2. Contents
History of Information Security
Information Security Definition and Concept
AAA & CIA models
Threats and Risks
Some security guidelines
3. The story of the Internet worm
On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating program called a worm and injected it into the Internet.
He chose to release it from MIT, to disguise the fact that the worm came from Cornell.
Morris soon discovered that the program was replicating and reinfecting machines at a much faster rate than he had anticipated.
Ultimately, many machines at locations around the country either crashed or became “unresponsive”.
4. When Morris realized what was happening, he
contacted a friend at Harvard to discuss a solution.
Eventually, they sent an anonymous message from
Harvard over the network, instructing programmers
how to kill the worm and prevent reinfection.
However, because the network route was blocked,
this message did not get through until it was too
late.
Computers were affected at many sites, including
universities, military sites, and medical research
facilities. The estimated cost of dealing with the
worm at each installation ranged from $200 to more
than $53,000.
5. The program took advantage of a hole in the debug
mode of the Unix sendmail program, which runs on
a system and waits for other systems to connect to it
and give it email.
People at the University of California and MIT had
copies of the program and were actively
disassembling it (returning the program back into its
source form) to try to figure out how it worked.
Teams of programmers worked non-stop to come up
with at least a temporary fix, to prevent the
continued spread of the worm.
The information didn't get out as quickly as it could
have, however, since so many sites had completely
disconnected themselves from the network.
6. After a few days, things slowly began to return to normalcy and everyone wanted to know who had done it all. Morris was later named in The New York Times as the author of the incident.
Robert T. Morris was convicted of violating the Computer Fraud and Abuse Act (Title 18), and sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision. His appeal, filed in December 1990, was rejected the following March.
http://www-swiss.ai.mit.edu/6805/articles/morris-worm.html
7. After the incident, Morris was suspended from
Cornell for acting irresponsibly according to a
university board of inquiry. Later, Morris would obtain
his Ph.D. from Harvard University for his work on
modeling and controlling networks with large
numbers of competing connections.
Robert Morris is currently an assistant professor
at MIT (apparently they forgave him for launching
his worm from their network) and a member of
their Laboratory of Computer Science in the
Parallel and Distributed Operating Systems
group. He teaches a course on Operating
System Engineering and has published
numerous papers on advanced concepts.
8. What is Security
Security: “The quality or state of being secure—to be free from danger”
Security is the protection of information and its critical elements, including systems and hardware that use, store, and transmit that information.
Necessary tools: policy, awareness, training, education, technology.
9. Layers of security
A successful organization should have multiple layers of security in place:
Physical security - To protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
Personal security - To protect the individual or group of individuals who are authorized to access the organization and its operations.
Operations security - To protect the details of a particular operation or series of activities.
10. Communications security - To protect an organization’s communications media, technology, and content.
Network security - To protect networking components and connections.
Information security - To protect the confidentiality, integrity and availability of information assets, whether in storage, processing or transmission.
It is achieved via the application of policy, education, training and awareness, and technology.
16. Access Control
Access control can be defined as a policy,
software component, or hardware component
that is used to grant or deny access to a
resource.
Example of hardware components: A smart
card, a biometric device, or network access
hardware
17. Access Control
Services must be accessible to appropriate
users
Do you have adequate privileges to access
this information?
18. Access control
[Diagram: Mr. Anonymous and Student V reach the FIT E-learning server through ISP A, ISP B, ISP C and ISP D. Caption: Is Mr. T allowed to view course contents?]
20. Auditing
Auditing is the process of tracking and
reviewing events, errors, access, and
authentication attempts on a system.
Protection mechanism: logging system,
history.
21. Auditing
Develop a path and trail system in the logging of the monitored events that allows tracking of usage and access, whether authorized or unauthorized.
It improves security and allows for better audit policies and rules.
22. Example: Enable auditing for logon
events
Go to Administrative Tools | Local Security Policy
Navigate to Local Policies | Audit Policy
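Once logon auditing is enabled, the trail it produces still has to be reviewed, which is the point of slides 20 to 22. The following is an added example (not code from the original deck) that parses a constructed audit trail of logon events and flags an account where repeated failures are followed by a success; the line format, the Windows event IDs 4624/4625 and the sample lines are assumptions constructed for the example.

```python
"""Review of a logon audit trail: added example, not from the original slides.
Format assumed: "<ISO timestamp> <event id> <account> <source>", using the
Windows event IDs 4624 (logon success) and 4625 (logon failure)."""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625

# Constructed sample trail (not real data): bob fails four times in under a
# minute and then succeeds; carol has one isolated failure hours before a success.
SAMPLE_TRAIL = """\
2015-09-10T08:01:10 4624 alice 10.0.0.5
2015-09-10T08:02:30 4625 bob 10.0.0.9
2015-09-10T08:02:41 4625 bob 10.0.0.9
2015-09-10T08:02:52 4625 bob 10.0.0.9
2015-09-10T08:03:05 4625 bob 10.0.0.9
2015-09-10T08:03:20 4624 bob 10.0.0.9
2015-09-10T09:15:00 4625 carol 10.0.0.7
2015-09-10T11:00:00 4624 carol 10.0.0.7
"""

def parse_trail(text):
    """Turn the raw trail into (timestamp, event id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, account, source = line.split()
        events.append((datetime.fromisoformat(stamp), int(event_id), account, source))
    return events

def find_suspicious_logons(events, threshold=3, window=timedelta(minutes=5)):
    """The 'reviewing' half of auditing: flag a success preceded by at least
    `threshold` failures for the same account inside `window`, the guessing
    pattern a logon audit policy is meant to expose."""
    recent_failures = defaultdict(list)
    findings = []
    for stamp, event_id, account, source in sorted(events):
        if event_id == LOGON_FAILURE:
            recent_failures[account].append(stamp)
        elif event_id == LOGON_SUCCESS:
            in_window = [t for t in recent_failures[account] if stamp - t <= window]
            if len(in_window) >= threshold:
                findings.append({"account": account, "source": source,
                                 "failures": len(in_window), "success_at": stamp})
            recent_failures[account].clear()   # a success closes the sequence
    return findings
```

Running `find_suspicious_logons(parse_trail(SAMPLE_TRAIL))` reports only bob: carol's single failure is both below the threshold and outside the window.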
25. Information Attributes
ISO 27002:2005 defines Information Security as the preservation of:
– Confidentiality: ensuring that information is accessible only to those authorized to have access
– Integrity: safeguarding the accuracy and completeness of information and processing methods
– Availability: ensuring that authorized users have access to information and associated assets when required
9/10/2015 25 Mohan Kamat
33. Availability: Can I reach the destination?
[Diagram: Student V reaches the FIT E-learning server through ISP A, ISP B, ISP C and ISP D. Caption: Can I access FIT during midterm?]
34. Availability
Protection mechanisms
Backup and recovery
Firewall
Vulnerability scanning and patching
Intrusion detection and response
Virus scanning
35. What is Risk?
Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.
Threat: Something/Someone that can potentially cause damage to the organisation, IT Systems or network.
Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat.
36. Infosecurity Survey
• Information Security is an “Organizational Problem” rather than an “IT Problem”
• More than 70% of threats are internal
• More than 60% of culprits are first-time fraudsters
• Biggest Risk: People
• Biggest Asset: People
• Social Engineering is a major threat
• More than two-thirds express their inability to determine “Whether my systems are currently compromised?”
37. Risks & Threats: Potential Threats
• High User Knowledge of IT Systems
• Theft, Sabotage, Misuse
• Virus Attacks
• Systems & Network Failure
• Lack of Documentation
• Lapse in Physical Security
• Natural Calamities & Fire
40. User Responsibilities: Access Control - Physical
Do:
• Follow Security Procedures
• Wear Identity Cards and Badges
• Ask unauthorized visitors for their credentials
• Attend visitors in the Reception and Conference Room only
Don't:
• Bring visitors into the operations area without prior permission
• Bring hazardous and combustible material into a secure area
• Practice “Piggybacking”
• Bring and use pen drives, zip drives, iPods or other storage devices unless otherwise authorized to do so
41. User Responsibilities: Password Guidelines
Do:
• Always use a password of at least 8 characters with a combination of alphabets, numbers and special characters (*, %, @, #, $, ^)
• Use passwords that can be easily remembered by you
• Change your password regularly as per policy
• Use a password that is significantly different from earlier passwords
Don't:
• Use passwords which reveal your personal information or words found in a dictionary
• Write down or store passwords
• Share passwords over phone or E-mail
• Use passwords which do not match the above complexity criteria
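The password guidelines above can be checked mechanically before a new password is accepted. The following is an added example (not code from the original deck) implementing the slide's rules: minimum length, the three character classes with the slide's special characters, dictionary words, personal information, and a "significantly different from earlier passwords" test using difflib's similarity ratio; the word list, the personal-information items and the 50% similarity threshold are constructed assumptions.

```python
"""Password-guideline check for the rules on slide 41: added example, not from
the original deck. The dictionary, personal-information items and similarity
threshold are constructed assumptions standing in for real word lists and policy."""
import re
from difflib import SequenceMatcher

MIN_LENGTH = 8
SPECIALS = set("*%@#$^")                                   # special characters the slide lists
DICTIONARY = {"password", "welcome", "summer", "monkey"}   # constructed stand-in word list
MAX_SIMILARITY = 0.5   # assumption: "significantly different" = at most 50% similar

def check_password(candidate, personal_info=(), previous=()):
    """Return the list of guideline violations; an empty list means the
    candidate satisfies every rule on the slide."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not SPECIALS & set(candidate):
        problems.append("no special character from * % @ # $ ^")
    lowered = candidate.lower()
    # Strip digits and symbols so "Summer2015#" is still caught as the word "summer".
    if lowered in DICTIONARY or re.sub(r"[^a-z]", "", lowered) in DICTIONARY:
        problems.append("dictionary word")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")
    for old in previous:
        # ratio() is 1.0 for identical strings; above the threshold the new
        # password is only a small edit of an old one (e.g. a bumped digit).
        if SequenceMatcher(None, lowered, old.lower()).ratio() > MAX_SIMILARITY:
            problems.append("too similar to an earlier password")
            break
    return problems

def is_acceptable(candidate, personal_info=(), previous=()):
    """Convenience wrapper: True when no guideline is violated."""
    return not check_password(candidate, personal_info, previous)
```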
42. User Responsibilities: Internet Usage
The Technology Department is continuously monitoring Internet usage. Any illegal use of the Internet and other assets shall call for disciplinary action.
• Do not use the Internet for viewing, storing or transmitting obscene or pornographic material
• Do not use the Internet for accessing auction sites
• Do not use the Internet for hacking other computer systems
• Do not use the Internet to download / upload commercial software / copyrighted material
• Use Internet services for business purposes only
43. User Responsibilities: E-mail Usage
• Do not use your official ID for any personal subscription purpose
• Do not send unsolicited mails of any type, such as chain letters or E-mail hoaxes
• Do not send mails to clients unless you are authorized to do so
• Do not post non-business related information to a large number of users
• Do not open a mail or attachment which is suspected to carry a virus or was received from an unidentified sender
• Use official mail for business purposes only
• Follow the mail storage guidelines to avoid blocking of E-mails
If you come across any junk / spam mail, do the following:
a) Remove the mail.
b) Inform the security help desk.
c) Inform the server administrator.
d) Inform the sender that such mails are undesired.
44. User Responsibilities: Security Incidents
Report Security Incidents (IT and Non-IT) to the Helpdesk through:
• E-mail to info.sec@organisation.com
• Telephone: xxxx-xxxx-xxxx
• Anonymous reporting through drop boxes
e.g.:
IT Incidents: Mail spamming, virus attack, hacking, etc.
Non-IT Incidents: Unsupervised visitor movement, information leakage, bringing unauthorized media
• Do not discuss security incidents with anyone outside the organisation
• Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents
45. User Responsibilities
• Ensure your desktop has the latest antivirus updates
• Ensure your system is locked when you are away
• Always store laptops / media in a lockable place
• Be alert while working on laptops during travel
• Ensure sensitive business information is under lock and key when unattended
• Ensure back-up of sensitive and critical information assets
• Understand compliance issues such as:
  Cyber Law
  IPR, Copyrights, NDA
  Contractual obligations with customers
• Verify credentials if a message is received from an unknown sender
• Always switch off your computer before leaving for the day
• Keep yourself updated on information security aspects
46. Disable Non-essential services, protocols, processes, programs
Non-essential protocols, systems, and processes rob systems of resources and open avenues for attacks that could damage your systems.
If they are not being actively used, they are an unnecessary security risk.
The solution is simply to disable or inactivate any service, protocol, system, or process that is not needed.