UNIT II_RISK_MITIGATION_PROCESS.pdf

Transcript

20

UNIT II
RISK MITIGATION PROCESS
2.0 Learning Outcomes
2.1 Curriculum Mapping
2.2 Information Assurance in System Development and Acquisition
2.3 Information Assurance Awareness, Training, and Education (AT&E)
2.4 Physical and Environmental Security Controls
2.5 Preventive Information Assurance Tools
2.6 Access Control

2.0 LEARNING OUTCOMES
Upon completion of this module, the student should be able to:
1) Develop understanding on how to integrate information assurance activities into
the system development life cycle to ensure proper identification, design,
integration, and maintenance of applicable information assurance controls
throughout an information system’s life cycle.
2) Develop understanding on the roles in the information assurance plan and how
they fit into cybersecurity, information protection, information security, and
finally information assurance.
3) Design a model for implementing physical and environmental security to protect
an organization’s physical infrastructure, its equipment, and its facilities, as well
as its employees, from physical events, threats, or incidents.
4) Discuss the tools and techniques for cases in which an organization chooses to
prevent undesirable impact.
5) Apply techniques commonly used for access control.
2.1 CURRICULUM MAPPING
Instruction:
You map the ILOs to the COs by writing the CO code provided before the articulated ILO.
Course Outcomes
1) Explain key concepts of information security such as design principles,
cryptography, risk management, and ethics fundamental to integrating
effective information assurance;
2) Discuss legal, ethical, and professional issues in information security;
3) Identify appropriate techniques to tackle and solve problems in the
discipline of information security; and
Apply various security and risk management tools for achieving
information security and privacy.

Intended Learning Outcomes
_____ 1. Develop understanding on how to integrate information assurance
activities into the system development life cycle to ensure proper
identification, design, integration, and maintenance of applicable
information assurance controls throughout an information system’s life
cycle.
_____ 2. Develop understanding on the roles in the information assurance
plan and how they fit into cybersecurity, information protection,
information security, and finally information assurance.
 21

_____ 3. Design a model for implementing physical and environmental
security to protect an organization’s physical infrastructure, its
equipment, and its facilities, as well as its employees, from physical
events, threats, or incidents.
_____ 4. Discuss the tools and techniques for cases in which an
organization chooses to prevent undesirable impact.
_____ 5. Apply techniques commonly used for access control.
2.2 INFORMATION ASSURANCE IN SYSTEM DEVELOPMENT AND ACQUISITION
Overview of the System Development Life Cycle
The system development life cycle is the overall process of creating, implementing, and
decommissioning information systems through a multistep process from initiation,
analysis, design, implementation, and maintenance to disposal.
In this phase, the need for a system is established, and the
Initiation
requirement capabilities of the system are stated.
In this phase, a system based on the user’s input, time, and
Acquisition/ financial constraints is purchased, outsourced, or developed.
development This phase often consists of other defined cycles, such as the system
development cycle or the acquisition cycle.
This phase involves vigorous initial testing. Once satisfactory results
Implementation
are obtained, the system is installed or integrated.
During this phase, the system is made to perform the intended task
Operation/
and maintained. The system is also modified by adding new
maintenance
hardware and software when needed.
This stage occurs when the system fails to cater to new expectations
Disposal or requirements. Here, the system is disposed of and usually
replaced by a new system.
Table 2-1: Activities in a System Development Life Cycle
Integrate information assurance activities into the system development life cycle to
ensure proper identification, design, integration, and maintenance of applicable
information assurance controls throughout an information system’s life cycle. Table 2-2
summarizes the activities in all phases of the system development life cycle.
Security Activities and Definitions in the System Development
Activities
A. Initiation Phase
- Ensure that the information assurance team is involved.
- Establish the security requirements based on the sensitivity and categorization
(classification) of information.
- Conduct initial risk assessment.
B. Development/Acquisition Phase
- Analyze the security functional requirements.
- Conduct formal risk assessment in greater depth than the initial risk assessment.
- Determine the budget (costs of hardware, software, personnel, and training)
- Develop a user/operational manual for the system.
- Develop technical test cases.
C. Implementation Phase
- Develop test data (a copy of some parts of real data can be used).
- Check that the functionality is exactly as specified in the system and can be used to
its optimum level.
- Ensure that after system testing and employee training, the system may be integrated
at the operational site.
D. Operation/Maintenance Phase
- Schedule proper audits.
 22

- Monitor to ensure that security controls continue to be effective and function as
expected (reviewing logs and reports).
E. Disposal Phase
- Determine the archiving method.
- Make sure there is written approval from the senior management to destroy
information.
- Delete, erase, and overwrite data as necessary.
- Dispose of hardware and software as directed by
the existing policy.
Table 2-2: Secure System Development Life Cycle (SSDLC) in Information Assurance
List of Software Security Vulnerabilities and Weaknesses
Common types of software security weaknesses.
1. Bugs
2. Exposure of sensitive data
3. Flaws in Injection
4. Buffer overflow
5. Security misconfiguration
6. Broken access control
7. Insecure deserialization
8. Broken/Missing Authentication
Bugs, in general, cause the software to behave in an unexpected manner. Pretty much
all software contains minor (or major) bugs. Hackers can easily take advantage of some
software bugs and cause much harm if you do not fix security vulnerabilities. While it is
usually impossible to ship software with 0 bugs, it’s important to find and fix any
serious bugs, especially ones that could pose a security risk.
Exposure of sensitive data. Sensitive data includes things such as account numbers,
addresses, financial data, health information, usernames, and passwords. All this data
must be protected to keep it from falling into the wrong hands. Personal or sensitive data
has to be protected with encryption and access controls to prevent unauthorized people
from accessing it. If the software fails to protect this personal data due to
security vulnerabilities, hackers who gain access to this information can use it to commit
fraud and other crimes.
Flaws in Injection. Injection flaws result in cyber attackers injecting malicious code into
an application. This kind of software security vulnerability occurs when untrusted data
is sent along with a query or command to an interpreter, which in turn will make the
targeted system to execute unexpected commands. This kind of attack can also result in
hackers gaining access to protected data stored in the database without the right
authorization.
Buffer overflow. Yet another common type of software security weakness, buffer
overflow occurs when an attempt is made to store data that is too big for the memory
space allocated. Attackers can use this software coding mistake, where the storage
capacity of a program is overwritten, to take control of or to access your system. This
vulnerability tends to be more common in software written in C and C++. Many
programming languages have automatic protection against buffer overflow attacks.
Security misconfiguration. One of the most common issues in software
development, security misconfiguration is a result of incomplete configurations and
default configurations that are not secure. For example, open cloud storage or
misconfigured HTTP headers. In order to avoid this kind of software security weakness,
you need to make sure you have properly configured your OS, frameworks, and
applications. Likewise, all this must be updated whenever necessary.
Broken access control. Broken user restrictions can cause severe software weaknesses.
For example, if you have an admin panel for your website, you want to restrict that area
 23

