Chap1 Introduction to Information Security

Introduction to Information Security We are a part of an information Society. Huge amount of Information can be speedily processed and saved on easily accessible media. Inform plays a really important part in decision making in an organization. For an organization a wrong decision can lead to drastic result. This is one reason why information is steadily acquiring a more central role in business.In the world of today information is becoming increasing important. Generally speaking the standard of information security has not kept pace with this development. For example, information that before was saved on a large amount of paper and physically difficult to steal can today be saved on a disk that can easily be removed. Information security is an attempt to protect information by making it accessible only to the intended individuals groups or organizations. There as on may be financial, political, tactical or purely logistical. Every organization depends upon its resources, and the type of data it handles, has allowed a separate budget and manpower for developing information security arrangements

Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc...) Definition "The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability." Information Security is simply the process of keeping information secure: protecting its availability, integrity, and privacy. Information has been valued since the dawn of mankind: e.g. where to find food, how to build shelter, etc. As access to computer stored data has increased, Information Security has become correspondingly important. In the past, most corporate assets were hard or physical: factories, buildings, land, raw materials, etc. Today far more assets or computerstored information such as customer lists, proprietary formulas, marketing and sales information, and financial data. Some financial assets only exist as bits stored in various computers. Many businesses are solely based on information the data IS the business. Information Security is a Process: Effective Information Security incorporates security products, technologies, policies and procedures. No collection of products alone can solve every Information Security issue faced by an organization. More than just a set of technologies and reliance on proven

industry practices is required, although both are important. Products, such as firewalls, intrusion detection systems, and vulnerability scanners alone are not sufficient to provide effective Information Security. Security is Everyones Responsibility: Although some individuals may have Security in their title or may deal directly with security on a daily basis, security is everyones responsibility. A chain is only as strong as its weakest link. A workplace may have otherwise excellent security, but if a help desk worker readily gives out or resets lost passwords, or employees let others tailgate on their opening secure doors with their keycard, security can be horribly compromised. Despite the robustness of a firewall, if a single user has hardware (e.g. a modem) or software (e.g. some file sharing software) that allows bypassing the firewall, a hacker may gain access with catastrophic results. There are examples where a single firewall misconfiguration of only a few minutes allowed a hacker to gain entrance with disastrous results. Security is an issue during an applications entire lifecycle. Applications must be designed to be secure, they must be developed with security issues in mind, and they must be deployed securely. Security cannot be an afterthought and be effective. System analysts, architects, and programmers must all understand the Information Security issues and techniques that are germane to their work. Information security CIA triad The fundamental security principles represented in the CIA triad ensure that both the data and the information system that processes the data are protected. The model takes into account different controls, physical security, technical security and human actions. Confidentiality, integrity and availability form three points of the information security triangle. The closer a system moves towards an apex, the further it is from the other two points. Thus, the CIA triad offers a useful model for the evaluation of technological choices. Put together, the triad preserves and protects sensitive information, whether it is personal or proprietary.

1.Confidentiality

Ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted and once it reaches its destination. Cryptography is the art and science of storing and transmitting confidential data Threat sources Network Monitoring Shoulder Surfing- monitoring key strokes or screen Stealing password files Social Engineering- one person posing as the actual

o o o o

Countermeasures Encrypting data as it is stored and transmitted. By using network padding Implementing strict access control mechanisms and data classification Training personnel on proper procedures.

o o o o

2.Integrity Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people Integrity of data is protected when the assurance of accuracy and reliability of information and system is provided, and unauthorized modification is prevented. Digital Signatures and hash algorithms are mechanisms used to provide data integrity.

Threat sources Viruses Logic Bombs

o o

Backdoor's

Countermeasures Strict Access Control Intrusion Detection Hashing

o o o

3.Availability Availability is to give assurance in the timely and reliable access to data services for authorized users. It ensures that information or resources are available when required . High availability protocols, fully redundant network architectures and system hardware without any single points of failure ensure system reliability and robustness.

