Risk management involves assessing security risks, determining their potential impacts, and taking steps to mitigate them. There are proactive and reactive approaches to risk management. Proactive risk management identifies risks before incidents occur using techniques like risk assessment, while reactive risk management responds after problems are found. Information security risk management involves assessing technical risks through methods like quantitative and qualitative risk assessment as well as frameworks like OCTAVE and COBIT. Network security uses tools like firewalls and intrusion detection systems to control access and monitor networks for threats.

1. INFORMATION SECURITY MANAGEMENT:
A. SECURITY RISK ASSESSMENT AND MANAGEMENT:
 RISK: Risk is potential harm that may arise from some current process. Risk is accessed
by identifying threats and vulnerabilities and determining the impact for each risk.
 RISK MANAGEMENT: Risk management is the process of understanding and responding
to factors that may lead to failure in the confidentiality, integrity or availability of an
information system. There are three steps of risk management:
1. Risk Assessment.
2. Risk Mitigation.
3. Risk Evaluation.
ie:
a) Identification and evaluation of risk.
b) Identifying the levels of risk.
c) Weakness of the risk.
 Factors of the risk management are as follows:
1. Risk Avoidance: Implementing actions to reduce the risk.
2. Risk Reduction: Implementing actions to reduce the risk.
3. Risk Spreading: Distributing risk across various programs.
4. Risk Transfer: Ensuring the costs incurred by loss taken place.
5. Risk Acceptance: It is a knowledgeable determination to view risk and managing it as
best level.
 REACTIVE APPROACH TO RISK MANAGEMENT: Reactive risk management is brought
into action once an accident happens or problems are identified after the audit. The
accident is investigated and measures are taken to avoid similar events happening in the
future. Reactive risk management catalogues all previous accidents and documents
them to find the errors which lead to the accident.
 PROACTIVE APPROACH TO RISK MANAGEMENT: It can be defined as “Adaptive, closed
loop feedback control strategy based on measurement, observation of the present
safety levels. Identifies all relevant risk types before an incident occurs.
 FEATURES OF PROACTIVE AND REACTIVE RISK MANAGEMENT:
1. TIMEFRAME: Reactive risk management solely depends on past accidental
analysis and response. Proactive risk management combines a mixed method of
past, present and future predictions before finding solutions to avoid risks.
2. FLEXIBILITY: Reactive risk management does not support prediction, creativity
and problem-solving ability of humans which makes it less flexible to changes

2. and challenges. Proactive risk management includes creative thinking and
prediction. Further, it depends on the accident source to reduce the accident.
 RISK ASSESSMENT: It is the first process in the risk management methodology. Risk
assessment methodology includes primary step as:
1. System Characteristics.
2. Threat Identification.
3. Vulnerability Identification.
4. Control Analysis.
5. Likelihood Determination.
6. Impact Analysis.
7. Risk Determination.
8. Control Recommendations.
9. Results Documentation.
 QUANTITATIVE RISK ASSESSMENT: Standard way of measuring risks in many fields such
as insurance, but it is not commonly used to measure risk in information systems. Two
of the reasons are:
1. Difficulties in identifying and assigning values to assets.
2. Lack of statistical information that would make it possible to determine
frequency.
 It looks upon methodologies used by financial institutions and insurance companies.
 Quantitative risk can be expressed as:
ALE=SLE*ARO
 Annualized Loss Expectancy (ALE): It is the expected monetary loss that can be
expected for an asset due to a risk being realized over a one-year period.
 Single Loss Expectancy(SLE): It is the value of a single loss of the asset. This is the impact
of the loss.
 Annualized Rate of Occurrence (ARO): It is how often the loss occurs.
 This is not cost-effective way to perform a quantitative risk assessment for an IT system,
due to difficulty in obtaining accurate and complete information.
 If the information is reliable, this type of assessment is extremely powerful tool to
communicate risks to all level of management.
 QUALITATIVE RISK ASSESSMENT: It supports the uncertainty and impact values of risk
in subjective or qualitative terms. It typically gives risk results as “High”, “Moderate” and
“Low”.
1) Identifying Threats: Some common threat source includes:
a) Natural Threats: Flood, Earthquakes, Hurricanes etc.
b) Human Threats: Threats caused by human beings including unintentional
network-based attacks, virus infection and unauthorized access.
ALE=SLE*ARO