so only admin users can access it. If such restrictions are not enforced properly, hackers
and other unauthorized people can easily take advantage of that vulnerability and access
sensitive data or gain control of your system.
Insecure deserialization. Insecure deserialization is a security weakness that is used
by hackers to carry out injection attacks and DDoS attacks. In this type of vulnerability,
untrusted data is used to implement attacks.
Broken/Missing Authentication. Weaknesses in session management and credential
management result in broken authentication, which means an attacker is able to
compromise passwords or other information to access a user’s account. Improperly
implemented authentication and session management can result in this kind of software
vulnerability.
What Is Secure Coding?
Secure coding is to design and develop software by avoiding the weaknesses that lead to
security-related vulnerabilities by adhering to the specified security standards, and
industry best practices.
Reasons for Inadequate Security Implementation
In general, the following are a few reasons for inadequate security implementation in the
application.
 Priority is given for Functional Release than Security aspects.
 Ignorance or No Awareness about Software Security and Hackers.
 Not enough clarity on the Program or on the Software Design itself.
 The complexity of the Program.
 Not enough data, information on the live system where it will be deployed.
 No consideration of Security in the SDLC phases.
 Insufficient knowledge and understanding of the specifics of the language used in
the software.
 Not enough knowledge to the team and developers about Security Coding
Guidelines.
We know that it is not that all Developers and Testers are aware of the Security of an
application and may not have an in-depth understanding of security vulnerabilities and
exploits, especially to the application that they would be working upon. Generally, they
will be familiar with, ‘How to code functionally’ but not all of them know ‘How to code
securely’.
Hence, the very important aspect for the organization to adopt Secure Coding Practices
in their software is to first ‘Train People’. Therefore, training their team on Secure
Coding Aspects, Best Security Coding Practices and the Correct Tool usage is very
important.
The most important Design Principle of Software Security is to ‘Implement Security by
Design and Default’.
Common Programming Errors to be Avoided
Few common Programming Errors that need to be avoided are listed below:
 Improper Neutralization of Special Elements used in an SQL Command (‘SQL
Injection’).
 Buffer Copy without Checking the Size of Input (‘Classic Buffer Overflow’).
 Missing Authentication for Critical Function.
 Missing or Incorrect Authorization.
 Use of Hard-coded Credentials.
 Missing Encryption of Sensitive Data.
 Unrestricted Upload of File with Dangerous Type.
 Reliance on Untrusted Inputs in a Security Decision.
 Execution with Unnecessary Privileges.
 Cross-Site Request Forgery (CSRF).
 24

 Download of Code Without Integrity Check.
 Incorrect Calculation of Buffer Size.
 Improper Restriction of Excessive Authentication Attempts.
 URL Redirection to Untrusted Site (‘Open Redirect’).
 Uncontrolled Format String.
 Use of a One-Way Hash without a Salt.
Checklist for Secure Code Practices
Last, but not the least, after considering all the above points of Secure Software
Development aspects, the Developers need to follow the Checklist established for the
Secure Code Practices to ensure that things are not missed out. Given below are a few
but not an exhaustive list.
Input Validation:
 Do not trust input, consider centralized input validation.
 Do not rely on client-side validation.
 Be careful with canonicalization issues.
 Constrain, reject, and sanitize input. Validate for type, length, format, and range.
Authentication:
 Partition site by anonymous, identified, and authenticated area.
 Use strong passwords.
 Support password expiration periods and account disablement.
 Do not store credentials (use one-way hashes with salt).
 Encrypt communication channels to protect authentication tokens.
 Pass forms authentication cookies only over HTTPS connections.
Authorization:
 Use least-privileged accounts.
 Consider authorization granularity.
 Enforce separation of privileges.
 Restrict user access to system-level resources.
 Use OAuth 2.0 protocol for Authentication and Authorization.
 Carryout API Validation.
 Whitelist allowable methods.
 Protect privileged actions and sensitive resource collections.
 Protect against Cross-site resource forgery (CSRF).
Session Management:
 Create a Session identifier on the server.
 Terminate the session with the Logoff.
 Generate a new session on re-authentication.
 Set the ‘secure’ attribute for cookies transmitted over TLS.
Cryptography:
 Use cryptography while ‘Data in transit, Data in storage, Data in motion, Message
Integrity’.
 Do not develop your own. Use tried and tested platform features.
 Keep unencrypted data close to the algorithm.
 Use the right algorithm and key size.
 Avoid key management (use DPAPI).
 Cycle your keys periodically.
 Store keys in a restricted location.
Logging and Auditing:
 Identify malicious behavior.
 Know what good traffic looks like.
 25