Threat sources Device or software failure. Environmental issues like heat, cold, humidity, static electricity, and contaminants can also affect system availability. Denial-of-service (DoS) attacks

o o

Countermeasures Maintaining backups to replace the failed system IDS to monitor the network traffic and host system activities Use of certain firewall and router configurations

o o o

Components of Information Security 1. Network security A specialized field in computer networking that involves securing a computer network infrastructure. Network security is typically handled by a network administrator or system administrator who implements the security policy, network software and hardware needed to protect a network and the resources accessed through the network from unauthorized access and also ensure that employees have adequate access to the network and resources

to work. A network security system typically relies on layers of protection and consists of multiple components including networking monitoring and security software in addition to hardware and appliances. All components work together to increase the overall security of the computer network.Network security includes antivirus,anti-spywares, firewall, IPS (intrusion prevention system),Virtual Private Networks. 2. Computer & data security Computer security refers to techniques for ensuring that data stored in a computer cannot be read or compromised by any individuals without authorization. Most computer security measures involve data encryption and passwords. Data encryption is the translation of data into a form that is unintelligible without a deciphering mechanism. A password is a secret word or phrase that gives a user access to a particular program or system.e.g anti virus s/w Data security is the practice of keeping data protected from corruption and unauthorized access. The focus behind data security is to ensure privacy while protecting personal or corporate data. Data is the raw form of information stored as columns and rows in our databases, network servers and personal computers. This may be a wide range of information from personal files and intellectual property to market analytics and details intended to top secret. Data could be anything of interest that can be read or otherwise interpreted in human form.

3.Policy A security policy is a document that outlines the rules, laws and practices for computer network access. This document regulates how an organization will manage, protect and distribute its sensitive information (both corporate and client information) and lays the framework for the computer-network-oriented security of the organization 4. Management of Information Security

Control in IT environment A control is something that is the constant when talking about experiments. The thing that does not ever change and remains the same throughout the experiment. IT environment is the integrated framework upon which digital networks operate. This infrastructure includes data centers, computers, computer networks, Database Management devices, and a regulatory system.In information technology, and on the Internet, infrastructure is the physical hardware used to interconnect computers and users. Infrastructure includes the transmission media, including telephone lines, cable television lines, and satellites and antennas, and also the routers that transfer data between disparate transmission technologies. Different Cotrols 1. Control Objectives for Information and Related Technology (COBIT) is a framework created for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. 2. BS 7799 control- It is an internationally recognized standard for information security that will enhance your reputation and give you and your customers confidence in your organization's information security systems. 3. ISO 17799 control It is an information security code of practice. It includes a number of sections, covering a wide range of security issues. Broadly (very) the objectives of these are as follows: Risk Assessment and Treatment, System Policy, Organizing Information Security, Asset Management, Human Resources Security 4. ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures

that includes all legal, physical and technical controls involved in an organization's information risk management processes. Information Security Management System (ISMS) An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization's sensitive data. The goal of an ISMS is to minimize risk and ensure business continuity by pro-actively limiting the impact of a security breach. ISMS is, as the name implies, a set of policies concerned with information security management. The key concept of ISMS is for an organization to design, implement and maintain a coherent suite of processes and systems for effectively managing information accessibility, thus ensuring the confidentiality, integrity and availability of information assets and minimizing information security risks. An ISMS typically addresses employee behavior and processes as well as data and technology. It can be targeted towards a particular type of data, such as customer data, or it can be implemented in a comprehensive way that becomes part of the company's culture. ISMS is a management system based on a systematic business risk approach. ISMS is a system designed to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational approach to information security. ISMS is a documented system certifying that:

Information assets in your company are described and secured, Information security risks are managed and mitigated, Security policies together with their ownerships and guarantees are in place, Adherence to security measures is inspected periodically.

ISMS can be implemented as a specific information system that deals with a particular business area, or it can be implemented as an all-encompassing system involving the whole organization. Scope of the ISMS If the organization is going to seek certification (either part of the organization or all of it) or wishes to define an area of the organization covered by the ISMS, then this scope must be defined. It is not necessary implement the same level of security for the whole organization or offer the whole organization for certification. Whatever the scope a formal definition of the scope of the ISMS is required. organization - The organization within the organization that manages information security; Location - The location (or locations) encompassed by the ISMS;

Assets - The assets (physical and logical) that are to be protected at each location in the scope; Technology - The technology (including hardware, networking, software and operating systems - where appropriate) employed in the scope offered for certification Components of ISMS

Why do we need to have ISMS? Implementing sound ISMS in your company is not free and can take many months; however, it can also bring many valuable benefits.

