Unit1cs Notes
INTRODUCTION:
➢ The cost to businesses of stolen, misused, or altered information
can be high, especially if real and purported damages to customers
can be traced back to mismanagement.
➢ The objective of security management is to eliminate or minimize
computer vulnerability to destruction, modification, or disclosure.
POLICY
➢ Policy provides the rules that govern how systems should be
configured and how employees of an organisation should act in
normal circumstances and in unusual circumstances.
➢ Policy defines how employees should perform certain security-
related duties, such as the administration of users.
➢ Policy defines how employees are expected to behave when using
systems that belong to the organization.
➢ Security policies can generally be subdivided into the following
categories:
1. Computer systems and networks
2. Personnel management
3. Physical security
1. COMPUTER SYSTEMS AND NETWORKS:
▪ These policies apply generally to system and network
administrators who are responsible for designing, implementing
and supporting computers and networks.
▪ Examples include password and authentication mechanisms and
system-level protection such as antivirus software.
2. PERSONNEL MANAGEMENT:
➢ These policies apply to individual employees.
➢ These policies tell employees how to conduct everyday
business in a secure fashion.
➢ Examples include the handling of sensitive or confidential information
and dealing with social engineering.
3. PHYSICAL SECURITY:
• These policies typically apply to the facilities, and somewhat
peripherally to system and network administrators. They define
what types of physical security controls are to be used.
• Examples include visual surveillance, door entry mechanisms and
audible alarms.
• The security policy tells its audience what must be implemented. It
does not address how it should be implemented.
• Security policies vary from organization to organization.
SECURITY POLICY
➢ The implementation of this policy falls on the system and network
administrators, with the backing of management.
➢ The security policy defines the technical requirements for security on
computer systems and network equipment. It defines how a system
or network administrator should configure a system with regard to
security.
➢ The security policy should define the requirements to be
implemented by each system.
➢ The policy itself should not define specific configurations for
different operating systems.
➢ The security policy should define how users will be identified.
➢ This means that the security policy should either define a standard
for user IDs or point to a system administration procedure that
defines that standard.
➢ The security policy should define the standard requirements for
access controls to be placed on electronic files.
➢ The security policy should require the following events to be audited:
1. Logins
2. Logouts
3. Failed access to files or system objects
4. Remote access
5. Privileged actions
6. System events
Each audited event should also capture the following information:
❖ User ID
❖ Date and time
❖ Process ID
❖ Action performed
❖ Success or failure of the event
➢ The security policy should specify how long the audit records
should be kept and how they should be stored.
➢ The security policy should define the type of security device to be
used on such connections.
➢ The security policy should define acceptable encryption
algorithms for use within the organization and point back to the
information policy to show the appropriate algorithms to protect
sensitive information.
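The audit requirements above (which events must be logged and what each record must carry) can be turned into a compliance check. The following is an added example, not part of the original notes; the record layout, field names and sample records are constructed for illustration.

```python
from datetime import datetime

# Event types the notes say the security policy must have audited.
REQUIRED_EVENTS = {"login", "logout", "failed_access", "remote_access",
                   "privileged_action", "system_event"}
# Information the notes say every audited event must capture.
REQUIRED_FIELDS = ("user_id", "timestamp", "pid", "action", "outcome")


def validate_record(rec):
    """Return the policy violations for one audit record (empty list = compliant)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if rec.get(field) in ("", None):
            problems.append(f"missing {field}")
    if rec.get("event") not in REQUIRED_EVENTS:
        problems.append(f"unknown event type {rec.get('event')!r}")
    if rec.get("outcome") not in (None, "success", "failure"):
        problems.append("outcome must be 'success' or 'failure'")
    if rec.get("timestamp") is not None:
        try:
            datetime.fromisoformat(rec["timestamp"])
        except (TypeError, ValueError):
            problems.append("timestamp is not ISO 8601")
    return problems


def missing_event_types(records):
    """Required event types that never appear in the records at all."""
    return REQUIRED_EVENTS - {r.get("event") for r in records}


def audit_report(records):
    """Map record index -> violations, for the records that have any."""
    return {i: p for i, r in enumerate(records) if (p := validate_record(r))}


# Constructed sample records (not taken from a real system).
SAMPLE_RECORDS = [
    {"event": "login", "user_id": "alice", "timestamp": "2024-03-01T08:00:00",
     "pid": 4120, "action": "interactive logon", "outcome": "success"},
    {"event": "failed_access", "user_id": "bob", "timestamp": "2024-03-01T08:05:12",
     "pid": 4133, "action": "open /etc/shadow", "outcome": "failure"},
    {"event": "privileged_action", "user_id": "alice", "timestamp": "2024-03-01T08:07:30",
     "action": "sudo useradd carol", "outcome": "success"},        # no process ID
    {"event": "logon", "user_id": "carol", "timestamp": "01/03/2024 08:10",
     "pid": 4140, "action": "interactive logon", "outcome": "ok"},  # bad event name, formats
]

if __name__ == "__main__":
    for idx, problems in audit_report(SAMPLE_RECORDS).items():
        print(idx, problems)
    print("never audited:", sorted(missing_event_types(SAMPLE_RECORDS)))
```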
PHYSICAL SECURITY
➢ Physical security consists of all mechanisms used to ensure that
physical access to the computer systems and networks is restricted
to only authorized users.
➢ The physical security of the organization's building is a key
component of information security.
➢ For example: the data center should have separate physical access
control from the buildings as a whole.
SOCIAL ENGINEERING
➢ Social engineering is the process of convincing an authorized
individual to provide confidential information or access to an
unauthorized individual.
➢ Kevin Mitnick, a convicted cyber criminal turned security
consultant, once stated: "Don't rely on network safeguards and
firewalls to protect your information."
SECURITY PROCEDURES
• Procedural security is a set of management and supervisory
controls. It includes rules for the use of computers and data, and
ways to detect unauthorized use. The areas it covers include:
❖ Data input
❖ Data processing
❖ Network security and management
❖ Program development
❖ Output
❖ Communication
❖ Storage
Most procedural security measures are based on two established
principles:
➢ Make each employee personally accountable.
➢ Make sure that it takes more than one person to commit a
fraudulent act. If a sensitive transaction is made, the organization
should be able to identify the person responsible and hold that
employee personally responsible for the results.
A good procedural security program should include:
➢ A written policy that spells out employees' responsibilities,
provides a means to detect violations, and has enough management
control to make sure it is properly implemented.
➢ Management controls to make sure the policies are observed and
that employees keep up with developments in the computer
system, plus control over the processes of computer use and access to
programs and data.
➢ Regular tests of the security system, to make sure it is adequate and
employees are observing the proper procedures.
➢ A standard procedure to deal with anyone caught misusing the
system. This can range from minor disciplinary action to criminal
charges if necessary. Be ready to take this action even if it might
mean bad publicity for the company.
➢ Constant communication: management officials and members of
the technical staff should stay in touch to discuss security needs
and problems.
BUILDING A SECURITY PLAN
❑ The basic goals of a network security system are much like
the security goals for any kind of computer system:
➢ To protect information from accidental destruction or
modification.
➢ To protect information from deliberate destruction or
modification.
➢ To make sure the data is available to authorized users when they
need it and in a form they can use.
➢ Helping to identify the key managers in each client department.
➢ Devising professional surveys and other means to learn about
employees' current attitudes towards security.
➢ Helping to set up and conduct interviews with department
managers and employees.
➢ Planning and delivering training programs to support the security
program.
SECURITY INFRASTRUCTURE
Data integrity:
• Integrity is a related concept but deals with the generation and
modification of data. Only authorized individuals should ever be
able to create or change (or delete) information.
• In other words, data integrity is concerned with protection against
any unauthorized alteration or destruction of data. The primary
focus of this goal, then, is the accuracy and legitimacy of the data.
• A common solution for providing data integrity involves the use of
common encryption strategies (such as Internet Protocol Security)
that apply a checksum to ensure that the data sent
equals the data that was received.
Availability:
• The goal of availability is to ensure that the data, or the system
itself, is available for use when the authorized user wants it. A
variety of attacks can result in the loss of or reduction in
availability.
• Some of these attacks are amenable to automated countermeasures,
such as authentication and encryption, whereas others
require some sort of physical action to prevent or recover from loss
of availability of elements of a distributed system.
Design guidelines
• First, ensure that corporate security policies and procedures are in line
with present business objectives.
• If not, steps should be taken to implement the necessary changes to
these policies and procedures prior to designing and building a
security infrastructure.
• Without the full acceptance and support of such corporate
guidelines from executive management, security design cannot
fully reach its potential, and in fact, due to the lack of both written
guidelines and managerial support
• Once the policies and procedures are in line with present business
practices, it is time to design the infrastructure security
services that will directly support the stated guidelines and
requirements.
These services include:
❖ Authentication
❖ Authorization
❖ Accounting
❖ Physical access controls
❖ Logical access controls
Authentication:
• Authentication is the process of binding a specific ID to a specific
computer connection.
• The authentication of authorized users prevents unauthorized users
from gaining access to corporate information systems.
• The use of authentication mechanisms can also prevent authorized
users from accessing information that they are not authorized to
view.
• Currently, passwords remain the primary authentication
mechanism for internal system access.
• If passwords are to be used, the following are recommended as best
practices:
• Password length: Passwords should be a minimum of eight
characters in length.
• Password change frequency: Passwords should not be more than
60 days old. In addition, passwords should not be changed for one
day after a password change.
• Password history: The last ten passwords should not be reused.
• Password content: Passwords should not be made up of only letters
but instead include letters, numbers and special punctuation
characters. The system should enforce these restrictions when
passwords are changed.
• Passwords should always be stored in encrypted form, and the
encrypted passwords should not be accessible to normal users.
• For extremely sensitive systems or information, passwords may not
provide sufficient protection. In these cases, dynamic passwords or
some form of two-factor authentication should be used. Keep in mind that
authentication is based on some combination of three things:
• Something a person knows, like a password
• Something a person has, like an access card
• Something a person is, like a fingerprint
• Two-factor authentication is used to counter the weakness that
each type of authentication information has. For example,
passwords may be written down and thus discovered.
• Access cards may be stolen, and biometrics tend to be expensive
and require controlled or trusted access between the user and the
machine.
• All organization systems should be configured with a screen saver that
removes information from the screen and requires re-authentication
if the user is away from the computer for longer than ten minutes.
• If employees were to leave a computer logged into the network and
unattended, an intruder would be able to use that computer as the
employee unless some form of re-authentication were required.
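The password rules listed above (length, 60-day maximum age, one-day minimum age, ten-password history, mixed content, and storage in non-plaintext form) can be enforced in code. This is an added example, not from the original notes; the account record layout and the hypothetical `change_password` function are assumptions, and the "encrypted form" rule is met here with a salted PBKDF2 hash, which is the usual way to store passwords.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 8                   # minimum of eight characters
MAX_AGE = timedelta(days=60)     # not more than 60 days old
MIN_AGE = timedelta(days=1)      # no second change within one day
HISTORY = 10                     # last ten passwords may not be reused
ITERATIONS = 100_000             # PBKDF2 work factor


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 digest; only this is stored, never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def matches(password, stored):
    """Constant-time check of a candidate password against a stored salt+digest."""
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)


def content_ok(pw):
    """Long enough, with letters, digits and punctuation all present."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def expired(account, now):
    """True once the password is older than the 60-day limit."""
    return now - account["changed_at"] > MAX_AGE


def change_password(account, new_pw, now):
    """Apply the notes' rules to a change request; return violations (empty = accepted)."""
    problems = []
    if now - account["changed_at"] < MIN_AGE:
        problems.append("password was changed less than one day ago")
    if not content_ok(new_pw):
        problems.append("needs >= 8 chars mixing letters, digits and punctuation")
    if any(matches(new_pw, h) for h in account["history"][-HISTORY:]):
        problems.append("reuses one of the last ten passwords")
    if not problems:                      # accept: store only the hash
        account["history"].append(hash_password(new_pw))
        account["changed_at"] = now
    return problems


def new_account(initial_pw, created):
    """Constructed account record: hash history (current password last) and change time."""
    return {"history": [hash_password(initial_pw)], "changed_at": created}
```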
Authorization:
• Authorization is the process of permitting or denying access to a
specific resource.
• Once identity is confirmed via authentication, specific actions can
be authorized or denied.
• Many types of authorization schemes are used, but the purpose is
the same: determine whether a given user who has been identified
has permissions for a particular object or resource being requested.
• This functionality is frequently part of the operating system and is
transparent to users.
• The separation of tasks, from identification to authentication to
authorization, has several advantages. There are many methods to
perform each task, and on many systems several methods are
concurrently present for each task.
• Separation of these tasks into individual elements allows
combinations of implementations to all work together.
• Authentication is a process of verifying properly presented
credentials; the source of the credentials is not a relevant item.
• Different forms of authorization can be implemented based on the
resource being requested, such as database access or router admin
access.
• Any system or resource, be it hardware (router, workstation) or
software component (database system) that requires authorization
can use its own authorization method once authentication for a
connection has been resolved for it.
Accounting
• Accounting refers to the logging and monitoring of actions, events
and subsequent alerts that result from a satisfied condition.
• Most operating systems can be configured to produce accounting
logs used to alert administrators of various system-generated
events.
• The most prevalent operating system log utilities are syslog (used
on UNIX-based systems) and the NT event log (used on Microsoft
NT-based systems).
• The satisfied condition may simply be a UNIX syslog or Microsoft
NT event log setting of WARNING that produces WARNING-
level messages (or of a higher significance) in its log file.
• However, the condition may be as complex as correlating and
corroborating several non-contiguous events from different agent
sources across the corporation such that the resultant alert means
something of importance.
• Regardless of complexity, accounting results can provide us with
the following
➢ Operating system usage details
➢ Application usage details
➢ Internet, Extranet, or Intranet network connectivity
➢ Data for forensic analysis
➢ Data for trending analysis
➢ Data for report generation
• Each of these results is valuable to a corporation for many reasons.
In addition to providing performance forecasts and trending
analysis, events can be used to ascertain one's security profile and
to identify existing or potential threats.
• Operating system events can be used to notify security staff
members of failed logon attempts, attempts to gain root or
administrator access, and whether file systems have been mounted
for export, to name a few.
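The three conditions just named (failed logons, attempts to gain root, and file systems mounted for export) are the kind of "satisfied condition" a syslog-based accounting setup raises alerts on. Below is an added example, not from the original notes, that extracts those events from syslog text and alerts when one source exceeds a failed-logon threshold; the log lines are constructed for illustration and the patterns assume the usual sshd, su, sudo and rpc.mountd message formats.

```python
import re
from collections import Counter

# Constructed syslog lines (not captured from a real host).
SAMPLE_LOG = """\
Mar  1 08:01:02 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  1 08:01:04 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Mar  1 08:01:06 host1 sshd[2203]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar  1 08:02:10 host1 sshd[2210]: Accepted password for alice from 198.51.100.7 port 40011 ssh2
Mar  1 08:03:15 host1 su[2250]: FAILED SU (to root) alice on /dev/pts/0
Mar  1 08:03:40 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  1 08:05:00 host1 rpc.mountd[301]: authenticated mount request from 198.51.100.9:812 for /export/data (/export/data)
"""

FAILED_LOGIN = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
FAILED_SU = re.compile(r"su\[\d+\]: FAILED SU \(to root\) (\S+)")
SUDO_ROOT = re.compile(r"sudo:\s+(\S+) : .*USER=root ; COMMAND=(\S+)")
EXPORT_MOUNT = re.compile(r"rpc\.mountd\[\d+\]: .*mount request from (\S+) for (\S+)")
THRESHOLD = 3   # failed logons from one source before an alert is raised


def analyse(log_text):
    """Pull the events the notes call out from raw syslog text."""
    failed_by_source = Counter()
    root_attempts, export_mounts = [], []
    for line in log_text.splitlines():
        if m := FAILED_LOGIN.search(line):
            user, src = m.groups()
            failed_by_source[src] += 1
            if user == "root":                       # direct root logon attempt
                root_attempts.append((user, "ssh", src))
        elif m := FAILED_SU.search(line):
            root_attempts.append((m.group(1), "su-failed", ""))
        elif m := SUDO_ROOT.search(line):
            root_attempts.append((m.group(1), "sudo", m.group(2)))
        elif m := EXPORT_MOUNT.search(line):
            export_mounts.append((m.group(1), m.group(2)))
    alerts = [src for src, n in failed_by_source.items() if n >= THRESHOLD]
    return {"failed_by_source": failed_by_source, "root_attempts": root_attempts,
            "export_mounts": export_mounts, "alerts": alerts}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```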
Physical access controls
• Physical access controls pertain to the elements of security
infrastructure that typically work in conjunction with one another
to reduce the effects of abuses by humans and acts of God.
• Physical controls are as much operational as they are physical.
• Common physical access controls include standard keys, key cards,
smart cards, identification badges, security cameras, motion
sensors, audible and visual alarms, doors, locks, cages, fences,
signage, security guards and system or device labels.
• The way these elements are put into use determines the quality of the
physical access control strategy.
• Operational procedures, as defined in corporate security policies
and procedures documentation, should define how specific
classifications of data and underlying systems are protected.
• These procedures should also state which actions are taken to
notify appropriate personnel in the event of a disaster, define
appropriate forensic procedures as they apply to the importance of the
data affected, and state how associated risks may be mitigated.
• In addition to reducing the risk, or effects of a security breach,
disruption of service must also be factored into physical protection
strategy.
Logical Access Controls
• Logical access controls probably receive the most limelight of all
the security infrastructure controls available.
• These controls consist of firewalls, routers, switches, VPNs, and
application-level controls put in place to restrict both system and
network use.
• Logical access controls sometimes utilize authentication and
authorization information to make a determination as to whether
access will be granted or denied upon either the port or protocol
being used.
• Logical access controls can be applied in a variety of ways to
restrict system or network use.
SECURITY MODELS
▪ Concept of security models
▪ Three main types of classic security models:
1. Bell-LaPadula model
2. Biba model
3. Clark-Wilson security model
Concept Of Security Models:
▪ Effective and efficient security models secure the sensitive and
relevant information or data of the organization.
▪ Goals of confidentiality policies: confidentiality
policies emphasize the protection of confidentiality.
▪ A confidentiality policy, also called an information flow policy, prevents
unauthorized disclosure of information.
What is a Security Model?
▪ A model describes the system, e.g., a high-level specification or
an abstract machine description of what the system does.
▪ A security policy defines the security requirements for a given
system.
▪ Verification techniques can be used to show that a policy is
satisfied by a system.
▪ System Model + Security Policy = Security Model.
1. Bell-LaPadula model:
• This model was invented by the scientists David Elliott
Bell and Leonard J. LaPadula.
• The Bell-LaPadula model focuses on data confidentiality and
controlled access to classified information.
• Bell-LaPadula is a form of multi-level security (MLS).
• MLS: a subject at a high level may not convey information to a
subject at a lower
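The MLS rule above is the Bell-LaPadula *-property (no write down); together with the simple security property (no read up) it is what a reference monitor enforces. The following is an added example, not from the original notes: it models labels as (level, categories) pairs, which goes slightly beyond the level-only description above, and the `ReferenceMonitor` class, the subject and object names and their labels are all constructed for illustration.

```python
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def dominates(a, b):
    """Label a dominates label b when its level is at least as high and
    its category set contains b's categories (the Bell-LaPadula lattice)."""
    level_a, cats_a = a
    level_b, cats_b = b
    return LEVELS[level_a] >= LEVELS[level_b] and cats_a >= cats_b


class ReferenceMonitor:
    """Mediates every access request with the two Bell-LaPadula rules."""

    def __init__(self, subjects, objects):
        self.subjects = subjects   # subject name -> (level, frozenset of categories)
        self.objects = objects     # object name  -> (level, frozenset of categories)

    def can_read(self, subject, obj):
        # Simple security property: no read up.
        return dominates(self.subjects[subject], self.objects[obj])

    def can_write(self, subject, obj):
        # *-property: no write down, so a high subject cannot convey
        # information into a lower object (and so to lower subjects).
        return dominates(self.objects[obj], self.subjects[subject])

    def request(self, subject, op, obj):
        """Return True if the access is permitted by the model."""
        check = {"read": self.can_read, "write": self.can_write}[op]
        return check(subject, obj)


# Constructed example labels (not from any real system).
MONITOR = ReferenceMonitor(
    subjects={"analyst": ("SECRET", frozenset({"NUC"})),
              "clerk": ("UNCLASSIFIED", frozenset())},
    objects={"warplan": ("SECRET", frozenset({"NUC"})),
             "bulletin": ("UNCLASSIFIED", frozenset()),
             "audit": ("TOP SECRET", frozenset({"NUC"}))},
)

if __name__ == "__main__":
    for s, op, o in [("analyst", "read", "warplan"), ("analyst", "write", "bulletin"),
                     ("clerk", "read", "warplan"), ("clerk", "write", "warplan")]:
        print(f"{s} {op} {o}: {'allowed' if MONITOR.request(s, op, o) else 'denied'}")
```

Note that the model lets the low-level clerk write (blindly) into the SECRET object, since that moves information up, not down.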