 Audit and log activity through all of the application tiers.
 Secure access to log files.
 Back up and regularly analyze the log files.
Output Encoding:
 Carryout ‘Input Validation (XML, JSON….).
 Use Parameterized query.
 Carry out ‘Schema validation’.
 Carry out Encoding (XML, JSON..).
 Send Security Headers.
2.3 INFORMATION ASSURANCE AWARENESS, TRAINING, AND EDUCATION (AT&E)
Some examples of information assurance risks attributed to employees include the
following:
 Using weak passwords
 Downloading malware
 Using of out-of-date antivirus signatures and software
 Being unaware of becoming targets of social engineering attacks
However, with a proper information assurance AT&E development program, users
become the organization’s strongest information assurance asset. The AT&E program
ensures that employees understand personal responsibility and organizational policies.
It allows them to better use and protect information system resources entrusted to them.
An effective AT&E program has four stages: literacy, awareness, training, and education
(LATE). Not all employees will progress through the entire program to education nor is
progression of all employees to education necessary for effectiveness. However, the AT&E
program will not succeed if literacy is not established. Employees must have a common
vocabulary to be able to communicate about information assurance.
Purpose of the AT&E Program
The purposes of information assurance AT&E are as to:
 circulate and ensure effective implementation of the organization’s information
assurance policies, procedures, and guidelines
 cultivate a strong information assurance culture by making employees aware of
their responsibilities with regard to information assurance
 emphasize the fact that the organization is taking information assurance seriously
and therefore will train its employees about the importance of protecting the
organization’s information assets
 encourage employees to seek additional education about information assurance
 encourage employees to be more information assurance–conscious in their daily
tasks, for example, by considering information assurance risks when making
business decisions
 highlight management’s support for and commitment to information assurance
 inform employees about information assurance risks and controls in a general sense
and provide more specific information and guidance where necessary
Benefits of the AT&E Program
The following are the benefits introduced by awareness, training, and education
programs:
 raises an organization’s reputation and brand.
 minimizes the severity and number of information assurance incidents.
 provides better protection for assets.
 reduces the risk of lawsuits against the organization.
Design, Development, and Assessment of Programs
- Before organizations embark on any information security awareness or training
programs, take steps to ensure proper information assurance processes and
 26

information assurance roles and responsibilities have been established. This will
reveal that the organization is ready and committed to pursue the information
assurance initiatives with the employees’ support.
- A well-designed AT&E program begins with a needs analysis. Organizations should
develop an AT&E strategy based on the results of this assessment.
- Develop awareness and training materials to support the plan in the next phase.
Security awareness and training materials are widely available on the Web and can
be customized to any particular organization’s culture and strategic needs.
- Survey forms, evaluation forms, and independent observations can always be used as
input.
Types of Learning Programs
The types of programs usually consist of awareness, training, and education. There is
also a subtle difference between training and education. The former emphasizes more on
skill development especially in using the information system. The latter is more general
in the sense that it imparts general knowledge, preparing the audience for a more
mature life in managing security of information.
 Information Assurance Awareness. An Information Security Awareness Program is an
organized effort to make employees and customers aware of risks to personal and
institutional information and information technology, and to provide them with the
skills and knowledge necessary to avoid those risks.
 Information Assurance Training. Training aims to teach or improve an individual’s skill,
knowledge, or attitude, which allows a person to carry out a specific function, while
awareness aims to focus an individual’s attention on an issue or a set of issues.
Awareness explains “what” needs to be done and training explains “how” it should be
done.
 Information Assurance Education. In a training environment, the employee is taught
to use specific skills as part of specific job performance. In an education context,
the employee would be encouraged to examine and evaluate not only skills and
methods of work but fundamental operating principles and tenants upon which
job skills are based. A formal education program allows for acquisition of
knowledge, skills, and proper understanding of their role at the holistic level. This
will cultivate development of right behaviors, values, and wisdom.
Why an Information Security Awareness Program?
- Community members must understand security and privacy compliance requirements.
- Breaches can have serious legal and financial implications.
- Certain breaches must be investigated and reported promptly.
- Community members have a critical role in risk mitigation.
- Attackers are focusing on community members; it is important that they understand
the risks to their credentials, and other dangers.
- Community members need to understand how to work with security solutions.
Security Education and Awareness Procedures
1) Purpose: Security education and awareness refers to the methodology followed for
training, educating, and generating awareness for information technology security in
the workplace.
2) Scope: In accordance with the “security standards” incorporated into the Health
Information Portability and Accountability Act, security education and awareness
methods must be an integral part of the College of Public Health Information
Technology procedures and guidelines. Documented procedures for security
education and training reduce the risk that key information technology assets are
accessed inadvertently or inappropriately by persons without authority.
 27

3) Applicability: Security education and awareness plan is applicable to all College of
Public Health departmental administrators and supervisors responsible for
supervising employees and students. The Office of Information Technology is also
applicable as a participant/administrator of security education and awareness
procedures. Employees and students must participate, learn, and adhere to security
procedures.
4) Guidelines
- Required: All College of Public Health departmental administrators and supervisors
must understand the importance of security education and awareness, including the
process of educating employees and students.
- Required: Good communication between departmental administrators and the
College of Public Health Office of Information Technology is required, including the
process and procedures for security education and awareness.
- Required: All collegiate faculty, staff, and students must be willing to participate,
learn, and adhere to security procedures.
5) Security Education and Awareness Plan
The collegiate Office of Information Technology recommends the following practices for
educating faculty, staff, and students with regards to IT security. The majority of these
recommendations come from the advice of the National Institute for Standards and
Technology (NIST).
- Promotional/Specialty Items: Awareness relies on reaching broad audiences with
attractive packaging techniques. Messages or motivational slogans can easily serve as
refreshers on promotional or specialty trinket items, such as: badge holders, biometric
devices, calendars, coffee cups, first-aid kits, flags, frisbees, golf tees, greeting cards,
magnets, mousepads, notes and note pads, postcards, security screensavers, and t-shirts.
- Motivational Slogans: Examples of motivational slogans include:
Security is everyone’s responsibility!
SEC_RITY is not complete without U!
- Logon Access Banners

- Hands-on Training
- Videos
- Computer-based Awareness Materials
- Web-based Awareness Materials
- Posters or Flyers
 28

