targeted
computers running the Microsoft Windows operating system by encrypting data and
demanding ransom payments in the Bitcoin crypto currency.
Cont’d…
• WannaCry Ransomware Attack 2017 was the worst attack that ever had before.
• WannaCry Ransomware is a type of malicious software that blocks user access to
files or systems, holding files or entire devices hostage using encryption until the
victim pays a ransom in exchange for a decryption key, which allows the user to
access the files or systems encrypted by the program.
• The first ransomware in history emerged in 1989 (that’s 32 years ago).
• It was called the AIDS Trojan but, seems elementary nowadays.
Cont’d…
• It spread via floppy disks and involved sending $189 to a post office box in
Panama to pay the ransom.
• There are many types of ransomware like CryptoLocker, CryptoLocker.F and
TorrentLocker, CryptoWall, CryptoTear, Fusob and WannaCry.
• Ransomware Wannacry attacked many hospitals, companies, universities and
government organization across at least 150 Countries, having more than
200,000 victims. It locked all computers and demanded ransom.
Effect of Ransomware Attack 2017
• Encrypting ransomware works by obscuring the contents of user files, through the
use of strong encryption algorithms.
• Victims have no other alternative, than paying the attacker to reverse this process.
• Wannacry Ransomware attack 2017 was one of the largest attacks that were ever
carried out.
• Companies like FedEx, Nissan, railway companies in Germany, Russian Railways,
Interior ministry, telecommunication company like megafor Telefonica in spain, At
least 16 NHS organisation in UK were badly effected. Some systems were caught by
malware.
Working of
Ransomware
Preventive Measures
• Prevention is essential in keeping computer safe. Its a recommendation for users to
keep their operating system and software updated.
• Back up all important and valuable data offline regularly.
• Ransomware can be sent through various sources like Emails, Advertisement, by
creating websites and many more things that can share the ransomware to the
computer users.
• Ransomware restricts the use of the system in various ways after intruding the
system.
• It is mainly classified into the following three types: Scareware, Lock-Screen, and
Encrypting.
Cont’d…
• WannaCry ransomware virus attacked the whole world and no one knows how to
decrypt these files.
• Ransomware is a type of Malicious software designed to block access to computer
system until some of money is paid.
• Antivirus should always have a last update.
• Spam messages should not be opened or replied.
• Back up the data. To defeat, regularly updated backup.
• Apply patches and keep the operating system, antivirus, browsers, Adobe Flash
Player, Java, and other software up-to-date.
Cont’d…
• Keep the Windows Firewall turned on and properly configured at all times.
• Enhance the security of your Microsoft Office components (Word, Excel, PowerPoint, Access,
etc.).
• Sure to disable file sharing.
• Switch off unused wireless connections, such as Bluetooth or infrared ports.
• Exercise caution before using Wi-Fi network.
• Do not click on harmful links in your email.
• Do not visit unsafe and unreliable websites.
• A novel practice to protect against ransomware attack is to back all files completely on
another system frequently to avoid loss of data.`
Crypto Currency - Bitcoin
• Bitcoin is a cryptocurrency and worldwide payment system.
• It is the first decentralized digital currency, as the system works without
a central bank or single administrator.
• The network is peer-to-peer transactions take place between users directly,
without an intermediary.
• These transactions are verified by network nodes through the use
of cryptography and recorded in a public distributed ledger called
a blockchain.
• Bitcoin was invented by an unknown person or group of people under the
name Satoshi Nakamoto and released as open-source software in 2009.
Cont’d…
• Bitcoins are created as a reward for a process known as mining. They can be
exchanged for other currencies, products, and services.
• As of February 2015, over 100,000 merchants and vendors accepted bitcoin
as payment.
• Research produced by the University of Cambridge estimates that in 2017,
there are 2.9 to 5.8 million unique users using a cryptocurrency wallet, most
of them using bitcoin.
Thank you!!