Security of information asset

Chapter # : 05 - CISAChapter # : 05 - CISA 11
Security of InformationSecurity of Information
ASSETSASSETS

• Logical Access ExposuresLogical Access Exposures
• Trojan HorsesTrojan Horses
• Rounding DownRounding Down
• Salami TechniquesSalami Techniques
• VirusVirus
• WormsWorms
• Logic BombsLogic Bombs
• Trap DoorsTrap Doors
• Asynchronous AttacksAsynchronous Attacks
• Data LeakageData Leakage
• Wire-TappingWire-Tapping
• PiggybackingPiggybacking
• Computer ShutdownComputer Shutdown
• Daniel of ServicesDaniel of Services
LOGICAL ACCESS EXPOSURESLOGICAL ACCESS EXPOSURES ::

• Logical Access Control Software :Logical Access Control Software :
To prevent unauthorized access and modificationTo prevent unauthorized access and modification
to sensitive data and critical functions. It shouldto sensitive data and critical functions. It should
be applied to networks, operating systems,be applied to networks, operating systems,
databases and application systemsdatabases and application systems
• General OS Access Control Functions:General OS Access Control Functions:
• Apply user ID and authenticationApply user ID and authentication
• Logon on specific terminalLogon on specific terminal
• Multi-level accessMulti-level access
• Individual accountability and auditabilityIndividual accountability and auditability
• Create or change user profilesCreate or change user profiles
• Log EventsLog Events
• Log User ActivitiesLog User Activities
• Report capabilitiesReport capabilities

• Identification and Authentications :Identification and Authentications :
Based on, somethingBased on, something You KnowYou Know, something, something
You haveYou have and somethingand something You AreYou Are
– Logon-IDs and PasswordsLogon-IDs and Passwords
Something you knowSomething you know
– Token Devices, One Time Access ControlToken Devices, One Time Access Control
Something you haveSomething you have
– Biometrics Security Access Control (through FingerBiometrics Security Access Control (through Finger
Prints, Eye Retina)Prints, Eye Retina)
Something you areSomething you are

• Features of Passwords :Features of Passwords :
• It should be easy to remember for user butIt should be easy to remember for user but
• Difficult for perpetrator to guessDifficult for perpetrator to guess
• Initial Password should be changed on first time log-onInitial Password should be changed on first time log-on
• In result of entering wrong password ID should be heldIn result of entering wrong password ID should be held
• Re-activation of ID should be on writtenRe-activation of ID should be on written
request/approval by security administrator.request/approval by security administrator.
• Password encryption and should be shadowedPassword encryption and should be shadowed
• Changed periodicallyChanged periodically
• Must be unique to each user ID.Must be unique to each user ID.
• Unused IDs should be deactivated and logged offUnused IDs should be deactivated and logged off
• Ideally length of Password is 5 to 8 charactersIdeally length of Password is 5 to 8 characters
• Usage of Alphabets, Numeric, Lower case and specialUsage of Alphabets, Numeric, Lower case and special
LOGICAL ACCESS EXPOSURESLOGICAL ACCESS EXPOSURES : I&A: I&A

• Token Devices, Once-Time PasswordsToken Devices, Once-Time Passwords
• Biometrics :Biometrics :
• Palm : ridges, valleys etcPalm : ridges, valleys etc
• Hand Geometry : 3 dim perspective of handHand Geometry : 3 dim perspective of hand
• Iris : Eyes colored portion surroundedIris : Eyes colored portion surrounded
• RetinaRetina
• Finger PrintsFinger Prints
• FaceFace
• SignaturesSignatures
• Voice RecognitionVoice Recognition

• Single Sign-on (SSO)Single Sign-on (SSO)
• Advantages :Advantages :
• No need to remember multiple PWDsNo need to remember multiple PWDs
• Improves administrators ability to manage user profilesImproves administrators ability to manage user profiles
• Reduces Administrative overheadsReduces Administrative overheads
• Reduces the time taken by userReduces the time taken by user
• Disadvantages :Disadvantages :
• Support for all major OS is difficultSupport for all major OS is difficult
• Significant cost associated with SSO developmentSignificant cost associated with SSO development
• Single point of failure and total compromise of anSingle point of failure and total compromise of an
organization’s IS assetsorganization’s IS assets

