IT Security Concepts

D. Chakravarty,
d_chakravarty@bsnl.co.in
Advanced Level Telecom Training Centre, Ghaziabad

12/19/2013

Course Name / Topic Name

Times of India: 02 Oct, 2013

ALTTC, Ghaziabad
5

Information Security
ISO /IEC: 27001:2013 defines this as the preservation of:

Confidentiality
Ensuring that information is accessible only to those authorized
to have access

Integrity
Safeguarding the accuracy and completeness of information and
processing methods

Availability
Ensuring that authorized users have access to information and
associated assets when required
6

12/19/2013

Course Name / Topic Name

Confidentiality

Difficult to maintain

Integrity

Difficult to maintain

Availability
8

12/19/2013

Very good

Course Name / Topic Name

Information Security Threats

Motives for attack

10

Intelligence
Financial Gain
Bragging Rights / trophies
Gaining Access
Thrill
Political Hacktivism
Fun and Games

12/19/2013

Course Name / Topic Name

Classification of Info Security Threats

Transmission Threats: Eavesdropping/Sniffers, Emanations, Dos, Covert
channel, Spoofing, Tunneling, Masquerading/man-in-the middle attacks

Malicious Code Threats: Virus, Worms , Trojans , Spyware/adware, Logic

Bombs, Backdoors

Password Threats: Password crackers

Social engineering: Dumpster diving, Impersonation, Shoulder surfing
Physical Threats: Physical access, Spying
Application Threats: Buffer overflows, SQL Injection, Cross-side Scripting,
Improper usage/Un-authorized access: Hackers: Greyhats, Whitehats, Black
hats, Internal intruders, Defacement , Open Proxy, Spam, Phishing

Other Threats : Data remanence, Mobile code

11

12/19/2013

Course Name / Topic Name

How to Secure Information?

It involves
The security at all levels viz

12

Network
OS
Application
Data

Hacking is not difficult

Attack tools are available
Ready made exploits
Attack Tools (e.g.)
Port Scanners (Fport, Hping2 ..)
Vulnerability Scanners (Retina)
Password Crackers (John the Ripper..)

13

Security Attacks
Gather Information :ping, dig, finger, tracert
Find vulnerabilities
Start with mild tools

14

Security Incidents - Reasons

Malware (Malicious Codes)
Known Vulnerabilities
Configuration Errors

15

Various Malicious Codes

16

Virus
Worms
Trojan Horses
Bots
Key Loggers

17

12/19/2013

Course Name / Topic Name

18

12/19/2013

Course Name / Topic Name

ALTTC, Ghaziabad

19

12/19/2013

Course Name / Topic Name

ALTTC, Ghaziabad

Some known Vulnerability

Patch: MS03-026
Jul. 16, 2003

Aug. 11, 2003

MSBlaster.A

26 days
Patch: MS02-039
Jul. 24, 2002

Jan. 25, 2003

Slammer

185 days
Patch: MS00-078
Oct.17, 2000

Sept. 18, 2001

Nimda

336 days

Window of time from patch availability to outbreak is shrinking

20

Window

12/19/2013

Course Name / Topic Name

Vulnerable Configurations

21

Default Accounts
Default Passwords
Un-necessary Services
Remote Access
Logging and Audit Disabled

IT Security Management
1.
2.
3.
4.

22

Start With a Focused Methodology

Evaluate the Organization's IT Infrastructure
Explore Departmental and IT Controls
Identify Gaps and Establish Controls

Create Usage Policy Statements

Outline Users Roles and Responsibilities

Identify specific actions that can result in punitive
actions; Actions and methods to avoid them should
be articulated.
Outline Partner Use Statement
Outline Administrator Use Statement

24

Conduct A Risk Analysis

Identify Risk to Network, Network Resources
and Data.
Identify Portions of the Network, Assign a threat
rating to each portion and apply appropriate
level of security.
Assign each network resource Low, Medium or
High Risk Level
Identify the types of Users for each resource

25

Monitoring Security of Network

Monitor for any changes in Configuration of High

risk Devices
Monitor Failed Login Attempts
Unusual Traffic
Changes to the Firewall Configuration
Connection setups through Firewalls
Monitor Server Logs

26

Approach to Info Security: Defense in Depth

27

27

Security at Network Level

Firewalls, IDS and IPS are used
for Perimeter Defense

Access Control Policy is Implemented.

Control all internal and external traffic.

28

Security at OS Level
Keep up-to-date Security Patches and update
releases for OS
Install up-to-date Antivirus Software
Harden OS by turning off unnecessary clients,
Services and features

29

Security at Application Level

Keep up-to-date Security Patches and update releases
for Application Package
Dont Install Programs of unknown origin
Precautions with Emails
Protection from Phishing attacks
Securing Web Browsers

30

Security at Database Level

31

User Management
Password Management
Managing Allocation of Resources to Users
Backup and Recovery
Auditing

Password Management

Password
history

Account
locking

User

Setting up
profiles

Password
expiration
and aging

32

Password
verification

Setting Resource Limits

Number of Concurrent Sessions
Elapsed Connect Time
Period of Inactive Time

33

Backup and Recovery Issues

Protect the database from numerous types of
failures
Increase Mean-Time-Between-Failures (MTBF)
Decrease Mean-Time-To-Recover (MTTR)
Minimize Data Loss

34

Auditing
Auditing is the monitoring of selected user data
base actions and is used to :-

Investigate suspicious database activity

Manage your audit trail

Monitor the growth of the audit trail

Protect the audit trail from unauthorized
access

35

Audit vs. Assessment vs. Pen Test

Audits
Auditing compares current practices against a set of standards.
Industry groups or security institutions may create those standards.
Organizational management is responsible for demonstrating that the
standards they adopt are appropriate for their organization

Assessments
An assessment is a study to locate security vulnerabilities and identify

corrective actions.
An assessment differs from an audit by not having a set of standards to test
against.
It differs from a penetration test by providing the tester with full access to the
systems being tested.

Penetration Testing
A set of procedures designed to bypass the security controls of a system or
organization
Real life test of the organizations exposure to known security threats
Performed to uncover the security weakness of a system
Focuses on exploiting network and systems vulnerabilities that an
unauthorized
user would exploit
36
12/19/2013
Course Name / Topic Name

Summary of Action Plan

37

Secure Physical Access

Remove Unnecessary Services
Antivirus Software
Secure Perimeter
Apply Patches in Time
Data Backup
Encrypt Sensitive Data
Install IDS
Proper Network Administration
Proper Monitoring

BSNL Information Security Policy

BSNL has formulated its Information Security
Policy and circulated for its implementation during
December 2008. The BISP consists of two sections:
Section A:
This provides the directives and policies that
would be followed in ICT facilities within BSNL to
provide secure computing environment for BSNL
employees and business to run. The policies are
formulated around 11 domains of security. These
are
38

BSNL Information Security Policy

Section A
1. Information Classification and Control
2. Physical and Environmental Security
3. Personnel Security
4. Logical Access Control
5. Computing Environment Management
6. Network Security
7. Internet Security
8. System Development and Maintenance
9. Business Continuity Planning
10. Compliance
11. Third Party and Outsourcing Services
39

BSNL Information Security Policy

Section B
This provides the technical solution support to
the policies mentioned within the policy
document. It is intended to allow policy makers
and architects within BSNL to prepare solutions
around the various security requirements as
proposed in Section A.

40

41

12/19/2013

Course Name / Topic Name

THANK YOU!