
Module 8 INFOSEC TECHNOLOGY COMPONENTS


Foundation of Information Security

SPSaS 2102
Learning Module

Module 08:
Information security
technology components

Introduction

Progress, be it simple or complex, always comes down to a combination of People,
Process and Technology. Whilst any of these can be the original trigger, the outcome
always affects all three.

Page 124

The Industrial Revolution was a good example where new technologies (industrial
engines) fundamentally re-designed manufacturing processes (production lines) and had
far-reaching impacts on the people employed (not all of it good, one might add) through
the dis-aggregation of skills, the re-balancing of power in favor of owners, urbanization
etc. Likewise, we cannot deny the fact that cyber security is a business issue. This means that
management is accountable for ensuring that its organization’s cyber security strategy
meets business objectives and is adopted as a strategic risk. Discussions of cyber risk at
board level should include identifying which risks to avoid, accept, mitigate or transfer
(such as through cyber insurance), as well as reviewing specific plans associated with
each approach. The three fundamental domains of an effective cyber security strategy
are people, processes and technology; these three key areas will make or break
a good information security setup or infrastructure.

Enterprise Information Security Program Elements (Pillars of Information Security)

• People – are the most difficult portion of the program because everyone from the
CEO on down needs to play their part to ensure an effective program
• Process – is the glue that binds the people and technology components of your
program. The processes must be very clear for everyone in the organization to follow
them.
• Technology – is often confusing and can sometimes establish a false sense of
security in your organization.

Figure 1: Enterprise IS program Elements


According to Dutton (2017), it is a common misconception that cyber security is all about
technology (hardware and software). Technology is obviously a massive part of cyber
security, but alone it is not enough to protect you from modern cyber threats. A specific
enterprise may have the technology in place, but if it does not have proper processes and
has not trained its staff on how to use the technology, then it creates vulnerabilities.

Cyber security consists of technologies, processes and measures that are designed to
protect individuals and organizations from cybercrimes. Effective cyber security reduces
the risk of a cyber-attack through the deliberate exploitation of systems, networks and
technologies. Cyber security is a sub-section of information security.

ISO 27001 – the standard that advocates the three pillars of cyber security

ISO 27001 is the international standard for an ISMS, and advocates the combination of
these three pillars (people, process and technology). Creating an ISO 27001 ISMS will
ensure every aspect of cyber security is addressed within your organization. ISO 27001 is
rapidly gaining momentum as the world’s leading cyber security standard, offering robust
defenses to those who implement it, as well as helping them win new business through
their commitment to security.

IT Governance’s ISO 27001 DIY packages enable any organization to implement ISO
27001 from anywhere in the world. Each package is a carefully selected mix of training,
tools and consultancy that help organizations with different internal competencies
implement the Standard.

7 Information Security Technology Components

According to Egan, M. & Mather, T. (2004), there are seven Information Security
Technology Components, listed below:

1. Authentication, Authorization, & Accounting (AAA)
2. Firewalls/virtual private network (VPN)
3. Anti-virus software
4. Vulnerability management
5. Intrusion detection
6. Content filtering
7. Encryption


1. Authentication, Authorization, & Accounting (AAA)

• Ensures only authorized staff, customers, vendors, or partners can access your
systems
• Authentication is a process that determines who you are.

- Based on something you know (such as a password), something you have (such as a
token), something you are (such as your fingerprints, with biometrics) and, in some
systems, where you are (such as your location from GPS satellites).

• Authorization determines what you can access.

- Enables system administrators to restrict some special privileges to certain roles or
functions that employees perform within an organization.

• Accounting is the tool to audit these processes.

- Enables you to review who is accessing your systems and what they are doing.

Techopedia explains Authentication, Authorization and Accounting (AAA)

Authentication refers to unique identifying information from each system user, generally in
the form of a username and password. System administrators monitor and add or delete
authorized users from the system.

Authorization refers to the process of adding or denying individual user access to a
computer network and its resources. Users may be given different authorization levels
that limit their access to the network and associated resources. Authorization
determination may be based on geographical location restrictions, date or time-of-day
restrictions, frequency of logins or multiple logins by single individuals or entities. Other
associated types of authorization service include route assignments, IP address filtering,
bandwidth traffic management and encryption.

Accounting refers to the record-keeping and tracking of user activities on a computer
network. For a given time period this may include, but is not limited to, real-time
accounting of time spent accessing the network, the network services employed or
accessed, capacity and trend analysis, network cost allocations, billing data, login data for
user authentication and authorization, and the data or data amount accessed or
transferred.

Examples of AAA protocols include:

• Diameter, a successor to Remote Authentication Dial-In User Service (RADIUS)
• Terminal Access Controller Access-Control System (TACACS)


• Terminal Access Controller Access-Control System Plus (TACACS+), a proprietary
Cisco Systems protocol that provides access for network servers, routers and other
network computing devices.

Types of AAA servers include:

• Access Network AAA (AN-AAA), which communicates with radio network
controllers
• Broker AAA (B-AAA), which manages traffic between roaming partner networks
• Home AAA (H-AAA)
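The three AAA functions described above, worked through in one small access path: an added example written for this module, not code from the module or from any AAA product. The user store, roles and permissions are constructed; passwords are stored as salted PBKDF2 hashes and every decision, allowed or denied, is written to an accounting log that can be reviewed afterwards.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed role -> permission mapping (authorization policy).
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "configure"},
    "operator": {"read", "write"},
    "auditor": {"read"},
}


def make_record(password: str, role: str) -> dict:
    """Create a stored credential record: random salt + PBKDF2-SHA256 hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "hash": digest, "role": role}


# Constructed user store; no plaintext passwords are kept.
USERS = {
    "alice": make_record("correct horse battery", "admin"),
    "bob": make_record("hunter2", "auditor"),
}

# Accounting: every authentication/authorization decision lands here.
ACCOUNTING_LOG: list[dict] = []


def _record(event: str, user: str, **fields) -> None:
    """Append an audit entry (who, what, when, outcome)."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "event": event, "user": user}
    entry.update(fields)
    ACCOUNTING_LOG.append(entry)


def authenticate(user: str, password: str) -> bool:
    """Authentication: prove who you are (something you know)."""
    rec = USERS.get(user)
    if rec is None:
        # Hash anyway so unknown users take about as long as known ones.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, 200_000)
        _record("auth", user, success=False)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
    ok = hmac.compare_digest(digest, rec["hash"])   # constant-time compare
    _record("auth", user, success=ok)
    return ok


def authorize(user: str, action: str, resource: str) -> bool:
    """Authorization: decide what an authenticated user may do."""
    role = USERS[user]["role"]
    ok = action in ROLE_PERMISSIONS.get(role, set())
    _record("authz", user, action=action, resource=resource, allowed=ok)
    return ok


def access(user: str, password: str, action: str, resource: str) -> str:
    """Full AAA flow: authenticate, then authorize, then account for the access."""
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not authorize(user, action, resource):
        return "denied: not authorized"
    _record("access", user, action=action, resource=resource)
    return f"ok: {user} performed {action} on {resource}"


def audit(user: str) -> list[dict]:
    """Accounting review: everything recorded about one user."""
    return [e for e in ACCOUNTING_LOG if e["user"] == user]
```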

2. Firewalls/virtual private network (VPN)

• Prevent unauthorized traffic from entering your network
• Form the electronic perimeter around your computing environment
• Have filters that only allow certain types of network traffic to flow into your
company’s network and discard any other data that does not meet preset criteria.
• VPN tools create a secure, private connection

Firewall technology:

- Packet filtering firewalls - provide protection by interrogating the header or address
information of a packet or message to identify potential issues (they do not examine the
body, also referred to as the ‘payload’)

- Stateful inspection firewalls - monitor the state of a transaction to verify that the
destination’s inbound packet matches the source’s outbound request

- Application layer or proxy firewalls - read and rewrite each packet to ensure that
only valid messages pass through.

Firewall Communication for Enterprise Manager

Firewalls protect a company's IT infrastructure by providing the ability to restrict network
traffic by examining each network packet and determining the appropriate course of
action. Firewall configuration typically involves restricting the ports that are available to
one side of the firewall, for example the Internet. It can also be set up to restrict the type
of traffic that can pass through a particular port such as HTTP. If a client attempts to
connect to a restricted port (a port not covered by a security 'rule') or uses a protocol that
is incorrect, then the client will be disconnected immediately by the firewall. Firewalls can
also be used within a company Intranet to restrict user access to specific servers.


The various components of Enterprise Manager 9i (Console, Oracle Management Server,
and Intelligent Agents) can be deployed on different nodes, which in turn can be
separated by firewalls. This section describes how firewalls can be configured to allow
communication between the different components of Enterprise Manager. The three most
common deployments are covered:

• Firewall Between the Console and Management Server
• Firewall Between the Management Server and Agent(s) on Monitored Nodes
• Firewalls and Network Address Translation (NAT)

Firewall between the Console and Management Server

In this configuration, the Enterprise Manager Console and Management Server are
separated by a firewall.

Figure 2: Console and Management Server on Opposite Sides of a Firewall

To enable network communication between the Enterprise Manager Console and
Management Server, several network ports must be opened in the firewall to allow TCP
traffic. The port range of 7771-7777 covers all these. If the Console is running in a
browser, then the firewall needs to allow HTTP traffic over port 3339 from the Enterprise
Manager Website HTTP server to any browser client. Functional assignments for these
ports are shown in the following table.

Port Number        Usage
3339               Communication between the Enterprise Manager HTTP server and the
                   Enterprise Manager browser client.
7771, 7773, 7776   Communication between the Enterprise Manager Console and the
                   Management Server.
7774               Communication between the Oracle Applications Manager and the
                   Management Server.
7775, 7777         Communication between the paging server and the Management Server.

Table 1. Port Usage

Special configuration is not required for either the Console or the Management Server in
this case.

Firewall Between the Management Server and Agent(s) on Monitored Nodes

In this configuration, the Intelligent Agent that runs on the managed node and the
Management Server are on opposite sides of the firewall, as shown in the following
illustration.

Figure 3: Firewall between the Management Server and Agent

To enable network communication between the Management Server and Intelligent
Agents on managed targets, several network ports must be opened in the firewall to allow
TCP traffic. Functional assignments for these ports are shown in the following table.


Port Number   Usage
1748, 1754    Management Server communicating with the Agent to discover new targets.
7772          Agent communicating with the Management Server.
7773          Agent communicating with the Management Server via SSL.

Table 2. Port Usage

No special setup and configuration is required for the Management Server or Intelligent
Agents in this situation.

If the Management Server and administered database (or other managed target) are
separated by a firewall, then the Management Server acts as a proxy for the Enterprise
Manager Console, resulting in the remote database viewing the Management Server as
the client. For this reason, there must be a SQL*Net proxy between the Management
Server and the administered database. If the Console is launched in Standalone Mode,
there must be a SQL*Net proxy between the Console and the Management Server, and
between the Management Server and ALL collections services (Data Gatherer)
connections.
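To make the difference between the packet-filtering and stateful-inspection types described under "Firewall technology" concrete, here is an added example (not from the module and not Oracle's code) of a simplified filter whose allow rules are taken from the port assignments in Table 1 and Table 2. The node addresses and the SYN/reply connection model are assumptions; the stateless filter looks at header fields only, while the stateful one admits an inbound packet only when it answers an outbound request it has already seen.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False      # True for a new-connection attempt
    payload: bytes = b""   # header-only filtering never inspects this


# Constructed addresses for the three Enterprise Manager components.
CONSOLE = "10.1.1.10"   # Enterprise Manager Console / browser client
OMS = "10.2.2.20"       # Oracle Management Server
AGENT = "10.3.3.30"     # Intelligent Agent on a monitored node

# Allow rules derived from Table 1 and Table 2: (source, destination, allowed dports).
RULES = [
    (CONSOLE, OMS, {3339, 7771, 7773, 7776}),  # Console -> Management Server
    (OMS, AGENT, {1748, 1754}),                # discovery of new targets
    (AGENT, OMS, {7772, 7773}),                # Agent -> Management Server (7773 = SSL)
]


def packet_filter(pkt: Packet) -> bool:
    """Stateless packet filter: header fields only, no notion of a connection."""
    return any(pkt.src == s and pkt.dst == d and pkt.dport in ports
               for s, d, ports in RULES)


class StatefulFirewall:
    """Stateful inspection: an inbound packet passes only if it matches an
    outbound request the firewall has already recorded."""

    def __init__(self) -> None:
        # Established connections as (src, sport, dst, dport) tuples.
        self.table: set[tuple] = set()

    def check(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_key in self.table:
            return True              # reply to a tracked connection
        if pkt.syn and packet_filter(pkt):
            self.table.add(key)      # new connection permitted by the rules
            return True
        return False                 # unsolicited, mid-stream, or not allowed
```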

Firewalls and Network Address Translation (NAT)

Some firewalls use a feature called Network Address Translation (NAT). This feature
masks the true IP address of a client by translating it to a different IP address. Packets
sent from a remote client to a server through the firewall will be known to the server by
this translated address. As the client and server communicate, the NAT software handles
the mapping of the true IP address to its translated address. Of the two Enterprise
Manager configurations previously discussed, only an Enterprise Manager Console and
Management Server can be separated by firewalls using NAT. No changes are required
for Enterprise Manager to support NAT in this configuration.

The Management Server and Intelligent Agent cannot be separated by firewalls using
NAT because the Management Server and Agent communication includes the other's
host address information, which is stored in the data packet rather than in the IP header.
Since NAT only looks for (and translates) addresses in the IP header, NAT will not work
with Management Server/Agent communication.
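The reason given above, that NAT rewrites the IP header but not an address carried inside the payload, shown as an added example (not from the module or from Oracle). The addresses and the "HELLO host=" message format are constructed stand-ins for the real Management Server/Agent protocol: after translation the Agent packet's header and payload disagree, and the embedded address is a private one the server cannot route back to, whereas a Console packet carries no address in its payload and is unaffected.

```python
import ipaddress
from typing import Optional

# Constructed addresses (assumptions, not from the page).
AGENT_INSIDE = "192.168.5.30"   # Agent's true address behind the NAT firewall
NAT_OUTSIDE = "203.0.113.7"     # address the NAT firewall presents to the outside
OMS = "198.51.100.10"           # Management Server on the far side of the firewall

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True for private address space that is not routable across the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def nat_outbound(packet: dict, inside: str, outside: str) -> dict:
    """NAT translates the source address in the IP header only;
    the payload bytes pass through untouched."""
    translated = dict(packet)
    if translated["ip_src"] == inside:
        translated["ip_src"] = outside
    return translated


def agent_hello(agent_addr: str) -> dict:
    """Agent -> Management Server message whose payload carries the Agent's
    own host address (hypothetical format standing in for Oracle's protocol)."""
    return {"ip_src": agent_addr, "ip_dst": OMS,
            "payload": f"HELLO host={agent_addr}".encode()}


def console_hello(console_addr: str) -> dict:
    """Console -> Management Server message: no address in the payload."""
    return {"ip_src": console_addr, "ip_dst": OMS, "payload": b"CONNECT"}


def embedded_host(payload: bytes) -> Optional[str]:
    """Extract the host address the sender wrote into its payload, if any."""
    text = payload.decode()
    if "host=" not in text:
        return None
    return text.split("host=", 1)[1].split()[0]


def nat_breaks_protocol(packet: dict) -> bool:
    """True when the receiver would contact the peer at an address NAT never
    rewrote and that is not reachable from the receiver's side."""
    host = embedded_host(packet["payload"])
    if host is None:
        return False
    return host != packet["ip_src"] and is_rfc1918(host)
```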

Virtual Private Network Configuration for Enterprise Manager

Virtual Private Networks (VPNs) allow remote employees to connect in a secure fashion
to a corporate server located in the corporate Local Area Network (LAN) using the routing
infrastructure provided by a public network (such as the Internet). From the user's
perspective, the VPN is a point-to-point connection between the user's computer and a
corporate server. The nature of the intermediate network is irrelevant to the user because
it appears as if the data is being sent over a dedicated private link.

Figure 4: Virtual Private Network

In order to provide a secure point-to-point channel of communication, VPN software
includes services such as user authentication and data encryption. It also implements
security standards defined by the IP Security (IPSEC) protocol. IPSEC is a series of
guidelines for the protection of Internet Protocol (IP) communications. It specifies
standardized ways for securing private information transmitted over public networks.
Communication between security systems developed by different vendors is possible if
they comply with the IPSEC standards.

To create secure VPNs, VPN software typically operates in IPSEC Tunnel Mode. In this
mode, data sent from a client is first encrypted and then encapsulated before being
transmitted over an insecure, public network such as the Internet. Upon arriving at its
destination, VPN software unpacks, decrypts and authenticates the data received, then
forwards it on to its final destination.

Many e-businesses use both VPNs and firewalls as part of their security infrastructure. In
these configurations, the firewall must allow IPSEC-compliant traffic to pass through (port
500 is used by default). Application data that is sent via VPN is first encapsulated and
tunnelled through port 500 in the firewall, unpacked, and sent to its final destination.
Targets that have been set up to use VPN thus avoid having to open up additional ports in
the firewall. Applications that run on VPN-enabled nodes can also communicate safely
and securely across the firewall.

VPN Connections Between the Enterprise Manager Client and Management Server

As previously discussed, VPNs that comply with IPSEC standards allow the secure
transfer of information over the internet: Remote clients can connect to a secure server
with minimum configuration and maximum security. It is also possible to use VPNs in
conjunction with firewalls. The following example shows a VPN environment with the
Enterprise Manager Console and the Management Server on opposite sides of the
firewall.

Figure 6: Firewall Configuration in a VPN Environment

In this example, both the Console and Management Server machines have VPN software
configured to provide a secure communication channel between the two. Specifically, the
machine running Enterprise Manager client must have the VPN client software installed.
The machine running the Management Server must have the VPN gateway software
installed. Additionally, the firewall must be configured to allow only IPSEC traffic (IPSEC
by default uses port 500). In this configuration, all the network traffic between the Console
and the Management Server will be tunneled automatically through port 500 by the VPN
software.

No additional configuration is required for Enterprise Manager components since the VPN
software handles communication tasks automatically.

When the Enterprise Manager Console is launched, the user may be prompted by a VPN
client software dialog to enter user security information. Once a valid username and
password are provided to the VPN client, subsequent communication between the
Console and Management Server across the virtual network will appear seamless.

No additional changes are required for the firewall configuration if IPSEC traffic is already
allowed.

VPN Connections between the Management Server and Intelligent Agents

Some VPN providers may allow server processes on different nodes to communicate. In
these configurations, it is possible to deploy the Management Server on one VPN-
enabled node and the Agent on another VPN-enabled node. The same principles as
described in the previous section apply. It is important to note that communication
between the Management Server node and Agent node is bi-directional, so each would
need to function as both a VPN client and VPN server. Hence, both the VPN client and
server software must be installed on each node.

3. Anti-virus software
• Protects your IT assets from malicious code.
• Like the vaccinations that we all receive to prevent certain diseases such as polio
and chicken pox, anti-virus software helps to prevent your computers from
becoming infected by computer viruses, worms, and Trojan horses.
• Hackers create hundreds of new viruses each month, which means that you have
to update your anti-virus software regularly with new virus definitions to ensure that
you will always have the latest cure available.
• Viruses can spread by several methods, including email and CDs, but they require an
action on the part of the user, such as opening an email attachment, to take effect.

Anti-virus software can identify and block many viruses before they can infect your
computer. Once you install anti-virus software, it is important to keep it up to date.
According to US-CERT publications, here are some security tips for understanding anti-virus
software:

What does anti-virus software do?

Although details may vary between packages, anti-virus software scans files or your
computer’s memory for certain patterns that may indicate the presence of malicious
software (i.e., malware). Anti-virus software (sometimes more broadly referred to as anti-
malware software) looks for patterns based on the signatures or definitions of known
malware. Anti-virus vendors find new and updated malware daily, so it is important that
you have the latest updates installed on your computer.

Once you have installed an anti-virus package, you should scan your entire computer
periodically.


• Automatic scans – Most anti-virus software can be configured to automatically
scan specific files or directories in real time and prompt you at set intervals to
perform complete scans.
• Manual scans – If your anti-virus software does not automatically scan new files,
you should manually scan files and media you receive from an outside source
before opening them. This process includes:

  - Saving and scanning email attachments or web downloads rather than
  opening them directly from the source.
  - Scanning media, including CDs and DVDs, for malware before opening files.

How will the software respond when it finds malware?

Sometimes the software will produce a dialog box alerting you that it has found malware
and ask whether you want it to “clean” the file (to remove the malware). In other cases,
the software may attempt to remove the malware without asking you first. When you
select an anti-virus package, familiarize yourself with its features so you know what to
expect.

Which software should you use?

There are many vendors who produce anti-virus software, and deciding which one to
choose can be confusing. Anti-virus software typically performs the same types of
functions, so your decision may be driven by recommendations, particular features,
availability, or price. Regardless of which package you choose, installing any anti-virus
software will increase your level of protection.

How do you get the current malware information?

This process may differ depending on what product you choose, so find out what your
anti-virus software requires. Many anti-virus packages include an option to automatically
receive updated malware definitions. Because new information is added frequently, it is a
good idea to take advantage of this option. Resist believing alarmist emails claiming that
the “worst virus in history” or the “most dangerous malware ever” has been detected and
will destroy your computer’s hard drive. These emails are usually hoaxes. You can
confirm malware information through your anti-virus vendor or through resources offered
by other anti-virus vendors.

While installing anti-virus software is one of the easiest and most effective ways to protect
your computer, it has its limitations. Because it relies on signatures, anti-virus software
can only detect malware that has known characteristics. It is important to keep these
signatures up-to-date. You will still be susceptible to malware that circulates before the
anti-virus vendors add their signatures, so continue to take other safety precautions as
well.
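What the US-CERT text above calls scanning "for certain patterns based on the signatures or definitions of known malware", and its stated limitation, as an added example (not from the module or from any anti-virus vendor). The signature database and the files it scans are constructed in a temporary directory: one sample is known by its SHA-256 hash, one by a byte pattern, one is clean, and one is a "new variant" with one byte changed, which no signature matches.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed signature database (not real malware signatures), in the two
# forms the text describes: whole-file hashes and byte patterns.
HASH_SIGNATURES: dict[str, str] = {}        # sha256 hex -> name, filled by build_sample_tree
PATTERN_SIGNATURES = {
    "Constructed.Dropper.A": b"CONSTRUCTED-DROPPER-MARKER-A",
    "Constructed.Worm.B": b"CONSTRUCTED-WORM-MARKER-B",
}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path: Path) -> list[str]:
    """Return the names of every signature that matches this file."""
    hits = []
    digest = sha256_of(path)
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    data = path.read_bytes()
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Full scan of every regular file under root; only detections are reported."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hits = scan_file(p)
            if hits:
                results[p.name] = hits
    return results


def build_sample_tree() -> Path:
    """Constructed test files: one known by hash, one by pattern, one clean,
    and one variant whose bytes match no signature (the limitation in the text)."""
    root = Path(tempfile.mkdtemp(prefix="avdemo-"))
    known = root / "known_bad.bin"
    known.write_bytes(b"\x00constructed known-bad sample\x00")
    HASH_SIGNATURES[sha256_of(known)] = "Constructed.KnownBad.Hash"
    (root / "dropper.exe").write_bytes(
        b"MZ..." + PATTERN_SIGNATURES["Constructed.Dropper.A"] + b"...")
    (root / "readme.txt").write_bytes(b"nothing to see here")
    # Same family, marker changed by one byte: signature-based detection misses it.
    (root / "variant.exe").write_bytes(b"MZ..." + b"CONSTRUCTED-DROPPER-MARKER-Z" + b"...")
    return root
```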

4. Vulnerability management
• Regular program to address possible vulnerabilities proactively


• Is a way of proactively removing weaknesses from your information security
program. An effective security program utilizes automated vulnerability
management tools to identify possible vulnerabilities in your computing
environment.
• Two types of VM tools:

- network based (scan network traffic); and

- host based (scan physical devices)

Based on a WhiteSource blog post by Ayala Goldstein (2020), there are things that an
enterprise needs to know about vulnerability management, since it is becoming
increasingly important to companies due to the rising threat of cyber security attacks and
regulations like PCI DSS, HIPAA, NIST 800-731 and more. Vulnerability management is a
comprehensive process implemented to continuously identify, evaluate, classify,
remediate, and report on security vulnerabilities.

While vulnerability management isn’t a novel concept for most companies, it’s become
clear that formerly accepted practices — such as quarterly vulnerability scans and
remediation management plans — are severely deficient means of defense.

Today, minimizing your attack surface and overall risk exposure requires a continuous
approach that increases visibility over vulnerabilities and enables rapid remediation.

What is Vulnerability Management?

While the term vulnerability management is often used interchangeably with patch
management, they are not the same thing. Rather, the decision to use a patch, or not,
falls within the broader context of vulnerability management.

Vulnerability management includes much more than scanning and patching. It requires a
holistic view in order to make informed decisions about which vulnerabilities to address
first and how to mitigate them. Most vulnerability management programs focus on four
stages.

The 4 Stages of Vulnerability Management

#1 Identification

The first stage in your vulnerability management program will be to identify all of the
vulnerabilities that exist across your IT ecosystems. In order to achieve this you will need
to define your IT assets and find the right vulnerability scanners for each asset.

The vulnerability scanner you’ll use to identify vulnerabilities in your network and in your
applications will not be the same. When it comes to application security, you will need to
use at least two different technologies in order to detect vulnerabilities in your proprietary
code and open source libraries.

This is an essential part of vulnerability management and one that is becoming
increasingly challenging as organizations’ IT ecosystems become more expansive,
complex, and interconnected.

According to the Center for Internet Security, organizations should perform automated
vulnerability scans at least once a week. More frequent scanning will give you greater
clarity on the progress of your remediation and help you identify new risks based on
updated vulnerability information.

#2 Evaluation

After you’ve identified the vulnerabilities that exist across your systems, the next step is to
evaluate the risks they pose and determine how to manage them. While it’s important to
understand the risk ratings that your vulnerability management solution provides, such as
Common Vulnerability Scoring System (CVSS) scores, you will also want to understand
other real-world risk factors.

Some additional factors to consider include:

• How easily could someone exploit this vulnerability, and is there published exploit code
available?
• Does the vulnerability directly impact the security of our product?
• What would the business impact be if this vulnerability was exploited?
• Do we have any existing security protocols that would reduce the likelihood/consequence
of these vulnerabilities being exploited?

It’s also important to know whether any identified vulnerabilities are false positives. With
tools and techniques that enable vulnerability validation, such as penetration testing, you
can identify false positives and focus on the vulnerabilities that pose the biggest risk to
your organization.

#3 Remediation


After you’ve identified and evaluated vulnerabilities, the next step is to determine how to
prioritize and address them.

Your vulnerability management solution will likely recommend which remediation
technique you should use for each vulnerability. It’s best that your security team, system
owners, and system administrators weigh in to determine the right strategy.

There are three general routes you can take:

1. Remediation: Completely preventing exploitation by patching, correcting, or replacing
code that contains a vulnerability.

2. Mitigation: Reducing the probability or impact of a vulnerability. This is usually a
temporary solution that organizations use until they can remediate the vulnerability.

3. No action: Acknowledging and accepting the vulnerability. Organizations typically only do
this when the cost of remediating the vulnerability is much higher than the consequences
of it being exploited.

After you’ve finished the remediation process, you can check to see that the vulnerability
was completely resolved by performing another scan.

#4 Reporting

By making vulnerability assessments a routine practice, you’ll gain greater insight into the
efficacy, speed, and cost of your vulnerability management program.

Most vulnerability management systems let you export the data from your various
vulnerability scanners so your security team can more easily understand the security
posture of each asset and track it with time to identify trends like increased vulnerability
detection or decreased remediation velocity.

Consistent reporting will help your security team to comply with your organization’s risk
management KPIs as well as regulatory requirements.

Vulnerability Management Excellence Depends on Continuity


Vulnerability management is difficult because it must be performed continuously to ensure
that all of your applications and systems are constantly up-to-date and each new
vulnerability is discovered as soon as possible.

Another important aspect you must take into consideration is that in order to change the
mindset of your teams, you need to implement continuous processes that will impact their
day-to-day work. Periodical testing and remediation are not enough if you want to ensure
that you are on top of your security status, or to shift the mindset of your teams.

This type of continuity requires automation. Automating the repetitive tasks to carry out
those practices can save you valuable resources and help avoid human error.

Prioritization Is Key

The goal of security teams is to fix all vulnerabilities detected in the company’s assets.

The problem is that this is nearly an impossible goal, which overloads the system and
makes many teams frustrated with vulnerability management processes.
Therefore, prioritization is the key to a successful implementation of new vulnerability
management programs.

You need to ensure that clear guidelines are set for each asset regarding which
vulnerabilities should be remediated and which should not. Many vulnerability
management consultants can help define a risk based prioritization procedure based on
the company’s assets and market.
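The Evaluation, Remediation and Prioritization stages above, carried through as one risk-based triage: an added example written for this module, not the WhiteSource author's code or any scanner's. The weighting factors, the score thresholds that map a finding to one of the three routes (remediation, mitigation, no action), the asset names and the placeholder vulnerability ids are all constructed; a real program would tune the weights per asset as the text recommends.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    vuln_id: str            # placeholder ids below, not real advisories
    cvss: float             # scanner-provided base score (0-10)
    exploit_public: bool    # "is there published exploit code available?"
    exposed: bool           # reachable from the Internet?
    product_impact: bool    # "directly impacts the security of our product?"
    compensating: bool      # an existing control reduces likelihood/consequence
    false_positive: bool = False   # confirmed by validation (e.g. a penetration test)


def priority_score(f: Finding) -> float:
    """CVSS adjusted by the real-world factors listed under Evaluation.
    Weights are constructed for illustration."""
    score = f.cvss
    if f.exploit_public:
        score *= 1.5
    if f.exposed:
        score *= 1.3
    if f.product_impact:
        score += 1.0
    if f.compensating:
        score *= 0.6
    return round(min(score, 10.0), 1)


def recommend(f: Finding) -> str:
    """Map a finding to one of the three routes described under Remediation."""
    if f.false_positive:
        return "no action (false positive)"
    s = priority_score(f)
    if s >= 7.0:
        return "remediation"          # patch, correct or replace the code
    if s >= 4.0:
        return "mitigation"           # reduce probability/impact until remediated
    return "no action (accepted risk)"


def triage(findings: list[Finding]) -> list[tuple[str, str, float, str]]:
    """Worklist sorted highest risk first: (asset, id, score, route)."""
    rows = [(f.asset, f.vuln_id, priority_score(f), recommend(f)) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def verify_remediated(before: set[str], rescan: set[str]) -> set[str]:
    """Closing the loop: items reported before but absent from the rescan."""
    return before - rescan


# Constructed scanner output.
SAMPLE = [
    Finding("web-01", "VULN-PLACEHOLDER-1", 9.8, True, True, True, False),
    Finding("db-02", "VULN-PLACEHOLDER-2", 6.5, False, False, False, True),
    Finding("app-03", "VULN-PLACEHOLDER-3", 4.0, True, False, False, False),
    Finding("build-04", "VULN-PLACEHOLDER-4", 8.0, False, False, False, False,
            false_positive=True),
]
```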

5. Intrusion Detection
• IDS (Intrusion Detection System)
• Reacts to unauthorized access to your network
• Monitors traffic and events on your network and clients, looking for patterns that
might indicate an attack is occurring or has occurred in the past.

Two methods of identifying intrusion:

1. Signature-based recognition

- Recognizes the pattern or signature of a known attack and reports it.

2. Anomaly detection

- Relies on determining patterns of normal behavior and then detecting behavior that is
different from the norm.

What is an Intrusion Detection System?

Barracuda's official website explains that an intrusion detection system (IDS) is a device
or software application that monitors a network for malicious activity or policy violations.
Any malicious activity or violation is typically reported or collected centrally using a
security information and event management system. Some IDSs are capable of
responding to a detected intrusion upon discovery. These are classified as intrusion
prevention systems (IPS).

IDS Detection Types

There is a wide array of IDS, ranging from antivirus software to tiered monitoring systems
that follow the traffic of an entire network. The most common classifications are:

• Network intrusion detection systems (NIDS): A system that analyzes incoming
network traffic.
• Host-based intrusion detection systems (HIDS): A system that monitors important
operating system files.

There is also a subset of IDS types. The most common variants are based on signature
detection and anomaly detection.

• Signature-based: A signature-based IDS detects possible threats by looking for
specific patterns, such as byte sequences in network traffic, or known malicious
instruction sequences used by malware. This terminology originates from antivirus
software, which refers to these detected patterns as signatures. Although a
signature-based IDS can easily detect known attacks, it cannot detect new
attacks for which no pattern is available yet.
• Anomaly-based: A newer technology designed to detect and adapt to unknown
attacks, primarily due to the explosion of malware. This detection method uses
machine learning to create a defined model of trustworthy activity, and then
compares new behavior against this trust model. While this approach enables the
detection of previously unknown attacks, it can suffer from false positives:
previously unknown legitimate activity can accidentally be classified as malicious.
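The two detection approaches side by side, as an added example that is not part of the module: a signature matcher over payloads and a behavioral baseline of destination ports per host. The rule set, the hosts and the traffic records are all constructed for this illustration; the last host shows the false-positive case described above.

```python
import re
from collections import defaultdict

# Signature rules (constructed for this example, not a real IDS rule set): a rule name
# and the byte/text pattern a signature-based IDS would look for in a payload.
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "smb_probe": re.compile(r"\xffSMB"),
}

# Constructed sample records (src_ip, dst_port, payload): a training window of normal
# traffic and a later window to inspect. None of this is real captured traffic.
TRAINING = [
    ("10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    ("10.0.0.5", 443, ""),
    ("10.0.0.20", 22, "SSH-2.0-OpenSSH_8.9"),
]
WINDOW = (
    [("10.0.0.5", 80, "GET /login?user=' OR '1'='1 HTTP/1.1"),  # matches a known pattern
     ("10.0.0.5", 443, "")]
    + [("10.0.0.7", p, "") for p in (21, 22, 23, 25)]           # one host, many ports
    + [("10.0.0.7", 445, "\x00\x00\x00\x54\xffSMB")]
    + [("10.0.0.20", p, "") for p in (135, 139, 445, 3389)]     # new but legitimate admin use
)

def signature_alerts(events):
    """Signature-based: report every event whose payload matches a known pattern."""
    return [(src, name) for src, _port, payload in events
            for name, rx in SIGNATURES.items() if rx.search(payload)]

def baseline_ports(training):
    """Anomaly-based, step 1: learn which destination ports each host normally uses."""
    seen = defaultdict(set)
    for src, port, _payload in training:
        seen[src].add(port)
    return seen

def anomaly_alerts(baseline, events, max_new_ports=3):
    """Anomaly-based, step 2: flag hosts reaching more than max_new_ports ports that
    are absent from their baseline (a scan-like deviation from the learned norm)."""
    new_ports = defaultdict(set)
    for src, port, _payload in events:
        if port not in baseline.get(src, set()):
            new_ports[src].add(port)
    return sorted((src, len(ports)) for src, ports in new_ports.items()
                  if len(ports) > max_new_ports)

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(WINDOW))
    print("anomaly alerts:", anomaly_alerts(baseline_ports(TRAINING), WINDOW))
```

The signature pass only catches the two payloads with a known pattern, while the anomaly pass catches the scanning host it has no signature for but also flags 10.0.0.20, whose new ports are legitimate activity absent from the baseline.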

IDS Usage in Networks

When placed at a strategic point or points within a network to monitor traffic to and from
all devices on the network, an IDS will perform an analysis of passing traffic, and match
the traffic that is passed on the subnets to the library of known attacks. Once an attack is
identified, or abnormal behavior is sensed, the alert can be sent to the administrator.


Evasion Techniques

Being aware of the techniques available to cyber criminals who are trying to breach a
secure network can help IT departments understand how IDS systems can be tricked into
missing actionable threats:

• Fragmentation: Sending fragmented packets allows the attacker to stay under the
radar, bypassing the detection system's ability to detect the attack signature.
• Avoiding defaults: The port used by a protocol does not always indicate which
protocol is being transported. If an attacker has reconfigured a trojan to use a
different port, the IDS may not be able to detect its presence.
• Coordinated, low-bandwidth attacks: Coordinating a scan among numerous
attackers, or even allocating various ports or hosts to different attackers. This
makes it difficult for the IDS to correlate the captured packets and deduce that a
network scan is in progress.
• Address spoofing/proxying: Attackers can obscure the source of the attack by using
poorly secured or incorrectly configured proxy servers to bounce an attack. If the
source is spoofed and bounced by a server, it becomes very difficult to detect.
• Pattern change evasion: An IDS relies on pattern matching to detect attacks. By making
slight adjustments to the attack's structure, detection can be avoided.

Why Intrusion Detection Systems are Important

Modern networked business environments require a high level of security to ensure safe
and trusted communication of information between various organizations. An intrusion
detection system acts as an adaptable safeguard technology for system security after
traditional technologies fail. Cyber-attacks will only become more sophisticated, so it is
important that protection technologies adapt along with their threats.

6. Content Filtering
• The internet contains a vast amount of information, the majority of which is helpful
and appropriate for all audiences.
• Content filtering tools can filter this information, ensuring that children or your
employees are not able to access inappropriate material.
• Two major categories of tools:

1. web/internet filter

2. email filter

• Ensures that personnel do not access inappropriate material using your company's
network.


What is content filtering?


Web content filtering, according to Webroot, is the practice of blocking access to web
content that may be deemed offensive, inappropriate, or even dangerous. Families will be
well aware of the need to apply internet content filters to material not suitable for young
children, but content filtering has its place in the business world, too.

How does content filtering work?


Content filtering works by using hardware or software-based solutions to establish rules
about the types of sites that may be visited. Using keywords or other commonalities
between sites, content is grouped into categories (such as sports, gambling, adult,
streaming, and so on) and those sites in undesirable categories are blocked on the
network.

Keeping objectionable content away from children is one of the more obvious use cases
for web content filtering. But DNS filtering, a specific type of content filtering that uses the
DNS layer to filter based on IP addresses, is increasingly being adopted by businesses
as a means of controlling web use and reducing infections. When content is filtered
according to sites known to pose a high risk of malware, those sites can be blocked
before they have the chance to drop malicious payloads. When known distractions like
social media and streaming video sites are blocked, productivity increases.
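A minimal category-based DNS filter of the kind described above, as an added example that is not from the module or from any vendor: domains are grouped into categories, a policy names the blocked categories, and blocked names get a sinkhole answer instead of a real one. The category lists, the upstream answers and the `.test` domain names are all constructed for the example.

```python
# Category feeds (constructed; a real filtering product ships its own categorized lists).
CATEGORY_DOMAINS = {
    "gambling": {"bet-example.test"},
    "streaming": {"video-example.test"},
    "malware": {"dropper-example.test"},
    "social": {"social-example.test"},
}
# Policy: which categories this network blocks. Streaming is deliberately left allowed.
BLOCKED_CATEGORIES = {"gambling", "malware", "social"}
SINKHOLE_IP = "0.0.0.0"  # answer for blocked names, so the client never reaches the site

# Stand-in for the upstream resolver (constructed answers, TEST-NET documentation IPs).
UPSTREAM = {
    "news-example.test": "203.0.113.10",
    "video-example.test": "203.0.113.20",
    "bet-example.test": "203.0.113.30",
}

def categorize(name):
    """Walk from the full name up through its parents so that subdomains inherit
    the category of their parent domain (cdn.social-example.test -> social)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for category, domains in CATEGORY_DOMAINS.items():
            if candidate in domains:
                return category
    return None

def resolve(name, upstream=UPSTREAM):
    """Decide the DNS answer: sinkhole names in a blocked category, otherwise
    pass the query to the upstream resolver and return its answer."""
    category = categorize(name)
    key = name.lower().rstrip(".")
    if category in BLOCKED_CATEGORIES:
        return {"name": key, "action": "block", "category": category, "answer": SINKHOLE_IP}
    return {"name": key, "action": "allow", "category": category,
            "answer": upstream.get(key, "NXDOMAIN")}

def filter_log(queries):
    """Summarize a batch of queries as (name, action, category) for the filter's log."""
    return [(r["name"], r["action"], r["category"]) for r in map(resolve, queries)]

if __name__ == "__main__":
    for line in filter_log(["news-example.test", "cdn.social-example.test",
                            "www.dropper-example.test", "video-example.test"]):
        print(line)
```

Note that filtering at the DNS layer only helps for clients that use this resolver; a client pointed at another resolver, or using an IP address directly, bypasses it.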

7. Encryption

• Is the process of converting data into a format that unauthorized persons cannot
easily read.
• Two main forms:

- Symmetric - both parties use the same secret key for encrypting and
decrypting messages

- Asymmetric - (more secure) has a public and a private key for encryption and
decryption

Encryption prevents someone from eavesdropping on your private messages,
protects network traffic, and facilitates authentication.

How Encryption Works


Encryption uses algorithms to scramble your information. It is then transmitted to the
receiving party, who is able to decode the message with a key. There are many types of
algorithms, which all involve different ways of scrambling and then decrypting information.


How are Encryption Keys Generated?

Figure 7: Data encryption

Keys are usually generated with random number generators, or computer algorithms that
mimic random number generators. A more complex way that computers can create keys is
by using user mouse movement to create unique seeds. Modern systems that
have forward secrecy involve generating a fresh key for every session, to add another
layer of security.

Search Encrypt Terms


Key: A random string of bits created specifically for scrambling and unscrambling data.
These are used to encrypt and/or decrypt data. Each key is unique and created via an
algorithm to make sure it is unpredictable. Longer keys are harder to crack. Common key
lengths are 128 bits for symmetric key algorithms and 2048 bits for public-key algorithms.

• Private Key (or Symmetric Key): This means that the encryption and decryption keys
are the same. The two parties must have the same key before they can achieve
secure communication.

• Public Key: This means that the encryption key is published and available for anyone
to use. Only the receiving party has access to the decryption key that enables them to
read the message.

Cipher: An algorithm used for encryption or decryption. It is a set of steps that are followed
as a procedure to encrypt information. There are two main types of ciphers, block ciphers
and stream ciphers.

Algorithm: An algorithm is the procedure that the encryption process follows. The specific
algorithm is called the cipher, or code. There are many types of encryption algorithms. The
encryption’s goal and level of security determines the most effective solution. Triple DES,
RSA and Blowfish are some examples of encryption algorithms, or ciphers.


Decryption: The process of switching unreadable cipher text to readable information.

Cryptanalysis: The study of ciphers and cryptosystems to find weaknesses in them that
would allow access to the information without knowing the key or algorithm.

Frequency Analysis: A technique used to crack a cipher. Those trying to decrypt a
message will study the frequency of letters or groups of letters in a ciphertext. Because
some letters occur more often than others, the frequency of letters can reveal parts of the
encrypted message. While this method was effective in cracking old encryption methods, it
is ineffective against modern encryption.

How Does Search Encrypt Use Data Encryption?

Figure 8: Search encrypt

Search Encrypt uses multiple methods of encryption to ensure maximum security. All
requests to Search Encrypt are made over SSL (Secure Sockets Layer), which is the
preferred method for websites that deal with sensitive information like financial information,
social security numbers or passwords.

Unlike basic encryption, which would use one key, SSL uses a public and a private key
together to create a secure connection. Sites like Google, which track user data, use this
method to encrypt information about their users.

To protect our users' information even more, we use a short-lived key for client-side
encryption of search history. This means that even if someone accesses your computer,
your searches are gone. The short-lived key has expired, and the information can't be
decrypted. Search Encrypt uses this expiring key to ensure perfect forward secrecy.
Search Encrypt is a privacy-based search engine. It was created and designed with
privacy as its number one priority.


Activity 01: Enumerate and Discuss


1. Provide the 7 IS Technology Components. Define each technology briefly and
cite valid examples.


Activity 02: Essay (20pts.)


01. Choose two of the 7 IS technology components. Why do you think they are the best IS
technology solutions that every enterprise should have? Defend your answer. (You
may also discuss the pros and cons of the chosen IS technologies.)


02. Explain why the Enterprise IS program elements are interconnected and always
dependent on each other. (10pts)


Activity 03:
1. Identify the 7 IS Technology Components and discuss how each works. You may
also expand the table and/or use separate pages if needed. (10 pts each)
