Module II Notes


MODULE - II - THE NEED FOR SECURITY

2.1 NEED FOR SECURITY

The purpose of information security management is to ensure business continuity and reduce business damage by preventing and minimizing the impact of security incidents. The Audit Commission Update report (1998) shows that fraud or cases of IT abuse often occur due to the absence of basic controls, with one half of all detected frauds found by accident. An Information Security Management System (ISMS) enables information to be shared, whilst ensuring the protection of information and computing assets.

At the most practical level, securing the information on your computer means:

• Ensuring that your information remains confidential and that only those who should access that information can.

• Knowing that no one has been able to change your information, so you can depend on its accuracy (information integrity).

• Making sure that your information is available when you need it (by making back-up copies and, if appropriate, storing the back-up copies off-site).

2.2 BUSINESS NEEDS FIRST

Information security performs four important functions for an organization:

1. Protects the organization’s ability to function

2. Enables the safe operation of applications implemented on the organization’s IT systems.

3. Protects the data the organization collects and uses.

4. Safeguards the technology assets in use at the organization.

1. Protecting the functionality of an organization

• Decision makers in organizations must set policy and operate their organizations in compliance with the complex, shifting legislation that controls the use of technology.

2. Enabling the safe operation of applications

• Organizations are under immense pressure to acquire and operate integrated, efficient, and capable applications.

1 DEPARTMENT OF CSE
• The modern organization needs to create an environment that safeguards applications using the organization’s IT systems, particularly those applications that serve as important elements of the infrastructure of the organization.

3. Protecting data that organizations collect & use

• Protecting data in motion
• Protecting data at rest
• Both are critical aspects of information security.
• The value of data motivates attackers to steal, sabotage, or corrupt it.
• Protecting the integrity and value of the organization’s data is essential.

4. Safeguarding technology assets in organizations

• Organizations must add secure infrastructure services based on the size and scope of the enterprise.
• Organizational growth could lead to the need for a public key infrastructure (PKI), an integrated system of software and encryption methodologies.

2.3 THREATS

To protect an organization’s information, you must

1. Know yourself

i.e., be familiar with the information to be protected, and the systems that store, transport and process it.

2. Know the threats you face

To make sound decisions about information security, management must be informed about the various threats facing the organization, its applications, data and information systems.

A threat is an object, person, or other entity that represents a constant danger to an asset.

2.3.1 Threats to Information Security

Category of threat -- Examples

Acts of human error or failure -- Accidents, employee mistakes
Compromises to intellectual property -- Piracy, copyright infringement
Deliberate acts of espionage or trespass -- Unauthorized access and/or data collection
Deliberate acts of information extortion -- Blackmail or information disclosure
Deliberate acts of sabotage or vandalism -- Destruction of systems or information
Deliberate acts of theft -- Illegal confiscation of equipment or information
Deliberate software attacks -- Viruses, worms, macros, denial-of-service
Forces of nature -- Fire, flood, earthquake, lightning
Deviations in quality of service -- ISP, power, or WAN service providers
Technical hardware failures or errors -- Equipment failure
Technical software failures or errors -- Bugs, code problems, unknown loopholes
Technological obsolescence -- Antiquated or outdated technologies

2.3.2 Threats

1. Acts of Human Error or Failure:

• Acts performed without intent or malicious purpose by an authorized user.
• Caused by inexperience, improper training, or the making of incorrect assumptions.

One of the greatest threats to an organization’s information security is the organization’s own employees.

• Entry of erroneous data
• Accidental deletion or modification of data
• Storage of data in unprotected areas.

• Failure to protect information can be prevented with

- Training
- Ongoing awareness activities
- Verification by a second party
- Many military applications have robust, dual-approval controls built in.

2. Compromises to Intellectual Property

• Intellectual property is defined as the ownership of ideas and control over the tangible or virtual representation of those ideas.
• Intellectual property includes trade secrets, copyrights, trademarks, and patents.
• Once intellectual property has been defined and properly identified, breaches to IP constitute a threat to the security of this information.
• Organizations purchase or lease the IP of other organizations.
• The most common IP breach is the unlawful use or duplication of software-based intellectual property, more commonly known as software piracy.
• Software piracy affects the world economy.
• The U.S. provides approximately 80% of the world’s software.

In addition to the laws surrounding software piracy, two watchdog organizations investigate allegations of software abuse.

1. Software and Information Industry Association (SIIA), i.e., the Software Publishers Association

2. Business Software Alliance (BSA)

• Another effort to combat (take action against) piracy is the online registration process.

3. Deliberate Acts of Espionage or Trespass

• Electronic and human activities that can breach the confidentiality of information.
• When an unauthorized individual gains access to the information an organization is trying to protect, it is categorized as an act of espionage or trespass.
• Attackers can use many different methods to access the information stored in an information system.

1. Competitive intelligence [use a web browser to get information from market research]

2. Industrial espionage (spying)

3. Shoulder surfing (ATM)

Trespass

• Can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
• Sound principles of authentication & authorization can help organizations protect valuable information and systems.
• Hackers -> “People who use and create computer software to gain access to information illegally”
• There are generally two skill levels among hackers.
• Expert hackers -> Masters of several programming languages, networking protocols, and operating systems.
• Unskilled hackers

4. Deliberate Acts of Information Extortion (obtain by force or threat)

• Possibility of an attacker or trusted insider stealing information from a computer system and demanding compensation for its return or for an agreement not to disclose the information.

5. Deliberate Acts of Sabotage or Vandalism

• Destroy an asset or
• Damage the image of the organization
• Cyber terrorism - Cyber terrorists hack systems to conduct terrorist activities through network or Internet pathways.

6. Deliberate Acts of Theft

• Illegal taking of another’s property -- is a constant problem.
• Within an organization, property can be physical, electronic, or intellectual.
• Physical theft can be controlled by the installation of alarm systems.
• Trained security professionals.
• Electronic theft control is under research.

7. Deliberate Software Attacks

• Because of malicious code or malicious software, sometimes called malware.
• These software components are designed to damage, destroy or deny service to the target system.
• More common instances are
• Viruses, worms, Trojan horses, logic bombs, backdoors.
• The British Internet Service Provider Cloudnine is said to be the first business “hacked out of existence”.

7.1 Virus

• Segments of code that perform malicious actions.
• Viruses are commonly transmitted when e-mail attachment files are opened.
• Macro virus -> Embedded in automatically executing macro code common in word processors, spreadsheets and database applications.
• Boot virus -> Infects the key operating files located in the computer’s boot sector.

7.2 Worms

• A worm is a malicious program that replicates itself constantly, without requiring another program to provide a safe environment for replication.
• Worms can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth.
• E.g.: MS-Blaster, MyDoom, Netsky are multifaceted attack worms.
• Once the worm has infected a computer, it can redistribute itself to all e-mail addresses found on the infected system.
• Furthermore, a worm can deposit copies of itself onto all Web servers that the infected systems can reach, so that users who subsequently visit those sites become infected.

7.3 Trojan Horses

• Are software programs that hide their true nature and reveal their designed behavior only when activated.

Figure 7.3. Trojan horse attack: (1) Trojan horse arrives via e-mail or software such as free games. (2) Trojan horse is activated when the software or attachment is executed. (3) Trojan horse releases its payload, monitors computer activity, installs a back door, or transmits information to the hacker.

7.4 Back Door or Trap Door

• A virus or worm has a payload that installs a backdoor or trapdoor component in a system, which allows the attacker to access the system at will with special privileges.

E.g.: Back Orifice

Polymorphism

• A polymorphic threat is one that changes its apparent shape over time, making it undetectable by techniques that look for preconfigured signatures.
• These viruses and worms actually evolve, changing their size and appearance to elude detection by antivirus software programs.
7.5 Virus & Worm Hoaxes

Types of Trojans

• Data-sending Trojans
• Proxy Trojans
• FTP Trojans
• Security software disabler Trojans
• Denial-of-service attack Trojans (DoS)

Virus

• A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.

Worm

• A program or algorithm that replicates itself over a computer network and usually performs malicious actions.

Trojan Horse

• A destructive program that masquerades as a benign application; unlike viruses, Trojan horses do not replicate themselves.

Blended threat

• Blended threats combine the characteristics of viruses, worms, Trojan horses & malicious code with server and Internet vulnerabilities.

Antivirus Program

• A utility that searches a hard disk for viruses and removes any that are found.

8. Forces of Nature

• Fire: Structural fire that damages the building. Also encompasses smoke damage from a fire or water damage from sprinkler systems.
• Flood: Can sometimes be mitigated with flood insurance and/or business interruption insurance.
• Earthquake: Can sometimes be mitigated with specific casualty insurance and/or business interruption insurance, but is usually a separate policy.
• Lightning: An abrupt, discontinuous natural electric discharge in the atmosphere.
• Landslide/Mudslide: The downward sliding of a mass of earth & rocks, directly damaging all parts of the information systems.
• Tornado/Severe windstorm
• Hurricane/typhoon
• Tsunami
• Electrostatic discharge (ESD)
• Dust contamination

Since it is not possible to avoid forces-of-nature threats, organizations must implement controls to limit damage.

• They must also prepare contingency plans for continued operations, such as disaster recovery plans, business continuity plans, and incident response plans, to limit losses in the face of these threats.

9. Deviations in Quality of Service

• A product or service is not delivered to the organization as expected.
• The organization’s information system depends on the successful operation of many interdependent support systems.
• These include power grids, telecom networks, parts suppliers, service vendors, and even the janitorial staff & garbage haulers.
• This degradation of service is a form of availability disruption.

Internet Service Issues

• Internet Service Provider (ISP) failures can considerably undermine the availability of information.
• Web hosting services are usually arranged with an agreement providing minimum service levels, known as a Service Level Agreement (SLA).
• When a service provider fails to meet the SLA, the provider may accrue fines to cover losses incurred by the client, but these payments seldom cover the losses generated by the outage.

Communications & Other Service Provider Issues

• Other utility services that can affect organizations are telephone, water, waste water, trash pickup, cable television, natural or propane gas, and custodial services.
• The loss of these services can impair the ability of an organization to function.
• For example, if the waste water system fails, an organization might be prevented from allowing employees into the building.
• This would stop normal business operations.

Power Irregularities

• Fluctuations due to power excesses,
• Power shortages &
• Power losses

These can pose problems for organizations that provide inadequately conditioned power for their information systems equipment.

• When voltage levels spike (experience a momentary increase) or surge (experience a prolonged increase), the extra voltage can severely damage or destroy equipment.
• The more expensive uninterruptible power supply (UPS) can protect against spikes and surges.

10. Technical Hardware Failures or Errors

• Resulting in unreliable service or lack of availability.
• Some errors are terminal, in that they result in unrecoverable loss of equipment.
• Some errors are intermittent, in that they result in faults that are not easily repeated.

11. Technical Software Failures or Errors

• This category involves threats that come from purchasing software with unknown, hidden faults.
• Large quantities of computer code are written, debugged, published, and sold before all their bugs are detected and resolved.
• These failures range from bugs to untested failure conditions.

12. Technological Obsolescence

• Outdated infrastructure can lead to unreliable and untrustworthy systems.
• Management must recognize that when technology becomes outdated, there is a risk of loss of data integrity from attacks.

2.4 ATTACKS

• An attack is an act or action that takes advantage of a vulnerability to compromise a controlled system.
• It is accomplished by a threat agent that damages or steals an organization’s information or physical asset.
• A vulnerability is an identified weakness in a controlled system, where controls are not present or are no longer effective.
• Attacks exist when a specific act or action comes into play and may cause a potential loss.

2.4.1 Malicious code

• The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information.
• The state-of-the-art malicious code attack is the polymorphic, or multivector, worm.
• These attack programs use up to six known attack vectors to exploit a variety of vulnerabilities in commonly found information system devices.

2.4.2 Attack Replication Vectors

1. IP scan & attack

2. Web browsing

3. Virus

4. Unprotected shares

5. Mass mail

6. Simple Network Management Protocol (SNMP)

1. IP scan & attack

• The infected system scans a random or local range of IP addresses and targets any of several vulnerabilities known to hackers.

2. Web browsing

• If the infected system has write access to any Web pages, it makes all Web content files (.html, .asp, .cgi & others) infectious, so that users who browse to those pages become infected.

3. Virus

• Each infected machine infects certain common executable or script files on all computers to which it can write with virus code that can cause infection.

4. Unprotected shares

• Using vulnerabilities in file systems and the way many organizations configure them, the infected machine copies the viral component to all locations it can reach.

5. Mass Mail

• By sending e-mail infections to addresses found in the address book, the infected machine infects many users, whose mail-reading programs also automatically run the program & infect other systems.

6. Simple Network Management Protocol (SNMP)

• By using the widely known and common passwords that were employed in early versions of this protocol, the attacking program can gain control of the device. Most vendors have closed these vulnerabilities with software upgrades.

2.4.3 Examples

Hoaxes

• A more devious approach to attacking computer systems is the transmission of a virus hoax with a real virus attached.
• Even though these users are trying to avoid infection, they end up sending the attack on to their co-workers.

Backdoors

• Using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource through a back door.
• Sometimes these entries are left behind by system designers or maintenance staff, and are thus referred to as trap doors.
• A trap door is hard to detect, because very often the programmer who puts it in place also makes the access exempt from the usual audit logging features of the system.

Password Crack

• Attempting to reverse-calculate a password is often called cracking.
• A guessed password can be hashed using the same algorithm and compared to the stored hash; if they are the same, the password has been cracked.
• The Security Account Manager (SAM) file contains the hashed representation of the user’s password.

Brute Force

• The application of computing & network resources to try every possible combination of options of a password is called a brute force attack.
• This is often an attempt to repeatedly guess passwords to commonly used accounts; it is sometimes called a password attack.

Spoofing

• It is a technique used to gain unauthorized access to computers, wherein the intruder sends messages to a computer with an IP address that indicates that the messages are coming from a trusted host.

Original IP packet (from hacker’s system): Data: Payload | IP source: 192.168.0.25 | IP destination: 100.0.0.75

Spoofed (modified) IP packet: Data: Payload | IP source: 100.0.0.80 | IP destination: 100.0.0.75

Hacker modifies the source address to spoof the firewall; the spoofed packet is sent to the target; the firewall allows the packet in, mistaking it for legitimate traffic.

Figure 2.4.3.1 IP spoofing
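The firewall in the figure is fooled because it trusts the source address written in the packet. The usual defence is ingress/egress filtering: judge a packet by the interface it arrived on, not by the address it claims. The following is an added example written for these notes (not code from the notes or from any firewall product); it assumes the firewall protects 100.0.0.0/24 (the figure only shows hosts 100.0.0.75 and 100.0.0.80, so the prefix is constructed) and uses a constructed list of address ranges that can never be a legitimate source on the outside interface.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the firewall in the figure protects 100.0.0.0/24 (the figure
# only shows hosts 100.0.0.75 and 100.0.0.80, so the prefix is constructed).
PROTECTED_NET = ipaddress.ip_network("100.0.0.0/24")

# Address space that can never be a legitimate source on the outside
# interface: RFC 1918 private ranges plus loopback. Constructed list.
BOGON_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "inside"
    src: str     # IP source
    dst: str     # IP destination


def spoof_reason(pkt: Packet):
    """Return a string saying why the packet's source address is impossible
    for the interface it arrived on, or None if the source is plausible.
    This is the ingress/egress filtering rule: the packet is judged by
    where it came from, not by the address it claims."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "outside":
        if src in PROTECTED_NET:
            # The figure's case: 100.0.0.80 claims to be inside, yet the
            # packet arrived from the Internet side.
            return "internal source address arriving on outside interface"
        for net in BOGON_NETS:
            if src in net:
                return f"unroutable source {net} on outside interface"
        return None
    if pkt.iface == "inside":
        if src not in PROTECTED_NET:
            # Egress filtering: stops hosts on this site from sending
            # packets with somebody else's address as source.
            return "inside host sending with a foreign source address"
        return None
    return f"unknown interface {pkt.iface!r}"


def apply_filter(packets):
    """Run the rule over a list of packets; return (verdict, packet, reason)."""
    results = []
    for pkt in packets:
        reason = spoof_reason(pkt)
        results.append(("DROP" if reason else "ALLOW", pkt, reason))
    return results


if __name__ == "__main__":
    # Constructed sample traffic, including the spoofed packet from the figure.
    sample = [
        Packet("outside", "100.0.0.80", "100.0.0.75"),    # spoofed, from figure
        Packet("outside", "192.168.0.25", "100.0.0.75"),  # private src from outside
        Packet("outside", "203.0.113.9", "100.0.0.75"),   # ordinary Internet client
        Packet("inside", "100.0.0.75", "203.0.113.9"),    # normal reply
        Packet("inside", "198.51.100.4", "203.0.113.9"),  # inside host spoofing
    ]
    for verdict, pkt, reason in apply_filter(sample):
        print(f"{verdict:5} {pkt.iface:7} {pkt.src:>14} -> {pkt.dst:<12} {reason or ''}")
```

The rule is deliberately simple: it needs no knowledge of who the "trusted host" is, only of which addresses belong on which side of the firewall. That is why a spoofed 100.0.0.80 is dropped even though the address itself is perfectly valid inside the network.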

Dictionary

• This is another form of the brute force attack noted above for guessing passwords.
• The dictionary attack narrows the field by selecting specific accounts to attack and uses a list of commonly used passwords instead of random combinations.
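The Password Crack, Brute Force and Dictionary entries above all rest on one fact: a stored hash can be tested against a guess by hashing the guess the same way. The added example below (written for these notes, not code from the notes or from any product) shows the defender's side of that fact. First it audits a constructed user store that keeps unsalted SHA-256 hashes against a short constructed list of common passwords, which also exposes two users sharing a password; then it shows the hardened scheme, a per-user random salt with a slow key-derivation function, under which neither shortcut works. The iteration count and all sample data are assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample data: a tiny list of commonly used passwords and a user
# store that keeps unsalted SHA-256 hashes (the weak scheme the "Password
# Crack" entry describes).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "welcome1"]


def weak_hash(password: str) -> str:
    """Unsalted, fast hash: the same password always yields the same value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


WEAK_USER_DB = {                         # constructed
    "alice": weak_hash("letmein"),
    "bob":   weak_hash("T9$kq!vZ2pLm"),  # not in the wordlist
    "carol": weak_hash("letmein"),       # same password as alice -> same hash
}


def audit_weak_hashes(user_db: dict, wordlist: list) -> dict:
    """Dictionary check as the notes describe it: hash each common password
    once and compare with every stored hash. Because the hashes are
    unsalted, one table covers all users, and identical passwords are
    already visible as identical hashes before any guess matches."""
    lookup = {weak_hash(word): word for word in wordlist}
    return {user: lookup[h] for user, h in user_db.items() if h in lookup}


# Hardened scheme: per-user random salt and a deliberately slow KDF
# (PBKDF2-HMAC-SHA256). The iteration count is an assumption for this example.
ITERATIONS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) to be stored instead of a bare hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, dk


def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, dk)


def same_password_different_records(password: str) -> bool:
    """Two users with the same password get different stored values, so a
    precomputed table of common passwords no longer works across accounts."""
    _, dk1 = make_record(password)
    _, dk2 = make_record(password)
    return dk1 != dk2


if __name__ == "__main__":
    print("weak store, found by dictionary:", audit_weak_hashes(WEAK_USER_DB, COMMON_PASSWORDS))
    rec = make_record("letmein")
    print("salted record verifies:", verify("letmein", rec), "| wrong guess:", verify("password", rec))
    print("same password, different records:", same_password_different_records("letmein"))
```

Two things to notice: the audit finds alice and carol with a single table of five hashes, and it would find them just as easily in a store of a million users; with the salted record, each account has to be attacked separately and each guess costs ITERATIONS hash operations, which is what turns a dictionary attack from cheap into expensive.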

Denial-of-Service (DoS) & Distributed Denial-of-Service (DDoS)

• The attacker sends a large number of connection or information requests to a target.
• This may result in the system crashing, or simply becoming unable to perform ordinary functions.
• DDoS is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
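The difference between DoS and DDoS matters for detection: a single flooding source stands out in a per-source count, while a distributed flood keeps every individual source quiet and only shows in the aggregate. The added example below (written for these notes, not code from the notes) runs both views over a constructed access log. Thresholds, window size and the log lines are assumptions of the example; the log is assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log: "<ISO timestamp> <source IP> <request>".
# One source (203.0.113.5) floods on its own; later ten different sources
# each send a single request at the same moment (the DDoS pattern).
SAMPLE_LOG = """\
2024-03-01T10:00:00 198.51.100.7 GET /login
2024-03-01T10:00:00 203.0.113.5 GET /index.html
2024-03-01T10:00:00 203.0.113.5 GET /index.html
2024-03-01T10:00:01 203.0.113.5 GET /index.html
2024-03-01T10:00:01 203.0.113.5 GET /index.html
2024-03-01T10:00:01 203.0.113.5 GET /index.html
2024-03-01T10:00:02 198.51.100.7 GET /dashboard
2024-03-01T10:00:02 203.0.113.5 GET /index.html
2024-03-01T10:00:10 192.0.2.11 GET /index.html
2024-03-01T10:00:10 192.0.2.12 GET /index.html
2024-03-01T10:00:10 192.0.2.13 GET /index.html
2024-03-01T10:00:10 192.0.2.14 GET /index.html
2024-03-01T10:00:10 192.0.2.15 GET /index.html
2024-03-01T10:00:11 192.0.2.16 GET /index.html
2024-03-01T10:00:11 192.0.2.17 GET /index.html
2024-03-01T10:00:11 192.0.2.18 GET /index.html
2024-03-01T10:00:11 192.0.2.19 GET /index.html
2024-03-01T10:00:11 192.0.2.20 GET /index.html
"""

# Thresholds are assumptions for the example; real values depend on the service.
PER_SOURCE_LIMIT = 5            # requests from one source ...
AGGREGATE_LIMIT = 9             # ... or from everyone combined ...
WINDOW = timedelta(seconds=2)   # ... inside any window this long


def parse_line(line):
    """Split one log line into (timestamp, source, request)."""
    ts, src, *rest = line.split()
    return datetime.fromisoformat(ts), src, " ".join(rest)


def find_flooders(log_text, limit=PER_SOURCE_LIMIT, window=WINDOW):
    """Per-source sliding window (the DoS case). Returns {source: time at
    which that source first reached `limit` requests within `window`}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, src, _ = parse_line(line)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:       # drop requests that fell out of the window
            q.popleft()
        if len(q) >= limit and src not in flagged:
            flagged[src] = ts
    return flagged


def aggregate_peak(log_text, window=WINDOW):
    """Peak request count across *all* sources in any window. A DDoS shows
    up here even though every individual source stays under its limit."""
    q = deque()
    peak = 0
    for line in log_text.strip().splitlines():
        ts, _, _ = parse_line(line)
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def assess(log_text):
    """Combine both views into something a responder can act on."""
    return {
        "dos_sources": sorted(find_flooders(log_text)),
        "ddos_suspected": aggregate_peak(log_text) >= AGGREGATE_LIMIT,
    }


if __name__ == "__main__":
    print("per-source flooders:", find_flooders(SAMPLE_LOG))
    print("peak aggregate rate:", aggregate_peak(SAMPLE_LOG), "requests per", WINDOW)
    print("verdict:", assess(SAMPLE_LOG))
```

On the sample, 203.0.113.5 is flagged on its fifth request at 10:00:01, while none of the 192.0.2.x hosts ever exceeds one request; only the aggregate count (ten requests in a two-second window) reveals the second burst. A per-source block list alone would therefore stop the DoS and miss the DDoS.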

Man-in-the-Middle

• Otherwise called a TCP hijacking attack.
• An attacker monitors packets from the network, modifies them, and inserts them back into the network.
• This type of attack uses IP spoofing.
• It allows the attacker to change, delete, reroute, add, forge or divert data.
• In a TCP hijacking session, the spoofing involves the interception of an encryption key exchange.

SPAM

• Spam is unsolicited commercial e-mail.
• It has been used to make malicious code attacks more effective.
• Spam is considered a trivial nuisance rather than an attack.
• Its cost is the waste of both computer and human resources caused by the flow of unwanted e-mail.

Mail Bombing

• Another form of e-mail attack that is also a DoS is called a mail bomb.
• The attacker routes large quantities of e-mail to the target.
• The target of the attack receives unmanageably large volumes of unsolicited e-mail.
• By sending large e-mails, attackers can take advantage of poorly configured e-mail systems on the Internet and trick them into sending many e-mails to an address chosen by the attacker.
• The target e-mail address is buried under thousands or even millions of unwanted e-mails.

Sniffers

• A sniffer is a program or device that can monitor data traveling over a network.
• Unauthorized sniffers can be extremely dangerous to a network’s security, because they are virtually impossible to detect and can be inserted almost anywhere.
• Sniffers often work on TCP/IP networks, where they are sometimes called “packet sniffers”.

Social Engineering

• It is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.
• An attacker gets more information by calling others in the company and asserting his/her authority by mentioning the chief’s name.

Buffer Overflow

• A buffer overflow is an application error that occurs when more data is sent to a buffer than it can handle.
• The attacker can make the target system execute instructions.

Timing Attack

• Works by exploring the contents of a web browser’s cache.
• These attacks allow a Web designer to create a malicious form of cookie that is stored on the client’s system.
• The cookie could allow the designer to collect information on how to access password-protected sites.
2.5 LEGAL, ETHICAL, AND PROFESSIONAL ISSUES IN INFORMATION SECURITY

2.5.1 Law and Ethics in Information Security

• Laws are rules that mandate or prohibit certain behavior in society; they are drawn from ethics, which define socially acceptable behaviors. The key difference between laws and ethics is that laws carry the sanctions of a governing authority and ethics do not. Ethics in turn are based on cultural mores.
• Types of Law
- Civil law
- Criminal law
- Constitutional law
- Statutory law or administrative law
- Public law, case law and precedent

2.5.2 Relevant U.S. Laws – General

• Computer Fraud and Abuse Act of 1986
• National Information Infrastructure Protection Act of 1996
• USA Patriot Act of 2001
• Telecommunications Deregulation and Competition Act of 1996
• Communications Decency Act (CDA)
• Computer Security Act of 1987

Privacy

• The issue of privacy has become one of the hottest topics in information
• The ability to collect information on an individual, combine facts from separate sources, and merge it with other information has resulted in databases of information that were previously impossible to set up
• The aggregation of data from multiple sources permits unethical organizations to build databases of facts with frightening capabilities

Privacy of Customer Information

• Privacy of Customer Information Section of Common Carrier Regulations
• Federal Privacy Act of 1974
• The Electronic Communications Privacy Act of 1986
• The Health Insurance Portability & Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act
• The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999

15 DEPARTMENT OF CSE
Table 2.5.2.1 Key U.S. Laws of Interest to Information Security Professionals

Each entry gives the act, its subject, its date, and a description.

Communications Act of 1934, updated by Telecommunications Deregulation & Competition Act
  Subject: Telecommunications. Date: 1934.
  Regulates interstate and foreign telecommunications.

Computer Fraud & Abuse Act
  Subject: Threats to computers. Date: 1986.
  Defines and formalizes laws to counter threats from computer-related acts and offenses.

Computer Security Act of 1987
  Subject: Federal agency information security. Date: 1987.
  Requires all federal computer systems that contain classified information to have security plans in place, and requires periodic security training for all individuals who operate, design, or manage such systems.

Economic Espionage Act of 1996
  Subject: Trade secrets. Date: 1996.
  Designed to prevent abuse of information gained by an individual working in one company and employed by another.

Electronic Communications Privacy Act of 1986
  Subject: Cryptography. Date: 1986.
  Also referred to as the Federal Wiretapping Act; regulates interception and disclosure of electronic information.

Federal Privacy Act of 1974
  Subject: Privacy. Date: 1974.
  Governs federal agency use of personal information.

Gramm-Leach-Bliley Act of 1999
  Subject: Banking. Date: 1999.
  Focuses on facilitating affiliation among banks, insurance and securities firms; it has significant impact on the privacy of personal information used by these industries.

Health Insurance Portability and Accountability Act
  Subject: Health care privacy. Date: 1996.
  Regulates collection, storage, and transmission of sensitive personal health care information.

National Information Infrastructure Protection Act of 1996
  Subject: Criminal intent. Date: 1996.
  Categorized crimes based on the defendant’s authority to access computers and criminal intent.

Sarbanes-Oxley Act of 2002
  Subject: Financial reporting. Date: 2002.
  Affects how public organizations and accounting firms deal with corporate governance, financial disclosure, and the practice of public accounting.

Security and Freedom through Encryption Act of 1999
  Subject: Use and sale of software that uses or enables encryption. Date: 1999.
  Clarifies use of encryption for people in the United States and permits all persons in the U.S. to buy or sell any encryption product, and states that the government cannot require the use of any kind of key escrow system for encryption products.

U.S.A. Patriot Act of 2001
  Subject: Terrorism. Date: 2001.
  Defines stiffer penalties for prosecution of terrorist crimes.

Export and Espionage Laws

• Economic Espionage Act (EEA) of 1996
• Security and Freedom Through Encryption Act of 1997 (SAFE)
US Copyright Law

• Intellectual property is recognized as a protected asset in the US
• US copyright law extends this right to the published word, including electronic formats
• Fair use of copyrighted materials includes
- the use to support news reporting, teaching, scholarship, and a number of other related permissions
- the purpose of the use has to be for educational or library purposes, not for profit, and should not be excessive

Freedom of Information Act of 1966 (FOIA)

• The Freedom of Information Act provides any person with the right to request access to federal agency records or information not determined to be of national security

- US Government agencies are required to disclose any requested information on receipt of a written request

• There are exceptions for information that is protected from disclosure, and the Act does not apply to state or local government agencies or to private businesses or individuals, although many states have their own version of the FOIA

State & Local Regulations

• In addition to the national and international restrictions placed on an organization in the use of computer technology, each state or locality may have a number of laws and regulations that impact operations

It is the responsibility of the information security professional to understand state laws and regulations and ensure the organization’s security policies and procedures comply with those laws and regulations

2.5.3 International Laws and Legal Bodies

• Recently the Council of Europe drafted the European Council Cyber-Crime Convention, designed
- to create an international task force to oversee a range of security functions associated with Internet activities,
- to standardize technology laws across international borders
• It also attempts to improve the effectiveness of international investigations into breaches of technology law
• This convention is well received by advocates of intellectual property rights with its emphasis on copyright infringement prosecution
Digital Millennium Copyright Act (DMCA)

• The Digital Millennium Copyright Act (DMCA) is the US version of an international effort to reduce the impact of copyright, trademark, and privacy infringement
• The European Union Directive 95/46/EC increases protection of individuals with regard to the processing of personal data and limits the free movement of such data
• The United Kingdom has already implemented a version of this directive called the Database Right

United Nations Charter

• To some degree the United Nations Charter provides provisions for information security during information warfare
• Information Warfare (IW) involves the use of information technology to conduct offensive operations as part of an organized and lawful military operation by a sovereign state
• IW is a relatively new application of warfare, although the military has been conducting electronic warfare and counter-warfare operations for decades, jamming, intercepting, and spoofing enemy communications

Policy Versus Law

• Most organizations develop and formalize a body of expectations called policy
• Policies function in an organization like laws
• For a policy to become enforceable, it must be:
- Distributed to all individuals who are expected to comply with it
- Readily available for employee reference
- Easily understood, with multi-language translations and translations for visually impaired or literacy-impaired employees
- Acknowledged by the employee, usually by means of a signed consent form
• Only when all conditions are met does the organization have a reasonable expectation of effective policy

2.5.4 Ethical Concepts in Information Security

Cultural Differences in Ethical Concepts

• Differences in cultures cause problems in determining what is ethical and what is not ethical
• Studies of ethical sensitivity to computer use reveal that different nationalities have different perspectives
• Difficulties arise when one nationality’s ethical behavior contradicts that of another national group

Ethics and Education

• Employees must be trained and kept aware of a number of topics related to information security, not the least of which is the expected behaviors of an ethical employee
• This is especially important in areas of information security, as many employees may not have the formal technical training to understand that their behavior is unethical or even illegal
• Proper ethical and legal training is vital to creating an informed, well prepared, and low-risk system user

Deterrence to Unethical and Illegal Behavior

 Deterrence - preventing an illegal or unethical activity


 Laws, policies, and technical controls are all examples of deterrents
 Laws and policies only deter if three conditions are present:
- Fear of penalty
- Probability of being caught
- Probability of penalty being administered
Information Security Policy, Standards, and Practices
 Policies do not specify the proper operation of equipment or software—this information should be
placed in the standards, procedures, and practices of users’ manuals and systems documentation.
 In addition, policy should never contradict law; policy must be able to stand up in court, if
challenged; and policy must be properly administered through dissemination and documented
acceptance.
 Security policies are the least expensive control to execute, but the most difficult to implement
properly. They have the lowest cost in that their creation and dissemination require only the time and
effort of the management team.
 Even if the management team hires an outside consultant to help develop policy, the costs are
minimal compared to those of technical controls.
 Policies function like laws in an organization because they dictate acceptable and unacceptable
behavior there.
 Like laws, policies define what is right and wrong, the penalties for violating policy, and the appeal
process. Standards, on the other hand, are more detailed statements of what must be done to comply
with policy.
 Standards may be informal or part of an organizational culture, as in de facto standards.
 Or, standards may be published, scrutinized, and ratified by a group, as in formal or de jure
standards. Practices, procedures, and guidelines effectively explain how to comply with policy.
 Governmental agencies view security policy in terms of national security and national policies to
deal with foreign states.
 A security policy can also communicate a credit card agency’s method for processing credit card
numbers.
 An information security policy provides rules for protection of the organization’s information assets.
Management must define three types of security policy, according to Special Publication (SP)
800-14 of the National Institute of Standards and Technology (NIST):
1. Enterprise information security policies
2. Issue-specific security policies
3. Systems-specific security policies

Figure 2: Relationships among policies, standards, guidelines, procedures, and practices.

 Dissemination (distribution): The organization must be able to demonstrate that the policy has been
made readily available for review by the employee. Common dissemination techniques include hard
copy and electronic distribution.
 Mnemonic Method. A user selects a phrase and extracts a letter of each word in the phrase (such as
the first letter or second letter of each word), adding numbers or special characters or both.
Example: “May the force be with you always, young Jedi” becomes Mtfbwya-yJ
 Altered Passphrases. A user selects a phrase and alters it to form a derivation of that phrase. This
method supports the creation of long, complex passwords. Passphrases can be easy to remember due
to the structure of the password: it is usually easier for the human mind to comprehend and
remember phrases within a coherent structure than a string of random letters, numbers, and special
characters.
Example: Never Give Up! Never Surrender! becomes Nv.G.Up!-Nv.Surr!
 Combining and Altering Words. A user can combine two or three unrelated words and change some
of the letters to numbers or special characters.
Example: Jedi Tribble becomes J3d13bbl
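The three construction methods above are easy to mechanize, and that cuts both ways: what a user can derive, a cracking rule set can derive too. The following is an added example, not code from the course notes, that applies the mnemonic method and the combining-and-altering method programmatically and then checks the result against a simple length and character-class policy. The extraction rules (first letter of each word, a comma between clauses becomes "-", case preserved) and the letter-substitution table are assumptions chosen to reproduce the notes' "May the force be with you always, young Jedi" example; the policy thresholds are likewise illustrative.

```python
"""Added example (not from the course notes): derive passwords with the
mnemonic and combining-and-altering methods, then check them against a
simple password policy.  The extraction rules and the substitution table
are assumptions made for this illustration.
"""
import re
import string

# Assumed letter-to-symbol table for the "combining and altering words" method.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def mnemonic(phrase: str, letter_index: int = 0, clause_sep: str = "-") -> str:
    """Mnemonic method: keep one letter of each word (letter_index selects
    which one) and join comma-separated clauses with clause_sep."""
    parts = []
    for clause in phrase.split(","):
        words = re.findall(r"[A-Za-z0-9']+", clause)
        letters = [w[letter_index] for w in words if len(w) > letter_index]
        parts.append("".join(letters))
    return clause_sep.join(p for p in parts if p)


def combine_and_alter(words, table=LEET) -> str:
    """Combining and altering words: concatenate unrelated words and replace
    every letter found in the substitution table."""
    joined = "".join(words)
    return "".join(table.get(ch.lower(), ch) for ch in joined)


def policy_check(password: str, min_length: int = 12, min_classes: int = 3) -> dict:
    """Evaluate a candidate against an illustrative policy: a minimum length
    and a minimum number of distinct character classes."""
    classes = {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    n_classes = sum(classes.values())
    return {
        "length": len(password),
        "length_ok": len(password) >= min_length,
        "classes": n_classes,
        "classes_ok": n_classes >= min_classes,
        "passes": len(password) >= min_length and n_classes >= min_classes,
    }


if __name__ == "__main__":
    for candidate in (
        mnemonic("May the force be with you always, young Jedi"),
        "Nv.G.Up!-Nv.Surr!",                       # altered passphrase from the notes
        combine_and_alter(["Jedi", "Tribble"]),
    ):
        print(f"{candidate!r}: {policy_check(candidate)}")
```

Run as a script, the mnemonic result ("Mtfbwya-yJ", 10 characters) and the altered-word result both satisfy the character-class requirement but fall short of a 12-character minimum, while the altered passphrase passes on both counts. That is the practical caveat for this guideline: letter substitution adds little, because common password-cracking rule sets already apply exactly these substitutions to dictionary words, whereas the passphrase method produces length, which is what actually raises the cracking cost.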
 Finally, procedures are step-by-step instructions for accomplishing the task specified in the policy.
Procedures: To change your log-in password on our system, perform the following steps:
1) Log in using your current (old) password.
2) On your organizational portal home page, click the [Tools] Menu option.
3) Select [Change Password].
4) Enter your old password in the first field and your new password in the second. The system will ask you
to confirm your new password to prevent you from mistyping it.
5) The system will then report that your password has been updated, and ask you to log out and log back in
with your new password.
Enterprise Information Security Policy
 An enterprise information security policy (EISP) is also known as a general security policy,
organizational security policy, IT security policy, or information security policy. The EISP is an
executive-level document, usually drafted by or in cooperation with the organization’s chief
information officer.
 This policy is usually 2 to 10 pages long and shapes the philosophy of security in the IT environment.
The EISP usually needs to be modified only when there is a change in the strategic direction of the
organization.
 The EISP guides the development, implementation, and management of the security program. It sets
out the requirements that must be met by the information security blueprint or framework.
 It defines the purpose, scope, constraints, and applicability of the security program. It also assigns
responsibilities for the various areas of security, including systems administration, maintenance of
the information security policies, and the practices and responsibilities of users.
According to NIST, the EISP typically addresses compliance in two areas:
1. General compliance to ensure that an organization meets the requirements for establishing a program and
assigning responsibilities therein to various organizational components
2. The use of specified penalties and disciplinary action
When the EISP has been developed, the CISO begins forming the security team and initiating necessary
changes to the information security program.
EISP Elements
Although the specifics of EISPs vary among organizations, most EISP documents should include the
following elements:
● An overview of the corporate philosophy on security
● Information on the structure of the information security organization and people who fulfill the
information security role
● Fully articulated responsibilities for security that are shared by all members of the organization
(employees, contractors, consultants, partners, and visitors)
● Fully articulated responsibilities for security that are unique to each role within the organization
Issue-Specific Security Policy
An ISSP may cover the following topics, among others:
● E-mail
● Use of the Internet and World Wide Web
● Specific minimum configurations of computers to defend against worms and viruses
● Prohibitions against hacking or testing organization security controls
● Home use of company-owned computer equipment
● Use of personal equipment on company networks (BYOD: bring your own device)
● Use of telecommunications technologies, such as fax and phone
● Use of photocopy equipment
● Use of portable storage devices such as USB memory sticks, backpack drives, game players, music
players, and any other device capable of storing digital files
● Use of cloud-based storage services that are not self-hosted by the organization or engaged under contract;
such services include Google Drive, Dropbox, and Microsoft Live
Several approaches are used to create and manage ISSPs within an organization.
Three of the most common are:
1. Independent ISSP documents, each tailored to a specific issue
2. A single comprehensive ISSP document that covers all issues
3. A modular ISSP document that unifies policy creation and administration while maintaining each
specific issue’s requirements
Components of an ISSP
1. Statement of policy
a. Scope and applicability
b. Definition of technology addressed
c. Responsibilities
2. Authorized access and usage of equipment
a. User access
b. Fair and responsible use
c. Protection of privacy
3. Prohibited use of equipment
a. Disruptive use or misuse
b. Criminal use
c. Offensive or harassing materials
d. Copyrighted, licensed, or other intellectual property
e. Other restrictions
4. Systems management
a. Management of stored materials
b. Employee monitoring
c. Virus protection
d. Physical security
e. Encryption
5. Violations of policy
a. Procedures for reporting violations
b. Penalties for violations
6. Policy review and modification
a. Scheduled review of policy procedures for modification
b. Legal disclaimers
7. Limitations of liability
a. Statements of liability
b. Other disclaimers as needed
 Each technology and process is provided for business operations. Use for any other purpose
constitutes misuse of equipment.
Prohibited Use of Equipment
 Unless a particular use is clearly prohibited, the organization cannot penalize its employees for
misuse.
The following can be prohibited:
 personal use, disruptive use or misuse, criminal use, offensive or harassing materials, and
infringement of copyrighted, licensed, or other intellectual property.
Systems Management
 The systems management section of the ISSP policy statement focuses on the users’ relationship to
systems management.
 Specific rules from management include regulating the use of e-mail, the storage of materials, the
authorized monitoring of employees, and the physical and electronic scrutiny of e-mail and other
electronic documents.
 As the organization’s needs and technologies change, so must the policies that govern their use.
Limitations of Liability
 If an employee is caught conducting illegal activities with the organization’s equipment or assets,
management does not want the organization held liable.
 The policy should state that if employees violate a company policy or any law using company
technologies, the company will not protect them, and the company is not liable for their actions.
 It is assumed that such violations occur without knowledge or authorization by the organization.
Systems-Specific Security Policy (SysSP)
 SysSPs often function as standards or procedures to be used when configuring or maintaining
systems. For example, a SysSP might describe the configuration and operation of a network firewall.
 This document could include a statement of managerial intent; guidance to network engineers on the
selection, configuration, and operation of firewalls; and an access control list that defines levels of
access for each authorized user.
 SysSPs can be separated into two general groups, managerial guidance SysSPs and technical
specifications SysSPs, or they can be combined into a single policy document that contains elements
of both.
Managerial Guidance SysSPs
 A managerial guidance SysSP document is created by management to guide the implementation and
configuration of technology and to address the behavior of employees in ways that support information
security.

 Each type of equipment requires its own set of policies, which are used to translate management’s
intent for the technical control into an enforceable technical approach.
 There are two general methods of implementing such technical controls: access control lists and
configuration rules.
Configuration Rule Policies
 Configuration rules (or policies) govern how a security system reacts to the data it receives.
 Rule-based policies are more specific to the operation of a system than ACLs, and they may or may
not deal with users directly.
 Many security systems—for example, firewalls, intrusion detection and prevention systems (IDPSs),
and proxy servers—use specific configuration scripts that represent the configuration rule policy to
determine how the system handles each data element they process.
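The firewall SysSP described above (managerial intent, engineering guidance, and an access control list) and the configuration-rule policy described here meet in the rule set the device actually loads. The following is an added example, not code from the course notes, showing a minimal first-match packet filter: each rule is one configuration statement, evaluation stops at the first match, and a packet that matches nothing is denied. It also includes the check a practitioner would want before deploying a rule set, a test for rules that are shadowed (can never fire) because an earlier, broader rule already covers every packet they would match. The rule fields, the sample addresses (documentation ranges) and the two rule sets are assumptions made for the illustration.

```python
"""Added example (not from the course notes): a minimal first-match packet
filter with an implicit default deny, plus a shadowed-rule check.
Rule format, field names and the sample rule sets are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, None means any port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the corresponding packet field."""
    return (rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; return its action and index.
    No match falls through to an implicit deny (index None)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers
    every packet they would match (same or broader proto, networks and port)."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.proto in ("any", later.proto)
                    and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
                    and earlier.dport in (None, later.dport)):
                out.append(j)
                break
    return out


# Management's intent (assumed): only the admin jump host may reach SSH on the
# DMZ web server; anyone may reach HTTPS on it; everything else is denied.
POLICY = [
    Rule("allow", "tcp", "10.0.5.10/32", "192.0.2.10/32", 22, "jump host -> web ssh"),
    Rule("deny", "tcp", "0.0.0.0/0", "192.0.2.10/32", 22, "everyone else: no ssh"),
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443, "public https"),
]

# A mis-ordered variant: a broad "allow anything to the DMZ" rule placed first.
BAD_POLICY = [Rule("allow", "any", "0.0.0.0/0", "192.0.2.0/24", None, "too broad")] + POLICY

# Constructed sample traffic.
ADMIN_SSH = Packet("tcp", "10.0.5.10", "192.0.2.10", 22)
OUTSIDER_SSH = Packet("tcp", "198.51.100.7", "192.0.2.10", 22)
OUTSIDER_HTTPS = Packet("tcp", "198.51.100.7", "192.0.2.10", 443)
OUTSIDER_DNS = Packet("udp", "198.51.100.7", "192.0.2.10", 53)

if __name__ == "__main__":
    for name, pkt in [("admin ssh", ADMIN_SSH), ("outsider ssh", OUTSIDER_SSH),
                      ("outsider https", OUTSIDER_HTTPS), ("outsider dns", OUTSIDER_DNS)]:
        print(f"{name:15} POLICY={evaluate(POLICY, pkt)}  BAD_POLICY={evaluate(BAD_POLICY, pkt)}")
    print("shadowed in POLICY:", shadowed(POLICY))
    print("shadowed in BAD_POLICY:", shadowed(BAD_POLICY))
```

With the intended ordering the outsider's SSH attempt hits the deny rule and the DNS packet falls through to the implicit deny. With the broad rule inserted first, every later rule is reported as shadowed and the outsider's SSH attempt is allowed, even though the same "deny ssh" statement is still present in the file. That is why a configuration-rule policy must be reviewed as an ordered whole, not as a list of independent statements.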
Combination SysSPs
 Many organizations create a single document that combines the managerial guidance SysSP and the
technical specifications SysSP. While this document can
Policy Management
 Policies are living documents that must be managed.
 It is unacceptable to create such an important set of documents and then shelve them. These
documents must be properly distributed, read, understood, agreed to, uniformly applied, and
managed.
 Good management practices for policy development and maintenance make for a more resilient
organization.
Responsible Manager
 Just as information systems and information security projects must have champions and managers, so
must policies.
 The policy manager is often called the policy administrator. Note that the policy administrator does
not necessarily have to be proficient in the relevant technology. While practicing information
security professionals require extensive technical knowledge, policy management and policy
administration require only a moderate technical background.
 The policy administrator must be clearly identified in the policy document as the primary point of
contact for additional information or suggested revisions to the policy.
Schedule of Reviews
 Policies can only retain their effectiveness in a changing environment if they are periodically
reviewed for currency and accuracy and then modified accordingly.
 To demonstrate due diligence, an
Review Procedures and Practices
 To facilitate policy reviews, the policy manager should implement a mechanism by which people can
comfortably make recommendations for revisions, whether via e-mail, office mail, or an anonymous drop box.
 When policies are drafted and published without dates, confusion can arise. If policies are not
reviewed and kept current, or if members of the organization are following undated versions,
disastrous results and legal headaches can ensue.
 Establishing a policy end date prevents a temporary policy from mistakenly becoming permanent,
and it also enables an organization to gain experience with a given policy before adopting it
permanently.
