Introduction to Security Management by Ashok Panwar
1. Computer Security and Cryptography
Didactic Material for Free Distribution
Introduction to Security Management
Presented By:-
Ashok Panwar
Technical Officer in ECIL(NPCIL)
Tarapur, Mumbai
2. Logical & Physical Data Protection
All data must be protected by applying:
Logical Security
◦ Protection tools for the information in the same environment in which it is generated or transmitted.
◦ Authentication protocols between client and server.
◦ Application of network standards, etc.
◦ Risk prevention measures also belong in this chapter: the setting up of security policies, contingency plans, the applicable regulations, current legislation, etc.
Physical Security
◦ Procedures for physical protection of the system: staff access, fires, floods, earthquakes, etc.
Presented By:-
Ashok Panwar
Technical Officer in ECIL
5/2/2019 2
3. Physical Security in PC Environments
Things to consider in PC environments:
Anchoring to desktops.
Locks.
Cards with alarm.
Special adhesive labels.
Floppy drive blocking.
Keyboard protectors.
Hardware access control card.
Uninterruptible power supply.
Ground connection (GFCI).
Elimination of static electricity, etc.
4. Risk analysis: strategic plan
Risk analysis is the process of identifying and evaluating the risk of suffering an attack and the resulting loss of data, time and working hours, and of comparing it with the cost of preventing that event.
The analysis not only leads to establishing an adequate security level; it also gives a better understanding of the system we are going to protect.
A tool that supports risk analysis (MAGERIT) can be downloaded from the link below:
http://www.csi.map.es/csi/pdf/magerit_ingles.pdf
5. Risk analysis information
Information obtained from a risk analysis:
◦ Precise determination of the sensitive resources in the organization.
◦ Identification of threats to the system.
◦ Identification of specific vulnerabilities in the system.
◦ Identification of possible losses.
◦ Identification of the probability that each loss happens.
◦ Derivation of effective countermeasures.
◦ Identification of security tools.
◦ Implementation of a security system that is efficient in cost and time.
6. Basic equation for risk analysis
Is B < P·L ?
◦ B: the burden or expense of preventing a specific loss due to a vulnerability.
◦ P: the probability that the vulnerability is exploited and that specific loss happens.
◦ L: the impact, i.e. the total cost of the specific loss once the vulnerability has been exploited.
7. How much shall we invest in security?
If B < P·L
A prevention measure must be implemented.
If B > P·L
A prevention measure is not necessary.
... at least mathematically. Nevertheless, an unforeseen event, such as the consequences for computing in some companies after September 11th, can always happen. Even so, it makes no sense to invest more money in protecting an asset than the asset's own total value.
8. Cost-effectiveness of measures
Measures and control tools must cost less than the value of the possible losses and their impact if the feared risk materializes.
Basic law: the cost of the control should be less than the value of the asset protected. This is obvious, but both managers and those responsible for security in the company should estimate it properly for their own situation. In many cases the real problem lies in the difficulty of estimating precisely the economic impact of the risk occurring.
9. Factor L in the risk equation
Factor L (in B < P·L)
The total-impact factor L is difficult to evaluate. It includes damage to information and to machines, repair costs, the cost of restarting the system, lost working hours, etc.
There will always be a part of subjective assessment.
Data loss can also lead to a loss of opportunities, the so-called cascade effect.
There should be a specialized committee in the organization, internal or external, able to evaluate all the possible losses and to quantify them.
10. Factor P in the risk equation
Factor P (in B < P·L)
Factor P is tied to the determination of the total impact L and depends on the environment in which the possible loss would occur. As this value is difficult to quantify, the probability is usually derived from a known trend or an observed frequency.
◦ Once P is known for a given L, the expected loss P·L is obtained and compared with B, the cost of implementing the corresponding prevention measure.
11. Factor B in the risk equation
Factor B (in B < P·L)
Indicates what is required in order to prevent a loss; for example, the amount of money we are prepared to spend to mitigate the possible loss.
◦ Example: the prevention burden needed so that a computing system minimizes the risk of its servers being attacked includes adequate software and hardware installation, a firewall, an intrusion detection system, a secure network configuration, an access and password tracking policy, qualified technical staff, etc. All of these cost a specific amount of money.
12. Quantification of protection
Is B < P·L ?
How much protection is necessary?
◦ In our example: which network configuration to use, on which environment to work, what type of firewalls, etc. That will depend on the level of security that our company desires, considers adequate, or that the market sets.
How will we protect ourselves?
◦ A house can be protected with doors, locks, steel bars on windows, alarm systems, etc.
◦ In an information system we may apply physical protections, security policies, contingency and recovery plans, access control, firewalls, IDS, encryption, authentication, digital signatures, secure gateways, etc.
13. Steps of a risk analysis
1. Identify the cost of the possible losses (L): identifying the threats.
2. Determine susceptibility: the probability of loss (P).
3. Identify the possible actions (expenses) and their implications (B); choose the actions to implement.
Is B < P·L ? The cycle is then closed: the measures implemented change P and L, and the analysis is repeated.
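As an added worked example (not from the original slides), the following Python applies the B < P·L rule of slides 6 to 13 to a constructed list of risk scenarios, including the cap "never spend more than the asset is worth" from slide 7. All scenario names and figures, and the break-even helper, are assumptions of this example.

```python
# Added example (not from the original slides): applying the B vs P*L decision rule
# over a constructed list of risk scenarios.  All names and figures are assumptions.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float   # total value of the protected asset (upper bound on sensible spend)
    loss: float          # L: total impact if the loss occurs (damage, repair, downtime, ...)
    probability: float   # P: probability (per year) that the loss occurs
    control_cost: float  # B: cost (per year) of the prevention measure


def expected_loss(s: Scenario) -> float:
    """P*L: the expected loss per year without the control."""
    return s.probability * s.loss


def decide(s: Scenario) -> str:
    """Slide 7's rule: implement when B < P*L, otherwise skip, and never spend more
    than the asset is worth.  B == P*L is treated as 'skip' because the slides give
    no rule for equality."""
    if s.control_cost > s.asset_value:
        return "over-cap"            # the control costs more than the asset itself
    if s.control_cost < expected_loss(s):
        return "implement"
    return "skip"


def break_even_probability(s: Scenario) -> float:
    """The P at which B == P*L.  P is the hardest factor to estimate (slide 10), so
    this tells how far the estimate may drift before the decision flips."""
    return s.control_cost / s.loss


def risk_table(scenarios: List[Scenario]) -> List[Tuple[str, float, float, str]]:
    """One row per scenario: (name, P*L, B, decision)."""
    return [(s.name, round(expected_loss(s), 2), s.control_cost, decide(s))
            for s in scenarios]


# Constructed sample scenarios (hypothetical figures, all in the same currency unit).
SAMPLE = [
    Scenario("ransomware on file server", asset_value=250_000, loss=120_000,
             probability=0.15, control_cost=9_000),
    Scenario("flood in server room", asset_value=250_000, loss=200_000,
             probability=0.01, control_cost=15_000),
    Scenario("theft of an encrypted laptop", asset_value=2_000, loss=1_500,
             probability=0.20, control_cost=5_000),
]

if __name__ == "__main__":
    for row in risk_table(SAMPLE):
        print("%-32s P*L=%10.2f  B=%10.2f  -> %s" % row)
    print("ransomware break-even P: %.3f" % break_even_probability(SAMPLE[0]))
```

The break-even probability is the practical check a manager wants after slide 10: for the ransomware row the control pays for itself as long as P stays above 0.075, so a modest error in the estimate does not change the decision, whereas the flood row would need P to rise to 0.075 before the drainage investment became worthwhile.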
14. Some security policies
• Administrative policies
– Administrative procedures.
• Access control policies
– Access privileges of the user or program.
• Information flow policies
– Rules under which individuals communicate with each other within the system.
15. Administrative aspects
• Administrative policies
– Administrative procedures are established within the organization, for example in software development: modularity in applications, systematic review, etc.
– Shared responsibilities are established for all users, each at their own level.
– This follows on from the awareness stage.
16. Access control
• Access control policies
– Least privilege policy
• Strict access to specified objects, with the minimum privileges for each user.
– Sharing policy
• Maximum privilege: every user can access all objects.
– Granularity
• The number of accessible objects; we then speak of coarse and fine granularity.
17. Flow control policies
• Flow control policies
– Information that is accessed, sent and received through:
• Overt channels or covert channels? Secure or not?
– What aspect must be promoted?
• Confidentiality or integrity?
• Availability? ... Non-repudiation?
• Depending on each organization, its working environment and the services it offers, differences will exist. In some systems some properties will take priority over others, according to how secret the information is.
18. Security models
• Bell-LaPadula model (BLP)
– Rigid; oriented to confidentiality, with levels assigned by a central authority (mandatory access control).
• Clark-Wilson model (CW)
– Commercial orientation: integrity.
• Take-Grant model (TG)
– Special rights: take and grant.
• Others: Goguen-Meseguer model (non-interference between users); access matrix models (states and transitions between states: Graham-Denning type; Harrison-Ruzzo-Ullman type), Biba, Chinese Wall, etc.
They are defined on the next slides.
19. Bell-LaPadula model BLP
• Writing downwards is forbidden (the *-property).
• Reading upwards is forbidden (the simple security property).
• The model also assumes the principle of tranquility: the security level of a subject or object does not change while it is being accessed.
Figure: three levels, Top Secret, Secret and Unclassified. A user cleared at Secret may not read upwards (Top Secret) nor write downwards (Unclassified).
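An added example (not from the original slides) of the two BLP rules as a small Python reference monitor over a lattice of levels and categories. The level names, the "nuclear" category and the sample labels are constructed for this example; labels are immutable so that a label cannot be relabelled while in use, which is the tranquility assumption.

```python
# Added example (not from the original slides): a minimal Bell-LaPadula reference
# monitor.  Level names, categories and sample labels are constructed.
from dataclasses import dataclass, field
from typing import FrozenSet

# Linear order of classifications; categories (compartments) turn it into a lattice.
LEVELS = {"unclassified": 0, "secret": 1, "top secret": 2}


@dataclass(frozen=True)   # frozen: a label cannot change while in use (tranquility)
class Label:
    level: str
    categories: FrozenSet[str] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: the level is at least as high and the
        categories are a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def may_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up.  The subject must dominate the object."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down.  The object must dominate the subject
    (a blind write up is allowed by BLP)."""
    return obj.dominates(subject)


def access(subject: Label, obj: Label, mode: str) -> bool:
    """Reference-monitor decision for 'r', 'w' or 'rw' (both rules must hold)."""
    if mode == "r":
        return may_read(subject, obj)
    if mode == "w":
        return may_write(subject, obj)
    if mode == "rw":
        return may_read(subject, obj) and may_write(subject, obj)
    raise ValueError("unknown mode %r" % mode)


# Constructed sample: a user cleared at Secret, as in the slide's figure.
USER = Label("secret")
TOP_SECRET_DOC = Label("top secret")
SECRET_DOC = Label("secret")
PUBLIC_DOC = Label("unclassified")
SECRET_NUCLEAR_DOC = Label("secret", frozenset({"nuclear"}))

if __name__ == "__main__":
    for name, doc in [("top secret", TOP_SECRET_DOC), ("secret", SECRET_DOC),
                      ("unclassified", PUBLIC_DOC), ("secret/nuclear", SECRET_NUCLEAR_DOC)]:
        print("%-16s read=%-5s write=%-5s"
              % (name, access(USER, doc, "r"), access(USER, doc, "w")))
```

Note the asymmetry the figure hides: the Secret user may write into a Top Secret document (a write up), which BLP permits because it cannot leak information downwards, even though it lets a low subject corrupt high data. That is why integrity models such as Biba or Clark-Wilson exist alongside BLP.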
20. Clark-Wilson model CW
• It is based on integrity policies:
– Constrained data items (CDIs).
• Consistency checks must be performed over these.
– Unconstrained data items (UDIs).
– Transformation procedures (TPs).
• They operate on both kinds of item and are the only way a CDI may be modified.
– Integrity verification procedures (IVPs).
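An added example (not from the original slides) of how the Clark-Wilson elements fit together: a ledger as the CDI, certified TPs as the only way to change it, access triples deciding which user may run which TP, and an IVP that checks the state after every TP. The user names, the TPs and the integrity constraint (balances never negative, total preserved) are constructed for this example.

```python
# Added example (not from the original slides): Clark-Wilson enforcement over a toy
# account ledger.  User names, TPs and the integrity constraint are constructed.
from typing import Callable, Dict, List, Set, Tuple

Ledger = Dict[str, int]          # the CDI: account -> balance (whole currency units)
TP = Callable[..., Ledger]       # a transformation procedure returns a new ledger state


def ivp(ledger: Ledger, expected_total: int) -> bool:
    """Integrity verification procedure: money is neither created nor destroyed,
    and no balance goes negative."""
    return sum(ledger.values()) == expected_total and all(v >= 0 for v in ledger.values())


def tp_transfer(ledger: Ledger, src: str, dst: str, amount: int) -> Ledger:
    """Certified TP: moves money between two accounts and keeps the total unchanged."""
    if amount <= 0 or src not in ledger or dst not in ledger or ledger[src] < amount:
        raise ValueError("transfer rejected by TP")
    new = dict(ledger)
    new[src] -= amount
    new[dst] += amount
    return new


def tp_bonus(ledger: Ledger, dst: str, amount: int) -> Ledger:
    """A faulty TP (certified by mistake): creates money out of nothing.
    The IVP catches the damage after the fact."""
    new = dict(ledger)
    new[dst] = new.get(dst, 0) + amount
    return new


CERTIFIED_TPS: Dict[str, TP] = {"tp_transfer": tp_transfer, "tp_bonus": tp_bonus}

# Access triples (user, TP, CDI): who may run which TP on which CDI (rule E2).
TRIPLES: Set[Tuple[str, str, str]] = {
    ("teller", "tp_transfer", "ledger"),
    ("payroll", "tp_bonus", "ledger"),
}


class ClarkWilsonMonitor:
    def __init__(self, ledger: Ledger, triples: Set[Tuple[str, str, str]]) -> None:
        self.ledger = dict(ledger)
        self.total = sum(ledger.values())   # invariant the IVP checks
        self.triples = triples
        self.log: List[str] = []            # append-only audit trail (rule C4)

    def run(self, user: str, tp_name: str, *args) -> bool:
        """Run a TP on behalf of a user; return True only if the CDI was updated."""
        if tp_name not in CERTIFIED_TPS:                   # E1: only certified TPs touch CDIs
            self.log.append("%s: %s is not a certified TP" % (user, tp_name))
            return False
        if (user, tp_name, "ledger") not in self.triples:  # E2: user/TP/CDI triple required
            self.log.append("%s: not authorized for %s" % (user, tp_name))
            return False
        try:
            candidate = CERTIFIED_TPS[tp_name](self.ledger, *args)
        except ValueError as exc:
            self.log.append("%s: %s %s" % (user, tp_name, exc))
            return False
        if not ivp(candidate, self.total):                 # C1/C2: valid state in, valid state out
            self.log.append("%s: %s violated the integrity constraint" % (user, tp_name))
            return False
        self.ledger = candidate
        self.log.append("%s: %s %s ok" % (user, tp_name, args))
        return True


def demo() -> ClarkWilsonMonitor:
    """Constructed sample run; returns the monitor so its state and log can be inspected."""
    m = ClarkWilsonMonitor({"alice": 100, "bob": 50}, TRIPLES)
    m.run("teller", "tp_transfer", "alice", "bob", 30)    # ok
    m.run("intern", "tp_transfer", "alice", "bob", 10)    # no access triple
    m.run("teller", "tp_transfer", "alice", "bob", 500)   # TP rejects: insufficient funds
    m.run("payroll", "tp_bonus", "bob", 20)               # authorized, but the IVP rejects it
    m.run("teller", "tp_set_balance", "alice", 999)       # not a certified TP
    return m


if __name__ == "__main__":
    m = demo()
    print(m.ledger)
    print("\n".join(m.log))
```

The point of the faulty `tp_bonus` is that certification of TPs is a human process and can be wrong; the IVP is the independent check that keeps a mistaken certification from corrupting the CDI.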
21. Take-Grant model TG
• It describes the system through directed graphs:
– a vertex is an object or a subject.
– an arc is a right.
• It deals only with those rights that can be transferred.
Every security policy is intended to strengthen some property of the information.
Given that this chapter is only an introduction, readers interested in these topics are referred to the bibliography that can be found on the Internet.
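An added example (not from the original slides) of the two rewriting rules the model is named after, computed to a fixed point over a constructed protection graph, which answers the question Take-Grant is built for: can a given right ever reach a given vertex? The vertex names and rights are assumptions of this example; the create and remove rules of the full model are left out.

```python
# Added example (not from the original slides): the take and grant rules applied to a
# small, constructed protection graph until no new rights appear.
from collections import defaultdict
from typing import Dict, Set, Tuple

Edge = Tuple[str, str]


class TakeGrant:
    """Protection graph: vertices are subjects or objects, arcs carry sets of rights.
    't' (take) and 'g' (grant) are the special rights the model reasons about."""

    def __init__(self) -> None:
        self.subjects: Set[str] = set()
        self.rights: Dict[Edge, Set[str]] = defaultdict(set)

    def add_subject(self, *names: str) -> None:
        self.subjects.update(names)

    def add(self, src: str, dst: str, *rights: str) -> None:
        self.rights[(src, dst)].update(rights)

    def holds(self, src: str, dst: str, right: str) -> bool:
        return right in self.rights.get((src, dst), set())

    def step(self) -> bool:
        """Apply every enabled take and grant once; return True if anything changed."""
        changed = False
        for (x, y), xy in list(self.rights.items()):
            if x not in self.subjects:        # only subjects can take or grant
                continue
            # take: x --t--> y and y --a--> z  gives  x --a--> z
            if "t" in xy:
                for (y2, z), yz in list(self.rights.items()):
                    if y2 == y and not yz <= self.rights[(x, z)]:
                        self.rights[(x, z)] |= yz
                        changed = True
            # grant: x --g--> y and x --a--> z  gives  y --a--> z
            if "g" in xy:
                for (x2, z), xz in list(self.rights.items()):
                    if x2 == x and not xz <= self.rights[(y, z)]:
                        self.rights[(y, z)] |= xz
                        changed = True
        return changed

    def closure(self) -> "TakeGrant":
        """Fixed point: vertices and rights are finite and only grow, so this terminates."""
        while self.step():
            pass
        return self


def sample_graph() -> TakeGrant:
    """Constructed sample graph."""
    g = TakeGrant()
    g.add_subject("alice", "bob", "carol", "eve", "proxy")
    g.add("alice", "proxy", "t")        # alice can take from proxy
    g.add("proxy", "file", "r")         # proxy can read the file
    g.add("bob", "carol", "g")          # bob can grant to carol
    g.add("bob", "file", "w")           # bob can write the file
    g.add("eve", "file2", "r")          # eve has no t or g arc anywhere
    return g


if __name__ == "__main__":
    g = sample_graph().closure()
    for (src, dst), rs in sorted(g.rights.items()):
        if rs:
            print("%s --%s--> %s" % (src, "".join(sorted(rs)), dst))
```

After the closure alice reads the file via proxy and carol writes it via bob's grant, while eve, who is connected to no take or grant arc, never gains anything: the model's question "can this right leak to that vertex?" is answered by whether a `t`/`g` path exists, not by who the users are.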
22. Criteria and security standards
• Evaluation criteria TCSEC
– Trusted Computer System Evaluation Criteria, also known as the Orange Book.
• Evaluation criteria ITSEC
– Information Technology Security Evaluation Criteria.
• Evaluation criteria CC
– Common Criteria: it builds on both of the previous ones.
• International standard ISO 17799
– It establishes a wide-ranging set of minimum security conditions.
You will find interesting reading about Common Criteria applications in the documents below:
http://niap.bahialab.com/cc-scheme/
23. Laws about computing security in Spain
• Royal Decree 994/1999 (11 June) on "Security measures for automated files containing personal data" defines the functions of the Security Officer.
• The Organic Data Protection Law (LOPD in Spanish) was passed in Spain in December 1999 and has applied since 2002.
• A Data Protection Agency (ADP) is created to oversee enforcement of this law through audits, at least every two years. The ADP is formed by 9 people.
• It defines functions and obligations for the File Responsible (data controller) and for the Person in Charge of Treatment (data processor).
• Infractions are classified as slight, serious and very serious, with fines of up to 60,000 €, 300,000 € and 600,000 € respectively.
• It establishes a set of mandatory procedures so that, besides protecting people's privacy, the principles of physical and logical security in information technologies are carried out.
Link to the Spanish Data Protection Agency: http://www.agpd.es/index.php?idSeccion=77
24. Levels of responsibility in security
• File responsible (data controller): the entity, institution or legal person who owns the personal data and therefore must ensure their security.
• Responsible of treatment (data processor): the previous entity may itself handle the data (management, backups, etc.), or this task may be carried out by another company; hence the distinction between the two roles.
• Security responsible (security officer): the person to whom the data controller has formally assigned the function of coordinating and controlling the applicable security measures.
25. Responsibility operations in the LOPD
• Article 9: Security of data.
– The data controller and, where applicable, the data processor must adopt the necessary technical and organizational measures to guarantee the security of the personal data and to prevent their alteration, loss, or unauthorized processing or access, taking into account the state of the art, the nature of the stored data and the risks to which they are exposed, whether from human action or from the physical or natural environment.
Requirements like being at the "state of the art" and knowing every type of "risk" are indeed a headache for the security officer.
https://www.agpd.es/upload/Canal_Documentacion/legislacion/Estatal/Ley%2015_99.pdf
26. Security levels in RD 994/1999
• Basic level: all files containing personal data must adopt the security measures classified as basic level.
• Medium level: files containing data on the commission of criminal or administrative offences, public finances, financial services, etc. must adopt, besides the basic level measures, those classified as medium level.
• High level: files containing data about ideology, religion, beliefs, racial origin, health or sexual life, and those containing data gathered for police purposes without the consent of the affected people, must adopt, besides the basic and medium level measures, those classified as high level.
The measures referred to can be found at the Spanish Data Protection Agency link:
https://www.agpd.es/upload/Canal_Documentacion/legislacion/Estatal/A.8%29%20Real%20Decreto%20994-1999.pdf
27. LOPD: some slight infractions
• Failing, for formal reasons, to attend to the request of the interested person for rectification or cancellation of the processing of their personal data when it is legally possible.
• Failing to provide information that the Data Protection Agency requests in the exercise of its legally attributed competences, regarding non-substantive aspects of data protection.
• Failing to request registration of the personal data file in the General Data Protection Register, when this does not constitute a serious infraction.
• Collecting personal data from the affected people without providing them the information referred to in article 5 of the law.
28. LOPD: some serious infractions
• Creating publicly owned files, or starting to collect personal data for them, without the authorization of a general provision published in the Official State Gazette or the corresponding official journal.
• Creating privately owned files, or starting to collect personal data for them, for purposes other than those that constitute the legitimate object of the company or entity.
• Collecting personal data without obtaining the express consent of the affected people, in the cases where this is required.
• Maintaining files, premises, programs or equipment containing personal data without the security conditions determined by regulation.
29. LOPD: some very serious infractions
• Collecting data in a deceptive or fraudulent way.
• Communicating or handing over personal data outside the cases where this is permitted.
• The temporary or definitive transfer of personal data that have been processed, or collected for processing, to countries that do not provide an equivalent level of protection, without the authorization of the Director of the Data Protection Agency.
• Processing personal data illegitimately or in disregard of the applicable principles and guarantees, when fundamental rights are violated as a result.
30. Standard ISO 17799 (UNE-ISO/IEC)
It presents norms, criteria and basic recommendations for establishing security policies.
These range from physical security concepts to logical security concepts.
Part of the standard was elaborated by the BSI, British Standards Institution, and adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
A document of about 70 pages, not freely distributed.
http://www.computersecuritynow.com/
31. Scope of standard ISO 17799
It is a code of good practice for Information Security Management. Its sections:
• Background
• Introduction
• Object and field of application
• Terms and definitions
• Security policy
• Organizational aspects of security
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance
32. History of standard ISO 17799
Reference: “Information Security Management: UNE 71502, ISO17799”.
Author: Antonio Villalón, September, 2004, Spain.
33. Contingency plans
• A contingency plan consists of a detailed study and analysis of the areas the organization consists of, which will serve to establish a recovery policy in case of disaster.
– It gathers the company's strategic data in a document, with the purpose of protecting them in case of eventualities.
• Besides increasing security, with a strategic plan the company also gains knowledge about its own strengths and weaknesses.
• Without one, the company is exposed to suffering a loss far more expensive than implementing the plan.
34. Natural disasters and prevention
Natural disasters
◦ Hurricane
◦ Storm
◦ Flood
◦ Tornado
◦ Gale
◦ Fire
◦ Earthquake
◦ Others
Prevention measures
◦ Suitable locations
◦ Protection of walls, windows and doors
35. Computing vandalism and prevention
Threats
◦ Terrorism
◦ Sabotage
◦ Robbery
◦ Viruses
◦ Blackmail
◦ Malware
Prevention measures
◦ Fortification of entrances
◦ Security guards
◦ Security patrols
◦ Closed-circuit TV
◦ Physical access control
◦ Protection of software and hardware with antivirus, firewalls, intrusion detection, etc.
◦ Monitoring compliance with the company's security policies.
36. Water threats and prevention
Threats
◦ Floods due to causes within the company
◦ Floods due to external causes
◦ Small personal incidents (the usual water bottle or cup of coffee that falls on a keyboard...)
Prevention measures
◦ Check water pipes
◦ Locate the room with the most expensive machines where these problems cannot occur
◦ Install emergency drainage systems
◦ Raise employee awareness
37. Fire threats and prevention
Threats
◦ A bad electrical installation
◦ Personal carelessness such as smoking in computer rooms
◦ Badly placed bins into which lit cigarettes are thrown
◦ Sensitivity of the equipment to smoke
Prevention measures
◦ Smoke detectors
◦ Fire-resistant materials
◦ Paper storage separated from the machines
◦ Raised floors
◦ Extinguishers checked regularly
This is the most feared threat because of its fast destructive power.
38. What happens in case of catastrophe?
Companies nowadays depend on computing systems and the data stored in them (payrolls, clients, invoices, ...).
They also depend more and more on communications through networks.
If the computing system fails and cannot be recovered, the company may disappear because it does not have enough time to get back into the market with any expectation of success, even if it keeps all of its staff.
39. Recovery time after disasters
According to several studies, the maximum period of inactivity a company can bear without risking its survival is:
◦ Insurance sector: 5.6 days
◦ Manufacturing sector: 4.9 days
◦ Industrial sector: 4.8 days
◦ Distribution sector: 3.3 days
◦ Financial sector: 2.0 days
• If we are told that our bank has security problems and we cannot operate our accounts, most probably we will change to another bank the next day.
40. Losses due to not having strategic plans
Loss of clients.
Loss of image.
Loss of income from profits.
Loss of income from sales and payments.
Loss of income from production.
Loss of competitiveness in the market.
Loss of credibility in the sector.
41. Basic measures in case of a disaster
Emergency plan
◦ Lives, the injured, assets, evacuation of personnel.
◦ Inventory of the damaged resources.
◦ Evaluate the cost of inactivity.
Recovery plan
◦ Actions that aim to return to the situation that existed before the disaster.
42. Alternatives for the continuity plan
Alternative installations
◦ Own service office
◦ Agreement with a hardware and software supplier
◦ Reciprocal agreement between two or more companies
◦ Cold site: own empty room
◦ Hot site: equipped centre
◦ Mobile unit: caravan or trailer
◦ Mirrored (twin) centre
Some solutions can be very expensive. The choice will depend on how critical the continuity plan is.
43. Questions and exercises (1 of 2)
1. What is a risk analysis and what does carrying one out involve?
2. Explain the meaning of the inequalities B > P·L and B < P·L.
3. After a study we obtain B > P·L; can we be totally calm if we do not use any prevention measure?
4. Explain what the factors L and P mean in the inequality B < P·L.
5. What are the steps to follow in a risk analysis according to the factors of the inequality B < P·L?
6. In some information management systems confidentiality is more important, but in others integrity. Give some examples where we can observe this. What do you think about an electronic transaction?
7. Comment on the Bell-LaPadula security model. What does its tranquility principle state?
44. Questions and exercises (2 of 2)
8. You are the security officer and you detect that an employee is stealing confidential information; what would be your reaction?
9. What losses can a company suffer if it does not have an adequate Contingency Plan and a disaster happens?
10. What is a Contingency Plan and why is it so important?
11. Our business is partly distribution and partly finance. Is it strategic to have a Contingency Plan here?
12. What solutions are available so that a bank will not be affected by a disaster and will be able to keep working with its clients with a low or minimal recovery time? What would they cost?
13. Can extreme situations like the incident of the Twin Towers be foreseen? In what type of companies or institutions must this type of incident be taken into account? In a company that sells cars?