SPCI103

POSTGRADUATE COURSE
M.Sc., Cyber Forensics and Information Security

FIRST YEAR
FIRST SEMESTER

CORE PAPER - III

INTRODUCTION TO INFORMATION
SECURITY

INSTITUTE OF DISTANCE EDUCATION

UNIVERSITY OF MADRAS
M.Sc., Cyber Forensics and Information Security CORE PAPER - III
FIRST YEAR - FIRST SEMESTER INTRODUCTION TO
INFORMATION SECURITY

WELCOME
Warm Greetings.

It is with a great pleasure to welcome you as a student of Institute of Distance

Education, University of Madras. It is a proud moment for the Institute of Distance education
as you are entering into a cafeteria system of learning process as envisaged by the University
Grants Commission. Yes, we have framed and introduced Choice Based Credit
System(CBCS) in Semester pattern from the academic year 2018-19. You are free to
choose courses, as per the Regulations, to attain the target of total number of credits set
for each course and also each degree programme. What is a credit? To earn one credit in
a semester you have to spend 30 hours of learning process. Each course has a weightage
in terms of credits. Credits are assigned by taking into account of its level of subject content.
For instance, if one particular course or paper has 4 credits then you have to spend 120
hours of self-learning in a semester. You are advised to plan the strategy to devote hours of
self-study in the learning process. You will be assessed periodically by means of tests,
assignments and quizzes either in class room or laboratory or field work. In the case of PG
(UG), Continuous Internal Assessment for 20(25) percentage and End Semester University
Examination for 80 (75) percentage of the maximum score for a course / paper. The theory
paper in the end semester examination will bring out your various skills: namely basic
knowledge about subject, memory recall, application, analysis, comprehension and
descriptive writing. We will always have in mind while training you in conducting experiments,
analyzing the performance during laboratory work, and observing the outcomes to bring
out the truth from the experiment, and we measure these skills in the end semester
examination. You will be guided by well experienced faculty.

I invite you to join the CBCS in Semester System to gain rich knowledge leisurely at
your will and wish. Choose the right courses at right times so as to erect your flag of
success. We always encourage and enlighten to excel and empower. We are the cross
bearers to make you a torch bearer to have a bright future.

With best wishes from mind and heart,

DIRECTOR

(i)
M.Sc., Cyber Forensics and Information Security CORE PAPER - III
FIRST YEAR - FIRST SEMESTER INTRODUCTION TO
INFORMATION SECURITY

COURSE WRITER

Mr. Mahesh Balakrishnan

Information Security Consultant
Chennai

EDITOR

Dr. N. Kala
Director i/c,
Centre for Cyber Forensics and Information Security
University of Madras, Chepauk,
Chennai – 600 005.
Dr. S. Thenmozhi
Associate Professor
Department of Psychology
Institute of Distance Education
University of Madras
Chepauk Chennnai - 600 005.

© UNIVERSITY OF MADRAS, CHENNAI 600 005.

(ii)
 M.Sc., Cyber Forensics and Information Security

FIRST YEAR

FIRST SEMESTER

Core Paper - III

INTRODUCTION TO INFORMATION SECURITY

SYLLABUS

Unit 1: Overview of Information Security - What is Information and why should be

protect it? - Information Security - Threats - Frauds, Thefts, Malicious Hackers, Malicious
Code, Denial-of-Services Attacks and Social Engineering - Vulnerability – Types - Risk –
an introduction - Business Requirements - Information Security Definitions - Security
Policies - Tier1 (Origination-Level), Tier2 (Function Level), Tier3 (Application/Device Level)
– Procedures - Standards - Guidelines

Unit 2: Information Asset Classification - Why should we classify information? -

Information Asset – Owner, Custodian, User - Information Classification - Secret,
Confidential, Private and Public – Methodology - Declassification or Reclassification -
Retention and Disposal of Information Assets - Provide Authorization for Access – Owner,
Custodian, User

Unit 3: Risk Analysis & Risk Management - Risk Analysis Process - Asset Definition -
Threat Identification - Determine Probability of Occurrence - Determine the Impact of the
Threat - Controls Recommended - Risk Mitigation - Control Types/Categories - Cost/
Benefit Analysis

Unit 4: Access Control - User Identity and Access Management - Account Authorization
- Access and Privilege Management - System and Network Access Control - Operating
Systems Access Controls - Monitoring Systems Access Controls - Intrusion Detection
System - Event Logging - Cryptography

Unit 5: Physical Security - Identify Assets to be Protected - Perimeter Security - Fire

Prevention and Detection - Safe Disposal of Physical Assets.

(iii)
 M.Sc., Cyber Forensics and Information Security

FIRST YEAR

FIRST SEMESTER

Core Paper - III

INTRODUCTION TO INFORMATION SECURITY

SCHEME OF LESSONS

Sl.No. Title Page

1 Overview of Information Security 001

2 Attacks on Information security 014

3 Information Security Governance 038

4 Information Asset Classification 059

5 Risk Analysis and Risk Management 070

6 Access Control 085

7 Physical Security 100

(v)
 1

UNIT - 1
OVERVIEW OF INFORMATION SECURITY
Learning Objectives

After reading this lesson you will be able to understand the following

· The need for protecting Information

· Information security

· Threats

· Vulnerability

· Risk

· Security Definitions

· Security Policies, Procedures, Standards and Guidelines

Structure
1.1. Introduction

1.2. Information

1.2.1. The need for protecting Information

1.2.2. Information security

1.2.2.1. CIA Triangle

1.2.3. Balanced Security

1.2.4. Security Concepts

1.2.4.1. Threats

1.2.4.2. Vulnerability

1.2.4.3. Risk

1.2.4.4. Exposure

1.2.4.5. Control
2

1.1. Introduction
In this lesson we are going to discuss about information security and more so on the
information security governance – so much so the program, and the components of information
security as such.The objective of information security is to protect the information.

1.2. Information
Data can be defined as something that represents a fact. This can be in many forms such
as text, numbers, graphics, sound, videos and the like. Some view information as processed
data. In fact information is data in context. Any communication or representation of knowledge
such as facts, data, or opinions in any medium or form, including textual, numerical, graphic,
cartographic, narrative, or audiovisual could be included in such a process. Information is used
at every level of the enterprise like operational, management and governance levels. Information
is one energizes every business function which relies on technological and other facets including
the field of information technology on itself. As such information contributes to the achievement
of overall organization’s objectives.

1.2.1. The need for protecting Information

Information and information systems which helps us to store, process and retrieve the
right type of information to the right type of user of such information at the right time. This sort
of protection helps information and information systems from unauthorized access, use,
disclosure, disruption, modification or destruction in order to provide confidentiality, integrity
and availability. Thus it is evident that information is an asset and the same needs to be protected
from internal and external resources.

1.2.2. Information Security

The Committee on National Security Systems (CNSS) defines information security as the
protection of information and its critical elements, including the systems and hardware that use,
store, and transmit that information.
1.2.2.1. CIA Triangle

The CIA triad helps in protecting information within an organization in a secured manner
and there by safeguard the critical assets of the organization by protecting against disclosure
to unauthorized users (Confidentiality), improper modification (Integrity) and non-access when
required (Availability).
 3

1.2.2.1.1. Confidentiality: Confidentiality helps to ascertain whether information is to be

kept secret or private by employing mechanisms, such as encryption which will render the data
useless if accessed in an unauthorized manner. Necessary level of secrecy is enforced and
unauthorized disclosure is prevented.

1.2.2.1.2. Integrity:Integrity deals with the provision of accuracy and reliability of the
information and systems. Information should not be modified in an unauthorized manner by
providing the necessary safety measures for timely detection of unauthorized changers.

1.2.2.1.3. Availability: Availability ensures that information is available when it is needed.

Reliable and timely access to data and resources is provided to authorized individuals. This can
be accomplished by implementing tools ranging from battery backup at the data center, to a
content distribution network in the cloud.

Figure 1.1 depicts the CIA triangle which forms the core components of information security
as such.

Figure 1.1: CIA Triangle.

Confidentiality means preserving authorized restrictions on access and disclosure including

means for protecting privacy and proprietary information.Only authorized individuals, processes,
or systems should have access to information on a need-to-know basis.

Confidentiality can be provided by encrypting data as it is stored and transmitted by

enforcing strict access control and data classification. Confidentiality can be achieved by the
following:
4

 Encryption for data at rest (whole disk, database encryption)

 Encryption for data in transit (IPSec, TLS, PPTP, SSH)

 Access control (physical and technical)

Integrity means guarding against improper information modification or destruction and

also ensuring information non-repudiation and authenticity. Integrity is the principle that
information should be protected from intentional, unauthorized, or accidental changes. Integrity
can be achieved by the following:

 Hashing (data integrity)

 Configuration management (system integrity)
 Change control (process integrity)
 Access control (physical and technical)
 Digital Signature
 Transmission CRC functions

Availability ensures timely and reliable access to and use of information to authorized
users when needed. Availability can be achieved by the following:

 RAID (Redundant Array of Independent Disks)

 Clustering

 Load balancing

 Redundant data and power lines

 Software and data backups

 Disk shadowing

 Co-location and offsite facilities

 Rollback functions

 Failover configurations

1.2.3. Balanced Security

It is impossible to obtain perfect information security. Information security is a process,

not a goal. It is possible to make a system available to anyone, anywhere, anytime, through any
means. However such unrestricted access poses a danger to the security of the information.
 5

On the other hand, a completely secure information system would not allow anyone to
access information. To achieve balance, operate an information system that satisfies the user
and the security professional—the security level must allow reasonable access, yet protect
against threats.

Figure 1.2 shows some of the competing voices that must be considered when balancing
information security and access.

Figure 1.2: Balance Information Security

Based on security concerns and issues, an information system or data-processing

department can get very much focused in the management and protection of systems. An
imbalance can occur when the needs of the end user are undermined by too much of focus on
protecting and administering the information systems. Both the information security technologists
and the end users must recognize that both groups share the same overall goals of the
organization to ensure the data is available based on when, where, and how it is required.

1.2.4. Other Inclusive Security Concepts

Along with the CIA Triad other security related concepts and principles need to be
considered while designing security solutions. They include Identification, Authentication,
Authorization, Accountability (IAAA), Non-Repudiation.
6

1.2.4.1. IAAA

The acronym IAAA represents Identification, Authentication, Authorization and

Accountability. Figure 1.3 portrays the elements of IAAA.

Figure 1.3 Elements of IAAA

1.2.4.2. Subject and Object

A subject involves the process of people accessing data files from a data system. Computer
programs are subjects as well. For example a Dynamic Link Library file or a Perl script that
updates database files with new information is also a subject. In fact a subject is an active entity
on a data system. Subject – (Active) Most often users, but can also be programs – Subjects
manipulate object.

While on the other hand an object is any passive data within the system. They range from
documents on physical paper to database tables to text files. The important thing one should
remember about objects is that they are passive within the system as they do not manipulate
other objects. Object – (Passive) any passive data (both physical paper and data) – Objects
are manipulated by subject.

A computer can be either the subject of an attack—an agent entity used to conduct the
attack—or the object of an attack—the target entity. A computer can be both the subject and
object of an attack, when, for example it is compromised by an attack (object), and is then used
to compromise other systems (subject)

Figure 1.4 portrays the subject and object aspects of IAAA.

 7

Figure 1.4: Subject and Object – IAAA

1.2.4.2.1. Access

It refers to the subject or object’s ability to use, manipulate, modify, or affect another
subject or object. Authorized users have legal access to a system, whereas hackers have
illegal access to a system. In this regard access controls regulates access.

1.2.4.2.2. Identification

Identification is a process by which a subject claims to be identified as a subject. A subject

must provide an identity to a system to start the process of authentication, authorization and
accountability (AAA). Without an identity, a system has no way to correlate an authentication
factor with the subject. Providing identity involves typing in a username, speaking a phrase,
positioning for biometrics. Once an identity is established, the identity is accountable for further
actions performed by that subject.

1.2.4.2.3. Authentication

Providing mere identity does not imply access or authority. The identity must be proven or
verified before access can be granted to controlled resources. The process of verifying or
testing that the claimed identity being valid is authentication. The most common form of
authentication is using a password. Authentication verifies the identity of the subject by comparing
one or more factors against the database of valid identities. The capability of the subject and
the system to maintain the secrecy of authentication reflects the level of security of that system.
Identification and authentication are always used together. Providing an identity is the first step
and providing the authentication factors is the second step.
8

1.2.4.2.4. Authorization

Once a subject is authenticated, access must be authorized. The process of authorization

ensures that the requested access to an object is granted provided the rights are assigned to
the authenticated identity. The system evaluates the access control matrix that compares the
subject, the object and the intended activity. If the action requested is not allowed, the subject
is not authorized to access the object.

1.2.4.2.5. Accountability

Security can be maintained provided the subjects are held accountable for their actions.
Accountability relies on the capability to prove subject’s identity and authentication factors.

1.2.4.2.6 Non-repudiation

Non-repudiation prevents a subject from claiming not to have performed an action or not
to have been the cause of an event. It ensures that an activity of a subject is held accountable
for the subject’s actions. The subject cannot deny later that the actions were not performed by
the subject. If non-repudiation is not built into the system and enforced, it is impossible to verify
and ascertain the action performed by that specific entity. It is an essential part of accountability.

1.3. Security Concepts

The important concepts of security are as follows:

· Vulnerability

· Threat

· Risk

· Exposure

· Control

However the words “vulnerability,” “threat,” “risk,” “exposure” and “control” are often
interchanged, even though they have different meanings.

1.3.1.Vulnerability: It is a weakness in a system. It allows a threat source to compromise

security of the system. It can be a software, hardware, procedural, or human weakness that
can be exploited. Vulnerability may be a service running on a server, unpatched applications or
 9

operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical
security that allows anyone to enter a server room, or unenforced password management on
servers and workstations.

1.3.2. Threat: It is any potential danger that is associated with the exploitation of
vulnerability. If the threat is that someone will identify a specific vulnerability and use it against
the company or individual, then the entity that takes advantage of vulnerability is referred to as
a threat agent. A threat agent could be an intruder accessing the network through a port on the
firewall, a process accessing data in a way that violates the security policy, or an employee
circumventing controls in order to copy files to a medium that could expose confidential
information.

1.3.3. Risk: It is the likelihood of a threat source exploiting a vulnerability and the
corresponding business impact. If a firewall has several ports open, there is a higher likelihood
that an intruder will use one to access the network in an unauthorized method. If users are not
educated on processes and procedures, there is a higher likelihood that an employee will make
an unintentional mistake that may destroy data. If an Intrusion Detection System (IDS) is not
implemented on a network, there is a higher likelihood an attack will go unnoticed until it is too
late. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business
impact.

1.3.4. Exposure: It is an instance of being exposed to losses. A vulnerability exposes an

organization to possible damages. If password management is lax and password rules are not
enforced, the company is exposed to the possibility of having users’ passwords compromised
and used in an unauthorized manner. If a company does not have its wiring inspected and does
not put proactive fire prevention steps into place, it exposes itself to potentially devastating
fires.

1.3.5. Control or countermeasure: It is put into place to mitigate (reduce) the potential
risk. A countermeasure may be a software configuration, a hardware device, or a procedure
that eliminates a vulnerability or that reduces the likelihood a threat agent will be able to exploit
a vulnerability. Examples of countermeasures include strong password management, firewalls,
a security guard, access control mechanisms, encryption, and security-awareness training.
10

1.4. The relationships among different security concepts

The relationship among different security concepts is illustrated in figure 1.5

1.4.1. Threat agent: It is a specific instance or a component of a threat. Threat agent is

like a lightning strike, hailstorm or tornado which is part of the threat of severe storm itself.
Similarly, all hackers in the world present a collective threat, however Kevin Mitnick, who was
convicted for hacking into phone systems, is a specific threat agent.

1.4.2. Threat: It is a category of objects, persons, or other entities that presents a danger
to an asset. Threats are always present and can be purposeful or undirected. For example,
hackers purposefully threaten unprotected information systems, just like severe storms
incidentally threaten buildings and their contents.

(Source: CISSP by Shon Harris)

Figure 1.5: Relationship among different security concepts

1.4.3. Exploit: It is a technique used to compromise a system. Threat agents may attempt
to exploit a system or other information asset by using it illegally for their personal gain or an
exploit can be a documented process to take advantage of a vulnerability or exposure usually in
software that is either inherent in the software or is created by the attacker. Such an exploit is
done by making use of existing software tools or custom-made software components
 11

1.4.4. Vulnerability: It is a weakness or fault in a system or protection mechanism that

opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package,
an unprotected system port and an unlocked door. Some well-known vulnerabilities have been
examined, documented and published while others remain latent or undiscovered.

1.4.5. Risk:It is a probability that something unwanted might happen. Organizations must
minimize risk to match their risk appetite—the quantity and nature of risk the organization is
willing to accept.

1.4.6. Attack: Attack is an intentional or unintentional act that can cause damage to or
otherwise compromise information and/or the systems that support it. Attacks can be active or
passive, intentional or unintentional, and direct or indirect. Someone casually reading sensitive
information not intended for his or her use is a passive attack. A hacker attempting to break into
an information system is essentially an intentional attack. A lightning strike that causes a fire in
a building is an unintentional attack. A direct attack is a hacker using a personal computer to
break into a system. An indirect attack is a hacker compromising a system and using it to attack
other systems, for example, as part of a botnet (slang for robot network).

This group of compromised computers, running software of the attacker’s choosing can
operate autonomously or under the attacker’s direct control to attack systems and steal user
information or conduct distributed denial-of-service attacks. Direct attacks originate from the
threat itself. Indirect attacks originate from a compromised system or resource that is
malfunctioning or working under the control of a threat.

1.4.7. Loss: A single instance of an information asset suffering damage or unintended or

unauthorized modification or disclosure. When an organization’s information is stolen, it has
suffered a loss.

1.4.8. Asset: Asset is an organizational resource that needs to be protected. An asset

can be logical such as a web site, information or data; or an asset in physical form such as a
person, computer system, or other tangible objects. Assets and particularly information assets
need to be protected with requisite focus of security efforts.
12

1.4.9. Exposure:It is a condition or state of being exposed. It refers to the presence of a

vulnerability which exposes an organization to a possible threat.

1.4.10. Controls, safeguard, or counter measure: It includes security mechanisms,

policies, or procedures that can successfully counter attack, reduce risk, resolve vulnerabilities
and thereby improve the security within an organization. Thus it is put into place to reduce the
potential risk. In this regard protection profile or security posture includes the entire set of
controls and safeguards including policy, education, technology, training and awareness that
the organization implements (or fails to implement) to protect the asset. The terms are sometimes
used interchangeably with the term security program, although the security program often
comprises managerial aspects of security, including planning, personnel, and subordinate
programs.

Summary
· CIA ensures that within the organization, information is protected against disclosure
to unauthorized users, improper modification and non-access when required.

· Information security is a process, not a goal. It is possible to make a system available

to anyone, anywhere, anytime, through any means. However, such unrestricted
access poses a danger to the security of the information.

· Vulnerability is a weakness in a system that allows a threat source to compromise

its security. It can be software, hardware, procedural, or human weakness that can
be exploited.

· A threat is any potential danger that is associated with the exploitation of vulnerability.

· An exposure is an instance of being exposed to losses. Vulnerability exposes an

organization to possible damages.

· A control, or countermeasure, is put into place to mitigate (reduce) the potential

risk. A countermeasure may be a software configuration, a hardware device, or a
procedure that eliminates vulnerability or that reduces the likelihood a threat agent
will be able to exploit a vulnerability.

· Information Security governance is the collection of practices related to supporting,

defining, and directing the security efforts of an organization. Security governance
is closely related to and often intertwined with enterprise and IT governance.
 13

Check your answer

· What is CIA?

· What is IAAA?

· ………………………..is a weakness in a system that allows a threat source to

compromise security.

· …………………………………… are logical assets of organization.

· ……………………………………are physical assets of organization.

· Who is threat Agent?

· What is risk?

· What are controls?

Reference
· National Security Telecommunications and Information Systems Security. National

· Training Standard for Information Systems Security (Infosec) Professionals. File4011.

20 June 1994. Accessed 8 February 2007 from www.cnss.gov/Assets/pdf/
nstissi_4011.pdf.

· CISSP - Book - Shon Harriss.

14

UNIT 2
ATTACKS ON INFORMATION SECURITY
Learning Objectives

After reading this lesson you will be able to understand

· Theft

· Fraud

· Malicious code

· Malicious hacker

· Denial of Services

· Social Engineering

Structure
2.1. Introduction

2.2. Theft

2.3. Fraud

2.4. Malicious code

2.4.1. Virus

2.4.2. Worms

2.4.3. Rootkit

2.4.4. Trojan Horses

2.4.5. Backdoor

2.4.6. Polymorphic Threats

2.4.7. Hoaxes

2.5. Malware Components

2.5.1. Malicious hacker

2.6. Compromises to Intellectual Property

2.7. Denial of Services

 15

2.8. Spyware and Adware

2.9. Logic Bombs

2.10. Ransomware

2.11. Sniffing

2.12. Drive by download

2.13. Types of attacks

2.13.1. Email threats

2.13.2. Malicious code

2.13.3. Hoaxes

2.13.4. Password cracking

2.13.4.1. Brute force

2.13.4.2. Dictionary attack

2.14. Spoofing

2.15. Man-in-the middle

2.16. Spam

2.17. Mailbombing

2.18. Sniffers

2.19. Malware

2.20. Social Engineering

2.1. Introduction
Attacks on information security occur through the following:

· Theft (stealing physical, electronic or intellectual property)

· Fraud (Dishonest or illegal way of gaining money)

· Malicious code (Code or software that attacks a system)

· Denial of Service (Service made unavailable to legitimate users)

16

· Social Engineering (the use of deception to manipulate individuals into divulging

confidential or personal information that may be used for fraudulent purposes.)

