Phases of The SDLC

Phases of the SDLC

Investigation of the System − The officials and directors working at the highest level of management in the organization initiate this procedure. To carry it out, the project's objectives and aims must be determined first. An Information Security Policy is created, which includes descriptions of the security applications and programs to be deployed, as well as how they are implemented in the organization's system.

Analysis of the System − This phase performs a comprehensive analysis of the documents obtained during the System Investigation phase. Existing security policies, programs, and software are examined to see whether there are any weaknesses or vulnerabilities in the system. Threats that may arise in the future are also considered. This phase is solely responsible for risk management.

Logical Planning − The Logical Design phase is concerned with the creation of the tools and blueprints that are used in the implementation of the different information security rules, as well as their applications and software. To avoid future losses, backup and recovery plans are also created, and the procedures to follow in the event of a disaster are prepared. During this phase, the decision whether to outsource the project is made: it is determined whether the project can be finished inside the organization or must be outsourced to another company for completion.

Physical Layout − The technical teams receive the tools and blueprints required for the software implementation and the system security application. Various solutions are researched during this step for unanticipated concerns that may arise in the future; they are analyzed and written down to address the majority of the vulnerabilities that were overlooked during the analysis phase.

Implementation − Whether the project is in-house or outsourced, sufficient documentation of the product is produced so that the standards established for the project are met. The project's implementation and integration are carried out with the assistance of numerous teams that rigorously verify whether the product fits the system requirements given in the system documentation.

Maintenance − After the security program has been implemented, it must be ensured that it is working effectively and that it is being monitored appropriately. To counter emerging risks that may have gone unnoticed at the time of creation, the security software must be kept up to date.

DEVIATION IN THE QUALITY OF SERVICES: An organization's information system depends on the successful operation of many interdependent support systems. Deviations in quality of service can result from incidents such as a backhoe taking out a fiber-optic link for an ISP. The backup provider may be online and in service, but may be able to supply only a fraction of the bandwidth the organization needs for full service. This degradation of service is a form of availability disruption.

Internet Service Issues
• In organizations that rely heavily on the Internet and the World Wide Web to support continued operations, Internet service provider failures can considerably undermine the availability of information.
• Many organizations have sales staff and telecommuters working at remote locations.
• When these offsite employees cannot contact the host systems, they must use manual procedures to continue operations.
• When an organization places its Web servers in the care of a Web hosting provider, that provider assumes responsibility for all Internet services as well as for the hardware and operating system software used to operate the Web site.
• These Web hosting services are usually arranged with an agreement providing minimum service levels, known as a Service Level Agreement (SLA).
• When a service provider fails to meet the SLA, the provider may accrue fines to cover losses incurred by the client.

Communications and Other Service Provider Issues
• Other utility services can affect organizations as well.
• Among these are telephone, water, wastewater, trash pickup, cable television, natural or propane gas, and custodial services.
• The loss of these services can impair the ability of an organization to function.
• For instance, most facilities require water service to operate an air-conditioning system.

Power Irregularities
• Irregularities from power utilities are common and can lead to fluctuations such as power excesses, power shortages, and power losses.
• This can pose problems for organizations that provide inadequately conditioned power for their information systems equipment.
• A momentary low voltage, or sag, or a more prolonged drop in voltage, known as a brownout, can cause systems to shut down or reset, or otherwise disrupt availability.
• Complete loss of power for a moment is known as a fault, and a more lengthy loss as a blackout.
• Because sensitive electronic equipment (especially networking equipment, computers, and computer-based systems) is vulnerable to fluctuations, controls should be applied to manage power quality. With small computers and network systems, quality power-conditioning options such as surge suppressors can smooth out spikes.
• The more expensive uninterruptible power supply (UPS) can protect against spikes and surges as well as against sags and even blackouts of limited duration.

Information extortion occurs when an attacker either threatens to steal, or actually steals, information from a company. The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.

Sabotage and vandalism are deliberate acts that involve defacing an organization's Web site, possibly damaging the organization's image and causing its customers to lose faith. One form of online vandalism is a hacktivist or cyberactivist operation. These are cases of high-tech civil disobedience to protest the operations, policies, or actions of an organization or government agency.

Theft of Equipment or Information: Computing devices and storage devices are becoming smaller yet more powerful with vastly increased storage. As a result, these devices are becoming easier to steal and easier for attackers to use to steal information. One form of theft, known as dumpster diving, involves the practice of rummaging through commercial or residential trash to find information that has been discarded. Paper files, letters, memos, photographs, IDs, passwords, credit cards, and other forms of information can be found in dumpsters. Unfortunately, many people never consider that the sensitive items they throw in the trash may be recovered. Such information, when recovered, can be used for fraudulent purposes.
Attacks

Virus − Segment of computer code that performs malicious actions by attaching to another computer program.
Worm − Segment of computer code that performs malicious actions and will replicate, or spread, by itself (without requiring another computer program).
Phishing Attack − Phishing attacks use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages.
Spear Phishing Attack − Phishing attacks target large groups of people. In spear phishing attacks, the perpetrators find out as much information about an individual as possible to improve their chances that phishing techniques will be able to obtain sensitive, personal information.
Denial-of-Service Attack − Attacker sends so many information requests to a target computer system that the target cannot handle them successfully and typically crashes (ceases to function).
Distributed Denial-of-Service Attack − An attacker first takes over many computers, typically by using malicious software. These computers are called zombies or bots. The attacker uses these bots, which form a botnet, to deliver a coordinated stream of information requests to a target computer, causing it to crash.
Trojan Horse − Software programs that hide in other computer programs and reveal their designed behavior only when they are activated.
Back Door − Typically a password, known only to the attacker, that allows him or her to access a computer system at will, without having to go through any security procedures (also called a trap door).
Logic Bomb − Segment of computer code that is embedded within an organization's existing computer programs and is designed to activate and perform a destructive action at a certain time or date.
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. An intrusion detection system (IDS) is software that automates the intrusion detection process. An intrusion prevention system (IPS) is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.

DETECTION TYPES:

Signature-Based Detection (sometimes called a knowledge-based IDPS or a misuse-detection IDPS) examines network traffic in search of patterns that match known signatures, that is, preconfigured, predetermined attack patterns. Signature-based IDPS technology is widely used because many attacks have clear and distinct signatures, for example: (1) footprinting and fingerprinting activities use ICMP, DNS querying, and e-mail routing analysis; (2) exploits use a specific attack sequence designed to take advantage of a vulnerability to gain access to a system; (3) DoS and DDoS attacks, during which the attacker tries to prevent the normal usage of a system, overload the system with requests so that the system's ability to process them efficiently is compromised or disrupted.

Anomaly-Based Detection − An IDS that looks at network traffic and detects data that is incorrect, not valid, or generally abnormal is called anomaly-based detection. This method is useful for detecting unwanted traffic that is not specifically known. For instance, an anomaly-based IDS will detect that an Internet Protocol (IP) packet is malformed. It does not detect that it is malformed in a specific way, but indicates that it is anomalous.

Stateful Protocol Inspection − Similar to anomaly-based detection, but it can also analyze traffic at the network and transport layers and vendor-specific traffic at the application layer, which anomaly-based detection cannot do. It can also examine authentication sessions for suspicious activity as well as for attacks that incorporate "unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command without first issuing a command upon which it is dependent, as well as 'reasonableness' for commands such as minimum and maximum lengths for arguments."
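The three detection types side by side, as an added example that is not part of the original notes: a toy engine runs signature matching, a volume baseline, and stateful command-sequence checks over a constructed stream of login-protocol events. The protocol model (USER before PASS before RETR), the 255-byte argument limit and the single signature rule are assumptions made for the illustration.

```python
"""Toy IDS engine contrasting the three detection types described above."""
import re
from collections import Counter

# Constructed sample events (not captured traffic): (source_ip, protocol command line).
EVENTS = [
    ("10.0.0.5", "USER alice"),
    ("10.0.0.5", "PASS hunter2"),
    ("10.0.0.5", "RETR report.txt"),
    ("10.0.0.9", "RETR payroll.csv"),              # RETR without a prior login
    ("10.0.0.7", "USER " + "A" * 600),             # argument far beyond a reasonable length
    ("10.0.0.8", "GET /cgi-bin/../../etc/passwd"),  # matches a preconfigured signature
] + [("10.0.0.4", "USER bob")] * 40                 # burst of requests from one source

# Signature-based: preconfigured, predetermined attack patterns (hypothetical rule set).
SIGNATURES = {"path-traversal": re.compile(r"\.\./")}

def signature_detect(events):
    """Flag every event that matches a known signature."""
    return [(ip, name) for ip, cmd in events
            for name, rx in SIGNATURES.items() if rx.search(cmd)]

def anomaly_detect(events, baseline=5):
    """Anomaly-based: flag sources whose request count exceeds the learned baseline.
    The detector does not say what is wrong, only that the volume is abnormal."""
    counts = Counter(ip for ip, _ in events)
    return sorted(ip for ip, n in counts.items() if n > baseline)

# Stateful protocol inspection: a command may depend on an earlier one, and
# arguments have a "reasonable" maximum length (constructed protocol model).
PREREQ = {"PASS": "USER", "RETR": "PASS"}
MAX_ARG_LEN = 255

def stateful_detect(events):
    """Track per-source session state and flag out-of-order or oversized commands."""
    seen = {}  # source_ip -> set of commands already issued in its session
    alerts = []
    for ip, cmd in events:
        verb, _, arg = cmd.partition(" ")
        state = seen.setdefault(ip, set())
        if verb in PREREQ and PREREQ[verb] not in state:
            alerts.append((ip, f"{verb} issued without prior {PREREQ[verb]}"))
        if len(arg) > MAX_ARG_LEN:
            alerts.append((ip, f"{verb} argument exceeds {MAX_ARG_LEN} bytes"))
        state.add(verb)
    return alerts

if __name__ == "__main__":
    print(signature_detect(EVENTS))
    print(anomaly_detect(EVENTS))
    print(stateful_detect(EVENTS))
```

Note that the burst from 10.0.0.4 is caught only by the anomaly detector, while the out-of-order RETR and the oversized USER argument are invisible to both the signature and the volume checks.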
Network Intrusion Detection System (NIDS) is one common type of IDS that analyzes network traffic at all layers of the Open Systems Interconnection (OSI) model and makes decisions about the purpose of the traffic, analyzing for suspicious activity. Most NIDSs are easy to deploy on a network and can often view traffic from many systems at once. A term becoming more widely used by vendors is "Wireless Intrusion Prevention System" (WIPS), describing a network device that monitors and analyzes the wireless radio spectrum in a network for intrusions and performs countermeasures. A NIDS monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity. It can identify many different types of events of interest. It is most commonly deployed at a boundary between networks, such as in proximity to border firewalls or routers, virtual private network (VPN) servers, remote access servers, and wireless networks. A NIDS is also called a passive IDS, since this kind of system informs the system administrator that an attack has taken or is taking place, and the administrator then takes adequate measures to assure the security of the system. The aim is to report the intrusion so that action can be taken afterwards. Reporting the damage alone is not sufficient, however: for an IDS capable of reacting, it is necessary that the IDS react and be able to block the detected suspicious traffic. These reaction techniques characterize the active IDS.

Adv: Good network design and placement of NIDPS devices can enable an organization to use a few devices to monitor a large network. NIDPSs are usually passive devices and can be deployed into existing networks with little or no disruption to normal network operation.

Disad: A NIDPS can become overwhelmed by network volume and fail to recognize attacks it might otherwise have detected. Some IDPS vendors are accommodating the need for ever faster network performance by improving the processing of detection algorithms in dedicated hardware circuits to gain a performance advantage. Additional efforts to optimize rule set processing may also reduce overall effectiveness in detecting a
Wireless − A wireless local area network (WLAN) IDS is similar to a NIDS in that it can analyze network traffic. However, it will also analyze wireless-specific traffic, including scanning for external users trying to connect to access points (AP), rogue APs, users outside the physical area of the company, and WLAN IDSs built into APs. As networks increasingly support wireless technologies at various points of a topology, WLAN IDS will play larger roles in security. Many previous NIDS tools will include enhancements to support wireless traffic analysis.

Some forms of IDPS are more mature than others because they have been in use much longer. Network-based IDPS and some forms of host-based IDPS have been commercially available for over ten years. Network behavior analysis software is a somewhat newer form of IDPS that evolved in part from products created primarily to detect DDoS attacks, and in part from products developed to monitor traffic flows on internal networks. Wireless technologies are a relatively new type of IDPS, developed in response to the popularity of wireless local area networks (WLAN) and the growing threats against WLANs and WLAN clients.
Network behavior anomaly detection (NBAD) views traffic on network segments to determine if anomalies exist in the amount or type of traffic. Segments that usually see very little traffic, or segments that see only a particular type of traffic, may change in the amount or type of traffic if an unwanted event occurs. NBAD requires several sensors to create a good snapshot of a network and requires benchmarking and baselining to determine the nominal amount of a segment's traffic.

The NIDS-HIDS combination, or so-called hybrid IDS, gathers the features of several different IDS. It allows a single tool to supervise both the network and the terminals. The probes are placed at strategic points and act as NIDS and/or HIDS according to their location. All these probes then forward their alerts to a machine that centralizes them and aggregates the information from multiple origins.
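The benchmarking and baselining step that NBAD depends on, as an added example that is not from the original notes: per-segment sensor summaries from a baselining period give each segment a mean, a standard deviation and a set of normally seen protocols, and a new observation is flagged when its amount or type departs from that profile. The sensor summaries, segment names and the three-sigma threshold are constructed for the illustration.

```python
"""NBAD-style baselining of per-segment traffic (added example)."""
from statistics import mean, pstdev

# Constructed sensor summaries, one (protocol, bytes) tuple per interval; these are
# not real measurements. HISTORY is the benchmarking/baselining period.
HISTORY = {
    "dmz":    [("tcp/443", 52000), ("tcp/443", 48000), ("tcp/443", 50500), ("tcp/443", 49500)],
    "hr-lan": [("tcp/445", 1200), ("tcp/445", 900), ("tcp/445", 1100), ("tcp/445", 1000)],
}
OBSERVED = {
    "dmz":    ("tcp/443", 51000),   # inside the normal band
    "hr-lan": ("udp/53", 38000),    # quiet segment suddenly busy with a new protocol
}

def build_baseline(history):
    """Per segment: mean and standard deviation of bytes, plus the protocols normally seen."""
    baseline = {}
    for segment, samples in history.items():
        sizes = [size for _, size in samples]
        baseline[segment] = {
            "mean": mean(sizes),
            "std": pstdev(sizes),
            "types": {proto for proto, _ in samples},
        }
    return baseline

def detect_deviations(baseline, observed, k=3.0):
    """Flag a segment when the traffic type is new or the amount exceeds mean + k*std.
    A floor of 1 byte on std keeps a perfectly constant history from yielding a zero-width band."""
    alerts = []
    for segment, (proto, size) in observed.items():
        profile = baseline[segment]
        if proto not in profile["types"]:
            alerts.append((segment, f"unexpected protocol {proto}"))
        threshold = profile["mean"] + k * max(profile["std"], 1.0)
        if size > threshold:
            alerts.append((segment, f"volume {size} exceeds baseline {threshold:.0f}"))
    return alerts

if __name__ == "__main__":
    for alert in detect_deviations(build_baseline(HISTORY), OBSERVED):
        print(alert)
```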
The Host Intrusion Detection System − According to the source of the data to examine, the Host Based Intrusion Detection System can be classified in two categories:
• The Application-Based HIDS. An IDS of this type receives its data from applications, for example the log files generated by database management software, the web server, or the firewalls. The vulnerability of this technique lies in the application layer.
• The Host-Based HIDS. An IDS of this type receives information about the activity of the supervised system. This information is sometimes in the form of operating system audit trails. It can also include the system logs or other logs generated by operating system processes, and the contents of system objects not reflected in the standard operating system audit and logging mechanisms. These types of IDS can also use the results returned by another IDS of the application-based type.

Host-based intrusion detection systems (HIDS) analyze network traffic and system-specific settings such as software calls, local security policy, local log audits, and more. A HIDS must be installed on each machine and requires configuration specific to that operating system and software. A host-based IDPS monitors the characteristics of a single host and the events occurring within that host for suspicious activity. Examples of the types of characteristics a host-based IDPS might monitor are network traffic (only for that host), system logs, running processes, application activity, file access and modification, and system and application configuration changes. Host-based IDPSs are most commonly deployed on critical hosts such as publicly accessible servers and servers containing sensitive information.
