IT Security

The document outlines essential concepts and practices in information security, emphasizing the importance of protecting information as a valuable asset. It discusses security goals, challenges, risks, types of attacks, and the significance of auditing and monitoring systems. Additionally, it covers strategies for implementing secure networks, cryptography standards, and the role of policies and procedures in maintaining security.

Uploaded by

indianinn

Information Security

A Practical Approach

Indian Elango

1
Information Security Concepts

2
Understanding Information Security

• Information is an asset which, like any other business asset, has value to an organisation and needs to be protected.
• Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.

3
Goals of Information Security

• The security goals are confidentiality, integrity, and availability
4
Information Security Challenges

• Confidentiality and Privacy - Ensuring that only the intended recipients can read the information.
• Authentication - Ensuring that information is actually sent by the stated sender.
• The recognized impact of a security breach
• The skills gap
• The explosive growth in endpoints
• Security and technology are changing rapidly

5
Information Security Risks

6
Risks

• Preventing loss or disclosure of data while sustaining authorized access.
• The possibility that something could happen to damage, destroy or disclose data or other resources is known as risk.

7
Risk factors

• Dependency on security monitoring software
• Inadequate system logging
• Technology innovations that outpace security
• Outdated operating systems
• Lack of encryption
• Data on user-owned mobile devices
• Lack of management support
• The human factor – the weakest link
• Bring your own device (BYOD) policy and the cloud
• No information security training
• Lack of a recovery plan

8
Who are the Attackers?

• Nation-states
• Individual crackers
• Black hat groups
• Terror groups
• Script kiddies

9
Types of Attacks

• Web application attacks
• SQL injection attacks
• Social engineering
• Botnets
• Distributed Denial of Service attack (DDoS)
• Phishing attacks
• Malware, spyware, ransomware

10
Steps of an Attack

• Footprinting
• Scanning
• Escalating privileges
• Gaining access
• Attack
• Covering Tracks

11
System Threats and Risks

• Trojan
• Virus
• Worms
• Spyware
• Keylogger
• Adware
• Backdoor
• Exploit
• Phishing
• Cookies
• DDoS
• Browser Hijackers
• Lack of Input validation

12
Network Vulnerabilities

• SQL injection
  – Attacker sends simple text-based attacks that exploit the syntax of the targeted interpreter
• Broken Authentication and Session Management
  – Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users.
• Cross Site Scripting (XSS)
  – Attacker sends text-based attack scripts that exploit the interpreter in the browser.
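The SQL injection bullet describes the defect in one sentence; the following added example (not part of the slide deck) shows the defective pattern next to its fix using Python's built-in sqlite3 module and a constructed in-memory users table, so the behaviour can be observed offline.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows.
    Passwords are kept in clear only to keep the example short;
    a real system stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: whatever the user types
    becomes part of the SQL text the interpreter parses."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, username, password):
    """Parameterised query: the same text is bound as data, so the
    interpreter never treats it as SQL syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


def demo():
    """Run both variants on a normal login and on a tautology input,
    the textbook illustration of a text-based attack on SQL syntax."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "normal_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "normal_safe": login_safe(conn, "alice", "correct horse"),
        # Vulnerable path: the quote closes the literal and the OR makes the
        # WHERE clause true for every row, so every user is returned.
        "attack_vulnerable": login_vulnerable(conn, "x", tautology),
        # Safe path: the text is compared as a password and matches nothing.
        "attack_safe": login_safe(conn, "x", tautology),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```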

13
Network Vulnerabilities contd..

• Security Misconfigurations
  – Attacker accesses default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.
• Sensitive Data Exposure
  – Anonymous external attackers as well as users with their own accounts may attempt to compromise the system.
• Cross Site Request Forgery
  – Attacker creates forged HTTP requests and tricks a victim into submitting them via image tags, XSS, or numerous other techniques.
• Missing Functional Level Access Control
  – Anyone with network access can send your application a request

14
Understanding Social Engineering

• Manipulating individuals into divulging confidential or personal information that may be used for fraudulent purposes.

15
Importance of Auditing
• IT audit is important because:
  – It gives assurance that the IT systems are adequately protected
  – It provides reliable information to users, and
  – The infrastructure is properly managed to achieve its intended benefits

16
Infrastructure and connectivity

17
Network Monitoring and Defenses

21
Network Monitoring

• Monitoring traffic patterns to obtain information about a network.
• Packet sniffing is the act of capturing packets from the network to extract useful information from the packet contents.
• Effective packet sniffers can extract usernames, passwords, email addresses, encryption keys, credit card numbers, IP addresses, system names, and so on.

22
Understanding IDS

• Intrusion detection is the process of monitoring the events occurring in your network and analyzing them for signs of possible incidents, violations, or imminent threats to your security policies.
• An IDS is a device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected, a log message is generated detailing the event.

23
Understanding IPS

• An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits.
• A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected, the packet is rejected.
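The two slides above differ only in what happens after a known event is matched (log it, or reject the packet). This added Python example, not part of the deck, makes that difference concrete with a signature check over header and payload; the `Packet` and `Signature` classes, the two signatures and the sample traffic are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Packet:          # constructed stand-in for one captured packet
    src: str
    dst: str
    dst_port: int
    payload: bytes

@dataclass
class Signature:       # a "known event": header condition plus payload bytes
    name: str
    pattern: bytes
    dst_port: int = 0  # 0 means any destination port

# Hypothetical signatures written for this example only.
SIGNATURES = [
    Signature("http-path-traversal", b"../..", dst_port=80),
    Signature("telnet-default-login", b"admin\r\n", dst_port=23),
]

def matches(pkt, sig):
    """Header check first, then a payload search: both parts are inspected."""
    if sig.dst_port and pkt.dst_port != sig.dst_port:
        return False
    return sig.pattern in pkt.payload

def inspect(packets, mode):
    """'ids': every packet is forwarded and a match only writes a log line.
    'ips': a matching packet is rejected and never forwarded."""
    forwarded, log = [], []
    for pkt in packets:
        hit = next((s for s in SIGNATURES if matches(pkt, s)), None)
        if hit is None:
            forwarded.append(pkt)
            continue
        action = "ALERT" if mode == "ids" else "DROP"
        log.append(f"{action} {hit.name} {pkt.src} -> {pkt.dst}:{pkt.dst_port}")
        if mode == "ids":
            forwarded.append(pkt)
    return forwarded, log

SAMPLE = [  # constructed traffic
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.9", "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("10.0.0.9", "10.0.0.23", 23, b"admin\r\n"),
    Packet("10.0.0.9", "10.0.0.80", 80, b"admin\r\n"),  # same bytes, other port: no hit
]
```

Running `inspect(SAMPLE, "ids")` forwards all four packets and logs two alerts, while `inspect(SAMPLE, "ips")` logs the same two events but forwards only the two clean packets.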

24
Understanding Protocol Analyzers

• A protocol analyzer is a tool (hardware or software) used to capture and analyze signals and data traffic over a communication channel
• Examples:
  – Wireshark
  – Network Miner
  – Network Monitor

25
Implementing a Secure Network

26
Implementing a Secure Network

• Defining Security Baseline
• System Hardening
• Network Hardening
• Application Hardening

27
Defining Security Baseline

• Baselines are descriptions of implementations of security processes and standards to ensure that a consistent level of security is maintained throughout the organization

Examples of Baselines
– Configurations for intrusion detection systems
– Configurations for firewalls
– System hardening

28
System Hardening

• System hardening is removing unnecessary services and patching the systems.

29
Network Hardening

• All network services that are not required should be disabled
• This is a fundamental part of network hardening

30
Application Hardening

Application hardening is the process of changing the default application configuration in order to achieve greater security.

Default credentials on most devices also pose a threat to the applications.

31
Securing Network and Environment

33
Securing Network and Environment

• Understanding Physical Security
• Understanding Business Continuity Planning
• Developing Policies, Standards, and Guidelines
• Security Standards

34
Understanding Physical Security

Physical security covers physical access control matters, including fences, gates, lights, cameras, locks, mantraps, and guards.

35
Business Continuity Planning
A set of activities, plans and procedures that enable businesses to:
– Recover from events threatening or destroying the continuity of critical business operations
– Repair and replace damaged assets as soon as possible
– Minimize loss occasioned by the event

37
Disaster Recovery Planning

• BCP focuses on restoring critical business functions to normalcy as soon as possible and with the least damage to existing systems.
• DRP aims at handling the recovery process after dangerous events that impact the business have taken place.

38
Policies, Standards, and Guidelines

• Security Policy is the topmost driving force for information security
• Reflects top management commitment to information security
• Summarizes the security philosophy of the organization

39
Security Policy – Good practices

• Policies should survive for two to three years
• Do not be too specific in policy statements
• Use forceful, directive wording
• Technical implementation details do not belong in a policy
• Keep each policy as short as possible
• Provide references in the policy to supporting documents

40
Security Standards

• Standards are hardware / software / process / personnel combination mechanisms selected as the organization's method of addressing a specific security risk

Examples of Standards
– Specific anti-virus software
– Specific access control system
– Specific firewall system

41
Security Guidelines

• Guidelines are recommendations, white papers, best practices or best recorded formats for a security program that are recommended for use by an organization provided they are consistent with the security policy

• Examples of Guidelines
– CoBIT™, ISO series, BS 7799, etc.

42
Cryptography

43
Cryptosystems

• Symmetric – uses the same key for encryption and decryption
• Asymmetric – uses different keys for encryption and decryption

44
Plain text and Cipher text

1. Plaintext – A message in a readable format
2. Ciphertext – Message altered to be unreadable by anyone except the intended recipients
3. Key – Sequence that controls the operation and behavior of the cryptographic algorithm
4. Key space – Total number of possible values of keys in a crypto algorithm

45
Encryption: The Process
[Diagram: process of encryption]

46
Symmetric Cryptosystem

1. A symmetric cryptosystem uses a single key for encryption and decryption
2. The difficulty is key distribution and key maintenance.
3. This system provides only confidentiality.
4. A symmetric cryptosystem does not provide:
   • Authentication
   • Non-repudiation
   • Data integrity

47
Asymmetric Cryptosystem

• PKI stands for public key infrastructure, which is a framework.
• PKI consists of:
  – Public key
  – Private key
  – Digital signature
  – Hashing

48
Features of Encryption
Confidentiality – No unauthorized access
Authentication – Source Validation
Data Integrity – Data not modified in transit
Non-repudiation – sender cannot deny sending the
message later.

Answers:

Confidentiality – Encryption
Authentication – Digital Certificate
Data Integrity – Hashing / Message Digest
Non-repudiation – Digital Signature

49
Cryptography Standards and Protocols

Symmetric Algorithms
DES
3DES
AES
CAST

Asymmetric Algorithms
RSA
Diffie-Hellman
ElGamal
Elliptic Curve (ECC)

50
Encryption standards

• Data Encryption Standard (DES)
• Advanced Encryption Standard (AES)
• RSA, the original public key algorithm
• OpenPGP

51
Hash standards

• MD5
• SHA-1
• SHA-2
• HMAC

52
Digital Signature standards

• Digital Signature Standard (DSS), based on the Digital Signature Algorithm (DSA)
• RSA
• Elliptic Curve DSA

53
Public-key infrastructure (PKI) standards

• X.509 Public Key Certificates

54
Wireless Standards

• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA)
• WPA2, which uses AES and other improvements over WEP

55
Security Policies and Procedures

56
Access Control

• Access control mechanisms
  – Photo ID cards
  – Digitally coded cards
  – Magnetic strips
  – Smart cards
  – Proximity identification devices
  – Biometric devices

57
Identity

• Identity is a claim
  – I am Mr. Asokan
• The claim has to be proved by
  – Something you know (Password or PIN)
  – Something you are (Thumb impression or retina scan)
  – Something you have (RSA Token)

58
Authentication

• Authentication – Verification of the user's claimed identity
• Proving an identity claim is called authentication
• Performed by the system to which the user has presented his identity
• Common form is the password
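The slide names the password as the common way a system verifies a claimed identity. As an added example that is not part of the deck, the following Python code, using only the standard library, shows how such a check is done without the system ever storing the password: a salted PBKDF2 hash is stored at enrolment and recomputed at login. The `asokan` account and its passphrase are constructed values.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # PBKDF2 work factor; raise it as hardware gets faster


def enrol(password: str) -> dict:
    """Create the stored credential: a fresh random salt and the PBKDF2
    hash of the password. The password itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": ITERATIONS}


# Used when the claimed identity is unknown, so the same amount of hashing
# work is done either way and response time does not reveal valid usernames.
_DUMMY = enrol("")


def authenticate(users: dict, identity: str, password: str) -> bool:
    """Prove the identity claim: recompute the hash with the stored salt
    and compare it to the stored digest in constant time."""
    record = users.get(identity, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return identity in users and hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    # Constructed account for the identity claim "I am Mr. Asokan" on the slide.
    users = {"asokan": enrol("s3cret-passphrase")}
    print(authenticate(users, "asokan", "s3cret-passphrase"))  # True
    print(authenticate(users, "asokan", "wrong-guess"))        # False
    print(authenticate(users, "nobody", "s3cret-passphrase"))  # False
```

Because each enrolment draws a new salt, two users with the same password get different stored digests, so a stolen credential table cannot be attacked with one precomputed list.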

59
Security Administration

60
Physical security management

• Emergency procedures
• Evacuation of personnel & systems
• Emergency system shut down
• Bomb / Terrorist threats
• Test of emergency procedures

61
Physical security management

• Audit trails and logs
  – Record attempts to break physical security
  – Time of attempt – result of attempt
  – Which physical location / node was used?
  – Who attempted?
  – Was the modified security tested?
• These are detective and not preventive controls

62
Awareness & Education

• Determine awareness needs depending on
  – Current level of awareness
  – Organizational security culture
• Formal training session design
• Choice of training topics
• Create a course with assessment and feedback
• Various awareness-related activities
• Hands-on training
• Measuring awareness effectiveness

63
Questions?
Indian Elango
[email protected]

65
