
UNIT II

What is Information Systems Security?


Information systems security, also known as INFOSEC, is a broad subject
within the field of information technology (IT) that focuses on protecting
computers, networks, and their users. Almost all modern companies, as well
as many families and individuals, have justified concerns about digital risks
to their well-being. These threats come in all shapes and sizes, including
theft of private information in a database hack, installation of malicious
software on a machine and intentional service disruptions.

Security Program Objectives

• Protect the company and its assets.
• Manage risks by identifying assets, discovering threats and estimating the risk.
• Provide direction for security activities by framing information security policies, procedures, standards, guidelines and baselines.
• Information classification.
• Security organization.
• Security education.
Security Management Responsibilities

• Determining the objectives, scope and policies that are expected to be accomplished by a security program.
• Evaluating business objectives, security risks, user productivity, and functionality requirements.
• Defining steps to ensure that all the above are accounted for and properly addressed.
Approaches to Build a Security Program

• Top-Down Approach
o The initiation, support, and direction come from top management and work their way through middle management and then to staff members.
o Treated as the best approach, but it seems to be based on the "I get paid more, therefore I must know more about everything" type of mentality.
o Ensures that the senior management who are ultimately responsible for protecting the company's assets is driving the program.
• Bottom-Up Approach
o The lower-end team comes up with a security control or a program without proper management support and direction.
o It is often considered less effective and doomed to fail for the same flaw in thinking as above: "I get paid more, therefore I must know more about everything."
Because advancement is tied directly to how well you can convince others, who often fall outside your job duties and department, of your higher value to the company through your own written communication, this produces skilled resume writers and take-no-blame email responses that tend to lead to the eventual failure of the company's standards and actual knowledge. It is often covered up by the relationships that form at the power levels within any group of people, and by so-called experts who have no real idea what is involved under the hood of the reports and applications they use, and who present no proof in their emails when they make self-declared claims of expertise or put the blame on someone else.
Security Controls

Security controls can be classified into three categories.

Administrative Controls, which include:
• Developing and publishing policies, standards, procedures, and guidelines.
• Screening of personnel.
• Conducting security-awareness training.
• Implementing change control procedures.
Technical or Logical Controls, which include:
• Implementing and maintaining access control mechanisms.
• Password and resource management.
• Identification and authentication methods.
• Security devices.
• Configuration of the infrastructure.
Physical Controls, which include:
• Controlling individual access into the facility and different departments.
• Locking systems and removing unnecessary floppy or CD-ROM drives.
• Protecting the perimeter of the facility.
• Monitoring for intrusion.
• Environmental controls.

The Elements of Security


Vulnerability
Definition of vulnerable:
1. capable of being physically or emotionally wounded.
2. open to attack or damage; assailable ("vulnerable to criticism").
3. liable to increased penalties but entitled to increased bonuses after winning a game in contract bridge.

• It is a software, hardware, or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and gain unauthorized access to resources within the environment.
• A vulnerability characterizes the absence or weakness of a safeguard that could be exploited.
• E.g.: a service running on a server, unpatched applications or operating system software, unrestricted modem dial-in access, an open port on a firewall, lack of physical security, etc.
Threat

• Any potential danger to information or systems.
• A threat is the possibility that someone (a person or a piece of software) would identify and exploit the vulnerability.
• The entity that takes advantage of a vulnerability is referred to as a threat agent. E.g.: a threat agent could be an intruder accessing the network through a port on the firewall.
Risk

• Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.
• Reducing the vulnerability and/or the threat reduces the risk.
• E.g.: if a firewall has several ports open, there is a higher likelihood that an intruder will use one of them to access the network in an unauthorized manner.
Exposure

• An exposure is an instance of being exposed to losses from a threat agent.
• A vulnerability exposes an organization to possible damages.
• E.g.: if password management is weak and password rules are not enforced, the company is exposed to the possibility of having users' passwords captured and used in an unauthorized manner.
Countermeasure or Safeguard

• It is an application, a software configuration, hardware, or a procedure that mitigates the risk.
• E.g.: strong password management, a security guard, access control mechanisms within an operating system, the implementation of basic input/output system (BIOS) passwords, and security-awareness training.
The Relation Between the Security Elements

• Example: if a company has antivirus software but does not keep the virus signatures up to date, this is a vulnerability. The company is vulnerable to virus attacks.
• The threat is that a virus will show up in the environment and disrupt productivity.
• The likelihood of a virus showing up in the environment and causing damage is the risk.
• If a virus infiltrates the company's environment, then the vulnerability has been exploited and the company is exposed to loss.
• The countermeasures in this situation are to update the signatures and install the antivirus software on all computers.

System Vulnerability and Abuse


• Security: Policies, procedures and technical measures to prevent
unauthorized access, alteration, theft, or physical damage
• Controls: Methods, policies, and organizational procedures ensure safety
of organization’s assets; accuracy and reliability of accounting records; and
operational adherence to management standards
• Vulnerability through technical, organizational and environmental factors,
poor management decisions, communication layers
• Accessibility of networks
• Hardware problems (breakdowns, configuration errors, damage from
improper use or crime)
• Software problems (programming errors, installation errors, unauthorized
changes)
• Disasters (fires, floods.)
• Use of networks/computers outside of firm’s control
• Loss and theft of portable devices
Internet vulnerabilities
• Network open to anyone; size: abuses can have a wide impact
• Use of fixed Internet addresses creates fixed targets for hackers
• Unencrypted VoIP (Voice over Internet Protocol) (no use of a VPN, Virtual Private Network)
• E-mail, P2P (peer-to-peer networks), IM: interception, attachments with malicious software, transmitting trade secrets

Wireless security challenges


• Radio frequency bands easy to scan
• SSIDs (service set identifiers): Identify access points, Broadcast multiple
times
• War driving: Eavesdroppers drive by buildings and try to detect SSID and
gain access to network and resources, set up rogue access points
• WEP (Wired Equivalent Privacy) and WPA2 (Wi-Fi Protected Access 2)
o Security standards for 802.11; use is optional
o Uses a shared password for both users and the access point

Malware (malicious software)


• Viruses: Rogue software program that attaches itself to other software
programs or data files in order to be executed, deliver “payload”, spread
through humans
• Worms: Independent computer programs that copy themselves from one
computer to other computers over a network
• Trojan horses: Software program that appears to be benign but then does
something other than expected, does not replicate
• Targets include computers, mobile devices and Web 2.0 applications
• SQL injection attacks: hackers submit data to Web forms that exploits the site's unprotected software and sends a rogue SQL query to the database
• Spyware: Small programs install themselves surreptitiously on computers
to monitor user Web surfing activity and serve up advertising
• Key loggers: Record every keystroke on computer to steal serial numbers,
passwords, launch Internet attacks
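The SQL injection item above is easiest to understand from code. The following is an added example (not from the notes) using Python's standard-library sqlite3 module on an in-memory database with a constructed users table: the same login check written once by string concatenation (the "unprotected software" of the notes) and once as a parameterized statement, which is the standard fix.

```python
"""SQL injection: vulnerable login versus parameterized login (added example).

Uses the standard-library sqlite3 module with an in-memory database and a
constructed users table so that it runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; plaintext passwords only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "battery-staple")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the statement by string concatenation, so form input is parsed as SQL."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized statement: the driver binds the values and never parses them as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Runs the same inputs through both versions; the difference is the lesson."""
    conn = make_db()
    rogue = "x' OR '1'='1"            # form input that changes the query's logic
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "valid_safe": login_safe(conn, "alice", "correct-horse"),
        "wrong_vulnerable": login_vulnerable(conn, "alice", "wrong"),
        "wrong_safe": login_safe(conn, "alice", "wrong"),
        "rogue_vulnerable": login_vulnerable(conn, "alice", rogue),
        "rogue_safe": login_safe(conn, "alice", rogue),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18s} login accepted: {accepted}")
```

With the concatenated version the rogue input turns the WHERE clause into a condition that is always true, so the login succeeds without a password; with the parameterized version the same string is compared as a literal password and rejected. Input validation on the form helps, but binding parameters is the control that removes the vulnerability.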

Hackers and computer crime


• Hackers vs. crackers (criminal intent): unauthorized access by exploiting weaknesses in security protections
• System intrusion and system damage
• Cybervandalism: intentional disruption, defacement, or destruction of a Web site or corporate information system
• Spoofing
o Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
o Redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination
• Sniffer: eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information such as e-mail, company files, etc.
• Denial-of-service attacks (DoS): flooding a server with thousands of false requests to crash the network
• Distributed denial-of-service attacks (DDoS): use of numerous computers to launch a DoS
• Botnets: networks of "zombie" PCs infiltrated by bot malware
• Computer crime: "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution"
o The computer may be the target of crime, e.g. breaching the confidentiality of protected data, accessing a computer system without authority
o The computer may be the instrument of crime, e.g. theft of trade secrets, using e-mail for threats or harassment
• Identity theft: theft of personal information (social security ID, driver's license or credit card numbers) to impersonate someone else
• Phishing: setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data
• Evil twins: wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet (e.g. to log credit card numbers)
• Pharming: redirects users to a bogus Web page even when the individual types the correct Web page address into his or her browser (possible when attackers gain access to the Internet address information stored by Internet service providers to speed up Web browsing, and the ISPs have flawed software in their servers that can be hacked into to change addresses)
• Click fraud: occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase
• Global threats: cyberterrorism and cyberwarfare, targeting software that runs electrical power grids, air traffic control systems, networks of major banks
Internal threats: employees
• Security threats often originate inside an organization, through leaking of inside knowledge
• Sloppy security procedures, users' lack of knowledge
• Social engineering: tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information
• End users entering faulty data, not following instructions
• IS specialists: errors in design, development, maintenance
Software vulnerability
• Commercial software contains flaws that create security vulnerabilities
– Hidden bugs (program code defects); zero defects cannot be achieved because complete testing is not possible with large programs
– Flaws can open networks to intruders, impede performance
• Patches: vendors release small pieces of software to repair flaws (patch management by users); however, exploits are often created faster than patches can be released and implemented

Business Value of Security and Control


• Failed computer systems can lead to significant or total loss of business function
• Confidential personal and financial data, trade secrets, new products, strategies
• A security breach may cut into a firm's market value almost immediately
• Inadequate security and controls also bring forth issues of liability
• Strong security: high ROI, employee productivity, lower operational costs
Legal and regulatory requirements for electronic records management and privacy protection
• Protection of data from abuse, exposure, unauthorized access
• HIPAA: medical security and privacy rules and procedures
• Gramm-Leach-Bliley Act: requires financial institutions to ensure the security and confidentiality of customer data
• Sarbanes-Oxley Act: imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally
Electronic evidence
• Evidence for white collar crimes is often in digital form: data on computers, e-mail, instant messages, e-commerce transactions
• Proper control of data can save time and money when responding to legal discovery requests

Computer forensics:
• Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law
• Includes recovery of ambient and hidden data; a plan is needed

Establishing a Framework for Security and Control


Where is the company at risk, what controls must be in place, a security policy, and plans for keeping the business running if information systems are not operational.

Information systems controls


• Manual and automated controls
• General and application controls

General controls
• Govern design, security, and use of computer programs and security of
data files in general throughout organization’s IT infrastructure.
• Apply to all computerized applications
• Combination of hardware, software, and manual procedures to create
overall control environment
• Types of general controls: Software controls, Hardware controls, Computer
operations controls, Data security controls, Implementation controls,
Administrative controls

Application controls
• Specific controls unique to each computerized application, such as payroll
or order processing
• Include both automated and manual procedures
• Ensure that only authorized data are completely and accurately
processed by that application
• Input controls: authorization, conversion, editing, error handling
• Processing controls: updating
• Output controls

Risk assessment
• Determines level of risk to firm if specific activity or process is not properly
controlled
• Determine value of info assets, points of vulnerability, likely frequency of
the problem, potential for damage
• Concentration on the control points with greatest vulnerability and
potential for loss

Security policy
• Ranks information risks, identifies acceptable security goals, and identifies
mechanisms for achieving these goals, most important assets
• Acceptable use policy (AUP): Defines acceptable uses of firm’s information
resources and computing equipment, unacceptable, consequences
• Authorization policies: Determine differing levels of user access to
information assets

Identity management
• Business processes and tools to identify valid users of system and control
access: Identifies and authorizes different categories of users, Specifies
which portion of system users can access, Authenticating users and protects
identities
• Identity management systems: Captures access rules for different levels of
users
Disaster recovery planning: devises plans for restoration of disrupted services
Business continuity planning: focuses on restoring business operations after a disaster
MIS audit
• Examines firm’s overall security environment as well as controls governing
individual information systems, data quality
• Reviews technologies, procedures, documentation, training, and personnel
• Simulate disaster to test response of technology, IS staff, other employees
• Lists and ranks all control weaknesses and estimates probability of their
occurrence, Assesses financial and organizational impact of each threat

Technologies and Tools for Protecting Information Resources


Identity management software
• Automates keeping track of all users and privileges
• Authenticates users, protecting identities, controlling access
• Authentication: Password systems, Tokens, Smart cards, Biometric
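Password systems are the first authentication method listed, and weak password management is the exposure example given earlier in the notes. The following added example (not from the notes) shows what "strong password management" looks like in code: a policy enforced when a password is set, storage as a salted and iterated hash using PBKDF2-HMAC-SHA256 from the Python standard library, and constant-time verification. The policy thresholds, iteration count and the in-memory CredentialStore are constructed for the illustration.

```python
"""Password management (added example; not from the notes).

Shows the countermeasure the notes call "strong password management": rules
enforced when a password is set, storage as a salted, iterated hash
(PBKDF2-HMAC-SHA256 from the standard library) so that a captured credential
store does not directly yield passwords, and constant-time verification.
The policy thresholds and iteration count are constructed choices.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000     # constructed; raise until verification costs ~100 ms on real hardware
MIN_LENGTH = 12


def password_meets_policy(password: str) -> bool:
    """Minimum length plus at least three of four character classes."""
    if len(password) < MIN_LENGTH:
        return False
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    return sum(classes) >= 3


def hash_password(password: str, salt: bytes = None) -> str:
    """Returns 'iterations$salt_hex$digest_hex'; a fresh random salt per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recomputes the hash with the stored salt and iteration count."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison: do not leak how many bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


# Verified for unknown usernames so that timing does not reveal which names exist.
_DUMMY_HASH = hash_password("placeholder-password-for-unknown-users")


class CredentialStore:
    """Constructed in-memory store that enforces the policy at enrollment."""

    def __init__(self):
        self._users = {}

    def enroll(self, username: str, password: str) -> bool:
        if not password_meets_policy(password):
            return False
        self._users[username] = hash_password(password)
        return True

    def authenticate(self, username: str, password: str) -> bool:
        stored = self._users.get(username)
        if stored is None:
            verify_password(password, _DUMMY_HASH)   # same cost as a real check
            return False
        return verify_password(password, stored)


if __name__ == "__main__":
    store = CredentialStore()
    print("weak password accepted:", store.enroll("alice", "weak"))
    print("policy-compliant password accepted:", store.enroll("alice", "Correct-Horse-42"))
    print("login with right password:", store.authenticate("alice", "Correct-Horse-42"))
    print("login with wrong password:", store.authenticate("alice", "guess"))
```

The salt makes every stored hash unique, so two users with the same password do not share a hash and precomputed tables do not apply; the iteration count makes each guess expensive for anyone who captures the store; the dummy verification keeps the response time for unknown usernames indistinguishable from that for known ones.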

Firewall: Combination of hardware and software that prevents unauthorized


users from accessing private networks
• Static packet filtering: examines selected fields in headers of individual
packets
• Stateful inspections: track info over multiple packets, part of approved
conversation, legitimate connection
• Network address translation (NAT): conceals IP addresses of internal
host computers
• Application proxy filtering: examines app content of packets
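Static packet filtering and stateful inspection differ in one thing: memory of previous packets. The following added example (not from the notes) runs a constructed packet stream through both kinds of filter for an internal network on the 10.0.0.0/24 prefix that publishes a single service on port 443; the addresses, ports and the published service are assumptions made for the illustration.

```python
"""Static packet filtering versus stateful inspection (added example; not from the notes).

A constructed packet stream is run through two filters for a network whose
inside hosts use the 10.0.0.0/24 prefix and publish one service on port 443.
The static filter decides per packet from header fields alone; the stateful
filter also remembers which connections inside hosts opened, so it can admit
the replies without leaving inbound high ports open to everyone.
"""
from dataclasses import dataclass
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/24")   # constructed internal network
PUBLISHED_PORTS = {443}                          # services reachable from outside


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # first packet of a TCP connection


def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE


def static_filter(pkt: Packet) -> bool:
    """Stateless rules. To let replies to outbound connections back in, the
    classic rule set has to allow inbound traffic to all ports above 1023,
    which also admits unsolicited packets to those ports."""
    if is_inside(pkt.src):
        return True                      # outbound: allow
    return pkt.dport in PUBLISHED_PORTS or pkt.dport > 1023


class StatefulFirewall:
    """Tracks conversations the inside opened; an inbound packet must belong
    to one of them or be addressed to a published service."""

    def __init__(self):
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            if pkt.syn:      # inside host starts a conversation: remember it
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return True      # reply belonging to an approved conversation
        return pkt.dport in PUBLISHED_PORTS


# Constructed stream (documentation address ranges for the outside hosts).
STREAM = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True),   # inside host opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 51000),             # the server's reply
    Packet("198.51.100.7", 40000, "10.0.0.9", 8080),            # unsolicited, high port
    Packet("198.51.100.7", 40000, "10.0.0.9", 22),              # unsolicited, SSH port
    Packet("198.51.100.7", 40001, "10.0.0.3", 443),             # client of the published service
]


def compare(stream=STREAM):
    """Per-packet decisions of both filters, in stream order."""
    stateful = StatefulFirewall()
    return [static_filter(p) for p in stream], [stateful.allow(p) for p in stream]


if __name__ == "__main__":
    static_decisions, stateful_decisions = compare()
    for pkt, s1, s2 in zip(STREAM, static_decisions, stateful_decisions):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  static={s1}  stateful={s2}")
```

The third packet is the point of the comparison: the static filter must accept it because it cannot tell an unsolicited packet from a reply, while the stateful filter rejects it because no inside host opened that conversation. A production firewall would also expire table entries when a connection closes or times out.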

Intrusion detection systems:


• Monitor hot spots on corporate networks to detect and deter intruders
• Examine events as they are happening to discover attacks in progress
• Raise an alarm or shut down a sensitive part of the network
Antivirus and antispyware software:
• Checks computers for the presence of malware and can often eliminate it as well
• Requires continual updating
Unified threat management (UTM) systems: firewalls, VPNs, IDS, web content filtering, anti-spam software

Securing wireless networks


• WEP can provide some security by assigning a unique name to the network's SSID and not broadcasting the SSID, and by using it with VPN technology
• The Wi-Fi Alliance finalized the WPA2 specification, replacing WEP with stronger standards: continually changing keys, and an encrypted authentication system with a central server

Encryption
· Transforming text or data into cipher text that cannot be read by unintended recipients; requires an encryption key
· Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS): secure the connection between two computers
· Secure Hypertext Transfer Protocol (S-HTTP): limited to individual messages
· Symmetric key encryption: sender and receiver use a single, shared key
· Public key encryption: uses two mathematically related keys, a public key and a private key; the sender encrypts the message with the recipient's public key, and the recipient decrypts it with the private key
Digital certificate:
· Data file used to establish the identity of users and electronic assets for protection of online transactions
· Uses a trusted third party, the certification authority (CA), to validate a user's identity
· The CA verifies the user's identity and stores the information in the CA server, which generates an encrypted digital certificate containing the owner's ID information and a copy of the owner's public key

Public key infrastructure (PKI)

· Use of public key cryptography working with a certificate authority
· Widely used in e-commerce
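The public key, digital certificate and PKI items above fit into one short program. The following is an added example (not from the notes): textbook RSA over small fixed primes stands in for a real key pair so that only the Python standard library is needed (the key size is illustrative, not secure), and a constructed CertificationAuthority class plays the CA role described in the notes: it issues a certificate only for an identity it has verified, signs the certificate body with its private key, and a relying party accepts the contained public key only if the CA's signature checks out. The CA name, the subject "alice" and the prime values are assumptions made for the illustration.

```python
"""Public key encryption, digital signatures and a certification authority
(added example; not from the notes).

Textbook RSA over small fixed primes stands in for a real key pair so the code
needs only the standard library; the key size is illustrative, not secure.
The certificate flow follows the notes: the CA checks the subject's identity
against what it has verified, records the subject and its public key in a
certificate, signs it with the CA private key, and a relying party checks that
signature with the CA public key before trusting the subject's public key.
"""
import hashlib
import json


def make_keypair(p: int, q: int, e: int = 65537):
    """Returns ((n, e), (n, d)): the public and the private key (textbook RSA)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # modular inverse, Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Sender encrypts with the recipient's public key (m must be below n)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message too large for this key")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Recipient decrypts with the private key."""
    n, d = private_key
    return pow(c, d, n)


def _digest(data: bytes, n: int) -> int:
    """SHA-256 of the data, reduced into the key's modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    """Signature = digest raised to the private exponent."""
    n, d = private_key
    return pow(_digest(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Anyone with the public key can check the signature against the data."""
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)


def canonical(body: dict) -> bytes:
    """Stable byte encoding of the certificate body for signing."""
    return json.dumps(body, sort_keys=True).encode("utf-8")


class CertificationAuthority:
    """Constructed CA: issues certificates only for identities verified out of band."""

    def __init__(self, name: str, public_key, private_key, verified_identities):
        self.name = name
        self.public_key = public_key
        self._private_key = private_key
        self._verified = set(verified_identities)

    def issue(self, subject: str, subject_public_key):
        """Returns a signed certificate, or None if the identity was not verified."""
        if subject not in self._verified:
            return None
        body = {"issuer": self.name, "subject": subject,
                "public_key": list(subject_public_key)}
        return {"body": body, "signature": sign(self._private_key, canonical(body))}


def verify_certificate(cert: dict, ca_public_key) -> bool:
    """Relying party: trust the contained public key only if the CA's signature holds."""
    return verify(ca_public_key, canonical(cert["body"]), cert["signature"])


# Constructed keys (small primes; for illustration only).
CA_PUBLIC, CA_PRIVATE = make_keypair(1000003, 1000033)
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(999983, 1000037)
CA = CertificationAuthority("Example CA", CA_PUBLIC, CA_PRIVATE, {"alice"})

if __name__ == "__main__":
    cert = CA.issue("alice", ALICE_PUBLIC)
    print("certificate valid:", verify_certificate(cert, CA_PUBLIC))
    message = int.from_bytes(b"hi", "big")
    print("round trip ok:", decrypt(ALICE_PRIVATE, encrypt(ALICE_PUBLIC, message)) == message)
```

Two checks worth noticing: a certificate whose subject field is altered after signing fails verification, because the signature covers the whole body, and a certificate verified against the wrong CA key fails as well, which is why a relying party needs a trusted copy of the CA's public key in the first place. A real PKI adds expiry dates, revocation and certificate chains on top of this skeleton.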

Ensuring system availability: online transaction processing requires 100% availability, no downtime

• Fault-tolerant computer systems: contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service
• High-availability computing
o Helps recover quickly from a crash; minimizes but does not eliminate downtime
o Backup servers, multiple server distribution, high-capacity storage, good disaster recovery and business continuity plans
• Recovery-oriented computing: designing systems that recover quickly, with capabilities to help operators pinpoint and correct faults in multi-component systems
• Controlling network traffic: deep packet inspection (DPI) for video and music blocking, using prioritizing
• Security outsourcing: managed security service providers (MSSPs)

Security in the cloud


• Responsibility for security resides with the company owning the data
• Firms must ensure that providers provide adequate protection
• Service level agreements (SLAs) including controls

Securing mobile platforms


• Security policies should include and cover any special requirements for
mobile devices
• Tools to authorize all devices in use, maintain inventory records, updates,
lock

Ensuring software quality (software metrics and testing)


• Software metrics: Objective assessments of system in form of quantified
measurements, identify problems as they occur
• Carefully designed, formal, objective, used consistently
• Examples: Number of transactions, Online response time, Payroll checks
printed per hour, Known bugs per hundred lines of code
• Early and regular testing to uncover errors
• Walkthrough: Review of specification or design document by small group
of qualified people
• Debugging: Process by which errors are eliminated