2.2. Theft
The threat of theft, the illegal taking of another’s property, which can be physical, electronic,
or intellectual, is a constant. The value of information is diminished when it is copied without the
owner’s knowledge. Physical theft can be controlled quite easily by means of a wide variety of
measures, from locked doors to trained security personnel and the installation of alarm systems.
Electronic theft, however, is a more complex problem to manage and control. When someone
steals a physical object, the loss is easily detected; if it has any importance at all, its absence is
noted. When electronic information is stolen, the crime is not always readily apparent. If thieves
are clever and cover their tracks carefully, no one may ever know of the crime until it is far too
late.

2.3. Fraud
Fraud is a crime of gaining money or financial benefits by a trick or by lying. Fraud is
something or someone that deceives people in a way that is illegal or dishonest. It is deliberate
deception trickery or cheating or to gain an advantage. It is an act or instance of such deceptions.
It is something false or furious a fraud is a person in a deceitful way and is called an imposter or
a cheat.

Eg.Cheque fraud, Internet fraud, website redirection charities fraud, pyramid schemes,
identity threat, credit card fraud, insurance fraud, debt elimination

 Fraud can be a civil or a criminal offence.

 Some of the most common penalties for criminals who commit fraud include

 Incarceration (imprisonment),Probation, Fines, Restitution.

2.4. Malicious code

Deliberate software attacks occur when an individual or group designs and deploys software
to attack a system. Most of this software is referred to as malicious code or malicious software
or sometimes malware. These software components or programs are designed to damage,
destroy, or deny service to the target systems. Some of the more common instances of malicious
 17

code are viruses and worms, trojan horses, logic bombs, and back doors. Prominent among
the history of notable incidences of malicious code are the denial-of-service attacks.

2.4.1. Virus

A virus is a small application, or string of code, that infects software. The main function of
a virus is to reproduce and deliver its payload, and it requires a host application to do this. In
other words, viruses cannot replicate on their own. A virus infects a file by inserting or attaching
a copy of itself to the file. The virus is just the “delivery mechanism.” It can have any type of
payload (deleting system files, displaying specific messages, reconfiguring systems, stealing
sensitive data, installing a sniffer or back door).

The code behaves very much like a virus pathogen that attacks animals and plants, using
the cell’s own replication machinery to propagate the attack beyond the initial target. The code
attaches itself to an existing program and takes control of that program’s access to the targeted
computer. The virus-controlled target program then carries out the virus’s plan by replicating
itself into additional targeted systems. Many times users unwittingly help viruses get into a
system. Opening infected e-mail or some other seemingly trivial action can cause anything
from random messages popping up on a user’s screen to the complete destruction of entire
hard drives of data. Just as their namesakes are passed among living bodies, computer viruses
are passed from machine to machine via physical media, e-mail, or other forms of computer
data transmission. When these viruses infect a machine, they may immediately scan the local
machine for e-mail applications, or even send themselves to every user in the e-mail address
book.

One of the most common methods of virus transmission is via e-mail attachment files.
Most organizations block e-mail attachments of certain types and also filter all e-mail for known
viruses. In earlier times, viruses were slow-moving creatures that transferred viral payloads
through the cumbersome movement of diskettes from system to system. Now, computers are
networked, and e-mail programs prove to be fertile ground for computer viruses unless suitable
controls are in place.

Among the most common types of information system viruses are the macro virus, which
is embedded in automatically executing macro code used by word processors, spread sheets,
and database applications, and the boot virus, which infects the key operating system files
located in a computer’s boot sector.
18

If they cannot self-replicate they do not fall into the subcategory of “virus.” Several viruses
have been released that achieved self-perpetuation by mailing themselves to every entry in a
victim’s personal address book. The virus masqueraded as coming from a trusted source.
Macros are programs are generally used with Microsoft Office products. Macros automate
tasks that users would otherwise have to carry out themselves. Users can define a series of
activities and common tasks for the application to perform when a button is clicked, instead of
doing each of those tasks individually. A macro virus is a virus written in one of these macro
languages and is platform independent. Macro viruses infect and replicate in templates and
within documents. They are common because they are extremely easy to write and are used
extensively in commonly used products (i.e., Microsoft Office).

Some viruses infect the boot sector (boot sector viruses) of a computer and either move
data within the boot sector or overwrite the sector with new information. Some boot sector
viruses have part of their code in the boot sector, which can initiate the viruses when a system
boots up, and the rest of their code in sectors on the hard drive that the virus has marked off as
bad. Because the sectors are marked as bad, the operating system and applications will not
attempt to use those sectors; thus, they will not get overwritten.

A stealth virus hides the modifications it has made to files or boot records. This can be
accomplished by monitoring system functions used to read files or sectors and forging the
results. This means that when an anti-malware program attempts to read an infected file or
sector, the original uninfected form will be presented instead of the actual infected form. The
virus can hide itself by masking the size of the file it is hidden in or actually move itself temporarily
to another location while an anti-malware program is carrying out its scanning process.

So a stealth virus is a virus that hides its tracks after infecting a system. Once the system
is infected, the virus can make modifications to make the computer appear the same as before.
The virus can show the original file size of a file it infected instead of the new, larger size to try
to trick the antimalware software into thinking no changes have been made.

A polymorphic virus produces varied but operational copies of itself. This is done in the
hopes of outwitting a virus scanner. Even if one or two copies are found and disabled, other
copies may still remain active within the system. These viruses can also vary the sequence of
their instructions by including noise, or bogus instructions, with other useful instructions. They
can also use a mutation engine and a random-number generator to change the sequence of
 19

their instructions in the hopes of not being detected. A polymorphic virus has the capability to
change its own code, enabling the virus to have hundreds or thousands of variants. These
activities can cause the virus scanner to not properly recognize the virus and to leave it alone.

2.4.2. Worms

A worm is a malicious program that replicates itself constantly, without requiring another
program environment. Worms can continue replicating themselves until they completely fill
available resources, such as memory, hard drive space, and network bandwidth. Worms are
different from viruses in that they can reproduce on their own without a host application, and are
self-contained programs.

The newer worm variants contain multiple exploits that can use any of the many predefined
distribution vectors to programmatically distribute the worm and deliver a double-barreled payload:
it has an attachment that contains the worm, and if the e-mail is viewed on an HTML-enabled
browser, it attempts to deliver a macro virus.

The complex behavior of worms can be initiated with or without the user downloading or
executing the file. Once the worm has infected a computer, it can redistribute itself to all e-mail
addresses found on the infected system. Furthermore, a worm can deposit copies of itself onto
all web servers that the infected system can reach, so that users who subsequently visit those
sites become infected. Worms also take advantage of open shares found on the network in
which an infected system is located, placing working copies of the worm code onto the server
so that users of those shares are likely to become infected.

In the digital world, worms are just little programs, and like viruses they are used to
transport and deliver malicious payloads. One of the most famous computer worms is Stuxnet,
which targeted Supervisory Control and Data Acquisition (SCADA) software and equipment. It
has a highly specialized payload that was used against Iran’s uranium enrichment infrastructures
with the goal of damaging the country’s nuclear program.

2.4.3. Rootkit

When a system is successfully compromised, an attacker may attempt to elevate his

privileges to obtain administrator- or root user–level access. Once the level of access is achieved,
the attacker can upload a bundle of tools, collectively called a rootkit. The first thing that is
usually installed is a back-door program, which allows the attacker to enter the system at any
20

time without having to go through any authentication steps. The other common tools in a rootkit
allow for credential capturing, sniffing, attacking other systems, and covering the attacker’s
tracks.

The rootkit is just a set of tools that is placed on the compromised system for future use.
Once the rootkit is loaded, the attacker can use these tools against the system or other systems
it is connected to whenever he wants to. The attacker usually replaces default system tools with
new compromised tools, which share the same name. They are referred to as “Trojan programs”
because they carry out the intended functionality but do some malicious activity in the background.
This is done to help ensure that the rootkit is not detected.

2.4.4. Trojan Horses

Trojan horses are software programs that hide their true nature and reveal their designed
behavior only when activated. Trojan horses are frequently disguised as helpful, interesting, or
necessary pieces of software, such as readme.exe files often included with shareware or freeware
packages. Once Trojan horses are brought into a system, they become activated and can
wreak havoc on the unsuspecting user.

A Trojan horse is a program that is disguised as another program. Trojan horses are one
of the fastest growing malware types in the world. Users are commonly tricked into downloading
some type of software from a website that is actually malicious. The Trojan horse can then set
up a back door, install keystroke loggers, implement rootkits, upload files from the victim’s
system, install boot software, and perform many other types of malicious acts. Trojan horses
are commonly used to carry out various types of online banking fraud and identity theft activities.

Remote Access Trojans (RATs) are malicious programs that run on systems and allow
intruders to access and use a system remotely. They mimic the functionality of legitimate remote
control programs used for remote administration, but are used for sinister purposes instead of
helpful activities. They are developed to allow for stealth installation and operation, and are
usually hidden in some type of mobile code, such as Java applets or ActiveX controls, that are
downloaded from websites.

Several RAT programs are available to the hacker. Once the RAT is loaded on the victim’s
system, the attacker can download or upload files, send commands, monitor user behaviors,
install zombie software, activate the webcam, take screenshots, alter files, and use the
compromised system as he pleases.
 21

2.4.5. Back Door or Trap Door

A virus or worm can have a payload that installs a backdoor or trap door component in a
system, which allows the attacker to access the system at will with special privileges.

Using a known or previously unknown and newly discovered access mechanism, an

attacker can gain access to a system or network resource through a back door. Sometimes
these entries are left behind by system designers or maintenance staff, and thus are called trap
doors. A trap door is hard to detect, because very often the programmer who puts it in place
also makes the access exempt from the usual audit logging features of the system.

2.4.6. Polymorphic Threats

One of the biggest challenges to fighting viruses and worms has-been the emergence of
polymorphic threats. A polymorphic threat is one that over time techniques that look for
preconfigured signatures. These viruses and worms actually evolve, changing their size and
other external file characteristics to elude detection by antivirus software programs.

2.4.7. Virus and Worm Hoaxes

As frustrating as viruses and worms are, perhaps more time and money is spent on
resolving virus hoaxes. Well-meaning people can disrupt the harmony and flow of an organization
when they send group e-mails warning of supposedly dangerous viruses that don’t exist. When
people fail to follow virus-reporting procedures, the network becomes overloaded, and much
time and energy is wasted as users forward the warning message to everyone they know, post
the message on bulletin boards, and try to update their antivirus protection software.

2.5. Malware Components

It is common for malware to have six main elements, although it is not necessary for them
all to be in place:

• Insertion Installs itself on the victim’s system

• Avoidance Uses methods to avoid being detected

• Eradication Removes itself after the payload has been executed

• Replication Makes copies of itself and spreads to other victims

• Trigger Uses an event to initiate its payload execution

22

• Payload Carries out its function (that is, deletes files, and installs a back door, exploits
a vulnerability, and so on).

2.5.1. Malicious Hacker

As you identify the vulnerabilities that are inherent to your organization and its systems, it
is important to also identify the sources that could attack them. The International Organization
for Standardization in their ISO/IEC standard 27000 define a threat as a “potential cause of an
unwanted incident, which may result in harm to a system or organization.

Perhaps the most obvious threat source is the malicious attacker who intentionally pokes
and prods our systems looking for vulnerabilities to exploit. In the past, this was a sufficient
description of this kind of threat source. Increasingly, however, organizations are interested in
profiling the threat in great detail. Many organizations are implementing teams to conduct
cyberthreat intelligence that allows them to individually label, track, and understand specific
cybercrime groups. This capability enables these organizations to more accurately determine
which attacks are likely to originate from each group based on their capabilities as well as their
tactics, techniques, and procedures (TTP).

Another important threat source is the insider, who may be malicious or simply careless.
The malicious insider is motivated by a number of factors, but most frequently by disgruntlement
and/or financial gain. In the wake of the massive leak of classified data attributed to Edward
Snowden in 2012, there’s been increased emphasis on techniques and procedures for identifying
and mitigating the insider threat source. While the deliberate insider dominates the news, it is
important to note that the accidental insider can be just as dangerous, particularly if they fall into
one of the vulnerability classes described in the preceding section.

Table 2.1 represents categories of threats with suitable examples

Table 2.1: Category of Threat with examples

S.No Category of Threat Examples

1 Compromises to intellectual property Piracy, copyright infringement

2 Software attacks Viruses, worms, macros, denial of

service
 23

3 Deviations in quality of service ISP, power, or WAN service issues

from service providers

4 Espionage or trespass Unauthorized access and/or data

collection

5 Forces of nature Fire, flood, earthquake, lightning

6 Human error or failure Accidents, employee mistakes

7 Information extortion Blackmail, information disclosure

8 Missing, inadequate or incomplete Loss of access to information

systems due to disk drive failure
without proper backup and recovery
plan organizational policy or planning
in place

9 Missing, inadequate or incomplete Network compromised because no

controls firewall security controls

10 Sabotage or vandalism Destruction of systems or information

11 Theft Illegal confiscation of equipment or

information

12 Technical hardware failures or errors Bugs, code problems, unknown

loopholes

13 Technological obsolescence Antiquated or outdated technologies

2.6. Compromises to Intellectual Property

Many organizations create, or support the development of, intellectual property (IP) as
part of their business operations. Intellectual property is defined as “the ownership of ideas and
control over the tangible or virtual representation of those ideas. Use of another person’s
intellectual property may or may not involve royalty payments or permission, but should always
include proper credit to the source. Intellectual property can be trade secrets, copyrights,
24

trademarks, and patents. The unauthorized appropriation of IP constitutes a threat to information

security. Employees may have access privileges to the various types of IP, and may be required
to use the IP to conduct day-to-day business.Organizations often purchase or lease the IP of
other organizations, and must abide by the purchase or licensing agreement for its fair and
responsible use. The most common IP breach is the unlawful use or duplication of software-
based intellectual property, more commonly known as software piracy. Many individuals and
organizations do not purchase software as mandated by the owner’s license agreements.
Because most software is licensed to a particular purchaser, its use is restricted to a single user
or to a designated user in an organization. If the user copies the program to another computer
without securing another license or transferring the license, he or she has violated the copyright.
Violating Software Licenses, describes a classic case of this type of copyright violation. Software
licenses are strictly enforced by a number of regulatory and private organizations, and software
publishers use several control mechanisms to prevent copyright infringement. Codes, and
even the intentional placement of bad sectors on software media have been used to enforce
copyright laws. The most common tool, a license agreement window that usually pops up during
the installation of new software, establishes that the user has read and agrees to the license
agreement. Another effort to combat piracy is the online registration process. Individuals who
install software are often asked or even required to register their software to obtain technical
support or the use of all features. Some believe that this process compromises personal privacy,
because people never really know exactly what information is obtained from their computers
and sent to the software manufacturer.

2.7. Denial of Service

· A denial-of-service (DOS) attack can take many forms, but at its essence is a compromise
to the availability leg of the CIA triad. A DOS attack results in a service or resource being
degraded or made unavailable to legitimate users.

· A distributed denial-of-service (DOS) attack is identical to a DOS attack except the

volume is much greater. The attacker chooses the flooding technique they want to employ
(SYN, ICMP, DNS) and then instruct an army of hijacked or zombie computers to attack at a
specific time. Where do these computers come from? Every day, tens of thousands of computers
are infected with malware, typically when their users click a link to a malicious website (see the
upcoming section “Drive-by Download”) or open an attachment on an e-mail message. As part
of the infection, and after the cybercriminals extract any useful information like banking information
 25

and passwords, the computer is told to execute a program that connects it to a command and
control (C&C) network. At this point, the cybercriminals can issue commands, such as “start
sending SYN packets as fast as you can to this IP address,” to it and to thousands of other
similarly infected machines on the same C&C network. Each of these computers is called a
zombie or a bot, and the network they form is called a botnet.

Not too long ago, attackers who aspired to launch DDoS attacks had to build their own
botnets, which is obviously no small task. We have recently seen the commercialization of
botnets. The current model seems to be that a relatively small number of organizations own
and rent extremely large botnets numbering in the hundreds of thousands of bots. If you know
where to look and have a few hundred dollars to spare, it is not difficult to launch a massive
DDoS attack using these resources.

2.8. Spyware and Adware

Spyware is a type of malware that is covertly installed on a target computer to gather
sensitive information about a victim. The gathered data may be used for malicious activities,
such as identity theft, spamming fraud, etc. Spyware can also gather information about a victim’s
online browsing habits, which is then often used by spammers to send targeted advertisements.
Spyware can also be used by an attacker to direct a victim’s computer to perform tasks such as
installing software, changing system settings, transferring browsing history, logging keystrokes,
taking screenshots, etc.

Spyware is “any technology that aids in gathering information about a person or organization
without their knowledge.

Spyware is placed on a computer to secretly gather information about the user and report
it. The various types of spyware include (1) a Web bug, a tiny graphic on a Web site that is
referenced within the Hypertext Markup Language (HTML) content of a Web page or e-mail to
collect information about the user viewing the HTML content (2) a tracking cookie, which is
placed on the user’s computer to track the user’s activity on different Web sites and create a
detailed profile of the user’s behavior.”

Adware is “any software program intended for marketing purposes such as that used to
deliver and display advertising banners or pop-ups to the user’s screen or tracking the user’s
online usage or purchasing activity.” Each of these hidden code components can be used to
26

collect information from or about the user which could then be used in a social engineering or
identity theft attack. Adware automatically generates (renders) advertisements. The ads can be
provided through pop-ups, user interface components, or screens presented during the
installation of updates of other products. The goal of adware is to generate sales revenue, not
carry out malicious activities, but some adware uses invasive measures, which can cause security
and privacy issues.

2.9. Logic Bombs

A logic bomb executes a program, or string of code, when a certain set of conditions is
met. For example, a network administrator may install and configure a logic bomb that is
programmed to delete the company’s whole database if he is terminated.

The logic bomb software can have many types of triggers that activate its payload execution,
as in time and date or after a user carries out a specific action. For example, many times
compromised systems have logic bombs installed so that if forensics activities are carried out
the logic bomb initiates and deletes all of the digital evidence. This thwarts the investigation
team’s success and helps hide the attacker’s identity and methods.

2.10. Ransomware
There has been an uptick in the use of ransomware for financial profit in recent years.
This attack works similarly to the process by which a computer is exploited and made to join a
botnet. However, in the case of ransomware, instead of making the computer a bot (or maybe
in addition to doing so), the attacker encrypts all user files on the target. The victim receives a
message stating that if they want their files back they have to pay a certain amount. When the
victim pays, they receive the encryption key together with instructions on how to decrypt their
drives and go on with their lives. Interestingly, these cybercriminals appear to be very good at
keeping their word here. Their motivation is to have their reliability be spread by word of mouth
so that future victims are more willing to pay the ransom.

There is no unique defense against this type of attack, because it is difficult for an attacker
to pull off if you are practicing good network hygiene. The following list of standard practices is
not all-inclusive, but it is a very solid starting point:

 Keep your software’s security patches up to date. Ideally, all your software gets
patched automatically.
 27

 Use host-based anti-malware software and ensure the signatures are up to date.

 Use spam filters for your e-mail.

 Never open attachments from unknown sources. As a matter of fact, even if you
know the source, don’t open unexpected attachments without first checking with
that person. (It is way too easy to spoof an e-mail’s source address.)

 Before clicking a link in an e-mail, float your mouse over it (or right-click the link) to
see where it will actually take you. If in doubt (and you trust the site), type the URL
in the web browser yourself rather than clicking the link.

 Be very careful about visiting unfamiliar or shady websites.

2.11. Sniffing
Network eavesdropping, or sniffing, is an attack on the confidentiality of our data. The
good news is that it requires a sniffing agent on the inside of our network. That is to say, the
attacker must first breach the network and install a sniffer before he is able to carry out the
attack. The even better news is that it is possible to detect sniffing because it requires the NIC
to be placed in promiscuous mode, meaning the NIC’s default behavior is overridden and it no
longer drops all frames not intended for it. The bad news is that network breaches are all too
common and many organizations don’t search for interfaces in promiscuous mode.

Sniffing plays an important role in the maintenance and defense of our networks, so it’s
not all bad. It is very difficult to troubleshoot many network issues without using this technique.
The obvious difference is that when the adversary (or at least an unauthorized user) does it, it
is quite possible that sensitive information will be compromised.

2.12. Drive-by Download

A drive-by download occurs when a user visits a website that is hosting malicious code
and automatically gets infected. This kind of attack exploits vulnerabilities in the user’s web
browser or, more commonly, in a browser plug-in such as a video player. The web-site itself
could be legitimate, but vulnerable to the attacker. Typically, the user visits the site and is
redirected (perhaps invisibly) to wherever the attacker has his malicious code. This code will
probe the user’s browser for vulnerabilities and, upon finding one, craft an exploit and payload
for that user. Once infected, the malware goes to work turning the computer into a zombie,
28

harvesting useful information and uploading it to the malicious site, or encrypting the contents
of the hard-drive in the case of a ransomware attack.

Drive-by downloads are one of the most common and dangerous attack vectors, because
they require no user interaction besides visiting a website. From there, it takes fractions of a
second for the infection to be complete. So what can we do about them? The key is that the
most common exploits attack the browser plug-ins. To protect users from this type of attack,
ensure that all plug-ins are patched and (here is the important part) disabled by default. If a user
visits a website and wants to watch a video, this should require user interaction (e.g., clicking a
control that enables the plug-in). Similarly, Java (another common attack vector) should require
manual enabling on a case-by-case basis. By taking these steps, the risk of infection from
drive-by downloads is reduced significantly.

Admittedly, the users are not going to like this extra step, which is where an awareness
campaign comes in handy. If you are able to show your users the risk in an impactful way, they
may be more willing to go along with the need for an extra click next time they want to watch a
video of a squirrel water-skiing.