If information is the key asset that is needed in your business, then ISMS helps to protect your business case, ISMS delivered via ISO standards is compatible with others in the market, Company management is always involved in the security and always has access to information, Your partners view you as more reliable, credible, and trustworthy, ISMS certification opens doors to new business (for example better competitive position in the EU market), Information and data sources are utilized more efficiently, ISMS makes your investments into information security more efficient, ISMS brings the importance of information security to your employees and makes them more involved in your business,

ISMS changes the culture in your company (brings responsibility and accountability).

ISMS is not only a mechanism or a system to improve the security of your data and information; it also leads to more effective utilization of your information and better competitive position in the market. ISMS conceptual framework The conceptual framework of the Information Security Management System The information security management system (ISO 27001, 2005) is defined as that part of a global management system, based on a certain approach of the business risk, through which it is established, implementing, analyzing, monitoring and improving the security of the information. This system includes organizational structures, politics, planning activities, practices, processes and resources. Information security should be an integral part of the organizations operations and business culture. Figure 1. The steps of process development of the information security management system

1. Definition of Security Policy, 2. Definition of ISMS Scope, 3. Risk Assessment (as part of Risk Management), 4. Risk Management, 5. Selection of Appropriate Controls and 6. Statement of Applicability

Steps 3 and 4, the Risk Assessment and Management process, comprise the heart of the ISMS and are the processes that transform on one hand the rules and guidelines of security policy and the targets; an on the other to transform objectives of ISMS into specific plans for the implementation of controls and mechanisms that aim at minimizing threats and vulnerabilities. The processes and activities related to the steps 5 and 6 do not concern information risks. They are rather related to the operative actions required for the technical implementation, maintenance and control of security measurements. Appropriate controls may either be derived from existing sets of controls or mechanisms, usually included in information security standards and guidelines, or the outcome of a combination or adaptation of proposed controls to the specific organizational requirements or operational characteristics. In both cases, step 6 is the documented mapping of the identified risks, applied to the specific organization with the technical implementation of security mechanisms the organization has decided to deploy. Finally, although the ISMS is a recurring process as a whole, in most of the types of organizations mentioned above, steps 1 and 2 recur on a longer cycle than steps 3, 4, 5 and 6. This is mainly because the establishment of a security policy and the definition of the ISMS scope are more often management and strategic issues while the Risk Management process is an everyday operational concern. Steps for developing ISMS Development of ISMS is based on a process model. So, the process model is called as PDCA (Plan-Do-Check-Act) model The plan-do-check-act (PDCA) cycle is a well-known model for continual process improvement (CPI). When to Use PlanDoCheckAct

As a model for continuous improvement. When starting a new improvement project. When developing a new or improved design of a process, product or service. When defining a repetitive work process. When planning data collection and analysis in order to verify and prioritize problems or root causes. When implementing any change.

OR

1. Plan (establish the ISMS) -Establish the importance of Information Security in Business-Information security is very important for the business. However, its importance is generally not understood fully and so, it is not emphasized enough.Identify and document the business objectives, critical business processes and critical IT processes - Define the Scope for ISMS Typically the scope is defined in the following four headings as a minimum: The organization within the organization that manages information security;The location (or locations) encompassed by the ISMS; Assets - The assets (physical and logical) that are to be protected at each location in the scope; Technology - The technology (including hardware, networking, software and operating systems where appropriate) employed in the scope offered for certification - Define the Security Policy Security policy is the demonstration of managements intent and commitment for the information security in the organization. This should be based on facts about the criticality of information for business as identified during step 1. Security policy statement should strongly reflect the managements belief that if information is not secure, the business will suffer. A clear security policy will provide direction to the information security efforts of the organization as well as create confidence in the minds of various stakeholders. The Chief Executive of the organization should issue the security policy statement to build the momentum towards information security and set clear security goals and objectives. -Identify and Classify the Assets After defining security responsibilities to the employee they need to protect assets of an organization. So assets are classified as.. 1.Information assets-Databases(customer,employee, supplier, products) ,files, documentations, procedures, plans, drawings, diagrams 2.Software assets-Application s/w(Microsoft office,java,tally),system s/w(OS,Unix, Linux) development tools and utilities are part of these assets 3.Physical assets-Computer system,storage media,communication equipments, technical equipments. 4.Service assets-Communication services(Email,chat) - Information access classification Based on the C, I, A classification done for the IT systems in Step 1, each of the IT system will have appropriate access classification.Most business organization follow a four level classification for providing access to the information systems Unclassified: Considered publicly accessible. There are no requirements for access control or confidentiality. Shared: Resources that are shared within groups or with people outside of your organization.

