UNIT_2_210301502_INFORMATION SECURITY.pdf

Full Transcript

BCA
SEMESTER – 5
210301502
INFORMATION SECURITY
 0301602 INFORMATION SECURITY

UNIT MODULES WEIGHTAGE

1 INTRODUCTION AND NEED FOR INFORMATION 20 %
SECURITY

2 PHYSICAL AND OPERATIONS SECURITY 20 %

3 TELECOMMUNICATIONS, NETWORK AND 20 %
INTERNET SECURITY AND APPLICATION
DEVELOPMENT SECURITY
4 ACCESS CONTROL SYSTEM AND 20 %
METHODOLOGY AND CRYPTOGRAPHY

5 LAW, INVESTIGATIONS AND ETHICS 20 %
Unit -2 Physical and Operations Security

Physical Security
− Introduction
− Understanding the Physical Security Domain
− Physical Security Threats
− Providing Physical Security
Operation Security
− Introduction
− Operations Security Principles
− Operations Security Process Controls In Action
Unit -2 Physical Security

Introduction
− We must overlooked connection between Physical
System (Computer hardware) and Logical systems
(software) in order to protect logical systems.
− If we can't protect our hardware, we can't protect
the programs and data running on hardware.
Unit -2 Physical Security

Introduction
− Physical Security Deals with
Building
Computer Rooms
Devices
Etc...
− Physcial security involves protecting site from natural
and man made physical threats through proper plan
that secure devices from unauthorized physical contact.
Unit -2 Physical Security

Understanding the Physical Security Domain
− The physical security domain includes the more traditional
safeguards against threats, both intentional and
unintentional, to the physical environment and the
surrounding infrastructure.
− Example – Entry procedure for Goverment / Private
Company
− The level of physical security is typically proportional to
the the value of the property that is being protected.
− High level research generally use more sophisticated
physical security checks, including biometrics as the
primary level.
Unit -2 Physical Security

Following areas need to understand to implement physical
security.
− How to choose a secure site (location) and
guarantee the correct design ?
− How to secure a site against unauthorised access?
− How to protoect equipment against theft ?
− How to protect the people and property within an
installation ?
Unit -2 Physical Security Threats

The major categories of physical security threats, as
defined in the CBK (Common Body of Knowledge) are:
1) Weather
Tarnadoes, hurricanes, floods, fire, snow, ice, heat,
cold, humidity and so forth....
2) Fire / Chemical
Explosion, toxic waste/gases, smoke, fire.
3) Earth Movement
EarthQuakes, mudslides
Unit -2 Physical Security Threats
The major categories of physical security threats, as defined in
the CBK (Common Body of Knowledge) are:
4) Structural Failure
Building collapse due to moveing objects (car, planes,
trucks) or natural objects (snow, ice, flood)
5) Energy
Loss of power, radiation, magnetic wave interference....
6) Biological
Virus, bacteria, infestations of animals ect...
7) Human
Strikes, sabotage, terrorism, war.......
Unit -2 Providing Physical Security
Five areas of physical security that address the
aforementioned types of physical security threats:
1) Educating Personnel
2) Administrative controls
3) Physical controls
4) Technical Controls
5) Environmental / life safety controls
Unit -2 Providing Physical Security
1) Educating Personnel
An educated staff, made aware of the potential for theft
and misuse of facilities and equipment.
Employees should be reminded periodically of the
importance of helping to secure their surroundings including:
Physical & environmental consideration to protect
computer systems.
Emergency & disaster plans
Monitoring unauthorised use of equipments
Reporting unusual & suspicious activity
Recognizing security objectives.
Unit -2 Providing Physical Security
1) Educating Personnel
An organization can educate its staff on the
importance of their physica security through the use of
self – paced or formal instruction, bulletins, posters,
training films or awareness days.
Unit -2 Providing Physical Security
2) Administrative Access Controls
Administrator access controls, addresses the procedural
and codified application of physical contorls.
Restricting Work Area
A physical security plan – identify the access rights to
the site
Escort Requirements and Visitor Control
Company have long had some kind of procedure for
requiring visitors to “sign in” and specify a purpose
for their visit and wait for an escort that authorizes
their presence before grantingaccess to the visitors.
Unit -2 Providing Physical Security
Site Selection
Site designers and planners must make at tleast the
following considerations when deciding on the location
for a facility.
Visibility
Locale considerations
Natural Disasters
Transportation
Unit -2 Providing Physical Security
3) Physical Security controls
Here need to controls the perimeter of the data center,
employee and visitor badging etc.
Perimeter Security Controls
Badging (Icard)
Key and combination Locks
Security Dogs
Lighting
Unit -2 Providing Physical Security
4) Technical Controls
The more prominent technical controls include
Smart / dumb cards
Audit trails / access logs
Intrusion detection
Perimeter instrusion Detectors
Motion Detectors
Biometric access conrtrols
Unit -2 Providing Physical Security
5) Environmental / Life-Safety Controls
The more prominent technical controls include
Power
Fire Detection and Suppression
Heating, Ventilation and Air Conditioning
Unit -2 Operations Security

Introduction
− Operations security is used to identify the controls
over software, hardware, media, and the operators
and administrators who possess elevated access
privileges to any of these resources.
Unit -2 Operations Security

Introduction
− Operations security is primarily concerned with data
center operations processes, personnel and
techology and is needed to protect assets from
threats during normal use.
Unit -2 Operations Security

