Document Details


Uploaded by FeasibleJungle4135

NPV Pusa Road

2021

Sgt N Rajashekhar

Tags

Computer Security Cyber Security Information Security Troubleshooting

Summary

This document appears to be a course outline or syllabus for a computer and information warfare course, specifically for IPT Semester 2. It outlines topics like troubleshooting of IAF domain PCs, cyber security, cyber threats, and defensive cyber security within the Indian Air Force context. It contains chapter details, objectives, and some example questions.

Full Transcript


RESTRICTED

STUDENTS' TEXT
AT & ANT-01 COMPUTER & IW FUNDAMENTALS (Common Subject for 48 Weeks TPT)
JUN 2021, IPT / TERM-II
Authority: Air HQ /18910/4/Trg (G-II) BM-II dated 15 Jun 21
CS /IPT /T-II/COMP & IW/NOV 21/ ……….
COMMUNICATION TRAINING INSTITUTE
DESIGNED FOR TRAINING COURSE USE - DO NOT QUOTE AS AUTHORITY

Compiled by: Sgt N Rajashekhar
Edited by: WO D Singh
Edited on: Jun 21
Checked by: Sqn Ldr RS Girish

AT & ANT-01 COMPUTER & IW FUNDAMENTALS (COMMON SUBJECT)
IPT – TERM-II

CONTENTS

Chap  Subject                           Syllabus Index   Page  Periods
1     Troubleshooting of IAF Domain PC  CS/COMP&IW-II-1  05    4
2     Cyber Security                    CS/COMP&IW-II-2  09    3
3     Cyber Threat                      CS/COMP&IW-II-3  20    3
4     Defensive Cyber Security          CS/COMP&IW-II-4  31    3
5     Cyber Security in IAF             CS/COMP&IW-II-5  41    5
6     Vayusenix                         CS/COMP&IW-II-6  65    1
7     Introduction to i-Keys            CS/COMP&IW-II-7  69    1
8     Computer Typing-II                CS/COMP&IW-II-8  74    4

Due for Revision on: JUN 2024

AMENDMENT RECORD (Sl No. / Date / Amendment Details / Authority): no entries recorded.

CHAPTER-1
BASIC TROUBLESHOOTING OF DOMAIN PC

Objective
• At the end of the lesson, trainees will learn about:
• Very common domain PC errors
• Their troubleshooting procedures

1.1 Basic Troubleshooting of Domain PC

1. Logging into a computer is such a routine part of the day that it is easy not to think about the login process at all. Even so, things can and occasionally do go wrong when users log into Windows. Domain PC logon failures have various causes; the common ones and their troubleshooting procedures are discussed below.

2. System Clock. A workstation's clock can by itself cause a logon failure. If the clock differs from the domain controllers' time by more than five minutes (the default maximum clock skew that Kerberos tolerates), the logon will fail.

3. At the beginning of the authentication process, the user enters their username and password. The workstation then sends an Authentication Service request (AS-REQ) to the Key Distribution Center (KDC), a service that runs on every domain controller. This request contains several pieces of information, including:
(a) The user's identification (principal name).
(b) The name of the service the user is requesting (at this stage the Ticket Granting Service).
(c) An authenticator encrypted with the user's master key. The master key is derived from the user's password with a one-way function, so the password itself never crosses the network.

4. When the KDC receives the request, it looks up the user's Active Directory account, obtains the same master key from the password secret stored for that account, and uses it to decrypt the authenticator (also known as pre-authentication data).

5. When the workstation created the authenticator, it placed a time stamp inside the encrypted data. Once the KDC has decrypted it, it compares the time stamp with the current time on its own clock. If the two are within five minutes of each other, the AS-REQ is assumed to be valid and the authentication process continues. If they are more than five minutes apart, Kerberos assumes the request is a replay of a previously captured packet and denies the logon. When this happens, the following message is displayed: "The system cannot log you on due to the following error: There is a time difference between the client and server. Please try again or consult your system administrator."

6. The solution is to bring the workstation's clock back in step with the domain controller's clock. Domain members normally do this automatically through the Windows Time service; if the skew has crept past five minutes, resynchronise with w32tm /resync from an elevated command prompt (w32tm /query /status shows the current time source and offset) rather than setting the time by hand.

7. DNS Server Failure. If none of the users can log on to the network or domain PCs, and the domain controllers and global catalog servers are functional, a DNS server failure might have occurred. Active Directory is completely dependent on DNS.

8. The DNS server contains host records for each computer on the network.
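Before continuing with DNS, the AS-REQ time-stamp check of paragraphs 3 to 5 above, as an added Python model that is not part of this text and not Windows code. It stands in for Kerberos with a simplified construction of its own, which is an assumption of the example: the master key is the SHA-256 of the password (real Kerberos uses a salted string-to-key function), and the authenticator is the time stamp sealed with an HMAC-derived keystream plus an HMAC tag (real Kerberos uses AES with an integrity check). Clocks are passed in explicitly so the skew can be set; the five-minute limit, the replay assumption and the error message are the ones given in the text.

```python
"""Toy model of the Kerberos AS-REQ pre-authentication time-stamp check.

Added example: the cryptography here is a simplification (SHA-256 key
derivation, HMAC-keystream sealing) standing in for Kerberos string2key
and AES; the five-minute skew rule is the one the text describes."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

MAX_CLOCK_SKEW = 300  # seconds: the five-minute limit from the text

LOGON_ERROR = ("The system cannot log you on due to the following error: "
               "There is a time difference between the client and server. "
               "Please try again or consult your system administrator.")


def master_key(password: str) -> bytes:
    """One-way function from password to key (stand-in for Kerberos string2key)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Seal plaintext under key: keystream = HMAC(key, 'enc'), tag = HMAC(key, ct)."""
    stream = hmac.new(key, b"enc", hashlib.sha256).digest()
    if len(plaintext) > len(stream):
        raise ValueError("authenticator too long for this toy keystream")
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def unseal(key: bytes, sealed: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong (tag mismatch)."""
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    stream = hmac.new(key, b"enc", hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


def build_as_req(principal: str, password: str, workstation_clock: int) -> dict:
    """Workstation side (para 3): the request, with the time stamp inside the sealed authenticator."""
    authenticator = struct.pack(">q", workstation_clock)  # 8-byte big-endian epoch seconds
    return {
        "principal": principal,
        "service": "krbtgt",  # the Ticket Granting Service
        "pa_data": seal(master_key(password), authenticator),
    }


def kdc_check_as_req(req: dict, account_db: dict, kdc_clock: int) -> Tuple[bool, str]:
    """KDC side (paras 4 and 5): decrypt the authenticator, then compare clocks."""
    key = account_db.get(req["principal"])
    if key is None:
        return False, "unknown principal"
    plaintext = unseal(key, req["pa_data"])
    if plaintext is None:
        return False, "pre-authentication failed (wrong password)"
    (ts,) = struct.unpack(">q", plaintext)
    skew = abs(kdc_clock - ts)
    if skew > MAX_CLOCK_SKEW:
        # More than five minutes apart: treated as a replay of a captured packet.
        return False, LOGON_ERROR
    return True, f"AS-REQ accepted (skew {skew} s), issuing TGT"


if __name__ == "__main__":
    # Constructed account database: the KDC holds the same derived key the client computes.
    db = {"user1@EXAMPLE.LOCAL": master_key("Winter2021!")}
    req = build_as_req("user1@EXAMPLE.LOCAL", "Winter2021!", 1_700_000_000)
    print(kdc_check_as_req(req, db, 1_700_000_000 + 120))   # within skew: accepted
    print(kdc_check_as_req(req, db, 1_700_000_000 + 420))   # seven minutes out: denied
```

Note that a replayed request fails for the same reason as a slow clock: the time stamp inside it is stale, so the KDC cannot tell the two cases apart, which is why the error text only says that the client and server disagree about the time.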
The computers on the network use these host records to resolve computer names to IP addresses, and domain members additionally use the SRV records that each domain controller registers in DNS to locate a domain controller in the first place. If a DNS server failure occurs, name resolution fails, and eventually so does the logon process.

9. There are two things one has to know about DNS failures when troubleshooting logon problems. First, the logon failures may not happen immediately. Windows maintains a DNS cache holding the results of previous queries, which prevents workstations from flooding DNS servers with repeated resolution requests for the same names.

10. In many cases workstations will have cached the IP addresses of domain controllers and global catalog servers. Even so, cached entries eventually expire (when their TTL runs out) and must be refreshed, so logon problems are most likely to be noticed when the cached host records begin to expire. The cache on a workstation can be inspected with ipconfig /displaydns and cleared with ipconfig /flushdns.

11. The other thing to notice about DNS server failures is that there are usually plenty of other symptoms besides logon failures. Unless machines on the network are configured to use a secondary DNS server when the primary fails, the entire Active Directory environment will eventually grind to a halt. Although there are exceptions, the absence of a working DNS server on an Active Directory network generally amounts to a total communications breakdown.

POINTS TO REMEMBER
• A workstation's clock can cause a logon failure. If the clock differs from the domain controllers' time by more than five minutes, the logon will fail.
• If none of the users can log on to the network or domain PCs, and the domain controllers and global catalog servers are functional, a DNS server failure might have occurred. Active Directory is completely dependent on DNS.

Self Assessment

MCQ
1. If the time stamp and the current time are within …… minutes of each other, the Kerberos Authentication Service request is assumed to be valid.
(a) 5 (b) 10 (c) 15 (d) 20
Ans: (a)

DTQ
1. What is basic troubleshooting of a domain PC?

CS/COMP&IW-II-2
CHAPTER-2
CYBER SECURITY

Objective
• At the end of the lesson, trainees will learn about:
• Definition of information, need for security of information and critical information infrastructure (CII).
• Confidentiality, integrity and availability (CIA).
• Concept of threat, vulnerability and risk.
• Concepts of policy, process and people, strategy, baselines, guidelines and procedures with respect to cyber security.

2.1

1. Computer security, also known as cyber security or IT security, is the protection of information systems from theft of or damage to the hardware, the software and the information on them, as well as from disruption or misdirection of the services they provide.

2. It includes controlling physical access to the hardware, as well as protecting against harm that may come via network access, data and code injection, and malpractice by operators, whether intentional or accidental.

3. The field is of growing importance because of the increasing reliance on computer systems in most societies and the growth of "smart" devices, including smartphones, the Internet, and wireless networks such as Bluetooth and Wi-Fi.

4. Information. Information is organised or classified data that has meaningful value for the receiver; it is the processed data on which decisions and actions are based. Examples are time tables, merit lists, report cards, headed tables, printed documents, pay slips, receipts and reports. For a decision to be meaningful, the processed data must have the following characteristics:
(a) Timely. Information should be available when required.
(b) Accuracy. Information should be accurate.
(c) Completeness. Information should be complete.
5. Need for Security of Information. Information security is about protecting the CIA triad, i.e. the confidentiality, integrity and availability of information. Consider these questions:
(a) Do you have information that needs to be kept confidential or secret?
(b) Do you have information that needs to be accurate?
(c) Do you have information that must be available when you need it?

6. If the answer to any of these questions is yes, then you have a need for information security. We need information security to reduce the risk of unauthorised information disclosure, modification and destruction.

7. Assets. Any digital material owned by an enterprise or individual, including text, graphics, audio, video and animations. A digital asset is owned by a company if it was created on a computer by its employees; images scanned into the computer are also digital assets. Assets can be broadly classified as follows:
(a) Information Assets. Every piece of information about an organisation falls in this category. This information has been collected, classified, organised and stored in various forms: databases, data files, operational and support procedures, and archived information.
(b) Software Assets. Application software and system software.
(c) Physical Assets. Computer equipment such as servers, desktops and notebook computers; communication equipment such as modems, routers, EPABXs and fax machines; storage media such as magnetic tapes, hard disks and CD/DVD; and technical equipment such as power supplies and air conditioners.

Critical Information Infrastructure (CII)

8. A critical information infrastructure means "any physical or virtual information system, no matter where such system exists, that controls, processes, transmits, receives or stores electronic information in any form, including data, voice or video, that is vital to the functioning of critical infrastructure or owned or operated by or on behalf of a state or local government or organization".

9. The CII to a large degree consists of the information and telecommunications sector, and includes components such as telecommunications, computers and software, the Internet, satellites and fibre optics.

2.2 CONFIDENTIALITY, INTEGRITY AND AVAILABILITY (CIA)

10. A well-structured, enterprise-wide information security program must ensure that the core concepts of availability, integrity and confidentiality are supported by adequate security controls designed to reduce the risks of loss, disruption or corruption of information. Each of the three principles of the CIA triad is defined as follows.

Fig 2.1 (diagram of the CIA triad)

(a) Confidentiality. Confidentiality supports the principle of "least privilege": only authorised individuals, processes or systems should have access to information, and then only on a need-to-know basis. An important measure the security architect uses to ensure confidentiality is data classification. A sample control for protecting confidentiality is to encrypt information.
(b) Integrity. Integrity is the principle that information should be protected from intentional, unauthorised or accidental changes. Information stored in files, databases, systems and networks must be reliable enough to process transactions accurately and provide accurate information. Controls are put in place to ensure that information is modified only through accepted practices.
(c) Availability. Availability is the principle that information is available and accessible to users when needed. The two primary areas affecting the availability of systems are:
(i) Denial-of-Service (DoS) attacks.
(ii) Loss of service due to a disaster, which could be man-made (e.g. poor capacity planning resulting in a system crash, outdated hardware, or poor testing resulting in a system crash after an upgrade) or natural (e.g. earthquake, tornado, blackout, hurricane, fire or flood).

Threat, Vulnerability and Risk

11. Threat. A threat is "any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service". Threat sources can be grouped into a few categories: human, natural, technical, physical and environmental.

12. Vulnerabilities. A vulnerability is an inherent weakness in an information system, security procedures, internal controls or implementation that could be exploited by a threat source. In the field it is common to identify vulnerabilities according to whether they relate to people, processes, data, technology or facilities. Examples include:
(a) Absence of a receptionist, mantrap or other physical security mechanism at the entrance to a facility.
(b) Unpatched or misconfigured information systems.

13. Risk Assessment. Risk is a function of threats, vulnerabilities, likelihood and impact. Risk assessments may be qualitative, quantitative or a hybrid of the two. Qualitative risk assessments define risk in relative terms such as "high", "moderate" or "low". Quantitative risk assessments attempt to provide specific measurements and impacts, with money representing the expected loss. In many cases the two methods are combined to get the best of both.

14. Risk Avoidance.
Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realised: the activity is changed so that the threat no longer applies.

15. Risk Mitigation. Risk mitigation is the practice of eliminating, or significantly reducing, the level of risk presented, typically by adding controls that lower the likelihood or the impact.

2.3 Policy, Process and People

16. The Security Policy describes a common set of practices, based on international standards, that supports the protection of government assets. The primary goal of the Information Security Policy is to prevent or minimise the likelihood and impact of information security breaches and to enhance the protection of information and information resources. Information security breaches that can impact an organisation's operations include:
(a) Unauthorised access to information.
(b) Unauthorised or unintentional disclosure or leakage of information.
(c) Data tampering or vandalism.
(d) Destruction of or interference with computing systems leading to system outages or failures.

17. Use of the Information Security Policy leads to coordinated effort to protect information and results in stronger confidence. The Information Security Policy is:
(a) A common measure for improvements in protecting information and information resources.
(b) An indication of good information security practices that should be common within the organisation.
(c) A set of coordinated standards and guidelines to prevent, detect or correct activities that might result in an information security breach.
(d) In the extreme, a tool for dealing with misconduct or inappropriate behaviour.

Computer Security Policy Categories and Types

18. Once you have determined the value of your data, you need to develop a set of policies to help protect it. These are called security policies and may apply to users, the IT department and the organisation in general.

19. The first items that should be defined are the policies related to the use and handling of your data. This will help you determine defensive measures and procedures. The policies fall into three areas:
(a) User Policies. Define what users can do when using the network or data, and also define security settings that affect users, such as password policies. The user policies include:
(i) Password Policies. This policy helps keep user accounts secure. It defines how often users must change their passwords, how long passwords must be, complexity rules (the types of characters required, such as lower-case letters, upper-case letters, numbers and special characters) and other items.
(ii) Proprietary Information Use. Acceptable use of any proprietary information owned by the organisation: where it can be stored, where it may be taken, and how and where it can be transmitted.
(iii) Internet Usage. Rules for the use of internet mail and of programs that send passwords or unencrypted data over the internet.
(iv) System Use. Program installation, no instant messaging, no file sharing, and restrictions on use of your account or password (not to be given away).
(v) User devices must be checked for viruses and Trojans and must have a firewall and antivirus.
(b) IT Policies. Define the policies of the IT department used to govern the network for maximum security and stability. These include general policies for the IT department intended to keep the network secure and stable:
(i) Virus incident and security incident policies.
(ii) Backup Policies. Define what to back up, who backs it up, where it is stored, how long it is kept, how backups are tested, and what program is used to do backups.
(iii) Client Update Policies. How often clients are updated, and using what means or tools.
(iv) Server configuration, patch update and modification policies (security).
(v) Firewall Policies. What ports to block or allow, how to interface with or manage the firewall, and who has access to the control console.
(c) General Policies. High-level policies defining who is responsible for the policies, along with business continuity planning and policies. The organisation continuity plan includes the following:
(i) Crisis Management. What to do during any crisis which may threaten the organisation.
(ii) Disaster Recovery. Sub-functions:
(aa) Server recovery
(ab) Data recovery
(ac) End-user recovery
(ad) Phone system recovery
(ae) Emergency response plan
(af) Workplace recovery

Baselines

20. The term baseline refers to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. Baselines are also used to define the minimum level of protection required.

Guidelines

21. Guidelines are recommended actions and operational guides for users, IT staff, operations staff and others when a specific standard does not apply. Guidelines can deal with the methodologies of technology, personnel or physical security.

Procedures

22. Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members and others who may need to carry out specific tasks. Many organisations have written procedures on how to install operating systems, configure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit activities, destroy material, report incidents, and much more.

23. Procedures are considered the lowest level in the documentation chain because they are closest to the computers and users (compared to policies) and provide detailed steps for configuration and installation issues.
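Paragraphs 13 to 15 above describe qualitative and quantitative risk assessment and the two treatments, avoidance and mitigation. The following is an added Python example, not part of this text, that carries a small risk register through both forms and then shows what each treatment does to a risk. It assumes the common quantitative convention (not stated in the text) that expected annual loss is asset value × exposure factor × annual rate of occurrence, and a qualitative banding of high/moderate/low on that figure; the assets, values, exposure factors and rates in the sample register are constructed for illustration.

```python
"""Added example: qualitative and quantitative risk assessment over a small
risk register, then the effect of mitigation and avoidance.

Assumptions (not from the text): annualised loss expectancy (ALE) is
asset value * exposure factor * annual rate of occurrence, and the
qualitative band is read off the ALE against fixed thresholds."""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    asset_value: float      # money at stake in the asset (quantitative input)
    exposure_factor: float  # fraction of asset value lost per incident, 0..1 (impact)
    annual_rate: float      # expected incidents per year (likelihood)

    def sle(self) -> float:
        """Single loss expectancy: the impact of one incident, in money."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: likelihood x impact, money per year."""
        return self.sle() * self.annual_rate


# Qualitative banding thresholds on ALE (assumed; an organisation sets its own).
BANDS = (("high", 100_000.0), ("moderate", 10_000.0), ("low", 0.0))


def qualitative(risk: Risk) -> str:
    """Relative rating in the text's terms: 'high', 'moderate' or 'low'."""
    for label, floor in BANDS:
        if risk.ale() >= floor:
            return label
    return "low"


def mitigate(risk: Risk, rate_reduction: float = 0.0, exposure_reduction: float = 0.0) -> Risk:
    """Risk mitigation (para 15): a control lowers likelihood and/or impact."""
    return replace(
        risk,
        annual_rate=risk.annual_rate * (1.0 - rate_reduction),
        exposure_factor=risk.exposure_factor * (1.0 - exposure_reduction),
    )


def avoid(risk: Risk) -> Risk:
    """Risk avoidance (para 14): the activity is changed so the threat no longer applies."""
    return replace(risk, annual_rate=0.0)


def assess(register: List[Risk]) -> List[Tuple[str, str, float, str]]:
    """Hybrid report: quantitative ALE and qualitative band per risk, highest first."""
    rows = [(r.asset, r.threat, round(r.ale(), 2), qualitative(r)) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register (illustrative figures, not real ones).
REGISTER = [
    Risk("file server", "ransomware", "unpatched SMB service", 500_000, 0.6, 0.5),
    Risk("web portal", "DoS attack", "no rate limiting", 200_000, 0.1, 2.0),
    Risk("server room", "flood", "below flood line, no sensors", 800_000, 0.9, 0.01),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
    patched = mitigate(REGISTER[0], rate_reduction=0.75)  # patching cuts the rate by three quarters
    print("after mitigation:", round(patched.ale(), 2), qualitative(patched))
    print("after avoidance:", avoid(REGISTER[0]).ale(), qualitative(avoid(REGISTER[0])))
```

The quantitative figure is what justifies spending on a control (a control costing more per year than the ALE it removes is not worth it), while the qualitative band is what most readers of the register act on; carrying both, as paragraph 13 suggests, keeps the two from disagreeing.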
POINTS TO REMEMBER
• Computer security, also known as cyber security or IT security, is the protection of information systems from theft of or damage to the hardware, the software and the information on them, as well as from disruption or misdirection of the services they provide.
• Every piece of information about your organisation falls into the information assets category.
• CII means "any physical or virtual information system that controls, processes, transmits, receives or stores electronic information in any form, which is vital to the functioning of critical infrastructure or owned by government or organization".
• Confidentiality supports the principle of "least privilege": only authorised individuals should have access to information, on a need-to-know basis.
• Integrity is the principle that information should be protected from intentional, unauthorised or accidental changes.
• Availability is the principle that ensures that information is available and accessible to users when needed.
• The Security Policy describes a common set of practices, based on international standards, that supports the protection of government assets.

Self Assessment

MCQ
Q1. CII stands for …………….
(a) Critical Information Infrastructure (b) Control Information Infrastructure (c) Control Internet Infrastructure (d) Critical Information Internet
Q2. The …………… describes a common set of practices, based on international standards, that supports the protection of government assets.
(a) Security rule (b) Security Policy (c) Government Rule (d) Local Policy
MCQ Ans: 1(a), 2(b)

DTQ
Q1. Why do we need information security?
Q2. What is critical information infrastructure?
Q3. Explain the CIA triad in brief.
Q4. Write some examples of vulnerabilities.
Q5. List the kinds of information security breach.
Q6. Write the general IT policies.
CS/COMP&IW-II-3
CHAPTER-3
CYBER THREAT

Objective
• At the end of the lesson, trainees will learn about:
• Introduction to cyber threats in cyberspace, actors and motives.
• Attack methodology and attack vectors in cyberspace.
• Introduction to social media, cyber war and cyber weapons.

3.1 Introduction to Cyber Threat

1. Cyber threats are actions by persons who attempt unauthorised access to a control system device and/or network using a data communications pathway. This access can be directed from within an organisation by trusted users or from remote locations by unknown persons using the Internet or an intranet. Threats can come from numerous sources, including hostile governments, terrorist groups, disgruntled employees and malicious intruders.

Cyberspace

2. Cyberspace is a domain characterised by the use of electronics and the electromagnetic spectrum to store, modify and exchange data via networked systems and associated physical infrastructures. In effect, cyberspace can be thought of as the interconnection of human beings through computers and telecommunications, without regard to physical geography.

3. Cyberspace is a conceptual electronic space unbounded by distance or other physical limitations.

4. Amongst individuals in cyberspace there is believed to be a code of shared rules and ethics that it is mutually beneficial for all to follow, referred to as cyber ethics.

5. Cyberspace includes:
(a) Physical infrastructures and telecommunications devices.
(b) Computer systems.
(c) Networks between computer systems.
(d) Networks of networks that connect computer systems.
(e) The access nodes of users and intermediary routing nodes.

Actors and Motive

6. The threat landscape has rapidly expanded over the past few years, and shows no signs of contracting. With major establishments in both the public and private sectors falling victim to cyber attacks, it is critical for organisations to identify the motivations, modus operandi (MO) and objectives of adversaries in order to defend their networks adequately and effectively. Examples of cyber attack are hacking, cyber crime, cyber espionage and phishing.

Attack Methodology and Attack Vectors

7. Attack Methodology. Attack Methodology Analysis (AMA) was developed specifically for performing threat assessments on computer-based networks. AMA is the process of identifying the components of control systems, identifying vulnerabilities in those components, mapping existing exploits or attack tools to those vulnerabilities, and analysing the gap between current defensive capabilities for those vulnerabilities and accessible exploit technology. Threat is measured using the following formula:

Threat = Level of Vulnerability + Value of System

8. Value of Systems. A computerised host, including the computers on a control system network, can have different values in an organisation. The data on a box might have significant economic or functional value to the organisation, so that its loss or corruption would greatly impact business or control system operations. The value of the system as a target for a cyber adversary is what AMA considers.

9. AMA can be used to generate the value for systems by analysing easily accessible technical information. AMA is an actor-independent threat assessment technique that allows control system defenders to use known information about system value and level of vulnerability to determine the threat level.

10. Attacker Process. Attackers follow a broadly common methodology. To beat a hacker you have to think like one, so it is important to understand that methodology. The steps a hacker follows can be broadly divided into:
(a) Performing a survey (reconnaissance).
(b) Scanning and listing (enumeration).
(c) Gaining access.

11. Attack Vector. An attack vector is the approach used to assault a computer system or network; it can also be called the "method or type of attack". For example, an operating system or web browser may have a flaw that is exploited by a website. Human shortcomings are also used to engineer attack vectors: a novice user may open an e-mail attachment that contains a virus.

12. If vulnerabilities are the entry points, attack vectors are the ways attackers launch their assaults or try to infiltrate. In the broadest sense, the purpose of an attack vector is to implant a piece of code that makes use of a vulnerability. This code is called the payload.

13. Most known attack vectors can be classified into one of three categories of interaction: low, medium or high. Today most focus is on low-interaction vectors.

14. Low Interaction Vector. These are vectors that require attackers to do much of the work ahead of time. Most of the effort is reconnaissance: working out the where and how of the attack. Victims need to do little for these attacks to succeed. Many of the vectors in this category target Internet applications. Examples are phishing, buffer overflows and brute-force attacks.

Cyber Crime

15. Cyber crime refers to any criminal act involving a computer system; here the term refers to crime carried out for financial gain. Financial institutions and their clients are most frequently targeted by cyber criminals, and card payment and online banking fraud are the lifeblood of this type of attack.

16. Cyber criminals seek information using the following methods:
(a) ATM and Point-of-Sale (PoS) Skimming. Stealing card and PIN information when cards are used at ATMs, credit/debit card terminals and other card readers.
(b) Code Injection. Introducing malicious code into a computer program to redirect the system's actions.
(c) Key Logging.
Using a program to record computer keystrokes in order to obtain confidential information.
(d) Phishing. Creating fraudulent, socially engineered electronic content (websites, e-mails, etc.) that appears to come from a legitimate source, enticing victims to provide confidential information.

3.2 Social Media

17. Social media are web-based communication tools that enable people to interact with each other by both sharing and consuming information.

18. A particular site can be classified as a social site if it has at least one of the following features:
(a) User Accounts. The site allows visitors to create their own accounts that they can log in to.
(b) Profile Pages. Since social media is all about communication, a profile page is often necessary to represent an individual. It often includes information about the user, such as a profile photo, a feed of recent posts, recommendations, recent activity and more.
(c) Friends, Followers, Groups etc. Individuals use their accounts to connect with other users. They can also use them to subscribe to certain forms of information.
(d) News Feeds. When users connect with other users on social media, they are essentially saying "I want to get information from these people". That information is updated for them in real time via their news feed.
(e) Notifications. Any site or app that notifies users about specific information; users have control over these notifications and can choose the types they want to receive.
(f) Information Updating, Saving or Posting. If a site or application allows you to post anything, with or without a user account, then it is social. A post could be a simple text message, a photo upload, a YouTube video, a link to an article, and so on.

Case Study: Honey Trapped

19. LAC Nasty got a Facebook friend request from a pretty woman based in the United Kingdom three years ago. He thought himself the luckiest of young men when the friendship took a spicy turn that included dirty talk late at night. Already addicted to social media, he began to stay online almost all day waiting for the woman, Damini McNaught, to come online and fulfil his fantasies.

20. McNaught's Facebook profile showed her to be a resident of Beeston, Leeds, and an executive for an investigative magazine there. Nasty was titillated by the intimate chatter, made all the more naughty by the woman's strong British accent. They soon moved from text chats to audio and photo exchanges on WhatsApp.

21. During one such tete-a-tete, McNaught seductively asked the LAC for some information on the IAF, apparently for the news magazine she worked for. She had earlier even interviewed him for the magazine, so an enamoured Nasty thought nothing of divulging the information. In fact, he thought it a bonus when she said she would pay him for any material he passed to her.

22. One day the woman asked him if he could give her some details about one very important unit of the IAF. He refused, knowing how strategically important this unit is to the IAF. He might as well have been hit by a missile, for the woman suddenly turned from coy to vicious, confronting him with recordings of the chats and documentation of the information he had shared earlier.

23. Too late, Nasty realised he had become the latest victim of an ISI honey trap. Threatened with exposure, he had no option but to pass on crucial IAF-related information to an ISI handler he was introduced to. Every time he moved stations for training, from Belgaum to Chennai and lately to Delhi, the ISI dogged him, sometimes over Facebook and WhatsApp but also via Skype. Thrice in Belgaum, six times in Chennai and also in Delhi, Nasty leaked sensitive data on air force exercises, movement of aircraft and deployment of various flying units, his major lapse being supplying the position and other details of fighter jets at important units.

24. Incriminating evidence, including bank account details and the mobile phones used to stay in touch with the ISI handlers, was seized. LAC Nasty was dismissed by the IAF and subsequently placed under arrest by police. He was brought to Delhi on transit remand and taken into further custody. An FIR under the Official Secrets Act has been registered in this connection at the inter-state cell of the crime branch.

25. What worries the police more is the modus operandi adopted by the ISI, which uses the virtual world and virtual identities to lay honey traps.

26. Social Networking. A social network is a social structure made up of individuals or organisations, called nodes, which are connected by one or more specific types of interdependency, such as friendship, common interest or shared beliefs. Social networking sites are used not only to communicate or interact with other people globally, but also as an effective way to promote a business. Examples are Facebook and MySpace.

27. Cyber Threats in Social Networking Websites. Social networks attract huge numbers of users who represent potential victims for attackers of the following types:
(a) Phishers and Spammers. Phishers and spammers use social networks to send fake messages to a victim's "friends". Cyber criminals and fraudsters use social networks to capture user data and then carry out their social engineering attacks. Terrorist groups create online communities for spreading their thoughts, propaganda and views, and for recruitment.
(b) Privacy Related Threats.
Profile pages carry a variety of information that may include very sensitive data such as dates of birth, home addresses and personal mobile numbers. Attackers can use this information in social engineering attacks to exploit the victim and steal money.

(c) Traditional Network Threats. Generally, there are two types of security issue: the security of people and the security of the computers. Since social networks have enormous numbers of users and store enormous amounts of data, they are natural targets for attack. Online social attacks also include identity theft, insult, stalking, injury to personal dignity and cyber bullying. Attackers create false profiles that mimic personalities or brands, or impersonate a known individual within a network of friends in order to insult or deceive.

28. Social Engineering. Social engineering is the art of manipulating people so that they give up confidential information. The types of information these criminals seek vary.

3.3 Cyber War and Cyber Weapons

29. Cyber Warfare. Cyber warfare can be defined as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption."

30. In cyber warfare, a nation-state penetrates another nation's network with the help of the following types of cyber threat:-

(a) Traditional Threats. These threats typically arise from states employing recognized military capabilities and forces in well-understood forms of military conflict. Within cyberspace, these threats may be less well understood because of the continuing evolution of technologies and methods.

(b) Irregular Threats. Irregular actors can use cyberspace as an unconventional, asymmetric means to counter traditional advantages.

(c) Catastrophic (Disastrous) Threats. These involve the acquisition, possession and use of weapons of mass destruction (WMD) or methods producing WMD-like effects.
Such catastrophic effects are possible in cyberspace because cyberspace is linked to critical infrastructure systems.

(d) Natural Threats. Acts of nature such as floods, hurricanes, lightning and tornados can damage and disrupt cyberspace. Such events often produce highly destructive effects.

(e) Accidental Threats. These are unpredictable and can take many forms, from the cutting of a fibre optic cable at a key cyberspace node to the unintentional introduction of a virus; accidental threats disrupt the operation of cyberspace without any intent.

31. Cyber Weapon. A cyber weapon is a malware agent employed for military, paramilitary or intelligence objectives. Cyber weapons include computer viruses and other software that can be used to penetrate enemy networks. Defining these tools as weapons, as opposed to systems or processes, allows the military to apply the same authorization controls as it applies to conventional weapons such as guns and tanks.

32. The following malware agents and attack tools generally meet the criteria for a weapon and have been formally referred to in this manner by industry security experts and in government or military statements:-

(a) Duqu
(b) Flame
(c) Great Cannon
(d) Stuxnet
(e) Wiper

"Cyber weapon" is itself a new phrase that has emerged only recently, adding to the already cluttered glossary of cyber warfare.

POINTS TO REMEMBER

• Cyber threats to a control system come from persons who attempt unauthorized access to a control system device and/or network using a data communications pathway.
• A cyber threat is any identified effort directed toward access to, manipulation of, or impairment of the integrity, confidentiality, security or availability of data, an application or a system, without lawful authority.
• Cyberspace is a conceptual electronic space unbounded by distance or other physical limitations.
• Attack Methodology Analysis (AMA) is the process of identifying the components of control systems, identifying vulnerabilities in those components, mapping existing exploits or attack tools to those vulnerabilities, and analyzing the gap between current defensive capabilities for those vulnerabilities and accessible exploit technology.
• A cyber weapon is a malware agent employed for military, paramilitary or intelligence objectives.

Self Assessment

MCQ
Q1. Attack Methodology Analysis (AMA) comes under ……………….
(a) Social engineering
(b) Attack methodology
(c) Cyber weapon
(d) Attack vector

MCQ Ans: 1(b)

DTQ
Q1. What is cyberspace?
Q2. What is attack methodology analysis (AMA)?
Q3. Explain social networking.
Q4. Name some probable cyber weapons.

CS/COMP&IW-II-4

CHAPTER-4

DEFENSIVE CYBER SECURITY: PHYSICAL SECURITY

Objective
At the end of the lesson, trainees will learn about:-
• Physical security and access controls for defensive cyber security.
• Personnel security, incident management and handling.
• Information system audit for defensive cyber security.

4.1 Physical Security and Access Controls

1. Importance of Physical Security. Without proper attention to the physical security of information assets, IT assets and infrastructure are always under threat from known or unknown sources and from accidental hazards.

2. Physical security risk to IT assets is not limited to a physical break-in at the server or asset room; there are also major environmental risks such as fire, flood and earthquake. To control the physical security of IT assets you need to identify all the assets that you consider sensitive and important for your organization. The physical security of IT assets can be broadly categorized according to the following criteria:-

(a) Security of Asset Location. The room housing the information assets needs to be physically secured.
It is always good practice not to disclose the location of the server room to the public; the fewer people who know its location, the better. There should be a single entry to the server room, plus one emergency exit door. The entrance door should not be directly visible from the area where the majority of the staff work.

(b) Human Access Control. Prior approval is to be taken for all personnel before they enter the server room. The daily maintenance team may be an exception, but it is better to have a supervisor present when maintenance work is carried out. All personnel are to be physically verified and must carry an identity card; where possible, implement digital or biometric access control. Finally, there should be closed-circuit cameras both inside and outside the asset room, and access to the digital recording devices must be properly monitored and logged.

(c) Environmental Control. Make sure that all the equipment installed inside the server room is audited regularly. Make sure there are at least two emergency power-off switches for the server room itself, one inside and the other outside the room.

3. Physical Controls. These controls range from doors, locks and windows to environmental controls, construction standards and guards.

4. Physical controls must adhere to the same basic principles as other forms of control: separation of duties and least privilege. For example, it may be necessary to segment the job roles of various employees to ensure that no single point of failure or collusion allows threat agents to enter unchecked.

5. All access rights and privileges should be regularly reviewed and audited. This should include random checks on seemingly authorized users, control devices, approval processes, and the training of employees responsible for physical security.

6. Access Controls. There are literally hundreds of different access approaches, control methods and technologies, both in the physical world and in the virtual electronic world. Each method addresses a different type of access control or a specific access need. For example, access control solutions may incorporate identification and authentication mechanisms, filters, rules, rights, logging and monitoring, policy and a plethora of other controls. Despite this diversity, all access control systems can be categorized into seven primary categories:-

(a) Directive. Controls designed to specify acceptable rules of behavior within an organization.
(b) Deterrent. Controls designed to discourage people from violating security directives.
(c) Preventive. Controls implemented to prevent a security incident or information breach.
(d) Compensating. Controls implemented to substitute for the loss of primary controls and mitigate risk to an acceptable level.
(e) Detective. Controls designed to signal a warning when a security control has been breached.
(f) Corrective. Controls implemented to remedy circumstances, mitigate damage or restore controls.
(g) Recovery. Controls implemented to restore conditions to normal after a security incident.

Personnel Security, Incident Management and Incident Handling

7. Personnel Security. Personnel security is a system of policies and procedures which seek to manage the risk of staff (permanent, temporary or contract) exploiting, or intending to exploit, their legitimate access to an organization's assets or premises for unauthorized purposes. Robust personnel security helps an organization to:-

(a) Employ reliable people.
(b) Minimize the chances of staff becoming unreliable once they have been employed.
(c) Detect suspicious behavior and resolve security concerns once they emerge.

8. Challenges of Personnel Security. Personnel security is an extremely challenging area of security. In order to function, an organization must allow access to sensitive data, but in an instant a trusted employee can become an attacker.

9. Objectives of Personnel Security. Generally, there are two high-level objectives of personnel security. The first is to protect sensitive information by securely managing the "life-cycle" of employment. The life-cycle has three phases: pre-employment, during employment and post-employment.

10. Core Elements of Personnel Security. By analyzing a combination of best practices, real incidents and regulatory requirements, several key areas can be identified that a personnel security policy should cover to best protect the organization. These are the "Six Pillars" of personnel security:-

(a) Pillar 1: Screening. Screening is the process of verifying a prospective employee's credentials and suitability for the job, most often in the form of a background check. The general idea is to make sure that former criminals are not hired or placed in positions of trust within the organization.

(b) Pillar 2: Contracts. Controls related to contracts include employment agreements, non-compete agreements, non-disclosure agreements and intellectual property agreements. Contracts are designed to protect intellectual property from being stolen or lost.

(c) Pillar 3: Security Policy Acknowledgement. Every employee or contractor with access to information must be made aware of the information security policies that apply to them. In most organizations this includes a high-level "Code of Conduct" as well as acceptable use policies such as an Internet Acceptable Use policy.

(d) Pillar 4: Security Education. One of the most often ignored aspects of personnel security is awareness and education. Employees must be trained in basic information security principles so that they can recognize common threats such as phishing attacks.
Study after study has shown that human error is the root cause of the majority of data breaches. In addition to basic security education, employees should also be trained in the information security policies of the organization.

(e) Pillar 5: Monitoring. Although employees are by definition trusted by the organization, their behavior must still be monitored at some level. The type and level of monitoring depend on many factors, including the sensitivity of the data being used.

(f) Pillar 6: Termination Procedures. The final essential component of personnel security is having proper termination procedures in place and enforced. Once an employee is no longer employed (or has indicated that they are going to leave), both logical and physical access must be terminated. In addition, the exit process usually involves the return of organizational property such as laptops and access badges.

11. Incident Management. The primary goal of the incident management process is to restore normal service operation as quickly as possible and minimize the adverse impact on operations, thereby ensuring that the best possible levels of service quality and availability are maintained. Incident management covers any event which disrupts, or could disrupt, a service. The objective of incident management is to provide a consistent process for tracking incidents that ensures the following:-

(a) Incidents are properly logged.
(b) Incidents are properly routed.
(c) Incident status is accurately reported.
(d) The queue of unresolved incidents is visible and reported.
(e) Incidents are properly prioritized and handled in the appropriate sequence.

12. Main Function (Service Desk). Incident management involves several functions. The most important is the service desk or "help desk". The service desk is the single point of contact for users to report incidents.
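The objectives listed in para 11 are easiest to see in working form. The Python script below is an added example written for this text; it is not code from IAP 3903, from any IAF service desk tool or from any other source named on this page. It parses a few constructed OpenSSH-style log lines (not real records), raises one incident per source address that produced a burst of failed logins, and records each incident the way para 11 asks: logged with an identifier, routed to a support tier, given a priority from a small impact-by-urgency matrix and tracked by status, with the open queue returned in handling order. The failure threshold, time window, priority bands, tier rule and the year assumed for the yearless syslog timestamps are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in syslog/OpenSSH format; not taken from any real system.
SAMPLE_LOG = """\
Mar 12 09:14:01 srv01 sshd[2201]: Failed password for invalid user admin from 10.20.30.40 port 51234 ssh2
Mar 12 09:14:03 srv01 sshd[2201]: Failed password for invalid user admin from 10.20.30.40 port 51235 ssh2
Mar 12 09:14:05 srv01 sshd[2201]: Failed password for root from 10.20.30.40 port 51236 ssh2
Mar 12 09:14:08 srv01 sshd[2201]: Failed password for root from 10.20.30.40 port 51237 ssh2
Mar 12 09:14:10 srv01 sshd[2201]: Failed password for root from 10.20.30.40 port 51238 ssh2
Mar 12 09:14:31 srv01 sshd[2201]: Accepted password for root from 10.20.30.40 port 51240 ssh2
Mar 12 09:20:15 srv01 sshd[2310]: Failed password for ops from 10.20.30.77 port 40001 ssh2
Mar 12 09:20:40 srv01 sshd[2310]: Accepted publickey for ops from 10.20.30.77 port 40002 ssh2
Mar 12 10:05:00 srv01 sshd[2390]: Failed password for backup from 10.20.30.99 port 33001 ssh2
Mar 12 10:05:04 srv01 sshd[2390]: Failed password for backup from 10.20.30.99 port 33002 ssh2
Mar 12 10:05:09 srv01 sshd[2390]: Failed password for backup from 10.20.30.99 port 33003 ssh2
Mar 12 10:05:13 srv01 sshd[2390]: Failed password for backup from 10.20.30.99 port 33004 ssh2
Mar 12 10:05:18 srv01 sshd[2390]: Failed password for backup from 10.20.30.99 port 33005 ssh2
Mar 12 10:05:22 srv01 sshd[2390]: Failed password for backup from 10.20.30.99 port 33006 ssh2
Mar 12 11:02:00 srv01 sshd[2400]: Failed password for ops from 10.20.30.77 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
LOG_YEAR = 2024  # syslog timestamps carry no year; this value is an assumption of the example


def parse_line(line):
    """Return a dict for one sshd auth line, or None for lines the rule does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{LOG_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def priority(impact, urgency):
    """Impact x urgency (each 1 low .. 3 high) folded into four priority bands."""
    score = impact * urgency
    if score >= 9:
        return "P1"
    if score >= 6:
        return "P2"
    if score >= 3:
        return "P3"
    return "P4"


def detect_incidents(log_text, threshold=5, window=timedelta(seconds=60)):
    """One incident per source that produced >= threshold failed logins inside `window`.
    A later successful login from the same source is treated as a possible credential
    compromise and ranked above a plain brute-force attempt."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    incidents = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        burst = None
        for i in range(len(fails)):               # sliding window over the failures
            j = i
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                burst = fails[i:j]
                break
        if burst is None:
            continue
        compromised = any(e["result"] == "Accepted" and e["ts"] > burst[-1]["ts"] for e in evs)
        impact, urgency = (3, 3) if compromised else (2, 2)
        incidents.append({
            "id": f"INC-{len(incidents) + 1:04d}",             # logged with an identifier
            "category": "credential-compromise" if compromised else "brute-force",
            "src": src,
            "host": burst[0]["host"],
            "users": sorted({e["user"] for e in burst}),
            "first_seen": burst[0]["ts"],
            "last_seen": burst[-1]["ts"],
            "evidence_count": len(burst),
            "priority": priority(impact, urgency),
            "tier": 2,        # routing rule of this example: security incidents skip first-tier
            "status": "open",
        })
    return incidents


def open_queue(incidents):
    """Unresolved incidents in handling order: priority band first, then oldest first."""
    rank = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}
    return sorted((i for i in incidents if i["status"] == "open"),
                  key=lambda i: (rank[i["priority"]], i["first_seen"]))


if __name__ == "__main__":
    for inc in open_queue(detect_incidents(SAMPLE_LOG)):
        print(inc["id"], inc["priority"], inc["category"], inc["src"],
              ",".join(inc["users"]), inc["first_seen"].strftime("%d %b %H:%M:%S"))
```

Running the file prints the queue: the source whose failed-login burst was followed by a successful root login comes out as a P1 credential-compromise incident ahead of the plain P3 brute-force attempt, and a source with only scattered failures raises nothing. These are the same functions a detection rule in a log collector would call, with the record going to the service desk instead of to stdout.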
Without a service desk, users would contact support staff directly, with no structure or prioritization. A service desk is divided into tiers of support:-

(a) First-tier support handles basic issues, such as password resets and basic computer troubleshooting.
(b) Second-tier support handles issues that need more skill, training or access to resolve. Tier-two incidents may be medium-priority issues which need a faster response from the service desk.

13. Incident Handling. Incident response in its simplest form is the practice of detecting a problem, determining its cause, minimizing the damage it causes, resolving the problem and documenting each step of the response for future reference. The framework for incident handling models consists of the following components:-

(a) Cyber incident response planning.
(b) Incident handling and response.
(c) Recovery and feedback.

14. Incident Handling and Response. When an event becomes an incident, it is essential that a methodical approach be followed. This is necessary given the complexity of dealing with the dynamics of an incident; several tasks must be carried out in parallel as well as serially. Often the output of one phase or stage in the handling of an incident produces input for a subsequent phase. In some cases, previous steps need to be revisited in the light of new information obtained as the investigation develops; the process should be viewed as iterative in nature.

4.2 Information Systems Audit

15. Information System Auditor. IT auditors determine whether users, owners, custodians, systems and networks are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction and other requirements placed on systems. The auditors provide independent assurance to management on the appropriateness of the security controls.

16. The auditor examines the information systems and determines whether they are designed, configured, implemented, operated and managed in a way that ensures the organizational objectives are being achieved. The auditors provide senior management with an independent view of the controls in place and their effectiveness across the enterprise. Information system auditors carry out the following analysis/forensics:-

(a) Media Analysis. Media analysis involves the recovery of information or evidence from information media such as hard drives, DVDs, CD-ROMs or portable memory devices. The media may have been damaged, overwritten or reused in an attempt to hide evidence or useful information.
(b) Network Analysis. Network forensics is the analysis and examination of data from network logs and network activity for use as potential digital evidence.
(c) Software Analysis. Software analysis or forensics is the analysis and examination of program code. The code being analyzed can take the form of source code, compiled code (binaries) or machine code. Decompiling and reverse engineering techniques are often used as part of the process. Software analysis encompasses investigative activities such as malware analysis, intellectual property disputes and copyright issues.

17. Guidelines. The objective of the IS Audit and Assurance Guidelines is to provide guidance and additional information on how to comply with the IS Audit and Assurance Standards.

POINTS TO REMEMBER

• The physical security of information assets is always under threat.
• There are literally hundreds of different access approaches, control methods and technologies, both in the physical world and in the virtual electronic world.
• The main categories of access control are: directive, deterrent, preventive, compensating, detective, corrective and recovery.
• Personnel security is a system of policies and procedures which seek to manage the risk of staff exploiting, or intending to exploit, their legitimate access to an organization's assets.
• The core elements of personnel security are the six pillars: screening, contracts, security policy acknowledgement, security education, monitoring and termination procedures.
• Incident management is the process of restoring normal service operation as quickly as possible.
• An information system auditor determines whether users, owners, custodians and networks are in compliance with security policies, procedures, standards and other requirements.

Self Assessment

MCQ
Q1. ………………. controls are designed to specify acceptable rules of behavior within an organization.
(a) Deterrent (b) Directive (c) Compensating (d) Preventive
Q2. ………………. controls are implemented to restore conditions to normal after a security incident.
(a) Recovery (b) Directive (c) Compensating (d) Preventive
Q3. The number of pillars of personnel security is ………………..
(a) One (b) Two (c) Five (d) Six
Q4. ……………….. is the practice of detecting a problem, determining its cause and minimizing the damage.
(a) Incident Response (b) Incident Handling (c) Incident Planning (d) Incident Recovery

MCQ Ans: 1(b), 2(a), 3(d), 4(b)

DTQ
Q1. What is physical security of IT assets?
Q2. Briefly explain physical controls.
Q3. Explain the categories of access control.
Q4. What is personnel security?
Q5. Briefly explain the core elements of personnel security.
Q6. Explain incident management.
Q7. What is incident handling?
Q8. Briefly explain the role of an information system auditor.
Q9. Write down the tasks of an information system auditor.

CS/COMP&IW-II-5

CHAPTER-5

CYBER SECURITY IN IAF

Objective
At the end of the lesson, trainees will learn about:-
• Main features of IAP 3903 and the IT Act (Revised 2008).
• Types of PCs in the IAF, i.e. AFNET, Internet, local LAN and standalone.
• Asset and server management policies.
• IW awareness and information security in the IAF.
• IAF case studies and the information security organization at national level.

5.1 IAP 3903 and IT Act (Revised 2008)

1. Introduction to IAP 3903. Information technology has changed the way the Armed Forces in India operate. The importance of information and the central role it plays in warfare is not new, but the information age presents diverse new capabilities to armed forces. The IAF has been a pioneer in adopting the IT revolution to achieve its operational edge. Security of information is paramount, and therefore IAP 3903 has been promulgated to enforce responsibility and accountability at all levels. The IAP is to be strictly followed in letter and spirit.

2. Goal. The goal of IAP 3903 is to lay down the policy for implementing information security in order to establish, control, monitor, review and manage information systems, infrastructure and networks in the IAF.

3. Objectives. The objectives of IAP 3903 are:-
(a) To provide instructions for Information Assurance (IA) in the IAF.
(b) To prevent any form of compromise of the information systems in IAF operational and functional domains.
(c) To lay out the guidelines for incident response within the IAF.
(d) To formalize actions in the event of a crisis or security breach.

4. Contents of IAP 3903. IAP 3903 was first issued in 2006 and was revised in Nov 2012. It consists of 11 chapters, including the goal. A further revision of IAP 3903 is in progress.

5. Standards. This IAP is based on the international standard ISO/IEC 27002:2005, the Information Technology Act 2000, the IT (Amendment) Act 2008 and various policies in vogue.

6. Review. This IAP will be reviewed every five years. However, because of the fast changing pace of cyberspace, addendums and implementation guidelines to this policy will be issued on an as-required basis through Air HQ directives. This policy supersedes IAP 3903 issued in 2006.

7. IT Act. The Information Technology Act, 2000 was passed by Parliament and received the assent of the President of India on 09 Jun 2000. The IT (Amendment) Act 2008 was passed by Parliament and received the President's assent on 05 Feb 2009.

8. The relevant sections of the IT Act, 2000 and the IT (Amendment) Act, 2008 are summarized below:-
(a) Section 43. Penalty and compensation for damage to a computer, computer system, etc.
(b) Section 65. Tampering with computer source documents.
(c) Section 66A. Punishment for sending offensive messages through a communication service, etc. (This section was struck down as unconstitutional by the Supreme Court of India in 2015.)
(d) Section 66B. Punishment for dishonestly receiving a stolen computer resource or communication device.
(e) Section 66C. Punishment for identity theft.
(f) Section 66D. Punishment for cheating by personation using a computer resource.
(g) Section 66E. Punishment for violation of privacy.
(h) Section 66F. Punishment for cyber terrorism.
(j) Section 67. Punishment for publishing or transmitting obscene or sexually explicit material, etc., in electronic form.
(k) Section 73. Penalty for publishing an electronic signature certificate that is false in certain particulars.

5.2 AFNET, Internet, Local LAN and Standalone PCs

9. AFNET. Project AFNET (Air Force Network) is envisaged to provide a GIG (Gigabit Information Grid) as a first step towards the network-centric operational capability of the IAF. The network, providing multimedia services connecting 161 AF locations (Phase-I) on STM-16 (2.5 Gbps) and multiples of STM-1 (155 Mbps), and 69 AF locations in Phase-II, has been designed by the IAF on MPLS (Multi Protocol Label Switching) technology.
The supply, installation, configuration and commissioning of the network equipment were carried out by M/s BSNL through M/s HCL. The OFC has been laid by BSNL at all the selected AF locations.

10. AFNET is an operational network envisaged to address all communication requirements of the IAF, encompassing voice, data and video on a converged platform.

11. Features of AFNET. The features of AFNET are:-
(a) Network-level features:-
(i) Two NOCs.
(ii) Media-level encryption.
(iii) Perimeter security.
(iv) Internal security through deployment of Active Directory.
(b) Data centres at five locations with:-
(i) Inbuilt high security.
(ii) Auto backup at each location.
(iii) Disaster recovery.
(c) AFIRMS (Air Force Integrated Rapid Messaging System), which replaced the earlier DMSS (Distributed Message Switching System).
(d) A Certificate Authority issuing and managing digital certificates for the security of communicated data.
(e) IAF-wide VoIP-based voice communication and provision of IP phones.
(f) An IP-based exchange, region-wise.
(g) Backup secure satellite connectivity for the entire network through Ku-band and upgraded C-band Satcom.
(h) Secure radio connectivity for important links.

12. Internet. The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite (TCP/IP) to link several billion devices worldwide. It is a network of networks consisting of millions of private, public, academic, business and government networks of local to global scope, linked by a broad array of electronic, wireless and optical networking technologies. The Internet carries an extensive range of information resources and services, such as the interlinked hypertext documents and applications of the World Wide Web (WWW), electronic mail, telephony and peer-to-peer networks for file sharing.

13. Internet in IAF. In the IAF the Internet is also extensively exploited as a mode of communication and information retrieval. However, the increasing global trend of attacking client-side PCs, as opposed to servers and networks, has an impact on the organization's security.

14. Vayusenix. In order to secure IAF computers connected to the Internet from persistent cyber attacks, IW Cell conceived and developed a customized Linux-based operating system for Internet browsing, called Vayusenix. It was first released for implementation on all Internet-facing computers of the IAF in Oct 2009. Based on user feedback, and mainly because support for the Slax base of the first version was no longer available, Vayusenix version 2.0, based on Ubuntu, was released in Oct 2011. Vayusenix version 3.0 was released on 10 Oct 14, and Vayusenix 4.0 has been designed with a user-friendly desktop.

15. Independent LAN. With the implementation of AFNET all servers and PCs will be on one single network. However, in certain exceptional cases there may be a requirement to operate a number of PCs and servers in an independent network. Approval for such networks has to be obtained from the PSOs at Air HQ and the AOC-in-C at Command HQ. The IP scheme must differ from that of AFNET. The switches used for networking must be managed switches, and vacant ports must be disabled. Authentication, anti-virus updates and OS patch management must be ensured by the network administrator. Security measures in these local LANs should be the same as those implemented for AFNET.

16. Standalone PCs. A dedicated standalone PC is to be used only where unavoidable, and prior approval is to be obtained from Command HQ. As per IAP 3903 (Revised), standalone PCs may exist only in the following places:-
(a) Computers used for AFNET testing.
(b) Computers dealing with Top Secret, Secret and Confidential documents.
(c) One PC in the Station VIP Room.
(d) Sanitization PC.

Asset and Server Management

17. Asset Management. Information Technology Asset Management (ITAM) is the oversight and management of an organization's IT assets, i.e. hardware, software and associated service contracts, throughout their life cycle. It begins with planning and budgeting and continues through to the disposal of those assets. The goal is to provide precise information about where, how and how effectively the organization's IT budget has been used, as a foundation for planning future IT purchases. Ultimately, the goal of ITAM is to improve the return on IT investment.

18. ITAM provides the framework for identifying and locating every IT asset that an organization owns: every computer, laptop, router, peripheral, server and so on, and every software application that any employee uses. It also covers leased equipment, maintenance agreements, service contracts, and software licensing and upgrades.

19. Hardware Management. ITAM tracks all hardware assets. Naturally, it includes a record of what devices are in the inventory, their quantity and their locations. This is essential information in combating "drift", the unplanned, unmonitored movement of electronics away from their assigned location or user. Drift may happen as employees change positions or move to different locations, taking their laptops or other electronics with them. It may also happen when an employee needs a piece of equipment to work at home; the equipment may or may not make it back to the office. ITAM hardware tracking can use a variety of methods, of which these are the most prominent:-
(a) Equipment can be physically tagged.
(b) Radio Frequency ID (RFID), in particular, has been an invaluable tool for managing inventory.
In fact, RFID has become so standard for inventory control that HP offers a Factory Express RFID service, which places RFID tags on computer equipment before it leaves the factory.
(c) In addition to knowing where the machines are, ITAM hardware tracking also keeps a record of serial numbers, make, model and specifications such as configuration, capabilities and custodian names. It knows where the assets are, who is using them, and how. Asset management thus provides more information and a better overall picture. ITAM answers the question of whether the right person has the right equipment, for which it does the following:-
(i) Matches high-end users who need greater capability with the equipment that meets their needs, so that expensive, high-capacity machines are not left underutilized elsewhere.
(ii) Helps make sure employees have the tools they need to do their jobs.
(iii) Provides the ability to ensure IT assets are where they need to be, properly equipped and supported.
(iv) Prevents spending on unnecessary technology that provides more capability than an employee needs or uses.

20. ITAM is also invaluable in tracking the life cycle of hardware. It identifies which assets are ready for disposal, and when. Technology reaches a point where the cost of repair or maintenance becomes greater than the cost of a newer version. Being able to predict when equipment will need to be replaced is a strong strategic advantage in budgeting. Using knowledge of an item's life cycle to schedule its disposal can also create a tax advantage: by replacing technology before it becomes obsolete, displaced equipment can be donated to charitable organizations and claimed as a tax deduction. Of course, replacing equipment before it breaks also prevents downtime and keeps operations running productively.

21. Software. ITAM mandates the identification of all software in use within an organization: how many copies or licenses the organization owns, which machines the software is installed on and who is using it.

22. As with hardware tracking, an ITAM system provides a better picture than traditional inventory methods. You not only keep a record of where software is installed, but also learn how much or how little it is used. Using this information, licenses can be transferred or eliminated, reducing unnecessary cost.

23. Proper asset management also ensures that only legal software is used on organizational machines. It locates pirated or unauthorized software, even if only one employee is using it. An effective ITAM solution protects the organization from legal action and penalties resulting from license violations. Appropriately placed ITAM systems make it easier to eliminate license issues, monitor when license agreements end, and ensure that all products used are within their license parameters.

24. ITAM information directs IT purchases and the disposal of assets, reducing waste and redundancy. It keeps operations functioning smoothly, with less chance of disruption because of technology problems.

25. An ITAM system is also extremely valuable in planning IT purchases. Put simply, it allows the best purchases to be made at the best time:-
(a) It eliminates waste and redundancy in purchasing both hardware and software.
(b) It collects information about what hardware is needed based on patterns of usage, so that the data can be compared with the history of equipment purchases and contracts to determine whether current assets can simply be redistributed instead of purchasing additional equipment. In addition, disposing of unused assets can substantially reduce the organization's tax bill.

26. Maintenance agreements and service contracts are also a significant portion of IT costs.
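The hardware drift check of para 19 and the software license checks of paras 21 to 23 reduce to one reconciliation between what the inventory says and what an endpoint scan reports. The Python below is an added example written for this text, not part of any ITAM product or IAF system; the asset tags, custodians, locations, product names and seat counts are all constructed. It flags inventory assets that did not report at all (possible loss), assets seen somewhere other than their assigned location (drift), devices that report but are not in the inventory (a case the text does not spell out, but it is the same comparison run the other way), software outside the approved catalog, and products installed on more machines than there are seats.

```python
from collections import Counter

# Constructed records; asset tags, custodians, locations and product names are illustrative only.
INVENTORY = {
    # asset tag: (custodian, assigned location)
    "AF-PC-0101": ("Sgt A", "Stn Ops Room"),
    "AF-PC-0102": ("Cpl B", "Stn Ops Room"),
    "AF-LT-0201": ("Flt Lt C", "Tech Flight"),
    "AF-PC-0103": ("Sgt D", "Accounts"),
}

# What an endpoint scan reported. AF-PC-0103 did not report at all; AF-PC-9999 is not in the inventory.
SCAN = {
    "AF-PC-0101": {"location": "Stn Ops Room", "software": ["OfficeSuite", "PDFReader"]},
    "AF-PC-0102": {"location": "Stn Ops Room", "software": ["OfficeSuite", "OfficeSuite", "TorrentClient"]},
    "AF-LT-0201": {"location": "Accounts", "software": ["OfficeSuite", "CADTool"]},
    "AF-PC-9999": {"location": "Tech Flight", "software": ["OfficeSuite"]},
}

# Seats owned per approved product; a catalog entry with 0 seats is approved but has no license to use.
LICENSES = {"OfficeSuite": 3, "PDFReader": 5, "CADTool": 0}


def reconcile(inventory, scan, licenses):
    """Compare inventory, scan results and license entitlements; return the findings."""
    approved = set(licenses)   # anything outside the catalog counts as unauthorized
    report = {"missing": [], "drift": [], "unknown": [], "unauthorized": [], "over_deployed": {}}

    for tag, (custodian, assigned_loc) in inventory.items():
        if tag not in scan:
            report["missing"].append(tag)                 # did not report: possible loss or unplugged
        elif scan[tag]["location"] != assigned_loc:
            report["drift"].append((tag, custodian, assigned_loc, scan[tag]["location"]))

    report["unknown"] = [tag for tag in scan if tag not in inventory]   # on the wire, not in the books

    installs = Counter()
    for tag, data in scan.items():
        for product in sorted(set(data["software"])):   # one install per machine, even if the scanner repeats it
            if product in approved:
                installs[product] += 1
            else:
                report["unauthorized"].append((tag, product))

    for product, count in installs.items():
        if count > licenses[product]:
            report["over_deployed"][product] = (count, licenses[product])
    return report


if __name__ == "__main__":
    for finding, items in reconcile(INVENTORY, SCAN, LICENSES).items():
        print(f"{finding}: {items}")
```

The approved catalog and seat counts come from the license records; the scan data would come from whatever endpoint agent or network scan the station runs. Unlicensed software is treated here as a security finding as well as a compliance one, since an uncontrolled binary on a domain machine is exactly what the text warns about.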
An efficient ITAM program matches the agreements to the equipment they cover, so that when a piece of technology is taken out of service, the associated costs are promptly eliminated as well.
27. Compliance. ITAM is tremendously valuable in ensuring compliance with software licensing agreements and governmental regulations. As mentioned above, it is absolutely necessary to ensure that no pirated or unlicensed software is being used anywhere in the company, by anyone. If even one computer, used by one employee, contains unregistered software, the company is stealing that software, which leaves the organization vulnerable to significant legal action. ITAM tracks down any unlicensed applications and identifies the individuals using them, so that the company can comply fully with all software vendor license agreements.
28. The data compiled by an ITAM program allows corporations to maintain regulatory compliance and financial transparency. It allows compliance in the areas of data integrity and security to be viewed and reported and, equally important, makes it easier to demonstrate that compliance. Having systems in place to meet regulatory requirements permits your clients to carry on their day-to-day business without fear of disruption over questions about compliance; the data is there to examine on demand.
29. The information gathered through ITAM supports strategic decisions, even during drastic changes.
30. Salient Points about an ITAM Program. When you begin to evaluate an ITAM system, there are several important points to keep in mind.
(a) Do not think of ITAM as crisis management. ITAM is often brought in as a solution to a temporary problem; once the issue is resolved, it is no longer a priority. However, ITAM is most useful and profitable when it is part of a process improvement and not a quick fix.
(b) It lends itself easily to linking asset management strategy to overall business strategy.
31. The ultimate goal of asset management is to realize savings through improving business and IT processes and improving decision making. ITAM is a cost-effective, sound practice that allows your clients to do more with less.
32. Server Management. Your server holds valuable information, and this needs to be protected. Each server must have a person, known as the System Administrator, who is responsible for the management and upkeep of the server. System Administrators must abide by the guidelines in the Responsible Use of Computing and Data Communication Facilities and Services.
33. A Standard Operating Procedure can be formulated with the following goals in mind, to ensure the security, reliability and privacy of the Organization's systems and network:
(a) To avoid any situation that may cause civil liability.
(b) To maintain the image and reputation of the Organization.
(c) To encourage the responsible use of network resources.
(d) To preserve the privacy and security of individual users.
34. General Server Procedure. The provisions of the Responsible Use of Computing and Data Communication Facilities and Services apply to servers. Computer servers must be run:
(a) In a professional and ethical manner.
(b) So as to maintain the privacy and intellectual property rights of the owners of material on the server.
(c) In a secure manner, such that the material on them is not subject to unauthorized access or change, and such that the server itself cannot become a channel for unauthorized access to or change of material on other people's servers.
5.3 IW Awareness & Training, Information Security in IAF
35. Importance of Security Awareness. Many workplaces today are subject to governmental or industry regulation, and failure to comply can result in censure, fines or worse. In some organizations there are legal mandates that require employees to be trained in and/or "informed" about information security.
36. Implementing a Security Awareness Program.
Once it has been decided to implement a security awareness training program, the program has to be planned extensively and organized. There is no "one size fits all" solution; the right choice of topics to be covered in a security awareness program depends on many factors, including:
(a) The computer skill level and existing security knowledge of all personnel.
(b) The type and sensitivity of the data that employees handle.
(c) The existing usage policies covering multiple scenarios, such as usage/handling of network PCs during breaks/lunch, whether personnel are permitted to connect their own devices to the company network, which software may be installed, and whether web technologies such as Java, ActiveX, Flash, etc. may be run.
(d) Legal or industry mandates that apply to the organization.
(e) Skill level and workloads of in-house security personnel.
(f) Budget.
37. Any organization's goal should be to take personnel beyond mere awareness of security issues and actually educate them in how to assess the security implications of various situations and how to apply security best practices as they perform their job duties on a daily basis.
38. Training Objective. As with any formal training program, one needs to start the curriculum development process by creating a lesson plan, and the first step there is defining the training objectives. The objectives form the basis of the lesson plan. Each training objective states a specific behavior or task that the learner should be able to demonstrate after completion of the training.
39. The training objectives should be listed in the order of the logical learning sequence. Obviously the learners will need to know the terminology before they can understand technical material, so the instructor will want to discuss the meanings of terms such as "virus", "worm", "Trojan", "phishing" and so forth before explaining how learners can help protect against those threats.
These objectives are specific to the organizational environment and the personnel working in it.
40. Lesson Plan. The lesson plan is an expansion of the training objectives. Many formats can be used, but they share some basics. The most common format is an outline. It includes the approximate time required to complete the lesson, materials needed by students, teaching aids (PowerPoint, whiteboard, models, demonstrations, etc.) to be used by the instructor, student activities and class assignments (role-play, question and answer, discussion groups, etc.), instructor notes, an introduction, body and summary, and evaluation (test).
41. Information Security Roles in IAF. Information security must be in line with the IAF's operational goals and objectives. The top leadership needs to assess security issues so that proper objectives can be defined and, accordingly, resources, time and funding can be provided. Risk assessment and risk handling are to be carried out at regular periodicity to ascertain the following aspects:-
(a) Risk Assessment. In order to identify, quantify and prioritize risks against the criteria for risk acceptance and the objectives relevant to the IAF, risk assessment should be carried out by various user groups / levels.
(b) Handling of Security Risks. Based on the iterative criteria set by the IAF, the levels of acceptability of risks, after analysis and evaluation, should be firmed up by the various stakeholders of information security. For each of the identified risks, a risk handling mechanism is to be ordered, including the following steps:-
(i) Application of effective control measures to reduce risks.
(ii) Knowingly and objectively accepting unavoidable risks within the IAF's ambit.
(iii) Risk avoidance by blocking the actions causing the risk.
(iv) Transfer of associated risks to OEMs / vendors / suppliers through proper contract / project management.
42. As per GOI policy, at the national level a National Information Security Officer (NISO) is to be designated as the head of information security for the Govt of India. The NISO will be responsible for all Departments and Ministries of the Govt of India and is envisaged to have the following responsibilities:-
(a) Ensure the information security of all departments and ministries of the Government of India.
(b) Interact with the Network Security Operations Centre (NSOC) Head, Chief Information Security Officers (CISOs) and other security agencies.
(c) Assess information security initiatives and provide recommendations.
(d) Drive the Information Security Policy guidelines and procedures.
(e) Review Information Security Policies.
(f) Review the effectiveness of implementation of information security policies.
(g) Hold a quarterly review of the hardening status of operationally critical networks.
43. On similar lines, a Chief Information Security Officer (CISO) should be designated for the IAF. The CISO shall be in the functional chain of both the network operations and the information warfare elements of the IAF, ensuring proper synergy between network operations, audit and hardening. He would be supported by the concerned appointment holders in network operations / maintenance as well as in the information security domain.
44. Key Appointments for Information Security Roles. Cyber security roles should be clearly formulated for the following key appointments for implementation of Information Security Policies. These appointments are at different levels, including Air HQ, CMD HQ, NOC & Data Centre and station/unit levels: for example PD Sigs (Air) / D AFNET / DIT / D Ops (IT&N) at Air HQ, CITO at CMD HQ, and SITO at Stn.
45. Dte of Ops (IEW) / IAF-CERT shall maintain constant liaison with special interest groups like CERT-In, ACSE (Army Information Security Establishment) / Navy CERT and other institutions on information security related issues, and shall further issue necessary advisories.
5.4 National Information Security Organisation & Case Studies
46. National Crisis Management Committee. The National Crisis Management Committee (NCMC) is an apex body of the Government of India for dealing with major crisis incidents that have serious or national ramifications. It will also deal with national crises arising out of focused cyber-attacks. The NCMC is headed by the Cabinet Secretary and comprises Secretary-level officials of the Govt. of India.
47. National Cyber Response Centre: Indian Computer Emergency Response Team (CERT-In). CERT-In monitors Indian cyberspace and coordinates alerts and warnings of imminent attacks and the detection of malicious attacks among public and private cyber users and organizations in the country. It maintains a 24x7 operations centre and has working relations/collaborations and contacts with CERTs all over the world, and with sectoral CERTs, public and private organizations, academia, Internet Service Providers and vendors of Information Technology products in the country. It works with Government, public and private sectors and users in the country, and monitors cyber incidents on a continuing basis throughout the extent of an incident to analyse and disseminate information and guidelines as necessary. The primary constituency of CERT-In is organizations under the public and private sector domains.
IAF Case Studies
CASE STUDY 1: PHYSICAL SECURITY OF L2 SWITCHES
48. Introduction. The incident occurred at X BRD during Ex-Sancharkranti. Physical intrusion and tampering of an L2 switch caused the switch to go down.
49. Situation. Ex-Sancharkranti was planned across the Air Force.
All personnel at the Station were sensitized, and physical and software security was at an all-time high. All AFNet Equipment Rooms were under biometric access control and were monitored 24x7. The L2 switches of the Station were locked, and the keys were kept with the AFNet personnel.
50. Incident. Intruders entered the BRD Tech area after working hours and got access to one of the L2 switches. The intruders got into the small store room in the lab and tampered with the L2 switch by tampering with the locked rack. The Shift Officer and the duty airmen, during their evening check, found the intruders near the Equipment Room. Simultaneously, intimation was also received from AFNet staff that the L2 switch at the mentioned location had gone down.
51. Action/Finding. During inspection it was found that the L2 rack was open and the power cord of the L2 switch had been taken out. After reconnecting the power supply, a fault was raised with the NOC. The very next day an investigation was ordered to find the circumstances in which the L2 switch rack was open even though checks of the physical security of all L2 switches at the Station had been carried out. The investigation revealed that the Sgt responsible for DI of the said switches admitted to leaving the keys of the racks with the personnel of the sections that were at far-off locations. He did this to avoid going to these distant locations himself for DI and cleaning. The Sgt was given extra shift duties as punishment for his casual approach and for jeopardizing the security of sensitive equipment and the network at large.
52. After the end of the exercise, it was learnt from the officer posing as an intruder that the mentioned L2 switch rack had been opened by forcefully tampering with the locking mechanism of the rack.
53. Lesson Learnt. The personnel working in AFNET and IT sections need to be educated about security policies and procedures. All vital installations are to be under lock and key. Any untoward incident needs to be flagged to higher authorities.
CASE STUDY 2: MISPLACING SERVER HDD DURING TROUBLESHOOTING
54. Introduction. The incident occurred at one of the Data Centres in the IAF during an upgradation task. An HDD was accidentally taken out of the Data Centre and was kept along with other unserviceable HDDs.
55. Situation. During the Data Centre upgrade, an SNCO found an empty HDD slot in one of the servers and reported the issue to the OIC Data Centre.
56. Incident. During troubleshooting of one of the blade servers, the HDD was replaced several times. The issue was not resolved and the troubleshooting continued for several days. One day, while troubleshooting, the duty mechanic accidentally took one of the HDDs with him and kept it with the unserviceable HDDs. During the Data Centre upgradation, all servers running in the Data Centre were switched off and moved to alternate racks. Various vendors were involved in the Data Centre upgradation. When the upgradation was over, the servers were shifted back to new racks. The Data Centre and servers were cleaned before switching them on. An SNCO saw an empty HDD slot in one of the blade servers while cleaning it and reported the matter to the OIC Data Centre.
57. Action/Finding. The OIC Data Centre reported the matter to the CTO. A search for the HDD started immediately. When the HDD was not found, a formal investigation was ordered. Meanwhile, a thorough check of all servers and other network infrastructure was made, and the Hardware Movement Register, server log books, etc. were scrutinized. It was found that during server troubleshooting, an HDD had accidentally been taken out of the Data Centre and kept along with the unserviceable HDDs. Since the blade server was not in use, no logs were generated and there was no LED indication of the missing HDD. It was established that the HDD was not missing but had been kept with the unserviceable HDDs.
58. Lesson Learnt. Any peripheral device being taken in or out of the IT Centre should be documented and notified to the SITO / WO i/c.
Relevant registers such as the Hardware Movement Register, Fault Register and HDD Record Register are to be updated meticulously, with a complete record of what troubleshooting actions were taken and by whom, with date and time. A physical audit of all serviceable and unserviceable HDDs is to be carried out quarterly.
CASE STUDY 3: PRINTING OF DOCUMENT FROM MOBILE
59. Introduction. Centrally enforced policies on AFNET do not allow access to any USB mass storage device. Despite the policies in vogue and devices being blocked by the antivirus, an air warrior was successful in taking a print of a document stored on his mobile, connected over USB.
60. Situation. A mobile phone was connected to an AFNET PC to take a print of a document, in spite of all the requisite policies in vogue.
61. Incident. It was informed by the SOC that there were log entries of SD card use on one of the AFNET computers, and the same was taken on remote for analysis. On investigation, LAC ABC admitted to plugging his mobile phone into the AFNET PC during shift duty to successfully take a printout of a document.
62. Action/Findings. The computer was isolated from the network, and the mobile with the USB cable was confiscated. The SOC asked the Unit to reconnect the PC to the AFNET domain to recreate the scenario and analyse the exact reason that had caused the anomaly. On connecting the mobile phone to the PC, the F-Secure antivirus blocked access to the phone, recognizing it as a mass storage device. The same was repeated a couple of times; however, every time the mobile phone was blocked. On being asked, the individual stated that he had performed the USB tethering operation from his mobile. On doing the same, the PC promptly gave access to the mobile. The document on the mobile was opened and a print was taken. However, no log of the print was available in the system.
63. On querying the SOC about the cause of the incident, it was revealed that the antivirus had successfully identified the mobile as mass storage and blocked access. However, USB tethering had caused the mobile to be identified as a Windows Portable Device (WPD), a feature of Win XP/7/8, which had not been blocked by any of the policies. The SOC subsequently modified the policies to block all portable devices. The COI awarded a punishment of forfeiture of 15 days' pay to the air warrior.
64. Lesson Learnt. IT security is everybody's concern, and the IAF needs to keep itself abreast of the latest technologies. Loopholes in our security can be plugged by the proactive involvement of each one of us.
CASE STUDY 4: INADEQUATE ORIENTATION TOWARDS CYBER SECURITY
65. Introduction. Direct entry medical officers are commissioned directly after passing out from civil medical colleges. No orientation courses are conducted before they report to their Units on posting.
66. Situation. Flt Lt ABC was commissioned in Oct 14. Within a week of reporting to his unit, he felt that the organisation was not suited to his ambitions and he wanted to put up papers for release.
67. Incident. In Nov 14, the HQ $$$ (U), AF, IT cell got a call from the SOC that there had been unauthorised use of a mass storage device and virus activity from one of the PCs in the SMC. The PC was immediately isolated from the network. A formal investigation was ordered to find out the exact nature of the violation that had occurred.
68. Action/Findings. On investigation it was found that the PC involved in the violation had been logged on by Sgt XYZ, Med Asst. On further enquiry, Sgt XYZ stated that Flt Lt ABC had requested him to log on to the domain in order to type his application. Thereafter, he had moved to another room where he was performing his duty.
69. On questioning Flt Lt ABC, he admitted to the use of the pen drive. He stated that he had not yet been allotted a service number. Hence, he did not have an AFNET logon ID.
So, he had requested Sgt XYZ for access to the domain for typing his application. After typing his application he observed that there was no printer attached to the system. To copy the application to another system, he had inserted his pen drive. However, when it did not work, he moved to another PC with an attached printer to re-type his application. Both Flt Lt ABC and Sgt XYZ were warned in writing for their actions.
70. Lesson Learnt. An orientation capsule must be planned for all personnel on reporting to their first Unit on posting. They are to be sensitised about service norms, policies and instructions. It must be impressed upon all personnel that these are to be followed strictly in letter and spirit.
CASE STUDY 5: TRAPPED ON FACEBOOK
71. Introduction. I was posted to Dte of $$$ at Air HQ and was privy to a case involving a cyber forensics investigation.
72. Incident. An external investigation agency informed the IAF about a PC which was transmitting classified data over the Internet to a remote server located outside the country. The name and location of the PC and the name of the Officer were also provided.
73. Finding. An internal probe commenced, and the officer's online profile was investigated and analysed. The officer was very active on Facebook with many online friends. It appeared that one day he received a friend request from a beautiful girl and accepted the request without a second thought. After some days of likes and comments, he began indulging in late-night online chats. She gained his confidence over time and sent personal photographs. One day she asked for his help and advice, saying that her sister wanted to join the IAF as a pilot.
74. The officer advised her about the IAF and life in a squadron during the long online chat sessions. He also gave detailed information about training in the IAF. The officer was totally unaware that his PC had been compromised by one of the files he had received from his online friend. It was found that his computer was receiving commands from a command & control server located in the US. All files from his computer, his contacts, e-mails and browser information were being transferred to the Co
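Revisiting Case Study 3 above: the following PowerShell script is an added example, not part of the course text or of any IAF tooling, that audits whether a Windows host's policy denies Windows Portable Devices in addition to USB mass storage, the gap that USB tethering slipped through, and offers the matching remediation. It assumes Windows 8 or later with an elevated session and reads the registry locations written by the Removable Storage Access and Device Installation Restrictions Group Policy settings; the device class GUIDs are the Windows-defined ones for those settings.

```powershell
# Added example, not from the course text: audit (and optionally close) the WPD gap
# described in Case Study 3 on a Windows host. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

# Registry locations behind the "Removable Storage Access" policy (Computer Configuration >
# Administrative Templates > System > Removable Storage Access). One key per device class.
$RemovableStorageRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$StorageClasses = [ordered]@{
    'Removable Disks (USB mass storage)'    = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'WPD Devices (MTP/PTP phones, cameras)' = '{6AC27878-A6FA-4155-BA85-F98F491D4F33}'
    'WPD Devices (second WPD class)'        = '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}'
}
# Registry location behind "Device Installation Restrictions" and the WPD setup class GUID.
$DeviceInstallRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$WpdSetupClass     = '{eec5ad98-8080-425f-922a-dabf3de3f69a}'

function Get-PolicyDword {
    # Returns the DWORD value, or $null when the key or value is not configured.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-PortableDevicePolicy {
    # One finding per storage class: BLOCKED only if both Deny_Read and Deny_Write are 1.
    # A configuration that denies only "Removable Disks" leaves the two WPD rows as GAP,
    # which is exactly the state the tethered phone exploited in the case study.
    $findings = @()
    foreach ($label in $StorageClasses.Keys) {
        $key       = Join-Path $RemovableStorageRoot $StorageClasses[$label]
        $denyRead  = (Get-PolicyDword -Path $key -Name 'Deny_Read')  -eq 1
        $denyWrite = (Get-PolicyDword -Path $key -Name 'Deny_Write') -eq 1
        $status    = if ($denyRead -and $denyWrite) { 'BLOCKED' } else { 'GAP' }
        $findings += [pscustomobject]@{ Control = $label; DenyRead = $denyRead; DenyWrite = $denyWrite; Status = $status }
    }
    # Device Installation Restrictions: is the WPD setup class on the deny list at all?
    $denyList = @()
    $listKey  = Join-Path $DeviceInstallRoot 'DenyDeviceClasses'
    if (Test-Path $listKey) {
        $denyList = (Get-ItemProperty -Path $listKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    $installDenied = ((Get-PolicyDword -Path $DeviceInstallRoot -Name 'DenyDeviceClasses') -eq 1) -and
                     ($denyList -contains $WpdSetupClass)
    $status = if ($installDenied) { 'BLOCKED' } else { 'GAP' }
    $findings += [pscustomobject]@{ Control = 'Installation of WPD device class'; DenyRead = $installDenied; DenyWrite = $installDenied; Status = $status }
    return $findings
}

function Set-PortableDeviceDeny {
    # Remediation matching what the SOC did in the case study: deny read and write for both
    # WPD classes via the Removable Storage Access policy. Windows may need the device
    # reconnected or the host rebooted before the denial applies to an attached phone.
    foreach ($guid in $StorageClasses['WPD Devices (MTP/PTP phones, cameras)'], $StorageClasses['WPD Devices (second WPD class)']) {
        $key = Join-Path $RemovableStorageRoot $guid
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'Deny_Read'  -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name 'Deny_Write' -Value 1 -Type DWord
    }
}

function Get-AttachedPortableDevices {
    # WPD devices currently present, e.g. a phone in tethering/MTP mode (PnpDevice module, Win 8+).
    Get-PnpDevice -Class WPD -Status OK -ErrorAction SilentlyContinue | Select-Object FriendlyName, InstanceId
}

$report = Test-PortableDevicePolicy
$report | Format-Table -AutoSize
Get-AttachedPortableDevices | Format-Table -AutoSize
if ($report.Status -contains 'GAP') { Write-Warning 'Portable devices are not fully denied; run Set-PortableDeviceDeny to close the gap.' }
```

In a domain the same keys are normally pushed by Group Policy, so a GAP on one host usually means the GPO scope, not the host, needs fixing.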
