Module II Part A

This document provides an overview of the need for security in information management, emphasizing the importance of protecting business continuity and minimizing the impact of security incidents. It outlines various threats to information security, including human error, intellectual property compromises, deliberate attacks, and natural disasters, while also discussing the significance of safeguarding data and technology assets. Additionally, it highlights the role of an Information Security Management System (ISMS) in ensuring confidentiality, integrity, and availability of information within organizations.

Uploaded by

Nikhil bhardwaj

MODULE II SECURITY INVESTIGATION

Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and Professional Issues - An Overview of Computer Security - Access Control Matrix, Policy - Security policies, Confidentiality policies, Integrity policies and Hybrid policies

NEED FOR SECURITY


The purpose of information security management is to ensure business continuity and reduce business damage by preventing and minimizing the impact of security incidents.
The Audit Commission Update report (1998) shows that fraud or cases of IT abuse often occur due to the absence of basic controls, with one half of all detected frauds found by accident.
An Information Security Management System (ISMS) enables information to be shared, whilst ensuring the protection of information and computing assets.

At the most practical level, securing the information on your computer means:
- Ensuring that your information remains confidential and only those who should access that information, can.
- Knowing that no one has been able to change your information, so you can depend on its accuracy (information integrity).
- Making sure that your information is available when you need it (by making back-up copies and, if appropriate, storing the back-up copies off-site).

BUSINESS NEEDS FIRST


Information security performs four important functions for an organization:
- Protects the organization’s ability to function.
- Enables the safe operation of applications implemented on the organization’s IT systems.
- Protects the data the organization collects and uses.
- Safeguards the technology assets in use at the organization.

Protecting the functionality of an organization
Decision makers in organizations must set policy and operate their organizations in compliance with the complex, shifting legislation that controls the use of technology.

Enabling the safe operation of applications
Organizations are under immense pressure to acquire and operate integrated, efficient, and capable applications.
The modern organization needs to create an environment that safeguards applications using the organization’s IT systems, particularly those applications that serve as important elements of the organization’s infrastructure.

Protecting data that organizations collect and use
- Protecting data in motion
- Protecting data at rest
- Both are critical aspects of information security.
- The value of data motivates attackers to steal, sabotage, or corrupt it.
- Protection is essential for the integrity and value of the organization’s data.

Safeguarding technology assets in organizations
- Must add secure infrastructure services based on the size and scope of the enterprise.
- Organizational growth could lead to the need for a public key infrastructure (PKI), an integrated system of software and encryption methodologies.

THREATS
To protect an organization’s information, you must:
- Know yourself, i.e. be familiar with the information to be protected, and the systems that store, transport and process it.
- Know the threats you face. To make sound decisions about information security, management must be informed about the various threats facing the organization, its applications, data and information systems.
A threat is an object, person, or other entity that represents a constant danger to an asset.
Threats to Information Security

Categories of Threat
- Acts of human error or failure
- Compromises to intellectual property
- Deliberate acts of espionage or trespass
- Deliberate acts of information extortion (obtaining by force or threat)
- Deliberate acts of sabotage or vandalism
- Deliberate acts of theft
- Deliberate software attacks
- Forces of nature
- Deviations in quality of service
- Technical hardware failures or errors
- Technical software failures or errors
- Technological obsolescence
Categories of Threats

Acts of Human Error or Failure
Acts performed without intent or malicious purpose by an authorized user.
E.g. accidents, employee mistakes because of:
- inexperience,
- improper training,
- making incorrect assumptions.
One of the greatest threats to an organization’s information security is the organization’s own employees, through:
- entry of erroneous data,
- accidental deletion or modification of data,
- storage of data in unprotected areas.
Failure to protect information can be prevented with:
- training,
- ongoing awareness activities,
- verification by a second party.
Many military applications have robust, dual-approval controls built in.
Compromises to Intellectual Property
Intellectual property is defined as the ownership of ideas and control over the tangible or virtual representation of those ideas.
E.g. piracy, copyright infringement.
- Intellectual property includes trade secrets, copyrights, trademarks, and patents.
- Once intellectual property has been defined and properly identified, breaches of IP constitute a threat to the security of this information.
- An organization may purchase or lease the IP of other organizations.
- The most common IP breach is the unlawful use or duplication of software-based intellectual property, more commonly known as software piracy.
- Software piracy affects the world economy. The U.S. provides approximately 80% of the world’s software.
In addition to the laws surrounding software piracy, two watchdog organizations investigate allegations of software abuse:
- Software and Information Industry Association (SIIA), i.e. the former Software Publishers Association
- Business Software Alliance (BSA)
Another effort to combat piracy is the online registration process.
Deliberate Acts of Espionage or Trespass
Electronic and human activities that can breach the confidentiality of information.
E.g. unauthorized access and data collection.

Espionage
When an unauthorized individual gains access to the information an organization is trying to protect, it is categorized as an act of espionage or trespass.
Attackers can use many different methods to access the information stored in an information system:
- Competitive intelligence
- Industrial espionage (spying)
- Shoulder surfing (e.g. at an ATM)

Trespass
Can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
Sound principles of authentication and authorization can help organizations protect valuable information and systems.

Hackers
“People who use and create computer software to gain access to information illegally.”
There are generally two skill levels among hackers:
- Expert hackers: masters of several programming languages, networking protocols, and operating systems.
- Unskilled hackers

Deliberate Acts of Information Extortion (obtaining by force or threat)
The possibility of an attacker or trusted insider stealing information from a computer system and demanding compensation for its return or for an agreement not to disclose the information (blackmail/information disclosure).

Deliberate Acts of Sabotage or Vandalism
Wilful destruction of an asset or information with intent to:
- destroy an asset,
- damage the image of the organization.
Cyber terrorism: cyber terrorists hack systems to conduct terrorist activities through network or Internet pathways.

Deliberate Acts of Theft
Illegal taking of another’s property.
E.g. illegal confiscation of systems or information.
Within an organization, property can be:
- physical,
- electronic, or
- intellectual.
Physical theft can be controlled by:
- installation of alarm systems,
- trained security professionals.
Electronic theft control is under research.
Deliberate Software Attacks
Malicious code, malicious software or malware: software designed to damage, destroy or deny service to the target system.
E.g. viruses, worms, macros, denial of service.
More common instances are:
- Viruses
- Worms
- Trojan horses
- Logic bombs
- Backdoors

Virus
Segments of code that perform malicious actions.
Macro virus: embedded in automatically executing macro code common in word processors, spreadsheets and database applications.
Boot virus: infects the key operating files located in the computer’s boot sector.

Worms
A worm is a malicious program that replicates itself constantly, without requiring another program to provide a safe environment for replication.
Worms can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth.
E.g. MS-Blaster, MyDoom and Netsky are multifaceted attack worms.
Once the worm has infected a computer, it can redistribute itself to all e-mail addresses found on the infected system.
Furthermore, a worm can deposit copies of itself onto all Web servers that the infected systems can reach, so that users who subsequently visit those sites become infected.

Trojan Horses
Software programs that hide their true nature and reveal their designed behaviour only when activated.

Back Door or Trap Door
A virus or worm has a payload that installs a backdoor or trapdoor component in a system, which allows the attacker to access the system at will with special privileges.
E.g. Back Orifice.

Polymorphism
A polymorphic threat is one that changes its apparent shape over time, making it undetectable by techniques that look for preconfigured signatures.
These viruses and worms actually evolve, changing their size and appearance to elude detection by antivirus software programs.

Virus and Worm Hoaxes

Types of Trojans
- Data-sending Trojans
- Proxy Trojans
- FTP Trojans
- Security software disabler Trojans
- Denial of service attack Trojans (DoS)

Virus: a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.
Worm: a program or algorithm that replicates itself over a computer network and usually performs malicious actions.
Trojan horse: a destructive program that masquerades as a benign application; unlike viruses, Trojan horses do not replicate themselves.
Blended threat: blended threats combine the characteristics of viruses, worms, Trojan horses and malicious code with server and Internet vulnerabilities.
Antivirus program: a utility that searches a hard disk for viruses and removes any that are found.
Forces of Nature
Fire: structural fire that damages the building. Also encompasses smoke damage from a fire or water damage from sprinkler systems.
Flood: can sometimes be mitigated with flood insurance and/or business interruption insurance.
Earthquake: can sometimes be mitigated with specific casualty insurance and/or business interruption insurance, but is usually a separate policy.
Lightning: an abrupt, discontinuous natural electric discharge in the atmosphere.
Landslide/mudslide: the downward sliding of a mass of earth and rocks, directly damaging all parts of the information systems.
Tornado/severe windstorm
Hurricane/typhoon
Tsunami
Electrostatic discharge (ESD)
Dust contamination
Since it is not possible to avoid force-of-nature threats, organizations must implement controls to limit damage.
They must also prepare contingency plans for continued operations, such as disaster recovery plans, business continuity plans, and incident response plans, to limit losses in the face of these threats.
Deviations in Quality of Service
A product or service is not delivered to the organization as expected.
The organization’s information system depends on the successful operation of many interdependent support systems.
These include power grids, telecom networks, parts suppliers, service vendors, and even the janitorial staff and garbage haulers.
This degradation of service is a form of availability disruption.

Internet Service Issues
- Internet service provider (ISP) failures can considerably undermine the availability of information.
- Web hosting services are usually arranged with an agreement providing minimum service levels, known as a Service Level Agreement (SLA).
- When a service provider fails to meet the SLA, the provider may accrue fines to cover losses incurred by the client, but these payments seldom cover the losses generated by the outage.

Communications and Other Service Provider Issues
- Other utility services that can affect the organization are telephone, water, waste water, trash pickup, cable television, natural or propane gas, and custodial services.
- The loss of these services can impair the ability of an organization to function.
- For example, if the waste water system fails, an organization might be prevented from allowing employees into the building.
- This would stop normal business operations.

Power Irregularities
- Fluctuations due to power excesses
- Power shortages
- Power losses
These can pose problems for organizations that provide inadequately conditioned power for their information systems equipment.
When voltage levels spike (experience a momentary increase) or surge (experience a prolonged increase), the extra voltage can severely damage or destroy equipment.
The more expensive uninterruptible power supply (UPS) can protect against spikes and surges.
Technical Hardware Failures or Errors
Resulting in unreliable service or lack of availability.
Some errors are terminal, in that they result in unrecoverable loss of equipment.
Some errors are intermittent, in that they result in faults that are not easily repeated.

Technical Software Failures or Errors
This category involves threats that come from purchasing software with unknown, hidden faults.
Large quantities of computer code are written, debugged, published, and sold before all their bugs are detected and resolved.
These failures range from bugs to untested failure conditions.

Technological Obsolescence
Outdated infrastructure can lead to unreliable and untrustworthy systems.
Management must recognize that when technology becomes outdated, there is a risk of loss of data integrity from attacks.
ATTACKS

Attack
An attack is an act or action that takes advantage of a vulnerability to compromise a controlled system.
It is accomplished by a threat agent that damages or steals an organization’s information or physical asset.

Vulnerability
An identified weakness in a controlled system, where controls are not present or are no longer effective.
Attacks exist when a specific act or action comes into play and may cause a potential loss.

Malicious Code
The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information.
The state-of-the-art malicious code attack is the polymorphic or multi-vector worm.
These attack programs use up to six known attack vectors to exploit a variety of vulnerabilities in commonly found information system devices.

Attack Replication Vectors
- IP scan and attack
- Web browsing
- Virus
- Unprotected shares
- Mass mail
- Simple Network Management Protocol (SNMP)

IP scan and attack: the infected system scans a random or local range of IP addresses and targets any of several vulnerabilities known to hackers.
Web browsing: if the infected system has write access to any Web pages, it makes all Web content files (.html, .asp, .cgi and others) infectious, so that users who browse to those pages become infected.
Virus: each infected machine infects certain common executable or script files on all computers to which it can write with virus code that can cause infection.
Unprotected shares: using vulnerabilities in file systems and the way many organizations configure them, the infected machine copies the viral component to all locations it can reach.
Mass mail: by sending e-mail infections to addresses found in the address book, the infected machine infects many users, whose mail-reading programs also automatically run the program and infect other systems.
Simple Network Management Protocol (SNMP): by using the widely known and common passwords that were employed in early versions of this protocol, the attacking program can gain control of the device. Most vendors have closed these vulnerabilities with software upgrades.
Hoaxes
A more devious approach to attacking computer systems is the transmission of a virus hoax with a real virus attached.
Even though these users are trying to avoid infection, they end up sending the attack on to their co-workers.

Backdoors
Using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource through a back door.
Sometimes these entries are left behind by system designers or maintenance staff, and are thus referred to as trap doors.
A trap door is hard to detect, because very often the programmer who puts it in place also makes the access exempt from the usual audit logging features of the system.
Password Crack
Attempting to reverse-calculate a password is often called cracking.
A candidate password can be hashed using the same algorithm and compared to the stored hash; if they are the same, the password has been cracked.
The Security Account Manager (SAM) file contains the hashed representation of the user’s password.

Brute Force
The application of computing and network resources to try every possible combination of options of a password is called a brute force attack.
This is often an attempt to repeatedly guess passwords to commonly used accounts; it is sometimes called a password attack.

Spoofing
A technique used to gain unauthorized access to computers, wherein the intruder sends messages to a computer with an IP address that indicates that the messages are coming from a trusted host.

Dictionary
This is another form of the brute force attack noted above for guessing passwords.
The dictionary attack narrows the field by selecting specific accounts to attack and uses a list of commonly used passwords instead of random combinations.
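As an added defensive illustration (not part of the original notes) of the password cracking, brute force and dictionary attacks above: a per-user random salt and a slow hash mean that "hash the guess and compare" has to be repeated for every account and every guess, a denylist rejects the commonly used passwords a dictionary attack tries first, and an account lockout caps online guessing. The account store, thresholds and common-password list are constructed for the example.

```python
# Added example, not from the original notes: defensive counterpart to the
# password cracking, brute force and dictionary attacks described above.
# Stored hashes use a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256),
# so an attacker holding the hash file cannot hash one guess and compare it
# against every account, and each guess costs many iterations. The login
# function locks an account after repeated failures, which blunts online
# brute-force and dictionary guessing. Thresholds and the common-password
# list below are constructed for this example.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000          # cost of each guess an attacker must hash
MAX_FAILED_ATTEMPTS = 5              # lockout threshold for online guessing

# Constructed sample of a "commonly used passwords" list: a dictionary attack
# tries exactly these first, so the enrolment policy refuses them outright.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def hash_password(password: str) -> dict:
    """Return a record {salt, hash, iterations} for storage; salt is random per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def is_acceptable_password(password: str) -> bool:
    """Enrolment policy: reject very short passwords and dictionary entries."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


class AccountStore:
    """Minimal in-memory account store with per-account lockout."""

    def __init__(self):
        self.accounts = {}   # username -> {"record", "failures", "locked"}

    def enrol(self, username: str, password: str) -> bool:
        if not is_acceptable_password(password):
            return False
        self.accounts[username] = {"record": hash_password(password),
                                   "failures": 0, "locked": False}
        return True

    def login(self, username: str, candidate: str) -> str:
        """Return 'ok', 'denied' or 'locked'; lock after MAX_FAILED_ATTEMPTS failures."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"            # same answer as a bad password: no username oracle
        if acct["locked"]:
            return "locked"
        if verify_password(acct["record"], candidate):
            acct["failures"] = 0       # a success resets the counter
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True
            return "locked"
        return "denied"


def salts_differ(password: str) -> bool:
    """Two users with the same password get different stored hashes (per-user salt)."""
    a, b = hash_password(password), hash_password(password)
    return a["hash"] != b["hash"] and verify_password(a, password) and verify_password(b, password)
```

Because of the salt, a precomputed table of hashes for common passwords matches nothing in this store, and the lockout means the fifth wrong guess closes the account even if the next guess would have been right.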
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
The attacker sends a large number of connection or information requests to a target.
This may result in the system crashing, or simply becoming unable to perform ordinary functions.
DDoS is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
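An added example, not from the original notes, of detecting the DoS and DDoS patterns described above over constructed connection-log lines: a sliding window counts requests per source and per target, and the two cases are told apart by whether a single source exceeds its own limit. The log format, thresholds and window length are assumptions.

```python
# Added example, not from the original notes: sliding-window flood detection for
# the DoS and DDoS attacks described above, run over constructed log lines.
# One source exceeding PER_SOURCE_LIMIT against a target is a single-source DoS;
# a target whose aggregate rate exceeds PER_TARGET_LIMIT while every individual
# source stays under its own limit is a distributed flood (DDoS).
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window length (assumed)
PER_SOURCE_LIMIT = 50            # requests one source may send a target per window
PER_TARGET_LIMIT = 200           # aggregate requests a target may receive per window


def parse_line(line: str):
    """Constructed format: '<ISO timestamp> <source ip> -> <target ip> <request>'."""
    ts, src, _, dst, *_ = line.split()
    return datetime.fromisoformat(ts), src, dst


def _in_window(q: deque, now: datetime) -> int:
    """Drop timestamps older than WINDOW from the left of q; return what remains."""
    while q and now - q[0] > WINDOW:
        q.popleft()
    return len(q)


def detect_floods(lines) -> list:
    """Return sorted alerts: ('dos', target, source) or ('ddos', target, n_sources)."""
    per_source = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    per_target = defaultdict(deque)   # dst -> timestamps inside the window
    alerts = {}                       # (kind, target) -> detail
    for ts, src, dst in sorted(map(parse_line, lines)):   # batch mode: order by time
        per_source[(src, dst)].append(ts)
        per_target[dst].append(ts)
        src_count = _in_window(per_source[(src, dst)], ts)
        total = _in_window(per_target[dst], ts)
        if src_count > PER_SOURCE_LIMIT:
            alerts[("dos", dst)] = src           # one source alone is flooding
        elif total > PER_TARGET_LIMIT:
            active = [s for (s, d) in per_source
                      if d == dst and _in_window(per_source[(s, d)], ts)]
            if all(len(per_source[(s, dst)]) <= PER_SOURCE_LIMIT for s in active):
                # aggregate over limit, no single source over limit: distributed flood
                alerts[("ddos", dst)] = max(alerts.get(("ddos", dst), 0), len(active))
    return sorted((kind, dst, detail) for (kind, dst), detail in alerts.items())


def constructed_log() -> list:
    """Constructed sample: benign traffic, one single-source flood, one distributed flood."""
    base = datetime(2024, 1, 1, 0, 0, 0)

    def stamp(seconds: int) -> str:
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = [f"{stamp(i * 6 + k)} 192.0.2.{i + 1} -> 10.0.0.5 GET /"
             for i in range(10) for k in range(5)]                 # 10 clients, 5 requests each
    lines += [f"{stamp(k // 2)} 198.51.100.7 -> 10.0.0.8 GET /"
              for k in range(60)]                                  # 60 requests in 30 s: DoS
    lines += [f"{stamp(k * 5)} 203.0.113.{i + 1} -> 10.0.0.9 GET /"
              for i in range(30) for k in range(10)]               # 30 sources x 10 each: DDoS
    return lines
```

The first 50 constructed lines alone (ten clients, five requests each) produce no alert, which is the benign baseline the thresholds are tuned against.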
Man-in-the-Middle
Otherwise called a TCP hijacking attack.
An attacker monitors packets from the network, modifies them, and inserts them back into the network.
This type of attack uses IP spoofing.
It allows the attacker to change, delete, reroute, add, forge or divert data.
In a TCP hijacking session, the spoofing involves the interception of an encryption key exchange.
Spam
Spam is unsolicited commercial e-mail.
It has been used to make malicious code attacks more effective.
Spam is considered a trivial nuisance rather than an attack.
Its cost is the waste of both computer and human resources caused by the flow of unwanted e-mail.

Mail Bombing
Another form of e-mail attack that is also a DoS is called a mail bomb.
The attacker routes large quantities of e-mail to the target.
The target of the attack receives unmanageably large volumes of unsolicited e-mail.
By sending large e-mails, attackers can take advantage of poorly configured e-mail systems on the Internet and trick them into sending many e-mails to an address chosen by the attacker.
The target e-mail address is buried under thousands or even millions of unwanted e-mails.

Sniffers
A sniffer is a program or device that can monitor data traveling over a network.
Unauthorized sniffers can be extremely dangerous to a network’s security, because they are virtually impossible to detect and can be inserted almost anywhere.
Sniffers often work on TCP/IP networks, where they are sometimes called “packet sniffers”.

Social Engineering
The process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.
An attacker gets more information by calling others in the company and asserting his/her authority by mentioning the chief’s name.

Buffer Overflow
A buffer overflow is an application error that occurs when more data is sent to a buffer than it can handle.
The attacker can make the target system execute instructions.

Timing Attack
Works by exploring the contents of a web browser’s cache.
These attacks allow a Web designer to create a malicious form of cookie that is stored on the client’s system.
The cookie could allow the designer to collect information on how to access password-protected sites.

LEGAL, ETHICAL, AND PROFESSIONAL ISSUES IN INFORMATION SECURITY

Law and Ethics in Information Security
Laws are rules that mandate or prohibit certain behavior in society; they are drawn from ethics, which define socially acceptable behaviors. The key difference between laws and ethics is that laws carry the sanctions of a governing authority and ethics do not. Ethics in turn are based on cultural mores.
Types of Law
- Civil law
- Criminal law
- Tort law
- Private law
- Public law

Relevant U.S. Laws - General
- Computer Fraud and Abuse Act of 1986
- National Information Infrastructure Protection Act of 1996
- USA PATRIOT Act of 2001
- Telecommunications Deregulation and Competition Act of 1996
- Communications Decency Act (CDA)
- Computer Security Act of 1987
Privacy
The issue of privacy has become one of the hottest topics in information
The ability to collect information on an individual, combine facts from separate sources, and merge it with other information has resulted in databases of information that were previously impossible to set up.
The aggregation of data from multiple sources permits unethical organizations to build databases of facts with frightening capabilities.

Privacy of Customer Information
- Privacy of Customer Information Section of Common Carrier Regulations
- Federal Privacy Act of 1974
- The Electronic Communications Privacy Act of 1986
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act
- The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999
Key U.S. Laws of Interest to Information Security Professionals

Export and Espionage Laws
- Economic Espionage Act (EEA) of 1996
- Security and Freedom Through Encryption Act of 1997 (SAFE)

US Copyright Law
Intellectual property is recognized as a protected asset in the US.
US copyright law extends this right to the published word, including electronic formats.
Fair use of copyrighted materials includes:
- the use to support news reporting, teaching, scholarship, and a number of other related permissions;
- the purpose of the use has to be for educational or library purposes, not for profit, and should not be excessive.

Freedom of Information Act of 1966 (FOIA)
The Freedom of Information Act provides any person with the right to request access to federal agency records or information not determined to be of national security.
US Government agencies are required to disclose any requested information on receipt of a written request.
There are exceptions for information that is protected from disclosure, and the Act does not apply to state or local government agencies or to private businesses or individuals, although many states have their own version of the FOIA.
State and Local Regulations
In addition to the national and international restrictions placed on an organization in the use of computer technology, each state or locality may have a number of laws and regulations that impact operations.
It is the responsibility of the information security professional to understand state laws and regulations and ensure the organization’s security policies and procedures comply with those laws and regulations.

International Laws and Legal Bodies
Recently the Council of Europe drafted the European Council Cyber-Crime Convention, designed:
- to create an international task force to oversee a range of security functions associated with Internet activities,
- to standardize technology laws across international borders.
It also attempts to improve the effectiveness of international investigations into breaches of technology law.
This convention is well received by advocates of intellectual property rights with its emphasis on copyright infringement prosecution.

Digital Millennium Copyright Act (DMCA)
The Digital Millennium Copyright Act (DMCA) is the US version of an international effort to reduce the impact of copyright, trademark, and privacy infringement.
The European Union Directive 95/46/EC increases protection of individuals with regard to the processing of personal data and limits the free movement of such data.
The United Kingdom has already implemented a version of this directive called the Database Right.

United Nations Charter
To some degree the United Nations Charter provides provisions for information security during information warfare.
Information Warfare (IW) involves the use of information technology to conduct offensive operations as part of an organized and lawful military operation by a sovereign state.
IW is a relatively new application of warfare, although the military has been conducting electronic warfare and counter-warfare operations for decades: jamming, intercepting, and spoofing enemy communications.
Policy Versus Law
Most organizations develop and formalize a body of expectations called policy.
Policies function in an organization like laws.
For a policy to become enforceable, it must be:
- distributed to all individuals who are expected to comply with it;
- readily available for employee reference;
- easily understood, with multi-language translations and translations for visually impaired or literacy-impaired employees;
- acknowledged by the employee, usually by means of a signed consent form.
Only when all conditions are met does the organization have a reasonable expectation of effective policy.
Ethical Concepts in Information Security

Cultural Differences in Ethical Concepts
Differences in cultures cause problems in determining what is ethical and what is not ethical.
Studies of ethical sensitivity to computer use reveal that different nationalities have different perspectives.
Difficulties arise when one nationality’s ethical behaviour contradicts that of another national group.

Ethics and Education
Employees must be trained and kept aware of a number of topics related to information security, not the least of which is the expected behaviour of an ethical employee.
This is especially important in areas of information security, as many employees may not have the formal technical training to understand that their behaviour is unethical or even illegal.
Proper ethical and legal training is vital to creating an informed, well-prepared, and low-risk system user.

Deterrence to Unethical and Illegal Behaviour
Deterrence: preventing an illegal or unethical activity.
Laws, policies, and technical controls are all examples of deterrents.
Laws and policies only deter if three conditions are present:
- fear of penalty,
- probability of being caught,
- probability of penalty being administered.