2.13. Types of Attacks

An attack is an act that takes advantage of a vulnerability to compromise a controlled
system. It is accomplished by a threat agent that damages or steals an organization’s information
or physical asset. A vulnerability is an identified weakness in a controlled system, where controls
are not present or are no longer effective. Unlike threats, which are always present, attacks
only exist when a specific act may cause a loss. For example, the threat of damage from a
thunderstorm is present throughout the summer in many places, but an attack and its associated
risk of loss only exist for the duration of an actual thunderstorm. The following sections discuss
each of the major types of attacks used against controlled systems.

2.13.1.E-mail Threats

E-mail spoofing is a technique used by malicious users to forge an e-mail to make it

appear to be from a legitimate source. Usually, such e-mails appear to be from known and
trusted e-mail addresses when they are actually generated from a malicious source. This
technique is widely used by attackers these days for spamming and phishing purposes. An
attacker tries to acquire the target’s sensitive information, such as username and password or
 29

bank account credentials. Sometimes, the e-mail messages contain a link of a known website
when it is actually a fake website used to trick the user into revealing his information.

E-mail spoofing is done by modifying the fields of e-mail headers, such as the From,
Return-Path, and Reply-To fields, so the e-mail appears to be from a trusted source. This
results in an e-mail looking as though it is from a known e-mail address. Mostly the from field is
spoofed, but some scams have modified the Reply-To field to the attacker’s e-mail address. E-
mail spoofing is caused by the lack of security features in SMTP. When SMTP technologies
were developed, the concept of e-mail spoofing didn’t exist, so countermeasures for this type of
threat were not embedded into the protocol. A user could use an SMTP server to send e-mail to
anyone from any e-mail address.

SMTP authentication (SMTP-AUTH) was developed to provide an access control

mechanism. This extension comprises an authentication feature that allows clients to authenticate
to the mail server before an e-mail is sent. Servers using the SMTP-AUTH extension are
configured in such a manner that their clients are obliged to use the extension so that the
sender can be authenticated.

2.13.2. Malicious Code

The malicious code attack includes the execution of viruses, worms, Trojan horses, and
active Web scripts with the intent to destroy or steal information. The state-of-the-art malicious
code attack is the polymorphic, or multivector, worm. These attack programs use upto six known
attack vectors to exploit a variety of vulnerabilities in commonly found information system devices.

A bot (an abbreviation of robot) is “an automated software program that executes certain
commands when it receives a specific input. Bots are often the technology used to implement
Trojan horses, logic bombs, back doors and spyware.

2.13.3. Hoaxes

A more devious attack on computer systems is the transmission of a virus hoax with a real
virus attached. When the attack is masked in a seemingly legitimate message, unsuspecting
users more readily distribute it. Even though these users are trying to do the right thing to avoid
infection, they end up sending the attack on to their coworkers and friends and infecting many
users along the way.
30

2.13.4. Password Crack

Attempting to reverse-calculate a password is often called cracking. A cracking attack is

a component of many dictionary attacks (to be covered shortly). It is used when a copy of the
Security Account Manager (SAM) data file, which contains hashed representation of the user’s
password, can be obtained. A password can be hashed using the same algorithm and compared
to the hashed results. If they are the same, the password has been cracked.

2.13.4.1. Brute Force

The application of computing and network resources to try every possible password
combination is called a brute force attack. Since the brute force attack is often used to obtain
passwords to commonly used accounts, it is sometimes called a password attack. If attackers
can narrow the field of target accounts, they can devote more time and resources to these
accounts. That is one reason to always change the manufacturer’s default administrator account
names and passwords.

Password attacks are rarely successful against systems that have adopted the
manufacturer’s recommended security practices. Controls that limit the number of unsuccessful
access attempts allowed per unit of elapsed time are very effective against brute force attacks.

2.13.4.2. Dictionary Attack

The dictionary attack is a variation of the brute force attack which narrows the field by
selecting specific target accounts and using a list of commonly used passwords (the dictionary)
instead of random combinations. Organizations can use similar dictionaries to disallow passwords
during the reset process and thus guard against easy-to-guess passwords. In addition, rules
requiring numbers and/or special characters in passwords make the dictionary attack less
effective.

2.14. Spoofing

Spoofing is a technique used to gain unauthorized access to computers, wherein the

intruder sends messages with a source IP address that has been forged to indicate that the
messages are coming from a trusted host. To engage in IP spoofing, hackers use a variety of
techniques to obtain trusted IP addresses, and then modify the packet headers to insert forged
addresses. Newer routers and firewall arrangements can offer protection against IP spoofing.
 31

2.15. Man-in-the-Middle

In the well-known man-in-the-middle or TCP hijacking attack, an attacker monitors (or

sniffs) packets from the network, modifies them, and inserts them back into the network.

This type of attack uses IP spoofing to enable an attacker to impersonate another entity
on the network. It allows the attacker to eavesdrop as well as to change, delete, reroute, add,forge,
or divert data. A variant of TCP hijacking, involves the interception of an encryption key exchange,
which enables the hacker to act as an invisible man-in-the-middle—that is, an eaves dropper—
on encrypted communications.

2.16 Spam
Spam is unsolicited commercial e-mail. While many consider spam a trivial nuisance
rather than an attack, it has been used as a means of enhancing malicious code attacks. The
most significant consequence of spam, however, is the waste of computer and human resources.
Many organizations attempt to cope with the flood of spam by using e-mail filtering technologies.
Other organizations simply tell the users of the mail system to delete unwanted messages.

2.17 Mail Bombing

Another form of e-mail attack that is also a DoS is called a mail bomb, in which an attacker
routes large quantities of e-mail to the target. This can be accomplished by means of social
engineering or by exploiting various technical flaws in the Simple Mail Transport Protocol (SMTP).
The target of the attack receives an unmanageably large volume of unsolicited e-mail. By
sending large e-mails with forged header information, attackers can take advantage of poorly
configured e-mail systems on the Internet and trick them into sending many e-mails to an
address chosen by the attacker. If many such systems are tricked into participating in the event,
the target e-mail address is buried under thousands or even millions of unwanted e-mails.

2.18 Sniffers
A sniffer is a program or device that can monitor data traveling over a network. Sniffers
can be used both for legitimate network management functions and for stealing information.
Unauthorized sniffers can be extremely dangerous to a network’s security, because they are
virtually impossible to detect and can be inserted almost anywhere. This makes them a favorite
weapon in the hacker’s arsenal. Sniffers often work on TCP/IP networks, where they’re sometimes
32

called packet sniffers. Sniffers add risk to the network, because many systems and users send
information on local networks in clear text. A sniffer program shows all the data going by, including
passwords, the data inside files—such as word-processing documents—and screens full of
sensitive data from applications.

2.19 Malicious Software (Malware)

Several types of malicious code, or malware, exist, such as viruses, worms, trojan horses,
and logic bombs. They usually are dormant until activated by an event the user or system
initiates. They can be spread by e-mail, sharing media, sharing documents and programs, or
downloading things from the Internet, or they can be purposely inserted by an attacker.

Adhering to the usual rules of not opening an e-mail attachment or clicking on a link that
comes from an unknown source is one of the best ways to combat malicious code. However,
recent viruses and worms have infected personal e-mail address books, so this precaution is
not a sure thing to protect systems from malicious code. If an address book is infected and
used during an attack, the victim gets an e-mail message that seems to have come from a
person he knows. Because he knows this person, he will proceed to open the e-mail message
and double-click the attachment or click on the link. And Bam! His computer is now infected and
uses the e-mail client’s address book to spread the virus to all his friends and acquaintances.

There are many infection channels other than through e-mail, but it is a common one
since so many people use and trust these types of messages coming into and out of their
systems on a daily basis. In fact, by many estimates, upward of 95 percent of all compromises
use e-mail as the principal attack vector.

Manual attacks on systems do not happen as much as they did in the past. Today hackers
automate their attacks by creating a piece of malicious software (malware) that can compromise
thousands of systems at one time with more precision. While malware can be designed to carry
out a wide range of malicious activities, most malware is created to obtain sensitive information
(credit card data, Social Security numbers, credentials, etc.), gain unauthorized access to
systems, and/or carry out a profit-oriented scheme.

The proliferation of malware has a direct relationship to the large amount of profit individuals
can make without much threat of being caught. The most commonly used schemes for making
money through malware are as follows:
 33

· Systems are compromised with bots and are later used in distributed denial-of-
service (DDoS) attacks, spam distribution, or as part of a botnet’s command and
control system.

· Ransomware encrypts some or all of the users’ files with keys that are only given to
the users after they pay a ransom, typically using cryptocurrencies.

· Spyware collects personal data for the malware developer to resell to others.

· Malware redirects web traffic so that people are pointed toward a specific product
for purchase.

· Malware installs key loggers, which collect sensitive financial information for the
malware author to use.

· Malware is used to carry out phishing attacks, fraudulent activities, identity theft
steps, and information warfare activities.

The sophistication level of malware continues to increase at a rapid pace. Years ago you
just needed an anti-malware product that looked for obvious signs of an infection (new files,
configuration changes, system file changes, etc.), but today’s malware can bypass these
simplistic detection methods.

Some malware is stored in RAM and not saved to a hard drive, which makes it harder to
detect. The RAM is flushed when the system reboots, so there is hardly any evidence that it
was there in the first place. Malware can be installed in a “drive-by-download” process, which
means that the victim is tricked into clicking something malicious (web link, system message,
pop-up window), which in turn infects his computer.

As discussed earlier, there are many web browser and web server vulnerabilities that are
available through exploitation. Many websites are infected with malware, and the website owners
do not know this because the malware encrypts itself, encodes itself, and carries out activities
in a random fashion so that its malicious activities are not easily replicated and studied.

We will cover the main categories of malware in the following sections, but the main
reasons that they are all increasing in numbers and potency are as follows:

 Many environments are homogeneous, meaning that one piece of malware will
work on many or most devices.
34

 Everything is becoming a computer (phones, TVs, game consoles, power grids,

medical devices, etc.), and thus all are capable of being compromised.

 More people and companies are storing all of their data in some digital format.

 More people and devices are connecting through various interfaces (phone apps,
Facebook, websites, e-mail, texting, e-commerce, etc.).

 Many accounts are configured with too much privilege (administrative or root access).

 More people who do not understand technology are using it for sensitive purposes
(online banking, e-commerce, etc.).

The digital world has provided many ways to carry out various criminal activities with a
low risk of being caught

2.20 Social engineering

The act of tricking another person into providing confidential information by posing as an
individual who is authorized to receive that information.Social engineering is when one person
tricks another person into sharing confidential information, for example, by posing as someone
authorized to have access to that information. Social engineering can take many forms. Any
one-to-one communication medium can be used to perform social engineering attacks.

Users can intentionally or accidentally disclose sensitive information by not encrypting it

before sending it to another person, by falling prey to a social engineering attack, by sharing a
company’s trade secrets, or by not using extra care to protect confidential information when
processing it.

This is the process of getting a person to violate a security procedure or policy, and
usually involves human interaction or e-mail/text messages. It is a non-technical attack carried
out to manipulate a person into providing sensitive data to an unauthorized individual.

Attackers can trick people into providing their cryptographic key material through various
social engineering attack types. Social engineering attacks are carried out on people with the
goal of tricking them into divulging some type of sensitive information that can be used by the
attacker. The attacker may convince the victim that he is a security administrator that requires
the cryptographic data for some type of operational effort. The attacker could then use the data
to decrypt and gain access to sensitive data. The attacks can be carried out through persuasion,
coercion (rubber-hose cryptanalysis), or bribery (purchase-key attack).
 35

Phishing is a social engineering attack that is commonly carried out through maliciously
crafted e-mail. The goal is to get someone to click a malicious link or for the victim to send the
attacker some confidential data (Aadhaar Number, account number, etc.). The attacker crafts
an e-mail that seems to originate from a trusted source and sends it out to many victims at one
time.

A spear phishing attack zeroes in on specific people. So if an attacker wants your specific
information because he/she wants to break into your bank account, he/she could gather
information about you via Facebook, LinkedIn, or other resources and create an e-mail purporting
to be from someone he/she thinks you will trust.

A similar attack is called whaling. In a whaling attack an attacker usually identifies some
“big fish” in an organization (CEO, CFO, COO, CSO) and targets them because they have
access to some of the most sensitive data in the organization. The attack is finely tuned to
achieve the highest likelihood of success.

Summary
 Threats are the vulnerabilities that are inherent to your organization and its
systems.ISO/IEC standard 27000 define a threat as a “potential cause of an
unwanted incident, which may result in harm to a system or organization.

 A virus is a small application, or string of code, that infects software. The main
function of a virus is to reproduce and deliver its payload, and it requires a host
application to do this. It cannot self-replicate and it needs human interaction to
replicate.

 A worm is a malicious program that replicates itself constantly, without requiring

human interaction. It can continue replicating themselves until they completely fill
available resources, such as memory, hard drive space, and network bandwidth.

 A distributed denial-of-service (DDoS) attack is identical to a DoS attack except the

vol­ume is much greater. The attacker chooses the flooding technique they want to
employ (SYN, ICMP, DNS) and then instruct an army of hijacked or zombie computers
to attack at a specific time.

 Ransomware is a type of malware in which the attacker encrypts all user files on the
target. The victim receives a message stating that if they want their files back they
have to pay a certain amount.
36

 The malicious code attack includes the execution of viruses, worms, Trojan horses,
and active Web scripts with the intent to destroy or steal information.

 The application of computing and network resources to try every possible password
combination is called a brute force attack.

 Spoofing is a technique used to gain unauthorized access to computers, wherein

the intruder sends messages with a source IP address that has been forged to
indicate that the messages are coming from a trusted host.

 Social engineering is when one person tricks another person into sharing confidential
information, for example, by posing as someone authorized to have access to that
information.

Check your Answers

 The Dictionary Attack and ………………………….. are two famous methods for
password attacks.

 ………………………………is a technique used by malicious users to forge an e-

mail to make it appear to be from a legitimate source.

 A ……………………………executes a program, or string of code, when a certain

set of conditions is met.

 Expand & Explain MITM.

 …………………………….. is unsolicited commercial e-mail.

 …………………………….. it is capable of self-replication.

 …………………………….. it is not capable of self-replication.

 A ……………………………occurs when a user visits a website that is hosting

malicious code and automatically gets infected.

 ……………………………… are software programs that hide their true nature and
reveal their designed behavior only when activated.

 What are RATs?

 37

Reference
 ISO (International Organization for. standards.iso.org.

 SATTER, RAPHAEL (28 March 2017). ”What makes a cyberattack? Experts lobby
to restrict the term”.

 S. Karnouskos: Stuxnet Worm Impact on Industrial Cyber-Physical System

Security. In:37th Annual Conference of the IEEE Industrial Electronics Society
(IECON 2011), Melbourne, Australia, 7-10 Nov 2011

 World Economic Forum (2018). ”The Global Risks Report 2018 13th Edition”. World
Economic Forum.

 Internet security glossary

 Distributed Denial-Of-Service”. www.garykessler.net

 Linden, Edward. Focus on Terrorism. New York: Nova Science Publishers, Inc.,
2007. Web

 Wright, Joe; Jim Harmening (2009). “15”. In Vacca, John. Computer and Information
Security Handbook. Morgan Kaufmann Publications. Elsevier Inc. p. 257. ISBN 978-
0-12-374354-1.

 ”ISACA THE RISK IT FRAMEWORK

 Vacca, John. Computer and Information Security Handbook. Morgan Kaufmann

Publications. Elsevier Inc. p. 225. ISBN 978-0-12-374354-1.

 Krebs, Brian. ”Security Fix - Avoid Windows Malware: Bank on a Live CD”.
Voices.washingtonpost.com.

 Wright, Joe; Jim Harmening. Vacca, John. (2009). Computer and Information
Security Handbook. Morgan Kaufmann Publications. Elsevier Inc. p. 257. ISBN 978-
0-12-374354-1.
38

UNIT 3
INFORMATION SECURITY GOVERNANCE
Learning Objectives

After reading this lesson you will be able to understand

· Information Security Governance

o Mission and Vision

o Effective information security governance

o Benefits of information security governance

o Outcome of information security governance

o Information Security Issues

o Policies, Procedures, Standards

Structure

3.1. Introduction

3.2. Information Security Governance

3.2.1. Mission and Vision for Security Governance

3.2.2. Effective security governance

3.2.3. Benefits of Security Governance

3.2.4. Outcomes of Information security governance

3.2.5. Information security governance issues

3.2.6. Information Security Policies, Procedures, Standards and Guidelines

3.2.6.1. Policy

3.2.6.2. Standards

3.2.6.3. Procedures

3.2.6.4. Guidelines

3.2.6.5. Baselines
 39

3.1 Introduction
Information security governance plays a pivotal role in the process of achieving effective
and efficient information security and thereby provides the requisite security governance through
proper documentation, classification, training and governance thereof.

3.2. Information Security Governance

Information Security governance is the collection of practices related to supporting, defining,
and directing the security efforts of an organization. Security governance is closely related to
and often intertwined with enterprise and IT governance. Thus, the common goal of governance
is to maintain business processes while striving toward growth and resiliency.

o Information security governance

o Mission and Vision

o Effective information security governance

o Benefits of information security governance

o Outcome of information security governance

o Information Security Issues

o Policies, Procedures, Standards

Recognizing the pain points and trigger events is often the first step in implementation of
governance. This will improve the buy-in, quick wins can be identified and value can be
demonstrated in the most visible areas of the enterprise.

Recognizing the Pain Points:

The following are the pain points that could act as a stumbling block and trigger an event
and hence recognizing the pain points are crucial for an organization.

 Business frustration with failed initiatives

 Rising IT costs and a perception of low business value

 Significant incidents related to IT risk

 Outsourcing delivery problems

 Failure to meet contractual, statutory and legal requirements

40

 Duplication or overlap between initiatives

 Regular audit findings about poor IT performance

 Perception that IT is limiting the enterprise’s innovation capabilities

 Hidden and rogue IT spending

 Complex IT operating models

 Board members, executives or senior managers who are reluctant to engage with
IT

Other events that trigger a focus on information security governance

The following are the other events in the enterprise’s internal and external environment
that can trigger a focus on the governance.

 A change in the business operating model or sourcing arrangements

 New regulatory or compliance requirements

 A significant technology change or paradigm shift

 External audit or consultant assessments

 A new business strategy or priority

3.2.1. Mission and Vision for Security Governance

The organization should ensure the need for security. The organization should include
this in its mission statement and thereby satisfy the stakeholders through their vision. This is
where security governance comes into play. Security governance is a framework that allows for
the security goals of an organization to be set and expressed by senior management
communicated throughout the different levels of the organization. It grants power to the entities
needed to implement and enforce security and provides a way to verify the performance of
these security activities.

3.2.2. Effective Security Governance

The following are the aspects that are required for establishing effective security
governance.
 41

 Board members need to understand that information security is critical to the

organization and demand to be updated quarterly on security performance and
breaches.

 CEO, CFO, CIO, CISO, and business unit managers participate in a risk management
committee that meets each month, and information security is always on the agenda
to review.

 Executive management sets an acceptable risk level that is the basis for the
organization’s security policies and all security activities.

 Executive management holds business unit managers responsible for carrying out
risk management activities for their specific business units.

 Employees are held accountable for any security breach they participate in, either
maliciously or accidentally.

 Security products, managed services, and consultants are purchased and deployed
in a formal manner. They are also constantly reviewed to ensure they are cost
effective.

 The organization is continuing to review its processes, including security, with the
goal of continued improvement.

3.2.3. Benefits of Information Security Governance

Information security governance provides a series of benefits including,

 Providing assurance that critical decisions are not based on faulty information

 Addressing legal and regulatory requirements

 Providing assurance of policy compliance

 Increasing predictability and reducing uncertainty of business operations by lowering

risk to definable and acceptable levels

 Providing a firm foundation for efficient and effective risk management, process
improvement, rapid incident response and continuity management

 Providing greater confidence in interactions with trading partners. Improving trust in

customer relationships
42

 Protecting the organization’s reputation.

 Effective management of information security resources

3.2.4. Outcomes of Information Security Governance

Information security governance includes the elements required to provide senior

management assurance that its direction and intent are reflected in the security posture of the
organization.

3.2.5. Information Security Governance Issues

The following are the information security governance issues:

 Ineffective bureaucracies

 Countless conflicting jurisdictions

 Aging Institutions

 Inability to adopt dealing with global information crime

3.2.6. Information Security Policies, Procedures, Standards and

guidelines

Management from all communities of interest, including general staff, information

technology and information security, must make policies the basis for all information security
planning, design, and deployment. Policies direct how issues should be addressed and
technologies should be used. Policies do not specify the proper operation of equipment or
software. This information should be placed in the standards, procedures, and practices of
users’ manuals and systems documentation. In addition, policy should never contradict law,
because this can create a significant liability for the organization.

Quality security programs begin and end with policy. Information security is primarily a
management problem, not a technical one, and policy is a management tool that obliges
personnel to function in a manner that preserves the security of information assets. Security
policies are the least expensive control to execute, but the most difficult to implement properly.
They have the lowest cost in that their creation and dissemination requires only the time and
effort of the management team. Even if the management team hires an outside consultant to
help develop policy, the costs are minimal compared to those of technical controls. However,
shaping policy is difficult because policy must:
 43

 Never conflict with laws

 Stand up in court, if challenged

 Be properly administered through dissemination and documented acceptance

For a company’s security plan to be successful, it must start at the top level and be useful
and functional at every single level within the organization. Senior management needs to define
the scope of security and identify and decide what must be protected and to what extent.
Management must understand the regulations, laws, and liability issues it is responsible for
complying with regarding security and ensure that the company as a whole fulfills its obligations.
Senior management also must determine what is expected from employees and what the
consequences of non-compliance will be. A security policy is an overall general statement
produced by senior management that dictates what role security plays within the organization.
A security policy can be an organizational policy, an issue-specific policy, or a system-specific
policy.

3.2.6.1 What is a policy?

Policy means different things to different people. The term policy is defined as a high level
statement of an organization is beliefs, goals, objectives, and the general means to attain a
specific subject area. A policy is brief and set at a high level.

