INF 440: ICT SECURITY

Aim: This course is designed to equip the learner with knowledge and skills in information security management issues.

Expected Learning Outcomes
By the end of the course, the learner should be able to:
- Identify and manage ICT security risks
- Identify and implement secure network design
- Plan and implement disaster recovery measures
- Plan and implement ICT security policies

Pre-requisite: INF 331: Business Applications Programming, INF 360: Computer Networks

Course Content
Key concepts in Information Security. Information Security in Networked Enterprises. Threats and vulnerabilities analysis. Effective System Administration. Policies. Risk management. ICT Security planning. Operational issues in ICT security (incident handling, training, backups etc). Physical security. Personnel issues. Types and uses of security devices. Network Security (identification and authentication, logical access control, routers, proxies and firewalls, audit trails and cryptography). Detection of security breaches. Business Continuity and Disaster Recovery Planning. Security for Electronic Commerce, Financial Networks, Intranets and Extranets. Security Across Different Operating Systems and Platforms.

Assessment
Continuous Assessment Tests (CATs): 40%
End of Semester Written Examinations: 60%

Learning Materials
Information Systems Security Handbook - Isaca

LECTURE 1
PART I: Key concepts in Information Security

Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is also defined as preservation of confidentiality, integrity and availability of information. Other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved.

Two major aspects of information security are:
IT security (also computer security): It is responsible for keeping all of the technology within the company secure from malicious cyber attacks that often attempt to breach into critical private information or gain control of the internal systems.
Information assurance: The act of ensuring that data is not lost when critical issues arise. These issues include natural disasters, computer/server malfunction, physical theft, or any other instance where data has the potential of being lost.

Basic principles

Confidentiality
Is a set of rules or a promise that limits access or places restrictions on certain types of information. Confidentiality refers to limiting information access and disclosure to authorized users - "the right people" - and preventing access by or disclosure to unauthorized ones - "the wrong people." Authentication methods like user-IDs and passwords, that uniquely identify data systems' users and control access to data systems' resources, underpin the goal of confidentiality.

Integrity
Data integrity means maintaining and assuring the accuracy and consistency of data over its entire life-cycle. Data cannot be modified in an unauthorized or undetected manner. Integrity is violated when a message is actively modified in transit.

Availability
This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability involves preventing denial-of-service attacks, such as a flood of incoming messages to the target system essentially forcing it to shut down.

Non-repudiation
It implies that one party of a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction.

Prevention vs. detection
Security efforts to assure confidentiality, integrity and availability can be divided into those oriented to prevention and those focused on detection, whose aim is to rapidly discover and correct lapses that could not be - or at least were not - prevented. It is critical to remember that "appropriate" or "adequate" levels of confidentiality, integrity and availability depend on the context, just as does the appropriate balance between prevention and detection. The nature of the efforts that the information systems support, the natural, technical and human risks to those endeavors, and the governing legal, professional and customary standards - all of these will condition how CIA standards are set in a particular situation.

Common Terms
Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset).
Vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.
A threat is anything (manmade or act of nature) that has the potential to cause harm.
The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. Impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called "residual risk". A risk assessment is carried out by a team of people who have knowledge of specific areas of the business.

The risks in information systems
- Physical loss of data. You may lose immediate access to your data for reasons ranging from floods to loss of electric power. You may also lose access to your data for more subtle reasons: the second disk failure, for example, while your RAID array recovers from the first.
- Unauthorized access to your own data and client or customer data. Remember, if you have confidential information from clients or customers, you're often contractually obliged to protect that data as if it were your own.
- Interception of data in transit. Risks include data transmitted between company sites, or between the company and employees, partners, and contractors at home or other locations.
- Your data in someone else's hands. Do you share your data with third parties, including contractors, partners, or your sales channel? What protects your data while it is in their hands?
- Data corruption. Intentional corruption might modify data so that it favors an external party: think Trojan horses or keystroke loggers on PCs. Unintentional corruption might be due to a software error that overwrites valid data.
- Email Interception
- Email Spoofing
- Web Data Interception
- Network & Volume Invasion
- Marketing Data / Spam & Junk Mail
- Viruses, Worms, Trojan Horses
- Password Cracking
- Mail bomb
- Denial of Service (DoS)
- Piracy of Intellectual Property

Information Security Principles of Success
1. There Is No Such Thing as Absolute Security - Given enough time, tools, skills, and inclination, a hacker can break through any security measure.
2. CIA triad - Protect the confidentiality of data.
3. Defense in depth - Security implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response. The weaknesses of one security layer are offset by the strengths of two or more layers.
4. When Left on Their Own, People Tend to Make the Worst Security Decisions - It takes little to convince someone to give up their credentials in exchange for trivial or worthless goods. Many people are easily convinced to double-click on the attachment.
5. Functional and Assurance Requirements - Functional requirements describe what a system should do. Assurance requirements describe how functional requirements should be implemented and tested. Does the system do the right things in the right way? Verification: the process of confirming that one or more predetermined requirements or specifications are met. Validation: a determination of the correctness or quality of the mechanisms used in meeting the needs.
6. Security Through Obscurity Is Not an Answer - Many people believe that if hackers don't know how software is secured, security is better. Although this seems logical, it's actually untrue. Obscuring security leads to a false sense of security, which is often more dangerous than not addressing security at all.
7. Security = Risk Management - Security is not concerned with eliminating all threats within a system or facility but with eliminating known threats and minimizing losses if an attacker succeeds in exploiting a vulnerability. Risk analysis and risk management are central themes to securing information systems. Risk assessment and risk analysis are concerned with placing an economic value on assets to best determine appropriate countermeasures that protect them from losses.
8. Security Controls: Preventative, Detective, and Responsive - A security mechanism serves a purpose by preventing a compromise, detecting that a compromise or compromise attempt is underway, or responding to a compromise while it is happening or after it has been discovered.
9. Complexity Is the Enemy of Security - The more complex a system gets, the harder it is to secure.
10. Fear, Uncertainty, and Doubt (FUD) Do Not Work in Selling Security - Information security managers must justify all investments in security using techniques of the trade.
11. When spending resources can be justified with good, solid business rationale, security requests are rarely denied.
12. People, process, and technology controls are essential elements of security practices including operations security, applications development security, physical security, and cryptography.
13. Open Disclosure of Vulnerabilities Is Good for Security - Keeping a given vulnerability secret from users and from the software developer can only lead to a false sense of security. The need to know trumps the need to keep secrets in order to give users the right to protect themselves.
14. Computer security specialists must not only know the technical side of their jobs but also must understand the principles behind information security. These principles are mixed and matched to describe why certain security functions and operations exist in the real world of IT.

Exercise
What are the elements of a good security program?
Why is it difficult to secure information systems?

PART II: Information Security in Networked Enterprises

Your typical security engineer may say it must have firewalls, intrusion detection or any number of security focused technologies. Meanwhile a security tester may suggest that it is conducting penetration testing to provide assurances that security widgets are working well. Information security is about adopting the right measures and controls for a given entity at a given point in time. Threats change and vulnerabilities are introduced or removed, demanding that security evolves simply to keep pace.

1: Appointing a security officer
Every organization should assign a security officer, even if the role is given to an individual who wears multiple hats. Larger organizations may establish a dedicated position - the chief security officer, who presides over a team of specialists addressing the different areas of information security. The security officer is the central point for managing proactive and reactive information security tasks.
The day to day activities for the individual resources that work in the domain will depend on the size and focus of an organization, but ultimately the security officer role should be accountable for the following:
- Strategy - identifying the security posture an organisation wishes to maintain and how this will be achieved.
- Operations - monitoring of security alerts and management of security assets, for example intrusion detection, jump hosts, firewalls and scanning tools.
- Architecture - ensuring security is designed into the business's technology and processes.
- Consultation - providing consultation to projects or business units by way of requirements, reviews, recommendations and risk assessment.
- Analysis - researching products or specific technical issues to assist in provisioning of technology or remediation of vulnerabilities.
- Testing - providing security testing such as penetration testing for projects and rolling assurance exercises.
- Emergency Response - responding to emergency security incidents such as the compromise of information assets or the loss of service through a denial of service attack.
- Programme manager - acting as the business sponsor for a rolling security programme of work.

2: Security reporting
Reporting provides a "heartbeat" for information security across an organisation. It ensures the right people remain up to date on the latest incidents, threats and initiatives that will influence the security posture. Regular reporting ensures those that are accountable for securing information assets are aware of the risks they may have inherited and the rigour in the controls that protect them. Security reports must be written for their audience, and this is an area where security professionals often fall down. The content must be accurate but presented at a level that can be consumed by the target audience. Reports destined for technologists with an appreciation of the hands-on should be literal and explain any vulnerabilities and controls in technical terms. Those intended for managers with a technical background should be explained conceptually and include references to technical detail that supports any conclusions. Those intended for parties outside the technology group, such as the CEO or chief risk officer, should wholly focus on the business impact, where the conclusions are justified by a well-designed and established.

3: Develop governance
For an organisation to maintain a consistent security posture, people within that organisation must have clear instructions that tell them how to behave. Governance ensures that people are aware how they should conduct themselves and, if well constructed, encourages them to behave in a way that maintains or may even improve security. There are useful standards such as those produced by the International Standards Organisation, the National Institute for Standards and Technology and the Government Communications.

4: Develop a security incident management plan
Every organisation will experience a security incident. The impact of that incident and the likelihood of it repeating is directly impacted by how an organisation manages it. Was the incident clearly identified, validated and contained? Was the vulnerability that led to it identified, and is there a plan to remediate or apply additional countermeasures? Was the incident reported to an appropriate authority inside the organisation, and do any external parties need to be notified? These are but a few questions that are answered through a well formed security incident management plan. The plan should identify a front door for people reporting potential incidents. From there it should define an auditable process that validates the incident and initiates a response team well placed to deal with it. The owner of the plan is the security officer, who remains a central part of the response team. The plan will dictate how the incident's progress is recorded and what, if any, information is disclosed to a wider audience. Typically it will empower the response team to operate outside governance, bypassing change control and other processes that are designed for business as usual rather than an unforeseen emergency.

5: Initiate a security programme of work
Security initiatives require a vehicle to carry them through design, build and implementation. Grouping them all in a single programme of work allows for budgets to be managed more easily and ensures the investment in information security is transparent. Upgrades of security devices such as firewalls and antivirus may be included in the programme, as well as any capital investment in information security, such as an identity and access management system. The security programme should be primarily focussed on enhancing information security and be funded at a level that an organisation considers appropriate. The security officer should have a list of initiatives in order of priority, and the allocated budget should fund those at the top of the list.

6: Assess the security of all initiatives
An unfortunately common observation is that organisations invest heavily in security controls in one area but, due to budgetary constraints, ignore others. For example the website may have extensive technical controls and receive frequent security testing while the "trusted" third party connections are left unchecked. Often this is due to incorrect assumptions being made by the business on what the security implications of an action are. A security assessment should be focused on empowering the business to decide whether an initiative should progress, change direction, be reviewed at a more detailed level or, in the most severe cases, be halted.
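A worked example for the risk terms in Part I (threat, vulnerability, impact, residual risk) and the cost-justified assessment in section 6, added here and not part of the course notes: it scores a small constructed risk register, applies controls in layers to obtain the residual risk, and accepts a countermeasure only when the loss it prevents exceeds its cost. The 1..5 scales, the control effectiveness fractions, the asset values and the costs are all assumptions, not figures from the notes.

```python
"""Risk register exercise: the Part I risk terms applied in a security assessment.
Added example, not from the course notes. Assumed scheme: likelihood and impact on
1..5 scales, likelihood/5 read as the chance the threat exploits the vulnerability
in the period, impact 5 as total loss of the asset's value, and each control
removing a fixed fraction of the likelihood that earlier layers left."""
from dataclasses import dataclass, field, replace

@dataclass
class Control:
    name: str
    cost: float           # cost of the countermeasure for the period
    effectiveness: float  # fraction of remaining likelihood removed, 0..1

@dataclass
class Risk:
    asset: str
    asset_value: float    # economic value placed on the asset (principle 7)
    threat: str
    vulnerability: str
    likelihood: int       # 1 rare .. 5 almost certain
    impact: int           # 1 negligible .. 5 total loss
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact   # risk before any control

    def residual_likelihood(self) -> float:
        """Likelihood left once each control layer removes its share."""
        left = float(self.likelihood)
        for c in self.controls:
            left *= 1.0 - c.effectiveness
        return left

    def residual_score(self) -> float:
        return self.residual_likelihood() * self.impact   # residual risk, never zero

    def expected_loss(self) -> float:
        """Money at risk for the period under the assumed scales."""
        return self.asset_value * (self.impact / 5) * (self.residual_likelihood() / 5)

def evaluate_control(risk: Risk, control: Control) -> tuple:
    """(loss prevented, justified): a countermeasure is justified only when the
    loss it prevents exceeds its cost, the business rationale of principle 11."""
    trial = replace(risk, controls=risk.controls + [control])
    prevented = risk.expected_loss() - trial.expected_loss()
    return prevented, prevented > control.cost

def prioritise(register: list) -> list:
    """Highest residual risk first: the order the security budget should fund."""
    return sorted(register, key=lambda r: r.residual_score(), reverse=True)

# Constructed register entries and candidate countermeasures; all figures illustrative.
DB = Risk("customer database", 500_000, "external attacker", "unpatched public web server", 4, 5)
PRINTERS = Risk("office printers", 5_000, "vandalism", "unlocked print room", 2, 2)
PATCHING = Control("monthly patch cycle", cost=20_000, effectiveness=0.5)
WAF = Control("web application firewall", cost=60_000, effectiveness=0.5)
DOOR_LOCK = Control("biometric print-room lock", cost=3_000, effectiveness=0.9)

if __name__ == "__main__":
    for risk, ctl in [(DB, PATCHING), (DB, WAF), (PRINTERS, DOOR_LOCK)]:
        prevented, ok = evaluate_control(risk, ctl)
        print(f"{risk.asset}: {ctl.name} prevents {prevented:,.0f} -> {'adopt' if ok else 'reject'}")
        if ok:
            risk.controls.append(ctl)
    for r in prioritise([PRINTERS, DB]):
        print(f"{r.asset}: inherent {r.inherent_score()}, residual {r.residual_score():.1f}")
```

The print-room lock is rejected even though it is highly effective, because the loss it prevents is smaller than its cost; the database keeps a residual score of 5 after both controls, which is the residual risk the notes say cannot be eliminated.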
7: Complete period-based assurance tasks
While assessing the security of all initiatives is a proactive way of ensuring security is built in, it is also important to be reactive. With the best intent and design, it is possible for vulnerabilities to be introduced into a technical environment through human error or as the result of an aggregation of technical anomalies. Completing periodic assurance tasks is intended to identify and manage vulnerabilities that may not have been foreseen. One of the most commonly practiced assurance measures is penetration testing. It provides a high level of assurance that the tested technology would be resistant to a targeted attack by a skilled attacker. It is, however, relatively expensive and often tightly scoped. Given the specialized nature of security testing, it could be worth considering using a third party security practitioner. A practitioner can ensure that the scope is appropriate and that the tester is reputable.

8: Provide security training
Security training is a widely recognised requirement for a mature organisation, but all too often the bare minimum is provided, such as an induction session which ensures everyone knows they shouldn't write their password down. Induction training is a great idea, but beyond making people aware of the security policy, it should be different for different roles. Members of the executive face different threats and employ different countermeasures to those holding a position on the help-desk. The former will likely require one on one sessions while the latter may be inducted as part of a group. While security training may seem expensive, it is probably one of the best returns on investment for an organisation. Guarding against one phishing attempt may be the difference between winning the next big contract or recovering from an embarrassing information leak.

9: Develop a whistleblower process
Securing an organisation is not limited to the practices of security specialists. It includes everyone from those cleaning the office (often with unparalleled access) to those on the board. It includes partner organisations and their staff and their partners, and so the list goes on. Along with supporting (or opposing) security controls, staff and third party affiliates are a useful source of information about security events. They may observe vulnerabilities or even be aware of vulnerabilities being exploited. This information is extremely valuable and should be captured and processed to aid in improving one's security posture. Reporting of shortcomings is not always something that a hierarchy does particularly well. There is little incentive for a middle manager to report a shortcoming in an area he/she is responsible for. It may lead to embarrassment or additional work, and for these reasons potential risks can be swept under the rug. A solution is to develop a whistleblower process which allows anyone to report a perceived security issue to an information security authority in confidence, without fear of repercussions.

10: Consider security functionally
A challenge that faces many organisations is the apparent power that security practitioners require to do their job. They often have super user rights on a system to provide oversight or control access, and they often report to senior management even though they aren't necessarily executive level managers themselves. Security is a functional requirement rather than a hierarchical one. In designing security roles and responsibilities the function of that role must be considered, as a focus on hierarchy will weaken an organisation's ability to manage information security well. It can mean the removal of critical information flows as security reports are summarised into something more general. It can risk unnecessary spending on security products to imply progress in the absence of consultation to the right level.

NB: In order for each of these items to be effective they must involve an experienced security practitioner, and such people aren't that easy to find. Engineers can build the firewalls and testers can break them, but in the first instance someone is required who can decide whether the firewall is required or not.