- Briefings, Articles, Newsletters and Magazines
- Exhibits
6) Contacts and Technical Experts
The Five Elements of a Successful Security Awareness Program
1. Education On the Different Types of Cyber Threats
o SPAM-This is not just limited to direct email anymore. You might receive an invite
from a “friend” to add them on LinkedIn. Major social networks we trust are a
common way for hackers to hide behind false identity and catch you in a weak
moment.
o MALWARE- Most simply defined as “malicious software,” malware is any type of
software designed to cause harm to a device such as worms, viruses, trojans and
rootkits.
o PHISHING-This is the practice hackers use to essentially cast a wide net of bait and
pull in whatever they catch. Phishing consists of emails that look genuine but
include dangerous links that steal passwords or personal information.
o WHALING- Whaling attacks specifically aim for high-profile individuals, such as
politicians or CEOs of large corporations with high-profile access to data and
financial information. However, small business owners aren’t exempt.
o FRAUD PREVENTION- Businesses can face fraud in a number of ways. Identity
theft tends to be the most prominent method with over 4.8 million reported cases
in 2020. Other methods of fraud include: return fraud, money fraud, workers
comp fraud and payroll fraud.
2. Email, Internet, Social Media And Privacy Policies
- It is important to explicitly outline rules for browsing and social media usage on
company devices, and while using company email addresses. The browsing habits
of your employees can be one of the largest threats your company faces in the fight
against malicious cyber schemes.
- It is crucial that your cybersecurity training includes rules on “What Not to Click”
and when to be hyper aware of social media emails that request a login.
- Certain websites are higher risks than others. So, to ensure complete safety, include
training on what websites and social networks might be off limits while on the
clock. Better yet, invest in software that flags suspicious emails and websites.
3. Secure Password Policies Combined with Multifactor Authentication
- Your passwords are the key to your cyber kingdom, and hackers have plenty of ways
to try to crack the code. The primary way cyber bullies obtain important
passwords is by making educated and calculated guesses until they get it right.
Educate your employees on the major Do’s and Don’ts in creating secure
passwords.
- The most important passwords are both professional and personal email and social
network passwords. If a hacker gains access to anyone’s email password they now
 29

have the liberty to click “Forgot My Password” on just about any account you’ve
created.
- Scary, right? Make sure your employees are well-versed in creating solid, secure
passcodes (or better yet, passphrases).
- The gold standard for password security occurs when a secure password is
combined with multifactor authentication (MFA). MFA, sometimes called two-
factor authentication (2FA), is an additional electronic authentication method
required to access a device, website or application. MFA methodology stems from a
combination of three elements to authenticate a user's identity: knowledge,
possession and inherence.
- Application of MFA often varies and most services allow users to choose between a
handful of authentication methods. Common MFA methods include one-time
passwords (OTP) generated from a physical token, authenticator app or SMS
message. Biometric authentication methods such as fingerprint or facial scans are
becoming more common, especially in the mobile space.
4. Threat Recognition and Response Training
- Phishing techniques have come a long way since the, “You’ve been selected to
receive $100,000, we just need your wiring info” tactic.
- For example, if employees receive an email that notifies them of a suspicious log-in
attempt to their Google account, have them take another look. Often, these links
can send users to a new page where inputting their login information grants the
hacker the access they’re looking for.
- Suspicious activity can also include urgent requests that invoke an impulse click or
downloadable PDF links that are corrupted. Regardless of the tactic, employees
must have an incident response plan.
- What to do if you spot a suspicious email: notify your IT team immediately and do
not click. Delete the email from your inbox or forward it to a secure inbox to be
analyzed.
- Just remember, always be on the lookout for unknown senders.
5. Regular Vulnerability Testing
- As a part of your ongoing training, you can implement risk assessment on your
computer networks and applications to pinpoint failure areas before they happen.
- Highly trained professionals can administer vulnerability testing for you, identifying
areas that compromise the privacy of your data and cause damage on multiple
fronts.
- Create periodic emails and clickable links that simulate phishers to see if your
employees are still alert and up to date in recognizing phony accounts and
requests. By scheduling weekly, bi-weekly or monthly simulated attacks, your
employees will actually become defense assets.
2.4 PHYSICAL AND ENVIRONMENTAL SECURITY CONTROLS
Physical and environmental security protects an organization’s physical infrastructure,
its equipment, and its facilities, as well as its employees, from physical events, threats,
or incidents. The main threats for physical and environmental security are:
 Energy, for example, electricity
 Equipment, for example, mechanical or electronic component failure
 Fire and Chemical, for example, explosion, smoke, or industrial pollution
 Human, for example, riot, war, terrorist attack, or bombing
 Natural Disaster, for example, earthquake, volcano, landslide, or tornado
 Pandemic disease, for example, bacteria or virus
 Radiation, for example, electromagnetic pulse
 Weather, for example, sandstorm, humidity, flood, or lightning
 30

Benefits
Organizations benefit by establishing physical and environmental security
controls/countermeasures to protect information in storage, transit, and processing.
These countermeasures help protect information-processing systems from the following
events:
 Environmental disruption. Natural disasters and man-made environmental problems
are regarded as some of the most prevalent threats today. For example, fire can
destroy buildings. Floods can cause damage to infrastructure, assets, and data.
 Interruptions to service. Serious business interruption may cause business disaster. If
an organization faces services disruptions because of breaches of physical security,
the organization’s reputation will be at stake. This may lead to loss of public
confidence.
 Loss of system integrity. If intruders are able to gain physical access to hardware
components, they may be able to bypass logical access controls. With this access,
they may perform malicious acts on systems and components. These activities can
cause loss of information system availability, confidentiality, and integrity.
 Physical damage. The acts of sabotage or vandalism can impair hardware
components. Damaged media may raise concerns on data confidentiality, integrity,
and availability.
 Physical theft. In the event of loss of hardware components because of physical theft
(or robbery), organizational functions may be interrupted particularly if the
organization does not have backup or fails to replace stolen components in a timely
manner.
 Unauthorized disclosure of information. Insufficient physical security controls may
enable intruders to obtain easy access to an organization’s information assets. This
will place the security of classified information at risk.
Physical and environmental security is best managed using a layered defense approach.
The layered defense approaches for physical and environmental security are divided into
two broad areas:
 Physical security of premises and offices
 Physical security of equipment
Physical Security of Premises and Offices
 Physical Security of Premises. The first line of defense in safeguarding employees,
information resources, and property is the security perimeter. Examples of ways to
provide physical protection are fences and creating layered physical barriers
around the premises and information-processing facilities, including a manned
reception area, security guards, or intrusion alarm systems. Perimeter protection
also includes deploying lockable doors and windows, grills for windows, and fire
escapes.
 Physical Entry Controls. Physical entry controls restrict access to information-
processing resources by allowing only authorized individuals in the area. Minimal
physical entry controls should include the positive identification of all employees,
vendors, and visitors at each point of entry. The following provides further
explanation about access controls for employees and visitors:
- Employee access Restriction of employee access depends on the need for access,
job function, and responsibilities. Positive identification and access control are
mandatory; therefore, all employees should be required to wear some form of
visible identification (ID badge) at all times whenever they are on the premises.
 31

