
Brookfield Educational and Research Institute

(Milan Nagar Shantipur, Goalpara, Assam 783121)

Project Report on Cyber Security Management System (CSMS)
By
Bipasha Kalita
Roll no.03
Class XII (Arts)

Submitted to: Miss Shruti Mazumdar


Acknowledgement

I would like to express my special thanks of gratitude to my teacher Miss Shruti
Mazumdar, who gave me the golden opportunity to do this project on the topic
Cyber Security Management System (CSMS). It helped me in doing a lot of
research and I came to know about a lot of things related to this topic.
Finally, I would also like to thank my parents and friends who helped me a lot in
finalizing this project within the limited time frame.

DATE : 1st August 2022

PLACE : Brookfield Educational and Research Institute

Bipasha Kalita

Roll no. 03

Class XII (Arts)


Abstract

The world relies on technology more than ever before. As a result, digital data creation has
surged. Today, businesses and governments store a great deal of that data on computers and
transmit it across networks to other computers. Devices and their underlying systems have
vulnerabilities that, when exploited, undermine the health and objectives of an organization.
A data breach can have a range of devastating consequences for any business. It can unravel a
company’s reputation through the loss of consumer and partner trust. The loss of critical data,
such as source files or intellectual property, can cost a company its competitive advantage. Going
further, a data breach can impact corporate revenues due to non-compliance with data protection
regulations. It’s estimated that, on average, a data breach costs an affected organization $3.6
million. With high-profile data breaches making media headlines, it’s essential that organizations
adopt and implement a strong cybersecurity approach.
Cyber attacks come in all shapes and sizes. Some may be overt ransomware attacks (hijacking
important business products or tools in exchange for money to release them), while some are
covert operations by which criminals infiltrate a system to gain valuable data only to be
discovered months after the fact, if at all. Criminals are getting craftier with their malicious
deeds and here are some of the basic types of cyber attacks affecting thousands of people each
day.

CONTENTS
Introduction
  Hacker Means
  Social Engineering
  Scanners
  Password Cracking
  IP Spoofing
  Trojan Horses
The Cyber Security Management System
Policy
  Password Management
  Anti-Virus
  Incident Handling
  Backup and Recovery
  Proprietary Information
Technology
  Perimeter Defense
    Firewalls
    Intrusion Detection Systems
    Virtual Private Networks
  Encryption
Summary
References

INTRODUCTION
Cyber Security Management System (CSMS) means a systematic risk-based approach
defining organizational processes, responsibilities and governance to treat risk associated with
cyber threats to vehicles and protect them from cyber-attacks.
The topic of computer security is a prominent one in the world today. Nearly every day we read
or hear terms like “hacker”, “computer virus”, “Internet worm” etc. Never before has the globe
felt so small. The tentacles of cyberspace reach into our homes and offices by way of the
Internet, opening up the farthest reaches of the world to us, to our business partners and our
children. At the same time, this waxing connectedness leaves us vulnerable to intruders because
the computers, software and networks we use have weaknesses that are easily exploitable. We
become preoccupied with protecting information because we stand to lose a great deal. While
most hackers delight in benign intrusion, some can truly be characterized as cyber criminals.
These are the ones whose actions can result in lost revenue, lost opportunity, ill will and incident
handling expenses for the victimized company. These are the creators of malicious code that
could steal an individual’s identity or destroy cherished family records on a home computer. It is
not our purpose here to speculate on the motivation of these intrusive individuals, or to analyze
their character. Instead, we will focus on what they do and how they do it in hopes of developing
a system to effectively counteract their nefarious deeds.
The cyber security management process is a known “system” of interrelated elements that act in
concert with one another to achieve the over-arching goal of the system itself: to protect the
confidentiality, integrity and availability of information. Figure 1 shows a conceptual map that
organizes and represents knowledge of many of these system elements. While not all of the
elements of the map will be discussed in this paper, primary attention is given to policy and
technology. Driven by policy, the cyber security management process applies technology and
requires effective planning in order to achieve the goal.
Policy
Despite commendable advances in protection, detection and response within the computer
security industry, the risk of cyber attack is still high today. Computer Emergency Response
Team (CERT®) statistics show that in the first three quarters of 2001 alone nearly 35,000
incidents and almost 2,000 vulnerabilities were reported [3]. It seems as though our information
assets face a building storm of clever attacks from villainous hackers. Policy is what can provide
a beacon in this storm of cyber risk and help an organization put in place multi-level, in-depth
defenses. Sound policy is a core element of the cyber security management system (see Figure
1). Without it, extensive implementations of routers, firewalls and intrusion detection systems
are misguided. Indeed, policy steers the application of technology within this system. Two
important analysis efforts are required before a cyber security policy can be determined. The first
of these involves a rigorous inventory of the organization’s information assets. The nature of all
networks, servers, desktop workstations and data should be well understood and documented
before policy is set forth. It is important also to analyze how the organization’s information
assets are used by its employees, partners and stakeholders. Such inputs render an information
security policy legitimate. According to security policy experts Carol Kramer of the SANS
Institute and Stephen Northcutt at the Global Incident Analysis Center, it is important that a
cyber information protection policy cover the areas of password management, anti-virus
solutions, incident handling, data backups and the protection of proprietary information.

Password Management
Passwords are a first line of defense when it comes to controlling access to protected systems and
information. It is important to know the idiosyncrasies and limitations of account administration
when it comes to your operating systems, database servers and applications. The following
should be researched and analyzed thoroughly before establishing policy in a formal way:
· Procedures for protecting password files and administrator accounts
· Random password generation, one-time passwords and two-factor authentication
· Length of a password’s life
· Password expiration and renewal
· Procedures for cleansing ex-employee access
· Length and qualities of acceptable passwords

Anti-Virus
An effective cyber security management policy considers where vulnerabilities exist for an
organization’s resources before formalizing processes and procedures. This is especially true for
exposures to the outside (Internet) community. Once weaknesses are identified, the policy
will specify both commercial and internally developed solutions to prevent the introduction of
malicious code on the company’s perimeter defense systems, servers and desktops, how
deployment is to unfold, and who is responsible for deployment. It is not enough, however, to
merely understand the weaknesses and adopted solutions. It is important also to analyze what
will transpire once a virus is detected, and the sequence of measures to be taken during the
handling of an incident. All employees should feel responsible for reporting evidence of an
intrusion or attack. An effective, formal anti-virus policy clearly states the simple steps required
to report an incident.

Incident Handling
Policy should cover the very practical steps that an organization needs to take when a cyber
security incident occurs. Documented incident handling tasks are aimed first at securing
information assets (minimizing damage) as quickly as possible. Beyond providing immediate,
on-the-scene protection, written incident-handling tasks will strengthen organizational learning
and may assist the cyber security professional in the pursuit and prosecution of criminals. It is
always a good idea to practice incident handling and continually update procedures so that when
these are needed in live situations they will be proven and reliable.

Backup and Recovery

With so much having been written and so many nightmares having been documented in the
information age regarding the loss of valuable corporate data, it is perplexing that some outfits
still do not have a formal policy for creating and recovering from backups. Policy needs to
emphasize the fundamental importance of backup and recovery processes for desktops, file
servers and mainframes. Again, responsibilities should be clearly documented. Batch processing
and storage capacity planning need to be integral parts of the operational planning process. A
plan for disaster recovery from offsite backups should be considered. In addition to adequately
protecting backup media in limited-access facilities, enlightened organizations will recover from
backups in simulated environments as a matter of practice, with an eye toward perfecting the
procedures.

Proprietary Information
Every organization has sensitive information that it does not want exposed to certain others –
product designs, promotional plans, human resource strategies, financial forecasts, staff medical
records etc. Cyber security management policy should reinforce a company’s formal information
classifications and specify the rules, guidelines and procedures for the protection of each. It
should be clear to employees what the consequences are of not following these adequately.
Proprietary information needs to be regularly audited in terms of how it is handled, who has
access to it, and the level at which it is protected. Incorporating the areas of password
management, anti-virus, backups and proprietary information protection into an organization’s
cyber security policy can help to establish some common best practices. Newmediary Inc.
provides a succinct list of best practices in the publication entitled “Security for Today’s
Enterprise”. Included in the list are the following sensible guidelines:
· Disable default accounts and change their passwords;
· Close vulnerable services and unnecessary ports;
· Assure strong backup procedures;
· Secure system files;
· Use computer security professionals and consortia;
· Simplify the policy for practical application.
Valuable policy is always written down in clear, concise, realistic and specific
language. As a fundamental element of the cyber security management process, policy also
requires ongoing evaluation to ensure that it keeps pace with changes in the global information
environment, and with changes in the organization itself. Again, policy supports the goal of
protecting the confidentiality, integrity and availability of an organization’s valuable
information.

Technology
A number of technologies are available today that, when selected and applied as coordinated
elements within the cyber security management system, can offer insurance against unauthorized
access, data loss and DoS attacks, such as those depicted in Figure 2 below. A few of these
technologies are depicted in Figure 1 above – perimeter defense, backup and recovery,
encryption and digital signature. It is important, however, to understand that technology alone
does little to achieve the cyber security management system’s objectives. Rather, it is the
synergistic interplay of technology, policy and planning that maximizes the protection of
information assets.

Perimeter Defense
Perimeter defense mechanisms guard against and detect unauthorized access to information
resources. They appear at the bounds of the asset being protected, whether the resource is a
network, a host system tied to a network, or merely a standalone machine. These solutions
include routers, firewalls, virtual private networks (VPN) and intrusion detection systems (IDS).
Their application comes in the form of hardware, software, or a combination of the two. Also, it
is possible for a solution provider to combine these technologies, e.g. some routers include
firewall capabilities. Perimeter defense solutions make use of standards-based technologies such
as the popular Internet Protocol Security (IPSec). IPSec is the standard for authentication,
encryption and tunneling on the Internet. It ensures the integrity of IP packets flowing across
local area networks (LANs) using “transport” mode and wide area networks (WANs) using
“tunnel” mode [6]. Because there is little need within the confines of a LAN to hide address
information, transport mode protects only the packet “payload” – the part of the packet that
contains sensitive userid, password and business data. On the other hand, in order to provide
secure packet exchange across a public WAN where addresses are vulnerable to outsiders, IPSec
applies tunnel mode to hide both the packet’s address information and the payload. Tunnel mode
is generally slower than transport mode because of this added overhead. Figure 3 below shows
two perimeter defense deployments at the bounds of a protected network: a VPN and a
corporate firewall. Within the protected network, host-based IDS implementations could also be
directly tied to the servers.

Firewalls
A firewall is a device that controls Internet communications access to a private resource. The
private resource can be a network, a server or a personal computer. A firewall allows unfettered
outbound packets from, say, a protected network to the Internet, but allows only appropriate
inbound packets. Firewalls are popular and effective, but can be bypassed if the protected
resource has a modem configured for auto-answer, because dial-in connections never pass
through the firewall at all.

There are two types of firewalls – protocol-level firewalls and application-level firewalls (see the
concept map represented by Figure 4 below). Packet filtering firewalls use a packet’s header to
determine whether the incoming packet is allowable. This approach to traffic management is fast
and simple, but less secure because it provides no means of determining whether or not the
packet header has been spoofed. Dynamic packet filtering firewalls offer improved protection
against spoofing by changing the outbound packet header information on the fly upon exit from
the private resource. “Stateful” inspection firewalls offer an intelligence-based approach that
compares the activity on a port to what is considered normal for that port. Stateful inspection
overhead, however, has an adverse impact on performance.

Application-level firewalls are slower still. However, they offer high levels of protection because
they understand in depth what the application expects and how it performs communication.
Proxies are a very effective type of application-level firewall. Under a proxy configuration, the
user of an application inside a protected network never communicates directly with the outside
world, rather only with the application’s proxy. The proxy then communicates on behalf of the
insider to the outside resource, and vice-versa. In some ways, today’s proxy servers can be
compared to the Pony Express riders of the untamed West who carried messages back and forth
from outpost to outpost!
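The packet-filtering weakness and the stateful-inspection remedy described above, as an added example that is not part of the report. Packets are constructed records standing in for IP/TCP headers; the 10.0.0.0/24 "inside" network, the addresses and the ports are made up for the demonstration.

```python
"""Packet filtering versus stateful inspection.

Added example, not part of the report. Packets are constructed records standing
in for IP/TCP headers; the 10.0.0.0/24 "inside" network and all addresses and
ports are made up for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."  # constructed private network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag: connection request
    ack: bool = False  # TCP ACK flag


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Packet-filtering rule set that consults header fields only.

    Outbound traffic is unrestricted; inbound traffic is accepted when it looks
    like a web server reply (source port 80). Nothing here can tell a genuine
    reply from a packet whose header merely claims to be one.
    """
    if is_inside(pkt.src):
        return True
    return pkt.sport == 80 and is_inside(pkt.dst)


class StatefulFilter:
    """Remembers connections opened from inside and admits inbound packets only
    when they belong to one of them."""

    def __init__(self) -> None:
        self.connections: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            if pkt.syn and not pkt.ack:
                # an insider is opening a connection: record its 4-tuple
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: the reversed 4-tuple must match a known connection
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Feed the same constructed packets to both filters.

    Returns {name: (stateless_verdict, stateful_verdict)}.
    """
    stateful = StatefulFilter()
    scenario = [
        # insider opens a web connection
        ("outbound_syn", Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True)),
        # the web server's reply to that connection
        ("legit_reply", Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True)),
        # unsolicited packet whose header claims source port 80, aimed at port 22
        ("forged_port80", Packet("198.51.100.7", 80, "10.0.0.5", 22)),
    ]
    return {name: (stateless_filter(p), stateful.allow(p)) for name, p in scenario}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:14s} packet-filter={stateless!s:5s} stateful={stateful}")
```

The header-only filter admits the forged packet because its source port looks right; the stateful filter rejects it because no insider ever opened that connection.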

Intrusion Detection Systems

Another way to fortify perimeter defense is to install an IDS, especially on core systems like e-mail,
web and domain name servers. Intrusion detection systems supplement firewall technology
with strong monitoring and record keeping at both the network and host levels. IDS technologies
monitor network traffic and system logs to compare what’s going on in real-time to the known
methods of hackers. When a suspicious event is detected, an alarm is kicked off immediately.
Often the IDS will take action to suspend or drop the offending connection, all the while
recording as much information as it can to assist the system administrator in later identification
and apprehension. It takes a skilled administrator, however, to configure IDS such that normal
activity does not trigger an alarm, i.e. to avoid “false positives”. IDS solutions, though an
integral component of multi-level protection, can be resource intensive. It takes a large measure
of resources to intercept packets, analyze them against known profiles of malicious code, and
either deflect or pass on the results. This can be problematic when IDS processes are bundled
with firewalls or routers. Today, the concept of providing high-powered security “appliances”
addresses this performance issue. The idea is to enable a hardware-based solution for very
speedy analysis and disposition of incoming packets to a protected network flowing in high
traffic [7]. Through the use of application-specific integrated circuit (ASIC) technology, security
appliances hold the promise of, perhaps, gigabit speed intrusion detection. Appliance capability
will fortify defenses against today’s DoS attacks, e.g. Ping Floods and SYN Floods and even
distributed DoS (DDoS) attacks like Tribe Floods and Stacheldraht. However, hackers have
shown firm resolve to break new defenses when the bar is raised. This fact argues for creativity
and continual improvement of a multi-level defense system to meet the goal of protecting an
organization’s information assets.
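The two kinds of IDS comparison the section describes, matching traffic against known attack patterns and spotting a SYN flood, as an added example that is not part of the report. The packet events, addresses, timings and the two signatures are constructed for the demonstration, and the threshold argument shows how a badly tuned detector produces the false positives the text warns about.

```python
"""Network IDS logic in miniature: signature matching plus SYN-flood detection.

Added example, not part of the report. The packet events, addresses, timing and
the two signatures are constructed for the demonstration.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float          # seconds since capture start
    src: str
    dst: str
    dport: int
    syn: bool
    ack: bool
    payload: bytes = b""


# "known methods" the IDS compares traffic against (constructed patterns)
SIGNATURES = [
    ("directory-traversal", b"../.."),
    ("shell-metachar-in-uri", b";/bin/"),
]


def match_signatures(ev: Event) -> list[str]:
    return [name for name, pattern in SIGNATURES if pattern in ev.payload]


class SynFloodDetector:
    """Counts bare SYNs (SYN without ACK) per source in a sliding time window.

    The threshold is the tuning knob: set too low, normal clients trip it.
    """

    def __init__(self, window: float = 2.0, threshold: int = 20) -> None:
        self.window = window
        self.threshold = threshold
        self._syns: dict[str, deque[float]] = defaultdict(deque)
        self._alerted: set[str] = set()

    def observe(self, ev: Event) -> str | None:
        if not (ev.syn and not ev.ack):
            return None
        recent = self._syns[ev.src]
        recent.append(ev.ts)
        while recent and ev.ts - recent[0] > self.window:
            recent.popleft()  # drop SYNs that fell out of the window
        if len(recent) > self.threshold and ev.src not in self._alerted:
            self._alerted.add(ev.src)  # one alert per source
            return f"syn-flood from {ev.src}: {len(recent)} SYNs in {self.window}s"
        return None


def analyze(events: list[Event], threshold: int = 20) -> list[str]:
    """Run both detectors over the event stream and return the alerts raised."""
    flood = SynFloodDetector(threshold=threshold)
    alerts: list[str] = []
    for ev in events:
        for name in match_signatures(ev):
            alerts.append(f"signature {name} from {ev.src} to {ev.dst}:{ev.dport}")
        alert = flood.observe(ev)
        if alert:
            alerts.append(alert)
    return alerts


def sample_events() -> list[Event]:
    """Constructed capture: one normal client, one suspicious request, one SYN burst."""
    events = [
        Event(0.0, "10.0.0.5", "203.0.113.10", 80, True, False),
        Event(0.1, "10.0.0.5", "203.0.113.10", 80, False, True, b"GET /index.html HTTP/1.1"),
        Event(0.5, "198.51.100.7", "10.0.0.20", 80, False, True, b"GET /../../etc/hosts HTTP/1.1"),
    ]
    # thirty bare SYNs from one source inside one second
    events += [Event(1.0 + i * 0.03, "192.0.2.9", "10.0.0.20", 25, True, False) for i in range(30)]
    return events


if __name__ == "__main__":
    for line in analyze(sample_events()):
        print(line)
    print("with threshold=0 (too low):", analyze(sample_events(), threshold=0)[0])
```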

Virtual Private Networks

VPNs provide a secure, dynamic tunnel capability that allows users to make use of both the
Internet and a protected LAN simultaneously without the worry of exposing sensitive
information to cyber criminals. Using IPSec’s tunnel mode, VPNs encrypt the source and
destination addresses of a packet so that these are not exposed to Internet hackers as clear text
but are still usable for routing purposes. This is accomplished through a mechanism called
encapsulation. Encapsulation is a method whereby the IPSec tunnel capability encrypts the
sensitive IP Header and wraps a protective outer header around it. A VPN also provides
encryption of the packet’s user data payload. Typically, today’s solutions apply the Data
Encryption Standard (DES) algorithm or extended 3DES scheme to maximize the length of keys
used to scramble and unscramble data, although newer standards are emerging, e.g. Advanced
Encryption Standard (AES). AES specifies key lengths of 128, 192 and 256 bits [8].
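The transport-mode versus tunnel-mode distinction drawn in the Perimeter Defense section and again here, as an added example that is not part of the report. It is a deliberately simplified model, not an IPsec implementation: the IP header is reduced to 8 bytes (source, destination), ESP to a 4-byte SPI, and the cipher is a stand-in keystream derived with HMAC-SHA256 (constructed for the demo, not a real cipher); addresses and the message are made up.

```python
"""Transport mode versus tunnel mode: what stays visible on the wire.

Added example, not part of the report, and a simplified model rather than an
IPsec implementation: 8-byte IP header, 4-byte SPI in place of ESP, and a demo
keystream in place of a real cipher. Addresses and the message are constructed.
"""
from __future__ import annotations

import hashlib
import hmac


def ip_header(src: str, dst: str) -> bytes:
    """Simplified header: 4 bytes source address, 4 bytes destination address."""
    return bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))


def parse_header(hdr: bytes) -> tuple[str, str]:
    return ".".join(map(str, hdr[:4])), ".".join(map(str, hdr[4:8]))


def keystream_xor(key: bytes, spi: bytes, data: bytes) -> bytes:
    """Demo stand-in for ESP's cipher: XOR with an HMAC-derived keystream.
    Applying it twice restores the data, so the same function decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, spi + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def transport_mode(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """Original header travels in clear; only the payload is protected."""
    spi = b"\x00\x00\x00\x01"
    return ip_header(src, dst) + spi + keystream_xor(key, spi, payload)


def tunnel_mode(key: bytes, gw_a: str, gw_b: str, src: str, dst: str, payload: bytes) -> bytes:
    """Original header AND payload are encrypted; a new outer header names the gateways."""
    spi = b"\x00\x00\x00\x02"
    inner = ip_header(src, dst) + payload
    return ip_header(gw_a, gw_b) + spi + keystream_xor(key, spi, inner)


def tunnel_receive(key: bytes, wire: bytes) -> tuple[str, str, bytes]:
    """Receiving gateway strips the outer header, decrypts and recovers the inner packet."""
    spi, body = wire[8:12], wire[12:]
    inner = keystream_xor(key, spi, body)
    src, dst = parse_header(inner[:8])
    return src, dst, inner[8:]


def observer_view(wire: bytes, marker: bytes) -> dict:
    """What someone watching the wire learns from the packet."""
    src, dst = parse_header(wire[:8])
    return {"src": src, "dst": dst, "payload_in_clear": marker in wire, "bytes": len(wire)}


def compare_modes() -> dict[str, dict]:
    key = b"constructed-sa-key"
    payload = b"userid=alice&pw=constructed-demo-value"
    hosts = ("10.0.0.5", "10.0.0.20")
    plain = ip_header(*hosts) + payload
    transport = transport_mode(key, *hosts, payload)
    tunnel = tunnel_mode(key, "203.0.113.1", "198.51.100.1", *hosts, payload)
    assert tunnel_receive(key, tunnel) == (*hosts, payload)  # round trip through the gateway
    return {m: observer_view(w, b"userid=") for m, w in
            [("plain", plain), ("transport", transport), ("tunnel", tunnel)]}


if __name__ == "__main__":
    for mode, view in compare_modes().items():
        print(f"{mode:10s} {view}")
```

In transport mode the observer still learns which two hosts are talking; in tunnel mode only the gateway addresses are visible, at the cost of the extra inner header the text calls overhead.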

Encryption
Encryption is a technique for transforming text into something visually meaningless and is a
fundamental cyber security management system technology. Objects of encryption include those
pieces of information that, if compromised, could result in adverse effects on an organization’s
valued information assets – userids, passwords, business data, names and addresses of servers
and workstations, etc. In-depth, multi-level cyber security management applies encryption
together with other technologies like perimeter defense solutions, backup and recovery, and
digital signature, as indicated in the Figure 1 concept map. Indeed, encryption is often built into
perimeter defense mechanisms like firewalls and VPNs. Encryption is what results from applied
cryptographic algorithms. A clear overview of cryptographic algorithms is presented in industry
analyst Tom Austin’s book titled PKI: A Wiley Tech Brief. There are two types of cryptographic
algorithms – symmetric algorithms and asymmetric algorithms (see the Figure 5 concept map
below). The latter of these is practically synonymous with the conception of Public Key
Infrastructure (PKI). Both support the notion of keys that are used as input to the algorithm to
create scrambled cipher text from plain (clear) text or to create plain text from cipher text. When
all other factors are equal, key length is an important factor in determining the strength of an
algorithm because the longer the key, the longer it will take a hacker to decipher (and thereby
use) the key illicitly. Symmetric systems are based on the sharing of one secret key between two
persons across a secure channel. One problem with this approach is that, with enough time and
computing power, hackers can bust the shared key. Another problem is that the management and
distribution of symmetric keys is costly. DES uses 56-bit, symmetric keys and encrypts data by
the 8-byte block [10]. Kerberos is an example of a symmetric key system that strengthens DES
with a trusted Key Distribution Center (KDC) to manage the secret keys between sites and
between the KDC and client sites.

Asymmetric key encryption systems operate on the notion that two, mathematically related keys
are better than one. The underlying asymmetric algorithms are founded in extremely difficult
mathematical problems, with key lengths long enough to support combinations in the many
trillions! One example of an extremely complex mathematical problem used in asymmetric
cryptography is the RSA algorithm. RSA is based on factoring very large integers into prime
factors. Other cryptosystems are based on solving the discrete logarithm problem, e.g. elliptic
curve systems.
Under a symmetric key setup, if Bob and Alice want to exchange a message, each of them must
know the secret key. Asymmetric key management systems allow Bob and Alice to have their
own private keys that nobody else knows about. In addition, both Bob and Alice have a public
key that they share with each other, and anyone else. Alice and Bob can use each other’s public
key to encrypt a message that is decipherable by the other using the other’s private key.
Likewise, the two can use the other’s public key to decrypt a message that the other had
encrypted with their own private key. Figure 5 shows the encryption and decryption processes in
red and blue, respectively. Aside from the algorithms themselves, the substantive difference
between symmetric encryption/decryption and asymmetric encryption/decryption is inherent in
the number and nature of keys used. Regardless, the result guarantees confidentiality through the
use of cipher text. However, the objectives of authenticity and integrity are achieved differently
by the two approaches. The symmetric approach is to create a Message Authentication Code
(MAC) for such purposes, while the asymmetric approach is to create a digital signature. MACs
are generated at the sending location when plain text is input to a symmetric algorithm. The plain
text message and its associated MAC are then sent to a recipient who, having the same
symmetric algorithm as the sender, creates another MAC of the plain text and compares it with
the MAC sent. If the two MACs are identical, the message received has integrity, i.e. it has not
been altered. Conversely, asymmetric algorithms use the concept of digital signature to ensure
authenticity and integrity. The creation and verification processes for digital signature are shown
in Figure 5 using green and dashed arrows, respectively. Asymmetric systems also provide a
good, though not perfect, measure of non-repudiation, i.e. insurance against denial on the part of
Alice or Bob that they “signed” the message.
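The symmetric integrity check described above (sender computes a MAC, recipient recomputes it with the shared key and compares), as an added example that is not part of the report. It builds the MAC following the HMAC construction of reference 5 (RFC 2104) from hashlib primitives and cross-checks it against Python's hmac module; the key and messages are constructed for the demonstration.

```python
"""Symmetric integrity check with a MAC, built per RFC 2104 (HMAC) from hashlib.

Added example, not part of the report. It follows the construction in reference 5
and checks the result against Python's hmac module; key and messages are
constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 input block size in bytes (B in RFC 2104)


def hmac_sha256(key: bytes, text: bytes) -> bytes:
    """HMAC = H((K xor opad) || H((K xor ipad) || text)), RFC 2104 section 2."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()   # keys longer than B are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")      # then padded with zeros to B bytes
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    inner = hashlib.sha256(ipad + text).digest()
    return hashlib.sha256(opad + inner).digest()


def matches_stdlib(key: bytes, text: bytes) -> bool:
    """Cross-check the hand-built HMAC against the standard library."""
    return hmac_sha256(key, text) == hmac.new(key, text, hashlib.sha256).digest()


def sender(key: bytes, message: bytes) -> tuple[bytes, bytes]:
    """Sending side: the plain text goes out together with its MAC."""
    return message, hmac_sha256(key, message)


def receiver(key: bytes, message: bytes, mac: bytes) -> bool:
    """Receiving side recomputes the MAC with the shared key and compares it.
    compare_digest runs in time independent of where the two values differ."""
    return hmac.compare_digest(hmac_sha256(key, message), mac)


def demo() -> dict[str, bool]:
    key = b"constructed-shared-secret"
    message, mac = sender(key, b"transfer 100 to account 42")
    return {
        "intact": receiver(key, message, mac),                          # True
        "altered": receiver(key, b"transfer 900 to account 42", mac),   # False
        "wrong_key": receiver(b"other-key", message, mac),               # False
        "short_key_ok": matches_stdlib(key, message),
        "long_key_ok": matches_stdlib(b"k" * 100, message),              # > 64-byte key path
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:13s} {result}")
```

A MAC proves integrity and that the sender held the shared key, but because both parties hold that key it cannot provide the non-repudiation the text attributes to digital signatures.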

Summary
The goal of a cyber security management system is to protect the confidentiality,
integrity and availability of information assets. Two relevant cyber security
management system technology categories have been described here – perimeter
defense and encryption. These concepts and solutions are interrelated and often
bundled together in practical application. Again, a thoroughly conceived and
equivalently rendered cyber security management policy helps to move the
application of these technologies forward. The concepts of policy and technology
are primary to an effective cyber security management system. They are
intertwined with each other as well as with other concepts such as planning and
configuration management. All of these concepts must be active in an
organization’s cyber security management system in order to sustain desired levels
of information asset protection.
REFERENCES

1. Adams, Carlisle and Lloyd, Steve, Understanding Public-Key Infrastructure: Concepts, Standards, and Deployment Considerations, Indianapolis, IN, USA, Macmillan Technical Publishing, 1999

2. Austin, Tom, PKI: A Wiley Tech Brief, New York, NY, USA, Wiley Computer Publishing, John Wiley & Sons, Inc., 2001, pp. 46-48

3. Dumbill, Edd, “Jargon Lexicon”, AmigaGuide, 1994, http://star.informatik.rwth-aachen.de/jargon300/Trojanhorse.html

4. Kramer, Carol, Northcutt, Stephen and Kerby, Fred, editors, “Basic Security Policy: Version 1.6 - May 8, 2001”, SANS GIAC, 2001

5. Krawczyk, H. (IBM), Canetti, R. (IBM), Bellare, M. (UC San Diego), “HMAC: Keyed-Hashing for Message Authentication”, June 1997, www-cse.ucsd.edu/users/mihir/papers/rfc2104.txt

6. Lo, Joseph, “Trojan Horse Attacks”, 2002, http://www.irchelp.org/irchelp/security/trojan.html