Module IV – Information Systems Security and Domains of IT Infrastructure

Information Systems Security
• An information system consists of the hardware, operating system and application software that work together to collect, process, and store data for individuals and organizations.

Risks, Threats and Vulnerabilities

• Risk – the likelihood that something bad will happen to an asset. It is the level of exposure to some event that has an effect on an asset. In the context of IT security, an asset can be a computer, a database or a piece of information. Examples of risks include the following:
- Losing data
- Losing business because a disaster has destroyed your building
- Failing to comply with laws and regulations
• Threat – any action that could damage an asset. Information systems face both natural and human-induced threats. The threat of flood, earthquake or severe storms requires organizations to create plans to ensure that business operations continue and that the organization can recover.
• Vulnerability – a weakness that allows a threat to be realized or to have an effect on an asset.
• A vulnerability can often result in legal liabilities. Any vulnerability that allows a threat to be realized may result in legal action. Since computers must run software to be useful, and since humans write software, software programs inevitably contain errors. Thus, software vendors must protect themselves from the liabilities of their own vulnerabilities with end-user license agreements.
• End-User License Agreement (EULA) – a license agreement between a user and a software vendor. EULAs protect the software vendor from claims arising from the behavior of imperfect software. EULAs typically contain a warranty disclaimer. This limits their liability for software bugs and weaknesses that hackers can exploit.

Tenets of Information System Security

• Confidentiality – only authorized users can view information.
• Integrity – only authorized users can change information.
• Availability – information is accessible by authorized users whenever they request the information.

Identity Theft
1. Elements that make up a person's identity:
• Full name
• Mailing address
• Date of birth
• Social Security Number
• Bank name
• Bank account number
• Credit card account number
• Medical record number
• Mortgage account number
• Insurance policy number
• Securities and investment account numbers

• Confidentiality – is a common term. It means guarding information from everyone except those with rights to it.
• Integrity – deals with the accuracy and validity of data: data that are not accurate or not valid are of no use. For some organizations, data and information are intellectual property assets. Examples include copyrights, patents, secret formulas and customer databases.
• Availability – is a common term in everyday life. For example, you probably pay attention to the availability of your Internet service, TV service or cell phone service. In the context of information security, availability is generally expressed as the amount of time users can use a system, application, and data.
• Uptime – the total amount of time that a system, application, and data are accessible. Uptime is typically measured in units of seconds, minutes and hours within a given calendar month. Often uptime is expressed as a percentage of time available.
• Downtime – the total amount of time that a system, application, and data are not accessible. Downtime is also measured in units of seconds, minutes and hours of a calendar month.
• Availability – is a mathematical calculation where A = (Total Uptime) / (Total Uptime + Total Downtime).
• Mean time to failure (MTTF) – the average amount of time between failures for a particular system, application, or component.
• Mean time to repair (MTTR) – the average amount of time it takes to repair a system, application, or component after a failure. The goal is to bring the system back up quickly.
• Mean time between failures (MTBF) – the predicted amount of time between failures of an IT system during operation.
• Recovery time objective (RTO) – the amount of time it takes to recover and make a system, application, and data available for use after an outage.
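The availability, MTTR, MTBF and RTO figures defined above, worked through in code as an added example that is not part of the slides; the outage log, the reporting month and the two-hour RTO are constructed values:

```python
from datetime import datetime, timedelta

# Constructed outage log for one calendar month (sample data, not from the slides):
# each entry is (moment the service failed, moment it was restored).
OUTAGES = [
    (datetime(2024, 3, 4, 2, 15), datetime(2024, 3, 4, 2, 45)),    # 30 min
    (datetime(2024, 3, 12, 14, 0), datetime(2024, 3, 12, 17, 0)),  # 3 h
    (datetime(2024, 3, 27, 9, 30), datetime(2024, 3, 27, 9, 50)),  # 20 min
]
MONTH_START = datetime(2024, 3, 1)
MONTH_END = datetime(2024, 4, 1)   # exclusive: March has 31 days = 44640 minutes
RTO = timedelta(hours=2)           # hypothetical recovery time objective


def availability_metrics(outages, period_start, period_end, rto):
    """Compute the slide's availability figures for one reporting period.

    Uptime and downtime are the totals the slide defines; A = uptime /
    (uptime + downtime); MTTR averages repair time over the outages; MTBF
    averages operating (up) time between failures; an outage that lasts
    longer than the RTO is counted as an RTO breach.
    """
    period = period_end - period_start
    downtime = sum((restored - failed for failed, restored in outages), timedelta())
    uptime = period - downtime
    n = len(outages)

    def minutes(td):
        return td.total_seconds() / 60

    return {
        "uptime_minutes": minutes(uptime),
        "downtime_minutes": minutes(downtime),
        "availability": uptime / (uptime + downtime),  # timedelta / timedelta -> float
        "mttr_minutes": minutes(downtime / n) if n else None,
        "mtbf_minutes": minutes(uptime / n) if n else None,
        "rto_breaches": sum(1 for failed, restored in outages if restored - failed > rto),
    }


def allowed_downtime_minutes(period_start, period_end, target_availability):
    """Downtime budget implied by an availability target such as 0.999 ("three nines")."""
    period = period_end - period_start
    return period.total_seconds() / 60 * (1 - target_availability)


def meets_target(metrics, target_availability):
    """True when the measured availability reaches the target."""
    return metrics["availability"] >= target_availability


if __name__ == "__main__":
    m = availability_metrics(OUTAGES, MONTH_START, MONTH_END, RTO)
    print(f"availability {m['availability']:.4%}, MTTR {m['mttr_minutes']:.1f} min, "
          f"MTBF {m['mtbf_minutes']:.0f} min, RTO breaches {m['rto_breaches']}")
    print("three-nines budget:", allowed_downtime_minutes(MONTH_START, MONTH_END, 0.999), "min")
```

The three constructed outages total 230 minutes, so the month comes out at roughly 99.48% availability, which misses a three-nines target (44.64 minutes of allowed downtime) even though only one outage exceeded the RTO.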
Business continuity plans typically define RTO for

What is IT infrastructure?

IT infrastructure is the system of hardware, software, facilities and service components that support the delivery of business systems and IT-enabled processes.

Domains of IT Infrastructure

User Domain – the people who access an organization's information system.
• Roles and tasks – Users can access systems, applications and data depending upon their defined access rights. Employees must conform to the staff manual and policies.
• Risks – Users can destroy data in applications (intentionally or not) and delete all files.
• Responsibilities – Employees are responsible for the use of IT assets. New legislation means that for most organizations it is a best practice to introduce an acceptable use policy (AUP).
• Accountability – Typically an organization's human resources department is accountable for implementing proper employee background checks. These should be performed for individuals who will be accessing sensitive data.

Workstation Domain – can be a desktop computer, a laptop computer, a special-purpose terminal, or any other device that connects to your network.
• Roles and tasks – The Workstation Domain also needs additional layers of defense, a tactic referred to as defense in depth.
• Risks – The workstation's OS can have a known software vulnerability that allows a hacker to connect remotely and steal data. A workstation's browser can have a software vulnerability which allows unsigned scripts to silently install malicious software.
• Responsibilities – An organization's desktop support group is responsible for the Workstation Domain. Enforcing defined standards is critical to ensuring the integrity of user workstations and data. The IT security personnel must safeguard controls within the Workstation Domain.
• Accountability – An organization's IT desktop manager is typically accountable for allowing employees the greatest use of the Workstation Domain. The director of IT security is generally in charge of ensuring that the Workstation Domain conforms to

LAN Domain – a collection of computers connected to one another or to a common connection medium.
• Contains all the workstations, hubs, switches and routers. The LAN is a trusted zone.
• A worm can spread through the LAN and infect all computers in it.
• Unauthorized users can access the organization's workstations in a LAN.
• Weak passwords can be cracked.

Physical parts of the LAN Domain:
• Network Interface Card (NIC)
• Ethernet LAN
• Unshielded twisted pair cabling
• LAN switch
• File server and print server
• Wireless Access Point (WAP)

• Roles and tasks – The LAN Domain includes both physical network components and the logical configuration of services.
• Physical components:
- Cabling
- NICs – Network Interface Controllers
- LAN switches
- Wireless Access Points (WAPs)
• Responsibilities – The LAN support group is in charge of the LAN Domain. This includes both the physical components and logical elements. LAN system administrators must maintain and support departments' file and print services and configure access controls for users.
• Accountability – The LAN manager's duty is to

LAN-to-WAN Domain – where the IT infrastructure links to a wide area network and the Internet.
• Roles and tasks – The LAN-to-WAN Domain includes both the physical pieces and the logical design of security appliances. It is one of the most complex areas to secure within an IT infrastructure.
• Risks – A hacker can penetrate your IT infrastructure and gain access to your internal network. If users are allowed to visit malicious websites, they can mistakenly download malicious software.

The roles and tasks required within the LAN-to-WAN Domain include managing and configuring the following:
1. IP routers – a network device used to transport IP packets to and from the Internet and WAN. Path determination decisions forward IP packets.
2. IP stateful firewalls – an IP stateful firewall is a security appliance used to filter inbound IP packets based on various ACL definitions configured for IP, TCP, and UDP packet headers. A stateful firewall can examine IP, TCP, or UDP packet headers for filtering.
3. Demilitarized zone (DMZ) – the DMZ is a LAN segment in the LAN-to-WAN Domain that acts as a buffer zone for inbound and outbound IP traffic. External servers such as web servers, proxy servers and e-mail servers can be placed here for greater isolation and screening of IP traffic.
4. Intrusion detection system (IDS) – an IDS security appliance examines IP data streams for common attack and malicious intent patterns. IDSs are passive, going only so far as to trigger an alarm; they will not actively block traffic.
5. Intrusion prevention system (IPS) – an IPS does the same thing as an IDS but can block IP data streams identified as malicious. IPSs can end the actual communication session, filter by source IP address, and block access to the targeted host.
6. Proxy servers – a proxy server acts as a middleman between a workstation and the essential target. Traffic goes to the intermediary server that is acting as the proxy. Data can be analyzed and properly screened before they are relayed into the IT infrastructure by what are called proxy firewalls or application gateway firewalls.
7. Web content filter – this security appliance can prevent content from entering an IT infrastructure based on filtering of domain names or keywords within domain names.
8. E-mail content filter and quarantine system – this security appliance can block content within e-mails or unknown file attachments for proper antivirus screening and quarantining. Upon review, the e-mail and attachments can be forwarded to the user.

• Responsibilities – The network security group is responsible for the LAN-to-WAN Domain.
This includes both the physical components and logical elements. Group members are responsible for applying the defined security controls.
• Accountability – Your organization's WAN network manager has a duty to manage the LAN-to-WAN Domain. The director of IT security ensures that the LAN-to-WAN Domain security policies, standards, procedures, and guidelines are used.

WAN Domain – consists of the Internet and semi-private lines.
• The WAN Domain includes both physical components and the logical design of routers and communication equipment. It is the second most complex area to secure within an IT infrastructure.
• Risks:
- A service provider can have a major network outage.
- A File Transfer Protocol (FTP) server that allows anonymous uploads can host warez from black-hat hackers.
- A server can receive a DoS or DDoS attack.
- An FTP server can allow anonymously uploaded illegal software.

WAN Domain Roles, Responsibilities, and Accountability
• Roles and tasks – The WAN Domain includes both physical components and the logical design of routers and communication equipment. It is the second most complex area to secure within an IT infrastructure.
- WAN communication links – These are physical communication links provided as a digital or optical service terminated at your facility.
- IP network design – This is the logical design of the IP network and addressing schema. This requires network
- IP stateful firewall – This is a security appliance used to filter IP packets and block unwanted IP, TCP and UDP packet types from entering or leaving the network. Firewalls can be installed on workstations or routers, or as
- IP router configuration – This is the actual router configuration information for the WAN backbone and edge routers used for IP connections to remote locations.
- Virtual Private Networks – A VPN is a dedicated encrypted tunnel from one endpoint to another. The VPN tunnel can be created between a remote workstation using the public Internet and a VPN router, or between a secure browser and a website.
- Multiprotocol Label Switching (MPLS) – MPLS is a WAN software feature that allows customers to maximize performance. MPLS labels IP packets for rapid transport through virtual tunnels between designated endpoints.
- Simple Network Management Protocol (SNMP) network monitoring and management – SNMP is used for network device monitoring, alarms and performance.
- Router and equipment maintenance – A requirement to perform hardware and firmware updates, upload new operating
• Responsibilities – The network engineer is responsible for the WAN Domain. This includes both the physical components and logical elements. Network engineers and security practitioners set up the defined security controls according to defined policies.
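As an added example that is not from the slides, the stateful firewall ACL, the session table that lets replies back in, and the IDS (alarm only) versus IPS (end the session, filter the source) behaviour described for the LAN-to-WAN Domain above, together with the IP stateful firewall listed for the WAN Domain, modelled in one small Python class; the addresses, ACL rules and signature strings are constructed:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (WAN -> LAN) or "out" (LAN -> WAN)
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""

# Constructed ACL for the LAN-to-WAN edge (hypothetical addresses). Each rule is
# (direction, proto, destination host or "any", destination port or "any", action);
# the first match wins and anything unmatched is denied.
ACL = [
    ("in", "tcp", "203.0.113.10", 443, "allow"),  # DMZ web server
    ("in", "udp", "203.0.113.10", 53, "allow"),   # DMZ DNS server
    ("out", "any", "any", "any", "allow"),         # LAN users may initiate sessions
    ("in", "any", "any", "any", "deny"),           # default deny for unsolicited inbound
]
# Constructed IDS signatures: substrings treated as malicious intent patterns.
SIGNATURES = ("../../", "cmd.exe")

class EdgeSecurity:
    def __init__(self, acl, mode="ids"):
        self.acl, self.mode = acl, mode  # mode "ids" alerts only, "ips" also blocks
        self.sessions = set()            # 5-tuples of sessions the LAN initiated
        self.blocked_sources = set()     # sources the IPS has filtered out
        self.alerts = []

    def _acl_decision(self, p):
        for direction, proto, dst, dport, action in self.acl:
            if (direction == p.direction and proto in ("any", p.proto)
                    and dst in ("any", p.dst) and dport in ("any", p.dport)):
                return action
        return "deny"

    def process(self, p):
        """Return 'allow' or 'drop' for one packet, updating the state table and alerts."""
        if p.src in self.blocked_sources:
            return "drop"
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if p.direction == "in" and reverse in self.sessions:
            verdict = "allow"  # reply to a session the LAN opened
        else:
            verdict = self._acl_decision(p)
            if verdict == "allow" and p.direction == "out":
                self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
        if verdict == "deny":
            return "drop"
        # The firewall let the packet through; the IDS/IPS now inspects the data stream.
        hit = next((s for s in SIGNATURES if s in p.payload), None)
        if hit is not None:
            self.alerts.append(f"{p.src} -> {p.dst}:{p.dport} matched {hit!r}")
            if self.mode == "ips":  # IPS: end the session and filter the source address
                self.blocked_sources.add(p.src)
                return "drop"
        return "allow"  # IDS mode: alarm raised, traffic still flows
```

Run the same packet sequence through `EdgeSecurity(ACL, "ids")` and `EdgeSecurity(ACL, "ips")` to see the difference the slide draws: both raise the alert, only the IPS drops the matching packet and everything that source sends afterwards.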
• Accountability – Your organization's IT network manager must maintain, update and provide technical support for the WAN Domain. Typically, the director of IT security ensures that the company meets WAN

Remote Access Domain – dangerous yet necessary for mobile workers.
• The domain in which a mobile user can access the local network remotely, usually through a VPN.
• Risks:
- A communication circuit outage can destroy
- Remote users may be infected with a virus and not be aware of it. When they connect to the internal network through remote access, the virus can infect the network.
- Remote communication from the office can be unsecured.
- VPN tunneling between a remote computer and the ingress/egress router can be hacked.

Today's mobile worker depends on the following:
• Highly available cell phone service – Mobile workers need cell phone service to get in touch with office and support teams.
• Real-time access for critical communications – Use of text messaging or Instant Messaging (IM) chat on cell phones provides quick answers to short questions and does not require users to completely interrupt what they are doing.
• Access to e-mail from a mobile device – Integration of e-mail with cell phones, smartphones, tablets and BlackBerry devices.
• Broadband Wi-Fi Internet access – Wireless access in major metro areas.
• Local Wi-Fi hotspots – Wi-Fi hotspots are abundant, including in airports, libraries, coffee shops and retailers. Most are free, but some require that users pay for access.
• Broadband Internet access to the home office – This service is usually bundled with VoIP telephone and digital TV service.
• Secure remote access to a company's IT infrastructure – Remote workers require secure VPN tunnels to encrypt all IP data transmissions through the public

Remote Access Domain Roles, Responsibilities and Accountability
• Roles and tasks – Connect mobile users to their IT systems through the public Internet. The mobile user must have a remote IP device able to connect to the Internet.
• The roles and tasks required within the Remote Access Domain include managing and designing the following:
- Cell phones, smartphones, PDAs, and BlackBerry units – Company-issued devices should be loaded with up-to-date firmware, operating system software, and patches according to defined policies. Policy should require the use of passwords on this equipment.
- Secure browser software – Web pages that use Hypertext Transfer Protocol Secure (HTTPS) need secure browsers. HTTPS encrypts the data transfer between the secure browser and secure web pages.
- VPN routers, VPN firewalls, VPN concentrators – Remote access VPN tunnels end at the VPN router, VPN firewall or VPN concentrator, usually within the LAN-to-WAN Domain. All data are encrypted between the remote endpoint and the VPN router, firewall, or concentrator.
- Secure Sockets Layer (SSL)/VPN web server – This encrypted VPN tunnel gives end-to-end privacy for remote web page data sharing.
- Authentication server – A server that performs
• Responsibilities – The network engineer or WAN group is usually in charge of the Remote Access Domain. This includes both the hardware components and logical elements. Network engineers and security practitioners are in charge of applying security controls according to policies. These include maintaining, updating and troubleshooting the hardware and logical remote access connections for the Remote Access Domain. This requires management of the following:
1. IP routers
2. IP stateful firewalls
• Remote access security controls must use the following:
- Identification – The process of providing identifying information, such as a username, a logon ID, or an account number.
- Authentication – The process of proving that a remote user is the user they claim to be. The most common authentication method is supplying a password.
System/Application Domain – this domain is made up of user-accessed servers such as e-mail and database servers.
• Holds all the mission-critical systems, applications, and data. Authorized users may have access to many components in this domain.
• Risks – A database server can be attacked by SQL injection, corrupting the data. In a SQL injection attack, the attacker can read the entire database. SQL injection can also modify data in the database.

Examples of applications that may require second-level authentication include the following:
• Human resources and payroll – Only staff who work on payroll services need access to this private data and confidential information.
• Accounting and financial – Executive managers need access to accounting and financial data to make sound business decisions. Securing financial data requires unique security controls with access limited to those who need it.
• Customer relationship management – Customer service reps need real-time access to information that includes customer purchasing history and private data.
• Sales order entry – Sales professionals need access to the sales order-entry and order-tracking system. Private data must be kept safe.
• US military intelligence and tactics – U.S. military commanders who make decisions on the battlefield use highly sensitive information. Access to that information must meet U.S.

Scope of the System/Application Domain
6. Physical access to computer rooms, data centers, and wiring closets – Set up procedures to allow staff to enter secured areas.
7. Server architecture – Apply a converged server design that employs server blades and racks to combine their use and reduce cost.
8. Server operating systems and core environments – Reduce the time that operating system software is open to attack by installing software updates and patches.
9. Virtualization servers – Keep physical and logical environments separate and extend layered security solutions into the cloud. Virtualization allows you to load many operating systems and applications using one physical server.
10. System administration of application servers – Provide ongoing server and system administration for users.
11. Data classification standard – Review data classification standards, procedures, and guidelines on proper handling of data. Maintain safety of private data while in transport and in storage.
12. Software development life cycle – Apply secure software development life cycle tactics when designing and developing software.
13. Testing and quality assurance – Apply sound software testing, penetration testing, and quality assurance to fill security gaps and software weaknesses.
14. Storage, backup, and recovery procedures – Follow data storage, backup, and recovery plans as set by the data classification standard.
15. Data archiving and retention – Align policies, standards, procedures, and guidelines to digital storage retention needs.
16. Business continuity plan (BCP) – Conduct a business impact analysis (BIA) and decide which computer uses are most important for the business to keep going.
17. Disaster recovery plan (DRP) – Prepare a disaster recovery plan based on the BCP.
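The SQL injection risk the System/Application Domain slide describes (an attacker reading the entire database through a single lookup), shown as an added example that is not from the slides: a lookup that splices user input into the query beside the parameterized form that the secure software development life cycle item calls for. The customer table is constructed sample data.

```python
import sqlite3


def make_customer_db():
    """Constructed in-memory customer table (sample rows, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"), ("Bob", "bob@example.com"),
         ("Carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the WHERE clause by string formatting: a quote character in the
    input closes the literal and whatever follows is executed as SQL."""
    query = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Binds the input as a query parameter: the driver passes it as data only,
    so the same input is compared literally against the name column."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_customer_db()
    # A tautology in the name turns a one-row lookup into a dump of the whole table.
    injected = "' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(db, injected))    # every customer row
    print("parameterized: ", lookup_parameterized(db, injected))  # no rows
```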