CYBER SECURITY: NOTES
MBA/AUC-002
13/08/2015
VARUN MODI
UNIT -1
TOPIC 1: Information systems
Information systems are the software and hardware systems that support data-intensive applications.
Such a system may be as simple as a 3x5 card catalog system on a desk, or a desktop calendar. Or, it may be as complicated as a multi-node computer database system used to manage vast quantities of related information.
TOPIC 2: Components
The six components that must come together in order to produce an information system are:
1. Hardware: The term hardware refers to machinery. This category includes the computer itself, which is often referred to as the central processing unit (CPU), and all of its support equipment. Among the support equipment are input and output devices, storage devices and communications devices.
2. Software: The term software refers to computer programs and the manuals (if any) that support them. Computer programs are machine-readable instructions that direct the circuitry within the hardware parts of the system to function in ways that produce useful information from data. Programs are generally stored on some input/output medium, often a disk or tape.
3. Data: Data are facts that are used by programs to produce useful information. Like programs, data are generally stored in machine-readable form on disk or tape until the computer needs them.
4. Procedures: Procedures are the policies that govern the operation of a computer system. "Procedures are to people what software is to hardware" is a common analogy that is used to illustrate the role of procedures in a system.
5. People: Every system needs people if it is to be useful. Often the most overlooked element of the system is the people, probably the component that most influences the success or failure of information systems. This includes "not only the users, but those who operate and service the computers, those who maintain the data, and those who support the network of computers."
6. Feedback: This is another component of an IS: an IS may be provided with feedback, although this component is not necessary for the system to function.
TOPIC 3: Types of Information Systems
There are various types of information systems, for example:
1. Transaction processing systems
2. Decision support systems
3. Knowledge management systems
4. Learning management systems
5. Database management systems
6. Office information systems
TOPIC 4: Developing an Information System
The steps involved in developing an Information System are:
Analysis: This is a very important part in the development of an Information System and involves looking at an organization or system (such as a nursery school) and finding out how information is being handled at the moment.
Feasibility Study: The aim of a feasibility study is to see whether it is possible to develop a system at a reasonable cost. At the end of the feasibility study a decision is taken whether to proceed or not. A feasibility study contains the general requirements of the proposed system.
System Design: The areas that need to be considered in the design process are listed below:
1. Outputs
2. Inputs
3. File Design
4. Hardware
5. Software
Testing: Any new system needs to be thoroughly tested before being introduced. First of all the system should be tested with normal data to see if it works correctly. Secondly, the system is tested with data containing known errors to try and make it fail ('crash'). Thirdly, the system is tested with very large amounts of data to see how it can cope. It is important that processing time and response rates remain acceptable with varying amounts of data.
Implementation: Implementing or introducing a new system can be done in two ways: Direct Implementation and Parallel Running.
Documentation: User guides are written in plain English rather than technical language. The guide should cover how to run the system, how to enter data, how to modify data and how to save and print reports. The guide should include a list of error messages and advice on what to do if something goes wrong.
TOPIC 5: Information security
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).
TOPIC 6: Need of Information Security
Why do you need Information Security?
This is sometimes tough to answer because the answer seems obvious. No? As we know, information security is all about protecting the confidentiality, integrity and availability of information. Answer these questions:
Do you have information that needs to be kept confidential (secret)?
Do you have information that needs to be accurate?
Do you have information that must be available when you need it?
If you answered yes to any of these questions, then you have a need for information security. We need information security to reduce the risk of unauthorized information disclosure, modification, and destruction. We need information security to reduce risk to a level that is acceptable to the business (management). We need information security to improve the way we do business.
TOPIC 7: Threats to Information Systems
[Figure on the next page of the original notes: Threats to Information Systems]
TOPIC 8: Information Assurance
Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes.
The information assurance process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner will perform a risk assessment for those assets. Vulnerabilities in the information assets are determined in order to enumerate the threats capable of exploiting the assets. The assessment then considers both the probability and impact of a threat exploiting a vulnerability in an asset, with impact usually measured in terms of cost to the asset's stakeholders. The sum of the products of the threats' impact and the probability of their occurring is the total risk to the information asset.
With the risk assessment complete, the IA practitioner then develops a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response to threats. A framework published by a standards organization, such as Risk IT, CobiT, PCI DSS or ISO/IEC 27002, may guide development. Countermeasures may include technical tools such as firewalls and anti-virus software, policies and procedures requiring such controls as regular backups and configuration hardening, employee training in security awareness, or organizing personnel into a dedicated computer emergency response team (CERT) or computer security incident response team (CSIRT). The cost and benefit of each countermeasure is carefully considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but to manage them in the most cost-effective way.
After the risk management plan is implemented, it is tested and evaluated, often by means of formal audits.
TOPIC 9: CYBER SECURITY
WHAT IS CYBER SECURITY?
Cyber security, also referred to as information technology security, focuses on protecting computers, networks, programs and data from unintended or unauthorized access, change or destruction.
WHY IS CYBER SECURITY IMPORTANT?
Governments, military, corporations, financial institutions, hospitals and other businesses collect, process and store a great deal of confidential information on computers and transmit that data across networks to other computers. With the growing volume and sophistication of cyber attacks, ongoing attention is required to protect sensitive business and personal information, as well as safeguard national security.
TOPIC 10: Security Risk Analysis
Security in any system should be commensurate with its risks. However, the process to determine which security controls are appropriate and cost effective is quite often a complex and sometimes a subjective matter. One of the prime functions of security risk analysis is to put this process onto a more objective basis. There are a number of distinct approaches to risk analysis. However, these essentially break down into two types: quantitative and qualitative.
Quantitative Risk Analysis
This approach employs two fundamental elements: the probability of an event occurring and the likely loss should it occur. Quantitative risk analysis makes use of a single figure produced from these elements. This is called the 'Annual Loss Expectancy (ALE)' or the 'Estimated Annual Cost (EAC)'. This is calculated for an event by simply multiplying the potential loss by the probability. The problems with this type of risk analysis are usually associated with the unreliability and inaccuracy of the data. Probability can rarely be precise and can, in some cases, promote complacency. In addition, controls and countermeasures often tackle a number of potential events and the events themselves are frequently interrelated.
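The ALE calculation above, together with the total-risk sum and the cost/benefit weighing of countermeasures described under Information Assurance, worked through in Python as an added example (not part of the original notes). The asset, events, loss figures, probabilities, controls and their costs are all constructed sample values, and the function names are this example's own.

```python
"""Added example: quantitative risk figures for one information asset.

Every event, loss figure, probability and control cost below is a
constructed sample value, not data from the notes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    loss: float          # potential loss if the event occurs (currency units)
    probability: float   # estimated probability of occurrence in one year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # event name -> fraction of that event's potential loss the control
    # is assumed to remove (0.0 = no effect, 1.0 = loss fully avoided)
    reduces: dict


def ale(event):
    """Annual Loss Expectancy: potential loss multiplied by probability."""
    if not 0.0 <= event.probability <= 1.0:
        raise ValueError(f"probability out of range for {event.name!r}")
    return event.loss * event.probability


def total_risk(events):
    """Total risk to the asset: sum of (impact x probability) over all events."""
    return sum(ale(e) for e in events)


def apply_control(events, control):
    """Return the event list as it looks with the control in place.

    One control may cover several events, so its value has to be judged
    against the whole list rather than one event at a time.
    """
    adjusted = []
    for e in events:
        factor = control.reduces.get(e.name, 0.0)
        adjusted.append(Event(e.name, e.loss * (1.0 - factor), e.probability))
    return adjusted


def net_benefit(events, control):
    """Yearly risk reduction bought by the control minus its yearly cost."""
    reduction = total_risk(events) - total_risk(apply_control(events, control))
    return reduction - control.annual_cost


def rank_controls(events, controls):
    """Controls sorted by net benefit, best first; negative = costs more than it saves."""
    scored = [(c.name, net_benefit(events, c)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample data for a single asset (a customer database server).
EVENTS = [
    Event("fire", loss=200_000, probability=0.01),
    Event("fraud", loss=50_000, probability=0.10),
    Event("disk failure", loss=20_000, probability=0.25),
]
CONTROLS = [
    Control("off-site backups", 3_000, {"fire": 0.5, "disk failure": 0.9}),
    Control("sprinkler system", 2_500, {"fire": 0.6}),
]

if __name__ == "__main__":
    for e in EVENTS:
        print(f"ALE {e.name:<13} {ale(e):>10.2f}")
    print(f"Total risk        {total_risk(EVENTS):>10.2f}")
    for name, net in rank_controls(EVENTS, CONTROLS):
        print(f"{name:<18} net benefit {net:>10.2f}")
```

On these sample figures the backups pay for themselves because they cover two events at once, while the sprinkler system costs more per year than the risk it removes.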
Qualitative Risk Analysis
This is by far the most widely used approach to risk analysis. Probability data is not required and only estimated potential loss is used. Most qualitative risk analysis methodologies make use of a number of interrelated elements:
THREATS
These are things that can go wrong or that can 'attack' the system. Examples might include fire or fraud. Threats are ever present for every system.
VULNERABILITIES
These make a system more prone to attack by a threat or make an attack more likely to have some success or impact. For example, for fire a vulnerability would be the presence of inflammable materials (e.g. paper).
CONTROLS
These are the countermeasures for vulnerabilities. There are four types:
Deterrent controls reduce the likelihood of a deliberate attack
Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact
Corrective controls reduce the effect of an attack
Detective controls discover attacks and trigger preventative or corrective controls.
UNIT -2
TOPIC 1: Application security
Application security is the use of software, hardware, and procedural methods to protect applications from external threats. Once an afterthought in software design, security is becoming an increasingly important concern during development as applications become more frequently accessible over networks and are, as a result, vulnerable to a wide variety of threats.
Actions taken to ensure application security are sometimes called countermeasures. The most basic software countermeasure is an application firewall that limits the execution of files or the handling of data by specific installed programs. The most common hardware countermeasure is a router that can prevent the IP address of an individual computer from being directly visible on the Internet. Other countermeasures include conventional firewalls, encryption/decryption programs, anti-virus programs, spyware detection/removal programs and biometric authentication systems.
Application security can be enhanced by rigorously defining enterprise assets, identifying what each application does (or will do) with respect to these assets, creating a security profile for each application, identifying and prioritizing potential threats and documenting adverse events and the actions taken in each case. This process is known as threat modeling. In this context, a threat is any potential or actual adverse event that can compromise the assets of an enterprise, including both malicious events, such as a denial-of-service (DoS) attack, and unplanned events, such as the failure of a storage device.
TOPIC 2: Data Security Considerations
Backups:
Enterprise level backups are becoming the fundamental way to safeguard your data. Gone are the days where you can have a tape drive hooked up to every machine in order to back it up. Now you might have 1 server backing up 20, 50, 100 or more clients; some backup solutions even allow thousands of clients on a single server. The primary reason for this is centralization: of media, of administration, of access. It is much easier to change 100 tapes on 1 machine than it is to change 1 tape on 100 machines. It is easier to collect data and spot problems from a central server than it is to monitor 100 machines.
Along with the greater ease in management that Enterprise Level Backups provide comes a greater threat to security. Centralized service means centralized access. If an intruder gains access to your backup server, he gains access to the collected data from all of that server's clients. This is an important security risk, one that should be considered and planned for. Not every risk can be accounted for; good computer security is always a compromise between usability and precautions. A good overview of the security risks of Enterprise level backup can provide you with the groundwork needed to make the decisions for your environment.
Secure data disposal methods:
Information systems store data on a wide variety of storage media, including: internal and external hard drives; internal solid-state memory, removable flash memory cards and flash drives; floppy, ZIP and other types of removable magnetic disks; tapes, cartridges and other linear magnetic media; optical storage using CDs and DVDs; and paper.
To prevent unauthorized access, it is critical that data be rendered unreadable when it or the device on which it resides is no longer needed. This is required by law (and common sense) for all computers and media containing sensitive information. Note that different kinds of data storage media require different methods for secure removal or destruction, some simple but others complex. Do it incorrectly and the data remains for prying eyes to discover. Proof that secure disposal is not easy comes from this simple fact: insecure disposal is one of the most common causes of sensitive data being compromised. Not coincidentally, it is one of the most common methods by which identity theft occurs. What is really secure? For each storage medium there are more and less secure methods.
Paper media
Paper containing sensitive information should be shredded. Every office (and home) should have access to a shredder or a secure shredding service. Shredders are cheap. "Dumpster-diving" for data is common. Secure recycling containers are distributed around the medical campus for just this reason. Alternatively, paper records can be pulverized (rendered into a powder by grinding), macerated (rendered into pulp by chemicals) or incinerated (burned). This is appropriate for extremely sensitive information.
Electronic media
The appropriate "cleaning" method for electronic media depends on the type. The main division is between "magnetic media" and "optical media." Though both contain information in electronic form, the methods for secure disposal are very different.
Many people are under the impression that all they need to do is "delete" a file from a computer's hard drive or other storage media. Unfortunately, that's almost never sufficient. In most cases, "delete" simply changes indexing information about a file, sort of like marking through the entry in a book's table of contents but leaving the pages behind. Emptying the "recycle bin" or the "trash" folder of deleted files is usually also ineffective. These methods remove the pointers (indexes) to the deleted files, but the data itself still remains on the storage media as unallocated space. Even if the unallocated space is subsequently used by new files, there are sophisticated scanning methods that could be used to recover data previously stored in those locations. Some un-rewritable media, like CD-Rs and DVD-Rs, can't have their contents deleted in any case. Inoperable media, like a crashed hard drive, may be so corrupted that you cannot access it using normal computer operations; but it still may have data on it that can be recovered by others.
Demagnetizing magnetic media
Removable magnetic "disks" (floppies, ZIP disks, and the like) and linear magnetic media (tape reels, cartridges) can be "degaussed" -- that is, demagnetized. An appropriately-sized and -powered "degausser" is required. For each particular type of magnetic storage and size of degausser there is a minimum erasing time. As with disposal of paper information, there are trade-offs rather than absolute standards for "erasing" magnetic media. The more powerful and lengthy the degaussing process applied to any given type of storage media, the less likely it is that the data can subsequently be recovered by others. Note that degaussing can make the media inoperable, so this method is not recommended if the media needs to be reused and/or has resale value.
Over-writing magnetic media
"Fixed" internal magnetic storage, such as computer hard drives, as well as external "mini" and "micro" hard drive storage, can be cleaned by software that uses an over-writing or "wiping" process. USB "flash drive" devices and plug-in memories like CompactFlash, Memory Stick, Secure Digital, and SmartMedia can also be cleaned in this way. Special software is used to over-write all the usable storage locations. The simplest method is a single over-write; additional security is provided by multiple over-writes with variations of all 0s, all 1s, complements (opposite of recorded characters) and/or random characters so that recovery even by the most sophisticated methods becomes almost impossible. There are a few free public domain programs like DBAN that perform secure over-writes. There are also many commercial offerings.
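The over-write passes described above, as an added example (not code from the original notes or from DBAN): a file-level wipe in Python that applies an all-0s pass, an all-1s pass and a random pass, reading the fixed-value passes back to verify them. It assumes the filesystem and the device write the new bytes over the old locations in place; the function names are this example's own.

```python
"""Added example: multi-pass over-write of one file before deleting it.

Works on a single file, not on a whole device, and assumes that writing
to an existing file replaces the old bytes in the same storage locations.
"""
import os

CHUNK = 64 * 1024  # write in 64 KiB pieces so large files do not fill memory


def _pattern_chunks(size, fill):
    """Yield `size` bytes in chunks; `fill` is a byte value, or None for random."""
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        yield os.urandom(n) if fill is None else bytes([fill]) * n
        remaining -= n


def overwrite_pass(path, fill):
    """Over-write every byte of `path` once; return the number of bytes written."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:       # r+b: write in place, do not truncate
        for chunk in _pattern_chunks(size, fill):
            f.write(chunk)
        f.flush()
        os.fsync(f.fileno())           # push the pass out of the OS cache
    return size


def verify_fill(path, fill):
    """Read the file back and confirm that every byte equals `fill`."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(fill) != len(chunk):
                return False


def wipe_file(path, passes=(0x00, 0xFF, None)):
    """Run each pass in order (all 0s, all 1s, random), then delete the file.

    Returns the fixed-value passes that were verified by read-back. A random
    pass has no expected value to compare against, so it is not verified.
    """
    verified = []
    for fill in passes:
        overwrite_pass(path, fill)
        if fill is not None:
            if not verify_fill(path, fill):
                raise OSError(f"pass 0x{fill:02X} did not verify on {path}")
            verified.append(fill)
    os.remove(path)
    return verified


if __name__ == "__main__":
    import tempfile

    # Constructed sample file standing in for a document that must be disposed of.
    fd, sample = tempfile.mkstemp()
    os.write(fd, b"CONSTRUCTED-SAMPLE-RECORD\n" * 4000)
    os.close(fd)
    print("verified passes:", [hex(p) for p in wipe_file(sample)])
    print("file still exists:", os.path.exists(sample))
```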
Mangling magnetic media
You can take a hammer or a high-speed drill to your hard drive, USB drive or other device. Chances are excellent that you'll render it inoperable in short order. But be warned that recovery of data from physically mangled magnetic devices is still possible. Physical destruction is generally something that must be done by a trained person to be completely effective, particularly for hard drives. Floppy disks can be broken open and the internal magnetic disk cut up. As with optical media (see next discussion), caution is required to avoid personal injury from flying plastic parts, etc., and it is still theoretically possible to recover data even from a mangled disk.
Optical media
"Write-many" optical media (such as CD-RWs and DVD-RWs) can be processed via an over-write method similar to that for magnetic media. However, the vast majority of optical media in use are of the "write once" type -- notably the ubiquitous CD-Rs and DVD-Rs. They cannot be over-written. Because such media are optical rather than magnetic, neither can they be degaussed. So, as with paper, only physical destruction will do. Many higher-capacity paper shredders are rated for CD/DVD destruction for exactly this reason. It's a good investment to upgrade to a shredder that is CD/DVD capable if you regularly rely on optical media for your data storage.
As with magnetic media, you can perform a physical attack. Cutting a CD or DVD with scissors is an alternative if you have only a few to do. But note that cut-up discs have been successfully reassembled and read, so cut them into multiple pieces and, ideally, dispose of the pieces in different trash receptacles. Breaking discs in half with your hands can send dangerous shards of plastic flying. Burning discs (or microwaving them) can release toxic fumes. Don't ever do this!
Computer recycling programs
For a whole system, some manufacturers (like Dell and Apple), and many retailers of computer equipment, offer recycling programs that meet both security and environmental concerns. These programs will process the entire old system for disposal, including cleaning the hard drive and any other storage media, when you trade it in as part of a new purchase.
Archival Storage:
In computers, archival storage is storage for data that may not be actively needed but is kept for possible future use or for record-keeping purposes. Archival storage is often provided using the same system as that used for backup storage. Typically, archival and backup storage can be retrieved using a restore process.
TOPIC 3: Data Security Technology
Firewall:
A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Hardware firewalls can be purchased as a stand-alone product but are also typically found in broadband routers, and should be considered an important part of your system and network set-up. Most hardware firewalls will have a minimum of four network ports to connect other computers, but for larger networks, business networking firewall solutions are available.
Software firewalls are installed on your computer (like any software) and can be customized, allowing you some control over their function and protection features. A software firewall will protect your computer from outside attempts to control or gain access to your computer.
VPN:
A VPN, or virtual private network, is a network that is constructed by using public wires, usually the Internet, to connect to a private network, such as a company's internal network. There are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.
A VPN is designed to provide a secure, encrypted tunnel in which to transmit the data between the remote user and the company network. The information transmitted between the two locations via the encrypted tunnel cannot be read by anyone else because the system contains several elements to secure both the company's private network and the outside network through which the remote user connects.
Intrusion detection (ID):
It is a type of security management system for computers and networks. An ID system gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). ID uses vulnerability assessment (sometimes referred to as scanning), which is a technology developed to assess the security of a computer system or network.
Intrusion detection functions include:
Monitoring and analyzing both user and system activities
Analyzing system configurations and vulnerabilities
Assessing system and file integrity
Ability to recognize patterns typical of attacks
Analysis of abnormal activity patterns
Tracking user policy violations
Access Control:
It is the selective restriction of access to a place or other resource. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization.
When a credential is presented to a reader, the reader sends the credential's information, usually a number, to a control panel, a highly reliable processor. The control panel compares the credential's number to an access control list, grants or denies the presented request, and sends a transaction log to a database. When access is denied based on the access control list, the door remains locked. If there is a match between the credential and the access control list, the control panel operates a relay that in turn unlocks the door. The control panel also ignores a door open signal to prevent an alarm. Often the reader provides feedback, such as a flashing red LED for an access denied and a flashing green LED for an access granted.
There are three types (factors) of authenticating information:
something the user knows, e.g. a password, pass-phrase or PIN
something the user has, such as a smart card or a key fob
something the user is, such as a fingerprint, verified by biometric measurement
TOPIC 4: Security Threats
Computer security threats are relentlessly inventive. Masters of disguise and manipulation, these threats constantly evolve to find new ways to annoy, steal and harm. Arm yourself with information and resources to safeguard against complex and growing computer security threats and stay safe online.
Computer Virus Threats
Perhaps the most well known computer security threat, a computer virus is a program written to alter the way a computer operates, without the permission or knowledge of the user. A virus replicates and executes itself, usually doing damage to your computer in the process. Learn how to combat computer virus threats and stay safe online.
Spyware Threats
A serious computer security threat, spyware is any program that monitors your online activities or installs programs without your consent for profit or to capture personal information. We've amassed a wealth of knowledge that will help you combat spyware threats and stay safe online.
Hackers & Predators
People, not computers, create computer security threats and malware. Hackers and predators are programmers who victimize others for their own gain by breaking into computer systems to steal, change or destroy information as a form of cyber-terrorism. What scams are they using lately? Learn how to combat dangerous malware and stay safe online.
Phishing Threats
Masquerading as a trustworthy person or business, phishers attempt to steal sensitive financial or personal information through fraudulent email or instant messages. How can you tell the difference between a legitimate message and a phishing scam? Educate yourself on the latest tricks and scams.
Trojan Horse
A Trojan, in computing, is any malicious computer program which misrepresents itself as useful, routine, or interesting in order to persuade a victim to install it.
Logic Bombs
Logic bombs are small programs or sections of a program triggered by some event such as a certain date or time, a certain percentage of disk space filled, the removal of a file, and so on. For example, a programmer could establish a logic bomb to delete critical sections of code if she is terminated from the company. Logic bombs are most commonly installed by insiders with access to the system.
Trap doors
Trap doors, also referred to as backdoors, are bits of code embedded in programs by the programmer(s) to quickly gain access at a later time, often during the testing or debugging phase. If an unscrupulous programmer purposely leaves this code in or simply forgets to remove it, a potential security hole is introduced. Hackers often plant a backdoor on previously compromised systems to gain later access. Trap doors can be almost impossible to remove in a reliable manner. Often, reformatting the system is the only sure way.
E-Mail Virus
An e-mail virus is computer code sent to you as an e-mail note attachment which, if activated, will cause some unexpected and usually harmful effect, such as destroying certain files on your hard disk and causing the attachment to be remailed to everyone in your address book. Although not the only kind of computer virus, e-mail viruses are the best known and undoubtedly cause the greatest loss of time and money overall. The best two defenses against e-mail viruses for the individual user are: (1) a policy of never opening (for example, double-clicking on) an e-mail attachment unless you know who sent it and what the attachment contains, and (2) installing and using anti-virus software to scan any attachment before you open it.
Macro Virus
A macro virus is a computer virus that "infects" a Microsoft Word or similar application and causes a sequence of actions to be performed automatically when the application is started or something else triggers it. Macro viruses tend to be surprising but relatively harmless. A typical effect is the undesired insertion of some comic text at certain points when writing a line. A macro virus is often spread as an e-mail virus. A well-known example in March, 1999 was the Melissa virus.
Worm
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
Denial of Service (DoS)
A denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. In a distributed denial-of-service, large numbers of compromised systems (sometimes called a botnet) attack a single target.
Although a DoS attack does not usually result in the theft of information or other security loss, it can cost the target person or company a great deal of time and money. Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available or the temporary loss of all network connectivity and services. A denial of service attack can also destroy programming and files in affected computer systems. In some cases, DoS attacks have forced Web sites accessed by millions of people to temporarily cease operation.
A few of the better-known attacks based on the buffer characteristics of a program or system include:
1. Sending e-mail messages that have attachments with 256-character file names to Netscape and Microsoft mail programs
2. Sending oversized Internet Control Message Protocol (ICMP) packets (this is also known as the Packet Internet or Inter-Network Groper (PING) of death)
3. Sending to a user of the Pine e-mail program a message with a "From" address larger than 256 characters
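Items 1 and 3 above both depend on a header field longer than the receiving program expected, so a mail gateway can screen for such fields before any client parses the message. The check below is an added example, not code from the original notes; the 255-character limit, the function names and the sample messages are assumptions constructed for illustration.

```python
"""Added example: flag e-mail messages whose From field or attachment
file name is longer than a policy limit, before delivery to a client."""
from email import message_from_string

MAX_FIELD = 255  # assumed gateway policy, taken from the 256-character figure


def oversized_fields(raw_message, limit=MAX_FIELD):
    """Return a list of (field, length) for every field longer than `limit`."""
    msg = message_from_string(raw_message)
    findings = []

    sender = msg.get("From", "")
    if len(sender) > limit:
        findings.append(("From", len(sender)))

    # walk() visits the top-level message and every MIME part beneath it;
    # get_filename() returns None for parts that carry no file name.
    for part in msg.walk():
        name = part.get_filename()
        if name and len(name) > limit:
            findings.append(("attachment filename", len(name)))
    return findings


def build_sample(sender, filename):
    """Build a constructed two-part test message (not a captured sample)."""
    return (
        f"From: {sender}\r\n"
        "To: user@example.org\r\n"
        "Subject: report\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "See attachment.\r\n"
        "--b1\r\n"
        "Content-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "\r\n"
        "data\r\n"
        "--b1--\r\n"
    )


if __name__ == "__main__":
    ordinary = build_sample("alice@example.org", "report.pdf")
    oversized = build_sample("a" * 300 + "@example.org", "A" * 256)
    print("ordinary :", oversized_fields(ordinary))
    print("oversized:", oversized_fields(oversized))
```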
24
TOPIC 5: Threats to E-Com- Electronic Payment System
E-commerce security is the protection of e-commerce assets from unauthorized access, use, alteration, or destruction.
6 dimensions of e-commerce security:
1. Integrity: prevention against unauthorized data modification
2. Nonrepudiation: prevention against any one party from reneging on an agreement after the fact
3. Authenticity: authentication of data source
4. Confidentiality: protection against unauthorized data disclosure
5. Privacy: provision of data control and disclosure
6. Availability: prevention against data delays or removal
E-COMMERCE THREATS
Threats: anyone with the capability, technology, opportunity, and intent to do harm. Potential threats can be foreign or domestic, internal or external, state-sponsored or a single rogue element. Terrorists, insiders, disgruntled employees, and hackers are included in this profile (President's Commission on Critical Infrastructure Protection).
Concern | 2001 | 2000
Loss of Privacy/confidentiality, data misuse/abuse | 28% | 25%
Cracking, eavesdropping, spoofing, rootkits | 25% | 20%
Viruses, Trojans, worms, hostile ActiveX and Java | 21% | 26%
System unavailability, denial of service, natural disasters, power interruptions | 18% | 20%
Digital Signature
A digital signature (not to be confused with a digital certificate) is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document.
The digital equivalent of a handwritten signature or stamped seal, but offering far more inherent security, a digital signature is intended to solve the problem of tampering and impersonation in digital communications. Digital signatures can provide the added assurances of evidence to origin, identity and status of an electronic document, transaction or message, as well as acknowledging informed consent by the signer. In many countries, including the United States, digital signatures have the same legal significance as the more traditional forms of signed documents. The United States Government Printing Office publishes electronic versions of the budget, public and private laws, and congressional bills with digital signatures.
Public-key cryptography:
Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic protocols based on algorithms that require two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked. The public key is used, for example, to encrypt plaintext or to verify a digital signature; whereas the private key is used for the opposite operation, in these examples to decrypt cipher text or to create a digital signature. The term "asymmetric" stems from the use of different keys to perform these opposite functions, each the inverse of the other – as contrasted with conventional ("symmetric") cryptography which relies on the same key to perform both.
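The key roles described above for digital signatures and public-key cryptography, as an added example that is not part of the original notes: it uses the built-in crypto module of Node.js with an RSA-2048 key pair (RSA-PSS for signing, RSA-OAEP for encryption). The names Alice and Mallory and the sample messages are constructed for illustration.

```javascript
// Added example (not from the original notes): one RSA key pair used in both
// directions. Names and messages below are constructed sample data.
const nodeCrypto = require('node:crypto');

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const PSS = {
  padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING,
  saltLength: nodeCrypto.constants.RSA_PSS_SALTLEN_DIGEST,
};

// One key pair: the private half is kept secret, the public half is handed out.
function newKeyPair() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// A signature is created with the PRIVATE key ...
function sign(privateKey, message) {
  return nodeCrypto.sign('sha256', Buffer.from(message, 'utf8'), { key: privateKey, ...PSS });
}

// ... and checked with the PUBLIC key. True only if the message is unchanged
// and the signature was made by the matching private key.
function verify(publicKey, message, signature) {
  const data = Buffer.from(message, 'utf8');
  return nodeCrypto.verify('sha256', data, { key: publicKey, ...PSS }, signature);
}

// Encryption is done with the PUBLIC key ...
function encryptFor(publicKey, plaintext) {
  return nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(plaintext, 'utf8'));
}

// ... and reversed with the PRIVATE key.
function decryptWith(privateKey, ciphertext) {
  return nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, ciphertext).toString('utf8');
}

// Alice signs an order; Mallory holds a different, unrelated key pair.
function demo() {
  const alice = newKeyPair();
  const mallory = newKeyPair();
  const order = 'Pay 100 INR to account 12345';
  const sig = sign(alice.privateKey, order);

  const tamperedSig = Buffer.from(sig);
  tamperedSig[tamperedSig.length - 1] ^= 0x01; // flip one bit of the signature

  const secret = encryptFor(alice.publicKey, 'card ending 4242');
  let decryptedByWrongKey = null;
  try {
    decryptedByWrongKey = decryptWith(mallory.privateKey, secret);
  } catch (err) {
    decryptedByWrongKey = null; // a non-matching private key cannot decrypt
  }

  return {
    genuine: verify(alice.publicKey, order, sig),
    tamperedMessage: verify(alice.publicKey, 'Pay 900 INR to account 12345', sig),
    tamperedSignature: verify(alice.publicKey, order, tamperedSig),
    signedBySomeoneElse: verify(alice.publicKey, order, sign(mallory.privateKey, order)),
    decrypted: decryptWith(alice.privateKey, secret),
    decryptedByWrongKey,
  };
}

console.log(demo());
```

Only the first check succeeds: changing the message, changing the signature, or signing with a different private key all make verification fail, which is the tampering and impersonation protection the notes describe.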
UNIT – 3 TOPIC 1: Developing Secure Information Systems
Initiation Phase: During the initiation phase, the organization establishes the need for a system and documents its purpose. Security planning should begin in the initiation phase with the identification of key security roles to be carried out in the development of the system.
Development/Acquisition Phase: During this phase, the system is designed, purchased, programmed, developed, or otherwise constructed. A key security activity in this phase is conducting a risk assessment and using the results to supplement the baseline security controls. In addition, the organization should analyze security requirements; perform functional and security testing; prepare initial documents for system certification and accreditation; and design the security architecture.
Implementation Phase: In the implementation phase, the organization configures and enables system security features, tests the functionality of these features, installs or implements the system, and obtains a formal authorization to operate the system. Design reviews and system tests should be performed before placing the system into operation to ensure that it meets all required security specifications.
Operations/Maintenance Phase: In this phase, systems and products are in place and operating, enhancements and/or modifications to the system are developed and tested, and hardware and software components are added or replaced.
Disposal Phase: In this phase, plans are developed for discarding system information, hardware, and software and making the transition to a new system. The information, hardware, and software may be moved to another system, archived, discarded, or destroyed. If performed improperly, the disposal phase can result in the unauthorized disclosure of sensitive data. When archiving information, organizations should consider the need for and the methods for future retrieval.
TOPIC 2: Information Security Governance
It is not enough to have some security policies and then just concentrate on securing your network. To integrate security within business processes, an organization needs to have a robust information security program that maps to its business drivers, legal and regulatory requirements, and threat profile. Information security governance is similar in nature to corporate and IT governance because there is overlapping functionality and goals between the three. All three work within an organizational structure of a company and have the same goals of helping to ensure that the company will survive and thrive – they just each have different focuses. Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.
In other words, information security governance is all of the tools, personnel and business processes that ensure that security is carried out to meet an organization's specific needs. It requires organizational structure, roles and responsibilities, performance measurement, defined tasks and oversight mechanisms.
TOPIC 3: Systems Security Architecture and Design
The security architecture is one component of a product’s overall architecture and is developed to provide guidance during the design of the product. It outlines the level of assurance that is required and potential impacts that this level of security could have during the development stages and on the product overall.
Security Design Principles
Security is a system requirement just like performance, capability, cost, etc. Therefore, it may be necessary to trade off certain security requirements to gain others.
Principles of Secure Design
Design security in from the start
Allow for future security enhancements
Minimize and isolate security controls
Employ least privilege
Structure the security relevant features
Make security friendly
Don’t depend on secrecy for security
Principles for Software Security
Secure the weakest link
Practice defense in depth
Fail securely- If your software has to fail, make sure it does it securely
Follow the principle of least privilege
Compartmentalize- Minimize the amount of damage that can be done by breaking the system into units
Keep it simple- Complex design is never easy to understand
Promote privacy- Try not to do anything that compromises the privacy of the user
Remember that hiding secrets is hard
Be reluctant to trust- Instead of making assumptions that need to hold true, you should be reluctant to extend trust
Use your community resources- Public scrutiny promotes trust
Design Principles for Protection Mechanisms
Least privilege- Should only have the rights necessary to complete your task.
Economy of mechanism- Should be sufficiently small and simple to be verified and implemented – e.g., security kernel. Complex mechanisms should be correctly understood, modeled, configured, implemented and used
Complete mediation- Every access to every object must be checked
Open design- Let the design be open. Security through obscurity is a bad idea
Should be open for scrutiny by the community- Better to have a friend/colleague find an error than a foe
Separation of privilege- Access to objects should depend on more than one condition being satisfied
Least common mechanism- Minimize the amount of mechanism common to more than one user and depended on by all users
Psychological acceptability- User interface must be easy to use, so that users routinely and automatically apply the mechanisms correctly. Otherwise, they will be bypassed
Fail-safe defaults- The default should be lack of access
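One way to see least privilege, complete mediation, separation of privilege and fail-safe defaults working together, as an added example that is not part of the original notes. The users, roles, resources and the two-approver rule are hypothetical.

```javascript
// Added example (not from the original notes). Users, roles, resources and the
// two-approver rule are hypothetical.

// Least privilege: each role lists only the actions it needs; nothing else exists.
const POLICY = new Map([
  ['clerk', new Map([['invoice', ['read']]])],
  ['manager', new Map([['invoice', ['read', 'approve']]])],
  ['auditor', new Map([['invoice', ['read']], ['auditlog', ['read']]])],
]);
const USERS = new Map([
  ['asha', 'clerk'], ['ravi', 'manager'], ['meena', 'manager'], ['dev', 'auditor'],
]);

// Separation of privilege: these actions need a second, independent approver.
const NEEDS_SECOND_APPROVER = new Set(['invoice:approve']);

function roleAllows(user, resource, action) {
  const rights = POLICY.get(USERS.get(user));
  const actions = rights ? rights.get(resource) : undefined;
  return Array.isArray(actions) && actions.includes(action);
}

// Complete mediation: every request goes through this one function, every time.
// Fail-safe defaults: the result is "deny" unless a rule explicitly grants access,
// and an error while deciding is also a "deny".
function checkAccess(request) {
  try {
    const { user, resource, action, approvedBy } = request;
    if (!roleAllows(user, resource, action)) {
      return { allow: false, reason: 'no rule grants this' };
    }
    if (NEEDS_SECOND_APPROVER.has(`${resource}:${action}`)) {
      const independent = approvedBy !== undefined && approvedBy !== user;
      if (!independent || !roleAllows(approvedBy, resource, action)) {
        return { allow: false, reason: 'needs a second authorised approver' };
      }
    }
    return { allow: true, reason: 'granted by policy' };
  } catch (err) {
    return { allow: false, reason: 'error while checking' };
  }
}

// Constructed sample requests, including a malformed one (null).
const SAMPLES = [
  { user: 'asha', resource: 'invoice', action: 'read' },
  { user: 'asha', resource: 'invoice', action: 'approve', approvedBy: 'ravi' },
  { user: 'ravi', resource: 'invoice', action: 'approve' },
  { user: 'ravi', resource: 'invoice', action: 'approve', approvedBy: 'ravi' },
  { user: 'ravi', resource: 'invoice', action: 'approve', approvedBy: 'meena' },
  { user: 'ghost', resource: 'invoice', action: 'read' },
  null,
];
for (const req of SAMPLES) {
  const decision = checkAccess(req);
  console.log(JSON.stringify(req), '->', decision.allow ? 'ALLOW' : 'DENY', `(${decision.reason})`);
}
```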
TOPIC 4: Security Issues in Hardware
Understand and accept that hardware-based security is extremely difficult – Just because it's a hardware product does not mean it's secure.
Threat Vectors
Interception (or Eavesdropping) – Gain access to protected information without opening the product.
Interruption (or Fault Generation) – Preventing the product from functioning normally
Modification – Tampering with the product, typically invasive
Fabrication/Man-in-the-Middle – Creating counterfeit assets of a product
Attack Goals
Competition (or Cloning) – Specific IP theft to gain marketplace advantage
Theft-of-Service – Obtaining service for free that normally requires money
User Authentication (or Spoofing) – Forging a user's identity to gain access to a system
Privilege Escalation (or Feature Unlocking) – Gaining increased command of a system or unlocking hidden/undocumented features
Attacks Against
Access control
Biometrics
Authentication tokens
RFID
Network appliances
Cryptographic accelerators
Wireless access points
Network adapters/NICs
PDAs/Mobile devices
Some of the other topics in this unit like Intrusion Detection, Access Control, Backup and Storage have been covered in previous sections, please refer to those sections for these topics.
UNIT – 4 TOPIC 1: Security Policy
Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people. If it is important to be secure, then it is important to be sure all of the security policy is enforced by mechanisms that are strong enough. There are many organized methodologies and risk assessment strategies to assure completeness of security policies and assure that they are completely enforced. In complex systems, such as information systems, policies can be decomposed into sub-policies to facilitate the allocation of security mechanisms to enforce sub-policies.
Email Policy
Here are five reasons why your company needs an email policy:
1. Protect against email threats: An email policy helps prevent email threats. A well laid out email policy makes your staff aware of the corporate rules and guidelines, which if followed will protect your company against (spear) phishing attacks and confidentiality leaks, aid compliance and minimize legal liability.
2. Avoid misconduct: An email policy can help stop any misconduct at an early stage, for instance by asking employees to come forward as soon as they receive an offensive email. Keeping the incidents to a minimum can help avoid legal liability. For instance in the case of Morgan Stanley, the court ruled that a single e-mail communication (a racist joke, in this case) cannot create a hostile work environment and dismissed the case against them.
3. Reduce liability: If an incident does occur, an email policy can minimize the company’s liability for the employee’s actions. Previous cases have proven that the existence of an email policy can prove that the company has taken steps to prevent inappropriate use of the email system and therefore can be freed of liability. WorldCom Corp. for instance, faced a court case from two former employees for allowing four racially offensive jokes on its email system. WorldCom successfully defended themselves because they had an email policy that spelled out inappropriate content and because they took prompt remedial action against the co-worker who sent the racially harassing e-mails.
4. Educate Email Etiquette: You can use your email policy to educate your employees in email etiquette to ensure that your company conveys a professional image in its email communications.
5. Warn employees of email monitoring: If you are going to use email filtering software to check the contents of your employees’ emails, it is essential to have an email policy that warns your employees that their emails might be monitored. If you do not have such a policy you could be liable for privacy infringement.
WWW Security Policy
By creating a security policy for your business you can protect your business from most of the common forms of internet threat. The internet can be a great force for good, but unfortunately it can also be the conduit for everything that is bad in the world. While you may be wise to spam emails, phishing emails and files that aren't quite as innocent as they seem, your staff may not be quite so security conscious in their use of the internet. Additionally the growth in social networking is a cause for concern to many employers as these sites can be a huge distraction from day to day work. This is where a security policy comes into play. When you take on new staff in your business the last thing on your mind is probably, "how do I make sure that my staff are internet safe"? However by creating a security policy you will have laid out clear lines of responsibilities that will ensure you and your team protect the reputation of your business, as well as preventing your business from potential internet attacks, and from claims by an employee that "they didn't know".
The policy basics
The objective of an internet security policy is to:
Set the boundaries of employee use.
Describe what is deemed acceptable behavior.
Explain processes and procedures employees should adopt to protect and manage your systems.
Assign roles and responsibilities for staff so everyone knows their respective tasks.
Detail the outcomes if the policy is ignored or deliberately breached.
Policy Review Process
Many problems with procedures that crop up after they’ve been implemented are traceable to inadequate or no review. Let’s say a procedure as written describes an ideal process, performed under ideal conditions (i.e., real-world conditions aren’t taken into account). If this isn’t caught in the policy review process, the end product will meet requirements only through luck. Luck being notoriously unreliable, inconsistent, and uncontrollable, you’re clearly better off with a policy review.
An Effective Policy Review Process
Why do you review anything? To ensure the accuracy and completeness of whatever it is you’re reviewing and to make sure everyone has the same understanding of the policy, process, or situation. In short, to ensure effective communication, which will lead you to the desired outcome.
Effective communication is a big reason why the international quality standard, ISO 9001, mandates design and development reviews (clause 7.3.4). If you don’t review, you risk missing any number of product requirements, both stated and unstated, and you risk losing customers. Need another reason to review policies and procedures? No one is perfect and no process is perfect. No one will write the perfect procedure the first time, every time. Furthermore, no one — NO ONE! — can multitask. Your technical writer wears several other hats, right? That person is bound to temporarily lose focus on the policy or procedure they’re writing when other projects and other managers are continually demanding that their stuff is mission critical, “…so drop everything and work on this.” (Now, where was I?)
We all agree, then, that policies and procedures have to be reviewed, right? So, how’s it done? Well, one method that works is based on speech evaluations as done by Toastmasters. For a Toastmaster, learning how to evaluate a speech – or a written document – is as critical as learning how to give a speech or write one. In your policy review process, whether it’s written or oral, be sure to lead with those aspects of the procedure where objectives were met or exceeded. If critical procedure review objectives were not, consider possible explanations for that (the writer’s level of experience, competing projects, the amount of information provided them, clarity of the objectives, etc.).
Sample Security Policy
TOPIC 2: LAWS
Copyright Law
Copyright is a bundle of rights given by the law to the creators of literary, dramatic, musical and artistic works and the producers of cinematograph films and sound recordings. The rights provided under Copyright law include the rights of reproduction of the work, communication of the work to the public, adaptation of the work and translation of the work. The scope and duration of protection provided under copyright law varies with the nature of the protected work. The Indian copyright law protects literary works, dramatic works, musical works, artistic works, cinematograph films and sound recordings.
Information Technology Act, 2000
The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No 21 of 2000) notified on 17 October 2000. It is the primary law in India dealing with cybercrime and electronic commerce. It is based on the United Nations Model Law on Electronic Commerce 1996 (UNCITRAL Model) recommended by the General Assembly of the United Nations by a resolution dated 30th January 1997.
The following are the crimes which can be committed against the following groups:
Against Individual
Harassment via Emails
Cyber Stalking
Dissemination of obscene material
Defamation
Hacking/Cracking
Indecent Exposure
Individual Property
Computer Vandalism
Transmitting a Virus
Network Trespassing
Unauthorized Control over Computer System
Hacking/Cracking
Against Organisation
Hacking & Cracking
Possession of unauthorised Information
Cyber- Terrorism against Government Organisation
Distribution of Pirated Software Etc
Against Society at Large
Pornography
Polluting the youth through indecent exposure
Trafficking
Software License
A software license is a legal instrument (usually by way of contract law, with or without printed material) governing the use or redistribution of software. Under United States copyright law all software is copyright protected, except material in the public domain. A typical software license grants an end-user permission to use one or more copies of software in ways where such a use would otherwise potentially constitute copyright infringement of the software owner's exclusive rights under copyright law. In addition to granting rights and imposing restrictions on the use of software, software licenses typically contain provisions which allocate liability and responsibility between the parties entering into the license agreement. In enterprise and commercial software transactions these terms often include limitations of liability, warranties and warranty disclaimers, and indemnity if the software infringes intellectual property rights of others. Software licenses can generally be fit into the following categories: proprietary licenses and free and open source. The significant feature that distinguishes them are the terms under which the end-user may further distribute or copy the software.
Information Security Standards
The term "standard" is sometimes used within the context of information security policies to distinguish between written policies, standards and procedures. Organizations should maintain all three levels of documentation to help secure their environment. Information security policies are high-level statements or rules about protecting people or systems. (For example, a policy would state that "Company X will maintain secure passwords") A "standard" is a low-level prescription for the various ways the company will enforce the given policy. (For example, "Passwords will be at least 8 characters, and require at least one number.") A "procedure" can describe a step-by-step method to implementing various standards. (For example, "Company X will enable password length controls on all production Windows systems.") This use of the term "standard" differs from use of the term as it relates to information security and privacy frameworks, such as ISO/IEC 27002 or COBIT.
Indian Patent Act
What is Patent?
Patent is a monopoly granted by statute of a country for a limited term over a new and useful invention that involves inventive step. An invention may be either a product or a process. The rights enjoyed by the owner of the patent are proprietary in nature and the patentee or his agent or licensees has the exclusive right to use and have the benefits of the patented invention and prevent unauthorized use, during the period of patent protection. The period during which the owner enjoys the benefits is called the term of the patent. Registration is a prerequisite for patent protection and the protection granted is territorial in nature i.e., a patent granted in a country will give the owner of the patent right only within that country.
Indian Law on Patents
The law governing Patents in India is Patent Act, 1970 as amended in the years 1995 and 1999, along with the patent rules, 1972.
The Patent Act does not define the term 'Patent' [s.2 (m)]; it simply states that ‘Patent’ means a patent granted under this Act and includes for the purposes of sections 44, 49, 50, 51, 52, 54, 55, 56, 57, 58, 63, 65, 66, 68, 69, 70, 78, 134, 140, 153, 154 and 156 and Chapter XVI, XVII & XVIII, and a Patent granted under the Indian Patents and design Act, 1911 (2 of 1911); the Patents (Second Amendment) Bill, 1999 states that “Patent means a patent granted under this Act”.
Patent Act 1970 envisages that any invention that has a commercial application and is not exempted under the Act is eligible for grant of patent. S.2 (j) of the Act defines ‘invention’ as:
any new and useful –
art, process, method or manner of manufacture;
machine apparatus or other Articles;
substance produced by manufacture,
and includes any new and useful improvement of any of them, and an alleged invention;
The Second Amendment Bill, 1999 has introduced a new definition of invention as against 1970, Act, i.e., 2(j) in 1999 Bill:
IMPORTANT QUESTIONS
What is an information system? Discuss how does the use of Internet by organisations support their business processes and activities?
What are the challenges in establishment of secure networks? Discuss.
Explain Public key cryptography.
What are the requirements of payment systems in e-commerce? Explain the working of credit card transactions in e-commerce.
Discuss various types of intrusions possible in a network systems. What are the approaches used for detection of the intrusions?
What is a VPN? Discuss the scenarios where VPN can be deployed.
Write a short note on Cyber Crimes.