
Unit - III Class Notes Cyber Security


Cyber-Security

RUC-201
[Unit – III]

Dr. Abhay Shukla

Syllabus:
Developing Secure Information Systems, Application Development Security, Information Security, Governance & Risk Management, Security
Architecture & Design, Security Issues in Hardware, Data Storage & Downloadable Devices, Physical Security of IT Assets, Access Control,
CCTV and intrusion Detection Systems, Backup Security Measures.
Information system Development
• An information system goes through a series
of phases from conception to implementation.
– This process is called the Software-Development
Life-Cycle.
• Software-development life-cycle is used to
facilitate the development of a large software
product in a systematic, well-defined, and
cost-effective way.
Secure information system development
• Secure information systems are developed by integrating risk analysis and management activities at the start of the system development life cycle (SDLC) and continuing throughout.
• Security can be integrated into any (and ideally all) of these phases.
• In most organizations that use a variant of the waterfall model, security is included with the toll gate style mentioned previously, often at the end of each phase before moving to the next one.
• Integrating security at the initial phase
• Integrating security at the Development Phase
• Integrating security at the Implementation Phase
• Integrating security at the Maintenance Phase
• Integrating security at the Disposal Phase
Secure SDLC
Integrating Security at Initial Phase
• The initial phase is where the decision is taken to develop a system.
• In this phase, security considerations primarily involve business risk related to confidentiality, integrity and availability.
• Security is looked at more in terms of business risks, with input from the information security office.
• This phase includes initiating project security planning and processes, and assessing the business impact of an activity.
• Security must be implemented from the initial phase of business requirements in terms of confidentiality, integrity, and availability.
• Define the threats and possible security constraints for the business.
• Determination of information categorization.
• Determination of any privacy requirements.
Integrating Security at Development Phase
• The development phase is where the information system is actually built.
• Primary security activities at the development stage of system development include risk assessment, security control selection and documentation.
• Role of the phase:
– Security architecture design preparation,
– security control development,
– security documentation and development

Key security activities of development phase

• Conduct the risk assessment and use the results to supplement the baseline security controls;
• Analyze security requirements;
• Perform functional and security testing;
• Prepare initial documents for system certification and accreditation; and
• Design security architecture.
Integrating Security at Implementation Phase
• Implementation/Assessment is the third phase of the SDLC.
• During this phase, the system will be installed and evaluated in the organization’s operational environment.

Key security activities of Implementation phase

• Integrate the information system into its environment;
• Plan and conduct system certification activities in synchronization with testing of security controls; and
• Complete system accreditation activities.
Integrating Security at Maintenance Phase
• In this phase, systems are in place and operating, enhancements and/or
modifications to the system are developed and tested, and hardware and/or software
is added or replaced.
• The operational system is periodically assessed to determine how the system can be
made more effective, secure, and efficient.
• Operations continue as long as the system can be effectively adapted to respond to an organization’s needs while maintaining an agreed-upon risk level.
Key security activities of maintenance phase
• Conduct an operational readiness review;
• Manage the configuration of the system;
• Institute processes and procedures for assured operations and continuous
monitoring of the information system’s security controls; and
• Perform reauthorization as required.
Integrating security at the Disposal Phase

• The disposal phase is the final stage in the SDLC, where the legacy systems are replaced by newer systems.
Application development security
• Secure development of application is a practice to
ensure that the code and processes that go into
developing applications are as secure as possible.
Secure development entails the utilization of several
processes, including the implementation of a
Security Development Lifecycle (SDL) and secure
coding itself.
• Some of the primary issues in the secure development of applications are as follows:
– Less trained/skilled developers.
– Difficulty of finding the right information related to specific security measures for particular applications.
Information security Governance and
Risk Management
• Information security needs to be governed and managed properly because information has become one of the most critical business drivers in recent years.
• Information systems are subject to serious threats that can have adverse effects on organizational operations.
Risk Management

Risk management is the continuing process to identify, analyze, evaluate, and treat loss exposures and monitor risk control and financial resources to mitigate the adverse effects of loss.
Risk management Process
Risk management
• Assessing: Assessing risk means analyzing the level of risk and the level of security provided within our organization.
• Framing: Framing the risk means sensing the threat and informing all the related activities, which execute in a sequential manner, so as to be ready to control and avert possible damage.
• In this activity we analyze the possible risks associated with the security of the information system and the organization, and then try to define certain actions for each individual case.
• Monitoring: It involves continuously checking the information system and keeping an eye on other threats and vulnerabilities that may be encountered by the organization.
• It also helps in analyzing whether the system is continuously secure or not.
• Responding: Responding to risk means taking preventive or corrective measures so that the system can be kept protected from any kind of threat, whether internal or external.
Differences between Risk Management, Risk
Assessment, and Risk Analysis
Risk Management
Risk management is the continuing process to identify, analyze,
evaluate, and treat loss exposures and monitor risk control and
financial resources to mitigate the adverse effects of loss.
Risk Assessment
Risk assessment includes processes and technologies that identify, evaluate, and report on risk-related concerns. The risk assessment process is a “key component” of the risk management process. It is primarily concerned with the Identification and Analysis phases.
Risk Analysis
Risk analysis can be considered the evaluation component of the
broader risk assessment process, which determines the significance of
the identified risk concerns.
Security architecture and Design
• The security architecture and design of a system covers the following components: hardware, software and the operating system, and how to use those components to design, architect, and evaluate secure computer systems.
• Security Architecture and Design is a three-part domain:
1. The first part covers the hardware and software required to have a secure computer system.
2. The second part covers the logical models required to keep the system secure.
3. The third part covers evaluation models that quantify how secure the system really is.
Secure System Design Concept
• We can design a secure system by implementing software and hardware specifically, applying the following principles:

– Layering
– Abstraction
– Security domains
– The ring model
– Open-closed systems
• Layering: Layering separates hardware and software functionality into modular tiers.
• A generic list of security architecture layers is as follows:
1. Hardware (bottom layer)
2. Kernel and device drivers
3. Operating system
4. Applications (top layer)
• Abstraction: Abstraction hides unnecessary details from the user.
• Complexity is the enemy of security:
– The more complex a process is, the less secure it is. That said, computers are tremendously complex machines.
• Abstraction provides a way to manage that complexity.
– For example, when music is played from a file through the computer's speaker, the user is only concerned with playing the music with a click, without knowing the internal working of the music player.
• Security Domains: A security domain is the list of objects a subject is allowed to access.
• With respect to kernels, two domains are user mode and kernel mode.
– Kernel mode (also known as supervisor mode) is where the kernel lives, allowing low-level access to memory, CPU, disk, etc. It is the most trusted and powerful part of the system.
– User mode is where user accounts and their processes live. The two domains are separated: an error or security lapse in user mode should not affect the kernel.
• The Ring Model:
• The ring model is a form of CPU hardware layering that separates and protects domains (such as kernel mode and user mode) from each other.
• Many CPUs, such as the Intel x86 family, have four rings, ranging from ring 0 (kernel) to ring 3.
• The rings are (theoretically) used as follows:
– Ring 0: Kernel
– Ring 1: Other OS components that do not fit into ring 0
– Ring 2: Device drivers
– Ring 3: User applications
• Open and Closed Systems:
• An open system uses open hardware and standards, using standard components from a variety of vendors.
– Example: an assembled desktop computer.
• A closed system uses only proprietary hardware or software from a specific vendor.
– Example: a branded desktop (HP).
Secure hardware architecture
• Secure Hardware Architecture focuses on the physical
computer hardware required to have a secure system.
• The hardware must provide confidentiality, integrity, and
availability for processes, data, and users.
Security issues in 1. hardware, 2. data storage and 3. downloadable devices
• Securing a computer system means protecting all of its components, which include
– hardware, software, storage devices, operating system and peripheral devices.
• Each component has its own vulnerabilities or weaknesses.
– Hardware parts can be stolen and destroyed.
• Security of every component of the system is equally important.
– We need to be able to control our computer system completely so that the information asset can be protected.
Security Issues in Hardware
• Hardware is the component on which the entire computer system is based; this includes the processor, hard drive and monitor.
• Hardware mainly faces security issues related to stealing, destruction, gaining unauthorized access and breaking the security code of conduct.
• Any breaking of the code of conduct needs proper security measures, such as placing the hardware within your controlled environment.

Counter Security Measures in hardware

To secure hardware from unauthorized access, the following mechanisms should be used:
• Biometric access control.
• Authentication token (entry via smart card).
• Radio Frequency Identification (RFID).
• Use VPN to provide complete security over internet.
• Use strong passwords.
• Provide limited access to the devices.
2. Security Issues with Storage Devices
• Data storage devices are used to save
information.
• Devices such as compact disk (CD), digital versatile disk (DVD), memory cards, flash drives etc.
• The main issues faced by these devices are:
– Loss and theft of data.
– Improper disposal of data.
– Introduction of malware into your system.
– Denial of data, i.e., an attack on the availability of data.
• All these issues can be overcome by using the following measures:
– Making people aware of the various kinds of attacks.
– Educating people regarding the various cyber laws of the nation.
– Making people understand the importance of security.
– Implementing certain policies and procedures that provide security for the storage devices and data.
3. Security Issues with Downloadable
(Peripheral) devices (PD)
• E.g. PD-USB: PDA, External Hard Drive
• Security issues related to them are:
– Stealing of data.
– Destruction of data.
– External attacks (virus etc.).
• Measures include:
– Protection of data from theft/ manipulation
– Protection of devices from being stolen or destroyed
– Protection of environment from undesired access.
Physical Security of IT Assets
• An IT asset is a piece of software or hardware within an information
technology environment.
• Tracking of IT assets within an IT asset management system can be
crucial to the operational or financial success of an enterprise.
• IT assets are integral components of the organization’s systems and network infrastructure. Security of data and assets is equally important.
• Physical security of our assets, especially the IT assets, is also very important.
– There are several issues that need to be countered in order to apply total security control.
• We may need locks and other access control techniques to protect our assets from unwanted users.
Physical Security of IT Assets (Threats)
• Threats to physical security are as follows:
(1) Physical access exposure to human beings: An organization's own employees are one of the main factors causing physical security threats.
• Can be controlled through
– strong authentication mechanisms
– restricted use of resources
– restricted areas and buildings
– proper standards for verification and validation of user identity.

(2) Physical access exposure to natural disasters: Natural disasters may destroy your computer systems or all data storage systems and might interrupt your network.
– For example fire, lightning, or electronic interruption.
– Can’t be controlled, but recovery measures could be taken.
Physical Security of IT Assets (Measures)
• Measures to ensure physical security of IT assets:
(1) Physical access controls
• Through photo IDs, biometric authentication systems, entry logs, magnetic locks using electronic keycards, computer terminal locks.
(2) Electronic and visual surveillance systems
• Through closed circuit television (CCTV), RFID sensors.
• CCTV cameras are also called the third eye because if a human being fails to notice people entering a restricted zone, these cameras can capture the event or photos.
(3) Intrusion Detection Systems (IDS)
• An IDS is a way of dealing with unauthorized access to information system assets.
Backup Security Measures
• The following practices should be performed for maintaining proper data backup security:
– Assigning responsibility, authority and accountability.
– Assessing risks.
– Developing data protection processes.
– Communicating the processes to the people concerned.
– Executing and testing the process.
1. Assign Accountability, Responsibility and Authority
• Make storage security a function of overall information security policies and architecture.
• Divide duties where data is highly sensitive.
• Ensure that the person authorizing access is not the person charged with responsibility for execution.
2. Assessing Risk
• Perform a risk analysis of the entire backup process.
• Execute a cost/benefit analysis on backup data encryption.
• Identify sensitive data.
3. Develop Data Protection Process
• Adopt a multi-layered security approach:
– Authentication, authorization, encryption, auditing.
• Copy your backup tapes.
4. Communicating the processes to the people concerned
• It is important to ensure that the people responsible for carrying out its security are informed and trained.
• Security policies are the most important aspect of assigning accountability, responsibility and authority.
5. Executing and testing the process
• Once the end-to-end plan has been developed, defined and communicated to the appropriate people, it is time to begin the execution and testing process.
Types of Malware
• Adware: The least dangerous and most lucrative malware. Adware displays ads on your computer.
• Spyware: Spyware is software that spies on you, tracking your internet activities in order to send advertising (adware) back to your system.
• Virus: A virus is a contagious program or code that attaches itself to another piece of software, and then reproduces itself when that software is run. Most often this is spread by sharing software or files between computers.
• Worm: A program that replicates itself and destroys data and files on the computer. Worms work to “eat” the system operating files and data files until the drive is empty.
• Trojan: The most dangerous malware. Trojans are written with the purpose of discovering your financial information, taking over your computer’s system resources, and in larger systems creating a “denial-of-service attack”. Denial-of-service attack: an attempt to make a machine or network resource unavailable to those attempting to reach it. Example: AOL, Yahoo or your business network becoming unavailable.
• Rootkit: It is the hardest of all malware to detect and therefore to remove; many experts recommend completely wiping your hard drive and reinstalling everything from scratch. It is designed to let other information-gathering malware in to get the identity information from your computer without you realizing anything.
• Back doors: Back doors are much the same as Trojans or worms, except that they open a “backdoor” onto a computer, providing a network connection for hackers or other malware to enter or for viruses or spam to be sent.
• Key loggers: A key logger records everything you type on your PC in order to glean your log-in names, passwords, and other sensitive information, and sends it on to the source of the key logging program. Many times key loggers are used by corporations and parents to acquire computer usage information.
• Ransomware: If you see a screen that warns you that you have been locked out of your computer until you pay for your cyber crimes, your system is severely infected with a form of malware called ransomware.
• Browser Hijacker: This dangerous malware will redirect your normal search activity and give you the results the developers want you to see. Its intention is to make money off your web surfing.
Access Control
• Access control is the process or mechanism for giving the authority to access specific resources, applications and systems.
• Access control defines a set of conditions or criteria to access the system and its resources.
• There are three main access control models: the mandatory access control model, the discretionary access control model, and the role-based access control model.
Types of Access control
• Mandatory access control (MAC):
• In this security policy, users do not have the authority to override the policies; it is controlled entirely centrally by the security policy administrator.
• The security policy administrator defines the usage of resources and their access policy, which cannot be overridden by end users, and the policy decides who has authority to access particular programs and files.
• MAC is mostly used in systems where priority is based on confidentiality.
• Discretionary access control (DAC):
• This policy contrasts with mandatory access control (MAC): MAC policies are determined by the system administrator, while DAC policies are determined by the end user with permission.
• In DAC, the user has complete authority over all the resources it owns, and also determines the permissions for other users who have those resources and programs.
• Role-based access control (RBAC):
• This policy is very simple to use.
• In RBAC, roles are assigned statically by the system administrator, and access is controlled depending on the roles that users have in a system.
• RBAC is mostly used to control access to computer or network resources depending on the roles of individual users within an organization.
• Because role assignment is static, it is not complex and therefore needs little attention for maintenance.
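The three models described above, side by side, as an added example that is not part of the original notes. The user and object names, the `secadmin` administrator account and the three-level label ordering are assumptions made up for illustration.

```python
"""Toy reference monitors contrasting MAC, DAC and RBAC (constructed example)."""

LEVELS = {"public": 0, "confidential": 1, "secret": 2}  # assumed label ordering
ADMIN = "secadmin"  # hypothetical security policy administrator

class MAC:
    """Labels and clearances are set centrally; end users cannot override them."""
    def __init__(self, clearances, labels):
        self._clear = dict(clearances)  # user -> level name
        self._label = dict(labels)      # object -> level name

    def can_read(self, user, obj):
        # Fail closed: unknown users are "public", unknown objects are "secret".
        have = LEVELS[self._clear.get(user, "public")]
        need = LEVELS[self._label.get(obj, "secret")]
        return have >= need

    def relabel(self, actor, obj, level):
        if actor != ADMIN:
            raise PermissionError("only the policy administrator may relabel")
        self._label[obj] = level

class DAC:
    """The owner of each object decides who else may use it."""
    def __init__(self):
        self._owner = {}  # object -> owning user
        self._acl = {}    # object -> {user: set of permissions}

    def create(self, owner, obj):
        self._owner[obj] = owner
        self._acl[obj] = {owner: {"read", "write"}}

    def grant(self, actor, obj, user, perm):
        if self._owner.get(obj) != actor:
            raise PermissionError("only the owner may grant access")
        self._acl[obj].setdefault(user, set()).add(perm)

    def allowed(self, user, obj, perm):
        return perm in self._acl.get(obj, {}).get(user, set())

class RBAC:
    """The administrator maps users to roles; permissions belong to roles."""
    def __init__(self, role_perms, user_roles):
        self._perms = {r: set(p) for r, p in role_perms.items()}
        self._roles = {u: set(r) for u, r in user_roles.items()}

    def allowed(self, user, perm):
        roles = self._roles.get(user, set())
        return any(perm in self._perms.get(r, set()) for r in roles)

def demo():
    """Run one decision per model on constructed users and objects."""
    mac = MAC({"alice": "secret", "bob": "public"}, {"payroll.db": "confidential"})
    dac = DAC()
    dac.create("alice", "notes.txt")
    dac.grant("alice", "notes.txt", "bob", "read")  # owner's discretion
    rbac = RBAC({"operator": {"backup:run"}, "auditor": {"log:read"}},
                {"bob": {"operator"}})
    return {
        "mac_bob_reads_payroll": mac.can_read("bob", "payroll.db"),
        "dac_bob_reads_notes": dac.allowed("bob", "notes.txt", "read"),
        "dac_bob_writes_notes": dac.allowed("bob", "notes.txt", "write"),
        "rbac_bob_runs_backup": rbac.allowed("bob", "backup:run"),
        "rbac_bob_reads_logs": rbac.allowed("bob", "log:read"),
    }

if __name__ == "__main__":
    print(demo())
```

In the MAC class only the administrator can change a label, in the DAC class the owner hands out access, and in the RBAC class a user gains or loses access only when the administrator changes the role assignment.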
Advantages of CCTV
• CCTV surveillance cameras provide enhanced security with utmost clarity and with ease of access.
• You can keep track of production processes and other processes in industries and other production units.
• They are a must for every retail store, boutique, supermarket and other shopping area.
• CCTV surveillance systems are not easily damaged by dust and severe climatic conditions.
• During holidays they can be installed at your property, so they ensure the security of a home without making you worry about your property when you are away.
• For people who employ a babysitter at home, a CCTV system gives you utmost satisfaction regarding your concerns about your younger one at home while looked after by a babysitter.
• You can connect the CCTV surveillance system to your mobile phone and easily access the live streaming of the recordings.