3. c) Environmental Threats: Power failure, pollution, chemicals and water
damage.
2) Identifying Vulnerabilities:
a) Vulnerability Scanners: Software that can examine an operating system,
network application or code for flaws by comparing the system to a
database or flaw signatures.
b) Penetration Testing: An attempt by human security analyst to exercise
threats against the system. This includes operational vulnerabilities such
as social engineering.
3) Defining Likelihood:
a) Low: 0-25% chances of successful exercise of threat during a one-year
period.
b) Moderate: 26-75% chances of successful exercise of threat during a one-
year period.
c) High: 76-100% chances of successful exercise of threat during a one-year
period.
4) Defining Impact:
a) Low: The loss of confidentiality leads to limited effect on the
organization.
The loss of integrity leads to limited effect on the organization.
The loss of availability leads to limited effect on the organization.
b) Moderate: Confidentiality leads to serious effect on the organization.
Integrity leads to serious effect on the organization.
Availability leads to serious effect on the organization.
c) High: Confidentiality leads to a more severe effect on the organization.
Integrity leads to a more severe effect on the organization.
Availability leads to a more severe effect on the organization.
 MANAGING THE RISK:
i. Mitigation: It involves the fixing of flaws to reduce the likelihood
or impact associated with the flaw.
ii. Transference: It is a process of allowing another group of people
to accept the risk on your behalf. It is not widely done for IT
system but for general systems such as insurance etc.
iii. Acceptance: It allows the systemto operate within a known risk.
The risk is classified in two ways:
 Low risk: This is simply acceptable.
 High risk: It requires high cost of mitigation.

4. iv. Avoidance: It is a process of removing the vulnerability of the
system especially in IT systems.
v. Communicating Risks: In the organization, the risk must be
communicated to the management to resolve the risk and find
solutions. Risk management decisions are based on cost of the
risk. It is compared with the cost risk management strategy.
 OCTAVE APPROACH(OPERATIONALLY CRITICAL THREAT ASSET VULNERABILITY
EVALUATION) APPROACH:
 This approach is developed by software engineering institute.
 It helps the organization to improve the ability to manage and protect
themselves from information security risk.
 It is a workshop-based method rather than tool-based which means the
participants needs to understand the risk and its components rather than using a
tool. There are three phases of workshop:
i. Phase 1: It collects the knowledge about important asset, threats and
various methods as a solution from senior managers.
a) Process 1: Identifies senior management knowledge.
b) Process 2: Identifies operational area management knowledge.
c) Process 3: Identifies staff knowledge.
d) Process 4: Create threat profiles.
ii. Phase 2: It collects the knowledge from operational area managers.
a) Process 5: Identifies key components.
b) Process 6: Evaluates selected components.
iii. Phase 3: It collects the knowledge from the staff.
a) Process 7: Conducting risk analysis.
b) Process 8: Develop a protection strategy.
 COBIT APPROACH(CONTROL OBJECTIVES FOR INFORMATION AND RELATED
TECHNOLOGY)APPROACH:
 It is an IT governance framework and supporting toolset that allows managers to
bridge the gap between control requirements, technical issues and business
risks.
 It uses a maturity mode as a means of assessing the maturity of the processes.
 The model encompasses the following levels:
i. Non-existent.
ii. Initial/ad hoc.
iii. Repeatable but intuitive.
iv. Defined process.
v. Managed and measurable.
vi. Optimized.

5.  COBIT is made up of number of domains are:
1. Plan and Organize(PO):
i. Process 1: Define a strategic IT plan and direction.
ii. Process 2: Define the Information Architecture.
iii. Process 3: Determine Technological Direction.
iv. Process 4: Define the IT Processes, Organization and Relationships.
v. Process 5: Manage the IT Investments.
vi. Process 6: Communicate Management Aims and Direction.
vii. Process 7: Manage IT Human Resources.
viii. Process 8: Manage Quality.
ix. Process 9: Assess and Manage IT risks.
x. Process 10: Manage Projects.
2. Acquire and Implement(AI):
i. Process 1: Identify Automated Solutions.
ii. Process 2: Acquire and Maintain Application Software.
iii. Process 3: Acquire and Maintain Technology Infrastructure.
iv. Process 4: Enable Operation and Use.
v. Process 5: Procure IT resources.
vi. Process 6: Manage Changes.
vii. Process 7: Install and Accredit Solutions and Changes.
3. Deliver and Support(DS):
i. Process 1: Define and Manage Service Levels.
ii. Process 2: Manage Third Party Services.
iii. Process 3: Manage Performance and Capacity.
iv. Process 4: Ensure Continuous Service.
v. Process 5: Ensure Systems Security.
vi. Process 6: Identify and Allocate Costs.
vii. Process 7: Educate and Train Users.
viii. Process 8: Manage Service Desk and Incidents.
ix. Process 9: Manage the configuration.
x. Process 10: Manage Problems.
xi. Process 11: Manage Data.
xii. Process 12: Manage the physical environment.
xiii. Process 13: Manage Operations.
4. Monitor and Evaluate(ME):
i. Process 1: Monitor and Evaluate IT Processes.
ii. Process 2: Monitor and Evaluate Internal Control.
iii. Process 3: Ensure Regulatory Compliance