- Visitor access. Permit visitor access only to those areas where they have specific
and official purposes. A record of visitors who enter the premises should be
maintained. The dates and times of their admissions and departures should be
logged. This recording may be accomplished with a card access control system,
a sign-in log, or other mechanisms.
 Securing Offices, Rooms, and Facilities. Secure areas are frequently called enclaves.
For example, network and communications equipment rooms or human resources
offices are enclaves that may require additional controls. Physical security is an
ideal tool for compartmenting information; consider using badge readers or cipher
locks that require a unique code, key, and/or badge for entry. By combining a
badge with a key code, the organization has a two-factor physical access system.
 Working in Secure Areas. The physical security should accommodate third parties
working in the area. A secure work area may include closed circuit television
(CCTV) and card-controlled doors.
 Public Access Delivery and Loading Areas. It is important that access to areas such
as entry, delivery, and loading areas is limited to authorized individuals. If
possible, separate these entrance and exit areas from secure areas to minimize
threats.
 Duress. In high-risk environments, organizations should establish a duress alarm
or code that gives a covert alert about an increased risk situations. For example, a
physical security alarm causes the security operations center to call a guard
station. The operations personnel asks the guard if everything is okay. The guard
responds, “Everything is fine; the zebra system is down again.” The operation
center immediately dispatches law enforcement to the guard’s location. What
happened? The term “zebra system is down” is a predesignated signal to indicate
the guard was under duress. Perhaps someone was threatening the guard and
telling him he must tell the operations center “everything is fine” while thieves
attempted to rob the organization. To be effective, duress codes must be
maintained confidentially within the organization, and their implementation must
be practiced by those who routinely use them. A duress alarm response procedure
should be in place to ensure that every alarm is handled properly and
immediately.
 Physical Security of Equipment. Organizations should physically protect
information-processing equipment to minimize the risk of unauthorized access to
information, as well as to safeguard against loss or damage. For example, if
someone has physical access to your network equipment, it is easier for them to
modify the security profile of the equipment than by trying to do it electronically
from offsite.
 Equipment Placement and Protection. Organizations should secure equipment from
environmental threats, hazards, and opportunities for unauthorized access.
Organizational
assets face destruction from exposure to fire, smoke, water, and other hazards, so
information and information processing resources should be protected with a
diverse set of countermeasures:
- Fire Installing fire sensors, heat sensors, smoke sensors, fire extinguishers, or
sprinkler systems can reduce risks from fire hazards.
-Sprinklers. Water-based sprinklers should be dry pipe systems that do not have
water in normal conditions. They work by displacing the oxygen in the room.
 32

However, the gasses may be dangerous to personnel, and special training is
necessary. The systems should sound an alarm for the fire, as well as alert
personnel to leave the area before the fire-fighting material is deployed.
-Smoke. Smoke may originate from malfunctioning computer systems or electrical
fires, such as those caused by power transformers. Install smoke detectors both
inside computer rooms and directly outside; ensure the smoke detectors work in
the plenum areas above and below the room. Not only can the smoke damage
sensitive equipment, but it may also cause a false alarm and set off fire
suppression systems.
-Water. Water can damage power supply facilities and information-processing
equipment. There are two types of sprinkler systems: wet and dry. In wet systems,
the pipes are always charged with water, while dry systems fill with water only if
there is evidence of a fire. A “wet” pipe sprinkler system may cause damage by
simple leakage or breakage from natural disasters.
 Supporting Utilities. Organizations require supporting utilities such as electric
power, heating and air conditioning, and telecommunications equipment, which if
disrupted lead
to a loss of availability.
 Heating, ventilation, and air conditioning (HVAC). Computer systems that manage
critical information should have air-conditioning units that provide continuous
monitoring and recording of temperature and humidity. Humidity must be
managed to minimize static electricity from low humidity and equipment damage
from condensation from high humidity. Install heat sensors inside the computers,
in the computer rooms, and directly outside the rooms to warn of any noticeable
rise in temperature, through either an audible or a visible alarm.
Equipment Maintenance. Organizations should perform maintenance of information
processing equipment based on the manufacturer‘s recommended service intervals and
specifications. The task of fixing and servicing the equipment should be done only by
authorized personnel. Record all faults noticed, documented, and maintained. All
maintenance services to the equipment either onsite or sent off the premises also need to
be recorded and tracked.
Physical Security of Equipment Off-Premises. Use of any equipment outside an
organization’s premises should be authorized by management. Prior to granting
authorizations, management should carefully consider the risks of working outside the
organization. Users should also be educated about the approved methods of handling
equipment off-premises, for example, using procedures to respond to locking down,
damage, loss, and theft of equipment.
Secure Disposal and Reuse of Equipment
Proper protection and disposal of sensitive or confidential information is important. Take
proper precautions to ensure that all information stored in the equipment is eradicated
prior to donation or disposal. It is advisable that equipment with hard disks containing
sensitive information should not be passed on. Equipment sent for repair is equally
prone to unauthorized reading of data from deleted storage devices. Therefore, the device
should undergo thorough erasing and overwriting to wipe out the data instead of via the
standard delete function. If this is not practical, ship it for repair without the disk drive.
Clear Desk and Clear Screen Policy
On another physical security front, the implementation of a clear desk and clear screen
 33