Introduction
− Specific types of controls are needed to impement the security
necessary to protect assets.
Preventative controls
− reduce the frequency and impact of error and prevent
unautorized intruders.
− Ex : Firewall and Antivirus s/w
Detective Controls
− Discover errors once they have occurred.
Ex : Log Analysis: Regular review of system logs to identify unauthorized
access attempts.
Unit -2 Operations Security

Introduction
− Specific types of controls are needed to impement the security necessary
to protect assets.
Corrective or Recovery controls
− Help mitigate the impact of a loss.
− Ex : Backup and Patch Management
Deterrent Controls
− Encourage compliance with external controls.
− A deterrent control is anything intended to warn a would-be attacker
that they should not attack. This could be a posted warning notice
Ex : Security Policies , Surveillance Cameras
Unit -2 Operations Security

Introduction
− Specific types of controls are needed to impement the
security necessary to protect assets.
Application – level controls
− Minimize and detect software operational irregularities.
Ex : Input Validation , Authentication and Authorization
Transaction – level controls
− Provide control over various stages of a transaction.
Ex : Double-Entry Verification , Audit Trails
Unit -2 Operations Security Principles

The principle of least privilege, or need-to-know
− defines a minimum set of access rights or privileges
needed to perform a specific job description.
Separation of duties
− Is a type of control that shows up in most security
processes to make certain that no single person has
excessive privileges that could be used to conduct
hard-to-detect business fraud.
Unit -2 Operations Security Principles

Separation of duties is one of the six key elements of a strong system
of internal and security controls.
1) Employing competent, trustworthy people with clear lines of
authority and responsibility.
2) Having adequate separation of job and process duties.
3) Having proper procedures for authorizing transactions or
changes to information.
4) Maintaining adequate documents and records.
5) Maintaining appropriate physical controls over assets and
records.
6) Executing independent checks on performance.
Unit -2 Operations Security Principles

Separation of duties (benefits)
− It enables one person's work to server as a
complementary check on another person's work.
− This implies that no one person has complete control
over any transaction or process from beginnig to
end.
Unit -2 Operations Security Controls in Action

To ensure operation security, the individuals in charge of information
security must keep a number of things in mind at all times. There
are :
− Software Support
− Configuration and change management
− Backups
− Media controls
− Documentation
− Maintenance
− Interdependencies
Unit -2 Operations Security Controls in Action
Software Support
− Softeware is the heart of an organization's computer
operations.
− Several elements of control are needed for software
support:
1) Limiting what software is used on a given system.
2) Inspect or test software befoe it is loaded ( This
applies to new software, upgrades, off-the-shelf product
ect.)
3) Software is properly licensed.
4) To assure that software is not modified without proper
autorization.
Unit -2 Operations Security Controls in Action
Media Controls
− Media controls include a variety of measures to
provide physical and environmental protection and
accountability for tapes, diskettess, CD's, Zip etc.
− Extent of media control depends on many factors,
including the type of data, the quantity of media, and
the nature of the user environment.
Unit -2 Operations Security Controls in Action
Media Controls
− Some of the common media controls are described in
the sections below:
Marking
Logging
Integrity Verification
Physical Access Protection
Environmental Protection
Transmittal
Disposition
Unit -2 Operations Security Controls in Action
Marking - Media Controls
− Controlling media may require some form of marking
or physical labeling.
− The label can be used to identify media with special
handling instructions, locate needed information or
log media to support accountability.
− On Road Survellience Camera
Unit -2 Operations Security Controls in Action
Logging - Media Controls
− Logging media supports accountability.
− Logs can include control numbers, the times and
dates of transfers, names and signatures of
individuals involved.
Unit -2 Operations Security Controls in Action
Integrity Verification - Media Controls
− When electronically stored information is read into a
computer system, it may be necessary to determine
whether it has been read correctly or subject to any
modification.
− The integrity of electronic information can be
verified using error detection ad correction.
Unit -2 Operations Security Controls in Action
Physical Access Protection - Media Controls
− Media can be stolen, destroyed, replaced with look-
alike copy or lost.
− So need to locked door, desk, cabinets etc.
− Physical protection of media shoud be extnded to
backup copies stored offsite.
Environmental Protection - Media Controls
− Megnetic media required environmental protection,
because they are sensitive to temperature, liquids,
magnetism etc.
Unit -2 Operations Security Controls in Action
Transmittal - Media Controls
− Media control may be transferred both within the
organization and outside elements.
− Possibilities for securing such transmittal include
sealed and marked envelopes, authorized
messenger or courier.
Unit -2 Operations Security Controls in Action
Disposition - Media Controls
− When media is disposed of, it may be important to
ensure that information is not improperly disclosed.
− The technique of permanently removing information
from media, called sanitization.
− Overwritting
− Degaussing
Is a method to magnetically erase data from
magnetic media.
− Destruction
Unit -2 Operations Security Controls in Action
Documentation
− Security of a system also need to be documented.
− This includes many types of documentation:
Security plans
Contigency plans
Risk analyses
Security policies and procedures
Unit -2 Operations Security Controls in Action
Maintenance
− System maintenance requires either physical or logical
access to the system.
− One of the most common methods that hackers use
to break into systems is through maintenance
accounts.
Unit -2 Operations Security Controls in Action
Interdependencies
− Supports and operations components coexist in most
computer security controls. These components are:
Personnel
Incident Handling
Contingency planning
Security awareness, training and education
Physical and environmental
Technical controls
Assurance