is unit-2 notes

Uploaded by Santhiya S cse

IT2042 INFORMATION SECURITY

UNIT II - SECURITY INVESTIGATION

NEED FOR SECURITY

The purpose of information security management is to ensure business continuity and
reduce business damage by preventing and minimizing the impact of security incidents. The
Audit Commission Update report (1998) shows that fraud or cases of IT abuse often occur due to
the absence of basic controls, with one half of all detected frauds found by accident. An
Information Security Management System (ISMS) enables information to be shared, whilst
ensuring the protection of information and computing assets.

At the most practical level, securing the information on your computer means:

 Ensuring that your information remains confidential, and that only those who should
access that information can do so.

 Knowing that no one has been able to change your information, so you can depend on its
accuracy (information integrity).

 Making sure that your information is available when you need it (by making back-up
copies and, if appropriate, storing the back-up copies off-site).

BUSINESS NEEDS FIRST

Information security performs four important functions for an organization:

1. Protects the organization’s ability to function

2. Enables the safe operation of applications implemented on the organization’s IT systems.

3. Protects the data the organization collects and uses.

4. Safeguards the technology assets in use at the organization.

1. Protecting the functionality of an organization

 Decision makers in organizations must set policy and operate their organizations
in compliance with the complex, shifting legislation that controls the use of
technology.

2. Enabling the safe operation of applications

 Organizations are under immense pressure to acquire and operate integrated,
efficient, and capable applications.
 The modern organization needs to create an environment that safeguards
applications using the organization’s IT systems, particularly those applications
that serve as important elements of the infrastructure of the organization.
SCE 1 DEPARTMENT OF CSE

3. Protecting data that organizations collect & use

 Protecting data in motion

 Protecting data at rest

 Both are critical aspects of information security.

 The value of data motivates attackers to steal, sabotage, or corrupt it.

 Protecting data is essential to preserving the integrity and value of the organization’s data.

4. Safeguarding Technology assets in organizations

 Secure infrastructure services must be added based on the size and scope of the
enterprise.
 Organizational growth could lead to the need for a public key infrastructure (PKI),
an integrated system of software and encryption methodologies.

THREATS

To protect an organization’s information, you must

1. Know yourself

i.e., be familiar with the information to be protected, and the systems that store,
transport and process it.

2. Know the threats you face

To make sound decisions about information security, management must be
informed about the various threats facing the organization, its applications, data and
information systems.

A threat is an object, person, or other entity, that represents a constant danger to an asset.

Threats to Information Security

Categories of threat -- Examples

Acts of human error or failure -- Accidents, employee mistakes

Compromises to intellectual property -- Piracy, copyright infringement

Deliberate acts of espionage or trespass -- Unauthorized access and/or data collection

Deliberate acts of information extortion -- Blackmail or information disclosure

Deliberate acts of sabotage or vandalism -- Destruction of systems or information

Deliberate acts of theft -- Illegal confiscation of equipment or information

Deliberate software attacks -- Viruses, worms, macros, denial-of-service

Forces of nature -- Fire, flood, earthquake, lightning

Deviations in quality of service -- ISP, power, or WAN service providers

Technical hardware failures or errors -- Equipment failure

Technical software failures or errors -- Bugs, code problems, unknown loopholes

Technological obsolescence -- Antiquated or outdated technologies

2.3.2 Threats

1. Acts of Human Error or Failure:

 Acts performed without intent or malicious purpose by an authorized user.

 Caused by inexperience, improper training, or the making of incorrect assumptions.

One of the greatest threats to an organization’s information security is the organization’s own
employees.

 Entry of erroneous data

 accidental deletion or modification of data

 storage of data in unprotected areas.

 Failure to protect information can be prevented with:

- Training

- Ongoing awareness activities

- Verification by a second party

- Many military applications have robust, dual-approval controls built in.

2. Compromises to Intellectual Property

 Intellectual Property is defined as the ownership of ideas and control over the tangible
or virtual representation of those ideas.
 Intellectual property includes trade secrets, copyrights, trademarks, and patents.
 Once intellectual property has been defined and properly identified, breaches to IP
constitute a threat to the security of this information.
 Organizations often purchase or lease the IP of other organizations.
 The most common IP breach is the unlawful use or duplication of software-based intellectual
property, more commonly known as software piracy.
 Software piracy affects the world economy.
 The U.S. provides approximately 80% of the world’s software.

In addition to the laws surrounding software piracy, two watchdog organizations
investigate allegations of software abuse:

1. Software and Information Industry Association (SIIA), formerly the Software
Publishers Association (SPA)

2. Business Software Alliance (BSA)

 Another effort to combat (take action against) piracy is the online registration
process.

3. Deliberate Acts of Espionage or Trespass

 Electronic and human activities that can breach the confidentiality of information.
 When an unauthorized individual gains access to information an organization is
trying to protect, the act is categorized as espionage or trespass.
 Attackers can use many different methods to access the information stored in an
information system:

1. Competitive intelligence (using a web browser to gather information from market
research)

2. Industrial espionage (spying)

3. Shoulder surfing (e.g., at an ATM)

Trespass

 Can lead to unauthorized real or virtual actions that enable information gatherers to enter
premises or systems they have not been authorized to enter.
 Sound principles of authentication & authorization can help organizations protect
valuable information and systems.
 Hackers: “People who use and create computer software to gain access to information
illegally.”
 There are generally two skill levels among hackers:
 Expert hackers: masters of several programming languages, networking protocols,
and operating systems.
 Unskilled hackers

4. Deliberate Acts of information Extortion (obtain by force or threat)

 Possibility of an attacker or trusted insider stealing information from a computer system
and demanding compensation for its return or for an agreement not to disclose the
information.

5. Deliberate Acts of sabotage or Vandalism

 Destroy an asset or

 Damage the image of organization

 Cyber terrorism: cyber terrorists hack systems to conduct terrorist activities through
network or Internet pathways.

6. Deliberate Acts of Theft

 Illegal taking of another’s property is a constant problem.

 Within an organization, property can be physical, electronic, or intellectual.

 Physical theft can be controlled by the installation of alarm systems and by trained
security professionals.

 Electronic theft control is still under research.

7. Deliberate Software Attacks

 Caused by malicious code, also called malicious software or malware.

 These software components are designed to damage, destroy or deny service to the target
system.

 The more common instances are:

 Viruses, worms, Trojan horses, logic bombs, backdoors.

 The British Internet service provider Cloudnine is said to be the first business “hacked out of
existence”.

Virus

 Segments of code that perform malicious actions.

 Viruses are commonly transmitted when e-mail attachment files are opened.

 Macro virus: embedded in automatically executing macro code common in word
processors, spreadsheets and database applications.

 Boot virus: infects the key operating files located in the computer’s boot sector.

Worms

 A worm is a malicious program that replicates itself constantly, without requiring another
program to provide a safe environment for replication.
 Worms can continue replicating themselves until they completely fill available resources,
such as memory, hard drive space, and network bandwidth.
 E.g., MS-Blaster, MyDoom and Netsky are multifaceted attack worms.
 Once the worm has infected a computer, it can redistribute itself to all e-mail addresses
found on the infected system.
 Furthermore, a worm can deposit copies of itself onto all Web servers that the infected
systems can reach, so that users who subsequently visit those sites become infected.

Trojan Horses

 Are software programs that hide their true nature and reveal their designed behavior only
when activated.

Figure 7.3.1 Trojan horse attack: a Trojan horse arrives via e-mail or software such as free
games; it is activated when the software or attachment is executed; it then releases its payload,
monitors computer activity and installs a back door.

Back Door or Trap Door

 A virus or worm has a payload that installs a backdoor or trapdoor component in a
system, which allows the attacker to access the system at will with special privileges.

E.g., Back Orifice

Polymorphism

 A Polymorphic threat is one that changes its apparent shape over time, making it
undetectable by techniques that look for preconfigured signatures.

 These viruses and Worms actually evolve, changing their size, and appearance to elude
detection by antivirus software programs.

Virus & Worm Hoaxes

Types of Trojans

 Data-sending Trojans

 Proxy Trojans

 FTP Trojans

 Security software disabler Trojans

 Denial-of-service attack Trojans (DoS)

Virus

 A program or piece of code that is loaded onto your computer without your
knowledge and runs against your wishes.
Worm

 A program or algorithm that replicates itself over a computer network and usually
performs malicious actions.

Trojan Horse

 A destructive program that masquerades as a benign application; unlike viruses,
Trojan horses do not replicate themselves.

Blended threat

 Blended threats combine the characteristics of virus, worm, Trojan horses &
malicious code with server and Internet Vulnerabilities.

Antivirus Program

 A utility that searches a hard disk for viruses and removes any that are found.

Forces of Nature

 Fire: structural fire that damages the building. Also encompasses smoke damage
from a fire or water damage from sprinkler systems.
 Flood: can sometimes be mitigated with flood insurance and/or business
interruption insurance.
 Earthquake: can sometimes be mitigated with specific casualty insurance
and/or business interruption insurance, but is usually a separate policy.
 Lightning: an abrupt, discontinuous natural electric discharge in
the atmosphere.
 Landslide/Mudslide: the downward sliding of a mass of earth and rocks, directly
damaging all parts of the information systems.
 Tornado/Severe windstorm
 Hurricane/Typhoon
 Tsunami
 Electrostatic discharge (ESD)
 Dust contamination

Since it is not possible to avoid force of nature threats, organizations must implement
controls to limit damage.

 They must also prepare contingency plans for continued operations, such as disaster
recovery plans, business continuity plans, and incident response plans, to limit losses in
the face of these threats.

Deviations in Quality of Service

 A product or service is not delivered to the organization as expected.
 The organization’s information system depends on the successful operation of many
interdependent support systems.
 These include power grids, telecom networks, parts suppliers, service vendors, and even the
janitorial staff and garbage haulers.
 This degradation of service is a form of availability disruption.

Internet Service Issues

 Internet service provider (ISP) failures can considerably undermine the availability of
information.
 Web hosting services are usually arranged with an agreement providing minimum
service levels, known as a Service Level Agreement (SLA).
 When a service provider fails to meet the SLA, the provider may accrue fines to cover losses
incurred by the client, but these payments seldom cover the losses generated by the
outage.

Communications & Other Service Provider Issues

 Other utility services that can affect the organization are telephone, water, waste water, trash
pickup, cable television, natural or propane gas, and custodial services.
 The loss of these services can impair the ability of an organization to function.
 For example, if the waste water system fails, an organization might be prevented from
allowing employees into the building.
 This would stop normal business operations.

Power Irregularities

 Fluctuations due to power excesses
 Power shortages
 Power losses

These can pose problems for organizations that provide inadequately conditioned
power for their information systems equipment.

 When voltage levels spike (experience a momentary increase) or surge (experience a
prolonged increase), the extra voltage can severely damage or destroy equipment.
 The more expensive uninterruptible power supply (UPS) can protect against spikes and
surges.

Technical Hardware Failures or Errors

 Resulting in unreliable service or lack of availability.
 Some errors are terminal, in that they result in unrecoverable loss of equipment.
 Some errors are intermittent, in that they result in faults that are not easily repeated.
Technical software failures or errors

 This category involves threats that come from purchasing software with unknown, hidden
faults.
 Large quantities of computer code are written, debugged, published, and sold before all
their bugs are detected and resolved.
 These failures range from bugs to untested failure conditions.

Technological obsolescence

 Outdated infrastructure can lead to unreliable and untrustworthy systems.
 Management must recognize that when technology becomes outdated, there is a risk of
loss of data integrity from attacks.

ATTACKS

 An attack is an act or action that takes advantage of a vulnerability to compromise a
controlled system.
 It is accomplished by a threat agent that damages or steals an organization’s information
or physical asset.
 A vulnerability is an identified weakness in a controlled system, where controls are not
present or are no longer effective.
 An attack exists when a specific act or action comes into play and may cause a potential
loss.

Malicious code

 The malicious code attack includes the execution of viruses, worms, Trojan horses, and
active Web scripts with the intent to destroy or steal information.
 The state-of-the-art malicious code attack is the polymorphic, or multivector, worm.
 These attack programs use up to six known attack vectors to exploit a variety of
vulnerabilities in commonly found information system devices.

Attack Replication Vectors

1. IP scan & attack

2. Web browsing

3. Virus

4. Unprotected shares

5. Mass mail

6. Simple Network Management Protocol(SNMP)

1. IP scan & attack

 The infected system scans a random or local range of IP addresses and targets any of
several vulnerabilities known to hackers.

2. Web browsing

 If the infected system has write access to any Web pages, it makes all Web content files
(.html, .asp, .cgi and others) infectious, so that users who browse to those pages become
infected.

3. Virus

 Each infected machine infects certain common executable or script files on all computers
to which it can write with virus code that can cause infection.

4. Unprotected shares

 Using vulnerabilities in file systems and the way many organizations configure them, the
infected machine copies the viral component to all locations it can reach.

5. Mass Mail

 By sending e-mail infections to addresses found in the address book, the infected
machine infects many users, whose mail-reading programs also automatically run the
program and infect other systems.

6. Simple Network Management Protocol (SNMP)

 By using the widely known and common passwords that were employed in early versions
of this protocol, the attacking program can gain control of the device. Most vendors have
closed these vulnerabilities with software upgrades.

Examples

Hoaxes

 A more devious approach to attacking the computer systems is the transmission of a virus
hoax with a real virus attached.
 Even though these users are trying to avoid infection, they end up sending the attack on
to their co-workers.

Backdoors

 Using a known or previously unknown and newly discovered access mechanism, an
attacker can gain access to a system or network resource through a back door.
 Sometimes these entries are left behind by system designers or maintenance staff, and
are thus referred to as trap doors.
 A trap door is hard to detect, because very often the programmer who puts it in place also
makes the access exempt from the usual audit logging features of the system.

Password Crack

 Attempting to reverse-calculate a password is often called cracking.
 A candidate password can be hashed using the same algorithm and compared to the stored
hash; if they are the same, the password has been cracked.
 The Security Account Manager (SAM) file contains the hashed representation of the
user’s password.

Brute Force

 The application of computing and network resources to try every possible combination of
options for a password is called a brute force attack.
 Because this is often an attempt to repeatedly guess passwords to commonly used accounts, it is
sometimes called a password attack.

Spoofing

 It is a technique used to gain unauthorized access to computers, wherein the intruder
sends messages to a computer with an IP address that indicates the messages are
coming from a trusted host.

Original IP packet from the hacker’s system: IP source 192.168.0.25, IP destination 100.0.0.75, data: payload

Spoofed (modified) IP packet: IP source 100.0.0.80, IP destination 100.0.0.75, data: payload

Figure 2.4.3.1 IP spoofing: the hacker modifies the source address to spoof the firewall; the
spoofed packet is sent to the target; the firewall allows the packet in, mistaking it for legitimate
traffic.
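The figure shows why a firewall that trusts packets by source address alone is fooled by the spoofed packet. The following is an added example (not from these notes) of the ingress-filtering rule a defender adds: a packet arriving on the external interface may not claim a source inside the protected network, and vice versa. The addresses are the ones in the figure; the interface names, the protected prefix 100.0.0.0/24 and the trusted-host set are assumptions made for this example.

```python
"""Ingress anti-spoofing check, illustrating Figure 2.4.3.1 (added example).

The weak rule trusts any packet whose source is a trusted host.  The hardened
rule first rejects source/interface combinations that cannot be genuine.
Addresses come from the figure; interface names, the protected prefix and the
trusted-host set are assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

PROTECTED_NET = ip_network("100.0.0.0/24")   # assumed: the target's own network
TRUSTED_HOSTS = {ip_address("100.0.0.80")}   # assumed: host the old rule trusted by address


@dataclass(frozen=True)
class Packet:
    iface: str   # "ext" = arrived from the Internet, "int" = arrived from inside
    src: str     # IP source address as written in the packet header
    dst: str     # IP destination address


def address_only_rule(pkt: Packet) -> str:
    """The weak rule from the figure: allow anything that claims a trusted source."""
    return "allow" if ip_address(pkt.src) in TRUSTED_HOSTS else "deny"


def ingress_filter(pkt: Packet) -> str:
    """Hardened rule: reject impossible source/interface pairs before trusting an address."""
    src = ip_address(pkt.src)
    if pkt.iface == "ext" and src in PROTECTED_NET:
        return "deny: spoofed internal source on external interface"
    if pkt.iface == "int" and src not in PROTECTED_NET:
        return "deny: unexpected external source on internal interface"
    return address_only_rule(pkt)


def evaluate(packets: Iterable[Packet]) -> List[Tuple[str, str, str]]:
    """Run both rules over a batch so the difference is visible side by side."""
    return [(pkt.src, address_only_rule(pkt), ingress_filter(pkt)) for pkt in packets]


# Constructed traffic modelled on the figure.
SAMPLE = [
    Packet("ext", "192.168.0.25", "100.0.0.75"),  # original packet from the attacker
    Packet("ext", "100.0.0.80", "100.0.0.75"),    # same packet with a spoofed source
    Packet("int", "100.0.0.80", "100.0.0.75"),    # genuine packet from the trusted host
]

if __name__ == "__main__":
    for src, weak, strong in evaluate(SAMPLE):
        print(f"{src:14} address-only={weak:6} ingress-filter={strong}")
```

The spoofed packet passes the address-only rule but is rejected by the interface check, while the genuine packet from 100.0.0.80 on the internal interface still passes; this is the same idea as BCP 38 ingress filtering on a border router.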

Dictionary

 This is another form of the brute force attack noted above for guessing passwords.
 The dictionary attack narrows the field by selecting specific accounts to attack and uses
a list of commonly used passwords instead of random combinations.

Denial-of-Service (DoS) & Distributed Denial-of-Service (DDoS)

 The attacker sends a large number of connection or information requests to a target.
 This may result in the system crashing, or simply becoming unable to perform ordinary
functions.
 DDoS is an attack in which a coordinated stream of requests is launched against a target
from many locations at the same time.

Man-in-the-Middle

 Otherwise called a TCP hijacking attack.
 An attacker monitors packets from the network, modifies them, and inserts them back
into the network.
 This type of attack uses IP spoofing.
 It allows the attacker to change, delete, reroute, add, forge or divert data.
 In a TCP hijacking session, the spoofing involves the interception of an encryption key
exchange.

SPAM

 Spam is unsolicited commercial e-mail.
 It has been used to make malicious code attacks more effective.
 Spam is considered a trivial nuisance rather than an attack.
 Its cost is the waste of both computer and human resources caused by the flow of unwanted
e-mail.

Mail Bombing

 Another form of e-mail attack, which is also a DoS, is called a mail bomb.
 Attacker routes large quantities of e-mail to the target.
 The target of the attack receives unmanageably large volumes of unsolicited e-mail.
 By sending large e-mails, attackers can take advantage of poorly configured e-mail
systems on the Internet and trick them into sending many e-mails to an address chosen by
the attacker.
 The target e-mail address is buried under thousands or even millions of unwanted e-
mails.
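A mail bomb is visible in the mail server's own logs as an abnormal number of deliveries to one address in a short time. The following is an added example (not from these notes) of a sliding-window counter run over constructed log lines; the line format, the threshold of five messages and the 60-second window are assumptions for this example. The same counter, keyed on source or destination address instead of recipient, is the basic detection for the flood of connection requests described under DoS above.

```python
"""Sliding-window flood detection over mail log lines (added example).

Counts deliveries per recipient inside a moving window and reports the
moment a recipient exceeds the threshold.  Log format, threshold and window
are assumptions for this example; the log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Optional, Tuple

# Assumed log format: "<ISO timestamp> from=<sender> to=<recipient>"
LINE_RE = re.compile(r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+)$")

# Constructed sample: one address is hit by seven relayed messages in ten seconds.
SAMPLE_LOG = """\
2024-01-15T09:00:00 from=alice@example.org to=helpdesk@example.org
2024-01-15T09:00:01 from=relay1@open-relay.test to=ops@example.org
2024-01-15T09:00:03 from=relay2@open-relay.test to=ops@example.org
2024-01-15T09:00:04 from=relay1@open-relay.test to=ops@example.org
2024-01-15T09:00:06 from=relay3@open-relay.test to=ops@example.org
2024-01-15T09:00:07 from=relay2@open-relay.test to=ops@example.org
2024-01-15T09:00:09 from=relay1@open-relay.test to=ops@example.org
2024-01-15T09:00:10 from=relay3@open-relay.test to=ops@example.org
2024-01-15T09:05:00 from=bob@example.net to=helpdesk@example.org
"""


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, sender, recipient) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["sender"], m["rcpt"]


def detect_floods(log_text: str, threshold: int = 5,
                  window_seconds: int = 60) -> Dict[str, datetime]:
    """Map each flooded recipient to the time it first exceeded `threshold`
    messages within any `window_seconds`-long sliding window.

    Lines are assumed to be in time order, as a server log is.  Old timestamps
    fall out of the per-recipient deque as the window moves, so a steady trickle
    never accumulates into an alert."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue            # skip malformed lines rather than crash the monitor
        ts, _sender, rcpt = parsed
        q = recent[rcpt]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()         # drop deliveries that have aged out of the window
        if len(q) > threshold and rcpt not in alerts:
            alerts[rcpt] = ts   # record only the first crossing per recipient
    return alerts


if __name__ == "__main__":
    for rcpt, when in detect_floods(SAMPLE_LOG).items():
        print(f"mail flood against {rcpt} detected at {when.isoformat()}")
```

Because the alert fires on the first crossing, a responder can rate-limit or quarantine deliveries to that recipient while the remaining thousands of messages are still in flight, rather than discovering the flood from a full mailbox.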

Sniffers

 A sniffer is a program or device that can monitor data traveling over a network.
 Unauthorized sniffers can be extremely dangerous to a network’s security, because they
are virtually impossible to detect and can be inserted almost anywhere.
 Sniffers often work on TCP/IP networks, where they are sometimes called “packet
sniffers”.

Social Engineering

 It is the process of using social skills to convince people to reveal access credentials or
other valuable information to the attacker.
 An attacker gets more information by calling others in the company and asserting his/her
authority by mentioning the chief’s name.

Buffer Overflow

 A buffer overflow is an application error that occurs when more data is sent to a buffer
than it can handle.
 An attacker can use it to make the target system execute instructions of the attacker’s choosing.

Timing Attack

 Works by exploring the contents of a web browser’s cache.
 These attacks allow a Web designer to create a malicious form of cookie that is stored on
the client’s system.
 The cookie could allow the designer to collect information on how to access password-
protected sites.
LEGAL, ETHICAL, AND PROFESSIONAL ISSUES IN INFORMATION SECURITY

Law and Ethics in Information Security

 Laws are rules that mandate or prohibit certain behavior in society; they are drawn from
ethics, which define socially acceptable behaviors. The key difference between laws and
ethics is that laws carry the sanctions of a governing authority and ethics do not. Ethics in
turn are based on Cultural mores.
 Types of Law

 Civil law

 Criminal law

 Tort law

 Private law

 Public law

Relevant U.S. Laws – General

 Computer Fraud and Abuse Act of 1986
 National Information Infrastructure Protection Act of 1996
 USA Patriot Act of 2001
 Telecommunications Deregulation and Competition Act of 1996
 Communications Decency Act (CDA)
 Computer Security Act of 1987

Privacy

 The issue of privacy has become one of the hottest topics in information
 The ability to collect information on an individual, combine facts from separate sources,
and merge it with other information has resulted in databases of information that were
previously impossible to set up
 The aggregation of data from multiple sources permits unethical organizations to build
databases of facts with frightening capabilities

Privacy of Customer Information

 Privacy of Customer Information Section of Common Carrier Regulations
 Federal Privacy Act of 1974
 The Electronic Communications Privacy Act of 1986
 The Health Insurance Portability & Accountability Act of 1996 (HIPAA), also known as
the Kennedy-Kassebaum Act
 The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999
Table 2.5.2.1 Key U.S. Laws of Interest to Information Security Professionals

ACT -- SUBJECT -- DATE -- DESCRIPTION

Communications Act of 1934, updated by Telecommunications Deregulation & Competition Act -- Telecommunications -- 1934 -- Regulates interstate and foreign telecommunications.

Computer Fraud & Abuse Act -- Threats to computers -- 1986 -- Defines and formalizes laws to counter threats from computer-related acts and offenses.

Computer Security Act of 1987 -- Federal agency information security -- 1987 -- Requires all federal computer systems that contain classified information to have surety plans in place, and requires periodic security training for all individuals who operate, design, or manage such systems.

Economic Espionage Act of 1996 -- Trade secrets -- 1996 -- Designed to prevent abuse of information gained by an individual working in one company and employed by another.

Electronic Communications Privacy Act of 1986 -- Cryptography -- 1986 -- Also referred to as the Federal Wiretapping Act; regulates interception and disclosure of electronic information.

Federal Privacy Act of 1974 -- Privacy -- 1974 -- Governs federal agency use of personal information.

Gramm-Leach-Bliley Act of 1999 -- Banking -- 1999 -- Focuses on facilitating affiliation among banks, insurance and securities firms; it has significant impact on the privacy of personal information used by these industries.

Health Insurance Portability and Accountability Act -- Health care privacy -- 1996 -- Regulates collection, storage, and transmission of sensitive personal health care information.

National Information Infrastructure Protection Act of 1996 -- Criminal intent -- 1996 -- Categorized crimes based on the defendant’s authority to access a computer and criminal intent.

Sarbanes-Oxley Act of 2002 -- Financial reporting -- 2002 -- Affects how public organizations and accounting firms deal with corporate governance, financial disclosure, and the practice of public accounting.

Security and Freedom through Encryption Act of 1999 -- Use and sale of software that uses or enables encryption -- 1999 -- Clarifies use of encryption for people in the United States and permits all persons in the U.S. to buy or sell any encryption product, and states that the government cannot require the use of any kind of key escrow system for encryption products.

U.S.A. Patriot Act of 2001 -- Terrorism -- 2001 -- Defines stiffer penalties for prosecution of terrorist crimes.

Export and Espionage Laws

 Economic Espionage Act (EEA) of 1996
 Security and Freedom Through Encryption Act of 1997 (SAFE)

US Copyright Law

 Intellectual property is recognized as a protected asset in the US
 US copyright law extends this right to the published word, including electronic formats
 Fair use of copyrighted materials includes
- the use to support news reporting, teaching, scholarship, and a number of
other related permissions
- the purpose of the use has to be for educational or library purposes, not for
profit, and should not be excessive

Freedom of Information Act of 1966 (FOIA)

 The Freedom of Information Act provides any person with the right to request access to
federal agency records or information not determined to be of national security
- US Government agencies are required to disclose any requested information
on receipt of a written request
 There are exceptions for information that is protected from disclosure, and the Act does
not apply to state or local government agencies or to private businesses or individuals,
although many states have their own version of the FOIA

State & Local Regulations

 In addition to the national and international restrictions placed on an organization in the
use of computer technology, each state or locality may have a number of laws and
regulations that impact operations

It is the responsibility of the information security professional to understand state laws and
regulations and ensure the organization’s security policies and procedures comply with those
laws and regulations

International Laws and Legal Bodies

 Recently the Council of Europe drafted the European Council Cyber-Crime
Convention, designed
- to create an international task force to oversee a range of security functions
associated with Internet activities,
- to standardize technology laws across international borders
 It also attempts to improve the effectiveness of international investigations into breaches
of technology law
 This convention is well received by advocates of intellectual property rights with its
emphasis on copyright infringement prosecution

Digital Millennium Copyright Act (DMCA)

 The Digital Millennium Copyright Act (DMCA) is the US version of an international
effort to reduce the impact of copyright, trademark, and privacy infringement
 The European Union Directive 95/46/EC increases protection of individuals with regard
to the processing of personal data and limits the free movement of such data
 The United Kingdom has already implemented a version of this directive called the
Database Right

United Nations Charter

 To some degree the United Nations Charter provides provisions for information
security during Information Warfare
 Information Warfare (IW) involves the use of information technology to conduct
offensive operations as part of an organized and lawful military operation by a sovereign
state
 IW is a relatively new application of warfare, although the military has been conducting
electronic warfare and counter-warfare operations for decades, jamming, intercepting,
and spoofing enemy communications

Policy Versus Law

 Most organizations develop and formalize a body of expectations called policy
 Policies function in an organization like laws
 For a policy to become enforceable, it must be:
- Distributed to all individuals who are expected to comply with it
- Readily available for employee reference
- Easily understood, with multi-language translations and translations for
visually impaired or literacy-impaired employees
- Acknowledged by the employee, usually by means of a signed consent form
 Only when all conditions are met does the organization have a reasonable expectation of
effective policy

Ethical Concepts in Information Security

Cultural Differences in Ethical Concepts

 Differences in cultures cause problems in determining what is ethical and what is not
ethical
 Studies of ethical sensitivity to computer use reveal different nationalities have different
perspectives
 Difficulties arise when one nationality’s ethical behavior contradicts that of another
national group

Ethics and Education

 Employees must be trained and kept aware of a number of topics related to information
security, not the least of which is the expected behaviors of an ethical employee

 This is especially important in areas of information security, as many employees may not
have the formal technical training to understand that their behavior is unethical or even
illegal
 Proper ethical and legal training is vital to creating an informed, well prepared, and low-
risk system user

Deterrence to Unethical and Illegal Behavior

 Deterrence: preventing an illegal or unethical activity
 Laws, policies, and technical controls are all examples of deterrents
 Laws and policies only deter if three conditions are present:
- Fear of penalty
- Probability of being caught
- Probability of penalty being administered

POLICY PLANNING FOR SECURITY

 Creation of an information security program begins with creation and/or review of the
organization’s information security policies, standards, and practices

 Then, selection or creation of an information security architecture and the development and
use of a detailed information security blueprint creates a plan for future success

 Security education and training are needed to successfully implement policies and ensure a secure
environment

Why Policy?

 A quality information security program begins and ends with policy

 Policies are the least expensive means of control and often the most difficult to implement

 Some basic rules must be followed when shaping a policy:

– Never conflict with law

– Stand up in court

– Properly supported and administered

– Contribute to the success of the organization

– Involve end users of information systems

Definitions

 Policy: course of action used by an organization to convey instructions from management
to those who perform duties

– Organizational rules for acceptable/unacceptable behavior

– Penalties for violations

– Appeals process

 Standards: more detailed statements of what must be done to comply with policy

 Practices, procedures and guidelines effectively explain how to comply with policy

 For a policy to be effective it must be:

– Properly disseminated

– Read

– Understood

– Agreed to by all members of organization

Types of Policies

1. Enterprise Information Security Program Policy (EISP)

2. Issue-Specific Information Security Policy (ISSP)

3. Systems-Specific Information Security Policy (SysSP)

Overview of Computer Security

Computer security refers to protecting computers and their related data, networks, software and
hardware from unauthorized access, misuse, theft, information loss, and other security issues. The
Internet has made our lives easier and provides many advantages, but it has also put our systems
at risk of being infected by a virus, being hacked, information theft, damage to the system, and
much more.
Technology grows day by day and reaches into every part of life; we cannot imagine even a day
without electronic devices around us. As this technology spreads, invaders, hackers and thieves try
to break our computers' security for monetary gain, recognition, ransom demands, bullying others,
intruding into other businesses and organizations, etc. To protect our systems from all these risks,
computer security is important.

Types of computer security


Computer security can be classified into four types:
1. Cyber Security: Cyber security means securing our computers, electronic devices, networks,
programs and systems from cyber attacks. Cyber attacks are attacks that happen when our system
is connected to the Internet.
2. Information Security: Information security means protecting our system's information from theft,
illegal use and piracy by unauthorized users. Information security has three main objectives:
confidentiality, integrity, and availability of information.
3. Application Security: Application security means securing our applications and their data so that
they do not get hacked, and so that the applications' databases remain private to their owner and
users' data remains confidential.
4. Network Security: Network security means securing a network and protecting the information of
the users connected through it. Over the network, hackers steal packets of data through sniffing and
spoofing attacks, man-in-the-middle attacks, war driving, etc., and misuse the data for their own
benefit.

Types of cyber attack


1. Denial of service attack or DoS: A denial of service attack is a kind of cyber attack in which the
attackers disrupt the services of a particular network by sending a flood of requests, temporarily or
permanently making the network or machine resources unavailable to the intended audience.
2. Backdoor: In a backdoor attack, malware, a trojan horse or a virus gets installed on our system
and starts undermining its security alongside the legitimate file. Consider an example: suppose you
are installing free software from a certain website on the Internet. Unknowingly, along with this
software, a malicious file also gets installed, and as soon as you execute the installed software that
file's malware runs and starts affecting your computer's security. This is known as a backdoor.
3. Eavesdropping: Eavesdropping refers to secretly listening to someone's conversation without their
permission or knowledge. Attackers try to steal, manipulate, modify or hack information or systems
by passively listening to network communication, learning passwords, etc. A physical example:
suppose you are talking to another person in your organization and a third person listens to your
private talk; then he or she is said to eavesdrop on your conversation. Similarly, your conversation
on the Internet may be eavesdropped on by attackers who connect to your network, if it is insecure,
and listen to your private traffic.
4. Phishing: Phishing is pronounced "fishing" and works in a similar way. When fishing, we catch
fish by luring them with bait. Similarly, in phishing, a user is tricked by an attacker who gains the
user's trust, or acts as if he is a genuine person, and then steals information by deception. Not only
attackers but also certain websites that seem genuine are actually fraud sites. These sites trick
users, who end up giving their personal information such as login details, bank details or card
numbers. Phishing is of many types: voice phishing, text phishing, etc.
5. Spoofing: Spoofing is the act of masquerading as a valid entity through falsification of data (such
as an IP address or username), in order to gain access to information or resources that one is
otherwise unauthorized to obtain. Spoofing is of several types: email spoofing, IP address spoofing,
MAC spoofing, biometric spoofing, etc.
6. Malware: Malware is made up of two terms: Malicious + Software = Malware. Malware intrudes
into the system and is designed to damage our computers. Different types of malware are adware,
spyware, ransomware, Trojan horses, etc.
7. Social engineering: A social engineering attack involves manipulating users psychologically and
extracting confidential or sensitive data from them by gaining their trust. The attacker generally
exploits the trust of people by relying on their cognitive biases.
8. Polymorphic Attacks: Poly means "many" and morph means "form"; polymorphic attacks are
those in which the attacker adopts multiple forms and changes them so that they are not recognized
easily. These kinds of attacks are difficult to detect due to their changing forms.
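The request flood described under denial of service above can be spotted from a server's request log by counting requests per source address inside a sliding time window. This is an added example, not code from the notes; the log lines, addresses, window and threshold are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one request per line: "<ISO timestamp> <source IP> <method> <path>".
# 203.0.113.5 sends one request per second for 15 seconds (a flood);
# 198.51.100.7 is an ordinary visitor making three requests.
SAMPLE_LOG = (
    "".join(f"2024-01-01T10:00:{s:02d} 203.0.113.5 GET /login\n" for s in range(15))
    + "2024-01-01T10:00:00 198.51.100.7 GET /index.html\n"
    + "2024-01-01T10:00:05 198.51.100.7 GET /about.html\n"
    + "2024-01-01T10:00:30 198.51.100.7 GET /contact.html\n"
)


def parse_log(text):
    """Return (timestamp, source_ip) pairs sorted oldest first, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or truncated line: skip rather than crash the detector
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1]))
        except ValueError:
            continue  # unparseable timestamp
    events.sort(key=lambda event: event[0])
    return events


def detect_floods(text, window_seconds=10, max_requests=10):
    """Return {source_ip: (first_time_flagged, peak_requests_in_window)}.

    A source is flagged once it has max_requests or more requests inside any
    window_seconds interval; peak records the largest count seen for it.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    flagged = {}
    for ts, ip in parse_log(text):
        queue = recent[ip]
        queue.append(ts)
        while ts - queue[0] > window:  # expire requests older than the window
            queue.popleft()
        if len(queue) >= max_requests:
            first, peak = flagged.get(ip, (ts.isoformat(), 0))
            flagged[ip] = (first, max(peak, len(queue)))
    return flagged


if __name__ == "__main__":
    for ip, (first, peak) in detect_floods(SAMPLE_LOG).items():
        print(f"possible DoS from {ip}: {peak} requests within 10 s, first flagged at {first}")
```

On real logs the threshold has to be tuned to normal traffic, and a distributed flood spread across many sources needs aggregate counting as well as the per-source count shown here.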

Steps to ensure computer security


In order to protect our systems from the above-mentioned attacks, users should take certain steps to
ensure system security:
1. Always keep your operating system up to date. Keeping it up to date reduces the risk of its
being attacked by malware, viruses, etc.
2. Always use a secure network connection. One should always connect to a secure network. Public
Wi-Fi and unsecured networks should be avoided, as they are at risk of being attacked.
3. Always install an antivirus and keep it up to date. An antivirus is software that scans your PC
for viruses and isolates infected files from other system files so that they don't get affected.
Also, we should try to go for paid antivirus products, as they are more secure.
4. Enable a firewall. A firewall is a system designed to prevent unauthorized access to or from a
computer or even a private network of computers. A firewall can be hardware, software or a
combination of both.
5. Use strong passwords. Always make strong passwords, and different passwords for all social
media accounts, so that they cannot be key logged, brute forced or detected easily using dictionary
attacks. A strong password is one that has 16 characters which are a combination of upper case and
lower case letters, numbers and special characters. Also, keep changing your passwords
regularly.
6. Don't trust someone easily. You never know someone's intentions, so don't trust someone easily
and end up giving your personal information to them. You don't know how they are going to use
your information.
7. Keep your personal information hidden. Don't post all your personal information on social
media. You never know who is spying on you. In the real world we try to avoid talking to
strangers and sharing anything with them; similarly, social media also has people whom you don't
know, and if you share all your information there you may end up in trouble.
8. Don't download attachments that come along with e-mails unless you know that the e-mail
is from a genuine source. Often these attachments contain malware which, upon execution, infects
or harms your system.
9. Don't purchase things online from just anywhere. Make sure that whenever you are shopping online
you are doing so from a well-known website. There are many fraud websites that may steal your card
information as soon as you check out, and you may lose your money to them.
10. Learn about computer security and ethics. You should be well aware of safe computing and the
ethics of the computing world. Gaining appropriate knowledge is always helpful in reducing cyber-
crime.
11. If you are attacked, immediately inform the cyber cell so that they may take appropriate action
and also protect others from being attacked by the same person. Don't hesitate to complain just
because you think people may make fun of you.
12. Don't use pirated content. Often, people try to download pirated movies, videos or web series in
order to get them for free. Such pirated content is at major risk of being infected with viruses,
worms or malware, and when you download it you end up compromising your system's security.
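The password rules in step 5 (16 characters, all four character classes, resistance to dictionary attacks, and no reuse across accounts) can be enforced with a small checker such as the following added example, which is not part of the notes. The word list, substitution table and sample passwords are constructed; a real check would use a full dictionary or breached-password list.

```python
import re

# Constructed mini word list standing in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "iloveyou", "admin"}

# Common substitutions that attackers' dictionaries already try, undone before the word check.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Lower-case, undo leet substitutions and keep only letters: 'P@$$w0rd2024!' -> 'passwordoai'."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def check_password(password, dictionary=COMMON_WORDS):
    """Return the rules from step 5 that the password fails; an empty list means it passes."""
    failures = []
    if len(password) < 16:
        failures.append("shorter than 16 characters")
    for pattern, name in ((r"[A-Z]", "upper case letter"), (r"[a-z]", "lower case letter"),
                          (r"[0-9]", "number"), (r"[^A-Za-z0-9]", "special character")):
        if not re.search(pattern, password):
            failures.append("no " + name)
    core = normalize(password)
    hits = sorted(word for word in dictionary if word in core)  # dictionary-attack exposure
    if hits:
        failures.append("based on dictionary word(s): " + ", ".join(hits))
    return failures


def find_reused(passwords_by_account):
    """Group account names that share one password (the 'different passwords' rule).

    Input {account: password}; output a sorted list of sorted account-name lists, one per
    password used by two or more accounts. A password manager would compare hashes,
    not plaintext; plaintext is used here only so the example stays self-contained.
    """
    groups = {}
    for account, password in passwords_by_account.items():
        groups.setdefault(password, []).append(account)
    return sorted(sorted(accounts) for accounts in groups.values() if len(accounts) > 1)


if __name__ == "__main__":
    for candidate in ("P@$$w0rd2024!", "Tq7!mZp2#vR9xL4w"):
        print(candidate, "->", check_password(candidate) or "OK")
    print(find_reused({"mail": "Tq7!mZp2#vR9xL4w", "bank": "Zz9$kQ1&nB3@pL8m",
                       "forum": "Tq7!mZp2#vR9xL4w"}))
```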