Because policy is written at broad-level, organizations must also develop standards,

procedures, and guidelines that offer employees a clear method to implement the policy and
meet the organization’s business objectives or mission.

A policy is not specific and a detailed description of the problem and each step is needed
to implement the policy. A policy on requiring access control for remote users has exceeded its
scope if there is a discussion about passwords, password length and password history.

A policy is a plan or course of action that conveys instructions from an organization’s

senior management to those who make decisions, take actions, and perform other duties.
Policies are organizational laws in that they dictate acceptable and unacceptable behavior within
the organization. Like laws, policies define what is right, what is wrong, what the penalties are
for violating policy, and what the appeal process is. Standards, on the other hand, are more
detailed statements of what must be done to comply with policy. They have the same requirements
for compliance as policies. Standards may be informal or part of an organizational culture, as in
44

de facto standards. Or standards may be published, scrutinized, and ratified by a group, as in

formal or de jure standards. Finally, practices, procedures, and guidelines effectively explain
how to comply with policy. Policies drives standards which in turn drive practices, procedures,
and guidelines. Policies are put in place to support the mission, vision, and strategic planning of
an organization.

The mission of an organization is a written statement of an organization’s purpose. The

vision of an organization is a written statement about the organization’s goals—where will the
organization be in five years? In ten? Strategic planning is the process of moving the organization
toward its vision.

The meaning of the term security policy depends on the context in which it is used.
Governmental agencies view security policy in terms of national security and national policies
to deal with foreign states. A security policy can also communicate a credit card agency’s method
for processing credit card numbers. In general, a security policy is a set of rules that protect an
organization’s assets. An information security policy provides rules for the protection of the
information assets of the organization.

For a policy to be effective and thus legally enforceable, it must meet the following criteria:

Dissemination (distribution). The organization must be able to demonstrate that the policy
has been made readily available for review by the employee. Common dissemination techniques
include hard copy and electronic distribution.

Review (reading). The organization must be able to demonstrate that it disseminated the
document in an intelligible form, including versions for illiterate, non-English reading, and reading-
impaired employees. Common techniques include recording the policy in English and other
languages.

Comprehension (understanding). The organization must be able to demonstrate that the

employee understood the requirements and content of the policy. Common techniques include
quizzes and other assessments.

Compliance (agreement). The organization must be able to demonstrate that the employee
agrees to comply with the policy, through act or affirmation. Common techniques include logon
banners which require a specific action (mouse click or keystroke) to acknowledge agreement,
or a signed document clearly indicating the employee has read, understood, and agreed to
comply with the policy.
 45

Uniform enforcement. The organization must be able to demonstrate that the policy has
been uniformly enforced, regardless of employee status or assignment.

Management must define three types of security policy, according to the National Institute
of Standards and Technology’s Special Publication 800-14

1. Enterprise information security policies – Tier 1 (Organization - Level)

2. Issue-specific security policies – Tier II (Functional Level)

3. Systems-specific security policies – Tier III (Application/Device Level)

An Enterprise Information Security Policy (EISP) is also known as a general security

policy, organizational security policy, IT security policy, or information security policy. The EISP
is based on and directly supports the mission, vision, and direction of the organization and sets
the strategic direction, scope, and tone for all security efforts. The EISP is an executive level
document, usually drafted by or in cooperation with the chief information officer of the
organization. This policy is usually two to ten pages long and shapes the philosophy of security
in the IT environment. The EISP usually needs to be modified only when there is a change in
the strategic direction of the organization.

The EISP guides the development, implementation, and management of the security
program. It sets out the requirements that must be met by the information security blueprint or
framework. It defines the purpose, scope, constraints, and applicability of the security program.
It also assigns responsibilities for the various areas of security, including systems administration,
maintenance of the information security policies, and the practices and responsibilities of the
users. Finally, it addresses legal compliance. According to the National Institute of Standards
and Technology (NIST), the EISP typically addresses compliance in the following two areas:

1. General compliance to ensure meeting the requirements to establish a program and

the responsibilities assigned therein to various organizational components

2. The use of specified penalties and disciplinary action when the EISP has been developed,
the CISO begins forming the security team and initiating the necessary changes to the information
security program.
46

EISP Elements

Although the specifics of EISPs vary from organization to organization, most EISP
documents should include the following elements:

An overview of the corporate philosophy on security Information on the structure of the

information security organization and individuals who fulfill the information security role

 Fully articulated responsibilities for security that are shared by all members of the
organization (employees, contractors, consultants, partners, and visitors)

 Fully articulated responsibilities for security that are unique to each role within the
organization

In an organizational security policy, management establishes

1. How a security program will be set up.

2. Lays out the program’s goals

3. Assigns responsibilities.

4. Shows the strategic and tactical value of security.

5. Outlines how enforcement should be carried out.

6. Address relative laws, regulations, and liability issues, and how they are to be
satisfied.

7. Provides scope and direction for all future security activities within the organization.

8. Describes the amount of risk senior management is willing to accept.

The components of a good EISP are shown below.

Table 3.1: The components of a good EISP

Component Description

Statement of Purpose Answers the question, “What is this policy for?”

Provides a framework that helps the reader to
understand the intent of the document. Can include
text such as the following:” This document will:Identify
the elements of a good security policy Explain the
 47

need for information security Specify the various

categories of information security Identify the
information security responsibilities and roles Identify
appropriate levels of security through standards and
guidelines. This document establishes an overarching
security policy and direction for our company.
Individual departments are expected to establish
standards, guidelines, and operating procedures that
adhere to and reference this policy while addressing
their specific and individual needs.”

Information Security Elements Def ines inf ormation security. For example:
”Protecting the confidentiality, integrity, and availability
of information while in processing, transmission, and
storage, through the use of policy, education and
training, and technology…” This section can also lay
out security definitions or philosophies to clarify the
policy.

Need for Information Security Provides information on the importance of information

security in the organization and the obligation (legal
and ethical) to protect critical information, whether
regarding customers, employees, or markets.

Information Security Defines the organizational structure designed to

Responsibilities and Roles support information security within the organization.
Identifies categories of individuals with responsibility
for information security (IT department, management,
users) and their information security responsibilities,
including maintenance of this document.

Reference to Other Information Lists other standards that influence and are
influenced by this policy document, perhaps including
Standards and Guidelines relevant laws (federal and state) and other policies.
48

An issue-specific policy, also called a functional policy.

As an organization executes various technologies and processes to support routine

operations, it must instruct employees on the proper use of these technologies and processes.
In general, the issue-specific security policy, or ISSP, (1) addresses specific areas of
technology as listed below, (2) requires frequent updates, and (3) contains a statement on the
organization’s position on a specific issue. An ISSP may cover the following topics, among
others:

1. Email

2. Use of internet

3. Specific minimum configurations of computers to defend against worms and viruses

4. Prohibitions against hacking or testing organization security controls

5. Home use of company-owned computer equipment

6. Use of personal equipment on company networks

7. Use of telecommunications technologies (fax and phone)

8. Use of photocopy equipment

There are a number of approaches to creating and managing ISSPs within an organization.
Three of the most common are:

1. Independent ISSP documents, each tailored to a specific issue

2. A single comprehensive ISSP document covering all issues

3. A modular ISSP document that unifies policy creation and administration, while
maintaining each specific issue’s requirements

The independent ISSP document typically has a scattershot effect. Each department
responsible for a particular application of technology creates a policy governing its use,
management, and control. This approach may fail to cover all of the necessary issues and can
lead to poor policy distribution, management, and enforcement.

The single comprehensive ISSP is centrally managed and controlled. With formal
procedures for the management of ISSPs in place, the comprehensive policy approach
establishes guidelines for overall coverage of necessary issues and clearly identifies processes
 49

for the dissemination, enforcement, and review of these guidelines. Usually, these policies are
developed by those responsible for managing the information technology resources.
Unfortunately, these policies tend to overgeneralize the issues and skip over vulnerabilities.

The optimal balance between the independent and comprehensive ISSP is the modular
ISSP. It is also centrally managed and controlled but is tailored to individual technology issues.
The modular approach provides a balance between issue orientation and policy management.
The policies created with this approach comprise individual modules, each created and updated
by people responsible for the issues addressed. These people report to a central policy
administration group that incorporates specific issues into an overall comprehensive policy.

Statement of Policy : The policy should begin with a clear statement of purpose. Consider
a policy that covers the issue of fair and responsible use of the Internet. The introductory
section of this policy should outline these topics: What is the scope of this policy? Who is
responsible and accountable for policy implementation? What technologies and issues does it
address? Authorized Access and Usage of Equipment This section of the policy statement
addresses who can use the technology governed by the policy, and what it can be used for.
Remember that an organization’s information systems are the exclusive property of the
organization, and users have no particular rights of use. Each technology and process is provided
for business operations. Use for any other purpose constitutes misuse of equipment. This section
defines “fair and responsible use” of equipment and other organizational assets and should
also address key legal issues, such as protection of personal information and privacy. Prohibited
Use of Equipment Unless a particular use is clearly prohibited, the organization cannot penalize
its employees for misuse. The following can be prohibited: personal use, disruptive use or
misuse, criminal use, offensive or harassing materials, and infringement of copyrighted, licensed,
or other intellectual property. As an alternative approach, categories 2 and 3 of Table 5-2 can be
collapsed into a single category—appropriate use. Many organizations use an ISSP section
titled “Appropriate Use” to cover both categories.

Systems Management : The systems management section of the ISSP policy statement
focuses on the users’ relationship to systems management. Specific rules from management
include regulating the use of e-mail, the storage of materials, the authorized monitoring of
employees, and the physical and electronic scrutiny of e-mail and other electronic documents.
It is important that all such responsibilities are designated as belonging to either the systems
administrator or the users; otherwise both parties may infer that the responsibility belongs to
the other party.
50

Violations of Policy : The people to whom the policy applies must understand the penalties
and repercussions of violating the policy. Violations of policy should carry appropriate, not
draconian, penalties. This section of the policy statement should contain not only the specifics
of the penalties for each category of violation but also instructions on how individuals in the
organization can report observed or suspected violations. Many people think that powerful
individuals in the organization can discriminate, single out, or otherwise retaliate against someone
who reports violations. Allowing anonymous submissions is often the only way to convince
users to report the unauthorized activities of other, more influential employees.

Policy Review and Modification : Because any document is only useful if it is upto-
date, each policy should contain procedures and a timetable for periodic review. As the
organization’s needs and technologies change, so must the policies that govern their use. This
section should specify a methodology for the review and modification of the policy to ensure
that users do not begin circumventing it as it grows obsolete.

Limitations of Liability : If an employee is caught conducting illegal activities with

organizational equipment or assets, management does not want the organization held liable.
The policy should state that if employees violate a company policy or any law using company
technologies, the company will not protect them, and the company is not liable for its actions. In
fact, many organizations assist in the prosecution of employees who violate laws when their
actions violate policies. It is inferred that such violations occur without knowledge or authorization
by the organization.

Components of ISSP

Statement of policy

· Scope and applicability

· Definition of technology addressed

· Responsibilities

Authorized access and usage of equipment

· User access

· Fair and responsible use

· Protection of privacy
 51

Prohibited usage of equipment

· Disruptive use or misuse

· Criminal use

· Offensive or harassing materials

· Copyrighted, licensed, or other intellectual property

· Other restrictions

Systems management

· Management of stored materials

· Employer monitoring

· Virus protection

· Physical security

· Encryption

Violations of policy

· Procedures for reporting violations

· Penalties for violations

Policy review and modification

· Scheduled review of policy procedures for modification

· Legal disclaimers

Limitations of liability

· Statements of liability

· Other disclaimers as needed

52

Systems-Specific Policy (SysSP)

While issue-specific policies are formalized as written documents readily identifiable as

policy, system-specific security policies (SysSPs) sometimes have a different look. SysSPs
often function as standards or procedures to be used when configuring or maintaining systems.
For example, a SysSP might describe the configuration and operation of a network firewall.
This document could include a statement of managerial intent; guidance to network engineers
on the selection, configuration, and operation of firewalls; and an access control list that defines
levels of access for each authorized user. SysSPs can be separated into two general groups,
managerial guidance and technical specifications, or they can be combined into a single
policy document.

Managerial Guidance SysSPs A managerial guidance SysSP document is created by

management to guide the implementation and configuration of technology as well as to address
the behavior of people in the organization in ways that support the security of information.

For example, while the method for implementing a firewall belongs in the technical
specifications SysSP, the firewall’s configuration must follow guidelines established by
management. An organization might not want its employees to access the Internet via the
organization’s network, for instance; in that case, the firewall should be implemented accordingly.

Firewalls are not the only technology that may require system-specific policies. Any system
that affects the confidentiality, integrity, or availability of information must be assessed to evaluate
the trade-off between improved security and restrictions.

System-specific policies can be developed at the same time as ISSPs, or they can be
prepared in advance of their related ISSPs. Before management can craft a policy informing
users what they can do with the technology and how they are supposed to do it, it might be
necessary for system administrators to configure and operate the system. Some organizations
may prefer to develop ISSPs and SysSPs in tandem, so that operational procedures and user
guidelines are created simultaneously.

Technical Specifications SysSPs While a manager can work with a systems administrator
to create managerial policy as described in the preceding section, the system administrator
may in turn need to create a policy to implement the managerial policy. Each type of equipment
requires its own set of policies, which are used to translate the management intent for the
technical control into an enforceable technical approach. For example, an ISSP may require
 53

that user passwords be changed quarterly; a systems administrator can implement a technical
control within a specific application to enforce this policy. There are two general methods of
implementing such technical controls: access control lists and configuration rules.

An organization may have a system specific policy which outlines

· How a database containing sensitive information should be protected?

· Who can have access

· How auditing should take place

· How laptops should be locked down and managed

· This policy type is directed to one or a group of similar systems and outlines how
they should be protected.

Policies are written in broad terms to cover many subjects in a general fashion. Much
more granularity is needed to actually support the policy, and this happens with the use of
procedures, standards, guidelines, and baselines. The policy provides the foundation. The
procedures, standards, guidelines, and baselines provide the security framework.

And the necessary security controls (administrative, technical, and physical) are used to
fill in the framework to provide a full security program.

3.2.6.2. Standards

Standards are mandatory requirements that support individual policies. Standards can
range from what software or hardware can be used to what remote access protocol is to be
implemented, to who is responsible for approving what. When developing a information security
policy, it will be necessary to establish a set of supporting standards that Can give a policy its
support and reinforcement in direction. They can also be used to indicate expected user behavior.
They provide a means to ensure that specific technologies, applications, parameters, and
procedures are implemented in a uniform (standardized) manner across the organization. An
organizational standard may require that all employees wear their company identification badges
at all times, that they challenge unknown individuals about their identity and purpose for being
in a specific area, or that they encrypt confidential information. These rules are compulsory
within a company, and if they are going to be effective, they must be enforced.
54

3.2.6.3. Procedures

Procedures are mandatory step-by-step, detailed actions required to successfully complete

a task. Procedures can be very detailed. Procedures are considered the lowest level in the
documentation chain because they are closest to the computers and users (compared to policies)
and provide detailed steps for configuration and installation issues

Procedures spell out how the policy, standards, and guidelines will actually be implemented
in an operating environment. If a policy states that all individuals who access confidential
information must be properly authenticated, the supporting procedures will explain the steps for
this to happen by defining the access criteria for authorization, how access control mechanisms
are implemented and configured, and how access activities are audited. If a standard state that
backups should be performed, then the procedures will define the detailed steps necessary to
perform the backup, the timelines of backups, the storage of backup media, and so on.
Procedures should be detailed enough to be both understandable and useful to a diverse group
of individuals.

3.2.6.4. Guidelines

Guidelines are more general statements designed to achieve the policy’s objectives but
by providing a framework within which to implement procedures. Where standards are mandatory,
guidelines are recommendations. Guidelines are recommended actions and operational guides
to users, IT staff, operations staff, and others when a specific standard does not apply. They
can also be used as a recommended way to achieve specific standards when those do apply.
Guidelines can deal with the methodologies of technology, personnel, or physical security. Life
is full of gray areas, and guidelines can be used as a reference during those times. Whereas
standards are specific mandatory rules, guidelines are general approaches that provide the
necessary flexibility for unforeseen circumstances. Guidelines can be used as a reference; a
policy might state that access to confidential data must be audited. A supporting guideline could
further explain that audits should contain sufficient information to allow for reconciliation with
prior reviews. Supporting procedures would outline the necessary steps to configure, implement,
and maintain this type of auditing.

3.2.6.5. Baseline

Baselines are used to define the minimum level of protection required. Baseline refers to
a point in time that is used as a comparison for future changes. Once risks have been mitigated
 55

and security put in place, a baseline is formally reviewed and agreed upon. All further comparisons
and development are measured against it. A baseline results in a consistent reference point. In
security, specific baselines can be defined per system type, which indicates the necessary
settings and the level of protection being provided. Security personnel must assess the systems
as changes take place and ensure that the baseline level of security is always being met. If a
technician installs a patch on a system and does not ensure the baseline is still being met, there
could be new vulnerabilities introduced into the system that will allow attackers easy access to
the network.

Summary
 Information security governance plays a pivotal role in the process of achieving
effective and efficient information security and thereby provides the requisite security
governance through proper documentation, classification, training and governance
thereof.

 Information security governance includes the elements required to provide senior

management assurance that its direction and intent are reflected in the security
posture of the organization.

 Policy means different things to different people. The term policy is defined as a
high level statement of organization beliefs, goals, objectives and the general means
to attain a specific subject area. A policy is brief and set at a high level.

 The systems management section of the ISSP policy statement focuses on the
users’ relationship to systems management.

 Procedures are mandatory step-by-step, detailed actions required to successfully

complete a task. Procedures can be very detailed. Procedures are considered the
lowest level in the documentation chain because they are closest to the computers
and users (compared to policies) and provide detailed steps for configuration and
installation issues

 Guidelines are more general statements designed to achieve the policy’s objectives
but by providing a framework within which to implement procedures. Where standards
are mandatory, guidelines are recommendations.

 Baselines are used to define the minimum level of protection required. Baseline
refers to a point in time that is used as a comparison for future changes
56

Check your answers

 What is information security governance?

 What are the issues in information security governance?

 What is a policy?

 What is a procedure?

 What is a guideline?

 What is a base line security?

References
 Julia Allen.2007Characteristics of Effective Security Governance.

 Corporate Governance Task Force Report.2006.Information Security Governance:

A Call to Action.

 Peter Weill and Jeanne Ross. 2004. IT Governance.

 ISACA.2006.Information Security Governance: Guidance for Boards of Directors

and Executive Management.

 NIST Special Publication 800-100, 2006.Information Security Handbook: A Guide

for Managers.

 Don Ross.Managing Enterprise Risk in Today’s World of Sophisticated Threats: A

Framework for Developing Broad-Based, Cost Effective Information Security
Programs.

 ISO/IEC 38500: 2008.Corporate Governance of Information Technology.

 CERT. The IT Security Essential Body of Knowledge (EBK).

 Richard N. Katz. 2008. The Tower and the Cloud.

 Brad Wheeler. 2008. E-Research is a Fad: Scholarship 2.0, Cyberinfrastructure,

and IT Governance (a chapter from The Tower and the Cloud based on IT
Governance by Weill and Ross).
 57

 Richard Power.2008.To Govern or Not to Govern.

o Cylab Survey Reveals Gap in Board Governance of Cyber Security. 2008. Richard
Power.

o Governance of Enterprise Security: Cylab 2008 Report. 2008. Jody Westby and
Richard Power.

 Information Security Program Self-Assessment Tool. 2013. EDUCAUSE/Internet2

Higher Education Information Security Council.

 Information Security Governance: Guidance for Boards of Directors and Executive

Management. 2006. IT Governance Institute.

 Pauline Bowen, Joan Hash and Mark Wilson.2006. Information Security Handbook:
A Guide for Managers (NIST Special Publication 800-100).

 Tammy Clark and Toby Sitko.2008. Information Security Governance: Standardizing

the Practice of Security Governance.

 Governing for Enterprise Security. CERT.

 Governing for Enterprise Security: An Implementation Guide. 2007. Jody Westby

and Julia Allen.

 Characteristics of Effective Security Governance. 2007. Julia Allen.

 Governing for Enterprise Security. 2005. Julia Allen.

 Governing for Enterprise Security: References. 2008. CERT.

 Julia Allen.2008.Making Business-Based Security Investment Decisions - A

Dashboard Approach.

 Institute of Internal Auditors.2001.Institute of Internal Auditors report titled “Information

Security Governance: What Directors Need to Know.

 ISM3 Consortium.

o Maturity Model

o ISM3, ISO, Cobit and Parkerian Hexad Information Security Criteria Mapping

 John P. Pironti. 2006. ISACA. Information Security Governance: Motivations, Benefits

and Outcomes.
58

 Information Security Goverance: Guidance for Boards of Directors and Executive

Managment, 2nd Edition by W. Krag Brotby IT Goverance Institute.

 Podcasts available from http://www.cert.org/podcast/#governing

o Getting Real About Security Governance

o The Legal Side of Global Security

o Why Leaders Should Care About Security

o Compliance vs. Buy-in

 Marilu Goodyear.2009.The Career of the IT Security Officer in Higher Education..

 Ronald Yanosky and Jack McGreddie. 2008.Process and Politics: IT Governance

in Higher Education.. ECAR Research Study, Volume 5.

 Mike Rothman.2007. The Pragmatic CSO: 12 Steps to Being a Security Master.

