Unit 2
SECURITY INVESTIGATION
Business need
Technology need
Any organization will face difficulty in deciding which of the above needs should be
compromised. Business needs should always be given higher priority. Compromising business
needs for the sake of security may hinder the development of the organization.
The primary mission of information security is to ensure that systems and their contents stay
the same. If there were no threats, organizations could focus on improving systems, resulting in
vast improvements in ease of use and usefulness. Attacks on information systems are a daily
occurrence, and the need for information security increases as the sophistication of such
attacks increases.
2. BUSINESS NEEDS
The needs for securing the information asset of an organization are listed below:
Protects the organization’s ability to function
2.2 Information Security
The top-level management is responsible for framing a security policy that is suitable
to the organization's needs.
The measures taken by the management in securing the information will reduce the
occurrence of people-related issues.
All the communities of interest in the organization must understand the importance of
information security and should insist that top management follow a proper security
policy.
The impact of information loss and the cost of the security process must be analyzed
by the management before framing a security policy.
Enabling Safe Operation
Organizations must take great care in creating integrated, efficient, and capable applications.
The environment in which the applications function must safeguard the applications in
all dimensions.
The management is responsible for framing policies and enforcement of decisions that
support the infrastructures of the organization.
The infrastructure may range from e-mail to Instant Messenger (IM) applications.
To avoid this, the people handling any application must be given proper training and
education about the application by experts.
Though the IT department is responsible for handling all data and information, the
management must involve all the departments of the organization in making and
enforcing decisions regarding security.
Protecting Data
Data is the most valuable asset and the most difficult one to secure.
Organizations must ensure proper security for both data in motion and data at rest.
Without data, an organization loses its record of transactions and/or its ability to
deliver value to its customers.
Loss of confidential data may lead to disasters that force the framing of a new security
policy from scratch.
Developing a new security policy after data loss would consume more resources.
Technology assets are costly, and their installation is also very expensive.
Organizations must have secure infrastructure services based on the size and scope
of the enterprise and the technologies they use.
More robust solutions may be needed to replace outdated security programs.
PKI (Public Key Infrastructure) is one of the security measures that safeguard
the data.
3. THREATS
A threat is an object, person, or other entity that represents a constant danger to an
asset.
Management must have a detailed knowledge of the various kinds of threats the
organization would face.
The management must ensure that sufficient protection is given to its information
through framing policy, providing proper education and training to people, and
applying technology controls (replacing outdated technologies with current ones).
A business firm can build more effective security strategies by identifying and
ranking the severity of the potential threats to its efforts to secure information.
The proportion of attacks that came across the Internet rose from 70% in
2001 to 74% in 2002.
The survey details mentioned above clearly show the ignorance of top
management, middle management and employees in securing their information
assets.
Inadvertent acts
Deliberate acts
Acts of God
Technical failures
Management failures
The groups listed above classify threats in a broad sense. The following
categories help an organization identify the threats to be assessed in a more
detailed manner:
Act of Human Error or Failure (accidents, employee mistakes)
Compromises to Intellectual Property (piracy, copyright infringement)
Deliberate Acts of Espionage or Trespass (unauthorized access and/or data
collection)
Deliberate Acts of Information Extortion (blackmail of information disclosure)
Deliberate Acts of Sabotage or Vandalism (destruction of systems or
information)
Deliberate Acts of Theft (illegal confiscation of equipment or information)
Deliberate Software Attacks (viruses, worms, macros, denial of service)
Forces of Nature (fire, flood, earthquake, lightning)
Quality of Service Deviations from Service Providers (power and WAN service
issues)
Technical Hardware Failures or Errors (equipment failure)
Technical Software Failures or Errors (bugs, code problems, unknown
loopholes)
Technological Obsolescence (antiquated or outdated technologies)
Each organization must prioritize the real and present dangers listed above based on
the security situation, strategy and level of exposure.
Threat group 1: Inadvertent acts
The attacker does not have any malicious intent, or the act cannot be proven to fall
into the categories of theft. These acts are termed inadvertent acts. Acts of human error
or failure and deviations in the quality of service from service providers come under
this group.
a) Acts of Human Error or Failure
This includes acts done without malicious intent by an authorized person in the
organization.
Minor mistakes committed by the employees can easily lead to the following:
disclosing classified data
entry of erroneous data
unintentional or accidental deletion or modification of data
storage of data in insecure and unprotected areas
failure to protect information
All of the above threats can easily be prevented by exercising suitable
controls, such as requiring the user to type a critical command twice, making access
procedures more rigorous, and having commands verified by another party.
Communications
Power irregularities
Internet Service Issues
Loss of Internet service can lead to a considerable loss in the availability of information,
since organizations have staff and telecommuters working at remote locations.
Globalization has resulted in work being done at remote sites for the organization.
Non-availability of Internet services may affect the normal functioning of the
organization, since the services performed at the remote site may not be available in time.
When an organization outsources its web servers, the outsourcer assumes
responsibility for:
All Internet Services
The hardware and operating system software used to operate the web
site.
The services rendered by the outsourcer are recorded in a document duly signed by the
outsourcer and the chief of the organization. This document is known as a Service Level
Agreement (SLA). It is an agreement stating the minimum service levels.
SLAs may be in printed form or in electronically signed form.
Deviations in delivering Internet services can easily be tracked using this document, and
legal measures can be taken.
Communications and Other Services
Apart from technical services like internet, other utility services also have a potential
impact on the functioning of the organization.
cleaning service
transportation
Loss of the services mentioned above can render the organization unable to function
properly.
Power Irregularities
Apart from providing an uninterrupted power supply, the quality of the power being supplied
is vital for the efficient functioning of the electrical and electronic equipment used by the
organization.
Fluctuations in voltage levels can harm all the equipment in the organization and
may cause permanent damage to machinery and equipment.
The following classifications are made based on whether the voltage level increases,
decreases, or ceases:
spike – momentary increase
surge – prolonged increase
sag – momentary low voltage
brownout – prolonged drop
fault – momentary loss of power
blackout – prolonged loss
The electronic and electrical equipment susceptible to voltage fluctuations must be
given proper voltage regulating controls to manage power quality.
Threat group 2: Deliberate acts
The activities by the people or organization to engage in purposeful acts to harm the
organization will come under deliberate acts.
a) Acts of Espionage/Trespass
Espionage literally means the activity of spying on a person's activities and then
using the stolen information to the advantage of the spy.
In terms of information security espionage is defined as human or electronic
activities that breach the confidentiality of an organization’s information.
Expert hacker
a. A hacker who develops software scripts and code to exploit an
organization's information assets is termed an expert hacker.
b. He/she is usually a master of many skills.
c. He will often create applications that attack the software owned by
the organization and will share the confidential, disclosed
information with others.
Script kiddies (Unskilled Hackers)
a. A hacker with limited skill who does not develop any strategy for
hacking but uses expert-written software or strategies to exploit
an organization's information system.
b. They do not possess detailed knowledge about the system but will
attempt to hack the system.
Apart from the rule breakers mentioned above, the following types of intruders are also
common in the modern world:
Cracker - An individual who "cracks" or removes the protective mechanism
that is designed to prevent unauthorized duplication. He paves the way for the
hacker to access the system by breaking the protection mechanism.
Phreaker - An individual who hacks the public telephone network and gains
information from the communication.
Hackers could also be classified into two broad categories based on their profiles:
Traditional hacker profile - The hacker is within the age range of 13-18,
almost always male, with limited supervision, and spends all his leisure time on
the system.
Modern hacker profile - The hacker is within the age range of 12-60, with an
unknown background. He may possess good technical skills and may be
located internal or external to the organization.
The most common form of extortion involves credit card number theft.
The attacker may demand monetary benefits from the owner or may seek any other
favor in return for the non-use of the stolen information.
This type of threat is a criminal offense and governments have framed laws against
this form of information theft.
c) Deliberate Acts of Sabotage (damaging machines) or Vandalism
The attacker could damage either the physical components of the organization like
machineries or they could spoil the reputation of the organization.
These threats can range from petty vandalism to organized sabotage that is
pre-planned.
The damage to the image of the organizations can lead to losing consumer
confidence and sales thereby affecting the business.
The value of information suffers when it is copied and taken away without the
owner’s knowledge.
Physical theft can be controlled by a wide variety of control measures, from
locked doors to guards or alarm systems.
Electronic theft is a more complex problem to manage and control, such that
organizations may not even know that it has occurred.
Intellectual theft is even more complex to detect. It’s very difficult to protect the
intellectual properties.
Software attacks are very hard to detect and the control measures taken to prevent
this type of attack must be updated periodically.
Intellectual property is defined as the ownership of ideas and control over the
tangible or virtual representation of those ideas.
Forces of nature or acts of God are dangerous because they are unexpected and
occur with very little warning.
They disrupt not only the lives of individuals, but also the storage, transmission,
and use of information and all devices associated with information.
It is not possible to avoid many of these threats. But management must implement
controls to limit the damage and also prepare contingency plans for continued
operations even after the occurrence of these natural disasters.
These defects can cause the system to perform outside its expected parameters,
resulting in unreliable service or lack of availability.
Some errors are terminal, i.e., they result in the unrecoverable loss of the
equipment.
Some errors are intermittent, i.e., they only periodically manifest themselves,
resulting in faults that are not easily reproduced.
b) Technical software failures or errors
This category of threats comes from purchasing software with unrevealed faults.
Large quantities of computer code are written, debugged, published, and sold. Not
all bugs in that code have been resolved.
The faults may range from bugs to total failure of the software.
Sometimes these items cannot be termed errors; they may be purposeful
shortcuts left by the programmers for honest or dishonest reasons.
Threat group 5: Management Failures
a) Technological Obsolescence
2. Malicious insiders
3. Exploited vulnerabilities
4. Careless employees
5. Mobile devices
6. Social networking
7. Social Engineering
8. Zero-day exploits - Zero-day exploits are when an attacker can compromise a
system based on a known vulnerability but no patch or fix exists, and they have
become a very serious threat to information security.
9. Cloud computing security threats
10. Cyber espionage
Spies
Non-professional hackers
Activists
Nation-state intelligence services (e.g., counterparts to the CIA, etc.)
Malware (virus/worm/etc.) authors
The following are the major types of attacks:
Malicious code
Hoaxes
Back doors
Password crack
Brute force
Dictionary
Denial of Service (DoS) or Distributed Denial of Service (DDoS)
Spoofing
Man-in-the-middle attack
Mail bombing
Spam
Social engineering
Sniffers
Timing attack
Buffer overflow
a) Malicious code
This kind of attack includes the execution of viruses, worms, Trojan horses, and active
web scripts with the intent to destroy or steal information.
The state of the art in attacking systems in the year 2002 was the multi-vector worm,
using up to six attack vectors to exploit a variety of vulnerabilities in commonly found
information system devices.
There are six categories of malicious code:
IP Scan and Attack - The infected system scans a range of IP addresses and finds
vulnerable systems as targets for attack.
Web browsing - If the infected system has write access to web pages, it
will make all the web content infectious.
Virus - The infected system will infect the executable and script files of all
systems in the network.
Shares - It first detects the various vulnerabilities in the file system and copies
the viral content to all reachable locations.
Mass mail - Sending e-mails to all the addresses found in the address book of the
infected system.
Simple Network Management Protocol (SNMP) - Exploiting
vulnerabilities in the SNMP protocol.
b) Hoaxes
A hoax is an indirect approach to attacking computer systems, i.e., the transmission of
a virus hoax with a real virus attached to it.
A hoax will look like a legitimate message, but the attack will be hidden or masked.
These viruses are then sent to the addresses in the user's e-mail address book, thus
infecting many users along the way.
c) Backdoors
An attacker can gain access to a system or network resource through a backdoor,
using a known or previously unknown and newly discovered access mechanism of
the system.
The backdoors are unknowingly set by the maintenance staff or system engineers.
This type of attack is very hard to find since the same programmer who has
devised the logic of the system will try to attack the system through the trap doors
or back doors he has previously set up.
d) Password crack
Password cracking is the attempt to reverse-calculate a password.
All passwords could be cracked if a copy of the Security Account Manager (SAM)
file is obtained.
The SAM file contains the users' passwords in hashed form. The same algorithm that
is used to hash the password could reverse hash the password.
e) Brute force
This type of attack is more prevalent in systems that rely only on the security measures
recommended by the manufacturers.
To prevent this attack, the number of password attempts a user is allowed must be
limited to a small number.
f) Dictionary
The dictionary password attack narrows the field by selecting specific accounts to
attack and uses a list of commonly used passwords (the dictionary) to guide
guesses.
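The two controls these sections call for, rejecting passwords found in a common-password dictionary and limiting the number of password attempts, worked through as an added example (not code from the original text). The common-password set, the 15-minute lockout and the PBKDF2 storage format are assumptions chosen for the illustration:

```python
import hashlib
import hmac
import os
import time

# Constructed "dictionary" of commonly used passwords; a real deployment would load
# a much larger list (assumption: a small inline set is enough to show the check).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin123"}

MAX_FAILED_ATTEMPTS = 3        # the "small number" of attempts the text recommends
LOCKOUT_SECONDS = 15 * 60      # assumed lockout period once the limit is reached
PBKDF2_ITERATIONS = 100_000    # a slow hash raises the cost of every offline guess


def is_weak_password(password):
    """True if the password is in the common-password list or too short to resist guessing."""
    return password.lower() in COMMON_PASSWORDS or len(password) < 12


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256.

    Only the salt and digest are stored; a login attempt is checked by
    re-hashing the candidate with the same salt and comparing digests.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class CredentialStore:
    """Minimal account store with dictionary-password rejection and lockout."""

    def __init__(self, now=time.time):
        self._now = now     # injectable clock so the lockout can be tested deterministically
        self._users = {}    # username -> {"salt", "digest", "failures", "locked_until"}

    def register(self, username, password):
        if is_weak_password(password):
            raise ValueError("password is in the common-password list or too short")
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest,
                                 "failures": 0, "locked_until": 0.0}

    def login(self, username, password):
        """Return 'ok', 'bad' or 'locked'.

        After MAX_FAILED_ATTEMPTS wrong passwords the account is locked for
        LOCKOUT_SECONDS; even the correct password is refused during that time,
        which is what bounds an online brute-force or dictionary attack.
        """
        rec = self._users.get(username)
        if rec is None:
            # Do the same hashing work for unknown users so the response time
            # does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return "bad"
        now = self._now()
        if now < rec["locked_until"]:
            return "locked"
        _, candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
        return "bad"


def demo_lockout():
    """Walk one account through three wrong guesses, the lockout, and recovery.

    Returns the list of login results so the behaviour can be checked.
    """
    clock = [1_000_000.0]                      # fake clock, advanced by hand
    store = CredentialStore(now=lambda: clock[0])
    store.register("alice", "correct-horse-battery-staple")
    results = [store.login("alice", guess) for guess in ("password", "qwerty", "letmein")]
    results.append(store.login("alice", "correct-horse-battery-staple"))  # refused: locked
    clock[0] += LOCKOUT_SECONDS + 1                                        # wait out the lockout
    results.append(store.login("alice", "correct-horse-battery-staple"))  # accepted
    return results


if __name__ == "__main__":
    print(demo_lockout())
```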
A preparation phase occurs in a DDoS attack, in which thousands of systems
are compromised. Those compromised systems become zombies.
Systems that render services with TCP as the underlying protocol are more
prone to DDoS attacks.
This technique is used to gain unauthorized access. The intruder sends messages to
a computer with an IP address indicating that the message is coming from a trusted
host.
The intruder changes the IP address in the packet header to make the packet
appear legitimate.
Firewalls and routers are among the protection mechanisms against IP
spoofing.
Figure 7: IP Spoofing
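How a firewall or router can reject spoofed packets, as an added example that is not part of the original text: it reads the source address out of a raw IPv4 header (the field the text says the intruder rewrites) and drops packets whose claimed source could not legitimately arrive on that interface. The address plan and the sample headers are constructed for the illustration.

```python
import ipaddress
import struct

# Constructed address plan for an example organization (an assumption, not from the text):
# these prefixes are used inside the network and must never appear as the source of a
# packet arriving from the Internet.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Sources that are never valid from outside (the "this" network, loopback, link-local).
NEVER_EXTERNAL = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def source_ip_from_ipv4_header(header):
    """Extract the source address from a raw IPv4 header (the field a spoofer rewrites)."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    if header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    # ver/IHL, TOS, total length, id, flags/fragment, TTL, protocol, checksum, src, dst
    fields = struct.unpack("!BBHHHBBH4s4s", header[:20])
    return str(ipaddress.IPv4Address(fields[8]))


def filter_decision(interface, src_ip):
    """Return 'accept' or 'drop' for a packet with this source seen on this interface.

    external: an internal or never-routable source cannot legitimately come from the
              Internet, so the packet is treated as spoofed (ingress filtering).
    internal: only the organization's own addresses may leave, so inside hosts cannot
              impersonate others (egress filtering).
    """
    src = ipaddress.ip_address(src_ip)
    is_internal = any(src in net for net in INTERNAL_NETWORKS)
    is_bogon = any(src in net for net in NEVER_EXTERNAL)
    if interface == "external":
        return "drop" if (is_internal or is_bogon) else "accept"
    if interface == "internal":
        return "accept" if is_internal else "drop"
    return "drop"   # unknown interface: fail closed


def audit_headers(interface, headers):
    """Apply the filter to raw headers; returns [(src_ip, decision), ...]."""
    return [(ip, filter_decision(interface, ip))
            for ip in (source_ip_from_ipv4_header(h) for h in headers)]


# Constructed 20-byte IPv4 headers (checksum left zero; only the address fields matter here).
_COMMON = b"\x45\x00\x00\x14\x00\x00\x00\x00\x40\x06\x00\x00"
SAMPLE_HEADERS = [
    _COMMON + bytes([203, 0, 113, 7]) + bytes([10, 0, 0, 5]),    # genuine external client
    _COMMON + bytes([192, 168, 1, 10]) + bytes([10, 0, 0, 5]),   # claims an inside address
    _COMMON + bytes([127, 0, 0, 1]) + bytes([10, 0, 0, 5]),      # claims loopback
]

if __name__ == "__main__":
    for src, decision in audit_headers("external", SAMPLE_HEADERS):
        print(f"{src:>15}  {decision}")
```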
i) Man-in-middle
When an attacker sniffs packets from the network, modifies them, and inserts them back
into the network without the knowledge of either the sender or the receiver, it is called a
man-in-the-middle attack. This is otherwise known as a TCP hijacking attack.
The attacker can change, delete, reroute, add, forge or divert the data sent.
To enter into the communicating network, the attacker uses IP spoofing to gain a
valid IP address.
In TCP hijacking, the attacker may intercept even the keys exchanged and thus use
the key to decrypt the information.
Spam is considered more a nuisance that overloads our mail than an attack.
But it may open the door to some types of attacks.
k) Mail bombing
In this type of attack, the attacker routes a large number of e-mails to the target and
floods the inbox.
This type of attack can be carried out by exploiting vulnerabilities in the network,
such as flaws in SMTP.
The mails reaching the target systems will have forged header data that cannot
be detected by poorly configured firewalls.
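Detecting the flood described above on the receiving side, as an added example that is not from the original text: a per-recipient sliding window over mail-server delivery records flags a mailbox once more than a threshold of messages arrive within a minute, and reports how many distinct (possibly forged) senders were involved. The log format, the sample lines, and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed delivery log in a simple "timestamp from=<> to=<> size=" format (an assumption;
# real mail servers log differently). Lines are assumed to be in chronological order.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 from=<news@example.org> to=<alice@corp.example> size=2048",
] + [
    # a burst of 12 messages in 11 seconds to one mailbox, each with a different
    # (forged) sender, which is the mail-bombing pattern described in the text
    f"2024-05-01T10:00:{i:02d} from=<bot{i}@bulk{i}.example> to=<ceo@corp.example> size=900"
    for i in range(12)
] + [
    "2024-05-01T10:00:30 from=<bob@partner.example> to=<alice@corp.example> size=512",
    "2024-05-01T10:02:00 from=<hr@corp.example> to=<alice@corp.example> size=1024",
    "this line is not in the expected format and is skipped",
]

LINE_RE = re.compile(r"^(\S+) from=<([^>]*)> to=<([^>]*)> size=(\d+)$")


def parse_line(line):
    """Return (timestamp, sender, recipient, size) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def detect_mail_floods(lines, window_seconds=60, threshold=10):
    """Flag recipients that receive more than `threshold` messages in any `window_seconds` window.

    Keeps one sliding window per recipient. Returns {recipient: {"at": ISO timestamp of
    the message that tipped the count over the threshold, "distinct_senders": number of
    different sender addresses inside the window at that moment}}.
    """
    windows = defaultdict(deque)   # recipient -> deque of (timestamp, sender) inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # unparseable line: skip rather than crash the detector
        ts, sender, rcpt, _size = parsed
        q = windows[rcpt]
        q.append((ts, sender))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()             # expire messages older than the window
        if len(q) > threshold and rcpt not in alerts:
            alerts[rcpt] = {"at": ts.isoformat(),
                            "distinct_senders": len({s for _, s in q})}
    return alerts


if __name__ == "__main__":
    for rcpt, info in detect_mail_floods(SAMPLE_LOG).items():
        print(f"flood to {rcpt} at {info['at']} from {info['distinct_senders']} senders")
```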
l) Sniffers
A program and/or device that can monitor data traveling over a network is called a
sniffer.
Sniffers can be used both for legitimate network management functions and for
stealing information from a network.
When sniffers are used on TCP networks, they are termed packet sniffers.
It is very tedious to detect a sniffer program that has invaded a network, because it
could be inserted anywhere in the network.
When sniffers are present in a locally connected network, like the intranet of an
organization, the vulnerability to the attack doubles, since the data
travelling on a local connection is in clear text, not encrypted.
Some of this data may be sensitive information such as passwords.
m) Social Engineering
The process of using social skills to convince people to reveal access credentials or
other valuable information to the attacker is called social engineering.
As mentioned earlier, people are the weakest link of an organization.
Invaders may exploit the organizational structure and try to get information from the
employees.
Kevin Mitnick served several years in a federal prison. Upon his release, he opened
his own consulting firm, advising companies on how to deter people like him.
n) Buffer overflow
This is actually an application error that occurs when more data is sent to a buffer than
it can hold.
When the buffer overflows, the attacker can make the target system execute
instructions, or the attacker can take advantage of some other unintended consequence
of the failure to obtain information.
This buffer overflow can sometimes result in a denial-of-service attack: when the
buffer overflow occurs, the system may restart.
Another way of obtaining information through a buffer overflow is for the attacker to gain
control over the system as a legitimate user.
o) Timing Attack
This type of attack works by exploring the web browser's cache memory.
In this type of attack, the attacker creates a malicious cookie in a web page that
collects information about visitors and stores it.
This is a common phenomenon on password-protected sites.
Another form of this attack is attempting to intercept cryptographic elements to determine
keys and encryption algorithms.
The information security professionals must be aware of the various laws and
legislation that could be enforced within the scope of the organization's legal and
ethical boundaries.
A clear knowledge about the laws will reduce the risks and losses faced by the
organization.
Proper education should be given by the top management to all the employees
handling information to keep the organization focused towards legal aids in securing
the information.
Laws and Ethics in Information Security
There are primary differences between laws and ethics.
Laws are rules adopted for determining expected behavior and violation of which will
be an offense.
Ethics are defined as socially acceptable behaviors, the violation of which is not an
offense but will cause damage to the person's reputation.
Ethics in turn are based on culture. Ethics in one culture may not be acceptable in
another culture. They are more of fixed moral attitudes or customs of a particular
group.
But certain actions like theft, murder, assault are considered as unethical and illegal
acts universally.
Types of Law
There are five major types of laws as listed below:
Civil law
Criminal law
Tort law
Private law
Public law
Civil law - These are large volumes of recorded laws to be followed by all citizens of
the country. They also keep a check on individuals who violate their duties
towards the country, such as payment of tax.
Criminal law - These laws handle actions that are harmful to society. These laws
are exercised by the state. Example: laws against murder.
Tort law - These laws help individuals when they are affected personally, physically
or financially by other persons. They can obtain recourse against any individual. In
tort law, evidence is brought by the persons, not by the state as in criminal law.
Example: laws against damaging the reputation of an organization.
Private law - These laws regulate the relationships between individuals and
organizations: family laws, commercial and labor laws. Example: laws related to
provident funds.
Public law - These laws regulate the structure and administration of governmental
agencies and their relationships with citizens, employees and other governments.
Example: Right to Information Act.
Relevant U.S. laws
United States is seen as a leader in the development of Information Security. So it has
many legal checks over information threat.
General Computer Crime Laws
The Computer Fraud and Abuse Act of 1986 (CFA Act) - This contains many
computer-related federal laws and enforcement efforts.
U.S.A. Patriot Act of 2001 - This act deals with electronic technology. Its reach
extends to actions taken to combat terrorist activities.
Communications Decency Act (CDA) - This law is framed to inculcate decency in the
transmission of electronic media.
Computer Security Act of 1987 - This attempts to protect federal computer
systems by establishing minimal security practices.
Privacy of Customer Information
The organizations collect information from the persons directly, or from separate
sources, or by merging some other information.
The U.S. legal code underlines the responsibilities of protecting the privacy of
information by the organizations that process or move data for hire.
The Privacy of Customer Information section places a check on the usage of
customer information for marketing purposes, and information carriers shall not
disclose the information while rendering services.
Aggregate information is created by combining pieces of data that are not considered
private in themselves but, when combined, may raise a privacy issue. This is
a common activity of cookies placed in web pages.
The Federal Privacy Act of 1974 emphasizes the government's duty to protect the
individual's privacy.
It is the government's duty to protect the privacy of individuals' and businesses'
information and to hold agencies responsible if any part of the information is
released without permission of the owner.
However, the following agencies are exempted from some of the regulations to perform
some of their administrative duties:
Bureau of the Census
National Archives and Records Administration
Congress
Comptroller General
Court orders
Credit agencies
Information to be used to protect the health or safety of the individual
The Health Insurance Portability & Accountability Act Of 1996 (HIPAA) also known
as the Kennedy-Kassebaum Act protects the confidentiality and security of health-care
data.
It enforces many standards and standardizes the exchange of electronic data. All
health-care organizations fall under HIPAA.
Through these standards, patients have the right to know who has access to their
information and who has accessed their private information without their consent.
Health-care organizations must frame policies and procedures to maintain
information security.
HIPAA assesses organizations on the information security systems, policies and
procedures they follow.
HIPAA provides guidelines for the usage of electronic signatures to ensure message
integrity, user authentication and non-repudiation, and also restricts the dissemination
and distribution of health data in any form without proper documented consent.
HIPAA has implemented the following five fundamental principles to cope with
the changes and advancement in technology:
The customer has the sole control of their medical information.
HIPAA fixes the boundaries on the use of medical information.
The health care agencies are accountable for the privacy of information.
Balance of public responsibility for the use of medical information for a greater
good measured against the impact of disclosure of information.
Security of health related information.
This act gives the customer the right to protect their information from reaching the
third parties without their knowledge.
Also this act paves way for the customers to get a detailed knowledge about the
privacy policies of the financial organizations they are dealing with.
Export and Espionage Laws
These laws address the theft of information and impose penalties in case of any theft.
They are focused on the protection of national security, trade secrets and a variety of
other assets.
The Economic Espionage Act (EEA) of 1996 prevents the illegal sharing of trade
secrets.
This law was passed by the Congress to protect the American ingenuity and
Intellectual property.
The Security and Freedom through Encryption Act of 1999 provides guidance to the
usage of encryption techniques and also prevents the intervention of government in the
encryption activities.
U.S. copyright law extends intellectual property rights to all published
works, including those in electronic format.
The copyrighted materials could be used only to support news reporting, teaching,
scholarship or any other educational purposes.
With proper permission from the author, it is totally fair to use a part of someone’s
work as reference.
This act gives any individual the right to request access to federal agency
records (if the records requested do not deal with national security).
The federal agency must disclose the requested information only on written request.
This law is not applicable to local government agencies, private individuals or businesses.
The above mentioned laws are practiced in national and international levels.
Apart from those laws each state or locality may have a number of other laws and
regulations that supports information security.
A number of different security bodies and laws are available to secure privacy of
information.
But the political complexities between nations and cultural differences make the majority
of the laws ineffective.
The laws are discussed below, but these laws cannot be enforced to their maximum.
This creates an international task force to keep a check over the security in internet
activities and standardize cross cultural technology laws.
Opponents of this law feel that it could favor the interests of national
agencies over the rights of businesses, organizations and individuals.
This was framed to reduce the impact of copyright, trademark and privacy
infringement.
The above mentioned right was implemented by the United Nations in the name of
Database Right.
United Nations Charter
A few operations of early information warfare are jamming, intercepting and spoofing
during periods of war.
Ignorance of policy is acceptable, but ignorance of law cannot be used as a defense
when an individual is found guilty of any activity against the law.
Cultural differences always cause problems when demarcating what is ethical and
what is unethical behavior.
It is very common that ethical behavior in one nation is considered unethical in
another nation.
This is possible only by framing proper policies, providing education and training and
usage of technology in protecting the assets.
The following are the three categories of unethical and illegal behavior:
1. Ignorance:
Ignorance of policies and procedures is excused, but ignorance of
laws is not excused.
The only way to eliminate ignorance is education.
Education could be accomplished through design, publication,
dissemination and agreement to organizational policy and laws.
Continuous awareness is brought by reminders, training and
awareness programs.
2. Accident
Authorized individuals may cause harm or damage information
accidentally.
This can be avoided by exercising proper controls that prevent
accidental modification to systems and data.
3. Intent
Intended activities are liable to legal action whether or not the crime
is performed through ignorance, accident or specific intent.
This cannot be avoided but can be fought through litigation,
prosecution and other technical measures.
Deterrence
Laws, policies and other technical controls are the various ways of implementing
deterrence.
However, laws, policies and all other penalties will deter only if the
following conditions are present:
1. Fear of Penalty
The individuals wishing to commit the unethical activity must fear the penalty
being imposed on them.
The individuals must always know that when they commit a criminal activity
there is a strong likelihood that they will be caught.
The severity of penalties and other countermeasures will go to waste if there is
no deterrent effect on the individuals who commit criminal activity.
The individuals committing the criminal activity must be aware of the fact that
they will be caught, brought before the law, and will receive
the penalty.
Security professionals must act ethically according to the policies and procedures
of their employers, their professional organizations, and the laws of society.
Individuals caught violating the code of conduct should be penalized with the loss
of accreditation or certification, which would reduce the individual's marketability and
earning power in future.
1. Association for Computing Machinery (ACM)
The ACM was formed in 1947 and is one of the most respected professional societies.
This society strongly promotes education and provides discounts for student members
to foster their technical development.
ACM’s code of ethics requires members to perform their duties in a manner
befitting an ethical computing professional.
Its code contains references to protecting the confidentiality of information, causing no
harm or damage to information (for example through viruses), protecting privacy and respecting
intellectual property rights.
“Communications of the ACM” is a well known professional computing
publication.
2. International Information Systems Security Certification Consortium, Inc. ((ISC)²)
(ISC)² is a non-profit organization that focuses on the development of security certifications
rather than acting as a professional organization rendering membership services.
It contains a body that administers and examines the certifications for information
security.
Currently two professional certifications are issued by (ISC)². They
are:
Certified Information Systems Security Professional (CISSP)
Systems Security Certified Professional (SSCP)
Individuals who have received certification from (ISC)² are expected to follow the
code of ethics put forth by it.
The four major clauses in their code of ethics are:
Protect society, the commonwealth and the infrastructure.
Act honorably, justly, responsibly, and legally.
Provide diligent and competent service.
Advance and protect the profession.
(ISC)² relies on the ethical and trustworthy nature of information
security professionals as the guardians of the information they handle.
3. System Administration, Networking and Security Institute (SANS)
The GIAC Security Engineer (GSE) certification combines several of the individual GIAC certifications.
Individuals seeking any of these certifications must complete a practical
assignment that demonstrates their abilities and skills.
This association focuses on auditing, control and security.
Membership in this association requires both technical and managerial skills, and
the association provides IT control practices and standards.
This organization provides information and certification to support computer, networking and
information security professionals.
It is well known in the industry for its annual computer threat survey,
which is conducted in cooperation with the FBI.
It provides a wide range of technical training classes in the areas of Internet security,
intrusion management, network security, forensics and technical networking.
6. Information Systems Security Association (ISSA)
ISSA also has a code of ethics, which includes “promoting management practices that will
ensure the confidentiality, integrity, and availability of organizational
information resources”.
7. Internet Society (ISOC)
Initially global membership was free, but this proved ineffective. Several subsidiary ISOC
organizations actively review and promote Internet issues.
The Internet Engineering Task Force (IETF) is one of these; its members come
from the computing, networking and telecommunication industries.
The IETF is primarily responsible for the technical foundations of the Internet and its standards.
Reviews of these standards are published as Requests for Comments (RFCs).
RFCs contain much of the information relevant to the development of protocols for the Internet
and related technologies.
8. Computer Security Division (CSD)
The CSD belongs to the National Institute of Standards and Technology (NIST) and maintains a resource center
called the Computer Security Resource Center (CSRC).
9. CERT Coordination Center (CERT/CC)
CERT/CC analyses security issues and publishes alerts to the computing
community regarding threats to information security.
It acts as a research center and also as an outside consultant on incident response
plans and other security practices.
10. Computer Professionals for Social Responsibility (CPSR)
CPSR is a public organization whose members are people with a strong concern for the
social effects of computing.
It informs the public, private policy makers and lawmakers in this field.
Key U.S. Federal Agencies
This agency also plays a vital role in educating, training and providing information to the public
regarding information security.
The National InfraGard Program was launched to combat cyber and physical threats.
The National Security Agency (NSA) is the agency responsible for signals intelligence and
information systems security.
The U.S. Secret Service is responsible for detecting and taking action against
individuals who engage in computer fraud and false identification crimes.
Liability for a wrongful act includes the obligation to compensate for the wrong.
When an employee of an organization performs an illegal activity that causes harm,
the organization can be held financially liable for that act.
Due care means that the organization has made sure its employees know what constitutes acceptable and
unacceptable behavior and the consequences of legal and illegal actions.
Due diligence means that the organization makes a valid effort to protect others and
continually maintains that level of effort.
Jurisdiction is a court’s right to hear a case. The term long arm jurisdiction
signifies that the reach of the law extends throughout
the entire state or territory to draw an accused individual into its court system.
REVIEW QUESTIONS
PART – A
1. What is an attack?
2. What is hacking?
3. What is a security blueprint?
4. Define e-mail spoofing.
5. What are the four important functions, the information security performs in an
organization?
6. What are the different categories of threat? Give Examples.
7. What are different acts of Human error or failure?
8. How human error can be prevented?
9. What is Intellectual property?
10. How Intellectual property can be protected?
11. What are deliberate acts of espionage or trespass?
12. Who are Hackers? What are the two hacker levels?
13. What is information extortion?
14. What are deliberate acts of sabotage and vandalism?
15. What is Cyber terrorism?
16. What are the deliberate acts of theft?
17. What are deliberate software attacks?
18. What are the forces of Nature affecting information security?
19. What are technical hardware failures or errors?
20. What are technical software failures or errors?