
ISM UNIT 1 Notes


UNIT 1

Information Security Management

General Overview of Information Security

Information Security:
Information systems should be secured from unauthorized access, use, disclosure, disruption,
modification, perusal, inspection, recording or destruction. The core function of this occupation
is to ensure the confidentiality, integrity and availability of data to the right users within/outside
of the organization.

In this context, confidentiality is a set of rules that limits access to information, integrity is the
assurance that the information is trustworthy and accurate, and availability is a guarantee of
reliable access to the information by authorized people.

Application Security: Application Security roles are responsible for ensuring stable and secure
functioning of the applications. Application Security professionals perform the following
functions in an organization:
• Knowing threats
• Securing the network, host and application
• Incorporating security into the software development process

Important terms, Roles and Responsibilities of Information Security:


1. Risk, Audit and Compliance
Risk Management roles are responsible for assessing, measuring, and managing the security risks
to the information security of an organization. These roles conduct assessments for security threats and
vulnerabilities, determine deviations from acceptable pre-defined configurations and enterprise or
local policy, assess the level of risk, and develop and/or recommend appropriate mitigation
countermeasures in operational and non-operational situations. Key responsibilities also include
measuring the maturity of an organization to ensure that proper security controls are incorporated
when developing and running information-security systems. These roles also perform
scheduled/unscheduled audits on the organization's security systems and processes and ensure
compliance.

2. Security Testing
Security Testing involves devising testing standards and cases of confidentiality, integrity,
authentication, availability, authorization and non-repudiation of information. Security Testing
professionals perform scheduled and ad-hoc tests to assess vulnerability and/or safety of an
organization’s information systems.

3. Incident Management
Incident Management roles work towards restoring normal service operations in an organization
to minimize the adverse effect on business operations, thus ensuring that the best possible level
of service quality and availability is maintained. Incident management professionals manage and
protect computer assets, networks and information systems to answer the key question “what to
do, when things go wrong”.

4. Business Continuity Management/Disaster Recovery (BCP/DR):

BCP/DR roles are responsible for improving system availability and integration of IT operational
risk management strategies for an organization.
• Development, implementation, testing and maintenance of the business continuity plan
• Recommendation and proof of concept for recovery options
• Assessments and audits for BCP/DR

5. Network Security
Network Security roles are responsible for defining and implementing overall network security
that includes baseline configuration, change control, security standards and process
implementation.

6. Privacy
Privacy roles are responsible for defining and managing data/information/IP policies etc. for an
organization. These roles require knowledge of information security norms and data privacy
norms and regulations.

Note on Information Security occupation:

Information Security related job roles may be performed in any of the following setups:
• Consulting
• Managed services
• Internal function within the organization

In each of these set-ups the essential functions and the highlighted tracks remain the same;
however, the delivery style and hence the skills vary slightly depending upon the set-up. Privacy
professionals help define and implement privacy standards and build privacy awareness to protect an
organization's information assets.

7. IT Forensics
IT Forensics roles collect, process, preserve, analyze and present computer-related evidence in
support of network vulnerability mitigation, and/or criminal, fraud, counter-intelligence or law
enforcement investigations.

Information Security analyst – overview:

With the pervasive growth and use of digital information, much of which is confidential, there
has also been growth in incidents of information theft, including cyber-attacks by hackers. This
has happened both in governments and in private companies, and it has created the need for
the position of information security analyst.

Those who work as information security analysts are responsible for keeping information safe
from data breaches using a variety of tools and techniques. Information security analysts protect
information stored on computer networks, in applications etc. They do this with special software
that allows them to keep track of who can access and who has accessed data. They
may also perform investigations to determine whether or not data has been compromised, the extent
of it and the related vulnerabilities.
• An entry level position may operate the software to monitor and analyze information.
• At senior level positions, one may carry out investigative work to determine whether a security
breach has occurred.
• At higher levels people design systems and architecture to address these vulnerabilities.

The field of information security has seen significant growth in recent times, and the number of
job opportunities in this area is likely to increase in the near future. Recent incidents of
information theft from large companies like Target, Sony and Citibank have shown the risks and
challenges of this field, and they drive the growing need for information security and for
professionals in this field. We are now witnessing a rising background level of data leakage
from governments, businesses and other organizations, families and individuals. A large part of
an information security analyst's work involves monitoring data use and access on a computer
network.

Security analysts focus on three main areas:


1. Risk assessment (identifying risks or issues an organization may face)
2. Vulnerability assessment (determining an organization’s weaknesses to threats)
3. Defense planning (designing the protection architecture and installing security systems such
as firewalls and data encryption programs)

Information security analysts can find themselves working with IT companies, financial and
utility companies and consulting firms. They may also find positions with government
organizations. Any company or organization with data to protect may hire information security
analysts, so they could find themselves working at a wide variety of different institutions. A
number of companies operate "Security Operation Centers (SOCs)" for carrying out data security
services, either for captive use or for clients.

Why information security?

With the pervasive growth and use of digital information, much of which is confidential, there
has also been a growth in incidents of information theft, including cyber-attacks by hackers. This
has happened both in governments and in private companies. This has created the need for
keeping information safe from data breaches using a variety of tools and techniques.

Role of a security analyst in information technology

Major Skills of Security Analyst

• Understanding security policy
• Data & Traffic Analysis
• Identifying Security Events –> how & when to alarm
• Incident Response

Foundation and Background


• Network infrastructure knowledge
• Diverse device configuration ability
• Security configuration knowledge
• Data management & teamwork

Challenges for Security Analyst

• Not tied to a product or solution
• Complex knowledge: no single process or product solution is the correct one
• A diverse set of skills is needed

Threat and Attack vectors:

Threat
A potential for violation of security exists when there is a circumstance, capability, action, or
event that could breach security and cause harm. That is, a threat is a possible danger that might
exploit a vulnerability.

Attack
An assault on system security that derives from an intelligent threat; that is, an intelligent act that
is a deliberate attempt (especially in the sense of a method or technique) to evade security
services and violate the security policy of a system.

Threats to information assets


Risk is the potential for a threat to cause harm, and the process of understanding and responding to factors that may lead
to a failure in the confidentiality, integrity or availability of an information system constitutes risk
management. The key concerns in information assets security are:
Confidentiality: Prevention of unauthorized disclosure or use of information assets.
Integrity: Prevention of unauthorized modification of information assets.
Availability: Ensuring authorized access to information assets when required, for the duration
required.
The above concerns materialize in the event of a breach caused by exploitation of a
vulnerability, for example:
• Theft
• Fraud and forgery
• Unauthorized information access
• Interception or modification of data and data management systems

Information Security: It can be defined as "measures adopted to prevent the unauthorized use,
misuse, modification or denial of use of knowledge, facts, data or capabilities". Three aspects of
IS are:
• Security Attack: Any action that compromises the security of information.
• Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a
security attack.
• Security Service: A processing or communication service that enhances the security of
data processing systems and information transfers. The services are intended to counter
security attacks by making use of one or more security mechanisms to provide the service.

SECURITY ATTACK
• Any action that compromises the security of information owned by an organization.
• Information security is about how to prevent attacks, or failing that, to detect attacks on
information-based systems.
• "Threat" and "attack" are often used to mean the same thing.
• There is a wide range of attacks.
• We can focus on two generic types of attacks:
  • Passive attack
  • Active attack
a.) PASSIVE ATTACK
A passive attack attempts to learn or make use of information from the system, but does not
affect system resources.

Two types:
1. Release of message content
It may be desirable to prevent the opponent from learning the contents (i.e. sensitive or
confidential information) of the transmission.
2. Traffic analysis
A more subtle technique, where the opponent could determine the location and identity of
communicating hosts and could observe the frequency and length of encrypted messages being
exchanged, thereby guessing the nature of the communication taking place. Passive attacks are very
difficult to detect because they do not involve any alteration of the data. As the communications
take place in a very normal fashion, neither the sender nor the receiver is aware that a third party has
read the messages or observed the traffic pattern. So, the emphasis in dealing with passive
attacks is on prevention rather than detection.

b.) ACTIVE ATTACK
Active attacks involve some modification of the data stream or the creation of a false stream. An
active attack attempts to alter system resources or affect their operation.
Four types:
Masquerade: Here, an entity pretends to be some other entity. It usually includes one of the
other forms of active attack.

Replay: It involves the passive capture of a data unit and its subsequent retransmission to
produce an unauthorized effect.

Modification of messages: It means that some portion of a legitimate message is altered, or
that messages are delayed, to produce an unauthorized effect.
Ex: "John's acc no is 2346" is modified as "John's acc no is 7892"

Denial of service: This attack prevents or inhibits the normal use or management of
communication facilities.
Ex: a: Disruption of an entire network by disabling it
b: Suppression of all messages to a particular destination by a third party.

Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are
difficult to detect, measures are available to prevent their success. On the other hand, it is quite
difficult to prevent active attacks absolutely, because of the wide variety of potential physical,
software and network vulnerabilities. Instead, the goal is to detect active attacks and to recover
from any disruption or delays caused by them.

INTERRUPTION
An asset of the system is destroyed or becomes unavailable or unusable. It is an attack on
availability.

Examples:
• Destruction of some hardware
• Jamming wireless signals
• Disabling file management systems

INTERCEPTION
An unauthorized party gains access to an asset. It is an attack on confidentiality.
Examples:
• Wire tapping to capture data in a network
• Illicitly copying data or programs
• Eavesdropping

MODIFICATION
An unauthorized party gains access to and tampers with an asset. It is an attack on integrity.

Examples:
• Changing a data file
• Altering a program or the contents of a message

FABRICATION
An unauthorized party inserts a counterfeit object into the system. It is an attack on authenticity. Also
called impersonation.

Examples:
• Hackers gaining access to a personal email account and sending messages
• Insertion of records in data files
• Insertion of spurious messages in a network

SECURITY SERVICES
A security service is a processing or communication service that is provided by a system to give a specific kind of
protection to system resources. Security services implement security policies and are
implemented by security mechanisms.

1. Confidentiality
Confidentiality is the protection of transmitted data from passive attacks. It is used to prevent the
disclosure of information to unauthorized individuals or systems. It has been defined as
“ensuring that information is accessible only to those authorized to have access”.
The other aspect of confidentiality is the protection of traffic flow from analysis.
Ex: A credit card number has to be secured during online transaction.

2. Authentication
This service assures that a communication is authentic. For a single message transmission, its
function is to assure the recipient that the message is from the intended source. For an ongoing
interaction two aspects are involved. First, during connection initiation the service assures the
authenticity of both parties. Second, it assures that the connection between the two hosts is not interfered with
in a way that allows a third party to masquerade as one of the two parties. Two specific authentication
services defined in X.800 are:
1. Peer entity authentication: Verifies the identities of the peer entities involved in
communication. Provided for use at the time of connection establishment and during data
transmission. Provides confidence against a masquerade or a replay attack.
2. Data origin authentication: Assures the authenticity of the source of a data unit, but does not
provide protection against duplication or modification of data units. Supports applications
like electronic mail, where no prior interaction takes place between the communicating entities.

3. Integrity
Integrity means that data cannot be modified without authorization. Like confidentiality, it can
be applied to a stream of messages, a single message or selected fields within a message. Two
types of integrity services are available. They are:
1. Connection-Oriented Integrity Service: This service deals with a stream of messages and
assures that messages are received as sent, with no duplication, insertion, modification,
reordering or replays. Destruction of data is also covered here. Hence, it addresses both
message stream modification and denial of service.
2. Connectionless Integrity Service: It deals with individual messages regardless of any
larger context, providing protection against message modification only.
An integrity service can be applied with or without recovery. Because it is related to active
attacks, the major concern is detection rather than prevention. If a violation is detected and the
service reports it, either human intervention or automated recovery mechanisms are required to
recover.
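The connection-oriented integrity service just described, and the modification and replay attacks from the active-attack section, as an added example that is not part of the original notes: a receiver (written for these notes, not taken from X.800 or any library) that checks an HMAC-SHA256 tag and a sequence number on every message, so that modification, replay and out-of-order delivery are detected rather than prevented. The key and the messages are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed shared key for this example only; a real system would provision
# it out of band or derive it from a key exchange.
KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = 32  # HMAC-SHA256 digest length


def protect(seq, payload, key=KEY):
    """Sender side. Frame layout: 4-byte big-endian sequence number || payload
    || HMAC-SHA256 tag. The tag covers the sequence number too, so a captured
    frame cannot be renumbered without invalidating the tag."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class IntegrityReceiver:
    """Receiver side of a connection-oriented integrity service: a frame is
    accepted only if its tag verifies and its sequence number is exactly the
    next one expected. Verdicts are returned as strings so a caller can log or
    alert on them, which is the detection the notes say active attacks call for."""

    def __init__(self, key=KEY):
        self.key = key
        self.expected_seq = 0

    def accept(self, frame):
        """Return (verdict, payload); payload is None unless the frame is accepted."""
        if len(frame) < 4 + TAG_LEN:
            return "rejected: truncated", None
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected_tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # compare_digest runs in constant time; a plain == would leak timing.
        if not hmac.compare_digest(tag, expected_tag):
            return "rejected: modified", None
        (seq,) = struct.unpack(">I", header)
        if seq < self.expected_seq:
            return "rejected: replay", None
        if seq > self.expected_seq:
            # A strict stream receiver refuses to skip ahead; the gap means a
            # frame was reordered, dropped or suppressed.
            return "rejected: reordered or missing", None
        self.expected_seq += 1
        return "accepted", payload


def demo():
    """Walk through the cases the notes describe and return the list of verdicts:
    legitimate delivery, in-flight modification, replay, and out-of-order delivery."""
    messages = [
        b"John's acc no is 2346",   # the notes' own example message
        b"pay 100 to acc 2346",
        b"pay 200 to acc 2346",
        b"pay 300 to acc 2346",
    ]
    frames = [protect(i, m) for i, m in enumerate(messages)]
    # Modification in flight: only the payload bytes are changed, tag left as-is.
    tampered = frames[1][:4] + messages[1].replace(b"2346", b"7892") + frames[1][-TAG_LEN:]

    rx = IntegrityReceiver()
    verdicts = []
    verdicts.append(rx.accept(frames[0])[0])   # legitimate frame 0
    verdicts.append(rx.accept(tampered)[0])    # modified copy of frame 1
    verdicts.append(rx.accept(frames[1])[0])   # genuine frame 1
    verdicts.append(rx.accept(frames[0])[0])   # replay of frame 0
    verdicts.append(rx.accept(frames[3])[0])   # frame 3 arrives before frame 2
    verdicts.append(rx.accept(frames[2])[0])   # stream back in order
    verdicts.append(rx.accept(frames[3])[0])
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```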

4. Non-repudiation
Non-repudiation prevents either the sender or the receiver from denying a transmitted message. This
capability is crucial to e-commerce. Without it, an individual or entity could deny that he, she or it
is responsible for a transaction and therefore is not financially liable.

5. Access Control
This refers to the ability to control the level of access that individuals or entities have to a
network or system and how much information they can receive. It is the ability to limit and
control access to host systems and applications via communication links. For this, each entity
trying to gain access must first be identified or authenticated, so that access rights can be tailored
to the individual.

6. Availability
It is defined as the property of a system or a system resource being accessible and usable upon
demand by an authorized system entity. Availability can be significantly affected by a variety
of attacks, some amenable to automated countermeasures such as authentication and encryption, while
others need some sort of physical action to prevent or recover from loss of availability of
elements of a distributed system.

SECURITY MECHANISMS:
According to X.800, the security mechanisms are divided into those implemented in a specific
protocol layer and those that are not specific to any particular protocol layer or security service.
X.800 also differentiates reversible and irreversible encipherment mechanisms. A reversible
encipherment mechanism is simply an encryption algorithm that allows data to be encrypted and
subsequently decrypted, whereas irreversible encipherment mechanisms include hash algorithms and message
authentication codes used in digital signature and message authentication applications.

SPECIFIC SECURITY MECHANISMS:

These are incorporated into the appropriate protocol layer in order to provide some of the OSI security
services:
a. Encipherment: The process of applying mathematical algorithms to convert
data into a form that is not intelligible. This depends on the algorithm used and the encryption keys.
b. Digital Signature: Data appended to, or a cryptographic transformation applied to, a data
unit that allows a recipient to prove the source and integrity of the data unit and protects against forgery.
c. Access Control: A variety of techniques used for enforcing access permissions to system
resources.
d. Data Integrity: A variety of mechanisms used to assure the integrity of a data unit or stream
of data units.
e. Authentication Exchange: A mechanism intended to ensure the identity of an entity by
means of information exchange.
f. Traffic Padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis
attempts.
g. Routing Control: Enables selection of particular physically secure routes for certain data
and allows routing changes once a breach of security is suspected.
h. Notarization: The use of a trusted third party to assure certain properties of a data exchange.
Types of attacks

Vulnerabilities
Vulnerability is a weakness in an information system, system security procedures, internal
controls, or implementation that could be exploited or triggered by a threat source.
A threat agent or actor refers to the intent and method targeted at the intentional exploitation of
a vulnerability, or a situation and method that may accidentally trigger the vulnerability.
A threat vector is a path or a tool that a threat actor uses to attack the target.
Threat targets are anything of value to the threat actor, such as a PC, laptop, PDA, tablet, mobile
phone, online bank account or identity.

Threat classification
Microsoft has proposed a threat classification called STRIDE, from the initials of the threat
categories:
a.) Spoofing: (affects authenticity)
A fraudulent or malicious practice in which communication is sent from an unknown
source disguised as a source known to the receiver.
b.) Tampering: (affects integrity)
The process of modifying data through unauthorized channels.
c.) Repudiation: (affects non-repudiability)
The ability of users to deny having performed specific actions or transactions. It involves
carrying out a transaction in such a way that there is no proof.
d.) Information disclosure (privacy breach or data leak): (affects confidentiality)
A security incident in which sensitive, protected or confidential data is copied,
transmitted, viewed, stolen or used by an unauthorized person.
e.) Denial of service (DoS): (affects availability)
A security event that occurs when an attacker prevents legitimate users from accessing
specific computer systems, devices, services or other IT resources.
f.) Elevation of privilege (EoP): (affects authorization)
Giving an attacker authorization permissions beyond those initially granted.
Ex: changing "read-only" permission to "read and write" permission

Threat agents (individuals and groups) can be classified as follows:

Non-target specific: non-target specific threat agents are computer viruses, worms, Trojans
and logic bombs.
Employees: staff, contractors, operational/maintenance personnel or security guards who are
annoyed with the company.
Organized crime and criminals: criminals target information that is of value to them, such as
bank accounts, credit cards or intellectual property that can be converted into money. Criminals
will often make use of insiders to help them.
Corporations: corporations engaged in offensive information warfare or competitive
intelligence. Partners and competitors come under this category.
Unintentional human error: accidents, carelessness etc.
Intentional human error: insider, outsider etc.
Natural: flood, fire, lightning, meteor, earthquakes etc.
Types of attacks

• Virus
A virus is a malicious program able to inject its code into other programs/applications or data
files, and the targeted areas become "infected". A virus is installed without the user's
consent and spreads in the form of executable code transferred from one host to another.
Types of viruses include resident virus, non-resident virus, boot sector virus, macro virus,
file-infecting virus (file-infector), polymorphic virus, metamorphic virus, stealth virus,
companion virus and cavity virus.

• Worm
A worm is a category of malicious program that exploits operating system vulnerabilities to spread
itself. In its design a worm is quite similar to a virus, and is even considered a sub-class of it. Unlike
viruses though, worms can reproduce/duplicate and spread by themselves. During this
process a worm does not need to attach itself to any existing program or executable. The different
types of worms, based on their method of spread, are email worms, internet worms, network
worms and multi-vector worms.

• Trojan
Computer Trojans or Trojan horses are named after the mythological Trojan horse owing to their
similarity in operating strategy. Trojans are a type of malware that masquerades as
a non-malicious, even useful application but actually does damage to the host computer after
its installation. Unlike viruses, Trojans do not self-replicate and rely on the end user intervening to install them.

Types of Virus
1. Depending on the virus "residence", we can classify viruses in the following way:
a. Resident virus - a virus that embeds itself in the memory of a target host. In this way it
becomes activated every time the OS starts or executes a specific action.
b. Non-resident virus - when executed, this type of virus actively seeks targets for infection,
either on local, removable or network locations. After infecting them it exits, so it does
not reside in memory any more.
c. Boot sector virus - a type of virus that infects the boot sector of floppy disks or the
Master Boot Record (MBR) of hard disks (some infect the boot sector of the hard disk
instead of the MBR).
d. Macro virus - a virus written in a macro language and embedded in Word, Excel, Outlook etc.
documents. This type of virus is executed as soon as the document that contains it is
opened. This corresponds to the macro execution within those documents, which under
normal circumstances is automatic.

2. Another classification of viruses results from their characteristics:

a. File-infecting virus (file-infector) - this is the classic form of virus. When the infected file is
executed, the virus seeks out other files on the host and infects them with malicious
code. The malicious code is inserted either at the beginning of the host file code (prepending
virus), in the middle (mid-infector) or at the end (appending virus). A specific type of
virus called a "cavity virus" can even inject the code into the gaps in the file structure itself.
The start point of the file execution is changed to the start of the virus code to ensure that it
is run when the file is executed. Afterwards control may or may not be passed on to the
original program. Depending on the infection routine, the host file may become
corrupted and completely non-functional. More sophisticated viral forms allow
the host program to execute while trying to hide their presence completely (see
polymorphic and metamorphic viruses).

b. Polymorphic virus
A polymorphic virus is a complicated computer virus that affects data types and functions.
It is a self-encrypted virus designed to avoid detection by a scanner. Upon infection,
the polymorphic virus duplicates itself by creating usable, albeit slightly modified, copies
of itself.

c. Metamorphic virus - this virus is capable of changing its own code with each infection.
The rewriting process may cause the infection to appear different each time, but the
functionality of the code remains the same. The metamorphic nature of this virus type
makes it possible to infect executables from two or more different operating systems or even
different computer architectures as well. Metamorphic viruses are among the most
complex in build and very difficult to detect.

d. Stealth virus - a memory-resident virus that utilizes various mechanisms to avoid
detection. This avoidance can be achieved, for example, by removing itself from the infected
files and placing a copy of itself in a different location. The virus can also maintain a clean
copy of the infected files in order to provide it to the antivirus engine for scanning while the
infected version still remains undetected. Furthermore, stealth viruses actively
work to conceal any traces of their activities and the changes made to files.

e. Multipartite virus - this attempts to attack both the file executables and the master
boot record of the drive at the same time. This type may be tricky to remove, as even when
the file executable part is clean it can re-infect the system all over again from the boot sector
if it wasn't cleaned as well.

f. Camouflage virus - this virus type is able to report itself as a harmless program to the antivirus
software. In cases where the virus has code similar to the legitimate non-infected file's
code, the antivirus application is tricked into thinking it is dealing with the legitimate program.
This would work only in the case of basic signature-based antivirus software.
Nowadays antivirus solutions have become more elaborate, so camouflage viruses
are quite rare and not a serious threat due to the ease of their detection.

g. Cavity virus - unlike traditional viruses, the cavity virus does not attach itself to the end of
the infected file but instead uses the empty spaces within the program file itself (which exist
there for a variety of reasons). This way the length of the program code is not changed
and the virus can more easily avoid detection. In most cases the injection of the virus does not
impact the functionality of the host file at all. Cavity viruses are quite rare though.

Source - News Articles. Let us discuss recent news about a new version of a notorious virus
that takes over a system until money is paid as ransom, which has been detected by cyber experts.
Version 2.0 of the TeslaCrypt ransomware encryptor family, say experts, is notorious for
infecting the computers of gamers. The malicious program is now targeting online consumers and
businesses via email attachments which block access to a computer system until a sum of money,
specifically in dollars, is paid as ransom. If the victim delays, the ransom is doubled. Detected in
February 2015, TeslaCrypt began infecting systems in the US, Europe and Southeast Asian
countries. It then appeared in Indian cities including Delhi and Mumbai. Two businessmen from
Agra were targeted this year, from whom the extortionist demanded more than $10,000. In the
last six months, two cases were reported in Agra, where the malware locked down its victims'
most important files and kept them hostage in exchange for a ransom to unlock them.

Types of Worms
The most common categorization of worms relies on how they spread:
a. Email worms: spread through email messages, especially those with attachments.
b. Internet worms: spread directly over the internet by exploiting access to open ports or
system vulnerabilities.
c. Network worms: spread over open and unprotected network shares.
d. Multi-vector worms: having two or more different spread capabilities.

Types of Trojans
Computer Trojans or Trojan horses are named after the mythological Trojan horse from
Trojan War, in which the Greeks give a giant wooden horse to their foes, the Trojans. As soon as
Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly
and open the city gates, allowing their soldiers to capture Troy. A computer Trojan horse works in a
way that is very similar to this strategy: it is a type of malware that masquerades
as a non-malicious, even useful application but actually does damage to the host computer after
its installation.

Trojans do not self-replicate, which is their key difference from a virus, and often require end user
intervention to install themselves. This happens in most scenarios where the user is tricked into believing
that the program he is installing is a legitimate one (this is very often connected with social
engineering attacks on end users).

One of the other common methods is for the Trojan to be spammed as an email attachment or a
link in an email. Another similar method has the Trojan arriving as a file or link in an instant
messaging client. Trojans can be spread as well by means of drive-by downloads, or downloaded
and dropped by other Trojans or by legitimate programs that have been compromised.
The results of Trojan activities can vary greatly, starting from low-invasive ones that only
change the wallpaper or desktop icons, through Trojans which open backdoors on the computer
and allow other threats to infect the host or allow a hacker remote access to the targeted
computer system. Trojans can also cause serious damage on the host by deleting files or
destroying the data on the system in various ways (like formatting the drive or causing a BSOD). Such
Trojans are usually stealthy and do not advertise their presence on the computer. Trojan
classification can be based upon the function performed and the way they breach systems. An
important thing to keep in mind is that many Trojans have multiple payload functions, so any
such classification provides only a general overview and not a strict boundary.
Some of the most common Trojan types are:

1. Remote Access Trojans (RAT), aka Backdoor.Trojan - this type of Trojan opens a backdoor
on the targeted system to allow the attacker remote access to the system or even complete
control over it. This kind of Trojan is the most widespread type and often has various
other functions as well. It may be used as an entry point for a DoS attack or for allowing worms or
even other Trojans onto the system. A computer with a sophisticated backdoor program
installed may also be referred to as a "zombie" or a "bot". A network of such bots may often
be referred to as a "botnet". Backdoor.Trojans are generally created by malware authors
who are organized and aim to make money out of their efforts. These types of Trojans can be
highly sophisticated and can require more work to implement than some of the simpler
malware seen on the Internet.

2. Trojan-DDoS - this Trojan is installed simultaneously on a large number of computers in
order to create a zombie network (botnet) of machines that can be used (as attackers) in a
DDoS attack on a particular target.

3. Trojan-Proxy - a type of Trojan horse designed to use the victim's computer as a proxy server.

4. Trojan-FTP – this Trojan is designed to open FTP ports on the targeted machine, allowing a
remote attacker access to the host. Furthermore, the attacker can then access network shares
or connections to spread other threats further.

5. Destructive Trojan – this is designed to destroy or delete data. It is much like a virus.

6. Security Software Disabler Trojan – this is designed to stop security programs such as
antivirus solutions, firewalls or IPS, either by disabling them or by killing their processes.
This functionality is often combined with a destructive Trojan that executes data deletion or
corruption only after the security software has been disabled. Security Software Disablers are
entry Trojans that enable the next level of attack on the targeted system.

7. Info Stealer (Data Sending/Stealing Trojan) - this Trojan is designed to collect confidential
or sensitive information from the compromised host and send it to a predefined location (the
attacker). The stolen data comprises login details, passwords, PII, credit card information etc.
Data-sending Trojans can be designed to look for specific information only, or can be more
generic, like keylogger Trojans.

8. Keylogger Trojan – this is a type of data-sending Trojan that records every keystroke of the
end user. It is specifically used to steal sensitive information from the targeted host and send
it back to the attacker. For these Trojans the goal is to collect as much data as possible,
without any prior specification of what the data will be.

9. Trojan-PSW (Password Stealer) – this is a type of data-sending Trojan designed specifically
to steal passwords from the targeted systems. In its execution routine, the Trojan will very
often first drop a key-logging component onto the infected machine.

10. Trojan-Banker – a Trojan designed specifically to steal online banking information to allow
the attacker further access to bank account or credit card information.

11. Trojan-IM – a type of data-sending Trojan designed specifically to steal data or account
information from instant messaging programs like MSN, Skype etc.

12. Trojan-Game Thief – a Trojan designed to steal information about online gaming accounts.

13. Trojan Mail Finder – a Trojan used to harvest any email addresses found on the infected
computer. The harvested list is then forwarded to the remote attacker.

14. Trojan-Dropper – the purpose of Trojan Droppers, as the name suggests, is to install
malicious code on a victim's computer.

15. Trojan-Downloader – a Trojan that can download other malicious programs to the target
computer. It is very often combined with the functionality of a Trojan-Dropper. Most downloaders
that are encountered will attempt to download content from the internet rather than from the
local network. In order to achieve its primary function, a downloader must run on a computer
that is inadequately protected and connected to a network.

16. Trojan-Spy – this Trojan has functionality similar to the Info Stealer or Trojan-PSW; its
purpose is to spy on the actions executed on the target host. These can include tracking data
entered via keystrokes, collecting screenshots, listing active processes/services on the host
or stealing passwords.

17. Trojan-ArcBomb – the Trojan Arc-Bomb is a type of Trojan horse virus. Trojan Arc-Bombs have
been known to disguise themselves as a computer game; they have also been known to disguise
themselves as a different kind of program, such as a Word document or a PowerPoint presentation.

18. Trojan-Clicker or Trojan-AD clicker – a Trojan that continuously attempts to connect to
specific websites in order to boost the visit counters on those sites. More specific
functionality can include generating traffic to pay-per-click web advertising campaigns in
order to create or boost revenue.

19. Trojan-SMS – a Trojan used to send text messages from infected mobile devices to
premium rate paid phone numbers.

20. Trojan-Ransom – this type of Trojan modifies data on the victim computer so that the victim
can no longer use the data, or it prevents the computer from running correctly. Once the data
has been “taken hostage” (blocked or encrypted), the user receives a ransom demand.

The ransom demand tells the victim to send the malicious user money; on receipt of this, the
cyber criminal will send a program to the victim to restore the data or restore the computer’s
performance.

In another incident detected by Kaspersky Labs, Pune, the TeslaCrypt ransomware encryptor family
exhibited a curious behaviour. Version 2.0 of the Trojan, notorious for infecting computer gamers,
displays an HTML page in the web browser which is an exact copy of the one used by CryptoWall 3.0,
another notorious ransomware program. TeslaCrypt was detected in February 2015 and the new
ransomware Trojan gained immediate notoriety as a menace to computer gamers. Amongst other types
of target files, it targets typical gaming files: game saves, user profiles, recorded replays etc.
That said, TeslaCrypt does not encrypt files larger than 268 MB. A few more examples of ransomware
Trojans are CryptoLocker, CryptoWall, CoinVault, TorLocker and CTB-Locker.

In 1983, this person was the first to offer the definition of 'Computer Virus'...
A. COHEN
B. NORTON
C. SMITH
D. McAfee
Ans: A - COHEN
-----------------------------------------------------------------------------------------------------------------------

Other security threats

Malware refers to software such as viruses, spyware, adware, worms, trojans, ransomware etc. It
is designed to cause damage to a targeted computer or to cause a certain degree of operational
disruption.

A rootkit is malicious software designed to hide certain processes or programs from detection.
It usually acquires and maintains privileged system access while hiding its presence at the same
time. It acts as a conduit by providing the attacker with a backdoor to the system.

Spyware is software that monitors and collects information about a particular user, computer or
organization without the user’s knowledge. There are different types of spyware, namely system
monitors, trojans (keyloggers, banker trojans, infostealers), adware, tracking cookies etc.

Tracking cookies are a specific type of cookies that are distributed, shared and read across two
or more unrelated websites for the purpose of gathering information or potentially to present
customized data to you.

Riskware is a term used to describe potentially dangerous software whose installation may pose
a risk to the computer.

Adware – in general terms, adware is software generating or displaying certain advertisements to
the user. This kind of software is very common in freeware and shareware and can analyze the end
user's internet habits and then tailor the advertisements directly to the user's interests.

Scareware is a class of malware that includes both ransomware (Trojan.Ransom) and FakeAV
software. It is also well known under the names "Rogue Security Software" or "Misleading
Software". This kind of software tricks the user into believing that the computer has been
infected and offers paid solutions to clean the "fake" infection.

Spam is the term used to describe unsolicited or unwanted electronic messages, especially
advertisements. The most widely recognized form of spam is email spam.

Creepware is a term used to describe activities like spying on others through webcams (very often
combined with capturing pictures), tracking the online activities of others, listening to
conversations over the computer's microphone, and stealing passwords and other data.

Blended threat defines an exploit that combines elements of multiple types of malware
components. The use of multiple attack vectors and payload types aims to increase both the
severity of the damage caused and the speed of spreading.

Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is a catalogue of known security threats. Every
exposure or vulnerability included in the CVE list is given one common, standardized CVE name.
The catalogue is sponsored by the United States Department of Homeland Security (DHS), and
threats are divided into two categories:
 Vulnerabilities
 Exposures
1. According to the CVE website, a vulnerability is a mistake in software code that provides an
attacker with direct access to a system or network. For example, the vulnerability may allow
an attacker to pose as a super user or system administrator who has full access privileges.
2. An exposure, on the other hand, is defined as a mistake in software code or configuration that
provides an attacker with indirect access to a system or network. For example, an exposure
may allow an attacker to secretly gather customer information that could be sold.

 The catalogue’s main purpose is to standardize the way each known vulnerability or exposure
is identified. This is important because standard IDs allow security administrators to quickly
access technical information about a specific threat across multiple CVE-compatible
information sources.
 CVE is sponsored by US-CERT, the DHS Office of Cybersecurity and Information Assurance
(OCSIA).
 MITRE, a not-for-profit organization that operates research and development centers
sponsored by the U.S. federal government, maintains the CVE catalogue and public website.
 It also manages the CVE Compatibility Program, which promotes the use of standard CVE
identifiers by authorized CVE Numbering Authorities (CNAs).

CVE-ID Syntax
The new CVE-ID syntax is variable length and includes:
CVE prefix + Year + Arbitrary Digits

NOTE: The variable-length arbitrary digits will begin at four (4) fixed digits and expand with
arbitrary digits only when needed in a calendar year, for example CVE-YYYY-NNNN and, if needed,
CVE-YYYY-NNNNN, CVE-YYYY-NNNNNNN, and so on. This also means there will be no changes needed to
previously assigned CVE-IDs, which all include 4 digits.

The description field is a standardized text description of the issue(s). One common entry is:
“** RESERVED ** This candidate has been reserved by an organization or individual that will
use it when announcing a new security problem. When the candidate has been publicized, the
details for this candidate will be provided.”

This means that the entry number has been reserved by MITRE for an issue, or that a CNA has
reserved the number. So in the case where a CNA requests a block of CVE numbers in advance (e.g.
Red Hat currently requests CVEs in blocks of 500), the CVE number will be marked as reserved even
though the CVE itself may not be assigned by the CNA for some time. Until the CVE is assigned AND
MITRE is made aware of it (e.g. the embargo passes and the issue is made public), AND MITRE has
researched the issue and written a description of it, entries will show up as "** RESERVED **".

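
The CVE-ID syntax and the "** RESERVED **" convention described above, as an added worked example
(not part of the original notes): a strict parser for the variable-length identifier plus a small
triage routine that separates published, reserved and malformed entries. The identifiers and
descriptions in SAMPLE_FEED are constructed placeholders, not real CVE entries.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Syntax from the notes: "CVE" prefix + 4-digit year + at least 4 arbitrary digits,
# growing beyond 4 digits only when a calendar year needs it.
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")

# Marker text placed in the description of a reserved entry (quoted in the notes).
RESERVED_MARKER = "** RESERVED **"


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: str  # kept as the original digit string so the printed form round-trips

    def __str__(self) -> str:
        return f"CVE-{self.year}-{self.sequence}"


def parse_cve_id(text: str) -> Optional[CveId]:
    """Return a CveId for a well-formed identifier, or None if the text is malformed.

    The match is strict: uppercase prefix, exactly four year digits, four or more
    sequence digits. Surrounding whitespace is ignored.
    """
    m = CVE_ID_RE.match(text.strip())
    if m is None:
        return None
    return CveId(year=int(m.group("year")), sequence=m.group("seq"))


def is_reserved(description: str) -> bool:
    """True if the entry has only been reserved (by MITRE or a CNA) and not yet published."""
    return description.lstrip().startswith(RESERVED_MARKER)


def triage(entries):
    """Sort (id, description) pairs into published, reserved and malformed lists.

    A reserved entry carries no technical detail yet, so a tracker should not treat it
    as an actionable vulnerability; a malformed id cannot be cross-referenced between
    CVE-compatible sources and should be flagged for correction.
    """
    published, reserved, malformed = [], [], []
    for raw_id, description in entries:
        cve = parse_cve_id(raw_id)
        if cve is None:
            malformed.append(raw_id)
        elif is_reserved(description):
            reserved.append(str(cve))
        else:
            published.append(str(cve))
    return published, reserved, malformed


# Constructed sample feed; identifiers and texts are placeholders, not real CVE entries.
SAMPLE_FEED = [
    ("CVE-2015-1234", "Example: stack buffer overflow in a constructed demo service."),
    ("CVE-2015-1234567", "Example: a 7-digit sequence number from a busy year."),
    ("CVE-2015-5678", "** RESERVED ** This candidate has been reserved by an organization ..."),
    ("CVE-15-1234", "Year must have four digits."),
    ("CVE-2015-123", "Sequence must have at least four digits."),
]
```
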
Security and Network attacks:

A network attack is usually defined as an intrusion on the network infrastructure that first
analyzes the environment and collects information in order to exploit existing open ports or
vulnerabilities. This may include unauthorized access to organization resources.

Characteristics of network attacks:

Passive attacks: attacks whose only purpose is to learn and obtain some information from the
system; the system resources are not altered or disabled in any way.
Active attacks: in this type of network attack, the perpetrator accesses and either alters,
disables or destroys resources or data.
Outside attack: when an attack is performed from outside the organization by an unauthorized
entity, it is said to be an outside attack.
Inside attack: if an attack is performed from within the company by an "insider" who already
has certain access to the network, it is considered to be an inside attack.
Others, such as attacks targeted at end users (like phishing or social engineering): these are
not directly referred to as network attacks, but are important to know due to their widespread
occurrence.

1. Social engineering – refers to the psychological manipulation of people (employees of a
company) into performing actions that potentially lead to a leak of the company's proprietary
or confidential information, or otherwise can cause damage to company resources, personnel or
company image. Social engineers use various strategies to trick users into disclosing
confidential information, data or both. One very common technique used by social engineers
is to pretend to be someone else - an IT professional, a member of the management team, a
co-worker, an insurance investigator or even a member of a governmental authority. The mere
fact that the addressed party appears to be one of these is meant to convince the victim that
the person has a right to know any confidential or otherwise protected information. The
purpose of social engineering remains the same as the purpose of hacking: gaining unauthorized
access to confidential information, data theft, industrial espionage or environment/service
disruption.

2. Phishing attack – this type of attack uses social engineering techniques to steal confidential
information. The most common purpose of such an attack is to obtain the victim's banking
account details and credentials. Phishing attacks tend to use schemes involving spoofed emails
sent to users that lead them to malware-infected websites designed to look like real online
banking websites. In most cases the emails received by users will look authentic, as if sent
from sources known to the user (very often with the appropriate company logo and localized
information). These emails will contain a direct request to verify some account information,
credentials or credit card numbers by following the provided link and confirming the
information online. The request will be accompanied by a threat that the account may be
disabled or suspended if the mentioned details are not verified by the user.

3. Social phishing – in recent years, phishing techniques have evolved to include social media
like Facebook or Twitter. This type of phishing is often called social phishing. The purpose
remains the same – to obtain confidential information and gain access to personal files. The
means of attack are a bit different, though, and include special links or posts placed on the
social media sites that attract the user with their content and convince them to click. The
link then redirects to a malicious website or similar harmful content. Such websites can
mirror legitimate Facebook pages so that an unsuspecting user does not notice the difference.
The website will require the user to log in with his or her real credentials. At this point
the attacker collects the credentials, gaining access to the compromised account and all data
on it. Another scenario involves fake apps: users are encouraged to download and install apps
that contain malware used to steal confidential information. Facebook phishing attacks are
often much more elaborate. Consider the following scenario – a link posted by an attacker can
include pictures or a phrase that will attract the user to click on it. The user clicks and
is redirected to a mirror website that asks him or her to like the post before even viewing
it. The user, not suspecting any harm, clicks the "like" button but doesn't realise that the
"like" button has been spoofed and is in reality an "accept" button granting the fake app
access to the user's personal information. At this point, the data is collected and the
account is compromised.

4. Spear phishing attack – this is a type of phishing attack targeted at specific individuals,
groups of individuals or companies. Spear phishing attacks are performed mostly with the
primary purpose of industrial espionage and theft of sensitive information, while ordinary
phishing attacks are directed against the wide public with the intent of financial fraud. It
has been estimated that in the last couple of years targeted spear phishing attacks have
become more widespread than ever before.
The recommendations to protect your company against phishing and spear phishing
include:
1. Never open or download a file from an unsolicited email, even from someone you know (you
can call or email the person to double check that it really came from them).
2. Keep your operating system updated.
3. Use a reputable anti-virus program.
4. Enable two-factor authentication whenever available.
5. Confirm the authenticity of a website prior to entering login credentials by looking for a
reputable security trust mark.
6. Look for HTTPS in the address bar when you enter any sensitive personal information on a
website to make sure your data will be encrypted.

5. Watering hole attack – this is a more complex type of phishing attack. Instead of the usual
way of sending spoofed emails to end users in order to trick them into revealing confidential
information, attackers use a multi-staged approach to gain access to the targeted
information. In the first step, the attacker profiles the potential victim, collecting
information about his or her internet habits, history of visited websites etc. In the next
step the attacker uses that knowledge to inspect specific legitimate public websites for
vulnerabilities. If any vulnerabilities or loopholes are found, the attacker compromises the
website with his own malicious code. The compromised website then waits for the targeted
victim to come back and infects them with exploits (often for zero-day vulnerabilities) or
malware. This is analogous to a lion waiting at the watering hole for its prey.

6. Whaling – a type of phishing attack specifically targeted at senior executives or other
high-profile targets within a company.

7. Vishing (Voice Phishing or VoIP Phishing) – the use of social engineering techniques over
the telephone system to gain access to confidential information from users. This phishing
attack is often combined with caller ID spoofing, which masks the real source phone number
and instead displays a number familiar to the phishing victim or a number known to belong to
a real banking institution. General practices of vishing include pre-recorded automated
instructions requesting users to provide bank account or credit card information for
verification over the phone.

8. Port scanning – an attack type where the attacker sends several requests to a range of ports
on a targeted host in order to find out which ports are active and open, which allows them to
exploit known service vulnerabilities related to specific ports. Port scanning can be used by
malicious attackers to compromise security, as well as by IT professionals to verify network
security.
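
The defender's side of the port scanning item above, as an added example that is not part of the
original notes: a sliding-window detector that flags a source touching many distinct ports on one
host within a short interval. SAMPLE_LOG is a constructed firewall-style log (addresses from the
RFC 5737 documentation ranges); the line format, window and threshold are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not from any real device): timestamp, verdict, src, dst, dst port.
# 203.0.113.9 probes six ports in three seconds; 198.51.100.4 is ordinary HTTPS traffic.
SAMPLE_LOG = """\
2024-01-15T10:00:01 DROP src=203.0.113.9 dst=192.0.2.10 dport=21
2024-01-15T10:00:01 DROP src=203.0.113.9 dst=192.0.2.10 dport=22
2024-01-15T10:00:02 ACCEPT src=203.0.113.9 dst=192.0.2.10 dport=80
2024-01-15T10:00:02 DROP src=203.0.113.9 dst=192.0.2.10 dport=443
2024-01-15T10:00:03 DROP src=203.0.113.9 dst=192.0.2.10 dport=3306
2024-01-15T10:00:03 DROP src=203.0.113.9 dst=192.0.2.10 dport=8080
2024-01-15T10:00:05 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=443
2024-01-15T10:00:09 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=443
2024-01-15T10:30:00 DROP src=203.0.113.9 dst=192.0.2.10 dport=25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "action": m.group("action"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def detect_port_scans(log_text, window=timedelta(seconds=60), threshold=5):
    """Flag (src, dst) pairs that touch at least `threshold` distinct ports within `window`.

    Both ACCEPT and DROP lines count: a scanner learns something from either answer.
    The window slides with each event, so a slow probe spread over hours is not flagged
    by this rule (a longer window or a separate low-and-slow rule would be needed).
    """
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...] in arrival order
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"])
        hist = events[key]
        hist.append((ev["ts"], ev["dport"]))
        cutoff = ev["ts"] - window
        while hist and hist[0][0] < cutoff:  # discard events that fell out of the window
            hist.pop(0)
        ports = {p for _, p in hist}
        if len(ports) >= threshold and key not in alerts:
            alerts[key] = {"first_seen": hist[0][0], "ports": sorted(ports)}
    return alerts
```
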

9. Spoofing – a technique used to masquerade a person, program or address as another by
falsifying data, with the purpose of gaining unauthorized access.

A few of the common spoofing types include:

10. IP address spoofing – the process of creating IP packets with a forged source IP address to
impersonate a legitimate system. This kind of spoofing is often used in DoS attacks (Smurf
attack).

11. Email spoofing – the process of faking the email's sender "From" field in order to hide the
real origin of the email. This type of spoofing is often used in spam mail or during phishing
attacks.

12. Search engine poisoning – attackers take advantage of high-profile news items or popular
events that may be of specific interest to a certain group of people in order to spread malware
and viruses. This is performed by various methods whose purpose is to achieve the highest
possible search ranking on well-known search portals for the malicious sites and links
introduced by the attackers. Search engine poisoning techniques are often used to distribute
rogue security products (scareware) to users searching for legitimate security solutions to
download.

13. Network sniffing (packet sniffing) – the process of capturing the data packets travelling in
the network. Network sniffing can be used by IT professionals to analyze and monitor traffic,
for example in order to find unexpected suspicious traffic, but also by perpetrators to collect
data sent in clear text, which is easily readable with network sniffers (protocol analyzers).
The best countermeasure against sniffing is the use of encrypted communication between the
hosts.

14. Denial of Service attack (DoS attack) and Distributed Denial of Service attack (DDoS
attack) – an attack designed to cause an interruption or suspension of the services of a
specific host/server by flooding it with large quantities of useless traffic or external
communication requests. When the DoS attack succeeds, the server is no longer able to answer
even legitimate requests; this can be observed in a number of ways – slow response of the
server, slow network performance, unavailability of software or a web page, inability to
access data, a website or other resources. A Distributed Denial of Service attack (DDoS)
occurs where multiple compromised or infected systems (a botnet) flood a particular host with
traffic simultaneously.

15. ICMP flood attack (ping flood) – an attack that sends ICMP ping (echo) requests to the
victim host without waiting for the answers, in order to overload it with ICMP traffic to the
point where the host cannot answer them any more, either because of network bandwidth
congestion with ICMP packets (both requests and replies) or because of high CPU utilization
caused by processing the ICMP requests. The easiest way to protect against the various types
of ICMP flood attack is either to disable propagation of ICMP traffic sent to the broadcast
address on the router or to disable ICMP traffic at the firewall level.

16. Ping of Death (PoD) – this attack involves sending a malformed or otherwise corrupted
malicious ping to the host machine, for example a ping of a size bigger than usual, which can
cause a buffer overflow on the system that leads to a system crash.

17. Smurf attack – this works in the same way as the ping flood attack, with one major
difference: the source IP address of the attacker host is spoofed with the IP address of
another legitimate, non-malicious computer. Such an attack causes disruption both on the
attacked host (receiving a large number of ICMP requests) and on the spoofed victim host
(receiving a large number of ICMP replies).

18. SYN flood attack – this attack exploits the way the TCP three-way handshake works while a
TCP connection is being established. In the normal process, the host computer sends a TCP SYN
packet to the remote host requesting a connection. The remote host answers with a TCP SYN-ACK
packet confirming the connection can be made. As soon as this is received by the first (local)
host, it replies with a TCP ACK packet to the remote host. At this point the TCP socket
connection is established. During a SYN flood attack, the attacker host, or more commonly
several attacker hosts, send SYN packets to the victim host requesting connections; the victim
host responds with SYN-ACK packets, but the attacker hosts never respond with ACK packets. As a
result, the victim host keeps reserving space for all those half-open connections while waiting
for the remote attacker hosts to respond, which never happens. This leaves the server with dead
open connections and in the end prevents legitimate hosts from connecting to the server any
more.
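
The half-open queue exhaustion described above, as an added simulation that is not part of the
original notes: a toy model of one listening socket's SYN-received queue, first without and then
with a stateless SYN-cookie style mitigation. The backlog size, timeout, HMAC-based cookie and the
RFC 5737 addresses are assumptions for the demo; real SYN cookies encode a timestamp and MSS into
the initial sequence number, which this model simplifies away.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def _cookie(secret: bytes, peer) -> str:
    # Stateless token derived from the peer address; the server can recompute it when the
    # ACK arrives instead of remembering the half-open connection (simplified SYN cookie).
    msg = f"{peer[0]}:{peer[1]}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class Listener:
    """Toy model of one TCP listening socket's SYN-received (half-open) queue."""
    backlog: int                 # how many half-open connections may be queued at once
    timeout: float               # seconds before an un-ACKed entry is discarded
    syn_cookies: bool = False    # mitigation switch
    secret: bytes = b"constructed-demo-secret"  # hypothetical key for the cookie
    half_open: dict = field(default_factory=dict)  # peer -> (time SYN-ACK sent, cookie)
    established: list = field(default_factory=list)
    dropped: int = 0             # SYNs silently discarded because the queue was full

    def expire(self, now: float) -> None:
        # Reap entries whose SYN-ACK has gone unanswered for longer than `timeout`
        for peer, (sent, _) in list(self.half_open.items()):
            if now - sent >= self.timeout:
                del self.half_open[peer]

    def on_syn(self, peer, now: float):
        """Handle an incoming SYN; return the cookie sent in the SYN-ACK, or None if dropped."""
        self.expire(now)
        if peer in self.half_open:              # retransmitted SYN: resend the same SYN-ACK
            return self.half_open[peer][1]
        cookie = _cookie(self.secret, peer)
        if len(self.half_open) < self.backlog:
            self.half_open[peer] = (now, cookie)  # normal path: remember the half-open entry
            return cookie
        if self.syn_cookies:
            return cookie                        # queue full: answer statelessly, store nothing
        self.dropped += 1                        # queue full and no mitigation: SYN is lost
        return None

    def on_ack(self, peer, cookie, now: float) -> bool:
        """Handle the final ACK; True if the connection reaches ESTABLISHED."""
        self.expire(now)
        if peer in self.half_open:
            del self.half_open[peer]
            self.established.append(peer)
            return True
        # No stored state: accept only if the ACK proves it answers a cookie we issued
        if (self.syn_cookies and cookie is not None
                and hmac.compare_digest(cookie, _cookie(self.secret, peer))):
            self.established.append(peer)
            return True
        return False


def simulate(syn_cookies: bool, backlog: int = 8, timeout: float = 30.0) -> dict:
    """Flood the listener with 20 SYNs that are never ACKed, then let a legitimate client try."""
    srv = Listener(backlog, timeout, syn_cookies=syn_cookies)
    # Constructed attacker addresses (RFC 5737 documentation range), one SYN per second
    for i in range(20):
        srv.on_syn(("203.0.113.%d" % i, 40000 + i), now=float(i))
    client = ("198.51.100.4", 51000)
    cookie = srv.on_syn(client, now=25.0)   # while the flood entries still occupy the queue
    during = cookie is not None and srv.on_ack(client, cookie, now=25.1)
    cookie = srv.on_syn(client, now=40.0)   # retry after the stale entries have aged out
    after = cookie is not None and srv.on_ack(client, cookie, now=40.1)
    return {"syns_dropped": srv.dropped,
            "established_during_flood": during,
            "established_after_timeout": after}
```

Without cookies the legitimate client is refused until the timeout reaps the dead entries; with
cookies the queue never blocks it, because nothing is stored until a valid ACK arrives.
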

19. Buffer overflow attack – in this type of attack the victim host is provided with
traffic/data that is out of the range of the processing specifications of the victim host,
protocols or applications, overflowing the buffer and overwriting the adjacent memory. One
example is the Ping of Death attack mentioned above, where a malformed ICMP packet with a size
exceeding the normal value can cause a buffer overflow.

20. Botnet – a collection of compromised computers that can be controlled by remote
perpetrators to perform various types of attacks on other computers or networks. A well-known
example of botnet usage is the distributed denial of service attack, where multiple systems
submit as many requests as possible to the victim machine in order to overload it with
incoming packets. Botnets can otherwise be used to send out spam, spread viruses and spyware,
and also to steal personal and confidential information, which is afterwards forwarded to the
botmaster.

21. Man-in-the-middle attack – this attack is a form of active monitoring or eavesdropping on
victims’ connections and on the communication between victim hosts. This form of attack
involves interaction between both victim parties of the communication and the attacker. This
is achieved by the attacker intercepting all parts of the communication, changing its content
and sending it on as legitimate replies. Neither party is aware of the attacker's presence,
and both believe the replies they get are legitimate. For this attack to be successful, the
perpetrator must successfully impersonate at least one of the endpoints. This can be the case
if there are no protocols in place that would ensure mutual authentication or encryption
during the communication process.

22. Session hijacking attack – this attack targets the exploitation of a valid computer session
in order to gain unauthorized access to information on a computer system. The attack type is
often referred to as cookie hijacking, as during its course the attacker uses a stolen session
cookie to gain access to and authenticate to the remote server by impersonating the legitimate
user.

23. Cross-site scripting attack (XSS attack) – the attacker exploits XSS vulnerabilities found
in web server applications in order to inject a client-side script into the webpage that can
either point the user to a malicious website of the attacker or allow the attacker to steal the
user's session cookie.

24. SQL injection attack – the attacker uses existing vulnerabilities in the application to
inject code or a string for execution that exceeds the allowed and expected input to the SQL
database.

25. Bluetooth related attacks

Bluesnarfing – this kind of attack allows the malicious user to gain unauthorized access to
information on a device through its Bluetooth connection. Any device with Bluetooth turned on
and set to the "discoverable" state may be prone to a bluesnarfing attack.
Bluejacking – this kind of attack allows the malicious user to send unsolicited (often spam)
messages to Bluetooth-enabled devices.
Bluebugging – an attack on a Bluetooth-enabled device. Bluebugging enables the attacker to
initiate phone calls on the victim's phone, as well as read through the address book and
messages, and eavesdrop on phone conversations.

Case study:
A few recent cyber-attacks (or network attacks) that shook some big businesses around the
globe:
1. Premera Blue Cross March 2015
The company, a health insurer based in Washington State, said up to 11 million customers could
have been affected by a cyberattack last year. Hackers gained access to its computers on May 5,
and the breach was not discovered until Jan. 29, Premera said. The breach could have exposed
members' names, dates of birth, Social Security numbers, mailing and email addresses, phone
numbers and bank account information. The company is working with the F.B.I. and a
cybersecurity firm.
2. Anthem February 2015
One of the nation’s largest health insurers said that the personal information of tens of millions
of its customers and employees, including its chief executive, was the subject of a “very
sophisticated external cyberattack.” The company added that hackers were able to breach a
database that contained as many as 80 million records of current and former customers, as well
as employees. The information accessed included names, Social Security numbers, birthdays,
addresses, email and employment information, including income data.
3. Sony Pictures November 2014
A huge attack that essentially wiped clean several internal data centers and led to cancellation of
the theatrical release of "The Interview," a comedy about the fictional assassination of the North
Korean leader Kim Jong-un. Contracts, salary lists, film budgets, entire films and Social
Security numbers were stolen, including -- to the dismay of top executives -- leaked emails that
included criticisms of Angelina Jolie and disparaging remarks about President Obama.
4. Staples October 2014
The office supply retailer said hackers had broken into the company’s network and compromised
the information of about 1.16 million credit cards.

Fundamentals of Information Security

Elements of Information Security:


1. Network Security:
 Network security refers to any activity designed to protect your network. Specifically, these
activities protect the usability, reliability, integrity and safety of your network and data. Effective
network security targets a variety of threats and stops them from entering or spreading on your
network.
 No single solution protects you from a variety of threats. You need multiple layers of security. If
one fails, others still stand. Network security is accomplished through hardware and software.
The software must be constantly updated and managed to protect you from emerging threats.
 A network security system usually consists of many components. Ideally, all components work
together, which minimizes maintenance and improves security.
Network security components often include:
 Anti-virus and anti-spyware software
 Firewall to block unauthorized access to your network
 Intrusion Prevention Systems (IPS) to identify fast-spreading threats, such as zero-day or
zero-hour attacks
 Virtual Private Networks (VPNs) to provide secure remote access
 Communication security

VPN, or Virtual Private Network, is a network that is constructed by using public wires -
usually the Internet - to connect to a private network, such as a company's internal network.
There are a number of systems that enable you to create networks using the Internet as the
medium for transporting data. These systems use encryption and other security mechanisms to
ensure that only authorized users can access the network and that the data cannot be intercepted.
In VPN technology, central tunneling is the process of forcing all traffic from a remote VPN
through a central site. Central tunneling provides additional security, as remote VPN users are
protected by a firewall at the central site, and it also enables NAT (Network Address
Translation), IDS (Intrusion Detection System), IPS (Intrusion Prevention System) and anti-virus
and spam filtering. Central tunneling does increase the bandwidth required at the central site.
Zero Day or Zero Hour Vulnerability refers to a hole in software that is unknown to the
vendor. This security hole is then exploited by hackers before the vendor becomes aware and
hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include
infiltrating malware or spyware, or allowing unwanted access to user information. The term “zero
day” refers to the fact that the hole is unknown to everyone except the hackers, and specifically
unknown to the developers. Once the vulnerability becomes known, a race begins for the developer,
who must protect users.

2. Application Security:
 Application security (AppSec) is the use of software, hardware and procedural methods to
protect applications from external threats. AppSec is the operational solution to the problem of
software risk. It helps identify, fix and prevent security vulnerabilities in any kind of software
application, irrespective of its function, language or platform.
 A well-practised AppSec programme employs practical and preventative methods to manage
software risk and aligns an organization's security investments with the reality of today's threats.
AppSec has three distinct elements:
1) Measurable reduction of risk in existing applications
2) Prevention of the introduction of new risks
3) Compliance (agreement) with software security mandates
AppSec as a discipline is also becoming more complex as the variety of business software
continues to proliferate (increase).
Today’s enterprise software comes from a variety of sources –
 In-house development teams,
 Commercial vendors,
 Outsourced solution providers, and
 Open source projects.

AppSec products must provide capabilities for managing security risk across all of these options
as each of these development and deployment options can introduce security vulnerabilities. An
effective software security strategy addresses both immediate and systemic risk.

The Application Security market has a well-established roadmap that starts with software security
testing to find and assess potential vulnerabilities and continues with:
 Prioritizing and fixing the findings (remediation).
 Training developers on secure coding practices.
 Maintaining on-going threat intelligence to keep up to date.
 Developing continuous methods to secure applications throughout the development life cycle.
 Instituting policies and procedures that embed good governance.

Testing and remediation form the baseline response to insecure applications, but the critical
element of a successful AppSec effort is on-going developer training. Security-conscious
development teams write more robust code and avoid common errors.
For example, data input validation is the process of ensuring that a program operates only on clean,
correct and useful data. Neglecting this step, and failing to build in standard input validation rules
or "check routines", leaves the application open to common attacks such as cross-site scripting and
SQL injection. Validation alone is not sufficient, though: data must also be handled safely in the
context where it is used (HTML, SQL, shell), which is why parameterised queries, not input
filtering, are the primary defence against SQL injection.
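The SQL injection case above, shown in working code. This is an added example, not code from the
original notes: a constructed in-memory SQLite table, a login routine that pastes user input into the
query text, and the hardened version that combines an allowlist check on the username with a
parameterised query. The table layout, the credentials and the function names are assumptions made
for the demonstration.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database for the demonstration (not from the notes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # VULNERABLE: user input is pasted into the SQL text, so a quote in the
    # input ends the string literal and whatever follows is parsed as SQL.
    sql = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# Allowlist: only the characters a username may legitimately contain.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    # HARDENED: reject malformed input up front, then bind the values as
    # parameters so the driver never interprets them as SQL.
    if not is_valid_username(username):
        return None
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    conn = build_db()
    # The payload closes the quoted username; "--" comments out the password check.
    payload = "alice' --"
    return {
        "vulnerable_bypass": login_vulnerable(conn, payload, "wrong"),  # 'admin'
        "safe_bypass": login_safe(conn, payload, "wrong"),              # None
        "safe_legit": login_safe(conn, "alice", "s3cret"),              # 'admin'
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable routine grants the admin role to anyone who types `alice' --` as a username, while the
hardened routine rejects the same input and still authenticates the genuine credentials. Passwords are
stored in clear text purely to keep the demonstration short; a real system stores salted password hashes.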

3. Communications Security:
Communications Security (COMSEC) ensures the confidentiality and integrity of
telecommunications, two of the information assurance (IA) pillars. More generally, COMSEC
refers to the security of any information that is transmitted, transferred or communicated.
There are five COMSEC security types:
Cryptosecurity: This encrypts data, rendering it unreadable until it is decrypted by a holder of the key.
Emission Security (EMSEC): This prevents the capture of emanations (unintentional electromagnetic
or acoustic release) from equipment, such as cryptographic equipment, thereby preventing
unauthorized interception.
Physical Security: This ensures the safety of, and prevents unauthorized access to, cryptographic
information, documents and equipment.
Traffic-Flow Security: This hides messages and message characteristics (who talks to whom, how
often and how much) flowing on a network.
Transmission Security (TRANSEC): This protects transmissions from unauthorized access,
interception, jamming and interruption, for example by frequency hopping or spread-spectrum techniques.

COMPUTER SECURITY CONCERNS

 People who fall in love with the Net do so for different reasons. Many love the ability to
quickly and cheaply keep up with friends and loved ones via e-mail, while others love the vast
oceans of information or the rush of playing Internet games.
 There are as many bad guys in cyberspace as there are in everyday life, and those shady
characters are constantly prowling the Internet in search of new victims to scam.
 However, the media often exaggerate these dangers. It is extremely unlikely (though not
impossible) that anyone reading this article will fall prey to an Internet crime, and in truth the
risks are not much greater than those associated with many fun activities.
 There are countless ways that thieves and mischief makers can wreak havoc with your sense of
security, but there are just as many ways to keep intruders at bay via safe-surfing techniques or
security software.

Some of the Concerns/Issues of Computer Security


 Hacking: unauthorized access to or use of data, systems, servers or networks, including any
attempt to probe, scan or test the vulnerability of a system, server or network, or to breach
security or authentication measures, without the express authorization of the owner of the
system, server or network. Members of the University should not run computer programs
associated with hacking without prior authorization. Obtaining and using such programs is not
typical of normal usage and may therefore be regarded as misuse.
 Use of University owned computer equipment, including the network, for illegal activities
including copying Copyright material without permission. The vast majority of files shared
on P2P (peer-to-peer) networks violate copyright law because they were posted without
permission of the artist or label.
 Sending abusive e-mails or posting offensive Web pages.
 Creation or transmission of any offensive or indecent images.
 Giving unauthorized access to University computing resources e.g. allowing an account to
be used by someone not authorized to use it.
 Deliberately creating or spreading computer viruses or worms.
 Unauthorized running of applications that involve committing the University to sharing its
computing resources, e.g. network bandwidth, in an uncontrolled and unlimited way.

To secure a computer system, it is important to understand the attacks that can be made against
it, and these threats can typically be classified into one of the categories below:
1. Backdoors
A backdoor in a computer system, a cryptosystem or an algorithm, is any secret method of
bypassing normal authentication or security controls. They may exist for a number of reasons,
including by original design or from poor configuration. They may also have been added later
by an authorized party to allow some legitimate access, or by an attacker for malicious reasons;
but regardless of the motives for their existence, they create a vulnerability.
2. Denial-of-service attack
Denial of service attacks are designed to make a machine or network resource unavailable to its
intended users. Attackers can deny service to individual victims, such as by deliberately
entering a wrong password enough consecutive times to cause the victim account to be locked,
or they may overload the capabilities of a machine or network and block all users at once. While
a network attack from a single IP address can be blocked by adding a new firewall rule, many
forms of Distributed denial of service (DDoS) attacks are possible, where the attack comes from
a large number of points – and defending is much more difficult. Such attacks can originate
from the zombie computers of a botnet, but a range of other techniques are possible including
reflection and amplification attacks, where innocent systems are fooled into sending traffic to
the victim.
3. Direct-access attacks
An unauthorized user who gains physical access to a computer is most likely able to download
data from it directly. They may also compromise security by making operating system
modifications or by installing software worms, key loggers or covert listening devices. Even when
the system is protected by standard security measures, these may be bypassed by booting another
operating system or tool from a CD-ROM, USB stick or other bootable media. Full-disk encryption
and a Trusted Platform Module (TPM) are designed to prevent these attacks: the data on disk is
unreadable without the key, and the TPM releases that key only to a boot chain whose
measurements match the expected ones.
4. Eavesdropping
Eavesdropping is the act of surreptitiously listening to a private conversation, typically between
hosts on a network. For instance, programs such as Carnivore and NarusInsight have been used
by the FBI and NSA to eavesdrop on the systems of internet service providers. Even machines
that operate as a closed system (i.e., with no contact to the outside world) can be eavesdropped
upon via monitoring the faint electro-magnetic transmissions generated by the hardware;
TEMPEST is a specification by the NSA referring to these attacks.
5. Spoofing
Spoofing of user identity describes a situation in which one person or program successfully
masquerades as another by falsifying data, for example a forged source IP address, e-mail sender
address or ARP reply.
6. Tampering
Tampering describes a malicious modification of products or systems. So-called "Evil Maid" attacks,
in which someone with brief physical access to an unattended laptop alters its boot loader, and the
planting of surveillance capability into routers by security services[6] are examples.
7. Privilege escalation
Privilege escalation describes a situation where an attacker with some level of restricted access
is able to, without authorization, elevate their privileges or access level. So for example a
standard computer user may be able to fool the system into giving them access to restricted
data; or even to "become root" and have full unrestricted access to a system.
8. Phishing
Phishing is the attempt to acquire sensitive information such as usernames, passwords and
credit card details directly from users. It is typically carried out by e-mail spoofing or
instant messaging, and it often directs users to enter details at a fake website whose look and
feel are almost identical to the legitimate one. Because it preys on the victim's trust, phishing is
classified as a form of social engineering.
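The denial-of-service entry above (item 2) contrasts an attacker who locks an account out by
repeatedly failing its password with a distributed attack from many sources, and notes that only the
first can be stopped with a single firewall rule. The following detection logic, an added example
rather than anything from the original notes, runs over a constructed authentication log in an
assumed format and flags accounts under a lockout attack, reporting whether the failures come from
one source (block it) or from many (rate limiting or a lockout-policy change is needed). The log
format, thresholds and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the notes). Assumed line format:
#   <ISO timestamp> auth: <FAIL|OK> user=<account> src=<ip>
SAMPLE_LOG = """\
2024-03-01T09:00:00 auth: FAIL user=alice src=10.0.0.5
2024-03-01T09:00:03 auth: FAIL user=alice src=10.0.0.5
2024-03-01T09:00:07 auth: FAIL user=alice src=10.0.0.5
2024-03-01T09:00:12 auth: FAIL user=alice src=10.0.0.5
2024-03-01T09:00:18 auth: FAIL user=alice src=10.0.0.5
2024-03-01T09:00:25 auth: FAIL user=alice src=10.0.0.5
2024-03-01T09:00:30 auth: OK user=alice src=192.0.2.10
2024-03-01T09:01:00 auth: FAIL user=bob src=198.51.100.1
2024-03-01T09:01:05 auth: FAIL user=bob src=198.51.100.2
2024-03-01T09:01:11 auth: FAIL user=bob src=198.51.100.3
2024-03-01T09:01:20 auth: FAIL user=bob src=198.51.100.4
2024-03-01T09:01:33 auth: FAIL user=bob src=198.51.100.5
2024-03-01T09:02:00 auth: FAIL user=carol src=203.0.113.7
2024-03-01T09:45:00 auth: FAIL user=carol src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> list:
    """Return (timestamp, user, src) for every failed login; other lines are ignored."""
    failures = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["result"] == "FAIL":
            failures.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return failures


def detect_lockout_attempts(failures, window=timedelta(seconds=60), threshold=5) -> dict:
    """Flag accounts that received at least `threshold` failures inside any `window`.

    For each flagged account the number of distinct sources is reported: a single
    source can be blocked with a firewall rule, many sources means a distributed
    attack that a per-IP block will not stop.
    """
    per_user = defaultdict(list)
    for ts, user, src in failures:
        per_user[user].append((ts, src))

    alerts = {}
    for user, events in per_user.items():
        events.sort()
        best_count, best_sources = 0, set()
        # Sliding window: for each failure, count the failures within `window` after it.
        for i, (start, _) in enumerate(events):
            in_window = [src for ts, src in events[i:] if ts - start <= window]
            if len(in_window) > best_count:
                best_count, best_sources = len(in_window), set(in_window)
        if best_count >= threshold:
            alerts[user] = {
                "failures": best_count,
                "sources": len(best_sources),
                "kind": "single-source" if len(best_sources) == 1 else "distributed",
            }
    return alerts


def run_detection() -> dict:
    return detect_lockout_attempts(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for user, alert in run_detection().items():
        print(user, alert)
```

On the sample data `alice` is flagged as a single-source attack (six failures from 10.0.0.5 in 25
seconds), `bob` as distributed (five failures from five different addresses), and `carol`'s two
failures 43 minutes apart produce no alert. Note that the detection is keyed on the target account,
not the source address, which is what makes the distributed case visible at all.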

Information Security Measures

Central to information security is the concept of controls, which may be categorized by their
functionality (preventive, detective, corrective, deterrent, recovery and compensating) and by their
plane of application (physical, administrative or technical).

By functionality:
Preventive controls:
Preventive controls are the first controls met by an adversary. These try to prevent security
violations and enforce access control. Like other controls, these may be physical, administrative
or technical. Doors, security procedures and authentication requirements are examples of
physical, administrative and technical preventive controls respectively.
Detective controls:
Detective controls are in place to detect security violations and alert the defenders. They come
into play when preventive controls have failed or have been circumvented, and are no less crucial
than preventive controls. Detective controls include cryptographic checksums, file integrity
checkers, audit trails and logs, intrusion detection systems and similar mechanisms.
Corrective controls:
Corrective controls try to correct the situation after a security violation has occurred. A violation
has happened, but the data may still be recoverable or protectable, so it makes sense to try to fix the
situation, for example by restoring a file from backup or terminating a malicious process.
Corrective controls vary widely, depending on the area being targeted, and they may be technical
or administrative in nature.
Deterrent controls:
Deterrent controls are intended to discourage potential attackers. Examples of deterrent controls
include notices of monitoring and logging as well as the visible practice of sound information
security management.
Recovery controls:
Recovery controls are somewhat like corrective controls, but they are applied in more serious
situations to recover from security violations and restore information and information processing
resources. Recovery controls may include disaster recovery and business continuity mechanisms,
backup systems and data, emergency key management arrangements and similar controls.
Compensating controls:
Compensating controls are intended to be alternative arrangements for other controls when the
original controls have failed or cannot be used. When a second set of controls addresses the same
threats that are addressed by another set of controls, it acts as a compensating control.

By plane of application:
Physical controls include doors, secure facilities, fire extinguishers, flood protection and air
conditioning.
Administrative controls are the organization’s policies, procedures and guidelines intended to
facilitate information security.
Technical controls are the various technical measures, such as firewalls, authentication systems,
intrusion detection systems and file encryption among others.
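The detective controls listed above name cryptographic checksums and file integrity checkers. The
following is an added example of such a checker, not code from the original notes: it records a
SHA-256 baseline of every file under a directory, seals the baseline with an HMAC so that an intruder
who alters files cannot quietly alter the stored hashes as well, and later reports modified, added and
removed files. The directory contents, the key and the function names are constructed for the
demonstration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_baseline(snap: dict, key: bytes) -> bytes:
    # The baseline is itself a target. An HMAC over its canonical JSON, keyed
    # with a secret that is not stored on the monitored host, lets the checker
    # notice when the baseline rather than the files has been edited.
    body = json.dumps(snap, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"snapshot": snap, "hmac": tag}).encode()


def open_baseline(blob: bytes, key: bytes) -> dict:
    doc = json.loads(blob)
    body = json.dumps(doc["snapshot"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline has been tampered with or the key is wrong")
    return doc["snapshot"]


def diff_snapshots(baseline: dict, current: dict) -> dict:
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Build a constructed mini filesystem, baseline it, simulate an intrusion, report."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    key = b"example-baseline-key"  # assumption: in practice kept off the monitored host
    sealed = seal_baseline(snapshot(root), key)

    # Simulated intrusion: extra uid-0 account, preload library, deleted file.
    (root / "etc" / "passwd").write_text(
        "root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
    (root / "etc" / "ld.so.preload").write_text("/tmp/rootkit.so\n")
    (root / "etc" / "hosts").unlink()

    return diff_snapshots(open_baseline(sealed, key), snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The report from `demo()` lists `etc/passwd` as modified, `etc/ld.so.preload` as added and `etc/hosts`
as removed. The checker is only as trustworthy as the baseline and the tool itself, which is why
production tools keep both on read-only or remote storage; the HMAC here covers the first of those
concerns but not the second.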

Access Control Models:


Access controls are security features that control how users and systems communicate and
interact with other systems and resources. Access is the flow of information between a subject
and an object. A subject is an active entity that requests access to an object or the data
within an object. E.g.: user, program, process etc. An object is a passive entity that contains
the information. E.g.: Computer, Database, File, Program etc.
Access controls give an organization the ability to control, restrict, monitor and protect resource
availability, integrity and confidentiality. Access control is among the most important concepts
in computer security. Access control models define how computers enforce access of subjects
(such as users, other computers, applications and so on) to objects (such as computers, files,
directories, applications, servers and devices).
Three main access control models exist:
 Discretionary(Optional/flexible) Access Control model
 Mandatory Access Control model
 Role Based Access Control model

Discretionary Access Control (DAC)


The Discretionary Access Control model is the most widely used of the three models. In the
DAC model, the owner (creator) of information (file or directory) has the discretion to decide
about and set access control restrictions on the object in question, which may, for example, be a
file or a directory. The advantage of DAC is its flexibility. Users may decide who can access
information and what they can do with it — read, write, delete, rename, execute and so on. At
the same time, this flexibility is also a disadvantage of DAC because users may make wrong
decisions regarding access control restrictions or maliciously set insecure or
inappropriate permissions. Nevertheless, the DAC model remains the model of choice for the
absolute majority of operating systems today, including Solaris.

Mandatory Access Control (MAC)


Mandatory access control, as its name suggests, takes a stricter approach to access control. In
systems utilizing MAC, users have little or no discretion as to what access permissions they can
set on their information. Instead, mandatory access controls specified in a system-wide security
policy are enforced by the operating system and applied to all operations on that system. MAC
based systems use data classification levels (such as public, confidential, secret and top secret)
and security clearance labels corresponding to data classification levels to decide in accordance
with the security policy set by the system administrator what access control restrictions to
enforce. Additionally, per group and/ or per domain access control restrictions may be imposed
i.e. in addition to having the required security clearance level, subjects (users or applications)
must also belong to the appropriate group or domain. For example, a file with a confidential label
belonging only to the research group may not be accessed by a user from the marketing group,
even if that user has a security clearance level higher than confidential (for example, secret or top
secret). This concept is known as compartmentalization or ‘need to know’. Although MAC based
systems, when used appropriately, are thought to be more secure than DAC based systems, they
are also much more difficult to use and administer because of the additional restrictions and
limitations imposed by the operating system. MAC based systems are typically used in
government, military and financial environments where higher than usual security is required
and where the added complexity and costs are tolerated. MAC is implemented in Trusted Solaris,
a version of the Solaris operating environment intended for high security environments.

Role-Based Access Control (RBAC)


In the role based access control model, rights and permissions are assigned to roles instead of
individual users. This added layer of abstraction permits easier and more flexible administration
and enforcement of access controls. For example, access to marketing files may be restricted
only to the marketing manager role, and users Ann, David, and Joe may be assigned the role of
marketing manager. Later, when David moves from the marketing department elsewhere, it is
enough to revoke his role of marketing manager, and no other changes would be necessary.
When you apply this approach to an organization with thousands of employees and hundreds of
roles, you can see the added security and convenience of using RBAC. Solaris has supported
RBAC since release 8.
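The three models above, reduced to working code. This is an added example and not code from the
notes or from Solaris: a MAC check that combines classification levels with compartments (the
"no read up" rule of the classic Bell-LaPadula model, which the notes do not name), a DAC object
whose owner alone edits its permissions, and an RBAC store in which revoking David's role is the only
change needed when he leaves marketing. All names, labels and data structures are assumptions.

```python
from dataclasses import dataclass

# --- Mandatory access control -------------------------------------------
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # At least as high a level AND every compartment the data carries
        # (the "need to know" part of the check).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_can_read(clearance: Label, data: Label) -> bool:
    """No read up: a subject may read only data its clearance dominates."""
    return clearance.dominates(data)


# --- Discretionary access control ---------------------------------------
class DacObject:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def set_permissions(self, actor: str, user: str, perms: set) -> None:
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner")
        self.acl[user] = set(perms)

    def allowed(self, user: str, perm: str) -> bool:
        return perm in self.acl.get(user, set())


# --- Role-based access control ------------------------------------------
class Rbac:
    def __init__(self):
        self.role_perms = {}   # role -> {(action, object)}
        self.user_roles = {}   # user -> {role}

    def grant(self, role: str, action: str, obj: str) -> None:
        self.role_perms.setdefault(role, set()).add((action, obj))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def check(self, user: str, action: str, obj: str) -> bool:
        return any((action, obj) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))


def demo() -> dict:
    research_file = Label("confidential", frozenset({"research"}))
    marketing_user = Label("secret", frozenset({"marketing"}))     # higher level, wrong compartment
    research_user = Label("confidential", frozenset({"research"}))

    doc = DacObject("alice")
    doc.set_permissions("alice", "bob", {"read"})

    rbac = Rbac()
    rbac.grant("marketing manager", "read", "marketing files")
    for user in ("ann", "david", "joe"):
        rbac.assign(user, "marketing manager")
    rbac.revoke("david", "marketing manager")   # David moves elsewhere

    return {
        "mac_marketing_reads_research": mac_can_read(marketing_user, research_file),  # False
        "mac_research_reads_research": mac_can_read(research_user, research_file),    # True
        "dac_bob_reads": doc.allowed("bob", "read"),                                   # True
        "dac_bob_writes": doc.allowed("bob", "write"),                                 # False
        "rbac_ann": rbac.check("ann", "read", "marketing files"),                      # True
        "rbac_david_after_revoke": rbac.check("david", "read", "marketing files"),    # False
    }


if __name__ == "__main__":
    print(demo())
```

The MAC result is the one the notes describe: a marketing user cleared to secret still cannot read a
confidential research file, because compartments are checked independently of level. In the DAC
object only the owner can change the ACL, which is also why a careless owner can expose data; in
the RBAC store no permission is ever attached to a user directly.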
Centralized vs. Decentralized Access Control
Further distinction should be made between centralized and decentralized (distributed) access
control models. In environments with centralized access control, a single, central entity makes
access control decisions and manages the access control system whereas in distributed access
control environments, these decisions are made and enforced in a decentralized manner. Both
approaches have their pros and cons, and it is generally inappropriate to say that one is better
than the other. The selection of a particular access control approach should be made only after
careful consideration of an organization’s requirements and associated risks.
Definitions:
 Risk = Threat × Vulnerability (many frameworks also multiply by Impact)
 Being "at risk" is being exposed to threats.
 Risks are subjective: the potential to incur consequences of harm or loss of target assets.
 A Risk Factor is the likelihood of resources being attacked.
 Threats are dangerous actions that can cause harm. The degree of threat depends on the
attacker's skills, knowledge, resources, authority and motives.
 Vulnerabilities are weaknesses in victims that allow a threat to become effective.
 A rogue user is an authorized user who, without permission, accesses restricted assets.
 A bogie is an unauthorized user who subverts security systems.
 A cracker breaks into others' computing facilities for personal gain, be it financial, revenge
or amusement.
 A hacktivist is a cracker with a cause. (Example of hacktivism: building Peekabooty to get
around governments blocking websites.)
 A terrorist uses fear to blackmail others into doing what they want.
 White Hats are also called "ethical" hackers, such as the Axent (now Symantec) Tiger Team.
 Black Hats disregard generally accepted social conventions and laws.
 Script kiddie is a derogatory term for a wannabe cracker who lacks programming skills and
thus relies on prewritten scripts and toolkits for their exploits.
 Journeyman is an experienced hacker: someone who has collected many tools and made
many connections.
 A Puppet Master (wizard) produces exploits.
 Malware is a generic term for malicious software such as trojan horses, worms and viruses.
 Warez is a nickname for pirated software (illegal copies of copyrighted software).
 Serialz are serial numbers that are illegally shared and used to unlock software.

Manage your work to meet requirements

Time Management Definition


“Time management” is the process of organizing and planning how to divide your time between
specific activities. Good time management enables you to work smarter – not harder – so that you
get more done in less time, even when time is tight and pressures are high. Failing to manage your
time damages your effectiveness and causes stress.
It seems that there is never enough time in the day. But, since we all get the same 24 hours, why is
it that some people achieve so much more with their time than others? The answer lies in good time
management.
The highest achievers manage their time exceptionally well. By using the time-management
techniques in this section, you can improve your ability to function more effectively – even when
time is tight and pressures are high.
Good time management requires an important shift in focus from activities to results: being busy
isn’t the same as being effective. (Ironically, the opposite is often closer to the truth.)
Spending your day in a frenzy of activity often achieves less, because you’re dividing your attention
between so many different tasks. Good time management lets you work smarter – not harder – so
you get more done in less time.

What Is “Time Management?”


“Time management” refers to the way that you organize and plan how long you spend on specific
activities.
It may seem counter-intuitive to dedicate precious time to learning about time management, instead
of using it to get on with your work, but the benefits are enormous:
 Greater productivity and efficiency.
 A better professional reputation.
 Less stress.
 Increased opportunities for advancement.
 Greater opportunities to achieve important life and career goals.
Failing to manage your time effectively can have some very undesirable consequences:
 Missed deadlines.
 Inefficient work flow.
 Poor work quality.
 A poor professional reputation and a stalled career.
 Higher stress levels.
Spending a little time learning about time-management techniques will have huge benefits now –
and throughout your career.

Time Management Aspects


 Planning and goal setting
 Managing yourself
 Dealing with other people
 Your time
 Getting results
The first 4 Interconnect and Interact to give the 5th one – Results

Differentiate between Urgent and Important task


Urgent task
 Assume importance as they demand immediate attention
Important Task
 May become urgent if left undone
 Usually have a long term effect
To judge importance vs. urgency, gauge tasks in terms of
 Impact of doing them
 Effect of not doing them
Main aim of prioritization is to avoid a crisis
We must Schedule our Priorities as opposed to Prioritizing our Schedule
Time Management quadrants
1. Urgent and Important – Do Now
2. Not Urgent and Important – Schedule on your calendar
3. Urgent and Not Important – Delegate, Automate or Decline
4. Not Urgent and Not Important – Drop or Decline
Work Management
Six steps for expectation setting with the stakeholders
1. Describe the jobs in terms of major outcomes and link to the organization’s need
The first step in expectation setting is to describe the job to the employees. Employees need to feel
there is a greater value to what they do; we need to feel that our individual performance has an
impact on the organization's mission.
Answer this question: My work is the key to ensuring the organization's success because…
While completing the answer link it to
- Job Description
- Team and Organization’s need
- Performance Criteria
2. Share expectations in terms of work style
While setting expectation, it’s not only important to talk about the “what we do” but also on “how
we expect to do it”. What are the ground rules for communication at the organization?
Sample ground rules
- Always let your team know where the problems are. Even if you have a solution, no one likes
surprises.
- Share concerns openly and look for solutions
- If you see your colleagues doing something well, tell them. If you see them doing something
poorly, tell them.
Sample work style questions
- Do you like to think about issues by discussing them in a meeting or by having quiet time alone?
- How do you prefer to plan your day?
3. Maximize Performance - Identify what is required to complete the work: Supervisor needs /
Employee needs. Set input as well as output expectations
In order to ensure employees are performing at their best, the supervisor needs to provide not only
the resource (time, infrastructure, desk, recognition etc.) but also the right levels of direction (telling
how to do the task) and support (engaging with employees about the task).
4. Establish priorities.
Establish thresholds and a crisis plan
Use the time quadrant to establish priorities. Refer to earlier session.
5. Revalidate understanding.
Create documentation and communication plan to establish all discussion
When you are having a conversation about expectations with stakeholders, you’re covering lot of
details so you’ll need to review to make sure you both have a common understanding of the
commitments you have made.
6. Establish progress check
No matter how careful you have been in setting expectations, you’ll want to follow up since there
will be questions as work progresses.
Schedule an early progress check to get things started the right way, and agree on
scheduled/unscheduled further checks. Acknowledge good performance and point out ways to
improve.
Quality Standards Adherence
Goals and objectives should be SMART (Specific, Measurable, Achievable, Relevant, Time-bound).

Service Level Agreements


A Service Level Agreement (SLA) is a contract between a service provider and its internal or external
customers that documents what services the provider will furnish.
SLA measures the service provider’s performance and quality in a number of ways.
Some sample metrics SLAs may specify or include:
– the percentage of the time services will be available
– being performed in work units
– specify performance benchmarks to which actual performance will be periodically compared
In addition to establishing performance metrics, an SLA may include a plan for addressing
downtime and documentation for how the service provider will compensate customers in the event
of a contract breach. SLAs, once established, should be periodically reviewed and updated to reflect
changes in technology and the impact of any new regulatory directives.

Previous year university questions

1. Components of an Information System directly affected by study of computer security:


The six components of an information system which are most directly affected by the study of
computer security are software, hardware, data, people, procedures, and networks.

People would be impacted most by the study of computer security. People can be the weakest link
in an organization's information security program. And unless policy, education and training,
awareness, and technology are properly employed to prevent people from accidentally or
intentionally damaging or losing information, they will remain the weakest link. Social engineering
can prey on the tendency to cut corners and the commonplace nature of human error. It can be used
to manipulate the actions of people to obtain access information about a system.

Procedures, written instructions for accomplishing a specific task, could be another component,
which will be impacted. The information system will be effectively secured by teaching employees
to both follow and safeguard the procedures. Following procedure reduces the likelihood of
employees erroneously creating information insecurities. Proper education about the protection of
procedures can avoid unauthorized access gained using social engineering.
Hardware and software are the components that are historically associated with the study of
computer security. However, the IS component that created much of the need for increased
computer and information security is networking.

1. Software: Perhaps the most difficult part of the system to secure, because most software used is
written by third parties. Also, since the software field is so competitive, many products are
rushed to market before they have been thoroughly tested and debugged. These bugs and
“security holes” quickly are discovered by members of the hacking community and soon
information is spread about “exploits” that take advantage of those “holes,” which are then
implemented by unscrupulous individuals.
2. Hardware: This is specifically the computers themselves. While there are very few ways to use
hardware directly to defeat security, the data stored on the hardware can be stolen by the simple
expedient of stealing the hardware itself. Laptop computers are especially vulnerable to theft.
3. Data: This is the primary target of thieves. Proprietary and confidential personal data is a
particularly lucrative source of income for criminals, especially in the fields of industrial
espionage and identity theft.
4. People: People are often overlooked as a part of an information system. However, they are as
much a part as hardware, software or data. Without people, there would be no need for data or
software, and no use for hardware. However, being human, people make mistakes, or deliberate
acts, that can compromise the security of any system. Proper education and monitoring of
people is necessary to prevent security breaches, whether they be accidental or deliberate.
5. Procedures: Procedures are also overlooked as potential security risks. Deficient design of
procedures, as well as outsiders’ learning existing procedures, can lead to the compromise of
critical data.
6. Networks: Information used by an organization needs to be shared among the members of that
organization. Networking makes sharing of information easy, but at the cost of dramatically
increasing the risk of compromising security. Wireless networks can be monitored by outsider’s
computers with wireless capabilities. Similarly, wired networks can be tapped.
Wide Area networks typically use public telephone or cable lines to transmit data, and these
public lines can also be tapped. These facts, as well as others make it crucial to design
procedures and protocols for users of networks that make data as secure as possible.

Of these six components, data is the most critical, and therefore the most directly affected by
the study of computer security. However, in order to make data secure, it is necessary to study
all six components, since they are all related parts of an integrated whole.

2. Information security implementation: Top-down and Bottom-up approaches:


Methods of implementation:
 Bottom-up Approach
Organizations have dealt with the problem of security management through varied
means. Traditionally, enterprises have adopted a bottom-up approach, in which
operational staff initiate the process and then propagate their findings upward to
management as proposed policy recommendations. Because management then has no
clear picture of the threats involved, their implications, the resources required, the
likely return or the method of implementation, this approach has often failed.

 Top-down Approach
Looking at the issue the other way round, the top-down approach is proving to be
highly successful. Here, management understands the seriousness of the problem and
initiates the process, which is then systematically percolated down to the operations staff.

Pros and Cons of Top-Down and Bottom-up:


 Top-down: has strong upper-management support.
Pros: coordination between departments, assured funding, a clear planning and implementation
process, and the ability to influence organizational culture; it fits naturally with a formal SDLC.
 Bottom-up: begins as a grass-roots effort in which system administrators attempt to improve the
security of their own systems.
Pros: technical expertise; built on day-to-day operational experience.
Cons: no coordinated planning from upper management or across departments; insufficient resources.
• Involvement and support of end users is critical in either approach.
Top-down approach is superior compared to bottom-up approach:
The bottom-up approach is a method of establishing security policies that begins as a grass-roots
effort in which systems administrators attempt to improve the security of their systems.
Unfortunately, the bottom-up approach seldom works because it lacks critical features such as
participant support and organizational staying power. Unlike the bottom-up approach, the top-down
approach has a higher probability of success. It is a methodology of establishing security
policies that is initiated by upper management, who issue policies, procedures and processes.
Strong upper management support, a dedicated champion, usually dedicated funding, a clear
planning and implementation process and the means of influencing organizational culture are
the components that make this strategy better than the bottom-up approach.

3. Security Systems Development Life Cycle (SecSDLC)

• An SDLC is a methodology for the design and implementation of an information system in an
organization and is widely used in IT organizations
• SDLC-based projects may be initiated by events or planned
• At the end of each phase, a review occurs to determine if the project should be continued,
discontinued, outsourced, or postponed
• The SecSDLC methodology is similar to the SDLC, but it focuses on
–Identification of specific threats and the risks they represent
–Design and implementation of specific controls to counter those threats and manage the risks
posed to the organization

SDLC: The Software/System Development Life Cycle is a process by which user requirements
are elicited and software satisfying these requirements is designed, built, tested and delivered to the
client.

Phases of the SecSDLC
1. Investigation in the SecSDLC (S1)
–Phase begins with directive from management specifying the process, outcomes, and goals of
the project and its budget
–Frequently begins with the affirmation or creation of security policies
–Teams assembled to analyze problems, define scope, specify goals and identify constraints
–Feasibility analysis
•Determines whether the organization has the resources and commitment to conduct a
successful security analysis and design
2. Analysis in the SecSDLC (S2)
–Prepare analysis of existing security policies and programs, along with known threats and
current controls
–Analyze relevant legal issues that could affect the design of the security solution
–Risk management begins in this stage
•The process of identifying, assessing, and evaluating the levels of risk facing the organization,
specifically the threats to the information stored and processed by the organization
•A threat is an object, person, or other entity that represents a constant danger to an asset
An attack
–A deliberate act that exploits a vulnerability to achieve the compromise of a controlled system
–Accomplished by a threat agent that damages or steals an organization’s information or
physical assets
An exploit
–A technique or mechanism used to compromise a system
A vulnerability
–An identified weakness of a controlled system in which necessary controls are not present
or are no longer effective
Threats to Information Security
3. Design in the SecSDLC (S3)
–Create and develop a blueprint (proposed system-based solution) for security
–Examine and implement key policies
–Evaluate the technology needed to support the security blueprint
–Generate alternative solutions
–Agree upon a final design

Security models may be used to guide the design process
–Models provide frameworks for ensuring that all areas of security are addressed
–Organizations can adapt or adopt a framework to meet their own information security needs

A critical design element of the information security program is the information security
policy
•Management must define three types of security policy
–Enterprise information security policies
–Issue-specific security policies
–Systems-specific security policies

A SETA program consists of three elements
–Security education, security training, and security awareness
•The purpose of SETA is to enhance security by
–Improving awareness
–Developing skills and knowledge
–Building in-depth knowledge

Design controls and safeguards
–Used to protect information from attacks by threats
–Three categories of controls: managerial, operational and technical
a. Managerial controls
–Address the design and implementation of the security planning process, security program
management, risk management, and security control reviews

b. Operational controls – cover management functions and lower-level planning
–Disaster recovery
–Incident response planning
–Personnel security
–Physical security
–Protection of production inputs and outputs

c. Technical controls
–Address tactical and technical issues related to designing and implementing security in the
organization
–Technologies necessary to protect information are examined and selected

Contingency planning
–Prepare, react and recover from circumstances that threaten the organization
•Types of contingency planning
–Incident response planning (IRP)
–Disaster recovery planning (DRP)
–Business continuity planning (BCP)

4. Physical security (S4)
–Design, implementation, and maintenance of countermeasures that protect the physical
resources of an organization
•Physical resources include
–People
–Hardware
–Supporting information system elements

5. Implementation in the SecSDLC (S5)
–Security solutions are acquired, tested, implemented, and tested again
–Personnel issues are evaluated and specific training and education programs conducted
•Management of the project plan
–Planning the project
–Supervising the tasks and action steps within the project
–Wrapping up the project

Members of the development team
–Champion
–Team leader
–Security policy developers
–Risk assessment specialists
–Security professionals
–Systems administrators
–End users

Staffing the information security function
–Decide how to position and name the security function
–Plan for the proper staffing of the information security function
–Understand the impact of information security across every role in IT
–Integrate solid information security concepts into the personnel management practices of the
organization
Information security professionals
–Chief information officer (CIO)
–Chief information security officer (CISO)
–Security managers
–Security technicians
–Data owners
–Data custodians
–Data users

Professional certifications
–CISSP
–SSCP
–GIAC
–Security +
–CISM

6. Maintenance and change in the SecSDLC (S6)
–Once the information security program is implemented, it must be operated, properly
managed, and kept up to date by means of established procedures
–If the program is not adjusting adequately to the changes in the internal or external
environment, it may be necessary to begin the cycle again

Aspects of a maintenance model
–External monitoring
–Internal monitoring
–Planning and risk assessment
–Vulnerability assessment and remediation
–Readiness and review
