Protection of Information ASSETS

Chapter # : 05 - CISA (18 slides)

Description

Chapter No. 5: Protection of Information ASSETS. To evaluate Logical, Environmental and IT Infrastructure Securities to safeguard information assets against unauthorized Use, Disclosure, Modification, Damage or Loss. Opens with Logical Access Exposures (Trojan Horses, ...).

Transcript of Protection of Information ASSETS

Page 1: Protection of Information ASSETS

Chapter # : 05 - CISA

Protection of Information ASSETS

Chapter No. 5

To evaluate Logical, Environmental and IT Infrastructure Securities to safeguard information assets against unauthorized Use, Disclosure, Modification, Damage or Loss

Page 2: Protection of Information ASSETS

LOGICAL ACCESS EXPOSURES:

• Logical Access Exposures
  • Trojan Horses
  • Rounding Down
  • Salami Techniques
  • Virus
  • Worms
  • Logic Bombs
  • Trap Doors
  • Asynchronous Attacks
  • Data Leakage
  • Wire-Tapping
  • Piggybacking
  • Computer Shutdown
  • Denial of Service

Page 3: Protection of Information ASSETS

LOGICAL ACCESS EXPOSURES:

• Logical Access Control Software: to prevent unauthorized access to, and modification of, sensitive data and critical functions. It should be applied to networks, operating systems, databases and application systems.
• General OS Access Control Functions:
  • Apply user ID and authentication
  • Logon on a specific terminal
  • Multi-level access
  • Individual accountability and auditability
  • Create or change user profiles
  • Log events
  • Log user activities
  • Report capabilities

Page 4: Protection of Information ASSETS

LOGICAL ACCESS EXPOSURES:

• Identification and Authentication: based on something You Know, something You Have and something You Are
  – Logon-IDs and Passwords: something you know
  – Token Devices, One-Time Access Control: something you have
  – Biometrics Security Access Control (through Fingerprints, Eye Retina): something you are

Page 5: Protection of Information ASSETS

LOGICAL ACCESS EXPOSURES: I&A

• Features of Passwords:
  • It should be easy for the user to remember but difficult for a perpetrator to guess
  • The initial password should be changed on first-time log-on
  • On entering a wrong password, the ID should be held
  • Re-activation of the ID should be on written request/approval by the security administrator
  • Passwords should be encrypted and shadowed
  • Changed periodically
  • Must be unique to each user ID
  • Unused IDs should be deactivated and logged off
  • Ideally the length of a password is 5 to 8 characters
  • Usage of alphabets, numerics, lower case and special characters

Page 6: Protection of Information ASSETS

LOGICAL ACCESS EXPOSURES: I&A

• Token Devices, One-Time Passwords
• Biometrics:
  • Palm: ridges, valleys etc.
  • Hand Geometry: 3-dimensional perspective of the hand
  • Iris: the colored portion of the eye surrounding the pupil
  • Retina
  • Fingerprints
  • Face
  • Signatures
  • Voice Recognition

Page 7: Protection of Information ASSETS

LOGICAL ACCESS EXPOSURES: I&A

• Single Sign-on (SSO)
• Advantages:
  • No need to remember multiple passwords
  • Improves the administrator's ability to manage user profiles
  • Reduces administrative overheads
  • Reduces the time taken by the user
• Disadvantages:
  • Support for all major OSs is difficult
  • Significant cost associated with SSO development
  • Single point of failure and total compromise of an organization's IS assets

Page 8: Protection of Information ASSETS

NETWORK INFRASTRUCTURE SECURITY:

• Controls
  • Technically qualified operators
  • Job rotation (wherever possible)
  • Restricted operator access to operator activity logs etc.
  • Audit trail of all operator activities and its periodic review by operations management
  • Availability of documented network operations standards and protocols to operators, and periodic review to ensure compliance
  • Analysis for workload balance, fast response time and system efficiency
  • Encryption should be used wherever required

Page 9: Protection of Information ASSETS

NETWORK INFRASTRUCTURE SECURITY:

• LAN Security
  – Threats: loss of data and programs, poor version control, exposure to external activities, viruses, improper disclosure of data, violating software licenses, illegal access by impersonating or masquerading, spoofing by internal users
  – Remedies: declaring ownership of programs, files and storage; limiting access to read only; record and file locking; enforcing ID/password procedures
  – Dial-Up Control: encrypted passwords, dial-back modems for verification

Page 10: Protection of Information ASSETS

NETWORK INFRASTRUCTURE SECURITY:

• Client Server Security:
  – Disabling the floppy drives
  – Network monitoring devices to inspect activities
  – Data encryption
  – Application-level access control programs

Page 11: Protection of Information ASSETS

NETWORK INFRASTRUCTURE SECURITY:

• Internet Threats:
  – Disclosure
  – Masquerade or Spoofing (disguising the IP address etc.)
  – Unauthorized access
  – Loss of integrity
  – Denial of service (flooding the system with messages/requests to keep machines busy)
  – Theft of service and resources
• Internet Security Controls:
  – Risk assessment of web-based applications
  – Security awareness
  – Firewall standards
  – Intrusion detection standards and security
  – Remote access for coordinating and controlling centrally
  – Encryption techniques
  – Monitoring for unauthorized usage and notification of it

Page 12: Protection of Information ASSETS

NETWORK INFRASTRUCTURE SECURITY:

• Firewall Security Systems:
  • General Features
  • Firewall Types
    – Router packet filtering
    – Application firewall
    – Stateful inspection
  • Firewall Issues
    • Creates a false sense of security
    • Other entry points, such as direct connections through modems
    • Mis-configuration
    • A firewall without a screening router is useless
    • Irregular monitoring of activities
    • Irregular maintenance of firewall policies

Page 13: Protection of Information ASSETS

NETWORK INFRASTRUCTURE SECURITY:

• Intrusion Detection Systems (IDS):
  • Components of an IDS: sensor, analyzer, an administrator console, a user interface
  • Features: intrusion detection, gathering evidence, automated response, security policy, interface with system tools, security policy management
  • Limitations: weaknesses in the policy definition, application-level vulnerabilities, backdoors into applications, weaknesses in identification and authentication schemes
• Honeypots and Honeynets
  • Honeypot: a software application that pretends to be an easily hacked system
  • Honeynet: a network of honeypots forming a false network for hackers to attack and be caught

Page 14: Protection of Information ASSETS

NETWORK INFRASTRUCTURE SECURITY:

• Encryption: the process of converting plaintext into a secure coded form of text (ciphertext)
• Key Elements of Encryption Systems: encryption algorithm, encryption keys, key length
• Private Key Cryptographic System
• Public Key Cryptographic System
• Digital Signatures
• Digital Envelope: used to send encrypted information and the relevant keys along with it
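As an added illustration of the digital envelope bullet above (example code, not part of the original slides): the sender encrypts the message with a fresh symmetric session key, seals that key with the recipient's public key, and ships both together; the recipient unseals the key with the private key and then decrypts the message. The RSA primes and the SHA-256 XOR keystream are constructed toy stand-ins for real algorithms, so key sizes and cipher here are illustration only.

```python
import hashlib
import os

# Toy RSA key pair for the recipient. The primes are constructed for
# illustration only; real keys use primes of hundreds of digits.
P, Q = 61, 53
N = P * Q                              # modulus, 3233
E = 17                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, 2753
RECIPIENT_PUBLIC = (E, N)
RECIPIENT_PRIVATE = (D, N)


def seal_key(session_key: bytes, public_key) -> list:
    """Encrypt the session key byte by byte with the recipient's public key
    (textbook RSA without padding: a toy, not a production scheme)."""
    e, n = public_key
    return [pow(b, e, n) for b in session_key]


def unseal_key(sealed: list, private_key) -> bytes:
    """Recover the session key with the recipient's private key."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in sealed)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR the data with a SHA-256 keystream derived
    from the session key. Stands in for a real block cipher such as AES."""
    keystream = bytearray()
    block_index = 0
    while len(keystream) < len(data):
        keystream += hashlib.sha256(key + block_index.to_bytes(4, "big")).digest()
        block_index += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def seal_envelope(plaintext: bytes, public_key) -> dict:
    """Sender side: a fresh session key encrypts the message, the recipient's
    public key seals the session key, and both travel in one envelope."""
    session_key = os.urandom(16)
    return {
        "ciphertext": stream_xor(session_key, plaintext),
        "sealed_key": seal_key(session_key, public_key),
    }


def open_envelope(envelope: dict, private_key) -> bytes:
    """Recipient side: unseal the session key, then decrypt the message."""
    session_key = unseal_key(envelope["sealed_key"], private_key)
    return stream_xor(session_key, envelope["ciphertext"])


if __name__ == "__main__":
    msg = b"Wire transfer approved: ref 4471"   # constructed sample message
    env = seal_envelope(msg, RECIPIENT_PUBLIC)
    print("round trip ok:", open_envelope(env, RECIPIENT_PRIVATE) == msg)
```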

Page 15: Protection of Information ASSETS

AUDITING NETWORK INFRASTRUCTURE SECURITY:

• Review the network diagram
• Identify the network design
• Dissemination of policies and standards
• Experience/knowledge of security operators for the internet
• Legislative issues are considered regarding the usage of internet-based applications
• Review of the service level contract in case of outsourcing
• Hardware and software are kept upgraded to counter new vulnerabilities
  – Auditing remote access
  – Auditing the internet "point of presence"
  – Network penetration tests
  – Full network assessment reviews
  – LAN network assessment
  – Development and authorization of network changes
  – Unauthorized changes
  – Computer forensics

Page 16: Protection of Information ASSETS

ENVIRONMENTAL EXPOSURES AND CONTROLS:

• Environmental Issues and Exposures:
  – Fire, natural disasters
  – Power failure: total failure, severely reduced voltage, sags, spikes and surges, electromagnetic interference
  – Power spike
  – Air conditioning failure
  – Electric shock
  – Equipment failure
  – Water damage / flooding
  – Bomb threat/attack

Page 17: Protection of Information ASSETS

ENVIRONMENTAL EXPOSURES AND CONTROLS:

• Controls for Environmental Exposures:
  – Alarm control panel
  – Water detectors
  – Handheld fire extinguishers
  – Manual fire alarms
  – Smoke detectors
  – Fire suppression system: water-based, Halon system, FM-200, CO2 system
  – Logically locating the computer room
  – Regular inspection by the fire department
  – Fire-proof walls, floors and ceilings surrounding the computer room
  – Electrical surge protector
  – UPS / generators
  – Emergency power-off switch
  – Power leads from two substations
  – Wiring in electrical panels and conduit
  – Prohibiting eating, drinking and smoking within the information processing facility
  – Fire-resistant office material
  – Documented and tested emergency evacuation plans

Page 18: Protection of Information ASSETS

ENVIRONMENTAL EXPOSURES AND CONTROLS:

• Auditing Environmental Controls:
  – Auditing of all the above listed controls