ISM UNIT 1 Notes
Information Security:
Information systems should be secured from unauthorized access, use, disclosure, disruption,
modification, perusal, inspection, recording or destruction. The core function of this discipline
is to ensure the confidentiality, integrity and availability of data to the right users within and
outside the organization.
In this context, confidentiality is a set of rules that limits access to information, integrity is the
assurance that the information is trustworthy and accurate, and availability is a guarantee of
reliable access to the information by authorized people.
1. Application Security
Application Security roles are responsible for ensuring the stable and secure functioning of
applications. Application Security professionals perform the following functions in an
organization:
Knowing threats
Securing the network, host and application
Incorporating security into the software development process
2. Security Testing
Security Testing involves devising test standards and test cases covering the confidentiality,
integrity, authentication, availability, authorization and non-repudiation of information. Security
Testing professionals perform scheduled and ad-hoc tests to assess the vulnerability and security
of an organization's information systems.
3. Incident Management
Incident Management roles work towards restoring normal service operations in an organization
to minimize the adverse effect on business operations, thus ensuring that the best possible level
of service quality and availability is maintained. Incident management professionals manage and
protect computer assets, networks and information systems to answer the key question “what to
do, when things go wrong”.
5. Network Security
Network Security roles are responsible for defining and implementing overall network security
that includes baseline configuration, change control, security standards and process
implementation.
6. Privacy
Privacy roles are responsible for defining and managing data, information and IP policies for an
organization. These roles require knowledge of information security norms and of data privacy
norms and regulations. Privacy professionals help define and implement privacy standards and
build privacy awareness to protect an organization's information assets.
In each of these set-ups, the essential functions and the highlighted tracks remain the same;
however, the delivery style, and hence the skills required, vary slightly depending upon the
set-up.
7. IT Forensics
IT Forensics roles collect, process, preserve, analyze and present computer-related evidence in
support of network vulnerability mitigation, and/or criminal, fraud, counter-intelligence or law
enforcement investigations.
Information Security analyst – overview:
With the pervasive growth and use of digital information, much of which is confidential, there
has also been growth in incidents of information theft, including cyber-attacks by hackers, in
both governments and private companies. This has created the need for the position of
information security analyst.
Those who work as information security analysts are responsible for keeping information safe
from data breaches using a variety of tools and techniques. Information security analysts protect
information stored on computer networks, in applications etc. They do this with special software
that allows them to keep track of those who can access and who have accessed data. Also, they
may perform investigations to determine whether or not data has been compromised, the extent
of it and related vulnerabilities.
An entry level position may operate the software to monitor and analyze information.
At senior level positions, one may carry out investigative work to determine whether a security
breach has occurred.
At higher levels people design systems and architecture to address these vulnerabilities.
The field of information security has seen significant growth in recent times, and the number of
job opportunities in this area is likely to increase in the near future. Recent incidents of
information theft from large companies like Target, Sony and Citibank have shown the risks and
challenges of this field and underline the growing need for information security and for
professionals in this field. We are now witnessing a rising background level of data leakage
from governments, businesses and other organizations, families and individuals. A large part of
an information security analyst's work involves monitoring data use and access on a computer
network.
Information security analysts can find themselves working with IT Companies, financial and
utility companies and consulting firms. They may also find positions with government
organizations. Any company or organization with data to protect may hire information security
analysts, so they could find themselves working at a wide variety of different institutions. A
number of companies operate "Security Operation Centers (SOCs)" that deliver security
monitoring services either for the company itself (captive) or for clients.
Threat
A potential for violation of security exists when there is a circumstance, capability, action, or
event that could breach security and cause harm. That is, a threat is a possible danger that might
exploit a vulnerability.
Attack
An assault on system security that derives from an intelligent threat; that is, an intelligent act that
is a deliberate attempt (especially in the sense of a method or technique) to evade security
services and violate the security policy of a system.
Information Security: It can be defined as "measures adopted to prevent the unauthorized use,
misuse, modification or denial of use of knowledge, facts, data or capabilities". Three aspects of
IS are:
Security Attack: Any action that compromises the security of information.
Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a
security attack.
Security Service: A processing or communication service that enhances the security of the
data processing systems and the information transfers of an organization. The services are
intended to counter security attacks, and they make use of one or more security mechanisms
to provide the service.
SECURITY ATTACK
A security attack is any action that compromises the security of information owned by an
organization. Information security is about how to prevent attacks, or failing that, to detect
attacks on information-based systems. The terms threat and attack are often used to mean the
same thing. There is a wide range of attacks, but we can focus on two generic types:
Passive attack
Active attack
a.) PASSIVE ATTACK
A Passive attack attempts to learn or make use of information from the system, but does not
affect system resources.
Two types:
1. Release of message content
It may be desirable to prevent the opponent from learning the contents (i.e sensitive or
confidential info) of the transmission.
2. Traffic analysis
A more subtle technique in which the opponent determines the location and identity of the
communicating hosts and observes the frequency and length of the encrypted messages being
exchanged, thereby guessing the nature of the communication taking place. Passive attacks are
very difficult to detect because they do not involve any alteration of the data. As the
communication takes place in a normal fashion, neither the sender nor the receiver is aware that
a third party has read the messages or observed the traffic pattern. So, the emphasis in dealing
with passive attacks is on prevention rather than detection.
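The following is an added example, not part of the original notes, showing why traffic analysis works even against good encryption, and why padding is the usual prevention. It assumes a small fixed set of commands that the observer already knows; the command list, the key and the keystream cipher (SHA-256 in counter mode, used only so that ciphertext length equals plaintext length) are all constructed for this illustration and are not a vetted cipher.

```python
"""Traffic analysis on a length-preserving cipher, and padding as the countermeasure."""
from __future__ import annotations

import hashlib

# Constructed for this example: the fixed set of commands an operator can send.
# A passive observer is assumed to know this list (it is not secret).
COMMANDS = [b"ok", b"halt", b"reboot", b"shutdown -h now"]


def keystream(key: bytes, length: int) -> bytes:
    """Constructed keystream (SHA-256 in counter mode). Illustration only; it just
    gives us a cipher whose ciphertext is exactly as long as the plaintext."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


def pad(data: bytes, block: int = 16) -> bytes:
    """PKCS#7-style padding so every command occupies a whole number of blocks."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if n < 1 or n > len(data) or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def guess_command(ciphertext: bytes, padded: bool = False) -> list[bytes]:
    """What the passive observer learns: every command whose on-the-wire length
    matches the observed ciphertext length. Without the key, length is all it has."""
    wire = [pad(c) if padded else c for c in COMMANDS]
    return [c for c, w in zip(COMMANDS, wire) if len(w) == len(ciphertext)]


def observe(key: bytes, commands: list[bytes], padded: bool = False) -> list[list[bytes]]:
    """Sender encrypts each command; the observer guesses from lengths alone."""
    guesses = []
    for cmd in commands:
        ct = encrypt(key, pad(cmd) if padded else cmd)
        guesses.append(guess_command(ct, padded))
    return guesses


if __name__ == "__main__":
    key = b"constructed demo key"
    print("unpadded:", observe(key, COMMANDS))
    print("padded:  ", observe(key, COMMANDS, padded=True))
```

Without padding every command is identified exactly, because the four commands have four different lengths; with all commands padded to one 16-byte block, every ciphertext is 16 bytes and the observer is left with all four candidates. Timing and message frequency leak in the same way, which is why protocols such as TLS offer record padding and why the notes stress prevention over detection here.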
ACTIVE ATTACK
Active attacks involve some modification of the data stream or creation of a false stream. An
active attack attempts to alter system resources or affect their operation.
Four types:
Masquerade: Here, an entity pretends to be some other entity. It usually includes one of the
other forms of active attack.
Replay: It involves the passive capture of a data unit and its subsequent retransmission to
produce an unauthorized effect.
Modification of messages: Some portion of a legitimate message is altered, or messages are
delayed or reordered, to produce an unauthorized effect.
Denial of service: Prevents or inhibits the normal use or management of communication
facilities, for example by suppressing all messages to a particular destination or by flooding a
network to degrade its performance.
Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are
difficult to detect, measures are available to prevent their success. On the other hand, it is quite
difficult to prevent active attacks absolutely, because of the wide variety of potential physical,
software and network vulnerabilities. Instead, the goal is to detect active attacks and to recover
from any disruption or delays caused by them.
INTERRUPTION
An asset of the system is destroyed or becomes unavailable or unusable. It is an attack on
availability.
Examples:
Destruction of some hardware
Jamming wireless signals
Disabling file management systems
INTERCEPTION
An unauthorized party gains access to an asset.
Attack on confidentiality.
Examples:
Wire tapping to capture data in a network.
Illicitly copying data or programs
Eavesdropping
MODIFICATION
When an unauthorized party gains access to an asset and tampers with it. Attack on integrity.
Examples:
Changing data file
Altering a program and the contents of a message
FABRICATION
An unauthorized party inserts a counterfeit object into the system. Attack on authenticity. Also
called impersonation.
Examples:
Hackers gaining access to a personal email account and sending messages from it
Insertion of records in data files
Insertion of spurious messages in a network
SECURITY SERVICES
It is a processing or communication service that is provided by a system to give a specific kind of
protection to system resources. Security services implement security policies and are
implemented by security mechanisms.
1. Confidentiality
Confidentiality is the protection of transmitted data from passive attacks. It is used to prevent the
disclosure of information to unauthorized individuals or systems. It has been defined as
“ensuring that information is accessible only to those authorized to have access”.
The other aspect of confidentiality is the protection of traffic flow from analysis.
Ex: A credit card number has to be secured during online transaction.
2. Authentication
This service assures that a communication is authentic. For a single message transmission, its
function is to assure the recipient that the message is from the source it claims to be from. For an
ongoing interaction two aspects are involved. First, at connection initiation, the service assures
that the two entities are authentic. Second, the service must assure that the connection is not
interfered with in such a way that a third party can masquerade as one of the two legitimate
parties. Two specific authentication services defined in X.800 are
1. Peer entity authentication: Verifies the identities of the peer entities involved in the
communication. It is provided for use at the time of connection establishment or during the
data transfer phase, and gives confidence that an entity is not performing a masquerade or an
unauthorized replay.
2. Data origin authentication: Provides corroboration of the source of a data unit, but does not
provide protection against duplication or modification of data units. It supports applications
like electronic mail, where no prior interaction takes place between the communicating entities.
3. Integrity
Integrity means that data cannot be modified without authorization. Like confidentiality, it can
be applied to a stream of messages, a single message or selected fields within a message. Two
types of integrity services are available. They are
1. Connection-Oriented Integrity Service: This service deals with a stream of messages,
assures that messages are received as sent, with no duplication, insertion, modification,
reordering or replays. Destruction of data is also covered here. Hence, it attends to both
message stream modification and denial of service.
2. Connectionless Integrity Service: It deals with individual messages regardless of any larger
context, generally providing protection against message modification only.
An integrity service can be applied with or without recovery. Because it relates to active
attacks, the major concern is detection rather than prevention. If a violation is detected and the
service reports it, either human intervention or automated recovery mechanisms are required to
recover.
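The following added example (not from the notes) implements the connection-oriented integrity service described above with a shared key, and shows it detecting the active attacks from the earlier list: modification of a message, a masquerade by someone without the key, a replay of an old frame, and a missing or reordered frame. The frame layout (8-byte sequence number, payload, HMAC-SHA256 tag), the key and the messages are constructed for this illustration and do not follow any particular standard.

```python
"""Connection-oriented integrity with a shared key: an HMAC over a sequence
number and the payload lets the receiver detect modification, forgery,
replay and reordering of a message stream."""
from __future__ import annotations

import hashlib
import hmac
import struct

SEQ_LEN = 8   # 64-bit big-endian sequence number
TAG_LEN = 32  # HMAC-SHA256 output


def make_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq || payload || HMAC(key, seq || payload)."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Accepts frames strictly in order; anything else is reported, not silently dropped."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected = 0
        self.accepted: list[bytes] = []

    def receive(self, frame: bytes) -> str:
        if len(frame) < SEQ_LEN + TAG_LEN:
            return "rejected: truncated"
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        # Verify the tag before trusting anything in the frame, including the sequence number.
        expected_tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):
            return "rejected: modified or forged"      # tampering or masquerade
        (seq,) = struct.unpack(">Q", header)
        if seq < self.expected:
            return "rejected: replay"                  # sequence number already consumed
        if seq > self.expected:
            return "rejected: gap or reordering"       # something was dropped or delayed
        self.expected += 1
        self.accepted.append(payload)
        return "accepted"


def run_demo() -> list[str]:
    """Constructed scenario: a sender, a receiver and an on-path attacker."""
    key = b"constructed shared key"
    messages = [b"transfer 10", b"transfer 20", b"transfer 30", b"transfer 40", b"transfer 50"]
    frames = [make_frame(key, i, msg) for i, msg in enumerate(messages)]
    rx = Receiver(key)
    verdicts = [rx.receive(frames[0]), rx.receive(frames[1])]   # normal traffic
    verdicts.append(rx.receive(frames[0]))                       # attacker replays an old frame
    tampered = bytearray(frames[2])
    tampered[SEQ_LEN + 9] ^= 0x01                                # attacker flips a payload byte
    verdicts.append(rx.receive(bytes(tampered)))
    verdicts.append(rx.receive(make_frame(b"wrong key", 2, b"transfer 9000")))  # masquerade
    verdicts.append(rx.receive(frames[2]))                       # the genuine frame 2 arrives
    verdicts.append(rx.receive(frames[4]))                       # frame 3 has gone missing
    verdicts.append(rx.receive(frames[3]))                       # late frame 3 is now in order
    return verdicts


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The tag is checked first so that an attacker cannot drive the sequence-number logic with unauthenticated data. Strict in-order acceptance is the simplest form of the service; real protocols such as IPsec use a sliding anti-replay window to tolerate legitimate reordering. Note what this does not give you: because sender and receiver hold the same key, a valid tag cannot prove to a third party which of them produced the message, which is the gap non-repudiation addresses next.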
4. Non-repudiation
Non-repudiation prevents either sender or receiver from denying a transmitted message. This
capability is crucial to e-commerce. Without it an individual or entity can deny that he, she or it
is responsible for a transaction, therefore not financially liable.
5. Access Control
This refers to the ability to control the level of access that individuals or entities have to a
network or system and how much information they can receive. It is the ability to limit and
control the access to host systems and applications via communication links. For this, each entity
trying to gain access must first be identified or authenticated, so that access rights can be tailored
to the individuals.
6. Availability
It is defined as the property of a system or a system resource being accessible and usable upon
demand by an authorized system entity. Availability can be significantly affected by a variety of
attacks, some amenable to automated countermeasures such as authentication and encryption,
and others requiring some sort of physical action to prevent or recover from loss of availability of
elements of a distributed system.
SECURITY MECHANISMS:
According to X.800, the security mechanisms are divided into those implemented in a specific
protocol layer and those that are not specific to any particular protocol layer or security service.
X.800 also differentiates reversible and irreversible encipherment mechanisms. A reversible
encipherment mechanism is simply an encryption algorithm that allows data to be encrypted and
subsequently decrypted, whereas irreversible encipherment mechanisms include hash algorithms
and message authentication codes, which are used in digital signature and message
authentication applications.
Vulnerabilities
Vulnerability is a weakness in an information system, system security procedures, internal
controls, or implementation that could be exploited or triggered by a threat source.
Threat agent or actor refers to the intent and method targeted at the intentional exploitation of
the vulnerability or a situation and method that may accidentally trigger the vulnerability.
A threat vector is a path or a tool that a threat actor uses to attack the target.
Threat targets are anything of value to the threat actor such as PC, laptop, PDA, tablet, mobile
phone, online bank account or identity.
Threat classification
Microsoft has proposed a threat classification called STRIDE from the initials of threat
categories:
a.) Spoofing: (affects authenticity)
It is a fraudulent or malicious practice in which communication is sent from an unknown
source disguised as a source known to the receiver.
b.) Tampering: (affects integrity)
It is a process of modifying data through unauthorized channels.
c.) Repudiation: (affects non-repudiability)
It is the ability of users to deny that they performed specific actions or transactions; the attacker
carries out a transaction in such a way that there is no proof of who did it.
d.) Information disclosure (privacy breach or data leak) (affects confidentiality)
It is a security incident in which sensitive, protected or confidential data is copied,
transmitted, viewed, stolen or used by an unauthorized person.
e.) Denial of service(DoS): (affects availability)
It is a security event that occurs when an attacker prevents legitimate users from accessing
specific computer systems, devices, services or other IT resources.
f.) Elevation of privilege(EoP): (affects authorization)
Giving an attacker authorization permissions beyond those initially granted.
Ex: changing “read-only” permission to “read and write” permission
• Virus
A virus is a malicious program that injects its code into other programs, applications or data
files, which thereby become "infected". A virus is installed without the user's consent and
spreads in the form of executable code transferred from one host to another.
Types of viruses include resident virus, non-resident virus, boot sector virus, macro virus,
file-infecting virus (file-infector), polymorphic virus, metamorphic virus, stealth virus,
companion virus and cavity virus.
• Worm
A worm is a category of malicious program that exploits operating system or network
vulnerabilities to spread itself. In design a worm is quite similar to a virus and is sometimes
considered a sub-class of viruses. Unlike a virus, though, a worm can replicate and spread by
itself; during this process it does not need to attach itself to any existing program or executable.
Different types of worms, based on their method of spread, are email worms, internet worms,
network worms and multi-vector worms.
• Trojan
Computer Trojans or Trojan horses are named after the mythological Trojan horse owing to the
similarity in operating strategy. Trojans are a type of malware that masquerades as a benign or
even useful application but actually damages the host computer after installation. Unlike viruses,
Trojans do not self-replicate; they rely on the end user being induced to install them.
Types of Virus
1. Depending on the virus "residence", we can classify viruses in the following way:
a. Resident virus - a virus that embeds itself in the memory of the target host. In this way it
becomes activated every time the OS starts or executes a specific action.
b. Non-resident virus - when executed, this type of virus actively seeks targets for infection
on local, removable or network locations. After infecting them it exits, so it does not
remain resident in memory.
c. Boot sector virus - a type of virus that infects the boot sector of floppy disks or the
Master Boot Record (MBR) of hard disks (some infect the boot sector of the hard disk
instead of the MBR).
d. Macro virus - a virus written in a macro language and embedded in Word, Excel, Outlook
etc. documents. This type of virus is executed as soon as the document that contains it is
opened, because macro execution within those documents is automatic unless the
application blocks it.
a. File-infecting virus (file-infector) - this is the classic form of virus. When the infected file is
executed, the virus seeks out other files on the host and infects them with malicious code.
The malicious code is inserted either at the beginning of the host file code (prepending
virus), in the middle (mid-infector) or at the end (appending virus). A specific type of virus
called a "cavity virus" can even inject its code into gaps in the file structure itself. The entry
point of the file is changed to the start of the virus code to ensure that it runs when the file is
executed. Afterwards, control may or may not be passed on to the original program.
Depending on the infection routine, the host file may become corrupted and completely
non-functional. More sophisticated viral forms allow the host program to execute normally
while trying to hide their presence completely (see polymorphic and metamorphic viruses).
b. Polymorphic virus - a virus that changes its appearance with every infection in order to
avoid detection by signature-based scanners. It is typically self-encrypting: the virus body is
stored encrypted under a varying key, and the small decryption routine is mutated each time,
so each copy of the virus is functionally identical but looks different on disk.
c. Metamorphic virus - this virus is capable of rewriting its own code with each infection.
The rewriting process makes each infection look different, but the functionality of the code
remains the same. The metamorphic nature of this virus type can also make it possible to
infect executables of two or more different operating systems or even different computer
architectures. Metamorphic viruses are among the most complex to build and very difficult
to detect.
d. Stealth virus - a memory-resident virus that uses various mechanisms to avoid detection.
This can be achieved, for example, by removing itself from the infected files and placing a
copy of itself in a different location. The virus can also maintain a clean copy of the infected
files in order to present it to the antivirus engine for scanning while the infected version
remains undetected. Furthermore, stealth viruses actively work to conceal any traces of their
activities and of the changes made to files.
e. Multipartite virus - this attempts to attack both executable files and the master boot record
of the drive at the same time. This type may be tricky to remove: even when the executable
files have been cleaned, it can re-infect the system all over again from the boot sector if that
was not cleaned as well.
f. Camouflage virus - this virus type is able to report itself to the antivirus software as a
harmless program. Where the virus has code similar to that of legitimate, uninfected files,
the antivirus application is tricked into believing it is dealing with the legitimate program.
This works only against basic signature-based antivirus software. Nowadays antivirus
solutions have become more elaborate, and camouflage viruses are quite rare and not a
serious threat due to the ease of their detection.
g. Cavity virus - unlike traditional viruses, the cavity virus does not attach itself to the end of
the infected file but instead uses the empty spaces within the program file itself (which exist
there for a variety of reasons). This way the length of the program is not changed and the
virus can more easily avoid detection. In most cases the injection does not impact the
functionality of the host file at all. Cavity viruses are quite rare, though.
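The cavity virus above defeats any monitor that only watches file sizes. The following added example (not part of the notes) is a minimal hash-based file integrity baseline that catches a same-length change as well as an appended change and a dropped file. The "program" is a constructed byte string with a zero-filled gap standing in for the cavity, the "infection" is a simulated overwrite of that gap, and everything happens in a temporary directory; no real malware is involved.

```python
"""Hash-based file integrity baseline.

A size or timestamp check misses a same-length change, which is exactly what a
cavity infector produces; a cryptographic hash of the content does not."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def baseline(root: Path) -> dict[str, tuple[int, str]]:
    """Map relative path -> (size, sha256 hex) for every regular file under root."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            result[path.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def compare(before: dict, after: dict) -> dict[str, str]:
    """Report every difference between two baselines."""
    findings = {}
    for name in sorted(set(before) | set(after)):
        if name not in before:
            findings[name] = "new file"
        elif name not in after:
            findings[name] = "deleted"
        else:
            (old_size, old_hash), (new_size, new_hash) = before[name], after[name]
            if old_hash != new_hash:
                findings[name] = ("content changed, same size" if old_size == new_size
                                  else "content and size changed")
    return findings


def size_only_check(before: dict, after: dict) -> list[str]:
    """What a naive size-only monitor would flag, for comparison."""
    return sorted(n for n in before if n in after and before[n][0] != after[n][0])


def demo() -> tuple[dict[str, str], list[str]]:
    """Constructed scenario in a temp directory; no real malware involved."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Fake 'program': a few code bytes, a 64-byte zero run (the cavity), a return.
        program = b"\x55\x48\x89\xe5" + b"\x00" * 64 + b"\xc3"
        (root / "app.bin").write_bytes(program)
        (root / "notes.txt").write_text("hello\n")
        before = baseline(root)

        # Simulated cavity infection: overwrite part of the zero run; length unchanged.
        infected = bytearray(program)
        infected[4:12] = b"\x90" * 8
        (root / "app.bin").write_bytes(bytes(infected))
        # Simulated appending change: the file grows, so even a size check sees it.
        (root / "notes.txt").write_text("hello\nextra\n")
        # Simulated dropped file.
        (root / "dropped.dll").write_bytes(b"MZ" + b"\x00" * 16)
        after = baseline(root)

        return compare(before, after), size_only_check(before, after)


if __name__ == "__main__":
    findings, size_flags = demo()
    print("hash baseline:", findings)
    print("size-only check:", size_flags)
```

The size-only check flags just notes.txt; the hash comparison also flags app.bin as changed at the same size. Two caveats a practitioner would add: the baseline must be stored somewhere the malware cannot rewrite, and it must be taken and re-checked from a trusted state (for example booting from clean media), because a stealth virus of the kind described above can intercept file reads on the infected system and hand the scanner the clean copy.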
Source - News Articles. Let us discuss recent news about a new version of a notorious piece of
malware, detected by cyber experts, that takes over a system until money is paid as ransom.
Version 2.0 of the TeslaCrypt ransomware encryptor family, say experts, is notorious for
infecting the computers of gamers. The malicious program is now targeting online consumers
and businesses via email attachments that block access to a computer system until a sum of
money, specifically in dollars, is paid as ransom. If the victim delays, the ransom is doubled.
Detected in February 2015, TeslaCrypt began infecting systems in the US, Europe and Southeast
Asian countries. It then appeared in Indian cities including Delhi and Mumbai. Two businessmen
from Agra were targeted this year, from whom the extortionist demanded more than $10,000. In
the last six months, two cases were reported in Agra where the malware locked down its victim's
most important files and kept them hostage in exchange for a ransom to unlock them.
Types of Worms
The most common categorization of worms relies on the method how they spread:
a. Email worms: spread through email messages, especially through those with attachments.
b. Internet worms: spread directly over the internet by exploiting access to open ports or
system vulnerabilities.
c. Network worms: spread over open and unprotected network shares.
d. Multi-vector worms: having two or more various spread capabilities.
Types of Trojans
Computer Trojans or Trojan horses are named after the mythological Trojan horse from the
Trojan War, in which the Greeks gave a giant wooden horse to their foes, the Trojans. As soon as
the Trojans dragged the horse inside their city walls, Greek soldiers sneaked out of the horse's
hollow belly and opened the city gates, allowing their army to capture Troy. A computer Trojan
horse works in a very similar way: it is a type of malware that masquerades as a benign or even
useful application but actually damages the host computer after installation.
Trojans do not self-replicate, which is their key difference from a virus, and they usually require
end-user intervention to be installed. In most scenarios this happens because the user is tricked
into believing that the program being installed is legitimate (this is very often connected with
social engineering attacks on end users).
One of the other common methods is for the Trojan to be spammed as an email attachment or a
link in an email. Another similar method has the Trojan arriving as a file or link in an instant
messaging client. Trojans can also be spread by means of drive-by downloads, or downloaded
and dropped by other Trojans or by legitimate programs that have been compromised.
The results of Trojan activities vary greatly, from low-impact ones that only change the
wallpaper or desktop icons, through Trojans that open backdoors on the computer and allow
other threats to infect the host or give a hacker remote access to the targeted system. Trojans can
also cause serious damage on the host by deleting files or destroying the data on the system in
various ways (such as formatting the drive or causing a BSOD). Such Trojans are usually stealthy
and do not advertise their presence on the computer. Trojans can be classified by the function
they perform and by the way they breach systems. An important thing to keep in mind is that
many Trojans have multiple payload functions, so any such classification provides only a general
overview and not a strict boundary.
Some of the most common Trojan types are:
1. Remote Access Trojans (RAT), aka Backdoor Trojans - this type of Trojan opens a backdoor
on the targeted system to allow the attacker remote access to the system or even complete
control over it. This is the most widespread type of Trojan and often has various other
functions as well. It may be used as an entry point for a DoS attack or for letting worms or
other Trojans onto the system. A computer with a sophisticated backdoor program installed
may also be referred to as a "zombie" or a "bot", and a network of such bots as a "botnet".
Backdoor Trojans are generally created by organized malware authors who aim to make
money out of their efforts. These Trojans can be highly sophisticated and can require more
work to implement than some of the simpler malware seen on the Internet.
3. Trojan-Proxy -
It is a type of Trojan horse designed to use the victim's computer as a proxy server.
4. Trojan-FTP - this Trojan is designed to open FTP ports on the targeted machine to allow a
remote attacker access to the host. Furthermore, the attacker can also access network shares
or connections to further spread other threats.
5. Destructive Trojan – this is designed to destroy or delete data. It is much like a virus.
6. Security Software Disabler Trojan - this is designed to stop security programs like antivirus
solutions, firewalls or IPS, either by disabling them or by killing their processes. This kind of
functionality is often combined with a destructive Trojan that executes data deletion or
corruption only after the security software is disabled. Security Software Disablers are
entry-stage Trojans that enable the next level of attack on the targeted system.
7. Info Stealer (Data Sending/Stealing Trojan) - this Trojan is designed to obtain confidential
or sensitive information from the compromised host and send it to a predefined location
(the attacker). The stolen data comprises login details, passwords, PII, credit card
information etc. Data-sending Trojans can be designed to look for specific information only
or can be more generic, like keylogger Trojans.
8. Keylogger Trojan – this is a type of data-sending Trojan that is recording every keystroke of
the end user. This kind of Trojan is specifically used to steal sensitive information from
targeted host and send it back to attacker. For these Trojans, the goal is to collect as much
data as possible without any direct specification what the data will be.
10. Trojan-Banker – a Trojan designed specifically to steal online banking information to allow
attacker further access to bank account or credit card information.
11. Trojan-IM – a type of data-sending Trojan designed specifically to steal data or account
information from instant messaging programs like MSN, Skype etc.
12. Trojan-Game Thief – a Trojan designed to steal information about online gaming account.
13. Trojan Mail Finder – a Trojan used to harvest any emails found on the infected computer.
The email list is being then forwarded to the remote attacker.
14. Trojan-Dropper –The purpose of Trojan Droppers, as the name suggests, is to install
malicious code on a victim's computer.
15. Trojan-Downloader – a Trojan that can download other malicious programs to the target
computer. Very often combined with the functionality of Trojan-Dropper. Most downloaders
that are encountered will attempt to download content from the internet rather than the local
network. In order to successfully achieve its primary function, a downloader must run on a
computer that is inadequately protected and connected to a network.
16. Trojan-Spy – this Trojan has a similar functionality to the Info stealer or Trojan-PSW and
its purpose is to spy on the actions executed on the target host. These can include tracking
data entered via keystrokes, collecting screenshots, listing active processes/ services on the
host or stealing passwords.
17. Trojan-ArcBomb -
The Trojan-ArcBomb is a malformed archive designed to freeze or crash the program that
unpacks it, or to flood the disk with a huge amount of data when it is decompressed (a
decompression bomb). Trojan-ArcBombs are typically disguised as something the user wants
to open, such as a computer game, a Word document or a PowerPoint file.
19. Trojan-SMS – a Trojan used to send text messages from infected mobile devices to
premium rate paid phone numbers.
20. Trojan-Ransom
This type of Trojan modifies data on the victim computer so that the victim can no longer use
the data, or it prevents the computer from running correctly. Once the data has been “taken
hostage” (blocked or encrypted), the user will receive a ransom demand.
The ransom demand tells the victim to send the malicious user money; on receipt of this, the
cyber criminal will send a program to the victim to restore the data or restore the computer’s
performance.
In another incident, detected by Kaspersky Lab, Pune, the TeslaCrypt ransomware encryptor
family exhibited a curious behaviour. Version 2.0 of the Trojan, notorious for infecting computer
gamers, displays an HTML page in the web browser which is an exact copy of the one shown by
CryptoWall 3.0, another notorious ransomware program. TeslaCrypt was first detected in
February 2015, and the new ransomware Trojan gained immediate notoriety as a menace to
computer gamers. Among other types of target files, it tries to encrypt typical gaming files: game
saves, user profiles, recorded replays etc. That said, TeslaCrypt does not encrypt files that are
larger than 268 MB. A few more examples of ransomware Trojans are CryptoLocker, CryptoWall,
CoinVault, TorLocker and CTB-Locker.
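Ransomware output is, by construction, indistinguishable from random bytes, and that is itself a detection signal. The following added example (not from the notes or from any vendor tool) triages files by byte entropy and uses magic bytes to exclude formats that are legitimately high-entropy, such as zip and gzip archives or JPEG and PNG images. The sample files, the threshold of 7.5 bits per byte and the ".locked" extension are all constructed assumptions; the random bytes are seeded so the run is reproducible.

```python
"""Entropy triage for ransomware output: encrypted files look like random bytes."""
from __future__ import annotations

import math
import random
from collections import Counter

HIGH_ENTROPY = 7.5  # bits per byte; assumed threshold, tune it per estate
# Legitimately high-entropy formats, recognised by magic bytes to cut false positives.
COMPRESSED_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    for magic, name in COMPRESSED_MAGIC.items():
        if data.startswith(magic):
            return f"known compressed format ({name})"
    if shannon_entropy(data) >= HIGH_ENTROPY:
        return "suspicious: high entropy, no known header"
    return "plaintext-like"


def sweep(files: dict[str, bytes]) -> dict[str, str]:
    """Classify every file in a {name: content} mapping."""
    return {name: classify(data) for name, data in files.items()}


def _random_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def sample_files() -> dict[str, bytes]:
    """Constructed samples (seeded so the run is reproducible)."""
    rng = random.Random(2015)
    text = b"Quarterly report: revenue up 4%, costs flat, headcount 120.\n" * 80
    return {
        "report.txt": text,                                      # the document before encryption
        "report.txt.locked": _random_bytes(rng, len(text)),      # stand-in for the ciphertext
        "photos.zip": b"PK\x03\x04" + _random_bytes(rng, 4000),  # legitimate but high entropy
        "empty.log": b"",
    }


if __name__ == "__main__":
    for name, verdict in sweep(sample_files()).items():
        print(f"{name:20s} {verdict}")
```

Entropy alone is a noisy signal: encrypted containers, compressed backups and media all score high, so in practice this check is paired with the behavioural signals of an encryptor at work, such as a process rewriting many files in quick succession, mass extension changes, and canary files that nothing legitimate should touch. The 268 MB size cap mentioned above is an example of attacker behaviour that a defender can also key on: very large files surviving untouched next to encrypted small ones.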
In 1983, this person was the first to offer the definition of 'Computer Virus'...
A. COHEN
B. NORTON
C. SMITH
D. McAfee
Ans: A - COHEN
-----------------------------------------------------------------------------------------------------------------------
Malware refers to software such as viruses, spyware, adware, worms, Trojans, ransomware etc.
that is designed to cause damage to a targeted computer or a certain degree of operational
disruption.
Rootkits are malicious software designed to hide certain processes or programs from detection.
A rootkit usually acquires and maintains privileged system access while hiding its presence at
the same time. It acts as a conduit by providing the attacker with a backdoor to a system.
Spyware is software that monitors and collects information about a particular user, computer
or organization without the user's knowledge. There are different types of spyware, namely
system monitors, Trojans (keyloggers, banker Trojans, infostealers), adware, tracking cookies etc.
Tracking cookies are a specific type of cookie that is distributed, shared and read across two
or more unrelated websites for the purpose of gathering information or potentially to present
customized data to you.
Riskware is a term used to describe potentially dangerous software whose installation may pose
a risk to the computer.
Scareware is a class of malware that includes both ransomware (Trojan.Ransom) and FakeAV
software. It is also well known under the names "Rogue Security Software" or "Misleading
Software". This kind of software tricks the user into believing that the computer has been infected and
offers paid solutions to clean the "fake" infection.
Spam is the term used to describe unsolicited or unwanted electronic messages, especially
advertisements. The most widely recognized form of spam is email spam.
Creepware is a term used to describe activities like spying on others through webcams (very often
combined with capturing pictures), tracking the online activities of others, listening to
conversations over the computer's microphone and stealing passwords and other data.
Blended threat defines an exploit that combines elements of multiple types of malware
components. The use of multiple attack vectors and payload types aims to increase both the severity
of the damage caused and the speed of spreading.
Common Vulnerabilities and Exposures (CVE) is a catalogue of known security threats. Every
exposure or vulnerability included in the CVE list consists of one common, standardized CVE name.
The catalogue is sponsored by the United States Department of Homeland Security (DHS), and
threats are divided into two categories:
Vulnerabilities
Exposures
1. According to the CVE website, a vulnerability is a mistake in software code that provides an
attacker with direct access to a system or network. For example, the vulnerability may allow
an attacker to pose as a super user or system administrator who has full access privileges.
2. An exposure, on the other hand, is defined as a mistake in software code or configuration that
provides an attacker with indirect access to a system or network. For example, an exposure
may allow an attacker to secretly gather customer information that could be sold.
The catalogue’s main purpose is to standardize the way each known vulnerability or exposure
is identified. This is important because standard IDs allow security administrators to quickly
access technical information about a specific threat across multiple CVE-compatible
information sources.
CVE is sponsored by US-CERT, the DHS Office of Cybersecurity and Information Assurance
(OCSIA).
MITRE, a not-for-profit organization that operates research and development centers
sponsored by the U.S. federal government, maintains the CVE catalogue and public website.
It also manages the CVE Compatibility Program, which promotes the use of standard CVE
identifiers by authorized CVE Numbering Authorities (CNAs).
CVE-ID Syntax
The new CVE-ID syntax is variable length and includes:
CVE prefix + Year + Arbitrary Digits
NOTE: The variable length arbitrary digits will begin at four (4) fixed digits and expand with arbitrary
digits only when needed in a calendar year, for example, CVE-YYYY-NNNN and if needed CVE-
YYYY-NNNNN, CVE-YYYY-NNNNNNN, and so on. This also means there will be no changes
needed to previously assigned CVE-IDs, which all include 4 digits.
The CVE description is a standardized text description of the issue(s). One common entry is:
"** RESERVED ** This candidate has been reserved by an organization or individual that will
use it when announcing a new security problem. When the candidate has been publicized, the
details for this candidate will be provided."
This means that the entry number has been reserved by MITRE for an issue, or that a CNA has reserved the
number. So in the case where a CNA requests a block of CVE numbers in advance (e.g. Red Hat
currently requests CVEs in blocks of 500), the CVE number will be marked as reserved even though
the CVE itself may not be assigned by the CNA for some time. Until the CVE is assigned AND MITRE
is made aware of it (e.g. the embargo passes and the issue is made public), AND MITRE has researched
the issue and written a description of it, entries will show up as "** RESERVED **".
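The CVE-ID syntax and the "** RESERVED **" placeholder described above, as an added example (not code from the notes or from MITRE): a small validator that accepts the variable-length CVE-YYYY-NNNN... form and classifies catalogue entries. The sample identifiers and descriptions are constructed and are not real CVE records.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "CVE-" prefix, a four-digit year, then a sequence number of at least four
# digits that only grows beyond four when a calendar year needs it.
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")

# Marker text used for entries whose number is allocated but not yet populated.
RESERVED_MARKER = "** RESERVED **"


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Re-render with the minimum four-digit zero padding.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> Optional[CveId]:
    """Return a CveId if `text` matches CVE-YYYY-NNNN (4+ digits), else None."""
    m = CVE_ID_RE.match(text.strip().upper())
    if not m:
        return None
    return CveId(year=int(m.group("year")), sequence=int(m.group("seq")))


def is_reserved(description: str) -> bool:
    """True when the description is the placeholder for a reserved number."""
    return description.strip().startswith(RESERVED_MARKER)


def classify_entry(cve_id: str, description: str) -> str:
    """Classify an (id, description) pair as 'invalid', 'reserved' or 'published'."""
    if parse_cve_id(cve_id) is None:
        return "invalid"
    return "reserved" if is_reserved(description) else "published"


# Constructed sample feed: the identifiers are placeholders, not real CVEs.
SAMPLE_ENTRIES: List[Tuple[str, str]] = [
    ("CVE-2099-0001", "** RESERVED ** This candidate has been reserved by an organization."),
    ("CVE-2099-123456", "Constructed description: out-of-bounds read in an example daemon."),
    ("CVE-99-0001", "Malformed identifier: two-digit year."),
    ("CVE-2099-123", "Malformed identifier: fewer than four sequence digits."),
]


def summarize(entries: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count how many entries in a feed fall into each class."""
    counts = {"invalid": 0, "reserved": 0, "published": 0}
    for cve_id, description in entries:
        counts[classify_entry(cve_id, description)] += 1
    return counts
```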
Security and Network attacks:
A network attack is usually defined as an intrusion on the network infrastructure that will first
analyze the environment and collect information in order to exploit the existing open ports or
vulnerabilities. This may include unauthorized access to organization resources.
Passive attacks: these refer to attacks where the purpose is only to learn and get some information
from the system, but the system resources are not altered or disabled in any way.
Active attacks: in this type of network attack, the perpetrator accesses and either alters, disables
or destroys resources or data.
Outside attack: when an attack is performed from outside the organization by an unauthorized
entity, it is said to be an outside attack.
Inside attack: if an attack is performed from within the company by an "insider" that already
has certain access to the network, it is considered to be an inside attack.
Others, such as attacks targeting end users (like phishing or social engineering): these attacks
are not directly referred to as network attacks, but are important to know due to their widespread
occurrence.
2. Phishing attack – this type of attack uses social engineering techniques to steal confidential
information. The most common purpose of such an attack is to obtain the victim's banking account
details and credentials. Phishing attacks tend to use schemes involving spoofed emails sent to
users that lead them to malware-infected websites designed to appear as real online banking
websites. In most cases the emails received by users will look authentic, as if sent from sources
known to the user (very often with the appropriate company logo and localized information).
These emails will contain a direct request to verify some account information, credentials or
credit card numbers by following the provided link and confirming the information online.
The request will be accompanied by a threat that the account may become disabled or
suspended if the mentioned details are not verified by the user.
3. Social phishing – in recent years, phishing techniques have evolved to include social
media like Facebook or Twitter. This type of phishing is often called social phishing. The
purpose remains the same – to obtain confidential information and gain access to personal
files. The means of the attack are a bit different though, and include special links or posts
placed on the social media sites that attract the user with their content and convince them to
click on them. The link then redirects to a malicious website or similar harmful content. The
websites can mirror the legitimate Facebook pages so that an unsuspecting user does not notice
the difference. The website will require the user to log in with his or her real information. At this point,
the attacker collects the credentials, gaining access to the compromised account and all data on it.
Another scenario involves fake apps. Users are encouraged to download and install the apps,
which contain malware used to steal confidential information. Facebook phishing
attacks are often much more elaborate. Consider the following scenario – a link posted by an
attacker can include some pictures or a phrase that will attract the user to click on it. The user
clicks, upon which he or she is redirected to a mirror website that asks him or her to like the post
first before even viewing it. The user, not suspecting any harm, clicks on the "like" button but
doesn't realise that the "like" button has been spoofed and in reality is an "accept" button granting the
fake app access to the user's personal information. At this point, data is collected and the account is
compromised.
4. Spear phishing attack – this is a type of phishing attack targeted at specific individuals,
groups of individuals or companies. Spear phishing attacks are performed mostly with the
primary purpose of industrial espionage and theft of sensitive information, while ordinary
phishing attacks are directed against the wider public with the intent of financial fraud. It has been
estimated that in the last couple of years targeted spear phishing attacks have become more widespread
than ever before.
The recommendations to protect your company against phishing and spear phishing
include:
1. Never open or download a file from an unsolicited email, even from someone you know (you
can call or email the person to double check that it really came from them).
2. Keep your operating system updated.
3. Use a reputable anti-virus program.
4. Enable two-factor authentication whenever available.
5. Confirm the authenticity of a website prior to entering login credentials by looking for a
reputable security trust mark.
6. Look for HTTPS in the address bar when you enter any sensitive personal information on a
website to make sure your data will be encrypted.
5. Watering hole attack – this is a more complex type of phishing attack. Instead of the usual
way of sending spoofed emails to end users in order to trick them into revealing confidential
information, attackers use a multi-staged approach to gain access to the targeted
information. In the first step, the attacker profiles the potential victim, collecting information
about his or her internet habits, history of visited websites etc. In the next step the attacker uses
that knowledge to inspect specific legitimate public websites for vulnerabilities. If any
vulnerabilities or loopholes are found, the attacker compromises the website with his or her own
malicious code. The compromised website then waits for the targeted victim to come back
and then infects them with exploits (often for zero-day vulnerabilities) or malware. This is
analogous to a lion waiting at the watering hole for its prey.
8. Port scanning – an attack type where the attacker sends several requests to a range of ports
on a targeted host in order to find out which ports are active and open, which allows them to
exploit known service vulnerabilities related to specific ports. Port scanning can be used by
malicious attackers to compromise security, as well as by IT professionals to verify
network security.
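The port scanning described above, seen from the defender's side, as an added example that is not part of the notes: a detector that reads firewall drop/accept log lines and flags a source that touches many distinct ports on one host within a short window. The log format, IP addresses and lines are constructed for this example (the addresses are RFC 5737 documentation ranges), not a real product's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed log line shape (hypothetical; adapt the pattern to a real firewall's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"DPT=(?P<dport>\d+) ACTION=(?P<action>\w+)$"
)


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    action: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; lines that do not match the format are ignored (None)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(
        ts=datetime.fromisoformat(m.group("ts")),
        src=m.group("src"),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
        action=m.group("action"),
    )


def detect_port_scans(
    lines: List[str], window: timedelta = timedelta(seconds=60), threshold: int = 10
) -> Dict[str, int]:
    """Return {source_ip: most distinct destination ports hit on one host within `window`}
    for every source that reached `threshold` or more distinct ports on a single host."""
    per_pair: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            per_pair[(ev.src, ev.dst)].append(ev)

    alerts: Dict[str, int] = {}
    for (src, _dst), events in per_pair.items():
        events.sort(key=lambda e: e.ts)
        left, best = 0, 0
        # Sliding window over time: count distinct ports between `left` and `right`.
        for right in range(len(events)):
            while events[right].ts - events[left].ts > window:
                left += 1
            best = max(best, len({e.dport for e in events[left:right + 1]}))
        if best >= threshold:
            alerts[src] = max(alerts.get(src, 0), best)
    return alerts


def _build_sample() -> List[str]:
    """Constructed sample: one scanner sweeping 16 ports, one normal HTTPS client."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for i in range(16):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT={20 + i} ACTION=DROP")
        lines.append(f"{t} SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP DPT=443 ACTION=ACCEPT")
    lines.append("malformed line that the parser must skip")
    return lines


SAMPLE_LOG = _build_sample()
```

Run against SAMPLE_LOG the scanner is reported with 16 distinct ports while the repeat visitor to port 443 is not; tightening the window to a few seconds drops the scanner below the threshold, which is the trade-off any rate-based rule makes.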
10. IP address spoofing – this is the process of creating IP packets with a forged source IP address
to impersonate a legitimate system. This kind of spoofing is often used in DoS attacks (Smurf
attack).
11. Email spoofing – This is a process of faking the email's sender "from" field in order to hide
real origin of the email. This type of spoofing is often used in spam mail or during phishing
attack.
12. Search engine poisoning – attackers take advantage of high-profile news items or popular
events that may be of specific interest to a certain group of people to spread malware and
viruses. This is performed by various methods aimed at achieving the highest
possible search ranking on well-known search portals for the malicious sites and links introduced
by the attackers. Search engine poisoning techniques are often used to distribute rogue security
products (scareware) to users searching for legitimate security solutions to download.
13. Network sniffing (packet sniffing) – the process of capturing the data packets travelling on
the network. Network sniffing can be used by IT professionals to analyze and monitor
traffic, for example in order to find unexpected suspicious traffic, but also by
perpetrators to collect data sent in clear text, which is easily readable with network
sniffers (protocol analyzers). The best countermeasure against sniffing is the use of encrypted
communication between the hosts.
14. Denial of Service attack (DoS attack) and Distributed Denial of Service attack (DDoS
attack) – an attack designed to cause an interruption or suspension of the services of a specific
host/server by flooding it with large quantities of useless traffic or external communication
requests. When the DoS attack succeeds the server is no longer able to answer even legitimate
requests; this can be observed in a number of ways – slow response of the server,
slow network performance, unavailability of software or web pages, inability to access data,
websites or other resources. A Distributed Denial of Service attack (DDoS) occurs where
multiple compromised or infected systems (a botnet) flood a particular host with traffic
simultaneously.
15. ICMP flood attack (ping flood) – an attack that sends ICMP ping requests to the victim
host without waiting for the answer, in order to overload it with ICMP traffic to the point
where the host cannot answer them any more, either because of network bandwidth
congestion with ICMP packets (both requests and replies) or high CPU utilization caused by
processing the ICMP requests. The easiest way to protect against the various types of ICMP
flood attack is either to disable propagation of ICMP traffic sent to the broadcast address on the
router or to disable ICMP traffic at the firewall level.
16. Ping of Death (PoD) – this attack involves sending a malformed or otherwise corrupted
malicious ping to the host machine, for example a ping packet larger than normal, which
can cause a buffer overflow on the system that leads to a system crash.
17. Smurf attack – this works in the same way as the ping flood attack with one major difference:
the source IP address of the attacker host is spoofed with the IP address of another legitimate,
non-malicious computer. Such an attack will cause disruption both on the attacked host
(receiving a large number of ICMP requests) as well as on the spoofed victim host (receiving a
large number of ICMP replies).
18. SYN flood attack – this attack exploits the way the TCP 3-way handshake works when a
TCP connection is being established. In the normal process, the host computer sends a TCP SYN
packet to the remote host requesting a connection. The remote host answers with a TCP
SYN-ACK packet confirming the connection can be made. As soon as this is received by the
first (local) host it replies again with a TCP ACK packet to the remote host. At this point the
TCP socket connection is established. During the SYN flood attack, the attacker host, or more
commonly several attacker hosts, send SYN packets to the victim host requesting a
connection; the victim host responds with SYN-ACK packets but the attacker hosts never
respond with ACK packets. As a result the victim host reserves space for all those
connections while still awaiting the remote attacker hosts' response, which never comes. This
leaves the server with dead half-open connections and in the end prevents legitimate hosts from
connecting to the server any more.
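The SYN flood mechanism described above, as an added example that is not part of the notes: a toy model of a listening socket's half-open queue that fills up under a flood of never-acknowledged SYNs, beside the same listener with a stateless SYN-cookie style initial sequence number so that nothing is stored until the final ACK arrives. The Listener class, its HMAC-based cookie and the simulate_flood scenario are constructed for this example and simplify what a real kernel does.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Peer = Tuple[str, int]  # (source IP, source port) of the connecting host


@dataclass
class Listener:
    """Toy model of a TCP listener's half-open (SYN-received) queue."""
    backlog: int                          # how many half-open entries fit
    use_syn_cookies: bool = False         # stateless mode: store nothing until ACK
    half_open: Dict[Peer, int] = field(default_factory=dict)   # peer -> our ISN
    established: Set[Peer] = field(default_factory=set)
    dropped_syns: int = 0
    # Constructed per-listener secret for cookie derivation (not the kernel's scheme).
    secret: bytes = field(default_factory=lambda: os.urandom(16))

    def _cookie(self, peer: Peer) -> int:
        # ISN derived from the peer tuple and a secret: the server can verify the
        # later ACK (our ISN + 1) by recomputing it instead of storing state.
        mac = hmac.new(self.secret, f"{peer[0]}:{peer[1]}".encode(), hashlib.sha256)
        return int.from_bytes(mac.digest()[:4], "big")

    def on_syn(self, peer: Peer) -> Optional[int]:
        """Handle a SYN; return the ISN sent in our SYN-ACK, or None if dropped."""
        isn = self._cookie(peer)
        if self.use_syn_cookies:
            return isn                    # nothing queued, so the flood costs nothing
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1        # queue exhausted: this SYN is lost
            return None
        self.half_open[peer] = isn        # reserve space for the pending handshake
        return isn

    def on_ack(self, peer: Peer, ack_num: int) -> bool:
        """Handle the third handshake packet; True if the connection is established."""
        if self.use_syn_cookies:
            expected = self._cookie(peer) + 1
        else:
            stored = self.half_open.pop(peer, None)
            if stored is None:
                return False              # no pending SYN for this peer
            expected = stored + 1
        if ack_num != expected:
            return False                  # forged or replayed ACK
        self.established.add(peer)
        return True


def simulate_flood(listener: Listener, attacker_syns: int) -> bool:
    """Attacker sends `attacker_syns` SYNs from spoofed addresses and never ACKs;
    afterwards one legitimate client tries a full handshake. Returns whether it connected."""
    for i in range(attacker_syns):
        # Spoofed sources (constructed, RFC 5737 range); no ACK ever follows.
        listener.on_syn((f"203.0.113.{i % 250 + 1}", 40000 + i))
    client: Peer = ("192.0.2.25", 51515)
    isn = listener.on_syn(client)
    if isn is None:
        return False                      # SYN dropped: denial of service
    return listener.on_ack(client, isn + 1)
```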
19. Buffer overflow attack – in this type of attack the victim host is provided with traffic or
data that is outside the range the victim host, protocol or application was designed to process,
overflowing the buffer and overwriting the adjacent memory. One example is the
Ping of Death attack mentioned above, where a malformed ICMP packet with a size exceeding the
normal value can cause a buffer overflow.
22. Session hijacking attack – this attack exploits a valid computer session in
order to gain unauthorized access to information on a computer system. The attack type is
often referred to as cookie hijacking since, during the attack, the attacker uses a stolen
session cookie to gain access and authenticate to the remote server by impersonating the legitimate
user.
23. Cross-site scripting attack (XSS attack) – the attacker exploits XSS vulnerabilities
found in web server applications in order to inject a client-side script into the webpage that
can either point the user to a malicious website of the attacker or allow the attacker to steal the
user's session cookie.
24. SQL injection attack – the attacker uses existing vulnerabilities in the applications to inject
code or a string for execution that exceeds the allowed and expected input to the SQL database.
Case study:
Few recent cyber-attacks (or Network attacks) that shook some big businesses around the
globe:
1. Premera Blue Cross, March 2015
The company, a health insurer based in Washington State, said up to 11 million customers could
have been affected by a cyberattack last year. Hackers gained access to its computers on May 5,
and the breach was not discovered until Jan. 29, Premera said. The breach could have exposed
members' names, dates of birth, Social Security numbers, mailing and email addresses, phone
numbers and bank account information. The company is also working with the F.B.I. and a
cybersecurity firm.
2. Anthem February 2015
One of the nation’s largest health insurers said that the personal information of tens of millions
of its customers and employees, including its chief executive, was the subject of a “very
sophisticated external cyberattack.” The company added that hackers were able to breach a
database that contained as many as 80 million records of current and former customers, as well
as employees. The information accessed included names, Social Security numbers, birthdays,
addresses, email and employment information, including income data.
3. Sony Pictures, November 2014
A huge attack that essentially wiped clean several internal data centers and led to cancellation of
the theatrical release of "The Interview," a comedy about the fictional assassination of the North
Korean leader Kim Jong-un. Contracts, salary lists, film budgets, entire films and Social
Security numbers were stolen, including -- to the dismay of top executives -- leaked emails that
included criticisms of Angelina Jolie and disparaging remarks about President Obama.
4. Staples October 2014
The office supply retailer said hackers had broken into the company’s network and compromised
the information of about 1.16 million credit cards.
VPN, or Virtual Private Network, is a network that is constructed by using public wires -
usually the Internet - to connect to a private network, such as a company's internal network.
There are a number of systems that enable you to create networks using the Internet as the
medium for transporting data. These systems use encryption and other security mechanisms to
ensure that only authorized users can access the network and that the data cannot be intercepted.
In VPN technology, central tunneling is the process of forcing all traffic from a remote VPN
through a central site. Central tunneling allows additional security as remote VPN users are
protected by a firewall at the central site, and also enables NAT (Network Address
Translation), IDS (Intrusion Detection System), IPS (Intrusion Prevention System) and anti-
virus and spam filtering. Central tunneling does, however, increase bandwidth usage at the central site.
A Zero Day or Zero Hour vulnerability refers to a hole in software that is unknown to the
vendor. This security hole is then exploited by hackers before the vendor becomes aware and
hurries to fix it; this exploit is called a zero day attack. Uses of zero day attacks can include
infiltrating malware or spyware, or allowing unwanted access to user information. The term "zero
day" refers to the hole being unknown to anyone other than the attackers, specifically to the
developers. Once the vulnerability becomes known, a race begins for the developer, who must
protect users.
2. Application Security:
Application security (AppSec) is the use of software, hardware and procedural methods to
protect applications from external threats. AppSec is the operational solution to the problem of
software risk. AppSec helps identify, fix and prevent security vulnerabilities in any kind of
software application irrespective of the function, language or platform.
A well-practiced AppSec program employs practical and preventative methods to manage software risk,
and aligns an organization's security investments with the reality of today's threats.
AppSec has three distinct elements:
1) Measurable reduction of risk in existing applications
2) Prevention of introduction of new risks
3) Compliance (agreement) with software security mandates
AppSec as a discipline is also becoming more complex as the variety of business software
continues to proliferate (increase).
Today’s enterprise software comes from a variety of sources –
In-house development teams,
Commercial vendors,
Outsourced solution providers, and
Open source projects.
AppSec products must provide capabilities for managing security risk across all of these options
as each of these development and deployment options can introduce security vulnerabilities. An
effective software security strategy addresses both immediate and systemic risk.
The Application Security market has a well-established roadmap, starting from software security
testing to find and assess potential vulnerabilities, and continuing to:
Fix and prioritize remediation procedures.
Train developers on secure coding practices.
Maintain on-going threat intelligence to keep up to date.
Develop continuous methods to secure applications throughout the development life cycle.
Instantiate policies and procedures that implant good governance.
Testing and remediation form the baseline response to insecure applications, but the critical
element of a successful AppSec effort is on-going developer training. Security conscious
development teams write bulletproof code, and avoid common errors.
For example, data input validation – the process of ensuring that a program operates with clean,
correct and useful data. Neglecting this important step and failing to build in standard input
validation rules or "check routines" leaves the application open to common attacks such as cross-
site scripting and SQL injection.
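The SQL injection attack from the network attacks list and the input validation point made just above, in one added example that is not part of the notes: a lookup that concatenates user input into the statement, beside the same lookup done with parameter binding and a "check routine" that allow-lists the expected shape of a username. The in-memory table and its rows are constructed for this example.

```python
import re
import sqlite3
from typing import List


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory users table; the rows are illustrative only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Input pasted straight into the statement: the caller controls SQL syntax."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[str]:
    """Placeholder binding: the driver passes the value as data, never as SQL text."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# The "check routine" the text describes: an allow-list for what a username may look like.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def lookup_defended(conn: sqlite3.Connection, username: str) -> List[str]:
    """Validate first, then query with a bound parameter (defence in depth)."""
    if not validate_username(username):
        raise ValueError("username does not match the expected format")
    return lookup_parameterized(conn, username)
```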
3. Communications Security:
Communications Security (COMSEC) ensures the security of telecommunications confidentiality
and integrity – the two information assurance (IA) pillars. Generally, COMSEC may refer to the
security of any information that is transmitted, transferred or communicated.
There are five COMSEC security types:
Cryptosecurity: This encrypts data, rendering it unreadable until the data is decrypted.
Emission Security (EMSEC): This prevents the capture of emanations (release) from
equipment, such as cryptographic equipment, thereby preventing unauthorized interception.
Physical Security: This ensures the safety and prevention of unauthorized access to,
cryptographic information, documents and equipment.
Traffic-Flow Security: This hides messages and message characteristics flowing on a network.
Transmission Security (TRANSEC): This protects transmissions from unauthorized access,
thereby preventing interruption and harm.
People who fall in love with the Net do so for different reasons. Many love the ability to
quickly and cheaply keep up with friends and loved ones via e-mail, while others love the vast
oceans of information or the rush of playing Internet games.
There are as many bad guys in cyberspace as there are in everyday life, and those shady
characters are constantly prowling the Internet in search of new victims to scam.
However, the media often exaggerate these dangers. It is extremely unlikely (though not
impossible) that anyone reading this article will fall prey to an Internet crime, and in truth the
risks are not much greater than those associated with many fun activities.
There are countless ways that thieves and mischief makers can wreak havoc with your sense of
security, but there are just as many ways to keep intruders at bay via safe-surfing techniques or
security software.
To secure a computer system, it is important to understand the attacks that can be made against
it, and these threats can typically be classified into one of the categories below:
1. Backdoors
A backdoor in a computer system, a cryptosystem or an algorithm, is any secret method of
bypassing normal authentication or security controls. They may exist for a number of reasons,
including by original design or from poor configuration. They may also have been added later
by an authorized party to allow some legitimate access, or by an attacker for malicious reasons;
but regardless of the motives for their existence, they create a vulnerability.
2. Denial-of-service attack
Denial of service attacks are designed to make a machine or network resource unavailable to its
intended users. Attackers can deny service to individual victims, such as by deliberately
entering a wrong password enough consecutive times to cause the victim account to be locked,
or they may overload the capabilities of a machine or network and block all users at once. While
a network attack from a single IP address can be blocked by adding a new firewall rule, many
forms of Distributed denial of service (DDoS) attacks are possible, where the attack comes from
a large number of points – and defending is much more difficult. Such attacks can originate
from the zombie computers of a botnet, but a range of other techniques are possible including
reflection and amplification attacks, where innocent systems are fooled into sending traffic to
the victim.
3. Direct-access attacks
(Figure: common consumer devices that can be used to transfer data surreptitiously.)
An unauthorized user gaining physical access to a computer is most likely able to directly
download data from it. They may also compromise security by making operating system
modifications, installing software worms, key loggers, or covert listening devices. Even when
the system is protected by standard security measures, these may be bypassed by
booting another operating system or tool from a CD-ROM or other bootable media. Disk
encryption and the Trusted Platform Module are designed to prevent these attacks.
4. Eavesdropping
Eavesdropping is the act of surreptitiously listening to a private conversation, typically between
hosts on a network. For instance, programs such as Carnivore and NarusInsight have been used
by the FBI and NSA to eavesdrop on the systems of internet service providers. Even machines
that operate as a closed system (i.e., with no contact to the outside world) can be eavesdropped
upon via monitoring the faint electro-magnetic transmissions generated by the hardware;
TEMPEST is a specification by the NSA referring to these attacks.
5. Spoofing
Spoofing of user identity describes a situation in which one person or program successfully
masquerades as another by falsifying data.
6. Tampering
Tampering describes a malicious modification of products. So-called "Evil Maid" attacks and
security services planting of surveillance capability into routers[6] are examples.
7. Privilege escalation
Privilege escalation describes a situation where an attacker with some level of restricted access
is able to, without authorization, elevate their privileges or access level. So for example a
standard computer user may be able to fool the system into giving them access to restricted
data; or even to "become root" and have full unrestricted access to a system.
8. Phishing
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and
credit card details directly from users. Phishing is typically carried out by email spoofing or
instant messaging, and it often directs users to enter details at a fake website whose look and
feel are almost identical to the legitimate one. Preying on a victim's trust, phishing can be
classified as a form of social engineering.
Central to information security is the concept of controls, which may be categorized by their
functionality (preventive, detective, corrective, deterrent, recovery and compensating) and plane
of application (physical, administrative or technical).
By functionality:
Preventive controls:
Preventive controls are the first controls met by an adversary. These try to prevent security
violations and enforce access control. Like other controls, these may be physical, administrative
or technical. Doors, security procedures and authentication requirements are examples of
physical, administrative and technical preventive controls respectively.
Detective controls:
Detective controls are in place to detect security violations and alert the defenders. They come
into play when preventive controls have failed or have been circumvented and are no less crucial
than preventive controls. Detective controls include cryptographic checksums, file integrity
checkers, audit trails and logs and similar mechanisms.
Corrective controls:
Corrective controls try to correct the situation after a security violation has occurred. Although a
violation has occurred, the data remains secure, so it makes sense to try to fix the situation.
Corrective controls vary widely, depending on the area being targeted, and they may be technical
or administrative in nature.
Deterrent controls:
Deterrent controls are intended to discourage potential attackers. Examples of deterrent controls
include notices of monitoring and logging as well as the visible practice of sound information
security management.
Recovery controls:
Recovery controls are somewhat like corrective controls, but they are applied in more serious
situations to recover from security violations and restore information and information processing
resources. Recovery controls may include disaster recovery and business continuity mechanisms,
backup systems and data, emergency key management arrangements and similar controls.
Compensating controls:
Compensating controls are intended to be alternative arrangements for other controls when the
original controls have failed or cannot be used. When a second set of controls addresses the same
threats that are addressed by another set of controls, it acts as a compensating control.
By plane of application:
Physical controls include doors, secure facilities, fire extinguishers, flood protection and air
conditioning.
Administrative controls are the organization’s policies, procedures and guidelines intended to
facilitate information security.
Technical controls are the various technical measures, such as firewalls, authentication systems,
intrusion detection systems and file encryption among others.
In addition to establishing performance metrics, an SLA may include a plan for addressing
downtime and documentation for how the service provider will compensate customers in the event
of a contract breach. SLAs, once established, should be periodically reviewed and updated to reflect
changes in technology and the impact of any new regulatory directives.
People would be impacted most by the study of computer security. People can be the weakest link
in an organization's information security program. And unless policy, education and training,
awareness, and technology are properly employed to prevent people from accidentally or
intentionally damaging or losing information, they will remain the weakest link. Social engineering
can prey on the tendency to cut corners and the commonplace nature of human error. It can be used
to manipulate the actions of people to obtain access information about a system.
Procedures, written instructions for accomplishing a specific task, could be another component,
which will be impacted. The information system will be effectively secured by teaching employees
to both follow and safeguard the procedures. Following procedure reduces the likelihood of
employees erroneously creating information insecurities. Proper education about the protection of
procedures can avoid unauthorized access gained using social engineering.
Hardware and software are the components that are historically associated with the study of
computer security. However, the IS component that created much of the need for increased
computer and information security is networking.
1. Software: Perhaps the most difficult part of the system to secure, because most software used is
written by third parties. Also, since the software field is so competitive, many products are
rushed to market before they have been thoroughly tested and debugged. These bugs and
"security holes" are quickly discovered by members of the hacking community and soon
information is spread about "exploits" that take advantage of those "holes," which are then
used by unscrupulous individuals.
2. Hardware: This is specifically the computers themselves. While there are very few ways to use
hardware directly to defeat security, the data stored on the hardware can be stolen by the simple
expedient of stealing the hardware itself. Laptop computers are especially vulnerable to theft.
3. Data: This is the primary target of thieves. Proprietary and confidential personal data is a
particularly lucrative source of income for criminals, especially in the fields of industrial
espionage and identity theft.
4. People: People are often overlooked as a part of an information system. However, they are as
much a part as hardware, software or data. Without people, there would be no need for data or
software, and no use for hardware. However, being human, people make mistakes, or commit
deliberate acts, that can compromise the security of any system. Proper education and
monitoring of people is necessary to prevent security breaches, whether accidental or deliberate.
5. Procedures: Procedures are also overlooked as potential security risks. Deficient design of
procedures, as well as outsiders’ learning existing procedures, can lead to the compromise of
critical data.
6. Networks: Information used by an organization needs to be shared among the members of that
organization. Networking makes sharing of information easy, but at the cost of dramatically
increasing the risk of compromising security. Wireless networks can be monitored by outsiders’
computers with wireless capabilities. Similarly, wired networks can be tapped.
Wide Area networks typically use public telephone or cable lines to transmit data, and these
public lines can also be tapped. These facts, as well as others, make it crucial to design
procedures and protocols for users of networks that make data as secure as possible.
Of these six components, Data is the most critical, and therefore the most directly affected by
the study of computer security. However, in order to make data secure, it is necessary to study
all six components, since they are all related parts of an integrated whole.
Top-down Approach
In contrast, the top-down approach, which looks at the entire issue from the reverse direction, is
proving to be highly successful. Here, management understands the seriousness of the problem and
initiates the process, which is then systematically percolated down to the operations staff.
SDLC: The Software/System Development Life Cycle is a process by which user requirements
are elicited and software satisfying these requirements is designed, built, tested and delivered to the
client.
Phases of the SecSDLC
1. Investigation in the SecSDLC (S1)
–Phase begins with a directive from management specifying the process, outcomes, and goals of
the project and its budget
–Frequently begins with the affirmation or creation of security policies
–Teams assembled to analyze problems, define scope, specify goals and identify constraints
–Feasibility analysis
•Determines whether the organization has the resources and commitment to conduct a
successful security analysis and design
2. Analysis in the SecSDLC (S2)
–Prepare analysis of existing security policies and programs, along with known threats and
current controls
–Analyze relevant legal issues that could affect the design of the security solution
–Risk management begins in this stage
•The process of identifying, assessing, and evaluating the levels of risk facing the organization,
specifically the threats to the information stored and processed by the organization
•A threat is an object, person, or other entity that represents a constant danger to an asset
An attack
–A deliberate act that exploits a vulnerability to achieve the compromise of a controlled system
–Accomplished by a threat agent that damages or steals an organization’s information or
physical assets
An exploit
–A technique or mechanism used to compromise a system
A vulnerability
–An identified weakness of a controlled system, in which the necessary controls are not present
or are no longer effective
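The risk management step described above, worked through as an added example that is not part of these notes: a small Python risk register that identifies the threats to each information asset, treats a required control that is absent or no longer effective as a vulnerability (in the sense defined above), and then evaluates and ranks the resulting risk levels. The scoring scheme (likelihood and impact on a 1 to 5 scale, inherent risk as their product, each effective required control lowering the likelihood by one step) and all asset, threat and control data are assumptions constructed for the example, not taken from the notes.

```python
"""Ranking a small risk register (added example, not from the course notes).

Walks through the risk management step of the SecSDLC analysis phase:
identify threats to information assets, check whether the controls each
asset needs are present and still effective (a required control that is
absent or ineffective is a vulnerability), and evaluate the level of risk
so that the highest risks are handled first.

Assumed scheme (not prescribed by the notes): likelihood and impact are
scored 1..5, inherent risk is likelihood x impact, and every required
control that is present and effective lowers the likelihood by one step,
never below 1. All register entries below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    effective: bool = True  # False: the control exists but no longer works


@dataclass
class RiskEntry:
    asset: str                  # information asset under consideration
    threat: str                 # threat agent / danger to that asset
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe)
    required: tuple             # names of the controls the asset needs
    controls: list = field(default_factory=list)  # controls actually in place


def vulnerabilities(entry):
    """Required controls that are missing or no longer effective."""
    status = {c.name: c.effective for c in entry.controls}
    return [name for name in entry.required if not status.get(name, False)]


def inherent_risk(entry):
    """Risk before any control is credited."""
    return entry.likelihood * entry.impact


def residual_risk(entry):
    """Risk after crediting effective required controls (assumed scheme)."""
    effective = len(entry.required) - len(vulnerabilities(entry))
    return max(1, entry.likelihood - effective) * entry.impact


def rating(score):
    """Qualitative band for a 1..25 score (assumed thresholds)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank_register(register):
    """Evaluate every entry and return them highest residual risk first."""
    rows = []
    for e in register:
        res = residual_risk(e)
        rows.append({
            "asset": e.asset,
            "threat": e.threat,
            "inherent": inherent_risk(e),
            "residual": res,
            "rating": rating(res),
            "vulnerabilities": vulnerabilities(e),
        })
    return sorted(rows, key=lambda r: (-r["residual"], -r["inherent"], r["asset"]))


# Constructed sample register: illustrative values only.
SAMPLE_REGISTER = [
    RiskEntry("customer database", "external intrusion via network", 4, 5,
              ("firewall", "authentication", "intrusion detection"),
              [Control("firewall"), Control("authentication"),
               Control("intrusion detection", effective=False)]),
    RiskEntry("laptop fleet", "theft of hardware", 3, 4,
              ("file encryption",), []),
    RiskEntry("payroll procedures", "social engineering of staff", 3, 3,
              ("awareness training",), [Control("awareness training")]),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        gaps = ", ".join(row["vulnerabilities"]) or "none"
        print(f'{row["rating"]:8} residual={row["residual"]:2} '
              f'inherent={row["inherent"]:2} {row["asset"]} / {row["threat"]} '
              f'(control gaps: {gaps})')
```

Running the file prints the ranked register. With the sample values the unencrypted laptop fleet, which has no control in place, ranks above the customer database even though the database has the higher inherent risk, because two of the database's three required controls are present and effective; the ineffective intrusion detection system is reported as its remaining vulnerability. That is the point of evaluating residual rather than inherent risk when deciding what to address first.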
Threats to Information Security
3. Design in the SecSDLC (S3)
–Create and develop a blueprint (proposed system-based solution) for security
–Examine and implement key policies
–Evaluate the technology needed to support the security blueprint
–Generate alternative solutions
–Agree upon a final design
A critical design element of the information security program is the information security
policy
•Management must define three types of security policy
–Enterprise information security policies
–Issue-specific security policies
–Systems-specific security policies
c. Technical controls
–Address tactical and technical issues related to designing and implementing security in the
organization
–Technologies necessary to protect information are examined and selected
Contingency planning
–Prepare, react and recover from circumstances that threaten the organization
•Types of contingency planning
–Incident response planning (IRP)
–Disaster recovery planning (DRP)
–Business continuity planning (BCP)
Professional certifications
–CISSP
–SSCP
–GIAC
–Security+
–CISM