Information Security Fundamentals. Thomas R. Peltier, Justin Peltier, John Blackley. Copyright by CRC Press, LLC.
(The page also listed Fundamentals of Computer Security, by Josef Pieprzyk, Thomas Hardjono and Jennifer Seberry.)
They are also charged with a duty of care — this means that senior management is required to protect the assets of the enterprise and make informed business decisions. An effective information protection program will assist senior management in meeting these duties. Information protection must be cost effective. Implementing controls based on edicts is counter to the business climate. Before any control can be proposed, it will be necessary to confirm that a significant risk exists.
Another principle that can help is performing adequate and frequent backups of the information on the systems. When the user causes loss of the integrity of the information resident on the system, it may be easiest to restore the information from a tape backup made the night before.
Tape backups are one of the essential tools of the information security manager and can often be the only recourse against a successful attack. They are a recourse only if at least one copy is kept offline or otherwise out of reach of the compromised accounts; a backup the attacker can overwrite or delete protects nothing.
For most employees it is difficult to imagine a fellow employee coming into work every day under a ruse, but it does happen. It becomes very difficult to find the source of internal attacks without alerting the attacker that you suspect him of wrong-doing.
The best line of defense against fraud and theft by your internal employees is to have well-defined policies. Policies can make it easier for the information security manager to collect data on the suspected wrong-doer to prove what bad acts the employee has performed. If you have well-defined policies in your organization, the information security manager can use forensic techniques to gather evidence that will help provide proof of who performed the attack.
While the entire breadth of forensics is beyond the scope of this book, we do spend a little time here discussing forensics from a high level. Computer forensics allows a trained person to recover evidence from computer systems. The first rule of computer forensics is to leave the system in as pristine a condition as possible. This may seem counterintuitive to the technology professional, whose instinct is to look at the system to determine exactly what is going on and how it happened.
Every time the technical professional moves the mouse or touches the keyboard to enter a command, the system is changing. This makes the evidence gathered from the system more suspect. After all, how would one determine what was done by the suspected employee and what was done by the professional investigating the activity?
There are many places where evidence of the activity may be left. Firewalls, server logs, and the client workstation are all places that should be investigated to determine whether any evidence remains. When it comes to the client workstation, the first step in computer forensics is very nontechnical: the security or support staff should be contacted to see what details they know about the system. One of the biggest potential problems would be if the client is using a hard drive encryption utility, because once an encrypted drive is powered off its contents cannot be read without the key.
We talk more about encryption in a later chapter of this book. Assuming that you are able to confirm that there is no hard drive encryption on the suspect system, the next step is to pull the plug rather than perform an orderly shutdown, which would run shutdown scripts and write to the disk. Now, if the system is a laptop, pulling the plug will not shut down the system; it will just run off the battery. In the case of a laptop, you need to pull the plug and remove the battery as well. Be aware of the trade-off: pulling the plug destroys everything held only in memory (running processes, network connections, keys for mounted encrypted volumes), so current practice, where the examiner is equipped for it, is to capture volatile memory from the running system before powering it down.
In any case, once the system is powered off, the hard drive in the system should be turned over to a qualified professional. Please note that there are many more steps in the forensic process that are beyond the scope of this book. The professional's first task is a bit-stream backup of the drive. A bit-stream backup is different from a regular tape backup in that it makes an exact copy of the hard drive. A bit-stream backup does not just copy the files and the file system; it copies everything. The blank space, the slack space, file fragments, and everything else get copied to a second hard drive (or, today, to an image file), and the copy is made through a write blocker so that nothing is written to the original.
The reason for this is that all the data recovery processes will be done on the second hard drive, leaving the original hard drive in its pristine state; it will not be modified. Every data recovery step is performed on the backup copy, never on the original. Once the copy is made, the two drives are compared using an integrity technology, a cryptographic hash, of which the example here is MD5 (see Figure 2).
When MD5 was published it was conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The first of these properties (collision resistance) has since been broken: practical MD5 collisions have been public since 2004, so MD5 is no longer acceptable where an adversary could choose both inputs, and forensic tools now record SHA-256 (often alongside MD5 for compatibility with older reports). For the narrower job described here, confirming that a copy you just made matches the source you just read, MD5 still detects accidental corruption, and the second property (finding a different input for a given digest) remains impractical. In essence, a cryptographic hash is a way to verify data integrity, and is far more reliable than a simple checksum and many other commonly used methods.
Once the MD5 hashes are made from each hard drive, the corresponding values can then be compared. If these values are the same, then the two drives are identical; if the MD5 values are different, then the bitstream backup failed and the drives are different.
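As an added example (not code from the book), here is the imaging-and-verification procedure of the last few paragraphs in Python. The "drive" is a constructed byte string standing in for a raw block device, and the two hash algorithms are run side by side so that one pass yields both the MD5 the text uses and the SHA-256 a current examiner would record; a file-level copy and a single flipped bit are included to show what the comparison does and does not accept. All names and the sample contents are my own assumptions.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for the suspect's raw disk. Real tools read the block
# device (/dev/sdX) sector by sector; here a bytes object plays that role.
SECTOR = 512
LIVE_FILE = b"Q3 forecast: revenue up 4%, headcount flat.\n"
DELETED_REMNANT = b"wire 45,000 USD to acct 7731 -- delete this"


def build_evidence_drive(sectors: int = 64) -> bytes:
    """Return a small 'disk': one allocated file, a remnant of a deleted file
    sitting in unallocated space, and zero-filled free space everywhere else."""
    drive = bytearray(sectors * SECTOR)
    drive[0:len(LIVE_FILE)] = LIVE_FILE
    off = 20 * SECTOR
    drive[off:off + len(DELETED_REMNANT)] = DELETED_REMNANT
    return bytes(drive)


def hash_device(dev: bytes, algorithms=("md5", "sha256"), chunk: int = 4096) -> Dict[str, str]:
    """Hash the whole device in one pass, feeding each chunk to every hasher
    (this is how imaging tools produce several digests without rereading)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for off in range(0, len(dev), chunk):
        block = dev[off:off + chunk]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def bitstream_image(dev: bytes, chunk: int = 4096) -> Tuple[bytes, Dict[str, str]]:
    """Copy every byte of the device, allocated or not, hashing as we go."""
    image = bytearray()
    hashers = {name: hashlib.new(name) for name in ("md5", "sha256")}
    for off in range(0, len(dev), chunk):
        block = dev[off:off + chunk]
        image += block
        for h in hashers.values():
            h.update(block)
    return bytes(image), {name: h.hexdigest() for name, h in hashers.items()}


def file_level_copy(dev: bytes) -> bytes:
    """What an ordinary backup captures: only the bytes of allocated files."""
    return dev[:len(LIVE_FILE)]


def verify_image(source: bytes, image: bytes) -> bool:
    """The copy is accepted only if every digest matches the source's."""
    src, img = hash_device(source), hash_device(image)
    return all(src[name] == img[name] for name in src)


def demo() -> Dict[str, bool]:
    drive = build_evidence_drive()
    before = hash_device(drive)                 # hash the original first
    image, acquisition_digests = bitstream_image(drive)
    after = hash_device(drive)                  # re-hash: the source must be unchanged
    tampered = bytearray(image)
    tampered[3 * SECTOR] ^= 0x01                # one flipped bit in the working copy
    return {
        "source_unchanged_by_imaging": before == after,
        "image_matches_source": verify_image(drive, image) and acquisition_digests == before,
        "file_copy_matches_source": verify_image(drive, file_level_copy(drive)),
        "remnant_in_image": DELETED_REMNANT in image,
        "remnant_in_file_copy": DELETED_REMNANT in file_level_copy(drive),
        "bit_flip_detected": not verify_image(drive, bytes(tampered)),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:30s} {ok}")
```

Hashing the source before and after acquisition is how one demonstrates that the write blocker did its job; the acquisition digests recorded at imaging time, the post-image hash of the source, and a later hash of the working copy should all agree before any recovery work begins. The file-level copy fails the comparison and does not contain the deleted remnant, which is the whole reason the text insists on a bit-stream copy.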
MD5 hashes are quite commonly used to verify the integrity of a file. The values can be used to ensure that a file was not modified during download, and a hash is also a component of a digital signature (for signatures, MD5 should no longer be used, because collisions can be constructed for it). After the hard drives have been compared and found to be identical, the forensic professional would then begin looking at the copy for evidence that the attack was launched from that machine.
The forensics professional will try to recover deleted files, will look for file fragments in slack space, and will also look through the data files on the suspect system to see if any evidence is present. If any evidence is found on the system, the forensic professional will document the evidence and turn it into a final written report.
Because we have been looking at the damage that internal employees can carry out against our information systems, let us look at the other community that can also cause destruction to our data — the outsiders. The three primary groups are hackers, crackers, and phreaks. A hacker is a user who penetrates a system just to look around and see what is possible.
The etiquette of hackers is that after they have penetrated the system, they will notify the system administrator to let the administrator know that the system has a vulnerability. It is often said that a hacker just wants security to be improved on all Internet systems. The next group, the crackers, is the group to really fear.
A cracker has no etiquette about breaking into a system. Crackers will damage or destroy data if they are able to penetrate a system. The goal of crackers is to cause as much damage as possible to all systems on the Internet. The third group, the phreaks, attack telephone systems rather than computers, typically to obtain free phone service. The phreaks can then use the free phone access to disguise the phone number from which they are calling, and also stick your organization with the bill for long-distance phone charges.
The ways an attacker will attack a system can vary tremendously. Each attacker has his own bag of tricks that can be used to break into a system. There are several books on just the subject of hacking currently available, but we will cover the basic hacker methodology briefly here. The basic hacker methodology has five main components: reconnaissance, scanning, gaining access, maintaining access, and covering tracks. It might seem odd to think of a methodology for hackers; but as with anything else, time matters.
So to make the best use of time, most hackers follow a similar methodology. The first phase in the methodology is the reconnaissance phase. In this phase, the attacker tries to gain as much information as possible about the target network. There are two primary ways an attacker can do this: passively, without sending anything to the target, or actively, by probing it. Most attackers would generally begin with passive reconnaissance, which can often generate a lot of good information about the network or organization the hacker wants to attack.
The attacker would look through the organization's own Web site for contact information for key employees (this can be used for social engineering), information on the types of technology used at the organization, and any other nugget of information that could be used in an attack.
After the attacker has gone through the Web site, he would probably move to Internet search engines to find more information about the network he wishes to attack.
He would be looking for newsgroup postings that reflect badly on the company, posts at sites for people who are upset with the company, and any other details. The attacker would then look for information in the DNS servers for the target organization. This would provide a list of server names and their corresponding IP addresses. Once this is done, the hacker would move to active reconnaissance. To perform active reconnaissance, a hacker would perform ping sweeps, SNMP network scans, banner grabbing, and other similar probes, all of which generate traffic the target can log.
These probes would help the attacker weed out dead IP addresses and find the live hosts to move on to with the next phase: scanning. An attacker would begin scanning, looking for holes to compromise to gain access to the network. The attacker would scan all servers that are reachable from the Internet, looking for known vulnerabilities. These vulnerabilities could be in a poorly written Web-enabled application or in applications that have known security vulnerabilities in them.
Once an attacker has compiled a list of vulnerabilities, he would then move on to the next stage — gaining access.
There are many ways for an attacker to gain access to the target network. Once the attacker has access, all he wants to do is make sure that he can keep it.
To maintain access, an attacker would commonly upload a custom application onto the compromised server. This application would then be a back door into the target organization, and would allow the attacker to come and go at will. In addition to uploading new programs, an attacker can alter existing programs on the system.
The advantage of doing this is that a well-informed administrator may know the files on his system and he might recognize that new files have been installed on his servers. By modifying already-existing files, the system would appear to be unmodified at first glance.
A common way of doing this is with a group of files called a rootkit. A rootkit allows an attacker to replace normal system files with files of the same name that also have Trojan horse functionality.
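One way an administrator can be "well informed" about the files on his system, as an added example that is not from the book: keep a manifest of cryptographic hashes of the system files and diff the live tree against it. The toy tree, the "rootkit" that swaps bin/ls for a same-sized trojan, and the dropper file are all constructed here for illustration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_manifest(root: Path) -> Dict[str, Dict[str, object]]:
    """Record size and SHA-256 for every regular file under root (paths relative to root)."""
    manifest: Dict[str, Dict[str, object]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            }
    return manifest


def compare(baseline: Dict[str, Dict[str, object]],
            current: Dict[str, Dict[str, object]],
            field: str = "sha256") -> Dict[str, List[str]]:
    """Diff two manifests on one attribute: the hash (sound) or the size (not)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(name for name in baseline.keys() & current.keys()
                           if baseline[name][field] != current[name][field]),
    }


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Build a toy system tree, baseline it, then install a 'rootkit' and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls.real \"$@\"  # v1.0\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /usr/bin/ps.real \"$@\"  # v1.0\n")
        baseline = take_manifest(root)

        # Rootkit behaviour from the text: a same-named replacement for a system
        # file. The trojan hides the dropper from directory listings and is padded
        # to the ORIGINAL length so that a size-only check sees nothing.
        ls = root / "bin" / "ls"
        original_len = len(ls.read_bytes())
        trojan = b"#!/bin/sh\nls.real \"$@\" | grep -v dropper\n"
        trojan += b"#" * (original_len - len(trojan))
        assert len(trojan) == original_len
        ls.write_bytes(trojan)
        (root / "bin" / "dropper").write_bytes(b"#!/bin/sh\n# back door listener\n")

        current = take_manifest(root)
        return {
            "by_hash": compare(baseline, current, "sha256"),
            "by_size": compare(baseline, current, "size"),
        }


if __name__ == "__main__":
    for method, diff in demo().items():
        print(method, diff)
```

The size-only comparison is included because it is what a glance at ls -l gives you: it sees the new dropper but not the replaced ls. Two caveats for real use: the manifest must be stored, and the comparison run, somewhere the attacker cannot reach (a kernel-mode rootkit can lie to any checker that runs on the compromised host, so check from trusted boot media), and the baseline must come from a known-clean build, not from the system after the fact.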
The new system files would allow the attacker in just as if he added additional files to the target server. An attacker may not need long access to the system and he might just wish to download the existing programs or data off the target server. Once an attacker has determined his mechanism for getting back into the server, the last step in the hacker methodology is to cover his tracks.
This would hide his access from the system administrator and would also leave less evidence behind in case the system administrator wishes to have a forensics examination performed on the compromised host. The level of skill of an attacker is often apparent in this phase.
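Covering tracks works because a log file on the compromised host is just another file the attacker can edit or remove. As an added example that is not part of the book, the following Python hash-chains the entries with an HMAC so that the defender can tell a genuine log from an edited, spliced, or truncated one. The log lines, host names and addresses are constructed samples, and the key and the "head tag" are assumed to be held on a separate log server.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (not from any real system).
LOG_LINES = [
    "Mar 14 02:11:07 web01 sshd[4021]: Accepted password for svc_backup from 10.0.0.5 port 51022",
    "Mar 14 02:11:09 web01 sudo: svc_backup : TTY=pts/0 ; COMMAND=/bin/bash",
    "Mar 14 02:11:15 web01 sshd[4033]: Accepted publickey for deploy from 203.0.113.44 port 40112",
    "Mar 14 02:12:40 web01 sshd[4033]: Disconnected from 203.0.113.44 port 40112",
]
# Assumed key. The verifier's copy must live off the host (on the log server);
# a key the attacker can read lets him simply re-chain the edited file.
KEY = b"per-host-log-key-held-by-the-log-server"
GENESIS = "0" * 64

Entry = Tuple[str, str]  # (log line, tag)


def tag_for(prev_tag: str, line: str, key: bytes = KEY) -> str:
    """Tag = HMAC over the previous tag and this line, so each entry commits to all before it."""
    return hmac.new(key, f"{prev_tag}\n{line}".encode(), hashlib.sha256).hexdigest()


def build_chain(lines: List[str], key: bytes = KEY) -> List[Entry]:
    entries, prev = [], GENESIS
    for line in lines:
        prev = tag_for(prev, line, key)
        entries.append((line, prev))
    return entries


def verify_chain(entries: List[Entry], head: Optional[str] = None,
                 key: bytes = KEY) -> Optional[int]:
    """Return the index of the first entry that fails; -1 if every entry checks
    but the chain does not end at the head tag the log server last received;
    None when the log is intact."""
    prev = GENESIS
    for i, (line, tag) in enumerate(entries):
        if not hmac.compare_digest(tag_for(prev, line, key), tag):
            return i
        prev = tag
    if head is not None and not hmac.compare_digest(prev, head):
        return -1
    return None


def demo() -> Dict[str, Optional[int]]:
    chain = build_chain(LOG_LINES)
    head = chain[-1][1]                    # shipped off-host as each batch closes

    # Skilful attacker: rewrite the source address in entry 2 but keep its tag.
    edited = list(chain)
    line, tag = edited[2]
    edited[2] = (line.replace("203.0.113.44", "198.51.100.9"), tag)
    # Remove a single entry (entry 1) from the middle.
    spliced = chain[:1] + chain[2:]
    # Crude attacker: truncate the file after entry 1.
    truncated = chain[:2]
    # Cruder still: delete the log file entirely.
    gone: List[Entry] = []

    return {
        "intact": verify_chain(chain, head),
        "edited": verify_chain(edited, head),
        "spliced": verify_chain(spliced, head),
        "truncated_no_head": verify_chain(truncated),
        "truncated_with_head": verify_chain(truncated, head),
        "gone": verify_chain(gone, head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} {result}")
```

Two design points are worth noting: a chain alone cannot detect truncation (the truncated_no_head case passes), which is why the latest tag must leave the host, and a key readable by root on the host lets the attacker rebuild the chain after editing, so the key, too, must be held elsewhere or used in a forward-secure way. In practice the simplest version of all this is to forward every entry to a remote syslog server as it is written; the chain then matters mostly for proving which copy is authentic.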
A crude attacker might delete an entire log file, thus making it easy for the system administrator to determine that someone has been in the system; a more skillful attacker might just edit his own log entries to show that the traffic originated from a different IP address. Either is defeated if the logs are also written to a host the attacker has not compromised, which is why forwarding logs off the system in near real time is a standard control.

Malicious code is defined as any code that is designed to make a system perform an operation without the knowledge of the system owner.
There are many different types of malicious code. This chapter discusses a few of the more common ones, including the virus, the worm, the Trojan horse, and the logic bomb. The most commonly thought of type of malicious code is the virus. A virus is a code fragment, or a piece of code, that can be injected into target files.
A virus then waits, usually until the file is opened or accessed, to spread to another file, where the malicious code is then injected into that file. On a virus-infected system, one can often find tens of thousands of infected files.
There are many different types of viruses: viruses that attack the boot sector of the hard drive, file infectors, macro viruses that use the Office scripting functionality, and viruses for all major operating systems. Another type of malicious code is the worm. A worm is typically a complete program that infects one place on a given system and then tries to replicate to other vulnerable systems on the network or the Internet, without needing a host file or a user's action.
A number of the highly publicized attacks have been worms. Nimda, from September 2001, is one example of a highly publicized attack that was a worm. Trojan horses are a different type of malicious code and can be quite deceiving to the end user. A Trojan horse appears to have a legitimate function on the surface, but also has malicious code underneath. There are a number of freeware programs on the Internet that allow an attacker to insert malicious code into most of the common executables.
The most effective nontechnical defense against Trojan horses is to educate the end user not to open file attachments unless they know exactly what the attachment will do; on the technical side, antivirus scanning and blocking executable attachments at the mail gateway help. A logic bomb is malicious code that lies dormant until a triggering condition is met. This means that the code could be waiting for a period of time (e.g., until a particular date) or for a particular event. A well-known example of a logic bomb was the Michelangelo attack, a boot-sector virus whose destructive payload fired only on March 6. Enter the denial-of-service attack. In these attacks, the hacker would launch an attack from his system against the target server or network. While all these attacks remain successful on some target networks today, most organizations have implemented technology to stop these attacks from causing a service disruption in their organizations.
In February, DoS attacks hit the next level. In that month, a number of high-profile targets were taken offline by the next generation of DoS attacks: the distributed denial of service (DDoS) attack.
These attacks were launched from zombie hosts: devices that had been compromised and had code uploaded onto them that would allow a master machine to contact them and have them all release the DoS attack at the same time. There were tens of thousands of zombie hosts available, and the attacker could choose from a number of common tools with which to launch the attack. These tools were pretty straightforward to use and allowed an attacker to release a devastating attack against the target.
The new DDoS attacks are very difficult to defend against. Most of the tools denied service not by overwhelming the processing server, but by flooding the telecommunications lines from the Internet service provider (ISP), which means the victim's own equipment cannot filter the attack out: the traffic has already consumed the link before it reaches anything the victim controls.
Most organizations are still vulnerable to this type of attack. What has curtailed most DDoS attacks is the effort to minimize the number of zombie-infected hosts available. As soon as a new and better infection mechanism surfaces, another round of DDoS attacks is sure to spring up.
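As an added example (not from the book), the following Python shows why the per-source rate limits that stop a single-source DoS attack are blind to a distributed one: 2,000 constructed zombie addresses each send three packets a second, so no single source trips a threshold while the aggregate toward the victim does. Traffic records, addresses and thresholds are all constructed for the illustration.

```python
import random
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# One record per SYN seen at the victim: (seconds since capture start, source IP).
Record = Tuple[float, str]


def single_source_flood(n: int = 600, ip: str = "198.51.100.7") -> List[Record]:
    """Classic DoS: one host, all packets inside the first second."""
    return [(i / n, ip) for i in range(n)]


def distributed_flood(n_sources: int = 2000, per_source: int = 3, seed: int = 1) -> List[Record]:
    """DDoS: thousands of zombies, each sending only a few packets."""
    rnd = random.Random(seed)
    records: List[Record] = []
    for k in range(n_sources):
        ip = f"10.{(k >> 16) & 255}.{(k >> 8) & 255}.{k & 255}"
        records.extend((rnd.random(), ip) for _ in range(per_source))
    return records


def analyze(records: List[Record], window: float = 1.0,
            per_source_limit: int = 100, aggregate_limit: int = 1000) -> Dict[str, object]:
    """Two detectors over fixed time windows: per-source rate (what most filters
    implement) and aggregate rate toward the victim (what DDoS actually moves)."""
    per_window: Dict[int, Counter] = defaultdict(Counter)
    for t, ip in records:
        per_window[int(t // window)][ip] += 1

    noisy_sources = set()
    flooded_windows = []
    for w in sorted(per_window):
        counts = per_window[w]
        noisy_sources.update(ip for ip, c in counts.items() if c > per_source_limit)
        total = sum(counts.values())
        if total > aggregate_limit:
            flooded_windows.append({"window": w, "packets": total,
                                    "distinct_sources": len(counts)})
    return {"noisy_sources": sorted(noisy_sources), "flooded_windows": flooded_windows}


def demo() -> Dict[str, Dict[str, object]]:
    return {
        "single": analyze(single_source_flood()),
        "distributed": analyze(distributed_flood()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The single-source flood is caught by the per-source detector and never reaches the aggregate threshold; the distributed one is the reverse. Detecting the aggregate at the victim is necessary but, as the text notes, not sufficient: once the attack saturates the ISP link, filtering at the victim's edge is too late, and the same aggregate and distinct-source signals have to be acted on upstream, by the ISP or a scrubbing service.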
Social engineering attacks can be very simple or very complex. Gaining access to information over the phone or through Web sites that you visit has added a new dimension to the role of the social engineer. This section examines ways in which people, government agencies, military organizations, and companies have been duped into giving information that has opened them up to attack.
Low-tech as well as the newer forms of electronic theft are discussed. Social engineering is the acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of an inappropriate trust relationship with insiders. The goal of social engineering is to trick someone into providing valuable information or access to that information or resource.
The social engineering exploiter preys on qualities of human nature such as helpfulness, trust, and carelessness. Helpfulness: we have trained our employees well. Make sure the customer is satisfied. The best way to a good appraisal is to have good responses from those needing assistance. Most of our employees want to be helpful, and this can lead to giving away too much information. Trust: human nature is to trust others until they prove that they are not trustworthy. If someone tells us that he is a certain person, we usually accept that statement.
We must train our employees to seek independent proof. Too many of us have seen negative reactions from superiors because verification of identity took too long or because some official was offended. Management must support all employees who are doing their assignment and protecting the information resources of the enterprise. Carelessness: sometimes we get lazy. We post passwords on the screen or leave important material lying out for anyone to see. What scares most companies about social engineers is that the sign of a truly successful social engineer is that he receives what he is looking for without raising any suspicion.
It is the bad social engineers we know about, not the good ones. People are usually the weakest link in the security chain. In earlier decades we were told that if we installed access control packages, we would have security; then we were encouraged to install effective antivirus software to ensure that our systems and networks were secure;
then we were told that firewalls would lead us to security. Now in the 21st century, it is intrusion detection systems or public key infrastructure that will lead us to information security. In each and every iteration, security has eluded us because the silicon-based products must interface with carbon-based units. It is the human factor that will continue to appear in our discussion on social engineering.
A skilled social engineer will often try to exploit this weakness before spending time and effort on other methods to crack passwords or gain access to systems. Why go to all the trouble of installing a sniffer on a network when a simple phone call to an employee will gain the needed user id and password? Social engineering is the most difficult form of attack to defend against because it cannot be defended against with hardware or software alone.
A successful defense will require an effective information security architecture, starting with policies and standards and following through with a vulnerability assessment process.
One of the most ingenious early methods was the login spoofer. The user attempting to log on to the system was met with the normal prompt, and, after entering the correct user id and password, had the system begin the prompt all over again.
What happened was that a social engineer managed to get a program installed in front of the normal sign-on routine; it gathered the information and then passed the prompt to the real sign-on process. According to published articles at the time, more than 95 percent of regular users had their access codes compromised. This is the attack the secure attention sequence (Ctrl+Alt+Del on Windows) was designed to defeat: the key combination is trapped by the operating system and always reaches the genuine logon, so a program sitting in front of the prompt cannot intercept it.
Today we see the use of Web sites as a common ploy: offer something free or a chance to win something on the Web site in order to gain important information.
At a Michigan firm, the network administrator installed a 401(k) information Web site that required employees to register with the site to obtain information on their 401(k) program. After giving such information as account id, password, social security number, and home address, the user was shown a message indicating that the Web site was still under construction.
Within a week, nearly every employee with a 401(k) plan, including senior management, had attempted to register on the Web site. Other forms of social engineering have been classified into various groups.
The first two are Impersonation and Important User. These are often used in combination with one another. In one reported case, a woman using an easily accessible military computer directory was able to obtain the name of the individual in charge.
She used her basic knowledge of military systems and terminology as she called a military base to find out the commanding officer of the secret compartmentalized information facility.
Using this information, she changed tactics. She switched from being nonchalant to authoritative: her boss, the major, was having problems accessing the system and she wanted to know why. Using threats, she got the access and, according to her, was in the system within 20 minutes. Pretending to be someone you are not, or schmoozing your way to the information you need: these are typical examples of how social engineers work to obtain the information they need.
They will often contact the help desk and drop names of other employees. The dumpster diver is willing to get dirty to get the information he needs. Too often, companies throw out important information.
Sensitive information, manuals, and phone directories should be shredded before disposal. A few years ago, one of the news magazine shows did a segment on phone card fraud.
During one sequence, the reporter was given a new phone calling card and told to use it at Grand Central Station in New York City. While she made the call, the undercover police counted at least five people shoulder surfing her PIN. One even turned to the cameraman to make sure he got the number too.
The final two types of human-based social engineering are third-party authorization and tech support. The typical third-party authorization occurs when the social engineer drops the name of a higher-up who has the authority to grant access: "Shooter said I should call you to get this information." Remember that most social engineers are internal.
The employees were told that the network was experiencing connection problems, that they had installed a scope on the fiber connections, and then asked the employees to log on to the system. They requested the account id and password to use as a verification that the data was being properly sent. Three employees did not answer the phone call. Eight out of the other nine gave the information requested.
One employee was not able to give out his password because he could not find the Post-It note on which he had it written. Some potential security breaches are so mundane that they hardly seem to be a concern. With all the fires that we have to fight each day and the deadlines we have to meet, the most obvious are often overlooked. The number-one access point for social engineers is the good old-fashioned password.
After all of the awareness programs and reminder cards, we still find that employee-generated passwords are too short or too easy to guess.
System-generated passwords are too long and employees have to write them down to remember them. Even today, some systems do not require that passwords be changed. We find this most often in e-mail systems and Internet accounts. We recommend an assessment of the password length and change-interval standards to determine whether they still meet the current needs of the user community. Note that current guidance (NIST SP 800-63B) has moved away from forced periodic changes, which push users toward predictable variations and Post-It notes, in favor of longer passwords, screening against lists of known-compromised passwords, and changing a password when there is evidence it has been compromised.
Every company has more modems than they know about. Employees and contractors will add a modem to a system and then install products such as pcAnywhere or Carbon Copy to improve their remote access time.
We recommend that war dialers be used at least twice a year to check on modems (today the same periodic outside-in scan should look for unsanctioned remote-access software and Internet-exposed management services as well). Put in place processes that can assist the help-desk employee in verifying who is on the other end of the phone call. Many hackers use the information they gather from the enterprise Web site to launch attacks on the network. Make certain that the information available will not compromise the information resources of the enterprise.
Our employees have not been trained to challenge strangers. Or if they have been trained, there has not been enough reinforcement of the challenge process. Require that all personnel on site wear appropriate identification. Some organizations require only visitors to wear badges. Therefore, to become an employee, a visitor must simply remove the badge. Sell the principle that employee identification is not just a security measure, but rather a process to protect the employees in the workplace.
By ensuring that only authorized personnel are permitted access, the employees will have a safe work environment. Because there is neither hardware nor software available to protect an enterprise against social engineering, it is essential that good practices be implemented. Some of those practices might include: Policies, procedures, and standards are an important part of an overall antisocial engineering campaign.
To be effective, a policy should: This process must be ongoing and must not exceed six months between reinforcement times. It is not enough to just publish policies and expect employees to read, understand, and implement what is required. They need to be taught to emphasize what is important and how it will help them do their jobs. This training should begin at new employee orientation and continue throughout employment.
When a person becomes an ex-employee, a final round of reinforcement should be done during the exit interview process. The awareness material should be updated regularly and should describe new social engineering ploys. Employees should be taught the warning signs of an attempt in progress. When employees do the right thing, make sure they receive proper recognition. Train the employees on who to call if they suspect they are being social engineered.
Apply technology where you can. Consider implementing call tracing if possible, or at least caller ID where available. Control overseas long-distance service on most phones. Ensure physical security for the building. A social engineer with enough time, patience, and resolve will eventually exploit some weakness in the control environment of an enterprise.
Employee awareness and acceptance of safeguard measures will become our first line of defense in this battle against the attackers.
The best defense against social engineering requires that employees be tested and that the bar of acceptance be raised regularly. Many employees respond positively to anecdotes relating to social engineering attacks and hoaxes. Keep the message fresh and accurate. Include details about the consequences of successful attacks. Do not discuss these attacks in terms of how security was circumvented, but rather their impact on the business or mission of the enterprise.
These attacks can lead to a loss of customer confidence, market share, and jobs. Employees at all levels of the enterprise need to understand and believe that they are important to the overall protection strategy. Without all employees being part of the team, the enterprise, its assets, and its employees will be open to attack from both external and internal social engineers.
With training and support, one can lessen the impact of these kinds of attacks. The reach of the program, how each business unit supports the program, and how every individual carries out his or her duties as specified in the program all determine how effective the program will be. If there are levels or areas in an organization where support is seen as weak, this will cause gaps in the effectiveness of the program and weaken the entire information security structure.
Like an unpopular law (the 55 mph speed limit comes to mind), when a requirement to follow good business practices is ignored by some, and effective information security is good business practice, more will come to think they need not comply either. Many organizations have strong and weak areas; a good example might be a financial services organization in which everyone but the stock traders abides by strong information security standards.
The stock traders, however, feel that they work under so much pressure that learning and complying with information security standards would be too much of an impediment to their work. In an organization such as this, the management of the stock traders might have enough influence to hold off efforts to enforce compliance. If we use a castle as an analogy for a strong information security program, then having all but one department in compliance with standards is equivalent to leaving open a gate in the castle walls.
Having said that, information security practitioners cannot — by themselves — ensure that the information security program is applied in a uniform way across the entire organization. Building information security policies and standards on that strategy is the next step, and helping the organization achieve compliance with those policies and standards follows. The information security practitioner can help the organization achieve a uniform, enterprisewide security program by leading efforts to create and implement policies and standards, by educating all levels of employees within the organization on acceptable security-related practices, and by acting as a consultant to help business units address specific problems in a way that is consistent with practice in other parts of the organization.
An organization structure must be set up to ensure effective communication — both of policy and standards to the entire organization and of issues from the entire organization to the decision makers. The organization structure should involve: An illustration of the organization structure — and suggested lines of report — is shown in Figure 3.
Each business unit, at some point in its chain of authority to senior management, must be represented in the process to review and approve policies. For the policies to be as robust as possible and to represent the needs of the entire enterprise, each business unit must be represented in two ways. See Table 3 for a sample table in which the responsibilities in the policy development process can be laid out (its columns are policy areas such as Network Management, Physical Security, Personnel Security, Organization, and Asset Classification; its rows are reviewers by title, from the President through the CISO and senior consultants). In this simple table, we lay out the officers and managers involved in the process on one axis and the policies we intend to review or develop on the other. At each intersection, we place an R, indicating the responsibility to review the indicated policy.
Some organizations use a table like this but distinguish between those responsible only for review, denoted with an R, whose comments may or may not be included in revisions at the discretion of the Information Security Manager,
and those denoted with a C, which indicates that they have the right to comment on policy and that their comments must be incorporated in revised drafts. Generally, in large organizations, this means that management at the Director or Vice President level approves policy after management and staff at lower levels have reviewed it and provided their comments. The approval at the higher level usually involves a Steering Committee approach (discussed later). In the process for drafting and implementing standards, the responsibilities change slightly.
In this case, business units have the responsibility for writing information security standards for their area of responsibility. For example, standards for Personnel security could best be written by Human Resources with input from Information Security, of course.
That person will then advise their representative on the group that approves standards for the enterprise. When policies and standards have been approved, it is the responsibility of each business unit to assist in their implementation. A better practice is for business unit management to learn what is necessary for compliance with information security policies and standards and then use that knowledge to improve the business practices within the unit.
Another responsibility within business units is, of course, the enforcement of compliance. If there is confusion about the difference between compliance itself and the enforcement of compliance, perhaps one can view compliance as a normal practice and enforcement as the action to be taken when one finds noncompliance.
For example, the management of a business unit might consider making compliance with information security policies and standards a performance issue, at least for exceptions. While it might, for many reasons, be difficult to have information security made part of the performance improvement and measurement process across an entire organization, it is less difficult to persuade business unit managers that it can be made so in cases where failure to comply has been found.
Consider, for example, a policy statement that says all means of access (IDs, passwords, tokens, etc.) It is expected that, even after this month period expires, John Doe will continue to comply with company policies. Reading alone is not the most effective method of absorbing information and, once read, the message of the policies and standards is easily forgotten in the stress of the working day. If an organization wishes its policies and standards to have perpetual effect, it should commit to a perpetual program of reinforcement and information: a security awareness program.
Problems with budget may stop your employee information security awareness program before it gets properly started. Those who control budgets need to show due diligence by demonstrating the effect or the potential return on investment for every dollar spent and information security awareness programs are notoriously difficult to quantify in this way.
What is the return on investment? Increased employee awareness? And how does that contribute to the profitability of the enterprise?
These are difficult numbers to demonstrate. However, if we look at things that an organization would like to avoid, justifying the cost of an employee information security awareness program gets easier. Most information security programs struggle with issues such as access control (password management, sharing of computer sessions, etc.). The way to address these issues is through measurement: establish a baseline before any awareness activity, then measure again afterwards so the change can be shown.
Measurement tools can include password cracking software such as L0phtCrack, or sampling walk-throughs in which a given number of workstations are observed and a record is made of how many are left unattended and logged on. Similarly, if your organization wants to improve e-mail habits, observation of e-mail traffic before any security awareness activity will be necessary. As for the content and mechanics of the awareness program, the following general advice should prove useful.
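The password-audit metric described above, as an added example that is not from the book: a constructed sample of credential records for the same five users is audited against a small wordlist before and after the awareness program, and the fraction of accounts that fall to the wordlist is the number reported to management. The hashing scheme (PBKDF2-HMAC-SHA256 with a per-user salt and a deliberately low iteration count), the user records, the salts and the wordlist are all assumptions made for illustration; a real audit would run a tool such as L0phtCrack against exported hashes.

```python
import hashlib
import hmac

# Assumption: a low work factor so the example runs in well under a second.
# A production password store would use a far higher iteration count.
ITERATIONS = 1_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(user: str, password: str, salt: bytes) -> dict:
    """Build one stored credential record; the plaintext is not kept."""
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample: the same five users before and after the program.
# Salts are fixed constants so the example is reproducible.
BEFORE = [
    make_record("jdoe",   "password",              b"salt-jdoe"),
    make_record("asmith", "Summer2023",            b"salt-asmith"),
    make_record("bkim",   "welcome1",              b"salt-bkim"),
    make_record("cjones", "c0rrect-h0rse-b4ttery", b"salt-cjones"),
    make_record("dlee",   "7Ryx!q2p#Lm%",          b"salt-dlee"),
]
AFTER = [
    make_record("jdoe",   "qwerty",                b"salt-jdoe"),    # still a dictionary word
    make_record("asmith", "Mv9$wq2L!p8e",          b"salt-asmith"),
    make_record("bkim",   "g7#Zt1pQ&x4R",          b"salt-bkim"),
    make_record("cjones", "c0rrect-h0rse-b4ttery", b"salt-cjones"),
    make_record("dlee",   "7Ryx!q2p#Lm%",          b"salt-dlee"),
]

# Constructed wordlist standing in for a cracker's dictionary.
WORDLIST = ["password", "123456", "welcome1", "qwerty", "Summer2023", "letmein"]


def audit(records, wordlist):
    """Return {user: guess} for every record that a wordlist guess matches.

    Each guess is hashed under the record's own salt, exactly as a dictionary
    attack against a salted store has to do.
    """
    cracked = {}
    for rec in records:
        for guess in wordlist:
            candidate = hash_password(guess, rec["salt"])
            if hmac.compare_digest(candidate, rec["hash"]):
                cracked[rec["user"]] = guess
                break
    return cracked


def crackable_fraction(records, wordlist) -> float:
    """The metric: share of sampled accounts that fall to the wordlist."""
    return len(audit(records, wordlist)) / len(records)


def measure_program(before, after, wordlist):
    """Baseline share, follow-up share, and relative reduction between them."""
    base = crackable_fraction(before, wordlist)
    follow = crackable_fraction(after, wordlist)
    reduction = (base - follow) / base if base else 0.0
    return base, follow, reduction


if __name__ == "__main__":
    base, follow, reduction = measure_program(BEFORE, AFTER, WORDLIST)
    print(f"crackable before: {base:.0%}, after: {follow:.0%}, reduction: {reduction:.0%}")
    print("accounts still weak after the program:", sorted(audit(AFTER, WORDLIST)))
```

The relative reduction is the figure that answers the "what is the return" question in the next paragraph: a sample crackable share that drops from 60% to 20% is a concrete result to set against the cost of the program. The same before-and-after structure applies to the walk-through count of unattended, logged-on workstations.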
If the message is delivered too often, it will become background noise, easily ignored. Information security awareness programs are basically advertising with an educational message. The messages might begin with a PowerPoint presentation, which focuses heavily on: In the first year, you should aim to deliver the messages outlined above, plus messages on: To rely on one medium (video, posters, PowerPoint presentations, etc.) would be a mistake: staff would become used to seeing whatever medium or media were chosen and would begin to ignore it. The key is to use a mix of media and a frequency of message delivery that achieves the level of consciousness of security issues that the organization has chosen. We live in a video generation. News, entertainment, streaming video on the Internet, advertising, and education all come at us in video format.
It makes sense, then, to consider custom video as a medium for delivering at least part of the employee information security awareness message. A number of organizations also offer ready-made information security awareness videos. Most organizations, however, still rely on presentation software such as PowerPoint. Other plusses are that presentation software is easy to use and easy to modify.
You should consider using PowerPoint for your initial employee information security awareness offering and should not plan to use any more PowerPoint presentations during the first year. Too many PowerPoint presentations will quickly kill audience interest in the program. Note that this has the potential to create bandwidth problems and should be discussed with IT before any plans are made.
Most people react well to something they can hold in their hand; and while the readership rate of booklets, etc. From the senior management who sit on the Information Security Steering Committee, to the responsibilities of every employee to practice good information security habits, the infrastructure must be robust and educated in order for the information security program to bring full benefit to the organization.
To round out the committee — to provide the best possible contribution at that level to the information security program — Internal Audit, Legal, Human Resources, and, where appropriate, organized labor should also sit on the committee.
The Information Security Steering Committee generally meets no more than monthly and, in some organizations, as infrequently as quarterly. When major changes in business processes, new business processes, and major new technologies are introduced, it is at the Information Security Steering Committee level that direction for the information security program, with respect to these changes, will be found. Generally, when such a change is proposed, the management of the Information Security group will propose to the committee its views on what controls should look like in the changed environment, and the Information Security Steering Committee will accept or amend those views.
For example, in the case of a merger or acquisition, the information security group will study the proposed action and decide on a strategy to bring the merged or acquired company to the same level of control as the parent organization. The information security group will then present the proposed action to the Information Security Steering Committee, which will approve the strategy or direct that changes be made. As the merger or acquisition proceeds, the Information Security group will report progress and details to the committee on a predefined frequency.
And almost every organization with that outlook has an information security program that is failing. Information security is an organizationwide responsibility that touches every person. While the Information Security unit must act as a source of guidance and advice, the program can only succeed when all parties in the organization recognize their responsibility to protect information and exercise that responsibility.
The protection of information is no more than a part of doing business, as much a part as making sure that more tangible assets such as, say, money in a bank or products made by a manufacturing company are physically protected.
It is widely accepted that senior management, under the Foreign Corrupt Practices Act, has a responsibility to make sure that information security as an element of risk is adequately addressed in the organization. In some industries (government, financial services, and healthcare spring most quickly to mind), senior management has clearly defined, regulated responsibilities to ensure that information is protected to a level equal to its perceived value to the organization.
Outside the legal requirements, senior management is responsible for: As this section makes clear, Information Security Management is responsible for the information security practices of the information security unit — and nowhere else. For other units, Information Security provides services and advice, but the responsibility for protection of information within those units lies squarely on the management and staff of those units.
The Information Security Management of an organization must be able to: While the responsibility for the creation of policies and standards does not belong to Information Security Management, it should be best equipped to act as an agent to make sure these things are created and to project-manage the effort to implement them. There is still some argument over whether or not business continuity planning ought to be a function of information security, and I recognize that there may be some environments where it is not desirable for information security and business continuity planning to be managed by the same organization.
However, given the closeness of the objectives of information security and continuity planning, I wholeheartedly endorse the idea that business continuity planning is a function that should fall under the control of Information Security Management. Just as all business unit managers have the responsibility of making sure that information stored and processed by their unit is protected to a level equal to its value, so Information Security Management must protect the security databases and paper files in its own custody from threats.
The information is owned by other pieces of the organization and so the responsibility for deciding access rules lies with other parts of the organization guided by policies and standards. Information Security Management is only responsible for making sure that those access rules are implemented. In all the above responsibilities, the most important — from my point of view — is the responsibility to acquire and communicate knowledge within the organization.
If business unit managers do not buy into the idea that information security is important, then no amount of effort on the part of the Information Security manager will make it work in that unit. Business unit managers support the information security program by: Business unit managers must feed comments to senior management on every information security policy proposed for the organization, because it is the business unit manager who will enforce the policy within the unit.
Standards are more business-unit specific than policies (network support writes network security standards, Human Resources writes personnel security standards, etc.). While Information Security will provide the metrics and the mechanisms for measuring the effect of the information security program, the business unit managers themselves benefit from taking responsibility for the measurement.
Fewer negative audit comments and fewer disruptive events are two clear benefits of this kind of proactive stance. Information Security can report violations of policy and standards, but only business unit managers can initiate remedial and disciplinary action in response. The information security education and awareness program can only succeed with the clear cooperation of business unit managers.
First line supervisors often carry out duties delegated by business unit managers and are a key piece of the communication chain that allows an organization to monitor its information security program. First line supervisors: Generally, employees are asked to comply with information security policies and standards and little else. However, information security programs only work well when all employees participate, and employees participate most willingly when they feel they have a real role to play.
Simply complying with policies and standards seems passive and might be done by all employees given enough support from business unit managers and first line supervisors. More active participation from employees can be encouraged in areas such as reporting security concerns — and it should be stated like this.
From general security issues perhaps seen in the press to topics of concern that are specific to the organization, employees should be encouraged to see the process as simply passing on information or asking for clarification. This must be clearly stated in any contract that binds two organizations. Such contractual terms should be the subject of any service level agreement (SLA) between the purchasing organization and any contractor or vendor.
Where contractors or vendors operate at a site run by the purchasing organization, they are subject to the same rules and methods of enforcement as full-time employees of the organization. The reach of the program, how each business unit supports the program, and how every individual carries out his or her duties as specified in the program all determine how effective the program is going to be.
If there are levels or areas in an organization where support is seen to be weak, this will cause gaps in the effectiveness of the program and will weaken the whole information security structure. Like an unpopular law (the 55 mph speed limit comes to mind), when a requirement to follow good business practices is ignored by some, and effective information security is good business practice, more will come to think that they need not comply either. This is the wellspring of all other directives, standards, procedures, guidelines, and other supporting documents.
As with any foundation, it is important to establish a strong footing. As will be discussed, a policy performs two roles: The internal portion tells employees what is expected of them and how their actions will be judged. The external portion tells the world how the enterprise is run, that there are policies that support sound business practices, and that the organization understands that protection of assets is vital to the successful execution of its mission.
To some, a policy is the directive of senior management on how a certain program is run, what its goals and objectives are, and to whom responsibilities are assigned. This chapter examines three different forms of policy statements: While this is true from a security perspective, it is not the organization's objective. Information is an asset and is the property of the organization. As an asset, management is expected to ensure that an appropriate level of controls is in place to protect this resource.
This program is not established to meet security needs or audit requirements; it is a business process that provides management with the processes needed to perform its fiduciary responsibility. Management is charged with a trust to ensure that adequate controls are in place to protect the assets of the enterprise. An information security program that includes policies, standards, and procedures will allow management to demonstrate a standard of care. As information security professionals, it is our responsibility to implement policies that reflect the business and mission needs of the enterprise.
This chapter examines the reasons why information security policies are needed and how they fit into all elements of the organization. The development of information security policies is not an information technology or audit responsibility, nor do they remain solely in these areas.
This chapter discusses eleven organizationwide policies and, at a minimum, what each should contain with reference to information security. The policies initially discussed are high-level Tier 1 organizationwide policies and include the following: We discuss the different levels of Tier 2 (topic-specific) policies and Tier 3 (application-specific) policies throughout the remainder of the book. There are at least eleven Tier 1 policies; Tier 1 means that a policy is implemented to support the entire business or mission of the enterprise.
There are also Tier 2 policies; these are topic-specific policies and address issues related to specific subject matter. The Tier 3 policies address the requirements for using and supporting specific applications. Later in the book we present examples of a number of each of these policies; for now we present the Tier 1 policy title and a brief description of what the policy encompasses.
It is during the orientation phase that new employees should receive their first introduction to the information security requirements. Included in this process is a Nondisclosure Agreement or Confidentiality Agreement. These agreements require the signatory to keep confidential information secret and generally remain in effect even after the employee leaves the organization. The employment policies should also include condition-of-employment requirements such as background checks for key management levels or certain jobs.
A side part to the Employment policy and the Performance policy is the publication of job descriptions for every job level. These descriptions should include what is expected of employees regarding information security requirements.
See Asset Classification policy. To assure adherence to these standards, employees must have a special sensitivity to conflict-of-interest situations or relationships, as well as the inappropriateness of personal involvement in them. While not always covered by law, these situations can harm the company or its reputation if improperly handled. This is where discussions about due diligence will be addressed. Many organizations restrict conflict-of-interest policy requirements to management levels; all employees should be required to annually review and sign a responsibility statement.
Information security requirements should be included as an element that affects the level of employee performance. As discussed, having job descriptions for each job assignment will ensure that employees are reviewed fairly and completely at least annually on how they do their job and part of that includes information security. As with all policies, it discusses who is responsible for what and leads those individuals to more extensive procedures. This policy is very important for an effective information security program.
Having a policy that establishes who is responsible for administering these sanctions will ensure that all involved in the investigation are properly protected. This is the cornerstone of the information security program and works in close harmony with the enterprisewide Asset Classification Policy and the Records Management Policy. This policy establishes the concept that information is an asset and the property of the organization, and that all employees are required to protect this asset.
This policy will support the concepts established in the Employee Standards of Conduct, which address employee conduct and include harassment whether sexual, racial, religious, or ethnic. The policy also addresses requests from outside organizations for information. This will include media requests for information as well as representing the organization by speaking at or submitting whitepapers for various business-related conferences or societies.
The need to implement sound security practices to protect employees, organization property, and information assets is established here.
Included in this policy are the basic security tenets of authorized access to the facility, visitor requirements, property removal, and emergency response plans, which include evacuation procedures. The proper focus for this policy is the establishment of business unit procedures to support restoration of critical business processes, applications, and systems in the event of an outage. Included in the Business Continuity Plan Policy are the needs for business units to: This policy is probably one of the most important for information security and other organization policies and standards.
We can only write policies and establish standards and procedures for employees; all other third parties must be handled contractually. It is very important that the contract language references any policies, standards, and procedures that are deemed appropriate.
Third parties must be handled contractually. Work with the procurement group and legal staff to ensure that purchase orders and contracts have the necessary language. It would be wise to include a confidentiality or nondisclosure agreement. An example of a confidentiality agreement is included in the Sample Policy and Standards section of this book. Most organizations know that there will be a time when it will be necessary to destroy records. This policy normally establishes: It normally includes the concepts of employee responsibilities, such as the Owner, Custodian, and User.
It is a companion policy to the Records Management Policy in that it adds the last two elements in information records identification. To ensure that appropriate, informed business decisions are made in an open climate of discussion and research, a formal risk analysis process should be implemented to document all management decisions.
By establishing this level of accountability, the enterprise is creating a climate of due diligence throughout the entire organization.
This will allow third parties to examine the process and verify that due diligence was performed. As a security professional, it is very important that due diligence is established as an enterprise objective and guiding principle. Risk analysis will ensure that all decisions are based on the best needs of the enterprise and that prudent and reasonable controls and safeguards are implemented.
With the implementation of more stringent reporting mechanisms and laws (Sarbanes-Oxley) or international standards (such as British Standards BS or ISO), the formal adoption of a risk analysis process will assist in proving that the enterprise is being managed in a proper manner. Another important element found in most enterprisewide policy documents is a section on Organizational Responsibilities. This section is where the various mission statements of the enterprise organizations reside, along with any associated responsibilities.
For example: Auditing assesses the adequacy of and compliance with management, operating, and financial controls, as well as the administrative and operational effectiveness of organizational units. Information Security (IS) is to direct and support the company and affiliated organizations in the protection of their information assets from intentional or unintentional disclosure, modification, destruction, or denial through the implementation of appropriate information security and business resumption planning policies, procedures, and guidelines.
Other organizations that should be included in the Organizational Responsibilities section include see Figure 4. Standing committees are established to develop, to present for executive decision, and, where empowered, to implement recommendations on matters of significant, ongoing concern to the enterprise. Certain committees administer enterprise programs for which two or more organizations share responsibility.
The first key responsibility of this committee is the approval and implementation of the Information Security Charter as well as the Information Security Policy and the Asset Classification Policy. In addition to these two enterprisewide policies, the committee is responsible for ensuring that adequate supporting policies, standards, and procedures are implemented to support the information security program.
The ISSC is also the group responsible for reviewing and approving the results of the enterprisewide business impact analysis that establishes the relative criticality of each business process, application, and system used in the enterprise.
The results of the BIA are then used as input to develop business continuity plans for the enterprise and for the business units. The key responsibilities established for the ISSC include: The answer to that question is a resounding yes. Not only are there requirements, but the laws and acts define who is responsible and what they must do to meet their obligations.
The directors and officers of a corporation are required under the Model Business Corporation Act, which has been adopted in whole or in part by a majority of states, to perform two specific duties: The basic principle here is that senior management should not use its position to make a personal profit or gain other personal advantage. The duty of loyalty is evident in certain legal concepts: When presented with a conflict of interest, the individual has an obligation to act in the best interest of all parties.
All matters involving the corporation should be kept in confidence until they are made public. The Model Business Corporation Act establishes legal standards for compliance. A director shall discharge his or her duties: Because much fraud and falsifying of corporate data involves access to computer-held data, liability established under the Guidelines extends to computer-related crime as well. What has caused many executives concern is that the mandatory punishment could apply even when intruders enter a computer system and perpetrate a crime.
Fundamentals of Computer Security (Springer). This reference work looks at modern concepts of computer security.
It introduces the basic mathematical background necessary to follow computer security concepts before moving on to modern developments in cryptography. The concepts are presented clearly and illustrated by numerous examples. Subjects covered include: The section on intrusion detection and access control provides examples of security systems implemented as part of an operating system. Database and network security are also discussed.