6. iv. Process 4: Provide IT Governance.
B. SECURITY MANAGEMENTOF ITSYSTEMS:
 NETWORKSECURITY:
 INTRODUCTION TO NETWORK SECURITY: It is used to control major access to computer
network and its services practically. There are three elements of network security such
as:
1. Cryptography.
2. Secure Network Protocols.
3. Access Control Mechanisms.
 TYPES OF NETWORKS:
1. TRUSTED AND UNTRUSTED NETWORK:
 Trusted Networks are the organization is responsible to protect from
various kinds of attacks.
 This type of network includes authorized users within organization to
access and control security measures.
 The use of firewalls helps to identify the type of configuration in an
organization.
 Untrusted Networks are the networks that are known to be outside of
an organization security parameter.
 The organization has no control on such networks and security policies
for such network.
2. SEMI-TRUSTED NETWORK:
 In this, the use of internet is considered as a part of communication. It
also includes proxy servers and domain name systems and it is not used
for sharing confidential information.
 NETWORK ATTACKS:
 In this type of attack, intruder tries to attack the network and get
information about the resources of the network.
 Network attacks can be classified as follows:
a. Interruption: Denial of Service to authorized users.
b. Interception: Unauthorized users are trying to obtain access to the
particular service.
c. Modification: Unauthorized access and tampering with data.
d. Fabrication: It checks the authenticity of users as well as data.
 There are five methods of attacks:
a. Password Attacks: This method is implemented using various
programs such as Trojans, packet sniffers and IP spoofing.

7. Password attacks usually refer to identify a user account or
password for repeated number of times.
b. Network Packet Sniffers: It is a software application that uses
network adapter card that senses all the packets received on
local area network. Most of the network applications distribute
packets in a clear text which allows the attacker to obtain
username and passwords easily.
c. IP spoofing and DOS attack: This attack occurs when the
attacker situated outside the network and seems like a trusted
computer. By using IP address within a particular range of the
network allows the user to get specified resources on the
network.
 DOS Attack: In this attack, the systemreceiving the
request becomes flooded with network traffic and
further the service is not able to respond.
d. Distribution of Sensitive Information: In organization, the
network security policy affects the distribution of data in the
network. The majority of computer attacks often come from
people within the organization or outside the organization.
e. Man-in-the middle attack: The attacker tries to access the
communication and packets being transferred over the
network. Information such as ID, passwords can be easily
intercepted by using websites.
 NETWORK SECURITY DIMENSIONS:
 In networks, protecting confidential information becomes a critical task
for the internet users.
 Some common issues for network security are as follows:
i. Attack against information and physical asset in the organization.
ii. Security of wireless network.
iii. World Wide Web Security.
iv. Intrusion Detection System.
v. Host Security.
 FIREWALLS: It protects the network and controls network traffic and provides restricted
access in a computer network. It consists of hardware and software keeps the track of
user, IP address and maintains the confidentiality of information.
 NEED OF FIREWALL:
i. Remote Login: It is a process of connecting to a computer and access the files
easily.

