Inf 407 Course Note

The document discusses the components of a computing environment essential for maintaining information security in organizations, including people, data, technology, networks, and activities. It emphasizes the interdependence of these components and outlines various security measures needed to protect them, such as personnel security, activity security, and technology security. Additionally, it introduces concepts like the CIA triad and Parkerian hexad to explain the principles of information security management and risk management strategies.

INF 407 COMPUTING ENVIRONMENT

A computing environment in every organization is made up of components which enable the organization to sustain competitive advantage over its competitors.

According to Raggad's taxonomy of information security, a computing environment is made up of five continuously interacting components: activities (processes), people, data, technology and networks.

[Figure: computing environment with interacting components – People, Data, Networks, Technology and Activities]

COMPUTING ENVIRONMENT WITH INTERACTING COMPONENTS

The figure above depicts a computing environment in which each component interacts with itself and with the other components within the information system (environment). For instance, people can interact with people, and people can interact with the other components. Examples are an information owner hiring a security administrator to manage the security of a given information resource, and an information owner authorizing a given activity to be performed on a given data resource using a given technology.

In our earlier study of information systems we were made to understand the various components of an information system. In order to secure an organization's information system, the various resources/components that make up its computing environment need to be properly protected. Securing an organization is achieved by securing its computing environment.

An information system is a well-defined computing environment where information is generated for a specific group of users. In order to protect information, we need to protect, jointly, all the information system components that produce the information. In protecting the computing environment, we need to protect its components – people, system activities, data resources, technology and networks.

[Figure: security of an information system – 1. People Security, 2. Security of IS Activities, 3. Technology Security, 4. Data Security, 5. Network Security]

SECURITY OF AN INFORMATION SYSTEM

The figure shows that an information system consists of five components – people (human), activities (process), technology, data and network. It depicts that the security of an information system is the security of all its components: the security of its people, the security of its activities, the security of its data, the security of its technology and the security of its network.

Activities such as procedures or policies are essentially implemented to explain and define to computers how to interact with the rest of the components in the computing environment in order to achieve its security objectives.

The literature has used the terms information security, information system security, computer security and information assurance interchangeably. However these terms are used, what really matters is whether the aim is to protect the confidentiality, integrity and availability of information in the computing environment. Information security means protecting information from unauthorized interactions. Interactions include access to the information and its use, disclosure, disruption, modification or destruction.

Information security is achieved by implementing managerial, operational and technical controls that deliver information confidentiality, information integrity and information availability.

• Information confidentiality – the protection of information from unauthorized access or disclosure
• Information integrity – the protection of information from unauthorized modification
• Information availability – realized when a user with a need to know obtains the required information from the appropriate resource.

SECURITY OF VARIOUS COMPONENTS IN THE COMPUTING ENVIRONMENT

An organization's computing environment can be protected by protecting all of its components. This is done by the following:

• Personnel security to protect people
• Procedural security to protect data resources
• Information security to protect data resources
• Software and hardware security to protect technology
• Network security to protect networks.

1. PERSONNEL SECURITY – Information security is the result of the work of people, processes and activities. If good security mechanisms are not employed by security staff, insecurity and failure result. In order to prevent insecurity in an organization, personnel security has to be prescribed.

WHAT IS PERSONNEL SECURITY? Personnel security simply refers to those practices and tools that are accepted and adopted by the human resources unit to ensure that personnel security safeguards are applied.

Personnel security safeguards may be organized into several categories.

(i) Qualification assurance: making sure the employees hired match both the specification of the job and the security clearance for the job.

(ii) Screening assurance: screening and background checks of candidates have to be conducted thoroughly to make sure that candidates with a history of poor behavior cannot infiltrate the system.

(iii) Authorization process: this consists of granting or taking away physical or system access privileges at the time of hiring or at the termination of an employee's duties. All of an employee's system access privileges may be granted or revoked following a formal and auditable process.

(iv) Security training: security training programs are made available to employees in accordance with the security requirements of their position.

(v) Nondisclosure agreements: all employees who are involved in security matters have to sign nondisclosure agreements appropriate to their positions. Nondisclosure agreements have to be signed by all individuals who need access to sensitive/confidential information, prior to granting access to that information.

2. ACTIVITY SECURITY: The activities of an information system consist of all procedures, regulations, policies, standards and protocols governing all interactions between the components of the information system, and between these components and the information system's environment. Any weakness in any activity of the information system can produce undesired events that compromise the security of the information system, and any corruption of these activities can damage the information system.

3. INFORMATION SECURITY: As previously stated, data is defined as all basic/raw facts that are processed into information. Information, in simple terms, is processed data (i.e. data that has been processed); it describes the meaning and interpretations that users associate with these facts. Information security is the protection of information resources against unauthorized access. Conceptual resources, such as programs, data and information, can be properly secured by the use of passwords and digital certificates. Given the unsure state of password usage, especially not knowing who enters the password, digital certificates and biometric techniques can be employed to authenticate the user and control access to information resources, but security can still be compromised through violations such as eavesdropping.

Digital certificates, similar to identification cards, are electronic credentials used to certify the online identities of individuals, organizations and computers. They are issued by a recognized authority/government.

Eavesdropping refers to the unauthorized monitoring of other people's communications conducted on ordinary telephone systems, email, instant messaging or other internet services.

4. TECHNOLOGY SECURITY: Technology entails the use of both software and hardware to support an organization. If software and hardware are compromised, their function is also compromised; this weakens the organization and its security is compromised.

5. NETWORK SECURITY: A network is the connection of two or more devices – such as computers, routers and switches – for the purpose of communication and sharing of resources. Network security is the protection of an organization's networks and their services from unauthorized modification, destruction or disclosure. Its main aim is to provide assurance that the network is performing its critical security-related functions and has not been compromised in any way.

Adequate security measures need to be applied to workstations on the network, because they may contain malicious data which might attack other computers on the network. Devices such as routers, switches, hubs and other network equipment should be properly checked, because they may be used as an access point into your network.

SECURITY INTERDEPENDENCE
Information system components – people, activities, data, technology and networks – and their security are not independent of one another but interdependent, i.e. they depend on each other. For example, one cannot secure a network without securing its resources (data, technology, people or activities); all components are interrelated. Personnel security requires the services of a network administrator to assign a security clearance to an employee. Computer hardware and operating systems need to be properly checked so as to secure the network.

WHAT IS SECURITY? Security is, from a general perspective, defined as the quality or state of being secure (being free from danger). Security can in other words be defined as protection against adversaries, from those who would do harm, intentionally or otherwise.

WHAT IS INFORMATION SECURITY? Information security can be defined, according to the Committee on National Security Systems (CNSS), as the protection of information and its critical elements, including the systems and hardware that use, store and transmit that information. Information security protects the confidentiality, integrity and availability of information assets whether in storage, processing or transmission. It is achieved via the application of policy, education, training and awareness, and technology.

Information security includes the broad areas of information security management, computer and data security, and network security. The CNSS model of information security evolved from a concept developed by the computer security industry called the C.I.A. triangle. The C.I.A. triangle has been the industry standard for computer security since the development of the mainframe. It is based on three characteristics of information that give it value to organizations: confidentiality, integrity and availability.
THE CIA TRIAD

1. CONFIDENTIALITY: Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems. Confidentiality ensures that only those with the rights and privileges to access information are able to do so. Confidentiality is breached when an unauthorized individual or system views such information. To protect the confidentiality of information, one can use a number of measures, including the following:

• Information classification
• Secure document storage
• Application of general security policies
• Education of information custodians and end users

For example, to protect the confidentiality of your Social Security Number in an online session, the transmission of your Social Security Number has to be encrypted.

2. INTEGRITY: Information is said to have integrity when it is whole, complete and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction or other disruption of its authentic state. Corruption can occur while information is being stored or transmitted. Most computer viruses and worms are designed with the explicit purpose of corrupting data. A virus infection can also lead to corruption of information if a file or one of its records is modified or deleted.

3. AVAILABILITY: Availability enables authorized users (persons or computer systems) to access information without interference or obstruction and to receive it in the required format. It aims at making information available to users.

The security of these three characteristics of information is as important today as it has always been, but the C.I.A. triangle model no longer adequately addresses the constantly changing environment. The threats to the three characteristics of information – confidentiality, integrity and availability – have evolved into a vast collection of events, including accidental or intentional damage, destruction, theft, unintended or unauthorized modification, or other misuse from human or nonhuman threats. This has prompted the development of a more robust model that addresses the complexities of the current information security environment.

THE SECURITY STAR MODEL

The security star model is a transformation of the C.I.A. triad model in which two more security goals (authentication and non-repudiation) and the risk concept are added to the CIA triad model. In the star model, the CIA triad is extended by adding two security goals and a security management foundation.

1. AUTHENTICITY: Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is in the same state in which it was created, placed, stored or transferred. Authentication is a mechanism designed to verify the identity of an agent, human or system, before access is granted. The authentication process usually requests a user ID and password. It is necessary for effective security management. It may also be implemented with the aid of smart cards, public key infrastructure or biometrics.

2. NON-REPUDIATION: Non-repudiation generally refers to a party's intention to fulfill accepted obligations. Non-repudiation in information simply implies that both ends of a transmission cannot deny their involvement in that transmission, meaning the sender of information cannot deny sending it and the recipient cannot deny receiving it if in fact it was received. Digital signatures may be used to enforce non-repudiation on the internet.
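The integrity and authenticity goals described above, as an added example that is not part of the course note: a plain SHA-256 digest detects that a stored or transmitted record has been altered, and an HMAC tag under a shared key additionally tells the receiver that the record came from a holder of that key. The record, the tampered copy and the shared key are constructed for the demonstration. Note the limit the example exposes: because the receiver holds the same key, it could have produced the tag itself, so an HMAC gives integrity and authenticity but not the non-repudiation the note attributes to digital signatures.

```python
import hashlib
import hmac

# Constructed shared key for the demonstration (not from the course note).
SHARED_KEY = b"demo-shared-key-do-not-reuse"


def integrity_digest(data: bytes) -> str:
    """Digest recorded when the data is stored or sent; recomputed on every read."""
    return hashlib.sha256(data).hexdigest()


def integrity_intact(data: bytes, stored_digest: str) -> bool:
    """Integrity holds only if the recomputed digest equals the recorded one."""
    return hmac.compare_digest(integrity_digest(data), stored_digest)


def authenticity_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of `key` can produce it for this data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authentic(key: bytes, data: bytes, tag: str) -> bool:
    """Accept the data only if the tag verifies under the shared key."""
    return hmac.compare_digest(authenticity_tag(key, data), tag)


def demo() -> dict:
    # Constructed sample record: what the sender stored or sent ...
    record = b"transfer:from=acct-001:to=acct-002:amount=500"
    digest = integrity_digest(record)
    tag = authenticity_tag(SHARED_KEY, record)
    # ... and a modified copy substituted in transit or in storage.
    tampered = b"transfer:from=acct-001:to=acct-999:amount=500"
    return {
        # A plain digest detects accidental or deliberate corruption ...
        "intact_original": integrity_intact(record, digest),
        "intact_tampered": integrity_intact(tampered, digest),
        # ... but gives no authenticity: whoever altered the record can
        # recompute the digest for the altered copy, and it verifies.
        "digest_recomputed_for_tampered": integrity_intact(
            tampered, integrity_digest(tampered)),
        # A keyed tag cannot be recomputed without the shared key.
        "authentic_original": authentic(SHARED_KEY, record, tag),
        "authentic_tampered": authentic(SHARED_KEY, tampered, tag),
        "authentic_wrong_key": authentic(b"guessed-key", record, tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Storing the digest beside the data it protects is only useful against accidental corruption; to detect deliberate modification the digest (or better, the tag) must be kept where the modifier cannot reach it, or be keyed as the HMAC is here.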
RISK MANAGEMENT

Risk is the probability that something unwanted will happen. Risk can also be defined as the chance that some undesired event, such as information leakage, information corruption or denial of service, will take place and produce bad consequences that are associated with financial losses. Risks are usually linked to opportunities that threat agents see in exploiting asset vulnerabilities. An organization must reduce risk to match its risk appetite, i.e. the quantity and nature of risk it is willing to accept. For a given asset, if the security risk is smaller than its tolerated risk, no security control will be adopted to protect it. For an asset with a security risk higher than its tolerated risk, you should not invest in more security controls than are needed to reduce the current risk down to the asset's tolerated risk.

Risks have to be identified, assessed and mitigated by a group of people (including information owners, business experts and security experts).

Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving its business objectives, and deciding what countermeasures, if any, to take to reduce risk to an acceptable level, based on the value of the information resource to the organization. Risk management is a sequential process that starts with the identification of risk, then risk assessment and finally risk mitigation by selecting the appropriate security controls. Risk is identified by identifying threats and asset vulnerabilities; it is assessed by studying the effect of the threats on those assets; and it is mitigated by recommending security control measures that can reduce current risks to an acceptable level.

Some of the steps needed to manage risk include the following:

1. Identify and value the assets in your computing environment
2. Assess asset vulnerabilities and their probabilities of being exploited
3. Assess threats and their probabilities of occurrence
4. Estimate each threat's impact on each asset
5. Estimate basic risk, before adopting any security controls
6. Select the security controls that can reduce risks to acceptable levels
7. Mitigate by adopting the risk-driven security program devised in step 6
8. Evaluate the effectiveness of the risk-driven program to make sure it is reducing risk to an acceptable level.
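The decision rule stated above (no controls for an asset already within its tolerated risk, and no more controls than needed to bring a riskier asset down to it) together with steps 5 and 6 of the procedure, as an added worked example that is not part of the course note. Risk per threat is taken here as likelihood x exploitability x impact x asset value, each control reduces the exploitability of one threat, and controls are chosen cheapest-per-unit-of-risk-removed first until the residual risk is within the asset's tolerated risk. The two assets, their threats, the candidate controls and all the figures are constructed; the risk formula and the greedy selection are the example's own choices, not a method the note prescribes.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float           # loss if fully compromised (constructed money units)
    tolerated_risk: float  # the organization's risk appetite for this asset


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float      # probability the threat occurs in the period
    exploitability: float  # probability it exploits the asset's vulnerability
    impact: float          # fraction of the asset's value lost if it succeeds


@dataclass(frozen=True)
class Control:
    name: str
    threat: str            # the threat this control counters
    reduction: float       # fraction of that threat's exploitability it removes
    cost: float


def threat_risk(asset: Asset, t: Threat) -> float:
    """Expected loss from one threat: likelihood x exploitability x impact x value."""
    return t.likelihood * t.exploitability * t.impact * asset.value


def basic_risk(asset: Asset, threats: List[Threat]) -> float:
    """Step 5: risk before any control is adopted, summed over all threats."""
    return sum(threat_risk(asset, t) for t in threats)


def apply_control(threats: List[Threat], c: Control) -> List[Threat]:
    """Return the threat list with the control's reduction applied to its threat."""
    return [replace(t, exploitability=t.exploitability * (1 - c.reduction))
            if t.name == c.threat else t for t in threats]


def select_controls(asset: Asset, threats: List[Threat],
                    candidates: List[Control]) -> Tuple[List[Control], float]:
    """Step 6: pick controls, cheapest per unit of risk removed first, and stop
    as soon as residual risk is within the tolerated risk (or nothing more helps)."""
    chosen: List[Control] = []
    remaining = list(candidates)
    risk = basic_risk(asset, threats)
    while risk > asset.tolerated_risk and remaining:
        gains = {c.name: risk - basic_risk(asset, apply_control(threats, c))
                 for c in remaining}
        best = min(remaining, key=lambda c: c.cost / gains[c.name]
                   if gains[c.name] > 0 else float("inf"))
        if gains[best.name] <= 0:
            break  # no remaining control reduces risk: escalate, do not overspend
        chosen.append(best)
        remaining.remove(best)
        threats = apply_control(threats, best)
        risk = basic_risk(asset, threats)
    return chosen, risk


# Constructed sample data (not from the course note).
CUSTOMER_DB = Asset("customer database", value=100_000, tolerated_risk=5_000)
CUSTOMER_DB_THREATS = [
    Threat("phishing", likelihood=0.8, exploitability=0.5, impact=0.3),
    Threat("ransomware", likelihood=0.3, exploitability=0.4, impact=0.9),
    Threat("disk failure", likelihood=0.1, exploitability=1.0, impact=0.5),
]
CANDIDATE_CONTROLS = [
    Control("security awareness training", "phishing", reduction=0.6, cost=3_000),
    Control("email filtering", "phishing", reduction=0.7, cost=5_000),
    Control("offsite backups", "disk failure", reduction=0.9, cost=1_500),
    Control("endpoint detection and response", "ransomware", reduction=0.8, cost=8_000),
    Control("hardware security appliance", "ransomware", reduction=0.5, cost=20_000),
]
MENU_PAGE = Asset("cafeteria menu page", value=500, tolerated_risk=200)
MENU_PAGE_THREATS = [Threat("defacement", likelihood=0.5, exploitability=0.5, impact=1.0)]


def plan(asset: Asset, threats: List[Threat], candidates: List[Control]) -> dict:
    """Run steps 5 and 6 for one asset and report the resulting program."""
    chosen, residual = select_controls(asset, threats, candidates)
    return {
        "basic_risk": basic_risk(asset, threats),
        "controls": [c.name for c in chosen],
        "cost": sum(c.cost for c in chosen),
        "residual_risk": residual,
        "within_appetite": residual <= asset.tolerated_risk,
    }


if __name__ == "__main__":
    for asset, threats in ((CUSTOMER_DB, CUSTOMER_DB_THREATS), (MENU_PAGE, MENU_PAGE_THREATS)):
        print(asset.name, plan(asset, threats, CANDIDATE_CONTROLS))
```

With these figures the customer database starts at a basic risk of 27,800, four controls bring it to 4,100 (within its 5,000 appetite) and the expensive appliance is left out, while the menu page starts at 125, already under its 200 appetite, so it receives no control at all. Swapping in the organization's own valuations and likelihoods is the actual work of steps 1 to 4; the selection logic stays the same.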

PARKER'S VIEW OF INFORMATION SECURITY

Donn Parker, in 2002, proposed an additional three components to information security (i.e. the CIA triad): possession, utility and authenticity. Parker's view of information security constitutes a group of six characteristics of information, which is also called the Parkerian hexad. The Parkerian hexad consists of the following:
(i) Confidentiality
(ii) Integrity
(iii) Availability
(iv) Possession
(v) Authenticity
(vi) Utility
In Parker's view of information security, it is accepted that any information security breach can be traced back to affecting one or more of these fundamental attributes of information.
1. Authenticity: Authenticity of information is the quality or state of being authentic. Information is authentic when it is in the same state in which it was created, placed or transferred. Authenticity aims at ensuring that the origin of a transmitted document is valid.
…this information is not useful to you; receiving a message or a warning written in a foreign language that you cannot read is a breach of utility. Utility of information is the quality or state of having value for some purpose. Information has value when it can serve a purpose.

WHAT IS INFORMATION SECURITY MANAGEMENT?

Information security management is a process that is capable of: (1) accurately identifying an organization's computing environment, defining its criticality and prioritizing its contributions to the organization's business-value-generation capabilities; (2) accurately identifying all security risks, assessing them, and then mitigating them by devising a comprehensive risk-driven security program; and (3) providing for continual improvement of the organization's risk position by automatically revising the risk-driven security program as security requirements change with changes in the computing environment. Achieving an effective security management program is only possible if the organization's assets are valued and the risks to them studied in terms of vulnerabilities, existing threats, effects of the threats on the assets and the evaluation of the consequences when undesired incidents take place.

DEFENSE-IN-DEPTH SECURITY

Defense-in-depth security is simply a strategy that employs successive layers of defense, capable of stopping an intruder who succeeds in breaking through one layer from penetrating the next security layer encountered, so that if one layer is infiltrated, the next layer provides extra defense. The main idea of using multiple barriers is to make sure that if an intruder penetrates one layer, the next layer will hopefully prevent him/her from getting through. For example, the external layer may be a good security awareness program, the second layer a restrictive filtering program, and the third layer a current antivirus program. The security layers may be a security awareness program, security technology, security policy, security staff, etc.

SECURITY CONTROLS
In terms of security controls, it is understood that there are thousands of different attacks, and there are also thousands of ways to counter such attacks. Most of the time such attacks remain undetected and uncountered, but there are many known countermeasures that can be deployed to secure the target assets. A risk-driven security program is usually written in terms of three different sets of security controls: managerial security controls, operational security controls and technical security controls.

1. MANAGERIAL SECURITY CONTROLS: These focus on the management of the information system and the management of risk for a system. They are techniques and concerns that are normally addressed by management. They include the following:
• Risk assessment
• Planning
• System and service acquisition
• Certification, accreditation and security assessment

2. OPERATIONAL CONTROLS: These address security methods that focus on mechanisms which are basically implemented and executed by people (as opposed to systems). This set of controls is put in place to improve the security of a particular system (or group of systems). They do require technical or specialized expertise. The following are operational security controls:
• Personnel security
• Physical and environmental protection
• Contingency planning
• Configuration management
• Maintenance
• System and information integrity
• Media protection
• Incident response
• Awareness and training

3. TECHNICAL CONTROLS: These focus on security controls that the computer system executes. The controls can provide automated protection against unauthorized access or misuse, facilitate detection of security violations and support security requirements for applications and data. Technical controls use software and data to monitor and control access to information and computing systems. For example, passwords, network- and host-based firewalls, network intrusion detection systems, access control lists and data encryption are logical controls. The following are examples of technical controls:
• Personnel security
• Physical and environment protection
• Contingency planning
• Configuration

THE INFORMATION SECURITY LIFE CYCLE

The security life cycle describes all the steps that are necessary to achieve confidentiality, integrity and availability for a given information asset in an organization.
The information security life cycle of a target information asset consists of the following steps:
1. Security Planning
2. Security Analysis
3. Security Design
4. Security Implementation
5. Security Review
6. Continual Security

[Figure: the information security life cycle – 1. Security Planning through 6. Continual Security]
The Information Security Life Cycle
The figure above (information security life cycle) shows how the security of an information asset is achieved. The security is initially planned in terms of the asset security policy, its scope, its security objectives, a limited preliminary impact analysis and a limited risk analysis. Once the plan is defined, the security of the information asset is analyzed to define its security requirements.
The security requirements are established from information about the level of impact the asset has on the organization's mission and from information generated through a thorough risk assessment of the asset. Security analysis often requires information on current threats, current security controls, and asset vulnerabilities and their exposure. Once the initial set of security requirements is obtained, the security design of the information asset is carried out. The security design stage conducts a more detailed risk-driven security assessment in order to obtain the information needed to design a feasible risk-driven security program. After the security design is ready, the risk-driven security program is ready for implementation.
Once the security program has been designed and implemented, the security review process has to start. The security review process consists of the certification, accreditation and authorization of the security program; security audits may take place periodically.

The final process of the security life cycle is the continual security process, where the security of the information asset is continuously monitored. If risk changes, corrective actions have to be taken to restore the security of the asset to its accepted state, as prescribed in its security policy. However, if changes occur in the security objectives, security policy or computing environment that necessitate a new scope for the security of the asset, a new security planning phase is started.

1. SECURITY PLANNING
The security planning process is the foundation on which the development of a security program rests; it should not be skipped, but should be initiated and approved by the organization's top management, and it has to satisfy the corporate security policy and constantly remain aligned with the organization's strategic plan.
The security policy of an information asset contains a detailed description of the acceptable behaviour of the asset, and any deviation from such behaviour is a violation of the asset security policy.
The following are the steps needed for planning the security of the information asset throughout the entire security life-cycle project:
(i) Asset definition
(ii) Security policy
(iii) Security objectives
(iv) Security scope

(i) Asset definition – The identification and definition of the asset is the first step to be considered in security, because in order to protect the information asset we need to identify the information asset for which an approved budget is made. The corporate security policy identifies the information assets that are to be secured. There are basically two approaches used in the initial identification of the information assets that are candidates for a security project: the problem-based approach and the objective-based approach.
In a problem-based approach, an information asset may be identified as a candidate for a security project if it has been involved in an undesired incident that has been blamed for compromising one of the security objectives of the organization or of one of its information systems – confidentiality, integrity or availability. The identified information asset has become one whose business mission will be compromised if it is not adequately protected. The objective-based approach to asset identification is based on top management or executive directives. In real life, a security project for an information asset in an organization will be initiated with the aim of preempting malicious attacks; otherwise we would be waiting until an undesired event occurs before planning a corrective action. Detecting undesired incidents, planning a response and recovering from the resulting damage caused by a discovered undesired incident may be considerably more expensive and riskier than initiating a security project to protect the information asset.

Most of the literature identifies the assets within the computing environment as information assets, software assets, physical assets and people. Information assets include data/information and data stores (files, databases, etc.). Software assets include any version of a computer program. Physical assets include any tangible asset in the organization. People include employees, users, customers and partners. An information asset is always associated with people, activities, data, technology and networks.

(ii) Security policy – The security policy of an information asset should define the acceptable interactions of the asset with the rest of the components in the computing environment. For example, the security policy defines which users and processes are authorized to access the information asset and, once granted access, the operations they are authorized to perform. The security of an information asset can only be achieved with strict enforcement of its security policy, and any violation of the asset's security policy undermines its business value-generation capability. The security of the information asset is compromised if an unauthorized user succeeds in accessing it, and equally if an authorized user accesses the information asset and performs an unauthorized activity.

All members of the security planning team have to understand the security policy of the information asset for which a security project is initiated. Likewise, the security requirements of an information asset cannot be defined by staff members who do not fully understand the workings of its security policy.
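The asset security policy described above, as an added example that is not part of the course note: a policy for one hypothetical asset lists which principals may access it and which operations each may perform, every request is checked against it with anything unlisted refused (a deviation from acceptable behaviour is a violation), and every decision is written to an audit trail that the security review phase can inspect. The two failure modes the note distinguishes, an unauthorized user gaining access and an authorized user performing an unauthorized operation, both appear. The asset name, principals and operations are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass
class AccessDecision:
    principal: str
    operation: str
    allowed: bool
    reason: str


@dataclass
class AssetSecurityPolicy:
    """Acceptable interactions with one information asset: who may do what.
    Anything not listed is a deviation from acceptable behaviour, so it is
    refused (default deny) and recorded as a violation."""
    asset: str
    permissions: Dict[str, FrozenSet[str]]          # principal -> allowed operations
    audit_trail: List[AccessDecision] = field(default_factory=list)

    def authorize(self, principal: str, operation: str) -> bool:
        """Enforce the policy for one requested interaction and record the decision."""
        allowed_ops = self.permissions.get(principal)
        if allowed_ops is None:
            decision = AccessDecision(principal, operation, False,
                                      "principal is not authorized to access the asset")
        elif operation not in allowed_ops:
            decision = AccessDecision(principal, operation, False,
                                      "operation is not authorized for this principal")
        else:
            decision = AccessDecision(principal, operation, True,
                                      "interaction permitted by the asset security policy")
        self.audit_trail.append(decision)
        return decision.allowed

    def violations(self) -> List[AccessDecision]:
        """Deviations from the policy, kept for the security review phase."""
        return [d for d in self.audit_trail if not d.allowed]


def demo() -> dict:
    # Constructed policy for a hypothetical asset (not from the course note).
    policy = AssetSecurityPolicy(
        asset="customer_db",
        permissions={
            "payroll_app": frozenset({"read"}),
            "dba_alice": frozenset({"read", "modify", "backup"}),
        },
    )
    return {
        # Unauthorized user: not named in the policy at all.
        "unauthorized_user_read": policy.authorize("intern_bob", "read"),
        # Authorized user attempting an operation the policy does not grant.
        "authorized_user_unauthorized_op": policy.authorize("payroll_app", "modify"),
        # Authorized user performing a permitted operation.
        "authorized_user_authorized_op": policy.authorize("dba_alice", "backup"),
        "violations": [(d.principal, d.operation) for d in policy.violations()],
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The policy is expressed per asset rather than per user so that the security planning team can read, for the one asset under review, exactly the acceptable behaviour the note says the policy must describe; the audit trail is what the later security review and continual security phases consume.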

(iii) Security objectives – The most common security objectives set for the security of an information asset are simply the security objectives (goals) defined in the security star model discussed earlier: (i) confidentiality, (ii) integrity, (iii) availability, (iv) authentication and (v) non-repudiation. These security objectives may further be tailored to the security policy of the information asset: how much availability is sufficient to maintain an acceptable business-value-generation capability for the information asset? Under what conditions should non-repudiation be verified in order to achieve the business goals set for the information asset? The security requirements for an information asset also depend on its security objectives. These requirements will obviously change if we drop an old security objective, add a new one or modify an existing one. It is important that these security objectives be closely linked to the business security mission of the information asset and be well defined.
Any incompleteness in their definition will translate into deficient security requirements that will lead to inadequate security for the target information asset.

(iv) Security scope – The scope of the asset security project simply defines the security depth and breadth of the project: the depth of the security design and the breadth of the security requirements that must be addressed in order to achieve the security objectives set for the information asset. It is understood that not all security requirements can be met, but enough should be satisfied to reach the acceptable security risk level established by the asset security policy.

Some other constraints also influence the definition of the scope of the security project for an information asset. The project has to respect budget constraints and any feasibility conditions established by the project feasibility study. A preliminary impact analysis for an information asset defines its criticality in terms of any impact on confidentiality, integrity, availability, authentication and non-repudiation. For example, unauthorized disclosure, modification or destruction could be expected to have a limited, serious or severe adverse effect on organizational operations and assets.
The preliminary impact analysis indicates the level of impact the target information asset has on the organization's business mission. In addition to the preliminary impact analysis, a preliminary risk assessment may be needed to prioritize the security tasks constituting the scope of the security project. A preliminary risk analysis defines the threat environment in which the target information asset operates. This risk assessment activity will guide the security planning team in defining a scope that is sufficient to provide for the protection of the operational environment.

2. SECURITY ANALYSIS
The objective of security analysis in the security life cycle is to define the security requirements needed to
adequately protect the target information asset. The security requirements should reflect the results of
assessing the risk to the confidentiality, integrity and availability of the system and its information.
The security analysis phase starts with a simple question: why is security needed for this asset? Security is
required, first, to enforce the corporate security policy so as to protect the organization's business mission
and, second, to enforce the asset security policy so that the asset is not compromised in any way that
threatens the overall business-value-generation capability of the organization. Further questions follow:
which components of the information asset are valuable and require protection? What are the threats to the
asset? How is the asset vulnerable? What risks can cause harm to the asset, given its vulnerabilities and the
impact of the resulting damage? What level of risk is acceptable for the asset? Finding answers to these
questions may be time consuming, depending on the complexity of the asset, and may be costly or even
infeasible. Security analysis is a substantial investment for the organization: it includes assessing threats
and risks, managing the risks, and establishing or revising a security policy for the information asset.
Security analysis identifies existing and potential threats that may affect the information asset and
estimates the risk that these threats will compromise its security and harm the organization.
[NOTE: The security analysis phase produces the security requirements needed to protect the target
information asset.]

The outcome of the security analysis should always be the security requirements of the target information
asset, which define the appropriate level of protection required, and the security program, which consists of
cost-effective and feasible controls. Any security analysis methodology adopted by an organization should
include at least the following activities.

1. Asset analysis: The asset is studied in terms of its acquisition cost, operating cost, maintenance cost,
its benefits and its contribution to generating business value for the enterprise.
2. Impact analysis: Estimating the potential harm that might be inflicted on the asset, and the resulting
impact level on the information asset and the organization, if the threats occur.
3. Threat analysis: Identifying and defining threats to the target information asset and estimating their
likelihood of occurrence. Threats are usually organized into two main categories, natural and man-made;
man-made threats may be accidental or intentional.
4. Exposure analysis: Analyzing the degree to which the information asset is exposed to each threat, based on
the threat's likelihood and its impact.
5. Vulnerability analysis: Analyzing asset vulnerabilities and estimating asset exposure levels. An
information asset vulnerability is a characteristic or weakness of the asset, or of one of its components,
that makes the occurrence of a threat more likely or more damaging. To estimate the current risk position of
the organization, one needs to identify the system's vulnerabilities together with the security controls
currently in place.
6. Analysis of current security controls: Determining whether adequate protection against each specific
threat is in place, and estimating the effectiveness of the existing controls. Existing controls are
identified for each (asset, threat, impact) scenario; once the relevant vulnerabilities and controls are
known, the effectiveness of the controls is assessed to obtain an estimate of the risk level associated with
each (asset, threat, impact, exposure, vulnerabilities, existing security controls) scenario.
7. Risk analysis: Measuring the risk using the exposure rating, the asset vulnerabilities and the
effectiveness of current security controls. Risk is a measure of the likelihood and consequences of threat
events or undesired events that could compromise the security of the information asset, considering the
asset's vulnerabilities and the effectiveness of existing controls. The outcome of this step indicates to the
organization the degree of risk associated with the target information asset.
8. Security requirements: Defining the security requirements to be used in designing the security of the
information asset. This is the last step of the security analysis phase, and it rests on the results of the
preceding steps:
(i) defining the target information asset of the security project;
(ii) identifying existing threats and estimating their likelihood;
(iii) estimating impacts and impact levels for the information asset;
(iv) estimating asset exposure based on threat likelihood and impact;
(v) estimating asset vulnerabilities;
(vi) estimating the levels of effectiveness of the existing security controls;
(vii) estimating risk levels based on threat likelihood, asset vulnerabilities and the effectiveness of the
existing controls.

3. SECURITY DESIGN: The security design phase is aimed at devising security that meets the security
objectives defined for the target information asset. Starting from the five security objectives of the
security star model (confidentiality, integrity, availability, authentication and non-repudiation), we design
a risk-driven security program consisting of a variety of security controls that are cost effective and that
collectively provide for the security of the information asset. The security design activity consists of five
design tasks:
(i) Security design for confidentiality
(ii) Security design for integrity
(iii) Security design for availability
(iv) Security design for authentication
(v) Security design for non-repudiation
These design tasks are performed based on the information obtained from the security analysis phase of the
security life cycle, namely:
(a) information about the information asset
(b) information about current threats
(c) information about impacts and impact levels
(d) information about asset exposure levels
(e) information about asset vulnerabilities
(f) information about the effectiveness of existing security controls
(g) information about security risk levels

The security design phase consists of the following steps:
(i) Risk mitigation
(ii) Design of security training programs
(iii) Design of security planning programs
(iv) Design of the risk-driven security program

i. Risk Mitigation: This process aims to reduce the risk to the asset to the acceptable level specified in its
security policy. Risk mitigation is performed by selecting the security controls most capable of reducing the
asset's security risk. To determine which controls to select, we first have to compute the current risk
position of the information asset: the basic risk of the asset is its current risk before any new controls for
risk mitigation have been implemented.
The selection of security controls must take into account the effectiveness of each control and its
implementation cost, as well as other factors such as the corporate security policy, legislation and
regulation, safety and reliability requirements, and technical requirements. A control (or set of controls)
that would reduce the basic risk only to a level still above the accepted risk level of the asset security
policy should not be selected.
Once a security program that mitigates the asset risk below its acceptable risk level has been devised, it
still has to be approved by top management before it is accepted for final use.
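As an added illustration of the risk analysis step (item 7 of the analysis activities) and of the risk mitigation step just described, the following Python model scores each (asset, threat) scenario from the ratings produced in the analysis phase and then selects the cheapest set of candidate controls that brings the basic risk down to the accepted level. This is example code written for these notes, not part of the course material: the 1-to-5 rating scales, the multiplicative residual-risk model, the sample asset, its threats, the candidate controls and the accepted risk level are all assumptions made for the illustration.

```python
"""Added example: a small risk-scoring and control-selection model for the security
analysis and risk mitigation steps. The scales (1-5 ratings), the multiplicative
residual-risk model and the sample asset, threats and controls are assumptions made
for this illustration, not figures from the course notes."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Scenario:
    """One (asset, threat) scenario from the analysis phase. Ratings run from 1 (low) to 5 (high)."""
    asset: str
    threat: str
    likelihood: int               # threat analysis
    impact: int                   # impact analysis
    vulnerability: int            # vulnerability analysis
    control_effectiveness: float  # analysis of current controls: fraction of risk they remove (0.0-1.0)


@dataclass(frozen=True)
class Control:
    """A candidate control considered during risk mitigation."""
    name: str
    cost: int             # implementation cost, arbitrary money units
    effectiveness: float  # fraction of the remaining risk this control removes


def exposure(s: Scenario) -> int:
    """Exposure analysis: how exposed the asset is to the threat (likelihood x impact, 1-25)."""
    return s.likelihood * s.impact


def basic_risk(s: Scenario) -> float:
    """Risk analysis: exposure weighted by vulnerability, after the controls already in place.
    This is the asset's current risk before any new control is added."""
    return exposure(s) * s.vulnerability * (1.0 - s.control_effectiveness)


def residual_risk(risk: float, controls: Sequence[Control]) -> float:
    """Risk left after applying independent controls; each removes its fraction of what remains."""
    for c in controls:
        risk *= (1.0 - c.effectiveness)
    return risk


def select_controls(s: Scenario, candidates: Sequence[Control],
                    acceptable_risk: float) -> Optional[Tuple[Control, ...]]:
    """Risk mitigation: the cheapest set of candidate controls that brings the basic risk
    down to or below the accepted level of the asset security policy. Returns () when the
    current risk is already acceptable and None when no combination suffices, so a program
    that leaves the risk above the accepted level is never selected."""
    risk = basic_risk(s)
    if risk <= acceptable_risk:
        return ()
    best = None  # (cost, controls)
    for n in range(1, len(candidates) + 1):
        for combo in combinations(candidates, n):
            if residual_risk(risk, combo) <= acceptable_risk:
                cost = sum(c.cost for c in combo)
                if best is None or cost < best[0]:
                    best = (cost, combo)
    return None if best is None else best[1]


# Constructed sample data (assumptions, not from the course): one customer database facing
# two threats, three candidate controls, and the accepted risk level of its security policy.
DB_THEFT = Scenario("customer-db", "credential theft", likelihood=4, impact=5,
                    vulnerability=4, control_effectiveness=0.25)
DB_FLOOD = Scenario("customer-db", "flooding of server room", likelihood=1, impact=5,
                    vulnerability=2, control_effectiveness=0.5)
CANDIDATES = (
    Control("multi-factor authentication", cost=30, effectiveness=0.8),
    Control("database activity monitoring", cost=20, effectiveness=0.5),
    Control("quarterly password audit", cost=5, effectiveness=0.3),
)
ACCEPTABLE = 10.0

if __name__ == "__main__":
    for s in (DB_THEFT, DB_FLOOD):
        chosen = select_controls(s, CANDIDATES, ACCEPTABLE)
        print(f"{s.threat}: exposure={exposure(s)} basic_risk={basic_risk(s):.1f} ->",
              "no adequate control set" if chosen is None else [c.name for c in chosen])
```

For the credential-theft scenario the basic risk is 60; multi-factor authentication alone leaves 12, which is still above the accepted 10 and is therefore not selected on its own, while the pair of multi-factor authentication and the password audit reaches 8.4 at a lower cost than any other adequate combination. The flooding scenario is already within policy, so nothing is added.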

ii. Design of Security Training Programs
The security maintenance team is a team of well-trained professionals in charge of the continual security of
the information asset throughout the security life cycle. They have professional-level skills in the following
areas:
(i) Access control systems and methodology
(ii) Telecommunications and network security
(iii) Security management practices
(iv) Security architecture and models
(v) Cryptography
(vi) Physical security
(vii) Operations security
(viii) Applications and systems development
(ix) Business continuity planning
(x) Law, investigation and ethics
Even operational-level staff are trained in the physical security matters related to the operation of the
information asset.

iii. Design of Security Planning Programs
Security planning consists of two aspects: (i) the design of a security plan, which defines the security
requirements of the information asset for a period of time (for example, three years), and (ii) the design of
the business continuity plan, which defines the actions that need to be taken to continue the organization's
business operations when a disaster occurs.

iv. Design of the Risk-driven Security Program. At this point a fully documented program is compiled,
containing the recommended security controls, the asset security policy, the identified security threats, the
effectiveness of current security controls, asset vulnerability and exposure levels, and the basic risk
level. The program must be capable of mitigating the basic risk below the accepted level specified in the
asset security policy, and every step that led to the selection of the security controls has to be fully
documented.

4. SECURITY IMPLEMENTATION: This phase consists of the implementation of the risk-driven security program
designed in the previous phase and approved by top management. The security program is authorized for
operation only after it has been certified and accredited (see the security review phase). The implementation
phase must ensure both the usability and the sustainability of the security program, and the implementation
staff should halt the implementation process if a security-tested mechanism is found to be incomplete or
vulnerable.

5. SECURITY REVIEW
The security review phase consists of two main steps:
1. Security review for authorization
2. Security auditing
This phase ensures that the authorizing official and the asset owners agree on the proposed program. The
authorizing officials and the system owners are empowered by top management to administer the certification
and accreditation steps needed before the information asset can operate.
Security certification determines the extent to which the security controls in the information asset are
implemented correctly, operating as intended and producing the desired outcomes. When the certification and
accreditation steps are completed, the information asset owner receives either an authorization to operate
the information asset, a provisional authorization to operate it under specific terms and conditions, or a
denial of authorization to operate it.
The authorizing officials, assigned by upper management, review the information produced by the security
certification to determine the risk to asset operations and arrive at an appropriate accreditation decision
for the information system. The accreditation step determines whether the remaining known vulnerabilities in
the information asset pose an acceptable level of risk to asset operations and to the organization.

CONTINUAL SECURITY:
The continual security phase consists of continuous monitoring activities intended to ensure that security
risks stay at their accepted levels and that, if the effectiveness of current security controls diminishes
and the accepted risk level is exceeded, corrective action is planned to bring the risk levels back to their
accepted values.
Continual security is achieved through the following steps:
(i) Configuration management and control
(ii) Monitoring of security controls
(iii) Monitoring of the computing environment for any changes
(iv) Reporting of changes and documentation

The purpose of the continual security phase is to monitor the security controls of the information asset on a
continuous basis and to inform the authorizing officials and the asset owner when changes occur that may
negatively impact the security of the asset and the organization. The activities in this phase are performed
continuously throughout the security life cycle of the information asset.
The following activities are carried out in this phase:
- Periodic assessment of risk: the magnitude of harm that could result from unauthorized access, use,
  disclosure, disruption, modification or destruction of information and information systems.
- Periodic review of policies and procedures that are based on the risk assessments, cost-effectively reduce
  information security risk to an acceptable level and ensure that information security is addressed
  throughout the security life cycle of the information asset.
- Security awareness training to inform personnel of the information security risks associated with their
  activities and of their responsibilities in complying with the organization's policies and procedures
  designed to reduce those risks.
- Periodic testing and evaluation of the effectiveness of information security policies, procedures,
  practices and security controls.
- A process for planning, implementing, evaluating and documenting remedial actions to address any
  deficiencies in the information security policies, procedures and practices of the organization.
- Procedures for detecting, reporting and responding to security incidents.

BUSINESS CONTINUITY
WHAT IS BUSINESS CONTINUITY? Business continuity is the ability of an organization to respond to a disaster
or business disruption through the timely detection of the disruptive event, the accurate measurement of risk
and business losses, and the efficient resumption of business operations.
According to the National Fire Protection Association (NFPA), business continuity is an ongoing process,
supported by senior management and funded, to ensure that the necessary steps are taken to identify the
impact of potential losses and to maintain viable recovery strategies, recovery plans and continuity of
service.
This definition requires management to fund and support the business continuity effort. The continuity
process is ongoing: it keeps track of all possible losses and their impacts on the organization, and it is
responsible for maintaining viable safeguards capable of facilitating an effective and quick recovery and
ensuring continuity of business services.

DISASTER RECOVERY: Disaster recovery is the activity of resuming computing operations after a disaster such
as a flood, a severe storm or a geological incident takes place. Restoring the computing environment is
achieved through the duplication of computer operations (for example at an alternate site). The quality of
disaster recovery can be evaluated by the organization's ability to recover its information systems quickly
after a disaster.
The scope and design of a disaster recovery plan depend on many factors, including the type of incident, the
data affected and the business losses.
The World Trade Center attack in New York in 2001 attests to the fact that recovery depends on such factors:
recovery was slow and very costly, some businesses were still recovering years later, others had yet to
recover, and some could not be recovered at all.

RESPONSE TO BUSINESS DISRUPTION
Business disruption can happen at any time, anywhere in an organization and without prior notice, so
organizations need to adopt all feasible safeguards and defense strategies to minimize the effect of such
disruption on business assets. Those safeguards are divided into four classes:
(i) Deterrence safeguards
(ii) Detective safeguards
(iii) Preventive safeguards
(iv) Corrective safeguards

The following are some safeguards that minimize disruption.

1. DETERRENCE SAFEGUARDS:
This technique aims at communicating to disruptive agents the consequences of committing such acts against
the organization; for example, the organization may publicize previous cases where attackers were caught and
punished. Deterrence is intended to discourage disruptive agents from attacking the organization's business
assets.
a. Sign deterrence: Designing appropriate warning and deterring messages that are communicated in different
ways to potential disruptive agents.
b. Physical deterrence: Installing physical barriers or appliances that scare potential attackers away.
Barriers at all entry and exit gates of the organization may deter disruptive agents who would use heavy
machinery or vehicles to conduct an attack; a security guard at the entrance may deter potential attackers
from attempting to enter with fake IDs.
c. Software and hardware deterrence: Tools that deter potential attackers from conducting harmful attacks
against the organization. For example, a firewall at the network entry point may deter attackers who fear
that their activity will be logged and their identity discovered.
2. DETECTIVE SAFEGUARDS: If disruptive events are detected early, it becomes easier to respond to and recover
from the consequences of the disruption. A typical mechanism is the intrusion detection system.
3. PREVENTIVE SAFEGUARDS: Preventive controls are used in every area where the risk is not acceptable. They
can be applied to human resource management, for instance by running a thorough background check on
candidates for any position in the organization. Preventive action in the physical security area must also
be adequately taken care of, e.g. fire safety, insurance, security of buildings and protection from water
damage.

4. CORRECTIVE SAFEGUARDS: Before corrective action can be initiated, we need to gather all the information
needed about the current attack, the business components that have been attacked and the damage caused to
them. As soon as this information has been gathered, the following activities can be initiated:
(i) Rank the affected business components in terms of criticality
(ii) Rank the affected business components in terms of the extent of damage
(iii) Identify alternative corrective actions
(iv) Select the most feasible corrective safeguard
(v) Apply the selected corrective actions to the selected business components

WHAT IS BUSINESS CONTINUITY PLANNING (BCP)? Business continuity planning can be defined, following Sun
Microsystems, as the process of creating, testing and maintaining an organization-wide plan to recover from
any form of disaster.
Every BCP strategy includes three fundamental components: risk assessment, contingency planning and the
actual disaster recovery process.
A business continuity plan (BCP) is a sequence of steps, approved by top management, that sets out what the
organization should do to restore business operations when a disruptive event occurs. BCP is a holistic
management process that identifies potential impacts that threaten an organization and provides a framework
for building resilience with the capacity for an effective response that safeguards the interests of key
stakeholders, reputation, brand and value-creating activities.
The business continuity process establishes a comprehensive framework for building resilience by scanning
the environment for potential business disruption threats, measuring and managing risk, and devising an
effective business continuity response system. The disaster recovery plan is a very important component of
the business continuity system.
The BCP is a living document that describes the proactive process for defining the corrective controls needed
to respond to disruptive events, for the purpose of bringing the organization's business operations back to
normal.

DEVELOPING A BUSINESS CONTINUITY PLAN
The development of a business continuity plan requires the following five phases:
(i) Business continuity planning
(ii) Business continuity analysis
(iii) Business continuity design
(iv) Business continuity implementation
(v) Business continuity maintenance

CONTINGENCY PLAN – Establishes policies and procedures for responding to an emergency (e.g. fire, system
failure, natural disaster) that damages the system. A contingency plan includes three mandatory
implementation specifications:
(a) Data backup plan – procedures to create and maintain retrievable, exact copies of the data
(b) Disaster recovery plan – procedures to restore any loss of data
(c) Emergency mode operation plan – procedures to protect the security of the system while operating in an
emergency mode

FORMS OF CYBERATTACKS AND TERRORISM
The types of attacks that may be conducted against computers and networks include the following:
1. Posting of graffiti on web sites (defacement), which is essentially harmless but annoying to computer
users.
2. Attacks by hackers who demonstrate the vulnerability of computers to outside attack out of pride in their
ability to disable or affect computers.
3. Criminal behaviour, generally in the form of stealing passwords to gain access to bank accounts and credit
cards in order to commit fraud and theft.
4. Terrorist attacks to disable computers, gain entry into national security sites and data, cause havoc to a
nation's economic structure, and other motivations.

Other attack tools and techniques include:
Radio-frequency (RF) weapons, which direct a series of radio waves at the target, causing it to generate heat
and burn up.
Transient electromagnetic devices (TEDs), characterized by the emission of a large burst of energy across a
wide spectrum; such a device can be the size of a briefcase, a van or a large satellite dish.
Electromagnetic bomb / pulse weapon, which creates an electromagnetic pulse, that is, an electromagnetic
shock wave carrying a current many times that of a lightning strike.
TEMPEST monitoring devices, which pick up the electromagnetic emanations of equipment in order to eavesdrop
on it.
Computer viruses, logic bombs and Trojan horses.
Denial of service (zombie) attacks, which overload the target system with traffic (for example a flood of
e-mail), causing it to crash.
Hackers use a variety of means to further their agenda, among them the following:
Virus – A piece of code attached to a program that becomes active when the program is run and copies itself
into other programs.
Worm – A separate, self-contained program that replicates itself across computers without modifying other
programs.
Trojan horse – A program that appears legitimate or useful but carries hidden code that permits the hacker to
gain access to the system.
Logic bomb – Malicious code that remains dormant until a specified condition arises to activate it.
Trap doors – Hidden entry points that permit a programmer to access the software without the user being aware
of the access.
Chipping – Malicious functionality built into hardware components; like a trap door, it remains dormant until
access is desired.
Denial of service – The hacker sends an overwhelming number of requests, which causes the target system to
shut down or become unavailable.

ACCESS CONTROL
WHAT IS ACCESS CONTROL? Access control is the mechanism that systems use to identify users and grant them
their assigned privileges to access information systems or resources. The protection of private and
confidential information from unauthorized users cannot be achieved without an appropriate access control
process in place. Most access control methodologies are based on the same fundamental principle, least
privilege: each subject is granted only the access it needs for its task. This principle applies to access
control for any product, system or technology. Access control devices identify people and verify their
identity through identification and authentication processes, so that they can stop attempts at unauthorized
access, catch intruders and hold them accountable for their actions.

ACCESS CONTROL TECHNOLOGY
The most common types of access control technologies employed to implement enterprise access control
solutions are biometrics, tokens, smart cards, encrypted keys and passwords.
- Biometric devices authenticate users to an access control system based on unique personal physical or
  behavioural properties of the users, such as fingerprints, voice prints, iris scans, retina scans, facial
  scans, hand geometry or signature dynamics. With biometrics, end users cannot lose or misplace their
  personal identification features.
  Biometrics requires (1) a device, such as a reader or scanner, that converts the gathered information into
  digital form, and (2) a database that stores the biometric data for comparison with previous records. The
  software converts the biometric input into data from which a pattern (template) is extracted; the pattern
  is then processed by an algorithm into a value that can be compared with the biometric data in the database.
  There are two types of biometric: physical and behavioural. Behavioural biometrics are used for
  verification, whereas physical biometrics are used for both identification and verification.
  Examples of physical biometrics are:
  Fingerprints – analyzing finger ridge patterns
  Facial recognition – measuring facial characteristics
  Hand geometry – measuring the shape of the hand
  Iris scan – analyzing features of the coloured ring of the eye
  Retina scan – analyzing the blood vessels at the back of the eye
  Vascular patterns – analyzing vein patterns
  DNA – analyzing genetic makeup

  Examples of behavioural biometrics include:
  Speaker recognition – analyzing vocal behaviour
  Signature – analyzing signature dynamics
  Keystroke – measuring the timing and spacing of typed characters

- Smart cards are plastic cards with an embedded integrated circuit that is capable of executing the
  transactions configured in the circuit. The card may be used to authenticate users to domains, systems and
  networks. A personal identification number (PIN) is also assigned to the configured smart card, so that
  two-factor authentication (possession of the card plus knowledge of the PIN) may be configured on the
  system.
- A token is a hand-held device with a built-in challenge-response scheme that authenticates against an
  enterprise server. Tokens use time-based challenge-and-response algorithms whose values constantly change
  and expire after a prescribed length of time, so a one-time password generated by the token cannot be
  reused once it has been entered.
- Encrypted keys: These are cryptographic keys and algorithms employed to secure confidential information
  and to verify the authenticity of the people sending and receiving it. Standards such as X.509 (for
  public-key certificates) have been created to make sure that security requirements are taken into account
  and to allow technologies made by different vendors to work together.
- Passwords are used for access control more than any other type of solution because they are easy to
  implement and extremely flexible. Passwords can be used to write-protect documents, files and directories
  and to allow access to systems and resources. Unfortunately, passwords are among the weakest of the access
  control solutions that can be implemented.
  There are many password-cracking utilities that can be downloaded free from the Internet. If an attacker
  obtains a file of hashed passwords, he or she can run it through a password-cracking utility, recover the
  passwords, and then access the system using a legitimate user's account, or even replace the existing
  password with a new one unknown to the victim, thus locking the victim out of his or her account for a
  prolonged period.
  Alternatively, using a protocol analyzer (packet sniffer), an attacker can capture network traffic on the
  wire and obtain passwords sent in plaintext by protocols that do not encrypt them. Because of these
  weaknesses, some organizations routinely run password crackers against their own user accounts to check
  whether users have chosen easily guessed passwords or more secure ones.
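The audit just described, run offline against a copy of the password file, looks like the following. This is an added Python example written for these notes, not part of the course material. The password file (three accounts with unsalted SHA-256 hashes) and the word list are constructed for the illustration; the unsalted layout is itself one of the weaknesses the text points at, so the example also shows the hardened alternative (a per-user salt with a slow key-derivation function) and why it makes the same dictionary attack far more expensive.

```python
"""Added example (not from the course notes): the offline password audit the text
describes, run against a constructed, unsalted SHA-256 password file, beside the
salted, iterated storage that makes such an audit (and such an attack) costly."""
import hashlib
import os
from typing import Dict, List, Optional

# Constructed sample input: "username:sha256(password)" with no salt. This layout is an
# assumption for the illustration; real systems should never store passwords this way.
# carol's digest is a placeholder for a strong password that is not in any word list.
PASSWORD_FILE = """\
alice:5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
bob:8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
carol:2f8a0d51f4de27c9a1f0c7c7f2a5a3b1a5b6e7ab56c4d36c8b0a2dfc6ba7ea71
"""
# A tiny constructed word list; a real audit uses millions of candidates.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1"]


def parse_password_file(text: str) -> Dict[str, str]:
    """Return {username: hex_digest} from 'user:hash' lines, skipping blank lines."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, _, digest = line.partition(":")
        entries[user] = digest.strip().lower()
    return entries


def crack_unsalted(entries: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack against unsalted hashes. Each candidate word is hashed once and
    looked up against every account at the same time, so the cost grows with the number
    of words, not with words x accounts."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in entries.items():
        by_hash.setdefault(digest, []).append(user)
    found: Dict[str, str] = {}
    for word in wordlist:
        digest = hashlib.sha256(word.encode()).hexdigest()
        for user in by_hash.get(digest, []):
            found[user] = word
    return found


def salted_record(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Hardened storage for comparison: a per-user random salt and a slow key derivation
    (PBKDF2-HMAC-SHA256), encoded as 'pbkdf2$iterations$salt$derived_key'."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def crack_salted(record: str, wordlist: List[str]) -> Optional[str]:
    """Against a salted record every word has to be re-derived for that single account,
    and each derivation costs `iterations` HMAC calls instead of one hash."""
    _, iters, salt_hex, dk_hex = record.split("$")
    salt, iterations = bytes.fromhex(salt_hex), int(iters)
    for word in wordlist:
        if hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations).hex() == dk_hex:
            return word
    return None


def audit() -> Dict[str, str]:
    """The organizational check the text describes: which accounts use guessable passwords."""
    return crack_unsalted(parse_password_file(PASSWORD_FILE), WORDLIST)


if __name__ == "__main__":
    for user, pw in audit().items():
        print(f"{user}: weak password {pw!r}")
    # The same weak password stored the hardened way is still found by the dictionary,
    # but only for this one account and at 200,000 HMAC calls per candidate word.
    print(crack_salted(salted_record("password", os.urandom(16)), WORDLIST))
```

The audit reports alice ("password") and bob ("123456") and says nothing about carol, whose digest matches no candidate. The point of the second half is that salting does not stop a dictionary attack on a weak password; it removes the one-hash-checks-all-accounts shortcut and the iteration count makes every guess slow.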
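The time-based token described in the access control technology list above works along the following lines. This is an added Python example written for these notes, not from the course material: it follows the TOTP construction of RFC 6238 (an HMAC-SHA1 over a 30-second time-step counter, truncated to six digits) and adds the server-side check that refuses a code once it has been accepted, which is what makes an intercepted one-time password useless even inside its validity window. The shared secret is the RFC 6238 test secret and the clock values are fixed for the illustration.

```python
"""Added example (not from the course notes): a time-based one-time-password token
(RFC 6238 TOTP, HMAC-SHA1, 30-second step, 6 digits) and the server-side verifier
that rejects reuse. The shared secret and timestamps are constructed for the demo."""
import hashlib
import hmac
import struct
from typing import Dict

STEP_SECONDS = 30   # how long one code stays valid
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Token side: derive the code for the time step containing unix_time. Time is the
    implicit challenge, so nothing has to travel from the server to the token."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side: accepts the code of the current step (plus one step of clock drift
    either way) and remembers the highest step already used, so a code that has been
    entered once cannot be replayed even while its step is still within the window."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_used_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        for step in range(now_step - self.drift_steps, now_step + self.drift_steps + 1):
            if step <= self.last_used_step:
                continue                                   # already consumed: reject replay
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):        # constant-time comparison
                self.last_used_step = step
                return True
        return False


# Constructed demo values (not from the course): the RFC 6238 test secret and a fixed clock.
SECRET = b"12345678901234567890"
T0 = 59


def demo() -> Dict[str, object]:
    """First use succeeds, an immediate replay is refused, and the code has expired
    three steps later."""
    verifier = TokenVerifier(SECRET)
    code = totp(SECRET, T0)
    return {
        "code": code,
        "first_use": verifier.verify(code, T0),
        "replay": verifier.verify(code, T0 + 5),
        "after_expiry": verifier.verify(code, T0 + 3 * STEP_SECONDS),
    }


if __name__ == "__main__":
    print(demo())
```

With the RFC test secret and T = 59 the token produces 287082, the value listed in the RFC 6238 test vectors; the verifier accepts it once, refuses the same code five seconds later, and refuses it again once its time step has passed. A production deployment would store the secret per user during enrolment and persist last_used_step so that the replay check survives a restart.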
ELEMENTARY CRYPTOGRAPHY: SUBSTITUTION CIPHER
Encryption is the process of encoding a message so that its meaning is not obvious; decryption is the
reverse process, transforming an encrypted message back into its normal, original form. Alternatively, the
terms encode and decode, or encipher and decipher, are used instead of encrypt and decrypt: we encode,
encrypt or encipher the original message to hide its meaning, and then decode, decrypt or decipher it to
reveal the original message. A system for encryption and decryption is called a cryptosystem.
The original form of a message is known as plaintext, and the encrypted form is called ciphertext. For
convenience, we denote a plaintext message P as a sequence of individual characters P = <p1, p2, …, pn>.
Similarly, ciphertext is written as C = <c1, c2, …, cm>.

For instance, the plaintext message "I want cookies" can be denoted as the 14-character message string
<I, ,w,a,n,t, ,c,o,o,k,i,e,s>. It can be transformed into the ciphertext <c1, c2, …, c14>, and the
encryption algorithm tells us how the transformation is done.
We use this formal notation to describe the transformations between plaintext and ciphertext. For example,
we write C = E(P) and P = D(C), where C represents the ciphertext, E is the encryption rule, P is the
plaintext and D is the decryption rule, so that P = D(E(P)). In other words, we want to be able to convert
the message to protect it from an intruder, but we also want to be able to get the original message back so
that the receiver can read it properly. The cryptosystem involves a set of rules for how to encrypt the
plaintext and how to decrypt the ciphertext. The encryption and decryption rules, called algorithms, often
use a device called a key, denoted by K, so that the resulting ciphertext depends on the original plaintext
message, the algorithm and the key value. We write this dependence as C = E(K, P) and, for the reverse
direction, P = D(K, C). Essentially, E is a family of encryption algorithms, and the key K selects one
specific algorithm from the family. There are many types of encryption. In the next sections we look at two
simple forms: substitutions, in which one letter is exchanged for another, and transpositions, in which the
order of the letters is rearranged.
Cryptanalyst: a person who studies encryption and encrypted messages and tries to find the hidden meaning
(to break an encryption).
Confusion: a property of a cipher by which the relationship between the key (and the plaintext) and the
ciphertext is made as complex as possible, so that the ciphertext gives no clue about the original message
or the key.
Diffusion: a property by which each plaintext symbol influences many ciphertext symbols, spreading the
statistical structure of the plaintext over the whole ciphertext (for example across the rows and columns
of a block) so that it cannot be read off locally.
Substitution cipher: It consists of substituting every plaintext character with a different ciphertext
character.
It is of two types: I. Monoalphabetic substitution cipher
II. Polyalphabetic substitution cipher
Monoalphabetic substitution cipher:
The relationship between ciphertext symbols and plaintext symbols is 1:1, i.e. the same plaintext letter is
always replaced by the same ciphertext letter.
- Additive cipher (shift or Caesar cipher):
Letters are numbered A=0, …, Z=25. The key K, a number from 0 to 25, is added to each plaintext letter
modulo 26: C = (P + K) mod 26, and decryption is P = (C - K) mod 26.
Example: Plaintext (P) = H E L L O (H=7, E=4, L=11, L=11, O=14)
Key (K) = 15
Ciphertext (C) = 7+15, 4+15, 11+15, 11+15, 14+15
= 22, 19, 26 mod 26 = 0, 26 mod 26 = 0, 29 mod 26 = 3
= W T A A D
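The additive cipher in the notation of this section, written out as an added Python example (not part of the course notes), together with the attack the section is leading up to: a cryptanalyst who knows the algorithm but not the key can simply try all 26 keys and keep the decryption that reads as English. Letters are numbered A=0 to Z=25 as in the text; non-letters pass through unchanged; the small English word list used to recognise the right candidate is a constructed stand-in for a real dictionary.

```python
"""Added example (not from the course notes): the additive (shift) cipher as
C = E(K, P) and P = D(K, C), plus exhaustive key search as the cryptanalysis.
The word list used to recognise plaintext is a constructed assumption."""
import string
from typing import List, Tuple

ALPHABET = string.ascii_uppercase            # A=0, B=1, ..., Z=25


def encrypt(key: int, plaintext: str) -> str:
    """E(K, P): replace each letter p by (p + K) mod 26, a 1:1 (monoalphabetic) mapping."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)                   # spaces and punctuation are not enciphered
    return "".join(out)


def decrypt(key: int, ciphertext: str) -> str:
    """D(K, C): subtract the key, which is the same as adding 26 - K."""
    return encrypt((-key) % 26, ciphertext)


# Constructed word list standing in for an English dictionary (assumption for the demo).
WORDS = {"THE", "AND", "FOR", "ME", "AT", "IN", "WE", "TO",
         "MEET", "NINE", "DAWN", "ATTACK", "STATION", "EVENING"}


def score(candidate: str) -> int:
    """How many whitespace-separated tokens of a candidate plaintext are known words."""
    return sum(1 for tok in candidate.split() if tok in WORDS)


def brute_force(ciphertext: str) -> Tuple[int, str]:
    """Cryptanalysis by exhaustive key search: decrypt under every key and keep the
    candidate with the most recognisable words. Feasible because there are only 26 keys,
    which is the weakness of the additive cipher."""
    candidates: List[Tuple[int, str]] = [(k, decrypt(k, ciphertext)) for k in range(26)]
    return max(candidates, key=lambda kp: score(kp[1]))


if __name__ == "__main__":
    print(encrypt(15, "HELLO"))                     # the worked example above: WTAAD
    c = encrypt(11, "MEET ME AT THE STATION AT NINE")
    print(c)
    print(brute_force(c))                           # recovers key 11 and the plaintext
```

Because the mapping is 1:1, a longer ciphertext also leaks letter frequencies (the most frequent ciphertext letter is very likely E shifted by K), which is the second classical way to break this cipher without trying every key.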

CRYPTOGRAPHY
Cryptography is the science (or art) of writing in secret code, and it remains the most effective method of
enforcing confidentiality. The plaintext message is transformed, using a set of mathematical algorithms,
into a new message in ciphertext form that reveals no meaningful information to a viewer who does not know
how to decrypt it.
More broadly, cryptography is the use of mathematical techniques to provide information security services
such as confidentiality, data integrity, authentication and non-repudiation.
Two cryptographic methods are very popular: private-key (symmetric) cryptography and public-key (asymmetric)
cryptography.
Private-key algorithms use a single secret key for both encrypting and decrypting information. The sender
encrypts the message and sends its ciphertext form to the receiver, who must know the secret key and the
encryption algorithm in order to decrypt it.

Public-key encryption uses a pair of keys to encrypt and decrypt the messages exchanged between senders and
receivers: (1) a public key, which is published and is used to encrypt messages, and (2) a private key, which
remains private to the receiver and is used to decrypt them. The two keys are related mathematically, but
the private key cannot feasibly be computed from the public key.
Each user needs to keep his or her own private key secret. This is very different from symmetric
cryptography, where the sender and the receiver share the same secret key for both encryption and
decryption.
The Data Encryption Standard (DES) is the most well-known cryptographic mechanism in history and for decades
was the standard means of securing electronic commerce in financial institutions around the world. Its
56-bit key is too short for modern computing power, however: DES keys have been recovered by exhaustive
search since the late 1990s, and DES has been withdrawn as a standard in favour of Triple DES and, above
all, the Advanced Encryption Standard (AES).
Public-key cryptography is better than private-key cryptography in terms of key management because it needs
far fewer keys, especially when the number of communicating users is high: with n users, giving every pair
its own shared secret requires n(n-1)/2 symmetric keys, whereas public-key cryptography needs only n key
pairs. To be efficient, a network using public-key cryptography must make it easy to retrieve users' public
keys (for instance through a directory of certificates).
Virtual Private Networks


The term “virtual private network” is used to mean many different things. Many different products are
marketed as VPNs, but offer widely varying functionality. In the most general sense, a VPN allows remote
sites to communicate as if their networks were directly connected. VPNs also enable multiple independent
networks to operate over a common infrastructure. The VPN is implemented as part of the system’s
networking. That is, ordinary programs like Web servers and e-mail clients see no difference between
connections across a physical network and connections across a VPN.

VPN technologies fall into a variety of categories, each designed to address distinct sets of concerns. VPNs
designed for secure remote access implement cryptographic technology to ensure the confidentiality,
authenticity, and integrity of traffic carried on the VPN. These are sometimes referred to as secure VPNs or
crypto VPNs. In this context, private suggests confidentiality and has specific security implications: namely,
that the data will be encoded so as to be unreadable, and unmodified, by unauthorized parties.

Some VPN products are aimed at network service providers. These service providers (including AT&T,
UUNET, and MCI/Sprint, to name only a few) built and maintain large telecommunications networks, using
infrastructure technologies like Frame Relay and ATM. The telecom providers manage large IP networks
based on this private infrastructure. For them, the ability to manage multiple IP networks using a single
infrastructure might be called a VPN. Some network equipment vendors offer products for this purpose and
call them VPNs. When a network service provider offers this kind of service to an enterprise customer, it is
marketed as equivalent to a private, leased-line network in terms of security and performance. The fact that
it is implemented over an ATM or Frame Relay infrastructure does not matter to the customer, and is rarely
made apparent. These so-called VPN products are designed for maintenance of telecom infrastructure, not
for encapsulating private traffic over public networks like the Internet, and are therefore addressing a
different problem. In this context, the private aspect of a VPN refers only to network routing and traffic
management. It does not imply the use of security mechanisms such as encryption or strong authentication.

Adding further confusion to the plethora of definitions, many telecommunications providers offer
subscription dial-up services to corporate customers. These services are billed as “private network access”
to the enterprise computer network. They are less expensive for the organization to manage and maintain
than in-house access servers because the telecom provider owns the telephone circuits and network access
equipment. But let the buyer beware. Although the providers tout the security and privacy of the
subscription services, the technological mechanisms provided to help guarantee privacy are often minimal.
The private network points-of-presence in metropolitan areas that provide local telephone access to the
corporate network are typically co-located with the provider’s Internet access equipment, sometimes running
over the same physical infrastructure. Thus, the security risks are often equivalent to using a bare-bones
Internet connection for corporate access, often without much ability for customers to monitor security
configurations and network utilization. Two years ago, the services did not encrypt private traffic. After
much criticism, service providers are beginning to deploy cryptographic equipment to remedy this weakness.
Prospective customers are well-advised to question providers on the security and accounting within their
service. The security considerations that apply to applications and hardware employed within an
organization apply to network service providers as well, and are often far more difficult to evaluate. Only
someone familiar with a company’s security environment and expectations can determine whether or not
they are supported by a particular service provider’s capabilities.

INTRUSION DETECTION SYSTEM:


An intrusion detection system (IDS) is a device, typically another separate computer, that monitors
activities to identify malicious or suspicious events. An IDS is a sensor, like a smoke detector, that raises
an alarm if specific things occur. The components in the figure are the four basic elements of an intrusion
detection system, based on the Common Intrusion Detection Framework of [STA96]. An IDS receives raw
inputs from sensors. It saves those inputs, analyzes them, and takes some controlling action.

TYPES OF IDSs
The two general types of intrusion detection systems are signature based and heuristic. Signature-based
intrusion detection systems perform simple pattern-matching and report situations that match a pattern
corresponding to a known attack type. Heuristic intrusion detection systems, also known as anomaly-based,
build a model of acceptable behavior and flag exceptions to that model; for the future, the administrator can
mark a flagged behavior as acceptable so that the heuristic IDS will now treat that previously unclassified
behavior as acceptable.
Intrusion detection devices can be network based or host based. A network-based IDS is a stand-alone
device attached to the network to monitor traffic throughout that network; a host-based IDS runs on a
single workstation or client or host, to protect that one host.

SIGNATURE-BASED INTRUSION DETECTION:


A simple signature for a known attack type might describe a series of TCP SYN packets sent to many
different ports in succession and at times close to one another, as would be the case for a port scan. An
intrusion detection system would probably find nothing unusual in the first SYN, say, to port 80, and then
another (from the same source address) to port 25. But as more and more ports receive SYN packets,
especially ports that are not open, this pattern reflects a possible port scan. Similarly, some
implementations of the protocol stack fail if they receive an ICMP packet with a data length of 65535
bytes, so such a packet would be a pattern for which to watch.
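A signature-style check of the kind just described, as an added example (not code from any IDS product): it watches for one source sending SYNs to many distinct ports within a short window, and for an ICMP packet carrying a 65535-byte data length. The packet records, the 10-port/5-second threshold and the 192.0.2.x addresses are constructed assumptions.

```python
"""Signature-style detection of a TCP SYN port scan and an oversized ICMP packet.

Added example for these notes, not an IDS product's code. The packet records are
constructed inline; the thresholds (10 distinct ports within 5 seconds) are
assumed values that a real deployment would tune.
"""
from collections import defaultdict
from dataclasses import dataclass

PORT_THRESHOLD = 10      # distinct destination ports from one source ... (assumed)
WINDOW_SECONDS = 5.0     # ... within this many seconds (assumed)
ICMP_MAX_DATA = 65535    # the data length the text names as a crash trigger


@dataclass(frozen=True)
class Packet:
    ts: float            # seconds since capture start
    src: str             # source address (constructed, documentation range 192.0.2.0/24)
    proto: str           # "tcp" or "icmp"
    dport: int = 0       # TCP destination port
    syn: bool = False    # TCP SYN flag set
    data_len: int = 0    # ICMP data length in bytes


def detect(packets):
    """Return a list of alert strings, one per signature match."""
    alerts = []
    syn_history = defaultdict(list)  # src -> [(ts, dport), ...] in arrival order
    reported = set()                 # sources already reported, to avoid repeats
    for pkt in sorted(packets, key=lambda p: p.ts):
        if pkt.proto == "icmp" and pkt.data_len >= ICMP_MAX_DATA:
            alerts.append(f"ICMP data length {pkt.data_len} from {pkt.src}")
        if pkt.proto == "tcp" and pkt.syn and pkt.src not in reported:
            hist = syn_history[pkt.src]
            hist.append((pkt.ts, pkt.dport))
            # forget SYNs that have fallen out of the sliding window
            while hist and pkt.ts - hist[0][0] > WINDOW_SECONDS:
                hist.pop(0)
            ports = {p for _, p in hist}
            if len(ports) >= PORT_THRESHOLD:
                alerts.append(f"possible port scan from {pkt.src}: "
                              f"{len(ports)} ports in {WINDOW_SECONDS:g}s")
                reported.add(pkt.src)
    return alerts


def sample_capture():
    """Constructed traffic: a normal client, a host probing 12 ports quickly,
    and one oversized ICMP packet."""
    pkts = [Packet(0.0, "192.0.2.10", "tcp", dport=80, syn=True),
            Packet(1.5, "192.0.2.10", "tcp", dport=25, syn=True)]
    pkts += [Packet(10.0 + i * 0.1, "192.0.2.77", "tcp", dport=20 + i, syn=True)
             for i in range(12)]
    pkts.append(Packet(30.0, "192.0.2.99", "icmp", data_len=65535))
    return pkts


if __name__ == "__main__":
    for line in detect(sample_capture()):
        print(line)
```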

HEURISTIC INTRUSION DETECTION:


Because signatures are limited to specific, known attack patterns, another form of intrusion detection
becomes useful. Instead of looking for matches, heuristic intrusion detection looks for behavior that is out
of the ordinary. The original work in this area focused on the individual, trying to find characteristics of
that person that might be helpful in understanding normal and abnormal behavior. For example, one user
might always start the day by reading e-mail, write many documents using a word processor, and
occasionally back up files. These actions would be normal. This user does not seem to use many
administrator utilities. If that person tried to access sensitive system management utilities, this new
behavior might be a clue that someone else was acting under the user's identity.

Inference engines work in two ways. Some, called state-based intrusion detection systems, see the system
going through changes of overall state or configuration. They try to detect when the system has veered into
unsafe modes. Others try to map current activity onto a model of unacceptable activity and raise an alarm
when the activity resembles the model. These are called model-based intrusion detection systems. This
approach has been extended to networks. Later work sought to build a dynamic model of behavior, to
accommodate variation and evolution in a person's actions over time. The technique compares real activity
with a known representation of normality. Alternatively, intrusion detection can work from a model of
known bad activity. For example, except for a few utilities (login, change password, create user), any other
attempt to access a password file is suspect. This form of intrusion detection is known as misuse intrusion
detection. In this work, the real activity is compared against a known suspicious area.
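Both forms of heuristic detection described above, as an added example (not from the original notes): a per-user baseline of the utilities each user normally runs, which flags behavior never seen before, and a misuse model that flags password-file access by anything other than a short allowed list. The log format, the user name and the allowed-utility names are constructed assumptions.

```python
"""Anomaly-based and misuse-based checks over a constructed activity log.

Added example for these notes, not a product's code. Log lines are constructed
in the form "user utility target"; the baseline period and the utilities allowed
to touch the password file are assumptions drawn from the text's examples.
"""
from collections import defaultdict

# Misuse model: only these utilities may legitimately open the password file
# (the text names login, change password and create user; names are assumed).
PASSWORD_FILE = "/etc/passwd"
ALLOWED_ON_PASSWORD_FILE = {"login", "passwd", "useradd"}


def parse(lines):
    """Turn 'user utility target' lines into (user, utility, target) tuples."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the sensor
        events.append(tuple(parts))
    return events


def build_baseline(events):
    """Model of normal behavior: the set of utilities each user has been seen to run."""
    baseline = defaultdict(set)
    for user, utility, _ in events:
        baseline[user].add(utility)
    return baseline


def anomaly_alerts(baseline, events):
    """Flag any utility a user never ran during the baseline period."""
    return [f"anomaly: {user} ran {utility} (never seen in baseline)"
            for user, utility, _ in events
            if utility not in baseline.get(user, set())]


def misuse_alerts(events):
    """Flag password-file access by anything other than the allowed utilities."""
    return [f"misuse: {user} accessed {target} via {utility}"
            for user, utility, target in events
            if target == PASSWORD_FILE and utility not in ALLOWED_ON_PASSWORD_FILE]


def accept_as_normal(baseline, user, utility):
    """The administrator marks a flagged behavior as acceptable, so the
    heuristic IDS treats it as normal from now on."""
    baseline[user].add(utility)


# Constructed sample: a baseline period of ordinary activity, then one suspicious day.
BASELINE_LOG = [
    "alice mailreader inbox",
    "alice wordproc report.docx",
    "alice backup /home/alice",
    "alice mailreader inbox",
]
TODAY_LOG = [
    "alice mailreader inbox",
    "alice wordproc memo.docx",
    "alice usermod /etc/passwd",   # never seen before, and touches the password file
    "alice malformed",             # deliberately malformed line, skipped by parse()
]

if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    today = parse(TODAY_LOG)
    for alert in anomaly_alerts(base, today) + misuse_alerts(today):
        print(alert)
```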

Stealth Mode:
An IDS is a network device (or, in the case of a host-based IDS, a program running on a network device).
Any network device is potentially vulnerable to network attacks. How useful would an IDS be if it itself
were deluged with a denial-of-service attack? If an attacker succeeded in logging in to a system within the
protected network, wouldn't trying to disable the IDS be the next step? To counter those problems, most
IDSs run in stealth mode, whereby an IDS has two network interfaces: one for the network (or network
segment) being monitored and the other to generate alerts and perhaps other administrative needs. The IDS
uses the monitored interface as input only; it never sends packets out through that interface. Often, the
interface is configured so that the device has no published address through the monitored interface; that is,
a router cannot route anything to that address directly, because the router does not know such a device
exists. It is the perfect passive wiretap. If the IDS needs to generate an alert, it uses only the alarm interface
on a completely separate control network.

Goals for Intrusion Detection Systems:


1. Responding to alarms: Whatever the type, an intrusion detection system raises an alarm when it finds a
match. The alarm can range from something modest, such as writing a note in an audit log, to something
significant, such as paging the system security administrator. Particular implementations allow the user to
determine what action the system should take on what events. In general, responses fall into three major
categories (any or all of which can be used in a single response):
● Monitor: collect data, perhaps increase the amount of data collected.
● Protect: act to reduce exposure.
● Call a human.
2. False Results: Intrusion detection systems are not perfect, and mistakes are their biggest problem.
Although an IDS might detect an intruder correctly most of the time, it may stumble in two different ways:
by raising an alarm for something that is not really an attack (called a false positive, or type I error in the
statistical community) or not raising an alarm for a real attack (a false negative, or type II error). Too many
false positives means the administrator will be less confident of the IDS's warnings, perhaps leading to a
real alarm's being ignored. But false negatives mean that real attacks are passing the IDS without action.
We say that the degree of false positives and false negatives represents the sensitivity of the system. Most
IDS implementations allow the administrator to tune the system's sensitivity, to strike an acceptable
balance between false positives and negatives.

IDS STRENGTH AND LIMITATIONS:


On the upside, IDSs detect an ever-growing number of serious problems. And as we learn more about
problems, we can add their signatures to the IDS model. Thus, over time, IDSs continue to improve. At the
same time, they are becoming cheaper and easier to administer. On the downside, avoiding an IDS is a first
priority for successful attackers. An IDS that is not well defended is useless. Fortunately, stealth mode
IDSs are difficult even to find on an internal network, let alone to compromise. IDSs look for known
weaknesses, whether through patterns of known attacks or models of normal behavior. Similar IDSs may
have identical vulnerabilities, and their selection criteria may miss similar attacks. Knowing how to evade a
particular model of IDS is an important piece of intelligence passed within the attacker community. Of
course, once manufacturers become aware of a shortcoming in their products, they try to fix it. Fortunately,
commercial IDSs are pretty good at identifying attacks. Another IDS limitation is its sensitivity, which is
difficult to measure and adjust. IDSs will never be perfect, so finding the proper balance is critical.
In general, IDSs are excellent additions to a network's security. Firewalls block traffic to particular ports or
addresses; they also constrain certain protocols to limit their impact. But by definition, firewalls have to
allow some traffic to enter a protected area. Watching what that traffic actually does inside the protected
area is an IDS's job, which it does quite well.

INTRUSION DETECTION AND PREVENTION


In a multimedia information system, intrusion detection [100] is the act of detecting actions that attempt to
compromise the confidentiality, integrity or availability of a resource. The system performing automated
intrusion detection is called an Intrusion Detection System (IDS). An IDS can be either host-based, if it
monitors system calls or logs, or network-based, if it monitors the flow of network packets. Modern IDSs
are usually a combination of these two approaches. When a probable intrusion is discovered by an IDS,
typical actions to perform would be logging relevant information to a file or database, or generating an
e-mail alert. These automatic actions can be implemented through the interaction of Intrusion Detection
Systems and access control systems such as firewalls. If intrusion detection takes a preventive measure
without direct human intervention, then it becomes an intrusion-prevention system (IPS). When an attack is
detected, the IPS can drop the offending packets while still allowing all other traffic to pass. Generally, it is
a network security device that monitors network and system activities for malicious or unwanted behavior
and can react, in real time, to block or prevent those activities.

Recent advances in multimedia application is resident on that specific IP address, usually on a single
computer. Differently, a Network-based IPS (NIPS) operates in-line to monitor all network traffic for
malicious code or attacks. There exist three kinds of NIPS: a Content-Based IPS (CBIPS), which inspects
the content of network packets for unique sequences and detects and prevents known types of attack such
as worm infections and hacks; a Protocol Analysis based IPS, which natively decodes application-layer
network protocols and evaluates different parts of the protocol for anomalous behavior or exploits; and a
Rate-Based IPS (RBIPS), which monitors and learns normal network behavior and aims to prevent Denial
of Service attacks. Intrusion detection and prevention technology is immature and dynamic. For example,
the accuracy and adequacy of IDS signatures cannot be determined: the proprietary nature of the signatures
for most commercial intrusion detection systems makes a detailed discussion of their accuracy and
adequacy difficult. Signature matching may be adequate for very simple attacks, but is probably inadequate
for sophisticated, multi-stage attacks. Additionally, it is necessary to identify unknown modes of attack
continuously. Generally, intrusion detection systems can match patterns of behavior that represent
signatures of known attacks, but find it difficult to recognize new attack strategies. Adaptive approaches
are expected to solve this problem. Furthermore, intrusion detection systems could provide evidence to
support prosecution in court but do not. With the rapidly growing theft and unauthorized destruction of
computer-based information, the frequency of prosecution is rising, and it is urgent to use computer
forensics to analyze the evidence provided by intrusion detection or prevention systems.

Security Professionals and the Organization


It takes a wide range of professionals to support a diverse information security program. As noted earlier in
this chapter, information security is best initiated from the top down. Senior management is the key
component and the vital force for a successful implementation of an information security program. But
administrative support is also essential to developing and executing specific security policies and
procedures, and technical expertise is of course essential to implementing the details of the information
security program. The following sections describe the typical information security responsibilities of
various professional roles in an organization.

Senior Management
The senior technology officer is typically the chief information officer (CIO), although other titles such as
vice president of information, VP of information technology, and VP of systems may be used. The CIO is
primarily responsible for advising the chief executive officer, president, or company owner on the strategic
planning that affects the management of information in the organization. The CIO translates the strategic
plans of the organization as a whole into strategic information plans for the information systems or data
processing division of the organization. Once this is accomplished, CIOs work with subordinate managers
to develop tactical and operational plans for the division and to enable planning and management of the
systems that support the organization.

The chief information security officer (CISO) has primary responsibility for the assessment, management,
and implementation of information security in the organization. The CISO may also be referred to as the
manager for IT security, the security administrator, or a similar title. The CISO usually reports directly to
the CIO, although in larger organizations it is not uncommon for one or more layers of management to
exist between the two. However, the recommendations of the CISO to the CIO must be given equal, if not
greater, priority than other technology and information-related proposals. The placement of the CISO and
supporting security staff in organizational hierarchies is the subject of current debate across the industry.

Information Security Project Team


The information security project team should consist of a number of individuals who are experienced in
one or multiple facets of the required technical and nontechnical areas. Many of the same skills needed to
manage and implement security are also needed to design it. Members of the security project team fill the
following roles:

● Champion: A senior executive who promotes the project and ensures its support, both financially and
administratively, at the highest levels of the organization.

● Team leader: A project manager, who may be a departmental line manager or staff unit manager, who
understands project management, personnel management, and information security technical requirements.

● Security policy developers: People who understand the organizational culture, existing policies, and
requirements for developing and implementing successful policies.

● Risk assessment specialists: People who understand financial risk assessment techniques, the value of
organizational assets, and the security methods to be used.

● Security professionals: Dedicated, trained, and well-educated specialists in all aspects of information
security from both a technical and nontechnical standpoint.

● Systems administrators: People with the primary responsibility for administering the systems that house
the information used by the organization.
● End users: Those whom the new system will most directly affect. Ideally, a selection of users from
various departments, levels, and degrees of technical knowledge assist the team in focusing on the
application of realistic controls applied in ways that do not disrupt the essential business activities they
seek to safeguard.

Data Responsibilities
The three types of data ownership and their respective responsibilities are outlined below:

● Data owners: Those responsible for the security and use of a particular set of information. They are
usually members of senior management and could be CIOs. The data owners usually determine the level of
data classification (discussed later), as well as the changes to that classification required by organizational
change. The data owners work with subordinate managers to oversee the day-to-day administration of the
data.

● Data custodians: Working directly with data owners, data custodians are responsible for the storage,
maintenance, and protection of the information. Depending on the size of the organization, this may be a
dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or
other technology manager. The duties of a data custodian often include overseeing data storage and
backups, implementing the specific procedures and policies laid out in the security policies and plans, and
reporting to the data owner.

● Data users: End users who work with the information to perform their assigned roles supporting the
mission of the organization. Everyone in the organization is responsible for the security of data, so data
users are included here as individuals with an information security role.

Communities of Interest
Each organization develops and maintains its own unique culture and values. Within each organizational
culture, there are communities of interest that develop and evolve. As defined here, a community of interest
is a group of individuals who are united by similar interests or values within an organization and who share
a common goal of helping the organization to meet its objectives. While there can be many different
communities of interest in an organization, this book identifies the three most common, which have roles
and responsibilities in information security. In theory, each role must complement the others; in practice,
this is often not the case.

Information Security Management and Professionals


The roles of information security professionals are aligned with the goals and mission of the information
security community of interest. These job functions and organizational roles focus on protecting the
organization’s information systems and stored information from attacks.

Information Technology Management and Professionals


The community of interest made up of IT managers and skilled professionals in systems design,
programming, networks, and other related disciplines has many of the same objectives as the information
security community. However, its members focus more on costs of system creation and operation, ease of
use for system users, and timeliness of system creation, as well as transaction response time. The goals of
the IT community and the information security community are not always in complete alignment, and
depending on the organizational structure, this may cause conflict.

Organizational Management and Professionals

The organization’s general management team and the rest of the resources in the organization make up the
other major community of interest. This large group is almost always made up of subsets of other interests
as well, including executive management, production management, human resources, accounting, and
legal, to name just a few. The IT community often categorizes these groups as users of information
technology systems, while the information security community categorizes them as security subjects. In
fact, this community serves as the greatest reminder that all IT systems and information security objectives
exist to further the objectives of the broad organizational community. The most efficient IT systems
operated in the most secure fashion ever devised have no value if they are not useful to the organization as
a whole.

LEGAL, PRIVACY, AND ETHICAL ISSUES IN COMPUTER SECURITY

Protecting Programs And Data


Copyrights, patents, and trade secrets are legal devices that can protect computers, programs and data. Here
we describe how each of these forms was originally designed to be used and how each is currently used in
computing.

Copyrights:
Copyrights are designed to protect the expression of ideas. Thus a copyright applies to a creative work, such
as a story, a photograph, a song or a pencil sketch. The right to copy an expression of an idea is protected by
copyright. The idea of copyright is to allow regular and free exchange of ideas. Copyright gives the author
the exclusive right to make copies of the expression and sell them in public. That is, only the author can
sell copies of the author’s book.

Patents:
Patents are unlike copyrights in that they protect inventions, tangible objects, or ways to make them, not
works of the mind. The distinction between patents and copyrights is that patents were intended to apply to
the results of science, technology, and engineering, whereas copyrights are meant to cover works in the
arts, literature, and written scholarship. A patent is designed to protect the device or process for carrying
out an idea itself.

Trade Secrets:
A trade secret is unlike a patent and a copyright in that it must be kept secret. The information has value
only as a secret, and an infringer is one who divulges the secret. Once divulged, the information usually
cannot be made secret again. A trade secret is information that gives one company a competitive edge over
others. For example, the formula of a soft drink is a trade secret, as is a mailing list of customers or
information about a product due to be announced in a few months.

CODES OF ETHICS
A code of ethics is a written set of guidelines issued by an organization to its workers and management to
help them conduct their actions in accordance with its primary values and ethical standards.

As an ISSO (Information system security Officer) professional, you must behave in a professional manner
at all times and therefore, comply with the professional code of ethics. It is quite possible that members of
associations with a code of ethics have actually never read the code of ethics, even though as an ISSO
professional and member of one or more security-related associations, you are required to comply with the
associations’ codes of ethics. In fact, it can even be considered unethical not to have ever read the codes of
ethics for the various associations to which you as an ISSO professional belong. What does that say about
you and your professionalism? One may counter by saying that he or she always acts in an ethical manner
and doesn’t have to read any codes of ethics. This “know-it-all” attitude is a symptom of possibly a more
serious matter: the idea that one has no more to learn about an InfoSec-related topic. That is not only
impossible but will end up costing the corporation in terms of effectiveness and efficiency. How? Because
the ISSO who is not continuously learning and applying new and better techniques does not take advantage
of new (and possibly better and cheaper) ways of protecting assets. Now is a good time to take the
opportunity to read some codes of ethics from security-related professional associations. Please take the
time to read, understand, and apply the codes of ethics that follow.

American Society for Industrial Security


Aware that the quality of professional security activity ultimately depends upon the willingness of
practitioners to observe special standards of conduct and to manifest good faith in professional
relationships, the American Society for Industrial Security adopts the following Code of Ethics and
mandates its conscientious observance as a binding condition of membership in or affiliation with the Society:

Code of Ethics
I. A member shall perform professional duties in accordance with the law and the highest moral principles.
II. A member shall observe the precepts of truthfulness, honesty, and integrity.
III. A member shall be faithful and diligent in discharging professional responsibilities.
IV. A member shall be competent in discharging professional responsibilities.
V. A member shall safeguard confidential information and exercise due care to prevent its improper
disclosure.
VI. A member shall not maliciously injure the professional reputation or practice of colleagues, clients, or
employers.

Article I
A member shall perform professional duties in accordance with the law and the highest moral principles.

Ethical Considerations

I-1 A member shall abide by the law of the land in which the services are rendered and perform all duties in
an honorable manner.

I-2 A member shall not knowingly become associated in responsibility for work with colleagues who do
not conform to the law and these ethical standards.

I-3 A member shall be just and respect the rights of others in performing professional responsibilities.

Article II
A member shall observe the precepts of truthfulness, honesty, and integrity.


Ethical Considerations
II-1 A member shall disclose all relevant information to those having the right to know.

II-2 A right to know is a legally enforceable claim or demand by a person for disclosure of information by
a member. Such a right does not depend upon prior knowledge by the person of the existence of the
information to be disclosed.

II-3 A member shall not knowingly release misleading information nor encourage or otherwise participate
in the release of such information.

Article III
A member shall be faithful and diligent in discharging professional responsibilities.

Ethical Considerations
III-1 A member is faithful when fair and steadfast in adherence to promises and commitments.

III-2 A member is diligent when employing best efforts in an assignment.

III-3 A member shall not act in matters involving conflicts of interest without appropriate disclosure and
approval.

III-4 A member shall represent services or products fairly and truthfully.

Article IV
A member shall be competent in discharging professional responsibilities.

Ethical Considerations
IV-1 A member is competent who possesses and applies the skills and knowledge required for the task.
IV-2 A member shall not accept a task beyond the member’s competence nor shall competence be claimed
when not possessed.

Article V
A member shall safeguard confidential information and exercise due care to prevent its improper
disclosure.

Ethical Considerations
V-1 Confidential information is nonpublic information, the disclosure of which is restricted.

V-2 Due care requires that the professional must not knowingly reveal confidential information, or use a
confidence to the disadvantage of the principal or to the advantage of the member or a third person, unless
the principal consents after full disclosure of all the facts. This confidentiality continues after the business
relationship between the member and his principal has terminated.

V-3 A member who receives information and has not agreed to be bound by confidentiality is not bound
from disclosing it. A member is not bound by confidential disclosures made of acts or omissions which
constitute a violation of the law.

V-4 Confidential disclosures made by a principal to a member are not recognized by law as privileged in a
legal proceeding. The member may be required to testify in a legal proceeding to the information received
in confidence from his principal over the objection of his principal’s counsel.

V-5 A member shall not disclose confidential information for personal gain without appropriate
authorization.

Article VI
A member shall not maliciously injure the professional reputation or practice of colleagues, clients, or
employers.

Ethical Considerations
VI-1 A member shall not comment falsely and with malice concerning a colleague’s competence,
performance, or professional capabilities.

VI-2 A member who knows, or has reasonable grounds to believe, that another member has failed to
conform to the Society’s Code of Ethics shall present such information to the Ethical Standards Committee
in accordance with Article VIII of the Society’s bylaws.
