2. WIIFY
1. Why Security?
2. What are the sources of compromise?
3. Four virtues of Security.
4. The 9 rules of Security.
5. What is Information Security, it’s goal and impact.
6. Common Security definitions/terms.
7. 10 Security Domains by ‘International Information Systems Security Certification Consortium’ (ISC)2.
8. 3 Steps to success in Security.
9. Resources on web.
10. What do I do as a user?
11. Q&A.
3. Why Security?
• Case 1
The City of Joburg on the night of 25 Oct announced a breach of its network and shut down its website and all e-services as a precautionary measure. Key city systems were shut down, including online services, bill payments, and more.
• Case 2
The database of the debit card payment system of a Middle East bank was hacked. The organized gang altered the available balances of card holders and duplicated the cards. Cash was withdrawn in small amounts across 17 countries, totalling US $18 million in 2 days.
4. Serious Matters
We are all at risk. This statement is not meant to instill fear, but simply to properly represent the state of IT in our modern world. Security can no longer be a question. It can no longer be ignored, dismissed, or treated like a thorn in our side. At any given moment, an adequate amount of security is all that stands between our precious data and that wave of relentless and talented intruders striking out at our valuable resources.
“Why would anyone hack us?” is no longer a defense, and “Do we really need to secure ourselves?” is no longer a question. We are all targets. We are all vulnerable. We are under attack, and without security, the only questions are where and when we will be struck, and just how badly it will hurt.
5. Don’t be so Sure!
Usual pretexts for not paying attention to Security:
• I have antivirus installed.
• I do not buy anything online.
• We have nothing important stored except our clients’ data.
• It will never happen to me.
• I am online for a very short time, just to check email.
• Why would anyone steal my data, and what would they do with it? We’ll take them to court.
6. IT Security Areas
• Information Security
• Network Security
• Cyber/Internet Security
• Physical Security
• Application Security
• Database Security
• Cloud Security
• Mobile Security
• Telecom Security
• Software Security
• Storage Security
• Web Security
7. What are the sources of compromise?
• Inside Job: 32% from internal employees, 28% from ex-employees and partners, and 50% from employees misusing access privileges.
• Spyware: Most spyware comes in as a direct result of user behavior.
• Desktop/Laptop/Smart Devices: It’s like locking the doors and windows of the house - with the burglar still in the basement.
• Put simply, to keep the burglar out of the basement, organizations need to remove the ability of employees to let the burglars in, in the first place. They need to implement tamper-proof solutions that users cannot easily evade – no matter what the external inducements.
Do you know you are tracked?
Big Data analytics organizations and cyber criminals are watching. Install the Collusion add-on for your browser and see how you are tracked.
8. The four virtues of Security
1. Daily Consideration – Security MUST be a daily consideration in every area.
2. Community Effort – Security MUST be a community effort.
3. Higher Focus – Security practices MUST maintain a generalized focus.
4. Education – Security practices MUST include some measure of training for everyone.
How do we practice these virtues?
1. Make security a continual thought. Encourage others to be continually mindful of security. Formally include security in all new projects and project implementations.
2. Keep informed. Inform others. Keep up to date. Inform end users. Make group-based decisions.
3. Learn and share the concepts. Think in terms of the bigger picture. Follow the practices of higher security. Follow the concept of the written practice.
4. Good software installation practices. Good awareness practices. Good web browsing practices. Good confidentiality practices.
9. The nine rules of Security
1. Rule of Least Privilege.
2. Rule of Change.
3. Rule of Zero Trust.
4. Rule of the Weakest Link.
5. Rule of Separation.
6. Rule of the Three-Fold Process (IMM).
7. Rule of Preventive Action.
8. Rule of Immediate and Proper Response.
9. Rule of Encryption
10. What is Information Security (InfoSec)?
InfoSec is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
It is a program/process, not a project.
It is never 100%.
Risk management is used to maintain and improve the security posture.
The security landscape keeps changing.
Threats.
Countermeasures.
11. GOAL and Impact of Information Security
GOAL - To ensure the Confidentiality, Integrity and Availability (CIA) of critical systems and confidential information.
Impact due to information security failure:
Service liability
Financial liability
Legal issues
Adverse impact on image
Adverse impact on brand
Adverse business impact
12. Common Security Definitions
Vulnerability is a software, hardware, or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and gain unauthorized access to resources within the environment.
Threat is any potential danger to information or systems. The threat is that someone or something will identify a specific vulnerability and use it against the company or individual.
Threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information or destroy a file’s integrity.
Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.
Exposure is an instance of being exposed to losses from a threat agent.
Countermeasure, or safeguard, is a control put into place to mitigate the potential risk.
13. Common Security Terms
• Anti-Virus - A security program that can run on a computer or mobile device and protects you by identifying and stopping the spread of malware on your system.
• Drive-by Download - These attacks exploit vulnerabilities in your browser or its plugins and helper applications when you simply surf to an attacker-controlled website.
• Exploit - Code that is designed to take advantage of a vulnerability. An exploit is designed to give an attacker the ability to execute additional malicious programs on the compromised system.
• Firewall - A security program that filters inbound and outbound network connections.
• Malware - Stands for 'malicious software'. It is any type of code or program cyber attackers use to perform malicious actions.
• Patch - An update to a vulnerable program or system.
• Phishing - A social engineering technique where cyber attackers attempt to fool you into taking an action in response to an email.
15. Security Domains - (ISC)2
1. Access Control.
2. Application Security.
3. Business Continuity and Disaster Recovery Planning.
4. Cryptography.
5. Information Security and Risk Management.
6. Legal, Regulations, Compliance, and Investigations.
7. Operations Security.
8. Physical (Environmental) Security.
9. Security Models and Architecture.
10. Telecommunications and Network Security.
16. Access Control
Access controls are security features that control how users and systems communicate and interact with other systems and resources. They protect the systems and resources from unauthorized access and can be components that participate in determining the level of authorization after an authentication procedure has successfully completed.
Aim of Access Controls:
Identification : Method of establishing the subject (e.g. username, any other public information, systems, etc).
Authentication : Method of proving one’s identity (e.g. use of biometrics, passphrase, token, private information, etc).
Authorization : Determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources.
Access Control Models: DAC, MAC, RBAC.
Access Control Layers: Administrative, Physical, Technical/Logical.
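The identification, authentication and authorization steps above, run in order with an audit trail for accountability, as an added example that is not part of the original slides; the authorization decision uses the RBAC model named above, and the user names, roles, permissions and passphrases are constructed sample data.

```python
# Added example (not from the original slides): identification, authentication,
# authorization and accountability as separate steps, with a role-based (RBAC)
# authorization decision. All user names, roles, permissions and passphrases
# below are constructed sample data.
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000

# RBAC: permissions are attached to roles, never directly to users.
ROLE_PERMISSIONS = {
    "analyst": {"read:reports"},
    "admin": {"read:reports", "write:reports", "manage:users"},
}

USERS = {}       # username -> stored credential record
AUDIT_LOG = []   # accountability: every access decision is recorded


def register_user(username, passphrase, roles):
    """Store a salted PBKDF2 hash of the passphrase, never the passphrase itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = {"salt": salt, "digest": digest, "roles": set(roles)}


def identify(username):
    """Identification: the subject claims who it is (public information)."""
    return USERS.get(username)


def authenticate(record, passphrase):
    """Authentication: prove the claimed identity with the private passphrase."""
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), record["salt"], PBKDF2_ROUNDS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


def authorize(record, permission):
    """Authorization: does any of the proven identity's roles grant the permission?"""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in record["roles"])


def access(username, passphrase, permission):
    """Run the three steps in order and log the outcome for accountability."""
    record = identify(username)
    allowed = authenticate(record, passphrase) and authorize(record, permission)
    AUDIT_LOG.append((username, permission, "allow" if allowed else "deny"))
    return allowed


# Constructed sample users.
register_user("alice", "correct horse battery staple", ["analyst"])
register_user("bob", "hunter2-is-not-a-good-passphrase", ["admin"])

if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "read:reports"))   # True
    print(access("alice", "correct horse battery staple", "write:reports"))  # False
```

An unknown user and a wrong passphrase both end in the same "deny" entry, so the log records the attempt without revealing which step failed.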
17. Access Control – Quick Test
1. The basic functionality of a malicious code is to…
a. Upgrade the operating system
b. Execute itself in the client system
c. Spoof
d. Denial of Service
2. What is AAA of access control system?
a. Access, Accept and Apply.
b. Authorization, Authentication and Accountability.
c. Authentication, Authorization and Accountability.
d. Application, Acceptance and Approval.
18. Application Security
Applications are usually developed with functionality in mind and not security. Security and functionality need to be incorporated together during design and development. Both application and environment controls need to be used to ensure application security. ‘Security by Design’ should be the mantra for robust and secure applications.
Application Controls
Data modeling.
Object oriented programming.
Reusable and distributed code.
Client/Server model.
Data types, format and length.
Environment Controls
Database modeling / database management.
Relational databases and database interfaces.
DMZ – Demilitarized zones.
Access restriction.
Change management.
Software (code) escrow.
20. Application Security – Quick Test
1. An attack is a…
a. Vulnerability
b. Threat
c. Technique
d. Compromise
2. Encapsulation is a …
a. Wrapper
b. Threat
c. Software application
d. Class
21. Business Continuity and Disaster Recovery Plan
The goal of disaster recovery is to minimize the effects of a disaster and take the necessary steps to ensure that the critical resources, personnel, and business processes are able to resume operation in a timely manner. The goal of business continuity planning is to provide methods and procedures for dealing with longer-term outages and disasters to ensure business is back to normal.
Business Impact Analysis (BIA) is the crucial first step for business continuity and disaster recovery planning. This encompasses a detailed risk assessment and risk analysis. Qualitative and quantitative information needs to be gathered and then properly analyzed and interpreted.
Phases of plan development:
Identify business critical resources
Estimate potential disasters
Selecting planning strategies
Implementing strategies
Testing and revising the plan
Phases of plan implementation:
Checklist review
Structured walk-through
Simulation test
Parallel test
Full interruption test
22. Business Continuity and Disaster Recovery Plan – Quick Test
1. The primary focus of the Business Continuity Plan is…
a. Integrity
b. Authenticity
c. Availability
d. Business growth
2. The Recovery Point Objective (RPO) estimates…
a. The timeframe within which to resume operations
b. The data recovery point
c. The resources required for business continuity
d. The time required to develop a BCP
23. Cryptography
Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. It is considered a science of protecting information by encoding it into an unreadable format.
Goals of Cryptosystems:
Confidentiality : Unauthorized parties cannot access the information.
Authenticity : Validating the source of the message to ensure that the sender is properly identified.
Integrity : Provides assurance that the data was not modified during transmission.
Nonrepudiation : Prevents the denial of actions by sender and receiver.
Cryptographic Standards: Encryption, Hashing, Digital Signatures, PKI.
Common Cryptography Systems: TLS, SET, IPSec, PGP, S/MIME, SSH, S-HTTP, Kerberos, Steganography, Digital Watermarking, SecurID, WAP, WPA, WEP.
The goal of designing an encryption technology is to make compromising it too expensive or too time consuming.
24. Cryptography – Quick Test
1. IEEE 802.11 is a set of standards for …
a. Wired Local Area Network
b. Hyper Text Transport Protocol
c. Secure Transport Layer
d. Wireless Local Area Network
2. Steganography is a…
a. Public Key Infrastructure
b. Private Key
c. Concealing Message
d. Watermarking
25. Information Security and Risk Management
Information Security and Risk Management are analogous to each other. Information security is to preserve CIA of organizational assets. Risk Management is to identify the threats and vulnerabilities that could impact the information security and devise suitable controls to mitigate these risks.
Availability : To ensure that information and vital services are accessible for use when required.
Integrity : To ensure the accuracy and completeness of information to protect university business processes.
Confidentiality : To ensure protection against unauthorized access to or use of confidential information, in storage and in transmission.
27. Information Security and Risk Management – Quick Test
1. In order to have effective security within the organization, it is important that the people or personnel are aware of…
a. Security requirements
b. Security policies and procedures
c. Roles and responsibilities
d. All of the above
2. Which one of the following is a common type of classification in Government as well as private/public sector organizations?
a. Top secret
b. Confidential
c. Unclassified
d. Public
28. Legal, Regulations, Compliance, and Investigation
IT needs to be aware of the various legal and regulatory requirements pertaining to the ethical usage of computers, of compliance frameworks across the world, and of investigative mechanisms to identify, protect, and preserve any evidence from computer crimes. The laws and regulations depend on the state or country of operation. Laws are usually based on ethics and are put in place to ensure that others act in an ethical way.
MOM of a Crime:
Motive is the “who” and “why” of a crime.
Opportunity is the “where” and “when” of a crime.
Means is the capabilities a criminal would need to be successful.
Some common types of computer crimes:
Salami – Many small crimes committed in the hope that the larger crime will go unnoticed.
Data diddling – Alteration of existing data.
Password sniffing – Sniffing network traffic for passwords.
IP Spoofing – Disguising the attacker’s IP address.
Emanations capturing – Capturing electrical emanations and extracting meaning from them.
Social engineering – Faking somebody’s identity.
29. Legal, Regulations, Compliance, and Investigation…
Assets that Organizations are trying to protect:
Intellectual Property
Trade Secrets
Copyrights
Trademark
Patents
Software piracy
Privacy
Some Acts you will come across:
Health Insurance Portability and Accountability Act
Sarbanes-Oxley Act (SOX) 2001
Gramm-Leach-Bliley Act (GLBA) 1999
Data Protection Act (DPA)
Computer Fraud and Abuse Act
Federal Privacy Act 1972
30. Legal, Regulations, Compliance, and Investigation – Quick Test
1. Cyber Crime is using…
a. Communication networks to perpetrate crime
b. Phishing techniques
c. Spam emails
d. Unauthorized access
2. The primary objective of a Denial-of-Service attack is to…
a. Authenticity
b. Availability
c. Authorization
d. Access Control
31. Operations Security
Operational security has to do with keeping up with implemented solutions, keeping track
of changes, properly maintaining systems, continually enforcing necessary standards and
following through with security practices and tasks. This includes the continual
maintenance of an environment and the activities that should take place on a day-to-day
basis.
Administrative Management
Separation of duties.
Rotation of duties / Job rotation.
Least privilege access / shared access.
Mandatory vacations.
Accountability
Access revalidation.
Health checks.
Capturing and monitoring audit logs.
Auditing.
32. Operations Security…
Security Operations and Product Evaluation
Operational assurance.
Life cycle assurance.
Change Management Control
Request for change.
Change approval.
Change documentation.
Change testing and presentation.
Change implementation.
Change reporting.
Media Controls : Media management “cradle to grave”.
System Controls : Selected tasks can be performed only with “elevated access”.
Trusted Recovery : System reboots and restarts.
Input and Output Controls : Garbage In, Garbage Out.
33. Operations Security – Quick Test
1. A systematic and procedural way of managing incidents is known as…
a. Configuration management
b. Incident management
c. Change management
d. System management
2. If an event could possibly violate information security, then such an event is known as…
a. Problem
b. Confidentiality breach
c. Incident
d. Integrity breach
34. Physical (Environmental) Security
Physical and environmental security encompasses a different set of threats, vulnerabilities and risks than the other types of security. Physical security mechanisms include site design and layout, environmental components, emergency response readiness, training, access control, intrusion detection, and power and fire protection. Physical security mechanisms protect people, data, equipment, systems, facilities and a long list of company assets.
Types of threats:
Natural environment : Floods, earthquakes, storms, etc.
Supply system : Power distribution outages, interruptions, etc.
Man-made : Unauthorized access, employee errors and accidents, damage, etc.
Politically motivated : Strikes, riots, civil disobedience, etc.
Solutions are planned and designed for:
Prevention
Detection
Suppression / Response
36. Physical (Environmental) Security – Quick Test
1. Which of the following needs to be considered while designing controls for physical security…
a. Physical facility
b. Geographic location
c. Supporting facilities
d. All of the above
2. Evacuation procedures should primarily address…
a. Network
b. Furniture
c. People
d. Computers
37. Security Architecture and Design
Two fundamental concepts in computer and information security are the Policy and the Security Model. While the Policy outlines how data is accessed, the level of security required and the actions to be taken when the requirements are not met, the Security Model is a statement that outlines the requirements necessary to properly support and implement the policy. The Architecture defines how they are implemented.
Some basic security models:
Bell-LaPadula: [Protects Confidentiality] A subject cannot read data at a higher security level (no read up), a subject cannot write data to a lower security level (no write down), and a subject that has read & write capability can perform both at the same security level.
Biba: [Protects Integrity] A subject cannot read data at a lower integrity level (no read down), and a subject cannot modify an object at a higher integrity level (no write up).
Clark-Wilson: Subjects can only access objects through authorized programs, separation of duties is enforced and auditing is required.
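The Bell-LaPadula and Biba rules above, enforced over one ordered set of levels, plus the Clark-Wilson rule of access only through authorized programs, as an added example that is not part of the original slides; the level names, subjects, objects and authorized triples are constructed.

```python
# Added example (not from the original slides): minimal enforcement of the
# Bell-LaPadula and Biba rules, plus Clark-Wilson access-through-authorized-
# program triples. Level names, subjects, objects and triples are constructed.
from dataclasses import dataclass

# One ordered lattice is used for both sensitivity (BLP) and integrity (Biba)
# to keep the example short; a real system may use separate lattices.
LEVELS = ["public", "internal", "confidential", "secret"]

def rank(level):
    return LEVELS.index(level)

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str   # confidentiality clearance (Bell-LaPadula)
    integrity: str   # integrity level (Biba)

@dataclass(frozen=True)
class Obj:
    name: str
    classification: str   # sensitivity label (Bell-LaPadula)
    integrity: str        # integrity label (Biba)

def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = rank(subject.clearance), rank(obj.classification)
    if op == "read":
        return s >= o    # simple security property: read at or below clearance
    if op == "write":
        return s <= o    # *-property: write at or above clearance
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(subject, obj, op):
    """Biba (integrity): no read down, no write up."""
    s, o = rank(subject.integrity), rank(obj.integrity)
    if op == "read":
        return s <= o    # read only from equal or higher integrity
    if op == "write":
        return s >= o    # write only to equal or lower integrity
    raise ValueError(f"unknown operation {op!r}")

# Clark-Wilson: access happens only via an authorized program (transformation
# procedure), recorded as (subject, program, object) triples.
AUTHORIZED_TRIPLES = {("alice", "payroll_app", "salaries")}

def clark_wilson_allows(subject_name, program, obj_name):
    return (subject_name, program, obj_name) in AUTHORIZED_TRIPLES

def decide(subject, obj, op):
    """Enforce both lattice models at once: the access must satisfy each."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)

if __name__ == "__main__":
    alice = Subject("alice", clearance="secret", integrity="internal")
    report = Obj("report", classification="confidential", integrity="confidential")
    print(decide(alice, report, "read"))   # True
    print(decide(alice, report, "write"))  # False
```

Note how the two models pull in opposite directions: a high-clearance subject may read a low-sensitivity object under Bell-LaPadula, yet Biba refuses the same read when that object carries lower integrity.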
38. Security Architecture and Design – Quick Test
1. A trusted computer system should have…
a. A well-defined security policy
b. Accountability
c. Assurance mechanisms
d. All the above three
2. A security label is NOT…
a. A classification mechanism
b. A labeling of low, medium, high based on security
c. A computer model
d. Used for defining protection mechanisms
39. Telecommunications and Network Security
This domain deals with the security of voice and data communications through local area, wide area, and remote access networking. It covers the electrical transmission of data among systems, whether analog, digital or wireless, together with the various devices, software and protocols involved.
40. Telecommunication and Network Security – Quick Test
1. A protocol is a …
a. Data encryption standard
b. Layered architecture
c. Communication standard
d. Data link
2. The Internet Protocol (IP) operates in the …
a. Physical layer
b. Network layer
c. Application layer
d. Communication layer
41. The three steps to Success
1. Think about Security.
2. Do something (while still thinking about Security).
3. Continue to think about Security.
Security cannot be an afterthought.
Do your best. Adopt good practices, else trust in God!
42. 10 Essentials of Security
1. THINK before you click.
2. Protect passwords.
3. Know if your job requires higher security standards.
4. Register all computers and devices used for business.
5. Connect to networks safely.
6. Manage and store client and company data securely.
7. Backup and encrypt data wherever it’s stored.
8. Keep your security settings and software up to date.
9. Manage your online privacy settings and THINK before sharing information.
10. Report security incidents immediately.
43. What to do for Security?
(No more, no less)
• Make security a headline every day.
• ManageMenT: Tactfully, Totally, Thoughtfully, Talkatively, Taskfully, Thankfully, with respect to Trust, Time and Technology.
• Communicate, follow up, document, and update.
• Lead by example.
• Expect the unexpected.
• Respond promptly but thoughtfully. Avoid reacting.
• Delegate, but empower and support.
44. Resources:
• National Institute of Standards and Technology (NIST) – www.nist.gov
• http://www.sourcesecurity.com/
• National Vulnerability Database http://web.nvd.nist.gov/view/vuln/search
• Department of Electronics and Information Technology
http://deity.gov.in/
• Latest IT News and Articles http://www.informationweek.in/home.aspx
• IT Security Experts https://www.isc2.org/
• Information Systems Audit and Control Association
http://www.isaca.org/about-isaca/Pages/default.aspx
• https://www.us-cert.gov/about-us
• https://www.nist.gov/
• https://www.cisecurity.org/
45. Homework
ISF Threat Horizon Report 2019-2021: recommended reading at your leisure.
ISF_Threat Horizon 2021_Report.pdf
46. Summary
Why security is important and what are the sources of
compromise.
Four virtues and eight rules of security.
What is information security, CIA and BIA.
Common security definitions and terms.
10 Security domains by (ISC)2.
3 Steps for success in security.
What to do for security.