Module - 4 Information Systems Operations and Management Chapter 2 Information Systems Operations

Operation: Helpdesk & User Assistance

Help desk is a resource intensive function implemented by the IT department, to support users for using Information systems.

IT department caters to users with various services such as –
a. Email
b. Internet
c. ERP
d. Database Management System
e. Active Directory
f. PC Desktop and Peripherals
g. Software
h. Network

Help desk personnel can be contacted by the user in the following manners –
a. Intercom
b. Call Centre
c. Email
d. Chatting
e. Video Conferencing
f. Messenger Chatting
g. Physically attending the user

Helpdesk personnel help the user for various hurdles related to the Information systems and try to resolve them as given below –
a. Password reset
b. Software related issues
c. Drive related issues
d. Network related issues
e. Database related issues
f. Email related issues
g. Internet related issues

Levels of Help desk support -
There are the following types of help desk support categories available, either through a call centre or an in-house help desk facility -

Level 0 Helpdesk - Mostly, Level 0 support is automated and self-service type of support, wherein a user can solve the problem him/herself. Self-services such as password/s resetting fall in this category of help desk.

Level 1 Helpdesk - Level 1 support is given for other basic services such as configuration changes and troubleshooting. Users can talk to helpdesk personnel about issues such as password reset support and email support. If helpdesk personnel are unable to resolve the issue, then the issue is escalated to the next level, i.e. Level 2. Level 1 support is considered as “first aid” support.

Level 2 Helpdesk - Level 2 support is provided by supervisory staff of Level 1 personnel, for escalated issues such as advanced troubleshooting and installation of computing devices or software.

Level 3 Helpdesk - Level 3 support is the next level of advanced troubleshooting. If an incident is not solved and gets elevated to this level, it is considered as a “Problem” and resolution may require substantial changes to the system. The change management process may be invoked for this level of support.

Level 4 Helpdesk - Level 4 support is generally given by the device manufacturer or system developer. If an issue has come to this level, it may be required to be resolved by launching a new release or version of the device or product.

Operations Performance Measurement

Some important operations performance metrics are as follows –

Availability
Availability is the measurement of continued operation of an Information System for a user. Mean Time Between Failure (MTBF) over a period of time is the metric of IS system availability. It measures the system performance and serviceability to the users of an organisation.

Incident
An incident is a deviation from the normal operations of an IS system. Any incident that occurs needs remedial action to restore the operations of the IS system. The restoration time of the system, including the incident period, is the measure of downtime of the system.

Quality
Quality of an IS system is a measure of the intended performance in the intended time at the intended place.

Productivity
IS system productivity is a measure of the rate of doing work of a resource such as a system or a human resource. This needs to be measured in combination with quality.

Return on Investment (ROI)
Return on Investment (ROI) measures the gain or loss generated on an investment relative to the amount of money invested. ROI is usually expressed as a percentage.

Value Creation
If a system provides the desired functioning and is cost effective with the desired productivity and quality, then the system is said to be creating “value” for its users.
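An added example, not part of the chart, that computes the availability metrics defined above (availability percentage, MTBF and the related mean time to restore) from a constructed incident register, treating the whole restoration time of each incident as downtime. It also rejects overlapping or out-of-period records, which would otherwise double-count downtime; the dates and durations are constructed.

```python
from datetime import datetime

# Constructed incident register for one IS system over a 30-day reporting period.
# Each entry is (incident start, time the service was restored); the chart counts
# the whole restoration time, incident period included, as downtime.
PERIOD_START = datetime(2024, 1, 1)
PERIOD_END = datetime(2024, 1, 31)
INCIDENTS = [
    (datetime(2024, 1, 3, 9, 0), datetime(2024, 1, 3, 11, 30)),    # 2.5 h outage
    (datetime(2024, 1, 12, 22, 0), datetime(2024, 1, 13, 1, 0)),    # 3.0 h outage
    (datetime(2024, 1, 25, 14, 0), datetime(2024, 1, 25, 14, 30)),  # 0.5 h outage
]


def hours(delta):
    return delta.total_seconds() / 3600


def check_incidents(period_start, period_end, incidents):
    """Reject records that would distort the metrics: outside the period, negative, or overlapping."""
    last_end = period_start
    for start, end in sorted(incidents):
        if start < period_start or end > period_end:
            raise ValueError("incident outside reporting period")
        if end <= start:
            raise ValueError("restoration time must be after incident start")
        if start < last_end:
            raise ValueError("overlapping incidents; merge them before measuring")
        last_end = end


def total_downtime(incidents):
    """Sum of restoration times in hours (incident period included)."""
    return sum(hours(end - start) for start, end in incidents)


def availability(period_start, period_end, incidents):
    """Percentage of the period during which the system was available to users."""
    check_incidents(period_start, period_end, incidents)
    period = hours(period_end - period_start)
    return (period - total_downtime(incidents)) / period * 100


def mtbf(period_start, period_end, incidents):
    """Mean Time Between Failures: operating hours divided by the number of failures."""
    check_incidents(period_start, period_end, incidents)
    if not incidents:
        return float("inf")
    up = hours(period_end - period_start) - total_downtime(incidents)
    return up / len(incidents)


def mttr(incidents):
    """Mean Time To Restore: average downtime per incident."""
    if not incidents:
        return 0.0
    return total_downtime(incidents) / len(incidents)


if __name__ == "__main__":
    print(f"availability {availability(PERIOD_START, PERIOD_END, INCIDENTS):.2f}%")
    print(f"MTBF {mtbf(PERIOD_START, PERIOD_END, INCIDENTS):.1f} h, "
          f"MTTR {mttr(INCIDENTS):.1f} h")
```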

58 www.prokhata.com
CA Rajat Agrawal

CHAPTER 3:
SOFTWARE OPERATIONS & MANAGEMENT
Introduction to Software Infrastructure

Layers: Hardware – System Software – Application Software – User

Hardware
• Motherboard
• Firmware
• Device driver software
• Peripherals like printers, scanners, USB hard drives

System Software
Operating System – Installed on hard disk. Intermediary between a user of a computer and the computer hardware. Commands and controls the CPU (Central Processing Unit) and memory of the system. Windows, Unix, Linux, iOS etc.
Objectives of the Operating System:
• Process Management (Processor Management)
• Memory Management
• File Management
• I/O-System Management
• Secondary storage Management
• Networking
• Protection System
• Command-Interpreter System or GUI
Other System Software:
• Command Line Interface Interpreter (CLI) – DOS
• Graphical User Interface (GUI) – Windows
Application Programming Interface (API) – API provides interfaces to an application programmer, which are used in programs, so that application software is able to “connect” to System Software. All the commands issued in application software are given to the underlying operating system, which completes the command on the underlying hardware.

Application Software
• Packaged Software – technical use (Middleware): Transaction servers, Message queuing software, Databases e.g. SQL Server, Oracle, Readymade web development platforms e.g. IBM’s Web-sphere, Microsoft BizTalk, Joomla, Microsoft Sharepoint
• Packaged Software – Commerce (routine office work): MS Office, Open Office, Office collaboration software e.g. workflow etc.
• Communication Software: Internet browser, Email software, chat software
• Engineering Software: Computer Aided Design (CAD), Computer Aided Manufacturing (CAM)
• Knowledge Software: provides information processing such as Knowledge Management System (KMS), Expert System and Simulation Software etc.

Software Testing
A team of software testers performs software testing rigorously within a stipulated time-frame and generates a defects report for the software development team. Software developers do not test their own programs (apart from Unit Testing).

Software Testing Types
• Manual Testing – The tester performs these tests on a test site by preparing test cases and test data. Results of the test are documented and undesired functioning is reported to developers (e.g. defects, bugs, invalid cases etc).
• Automation Testing – Automation tools such as Selenium, HP-UFT and Ranorex etc. are available to test a software, generally modern web-based systems.
• Hybrid Testing – Human perspective is tested during manual testing whereas automated testing is used for manually cumbersome testing, e.g. performance testing with large data.

Software Testing Approaches
• White Box Testing – The tester, who is knowledgeable about the internal working of the software, performs the testing for technical performance, volume of data etc.
• Black Box Testing – Functional testing; the tester does not know the internal structure of the software. The tester submits input to the software and expects the specified output.
• Grey Box Testing – Performs both Black Box and, to some extent (not fully), White Box testing.

Software Testing Levels
• Unit Testing – Each program (unit) is tested, performed by the developer him/herself.
• Integration/Interface Testing – Top Down Approach, Bottom Up Approach, Sandwich Approach: start at the top or bottom level and, depending on the situation, move downward or upward.
• System Testing
• User Acceptance Testing (UAT) – The user department, for which the software is developed, is given the software on a test site for user-level testing.

Software Maintenance
Software maintenance is any change done to a software after it is in operation: Error corrections, Alteration, Deletion, performance Optimization, Security patches updation.

Categories of Maintenance

Preventive maintenance – Proactive approach. Software developers may do preventive maintenance since they know design and/or programming level shortcomings.
Corrective Maintenance – Reactive approach. When a defect or error arises in the working of a software, a corrective measure is taken by making changes to program(s).
Adaptive Maintenance – Making software suitable for a new environment, especially upgraded hardware and operating system.
Perfective Maintenance – Proactive approach. Software developers on their own may keep on changing the software and releasing new versions.
a. Making alteration for betterment
b. Fast processing
c. Addition of features
d. Portability
e. Scalability
f. Agile
g. Well documentation
h. Security enhancement

Software Maintenance Process

Scope of Maintenance Job – The purpose of software maintenance may be preventive, corrective, adaptive and perfective.
Plan of the Maintenance – The user department along with the IT department (in-house or outsourced) makes a proposal for the maintenance activity. Business impact of the change, cost, time and resources needed are discussed and planned.
Software Maintenance – Stakeholders are informed about the maintenance schedule and the expected window of downtime. Any delay or scope creep (additional scope) makes the software maintenance activity unproductive for the organisation.
Software testing – After maintenance is done, software testing is performed.
Go-Live – After successful maintenance and subsequent testing, the software is made “Go live” and available to the user department and various stakeholders for day-to-day use.

Challenges of Maintenance

Change – Programmers who originally developed the software may not be available, and new developers may take time to understand the work done by the original developers.
Structure of the software – Hurdles in maintenance because developed programs may be person (programmer)-dependent.
Understanding of Scope of Work – If requirements gathering (of software) is not done correctly and in an atomic (lowest possible level) manner with users, then the software may not work as desired. Software baselining should be done along with the user department to avoid such situations.
Scalability issue – Capable of expanding to business and technical situations, e.g. faster or enhanced hardware.

System Architecture
User – Web Server (Presentation tier / public facing tier) – Application Server (Business tier or logic tier) – Database Server

DBMS - Database Management System

Data – Facts and figures about a situation. Data needs to be processed with a program (processing instructions) to get meaningful information.

Type of Database – Object oriented, Relational, Network, Hierarchical. RDBMS is the most widely used.

Entity
• Person entity: Employee, student, patient
• Place entity: State, region, branch etc
• Object entity: Machine, Building, Automobile etc
• Event entity: Sale, Registration, Renewal etc.
• Concept entity: Account, Course, Work Centre, Desk

Sequential Query Language (SQL) Components
Data Definition Language – DDL: Create table, Drop table, Alter table
Data Manipulation Language – DML: 4 commands Insert, Update, Delete, Select records in a table
Data Control Language – DCL: Grant access or Revoke access

Schema
Physical Schema: Design of data stored in the database on secondary storage.
Conceptual Schema: Logical design of the database into rows and columns, mapped to the physical schema; used by database designers, DBAs and programmers in software development.
External Schema: User views the database at user level; used to interact with the users.

Security
Multiple views, Key Reference, ACID Test, Data Integrity.
Other related security controls:
i. Strong and Multifactor authentication
ii. Segregation of web server and RDBMS server
iii. Encrypted data in database
iv. Use of Web application Firewall
v. Patching
vi. Audit logging

RDBMS Table – Rows, Column, Tuple.
Relation: A relation is shown through one or more tables.
Metadata: Data about data, similar to the index of a book.

DBMS views – Developers ensure name dependent, content dependent and context dependent controls through views.

Keys
Primary Key – Column/s which can uniquely identify a record (tuple) in a database table. No two rows have the same primary key. Primary key cannot be null.
Foreign Key – Column in a table which is the primary key of another table. This is the basis for “Referential Integrity” between the two tables. If a link (referential link) is established, the primary key cannot be deleted or modified.

Multiuser and Concurrent Access – Concurrency controls (such as ACID transactions) need to be ensured so that transactions are properly updated in database tables.

ACID Properties: A is Atomicity, C is Consistency, I is Isolation and D is Durability.
Atomicity – “Either a transaction is completed or not done at all”. A transaction has one or more debits and one or more credits. A transaction should be defined in such a way that both the debit/s and credit/s are completed or none takes place.
Consistency – A transaction should be defined in such a way that it leaves the database in a consistent state.
Isolation – RDBMS supports transactions of many users at the same time. A transaction should be defined in such a way that another transaction does not have an effect on any other transaction.
Durability – Longevity of the transaction: once it is committed, i.e. completed and saved, it is written to persistent storage, i.e. secondary storage or hard disk.

Data Integrity – Maintained by programming various constraints applied to data; a “check” constraint on an age column can be set to 18 to 60 years.

Isolation of data and application – Data isolation is possible in an RDBMS because the conceptual (logical) schema cannot be seen by the database designer or DBA or programmer. It is internally mapped to the physical schema by the RDBMS software.

Normalization – Record-design technique developed by Dr Codd to avoid certain design anomalies. Process of breaking down a table into more tables until the other columns in the table are dependent only on the key column/s of the table.

Transaction – A transaction is a unit of work done on a database. Inserting a record in a table is an “Insert” transaction.
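An added example, not part of the chart, using Python’s sqlite3 module to exercise three of the controls described above: a “check” constraint on an age column (18 to 60), referential integrity between a foreign key and the primary key it references, and atomicity of a debit/credit transaction that is rolled back as a whole when one half fails. The tables and values are constructed; isolation and durability are not shown.

```python
import sqlite3


def open_db():
    """In-memory database with the constructed schema; SQLite enforces foreign keys only when switched on."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript("""
        CREATE TABLE department (
            dept_id INTEGER PRIMARY KEY,
            name    TEXT NOT NULL
        );
        CREATE TABLE employee (
            emp_id  INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            age     INTEGER NOT NULL CHECK (age BETWEEN 18 AND 60),  -- "check" constraint
            dept_id INTEGER NOT NULL REFERENCES department(dept_id)  -- foreign key
        );
        CREATE TABLE account (
            acct_id INTEGER PRIMARY KEY,
            balance INTEGER NOT NULL CHECK (balance >= 0)
        );
        INSERT INTO department VALUES (10, 'Audit');
        INSERT INTO employee   VALUES (1, 'Asha', 34, 10);
        INSERT INTO account    VALUES (1, 500), (2, 100);
    """)
    return con


def insert_employee(con, emp_id, name, age, dept_id):
    """True if the row was accepted, False if a CHECK or FOREIGN KEY constraint rejected it."""
    try:
        with con:  # commit on success, rollback if an exception escapes the block
            con.execute("INSERT INTO employee VALUES (?, ?, ?, ?)",
                        (emp_id, name, age, dept_id))
        return True
    except sqlite3.IntegrityError:
        return False


def delete_department(con, dept_id):
    """Referential integrity: a primary key that is referenced by a foreign key cannot be deleted."""
    try:
        with con:
            con.execute("DELETE FROM department WHERE dept_id = ?", (dept_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def transfer(con, src, dst, amount):
    """Atomicity: credit first, then debit; if the debit violates balance >= 0, the credit is rolled back too."""
    try:
        with con:
            con.execute("UPDATE account SET balance = balance + ? WHERE acct_id = ?",
                        (amount, dst))
            con.execute("UPDATE account SET balance = balance - ? WHERE acct_id = ?",
                        (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


def balances(con):
    return dict(con.execute("SELECT acct_id, balance FROM account ORDER BY acct_id"))
```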

Network Services

Interconnected Computers
• Local Area Network (LAN) – Room or a building
• Wide Area Network (WAN) – Different geographic areas. Requires services of a network service provider.
• Metropolitan Area Network (MAN) – Metropolitan area such as a city. Requires services of a network service provider.
• Personal Area Network (PAN) – Personal workspace
• Storage Area Network (SAN) – Storing large amounts of data
• Virtual Private Network (VPN)

TCP/IP (DARPA) / ISO OSI
The TCP/IP protocol is given in the following – A user submits his/her data to be sent to another connected computer.
• Application Layer – Data is taken and broken down into packets by the Application Layer of TCP/IP.
• Transport Layer – The TCP layer assures data delivery to the final receiver by taking acknowledgement of each data packet.
• Internet Layer – The Internet Layer (IP and other routing protocols) provides a correct path to the packets by routing them through a network of devices such as switches, routers, servers etc.
• Link Layer – The Link layer converts the packets into bits and puts them on wire (copper wire or fibre optic etc) or through air, by using the Ethernet protocol.
When packets finally reach the destination, they are assembled back into data and are given to the application software of the final receiver. The packets go through the reverse journey from Link Layer to IP to TCP and then to Application Layer.

Internet Services
• In Home – Broadband
• In Organisation – Leased telephone Line/MPLS

DNS service
When the Internet was new, users were connecting to a web site by typing the web site’s IP address in the browser, e.g. http://9.9.9.9. However, as the Internet grew, it was difficult for users to remember IP addresses. Therefore, a DNS (Domain System Service) server was introduced, which stores in a database the names of all web sites and their respective IP addresses. When a user types a URL (Uniform Resource Locator), e.g. http://anywebsite.com, the DNS server provides the IP address of the website and then the browser connects to that IP address.

E-mail service
Outgoing mails – Simple Mail Transfer Protocol service.
Incoming emails –
• Post Office Protocol version 3 (POP3) Client – Emails, once downloaded, are deleted from the server.
• Internet Message Access Protocol (IMAP) – Mails are retained on the server, even after they are downloaded.
• WebMail – Email access over the internet browser.

Web service – Organisations can establish integration of a web application with another organisation. This is done through launching a web service with the help of an API (Application Programming Interface).

Directory Services – When organisations need to control all the desktops, laptops or other computing devices and resources, and provide proper authentication and security, they implement directory services. Microsoft Active Directory, Sun Microsystem’s iPlanet Directory services and Novell’s eDirectory are some popular solutions available for such controlled access.

Print services
• Print server runs a print service to make a pool of network printers installed in the organisation.
• Print server allows authenticated users to connect, either authenticated by the print server itself or by directory services.
• Print server installation enables an organisation to enforce a printing policy for controlling printing to be done on various printers.
• Print server also provides monitoring of print jobs and provides statistics related to it.

DBMS Service – DBMS provides an efficient and smooth process of data storage and retrieval.

Video Conferencing – With increasing bandwidth facilities at reducing costs provided by service providers, and improved telecommunication technologies, video conferencing can be widespread and can also be used by small and medium enterprises.

Backup Strategies
Backup Considerations

1. Backup Policy – Organisations should establish a backup policy for guiding the IT department and users, and define the retention period of the backup data. To implement the policy, management needs to develop backup procedures as well.
2. What to Backup – Decide which data should be backed up. E.g. E-commerce data, financial data, employees’ data, email data, data of various applications, system logs and system configuration files etc. are critical in nature and need to be backed up on a priority basis.
3. Backup Frequency – Critical data may be backed up every day, every hour or immediately (known as mirroring of data).
4. Backup Storage Location – Stored safely and securely, preferably at a separate geographic location. Another copy of the backup can be kept near the primary site, so that if needed it can be easily procured.
5. Backup Retention Period – The backup policy decides how long backup/s should be retained.
6. Testing – Backups are tested regularly so that when needed they can be correctly restored. Organisations set up separate systems for restoring backup data and test it for correctness of restoration.
7. Training – Not all data will be backed up by the IT Department. Users may have their important data stored in their laptops or desktops. It is the user’s responsibility to back up this data. Therefore, adequate training must be provided to the users about the backup policy and backup system. IT personnel also need training on backup policy and backup procedures.
8. Tape Control – Many organisations use magnetic tapes for backing up of data, and may require a tape library management system. This system allows automated tape backup, management and restoration of data on tapes.

Backup Methods
1. Full backup – A full database backup is taken every time irrespective of earlier backups. It requires more time and storage than other backup types.
2. Incremental Backup – Backup of only the changes done to the data. Every incremental backup is stored on the media as separate data. Incremental backup is the fastest & requires the least storage amongst all of the backup methods.
3. Differential Backup – Backup is taken of all the changes that happened after the last full backup. It requires more time & storage than incremental backup but less than full backup.
4. Virtual Full Backups – A synchronised backup, wherein the first time a full backup is taken and subsequently, whenever a change takes place, the backup is synchronised for the changes.
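An added example, not part of the chart, that models the four backup methods above over a constructed set of daily file snapshots and restores from each: it counts what each method writes to media (reproducing the incremental < differential < full ordering the chart states), shows that an incremental restore needs every link of the chain while a differential restore needs only the last full plus one differential, and keeps a “virtual full” image synchronised with each day’s changes. Deleted files are recorded as tombstones so a restore does not resurrect them; file names and versions are constructed.

```python
# Constructed daily snapshots of a small file set, {path: version number}.
# Day 0 is when the full backup is taken; later days change, add and delete files.
SNAPSHOTS = [
    {"a.db": 1, "b.log": 1, "c.cfg": 1},
    {"a.db": 2, "b.log": 1, "c.cfg": 1},              # day 1: a.db changed
    {"a.db": 2, "b.log": 2, "c.cfg": 1, "d.txt": 1},  # day 2: b.log changed, d.txt added
    {"a.db": 3, "b.log": 2, "d.txt": 1},              # day 3: a.db changed, c.cfg deleted
]
DELETED = None  # tombstone written to media so a restore does not resurrect the file


def changes_since(baseline, snapshot):
    """Changed or added files since baseline, plus tombstones for deleted ones."""
    delta = {p: v for p, v in snapshot.items() if baseline.get(p) != v}
    delta.update({p: DELETED for p in baseline if p not in snapshot})
    return delta


def full_backup(snapshot):
    return dict(snapshot)


def incremental_backup(previous_snapshot, snapshot):
    """Changes since the previous backup of any kind: smallest, but the whole chain is needed."""
    return changes_since(previous_snapshot, snapshot)


def differential_backup(last_full, snapshot):
    """Changes since the last full backup: larger, but full + latest differential restores."""
    return changes_since(last_full, snapshot)


def apply_delta(state, delta):
    state = dict(state)
    for path, version in delta.items():
        if version is DELETED:
            state.pop(path, None)
        else:
            state[path] = version
    return state


def restore_incremental(full, incrementals):
    state = dict(full)
    for delta in incrementals:  # every link in the chain is required, in order
        state = apply_delta(state, delta)
    return state


def restore_differential(full, differential):
    return apply_delta(full, differential)


def virtual_full(full, later_snapshots):
    """Synthetic full: one image, synchronised with each day's changes, restorable on its own."""
    image = dict(full)
    for snap in later_snapshots:
        image = apply_delta(image, changes_since(image, snap))
    return image


def plan(snapshots):
    """Full backup on day 0, then one incremental and one differential per later day."""
    full = full_backup(snapshots[0])
    incs = [incremental_backup(snapshots[i - 1], snapshots[i])
            for i in range(1, len(snapshots))]
    diffs = [differential_backup(full, s) for s in snapshots[1:]]
    return full, incs, diffs


def media_usage(snapshots):
    """File entries written to media by each method over the whole period."""
    full, incs, diffs = plan(snapshots)
    return {
        "full": sum(len(s) for s in snapshots),
        "incremental": len(full) + sum(len(d) for d in incs),
        "differential": len(full) + sum(len(d) for d in diffs),
    }
```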
Patch Management
Part of software maintenance:
1. Acquiring the patch from vendor or vendor approved agency, 2. Testing the patch on a test site, 3. Installing the patch, 4. Reporting about the updation, 5. Audit of patch

Characteristics
• Sound Policy and Procedure
• Patch Scanner – Find out missing patches and generate a report for review by the IT team.
• Efficient Patch Deployment – Tested in a test environment before they can be applied on production site/s. Patching desktops and laptops can be done efficiently through Active Directory.
• Review & Report – Comparison between the patch scanner report and the patch testing report. Review of these reports indicates the benefits of patches installed.

Benefits
• Risk Mitigation – A patch mitigates security risks related to viruses, Trojans and other security flaws which were inadvertently present in the software. Software developers are continuously improving their software for functionality, security and bug removal.
• Compliance to Standards – Updating the software of a system with the latest patches is now becoming a compliance requirement.
• Software Integrity – May incorporate new technology features.
• System Productivity With Latest Features – Improves productivity since it improves usage of new features which are provided by software developers.

CHAPTER 4:
INCIDENT RESPONSE AND MANAGEMENT
Incident Handling & Response
An incident is defined as a deviation from the normal operation of a process. There are many incidents such as – Cyber attack by hackers, Breach in cyber security, Attack on National Critical Infrastructure, Virus or Malware induction, Hacking & Advanced Persistent Threat, Misconfiguration of System, Software malfunction & Human error in IT department.
Organisations need to prepare themselves for handling and responding to these incidents. Organisations need resources, planning and systematic preparation in this regard.
Organisations usually face a lot of challenges such as – Identification of IT assets, Identification of an incident, Analysis of incidents, Scanning through bulk of information and logs, Criteria for zeroing in on an incident, IT assets actually damaged due to the incident, Loss of data, Source of the incident, Modus Operandi, Impact analysis, Forensic investigation of the incident and collecting evidence, Fixing the responsibility.

Incident Response Process

Prepare
1A. Administrative Preparation – Incident policy, procedures, standards and guidelines; Identification of the IT Assets which are critical to an organisation; Training for the incident response team; Awareness for employees; Impact Analysis; Knowledge of business; Brand value; Political system of the country; Laws & Regulations.
1B. Technical Preparation – Risk assessment and Risk Management; Data Classification; Assessment of Confidentiality, Integrity and Availability of Data; Technology Infrastructure; Dependency on certain technology providers; Controls; Possible vulnerabilities; Cyber Threats; Cyber security posture; Possible source/s of threats.

Identification
Identify an incident and then take action accordingly. Identification of an incident can be handled by the Incident Response Team. An Incident Response Team can do the following – Notice any suspicious events (SIEM; DLP; IPS/IDS and firewall), Generate cyber-security audit reports, Resolve anomalies reported by the SOC. Incidents can be analysed as – Time of occurrence, How it was detected, What impact it is going to have on the IT asset, Source of this incident.

Containment
Isolation of the victimised system and not allowing the incident to spread across many systems. Terminating all sessions of logged-in users, Blocking the source, Blocking the socket, Changing the Administrator or root password.
Eradication
Eradication activities will start, consisting of – i. Marking of the infected system, ii. Disconnection from the network, iii. Copying logs manually to a USB drive, iv. Malware/Trojan/Bot etc. need to be analysed, v. Disable the infected accounts of users, vi. Disable carrier ports, vii. Collect the evidence, viii. Clean the system, ix. Re-scan the system.

Recovery
The incident response team has to assure that the system performance shall be normal, i.e. no deviation, and that all the risks are mitigated with necessary controls such as patching, antivirus updating, optimisation of ports and services.
Following Recovery process
i. Reconnection of the network of the isolated system, ii. All controls restored, iii. Re-loading Operating system, applications, antivirus, iv. Re-configuring, v. Infected files/folders need to be replaced, vi. All disabled accounts of users need to be restored, vii. All logs are directed to the SOC again, viii. Check the integrity of the system, ix. Scan the system.

Follow up
The incident response team of the organisation preserves the evidence (with proper integrity) for the follow up activities such as – Conducting the root cause analysis, Search for the culprit, Investigation, Legal action, Damage control for reputation restoration, Trend analysis.
Lessons learnt
Post-facto activity incorporated in the system and security policies, procedures and guidelines.
Documentation
Incidents should be documented with the inputs received, evidence collected, facts, figures, lessons learnt etc.

Benefits of Incident Management
i. Immediate response ensures quick resolution of the incident,
ii. Minimising impact of incident/s,
iii. Keeping intact the Reputation of the organisation,
iv. Avoiding damage to Brand Image,
v. Confidence of the investors / stakeholders,
vi. Business continuity.

Cyber-Security Framework
India’s National Cyber-Security Policy 2013 - The National Cyber-Security Policy 2013 was released on July 2, 2013 by the Government of India.
Policy Objectives
• Create a secure cyber ecosystem in the country
• 24 x 7 mechanism for obtaining strategic information regarding threats to ICT
• To enhance the protection and resilience of the Nation's critical information infrastructure by operating a 24x7 National Critical Information Infrastructure Protection Centre (NCIIPC)
• To create a workforce of 500,000 professionals skilled in cyber security in the next 5 years.
• To provide fiscal benefits to businesses for adoption of standard security practices
• To enable effective prevention, investigation and prosecution of cyber-crime
• To create a culture of cyber security
Strategies
• To designate a National nodal agency to coordinate all matters related to cyber security
• Chief Information Security Officer (CISO), responsible for cyber security
• To encourage all organizations to develop information security policies
• To ensure that all organizations earmark a specific budget for implementing cyber security initiatives
• To provide fiscal schemes and incentives to encourage entities to install, strengthen and upgrade information infrastructure
• To prevent occurrence and recurrence of cyber incidents by way of incentives for technology development, cyber security compliance and proactive actions.
• To establish a mechanism for sharing information
• To promote adoption of global best practices in information security
• To create infrastructure for conformity assessment and certification of compliance to cyber security best practices, standards and guidelines
• To enable implementation of global security best practices in formal risk assessment and risk management processes
• To create National level systems,
• To operate a 24x7 National Level Computer Emergency Response Team (CERT-In)
• To operationalize 24x7 sectorial CERTs
• To implement Cyber Crisis Management Plan for dealing with cyber related incidents
• To conduct and facilitate regular cyber security drills, business continuity management and cyber crisis management plan
• To encourage wider usage of Public Key Infrastructure (PKI) within Government
• To engage information security professionals / organisations to assist e-Governance

Security Operation Centre (SOC)
Detect, alert and respond to all the activities of IS Infrastructure
SOC Characteristics
Policy, Standards and Guidelines Technology
Organisation must have a sound Technology plays important role in operations of SOC for Log Analysis, Network Analysis, Monitorin
Monitoring
Agent
policy related to the SOC and its Malware Analysis, Forensic Analysis, Cryptosystems, signature database updates, packet Logs
Logs & Level-1
Computer Events SEM
activities. ltering, packet inspection, data analytics and reverse engineering systems.
It takes the following steps to acquire correct technology – Collection
Top management support
Top management should provide 1. Preparing speci cations for technology by SOC team. Co cter
Collecter
Collecter
continuous support in terms of investment, resources and people to the SOC. Top management should have a meeting at least once in a quarter with the CISO.

Investment
SOC requires adequate investment for 24x7 operations. Investment may be for purchasing equipment, devices, software etc. (Capex) and for day-to-day operational expenditure (Opex).

People
Two levels of employees. Level 1 will be monitoring 24x7. Level 2 does deep analysis of alerts and incidents.

Process & Procedures
To have documented proper procedures and guidelines for speedy identification and resolution of cyber security incidents.

Steps for acquiring SOC technology (list continued from the previous page):
2. Discussions with various vendors.
3. Getting POCs (Proof of Concept) from vendors.
4. Preparation of feasibility study report by SOC team.
5. Getting quotations/tenders from vendors based on RFP.
6. Initiating procurement process.
7. Finalising vendor.
8. PO (Purchase Order) to vendor and getting confirmation.
9. Signing contract with vendor.
10. Implementation of technology by SOC team along with vendor experts.
11. Training provided by vendor to SOC.

Environment
Objectives of the SOC should align with business objectives.

Analytics & Reporting
SOC uses data analytics to create insightful metrics and performance measures.

Physical Controls
SOC should also have general physical controls & specific physical controls. SOCs are housed in a separate physical space with no sign boards of the organisation.

Continuous Improvement
SOC is always under continuous monitoring by the organisation for the necessary improvements. Following actions should be taken for continuous improvement of SOC –
1. Periodic assessment of upgrading skills
2. 360-degree feedback of SOC from various stakeholders
3. Lessons learned by SOC team after every incident
4. Augmentation of new technology as per need
5. Budget provisions as needed
6. Top management support

[Diagram: SOC architecture. Agents on servers, databases and network equipment in the IS infrastructure send logs to the SIEM tool; SIEM alerts go to the Level-1 team and are analysed by the Level-2 team, which produces incident reports for the incident team and investigation; external intelligence from CERT-In and IB-CART feeds the security database.]

SIEM Tool and their Utility

Deployment of SIEM Tool – Scope of Work (SOW)

Operation:
• To do continuous monitoring, detecting, alerting and responding to cyber-security incidents.
• SIEM tool should enable SOC for continuous operations 24x7 throughout the year.
• Number of correlated files to be stored and kind of reports needed to be provided.
• Use case details

Security:
Collects logs, arranges them in a common format, assesses them, correlates them and then develops the security posture of the IS infrastructure. The security posture is provided to the cyber security team of the organisation as feedback.

Compliance:
SIEM-provided auto-generated reports related to the security posture of an organisation can be taken up for audits. For the compliance purpose the auditee must ensure the following –
a. Asset list maintained in the company vis-a-vis assets that SIEM is monitoring
b. Scope of work
c. Logs and events
d. SOC detail processes
e. Security posture database
f. Reporting
g. Latency in conversion of alert into incident

SIEM Core
The SIEM core is the logic of the SIEM, which is composed of multiple software components. SIEM core handles the following areas –
1. Risk assessment for IS infrastructure
2. Correlation of events collected by the collector and external intelligence
3. Any deviation in normal operations of IS infrastructure
4. Data mining & data analysis
5. Real-time monitoring and alerts
6. Cyber security posture
7. Correlated data for forensics & investigation
8. Reports

SIEM Tools Utility
SIEM tool provides the following advantages:
a. Discover vulnerabilities
b. Uncover threats
c. Monitoring
d. Compliance
e. Security profile
f. Internal intelligence
g. Alerts
h. Reporting
i. Incident management
j. Forensic investigation

[Diagram: IS Infrastructure sends logs to SIEM, which produces reports.]
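The security scope and the SIEM core areas above (collect logs, arrange them in a common format, correlate them, raise alerts, and measure the latency from alert to incident) can be seen end to end in a small Python model. This is an added example written for this chart; it is not the chart's own material nor code from any SIEM product. The log lines are constructed, and the two input formats (sshd-style syslog lines and a JSON application log), the correlation rule and its threshold are assumptions made for the example.

```python
"""Toy SIEM core: collect, normalise, correlate, alert, open incident.

Added example for the chart above, not from the chart or any SIEM product.
Log lines, input formats and thresholds below are constructed for illustration.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Assumed input format 1: sshd-style syslog line with an ISO timestamp.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample logs: failures from 203.0.113.7 seen by two sources,
# then a successful login, an unrelated login, and one unparseable line.
RAW_LOGS = [
    "2024-03-01T09:00:01 web01 sshd[211]: Failed password for invalid user admin from 203.0.113.7 port 5122 ssh2",
    "2024-03-01T09:00:05 web01 sshd[211]: Failed password for root from 203.0.113.7 port 5124 ssh2",
    "2024-03-01T09:00:09 web01 sshd[211]: Failed password for root from 203.0.113.7 port 5126 ssh2",
    '{"time": "2024-03-01T09:02:30", "host": "app01", "user": "ops", "client_ip": "203.0.113.7", "status": 401}',
    "2024-03-01T09:03:00 web01 sshd[214]: Accepted password for root from 203.0.113.7 port 5130 ssh2",
    "2024-03-01T09:10:00 db01 sshd[300]: Accepted password for dba from 198.51.100.4 port 4000 ssh2",
    "garbage line that no collector understands",
]


def normalise(line):
    """Collector step: map a raw line onto the common event format, or None."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "user": m["user"], "src": m["src"], "source": "sshd",
                "outcome": "success" if m["result"] == "Accepted" else "failure"}
    if line.startswith("{"):  # assumed input format 2: JSON application log
        rec = json.loads(line)
        return {"ts": datetime.fromisoformat(rec["time"]), "host": rec["host"],
                "user": rec["user"], "src": rec["client_ip"], "source": "webapp",
                "outcome": "failure" if rec["status"] == 401 else "success"}
    return None


def correlate(events, threshold=3, window_seconds=300):
    """Core step: N failures from one source followed by a success -> alert."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] == "failure":
            failures[ev["src"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["src"]]
                  if (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute-force-then-success", "src": ev["src"],
                           "user": ev["user"], "host": ev["host"],
                           "failures": len(recent),
                           "first_seen": recent[0].isoformat(),
                           "raised_at": ev["ts"].isoformat()})
    return alerts


def run(raw_lines):
    """Full pipeline; returns (alerts, number of lines the collector dropped)."""
    events = [e for e in (normalise(l) for l in raw_lines) if e is not None]
    return correlate(events), len(raw_lines) - len(events)


def open_incident(alert, opened_at_iso):
    """Convert an alert into an incident and record the alert-to-incident latency."""
    raised = datetime.fromisoformat(alert["raised_at"])
    opened = datetime.fromisoformat(opened_at_iso)
    return {"alert": alert, "opened_at": opened_at_iso,
            "alert_to_incident_seconds": int((opened - raised).total_seconds())}


if __name__ == "__main__":
    found, dropped = run(RAW_LOGS)
    print(f"{len(found)} alert(s), {dropped} line(s) dropped by the collector")
    for a in found:
        print(open_incident(a, "2024-03-01T09:05:00"))
```

Two points from the compliance checklist show up directly: the dropped-line count is what an auditor compares against the asset list (logs the SIEM never understood are assets it is not really monitoring), and `alert_to_incident_seconds` is the latency item (g) measured per alert rather than estimated.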
www.prokhata.com 65
CA Rajat Agrawal
Module - 4 Information Systems Operations and Management, Chapter 4 Incident Response and Management

Computer Emergency Response Team (CERT)
The US government started CERT in 1988. The Government of India started CERT-In, operational from January 2004.
IT Act 2008 - Section 70B: Indian Computer Emergency Response Team to serve as national agency for incident response.
• Central Government appoints an agency called the Indian Computer Emergency Response Team.
• Central Government shall provide the agency with a Director General, other officers and employees.
• The salary and allowances and terms and conditions of the Director General may be prescribed.
• It performs the following functions:
a. Collection, analysis and dissemination of information on cyber incidents
b. Forecast and alerts of cyber security incidents
c. Emergency measures
d. Coordination of cyber incident response activities
e. Issue guidelines and advisories on cyber incidents
• Any service provider who fails to provide the requested information or comply with the requirements shall be subject to a punishment of one year imprisonment or a fine of one lakh rupees, or both.

Indian Banks – Centre for Analysis of Risks and Threats (IB-CART)
IB-CART was established in 2014 to address cybersecurity in the banking sector. It has a total of 90 users from over 60 public, private and foreign banks in India. The IB-CART advisory council has 9 members with representation from public and private sector banks and CERT-In.
Module - 5 Protection of Information Assets
CHAPTER 1:
INTRODUCTION TO PROTECTION OF INFORMATION ASSETS

Risk Response
Avoid: Response by deciding not to use technology for select business operations.
Transfer: Where organizations pass on the responsibility of implementing controls to another entity. For example, insuring against financial losses with an insurance company by paying a suitable premium.
Accept: If the risk assessed is within the risk appetite, management may decide not to implement a control and accept the risk.
Mitigate: To implement controls by incurring additional cost to reduce the assessed impact and bring it within acceptable limits.

Information Security Objectives
Confidentiality: Preserves authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity: Guards against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Availability: Ensures timely and reliable access to and use of information.

Threat Modeling Tools
Process by which potential threats can be identified, enumerated, and mitigations can be prioritized. An attack vector is a path or means by which an attacker can gain unauthorized access to a computer or network to deliver a payload or malicious outcome.

OWASP
It works to improve the security of software. OWASP Top 10 is a standard awareness document for developers and web application security. Globally recognized by developers as the first step towards more secure coding.

DREAD Model
Categories | Description
D Damage potential | How many assets can be affected?
R Reproducibility | How easily can the attack be reproduced?
E Exploitability | How easily can the attack be launched?
A Affected users | What is the number of affected users?
D Discoverability | How easily can the vulnerability be found?

STRIDE Model
Threat | Desired Property
S Spoofing (False identity) | Authenticity
T Tampering | Integrity
R Repudiation | Non-repudiation
I Information disclosure (Leak of Data) | Confidentiality
D Denial of service | Availability

Cyber/Computer Attacks

Backdoor: A bypass of the normal means of authorised access. They are malicious programs that listen for commands on a certain TCP or UDP port. Backdoors allow an attacker to perform a certain set of actions on a host, such as acquiring passwords or executing arbitrary commands. Use of licensed software, patch updates, disabling default users & debugging functions, and using anti-malware software are the controls against backdoors.

Blue Jacking: Sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices. Turning off Bluetooth, selecting hidden mode, and ignoring and/or deleting messages can prevent bluejacking.

Buffer Overflow: An anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Run-time protection features are controls for buffer overflow.

Cyber Stalking: Use of the Internet or other electronic means to stalk or harass an individual, group, or organization. Maintaining cyber hygiene and avoiding disclosure of sensitive information are preventive controls.

Cyber Terrorism: Use of the Internet to conduct violent acts that result in, or threaten, loss of life or significant bodily harm. Passive defense for this attack is essentially target hardening.

Cyber Warfare: Use of technology to attack a nation, causing harm comparable to actual warfare. Limiting employee access to classified information and installing software updates may help to prevent this attack.

Data Diddling: Changing of data before or during entry into the computer system. File encryption, checksums or message digests may prevent such attacks.

Denial of Service: Attempt to make a machine or network unavailable to its intended users. A web application firewall may help to prevent DoS attacks.

DNS Spoofing: Data is introduced into a DNS resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's computer. Keeping the resolver private and protected is one of the controls against DNS spoofing.

Email Spoofing: Creation of email messages with a forged sender address. Core email protocols do not have any mechanism for authentication, making it common in spam and phishing emails. Configuring a reverse proxy may detect email spoofing.

Identity Theft: Deliberate use of someone else's identity. Use of strong passwords, multi-factor authentication and monitoring transactions of the account are some preventive controls.

Keystroke Logger: Monitors and records keyboard use to retrieve data from the host. Use of key encryption software and installing anti-malware are the controls.

Logic Bomb: Legitimate programs to which malicious code has been added. Their destructive action is programmed to "blow up" on occurrence of a logical event. Anti-malware and use of applications from trusted sources may be preventive controls.

Piggybacking: Unauthorized access using a terminal that is already logged on with an authorized ID and left unattended. Control: idle session timeout.

Salami Theft: Minor attacks that together result in a larger attack. By having proper segregation of duties and proper control over code it may be prevented.

Sensitive Data Exposure: Data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Data leakage prevention tools may prevent it.

Injection: Occurs when untrusted data is sent to an interpreter as part of a command or query. Input validation, security audits and vulnerability, threat and risk (VTR) assessment are preventive controls.

Trojan: Self-contained, non-replicating program that, while appearing to be benign, actually has a hidden malicious purpose. Sound policies and procedures should be in place and anti-malware software should be installed.

Virus: A virus self-replicates, triggered through user interaction such as opening a file or running a program. Controls: sound policies and procedures, anti-malware software.
Compiled Viruses: Executed by an operating system; includes file infector viruses, which attach themselves to executable programs, and boot sector viruses, which infect the master boot records of hard drives.
Interpreted Viruses: Executed by an application; macro viruses take advantage of a macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS.

Worm: Self-replicating, self-contained program. Controls: sound policies and procedures, anti-malware.
Network Service Worms: Take advantage of a vulnerability in a network service to propagate themselves.
Mass Mailing Worms: Similar to an email-borne virus but self-contained.

Web Defacement: Attack on a website that changes the visual appearance of the website or a web page. Controls: security audits and vulnerability, threat and risk (VTR) assessment.
Information Systems Controls
Control is defined as a mechanism that provides reasonable assurance that business objectives will be achieved and undesired events are prevented, detected or corrected. Information system auditing includes reviewing the implemented system or providing consultation and evaluating the reliability and operational effectiveness of controls. It ensures the desired outcome from the business process is not affected.

1. Need for Control
• Organizational costs of data loss
• Incorrect decision making
• Costs of computer abuse
• High costs of computer error
• Maintenance of privacy
• Controlled evolution of computer use
• Information systems auditing
• Asset safeguarding
• Data integrity
• System effectiveness
• System efficiency

2. Objectives of Control
Control objective is defined as "Statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT process or activity". Two main purposes:
• Outline the policies of the organization
• A benchmark for evaluating whether control objectives are met.
The objective of controls is to reduce or, if possible, eradicate the causes of the exposure to probable loss. Some categories of exposures are:
• Errors or omissions in data, procedure, processing, judgment and comparison.
• Improper authorizations and improper accountability with regards to procedures, processing, judgment and comparison.
• Inefficient activity in procedures, processing and comparison.
Control considerations include –
• Lack of understanding of IS risks amongst management & users.
• Absence of or inadequate IS control framework.
• Complexity of implementation of controls.

3. Internal Controls
Internal Control Framework: Comprises policies, procedures, practices, and organizational structure that give reasonable assurance of achieving business objectives. Controls are broken into discrete activities and supporting processes, which can be either manual or automated.

4. Types of Internal Controls
Preventive Controls: Designed to create a desired level of resistance; their goal is to predict potential problems before they occur. Examples: employing qualified personnel, segregation of duties, access control, documentation etc.
Detective Controls: Designed to build historical evidence of the events or activities directly related to reliability. Ex. hash totals, check points, etc.
Corrective Controls: Designed to reduce the impact or correct an error once it has been detected; directly related to bringing business operations back to normal. Ex. backup & restoration procedure etc.

Control Rating By An Auditor:
Very High : Controls are implemented and are extremely effective.
High : Controls are implemented and are highly effective.
Moderate : Controls are implemented and are moderately effective.
Low : Low effectiveness.
Negligible : Controls are not implemented.

Risk and Control Ownership
Each risk should have an owner; the owner is a person or position that has close interest in the processes affected by the risk. The owner(s) of the risk(s) also own any control(s) associated with those risks and are accountable for monitoring their effectiveness. This ensures that all risks have been addressed through appropriate controls and that all controls are justified by the risks that mandate the requirements for those controls.

Periodic Review and Monitoring of Risk and Controls
After implementation of the risk responses, management needs to monitor the actual activities to ensure that the identified risk stays within an acceptable threshold. To ensure that risks are reviewed and updated, organizations must have a process that will ensure the review of risks. The best processes are:
• The risk assessment exercise may be conducted after a predefined period, say at least annually.
• All incidents and lessons learned must be used to review the identified risks.
• Change management processes should proactively review the possible risks and ensure that they are part of the organization's risk register.
• New initiatives and projects must be considered only after risk assessment.

Controls Assessment
The first step is to review the risk register & control catalogue and ensure that the associated risk is responded to appropriately. The next step is to review procedure documents.

Control Self-Assessment
The actual testing of the controls is performed by staff whose day-to-day role is within the area of the organization that is being examined, as they have the greatest knowledge of how the processes operate. The two common techniques for performing the control evaluations are: 1. Workshops 2. Surveys or questionnaires.

Role of IS Auditor in Information Risk Management
• Facilitator for conducting risk assessment workshops.
• To provide objective assurance to the board on the effectiveness of an organization's Risk Management framework.
• Plan the audit cycle according to the perceived risk, i.e. plan for higher frequency for high-risk business process areas.
Key roles that an auditor can perform are:
1. To give assurance on the risk management process
2. To give assurance that the risks are being evaluated correctly
3. Evaluate the risk management process
4. Review the management of key risks.
There are activities which an auditor should not perform, to maintain his independence:
1. Setting the risk appetite
2. Imposing the risk management process
3. Taking decisions on risk responses
4. Implementing risk responses on management's behalf.
CHAPTER 2:
ADMINISTRATIVE CONTROLS OF INFORMATION ASSETS

Information Security Management
Ensure confidentiality, integrity and availability (CIA) of information assets. The primary control for implementing the protection strategy is defining and implementing an information security policy.
Key elements of information security management include:
• Senior management commitment and support,
• Policies and procedures,
• Organization structure and roles and responsibilities,
• Security awareness and education,
• Monitoring,
• Compliance,
• Incident handling and response,
• Continual improvement.

Senior Management Commitment and Support
Commitment and support of senior management are imperative for successful establishment and continuance of an information security management program. Executive management endorsement of essential security requirements provides the basis for ensuring that security expectations are met at all levels of the enterprise.

Critical Success Factors to Information Security Management
• Alignment with business objectives: The management needs to establish security policy in line with business objectives, to ensure that all information security elements are strategically aligned.
• Organizational culture: Ensure that the framework followed to implement, maintain, monitor and improve information security is consistent with the organizational culture.
• Establish and enforce an information security program: Focus is on protecting the information assets of the organization.
• Adoption of standards: Enables the organization to have consistent implementation across the enterprise. It helps in providing assurance that all required aspects of information security have been covered.
• Spend resources wisely and transparently: Expenditures on controls should be prioritized and unnecessary resource utilization may be avoided.

Information Security Organization
• Information security is the responsibility of the entire organization and the accountability of senior management.
• The position must be strategically placed within the organization and visibly supported by top management while carrying out the duties in an effective and independent manner.
• Defining security responsibilities for every person and position as part of his/her role within the organization and documenting them in their job description.

Segregation of Duties: Having more than one person required to complete a task. No individual should have the ability to carry out every step of a sensitive business transaction. SoD implements an appropriate level of checks and balances upon the activities of individuals.
The 'Four Eyes' (Two-Person) Principle: For each transaction, there must be at least two individuals necessary for its completion. While one individual may create a transaction, the other, of higher designation, should be involved in confirmation/authorization. In this way, strict control is kept over system software and data.
Rotation of Duties: Rotation of employees' assigned jobs throughout their employment. Designed to promote flexibility of employees and to keep employees interested in staying with the company/organization.
'Key Man' Policy: Where a single individual is critical to the business, insurance policies may be taken out to cover losses resulting from his or her death or incapacity.

Information Security Policies, Procedures, Standards and Guidelines
Information Security Policy defines management's intent on how the security objectives should be achieved. After policies are outlined, standards are adopted/defined to set the mandatory rules that will be used to implement the policies. A guideline is typically a collection of system-specific or procedure-specific "suggestions" for best practice. Information security management, administrators, and engineers create procedures from the standards and guidelines that follow the policies. Information Security Policy is an overview or generalization of an organization's security needs.
1. Components of Information Security Policies
Statement, Scope, Objective, Ownership, Roles and Responsibility, Business requirement of Information security, Policy Exceptions, Compliance & Periodic review.

2. Other Common Security Policies
Data Classification and Privacy Policies:
• Organization shall hold non-public personal information in strict confidence except as required or authorized by law and only to such persons who are authorized to receive it.
• Adopt procedures for the administrative, technical and physical safeguarding of all non-public personal information.
• Any entity that utilizes information provided by the organization to carry out its responsibilities shall have signed and agreed to abide by the terms of the data privacy and security policy.
Acceptable Use of Information Assets Policy:
Set of rules that restrict the ways in which the information resources (Data, Application Systems, Technology, Facilities and People) may be used. An AUP often reduces the potential for legal action that may be taken by a user, and often with little prospect of enforcement.
Physical Access and Security Policy:
Security measures that are designed to restrict unauthorized access to facilities, equipment and resources, and to protect personnel and assets from damage or harm. It involves the use of multiple layers of interdependent systems, which include CCTV surveillance, security guards, biometric access, RFID cards, etc.
Asset Management Policy:
Defines the business requirements for information asset protection. It includes assets like servers, desktops, handhelds, software and network devices.
Network Security Policy:
Overall rules for the organization's network access; determines how policies are enforced and lays down some of the basic architecture of the company security/network security environment.
Password Policy:
The policy defines the configuration of passwords to be used within the organization to access the information assets. For example:
• Password length must be more than 8 characters
• Password must meet complexity requirements, such as upper case, lower case, numeric and special characters
• Password must have a defined maximum age
• Password must have a defined minimum age
• Password must have history control

3. Controls over Policy
Information security policies need to be maintained, reviewed and updated regularly. It is necessary to review the security policies to ensure that they are in line with senior management's intent. Security policies are reviewed:
• Periodically, generally annually, OR
• After an incident, OR
• As a part of the change management process.

4. Exceptions to the Policy
Policies are generic and sometimes cannot be enforced in specific situations; in such situations, it is necessary to ensure there are suitable compensating controls so that the risks mitigated by enforcement of the policy remain within acceptable level.
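The password policy parameters listed above (length, complexity, maximum and minimum age, history) are easy to state and easy to implement inconsistently. The following added Python example, which is not from the chart or from any product, shows one way to enforce them together in a single change check. The numeric values for maximum age, minimum age and history depth are assumptions, since the chart only says they must be defined; the history is kept as SHA-256 fingerprints purely to keep the example short (a production store uses a slow, salted password hash).

```python
"""Password policy checker for the parameters in the chart above.

Added example, not from the chart or any product. MAX_AGE_DAYS, MIN_AGE_DAYS
and HISTORY_DEPTH are assumed values; the chart only says they must be defined.
"""
import hashlib
import string
from datetime import date

MIN_LENGTH = 9        # chart: "more than 8 characters"
MAX_AGE_DAYS = 90     # assumed value
MIN_AGE_DAYS = 1      # assumed value
HISTORY_DEPTH = 5     # assumed: number of previous passwords that may not be reused


def password_fingerprint(password):
    """History entries are stored as digests, never as clear text.
    SHA-256 keeps the example short; a real store uses a slow, salted hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def complexity_violations(password):
    """Return the names of the length/complexity rules the candidate breaks."""
    checks = [
        ("length", len(password) >= MIN_LENGTH),
        ("upper", any(c.isupper() for c in password)),
        ("lower", any(c.islower() for c in password)),
        ("digit", any(c.isdigit() for c in password)),
        ("special", any(c in string.punctuation for c in password)),
    ]
    return [name for name, ok in checks if not ok]


def check_password_change(new_password, history, last_changed_iso, today_iso):
    """Validate a requested change. history is a list of fingerprints, oldest first.
    Returns [] when the change is allowed, otherwise the violated rule names."""
    violations = complexity_violations(new_password)
    today = date.fromisoformat(today_iso)
    if last_changed_iso is not None:
        age = (today - date.fromisoformat(last_changed_iso)).days
        if age < MIN_AGE_DAYS:  # minimum age stops users cycling through history
            violations.append("min_age")
    if password_fingerprint(new_password) in history[-HISTORY_DEPTH:]:
        violations.append("history")
    return violations


def is_expired(last_changed_iso, today_iso):
    """Maximum age: the password must be changed once older than MAX_AGE_DAYS."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    return age > MAX_AGE_DAYS


if __name__ == "__main__":
    history = [password_fingerprint("Old-Passw0rd1")]  # constructed history
    print(check_password_change("password", history, "2024-01-01", "2024-03-01"))
    print(check_password_change("Old-Passw0rd1", history, "2024-01-01", "2024-03-01"))
    print(is_expired("2023-11-01", "2024-03-01"))
```

The minimum-age rule is the one most often left out: without it, a user can change the password six times in a minute and arrive back at the original, which defeats history control entirely.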
Information Classification
Provides organizations with a systematic approach to protect information consistently across the organization. Information assets to be classified include: databases, data files, back-up media, on-line magnetic media, off-line magnetic media, paper, system documentation, user manuals, training material, operational or support procedures, continuity plans, fall-back arrangements.
Information follows a life cycle consisting of stages such as: origination, draft, approved/signed, received, stored, processed, transmission, archived, discarded, destruction etc.

Benefits from Information Classification
• It provides a systematic approach to protecting information consistently.
• Helps in determining the risk associated with a loss and thus prevents 'over-protecting' and/or 'under-protecting'.
• Used to demonstrate that the organization is meeting compliance requirements.
• Ensures that security controls are only applied to information that requires such protection, which reduces the operational costs of protecting information.
• Enforces access control policies by using the classification label to determine if an individual can gain access to a piece of information.

Information Classification Policy
• Structure of classification schema.
• Information owners and custodians.
• Protection levels for each class of information defined by the schema.
Owners are responsible for assigning classifications to information assets. Information classification shall be embedded in the information itself.

Classification Schema
Information Category | Description | When unauthorized disclosure, alteration or destruction of that data could: | Examples
Unclassified/Public | Information is not confidential and can be made public without any implications for the Company. | Cause low or no risk | Product brochures widely distributed; information widely available in the public domain, including publicly available Company web site areas; sample downloads of Company software that is for sale; financial reports required by regulatory authorities; newsletters for external transmission
Sensitive | Requires special precautions to ensure the integrity and confidentiality of the data by protecting it from unauthorized modification or deletion. Requires higher than normal assurance of accuracy and completeness. | Cause a moderate level of risk | Passwords and information on corporate security procedures; know-how used to process client information; Standard Operating Procedures used in all parts of the Company's business; all Company-developed software code, whether used internally or sold to clients
Client Confidential Data | Information received from clients in any form for processing in production by the Company. The original copy of such information must not be changed in any way without written permission from the client. The highest possible levels of integrity, confidentiality, and restricted availability are vital. | Cause a significant level of risk | Client media; electronic transmissions from clients; product information generated for the client by the Company
Company Confidential Data | Information collected and used by the Company in the conduct of its business to employ people, to log and fulfil client orders, and to manage all aspects of corporate finance. Access to this information is very restricted within the Company. The highest possible levels of integrity, confidentiality, and restricted availability are vital. | Cause the highest level of risk | Salaries and other personnel data; accounting data and internal financial reports; confidential customer business data and confidential contracts; Company business plans
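The policy above says that owners assign classifications, that the label is embedded in the information itself, and that access control uses the label. The following added Python example (not the chart's material nor any product's code) shows the minimal enforcement: read the embedded label from a document, compare it with the reader's clearance, and deny when the label is missing or unknown. Treating the four categories as a strict hierarchy ordered by the schema's risk column, and a `CLASSIFICATION:` header line as the embedding format, are both assumptions made for the example; the sample documents are constructed.

```python
"""Label-based access check for the classification schema above.

Added example, not from the chart or any product. Assumptions: the label is
embedded as a 'CLASSIFICATION: <category>' line in the document, and the four
categories form a strict hierarchy ordered by the schema's risk column.
"""
import re

# Rank each category by the risk an unauthorised disclosure could cause.
LEVELS = {
    "unclassified/public": 0,
    "sensitive": 1,
    "client confidential data": 2,
    "company confidential data": 3,
}

LABEL_RE = re.compile(r"^\s*CLASSIFICATION:\s*(?P<label>.+?)\s*$",
                      re.IGNORECASE | re.MULTILINE)


def extract_label(document_text):
    """Return the embedded classification label (lower-cased) or None."""
    m = LABEL_RE.search(document_text)
    return m["label"].lower() if m else None


def access_decision(document_text, clearance):
    """Return (allowed, reason). Missing or unknown labels fail closed."""
    label = extract_label(document_text)
    if label is None:
        return False, "document carries no classification label"
    if label not in LEVELS:
        return False, f"unknown classification label: {label}"
    clearance = clearance.lower()
    if clearance not in LEVELS:
        return False, f"unknown clearance: {clearance}"
    if LEVELS[clearance] >= LEVELS[label]:
        return True, f"clearance '{clearance}' dominates label '{label}'"
    return False, f"clearance '{clearance}' is below label '{label}'"


# Constructed sample documents.
SOP_DOC = "CLASSIFICATION: Sensitive\nStandard Operating Procedure for month-end close\n..."
PAYROLL_DOC = "classification: Company Confidential Data\nSalaries for March\n..."
UNLABELLED_DOC = "Product brochure text without any label\n"
BAD_LABEL_DOC = "CLASSIFICATION: Top Secret\n..."

if __name__ == "__main__":
    for doc, who in [(SOP_DOC, "Sensitive"), (SOP_DOC, "Unclassified/Public"),
                     (PAYROLL_DOC, "Client Confidential Data"),
                     (UNLABELLED_DOC, "Company Confidential Data"),
                     (BAD_LABEL_DOC, "Company Confidential Data")]:
        print(who, "->", access_decision(doc, who))
```

The fail-closed branches are the point: an unlabelled document is a classification-policy failure by the owner, and refusing access surfaces it rather than silently treating the document as public.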
The Concept of Responsibility in Information Security
Ownership: For security and control, ownership is delegated to an employee or group of employees who need to use these assets. Users not only have the right to use the asset but are also responsible for ensuring that the asset is well maintained, accurate and up to date.
Custodianship: The owner may delegate responsibility to a custodian. The owner should clearly state the responsibilities and associated levels of authority of the custodian over the assets, but finally management responsibility will always reside with the owner.
Controlling: In all information security areas there are key tasks, which can be called control points. It is at these control points that the actual information security mechanism has its application.

Human Resources Security
The management of human resources security and privacy risks is necessary during all phases of employees' association with the organization. Following are some of the recommended safeguards: job descriptions and screening, user awareness and training, a disciplinary process, and an exit process must exist.
Pre-employment: Defining roles and responsibilities of the job, defining appropriate access to sensitive information for the job, and determining the candidate's screening levels.
During employment: Receive periodic reminders of their responsibilities and receive ongoing, updated security awareness training.
Termination or change of employment: Access must be revoked immediately upon termination of an employee and third parties from the organization.

Training & Education
A broad program that includes training, education, awareness, and outreach must be developed to deliver a multitude of security messages through various means to all employees. Formal instructor-led training, computer or Internet-based training, videos, conferences, forums, and other technology-based and traditional delivery methods are all examples of what must be part of the integrated security training, education, and awareness program.
Important considerations for a security awareness training program are:
Mandatory security awareness: Ensure that security awareness training is mandatory for all staff.
Training for third parties: Ensure that all third parties who are having access to an organization's information assets
Training is required before access is granted: Security awareness training commences with a formal induction process designed to introduce the organization's information security policies and expectations before access is granted to information or services.
Acknowledge policy: Ensure that all have acknowledged that they have read and understood the organization's information security / acceptable use policy.
Training at least annually: Ensure that all target audiences, including third parties, are given security awareness training at least once a year.
Implementation of Information Security Policies
Appropriate implementation of information security policy helps in minimizing internal security breaches that are accidental and unintentional. The following may help in smooth and successful implementation of information security policies.

Increasing Awareness
The information security department should understand the level of employee awareness in order to determine the effectiveness of the information security policy.

Communicating Effectively
Ensuring that employees understand the reason to comply with information security policies; communication guidelines include:
• Target communications for various user communities.
• Provide a list of policy updates in the annual training.
• Supplement primary communication vehicles with website and newsletter articles.

Simplify Enforcement
• Creating a manageable number of policies & convincing employees to comply with every policy.
• Making policies understandable for target audiences by using language that is suited to the target users.
• Making it easy to comply.
• Integrating security with business processes so employees will not need to bypass security procedures while doing business operations.
• Aligning policies with job requirements.
• Generating a higher level of compliance by creating realistic, workable policies.

Integrating Security with the Corporate Culture
• Making employees a partner in the security challenge: the security team is there to help them instead of to police them.
• Making security policy part of a larger compliance initiative: work with human resources, legal, and other compliance teams.
• Tying security policies to the company's code of business conduct: educate employees on vital compliance, information security for overall success.

Issues and Challenges of Information Security Management
Organization's strategic drivers: Strategic drivers and needs of the organization may conflict with the actions required to ensure that assets and processes remain productive.
Regulatory requirements: Just as the organization must expose itself to its environment to operate, so must it be willing to accept the limitations imposed by regulators.
Information security as an afterthought: It is a norm to follow a checklist to understand whether any of the security 'holes' remained unplugged.
Lack of integration in system design and security design: Development duality is a phenomenon where systems and security design are undertaken in parallel rather than in an integrated manner.
www.prokhata.com 71
CA Rajat Agrawal
Module - 5 Protection of Information Assets Chapter 3 Physical and Environmental Controls
CHAPTER 3:
PHYSICAL AND ENVIRONMENTAL CONTROLS
Objectives of Physical Access Controls
An access control system determines who is allowed, where they are allowed, and when they are allowed to enter or exit. Physical access controls restrict physical access to resources and protect them from intentional and unintentional loss or impairment. Assets to be protected could include: primary computer facilities, cooling system facilities, microcomputers, telecommunications equipment and lines (including wiring closets), and sensitive areas such as buildings, individual rooms or equipment.

Physical Security Threats and Exposures
A threat is an event whose occurrence has an adverse impact on the well-being of assets.
Sources of Physical Security Threats
The sources of physical access threats can be broadly divided into the following, based on the nature of access:
• Physical access to IS resources by unauthorized personnel
• Authorized personnel gaining access to information systems resources for which they are not authorized
• Authorized personnel having pre-determined rights of access misusing their rights in a manner prejudicial to the interests of the organization
The perpetrators or sources of physical threats can be as follows:
• Accidental/ignorant persons who unknowingly perpetrate a violation
• Discontented or disgruntled employees
• Employees on strike, or issues at an outsourced agency
• Employees under termination
• Employees experiencing financial or emotional problems
• Persons addicted to substances, or gamblers
• Interested or informed outsiders
Physical Access Exposures to Assets
Unintentional or Accidental: Authorized or unauthorized persons unintentionally gaining physical access to IS resources.
Deliberate: Unauthorized personnel may deliberately gain access for which they are not permitted.
Losses: Improper physical access to IS resources may result in losses to the organization.

Physical Security Control Techniques
Choosing and Designing a Secure Site
Local considerations: What is the local rate of crime?
External services: The relative proximity of local emergency services.
Visibility: Facilities such as data centres should not be visible or identifiable from the outside, i.e. no windows or directional signs.
Windows: Windows are normally not acceptable in a data centre (if they exist, they must be translucent and shatterproof) to avoid data leakage through electromagnetic radiation emitted by monitors.
Doors: Doors in the computer centre must resist forcible entry and have a fire rating equal to the walls. Emergency exits must be clearly marked and monitored or alarmed.
Security Management
Controlled user registration procedure: Rights of physical access are given only to persons entitled thereto, based on the principle of least privilege.
Audit trails: Audit trails and access control logs are vital because management needs to know when access attempts occurred and who attempted them. These must record:
• The date and time of the access attempt
• Whether the attempt was successful or not
• Where the access was granted
• Who attempted the access
• Who modified the access privileges
Reporting and incident handling procedure: Once an unauthorized event is detected, appropriate procedures should be in place to enable reporting. The security administrator should be kept notified.
Emergency Procedures: The implementation of emergency procedures, together with employee training and knowledge of these procedures, is an important part of administrative physical controls. These procedures should be clearly documented, readily accessible (including copies stored off-site in the event of a disaster), and updated periodically.
Human Resource Controls: These include providing identity cards, training in physical security, monitoring behaviour etc. One of the most important controls is the process of providing access cards to employees, vendor personnel working onsite and visitors.
Perimeter Security
Guards: Guards are commonly deployed in perimeter control, depending on the cost and sensitivity of the resource to be secured. While guards are capable of applying subjective intelligence, they are also subject to the risks of social engineering.
Dogs: They are reliable and have a keen sense of smell and hearing, but cannot make judgement calls.
Compound Walls and Perimeter Fencing: Securing against unauthorized boundary access helps in deterring casual intruders. Ineffective against a determined intruder.
Lighting: Extensive outside lighting of entrances or parking areas can discourage casual intruders.
Dead Man Doors: A pair of doors. The first entry door must close and lock so that only one person is permitted. Used to reduce the risk of piggybacking.
Bolting Door Locks: Require a traditional metal key to gain entry.
Combination or Cipher Locks: Also known as cipher locks, use a numeric keypad or dial to gain entry.
Electronic Door Locks: Use electronic card readers, smart card readers or optical scanners to gain entry. They have the following advantages:
• Provide a higher level of security than the others.
• Distinguish between various categories of users.
• Access is restricted through a special internal code.
• Duplication is difficult.
• Can be deactivated from a central electronic control mechanism.
• Include card swallow, which after a number of failed attempts activates an audible alarm.
Biometric Door Locks: Enable access based on physiological features such as voice, fingerprint, hand geometry, retina scan etc. and are known as the more sophisticated method. They have a high cost of acquisition, implementation and maintenance, and are time consuming.
Perimeter Intrusion Detectors
Photoelectric Sensors: Photoelectric sensors receive a beam of light from a light-emitting device, creating a grid of white light or invisible infrared light. An alarm is activated when the beams are broken.
Dry Contact Switches: Metallic foil tape on windows or metal contact switches on doorframes to detect when a door or window has been opened.
Video Cameras: Provide preventive and detective control. They have to be supplemented by security monitoring and guards for taking corrective action.
Identification Badge: Special identification badges such as employee cards, privileged access passes and visitor passes enable tracking the movement of personnel.
Manual Logging: All visitors to the premises are prompted to sign a visitor's register/log.
Electronic Logging: Records the date and time of entry and exit of the cardholder by requiring the person to swipe the card; it can also be done with electronic or biometric devices.
Controlled Single Point Access: Identifying and eliminating or disabling entry from all entry points except one.
Controlled Visitor Access: A pre-designated responsible employee or security staff escorts all visitors.
Bonded Personnel: Contractors or employees are required to execute a financial bond. Such a bond does not improve security but reduces the financial impact due to improper access/misuse of information resources.
Wireless Proximity Readers: The card reader senses the card in possession of a user in the general area (proximity) and enables faster access.
Alarm Systems/Motion Detectors: Provide detective controls and highlight security breaches to prohibited areas.
Secured Distribution Carts: One of the concerns in batch output control is to get the printed hardcopy reports (which may include confidential materials) securely to the intended recipients. Distribution trolleys with fixed containers are secured by locks; the respective user team holds the keys of the relevant container.
Cable Locks: A plastic-covered steel cable that chains a PC, laptop or peripherals to the desk or other immovable objects.
Port Controls: Devices that secure data ports (such as a floppy drive or a serial or parallel port) and prevent their use.
Switch Controls: A cover for the on/off switch.
Peripheral Switch Controls: Lockable switches that prevent a device such as a keyboard from being used.
Biometric Mouse: A specially designed mouse usable only by a pre-determined/pre-registered person based on physiological features.
Laptops Security: Cable locks, biometric mice/fingerprint/iris recognition and encryption of the data available to protect laptops and the data therein.
Smart Cards
Photo-Image Cards: Simple identification cards with the photo of the bearer.
Digital-Coded Cards: Contain chips or magnetically encoded strips. The card reader may be programmed to accept or deny entry based on an online access control computer.
Wireless Proximity Readers: The card reader senses the card in possession of a user in the general area (proximity) and enables access.
Auditing Physical Access Controls
Auditing physical access requires that the auditor review the physical access risks and controls to form an opinion on the effectiveness of these controls. This involves risk assessment, review of documentation and testing of controls.
Risk Assessment: The auditor should satisfy himself that the risk assessment procedure adequately covers periodic and timely assessment of all assets, physical access threats, vulnerabilities of safeguards and exposures.
Controls Assessment: Based on the risk profile, the auditor evaluates whether physical access controls are in place and adequate to protect the IS assets against the risks.
Review of Documentation: Planning for the review of physical access controls requires examination of relevant documentation such as the security policy and procedures, premises plans, building plans, etc.
Testing of Controls: This involves:
• Tour of organizational facilities: computer storage rooms, communication closets, backup and off-site facilities, printer rooms, disposal yards and bins, all points of entry/exit, glass windows and walls.
• Interviewing personnel to get information on procedures.
• Observation of safeguards and physical access procedures.
• Review of physical access procedures, including user registration and authorization, special access authorization, logging, periodic review, supervision etc.
• Employee termination procedures should provide for withdrawal of rights, such as retrieval of physical devices (smart cards, access tokens), deactivation of access rights and its appropriate communication to relevant constituents in the organization.
• Examination of physical access logs and reports, including incident reporting logs and problem resolution reports.
Environmental Controls
Environmental threats to information assets include threats primarily relating to facilities and supporting infrastructure, which house and support the computing equipment, media and people. The IS auditor should review all factors that adversely affect the confidentiality, integrity and availability of the information due to undesired changes in the environment or ineffective environmental controls.
Objectives of Environmental Controls
The objectives are the same as discussed in the section on physical controls. The perspective of environmental exposures and controls may be categorized as:
• Hardware and Media
• Information Systems Supporting Infrastructure or Facilities
• Documentation
• Supplies
• People
Environmental Threats and Exposures
Exposures from environmental threats may lead to total or partial loss of computing facilities, equipment, documentation and supplies, causing loss or damage to organizational data and information and, more importantly, people. They may significantly and adversely impact the availability, integrity and confidentiality of information.
Natural Threats and Exposures
• Natural disasters such as earthquakes, floods, volcanoes, hurricanes and tornadoes
• Extreme variations in temperature such as heat or cold, snow, sunlight, etc.
• Static electricity
• Humidity, vapours, smoke and suspended particles
• Insects and organisms such as rodents, termites and fungi
• Structural damage due to disasters
• Pandemic due to virus etc.
Man-made Threats and Exposures
• Fire due to negligence and human action
• Threats from terrorist activities
• Power: uncontrolled/unconditioned power, blackout, transients, spikes, surges, low voltage
• Equipment failure
• Failure of air-conditioning, humidifiers, heaters
• Food particles and residues, undesired activities in computer facilities such as smoking
• Structural damage due to human action/inaction and negligence
• Electrical and Electromagnetic Interference (EMI) from generators, motors
• Radiation
• Chemical/liquid spills or gas leaks due to human carelessness or negligence
Techniques of Environmental Controls
The IS supporting infrastructure and facilities should provide a conducive environment for the effective and efficient functioning of the information processing facility (IPF). Based on the risk assessment, computing equipment, supporting equipment, supplies, documentation and facilities should be appropriately protected to reduce the level of risk from environmental threats.
Choosing and Designing a Safe Site
Natural disasters: While establishing an IPF, the organization should consider issues related to the probability of natural disasters.
Windows: Not acceptable in the data centre. If they exist, they must be translucent and shatterproof.
Doors: Must resist forcible entry and have a fire rating equal to the walls.
Facilities Planning
As part of facilities planning, the security policy should provide for specific procedures for analysis and approval of facilities building and refurbishment plans. The documentation of the physical and geographical location and arrangement of computing facilities and environmental security procedures should be modified promptly for any changes thereto. Access to such documentation should be strictly controlled.
Walls: Walls must have an acceptable fire rating.
Ceilings: Issues of concern regarding ceilings are the weight-bearing rating and the fire rating.
Floors: If the floor is a concrete slab, the concerns are the physical weight it can bear and its fire rating. Electrical cables must be enclosed in metal conduit, and data cables must be enclosed in raceways. Ideally, an IPF should be located between floors and not at or near the ground floor, nor should it be located at or near the top floor.
Fire-resistant walls, floors and ceilings: The construction of the IPF should use fire-resistant materials for walls, floors and ceilings.
Concealed protective wiring: Power and communication cables should be laid in separate fire-resistant panels and ducts.
Media protection: Location of media libraries, fireproof cabinets, and the kind of media used (fungi resistant, heat resistant).
Emergency Plan
Disasters can cause environmental threats; to mitigate these risks, organizations should have evacuation plans, prominently display evacuation paths, and establish reporting procedures. Regular inspections, testing and supervision of environmental controls should be carried out, with results escalated as needed. Emergency evacuation plans should account for the layout of the premises, shut-down of equipment, and activation of fire suppression systems. Incident handling procedures and protocols should also be included in administrative procedures.

Maintenance Plans
MTBF and MTTR: A comprehensive maintenance and inspection plan is critical to the success of environmental security and controls. The failure modes of each utility and the risks of utility failure should be identified, parameterized and documented. This includes estimating the MTBF (Mean Time Between Failures) and MTTR (Mean Time To Repair). For utilities with a low MTBF, planning for environmental controls would need to evaluate alternatives or install redundant units. Stocking spare parts on site and training maintenance personnel can reduce MTTR. MTBF should be high and MTTR should be low.
Ventilation and Air Conditioning
Controlled temperature in the IPF is crucial for the maintenance of internal components of equipment and processing. Dedicated power circuits for air conditioning units should be installed, and intake vents should be protected to prevent toxins from entering the facility.
Power Supplies
Many aspects may threaten the power system, the most common being noise and voltage fluctuations. Noise in power systems refers to the presence of electrical radiation in the system. There are several types of noise, the most common being electromagnetic interference (EMI) and radio frequency interference (RFI). Voltage fluctuations are classified as sag (momentary low voltage), brownout (prolonged low voltage), spike (momentary high voltage), surge (prolonged high voltage) and blackout (complete loss of power).
Uninterruptible power supply (UPS)/generator: A UPS consists of a battery backup that interfaces with the external power. On interruption of the external power supply, power continues to be supplied from the battery. A UPS can be on-line or off-line, but for a computerized environment an on-line UPS is mandated.
Electrical surge protectors/line conditioners: Cleanse the incoming power supply of such quality problems and deliver clean power to the equipment. These are the most effective control to protect against short-term reductions in electrical power as well as against a high-voltage power burst.
Power leads from two sub-stations: Electric power lines may be exposed to many environmental and physical threats. To protect against such exposures, redundant power lines from a different grid supply should be provided for. Interruption of one power supply should result in the system immediately switching over to the stand-by line.
Fire Detection and Suppression System
Improper maintenance of temperature leads to damage of internal components.
Smoke and Fire Detectors: Smoke and fire detectors activate audible alarms or fire suppression systems on sensing a particular degree of smoke or fire. Such detectors should be placed at appropriate places, above and below the false ceiling, and in ventilation and cabling ducts. In the case of critical facilities, such devices must be linked to a monitoring station (such as a fire station). Smoke detectors should supplement and not replace fire suppression systems.
Fire Alarms: Manually activated fire alarm switches should be located at appropriate locations, prominently visible and easily accessible in case of fire (but should not be easily capable of misuse at other times).
Emergency Power Off: When the necessity of immediate power shutdown arises, emergency power-off switches should be provided. There should be one within the computer facility and another just outside the computer facility. Such switches should be easily accessible.
Water Detectors: Risks to IPF equipment from flooding and water logging can be controlled by the use of water detectors placed under the false flooring or near drain holes.
Fire Suppression Systems: Rated as Class A, B, C or D based upon the material composition of the fire. Fires caused by common combustibles (like wood, cloth, paper, rubber, most plastics) are classed as Class A and are suppressed by water or soda acid (sodium bicarbonate). Fires caused by flammable liquids and gases are classed as Class B and are suppressed by carbon dioxide (CO2), soda acid, or FM200. Electrical fires are classified as Class C fires and are suppressed by carbon dioxide (CO2) or FM200. Fires caused by flammable chemicals and metals (such as magnesium and sodium) are classed as Class D and are suppressed by dry powder (a special smothering and coating agent). Class D fires usually occur only at places like chemical laboratories and rarely occur in office environments.
(a) Water Based Systems
Wet pipe sprinklers: Sprinklers are provided at various places in the ceiling or on the walls and water is charged in the pipes. As generally implemented, a fusible link in the nozzle melts in the event of a heat rise, causing a valve to open and allowing water to flow.
Dry-pipe sprinklers: The water is not kept charged in the pipes; the pipes remain dry and, upon detection of a heat rise by a sensor, water is pumped into the pipes. This overcomes the disadvantage of wet pipe systems, such as water leakages.
Pre-action: Combines both the dry and wet pipe systems by first releasing the water into the pipes when heat is detected (dry pipe) and then releasing the water flow when the link in the nozzle melts (wet pipe).
(b) Gas Based Systems
Carbon dioxide: Discharges CO2, thus effectively cutting off the oxygen supply from the air, which is a critical component for combustion. Recommended only in unmanned computer facilities.
FM200: FM200 is an inert gas; it does not damage equipment as water systems do and does not leave any liquid or solid residues. Not safe for humans as it reduces the level of oxygen.
Auditing Environmental Controls
The audit includes the following activities:
• Inspect the IPF and examine the construction with regard to the type of materials used, by referring to the appropriate documentation.
• Visually examine the presence of water and smoke detectors, and examine power supply arrangements to such devices, testing logs, etc.
• Examine the location of fire extinguishers and fire-fighting equipment and the refilling dates of fire extinguishers, and ensure they are adequate and appropriate.
• Examine emergency procedures, evacuation plans and marking of fire exits. If considered necessary, the IS auditor can also require a mock drill to test the preparedness with respect to disaster.
• Examine documents for compliance with legal and regulatory requirements as regards fire safety equipment, external inspection certificates, and shortcomings pointed out by other inspectors/auditors.
• Examine power sources and conduct tests to assure the quality of power and the effectiveness of power conditioning equipment and generators; simulate power supply interruptions to test the effectiveness of back-up power.
• Examine environmental control equipment such as air-conditioning, dehumidifiers, heaters, ionizers etc.
• Examine complaint logs and maintenance logs to assess whether MTBF and MTTR are within acceptable levels.
• Observe activities in the IPF for any undesired activities such as smoking, consumption of eatables etc.
• As part of the audit procedures, the IS auditor should document all findings as part of the working papers. The working papers could include audit assessment, audit plan, audit procedure, questionnaires, interview sheets, inspection charts, etc.

CHAPTER 4:
LOGICAL ACCESS CONTROLS
Objectives of Logical Access Controls
To ensure that authorized users can access the information resources as per their roles and responsibilities, by providing access on a "need to know and need to do" basis. It is all about protection of information assets in all three states, namely: at rest, in transit and in process.
Paths of Logical Access
The auditor has to identify and document the possible logical access paths permitting access to information resources, which may involve testing security at various systems.
Logical Access Attacks and Exposures
Masquerading: It means disguising or impersonation. It may be attempted through stolen logon IDs and passwords, through finding security gaps in programs, or by bypassing the authentication mechanism.
Piggybacking: Unauthorized access to information by using a terminal that is already logged on with an authorized ID (identification) and left unattended.
Wiretapping: Tapping a communication cable to collect information being transmitted.
Denial of Service: The perpetrator attempts to send multiple session requests, resulting in non-availability of sessions for legitimate users.
Social Engineering: This is an attack on the weakest link, i.e. the human. Different means, including spoofing and masquerading, result in a person revealing confidential information.
Phishing: The user receives a mail requesting them to provide information. The mail and link appear to come from the actual originator. Ignorant users click on the link and provide confidential information.
Vishing: Uses a technique similar to phishing, over the telephone.
Key Logger: The perpetrator installs software that captures the key sequence used by the user, including login information. There are also hardware key loggers available that are connected to the system where the keyboard is attached.
Malware: Captures and transmits information from the compromised system. Intentionally causes disruption and harm, or circumvents or subverts the existing system's function.
Access Control Mechanism
The primary function of logical access control is to allow authorized access and prevent unauthorized access. The access control mechanism is actually a three-step process:
Identification: Identification is a process by which a user provides a claimed identity to the authentication system, such as an account number.
Authentication: Authentication is a mechanism through which the user's claim is verified by the system.
Authorization: The authenticated user is allowed to perform a pre-determined set of actions on eligible resources.
It is necessary to apply access control at each layer of an organization's information system architecture to control and monitor access in and around the controlled area.
Identification Techniques
Identification is a process by which a user provides a claimed identity to the system, such as an account number. Authentication is the process of verifying whether the identity claimed by the user is true or false. The three categories of authentication factors are: something the user knows (e.g., a password), something the user has (e.g., a token or smart card), and something the user is (a physical/biometric comparison).
Individual authentication strength increases when multiple authentication technologies and techniques are combined and used. Single-factor authentication uses any one of these authentication factors; two-factor or dual-factor authentication uses two factors, and three-factor authentication uses all three. Once the user is authenticated, the system must be configured to validate that the user is authorized (has a valid need-to-know) for the resource and can be held accountable for any actions taken. A default denial policy, where access to the information resource is denied unless explicitly permitted, should be mandated.
Authentication Techniques
1. Passwords and PINs
Password: This is the most common authentication technique that depends on remembered information. Once the system is able to match both fields successfully, it authenticates the user and enables access to resources based on the access control matrix. However, if a match is not successful, the system returns a message (such as "Invalid User-id or password").
Personal Identification Numbers (PINs): A type of password, usually a 4-digit numeric value. The PIN should be randomly generated such that a person or a computer cannot guess it in sufficient time by using a guess-and-check method.
2. One-Time Passwords: One-time passwords solve the problems of user-derived passwords. With one-time passwords, each time the user tries to log on he is given a new password. Even if an attacker intercepts the password, he will not be able to use it to gain access, because it is good for only one session and a predetermined limited time period. It is more secure.
3. Challenge Response System: The user identifies himself to the server by presenting his user ID. The server then responds with a challenge; the user types the challenge into the device, the device responds with an output, and the user sends that output to the server. It allows the password to be based on changing input rather than just time.
4. Passphrase: A passphrase is similar to a password in usage, but is generally longer for added security. Passphrases are often used to control both access to, and operation of, cryptographic programs and systems, especially those that derive an encryption key from a passphrase.
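The one-time password and challenge-response descriptions above fit together in a short protocol. The following is an added example, not code from the chart or its author: the server issues a random challenge, the user's device answers with an HMAC over that challenge, and the server accepts an answer only once and only within a lifetime, so an intercepted response is of no use for the next session. The device key, the user ID, the fixed challenge strings, the 60-second lifetime and all class and function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed per-device key shared between the token and the server.
DEVICE_KEY = b"constructed-demo-device-key"


def device_response(device_key, challenge):
    """Token side: answer the server's challenge with an HMAC over it."""
    return hmac.new(device_key, challenge.encode(), hashlib.sha256).hexdigest()


class ChallengeResponseServer:
    """Server side: a fresh random challenge per logon attempt, a bounded
    lifetime, and no reuse of a challenge once it has been answered."""

    def __init__(self, keys_by_user, ttl_seconds, clock):
        self._keys = keys_by_user   # user ID -> device key
        self._pending = {}          # user ID -> (challenge, issued_at)
        self._answered = set()
        self._ttl = ttl_seconds
        self._clock = clock         # injectable clock keeps the demo deterministic

    def issue_challenge(self, user_id, challenge=None):
        if user_id not in self._keys:
            return None
        challenge = challenge or secrets.token_hex(16)  # 128-bit random nonce
        self._pending[user_id] = (challenge, self._clock())
        return challenge

    def verify(self, user_id, response):
        pending = self._pending.pop(user_id, None)  # one attempt per challenge
        if pending is None:
            return False
        challenge, issued_at = pending
        if self._clock() - issued_at > self._ttl or challenge in self._answered:
            return False
        expected = device_response(self._keys[user_id], challenge)
        if not hmac.compare_digest(expected, response):
            return False
        self._answered.add(challenge)
        return True


def run_exchange():
    """Genuine logon, replay of a captured answer, and an answer that is late."""
    now = [1000.0]
    server = ChallengeResponseServer({"alice": DEVICE_KEY}, 60, lambda: now[0])
    # 1. Server -> user: challenge; user -> device -> server: response.
    c1 = server.issue_challenge("alice", challenge="c0ffee01")
    r1 = device_response(DEVICE_KEY, c1)
    genuine = server.verify("alice", r1)
    # 2. A captured response r1 is presented against the next challenge.
    server.issue_challenge("alice", challenge="c0ffee02")
    replayed = server.verify("alice", r1)
    # 3. A correct answer that arrives after the challenge has expired.
    c3 = server.issue_challenge("alice", challenge="c0ffee03")
    now[0] += 61
    late = server.verify("alice", device_response(DEVICE_KEY, c3))
    return {"genuine": genuine, "replayed": replayed, "expired": late}
```

In practice the challenge comes from `secrets.token_hex`; the fixed values in `run_exchange` exist only so the walk-through is reproducible. Because the answer is bound to a challenge the server chose, the "password" changes with every logon, which is the property the chart attributes to one-time passwords and challenge-response systems.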
Logon Mechanism
Weaknesses of Logon Mechanism
• Passwords are easily shared.
• Users often advertently or inadvertently reveal passwords.
• Repeated use of the same password.
• If a password is too short or too easy, it can be guessed.
• If a password is too long or too complex, it may be forgotten.
Recommended Practices for Strong Passwords
• The system should be configured to force a password change on first login.
• The system should be configured to force periodic password changes, e.g. once in 60 days.
• The system should be configured for a minimum age of the password.
• Concurrent logins should not be permitted.
• Passwords should not be too short and should not use the name of the user, pet names, common words found in a dictionary or such other attributes.
Attacks on Logon/Password Systems
Brute Force: The attacker tries out every possible combination to hit on a successful match. The attacker may also use various password cracking software tools that assist in this effort.
Dictionary Attack: Based on the assumption that users tend to use common words as passwords, which can be found in a dictionary.
Trojan: Malicious software that can be used to steal access control lists, passwords and similar information.
Spoofing Attacks: The attacker plants a Trojan program which masquerades as the system's logon screen, gets the logon and password information and returns control to the genuine access control mechanism.
Piggybacking: An unauthorized user may wait for an authorized user to log in and leave a terminal unattended. This can be controlled by automatically logging out from the session after a pre-determined period of inactivity.
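The recommended practices and the attacks listed above map directly onto checks a logon service can enforce. The following is an added example, not code from the chart or its author: forced change on first login, expiry after the chart's 60 days, a minimum password age, refusal of a concurrent login, a lockout that blunts brute-force and dictionary guessing, and treatment of an unattended session as logged out after an idle period. The 1-day minimum age, the 5-attempt lockout, the 15-minute idle timeout, the word list, the account names and all function names are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import hmac
import os

# 60-day expiry is the chart's figure; the other limits are assumed for the demo.
MIN_LENGTH = 8
MAX_AGE = timedelta(days=60)
MIN_AGE = timedelta(days=1)
MAX_FAILURES = 5
IDLE_TIMEOUT = timedelta(minutes=15)
DICTIONARY = {"password", "welcome", "letmein", "summer"}  # constructed word list

def policy_violations(candidate, username):
    """Rules a candidate password breaks (pet names etc. would be checked alike)."""
    problems, low = [], candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if username.lower() in low:
        problems.append("contains user name")
    if low in DICTIONARY:
        problems.append("dictionary word")
    return problems

def hash_password(pw, salt=None):
    salt = salt or os.urandom(16)  # salted PBKDF2: the password itself is never stored
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_at: datetime
    must_change: bool = True  # forces a change on first login
    failures: int = 0
    locked: bool = False
    session_last_seen: Optional[datetime] = None

class LogonService:
    def __init__(self):
        self.accounts = {}

    def create(self, username, initial_pw, now):
        salt, digest = hash_password(initial_pw)
        self.accounts[username] = Account(username, salt, digest, now)

    def logon(self, username, pw, now):
        acct = self.accounts.get(username)
        if acct is None:      # same generic answer as for a wrong password,
            return "invalid"  # like the chart's "Invalid User-id or password"
        if acct.locked:
            return "locked"
        _, digest = hash_password(pw, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked = True  # blunts brute-force and dictionary guessing
                return "locked"
            return "invalid"
        acct.failures = 0
        # A live session blocks a second logon; one idle for IDLE_TIMEOUT counts as logged out.
        if acct.session_last_seen and now - acct.session_last_seen < IDLE_TIMEOUT:
            return "concurrent login denied"
        acct.session_last_seen = now
        if acct.must_change or now - acct.changed_at > MAX_AGE:
            return "must change password"
        return "ok"

    def change_password(self, username, new_pw, now):
        acct = self.accounts[username]
        if not acct.must_change and now - acct.changed_at < MIN_AGE:
            return ["changed too recently"]  # minimum password age
        problems = policy_violations(new_pw, username)
        if problems:
            return problems
        acct.salt, acct.digest = hash_password(new_pw)
        acct.changed_at, acct.must_change = now, False
        return []

def run_scenario():
    """Walk one constructed account through the rules; returns the outcomes."""
    svc, t0 = LogonService(), datetime(2024, 1, 1, 9, 0)
    svc.create("bob", "Temp#Pass2024", t0)
    out = [svc.logon("bob", "Temp#Pass2024", t0)]  # first login
    out.append(svc.change_password("bob", "bob12345", t0))
    out.append(svc.change_password("bob", "welcome", t0))
    out.append(svc.change_password("bob", "Corr3ct-Horse!", t0))
    out.append(svc.change_password("bob", "An0ther-0ne!", t0 + timedelta(hours=2)))
    out.append(svc.logon("bob", "Corr3ct-Horse!", t0 + timedelta(minutes=5)))
    out.append(svc.logon("bob", "Corr3ct-Horse!", t0 + timedelta(minutes=30)))
    out.append(svc.logon("bob", "Corr3ct-Horse!", t0 + timedelta(days=61)))
    for _ in range(MAX_FAILURES):  # repeated wrong guesses
        last = svc.logon("bob", "wrong-guess", t0 + timedelta(days=61))
    out.append(last)
    out.append(svc.logon("eve", "anything", t0))  # unknown ID
    return out
```

The generic "invalid" answer for both an unknown ID and a wrong password is deliberate: it matches the chart's single "Invalid User-id or password" message and gives a guesser no hint about which half was wrong.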

5. Token Based Authentication
Memory tokens: The cards contain visible information such as name, identification number, photograph and other such information about the user, and a magnetic strip or memory chip. To gain access to a system, the user in possession of a memory token may be required to swipe his card through a card reader, which reads the information on the magnetic strip/memory token and passes it on to the computer for verification to enable access.
Smart tokens: A small processor chip, which enables storing dynamic information on the card.
6. Biometric Authentication
Biometrics offers authentication based on "what the user is". Biometrics are automated mechanisms which use physiological and behavioural characteristics to determine or verify identity. Fingerprint, facial scan, hand geometry, signature etc. are examples.
Due to the complexity of the data, biometrics suffer from two types of error, viz. False Rejection Rate (FRR), which is wrongfully rejecting a rightful user, and False Acceptance Rate (FAR), which involves an unauthorized user being wrongfully authenticated as a rightful user. FRR and FAR tend to be inversely related. An overall metric used is the Crossover/Equal Error Rate, which is the point at which FRR equals FAR.
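The FRR/FAR trade-off and the crossover point above are easiest to see by computing them. The following is an added example, not code from the chart or its author: it takes matcher similarity scores for genuine users and for impostors, computes FRR and FAR at a given acceptance threshold, and scans thresholds to find where the two rates meet. The score lists, the threshold grid and the function names are constructed for the demonstration and are not real biometric data.

```python
def frr_far(genuine_scores, impostor_scores, threshold):
    """A match is accepted when score >= threshold.
    FRR: share of genuine users rejected; FAR: share of impostors accepted."""
    frr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    far = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    return frr, far


def crossover_error_rate(genuine_scores, impostor_scores, thresholds):
    """Scan the thresholds and return (threshold, rate) where FRR and FAR are
    closest to equal: the Crossover / Equal Error Rate."""
    best = None
    for t in thresholds:
        frr, far = frr_far(genuine_scores, impostor_scores, t)
        if best is None or abs(frr - far) < best[0]:
            best = (abs(frr - far), t, (frr + far) / 2)
    return best[1], best[2]


# Constructed matcher scores (0 = no similarity, 1 = identical), not real data.
GENUINE = [0.92, 0.88, 0.95, 0.70, 0.81, 0.60, 0.97, 0.85, 0.77, 0.90]
IMPOSTOR = [0.10, 0.35, 0.55, 0.20, 0.65, 0.40, 0.30, 0.75, 0.15, 0.50]
THRESHOLDS = [i / 20 for i in range(21)]  # 0.00, 0.05, ..., 1.00


def tradeoff_table():
    """FRR/FAR at a loose threshold, at the crossover, and at a strict one,
    showing the inverse relation the chart describes."""
    t_eer, eer = crossover_error_rate(GENUINE, IMPOSTOR, THRESHOLDS)
    rates = {t: frr_far(GENUINE, IMPOSTOR, t) for t in (0.5, t_eer, 0.9)}
    return rates, (t_eer, eer)
```

With these scores a loose threshold of 0.5 rejects no genuine user but admits 40% of impostors, a strict threshold of 0.9 admits no impostor but rejects 60% of genuine users, and the two rates cross at 0.7, where each is 10%. Tightening one rate loosens the other, which is why the crossover rate is quoted as a single figure of merit for a device.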
Authorization Techniques: Operating Systems
Operating systems are fundamental to provide security to computing systems. e operating system supports the execution of applications and any security constraints de ned at that level must be enforced by the operating system. e
operating system must also protect itself because compromise would give access to all the user accounts and all the data in their les. Most operating systems use the access matrix as security model. An access matrix de nes which processes
have what types of access to speci c resources. General operating systems access control functions include:
• Authentication of the user & User Management • Restrict Logon IDs to speci c workstations and / or speci c times • Manage :Password Policy, Account Lockout Policy • Manage audit policy • Log events and report capabilities

Pluggable Authentication Modules
• The pluggable authentication module (PAM) framework provides system administrators with the ability to incorporate multiple authentication mechanisms into an existing system.
• Add new authentication service modules without modifying existing applications.
• Use a previously entered password for authentication with multiple modules.
• A general authentication scheme independent of the authentication mechanism may be used.

File Permissions
Every file is owned by a user and can be accessed by its owner, group or public, depending upon access permissions. When a user creates a file or directory, that user becomes the default owner of that file or directory. There are three types of file permissions: read, write and execute.

Access Control Lists (ACL)
When the system receives a request, it determines access by consulting a hierarchy of rules in the ACL. An ACL has one or more access control entries (ACEs), each consisting of the name of a user or a group of users. The user can also be a role name, such as programmer or tester. For each of these users, groups, or roles, the access privileges are stated in a string of bits called an access mask. Generally, the system, administrator or the object owner creates the access control list for an object.
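The access mask and ACE ideas above, worked through as an added example (this is not code from the chart): a grant-only ACL whose entries name users, groups or roles and carry a three-bit mask, beside the classic Unix owner/group/other check on a file mode. Principal names such as "alice", "developers" and "tester" are constructed.

```python
# Added example, not from the chart: an ACL made of access control entries
# (ACEs), each naming a user, group or role and carrying an access mask
# (a string of permission bits), beside a Unix-style owner/group/other check.
# Principal names such as "alice", "developers" and "tester" are constructed.
from dataclasses import dataclass
from typing import FrozenSet, Iterable

READ, WRITE, EXECUTE = 0b100, 0b010, 0b001   # bits of the access mask


@dataclass(frozen=True)
class Ace:
    principal: str   # user name, group name or role name
    mask: int        # operations this entry permits


@dataclass(frozen=True)
class Subject:
    user: str
    groups: FrozenSet[str]
    roles: FrozenSet[str]


def acl_allows(acl: Iterable[Ace], subject: Subject, wanted: int) -> bool:
    """Consult every ACE that names the subject directly or through one of its
    groups or roles; the request succeeds only if the union of those masks
    covers every requested bit (a grant-only ACL, no deny entries)."""
    names = {subject.user} | subject.groups | subject.roles
    effective = 0
    for ace in acl:
        if ace.principal in names:
            effective |= ace.mask
    return effective & wanted == wanted


def unix_allows(mode: int, owner: str, group: str, subject: Subject, wanted: int) -> bool:
    """Owner / group / other check against a 9-bit mode such as 0o640: the
    first class the subject falls into decides, as in traditional Unix."""
    if subject.user == owner:
        bits = (mode >> 6) & 0b111
    elif group in subject.groups:
        bits = (mode >> 3) & 0b111
    else:
        bits = mode & 0b111
    return bits & wanted == wanted


def describe_mask(mask: int) -> str:
    """Render a mask the way ls does, e.g. READ | EXECUTE gives 'r-x'."""
    return "".join(ch if mask & bit else "-"
                   for ch, bit in (("r", READ), ("w", WRITE), ("x", EXECUTE)))


if __name__ == "__main__":
    acl = [Ace("alice", READ | WRITE), Ace("developers", READ), Ace("tester", EXECUTE)]
    bob = Subject("bob", frozenset({"developers"}), frozenset({"tester"}))
    print("bob read+execute:", acl_allows(acl, bob, READ | EXECUTE))
    print("bob write:", acl_allows(acl, bob, WRITE))
    print("mode 0o640, bob read:", unix_allows(0o640, "alice", "developers", bob, READ))
```

Note the difference in evaluation: the ACL unions every matching entry, while the Unix mode picks one class and stops, so a user who is the owner gets the owner bits even when the group bits are more generous. Real ACL systems also carry deny entries and order-dependent rules, which this grant-only version leaves out.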
Logical Access Control Techniques

Logical Access Controls Policy and Procedures
Access control policy is part of the overall information security policy. It states a set of rules, principles, and practices that determine how access controls are to be implemented.

User Management

User Registration
This is generally done based on the job responsibilities and confirmed by the user's manager. This must be approved by the information owner. The user registration process must answer:
• Why is the user granted the access?
• Has the data owner approved the access?
• Has the user accepted the responsibility?

Privileged User Management
Access privileges are to be aligned with job requirements and responsibilities. These are defined and approved by the information asset owner. In these cases manual monitoring and periodic reviews are compensating controls to correct the situation.

Default Users Management
Applications, operating systems and databases purchased from a vendor have provision for default users with administrative privileges required for implementation and/or maintenance of the application, OS or database. It is expected that these passwords must be changed immediately as soon as the system is implemented. While reviewing these access controls the IS auditor must ensure that these user IDs are either disabled, or the passwords have been changed and are suitably controlled by the organization.

Password Management
• Allocation of passwords, which is generally done by system administrators.
• Secure communication of the password to the appropriate user.
• Forced change on first login by the user, so as to prevent possible misuse by system administrators.
• Storage of passwords should not be done in plain text. Most systems store the password as a hash of the actual password.
• Password expiry must be managed as per policy. Users must change passwords periodically and the system should be configured to expire the password after a predefined period.

User Access Rights Management
Periodic review of users' access rights is an essential process to detect possible excess rights due to changes in responsibilities, emergencies, and other changes. These reviews must be conducted by the information owner; administrators facilitate them by providing the available accesses recorded in the system.
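The password management rules listed above, carried through in an added example that is not part of the chart: an administrator-allocated password that must be changed at first login, salted one-way hashing instead of plain-text storage, and expiry after a policy period. The 90-day maximum age, the 12-character minimum and the user names are assumptions; time is passed in as a day count so the example runs offline.

```python
# Added example, not the chart's own code: a minimal password store that
# applies the management rules above: never keep the password in plain text
# (salted PBKDF2 hash), force a change at first login, and expire the password
# after a policy-defined period. The 90-day policy, the 12-character minimum
# and the user names are constructed assumptions; "now" is a day count.
import hashlib
import hmac
import os
from dataclasses import dataclass

PASSWORD_MAX_AGE_DAYS = 90      # assumed policy value
MIN_PASSWORD_LENGTH = 12        # assumed policy value
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted digest; the plain password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user: str
    salt: bytes
    digest: bytes
    set_at: float            # day on which the current password was set
    must_change: bool        # True for an administrator-allocated password


class PasswordStore:
    def __init__(self):
        self._accounts = {}

    def allocate(self, user: str, initial_password: str, now: float) -> None:
        """System administrator allocates a password; the user must change it."""
        salt = os.urandom(16)
        self._accounts[user] = Account(user, salt, hash_password(initial_password, salt), now, True)

    def login(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'must-change', 'expired' or 'denied'."""
        acct = self._accounts.get(user)
        if acct is None:
            hash_password(password, b"\x00" * 16)   # same cost for unknown users
            return "denied"
        if not hmac.compare_digest(acct.digest, hash_password(password, acct.salt)):
            return "denied"
        if acct.must_change:
            return "must-change"          # forced change on first login
        if now - acct.set_at > PASSWORD_MAX_AGE_DAYS:
            return "expired"              # expiry as per policy
        return "ok"

    def change(self, user: str, old: str, new: str, now: float) -> bool:
        """User-driven change: proves the old password, re-salts, clears the flag."""
        acct = self._accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.digest, hash_password(old, acct.salt)):
            return False
        if new == old or len(new) < MIN_PASSWORD_LENGTH:
            return False
        acct.salt = os.urandom(16)
        acct.digest = hash_password(new, acct.salt)
        acct.set_at = now
        acct.must_change = False
        return True
```

The administrator who allocates the initial password never learns the user's chosen one, which is the point of the forced change; and because only salted digests are kept, a copy of the store does not yield the passwords themselves.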
Network Access Control
Process of managing access for use of network-based services.

Policy on use of network services
An enterprise-wide applicable policy on Internet service requirements, aligned with the business need and based on business needs for using Internet services, is the first step.

Segregation of networks
Based on the sensitive information handling function; say a VPN connection between a branch office and the head office network is to be isolated from the Internet usage service availability for employees.

Network connection and routing control
The traffic between networks should be restricted, based on identification of source and authentication access policies.

Enforced path
Based on risk assessment, it is necessary to specify the exact path or route connecting the networks; for example, Internet access by employees will be routed through a firewall, and hierarchical access levels are to be maintained for both internal and external user logging.

Clock synchronization
Clock synchronization is a useful control to ensure that event and audit logs maintained across an enterprise are in sync and can be correlated. In modern networks this function is centralized and automated.

www.prokhata.com 77
CA Rajat Agrawal
Module - 5 Protection of Information Assets Chapter 4 Logical Access Controls
Application Access Controls
Applications are the most common assets that access information. Hence it is necessary to control the accesses to applications. Most modern applications provide an independent user and access privilege management mechanism, for example ERP and core banking applications. Ideally database administrators and system administrators are the only roles that need to have access to the database and operating system respectively. IS auditors may have to review accesses at all layers, i.e. application, database and/or operating system. Access to information is prevented by application-specific menu interfaces, which limit access to system functions. A user is allowed to access only those items he is authorized to access.

Database Access Controls
The DBA can build profiles with settings defined by security policies. These profiles are then assigned to roles defined to perform functions on the database like view, update, delete and commit. These roles are then assigned to users created on the database. Generally these are stored in a user table. Databases also provide storage of a password hash for each user; thus the DBA can access it but may not find out the password of users.

Sensitive system isolation
Based on the critical constitution of a system in an enterprise it may even be necessary to run the system in an isolated environment. Monitoring system access and use is a detective control, to check if the preventive controls discussed so far are working. If not, this control will detect and report any unauthorized activities.

Event logging
Maintain extensive logs for all types of events. It is necessary to review if logging is enabled and the logs are archived properly.

Monitor system use
Based on the risk assessment, constant monitoring of some critical systems is essential. The frequency of the review would be based on the criticality of the operation.
Operating System Access Control

Automated terminal identification
Ensures a particular session could only be initiated from a particular location or computer terminal.

Terminal log-on procedures
The log-on procedure does not provide unnecessary help or information, which could be misused by an intruder.

User identification and authentication
The users must be identified and authenticated in a fool-proof manner. Depending on risk assessment, more stringent methods like biometric authentication or cryptographic means like digital certificates should be employed.

Password management system
An operating system could enforce selection of good passwords. Internal storage of passwords should use one-way encryption algorithms.

Use of system utilities
Programs that help to manage critical functions of the operating system, for example addition or deletion of users. Obviously, such a utility should not be accessible to a general user. Use of and access to these utilities should be strictly controlled and logged.

Duress alarm to safeguard users
If users are forced to execute some instruction under threat, the system should provide a means to alert the authorities. An example could be forcing a person to withdraw money from the ATM.

Terminal/Session time out
Log out the user if the terminal is inactive for a defined period. This will prevent misuse in the absence of the legitimate user.

Limitation of connection time
Define the available time slot. Do not allow any transaction beyond this time period. For example, no computer access after 8.00 p.m. and before 8.00 a.m., or on a Saturday or Sunday.
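Several of the operating-system controls above combined into one logon gate, as an added example that is not part of the chart: account lockout after repeated failures (the lockout policy mentioned under authorization techniques), a terminal log-on procedure that gives the same answer whichever part of the credential was wrong, a session idle time-out, and the connection-time limitation with the chart's own window (no access after 8 p.m., before 8 a.m., or at the weekend). The five-attempt and fifteen-minute thresholds and the clock readings are assumptions.

```python
# Added example, not from the chart: a logon gate applying account lockout,
# a session idle time-out and the limitation of connection time described
# above. The 5-attempt lockout, the 15-minute time-out and every clock
# reading used with it are constructed assumptions.
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 5                 # assumed lockout policy
IDLE_TIMEOUT = timedelta(minutes=15)    # assumed session time-out
ALLOWED_HOURS = range(8, 20)            # 08:00 to 19:59: nothing after 8 p.m. or before 8 a.m.


def ts(text: str) -> datetime:
    """Parse a constructed clock reading such as '2024-01-08T09:00'."""
    return datetime.fromisoformat(text)


def connection_time_allowed(now: datetime) -> bool:
    """Limitation of connection time: Monday to Friday, inside the allowed slot."""
    return now.weekday() < 5 and now.hour in ALLOWED_HOURS


class LogonGate:
    def __init__(self):
        self.failures = {}      # user -> consecutive failed attempts
        self.locked = set()     # users locked out until an administrator resets them
        self.sessions = {}      # user -> time of last activity

    def attempt(self, user: str, credential_ok: bool, now: datetime) -> str:
        """Returns 'outside-hours', 'locked', 'denied' or 'ok'."""
        if not connection_time_allowed(now):
            return "outside-hours"
        if user in self.locked:
            return "locked"
        if not credential_ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= MAX_FAILED_ATTEMPTS:
                self.locked.add(user)
                return "locked"
            # terminal log-on procedure: no hint about which part failed
            return "denied"
        self.failures.pop(user, None)
        self.sessions[user] = now
        return "ok"

    def activity(self, user: str, now: datetime) -> str:
        """Called on each request; ends the session if idle too long or
        if the connection time window has closed meanwhile."""
        last = self.sessions.get(user)
        if last is None:
            return "no-session"
        if now - last > IDLE_TIMEOUT or not connection_time_allowed(now):
            del self.sessions[user]
            return "logged-out"
        self.sessions[user] = now
        return "active"
```

The lockout is deliberately sticky: a correct credential presented after the fifth failure is still refused, because the control exists to stop guessing, and an unlock should be a logged administrative act rather than something the gate does on its own.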
Identity Management and Access Controls
Identity Management, also called IDAM, is the task of controlling the user access provisioning lifecycle on information systems. It includes the task of maintaining the identity of a user and the actions they are authorized to perform. It also includes the management of descriptive information about the user and how and by whom that information can be accessed and modified. The core objective of an IdM system in a corporate setting is: one identity per individual. And once that digital ID has been established, it has to be maintained, modified and monitored throughout what is called the "user access lifecycle". So IdM systems provide administrators with the tools and technologies to change a user's role, to track user activities and to enforce policies.

Privileged Logons
A privileged user is a user who has been allocated powers within the computer system which are significantly greater than those available to the majority of users. Such persons will include, for example, the system administrator(s) and network administrator(s) who are responsible for keeping the system available and may need powers to create new user profiles as well as add to or amend the powers and access rights of existing users. Privileged access should be assigned based upon function and job necessity and is subject to approval by the information owner.

Single Sign-On (SSO)
Single Sign-On addresses the practical challenge of logging on multiple times to access different resources. In SSO, a user provides one ID and password per work session and is automatically logged on to all the required applications. For SSO security, the passwords should not be stored or transmitted in the clear. SSO can be implemented by using scripts that replay the users' multiple logins or by using authentication servers to verify a user's identity. The most popular are LDAP (open source) and Active Directory (AD) (Microsoft directory service based on LDAP), where user groups and roles are defined for every user and accesses are granted based on an access control matrix. Some applications like Kerberos are also available.

Active Directory (AD)
AD is a directory service implemented by Microsoft for Windows domain networks. An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network. Active Directory makes use of Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS. The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. A common usage of LDAP is to provide a "single sign on" where one password for a user is shared between many services, such as applying a company login code to web pages.

Kerberos
Kerberos may be one of the best-tested authentication mechanisms available today. Kerberos was intended to have three elements to guard a network's entrance: authentication, accounting, and auditing. Kerberos is effective in open, distributed environments where network connections to other heterogeneous machines are supported and the user must prove identity for each application and service. Kerberos assumes a distributed architecture and employs one or more Kerberos servers to provide an authentication service. This redundancy can avoid a potential single point of failure issue. The primary use of Kerberos is to verify that users are who they claim to be and that the network components they use are contained within their permission profile. To accomplish this, a trusted Kerberos server issues "tickets" to users. These tickets have a limited life span and are stored in the user's credential cache.

Weakness of Single Sign-On
• It is a single point of failure. Once a password is compromised, an attacker can have access to all privileges of the user whose password is compromised.
• Vulnerable to password guessing.
• Does not protect network traffic.
• It is difficult to implement.
• Maintaining SSO is tedious and prone to human errors.
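The ticket mechanism described under Kerberos, reduced to its essentials as an added example (not code from the chart, and a deliberate simplification of the real protocol, which encrypts tickets and adds authenticators): a trusted ticket server issues tickets with a limited life span, each integrity-protected with a secret shared between the ticket server and one service; a service accepts a ticket only if it is intact, addressed to it and not yet expired, and the client keeps its tickets in a credential cache. The keys, service and principal names and the eight-hour lifetime are assumptions.

```python
# Added example, not from the chart and a simplification of real Kerberos:
# a trusted ticket server issues tickets with a limited life span, protected
# by an HMAC under a secret shared with each service. A service accepts a
# ticket only if it is intact, meant for it and unexpired; the client keeps
# tickets in a credential cache. Keys, names and lifetime are constructed.
import base64
import binascii
import hashlib
import hmac
import json

TICKET_LIFETIME_SECONDS = 8 * 3600   # assumed lifetime


def _tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


class TicketServer:
    """Stand-in for the Kerberos key distribution centre: one secret per service."""

    def __init__(self, service_keys: dict):
        self.service_keys = service_keys

    def issue(self, principal: str, service: str, now: float) -> str:
        body = {"principal": principal, "service": service,
                "issued": now, "expires": now + TICKET_LIFETIME_SECONDS}
        raw = json.dumps(body, sort_keys=True).encode()
        return (base64.urlsafe_b64encode(raw).decode() + "." +
                base64.urlsafe_b64encode(_tag(self.service_keys[service], raw)).decode())


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def validate(self, ticket: str, now: float) -> str:
        try:
            raw_b64, tag_b64 = ticket.split(".")
            raw = base64.urlsafe_b64decode(raw_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except (ValueError, binascii.Error):
            return "malformed"
        if not hmac.compare_digest(tag, _tag(self.key, raw)):
            return "forged"               # altered, or issued under another service's key
        body = json.loads(raw)
        if body["service"] != self.name:
            return "wrong-service"        # genuine ticket, but not for this service
        if now > body["expires"]:
            return "expired"              # limited life span enforced
        return "ok:" + body["principal"]


class CredentialCache:
    """The user's cache of tickets, one per service, as the text describes."""

    def __init__(self):
        self._tickets = {}

    def put(self, service: str, ticket: str) -> None:
        self._tickets[service] = ticket

    def get(self, service: str):
        return self._tickets.get(service)
```

Two points carry over to the real protocol: the service never needs the user's password, only the secret it shares with the ticket server, and the expiry check is what limits the damage if a cached ticket is stolen, which is why short lifetimes and synchronized clocks matter.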

Access Controls in Operating Systems
This topic covers how the authorization mechanism is applied to subjects and objects. Subjects of operating systems are (active) entities that communicate with the system and use its resources. Objects, on the other hand, are entities of the operating system that are accessed (requested) by the subject. The access control mechanism should ensure that subjects gain access to objects only if they are authorized to. Depending on areas of usage, there are three types of access control used:

Mandatory access control
It is a multi-level secure access control mechanism. It defines a hierarchy of levels of security. A security policy defines rules by which the access is controlled.

Discretionary access control
In this type of access control, every object has an owner. The owner (subject) grants access to his resources (objects) for other users and/or groups. There are two ways to implement the matrix: either the system assigns the rights to the objects or to the subjects. Capability matrixes, on the other hand, are used to store rights together with subjects. In the case of capability matrixes we would have to deal with biometrics, so in common operating systems access control lists are used to implement discretionary access control.

Role based access control
In some environments, it is problematical to determine who the owner of resources is. In role based systems, users get assigned roles based on their functions in that system. These systems are centrally administered; they are nondiscretionary. An example is a hospital.
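The mandatory and role based models above, and the profile/role/user arrangement described earlier under Database Access Controls, worked through in one added example (this is not code from the chart). The mandatory part uses a hierarchy of security levels with the assumed rules "no read up" and "no write down"; the role based part never grants a privilege to a user directly, only profile to role to user, so revoking a role removes everything that came with it. The level names, privileges, roles and users are constructed.

```python
# Added example, not from the chart: a mandatory check over a hierarchy of
# security levels (assumed rules: no read up, no write down) beside a role
# based store in which privilege profiles are assigned to roles and roles to
# users, as the database access control text describes. All names are
# constructed.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_read_allowed(subject_clearance: str, object_level: str) -> bool:
    """A subject may read an object only at or below its own clearance."""
    return LEVELS[subject_clearance] >= LEVELS[object_level]


def mac_write_allowed(subject_clearance: str, object_level: str) -> bool:
    """A subject may write only at or above its clearance, so that nothing
    flows from a higher level down to a lower one."""
    return LEVELS[subject_clearance] <= LEVELS[object_level]


class RbacDatabase:
    """Profiles hold privileges; roles hold profiles; users hold roles."""

    def __init__(self):
        self.profiles = {}    # profile name -> set of (object, action)
        self.roles = {}       # role name -> set of profile names
        self.users = {}       # user name -> set of role names

    def create_profile(self, name: str, privileges) -> None:
        self.profiles[name] = set(privileges)

    def create_role(self, name: str, profiles) -> None:
        self.roles[name] = set(profiles)

    def create_user(self, name: str, roles) -> None:
        self.users[name] = set(roles)

    def revoke_role(self, user: str, role: str) -> None:
        self.users.get(user, set()).discard(role)

    def privileges_of(self, user: str) -> set:
        """Effective privileges, resolved through roles and profiles each time,
        so a change at either layer takes effect immediately."""
        privs = set()
        for role in self.users.get(user, ()):
            for profile in self.roles.get(role, ()):
                privs |= self.profiles.get(profile, set())
        return privs

    def allowed(self, user: str, privilege) -> bool:
        return privilege in self.privileges_of(user)
```

Because privileges are resolved at check time rather than copied onto the user, a periodic access review of such a system can be done by reviewing roles rather than every user individually, which is the practical reason centrally administered role based systems scale.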
Audit Trail
The primary objective of access controls is to fix the accountability of individual users for the activities performed by them. This can be done only by generating and reviewing activity logs. Logs are also called 'audit trail'. It is a record of system activities that enables the reconstruction and examination of the sequence of events of a transaction, from its inception to the output of final results. Because of their importance, audit logs should be protected at the highest level of security in the information system. Audit trails help identify:
• Internal and external attempts to gain unauthorized access to a system
• Patterns and history of accesses
• Unauthorized privileges granted to users
• Occurrences of intrusions and their resulting consequences
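A small audit-trail reviewer as an added example (not code from the chart), tying this section to the clock synchronization control under Network Access Control: the constructed log lines come from two systems that stamp events in different time zones, so the reviewer first normalises every timestamp to UTC, then reconstructs the sequence of events for one transaction, flags repeated failed logon attempts, and lists privilege grants that carry no change ticket. The host names, user names and the three-failure threshold are assumptions.

```python
# Added example, not from the chart: an audit-trail reviewer over constructed
# log lines. Each line carries its source system's own UTC offset; the
# reviewer normalises timestamps so events from two systems can be correlated
# (the purpose of clock synchronisation), reconstructs one transaction's
# sequence of events, flags repeated failed logons and lists privilege grants
# without a change ticket. Hosts, users and thresholds are constructed.
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines: app01 logs in IST (+05:30), db01 logs in UTC.
AUDIT_LOG = """\
2024-03-01T09:00:05+05:30 app01 LOGIN user=ravi result=ok txn=T100
2024-03-01T03:30:09+00:00 db01 QUERY user=ravi action=view object=orders txn=T100
2024-03-01T09:00:15+05:30 app01 LOGIN user=guest result=fail
2024-03-01T09:00:17+05:30 app01 LOGIN user=guest result=fail
2024-03-01T09:00:19+05:30 app01 LOGIN user=guest result=fail
2024-03-01T03:30:40+00:00 db01 GRANT user=dba target=ravi privilege=delete ticket=-
2024-03-01T09:01:02+05:30 app01 LOGOUT user=ravi txn=T100
"""


def parse_line(line: str) -> dict:
    """'<stamp> <host> <EVENT> key=value ...' into a dict with a UTC datetime."""
    stamp, host, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    when = datetime.fromisoformat(stamp).astimezone(timezone.utc)
    return {"when": when, "host": host, "event": event, **fields}


def events(log: str = AUDIT_LOG) -> list:
    """All events in true chronological order, whatever offset each source used."""
    parsed = [parse_line(line) for line in log.splitlines() if line.strip()]
    return sorted(parsed, key=lambda e: e["when"])


def transaction_trail(txn: str, log: str = AUDIT_LOG) -> list:
    """Reconstruct the sequence of events of one transaction across systems."""
    return [(e["when"].isoformat(), e["host"], e["event"])
            for e in events(log) if e.get("txn") == txn]


def failed_logon_bursts(log: str = AUDIT_LOG, threshold: int = 3) -> dict:
    """Users with at least `threshold` failed logons: unauthorized access attempts."""
    fails = Counter(e["user"] for e in events(log)
                    if e["event"] == "LOGIN" and e.get("result") == "fail")
    return {user: n for user, n in fails.items() if n >= threshold}


def unticketed_grants(log: str = AUDIT_LOG) -> list:
    """Privileges granted without a change ticket: candidates for owner review."""
    return [(e["user"], e["target"], e["privilege"])
            for e in events(log) if e["event"] == "GRANT" and e.get("ticket", "-") == "-"]
```

Without the offset normalisation the database query (logged as 03:30 UTC) would sort before the application login (logged as 09:00 IST) although it happened four seconds after it, which is exactly the correlation error clock synchronization is meant to prevent.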
Auditing Logical Access Controls
Following are some of the factors critical while evaluating logical access controls:
• Understanding of an organization's information security framework
• Selection and implementation of appropriate access controls
• Top management's commitment
• Management controls
• Explicit access permission to information or systems
• Periodic review / audit of access permission

Audit Test Procedures
• Evaluate whether logical access policies and standards exist and are effectively communicated and implemented.
• Interview information owners, users and custodians to evaluate their knowledge and skills on implementation of logical access controls.
• Evaluate the existence and implementation of procedures and mechanisms for logical access to ensure protection of organizational information assets.
• Evaluate the various logical security techniques and mechanisms for their effective implementation, operation and administration.
• Test the effectiveness and efficiency of logical access controls.
• Test the appropriateness of system configuration and parameter settings.
• Evaluate and review the documentation of controls over privileged and special purpose logons.
• Evaluate mechanisms for vulnerability analysis in access control features and software.

CHAPTER 5:
NETWORK SECURITY CONTROLS
Network related controls are important since the network is the first layer of architecture that is generally the focus of an attacker. Therefore networks are also far more vulnerable to external and internal threats than are standalone systems. Organization level general controls like physical security (cables, intruders trying to connect to the network), environmental security (ensuring segregation between electrical and data cables, protecting cables from rodents), access controls and security policies (acceptable usage of the Internet) are applicable to network security. In addition one needs to look at network specific controls.
Network Threats and Vulnerabilities
Objective of Network Security Controls: There are three main objectives of network security controls.
Confidentiality: Maintaining the confidentiality and privacy of information and information assets. Integrity: Maintaining the confidentiality and privacy of information and information assets. Availability: Keeping the information and network resources available to the authorised stakeholders.

1. Information Gathering
A serious attacker will spend a lot of time obtaining as much information as s/he can about the target before launching an attack. The techniques to gather information about the networks are examined below:

Port scan:
An easy way to gather information is to use a port scanner. For a particular IP address, it reports which ports respond to messages and which of several known vulnerabilities seem to be present.

Social engineering:
Involves using social skills and personal interaction to get someone to reveal security-relevant information.

Reconnaissance:
Gathering discrete bits of information from various sources and then putting them together to make a coherent picture. Example: dumpster diving, which means looking through items that have been discarded in garbage bins or waste paper baskets. One might find network diagrams, printouts of security device configurations, system designs and source code, telephone and employee lists, and more. Reconnaissance may also involve eavesdropping.

Operating system and application fingerprinting:
Here the attacker wants to know which commercial server application is running, what version, and what the underlying operating system and version are. While the network protocols are standard and vendor independent, each vendor has implemented the standard independently, so there may be minor variations in interpretation and behaviour.

Bulletin boards and chats:
Support exchange of information among the hackers.

Documentation:
Vendors themselves sometimes distribute information that is useful to an attacker.

Malware:
Attackers use malware like viruses or worms to scavenge the system and receive information over the network.

2. Exploiting communication subsystem vulnerabilities

Eavesdropping and wiretapping:
An attacker (or a system administrator) is eavesdropping by monitoring all traffic passing through a node. (The administrator might have a legitimate purpose, such as watching for inappropriate use of resources.) A more hostile term is wiretap, which means intercepting communications through some effort. Passive wiretapping is just "listening", just like eavesdropping. But active wiretapping means injecting something into the communication stream.

Microwave signal tapping:
An attacker can intercept a microwave transmission by interfering with the line of sight between sender and receiver. It is also possible to pick up the signal from an antenna located close to the legitimate antenna.

Satellite signal interception:
The potential for interception in satellite communication is high, but due to multiplexed communication the cost of extracting is high.

Wireless:
Threats arise in the ability of intruders to intercept and spoof a connection. Wireless signals are strong up to 60 meters.

Optical fiber:
It is not possible to tap an optical system without detection because optical fiber carries light energy, which does not emanate a magnetic field.

Zombies and BOTnet:
BOTnet is a term (robotic network) used for a virtual network of zombies. The BOTnet operator launches malware/virus on a system that, once activated, remains on the system and can be activated remotely. Zombies have been used extensively to send e-mail spam. This allows spammers to avoid detection and presumably reduces their bandwidth costs, since the owners of zombies pay for their own bandwidth.

3. Protocol Flaws
Internet protocols are publicly posted for scrutiny. Many problems with protocols have been identified by reviewers and corrected before the protocol was established as a standard. These flaws can be exploited by an attacker. For example, FTP is known to transmit communication including user id and password in plain text.

4. Impersonation
To impersonate another person or process. An impersonator may foil authentication by any of the following means:

Authentication foiled by guessing:
Guess the identity and authentication details of the target, by using common passwords, the words in a dictionary, variations of the user name, default passwords, etc.

Authentication foiled by eavesdropping or wiretapping:
Account and authentication details are passed on the network without encryption; they are exposed to anyone observing the communication.

Authentication foiled by avoidance:
A flawed operating system may be such that the buffer for typed characters in a password is of fixed size, counting all characters typed, including backspaces for correction. If a user types more characters than the buffer would hold, the overflow causes the operating system to by-pass password comparison.

Non-existent authentication:
Some systems have "guest" or "anonymous" accounts to allow outsiders to access things the systems want to release to the public. These accounts allow access to unauthenticated users.

Well-known authentication:
One system administration account installed, having a default password. Administrators fail to change the passwords or delete these accounts, creating vulnerability.

Spoofing and masquerading:
Both of them are impersonation.

Session hijacking:
Session hijacking is intercepting and carrying on a session begun by another entity. In this case the attacker intercepts the session of one of the two entities. In an e-commerce transaction, just before a user places his order and gives his address, credit number etc., the session could be hijacked by an attacker.

Man-in-the-middle attack:
A man-in-the-middle usually participates from the start of the session, whereas a session hijacking occurs after a session has been established.

5. Message Confidentiality Threats

Mis-delivery:
Message mis-delivery happens mainly due to congestion at network elements, which causes communication buffers to overflow and packets to be dropped. Sometimes messages are mis-delivered because of some flaw in the network hardware or software. Occasionally, however, a destination address will be modified or some router or protocol will malfunction, causing a message to be delivered to someone other than the intended recipient. All of these "random" events are quite uncommon.

Exposure:
The content of a message may be exposed in temporary buffers, at switches, routers, gateways, and intermediate hosts throughout the network.

Traffic analysis (or traffic flow analysis):
Sometimes not only is the message itself sensitive but the fact that a message exists is also sensitive.

6. Message Integrity Threats
• Changing some or all of the content of a message
• Replacing a message entirely, including the date, time, and sender/receiver identification
• Reusing (replaying) an old message
• Combining pieces of different messages into one false message
• Changing the apparent source of a message
• Redirecting or destroying or deleting a message

Attacks:
Active wiretap, Trojan horse impersonation, compromised host
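A receiver-side check against the message integrity threats just listed, as an added example that is not code from the chart: each message carries its sender, a per-sender sequence number, a timestamp and an HMAC computed with a key shared with that sender, so altered content, a changed apparent source, a message with its date and time replaced, and a replayed old message are all rejected. The shared keys, the sender names and the five-minute acceptance window are assumptions; a real deployment would also need key distribution and persistence of the last accepted sequence numbers.

```python
# Added example, not from the chart: a receiver that detects the integrity
# threats listed above (altered content, changed source, replaced date/time,
# replayed message) using an HMAC over sender, sequence number, timestamp and
# content under a key shared with that sender. Keys, names and the
# acceptance window are constructed assumptions.
import hashlib
import hmac
import json

MAX_CLOCK_SKEW_SECONDS = 300   # assumed acceptance window around the timestamp


def _mac(key: bytes, fields: dict) -> str:
    canon = json.dumps(fields, sort_keys=True).encode()   # canonical form
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def protect(key: bytes, sender: str, seq: int, sent_at: int, content: str) -> dict:
    """Sender side: attach a MAC covering every field of the message."""
    msg = {"sender": sender, "seq": seq, "sent_at": sent_at, "content": content}
    msg["mac"] = _mac(key, msg)
    return msg


class Receiver:
    def __init__(self, keys: dict):
        self.keys = keys           # sender name -> shared key
        self.last_seq = {}         # sender -> highest sequence number accepted

    def accept(self, msg: dict, now: int) -> str:
        """Returns 'ok' or the reason the message is rejected."""
        key = self.keys.get(msg.get("sender"))
        if key is None:
            return "unknown-sender"
        fields = {k: v for k, v in msg.items() if k != "mac"}
        if not hmac.compare_digest(_mac(key, fields), str(msg.get("mac", ""))):
            return "tampered"          # content, source, time or seq was changed
        if abs(now - msg["sent_at"]) > MAX_CLOCK_SKEW_SECONDS:
            return "stale"             # replaced or very old date/time
        if msg["seq"] <= self.last_seq.get(msg["sender"], -1):
            return "replay"            # reuse of an old message
        self.last_seq[msg["sender"]] = msg["seq"]
        return "ok"
```

The order of the checks matters: the MAC is verified before any field is trusted, so the timestamp and sequence number used for the stale and replay decisions are themselves authenticated. Note that this protects integrity and origin only; the content still travels in the clear, which is the confidentiality side of the threat list.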

7. Web Site Defacement
Web sites are designed so that their code is downloaded and executed in the client (browser). This enables an attacker to obtain the full hypertext document and all programs and referenced programs embedded in the browser. Most websites have quite a few common and well known vulnerabilities that an attacker can exploit.

8. Denial of Service

Connection flooding:
This is the oldest type of attack, where an attacker sends more data than what a communication system can handle, thereby preventing the system from receiving any other legitimate data. Even if an occasional legitimate packet reaches the system, communication will be seriously degraded.

Ping of death:
Ping is an ICMP protocol which requests a destination to return a reply, intended to show that the destination system is reachable and functioning. Since ping requires the recipient to respond to the ping request, all the attacker needs to do is send a flood of pings to the intended victim. It is possible to crash, reboot or otherwise kill a large number of systems by sending a ping of a certain size from a remote machine.

Traffic redirection:
A router is a device that forwards traffic on its way through intermediate networks between a source host's network and a destination's. So if an attacker can corrupt the routing, traffic can disappear.

DNS attacks:
By corrupting a name server or causing it to cache spurious entries, an attacker can redirect the routing of any traffic, or ensure that packets intended for a particular host never reach their destination.

Distributed Denial of Service
In a distributed denial of service (DDoS) attack more than one machine is used by the attacker to attack the target. These multiple machines are called zombies; they act on the direction of the attacker and they don't belong to the attacker.

Threats from Cookies, Scripts and Active or Mobile Code

Cookies:
Cookies are NOT executable. They are data files created by the server that can be stored on the client machine and fetched by a remote server, usually containing information about the user on the client machine. Anyone intercepting or retrieving a cookie can impersonate the cookie's legitimate owner.

Scripts:
Clients can invoke services by executing scripts on servers. A malicious user can monitor the communication between a browser and a server to see how changing a web page entry affects what the browser sends and then how the server reacts. The common scripting languages for web servers, CGI (Common Gateway Interface) and Microsoft's Active Server Pages (ASP), have vulnerabilities that can be exploited by an attacker.

Active code:
Active code or mobile code is a general name for code that is downloaded from the server by the client and executed on the client machine. The popular types of active code languages are Java, JavaScript, VBScript and ActiveX controls. Such executable code is also called an applet. A hostile applet is downloadable code that can cause harm on the client's system. Because an applet is not screened for safety when it is downloaded and because it typically runs with the privileges of its invoking user, a hostile applet can cause serious damage.
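A detection-side view of the connection flooding described above, as an added example (not code from the chart): a sliding-window counter that flags a source whose request rate over the last few seconds is far beyond what a normal client produces. The window and threshold values and the traffic records (documentation-range addresses, timestamps in seconds) are constructed.

```python
# Added example, not from the chart: a sliding-window detector that flags a
# source sending connection requests far faster than a normal client, as in
# a connection flood. The window, threshold and the traffic records below
# are constructed (RFC 5737 documentation addresses, timestamps in seconds).
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # assumed observation window
THRESHOLD = 50           # assumed requests per window that count as a flood


class FloodDetector:
    def __init__(self, window: float = WINDOW_SECONDS, threshold: int = THRESHOLD):
        self.window, self.threshold = window, threshold
        self.seen = defaultdict(deque)   # source -> timestamps still inside the window
        self.flagged = set()

    def observe(self, ts: float, source: str) -> bool:
        """Record one request; returns True once the source is considered a flood."""
        q = self.seen[source]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop requests that left the window
            q.popleft()
        if len(q) > self.threshold:
            self.flagged.add(source)
        return source in self.flagged


def analyse(records) -> list:
    """Run the detector over (timestamp, source) records; return flagged sources."""
    det = FloodDetector()
    for ts, src in records:
        det.observe(ts, src)
    return sorted(det.flagged)


# Constructed traffic: one source at 10 requests/second for 20 s, one at 0.5/s.
CONSTRUCTED_TRAFFIC = ([(i * 0.1, "203.0.113.5") for i in range(200)] +
                       [(i * 2.0, "198.51.100.7") for i in range(20)])
```

A per-source counter like this catches a single flooding host but not the distributed form of the same attack, where each zombie stays under the threshold; for that, the same window has to be applied to the aggregate request rate as well, which is why DDoS mitigation usually sits upstream of the victim.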

CURRENT TRENDS IN ATTACKS

Exploiting Application Vulnerabilities
Applications that can be accessed from the Internet and/or intranet might contain vulnerabilities and can compromise the security of information.

Advanced Persistent Threat (APT)
Since the malware is specifically written, antivirus may not be able to detect it. This malware is designed to send small bits of information from the system to the attacker without getting detected by network based controls like anomaly detection, traffic analysis etc. The attack continues for a longer duration till all required confidential information about the organization is received by the attacker.

Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Broken authentication
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens.

Cross-site scripting (XSS)
The application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Insecure deserialization
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

Security misconfiguration
Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

Sensitive data exposure
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

OWASP TOP 10 SECURITY THREATS

Broken access control
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data.

XML external entities (XXE)
External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

Using components with known vulnerabilities
Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

Insufficient logging & monitoring
Insufficient logging and monitoring, together with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data.
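Two of the OWASP items above, injection and cross-site scripting, shown as the vulnerable form beside its corrected form in an added example (not code from the chart): a lookup that pastes untrusted input into SQL text versus one that binds it as a parameter, and a page fragment that interpolates a display name raw versus one that escapes it. The in-memory SQLite table, its two users and the test inputs are constructed; the hostile strings are the textbook demonstrations of why the interpreter must never see user data as code.

```python
# Added example, not from the chart: the injection and XSS flaws from the
# OWASP list, each as the vulnerable form beside the corrected one. Uses an
# in-memory SQLite table of constructed users; nothing here touches a real
# system.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: two users with different roles."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("ravi", "clerk"), ("meera", "admin")])
    return con


def find_role_vulnerable(con: sqlite3.Connection, name: str) -> list:
    # Untrusted data becomes part of the query text, so the interpreter
    # parses it as SQL: a quote in the input changes the command's meaning.
    rows = con.execute(f"SELECT role FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def find_role_safe(con: sqlite3.Connection, name: str) -> list:
    # Parameter binding keeps the value as data; the SQL text is fixed and
    # the driver never lets the input alter it.
    rows = con.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def greeting_vulnerable(display_name: str) -> str:
    # The name is sent to the browser without escaping: markup in it runs.
    return f"<p>Welcome, {display_name}</p>"


def greeting_safe(display_name: str) -> str:
    # Output encoding turns every HTML-significant character into an entity,
    # so the browser renders the name as text rather than interpreting it.
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"
```

The same principle applies to OS and LDAP injection: the fix is not to filter "bad characters" from the input but to hand the interpreter a fixed command and pass the untrusted value through a channel (bound parameters, an argument list, an escaping function for that exact context) where it cannot be mistaken for code.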

Network Security Control Mechanism - Network Architecture

Segmentation/zoning
A more secure design will use multiple segments. Separate segments and servers reduce the potential harm should any subsystem be compromised.

Redundancy
Another key architectural control is redundancy, allowing a function to be performed on more than one node. Instead of having a single web server, a better design would have two servers, using a "failover mode". If one server is used and that server is down for some reason, the whole application is not available.

Eliminate single points of fail­ure
Good network architecture provides for its availability by eliminating single points of failure. This is true for all critical components including servers, network devices and communication channels in a network whose failure would compromise its availability.

Cryptography:
Method of protecting information and communications through the use of codes so that only those for whom the information is intended can read and process it. two essential elements of cryptography, algorithm and key.

Types of Cryptography

Symmetric key cryptography: Encryption methods in which both the sender and receiver share the same key.
Asymmetric key cryptography: A pair of keys is used to encrypt and decrypt messages. The public key is used for encryption and the private key for decryption (for digital signatures the roles are reversed: the private key signs and the public key verifies).
Hash function: Used to map data of arbitrary size to fixed-size values. It is a one-way function rather than encryption: there is no key, and the input cannot be recovered from the output.

Quantum Cryptography: The science of exploiting quantum mechanical properties to perform cryptographic tasks. The best-known example is quantum key distribution, which offers an information-theoretically secure solution to the key exchange problem.

Public Key Infrastructure (PKI)

Digital Certificates: A certificate is used to verify that a public key belongs to an individual or web site. The signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.

Contents of a typical digital certificate: Serial number, Subject, Signature, Issuer, Valid-from, Valid-to, Public key, Thumbprint algorithm, Thumbprint.

Digital Signatures: A process that guarantees that the contents of a message have not been altered in transit. When you, the signer, digitally sign a document, you compute a one-way hash of the message content and encrypt that hash with your private key; anyone holding your public key can decrypt the hash and compare it with a fresh hash of the message.

Controller of Certifying Authorities (CCA)
• The Controller of Certifying Authorities (CCA) has established the Root Certifying Authority of India (RCAI) to digitally sign the public keys of Certifying Authorities (CAs) in the country.
• The CCA certifies the public keys of CAs using its own private key, which enables users in cyberspace to verify that a licensed CA issued a given certificate.

Certifying Authority (CA): Trusted Third Parties (TTPs) that verify and vouch for the identities of entities in the electronic environment.

Certificate Revocation List (CRL): A list enumerating revoked certificates along with the reason(s) for revocation. The CRL file is itself signed by the CA to prevent tampering.

Application of Cryptographic Systems
To address security concerns, we have cryptographic systems such as:

Secure Socket Layer (SSL) / Transport Layer Security (TLS): Provide a secure channel between two machines operating over the Internet or an internal network. The protocol is typically used when a web browser has to connect securely to a web server over the inherently insecure Internet. SSL is the older, now deprecated protocol; TLS is its successor and is what current browsers actually negotiate, although the name "SSL certificate" persists.

TLS handshake, as shown on the chart (this is the RSA key exchange; current TLS versions instead derive the session key from an ephemeral Diffie-Hellman exchange, so the server's private key is never used to unwrap it):
• Browser: connects to a web server (website) secured with SSL/TLS and requests that the server identify itself.
• Server: sends a copy of its certificate, including the server's public key.
• Browser: checks the certificate chain against its list of trusted CAs. If it trusts the certificate, it creates a symmetric session key, encrypts it with the server's public key and sends it back.
• Server: decrypts the symmetric session key using its private key and sends back an acknowledgement encrypted with the session key to start the encrypted session.
• Server and Browser: now encrypt all transmitted data with the session key.

Internet Protocol Security (IPsec) / Virtual Private Network (VPN): VPNs connect private networks through untrusted networks such as the Internet; they establish a tunnel and use strong encryption to provide privacy and strong authentication to guarantee identity, so they are more secure than traditional networks.

IPsec: encryption at the IP layer that protects the data of any application crossing an IP network. IPsec is useful for implementing virtual private networks and for remote user access (originally over dial-up connections) to private networks. IPsec operates in two modes:
• Transport mode: secures a connection between two end points; the payload is encrypted but the original IP header is not.
• Tunnel mode: the entire IP packet is encrypted and a new IP header is added for transmission through the VPN tunnel (typically between two gateways).

Secure Shell (SSH): Commonly used to administer UNIX-like systems; it encrypts the commands and any other data transmitted over the session, replacing clear-text protocols such as telnet.

Secure/Multipurpose Internet Mail Extensions (S/MIME): MIME is the Internet standard that extends the format of email messages to support text in character sets other than ASCII, as well as attachments of audio, video, images and application programs; S/MIME adds public-key encryption and digital signing of those MIME messages.
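The PKI concepts above (one-way hash, signature with a private key, certificate contents including a thumbprint, and a CA-signed CRL) as one added worked example. This is not code from the study chart or from any real CA; it uses textbook RSA with small Mersenne primes and no padding, which is an assumption made so the example runs on the standard library alone and is not secure. The CA name, serial numbers, dates and the hypothetical `validate()` policy are invented for illustration.

```python
# Added example (not from the study chart): a toy public-key infrastructure showing
# what a hash, a digital signature, a certificate, a thumbprint and a CRL are.
# Textbook RSA with small Mersenne primes and no padding is an assumption made for
# readability; it is NOT secure. Real systems use a vetted library with proper
# padding and key sizes.
import hashlib
import json

E = 65537  # the usual RSA public exponent


def keygen(p: int, q: int, e: int = E):
    """Return ((n, e), (n, d)) for primes p and q. Toy key sizes only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent (modular inverse, Python 3.8+)
    return (n, e), (n, d)


def digest(data: bytes, n: int) -> int:
    """One-way hash (SHA-256) of the data, reduced to fit under the modulus.
    The reduction is a concession to the tiny toy keys, not part of real RSA."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, priv) -> int:
    """Digital signature = hash of the message transformed with the private key."""
    n, d = priv
    return pow(digest(data, n), d, n)


def verify(data: bytes, sig: int, pub) -> bool:
    """Anyone holding the public key can recover the hash and compare it."""
    n, e = pub
    return pow(sig, e, n) == digest(data, n)


def canonical(obj) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_cert(ca_priv, serial: int, subject: str, subject_pub) -> dict:
    """The CA signs the binding between a subject name and its public key."""
    tbs = {"serial": serial, "subject": subject, "public_key": list(subject_pub),
           "issuer": "Toy Root CA", "valid_from": "2024-01-01", "valid_to": "2025-01-01"}
    return {"tbs": tbs, "signature": sign(canonical(tbs), ca_priv)}


def thumbprint(cert: dict) -> str:
    """Thumbprint = hash of the whole certificate (thumbprint algorithm: SHA-256)."""
    return hashlib.sha256(canonical(cert)).hexdigest()


def issue_crl(ca_priv, revoked: dict) -> dict:
    """CRL: revoked serials with reasons, signed by the CA to prevent tampering."""
    body = {"revoked": {str(s): reason for s, reason in revoked.items()}}
    return {"body": body, "signature": sign(canonical(body), ca_priv)}


def validate(cert: dict, ca_pub, crl: dict) -> str:
    """What a relying party (browser) does: check the CA signature, then the CRL."""
    if not verify(canonical(cert["tbs"]), cert["signature"], ca_pub):
        return "bad signature"  # tampered with, or not issued by this CA
    if not verify(canonical(crl["body"]), crl["signature"], ca_pub):
        return "untrusted CRL"  # CRL not signed by the CA: do not trust it
    reason = crl["body"]["revoked"].get(str(cert["tbs"]["serial"]))
    return f"revoked ({reason})" if reason else "ok"


# Constructed scenario: one root CA and one web server (Mersenne primes M31, M61, M19, M89).
CA_PUB, CA_PRIV = keygen((1 << 31) - 1, (1 << 61) - 1)
SRV_PUB, SRV_PRIV = keygen((1 << 19) - 1, (1 << 89) - 1)
GOOD_CERT = issue_cert(CA_PRIV, 1001, "www.example.test", SRV_PUB)
OLD_CERT = issue_cert(CA_PRIV, 1000, "www.example.test", SRV_PUB)
CRL = issue_crl(CA_PRIV, {1000: "keyCompromise"})


def scenario() -> dict:
    """The checks a practitioner wants to see succeed and fail."""
    forged = json.loads(json.dumps(GOOD_CERT))        # deep copy of the real cert
    forged["tbs"]["subject"] = "evil.example.test"    # tampering after signing
    _, rogue_priv = keygen(8191, 131071)              # M13, M17: not the CA's key
    fake_crl = issue_crl(rogue_priv, {})              # attacker's "nothing revoked" CRL
    return {
        "good": validate(GOOD_CERT, CA_PUB, CRL),
        "revoked": validate(OLD_CERT, CA_PUB, CRL),
        "tampered": validate(forged, CA_PUB, CRL),
        "fake_crl": validate(GOOD_CERT, CA_PUB, fake_crl),
        "thumbprint_changes": thumbprint(GOOD_CERT) != thumbprint(forged),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:18} {result}")
```

Note that the relying party never needs the CA's private key: signature verification, the CRL check and the thumbprint comparison all work from the CA's public key and the certificate bytes, which is what makes certificates usable by anyone on the Internet.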
Remote Access Security
Data networking technologies focused on providing the remote user with access into a network while maintaining the principal tenets of Confidentiality, Integrity and Availability. Advantages:
• Reducing networking costs
• Providing employees with flexible work styles
• Building more efficient ties with customers, suppliers and employees

Dial Back Procedures: When a user dials into the server and identifies himself, the server records the request and disconnects the call. The server then calls the user back at a pre-determined number and enables the user to access the resources. A weakness in this procedure is call forwarding: if the pre-determined number can be forwarded, the call-back reaches whoever set up the forwarding rather than the legitimate user.

Other Controls: Remote users should never store their passwords in plain-text login scripts on notebooks and laptops.

Authentication Servers: Popular remote authentication mechanisms, depending on whether access authentication is implemented centrally or in a decentralised way, are TACACS (Terminal Access Controller Access Control System) and RADIUS (Remote Authentication Dial In User Service). Some of the features of such systems are:
• Enable secure remote access
• Facilitate centralized user management
• Make changes to user access rights easy
• Facilitate centralized access monitoring and control
• Provide event logging and extended audit trails

Malicious Code
Malicious code is the name used for any program that adds to, deletes or modifies legitimate software for the purpose of intentionally causing disruption. Examples of malicious code include viruses, worms, Trojan horses and logic bombs. Newer malicious code has also been delivered as mobile code, such as ActiveX controls and Java applets.

Viruses
A computer virus is a type of malware (program) that attaches itself to a file and is transmitted with it. When executed, it damages the infected system and replicates by inserting copies of itself into other files. Viruses often perform some type of harmful activity on infected hosts, such as consuming hard disk space or CPU time, accessing private information, corrupting data, displaying political or humorous messages on the user's screen, spamming the user's contacts, or logging keystrokes. Motives for creating viruses include profit, the desire to send a political message, and personal amusement.
• Master boot record (MBR) viruses: infect the boot sector of a storage device and spread further whenever the storage is accessed.
• Stealth viruses: hide themselves by tampering with the operating system so that antivirus software is fooled.
• Polymorphic viruses: rewrite their own code on each infection, taking on a vast number of different forms, and so hide from signature-based antivirus software.
• Macro viruses: the most prevalent computer viruses; they infect documents of applications that support macros, such as Microsoft Excel and Word.
• Logic bomb / time bomb: malicious code added to an existing application to be executed at a later date or when a condition is met. These can be intentional or unintentional.

Worms
Worms are stand-alone malware: unlike viruses they do not attach to a host file but propagate independently across networks and execute without user action.

Trojan Horse
Malicious code hidden inside a legitimate-looking program, such as a game or simple utility. Trojans are primarily used by attackers to infect a system and then control it remotely so that it works for them.

Malware Protection Mechanisms
Antivirus
Most antivirus software uses a method known as signature detection to identify potential virus infections on a system. Essentially, it maintains an extremely large database containing the known characteristics (signatures) of known viruses. Antivirus tools have three types of controls:
1. Active monitor: monitors traffic and activity in real time to check for viruses.
2. Repair or quarantine: removes the virus from the file or mail, or quarantines it, and reports.
3. Scheduled scan: users are prompted to scan storage to detect viruses already present that were not detected by the active monitor.

Incident handling
Incident handling is an action plan for dealing with virus attacks, intrusions, cyber-theft, denial of service, fire, floods and other security-related events. It comprises a six-step process: Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned. In the case of virus incidents it is essential to find the root cause to ensure that the incident does not recur.

Training and awareness programs
These cover: enforcing policy on the use of removable devices, handling of mail attachments, accessing the Internet, and ensuring antivirus software is kept updated.

Firewalls
Intranet
An intranet is a network that employs the same types of services, applications and protocols present in an Internet implementation, without involving external connectivity; for example, an enterprise network employing the TCP/IP protocol suite along with HTTP for information sharing. The resulting protected network is referred to as the intranet. Intranets are typically implemented behind firewall environments.

Extranets
An extranet is usually a business-to-business intranet; that is, two intranets joined via the Internet. Extranets sit outside the firewall environment that protects each intranet. They employ TCP/IP protocols along with the same standard applications and services. Within an extranet, options are available to enforce varying degrees of authentication, logging and encryption.

Securing a Firewall
Firewall platforms should be implemented on systems whose operating system builds have been stripped down and hardened for security applications. Firewalls should never be placed on systems built with all possible installation options.
• Any unused networking protocols should be removed from the firewall operating system build.
• Any unused network services or applications should be removed or disabled.
• Any unused user or system accounts should be removed or disabled.
• Applying all relevant operating system patches is also critical.
• Unused physical network interfaces should be disabled or removed.

Intrusion Detection Systems
Perimeter controls, firewalls, and authentication and access controls block certain actions, while some users are admitted to use a computing system. Most of these controls are preventive. Many studies, however, have shown that most computer security incidents are caused by insiders. Intrusion detection systems complement these preventive controls as the next line of defence. An intrusion detection system (IDS) is a device, usually a separate computer, that monitors activity to identify malicious or suspicious events. An IDS is a sensor that raises an alarm if specific things occur; the alarm may be as simple as an entry written to an audit log. The functions performed by an IDS are:
• Monitoring users and system activity
• Auditing system configuration for vulnerabilities and mis-configurations
• Managing audit trails
Many intrusion detection systems are also capable of interacting with firewalls. For example, if an IDS detects a denial of service attack in progress, it can instruct certain firewalls to automatically block the source of the attack. The two general types of IDS are signature based and heuristic. Signature-based IDSs perform simple pattern matching and report situations that match a pattern corresponding to a known attack type. Heuristic IDSs, also known as anomaly based, build a model of acceptable behaviour and flag exceptions to that model; for the future, the administrator can mark a flagged behaviour as acceptable. Intrusion detection devices can be network based or host based. A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network; a host-based IDS runs on a single workstation, client or host to protect that one host.
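The two IDS approaches described above, signature matching and heuristic (anomaly) detection with an administrator marking a flagged behaviour as acceptable, as one added worked example run over constructed host log lines. This is not code from the study chart or from any real IDS product; the sshd-style log format, the two signature rules, the baseline fields and the five-failure threshold are all assumptions made for the example.

```python
# Added example (not from the study chart): a minimal host-based IDS that applies
# both detection strategies the text describes to constructed sshd-style log
# lines. The log format, the rules and the thresholds are assumptions made for
# the example; a production IDS reads real logs or live network traffic.
import re
from collections import defaultdict

# Assumed log format:
# "<date>T<hh>:<mm>:<ss> <host> sshd: <Accepted|Failed> <method> for [invalid user ]<user> from <src>"
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<hour>\d{2}):\d{2}:\d{2} \S+ sshd: "
    r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)$"
)

# Signature rules: fixed patterns that correspond to known attack types.
SIGNATURES = [
    ("remote root login", re.compile(r"Accepted \w+ for root from (?!127\.0\.0\.1)")),
    ("invalid user probe", re.compile(r"Failed \w+ for invalid user ")),
]

# Constructed "normal week" used to build the baseline, and a constructed live feed.
TRAINING = [
    "2024-04-29T09:02:11 srv1 sshd: Accepted publickey for alice from 10.0.0.5",
    "2024-04-29T10:15:43 srv1 sshd: Accepted publickey for alice from 10.0.0.5",
    "2024-04-30T09:07:02 srv1 sshd: Accepted publickey for alice from 10.0.0.5",
    "2024-04-30T02:00:01 srv1 sshd: Accepted publickey for backup from 10.0.0.7",
    "2024-05-01T02:00:01 srv1 sshd: Accepted publickey for backup from 10.0.0.7",
]
LIVE = [
    "2024-05-02T09:05:30 srv1 sshd: Accepted publickey for alice from 10.0.0.5",
    "2024-05-02T23:14:01 srv1 sshd: Failed password for invalid user admin from 203.0.113.9",
    "2024-05-02T23:14:02 srv1 sshd: Failed password for alice from 203.0.113.9",
    "2024-05-02T23:14:03 srv1 sshd: Failed password for alice from 203.0.113.9",
    "2024-05-02T23:14:04 srv1 sshd: Failed password for alice from 203.0.113.9",
    "2024-05-02T23:14:05 srv1 sshd: Failed password for alice from 203.0.113.9",
    "2024-05-02T23:15:10 srv1 sshd: Accepted password for alice from 203.0.113.9",
    "2024-05-02T23:16:00 srv1 sshd: Accepted password for root from 203.0.113.9",
    "2024-05-03T02:00:01 srv1 sshd: Accepted publickey for backup from 10.0.0.8",
]


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def train(lines):
    """Heuristic side: the model of acceptable behaviour. Per user, record the
    source addresses and hours of day at which successful logins were seen."""
    base = {"sources": defaultdict(set), "hours": defaultdict(set)}
    for line in lines:
        ev = parse(line)
        if ev and ev["outcome"] == "Accepted":
            base["sources"][ev["user"]].add(ev["src"])
            base["hours"][ev["user"]].add(int(ev["hour"]))
    return base


def detect(lines, base, fail_threshold=5):
    """Return a list of (kind, detail, line); kind is 'signature' or 'anomaly'."""
    alerts = []
    failures = defaultdict(int)            # failed attempts seen per source address
    for line in lines:
        for name, pattern in SIGNATURES:   # signature-based: plain pattern matching
            if pattern.search(line):
                alerts.append(("signature", name, line))
        ev = parse(line)
        if ev is None:
            continue
        user, src, hour = ev["user"], ev["src"], int(ev["hour"])
        if ev["outcome"] == "Failed":
            failures[src] += 1
            if failures[src] == fail_threshold:
                alerts.append(("anomaly", f"{fail_threshold} failures from {src}", line))
            continue
        # anomaly-based: a successful login that deviates from the learned model
        if src not in base["sources"][user]:
            alerts.append(("anomaly", f"{user} never seen from {src}", line))
        if hour not in base["hours"][user]:
            alerts.append(("anomaly", f"{user} never seen at hour {hour:02d}", line))
        # known attack pattern: a success from a source that just failed repeatedly
        if failures[src] >= fail_threshold:
            alerts.append(("signature", "success after brute force", line))
    return alerts


def accept(base, line):
    """Administrator marks a flagged login as acceptable; the model learns it."""
    ev = parse(line)
    base["sources"][ev["user"]].add(ev["src"])
    base["hours"][ev["user"]].add(int(ev["hour"]))


def demo():
    base = train(TRAINING)
    before = detect(LIVE, base)
    accept(base, LIVE[-1])                 # the new backup host turns out to be legitimate
    after = detect(LIVE, base)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for kind, detail, line in before:
        print(f"[{kind:9}] {detail}: {line}")
    print(f"{len(before)} alerts before tuning, {len(after)} after")
```

The signature rules catch only what someone has already written a pattern for (the root login, the probe for a non-existent account); the baseline catches the off-hours success from an address alice has never used, which no fixed pattern would describe. The trade-off is the false positive on the new backup host, which is why the text gives the administrator a way to mark a flagged behaviour as acceptable rather than silently tuning the threshold.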