8. ii. Viruses: Firewall tries to prevent viruses to spread across the network.
iii. Spam: It contains link to the websites, emails which tries to harm the system.
iv. Application Backdoor: It means providing hidden access to the program for the
data in the network.
v. Macros: It allows repeated execution of commands and often hacker can use
macro to destroy the data.
vi. SMTP Session Hijacking: It is concerned with sending email and requires SMTP
server to communicate between host and actual sender who is involved in
sending spam mails.
vii. Email Bombs: It is a type of personal attack where someone sends the email
thousands of times until the system cannot accept any more messages.
 TYPES OF FIREWALLS:
A. Packet Filter Firewalls: In this firewall, the routers examine every packet flowing
in the network and tries to control the security of network. They look after
destination address and block the packets based on conditions. It has certain set
criteria:
i. Source IP Address.
ii. Destination IP Address.
iii. TCP, UDP Protocols (Source).
iv. TCP, UDP Destination Port.
Packet filter has certain limitations:
i. No logging capability (administrator is not able to determine whether
router or firewall is compromised).
ii. Difficulty in testing packet filtering rules.
iii. Separate mechanism for authentication is required on each host.
B. Application Level Firewalls: In this type of firewall, a host computer is running
proxy server software and manages the flow of packets from one network to
another. It operates at application layer of OSI model. It analyzes every data
packet and decides whether to forward the packet or not.
INTERNET
ROUTER
PC 1 PC 2 PC 3
LAN

9. C. Screened Host Firewall: In this type of firewall, it uses the concept of packet
filtering router and bastion host.
 Bastion Host is a gateway between internal and external network. It also
provides single entrance, exit points to the Internet. It provides services at
network layer and application layer of OSI model. The bastion host is
configured on the local trusted network and packet filter router is
configured on untrusted network.
FIG 1: SCREENED HOST FIREWALL.
ACTUAL
CLIENT
FILE SERVERPROXY
SERVER
ANALYSISOF
APPLICATION
PROTOCOL
PROXY
CLIENT
REQUEST
FORWADED REPLY
REPLY
FORWADED REQUEST
PC
PC PC
PC
INTERNET
PACKETFILTER
ROUTER
INFORMATION SERVER
APPLICATION
GATEWAY
INTERNALNETWORK

10. FIG 2: BASTION HOST.
 DESIGN AND IMPLEMENTATION ISSUES IN FIREWALL:
a) In an organization, the policy of security is configured to support IT architecture.
The firewall is configured to deny all services and provide good audit methods.
b) The objective of organization needs to be implemented and a checklist is
prepared to monitor activities in the organization.
c) It includes design architecture and implementation of firewalls. The cost to
implement firewall is high in terms of configuration.
 POLICIES OF FIREWALL:
a) It blocks unwanted traffic.
b) It hides vulnerable systems that are different to secure from Internet.
c) It keeps the track of data flow in the private network.
d) It can hide critical information such as network topology, user ids etc.
e) Firewalls combined with IDS provides good authentication.
f) It allows us to direct network traffic to trustworthy systems.
 INTRUSION DETECTION SYSTEM(IDS):
o It can detect several intrusions that pass through firewall or local area network
(LAN).
o The security policy in the organization allows firewalls to support IDS, router
security, host security etc.
 CATEGORIES OF IDS:
a) Misuse Detection: It analyzes the information and compares with a database of
attack signatures. It depends on the type of attacks documented and is only
good for network packets.
b) Anomaly Detection: It consists of network traffic state, protocol, packet size
which can be monitored against present state to identify anomalies.
INTERNET ROUTER PROTECTION
NETWORK
BASTION
HOST
ROUTER PERMITS TRAFFICBETWEEN
BASTION HOST
SCREENED HOST
PC

11. c) Network based IDS: It focuses on network traffic and tries to uncover possible
attacks. It detects malicious packets shared by attackers and filters out such
packets. NIDS is not able to detect attacks against a host in which intruder is
logged in.
d) Host based IDS: It is installed on individual work stations to track inappropriate
attacks. In this, IDS examines activity of computers based on systemfiles and
administrative rights.
e) Passive IDS: It detects security breach and logs the information and system
alerts.
f) Reactive IDS: In this, IDS manages suspicious activities such as logging off the
system, configuring firewall to block network traffic etc.
 CHARACTERISTICS OF GOOD IDS:
a) Uptime: In this, the system should have smooth and continuous efficiency
running in the background.
b) Fault Tolerance: In system crash, the entire computer should be capable to
manage the errors and continue with its activities.
c) Robustness: The systemshould be able to monitor itself from suspicious
network activities such as malicious code.
d) Performance: The systemshould be much effective to support all the activities
with effective timeframe.
e) Easy Adaptability: The systemshould adapt to the changing environment by
making changes, addition new applications and supporting new upgrades.
f) Easy Configurability: Every systemshould have support of different patterns and
should be easy to adapt to such set of patterns.