360 Final Notes

The document discusses risk assessment and management processes including risk identification, assessment, control, and justification of controls. It defines key terms and outlines the major stages of risk assessment including planning, determining loss frequency and magnitude, and assessing risk acceptability. Cost-benefit analysis and benchmarking are also covered as methods to evaluate controls.


Chapter 5

▪ Risk assessment: A determination of the extent to which an organization’s information
assets are exposed to risk.
▪ Risk control: Process of taking carefully reasoned steps to ensure the confidentiality,
integrity, and availability of the components of an information system.
▪ Risk identification: Formal process of examining and documenting risk in information
systems.
▪ Risk management: The process of identifying risk, assessing its relative magnitude, and
taking steps to reduce it to an acceptable level.

❖ An Overview of Risk Management:
- Know yourself: identify, examine, and understand the information and
systems currently in place.
- Know the enemy: identify, examine, and understand the threats facing the
organization.
❖ Communities of interest are responsible for:
• Evaluating current and proposed risk controls.
• Determining which control options are cost effective for the organization.
• Acquiring or installing the needed controls.
• Ensuring that the controls remain effective.

▪ Risk appetite: The quantity and nature of risk that organizations are willing to accept as
they evaluate the trade-offs between perfect security and unlimited accessibility.
▪ Residual risk: The risk to information assets that remains even after current controls
have been applied.

❖ Components of risk identification:
1. Planning and Organizing the Process.
2. Identifying, Inventorying, and Categorizing Assets:
▪ Iterative process: Begins with the identification and inventory of assets,
including all elements of an organization’s system (people, procedures, data
and information, software, hardware, networking).
• Important asset attributes:
o People: position name/number/ID; supervisor; security clearance
level; special skills.
o Procedures: description; intended purpose; relation to
software/hardware/networking elements; storage location for
reference; storage location for update.
o Data: classification; owner/creator/manager; data structure size; data
structure used; online/offline; location; backup procedures employed.

• What information attributes to track depends on:
o Needs of organization/risk management efforts.
o Needs of the security and information technology communities.
▪ Inventory process: involves formalizing the identification process in some
form of organizational tool.
• Asset Categorization:
o People comprise employees and nonemployees.
o Procedures either do not expose knowledge useful to a potential
attacker or are sensitive and could allow an adversary to gain an advantage.
o Data components account for the management of information in
transmission, processing, and storage.
o Software components are applications, operating systems, or security
components.
o Hardware: either the usual system devices and peripherals or part of
information security control systems.
3. Classifying, Valuing, and Prioritizing Information Assets:
• Information owners are responsible for classifying their information assets.
• Information classifications must be reviewed periodically.
• Classifications include confidential, internal, and external.
4. Data Classification and Management:
• Management of classified data includes storage, distribution, transportation,
and destruction.
• Information Asset Valuation:
o Information asset prioritization:
- Create a weighting for each criterion (the questions asked of every
asset, such as how critical it is to the organization, how much
revenue it generates, and what it would cost to replace), with the
weights summing to 100.
- Score each asset against each criterion and prioritize it using
weighted factor analysis (weighted score = sum of criterion weight ×
asset score for that criterion).
- List the assets in order of importance using a weighted factor
analysis worksheet.
5. Identifying and Prioritizing Threats.
6. Specifying Asset Vulnerabilities.

❖ Major stages of risk assessment:
1. Planning and organizing risk assessment:
• The goal at this point is to create a method for evaluating the relative risk of
each listed vulnerability.
2. Determining the Loss Frequency:
▪ Loss Frequency: describes an assessment of the likelihood of an attack
combined with expected probability of success.
3. Evaluating Loss Magnitude:
▪ Loss Magnitude: also known as event loss magnitude or asset exposure.
- Combines the value of information asset with the percentage of asset lost in
the event of a successful attack.
• Difficulties involve:
o Valuating an information asset.
o Estimating the percentage of information asset lost during best-case,
worst-case, and most likely scenarios.
4. Calculating Risk:
▪ Risk is computed from the loss frequency (stage 2) and the loss magnitude
(stage 3) estimated for each asset/vulnerability pair, adjusted for the
portion of the risk already mitigated by current controls and for the
uncertainty of the estimates; the result is used to rank the vulnerabilities.
5. Assessing Risk Acceptability:
▪ Residual risk: risk remaining to the information asset even after the existing
control is applied.
- If the risk appetite is less than the residual risk, the organization must look
for additional strategies to further reduce the risk.
- If the risk appetite is greater than the residual risk, the organization proceeds
to the later stages of risk control.
• Documenting the Results of Risk Assessment:
o The goal of this process has been to identify the information assets of
the organization that have specific vulnerabilities and create a list of
them, ranked for focus on those most needing protection first.
▪ Worksheet describes: asset, asset relative value, vulnerability, loss
frequency, and loss magnitude.

❖ The Open FAIR Approach to Risk Assessment:
• Identify scenario components.
• Evaluate loss event frequency.
• Evaluate probable loss magnitude.
• Derive and articulate risk.
❖ Risk Control:
- Once the ranked vulnerability risk worksheet is complete, the organization
must choose one of five strategies to control each risk:
• Defense: Accomplished through countering threats, removing asset
vulnerabilities, limiting asset access, and adding protective safeguards.
• Transference: This strategy attempts to shift risk to other assets,
processes, or organizations.
• Mitigation: Attempts to reduce the impact of an attack rather than
reduce the success of the attack itself.
- Approach includes three types of plans:
o Incident response (IR) plan: define the actions to take while
incident is in progress.
o Disaster recovery (DR) plan: the most common mitigation
procedure; preparations for the recovery process.
o Business continuity (BC) plan: encompasses the continuation
of business activities if a catastrophic event occurs.
• Acceptance: Doing nothing to protect a vulnerability and accepting the
outcome of its exploitation.
• Termination: Directs the organization to avoid business activities that
introduce uncontrollable risks.

❖ Justifying Controls:
- There are several ways to determine the advantages/disadvantages of a
specific control.
- Items that affect cost of a control or safeguard include cost of development
or acquisition, training fees, implementation cost, service costs, and cost of
maintenance.
▪ Asset valuation: involves estimating real costs associated with design,
development, installation, maintenance, protection, recovery, and defense
against loss.
• Expected loss per risk stated in the following equation:
“Annualized loss expectancy (ALE) = single loss expectancy (SLE) × annualized
rate of occurrence (ARO)”
• SLE = asset value × exposure factor (EF).

❖ The Cost-Benefit Analysis (CBA) Formula:
- CBA determines if an alternative being evaluated is worth the cost incurred
to control vulnerability.
• CBA = ALE (prior) – ALE (post) – ACS.
- ALE (prior): is the annualized loss expectancy of risk before implementation
of control.
- ALE (post): is the estimated ALE based on control being in place for a period
of time.
- ACS: is the annualized cost of the safeguard.
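Worked example of the SLE/ALE and CBA formulas above, with the ACS assembled from the cost items listed under Justifying Controls (one-time development/acquisition, training and implementation costs spread over the control's useful life, plus recurring service and maintenance). This is an added example, not part of the original notes; the asset value, exposure factors, ARO figures, control names and cost numbers are all constructed for illustration.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF, the fraction of the asset's
    value lost in one successful attack, 0.0..1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence (ARO).
    An attack expected once every 4 years has ARO = 1/4 = 0.25."""
    return sle * aro


@dataclass
class Control:
    """A candidate safeguard (hypothetical). Cost fields follow the list of
    items that affect the cost of a control: acquisition, training,
    implementation, service and maintenance."""
    name: str
    acquisition: float        # one-time development or acquisition cost
    training: float           # one-time training fees
    implementation: float     # one-time implementation cost
    annual_service: float     # recurring service cost per year
    annual_maintenance: float # recurring maintenance cost per year
    lifespan_years: int       # years over which one-time costs are spread
    ale_post: float           # estimated ALE with this control in place

    def annualized_cost(self) -> float:
        """ACS: one-time costs amortized over the control's life, plus the
        recurring costs counted every year."""
        one_time = self.acquisition + self.training + self.implementation
        return one_time / self.lifespan_years + self.annual_service + self.annual_maintenance


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS.
    Positive: the control saves more per year than it costs."""
    return ale_prior - ale_post - acs


def rank_controls(ale_prior: float, controls: list[Control]) -> list[tuple[str, float]]:
    """(name, CBA) pairs, best first. A negative CBA means the control is
    not economically justified for this particular risk."""
    scored = [(c.name, cost_benefit(ale_prior, c.ale_post, c.annualized_cost()))
              for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a customer database valued at $500,000; a successful
# breach is assumed to destroy 20% of that value, once every two years.
ASSET_VALUE = 500_000
SLE = single_loss_expectancy(ASSET_VALUE, 0.20)    # 100,000
ALE_PRIOR = annualized_loss_expectancy(SLE, 0.5)   # 50,000

CANDIDATES = [
    # DLP gateway: assumed to cut EF to 5% and halve the ARO -> 25,000 x 0.25
    Control("dlp-gateway", 60_000, 5_000, 10_000, 3_000, 4_000, 5, ale_post=6_250),
    # awareness training only: cheap, modest reduction in ARO
    Control("awareness-training", 0, 8_000, 2_000, 0, 3_000, 2, ale_post=40_000),
    # outsourced SOC: assumed to eliminate the loss, but costs more than it saves
    Control("outsourced-soc", 0, 0, 20_000, 55_000, 0, 4, ale_post=0),
]

if __name__ == "__main__":
    for name, cba in rank_controls(ALE_PRIOR, CANDIDATES):
        print(f"{name:20s} CBA = {cba:>10,.0f}")
```

The ranking shows why the formula matters: the most effective control (the outsourced SOC, which drives ALE to zero) has a negative CBA and is not justified for this asset, while the DLP gateway, which leaves some residual loss, is the best choice economically.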

❖ Benchmarking and Best Practices:
▪ Benchmarking: is an alternative method to economic feasibility analysis that
seeks out and studies practices used in other organizations to produce
desired results in one’s own organization.
- One of two measures typically used to compare practices:
• Metrics-based measures: based on numerical standards.
• Process-based measures: more strategic and less focused on
numbers.
▪ Standard of due care: when adopting levels of security for a legal defense,
the organization shows it has done what any prudent organization would do
in similar circumstances.
▪ Best business practices: security efforts that provide a superior level of
information protection.
• Problems with the application of benchmarking and best practices:
- Organizations don’t talk to each other (biggest problem).
- No two organizations are identical.
▪ Baselining: is the comparison of past security activities and events against an
organization’s future performance.

❖ Feasibility Studies:
• Organizational: Assesses how well the proposed IS alternatives will
contribute to an organization’s efficiency, effectiveness, and overall
operation.
• Operational: Assesses user and management acceptance and support, and
the overall requirements of the organization’s stakeholders.
• Technical: Assesses if organization has or can acquire the technology
necessary to implement and support proposed control.
• Political: Defines what can/cannot occur based on the consensus and
relationships among communities of interest.

❖ Documenting Results:
- Each information asset-threat pair should have a documented control strategy
that clearly identifies any remaining residual risk.

❖ The NIST Risk Management Framework:
- The NIST framework describes risk management as a comprehensive process.
• Addresses how organizations frame risk to produce a risk management strategy
that lets them:
o Frame risk.
o Assess risk.
o Respond to the determined risk.
o Monitor risk on an ongoing basis.
Chapter 6

▪ Access Control: A selective method by which systems specify who may use a particular
resource and how they may use it.
▪ Mandatory access controls (MACs): A required, structured data classification scheme
that rates each collection of information as well as each user.
• Access control approaches:
- Discretionary access controls (DACs): Access controls that are implemented at the
discretion or option of the data user.
- Nondiscretionary controls: Access controls that are implemented by a central
authority.

- In general, all access control approaches rely on the following four mechanisms,
which represent the four fundamental functions of access control systems:
1. Identification: I am a user of the system.
▪ Identification: The access control mechanism whereby an unverified entity
seeking access to a resource supplies a label (such as a user name) by which it
is known to the system. Identification only claims an identity; proving the
claim is authentication.
2. Authentication: I can prove I’m a user of the system.
▪ Authentication: The access control mechanism that requires the
validation and verification of an unauthenticated entity’s purported
identity.
• Authentication factors:
o Something you know:
▪ Password: a private word or a combination of
characters that only the user should know.
▪ Passphrase: a series of characters, typically longer than
a password, from which a virtual password is derived.
o Something you have:
▪ Dumb card: ID or ATM card with magnetic stripe.
▪ Smart card: contains a computer chip that can verify
and validate information.
o Something you are:
▪ Biometric characteristics such as a fingerprint, retina, or iris.
▪ Strong authentication: using at least two different factors (for
example, a smart card plus a PIN), rather than any single factor alone.
3. Authorization: Here’s what I can do with the system.
• Authorization: The access control mechanism that represents the
matching of an authenticated entity to a list of information assets and
corresponding access levels.
• Authorization can be handled in one of three ways:
- Authorization for each authenticated user
- Authorization for members of a group
- Authorization across multiple systems

4. Accountability: You can track and monitor my use of the system.
▪ Accountability: The access control mechanism that ensures all actions
on a system—authorized or unauthorized—can be attributed to an
authenticated identity. Also known as auditability.

▪ Biometrics: Approach based on the use of measurable human characteristics/traits to
authenticate identity.

❖ Access Control Architecture Models:
1. Trusted computing base (TCB): Used to enforce security policy.
▪ ITSEC: An international set of criteria for evaluating computer systems.
2. Bell-LaPadula confidentiality model.
3. Biba integrity model: Designed to prevent corruption of higher integrity entities.
4. Clark-Wilson integrity model.
5. Graham-Denning access control model: Composed of set of objects, set of subjects,
and set of rights.
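Added example (not from the original notes) showing the read/write rules that the Bell-LaPadula confidentiality model and the Biba integrity model enforce, written as the policy-decision functions a reference monitor inside the TCB could call. The level names, the `decide` wrapper, and the deny-by-default handling of unknown labels are assumptions made for the example.

```python
# Lattices ordered from lowest to highest; the list index is the level.
# Label names are assumptions for this example.
CONFIDENTIALITY = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]
INTEGRITY = ["UNTRUSTED", "USER", "SYSTEM"]


def _rank(lattice: list[str], label: str) -> int:
    try:
        return lattice.index(label)
    except ValueError:
        raise ValueError(f"unknown label {label!r}") from None


def bell_lapadula(subject_clearance: str, object_label: str, op: str) -> bool:
    """Confidentiality. Simple security property: a subject may read only at
    or below its clearance ('no read up'). *-property: a subject may write
    only at or above its clearance ('no write down'), so it cannot copy a
    secret into a file that lower-cleared subjects can read."""
    s = _rank(CONFIDENTIALITY, subject_clearance)
    o = _rank(CONFIDENTIALITY, object_label)
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def biba(subject_integrity: str, object_integrity: str, op: str) -> bool:
    """Integrity: the dual of Bell-LaPadula. Simple integrity: a subject may
    read only at or above its own integrity level ('no read down', so it is
    not contaminated by untrusted data). Integrity *-property: a subject may
    write only at or below its level ('no write up'), which is what prevents
    corruption of higher-integrity entities."""
    s = _rank(INTEGRITY, subject_integrity)
    o = _rank(INTEGRITY, object_integrity)
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


def decide(model, subject_level: str, object_level: str, op: str) -> str:
    """Reference-monitor style wrapper: every access goes through the model,
    and anything the model cannot evaluate (bad label, bad operation) is
    denied rather than allowed by accident."""
    try:
        return "allow" if model(subject_level, object_level, op) else "deny"
    except ValueError:
        return "deny"


if __name__ == "__main__":
    for sub, obj, op in [("SECRET", "TOP_SECRET", "read"), ("SECRET", "CONFIDENTIAL", "write")]:
        print(f"BLP  {sub:10s} {op:5s} {obj:12s} -> {decide(bell_lapadula, sub, obj, op)}")
    for sub, obj, op in [("SYSTEM", "UNTRUSTED", "read"), ("USER", "SYSTEM", "write")]:
        print(f"Biba {sub:10s} {op:5s} {obj:12s} -> {decide(biba, sub, obj, op)}")
```

Note that the two models pull in opposite directions: a subject that satisfies Bell-LaPadula by writing upward violates Biba by doing the same thing, which is why real systems that need both (or Clark-Wilson style well-formed transactions) have to decide which property each object class is protecting.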
▪ Firewalls: a combination of hardware and software that filters specific information from
moving between the untrusted network and the trusted network.
• Firewall Processing Modes:
1. Packet filtering firewalls: examine the header information of data
packets that come into the network (source and destination addresses,
protocol, and port numbers) and allow or deny each packet accordingly.
- Packet-filtering firewalls can be implemented as static
filtering, dynamic filtering, and stateful inspection firewalls.
• Three subsets of packet-filtering firewalls:
o Static filtering requires that filtering rules be developed and
installed within the firewall.
o Dynamic filtering allows the firewall to react to an emergent event
and update or create rules to deal with that event.
o Stateful packet inspection (SPI) firewalls keep track of each
network connection between internal and external systems.
2. Application layer proxy firewalls: a dedicated proxy accepts the client’s
request and re-issues it on the client’s behalf, so no direct connection
crosses the firewall and the application protocol itself can be inspected.
3. Media access control (MAC) layer firewalls:
- Designed to operate at the media access control sublayer of the
network’s data link layer.
- Make filtering decisions based on a specific host computer’s
identity.
4. Hybrid firewalls:
- Combine elements of other types of firewalls.
- Enable an organization to make security improvements
without completely replacing existing firewalls.

❖ Firewall Architectures:
- Firewall devices can be configured in several network connection architectures.
• Best configuration depends on three factors:
1. Objectives of the network.
2. Organization’s ability to develop and implement architectures.
3. Budget available for function.
• Three common architectural implementations of firewalls:
1. Single bastion hosts: Usually implemented as a dual-homed host, which
contains two network interface cards (NICs): one that is connected to
external network and one that is connected to internal network.
2. Screened host: Combines packet-filtering router with a separate,
dedicated firewall.
3. Screened subnet: Commonly consists of two or more internal firewalls
behind packet-filtering router.
• Screened subnet performs two functions:
- Protects DMZ systems and information from outside
threats.
- Protects the internal networks by limiting how external
connections can gain access to internal systems.

❖ Selecting the Right Firewall:
- When selecting the firewall, consider the following factors:
1. Which type of firewall technology offers the right balance between
protection and cost for the needs of the organization?
2. What features are included in the base price?
3. How easy is it to set up and configure the firewall?
4. Can the firewall adapt to the growing network in the target organization?
- Most important factor is provision of required protection.
- Second most important issue is cost.

❖ Configuring and Managing Firewalls:
• Firewall rules:
1. Firewalls operate by examining data packets and performing comparison
with predetermined logical rules.
2. The logic is based on a set of guidelines most commonly referred to as
firewall rules.
3. Most firewalls use packet header information to determine whether a
specific packet should be allowed or denied.
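Added example (not from the original notes) contrasting the two packet-filtering approaches described above: a static filter that decides from header fields alone against a rule base, and a stateful packet inspection (SPI) filter that also remembers which connections internal hosts opened. The address plan (10.0.0.0/8 as the trusted network), the rule base, and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address plan: everything in 10/8 is the trusted internal network.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False   # TCP SYN flag: the first packet of a new connection
    ack: bool = False


def direction(pkt: Packet) -> str:
    return "out" if ipaddress.ip_address(pkt.src_ip) in INTERNAL else "in"


# Static rule base, evaluated top-down, first match wins; None is a wildcard.
# Fields: (direction, proto, dst_port, action)
STATIC_RULES = [
    ("in", "tcp", 80, "allow"),      # public web server
    ("in", "tcp", 443, "allow"),
    ("out", None, None, "allow"),    # internal hosts may initiate anything
    (None, None, None, "deny"),      # explicit final deny
]


def static_filter(pkt: Packet) -> str:
    """Static packet filtering: a decision from header fields alone."""
    d = direction(pkt)
    for rule_dir, proto, port, action in STATIC_RULES:
        if rule_dir in (None, d) and proto in (None, pkt.proto) and port in (None, pkt.dst_port):
            return action
    return "deny"


class StatefulFilter:
    """Stateful packet inspection: remember connections that were legitimately
    opened so their replies are recognized, and reject TCP packets that claim
    to belong to a connection the firewall never saw."""

    def __init__(self) -> None:
        self.table: set[tuple] = set()   # (proto, src_ip, src_port, dst_ip, dst_port)

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    @staticmethod
    def _reverse(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def check(self, pkt: Packet) -> str:
        key, rev = self._key(pkt), self._reverse(pkt)
        if key in self.table or rev in self.table:
            return "allow"               # part of a tracked connection, either direction
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"                # mid-stream TCP packet with no state: ACK scan or spoof
        action = static_filter(pkt)      # a genuine new connection: consult the rule base
        if action == "allow":
            self.table.add(key)
        return action


# Constructed traffic for the scenario.
OUT_SYN = Packet("10.1.2.3", "203.0.113.5", "tcp", 51234, 443, syn=True)       # user opens HTTPS
REPLY = Packet("203.0.113.5", "10.1.2.3", "tcp", 443, 51234, syn=True, ack=True) # server's SYN/ACK
ROGUE = Packet("198.51.100.9", "10.1.2.3", "tcp", 443, 51234, syn=True, ack=True)  # forged reply
ACK_SCAN = Packet("198.51.100.9", "10.0.0.80", "tcp", 40000, 80, ack=True)      # ACK-only probe

if __name__ == "__main__":
    fw = StatefulFilter()
    for name, pkt in [("OUT_SYN", OUT_SYN), ("REPLY", REPLY), ("ROGUE", ROGUE), ("ACK_SCAN", ACK_SCAN)]:
        print(f"{name:9s} static={static_filter(pkt):5s} stateful={fw.check(pkt)}")
```

With only static rules, the legitimate reply to an outbound HTTPS connection is dropped (nothing in the rule base allows inbound traffic to an ephemeral port) unless the administrator opens all high ports inbound, which is exactly the hole an ACK scan exploits. The stateful filter allows the reply because it matches a connection it recorded, and rejects the forged reply and the ACK probe because no state exists for them, even though the probe's headers look acceptable to the static rules.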

▪ Content Filters: A software program that allows administrators to restrict content that
comes into or leaves a network.
- Primary purpose to restrict internal access to external material.

❖ Remote Access:
▪ War dialer: automatic phone-dialing program that dials every number in a
configured range and records number if a modem picks up.
▪ Remote Authentication Dial-In User Service (RADIUS): centralizes responsibility
for user authentication in a central RADIUS server.
▪ Diameter: a newer alternative derived from RADIUS.
▪ Terminal Access Controller Access Control System (TACACS): validates a user’s
credentials at a centralized server based on a client/server configuration.
▪ Kerberos: Provides secure third-party authentication.
• Consists of three interacting services:
o Authentication server (AS)
o Key Distribution Center (KDC)
o Kerberos ticket granting service (TGS)
▪ SESAME (Secure European System for Applications in a Multivendor Environment):
similar to Kerberos, but uses public-key encryption to distribute its secret keys.
❖ Virtual Private Networks (VPNs):
- Private and secure network connection between systems.
• Three VPN technologies defined:
1. Trusted VPN.
2. Secure VPN.
3. Hybrid VPN.
• VPN must accomplish:
1. Encapsulation of incoming and outgoing data
2. Encryption of incoming and outgoing data
3. Authentication of remote computer.
• VPN modes:
1. Transport mode:
- Data within IP packet are encrypted, but header information is
not.
- Allows user to establish secure link directly with remote host.
2. Tunnel mode:
- Establishes two perimeter tunnel servers to encrypt all traffic that
will traverse an unsecured network.
ITIS360-Chapter 7

Chapter 7: Intrusion Detection and Prevention Systems (IDPSs)

 Intrusion: occurs when an attacker attempts to gain entry into or disrupt the normal
operations of an organization’s information systems.
 Intrusion prevention: consists of activities that deter an intrusion.
 Intrusion detection: consists of procedures and systems that identify system intrusions.
 Intrusion reaction: encompasses actions an organization undertakes when intrusion event is
detected.
 Intrusion correction: activities complete restoration of operations to a normal state and seek to
identify source and method of intrusion.
 Intrusion detection systems detect a violation of its configuration and activate alarm.
 Many IDPSs enable administrators to configure systems to notify them directly of trouble via e-
mail or pagers.
 Systems can also be configured to notify an external security service organization of a “break-
in.”
 Some IDPS terminology:
 Alarm clustering and compaction • Alarm filtering • Alert/alarm • Confidence value •
Evasion • False attack stimulus • False negative • False positive • Noise
 Why use IDPS?
1. Intrusion detection:
o Primary purpose to identify and report an intrusion
o Can quickly contain an attack and prevent/mitigate the loss or damage
o Detect and deal with preambles to attacks
2. Data collection allows the organization to examine what happened after an intrusion
and why.
3. Serves as a deterrent by increasing the fear of detection.
4. Can help management with quality assurance and continuous improvement
 Types of IDPSs:
1. Network-based IDPSs: focused on protecting network information assets; two
subtypes:
 Wireless IDPS focuses on wireless networks
 Monitors and analyzes wireless network traffic
 Issues associated with it include physical security, sensor range, access point
and wireless switch locations, wired network connections, and cost
 Network behavior analysis (NBA) IDPS examines traffic flow on a network in an
attempt to recognize abnormal patterns.
 Identify problems related to the flow of traffic
 Types of events commonly detected include denial-ofservice (DoS) attacks,
scanning, worms, unexpected application services, and policy violations
 Offer intrusion prevention capabilities that are passive, inline, and both
passive and inline
 Resides on a computer or an appliance connected to a segment of an organization’s
network; looks for indications of attacks
 Done by using special implementation of TCP/IP stack:
 In the process of protocol stack verification, NIDPSs look for invalid data packets.
 In the application protocol verification, higher-order protocols are examined for
unexpected packet behavior or improper use
Advantages:
1. Good network design and placement of NIDPS can enable an organization to monitor a
large network with few devices
2. NIDPSs are usually passive and can be deployed into existing networks with little
disruption to normal network operations
3. NIDPSs are not usually susceptible to direct attack and may not be detectable by
attackers

Disadvantages:
1. Can become overwhelmed by network volume and fail to recognize attacks
2. Require access to all traffic to be monitored
3. Cannot analyze encrypted packets
4. Cannot reliably ascertain if an attack was successful or not
5. Some forms of attack are not easily discerned by NIDPSs, specifically those involving
fragmented packets

2. Host-based systems:
 Resides on a particular computer or server (host) and monitors activity only on that system
 Benchmarks and monitors the status of key system files and detects when intruder creates,
modifies, or deletes files
 Advantage over NIDPS: can access encrypted information traveling over network and make
decisions about potential/actual attacks
 Most HIDPSs work on the principle of configuration or change management
Advantages of HIDPSs:

1. Can detect local events on host systems and detect attacks that may elude a network-based
IDPS
2. Functions on host system, where encrypted traffic will have been decrypted and is available
for processing
3. Not affected by use of switched network protocols
4. Can detect inconsistencies in how applications and systems programs were used by
examining records stored in audit logs

Disadvantages of HIDPSs:
1. Pose more management issues
2. Vulnerable both to direct attacks and attacks against the host operating system

3. Does not detect multihost scanning, nor scanning of non-host network devices
4. Susceptible to some DoS attacks
5. Can use large amounts of disk space
6. Can inflict a performance overhead on its host systems
 IDPS Detection Methods:
1. Signature-based detection (or knowledge-based detection or misuse detection):
 Examines network traffic in search of patterns that match known signatures
 Widely used because many attacks have clear and distinct signatures
 Problem with this approach is that new attack patterns must continually be added to
the IDPS’s database of signatures
 Slow, methodical attack involving multiple events might escape detection
2. Anomaly-based detection (or behavior-based detection):
 Anomaly-based detection collects statistical summaries by observing traffic known to be
normal
 When measured activity is outside the baseline parameters or clipping level, IDPS sends
an alert to the administrator
 IDPS can detect new types of attacks
 Requires much more overhead and processing capacity than signature-based detection
 May generate many false positives
3. Stateful protocol analysis (SPA):
 SPA: process of comparing known normal/benign protocol profiles against observed
traffic
 Stores and uses relevant data detected in a session to identify intrusions involving
multiple requests /responses; allows IDPS to better detect specialized, multisession
attacks (also called deep packet inspection)
 Drawbacks: analytical complexity, heavy processing overhead, may fail to detect
intrusion unless protocol violates fundamental behavior, may interfere with normal
operations of the protocol
4. Log file monitors:
 Log file monitor (LFM) is similar to NIDPS
 Reviews log files generated by servers, network devices, and even other IDPSs for patterns
and signatures
 Patterns that signify an attack may be much easier to identify when the entire network and
its systems are viewed as a whole
 Requires considerable resources since it involves the collection, movement, storage, and
analysis of large quantities of log data
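Added example (not from the original notes) running the two main detection methods above over constructed data: a signature-based matcher over sample web-server log lines, and an anomaly-based check that learns a baseline request rate and alerts above a clipping level. The log lines, the signature patterns, the baseline counts and the k = 3 standard-deviation threshold are all constructed for illustration, not real IDPS rules.

```python
import re
import statistics
from urllib.parse import unquote

# Constructed web-server access-log lines (not from the original page).
LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
    '10.0.0.7 - - "GET /login?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200',
    '198.51.100.9 - - "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404',
    '10.0.0.5 - - "GET /about.html HTTP/1.1" 200',
]

# Signature-based (misuse) detection: patterns for attacks already known.
# Illustrative patterns only; a real rule set is far larger and more precise.
SIGNATURES = {
    "sql_injection": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}


def signature_scan(lines, normalize=True):
    """Return (signature name, line) for each line matching a known pattern.
    With normalize=True the request is URL-decoded before matching; without
    it the attacker evades the signature simply by percent-encoding the
    payload, which is the 'evasion' problem in the terminology list above."""
    hits = []
    for line in lines:
        text = unquote(line) if normalize else line
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                hits.append((name, line))
    return hits


# Anomaly-based (behavior-based) detection: learn "normal", alert on deviation.
# Constructed baseline: requests per minute from one client over a quiet period.
BASELINE_REQUESTS_PER_MIN = [12, 15, 11, 14, 13, 12, 16, 14]


def clipping_level(baseline, k=3.0):
    """Threshold above which activity is reported: mean + k standard
    deviations of the baseline. Larger k means fewer alerts but more misses."""
    return statistics.mean(baseline) + k * statistics.stdev(baseline)


def anomaly_scan(observed, level):
    """observed maps source IP -> requests in the current minute. Returns the
    sources whose rate exceeds the clipping level, highest first."""
    flagged = [(src, n) for src, n in observed.items() if n > level]
    return sorted(flagged, key=lambda pair: pair[1], reverse=True)


# Constructed current-minute counts: a scanner hammering the server, a normal
# user, and a user who reloaded a page a few times too often.
OBSERVED = {"198.51.100.9": 120, "10.0.0.5": 14, "10.0.0.7": 19}

if __name__ == "__main__":
    print("signature hits:", [name for name, _ in signature_scan(LOG_LINES)])
    print("without decoding:", [name for name, _ in signature_scan(LOG_LINES, normalize=False)])
    level = clipping_level(BASELINE_REQUESTS_PER_MIN)
    print(f"clipping level = {level:.1f} req/min; flagged:", anomaly_scan(OBSERVED, level))
```

The anomaly scan catches the scanner without any signature for it, which a signature engine cannot do, but it also flags the user who hit 19 requests in a minute just above the clipping level: that is the false-positive cost the notes mention, and the reason the threshold (the clipping level) has to be tuned per environment rather than copied from a default.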
 IDPS Response Behavior:
 IDPS response to external stimulation depends on the configuration and function; many
response options are available.
 IDPS responses can be classified as active or passive.
 Active response: collecting additional information about the intrusion,
modifying the network environment, and taking action against the intrusion
 Passive response: setting off alarms or notifications, and collecting passive data
through SNMP traps
 Many IDPSs can generate routine reports and other detailed documents.
 Failsafe features protect an IDPS from being circumvented.
 Selecting IDPS Approaches and Products:
 Technical and policy considerations
 Organizational requirements and constraints
 IDPSs product features and quality
 Strengths and Limitations of IDPSs:
Strengths:
1. Monitoring and analysis of system events and user behaviors
2. Testing the security states of system configurations
3. Baselining the security state of a system and tracking changes
4. Recognizing patterns of system events corresponding to known attacks
5. Recognizing activity patterns that vary from normal activity

Limitations:
1. Detecting new attacks or variants of existing attacks
2. Effectively responding to attacks by sophisticated attackers
3. Automatically investigating attacks without human intervention
4. Resisting attacks intended to defeat or circumvent them
5. Dealing effectively with switched networks
 Deployment and Implementation of an IDPS:
Implementation:
1. Centralized: All IDPS control functions are implemented and managed in a central location.
2. Fully distributed: All control functions are applied at the physical location of each IDPS
component.
3. Partially distributed: Combines the two; while individual agents can still analyze and respond to
local threats, they report to a hierarchical central facility to enable organization to detect
widespread attacks.

Deployment:

1. Great care must be taken when deciding where to locate components.
2. Planners must select a deployment strategy that is based on a careful analysis of the
organization’s information security requirements and causes minimal impact.
3. NIDPS and HIDPS can be used in tandem to cover the individual systems that connect to an
organization’s network and the networks themselves.
 Deploying network-based IDPSs – NIST recommends four locations for NIDPS sensors
Location 1: Behind each external firewall, in the network DMZ
Location 2: Outside an external firewall
Location 3: On major network backbones
Location 4: On critical subnets

 Deploying host-based IDPSs
 Proper implementation of HIDPSs can be a painstaking and time-consuming task.
 Deployment begins with implementing most critical systems first.
 Installation continues until either all systems are installed or the organization reaches
planned degree of coverage it will accept
 Measuring the Effectiveness of IDPSs:
 IDPSs are evaluated using four dominant metrics:
 Thresholds
 Blacklists and whitelists
 Alert settings
 Code viewing and editing.
 Honeypots, Honeynets, and Padded Cell Systems:
 Honeypots: decoy systems designed to lure potential attackers away from critical
systems
 Honeynets: several honeypots connected together on a network segment
 Honeypots are designed to:
 Divert an attacker from accessing critical systems
 Collect information about the attacker’s activity
 Encourage the attacker to stay on a system long enough for administrators to
document the event and perhaps respond
 Padded cell system: protected honeypot that cannot be easily compromised
Advantages:
 Attackers can be diverted to targets they cannot damage
 Administrators have time to decide how to respond to an attacker
 Attackers’ actions can be easily and more extensively monitored, and records
can be used to refine threat models and improve system protections
 Honeypots may be effective at catching insiders who are snooping around a
network
Disadvantages:
 Legal implications of using such devices are not well understood
 Honeypots and padded cells have not yet been shown to be generally useful
security technologies
 An expert attacker, once diverted into a decoy system, may become angry and
launch a more aggressive attack against an organization system
 Administrators and security managers need a high level of expertise to use these
systems
 Trap and Trace Systems: Use a combination of techniques to detect an intrusion and
trace it back to its source.
 Legal drawbacks to trap and trace:
 Enticement: act of attracting attention to a system by placing tantalizing information in
key locations
 Entrapment: act of luring an individual into committing a crime to get a conviction
 Enticement is legal and ethical, entrapment is not
 Scanning and Analysis Tools:
 Scanning tools: typically, are used to collect information that an attacker needs to
launch a successful attack.
 Footprinting: process of collecting publicly available information about a potential
target.
 Fingerprinting: systematic survey of the target organization’s Internet addresses collected
during the footprinting phase to identify network services offered by hosts in that range.
 Port Scanners: Tools used by both attackers and defenders to identify/fingerprint
computers active on a network and other useful information.
 Firewall Analysis Tools: Several tools automate remote discovery of firewall rules and
assist the administrator/attacker in analyzing them.
 Active vulnerability scanners: examine networks for highly detailed information and
initiate traffic to determine security holes.
 Passive vulnerability scanners: listen in on the network and identify the vulnerable versions
of both server and client software without sending probes.
 Packet Sniffers: Network tool that captures copies of packets from network and
analyzes them.
Chapter 8

Introduction:

-Cryptology: the field of science that encompasses cryptography and cryptanalysis.

-Cryptanalysis: the process of obtaining the plaintext message from a ciphertext
message without knowing the keys used to perform the encryption.

-Cryptography: the process of making and using codes to secure information.

√ Cryptology has an extensive and multicultural history.

√ All popular Web browsers use built-in encryption features for secure e-commerce
applications.

• Encryption tools were officially listed as Auxiliary Military Technology.

Terminology:

• Algorithm
• Code
• Decipher
• Encipher

Plaintext can be encrypted through:

– Bit stream: each plaintext bit is transformed into a cipher bit one bit at a time.

– Block cipher: message is divided into blocks and each is transformed into encrypted
block of cipher bits using algorithm and key.

Substitution cipher: substitutes or exchanges one value for another.

Monoalphabetic substitution: only incorporates a single alphabet in the encryption
process.

Polyalphabetic substitution: incorporates two or more alphabets in the encryption
process.

Vigenère cipher: advanced type of substitution cipher that uses a simple polyalphabetic
code; made up of 26 distinct cipher alphabets, one of which is selected for each plaintext
letter by the corresponding letter of a keyword.

Example of a single substitution alphabet (a shift of 3, i.e. the Caesar cipher; a Vigenère
cipher changes the shift from letter to letter, which is what defeats simple frequency analysis):

Initial alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ yields

Encryption alphabet: DEFGHIJKLMNOPQRSTUVWXYZABC

Plaintext = Ali

Ciphertext = DOL

Transposition cipher: Also known as a permutation cipher; involves simply rearranging the
values within a block based on an established pattern.

Exclusive OR (XOR) A function within Boolean algebra used as an encryption function in


which two bits are compared. (Very simple to implement and simple to break)

• If the two bits are identical, the result is a binary 0.


• If the two bits are not identical, the result is a binary 1.

Vernam cipher: this cipher uses a set of characters for encryption operations only one time and then discards it.

To perform:

• The pad values are added to numeric values that represent the plaintext that needs to be encrypted.
• Each character of the plaintext is turned into a number and the pad value for that position is added.
• If the sum of the two values exceeds 26, then 26 is subtracted from the total.
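Added example (not part of the course notes): the substitution, XOR and Vernam operations described above written out in Python, so the Ali → DOL example, the mod-26 pad addition and the "use the pad only once" rule can be checked end to end. The pad values and messages are constructed sample data.

```python
# Added example: classical ciphers from the notes (substitution, Vigenère, XOR, Vernam).
import string

ALPHABET = string.ascii_uppercase  # the 26-letter "initial alphabet"


def substitute(plaintext: str, cipher_alphabet: str) -> str:
    """Monoalphabetic substitution: every letter goes through one fixed alphabet.
    The notes' example alphabet is the initial alphabet shifted by three (DEFG...ABC)."""
    if sorted(cipher_alphabet) != list(ALPHABET):
        raise ValueError("cipher alphabet must be a permutation of A-Z")
    return plaintext.upper().translate(str.maketrans(ALPHABET, cipher_alphabet))


def vigenere(plaintext: str, key: str, decrypt: bool = False) -> str:
    """Polyalphabetic substitution: letter i is shifted by key[i % len(key)],
    i.e. each key letter selects one of the 26 cipher alphabets.
    A one-letter key ("D" = shift of 3) degenerates to the monoalphabetic case."""
    shifts = [ALPHABET.index(k) for k in key.upper()]
    out, i = [], 0
    for ch in plaintext.upper():
        if ch not in ALPHABET:          # pass spaces/punctuation through unchanged
            out.append(ch)
            continue
        s = -shifts[i % len(shifts)] if decrypt else shifts[i % len(shifts)]
        out.append(ALPHABET[(ALPHABET.index(ch) + s) % 26])
        i += 1
    return "".join(out)


def vernam_encrypt(plaintext: str, pad: list) -> str:
    """Vernam cipher exactly as the notes describe it: A=1 ... Z=26, add the pad
    value for that position, subtract 26 if the sum exceeds 26.
    The pad must cover the whole message and must never be reused."""
    letters = [c for c in plaintext.upper() if c in ALPHABET]
    if len(pad) < len(letters) or not all(1 <= p <= 26 for p in pad):
        raise ValueError("pad must cover the message with values 1..26")
    out = []
    for c, p in zip(letters, pad):
        total = (ALPHABET.index(c) + 1) + p
        if total > 26:
            total -= 26
        out.append(ALPHABET[total - 1])
    return "".join(out)


def vernam_decrypt(ciphertext: str, pad: list) -> str:
    """Inverse of vernam_encrypt: subtract the pad value, add 26 if it drops below 1."""
    out = []
    for c, p in zip(ciphertext, pad):
        value = (ALPHABET.index(c) + 1) - p
        if value < 1:
            value += 26
        out.append(ALPHABET[value - 1])
    return "".join(out)


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """Bitwise XOR of each data byte with the pad byte at the same position
    (identical bits -> 0, different bits -> 1). XOR is its own inverse."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data")
    return bytes(d ^ p for d, p in zip(data, pad))


def pad_reuse_leak(m1: bytes, m2: bytes, pad: bytes) -> bytes:
    """Why a pad is discarded after one use: XOR of two ciphertexts made with the
    same pad equals XOR of the two plaintexts, so the pad cancels out and the
    relationship between the messages is exposed without knowing the key."""
    return xor_bytes(xor_bytes(m1, pad), xor_bytes(m2, pad))


if __name__ == "__main__":
    print(substitute("Ali", "DEFGHIJKLMNOPQRSTUVWXYZABC"))  # DOL, as in the notes
    print(vigenere("ALI", "D"))                             # DOL again: key "D" is a shift of 3
    pad = [3, 3, 3]                                         # constructed pad, NOT for real use
    ct = vernam_encrypt("ALI", pad)
    print(ct, vernam_decrypt(ct, pad))                      # DOL ALI
```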

-Book cipher: ciphertext consists of a list of codes representing page, line, and word.

-Running key cipher: uses a book for passing the key to the cipher, similar to the Vigenère cipher; the sender provides the encrypted message with a sequence of numbers from a predetermined book to be used as an indicator block.

-Template cipher: involves use of a hidden message in a book, letter, or other message;

√ Symmetric encryption: a cryptographic method in which the same algorithm and “secret” are used both to encipher and decipher the message; also known as private-key encryption.

1- Data Encryption Standard (DES): one of the most popular symmetric encryption cryptosystems.

2- Triple DES (3DES): created to provide security far beyond DES.

3- Advanced Encryption Standard (AES): developed to replace both DES and 3DES.

Asymmetric encryption: a cryptographic method that incorporates mathematical operations involving the use of two different keys (commonly known as the public key and the private key).

• One key is used to encrypt and the other to decrypt.

Cryptographic Tools

• Potential areas of use include:
– Ability to conceal the contents of sensitive messages
– Verify the contents of messages
– Verify the identities of their senders

• To be useful:
– Tools must embody cryptographic capabilities so that they can be applied to the everyday world of computing.

• Examples of widely used tools:
– Public-Key Infrastructure
– Digital Signatures
– Digital Certificates
– Hybrid Cryptography Systems

Public-key infrastructure (PKI): integrated system of software, encryption methodologies, protocols, and legal agreements.

PKI protects information assets in several ways:

– Authentication
– Integrity
– Privacy
– Authorization
– Nonrepudiation

A typical PKI solution protects the transmission and reception of secure information by integrating:

– A certificate authority (CA)
– A registration authority (RA)
– Certificate directories
– Management protocols
– Policies and procedures

Nonrepudiation: the process that verifies the message was sent by the sender and
thus cannot be refuted.

Digital Signature Standard (DSS): is the NIST standard for digital signature algorithm
usage by federal information systems.

Digital Signature: created in response to the rising need to verify information transferred via electronic systems.

Digital Certificate: electronic document containing a key value and identifying information.

Distinguished name (DN): uniquely identifies a certificate entity.

Steganography: The process of hiding messages.

Securing Internet Communication with S-HTTP and SSL

1- Secure Sockets Layer (SSL) protocol: developed by Netscape; uses public-key encryption to secure a channel over the public Internet.

2- Secure Hypertext Transfer Protocol (S-HTTP): extended version of Hypertext Transfer Protocol; provides for encryption of individual messages between client and server across the Internet.

Securing E-mail with S/MIME, PEM, and PGP

Secure Multipurpose Internet Mail Extensions (S/MIME): builds on the Multipurpose Internet Mail Extensions (MIME) encoding format and uses digital signatures based on public-key cryptosystems.

Privacy Enhanced Mail (PEM): proposed as a standard to use 3DES symmetric key encryption and RSA for key exchanges and digital signatures.

Pretty Good Privacy (PGP): uses the IDEA cipher for message encoding.

Secure Electronic Transactions (SET): developed by MasterCard and VISA to protect against electronic payment fraud.

Internet Protocol Security (IPSec): an open-source protocol framework for security development.

• IPSec uses several different cryptosystems:
– Diffie-Hellman key exchange for key material
– Public-key cryptography for signing the Diffie-Hellman exchanges to guarantee identity
– Bulk encryption algorithms for encrypting the data

• PGP security solution provides six services:
- message encryption
- compression
- e-mail compatibility
- segmentation
- key management
Chapter 9

• Parker’s seven major sources of physical loss:

1. Extreme temperature: heat, cold
2. Gases: war gases, commercial vapors, humid or dry air, suspended particles
3. Liquids: water, chemicals
4. Living organisms: viruses, bacteria, people, animals, insects
5. Projectiles: tangible objects in motion, powered objects
6. Movement: collapse, shearing, shaking, vibration, liquefaction, flow waves, separation
7. Energy anomalies: electrical surge or failure, magnetism, static electricity, aging circuitry; radiation: sound, light, radio, microwave, electromagnetic, atomic

• Organization’s communities of interest and their roles:

– General management: responsible for facility security
– IT management and professionals: responsible for environmental and access security
– Information security management and professionals: responsible for performing risk assessments and implementation reviews

▪ Secure facility: physical location with controls implemented to minimize the risk of
attacks from physical threats.

▪ It takes advantage of natural terrain, local traffic flow, and surrounding development
and can complement these with protection mechanisms (fences, gates, walls, guards,
alarms).

• Physical security controls:

▪ Walls, fencing, and gates - some of the oldest and most reliable elements of physical security; the essential starting point for perimeter control.
▪ Guards - can evaluate each situation as it arises to make reasoned responses; most have standard operating procedures.
▪ Dogs - keen sense of smell and hearing can detect intrusions that human guards cannot.
▪ ID cards and badges:
- ID card is typically concealed, and name badge is visible.
- Serve as a simple form of biometrics.
▪ Locks and keys:
- Two types of locks: 1) mechanical 2) electromechanical.
- Also can be divided into four categories: manual, programmable, electronic, biometric.
- Locks fail, and alternative procedures for controlling access must be put in place.
- Locks fail in one of two ways:
- Fail-safe lock: a door lock that fails and causes the door to become unlocked.
- Fail-secure lock: a door lock that fails and causes the door to remain locked.

▪ Mantraps
- Small enclosure that has an entry point and a different exit point.
- Individual enters the mantrap, requests access, and, if verified, is allowed to exit the mantrap into the facility.
- Otherwise, when the individual is denied entry, the person cannot leave the mantrap until a security official overrides the enclosure’s automatic locks.

▪ Electronic monitoring - equipment can record events in areas where other types of physical controls are impractical.
- May use cameras with video recorders (CCTV).
- Video monitoring systems have drawbacks: they are passive, and recordings often are not monitored in real time.
▪ Alarms and alarm systems
- Detect fire, intrusion, environmental disturbance, or an interruption in services.
- Rely on sensors that detect an event.
▪ Computer rooms and wiring closets
- Require special attention to ensure CIA.
- Logical access controls are easily defeated if an attacker gains physical access to computing equipment.
▪ Physical security control (nonsenses refer to slide if u wish)
Fire suppression systems: devices installed and maintained to detect and respond to a fire, potential fire, or combustion danger.

Flame point: the temperature of ignition.

Fire suppression systems typically work by denying an environment one of temperature, fuel, or oxygen:

- Water and water mist systems
- Carbon dioxide systems
- Soda acid systems
- Gas-based systems

Fire detection

Two categories: manual and automatic.

Three types of fire detection systems: thermal detection, smoke detection, flame detection.

Fire suppression: the system can be a portable, manual, or automatic apparatus.

Gaseous emission systems: two types - carbon dioxide and halon.

- Carbon dioxide removes the fire’s oxygen supply.
- Halon is clean but has been classified as an ozone-depleting substance.

System components: all components in slide 25

HVAC systems can cause damage to information systems in four areas:

- Temperature
- Filtration
- Humidity
- Static electricity

For HVAC refer to slide (28-36)

Three methods of data interception:

- Direct observation
- Interception of data transmission
- Electromagnetic interception
Mobile computing systems

- Have corporate information stored within them.
- Are configured to facilitate the user’s access into the organization’s secure computing facilities.

Controls support the security and retrieval of lost or stolen laptops:

- CompuTrace software, stored on the laptop; reports to a central monitoring center.
- Burglar alarms made up of a PC card that contains a motion detector.

Remote computing security

Telecommuting: off-site computing using Internet, dial-up, or leased point-to-point links.

▪ Telecommuters’ computers must be made more secure than the organization’s systems.

Develop physical security in-house or outsource?

- Many qualified and professional agencies exist.
- Benefits of outsourcing include gaining the experience and knowledge of agencies.
- Downsides include high expense, loss of control over individual components, and the level of trust that must be placed in another company.

Social engineering: use of people skills to obtain information from employees that should not
be released

GOOD LUCK BUDDIES


Chapter 10

• InfoSec blueprint implementation is accomplished by changing the configuration and operation of an organization’s information systems.

Implementation includes changes to:

- Procedures (through policy)
- People (through training)
- Hardware (through firewalls)
- Software (through encryption)
- Data (through classification)

• The organization translates its blueprint for information security into a project plan.

Major steps in executing a project plan are:

- Planning the project
- Supervising tasks and action steps
- Wrapping up

• The project plan must address project leadership, managerial/technical/budgetary considerations, and organizational resistance to change.

• Work breakdown structure (WBS): a tool used to create a project plan.

Each major project task in the WBS records:

- Work to be accomplished
- The people or skill sets assigned to perform the task
- Start and end dates for the task
- Amount of effort required for completion
- Estimated capital expenses for the task

Project planning considerations

Financial considerations

• The amount of effort that can be expended depends on available funds.
• Cost-benefit analysis must be reviewed and verified prior to the development of the project plan.
• Public and private organizations have budgetary constraints.

Priority considerations

• In general, the most important information security controls should be scheduled first.
• Implementation of controls is guided by the prioritization of threats and the value of threatened information assets.

Time and scheduling considerations

• Time to order, receive, install, and configure the security control
• Time to train the users
• Time to realize the control’s return on investment

Staffing consideration

• Need for qualified, trained, and available personnel constrains project plan

Procurement considerations

• Often there are constraints on the selection of equipment/services; some organizations require use of particular service vendors/manufacturers/suppliers.

Organizational feasibility considerations

• A successful project requires that an organization be able to assimilate the proposed changes.
• New technologies sometimes require new policies, employee training, and education.
• Changes should be transparent to system users unless the new technology is intended to change procedures (e.g., requiring additional verification).

Training and indoctrination consideration

• Size of an organization and the normal conduct of business may preclude a large training
program for new security procedures/technologies.
• If so, the organization should conduct a phased-in or pilot implementation.

Scope consideration

• Project scope: description of project’s features, capabilities, functions, and quality level,
used as the basis of a project plan.
• The need for project management

Supervised implementation

• Some organizations may designate a champion from the general management community of interest to supervise the implementation of an information security project plan.
• An alternative is to designate a senior IT manager or CIO to lead implementation.
• In the final analysis, each organization must find the project leadership best suited to its specific needs.

Executing the plan

A project manager can adjust one of three planning parameters for the task being corrected:

• Effort and money allocated
• Elapsed time/scheduling impact
• Quality or quantity of the deliverable

Project wrap-up

• Usually handled as a procedural task and assigned to a mid-level IT or information security manager.
• These managers collect documentation, finalize status reports, and deliver the final report and presentation at the wrap-up meeting.
• The goal of wrap-up is to resolve any pending issues, critique the overall project effort, and draw conclusions about how to improve the process.

Four basic conversion strategies:

• Direct changeover
- stopping the old method and beginning the new one
• Phased implementation
- only part of the system is brought out and disseminated across an organization before the next piece is implemented
• Pilot implementation
- the entire security system is put in place in a single office, department, or division before expanding to the rest of the organization
• Parallel operations
- involves running two systems concurrently

The bull’s-eye model relies on the process of project plan evaluation in four layers:

1. Policies
2. Networks
3. Systems
4. Applications

Figure 10-3 The bull’s-eye model


Chapter 12

To manage and operate an ongoing security program:

• A management model must be adopted to manage and operate the ongoing security program.
• Models are frameworks that structure the tasks of managing a particular set of activities or business functions.

NIST SP 800-100 Information Security Handbook: A Guide for Managers

There are 13 areas of information security management monitoring action:

1-Information security governance

– Agencies should monitor the status of their programs to ensure:
• Ongoing information security activities are providing appropriate support
• Policies and procedures are current
• Controls are accomplishing their intended purpose

2-System Development Life Cycle: the overall process of developing, implementing, and retiring information systems through a multistep process.

3-Awareness and training

– A tracking system should be designed to capture key information.
– Tracking compliance involves assessing the status of the program.
– Security policies must continue to evolve.

4-Capital planning and investment control (CPIC)

– Departments are required to allocate funding toward the highest-priority investments.
– CPIC is designed to facilitate the expenditure of agency funds.

5-Interconnecting systems

– The direct connection of two or more information systems for sharing data and other information resources.
– Can expose the participating organizations to risk.


– If one of the connected systems is compromised, the interconnection could be used as a conduit.

6-Performance measures

– Metrics should be used for monitoring the performance of information security controls.
– Six-phase iterative process.

7-Security planning

– One of the most crucial ongoing responsibilities in security management.

8-Information technology contingency planning

– Consists of a process for recovery and documentation of procedures.

9-Risk management

– Ongoing effort.
– Tasks include performing risk identification, analysis, and management.

10-Certification, accreditation, and security assessments

– An essential component of any security program.
– The status of security controls is checked regularly.
– Auditing: the review of a system’s use to determine if misuse/malfeasance has occurred.

11-Security services and products acquisition

12-Incident response: incident response life cycle.

13-Configuration (or change) management: manages the effects of changes in configurations; five-step process.

The Security Maintenance Model: designed to focus the organizational effort on maintaining systems.

The maintenance model is based on five subjects:

1- External monitoring
2- Internal monitoring
3- Planning and risk assessment
4- Vulnerability assessment and remediation
5- Readiness and review
Monitoring the External Environment

• Objective: to provide early awareness of new and emerging threats.
• Entails collecting intelligence from data sources and then giving the intelligence context and meaning for use by decision makers in the organization.

Data sources

– Acquiring threat and vulnerability data is not difficult.
– Turning data into information decision makers can use is the challenge.

• External intelligence comes from vendors, computer emergency response teams (CERTs), public network sources, or membership sites.

Monitoring, escalation, and incident response

– The function of the external monitoring process is to monitor activity, report results, and escalate warnings.

– The monitoring process has three primary deliverables:
• Specific warning bulletins issued when threats are developing
• Periodic summaries of external information
• Detailed intelligence on the highest-risk warnings

Data collection and management

– Over time, external monitoring processes should capture information about external
environment in appropriate formats

– External monitoring collects raw intelligence, filters for relevance, assigns a relative
risk impact, and communicates to decision makers in time to make a difference

Internal monitoring is accomplished by:

– Leading the IT governance process
– Real-time monitoring of IT activity
– Monitoring the internal state of the organization’s networks and systems

Detecting differences

– Difference analysis: procedure that compares the current state of a network segment against the known previous state of the same segment.
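Added example (not part of the course notes): a minimal difference analysis of one network segment, comparing a current snapshot of which hosts listen on which ports against a known previous state and reporting every change. Both snapshots, hosts and ports are constructed placeholders; a real run would fill them from an inventory or scanner export.

```python
# Added example: difference analysis of a network segment (constructed sample data).
from dataclasses import dataclass, field

Snapshot = dict  # host address -> set of listening TCP ports

# Known previous state of the segment (constructed baseline, placeholder addresses)
BASELINE: Snapshot = {
    "10.0.1.10": {22, 443},
    "10.0.1.11": {22, 3306},
    "10.0.1.12": {22},
}

# Current state (constructed: one new host, one newly open port, one port gone)
CURRENT: Snapshot = {
    "10.0.1.10": {22, 443, 8080},
    "10.0.1.11": {22},
    "10.0.1.12": {22},
    "10.0.1.50": {23, 80},
}


@dataclass
class Differences:
    new_hosts: dict = field(default_factory=dict)      # host -> ports it listens on
    missing_hosts: list = field(default_factory=list)  # in baseline, not seen now
    opened_ports: dict = field(default_factory=dict)   # host -> ports newly open
    closed_ports: dict = field(default_factory=dict)   # host -> ports no longer open

    def is_clean(self) -> bool:
        """True when the segment matches its known previous state exactly."""
        return not (self.new_hosts or self.missing_hosts
                    or self.opened_ports or self.closed_ports)


def difference_analysis(baseline: Snapshot, current: Snapshot) -> Differences:
    """Compare the current state of a segment against its known previous state.

    Every appearance, disappearance or change is a candidate for follow-up:
    a new host or newly open port may be an unauthorised change, a vanished
    host or port may be an outage. None of this is visible from a single scan.
    """
    diff = Differences()
    for host, ports in current.items():
        if host not in baseline:
            diff.new_hosts[host] = set(ports)
            continue
        opened = set(ports) - set(baseline[host])
        closed = set(baseline[host]) - set(ports)
        if opened:
            diff.opened_ports[host] = opened
        if closed:
            diff.closed_ports[host] = closed
    diff.missing_hosts = sorted(h for h in baseline if h not in current)
    return diff


def format_report(diff: Differences) -> list:
    """One line per finding, suitable for a ticket or a log entry."""
    lines = []
    for host, ports in sorted(diff.new_hosts.items()):
        lines.append(f"NEW HOST {host} listening on {sorted(ports)}")
    for host in diff.missing_hosts:
        lines.append(f"MISSING HOST {host} (in baseline, not seen now)")
    for host, ports in sorted(diff.opened_ports.items()):
        lines.append(f"OPENED {host} ports {sorted(ports)}")
    for host, ports in sorted(diff.closed_ports.items()):
        lines.append(f"CLOSED {host} ports {sorted(ports)}")
    return lines or ["no differences from baseline"]


if __name__ == "__main__":
    for line in format_report(difference_analysis(BASELINE, CURRENT)):
        print(line)
```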

Planning and risk management

The primary objective is accomplished by identifying and planning ongoing information security activities that further reduce risk:

– Establishing a formal information security program review process
– Instituting formal project identification, selection, planning, and management processes
– Coordinating with IT project teams to introduce risk assessment and review for all IT projects
– Integrating a mindset of risk assessment throughout the organization

Large projects should be broken into smaller projects for several reasons

– Smaller projects tend to have more manageable impacts on networks and users

– Larger projects tend to complicate the change control process in the implementation phase

– Shorter planning, development, and implementation schedules reduce uncertainty

Security risk assessments

– A key component for driving security program change is risk assessment (RA).
– RA identifies and documents the risk that a project, process, or action introduces to the organization and offers suggestions for controls.
– The information security group coordinates the preparation of many types of RA documents.



Vulnerability Assessment and Remediation

• Primary goal: identification of specific, documented vulnerabilities and their timely remediation.
• Accomplished by:
– Using vulnerability assessment procedures
– Documenting background information
– Tracking vulnerabilities from the time they are identified
– Reporting on the status of vulnerabilities
– Ensuring that the proper level of management is involved

• Four vulnerability assessment processes can help many organizations balance the intrusiveness of vulnerability assessment with the need for a stable and effective production environment.

1- Penetration testing

– A set of security tests and evaluations that simulate attacks by a malicious external source (hacker).
– Penetration test (pen test): usually performed periodically as part of a full security audit.
– Can be conducted one of two ways: black box or white box.

2- Internet vulnerability assessment

– Designed to find and document vulnerabilities present in an organization’s public network.
– Steps in the process include:
• Planning, scheduling, and notification of penetration testing
• Target selection
• Test selection
• Scanning
• Analysis
• Record keeping

3- Intranet vulnerability assessment

– Designed to find and document the selected vulnerabilities.
– Attackers are often internal members of the organization.
– This assessment is usually performed against critical internal devices.

4- Platform security validation

– Designed to find and document vulnerabilities that may be present because misconfigured systems are in use within the organization.
– These misconfigured systems fail to comply with company policy or standards.

Wireless vulnerability assessment

– Designed to find and document vulnerabilities that may be present in the wireless local area networks of the organization.

Documenting vulnerabilities

– The vulnerability database should provide details about each reported vulnerability.
– Low cost and ease of use.

Remediating vulnerabilities

– The objective is to repair the flaw causing a vulnerability instance.
– It is important to recognize that building relationships with those who control information assets is key to success.
– Success depends on the organization adopting a team approach to remediation.

Acceptance or transference of risk

– In some instances, risk must be either simply acknowledged as part of the organization’s business process or transferred to another organization via insurance.
– Management must be assured that decisions made to accept risk or buy insurance were made by properly informed decision makers.
– Information security must make sure the right people make risk assumption decisions with complete knowledge of the impact of the decision.

Threat removal

– In some circumstances, threats can be removed without repairing the vulnerability.
– Other vulnerabilities may be mitigated by inexpensive controls.

Vulnerability repair

– The best solution in most cases is to repair the vulnerability.
– Applying patch software or implementing a workaround often accomplishes this.
– The most common repair is the application of a software patch.

Readiness and review

The primary goal is to keep the information security program functioning as designed and continuously improving.

Accomplished by:
– Policy review
– Program review
– Rehearsals

Digital Forensics

• Used to document what happened during an attack on assets and how the attack occurred.
• It is based on the field of traditional forensics.

It involves preservation, identification, extraction, documentation, and interpretation of digital media.

Evidentiary material (EM): any item or information that applies to an organization’s legal or policy-based case.

• Used for two key purposes:
1. To investigate allegations of digital malfeasance
2. To perform root-cause analysis

• The organization chooses one of two approaches:

– Protect and forget (patch and proceed): defense of data and the systems that house, use, and transmit it.
– Apprehend and prosecute (pursue and prosecute): identification and apprehension of responsible individuals, with additional attention to collection and preservation of potential EM that might support administrative or criminal prosecution.

Affidavit

– Sworn testimony that certain facts are in the possession of the investigating officer; can be used to request a search warrant.
– It summarizes the facts of the case; the items and the place must be specified.

In digital forensics, all investigations follow the same basic methodology once permission is obtained:

– Identify relevant EM
– Acquire (seize) the evidence without alteration or damage
– Take steps to assure that the evidence is verifiably authentic at every step
– Analyze the data without risking modification or unauthorized access
– Report the findings to the proper authority

Evidentiary Procedures

Strong procedures for handling potential evidentiary material can minimize the probability of
an organization losing a legal challenge.