 PricewaterhouseCoopers. 2010.

 https://spaces.at.internet2.edu/display/2014infosecurityguide/
InformationSecurityGovernance
 59

UNIT 4
INFORMATION ASSET CLASSIFICATION
Learning Objectives

After reading this lesson you will be able tounderstand

· Need for Information Asset Classification

· Information Asset

o Owner

o Custodian

o User

· Information Classification

o Secret

o Confidential

o Private and Public

o Methodology

§ Declassification

§ Reclassification

o Retention and Disposal of Information Assets

· o Provide Authorization for Access

o Owner

o Custodian

o User

Structure
4.1. Introduction

4.1.1. Asset Definition

4.1.2. Information Assets

60

4.1.2.1.Software Assets

4.1.2.2.Physical Assets

4.1.2.3.Services

4.2. Threat Identification

4.2.1. Types of Threats

4.3. Information Asset Owners

4.3.1. Asset Owners

4.3.2. Business Owners

4.3.3. Data Owners

4.3.4. System Owners

4.4. Custodians

4.5. Users

4.6. Need for Information Asset classification

4.7. Information classification

4.7.1. Secret

4.7.2. Confidential

4.7.3. Private

4.7.4. Public

4.8. Methodology

4.8.1. Declassification

4.8.2. Reclassification

4.9. Retention of Information

4.10. Disposal of Information

4.11. Access control principles

4.11.1. Least Privilege

4.11.2. Separation of Duties

 61

4.11.3. Need to Know

4.11.4. Authorization

4.11.4.1. Owner

4.11.4.2. User

4.11.4.3. Custodian

4.1. Introduction
The classification of information asset rests with business or mission owners, data owners,
system owners, custodians and users within the realm of agreed and accepted information
security norms. Each of the stakeholders in this regard plays a different role in securing the
assets of the organizations as such.

4.2. Need for Information Asset Classification

Information Asset classification, in the context of Information Security, is the classification
of Information based on its level of sensitivity and the impact to the University should that
Information be disclosed, altered, or destroyed without authorization. The classification of
Information helps determine what baseline Security Controls are appropriate for safeguarding
that Information.

All Institutional Information should be classified into one of three sensitivity tiers, or
classifications.

Tier 1: Public Information

Tier 2: Internal Information

Tier 3: Restricted Information

A Data Classification Program is an extremely important first step to building a secure

organization. Classifying data is the process of categorizing data assets based on nominal
values according to its sensitivity (e.g., impact of applicable laws and regulations). For example,
data might be classified as: public, internal, confidential (or highly confidential), restricted,
regulatory, or top secret.
62

Data and information assets are classified respective of the risk of unauthorized disclosure
(e.g., lost or stolen inadvertently or nefariously). High risk data, typically classified “Confidential”,
requires a greater level of protection, while lower risk data, possibly labeled “internal” requires
proportionately less protection.

4.3. Information Asset

An information asset is a body of information, defined and managed as a single unit so it
can be understood, shared, protected and exploited effectively. Information assets have
recognizable and manageable value, risk, content and lifecycles.

4.3.1. Asset Owner

“Information Asset Owners (IAOs) must be senior/responsible individuals involved in

running the relevant business. Their role is to understand what information is held, what is
added and what is removed, how information is moved, and who has access and why. As a
result, they are able to understand and address risks to the information, and ensure that
information is fully used within the law for the public good. They provide a written judgment of
the security and use of their asset annually to support the audit process.”

4.3.1.1.Business or Mission Owners

Business Owners and Mission Owners (senior management) create the information security
program and ensure that it is properly staffed, funded, and has organizational priority. They are
responsible for ensuring that all organizational assets are protected.

4.3.1.2. Data Owners

The Data Owner (also called information owner) is a management employee responsible
for ensuring that specific data is protected. Data owners determine data sensitivity labels and
the frequency of data backup. They focus on the data itself, whether in electronic or paper form.
A company with multiple lines of business may have multiple data owners. The data owner
performs management duties; Custodians perform the hands-on protection of data.

4.3.1.3. System Owner

The System Owner is a manager responsible for the actual computers that house data.
This includes the hardware and software configuration, including updates, patching, etc. They
 63

ensure the hardware is physically secure, operating systems are patched and up to date, the
system is hardened, etc.

4.3.2. Custodian

The term “custodian” refers to any individual in the organization who has the responsibility
to protect an information asset as it is stored, transported, or processed in line with the security
requirements defined by the information asset owner. Technical hands-on responsibilities are
delegated to Custodians.

“Custodians” include users from the Information Technology/Information Security function

along with the staff who may be responsible for transporting information (e.g. paper records /
CDs / USBs etc) from one place to another or even the facilities or security staff who may have
physical access to information processing and storing facilities.

A Custodian provides hands-on protection of assets such as data. They perform data
backups and restoration, patch systems, configure antivirus software, etc. The Custodians follow
detailed orders; they do not make critical decisions on how data is protected. The Data Owner
may dictate, “All data must be backed up every 24 hours.” The Custodians would then deploy
and operate a backup solution that meets the Data Owner’s requirements.

4.3.3. Users

Users must follow the rules such as mandatory policies, procedures, standards they must
comply with. For example, they must not write their passwords down or share accounts. Users
must be made aware of these risks and requirements. Organizations cannot take for granted
that the users will know what to do, nor assume they are already doing the right thing. The
users must be informed via information security awareness programmes. They must also be
made aware of the penalty for failing to comply with mandatory directives such as policies.

4.4 Information Classification

4.4.1 Top Secret

Top Secret is the highest level of classified information. Information is further

compartmented so that specific access using a code word after top secret is a legal way to hide
collective and important information. Such material would cause “exceptionally grave damage”
to national security if made publicly available.
64

4.4.2. Secret

Information is classified as “secret” when it is recognized as restricted information. The

unauthorized disclosure of such data can be expected to cause significant damage to the national
security.

4.4.3 Confidential

Information is said to be “confidential” when highly sensitive data is intended for limited,
specific use by a workgroup, department, or group of individuals with a legitimate need-to-
know. Explicit authorization by the Data Steward is required for access because of legal,
contractual, privacy, or other constraints. Confidential data has a very high level of sensitivity.
Examples include:

• Payment Card Industry (PCI)

• Sarbanes–Oxley Act (SOX)

•Privacy

4.4.4 Private

Information is said to be “private” when data is meant for internal use only whose
significance is great and whose disclosure may lead to a significant negative impact on an
organization. All data and information which is being processed inside an organization is to be
handled by employees only and should not fall into the hands of outsiders.

4.4.5 Official

Official material forms the generality of government business, public service delivery and
commercial activity. This includes a diverse range of information, of varying sensitivities, and
with differing consequences resulting from compromise or loss. OFFICIAL information must be
secured against a threat model that is broadly similar to that faced by a large private company.

4.4.6 Unclassified

Unclassified is technically not a classification level, but this is a feature of some classification
schemes, used for government documents that do not merit a particular classification or which
have been declassified. This is because the information is low-impact, and therefore does not
require any special protection, such as vetting of personnel.
 65

4.4.7 Public

Information is said to be “public” when it may or must be open to the general public. It is
defined as information with no existing local, national, or international legal restrictions on access
or usage. Public data, while subject to Secure State disclosure rules, is available to all Secure
State employees and all individuals or entities external to the corporation. Examples include:

• Publicly posted press release

• Publicly available marketing materials

• Publicly posted job announcements

4.5. Methodology
4.5.1. Declassification

Declassification is the process of documents that used to be classified as secret ceasing

to be so restricted, often under the principle of freedom of information. Procedures for
declassification vary by country. Papers may be with held without being classified as secret,
and eventually made available.

4.5.2. Reclassification of Information

Reclassification is the changing of an object or concept from one classification to another.

Example: To change the security classification of information, a document, etc.

4.6. Retention of Information

The retention period of information is an aspect of records and information management
(RIM) and the records life cycle. It identifies the duration of time for which the information
should be maintained or “retained”, irrespective of format (paper, electronic, or other). Retention
periods vary on different types of information, based on content and a variety of other factors
including: internal organizational need, regulatory requirements for inspection or audit, legal
statutes of limitation, involvement in litigation, taxation and financial reporting needs, as well as
other factors as defined by local, regional, state, national and/or international governing entities.
66

4.7. Disposal of Information Assets

To ensure security and confidentiality, the disposal of Information Assets in any form must
follow the guidelines. Virtually all of our activities involve creating or handling information in one
form or another via the IT equipment we use. The IT Asset Disposal Policy and its associated
policies are concerned with managing the secure disposal of IT equipment assets which are
owned by the organization and are no longer required.

4.8. Access Control Principles

4.8.1. Principle of Least Privilege

States that if nothing has been specifically configured for an individual or the groups, he/
she belongs to, the user should not be able to access that resource i.e. Default no access

4.8.2. Separation of Duties

Separating any conflicting areas of responsibility, so as to reduce opportunities for

unauthorized or unintentional modification or misuse of organizational assets and/or information.

4.8.3. Need to know

It is based on the concept that individuals should be given access only to the information
that they absolutely require in order to perform their job duties

4.8.4 Authorization

Authorization for access for owner, custodian and users are given below:

4.8.4.1. Authorization for Access - owners

This is limited by contractual obligation, including proprietary computer software, proprietary

considerations and trade secrets.

4.8.4.2. Authorization for Access – user

There are 3 general factors for authenticating a subject.

· Something a person knows- E.g.: passwords, PIN- least expensive, least secure

· Something a person has – E.g.: Access Card, key- expensive, secure

· Something a person is- E.g.: Biometrics- most expensive, most secure

 67

4.8.4.3. Authorization for Access – Custodian

Sensitive information which is confidential or public in nature requires maintenance of

assurance or integrity as to its accuracy and completeness. Examples of sensitive information
are financial and operating information.

Summary
 Information Asset classification, in the context of Information Security, is the
classification of Information based on its level of sensitivity and the impact to the
University should that Information be disclosed, altered, or destroyed without
authorization. The classification of Information helps determine what baseline
Security Controls are appropriate for safeguarding that Information.

 An information asset is a body of information, defined and managed as a single unit

so it can be understood, shared, protected and exploited effectively. Information
assets have recognizable and manageable value, risk, content and lifecycles.

 Information Asset Owners (IAOs) must be senior/responsible individuals involved

in running the relevant business. Their role is to understand what information is
held, what is added and what is removed, how information is moved, and who has
access and why.

 The Data Owner (also called information owner) is a management employee

responsible for ensuring that specific data is protected. Data owners determine
data sensitivity labels and the frequency of data backup. They focus on the data
itself, whether in electronic or paper form. A company with multiple lines of business
may have multiple data owners. The data owner performs management duties;
Custodians perform the hands-on protection of data.

 The System Owner is a manager responsible for the actual computers that house
data. This includes the hardware and software configuration, including updates,
patching, etc. They ensure the hardware is physically secure, operating systems
are patched and up to date, the system is hardened, etc.

 Users must follow the rules such as mandatory policies, procedures, standards
they must comply with.
68

 Information is classified as secret, confidential, private and public.

 Separating any conflicting areas of responsibility, so as to reduce opportunities for

unauthorized or unintentional modification or misuse of organizational assets and/
or information.

Check your answers

Write short notes on

 Need for Information Asset Classification

 Information Asset

 Information Classification

 Methodology of classification

 Retention and Disposal of Information Assets

· Provide Authorization for Access

Reference
 Abdallah, Z. Information Security on a Budget: Data Classification & Data Leakage
Prevention. Available at http://www.takesecurityback.com/tag/data-classification/

 All Data Types. Available at https://www.safecomputing.umich.edu /dataguide/?q=all-

data

 Asset Identification & Classification. Available at http://www.itmatrix.com /index.php

/procedural-services/asset-identification-classification

 Data Classification Guide. Available at https://security.illinois.edu/content/data-

classification-guide

 Information Asset and Security Classification Procedure. Available at http://

policy.usq.edu.au/documents/13931PL

 Kosutic, D. (2014). Information classification according to ISO 27001. Available

at http://advisera.com/27001academy/blog/2014/05/12/information­classification­
according-to-iso-27001/
 69

 Rodgers, C. (2012). Data Classification: Why is it important for Information Security?

Available at https://www.securestate.com/blog/2012/04/03/data-classification-why-
is­it­important­for­information­security (19/10/2016)

 Stewart, J., Chapple, M., Gibson, D. (2015). Certified Information Systems Security
Professional Study Guide (7th Edition).

 Tuttle, H. (2016). Businesses Ignore Significant Cybersecurity Risks to Proprietary

data. Available at http://www.riskmanagementmonitor.com/cybersecurity-risks-to-
proprietary-data/

 What is sensitive data, and how is it protected by law? Available at https://kb.iu.edu/

d/augs (19/10/2016)
70

UNIT 5
RISK ANALYSIS AND RISK MANAGEMENT
Learning Objectives

After reading this lesson you will understand

 Risk analysis process

 Asset Definition

 Threat Identification

 Determine probability of occurrence

 Determine the Impact of the threat

 Risk Controls recommended

 Risk Control Categories

 Risk Avoidance

 Risk mitigation

 Cost/Benefit analysis

 Risk Management

 Components of Risk Management

Structure
5.1. Introduction

5.2. Risk Management

5.3. Components of Risk Management

5.4. The Process of Risk Analysis

5.5. Risk Controls

5.6. Risk Controls and Categories

5.6.1. Risk Avoidance

5.6.2. Risk Mitigation

 71

5.6.3. Risk Transfer

5.6.4. Risk Acceptance

5.7. Cost Benefit Analysis

5.1. Introduction
Risk management is the identification, assessment and prioritization of risks and the
subsequent coordinated and economical application of resources to minimize, monitor and
control the probability and impact of losses. Effective risk management activities create value
and should be an integral part of the decision-making process.

Risk and Determining the Probability and Impact of Threat

A common definition of risk is an uncertain event that if it occurs, can have a positive
or negative effect on a project’s goals. The Risk Impact/Probability Chart is based on the principle
that a risk has two primary dimensions:

 Probability – A risk is an event that “may” occur. The probability of it occurring can
range anywhere from just above 0 percent to just below 100 percent.

 Impact: A risk, by its very nature, always has a negative impact. However, the size
of the impact varies in terms of cost and impact on health, human life, or some
other critical factor.

Figure 5.2
72

The corners of the chart have these characteristics:

 Low impact/low probability – Risks in the bottom left corner are low level, and you
can often ignore them.

 Low impact/high probability – Risks in the top left corner are of moderate importance
– if these things happen, you can cope with them and move on. However, you
should try to reduce the likelihood that they’ll occur.

 High impact/low probability – Risks in the bottom right corner are of high importance
if they do occur, but they’re very unlikely to happen. For these, however, you should
do what you can to reduce the impact they’ll have if they do occur, and you should
have contingency plans in place just in case they do.

 High impact/high probability – Risks towards the top right corner are of critical
importance. These are your top priorities, and are risks that you must pay close
attention to.

5.2. The Process of Risk Analysis

Together these 5 risk management process steps combine to deliver a simple and effective
risk management process.

Step 1: Identify the Risk. You and your team uncover that which might affect your project
or its outcomes. There are a number of techniques you can use to find project risks. During this
step you start to prepare your Project Risk Register.

Step 2: Analyze the risk. Once risks are identified you determine the likelihood and
consequence of each risk. You develop an understanding of the nature of the risk and its
potential to affect project goals and objectives. This information is also input to your Project
Risk Register.

Step 3: Evaluate or Rank the Risk. You evaluate or rank the risk by determining the risk
magnitude, which is the combination of likelihood and consequence. You make decisions about
whether the risk is acceptable or whether it is serious enough to warrant treatment. These risk
rankings are also added to your Project Risk Register.

Step 4: Treat the Risk. This is also referred to as Risk Response Planning. During this
step you assess your highest ranked risks and set out a plan to treat or modify these risks to
 73

achieve acceptable risk levels. You create risk mitigation strategies, preventive plans and
contingency plans in this step. And you add the risk treatment measures for the highest ranking
or most serious risks to your Project Risk Register.

Step 5: Monitor and Review the risk. This is the step where you take your Project Risk
Register and use it to monitor, track and review risks.

5.3. Asset Definition

An asset is any data, device, or other component of the environment that supports
information-related activities. Assets generally include hardware (e.g. servers and switches),
software (e.g. mission critical applications and support systems) and confidential information.
Assets should be protected from illicit access, use, disclosure, alteration, destruction, and/or
theft, resulting in loss to the organization. We can broadly classify assets in the following
categories:

5.3.1. Information assets

Every piece of information about your organization falls in this category. This information
has been collected, classified, organized and stored in various forms.

 Databases: -Information about your customers, personnel, production, sales,

marketing, finances.

 Data files: - Transactional data giving up-to-date information about each event.
Operational and support procedures: These have been developed over the years
and provide detailed instructions on how to perform various activities.
Archived information: Old information that may be required to be maintained by law.

5.3.2. Software assets

These can be divided into two categories: -

(a) Application software: Application software implements business rules of the organization.

(b) System software: An organization would invest in various packaged software programs
like operating systems, DBMS, development tools and utilities, software packages, office
productivity suites etc.
74

5.3.3. Physical assets

These are the visible and tangible equipment and could comprise of:

a) Computer equipment: Mainframe computers, servers, desktops and notebook

computers.

b) Communication equipment: Modems, routers, EPABXs and fax machines.

c) Storage media: Magnetic tapes, disks, CDs and DATs.

d) Technical equipment: Power supplies, air conditioners.

e) Furniture and fixtures

5.3.4. Services

a) Computing services that the organization has outsourced.

b) Communication services like voice communication, data communication, value added

services, wide area network etc.

c) Environmental conditioning services like heating, lighting, air conditioning and power.

5.4. Threat Identification

Any circumstance or event with the potential to adversely impact an IS through unauthorized
access, destruction, disclosure, modification of data, and/or denial of service. Threats can be
classified according to their type and origin.

5.4.1. Types of threats

Different types of threats include:

 Physical damage: fire, water, pollution

 Natural events: climatic, seismic, volcanic

 Loss of essential services: electrical power, air conditioning, telecommunication

 Compromise of information: eavesdropping, theft of media, retrieval of discarded

materials
 75

 Technical failures: equipment, software, capacity saturation,

 Compromise of functions: error in use, abuse of rights, denial of actions.

Once you’ve identified the risks that can pose a probable threat to your company, and
determined how much loss can be expected from an incident, you are then prepared to make
decisions on how to protect your company. After performing a risk assessment, you may find a
considerable number of probable threats that can affect your company. These may include
intrusions, vandalism, theft, or other incidents and situations that may vary from business to
business. This may make any further actions dealing with risk management seem impossible.

5.5. Risk controls

Controls represent a whole range of actions, measures and strategies taken by
management to eliminate or reduce risks. They include documenting policies and procedures,
ensuring separation of duties in certain functions, implementing quality assurance programs,
including appropriate clauses in contracts, etc.

The process in determining risk controls includes, assessing the risk, assessing risk
appetite and evaluating how to treat the risk through mitigating actions. In assessing a risk, we
firstly must give consideration of our risk appetite by making a risk assessment, this could
include:

 avoid the risk

 mitigate the risk
 transfer the risk, and
 accept the risk.

A process should then be followed to identify efficient and effective ways to mitigate
against the risk, this can occur by either:

 removing the risk

 reducing the likelihood of the risk impact.
 reducing the consequences if the risk were to occur, or a combination of these
approaches.
76

5.6. Risk Control and Categories

Understanding all of the risks involved in a business venture or project, as well as their
probabilities, is vital. Risk analysis starts with studying historical precedent, expert opinions and
other sources to become familiar with the scope of potential problems. Next is identifying the
specific risks involved, including the positive and negative consequences that could ensue and
their likelihood. Armed with this predictive data, you can begin to design a relevant and
comprehensive risk management plan.

5.6.1. Risk Avoidance

The best risk control measure is avoidance. For example, a factory owner who learns that
a chemical used in the manufacturing process is dangerous to workers might avoid the risk
entirely by eliminating that step from the manufacturing process or by finding a safe substitute
chemical. Risk avoidance might work in some cut-and-dry scenarios, but being risk-averse also
can cause you to miss out on benefits, such as innovation, that derive from overcoming
challenges. Loss Control has two basic incarnations. First, loss prevention is taking reasonable
steps to lower risk probability. For example, the factory owner in the previous scenario might
alter the manufacturing process to isolate the dangerous chemical from workers. Second, loss
reduction minimizes the severity of a negative outcome. The factory owner might design
mechanical shutdown procedures to quarantine dangerous chemical leaks, for instance, as
well as publish evacuation procedures for worst-case scenarios. Risk Financing at a certain
point, taking further risk control measures becomes infeasible. For example, if the factory owner
has no option but to use the dangerous chemical and has taken appropriate safety measures in
accordance with governmental regulations and best practices within the industry, nothing more
can be done to avoid risk other than shut down the business. Risk financing then becomes a
viable means of risk control. This can take the form of reserving money in your budget for
worst-case scenarios or, if possible, purchasing insurance to help your business recover from a
loss

5.6.2. Risk Mitigation

Risk mitigation, the second process according to SP 800-30, the third according to ISO
27005 of risk management, involves prioritizing, evaluating, and implementing the appropriate
risk-reducing controls recommended from the risk assessment process. Risk mitigation can be
achieved through any of the following risk mitigation options:
 77

 Risk Assumption: -To accept the potential risk and continue operating the IT system
or to implement controls to lower the risk to an acceptable level

 Risk Avoidance: - To avoid the risk by eliminating the risk cause and/or consequence
(e.g., forgo certain functions of the system or shut down the system when risks are
identified)

 Risk Limitation: - To limit the risk by implementing controls that minimize the adverse
impact of a threat’s exercising a vulnerability (e.g., use of supporting, preventive,
detective controls)

 Risk Planning: - To manage risk by developing a risk mitigation plan that prioritizes,
implements, and maintains controls

 Research and Acknowledgement: -To lower the risk of loss by acknowledging

the vulnerability or flaw and researching controls to correct the vulnerability

 Risk Transference: - To transfer the risk by using other options to compensate for
the loss, such as purchasing insurance.