policy is an effective control for organization information assets.
Apply the following guidelines:
- Lock away classified material when not in the area.
- Do not leave classified information on unattended printers.
- Log off sessions or protect the system with a key lock whenever personal computers or
computer terminals are left unattended; use passwords and protected screensavers to
provide protection.
- Secure incoming and outgoing mail boxes and unattended fax machines to avoid
unauthorized access.
- Use a suitable storage place (ideally in a cabinet or fire-resistant safe) when paper or
electronic storage media that holds sensitive information is not needed.
2.5 PREVENTIVE INFORMATION ASSURANCE TOOLS
The following sections discuss tools used to establish preventive controls.
Preventive Information Assurance Tools Content Filters
Content Filters. Content filters control the access of end users to portions of the
Internet. These tools allow network administrators to block access selectively to certain
types of web sites based on predefined local policy. For example, video streaming sites
can be blocked to conserve bandwidth. Content filters are implemented by several
industries with differing levels of success and acceptance. In some areas, this practice
has been controversial. Typically, the benefit of blocking malicious web sites outweighs
the social cost of restricting browsing. The most successful implementations of content
filters contain a process through which users can request web sites be unblocked after it
has been analyzed to determine whether it should be opened for use.
Cryptographic Protocols and Tools. Cryptography is a technique for hiding information
by transforming it so that only authorized individuals can access it in its original form.
All others are denied access since they cannot decrypt the information. Cryptographic
tools also provide confidentiality, integrity, and nonrepudiation protection. Encryption
techniques for hosts range from encryption of the entire hard disk, database encryption,
selective folder (group of files) encryption, or individual file encryption. Specially
designed secure network protocols are used to secure data traveling over networks such
as the Internet. Examples of protocols that implement network services include Secure
Sockets Layer (SSL), Transport Layer Security (TLS), and IP Security (IPSec) protocols.
SSL and TLS are preferred information security protocols in web environments, while
IPSec protocols are preferred for implementing virtual private networks (VPNs).
Firewalls. A firewall is a security device in the form of computer hardware or software. It
can help protect your network by acting as an intermediary between your internal
network and outside traffic. It monitors attempts to gain access to your operating system
and blocks unwanted incoming traffic and unrecognized sources.
Network Intrusion Prevention System. NIPS is a type of network security software that
detects malicious activity on a network, reports information about said activity, and
takes steps to block or stop the activity from occurring automatically. NIPS uses packet
inspection as well as anomaly, signature, and policy-based inspections to evaluate
whether the traffic is legitimate or not.
Proxy Servers. Proxy servers act as an intermediary between clients and the Internet by
allowing clients to make indirect connections to other network services through them.
Proxy servers can be configured to require authentication of the end user, restricting
communication to a defined set of protocols, applying access control restrictions, and
carrying out auditing and logging. Care should be used with proxy servers since they can
be used to disguise sources of traffic (anonymized). The simplest form of a proxy server is
called a gateway. They can also be used to cache web content.
 34

Public Key Infrastructure. PKI is a general term that defines the technology used to
encrypt and authenticate data during transmissions. Encryption makes the data
unreadable, allowing only authorized entities to decrypt (i.e. read) them. Authentication
ensures data integrity by proving that 1) the data is not modified during transmission,
and that 2) the sender of the data is who they claim to be. As mentioned above,
authentication is the process of verifying the integrity of data and the identity of the
sender. This is done through a digital certificate.
- Digital Certificates. In the digital world, each entity is associated with a digital
certificate that serves as its identity. An entity does not have to be a person or a
device, it can literally be anything, like a software program, a process, or even an
action. Just as how we prove our identity in the real world with passports and photo
IDs, in the digital world, a digital certificate does the job.
- Certified Authorities. Let us say you want to log in to your online banking account. In
this case, you, as the client, is sending a request to the bank’s server to retrieve your
account information and display it through the web application. In this process, the
bank’s server verifies your digital certificate generated by the certified authority (CA)
trusted by the bank. (Just as how the immigration officer trusts your passport’s
issuance authority.) Certified authorities are usually third-party firms that specialize
in generating digital certificates. For example, Penta Security’s ISign+ is a certified
authority that issues digital certificates trusted by many financial institutions. PKI
works by encrypting data (in this case, digital certificate) with a cryptographic key,
while having a separate key for decrypting it. The point here is to have one key for
encryption and another for decryption. One of them is a private key, held by the key
owner, while the other is a public key, shared with the public. The process works like
this. The owner of the certificate first encrypts it with the private key, then hands
over the public key to the bank. The bank would decrypt it with the public key and
verify the owner’s identity, and authenticate the user to access their account.

An easy-to-understand encryption is an old-fashioned shift cipher (substitution cipher),
or what’s more commonly known as the Caesar cipher. In this type of encryption,
plaintext letters “shift” a set number of spaces depending on the secret key. For example,
the word “CERTIFICATE” becomes the ciphertext “IKXZOLOIGZK” if your key is “6”
because you’ve shifted each letter six spaces.
 35

A basic example of how a shift cipher (Caesar cipher) works.
The main ways that PKI security can be used are:
 Securing emails
 Securing web communications (such as retail transactions)
 Digitally signing software
 Digitally signing applications
 Encrypting files
 Decrypting files
 Smart card authentication
Virtual Private Networks. A VPN creates a secure tunnel between your device (e.g.
smartphone or laptop) and the internet. The VPN allows you to send your data via an
encrypted, secure connection to an external server: the VPN server. From there, your
data will be sent onward to its destination on the internet. Rerouting your internet traffic
through a VPN server has several advantages. First, it helps you hide your identity
online. Second, it secures your data. And third, it allows you to use the internet more
freely. Connecting to a VPN is generally quite simple. After subscribing to a VPN
provider, you download and install the VPN software. You then select a server you want
to connect to and the VPN will do the rest. When the connection has been established,
the following will happen to your data:
1. The VPN software on your computer encrypts your data traffic and sends it to the
VPN server through a secure connection. The data also goes through your Internet
Service Provider, but they can no longer snoop because of the encryption.
2. The encrypted data from your computer is decrypted by the VPN server.
3. The VPN server will send your data on to the internet and receive a reply, which is
meant for you, the user.
4. The traffic is then encrypted again by the VPN-server and is sent back to you.
5. The VPN-software on your device will decrypt the data so you can actually
understand and use it.