Company Only: Access to be restricted to your internal employees only. Confidential: Access to be restricted to a specific list of people.Example Specific portions of HR database would be identified and classified for the defined level of access. Only the HR database owner, i.e. the Head of HR, should be responsible for this classification. -Identify and Assess the threats and risks Every asset is exposed to numerous threats. These threats are broadly classified in three categories: Natural Threats - These are Acts of God like floods, earthquakes, tornados, landslides, avalanches, electrical storms and other such events. Environmental Threats Long term power failure, pollution, chemicals, liquid leakage etc.ey fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Human Threats Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network based attacks, malicious software upload, unauthorized access to confidential information). -Use of risk analysis tools: Various commercial risk analysis tools are available to aid an organization in evaluating the level of security. These have large databases of questions, which help in analyzing the risks. Examples of such tools are Cobra and CRAMM -Plan for Risk Management Options for risk management are based on cost benefit analysis of various options available to handle the risk. Transfer the risk: For example, take a fire insurance policy and transfer the risk for fire to an insurance company. Avoidance of the risk: For example, if there is an old server, which is Malfunctioning(broken),replacing it will avoid all the associated risk. Acceptance of the risk: You are aware of the risk but the solution to avoid the risk is too costly.BS 7799 & ISO 27001 provides the 127 controls, which can be deployed to reduce the risk.

2.Do-Implement the plan, execute the process, make the product.Implement the risk management strategies or policies.After identifying threats then apply some procedures and actions as.. Natural and Environmental Threats: - Disaster recovery plan - Backup and recovery plan - Wide area network recovery plan Human Threats - Password Security & Controls - Internet access and security - Punitive Actions

- Email security Technical threats - Program Change Controls, Application Software Security, Database Security Network & Telecommunication Security,Operating Systems Security,Firewall Security Incident Response and Management,Intranet Security, Virus Protection. The risk management approach for identifying and justifying the risks. Now we should start checking our selection of controls against the127 controls defined by BS 7799 and ISO 27001. As explained, these controls are described in very general terms and no specific interpretation has been provided.So,these controls are used with training and awareness program by top management ,end users and IT department. 3.Check Study the actual results (measured and collected in "DO" above) and compare against the expected results (targets or goals from the "PLAN") to ascertain any differences. Look for deviation in implementation from the plan and also look for the appropriateness and completeness of the plan to enable the execution, i.e., "Do". Monitor and Review the ISMS performance.- Implementation of information security management system is not a one-time job. It needs to be constantly monitored and reviewed. Periodic audit should be performed to review the performance of various controls and measures defined in ISMS. Internal audit teams or external consultants could perform the audit. The Security Steering Committee should conduct management review of the performance of ISMS at least once a year. This review should be based on various reports submitted by incident reporting and review processes and internal audit reports. 4.Act Request corrective actions on significant differences between actual and planned results. Analyze the differences to determine their root causes. Determine where to apply changes that will include improvement of the process or product. Maintain the ISMS and ensure continual Improvement-It provides an opportunity to maintain the security in an organized manner and ensure continual improvement. You could ensure that the frequent improvement actually takes place by having the following measures in place: Management review should ensure that appropriate actions are taken on various security lapses reported through the following mechanisms: - Incident response reports - Internal audit reports - External audit reports - Learning from incidents - Disciplinary process New threats may be identified in existing implementations. Constant watch should be kept on the reports posted by security agencies.Periodic risk assessment should be done to evaluate the impact of new threats on the existing security implementation.