• ControlsControls
• Technical Qualified Operators,Technical Qualified Operators,
• Job rotation (wherever possible)Job rotation (wherever possible)
• Restricted operation of operators over operatorRestricted operation of operators over operator
activity logs etc.activity logs etc.
• Audit trail of all operator activities and itsAudit trail of all operator activities and its
periodical review by operations management.periodical review by operations management.
• Availability of documented Network operationsAvailability of documented Network operations
standards and protocols to operators andstandards and protocols to operators and
periodical review to ensure compliance.periodical review to ensure compliance.
• Analysis for workload balance, fast responseAnalysis for workload balance, fast response
time and system efficiencytime and system efficiency
• Encryption should be used wherever requiredEncryption should be used wherever required
NETWORK INFRASTRUCTURE SECURITYNETWORK INFRASTRUCTURE SECURITY ::

• LAN SecurityLAN Security
– Threats :Threats : Loss of Data & Programs, less versionLoss of Data & Programs, less version
control, Exposure to external Activities, viruses,control, Exposure to external Activities, viruses,
Improper disclosure of data, Violating SoftwareImproper disclosure of data, Violating Software
License, Illegal access by impersonating orLicense, Illegal access by impersonating or
masquerading, Internal user's Spoofingmasquerading, Internal user's Spoofing
– Remedies :Remedies : Declaring ownership of programs,Declaring ownership of programs,
files and storage, Limiting access to read only,files and storage, Limiting access to read only,
Record and File locking, enforcingRecord and File locking, enforcing
ID/Passwords procedures.ID/Passwords procedures.
– Dial Up ControlDial Up Control : Encrypted Passwords, Dial-: Encrypted Passwords, Dial-
back modems for verificationback modems for verification

• Client Server Security :Client Server Security :
– Disabling the floppy drivesDisabling the floppy drives
– Network Monitoring devices to inspect activitiesNetwork Monitoring devices to inspect activities
– Data EncryptionData Encryption
– Application level Access control programsApplication level Access control programs

• Internet Threats :Internet Threats :
– DisclosureDisclosure
– Masquerade or Spoofing (Disguise IP address etc)Masquerade or Spoofing (Disguise IP address etc)
– Unauthorized accessUnauthorized access
– Loss of IntegrityLoss of Integrity
– Denial of service (Sys Flooding of messages / requests and keepDenial of service (Sys Flooding of messages / requests and keep
machines busy)machines busy)
– Theft of service and resourcesTheft of service and resources
• Internet Security Controls:Internet Security Controls:
– Risk assessment of web based application.Risk assessment of web based application.
– Security awarenessSecurity awareness
– Firewall standardsFirewall standards
– Intrusion Detection standards securityIntrusion Detection standards security
– Remote Access for coordinating and controlling centrallyRemote Access for coordinating and controlling centrally
– Encryption techniquesEncryption techniques
– Monitoring usage of unauthorized usage and notification to them.Monitoring usage of unauthorized usage and notification to them.

• Firewall Security SystemsFirewall Security Systems ::
• General FeaturesGeneral Features
• Firewall TypesFirewall Types
Router Packet FilteringRouter Packet Filtering
Application firewallApplication firewall
Stateful inspectionStateful inspection
• Firewall IssuesFirewall Issues
• Creates false sense of securityCreates false sense of security
• Other entry points, connections direct though ModemsOther entry points, connections direct though Modems
• Mis-configurationMis-configuration
• Firewall without screening router is uselessFirewall without screening router is useless
• Irregular monitoring of activitiesIrregular monitoring of activities
• Irregular maintenance of Firewall policiesIrregular maintenance of Firewall policies

• Intrusion Detection Systems (IDS)Intrusion Detection Systems (IDS) ::
• Components of IDSComponents of IDS
Sensor, Analyzer, An administrator ConsoleSensor, Analyzer, An administrator Console
A user interfaceA user interface
• FeaturesFeatures
Intrusion DetectionIntrusion Detection
Gathering EvidenceGathering Evidence
Automated responseAutomated response
Security PolicySecurity Policy
Interface with system toolsInterface with system tools
Security Policy managementSecurity Policy management
• LimitationsLimitations
Weaknesses in the policy definitionWeaknesses in the policy definition
Application level vulnerabilitiesApplication level vulnerabilities
Backdoors into applicationBackdoors into application
Weakness in identification and authentication schemesWeakness in identification and authentication schemes
• Honeypots and HoneynetsHoneypots and Honeynets
Software application pretend to be unfortunately hackedSoftware application pretend to be unfortunately hacked
Network of honeypots making a false network for hackers to hack andNetwork of honeypots making a false network for hackers to hack and
caughtcaught