The VPN application runs in the background of your computer, tablet, or
smartphone. You can access the internet as you normally would and will not notice
anything different – save for the fact that you will be able to get around online
restrictions.
Preventive Information Assurance Controls
The full suite of preventive information assurance mechanisms that can be used
follows.
1) Backups. A backup is a copy of information assets: data, software, or hardware. It
is an essential preventive process for information assurance; it mitigates risks and
helps to ensure business continuity. A backup makes restoration (restitution)
possible when needed, ensuring that data can be recovered when needed, software
can be recovered during application corruption, and hardware is replaceable
during disaster.
There are also different types of backup, such as full backup, differential backup,
incremental backup, and mirror backup, which can be conducted at different
 36

times.
Backing up systems is important, but more important is the correct restoration of
the backup.
2) Change Management and Configuration Management
If an organization is to remain competitive, it should be prepared to change
continuously since the environment is not static. Change comes from a variety of
sources. The following are sources of change drivers that should be addressed and
managed effectively in the business and IT environment:
- Alliances and partnerships
- Business market demands
- Competitive markets
- Operational issues
- Regulations changes
Change management and configuration management work hand-in-hand. The
change management system defines and controls a configuration. For example,
maintaining accurate configuration information for all the constituent parts of the
IT service and infrastructure involves identifying, recording, and tracking all IT
components. In addition, it includes versions, constituent components, and
relationships of configurations.
3) IT Support. During day-to-day operations, the IT support or help-desk employees
encounter myriad problems. Information technology support should be able to
identify the nature of the problem and determine whether the problem should be
raised to a higher level. Maintenance of logs and appropriate SPC activities may
narrow down the problem.
4) Media Controls and Documentation. Organizations must safeguard all media,
including tapes, disks, and printouts. Operational controls addressing media
protection may include the following:
- Environmental protection against problems relating to fires, air conditioning, and
humidity
- Logging of usage (for example, users should check in and check out the media)
- Maintenance of the media including overwriting or erasing of data and disposal of
media
- Prevention of unauthorized access
- Proper labeling of media providing information such as the owner’s name, date of
creation, version, and classification Storage considerations, such as off-site
locations or in locked server rooms
5) Patch Management. It is part of configuration management. Common practices
for an effective patch management include the following: standardized patch
management policies, procedures, and tools. Examine tools to assist, facilitate,
and automate the patch management process.
- Establishing dedicated resources. One of the most important items in a patch
management process is to ensure that roles and responsibilities are identified
and defined for those involved in maintaining an organization’s systems and
applications.
Their task would be to ensure that these systems and applications are updated
with the current released patches.
- Monitoring and identifying relevant vulnerabilities and patches. Currently,
vulnerabilities and patches appear on a daily basis. Organizations must identify
and monitor vulnerabilities proactively. Ensure software in use is supported by
the vendor and the vendor is contractually required to address security issues
discovered.
 37

- Identifying risk in applying a patch. Apart from considering the criticality of
vulnerability, an organization should consider the importance of the system in
question to operations and the risk of applying a patch. The organization has
the option not to follow the vendor’s advice. This is to ensure that the patch
management process does not disrupt the systems’ operations.
- Testing a patch before installing. Implementing the patch management process
assures the information of the IT infrastructure; however, organizations should
first assess the patches in a test environment. This is to determine the impact
of installing the patch and making certain that it does not disrupt the IT
operations. Such testing will help determine whether a patch functions as
intended and does
not have an adverse effect on the existing system.
2.6 ACCESS CONTROL
This section presents a discussion about the importance and the techniques commonly
used for access control.
1) Access Control: The Benefits. In today’s global business, an authorized user should
have access to required resources at any time and from anywhere (availability).
Access control is the first line of defense to protect the system from unauthorized
modification (integrity). A benefit of access control is that it serves as an auditing tool.
You can use auditing tools to trace information security breaches, incidents, and
events.
2) Access Control Types. There are two broad types of access control: physical and
logical. Organizations usually manage physical access with human, technological, or
mechanical controls. A physical control might be biometric identification technology
used to restrict entry to a property, a building, or a room to authorized persons.
Logical access controls manage access based on processes such as identification,
authentication, authorization, and accountability. Examples of logical access controls
are digital signatures and hashing.
3) Access Control Models. An access control model defines how subjects access
objects. There are three types of access control models: discretionary, mandatory, and
nondiscretionary (also known as role based). An organization’s mission or business
requirements will drive the type of model used. An organization can opt for one of the
following mentioned models or a combination of them. Organizations should also
consider their culture and the nature of business to decide which model to use.
- Discretionary Access Control Model. In a discretionary access control (DAC) model,
the owner of the object determines the access policy. The owner decides which
subjects may access the object and what privileges the subject has. For example,
the file owner on a network defines which subjects (who) can access files and what
privileges a subject can have over those files, such as reading, deletion, or
modification. Windows, Apple, and various Linux systems adopt the DAC model.
DAC Example
 It is through the discretionary model that Sean can share his hard drive with
Michelle so that Michelle can copy all of Sean’s presentations.
 Sean can also block access to his hard drive from his manager since the manager
may not approve of his sharing presentations with other divisions.
 A further weakness of DAC systems is that if Sean receives malicious code, it
executes at Sean’s privilege level.
 Finally, if Sean does not know what every person is involved in, he may
inadvertently give access to the wrong person for the wrong reason. This
necessitates a strong need for information assurance AT&E programs in
organizations using DAC.
 38