5.6.3. Risk Transfer

The transfer control strategy attempts to shift risk to other assets, other processes, or
other organizations. This can be accomplished by rethinking how services are offered, revising
deployment models, outsourcing to other organizations, purchasing insurance, or implementing
service contracts with providers. This allows the organization to transfer the risks associated
with the management of these complex systems to another organization that has experience in
dealing with those risks. A side benefit of specific contract arrangements is that the provider is
responsible for disaster recovery, and through service level agreements is responsible for
availability.

5.6.4. Risk Acceptance

The accept control strategy is the choice to do nothing to protect a vulnerability and to
accept the outcome of its exploitation. This may or may not be a conscious business decision.
The only industry-recognized valid use of this strategy occurs when the organization has done
the following:

 Determined the level of risk

 Assessed the probability of attack

78

 Estimated the potential damage that could occur from attacks

 Performed a thorough cost benefit analysis

 Evaluated controls using each appropriate type of feasibility

 Decided that the particular function, service, information, or asset did not justify the
cost of protection

This strategy is based on the conclusion that the cost of protecting an asset does not
justify the security expenditure. It is not acceptable for an organization to adopt a policy that
ignorance is bliss and hope to avoid litigation by pleading ignorance of its obligation to protect
employee and customer information. It is also unacceptable for management to hope that if
they do not try to protect information, the opposition will assume that there is little to be gained
by an attack.

The risks far outweigh the benefits of this approach.

5.7. Cost Benefit Analysis (CBA)

Sometimes called Benefit Costs Analysis (BCA), is a systematic approach to
estimating the strengths and weaknesses of alternatives (for example in transactions, activities,
functional business requirements or projects investments); it is used to determine options that
provide the best approach to achieve benefits while preserving savings. Broadly, CBA has two
main purposes:

 To determine if an investment/decision is sound (justification/feasibility) – verifying

whether its benefits outweigh the costs, and by how much

 To provide a basis for comparing projects – which involves comparing the total
expected cost of each option against its total expected benefits.

The following is a list of steps that comprise a generic cost–benefit analysis.

1. Define the goals and objectives of the project/activities

2. List stakeholders(is a member of the “groups without whose support the organization
would cease to exist).

 Primary Stakeholders – usually internal stakeholders, are those that engage in

economic transactions with the business (for example stockholders, customers,
suppliers, creditors, and employees).
 79

 Secondary Stakeholders – usually external stakeholders, are those who – although

they do not engage in direct economic exchange with the business – are affected
by or can affect its actions (for example the general public, communities, activist
groups, business support groups, and the media).

 Excluded Stakeholders – those such as children or the disinterested public, originally

as they had no economic impact on business

3. Select measurement(s) and measure all cost/benefit elements.

4. Predict outcome of cost and benefits over relevant time period.

5. Convert all costs and benefits into a common currency.

6. Apply discount rate.

7. Calculate net present value of project options.

8. Perform sensitivity analysis.

9. Adopt recommended choice

5.8. Risk Management

Risk is defined as the effect of uncertainty on objectives. A risk is the likelihood of a threat
agent exploiting a vulnerability and the corresponding business impact. Defined as the
combination of the probability of an event and its consequence. Characterized by reference to
potential events and consequences or a combination of both.

Risk management is the process of identifying risk, as represented by vulnerabilities, to

an organization’s information assets and infrastructure, and taking steps to reduce this risk to
an acceptable level. Each of the three elements in the C.I.A. triangle, is an essential part of
every IT organization’s ability to sustain long-term competitiveness. When an organization
depends on IT-based systems to remain viable, information security and the discipline of risk
management must become an integral part of the economic basis for making business decisions.
These decisions are based on trade-offs between the costs of applying information systems
controls and the benefits realized from the operation of secured, available systems.

Risk management involves three major undertakings: risk identification, risk assessment,
and risk control.
80

Risk identification is the examination and documentation of the security posture of an

organization’s information technology and the risks it faces.

Risk assessment is the determination of the extent to which the organization’s information
assets are exposed or at risk.

Risk control is the application of controls to reduce the risks to an organization’s data
and information systems. The various components of risk management and their relationship
to each other are shown in Figure: 5.2.

Figure 5.2: Risk Management

5.9. Components of Risk Management

There is no such thing as a 100-percent secure environment. Every environment has
vulnerabilities and threats. The skill is in identifying these threats, assessing the probability of
them actually occurring and the damage they could cause, and then taking the right steps to
reduce the overall level of risk in the environment to what the organization identifies as acceptable.
 81

Risks to an organization come in different forms, and they are not all computer related.
When a company purchases another company, it takes on a lot of risk in the hope that this
move will increase its market base, productivity, and profitability. If a company increases its
product line, this can add overhead, increase the need for personnel and storage facilities,
require more funding for different materials, and maybe increase insurance premiums and the
expense of marketing campaigns. The risk is that this added overhead might not be matched in
sales; thus, profitability will be reduced or not accomplished.

When we look at information security, note that an organization needs to be aware of

several types of risk and address them properly. The following items touch on the major
categories:

 Physical damage: -Fire, water, vandalism, power loss, and natural disasters

 Human interaction: -Accidental or intentional action or inaction that can disrupt

productivity

 Equipment malfunction: -Failure of systems and peripheral devices

 Inside and outside attacks: -Hacking, cracking, and attacking

 Misuse of data: -Sharing trade secrets, fraud, espionage, and theft

 Loss of data: -Intentional or unintentional loss of information to unauthorized

receivers

 Application error: -Computation errors, input errors, and buffer overflows

Threats must be identified, classified by category, and evaluated to calculate their damage
potential to the organization. Real risk is hard to measure, but prioritizing the potential risks in
order of which ones must be addressed first is obtainable.

Not enough people inside or outside of the security profession really understand risk
management. Even though information security is big business today, the focus is more on
applications, devices, viruses, and hacking. Although these items all must be considered and
weighed in risk management processes, they should be considered small pieces of the overall
security puzzle, not the main focus of risk management.

Security is a business issue, but businesses operate to make money, not just to be secure.
A business is concerned with security only if potential risks threaten its bottom line, which they
82

can in many ways, such as through the loss of reputation and customer base after a database
of credit card numbers is compromised; through the loss of thousands of dollars in operational
expenses from a new computer worm; through the loss of proprietary information as a result of
successful company espionage attempts; through the loss of confidential information from a
successful social engineering attack; and so on. It is critical that security professionals understand
these individual threats, but it is more important that they understand how to calculate the risk
of these threats and map them to business drivers.

In order to properly manage risk within an organization, you have to look at it holistically.
Risk, after all, exists within a context. NIST SP 800-39 defines three tiers to risk management:

· Organizational tier- Concerned with risk to the business as a whole, which means
it frames the rest of the conversation and sets important parameters such as the
risk tolerance level.

· Business process tier -Deals with the risk to the major functions of the organization,
such as defining the criticality of the information flows between the organization
and its partners or customers. The bottom tier.

· Information systems tier -Addresses risk from an information systems perspective.

Though this is where we will focus our discussion, it is important to understand that
it exists within the context of (and must be consistent with) other, more encompassing
risk management efforts.

Carrying out risk management properly means that you have a holistic understanding of
your organization, the threats it faces, the countermeasures that can be put into place to deal
with those threats, and continuous monitoring to ensure the acceptable risk level is being met
on an ongoing basis.

Summary

Risk management is the process of identifying risk, as represented by vulnerabilities, to

an organization’s information assets and infrastructure, and taking steps to reduce this risk to
an acceptable level.

Each of the three elements in the C.I.A. triangle, is an essential part of every IT
organization’s ability to sustain long-term competitiveness. Risk identification is the examination
and documentation of the security posture of an organization’s information technology and the
risks it faces.
 83

Check your answers

 Define Risk.

 What is Risk Management?

 _________ is the determination of the extent to which the organization’s information

assets are exposed or at risk.

 Security is an _________ issue.

 Every environment has _________ and _________.

Reference
 https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=908030

 Thomas R. Peltier. 2010. Information Security Risk Analysis (3rd ed.). Auerbach
Publications, Boston, MA, USA.

 https://www.nr.no/~abie/RA_by_Jenkins.pdfThomas R. Peltier. 2008. How to

Complete a Risk Assessment in 5 Days or Less (1st ed.). Auerbach Publications,
Boston, MA, USA.

 Thomas R. Peltier and Justin Peltier. 2006. Complete Guide to CISM Certification.
Auer Bach Publications, Boston, MA, USA.

 Thomas R. Peltier, Justin Peltier, and John A. Blackley. 2005. Information Security
Fundamentals On-Line Self-Study Course. CRC Press, Inc., Boca Raton, FL, USA.

 Thomas R. Peltier. 2005. Information Security Policies and Procedures On-Line

Self-Study Course. CRC Press, Inc., Boca Raton, FL, USA.

 https://its.ny.gov/sites/default/files/documents/risk-management-guide-2012.pdf

 Thomas R. Peltier. 2005. Information Security Risk Analysis On-Line Self-Study

Course. CRC Press, Inc., Boca Raton, FL, USA.

 Thomas R. Peltier. 2005. Information Security Risk Analysis. Auerbach Publications,

Boston, MA, USA.

 Thomas R. Peltier. 2004. Information Security Policies and Procedures: A

Practitioner’s Reference, Second Edition. Auerbach Publications, Boston, MA, USA.

 Thomas R. Peltier, Justin Peltier, and John Blackley. 2003. Information Security
Fundamentals. Auerbach Publications, Boston, MA, USA.
84

 Thomas R. Peltier and Patrick D. Howard. 2002. Total Cissp Exam Prep Book:
Practice Questions, Answers, and Test Taking Tips and Techniques. Auerbach
Publications, Boston, MA, USA.

 Thomas R. Peltier and Justin Peltier. 2002. Managing a Network Vulnerability

Assessment. CRC Press, Inc., Boca Raton, FL, USA.

 Thomas R. Peltier. 2001. Information Security Policies, Procedures, and Standards:

Guidelines for Effective Information Security Management. CRC Press, Inc., Boca
Raton, FL, USA.

 Thomas R. Peltier. 2000. Information Security Risk Analysis (1st ed.). CRC Press,
Inc., Boca Raton, FL, USA.

 Thomas R. Peltier. 1999. Information Security Policies and Procedures: A

Practitioner’s Reference (1st ed.). CRC Press, Inc., Boca Raton, FL, USA.

 Thomas R. Peltier. 1991. Policies and Procedures for Data Security: A Complete
Manual for Computer Systems and Networks. Backbeat Books.

 Thomas R. Peltier. 1991. Policies and Procedures for Data Security: A Complete
Manual for Computer Systems and Networks. Miller Freeman, Inc., Lawrence, KS,
USA.

 Principles of Information Security, Micheal E. Whilman, Herbert J. Mattord.

 85

UNIT 6
ACCESS CONTROL
Learning Objectives

After reading this lesson you will be able to understand

 Access Control

 User Identity and Access Management

 Account Authorization

 Access and Privilege Management

 System and Network Access Control

 Operating Systems Access Controls

 Monitoring Systems Access Controls

 Intrusion Detection System

 Event Logging

 Cryptography

Structure
6. Introduction

6.1. Access Control

6.2. User Identity and Access Management

6.3. Account Authorization

6.4. Access and Privilege Management

6.4.1 Implementation of PAM

6.4.2 Components of a PAM Solution

6.5. System and Network Access Control

6.5.1 System Access Control

6.5.2 Privileges
86

6.6 Network Access Control

6.7 Operating System Access Control

6.8 Monitoring Systems Access Control

6.9 Intrusion Detection System

6.10 Event Logging

6.11 Cryptography

6. Introduction
The goal of access control is to minimize the risk of unauthorized access to physical and
logical systems. Access control is a fundamental component of security compliance programs
that ensures security technology and access control policies are in place to protect confidential
information, such as customer data. Most organizations have infrastructure and procedures
that limit access to networks, computer systems, applications, files and sensitive data, such as
personally identifiable information and intellectual property.

6.1. Access Control

Access control is a security technique that can be used to regulate who or what can view
or use resources in a computing environment. There are two main types of access control:

1. physical and

2. logical.

Ø Physical access control : - limits access to campuses, buildings,

rooms and physical IT assets.

Ø Logical access control: - limits connections to computer networks,

system files and data.

The four main categories of logical access control are:

1. Mandatory access control

2. Discretionary access control

3. Role-based access control

4. Rule-based access control

 87

Systems perform authorization, identification, authentication, access approval, and

accountability of entities through login credentials including passwords, personal identification
numbers (PINs), biometric scans, and physical or electronic keys.

6.2. User Identity and Access Management

Identity management, also known as identity and access management (IAM) is, in
computer security, the security and business discipline that “enables the right individuals to
access the right resources at the right times and for the right reasons”. Identity-management
systems, products, applications and platforms manage identifying and ancillary data about entities
that include individuals, computer-related hardware, and software applications. IAM covers
issues such as how users gain an identity, the protection of that identity and the technologies
supporting that protection (e.g., network protocols, digital certificates, passwords, etc.)

FUNCTIONS:- In the real-world context of engineering online systems, identity

management can involve four basic functions:

(1) The pure identity function: Creation, management and deletion of identities without
regard to access or entitlements;

(2) The user access (log-on) function: For example: a smart card and its associated
data used by a customer to log on to a service or services (a traditional view);

(3) The service function: A system that delivers personalized, role-based, online, on-
demand, multimedia (content), presence-based services to users and their devices.

(4) Identity Federation: A system that relies on federated identity to authenticate a user
without knowing his or her password.

IAM products:- One Identity Manager from Dell combines easy installation, configuration
and use. The system is compatible with Microsoft SQL and Oracle database systems. According
to Dell, the self-service product is so user-friendly that employees can manage all stages in the
IAM life cycle without requiring help from the IT department. The product suite also includes
Cloud Access Manager, which enables single sign-on capabilities for a variety of Web application
access scenarios.

6.3. Account Authorization

Authentication verifies your identity and authentication enables authorization. An
authorization policy dictates what your identity is allowed to do. For example, any customer of
88

a bank can create and use an identity (e.g., a user name) to log into that bank’s online service
but the bank’s authorization policy must ensure that only you are authorized to access your
individual account online once your identity is verified.

Authorization can be applied to more granular levels than simply a web site or company
intranet. Your individual identity can be included in a group of identities that share a common
authorization policy. For example, imagine a database that contains both customer purchases
and a customer’s personal and credit card information. A merchant could create an authorization
policy for this database to allow a marketing group access to all customer purchases but prevent
access to all customer personal and credit card information, so that the marketing group could
identify popular products to promote or put on sale.

We implicitly create authorization policies when we use social media: Facebook, LinkedIn,
or Twitter may authenticate hundreds of millions of users, but to some extent we can authorize
whether or how these users engage with us. The same is true when you share files, videos, or
photos from sites like Google Docs, Dropbox, Instagram, Pinterest, Flickr or even when you
create a “shared” folder on your laptop.

6.4. Access and Privilege Management

The key is to get the importance of the word “Privileged.” A privileged user is someone
who has administrative access to critical systems. For instance, the individual who can set up
and delete email accounts on Microsoft Exchange Server is a privileged user. The word is not
accidental. Like any privilege, it should only be extended to trusted people. Only those seen as
responsible can be trusted with “root” privileges like the ability to change system configurations,
install software, change user accounts or access secure data. Of course, from a security
perspective, it never makes sense to unconditionally trust anyone. That’s why even trusted
access needs to be controlled and monitored. And, of course, privileges can be revoked at any
time.

A PAM solution offers a secure, streamlined way to authorize and monitor all privileged
users for all relevant systems. PAM lets you: Grant privileges to users only for systems on
which they are authorized. Grant access only when it’s needed and revoke access when the
need expires. Avoid the need for privileged users to have or need local/direct system passwords.
Centrally and quickly manage access over a disparate set of heterogeneous systems. Create
an unalterable audit trail for any privileged operation.
 89

6.4.1. Implementation of PAM

To implement privileged identity management (PIM) :

(1) Create a policy that specifies how super user accounts will be managed and what
the account holders should and should not be able to do.

(2) Develop a management model that identifies a responsible party to ensure that the
above policies are followed.

(3) Inventory privileged accounts to determine how extensive the population is and to
identify them.

(4) Establish tools and processes for management, such as provisioning tools or
specialized PIM products.

6.4.2. Components of a PAM Solution

Privileged Access Management solutions vary in their architectures, but most offer the
following components working in concert: Access Manager – This PAM module governs access
to privileged accounts. It is a single point of policy definition and policy enforcement for privileged
access management. A privileged user requests access to a system through the Access Manager.
The Access Manager knows which systems the user can access and at what level of privilege.
A super admin can add/modify/delete privileged user accounts on the Access Manager. This
approach reduces the risk that a former employee will retain access to a critical system. (This
situation is far more common than most IT manager would like to admit)

Password Vault – The best PAM systems prevent privileged users from knowing the
actual passwords to critical systems. This prevents a manual override on a physical device, for
example. Instead, the PAM system keeps these password in a secure vault and opens access
to a system for the privileged user once he has cleared the Access Manager.

Session Manager – Access control is not enough. You need to know what a privileged
user actually did during an administrative session. A Session Manager tracks actions taken
during a privileged account session.
90

6.5. System and Network Access Control

6.5.1. System Access Control

System Access Control authorizes the establishment of a session (i.e., login) and its
continuation until logout. Before granting a session, the TL1 Agent validates and authenticates
the session requester. In addition, the NE/NS also ensures that the communication path between
the NE/NS and the session requester is trusted so that no intruder can enter the channel. The
main objective of System Access Control feature is to reduce the risk of unauthorized access to
the NE/NS. User-Related Security View and Channel-Related Security View help in achieving
system access control Commands that are available for System Access Control. This is explained
in User-Related Security View and Channel-Related Security View.

6.5.2. Privileges

Security in TL1 uses the concept of Privileges. Privilege here means the access level for
a User. By default, there are a few access levels. You can also define you own access level.

The option Configure Privilege in Protocols "TL1" Security panel displays a list of privileges
as given below:

Ø Admin - Administration commands

Ø User - User-level commands
Ø NoTmout - No session termination due to Keep alive timeout
Ø MntSurv - Maintenance and Surveillance commands
Ø Prov - Provisioning commands

The user can add a new privilege or delete an existing privilege from the list by using the
Add/Delete options. While configuring user-related security parameters, the user access privilege
(UAP) can be configured for each user by adding one or more privileges from the list. When an
input message is received from a user, Agent checks if the user privilege matches the channel
privilege and also the command privilege before processing the command.

User-Related Security View

User-Related Security View is essential for identification and authentication of the users
accessing the TL1 Agent. The User-Related Security View contains the security parameters
and their values associated with all the users authorized to access the TL1 Agent. Using the
 91

User-Related Security View system access control is possible. The user details and various
other privileges associated with the user are entered in the User-related Security View.

Channel-Related Security View

The channel-related security view contains details related to security for each of the
protocols. Using the Channel-related Security View System Access control is possible. Using
this view, the administrator can restrict certain channels to certain users or certain resource of
a system can be made accessible only through certain channels. The Channel-Related Security
View contains the security parameters associated with all channels. Channels dealt with here
are the Transport Protocols, such as the TCP, Craft Interface, etc.

6.6. Network Access Control

Network access control (NAC), also called network admission control, is a method of
bolstering the security of a proprietary network by restricting the availability of network resources
to endpoint devices that comply with a defined security policy. A traditional network access
server (NAS) is a server that performs authentication and authorization functions for potential
users by verifying logon information. In addition to these functions, NAC restricts the data that
each particular user can access, as well as implementing anti-threat applications such as firewalls,
antivirus software and spyware-detection programs. NAC also regulates and restricts the things
individual subscribers can do once they are connected. Several major networking and IT vendors
have introduced NAC products. NAC is ideal for corporations and agencies where the user
environment can be rigidly controlled. However, some administrators have expressed doubt
about the practicality of NAC deployment in networks with large numbers of diverse users and
devices, the nature of which constantly change. An example is a network for a large university
with multiple departments.

6.7. Operating System Access Control

Most of today’s operating systems use Discretionary Access Control (DAC) as their primary
access control mechanism. One key weakness of DAC is that it is susceptible to the trojan
horse attack. An attacker can create a malicious program as a trojan horse, and a process
running the Trojan horse program will have the privileges of the user who runs it; thus the
process can abuse these privileges and violate the intended DAC policy. For similar reasons,
existing DAC mechanisms provide inadequate protection when software’s are buggy. When
attackers are able to feed malicious inputs to buggy software, they may be able to exploit the
92

bugs and take control of the process. From this point of view, buggy software becomes Trojan
horses when the attacker is able to feed inputs to them. Exploiting this weakness of DAC,
attackers are able to execute malicious code under the privileges of legitimate users,
compromising end hosts. Host compromise further leads to a wide range of other computer
security problems. Computer worms propagate by first compromising vulnerable hosts and
then propagating to other hosts. Compromised hosts may be organized under a common
command and control infrastructure, forming botnets. Botnets can then be used for carrying out
attacks such as phishing, spamming, and distributed denial of service. This project aims at
developing Mandatory Access Control (MAC) techniques to enhance existing DAC mechanism
to prevent host compromise. This project has several important differences from previous projects
with a similar goal. First, usability is treated as a top priority. The usability goals are as follows:
Configuring such a MAC system should not be more difficult than installing and configuring an
operating system; and existing applications and common usage practices can still be used.
This resulted in design choices that trade off security for simplicity and the introduction of novel
exception mechanisms to the MAC rules. Second, the security objective is clearly defined and
limited. The goal is to protect end host and user files against network attackers, malicious
websites, and user errors. Third, the project closely integrates DAC and MAC, rather than
viewing them as disjoint components. For example, MAC labels for files are inferred from their
DAC permissions.