• EncryptionEncryption::
• Is a process of converting a plaintext into a secureIs a process of converting a plaintext into a secure
coded form of text (Cipher General Features)coded form of text (Cipher General Features)
• Key Elements of Encryption SystemsKey Elements of Encryption Systems
Encryption AlgorithmEncryption Algorithm
Encryption KeysEncryption Keys
Key LengthKey Length
• Private Key Cryptographic systemPrivate Key Cryptographic system
• Public Key Cryptographic SystemPublic Key Cryptographic System
• Digital SignaturesDigital Signatures
• Digital EnvalopDigital Envalop
• Is used to send encrypted information and relevantIs used to send encrypted information and relevant
keys along with it.keys along with it.

Review network DiagramReview network Diagram
Identify Network DesignIdentify Network Design
Dissemination of policies and standardsDissemination of policies and standards
Experience/knowledge of security operators for internetExperience/knowledge of security operators for internet
legislative issues are considered against usage of internetlegislative issues are considered against usage of internet
based applicationbased application
Review of service level contract in case of outsourcing.Review of service level contract in case of outsourcing.
Hardware and software are well upgraded to counter newHardware and software are well upgraded to counter new
vulnerabilitiesvulnerabilities
– Auditing Remote AccessAuditing Remote Access
– Auditing internet “point of presence”Auditing internet “point of presence”
– Network penetration testsNetwork penetration tests
– Full network assessment reviewsFull network assessment reviews
– LAN network assessmentLAN network assessment
– Development and Authorization of network changeDevelopment and Authorization of network change
– Unauthorized changesUnauthorized changes
– Computer forensicsComputer forensics
AUDITING NETWORK INFRASTRUCTURE SECURITYAUDITING NETWORK INFRASTRUCTURE SECURITY ::

• Environmental Issues and ExposuresEnvironmental Issues and Exposures ::
– Fire, Natural Disasters,Fire, Natural Disasters,
– Power FailurePower Failure
Total FailureTotal Failure
Severely reduced voltageSeverely reduced voltage
Sages, spikes and surgesSages, spikes and surges
Electromagnetic interferenceElectromagnetic interference
– Power SpikePower Spike
– Air conditioning FailureAir conditioning Failure
– Electric ShockElectric Shock
– Equipment FailureEquipment Failure
– Water Damage / FloodingWater Damage / Flooding
– Bomb Threat/attackBomb Threat/attack
ENVIRONMENTAL EXPOSURES AND CONTORLS:ENVIRONMENTAL EXPOSURES AND CONTORLS:

ENVIRONMENTAL EXPOSURES AND CONTORLS:ENVIRONMENTAL EXPOSURES AND CONTORLS:
Controls for Environmental exposuresControls for Environmental exposures ::
– Alarm Control PanelAlarm Control Panel
– Water DetectorsWater Detectors
– Handheld Fire ExtinguishersHandheld Fire Extinguishers
– Manual Fire alarmsManual Fire alarms
– Smoke detectorsSmoke detectors
– Fire Suppression SystemFire Suppression System
Water-based, Halon system, FM-200, COWater-based, Halon system, FM-200, CO22 systemsystem
– Logically Locating the Computer RoomLogically Locating the Computer Room
– Regular Inspection by Fire DepartmentRegular Inspection by Fire Department
– Fire Proof Walls Floors and Ceilings surrounding the computer roomFire Proof Walls Floors and Ceilings surrounding the computer room
– Electrical surge ProtectorElectrical surge Protector
– UPS / GeneratorsUPS / Generators
– Emergency Power Off SwitchEmergency Power Off Switch
– Power leads from two substationsPower leads from two substations
– Wiring in electrical panels and conduitWiring in electrical panels and conduit
– Prohibiting against eating, drinking and smoking within theProhibiting against eating, drinking and smoking within the
information processing facilityinformation processing facility
– Fire resistant office materialFire resistant office material
– Documented and tested emergency Evacuation Plans.Documented and tested emergency Evacuation Plans.

Security of information asset

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Security of information asset

Similar to Security of information asset (20)

More from University of Central Punjab

More from University of Central Punjab (7)

Recently uploaded

Recently uploaded (20)

Security of information asset