Unit 7 & 8 Info Sec Controls

Legal and Security Issues in ICT

Uploaded by Gideon Agbavor

LEGAL AND SECURITY ISSUES IN ICT

LESSON OUTCOMES

Information Security Controls

Types of Information Security Controls, i.e.

1. Logical Controls

2. Physical & Administrative Controls


INFORMATION SECURITY CONTROLS

- The concept of information security controls refers to the measures, safeguards, policies, and procedures implemented to protect the confidentiality, integrity, and availability of information assets within an organization. These controls are designed to mitigate risks, prevent unauthorized access or disclosure, and ensure the overall security of sensitive information.

- A security control, also known as a safeguard or countermeasure, is a mechanism put in place to mitigate risk and protect the confidentiality, integrity, and availability (CIA) of an asset. This section reviews fundamental terminology such as control class and control functionality.

- Information security controls can be categorized into various types based on their purpose and function. Here are the commonly recognized categories of information security controls:

TYPES OF INFORMATION SECURITY CONTROLS

Logical Controls

Physical & Administrative controls


LOGICAL CONTROLS

- Logical controls refer to the security measures implemented at the logical or data level to protect information assets within an organization. These controls focus on managing and controlling access to sensitive data and ensuring the integrity, confidentiality, and availability of information.

- A logical access control system requires the validation of an individual's identity through some mechanism, such as a PIN, card, biometric, or other token. It has the capability to assign different access privileges to different individuals depending on their roles and responsibilities in an organization.

EXAMPLES OF LOGICAL CONTROLS

Traditional Firewalls

Packet-Filtering Techniques

Application Proxies

Network Address Translation

Port Address Translation


TRADITIONAL FIREWALLS

- Traditional firewalls are network security devices that act as a barrier between an internal network and external networks, such as the internet. They enforce security policies by monitoring and controlling incoming and outgoing network traffic based on predetermined rules.

- The concept of traditional firewalls is rooted in the concept of packet filtering. They inspect individual packets of data as they pass through the firewall and make decisions on whether to allow or block them based on predefined criteria. These criteria can include source and destination IP addresses, port numbers, protocol types, and other packet attributes.

- Firewalls work by monitoring and controlling network traffic based on a set of predefined rules. They act as a barrier between an internal network (such as a corporate network) and external networks (such as the internet) to protect the internal network from unauthorized access and potential threats. Here's a general overview of how firewalls work:

FIREWALLS KEY CONCEPTS

- Packet Inspection: Firewalls inspect individual packets of data as they pass through the network. Each packet contains information such as the source and destination IP addresses, port numbers, and protocol type. The firewall analyzes these packet attributes to determine whether the packet should be allowed or blocked based on predefined rules.

- Stateful Inspection: Traditional firewalls employ stateful inspection to track the state of network connections. They maintain information about established connections and use this data to make more informed decisions about allowing or denying network traffic. Stateful inspection provides better security by ensuring that inbound traffic corresponds to an established outbound connection.

- Stateless Inspection: Unlike stateful inspection, which keeps track of the state of network connections, stateless inspection treats each packet individually and does not maintain information about previous packets or connections.

- VPN Support: Many traditional firewalls offer Virtual Private Network (VPN) support. This allows for secure remote access to internal resources by establishing encrypted tunnels over public networks, such as the internet. VPNs provide secure connectivity for remote users or branch offices.
PACKET-FILTERING TECHNIQUES

- Packet filtering is a fundamental concept in network security that involves examining individual packets of data as they pass through a network device, such as a firewall or router, and making decisions on whether to allow or block them based on specified criteria. It is a technique used to enforce network security policies by filtering and controlling network traffic at the packet level.

- A packet-filtering firewall is a network security feature that controls the flow of incoming and outgoing network data. The firewall examines each and every packet, which comprises data and control information, and tests them according to a set of pre-established rules. If the packet completes the test successfully, the firewall allows it to pass through (going out of or coming into the network) to its destination. The firewall rejects those that don't pass the test and allows those that meet the rules. The firewall contains a set of organizational rules and protocols.

- Packet filtering is a basic and efficient method for network traffic control and security. It provides a first line of defense by allowing organizations to define and enforce rules that permit or restrict traffic based on specific attributes. However, packet filtering has its limitations, such as the inability to inspect packet content beyond the header, making it vulnerable to certain types of attacks. As a result, organizations often combine packet filtering with other security measures, such as intrusion detection and prevention systems (IDPS), to enhance their overall network security posture.
HERE'S HOW PACKET FILTERING WORKS

- Packet Examination: When a packet of data enters a network device, such as a firewall, it is inspected by examining various attributes within the packet header. These attributes typically include source and destination IP addresses, port numbers, protocol types, and other packet metadata.

- Filtering Rules: Administrators define filtering rules that specify the criteria for accepting or rejecting packets based on their attributes. These rules are configured on the network device, such as a firewall or router, and are often based on policies and security requirements specific to the organization. For example, a rule might allow incoming traffic on port 80 (HTTP) from specific IP addresses while blocking traffic from all other sources.

- Filtering Decisions: Each packet is compared against the configured filtering rules in sequential order. The network device evaluates the packet's attributes and checks if it matches any of the defined rules. If a matching rule is found, the device applies the corresponding action (e.g., allow or block) based on the rule's configuration.

- Allow or Block: If a packet matches an "allow" rule, it is permitted to continue its journey through the network. This means it will be forwarded to its destination. On the other hand, if a packet matches a "block" rule, it is denied further access and discarded, preventing it from reaching its intended destination.

- Default Policy: In addition to specific filtering rules, network devices often have a default policy in place. This policy defines the action to be taken if a packet does not match any of the configured rules. The default policy is typically set to either "allow" or "block" all packets that do not have a matching rule.
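The Python below is an added example, not part of the original slides, that ties the packet-filtering steps just described (header examination, ordered rules, first-match decision, default policy) to the stateful versus stateless distinction from the firewall key concepts. A stateless filter evaluates each packet against the rule list in order and falls back to the default policy; the stateful variant adds a connection table so the reply to an allowed outbound connection is admitted even though no inbound rule permits it. The `Packet` and `Rule` classes, the rule set and all addresses are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# All addresses, rules and sample packets below are constructed for illustration.


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the external network, "out" = leaving the internal network
    proto: str       # "tcp", "udp", ...
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    direction: Optional[str] = None  # None means "match any" for every optional field
    proto: Optional[str] = None
    src_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all((
            self.direction in (None, p.direction),
            self.proto in (None, p.proto),
            self.src_ip in (None, p.src_ip),
            self.dst_port in (None, p.dst_port),
        ))


class StatelessFilter:
    """Evaluates rules in order; the first match wins, otherwise the default policy applies."""

    def __init__(self, rules, default_policy="block"):
        self.rules = list(rules)
        self.default_policy = default_policy

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default_policy


class StatefulFilter(StatelessFilter):
    """Adds a connection table so replies to allowed outbound traffic get back in."""

    def __init__(self, rules, default_policy="block"):
        super().__init__(rules, default_policy)
        # Entries are (proto, internal_ip, internal_port, external_ip, external_port).
        self.connections = set()

    def decide(self, p: Packet) -> str:
        if p.direction == "in":
            # For a reply, the packet's destination is our internal host and its source is the peer.
            if (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.connections:
                return "allow"
        action = super().decide(p)
        if action == "allow" and p.direction == "out":
            self.connections.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return action


RULES = [
    # Inbound web traffic only from one partner address; all other inbound falls to the default.
    Rule("allow", direction="in", proto="tcp", src_ip="203.0.113.10", dst_port=80),
    Rule("allow", direction="out"),
]

SAMPLE_PACKETS = [
    Packet("in", "tcp", "203.0.113.10", 40000, "192.0.2.5", 80),    # partner to web server
    Packet("in", "tcp", "198.51.100.7", 40000, "192.0.2.5", 80),    # stranger to web server
    Packet("out", "tcp", "192.0.2.5", 51000, "198.51.100.7", 443),  # internal host opens HTTPS
    Packet("in", "tcp", "198.51.100.7", 443, "192.0.2.5", 51000),   # the HTTPS reply
    Packet("in", "tcp", "198.51.100.7", 443, "192.0.2.5", 51001),   # unsolicited, no matching connection
]


def run_both() -> dict:
    """Return the decision each filter type makes for the sample packets, in order."""
    stateless = StatelessFilter(RULES)
    stateful = StatefulFilter(RULES)
    return {
        "stateless": [stateless.decide(p) for p in SAMPLE_PACKETS],
        "stateful": [stateful.decide(p) for p in SAMPLE_PACKETS],
    }


if __name__ == "__main__":
    for kind, decisions in run_both().items():
        print(kind, decisions)
```

Note that the fourth packet is the only one the two filters disagree on: the stateless filter has no inbound rule for it and drops it under the default policy, which is exactly the situation the slide describes stateful inspection as solving.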
APPLICATION PROXIES

- Application proxies, also known as application-level gateways, are security components that provide an intermediary between clients and servers for specific applications or protocols. They act as intermediaries at the application layer of the network stack and facilitate secure communication between clients and servers.

- An application proxy or application proxy server receives requests intended for another server and acts as the proxy of the client to obtain the requested service. You often use an application proxy server when the client and the server are incompatible for direct connection. For example, the client cannot meet the security authentication requirements of the server but needs to be permitted some services.

- If you access the Internet through an application proxy, some Universal Connection applications might use the proxy. However, you must ensure that you select a configuration method that allows the remainder of your service information to connect through Universal Connection from your system to IBM without going through the application proxy.
HOW APPLICATION PROXIES WORK

An application proxy:

- Breaks the TCP/IP connection between a client and server, while IP forwarding is not required
- Hides the internal client IP addresses; only the public IP address of the proxy server is visible from the external network
- Provides detailed access logs
- Authenticates users
- Caches information

- The most common type of proxy is the Hypertext Transfer Protocol (HTTP) proxy. Most HTTP proxies also handle Hypertext Transfer Protocol Secure (HTTPS) and File Transfer Protocol (FTP). The Simple Mail Transfer Protocol (SMTP) mail relay is an example of an application proxy.

- The main drawback of application proxies is that they must support the application for which they are performing the proxy function. Many TCP/IP applications are not supported by proxy servers. In addition, application proxies do not typically encrypt service information.
NETWORK ADDRESS TRANSLATION

- NAT stands for network address translation. It's a way to map multiple private addresses inside a local network to a public IP address before transferring the information onto the internet. Organizations that want multiple devices to employ a single IP address use NAT, as do most home routers.

How Does NAT Work?

- Let's say that there is a laptop connected to a home network using NAT. That network eventually connects to a router that addresses the internet. Suppose that someone uses that laptop to search for directions to their favorite restaurant. The laptop is using NAT. So, it sends this request in an IP packet to the router, which passes that request along to the internet and the search service you're using. But before your request leaves your home network, the router first changes the internal IP address from a private local IP address to a public IP address. Your router effectively translates the private address you're using to one that can be used on the internet, and then back again. Now you know that your humble little cable modem or DSL router has a little, automated translator working inside of it.

- If the packet keeps a private address, the receiving server won't know where to send the information back to. This is because a private IP address cannot be routed onto the internet. If your router were to try doing this, all internet routers are programmed to automatically drop private IP addresses. The nice thing is, though, that all routers sold today for home offices and small offices can readily translate back and forth between private IP addresses and publicly-routed IP addresses.
TYPES OF NETWORK ADDRESS TRANSLATION

- Static NAT: When the local address is converted to a public one, this NAT chooses the same one every time. This means there will be a consistent public IP address associated with that router or NAT device.

- Dynamic NAT: Instead of choosing the same IP address every time, this NAT goes through a pool of public IP addresses. This results in the router or NAT device getting a different address each time the router translates the local address to a public address.

- PAT: PAT stands for port address translation. It's a type of dynamic NAT, but it binds several local IP addresses to a single public one. Organizations that want all their employees' activity to use a single IP address use PAT, often under the supervision of a network administrator.
PORT ADDRESS TRANSLATION

- PAT is an extension of NAT that permits multiple devices on a LAN to be mapped to a single public IP address to conserve IP addresses.

- PAT is similar to port forwarding except that an incoming packet with a destination port (external port) is translated to a packet with a different destination port (an internal port). The Internet Service Provider (ISP) assigns a single IP address to the edge device. When a computer logs on to the Internet, this device assigns the client a port number that is appended to the internal IP address, giving the computer a unique IP address.

- If another computer logs on to the Internet, this device assigns it the same public IP address, but a different port number. Although both computers share the same public IP address, this device knows which computer to send its packets to, because the device uses the port numbers to assign the packets the unique internal IP address of the computers.

- With Port Address Translation (PAT), a single public IP address is used for all internal private IP addresses, but a different port is assigned to each private IP address. This type of NAT is also known as NAT Overload and is the typical form of NAT used in today's networks. It is even supported by most consumer-grade routers.

- PAT allows you to support many hosts with only a few public IP addresses. It works by creating a dynamic NAT mapping, in which a global (public) IP address and a unique port number are selected. The router keeps a NAT table entry for every unique combination of the private IP address and port, with translation to the global address and a unique port number.
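The following Python is an added example, not from the original slides, of the PAT (NAT overload) table described in the NAT and PAT sections above. One `PatRouter` holds a single public address; each outbound (private IP, private port) pair is allocated its own public port on first use, replies are mapped back through the same table, and an inbound packet with no table entry is dropped, which is the reason a host behind PAT is not reachable from the Internet unless it opened the connection. The class, the `Packet` type and all addresses are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional

# Addresses below are constructed (RFC 1918 private space and documentation ranges).


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """NAT overload: every internal (ip, port) pair gets its own port on one public address."""

    def __init__(self, public_ip: str, first_public_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_public_port)
        self.out_table = {}  # (private_ip, private_port) -> public_port
        self.in_table = {}   # public_port -> (private_ip, private_port)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite the source of a packet leaving the LAN; allocate a mapping on first use."""
        key = (p.src_ip, p.src_port)
        if key not in self.out_table:
            public_port = next(self._ports)
            self.out_table[key] = public_port
            self.in_table[public_port] = key
        return Packet(self.public_ip, self.out_table[key], p.dst_ip, p.dst_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite the destination of a packet arriving from the Internet.

        Returns None (drop) when no internal host opened that mapping, which is
        why unsolicited inbound traffic cannot reach a host behind PAT.
        """
        if p.dst_ip != self.public_ip:
            return None
        mapping = self.in_table.get(p.dst_port)
        if mapping is None:
            return None
        private_ip, private_port = mapping
        return Packet(p.src_ip, p.src_port, private_ip, private_port)


def demo() -> dict:
    """Two LAN hosts that happen to use the same local port toward the same web server."""
    router = PatRouter("203.0.113.1")
    a_out = router.outbound(Packet("10.0.0.5", 50000, "198.51.100.80", 443))
    b_out = router.outbound(Packet("10.0.0.6", 50000, "198.51.100.80", 443))
    # The server replies to the translated port; the router returns it to the right host.
    reply_to_b = router.inbound(Packet("198.51.100.80", 443, "203.0.113.1", b_out.src_port))
    # Nothing inside opened public port 40002, so this packet is dropped.
    unsolicited = router.inbound(Packet("198.51.100.99", 12345, "203.0.113.1", 40002))
    return {
        "a_public_port": a_out.src_port,
        "b_public_port": b_out.src_port,
        "reply_to_b_dst": (reply_to_b.dst_ip, reply_to_b.dst_port),
        "unsolicited_dropped": unsolicited is None,
        "table_entries": len(router.out_table),
    }


if __name__ == "__main__":
    print(demo())
```

Both hosts chose local port 50000, so the private port alone could not distinguish them; the table keyed on the full (private IP, private port) pair is what keeps the two flows apart, matching the slide's "unique combination of the private IP address and port".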
OTHER EXAMPLES OF LOGICAL CONTROLS

- Access Control: Access control mechanisms are a fundamental part of logical controls. They ensure that only authorized individuals or entities can access and interact with information resources. Access control can be implemented through various means, such as:
  - User Authentication: Usernames, passwords, PINs, or biometric authentication methods (fingerprint, facial recognition) are used to verify the identity of users before granting access to systems or data.
  - Authorization: Once users are authenticated, authorization determines their level of access rights or privileges based on their roles or permissions within the system. Role-based access control (RBAC) is a common method for managing user access privileges.
  - Access Control Lists (ACLs): ACLs define specific permissions or restrictions for individual users or groups to access or perform certain actions on files, folders, or resources.
  - Single Sign-On (SSO): SSO allows users to authenticate once and access multiple systems or applications without needing to provide credentials repeatedly.
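As an added example that is not part of the original slides, the Python below shows the three access-control pieces listed above working together: password authentication against a salted PBKDF2 hash (Python's standard `hashlib`), role-based authorization from a role-to-permission table, and per-resource ACL entries that refine what the roles grant, with an explicit deny taking precedence. The users, roles, resources and the `access_request` helper are all constructed for the illustration.

```python
import hashlib
import hmac
import os

# Users, roles and ACLs below are constructed sample data.

PBKDF2_ITERATIONS = 100_000


def make_credential(password: str) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the store holds (salt, digest), never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def authenticate(users: dict, username: str, password: str) -> bool:
    """Verify identity; unknown users and wrong passwords give the same answer."""
    record = users.get(username)
    if record is None:
        return False
    salt, digest = record["credential"]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "engineer": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

# Per-resource ACLs: explicit per-user entries layered over the role grants.
ACLS = {
    "/finance/q3.xlsx": {"deny": {"bob": {"read", "write", "delete"}}},
    "/wiki/runbook": {"allow": {"alice": {"write"}}},
}


def authorize(users: dict, username: str, action: str, resource: str) -> bool:
    """Explicit ACL deny wins, then explicit ACL allow, then role permissions; default deny."""
    acl = ACLS.get(resource, {})
    if action in acl.get("deny", {}).get(username, set()):
        return False
    if action in acl.get("allow", {}).get(username, set()):
        return True
    roles = users.get(username, {}).get("roles", set())
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


USERS = {
    "alice": {"roles": {"analyst"}, "credential": make_credential("correct horse")},
    "bob": {"roles": {"admin"}, "credential": make_credential("battery staple")},
}


def access_request(users: dict, username: str, password: str, action: str, resource: str) -> str:
    """Authentication first, then authorization; returns the decision as a short label."""
    if not authenticate(users, username, password):
        return "unauthenticated"
    return "granted" if authorize(users, username, action, resource) else "denied"


if __name__ == "__main__":
    print(access_request(USERS, "alice", "correct horse", "write", "/wiki/runbook"))   # granted via ACL
    print(access_request(USERS, "bob", "battery staple", "read", "/finance/q3.xlsx"))  # denied via ACL
```

The ordering inside `authorize` is the point worth noticing: an administrator role does not override a per-resource deny, and a read-only role can still be extended for one resource by an ACL allow, which is how RBAC and ACLs are commonly combined in practice.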
OTHER EXAMPLES OF LOGICAL CONTROLS

- Secure Configuration Management: Logical controls also involve ensuring that systems and software are securely configured to minimize vulnerabilities. This includes:
  - Patch Management: Regularly applying security patches and updates to operating systems, applications, and firmware to address known vulnerabilities.
  - Secure Default Settings: Configuring systems and software with secure default settings and disabling unnecessary or insecure services or features.
  - Security Configuration Baselines: Defining and implementing security configuration baselines for various systems and platforms, following industry best practices or standards.

- Encryption: Encryption is a crucial logical control that protects data confidentiality. It involves transforming data into an unreadable form using cryptographic algorithms. Only authorized individuals with the corresponding decryption keys can access and interpret the encrypted data. Examples of encryption techniques include:
  - Symmetric Encryption: A single key is used for both encryption and decryption. It is typically faster but requires secure key management.
  - Asymmetric Encryption: Two keys, a public key for encryption and a private key for decryption, are used. This method offers secure key exchange and digital signatures.
OTHER EXAMPLES OF LOGICAL CONTROLS

- Logging and Auditing: Logging and auditing controls involve the systematic recording and analysis of system and user activities. This includes:
  - Event Logging: Capturing and storing system logs, including user activities, authentication events, system events, and network traffic logs.
  - Log Monitoring: Analyzing log data to detect security incidents, identify anomalies, and support forensic investigations.
  - Regular Auditing: Conducting periodic audits to ensure compliance with security policies, detect unauthorized activities, and assess the effectiveness of security controls.
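To make the log monitoring item concrete, the Python below is an added example (not from the original slides) of analyzing authentication event logs for a security incident: it parses constructed sshd-style lines, keeps a sliding window of failed logins per source address, raises a finding when the failures cross a threshold, and raises a second, higher-priority finding if a successful login from that same address follows. The log lines, the regular expression, the threshold and the `detect`/`analyze` functions are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines; the hosts and users are not real events.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 50001 ssh2
2024-05-01T10:00:09Z sshd[1202]: Failed password for root from 198.51.100.23 port 50002 ssh2
2024-05-01T10:00:17Z sshd[1203]: Failed password for invalid user test from 198.51.100.23 port 50003 ssh2
2024-05-01T10:00:30Z sshd[1204]: Accepted password for alice from 10.0.0.7 port 51000 ssh2
2024-05-01T10:00:41Z sshd[1205]: Failed password for bob from 198.51.100.23 port 50004 ssh2
2024-05-01T10:00:55Z sshd[1206]: Failed password for bob from 203.0.113.9 port 50100 ssh2
2024-05-01T10:01:02Z sshd[1207]: Failed password for bob from 198.51.100.23 port 50005 ssh2
2024-05-01T10:01:20Z sshd[1208]: Accepted password for bob from 198.51.100.23 port 50006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text: str):
    """Yield one event dict per recognised line; unrecognised lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        }


def detect(events, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Flag source IPs with >= threshold failures inside the window, and any success that follows."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = set()
    findings = []
    for ev in events:
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # slide the window forward
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                findings.append({"type": "brute_force", "ip": ev["ip"], "failures": len(q)})
        elif ev["ip"] in flagged:
            # A success from an address already flagged deserves an incident, not just an alert.
            findings.append({"type": "success_after_brute_force", "ip": ev["ip"], "user": ev["user"]})
    return findings


def analyze(text: str = SAMPLE_LOG) -> list:
    return detect(parse_events(text))


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

The address with one failure never reaches the threshold and produces nothing, while the ordinary successful login from the internal host is ignored; only the address that crossed the threshold and then succeeded produces both findings, which is the signal an analyst would want escalated for the forensic follow-up the slide mentions.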
PHYSICAL CONTROLS

- Physical security is a set of measures designed to prevent unauthorized access to a facility, building, or location and protect against damage or harm to people and assets within that location. It involves the use of various techniques and technologies to secure the perimeter of a location, as well as to protect against intrusions and attacks.

- Physical security controls include such things as data center perimeter fencing, locks, guards, access control cards, biometric access control systems, surveillance cameras, and intrusion detection sensors.

- Every company with computers has a network and data to protect. These are super essential, but intangible things that only exist as bytes on a wire or disk. But what about the rest of the company's physical assets, the stuff? Property, buildings, equipment, furniture, paperwork, snacks, all the physical things that make up any company's sum total of assets.

- IT is always concerned with protecting the network, data, and access, but the best infosec policies and firewalls are nothing if someone can get into your building and steal desktops, paperwork, or even servers. Also, gaining network access is a whole lot easier if you can just bypass the firewall and plug straight into a network port, so physical security and infosec are directly related. Physical security controls are the individual layers of protection that reduce risk to the organization's physical assets.
EXAMPLES OF PHYSICAL CONTROLS

- Closed-circuit surveillance cameras
- Motion or thermal alarm systems
- Security guards
- Picture IDs
- Locks
- Locked and dead-bolted steel doors
- Biometrics (includes fingerprint, voice, face, iris, handwriting, and other automated methods used to recognize users)
ADMINISTRATIVE CONTROLS

- Administrative controls refer to policies, procedures, or guidelines that define personnel or business practices in accordance with the organization's security goals. These can apply to employee hiring and termination, equipment and Internet usage, physical access to facilities, separation of duties, data classification, and auditing. Security awareness training for employees also falls under the umbrella of administrative controls.

- While administrative controls may rely on technology or physical controls for enforcement, the term is generally used for policies and procedures rather than the tools used to enforce them. For example, a BYOD policy is an administrative control, even though the security checkpoints, scanners, or wireless signal-blocking tools used to enforce the policy would be physical controls.

- Administrative controls (also called work practice controls) are used in the workplace to reduce or limit the exposure to a specific hazard. This kind of hazard control works by changing how work is done when elimination, substitution, or the use of engineering controls is not feasible. In the Hierarchy of Controls, administrative efforts rank fourth for effectiveness and efficiency. Administrative controls are not seen as being as effective as other controls because they are at risk of human error and are typically used as a temporary solution rather than a sustainable, long-term solution.

- Basically, administrative security controls are used for the "human factor" inherent to any cybersecurity strategy. They can be used to set expectations and outline consequences for non-compliance. Meanwhile, physical and technical controls focus on creating barriers to illicit access, whether those are physical obstacles or technological solutions to block in-person or remote access.
EXAMPLES OF ADMINISTRATIVE CONTROLS

- Training: Workers should be trained to identify hazards, monitor hazard exposure, and follow safe procedures for working around the hazard. Additionally, employees should know how to protect themselves and their co-workers.

- Procedures: The steps in a job process may need to be rearranged or updated to keep the worker from encountering the hazard. Developing standardized safe work practices is an important step.

- Maintenance: Having a maintenance schedule for machines known to be hazardous can keep everything running smoothly and safely. Preventive maintenance will address any equipment issues before they become a problem.

- Housekeeping: Sustaining a clean and clutter-free space will greatly reduce the risk of injury and can minimize the severity of an accident.

- Signs: Wall signs and floor signs can be posted or installed to enforce administrative controls. Visual cues can remind workers which areas are prohibited from entering, when breaks need to be taken to limit heat exposure, and much more.
OTHER EXAMPLES OF ADMINISTRATIVE CONTROLS

- Security education, training and awareness programs;
- A policy of least privilege (though it may be enforced with technical controls);
- Bring your own device (BYOD) policies;
- Password management policies;
- Incident response plans (which will leverage other types of controls); and
- Personnel management controls (recruitment, account generation, etc.).
OTHER CLASSIFICATIONS OF INFORMATION SECURITY CONTROLS

- Technical Controls: Technical controls are implemented through technology and software solutions to protect information systems and data. These controls include firewalls, intrusion detection and prevention systems (IDS/IPS), encryption mechanisms, access control mechanisms (e.g., authentication, authorization), antivirus software, secure coding practices, secure configuration management, and network segmentation. Technical controls provide safeguards at the system and network level to protect against various security threats.

- Communication Controls: Communication controls focus on securing the transmission and exchange of information between systems and networks. These controls include secure communication protocols (e.g., SSL/TLS), virtual private networks (VPNs), secure email gateways, secure file transfer protocols (SFTP), and network encryption. Communication controls protect data in transit and prevent unauthorized interception or tampering.

- Backup and Recovery Controls: Backup and recovery controls ensure the availability and integrity of data by implementing regular data backups, offsite storage, data recovery procedures, and testing the restore process. These controls mitigate the risks associated with data loss, system failures, or natural disasters, enabling organizations to restore critical data and resume normal operations.

- Monitoring and Detection Controls: Monitoring and detection controls involve the continuous monitoring of systems, networks, and activities to detect and respond to security incidents promptly. They include security information and event management (SIEM) systems, intrusion detection systems (IDS), intrusion prevention systems (IPS), log monitoring, and real-time alerting mechanisms. Monitoring controls enable the identification of potential security threats and facilitate timely response and remediation.

- Each category of information security controls plays a vital role in protecting information assets and ensuring the overall security of an organization. Implementing a combination of controls from different categories helps create a layered defense approach, strengthening the organization's security posture and mitigating risks effectively. The selection and implementation of appropriate controls depend on factors such as the organization's risk appetite, industry regulations, and the specific security requirements of its information assets.
THANK YOU