- Role-Based Access Control Model. The role-Based Access Control (RBAC) model uses
a centrally managed set of rules, which grants access to objects based on the roles
of the subject. Since subjects are not assigned permission directly like with other
models, they acquire it through their role (or roles), and the management of access
becomes relatively easier.
- Mandatory Access Control Model. A mandatory access control (MAC) is a more
sophisticated model commonly used to control access to sensitive or controlled
data in systems with multiple levels of classification. In MAC systems, the owner
does not establish the access policy. In fact, the system decides on the access
control based on the information security classification and policy rules. Here
subjects have labels reflecting their category or classification (e.g., secret, top
secret, and confidential), and objects are similarly categorized or classified
MAC Example
 Gereon has a clearance for documents classified secret, but the document he
has
requested has the classification of top secret.
 His access in this case will be denied because his clearance is not equal to, or
higher than, the classification of the object.
 Gereon may also have a secret document that he wants to post to the top-
secret file system.
 In this case, he will be denied because the label of the object he wants to post
is not equal to, or higher than, the file system he wants to use (based on the
Biba rule).
4) Access Control Techniques. Selecting an access control model needs to complement
the selection of proper access control techniques. The following section sheds light on
the techniques that can be used based on the model that has been selected.
- Rule-Based Access Control. A rule-based access control uses simple rules to
determine the result of privileges, which a subject can have over an object. This
just determines what can and cannot be allowed. The configuration rules of
routers are another good example of rule-based access controls, which are the
same for all, rather than specific to an individual. When a particular account or
group attempts to access a resource, the operating system checks the rules
contained in the ACL for that object.
- Access Control Matrix. An access control matrix or access matrix is usually a static,
abstract, formal computer protection and information assurance model used in
computer systems. When implemented, it characterizes the relationship of each
subject to every object in the system. An access control matrix represents the
relationship of subjects and objects in a tabulated form. Each cell (intersection of
the subject and object) defines the privileges for the “right to use” the object by the
subject.
- Access Control Lists. An ACL is another technique used to represent accessibility. An
ACL is a list containing information about the individual or group permission
given to an object; the ACL specifies the access level and functions allowed onto
the object. There are two types of ACLs. Network ACLs are implemented on servers
and routers (layer 3). File system ACLs implement file access by tracking subjects’
access to objects. Clearly, an ACL should be well protected from unauthorized
modification.
- Capability Tables. A capability table is an authorization table that identifies a
subject and specifies the access right allowed to that subject. The rows of the table
list the capabilities that the subject can have with respect to all of the objects. A
capability table is bound to a subject, whereas an ACL is bound to an object.
Capability tables are frequently used to implement the RBAC model.
 39

- Constrained User Interfaces. A constrained user interface is a way to limit access of
subjects to a resource or information by presenting them with only the
information, function, or access to the resource for which they have privileges.
For example, the operating system of an ATM is capable of all kinds of commands,
but a user is presented with the constrained/limited options to do personal
banking.
- Content-Dependent Access Control. This technique is used in databases. As the
name suggests, access to objects is dependent on the content of the objects
themselves. This access control technique aims at controlling the availability of
information by means of views.
Example of a Content-Dependent Access Control
 Jack and Jill are two customer service employees of a bank.
 When Jack logs on to the client complaints system, he can just see the
pending complaint details handled by him but will not be able to see the
pending complaint details handled by Jill.
- Context-Dependent Access Control. Context-dependent access control defines the
access controls of a subject on objects based on a context or situation. A firewall is
a good example of context dependent access control because it understands the
necessary steps of communication pertaining to specific protocols.
5) Access Control Administration. The administration of access controls is critical to
implementing access controls. Access control administration can be centralized or
decentralized. The following section discusses the two modes of access control
administration.
- Centralized Access Control Administration. The central administration may be
contained in a department, unit, or information security administrator. This
management approach ensures uniformity across the organization. This approach
can be slow because all changes are processed by a single entity.
- Decentralized Access Control Administration. Decentralized management gives
control to people who are closer to the objects. This mode is usually faster since
changes are made to a function rather than to the whole organization. It does not
have the organizational momentum caused by just one entity making all the
changes. However, decentralized access control does not ensure uniformity.
 40

CHECK YOUR PROGRESS 2
Instructions:
1) Where do you think security should fit into the SDLC? Why?
2) If a program has no syntax errors, can we assume that it is secure?
3) Select at least two (applicable) and describe how the following physical security of
premises and offices are implemented in a certain institution:
a) Physical Security of Premises
b) Physical Entry Controls
c) Securing Offices, Rooms, and Facilities
d) Working in Secure Areas
e) Public Access Delivery and Loading Areas
f) Duress
g) Physical Security of Equipment
h) Equipment Placement and Protection
i) Supporting Utilities
j) Heating, ventilation, and air conditioning (HVAC)
4) Select at least one (applicable) and describe how an institution implements the
following preventive information assurance controls?
a) Backups
b) Change Management and Configuration Management
c) IT Support.
d) Media Controls and Documentation
e) Patch Management
5) Select at least one (applicable) and describe how the following access control
techniques are implemented by a certain institution?
a) Rule-Based Access Control
b) Access Control Matrix
c) Access Control Lists
d) Capability Tables
e) Constrained User Interfaces
f) Content-Dependent Access Control
g) Context-Dependent Access Control

LABORATORY ACTIVITY 2.1
1) Demonstrate at least one of the secure code practices using a programming language
or tool of your choice.
2) Create a security education and awareness plan in any of the following forms:
a) Promotional/specialty items;
b) hands-on training;
c) videos;
d) computer-based awareness materials;
e) web-based awareness materials;
f) posters or flyers; briefings, articles, newsletters and magazines; and
g) exhibits.