MANAGING INFORMATION SECURITY

IS Security threats
An information security threat can be defined as any condition that may result in, or has the potential to result in, a condition that might lead to loss, misuse, fraud, misrepresentation, destruction, modification or denial of data and other information processing resources that may cause financial or operational hardships to

Security: The Need


Security breaches can be very expensive in terms of business disruption and the financial losses that may result
Increasing volumes of sensitive information are transferred across the internet or intranets connected to it
Widespread sharing of internet links to transport business data
Directors of business organizations are increasingly required to provide effective information security

Goals of Network Security


Confidentiality: available to authorized systems or individuals only
Integrity: data is not manipulated without authorization or accidentally
Availability: guarantee access to a service or resources to authorized users
Accountability/non-repudiation: none of the parties involved can deny an operation at a later date
Authentication: confirming a user's identity

Type of Security Threats


4 basic types:
Access
Modification
Denial of service and
Repudiation

Type of Security Threats: Access


primarily directed towards gaining unauthorized access to the information and IS resources
Directed towards breaching confidentiality
Uses Network capture programs or Sniffers
Threats include
Snooping
Eavesdropping
Interception

Type of Security Threats: Modification


primarily directed towards breaching integrity of data resources
Data is susceptible to such threats at storage as well as in transit
Threats include
Changes
Insertions
Deletions

Type of Security Threats: Denial of services

explicit attempt by attackers to prevent legitimate users of a service from using that service.
Examples may include:
attempts to flood a network, thereby preventing legitimate network traffic
attempts to disrupt connections between two machines, thereby preventing access to a service
attempts to prevent a particular individual from accessing a service
attempts to disrupt service to a specific system or person

Type of Security Threats: Denial of services

There are three basic types of Denial of Service attack:
Consumption of scarce, limited, or nonrenewable resources
Destruction or alteration of configuration information
Physical destruction or alteration of network components

Type of Security Threats: Repudiation


attack against the accountability of the information
attempt to either provide false information or to claim that an event occurred when it actually did not happen
Threats include
Masquerading
Denying an Event

Sources of Security Threats


Security vulnerabilities may arise due to
Network and Hardware Design
lack of unambiguous system blueprint,
new developments and subsequent additions of components to the system
attempts to connect to incompatible components
over-reliance on open-source infrastructure
over-emphasis on simplifying access and use of resources

Sources of Security Threats


Security vulnerabilities may arise due to
Software Security Holes
Security loopholes and bugs
Communication protocols
Incompatible software
Open-source applications
Malware (Worms, Viruses, Trojan Horses, Rootkits, etc.)

Sources of Security Threats


Security vulnerabilities may arise due to
IT and Access Policies
User profiling and authentication
Access control to information system resources
Lack of clearly defined IT/IS usage policies and their ineffective implementation
Lack of or ambiguous IT risk assessment and mitigation procedures

Countermeasures
Access Control
Hardware-based Access Control Systems
Access terminal
Visual event monitoring
Identification cards
Biometric identification
Video surveillance
Password Schemes
Firewalls

Firewalls: A Special Access Control Mechanism

Countermeasures
Software Vulnerability Control
one of the most important parts of computer and network security for the following reasons.
Virus programs use vulnerabilities in operating system and application software to gain unauthorized access, spread, and do damage.
Intruders use vulnerabilities in operating system and application software to gain unauthorized access, attack other systems, and do damage.
Some software itself may be hostile

Countermeasures
Software Vulnerability Control
Keep anti-malware programs current and updated
Update software security patches
Restrict installation and use to approved software only
Manage device profiles
Periodic check and updating of software vulnerability assessment and countermeasures

Countermeasures
Cryptography
Symmetric / Secret key cryptography
Asymmetric / Public key cryptography
Hash functions
Digital signatures

Cryptographic techniques

Identifying and managing IT risks


A useful way of recognizing threats is to classify them as follows:
Physical threats
Logical threats
Technical failure
Infrastructure failure
Human error

Risk Management Procedure


Structured way of controlling risk
Typical approach includes:
Risk Identification
Risk assessment
Risk mitigation
risk reduction
impact reduction
Contingency planning

Managing Risk: Risk Identification


Industry surveys and reports
Critical process mapping
What-if analysis
Maintenance of risk register

Managing Risk: Risk Assessment


base risk assessment on the following factors:
the probability or likelihood of each risk materializing
the cost or impact of the problem if it did happen

quantitative assessment of risks would be the numerical product of these two factors

Managing Risk: Risk Mitigation


Risk Reduction
reduce the probability of the risk affecting business in the first place
Risk avoidance
Adopting best-practices and benchmarks

Impact Reduction
Fully understand the nature of the problem
Put in early detection mechanisms and periodic checks/assessments
Implement fail-safe mechanisms
Risk transfer

Managing Risk: Contingency Planning


impact-reduction measure
describe in detail what to do if a particular problem occurs
need a contingency plan when:
a risk that you think has a high chance of happening and will have a high impact
cannot reduce the risk to an acceptable level
residual risk is still so large that you need to take a structured approach to reduce its likely impact
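
Added example (not part of the original slides): a small Python risk register that applies the probability x impact assessment, then the risk-reduction and impact-reduction steps, and flags every risk whose residual exposure stays above an acceptable level as needing a contingency plan. The reduction fractions, the acceptable level and the sample register are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability: float             # likelihood of the risk materializing (0..1)
    impact: float                  # cost if it does happen, in currency units
    prob_reduction: float = 0.0    # assumed fraction of probability removed by risk reduction
    impact_reduction: float = 0.0  # assumed fraction of impact removed by impact reduction

    def __post_init__(self):
        for field in ("probability", "prob_reduction", "impact_reduction"):
            if not 0.0 <= getattr(self, field) <= 1.0:
                raise ValueError(f"{self.name}: {field} must be between 0 and 1")
        if self.impact < 0:
            raise ValueError(f"{self.name}: impact must not be negative")

    def exposure(self) -> float:
        """Quantitative assessment: probability x impact, before mitigation."""
        return round(self.probability * self.impact, 2)

    def residual(self) -> float:
        """Exposure left after risk reduction and impact reduction are applied."""
        p = self.probability * (1 - self.prob_reduction)
        i = self.impact * (1 - self.impact_reduction)
        return round(p * i, 2)


def assess(register, acceptable_level):
    """Rank risks by residual exposure; flag those still above the acceptable level."""
    ranked = sorted(register, key=lambda r: r.residual(), reverse=True)
    return [
        {"name": r.name, "exposure": r.exposure(), "residual": r.residual(),
         "contingency_plan": r.residual() > acceptable_level}
        for r in ranked
    ]


# Constructed sample register (illustrative figures, not from the slides).
REGISTER = [
    Risk("Malware outbreak on file server", 0.30, 200_000, 0.5, 0.5),
    Risk("Data-centre power failure", 0.05, 500_000, 0.0, 0.2),
    Risk("Operator deletes records", 0.50, 10_000, 0.4, 0.5),
]

if __name__ == "__main__":
    for row in assess(REGISTER, acceptable_level=18_000):
        print(row)
```

The malware risk has the largest exposure before mitigation, but the power failure ranks first afterwards because little can be done to lower its probability, which is the case the slide describes as needing a contingency plan.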

Managing Risk: Contingency Planning


The main considerations that you should address in a contingency plan are:
Scope - what particular risk the contingency plan is designed for
Initiation - how you will know when to put the plan into action
Actions - what sequence of actions you will take in order to control the problem and minimize its impact
Roles and responsibilities - who will do what and when

Business Continuity Plan (BCP) - involves planning for the rapid acquisition of temporary buildings, reciprocal arrangements with other organizations, special staffing arrangements etc.