6.8. Monitoring Systems Access Control

To have Monitoring Systems Access Controls installed are absolutely essential and active
within any business. If you have a business property and would like to have complete control,
then a security system is the only way to do it. Closed Circuit Television systems (CCTV) are
the most popular option for businesses of all sizes. These security and monitoring systems are
able to do more than just monitor and record unauthorized access and activities within a business
– CCTV surveillance systems are known to also deter unauthorized access, intrusion and object
displacement which can cause major losses within a business. The main aim of installing security
and monitoring systems in a business is for the correct management personnel to be alerted of
the fact that unauthorized activities have occurred so that the correct response can be enabled.
As CCTV systems record everything, the footage is often invaluable if evidence of a crime or
incident is needed in a court case or company disciplinary hearing. The safety and security of
the business, its assets, staff and productivity are all protected by security and monitoring
systems as all operations, processes, visitors and even customers are watched. Besides the
 93

numerous safety features and benefits offered by security and monitoring systems, they are
also a great tool when it comes to health and safety within the business, and quality control.

6.9. Intrusion Detection System

An intrusion detection system (IDS) is a type of security software designed to automatically
alert administrators when someone or something is trying to compromise information system
through malicious activities or through security policy violations.

An IDS works by monitoring system activity through examining vulnerabilities in the system,
the integrity of files and conducting an analysis of patterns based on already known attacks. It
also automatically monitors the Internet to search for any of the latest threats which could result
in a future attack. There are multiple ways in which detection is performed by an IDS. In signature-
based detection, a pattern or signature is compared to previous events to discover current
threats. This is useful for finding already known threats, but does not help in finding unknown
threats, variants of threats or hidden threats. Another type of detection is anomaly-based
detection, which compares the definition or traits of a normal action against characteristics
marking the event as abnormal.

6.9.1 There are three primary components of an IDS:

(1) Network Intrusion Detection System (NIDS): This does analysis for traffic on a whole
subnet and will make a match to the traffic passing by to the attacks already known in a library
of known attacks.

(2)Network Node Intrusion Detection System (NNIDS): This is similar to NIDS, but the
traffic is only monitored on a single host, not a whole subnet.

(3)Host Intrusion Detection System (HIDS): This takes a “picture” of an entire system’s
file set and compares it to a previous picture. If there are significant differences, such as missing
files, it alerts the administrator.

6.10. Event Logging

Event logging provides a standard, centralized way for applications (and the operating
system) to record important software and hardware events. The event logging service records
events from various sources and stores them in a single collection called an event log. The
Event Viewer enables you to view logs; the programming interface also enables you to examine
94

logs. Entries in the main panel of Event Viewer provide a quick overview of when, where, and
how an event occurred. The event type precedes the date and time of the event. Event types
include:

Ø Information : An informational event which is generally related to a successful action.

Ø Success Audit : An event related to the successful execution of an action.

Ø Failure Audit: An event related to the failed execution of an action.

Ø Warning : A warning. Details for warnings are often useful in preventing future system
problems.

Ø Error: An error, such as the failure of a service to start. Note : Warnings and errors
are the two types of events that you’ll want to examine closely. Whenever these
types of events occur and you’re unsure of the cause, double-click the entry to view
the detailed event description.

In addition to type, date, and time, the summary and detailed event entries provide the
following information:

Ø Source : The application, service, or component that logged the event.

Ø Category : The category of the event, which is sometimes used to further describe
the related action.

Ø Event : An identifier for the specific event.

Ø User: The user account that was logged on when the event occurred.

Ø Computer : The name of the computer where the event occurred.

Ø Description : In the detailed entries, a text description of the event.

Ø Data: In the detailed entries, any data or error code output by the event.

6.11. Cryptography
Cryptography involves creating written or generated codes that allows information to be
kept secret. Cryptography converts data into a format that is unreadable for an unauthorized
user, allowing it to be transmitted without anyone decoding it back into a readable format, thus
compromising the data. Information security uses cryptography on several levels. The information
cannot be read without a key to decrypt it. The information maintains its integrity during transit
and while being stored. Cryptography also aids in non-repudiation. This means that neither the
 95

creator nor the receiver of the information may claim they did not create or receive it. Cryptography
is also known as cryptology.

Cryptography also allows senders and receivers to authenticate each other through the
use of key pairs. There are various types of algorithms for encryption, some common algorithms
include:

(1)Secret Key Cryptography (SKC) - Here only one key is used for both encryption and
decryption. This type of encryption is also referred to as symmetric encryption.

(2)Public Key Cryptography (PKC): Here two keys are used. This type of encryption is
also called asymmetric encryption. One key is the public key and anyone can have access to it.
The other key is the private key, and only the owner can access it. The sender encrypts the
information using the receiver’s public key. The receiver decrypts the message using his/her
private key. For non-repudiation, the sender encrypts plain text using a private key, while the
receiver uses the sender’s public key to decrypt it. Thus, the receiver knows who sent it.

(3)Hash Functions: These are different from SKC and PKC. They have no key at all and
are also called one-way encryption. Hash functions are mainly used to ensure that a file has
remained unchanged.

Modern cryptography concerns itself with the following four objectives:

1) Confidentiality (the information cannot be understood by anyone for whom it was

unintended)

2) Integrity (the information cannot be altered in storage or transit between sender and
intended receiver without the alteration being detected)

3) Non-repudiation (the creator/sender of the information cannot deny at a later stage his
or her intentions in the creation or transmission of the information)

4) Authentication (the sender and receiver can confirm each others identity and the origin/
destination of the information)

Summary
 Access control is a security technique that can be used to regulate who or what can
view or use resources in a computing environment.
96

 Physical access control, limits access to campuses, buildings, rooms and physical
IT assets.

 Logical access control, limits connections to computer networks, system files and
data.

 The four main categories of access control are Mandatory access control,
Discretionary access control, Role-based access control, Rule-based access control.

 Identity management, also known as identity and access management (IAM) is, in
computer security, the security and business discipline that enables the right
individuals to access the right resources at the right times and for the right reasons.

 Authentication verifies your identity and authentication enables authorization. An

authorization policy dictates what your identity is allowed to do.

 A privileged user is someone who has administrative access to critical systems. A

PAM solution offers a secure, streamlined way to authorize and monitor all privileged
users for all relevant systems.

 Password Vault – The best PAM systems prevent privileged users from knowing
the actual passwords to critical systems. This prevents a manual override on a
physical device, for example. Instead, the PAM system keeps these password in a
secure vault and opens access to a system for the privileged user once he has
cleared the Access Manager.

 Session Manager – Access control is not enough. You need to know what a privileged
user actually did during an administrative session. A Session Manager tracks actions
taken during a privileged account session.

 The main objective of System Access Control feature is to reduce the risk of
unauthorized access to the NE/NS.

 Privilege means the access level for a User.

 Network access control (NAC), also called network admission control, is a method
of bolstering the security of a proprietary network by restricting the availability of
network resources to endpoint devices that comply with a defined security policy.

 Event logging provides a standard, centralized way for applications (and the operating
system) to record important software and hardware events.
 97

 Cryptography involves creating written or generated codes that allows information

to be kept secret. Cryptography converts data into a format that is unreadable for
an unauthorized user, allowing it to be transmitted without anyone decoding it back
into a readable format, thus compromising the data. Information security uses
cryptography on several levels.

Check your answers

 ………………………… is a security technique that can be used to regulate who or
what can view or use resources in a computing environment.

 ……………………., limits access to campuses, buildings, rooms and physical IT

assets.

 ……………………….., limits connections to computer networks, system files and

data.

 The four main categories of access control are ………………………, ……………..,

……………………, ……………………………….

 ……………………….. is, in computer security, the security and business discipline

that enables the right individuals to access the right resources at the right times and
for the right reasons.

 ………………….. verifies your identity and authentication enables authorization. An

authorization policy dictates what your identity is allowed to do.

· A ……………………………….. is someone who has administrative access to critical

systems. A PAM solution offers a secure, streamlined way to authorize and monitor
all privileged users for all relevant systems.

 ……………………..the best PAM systems prevent privileged users from knowing

the actual passwords to critical systems. This prevents a manual override on a
physical device, for example. Instead, the PAM system keeps these passwords in a
secure vault and opens access to a system for the privileged user once he has
cleared the Access Manager.

 …………………….. Access control is not enough. You need to know what a privileged
user actually did during an administrative session.
98

 A ……………………. tracks actions taken during a privileged account session.

 The main objective of System Access Control feature is to reduce the risk of
……………………. to the NE/NS.

 …………………. means the access level for a User.

 …………………………, is a method of bolstering the security of a proprietary network

by restricting the availability of network resources to endpoint devices that comply
with a defined security policy.

 ………………………. provides a standard, centralized way for applications (and

the operating system) to record important software and hardware events.

 ………………..involves creating written or generated codes that allows information

to be kept secret. It converts data into a format that is unreadable for an unauthorized
user, allowing it to be transmitted without anyone decoding it back into a readable
format, thus compromising the data. Information security uses cryptography on
several levels.

Reference
 Federal Financial Institutions Examination Council (2008). ”Authentication in an
Internet Banking Environment”(PDF).

 ”MicroStrategy’s office of the future includes mobile identity and cybersecurity”.

Washington Post.

 ”iPhone 5S: A Biometrics Turning Point?”. BankInfoSecurity.com.

 ”NFC access control: cool and coming, but not close”. Security Systems News.

 ”Ditch Those Tacky Key Chains: Easy Access with EC Key”. Wireless Design and
Development. 2012-06-11.

 “Kisi And KeyMe, Two Smart Phone Apps, Might Make House Keys Obsolete”. The
Huffington Post. The Huffington Post.

 ”Opening new doors with IP access control ­ Secure Insights”. Secure Insights.

 ”Incident Command System :: NIMS Online :: Serving the National Incident

Management System (NIMS) Community”. 2007-03-18.

 ”Smart access control polices for residential & commercial buildings”. Archived from
the original on 4 July 2017.
 99

 ”Cybersecurity: Access Control”. 4 February 2014.

 ”SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and
Considerations” (PDF). NIST. 2014.

 Schapranow, Matthieu-P. (2014). Real-time Security Extensions for EPCglobal

Networks. Springer. ISBN 978-3-642-36342-9.

 http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&
p = 1 & u = %2 F n e ta h t m l % 2 F PTO % 2 F s e a r c h - bo o l . h t m l & r = 1 & f = G & l = 5 0
&co1=AND&d=PTXT&s1=8,984,620.PN.&OS=PN/8,984,620&RS=PN/8,984,620

 ”OrBAC: Organization Based Access Control - The official OrBAC model

website”. orbac.org.

 ”Archived copy” (PDF). ”What is Data Hiding? - Definition from”.

 ”Controlling Access to Members of a Class (The Java™ Tutorials > Learning the
Java Language > Classes and Objects)”. docs.oracle.com.

 Satish Talim / Original design: Erwin Aligam -. ”Ruby Access Control: Ruby Study
Notes - Best Ruby Guide, Ruby Tutorial”. rubylearning.com.
100

UNIT – 7
PHYSICAL SECURITY
Learning Objective

After reading this chapter you will be able to understand:

 Physical Security

 Perimeter Security

 Fire Prevention and Detection

 Safe disposal of physical assets

 Emergency Preparedness Plan

 Security Guards

 Modern sophisticated equipments

 Security Alarm System

Structure
7.1. Physical Security

7.2. Perimeter Security

7.3. Fire Prevention and Detection

7.3.1 Heat detector

7.3.2 Smoke detector

7.3.3 Flame detector

7.3.4 Fire gas detector

7.4. Safe disposal of physical assets

7.4.1 Recycling

7.4.2 Tracking

7.5 Emergency Preparedness plan

7.5.1 What is a workplace emergency?

7.5.2 What is an emergency action plan?

 101

7.5.3 How to alert workers of an emergency ?

7.5.4 Emergency Plan and Evacuation Coordinators

7.6 Security Guard

7.6.1 Duties & Responsibilities

7.7 Modern Sophisticated Equipment

7.7.1. RFID Badges

7.7.2. Video surveillance

7.7.3. Perimeter security systems

7.7.4. Iris recognition

7.7.5 Security guards and photo ID badges

7.7.6 Security linked to mobile devices

7.7.7 Fingerprint scanning

7.7.8 Facial recognition

7.8 Security Alarm Systems

7.8.1 Design of Security Alarms

7.8.2 Sensors

7.1 Physical Security

Physical security describes security measures that are designed to deny unauthorized
access to facilities, equipment and resources and to protect personnel and property from damage
or harm (such as espionage, theft, or terrorist attacks).Physical security involves the use of
multiple layers of interdependent systems which include CCTV surveillance, security guards,
protective barriers, locks, access control protocols, and many other techniques. Physical security
systems for protected facilities are generally intended to:

(1) Deter potential intruders (e.g. Warning signs and perimeter markings)

(2) Detect intrusions and monitor/record intruders (e.g. Intruder alarms and CCTV systems)

(3) Trigger appropriate incident responses (e.g. By security guards and police).
102

It is up to security designers, architects and analysts to balance security controls against

risks, taking into account the costs of specifying, developing, testing, implementing, using,
managing, monitoring and maintaining the controls, along with broader issues such as aesthetics,
human rights, health and safety, and societal norms or conventions.

Physical access security measures that are appropriate for a high security prison or a
military site may be inappropriate in an office, a home or a vehicle, although the principles are
similar.

Identify Assets to be protected: - Identifying the critical assets is essential for many reasons.
You will come to know what is critical and essential for the business. You will be able to take
appropriate decisions regarding the level of security that should be provided to protect the
assets. You will also be able to decide about the level of redundancy that is necessary by
keeping an extra copy of the data or an extra server that you should procure and keep as a hot
standby. Not all information is created equal. Some information is more important to the profitable
operation of a business than other information. This is not my opinion, it is an undeniable fact
for every organization, and one of the few universal truths in the information security world.
Every organization likely has three distinct types of information: information that can be shared
freely, often referred to as public information, information that can be shared with certain
audiences in specific ways, often referred to as sensitive information, and information that
should remain confidential to the company and should not be shared, often referred to as
secret or internal information. We can broadly classify assets in the following categories:

1. Information assets Every piece of information about your organization falls in this
category. This information has been collected, classified, organized and stored in various forms.

 Databases: Information about your customers, personnel, production, sales,

marketing, finances. This information is critical for your business. Its confidentiality,
integrity and availability is of utmost importance.

 Data files: Transactional data giving up-to-date information about each event.

 Operational and support procedures: These have been developed over the years
and provide detailed instructions on how to perform various activities.

 Archived information: Old information that may be required to be maintained by

law.
 103

 Continuity plans, fallback arrangements: These would be developed to overcome

any disaster and maintain the continuity of business. Absence of these will lead to
ad-hoc decisions in a crisis.

2. Software assets: These can be divided into two categories:

a) Application software: Application software implements business rules of the

organization. Creation of application software is a time consuming task. Integrity of application
software is very important. Any flaw in the application software could impact the business
adversely.

b) System software: An organization would invest in various packaged software programs

like operating systems, DBMS, development tools and utilities, software packages, office
productivity suites etc. Most of the software under this category would be available off the shelf,
unless the software is obsolete or non-standard.

3. Physical assets: These are the visible and tangible equipment and could comprise of:

a) Computer equipment: Mainframe computers, servers, desktops and notebook

computers.

b) Communication equipment: Modems, routers, EPABXs and fax machines.

c) Storage media: Magnetic tapes, disks, CDs and DATs.

d) Technical equipment: Power supplies, air conditioners.

e) Furniture and fixtures

4. Services

a) Computing services that the organization has outsourced.

b) Communication services like voice communication, data communication, value added

services, wide area network etc.

c) Environmental conditioning services like heating, lighting, air conditioning and power.

These critical information assets should become the focus of more resource intensive
detection and response capabilities. Technologies like Data Loss Prevention and Security
104

Information and Event Management systems. Those systems would form the foundation that
allows an organization to deploy next-level technologies to protect their assets within a defined
scope that is justifiable from a cost/benefit analysis perspective.

7.2 Perimeter Security

Some people, when they hear the term perimeter, may conjure up an image of a small
squad of soldiers spread out on the ground in a circular formation. Others may come up with
the circling-the-wagons image. A perimeter is the fortified boundary of the network that might
include the following aspects:

(1) Border routers

(2) Firewalls

(3) IDSs

(4) IPSs

(5) VPN devices

(6) Software architecture

(7) DMZs and screened subnets

7.2.1. Border Routers: - Routers are the traffic cops of networks. They direct traffic into,
out of, and within our networks. The border router is the last router you control before an
untrusted network such as the Internet. Because all of an organization’s Internet traffic goes
through this router, it often functions as a network’s first and last line of defense through initial
and final filtering.

7.2.2. Firewalls: - A firewall is a chokepoint device that has a set of rules specifying what
traffic it will allow or deny passing through it. A firewall typically picks up where the border router
leaves off and makes a much more thorough pass at filtering traffic. Firewalls come in several
different types, including static packet filters, tasteful firewalls, and proxies. You might use a
static packet filter such as a Cisco router to block easily identifiable “noise” on the Internet, a
tasteful firewall such as a Check Point FireWall-1 to control allowed services, or a proxy firewall
such as Secure Computing Sidewinder to control content. Although firewalls aren’t perfect,
they do block what we tell them to block and allow what we tell them to allow.
 105

7.2.3. Intrusion Detection Systems: -AN IDS is like a burglar alarm system for your
network that is used to detect and alert on malicious events. The system might comprise many
different IDS sensors placed at strategic points in your network. Two basic types of IDS exist:
network-based (NIDS), such as Snort or Cisco Secure IDS, and host-based (HIDS), such as
Tripwire or ISS Black ICE. NIDS sensors monitor network traffic for suspicious activity. NIDS
sensors often reside on subnets that are directly connected to the firewall, as well as at critical
points on the internal network. HIDS sensors reside on and monitor individual hosts.

7.2.4. Intrusion Prevention Systems: - An IPS is a system that automatically detects

and thwarts computer attacks against protected resources. In contrast to a traditional IDS,
which focuses on notifying the administrator of anomalies, an IPS strives to automatically defend
the target without the administrator’s direct involvement. Such protection may involve using
signature-based or behavioral techniques to identify an attack and then blocking the malicious
traffic or system call before it causes harm. In this respect, an IPS combines the functionality of
a firewall and IDS to offer a solution that automatically blocks offending actions as soon as it
detects an attack.

7.2.5. Virtual Private Networks:-A VPN is a protected network session formed across
an unprotected channel such as the Internet. Frequently, we reference a VPN in terms of the
device on the perimeter that enables the encrypted session, such as Cisco VPN Concentrator.
The intended use might be for business partners, road warriors, or telecommuters. A VPN
allows an outside user to participate on the internal network as if connected directly to it. Many
organizations have a false sense of security regarding their remote access just because they
have a VPN. However, if an attacker compromises the machine of a legitimate user, a VPN can
give that attacker an encrypted channel into your network. You might trust the security of your
perimeter, but you have little control over your telecommuters’ systems connecting from home,
a hotel room, or an Internet café. Similar issues of trust and control arise with the security of
nodes connected over a VPN from your business partner’s network.

7.2.6. Software Architecture:-Software architecture refers to applications that are hosted

on the organization’s network, and it defines how they are structured. For example, we might
structure an e-commerce application by splitting it into three distinct tiers:
106

(1)The web front end that is responsible for how the application is presented to the user

(2)The application code that implements the business logic of the application

(3)The back-end databases that store underlying data for the application

Software architecture plays a significant role in the discussion of a security infrastructure

because the primary purpose of the network’s perimeter is to protect the application’s data and
services. When securing the application, you should ensure that the architecture of the software
and the network is harmonious.

7.2.7. De-Militarized Zones and Screened Subnets

We typically use the terms DMZ and screened subnet in reference to a small network
containing public services connected directly to and offered protection by the firewall or other
filtering device. A DMZ and a screened subnet are slightly different, even though many people
use the terms interchangeably. The term DMZ originated during the Korean War when a strip of
land at the 38th parallel was off-limits militarily. A DMZ is an insecure area between secure
areas. Just as the DMZ in Korea was in front of any defenses, the DMZ, when applied to
networks, is located outside the firewall. A firewall or a comparable traffic-screening device
protects a screened subnet that is directly connected to it.

7.3. Fire Prevention and Detection

Fire prevention: - In data centers, where an organization’s entire digital infrastructures
operates, close attention to fire safety is a must. Every procedure should include fire-safety
considerations that are followed every time. Here are five things to keep in mind:

1) Use caution around flammable materials. Things that seem innocuous — boxes and
other packaging items, for example — can pose a fire hazard. Experts recommend using staging
areas, or “breakdown rooms,” where equipment is removed from boxes and unwrapped before
it ever enters the actual data center. This eliminates many potentially hazardous materials from
ever reaching the data center. Any flammable materials that do need to be in the data center
should be stored in fire-retardant cabinets.

2) Create multiple power rooms. Many data centers have a single power room to house
electrical buses, including back-up, or “catcher” buses. In the event of a fire, and the use of
water to fight a blaze, it’s likely the water could shut down an entire room. Smoke also can
 107

dictate a complete power room shut down, in turn shutting down the entire data center. Experts
recommend, if at all possible, having each bus in a separate room with its own emergency
power off (EPO) switch. The uninterruptible power supply (UPS) for each bus would also be in
its own room.

3) Regularly inspect and maintain all fire-safety systems. Following a regular service and
inspection routine for all fire-prevention systems and equipment ensures they remain operational.

4) Monitor changes within the facility as a whole. Facility renovations and upgrades can
affect how a fire-safety system could interact with data center equipment. One such example:
more sophisticated computer equipment could require containment strategies to keep the data
center at an appropriate temperature. The equipment, such as screens to contain a hot or cold
aisle, could have an effect on sprinkler and fire-suppression-system discharge patterns. Thus,
changes not only drive facility design but also fire-safety considerations.

5) Prepare for the worst. Facilities professionals and data center managers need to be
prepared for a fire. A solid emergency plan informs local firefighters about the building. It’s also
essential to let them know how the data center operates to help first responders understand
that fire hoses aren’t always the best solution in this space.

