INFORMATION SECURITY Handouts

INFORMATION ASSURANCE AND SECURITY

Chapter 1 INTRODUCTION

History
• Persons desiring secure communications have used wax seals.
• Julius Caesar's cipher (the Caesar cipher, about 50 B.C.) was created to prevent his secret messages from being read should a message fall into the wrong hands.
• The end of the 20th century and early years of the 21st century saw rapid advancements in telecommunications, computing hardware and software, and data encryption.
INTRODUCTION
Information technology is the vehicle that stores and transports information—a company’s most valuable
resource—from one business unit to another.
But what happens if the vehicle breaks down, even for a little while?
As businesses have become more fluid, the concept of computer security has been replaced by the concept
of information security.
Because this new concept covers a broader range of issues, from the protection of data to the protection of
human resources, information security is no longer the sole responsibility of a discrete group of people in
the company; rather, it is the responsibility of every employee, and especially managers.
Organizations must realize that information security funding and planning decisions involve more than just technical managers; rather, the process should involve three distinct groups of decision makers, or communities of interest:
• Information security managers and professionals
• Information technology managers and professionals
• Nontechnical business managers and professionals
These communities of interest fulfill the following roles:
• The information security community protects the organization’s information assets from the many threats they face.
• The information technology community supports the business objectives of the organization by supplying and supporting information technology appropriate to the business’ needs.
• The nontechnical general business community articulates and communicates organizational policy and objectives and allocates resources to the other groups.
WHAT IS SECURITY?
Understanding the technical aspects of information security requires that you know the definitions of certain
information technology terms and concepts.
In general, security is defined as “the quality or state of being secure—to be free from danger.”
Security is often achieved by means of several strategies usually undertaken simultaneously or used in
combination with one another.
Specialized areas of security
• Physical security, which encompasses strategies to protect people, physical assets, and the workplace from various threats including fire, unauthorized access, or natural disasters
• Personal security, which overlaps with physical security in the protection of the people within the organization
• Operations security, which focuses on securing the organization’s ability to carry out its operational activities without interruption or compromise
• Communications security, which encompasses the protection of an organization’s communications media, technology, and content, and its ability to use these tools to achieve the organization’s objectives
• Network security, which addresses the protection of an organization’s data networking devices, connections, and contents, and the ability to use that network to accomplish the organization’s data communication functions
• Information security includes the broad areas of information security management, computer and data security, and network security.

Where is it used?

• Governments, military, financial institutions, hospitals, and private businesses.
• Protecting confidential information is a business requirement.
Information security components are:
• Confidentiality
• Integrity
• Availability

CIA Triangle
The C.I.A. triangle - confidentiality, integrity, and availability - has expanded into a more comprehensive
list of critical characteristics of information.
At the heart of the study of information security is the concept of policy. Policy, awareness, training,
education, and technology are vital concepts for the protection of information and for keeping information
systems from danger.
Critical Characteristics of Information
- Confidentiality
- Integrity
- Availability
- Privacy
- Identification
- Authentication
- Authorization
- Accountability
- Accuracy
- Utility
- Possession

Confidentiality
Confidentiality of information ensures that only those with sufficient privileges may access certain
information. When unauthorized individuals or systems can access information, confidentiality is breached.
To protect the confidentiality of information, a number of measures are used:
• Information classification
• Secure document storage
• Application of general security policies
• Education of information custodians and end users

Example: a credit card transaction on the Internet.
o The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored.
o Giving out confidential information over the telephone to a caller who is not authorized to have it is a breach of confidentiality.
Integrity
Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is
threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state.
Corruption can occur while information is being compiled, stored, or transmitted.
• Integrity means that data cannot be modified without authorization.
• Eg: Integrity is violated when an employee deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a website, when someone is able to cast a very large number of votes in an online poll, and so on.
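Added worked example (not part of the handout): the credit card case above limits the places where the full card number may appear, and the payroll case above is an integrity violation. The Python below, written for this page, masks card numbers before a line reaches a log file (confidentiality) and seals a stored record with an HMAC tag so that a row edited without the key fails verification (integrity). The log line, the card number pattern, the payroll row and the key are all constructed sample values.

```python
import hashlib
import hmac
import re

# --- Confidentiality: keep the card number out of places it should not appear ---

# Matches 13-19 digits with optional single spaces or dashes between them, as a
# card number is usually written. It ends on a digit, so surrounding text is untouched.
PAN_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def mask_pan(pan: str) -> str:
    """Return the card number with all but the last four digits hidden, the
    form that may appear on receipts and in log files."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_log_line(line: str) -> str:
    """Replace every card-number-looking run in a log line with its masked form,
    so the log file is no longer one of the places the full number lives."""
    return PAN_PATTERN.sub(lambda m: mask_pan(m.group(0)), line)


# --- Integrity: detect unauthorized modification of a stored record ---

def seal_record(key: bytes, record: dict) -> str:
    """Compute an HMAC-SHA256 tag over a canonical serialization of the record.
    Anyone who edits the record without the key cannot produce a matching tag."""
    canonical = "|".join(f"{k}={record[k]}" for k in sorted(record))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def verify_record(key: bytes, record: dict, tag: str) -> bool:
    """True only if the record is unchanged since it was sealed."""
    return hmac.compare_digest(seal_record(key, record), tag)


def demo() -> dict:
    """Run both checks on constructed sample data."""
    key = b"constructed-demo-key-not-for-real-use"
    # Constructed log line; the card number is a well-known test pattern, not a real account.
    log_line = "2024-03-01 12:00:01 charge approved card=4111 1111 1111 1111 amount=19.99"
    payroll = {"employee": "e1042", "salary": 52000}   # constructed payroll row
    tag = seal_record(key, payroll)
    tampered = dict(payroll, salary=520000)            # employee edits own salary
    return {
        "redacted": redact_log_line(log_line),
        "intact": verify_record(key, payroll, tag),
        "tampered": verify_record(key, tampered, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC key must be held by the system that writes the records and not by the users who can read the table; if the key is stored next to the data, an insider who can edit the salary can also re-seal it.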
Availability
Availability is the characteristic of information that enables user access to information without interference or obstruction and in a required format. A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.
• For any information system to serve its purpose, the information must be available when it is needed.
• Eg: High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades.

Privacy
The information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected. This definition of privacy does not focus on freedom from observation (the meaning usually associated with the word), but rather means that information will be used only in ways known to the person providing it.
Identification
An information system possesses the characteristic of identification when it is able to recognize individual
users. Identification and authentication are essential to establishing the level of access or authorization that
an individual is granted.
Authentication
Authentication occurs when a control provides proof that a user possesses the identity that he or she claims.
• In computing, e-business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine (i.e. they have not been forged or fabricated).
Authorization
After the identity of a user is authenticated, a process called authorization provides assurance that the user
(whether a person or a computer) has been specifically and explicitly authorized by the proper authority to
access, update, or delete the contents of an information asset.
Accountability
The characteristic of accountability exists when a control provides assurance that every activity undertaken
can be attributed to a named person or automated process. For example, audit logs that track user activity
on an information system provide accountability.
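Added example (not from the handout): identification, authentication, authorization and accountability form one chain, and the Python script below, written for this page, walks through it: the claimed name is looked up (identification), the password is checked against a salted PBKDF2 hash (authentication), the requested action is compared with an explicit permission table (authorization), and every attempt, allowed or denied, is written to an audit log naming who asked for what and what happened (accountability). The users, passwords and permission table are constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256); only the hash is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> tuple:
    salt = secrets.token_bytes(16)
    return (salt, _hash_password(password, salt))


# Constructed user store (hypothetical users and passwords); a real system keeps
# this in a database, here it is built when the module loads.
USERS = {
    "alice": make_user("correct horse battery staple"),
    "bob": make_user("hunter2"),
}

# Constructed authorization table: (identity, asset, action) triples that the
# proper authority has explicitly granted. Anything not listed is denied.
PERMISSIONS = {
    ("alice", "payroll", "read"),
    ("alice", "payroll", "update"),
    ("bob", "payroll", "read"),
}

# Audit log: one entry per attempt, successful or not, attributed to the claimed identity.
AUDIT_LOG: list = []


def authenticate(username: str, password: str) -> bool:
    """Identification: look up the claimed identity. Authentication: check the proof."""
    entry = USERS.get(username)
    if entry is None:
        # Hash anyway so an unknown name takes as long as a wrong password;
        # response time then does not reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash_password(password, salt), stored)


def authorize(username: str, asset: str, action: str) -> bool:
    """Authorization: is this authenticated identity explicitly allowed this action?"""
    return (username, asset, action) in PERMISSIONS


def request(username: str, password: str, asset: str, action: str) -> str:
    """Run identification -> authentication -> authorization, and record the
    outcome (accountability) whether or not the request is allowed."""
    if not authenticate(username, password):
        outcome = "denied: authentication failed"
    elif not authorize(username, asset, action):
        outcome = "denied: not authorized"
    else:
        outcome = "allowed"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "who": username,
        "what": f"{action} {asset}",
        "outcome": outcome,
    })
    return outcome


if __name__ == "__main__":
    print(request("alice", "correct horse battery staple", "payroll", "update"))
    print(request("bob", "hunter2", "payroll", "update"))
    print(request("bob", "wrong password", "payroll", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that denied attempts are logged as well as allowed ones: an audit trail that records only successes cannot attribute a string of failed logins to the account that was targeted.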

Accuracy
Information should have accuracy. Information has accuracy when it is free from mistakes or errors and has the value that the end user expects. If information contains a value different from the user’s expectations, due to the intentional or unintentional modification of its content, it is no longer accurate.

Utility
Information has value when it serves a particular purpose. This means that if information is available, but
not in a format meaningful to the end user, it is not useful. Thus, the value of information depends on its
utility.
Possession
Possession of information is the quality or state of having ownership or control of some object or item.

NSTISSC Security Model

- NSTISSC stands for the ‘National Security Telecommunications and Information Systems Security Committee’ document.
- It is now called the National Training Standard for Information Security Professionals.
- The NSTISSC Security Model provides a more detailed perspective on security.
- While the NSTISSC model covers the three dimensions of information security, it omits discussion of detailed guidelines and policies that direct the implementation of controls.
- Another weakness is that the model can be used with too limited an approach, viewing it from a single perspective only.
- The three elements on each of the three axes form a 3x3x3 cube with 27 cells, each representing an area that must be addressed to secure today’s information systems.
- To ensure system security, each of the 27 cells must be properly addressed during the security process.
- For example, the intersection of technology, integrity and storage requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage.
[Figure: NSTISSC Security Model]
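Added example (not part of the handout): the requirement that all 27 cells be addressed can be checked mechanically. The Python below, written for this page, enumerates the cube and reports every cell for which no safeguard is listed, which is the gap list a security review would start from. The handout names only one cell (technology, integrity, storage); the full axis labels are assumed here from the McCumber model on which the NSTISSC document is based, and the control inventory is constructed.

```python
from itertools import product

# The three axes of the cube. The handout names one cell (technology x integrity x
# storage); the complete axis labels are assumed here from the McCumber model
# on which the NSTISSC document is based.
CHARACTERISTICS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
MEASURES = ("policy", "education", "technology")

ALL_CELLS = frozenset(product(CHARACTERISTICS, STATES, MEASURES))   # 27 cells


# Constructed inventory of safeguards, each tagged with the cell it addresses.
# A safeguard that serves several cells is listed once per cell.
CONTROLS = [
    ("full-disk encryption on laptops", ("confidentiality", "storage", "technology")),
    ("TLS on all internal service links", ("confidentiality", "transmission", "technology")),
    ("TLS on all internal service links", ("integrity", "transmission", "technology")),
    ("database checksums and signed backups", ("integrity", "storage", "technology")),
    ("acceptable-use policy", ("confidentiality", "processing", "policy")),
    ("annual staff security awareness course", ("confidentiality", "storage", "education")),
    ("offsite backup and restore procedure", ("availability", "storage", "policy")),
]


def validate(controls) -> None:
    """Reject tags that do not name a real cell (typos, wrong axis order)."""
    for name, cell in controls:
        if cell not in ALL_CELLS:
            raise ValueError(f"control {name!r} maps to unknown cell {cell}")


def covered_cells(controls) -> set:
    validate(controls)
    return {cell for _, cell in controls}


def uncovered_cells(controls) -> list:
    """The cells of the cube that no listed safeguard addresses."""
    return sorted(ALL_CELLS - covered_cells(controls))


def coverage_report(controls) -> dict:
    missing = uncovered_cells(controls)
    return {
        "total": len(ALL_CELLS),
        "covered": len(ALL_CELLS) - len(missing),
        "missing": missing,
    }


if __name__ == "__main__":
    report = coverage_report(CONTROLS)
    print(f"{report['covered']} of {report['total']} cells addressed")
    for cell in report["missing"]:
        print("no safeguard for", " x ".join(cell))
```

With the constructed inventory, 7 of the 27 cells are covered; the remaining 20 (for instance availability during transmission, with a technology measure) show where the model says a control is still missing.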

Components of an Information System

- Software
- Hardware
- Data
- People
- Procedures
- Networks

Software
The software components of an IS comprise applications, operating systems, and assorted command utilities.
Software programs are the vessels that carry the lifeblood of information through an organization. These
are often created under the demanding constraints of project management, which limit time, cost, and
manpower.

Hardware
Hardware is the physical technology that houses and executes the software, stores and carries the data,
and provides interfaces for the entry and removal of information from the system.
Data
• Data stored, processed, and transmitted through a computer system must be protected.
• Data is often the most valuable asset possessed by an organization and is the main target of intentional attacks.
• Data is the raw, unorganized, discrete (separate, isolated), potentially useful facts and figures that are later processed (manipulated) to produce information.
People
There are many roles for people in information systems. Common ones include:
• Systems analyst
• Programmer
• Technician
Securing Components
- Protecting the components from potential misuse and abuse by unauthorized users.
Subject of an attack – the computer is used as an active tool to conduct the attack.
Object of an attack – the computer itself is the entity being attacked.
Two types of attacks:
- Direct attack
- Indirect attack
1. Direct attack
When a hacker uses his personal computer to break into a system. [Originates from the threat itself.]

2. Indirect attack
When a system is compromised and used to attack other systems. [Originates from a system or resource that itself has been attacked, and is malfunctioning or working under the control of a threat.]

A computer can, therefore, be both the subject and object of an attack when, for example, it is first the object of an attack and then compromised and used to attack other systems, at which point it becomes the subject of an attack.

Balancing Information Security and Access

- Has to provide security while still making it feasible to access the information for its application.
- Information security cannot be an absolute: it is a process, not a goal.
- Should balance protection and availability.

Approaches to Information Security Implementation

- Bottom-up approach

- Top-down approach
• Has a higher probability of success.
• The project is initiated by upper-level managers who issue policy, procedures and processes.
• They dictate the goals and expected outcomes of the project.
• They determine who is suitable for each of the required actions.

The Systems Development Life Cycle (SDLC)

Phases (the cycle repeats after the last one):
1. Investigation
2. Analysis
3. Logical design
4. Physical design
5. Implementation
6. Maintenance and change

SDLC Waterfall Methodology
SDLC is a methodology for the design and implementation of an information system in an organization.
- A methodology is a formal approach to solving a problem based on a structured sequence of procedures.
- SDLC consists of 6 phases.
Investigation
- It is the most important phase and it begins with an examination of the event or plan that initiates
the process.
- During this phase, the objectives, constraints, and scope of the project are specified.
- At the conclusion of this phase, a feasibility analysis is performed, which assesses the economic,
technical and behavioral feasibilities of the process and ensures that implementation is worth the
organization’s time and effort.
Analysis
- It begins with the information gained during the investigation phase.
- It consists of assessments (quality) of the organization, the status of current systems, and the
capability to support the proposed systems.
- Analysts begin by determining what the new system is expected to do, and how it will interact with
existing systems.
- This phase ends with the documentation of the findings and an update of the feasibility analysis.
Logical Design
- In this phase, the information gained from the analysis phase is used to begin creating a systems
solution for a business problem.
- Based on the business need, applications are selected that are capable of providing needed
services.
- Based on the applications needed, data support and structures capable of providing the needed
inputs are then chosen.
- In this phase, analysts generate a number of alternative solutions, each with corresponding
strengths and weaknesses, and costs and benefits.
- At the end of this phase, another feasibility analysis is performed.

Physical design
- In this phase, specific technologies are selected to support the solutions developed in the logical
design.
- The selected components are evaluated based on a make-or-buy decision.
- Final designs integrate various components and technologies.
Implementation
- In this phase, any needed software is created.
- Components are ordered, received and tested.
- Afterwards, users are trained and supporting documentation created.
- Once all the components are tested individually, they are installed and tested as a system.
- Again a feasibility analysis is prepared, and the sponsors are then presented with the system for a
performance review and acceptance test.
Maintenance and change
- It is the longest and most expensive phase of the process.
- It consists of the tasks necessary to support and modify the system for the remainder of its useful
life cycle.
- Periodically, the system is tested for compliance with business needs.
- Upgrades, updates, and patches are managed.
The Security Systems Development Life Cycle (Sec SDLC )
- The same phases used in the traditional SDLC can be adapted to support the implementation of an
information security project.
Investigation
- This phase begins with a directive from upper management, dictating the process, outcomes, and
goals of the project, as well as its budget and other constraints.
- Frequently, this phase begins with an enterprise information security policy, which outlines
the implementation of a security program within the organization.
- Teams of responsible managers, employees, and contractors are organized.
- Problems are analyzed.
- Scope of the project, as well as specific goals and objectives, and any additional constraints not
covered in the program policy, are defined.
- Finally, an organizational feasibility analysis is performed to determine whether the organization
has the resources and commitment necessary to conduct a successful security analysis and design.
Analysis
- In this phase, the documents from the investigation phase are studied.
- The development team conducts a preliminary analysis of existing security policies or programs, along with that of documented current threats and associated controls.
- The risk management task also begins in this phase.
- Risk management is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization’s security and to the information stored and processed by the organization.
Logical design
- This phase creates and develops the blueprints for information security, and examines and
implements key policies.
- The team plans the incident response actions.
- Plans business response to disaster.
- Determines feasibility of continuing and outsourcing the project.
Physical design
- In this phase, the information security technology needed to support the blueprint outlined in the
logical design is evaluated.
- Alternative solutions are generated.
- Designs for physical security measures to support the proposed technological solutions are created.
- At the end of this phase, a feasibility study should determine the readiness of the organization for
the proposed project.
- At this phase, all parties involved have a chance to approve the project before implementation
begins.
Implementation
- Similar to traditional SDLC
- The security solutions are acquired ( made or bought ), tested, implemented, and tested again
- Personnel issues are evaluated and specific training and education programs are conducted.
- Finally, the entire tested package is presented to upper management for final approval.
Maintenance and change
- Constant monitoring, testing, modification, updating, and repairing to meet changing threats are done in this phase.
Security Professionals and the Organization
Senior management
The Chief Information Officer (CIO) is responsible for:
• Assessment
• Management
• Implementation of information security in the organization
Information Security Project Team
• Champion
- Promotes the project
- Ensures its support, both financially and administratively.
• Team Leader
- Understands project management,
- personnel management,
- and information security technical requirements.
• Security policy developers
- Individuals who understand the organizational culture,
- existing policies,
- and the requirements for developing and implementing successful policies.
• Risk assessment specialists
- Individuals who understand financial risk assessment techniques,
- the value of organizational assets,
- and the security methods to be used.
• Security professionals
- Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and non-technical standpoint.
• System administrators
- Administer the systems that house the information used by the organization.
• End users, of three types: data owners, data custodians, and data users.
Data Owners
- Responsible for the security and use of a particular set of information.
- Determine the level of data classification.
- Work with subordinate managers to oversee the day-to-day administration of the data.
Data Custodians
- Responsible for the storage, maintenance, and protection of the information.
- Overseeing data storage and backups.
- Implementing the specific procedures and policies.

Data Users (End users)
- Work with the information to perform their daily jobs supporting the mission of the organization.
- Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.
Chapter II SECURITY INVESTIGATION

Business Needs First

Information security performs four important functions for an organization:
1. Protects the organization’s ability to function.
2. Enables the safe operation of applications implemented on the organization’s IT systems.
3. Protects the data the organization collects and uses.
4. Safeguards the technology assets in use at the organization.

1. Protecting the functionality of an organization
Decision makers in organizations must set policy and operate their organizations in compliance with the complex, shifting legislation that controls the use of technology.

2. Enabling the safe operation of applications
• Organizations are under immense pressure to acquire and operate integrated, efficient, and capable applications.
• The modern organization needs to create an environment that safeguards applications using the organization’s IT systems, particularly those applications that serve as important elements of the infrastructure of the organization.

3. Protecting data that organizations collect and use
• Protecting data in motion
• Protecting data at rest
• Both are critical aspects of information security.
• The value of data motivates attackers to steal, sabotage, or corrupt it.
• Protection is essential for the integrity and value of the organization’s data.

4. Safeguarding technology assets in organizations
• Must add secure infrastructure services based on the size and scope of the enterprise.
• Organizational growth could lead to the need for a public key infrastructure (PKI), an integrated system of software and encryption methodologies.
Threats
To protect an organization’s information, you must
1. Know yourself
Be familiar with the information to be protected, and the systems that store, transport and process
it.
2. Know the threats you face
To make sound decisions about information security, management must be informed about the
various threats facing the organization, its application, data and information systems.
A threat is an object, person, or other entity, that represents a constant danger to an asset.
Threats to Information Security
Category of threat -- Examples
- Acts of human error or failure -- Accidents, employee mistakes
- Compromises to intellectual property -- Piracy, copyright infringement
- Deliberate acts of espionage or trespass -- Unauthorized access and/or data collection
- Deliberate acts of information extortion -- Blackmail or information disclosure
- Deliberate acts of sabotage or vandalism -- Destruction of systems or information
- Deliberate acts of theft -- Illegal confiscation of equipment or information
- Deliberate software attacks -- Viruses, worms, macros, denial-of-service
- Forces of nature -- Fire, flood, earthquake, lightning
- Deviations in quality of service -- ISP, power, or WAN service providers
- Technical hardware failures or errors -- Equipment failure
- Technical software failures or errors -- Bugs, code problems, unknown loopholes
- Technological obsolescence -- Antiquated or outdated technologies
Threats

1. Acts of Human Error or Failure:

• Acts performed without intent or malicious purpose by an authorized user,
• because of inexperience, improper training, or
• the making of incorrect assumptions.
One of the greatest threats to an organization’s information security is the organization’s own employees.
• Entry of erroneous data
• Accidental deletion or modification of data
• Storage of data in unprotected areas
• Failure to protect information
Can be prevented with:
- Training
- Ongoing awareness activities
- Verification by a second party
- Many military applications have robust, dual-approval controls built in.

2. Compromises to Intellectual Property

• Intellectual property is defined as the ownership of ideas and control over the tangible or virtual representation of those ideas.
• Intellectual property includes trade secrets, copyrights, trademarks, and patents.
• Once intellectual property has been defined and properly identified, breaches to IP constitute a threat to the security of this information.
• An organization may purchase or lease the IP of other organizations.
• The most common IP breach is the unlawful use or duplication of software-based intellectual property, more commonly known as software piracy.
• Software piracy affects the world economy.
• The U.S. provides approximately 80% of the world’s software.
In addition to the laws surrounding software piracy, two watchdog organizations investigate allegations of software abuse:
1. Software and Information Industry Association (SIIA) (i.e. the Software Publishers Association)
2. Business Software Alliance (BSA)
• Another effort to combat (take action against) piracy is the online registration process.
3. Deliberate Acts of Espionage or Trespass
• Electronic and human activities that can breach the confidentiality of information.
• When an unauthorized individual gains access to the information an organization is trying to protect, the act is categorized as espionage or trespass.
• Attackers can use many different methods to access the information stored in an information system:
1. Competitive intelligence [using a web browser to get information from market research]
2. Industrial espionage (spying)
3. Shoulder surfing (e.g. at an ATM)

Trespass
• Can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
• Sound principles of authentication and authorization can help organizations protect valuable information and systems.
• Hackers -> “People who use and create computer software to gain access to information illegally”
• There are generally two skill levels among hackers:
• Expert hackers -> masters of several programming languages, networking protocols, and operating systems.
• Unskilled hackers
4. Deliberate Acts of Information Extortion (obtaining by force or threat)
• The possibility of an attacker or trusted insider stealing information from a computer system and demanding compensation for its return or for an agreement not to disclose the information.
5. Deliberate Acts of Sabotage or Vandalism
• Destroy an asset, or
• Damage the image of the organization.
• Cyberterrorism: cyberterrorists hack systems to conduct terrorist activities through network or Internet pathways.

6. Deliberate Acts of Theft

• The illegal taking of another’s property is a constant problem.
• Within an organization, property can be physical, electronic, or intellectual.
• Physical theft can be controlled by the installation of alarm systems and
• trained security professionals.
7. Deliberate Software Attacks
• Caused by malicious code or malicious software, sometimes called malware.
• These software components are designed to damage, destroy or deny service to the target system.
• The more common instances are viruses, worms, Trojan horses, logic bombs, and backdoors.
Virus
• Segments of code that perform malicious actions.
• Virus transmission commonly occurs at the opening of e-mail attachment files.
• Macro virus -> embedded in automatically executing macro code common in word processors, spreadsheets and database applications.
• Boot virus -> infects the key operating files located in the computer’s boot sector.
Worms
• A worm is a malicious program that replicates itself constantly, without requiring another program to provide a safe environment for replication.
• Worms can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth.
• Eg: MS-Blaster, MyDoom, Netsky are multifaceted attack worms.
Trojan Horses
• Are software programs that hide their true nature and reveal their designed behavior only when activated.

Trojan horse attack (figure): the Trojan horse arrives via e-mail or software such as free games; it is activated when the software or attachment is executed; it then releases its payload, monitors computer activity, installs a back door, or transmits information to the hacker.

Back Door or Trap Door

• A virus or worm has a payload that installs a backdoor or trapdoor component in a system, which allows the attacker to access the system at will with special privileges.
Eg: Back Orifice

Polymorphism
• A polymorphic threat is one that changes its apparent shape over time, making it undetectable by techniques that look for preconfigured signatures.
• These viruses and worms actually evolve, changing their size and appearance to elude detection by antivirus software programs.
Virus & Worm Hoaxes

Virus
A program or piece of code that can be loaded onto your computer without your knowledge and run against your wishes.

Worm
A program or algorithm that replicates itself over a computer network and usually performs malicious actions.

Trojan Horse
A destructive program that masquerades as a benign application; unlike viruses, Trojan horses do not replicate themselves.

Blended threat
Blended threats combine the characteristics of viruses, worms, Trojan horses and malicious code with server and Internet vulnerabilities.

Antivirus Program
A utility that searches a hard disk for viruses and removes any that are found.

Forces of Nature

Fire: Structural fire that damages the building. Also encompasses smoke damage from a fire or water damage from sprinkler systems.

Flood: Can sometimes be mitigated with flood insurance and/or business interruption insurance.

Earthquake: Can sometimes be mitigated with specific casualty insurance and/or business interruption insurance, but is usually a separate policy.

Lightning: An abrupt, discontinuous natural electric discharge in the atmosphere.

Landslide/Mudslide: The downward sliding of a mass of earth and rocks, directly damaging all parts of the information systems.

Hurricane/typhoon, Tsunami, Dust Contamination:

Deviations in Quality of Service

 A product or service is not delivered to the organization as expected.


 The Organization’s information system depends on the successful operation of many
interdependent support systems.
 It includes power grids, telecom networks, parts suppliers, service vendors, and even the
janitorial staff & garbage haulers.
 This degradation of service is a form of availability disruption.

Internet Service Issues

 Internet service Provider(ISP) failures can considerably undermine the availability of information.
 The web hosting services are usually arranged with an agreement providing minimum service levels
known as a Service level Agreement (SLA).
 When a Service Provider fails to meet SLA, the provider may accrue fines to cover losses incurred by
the client, but these payments seldom cover the losses generated by the outage.
Communications & Other Service Provider Issues
 Other utility services that can affect the organization are telephone, water, waste water, trash pickup,
cable television, natural or propane gas, and custodial services.
 The loss of these services can impair the ability of an organization to function.
 For example, if the waste water system fails, an organization might be prevented from allowing
employees into the building.
 This would stop normal business operations.

Power Irregularities
 Fluctuations due to power excesses, power shortages, and power losses.
 These pose problems for organizations that supply inadequately conditioned power to their
information systems equipment.
 When voltage levels spike (a momentary increase) or surge (a prolonged increase), the extra voltage
can severely damage or destroy equipment.
 A more expensive uninterruptible power supply (UPS) can protect against spikes and surges as well
as carry equipment through short losses of power.

Technical Hardware Failures or Errors

 Hardware faults result in unreliable service or lack of availability.
 Some errors are terminal, in that they result in the unrecoverable loss of the equipment.
 Some errors are intermittent, in that they result in faults that are not easily repeated.

Technical software failures or errors

 This category involves threats that come from purchasing software with unknown, hidden faults.
 Large quantities of computer code are written, debugged, published, and sold before all their bugs
are detected and resolved.
 These failures range from bugs to untested failure conditions.

Technological obsolescence
 Outdated infrastructure can lead to unreliable and untrustworthy systems.
 Management must recognize that when technology becomes outdated, there is a risk of loss of data
integrity from attacks.

Man-in-the –Middle
 Also known as a TCP hijacking attack.
 An attacker monitors packets from the network, modifies them, and inserts them back into the
network.
 This type of attack uses IP spoofing.
 It allows the attacker to change, delete, reroute, add, forge or divert data.
 In a TCP hijacking session, the spoofing can involve the interception of an encryption key exchange,
so that the attacker ends up holding a key with each side while the two parties believe they share one.
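As an added example (not part of the handout), the following Python script shows the key-exchange interception the last bullet describes: an unauthenticated Diffie-Hellman exchange between Alice and Bob in which Mallory substitutes her own public values and ends up holding a key with each side, followed by the same exchange with every public value authenticated by an HMAC under a pre-shared key, which makes the substitution detectable. The group parameters, the pre-shared key and the party names are constructed for the demo; the prime is far too small for real use.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for the example. A real deployment uses a
# vetted 2048-bit (or larger) group or an elliptic curve from a crypto library.
P = 2**127 - 1
G = 5

# Pre-shared key used only to authenticate the public values (constructed).
PSK = b"constructed-psk-for-the-handout-example"


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P-2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Derive a 256-bit session key from the DH secret (peer_pub^priv mod p)."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def tag_pub(pub):
    """Authenticate a public value with an HMAC under the pre-shared key."""
    return hmac.new(PSK, pub.to_bytes(16, "big"), "sha256").digest()


def unauthenticated_exchange():
    """Alice and Bob swap bare public values; Mallory sits in the middle and
    replaces each one with her own. Returns what each party ends up believing."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()

    # Alice -> (Mallory) -> Bob: Bob actually receives m_pub, not a_pub.
    # Bob -> (Mallory) -> Alice: Alice actually receives m_pub, not b_pub.
    k_alice = dh_shared(a_priv, m_pub)     # Alice thinks this is shared with Bob
    k_bob = dh_shared(b_priv, m_pub)       # Bob thinks this is shared with Alice
    k_mal_a = dh_shared(m_priv, a_pub)     # Mallory's key toward Alice
    k_mal_b = dh_shared(m_priv, b_pub)     # Mallory's key toward Bob

    return {
        "alice_bob_agree": k_alice == k_bob,          # False: no common key
        "mallory_reads_alice": k_mal_a == k_alice,    # True: she can decrypt and re-encrypt
        "mallory_reads_bob": k_mal_b == k_bob,        # True
    }


def authenticated_exchange(tamper):
    """Same exchange, but each public value travels with its HMAC tag and Bob
    verifies the tag before using the value. Returns True when Alice and Bob
    derive the same key, or None when Bob aborts because the tag fails."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()

    sent_pub, sent_tag = a_pub, tag_pub(a_pub)
    if tamper:
        # Mallory swaps in her own value but cannot compute a valid tag for it.
        _, m_pub = dh_keypair()
        sent_pub = m_pub

    if not hmac.compare_digest(tag_pub(sent_pub), sent_tag):
        return None                        # Bob aborts the exchange

    # Bob's reply would be tagged the same way; for brevity Alice gets b_pub directly.
    return dh_shared(b_priv, sent_pub) == dh_shared(a_priv, b_pub)


if __name__ == "__main__":
    print("unauthenticated:", unauthenticated_exchange())
    print("authenticated, no tamper:", authenticated_exchange(tamper=False))
    print("authenticated, tampered:", authenticated_exchange(tamper=True))
```

The lesson is the one the bullet hints at: Diffie-Hellman alone gives confidentiality against a passive sniffer, but without authenticating the exchanged values an active attacker on the path owns both halves of the session.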

SPAM
 Spam is unsolicited commercial e-mail.
 It is generally considered a trivial nuisance rather than an attack.
 It has nevertheless been used as a carrier to make malicious code attacks more effective.
 Even on its own it wastes both computer and human resources through the flow of unwanted e-mail.
Mail Bombing
 Another form of e-mail attack that is also a DoS is called a mail bomb.
 The attacker routes large quantities of e-mail to the target.
 The target of the attack receives unmanageably large volumes of unsolicited e-mail.
 By sending large volumes of e-mail, attackers can take advantage of poorly configured e-mail systems
(open mail relays) on the Internet and trick them into sending many e-mails to an address chosen by the
attacker.
 The target e-mail address is buried under thousands or even millions of unwanted e-mails.
Sniffers
 A sniffer is a program or device that can monitor data traveling over a network.
 Unauthorized sniffers can be extremely dangerous to a network's security, because they are passive,
virtually impossible to detect from the wire, and can be inserted almost anywhere.
 Sniffers often work on TCP/IP networks, where they are sometimes called "packet sniffers".

Social Engineering
 It is the process of using social skills to convince people to reveal access credentials or other valuable
information to the attacker.
 For example, an attacker gets more information by calling others in the company and asserting
authority by mentioning the chief's name.

Buffer Overflow
 A buffer overflow is an application error that occurs when more data is sent to a buffer than it can
handle.
 If the overflowing data is attacker-controlled, the attacker can make the target system execute
instructions of the attacker's choosing.

Timing Attack
 Works by exploring the contents of a Web browser's cache.
 These attacks allow a Web designer to create a malicious form of cookie that is stored on the client's
system.
 The cookie could allow the designer to collect information on how to access password-protected
sites.
Attacks

 An attack is an act or action that takes advantage of a vulnerability to compromise a controlled
system.
 It is accomplished by a threat agent that damages or steals an organization's information or physical
asset.
 A vulnerability is an identified weakness in a controlled system, where controls are not present or
are no longer effective.
 An attack exists when a specific act or action comes into play and may cause a potential loss.

Malicious code

 The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web
scripts with the intent to destroy or steal information.
 The state-of-the-art malicious code attack is the polymorphic or multivector worm.
 These attack programs use up to six known attack vectors to exploit a variety of vulnerabilities in
commonly found information system devices.
Attack Replication Vectors

1. IP scan and attack
2. Web browsing
3. Virus
4. Unprotected shares
5. Mass mail
6. Simple Network Management Protocol (SNMP)

1. IP scan & attack

The infected system scans a random or local range of IP addresses and targets any of several
vulnerabilities known to hackers.

2. Web browsing
If the infected system has write access to any Web pages, it makes all Web content files
(.html, .asp, .cgi and others) infectious, so that users who browse to those pages become infected.
3. Virus
Each infected machine infects certain common executable or script files on all computers to which it
can write with virus code that can cause infection.

4. Unprotected shares
Using vulnerabilities in file systems and the way many organizations configure them, the infected
machine copies the viral component to all locations it can reach.

5. Mass Mail
By sending E-mail infections to addresses found in the address book, the infected machine infects
many users, whose mail -reading programs also automatically run the program & infect other systems.

6. Simple Network Management Protocol (SNMP)


 By using the widely known default community strings (passwords) employed in early versions of this
protocol, the attacking program can gain control of the device. Most vendors have closed these
vulnerabilities with software upgrades.

Hoaxes
 A more devious approach to attacking computer systems is the transmission of a virus hoax with
a real virus attached.
 Users who forward the warning in an effort to avoid infection end up sending the attack on to their
co-workers.

Backdoors
 Using a known or previously unknown and newly discovered access mechanism, an attacker can gain
access to a system or network resource through a back door.
 Sometimes these entries are left behind by system designers or maintenance staff, and thus referred
to as trap doors.
 A trap door is hard to detect, because very often the programmer who puts it in place also makes
the access exempt from the usual audit logging features of the system.

Password Crack
 Attempting to reverse-calculate a password from its stored hash is often called cracking.
 A guessed password is hashed using the same algorithm and compared to the stored hash; if they
are the same, the password has been cracked.
 On Windows, the Security Account Manager (SAM) file contains the hashed representations of user
passwords.

Brute Force

 The application of computing and network resources to try every possible combination of options for a
password is called a brute force attack.
 Because this is often an attempt to repeatedly guess passwords to commonly used accounts, it is
sometimes called a password attack.

Dictionary
 This is another form of the brute force attack noted above for guessing passwords.
 The dictionary attack narrows the field by selecting specific accounts to attack and uses a list of
commonly used passwords (the dictionary) instead of random combinations.
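To make the three passages on password cracking, brute force and dictionary attacks concrete, here is an added Python example (not from the handout) that does exactly what the text describes: hash each guess with the same algorithm as the stored value and compare. The "password file", the wordlist, the account names and the unsalted SHA-256 hash are all constructed for the demo; the stored hashes are built inline so the script runs offline.

```python
import hashlib
import itertools
import string


def hash_password(password):
    """Unsalted SHA-256 stands in for whatever hash the password store uses. The
    absence of a salt and of a slow KDF is precisely what makes the hash-and-compare
    attack below cheap; real systems should use bcrypt, scrypt or Argon2 with a salt."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "password file": account name -> stored hash (no real accounts).
STORED = {
    "admin": hash_password("letmein"),       # weak: appears in every wordlist
    "svc_backup": hash_password("bz7"),      # short: falls to exhaustive search
    "dba": hash_password("Tr0ub4dor&3"),     # outside both the list and the search space
}

# A (very) short wordlist of commonly used passwords, constructed for the demo.
WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome", "admin"]


def dictionary_attack(stored_hash, wordlist):
    """Hash each candidate and compare. Returns (password, guesses) or (None, guesses)."""
    for guesses, word in enumerate(wordlist, start=1):
        if hash_password(word) == stored_hash:
            return word, guesses
    return None, len(wordlist)


def brute_force(stored_hash, alphabet, max_len):
    """Try every string over `alphabet` of length 1..max_len. The guess count grows as
    len(alphabet)**length, which is why length beats complexity for the defender."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if hash_password(candidate) == stored_hash:
                return candidate, guesses
    return None, guesses


def crack(account, wordlist=WORDLIST,
          alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Cheap dictionary pass first, exhaustive search only if that fails."""
    target = STORED[account]
    word, guesses = dictionary_attack(target, wordlist)
    if word is not None:
        return {"method": "dictionary", "password": word, "guesses": guesses}
    word, guesses = brute_force(target, alphabet, max_len)
    return {"method": "brute-force", "password": word, "guesses": guesses}


if __name__ == "__main__":
    for account in STORED:
        print(account, crack(account))
```

Running it shows the three outcomes the handout distinguishes: the dictionary finds "letmein" in four guesses, the three-character password costs tens of thousands of hashes but still falls, and the longer password survives because the search space (36 to the power of its length) is out of reach for this script.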

Denial –of- Services (DOS) & Distributed Denial –of- Service(DDOS)


 The attacker sends a large number of connection or information requests to a target.
 This may result in the system crashing, or simply becoming unable to perform ordinary functions.
 A DDoS is an attack in which a coordinated stream of requests is launched against a target from
many locations at the same time.
Spoofing
 It is a technique used to gain unauthorized access to computers, wherein the intruder sends
messages to a computer with a forged source IP address that indicates the messages are coming from a
trusted host.

Figure: IP spoofing. Original IP packet from the hacker's system: IP source 192.168.0.25, IP destination
100.0.0.75, data payload. Spoofed (modified) IP packet: IP source 100.0.0.80, IP destination 100.0.0.75,
same payload. The hacker modifies the source address to spoof the firewall; the spoofed packet is sent
to the target, and the firewall allows it in, mistaking it for legitimate traffic.
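The diagram's packets can be run through two firewall rules to see why the spoof works and what stops it. The code below is an added example, not part of the handout: it uses the addresses from the diagram, assumes that 100.0.0.0/24 is the protected network behind the firewall (the diagram does not say), and contrasts a rule that trusts the source field as written with one that first applies the standard anti-spoofing (ingress filtering) check: a packet arriving on the external interface may not claim an internal source address.

```python
import ipaddress

# Topology assumed for the example (the handout's diagram only gives the addresses):
# 100.0.0.0/24 is the protected network behind the firewall, 100.0.0.80 is a trusted
# internal host, and the attacker at 192.168.0.25 is outside.
INTERNAL_NET = ipaddress.ip_network("100.0.0.0/24")
TRUSTED_SOURCES = {ipaddress.ip_address("100.0.0.80")}

# Constructed packets: the original from the attacker, the spoofed copy with the
# source rewritten to the trusted host, and a genuine packet from that host.
ORIGINAL = {"iface": "external", "src": "192.168.0.25", "dst": "100.0.0.75"}
SPOOFED = {"iface": "external", "src": "100.0.0.80", "dst": "100.0.0.75"}
LEGITIMATE = {"iface": "internal", "src": "100.0.0.80", "dst": "100.0.0.75"}


def naive_firewall(packet):
    """Trusts the source address as written: the spoofed packet is waved through."""
    return ipaddress.ip_address(packet["src"]) in TRUSTED_SOURCES


def ingress_filtering_firewall(packet):
    """Anti-spoofing check first (the practice recommended by BCP 38 / RFC 2827): a
    packet that arrives on the external interface cannot legitimately carry an
    internal source address, so it is dropped before any source-based trust applies."""
    src = ipaddress.ip_address(packet["src"])
    if packet["iface"] == "external" and src in INTERNAL_NET:
        return False
    return src in TRUSTED_SOURCES


def evaluate(rule):
    """Apply a firewall rule to the three packets; True means the packet is admitted."""
    return {name: rule(pkt) for name, pkt in
            (("original", ORIGINAL), ("spoofed", SPOOFED), ("legitimate", LEGITIMATE))}


if __name__ == "__main__":
    print("naive:   ", evaluate(naive_firewall))
    print("filtered:", evaluate(ingress_filtering_firewall))
```

Note the limit of the check: it defeats an outsider impersonating an inside host, which is the case in the diagram, but a packet forging some external address the firewall trusts still needs a different defense, which is why trust should rest on authentication rather than on the source field alone.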

Legal, Ethical, and Professional Issues in Information Security

Law and Ethics in Information Security


Laws are rules that mandate or prohibit certain behavior in society; they are drawn from ethics, which
define socially acceptable behaviors. The key difference between laws and ethics is that laws carry the
sanctions of a governing authority and ethics do not. Ethics in turn are based on cultural mores.

Chapter III SECURITY ANALYSIS

RISK MANAGEMENT
Definition:
The formal process of identifying and controlling the risks facing an organization is called risk
management. Risk itself is the probability of an undesired event causing damage to an asset. There are
three steps:
1. Risk identification
2. Risk assessment
3. Risk control
Risk identification: the process of examining and documenting the security posture of an organization's
information technology and the risks it faces.
Risk assessment: the documentation of the results of risk identification, assigning a risk rating to each
asset.
Risk control: the process of applying controls to reduce the risks to an organization's data and
information systems.
To keep up with the competition, organizations must design and create safe environments in which
business process and procedures can function.
These environments must maintain Confidentiality & Privacy and assure the integrity of organizational
data-objectives that are met through the application of the principles of risk management
Components of Risk Management

Figure: Risk management breaks down into three components. Risk identification: inventorying assets,
classifying assets, identifying threats and vulnerabilities. Risk assessment: the documented result of the
risk identification process. Risk control: selecting a strategy, justifying controls.
An Overview of Risk Management
More than 2,400 years ago the Chinese general Sun Tzu wrote:
"1. If you know the enemy and know yourself, you need not fear the result of a hundred battles.
2. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
3. If you know neither the enemy nor yourself, you will succumb in every battle."
Know Yourself
 Identify, examine and understand the information systems.
 To protect assets, you must understand what they are, how they add value to the organization, and
to which vulnerabilities they are susceptible.
 The policies, education and training programs, and technologies that protect information must be
carefully maintained and administered to ensure that they are still effective.
Know the Enemy
Identifying, Examining & Understanding the threats facing the organization.
The Roles of the Communities of Interest
It is the responsibility of each community of interest to manage the risks that organization
encounters.
Information Security
 Understand the threats and attacks that introduce risk into the organization.
 Take a leadership role in addressing risk.
Management & Users
 Management must ensure that sufficient resources are allocated to the information security and
information technology groups to meet the security needs of the organization.
 Users work with the systems and the data and are therefore well positioned to understand the value
of the information assets.
Information Technology
 Must build secure systems and operate them safely.
All three communities of interest are also responsible for the following:
 Evaluating the risk controls.
 Determining which control options are cost effective.
 Acquiring or installing the needed controls.
 Overseeing that the controls remain effective.

Important risk factors of information security are:
i. Understanding the threats and attacks that introduce risk into the organization.
ii. Taking an asset inventory.
iii. Verifying the threats and vulnerabilities that have been identified as dangerous to the asset inventory,
as well as the current controls and mitigation strategies.
iv. Reviewing the cost effectiveness of various risk control measures.

Risk Identification
 IT professionals must know their organization's information assets by identifying, classifying
and prioritizing them.
 Assets are the targets of various threats and threat agents, and the goal is to protect the assets from
the threats.
 Once the organizational assets have been identified, a threat identification process is undertaken.
 The circumstances and settings of each information asset are examined to identify vulnerabilities.
 When vulnerabilities are found, controls are identified and assessed as to their capability to limit
possible losses in the eventuality of attack.
 The process of risk identification begins with the identification of the organization's information
assets and an assessment of their value.
 The components of this process are shown in the figure.
Asset Identification & Valuation
 Includes all the elements of an organization’s system, such as people, procedures, data and
information, software, hardware, and networking elements.
 Then, you classify and categorize the assets, adding details.
Components of Risk Identification

Categorization of IT Components

 People include employees and nonemployees. There are two categories of employees: those who
hold trusted roles and have correspondingly greater authority and accountability, and other staff
who have assignments without special privileges.
 Procedures fall into two categories: IT and business standard procedures, and IT and business
sensitive procedures.
 Data Components have been expanded to account for the management of information in all stages:
Transmission, Processing, and Storage.
 Software Components can be assigned to one of three categories: Applications, Operating
Systems, or security components.
 Hardware is assigned to one of two categories: the usual systems devices and their peripherals,
and the devices that are part of information security control systems. The latter must be protected
more thoroughly than the former.
People, Procedures,& Data Asset Identification
People : Position name/number/ID: Supervisor; Security clearance level; special skills.
Procedures : Description/intended purpose/relationship to software / hardware and networking
elements; storage location for update; storage location for reference.
Data : Classification; owner; Creator; Manager; Size of data structure; data structure used;
online/offline/location/backup procedures employed.

Hardware, Software, and Network Asset Identification

Depends on the needs of the organization and its risk management efforts.
 Name: Should adopt naming standards that do not convey information to potential system
attackers.
 IP address: Useful for network devices and servers. Many organizations use the Dynamic Host
Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making
the use of IP numbers as part of the asset identification process problematic. IP address use in
inventory is usually limited to those devices that use static IP addresses.
 Media Access Control (MAC) address: Electronic serial numbers or hardware addresses. Every
network interface is assigned a unique number, which the network operating system uses to identify a
specific network device and which the client's network software uses to recognize the traffic it must
process. A MAC address can be changed in software, so it is an identifier, not proof of identity.
 Element Type: Document the function of each Element by listing its type. For hardware, a list of
possible element types, such as servers, desktops, networking devices or test equipment.
 One server might be listed as:
Device class = S (Server)
Device OS = W2K (Windows 2000)
Device Capacity = AS (Advanced Server)
Serial Number: For hardware devices, the serial number can uniquely identify a specific device.
Manufacturer Name: Record the manufacturer of the device or software component. This can be useful
when responding to incidents that involve these devices or when certain manufacturers announce specific
vulnerabilities.
Manufacturer’s Model No or Part No: Record the model or part number of the element. This record
of exactly what the element is can be very useful in later analysis of vulnerabilities, because some
vulnerability instances only apply to specific models of certain devices and software components.
Software Version, Update revision, or FCO number: Document the specific software or firmware
revision number and, for hardware devices, the current field change order (FCO) number. An FCO is an
authorization issued by an organization for the repair, modification, or update of a piece of equipment.
Documenting the revision number and FCO is particularly important for networking devices that function
mainly through the software running on them. For example, firewall devices often have three versions: an
operating system (OS) version, a software version, and a basic input/output system (BIOS) firmware
version.
Physical location: Note where this element is located physically (Hardware)
Logical Location: Note where this element can be found on the organization’s network. The logical
location is most useful for networking devices and indicates the logical network where the device is
connected.
Controlling Entity: Identify which organizational unit controls the element.
Automated Risk Management Tools
-Automated tools identify the system elements that make up the hardware, software, & network
components.
-Many organizations use automated asset inventory systems.
-The inventory listing is usually available in a data base.
Information Asset Classification- In addition to the categories, it is advisable to add another dimension
to represent the sensitivity & Security priority of the data and the devices that store, transmit & process
the data.
 Eg: Kinds of classifications are confidential data, internal data and public data.
Information Asset Valuation
- As each asset is assigned to its category, posing a number of questions assists in developing the weighting
criteria to be used for information asset valuation or impact evaluation. Before beginning the inventory
process, the organization should determine which criteria can best be used to establish the value of the
information assets. Among the criteria to be considered are:
 Which information asset is the most critical to the success of the organization?
 Which information asset generates the most revenue?
 Which information asset generates the most profitability?
 Which information asset would be the most expensive to replace?

Sample Inventory Worksheet

Data Classification
1. Confidential
2. Internal
3. External
Confidential: Access to information with this classification is strictly on a need-to-know basis or as
required by the terms of a contract.
Internal: Used for all internal information that does not meet the criteria for the confidential category
and is to be viewed only by employees, authorized contractors, and other third parties.
External: All information that has been approved by management for public release.
The military uses five level classifications
1. Unclassified data
2. Sensitive But Unclassified data (SBU)
3. Confidential data
4. Secret data
5. Top Secret data
Unclassified data: Information that can generally be distributed to the public without any threat to U.S.
National interests.

Sensitive But Unclassified data (SBU) : Any information of which the loss, misuse, or unauthorized
access to, or modification of might adversely affect U.S. national interests, the conduct of Department of
Defense(DoD) programs, or the privacy of DoD personnel.

Confidential data: Any information or material the unauthorized disclosure of which reasonably could
be expected to cause damage to the national security.

Secret: Any information or material the unauthorized disclosure of which reasonably could be expected
to cause serious damage to the national security.

Top Secret Data: Any information or material the unauthorized disclosure of which reasonably could be
expected to cause exceptionally grave damage to the national security.

An organization may have:
1. Research data
2. Personnel data
3. Customer data
4. General internal communications
Some organizations may use:
1. Public data
2. For official use only
3. Sensitive data
4. Classified data

 Public: Information for general public dissemination, such as an advertisement or public release.
 For Official Use Only: Information that is not particularly sensitive, but not for public release,
such as internal communications.
 Sensitive: Information important to the business that could embarrass the company or cause loss
of market share if revealed.
 Classified: Information of the utmost secrecy to the organization, disclosure of which could
severely impact the well-being of the organization.

Security Clearances
 The other side of the data classification scheme is the personnel security clearance structure.
 Each user of data must be assigned a single authorization level that indicates the level of
classification he or she is authorized to view.
 Eg: data entry clerk, development programmer, information security analyst, or even CIO.
 Most organizations have a set of roles and the accompanying security clearances associated
with each role.
 Overriding an employee's security clearance is the fundamental principle of need-to-know: a
clearance at a given level does not by itself entitle the holder to every item classified at that level,
only to those needed for the job.
Management of classified data
 Includes its storage, distribution, portability, and destruction.
 Military uses color coordinated cover sheets to protect classified information from the casual
observer.
 Each classified document should contain the appropriate designation at the top and bottom of each
page.
 A clean desk policy requires that employees secure all information in appropriate storage
containers at the end of each day.
 When information is no longer valuable, proper care should be taken to destroy it by means
of shredding, burning or transferring it to a service offering authorized document destruction.
 Otherwise an attacker may resort to dumpster diving, retrieving discarded documents that could
embarrass a company or compromise information security.

Threat Identification
After identifying the information assets, the analysis phase moves on to an examination of the
threats facing the organization.

Identify and Prioritize Threats and Threat Agents
Threats to Information Security
 This examination is known as a threat assessment. You can address each threat with a few basic
questions, as follows:
 Which threats present a danger to an organization’s assets in the given environment?
 Which threats represent the most danger to the organization’s information?
 How much would it cost to recover from a successful attack?
 Which of the threats would require the greatest expenditure to prevent?
Weighted Ranks of Threats to Information Security

Threat                                   Mean   Std. Dev.   Weight   Weighted Rank
Deliberate software attacks              3.99   1.03        546      2178.3
Forces of nature                         2.80   1.09        218       610.9
Acts of human error or failure           3.15   1.11        350      1101.0
Deliberate acts of theft                 3.07   1.30        226       694.5
Technological obsolescence               2.71   1.11        158       427.9
Technical software failures or errors    3.16   1.13        358      1129.9
Compromises to intellectual property     2.72   1.21        181       494.8
Vulnerability Identification:
 Create a list of vulnerabilities for each information asset.
 Groups of people working iteratively in a series of sessions give the best results.
 At the end of the identification process, you have a list of assets and their vulnerabilities.

Vulnerability Assessment of a Hypothetical DMZ Router

Threat                                     Possible vulnerabilities
Deliberate software attacks                Internet protocol is vulnerable to denial of service.
Acts of human error or failure             Employees may cause an outage if configuration errors are made.
Technical software failures or errors      Vendor-supplied routing software could fail and cause an outage.
Technical hardware failures or errors      Hardware can fail and cause an outage.
Deviations in quality of service           Power system failures are always possible.
Deliberate acts of sabotage or vandalism   Internet protocol is vulnerable to denial of service.
Deliberate acts of theft                   This information asset has little intrinsic value, but other assets
                                           protected by this device could be attacked if it is compromised.
Technological obsolescence                 If this asset is not reviewed and periodically updated
Forces of nature                           All information assets in the organization are subject to forces
                                           of nature.
Compromises to intellectual property       This information asset has little intrinsic value, but other assets
                                           protected by this device could be attacked if it is compromised.
Risk Assessment
 Assigns a risk rating or score to each information asset.
 It is useful in gauging the relative risk to each vulnerable asset.
Valuation of Information Assets
 Assign weighted scores for the value to the organization of each information asset.
 The National Institute of Standards and Technology (NIST) gives some standards.
 To be effective, the values must be assigned by asking the following questions:
 Which threats present a danger to an organization's assets in the given environment?
 Which threats represent the most danger to the organization's information?
 How much would it cost to recover from a successful attack?
 Which of the threats would require the greatest expenditure to prevent?
Likelihood
 It is the probability that a specific vulnerability within an organization will be successfully
attacked.
 NIST gives some standards: 0.1 = low, 1.0 = high (NIST SP 800-30 also uses 0.5 for medium).
 Eg: the number of network attacks can be forecast based on how many network addresses the
organization has assigned.
Risk Determination
Risk = (likelihood of vulnerability occurrence x value of information asset)
       - (percentage of that risk mitigated by current controls)
       + (uncertainty of current knowledge of the vulnerability)
• For the purpose of relative risk assessment, risk equals:
– likelihood of vulnerability occurrence TIMES value (or impact)
– MINUS the percentage of that risk already controlled
– PLUS an element of uncertainty
Eg: Information asset A has a value score of 50 and one vulnerability: Vulnerability 1 has a
likelihood of 1.0 with no current controls, and we estimate that our assumptions and data are 90%
accurate (10% uncertainty).
Solution:
Risk = [(1.0) x 50] - 0% + 10%
     = (50 x 1.0) - ((50 x 1.0) x 0.0) + ((50 x 1.0) x 0.1)
     = 50 - 0 + 5
     = 55
Identify Possible Controls ( For Residual Risk)
 Residual risk is the risk that remains to the information asset even after the existing
control has been applied.
 Three general categories of controls
1. Policies
2. Programs
3. Technologies
1. Policies
 General Security Policy
 Program Security Policy
 Issue Specific Policy
 Systems Specific Policy

2. Programs
 Education
 Training
 Awareness
3. Security Technologies
 Technical Implementation Policies

Access Controls
 Specifically addresses admission of a user into a trusted area of the organization.
 Eg: Computer rooms, Power Rooms.
 Combination of policies , Programs, & Technologies
Types of Access controls
Mandatory Access Controls (MACs)
 Give users and data owners limited control over access to information resources.
Nondiscretionary Controls
 Managed by a central authority in the organization; can be based on individual’s
role (role-based controls) or a specified set of assigned tasks (task-based controls)
Discretionary Access Controls ( DAC)
 Implemented at discretion or option of the data user
Lattice-based Access Control
 Variation of MAC - users are assigned matrix of authorizations for particular areas
of access.
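An added example (not from the handout) of the clearance-versus-classification comparison described under Security Clearances, extended into the lattice-based variant listed above: a label is a classification level plus a set of need-to-know compartments, a subject may read an object only when the subject's label dominates the object's, and the join of two labels is the least label that dominates both. The five levels are the military ones listed earlier; the compartment names and the sample users and documents are constructed.

```python
from dataclasses import dataclass, field

# Classification levels from the handout, ordered from lowest to highest.
LEVELS = ["Unclassified", "SBU", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A point in the lattice: a level plus a set of need-to-know compartments.
    Compartment names here (e.g. "PROJECT_X") are constructed for the example."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """Partial order: at least the other's level AND a superset of its compartments.
        The compartment test is what lets need-to-know override a bare clearance level."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)

    def join(self, other):
        """Least upper bound: the lowest label that dominates both inputs (the label a
        document combining material from both sources must carry)."""
        level = self.level if RANK[self.level] >= RANK[other.level] else other.level
        return Label(level, self.compartments | other.compartments)


def can_read(subject_clearance, object_classification):
    """Simple security rule: a subject may read an object only if its clearance
    dominates the object's classification."""
    return subject_clearance.dominates(object_classification)


if __name__ == "__main__":
    analyst = Label("Secret", frozenset({"PROJECT_X"}))
    memo = Label("Confidential", frozenset({"PROJECT_X"}))
    other = Label("Confidential", frozenset({"PROJECT_Y"}))
    print(can_read(analyst, memo))     # True: cleared and has need-to-know
    print(can_read(analyst, other))    # False: cleared for the level, no need-to-know
    print(memo.join(other))            # Confidential, {PROJECT_X, PROJECT_Y}
```

The second print is the point of the passage above: a Secret-cleared analyst is refused a merely Confidential memo because the compartment, not the level, is missing.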
Documenting the Results of Risk Assessment
By the end of the Risk Assessment process, you probably have a collection of long lists of
information assets with data about each of them. The goal of this process is to identify the
information assets that have specific vulnerabilities and list them, ranked according to those most
needing protection. You should also have collected some information about the controls that are
already in place. The final summarized document is the ranked vulnerability risk worksheet, a
sample of which is shown in the following table.

Asset                                  Asset impact or   Vulnerability                              Vulnerability   Risk rating
                                       relative value                                               likelihood      factor
Customer service request via e-mail    55                E-mail disruption due to hardware          0.2             11
(inbound)                                                failure
Customer order via SSL (inbound)       100               Lost orders due to Web server hardware     0.1             10
                                                         failure
Customer order via SSL (inbound)       100               Lost orders due to Web server or ISP       0.1             10
                                                         service failure
Customer service request via e-mail    55                E-mail disruption due to SMTP mail         0.1             5.5
(inbound)                                                relay attack
Customer service request via e-mail    55                E-mail disruption due to ISP service       0.1             5.5
(inbound)                                                failure
Customer order via SSL (inbound)       100               Lost orders due to Web server              0.025           2.5
                                                         denial-of-service attack
Customer order via SSL (inbound)       100               Lost orders due to Web server software     0.01            1
                                                         failure
(SSL = Secure Sockets Layer. The risk rating factor is the asset value multiplied by the vulnerability
likelihood.)
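The risk formula under Risk Determination and the ranked vulnerability risk worksheet above use the same arithmetic, so one added Python example (not from the handout) covers both: a function that evaluates the formula term by term, checked against the handout's worked example (value 50, likelihood 1.0, no controls, 10% uncertainty, giving 55), and a ranking of the worksheet rows, whose risk rating factor is simply value times likelihood because no control or uncertainty terms are given there. The worksheet rows are copied from the table; the function names are the example's own.

```python
def risk(value, likelihood, pct_controlled=0.0, uncertainty=0.0):
    """Handout formula, term by term:
         (likelihood x value)
       - (likelihood x value) x fraction of that risk already mitigated by current controls
       + (likelihood x value) x uncertainty in the estimate.
    pct_controlled and uncertainty are fractions (0.10 for 10%)."""
    base = likelihood * value
    return base - base * pct_controlled + base * uncertainty


# Ranked vulnerability risk worksheet rows from the handout:
# (asset, vulnerability, asset value, vulnerability likelihood)
WORKSHEET = [
    ("Customer service request via e-mail (inbound)", "E-mail disruption due to hardware failure", 55, 0.2),
    ("Customer order via SSL (inbound)", "Lost orders due to Web server hardware failure", 100, 0.1),
    ("Customer order via SSL (inbound)", "Lost orders due to Web server or ISP service failure", 100, 0.1),
    ("Customer service request via e-mail (inbound)", "E-mail disruption due to SMTP mail relay attack", 55, 0.1),
    ("Customer service request via e-mail (inbound)", "E-mail disruption due to ISP service failure", 55, 0.1),
    ("Customer order via SSL (inbound)", "Lost orders due to Web server denial-of-service attack", 100, 0.025),
    ("Customer order via SSL (inbound)", "Lost orders due to Web server software failure", 100, 0.01),
]


def rank_worksheet(rows):
    """Score every row with the formula (no controls, no uncertainty, so the score is
    value x likelihood) and return the rows sorted from most to least risk."""
    scored = [(asset, vuln, round(risk(value, lik), 3)) for asset, vuln, value, lik in rows]
    return sorted(scored, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    print(risk(50, 1.0, pct_controlled=0.0, uncertainty=0.10))   # handout's example: 55.0
    for asset, vuln, score in rank_worksheet(WORKSHEET):
        print(f"{score:>5}  {asset}: {vuln}")
```

Because the control and uncertainty terms are both scaled by the same base (likelihood times value), a control that mitigates 30% of the risk and a 10% uncertainty allowance net out to 80% of the base, which is why the residual risk of a vulnerability can only be compared between assets after the base has been computed on the same value scale.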
Risk Control Strategies
Four basic strategies to control each of the risks that result from these vulnerabilities:
1. Apply safeguards that eliminate the remaining uncontrolled risks for the vulnerability [avoidance]
2. Transfer the risk to other areas or to outside entities [transference]
3. Reduce the impact should the vulnerability be exploited [mitigation]
4. Understand the consequences and accept the risk without control or mitigation [acceptance]
Avoidance
It is the risk control strategy that attempts to prevent the exploitation of the vulnerability, and is
accomplished by means of
a) Countering threats
b) Limiting access to assets
c) Removing vulnerabilities in assets
d) Adding protective safeguards.
Three common methods of risk avoidance are
1. Application of policy
2. Application of Training & Education
3. Application of Technology
Transference
 Transference is the control approach that attempts to shift the risk to other assets, other processes,
or other organizations.
 It may be accomplished through rethinking how services are offered, revising deployment models,
outsourcing to other organizations, purchasing Insurance, Implementing Service contracts with
providers.
Top 10 Information Security mistakes made by individuals.
1. Passwords on Post-it-Notes
2. Leaving unattended computers on.
3. Opening e-mail attachments from strangers.
4. Poor Password etiquette
5. Laptops on the loose (unsecured laptops that are easily stolen)
6. Blabber mouths ( People who talk about passwords)
7. Plug & Play[Technology that enables hardware devices to be installed and configured
without the protection provided by people who perform installations]
8. Unreported Security Violations
9. Always behind the times.
10. Not watching for dangers inside the organization
Mitigation
- It is the control approach that attempts to reduce the impact caused by the exploitation of a vulnerability
through planning and preparation.
 Mitigation begins with the early detection that an attack is in progress and the ability of
the organization to respond quickly, efficiently and effectively.
- It includes three types of plans:
1. Incident response plan (IRP) - actions to take while an incident is in progress
2. Disaster recovery plan (DRP) - the most common mitigation procedure
3. Business continuity plan (BCP) - continuation of business activities if a catastrophic event
occurs
Incident Response Plan (IRP)
The IRP provides answers to questions such as
1. What do I do now?
2. What should the administrator do first?
3. Whom should they contact?
4. What should they document?
For example, a system administrator may notice that someone is copying information from the server
without authorization, signaling a violation of policy by a potential hacker or an unauthorized employee;
the IRP tells the administrator what to do next, whom to call, and what to record.
The IRP also enables the organization to take coordinated action that is either predefined and specific or
ad hoc and reactive.
Disaster Recovery Plan (DRP)
 Can include strategies to limit losses before and during the disaster.
 Includes all preparations for the recovery process, strategies to limit losses during the disaster, and
detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede.
Business Continuity Plan (BCP)
 BCP is the most strategic and long-term of the three plans.
 It encompasses the continuation of business activities if a catastrophic event occurs, such as the
loss of an entire database, building or operations center.
 The BCP includes planning the steps necessary to ensure the continuation of the organization when
the scope or scale of a disaster exceeds the ability of the DRP to restore operations.
 Many companies offer such continuity services (for example, alternate processing sites) as a
contingency against disastrous events such as fires, floods, earthquakes, and most natural disasters.
Acceptance
 It is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
 This strategy is justified only when the organization has:
- Determined the level of risk.
- Assessed the probability of attack.
- Estimated the potential damage that could occur from attacks.
- Performed a thorough cost benefit analysis.
- Evaluated controls using each appropriate type of feasibility.
- Decided that the particular function, service, information, or asset did not justify the cost
of protection.
 Acceptance without that analysis is not a strategy; it is simply an unmanaged risk.
Selecting a Risk Control Strategy
- Level of threat and value of asset play a major role in selection of strategy.
- Rules of thumb on strategy selection can be applied:
 When vulnerability (flaw or weakness) exists: Implement security controls to reduce the likelihood
of a vulnerability being exercised.
 When vulnerability can be exploited: Apply layered protections, architectural designs, and
administrative controls to minimize the risk.
 When the attacker’s cost is less than his potential gain: Apply protections to increase the attacker’s
cost.
 When potential loss is substantial: Apply design principles, architectural designs, and technical
and non-technical protections to limit the extent of the attack, thereby reducing the potential for
loss.
Evaluation, Assessment & Maintenance of Risk Controls
 Once a control strategy has been implemented, it should be monitored and measured on an ongoing
basis to determine the effectiveness of the security controls and the accuracy of the estimate of the
residual risk.
 There is no exit from this cycle; it is a process that continues for as long as the organization
continues to function.
Categories of Controls
 Controlling risk through avoidance, Mitigation or Transference may be accomplished by
implementing controls or safeguards.
 Four ways to categorize controls have been identified:
– Control function
• Preventive or detective
– Architectural layer
• One or more layers of the technical architecture
– Strategy layer
• Avoidance, mitigation, transference
– Information security principle
• Confidentiality, integrity, availability, authentication, authorization, accountability, privacy
Control Function
- Safeguards designed to defend systems are either preventive or detective.
- Preventive controls stop attempts to exploit a vulnerability by implementing a security principle,
such as authentication, or Confidentiality.
- Preventive controls use a technical procedure, such as encryption, or some combination of technical
means and enforcement methods.
- Detective controls – warn organizations of violations of security principles, organizational policies,
or attempts to exploit vulnerabilities.
- Detective controls use techniques such as audit trails, intrusion detection and configuration
monitoring.
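Configuration monitoring, the last detective technique listed above, is easy to show in code. The following Python script is an added example, not code from the handout: it takes a SHA-256 baseline of a set of configuration files, then on a later run reports which files were modified, added or removed. The file names, their contents, the `*.conf`/`*.cfg` patterns and the simulated changes are all constructed for the demo; on a real host the baseline would cover `/etc` or the application's configuration tree.

```python
"""Configuration monitoring as a detective control: hash a baseline, then diff.

Added example, not taken from the handout.  The configuration files it
monitors are constructed inside a temporary directory so the script runs
offline; on a real host the baseline would be taken from /etc or the
application's config tree and stored somewhere the monitored host cannot
rewrite it."""

import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path, patterns=("*.conf", "*.cfg")) -> dict[str, str]:
    """Map each monitored file (path relative to root) to its current fingerprint."""
    files = {p for pat in patterns for p in root.rglob(pat) if p.is_file()}
    return {p.relative_to(root).as_posix(): fingerprint(p) for p in sorted(files)}


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every deviation from the baseline; an all-empty report means no drift."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def has_drift(report: dict[str, list[str]]) -> bool:
    """True when any category of the report is non-empty."""
    return any(report.values())


def run_demo() -> dict[str, list[str]]:
    """Build a constructed config tree, baseline it, simulate changes, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd.conf").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "app").mkdir()
        (root / "app" / "db.cfg").write_text("host=db.internal\nsslmode=require\n")
        (root / "app" / "legacy.cfg").write_text("debug=off\n")
        (root / "README.txt").write_text("not monitored\n")   # outside the patterns

        baseline = snapshot(root)
        baseline_path = root / "baseline.json"   # in practice: off-host, or signed
        baseline_path.write_text(json.dumps(baseline, indent=2))

        # Simulated drift (constructed): a weakened sshd setting, an unexpected new
        # listener config, and a deleted file.
        (root / "sshd.conf").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (root / "app" / "backdoor.conf").write_text("listen=0.0.0.0:4444\n")
        (root / "app" / "legacy.cfg").unlink()

        stored = json.loads(baseline_path.read_text())
        return compare(stored, snapshot(root))


if __name__ == "__main__":
    report = run_demo()
    for category, paths in report.items():
        print(f"{category:9} {paths}")
    print("drift detected" if has_drift(report) else "configuration matches baseline")
```

A non-empty report is a signal to investigate, not a verdict: the same diff is produced by an authorized change and by an intruder, so the monitor is only useful alongside change records that say which edits were expected. The baseline must also live where the monitored host cannot rewrite it (or be signed), otherwise an attacker with write access simply re-baselines their own change.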
Architectural Layer
- Controls apply to one or more layers of an organization’s technical architecture.
- The following entities are commonly regarded as distinct layers in an organization's information
architecture:
1. Organizational policy.
2. External networks.
3. Extranets (or demilitarized zones).
4. Intranets (WANs and LANs).
5. Network devices that interface network zones (switches, routers, firewalls and hubs).
6. Systems (mainframes, servers, desktops).
7. Applications.
Strategy Layer
Controls are sometimes classified by the risk control strategy they operate within:
1. Avoidance
2. Mitigation
3. Transference
Characteristics of Secure Information
1. Confidentiality
2. Integrity
3. Availability
4. Authentication
5. Authorization
6. Accountability
7. Privacy
Confidentiality: The control assures the confidentiality of data when it is stored, processed, or
transmitted. An example of this type of control is the use of Secure Sockets Layer (SSL) encryption
technology (today its successor, TLS) to secure Web content as it moves from Web server to browser.

Integrity: The control assures that the information asset properly, completely, and correctly receives,
processes, stores, and retrieves data in a consistent and correct manner. Ex: Use of parity or cyclic
redundancy checks in data transmission protocols. Note that parity bits and CRCs only catch accidental
corruption; an attacker who alters the data can recompute them, so integrity against deliberate tampering
requires a keyed construct such as a MAC or a digital signature.

Availability: The control assures ongoing access to critical information assets. Ex: Deployment of a
network operations center using a sophisticated network monitoring toolset.

Authentication: The control assures that the entity (person or computer) accessing information assets is
in fact the stated entity. Ex: The use of cryptographic certificates to establish SSL connections, or the use
of cryptographic hardware tokens such as SecurID tokens as a second factor of authentication.

Authorization: The control assures that a user has been specifically and explicitly authorized to access,
update, or delete the contents of an information asset. Ex: Use of access control lists and authorization
groups in the Windows networking environment. Another example is the use of a database authorization
scheme to verify the designated users for each function.

Accountability: The control assures that every activity undertaken can be attributed to a specific named
person or automated process. Ex: Use of audit logs to track when each user logged in and logged out of
each computer.

Privacy: The control assures that the procedures to access, update, or remove personally identifiable
information comply with the applicable laws and policies for that kind of information.

Feasibility Studies
- Before deciding on the strategy (Avoidance, transference, mitigation, or acceptance), for a specific
vulnerability, all the economic and non-economic consequences of the vulnerability facing the
information asset must be explored.
- Cost Avoidance- It is the process of avoiding the financial impact of an incident by implementing a
control.
- Includes
1. Cost Benefit analysis
2. Organizational feasibility
3. Operational Feasibility
4. Technical Feasibility
5. Political feasibility.
Cost Benefit Analysis (CBA)
- Organizations are urged to begin the cost benefit analysis by evaluating the worth of the information
assets to be protected and the loss in value if those information assets were compromised by the
exploitation of a specific vulnerability.
- The formal process to document this decision making process is called a Cost Benefit analysis or an
economic feasibility study.
Cost Benefit Analysis or an Economic Feasibility Study
- Some of the items that affect the cost of a control or safeguard include:
1. Cost of development or acquisition (purchase cost) of hardware, software and services.
2. Training fees (cost to train personnel).
3. Cost of implementation (cost to install, configure, and test hardware, software and services).
4. Service costs (vendor fees for maintenance and upgrades).
5. Cost of maintenance (labor expense to verify and continually test, maintain and update).

Benefit is the value that an organization realizes by using controls to prevent losses associated with a
specific vulnerability.

The amount of benefit is derived from the value of the information asset and from how much of that
value is at risk from the vulnerability.

Asset Valuation is the process of assigning financial value or worth to each information asset.
Some of the components of asset valuation include:
1. Value retained from the cost of creating the information asset.
2. Value retained from past maintenance of the information asset.
3. Value implied by the cost of replacing the information.
4. Value from providing the information.
5. Value incurred from the cost of protecting the information.
6. Value to owners.
7. Value of intellectual property.
8. Value to adversaries.
9. Loss of productivity while the information assets are unavailable.
10. Loss of revenue while information assets are unavailable.

The organization must be able to place a dollar value on each collection of information and the information
assets it owns. This value is based on the answers to these questions:
 How much did it cost to create or acquire this information?
 How much would it cost to recreate or recover this information?
 How much does it cost to maintain this information?
 How much is this information worth to the organization?
 How much is this information worth to the competition?

A single loss expectancy (SLE) is the calculation of the value associated with the most likely loss
from an attack. It is based on the value of the asset and the exposure factor (EF), the expected
percentage of the asset's value that would be lost in a single occurrence of a particular attack:

Single Loss Expectancy (SLE) = Asset value x Exposure factor (EF)

EF = expected percentage of loss that would occur from a particular attack.

The probability of a threat occurring is usually a loosely derived table indicating the probability of an attack
from each threat type within a given time frame (for example, once every 10 years, which is 0.1 per year).
This value is commonly referred to as the annualized rate of occurrence (ARO).
The expected value of the loss per year is the annualized loss expectancy (ALE), which is calculated
from the SLE and the ARO:

ALE = SLE x ARO

Cost Benefit Analysis (CBA) Formula

The CBA determines whether or not the control alternative being evaluated is worth the associated cost
incurred to control the specific vulnerability. It is most easily calculated using the ALE from the earlier
assessment, before the implementation of the proposed control, which is known as ALE(prior). Subtract
the revised ALE, estimated with the control in place, known as ALE(post). Complete the
calculation by subtracting the annualized cost of the safeguard (ACS):

CBA = ALE(prior) - ALE(post) - ACS

Where:
- ALE(prior) is the annualized loss expectancy of the risk before the implementation of the control.
- ALE(post) is the ALE estimated with the control in place (and re-examined once it has been in place for a
period of time).
- ACS is the annualized cost of the safeguard.
A positive CBA means the control is expected to save more than it costs; a negative CBA argues for a
cheaper control or for accepting the risk.
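The chain of formulas above (asset value and EF to SLE, SLE and ARO to ALE, and finally the CBA) carried through in Python as an added example; it is not code from the handout. The two scenarios, their asset values, exposure factors, occurrence intervals and safeguard costs are constructed figures chosen so that one control is justified and the other is not.

```python
"""Quantitative risk arithmetic: SLE, ARO, ALE and the CBA formula.

Added example, not taken from the handout.  Every dollar figure and
probability below is constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ControlOption:
    """One (asset, vulnerability, proposed control) triple under evaluation."""
    label: str
    asset_value: float      # worth of the asset in dollars (asset valuation)
    ef_prior: float         # exposure factor without the control (0.0 .. 1.0)
    aro_prior: float        # attacks per year without the control
    ef_post: float          # exposure factor once the control is in place
    aro_post: float         # attacks per year once the control is in place
    acs: float              # annualized cost of the safeguard, dollars per year


def aro_from_interval(years_between_events: float) -> float:
    """'Once every N years' expressed as an annualized rate of occurrence."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: SLE = asset value x EF."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction of the asset value")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE x ARO."""
    return single_loss * aro


def cba(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS.  Positive: the control saves more than it costs."""
    return ale_prior - ale_post - acs


def evaluate(option: ControlOption) -> dict:
    """Carry one option through the whole chain and keep every intermediate value."""
    ale_prior = ale(sle(option.asset_value, option.ef_prior), option.aro_prior)
    ale_post = ale(sle(option.asset_value, option.ef_post), option.aro_post)
    net = cba(ale_prior, ale_post, option.acs)
    return {
        "label": option.label,
        "ale_prior": ale_prior,
        "ale_post": ale_post,       # the residual risk, in dollars per year
        "acs": option.acs,
        "cba": net,
        "justified": net > 0,       # the handout's test: benefit exceeds cost
    }


def rank_options(options: list[ControlOption]) -> list[dict]:
    """Highest net benefit first, so budget goes to the controls that pay back most."""
    return sorted((evaluate(o) for o in options), key=lambda r: r["cba"], reverse=True)


# Constructed scenarios.  Customer database: a compromise is expected once every
# two years and destroys 40% of its value; encryption plus DLP cuts that to once
# a decade for $25,000/yr.  Web cache: cheap to rebuild, and the proposed
# clustering control costs more per year than the loss it prevents.
SAMPLE_OPTIONS = [
    ControlOption("customer-db: encrypt + DLP", 500_000, 0.40, aro_from_interval(2),
                  0.40, aro_from_interval(10), 25_000),
    ControlOption("web-cache: HA cluster", 20_000, 0.50, aro_from_interval(5),
                  0.50, aro_from_interval(20), 5_000),
]

if __name__ == "__main__":
    for row in rank_options(SAMPLE_OPTIONS):
        verdict = "implement" if row["justified"] else "reject: accept risk or find a cheaper control"
        print(f"{row['label']:<28} ALE(prior)={row['ale_prior']:>9,.0f} "
              f"ALE(post)={row['ale_post']:>8,.0f} ACS={row['acs']:>7,.0f} "
              f"CBA={row['cba']:>8,.0f} -> {verdict}")
```

For the customer database the SLE is $200,000, ALE(prior) is $100,000, ALE(post) is $20,000 and the CBA is $55,000, so the control pays for itself; for the web cache the CBA is -$3,500, which is the signal to look for a cheaper control or to accept the risk. Keep ALE(post) in the output: it is the residual risk expressed in money, and it is the number that must be re-estimated once the control has been running for a while.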
Bench Marking
• An alternative approach to risk management
• Process of seeking out and studying the practices used in other organizations that produce results
you would like to duplicate in your organization.
• One of two measures typically used to compare practices:
– Metrics-based measures
– Process-based measures
• Good for potential legal protection.
• Metrics-based measures are comparisons based on numerical standards, such as:
1. Numbers of successful attacks.
2. Staff-hours spent on systems protection.
3. Dollars spent on protection.
4. Numbers of Security Personnel.
5. Estimated value in dollars of the information lost in successful attacks.
6. Loss in productivity hours associated with successful attacks.
The difference between an organization’s measures and those of others is often referred to as a
performance gap. The other measures commonly used in benchmarking are process-based measures.
Process-based measures are generally less focused on numbers and more strategic than metrics-based-
measures.
Due Care/Due Diligence
 When organizations adopt levels of security for a legal defense, they may need to show that they
have done what any prudent organization would do in similar circumstances - this is referred to
as a standard of due care
 Due diligence is the demonstration that the organization is diligent in ensuring that the
implemented standards continue to provide the required level of protection
 Failure to support a standard of due care or due diligence can open an organization to legal
liability
Best Business Practices
 Security efforts that provide a superior level of protection of information are referred to as best
business practices
 Best security practices (BSPs) are security efforts that are among the best in the industry
 When considering best practices for adoption in your organization, consider the following:
– Does your organization resemble the identified target?
– Are the resources you can expend similar?
– Are you in a similar threat environment?
Microsoft’s Ten Immutable Laws of Security
1. If a bad guy can persuade you to run his program on your computer, it’s not your computer
anymore
2. If a bad guy can alter the operating system on your computer, it’s not your computer anymore
3. If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
4. If you allow a bad guy to upload programs to your web site, it’s not your web site anymore
5. Weak passwords trump strong security
6. A machine is only as secure as the administrator is trustworthy
7. Encrypted data is only as secure as the decryption key
8. An out of date virus scanner is only marginally better than no virus scanner at all
9. Absolute anonymity isn't practical, in real life or on the web
10. Technology is not a panacea
Problems
 The biggest problem with benchmarking in information security is that organizations don’t talk to
each other.
 Another problem with benchmarking is that no two organizations are identical
 A third problem is that best practices are a moving target.
Baselining
 Baselining is the analysis of measures against established standards.
 In information security, baselining records the organization's own security activities and events as a
reference point (the baseline) against which its future performance is compared.
 When baselining it is useful to have a guide to the overall process.
Feasibility Studies and the Cost Benefit Analysis
• Before deciding on the strategy for a specific vulnerability all information about the economic and
non-economic consequences of the vulnerability facing the information asset must be explored.
• Fundamentally we are asking “What are the actual and perceived advantages of implementing a
control contrasted with the actual and perceived disadvantages of implementing the control?”
Cost Benefit Analysis (CBA)
• The most common approach for evaluating a project of information security controls and safeguards is
the economic feasibility of implementation.
• It begins by evaluating the worth of the information assets to be protected and the loss in value if
those assets are compromised.
• It is only common sense that an organization should not spend more to protect an asset than it is
worth.
• The formal process to document this is called a cost benefit analysis or an economic feasibility study.
CBA: Cost Factors
• Some of the items that affect the cost of a control or safeguard include:
- Cost of development or acquisition
- Training fees
- Cost of implementation
- Service costs
- Cost of maintenance
CBA: Benefits
- Benefit is the value that the organization recognizes by using controls to prevent losses associated
with a specific vulnerability.
- This is usually determined by valuing the information asset or assets exposed by the vulnerability
and then determining how much of that value is at risk.
CBA: Asset Valuation
- Asset Valuation is the process of assigning financial value or worth to each information asset.
- The valuation of assets involves estimation of real and perceived costs associated with the design,
development, installation, maintenance, protection, recovery, and defense against market loss and
litigation.
- These estimates are calculated for each set of information bearing systems or information assets.
- There are many components to asset valuation.
CBA: Loss Estimates
- Once the worth of the various assets is estimated, examine the potential loss that could occur from the
exploitation of a vulnerability or a threat occurrence.
- This process results in an estimate of the potential loss per risk.
- The questions that must be asked here include:
 What damage could occur, and what financial impact would it have?
 What would it cost to recover from the attack, in addition to the costs above?
 What is the single loss expectancy for each risk?

Organizational Feasibility
 Organizational Feasibility examines how well the proposed information security alternatives will
contribute to the efficiency, effectiveness, and overall operation of an organization.
 Above and beyond the impact on the bottom line, the organization must determine how the proposed
alternatives contribute to the business objectives of the organization.
Operational Feasibility
 Addresses user acceptance and support, management acceptance and support, and the overall
requirements of the organization's stakeholders.
 Sometimes known as behavioral feasibility, because it measures the behavior of users.
 One of the fundamental principles of systems development is obtaining user buy-in on a project, and
one of the most common methods for obtaining user acceptance and support is user
involvement, obtained through three simple steps:
- Communicate
- Educate
- Involve

Technical Feasibility
 The project team must also consider the technical feasibilities associated with the design,
implementation, and management of controls.
 Examines whether or not the organization has or can acquire the technology necessary to implement
and support the control alternatives.
Political feasibility
 For some organizations, the most significant feasibility evaluated may be political
 Within Organizations, political feasibility defines what can and cannot occur based on the consensus
and relationships between the communities of interest.
 The limits placed on an organization’s actions or a behavior by the information security controls
must fit within the realm of the possible before they can be effectively implemented, and that realm
includes the availability of staff resources.
Risk Management Discussion Points
Not every organization has the collective will to manage each vulnerability through the application of
controls
 Depending on the willingness to assume risk, each organization must define its risk appetite
 Risk appetite defines the quantity and nature of risk that organizations are willing to accept as they
evaluate the tradeoffs between perfect security and unlimited accessibility
Residual Risk
 When we have controlled any given vulnerability as much as we can, there is often risk that has not
been completely removed, shifted, or planned for; this remainder is called residual risk.
 To express it another way, residual risk is a combined function of:
1. a threat, less the effect of some threat-reducing safeguards;
2. a vulnerability, less the effect of some vulnerability-reducing safeguards; and
3. an asset, less the effect of some asset value-reducing safeguards.
 Residual risk is what the organization actually accepts, so it must be stated explicitly and signed off,
not left implicit in the gap between the controls and the original risk.

Documenting Results
 At minimum, each information asset-vulnerability pair should have a documented control strategy
that clearly identifies any residual risk remaining after the proposed strategy has been executed.
 Some organizations document the outcome of the control strategy for each information asset-
vulnerability pair as an action plan
 This action plan includes concrete tasks, each with accountability assigned to an organizational unit
or to an individual
Recommended Practices in Controlling Risk
 Convince budget authorities to spend up to the value of the asset, and no more, to protect a particular
asset from an identified threat.
 Each and every control or safeguard implemented will impact more than one threat-asset pair, so
evaluate a control against all the pairs it touches rather than against one at a time.

Qualitative Measures
 The spectrum of steps described above was performed with real numbers or best-guess estimates of
real numbers; this is known as a quantitative assessment.
 However, an organization could determine that it cannot put specific numbers on these values.
 Fortunately, it is possible to repeat these steps using estimates based on a qualitative assessment.
 Instead of using specific numbers, ranges or levels of values (for example, very low to very high for
likelihood and for impact) can be developed, simplifying the process.

Delphi Technique
 One technique for accurately estimating scales and values is the Delphi Technique.
 The Delphi Technique, named for the Oracle at Delphi, is a process whereby a group of individuals
rate or rank a set of information
 The individual responses are compiled and then returned to the individuals for another iteration
 This process continues until the group is satisfied with the result.
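The qualitative assessment and the Delphi technique described above, combined in one Python script as an added example (not code from the handout). Panel members rate likelihood and impact on a five-level scale; each round the group median and the share of raters near it are compiled and fed back, raters more than one level from the median move one level toward it, and the loop stops when the agreed share of the panel is within one level of the median. The five-level scales, the likelihood-by-impact matrix, the 70% agreement threshold, the "move one level toward the median" revision rule and the panel responses are all constructed assumptions.

```python
"""Qualitative risk rating with a Delphi-style consensus loop.

Added example, not taken from the handout.  The five-level scales, the
likelihood x impact matrix, the 70% agreement threshold and the panel's
responses are constructed; "move one level toward the group median" stands
in for what a real panel member does after seeing the round summary."""

from statistics import median

LEVELS = {1: "very low", 2: "low", 3: "moderate", 4: "high", 5: "very high"}

# Qualitative stand-in for ALE = SLE x ARO: a likelihood level (row) against an
# impact level (column) yields a rating band instead of a dollar figure.
RISK_MATRIX = {
    #   impact:   1         2         3         4           5
    1: ["low",    "low",    "low",    "medium",   "medium"],
    2: ["low",    "low",    "medium", "medium",   "high"],
    3: ["low",    "medium", "medium", "high",     "high"],
    4: ["medium", "medium", "high",   "high",     "critical"],
    5: ["medium", "high",   "high",   "critical", "critical"],
}


def rate_risk(likelihood: int, impact: int) -> str:
    """Look up the rating band for a (likelihood, impact) pair of levels."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError("levels run from 1 to 5")
    return RISK_MATRIX[likelihood][impact - 1]


def summarise(ratings: list[int]) -> dict:
    """What is fed back to the panel: the group median and the share of raters near it."""
    centre = median(ratings)
    near = sum(1 for r in ratings if abs(r - centre) <= 1)
    return {"median": centre, "agreement": near / len(ratings),
            "spread": (min(ratings), max(ratings))}


def revise(rating: int, centre: float) -> int:
    """A rater more than one level from the median moves one level toward it."""
    if rating - centre > 1:
        return rating - 1
    if centre - rating > 1:
        return rating + 1
    return rating


def delphi(ratings: list[int], agreement: float = 0.7, max_rounds: int = 5) -> dict:
    """Compile, feed back and re-rate until `agreement` of the panel is within one
    level of the median, or until max_rounds revision rounds have been used."""
    current = list(ratings)
    history = [current]
    for revisions in range(max_rounds + 1):
        summary = summarise(current)
        if summary["agreement"] >= agreement:
            return {"level": int(summary["median"] + 0.5), "rounds": revisions,
                    "reached": True, "history": history}
        if revisions == max_rounds:
            break
        current = [revise(r, summary["median"]) for r in current]
        history.append(current)
    return {"level": int(median(current) + 0.5), "rounds": max_rounds,
            "reached": False, "history": history}


def assess(likelihood_panel: list[int], impact_panel: list[int]) -> dict:
    """Run both panels to consensus and map the result through the matrix."""
    lik, imp = delphi(likelihood_panel), delphi(impact_panel)
    return {"likelihood": lik["level"], "impact": imp["level"],
            "rating": rate_risk(lik["level"], imp["level"]),
            "rounds": max(lik["rounds"], imp["rounds"]),
            "consensus": lik["reached"] and imp["reached"]}


# Constructed responses from a seven-person panel rating one vulnerability.
LIKELIHOOD_PANEL = [1, 2, 5, 5, 2, 4, 3]
IMPACT_PANEL = [4, 5, 5, 3, 4, 5, 2]

if __name__ == "__main__":
    result = assess(LIKELIHOOD_PANEL, IMPACT_PANEL)
    print(f"likelihood {LEVELS[result['likelihood']]}, impact {LEVELS[result['impact']]}"
          f" -> {result['rating']} after {result['rounds']} revision round(s)")
    for round_no, snapshot in enumerate(delphi(LIKELIHOOD_PANEL)["history"]):
        print(f"likelihood round {round_no}: {snapshot}")
```

The likelihood panel starts split (ratings from 1 to 5, only four of seven within a level of the median) and reaches consensus at "moderate" after one revision round; the impact panel agrees on "high" immediately, and the matrix rates the pair "high". The `reached` flag matters: a panel that never converges within `max_rounds` is reported as such rather than silently averaged, which is the honest answer when the group cannot agree.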
Chapter IV LOGICAL DESIGN
Planning for Security
• Creation of information security program begins with creation and/or review of organization’s
information security policies, standards, and practices
• Then, selection or creation of information security architecture and the development and use of a
detailed information security blueprint creates plan for future success
• Security education and training to successfully implement policies and ensure secure environment
Why Policy?
• A quality information security program begins and ends with policy
• Policies are least expensive means of control and often the most difficult to implement
• Some basic rules must be followed when shaping a policy:
• Never conflict with law
• Stand up in court
• Properly supported and administered
• Contribute to the success of the organization
• Involve end users of information systems
Definitions
• Policy: course of action used by an organization to convey instructions from management to those
who perform duties
• Organizational rules for acceptable/unacceptable behavior
• Penalties for violations
• Appeals process
• Standards: more detailed statements of what must be done to comply with policy
• Practices, procedures and guidelines effectively explain how to comply with policy
• For a policy to be effective it must be
• Properly disseminated
• Read
• Understood
• Agreed to by all members of organization
Types of Policies
• Enterprise information Security program Policy(EISP)
• Issue-specific information Security Policy ( ISSP)
• Systems-specific information Security Policy (SysSP)
Enterprise Information Security Policy (EISP)
• Also Known as a general Security policy, IT security policy, or information security policy.
• Sets strategic direction, scope, and tone for all security efforts within the organization
• Assigns responsibilities to various areas of information security
• Guides development, implementation, and management of information security program
Issue-Specific Security Policy (ISSP)
• The ISSP:
• Addresses specific areas of technology
• Requires frequent updates
• Contains statement on position on specific issue
• Approaches to creating and managing ISSPs:
• Create number of independent ISSP documents
• Create a single comprehensive ISSP document
• Create a modular ISSP document
• ISSP topics could include:
• E-mail, use of Web, configurations of computers to defend against worms and viruses,
prohibitions against hacking or testing organization security controls, home use of company-
owned computer equipment, use of personal equipment on company networks, use of
telecommunications technologies(FAX and phone), use of photocopiers
Components of the ISSP
• Statement of Policy
• Scope and Applicability
• Definition of Technology Addressed
• Responsibilities
• Authorized Access and Usage of Equipment
• User Access
• Fair and Responsible Use
• Protection of Privacy
• Prohibited Usage of Equipment
• Disruptive Use or Misuse
• Criminal Use
• Offensive or Harassing Materials
• Copyrighted, Licensed or other Intellectual Property
• Other Restrictions
• Systems Management
• Management of Stored Materials
• Employer Monitoring
• Virus Protection
• Physical Security
• Encryption
• Violations of Policy
• Procedures for Reporting Violations
• Penalties for Violations
• Policy Review and Modification
• Scheduled Review of Policy and Procedures for Modification
• Limitations of Liability
• Statements of Liability or Disclaimers
Systems-Specific Policy (SysSP)
 SysSPs are frequently codified as standards and procedures to be used when configuring or
maintaining systems.
 Systems-specific policies fall into two groups:
 Access control lists (ACLs): the lists, matrices, and capability tables governing the rights and
privileges of a particular user to a particular system.
 Configuration rules: the specific configuration codes entered into security systems to guide the
execution of the system.
ACL Policies
 Both Microsoft Windows NT/2000 and Novell Netware 5.x/6.x families of systems
translate ACLs into sets of configurations that administrators use to control access to
their respective systems
 ACLs allow a configuration to restrict access from anyone and anywhere
 ACLs regulate:
o Who can use the system
o What authorized users can access
o When authorized users can access the system
o Where authorized users can access the system from
o How authorized users can access the system
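An ACL that answers the five questions above (who, what, when, where, how) as an added Python example; it is not code from the handout, and it does not use the syntax of Windows or NetWare ACLs. The rule format, the user and group names, the subnets, the business-hours window and the sample policy are constructed. Two details are there because they bite in practice: an explicit deny beats any allow, and the requested path is normalised before the prefix match so that `/data/public/../payroll/...` cannot slip past a rule written for `/data/public/`.

```python
"""A system-specific ACL evaluator covering who / what / when / where / how.

Added example, not taken from the handout.  The rule format, the user and
group names, the subnets and the business-hours window are constructed;
Windows and NetWare express the same questions in their own ACL syntax."""

import posixpath
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    who: frozenset            # user or group names; "*" matches any subject
    what: str                 # resource prefix; directory prefixes end with "/"
    how: frozenset            # operations covered: read, write, delete, execute
    where: tuple = ("0.0.0.0/0",)                    # permitted source networks
    when: tuple = (time(0, 0), time(23, 59, 59))     # permitted window, inclusive
    effect: str = "allow"                            # "allow" or "deny"


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    resource: str
    operation: str
    source_ip: str
    at: time


def request(user, groups, resource, operation, source_ip, hour, minute=0) -> Request:
    """Convenience constructor so callers need not build datetime.time objects."""
    return Request(user, frozenset(groups), resource, operation, source_ip, time(hour, minute))


def normalise(resource: str) -> str:
    """Collapse '..' and '.' so a crafted path cannot escape the prefix it is matched against."""
    return posixpath.normpath("/" + resource.lstrip("/"))


def matches(rule: Rule, req: Request) -> bool:
    subjects = {req.user, *req.groups}
    who_ok = "*" in rule.who or bool(rule.who & subjects)                           # who
    what_ok = normalise(req.resource).startswith(rule.what)                         # what
    how_ok = req.operation in rule.how                                              # how
    where_ok = any(ip_address(req.source_ip) in ip_network(n) for n in rule.where)  # where
    start, end = rule.when
    when_ok = start <= req.at <= end                                                # when
    return who_ok and what_ok and how_ok and where_ok and when_ok


def decide(acl: list, req: Request) -> str:
    """Explicit deny beats any allow; no matching rule at all is also a deny."""
    hits = [r for r in acl if matches(r, req)]
    if any(r.effect == "deny" for r in hits):
        return "deny"
    return "allow" if hits else "deny"


BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed policy: finance edits payroll from the office LAN in business hours,
# DBAs read anything under /data/ from the admin subnet at any time, contractors
# are explicitly barred from payroll, and anyone may read the public tree.
SAMPLE_ACL = [
    Rule(frozenset({"finance"}), "/data/payroll/", frozenset({"read", "write"}),
         where=("10.10.0.0/16",), when=BUSINESS_HOURS),
    Rule(frozenset({"dba"}), "/data/", frozenset({"read"}), where=("10.10.250.0/24",)),
    Rule(frozenset({"contractors"}), "/data/payroll/",
         frozenset({"read", "write", "delete"}), effect="deny"),
    Rule(frozenset({"*"}), "/data/public/", frozenset({"read"})),
]

if __name__ == "__main__":
    cases = [
        ("finance writes payroll, office LAN, 10:30",
         request("alice", {"finance"}, "/data/payroll/2024.csv", "write", "10.10.5.20", 10, 30)),
        ("same request at 22:00 (outside window)",
         request("alice", {"finance"}, "/data/payroll/2024.csv", "write", "10.10.5.20", 22)),
        ("same request from outside the LAN",
         request("alice", {"finance"}, "/data/payroll/2024.csv", "write", "192.168.1.5", 10)),
        ("contractor who is also in finance (explicit deny wins)",
         request("bob", {"finance", "contractors"}, "/data/payroll/2024.csv", "read", "10.10.5.21", 10)),
        ("DBA reads payroll at 03:00 from the admin subnet",
         request("carol", {"dba"}, "/data/payroll/2024.csv", "read", "10.10.250.7", 3)),
        ("anyone reads the public tree",
         request("dave", set(), "/data/public/index.html", "read", "203.0.113.9", 12)),
        ("traversal out of the public tree",
         request("dave", set(), "/data/public/../payroll/2024.csv", "read", "203.0.113.9", 12)),
    ]
    for label, req in cases:
        print(f"{decide(SAMPLE_ACL, req):5}  {label}")
```

The default branch of `decide` is the important one: a request that matches nothing is denied, so forgetting a rule fails closed. The directory-prefix convention (rules end in `/`) plus normalisation is what turns "what" into a boundary rather than a string comparison; without it, `/data/payrollx` and `../` tricks both produce surprising matches.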
The Information Security Blueprint
• It is the basis for the design, selection, and implementation of all security policies, education and
training programs, and technological controls.
• More detailed version of security framework, which is an outline of overall information security
strategy for organization and a road map for planned changes to the information security
environment of the organization.
• Should specify tasks to be accomplished and the order in which they are to be realized.
• Should also serve as a scalable, upgradeable, and comprehensive plan for the information security
needs for coming years.
Security Models
ISO 17799/BS 7799
 One of the most widely referenced and often discussed security models is the Information
Technology – Code of Practice for Information Security Management, which was originally
published as British Standard BS 7799.
 In 2000, this Code of Practice was adopted as an international standard framework for information
security by the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) as ISO/IEC 17799.
 ISO/IEC 17799 was later renumbered ISO/IEC 27002 (2007) and is now maintained within the
ISO/IEC 27000 series, so current references and audits cite 27001/27002 rather than 17799.
Drawbacks of ISO 17799/BS 7799
 Several countries have not adopted 17799 claiming there are fundamental problems:
o The global information security community has not defined any justification for a code of
practice as identified in the ISO/IEC 17799
o 17799 lacks “the necessary measurement precision of a technical standard”
o There is no reason to believe that 17799 is more useful than any other approach currently
available
o 17799 is not as complete as other frameworks available
o 17799 is perceived to have been hurriedly prepared given the tremendous impact its
adoption could have on industry information security controls
Objectives of ISO 17799
Organizational security policy is needed to provide management direction and support.
Ten Sections of ISO/IEC 17799
a. Organizational Security Policy
b. Organizational Security Infrastructure
c. Asset Classification and Control
d. Personnel Security
e. Physical and Environmental Security
f. Communications and Operations Management
g. System Access Control
h. System Development and Maintenance
i. Business Continuity Planning
j. Compliance
Alternate Security Models available other than ISO 17799/BS 7799
NIST Security Models
 The NSTISSC security model, from the National Security Telecommunications and Information Systems
Security Committee document, presents a comprehensive model for information security. The model
consists of three dimensions: the characteristics of information (confidentiality, integrity, availability),
the states of information (storage, processing, transmission), and the security measures applied to it
(policy, education, technology).
 Another possible approach is described in the many documents available from the Computer
Security Resource Center of the National Institute of Standards and Technology (csrc.nist.gov).
The following NIST documents can assist in the design of a security framework:
 NIST SP 800-12: An Introduction to Computer Security: The NIST Handbook
 NIST SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems
 NIST SP 800-18: Guide for Developing Security Plans for Information Technology Systems
 NIST SP 800-26: Security Self-Assessment Guide for Information Technology Systems
 NIST SP 800-30: Risk Management Guide for Information Technology Systems
 Several of these have since been revised or withdrawn (SP 800-26 is withdrawn; SP 800-18 and
SP 800-30 exist as Revision 1), so check csrc.nist.gov for the current edition before citing one.

NIST Special Publication SP 800-12
 SP 800-12 is an excellent reference and guide for the security manager or administrator in the
routine management of information security.
 It provides little guidance, however, on design and implementation of new security systems, and
therefore should be used only as a valuable precursor to understanding an information security
blueprint.

NIST Special Publication SP 800-14
 Generally Accepted Principles and Practices for Securing Information Technology Systems.
 Provides best practices and security principles that can direct the security team in the development
of the security blueprint.
 The scope of NIST SP 800-14 is broad. It is important to consider each of the security principles it
presents, and therefore the following sections examine some of the more significant points in more
detail:
 Security Supports the Mission of the Organization
 Security is an Integral Element of Sound Management
 Security Should Be Cost-Effective
 Systems Owners Have Security Responsibilities Outside Their Own Organizations
 Security Responsibilities and Accountability Should Be Made Explicit
 Security Requires a Comprehensive and Integrated Approach
 Security Should Be Periodically Reassessed
 Security is Constrained by Societal Factors
 33 Principles enumerated
NIST SP 800-18
 The Guide for Developing Security plans for Information Technology Systems can be used as the
foundation for a comprehensive security blueprint and framework.
 It provides detailed methods for assessing, and implementing controls and plans for applications of
varying size.
 It can serve as a useful guide to the activities and as an aid in the planning process.
 The table of contents for Publication 800-18 is presented in the following.
System Analysis
- System Boundaries
- Multiple similar systems
- System Categories
Plan Development- All Systems
- Plan control
- System identification
- System Operational status
- System Interconnection/ Information Sharing
- Sensitivity of information handled
- Laws, regulations and policies affecting the system
Management Controls
– Risk Assessment and Management
– Review of Security Controls
– Rules of behavior
– Planning for security in the life cycle
– Authorization of Processing (Certification and Accreditation)
– System Security Plan
Operational Controls
1. Personnel Security
2. Physical Security
3. Production, Input/Output Controls
4. Contingency Planning
5. Hardware and Systems Software
6. Data Integrity
7. Documentation
8. Security Awareness, Training, and Education
9. Incident Response Capability
Technical Controls
– Identification and Authentication
– Logical Access Controls
– Audit Trails
NIST SP 800-26: Security Self-Assessment Guide for IT Systems
NIST SP 800-26 table of contents
Management Controls
1. Risk Management
2. Review of Security Controls
3. Life Cycle Maintenance
4. Authorization of Processing (Certification and Accreditation)
5. System Security Plan
Operational Controls
6. Personnel Security
7. Physical Security
8. Production, Input/Output Controls
9. Contingency Planning
10. Hardware and Systems Software
11. Data Integrity
12. Documentation
13. Security Awareness, Training, and Education
14. Incident Response Capability
Technical Controls
15. Identification and Authentication
16. Logical Access Controls
17. Audit Trails
Management controls address the design and implementation of the security planning process and
security program management. They also address risk management and security control reviews. They
further describe the necessity and scope of legal compliance and the maintenance of the entire security life
cycle.

Operational controls deal with the operational functionality of security in the organization. They include
management functions and lower-level planning, such as disaster recovery and incident response planning.
They also address personnel security, physical security, and the protection of production inputs and outputs.
They guide the development of education, training, and awareness programs for users, administrators, and
management. Finally, they address hardware and software systems maintenance and the integrity of data.
Technical controls address the tactical and technical issues related to designing and implementing security
in the organization, as well as issues related to examining and selecting the technologies appropriate to
protecting information. They address the specifics of technology selection and the acquisition of certain
technical components. They also include logical access controls, such as identification, authentication,
authorization, and accountability. They cover cryptography to protect information in storage and transit.
Finally, they include the classification of assets and users, to facilitate the authorization levels needed.
Using the three sets of controls, the organization should be able to specify controls to cover the
entire spectrum of safeguards, from strategic to tactical, and from managerial to technical.
VISA International Security Model
• It promotes strong security measures in its business associates and has established guidelines for
the security of its information systems.
• It has developed two important documents:
1. Security Assessment Process
2. Agreed Upon Procedures

• Both documents provide specific instructions on the use of the VISA Cardholder Information Security
Program.
• The Security Assessment Process document is a series of recommendations for the detailed
examination of an organization’s systems with the eventual goal of integration into the VISA systems.
• The Agreed Upon Procedures document outlines the policies and technologies required for security
systems that carry the sensitive cardholder information to and from VISA systems.
• Using the two documents, a security team can develop a sound strategy for the design of good
security architecture.
• The only downside to this approach is the specific focus on systems that can or do integrate with
VISA’s systems with the explicit purpose of carrying the aforementioned cardholder information.

Baselining & Best Business Practices

• Baselining and best practices are solid methods for collecting security practices, but provide less
detail than a complete methodology.
• It is possible to gain information by baselining and using best practices and thus work backwards to an
effective design.
• The Federal Agency Security Practices (FASP) site (fasp.nist.gov) is designed to provide best practices
for public agencies and can be adapted easily to private institutions.
• The documents found on this site include specific examples of key policies and planning documents,
implementation strategies for key technologies, and position descriptions for key security personnel.
• Of particular value is the section on program management, which includes the following:
- A summary guide: public law, executive orders, and policy documents
- Position description for computer system security officer
- Position description for information security officer
- Position description for computer specialist
- Sample of an information technology (IT) security staffing plan for a large
service application (LSA)
- Sample of an information technology (IT) security program policy
- Security handbook and standard operating procedures
- Telecommuting and mobile computer security policy

Hybrid Framework for a Blueprint of an Information Security System

- The framework of security includes philosophical components of the Human Firewall Project, which
maintains that people, not technology, are the primary defenders of information assets in an information
security program, and are uniquely responsible for their protection.
- The spheres of security are the foundation of the security framework.

- The sphere of use, at the left in the figure, explains the ways in which people access information; for example,
people read hard copies of documents and can also access information through systems.
- The sphere of protection, at the right, illustrates that between each layer of the sphere of use there
must exist a layer of protection to prevent access to the inner layer from the outer layer.
- Each shaded band is a layer of protection and control.
Sphere of Protection
• The “sphere of protection” overlays each of the levels of the “sphere of use” with a layer of security,
protecting that layer from direct or indirect use through the next layer.
• The people must become a layer of security, a human firewall that protects the information from
unauthorized access and use.
• Information security is therefore designed and implemented in three layers:
o policies
o people (education, training, and awareness programs)
o technology

o As illustrated in the sphere of protection, a variety of controls can be used to protect the information.
o The items of control shown in the figure are not intended to be comprehensive but rather illustrate
individual safeguards that can protect the various systems that are located closer to the center of
the sphere.
o However, because people can directly access each ring as well as the information at the core of the
model, the side of the sphere of protection that attempts to control access by relying on people
requires a different approach to security than the side that uses technology.
Design of Security Architecture

Defense in Depth
- One of the basic foundations of security architectures is the implementation of security in layers.
This layered approach is called defense in depth.
- Defense in depth requires that the organization establish sufficient security controls and
safeguards, so that an intruder faces multiple layers of controls.
- These layers of control can be organized into policy, training and education, and technology, as
per the NSTISSC model.
- While policy itself may not prevent attacks, it can, coupled with the other layers, deter attacks.
- Training and education are similar.
- Technology is also implemented in layers, with detection equipment all operating behind access
control mechanisms.
- Implementing multiple types of technology, and thereby preventing the failure of one system
from compromising the security of the information, is referred to as redundancy.
Security Perimeter
– A Security Perimeter is the first level of security that protects all internal systems from
outside threats.
– Unfortunately, the perimeter does not protect against internal attacks from employee
threats, or on-site physical threats.
– Security perimeters can effectively be implemented as multiple technologies that
segregate the protected information from those who would attack it.
– Within security perimeters the organization can establish security domains, or areas of
trust within which users can freely communicate.
– The presence and nature of the security perimeter is an essential element of the overall
security framework, and the details of implementing the perimeter make up a great deal
of the particulars of the completed security blueprint.
– The key components used for planning the perimeter are presented in the following
sections on firewalls, DMZs, proxy servers, and intrusion detection systems.
Key Technology Components

• Other key technology components

o A firewall is a device that selectively discriminates against information flowing into or out of
the organization.
o Firewalls are usually placed on the security perimeter, just behind or as part of a gateway
router.
o Firewalls can be packet filtering, stateful packet filtering, proxy, or application level.
o A firewall can be a single device or a firewall subnet, which consists of multiple firewalls
creating a buffer between the outside and inside networks.
o The DMZ (demilitarized zone) is a no-man’s land between the inside and outside networks,
where some organizations place Web servers.
o These servers provide access to organizational web pages without allowing Web requests to
enter the interior networks.
o Proxy server: An alternative approach to the strategies of using a firewall subnet or a DMZ
is to use a proxy server, or proxy firewall.
o When an outside client requests a particular Web page, the proxy server receives the request
as if it were the subject of the request, then asks for the same information from the true Web
server (acting as a proxy for the requestor), and then responds to the request as a proxy for
the true Web server.
o For more frequently accessed Web pages, proxy servers can cache, or temporarily store, the
page, and thus are sometimes called cache servers.

o Intrusion Detection Systems (IDSs). In an effort to detect unauthorized activity within
the inner network, or on individual machines, an organization may wish to implement
Intrusion Detection Systems, or IDSs.
o IDSs come in two versions: host-based and network-based IDSs.
o Host-based IDSs are usually installed on the machines they protect to monitor the status of
various files stored on those machines.
o Network-based IDSs look at patterns of network traffic and attempt to detect unusual
activity based on previous baselines.
o This could include packets coming into the organization’s networks with addresses from
machines already within the organization (IP spoofing).
o It could also include high volumes of traffic going to outside addresses (as in cases of data
theft) or coming into the network (as in a denial of service attack).
o Both host- and network-based IDSs require a database of previous activity.
Security Education, Training, and Awareness Program

• As soon as a general security policy exists, policies to implement a security education, training, and
awareness (SETA) program should follow.
• SETA is a control measure designed to reduce accidental security breaches by employees.
• Security education and training builds on the general knowledge the employees must possess to do
their jobs, familiarizing them with the way to do their jobs securely
• The SETA program consists of three elements: security education; security training; and security
awareness
• The purpose of SETA is to enhance security by:
- Improving awareness of the need to protect system resources.
- Developing skills and knowledge so computer users can perform their jobs
more securely.
- Building in-depth knowledge, as needed, to design, implement, or operate
security programs for organizations and systems.
Security Education
 Everyone in an organization needs to be trained and aware of information security, but not every
member of the organization needs a formal degree or certificate in information security.
 A number of universities have formal coursework in information security.
 For those interested in researching formal information security programs, there are resources
available, such as the NSA-identified Centers of Excellence in Information Assurance Education.
Security Training
 It involves providing members of the organization with detailed information and hands-on instruction
to prepare them to perform their duties securely.
 Management of information security can develop customized in-house training or outsource the
training program.
Security Awareness
• One of the least frequently implemented, but most beneficial programs is the security awareness
program
• Designed to keep information security at the forefront of users’ minds
• Need not be complicated or expensive
• If the program is not actively implemented, employees may begin to “tune out” and risk of employee
accidents and failures increases
Contingency Planning (CP)

 Contingency Planning (CP) comprises a set of plans designed to ensure the effective reaction and
recovery from an attack and the subsequent restoration to normal modes of business operations.
 Organizations need to develop disaster recovery plans, incident response plans, and business continuity
plans as subsets of an overall CP.
• An incident response plan (IRP) deals with the identification, classification, response, and recovery
from an incident, but if the attack is disastrous (e.g., fire, flood, earthquake) the process moves on to
disaster recovery and BCP.
 A disaster recovery plan (DRP) deals with the preparation for and recovery from a disaster, whether
natural or man-made and it is closely associated with BCP.
 A Business continuity plan (BCP) ensures that critical business functions continue, if a catastrophic
incident or disaster occurs. BCP occurs concurrently with DRP when the damage is major or long term,
requiring more than simple restoration of information and information resources.

Components of Contingency Planning

Figure: Components of Contingency Planning. Contingency Planning comprises the Incident Response Plan,
the Disaster Recovery Plan, and the Business Continuity Plan.

There are six steps to contingency planning. They are:
1. Identifying the mission- or business-critical functions,
2. Identifying the resources that support the critical functions,
3. Anticipating potential contingencies or disasters,
4. Selecting contingency planning strategies,
5. Implementing the contingency strategies,
6. Testing and revising the strategy.

Incident Response Plan (IRP)

• It is the set of activities taken to plan for, detect, and correct the impact of an incident on information
assets.
• The IRP consists of the following 4 phases:
1. Incident Planning
2. Incident Detection
3. Incident Reaction
4. Incident Recovery
Incident Planning
- Planning for an incident is the first step in the overall process of incident response planning.
- The planners should develop a set of documents that guide the actions of each involved individual who
reacts to and recovers from the incident.
- These plans must be properly organized and stored to be available when and where needed, and in a
useful format.

Incident Detection
- Incident detection relies on either a human or an automated system, which is often the help desk staff, to
identify an unusual occurrence and to classify it properly as an incident.
- The mechanisms that could potentially detect an incident include intrusion detection systems (both host-
based and network-based), virus detection software, systems administrators, and even end users.
- Once an attack is properly identified, the organization can effectively execute the corresponding procedures
from the IR plan. Thus, incident classification is the process of examining a potential incident, or incident
candidate, and determining whether or not the candidate constitutes an actual incident.
- Incident Indicators: There are a number of occurrences that could signal the presence of an incident
candidate.
- Donald Pipkin, an IT security expert, identifies three categories of incident indicators: Possible,
Probable, and Definite Indicators.
- Possible Indicators: There are 4 types of possible indicators of events; they are:
1. Presence of unfamiliar files.
2. Presence or execution of unknown programs or processes.
3. Unusual consumption of computing resources.
4. Unusual system crashes.

- Probable Indicators: The four types of probable indicators of incidents are:
1. Activities at unexpected times.
2. Presence of new accounts.
3. Reported attacks.
4. Notification from IDS.
- Definite Indicators: The five types of definite indicators of incidents are:
1. Use of dormant accounts.
2. Changes to logs.
3. Presence of hacker tools.
4. Notifications by partner or peer.
5. Notification by hacker.
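Turning the indicator lists above into an automated incident-classification check, as an added Python example that is not part of the handout: constructed account records and authentication/audit events are tested for a login to a dormant account and for cleared audit logs (definite indicators), and for a newly created account and out-of-hours activity (probable indicators). The 90-day dormancy threshold, the 7-day new-account window, the 08:00 to 17:59 business hours, the account and event data, and the rule that a single definite indicator is enough to activate the IR plan are all assumptions made for this example.

```python
"""Classify constructed auth/audit events against Pipkin's indicator categories."""
from collections import Counter
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)       # assumed: no login for 90 days = dormant account
NEW_ACCOUNT_WINDOW = timedelta(days=7)   # assumed: created within 7 days = "new account"
BUSINESS_HOURS = range(8, 18)            # assumed: 08:00-17:59 is expected activity
NOW = datetime(2024, 5, 3, 12, 0)        # constructed "current time" for the batch

# Constructed account inventory: user -> (created, last login before this batch of events)
ACCOUNTS = {
    "alice":      (datetime(2023, 1, 10), datetime(2024, 5, 1)),
    "svc_backup": (datetime(2022, 6, 1),  datetime(2024, 1, 15)),   # unused for months
    "tempadmin":  (datetime(2024, 5, 2),  None),                    # created yesterday
}

# Constructed events: (timestamp, user, action)
EVENTS = [
    (datetime(2024, 5, 3, 9, 15), "alice", "login"),
    (datetime(2024, 5, 3, 2, 40), "alice", "login"),
    (datetime(2024, 5, 3, 2, 41), "svc_backup", "login"),
    (datetime(2024, 5, 3, 2, 50), "tempadmin", "login"),
    (datetime(2024, 5, 3, 2, 55), "root", "audit_log_cleared"),
]


def classify(events, accounts, now):
    """Return a list of (category, indicator, user, timestamp) findings."""
    findings = []
    for when, user, action in events:
        if action == "audit_log_cleared":
            # Definite indicator: changes to logs.
            findings.append(("definite", "changes to logs", user, when))
            continue
        created, last_login = accounts.get(user, (None, None))
        if last_login is not None and when - last_login > DORMANT_AFTER:
            # Definite indicator: use of a dormant account.
            findings.append(("definite", "use of dormant account", user, when))
        if created is not None and now - created <= NEW_ACCOUNT_WINDOW:
            # Probable indicator: presence of a new account.
            findings.append(("probable", "presence of new account", user, when))
        if when.hour not in BUSINESS_HOURS:
            # Probable indicator: activity at an unexpected time.
            findings.append(("probable", "activity at unexpected time", user, when))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'probable': 4, 'definite': 2}."""
    return dict(Counter(category for category, *_ in findings))


def needs_ir_activation(findings):
    """Assumed escalation rule: one definite indicator declares an incident;
    probable indicators alone only justify further investigation."""
    return any(category == "definite" for category, *_ in findings)


def demo():
    """Classify the constructed batch and return (summary, activate IR plan?)."""
    findings = classify(EVENTS, ACCOUNTS, NOW)
    return summarize(findings), needs_ir_activation(findings)


if __name__ == "__main__":
    for finding in classify(EVENTS, ACCOUNTS, NOW):
        print(finding)
    print(demo())
```

Only the 09:15 login by alice produces no finding; the 02:41 login by the backup service account is both out of hours and a dormant-account use, and the cleared audit log on its own is enough to move the batch from "incident candidate" to "incident" under the assumed rule.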
Incident Reaction
• It consists of actions outlined in the IRP that guide the organization in attempting to stop the incident,
mitigate the impact of the incident, and provide information for recovery from the incident.
• These actions take place as soon as the incident itself is over.
• In reacting to the incident there are a number of actions that must occur quickly, including notification
of key personnel and documentation of the incident.
• These must have been prioritized and documented in the IRP for quick use in the heat of the moment.
Incident Recovery
• The recovery process involves much more than the simple restoration of stolen, damaged, or
destroyed data files. It involves the following steps:
1. Identify the vulnerabilities.
2. Address the safeguards.
3. Evaluate monitoring capabilities.
4. Restore the data from backups.
5. Restore the services and processes in use.
6. Continuously monitor the system.
7. Restore the confidence of the members of the organization’s communities of interest.
Disaster Recovery Plan (DRP)
• The DRP provides detailed guidance in the event of a disaster and also provides details on the roles and
responsibilities of the various individuals involved in the disaster recovery effort, and identifies the
personnel and agencies that must be notified.
• At a minimum, the DRP must be reviewed during a walk-through or talk-through on a periodic basis.
Many of the same precepts of incident response apply to disaster recovery:
1. There must be a clear establishment of priorities.
2. There must be a clear delegation of roles and responsibilities.
3. Someone must initiate the alert roster and notify key personnel.
4. Someone must be tasked with the documentation of the disaster.
5. If and only if it is possible, attempts must be made to mitigate the impact of the disaster on the
operations of the organization.
Business Continuity Plan (BCP)
• It prepares an organization to reestablish critical business operations during a disaster that affects
operations at the primary site.
• If a disaster has rendered the current location unusable for continued operations, there must be a
plan to allow the business to continue to function.
Developing Continuity Programs
• Once the incident response plans and disaster recovery plans are in place, the organization needs
to consider finding temporary facilities to support the continued viability of the business in the
event of a disaster.
• The development of the BCP is simpler than that of the IRP and DRP, in that it consists of
selecting a continuity strategy and integrating the off-site data storage and recovery functions
into this strategy.
Continuity Strategies
• There are a number of strategies from which an organization can choose when planning for business
continuity.
• The determining factor in selection between these options is usually cost.
• In general there are three exclusive options: hot sites, warm sites, and cold sites; and three shared
functions: time-shares, service bureaus, and mutual agreements.
Hot sites: A hot site is a fully configured facility, with all services, communications links, and physical
plant operations including heating and air conditioning. It is the pinnacle of contingency planning, a
duplicate facility that needs only the latest data backups and the personnel to function as a fully
operational twin of the original. Disadvantages include the need to provide maintenance for all the
systems and equipment in the hot site, as well as physical and information security.

Warm sites: A warm site includes computing equipment and peripherals with servers but not client
work stations. It has many of the advantages of a hot site, but at a lower cost.

Cold Sites: A cold site provides only rudimentary services and facilities. No computer hardware or
peripherals are provided. Basically a cold site is an empty room with heating, air conditioning, and
electricity. The main advantage of a cold site is in the area of cost.

Time-shares: A time-share allows the organization to maintain a disaster recovery and business continuity option,
but at a reduced overall cost. The advantages are identical to those of the type of site selected (hot, warm, or
cold). The disadvantages are the possibility that more than one organization involved in the time-share
may need the facility simultaneously, the need to stock the facility with the equipment and data from
all organizations involved, the negotiations for arranging the time-share, and the associated arrangements
should one or more parties decide to cancel the agreement or to sublease its options.

Service bureaus: A service bureau is an agency that provides a service for a fee. In the case of disaster
recovery and continuity planning, the service is the agreement to provide physical facilities in the event of
a disaster. These types of agencies also provide off-site data storage for a fee. The disadvantage is that it
is a service, and must be renegotiated periodically. Also, using a service bureau can be quite expensive.

Mutual Agreements: A mutual agreement is a contract between two or more organizations that specifies
how each will assist the other in the event of a disaster.
Chapter 5 PHYSICAL DESIGN

Physical design includes selection and implementation of technologies that reduce the
risk from threats to the organization’s information assets. The physical design consists of the following
process:
• selects technologies to support the information security blueprint
• identifies complete technical solutions based on these technologies, including deployment, operations,
and maintenance elements, to improve the security of the environment
• designs physical security measures to support the technical solution
• prepares project plans for the implementation phase
5.2 SECURITY TECHNOLOGY
Rogue security software, or applications that scare users into downloading useless anti-virus software
for a fee, shot to the top of the threats list for the second half of 2008, according to a Microsoft study. The
next threat may be the downloader that the scareware leaves behind.
Firewalls
A firewall in an information security program prevents specific types of information from moving
between the outside world (untrusted network) and the inside world (trusted network).
Firewall Categorization Methods
Firewalls can be categorized by processing mode, development era, or intended structure. The five
processing modes by which firewalls can be categorized are:
1. Packet filtering
2. Application gateways
3. Circuit gateways
4. MAC layer firewalls
5. Hybrids
Firewalls categorized by intended structure are residential- or commercial-grade, hardware-based,
software-based, or appliance-based devices.
Packet Filtering
Packet filtering firewalls examine the header information of data packets that come into a network for
compliance with or violation of the rules of the firewall’s database.
A packet filtering firewall installed on a TCP/IP network determines whether to deny a packet or forward it
to the next network connection. If a device finds a packet that matches a restriction, it stops the packet from
traveling. The restrictions implemented are most often based on a combination of the following:
• Internet Protocol (IP) source and destination address
• Direction (inbound or outbound)
• Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port
requests.
Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial
addresses. The three subsets of packet filtering firewalls are:
• Static filtering requires that the filtering rules governing how the firewall decides which packets are
allowed and which are denied be developed and installed in advance.
• Dynamic filtering allows the firewall to react to an emergent event and update or create rules to deal with
the event. It allows only a particular packet with a given source, destination, and port address to enter
through the firewall.
• Stateful inspection firewalls, also called stateful firewalls, keep track of each network connection between
internal and external systems using a state table. A state table tracks the state and context of each
packet. Stateful firewalls can block incoming packets that are not responses to internal requests.
Dynamic stateful filtering firewalls keep a dynamic state table to make changes to the filtering rules.
• The following figure depicts how packets are filtered using the Packet Filtering Router, and the table
shows example firewall rules and formats.

Figure 5.2.1 Packet Filtering Router

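The packet-filter rule table and the state table described above, as an added Python example that is not part of the handout: a small model of static rules in the usual direction / source / destination / protocol / port / action shape, a state table that lets replies to connections opened from the inside back in while unsolicited inbound packets are dropped, and an anti-spoofing check that denies inbound packets claiming an internal source address (the IP spoofing case mentioned earlier under network-based IDSs). The 10.0.0.0/8 internal block, the addresses, and the rules are constructed for the example; a real packet filter also evaluates flags, fragments, and per-rule logging, which this model omits.

```python
"""Packet-filtering firewall model with a state table (teaching model, not a production firewall)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed internal address block


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    direction: str   # "in" (arriving from the untrusted side) or "out"


@dataclass(frozen=True)
class Rule:
    direction: str          # "in", "out" or "any"
    src: str                # CIDR block or "any"
    dst: str                # CIDR block or "any"
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None means any destination port
    action: str             # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and (self.src == "any" or ip_address(p.src) in ip_network(self.src))
                and (self.dst == "any" or ip_address(p.dst) in ip_network(self.dst))
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


# Constructed rule base. Rules are evaluated top-down, first match wins, no match means deny.
RULES = [
    Rule("in",  "any",        "10.0.0.5/32", "tcp", 80,   "allow"),  # public web server
    Rule("out", "10.0.0.0/8", "any",         "tcp", None, "allow"),  # internal hosts may open TCP sessions
    Rule("out", "10.0.0.0/8", "any",         "udp", 53,   "allow"),  # outbound DNS
]


class StatefulFilter:
    """Static rules plus a state table of connections initiated from the inside."""

    def __init__(self, rules):
        self.rules = rules
        # Entries are (proto, internal ip, internal port, external ip, external port).
        self.state = set()

    def static_decision(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"

    def filter(self, p: Packet) -> str:
        # Anti-spoofing: a packet arriving from outside must not claim an internal source address.
        if p.direction == "in" and ip_address(p.src) in INTERNAL_NET:
            return "deny"
        # Inbound packets that answer a tracked connection pass without a rule lookup.
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "allow"
        action = self.static_decision(p)
        # Remember allowed outbound connections so that their replies can come back in.
        if action == "allow" and p.direction == "out":
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action


def demo():
    """Run five constructed packets through the filter and return the decisions in order."""
    fw = StatefulFilter(RULES)
    packets = [
        Packet("10.0.0.23", "203.0.113.7", "tcp", 51000, 443, "out"),   # client opens an HTTPS session
        Packet("203.0.113.7", "10.0.0.23", "tcp", 443, 51000, "in"),    # the server's reply: tracked, allowed
        Packet("198.51.100.9", "10.0.0.23", "tcp", 443, 51000, "in"),   # unsolicited inbound: denied
        Packet("10.0.0.99", "10.0.0.5", "tcp", 40000, 80, "in"),        # internal source from outside: spoof, denied
        Packet("198.51.100.9", "10.0.0.5", "tcp", 40001, 80, "in"),     # request to the public web server: allowed
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

The third packet is what separates stateful from static filtering: it is byte-for-byte as plausible as the second one, and only the absence of a matching state entry lets the firewall reject it.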
Application Gateways / Firewalls

The application level firewall is frequently installed on a dedicated computer, also known as a proxy
server. These servers can store the most recently accessed pages in their cache and are therefore also called
cache servers. Since the proxy server is often placed in an unsecured area of the network (e.g., the DMZ), it
is exposed to higher levels of risk from less trusted networks. Additional filtering routers can be implemented
behind the proxy server, further protecting internal systems. The disadvantage is that they are typically
restricted to a single application, since they work at the application layer.
Circuit Gateways
The circuit gateway firewall operates at the transport layer. Like filtering firewalls, circuit gateways do not
usually look at the data traffic flowing between two networks, but they prevent direct connections between
one network and another.
MAC Layer Firewalls
MAC layer firewalls are designed to operate at the media access control layer of the OSI network model.
This gives them the ability to consider a specific host computer’s identity in their filtering decisions. The
MAC addresses of specific host computers are linked to access control list (ACL) entries.

Hybrid Firewalls
Hybrid firewalls combine the elements of other types of firewalls, i.e., elements of packet filtering
and proxy services, or of packet filtering and circuit gateways. Alternately, a hybrid may consist of two
separate firewall devices; each is a separate firewall system, but they are connected to work in tandem. With
this approach an organization can make a security improvement without completely replacing its existing
firewalls.
5.3 IDS
• Intrusion is a type of attack on information assets in which the instigator attempts to gain entry into or
disrupt the normal operation of a system with harmful intent.
• Incident response is the identification of, classification of, response to, and recovery from an incident.
Intrusion prevention consists of activities that seek to deter an intrusion from occurring.
• Intrusion correction activities finalize the restoration of operations to a normal state. An IDS detects a
violation of its configuration and activates an alarm.
• Many IDSs enable administrators to configure systems to notify them directly of trouble via e-mail
or pagers.
• Systems can also be configured to notify an external security service organization of a “break-in”.

Figure 5.3.1: Intrusion Detection Systems

WHY USE an IDS?
IDSs prevent problem behaviors by increasing the perceived risk of discovery and punishment. They detect
attacks and other security violations, detect and deal with the preambles to attacks, document the existing
threat to an organization, act as quality control for security design and administration, especially of large
and complex enterprises, and provide useful information about intrusions that take place.
The following are the reasons for an organization to install an IDS:
1. They can serve as straightforward deterrent measures.
2. They cover the organization when its network fails to protect against known vulnerabilities.
3. They can help administrators detect the preambles to attacks.
4. They can serve to document the scope of the threats an organization faces.
5. They help in quality assurance and continuous improvement of the organization.
Types of IDSs and Detection Methods
IDSs operate as network-based, host-based, or application-based systems and are focused on protecting
network information assets. All IDSs use one of two detection methods: signature-based or statistical
anomaly-based.
Signature-Based IDS / Knowledge-Based IDS
A signature-based IDS examines data traffic in search of patterns that match known signatures. It is
widely used because many attacks have clear and distinct signatures. The problem with this approach is that as
new attack strategies are identified, the IDS’s database of signatures must be continually updated.
Statistical Anomaly-Based IDS
The statistical anomaly-based IDS (stat IDS) or behavior-based IDS samples network
activity and compares it to traffic that is known to be normal. When measured activity is outside the baseline
parameters or clipping level, the IDS will trigger an alert to the administrator. This type of IDS can detect new
types of attacks, but it requires much more overhead and processing capacity than a signature-based IDS. It may
generate many false positives and hence is less commonly used than the signature-based type.
Network-Based IDS (NIDS)
A NIDS resides on a computer or appliance connected to a segment of an organization’s network and
looks for signs of attacks. When examining packets, a NIDS looks for attack patterns. It is installed at a specific
place in the network where it can watch traffic going into and out of a particular network segment. It can
detect many more types of attacks, but requires a more complex configuration and maintenance program.
NIDS Signature Matching
To detect an attack, NIDSs look for attack patterns, which is done by using a special implementation
of the TCP/IP stack. In the process of protocol stack verification, NIDSs look for invalid data packet structures.
In application protocol verification, the higher-order protocols are examined for unexpected packet behavior
or improper use.
Advantages of NIDSs:
• Good network design and placement of NIDSs can enable an organization to use a few devices to monitor
a large network
• NIDSs are usually passive and can be deployed into existing networks with little disruption to normal
network operations
• NIDSs are not usually susceptible to direct attack and may not be detectable by attackers
Disadvantages:
• Can become overwhelmed by network volume and fail to recognize attacks
• Require access to all traffic to be monitored
• Cannot analyze encrypted packets
• Cannot reliably ascertain if an attack was successful or not
• Some forms of attack are not easily discerned by NIDSs, specifically those involving fragmented
packets
Host-Based IDS
• A host-based IDS (HIDS) resides on a particular computer or server and monitors activity only on
that system.
• HIDSs are also called system integrity verifiers, as they benchmark and monitor the status of key
system files and detect when an intruder creates, modifies, or deletes files.
• A HIDS is also capable of monitoring system configuration databases. Most HIDSs work on the principle of
configuration or change management.
• The HIDS examines the files and logs for predefined events.
• The advantage of a HIDS over a NIDS is that it can usually be installed so that it can access information
that was encrypted when traveling over the network.
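The system-integrity-verifier role of a HIDS, as an added Python example that is not taken from the handout: a baseline of SHA-256 digests is taken over a directory tree and compared later to report created, deleted, and modified files. The directory tree, its contents, and the changes applied after the baseline are all constructed inside a temporary folder so the example runs offline.

```python
"""File-integrity baseline and comparison, the core of a HIDS / system integrity verifier."""
import hashlib
import os
import pathlib
import tempfile


def snapshot(root):
    """Map each file path (relative to root, POSIX form) to the SHA-256 digest of its contents."""
    root = pathlib.Path(root)
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = pathlib.Path(dirpath) / name
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline, current):
    """Report files created, deleted, or modified since the baseline was taken."""
    return {
        "created": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo():
    """Build a throw-away tree, baseline it, apply constructed changes, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary (constructed)")
        baseline = snapshot(root)

        # Constructed changes of the kind a HIDS is meant to surface.
        (root / "etc" / "passwd").write_text(                      # modified: an extra account line
            "root:x:0:0:root:/root:/bin/sh\nextra:x:1001:1001::/tmp:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF replaced binary (constructed)")   # modified
        (root / "etc" / "hosts").unlink()                                             # deleted
        (root / "tmp").mkdir()
        (root / "tmp" / ".unfamiliar").write_text("new file\n")                       # created

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In a deployment the baseline digests must be kept where the monitored host cannot rewrite them (on a separate system or read-only media), and the check should run from a known-good copy of the tool; otherwise the "vulnerable to direct attacks" disadvantage listed below applies to the verifier itself, since whoever can alter the files can alter the baseline to match.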
Advantages of HIDSs:
• Can detect local events on host systems and detect attacks that may elude a network-based IDS
• Functions on the host system, where encrypted traffic will have been decrypted and is available for
processing
• Not affected by use of switched network protocols
• Can detect inconsistencies in how applications and systems programs were used by examining
records stored in audit logs
Disadvantages:
• Pose more management issues and are vulnerable to direct attacks and attacks against the host operating
system
• Do not detect multi-host scanning, nor scanning of non-host network devices
• Susceptible to some denial-of-service attacks
• Can use large amounts of disk space and can inflict a performance overhead on the host system
Application-Based IDS
An application-based IDS (AppIDS) is a better version of the HIDS. It examines an application for abnormal
events. The ability to view encrypted data is the unique advantage of an AppIDS. It may be configured to
intercept the following types of requests and use them in combination and sequences:
• File System
• Network Configuration
• Execution Space
Advantages of AppIDSs:
• Aware of specific users and can observe the interaction between application and user
• Able to operate even when incoming data is encrypted
Disadvantages:
• More susceptible to attack
• Less capable of detecting software tampering
• May be taken in by forms of spoofing
LOG FILE MONITORS
 A log file monitor (LFM) is similar in approach to a NIDS.
 It reviews log files generated by servers, network devices, and even other IDSs for patterns and
signatures.
 Patterns that signify an attack may be much easier to identify when the entire network and its systems are
viewed holistically.
 It requires the allocation of considerable resources, since it involves the collection, movement, storage,
and analysis of large quantities of log data.
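To make the "viewed holistically" point concrete, here is an added example (written for these notes, not taken from any LFM product) that normalizes constructed syslog-style lines from three sources, a firewall, an SSH server and a NIDS, and applies two rules that only fire when the sources are combined: a burst of failed logins followed by a success from the same address, and one address appearing in several independent log sources. The addresses, hostnames and formats are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample lines from three sources; addresses are from documentation ranges.
SAMPLE_LOGS = [
    "Mar 10 09:01:02 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=23",
    "Mar 10 09:01:05 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=3389",
    "Mar 10 09:02:10 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 5522 ssh2",
    "Mar 10 09:02:12 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 5523 ssh2",
    "Mar 10 09:02:14 web1 sshd[2201]: Failed password for alice from 198.51.100.7 port 5524 ssh2",
    "Mar 10 09:02:20 web1 sshd[2205]: Accepted password for alice from 198.51.100.7 port 5530 ssh2",
    "Mar 10 09:03:00 nids1 nids: ALERT portscan detected from 198.51.100.7",
    "Mar 10 09:05:00 web1 sshd[2300]: Accepted publickey for bob from 203.0.113.9 port 40000 ssh2",
    "Mar 10 09:06:00 fw1 kernel: DROP IN=eth0 SRC=192.0.2.33 DST=10.0.0.5 PROTO=UDP DPT=161",
]

# One signature per log source; each yields the source address so events can be joined on it.
PATTERNS = {
    "fw_drop":    re.compile(r"kernel: DROP .*SRC=(?P<ip>\d+\.\d+\.\d+\.\d+)"),
    "ssh_fail":   re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
    "ssh_ok":     re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)"),
    "nids_alert": re.compile(r"nids: ALERT .* from (?P<ip>\S+)"),
}

FAIL_THRESHOLD = 3      # failed logins from one address before a later success is suspicious
SOURCE_THRESHOLD = 3    # distinct event kinds from one address before we call it correlated activity

Event = Tuple[str, str, Optional[str]]   # (kind, source ip, user or None)


def parse(lines: List[str]) -> List[Event]:
    """Normalize heterogeneous log lines into (kind, ip, user) tuples; unmatched lines are ignored."""
    events: List[Event] = []
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                events.append((kind, m.group("ip"), m.groupdict().get("user")))
                break
    return events


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Two rules that only work when logs from several systems are viewed together."""
    fails: Dict[str, int] = defaultdict(int)
    kinds_seen: Dict[str, set] = defaultdict(set)
    alerts: List[Dict[str, str]] = []
    for kind, ip, user in parse(lines):
        kinds_seen[ip].add(kind)
        if kind == "ssh_fail":
            fails[ip] += 1
        elif kind == "ssh_ok" and fails[ip] >= FAIL_THRESHOLD:
            # Rule 1: a burst of failures followed by a success from the same address
            alerts.append({"rule": "failures_then_success", "ip": ip,
                           "detail": f"user={user}, failures={fails[ip]}"})
    for ip, kinds in kinds_seen.items():
        if len(kinds) >= SOURCE_THRESHOLD:
            # Rule 2: the same address shows up in firewall, host and NIDS records
            alerts.append({"rule": "multi_source_activity", "ip": ip,
                           "detail": ",".join(sorted(kinds))})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Neither rule is visible to a single source: the SSH server alone sees a user who eventually logged in, and the firewall alone sees a couple of dropped packets.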
IDS RESPONSE BEHAVIOR
 Once an IDS detects an anomalous network situation, it has a number of options. IDS responses to
external stimulation can be classified as active or passive.
 An active response is a definitive action initiated when certain types of alerts are triggered, e.g.
collecting additional information about the intrusion or taking action against the intrusion.
 Passive response options simply report, e.g. setting off alarms or collecting passive data.
A list of response options for an IDS is as follows:
 Audible/visual alarm
 SNMP traps and plug-ins
 E-mail message
 Page or phone message
 Evidentiary packet dump
 Take action against the intruder
 Launch program
 Reconfigure firewall
 Terminate session
 Terminate connection
SELECTING IDS APPROACHES AND PRODUCTS
The following questions may be useful when acquiring and deploying an intrusion detection product.
Technical and policy considerations
These considerations help determine which IDS would best meet the needs of a specific organization’s environment.
What is your systems environment? This is important: if an IDS is not designed to accommodate
the information sources that are available on your systems, it cannot determine whether activity is an attack or normal.
Organizational requirements and constraints
The organization’s operational goals, constraints, and culture will affect the selection of the IDS and
other security tools and technologies used to protect your systems. Consider these organizational requirements
and limitations.
IDSs Product Features and Quality
 Is the product sufficiently scalable for your environment? Many IDSs are not able to scale to large
or widely distributed enterprise environments.
 How has the product been tested?
 What is the user level of expertise targeted by the product?
 Is the product designed to evolve as the organization grows?
 What are the support provisions for the product?
Strengths and Limitations of IDSs
It is important to understand what IDSs should be trusted to do and what goals might
be better served by other types of security mechanisms.
Strengths of Intrusion Detection Systems
Intrusion detection systems perform the following functions well:
 Monitoring and analyzing system events and user behaviors
 Testing the security states of system configurations
 Baselining the security state of a system, then tracking any changes to that baseline
 Recognizing patterns of system events that correspond to known attacks
 Recognizing patterns of activity that statistically vary from normal activity
 Managing operating system audit and logging mechanisms and the data they generate
 Alerting appropriate staff by appropriate means when attacks are detected
 Measuring enforcement of security policies encoded in the analysis engine
 Providing default information security policies
 Allowing non-security experts to perform important security monitoring functions
Limitations of Intrusion Detection Systems
Intrusion detection systems cannot perform the following functions:
 Compensating for weak or missing security mechanisms in the protection infrastructure. Such
mechanisms include firewalls, identification and authentication, link encryption, access control
mechanisms, and virus detection and eradication.
 Instantaneously detecting, reporting, and responding to an attack when there is a heavy network
or processing load
 Detecting newly published attacks launched by sophisticated attackers
 Automatically investigating attacks without human intervention
DEPLOYMENT AND IMPLEMENTATION OF AN IDS
The strategy for deploying an IDS should consider a number of factors. These factors will determine
the number of administrators needed to install, configure, and monitor the IDS; the management of
workstations; and the size of the storage needed for retention of the data generated by the systems.
IDS Control Strategies
An IDS can be implemented via one of three basic control strategies
 Centralized: all IDS control functions are implemented and managed in a central location.
 Fully distributed: all control functions are applied at the physical location of each IDS component.
 Partially distributed: combines the two; while individual agents can still analyze and respond to
local threats, they report to a hierarchical central facility to enable organization to detect widespread
attacks.
IDS Deployment Overview
Deployment should be based on a careful analysis of the organization’s information security requirements
while, at the same time, causing minimal impact. NIDSs and HIDSs can be used in tandem to cover both the
individual systems that connect to an organization’s networks and the networks themselves.
Deploying Network-Based IDSs
NIST recommends four locations for NIDS sensors
 Location 1: behind each external firewall, in the network DMZ
 Location 2: outside an external firewall
 Location 3: On major network backbones
 Location 4: On critical subnets
Deploying Host-Based IDSs
 Proper implementation of HIDSs can be a painstaking and time-consuming task
 Deployment begins with implementing the most critical systems first
 Installation continues until either all systems are installed, or the organization reaches the planned
degree of coverage it is willing to live with.
Measuring the Effectiveness of IDSs
 IDSs are evaluated using two dominant metrics:
 Administrators evaluate the number of attacks detected in a known collection of probes
 Administrators examine the level of use at which IDSs fail.
 An evaluation of an IDS might read: at 100 Mb/s, the IDS was able to detect 97% of directed attacks.
Since developing such a collection of probes can be tedious, most IDS vendors provide testing mechanisms
that verify systems are performing as expected. Some of these testing processes will enable the administrator
to:
 Record and retransmit packets from a real virus or worm scan.
 Record and retransmit packets from a real virus or worm scan with incomplete TCP/IP
session connections (missing SYN packets).
 Conduct a real virus or worm scan against an invulnerable system.
Honey Pots, Honey Nets, and Padded Cell Systems
Honey pots are decoy systems designed to lure potential attackers away from critical systems and
encourage attacks against themselves. A collection of honey pots connecting several honey pot systems
on a subnet is called a honey net. Honey pots are designed to:
 Divert an attacker from accessing critical systems
 Collect information about the attacker’s activity
 Encourage the attacker to stay on the system long enough for administrators to document the event and,
perhaps, respond
 Padded cell: a honey pot that has been protected so it cannot be easily compromised.
 In addition to attracting attackers with tempting data, a padded cell operates in tandem with a
traditional IDS.
 When the IDS detects attackers, it seamlessly transfers them to a special simulated environment
where they can cause no harm; the nature of this host environment is what gives the approach the
name padded cell.
Advantages
 Attackers can be diverted to targets they cannot damage.
 Administrators have time to decide how to respond to attacker.
 Attackers’ actions can be easily and more extensively monitored, and records can be used to refine
threat models and improve system protections.
 Honey pots may be effective at catching insiders who are snooping around a network.
Disadvantages
 Legal implications of using such devices are not well defined
 Honey pots and padded cells have not yet been shown to be generally useful security technologies
 Expert attacker, once diverted into a decoy system, may become angry and launch a more hostile
attack against an organization’s systems
 Administrators and security managers will need a high level of expertise to use these systems
5.4 SCANNING AND ANALYSIS TOOLS
Scanning and analysis tools are typically used to collect information that an attacker would need to launch a
successful attack. An attack protocol is a series of steps or processes used by an attacker, in a logical sequence,
to launch an attack against a target system or network.
 Footprinting is the organized research of Internet addresses owned or controlled by a target
organization
 Fingerprinting is a systematic survey of all of the target organization’s Internet addresses collected
during the footprinting phase. Fingerprinting reveals useful information about the internal structure
and operational nature of the target system or network for the anticipated attack.
 Port scanners are tools used by both attackers and defenders to identify the computers active
on a network, and other useful information. They can scan for specific types of computers, protocols,
or resources, or their scans can be generic. The more specific the scanner is, the more useful the information
it gives attackers and defenders.
Firewall Analysis Tools
 There are several tools that automate remote discovery of firewall rules and assist the administrator
in analyzing the rules. Administrators who feel wary of using the same tools that attackers use should
remember:
 It is the intent of the user that will dictate how the information gathered will be used
 In order to defend a computer or network well, it is necessary to understand the ways it can be attacked.
 Thus, a tool that can help close up an open or poorly configured firewall will help the network defender
minimize risk from attack.
Operating System Detection Tools
Detecting a target computer’s operating system (OS) is very valuable to an attacker in determining
which vulnerabilities the system is susceptible to. There are many tools that use networking protocols to
determine a remote computer’s OS.
Vulnerability Scanners
 Active vulnerability scanners scan networks for highly detailed information; they initiate traffic to
determine security holes.
 This type of scanner identifies exposed usernames and groups, shows open network shares, and exposes
configuration and other vulnerabilities in servers.
 A passive vulnerability scanner listens in on the network and determines vulnerable versions of both
server and client software.
 Passive vulnerability scanners have the ability to find client-side vulnerabilities that are typically not
found by active scanners.
Packet Sniffers
 A packet sniffer/network protocol analyzer is a network tool that collects copies of packets from
network and analyzes them.
 It can provide network administrator with valuable information for diagnosing and resolving
networking issues.
 In the wrong hands, a sniffer can be used to eavesdrop on network traffic.
 To use a packet sniffer legally, the administrator must be on a network that the organization owns, be under
the direct authorization of the owners of the network, and have the knowledge and consent of the content creators.
Wireless Security Tools
 An organization that spends its time securing the wired network and leaves wireless networks to operate
in any manner is opening itself up to a security breach.
 A security professional must assess risk of wireless networks.
 A wireless security toolkit should include the ability to sniff wireless traffic, scan wireless hosts, and
assess level of privacy or confidentiality afforded on the wireless network.
5.5 INTRODUCTION TO CRYPTOGRAPHY
Cryptography
Cryptography comes from the Greek words kryptos, meaning “hidden”, and graphein, meaning “to
write”; it is the process of making and using codes to secure the transmission of information.
Encryption
Encryption is the process of converting an original message into a form that is unreadable by
unauthorized individuals.
Decryption
Decryption is the process of converting the ciphertext message back into plaintext.
Cryptanalysis
Cryptanalysis is the process of obtaining the original message (plaintext) from encrypted message
(ciphertext) without knowing algorithms and keys used to perform the encryption.
Cryptology
Cryptology is the science of encryption, which combines cryptography and cryptanalysis.
Terminology
Algorithm
The programmatic steps used to convert an unencrypted message into an encrypted sequence of
bits that represent the message.
Cipher or Cryptosystem
An encryption method or process encompassing the algorithm, key(s) or cryptovariable(s), and
procedures used to perform encryption and decryption.
Ciphertext or Cryptogram
The encoded message resulting from an encryption.
Code
The process of converting components (words or phrases) of an unencrypted message into encrypted
components.
Decipher
To decrypt or convert ciphertext into the equivalent plaintext.
Encipher
To encrypt or convert plaintext into the equivalent ciphertext.
Key or Cryptovariable
The information used in conjunction with an algorithm to create the ciphertext from the plaintext or
derive the plaintext from the ciphertext. The key can be a series of bits.
Keyspace
The entire range of values that can be used to construct an individual key.
Plaintext or Cleartext
The original unencrypted message or a message that has been successfully decrypted.
Steganography
The hiding of messages – for example, within the digital encoding of a picture or graphic.
Workfactor
The amount of effort (usually in hours) required to perform cryptanalysis to decode an encrypted
message when the key or algorithm (or both) are unknown.
Elements of Cryptosystems
Cryptosystems are typically made up of algorithms, data handling techniques, and procedures and
process steps that are combined in multiple ways to ensure confidentiality and provide authentication and
authorization for business processes.
Cipher Methods
There are two methods of encrypting plaintext:
 Bit stream method – each plaintext bit is transformed into a cipher bit, one bit at a time.
 Block cipher method – the message is divided into blocks (e.g., sets of 8-, 16- or 32-bit blocks)
and then each block of plaintext is transformed into an encrypted block of cipher bits using an
algorithm and a key.
The bit stream method mostly uses algorithm functions like XOR, whereas the block cipher method can use
substitution, transposition, XOR, etc.
Substitution cipher
A substitution cipher substitutes one value for another. The following are the different types of
substitution:
 Monoalphabetic substitution – uses only one alphabet for substitution. A simple method, but
powerful if combined with other operations.
 Polyalphabetic substitution – a more advanced method which uses two or more alphabets.
 Vigenère cipher – an advanced cipher type that uses a simple polyalphabetic code made
up of 26 distinct cipher alphabets.
Transposition cipher
Transposition cipher rearranges values within a block to create ciphertext.
Exclusive OR (XOR)
It is a function of Boolean algebra in which two bits are compared:
 If the two bits are identical, the result is binary 0
 If the two bits are not identical, the result is binary 1
Vernam cipher
This was developed at AT&T and uses a set of characters only once per encryption process.
Book (or Running Key) cipher
This method uses the text in a book as the key to decrypt a message; the ciphertext contains codes
representing page, line and word numbers.
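The cipher methods from the Cipher Methods section through the Vernam cipher, worked as runnable code. This is an added example written for these notes, not code from the handout or from any library: a monoalphabetic shift (Caesar) with a brute-force over its tiny keyspace to illustrate keyspace and workfactor, a Vigenère polyalphabetic substitution, a columnar transposition, the XOR bit function, and a Vernam-style one-time XOR with a random key as long as the message. The plaintexts and the column count are constructed for the example.

```python
import os
from itertools import cycle

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def caesar(text: str, shift: int) -> str:
    """Monoalphabetic substitution: every letter is replaced using one shifted alphabet."""
    return "".join(ALPHA[(ALPHA.index(c) + shift) % 26] if c in ALPHA else c
                   for c in text.upper())


def caesar_bruteforce(ciphertext: str) -> dict:
    """The keyspace holds only 25 useful shifts, so a workfactor of 25 trials recovers the plaintext."""
    return {shift: caesar(ciphertext, -shift) for shift in range(1, 26)}


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Polyalphabetic substitution: each key letter selects one of 26 shifted cipher alphabets."""
    shifts = cycle(ALPHA.index(k) for k in key.upper())
    out = []
    for c in text.upper():
        if c in ALPHA:
            k = next(shifts)
            out.append(ALPHA[(ALPHA.index(c) + (-k if decrypt else k)) % 26])
        else:
            out.append(c)
    return "".join(out)


def columnar_transpose(text: str, cols: int) -> str:
    """Transposition: letters keep their values but are rearranged by reading the block column by column."""
    letters = "".join(c for c in text.upper() if c in ALPHA)
    padded = letters + "X" * (-len(letters) % cols)      # pad so the block is rectangular
    return "".join(padded[i::cols] for i in range(cols))


def columnar_untranspose(ciphertext: str, cols: int) -> str:
    """Inverse of columnar_transpose for a ciphertext whose length is a multiple of cols."""
    rows = len(ciphertext) // cols
    columns = [ciphertext[i * rows:(i + 1) * rows] for i in range(cols)]
    return "".join(columns[i % cols][i // cols] for i in range(len(ciphertext)))


def xor_bit(a: int, b: int) -> int:
    """Boolean XOR: identical bits give 0, differing bits give 1."""
    return a ^ b


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Bit stream method: each plaintext bit is combined with the matching key bit."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def vernam_encrypt(message: bytes) -> tuple:
    """Vernam cipher: a fresh random key as long as the message, used once; decryption is the same XOR."""
    key = os.urandom(len(message))
    return xor_bytes(message, key), key


def keyspace_size(key_bits: int) -> int:
    """Number of possible keys for a key of the given length in bits (e.g. 2**56 for DES)."""
    return 2 ** key_bits


if __name__ == "__main__":
    ct = caesar("ATTACK AT DAWN", 3)
    print("caesar      :", ct, "->", caesar_bruteforce(ct)[3])
    print("vigenere    :", vigenere("ATTACK AT DAWN", "LEMON"))
    print("transpose   :", columnar_transpose("ATTACK AT DAWN", 4))
    c, k = vernam_encrypt(b"ATTACK AT DAWN")
    print("vernam      :", c.hex(), "->", xor_bytes(c, k))
    print("DES keyspace:", keyspace_size(56))
```

The contrast worth noticing is that the Caesar keyspace is exhausted in 25 trials while the Vernam key is as large as the message itself and never reused; the XOR step is identical in both the weak and the strong construction, and only the key discipline differs.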
Hash Functions
 Hash functions are mathematical algorithms that generate a message summary or digest to confirm
message identity and confirm that no content has changed.
 Hash algorithms are publicly known functions that create a hash value.
 Keys are not required, but a message authentication code (MAC) may be attached to a message.
 This method is mostly used in password verification systems to confirm the identity of a user.
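The three uses listed above (an unkeyed digest for integrity, a keyed MAC, and password verification) in working form. This is an added example written for these notes, using only the Python standard library; it is not code from the handout. The message, key and password values are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional


def digest(message: bytes) -> str:
    """Fixed-length SHA-256 summary of a message; any change to the message changes the digest."""
    return hashlib.sha256(message).hexdigest()


def integrity_ok(message: bytes, expected_hex: str) -> bool:
    """Recompute the digest and compare it in constant time to a previously published value."""
    return hmac.compare_digest(digest(message), expected_hex)


def make_mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: a keyed digest, so only holders of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(make_mac(key, message), tag)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Store a salted, iterated PBKDF2-HMAC-SHA256 hash instead of the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"          # constructed sample message
    print("digest     :", digest(msg))
    print("one byte off:", digest(b"transfer 100 to account 43"))
    key = os.urandom(32)                          # shared secret for the MAC
    tag = make_mac(key, msg)
    print("MAC verifies:", verify_mac(key, msg, tag))
    print("tampered    :", verify_mac(key, msg + b"0", tag))
    record = hash_password("correct horse battery staple")
    print("password ok :", verify_password("correct horse battery staple", record))
```

The plain digest proves only that the bytes match a known value; anyone who can change the message can recompute it, which is why the MAC adds a key and why the password record adds a per-user salt and an iteration count.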
Cryptographic algorithms
Cryptographic algorithms are broadly classified into two categories:
 Symmetric Encryption and
 Asymmetric Encryption
Symmetric Encryption
This encryption method uses the same “secret key” to encipher and decipher the message and is also
called private key encryption. This type of encryption uses mathematical operations, so it is
extremely efficient, requiring only minimal processing. Both sender and receiver must possess the encryption
key. If either copy of the key is compromised, an intermediary can decrypt and read messages.
The following are the different symmetric encryption techniques:
 Data Encryption Standard (DES) – one of the most popular symmetric encryption cryptosystems;
it uses a 64-bit block size of plaintext and a 56-bit key. This method was adopted by NIST in 1976 as the
federal standard for encrypting non-classified information.
 Triple DES (3DES) – This method is created to provide security far beyond DES.
 Advanced Encryption Standard (AES) – This technique is developed to replace both DES and
3DES.
Asymmetric Encryption
Asymmetric encryption uses two different but related keys, and either key can be used to
encrypt or decrypt the message. This method is commonly called public key encryption. For example,
if Key A is used to encrypt the message, only Key B can decrypt it.
Encryption Key Size
When using ciphers, the size of the cryptovariable or key is very important, since the strength of many
encryption applications and cryptosystems is measured by the key size used to encrypt and decrypt.
Cryptography Tools
Public Key Infrastructure (PKI)
This is an integrated system of software, encryption methodologies, protocols, legal agreements, and
third-party services enabling users to communicate securely. PKI systems are based on public key
cryptosystems and include digital certificates and certificate authorities (CAs). PKI protects information
assets in several ways:
 Authentication
 Integrity
 Privacy
 Authorization
 Nonrepudiation
Digital Signatures
Digital signatures are encrypted messages that can be mathematically proven to be authentic. They
were created in response to the rising need to verify information transferred using electronic systems. Asymmetric
encryption processes are used to create digital signatures.
Digital Certificates
Digital certificates are electronic documents containing a key value and identifying information about the
entity that controls the key. A digital signature is attached to the certificate’s container file to certify that the file is
from the entity it claims to be from.
Hybrid Cryptography Systems
A hybrid system combines different cryptography systems. Except with digital certificates, pure asymmetric key
encryption is not widely used. Asymmetric encryption is more often used together with symmetric key encryption,
creating a hybrid system.
The Diffie-Hellman key exchange method is the most commonly used hybrid cryptography system; it
provided the foundation for subsequent developments in public key encryption.
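The hybrid pattern described above, Diffie-Hellman agreement of a shared secret followed by symmetric encryption under a key derived from it, as an added example written for these notes (not the handout's or any library's code). It assumes a deliberately small toy group (the Mersenne prime 2^127 - 1 with generator 3), a SHA-256-based key derivation, and an illustrative SHA-256 counter keystream with an HMAC tag in place of a standard authenticated cipher; all three choices are stand-ins made for a self-contained example, and real systems use standardized groups of 2048 bits or more (for instance the RFC 3526 MODP groups) and a cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Toy group for illustration only: far too small for real use (see lead-in).
P = 2**127 - 1
G = 3
KEY_BYTES = (P.bit_length() + 7) // 8


def dh_keypair() -> Tuple[int, int]:
    """Private exponent a in [1, p-2] and public value g^a mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    """Shared secret (peer_pub)^priv mod p; both sides obtain g^(ab) mod p."""
    if not 1 < peer_pub < P - 1:            # reject degenerate values 0, 1 and p-1
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def derive_key(shared: int, context: bytes = b"demo hybrid v1") -> bytes:
    """Hash the raw group element into a uniform 32-byte symmetric key (simple KDF)."""
    return hashlib.sha256(context + shared.to_bytes(KEY_BYTES, "big")).digest()


def keystream(key: bytes, nbytes: int) -> bytes:
    """Illustrative counter-mode keystream from SHA-256 (a stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def _mac(key: bytes, data: bytes) -> bytes:
    """Separate MAC key derived from the session key, so encryption and MAC keys differ."""
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR with the keystream, then append an HMAC tag so tampering is detected."""
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    return ct + _mac(key, ct)


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only then undo the XOR."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(_mac(key, ct), tag):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, len(ct))))


def hybrid_exchange(message: bytes) -> dict:
    """Two parties agree a key with DH, then one encrypts symmetrically and the other decrypts."""
    a_priv, a_pub = dh_keypair()          # party A keeps a_priv, publishes a_pub
    b_priv, b_pub = dh_keypair()          # party B keeps b_priv, publishes b_pub
    key_a = derive_key(dh_shared(a_priv, b_pub))
    key_b = derive_key(dh_shared(b_priv, a_pub))
    blob = encrypt(key_a, message)
    return {"keys_match": key_a == key_b, "recovered": decrypt(key_b, blob), "ciphertext": blob}


if __name__ == "__main__":
    result = hybrid_exchange(b"meet at noon")   # constructed sample message
    print("keys match :", result["keys_match"])
    print("recovered  :", result["recovered"])
    print("ciphertext :", result["ciphertext"].hex())
```

Note what the exchange does and does not give: both sides derive the same key without ever transmitting it, but nothing here authenticates the public values, so an active intermediary could run two separate exchanges; that gap is what digital certificates in a PKI are meant to close.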
Steganography
Steganography is a process of hiding information that has been in use for a long time. The most popular modern
version of this process hides information within files that appear to contain digital pictures or other images. Some
applications hide messages in .bmp, .wav, .mp3, and .au files, as well as in unused space on CDs and DVDs.
5.6 ACCESS CONTROL DEVICES
A successful access control system includes a number of components, depending on the system’s needs for
authentication and authorization. Strong authentication requires at least two forms of authentication to
authenticate the supplicant’s identity.
Authentication
Authentication is the validation of a supplicant’s identity. There are four general ways to carry out
authentication. They are:
 What a supplicant knows
 What a supplicant has
 Who a supplicant is
Biometrics
This area of authentication deals with a characteristic of the supplicant’s person. The process of using
body measurements is known as biometrics.
Biometrics includes the following:
 Fingerprint – Comparison of the supplicant’s actual fingerprint to a stored fingerprint.
 Palm print – Comparison of the supplicant’s actual palm print to a stored palm print.
 Hand Geometry – Comparison of the supplicant’s actual hand to a stored measurement.
 Facial recognition using a photographic ID card – a human security guard compares the
supplicant’s face to a photo.
 Facial recognition using a digital camera – a supplicant’s face is compared to a stored image.
 Retinal print – Comparison of the supplicant’s actual retina to a stored image.
 Iris pattern – Comparison of the supplicant’s actual iris to a stored image.
The following are the only three human characteristics that are usually considered truly unique. They are:
 Fingerprints.
 Retina of the eye.
 Iris of the eye.
Effectiveness of Biometrics
Biometric technologies are evaluated based on the following three basic criteria:
 False reject rate
 False accept rate
 Crossover error rate (CER)
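The three criteria above are rates measured against a matching threshold, and the trade-off between them is easier to see computed than described. The following is an added example written for these notes, not code from the handout or any biometric product: it takes constructed matcher scores for genuine users and impostors, computes the false accept rate (FAR) and false reject rate (FRR) at each threshold, and locates the threshold where the two cross, which gives the crossover error rate (CER). The score lists and the 0-100 scale are constructed for the example.

```python
from typing import List, Tuple

# Constructed matcher scores on a 0-100 scale (higher = stronger match). Not real biometric data.
GENUINE_SCORES = [88, 92, 79, 95, 85, 90, 72, 97, 83, 91]    # enrolled user vs. own template
IMPOSTOR_SCORES = [30, 45, 52, 61, 38, 74, 49, 55, 66, 41]   # other people vs. that template


def rates(threshold: int, genuine: List[int], impostor: List[int]) -> Tuple[float, float]:
    """Accept when score >= threshold. Returns (FAR, FRR):
    FAR = fraction of impostors accepted, FRR = fraction of genuine users rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine: List[int], impostor: List[int], step: int = 10) -> List[Tuple[int, float, float]]:
    """Tabulate (threshold, FAR, FRR): raising the threshold lowers FAR but raises FRR."""
    return [(t, *rates(t, genuine, impostor)) for t in range(0, 101, step)]


def crossover(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Threshold at which FAR and FRR are closest; the error rate there is the CER."""
    best_gap, best_t, cer = None, 0, 0.0
    for t in range(0, 101):
        far, frr = rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, cer = gap, t, (far + frr) / 2
    return best_t, cer


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:3d}: FAR={far:.2f} FRR={frr:.2f}")
    t, cer = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {t}: CER={cer:.2f}")
```

A low FAR is what the security side wants and a low FRR is what users want; a single threshold cannot minimise both, so the CER is used to compare systems independently of where a given deployment sets its threshold.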
Acceptability of Biometrics
 The acceptability of biometrics depends on the balance that must be struck between how acceptable a
security system is to users and its effectiveness in maintaining security.
 Many biometric systems that are highly reliable and effective are considered intrusive.
 As a result, many information security professionals, in an effort to avoid confrontation and possible
user boycott of biometric controls, don’t implement them.
5.7 INTRODUCTION TO PHYSICAL SECURITY
Physical security addresses the design, implementation, and maintenance of countermeasures that
protect the physical resources of an organization. Most controls can be circumvented if an attacker gains physical
access. Physical security is as important as logical security.
Physical Access Controls
Secure facility – a physical location engineered with controls that are designed to minimize the risk of
attacks from physical threats. A secure facility can take advantage of natural terrain, traffic flow, and the degree
of urban development, and can complement these with protection mechanisms (fences, gates, walls, guards,
alarms).
Controls for Protecting the Secure Facility
The following are the several controls for protecting the Secure Facility
 Walls, fencing, and gates
 Guards
 Dogs
 ID Cards and badges
 Locks and keys
 Electronic monitoring
 Alarms and alarm systems
 Computer rooms and wiring closets
 Interior walls and doors
Fire Security and Safety
The most serious threat to the safety of people who work in an organization is the possibility of fire. Fires account
for more property damage, personal injury, and death than any other threat.
Fire Detection and Response
Fire suppression systems are devices that are installed and maintained to detect and respond to
a fire. They deny an environment heat, fuel, or oxygen by means of:
 Water and water mist systems
 Carbon dioxide systems
 Soda acid systems
 Gas-based systems
Fire Detection
Fire detection systems fall into two general categories: manual and automatic. Part of a complete
fire safety program includes individuals who monitor the chaos of a fire evacuation to prevent an attacker from
accessing offices. There are three basic types of fire detection systems: thermal detection, smoke detection, and
flame detection.
Fire Suppression
Fire suppression systems consist of portable, manual, or automatic apparatus. Portable extinguishers
are rated by the type of fire: Class A, Class B, Class C, Class D. Installed systems apply a suppressive agent,
usually either sprinkler or gaseous systems.
Failure of Supporting Utilities and Structural Collapse
Supporting utilities (heating, ventilation and air conditioning; power; water; and others) have
significant impact on continued safe operation of a facility. Each utility must be properly managed to prevent
potential damage to information and information systems.
Heating, Ventilation, and Air Conditioning
 Areas within heating, ventilation, and air conditioning (HVAC) system that can cause damage to
information systems include:
 Temperature
 Filtration
 Humidity
 Static electricity
Power Management and Conditioning
Electrical quantity (voltage level; amperage rating) is a concern, as is the quality of power (cleanliness;
proper installation). Noise that interferes with the normal 60 Hertz cycle can result in inaccurate time clocks
or unreliable internal clocks inside the CPU. Grounding ensures that the returning flow of current is properly
discharged to ground. Overloading a circuit causes problems with circuit tripping and can overload electrical
cable, increasing the risk of fire. In case of a power outage, a UPS is the backup power source for major computer
systems. Emergency shutoff is an important aspect of power management: the ability to stop
power immediately should current represent a risk to human or machine safety.
Water Problems
A lack of water poses a problem to systems, including the functionality of fire suppression systems and the
ability of water chillers to provide air-conditioning. A surplus of water, or water pressure, poses a real threat
(flooding; leaks). It is very important to integrate water detection systems into the alarm systems that regulate
overall facilities operations.
Structural Collapse
Unavoidable forces can cause failures of the structures that house an organization. Structures are designed and
constructed with specific load limits; overloading these limits results in structural failure and potential
injury or loss of life. Periodic inspections by qualified civil engineers assist in identifying
potentially dangerous structural conditions.
Maintenance of Facility Systems
Physical security must be constantly documented, evaluated, and tested. Documentation of facility’s
configuration, operation, and function should be integrated into disaster recovery plans and operating
procedures. Testing helps improve the facility’s physical security and identify weak points.
Interception of Data
Three methods of data interception are as follows:
 Direct observation
 Interception of data transmission
 Electromagnetic interception
The U.S. government developed the TEMPEST program to reduce the risk of electromagnetic radiation (EMR)
monitoring.
Mobile and Portable Systems
With the increased threat to information security for laptops, handhelds, and PDAs, mobile computing
requires more security than the average in-house system. Many mobile computing systems have corporate
information stored within them; some are configured to facilitate the user’s access into the organization’s secure
computing facilities. Controls should support the security and retrieval of lost or stolen laptops.
 CompuTrace software, stored on the laptop, reports to a central monitoring center.
 Burglar alarms made up of a PC card that contains a motion detector.
Remote Computing Security
Remote site computing – computing away from the organizational facility. Telecommuting – computing using
telecommunications including the Internet, dial-up, or leased point-to-point links. Employees may need to
access networks on business trips; telecommuters need access from home systems or satellite offices. To
provide a secure extension of the organization’s internal networks, all external connections and systems must be
secured.
Special Considerations for Physical Security Threats
Develop physical security in-house or outsource?
 Many qualified and professional agencies
 Benefit of outsourcing includes gaining experience and knowledge of agencies
 Downside includes high expense, loss of control over individual components, and level of trust that
must be placed in another company.
Social engineering
Social engineering is the use of people skills to obtain information from employees that should not be released.
Inventory Management
Computing equipment should be inventoried and inspected on a regular basis. Classified information
should also be inventoried and managed. Physical security of computing equipment, data storage media
and classified documents varies for each organization.
5.8 INTRODUCTION TO SECURITY AND PERSONNEL
When implementing information security, there are many human resource issues that must be
addressed. They are
 Positioning and naming.
 Staffing.
 Evaluating impact of information security across every role in IT function.
 Integrating solid information security concepts into personnel practices.
Employees often feel threatened when an organization is creating or enhancing its overall information
security program.
Staffing the Information Security Function
Selecting personnel is based on many criteria, including supply and demand. Many professionals
enter the security market by gaining skills, experience, and credentials. At present, the information security industry
is in a period of high demand.
Qualifications and Requirements
The following factors must be addressed:
 Management should learn more about position requirements and qualifications
 Upper management should learn about budgetary needs of information security function
 IT and management must learn more about level of influence and prestige the information security
function should be given to be effective
 Organizations typically look for technically qualified information security generalist
 Organizations look for information security professionals who understand:
 Information security usually a management problem, not a technical problem
 Threats facing an organization and how they can become attacks
 How to protect organization’s assets from information security attacks
Entry into the Information Security Profession
Many information security professionals enter the field through one of two career paths:
 Law enforcement and military
 Technical, working on security applications and processes
Information Security Positions
Use of standard job descriptions can increase degree of professionalism and improve the consistency
of roles and responsibilities between organizations.
The Chief Information Security Officer (CISO or CSO) holds the top information security position. Typical
qualifications are accreditation, a graduate degree, and experience; the major functions of the role are
as follows:
 Frequently reports to the Chief Information Officer.
 Manages the overall information security program.
 Drafts or approves information security policies.
Security Manager
Typical qualifications of a Security Manager commonly include accreditation; the ability to
draft middle- and lower-level policies, standards and guidelines; budgeting, project management, and hiring
and firing; and managing technicians. Security managers are accountable for the day-to-day operation of the
information security program and for accomplishing the objectives identified by the CISO.
Security Technician
Security technicians are technically qualified individuals tasked to configure security hardware and software,
and tend to be specialized. Their typical qualifications are as follows:
 Varied; organizations prefer expert, certified, proficient technicians.
 Some experience with a particular hardware and software package.
 Actual experience in using a technology is usually required.
Credentials of Information Security Professionals
Many organizations seek recognizable certifications, though most existing certifications are relatively
new and not fully understood by hiring organizations. Certifications include: CISSP and SSCP; CISA and
CISM; GIAC; SCP; TICSA; Security+; IISFA’s Certified Information Forensics Investigator.
Cost of Being Certified
Better certifications can be very expensive; even experienced professionals find it difficult to take an
exam without some preparation. Many candidates teach themselves through trade press books; others
prefer the structure of formal training. Before attempting a certification exam, do all the homework and review the
exam criteria, its purpose, and requirements in order to ensure that the time and energy spent pursuing
certification are well spent.
Employment Policies and Practices
The management community of interest should integrate solid information security concepts into the
organization’s employment policies and practices. The organization should make information security a
documented part of every employee’s job description.
From an information security perspective, the hiring of employees is a responsibility laden with potential
security pitfalls. The CISO and information security manager should provide human resources with
information security input to personnel hiring guidelines.
Job Descriptions
Integrating information security perspectives into the hiring process begins with reviewing and updating
all job descriptions.
Interviews
For organizations that include on-site visits as part of interviews, it is important to use caution when
showing a candidate around the facility.
Background Checks
Background checks differ in the level of detail and depth with which the candidate is examined; they may
include an identity check, education and credential check, previous employment verification, reference check,
drug history, credit history, and more.
Employment Contracts
Many security policies require an employee to agree in writing. New employees may find policies
classified as “employment contingent upon agreement,” whereby the employee is not offered the position
unless binding organizational policies are agreed to.
New Hire Orientation
New employees should receive an extensive information security briefing on the policies, procedures, and
requirements for information security.
On-the-Job Security Training
The organization should conduct periodic security awareness training for employees.
Performance Evaluation
Organizations should incorporate information security components into employee performance
evaluations.
Termination
Once cleared, the former employee should be escorted from the premises. Hostile departures include
termination for cause, permanent downsizing, temporary lay-off, or some instances of quitting. Friendly
departures include resignation, retirement, promotion, or relocation.
Security Considerations for Non-employees
Individuals not subject to screening, contractual obligations, and eventual secured terminations often
have access to sensitive organizational information. Relationships with these individuals should be carefully
managed to prevent possible information leaks or theft.
Temporary Employees
Temporary employees are hired by the organization to serve in a temporary position or to supplement the
existing workforce. Access to information for temporary employees should be limited to what is necessary
to perform their duties.
Contract Employees
Contract employees are hired to perform specific services for the organization. The host company often
makes the contract with the parent organization rather than with the individual for a particular task.
Consultants
Consultants should be handled like contract employees, with special requirements for information or
facility access integrated into the contract. Security and technology consultants must be prescreened,
escorted, and subjected to non-disclosure agreements to protect the organization. Just because a security
consultant is paid doesn’t make the protection of the organization’s information the consultant’s number
one priority.
Business Partners
Businesses find themselves in strategic alliances with other organizations, desiring to exchange
information or integrate systems. There must be meticulous, deliberate process of determining what
information is to be exchanged, in what format, and to whom. Nondisclosure agreements and the level of
security of both systems must be examined before any physical integration takes place.
Separation of Duties and Collusion
• Separation of duties – a control used to reduce the chance of an individual violating information security;
it stipulates that completion of a significant task requires at least two people.
• Collusion – unscrupulous workers conspiring to commit an unauthorized task.
• Two-man control – two individuals review and approve each other’s work before the task is categorized
as finished.
• Job rotation – employees know each other’s job skills.
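Two-man control and collusion as an added Python example that is not part of the handout: a privileged task cannot be completed by its requester alone or by one reviewer signing twice, and a reviewer-pair counter flags requester/approver pairs that keep recurring, which job rotation is meant to prevent. The task class, the names alice, bob, carol, dave and erin, and the task ids are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field


class SeparationOfDutiesError(Exception):
    """Raised when an approval would let one person complete a task alone."""


@dataclass
class PrivilegedTask:
    """A significant task (constructed example: a firewall rule change) under two-man control."""
    task_id: str
    requester: str                      # person who initiated the task
    approvals: list = field(default_factory=list)
    required_approvals: int = 2         # two independent reviewers must sign off

    def approve(self, approver: str) -> None:
        # Separation of duties: the requester may not sign off on their own task.
        if approver == self.requester:
            raise SeparationOfDutiesError(
                f"{approver} requested {self.task_id} and cannot approve it")
        # Each reviewer counts once; repeating an approval is not a second signature.
        if approver in self.approvals:
            raise SeparationOfDutiesError(
                f"{approver} already approved {self.task_id}")
        self.approvals.append(approver)

    def is_complete(self) -> bool:
        """True only once enough distinct reviewers other than the requester have signed."""
        return len(set(self.approvals) - {self.requester}) >= self.required_approvals


def frequent_pairs(tasks, threshold):
    """Collusion indicator: requester/approver pairs seen more than `threshold`
    times across the tasks; rotating reviewers (job rotation) keeps this list short."""
    counts = Counter()
    for task in tasks:
        for approver in task.approvals:
            counts[tuple(sorted((task.requester, approver)))] += 1
    return sorted(pair for pair, n in counts.items() if n > threshold)


if __name__ == "__main__":
    # Constructed sample: alice requests a change, bob and carol review it.
    change = PrivilegedTask("fw-change-1", "alice")
    change.approve("bob")
    change.approve("carol")
    print(change.task_id, "complete:", change.is_complete())
```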
Privacy and the Security of Personnel Data
Organizations are required by law to protect sensitive or personal employee information, which includes
employee addresses, phone numbers, social security numbers, medical conditions, and family names and
addresses. This responsibility also extends to customers, patients, and business relationships.