Fire detection: - Fire detectors sense one or more of the products or phenomena resulting
from fire, such as smoke, heat, infrared and/or ultraviolet light radiation, or gas.

In dwellings, smoke detectors are often stand-alone devices. In non-domestic buildings,

fire detection will typically take the form of a fire alarm system, incorporating one or more of the
following automatic devices:

(1) Heat detector

(2) Smoke detector

(3) Flame detector

(4) Fire gas detector

7.3.1. Heat detector

A heat detector is a fire alarm device designed to respond when the convicted thermal
energy of a fire increases the temperature of a heat sensitive element. The thermal mass and
108

conductivity of the element regulate the rate of flow of heat into the element. All heat detectors
have this thermal lag. Heat detectors have two main classifications of operation, “rate-of-rise”
and “fixed temperature”. The Heat detector is used to help in the reduction of damaged property.
It is triggered when temperature increases.

7.3.2. Smoke detector

A smoke detector is a device that senses smoke, typically as an indicator of fire.

Commercial security devices issue a signal to a fire alarm control panel as part of a fire alarm
system, while household smoke detectors, also known as smoke alarms, generally issue a
local audible or visual alarm from the detector itself.

7.3.3. Flame detector

A flame detector is a sensor designed to detect and respond to the presence of a flame
or fire, allowing flame detection. Responses to a detected flame depend on the installation, but
can include sounding an alarm, deactivating a fuel line (such as a propane or a natural gas
line), and activating a fire suppression system. When used in applications such as industrial
furnaces, their role is to provide confirmation that the furnace is properly lit; in these cases they
take no direct action beyond notifying the operator or control system. A flame detector can often
respond faster and more accurately than a smoke or heat detector due to the mechanisms it
uses to detect the flame.

7.3.4. Fire gas detector

A carbon monoxide detector or CO detector is a device that detects the presence of the
carbon monoxide (CO) gas in order to prevent carbon monoxide poisoning. CO is a colorless,
tasteless and odorless compound produced by incomplete combustion of carbon-containing
materials. It is often referred to as the “silent killer” because it is virtually undetectable without
using detection technology. Elevated levels of CO can be dangerous to humans depending on
the amount present and length of exposure. Smaller concentrations can be harmful over longer
periods of time while increasing concentrations require diminishing exposure times to be harmful.

7.4. Safe disposal of physical assets

Improper disposal can occur at any level within a company. Banks have accidentally
thrown out computers containing confidential client information, and high level executives have
sold phones containing valuable company information. A company is financially responsible for
 109

all data it stores and can face serious consequences if this data is breached — especially if the
reason for the breach is negligence. Deleting documents and files stored on a computer cannot
always remove all of the data. In fact, there are special programs specifically designed to pull
deleted data from a hard drive. The only way to ensure data remains safe is to have a drive
professionally wiped or destroyed. A small business’s physical assets usually include computers,
printers, copiers, tablets, and phones. All IT equipment must be disposed of correctly if you are
to preserve the confidentiality of your data. Third-party services are available to wipe hard
drives and eliminate any residual information on your IT equipment before it is thrown out. You
may be surprised to discover even a copier or a fax machine may contain confidential documents
within its hard drive. Thus, these machines also need to be disposed of carefully. Often, the
hard drives can be shredded so important company data is not compromised. Refurbishing
companies often accept old IT equipment, as long as it is still functioning. This can be an
excellent way to recapture some value from the IT equipment without having to sell it or worry
about it falling into the wrong hands. These companies wipe out the hard drives and fully restore
the equipment before reselling the items.

7.4.1 Recycling

Recycling assets is an excellent way to support the environment and remove your
company’s old assets. Contacting companies who perform recycling of electronic equipment
will educate you as to both your responsibilities and what you can expect from their services. If
you want to ensure the safety of your data, remove hard drives for shredding beforehand.
Another method for recycling assets involves using the components of older equipment within
other machines or simply breaking the equipment down for raw materials.

7.4.2 Tracking

Tracking assets is a significant responsibility of any business – large or small. Detailed

information about purchase, maintenance, and physical disposition of assets is required for the
reporting of a company’s financial liabilities and worth. As asset management solution makes
the recording of these details possible and allows for the development of protocols for following
each asset’s life cycle (including destruction) and ensures an accurate physical inventory and
balance sheet. The disposal of IT assets should be handled in a timely and responsible fashion.
While it may seem difficult to properly dispose of a physical asset, it can be equally dangerous
to have non-functioning equipment in storage or simply around the office. This equipment is
vulnerable as long as it holds data, especially if no one is managing it. A better solution is to
110

assess your physical assets on a regular basis and to properly dispose of any and all obsolete
equipment quickly.

Below mentioned are the some of the commonly used security devices worldwide.

o Smart Locks

o Control Panel

o Keypads

o Sensors

o Motion Detectors

o Smoke Detectors

o Security Cameras

o Key Fobs

7.4.2.1 Smart Locks

It doesn’t seem like the most high-tech part of the security system, but it can be. Smart
locks are all the rage these days. Some tie into a larger home security setup, while others work
nicely alone—or at least in conjunction with a Smartphone or other web-enabled device. When
choosing a smart lock, consider the size of the lock, the functionality, and of course, the price.

7.4.2.2 Control Panel

If this is going to be a high-tech system, it’s going to need a brain. The control panel
monitors the activity from the various components that you’ll see on this list. Once something
like a sensor or camera is triggered, the control panel can notify you or a monitoring company
(if you have that option). While not all of the products on this list require a control panel, it does
tie together a complete system. There are plenty of hardwired and wireless options. ADT has
specific control panels that can tie into other products and the company’s 24/7 monitoring service.
Elk has the M1, a control panel that’s designed to work with several third-party systems. Honeywell
also has a slew of its own options, including the pictured VISTA-21iP, which provides up to 48
zones of protection.
 111

7.4.2.3 Keypads

If you’re going to have a control panel, you’ll need ways to access it. Sometimes, running
down to the main control panel isn’t convenient—or safe. Instead, you can add keypads
throughout the house so the system can be accessed almost anywhere. Of course, you probably
wouldn’t need one inside the bathroom, but having one in the garage and another in your
bedroom will allow you to arm and disarm the system, check the status, or alert the monitoring
company at a moment’s notice. There are plenty of keypads for the DIYer, but every professionally
installed system also has its own selection of keypads.

7.4.2.4. Sensors

There are several different types of sensors. These are basically “switches,” which can
trigger the alarm system in case of an emergency. Some sensors are designed to alert the
system when a door or window has been opened. Some can even alert you to breaking glass or
when water is present in a place where it shouldn’t be present. Once a sensor is triggered, it
can alert your system to sound an alarm, send a text message, or even notify authorities. In
some cases, the sensor can trigger cameras to start recording. Despite being the smallest part
of a security system, sensors are the most crucial. Just be aware that some sensors do require
wiring knowledge to be installed and/or integrated into a whole-house system. Of course, there
are easy alternatives like the pictured Swann Magnetic Window/Door Alarm, which doesn’t
require wiring and operates like a stand-alone security device with its own built-in audible alarm

7.4.2.5. Motion Detectors

What happens if an intruder slips past those window and door sensors? You may want
to think about a motion detector. This is very similar to a sensor, except that it detects motion
and body heat. Pets can actually trigger some motion sensors, so you may want to take that
into consideration when buying one. (In other words, a few extra bucks could save you a lot of
chest pains.) However, if you don’t have a pet or need an inexpensive alternative, Belkin’s
WeMo Switch + Motion makes for an affordable ($79.99), easy alternative. Just plug in the
device and pair it with the lamp and the free WeMo app. Users can set up the system to turn on
a light, fan or other device once motion is detected. The system can also send out alerts,
making it a nice compliment for a web-enabled camera.
112

7.4.2.6. Smoke Detectors

Smoke detectors aren’t just convenient; they’re also required by law. They can even be
pretty high-tech. If the smoke detector is tied into a security system with monitoring, you can get
a super-speedy response from police and fire departments. The newly released Nest Protect
doesn’t work with larger security systems, but it does work with the Nest thermostat and a
variety of web-enabled devices. The combination smoke and carbon monoxide alarm also has
audible alerts, the option to silence the alarm with the wave of a hand, and a Path light feature
for lighting your way in the middle of the night.

7.4.2.7. Security Cameras

Cameras have become a vital part of the home security setup. After all, who doesn’t
want a peek at their home while away from home? There are plenty of hardwired options, but
stand-alone, web-enabled cameras have recently become a very popular security option. Both
the Drop cam HD and Samsung’s upcoming Smart Cam HD PRO offer an easy alternative.
Just place the camera wherever you want it, plug it in, connect it to your home network, and you
can get a live peek at your property from any device with a web connection. Some stand-alone
cameras even offer cloud-based storage for a small monthly fee.

7.4.2.8. Key Fobs

This tiny device may not seem as essential as the others on our list—until your
Smartphone runs out juice, anyway. A key fob is a tiny device with built-in access to your
security system. No web connection is needed. Instead, it has limited access built into a something
that can double as a keychain. It’s also a nice backup plan or even an easy way to give someone
limited access to your home security system. Key fobs are also very easy to store in the glove
compartment or in a kitchen drawer. The one pictured is Vivint’s key fob, which allows users to
arm and disarm the security system, as well as call the monitoring station, all without having to
enter the home.

7.5. Emergency Preparedness Plan

Emergencies and disasters can strike anywhere and at any time bringing workplace injuries
and illnesses with them. Employers and workers may be required to deal with an emergency
when it is least expected and proper planning before an emergency is necessary to respond
effectively. The best way to protect workers is to expect the unexpected and to carefully develop
 113

an emergency action plan to guide everyone in the workplace when immediate action is
necessary. Planning in advance helps ensure that everyone knows what to do when an
emergency occurs.

7.5.1 What is a workplace emergency?

A workplace emergency is a situation that threatens workers, customers, or the public;

disrupts or shuts down operations; or causes physical or environmental damage. Emergencies
may be natural or man-made, and may include hurricanes, tornadoes, earthquakes, floods,
wildfires, winter weather, chemical spills or releases, disease outbreaks, releases of biological
agents, explosions involving nuclear or radiological sources, and many other hazards. Many
types of emergencies can be anticipated in the planning process, which can help employers
and workers plan for other unpredictable situations.

7.5.2 What is an emergency action plan?

An emergency action plan (EAP) is intended to facilitate and organize employer and
worker actions during workplace emergencies and is recommended for all employers. Well-
developed emergency plans and proper worker training (i.e., so that workers understand their
roles and responsibilities within the plan) will result in fewer and less severe worker injuries and
less damage to the facility during emergencies. A poorly prepared plan may lead to a disorganized
evacuation or emergency response, resulting in confusion, injury, illness (due to chemical,
biological and/or radiation exposure), and/or property damage.

7.5.3 How to alert workers of an emergency?

If a business is required to have an EAP, the plan must include a way to alert workers,
including disabled workers, to evacuate or take other action. These standards require:

1. Employers to ensure that alarms are distinctive and recognized by all workers as a
signal to evacuate the work area or perform actions identified in the plan; and

2. Alarms to be able to be heard, seen, or otherwise perceived by everyone in the workplace.

Local fire codes require an auxiliary power supply in the event that electricity is shut off.

7.5.4 Emergency Plan and Evacuation Coordinators

When drafting an emergency action plan, consider selecting a responsible individual to

lead and coordinate the emergency plan and evacuation. It is critical that workers know who the
114

coordinator is and understand that the coordinator has the authority to make decisions during
emergencies.

The Coordinator should be responsible for:

1. Assessing the situation to determine whether an emergency exists and if so, requiring
activation of emergency procedures;

2. Supervising all emergency efforts in the area, including evacuating personnel;

3. Ensuring that external emergency services, such as the local fire department or
emergency medical service, are available and notified when necessary; and coordinating these
services when they arrive on site; and

4. Directing the shutdown of plant operations when required;

5. Ensuring that only trained workers use portable fire extinguishers;

6. Ensuring that routes for emergency vehicles and paths for emergency responder access
are clear;

7. Informing arriving emergency responders of the incident location, conditions, and status
of occupants; and

8. Having knowledgeable workers available to advise emergency responders.

7.6. Security Guard

A security guard is a person employed by a public or private party to protect the employing
party’s assets from a variety of hazards by enforcing preventative measures. Security guards
do this by maintaining a high-visibility presence to deter illegal and inappropriate actions, looking
for signs of crime or other hazards, taking action to minimize damage and reporting any incidents
to their clients and emergency services as appropriate.

7.6.1 Duties & Responsibilities

1. Maintains safe and secure environment for customers and employees by patrolling
and monitoring premises and personnel.
 115

2. Secures premises and personnel by patrolling property; monitoring surveillance

equipment; inspecting buildings, equipment, and access points; permitting entry.

3. Obtains help by sounding alarms.

4. Prevents losses and damage by reporting irregularities; informing violators of policy

and procedures; restraining trespassers.

5. Controls traffic by directing drivers.

6. Completes reports by recording observations, information, occurrences, and

surveillance activities; interviewing witnesses; obtaining signatures.

7. Maintains environment by monitoring and setting building and equipment controls.

8. Maintains organization’s stability and reputation by complying with legal requirements.

9. Ensures operation of equipment by completing preventive maintenance

requirements; following manufacturer’s instructions; troubleshooting malfunctions;
calling for repairs; evaluating new equipment and techniques.

10. Contributes to team effort by accomplishing related results as needed.

7.7. Modern Sophisticated Equipment

Physical security has come a long way since the advent of the lock and key. But for all of
its changes, the greatest aspect of the evolution of physical security is how it has begun to
mesh with our digital world. What follows, then, are eight of the most significant developments
that have occurred over time in the field of physical security, and how some of them still stand
to be advanced

7.7.1. RFID Badges

Most buildings these days incorporate RFID badges in some capacity. The badges, which
contain two crucial pieces of information – the site code and the individual badge ID –, allow
employees to swipe their card in close proximity to a scanner in order to gain access to certain
areas.

7.7.2. Video surveillance

Video surveillance has been around for quite some time now, but it has improved drastically
since its inception. Video surveillance is now sophisticated enough to incorporate facial recognition
and higher quality cameras are creating footage that is sharper than ever.
116

7.7.3. Perimeter security systems

No longer do we need to rely solely on walls or fences for guarding a facility’s perimeter,
thanks to the advances in perimeter monitoring systems. Some systems now use microwaves
or radio waves to establish a perimeter and can alert security teams when the protected area is
being encroached upon.

7.7.4. Iris recognition

Striking a balance between being both accurate and non-invasive, iris recognition now
allows security teams to identify people based solely on the pattern of their eye.

7.7.5 Security guards and photo ID badges

There’s something to be said for a good, old-fashioned pair of eyes. With the use of RFID
cards and outsourced access systems, the human element of security is being lost. Knowing
who has been coming into the building for years – or perhaps noticing that a person is using
someone else’s photo ID badge simply because their face isn’t the one on the card – are things
a machine can’t do, but a human can.

7.7.6. Security linked to mobile devices

It’s not uncommon these days to have security systems – especially home security systems
– linked to a mobile device. Smart sensors, wireless deadbolts, and remote control security/
utility systems can all be controlled by a user’s mobile device.

7.7.7 Fingerprint scanning

Fingerprint scanning not only ups the level of security at an access point by requiring
identification that is unique to each person, but also allows security systems to keep track of
who is entering the facility.

7.7.8 Facial recognition

Part of the advancements that have been made in video surveillance is facial recognition
coding. Facial recognition has become so advanced that it can not only be used to verify that
somebody is who they say they are, it can also be used to pick a person out of the crowd and
even determine if they’re up to no good.
 117

7.8. Security Alarm Systems

A security alarm is a system designed to detect intrusion – unauthorized entry – into a
building or other area. Security alarms are used in residential, commercial, industrial, and military
properties for protection against burglary or property damage, as well as personal protection
against intruders. Security alarms in residential areas show a correlation with decreased theft.
Car alarms likewise help protect vehicles and their contents. Prisons also use security systems
for control of inmates.

Some alarm systems serve a single purpose of burglary protection; combination systems
provide both fire and intrusion protection. Intrusion alarm systems may also be combined with
closed-circuit television surveillance (CCTV) systems to automatically record the activities of
intruders, and may interface to access control systems for electrically locked doors. Systems
range from small, self-contained noisemakers, to complicated, militaries systems with computer
monitoring and control. It may even include two-way voice which allows communication between
the panel and Monitoring station.

7.8.1. Design of Security Alarms

The most basic alarm consists of one or more sensors to detect intruders, and an alerting
device to indicate the intrusion. However, a typical premises security alarm employs the following
components:

Premises control unit (PCU), Alarm Control Panel (ACP), or simply panel: The “brain” of
the system, it reads sensor inputs, tracks arm/disarm status, and signals intrusions. In modern
systems, this is typically one or more computer circuit boards inside a metal enclosure, along
with a power supply.

7.8.2. Sensors
7.8.2.1. Devices which detect intrusions

Sensors may be placed at the perimeter of the protected area, within it, or both. Sensors
can detect intruders by a variety of methods, such as monitoring doors and windows for opening,
or by monitoring unoccupied interiors for motions, sound, vibration, or other disturbances.
118

7.8.2.2. Alerting devices

These indicate an alarm condition. Most commonly, these are bells, sirens, and/or flashing
lights. Alerting devices serve the dual purposes of warning occupants of intrusion, and potentially
scaring off burglars. These devices may also be used to warn occupants of a fire or smoke
condition.

7.8.2.3. Keypads

Small devices, typically wall-mounted, which function as the human-machine interface to

the system. In addition to buttons, keypads typically feature indicator lights, a small multi-character
display, or both.

Interconnections between components. This may consist of direct wiring to the control
unit, or wireless links with local power supplies.

In addition to the system itself, security alarms are often coupled with a monitoring service.
In the event of an alarm, the premises control unit contacts a central monitoring station. Operators
at the station see the signal and take appropriate action, such as contacting property owners,
notifying police, or dispatching private security forces. Such signals may be transmitted via
dedicated alarm circuits, telephone lines, or the internet.

Summary
 Physical security describes security measures that are designed to deny unauthorized
access to facilities, equipment and resources and to protect personnel and property
from damage or harm (such as espionage, theft, or terrorist attacks).

 A perimeter is the fortified boundary of the network that might include the following
aspects: Border routers, Firewalls, IDSs, IPSs, VPN devices, Software architecture,
DMZs and screened subnets.

 Fire prevention: - In data centres, where an organization’s entire digital infrastructure

operates, close attention to fire safety is a must. Every procedure should include
fire-safety considerations that are followed every time.

 Sensors may be placed at the perimeter of the protected area, within it, or both.
Sensors can detect intruders by a variety of methods, such as monitoring doors
and windows for opening, or by monitoring unoccupied interiors for motion, sound,
vibration, or other disturbances.
 119

Check your answers

Write short answers
 Physical security
 Perimeter security
 Fire detection system
 Security alarms
 Sensors
 Keypads

Reference
1. ”Chapter 1: Physical Security Challenges”. Field Manual 3­19.30: Physical Security.
Headquarters, United States Department of Army. 2001
2. Garcia, Mary Lynn (2007). Design and Evaluation of Physical Protection Systems.
Butterworth-Heinemann. pp. 1–11. ISBN 9780080554280.
3. ”Chapter 2: The Systems Approach”. Field Manual 3­19.30: Physical Security.
Headquarters, United States Department of Army. 2001.
4. Anderson, Ross (2001). Security Engineering. Wiley. ISBN 978­0­471­38922­4.
5. For a detailed discussion on natural surveillance and CPTED, see Fennelly,
Lawrence J. (2012). Effective Physical Security. Butterworth-Heinemann. pp. 4–
6. ISBN 9780124158924.
6. Task Committee; Structural Engineering Institute (1999). Structural Design for
Physical Security. ASCE. ISBN 978-0-7844-0457-7.
7. Baker, Paul R. (2012). “Security Construction Projects”. In Baker, Paul R.; Benny,
Daniel J. The Complete Guide to Physical Security. CRC Press.
ISBN 9781420099638.
8. ”Chapter 4: Protective Barriers”. Field Manual 3­19.30: Physical Security.
Headquarters, United States Department of Army. 2001.
9. Talbot, Julian & Jakeman, Miles (2011). Security Risk Management Body of
Knowledge. John Wiley & Sons. pp. 72–73. ISBN 9781118211267.
10. Kovacich, Gerald L. & Halibozek, Edward P. (2003). The Manager’s Handbook for
Corporate Security: Establishing and Managing a Successful Assets Protection
Program. Butterworth-Heinemann. pp. 192–193. ISBN 9780750674874.
120

MODEL QUESTION PAPER

M.SC CYBER FORENSICS AND INFORMATION SECURITY

FIRST YEAR- FIRST SEMESTER

PAPER-III

INTRODUCTION TO INFORMATION SECURITY

Time:3 hours Maximum : 80

Section-A

Answer any 10 of the following in 50 words in each (10 x 2 = 20)

1. What is CIA?

2. What is threat agent?

3. Explain MITM.

4. What are RATs?

5. What is a policy?

6. What is Information Security governance?

7. What is Information Asset classification?

8. List down the types of asset owners.

9. Define Risk.

10. What is Cost Benefit Analysis?

11. Define Cryptography.

12. Define perimeter security.

Section-B

Answer any five of the following in 250 words in each (5 x 6 = 30)

1. Explain the need for protecting information.

2. Explain in detail basic security concepts.

 121

3. What is Social Engineering?

4. What is malicious codes and what are malware components?

5. What are the benefits of Information Security governance?

6. Write short notes on the following:

a) Standards b) Guidelines

7. What is risk management?

SECTION – C

Answer any THREE questions in about 500 words each (3 x 10 = 30 )

1. Discuss in detail about attacks on Information Security.

2. What are the three tiers of Information security policies? Discuss in detail about
enterprise information security policy.

3. What is Information asset? Discuss in detail about information classification.

4. Explain the process of Risk analysis.

5. Explain in detail about Perimeter Security.