Trainer’s Handbook
Security Analyst
SSC/ Q0901
Trainer’s Handbook – Security Analyst
NASSCOM
4E-vandana Building (4th Floor)
11, Tolstoy Marg, Connaught Place
New Delhi 110 001, India
T 91 11 4151 9230; F 91 11 4151 9240
E ssc@nasscom.in
W www.nasscom.in
Disclaimer
The information contained herein has been obtained from sources reliable to NASSCOM.
NASSCOM disclaims all warranties to the accuracy, completeness or adequacy of such
information. NASSCOM shall have no liability for errors, omissions, or inadequacies, in the
information contained herein, or for interpretations thereof. Every effort has been made to
trace the owners of the copyright material included in the book. The publishers would be
grateful for any omissions brought to their notice for acknowledgements in future editions of
the book.
No entry in NASSCOM shall be responsible for any loss whatsoever, sustained by any person
who relies on this material. The material in this publication is copyrighted. No parts of this
report can be reproduced either on paper or electronic media, unless authorized by
NASSCOM.
Foreword
The Indian IT-ITeS industry has built its reputation in the global arena on several differentiators, chief
among them being the availability of manpower. Organizations across the world recognize the value
India brings to every engagement with its vast and readily available pool of IT professionals. Global
entities have found it extremely effective to leverage this significant resource in order to enjoy a
competitive edge and innovation benefits.
In the coming years, the landscape is expected to shift in ways that reveal more exciting opportunities.
The world will require people with advanced technology skills and domain knowledge, set against a
backdrop of heightened labour mobility across occupations and markets. India is largely
acknowledged to be heir apparent to the benefits of a demographic dividend over the coming
decades, which has the potential to see the nation emerge as one of the world’s largest population
base of employable youth. With many other countries set to face the effects of an aging and
retirement-ready workforce, India is poised to become a sought after destination for those seeking
higher value add and specialized services.
Global markets are on their way towards revival and recovery, and this is well reflected in the proactive
recruitment measures taken by IT-ITeS organizations in India in recent times. India’s IT-BPM industry
is on track to achieve its target of USD 225 billion by 2020. From a base of about 3.1 million employees
in FY2014, the industry is expected to add another 2 million employees by 2020. Indirect
employment generated by 2020 is expected to be 3X the total direct employment number, i.e. between
13-16 million by 2020.
To realize India’s potential of emerging as a skills hub of the world, a significant amount of foresight
and work is requisite. It is imperative that stakeholders engage in a concerted effort to undertake the
transformation of the labour pool estimated to enter the market into skilled and employable talent.
Enabling the creation of a future industry-ready cohort will give the IT-ITeS industry an edge in
leadership and sustainability.
One of the growing areas of global interest and concern is Information/ Cyber Security. This led to the
identification of the “hot skills” du jour, resulting in the formal creation of a Qualification Pack (QP) or
job role framework for the role of a Security Analyst. The QP is designed to capture the skills required
by the IT-BPM industry for an entry level position in this field.
To ensure the creation of an academic course that is both relevant and viable, IT-ITeS Sector Skills
Council NASSCOM (SSC NASSCOM) partnered with key industry stakeholders, including Cyber Eye
Research, Cypher Cloud, Deloitte, First American, HCL, HDFC, IBM, ISC2, Karvy Analytics, NIIT
University, PwC, Symantec, TCS, Wells Fargo, and the Data Security Council of India (DSCI) for design
of the curricula and courseware. In addition, the program addresses the need for faculty support, and
achieves this by acquainting trainers with the latest advancements in pedagogy.
We wish the universities and colleges all the very best in their endeavor.
R Chandrashekhar
President
NASSCOM
Acknowledgements
NASSCOM would like to thank its member company representatives within the Security Analyst
Special Interest Group (SIG) Council for believing in our vision to enhance the employability of the
available engineering student pool. SSC NASSCOM facilitates this by developing and enabling the
implementation of courses relevant to projected industry needs. The aim is to address two key
requirements, of closing the industry-academia skill gap, and of creating a talent pool that can
reasonably weather future externalities in the IT-BPM industry.
NASSCOM believes that this is an initiative of great importance for all stakeholders concerned – the
industry, academia, and the students. The tremendous amount of work and ceaseless support offered
by the members of this SIG in developing a meaningful strategy for the content and design of program
training materials has been truly commendable.
We would like to particularly thank Cyber Eye Research Labs, DSCI, First America, Karvy Analytics, and
Symantec for bringing much needed focus to this effort.
NASSCOM recognizes the fantastic contributions of Mr. Ram Ganesh at Cyber Eye Research labs; Mr.
Ashok Polapragada and Mr. Ranjit Kumar at Karvy Analytics; Mr. Dwaraka Ramana K at First American;
Dr Giri T at Cypher Cloud, Mr. Nanda Kumar Sarvade, Mr. Vinayak Godse and Mr. Aditya Bhatia at
DSCI.
We acknowledge with sincere gratitude the immense contribution of the SIG member companies,
Deloitte, HCL, HDFC, IBM, ISC2, NIIT University, PwC, Symantec, TCS, Wells Fargo for their part in the
creation of this course and its accompanying training materials.
We extend our thanks to PROGILENCE Capability Development Pvt. Ltd. for producing this course
publication.
Dr Sandhya Chintala
Prologue
The tectonic shifts in the digital world have resulted in parallel shifts in our relationship with
technology, accompanied by a heightened awareness of security concerns. For instance, functions
such as protecting an individual or entity from digital security threats, or devising robust security
measures that will help maintain the integrity of data, are growing areas of importance.
It is not surprising then that the field of Cyber Security has grown swiftly over the past few years,
especially in view of its implications for developing meaningful business strategies or government
policy. There is a rise in key services that now include guarding sensitive information within a company
or body, implementing required security measures to avoid breaches, avoiding any flaws in security
systems, and preventing unauthorized access to networks. What remains to be addressed is the
projected demand for a relevant and qualified workforce. The creation of a job role framework for the
Security Analyst role is a welcome endeavor that will contribute towards bridging any shortfall.
The content of this book caters to a holistic set of skilling areas, including the study of core
technologies currently adopted in this field and the industry as a whole, and the development of
familiarity with the professional environments that students will likely operate in after graduation. It
incorporates a blend of domain concepts, hands-on practice sessions, and sessions covering auxiliary
skills such as communication and problem-solving skills. The incorporated aspects of the facilitator
guide and student handbook are expected to act as effective companions in the learning process. This
mixture is designed to prepare students for the transition from the academic to the professional in an
industry-relevant manner.
This first edition of the publication has been developed by NASSCOM in conjunction with industry
leaders who have operated and studied the field of Cyber Security extensively. I congratulate the team
effort in successfully creating material that will be widely available, accessible and applicable. The
Security Analyst course will be offered to B.Tech candidates who can register to take it in any semester
beginning with the second half of their third year.
This publication will act as an important resource for students as they prepare for the new tide, and
this in turn will contribute to keeping our workforce in the forefront.
Vice Chancellor
JNTUH
The qualification SSC/Q0901 is part of the IT-ITeS Sector and the IT Services sub-sector.
This qualification’s eligibility requirements and National Occupational Standards are listed below.
Security Analyst
Job Role: Security Analyst. This job role is applicable in both national and international scenarios.
Credits (NVEQF/NVQF/NSQF):
Version number: 0.1
Sector: IT-ITeS
Drafted on: 30/04/13
Sub-sector: IT Services
Last reviewed on: 30/04/13
NSQF level: 7
Minimum Educational Qualifications: Diploma in Engineering or any graduate course
Maximum Educational Qualifications: Bachelor's Degree in Science/Technology/Computers
Training (Suggested but not mandatory): Certification in Information systems or related fields, Basic soft skills training
Experience: 0-2 years of work experience/internship in security
Applicable National Occupational Standards (NOS):
Compulsory:
1. SSC/N0901 (Contribute to managing information security)
2. SSC/N0902 (Co-ordinate responses to information security incidents)
3. SSC/N0903 (Install and configure information security devices)
4. SSC/N0904 (Contribute to information security audits)
5. SSC/N0905 (Support teams to prepare for and undergo information security audits)
6. SSC/N9001 (Manage your work to meet requirements)
7. SSC/N9002 (Work effectively with colleagues)
8. SSC/N9003 (Maintain a healthy, safe and secure working environment)
9. SSC/N9004 (Provide data/information in standard formats)
10. SSC/N9005 (Develop your knowledge, skills and competence)
Optional: Not Applicable
Information Security Overview, Threats and Attack Vectors, Types of Attacks, Common Vulnerabilities
and Exposures (CVE), Security Attacks, Fundamentals of Information Security, Computer Security
Concerns, Information Security Measures etc.
Unit II : Fundamentals of Information Security
What is Data Leakage and statistics, Data Leakage Threats, Reducing the Risk of Data Loss, Key
Performance Indicators (KPI), Database Security etc.
Unit IV : Information Security Policies, Procedures and Audits
Security Roles & Responsibilities, Accountability, Roles and Responsibilities of Information Security
Management, team-responding to emergency situation-risk analysis process etc.
Text Books:
Prescribed books:-
1. Management of Information Security by Michael E.Whitman and Herbert J.Mattord
References:-
1. http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
2. http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf
Security Metrics and Reporting, Common Issues and Variances of Performance Metrics, Introduction
to Security Audit, Servers and Storage devices, Infrastructure and Networks, Communication Routes,
Information Security Methodologies (Black-box, White-box, Grey-box), Phases of Information Security
Audit and Strategies, Ethics of an Information Security Auditor etc.
Unit II : Information Security Audit Tasks, Reports and Post Auditing Actions
Pre-audit checklist, Information Gathering, Vulnerability Analysis, External Security Audit, Internal
Network Security Audit, Firewall Security Audit, IDS Security Auditing, Social Engineering Security
Auditing, Web Application Security Auditing, Information Security Audit Deliverables & Writing
Report, Result Analysis, Post Auditing Actions, Report Retention etc.
Unit III : Vulnerability Management
Computer Security Logs, Configuring & Analyzing Windows Logs, Log Management - Functions &
Challenges, Centralized Logging and Architecture, Time Synchronization - NTP/NIST etc.
Network Reconnaissance Incidents, Network Scanning Security Incidents, Network Attacks and
Security Incidents, Detecting DoS Attack, DoS Response Strategies, Preventing/stopping a DoS Incident
etc.
Unit VI : Handling Malicious Code Incidents
Text Books:
Prescribed books:-
1. Managing Information Security Risks: The OCTAVE Approach by Christopher Alberts and Audrey Dorofee
2. Cryptography and Network Security (4th Edition) by William Stallings
References:-
1. https://www.sans.org/reading-room/whitepapers/incident/security-incident-handling-small-organizations-32979
The above equipment has to be made available for classwork and for research work in non-class
hours. The equipment has to have relatively high speed and a current OS and other software
applications.
Students need to have an adequate number of terminals for individual use for an adequate number of
hours.
The equipment needs to be installed in keeping with all health and safety measures. Any routine
breakdowns should be promptly addressed.
Table of Contents
Facilitator’s Guide … 17
3. SSC/N0903: Install, configure and troubleshoot information security devices … 315
4. SSC/N0904: Contribute to information security audits; SSC/N0905: Support teams to prepare for and undergo information security audits … 523
i. Effective Communication
ii. Working Effectively
7. SSC/ N 9003: Maintain a healthy, safe and secure working environment …685
i. Importance of Self-Development
ii. Knowledge and Skills Required for the Job
iii. Avenues of Self-Development
iv. Planning for Self-Development
Annexures …839
1. Security Assessment Template
2. Case studies
3. Assessment Criteria
Facilitator’s Guide
Training Methodology
Formative Assessment
Learning Principles
Instructional Methods
TRAINING METHODOLOGY
The training methodology is to be selected keeping in mind the background and ability levels
of the students as well as adult learning principles.
Focus will be on:
encouraging the learners to discover the information through research, activities and
questioning techniques.
providing an opportunity to every participant to practice and perform the practical
criteria that they are expected to learn in the session.
incorporating the following principles in the training methodology.
Teacher’s Role
The role of a Teacher in this program is to “Assist each participant to reach an acceptable
workplace competency standard through effective training.”
In order to do that the teacher must first ensure that s(he) is fully competent to take on this
role, i.e. the teacher has the right Knowledge, Skill and Attitude as a Facilitator and a Subject
Matter Expert.
FORMATIVE ASSESSMENT
of assessment criteria with one sheet for each presenter. The aim of filling in the sheet will be to give feedback rather than marks. For every presentation, all students fill in one sheet and at the end, simply hand the sheets to the presenter. The value of such an exercise can be enhanced if students are asked to reflect on their performance and write an account of the manner by which they will modify their performance on the next occasion.
LEARNING PRINCIPLES
Here are some Learning Principles and Techniques to use them.
Create a Supportive Environment
Techniques:
1. call each trainee by name throughout training
2. listen to each person's questions and viewpoints
3. never belittle an individual
4. always be courteous and patient
5. assure individuals that mistakes are part of the learning process
6. look for opportunities to validate each person
7. encourage trainees to support one another in learning endeavors
8. ensure that the physical space is as comfortable as possible.
Emphasize Personal Benefits of Training
Techniques:
1. have each participant develop their own personal goals for this training
2. encourage participants to write down specific actions they will take in response to this training.
Use Training Methods that Require Active Participation
Techniques:
1. limit lecturing to trainees
2. encourage participation and sharing of experiences
3. use questioning techniques
4. weave discussion sections with exercises that require trainees to practice a skill or apply knowledge.
Use a Variety of Teaching Methods
To engage all learners, it is best to vary the methods in which information is communicated.
Techniques:
1. group discussion (small and large)
2. skill practice (role-play)
3. lecture
4. case study
5. panel/guest expert
6. group activities
7. question/answer
8. demonstration
9. technology (media, video, computer, interactive)
Provide Structured Learning Opportunities
Empower trainees to be self-directed learners as they strive to fulfill objectives of the training, by teaching them how to master the content and to become aware of their own learning process.
Techniques:
1. structured note-taking
2. problem-solving exercises
3. brainstorming
4. progress logs
5. evaluating own work and the work of others
6. have them analyze the way they went about doing a learning project
7. encourage participants to support/train one another
Provide Immediate Feedback on Practice
INSTRUCTIONAL METHODS
group stops being productive in terms of relevant inputs.
Summarise what has been discussed, identifying the critical learning points and issues.
Structures for promoting discussion
Rounds: A round simply involves everyone sitting in a circle and commenting briefly on a particular topic in turn. For example it might concern:
“Questions I would like answered…”
“Points on which I would like clarification…”
Rounds work well at the start of a session as they involve each person speaking once before anyone speaks a second time. This establishes a more balanced pattern of interaction and makes it much more likely that individuals will speak again later. Taking your turn in rounds can be threatening in a large group, and students unfamiliar with rounds should be allowed to “pass” when it is their turn.
Buzz groups, pairs and triads: Buzz groups are simply small groups of two or three students formed spontaneously to discuss a topic for a short period. In a pair, it is almost impossible for a student to stay silent, and once students have spoken “in private” they are much more likely to speak afterwards “in public” in the whole group.
Buzz groups are very useful to get things going, for example: “To start off, how well did you progress with last week’s questions and the readings I set? Off you go.”
They are also useful when a difficult topic or some awkwardness has brought a session to a standstill. In such a situation, set a brief task or question for pairs to work on. For example: What are the difficult areas of this topic? What appears to be the best approach to take?
Triads are more resourceful and rigorous for challenging activities, perhaps because at any given time one of the three is neither speaking nor being directly spoken to, and so can have half an eye on the question or task the group is supposed to be working on.
Brainstorms: Brainstorming is a very good method for a situation where the aim is to expand people’s thinking in an area and generate ideas. In brainstorming, any idea is welcomed and no justification is needed. This method is particularly appropriate at the beginning of a topic to identify existing knowledge and provide a framework for learning. However, brainstorming must be well-conducted, with certain ground rules clearly adhered to. These are:
o All ideas are accepted without justification.
o People cannot comment on other people’s suggestions.
o One person acts as the coordinator and writes up comments on the board and keeps a reasonable order on proceedings.
After an agreed period of time, or when no more suggestions are forthcoming, the group turns its attention to the total list, either accepting it as a statement of a range of possibilities or discussing selected items that seem most useful.
3. Demonstration
Demonstration is a widely used and effective method for teaching of skills at all levels. Like explanation, it is always linked in some way to other instructional strategies. For example, learners are unlikely to learn effectively from demonstration alone. They will need guided practice and feedback on how they are doing.
The following is a guide for planning and conducting a demonstration session.
Pre-demonstration planning
Be clear in your mind about what you are trying to demonstrate.
Analyse the skill(s) you intend to demonstrate: identify the crucial steps of the activity and break it down into basic operations and procedures.
Remember that what is easy and comprehensible to you will be less so for most learners. Therefore, try to simplify without sacrificing essential skill components.
Organise the equipment needed and prepare any teaching aids that will help learners understand what is involved.
Carrying out the demonstration
Make sure everyone can see.
Describe what you intend to do and why. Arouse the interest of learners.
Reveal the main steps of the activity and identify the likely problem areas.
Accompany each step with a verbal description, and attempt to show the skill from the operator’s point of view. However, do keep to the main points. Too much talking will distract students from the visual demonstration.
Adjust the speed of your movements to suit your learners, especially if they are watching and then copying. Watch for their responses and actions and alter your pace accordingly.
Inspire confidence in learners as you go along. This way they will be willing and keen to have a go.
Try not to over-impress or be too absorbed in your own demonstration. Remember that you are trying to help learners achieve competence. Over-indulgence in your skills may rob some learners of self-confidence when they try to practise the skill.
On finishing the demonstration, check that the process has been fully understood. Ask participants to recap the main points of the activity. This will help to identify gaps in knowledge and reinforce learning.
framing the problem, and the assumptions and valuations that underpin these differences.
Use good discussion management techniques.
Introduce relevant theoretical knowledge, showing linkages of concepts and principles.
Summarize the key issues and clarify any points of concern.
9. Poster board tours
Groups work together on a task, but also produce a poster summarizing the outcomes of their work. Posters can involve a design or proposal, lists of pros and cons of an approach, or the main features of a case study.
De-briefing this group work can take the form of displaying the posters. Group members may briefly introduce or explain the contents of their posters. Posters can be especially quick and effective as a means of sharing experimental and laboratory work where different groups have undertaken different experiments.
Once the posters are displayed, students can “tour” them, asking for clarification or adding comments and questions.
An Introduction:
The Industry, Sub-sector, Occupation &
Career
INTRODUCTION
The Industry, Sub-sector, Occupation
& Career
Lesson Plan
Suggested Learning Activities
Training Resource Material
1.1. An Overview of the IT-BPM Industry
1.2. An Overview of the IT Services Sub-Sector
1.3. About Information Security and its Roles
LESSON PLAN
Activity 1:
Ask students to introduce themselves and state why they have chosen
this course.
Note down all the unique reasons on the board.
Highlight why Information security or Cyber Security is the right choice
for them.
Activity 2:
Activity 3:
IT-BPM Industry
Figure 3: Contribution of
The IT Services sub-sector started off in India with a focus on basic application development and maintenance. The sub-sector has now grown and includes significant footprints in traditional segments which include custom application development, application management, IS outsourcing and software testing. With time, the sector has expanded to provide end-to-end IT solutions and includes consulting, testing services, infrastructure services and system integration in the offering.
After starting off, the IT Services sub-sector served mostly the North American market until the 1990s. While North America continues to be a major importer of Indian IT services, the sub-sector has witnessed entry into other markets, in order to mitigate risk as well as to expand markets, thus servicing clients in a greater number of geographical areas like Latin America, the Asia Pacific and Europe. The client base in these markets is a healthy mix between BFSI, Manufacturing, Retail, Telecom and all key industry verticals.
The IT-BPM industry is standing at a watershed moment in history. In FY 2014, the industry achieved a stellar landmark of crossing USD 118 billion in revenues. However, with the industry slowly reaching a stage of maturity and with a business model closely aligned to exports, it faces the brunt of economic shake-ups like the one observed in 2008, which redefined the economic order amongst nations.
While the recovery has gathered pace in the last few months, companies are becoming increasingly conscious that in the globally connected world, the “new normal” will be characterised by business volatility. The ups and downs will be more frequent and companies need to learn how best to manage this volatility.
Trainer’s Guide– Security Analyst SSC/N0901
SSC/ N 0901:
Contribute to Managing Information Security
KA13. standard tools and templates available and how to use the same.
B. Technical Knowledge
The user/individual on the job needs to know and understand:
KB1. fundamentals of information security and how to apply them, including:
networks
communication
application security
KB2. different types of backups for security devices and applications and how to carry out backups.
KB3. common issues and variances of performance metrics that require action and whom to report these to.
KB4. how to identify and resolve information security vulnerabilities and issues.
The Units
The module for this NOS is divided into ten units based on the learning objectives as given below:
UNIT I: Information Security and Threats
1.1. Information Security
1.2. Information Assets & Threats
UNIT I
Information Security and Threats
Lesson Plan
Suggested Learning Activities
Training Resource Material
1.1. Information Security
1.2. Information Assets & Threats (Virus, Worms, Trojans, Other Threats, Network Attacks)
Lesson Plan
Divide the students into groups and ask them to research various types of attacks and get
examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets
the maximum number of correct examples will get a prize.
Activity 2:
Ask the students to research cases of attacks over the years and the impact of those attacks on
the organisations where they occurred.
Activity 3:
Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.
Information security analysts can find themselves working with IT companies, financial and utility companies and consulting firms. They may also find positions with government organizations. Any company or organization with data to protect may hire information security analysts, so they could find themselves working at a wide variety of different institutions. A number of companies operate ‘Security Operation Centers (SOCs)’ for carrying out data security services for captive or client services.
Major Skills of
Security Analyst
• Understanding security policy
• Data & Traffic Analysis
• Identifying Security Events –> How & when to alarm
• Incident Response
Foundation and
Background
• Network infrastructure knowledge
• Diverse device configuration ability
• Security configuration knowledge
• Data management & teamwork
Challenges for
Security Analyst
• Not tied to a product or solution
• Complex knowledge – Not one specific process is correct or product solution
• Diverse set of skills are needed
theft
fraud/forgery
unauthorized information access
interception or modification of data and data management systems
The above concerns materialise in the event of a breach caused by the exploitation of a
vulnerability.
Vulnerabilities
A vulnerability is a weakness in an information system, system security procedures,
internal controls, or implementation that could be exploited or triggered by a threat
source.
‘Threat agent’ or ‘threat actor’ refers to the intent and method targeted at the intentional
exploitation of a vulnerability, or a situation and method that may accidentally trigger
the vulnerability.
A ‘threat vector’ is a path or a tool that a threat actor uses to attack the target.
‘Threat targets’ are anything of value to the threat actor, such as a PC, laptop, PDA, tablet,
Types of attacks
• Virus
A virus is a malicious program able to inject its code into other programs/applications or data
files; the targeted areas become "infected". A virus is installed without the user's
consent and spreads as executable code transferred from one host to another.
Types of viruses include resident virus, non-resident virus, boot sector virus, macro virus,
file-infecting virus (file-infector), polymorphic virus, metamorphic virus, stealth virus,
companion virus and cavity virus.
• Worm
A worm is a category of malicious program that exploits operating system vulnerabilities to
spread itself. In its design, a worm is quite similar to a virus, and is even considered a sub-class of virus.
Unlike viruses, though, worms can reproduce/duplicate and spread by themselves. During this
process a worm does not need to attach itself to any existing program or executable.
Different types of worms based on their method of spread are email worms, internet worms, network worms and multi-vector worms.
• Trojan
Computer Trojans or Trojan horses are named after the mythological Trojan horse owing to the similarity in operating strategy. Trojans are a type of malware that masquerades as a non-malicious, even useful application but actually damages the host computer after installation. Unlike viruses, Trojans do not self-replicate; they rely on the end user to install them.
Let us discuss a recent news item about a new version of a notorious virus, detected by cyber experts, that takes over a system until money is paid as ransom. Version 2.0 of the TeslaCrypt ransomware encryptor family, say experts, is notorious for infecting the computers of gamers. The malicious program is now targeting online consumers and businesses via email attachments which block access to a computer system until a sum of money, specifically in dollars, is paid as ransom. If the victim delays, the ransom is doubled. Detected in February 2015, TeslaCrypt began infecting systems in the US, Europe and Southeast Asian countries. It then occurred in Indian cities including Delhi and Mumbai. Two businessmen from Agra were targeted this year, from whom the extortionist demanded more than $10,000. In the last six months, two cases were reported in Agra, where the malware locked down its victims' most important files and kept them hostage in exchange for a ransom to unlock them.
Network worms: spread over open and unprotected network shares.
Multi-vector worms: having two or more different spread capabilities.
Types of Trojans
Computer Trojans or Trojan horses are named after the mythological Trojan horse from the Trojan War, in which the Greeks gave a giant wooden horse to their foes, the Trojans. As soon as the Trojans dragged the horse inside their city walls, Greek soldiers sneaked out of the horse's hollow belly and opened the city gates, allowing their army to capture Troy. A computer Trojan horse works in a very similar way: it is a type of malware that masquerades as a non-malicious, even useful application but actually damages the host computer after installation.
Trojans do not self-replicate, which is their key difference from a virus, and they often require end-user intervention to install themselves. In most scenarios the user is tricked into believing that the program being installed is a legitimate one (this is very often connected with social engineering attacks on end users). Another common method is for the Trojan to be spammed as an email attachment or a link in an email. A similar method has the Trojan arriving as a file or link in an instant messaging client. Trojans can also be spread by means of drive-by downloads, or downloaded and dropped by other Trojans or by legitimate programs that have been compromised.
The results of Trojan activities can vary greatly, from low-invasive ones that only change the wallpaper or desktop icons, through Trojans which open backdoors on the computer and allow other threats to infect the host or give a hacker remote access to the targeted computer system. Trojans can cause serious damage on the host by deleting files or destroying the data on the system in various ways (such as formatting the drive or causing a BSOD). Such Trojans are usually stealthy and do not advertise their presence on the computer.
Trojans can be classified by the function they perform and the way they breach systems. An important thing to keep in mind is that many Trojans have multiple payload functions, so any such classification provides only a general overview and not a strict boundary. Some of the most common Trojan types are:
Remote Access Trojan (RAT) aka Backdoor.Trojan – this type of Trojan opens a backdoor on the targeted system to allow the attacker remote access to the system or even complete control over it. This is the most widespread kind of Trojan and often has various other functions as well. It may be used as an entry point for a DoS attack or for letting worms or even other Trojans into the system. A computer with a sophisticated backdoor program installed may also be referred to as a "zombie" or a "bot". A network of such bots is often referred to as a "botnet" (see part 3 of the Security 1:1 series). Backdoor.Trojans are
This type of Trojan can either be targeted at extorting money for removal of "non-existing" threats or, in other cases, the installation of the program itself injects other malware onto the host machine. FakeAV applications can perform fake scans with variable results, but always detect at least one malicious object. They may also drop files that are then ‘detected’. The FakeAV application is constantly updated with new interfaces so that it mimics legitimate anti-virus solutions and appears very professional to end users.
Trojan-Spy – this Trojan has similar functionality to the Infostealer or Trojan-PSW and its purpose is to spy on the actions executed on the target host. These can include tracking data entered via keystrokes, collecting screenshots, listing active processes/ services on the host or stealing passwords.
Trojan-ArcBomb – these Trojans are archives designed to freeze or slow performance or to flood the disk with a large amount of “empty” data when an attempt is made to unpack the archived data. So-called archive
Malware refers to software such as viruses, spyware, adware, worms, trojans, ransomware etc. It is designed to cause damage to a targeted computer or cause a certain degree of operational disruption.
A rootkit is malicious software designed to hide certain processes or programs from detection. It usually acquires and maintains privileged system access while hiding its presence at the same time. It acts as a conduit by providing the attacker with a backdoor to a system.
Spyware is software that monitors and collects information about a particular user, computer or organisation without the user’s knowledge. There are different types of spyware, namely system monitors, trojans (keyloggers, banker trojans, infostealers), adware, tracking cookies etc.
Tracking cookies are a specific type of cookie that are distributed, shared and read across two or more unrelated websites for the purpose of gathering information or potentially to present customized data to you.
Creepware is a term used to describe activities like spying on others through webcams (very often combined with capturing pictures), tracking the online activities of others, listening to conversations over the computer's microphone and stealing passwords and other data.
A blended threat is an exploit that combines elements of multiple types of malware components. The use of multiple attack vectors and payload types aims to increase both the severity of the damage caused and the speed of spreading.
A. COHEN B. NORTON
C. SMITH D. McAfee
ANSWER : …………………………………………………………..
Network attacks
A network attack is usually defined as an intrusion on the network infrastructure that will first analyse the environment and collect information in order to exploit the existing open ports or vulnerabilities. This may include unauthorized access to organisation resources.
Characteristics of network attacks:
Passive attacks: attacks where the purpose is only to learn and get some information from the system, but the system resources are not altered or disabled in any way.
Active attacks: in this type of network attack, the perpetrator accesses and either alters, disables or destroys resources or data.
Outside attack: when an attack is performed from outside the organization by an unauthorized entity, it is said to be an outside attack.
Inside attack: if an attack is performed from within the company by an "insider" that already has certain access to the network, it is considered to be an inside attack.
Others, such as attacks targeted at end users (like phishing or social engineering): these attacks are not directly referred to as network attacks, but are important to know due to their widespread occurrence.
Common network attack types (figure): Whaling; Vishing (voice phishing or VoIP phishing); Network sniffing; Port scanning; Spoofing; DoS attack & DDoS attack; ICMP smurf attack; Buffer overflow attack; Man-in-the-middle attack; Botnet; Denial of service; Session hijacking attack; Cross-site scripting attack (XSS attack); SQL injection attack; Bluetooth related attacks.
The recommendations to protect your company against phishing and spear phishing
include:
1. Never open or download a file from an unsolicited email, even from someone you
know (you can call or email the person to double check that it really came from
them).
2. Keep your operating system updated.
3. Use a reputable anti-virus program.
4. Enable two factor authentication whenever available.
5. Confirm the authenticity of a website prior to entering login credentials by looking
for a reputable security trust mark.
6. Look for HTTPS in the address bar when you enter any sensitive personal
information on a website to make sure your data will be encrypted.
ARP spoofing (ARP poisoning) – the process of sending fake ARP messages on the network. The purpose of this spoofing is to associate the attacker's MAC address with the IP address of another legitimate host, causing traffic to be redirected to the attacker's host. This kind of spoofing is often used in man-in-the-middle attacks.
DNS spoofing (DNS cache poisoning) – an attack where wrong data is inserted into a DNS server's cache, causing the DNS server to divert traffic by returning wrong IP addresses as results for client queries.
Email spoofing – the process of faking the email's sender "From" field in order to hide the real origin of the email. This type of spoofing is often used in spam mail or during phishing attacks.
Search engine poisoning – attackers take advantage of high-profile news items or popular events that may be of specific interest to a certain group of people to spread malware and viruses. This is performed by various methods whose purpose is to achieve the highest possible search ranking on known search portals for the malicious sites and links introduced by the hackers. Search engine poisoning techniques are often used to distribute rogue security products (scareware) to users searching for legitimate security solutions for download.
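The ARP spoofing entry above describes the attack from the attacker's side; what a security analyst needs is the detection side. The following is an added example (not code from the handbook) of a small ARP watcher run over constructed tcpdump-style ARP reply lines. The addresses, timestamps and the `MAX_IPS_PER_MAC` threshold are assumptions made for the demo. It learns the first IP-to-MAC binding it sees and raises an alert when a later reply claims a different MAC for a known IP, or when one MAC starts answering for several IPs, the pattern left by a host that poisons both the gateway and a victim.

```python
"""ARP spoofing detector run over constructed tcpdump-style ARP reply lines.

Added example for the ARP spoofing entry above; it is not part of the
handbook. The log lines and addresses below are made up for the demo.
The detector learns the first IP -> MAC binding it sees and alerts when
(a) a later reply claims a different MAC for a known IP, or
(b) a single MAC claims more IPs than MAX_IPS_PER_MAC, the pattern left by a
host poisoning both the gateway and a victim at once.
"""
import re
from collections import defaultdict

# Constructed sample capture: 10.0.0.1 is the gateway. Line 5 is a spoofed
# reply for the gateway IP; line 6 shows the same rogue MAC claiming a second IP.
SAMPLE_LOG = """\
12:00:01.000 ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:01, length 28
12:00:01.250 ARP, Reply 10.0.0.20 is-at aa:bb:cc:00:00:20, length 28
12:00:02.000 ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 28
12:00:02.100 ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:01, length 28
12:00:05.000 ARP, Reply 10.0.0.1 is-at DE:AD:BE:EF:00:01, length 28
12:00:05.010 ARP, Reply 10.0.0.20 is-at de:ad:be:ef:00:01, length 28
"""

REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9A-Fa-f:]{17})")
MAX_IPS_PER_MAC = 1   # assumption for the demo; raise it for hosts that own several IPs


def parse_replies(log_text):
    """Yield (ip, mac) pairs from ARP reply lines; requests and noise are ignored."""
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()   # normalise MAC case


class ArpWatch:
    """Keeps the learned IP->MAC table and the alerts raised so far."""

    def __init__(self, max_ips_per_mac=MAX_IPS_PER_MAC):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts = []

    def observe(self, ip, mac):
        known = self.ip_to_mac.get(ip)
        if known is None:
            self.ip_to_mac[ip] = mac          # first sighting: learn it
        elif known != mac:
            self.alerts.append(
                f"IP {ip} changed from {known} to {mac}: possible ARP spoofing")
        ips = self.mac_to_ips[mac]
        ips.add(ip)
        if len(ips) == self.max_ips_per_mac + 1:   # alert once per MAC
            self.alerts.append(
                f"MAC {mac} now claims {len(ips)} IPs ({', '.join(sorted(ips))})")


def analyse(log_text, max_ips_per_mac=MAX_IPS_PER_MAC):
    """Run the detector over a capture and return the list of alert strings."""
    watch = ArpWatch(max_ips_per_mac)
    for ip, mac in parse_replies(log_text):
        watch.observe(ip, mac)
    return watch.alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The first-seen binding is trusted, so the watcher must be started while the network is known-good, or seeded from the switch's authoritative table; a binding change also occurs legitimately when a NIC is replaced or a DHCP lease moves, so the alert is a trigger for investigation rather than proof of attack.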
parties are not aware of the attacker's presence and believe the replies they get are legitimate. For this attack to be successful, the perpetrator must successfully impersonate at least one of the endpoints. This can be the case if there are no protocols in place that would secure mutual authentication or encryption during the communication process.
Session hijacking attack – this attack exploits a valid computer session in order to gain unauthorized access to information on a computer system. The attack type is often referred to as cookie hijacking, as during its progress the attacker uses the stolen session cookie to gain access and authenticate to the remote server by impersonating the legitimate user.
Cross-site scripting attack (XSS attack) – the attacker exploits XSS vulnerabilities found in web server applications in order to inject a client-side script onto the webpage that can either point the user to a malicious website of the attacker or allow the attacker to steal the user's session cookie.
SQL injection attack – the attacker uses existing vulnerabilities in the applications to inject code/ a string for execution that exceeds the allowed and expected input to the SQL database.
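The three web attacks just described share one root cause: untrusted input reaching an interpreter (SQL, HTML) or a cookie that page scripts can read. The block below is an added example, not code from the handbook, showing each defect beside its fix: a login query built by string formatting beside a parameterised one, a comment rendered raw beside one escaped on output, and a session cookie header carrying the attributes that keep the session id away from injected scripts and plaintext links. The user table, the account `alice`, the probe strings and the `sid` cookie name are constructed for the demo.

```python
"""Vulnerable versus hardened handling for SQL injection, XSS and session
cookie theft. Added example; not code from the handbook. The user table,
credentials and inputs are constructed for the demo (a real system would
store password hashes, never plaintext).
"""
import html
import secrets
import sqlite3


def make_db():
    """In-memory user table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Defective on purpose: user input is spliced into the SQL text, so
    quotes inside the input become part of the query."""
    query = (f"SELECT COUNT(*) FROM users "
             f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, name, password):
    """Hardened: placeholders keep the input as data, never as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


def render_comment_vulnerable(text):
    """Defective on purpose: untrusted text lands in HTML unescaped."""
    return f'<p class="comment">{text}</p>'


def render_comment_escaped(text):
    """Hardened: HTML-escape on output so tags become inert text."""
    return f'<p class="comment">{html.escape(text, quote=True)}</p>'


def session_cookie_header(session_id=None):
    """Set-Cookie value for a session id: HttpOnly blocks document.cookie
    access from injected scripts, Secure keeps it off plaintext HTTP, and
    SameSite=Strict stops the browser sending it on cross-site requests."""
    sid = session_id or secrets.token_urlsafe(32)
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"   # constructed textbook injection string
    print("vulnerable login, injected password:   ", login_vulnerable(db, "alice", bypass))
    print("parameterized login, same input:       ", login_parameterized(db, "alice", bypass))
    probe = "<script>alert(document.cookie)</script>"   # constructed XSS probe
    print(render_comment_vulnerable(probe))
    print(render_comment_escaped(probe))
    print(session_cookie_header())
```

Parameterisation, output encoding and cookie attributes are three separate layers: the first stops the SQL interpreter from seeing input as code, the second stops the browser from doing so, and the third limits the damage if a script still runs. Note that the escaped rendering is only safe inside element content; attribute, URL and JavaScript contexts each need their own encoder.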
Bluetooth related attacks
Bluesnarfing – this kind of attack allows the malicious user to gain unauthorized access to information on a device through its Bluetooth connection. Any device with Bluetooth turned on and set to the "discoverable" state may be prone to a bluesnarfing attack.
Bluejacking – this kind of attack allows the malicious user to send unsolicited (often spam) messages to Bluetooth-enabled devices.
A few recent cyberattacks (or network attacks) that shook some big businesses around the globe:
March 2015
Anthem
February 2015
One of the nation’s largest health insurers said that the personal
information of tens of millions of its customers and employees, including
its chief executive, was the subject of a “very sophisticated external
cyberattack.”
The company added that hackers were able to breach a database that
contained as many as 80 million records of current and former customers,
as well as employees. The information accessed included names, Social
Security numbers, birthdays, addresses, email and employment
information, including income data.
Sony Pictures
November 2014
A huge attack that essentially wiped clean several internal data centers
and led to cancellation of the theatrical release of "The Interview," a
comedy about the fictional assassination of the North Korean leader Kim
Jong-un. Contracts, salary lists, film budgets, entire films and Social
Security numbers were stolen, including -- to the dismay of top executives
-- leaked emails that included criticisms of Angelina Jolie and disparaging
remarks about President Obama.
Staples
October 2014
The office supply retailer said hackers had broken into the company’s
network and compromised the information of about 1.16 million credit
cards.
UNIT II
Fundamentals of Information
Security
Lesson Plan
Suggested Learning Activities
Training Resource Material
2.1 Elements of information security
2.2 Principles and concepts – data security
2.3 Types of controls
Lesson Plan
You need to know and understand:
KA5. how to analyse root causes of information security issues
KA6. how to carry out information security assessments
KB4. how to identify and resolve information security vulnerabilities and issues
Suggested learning activities:
KA6, KA7, KA8. Peer review with faculty with appropriate feedback.
KB1 – KB4. Going through the security standards over the Internet by visiting sites like ISO, PCI DSS etc., and understanding various methodologies and usage of algorithms
Duration: 4 hrs classroom session and 4 hrs research
Training resource material:
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Networking Equipment - Routers & Switches
Firewalls and Access Points
Access to all security sites like ISO, PCI DSS
Commercial Tools like HP Web Inspect and IBM AppScan etc.
Open Source tools like sqlmap, Nessus etc.
Ask students to investigate the various types of threats to network security, application security and communication security. Also list the various countermeasures or security devices that may be used to address these. Present the same in class.
Activity 2:
Ask students to research various information security service companies’ websites and understand the various security services they offer. Carry out a comparison of the various services or products offered and list their features and benefits.
Activity 3:
Ask the students to research the various categories of controls and state the various controls within each category. Let them discuss in groups the benefits and limitations of examples of each type of control within a category.
Activity 4:
Ask the students to research the various elements of a decision tree and an algorithm. Ask them to create algorithms and decision trees for various situations when planning for the security of information assets.
predefined trust level in the network, then the communication system will be trustable all the time, thus allowing a trusted and secure service deployment. However, such trust models are very difficult to design, and the trust level is presently still a subjective (biased) concept, very similar to the human-based trust model. Note that succeeding in building such trust models will allow infrastructure-based networks, and especially infrastructure-less or self-organized networks such as ad hoc sensor networks, to be trusted enough to deploy several applications. This will also have an impact on current business models, where the economic model would have to change in order to include new players in the telecommunication value chain, such as users offering their machines to build an infrastructure-less network. For example, in the context of ad hoc networks, we could imagine that ad hoc users become distributors of content or provide any other networked services, becoming a sort of service providers. In this case, an appropriate charging and billing system needs to be designed.
A network security system usually consists of many components. Ideally, all components work together, which minimizes maintenance and improves security.
Communication security
Application Security
Application security (AppSec) is the use of software, hardware and procedural methods to protect applications from external threats. AppSec is the operational solution to the problem of software risk. AppSec helps identify, fix and prevent security vulnerabilities in any kind of software application irrespective of the function, language or platform.
A software vulnerability can be defined as a programmatic function that processes critical data
in an insecure way. These “holes” in an application can be exploited by a hacker, spy or
cybercriminal as an entry point to steal sensitive, protected or confidential data.
Begin with software security testing to find and assess potential vulnerabilities:
Testing and remediation form the baseline response to insecure applications, but the critical element of a successful AppSec effort is ongoing developer training. Security-conscious development teams write bulletproof code and avoid common errors. For example, data input validation is the process of ensuring that a program operates with clean, correct and useful data. Neglecting this important step, and failing to build in standard input validation rules or “check routines”, leaves the application open to common attacks such as cross-site scripting and SQL injection. When undertaken correctly, application security is an orderly process of reducing the risks associated with developing and running business-critical software. Properly managed, a good application security program will move your organization from a state of unmanaged risk and reactive security to effective, proactive risk mitigation.
Communications Security
Communications Security (COMSEC) ensures the security of telecommunications confidentiality and integrity – the two information assurance (IA) pillars. Generally, COMSEC may refer to the security of any information that is transmitted, transferred or communicated.
Physical Security: This ensures the safety of, and prevents unauthorized access to, cryptographic information, documents and equipment.
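The "check routines" mentioned in the application security passage above are easiest to see as an allow-list validator. The following is an added example (not the handbook's code) of such a routine for a web form: every field has a rule stating what it may look like, values are canonicalised (Unicode NFKC, whitespace trimmed) before matching so look-alike characters cannot slip past a pattern, control characters are refused everywhere, and fields the form was never meant to carry are flagged. The field names, rules and the two sample submissions are constructed for the demo.

```python
"""Allow-list input validation "check routines" for a web form. Added example,
not the handbook's code; field names, rules and sample submissions are
constructed for the demo.
"""
import re
import unicodedata

# Each rule: required flag, maximum length, optional allow-list pattern, and
# for numeric fields a converter plus an inclusive range.
RULES = {
    "username": dict(required=True, max_len=32, pattern=r"^[a-z0-9_]{3,32}$"),
    "email":    dict(required=True, max_len=254, pattern=r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$"),
    "age":      dict(required=False, max_len=3, pattern=r"^\d{1,3}$", convert=int, range=(0, 150)),
    "comment":  dict(required=False, max_len=500, pattern=None),
}

# ASCII control characters except tab, newline and carriage return.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def canonicalise(value):
    """One canonical form before any check: NFKC folds compatibility characters
    (full-width letters, ligatures) so the pattern sees what the database will."""
    return unicodedata.normalize("NFKC", str(value)).strip()


def validate(form, rules=RULES):
    """Return (clean_values, errors). A field appears in clean_values only when
    it passed every check; errors maps field name -> reason."""
    clean, errors = {}, {}
    for field, rule in rules.items():
        raw = form.get(field)
        if raw is None or canonicalise(raw) == "":
            if rule["required"]:
                errors[field] = "required"
            continue
        value = canonicalise(raw)
        if CONTROL_RE.search(value):
            errors[field] = "control characters not allowed"
            continue
        if len(value) > rule["max_len"]:
            errors[field] = f"longer than {rule['max_len']} characters"
            continue
        pattern = rule.get("pattern")
        if pattern and not re.fullmatch(pattern, value, re.IGNORECASE):
            errors[field] = "does not match the allowed format"
            continue
        if "convert" in rule:
            value = rule["convert"](value)
            lo, hi = rule["range"]
            if not lo <= value <= hi:
                errors[field] = f"outside {lo}..{hi}"
                continue
        clean[field] = value
    unknown = set(form) - set(rules)
    if unknown:
        errors["_unknown"] = "unexpected fields: " + ", ".join(sorted(unknown))
    return clean, errors


# Constructed submissions: one well-formed, one with a quote-laden username,
# a malformed address, an out-of-range age, a NUL byte and an extra field.
GOOD_FORM = {"username": " Alice_01 ", "email": "alice@example.com", "age": "34"}
BAD_FORM = {"username": "alice' OR 1=1 --", "email": "not-an-email",
            "age": "900", "comment": "hi\x00there", "debug": "1"}

if __name__ == "__main__":
    print(validate(GOOD_FORM))
    print(validate(BAD_FORM))
```

Validation narrows what can arrive, but it is one layer only: the free-text `comment` field above still accepts `<` and `'`, so the data must additionally be parameterised on the way into SQL and encoded on the way out to HTML.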
[Figure: the three security attributes – Confidentiality, Integrity, Availability]
Information States
Information has three basic states: at any given moment, information is being transmitted, stored or processed. The three states exist irrespective of the media in which information resides. Information systems security concerns itself with the maintenance of three critical characteristics of information: confidentiality, integrity and availability. These attributes of information represent the full spectrum of security concerns in an automated environment. They are applicable for any organization irrespective of its philosophical outlook on sharing information.
[Figure: Information States – Transmission, Processing, Storage]
The following types of non-repudiation services are defined in international standard ISO
14516:2002 (guidelines for the use and management of trusted third party services).
Central to information security is the concept of controls, which may be categorized by their functionality (preventive, detective, corrective, deterrent, recovery and compensating) and plane of application (physical, administrative or technical).
By functionality:
Preventive controls
Preventive controls are the first controls met by an adversary. These try to prevent security violations and enforce access control. Like other controls, these may be physical, administrative or technical. Doors, security procedures and authentication requirements are examples of physical, administrative and technical preventive controls respectively.
Detective controls
Detective controls are in place to detect security violations and alert the defenders. They come into play when preventive controls have failed or have been circumvented, and are no less crucial than preventive controls. Detective controls include cryptographic checksums, file integrity checkers, audit trails and logs and similar mechanisms.
Corrective controls
Corrective controls try to correct the situation after a security violation has occurred. Although a violation occurred, the data remains secure, so it makes sense to try and fix the situation. Corrective controls vary widely, depending on the area being targeted, and they may be technical or administrative in nature.
Deterrent controls
Deterrent controls are intended to discourage potential attackers. Examples of deterrent controls include notices of monitoring and logging as well as the visible practice of sound information security management.
Recovery controls
Recovery controls are somewhat like corrective controls, but they are applied in more serious situations to recover from security violations and restore information and information processing resources. Recovery controls may include disaster recovery and business continuity mechanisms, backup systems and data, emergency key management arrangements and similar controls.
Compensating controls
Compensating controls are intended to be alternative arrangements for other controls when the original controls have failed or cannot be used. When a second set of controls addresses the same threats that are addressed by another set of controls, it acts as a compensating control.
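File integrity checkers are listed above as a detective control; the block below is an added example (not the handbook's code) of the smallest useful one. It takes a SHA-256 baseline of a directory tree while the tree is known-good, later recomputes the digests, and reports what was modified, added or removed. The directory layout, file names and contents are constructed inside a temporary directory for the demo.

```python
"""A minimal file integrity checker, the detective control named above.
Added example, not from the handbook; the files it creates in a temporary
directory are constructed for the demo.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root, '/' separated) to its digest."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Diff two digest maps into the three findings an auditor cares about."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(root, rel, data):
    """Helper for the demo: write bytes to root/rel, creating directories."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed tree, snapshot it, tamper with it, return the report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd.txt", b"root:x:0:0\n")
        _write(root, "bin/login.sh", b"#!/bin/sh\necho login\n")
        _write(root, "var/log/old.log", b"boot ok\n")
        baseline = build_baseline(root)

        _write(root, "bin/login.sh", b"#!/bin/sh\necho login; echo tampered\n")  # modified
        _write(root, "tmp/dropper.bin", b"\x7fELF...")                           # added
        os.remove(os.path.join(root, "var", "log", "old.log"))                   # removed
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as its storage: an intruder who can rewrite the files can usually rewrite a baseline kept beside them, so production tools keep it signed or on a separate host, and run the comparison from read-only media or a trusted schedule.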
marketing group, even if that user has a security clearance level higher than confidential (for example, secret or top secret). This concept is known as compartmentalization or ‘need to know’.
Although MAC-based systems, when used appropriately, are thought to be more secure than DAC-based systems, they are also much more difficult to use and administer because of the additional restrictions and limitations imposed by the operating system. MAC-based systems are typically used in government, military and financial environments where higher than usual security is required and where the added complexity and costs are tolerated. MAC is implemented in Trusted Solaris, a version of the Solaris operating environment intended for high security environments.
Role-Based Access Control (RBAC)
In the role-based access control model, rights and permissions are assigned to roles instead of individual users. This added layer of abstraction permits easier and more flexible administration and enforcement of access controls. For example, access to marketing files may be restricted only to the marketing manager role, and users Ann, David, and Joe may be assigned the role of marketing manager. Later, when David moves from the marketing department elsewhere, it is enough to revoke his role of marketing manager, and no other changes would be necessary. When you apply this approach to an organization with thousands of employees and hundreds of roles, you can see the added security and convenience of using RBAC. Solaris has supported RBAC since release 8.
Centralized vs. Decentralized Access Control
A further distinction should be made between centralized and decentralized (distributed) access control models. In environments with centralized access control, a single, central entity makes access control decisions and manages the access control system, whereas in distributed access control environments these decisions are made and enforced in a decentralized manner. Both approaches have their pros and cons, and it is generally inappropriate to say that one is better than the other. The selection of a particular access control approach should be made only after careful consideration of an organization’s requirements and associated risks.
Security Vulnerability Management
Security vulnerability management is the current evolutionary step of vulnerability assessment systems that began in the early 1990s with the advent of the network security scanner S.A.T.A.N. (Security Administrator’s Tool for Analyzing Networks), followed by the first commercial vulnerability scanner from ISS. While early tools mainly found vulnerabilities and produced lengthy reports, today’s best-in-class solutions deliver comprehensive discovery and support the entire security vulnerability management lifecycle.
A vulnerability can occur anywhere in the IT environment, and can be the result of many different root causes. Security vulnerability management solutions gather comprehensive endpoint and network intelligence, and apply advanced analytics to identify and prioritize the vulnerabilities that pose the most risk to critical systems. The result is actionable
data that enables IT security teams to focus on the tasks that will most quickly and effectively reduce overall network risk with the fewest possible resources.
Security vulnerability management is a closed-loop workflow that generally includes identifying networked systems and associated applications, auditing (scanning) the systems and applications for vulnerabilities and remediating the vulnerabilities. Any IT infrastructure components may present existing or new security concerns and weaknesses, i.e. vulnerabilities. These may be product/ component faults or inadequate configuration. Malicious code or unauthorized individuals may exploit those vulnerabilities to cause damage, such as disclosure of credit card data. Vulnerability management is the process of identifying those vulnerabilities and reacting appropriately to mitigate the risk.
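The access control discussion earlier in this unit gives two examples in prose: the RBAC case where Ann, David and Joe hold the marketing manager role and David's access is removed by revoking the role, and the MAC "need to know" case where a user with a clearance above confidential is still denied a confidential marketing file because they lack the marketing compartment. The block below is an added example (not the handbook's or any operating system's code) that implements both rules so the two decisions can be checked side by side. The users, role name, permission strings, clearance levels and file labels are constructed for the demo.

```python
"""Role-based access control beside a mandatory-access-control check with
compartments. Added example, not the handbook's or any operating system's
code; users, roles, clearances and file labels are constructed for the demo.
"""
from dataclasses import dataclass, field


class Rbac:
    """Permissions attach to roles; users only ever receive roles."""

    def __init__(self):
        self.role_perms = {}        # role -> set of permissions
        self.user_roles = {}        # user -> set of roles

    def grant(self, role, *perms):
        self.role_perms.setdefault(role, set()).update(perms)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def allowed(self, user, perm):
        return any(perm in self.role_perms[r] for r in self.user_roles.get(user, ()))


# MAC: a hierarchical level plus a set of compartments ("need to know").
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)


def mac_read_allowed(subject, obj):
    """Read is permitted only if the subject's clearance dominates the object's
    label: level high enough AND every compartment of the object held."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and obj.compartments <= subject.compartments)


def rbac_demo():
    """Returns (David before revoke, David after revoke, Ann unaffected)."""
    rbac = Rbac()
    rbac.grant("marketing manager", "read:marketing-files", "write:marketing-files")
    for user in ("Ann", "David", "Joe"):
        rbac.assign(user, "marketing manager")
    before = rbac.allowed("David", "read:marketing-files")
    rbac.revoke("David", "marketing manager")        # David leaves marketing
    after = rbac.allowed("David", "read:marketing-files")
    return before, after, rbac.allowed("Ann", "read:marketing-files")


def mac_demo():
    """Returns (Joe: top secret but no marketing compartment, Ann: confidential
    with the marketing compartment) for a confidential marketing file."""
    marketing_file = Label("confidential", frozenset({"marketing"}))
    joe = Label("top secret", frozenset({"finance"}))
    ann = Label("confidential", frozenset({"marketing"}))
    return mac_read_allowed(joe, marketing_file), mac_read_allowed(ann, marketing_file)


if __name__ == "__main__":
    print("RBAC (David before, David after revoke, Ann):", rbac_demo())
    print("MAC (Joe top secret/finance, Ann confidential/marketing):", mac_demo())
```

The MAC check is the "no read up" half of a lattice model: a higher level alone is not enough, the compartment set must also dominate, which is exactly why Joe's top secret clearance does not open a confidential marketing file.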
Vulnerability assessment and management is an essential piece of managing overall IT risk because:
• Persistent threats: attacks exploiting security vulnerabilities for financial gain and criminal agendas continue to dominate headlines.
• Regulation
• Risk management: mature organizations treat it as a key risk management component. Organizations that follow mature IT security principles understand the importance of risk management.
the rise of attacks that target these components.
Database scanners check database configuration and properties to verify whether they comply with database security best practices. Web application scanners test an application’s logic for “abuse” cases that can break or exploit the application. Additional tools can be leveraged to perform more in-depth testing and analysis.
All three scanning technologies (network, application and database) assess a different class of security weaknesses, and most organizations need to implement all three.
Risk assessment
Larger issues should be expressed in the language of risk (e.g. ISO 27005), specifically expressing impact in terms of business impact. The business case for any remedial action should incorporate considerations relating to the reduction of risk and compliance with policy. This forms the basis of the action to be agreed on between the relevant line of business and the security team.
Risk analysis
“Fixing” the issue may involve acceptance of the risk, shifting of the risk to another party or reducing the risk by applying remedial action, which could be anything from a configuration change to implementing new infrastructure (e.g. data loss prevention, firewalls, host intrusion prevention software).
Elimination of the root cause of security weaknesses may require changes to user administration and system provisioning processes. Many processes and often several teams may come into play (e.g. configuration management, change management, patch management etc.). Monitoring and incident management processes are also required to maintain the environment.
Vulnerability enumeration
Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e. CVE
Identifiers) for publicly known information security vulnerabilities. CVE’s common
identifiers make it easier to share data across separate network security databases and
tools, and provide a baseline for evaluating the coverage of an organization’s security
tools. If a report from one of your security tools incorporates CVE identifiers, you may
then quickly and accurately access fix information in one or more separate CVE
compatible databases to remediate the problem.
The Common Vulnerability Scoring System (CVSS) provides an open framework for
communicating the characteristics and impacts of IT vulnerabilities. Its quantitative
model ensures repeatable, accurate measurement while enabling users to see the
underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS
is well suited as a standard measurement system for industries, organizations and
governments that need accurate and consistent vulnerability impact scores.
super critical in the software security world. A number of automated solutions are also available for various types of RCA. For example, HP's web application security testing technology can link XSS issues to a single line of code in the application input handler.
Decision trees and algorithms may be used as tools for further detailed analysis. To learn more about it, visit: https://www.sans.org/reading-room/whitepapers/detection/decision-tree-analysis-intrusion-detection-how-to-guide-33678
UNIT III
Data Leakage and Prevention
Lesson Plan
Suggested Learning Activities
Training Resource Material
3.1 Introduction Data Leakage
3.2 Organisational Data Classification, Location and Pathways
3.3 Content Awareness
3.4 Content Analysis Techniques
3.5 Data Protection
3.6 DLP Limitations
3.7 DRM – DLP Conundrum
Lesson Plan
You need to know and understand:
KA12. your organization’s information security systems and tools and how to access and maintain these
KA13. standard tools and templates available and how to use these
KB4. how to identify and resolve information security vulnerabilities and issues
Suggested learning activities:
KA12. Going through various organizations’ websites and understanding the policies and guidelines (Research)
KA12. Project charter, Architecture (charts), Project plan, Poster presentation and execution plan
KA13. Creation of templates based on the learnings from KA1 to KA12
KB1 – KB4. Going through the security standards over the Internet by visiting sites like ISO, PCI DSS etc., and understanding various methodologies and usage of algorithms
Duration: 4 hrs
Training resource material (KA1 to KA13):
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Networking Equipment - Routers & Switches
Firewalls and Access Points
Access to all security sites like ISO, PCI DSS
Commercial Tools like HP Web Inspect and IBM AppScan etc.
Open Source tools like sqlmap, Nessus etc.
Activity 2:
Ask students to identify work behaviours and practices that can lead to data leakage in a
work context. Also encourage students to look at their own environment and identify
various confidential and personal information and how their own practices and habits can
cause data leakage.
Activity 3:
Ask students to research various organisations that offer products and services in the Data
Leakage Prevention and Data Risk Management. Compare the two, note down and
present the various offerings, tools and their features, benefits and limitations.
Activity 4:
Data at Rest
Data in Motion
Data in Use
Ask students to find examples of data around them and in their daily lives that are
categorised in these three. Ask them to state risks of data leakages and the various
sources of it.
Sensitive data in companies and organizations include intellectual property (IP), financial
information, patient information, personal credit card data, and other information depending
on the business and the industry. Data leakage poses a serious issue for companies as the
number of incidents and the cost to those experiencing them continue to increase.
Data leakage is enhanced by the fact that transmitted data (both inbound and outbound), including emails, instant messaging, website forms and file transfers among others, are largely unregulated and unmonitored on their way to their destinations. Furthermore, in many cases, sensitive data are shared among various stakeholders such as employees working from outside the organization's premises (e.g. on laptops), business partners and customers. This increases the risk that confidential information will fall into unauthorized hands. Whether caused by malicious intent or an inadvertent mistake by an insider or outsider, exposure of sensitive information can seriously hurt an organization. The potential damage and adverse consequences of a data leakage incident can be classified into two categories:
1. Direct losses: They refer to tangible damage that is easy to measure or to estimate quantitatively. Indirect losses, on the other hand, are much harder to quantify and have a much broader impact in terms of cost, place and time.
2. Indirect losses: They include violations of regulations (such as those protecting customer privacy) resulting in fines; settlements or customer compensation fees; litigation involving lawsuits; loss of future sales; costs of investigation and remedial or restoration fees. Indirect losses include reduced share price as a result of negative publicity; damage to a company's goodwill and reputation; customer abandonment; and exposure of intellectual property (business plans, code, financial reports and meeting agendas) to competitors.
Device control, access control and encryption are used to prevent access by an unauthorized user.
These are the simplest measures that can be taken to protect large amounts of personal data
against malicious outsider and insider attacks.
Designated DLP solutions are intended to detect and prevent attempts to copy or send sensitive data, intentionally or unintentionally, without authorization, mainly by personnel who are authorized to access the sensitive information. A major capability of such solutions is an ability to classify content as sensitive. DLP solutions are typically implemented using mechanisms such as exact data matching, structured data fingerprinting, statistical methods (e.g. machine learning), rule and regular expression matching, published lexicons, conceptual definitions and keywords.
Designated Data Leakage Prevention (DLP) solutions are often referred to as Information Leak Prevention (ILP), Data Leak/ Loss Prevention (DLP), Outbound Content Compliance, Content Monitoring and Filtering, Content Monitoring and Protection (CMP) or Extrusion Prevention.
Data at rest: it resides in file systems, distributed desktops and large centralized data stores, databases or other storage centers.
Data at the endpoint or in use: it resides at network endpoints such as laptops; USB devices; external drives; CD/ DVDs; archived tapes; MP3 players; iPhones or other highly mobile devices.
Data in motion: it moves through the network to the outside world via email, instant messaging, peer-to-peer (P2P), FTP or other communication mechanisms.
[Figure (pie charts): share of data leakage by data type (NPI, e.g. Customer Data; Confidentiality Info) and by channel (HTTP, Email, Networked Printer, End Point, Internal Mail, IM, Webmail, Others).]
Source: http://www.networksunlimited.com
The DLP market is also split between DLP as a feature and DLP as a solution. A number of
products, particularly email security solutions, provide basic DLP functions, but aren't complete
DLP solutions. The difference is:
Once the content is accessed, there are seven major analysis techniques used to find policy violations, each with its own strengths and weaknesses.
1. Rule based/ Regular expressions: This is the most common analysis technique available in both DLP products and other tools with DLP features. It analyses the content for specific rules, such as 16 digit numbers that meet credit card checksum requirements, medical billing codes or other textual analyses. Most DLP solutions enhance basic regular expressions with their own additional analysis rules (e.g. a name in proximity to an address near a credit card number).
Best suited for: a first-pass filter, or for detecting easily identified pieces of structured data like credit card numbers, social security numbers and healthcare codes/ records.
Strengths: rules process quickly and can be easily configured. Most products ship with initial rule sets. The technology is well understood and easy to incorporate into a variety of products.
Weaknesses: prone to high false positive rates. Offers very little protection for unstructured content like sensitive intellectual property.
2. Database fingerprinting: Sometimes called Exact Data Matching – this technique takes either a database dump or live data (via ODBC connection) from a database and only looks for exact matches. For example, you could generate a policy to look only for credit card numbers in your customer base, thus ignoring your own employees buying online. More advanced tools look for combinations of information, such as the magic combination of first name or initial with last name, credit card or social security number that triggers a disclosure. Make sure you understand the performance and security implications of nightly extracts vs. live database connections.
Best suited for: structured data from databases.
Strengths: very low false positives (close to 0). Allows you to protect customer/ sensitive data while ignoring other, similar data used by employees (like their personal credit cards for online orders).
Weaknesses: nightly dumps won't contain transaction data since the last extract. Live connections can affect database performance. Large databases affect product performance.
3. Exact file matching: With this technique you take a hash of a file and monitor for any files that match that exact fingerprint. Some consider this to be a contextual analysis technique since the file contents themselves are not analysed.
Best suited for: media files and other binaries where textual analysis isn't necessarily possible.
Strengths: works on any file type, low false positives with a large enough hash value (effectively none).
Weaknesses: trivial to evade. Worthless for content that's edited, such as standard office documents and edited media files.
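The three techniques above can be shown side by side in a few lines. The following is an added example written for this handbook section, not code from the handbook or from any DLP product: a regular expression with the Luhn checksum (technique 1), exact data matching against a customer extract (technique 2) and exact file matching by hash (technique 3). The sample message, the customer card list, the file bytes and the HMAC key are all constructed for the example; the card numbers are well-known test numbers, not real accounts.

```python
import hashlib
import hmac
import re

# Technique 1: rule / regular expression.  A candidate is 16 digits with
# optional single spaces or dashes, and must also pass the Luhn checksum.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def regex_find_cards(text: str) -> list[str]:
    """16-digit numbers that also pass the checksum (separators removed)."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# Technique 2: database fingerprinting / exact data matching.  The customer
# extract is indexed as keyed hashes so the sensor never stores raw numbers
# (a design choice of this example; unkeyed hashes of card numbers would be
# trivially guessable).
EDM_KEY = b"constructed-example-key"   # assumption: provisioned by the management server


def _fp(value: str) -> str:
    return hmac.new(EDM_KEY, value.encode(), "sha256").hexdigest()


def build_edm_index(card_numbers) -> set[str]:
    return {_fp(c) for c in card_numbers}


def edm_find_cards(text: str, index: set[str]) -> list[str]:
    """Only numbers that exist in the customer extract count as matches."""
    return [c for c in regex_find_cards(text) if _fp(c) in index]


# Technique 3: exact file matching.  Any edit to the file changes the hash.
def file_fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def exact_file_match(data: bytes, fingerprints: set[str]) -> bool:
    return file_fingerprint(data) in fingerprints


# Constructed sample data.
CUSTOMER_CARDS = ["4111111111111111"]          # the customer extract (test number)
SAMPLE_TEXT = ("Invoice for customer card 4111 1111 1111 1111; "
               "employee paid with 5500 0000 0000 0004; ref 1234567890123456")
DESIGN_FILE = b"CAD-BINARY\x00\x01\x02\x03 constructed design file"
FINGERPRINTS = {file_fingerprint(DESIGN_FILE)}

if __name__ == "__main__":
    idx = build_edm_index(CUSTOMER_CARDS)
    print("regex hits:", regex_find_cards(SAMPLE_TEXT))      # both valid cards, not the ref number
    print("EDM hits:  ", edm_find_cards(SAMPLE_TEXT, idx))   # only the customer's card
    print("file match:", exact_file_match(DESIGN_FILE, FINGERPRINTS),
          exact_file_match(DESIGN_FILE + b"\x00", FINGERPRINTS))  # one byte added: no match
```

Running it shows the trade-offs the text describes: the regex rule flags both the customer's card and the employee's personal card while the checksum rejects the reference number, exact data matching reports only the customer's card, and appending a single byte to the design file defeats the hash match.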
The goal of DLP is to protect content throughout its lifecycle. In terms of DLP, this includes
three major aspects:
• Data at Rest includes scanning of storage and other content repositories to identify
where sensitive content is located. We call this content discovery. For example, you can
use a DLP product to scan your servers and identify documents with credit card
numbers. If the server isn't authorized for that kind of data, the file can be encrypted
or removed or a warning sent to the file owner.
• Data in Motion is sniffing of traffic on the network (passively or inline via proxy) to
identify content being sent across specific communications channels. For example, this
includes sniffing emails, instant messages and web traffic for snippets of sensitive
source code. In motion, tools can often block based on central policies depending on
the type of traffic.
• Data in Use is typically addressed by endpoint solutions that monitor data as the user
interacts with it. For example, they can identify when you attempt to transfer a sensitive
document to a USB drive and block it (as opposed to blocking use of the USB drive
entirely). Data in use tools can also detect things like copy and paste or use of sensitive
data in an unapproved application (such as someone attempting to encrypt data to
sneak it past the sensors).
Many organizations first enter the world of DLP with network based products that provide broad protection for managed and unmanaged systems. It's typically easier to start a deployment with network products to gain broad coverage quickly. Early products limited themselves to basic monitoring and alerting, but all current products include advanced capabilities to integrate with existing network infrastructure and provide protective, not just detective controls.
sniff SSL connections. You will need to make changes on your endpoints to deal with all the certificate alerts, but you can now peer into encrypted traffic. For Instant Messaging, you'll need an IM proxy and a DLP product that specifically supports whatever IM protocol you're using.
TCP Poisoning
The last method of filtering is TCP poisoning. You monitor the traffic and when you see something bad, you inject a TCP reset packet to kill the connection. This works on every TCP protocol but isn't very efficient. For one thing, some protocols will keep trying to get the traffic through. If you TCP poison a single email message, the server will keep trying to send it for three days, as often as every 15 minutes. The other problem is the same as bridging. Since you don't queue the traffic at all, by the time you notice something bad, it might be too late. It's a good stop-gap to cover non-standard protocols, but you'll want to proxy as much as possible.
Internal Networks
Although technically capable of monitoring internal networks, DLP is rarely used on internal traffic other than email. Gateways provide convenient choke points. Internal monitoring is a daunting prospect from cost, performance, and policy management/ false positive standpoints. A few DLP vendors have partnerships for internal monitoring, but this is a lower priority feature for most organizations.
Distributed and Hierarchical Deployments
All medium to large enterprises and many smaller organizations have multiple locations and web gateways. A DLP solution should support multiple monitoring points, including a mix of passive network monitoring, proxy points, email servers and remote locations. While processing/ analysis can be offloaded to remote enforcement points, they should send all events back to a central management server for workflow, reporting, investigations and archiving. Remote offices are usually easy to support since you can just push policies down and reporting back, but not every product has this capability. The more advanced products support hierarchical deployments for organizations that want to manage DLP differently in multiple geographic locations or by business unit. International companies often need this to meet legal monitoring requirements which vary by country. Hierarchical management supports coordinated local policies and enforcement in different regions, running on their own management servers and communicating back to a central management server. Early products only supported one management server but now we have options to deal with these distributed situations with a mix of corporate/ regional/ business unit policies, reporting and workflow.
Data At Rest
While catching leaks on the network is fairly powerful, it's only one small part of the problem. Many customers are finding that it's just as valuable, if not more valuable, to figure out where all that data is stored in the first place. We call this content discovery. Enterprise search tools might be able to help with this, but they really aren't tuned well for this specific problem. Enterprise data classification tools can also help, but based on discussions with a number of clients, they don't seem to work well for finding specific policy violations. Thus we see many clients opting to use the content discovery features of their DLP products. The biggest advantage of content discovery in a DLP tool is that it allows you to take a single policy, and apply it across data no matter where it's stored, how it's shared, or how it's used. For example, you can define a policy that requires credit card numbers to only be emailed when encrypted, never be shared via HTTP or HTTPS, only be stored on approved servers and only be stored on workstations/ laptops by employees on the accounting team. All of this can be specified in a single policy on the DLP management server.
Content discovery consists of three components:
Storage discovery: scanning mass storage, including file servers, SAN and NAS.
Once a policy violation is discovered, the DLP tool can take a variety of actions:
Alert/ report: create an incident in the central management server just like a network
violation.
Warn: notify the user via email that they may be in violation of policy.
Quarantine/ notify: move the file to the central management server and leave a text file
with instructions on how to request recovery of the file.
Quarantine/ encrypt: encrypt the file in place, usually leaving a plain text file describing
how to request decryption.
Quarantine/ access control: change access controls to restrict access to the file.
Remove/ delete: either transfer the file to the central server without notification or just
delete it.
Key capabilities: existing products vary widely in functionality, but we can break out three key capabilities:
1. Monitoring and enforcement within the network stack: this allows enforcement of
network rules without a network appliance. The product should be able to enforce the
same rules as if the system were on the managed network as well as separate rules
designed only for use on unmanaged networks.
2. Monitoring and enforcement within the system kernel: by plugging directly into the
operating system kernel you can monitor user activity, such as copying and pasting
sensitive content. This can also allow products to detect (and block) policy violations
when the user is taking sensitive content and attempting to hide it from detection,
perhaps by encrypting it or modifying source documents.
3. Monitoring and enforcement within the file system: this allows monitoring and
enforcement based on where data is stored. For example, you can perform local
discovery and/ or restrict transfer of sensitive content to unencrypted USB devices.
The following features are highly desirable when deploying DLP at the endpoint:
• Endpoint agents and rules should be centrally managed by the same DLP management server that controls data in motion and data at rest (network and discovery).
• Policy creation and management should be fully integrated with other DLP policies in a single interface.
• Incidents should be reported to, and managed by a central management server.
• Endpoint agent should use the same content analysis techniques and rules as the network servers/ appliances.
• Rules (policies) should adjust based on where the endpoint is located (on or off the network). When the endpoint is on a managed network with gateway DLP, redundant local rules should be skipped to improve performance.
• Agent deployment should integrate with existing enterprise software deployment tools.
• Policy updates should offer options for secure management via the DLP management server or existing enterprise software update tools.
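Two of the ideas in this unit fit one small rule engine: the single credit card policy from the content discovery passage (emailed only when encrypted, never over HTTP/HTTPS, stored only on approved servers, stored on laptops only by the accounting team) and the endpoint requirement just listed that redundant network rules are skipped when the endpoint sits behind gateway DLP. The following is an added example written for this section, not the handbook's or any vendor's code; the event fields, the server name, the group name and the action names (taken from the content discovery action list earlier in the unit) are assumptions of the example.

```python
from dataclasses import dataclass

# Channels that a network gateway DLP already enforces; an endpoint agent on a
# managed network with gateway DLP can skip these rules locally.
NETWORK_CHANNELS = {"email", "http", "https", "ftp", "im"}


@dataclass
class Event:
    """One observation reported by a DLP sensor (constructed for this example)."""
    context: str                    # "at_rest", "in_motion" or "in_use"
    channel: str                    # e.g. "email", "https", "file_server", "laptop", "usb"
    matched_rule: str               # content rule that fired, e.g. "credit_card"
    encrypted: bool = False         # in-motion: payload encrypted by a managed tool
    location: str = ""              # at-rest: server the file was found on
    owner_group: str = ""           # group of the file owner / interactive user
    on_managed_network: bool = True
    gateway_dlp_present: bool = True


@dataclass(frozen=True)
class CardPolicy:
    approved_servers: frozenset
    approved_laptop_groups: frozenset


def evaluate_card_policy(ev: Event, pol: CardPolicy) -> str:
    """Return the action for one event under the single credit card policy."""
    if ev.matched_rule != "credit_card":
        return "allow"
    if ev.context == "in_motion":
        if ev.channel == "email":
            return "allow" if ev.encrypted else "block"
        if ev.channel in {"http", "https"}:
            return "block"
        return "alert"                       # other channels: record an incident
    if ev.context == "at_rest":
        if ev.channel == "file_server":
            return "allow" if ev.location in pol.approved_servers else "quarantine/encrypt"
        if ev.channel == "laptop":
            return "allow" if ev.owner_group in pol.approved_laptop_groups else "quarantine/notify"
        return "alert"
    if ev.context == "in_use":
        return "block"                       # e.g. copy to USB or paste into an unapproved app
    return "alert"


def endpoint_rules_to_evaluate(ev: Event, rule_channels) -> list[str]:
    """Rule channels the endpoint agent evaluates locally.

    Behind gateway DLP on the managed network the network rules are redundant
    and are skipped; off the network the agent must evaluate all of them."""
    if ev.on_managed_network and ev.gateway_dlp_present:
        return [c for c in rule_channels if c not in NETWORK_CHANNELS]
    return list(rule_channels)


# Assumed policy parameters for the example.
POLICY = CardPolicy(approved_servers=frozenset({"fin-srv-01"}),
                    approved_laptop_groups=frozenset({"accounting"}))
ALL_RULES = ["email", "https", "usb", "local_discovery"]

if __name__ == "__main__":
    samples = [
        Event("in_motion", "email", "credit_card"),
        Event("in_motion", "email", "credit_card", encrypted=True),
        Event("in_motion", "https", "credit_card"),
        Event("at_rest", "file_server", "credit_card", location="web-srv-02"),
        Event("at_rest", "laptop", "credit_card", owner_group="marketing"),
        Event("in_use", "usb", "credit_card"),
    ]
    for ev in samples:
        print(ev.context, ev.channel, "->", evaluate_card_policy(ev, POLICY))
    print("on net :", endpoint_rules_to_evaluate(Event("in_use", "usb", "credit_card"), ALL_RULES))
    print("off net:", endpoint_rules_to_evaluate(
        Event("in_use", "usb", "credit_card", on_managed_network=False), ALL_RULES))
```

The point of keeping one function for all three contexts is the one the text makes: the policy is written once on the management server and the same decision logic is pushed to network, discovery and endpoint enforcement points, with the endpoint only trimming the rules the gateway already covers.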
Endpoint limitations
Realistically, the performance and storage limitations of the endpoint will restrict the types of
content analysis supported and the number and type of policies that are locally enforced. For
some enterprises, this might not matter depending on the kinds of policies to be enforced, but
in many cases endpoints impose significant constraints on data in use policies.
While DLP solutions can go far in helping an enterprise gain greater insight over and control of sensitive data, stakeholders need to be apprised of limitations and gaps in DLP solutions. Understanding these limitations is the first step in the development of strategies and policies to help compensate for the limitations of the technology.
Some of the most significant limitations common among DLP solutions are:
Encryption — DLP solutions can only inspect encrypted information that they can first decrypt. To do this, DLP agents, network appliances and crawlers must have access to, and be able to utilize, the appropriate decryption keys. If users have the ability to use personal encryption packages where keys are not managed by the enterprise and provided to the DLP solution, the files cannot be analyzed. To mitigate this risk, policies should forbid the installation and use of encryption solutions that are not centrally managed, and users should be educated that anything that cannot be decrypted for inspection (meaning that the DLP solution has the encryption key) will ultimately be blocked.
Graphics — DLP solutions cannot intelligently interpret graphics files. Short of blocking or manually inspecting all such information, a significant gap will exist in an enterprise's control of its information. Sensitive information scanned into a graphics file or intellectual property (IP) that exists in a graphics format, such as design documents, would fall into this category. Enterprises that have significant IP in a graphics format should develop strong policies that govern the use and dissemination of this information. While DLP solutions cannot intelligently read the contents of a graphics file, they can identify specific file types, their source and destination. This capability, combined with well-defined traffic analysis, can flag uncharacteristic movement of this type of information and provide some level of control.
Third-party service providers — When an enterprise sends its sensitive information to a trusted third party, it is inherently trusting that the service provider mirrors the same level of control over information leaks, since the enterprise's DLP solutions rarely extend to the service provider's network. A robust third-party management program that incorporates effective contract language and a supporting audit program can help mitigate this risk.
Mobile devices — With the advent of mobile computing devices, such as smartphones, there are communication channels that are not easily monitored or controlled. Short message service (SMS) is the communication protocol that allows text messaging, and is a key example. Another consideration is the ability of many of these devices to utilize Wi-Fi or even become a Wi-Fi hotspot themselves. Both cases allow for out-of-band communication that cannot be monitored by most enterprises. Finally, the ability of many of these devices to capture and store digital photographs and audio information presents yet another potential gap. While some progress is being made in this area, the significant limitations of processing power and centralized management remain a challenge. Again, this situation is best addressed by the development of strong policies and supporting user education to compel appropriate use of these devices.
Multilingual support — A few DLP solutions support multiple languages, but virtually all management consoles support only English. It is also true that for each additional language and character set the system must support, processing requirements and time windows for analysis increase. Until such time that vendors recognize sufficient market demand to address this gap, there is little recourse but to seek other methods to control information leaks in languages other than English. Multinational enterprises
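The encryption and graphics limitations above come down to one triage question a sensor must answer before any content rule runs: can this payload be inspected at all? The following is an added example for this section, not the handbook's or any vendor's code. It identifies a payload by magic bytes, decompresses what is merely compressed, flags graphics by type (the text's "identify specific file types" control) and blocks what looks encrypted and cannot be decrypted. The entropy threshold, the file-type table and all sample payloads are constructed for the example; the PGP block is a dummy, not a real message.

```python
import gzip
import math
import random
import zlib

# Leading bytes of common types (assumed table for the example).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF8": "image/gif",
    b"%PDF-": "application/pdf",
    b"\x1f\x8b": "application/gzip",
    b"PK\x03\x04": "application/zip",
}
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"
ENTROPY_OPAQUE = 7.5   # bits/byte; unknown data above this is treated as encrypted (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; uniform random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identify(data: bytes) -> str:
    if data.startswith(PGP_ARMOR):          # armored text decodes as UTF-8, so test it first
        return "application/pgp-encrypted"
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    try:
        data.decode("utf-8")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"


def classify_for_inspection(data: bytes) -> dict:
    """Decide whether content analysis can run, and what to do if it cannot."""
    kind = identify(data)
    if kind == "application/gzip":          # compressed, not encrypted: unpack and inspect
        try:
            inner = gzip.decompress(data)
        except (OSError, zlib.error, EOFError):
            return {"type": kind, "disposition": "block", "reason": "undecodable archive"}
        return {"type": kind, "disposition": "inspect", "content": inner}
    if kind.startswith("image/"):           # graphics: contents unreadable, control by type/flow
        return {"type": kind, "disposition": "flag_by_type", "reason": "graphics cannot be read"}
    if kind == "application/pgp-encrypted":
        return {"type": kind, "disposition": "block", "reason": "cannot decrypt for inspection"}
    if kind == "application/octet-stream" and shannon_entropy(data) > ENTROPY_OPAQUE:
        return {"type": "opaque/high-entropy", "disposition": "block",
                "reason": "cannot decrypt for inspection"}
    return {"type": kind, "disposition": "inspect", "content": data}


# Constructed sample payloads.
PLAIN = b"customer card 4111 1111 1111 1111 in plain text"
GZ_SAMPLE = gzip.compress(PLAIN)
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(64)
PGP_SAMPLE = (b"-----BEGIN PGP MESSAGE-----\n\n"
              b"dGhpcyBpcyBub3QgYSByZWFsIHBncCBtZXNzYWdl\n"
              b"-----END PGP MESSAGE-----\n")
_rng = random.Random(42)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))   # stands in for a personal-crypto file

if __name__ == "__main__":
    for name, payload in [("plain", PLAIN), ("gzip", GZ_SAMPLE), ("png", PNG_SAMPLE),
                          ("pgp", PGP_SAMPLE), ("random", RANDOM_BLOB)]:
        r = classify_for_inspection(payload)
        print(f"{name:7s} {r['type']:28s} {r['disposition']:13s} {r.get('reason', '')}")
```

The gzip case is the one worth noticing: compressed and encrypted data both look random to an entropy measure, so the type check has to run before the entropy check, otherwise an archive of ordinary documents would be blocked as undecryptable.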
The only recourse for most enterprises is the adoption of behavioral policies and
physical security controls that complement the suite of technology controls that is
available today, such as:
• Solution lock-in — At this time there is no portability of rule sets across various DLP
platforms, which means that changing from one vendor to another or integration with an
acquired organization’s solution can require significant work to replicate a complex rule
set in a different product.
• Limited client OS support — Many DLP solutions do not provide endpoint DLP agents
for operating systems such as Linux and Mac because their use as clients in the enterprise
is much less common. This does, however, leave a potentially significant gap for
enterprises that have a number of these clients. This risk can only be addressed by
behavior oriented policies or requires the use of customized solutions that are typically
not integrated with the enterprise DLP platform.
• Cross application support — DLP functions can also be limited by application types. A
DLP agent that can monitor the data manipulations of one application may not be able to
do so for another application on the same system. Enterprises must ensure that all
applications that can manipulate sensitive data are identified and must verify that the DLP
solution supports them. In cases where unsupported applications exist, other actions may
be required through policy, or if feasible, through removal of the application in question.
The Open Security Foundation's DataLossDB gathers information about events involving the loss, theft or exposure of personally identifiable information (PII). DataLossDB's dataset, in current and previous forms, has been used in research by numerous educational, governmental and commercial entities, which often have been able to provide statistical analysis with graphical presentations.
The charts below are provided in "as-is" format based on the current dataset maintained by the Open Security Foundation and DataLossDB.
each other. DRM encrypts files and controls access privileges dynamically as a file is in use. DLP detects patterns and can restrict movement of information that meets certain criteria. Rather than being competitive, the reality is that many organizations can use them as complementary solutions. DLP's ability to scan, detect data patterns and enforce appropriate actions using contextual awareness reduces the risk of losing sensitive data. A drawback of DLP is that it does not provide any protection in case users have to send confidential information legitimately to a business partner or customer. DLP cannot protect information once it is outside the organization's perimeter. DLP is very good at monitoring the flow of data throughout an organization and applying predefined policies at endpoint devices or the network. The policies can log activities, send warnings to end users and administrators, quarantine data or block it altogether.
The challenge is that most businesses need to share sensitive data with outside people. Considering most data leaks originate from trusted insiders who have or had access to sensitive documents, organizations must complement and empower the existing security infrastructure with a data centric security solution that protects data in use persistently. That is where DRM comes in. DRM ensures that only intended recipients can view sensitive files regardless of their location. This assures protection of data beyond controlled boundaries so that an organization is always in control of its information. DRM policy stays with the document even if it is renamed or saved to another format, like a PDF. This provides a more complete solution to limit the possibility of a data breach.
By integrating DLP and DRM, organizations may be able to:
• allow DLP to scan DRM-protected documents, and apply DLP policies
• enforce DLP policy engines to encrypt or reclassify a file to create a DRM protected document
• secure data persistently and reduce the risk of losing it from both insiders and outsiders.
DLP alone cannot control data in use by authorized internal or external users. Adding DRM ensures that vulnerabilities are minimized and that an organization can immediately deny access to any file regardless of its location.
UNIT IV
Information Security Policies,
Procedures, Standards and Guidelines
Lesson Plan
Suggested Learning Activities
Training Resource Material
4.1. Information Security Policies
4.2. Key Elements of a Security Policy
4.3. Security Standards, Guidelines and Frameworks
4.4. Laws, Regulations and Guidelines
Lesson Plan
You need to know and understand:
KA1. your organization's policies, procedures, standards and guidelines for managing information security
KA2. your organization's knowledge base and how to access and update this
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KA12. your organization's information security systems and tools and how to access and maintain these
KA13. standard tools and templates available and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Suggested Learning Activities:
KA1. QA session and a descriptive write-up on understanding.
KA2. Group presentation and peer evaluation along with Faculty.
KA4. Performance evaluation from Faculty and Industry with reward points.
KA12. Faculty and peer review.
KA13. Faculty and peer review.
KB1 - KB4. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration: 8 hrs
Training Resource Material: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security; Security Templates from ITIL, ISO.
Divide students into groups and ask them to research and collate various security
policies available across various organisations.
Let them categorise various policies and highlight the differences between these
based on context including sector, size of organisation, types of information or
data they possess, country, etc.
Ask the students to compile a list of components that are similar across policies.
Engage them in a discussion as to why they think these elements are similar or
dissimilar and what is the impact of the variances.
Activity 2:
Divide the students into groups and ask them to research various standards of
data security that are available.
Ask them to categorise the various standards based on the area they pertain to.
Ask the students to develop standards for various aspects of their student life and
education, get them to make a plan for advocacy and promotion of these
standards so that more and more people adopt them. Let them list down key
imperatives and challenges for the successful adoption and recognition of their
proposed standards.
Activity 4:
Ask the students to explore the various laws and regulations that are applied in
the areas of information security. Let them present key features of the laws and
cite cases where these were violated and cases were filed in breach of law. Let
them present findings in the class, discussing the details of the case and
interesting facets of it.
Security policies are the foundation of your security infrastructure. Without them, you cannot protect your company from possible lawsuits, lost revenue and bad publicity, not to mention basic security attacks. A security policy is a document or set of documents that describes, at a high level, the security controls that will be implemented by the company.
Policies are not technology specific and do three things for an organisation:
• Reduce or eliminate legal liability to employees and third parties.
• Protect confidential, proprietary information from theft, misuse, unauthorized disclosure or modification.
• Prevent waste of company computing resources.
Organisations are giving more priority to development of information security policies; protecting their assets is one of the prominent things that needs to be considered. Lack of clarity in InfoSec policies can lead to catastrophic damages which cannot be recovered. So an organisation makes different strategies in implementing a security policy successfully.
Security policies are intended to define what is expected from employees within an organisation with respect to information systems. The objective is to guide or control the use of systems to reduce the risk to information assets. It also gives the staff who are dealing with information systems an acceptable use policy, explaining what is allowed and what not. Security policies of all companies are not the same, but the key motive behind them is to protect assets. Security policies are tailored to the specific mission goals.
There are two types of basic security policies:
• Technical security policies: these include how technology should be configured and used.
• Administrative security policies: these include how people (both end users and management) should behave/ respond to security.
Persons responsible for the implementation of the security policies are:
• Director of Information Security
• Chief Security Officer
• Director of Information Technology
• Chief Information Officer
Information in an organisation will be both electronic and hard copy, and this information needs to be secured properly against the consequences of breaches of confidentiality, integrity and availability. Proper security measures need to be implemented to control and secure information from unauthorised changes, deletions and disclosures. To find the level of security measures that need to be applied, a risk assessment is mandatory. An information security policy provides management direction and support for information security across the organisation.
A security policy should determine rules and regulations for the following systems:
Encryption mechanisms
Access control devices
Authentication systems
Firewalls
Anti-virus systems
Websites
Gateways
Routers and switches
Necessity of a security policy
It is generally impossible to accomplish a complex task without a detailed plan for doing so.

A security policy is that plan that provides for the consistent application of security principles throughout your company. After implementation, it becomes a reference guide when matters of security arise.

A security policy indicates senior management’s commitment to maintain a secure network, which allows the IT staff to do a more effective job of securing the company’s information assets. Ultimately, a security policy will reduce the risk of a damaging security incident. In the event of a security incident, certain policies, such as an Incident Response Policy, may limit your company’s exposure and reduce the scope of the incident.

A security policy can provide legal protection to your company. By specifying to your users exactly how they can and cannot use the network, how they should treat confidential information, and the proper use of encryption, you are reducing your liability and exposure in the event of an incident.

Further, a security policy provides a written record of your company’s policies if there is ever a question about what is and is not an approved act.

Security policies are often required by third parties that do business with your company as part of their due diligence process. Some examples of these might be auditors, customers, partners and investors. Companies that do business with your company, particularly those that will be sharing confidential data or connectivity to electronic systems, will be concerned about your security policy.
Lastly, one of the most common reasons why companies create security policies today is to fulfill regulations and meet standards that relate to security of digital information.

Once the security policy is implemented, it will be a part of day-to-day business activities. Security policies that are implemented need to be reviewed whenever there is an organizational change. Policies can be monitored by depending on monitoring solutions like SIEM, and violations of security policies can be seriously dealt with. There should also be a mechanism to report any violations of the policy.

While developing these policies, it is obligatory to make them as simple as possible because complex policies are less secure than simple systems. Security policies can be modified at a later time; that is not to say that you can create a violent policy now and a perfect policy can be developed some time later.

It is also mandatory to update the policy based upon the environmental changes that an organization goes through as it progresses.

The policy updates also need to be communicated to all employees as well as the person who is authorized to monitor policy violations, as they may flag some scenarios which have been ignored by the organization.

Management is responsible for establishing controls and should regularly review the status of controls.

Below is a list of some of the security policies that an organization may have:
Change Control Policy: How changes are made to directories or the file server
Encryption Policy: How data are encrypted, the encryption method used etc.
Promiscuous Policy
Permissive Policy
Prudent Policy
Paranoid Policy
Acceptable Use Policy
User Account Policy
Data Classification Policy
Intrusion Detection Policy
Remote Access Policy
Virus Prevention Policy
Information Protection Policy
Laptop Security Policy
Personal Security Policy
Cryptography Policy
Others: Firewall Management Policy, Special Access Policy, Network Connection Policy, Network Business Partner Policy
Acceptable Usage Policy (AUP) is the policy that one should adhere to while accessing the
network. Some of the assets that this policy covers are mobile, wireless, desktop, laptop and
tablet computers, email, servers, internet etc. For each asset, we need to look at how we can
protect it, manage it, authorised persons to use and administer the asset, accepted methods of
communication in these assets etc.
Once a reasonable security policy has been developed, an engineer has to look at the country’s laws, which should be incorporated in security policies. One example is the use of encryption to create a secure channel between two entities. Some encryption algorithms and their levels (128, 192) will not be allowed by the government for a standard use. Legal experts need to be consulted if you want to know what level of encryption is allowed in an area. This would become a challenge if security policies are derived for a big organisation spread across the globe.
Some of the laws, regulation and standards used for policy definition include:
The PCI Data Security Standard (PCIDSS)
The Health Insurance Portability and Accountability Act (HIPAA)
The Sarbanes-Oxley Act (SOX)
The ISO family of security standards
The Graham-Leach-Bliley Act (GLBA)
fewer. Clarity must be a priority in security policies so that a policy isn’t misunderstood during a crisis or otherwise misapplied, which could lead to a critical vulnerability.

• A security policy must be consistent with applicable laws and regulations. In some countries there are laws that apply to a company’s security practices, such as those covering the use of encryption. Some states have specific disclosure laws or regulations governing the protection of citizens’ personal information, and some industries have regulations governing security policies. It is recommended that you research and become familiar with any regulations or standards that apply to your company’s security controls.

• A security policy should be reasonable. The point of this process is to create a policy that you can actually use rather than one that makes your company secure on paper but is impossible to implement. Keep in mind that the more secure a policy is, the greater the burden it places on your users and IT staff to comply with. Find a middle ground in the balance between security and usability that will work for you.

• A security policy must be enforceable. A policy should clearly state which actions are permitted and which of those are in violation of the policy. Further, the policy should spell out enforcement options when non-compliance or violations are discovered, and must be consistent with applicable laws. A security policy can be formatted to be consistent with your company’s internal documentation, however certain information should be placed on each page of the policy. At a minimum, this information should include: policy name, creation date, target audience and a clear designation that the policy is company confidential.

Security Policy Implementation

Once a policy has been created, perhaps the hardest part of the process is rolling it out to the organization. This step must be well planned and undertaken thoughtfully. First and most importantly, a security policy must be backed by the company’s senior management team. Without their support, the cooperation needed across departments will likely doom the implementation. Department heads must be involved, and specifically, Human Resources and Legal Services must play an integral part. Make sure you have management buy-in before you get too far along in the process. If the position doesn’t already exist, an Information Security Officer or IT Security Program Manager should be designated at your company who is responsible for implementing and managing the security policy. This can be an existing manager. This designation is sometimes not practical at smaller companies, but regardless, one person, who has the authority to make executive decisions, needs to own and be accountable for your company’s security policy. Remember that your security policy must be officially adopted as company policy. It should be signed and recorded in the same way your company makes any major decision, including full senior management approval. Next, go through each policy and think about how it will be applied within the organization.

Make sure that the tools are in place to conform to the policy. For example, if the policy specifies that a certain network be monitored, make sure that monitoring capabilities exist on that network segment. If a policy specifies that visitors must agree to the Acceptable Use Policy before using the network, make sure that there is a process in place to provide visitors with the Acceptable Use Policy. In this phase, if you discover something impractical, create a plan to make appropriate changes to either the network or the policy. Understand that policies differ from processes and procedures.

You will need to carefully consider the necessary security processes and procedures after you have your policy finished. For example, the Backup Policy may detail the schedules for backups and off-site rotation of backup media, however it won’t say exactly how these tasks are to be accomplished. Additionally, certain procedures must be created to support the policies. For example, how should your users respond if they suspect a security incident? How will you notify your users if they are noncompliant with a specific policy? How will exemptions to the policy be requested and approved? Work with the necessary departments within your company (Legal, IT, HR etc.) to establish procedures to support your policies. User education is critical to a successful security policy implementation. A training session should be held to go over the policies that will impact users as well as provide basic information security awareness training.

Often, users create security issues because they simply don’t understand that what they are doing is risky or against the security policy. Users must be provided any user level policies, and must acknowledge in writing that they have read and will adhere to the policies. If possible, coordinate this with Human Resources so that the policies can be included with any other HR documents that require a user signature. No matter how well implemented, no policy will be 100% applicable for every scenario, and exceptions will need to be granted. Exceptions, however, must be granted only in writing and must be well documented. It should be made clear from the outset that the policy is the official company standard, and an exception will only be granted when there is an overwhelming business need.

After the security policy has been in place for some period, which can be anywhere from three months to a year, the company’s information security controls should be audited against the applicable policies. Make sure that each policy is being followed as intended and is still appropriate to the situation. If discrepancies are found or the policies are no longer applicable as written, they must be changed to fit your company’s current requirements. After the initial review process, you should regularly review the security policy to ensure that it still meets your company’s requirements. Create a process so that the policy is periodically reviewed by the appropriate persons. This should occur both at certain intervals (i.e. once per year), and when certain business changes occur (i.e. the company opens in a new location). This will ensure that the policy does not get “stale”, and will continue to be a useful management tool for years to come. When changes need to be made, be sure to: update the revision history section of the document to differentiate the new document from past versions; and distribute any modified user level policies to your users. Clearly communicate the policy changes to any affected parties.
Internal control is affected by people; it must be adopted through the organization and
is not simply a policy document that gets filed away.
An internal control can provide only reasonable assurance, not absolute assurance to
the management and board of a business. A control cannot ensure success.
COSO internal control components (figure): Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitor.
non-profit organization that leads the development of COBIT through committees consisting of experts from universities, governments and auditors across the globe. The COBIT framework is a series of manuals and implementation guidelines for creating a full IT governance, auditing and service delivery program for any organization.

COBIT is not a replacement but an augmentation to COSO, and maps directly to COSO from an IT perspective. Although COSO covers the whole enterprise from an accounting perspective, it does so by providing high level objectives that require the business to figure out how to accomplish them. COBIT, on the other hand, works with COSO by fully detailing the necessary controls required and how to measure and audit them. The built-in auditable nature of COBIT is why it has become one of the leading IT governance frameworks, as it gets as close as can be expected to a turnkey governance program. COBIT does not dig down into the actual tasks and procedures however, which necessitates using other sources to develop standards and procedures for implementing the controls. In other words, COBIT won’t tell you the best way to configure AES encryption for your wireless infrastructure, but it will provide you with a mechanism for identifying where and why you need to apply it based on risk.

The role of COBIT in IT governance is to provide a model that takes the guesswork out of how to bridge the gap between business and IT goals. COBIT considers business the customer of IT services. Business requirements (needs) ultimately drive the investment in IT resources, which in turn need processes that can deliver enterprise information back to the business. At the foundation of COBIT is the cyclical nature of business needing information and IT delivering information services.

Information is what IT provides to the business and COBIT defines the following seven control areas as business requirements for information:
Reliability of information: data correctly represents the state of the business and transactions.
Using COBIT requires customization to better align with the company implementing it. COBIT is not designed as a governance strategy in a box, but as a reference for building a process focused system, utilizing international standards and good practices. Companies still need to determine a risk management methodology and build out a technical infrastructure to automate the various COBIT processes identified. COBIT’s real value is in providing the management, measurement and organizational glue to tie these functions together.

IT auditors like to use COBIT mainly because it creates a well-documented set of processes and controls that can be assessed along with the metrics and requirements for each control. COBIT’s usefulness is also apparent when the organization under audit does not use COBIT as a governance framework because an auditor can build checklists and plan audits based on COBIT to ensure that all aspects of the IT process are performed. COBIT is also an invaluable resource when writing the audit report because it allows the auditor to justify and compare his findings to a well-respected standard.

ITIL

The Information Technology Infrastructure Library (ITIL) provides documentation of best practices for IT Service Management. ITIL was created in the late 1980s by Great Britain’s Office of Government Commerce to standardize Britain’s government agencies and to follow security best practices. A study was conducted and generated a significant amount of information (roughly 40 books) that became known as ITIL. The books were revised and consolidated in 2004 and became a series of eight books focused on IT services management. This version 2 of ITIL became popular among organizations
The Deming Cycle is simple yet powerful, and ISO 27001 applies it to security management
in the following manner:
Step 1. Plan: Establish the ISM according to the policies, processes and objectives of the
organization to manage risk.
Step 2. Do: Implement and operate the ISM.
Step 3. Check: Audit, assess and review the ISM against policies, objectives and
experiences.
Step 4. Act: Take action to correct deficiencies identified for continuous improvement.
ISO 27001 provides guidance for setting up an ISMS and an excellent checklist for assessing compliance with the standard by specifying what controls need to be in place. An organization can be certified through an approved assessment and registration organization as being in compliance with 27001. There are over 3,000 companies certified against ISO 27001. Many companies choose certification as a mechanism to “prove” their competence in building an information security program, but also because certification provides proof for SOX and other legal compliance frameworks that the company has met the requirements of those laws. The other benefit of ISO 27001 is its global acceptance as an accepted standard that is required for conducting business with some companies, which can provide a unique business opportunity for a company that goes down the path of certification.

The second ISO standard is ISO 27002:2005 Security Techniques Code of Practice, which consists of international best practices for securing systems. This standard provides best practice information about everything from Human Resources security needs to physical security and it represents the detailed implementation requirements for ISO 27001.

ISO 27002 is full of good high level information that can be used as a source document for any generalized audit or assessment. It consists of security controls across all forms of data communication, including electronic, paper and voice (notes tied to pigeons are not included).
The ISO standards define a solid benchmark for assessing a company’s information security practices, but as with most high level control documents, it doesn’t give the auditor details about security architecture or implementation guidance. 27002 is a great internationally recognized standard to refer back to for control requirements in an audit report or findings document, and makes excellent source material for an auditor’s checklist.

NIST

The National Institute of Standards and Technology (NIST) is a federal agency of the United States government, tasked with helping commerce in the U.S. by providing weights and measurements, materials references and technology standards. If you have configured your computer to use an atomic clock source from the internet to synchronize time to, then you have used a NIST service. NIST also provides reference samples of over 1,300 items, including cesium 137, peanut butter and oysters. The division within NIST most interesting from an information security standpoint is the Computer Security Resource Centre (CSRC), which is the division tasked with creating information security standards.

The CSRC is currently directed by the United States Congress to create standards for information security in response to laws such as the Information Technology Reform Act of 1996, the Federal Information Security Management Act of 2002 (FISMA) and HIPAA. Although FISMA is a federal law and not enforceable in the private sector, private companies can reap the benefits of the many excellent documents NIST has created for FISMA compliance.

Federal Information Processing Standards Publications (FIPS) standards are a series of standards that government agencies must follow by law according to FISMA. FIPS standards include encryption standards, information categorization and other requirements. FIPS also mandates standards for technology through a certification program. Hardware and software involved in encrypting data via AES, for example, must be FIPS 140-2 (level 2) compliant to be used by the federal government.

The NIST Special Publications (800 series documents) are a treasure trove of good information for auditors, systems administrators and security practitioners of any size company. These documents give guidance and provide specific recommendations about how to address a wide range of security requirements. These documents are created by academic researchers, security consultants and government scientists. They are reviewed by the security community through a draft process that allows anyone to provide comments and feedback on the documents before they are made standards. The documents are also revised on a regular basis as new technologies become adopted.

The table below provides a list of some of the most widely used NIST 800 series documents. This list is not exhaustive, and there are new documents added all of the time, so check the NIST website on a regular basis for updates and new drafts.
The Cyber Security Research and Development Act of 2002 requires that NIST develop checklists to help minimize the security risks of hardware and software used by the federal government. These checklists show detailed configurations of many hardware and software platforms including Cisco. SP 800-70 outlines the format, goals, and objectives of the checklists and how to submit a checklist if you build one that you would like to share. NIST provides these checklists in Security Content Automation Protocol (SCAP) format, and they can be loaded into a SCAP validated scanner for automated auditing. There are a number of scanning vendors that support SCAP such as Qualys and Tenable (Nessus Scanner). For a complete list of scanning vendors and downloadable checklists, visit http://checklists.nist.gov.

Centre for Internet Security

The Centre for Internet Security (CIS) is a not-for-profit group dedicated to creating security best practices and configuration guidance for companies to help reduce the risk of inadequately securing corporate systems. CIS provides peer-reviewed configuration guides and templates that administrators and auditors can follow when securing or testing the security of a target system. These guides are well written and provide a sufficient level of detail down to the actual configuration level to use as a checklist while also explaining why the particular configuration option needs to be implemented.

CIS refers to its best practice documents as benchmarks and has two categories:
Level 1 benchmarks consist of the minimum level of security that needs to be configured that any skilled administrator can implement.
Level 2 benchmarks focus on particular applications of security based on the type of system or manner in which the system is used. Proper security depends on understanding risk, which determines at what level you need to protect an asset. Laptops, for example, have a different risk profile than servers, which are explored in the Level 2 benchmark section in detail.

The CIS benchmarks are often used for configuration level auditing of technology for proper implementation of security features and good defensive practices. Many compliance laws dictate high level controls, but never go into the details of how to actually perform the tasks necessary. These benchmarks developed
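As an added example, not taken from the handbook nor from any CIS benchmark or NIST SCAP checklist, the following Python script shows the configuration-level auditing described above in miniature: a small set of constructed Level 1 and Level 2 rules, each carrying its rationale, is evaluated against a constructed sshd_config-style file and each setting is reported as pass or fail. The rule identifiers, thresholds and sample configuration are illustrative assumptions, not real benchmark content.

```python
"""Benchmark-style configuration audit (added example).

Not from the handbook and not an actual CIS benchmark or SCAP checklist:
rule identifiers, thresholds and the sample configuration are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sshd_config-style sample; not taken from any real host.
SAMPLE_CONFIG = """\
# constructed sample configuration
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
ClientAliveInterval 300
"""

def parse_config(text: str) -> Dict[str, str]:
    """Map lower-cased keywords to values from 'Key value' lines; comments
    and blanks are skipped and, as in sshd_config, the first occurrence of
    a repeated keyword wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank line or keyword without a value
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

@dataclass(frozen=True)
class Rule:
    rule_id: str                            # constructed id, not a CIS number
    level: int                              # 1 = baseline, 2 = role-specific
    key: str                                # lower-cased keyword
    check: Callable[[Optional[str]], bool]  # gets lower-cased value or None
    rationale: str                          # why the setting matters

def at_most(limit: int) -> Callable[[Optional[str]], bool]:
    """Numeric value must be present and lie within 1..limit."""
    return lambda v: v is not None and v.isdigit() and 0 < int(v) <= limit

RULES: List[Rule] = [
    Rule("L1-01", 1, "permitrootlogin", lambda v: v == "no",
         "direct root logins hide who acted and invite brute forcing"),
    Rule("L1-02", 1, "x11forwarding", lambda v: v == "no",
         "X11 forwarding exposes client displays to the server"),
    Rule("L1-03", 1, "maxauthtries", at_most(4),
         "limits password guesses per connection"),
    Rule("L1-04", 1, "loglevel", lambda v: v in ("info", "verbose"),
         "logins must be logged for audit and incident response"),
    Rule("L2-01", 2, "passwordauthentication", lambda v: v == "no",
         "exposed servers should accept key-based authentication only"),
    Rule("L2-02", 2, "clientaliveinterval", at_most(300),
         "idle sessions should time out"),
]

@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: int
    key: str
    observed: Optional[str]  # None when the keyword is absent from the file
    passed: bool
    rationale: str

def audit(config_text: str, level: int) -> List[Finding]:
    """Evaluate every rule at or below `level` (Level 2 includes Level 1).
    An absent keyword reaches the check as None, so a rule that needs an
    explicit value fails instead of silently trusting the daemon default."""
    settings = parse_config(config_text)
    findings: List[Finding] = []
    for rule in RULES:
        if rule.level > level:
            continue
        observed = settings.get(rule.key)
        value = observed.lower() if observed is not None else None
        findings.append(Finding(rule.rule_id, rule.level, rule.key, observed,
                                rule.check(value), rule.rationale))
    return findings

def report(findings: List[Finding]) -> str:
    """One line per check; failures carry the benchmark's rationale."""
    lines = []
    for f in findings:
        shown = f.observed if f.observed is not None else "(not set, default applies)"
        status = "PASS" if f.passed else "FAIL"
        line = f"[{status}] {f.rule_id} (Level {f.level}) {f.key}={shown}"
        lines.append(line if f.passed else f"{line} -- {f.rationale}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(audit(SAMPLE_CONFIG, level=2)))
```

Running it at Level 1 flags the root login, the MaxAuthTries value and the unset LogLevel; Level 2 adds the server-specific checks on top of the same baseline.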
Applications
Database servers
Operating systems
Routers
Supporting documents

SANS

The SANS (SysAdmin, Audit, Network, Security) Institute is by far one of the best sources of free security information available on the Internet today.
SANS Top 20: SANS Top 20 is a list of the top 20 vulnerabilities in operating systems and applications that hackers attack. This information is updated yearly by a large panel of security experts, and it provides auditors and security practitioners with a good list of high-risk areas they need to ensure are addressed. Although this list is good, it doesn’t cover the latest threats, so it should not be used as a checklist, but rather as a tool to focus your efforts.

SANS security policy samples: If you are looking for sample security policies, this resource is a goldmine. All of the policies represented are free for use, and in some cases, you can simply insert the business’s name. These policy templates cover a wide range of security functional areas and are added to on a regular basis. It is important to note that security policies are serious documents and require that legal departments and HR departments be involved in their adoption.
Internet Storm Center: The Internet Storm Center is a group of volunteer incident
handlers who analyze suspicious Internet traffic from across the globe. They look at
packet traces to determine if a new virus, worm, or other attack vectors have popped
up in the wild. The ISC also compiles attack trend data and the most frequently attacked
ports. Incident handlers are always “on duty,” and you can read their notes as they go
about analyzing attacks.
SCORE: SCORE is a joint project with the CIS to create minimum standards of
configuration for security devices connected to the Internet. These checklists are
available for free and provide sound guidance about necessary technical controls.
Intrusion Detection FAQ: The Intrusion Detection FAQ is a fantastic resource for better
understanding how to identify an attack on your network. FAQs cover the basics of
intrusion detection, details about tools to use, and a detailed analysis of sample attacks.
The SANS website should be considered mandatory reading for auditors who want to better
understand the tools and techniques attackers use to break into systems. Having all of this
knowledge in a single place is useful as auditors tailor their checklists and audit criteria to
address current events and attacks.
Auditing G: This section provides information on how to conduct audits while following
the standards of IS auditing.
Auditing procedures: This section provides details on how to audit various types of
systems and processes, providing a sample approach to testing controls such as
firewalls and intrusion detection systems.
The IT Assurance Guide to using COBIT is another excellent resource for how to conduct
an audit using COBIT as the governance framework. Regardless of whether or not the
company being audited uses COBIT, the guide describes how to leverage the controls
identified by COBIT and apply those to the audit process. This enables an auditor to
follow a well-documented framework to ensure that no major areas are missed.
security evaluation and specifies the general model of evaluation given by various parts of ISO/IEC 15408, which in its entirety is meant to be used as the basis for evaluation of security properties of IT products.

It provides an overview of all parts of ISO/IEC 15408, describes the various parts of ISO/IEC 15408, defines the terms and abbreviations to be used in all parts of ISO/IEC 15408, establishes the core concept of a Target of Evaluation (TOE) and the evaluation context, and describes the audience to which the evaluation criteria are addressed. An introduction to the basic security concepts necessary for evaluation of IT products is given.

It defines the various operations by which the functional and assurance components given in ISO/IEC 15408-2 and ISO/IEC 15408-3 may be tailored through the use of permitted operations. The key concepts of protection profiles (PP), packages of security requirements and the topic of conformance are specified and the consequences of evaluation and evaluation results are described. ISO/IEC 15408-1:2009 gives guidelines for the specification of Security Targets (ST) and provides a description of the organization of components throughout the model.

ISO/IEC 13335 (IT Security Management)

ISO/IEC 13335-1:2004 presents the concepts and models fundamental to a basic understanding of ICT security, and addresses the general management issues that are essential to the successful planning, implementation and operation of ICT security. Part 2 of ISO/IEC 13335 (currently 2nd WD) provides operational guidance on ICT security. Together, these parts can be used to help identify and manage all aspects of ICT security.

ISO 13335 is focused on Information and Communication Technologies, also called ICT. ISO standard 13335 was created to help businesses improve their information and communication security. There is currently only one part of the ISO 13335 standard, ISO 13335-1. ISO standard 13335 is designed to create an IT management framework, including information security policies, internal controls, company approved practices and configuration management of hardware and software components. No one changes information and communication technologies without formal review and approval after thorough testing has been completed. In addition, ISO 13335 was created in an effort to improve business continuity, the continuation of business operations in case of a massive technical failure, natural disaster or hack attack.

ISO 13335-1

The ICT standard ISO 13335-1 originated as a technical report on information security before it became a separate ISO standard. ISO 13335-1 is focused on technical security controls over administrative procedures and internal corporate rules. ISO standard 13335-1 is now the entire ISO 13335 standard with the other sections either consolidated into ISO 13335-1 or made into their own standards. Network security controls like firewalls can block traffic from selected IP addresses or prevent users from accessing specific websites. Built-in data archiving modules attached to routers or network connections automatically save all email messages, creating an instant record of communications available if the main email server goes down or if messages are deleted by unauthorized parties.

ISO 13335-2

ISO 13335-2 originally contained the ISO’s guidance on ICT security. The 1990s version of the standard was broken up into ISO 13335-1 and 13335-2. The ICT security recommendations in ISO 13335-2 were incorporated into ISO 13335-1 in the 2004 update of the standard.

ISO 13335-3

ISO 13335-3 was originally the guidelines for managing IT security. ISO standard 13335-3 has been replaced by ISO 27005. In essence, what was ISO 13335-3 is now part of ISO 27005.

ISO 13335-4

ISO 13335-4 outlined the ISO recommended practices of selecting technical security controls or IT safeguards. ISO 13335-5 has also been replaced with ISO 27005.

ISO 13335-5

ISO 13335-5 was originally a set of guidelines on network security. ISO 13335-5 was replaced with ISO 18028-1 in 2006. ISO 18028-1 has since been revised by ISO 27033-1, released in 2009.

ISO 27005

ISO 27005 replaced several sections of the original ISO 13335 standard. ISO 27005 describes how organizations define their context, the areas for which they are responsible. Risks are identified and the estimation of the severity of the risk are set during risk analysis. During risk treatment, the organization decides whether to accept the risk, mitigate its effects or work to prevent the risk from occurring. During risk monitoring, the group monitors the risks to the network. Some risks may disappear as more security hardware is installed while others may grow due to user complacency or evolving security threats. For example, the risk that a server’s compromise would shut down a business is reduced when a backup server off site is created with hot backups of the organization’s data. If the main server is compromised and is removed from the network to prevent hackers from using it to access other areas, the business simply switches over to the remote backup server and keeps going.

ISO Standard 24762 for Technical Disaster Recovery

ISO/IEC 24762:2008 provides guidelines on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management, applicable to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services. ISO/IEC 24762:2008 specifies:
the requirements for implementing, operating, monitoring and maintaining ICT DR services and facilities
the capabilities which outsourced ICT DR service providers should possess and the practices they should follow so as to provide basic secure operating
IEEE Std 1363.2-2008 IEEE Standard Specification for Password-Based Public Key
Cryptographic Techniques
o asset management
o human resources security
o physical and environmental security
o communications and operations management
o access control
o information systems acquisition, development and maintenance
o information security incident management
o business continuity management
o compliance
The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices and to help build confidence in inter-organizational activities.
The standard has ten domains, which address key areas of Information Security Management.
1. Information security policy for the organization
This activity involves a thorough understanding of the organization’s business goals and its dependence on information security. This entire exercise begins with creation of the IT security policy. This is an extremely important task and should convey total commitment of top management. The policy cannot be a theoretical exercise. It should reflect the needs of the actual users. It should be implementable, easy to understand and must balance the level of protection with productivity. The policy should cover all the important areas like personnel, physical, procedural and technical.
2. Creation of information security infrastructure
A management framework needs to be established to initiate, implement and control information security within the organization. This needs proper procedures for approval of the information security policy, assignment of the security roles and coordination of security across the organization.
3. Asset classification and control
One of the most laborious but essential tasks is to manage the inventory of all the IT assets, which could be information assets, software assets, physical assets or other similar services. These information assets need to be classified to indicate the degree of protection. The classification should result in appropriate information labelling to indicate whether the asset is sensitive or critical and which procedures are appropriate for copying, storing, transmitting or destroying the information asset.
4. Personnel security
Human errors, negligence and greed are responsible for most thefts, frauds or misuse of facilities. Various proactive measures that should be taken are: creation of personnel screening policies, confidentiality agreements, terms and conditions of employment and information security education and training. Alert and well-trained employees who are aware of what to look for can prevent future security breaches.
5. Physical and environmental security
Designing a secure physical environment to prevent unauthorized access, damage and interference to business premises and information is usually the beginning point of any security plan. Some of the activities involved are creating a physical security perimeter and entry controls; securing offices, rooms and facilities; providing physical access controls and protection devices to minimize risks ranging from fire to electromagnetic radiation; and providing adequate protection to power supplies and data cables. Cost-effective design and constant monitoring are two key aspects of maintaining adequate physical security control.
6. Communications and operations management
Properly documented procedures for the management and operation of all information processing facilities should be established. This includes detailed operating instructions and incident response procedures.
Network management requires a range of controls to achieve and maintain security in computer networks. This also includes establishing procedures for remote equipment including equipment in user areas. Special controls should be established to safeguard the confidentiality and integrity of data passing over public networks. Special controls may also be required to maintain the availability of the network services.
could cause interruptions to business processes and, depending on the risk assessment, preparation of a strategy plan. The plan needs to be periodically tested, maintained and re-assessed based on changing circumstances.
10. Compliance
It is essential that strict adherence is observed to the provisions of national and international IT laws pertaining to Intellectual Property Rights (IPR), software copyrights, safeguarding of organizational records, data protection and privacy of personal information, prevention of misuse of information processing facilities, regulation of cryptographic controls and collection of evidence.
Information Technology’s use in business has also resulted in the enacting of laws that enforce responsibility for compliance. All legal requirements must be complied with to avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.
BS 7799 (ISO 17799) and its relevance to Indian Companies:
Although Indian companies and the Government have invested in IT, the facts of theft and attacks on Indian sites and companies are alarming. Attacks and thefts that happen on corporate websites are high in number and are usually kept under "strict" secrecy to avoid embarrassment before business partners, investors, media and customers. Huge losses are sometimes un-audited, and the only solution is to involve a model where one can see a long-run, business-led approach to Information Security Management.
BS 7799 (ISO 17799) consists of 127 best security practices (covering the 10 Domains discussed above) which Indian companies can adopt to build their Security Infrastructure. Even if a company decides not to go in for the certification, the BS 7799 (ISO 17799) model helps companies maintain IT security through ongoing, integrated management of policies and procedures, personnel training, selecting and implementing effective controls, reviewing their effectiveness and improvement. Additional benefits of an ISMS are improved customer confidence, a competitive edge, better personnel motivation and involvement, and reduced incident impact. Ultimately, this leads to increased profitability.
Security Standards Organizations
Internet Corporation for Assigned Names and Numbers (ICANN)
ICANN’s role is to oversee the huge and complex interconnected network of unique identifiers that allow computers on the Internet to find one another.
To reach another person on the Internet you have to type an address into your computer - a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn't have one global Internet.
Vision
W3C's vision for the Web involves participation, sharing knowledge, and thereby building
trust on a global scale.
Broad laws:
Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule; Federal
Rules of Civil Procedure (FRCP)
Industry specific laws:
Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records;
The Health Information Technology for Economic and Clinical Health Act (HITECH);
Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule);
H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation
UNIT V
Information Security Management – Roles
and Responsibilities
Lesson Plan
Suggested Learning Activities
Training Resource Material
5.1. Information and Data Security Team Structure
5.2. Security Incident Response Team
LESSON PLAN
You need to know and understand:
KA3. limits of your role and responsibilities and who to seek guidance from
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KA11. who to involve when managing information security
Suggested learning activities: KA1. Going through various organizations’ websites and understanding their policies and guidelines (Research). KA2, KA3. Understand, summarize and articulate.
Duration: 2 hrs
Training resource material: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated)
Research various job titles and roles within the data security sub-sector. Meet industry
representatives and compile a list of functions, qualification and experience requirements
for each role. Present the same in class in groups.
Activity 2:
Divide the students into various teams and ask them to research through industry
interactions various teams in place in organisations, from different sectors, assigned to
information security. Compare the variances between different types of companies and
encourage students to debate and deliberate on various aspects of these including
composition, liaising with different departments inside the organisation, interactions with
other organisations, their functions, etc.
Board of Directors
The Board of Directors is responsible for protecting the interests of the shareholders of the
corporation. This duty of care (fiduciary responsibility) requires that it understand the risk
to the business and its data. The Board of Directors is responsible for approving the
appropriate resources necessary to safeguard data. It also needs to be kept aware of how
the security program is performing.
CIO/CISO
The CIO/CISO is responsible for aligning the information security program strategy and
vision to business requirements. The CIO/CISO ensures that the correct resources are in
place to adhere to the policies and procedures set forth by the steering committee. This
role generally reports to the CEO and Board of Directors and reports how the organization
is performing relative to the company’s goals and similar organizations in the same industry.
Security Director
The security director’s role is to coordinate the efforts for securing corporate assets. The
responsibilities include reporting on the progress of initiatives to executive management
and building the teams and resources to address the various tasks necessary for information
security. This role also acts as a liaison to other aspects of the business to articulate security
requirements throughout the company. The security director manages the teams in
developing corporate data security policies, standards, procedures, and guidelines.
Security Analyst
A security analyst builds the policies, analyses risk, and identifies new threats to the
business. Business continuity and disaster recovery planning are important functions
performed by the analyst to prepare the company for the unexpected. The analyst is also
responsible for creating reports about the performance of the organization’s security
systems.
Security Architect
A security architect defines the procedures, guidelines, and standards used by the company.
Architects help to select the controls used to protect the company’s data and they make
sure that the controls are sufficient for addressing the risk and complying with policy. This
role is also responsible for testing security products and making recommendations about
what will best serve the needs of the company.
Security Engineer
A security engineer implements the controls selected by the security architect. Security
engineers are responsible for the maintenance of firewalls, IPS, and other tools. This
includes upgrades, testing, patching, and overall maintenance of the security systems. This
role might also be responsible for testing the functionality of equipment to make sure that
it operates as expected.
Systems Administrator
A systems administrator is responsible for monitoring and maintaining the servers, printers,
and workstations a company uses. In addition, administrators add and/or remove user
accounts as necessary, control access to shared resources, and maintain company-wide
antivirus software.
Database Administrator
The Database Administrator (DBA) has an important job in most companies. The DBA is
responsible for designing and maintaining corporate databases and also securing access to
the data to ensure its integrity. The ramifications of lax security in this role can be severe,
especially considering the reporting requirements mandated by SOX.
IS Auditor
End User
End users have a critical role in security governance that is often overlooked. They must be
aware of the impact their actions can have on the security of the company and be able to
safeguard confidential information. They are responsible for complying with policies and
procedures and following safe computing practices, such as not opening attachments
without antimalware software running or loading unauthorized software. A solid user
security awareness program can help promote safe computing habits.
Organization chart (figure; recovered labels): 1. Board of Directors; 2. CEO; 3. CIO/CISO; 5. Security Analyst; 8. System Administrator; 9. Database Administrator; 10. IS Auditor; 11. End User.
UNIT VI
Information Security Performance
Metrics
Lesson Plan
Suggested Learning Activities
Training Resource Material
6.1. Introduction – Security Metrics
6.2. Types of Security Metrics
6.3. Using Security Metrics
6.4. Developing the Metrics Process
6.5. Metrics and Reporting
6.6. Designing Information Security Measuring Systems
LESSON PLAN
You need to know and understand:
KA1. your organization’s policies, procedures, standards and guidelines for managing information security
KA2. your organization’s knowledge base and how to access and update this
KA10. how to access and analyze information security performance metrics
KA11. who to involve when managing information security
KA12. your organization’s information security systems and tools and how to access and maintain these
KA13. standard tools and templates available and how to use these
KB3. common issues and variances of performance metrics that require action and who to report these to
Suggested learning activities: KA1. QA session and a descriptive write-up on understanding. KA2. Group presentation and peer evaluation along with Faculty. KA10, KA11. Team work (IM and chat applications) and group activities (online forums) including templates to be prepared. KA12. Project charter, Architecture (charts), Project plan, Poster presentation and execution plan. KA13. Creation of templates based on the learnings.
Duration: 12 hrs
Training resource material: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Networking Equipment - Routers & Switches, Firewalls and Access Points; Access to all security sites like ISO, PCI DSS; Commercial Tools like HP Web Inspect and IBM AppScan etc.; Open Source tools like sqlmap, Nessus etc.
Activity 1:
Ask the class to make teams and gather as much information from industry and research
the various information security performance metrics they use in their organisations.
Encourage students to discuss the various challenges in identifying, monitoring and
inferencing performance through these metrics.
Activity 2:
Ask students to develop performance metrics for various aspects of their own academic
and non-academic behaviours and track these over a period of a week. Let them draw out
various inferences from this monitoring. Let them present at the end of the week the
object of their study, the metric they chose, and the challenges in implementing these
metrics and their process of inferencing. Encourage the class to debate the inferences and
their validity.
Activity 3:
Ask the students to research the various information security companies offering products
and services for tracking and instituting performance metrics systems in organisations. Ask
students to compare services, present features, benefits and limitations of the same.
An annual, highly-confidential Information Security Report for the CEO, the Board and
other senior management (including Internal Audit). This report might include
commentary on the success or otherwise of specific security investments. A forward-
looking section can help to set the scene for planned future investments, and is a good
opportunity to point out the ever changing legal and regulatory environment and the
corresponding personal liabilities on senior managers.
Quarterly status reports to the most senior body directly responsible for information
security, physical security, risk and/or governance. Traffic light status reports are
common and KPIs may be required, but the Information Security Manager’s
commentary (supplemented or endorsed by that of the CTO/CIO) is a good value add.
Monthly reports to the CTO/CIO, listing projects participated in and security incidents,
along with their monetary value (the financial impacts do not need to be precisely
accurate, they are used to indicate the scale of losses).
UNIT VII
Risk Assessment
Lesson Plan
Suggested Learning Activities
Training Resource Material
7.1. Risk Overview
7.2. Risk Identification
7.3. Risk Analysis
7.4. Risk Treatment
7.5. Risk Management Feedback Loops
7.6. Risk Monitoring
LESSON PLAN
The students should be encouraged to research various risks for their institute in the area of
information security. They should prepare a process report highlighting their approach
towards identifying risk, recording, monitoring, analysing and treating risk. The approach
should be shared with the faculty and the report should be submitted for evaluation. The
student or group which addresses a risk effectively especially instigating a real change in
practices, policy, etc. should be recognised and applauded by the faculty.
Risk identification is the process of determining risks that could potentially prevent the program, enterprise, or investment from achieving its objectives. It includes documenting and communicating the concern. The objective of risk identification is the early and continuous identification of events that, if they occur, will have negative impacts on the project's ability to achieve performance or capability outcome goals. They may come from within the project or from external sources.
There are multiple types of risk assessments, including program risk assessments, risk assessments to support an investment decision, analysis of alternatives, and assessments of operational or cost uncertainty. Risk identification needs to match the type of assessment required to support risk-informed decision making. For an acquisition program, the first step is to identify the program goals and objectives, thus fostering a common understanding across the team of what is needed for program success. This gives context and bounds the scope by which risks are identified and assessed.
There are multiple sources of risk. For risk identification, the project team should review the program scope, cost estimates, schedule (to include evaluation of the critical path), technical maturity, key performance parameters, performance challenges, stakeholder expectations vs. current plan, external and internal dependencies, implementation challenges, integration, interoperability, supportability, supply-chain vulnerabilities, ability to handle threats, cost deviations, test event expectations, safety, security, and more. In addition, historical data from similar projects, stakeholder interviews, and risk lists provide valuable insight into areas for consideration of risk.
Risk identification is an iterative process. As the program progresses, more information will be gained about the program (e.g., specific design), and the risk statement will be adjusted to reflect the current understanding. New risks will be identified as the project progresses through the life cycle.
The next step in the risk assessment program, Risk Analysis, requires an entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected information held by the entity. In other words, Risk analysis, which is a tool for risk management, is a method of identifying vulnerabilities and threats, and assessing the possible damage to determine where to implement security safeguards.
Gather data.
The organization shares its risk with third parties through insurance and/or service providers. Insurance is a post-event compensatory mechanism used to reduce the burden of loss if the event were to occur. Transference is the shifting of risk from one party to another. For example, when hard-copy documents are moved offsite for storage at a secure-storage vendor location, the responsibility and costs associated with protecting the data transfer to the service provider. The cost of storage may include compensation (insurance) if documents are damaged, lost, or stolen.
The practice of eliminating the risk by withdrawing from or not becoming involved in the activity that allows the risk to be realized. For example, an organization decides to discontinue a business process in order to avoid a situation that exposes the organization to risk.
Risk acceptance
An organization decides to accept a particular risk because it falls within its risk-tolerance parameters and therefore agrees to accept the cost when it occurs. Risk acceptance is a viable strategy where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are accepted by default.
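The analyse, treat and monitor cycle described in the ISO 27005 paragraph earlier and the treatment options listed here, worked through as an added example that is not code from the handbook or from ISO 27005: a small risk register that picks accept, mitigate or transfer by the rules the text gives, then re-assesses a risk after a control is installed. The annualised expected-loss model, the tolerance figure and every risk value are assumptions constructed for the illustration.

```python
"""Risk register with treatment selection and re-assessment.

Constructed illustration of the analyse -> treat -> monitor loop described in
the text; the figures are sample data and the annualised expected-loss model
(likelihood per year x loss per occurrence) is an assumption, not a formula
taken from the handbook or from ISO 27005.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # expected occurrences per year (assumed model)
    impact: float       # loss per occurrence, in currency units

    def expected_annual_loss(self) -> float:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Treatment:
    kind: str             # "mitigate", "transfer" or "avoid"
    annual_cost: float    # control cost, insurance premium or revenue given up
    residual_loss: float  # expected annual loss that remains after treatment

    def total_cost(self) -> float:
        return self.annual_cost + self.residual_loss


def choose_treatment(risk: Risk, options: List[Treatment], tolerance: float) -> str:
    """Select a treatment following the rules in the text.

    A risk within the organisation's tolerance is accepted. Otherwise the
    option with the lowest yearly cost (its own cost plus the loss it leaves
    behind) is taken, but only if it is cheaper over time than the losses it
    prevents; when no option is, the risk is accepted by default.
    """
    loss = risk.expected_annual_loss()
    if loss <= tolerance:
        return "accept"
    best: Optional[Treatment] = min(options, key=Treatment.total_cost, default=None)
    if best is None or best.total_cost() >= loss:
        return "accept"
    return best.kind


def reassess(risk: Risk, likelihood: Optional[float] = None,
             impact: Optional[float] = None) -> Risk:
    """Risk monitoring step: re-estimate a risk after a control is installed
    or a threat evolves, returning a new record and keeping the old one."""
    return replace(
        risk,
        likelihood=risk.likelihood if likelihood is None else likelihood,
        impact=risk.impact if impact is None else impact,
    )


# Constructed sample register (all values are made up for the illustration).
TOLERANCE = 5_000.0
SERVER = Risk("main server compromised and pulled from the network", 0.5, 200_000)
HOT_BACKUP = Treatment("mitigate", annual_cost=30_000, residual_loss=0.5 * 10_000)
RECORDS = Risk("hard-copy records lost or damaged", 0.2, 50_000)
STORAGE_VENDOR = Treatment("transfer", annual_cost=8_000, residual_loss=1_000)
FLOOD = Risk("server room flooded", 0.01, 1_000_000)
FLOOD_COVER = Treatment("transfer", annual_cost=12_000, residual_loss=0)


def demo() -> dict:
    """Run the register through one analyse -> treat -> monitor cycle."""
    decisions = {
        SERVER.name: choose_treatment(SERVER, [HOT_BACKUP], TOLERANCE),
        RECORDS.name: choose_treatment(RECORDS, [STORAGE_VENDOR], TOLERANCE),
        # Premium exceeds the expected loss, so the text's rule says accept.
        FLOOD.name: choose_treatment(FLOOD, [FLOOD_COVER], TOLERANCE),
    }
    # Monitoring: with the off-site hot backup in place, a compromise of the
    # main server no longer stops the business, so its impact is re-estimated.
    after_backup = reassess(SERVER, impact=10_000)
    decisions["server after hot backup"] = choose_treatment(after_backup, [], TOLERANCE)
    return decisions


if __name__ == "__main__":
    for risk_name, decision in demo().items():
        print(f"{risk_name}: {decision}")
```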
verify that planned risk response measures are implemented and information security requirements derived from/traceable to organizational mission/business functions, federal legislation, directives, regulations, policies, and standards, and guidelines, are satisfied;
determine the ongoing effectiveness of risk response measures following implementation; and
identify risk-impacting changes to organizational information systems and the environments in which the systems operate.
To support the risk monitoring component, organizations describe how compliance is verified and how the ongoing effectiveness of risk responses is determined (e.g., the types of tools, techniques, and methodologies used to determine the sufficiency/correctness of risk responses and if risk mitigation measures are implemented correctly, operating as intended, and producing the desired effect with regard to reducing risk). In addition, organizations describe how changes that may impact the ongoing effectiveness of risk responses are monitored.
verify compliance;
determine the ongoing effectiveness of risk response measures; and
identify risk-impacting changes to organizational information systems and environments of
operation.
UNIT VIII
Configuration review
Lesson Plan
Suggested Learning Activities
Training Resource Material
8.1. Configuration Management
8.2. Organisational SecCM Policy
8.3. Identify CM Tools
8.4. Implementing Secure Configurations
8.5. Unauthorised Access to Configuration Stores
LESSON PLAN
You must know and understand:
KA6. how to carry out information security assessments
KA7. how to carry out configuration reviews
KA9. different types of automation tools and how to use these
Suggested learning activities: KA6, KA7. Performance evaluation from Faculty and Industry with reward points. KA9. QA session and a descriptive write-up on understanding.
Duration: 4 hrs
Training resource material: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security
Activity 1:
The students should be divided into groups and asked to research configuration
management tools available in the industry. They should compare and categorise these
tools based on their features, area of strengths and limitations. These should be presented
in class for shared understanding.
Activity 2:
Create a group project by interacting with companies that offer CM tools and prepare a
sequential process map of how the tool functions in order to carry out its functions.
Present the same in class, highlighting the functionality and dependencies of the tools.
granularity will vary among organizations and systems and is balanced against the associated management overhead for each CI. In one organization, it may be appropriate to create a single CI to track all of the laptops within a system, while in another organization, each laptop may represent an individual CI.
Baseline configuration
A baseline configuration is a set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
Security-focused configuration management of information systems involves a set of activities that can be organized into four major phases – Planning, Identifying and Implementing Configurations, Controlling Configuration Changes, and Monitoring.
Planning - Planning includes developing policy and procedures to incorporate SecCM into existing information technology and security programs, and then disseminating the policy throughout the organization.
Identifying and implementing configurations - After the planning and preparation activities are completed, a secure baseline configuration for the information system is developed, reviewed, approved, and implemented. The approved baseline configuration for an information system and associated components represents the most secure state consistent with operational requirements and constraints. For a typical information system, the secure baseline may address configuration settings, software loads, patch levels, how the information system is physically or logically arranged, how various security controls are implemented, and documentation. Where possible, automation is used to enable interoperability of tools and uniformity of baseline configurations across the information system.
Controlling configuration changes - Given the continually evolving nature of an information system and the mission it supports, the challenge for organizations is not only to establish an initial baseline configuration that represents a secure state (which is also cost-effective, functional, and supportive of mission and business processes), but also to maintain a secure configuration in the face of the significant waves of change that ripple through organizations.
Monitoring
Monitoring activities are used as the mechanism within SecCM to validate that the information system is adhering to organizational policies, procedures, and the approved secure baseline configuration. Monitoring identifies undiscovered/undocumented system components, misconfigurations, vulnerabilities, and unauthorized changes, all of which, if not addressed, can expose organizations to increased risk. Using automated tools helps organizations to efficiently identify when the information system is not consistent with the approved baseline configuration and when remediation actions are necessary. In addition, the use of automated tools often facilitates situational awareness and the documentation of deviations from the baseline configuration.
1) Prioritize Configurations
2) Test Configurations
3) Resolve Issues and Document Deviations
4) Record and Approve the Baseline Configuration
5) Deploy the Baseline Configuration
...which the same product is deployed within an information technology environment. For example, if an organization uses a specific operating system on 95 percent of its workstations, it may obtain the most immediate value by planning and deploying secure configurations for that operating system. Other IT products or CIs can be targeted afterwards.

ii. Test Configurations

Organizations fully test secure configurations prior to implementation in the production environment. There are a number of issues that may be encountered when implementing configurations including software compatibility and hardware device driver issues. For example, there may be legacy applications with special operating requirements that do not function correctly after a common secure configuration has been applied. Additionally, configuration errors could occur if OS and multiple application configurations are applied to the same component. For example, a setting for an application configuration parameter may conflict with a similar setting for an OS configuration parameter.

Virtual environments are recommended for testing secure configurations as they allow organizations to examine the functional impact on applications without having to configure actual machines.

iii. Resolve Issues and Document Deviations

Testing secure configuration implementations may introduce functional problems within the system or applications. For example, the new secure configuration may close a port or stop a service that is needed for OS or application functionality. These problems are examined individually and either resolved or documented as a deviation from, or exception to, the established common secure configurations.

In some cases, changing one configuration setting may require changes to another setting, another CI, or another information system. For instance, a common secure configuration may specify strengthened password requirements which may require a change to existing single sign-on applications. Or there may be a requirement that the OS-provided firewall be enabled by default. To ensure that applications function as expected, the firewall policy may need to be revised to allow specific ports, services, IP addresses, etc. When conflicts between applications and secure configurations cannot be resolved, deviations are documented and approved through the configuration change control process as appropriate.

iv. Record and Approve the Baseline Configuration

The established and tested secure configuration, including any necessary deviations, represents the preliminary baseline configuration and is recorded in order to support configuration change control/security impact analysis, incident resolution, problem solving, and monitoring activities. Once recorded, the preliminary baseline configuration is approved in accordance with organizationally defined policy. Once approved, the preliminary baseline configuration becomes the initial baseline configuration for the information system and its constituent CIs.

The baseline configuration of an information system includes the sum total of the secure configurations of its constituent CIs and represents the system-specific configuration against which all changes are controlled.
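The steps above (resolve or document each deviation, then control all changes against the recorded baseline) can be checked mechanically. The following is an added example, not code from the handbook or from any configuration management product: it compares a CI's observed settings with a recorded baseline and treats a difference as acceptable only when the exception register holds an approved value and a change-control reference for it. The CI names, setting names, baseline values and record ids are constructed.

```python
"""Check a CI's current settings against its recorded baseline configuration.

Added example, not taken from the handbook or from any configuration
management product. The baseline, the exception register and the observed
settings below are constructed sample data with hypothetical setting names.
"""
from dataclasses import dataclass


@dataclass
class Deviation:
    ci: str
    setting: str
    baseline_value: str
    actual_value: str
    approval_ref: str = ""   # change-control record id when the deviation is approved

    @property
    def approved(self):
        return bool(self.approval_ref)


# Constructed baseline: the established, tested secure configuration per CI.
BASELINE = {
    "workstation-os": {"password_min_length": "14", "host_firewall": "enabled",
                       "remote_registry": "disabled"},
    "web-app-server": {"tls_min_version": "1.2", "host_firewall": "enabled"},
}

# Constructed exception register: deviations already documented and approved
# through change control, together with the value that was approved.
APPROVED_EXCEPTIONS = {
    ("web-app-server", "host_firewall"): ("disabled", "CCB-0042"),  # legacy app needs inbound ports
}


def check_against_baseline(ci, current, baseline=BASELINE, exceptions=APPROVED_EXCEPTIONS):
    """Return every setting on `ci` that differs from the baseline.

    A setting absent from `current` is reported with actual_value "<missing>".
    A deviation counts as approved only if an exception exists for this CI and
    setting AND the observed value is the one that was approved.
    """
    deviations = []
    for setting, expected in baseline[ci].items():
        actual = current.get(setting, "<missing>")
        if actual == expected:
            continue
        approved_value, ref = exceptions.get((ci, setting), (None, ""))
        deviations.append(Deviation(ci, setting, expected, actual,
                                    ref if actual == approved_value else ""))
    return deviations


def undocumented(deviations):
    """Deviations that need resolving or a change-control record before deployment."""
    return [d for d in deviations if not d.approved]


if __name__ == "__main__":
    observed = {"tls_min_version": "1.0", "host_firewall": "disabled"}
    for d in check_against_baseline("web-app-server", observed):
        status = f"approved ({d.approval_ref})" if d.approved else "UNDOCUMENTED"
        print(f"{d.ci}: {d.setting}={d.actual_value!r} (baseline {d.baseline_value!r}) {status}")
```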
UNIT IX
Log Correlation and Management
Lesson Plan
Suggested Learning Activities
Training Resource Material
9.1. Event Log Concepts
9.2. Log Management and its need
9.3. Log Management Process
9.4. Configuring Windows Event Log
9.5. IIS Log Files
9.6. Analysis and Response
LESSON PLAN
Knowledge and understanding (You must know and understand):
KA1. your organization's policies, procedures, standards and guidelines for managing information security
KA2. your organization's knowledge base and how to access and update this
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KA5. how to analyze root causes of information security issues
KA8. how to correlate devices and logs
KA9. different types of automation tools and how to use these
KA10. how to access and analyze information security performance metrics

Suggested Learning Activities:
KA1. Going through various organizations' websites and understanding the policies and guidelines. (Research)
KA2. Understand, summarize and articulate.
KA4, KA5. Peer group, Faculty group and Industry domain experts.
KA8. Peer review with faculty with appropriate feedback.
KA9. Going through various organizations' websites and understanding the policies and guidelines. (Research)
KA10, KA11. Team work (IM and chat applications) and group activities (online forums) including templates to be prepared.

Duration: 4 hrs

Training Resource Material:
PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Networking Equipment: Routers & Switches, Firewalls and Access Points; Access to all security sites like ISO, PCI DSS; Commercial tools like HP WebInspect and IBM AppScan etc.; Open Source tools like sqlmap, Nessus etc.
The students should research various log report templates and sources which provide
guidance on using log reports. The various information available in the report should be
understood and possible anomalies listed.
Activity 2:
Students should be divided into groups. One group should explore the log configurations of their own server and generate reports from the servers of their own institute each week. These should be analysed, and the activity reports and inferences drawn from them presented in class by a different group each week.
...while others use the logging capabilities of the OS on which they are installed. Applications vary significantly in the types of information that they log. The following lists some of the most commonly logged types of information and the potential benefits of each:

• Client requests and server responses, which can be very helpful in reconstructing sequences of events and determining their apparent outcome. If the application logs successful user authentications, it is usually possible to determine which user made each request. Some applications can perform highly detailed logging, such as e-mail servers recording the sender, recipients, subject name, and attachment names for each e-mail; Web servers recording each URL requested and the type of response provided by the server; and business applications recording which financial records were accessed by each user. This information can be used to identify or investigate incidents and to monitor application usage for compliance and auditing purposes.

• Account information such as successful and failed authentication attempts, account changes (e.g., account creation and deletion, account privilege assignment), and use of privileges. In addition to identifying security events such as brute force password guessing and escalation of privileges, it can be used to identify who has used the application and when each person has used it.

• Usage information such as the number of transactions occurring in a certain period (e.g., minute, hour) and the size of transactions (e.g., e-mail message size, file transfer size). This can be useful for certain types of security monitoring (e.g., a ten-fold increase in e-mail activity might indicate a new e-mail–borne malware threat; an unusually large outbound e-mail message might indicate inappropriate release of information).

• Significant operational actions such as application startup and shutdown, application failures, and major application configuration changes. This can be used to identify security compromises and operational failures.

Much of this information, particularly for applications that are not used through unencrypted network communications, can only be logged by the applications, which makes application logs particularly valuable for application-related security incidents, auditing, and compliance efforts. However, these logs are often in proprietary formats that make them more difficult to use, and the data they contain is often highly context-dependent, necessitating more resources to review their contents.
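The two usage-monitoring cases mentioned above (a ten-fold jump in e-mail volume, and an unusually large outbound message) are easy to miss by eye but simple to compute. The block below is an added example, not code from the handbook: it runs both checks over constructed e-mail server log lines in a hypothetical "<ISO time> dir=<in|out> from=<address> size=<bytes>" format, using the median of the other hours as the baseline so the burst cannot inflate its own reference point.

```python
"""Usage-based monitoring over application (e-mail server) logs.

Added example, not from the handbook. The log format
"<ISO time> dir=<in|out> from=<address> size=<bytes>" and the log lines
below are constructed; the thresholds are assumptions to tune per site.
"""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample: a quiet morning, a burst of outbound mail during the
# 11:00 hour, then a single very large outbound message at 12:01.
MAIL_LOG = [
    "2024-03-04T08:05:00Z dir=out from=alice@example.test size=4096",
    "2024-03-04T08:40:00Z dir=in from=bob@partner.test size=2048",
    "2024-03-04T09:10:00Z dir=out from=carol@example.test size=8192",
    "2024-03-04T09:55:00Z dir=out from=alice@example.test size=1024",
    "2024-03-04T10:15:00Z dir=in from=bob@partner.test size=3072",
    "2024-03-04T10:30:00Z dir=out from=carol@example.test size=2048",
] + [
    f"2024-03-04T11:{m:02d}:00Z dir=out from=dave@example.test size=512"
    for m in range(0, 60, 2)          # 30 messages from one account in one hour
] + [
    "2024-03-04T12:01:00Z dir=out from=erin@example.test size=52428800",  # 50 MiB
]


def parse(line):
    """Turn one constructed log line into a dict with a datetime and an int size."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "dir": fields["dir"], "from": fields["from"], "size": int(fields["size"])}


def hourly_counts(entries):
    """Number of transactions per clock hour."""
    return Counter(e["time"].replace(minute=0, second=0) for e in entries)


def activity_spikes(entries, factor=10):
    """Hours whose count is at least `factor` times the median of the other hours.

    The median (rather than the mean) keeps the burst itself from inflating
    the baseline it is compared against.
    """
    counts = hourly_counts(entries)
    spikes = []
    for hour, n in sorted(counts.items()):
        others = [c for h, c in counts.items() if h != hour]
        if others and n >= factor * median(others):
            spikes.append((hour, n))
    return spikes


def large_outbound(entries, limit_bytes=10 * 1024 * 1024):
    """Outbound messages above the size limit: candidates for data-release review."""
    return [e for e in entries if e["dir"] == "out" and e["size"] > limit_bytes]


def top_senders(entries, hour):
    """Who generated the traffic in a flagged hour (for the analyst's follow-up)."""
    return Counter(e["from"] for e in entries
                   if e["time"].replace(minute=0, second=0) == hour).most_common(3)


if __name__ == "__main__":
    entries = [parse(l) for l in MAIL_LOG]
    for hour, n in activity_spikes(entries):
        print(f"spike: {n} messages in hour {hour:%Y-%m-%d %H:00}, senders {top_senders(entries, hour)}")
    for e in large_outbound(entries):
        print(f"large outbound: {e['size']} bytes from {e['from']} at {e['time']:%H:%M}")
```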
Log Generation
The first tier contains the hosts that generate the log data. Some hosts run logging client
applications or services that make their log data available through networks to log servers
in the second tier. Other hosts make their logs available through other means, such as
allowing the servers to authenticate to them and retrieve copies of the log files.
Log Monitoring
The third tier contains consoles that may be used to monitor and review log data and the
results of automated analysis. Log monitoring consoles can also be used to generate
reports. In some log management infrastructures, consoles can also be used to provide
management for the log servers and clients. Also, console user privileges sometimes can
be limited to only the necessary functions and data sources for each user.
...space needed for the file without altering the meaning of its contents. Log compression is often performed when logs are rotated or archived.

Log reduction is removing unneeded entries from a log to create a new log that is smaller. A similar process is event reduction, which removes unneeded data fields from all log entries. Log and event reduction are often performed in conjunction with log archival so that only the log entries and data fields of interest are placed into long-term storage.

Log conversion is parsing a log in one format and storing its entries in a second format. For example, conversion could take data from a log stored in a database and save it in an XML format in a text file. Many log generators can convert their own logs to another format; third party conversion utilities are also available. Log conversion sometimes includes actions such as filtering, aggregation, and normalization.

In log normalization, each log data field is converted to a particular data representation and categorized consistently. One of the most common uses of normalization is storing dates and times in a single format. For example, one log generator might store the event time in a twelve-hour format (2:34:56 P.M. EDT) categorized as Timestamp, while another log generator might store it in twenty-four hour (14:34) format categorized as Event Time, with the time zone stored in different notation (-0400) in a different field categorized as Time Zone. Normalizing the data makes analysis and reporting much easier when multiple log formats are in use. However, normalization can be very resource-intensive, especially for complex log entries (e.g., typical intrusion detection logs).

Log file integrity checking involves calculating a message digest for each file and storing the message digest securely to ensure that changes to archived logs are detected. A message digest is a digital signature that uniquely identifies data and has the property that changing a single bit in the data causes a completely different message digest to be generated. The most commonly used message digest algorithms are MD5 and Secure Hash Algorithm 1 (SHA-1). If the log file is modified and its message digest is recalculated, it will not match the original message digest, indicating that the file has been altered. The original message digests should be protected from alteration through FIPS-approved encryption algorithms, storage on read-only media, or other suitable means.

Analysis

Event correlation is finding relationships between two or more log entries. The most common form of event correlation is rule-based correlation, which matches multiple log entries from a single source or multiple sources based on logged values, such as timestamps, IP addresses, and event types.

Event correlation can also be performed in other ways, such as using statistical methods or visualization tools. If correlation is performed through automated methods, generally the result of successful correlation is a new log entry that brings together the pieces of information into a single place. Depending on the nature of that information, the infrastructure might also generate an alert to indicate that the identified event needs further investigation.

Log viewing is displaying log entries in a human-readable format. Most log generators provide some sort of log viewing capability; third-party log viewing utilities are also available. Some log viewers provide filtering and aggregation capabilities.
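The normalization paragraph (a Timestamp of "2:34:56 P.M. EDT" next to an Event Time of "14:34" with a separate "-0400" Time Zone field) and the rule-based correlation paragraph (matching entries from several sources on timestamp, IP address and event type) are served by one added example below. It is not code from the handbook: both log sources, the zone-name table and the correlation rule (a firewall deny from an address followed within ten minutes by repeated application login failures from the same address) are constructed for the demonstration.

```python
"""Normalize two timestamp conventions to UTC, then correlate across sources.

Added example, not from the handbook. SOURCE_A, SOURCE_B, ZONE_OFFSETS and the
correlation rule are constructed; the field names mirror the text's example.
"""
from datetime import datetime, timedelta, timezone

# Constructed lookup for zone names used by the twelve-hour source.
ZONE_OFFSETS = {"EDT": -4, "EST": -5, "UTC": 0}

SOURCE_A = [  # application server: twelve-hour local time plus a zone name
    {"Timestamp": "2024-03-04 2:34:56 P.M. EDT", "Source IP": "198.51.100.7",
     "Event": "login_failure", "User": "alice"},
    {"Timestamp": "2024-03-04 2:35:10 P.M. EDT", "Source IP": "198.51.100.7",
     "Event": "login_failure", "User": "bob"},
]
SOURCE_B = [  # firewall: twenty-four hour time, zone in its own field
    {"Event Time": "2024-03-04 14:31", "Time Zone": "-0400", "src": "198.51.100.7",
     "Event Type": "deny"},
    {"Event Time": "2024-03-04 18:00", "Time Zone": "+0000", "src": "203.0.113.9",
     "Event Type": "deny"},
]


def norm_twelve_hour(ts, zone_names=ZONE_OFFSETS):
    """'2024-03-04 2:34:56 P.M. EDT' -> timezone-aware UTC datetime."""
    date, clock, ampm, zone = ts.split()
    local = datetime.strptime(f"{date} {clock} {ampm.replace('.', '')}",
                              "%Y-%m-%d %I:%M:%S %p")
    tz = timezone(timedelta(hours=zone_names[zone]))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


def norm_twenty_four_hour(ts, tz):
    """'2024-03-04 14:31' + '-0400' -> timezone-aware UTC datetime."""
    return datetime.strptime(f"{ts} {tz}", "%Y-%m-%d %H:%M %z").astimezone(timezone.utc)


def normalize(source_a, source_b):
    """Map both sources onto one record layout and one time representation."""
    out = []
    for e in source_a:
        out.append({"time": norm_twelve_hour(e["Timestamp"]), "src_ip": e["Source IP"],
                    "event_type": e["Event"], "source": "app", "user": e.get("User")})
    for e in source_b:
        out.append({"time": norm_twenty_four_hour(e["Event Time"], e["Time Zone"]),
                    "src_ip": e["src"], "event_type": e["Event Type"],
                    "source": "fw", "user": None})
    return sorted(out, key=lambda r: r["time"])


def correlate(events, window=timedelta(minutes=10), min_failures=2):
    """Rule: a firewall deny from an IP followed by >= min_failures application
    login failures from the same IP inside `window` yields one combined entry."""
    alerts = []
    for deny in (e for e in events if e["source"] == "fw" and e["event_type"] == "deny"):
        fails = [e for e in events
                 if e["source"] == "app" and e["event_type"] == "login_failure"
                 and e["src_ip"] == deny["src_ip"]
                 and deny["time"] <= e["time"] <= deny["time"] + window]
        if len(fails) >= min_failures:
            alerts.append({"time": deny["time"], "src_ip": deny["src_ip"],
                           "event_type": "correlated_probe",
                           "users": sorted({f["user"] for f in fails}),
                           "evidence": 1 + len(fails)})   # the deny plus each failure
    return alerts


if __name__ == "__main__":
    for a in correlate(normalize(SOURCE_A, SOURCE_B)):
        print(f"{a['time'].isoformat()} {a['src_ip']} {a['event_type']} "
              f"users={a['users']} entries={a['evidence']}")
```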
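The integrity-checking paragraph above is illustrated by the following added example (not code from the handbook). The text names MD5 and SHA-1; this example uses SHA-256, which is currently FIPS-approved, and protects the stored digest list with an HMAC so that a recomputed digest cannot be slipped into the manifest. The key, file name and log line are constructed; in practice the key would be kept where the log server itself cannot write, such as read-only media or an HSM.

```python
"""Archived-log integrity checking with message digests.

Added example, not from the handbook. Uses SHA-256 instead of the MD5/SHA-1
named in the text, and seals the digest manifest with an HMAC. The key, file
name and log content are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path, algorithm="sha256"):
    """Digest a file in chunks so large archives do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, key):
    """Digest each archived log and seal the list so it cannot be quietly edited."""
    digests = {os.path.basename(p): file_digest(p) for p in paths}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_manifest(manifest, directory, key):
    """Return (manifest_ok, [files whose content no longer matches]).

    If the MAC fails the digests themselves are untrusted, so no file list is
    produced: the manifest, not just a log, has been tampered with.
    """
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, []
    altered = [name for name, d in manifest["digests"].items()
               if file_digest(os.path.join(directory, name)) != d]
    return True, altered


def demo():
    """Seal one archived log, then show a content edit and a manifest edit being caught."""
    key = b"constructed-demo-key"   # assumption: stored off the log server in practice
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth-2024-03-04.log")
        with open(log, "w") as f:
            f.write("2024-03-04 09:01:02 LOGIN_FAIL user=alice src=192.0.2.10\n")
        manifest = build_manifest([log], key)
        untouched = verify_manifest(manifest, d, key)
        with open(log, "a") as f:          # a single appended byte changes the digest
            f.write("\n")
        edited = verify_manifest(manifest, d, key)
        # Overwriting the stored digest to match the edited file does not help:
        # the MAC over the manifest no longer verifies.
        manifest["digests"]["auth-2024-03-04.log"] = file_digest(log)
        resealed = verify_manifest(manifest, d, key)
        return untouched, edited, resealed


if __name__ == "__main__":
    print(demo())
```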
...depending on the event, such as whether a user trying to log on to Windows was successful.

Setup events
Computers that are configured as domain controllers will have additional logs displayed here.

System events
System events are logged by Windows and Windows system services, and are classified as error, warning, or information.

Forwarded events
These events are forwarded to this log by other computers.

Applications and Services Logs vary. They include separate logs about the programs that run on your computer, as well as more detailed logs that pertain to specific Windows services.

Open Event Viewer by clicking the Start button, clicking Control Panel, clicking System and Security, clicking Administrative Tools, and then double-clicking Event Viewer. Administrator permission is required: if you're prompted for an administrator password or confirmation, type the password or provide confirmation.

Click an event log in the left pane. Double-click an event to view the details of the event.
...regularly, the following message will appear.

1. After establishing the security log settings, click the Apply button.

...become active. Change the date by selecting the drop down menu and choosing a date from the calendar that is presented. Change the time by scrolling the up and down arrows in the time dialog box. Follow the same procedures clicking on the To: drop down menu and changing the selection to Events On. Set the date and time for the last as described above.
Log File Formats in IIS (IIS 6.0)

IIS provides six different log file formats that you can use to track and analyse information about your IIS-based sites and services. In addition to the six available formats, you can create your own custom log file format.

The following log file formats and logging options are available in IIS:

• W3C Extended Log File Format: Text-based, customizable format for a single site. This is the default format.
• W3C Centralized Logging: All data from all Web sites is recorded in a single log file in the W3C log file format.
• NCSA Common Log File Format: Text-based, fixed format for a single site.
• IIS Log File Format: Text-based, fixed format for a single site.
• ODBC Logging: Fixed format for a single site. Data is recorded in an ODBC-compliant database.
• Centralized Binary Logging: Binary-based, unformatted data that is not

IIS logs, when properly analysed, provide information about demographics and usage of the IIS web server. By tracking usage data, web providers can better tailor their services to support specific regions, time frames or IP ranges. Log filters also allow providers to track only the data deemed necessary for analysis.

Analyse an IIS Log file

IIS logs contain crucial information for improving the web site. Log files for an IIS server are the key source of information for managing the websites hosted on the server. The log files contain a record of each request from a web user and the response provided by the IIS server. This data is crucial for marketing, site performance and security. Logs are often the only indication that a user is attempting to hack into your IIS server. Patterns and trends can be spotted in this data to help you segment your users for marketing opportunities. IIS log analysis is a critical tool in improving your website.

Internet Information Services (IIS) 6.0 offers a number of ways to record the activity of your Web sites, File Transfer Protocol (FTP) sites, Network News Transfer Protocol (NNTP) service, and Simple Mail Transfer Protocol (SMTP) service and allows you to choose the log file format that works best for your environment. IIS logging is designed to be more detailed than the event logging or performance monitoring features of the Microsoft® Windows® Server 2003, Standard Edition, Windows® Server 2003, Enterprise Edition, and Windows® Server 2003, Datacenter Edition, operating systems. IIS log files can include information such as who has visited your site, what was viewed, and when the information was last viewed. You can monitor attempts to access your sites, virtual folders, or files and determine whether attempts were made to read or write to your files. IIS log file formats allow you to record events independently for any site, virtual folder, or file.

Using a text editor, the following steps can be used to analyse the IIS file:

1. Open the log file labeled as "ex010110.log" in your text editor. The six digits in the log file name are in the format day, month and year the file was created.
2. Locate the header information. This is a line starting with "#Fields:". Use this line to determine the corresponding values in each column.
3. Use the date and time to identify when the request was created. The "sitename" and "computername" will indicate what server responded to the request.
4. Identify the visitor to your web server by the "c-ip", which is the IP address of the visitor's computer.
5. The "cs-method" column will most often contain either "post" or "get" depending on the request made by the visitor's browser. The fields "cs-uri-stem" and "cs-uri-query" will denote the resource, such as an image or web page, the visitor requested.
6. Use the "sc-status" column to determine whether the web server was capable of correctly responding to the request. A link is provided in the resource section of this article to a complete list of response codes.
7. Use the "cs(User-Agent)" to determine what type of browser the visitor used, or if the visitor is actually a search engine. A link to a list of common user agents has been provided in the resource area of this article.
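The same steps can be carried out programmatically once the "#Fields:" directive is used to name the columns. The block below is an added example, not code from the handbook or from IIS: it parses a constructed W3C Extended log (the default IIS 6.0 format, with "-" for empty values and "+" for spaces inside a value), summarises "sc-status", lists the client addresses that keep receiving error responses, and separates browser user agents from tools and crawlers.

```python
"""Parse and summarise an IIS W3C Extended log (the default IIS 6.0 format).

Added example, not from the handbook or from IIS itself. The log text is
constructed; its field list is the set of columns the text walks through.
"""
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2024-03-04 08:00:00
#Fields: date time s-sitename s-computername c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2024-03-04 08:00:01 W3SVC1 WEB01 198.51.100.5 GET /index.htm - 200 Mozilla/5.0+(Windows+NT+10.0)
2024-03-04 08:00:02 W3SVC1 WEB01 198.51.100.5 GET /images/logo.gif - 200 Mozilla/5.0+(Windows+NT+10.0)
2024-03-04 08:00:09 W3SVC1 WEB01 198.51.100.5 POST /login.asp - 302 Mozilla/5.0+(Windows+NT+10.0)
2024-03-04 08:01:10 W3SVC1 WEB01 203.0.113.9 GET /robots.txt - 200 Mozilla/5.0+(compatible;+Googlebot/2.1)
2024-03-04 08:02:30 W3SVC1 WEB01 192.0.2.77 GET /admin/ - 404 curl/8.0.1
2024-03-04 08:02:31 W3SVC1 WEB01 192.0.2.77 GET /backup.zip - 404 curl/8.0.1
2024-03-04 08:02:32 W3SVC1 WEB01 192.0.2.77 GET /setup.asp - 404 curl/8.0.1
2024-03-04 08:02:33 W3SVC1 WEB01 192.0.2.77 GET /index.htm id=1 500 curl/8.0.1
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive.

    Directive lines start with '#'. Values are space-separated; '-' marks an
    empty value and '+' stands for a space inside a value.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the directive may repeat after a log rotation
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        row = {name: (None if v == "-" else v.replace("+", " "))
               for name, v in zip(fields, values)}
        row["sc-status"] = int(row["sc-status"])
        yield row


def status_summary(rows):
    """How often the server answered with each response code."""
    return Counter(r["sc-status"] for r in rows)


def error_clients(rows, threshold=3):
    """Client IPs with at least `threshold` 4xx/5xx responses: worth a closer look."""
    errors = Counter(r["c-ip"] for r in rows if r["sc-status"] >= 400)
    return {ip: n for ip, n in errors.items() if n >= threshold}


def non_browser_agents(rows):
    """Distinct user agents that do not present as a browser (tools, scripts)."""
    return sorted({r["cs(User-Agent)"] for r in rows
                   if not r["cs(User-Agent)"].startswith("Mozilla/")})


if __name__ == "__main__":
    rows = list(parse_w3c(SAMPLE_LOG))
    print("status codes:", dict(status_summary(rows)))
    print("clients with repeated errors:", error_clients(rows))
    print("non-browser agents:", non_browser_agents(rows))
```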
UNIT X
Data Backup
Lesson Plan
Suggested Learning Activities
Training Resource Material
10.1. Data Backup
10.2. Types of Backup
10.3. Backup Procedures
10.4. Types of Storage
10.5. Features of a Good Backup Strategy
LESSON PLAN
The students should backup data available in the institute and evaluate the backup
requirements for the institute. If there isn’t a policy for backup then the same should be
developed by the students and all necessary steps for successful implementation should
be carried out by students.
Activity 2:
The students should be divided into groups and asked to prepare a report on the differences between backup of individual data and backup of security devices and applications. The report should focus on requirements, challenges, products and means available, advantages and disadvantages, media used, and other differences.
Activity 3:
The students should research various products and services for backup available in the
industry and compare the benefits, features and limitations of each. The comparison
should be presented in class.
Full backup

Full backup is a method of backup where all the files and folders selected for the backup will be backed up. It is commonly used as an initial or first backup followed with subsequent incremental or differential backups. After several incremental or differential backups, it is common to start over with a fresh full backup again.

Some also like to do full backups for all backup runs, typically for smaller folders or projects that do not occupy too much storage space.

Advantages
• Restores are fast and easy to manage as the entire list of files and folders are in one backup set.
• Easy to maintain and restore different versions.

Disadvantages
• Backups can take very long as each file is backed up again every time the full backup is run.
• Consumes the most storage space compared to incremental and differential backups. The exact same files are stored repeatedly, resulting in inefficient use of storage.

Incremental backup

Incremental backup is a backup of all changes made since the last backup. The last backup can be a full backup or simply the last incremental backup. With incremental backups, one full backup is done first and subsequent backup runs are just the changed files and new files added since the last backup.

Advantages
• Much faster backups.
• Efficient use of storage space as files are not duplicated. Much less storage space used compared to running full backups and even differential backups.

Disadvantages
• Restores are slower than with a full backup and differential backups.
• Restores are a little more complicated. All backup sets (first full backup and all incremental backups) are needed to perform a restore.

Differential backups

Differential backups fall in the middle between full backups and incremental backups. A differential backup is a backup of all changes made since the last full backup. With differential backups, one full backup is done first and subsequent backup runs are the changes made since the last full backup. The result is a much faster backup than a full backup for each backup run. Storage space used is less than a full backup but more than incremental backups. Restores are slower than with a full backup but usually faster than incremental backups.

Advantages
• Much faster backups than full backups.
• More efficient use of storage space than full backups since only files changed since the last full backup will be copied on each differential backup run.

Disadvantages
• Backups are slower than incremental backups.
• Not as efficient use of storage space as compared to incremental backups. All files added or edited after the initial full backup will be duplicated again with each subsequent differential backup.
• Restores are slower than with full backups.
• Restores are a little more complicated than full backups but simpler than incremental backups. Only the full backup set and the last differential backup are needed to perform a restore.

Disadvantages
• There is a chance that files in the source deleted accidentally, by sabotage or through a virus may also be deleted from the backup mirror.

Full PC backup

Full PC backup or full computer backup typically involves backing up entire images of the computer's hard drives rather than individual files and folders. The drive image is like a snapshot of the drive. It may be stored compressed or uncompressed.
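The trade-offs listed above (incremental: smallest sets but every set is needed to restore; differential: larger sets but only the full plus the last differential are needed) can be made concrete with a small simulation. The following is an added example, not code from the handbook or any backup product: it runs a full backup followed by daily incremental or differential backups over a constructed file history, computes the restore chain each type requires, and checks that the restore reproduces the source state, which is the "test your backup" step in working form.

```python
"""Which files each backup type captures, and which sets a restore needs.

Added example, not from the handbook. The file history is constructed: each
"day" is a dict of path -> content version, starting from the day-0 state.
"""

# Constructed history: day 0 is the initial state, later days change/add files.
HISTORY = [
    {"a.txt": "a1", "b.txt": "b1", "c.txt": "c1"},                  # day 0: full backup
    {"a.txt": "a2", "b.txt": "b1", "c.txt": "c1"},                  # day 1: a changed
    {"a.txt": "a2", "b.txt": "b2", "c.txt": "c1", "d.txt": "d1"},   # day 2: b changed, d added
    {"a.txt": "a3", "b.txt": "b2", "c.txt": "c1", "d.txt": "d1"},   # day 3: a changed again
]


def changed_since(state, reference):
    """Files whose content is new or differs from `reference` (an earlier backup view)."""
    return {p: v for p, v in state.items() if reference.get(p) != v}


def plan(history, kind):
    """Backup sets produced by a full backup on day 0 followed by daily `kind`
    ('incremental' or 'differential') backups. Each set is (kind, {path: content})."""
    full = history[0]
    sets = [("full", dict(full))]
    last_seen = dict(full)      # cumulative view of everything backed up so far
    for state in history[1:]:
        if kind == "incremental":
            delta = changed_since(state, last_seen)   # changes since the LAST backup
            last_seen.update(delta)
        elif kind == "differential":
            delta = changed_since(state, full)        # changes since the last FULL backup
        else:
            raise ValueError(f"unknown backup kind: {kind}")
        sets.append((kind, delta))
    return sets


def restore_chain(sets, up_to):
    """Sets that must be read to restore the state after backup index `up_to`."""
    if sets[up_to][0] == "differential":
        return [sets[0], sets[up_to]]        # the full set plus only the last differential
    return sets[: up_to + 1]                 # the full set plus every incremental so far


def restore(sets, up_to):
    """Replay the restore chain in order; later sets overwrite earlier versions."""
    result = {}
    for _, data in restore_chain(sets, up_to):
        result.update(data)
    return result


def storage_used(sets):
    """Total number of file copies held across all sets (a proxy for space used)."""
    return sum(len(data) for _, data in sets)


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        sets = plan(HISTORY, kind)
        ok = all(restore(sets, day) == HISTORY[day] for day in range(len(HISTORY)))
        print(f"{kind}: {storage_used(sets)} file copies stored, "
              f"{len(restore_chain(sets, 3))} sets needed for the day-3 restore, "
              f"restore test {'passed' if ok else 'FAILED'}")
```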
Offsite Backup
Any backup where the backup storage medium is kept at a different geographic location from
the source is known as an offsite backup. The backup may be done locally at first on the usual
storage devices but once the storage medium is brought to another location, it becomes an
offsite backup.
...delicate hard disk is higher. (Does not apply to online storage.)

...trip to the bank. The term "remote backup" is often used loosely and interchangeably with "online backup" and "cloud backup".

Advantages
• Much better protection from natural disasters than local backups.
• Easier administration as it does not need a physical trip to the offsite backup location.

Disadvantages
• More expensive than local backups.
• Can take longer to backup and restore than local backups.

Cloud backup

Cloud backup is a term often used loosely and interchangeably with Online Backup and Remote Backup. This is a type of backup where data is backed up to a storage server or facility connected to the source via the Internet. With the proper login credentials, that backup can then be accessed securely from any other computer with an Internet connection. The term "cloud" refers to the backup storage facility being accessible from the Internet.

Advantages
• Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural disasters.
• Able to easily connect and access the backup with just an Internet connection.

...serviced by multiple redundant Internet connections so there is no single point of failure to bring the service down.
• Data is replicated across several storage devices and usually serviced by multiple Internet connections so the system is not at the mercy of a single point of failure.
• When the service is provided by a good commercial data center, service is managed and protection is unparalleled.

Disadvantages
• More expensive than local backups.
• Can take longer to backup and restore.

FTP Backup

This is a kind of backup where the backup is done via the File Transfer Protocol (FTP) over the Internet to an FTP Server. Typically, the FTP Server is located in a commercial data center away from the source data being backed up. When the FTP server is located at a different location, this is another form of offsite backup.

Advantages
• Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural disasters.
• Able to easily connect and access the backup with just an Internet connection.

Disadvantages
• More expensive than local backups.
• Can take longer to backup and restore.
• Backup and restore times are dependent on the Internet connection.
Disadvantages:
• Relatively expensive per GB so can only be used for backing up a small amount of data.

CD's and DVD's are ideal for storing a list of songs, movies, media or software for distribution or for giving to a friend due to the very low cost per disk. They do not make good storage options for backups due to their shorter lifespan, small storage space and slower read and write speeds.

Advantages:
• A very good offsite backup. Not affected by events and disasters such as theft, floods, fire etc.

Disadvantages:
• More expensive than traditional external hard drives. Often requires an ongoing subscription.
• Requires an Internet connection to access the cloud storage.
• Much slower than other local backups.
The following are features to aim for when designing your backup strategy:
Able to recover from data loss in all circumstances like hard drive failure, virus
attacks, theft, accidental deletes or data entry errors, sabotage, fire, flood, earth
quakes and other natural disasters.
Able to recover to an earlier state if necessary like due to data entry errors or
accidental deletes.
Able to recover as quickly as possible with minimum effort, cost and data loss.
Require minimum ongoing human interaction and maintenance after the initial
setup. Hence able to run automated or semi-automated.
Local backups are needed due to their lower cost allowing you to backup a huge amount of data. Local backups are also useful for their very fast restore speed allowing you to get back online in

Backup Start Time: You would typically want to run your backups when there's minimal usage on the computers. Backups may consume some computer resources that may affect performance. Also, files that are open or in use may not get backed up.

Scheduling backups to run after business hours is a good practice providing the computer is left on overnight. Backups will not normally run when the computer is in "sleep" or "hibernate" mode. Some backup software will run immediately upon boot up if it missed a scheduled backup the previous night.

So if the first hour on a business day morning is your busiest time, you would not want your computer doing its backups then. If you always shut down or put your computer in sleep or hibernate mode at the end of a work day, maybe your lunch time would be a better time to schedule a backup. Just leave the computer on but logged-off when you go out for lunch.

Since servers are usually left running 24 hours, overnight backups for servers are a good choice.

4. Backup Types
Many backup software packages offer several backup types like Full Backup, Incremental Backup and Differential Backup. Each backup type has its own advantages and disadvantages. Full backups are useful for projects, databases or small websites where many different files (text, pictures, videos etc.) are needed to make up the entire project and you may want to keep different versions of the project.

5. Compression & Encryption
As part of your backup plan, you also need to decide if you want to apply any compression to your backups. For example, when backing up to an online service, you may want to apply compression to save on storage cost and upload bandwidth. You may also want to apply compression when backing up to storage devices with limited space like USB thumb drives.

If you are backing up very private or sensitive data to an offsite service, some backup tools and services also offer support for encryption. Encryption is a good way to protect your content should it fall into malicious hands. When applying encryption, always ensure that you remember your encryption key. You will not be able to restore it without your encryption key or phrase.

6. Testing Your Backup
A backup is only worth doing if it can be restored when you need it most. It is advisable to periodically test your backup by attempting to restore it. Some backup utilities offer a validation option for your backups. While this is a welcome feature, it is still a good idea to test your backup with an actual restore once in a while.

7. Backup Utilities & Services
Simply copying and pasting files and folders to another drive would be considered a backup. However, the aim of a good backup plan is to set it up once and leave it to run on its own. You would check up on it occasionally but the backup strategy should not depend on your ongoing interaction for it to continue backing up. A good backup plan would incorporate the use of good quality, proven backup software utilities and backup services.
Trainer’s Handbook – Security Analyst SSC/N0902
SSC/N0902: Coordinate responses to information security incidents
Unit Title
Co-ordinate responses to information security incidents
(Task)
• contain
• cleanse
• recover
• close
KB4. how to identify and resolve information security vulnerabilities
and incidents.
KB5. common issues and incidents of information security that may
require action and who to report these to.
KB6. how to obtain and validate information related to information
security issues.
KB7. how to prepare and submit information security reports and who
to share these with.
THE UNITS
The module for this NOS is divided into five units based on the learning objectives as given below:
UNIT I: Incident Response Overview
1.1 Incident Response Overview
1.2 Handling Different Types of Information Security Incidents
1.3 Preparation for Incident Response and Handling Constraints of a Security Audit
UNIT I
Incident Response Overview
Lesson Plan

Knowledge and understanding (You need to know and understand):
KA5. the purpose of managing information security incidents
KA9. the impact information security incidents can have on your organization
KA10. different types of information security incidents and how to deal with these
KA14. your organization's policies and procedures for sharing information on security incidents and the importance of complying with these
KA15. how to classify and prioritise information security incidents
KB3. different stages of incident management and your role in relation to these, including:
• identify
• contain
• cleanse
• recover
• close

Suggested Learning Activities:
KA1. QA session and a descriptive write up on understanding.
KA5. Performance evaluation from Faculty and Industry with reward points.
KA9. QA session and a descriptive write up on understanding.
KA10. Classify latest threats and vulnerabilities into the CIA triad. Classify various threats into the incident categories listed in the unit.
KA15. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
KA14, KB3. Group and faculty evaluation for highlighting the various parts and their purpose of an incident response plan/tasks of incident management, using live researched examples.

Duration: 2 Hrs in class assessment & 15 Hrs offline Research and Learning activity

Training Resource Material:
PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated)
Activity 1:
Ask the students to research various type of information security incidents from the
internet and populate the various categories of incidents mentioned in the unit with
examples of each. Let them present a few details of these incidents if possible.
Activity 2:
Ask the students to visit various company sites, find out their incident response plans and
list out various components of it.
Activity 3:
Divide the students into groups and ask them to create an incident response plan for the
training institute and modify it as they progress through this module.
An incident is a set of one or more security events or conditions that requires action and
closure in order to maintain an acceptable risk profile.
There are five important incident handling phases:
• Preparation: establishing and training an incident response team, and acquiring the necessary tools and resources.
• Detection and analysis: detecting security breaches and alerting the organization during any imminent attack.
• Containment: mitigating the impact of the incident by containing it.
• Eradication and recovery: carrying out the detection and analysis cycle to eradicate the incident and ultimately initiate recovery.
• Post-incident activity: preparing a detailed report of the cause and cost of the incident and of future preventive measures against similar attacks.
This is similar to the tasks contained within incident management plans:
• identify
• contain
• cleanse
• recover
• close
Organizations should have a plan to respond to various types of incidents, detailing the various aspects of incident handling including the above.
Incident response plan
An Incident Response Plan is an organization’s foundation for a formal, focused and coordinated approach to incident response. The objective of instating an incident response plan is to provide the roadmap for implementing the incident response capability. The incident response plan acts as a defence mechanism against hackers, malware, human error and a series of other security threats.
Requirements of incident response plan
The intervention of an incident response plan can be the structure for building an organization’s incident response capability. Emphasis on computing security policies and practices is the main objective of most organizations in their overall risk management strategies. Elements that are recommended as important to an incident response plan are:
• the organization’s mission towards the plan
• the organization’s strategies and goals to determine the structure of the incident response capability
• senior management approval in the structuring of the proposed plan
• the organizational approach to incident response
• the incident response team’s communication with the rest of the organization and with other organizations
• metrics for measuring the incident response capability and its effectiveness
• a roadmap for maturing the incident response capability (regular reviews, audits and tests etc.)
• how the program fits into the overall organization.
Incident response plan checklist
Developing an incident response plan checklist can minimize the threat of a security breach in the form of attacks on websites and servers, or inadvertent leakage of shared sensitive data etc. Instating a structure that ensures the latest developments are captured, understood, evaluated as threats to the business, documented and distributed will help ensure an effective incident response. An incident response plan checklist should be an amalgamation of the following key practices:
• provide a roadmap for implementing an incident response program based on the organization’s policy.
• organize both short- and long-term goals for the program, including metrics for measuring the program.
• highlight incident handlers’ training needs and other technical requirements.
• ensure that existing and new cyber technologies are adequately addressed in policies and procedures.
• conduct regular reviews, audits and tests to protect against security breaches.
• classify business data in the order of its sensitivity and security requirements.
• select an appropriate incident response team structure.
• comply with security-related incident regulations and law enforcement procedures.
Scenarios:
• Through a routine evaluation of system logs, a system administrator discovers that XYZ’s data has been exfiltrated from the system by an unauthorized user account.
• A remote user has lost his/her laptop. The user’s job function required that XYZ’s information be stored on the laptop.
• After a recent office move, it is discovered that a locked cabinet containing XYZ’s information is missing.
For each scenario:
• Determine the actions that would help prevent this type of incident (preparation).
• Determine the controls in place that would help identify this incident, along with procedures on how to report the incident (detection and analysis).
• How to prevent further damage (containment).
• How to clean the system (eradication).
• How to restore the system in a secure manner (recovery).
UNIT II
Incident Response
- Roles and Responsibilities
Lesson Plan

You need to know and understand:
KA4. limits of your role and responsibilities and who to seek guidance from where required
KA6. who to involve when investigating and co-ordinating responses to information security incidents and how to contact them
KA11. how to assign and escalate information on information security incidents
KA12. different methods and techniques used when working with others
KB5. common issues and incidents of information security that may require action and who to report these to
KB6. how to obtain and validate information related to information security issues
KB7. how to prepare and submit information security reports and who to share these with

Suggested Learning Activities:
KA4. Peer group, Faculty group and Industry experts.
KA6. Performance evaluation from Faculty and Industry with reward points.
KA11. Online exam and reward points based on reviews from the forums.
KA12. Faculty and peer review.
KB5, KB6, KB7. Going through the security standards over the Internet by visiting sites like ISO, PCI DSS etc., and understanding various methodologies and usage of algorithms. Learn about the CIA triad relating to latest threats and vulnerabilities.

Duration: 4 hrs classroom session and 2 hrs research

Training Resource Material:
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Access to all security sites like ISO, PCI DSS, Center for Internet Security
Security Templates from ITIL, ISO
Activity 1:
Activity 2:
Ask students to research various external service providers and services that support
incident team in the organisation in responding to information security incidents.
A team member in an incident response unit is expected to have a basic understanding of the technologies used and their applications. The individual should be capable of comprehending and handling the following aspects of security incidents:
• the type of incident activity that is being reported or seen by the community.
• the way in which incident response team services are being provided (the level and depth of technical assistance provided to the constituency).
• the responses that are appropriate for the team (e.g. what policies and procedures or other regulations must be considered or followed while undertaking the response).
• the level of authority the incident response team has in taking any specific actions when applying technical solutions to an incident reported to the incident response team.
• IT technical experts (e.g. system and network administrators) can ensure that the appropriate actions are taken for the affected system, such as whether to disconnect an attacked system.
• Coordinate with relevant legal experts to review incident response plans, policies and procedures to ensure their compliance with law and federal guidance, including the right to privacy.
• Ensure that incident response policies and procedures and business continuity processes are in sync.
• Coordinate with Physical Security and Facilities Management to access facilities during incident handling.
Start to create a documented action script that will outline your response steps so your IR Manager can follow them consistently. Your script should show steps similar to the following:
STEP #   ACTION
1        Incident announced
2        IR Manager alerted
3        IR Manager begins information gathering from affected site
4        IR Manager begins tracking and documentation of incident
5        IR Manager invokes Assessment Team (details of call bridge or other communication mechanism)
6        Assessment Team reviews details and decides on Severity Level of incident
7        IF SEV 1 = PROCEED TO STEP #11.0
8        IF SEV 2 = PROCEED TO STEP #12.0
9        IF SEV 3 = PROCEED TO STEP #13.0
10       IF SEV 4 = PROCEED TO STEP #14.0
FOR SEVERITY LEVEL 1 – Proceed with following sequence
11.0     Determine attack vectors being used by threat
11.1     Determine network locations that are impacted
11.2     Identify areas that fall under “Parent Organization”
11.3     Identify systems or applications that are impacted
FOR SEVERITY LEVEL 2 – Proceed with following sequence
12.0     Determine attack vectors being used by threat
12.1     Alert Incident Officer to Severity 2 threat
http://www.cert.org/csirts/Creating-A-CSIRT.html
http://www.cert.org/csirts/Creating-A-CSIRT.html#practices
O’Reilly Incident Response – Kenneth R. vanWyk and Richard Forno
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
UNIT III
Incident Response Process
Lesson Plan
Activity 1:
Ask the class to research the internet and collect ideas and templates on incident report forms and formats. Meet with industry if possible to understand the usage and applicability of these.
Activity 2:
Divide the students into groups and ask them to prepare an incident report for your training institute, using the templates available for preparing a report. Highlight the sources of information for the various parts of the report.
Activity 3:
Provide students with a list of types of companies/organisations and the different kinds of
data available within these. Ask students to prioritize the various types of data using
various considerations stated in the unit.
This process should be repeated until the incident is successfully handled.
Step 5: Containment
Containment and Quarantine
Various containment strategies may be considered, weighing the following:
• Potential damage to and theft of resources
• Need for evidence preservation
• Service availability (network connectivity, services provided to external parties etc.)
• Time and resources needed to implement the strategy
• Effectiveness of the strategy (partial containment, full containment etc.)
• Duration of the solution (emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution etc.)
Quarantine
Handling an incident may necessitate the use of strategies to contain the existing predicament, one such method being redirecting the attacker to a sandbox (a form of containment) so that the team can monitor the attacker’s activity, usually to gather additional evidence. Once a system has been compromised, if the compromise is allowed to continue it may help the attacker to use the compromised system to attack other systems.
Identify and isolate the trust model
Network information systems are vulnerable to threats, and benign nodes are often compromised because of unknown, incomplete or distorted information while interacting with external sources. In this case, malicious nodes need to be identified and isolated from the environment. The solution to insecurity can be found in the establishment of trust. A trust model can be formed based on the characteristics of information sources, the computation of the most relevant and reliable information source, the experience of other members of the community etc.
Step 6: Formulating a response strategy
An analysis of the recoverability from an incident determines the possible responses that the team may take when handling the incident. An incident with a high functional impact and low effort to recover from is an ideal candidate for immediate action from the team. In situations involving high end data
Incident prioritization
• Functional impact of the incident on the existing functionality of the affected systems, and the future functional impact of the incident if it is not immediately contained.
• Information impact of the incident that may amount to information exfiltration and impact on the organization’s overall mission, and the impact of exfiltration of sensitive information on other organizations if any of the data pertain to a partner organization.
• Recoverability from the incident and how to determine the amount of time and resources that must be spent on recovering from that incident.
• Necessity to actually recover from an incident, carefully weighing that against the value the recovery effort … time and types of resources that must be spent on recovering from the incident).
• Requirements – identification of relevant security requirements, misuse and abuse cases.
• Architecture and design – provide context for architectural risk analysis and guidance for security architecture.
• Implementation and development – prioritize and guide review activities.
• Testing and quality assurance – provide context for appropriate risk-based and penetration testing.
• System operation – leverage lessons learned from security incidents into preventative guidance.
• Policy and standard generation – guide the identification of appropriate prescriptive organizational policies and standards.
Incident prioritization guidelines and templates
• receive initial investigation and data gathering from IT help desk members and escalate to a high strategic level specialist if the situation demands.
• use appropriate materials that may be needed during an investigation.
• become acquainted with various law enforcement representatives before an incident occurs to discuss conditions under which incidents should be reported to them.
• maintain a record of chain of custody forms that detail the transfer and include each party’s signature while transferring evidence from person to person.
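The prioritization factors above (functional impact, information impact, recoverability) and the severity-routed action script from Unit II can be combined into one small triage routine. The block below is an added example written for this handbook; it is not the handbook’s own material nor taken from any standard it cites. The ordinal scales, weights and severity thresholds are assumptions chosen to illustrate the technique, and the SEV 3 and SEV 4 step texts are assumed placeholders (only the SEV 1 and SEV 2 sequences appear in the action script). The three sample incidents are constructed from the Unit I scenarios.

```python
"""Incident prioritization and severity routing.

Added example for this handbook; not code from the handbook or from any
standard it cites. The ordinal scales, weights, severity thresholds and the
SEV 3 / SEV 4 step texts are assumptions chosen to illustrate the technique.
The SEV 1 and SEV 2 step texts are those of the Unit II action script.
"""
from dataclasses import dataclass

# Ordinal scales for the three prioritization factors the unit describes (assumed values).
FUNCTIONAL = {"none": 0, "low": 1, "medium": 2, "high": 3}
INFORMATION = {"none": 0, "privacy": 2, "proprietary": 3, "integrity": 3}
RECOVERABILITY = {"regular": 0, "supplemented": 1, "extended": 2, "not_recoverable": 3}

# Score bands mapped to severity levels, highest first (assumed calibration).
SEV_THRESHOLDS = [(7, 1), (4, 2), (2, 3), (0, 4)]

# Step sequences keyed by severity, mirroring the action script's
# "IF SEV n = PROCEED TO STEP #n.0" rows.
SEQUENCES = {
    1: ["11.0 Determine attack vectors being used by threat",
        "11.1 Determine network locations that are impacted",
        "11.2 Identify areas that fall under \"Parent Organization\"",
        "11.3 Identify systems or applications that are impacted"],
    2: ["12.0 Determine attack vectors being used by threat",
        "12.1 Alert Incident Officer to Severity 2 threat"],
    3: ["13.0 (assumed) Open a ticket and schedule analysis within the business day"],
    4: ["14.0 (assumed) Record the incident for trend analysis; no immediate action"],
}


@dataclass(frozen=True)
class Incident:
    name: str
    functional: str        # key into FUNCTIONAL
    information: str       # key into INFORMATION
    recoverability: str    # key into RECOVERABILITY
    partner_data: bool = False   # affected data belongs to a partner organization


def priority_score(inc):
    """Sum of the three factor scores; partner data raises information impact by one."""
    score = (FUNCTIONAL[inc.functional]
             + INFORMATION[inc.information]
             + RECOVERABILITY[inc.recoverability])
    if inc.partner_data and inc.information != "none":
        score += 1
    return score


def severity(inc):
    """Map the score onto SEV 1..4 using the first threshold the score reaches."""
    score = priority_score(inc)
    for threshold, sev in SEV_THRESHOLDS:
        if score >= threshold:
            return sev
    return 4


def next_steps(inc):
    """The action-script sequence the IR Manager proceeds to for this severity."""
    return list(SEQUENCES[severity(inc)])


def immediate_action_candidate(inc):
    """High functional impact with low recovery effort: the unit's ideal case for immediate action."""
    return inc.functional == "high" and inc.recoverability in ("regular", "supplemented")


def triage(incidents):
    """Queue order for the team: highest score first, then name for a stable order."""
    return sorted(incidents, key=lambda i: (-priority_score(i), i.name))


# Constructed incidents, based on the three scenarios in Unit I.
EXFILTRATION = Incident("data exfiltration by unauthorized account",
                        "medium", "proprietary", "extended", partner_data=True)
LOST_LAPTOP = Incident("lost laptop holding XYZ information", "none", "privacy", "regular")
WORM = Incident("worm outbreak on workstations", "high", "none", "supplemented")

if __name__ == "__main__":
    for inc in triage([LOST_LAPTOP, WORM, EXFILTRATION]):
        print(f"{inc.name}: score={priority_score(inc)} SEV {severity(inc)} -> {next_steps(inc)[0]}")
```

The scoring is deliberately simple so that the thresholds can be argued about in class; what matters for the exercise is that the same three factors decide both the queue order and which branch of the action script the IR Manager follows.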
Handling and rectifying security incidents works best in a “learning and improving” model. Therefore, incident handling teams must evolve to reflect on new threats, improved technology and lessons learned. Each lessons learned brief must include the following agenda:
• What exactly happened, and at what times?
• How well did staff and management perform in dealing with the incident?
• Were the documented procedures followed? Were they adequate?
• What information was needed sooner?
• Were any steps or actions taken that might have inhibited the recovery?
• What would the staff and management do differently the next time a similar incident occurs?
• How could information sharing with other organizations have been improved?
• What corrective actions can prevent similar incidents in the future?
• What precursors or indicators should be watched for in the future to detect similar incidents?
• What additional tools or resources are needed to detect, analyze and mitigate future incidents?
Process change for the future
The changing nature of information technology and changes in personnel require the incident response team to review all related documentation and procedures for handling incidents at designated intervals. A study of incident characteristics (data collected from previous incidents) may indicate systemic security weaknesses and threats as well as changes in incident trends. Incident data can also be collected to determine if a change to incident response capabilities causes a corresponding change in the team’s performance (improvements in efficiency, reductions in costs etc.).
Incident record keeping
Incident record keeping, or collecting data that are actionable rather than collecting data simply because they are available, will be useful in several capacities to the organization. It may help in deriving the following information:
• systemic security weaknesses and threats, as well as changes in incident trends.
• selection and implementation of additional controls.
• measures of the success of the incident response team.
• expected return on investment from the data.
Step 9: Data collection
Chain of custody
Evidence collected should be accounted for at all times. Whenever evidence is transferred from person to person, chain of custody forms should detail the transfer and include each party’s signature. A detailed log should be kept for all evidence, including the following:
• Identifying information (e.g. the location, serial number, model number, hostname, media access control (MAC) addresses and IP addresses of a computer).
• Name, title, and phone number of each individual who collected or handled the evidence during the investigation.
• Time and date (including time zone) of each occurrence of evidence handling.
• Locations where the evidence was stored.
Step 10: Forensic analysis
Incident handling requires some team members to be specialized in particular technical areas, such as network intrusion detection, malware analysis or forensics. Many incidents cause a dynamic chain of events to occur; an initial system snapshot may do more good in identifying the problem and its source than most other actions that can be taken at this stage. Therefore, it is appropriate to obtain snapshots through full forensic disk images, not file system backups. Disk images should be made to sanitized write-protectable or write-once media. This process is superior to a file system backup for investigatory and evidentiary purposes. Imaging is also valuable in that it is much safer to analyse an image than it is to perform analysis on the original system, because the analysis may inadvertently alter the original. Some of the useful resources in forensic aspects of incident analysis may include digital forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data.
Step 11: Evidence protection
Importance of keeping evidence relating to information security incidents
Collecting evidence from computing resources presents some challenges. It is generally desirable to acquire evidence from a system of interest as soon as one suspects that an incident may have occurred. Users and system administrators should be made aware of the steps that they should take to preserve evidence. In addition, evidence should be accounted for at all times; whenever evidence is transferred from person to person, chain of custody forms should detail the transfer and include each party’s signature, and a registry or log should be maintained of the location of the stored evidence.
Step 12: Notify external agencies
An organization’s incident response team should plan its incident coordination with external parties before incidents occur, to ensure that all parties know their roles and that effective lines of communication are established. An organization’s external agencies may include other or external incident response teams, law enforcement agencies, Internet service providers and constituents, law enforcement/legal departments, and customers or system owners etc.
Step 13: Eradication
Eliminating components of the incident, such as deleting malware and disabling breached user accounts, as well as identifying and mitigating all vulnerabilities that were exploited, follows successful containment and quarantine. During the process, it is important to identify all affected hosts within the organization so that they can be remediated. In some cases, eradication is either not necessary or is performed during recovery.
Identify data backup holes
Verify data back-up and restore procedures. Incident response should be aware of the location of back-up data storage, maintenance, user access and security procedures for data restoration and system recovery. Following are the suggested data back-up sources:
… should also focus on longer-term changes (e.g. infrastructure changes) and ongoing work to keep the enterprise as secure as possible.
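Steps 9 to 11 above describe two things a practitioner has to get right together: a forensic image whose integrity can be demonstrated, and a chain of custody log carrying the fields the unit lists (identifying information, each handler’s name, title and phone number, timestamps with time zone, storage location, signatures). The block below is an added example written for this handbook and is not the handbook’s own code or any forensic tool’s API. It images a constructed stand-in “device” (a temporary file), hashes the image during acquisition, uses a read-only file mode as a software stand-in for write-once media, and refuses to record a hand-over if the image no longer matches its acquisition hash. Item identifiers, serial numbers, names and phone numbers are constructed.

```python
"""Verified forensic image plus a chain-of-custody log.

Added example for this handbook; not from the handbook or from any named
forensic tool. The 'device' is a temporary file written by the demo, the
read-only mode stands in for write-once media, and every identifier below
is constructed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone

CHUNK = 1 << 16


def sha256_file(path):
    """Streaming SHA-256 so large images are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, dest):
    """Copy source to dest byte for byte, hashing while reading, then make dest
    read-only (stand-in for write-protectable media) and confirm the copy matches."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    os.chmod(dest, 0o444)
    digest = h.hexdigest()
    if sha256_file(dest) != digest:
        raise RuntimeError("image does not match what was read from the source")
    return digest


@dataclass
class Transfer:
    when: str             # ISO 8601 with time zone, as the unit requires
    from_handler: str
    to_handler: str
    to_title: str
    to_phone: str
    location: str         # where the evidence is stored after the hand-over
    signatures: tuple     # (from, to) signatures, constructed strings here
    verified_hash: str    # image hash re-checked at this hand-over


@dataclass
class EvidenceRecord:
    item_id: str
    description: str      # location, serial, model, hostname, MAC, IP (constructed)
    image_path: str
    acquisition_hash: str
    transfers: list = field(default_factory=list)

    def transfer(self, from_handler, to_handler, to_title, to_phone, location, sig_from, sig_to):
        """Record a hand-over; refuse it if the image no longer matches its acquisition hash."""
        current = sha256_file(self.image_path)
        if current != self.acquisition_hash:
            raise ValueError("integrity failure: image hash changed since acquisition")
        self.transfers.append(Transfer(
            when=datetime.now(timezone.utc).isoformat(),
            from_handler=from_handler, to_handler=to_handler, to_title=to_title,
            to_phone=to_phone, location=location, signatures=(sig_from, sig_to),
            verified_hash=current))
        return self.transfers[-1]

    def custodian(self):
        """Whoever received the evidence last, or None before any hand-over."""
        return self.transfers[-1].to_handler if self.transfers else None


def demo(workdir=None):
    """Build a constructed device, image it and record one hand-over."""
    workdir = workdir or tempfile.mkdtemp(prefix="coc-")
    device = os.path.join(workdir, "sdb.raw")           # constructed stand-in for a seized disk
    with open(device, "wb") as f:
        f.write(b"\x00" * 4096 + b"CONSTRUCTED FILESYSTEM DATA" + os.urandom(8192))
    image = os.path.join(workdir, "EV-001.dd")
    rec = EvidenceRecord(
        item_id="EV-001",
        description="laptop HDD, serial SN-CONSTRUCTED-1, hostname ws-017, "
                    "MAC 00:11:22:33:44:55, IP 10.0.5.17, seized from desk 4B",
        image_path=image, acquisition_hash=acquire_image(device, image))
    rec.transfer("A. Analyst", "B. Examiner", "Forensic examiner", "+00 000 001",
                 "Evidence locker 2", "sig-A", "sig-B")
    return rec


def tamper_detected(rec):
    """Simulate an alteration of the image and confirm the next hand-over is refused."""
    os.chmod(rec.image_path, 0o644)        # undo the write protection for the simulation only
    with open(rec.image_path, "ab") as f:
        f.write(b"\x00")
    try:
        rec.transfer("B. Examiner", "C. Counsel", "Legal", "+00 000 002", "Legal office", "sig-B", "sig-C")
    except ValueError:
        return True
    return False
```

The point of hashing during acquisition rather than afterwards is that the digest describes exactly the bytes that were read from the device; every later hand-over re-hashes the image, so an altered image cannot silently continue down the custody chain.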
UNIT IV
Handling Malicious Code Incidents
5.1. Incident handling preparation
5.2. Incident prevention
5.3. Detection of Malicious Code
5.4. Containment strategy
5.5. Evidence gathering and handling
5.6. Eradication and Recovery

Lesson Plan

You need to know and understand:
KA7. the importance of tracking progress and corrective and preventative actions for information security incidents
KA10. different types of information security incidents and how to deal with these

Suggested Learning Activities:
KA7. Peer review with faculty with appropriate feedback.
KA10. Team work (IM and chat applications) and group activities (online forums) including templates to be prepared.

Duration: 8 hrs

Training Resource Material:
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Access to all security sites like ISO, PCI DSS, Center for Internet Security
Security Templates from ITIL, ISO
Activity 1:
Divide students into groups and assign them the following task. List various service providers
and products that help in addressing malicious code incidents through prevention and
eradication. Compare features and benefits of various products and service providers.
Present your finding in class and compare the findings with that of your peers.
Activity 2:
Research various OS and the inbuilt provisions to prevent malicious code incidents. Present
the same in class.
Malicious code refers to a program that is covertly inserted into another program with
the intent to destroy data, run destructive or intrusive programs or otherwise
compromise the security or integrity of the victim’s data.
Generally, malicious code is designed to perform these nefarious functions without the system’s user knowing. Malicious code attacks can be divided into five categories: viruses, Trojan horses, worms, mobile code and blended.
Detection of malicious code involves the preparation to handle incidents that use common attack vectors. Some of the key aspects useful in malicious code detection are:
• screening attack vectors such as removable media or other peripheral devices.
• keeping a tab on network flow information through routers and other networking devices, which can be used to find anomalous network activity caused by malware, data exfiltration and other malicious acts.
• monitoring alerts sent by most IDPS products, which use attack signatures to identify malicious activity. The signatures must be kept up to date so that the newest attacks can be detected.
• observing antivirus software alerts: antivirus software detects various forms of malware, generates alerts and prevents the malware from infecting hosts.
• maintaining and using a rich knowledge base replete with explanations of the significance and validity of precursors and indicators, such as IDPS alerts, operating system log entries and application error codes.
• following appropriate containment procedures, which may require disconnecting the host from the network before it causes further damage.
Because malicious code incidents can take many forms, they may be detected via a number of precursors and indications. Some precursors and possible responses are listed below:
Precursor: An alert warns of new malicious code that targets software that the
organization uses.
Response: Research the new virus to determine whether it is real or a hoax. This can be
done through antivirus vendor websites and virus hoax sites. If the malicious code is
confirmed as authentic, ensure that antivirus software is updated with virus signatures for
the new malicious code. If a virus signature is not yet available, and the threat is serious
and imminent, the activity might be blocked through other means, such as configuring
email servers or clients to block emails matching characteristics of the new malicious
code. The team might also want to notify antivirus vendors of the new virus.
Response: Determine how the malicious code entered the system and what vulnerability
or weakness it was attempting to exploit. If the malicious code might pose a significant
risk to other users and hosts, mitigate the weaknesses that the malicious code used to
reach the system and would have used to infect the target host.
Containment strategies vary based on the type of incident. For example, the strategy for containing an email-borne malware infection is quite different from that for a network-based DDoS attack. Organizations should create separate containment strategies for each major incident type, with criteria documented clearly to facilitate decision making.
Criteria for determining the appropriate strategy include:
• Potential damage to and theft of resources
• Need for evidence preservation
• Service availability (e.g. network connectivity or services provided to external parties)
• Time and resources needed to implement the strategy
• Effectiveness of the strategy (e.g. partial containment or full containment)
• Duration of the solution (e.g. emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks or permanent solution)
Containment strategy for malicious code incidents may include:
• Identifying and isolating other infected hosts: antivirus alert messages are a good source of information, but not every infection will be detected by antivirus software. Incident handlers may need to search for indications of infection through other means such as:
  – performing port scans to detect hosts listening on a known Trojan horse or backdoor port.
  – using antivirus scanning and clean-up tools released to combat a specific instance of malicious code.
  – reviewing logs from email servers, firewalls and other systems that the malicious code may have passed through, as well as individual host logs.
  – configuring network and host intrusion detection software to identify activity associated with infections.
  – auditing the processes running on systems to confirm that they are all legitimate.
• Sending unknown malicious code to antivirus vendors: malicious code that cannot be definitively identified by antivirus software may occasionally enter the environment. Eradicating the malicious code from systems and preventing additional infections may be difficult or impossible without having updated antivirus signatures from the vendor. Incident handlers should be familiar with the procedures for submitting copies of unknown malicious code to the organization’s antivirus vendors.
• Configuring email servers and clients to block emails: many email programs can be configured manually to block emails by particular subjects, attachment names or other criteria that correspond to the malicious code. This is neither a foolproof nor an efficient solution, but it may be the best option available if an imminent threat exists and antivirus signatures are not yet available.
• Blocking outbound access: if the malicious code attempts to generate outbound emails or connections, handlers should consider blocking access to IP addresses or services to which the infected system may be attempting to connect.
• Shutting down email servers: during the most severe malicious code incidents, with hundreds or thousands of internal hosts infected, email servers may become completely overwhelmed by viruses trying to spread via email. It may be necessary to shut down an email server to halt the spread of email-borne viruses.
• Isolating networks from the internet: networks may become overwhelmed with worm traffic when a severe worm infestation occurs. Occasionally a worm will generate so much traffic throughout the internet that network perimeters are completely overwhelmed. It may be better to disconnect the organization from the internet, particularly if the organization’s internet access is essentially useless as a result of the volume of worm traffic. This protects the organization’s systems from being attacked by external worms should the organization’s systems already be infected, and prevents them from attacking other systems and adding to the traffic congestion.
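The detection aspects in 5.3 and the containment measures above come together when an incident handler has to decide which hosts to isolate, which outbound destinations to block and what criteria to hand to the mail administrators. The block below is an added example written for this handbook; it is not the handbook’s own code and does not represent any antivirus, flow or mail product’s log format. All log lines, host names, addresses, the threat name and the attachment names are constructed. It joins antivirus alerts, network flow records and mail-server logs, treats a destination contacted by several antivirus-confirmed hosts as a suspected rendezvous point, flags other hosts talking to it as infections the antivirus missed (the case the unit warns about), and derives the block criteria from the confirmed malicious attachment.

```python
"""Correlating malicious-code precursors and indicators into a containment plan.

Added example for this handbook; not from the handbook or from any product.
All log lines, host names, addresses and the threat name are constructed.
"""
import re
from collections import defaultdict

# Constructed inventory: hostname -> IP address.
INVENTORY = {"ws-017": "10.0.5.17", "ws-042": "10.0.5.42",
             "ws-088": "10.0.5.88", "ws-101": "10.0.5.101"}

# Constructed sample records in a 'timestamp kind key=value ...' form.
AV_ALERTS = [
    "2024-05-01T10:02:11Z av host=ws-017 action=quarantined threat=Worm.Constructed.A file=invoice.exe",
    "2024-05-01T10:05:43Z av host=ws-042 action=detected threat=Worm.Constructed.A file=invoice.exe",
]
NETFLOW = [
    "2024-05-01T10:03:00Z flow src=10.0.5.17 dst=203.0.113.9 dport=6667 bytes=48213",
    "2024-05-01T10:06:10Z flow src=10.0.5.42 dst=203.0.113.9 dport=6667 bytes=51002",
    "2024-05-01T10:07:30Z flow src=10.0.5.88 dst=203.0.113.9 dport=6667 bytes=47711",
    "2024-05-01T10:08:00Z flow src=10.0.5.101 dst=198.51.100.20 dport=443 bytes=1200",
]
MAIL_LOG = [
    '2024-05-01T09:58:02Z mail to=user17@example.test subject="Invoice 4471" attachment=invoice.exe',
    '2024-05-01T09:59:20Z mail to=user42@example.test subject="Invoice 4471" attachment=invoice.exe',
    '2024-05-01T10:00:05Z mail to=user101@example.test subject="Weekly report" attachment=report.pdf',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split one constructed record into a dict of its fields plus ts and kind."""
    ts, kind = line.split(maxsplit=2)[:2]
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    fields.update(ts=ts, kind=kind)
    return fields


def correlate(av_alerts=AV_ALERTS, flows=NETFLOW, inventory=INVENTORY, min_confirmed=2):
    """Return ({hostname: [reasons]}, {(dst_ip, dport)}) for hosts showing infection indicators.

    A destination contacted by at least `min_confirmed` antivirus-confirmed hosts is
    treated as a suspected malware rendezvous point; other hosts contacting it are
    reported as unconfirmed infections that antivirus has not alerted on.
    """
    addr_to_host = {ip: host for host, ip in inventory.items()}
    reasons = defaultdict(list)
    confirmed = set()
    for a in map(parse, av_alerts):
        confirmed.add(a["host"])
        reasons[a["host"]].append(f"antivirus {a['action']} {a['threat']} ({a['file']})")

    dest_hosts = defaultdict(set)
    for f in map(parse, flows):
        dest_hosts[(f["dst"], f["dport"])].add(addr_to_host.get(f["src"], f["src"]))
    suspect = {d for d, hosts in dest_hosts.items() if len(hosts & confirmed) >= min_confirmed}
    for ip, port in suspect:
        for host in sorted(dest_hosts[(ip, port)] - confirmed):
            reasons[host].append(f"connection to {ip}:{port} shared with infected hosts; no antivirus alert")
    return dict(reasons), suspect


def mail_block_criteria(av_alerts=AV_ALERTS, mail=MAIL_LOG):
    """Subjects and attachment names tied to confirmed malicious files, for a mail-server block rule."""
    bad_files = {parse(a)["file"] for a in av_alerts}
    hits = [m for m in map(parse, mail) if m["attachment"] in bad_files]
    return {"attachment": sorted({m["attachment"] for m in hits}),
            "subject": sorted({m["subject"] for m in hits})}


def containment_plan(av_alerts=AV_ALERTS, flows=NETFLOW, mail=MAIL_LOG):
    """The three containment measures from the unit, derived from the correlated indicators."""
    reasons, suspect = correlate(av_alerts, flows)
    return {"isolate": sorted(reasons),
            "block_outbound": sorted(f"{ip}:{port}" for ip, port in suspect),
            "mail_block": mail_block_criteria(av_alerts, mail)}


if __name__ == "__main__":
    import json
    print(json.dumps(containment_plan(), indent=2))
```

Note that ws-088 ends up on the isolation list with no antivirus alert at all, purely because its network behaviour matches that of the two confirmed hosts; that is the situation the unit describes when it says not every infection will be detected by antivirus software. The `min_confirmed` threshold is what keeps a single coincidental connection from isolating a healthy host.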
The primary reason for gathering evidence during an incident is to resolve the incident; however, it may also be needed for legal proceedings. In the case of incident analysis, the procedure is implemented through the application of hardware and software and related accessories such as hard-bound notebooks, digital cameras, audio recorders, chain of custody forms, evidence storage bags and tags, and evidence tape, to preserve evidence for possible legal actions.
With respect to legal proceedings, it is important to clearly document how all evidence, including compromised systems, has been preserved. Evidence should be collected according to procedures that meet all applicable laws and regulations, developed from previous discussions with legal staff and appropriate law enforcement agencies, so that any evidence can be admissible in court. Thus, users and system administrators should be made aware of the steps that they should take to preserve evidence.
Eradication and recovery should be done in a phased approach so that remediation steps are prioritized.
Antivirus systems
Antivirus software effectively identifies and removes malicious code infections; however, some infected files cannot be disinfected. (Files can be deleted and replaced with clean backup copies. In the case of an application, the affected application can be reinstalled.) If the malicious code provided attackers with root-level access, it may not be possible to determine what other actions the attackers may have performed. In such cases, the system should either be restored from a previous, uninfected backup or be rebuilt from scratch. Of course, the system should then be secured so that it will not be susceptible to another infection from the same malicious code. Antivirus software sends alerts when it detects that a host is infected with malware. It detects various forms of malware, generates alerts and prevents the malware from infecting hosts. Current antivirus products are effective at stopping many instances of malware if their signatures are kept up to date. Anti-spam software is used to detect spam and prevent it from reaching users’ mailboxes. Spam may contain malware, phishing attacks and other malicious content, so alerts from anti-spam software may indicate attack attempts.
Case Study on Incident Handling Process
The Challenge
A large, multinational organization was alerted by US-CERT/FBI that it had been the
source of a number of credit cards and details being leaked/sold on underground
(carding) forums. After an initial investigation, the organization's security team
discovered a compromised credit-card processing server but, having insufficient
resources and skills in dealing with the incident, called in OSEC.
The Solution
OSEC sent a team of analysts, including Incident Response, Crisis Management, and
Digital Forensics personnel to the organization's head office and data centres to deal
with the incident. Once there, the team initiated full incident response based on the
information supplied by the organization itself as well as law enforcement/authorities.
Now that you know the security challenge reported by US-CERT/FBI, read through the Detection and Eradication process that was adopted to handle the incident in a controlled manner:
Containment required understanding what data had been exfiltrated, and working back
from there to the compromised resources, as well as examining the rest of the
environment for other footholds that the attackers had. Quickly gaining an
understanding of the network and segmentation, as well as rapidly implementing
network behavioural analysis and performing content inspection between the payment
processing infrastructure and external networks, OSEC detected connections back to
command and control servers that were known to be operated by organized criminal
elements ('carders'). From there, we started performing analysis of the compromised systems using forensics techniques to determine how and what vulnerabilities had been exploited to gain access, correlating that with available logging information, all the while monitoring network flows both to ensure that no additional card information was being exfiltrated and to understand what machines were under their control, all without alerting the bad guys.
Within a short amount of time, OSEC determined that a third-party web application/site
that was vulnerable to SQL injection had been initially compromised, and then used as a
"base of operations" to penetrate further into the network, ultimately gaining access to
the payment processing segments. By targeting administrators using social engineering
attacks in combination with an Internet Explorer vulnerability, they had then stolen
credentials that could be used to authenticate to payment processing servers, and
utilized privilege escalation vulnerabilities on the servers themselves to harvest credit
card numbers as they were being processed. In addition, they had installed customized
malware that communicated with the command and control servers and exfiltrated data
through encrypted tunnels, in bursts, to evade detection.
OSEC then went about stopping the spread of the malware and compromise, and expelling the attackers from the network. Once we had determined that the malware installed would not respond negatively to loss of connectivity to command and control servers, we quickly:
• ensured the initial point of compromise (SQL injection) was corrected
• scanned for similar common vulnerabilities in externally-visible systems, and ensured any identified issues were corrected
• reset all relevant authentication credentials
• blocked the attackers at the network perimeter.
We then set about isolating and cleaning each of the compromised hosts as quickly as we could, in coordination with IT personnel, to ensure that the processing systems were impacted as little as possible. In most cases, we were able to wipe hosts and perform recovery to ensure all traces of malware were eradicated, but a number of systems required manual cleaning, which we undertook with the relevant organizational resources, and initiated extensive monitoring to ensure no undetected issues remained.
Finally, once the full extent of the breach was understood, particularly what and how much data had been stolen, OSEC coordinated with PR and Legal personnel to manage client and other regulatory-body notifications.
Post-Incident Activity
Once the immediate incident had been dealt with, OSEC performed a post-mortem analysis of the incident and the organization's response, and compared it to OSEC's internally-developed IR processes, procedures, and frameworks to identify what needed to be done to ensure IR, vulnerability management, as well as overall Information Security Management processes and procedures were improved such that future incidents would be minimized. We then sat down with the various stakeholders in the organization that had been involved and discussed the incident and response, explaining the relevant issues, identifying organizational problems that also needed to be corrected, as well as future strategies for avoiding incidents and dealing with them when they occurred, communicating our recommended incident response strategy and implementation to the organization's senior levels.
The Result
Twelve months after implementing the recommendations, and achieving a practical
incident response program, the organization has not suffered any subsequent
breaches. In addition, it has gained the assurance, through incident response drills, that
should a breach occur, response will be swift and effective.
UNIT V
Handling Network Security Incidents
Lesson Plan
Suggested Learning Activities
Training Resource Material
5.1. Network Reconnaissance Incidents
5.2. Denial of Service Attacks
5.3. Unauthorised Access Incidents
5.4. Inappropriate Usage Incidents
5.5. Multiple Component Incidents
Lesson Plan
Outcomes: To be competent, you must be able to:
PC5. liaise with stakeholders to gather, validate and provide information related to information security incidents, where required
PC9. update the status of information security incidents following investigation/action using standard templates and tools
Performance Measures: 1. Creation of templates based on the learnings. 2. Peer review with faculty with appropriate feedback.
Duration (Hrs): 4 hrs
Ensuring Work Environment / Lab Requirement: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Projection facilities

Outcomes: You need to know and understand:
KA7. the importance of tracking progress and corrective and preventative actions for information security incidents
KA10. different types of information security incidents and how to deal with these
Performance Measures: KA7: Peer review with faculty with appropriate feedback. KA10: Team work (IM and chat applications) and group activities (online forums) including templates to be prepared.
Duration (Hrs): 8 hrs
Ensuring Work Environment / Lab Requirement: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security; Security Templates from ITIL, ISO
Activity 1:
Present to class different types of incidents that impact network security and research
various service providers who offer services for network incident management. Compare
their offerings.
Activity 2:
Create an action plan for your training institute for addressing network security incidents.
As part of the plan state do’s and don’ts for the network administrator and users.
Intruders probe computer networks to gather information about computer systems and
resources. A probe is any attempt launched to detect:
• active hosts and networks that are reachable over a public or an accessible
medium.
• services and applications they are running that could be connected to any
vulnerability that these services and applications may have, which could be
exposed and taken advantage of.
1. Active
2. Passive
An active probe involves some attempted interaction over the network on behalf of the
intruder. This may involve sending a packet directly to a target host or a network or
some intermediary used for the purposes of probing.
A passive probe, on the other hand, would involve an intruder restricting herself to
sniffing and logging traffic, originating from and destined to a potential or an identified
target and obtaining relevant information. The choice of being passive may be due to
reasons of configuration or access or it may be a deliberate act by an intruder to avoid
detection.
Passive probes are by their nature hard to detect. Any reconnaissance information gained
using such tactics, however, is limited to the traffic visible to an intruder. Active probes
are necessary if an intruder wishes to gather information in a timely manner and of her own choosing.
Use private IP addresses for all hosts on internal networks. This will severely restrict the ability of attackers to establish direct connections to internal hosts.

Host security

• perform regular vulnerability assessments to identify serious risks and mitigate the risks to an acceptable level.
• disable all unneeded services on hosts. Separate critical services so they run on different hosts. If an attacker then compromises a host, immediate access should be gained only to a single service.
• run services with the least privileges possible to reduce the immediate impact of successful exploits.
• use host based firewall software to limit individual hosts’ exposure to attacks.
• limit unauthorized physical access to logged-in systems by requiring hosts to lock idle screens automatically and asking users to log off before leaving the office.
• create authentication and authorization standards for employees and contractors to follow when developing software. For example, passwords should be strongly encrypted using a FIPS 140-2 validated algorithm when they are transmitted or stored.
• establish procedures for provisioning and de-provisioning user accounts. These should include an approval process for new account requests and a process for periodically disabling or deleting accounts that are no longer needed.

Physical security

• Implement physical security measures that restrict access to critical resources.

Detection and analysis

As unauthorized access incidents can occur in many forms, they can be detected through dozens of types of precursors and indications.
Precursor: a new exploit for gaining unauthorized access is released publicly, and it poses a significant threat to the organization.
Response: the organization should investigate the new exploit and, if possible, alter security controls to minimize the potential impact of the exploit for the organization.

Precursor: users report possible social engineering attempts — attackers trying to trick them into revealing sensitive information, such as passwords or encouraging them to download or run programs and file attachments.
Response: the incident response team should send a bulletin to users with

Precursor: a person or system may observe a failed physical access attempt (e.g. outsider attempting to open a locked wiring closet door, unknown individual using a cancelled ID badge).
Response: security should detain the person, if possible. The purpose of the activity should be determined and it should be verified that the physical and computer security controls are strong enough to block the apparent threat. (An attacker who cannot gain physical access may perform remote computing based attacks instead.) Physical and computer security controls should be strengthened if necessary.

Indications
List of Malicious actions and their respective indicators:
Indicators:
gained access. Vulnerabilities that were used to gain access should be mitigated appropriately. Additional actions should be performed as merited to identify and address weaknesses systemically. For example, if an attacker gained user level access by guessing a weak password, then not only should that account’s password be changed to a stronger password, but also the system administrator and owner should consider enforcing stronger password requirements. If the system was in compliance with the organization’s password policies, the organization should consider revising its password policies.

Recommendations

Key recommendations for handling unauthorized access incidents are summarized below:
• configure intrusion detection software to alert on attempts to gain unauthorized access. Network and host based intrusion detection software (including file integrity checking software) is valuable for detecting attempts to gain unauthorized access. Each type of software may detect incidents that the other types of software cannot, so the use of multiple types of computer security software is highly recommended.
• configure all hosts to use centralized logging. Incidents are easier to detect if data from all hosts across the organization is stored in a centralized, secured location.
• establish procedures for having all users change their passwords. A password compromise may force the organization to require all users of an application, system, trust domain or perhaps, the entire organization to change their passwords.
• configure the network perimeter to deny all incoming traffic that is not expressly permitted. By limiting the types of incoming traffic, attackers should be able to reach fewer targets and should be able to reach the targets using only designated protocols. This should reduce the number of unauthorized access incidents.
• secure all remote access methods, including modems and VPNs. Unsecured modems provide easily attainable unauthorized access to internal systems and networks. Remote access clients are often outside the organization’s control; granting them access to resources increases risk.
• put all publicly accessible services on secured DMZ network segments. This permits the organization to allow external hosts to initiate connections to hosts only on the DMZ segments, not to hosts on internal network segments. This should reduce the number of unauthorized access incidents.
• disable all unneeded services on hosts and separate critical services. Every service that is running presents another potential opportunity for compromise. Separating critical services is important because if an attacker compromises a host that is running a critical service, immediate access should be gained only to one service.
• use host based firewall software to limit individual hosts’ exposure to attacks. Deploying host based firewall software to individual hosts and configuring it to deny all activity that is not expressly permitted should further reduce the likelihood of unauthorized access incidents.
• create and implement a password policy. The password policy should require the use of complex, ‘difficult-to-guess’ passwords and ensure that authentication methods are sufficiently strong for accessing critical resources. Weak and default passwords are likely to be guessed or cracked, leading to unauthorized access.
• provide change management information to the incident response team. Indications such as system shutdowns, audit configuration changes and executable modifications are probably caused by routine system administration rather than attacks. When such indications are detected, the team should be able to use change management information to verify that the indications are caused by authorized activity.
• select containment strategies that balance mitigating risks and maintaining services. Incident handlers should consider moderate containment solutions that focus on mitigating the risks as much as is practical while maintaining unaffected services.
• restore or reinstall systems that appear to have suffered a root compromise. The effects of root compromises are often difficult to identify completely. The system should be restored from a known good backup, or the operating system and applications should be reinstalled from scratch. The system should then be secured properly so the incident cannot recur.
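The recommendation on change management information, as an added example that is not part of the handbook: indications of the kinds listed above (shutdowns, audit configuration changes, executable modifications) are reconciled with approved change records, and only those matching on host, kind of change and time window are treated as authorized activity. All tickets, hosts and times are constructed sample data.

```python
"""Reconcile incident indications with change-management records.

Added example, not from the handbook. The recommendations above say that
indications such as system shutdowns, audit configuration changes and
executable modifications are usually routine administration, and that the
incident response team should use change management information to verify
this. Here an indication is explained only if an approved change record
matches it on host, kind of change and time window. All data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ChangeRecord:
    ticket: str      # constructed ticket id
    host: str
    kind: str        # "shutdown", "audit_config" or "executable"
    start: datetime  # approved change window
    end: datetime


@dataclass(frozen=True)
class Indication:
    host: str
    kind: str
    observed: datetime
    detail: str


def explain(ind, changes, slack=timedelta(minutes=15)):
    """Return the ticket that authorizes the indication, or None.

    Host and kind must both match: a patch window on a host does not explain
    audit rules being cleared on that same host. A small slack is allowed
    around the window because ticket times and host clocks rarely agree."""
    for c in changes:
        if (c.host == ind.host and c.kind == ind.kind
                and c.start - slack <= ind.observed <= c.end + slack):
            return c.ticket
    return None


def triage(indications, changes):
    """Split indications into (explained, unexplained) lists of (ind, ticket)."""
    explained, unexplained = [], []
    for ind in indications:
        ticket = explain(ind, changes)
        (explained if ticket else unexplained).append((ind, ticket))
    return explained, unexplained


# Constructed sample data: two approved changes and five indications.
CHANGES = [
    ChangeRecord("CHG-1001", "web01", "executable",
                 datetime(2024, 3, 4, 22, 0), datetime(2024, 3, 4, 23, 0)),
    ChangeRecord("CHG-1002", "db01", "shutdown",
                 datetime(2024, 3, 5, 1, 0), datetime(2024, 3, 5, 2, 0)),
]
INDICATIONS = [
    Indication("web01", "executable", datetime(2024, 3, 4, 22, 40), "/usr/sbin/httpd modified"),
    Indication("db01", "shutdown", datetime(2024, 3, 5, 1, 10), "unexpected reboot"),
    Indication("web01", "audit_config", datetime(2024, 3, 4, 22, 45), "auditd rules cleared"),
    Indication("app02", "executable", datetime(2024, 3, 6, 3, 12), "/usr/sbin/sshd modified"),
    Indication("db01", "shutdown", datetime(2024, 3, 5, 2, 10), "second reboot, inside slack"),
]

if __name__ == "__main__":
    explained, unexplained = triage(INDICATIONS, CHANGES)
    for ind, ticket in explained:
        print(f"explained   {ind.host:6} {ind.kind:13} {ind.detail} ({ticket})")
    for ind, _ in unexplained:
        print(f"UNEXPLAINED {ind.host:6} {ind.kind:13} {ind.detail} -> escalate")
```

Note that the audit configuration change on web01 falls inside the patch window but is still escalated, because the approved change is of a different kind.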
SSC/ N 0903
Install, configure and troubleshoot information
security devices
Unit Title (Task) Install, configure and troubleshoot information security devices
appropriate people
PC3. liaise with stakeholders clearly and promptly regarding the installation/
configuration of information security devices
PC4. install/configure information security devices as per instructions and
guidelines
PC5. test installed/configured information security devices, following
instructions and guidelines
PC6. resolve problems with security devices, following instructions and
guidelines
PC7. obtain advice and guidance on
installing/configuring/testing/troubleshooting information security
devices from appropriate people, where required
PC8. record the installation/configuration/testing/troubleshooting of
information security devices promptly using standard templates and
tools
PC9. provide reports for troubleshooting, configurations and deployment
using standard templates and tools
PC10. comply with your organization’s policies, standards, procedures,
guidelines and service level agreements (SLAs) when installing /
configuring / troubleshooting information security devices
Knowledge and Understanding (K)
THE UNITS
UNIT I
Configuring Network Devices
LESSON PLAN
Outcomes: You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Performance Measures: KA4, KA5: Peer group, Faculty group and Industry experts. KB1 - KB4: Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline Research and Learning activity.
Work Environment / Lab Requirement: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security
Activity 1:
Divide the students into groups and ask them to research various types of attacks and get
examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets
the maximum number of correct examples will get a prize.
Activity 2:
Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.
Activity 3:
Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.
Real-time detection - Relies on detection of traffic generated by the endpoint. The benefit is its
timely nature—detection is immediate. Consequently, you can take action very quickly. The
downside of this approach is that since detection is based on traffic generated by the endpoint,
there must be a sensor located near this traffic. This technique may not be practical for all network
topologies.
Scheduled detection - The system queries network addresses for a response according to a
schedule. This model can overcome the proximity limitations of the first approach. Sensors can
execute scans from a limited number of locations or a single location on the network. The
downside of this approach is that detection is not immediate. It is limited to the detection interval
determined by the schedule. As in the example of off-hours scanning, rogue systems may operate
on the network between detection scans and escape identification.
system provides details of the location of all the test machines connected to the network. For those test machines included in the asset inventory, the team must also verify that the system provides information about the asset owner. The evaluation team must then verify that the test systems are automatically isolated from the production network within one hour of initial notification and that an e-mail or alert indicating the isolation has occurred is sent. The team must then verify that the connected test systems are isolated from production systems.
and interpreting each packet passing through the device. As a result, APG devices are not suitable for filtering applications that are more demanding in terms of bandwidth or applications that are sensitive to time delays (real-time applications). Another deficiency of these devices is the limitation in the number of services that can be filtered through them. Each type of traffic passing through the device requires a specific proxy agent that acts as an intermediary in the communication. Consequently, APG devices do not always support the filtering of new applications or protocols. Due to their price, APG devices are commonly used for protecting data centres or other networks containing publicly available servers that are of high importance to an organisation. In order to reduce the load on APG devices and achieve greater efficiency, modern networks more frequently use proxy servers (dedicated proxy servers) that are dedicated to specific services that are not so sensitive to time delays (e.g., e-mail or web proxy servers).

Dedicated Proxy Server

Like APG devices, Dedicated Proxy (DP) servers also have a role as firewall “intermediaries” in the communication between two hosts, although their traffic-filtering capabilities are significantly lower. This type of device is intended for the analysis of the operation of specific services and protocols (e.g., HTTP or SMTP). Due to their limited traffic-filtering capabilities, DP devices are deployed behind firewall devices in the network architecture. Their main function is to perform specialised filtering of a specific type of traffic (based on a limited set of parameters) and carry out the logging operation. This significantly reduces the load on the firewall device itself, which is located in front of the DP server. The most widely used devices of this type are Web Proxy servers. A common example of their use is an HTTP proxy server (placed behind the firewall device or router), to which users need to connect when they wish to access external web servers. If an institution has an outgoing connection (uplink) of lower bandwidth, the use of the caching function is recommended in order to reduce the level of traffic and improve the response time. As a result of an increase in the number of available web applications and the number of threats transferred through the HTTP protocol, Web Proxy servers are growing in significance. Equipment manufacturers today add the functionality of various technologies to the standard Web Proxy servers, thus increasing their traffic-filtering capabilities.
feature of PAT increases the level of security of the LAN to a certain degree, since it prevents a connection from the Internet being established directly with the hosts on the LAN. Due to this manner of operation, PAT is sometimes, incorrectly, regarded as a security technology, although it is primarily a routing technology.

VPN (Virtual Private Network)

VPN (Virtual Private Network) technology is used to increase the security of data transfer through a network infrastructure that does not provide a sufficient degree of data security. It enables the encryption and decryption of network traffic between external networks and an internal, protected network.

VPN functionality can be available on firewall devices or implemented on VPN servers that are placed behind firewall devices in the network architecture. In many cases, the implementation of VPN services on a firewall device itself is the optimal solution. Placing a VPN server behind the firewall device requires the VPN traffic to pass through the firewall device in an encrypted form. As a result, the firewall device cannot perform an inspection, access control or logging of the network traffic, and therefore cannot scan it for certain security threats. However, regardless of the place of the implementation, the VPN service requires the application of certain filtering rules of the firewall device in order to enable its uninterrupted operation. Accordingly, special attention should always be paid to making sure that the appropriate protocols and the TCP/UDP services that are necessary for the functioning of the chosen VPN solution are supported.

IDP (Intrusion Detection and Prevention)

Network Intrusion Detection (ID) is based on monitoring the operation of computer systems or networks and analysing the processes they perform, which can point to certain incidents. Incidents are events posing a threat to or violating defined security policies, violating AUP (Acceptable Use Policy) rules, or generally accepted security norms. They appear as a result of the operation of various malware programmes (e.g., worms, spyware, viruses, and Trojans), as a result of attempts at unauthorised access to a system through public infrastructure (Internet), or as a result of the operation of authorised system users who abuse their privileges.

Network Intrusion Prevention (IP) includes the process of detecting network intrusion events, but also includes the process of preventing and blocking detected or potential network incidents. Network Intrusion Detection and Prevention systems (IDP) are based on identifying potential incidents, logging information about them, attempting to prevent them and alerting the administrators responsible for security. In addition to this basic function, IDP systems can also be used to identify problems concerning the adopted security policies, to document existing security threats and to discourage individuals from violating security rules. IDP systems use various incident-detection methods.
There are three primary classes of detection methodology:

1. Signature-based detection

Certain security threats can be detected based on the characteristic manner in which they appear. The behaviour of an already detected security threat, described in a form that can be used for the detection of any subsequent appearance of the same threat, is called an attack signature. This detection method, based on the characteristic signature of an attack, is a process of comparing the known forms in which the threat has appeared with the specific network traffic in order to identify certain incidents. Although it can be very efficient in detecting the subsequent appearance of known threats, this detection method is extremely inefficient in the detection of completely unknown threats, of threats hidden by using various techniques, and of already known threats that have somehow been modified in the meantime. It is considered the simplest detection method and it cannot be used for monitoring and analysing the state of certain, more complex forms of communication.

2. Anomaly-based detection

This method of IDP is based on detecting anomalies in a specific traffic flow in the network. Anomaly detection is performed based on the defined profile of acceptable traffic and its comparison with the specific traffic in the network. Acceptable traffic profiles are formed by tracking the typical characteristics of the traffic in the network during a certain period of time (e.g., the number of e-mail messages sent by a user, the number of attempts to log in to a host, or the level of utilisation of the processor in a given time interval). These characteristics of the behaviour of users, hosts, connections or applications in the same time interval are then considered to be completely acceptable. However, acceptable-behaviour profiles can unintentionally contain certain security threats, which lead to problems in their application. Likewise, imprecisely defined profiles of acceptable behaviour can cause numerous alarms, generated by the system itself as a reaction to certain (acceptable) activities on the network. The greatest advantage of this detection method is its exceptional efficiency in detecting previously unknown security threats.

3. Detection based on stateful protocol analysis

Stateful protocol analysis is a process of comparing predefined operation profiles with the specific data flow of that protocol on the network. Predefined profiles of operation of a protocol are defined by the manufacturers of IDP devices and they identify everything that is acceptable or not acceptable in the exchange of messages in a protocol. Unlike anomaly-based detection, where profiles are created based on the hosts or specific activities on the network, stateful protocol analysis uses general profiles generated by the equipment manufacturers. Most IDP systems use several detection methods simultaneously, thus enabling a more comprehensive and precise method of detection.

Testing tools are used for testing the detection, recognition and response capabilities of devices that perform packet filtering (including those that use network address translation), such as firewalls, IDSes/IPSes, routers and switches. These test the Traffic Filtering devices' ability to detect and/or block DoS attacks, spyware, backdoors, and attacks against applications such as IIS, SQL Server and WINS. Standard traffic sessions can be used to test how packet filtering devices handle a variety of protocols including HTTP, FTP, SNMP and SMTP.
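The three detection classes described above, as an added example that is not part of the handbook: simplified signature matching, an anomaly profile built from login-attempt counts per interval, and a stateful check of an SMTP session against a predefined command-order profile, each run over constructed input so that the strengths and weaknesses the text lists can be seen directly. The signatures, the baseline figures and the SMTP sessions are all made-up sample data, not a real rule set or capture.

```python
"""The three IDP detection methods over constructed sample input.

Added example, not from the handbook: simplified versions of signature-based
detection, anomaly-based detection and stateful protocol analysis as the text
describes them. The signatures, the login-attempt baseline and the SMTP
sessions are all constructed sample data, not real rule sets or captures.
"""
import statistics

# 1. Signature-based: compare traffic with the known form of a threat.
SIGNATURES = {  # constructed sample signatures
    "sqli-classic-tautology": b"' OR 1=1",
    "path-traversal-etc-passwd": b"../../etc/passwd",
}


def signature_matches(payload: bytes):
    """Return the names of all signatures whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


# 2. Anomaly-based: build a profile of acceptable behaviour from historical
#    counts (login attempts per user per hour) and flag intervals that deviate.
def build_profile(history):
    """history: {user: [count per interval, ...]} -> {user: (mean, stdev)}."""
    return {u: (statistics.mean(c), statistics.pstdev(c)) for u, c in history.items()}


def is_anomalous(profile, user, count, k=3.0, floor=5):
    """True when count exceeds mean + max(k * stdev, floor).

    The absolute floor keeps a near-constant baseline (stdev close to 0) from
    alarming on every small change, the 'imprecisely defined profile' problem
    the text mentions."""
    mean, sd = profile[user]
    return count > mean + max(k * sd, floor)


# 3. Stateful protocol analysis: compare a session against a predefined
#    profile of the protocol, here a minimal SMTP command-order profile.
SMTP_PROFILE = {  # state -> {verb: next state}; constructed profile
    "start":   {"EHLO": "greeted", "HELO": "greeted"},
    "greeted": {"MAIL": "mail"},
    "mail":    {"RCPT": "rcpt"},
    "rcpt":    {"RCPT": "rcpt", "DATA": "sent"},
    "sent":    {"MAIL": "mail"},
    "closed":  {},
}


def smtp_violations(commands):
    """Walk the session through the profile and list every out-of-order verb."""
    state, violations = "start", []
    for i, cmd in enumerate(commands):
        verb = cmd.split(" ", 1)[0].upper()
        if verb == "QUIT" and state != "closed":
            nxt = "closed"  # QUIT is acceptable in any open state
        else:
            nxt = SMTP_PROFILE[state].get(verb)
        if nxt is None:
            # record the violation but keep the state, so later steps are still checked
            violations.append(f"step {i}: '{verb}' not acceptable in state '{state}'")
        else:
            state = nxt
    return violations


# Constructed sample inputs.
PAYLOADS = [
    b"GET /login?user=admin HTTP/1.1",
    b"GET /items?id=1' OR 1=1-- HTTP/1.1",   # the known form: detected
    b"GET /items?id=1' OR 2=2-- HTTP/1.1",   # same attack, modified: missed
]
LOGIN_HISTORY = {"alice": [2, 3, 1, 2, 3, 2, 2, 1], "svc-backup": [1] * 8}
SMTP_SESSIONS = {
    "normal":  ["EHLO mx.example.test", "MAIL FROM:<a@example.test>",
                "RCPT TO:<b@example.test>", "DATA", "QUIT"],
    "no-rcpt": ["EHLO mx.example.test", "MAIL FROM:<a@example.test>", "DATA", "QUIT"],
}

if __name__ == "__main__":
    for p in PAYLOADS:
        print("signature:", p, "->", signature_matches(p) or "no match")
    profile = build_profile(LOGIN_HISTORY)
    for user, count in [("alice", 4), ("alice", 40), ("svc-backup", 3), ("svc-backup", 7)]:
        print("anomaly:", user, count, "->", is_anomalous(profile, user, count))
    for name, session in SMTP_SESSIONS.items():
        print("stateful:", name, "->", smtp_violations(session) or "conforms")
```

The modified injection string in the third payload is missed by the signature check but would be caught by neither the anomaly nor the protocol profile either, which is why the text recommends combining methods.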
UNIT II
Configuring Secure Content
Management
Lesson Plan
Suggested Learning Activities
Training Resource Material
2.1 Secure Content Management Overview
2.2 The importance of Secure Content Management
2.3 How does Secure Content Management Work?
2.4 Solution Architectures
LESSON PLAN
Outcomes: You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Performance Measures: KA4, KA5: Peer group, Faculty group and Industry experts. KB1 - KB4: Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline Research and Learning activity.
Work Environment / Lab Requirement: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security
Activity 1:
Divide the students into groups and ask them to research various types of attacks and get
examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets
the maximum number of correct examples will get a prize.
Activity 2:
Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.
Activity 3:
Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.
Lesson
Database size—A larger database allows more sites to be added to the restricted list.
Update frequency—New sites continually emerge, and many existing sites are relocated.
Most site blocking solutions update their databases on a daily basis, often automatically
downloading new URLs every night.
A general limitation of site blocking is that it focuses exclusively on HTTP-based Web traffic.
It does not block instant messaging, e-mail attachments, peer-to-peer applications and
other applications that could contain security threats.
Content Monitoring
2.4 Solution Architectures

Content management software can be embedded on a networked device such as a proxy server, caching appliance or firewall, or it can reside on a dedicated server running the Microsoft Windows, Linux or UNIX operating system. The three common deployment methods vary in terms of effectiveness, cost and manageability.

Client Solutions

Installed on the desktop, client solutions are most suited for home environments where parental control is the primary application. Client software solutions include a management interface and a database of blocked Web sites; the parent downloads database updates via the Internet. Leading providers of client solutions include Zone Labs, Net Nanny® and Internet Service Providers (ISPs) such as Microsoft® MSN and AOL®.

Standalone Solutions

Standalone solutions consist of a dedicated database server for defining policies and a separate gateway or firewall that enforces the content management policies. These solutions are more manageable than client based solutions because an administrator can create a policy once on the gateway and then apply it across all desktops. However, most standalone solutions require organizations to purchase and manage two separate hardware devices in addition to content management software. They also require additional storage to be purchased as needed, when the policy database grows to exceed the storage available. Key vendors of standalone solutions include SonicWALL®, Websense and Surf Control®.

Integrated Solutions

Integrated solutions consolidate management and processing in a single gateway or firewall, thereby reducing capital and operational expenses. However, when the gateway or firewall is also used for services like anti-virus and intrusion prevention, performance can suffer. Key vendors of integrated content filtering solutions include SonicWALL®, Symantec™ and WatchGuard®.

Evaluating Solutions

Depending on the levels of protection, performance and manageability required, non-residential customers should choose between an integrated solution and a standalone appliance. Both alternatives can combine Internet content management with dynamic threat protection techniques to control access and secure the network against an array of threats from viruses, spyware, worms, instant messaging and peer-to-peer applications. At the core of both integrated and standalone solutions is a rating architecture that leverages a comprehensive database of millions of pre-rated Web sites and domains. When a user attempts to access a Web site, the URL is cross-referenced against a master ratings database. These databases can be managed and maintained by the content filtering solution vendor, and made available at multiple locations for performance efficiency and high
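The rating lookup at the core of the site-blocking and gateway solutions described above, as an added example written for this handbook (it is not code from any vendor product). The ratings database and the blocked-category policy are constructed from reserved example names; a deployment would load the vendor's master ratings database and the organization's own policy. The point it shows beyond the text is how much normalization the URL needs before the lookup, and which requests the lookup cannot rate at all.

```python
"""URL rating lookup as a content-filtering gateway performs it.

Added example for this handbook, not vendor code. RATINGS_DB and
BLOCKED_CATEGORIES are constructed for the demonstration.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed ratings database: domain -> category. An entry covers the
# domain and everything beneath it; the most specific entry wins.
RATINGS_DB = {
    "example.com": "business",
    "games.example.com": "games",
    "example.net": "adult",
    "example.org": "social-networking",
}

# Constructed policy for one user group: categories that are blocked. Rated
# sites in other categories are allowed; unrated hosts get DEFAULT_ACTION.
BLOCKED_CATEGORIES = frozenset({"adult", "games"})
DEFAULT_ACTION = "allow"


def normalize_host(url: str) -> Optional[str]:
    """Reduce an absolute URL to the host the ratings database is keyed on.

    Case, userinfo, port and a trailing dot must not change the result, or a
    user could reach a blocked site as http://User@EXAMPLE.NET.:80/.
    Returns None when the URL carries no host (mailto:, data:, relative refs).
    """
    host = urlsplit(url).hostname          # lower-cased, no userinfo or port
    if not host:
        return None
    host = host.rstrip(".")
    try:
        # Unicode and punycode spellings of a name match the same entry.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass
    return host


def lookup_category(host: str, db=RATINGS_DB) -> Optional[str]:
    """Longest-suffix match: games.example.com is rated 'games', not
    'business', while mail.example.net inherits example.net's rating."""
    labels = host.split(".")
    for i in range(len(labels)):
        category = db.get(".".join(labels[i:]))
        if category is not None:
            return category
    return None


def decide(url: str, db=RATINGS_DB, blocked=BLOCKED_CATEGORIES,
           default_action: str = DEFAULT_ACTION) -> Tuple[str, Optional[str]]:
    """Return (action, category) for one requested URL.

    Two gaps a practitioner closes with other controls: an IP-literal URL
    never matches a domain entry and lands in the unrated bucket, and this
    check only ever sees HTTP(S) requests, as the text notes.
    """
    host = normalize_host(url)
    if host is None:
        return ("block", None)             # nothing to rate: fail closed
    category = lookup_category(host, db)
    if category is None:
        return (default_action, None)
    return ("block" if category in blocked else "allow", category)
```

Run `decide("http://games.example.com/play")` to see a block on the specific entry, and `decide("http://192.0.2.1/")` to see why the unrated policy, not the database, decides what an IP-literal request does.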
UNIT III
Configuring Firewall
Lesson Plan
Suggested Learning Activities
Trainer’s Resource Material
3.1. What Firewall Software Does?
3.2. Firewall Configuration
3.3. Why Firewall Security?
3.4. Configuring a Simple Firewall
LESSON PLAN

The lesson plan and suggested learning activities for this unit are the same as those given for Unit II.
Lesson
A company might set up only one or two machines to handle a specific protocol and ban that protocol on all other machines.

to be an exact match. The "X-rated" filter would not catch "X rated" (no hyphen). But you can include as many words, phrases and variations of them as you need.
takes by sending it to a different router. This is one of the ways that a denial of service attack is set up.

Source routing: In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network. Most firewall products disable source routing by default.

what traffic to allow through. For most of us, it is probably better to work with the defaults provided by the firewall developer unless there is a specific reason to change it.

One of the best things about a firewall from a security standpoint is that it stops anyone on the outside from logging onto a computer in your private network. While this is a big deal for businesses, most home networks will probably not be threatened in this manner. Still, putting a firewall in place provides some peace of mind.

In cases like this, you may want to create a DMZ (Demilitarized Zone). A DMZ is a separate network segment that sits between the Internet and the protected internal network: hosts in it are reachable from outside, but the firewall still filters what reaches them and, more importantly, what they can reach on the inside. Think of the DMZ as the front yard of a house. It belongs to the owner, who may put some things there, but would put anything valuable inside the house where it can be properly secured.

Setting up a DMZ is very easy. If you have multiple computers, you can choose to simply place one of the computers between the Internet connection and the firewall. Most of the software firewalls and home gateways available will allow you to designate one computer as the "DMZ host"; the gateway then forwards all unsolicited inbound traffic to that machine. Treat such a host as exposed: harden it, keep nothing on it that the internal network trusts, and do not let it initiate connections inward.

Configuring a Simple Firewall

The Cisco 1800 integrated services routers support network traffic filtering by means of access lists. The router also supports packet inspection and dynamic temporary access lists by means of Context-Based Access Control (CBAC).

Basic traffic filtering is limited to configured access list implementations that examine packets at the network layer or, at most, the transport layer, permitting or denying the passage of each packet through the firewall. However, the use of inspection rules in CBAC allows the creation and use of dynamic temporary access lists. These dynamic lists allow temporary openings in the configured access lists at firewall interfaces. These openings are created when traffic for a specified user session exits the internal network through the firewall. The openings allow returning traffic for the specified session (that would normally be blocked) back through the firewall.

See the Cisco IOS Security Configuration Guide, Release 12.3, for more detailed information on traffic filtering and firewalls.

The following Figure shows a network deployment using PPPoE or PPPoA with NAT and a firewall.
In the configuration example that follows, the firewall is applied to the outside WAN interface (FE0) on the Cisco 1811 or Cisco 1812 and protects the Fast Ethernet LAN on FE2 by filtering and inspecting all traffic entering the router on the WAN interface FE0.

Note that in this example, the network traffic originating from the corporate network, network address 10.1.1.0, is considered safe traffic and is not filtered.
Configuration Tasks

Perform the following tasks to configure this network scenario:

Perform these steps to create access lists for use by the firewall, beginning in global configuration mode:

Step 1
Command: access-list access-list-number {deny | permit} protocol source source-wildcard [operator [port]] destination
Example:
Router(config)# access-list 103 permit udp host 200.1.1.1 eq isakmp any
Router(config)#
Purpose: Creates an access list which prevents Internet-initiated traffic from reaching the local (inside) network of the router, and which compares source and destination ports. See the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services for details about this command.

Step 2
Command: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
Example:
Router(config)# access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
Router(config)#
Purpose: Creates an access list that allows network traffic to pass freely between the corporate network and the local networks through the configured VPN tunnel.
Step 2
Command: ip inspect name inspection-name protocol
Purpose: Repeat this command for each inspection rule that you wish to use.
Example:
Router(config)# ip inspect name firewall rtsp
Router(config)# ip inspect name firewall h323
Router(config)# ip inspect name firewall netshow
Router(config)# ip inspect name firewall ftp
Router(config)# ip inspect name firewall sqlnet
Router(config)#
Step 1
Command: interface type number
Purpose: Enters interface configuration mode for the inside network interface on your router.
Example:
Router(config)# interface vlan 1
Router(config-if)#

Step 2
Command: ip inspect inspection-name {in | out}
Purpose: Assigns the set of firewall inspection rules to the inside interface on the router.
Example:
Router(config-if)# ip inspect firewall in
Router(config-if)#

Step 3
Command: exit
Purpose: Returns to global configuration mode.
Example:
Router(config-if)# exit
Router(config)#

Step 4
Command: interface type number
Purpose: Enters interface configuration mode for the outside network interface on your router.
Example:
Router(config)# interface fastethernet 0
Router(config-if)#

Step 5
Command: ip access-group {access-list-number | access-list-name} {in | out}
Purpose: Assigns the defined ACLs to the outside interface on the router.
Example:
Router(config-if)# ip access-group 103 in
Router(config-if)#

Step 6
Command: exit
Purpose: Returns to global configuration mode.
Example:
Router(config-if)# exit
Router(config)#
! Firewall inspection is setup for all tcp and udp traffic as well as specific application
! protocols as defined by the security policy.
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
!
interface vlan 1                  ! This is the internal home network
 ip inspect firewall in           ! inspection examines outbound traffic
 no cdp enable
!
interface fastethernet 0          ! FE0 is the outside or internet exposed interface.
 ip access-group 103 in           ! acl 103 permits ipsec traffic from the corp. router as well as denies internet initiated traffic inbound.
 ip nat outside
 no cdp enable
!
! acl 103 defines traffic allowed from the peer for the ipsec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
access-list 103 permit icmp any any    ! allow icmp for debugging but should be disabled due to security implications.
access-list 103 deny ip any any        ! prevents internet initiated traffic inbound.
no cdp run
!
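How the inbound ACL on the outside interface and the inspection rule on the inside interface work together in the configuration above, as an added example written for this handbook (it is not Cisco code). The model keeps the addresses of the example (inside network 10.1.1.0/24, IPsec peer 200.1.1.1); the Internet hosts in 203.0.113.0/24, the packets and the half-open limit of 2 are constructed. The anti-spoofing check on the inside interface is an assumption, not part of the page's configuration; the half-open handling is count-based and stands in for the ip inspect max-incomplete high threshold without the one-minute rate logic.

```python
"""Stateful inspection on a model of the configuration above.

Added example for this handbook, not Cisco code. The inside network and
IPsec peer follow the example configuration; hosts in 203.0.113.0/24,
the packets and the half-open limit are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

INSIDE_NET = ip_network("10.1.1.0/24")
IPSEC_PEER = ip_address("200.1.1.1")
ISAKMP = 500


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp" or "esp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False


def acl_103(pkt: Packet) -> bool:
    """The static 'ip access-group 103 in' on fastethernet 0: first matching
    line wins, and anything not explicitly permitted hits 'deny ip any any'."""
    src = ip_address(pkt.src)
    if pkt.proto == "udp" and src == IPSEC_PEER and ISAKMP in (pkt.sport, pkt.dport):
        return True     # permit udp host 200.1.1.1 any eq isakmp / eq isakmp any
    if pkt.proto == "esp" and src == IPSEC_PEER:
        return True     # permit esp host 200.1.1.1 any
    if pkt.proto == "icmp":
        return True     # permit icmp any any (debugging only; disable in production)
    return False        # deny ip any any


class Inspector:
    """'ip inspect firewall in' on the inside interface: records sessions
    leaving the LAN and opens temporary return paths through ACL 103.
    max_incomplete_high is a count-based stand-in for the IOS threshold."""

    def __init__(self, max_incomplete_high: int = 500):
        self.sessions: Dict[Tuple, str] = {}   # (proto, in ip, in port, out ip, out port) -> state
        self.max_incomplete_high = max_incomplete_high
        self.resets: List[Tuple] = []          # half-open sessions torn down by the limit

    def half_open(self) -> List[Tuple]:
        return [k for k, state in self.sessions.items() if state == "half-open"]

    def outbound(self, pkt: Packet) -> str:
        """Packet entering the inside interface, bound for the Internet."""
        if ip_address(pkt.src) not in INSIDE_NET:
            return "drop (spoofed source)"     # assumption: not in the page's config
        if pkt.proto not in ("tcp", "udp"):
            return "permit"                    # only tcp/udp are inspected here
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.sessions:
            self.sessions[key] = "half-open" if pkt.proto == "tcp" else "established"
            # Half-open protection: past the high water mark the oldest
            # half-open session is reset, so unanswered SYNs cannot fill the table.
            while len(self.half_open()) > self.max_incomplete_high:
                oldest = self.half_open()[0]
                del self.sessions[oldest]
                self.resets.append(oldest)
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        """Packet entering the outside interface, bound for the LAN."""
        if pkt.proto in ("tcp", "udp"):
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.sessions:
                if pkt.proto == "tcp" and pkt.syn and pkt.ack:
                    self.sessions[key] = "established"   # SYN/ACK completes the handshake
                return "permit (dynamic opening)"
        # No inspected session owns this packet, so the static ACL decides.
        return "permit (acl 103)" if acl_103(pkt) else "deny (acl 103)"


def run_scenario() -> Tuple[Inspector, List[str]]:
    """Constructed traffic walked through the firewall; returns the decisions."""
    fw = Inspector(max_incomplete_high=2)
    log = []
    # 1. An inside host opens a web session; inspection records it ...
    log.append(fw.outbound(Packet("tcp", "10.1.1.5", "203.0.113.10", 40000, 80, syn=True)))
    # 2. ... so the SYN/ACK is let back in although ACL 103 alone would deny it.
    log.append(fw.inbound(Packet("tcp", "203.0.113.10", "10.1.1.5", 80, 40000, syn=True, ack=True)))
    # 3. Unsolicited SYN to SSH on the LAN: no session, ACL 103 denies it.
    log.append(fw.inbound(Packet("tcp", "203.0.113.77", "10.1.1.5", 51515, 22, syn=True)))
    # 4. ISAKMP from the IPsec peer: permitted by the static ACL.
    log.append(fw.inbound(Packet("udp", "200.1.1.1", "10.1.1.1", 500, 500)))
    # 5. ESP from anyone but the peer: denied.
    log.append(fw.inbound(Packet("esp", "203.0.113.77", "10.1.1.1")))
    # 6. Three SYNs that never get answered: the third pushes the half-open
    #    count past the limit of 2, so the oldest half-open session is reset.
    for n, peer in enumerate(("203.0.113.20", "203.0.113.21", "203.0.113.22")):
        log.append(fw.outbound(Packet("tcp", "10.1.1.6", peer, 40001 + n, 443, syn=True)))
    return fw, log
```

Step 2 is the whole point of CBAC: the same packet that step 3 shows ACL 103 denying is permitted when an inspected session owns it. Step 6 shows why the half-open thresholds matter on a small router: the table is bounded, and the cost of crossing the limit is a reset of someone else's legitimate, still-opening session.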
UNIT IV
Troubleshooting information security
devices
Lesson Plan
Suggested Learning Activities
Training Resource Material
4.1 Troubleshooting the Cisco IOS Firewall Configuration
4.2 Troubleshooting routers
LESSON PLAN

The lesson plan and suggested learning activities for this unit are the same as those given for Unit II.
Some of the more frequently used show interfaces commands include the following:
Some of the most frequently used show controllers commands include the following:
be used to confirm basic network connectivity on AppleTalk, ISO Connectionless Network Service (CLNS), IP, Novell, Apollo, VINES, DECnet, or XNS networks.

For IP, the ping command sends Internet Control Message Protocol (ICMP) Echo messages. ICMP is the Internet protocol that reports errors and provides information relevant to IP packet addressing. If a station receives an ICMP Echo message, it sends an ICMP Echo Reply message back to the source.

The extended command mode of the ping command permits you to specify the supported IP header options. This allows the router to perform a more extensive range of test options. To enter ping extended command mode, enter yes at the extended commands prompt of the ping command.

It is a good idea to use the ping command when the network is functioning properly to see how the command works under normal conditions and so you have something to compare against when troubleshooting.

Using the trace Command

The trace user exec command discovers the routes that a router’s packets follow when traveling to their destinations. The trace privileged exec command permits the supported IP header options to be specified, allowing the router to perform a more extensive range of test options.

The trace command works by using the error message generated by routers when a datagram exceeds its time-to-live (TTL) value. First, probe datagrams are sent with a TTL value of 1. This causes the first router to discard the probe datagrams and send back “time exceeded” error messages. The trace command then sends several probes and displays the round-trip time for each. After every third probe, the TTL is increased by one.

Each outgoing packet can result in one of two error messages. A “time exceeded” error message indicates that an intermediate router has seen and discarded the probe. A “port unreachable” error message indicates that the destination node has received the probe and discarded it because it could not deliver the packet to an application. If the timer goes off before a response comes in, trace prints an asterisk (*).

The trace command terminates when the destination responds, when the maximum TTL is exceeded, or when the user interrupts the trace with the escape sequence.

As with ping, it is a good idea to use the trace command when the network is functioning properly to see how the command works under normal conditions and so you have something to compare against when troubleshooting.
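The probe-and-reply sequence the trace description above relies on, as an added example written for this handbook (it is not Cisco code). The path is a constructed list of hops with addresses from reserved documentation ranges, so the TTL and ICMP exchange can be stepped through without raw sockets or a live network; the hop that "filters ICMP errors" is there to show what the asterisks in a real trace mean.

```python
"""The probe-and-reply sequence behind the trace command.

Added example for this handbook, not Cisco code. PATH is constructed;
a real trace sends UDP probes and reads ICMP replies off the wire.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    address: str
    silent: bool = False   # drops or filters ICMP errors: probes to it time out


def send_probe(path: List[Hop], ttl: int) -> Optional[Tuple[str, str]]:
    """Forward one UDP probe hop by hop.

    Every router decrements the TTL; the one that takes it to 0 discards the
    probe and answers 'time exceeded'. The destination (last hop) answers
    'port unreachable' because nothing listens on the probe's port. Returns
    None when the answering node stays silent (the asterisk case).
    """
    for index, hop in enumerate(path):
        ttl -= 1
        at_destination = index == len(path) - 1
        if ttl == 0 or at_destination:
            if hop.silent:
                return None
            return ("port unreachable" if at_destination else "time exceeded", hop.address)
    return None


def trace(path: List[Hop], probes_per_ttl: int = 3, max_ttl: int = 30) -> List[Tuple[int, List[str]]]:
    """One row per TTL: the address that answered each probe, or '*'.
    Stops when the destination answers or max_ttl is reached."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        replies = [send_probe(path, ttl) for _ in range(probes_per_ttl)]
        rows.append((ttl, [reply[1] if reply else "*" for reply in replies]))
        if any(reply and reply[0] == "port unreachable" for reply in replies):
            break
    return rows


# Constructed path: LAN gateway, an ISP router that filters ICMP errors,
# a transit router, and the destination host.
PATH = [Hop("10.1.1.1"), Hop("203.0.113.1", silent=True),
        Hop("198.51.100.9"), Hop("198.51.100.42")]
```

`trace(PATH)` returns four rows; the second is all asterisks even though traffic passes that hop, which is the case to keep in mind when reading a real trace. A destination that filters everything produces asterisks all the way to max_ttl, so the trace never "terminates when the destination responds" and only the maximum TTL ends it.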
UNIT V
Configuring IDS
Lesson Plan
Suggested Learning Activities
Training Resource Material
5.1 Cisco IOS Firewall IDS feature
5.2 Cisco IOS Firewall IDS Signature List
5.3 Cisco IOS Firewall IDS Configuration Task List
5.4 Configuring Snort
LESSON PLAN

The lesson plan and suggested learning activities for this unit are the same as those given for Unit II.
The maximum incomplete sessions (modified via the ip inspect max-incomplete high and the ip inspect max-incomplete low commands)

After the incoming TCP session setup rate crosses the one-minute high water mark, the router will reset the oldest half-open session, which is the default behaviour of the Cisco IOS Firewall. Cisco IOS IDS cannot modify this default behaviour. Thus, after a new TCP session rate crosses the one-minute high water mark and a router attempts to open new connections by sending SYN packets at the same time, the latest SYN packet will cause the router to reset the half-open session that was opened by the earlier SYN packet. Only the last SYN request will survive.

Compatibility with Cisco Secure Intrusion Detection

Cisco IOS Firewall is compatible with the Cisco Secure Intrusion Detection System (formerly known as NetRanger). The Cisco Secure IDS is an enterprise-scale, real-time, intrusion detection system designed to detect, report, and terminate unauthorized activity throughout a network.

The Cisco Secure IDS consists of three components:
• Sensor
• Director
• Post Office

Cisco Secure IDS Sensors, which are high-speed network appliances, analyze the content and context of individual packets to determine if traffic is authorized. If a network's data stream exhibits unauthorized or suspicious activity, such as a SATAN attack, a ping sweep, or the transmission of a secret research project code word, Cisco Secure IDS Sensors can detect the policy violation in real time, forward alarms to a Cisco Secure IDS Director management console, and remove the offender from the network.

The Cisco Secure IDS Director is a high-performance, software-based management system that centrally monitors the activity of multiple Cisco Secure IDS Sensors located on local or remote network segments.

The Cisco Secure IDS Post Office is the communication backbone that allows Cisco Secure IDS services and hosts to communicate with each other. All communication is supported by a proprietary, connection-based protocol that can switch between alternate routes to maintain point-to-point connections.

Cisco Secure IDS customers can deploy the Cisco IOS Firewall IDS signatures to complement their existing IDS systems. This allows an IDS to be deployed to areas that may not be capable of supporting a Cisco Secure IDS Sensor. Cisco IOS Firewall IDS signatures can be deployed alongside or independently of other Cisco IOS Firewall features.

The Cisco IOS Firewall IDS can be added to the Cisco Secure IDS Director screen as an icon to provide a consistent view of all intrusion detection sensors throughout a network. The Cisco IOS Firewall intrusion detection capabilities have an enhanced reporting mechanism that permits logging to the Cisco Secure IDS Director console in addition to Cisco IOS syslog.

Functional Description

The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets as they traverse the router's interfaces and acting upon them in a definable fashion. When a packet, or a number of packets in a session, match a signature, the Cisco IOS Firewall IDS may perform the following configurable actions:
• Alarm—Sends an alarm to a syslog server or Cisco Secure IDS Director
• Drop—Drops the packet
• Reset—Resets the TCP connection

The following describes the packet auditing process with Cisco IOS Firewall IDS:
• You create an audit rule, which specifies the signatures that should be applied to packet traffic and the actions to take when a match is found. An audit rule can apply informational and attack signatures to network packets. The signature list can have just one signature, all signatures, or any number of signatures in between. Signatures can be disabled in case of false positives or the needs of the network environment.
• You apply the audit rule to an interface on the router, specifying a traffic direction (in or out).
• If the audit rule is applied to the in direction of the interface, packets passing through the interface are audited before the inbound ACL has a chance to discard them. This allows an administrator to be alerted if an attack or information-gathering activity is underway even if the router would normally reject the activity.
• If the audit rule is applied to the out direction on the interface, packets are audited after they enter the router through another interface. In this case, the inbound ACL of the other interface may discard packets before they are audited. This may result in the loss of Cisco IOS Firewall IDS alarms even though the attack or information-gathering activity was thwarted.
• Packets going through the interface that match the audit rule are audited by a series of modules, starting with IP; then either ICMP, TCP, or UDP (as appropriate); and finally, the Application level.
• If a signature match is found in a module, then the following user-configured action(s) occur:
  – If the action is alarm, then the module completes its audit, sends an alarm, and passes the packet to the next module.
  – If the action is drop, then the packet is dropped from the module, discarded, and not sent to the next module.
  – If the action is reset, then the packets are forwarded to the next module, and packets with the reset flag set are sent to both participants of the session, if the session is TCP.
It is recommended that you use the drop and reset actions together.

If there are multiple signature matches in a module, only the first match fires an action. Additional matches in other modules fire additional alarms, but only one per module.

Note: This process is different than on the Cisco Secure IDS Sensor appliance, which identifies all signature matches for each packet.
When to Use Firewall IDS

Firewall IDS capabilities are ideal for providing additional visibility at intranet, extranet, and branch-office Internet perimeters. Network administrators enjoy more robust protection against attacks on the network and can automatically respond to threats from internal or external hosts.

The Firewall with intrusion detection is intended to satisfy the security goals of customers, and is particularly appropriate for the following scenarios:
• Enterprises that are interested in a cost-effective method of extending their perimeter security across network boundaries, specifically branch-office, intranet, and extranet perimeters.
• Small and medium-sized businesses that are looking for a cost-effective router that has an integrated firewall with intrusion-detection capabilities.
• Service providers that want to set up managed services, providing firewalling and intrusion detection to their customers, all housed within the necessary function of a router.

Memory and Performance Impact

The performance impact of intrusion detection will depend on the configuration of the signatures, the level of traffic on the router, the router platform, and other individual features enabled on the router such as encryption, source route bridging, and so on. Enabling or disabling individual signatures will not alter performance significantly; however, signatures that are configured to use Access Control Lists will have a significant performance impact.

For auditing atomic signatures, there is no traffic-dependent memory requirement. For auditing compound signatures, CBAC allocates memory to maintain the state of each session for each connection. Memory is also allocated for the configuration database and for internal caching.
In Cisco IOS Firewall IDS, signatures are categorized into four types:
• Info Atomic
• Info Compound
• Attack Atomic
• Attack Compound

An info signature detects information-gathering activity, such as a port sweep. An attack signature detects attacks attempted into the protected network, such as denial-of-service attempts or the execution of illegal commands during an FTP session.

Info and attack signatures can be either atomic or compound signatures. Atomic signatures can detect patterns as simple as an attempt to access a specific port on a specific host. Compound signatures can detect complex patterns, such as a sequence of operations distributed across multiple hosts over an arbitrary period of time.

The intrusion-detection signatures included in the Cisco IOS Firewall were chosen from a broad cross-section of intrusion-detection signatures as representative of the most common network attacks and information-gathering scans that are not commonly found in an operational network.

The following signatures are listed in numerical order by their signature number in the Cisco Secure IDS Network Security Database. After each signature's name is an indication of the type of signature (info or attack, atomic or compound). Atomic signatures marked with an asterisk (Atomic*) are allocated memory for session states by CBAC.

1000 IP options-Bad Option List (Info, Atomic)
Triggers on receipt of an IP datagram where the list of IP options in the IP datagram header is incomplete or malformed. The IP options list contains one or more options that perform various network management or debugging tasks.

1001 IP options-Record Packet Route (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 7 (Record Packet Route).

1002 IP options-Timestamp (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 4 (Timestamp).

1003 IP options-Provide s,c,h,tcc (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the
3042 TCP - FIN bit with no ACK bit in flags (Attack, Atomic)
Triggers when a TCP packet is received with the FIN bit set but with no ACK bit set in the flags field.

3050 Half-open SYN Attack/SYN Flood (Attack, Compound)
Triggers when multiple TCP sessions have been improperly initiated on any of several well-known service ports. Detection of this signature is currently limited to FTP, Telnet, HTTP, and e-mail servers (TCP ports 21, 23, 80, and 25 respectively).

3100 Smail Attack (Attack, Compound)
Triggers on the very common "smail" attack against SMTP-compliant e-mail servers (frequently sendmail).

3101 Sendmail Invalid Recipient (Attack, Compound)
Triggers on any mail message with a "pipe" (|) symbol in the recipient field.

3102 Sendmail Invalid Sender (Attack, Compound)
Triggers on any mail message with a "pipe" (|) symbol in the "From:" field.

3103 Sendmail Reconnaissance (Attack, Compound)
Triggers when "expn" or "vrfy" commands are issued to the SMTP port.

3104 Archaic Sendmail Attacks (Attack, Compound)
Triggers when "wiz" or "debug" commands are issued to the SMTP port.

3105 Sendmail Decode Alias (Attack, Compound)
Triggers on any mail message with ": decode@" in the header.

3106 Mail Spam (Attack, Compound)
Counts number of Rcpt to: lines in a single mail message and alarms after a user-definable maximum has been exceeded (default is 250).

3107 Majordomo Execute Attack (Attack, Compound)
A bug in the Majordomo program will allow remote users to execute arbitrary commands at the privilege level of the server.

3150 FTP Remote Command Execution (Attack, Compound)
Triggers when someone tries to execute the FTP SITE command.

3151 FTP SYST Command Attempt (Info, Compound)
Triggers when someone tries to execute the FTP SYST command.

3152 FTP CWD ~root (Attack, Compound)
Triggers when someone tries to execute the CWD ~root command.

3153 FTP Improper Address Specified (Attack, Atomic*)
Triggers if a port command is issued with an address that is not the same as the requesting host.

3154 FTP Improper Port Specified (Attack, Atomic*)
Triggers if a port command is issued with a data port specified that is less than 1024 or greater than 65535.

4050 UDP Bomb (Attack, Atomic)
Triggers when the UDP length specified is less than the IP length specified.

4100 Tftp Passwd File (Attack, Compound)
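The audit process described in the Functional Description above (modules run in order, one match per module, alarm/drop/reset semantics) applied to a handful of the signatures just listed, as an added example written for this handbook; it is not Cisco code and the checks are simplified re-statements of the signature descriptions, not the real signature engine. Packets are constructed; the spam threshold is lowered from the default of 250 to 2 so the compound signature fires within a short session. The session key used for 3106 and the PORT parsing are assumptions of the model.

```python
"""Packet audit in the style of the Cisco IOS Firewall IDS described above.

Added example for this handbook, not Cisco code. Signature checks are
simplified re-statements of the signature list; packets are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Hit = Tuple[int, str]


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()     # TCP flag names present, e.g. {"FIN"}
    ip_options: tuple = ()             # IP option numbers in the header
    payload: str = ""                  # one application-layer command line


@dataclass
class AuditRule:
    actions: frozenset                 # subset of {"alarm", "drop", "reset"}
    spam_recipients: int = 250         # 'ip audit smtp spam' threshold
    rcpt_count: Dict[Tuple, int] = field(default_factory=dict)   # state for compound 3106
    alarms: List[Tuple[int, str, str, str]] = field(default_factory=list)


def ip_module(pkt: Packet, rule: AuditRule) -> Optional[Hit]:
    if 7 in pkt.ip_options:
        return (1001, "IP options-Record Packet Route")
    if 4 in pkt.ip_options:
        return (1002, "IP options-Timestamp")
    return None


def transport_module(pkt: Packet, rule: AuditRule) -> Optional[Hit]:
    if pkt.proto == "tcp" and "FIN" in pkt.flags and "ACK" not in pkt.flags:
        return (3042, "TCP - FIN bit with no ACK bit in flags")
    return None


def application_module(pkt: Packet, rule: AuditRule) -> Optional[Hit]:
    """Atomic checks look at one command; 3106 is compound and counts RCPT
    lines across the SMTP session, so it keeps state in the rule."""
    verb, _, arg = pkt.payload.strip().partition(" ")
    verb = verb.upper()
    if pkt.proto == "tcp" and pkt.dport == 25:
        if verb in ("EXPN", "VRFY"):
            return (3103, "Sendmail Reconnaissance")
        if verb in ("WIZ", "DEBUG"):
            return (3104, "Archaic Sendmail Attacks")
        if verb == "RCPT":
            if "|" in arg:
                return (3101, "Sendmail Invalid Recipient")
            session = (pkt.src, pkt.sport, pkt.dst)      # assumed session key
            rule.rcpt_count[session] = rule.rcpt_count.get(session, 0) + 1
            if rule.rcpt_count[session] > rule.spam_recipients:
                return (3106, "Mail Spam")
    if pkt.proto == "tcp" and pkt.dport == 21:
        if verb == "SITE":
            return (3150, "FTP Remote Command Execution")
        if verb == "PORT":
            try:
                h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
            except ValueError:
                return None
            if f"{h1}.{h2}.{h3}.{h4}" != pkt.src:
                return (3153, "FTP Improper Address Specified")   # FTP bounce
            if not 1024 <= p1 * 256 + p2 <= 65535:
                return (3154, "FTP Improper Port Specified")
    return None


MODULES = (ip_module, transport_module, application_module)


def audit(pkt: Packet, rule: AuditRule) -> str:
    """IP, then transport, then application. Only the first match in a
    module fires. alarm passes the packet on, drop discards it at once,
    reset lets the remaining modules run and then tears the TCP session down."""
    reset = False
    for module in MODULES:
        hit = module(pkt, rule)
        if hit is None:
            continue
        if "alarm" in rule.actions:
            rule.alarms.append((hit[0], hit[1], pkt.src, pkt.dst))
        if "drop" in rule.actions:
            return "drop"
        if "reset" in rule.actions and pkt.proto == "tcp":
            reset = True
    return "forward+reset" if reset else "forward"


def run_scenario() -> Tuple[AuditRule, AuditRule, Dict[str, object]]:
    """Constructed packets through an alarm-only rule and an enforcing rule."""
    monitor = AuditRule(actions=frozenset({"alarm"}))
    enforce = AuditRule(actions=frozenset({"alarm", "drop", "reset"}), spam_recipients=2)
    results: Dict[str, object] = {}
    probe = Packet("tcp", "203.0.113.9", "10.1.1.5", 4444, 80,
                   flags=frozenset({"FIN"}), ip_options=(7, 4))
    results["probe_monitor"] = audit(probe, monitor)   # 1001 and 3042 alarm, one per module
    results["probe_enforce"] = audit(probe, enforce)   # dropped in the IP module; 3042 never runs
    smtp = [Packet("tcp", "203.0.113.9", "10.1.1.25", 5000, 25, payload=f"RCPT TO:<u{i}@example.com>")
            for i in range(3)]
    results["rcpt"] = [audit(p, enforce) for p in smtp]   # third RCPT crosses the threshold
    results["ftp_port"] = audit(Packet("tcp", "203.0.113.9", "10.1.1.21", 5001, 21,
                                       payload="PORT 192,0,2,7,4,1"), enforce)
    return monitor, enforce, results
```

The probe packet is the instructive case: under the alarm-only rule it raises two alarms because each module may fire once, but under the enforcing rule the IP module's drop ends processing and the FIN-without-ACK signature never runs. That is the trade the text's "use drop and reset together" advice makes against alarm-only visibility.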
Trainer’s Handbook – Security Analyst SSC/ Q0903
See the following sections for configuration tasks for the Cisco IOS Firewall Intrusion Detection System feature. Each task in the list is identified as optional or required:
• Initializing Cisco IOS Firewall IDS (Required)
• Initializing the Post Office (Required)
• Configuring and Applying Audit Rules (Required)
• Verifying the Configuration (Optional)
Command / Purpose

Step 1 Router(config)# ip audit smtp spam recipients
Sets the threshold beyond which spamming in e-mail messages is suspected. Here, recipients is the maximum number of recipients in an e-mail message. The default is 250.

Step 2 Router(config)# ip audit po max-events number_events
Sets the threshold beyond which queued events are dropped from the queue for sending to the Cisco Secure IDS Director. Here, number_events is the number of events in the event queue. The default is 100. Increasing this number may have an impact on memory and performance, as each event in the event queue requires 32 KB of memory.

Step 3 Router(config)# exit
Exits global configuration mode.
Command / Purpose

Step 1 Router(config)# ip audit notify nr-director
or
Router(config)# ip audit notify log
Sends event notifications (alarms) to either a Cisco Secure IDS Director, a syslog server, or both. For example, if you are sending alarms to a Cisco Secure IDS Director, use the nr-director keyword in the command syntax. If you are sending alarms

the default).
• application-type is either director or logger.
Note If you are sending Post Office notifications to a Sensor, use logger instead of director as your application. Sending to a logging application means that no alarms are sent to a GUI; instead, the Cisco Secure IDS alarm data is written to a flat file, which can then be processed with filters, such as perl and awk, or staged to a database. Use logger only in advanced applications where you want the alarms only to be logged and not displayed.

Step 4 Router(config)# logging console info
Displays the syslog messages on the router console if you are sending alarms to the syslog console.

Step 5 Router(config)# exit
Exits global configuration mode.

Step 6 Router# write memory
Saves the configuration.

Step 7 Router# reload
Reloads the router.
After you have configured the router, add the Cisco IOS Firewall IDS router's Post Office information to the /usr/nr/etc/hosts and /usr/nr/etc/routes files on the Cisco Secure IDS Sensors and Directors communicating with the router. You can do this with the nrConfigure tool in Cisco Secure IDS. For more information, refer to the NetRanger User Guide.
Command / Purpose

Step 1 Router(config)# ip audit info {action [alarm] [drop] [reset]}
and Router(config)# ip audit attack {action [alarm] [drop] [reset]}
Sets the default actions for info and attack signatures. Both types of signatures can take any or all of the following actions: alarm, drop, and reset. The default action is alarm.

Step 2 Router(config)# ip audit name audit-name {info | attack} [list standard-acl] [action [alarm] [drop] [reset]]
Creates audit rules, where audit-name is a user-defined name for an audit rule. For example:
ip audit name audit-name info
ip audit name audit-name attack
The default action is alarm.
Note Use the same name when you assign attack and info type signatures.
You can also use the ip audit name command to attach access control lists to an audit rule for filtering out sources of false alarms. In this case standard-acl is an integer representing an ACL. If you attach an ACL to an audit rule, the ACL must be defined as well:
ip audit name audit-name {info|attack} list acl-list
In an audit ACL a deny entry exempts the matching source from auditing and a permit entry keeps it audited, so a list that only denies a few known hosts must end with permit any, or nothing else will be inspected.
change:
ip audit signature signature-number disable
You can verify which interfaces have audit rules applied to them with the show ip audit
interface command (see Example 2).
Interface Configuration
Interface Ethernet0
Inbound IDS audit rule is AUDIT.1
info actions alarm
attack actions alarm drop reset
Outgoing IDS audit rule is not set
Interface Ethernet1
Inbound IDS audit rule is AUDIT.1
info actions alarm
attack actions alarm drop reset
Outgoing IDS audit rule is not set
Command / Purpose

Router# clear ip audit configuration
Disables Cisco IOS Firewall IDS, removes all intrusion detection configuration entries, and releases dynamic resources.

Router# clear ip audit statistics
Resets statistics on packets analyzed and alarms sent.

Router# show ip audit statistics
Displays the number of packets audited and the number of alarms sent, among other information.
The following display provides sample output from the show ip audit statistics command:
In the following example, Cisco IOS Firewall IDS is initialized. Notice that the router is
reporting to two Directors. Also notice that the AUDIT.1 audit rule will apply both info and
attack signatures.
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in
In the following example, an ACL is added to account for a Cisco Secure IDS Scanner (172.16.59.16)
that scans for all types of attacks. As a result, no packets originating from the device will be audited.
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in
The security administrator notices that the router is generating a lot of false positives for signatures
1234, 2345, and 3456. The system administrator knows that there is an application on the network
that is causing signature 1234 to fire, and it is not an application that should cause security concerns.
This signature can be disabled, as illustrated in the following example:
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in
After further investigation, the security administrator discovers that the false positives for
signatures 2345 and 3456 are caused by specific applications on hosts 10.4.1.1 and 10.4.1.2,
as well as by some workstations using DHCP on the 172.16.58.0 subnetwork. Attaching an
ACL that denies processing of these hosts stops the creation of false positive alarms, as
illustrated in the following example:
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in
The company has now reorganized and has placed only trusted people on the 172.16.57.0
network. The work done by the employees on these networks must not be disrupted by
Cisco IOS Firewall IDS, so attack signatures in the AUDIT.1 audit rule now will only alarm on
a match.
For sessions that originate from the outside network, any attack signature matches (other
than the false positive ones that are being filtered out) are to be dealt with in the following
manner: send an alarm, drop the packet, and reset the TCP session.
This dual-tier method of signature response is accomplished by configuring two different
audit specifications and applying each to a different ethernet interface, as illustrated in the
following example:
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.2 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in
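The scenario listings above show only the interface configuration, so the audit rules, the signature changes and the ACLs that the prose describes are not visible in them. The following is an added, complete configuration written for this page (it is not taken from the handbook or from Cisco's documentation examples) that carries all of the scenarios at once: the scanner at 172.16.59.16 excluded through an ACL attached to the audit rules, signature 1234 disabled, signatures 2345 and 3456 filtered through a second ACL for the hosts and subnet named above, and AUDIT.1 (alarm only) bound to the trusted interface beside AUDIT.2 (alarm, drop, reset) bound to the outside interface. The ACL numbers 90 and 91 are assumptions; the page does not give them.

```text
! --- Initialise Cisco IOS Firewall IDS and the Post Office (values from the page's own example)
ip audit smtp spam 25
ip audit po max-events 100
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
!
! --- Default actions for the two signature classes
ip audit info action alarm
ip audit attack action alarm drop reset
!
! --- Signature 1234 fires only on a benign internal application: disable it
ip audit signature 1234 disable
!
! --- Signatures 2345 and 3456: exempt the hosts and the DHCP subnet that cause
!     the false positives (ACL number 91 assumed). deny = do not audit this source.
ip audit signature 2345 list 91
ip audit signature 3456 list 91
access-list 91 deny   host 10.4.1.1
access-list 91 deny   host 10.4.1.2
access-list 91 deny   172.16.58.0 0.0.0.255
access-list 91 permit any
!
! --- Exempt the Cisco Secure IDS Scanner from all auditing (ACL number 90 assumed)
access-list 90 deny   host 172.16.59.16
access-list 90 permit any
!
! --- Dual-tier rules: AUDIT.1 alarms only, AUDIT.2 alarms, drops and resets
ip audit name AUDIT.1 info   list 90 action alarm
ip audit name AUDIT.1 attack list 90 action alarm
ip audit name AUDIT.2 info   list 90 action alarm
ip audit name AUDIT.2 attack list 90 action alarm drop reset
!
! --- Outside interface gets the enforcing rule, trusted interface the alarm-only rule
interface Ethernet0
 ip address 10.1.1.1 255.0.0.0
 ip audit AUDIT.2 in
!
interface Ethernet1
 ip address 172.16.57.1 255.255.255.0
 ip audit AUDIT.1 in
!
end
```

After the configuration is applied, show ip audit configuration lists the rules and the per-signature overrides, show ip audit interface confirms which rule is bound to each interface and in which direction, and show ip audit statistics shows whether packets are actually being audited and alarms sent. The trailing permit any on both lists is what keeps every other source audited; without it the audit rule would inspect nothing.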
Snort is an open source network intrusion detection system (NIDS) created by Martin Roesch. Snort is a packet sniffer that monitors network traffic in real time, scrutinizing each packet closely to detect a dangerous payload or suspicious anomalies. There are two types of IDSs, host-based and network-based; Snort is a network-based IDS.
This network intrusion detection and prevention system works through traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine.
Snort can be run in 4 modes:
- sniffer mode: snort reads the network traffic and prints it to the screen.
- packet logger mode: snort records the network traffic to a file.
- IDS mode: network traffic matching security rules is recorded (the mode used in our tutorial).
- IPS mode: also known as snort-inline (IPS = Intrusion Prevention System).
Another tool is needed to display the logs generated by the Snort IDS and sent to the database. This tool is BASE, the Basic Analysis and Security Engine. It is in fact a PHP script displaying alerts on a web interface.
Snort can be downloaded from http://www.snort.org/dl/.
In order to install and configure Snort, access the Snort Manual available at http://manual.snort.org/.
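As an added illustration written for this page (not from the handbook or from the Snort project), the four modes correspond to the following Snort 2.9 command lines, followed by one local rule that reproduces the logic of IOS signature 3103 above in Snort's rule language. The configuration path, the log directory, the interface names and the rule sid are assumptions.

```text
# 1. Sniffer mode: decode packets and print them (-d adds the payload, -e the link layer)
snort -dev

# 2. Packet logger mode: same decoding, but written to a log directory instead of the screen
snort -dev -l /var/log/snort

# 3. NIDS mode: apply the rules referenced by the configuration file, one-line alerts to the log directory
snort -c /etc/snort/snort.conf -l /var/log/snort -A fast

# 4. Inline (IPS) mode: bridge two interfaces with the afpacket DAQ so that drop rules can block
snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf

# Contents of /etc/snort/rules/local.rules (path assumed), included from snort.conf.
# Mirrors IOS signature 3103: EXPN or VRFY sent to an SMTP server. flow:to_server,established
# limits the match to client->server data on a completed handshake; the pcre anchors the verb
# to the start of a line so that the words inside a mail body do not trigger it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP EXPN/VRFY reconnaissance"; flow:to_server,established; pcre:"/^(EXPN|VRFY)\s/mi"; classtype:attempted-recon; sid:1000103; rev:1;)
```

Local rules use sids of 1000000 and above so they never collide with the distributed rule set, and -A fast keeps the alert file to one line per event, which is the format BASE and most log collectors expect to ingest.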
UNIT VI
IPS Configuration
Lesson Plan
Suggested Learning Activities
Training Resource Material
6.1 Understanding IPS Network Sensing
6.2 Overview of IPS Configuration
LESSON PLAN
You need to know and understand: KA4, KA5, KB1 - KB4
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Suggested Learning Activities: Peer group, Faculty group and Industry experts (2 Hrs classroom and assessment). Research and Internet Learning (10 Hrs offline, 24/7). Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.

Training Resource Material: PCs/Tablets/Laptops; Labs availability with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security.
Activity 1:
Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.
Activity 2:
Ask the students to research cases of attacks over the years and the impact of those attacks on the organisations where they occurred.
Activity 3:
Ask the students to access the CVE and list all the types of information that they can get from there. Present the same in class and elaborate upon the various ways that information can be used.
The command and control interface is always Ethernet. This interface has an assigned IP address, which allows it to communicate with the manager workstation or network devices (Cisco switches, routers, and firewalls). Because this interface is visible on the network, you should use encryption to maintain data privacy. SSH is used to protect the CLI and TLS/SSL is used to protect the manager workstation. SSH and TLS/SSL are enabled by default on the manager workstations.
When responding to attacks, the sensor can do the following:
Insert TCP resets via the sensing interface. You should select the TCP reset action only on signatures associated with a TCP-based service. If selected as an action on non-TCP-based services, no action is taken. Additionally, TCP resets are not guaranteed to tear down an offending session because of limitations in the TCP protocol.
Make ACL changes on switches, routers, and firewalls that the sensor manages. ACLs may block only future traffic, not current traffic.
Generate IP session logs, session replay, and trigger packets display. IP session logs are used to gather information about unauthorized use. IP log files are written when events
Step 1. Install and connect the device to your network. Install the device software and perform basic device configuration. Install the licenses required for all of the services running on the device. The amount of initial configuration that you perform influences what you will need to configure in Security Manager.
Follow the instructions in the Installing Cisco Intrusion Prevention System Appliances and Modules document for the IPS version you are using.
Step 2. Add the device to the Security Manager device inventory. You can discover router and Catalyst switch modules when adding the device in which the module is installed. For ASA devices, you must add the service module separately.
Step 3. Configure the interfaces as described in Configuring Interfaces. You must enable the interfaces connected to your network for the device to function.
For certain types of service module, there are additional policies to configure:
Router-hosted service modules—Configure the IPS Module interface settings policy on the router.
IDSM—Configure the IDSM Settings Catalyst platform policy.
IPS modules on ASA devices—Configure the Platform > Service Policy Rules > IPS, QoS, and Connection Rules policy on the host ASA to specify the traffic that should be inspected.
Step 4. Use the Virtual Sensors policy to assign interfaces to the virtual sensors, including the base vs0 virtual sensor that exists for all IPS devices.
If the device supports it, and you have a need for it, you can also create user-defined virtual sensors so that a single device acts like multiple sensors. Most of the IPS configuration is done on the parent device, but you can configure unique settings per virtual sensor for signatures, anomaly detection, and event actions.
Step 5. Configure basic device access platform policies. These policies determine who can log into the device:
AAA—Configure this policy if you want to use a RADIUS server to control access to the device. You can use AAA control in conjunction with local user accounts defined in the User Accounts policy.
Allowed Hosts—The addresses of hosts who are allowed access. Ensure that the Security Manager server is included as an allowed host, or you cannot configure the device using Security Manager.
SNMP—Configure this policy if you want to use an SNMP application to manage the device.
Password Requirements—You can define the acceptable characteristics of a user password.
User Accounts—The user accounts defined on the device.
Step 6. Configure basic server access platform policies. These policies identify the servers to which the device can connect:
External Product Interface—If you use Management Center for Cisco Security Agents, configure this policy to allow the sensor to download host postures from the application.
NTP—Configure this policy if you want to use a Network Time Protocol server to control the device time.
DNS, HTTP Proxy—The DNS and HTTP Proxy policies are required only if you configure global correlation. They identify a server that can resolve DNS names to IP addresses. Use the HTTP Proxy policy if your network requires the use of a proxy to make Internet connections; otherwise, use the DNS policy.
Step 7. Configure the Logging policy if you want non-default logging.
Step 8. Configure IPS signatures and event actions. Event action policies are easier to configure than creating custom signatures, so try to use event action filters and overrides to modify signature behaviour before trying to edit specific signatures.
Step 9. If you use any of the Request Block or Request Rate Limit event actions, configure blocking or rate limiting hosts.
Step 10. Configure other desired advanced IPS services.
Step 11. Maintain the device:
Update and redeploy configurations as necessary.
Apply updated signature and engine packages.
Manage the device licenses. You can update and redeploy licenses, or automate license updates.
Manage the certificates required for SSL (HTTPS) communication. These certificates expire, so you need to regenerate them approximately every 2 years.
Step 12. Monitor the device:
Use the Event Viewer application to view alerts generated from the device. You can open Event Viewer from the Launch menu in Configuration Manager or Report Manager, or from the Windows Start menu.
Use the Report Manager application to generate reports on IPS usage, including comparisons of inline vs. promiscuous mode, and global correlation vs. traditional inspection. You can also analyze top attackers, victims, signatures, blocked signatures, and perform target analysis.
Configuring SNMP
SNMP is an application layer protocol that facilitates the exchange of management information between network devices. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.
SNMP is a simple request/response protocol. The network-management system issues a request, and managed devices return responses. This behaviour is implemented by using one of four protocol operations: Get, Get Next, Set, and Trap.
You can configure the sensor for monitoring by SNMP. SNMP defines a standard way for network management stations to monitor the health and status of many types of devices, including switches, routers, and sensors.
You can configure the sensor to send SNMP traps. SNMP traps enable an agent to notify the management station of significant events by way of an unsolicited SNMP message.
Trap-directed notification has the following advantage: if a manager is responsible for a large number of devices, and each device has a large number of objects, it is impractical to poll or request information from every object on every device. The solution is for each agent on the managed device to notify the manager without solicitation. It does this by sending a message known as a trap of the event.
After receiving the event, the manager displays it and can take an action based on the event. For example, the manager can poll the agent directly, or poll other associated device agents to get a better understanding of the event.
Trap-directed notification results in substantial savings of network and agent resources by eliminating frivolous SNMP requests. However, it is not possible to totally eliminate SNMP polling. SNMP requests are required for discovery and topology changes. In addition, a managed device agent cannot send a trap if the device has had a catastrophic outage.
This procedure describes how to configure SNMP on an IPS sensor so that you can manage the sensor with an SNMP management station, including the configuration of traps.
gives access to all SNMP get requests.
Read-Write Community String—The community string required for read-write access to the sensor. SNMP set requests from the management station must supply this string to get responses from the sensor; it can also be used on get requests. This string gives access to all SNMP get and set requests. Treat both strings as credentials: SNMP v1 and v2c carry them in cleartext in every request, so configure the read-write string only if the management station actually needs to set values, and restrict SNMP access to the stations you list in the Allowed Hosts policy (Step 5).
Step 3 If you want to configure SNMP traps, click the SNMP Trap Configuration tab and configure at least the following options.
Enable Notifications—Select this option to allow the sensor to send SNMP traps.
Trap Destinations—Add the SNMP management stations that should be trap destinations. Click the Add Row (+) button to add a new destination, or select a destination and click the Edit Row (pencil) button to change its configuration.
When adding or editing a trap destination, the trap community string that you enter overrides the default community string entered on the SNMP Trap Configuration tab. The community string appears in the traps sent to this destination and is useful if you are receiving multiple types of traps from multiple agents. For example, a router or sensor could be sending the traps, and if you put something that identifies the router or sensor specifically in your community string, you can filter the traps based on the community string.
To remove a destination, select it and click the Delete Row (trash can) button.
Step 4 If you configure trap destinations, you must also ensure that the desired alerts include the Request SNMP Trap action. You have the following options for adding this action:
(Easy way.) Create an event action override to add the Request SNMP Trap action to all alerts of a specified risk rating (IPS > Event Actions > Event Action Overrides policy). For example, you could generate traps for all alerts with a risk rating between 85-100. Event action overrides let you add an action without individually editing each signature.
(Precise way.) Edit the Signatures policy (IPS > Signatures > Signatures) to add the Request SNMP Trap action to the signatures for which you want to send trap notifications. Traps are sent only for signatures that you configure to send traps.
If the signature has Default for the source, you have to change the source to the Local source before you can change the action. However, if you right-click the Action cell in the signatures table and select Edit Actions, then select Request SNMP Trap (along with any other desired action) and click OK, the source is automatically changed to Local.
Step 5 Add the SNMP management stations to the Allowed Hosts policy. The management stations must be allowed hosts to access the sensor.
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector. Select the General Configuration tab.
(Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select an existing policy or create a new one. Select the General Configuration tab.
Field Reference
Element / Description
Enable SNMP Gets/Sets: Whether to enable the SNMP management workstation to obtain (get) information, and modify (set) values on the IPS sensor. If you do not enable this option, the management workstation cannot manage this sensor; the sensor will not respond to SNMP requests.
Read-Only Community String: The community string required for read-only access to the sensor. SNMP get requests from the management station must supply this string to get responses from the sensor. This string gives access to all SNMP get requests. Use the string to help identify the sensor.
Read-Write Community String: The community string required for read-write access to the sensor. SNMP set requests from the management station must supply this string to get responses from the sensor; it can also be used on get requests. This string gives access to all SNMP get and set requests. Use the string to help identify the sensor.
Sensor Contact: The network administrator or contact point who is responsible for this sensor.
Sensor Location: The physical location of the sensor, such as building address, name, and room number.
Sensor Agent Port: The port to use for SNMP get/set communication with the sensor. The default is 161. The valid range is 1 to 65535. Enter a port number or the name of a port list object, or click Select to select a port list object from a list or to create a new object. The port list object must identify a single port.
SNMP Agent Protocol: The protocol you are using for SNMP, either UDP (the default) or TCP. Select the protocol used by your SNMP management station.
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector. Select the SNMP Trap Configuration tab.
(Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select an existing policy or create a new one. Select the SNMP Trap Configuration tab.
Field Reference
Element / Description
Enable Notifications: Whether to enable the sensor to send trap notifications to the trap destinations whenever a specific type of event occurs in a sensor. If you do not select this option, the sensor does not send traps.
Tip To have the sensor send SNMP traps, you must also select Request SNMP Trap as the event action when you configure signatures. Traps are sent only for signatures that you configure to send traps.
Error Filter: The type of events that will generate SNMP traps based on the severity of the event: fatal, error, or warning. Select all severities that you want; use Ctrl+click to select multiple values. The sensor sends notifications of events of the selected severities only.
Enable Detail Traps: Whether to include the full text of the alert in the trap. If you do not select this option, sparse mode is used. Sparse mode includes less than 484 bytes of text for the alert.
Default Trap Community String: The community string used for the traps if no specific string has been set for the trap destination in the Trap Destinations table.
Tip All traps carry a community string. By default, all traps that have a community string identical to that of the destination are taken by the destination. All other traps are discarded by the destination. However, you can configure the destination to determine which trap strings to accept.
Trap Destinations table: The SNMP management stations that will be sent trap notifications. The table shows the IP address of the management station, the community string added to traps from this sensor, and the port to which traps are sent.
To add a destination, click the Add Row button and fill in the Add SNMP Trap Communication dialog box.
To edit a destination, select it, click the Edit Row button and make your changes.
To delete a destination, select it and click the Delete Row button.
Navigation Path
Go to the IPS Platform > Device Admin > Device Access > SNMP policy, select the SNMP Trap Configuration tab, and click the Add Row button beneath the Trap Destinations table, or select a destination in the table and click the Edit Row button.
Field Reference
Element / Description
IP Address: The IP address of the SNMP management station that should receive trap notifications. Enter the IP address or the name of a network/host object, or click Select to select the object from a list or to create a new object. The network/host object must specify a single host IP address.
Trap Community String: The community string of the trap. If you do not enter a trap string, the default trap string defined on the SNMP Trap Configuration tab is used for traps sent to this destination.
Trap Port: The port used by the SNMP management station to receive traps. Enter the port number or the name of a port list object, or click Select to select the object from a list or to create a new one. The port list object must identify a single port.
The following topics describe IPS user accounts, and Security Manager discovery and
deployment considerations, in more detail:
Manager does not remove the configuration.
Configuring IPS User Accounts
Use the User Accounts policy to configure local user accounts for IPS devices. Users can use these accounts to log into the device. You can create new users, modify user privileges and passwords, and delete users.
The user accounts policy should have at least these accounts:
cisco—An account named "cisco" must exist on the device and you cannot delete it.
An administrator account that Security Manager can use—Security Manager must be able to log into the device to configure it. Typically, you create an account for this purpose. However, you have the option of having Security Manager use the user account of the person deploying configurations to log into the device. You can configure this using the Connect to Device Using option on the Tools > Security Manager Administration > Device Communication page.
Cisco IOS IPS devices use the same user accounts that are defined for the router. This procedure does not apply to Cisco IOS IPS configurations.
If you change the password for the user defined in the device properties, which Security Manager uses to deploy configurations to the device, Security Manager uses the existing credentials defined in the device properties to log into the device and deploy changes. After successful deployment, the device properties are then changed to use your new settings.
Step 1 Do one of the following to open the User Accounts policy:
(Device view) Select Platform > Device Admin > Device Access > User Accounts from the Policy selector.
(Policy view) Select IPS > Platform > Device Admin > Device Access > User Accounts, then select an existing policy or create a new one.
The policy shows existing user accounts, including the username, role, and whether the password is managed by Security Manager.
Step 2 Do one of the following:
To add a user account, click the Add Row (+) button. This opens the Add User dialog box. Enter the information required to define the account.
To edit a user account, select it and click the Edit Row (pencil) button and make the required changes in the Edit User dialog box. You cannot change a user role to or from the Service role.
To delete a user account, select it and click the Delete Row (trash can) button. You cannot delete the account named cisco.
All password changes must meet the requirements of the Password Requirements policy. If you change the requirements policy, all new user accounts, or edited accounts, are tested against the new requirements. Although the passwords for existing unedited user accounts are not tested, they too must meet the password requirements if you change any user account defined in this policy, because Security Manager will deploy all of the accounts during the next configuration deployment. Passwords are checked for conformity when you validate policies, which typically happens when you submit changes to the database.
Add User and Edit User Credentials Dialog Boxes
Use the Add User or Edit User Credentials dialog boxes to add or edit IPS device user accounts.
Table 4: Add or Edit User Dialog Box
Use the AAA policy to configure AAA access control for your IPS devices. The device must use IPS Software release 7.0(4) to configure AAA.
You can configure the IPS device to use a RADIUS AAA server to authenticate user access to the device. By configuring AAA, you can reduce the number of local users defined on the device and take advantage of your existing RADIUS setup. If you configure a AAA server, you can configure the device to allow local user accounts as a fallback mechanism if the RADIUS servers are unavailable.
When configuring AAA, you identify the RADIUS server using a AAA server policy object. You can create the object while configuring the policy, or you can create it in the Policy Object Manager. When you configure the AAA server object, you must adhere to the following restrictions:
Host —You must specify the IP address; you cannot use a DNS name.
Timeout —If you enter a timeout value, it must be from 1 to 512 seconds. The generic AAA server object allows higher numbers, but IPS has a more limited timeout range. The default is 3.
Protocol —RADIUS is the only supported protocol.
Key —You must specify the shared secret key that is defined on the RADIUS server. Although this field is optional for a generic AAA server object, IPS requires a key.
Port —Ensure that the RADIUS Authentication/Authorization port is correct. Note that the default port in the AAA server object is different from the IPS default, which is 1812. You will need to change the port if you want to use the IPS default.
You must ensure that the user account configured in the device properties exists in the RADIUS server or as a local user account, depending on the authorization method that you use. If you switch between local and AAA modes, or change AAA servers, you must ensure that the account is defined in whatever user account database you are using. If you are using AAA with local fallback, the account should be defined in all databases. This account must exist, with the same password defined in the Security Manager device properties for the device, or deployment to the device will fail. The user account used for discovery and deployment must have administrator privileges.
accounts defined on the IPS device only. With AAA mode, the RADIUS servers are the
primary means of user authentication, and you can configure local user accounts as a
fallback mechanism. The default is Local. You must select AAA to configure any other
options in this policy.
Primary RADIUS Server, Secondary RADIUS Server —The main (primary) AAA server
and a backup server, if any. Enter the name of the AAA server policy object that
identifies the RADIUS server, or click Select to select it from a list of objects or to
create a new object.
When authenticating users, the IPS device sends the user authentication attempt to the
primary server. The secondary server is contacted only if the request to the primary server
times out.
Step 3 Configure the following optional properties if you want non-default values:
Console Authentication —How you want to authenticate users who access the IPS
device through the console:
o Local—Users connected through the console port are authenticated through
local user accounts.
o Local and RADIUS—Users connected through the console port are
authenticated through RADIUS first. If RADIUS fails, local authentication is
attempted.
o RADIUS—Users connected through the console port are authenticated by
RADIUS. If you also select Enable Local Fallback, then users can also be
authenticated through the local user accounts.
RADIUS NAS ID —The Network Access ID, which identifies the service requesting
authentication. The value can be no NAS-ID, cisco-ips, or a NAS-ID already configured
on the RADIUS server. The default is cisco-ips.
Enable Local Fallback —Whether you want to fall back to local user account
authentication if all RADIUS servers are unavailable. This option is selected by
default. Note that local authentication is not attempted if the RADIUS server
responds negatively to the logon attempt; local authentication is tried only if no
response is received from the RADIUS server.
Default User Role —The role to assign to users who do not have a role assigned in
the RADIUS server. You can make Viewer, Operator, or Administrator the default
roles, but not Service; select Unspecified to assign no default role (this is the
default).
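The login decision that the AAA policy options above describe (Local versus AAA mode, primary then secondary RADIUS server, Enable Local Fallback that is tried only when no server responds and never after a rejection, and Default User Role, where a user who ends up with no role is refused) can be modelled in a few dozen lines. The following is an added example written for this section, not Cisco code: the RADIUS exchange is replaced by callables that return a RadiusReply or None for "no response", and the rule that a Service role must also exist locally is included as an assumption about how such accounts are checked.

```python
"""Login decision for an IPS-style AAA policy (added example, not Cisco code).
RADIUS servers are simulated by callables returning RadiusReply or None (timeout)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ASSIGNABLE_DEFAULTS = {"viewer", "operator", "administrator"}   # Service cannot be a default role


@dataclass
class RadiusReply:
    accepted: bool
    role: Optional[str] = None      # role returned by the server (e.g. "operator"), if any


@dataclass
class LocalUser:
    password: str
    role: str


@dataclass
class AAAPolicy:
    mode: str = "local"                  # "local" or "aaa"
    local_fallback: bool = True          # Enable Local Fallback
    default_role: Optional[str] = None   # None means Unspecified

    def __post_init__(self):
        if self.default_role is not None and self.default_role not in ASSIGNABLE_DEFAULTS:
            raise ValueError("default role must be viewer, operator or administrator")


RadiusServer = Callable[[str, str], Optional[RadiusReply]]


def make_radius(db: Dict[str, Tuple[str, Optional[str]]], responds: bool = True) -> RadiusServer:
    """Constructed stand-in for a RADIUS server. db maps username -> (password, role)."""
    def server(username: str, password: str) -> Optional[RadiusReply]:
        if not responds:
            return None                      # timeout: no response at all
        entry = db.get(username)
        if entry is None or entry[0] != password:
            return RadiusReply(False)        # explicit reject
        return RadiusReply(True, entry[1])
    return server


def local_login(users: Dict[str, LocalUser], username: str, password: str) -> Optional[str]:
    """Role of the local account if the credentials match, else None."""
    user = users.get(username)
    return user.role if user and user.password == password else None


def authenticate(policy: AAAPolicy, users: Dict[str, LocalUser], servers: List[RadiusServer],
                 username: str, password: str) -> Tuple[bool, Optional[str], str]:
    """Return (allowed, role, reason) for one login attempt."""
    if policy.mode == "local":
        role = local_login(users, username, password)
        return (role is not None, role, "local")

    # AAA mode: the secondary server is contacted only if the primary does not respond.
    reply = None
    for server in servers:
        reply = server(username, password)
        if reply is not None:
            break

    if reply is None:
        if not policy.local_fallback:
            return (False, None, "no RADIUS response and local fallback disabled")
        role = local_login(users, username, password)
        return (role is not None, role, "local fallback")

    if not reply.accepted:
        return (False, None, "rejected by RADIUS")     # local accounts are NOT tried after a reject

    role = reply.role or policy.default_role
    if role is None:
        return (False, None, "no role assigned by RADIUS or default role")

    if role == "service":
        # Assumption modelled here: a RADIUS service account must also exist locally.
        if local_login(users, username, password) != "service":
            return (False, None, "service account missing locally")
    return (True, role, "radius")
```

The reason string is what a sensor log line would need to carry for an analyst to tell a RADIUS outage (fallback used) from a credential failure (rejected, no fallback attempted).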
User role configuration is very important. If you do not assign a role to the user, either through the default user role or in the RADIUS server, the sensor prevents user login even if the RADIUS server
configured to return “Hello <user> ips-role=operator.”
If you configure a service account in the RADIUS server, you must also configure an identical service account locally on the device. For service accounts, both the RADIUS and Local accounts are checked during login.
Identifying an NTP Server
Use the NTP policy to configure a Network Time Protocol (NTP) server as the time source for the IPS device. Using NTP helps ensure synchronized time among your network devices, which can aid your event analysis. NTP is the recommended way to configure time settings on an IPS device.
For detailed information on how to set the time on a sensor, including how to set up a Cisco IOS router as an NTP server, refer to Configuring Time in Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface Version 7.0.
Check the time on your IPS sensor if you are having trouble updating your IPS software. If the time on the sensor is ahead of the time on the associated certificate, the certificate is rejected, and the sensor software update fails.
(Device view) Select Platform > Device Admin > Server Access > NTP from the Policy
selector.
(Policy view) Select IPS > Platform > Device Admin > Server Access > NTP, then
select an existing policy or create a new one.
Step 2 In the NTP Server IP Address field, enter the IP address of the NTP server. You can
also enter the name of a network/host object that identifies the single host address of the
server, or click Select to select the object from a list or to create a new one.
Step 3 If the NTP server does not require authentication, deselect the Authenticated
NTP checkbox.
The key and key ID are configured on the NTP server; you must obtain them from the NTP
server configuration.
sensor can use to resolve domain names to IP addresses. If your network requires HTTP proxies when making Internet connections, configure the HTTP Proxy policy instead of the DNS policy.
The AIP-SSC-5 service module does not support DNS servers.
Step 1 Do one of the following to open the HTTP Proxy policy:
(Device view) Select Platform > Device Admin > Server Access > DNS from the Policy selector.
(Policy view) Select IPS > Platform > Device Admin > Server Access > DNS, then select an existing policy or create a new one.
Step 2 Specify the IP addresses of up to three DNS servers in the Primary, Secondary, and Tertiary Address fields. The sensor uses the servers in the order listed; if one server does not respond, the next server is contacted.
You can enter an IP address or the name of a network/host object that contains a server address. Click Select to select a network/host object from a list or to create a new one. The network/host object must specify a single host address.
Identifying an HTTP Proxy Server
If you configure global correlation on an IPS 7.0+ sensor, and your network requires the use of HTTP proxies to connect to the Internet, you need to configure the HTTP Proxy policy to identify a proxy that the IPS sensor can use. When downloading global correlation updates, the IPS sensor connects to the update server using this proxy. The proxy must be able to resolve DNS names.
If you do not use HTTP proxies, configure DNS servers so that the IPS sensor can resolve the address of the update server.
The AIP-SSC-5 service module does not support HTTP proxy servers.
Navigation Path
From the External Product Interface IPS platform policy, click Add Row or select an entry and click Edit
Row.
Field Reference
Element: Description
External Product's IP Address: The IP address, or the network/host policy object that contains the address, of the external product. Enter the IP address or object name, or click Select to select an object from a list or to create a new one.
Interface Type: Identifies the physical interface type, which is always Extended SDEE.
Enable receipt of information: Whether information is allowed to be passed from the external product to the sensor.
SDEE URL: The URL on the CSA MC the IPS uses to retrieve information using SDEE communication. You must configure the URL based on the software version of the CSA MC that the IPS is communicating with as follows:
For CSA MC version 5.0—/csamc50/sdee-server.
For CSA MC version 5.1—/csamc51/sdee-server.
For CSA MC version 5.2 and higher—/csamc/sdee-server (the default value).
Port: The port, or the port list object that identifies the port, being used for communications. Enter the port or port list name, or click Select to select the object from a list or to create a new object.
User name, Password: A username and password that can log into the external product.
Enable receipt of host postures: Whether to allow the receipt of host posture information from CSA MC. The host posture information received from a CSA MC is deleted if you disable this option.
Allow unreachable hosts' postures: Whether to allow the receipt of host posture information for hosts that are not reachable by the CSA MC.
A host is not reachable if the CSA MC cannot establish a connection with the host on any IP addresses in the host's posture. This option is useful in filtering the postures whose IP addresses may not be visible to the IPS sensor or that might be duplicated across the network. This filter is most applicable in network topologies where hosts that are not reachable by the CSA MC are also not reachable by the IPS, for example if the IPS and CSA MC are on the same network segment.
Posture ACL table: Posture ACLs are network addresses for which host postures are allowed or denied. Use posture ACLs to filter postures that have IP addresses that might not be visible to the IPS or that might be duplicated across the network.
To add a posture ACL, click the Add Row (+) button. This opens the Add Posture ACL dialog box. For information on configuring the Posture
Navigation Path
(Device view) Select Platform > Logging from the Policy selector.
(Policy view) Select IPS > Platform > Logging, then select an existing policy or create a new one.
Field Reference
Element Description
UNIT VII
Anti-virus and Antispam Software
Lesson Plan
Suggested Learning Activities
Training Resource Material
7.1 Antivirus Software
7.2 Antispam Software
LESSON PLAN
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Knowledge areas: KA4, KA5, KB1 - KB4
Suggested Learning Activities: Peer group, Faculty group and Industry experts. Research and Learning. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration: 2 Hrs classroom and assessment; 10 Hrs offline (24/7)
Training Resource Material: PCs/Tablets/Laptops and Labs availability; Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security
Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.
Activity 2:
Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.
Activity 3:
Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.
Most antivirus programs include both automatic and manual scanning capabilities.
The automatic scan may check files that are downloaded from the Internet, discs that are inserted into the computer, and files that are created by software installers. The automatic scan may also scan the entire hard drive on a regular basis.
The manual scan option allows you to scan individual files or your entire system whenever you feel it is necessary.
Since new viruses are constantly being created by computer hackers, antivirus programs must keep an updated database of virus types. This database includes a list of "virus definitions" that the antivirus software references when scanning files. Since new viruses are frequently distributed, it is important to keep your software's virus database up-to-date. Fortunately, most antivirus programs automatically update the virus database on a regular basis.
While antivirus programs are available for Windows, Macintosh, and Unix platforms, most antivirus software is sold for Windows systems. This is because most viruses are targeted towards Windows computers and therefore virus protection is especially important for Windows users. If you are a Windows user, it is smart to have at least one antivirus program installed on your computer. Examples of common antivirus programs include Norton Antivirus, Kaspersky Anti-Virus, and ZoneAlarm Antivirus.
The most important thing to remember about virus protection is that no system is infallible. No matter how good your anti-virus (AV) software is, and how stringent your security processes are, there is still the chance that a completely new virus will enter your organization and disrupt operations. Of course, completely isolating your systems from the Internet and removing them from external e-mail will greatly minimize your exposure; however, in today's digital economy that is no longer a practical option.
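To make the role of the virus definition database concrete, here is an added example (written for this section, not any vendor's engine) of the core of a signature-based scanner: it matches files against a small database of whole-file hashes and byte patterns, and flags the result as untrustworthy when that database is older than the update interval. The definitions, their release date and the sample files are constructed placeholders, not real malware signatures.

```python
"""Minimal signature-based scanner with a definition-freshness check (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Definition:
    name: str
    kind: str      # "sha256": whole-file hash; "bytes": byte pattern anywhere in the file
    value: str     # hex digest, or the pattern encoded as hex


# Constructed definition database and its release date (placeholders, not real signatures)
DEFINITIONS_RELEASED = date(2024, 1, 1)
DEFINITIONS: List[Definition] = [
    Definition("Example.Hash.A", "sha256", hashlib.sha256(b"PLACEHOLDER-SAMPLE-A").hexdigest()),
    Definition("Example.Pattern.B", "bytes", b"PLACEHOLDER-PATTERN-B".hex()),
]


def definitions_stale(today: date, released: date = DEFINITIONS_RELEASED,
                      max_age_days: int = 7) -> bool:
    """True when the definition set is older than the allowed age, i.e. the automatic
    update has not run and a 'clean' verdict cannot be trusted."""
    return today - released > timedelta(days=max_age_days)


def scan_bytes(data: bytes, definitions: List[Definition] = DEFINITIONS) -> List[str]:
    """Names of every definition matched by the file contents; an empty list means clean."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for d in definitions:
        if d.kind == "sha256" and d.value == digest:
            hits.append(d.name)
        elif d.kind == "bytes" and bytes.fromhex(d.value) in data:
            hits.append(d.name)
    return hits


def scan_files(files: Dict[str, bytes], today: date,
               definitions: List[Definition] = DEFINITIONS) -> Tuple[Dict[str, List[str]], bool]:
    """Scan an in-memory set of files (constructed stand-in for a directory or an inserted
    disc). Returns ({filename: hits}, definitions_are_stale)."""
    report = {name: scan_bytes(data, definitions) for name, data in files.items()}
    return report, definitions_stale(today)


if __name__ == "__main__":
    sample = {  # constructed files
        "setup.bin": b"PLACEHOLDER-SAMPLE-A",
        "report.txt": b"quarterly figures, nothing suspicious",
        "update.dat": b"header PLACEHOLDER-PATTERN-B trailer",
    }
    report, stale = scan_files(sample, date(2024, 1, 10))
    for name, hits in report.items():
        print(f"{name}: {'INFECTED ' + ', '.join(hits) if hits else 'clean'}")
    if stale:
        print("warning: virus definitions are out of date; update before trusting a clean result")
```

Real engines add unpacking, emulation and heuristics on top of this, but the two points the text makes survive in the model: a file is only caught if a matching definition exists, and a scan run with a stale database says nothing about anything published since.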
Figure 3: Changing Outlook Express Preview pane settings from the View, Layout menu
be relied upon as a fail-safe means of exchanging information.
Remove Windows Scripting Host
If your organization does not use Windows Script Hosting (WSH), then you should consider removing or disabling it. To do this in Windows 9x, go to 'Control Panel' and choose 'Add/Remove Programs'. Click on the 'Windows Setup' tab and double click on 'Accessories'. Scroll down to 'Windows Script Host' and uncheck it and choose 'OK'. It may be necessary to reboot the system. For additional information, visit Microsoft's support Web site.
Use in-box rules to process suspicious e-mails
If your organization does not use e-mail server-based content filtering, then you can use your e-mail inbox rules to automatically delete or move suspect messages into a dedicated folder.
Do not open any files attached to an e-mail from an unknown, suspicious or untrustworthy source
Ensure that the source of any e-mail attachments is a legitimate and reputable one. If you're uncertain, don't download the file at all or download the file to a floppy and then scan it with your own anti-virus software.
Don't pass along virus warnings from others unless you have verified that it is applicable to your organization
Due to the large number of viruses and hoaxes, unnecessary time and e-mail traffic can be wasted by people forwarding virus warnings that may not be legitimate. Before passing along warnings to others, first check your virus protection vendor's Web site to determine if your systems are already protected or if it is just a hoax.
Write-protect removable media before using them in other computers
If removable media is used to ferry e-mails between computers (such as from work to home), then write-protecting the medium before using it in a suspect system can protect it from becoming infected.
Protecting E-mail Servers
Some organizations believe that as long as they protect their e-mail gateways and internal desktop computers, they do not need e-mail server-based anti-virus solutions. While this may have been true a few years ago, with today's Web-based e-mail access, public folders, and mapped network drive access to the stores, this stance is no longer prudent. Besides viruses entering the e-mail system from the Internet SMTP gateway, infected files can be transferred through an organization's remote Web-based interface, network-connected user devices such as PDAs, disk drives on computers without up-to-date virus protection, or copies from un-scanned archives. Once an infected item gets into the e-mail stores, then only an e-mail server-based solution will be able to detect and remove the infected item.
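The in-box rules recommended above, combined with the rule about attachments from unknown sources, amount to a small triage policy. The following added example (written for this section, not taken from the handbook) expresses it with Python's standard email library: messages carrying executable or Windows Script Host file types from an untrusted sender are deleted, the same types from a known sender go to a review folder to be confirmed with the sender, and any other attachment from an untrusted sender is also held. The trusted-domain list, the extension list and the sample messages are constructed.

```python
"""Inbox-rule triage of suspect e-mail (added example; lists and messages are constructed)."""
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List, Tuple

TRUSTED_DOMAINS = {"example.com"}          # constructed allow-list of known sender domains
# Executable and Windows Script Host file types that should never arrive unexpectedly
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")


def attachment_names(msg: EmailMessage) -> List[str]:
    """File names of all attachment parts (empty for a plain single-part message)."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def classify(msg: EmailMessage) -> Tuple[str, List[str]]:
    """Decide the folder for a message: 'Inbox', 'Suspect' (hold for review, do not open
    attachments) or 'Deleted'. Returns (folder, reasons)."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    trusted = domain in TRUSTED_DOMAINS
    names = attachment_names(msg)
    # endswith() on the full name also catches double extensions such as invoice.pdf.exe
    risky = [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)]
    who = addr or "<missing>"

    if risky:
        reason = "executable or script attachment: " + ", ".join(risky)
        if not trusted:
            return "Deleted", [reason, f"sender '{who}' is not in a trusted domain"]
        return "Suspect", [reason + " (verify with the sender before opening)"]
    if names and not trusted:
        return "Suspect", [f"attachment from untrusted sender '{who}': " + ", ".join(names)]
    return "Inbox", []


def build_message(sender: str, subject: str, body: str, attachments=()) -> EmailMessage:
    """Construct a sample message; attachments is a sequence of (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg


if __name__ == "__main__":
    samples = [  # constructed messages
        build_message("alice@example.com", "Agenda", "see attached", [("agenda.pdf", b"%PDF-1.4")]),
        build_message("stranger@unknown.test", "Invoice", "open now", [("invoice.pdf.exe", b"placeholder")]),
        build_message("alice@example.com", "Fix", "run this", [("fix.vbs", b"placeholder")]),
        build_message("stranger@unknown.test", "Doc", "hello", [("doc.docx", b"PK")]),
    ]
    for m in samples:
        folder, reasons = classify(m)
        print(f"{m['Subject']:8} -> {folder:8} {'; '.join(reasons)}")
```

A rule set like this is deliberately crude: it inspects names rather than content, so it is a complement to the antivirus scan described earlier, not a replacement for server-side filtering.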
Email Spam is the electronic version of junk mail. It involves sending unwanted messages,
often unsolicited advertising, to a large number of recipients. Spam is a serious security
concern as it can be used to deliver Trojan horses, viruses, worms, spyware, and targeted
phishing attacks.
spam disposition. Some of these settings are made at the org level, and some for a Default User. You can also adjust individual user's filtering, or allow users to do this themselves at the Message Center.
About Spam Filters
Your message security service detects spam by applying hundreds of rules to each message that passes through the data centre. It can block obvious spam immediately, then divert more borderline spam to a Quarantine for later evaluation. From there, you or your users can review the Quarantine for any legitimate messages that were falsely quarantined and need to be forwarded to the user's Inbox. Otherwise, spam is deleted automatically.
When your service is activated, all types of spam are typically filtered at a uniform level of aggressiveness. One group of users, however, might have its own idea about what constitutes spam, or how aggressively to filter it. A travel agency might have a zero-tolerance policy for adult content, for example, but want to receive special offers, such as “trips to Hawaii.” Another group might want to change its spam disposition, by changing how its spam is quarantined, or not quarantining it at all.
Filtering aggressiveness affects how the protection service handles messages that may or may not be spam. More aggressive spam filter levels will quarantine messages that are borderline cases. This will cause more spam to be caught, but may increase false positives. More lenient spam filters will allow borderline messages through, which reduces false positives but potentially lets more spam through.
For each of your organisations, you can adjust the overall aggressiveness of filtering, filter specific categories of spam more aggressively, and choose a spam disposition. Some of these settings are made at the organisation level, and some for a Default User. You can also adjust individual user's filtering, or allow users to do this themselves at the Message Center.
Where Spam Filtering Is Managed
You manage spam filtering at the following locations:
Organisation level: Enable Blatant Spam Blocking for users in the organisation, and choose a spam disposition—the method of disposing of filtered spam, for example, by changing how it's quarantined, or by not quarantining it at all. Configure Null Sender Disposition to dispose of messages that do not contain an SMTP-envelope sender address. If your service is provisioned with Outbound Services, then you also have the option to turn on Null Sender Header Tag Validation.
Default User: Define user-level spam settings that will apply to new users added to the organisation. This includes enabling spam filtering in the first place, adjusting how aggressively to filter spam, and filtering specific spam categories even more aggressively. Making these settings for a Default User is how you apply a single filtering policy across an organisation.
Specific User: You can modify user-level spam settings for an individual user, as well. But this isn't recommended if you want to maintain spam filtering policies across an organisation.
Message Center: You can optionally allow users to modify their own filter levels by granting them appropriate User Access permissions to the Message Center.
If Blatant Spam Blocking is enabled for the user’s organisation, the user’s most obvious
spam is bounced or blackholed (deleted), before it reaches your email servers. This
eliminates more than half of users’ spam, so neither you nor they ever have to deal with
it.
Each user (and Default User) has a Bulk Email filter that sets a base level of
aggressiveness for filtering the remaining spam, which is typically sent to a separate
Quarantine for review.
Each user (and Default User) can also optionally adjust four additional Category filters to
filter spam containing particular content even more aggressively (sexually explicit
content, special commercial offers, racially insensitive material, or get-rich-quick
schemes).
Null Sender Disposition lets you choose how to dispose of messages that do not include an SMTP-envelope sender address. These types of messages are usually Non-Delivery Reports (NDRs). When the system receives an inbound message, it checks for the SMTP-envelope sender address. If there is no sender address, the message is disposed of according to the Null Sender Disposition settings.
Null Sender Header Tag Validation is the process by which the system examines each
inbound message for the presence of an SMTP-envelope sender address and for the
message security service’s digital signature. If your message security service has been
provisioned with Outbound Services and you have them configured for your mail server,
then the system tags the Received field on outbound messages with a digital signature.
When this filter is on and the system receives an inbound message, it checks for the
SMTP-envelope sender address and for the digital signature. If there is no sender
address and the message doesn’t have the system signature, then the message is
disposed of according to the Null Sender Disposition settings. If the system signature is
present, then the message bypasses this filter, and is evaluated by the others.
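The mechanism just described, and the On/Off switch and "Validate reports up to ___ hours" setting that configure it later in this unit, can be modelled directly: a message with an empty envelope sender is let through to the other filters only if a Received field carries the service's own signature and that signature has not expired; otherwise it goes to the Null Sender Disposition. The block below is an added example for this section, not the vendor's code. The tag format (a timestamp and an HMAC over the outbound Message-ID, placed inside the Received field as "service-tag=...") and the use of the bounced message's Message-ID are assumptions made so that the check is runnable.

```python
"""Null Sender Disposition with Header Tag Validation (added example; tag format assumed)."""
import hashlib
import hmac
from typing import Dict, Optional

SERVICE_KEY = b"constructed-secret-key"    # constructed; a real service keeps this secret
TAG_PREFIX = "service-tag="                # assumed marker inside the Received field


def outbound_tag(message_id: str, sent_at: int, key: bytes = SERVICE_KEY) -> str:
    """Signature the service stamps on outbound mail (assumed format: '<unix-ts>.<hex-mac>')."""
    mac = hmac.new(key, f"{message_id}|{sent_at}".encode(), hashlib.sha256).hexdigest()
    return f"{sent_at}.{mac}"


def extract_tag(received: str) -> Optional[str]:
    """Pull the tag out of a Received value such as 'from a by b (service-tag=123.ab..) id 7'."""
    start = received.find(TAG_PREFIX)
    if start < 0:
        return None
    token = received[start + len(TAG_PREFIX):].split(")", 1)[0].strip()
    return token.split()[0] if token else None


def tag_valid(tag: str, message_id: str, now: int, validity_hours: int,
              key: bytes = SERVICE_KEY) -> bool:
    """The MAC must match our key and the timestamp must be within validity_hours."""
    ts_text, _, mac = tag.partition(".")
    if not ts_text.isdigit() or not mac:
        return False
    ts = int(ts_text)
    expected = hmac.new(key, f"{message_id}|{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    return 0 <= now - ts <= validity_hours * 3600


def null_sender_filter(envelope_from: str, headers: Dict[str, str], now: int,
                       validation_on: bool = True, validity_hours: int = 24,
                       disposition: str = "quarantine") -> str:
    """Return 'continue' when the message should go on to the other filters, otherwise the
    configured Null Sender Disposition. headers holds the returned original message's
    headers as carried in the bounce (constructed here: Received and Message-ID)."""
    if envelope_from:
        return "continue"                       # has a MAIL FROM: this filter does not apply
    if validation_on:
        tag = extract_tag(headers.get("Received", ""))
        message_id = headers.get("Message-ID", "")
        if tag and tag_valid(tag, message_id, now, validity_hours):
            return "continue"                   # a genuine report about our own outbound mail
    return disposition                          # no sender, no valid signature: dispose


if __name__ == "__main__":
    mid, now = "<abc123@example.com>", 1_700_000_000          # constructed values
    stamped = f"from mx.example.net by mail.example.com (service-tag={outbound_tag(mid, now - 3600)})"
    print(null_sender_filter("", {"Received": stamped, "Message-ID": mid}, now))            # continue
    print(null_sender_filter("", {"Received": "from a by b", "Message-ID": mid}, now))      # quarantine
    print(null_sender_filter("", {"Received": stamped, "Message-ID": mid}, now + 2 * 86400))  # quarantine
```

The expiry window is what limits replay: a captured tag can only be reused for the configured number of hours, and a forged one fails the MAC comparison regardless of its timestamp.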
Spam category filters are applied after all other filtering, including Content Manager filters, and any applicable Approved Senders list (the user's own list, or one defined for the organisation). Blatant Spam Blocking occurs before most filters, but doesn't block messages from approved senders. That means:
Approved senders bypass Spam Filters
Even if their messages contain spam-like content.
Messages with approved content bypass the category filters
But it will be blocked if it occurs in obvious spam detected by Blatant Spam Blocking.
Messages marked as advertisements are blocked
If the Subject line of a message contains the prefix “ADV:” (for “advertisement”), the message is considered spam, regardless of approved content.
Virus Blocking overrides Spam Filters
Virus Blocking scans all messages that either pass through the spam filter, are allowed to bypass spam filtering or are quarantined as spam. For example, if a message is quarantined as junk, but also determined to be infected with a virus, the message will be processed according to the virus filter disposition.
How Spam Is Identified
As a message passes through the spam filters, the message security service applies hundreds of rules to the message envelope, header, and content, all in a matter of milliseconds. Each rule describes some attribute typical of spam, and has a numerical value based on the likelihood that the attribute indicates spam. An equation is then formulated based on the weighted significance and combination of all rules triggered, and the resulting value is the message's spam score. This score is measured against the sensitivity threshold set by the user's spam filters, and a decision is made: spam or valid email.
Specifically, a Bulk Email filter sets a base level for filtering all types of spam, and individual category filters can be adjusted to filter a specific category of spam even more aggressively. The Bulk Email filter and category filters work independently of each other, but parameters from all filters collectively provide the final spam score, which can categorize the message as spam. A category filter thus multiplies the Bulk Email level and increases the number of messages that get identified as spam.
You can see a message's spam score, whether or not it's tagged as spam, by looking at the message header.
Why Catch Rates Might Vary
Developing an effective technology for filtering spam is an ongoing effort since spammers are always evolving tactics to avoid detection. To combat new and ever-changing threats, the message security service continually calibrates its
detection and filtering mechanisms, always striking a balance between catching the most spam while lowering the rate of falsely quarantined messages.
As we make adjustments, you might notice slight variances in catch rates for certain spam categories. Or you might see an increase in falsely quarantined messages. If this happens, you might want to increase or decrease your own spam filter levels accordingly: Increase sensitivity to catch more spam, or decrease levels to prevent false quarantines.
When to Use Content Manager Along With Blatant Spam Blocking
If you experience messages with undesirable content like profanity not being caught by your spam filters, you can add Content Manager filters to catch those messages.
If the objectionable content is limited to a few words and the other content does not score as spam, then the message would not trigger the spam filters. To stop these types of messages, you can create content filters that look for exactly the offending language you wish to prohibit.
Configure Spam Settings for an Organisation
You configure Blatant Spam Blocking (BSB), which deletes the most obvious spam, and Spam Disposition, which determines how spam messages are managed for a user organisation. You will enable spam filtering and set filter levels for the default user (the template used for an organisation).
Configure Blatant Spam Blocking
Blatant Spam Blocking (BSB) is an organisation level setting on the Spam Filters page that detects and deletes the most obvious spam before it reaches your email server. This feature identifies more than half of all spam. Messages are either bounced or black holed (deleted) without reaching the intended recipient or any Quarantine.
Specifically, BSB calculates the message's spam score. If the score is below 0.00001 (a perfectly valid message has a score of 100), the message is overwhelmingly deemed spam, and blocked.
Blatant Spam Blocking applies to all users in an organisation, but works only for users whose Filter Status is On.
The Reports page has statistics regarding how many messages are caught by Blatant Spam Blocking.
To configure Blatant Spam Blocking:
1. Go to the Organisation Management page for the relevant organisation.
2. Under Inbound Services, click Spam Filtering.
3. Under Blatant Spam Blocking, choose one of the following options.
BSB Off: Disables this feature for the organisation.
Bounce: Bounces obvious spam back to the sender with the error
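The ordering rules listed under "How Spam Is Identified" and the Blatant Spam Blocking threshold above fit together into one pipeline, shown here as an added example for this unit (not the vendor's code): weighted rules produce a score where 100 is a perfectly valid message and anything below 0.00001 is blatant spam; an "ADV:" subject prefix is spam regardless; approved senders bypass the spam filters, BSB included; the Bulk Email level sets the base threshold and a category filter multiplies the weight of that category's rules; and Virus Blocking overrides whatever the spam result was. The rule set, the weights, the level-to-threshold mapping and the exponential score formula are assumptions made so that the model runs; the two constants are the values the text gives.

```python
"""Simplified spam pipeline: rules -> score -> disposition (added example; rules and formula assumed)."""
import math
import re
from typing import Dict, List, Optional

BSB_THRESHOLD = 0.00001     # from the text: scores below this are blatant spam
VALID_SCORE = 100.0         # from the text: a perfectly valid message scores 100

# Constructed rules: (name, spam category or None, weight); higher weight = stronger signal
RULES = [
    ("known_spam_link", None,                10.0),
    ("forged_received", None,                 8.0),
    ("get_rich_phrase", "get-rich-quick",     2.0),
    ("explicit_phrase", "sexually-explicit",  2.5),
    ("offer_phrase",    "commercial-offers",  1.5),
]
PHRASES = {   # constructed content patterns behind the category rules
    "get_rich_phrase": r"\b(make|earn) \$?\d[\d,]* (a|per) (day|week)\b",
    "explicit_phrase": r"\bxxx\b",
    "offer_phrase":    r"\b(special offer|limited time)\b",
}
# Assumed Bulk Email levels: 1 = most lenient ... 5 = most aggressive; spam if score < threshold
BULK_THRESHOLDS = {1: 0.5, 2: 2.0, 3: 10.0, 4: 30.0, 5: 60.0}


def triggered(msg: Dict[str, object]) -> List[str]:
    """Names of the rules that fire. msg is a constructed dict with from, subject, body and
    two booleans standing in for the envelope/header checks a real rule set performs."""
    hits = [name for name in ("known_spam_link", "forged_received") if msg.get(name)]
    text = f"{msg.get('subject', '')} {msg.get('body', '')}".lower()
    hits += [name for name, pattern in PHRASES.items() if re.search(pattern, text)]
    return hits


def spam_score(hits: List[str], category_levels: Optional[Dict[str, float]] = None) -> float:
    """Combine the weights of all triggered rules into one score (assumed form:
    100 * exp(-sum of weights)); a category filter level multiplies that category's weights."""
    category_levels = category_levels or {}
    total = sum(w * category_levels.get(cat, 1.0) for name, cat, w in RULES if name in hits)
    return VALID_SCORE * math.exp(-total)


def dispose(msg: Dict[str, object], approved_senders=frozenset(), bulk_level: int = 3,
            category_levels: Optional[Dict[str, float]] = None, bsb: str = "blackhole",
            infected: bool = False) -> Dict[str, object]:
    """Decide what happens to a message. bsb is 'off', 'bounce' or 'blackhole'."""
    hits = triggered(msg)
    score = spam_score(hits, category_levels)
    approved = str(msg.get("from", "")).lower() in approved_senders
    subject = str(msg.get("subject", ""))

    if subject.startswith("ADV:"):
        verdict = "quarantine"                  # advertisement prefix: spam regardless of approval
    elif bsb != "off" and score < BSB_THRESHOLD and not approved:
        verdict = bsb                           # Blatant Spam Blocking: never reaches a Quarantine
    elif approved:
        verdict = "deliver"                     # approved senders bypass the spam filters
    elif score < BULK_THRESHOLDS[bulk_level]:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    if infected:
        verdict = "virus-disposition"           # Virus Blocking overrides the spam result
    return {"hits": hits, "score": score, "verdict": verdict}


if __name__ == "__main__":
    samples = [  # constructed messages
        {"from": "alice@example.com", "subject": "Meeting notes", "body": "agenda attached"},
        {"from": "x@spam.test", "subject": "Check this link", "body": "click here",
         "known_spam_link": True, "forged_received": True},
        {"from": "promo@shop.test", "subject": "Special offer inside", "body": "limited time only"},
    ]
    for m in samples:
        r = dispose(m)
        print(f"{m['subject']:20} score={r['score']:.6g} hits={r['hits']} -> {r['verdict']}")
```

The example also makes the text's warning about catch rates concrete: moving the Bulk Email level or a category level does not change any rule, only where the same score falls relative to the threshold, which is why a level change shifts both the catch rate and the false-quarantine rate together.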
the message security service's digital signature.
While this filter is an aspect of spam filtering, it runs at the very beginning of the message filtering process to immediately dispose of messages like invalid NDRs.
Whether or not you have configured Outbound Services for your mail server, we recommend that you turn this filter on. When the filter is on and it catches a message, the system looks ahead to Content Manager to see whether it is configured to let messages bypass the junk filters and allow valid email that does not have an SMTP-envelope sender address. Under these circumstances, you can let valid messages pass through to their recipients' inboxes.
If this filter is off, then the system does not look ahead to Content Manager and you do not have the option to let valid null-sender-address messages pass through to their recipients' inboxes.
To configure Null Sender Header Tag Validation:
Use the following options to turn Null Sender Header Tag Validation on or off, and to set the length of time during which the system can accept the digital signature:
On/Off: Select On or Off to turn Null Sender Header Tag Validation on or off.
On: Any message that does not include an SMTP-envelope sender address, but does include the message security service's digital signature bypasses this filter. All other messages that do not include an SMTP-envelope sender address are disposed of according to your Null Sender Disposition settings, and according to how Content Manager is configured.
Off: Any message without an SMTP-envelope sender address is disposed of according to your Null Sender Disposition settings.
Validate reports up to ___ hours after message delivery: Enter the number of hours that the digital signature is considered valid. After that number of hours, the signature expires, and messages with an expired signature are treated the same as messages with no signature.
Configure Spam Disposition for an Organisation
To determine what to do with filtered spam, you select a spam disposition. Do this at the organisation level, which sets the disposition for all users in that organisation.
To configure Spam Disposition:
1. Go to the Organisation Management page for the organisation.
2. Under Inbound Services, click Spam Filtering.
3. Choose the Spam Disposition:
User Quarantine: Filtered spam for each user in the organisation is sent to a separate User Quarantine. Administrators can manage this Quarantine from the user's Overview page.
If Quarantine Summary is also enabled for the organisation (under Notifications), each user receives a periodic summary of
UNIT VIII
Web Application Security
Configuration
Lesson Plan
Suggested Learning Activities
Training Resource Material
8.1 Web Application Security Overview
8.2 Configuring Cisco Web Application Security Module
8.3 Configuring ModSecurity
LESSON PLAN
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Knowledge areas: KA4, KA5, KB1 - KB4
Suggested Learning Activities: Peer group, Faculty group and Industry experts. Research and Learning. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration: 2 Hrs classroom and assessment; 10 Hrs offline (24/7)
Training Resource Material: PCs/Tablets/Laptops and Labs availability; Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security
Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.
Activity 2:
Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.
Activity 3:
Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.
Web application security is highly configurable, and can protect against the following kinds
of application attacks:
• identity theft
• buffer overflow
• form exploitation
• cookie exploitation
• noncompliant HTTP
The example in Figure shows the map summary that is displayed when you click on the Request Limits command. Every other map summary looks similar and contains similar controls. The following paragraphs describe how to use the controls on a map summary page.
Each row in the summary lists one defined map. Using the controls on a summary row you can view, clone, edit, or delete the map.
To view the definition of a map, click its underlined name at the left end of the row. The displayed page shows a read-only listing of the map definition.
To copy a map to use as the basis of a new map, click the Clone button next to the map that you want to clone. AVS displays a map editing screen that is similar to the one shown when you are adding a new map, except that all the settings are copied from the map that you cloned.
To edit a map, click the Edit button in the summary. AVS displays a map editing screen where you can change the settings in the map.
To delete one or more maps, check the box in the Delete column for each map that you want to delete. Then click the Delete Maps button to delete the checked maps.
To add a new map, click the Add New Map button to display a map editing screen where you can define the map and give it a name. The sections throughout this chapter describe the unique map editing screens for each feature.
You can click the links in the blue bar at the top of the frame to go directly to the screens identified by name.
Global Configuration and Utilities
This section describes the following global configuration and utility items that appear under the Web Application Security folder in the left hand menu of the management console:
• System Utilities
• Traffic Class Maps
• Policy Maps
• Pattern Definitions
System Utilities
Various utilities let you manage web application security configuration, logging, and statistics.
Use the System Utilities command to display a page that contains links to the system utilities, as shown in Figure below. To use a utility function, click on its link.
The statistics are initially shown for the master node, which is the first AVS 3120 node that is added to the cluster in the management console. To show statistics for a different node, click on the link with the node name in the Nodes field at the top of the screen. You can click the links above the table to jump directly to the section of the table that shows statistics for the feature named in the link. For each item in the table, the statistic shows a number of bytes or the number of times the event has occurred.
Traffic Level Stats
Click Traffic Level Stats to display statistics organized by traffic classification map. The display looks similar to that shown in Figure above, but a full set of statistics is listed for each traffic class map. Links to each of the traffic class maps appear across the top of the screen; click one to jump to the statistics for that map.
The statistics are initially shown for the master node, which is the first AVS 3120 node that is added to the cluster in the management console. To show statistics for a different node, click on the link with the node name in the Nodes field at the top of the screen.
Policy Level Stats
Click Policy Level Stats to display statistics organized by policy map. The display looks similar to that shown in Figure above, but a full set of statistics is listed for each policy map. Links to each of the policy maps appear across the top of the screen; click one to jump to the statistics for that map.
The statistics are initially shown for the master node, which is the first AVS 3120 node that is added to the cluster in the management console. To show statistics for a different node, click on the link with the node name in the Nodes field at the top of the screen.
You can scroll the log window to the right to see additional columns that include the URI, the feature responsible for the log entry, the policy map, traffic class map, feature map, and the log message. The policy map, traffic class map, and feature map names are hyperlinks, which when clicked will take you to a screen where you can edit the named map.
This page displays log entries from all web application security features by default. You can filter the displayed log items by feature by choosing the feature from the Filter By Feature drop-down list. Then click Refresh Saved Logs.
You can clear the current log file by using Clear Current Logs.
Saved Log
Click Saved Log to display the saved log, which looks similar to the Figure above. The saved log item works differently, depending on your system configuration, as follows:
• If you have an AVS 3180 Management Station, then Saved Log displays the aggregate log file of all AVS 3120 nodes that are part of the cluster in the management console. (In order to aggregate log files from all nodes in
This page lists the web application security features and pattern definitions that can have default configurations. A default configuration is the configuration that appears when you create a new map for a feature.
application traffic for possible security threats. Connect network traffic that you want to monitor to port 2 on the AVS 3120. For example, you can connect port 2 to the monitor port or Switched Port Analyzer (SPAN) port on a switch. Port 2 does not have an IP address and so does not terminate TCP/IP connections. Port 1 is used for management console connectivity and ports 3 and 4 are not used.
The port assignments for the various operating modes are summarized in the following Table.
Table 8: Port Assignments
If you change operating modes, for example from inline to gateway mode, you must restart the web application security module. This is a major change that will likely also require you to reconfigure your network routing.
In all of the operation modes, the application appliance inspects traffic that is going to and coming from the web servers.
In the Software Auto Bypass drop-down list, choose Yes if you want to enable automatic bypass in inline mode. Automatic bypass causes the application appliance to bridge packets between the incoming and outgoing ports if the web application security module fails, which allows clients to continue to access the web servers without security checks. If you choose No and the web application security module fails, client requests will not be forwarded to the web servers.
In the Old Configuration Expires After field, enter the time in seconds to allow any HTTP sessions that are in progress to finish before changing configuration when a new configuration is committed. During this grace period, the old configuration still applies to active HTTP sessions. When this period of time expires, any HTTP sessions that are still in progress are closed and the new configuration is applied.
In the Servers to protect area, you must enter the IP addresses and ports of each web server that you want the web application security module to protect. Enter the IP address of a web server in the IP address field, check the Add box, and click Update Servers. Then you will see a Port field displayed under the IP address. Enter the port to protect, check the Add box next to the port, and click Update Servers. Repeat this procedure to add each port that you want to protect on the web server.
Repeat entering the IP address and ports of each web server that you want to protect. To delete a port or web server IP address, check the Delete check box next to the port or IP address and click Update Servers.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the utilities main page without saving your changes.
Cluster Control
Click Cluster Control to display a page that allows you to stop, start or restart the web application security firewall module on individual application appliance nodes, as shown in the following Figure.
This screen shows the status (Running or Stopped) of the web application security firewall module for each node in the cluster.
You can run, stop, or restart the web application firewall module on the nodes in the cluster. Check the check boxes next to the nodes that you want to control, and then click Run, Stop, or Restart to perform that operation on the checked nodes. You can use the Include All Nodes and Exclude All Nodes buttons at the top to check or clear all check boxes.
If you want to control the status of both the Condenser and web application security firewall modules, you can use the Cluster Control command under the cluster name in the left hand menu.
Publish Configuration
Click Publish Configuration to display a page that allows you to publish a configuration to all nodes in a cluster, as shown in Figure below.
In the Publish Configuration area of the form, click the Publish button to publish the running configuration of the master AVS 3120 node to all other nodes in the same cluster. If there are no other nodes in the cluster, the Publish button is not shown.
The master node is the first AVS 3120 node that is added to the cluster in the management console. If that node is removed, then the next added node becomes the master node, and so on. The master node is identified at the top of the Publish Configuration page.
To cancel the operation and go back to the System Utilities page click Back.
Use the Publish button in situations where the master node is stable and one of the other nodes restarts or a new node is added to the cluster.
All AVS 3120 nodes in a cluster must have the same web application security running configuration. If you are operating a cluster, you must publish the web application security configuration of the master node to all other nodes.
In the Synchronize Configuration area of the form, click the Sync button to publish the configuration that is saved on the management console to all nodes in the same cluster.
Use the Sync button in situations where the master node is restarted with a different configuration and you want to resynchronize it and all other nodes with the saved configuration that is stored in the management console.
To view the saved configuration that will be published to all nodes, click the View Last committed Configuration link.
Service Policy
Click Service Policy to display a page that allows you to choose the active policy map, as shown in the following Figure.
In the Select Policy Map drop-down list, choose the policy map that you want to be active. Then click Apply Changes at the top to save your changes, or click Discard Changes to discard your changes.
Only one policy map can be active at a time. The setting on this screen interacts with enabling a policy map on the policy map summary screen shown in the following figure. Setting a policy to be enabled in that screen will cause it to be the selected service policy in this service policy screen.
Clear System Config
Click Clear System Config to clear the saved System Settings on the master AVS 3120 node. The master node is the first AVS 3120 node that is added to the cluster in the management console. You are asked in a confirmation dialog if you are sure that you want to clear the configuration. Click OK to clear or Cancel to cancel.
This command clears only the system settings, not the policy configuration. To clear the policy configuration, use Clear Config.
Commit Config
Configuration changes that you make to web application security policies must be committed before they take effect and are applied to web traffic. Before they are committed, they are stored temporarily by the management console but are not saved or applied to the AVS 3120 node where the web application security module operates.
Click Commit Config to commit the configuration changes to the master AVS 3120 node and to save them on the management console. The master node is the first AVS 3120 node that is added to the cluster in the management console. You are asked in a confirmation dialog if you are sure that you want to commit the configuration. Click OK to commit or Cancel to cancel.
If any HTTP sessions are in progress, they are given a grace period in which to finish, before the new configuration takes effect. This grace period is configurable and is described in the "System Settings" section. During this period, you normally cannot commit a second new configuration. If you need to commit another configuration before this interval has passed, use Force Commit.
After committing a configuration, we recommend that you save the configuration on the master node by using Save Config. If you have a cluster of AVS 3120 nodes, you must also publish the configuration to all nodes in the cluster by using Publish Configuration. The application appliance does not support a cluster where the nodes have different web application security configurations.
Traffic Class Maps
Traffic mapping allows you to classify HTTP request and response traffic according to a set of definable criteria. You must define a traffic map to select a set of traffic before you can apply security features to the traffic in a policy map.
Use the Traffic Class Maps command to display a page that summarizes the traffic classification maps that are defined, as shown in the following Figure.
Each row in the summary lists one defined traffic map. From here you can view, clone, edit, or delete a traffic map, or add a new map.
To view the definition of a traffic map, click its underlined name. The displayed page shows a read-only listing of the definition.
The Match column lists the matching policy of the map.
To copy a map to use as the basis of a new map, click the Clone button for the traffic map that you want to copy.
To edit a traffic map, click the Edit button for the map that you want to edit. A form similar to that shown in Figure below is displayed where you can edit the traffic map.
To delete one or more traffic maps, check the box in the Delete column for each map that you want to delete. Click Delete to delete the checked maps.
To add a new traffic map, use the Add Traffic Class area below the summary table. Give the map a name in the Map Name field. To determine how the criteria in this map are to be applied, choose one of the following radio buttons below this field:
• Match Any Criteria—This traffic map is applied if any one of the criteria is satisfied
• Match All Criteria—This traffic map is applied only if all of the criteria are satisfied
Then click the Add New Map button to create the traffic map. You are returned to the map summary page where you will see the new traffic map listed. To continue the process of defining the new map, click the Edit button for the map to display the screen shown in the Figure below. One criteria line has already been added to this traffic map.
You can add criteria lines that describe one or more characteristics of the traffic that you want to classify. From the Type drop-down list, select the traffic type: Request or Response. Next select the type of HTTP data that you want to examine for a match in the Match Criteria drop-down list.
The match criteria choices are listed in the following Table.
Table 9: Traffic Class Match Criteria
Each row in the summary lists one defined policy map. From here you can view, clone, edit, delete, or enable a policy map, or add a new map.
To view the definition of a policy map, click its underlined name. The displayed page shows a read-only listing of the definition.
The Associated Traffic Maps column lists the traffic class maps that are associated with a policy. If no traffic class maps are yet associated, it reads "No Maps Associated." The Match Criteria column lists the matching policy of the map.
To copy a map to use as the basis of a new map, click the Clone button for the map that you want to copy.
To edit a policy map and add traffic class maps, click the Edit button for the map that you want to edit. A form similar to that shown in the following Figure is displayed where you can edit the policy map.
To delete one or more policy maps, check the box in the Delete column for each map that you want to delete. Click Delete to delete the checked maps.
To enable a policy map (make it active), click the radio button in the Enable column for the map that you want to enable, then click the Enable button at the bottom of the column. You can only enable a policy map that has associated traffic class maps, and you can only enable one policy map at a time. This setting interacts with the policy map selected in the Service Policy screen of the System Utilities. Selecting a policy to be active in that screen will cause it to be displayed as enabled in this policy map summary screen.
To add a new policy map, use the Add Policy area below the summary table. Give the map a name in the Map Name field. Choose when to execute the policy by clicking one of the following radio buttons:
• First Match—Execute the policy only on the first traffic map that matches the traffic
• Match All—Execute the policy on all traffic maps that match the traffic
Then click Add New Policy Map to add the map to the summary. The new map is not
yet configured, and to do that click the Edit button for the map.
When you choose First Match for the type of traffic map matching, it is important to understand the order in which AVS matches traffic maps. Traffic matching is driven by the order in which the traffic data arrives, which is: HTTP method, HTTP version, host, URL, cookie name, and cookie value. There can be multiple cookies and they can arrive in any order, so the value of one cookie could cause a match before the name of another cookie.
Say that you have a traffic map, url-class, that matches on a specific URL, and another traffic map, cookie-class, that matches on a cookie name. In an incoming request, the URL arrives before any cookies, so if the URL matches url-class, then this will cause a First Match policy to fire (if it uses this traffic map). The cookie-class might also match this request, but it is not invoked since the url-class already triggered its policy.
The order in which traffic maps are listed in the traffic maps list (see Figure below) is irrelevant and does not signify the order in which traffic maps are evaluated for a match.
Adding a Traffic Map to a Policy Map
To define a policy map and add traffic class maps, in the map summary table click the Edit button for the map that you want to edit. A form similar to that shown in the following Figure is displayed where you can edit the policy map.
When you first edit a new policy map, there are no traffic maps included in it. To begin defining a policy, choose a traffic map from the Traffic Map Name drop-down list. Then click the Add check box to put a check in it and click the Update List button to add the traffic map to the policy. For details on the predefined default traffic maps.
After the update, the screen looks like that shown in the following figure.
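The First Match behaviour described above, where the arrival order of the request data decides which traffic map fires rather than the order of the list, as an added worked example. This is not code from the handbook or from Cisco AVS: the Request, TrafficMap and PolicyMap classes, the field names and the tie-breaking rule for maps satisfied at the same point are assumptions of this example. It also models the Match Any / Match All Criteria choice on a traffic map and the First Match / Match All choice on a policy map, which the text describes separately.

```python
"""Traffic class map matching in arrival order (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Order in which HTTP request data arrives, as the handbook lists it.
ARRIVAL_ORDER = ("method", "version", "host", "url", "cookie_name", "cookie_value")


@dataclass
class Request:
    method: str
    version: str
    host: str
    url: str
    cookies: List[Tuple[str, str]] = field(default_factory=list)  # in wire order

    def arrival_stream(self) -> List[Tuple[str, str]]:
        """Flatten the request into (field, value) pairs in arrival order.
        Cookies arrive after the URL; each cookie's name precedes its value."""
        stream = [("method", self.method), ("version", self.version),
                  ("host", self.host), ("url", self.url)]
        for name, value in self.cookies:
            stream.append(("cookie_name", name))
            stream.append(("cookie_value", value))
        return stream


@dataclass
class TrafficMap:
    name: str
    criteria: List[Tuple[str, str]]   # (field, expected value)
    match_all: bool = True            # True = Match All Criteria, False = Match Any

    def match_position(self, req: Request) -> Optional[int]:
        """Return the stream index at which this map is satisfied, or None."""
        stream = req.arrival_stream()
        positions = []
        for fld, expected in self.criteria:
            hit = next((i for i, (f, v) in enumerate(stream)
                        if f == fld and v == expected), None)
            positions.append(hit)
        if self.match_all:
            if any(p is None for p in positions):
                return None
            return max(positions)   # satisfied only once the last criterion arrives
        hits = [p for p in positions if p is not None]
        return min(hits) if hits else None  # satisfied by the earliest criterion


@dataclass
class PolicyMap:
    name: str
    traffic_maps: List[TrafficMap]
    first_match: bool = True          # True = First Match, False = Match All

    def evaluate(self, req: Request) -> List[str]:
        """Names of the traffic maps whose policy fires for this request."""
        fired = [(tm.match_position(req), i, tm.name)
                 for i, tm in enumerate(self.traffic_maps)]
        fired = [(pos, i, name) for pos, i, name in fired if pos is not None]
        if not fired:
            return []
        if self.first_match:
            # Earliest arrival position wins; list order only breaks exact ties
            # (the tie-break is an assumption, the handbook does not specify it).
            _, _, name = min(fired)
            return [name]
        return [name for _, _, name in fired]


def demo() -> Dict[str, List[str]]:
    """The handbook's url-class / cookie-class scenario on a constructed request."""
    url_class = TrafficMap("url-class", [("url", "/login")])
    cookie_class = TrafficMap("cookie-class", [("cookie_name", "session")])
    req = Request("GET", "HTTP/1.1", "shop.example", "/login",
                  cookies=[("session", "abc123")])
    # cookie-class is listed first on purpose: list order does not matter.
    first = PolicyMap("p-first", [cookie_class, url_class], first_match=True)
    every = PolicyMap("p-all", [cookie_class, url_class], first_match=False)
    other = Request("GET", "HTTP/1.1", "shop.example", "/home",
                    cookies=[("session", "abc123")])
    return {"first_match": first.evaluate(req),        # ['url-class']
            "match_all": every.evaluate(req),          # both maps
            "first_match_no_url": first.evaluate(other)}  # ['cookie-class']
```

Running demo() shows url-class winning under First Match even though cookie-class is listed first, because the URL arrives at position 3 of the stream and the cookie name at position 4; with Match All both maps fire.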
The newly added traffic map is shown in the first row under the Traffic Map Name heading. Each row summarizes one traffic map that is part of this policy definition. The last row allows you to add a new traffic map by selecting its name from the drop-down list of traffic maps, clicking the Add check box, and clicking the Update List button.
Using the controls in the summary row for a traffic map, you can view the policy for the map, delete it, or edit it.
To view the policy for a traffic map, click its underlined name. The displayed page shows a read-only listing of the policy definition.
To delete one or more traffic maps from this policy definition, check the box in the Delete column for each map that you want to delete. Click Update List to delete the checked maps.
To edit the policy for a traffic map, click the Edit button.
When you are finished adding or editing traffic map policies, click Apply Changes to save your changes, or click Discard Changes to return to the summary page without saving your changes.
Associating Security Feature Maps with a Traffic Map
To edit the policy for a traffic map, click the Edit button in the summary. A form similar to that shown in the Figure above is displayed where you can edit the policy definition by choosing which security feature maps to apply to the traffic class.
On this screen, you choose which security features to apply to the traffic map shown in the Traffic Map Name field. You can choose a general response action and/or apply one or more feature maps to the traffic.
To apply a general response action, choose one of the following actions from the Response Action drop-down list:
• None—Take no action
• Reset client—Reset the client side of the connection
• Drop—Drop the connection silently
• Reset server client—Reset both the server and client sides of the connection
• Reset server—Reset the server side of the connection
• Error Page—Send an error page. Choose the error page to send from the next drop-down list to the right. You define such error pages by using the send page feature.
Click the Log check box to log the event.
To apply a feature map to the traffic, choose a feature from the Feature drop-down list and then from the Map Name drop-down list, choose one of the feature maps that you have defined for that feature. Then click the Update List button to take you back to the screen shown in Figure above. You can add multiple feature maps to be applied to this traffic map by editing the traffic map again and following the same procedure.
Traffic maps that contain response criteria cannot be used to trigger a feature that is operating on a request. For example, if you have a traffic map that uses the content-type criteria (a response criteria), this traffic map cannot be used in a policy where it is associated with a request limits feature map.
Many features can apply to both requests and responses. If such a feature operates only on response data and not on request data, then it can be associated with a traffic map that contains response criteria. For example, if you have a traffic map that uses the set-cookie-name criteria (a response criteria), this traffic map can be used in a policy where it is associated with a cookie protection map, as long as the cookie protection map operates only on response cookies. If the cookie protection map includes any request cookie operations, then the policy is invalid and will not be allowed.
The default traffic map class-default-request can be associated with feature maps that operate only on request data. A policy map that contains the class-default-request traffic map cannot include other traffic maps that contain the request-body matching criteria.
The default traffic map class-default-response can be associated with feature maps that operate only on response data. A policy map that contains the class-default-response traffic map cannot include other traffic maps that contain the response-body matching criteria.
To delete an associated feature map, check the Delete check box for the map and click Update List.
If you would rather cancel the changes that you made on this form, click the Discard Changes button.
The following features are available in the Feature drop-down list:
to be added to the Included Regular Expressions list.
You can remove a regular expression from the Included Regular Expressions list by selecting it and clicking the left arrow (<--) button.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.
This section describes the following security feature configuration items that appear under
the Web Application Security folder in the left hand menu of the Management Console:
• URL Normalization
• Cookie Protection
• ID Theft Protection
• Request Limits
• Error/Redirect Pages
• Web Cloaking
• URL Tagging
Give the new map a name in the Map Name field. In the Normalize Case drop-down list, select True to normalize the case of URLs or False to ignore case.
The following part of the form lists a number of conditions that may indicate a possible attack and lets you determine what action to take if one of the following conditions is detected in a URL:
• Encoding—Any kind of character encoding
• Escape encoding—Escape character encoding
• Percent-U encoding—Percent-U character encoding
• Unicode encoding—Unicode character encoding
• Combination of encoding schemes—A combination of character encoding schemes
• Multiple levels of encoding—Multi-level character encoding
• Unsupported encoding—Unsupported character encoding
• Overlong unicode encoding—Overlong unicode character encoding
• Null encoding—Null character encoding
• Forward directory traversal—Forward directory traversal
• Backward directory traversal—Backward directory traversal
In the Action drop-down list for each item, choose one of the following actions to take if the condition occurs:
• None—Take no action
• Reset server—Reset the server side of the connection
• Reset client—Reset the client side of the connection
• Reset server and client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
You define such error pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define such redirection pages by using the redirect page feature.
For each item you can also click the Log check box to log the event.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.
Cookie Protection
Web applications store a variety of information in plain text cookies. The application appliance protects against cookie tampering by using hashed cookies and provides cookie privacy by encrypting cookies. The application appliance also supports adding and removing cookie attributes, and filtering cookies based on user configurable attributes such as HTTP-only cookies, maximum age, number of cookies, and others. The cookie protection features operate both on server cookies sent to clients in HTTP responses and on client cookies that are sent back to servers in HTTP requests.
Use the Cookie Protection command to display a page that summarizes the cookie protection maps that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following Figure.
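The URL Normalization conditions listed in the previous section (escape, percent-U and unicode encoding, a combination of schemes, multiple levels of encoding, unsupported and overlong encoding, null encoding, and directory traversal) as an added Python checker that decodes a URL level by level and names what it found. This is example code, not the handbook's or the appliance's implementation: the POLICY table, the SEVERITY ranking, the error page name bad-request, the three-level decoding limit and the reading of "forward directory traversal" as "./" path segments are assumptions of this example.

```python
"""URL Normalization conditions as a checker (constructed example)."""
import re
from typing import List, Tuple

PCT = re.compile(r"%([0-9A-Fa-f]{2})")
PCT_U = re.compile(r"%[uU]([0-9A-Fa-f]{4})")
# A '%' that starts neither a %XX nor a %uXXXX sequence
BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2}|[uU][0-9A-Fa-f]{4})")

# Constructed policy: condition -> action from the form's Action list.
# When several conditions fire, the most severe action wins.
POLICY = {
    "Backward directory traversal": "Drop",
    "Null encoding": "Drop",
    "Overlong unicode encoding": "Reset client",
    "Multiple levels of encoding": "Reset client",
    "Combination of encoding schemes": "Reset client",
    "Unsupported encoding": "[SEND-PAGE] bad-request",
}
SEVERITY = {"Drop": 3, "Reset client": 2, "[SEND-PAGE] bad-request": 1, "None": 0}


def _decode_once(url: str) -> Tuple[str, List[str]]:
    """Decode one level of %uXXXX and %XX encoding; report what was seen."""
    seen: List[str] = []
    if PCT_U.search(url):
        seen.append("Percent-U encoding")
    if PCT.search(url):
        seen.append("Escape encoding")
    if len(seen) == 2:
        seen.append("Combination of encoding schemes")
    if BAD_PCT.search(url):
        seen.append("Unsupported encoding")
    text = PCT_U.sub(lambda m: chr(int(m.group(1), 16)), url)
    raw = bytearray()
    i = 0
    while i < len(text):
        m = PCT.match(text, i)
        if m:
            raw.append(int(m.group(1), 16))
            i = m.end()
        else:
            raw.extend(text[i].encode("utf-8"))
            i += 1
    try:
        decoded = raw.decode("utf-8")          # strict: rejects overlong forms
        if any(ord(c) > 0x7F for c in decoded):
            seen.append("Unicode encoding")
    except UnicodeDecodeError as err:
        lead = raw[err.start]
        nxt = raw[err.start + 1] if err.start + 1 < len(raw) else 0
        overlong = (lead in (0xC0, 0xC1) or (lead == 0xE0 and nxt < 0xA0)
                    or (lead == 0xF0 and nxt < 0x90))
        seen.append("Overlong unicode encoding" if overlong else "Unsupported encoding")
        decoded = raw.decode("utf-8", errors="replace")
    return decoded, seen


def normalize_url(url: str, max_levels: int = 3) -> Tuple[str, List[str]]:
    """Fully decode url; return (normalized url, conditions detected)."""
    enc: List[str] = []
    current, levels = url, 0
    while levels < max_levels:
        if levels and not (PCT.search(current) or PCT_U.search(current)):
            break                              # nothing left to decode
        decoded, seen = _decode_once(current)
        for cond in seen:
            if cond not in enc:
                enc.append(cond)
        if decoded == current:
            break
        current, levels = decoded, levels + 1
    if levels > 1:
        enc.append("Multiple levels of encoding")
    if "\x00" in current:
        enc.append("Null encoding")
    conds = (["Encoding"] if enc else []) + enc   # "Encoding" = any kind seen
    segments = current.split("?", 1)[0].split("/")
    if ".." in segments:
        conds.append("Backward directory traversal")
    if "." in segments:   # assumption: "forward" traversal = self-referencing "./"
        conds.append("Forward directory traversal")
    return current, conds


def decide(url: str) -> Tuple[str, List[str], str]:
    """Apply POLICY to the detected conditions: (normalized, conds, action)."""
    normalized, conds = normalize_url(url)
    action = max((POLICY.get(c, "None") for c in conds),
                 key=SEVERITY.get, default="None")
    return normalized, conds, action
```

A doubly percent-encoded "../" is the case the multi-level decoding exists for: the first pass yields "%2e%2e", the second yields "..", and only then does the traversal check see it, which is why the checker normalizes before it matches.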
Give the new map a name in the Map Name field.
The next three Tamper Proof fields set the key and algorithm used for hashing cookies. In the Tamper Proof Key Length drop-down list, choose the key length in bits that you want to use. In the Tamper Proof Key field, enter a key of the chosen length. You must enter 16 characters for a 128-bit key or 32 characters for a 256-bit key. Spaces are not allowed in keys. In the Tamper Proof Algorithm drop-down list, choose the hashing algorithm to use. Currently, AVS supports only SHA-1.
The next three Encrypt fields set the key and algorithm used for encrypting cookies. In the Encrypt Key Length drop-down list, choose the key length in bits that you want to use. In the Encrypt Key field, enter a key of the chosen length. You must enter 16 characters for a 128-bit key or 32 characters for a 256-bit key. Spaces are not allowed in keys. In the Encrypt Algorithm drop-down list, choose the encryption algorithm to use. Currently, AVS supports only AES.
In the Process Response Cookies drop-down list, choose the cookie protection actions to take on all response cookies (cookies sent from the server to the client). The following actions are defined:
• Allow individual cookie processing—Allow response rule map processing whereby you can enable encryption and/or tamper proofing on selected cookies, based on cookie/attribute names and values;
• Encrypt all cookies—Encrypt all cookies
• Tamper proof all cookies—Hash all cookies to prevent tampering
• Encrypt and tamper proof all cookies—Encrypt and hash all cookies
The next part of the form lists a number of cookie problems and lets you determine what action to take if one of the following events occurs:
• Alien Cookie—A cookie is observed that is not one processed by the AVS cookie protection feature
• Old Cookie—A cookie sent from the client uses an old version of the hash or encryption key. In this case, the cookie cannot be unhashed or decrypted.
• Encrypt Fail—Cookie decryption failed
• Tamper Proof Verification Fail—Verification that the cookie was not tampered with failed, so this may indicate possible cookie tampering
• Server Cookie Range not between—The number of server cookies is not within the specified range. Enter a range of integers, with the smaller number in the first field and the larger number in the second field.
• Client Cookie Range not between—The number of client cookies is not within the specified range. Enter a range of integers, with the smaller number in the first field and the larger number in the second field.
In the Action drop-down list for each item, choose one of the following actions to take if the event occurs:
• Allow—Allow the request unchanged
• Remove cookie—Remove the cookie that triggered the event
• Drop—Drop the connection silently
• Reset—Reset the connection
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified
by pagename. You define such redirection pages by using the redirect page feature.
For each item you can also click the Log check box to log the event.
By using the next parts of the form, you can add rule-based processing to cookies that is based on their values and attributes. These next form parts are described in the following sections:
• Response Attribute Rule Maps
• Response Rule Maps
• Request Rule Maps
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.
Response Attribute Rule Maps
In the Response Attribute Rule Maps section, you can define operations to set, insert, or remove specific cookie attributes from response cookies (cookies sent from the server to the client). You can delete one or more operations by clicking the Delete check box next to each operation that you want to delete and then clicking the Delete button.
To add a new attribute operation, click the Add New button to open the window shown in the following Figure.
From the Operation drop-down list, select the type of operation you want to perform, as follows:
• Insert—Insert an attribute with the specified name and value. If the attribute already exists, its value is replaced with the specified value.
• Remove—Remove the attribute with the specified name and value. If the attribute exists but the value is different from the specified value, it is not removed.
• Set—Set an existing attribute with the specified name to the specified value. If the attribute does not exist, it is not added. To insert a new attribute, use Insert.
Enter the attribute name in the Attribute Name field and its value in the Attribute Value field. When you are finished, click Create to add the operation or Close Window to cancel the operation.
When you add a new operation, it will be listed in the Response Attribute Rule
Maps section of the cookie protection map form.
Response Rule Maps
In the Response Rule Maps section, you can define rule maps for response cookies (cookies sent from the server to the client). In a response rule map, you can specify specific cookies to which to apply encryption and/or tamper proofing actions. This response rule map processing applies only if the Process Response Cookies element is set to Allow individual cookie processing in the cookie protection map.
If there are already rule maps listed here, you can view them by clicking on the underlined identifier in the RuleMaps column. You can edit a rule map by clicking the Edit button next to the map name. You can delete one or more rule maps by clicking the Delete check box next to each rule map that you want to delete and then clicking the Delete button.
To add a new rule map, click the Add New button to open the window shown in the figure below.
Enter a unique name for the rule map in the Rule Map Name field. You can specify a numeric priority (from 1 to 65535) in the Numeric Priority field, which is used to order the rule maps. Rule maps are applied to cookies in descending order of priority (highest number priority first). If the criteria in the next priority rule map do not match the cookie, then the rule map with the next highest priority that matches is applied.
Identify the cookie to which this rule map is to be applied by name and/or value in the Cookie Name and Cookie Value fields. You can use regular expressions in these fields.
You can also identify cookies by attribute name and/or value by specifying one or more regular expressions in the Attribute Name and Attribute Value fields. If you specify more than one name/value pair, all specified attributes must be present in that order for this rule to match a cookie.
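To make the rule map selection and the Tamper proof action concrete, here is an added Python example; it is not AVS code. It models response rule maps with numeric priorities, cookie name/value and ordered attribute regular expressions, and implements tamper proofing as an HMAC-SHA256 tag appended to the cookie value, then checks that tag on the request side. The handbook only says "hash"; the keyed tag, the separator, the key value, the rule and cookie samples and the request-side bookkeeping are this example's assumptions, and encryption is left out because it needs a non-stdlib AES library.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Hypothetical tamper-proofing key; the AVS form takes a 16- or 32-character key.
TAMPER_KEY = b"0123456789abcdef"
SEP = "."  # separates the cookie value from its tag (this example's choice)


@dataclass(frozen=True)
class RuleMap:
    name: str
    priority: int               # 1..65535; higher numbers are tried first
    cookie_name: str = ".*"     # regular expressions, as in the rule map form
    cookie_value: str = ".*"
    attributes: tuple = ()      # (name_re, value_re) pairs; all must be present, in order
    action: str = "tamper_proof"


def parse_set_cookie(header):
    """Split 'name=value; Path=/; Secure' into (name, value, [(attr, val), ...])."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = []
    for part in parts[1:]:
        attr, _, val = part.partition("=")
        attrs.append((attr, val))  # flag attributes such as Secure get val == ""
    return name, value, attrs


def rule_matches(rule, name, value, attrs):
    if not (re.search(rule.cookie_name, name) and re.search(rule.cookie_value, value)):
        return False
    pos = 0  # each required attribute must appear after the previous one
    for name_re, value_re in rule.attributes:
        while pos < len(attrs) and not (re.search(name_re, attrs[pos][0])
                                        and re.search(value_re, attrs[pos][1])):
            pos += 1
        if pos == len(attrs):
            return False
        pos += 1
    return True


def select_rule(rules, name, value, attrs):
    """Descending priority: the highest-numbered rule whose criteria match wins."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule_matches(rule, name, value, attrs):
            return rule
    return None


def tag(value):
    mac = hmac.new(TAMPER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}{SEP}{mac}"


def verify(tagged):
    """Return (ok, original_value); ok is False when the tag does not match."""
    value, sep, _mac = tagged.rpartition(SEP)
    if not sep:
        return False, tagged
    return hmac.compare_digest(tag(value), tagged), value


def protect_response(set_cookie_headers, rules):
    """Server-to-client direction: rewrite Set-Cookie headers and remember which
    cookie names were protected (the request-side check applies only to those)."""
    out, protected = [], set()
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        rule = select_rule(rules, name, value, attrs)
        if rule is not None and rule.action == "tamper_proof":
            value = tag(value)
            protected.add(name)
        rest = "; ".join(attr if not val else f"{attr}={val}" for attr, val in attrs)
        out.append(f"{name}={value}" + (f"; {rest}" if rest else ""))
    return out, protected


def check_request(cookie_header, protected):
    """Client-to-server direction: verify every cookie the server protected.
    Returns (cookies to forward with tags stripped, names whose tag failed)."""
    passed, tampered = {}, []
    for item in cookie_header.split(";"):
        name, _, value = item.strip().partition("=")
        if name not in protected:
            passed[name] = value      # implicitly allowed, as the text describes
            continue
        ok, original = verify(value)
        if ok:
            passed[name] = original
        else:
            tampered.append(name)     # the "tampered with" event; act per the map's Action
    return passed, tampered


# Constructed sample: two rule maps that both match session cookies; the
# higher priority one additionally requires Secure then HttpOnly, in that order.
RULES = (
    RuleMap("all-cookies", priority=20),
    RuleMap("sessions", priority=100, cookie_name=r"^sess",
            attributes=(("^Secure$", ""), ("^HttpOnly$", ""))),
)
RESPONSE = ["sessionid=abc123; Path=/; Secure; HttpOnly", "theme=dark; Path=/"]
```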
In the Action drop-down list, select the action to apply to matched cookies, as follows:
• Encrypt—Encrypt all cookies
• Tamper proof—Hash all cookies to prevent tampering
• Encrypt and tamper proof—Encrypt and hash all cookies
If you want to log the event, click the Log check box next to the Action field.
When you are finished, click Create to add the rule map or Close Window to cancel the operation.
Request Rule Maps
In the Request Rule Maps section, you can define rule maps for request cookies (cookies sent from the client to the server). In a request rule map, you can specify cookies to drop or to cause a connection reset.
Request rule map processing occurs regardless of the setting of the Process Response Cookies drop-down list, but operates only on request cookies that were initially processed by the cookie protection feature in the server to client direction. Any cookies that do not meet this criteria are implicitly allowed, though they are processed by other cookie protection features and may be removed as a result of that processing.
If there are already rule maps listed here, you can view them by clicking on the underlined identifier in the RuleMaps column. You can edit a rule map by clicking the Edit button next to the map name. You can delete one or more rule maps by clicking the Delete check box next to each rule map that you want to delete and then clicking the Delete button.
To add a new rule map, click the Add New button to open the window shown in the following figure.
Enter a unique name for the rule map in the Rule Map Name field. You can specify a numeric priority (from 1 to 65535) in the Numeric Priority field, which is used to order the rule maps. Rule maps are applied to cookies in descending order of priority (highest number priority first). If the criteria in the next priority rule map do not match the cookie, then the rule
Give the new map a name in the Map Name field.
You can protect social security numbers, credit card numbers, and custom types of numbers by using the SSN, Credit Card, and Custom controls. In the SSN drop-down list, choose one of the defined SSN regular expression sets. In the Credit Card drop-down list, choose one of the defined credit card number regular expression sets. In the Custom drop-down list, choose one of the defined custom regular expression sets. These regular expression sets are defined by using the Pattern Definitions command.
In the Action drop-down lists that are to the right of the other fields, choose the action to perform when the firewall finds a number that matches one of these sets of regular expressions. The following actions are defined:
• None—Take no action
• Reset server—Reset the server side of the connection
• Reset client—Reset the client side of the connection
• Reset server client—Reset both the server and client sides of the connection
• Blank out—Substitute an "x" character for each number in the string that matches the regular expression. This action is not available for Custom expressions.
If you want to log the event, click the Log check box next to the Action field.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.
Request Limits
Many web sites use user-supplied input to create dynamic web pages. Improper validation of inputs such as URL, URL query string, and HTTP headers, can lead to buffer overflow attacks. A buffer overflow attack is when a program writes data beyond its allocated space. These attacks can cause denial of service by crashing the server and/or injecting malicious code to alter program execution. Execution of the malicious code facilitates exploit of downstream resources. Such attacks can be prevented by enforcing boundary length checking on all inputs received from the client.
Use the Request Limits command to display a page that summarizes the request limit maps that are defined and to view, delete, clone, edit or add new maps. For details on using the summary page GUI.
When you click the button to add a new map, AVS displays the screen shown in the following figure.
Give the new map a name in the Map Name field.
In the URL length checks area you can enter the maximum lengths, in bytes, for various parts of the URL, as follows:
• URI Length—Maximum length of the URI not including the query portion
• Query Length—Maximum length of the query portion of the URI
• URI+Query Length—Maximum length of the full URI including the query portion
In the Action drop-down list, choose the action to apply if one of the above lengths is exceeded. Actions include these:
• None—Take no action
• Drop—Drop the connection silently
• Reset client—Reset the client side of the connection
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define such redirection pages by using the redirect page feature.
If you want to log the event when a URL length parameter is exceeded, click the Log check box next to the Action drop-down list.
To limit header length, in the Default Header Length field you can enter the maximum length allowed for any single HTTP header. In the Action drop-down list, choose the action to apply if any header exceeds this limit. The actions are the same as those for the URL length settings. If you want to log the event when a header length limit is exceeded, click the Log check box below the Action drop-down list.
To limit the number of headers, in the Number of Headers field you can enter the maximum number of HTTP headers allowed. In the Action drop-down list, choose the action to apply if the number of headers exceeds this limit. The actions are the same as those for the URL length settings. If you want to log the event when the header limit is exceeded, click the Log check box next to the Action drop-down list.
In the Advanced Checks area, you can check if a particular header value exceeds a length limit. Choose the header to check from the Parameter Name drop-down list. If the header you want to check is not listed, select custom and enter the header name in the field below the drop-down list. Enter the maximum length of the header's value in the Parameter Value field. Then check the Add check box and click Update Parameters to add this header value check to the map. You can repeat this procedure to add more header value checks to the map. In the Action drop-down list, choose the action to apply if any of the header values exceeds the specified limits. The actions are the same as those for the URL length settings. If you want to log the event when a header value length limit is exceeded, click the Log check box next to the Action drop-down list.
To delete a header value length check, click the Delete check box next to the header check that you want to delete and then click Update Parameters.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.
Error/Redirect Pages
Error obfuscation makes it more difficult for hackers to discover identifying information about the web server and application by masking or mapping error
messages that might normally be returned to the user. Many security vulnerabilities are dependent on specific software versions and hiding this information can increase the security of the system.
AVS implements the following techniques for error obfuscation:
Error obfuscation can be triggered as the action to perform when one of the following web application security features encounters an error: URL Normalization, Cookie Protection, Request Limits, Input Validation Checks, and HTTP Protocol Conformance.
Each of the four summary sections of the page lists the maps configured for a sub-feature of error obfuscation. Each defined map is summarized on one line. From here you can view, clone, edit, or delete a map, or add a new map.
To view the definition of a map, click its underlined name. The displayed page shows a read-only listing of the definition.
To copy a map to use as the basis of a new map, click the Clone button next to the map that you want to clone.
To edit a map, click the Edit button in the summary. A form similar to that shown when adding a map is displayed where you can edit the map.
To delete one or more maps, check the box in the Delete column for the map. Click Delete Maps to delete the checked maps.
To add a new map or template, click the Add New Map or Add New Template button for the item that you want to add.
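Returning to the Request Limits map described earlier, the URI, query and URI+query length checks, the single-header length and header count limits, and the Advanced Checks on individual header values can be evaluated against a raw request as in this added Python example (not AVS code). The map fields, the byte-level definition of each length, the sample limits and requests, and the "most severe action wins" rule for combining several hits are this example's assumptions; the handbook configures each Action separately.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class RequestLimitsMap:
    map_name: str
    uri_length: int                 # bytes of the URI without the query portion
    query_length: int               # bytes of the query portion
    uri_query_length: int           # bytes of the full URI including the query
    url_action: str                 # None / Drop / Reset client / [SEND-PAGE] p / [REDIRECT-PAGE] p
    default_header_length: int      # bytes of any single "Name: value" header line
    header_length_action: str
    number_of_headers: int
    header_count_action: str
    header_value_limits: Dict[str, int] = field(default_factory=dict)  # Advanced Checks
    header_value_action: str = "Drop"


def parse_request(raw: bytes):
    """Split a raw request head into (method, request-target, [(name, value, line_bytes)])."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1"), value.strip(), len(line)))
    return method.decode("latin-1"), target, headers


def evaluate(limits: RequestLimitsMap, raw: bytes) -> List[Tuple[str, str]]:
    """Return an (event, action) pair for every limit the request exceeds."""
    _method, target, headers = parse_request(raw)
    uri, _, query = target.partition(b"?")
    events = []
    if len(uri) > limits.uri_length:
        events.append(("URI Length", limits.url_action))
    if len(query) > limits.query_length:
        events.append(("Query Length", limits.url_action))
    if len(target) > limits.uri_query_length:
        events.append(("URI+Query Length", limits.url_action))
    if any(size > limits.default_header_length for _, _, size in headers):
        events.append(("Default Header Length", limits.header_length_action))
    if len(headers) > limits.number_of_headers:
        events.append(("Number of Headers", limits.header_count_action))
    for name, value, _ in headers:
        cap = limits.header_value_limits.get(name.lower())  # header names are case-insensitive
        if cap is not None and len(value) > cap:
            events.append((f"Header value: {name}", limits.header_value_action))
    return events


# Constructed ranking so that one decision can be taken when several checks fire.
SEVERITY = {"None": 0, "[REDIRECT-PAGE]": 1, "[SEND-PAGE]": 1, "Drop": 2, "Reset client": 3}


def severity(action: str) -> int:
    key = action.split(" ", 1)[0] if action.startswith("[") else action
    return SEVERITY.get(key, 0)


def decide(events: List[Tuple[str, str]]) -> str:
    """Most severe configured action among the events that fired, or "None"."""
    return max((action for _, action in events), key=severity, default="None")


# Constructed limits and requests for a small shop application.
LIMITS = RequestLimitsMap(
    map_name="shop-limits", uri_length=64, query_length=128, uri_query_length=160,
    url_action="[SEND-PAGE] request-too-long",
    default_header_length=256, header_length_action="Drop",
    number_of_headers=20, header_count_action="Drop",
    header_value_limits={"cookie": 512, "user-agent": 128},
    header_value_action="Reset client",
)
OK_REQUEST = (b"GET /catalog/item?id=42 HTTP/1.1\r\nHost: shop.example\r\n"
              b"User-Agent: test-client/1.0\r\n\r\n")
LONG_QUERY = (b"GET /catalog/item?id=" + b"9" * 200 + b" HTTP/1.1\r\n"
              b"Host: shop.example\r\n\r\n")
BIG_COOKIE = (b"GET / HTTP/1.1\r\nHost: shop.example\r\nCookie: " + b"x" * 600
              + b"\r\n\r\n")
```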
Give the template a name in the Template Name field.
Add one or more headers to the template by choosing a header name from the Header Name drop-down list. If you want to add a header that is not in the list, choose Custom and enter the name of the header in the field below the list. Enter the value of the header in the Header Value field next to the name. Then click the Add check box and click the Update Headers button to add the header to the template. You can add multiple headers by following the same procedure for each one.
To delete a header from the template, click the Delete check box next to it and click the Update Headers button.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.
After at least one send page header template is defined, you can define a send page map, which defines the error page that you want to send to the client. Click the Add New Map button on the summary page to display the form shown in the following figure.
Give the error page map a name in the Map Name field.
You can define two different sets of error codes, error phrases, and header templates that are to be sent in response to HTTP requests that use HTTP versions 1.0 and 1.1. If you want to define an error page that is to be sent in response to HTTP version 1.0 requests, check the HTTP Version 1.0 check box and complete the fields on that line. To send this error page in response to HTTP version 1.1 requests, check the HTTP Version 1.1 check box and complete the fields on that line. To respond to both versions of HTTP requests, check both check boxes. This error page is sent only if the HTTP version setting matches the HTTP version of the request.
In the Error Code drop-down list, choose the error code that this error page should show to the client. In the Error Phrase field, enter the phrase that should be used to describe this error. By default, the Error Phrase field initially shows the standard error phrase that corresponds to the selected error code, but you can change it.
In the Header Template drop-down list, select the name of the send page header template map that you want to use for this error page. If no header templates are defined, only --Select-- is shown in this list, and you must define a send page header template before you can define a send page map. Go back to the summary page and use the Add New Template button to define a header template.
In the Include Date Header drop-down list, select Yes or No to include a date header or not in the error page.
In the HTTP Body field, enter the HTML for the body of the error page.
In the Content Type drop-down list, select the MIME type of the page content: either text/plain or text/html.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use
the settings on this form as the default for new maps of this type, click Set As Default.
Redirect Page Configuration
Before you can configure a redirect page map, you must first define a redirect page header template, which is a template of HTTP headers that can be sent on redirect pages. To define a redirect page header template, on the summary page, click on the Add New Template button to display the form shown in the following figure.
Give the template a name in the Template Name field.
Add one or more headers to the template by choosing a header name from the Header Name drop-down list. If you want to add a header that is not in the list, choose Custom and enter the name of the header in the field below the list. Enter the value of the header in the Header Value field next to the name. Then click the Add New check box and click the Update Headers button to add the header to the template. You can add multiple headers by following the same procedure for each one.
To delete a header from the template, click the Delete check box next to it and click the Update Headers button.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.
After at least one redirect page header template is defined, you can define a redirect page map, which defines the redirect page that you want to send to the client. Click the Add New Map button on the summary page to display the form shown in the following figure.
Give the redirect page map a name in the Map Name field.
You can define two different sets of error codes, error phrases, and header templates that are to be sent in response to HTTP requests that use HTTP versions 1.0 and 1.1. If you want to define a redirect page that is to be sent in response to HTTP version 1.0 requests, check the HTTP Version 1.0 check box and complete the fields on that line. To send this redirect page in response to HTTP version 1.1 requests, check the HTTP Version 1.1 check box and complete the fields on that line. To respond to both versions of HTTP requests, check both check boxes. This redirect page is sent only if the HTTP version setting matches the HTTP version of the request.
In the Error Code drop-down list, choose the error code that this error page should show to the client. In the Error Phrase field, enter the phrase that should be used to describe this error. By default, the Error Phrase field initially shows the standard error phrase that corresponds to the selected error code, but you can change it.
In the Header Template drop-down list, select the name of the redirect page header template map that you want to use for this redirect page. If no header templates are defined, only --Select-- is shown in this list, and you must define a redirect page header template before you can define a send page map. Go back to the summary page and use the Add New Template button to define a header template.
In the Location Header field, enter the absolute URI of the location to which the client should be redirected.
In the Include Date Header drop-down list, select Yes or No to include a date header or not in the redirect page.
In the HTTP Body field, enter the HTML for the body of the redirect page.
In the Content Type drop-down list, select the MIME type of the page content: either text/plain or text/html.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.
Web Cloaking
Web cloaking makes it more difficult for hackers to discover identifying information about the web server and
• Adding false headers to confuse attackers
Use the Web Cloaking command to display a page that summarizes the web cloaking maps that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.
Give the new map a name in the Map Name field.
If you want to log web cloaking actions, click the Enable Log check box.
In the Available Headers/Header Sequence area you can change the sequence of individual HTTP headers in responses. Select the header that you want to be first from the Standard list and
click the right arrow (>) to add it to the Header Sequence list on the right side of the page. Then select the header that you want to be second, and so on, adding each one in turn to the Header Sequence list. When you add a header, it is always added at the bottom of the list. You can also add a custom header that is not listed by typing its name into the Custom field and clicking the right arrow (>) next to that field.
To reorder the headers listed in the Header Sequence list, select a header and click the up arrow next to the list to move the header up one position in the list, or click the down arrow to move it one position down. Repeat the process each time that you want to move the header one more position up or down.
In the Add/Modify/Remove Response Headers area you can add, modify, or remove HTTP headers in responses. You can add multiple functions in this area; one operation is summarized on each line. To add an operation, in the Operation drop-down list choose the type of operation: ADD, MODIFY, or REMOVE. In the Response Header drop-down list, choose the name of the header that you want to add, modify, or remove. If the header name is not listed, choose custom from the list and type the name of the header in the Response Header field below the drop-down list. Next, enter values in the Old Value and New Value fields, as follows:
• If you are adding a header, enter a value in the New Value field only and leave Old Value empty.
• If you are modifying a header, enter the existing value to match in the Old Value field and enter the value to change it to in the New Value field. Only headers whose value matches the Old Value will be changed to New Value.
• If you are removing a header, enter a value in the Old Value field only, to remove only headers that have this value.
Finally, click the Add check box to add the header operation to this web cloaking map. The operation is added after you click Update Parameters, and a new blank operation line is shown below the newly added one, where you can add another operation. Also, a Delete check box is shown at the right end of each operation line, which you can use to delete an operation by checking it and clicking Update Parameters.
In the Header Name Normalization area, you can force specific header names to be all uppercase or all lowercase. To normalize the case of a header name, select it in the list at the left side of the page and click the Uppercase right arrow (>) button to make it uppercase, or click the Lowercase right arrow button to make it lowercase. Do the same for each header name that you want to normalize. If you want to normalize a custom header name, choose Custom in the list and type the name in the Custom field below the list. Then click the appropriate right arrow button. To remove a header name from a normalization list at the right side, select it and click the left arrow (<) button next to the list.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.
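The header sequence, the ADD/MODIFY/REMOVE operations with their Old Value/New Value rules, and header name normalization described above, applied to one response's header list in an added Python example (not AVS code). The data model, the stable-sort treatment of headers not named in the sequence, the handling of a REMOVE with no Old Value, and the sample headers are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Header = Tuple[str, str]


@dataclass
class HeaderOp:
    operation: str                   # "ADD", "MODIFY" or "REMOVE"
    name: str                        # Response Header (or custom name)
    old_value: Optional[str] = None  # Old Value field
    new_value: Optional[str] = None  # New Value field


@dataclass
class CloakingMap:
    map_name: str
    header_sequence: List[str] = field(default_factory=list)  # Header Sequence list, first to last
    operations: List[HeaderOp] = field(default_factory=list)  # Add/Modify/Remove Response Headers
    uppercase: List[str] = field(default_factory=list)        # Header Name Normalization lists
    lowercase: List[str] = field(default_factory=list)


def apply_operations(headers: List[Header], ops: List[HeaderOp]) -> List[Header]:
    out = list(headers)
    for op in ops:
        lname = op.name.lower()
        if op.operation == "ADD":
            # New Value only; Old Value stays empty
            out.append((op.name, op.new_value or ""))
        elif op.operation == "MODIFY":
            # only headers whose value matches Old Value are changed to New Value
            out = [(n, op.new_value if n.lower() == lname and v == op.old_value else v)
                   for n, v in out]
        elif op.operation == "REMOVE":
            # Old Value only: remove just the headers carrying that value; with no
            # Old Value at all, every header of that name goes (this example's choice)
            out = [(n, v) for n, v in out
                   if not (n.lower() == lname and (op.old_value is None or v == op.old_value))]
        else:
            raise ValueError(f"unknown operation {op.operation!r}")
    return out


def apply_sequence(headers: List[Header], sequence: List[str]) -> List[Header]:
    """Headers named in the sequence come first, in that order; all others keep
    their original relative order after them (stable sort)."""
    rank = {name.lower(): i for i, name in enumerate(sequence)}
    return sorted(headers, key=lambda h: rank.get(h[0].lower(), len(rank)))


def normalize_names(headers: List[Header], uppercase: List[str], lowercase: List[str]) -> List[Header]:
    up = {n.lower() for n in uppercase}
    low = {n.lower() for n in lowercase}
    out = []
    for name, value in headers:
        if name.lower() in up:
            name = name.upper()
        elif name.lower() in low:
            name = name.lower()
        out.append((name, value))
    return out


def cloak(headers: List[Header], cmap: CloakingMap) -> List[Header]:
    """Apply one web cloaking map to a response's header list."""
    headers = apply_operations(headers, cmap.operations)
    headers = apply_sequence(headers, cmap.header_sequence)
    return normalize_names(headers, cmap.uppercase, cmap.lowercase)


# Constructed response headers as an origin server might emit them.
ORIGIN_HEADERS = [
    ("Server", "ExampleHTTPd/1.2.3"),          # version banner worth hiding
    ("X-Powered-By", "ExampleFramework/4.5"),  # another fingerprint
    ("Content-Type", "text/html"),
    ("Date", "Mon, 01 Jan 2024 00:00:00 GMT"),
    ("Set-Cookie", "sessionid=abc; Path=/"),
]

CLOAK = CloakingMap(
    map_name="hide-banners",
    header_sequence=["Date", "Server", "Content-Type"],
    operations=[
        HeaderOp("MODIFY", "Server", old_value="ExampleHTTPd/1.2.3", new_value="webserver"),
        HeaderOp("REMOVE", "X-Powered-By"),
        HeaderOp("ADD", "X-Frame-Options", new_value="DENY"),
    ],
    uppercase=["Date"],
    lowercase=["Set-Cookie"],
)
```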
Give the new map a name in the Map Name field.
Using the following areas of the form you can configure these functions:
• Parameter rewrite—By using the Parameter Rules area, you can insert or remove parameter name/value pairs in the query portion of matched URLs. Enter a parameter name in the
Parameter field and its value in the Value field. Choose either Add or Remove from the Operation drop-down list. If you choose Remove, the parameter name and value must match exactly for it to be removed. Click the Update Parameter Rule button to add the rule.
Regular expressions and the following characters are not allowed in the Parameter and Value fields when you are adding a parameter: ?*{}[]()^$, When you are removing a parameter, regular expressions are allowed and there are no character restrictions in the Parameter and Value fields.
• URL rewrite—By using the URL Rules area, you can search for a string in the URL and if there is a match you can either replace the complete URL with another URL or replace only the matched string with another string. Enter the string to search for in the Find field and enter the replacement string or URL in the Replace field. From the Type drop-down list, choose either Replace URL (to replace the whole URL with the URL entered in the Replace field) or Replace matched string (to replace just the matched string in the URL with the string entered in the Replace field). Click the Update URL Rule button to add the rule. Rewritten URLs are escape encoded before being sent out.
Regular expressions and the following characters are mostly not allowed in the Find and Replace fields: ?*{}[]()^$, When you are replacing a complete URL, regular expressions are allowed and there are no character restrictions in the Find field.
For details on the regular expression syntax that is allowed.
To delete an existing parameter or URL rewriting rule, click the Delete check box on the same line as the rule, and when you click Update Parameter Rule (to delete parameter rules) or Update URL Rule (to delete URL rewrite rules), the rule will be deleted.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.
HTTP Protocol Conformance
HTTP protocol conformance provides deep analysis of web traffic, enabling granular control over HTTP sessions for improved protection from a wide range of web-based attacks. In addition, this feature allows administrative control over instant messaging applications, peer-to-peer file sharing applications, and applications that attempt to tunnel over port 80 or any port used for HTTP transactions. Capabilities provided include RFC compliance enforcement, HTTP command authorization and enforcement, response validation, Multipurpose Internet Mail Extension (MIME) type validation and content control, URL blacklisting, and more.
The following sections describe the HTTP Protocol Conformance menu commands:
1. IM Controls
2. P2P Controls
3. Tunnelling Policies
4. Generic Pattern Matcher
5. Transfer Encoding
1. IM Controls
The IM controls feature allows you to control incoming and outgoing instant messaging traffic by logging or denying it.
Use this form to define criteria for identifying instant messaging traffic in either requests or responses.
Give the instant messaging map a name in the Map Name field.
If you are creating a new map, only the New Criteria section of the form is shown. As each criterion for identifying instant messaging traffic is added, it is listed in a criteria section at the top of the form.
In the New Criteria section, click the Add check box to indicate that you are adding a new criterion. Then in the Message Type drop-down list, choose the message type that you want to examine: either Request or Response messages. In the Search Type
drop-down list, choose the part of the request or response that you want to examine, and in the next three fields (Name, Value, and Max No of bytes to search), enter the criteria that must be matched to consider the traffic to be instant messenger related. For each message type/search type pair, only certain criteria fields are used, and these are described in the table below.
The Obfuscation Option check box is available in certain cases. Checking this box deobfuscates the URL before performing regular expression matching with the specified criteria. Deobfuscation decodes encoded URLs. For example, a URL might contain the string "%20", which is decoded to a space character.
The generic pattern matcher feature allows you to configure a policy based on any user-definable criteria in the traffic, to control incoming and outgoing traffic by logging or denying it. Use the Generic Pattern Matcher command to configure such control. This command works exactly like the IM Controls command.
Use the Transfer Encoding command to display a page that summarizes the transfer encoding maps that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.
You define such error pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define such redirection pages by using the redirect page feature.
If you want to log the event, click the Log check box next to the Action drop-down list. Finally, check the Add check box and click Update to add the criteria to this form and give you a new line on which to enter another criterion. To delete one or more criteria lines, click the Delete check box on each line that you want to delete and then click Update to delete all checked lines.
There is another Action drop-down list at the bottom of the form, labelled Action for Nonmatching Traffic. This action applies to all traffic that has a transfer encoding that does not match any of the criteria on this form. You can choose the same actions as on the other Action list. Also, you can click the Log check box next to this drop-down list if you want to log such traffic. When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.
Give the URL black listing map a name in the Map Name field.
In the next part of the form, you can add regular expressions for URLs that you want to block traffic to. In the URL field, enter a regular expression that is used to
match part of a URL string in incoming requests. The regular expression is matched against only the URL and not the query parameters. If the regular expression matches any part of the URL, the match is considered successful.
Check the Obfuscation check box to deobfuscate the URL before performing regular expression matching. Deobfuscation decodes encoded URLs. For example, a URL might contain the string "%20", which is decoded to a space character.
Check the Add check box and click Update to add the URL to this form and give you a new line on which to enter another URL. To delete one or more URL lines, click the Delete check box on each line that you want to delete and then click Update to delete all checked lines.
After you have defined the URLs to black list, you can configure the action to apply when such traffic is observed. In the first Action drop-down list, choose one of the following items:
• Match All—All criteria must be matched to apply the action
• Match Any—Any single criterion must be matched to apply the action
Click the Not check box if you want to match all traffic that does not meet the criteria. If Not is checked, the match criteria are interpreted as follows:
• Match All—Fewer than all criteria must be matched to apply the action
• Match Any—None of the criteria must be matched to apply the action
In the second drop-down list, choose one of the following actions:
• None—Take no action
• Deny—Block the traffic
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define such redirection pages by using the redirect page feature.
If you want to log the event, click the Log check box next to the Action drop-down lists.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.
497
Trainer’s Handbook – Security Analyst SSC/ Q0903
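To make the URL black listing rules above concrete, here is an added Python example; it is not code from the handbook or from AVS. It applies a constructed map to request URLs: the query string is stripped before matching, the path is optionally percent-decoded the way the Obfuscation check box describes, and the per-regex results are combined under the Match All, Match Any and Not settings. The map name, the two regexes and the page name are assumptions made for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed URL black listing map modelled on the form fields described
# above (Map Name, URL regexes, Obfuscation, Match All/Match Any, Not, the
# action list and Log). The values are this example's own, not a real map.
URL_BLACKLIST_MAP = {
    "name": "block-admin-and-backups",     # Map Name field
    "deobfuscate": True,                   # Obfuscation check box
    "urls": [r"^/admin", r"\.bak$"],       # one regex per URL line
    "criteria": "any",                     # first Action drop-down: "all" or "any"
    "negate": False,                       # Not check box
    "action": "[SEND-PAGE] blocked.html",  # second drop-down (None/Deny/...)
    "log": True,                           # Log check box
}


def path_only(raw_url: str) -> str:
    """Matching is against the URL only; query parameters are ignored."""
    return urlsplit(raw_url).path


def deobfuscate(path: str) -> str:
    """Decode percent-encoding, e.g. "%20" becomes a space and "%61" an "a"."""
    return unquote(path)


def criteria_met(hits, criteria: str, negate: bool) -> bool:
    """Combine the per-regex results the way the two drop-downs define it.

    Match All: every regex matched.  Match Any: at least one matched.
    With Not checked, Match All becomes "fewer than all matched" and
    Match Any becomes "none matched".
    """
    if criteria == "all":
        matched = all(hits)
    elif criteria == "any":
        matched = any(hits)
    else:
        raise ValueError("criteria must be 'all' or 'any'")
    return (not matched) if negate else matched


def evaluate_url(raw_url: str, url_map=URL_BLACKLIST_MAP) -> dict:
    """Return the action the map would apply to one request URL."""
    path = path_only(raw_url)
    if url_map["deobfuscate"]:
        path = deobfuscate(path)
    # A regex that matches any part of the URL counts as a successful match.
    hits = [re.search(pattern, path) is not None for pattern in url_map["urls"]]
    matched = criteria_met(hits, url_map["criteria"], url_map["negate"])
    return {
        "path": path,
        "hits": hits,
        "action": url_map["action"] if matched else "None",
        "logged": bool(matched and url_map["log"]),
    }


if __name__ == "__main__":
    for url in ("/%61dmin/users?id=5", "/home?next=/admin", "/files/old.bak"):
        print(url, "->", evaluate_url(url))
```

The first sample URL shows why the Obfuscation setting matters: with decoding off, "/%61dmin" does not match "^/admin" and the request passes; with decoding on, the same request is matched and the configured page is sent.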
URL black listing can also be done directly in a policy map by defining the traffic to black list in a traffic map, then setting a general policy to drop the connection when such traffic is encountered.
8. Control HTTP Methods
The HTTP method control feature allows you to control incoming traffic that uses a specific HTTP method by logging or denying it.
Use the Control HTTP Methods command to display a page that summarizes the HTTP content method maps that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.
Give the HTTP content methods map a name in the Map Name field.
In the next part of the form, you can add one or more HTTP methods to act on. In the Methods drop-down list choose an HTTP method. Check the Add check box and click Update to add the method to this form and give you a new line on which to enter another method. To delete one or more method lines, click the Delete check box on each line that you want to delete and then click Update to delete all checked lines.
After you have defined the HTTP methods to look for, you can configure the action to apply when such traffic is observed. In the first Action drop-down list, choose one of the following items:
• Match All—All criteria must be matched to apply the action
• Match Any—Any single criterion must be matched to apply the action
Click the Not check box if you want to match all traffic that does not meet the criteria. If Not is checked, the match criteria are interpreted as follows:
• Match All—Fewer than all criteria must be matched to apply the action
• Match Any—None of the criteria must be matched to apply the action
In the second drop-down list, choose one of the following actions:
• None—Take no action
• Deny—Block the traffic
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box next to the Action drop-down lists.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.
9. Header Integrity Check
The header integrity check feature allows you to check the integrity of HTTP headers and take action if problems are found.
Use the Header Integrity Check command to display a page that summarizes the header integrity check maps that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.
Give the header integrity check map a name in the Map Name field.
In the next part of the form, you can configure actions to take when the following problems are found in a header:
• Null Encoding—Transfer-encoding header has no encodings listed
• Non ASCII Characters—Non-ASCII characters are found in a header
• Illegal Content Length—Content-length header contains non-numeric characters
• Illegal Chunk Encoding—Chunk encoding is not valid
• Multiple Length Headers—Multiple content-length headers appear in the request
For each listed header integrity problem, select one of the following actions from the Action drop-down list:
• None—Take no action
• Reset server—Reset the server side of the connection
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define such redirection pages by using the redirect page feature.
If you want to log a problem, click the Log check box next to the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.
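The Control HTTP Methods and Header Integrity Check forms above name the checks without showing what they look for on the wire. The following Python example is added here and is not handbook or AVS code: it parses a raw HTTP/1.1 request, applies a constructed methods map, and tests for the five header problems listed above. The chunked-encoding validator, the map values and the sample requests are this example's own assumptions about what an inspection device would treat as invalid.

```python
import re

# Constructed HTTP content methods map (the Control HTTP Methods form):
# the methods to act on and the action to apply when one is seen.
METHOD_MAP = {
    "methods": {"TRACE", "PUT", "DELETE"},  # Methods drop-down entries
    "action": "Deny",                       # None / Deny / [SEND-PAGE] / [REDIRECT-PAGE]
}

# Constructed header integrity check map: one action per listed problem.
HEADER_MAP = {
    "Null Encoding": "Drop",
    "Non ASCII Characters": "Reset server client",
    "Illegal Content Length": "Drop",
    "Illegal Chunk Encoding": "Drop",
    "Multiple Length Headers": "Drop",
}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, [(name, value), ...], body).
    Headers stay an ordered list so duplicate Content-Length lines survive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ")[0].decode("ascii", errors="replace")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return method, headers, body


def check_method(method: str, method_map=METHOD_MAP) -> str:
    """Return the map's action if the method is listed, otherwise "None"."""
    return method_map["action"] if method in method_map["methods"] else "None"


def chunked_body_is_valid(body: bytes) -> bool:
    """True for well-formed chunked encoding: hex size line, chunk data,
    CRLF after each chunk, terminated by a zero-size chunk."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return False
        size_field = body[pos:end].split(b";")[0].strip()  # ignore extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            return False
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            return True
        if body[pos + size:pos + size + 2] != b"\r\n":
            return False
        pos += size + 2


def header_problems(headers, body: bytes) -> list:
    """Names of the header integrity problems found, in HEADER_MAP order."""
    found = set()
    lengths = [v for n, v in headers if n.lower() == b"content-length"]
    encodings = [v for n, v in headers if n.lower() == b"transfer-encoding"]
    if any(byte > 0x7F for n, v in headers for byte in n + v):
        found.add("Non ASCII Characters")
    for enc in encodings:
        if enc == b"":
            found.add("Null Encoding")
        elif b"chunked" in enc.lower() and not chunked_body_is_valid(body):
            found.add("Illegal Chunk Encoding")
    if any(not length.isdigit() for length in lengths):
        found.add("Illegal Content Length")
    if len(lengths) > 1:
        found.add("Multiple Length Headers")
    return [p for p in HEADER_MAP if p in found]


def inspect_request(raw: bytes) -> dict:
    """Run both maps over one request and report the resulting actions."""
    method, headers, body = parse_request(raw)
    problems = header_problems(headers, body)
    return {
        "method": method,
        "method_action": check_method(method),
        "problems": problems,
        "header_actions": {p: HEADER_MAP[p] for p in problems},
    }


# Constructed sample requests (not captured traffic).
CLEAN_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
                 b"Content-Length: 0\r\n\r\n")
BAD_REQUEST = (b"TRACE /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
               b"Content-Length: 12\r\nContent-Length: twelve\r\n"
               b"Transfer-Encoding:\r\nX-Note: caf\xc3\xa9\r\n\r\n")
CHUNKED_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"
                   b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
BAD_CHUNKED_REQUEST = CHUNKED_REQUEST.replace(b"\r\n5\r\n", b"\r\nzz\r\n")
```

Keeping the headers as a list rather than a dict is the important design choice: a dict would silently keep only one Content-Length value, and the Multiple Length Headers problem could never be detected.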
Give the map a name in the Map Name field.
In the map, you can configure protection in three ways:
• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is Cross Site Scripting. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the Cross Site Scripting type before you can complete this form. Any form input that contains a string that matches one of the regular expressions in the specified pattern set is flagged for the action specified in the Action drop-down list. Leave the Parameter field empty and make no selection from the Allow Pattern Set drop-down list.
• Scan all of the form input data except for the values of one or more specific form parameters, in which certain expressions are allowed.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is Cross Site Scripting. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the Cross Site Scripting type before you can complete this form. In the Parameter field enter the name of an exception parameter in which you want to allow input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions that you want to allow in the value of the exception parameter. Check the Add check box to the right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as many exception parameters as you want by repeating this procedure. Each parameter can have its own associated regular expression that defines the values that are allowed. To delete a parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern Set is flagged for the action specified in the Action drop-down list. If an exception parameter value contains a string that matches both the Pattern Set and Allow Pattern Set regular expressions, then it is allowed rather than being flagged for action.
• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter field. Check the Add check box to the right of the parameter name and click Update Parameters. You can enter as many parameters as you want by repeating this procedure. To delete a parameter, click the Delete check box to the right of the parameter name and click Update Parameters. If any of the specified parameter values contain a string that matches one of the regular expressions in the specified pattern set, the request is flagged for the action specified in the Action drop-down list.
Check the Ignore Case check box if you do not need to match the case of a parameter specified in the Parameter field. If you do need to match the case exactly, leave this check box unchecked.
In the Action drop-down list, choose the action to apply if a form input string that matches this map is detected. Actions include these:
• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box below the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.
SQL Injection
A SQL injection attack appends or modifies SQL commands in form input with the intention of gathering information regarding the application and obtaining access to unauthorized data.
Use the SQL Injection command to display a page that summarizes the SQL injection maps that are defined and to view, delete, clone, edit or add new maps. When you click the button to add a new map, AVS displays the screen shown in the following figure.
Give the map a name in the Map Name field.
In the map, you can configure protection in three ways:
• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that
are listed here are those that are defined in the Pattern Definitions page where the type is SQL Injection. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the SQL Injection type before you can complete this form. Any form input that contains a string that matches one of the regular expressions in the specified pattern set is flagged for the action specified in the Action drop-down list. Leave the Parameter field empty and make no selection from the Allow Pattern Set drop-down list.
• Scan all of the form input data except for the values of one or more specific form parameters, in which certain expressions are allowed.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is SQL Injection. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the SQL Injection type before you can complete this form. In the Parameter field enter the name of an exception parameter in which you want to allow input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions that you want to allow in the value of the exception parameter. Check the Add check box to the right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as many exception parameters as you want by repeating this procedure. Each parameter can have its own associated regular expression that defines the values that are allowed. To delete a parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern Set is flagged for the action specified in the Action drop-down list. If an exception parameter value contains a string that matches both the Pattern Set and Allow Pattern Set regular expressions, then it is allowed rather than being flagged for action.
• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter field. Check the Add check box to the right of the parameter name and click Update Parameters. You can enter as many parameters as you want by repeating this procedure. To delete a parameter, click the Delete check box to the right of the parameter name and click Update Parameters. If any of the specified parameter values contain a string that matches one of the regular expressions in the specified pattern set, the request is flagged for the action specified in the Action drop-down list.
Check the Ignore Case check box if you do not need to match the case of a parameter specified in the Parameter
field. If you do need to match the case exactly, leave this check box unchecked.
In the Action drop-down list, choose the action to apply if a form input string that matches this map is detected. Actions include these:
• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box below the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.
OS Command Injection
An OS command injection attack inserts OS commands into form input with the intention to gain elevated privileges to access a web server.
Use the OS Command Injection command to display a page that summarizes the command injection maps that are defined and to view, delete, clone, edit or add new maps. When you click the button to add a new map, AVS displays the screen shown in the following figure.
Give the map a name in the Map Name field.
In the map, you can configure protection in three ways:
• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is Command Injection. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the Command Injection type before you can complete this form. Any form
input that contains a string that matches one of the regular expressions in the specified pattern set is flagged for the action specified in the Action drop-down list. Leave the Parameter field empty and make no selection from the Allow Pattern Set drop-down list.
• Scan all of the form input data except for the values of one or more specific form parameters, in which certain expressions are allowed.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is Command Injection. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the Command Injection type before you can complete this form. In the Parameter field enter the name of an exception parameter in which you want to allow input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions that you want to allow in the value of the exception parameter. Check the Add check box to the right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as many exception parameters as you want by repeating this procedure. Each parameter can have its own associated regular expression that defines the values that are allowed. To delete a parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern Set is flagged for the action specified in the Action drop-down list. If an exception parameter value contains a string that matches both the Pattern Set and Allow Pattern Set regular expressions, then it is allowed rather than being flagged for action.
• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter field. Check the Add check box to the right of the parameter name and click Update Parameters. You can enter as many parameters as you want by repeating this procedure. To delete a parameter, click the Delete check box to the right of the parameter name and click Update Parameters. If any of the specified parameter values contain a string that matches one of the regular expressions in the specified pattern set, the request is flagged for the action specified in the Action drop-down list.
Check the Ignore Case check box if you do not need to match the case of a parameter specified in the Parameter field. If you do need to match the case exactly, leave this check box unchecked.
In the Action drop-down list, choose the action to apply if a form input string that matches this map is detected. Actions include these:
• None—Take no action
LDAP Injection
Give the map a name in the Map Name field.
In the map, you can configure protection in three ways:
• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down
list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is LDAP Injection. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the LDAP Injection type before you can complete this form. Any form input that contains a string that matches one of the regular expressions in the specified pattern set is flagged for the action specified in the Action drop-down list. Leave the Parameter field empty and make no selection from the Allow Pattern Set drop-down list.
• Scan all of the form input data except for the values of one or more specific form parameters, in which certain expressions are allowed.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is LDAP Injection. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the LDAP Injection type before you can complete this form. In the Parameter field enter the name of an exception parameter in which you want to allow input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions that you want to allow in the value of the exception parameter. Check the Add check box to the right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as many exception parameters as you want by repeating this procedure. Each parameter can have its own associated regular expression that defines the values that are allowed. To delete a parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern Set is flagged for the action specified in the Action drop-down list. If an exception parameter value contains a string that matches both the Pattern Set and Allow Pattern Set regular expressions, then it is allowed rather than being flagged for action.
• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter field. Check the Add check box to the right of the parameter name and click Update Parameters. You can enter as many parameters as you want by repeating this procedure. To delete a parameter, click the Delete check box to the right of the parameter name and click Update Parameters. If any of the specified parameter values contain a string that matches one of the regular expressions in the specified pattern set, the request is flagged for the action specified in the Action drop-down list.
Check the Ignore Case check box if you do not need to match the case of a parameter specified in the Parameter field. If you do need to match the case exactly, leave this check box unchecked.
In the Action drop-down list, choose the action to apply if a form input string that matches this map is detected. Actions include these:
• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box below the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.
Meta Character Detection
A meta character attack inserts meta characters in the form input. Meta characters include characters such as semicolons (;), pipes (|), tildes (~), and so on.
Use the Meta Character Detection command to display a page that summarizes the meta character maps that are defined and to view, delete, clone, edit or add new maps. When you click the button to add a new map, AVS displays the screen shown in the following figure.
Give the map a name in the Map Name field.
In the map, you can configure protection in three ways:
• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is Meta Character Detection. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the Meta Character Detection type before you can complete this form. Any form input that contains a string that matches one of the regular expressions in the specified pattern set is flagged for the action specified in the Action drop-down list. Leave the Parameter field empty and make no selection from the Allow Pattern Set drop-down list.
• Scan all of the form input data except for the values of one or more specific form parameters, in which certain expressions are allowed.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is Meta Character Detection. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the Meta Character Detection type before you can complete this form. In the Parameter field enter the name of an exception parameter in which you want to allow input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions that you want to allow in the value of the exception parameter. Check the Add check box to the right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as many exception parameters as you want by repeating this procedure. Each parameter can have its own associated regular expression that defines the values that are allowed. To delete a parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern Set is flagged for the action specified in the Action drop-down list. If an exception parameter value contains a string that matches both the Pattern Set and Allow Pattern Set regular expressions, then it is allowed rather than being flagged for action.
• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter field. Check the Add check box to the right of the parameter name and click Update Parameters. You can enter as many
Give the map a name in the Map Name field.
In the map, you can configure protection in two ways:
• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is Format String Attacks. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the Format String Attacks type before you can complete this form. Any form input that contains a string that matches one of the regular expressions in the specified pattern set is flagged for the action specified in the Action drop-down list. Leave the Parameter field empty and make no selection from the Allow Pattern Set drop-down list.
• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter field. Check the Add check box to the right of the parameter name and click Update Parameters. You can enter as many parameters as you want by repeating this procedure. To delete a parameter, click the Delete check box to the right of the parameter name and click Update Parameters. If any of the specified parameter values contain a string that matches one of the regular expressions in the specified pattern set, the request is flagged for the action specified in the Action drop-down list.
Scanning all form input data except for the values of one or more specific form parameters is not allowed in the Format String Attacks form. If Type is set to Scan All Parameters, and you
Metacharacter    Description
.    Matches any single character, except for the new line character (0x0A). For example, the regular expression r.t matches the strings rat, rut, r t, but not root.
^    Matches the beginning of a line. For example, the regular expression ^When in matches the beginning of the string "When in the course of human events" but not the string "What and When in the"
*    Matches zero or more occurrences of the character immediately preceding. For example, the regular expression .* means match any number of any characters.
\    This is the quoting character; use it to treat the following metacharacter as an ordinary character. For example, \^ is used to match the caret character (^) rather than the beginning of a line. Similarly, the expression \. is used to match the period character rather than any single character.
[], [c1-c2], [^c1-c2]    Matches any one of the characters between the brackets. For example, the regular expression r[aou]t matches rat, rot, and rut, but not ret. Ranges of characters are specified by a beginning character (c1), a hyphen, and an ending character (c2). For example, the regular expression [0-9] means match any digit. Multiple ranges can be specified as well. The regular expression [A-Za-z] means match any upper or lower case letter. To match any character except those in the range (that is, the complement range), use the caret as the first character after the opening bracket. For example, the expression [^269A-Z] matches any
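The scanning maps described above for Cross Site Scripting, SQL Injection, OS Command Injection, LDAP Injection, Meta Character Detection and Format String Attacks all follow one procedure: a Pattern Set to flag, either exception parameters with an Allow Pattern Set or a list of specific parameters, the Ignore Case check box, and an Action. The Python example below is added here and is not taken from the handbook or from AVS; it implements that procedure for all three Type settings, including the rule that an exception parameter value matching both the Pattern Set and its Allow Pattern Set is allowed rather than flagged. Its constructed pattern sets use the metacharacters from the table above; the set names, map values and form submissions are assumptions made for the example.

```python
import re

# Constructed pattern sets standing in for entries on the Pattern Definitions
# page. The regexes use metacharacters from the table above ([...], [^...],
# ^, $, *, \); none of them is a real AVS pattern set.
PATTERN_SETS = {
    "meta-chars": [r"[;|~]"],                  # Meta Character Detection type
    "sqli-basic": [r"'\s*[Oo][Rr]\s", r"--"],  # SQL Injection type
    "unix-home": [r"^~[a-z][a-z0-9]*$"],       # used as an Allow Pattern Set
}

# Constructed maps mirroring the form fields: Type, Pattern Set, Parameter /
# Allow Pattern Set lines, Ignore Case and Action.
META_SCAN_ALL = {"type": "all", "pattern_set": "meta-chars", "action": "Drop"}
META_WITH_EXCEPTION = dict(META_SCAN_ALL, parameters={"homedir": "unix-home"})
SQLI_SPECIFIC = {
    "type": "specific",
    "pattern_set": "sqli-basic",
    "parameters": {"Username": None},   # only this parameter is scanned
    "ignore_case": True,                # Ignore Case applies to the parameter name
    "action": "[SEND-PAGE] blocked.html",
}


def scan_form_input(form: dict, scan_map: dict) -> dict:
    """Apply one scanning map to a dict of form parameter values.

    type "all"      = Scan All Parameters; "parameters" lists exception
                      parameters mapped to their Allow Pattern Set.
    type "specific" = Scan Specific Parameters; "parameters" lists the
                      parameter names to scan.
    Returns the action to take and the (parameter, pattern) pairs that hit.
    """
    deny = PATTERN_SETS[scan_map["pattern_set"]]
    ignore_case = scan_map.get("ignore_case", False)

    def key(name):
        return name.lower() if ignore_case else name

    configured = {key(k): v for k, v in scan_map.get("parameters", {}).items()}
    flagged = []
    for name, value in form.items():
        if scan_map["type"] == "specific" and key(name) not in configured:
            continue  # not one of the listed parameters
        hits = [p for p in deny if re.search(p, value)]
        if not hits:
            continue
        if scan_map["type"] == "all" and key(name) in configured:
            # Exception parameter: a value that matches both the Pattern Set
            # and its Allow Pattern Set is allowed rather than flagged.
            allow = PATTERN_SETS[configured[key(name)]]
            if any(re.search(a, value) for a in allow):
                continue
        flagged.extend((name, p) for p in hits)
    return {"action": scan_map["action"] if flagged else "None", "flagged": flagged}


if __name__ == "__main__":
    # Constructed form submissions (not real traffic).
    print(scan_form_input({"homedir": "~alice", "note": "a|b"}, META_SCAN_ALL))
    print(scan_form_input({"homedir": "~alice", "note": "a|b"}, META_WITH_EXCEPTION))
    print(scan_form_input({"username": "bob' OR 1=1 --"}, SQLI_SPECIFIC))
```

The homedir value "~alice" shows the point of the exception mechanism: the tilde trips the meta character set, but because the whole value also matches the allow pattern it passes, while the same tilde in any other parameter, or a value such as "~alice;extra" that fails the allow pattern, is still flag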
To learn more about ModSecurity and its configuration, visit https://www.modsecurity.org, and see https://www.feistyduck.com/library/modsecurity-handbook-free/online/ for details of installation and configuration.
UNIT IX
Patch Management
Lesson Plan
Suggested Learning Activities
Training Resource Material
9.1 Patch Management Overview
9.2 The Patch Management Process
9.3 Windows Patch Management Tools
LESSON PLAN
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Suggested Learning Activities: KA4, KA5. Peer group, Faculty group and Industry experts. Research and Internet Learning. KB1 - KB4. Group and Faculty activity. Evaluation based on anticipated outcomes. Reward points to be allocated to groups.
2 Hrs classroom and assessment; 10 Hrs offline (24/7)
Training Resource Material: PCs/Tablets/Laptops and Labs availability with WiFi (Min 2 Mbps Dedicated). Access to all security sites like ISO, PCI DSS, Center for Internet Security.
Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.
Activity 2:
Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.
Activity 3:
Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.
https://ics-cert.us-
cert.gov/sites/default/files/recommended_practices/PatchManagementRecommendedPrac
tice_Final.pdf
https://www.sans.org/reading-room/whitepapers/bestprac/practical-methodology-
implementing-patch-management-process-1206
https://support.symantec.com/en_US/article.HOWTO3124.html
522
Trainer’s Handbook – SSC/ Q0904/0905 – Security Analyst
SSC/ N 0904: Contribute to information security audits
SSC/ N 0905: Support teams to prepare for and undergo information security audits
Description: This unit is about carrying out specific audit tasks as part of information security audits.
Scope: This unit/task covers the following:
Appropriate people:
line manager
members of the security team
subject matter experts
Information security audits may cover:
Identity and Access Management (IdAM)
networks (wired and wireless)
devices
endpoints/edge devices
storage devices
servers
software
application hosting
application security
application support
application penetration
application testing
content management
messaging
web security
security of infrastructure
infrastructure devices (e.g. routers, firewall services)
computer assets, servers and storage networks
messaging
intrusion detection/prevention
security incident management
third party security management
personnel security requirements
physical security
risk assessment
business continuity
disaster recovery planning
KB2. different systems and structures that may need information security
audits and how they operate, including:
servers and storage devices
infrastructure and networks
application hosting and content management
communication routes such as messaging
KB3. features, configuration and specifications of information security systems
and devices and associated processes and architecture
KB4. the importance of auditing and the key principles and rules of conduct
that apply when auditing
KB5. common audit techniques and how to record and report audit tasks
KB1. methods and techniques for testing compliance against your organizations
security criteria, legal and regulatory requirements
Unit Title
Support teams to prepare for and undergo information security audits
(Task)
Description: This unit is about supporting functional teams to prepare for and undergo information security audits carried out by internal or external auditors.
PC1. establish the nature and scope of information security audits and your role
and responsibilities in preparing for them
PC2. identify the procedures/guidelines/checklists that will be used for
information security audits
PC3. identify the requirements of information security audits and prepare for
audits in advance
PC4. liaise with appropriate people to gather data/information required for
information security audits
Knowledge KB1. different information systems that may require audit tasks:
servers and storage devices
infrastructure, assets and networks
application hosting, testing, penetration and support
content management
communication routes such as messaging
physical security
THE UNITS
The module for this NOS is divided into 8 Units based on the learning objectives as given below.
UNIT I: Information Security Audit
1.1. Information Systems Audit versus Information Security Audit
1.2. What is an Information Security Audit?
1.3. Scope of the Audit
1.4. What makes a good security audit?
1.5. Constraints of a security audit
UNIT II: Security Audits Features
2.1. Types of Security Audits
2.2. Phases of Information Security Audit
2.3. Information Security Audit Methodology
2.4. Security Testing Frameworks
2.5. Audit Process and Audit Security Practices
2.6. Testing Security Technology and Templates
UNIT III: Information Security Auditor
3.1 Role of an Auditor
3.2 Hiring an Information Security Auditor
3.3 Required Skills Sets of an Information Security Auditor
3.4 Ethics of an Information Security Auditor
3.5 What Makes an Information Security Auditor
UNIT IV: Vulnerability Analysis
4.1. What Is Vulnerability Assessment?
4.2. Vulnerability Classification
4.3. Types of Vulnerability Assessment
4.4. How to Conduct a Vulnerability Assessment
4.5. Vulnerability Analysis Tools
UNIT V: Penetration Testing
5.1. About penetration testing
5.2. Penetration testing stages
UNIT VI: Information Security Audit Tasks
6.1 Pre-audit tasks
6.2 Information Gathering
6.3 External Security Audit
6.4 Internal Network Security Auditing
6.5 Firewall Security Auditing
6.6 IDS Security Auditing
UNIT VII: Audit Reports and Actions
UNIT I
Information Security Audit
LESSON PLAN
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
KA4, KA5: Peer group, Faculty group and Industry experts. KB1 - KB4: Research and Internet. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
2 Hrs classroom and assessment; 10 Hrs offline Learning activity.
PCs/Tablets/Laptops and Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security.
Activity 1:
Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.
Activity 2:
Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.
Activity 3:
Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.
Activity 4:
Divide the class into teams and ask them to audit various aspects of the training institute
or the classroom, such as cleanliness, safety and security, hygiene, etc. Ask them to
present their report in class. Highlight the need for planning, scoping, resourcing, detailing,
discipline, integrity, teamwork, eliminating bias and presentation as some of the key
elements in conducting a good audit.
Lesson
An information security audit is one of the best ways to determine the security of an organization's information without incurring the cost and other associated damages of a security incident.
1.1. Information Systems Audit versus Information
Security Audit
Information System Audit and Information Security Audit are two tools that are used to ensure the safety and integrity of information and sensitive data. People often confuse the two and feel they are the same, but this is not the case.
Information systems audit is a large, broad term that encompasses demarcation of responsibilities, server and equipment management, problem and incident management, network division, safety, security and privacy assurance, etc.
Information security audit is only focused on the security of data and information (electronic and print) when it is in the process of storage and transmission. Both audits have many overlapping areas.
Information systems audit deals with operations and infrastructure, whereas information security audit deals with data on the whole.
UNIT II
Security Audit Features
Lesson Plan
Suggested Learning Activities
Trainer’s Resource Material
2.1. Planning Work and Work environment
2.2. Types of Security Audits
2.3. Phases of Information Security Audit
2.4. Information Security Audit Methodology
2.5. Security Testing Frameworks
2.6. Audit Process and Audit Security Practices
2.7. Testing Security Technology and Templates
LESSON PLAN
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
KA4, KA5: Peer group, Faculty group and Industry experts. KB1 - KB4: Research and Internet. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
2 Hrs classroom and assessment; 10 Hrs offline Learning activity.
PCs/Tablets/Laptops and Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security.
Activity 1:
Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.
Activity 2:
Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.
Activity 3:
Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.
Lesson
Security Review
A security review is when the security posture of an organization is examined based on professional experience and opinion. In this type of examination, issues that stand out are sought as a way to help define the starting point for further activities. Running a vulnerability scanner such as Nessus would fall under this category: the tool generates a list of potential security issues, but the data must be analysed further to determine what needs to be acted on. This is the most basic form of security analysis, and the primary output is in the form of an opinion. Examples include: penetration test, vulnerability scan, architecture review, policy review, compliance review, risk analysis.
Security Assessment
Security assessments utilize professional opinion and expertise, but they also analyse the output for relevancy and criticality to the organization. The analysis aspect of an assessment attempts to quantify the risk associated with the items discovered to determine the extent of the problem. If an organisation has two servers with the same vulnerability, but one is the financial server and the other operates as a print server, a security assessment would rank the financial server as a high risk and the print server as a lower risk based on the severity and damage potential. The biggest differentiator between an assessment and a review is the depth to which the auditor examines the system and analyses the results. Examples include: vulnerability assessment, risk assessment, architecture assessment, policy assessment.
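The financial-server versus print-server ranking above, worked through in code as an added example that is not from the handbook: a raw scanner list (the review) is re-ranked against an asset register (the assessment). The findings, register, weights, bands and the treatment of unregistered hosts are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed scanner output (what a review produces): raw findings with the
# scanner's technical severity on a 0-10 scale. Hosts and plugins are made up.
SCANNER_FINDINGS = [
    {"host": "fin-db-01", "plugin": "outdated-ssh", "severity": 7.5},
    {"host": "print-01", "plugin": "outdated-ssh", "severity": 7.5},
    {"host": "print-01", "plugin": "snmp-default-community", "severity": 5.0},
    {"host": "lab-vm-17", "plugin": "outdated-ssh", "severity": 7.5},
]

# Constructed asset register: the business context a review lacks and an
# assessment adds. Criticality is a 1-5 business-impact weighting.
ASSET_REGISTER = {
    "fin-db-01": {"role": "financial database", "criticality": 5, "internet_facing": False},
    "print-01": {"role": "print server", "criticality": 1, "internet_facing": False},
}

# Assumption: a host the register does not know gets a middle weighting and is
# flagged, so it cannot silently drop to the bottom of the list.
UNKNOWN_CRITICALITY = 3


@dataclass
class RankedFinding:
    host: str
    plugin: str
    severity: float      # scanner severity, unchanged from the review
    criticality: int     # business weighting from the register
    score: float         # combined risk, 0-10
    band: str            # High / Medium / Low
    unregistered: bool   # host missing from the asset register


def risk_score(severity: float, criticality: int, internet_facing: bool = False) -> float:
    """Scale severity by criticality (1-5 -> 0.2-1.0), apply an exposure uplift
    for internet-facing hosts, and cap at 10. The weights are assumptions."""
    score = severity * (criticality / 5.0)
    if internet_facing:
        score *= 1.25
    return round(min(score, 10.0), 2)


def risk_band(score: float) -> str:
    """Bands used for reporting; the thresholds are assumptions."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def rank_findings(findings, assets) -> list:
    """Turn a flat review list into an assessment: the same severity lands in
    different bands depending on what the affected asset is."""
    ranked = []
    for f in findings:
        asset = assets.get(f["host"])
        unregistered = asset is None
        crit = UNKNOWN_CRITICALITY if unregistered else asset["criticality"]
        facing = False if unregistered else asset.get("internet_facing", False)
        score = risk_score(f["severity"], crit, facing)
        ranked.append(RankedFinding(f["host"], f["plugin"], f["severity"],
                                    crit, score, risk_band(score), unregistered))
    # Highest business risk first; raw severity breaks ties so the review
    # order still shows through within a band.
    ranked.sort(key=lambda r: (-r.score, -r.severity, r.host))
    return ranked


if __name__ == "__main__":
    for r in rank_findings(SCANNER_FINDINGS, ASSET_REGISTER):
        flag = " (not in asset register)" if r.unregistered else ""
        print(f"{r.band:6} {r.score:5.2f}  {r.host:10} {r.plugin}{flag}")
```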
Security Audit
A security audit examines the organization's security posture against an industry standard (ISO27001 or COBIT) and/or industry regulatory compliance such as HIPAA or PCI. An audit includes review and assessment; it also conducts a gap analysis against standards to measure how well the organization complies. Audits take into account people, processes, and technologies, and compare them to a benchmark in a standardized and repeatable way. Examples include: compliance audit, policy audit, procedure audit, risk audit.
Some of the specific audits that can be included in the above categories are:
• Penetration Test
• Vulnerability Audit
• Web Application Security Audit
• Mobile Application Security Audit
• Audit Overall Concept
• IT-Risk Analyses
• Audit Access Control / Social Engineering
• Architecture, Design and Code Review
• Wireless Systems Audit
• Embedded Systems Audit
• Information Protection Audit
• Roles and Rights Audit
• Endpoint Audit (clients)
• Digital Guard Service
• Configuration Audit (firewalls, servers, etc.)
Audit methods may also be classified according to the type of activity. These include three types:
a. Testing – Pen tests and other testing methodologies are used to explore vulnerabilities. In other words, exercising one or more assessment objects to compare actual and expected behaviours.
b. Examination and Review – This includes reviewing policies, processes, logs, other documents, practices, briefings, situation handling, etc. In other words, checking, inspecting, reviewing, observing, studying, or analysing assessment objects.
c. Interviews and Discussion – This involves group discussions, individual interviews, etc.
The three methods combine to form an effective methodology for an overall audit.
There are many terms used to describe the technical review of security controls. Ethical hacking, penetration test, and security testing are often used interchangeably to describe a process that attempts to validate security configuration and vulnerabilities by exploiting them in a controlled manner to gain access to computer systems and networks. There are various ways that security testing can be conducted, and the choice of methods used ultimately comes down to the degree to which the test examines security as a system. There are generally two distinct levels of security testing commonly performed today:
Vulnerability assessment:
systems and services. Penetration testers (also known as pentesters) scan for vulnerabilities as part of the process just like a vulnerability assessment, but the primary difference between the two is that a pentester also attempts to exploit those vulnerabilities as a method of validating that there is an exploitable weakness. Successfully taking over a system does not show all possible vectors of entry into the network, but can identify where key controls fail. If someone is able to exploit a device without triggering any alarms, then detective controls need to be strengthened so that the organization can better monitor for anomalies.
Red Team/Blue Team assessment: The terms Red and Blue Team come from the military, where combat teams are tested to determine operational readiness. In the computer world, a Red and Blue Team assessment is like a war game, where the organization being tested is put to the test in as real a scenario as possible. Red Team assessments are intended to show all of the various methods an attacker can use to gain entry. It is the most comprehensive of all security tests. This assessment method tests policy and procedures, detection, incident handling, physical security, security awareness, and other areas that can be exploited. Every vector of attack is fair game in this type of assessment. This is used to simulate attacks and test the ability to develop defences for these attacks. The Red team designate is the attacker and the Blue team is the defence mechanism builder.
The two teams sharpen an organisation's detection and response capability. This is through sharing of intelligence data, understanding threat actors' TTPs, mimicking these TTPs through a series of scenarios and configuring, tuning and improving the detection and response capability.
Penetration tests as part of auditing can be conducted in several ways. The most common difference is the amount of knowledge of the implementation details of the system being tested that are available to the testers.
Black box: This assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis.
White box: This provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code, and IP addressing information.
Grey box: These are the several variations in between the white and the black box, where the testers have partial information.
Penetration tests can also be described as "full disclosure" (white box), "partial disclosure" (grey box), or "blind" (black box) tests based on the amount of information provided to the testing party.
network layouts, and possibly even some passwords.
White box techniques involve direct analysis of the application's source code, and black box techniques are performed against the application's binary executable without source code knowledge.
Most assessments of custom applications are performed with white box techniques, since source code is usually available; however, these techniques cannot detect security defects in interfaces between components, nor can they identify security problems caused during compilation, linking, or installation-time configuration of the application. White box techniques still tend to be more efficient and cost-effective for finding security defects in custom applications than black box techniques.
Black box techniques should be used primarily to assess the security of individual high-risk compiled components; interactions between components; and interactions between the entire application or application system with its users, other systems, and the external environment. Black box techniques should also be used to determine how effectively an application or application system can handle threats.
Auditors should have a base knowledge of testing tools and techniques. Using testing frameworks is a useful way to develop a technical testing plan.
It is important to develop and use standard checklists for audits as this ensures that data is collected in a uniform manner. It also ensures that no data point or activity critical to be covered is omitted. One must ensure the templates and checklists are agreed upon prior to use and from recognised sources. These should be understood commonly by all participating in the audit. It is important that those carrying out the audit understand the importance of capturing information in detail.
UNIT III
Information Security Auditor
LESSON PLAN
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
KA4, KA5: Peer group, Faculty group and Industry experts. KB1 - KB4: Research and Internet. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
2 Hrs classroom and assessment; 10 Hrs offline Learning activity.
PCs/Tablets/Laptops and Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security.
Activity 1:
Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.
Activity 2:
Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.
Activity 3:
Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.
Lesson
also identifies all relevant regulations and industry standards and performs periodic compliance reviews based on identified and relevant risks. Noncompliance should be tracked and managed by executive management.
The internal auditor should identify how the organization is connected to the outside, and who on the outside is connected to the organization. There is a total reliance by some organizations on Statement on Auditing Standards No. 70 (SAS 70) Type II reports for review of external vendors. While SAS 70 is good, it is not final. The auditor first verifies that there is a policy in place to address third-party connections. In addition to the SAS 70 report, the organization should periodically perform its own audit of the vendor to certify that its policies and security needs are being adequately addressed (the organization may have to ensure that the vendor contracts allow for this audit). Changes performed by the third-party vendor on systems affecting the organization should follow the organization's normal change management process.
Also, the auditor should follow the entire process within the extended enterprise where the critical data assets reside. For example, an enterprise may do an exceptional job of protecting critical data assets within the enterprise, but an unencrypted backup tape can fall off a vendor's truck and expose critical information and put the enterprise at risk. An audit of the entire process will definitely reduce the risks associated with the extended enterprise. This extended enterprise may exist globally and could add more complexity to the audit plans.
The auditor verifies that a business continuity plan exists and is maintained and tested periodically. The auditor should also make sure that the plan covers all the risks associated with the business and that it is enough to keep the business in operation in times of disruption. The IT auditor should understand the difference between business continuity and disaster recovery and make sure that each is adequately addressed and periodically tested.
The auditor identifies a catalog of IT initiatives, reviews the business reasons for the project and identifies the executive sponsor for the project. The auditor obtains and reviews the management reports from IT to executive management and verifies that sufficient information is provided to management. The auditor verifies that IT initiatives are adequately aligned with business objectives.
The Information Systems Audit and Control Association (ISACA) has set forth a code governing the professional conduct and ethics of all certified IS auditors and members of the association. Every CISA is expected to uphold this code. The following points form part of this code:
• Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
• Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
• Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
• Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
• Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
• Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
The failure of a CISA to comply with this code of professional ethics may result in an
investigation with possible sanctions or disciplinary measures.
ABOUT CISA
The Information Systems Audit and Control Association (ISACA) is a world-recognized body that was founded in 1969. The CISA examination and certification were initiated by ISACA in 1978 to address industry requirements.
It is important to note that many individuals choose to take the CISA exam prior to meeting
the experience requirements. This practice is acceptable and encouraged although the CISA
designation will not be awarded until all requirements are met.
ABOUT CISSP
UNIT IV
VULNERABILITY ANALYSIS
Lesson Plan
Suggested Learning Activities
Trainer’s Resource Material
4.1. What Is Vulnerability Assessment?
4.2. Why to carry out Vulnerability Assessment?
4.3. Vulnerability Classification
4.4. Types of Vulnerability Assessment
4.5. How to Conduct a Vulnerability Assessment
4.6. Vulnerability Analysis Tools
LESSON PLAN
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
KA4, KA5: Peer group, Faculty group and Industry experts. KB1 - KB4: Research and Internet. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
2 Hrs classroom and assessment; 10 Hrs offline Learning activity.
PCs/Tablets/Laptops and Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security.
Activity 1:
Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.
Activity 2:
Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.
Activity 3:
Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.
Lesson
CERT/CC (the federally funded research and development center operated by Carnegie Mellon
University) reports that nearly 99% of all intrusions resulted from exploitation of known
vulnerabilities or configuration errors.
The following are categories of vulnerabilities commonly recognised, even though classification is an ongoing discussion that has not yet been fully agreed by various stakeholders:
1. Misconfigurations
2. Default installations
3. Buffer overflows
4. Unpatched servers
5. Default passwords
6. Open services
7. Application flaws
8. Open system flaws
9. Design flaws
Some of these are explained below.
Misconfigurations
Security misconfiguration is simply incorrectly assembled safeguards for a web application. These misconfigurations typically occur when holes are left in the security framework of an application by systems administrators, DBAs or developers. They can occur at any level of the application stack, including the platform, web server, application server, database, framework, and custom code. These security misconfigurations can lead an attacker right into the system and result in a partially or totally compromised system. Attackers find these misconfigurations through unauthorized access to default accounts, unused web pages, unpatched flaws, unprotected files and directories, and more. If a system is compromised through faulty security configurations, data can be stolen or modified slowly over time and can be time-consuming and costly to recover.
Default installations
Most server applications included in a default installation are solid, thoroughly tested pieces of software. Having been in use in production environments for many years, their code has been thoroughly refined and many bugs that have been found are fixed. However, there is no perfect software and there is always room for further refinement. Moreover, newer software is often not as rigorously tested because of its recent arrival to production environments or because it may not be as popular as other server software. Developers and system administrators often find exploitable bugs in server applications and publish the information
Tools may also be classified based on the data examined or the location, for example network-based scanner, agent-based scanner, proxy scanner or cluster scanner.
While new vulnerabilities are discovered every day and new tools are required to tackle these, some of the available tools are listed below.
Some of the free scanners available on the internet include:
Nmap
Nmap is a utility for network discovery and/or security auditing. It can be used to scan large networks or single hosts quickly and accurately, determining which hosts are available, what services each host is running and the operating system that is being used. For more information visit http://www.insecure.org/nmap
Nessus
Nessus is a remote security scanner. This software can audit a given network and determine if there are any weaknesses present that may allow attackers to penetrate the defences. It launches predefined exploits, and reports on the degree of success each exploit had. For more information visit http://www.nessus.org
Whisker
Whisker is a CGI web scanner. It scans for known vulnerabilities found in web servers, giving the URL that triggered the event as well; it can also determine the type of web server being run. It is easy to update and has many useful features. For more information visit http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2
Enum
Enum is a console-based Win32 information enumeration utility. Using null sessions, enum can retrieve userlists, machine lists, sharelists, namelists, group and member lists, password and LSA policy information. enum is also capable of a rudimentary brute force dictionary attack on individual accounts. For more information visit http://razor.bindview.com/tools/desc/enum_readme.html
Firewalk
Firewalking is a technique that employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. It can also be used to determine the filter rules in place on a packet forwarding device. For more information visit http://www.packetfactory.net/Projects/Firewalk
UNIT V
PENETRATION TESTING
Lesson Plan
Suggested Learning Activities
Trainer Resource Material
5.1. About penetration testing
5.2. Penetration testing stages
LESSON PLAN
You need to know and understand: KA4, KA5.
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Peer group, Faculty group and Industry experts. Research and Learning. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.

2Hrs classroom and assessment; 10 Hrs offline (KB1 - KB4)

PCs/Tablets/Laptops and Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security
Activity 1:
Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.
Activity 2:
Ask the students to research cases of attacks over the years and the impact of those attacks on the organisations where these occurred.
Activity 3:
Ask the students to access the CVE and list all the types of information that they can get from there. Present the same in class and elaborate upon the various ways that information can be used.
Lesson
Reasons for conducting pentests:
• Identify the threats facing an organization's information assets
• Reduce an organization's IT security costs and provide a better Return on IT Security Investment (ROSI) by identifying and resolving vulnerabilities and weaknesses
• Test and validate the efficiency of security protections and controls
• Enable vulnerability perspectives to the organization internally and externally
• Provide indisputable information usable by audit teams gathering data for regulatory compliance
An organization should conduct a risk assessment operation before the penetration testing that
will help to identify the main threats, such as:
Penetration (or external assessment) testing usually starts with three pre-test phases:
• Footprinting
• Scanning
• Enumerating
Together, the three pre-test phases are called reconnaissance.
There are two different reconnaissance methods to discover information on the hosts in
your target network:
• Passive reconnaissance
• Active reconnaissance
b. Active reconnaissance
Active reconnaissance, in contrast, involves using technology in a manner that the target
might detect. This could be by doing DNS zone transfers and lookups, ping sweeps,
traceroutes, port scans, or operating system fingerprinting. Some of the tools that are useful
in active host reconnaissance include the following:
• NSLookup/Whois/Dig lookups
• SamSpade
• Visual Route/Cheops
• Pinger/WS_Ping_Pro
Footprinting employs the first two steps of reconnaissance, gathering the initial target
information and determining the network range of the target. Common tools/resources used in
the footprinting phase are:
• Whois
• SmartWhois
• NsLookup
• Sam Spade
Footprinting may also require manual research, such as studying the company's Web page for useful information, for example:
• Company contact names, phone numbers and email addresses
• Company locations and branches
• Other companies with which the target company partners or deals
• News, such as mergers or acquisitions
• Links to other company-related sites
• Company privacy policies, which may help identify the types of security mechanisms in place
Other resources that may have information about the target company are:
• The Capital Market database if the company is publicly traded
• Job boards, either internal to the company or external sites
• Disgruntled employee blogs and Web sites
• Trade press
You can also get more active with footprinting. For example, you can call the organization's help desk, and by employing social engineering techniques, get them to reveal privileged information.

Scanning
The next four information-gathering steps -- identifying active machines, discovering open ports and access points, fingerprinting the operating system, and uncovering services on ports -- are considered part of the scanning phase. The goal here is to discover open ports and applications by performing external or internal network scanning, pinging machines, determining network ranges and port scanning individual systems.
• NMap
• Ping
• Traceroute
• Superscan
• Netcat
• NeoTrace
• Visual Route
The next phase is the Vulnerability Analysis. This involves comparing the services, applications,
and operating systems of scanned hosts against vulnerability databases (a process that is
automatic for vulnerability scanners) and the testers’ own knowledge of vulnerabilities. Human
testers can use their own databases—or public databases such as the National Vulnerability
Database (NVD) — to identify vulnerabilities manually. Manual processes can identify new or
obscure vulnerabilities that automated scanners may miss, but are much slower than an
automated scanner.
Most vulnerabilities exploited by penetration testing fall into the following categories:
Misconfigurations
Misconfigured security settings, particularly insecure default settings, are usually easily
exploitable.
Kernel Flaws
Kernel code is the core of an OS, and enforces the overall security model for the system—
so any security flaw in the kernel puts the entire system in danger.
Buffer Overflows
A buffer overflow occurs when programs do not adequately check input for appropriate
length. When this occurs, arbitrary code can be introduced into the system and executed
with the privileges—often at the administrative level—of the running program.
Insufficient Input Validation
Many applications fail to fully validate the input they receive from users. An example is a
Web application that embeds a value from a user in a database query. If the user enters
SQL commands instead of or in addition to the requested value, and the Web application
does not filter the SQL commands, the query may be run with malicious changes that the
user requested—causing what is known as a SQL injection attack.
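The SQL injection case in the paragraph above, worked as an added Python example (not code from the handbook): a lookup that splices the user's value into the query string is shown beside the parameterised form, against an in-memory SQLite table with constructed sample rows. The table, its rows and the function names are assumptions made for this example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data for the example: a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The flaw the text describes: the user's value is pasted into the SQL text.

    Whatever the user types becomes part of the statement, so a value such as
    ' OR '1'='1 turns the WHERE clause into one that matches every row.
    """
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the statement is fixed text and the value travels separately.

    The database binds the value to the placeholder as data; it is never parsed
    as SQL, so the same input above simply matches no user called "' OR '1'='1".
    """
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def compare(name: str) -> tuple:
    """Run both lookups on the same input; returns (rows from vulnerable, rows from parameterised)."""
    conn = build_db()
    return lookup_vulnerable(conn, name), lookup_parameterised(conn, name)
```

Filtering input, as the paragraph suggests, is a second line of defence; binding parameters removes the injection channel entirely because the query structure can no longer be changed by data.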
Symbolic Links
A symbolic link (symlink) is a file that points to another file. Operating systems include
programs that can change the permissions granted to a file. If these programs run with
privileged permissions, a user could strategically create symlinks to trick these programs
into modifying or listing critical system files.
File Descriptor Attacks
File descriptors are numbers used by the system to keep track of files in lieu of filenames.
Specific types of file descriptors have implied uses. When a privileged program assigns an
inappropriate file descriptor, it exposes that file to compromise.
Race Conditions
Race conditions can occur during the time a program or process has entered into a
privileged mode. A user can time an attack to take advantage of elevated privileges while
the program or process is still in the privileged mode.
Incorrect File and Directory Permissions
File and directory permissions control the access assigned to users and processes. Poor
permissions could allow many types of attacks, including the reading or writing of
password files or additions to the list of trusted remote hosts.
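The symbolic link and race condition categories above share a root cause: a privileged program decides what a path refers to, then opens it, and the object at that path can be replaced in between. The Python below is an added example, not code from the handbook: inside a temporary directory it simulates a pre-planted symlink at a path a privileged program writes to, shows a naive open following the link into the "critical" file, and shows a hardened open (O_CREAT|O_EXCL together with O_NOFOLLOW) refusing. The file names are constructed for the example, and the refusal relies on POSIX open flags, so it is demonstrated on Linux or macOS.

```python
import os
import tempfile


def naive_write(path: str, data: str) -> None:
    """Opens whatever 'path' currently resolves to, following symlinks.

    If a lower-privileged user pre-created 'path' as a symlink to a critical file,
    a privileged caller truncates and overwrites that critical file instead.
    """
    with open(path, "w") as fh:
        fh.write(data)


def hardened_write(path: str, data: str) -> None:
    """Creates 'path' only if nothing exists there, refusing a symlink at the last component.

    O_CREAT | O_EXCL makes the existence check and the creation one atomic kernel
    operation, so there is no check-then-use window for a race. O_NOFOLLOW (POSIX,
    assumed available; falls back to 0 elsewhere) additionally refuses to follow a
    symlink at the final path component even when the file is opened without O_EXCL.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def demo() -> tuple:
    """Simulates the attack in a scratch directory.

    Returns (contents of the critical file after the naive write,
             whether the hardened write refused to proceed).
    """
    with tempfile.TemporaryDirectory() as tmp:
        critical = os.path.join(tmp, "critical.conf")  # stands in for a system file
        with open(critical, "w") as fh:
            fh.write("original\n")
        report = os.path.join(tmp, "report.txt")       # path the privileged program writes
        os.symlink(critical, report)                   # pre-planted symlink (simulated)

        naive_write(report, "clobbered\n")             # follows the link: critical.conf is overwritten
        with open(critical) as fh:
            after_naive = fh.read()

        try:
            hardened_write(report, "safe\n")           # O_EXCL sees an existing entry and fails
            refused = False
        except OSError:                                # FileExistsError on POSIX
            refused = True
        return after_naive, refused
```

The same idea applies to the file descriptor category: operate on the descriptor returned by a single open (fstat, fchmod, fchown) rather than repeating path-based operations that can each be redirected.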
The attack phase activities include:

a. Activity: Perimeter Auditing

The perimeter layer of a network starts when and where an outside connection is established and ends with access to a private network. A private network will be at risk from many threats because of the need to establish connections to other networks, especially the Internet. An IDS (Intrusion Detection System) or IPS (Intrusion Prevention System) is usually included in the perimeter to detect and stop any malicious activity on a private network. The overall network perimeter complexity will depend on the services provided over the Internet. The router and firewall separate the Internet from a private network, the IDS or IPS monitors all traffic, and the VPN (Virtual Private Network) provides remote access; all of which provide the necessary defence-in-depth features for the perimeter.

Complex configurations of various organisations make it very difficult to secure the perimeter 100%.

A sound network security perimeter architecture requires multiple layers of defence, up-to-date and hardened policies and controls, and segmentation. All of these things make it harder for an attacker to gain access to the critical data assets and easier for the organisation to isolate and respond to breaches when they occur.
A channel is the means of interaction with an asset and an asset is what has value to the owner.
Channels are classified as
• Physical security
• Spectrum security
• Communications security
The definition of the scope will determine the costs associated with third-party audits.
The scope consists of targets as determined by the selection of channel, test type, and vectors.
These targets are then indexed to allow for unique identification by the test vector.
The more channels and vectors in a scope, the longer it will take to complete an audit.
Common problems during and after the perimeter security implementation process
include:
Management and IT staff believe that once a firewall is in place, they have sufficient
security and no further checks and controls are needed on the internal network.
Analog lines and modems are provided to connect to an Internet service provider or have
dial-in access to the desktop system, thus bypassing perimeter security measures.
Internal host network services are passed through security perimeter control points
unscreened.
Firewalls, hosts, or routers accept connections from multiple hosts on the internal
network and from hosts on the DMZ network.
The organization allows incorrect configuration of access lists, which results in allowing
unknown and dangerous services to pass through the network freely.
The details of logged user activities are not reviewed regularly or are insufficient, thus
deteriorating the effectiveness of the monitoring system.
Hosts on the DMZ or those running firewall software also are using unnecessary services.
Support personnel use unencrypted protocols to manage firewalls and other DMZ
devices.
Employees are allowed to run encrypted tunnels through the organization's perimeter
device without fully validating the tunnel's end-point security.
The company uses unsecured or unsupported wireless network applications.
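Several of the problems listed above (access lists that let unknown services through, unencrypted protocols used to manage firewalls and DMZ devices) can be caught by reviewing the rule set before it is deployed. The Python below is an added example, not code from the handbook or any firewall vendor: it audits a small constructed rule set written in a simplified, hypothetical five-field syntax (action, protocol, source, destination, port), flagging a blanket permit, the rules shadowed behind it, cleartext management protocols that reach a device management address, and a missing final deny. The rule syntax, the addresses and the port table are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed rule set in a simplified, hypothetical syntax (not any vendor's):
#   <permit|deny> <tcp|udp|any> <source CIDR|any> <destination CIDR|any> <port|any>
# Rules are evaluated top to bottom, first match wins. Addresses are documentation ranges.
SAMPLE_RULESET = [
    "permit tcp any 203.0.113.0/24 443",        # public web service in the DMZ
    "permit tcp any 203.0.113.10/32 23",        # telnet to the DMZ device's management address
    "permit any any any any",                   # blanket permit
    "permit tcp 10.0.0.0/8 203.0.113.0/24 22",  # never reached: shadowed by the rule above
    "deny any any any any",
]

# Management protocols that carry credentials and commands in the clear.
CLEARTEXT_MGMT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp"}
# Management addresses of firewalls and other DMZ devices (constructed for the example).
MGMT_DEVICES = [ip_network("203.0.113.10/32")]


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    port: str

    def is_blanket(self) -> bool:
        return (self.proto, self.src, self.dst, self.port) == ("any", "any", "any", "any")


def parse_rule(line: str) -> Rule:
    fields = line.split()
    if len(fields) != 5 or fields[0] not in ("permit", "deny"):
        raise ValueError(f"malformed rule: {line!r}")
    return Rule(*fields)


def reaches_mgmt_device(dst: str) -> bool:
    """True if the destination covers any device management address."""
    if dst == "any":
        return True
    return any(ip_network(dst).overlaps(dev) for dev in MGMT_DEVICES)


def audit(lines) -> list:
    """Return (rule number, finding) pairs; rule numbers start at 1."""
    rules = [parse_rule(line) for line in lines]
    findings = []
    blanket_at = None
    for num, rule in enumerate(rules, start=1):
        if blanket_at is not None:
            # Everything after a permit-all is dead configuration, including a trailing deny.
            findings.append((num, f"unreachable: shadowed by blanket permit in rule {blanket_at}"))
            continue
        if rule.action == "permit" and rule.is_blanket():
            findings.append((num, "overly permissive: permits any protocol from any source to any destination"))
            blanket_at = num
        if (rule.action == "permit" and rule.port != "any"
                and int(rule.port) in CLEARTEXT_MGMT_PORTS and reaches_mgmt_device(rule.dst)):
            proto_name = CLEARTEXT_MGMT_PORTS[int(rule.port)]
            findings.append((num, f"cleartext management protocol ({proto_name}) permitted to a device management address"))
    if not rules or rules[-1].action != "deny" or not rules[-1].is_blanket():
        findings.append((len(rules), "rule set does not end with an explicit deny-all"))
    return findings
```

The shadowing check is deliberately simple (only a blanket permit shadows later rules); a full check would compare each rule's protocol, address and port ranges against every earlier rule.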
Web application vulnerabilities account for the largest portion of attack vectors outside of
malware. It is crucial that any web application be assessed for vulnerabilities and any
vulnerabilities be remediated prior to production deployment.
Web Application Audit Tools: Burp Suite, fuzzing tool, dotDefender, IBM Security AppScan, HP
WebInspect, SQL Block Monitor, Microsoft Source Code Analyzer, Acunetix Web Vulnerability
Scanner, WebCruiser, GreenSQL, Microsoft UrlScan, Absinthe, CORE IMPACT Pro, Safe3SI,
BSQLHacker, SQL Power Injector, Havij, BobCat, Sqlninja, sqlmap, Pangolin – Automatic SQL
Injection Penetration Testing Tool, NGSSQuirreL
Web applications are subject to security assessments based on the following criteria:
Point Releases
This will be subject to an appropriate assessment level based on the risk of the changes in
the application functionality and/or architecture.
Patch Releases
This will be subject to an appropriate assessment level based on the risk of the changes to
the application functionality and/or architecture.
Emergency Releases
An emergency release will be allowed to forgo security assessments and carry the
assumed risk until such time that a proper assessment can be carried out.
Application security testing and examination help an organization determine whether its custom
application software—for example, Web applications—contains vulnerabilities that can be
exploited, and whether the software behaves and interacts securely with its users, other
applications (such as databases), and its execution environment.
External Penetration Testing Tools: Network Topology Mapper, VisualRoute, Visual Trace Route,
nslookup, NetInspector, SmartWhois, Nmap, Hping3, IDA Pro, Httprint, Netcat, Acunetix Web
Vulnerability Scanner, HP WebInspect, HTTPTunnel.
Internal Network Penetration Testing Tools: Angry IP Scanner, SuperScan, TCPView, GFI
LANguard, Winfingerprint, Wireshark, Tcpdump, Power Spy 2013, L0phtCrack, Arpspoof, Cain and
Abel, Activity Monitor, Active@ Password Changer, Netcat, SMAC, Metasploit, Nessus, Retina
Network Security Scanner.
f. Activity: Wireless/Remote Access Assessment

Wireless Security Assessments meet the security challenges of business-critical wireless technologies. These technologies pose unique threats because their signals propagate outside physical boundaries and are therefore difficult to control. Misconfigurations and weak security protocols allow for unauthorized eavesdropping and easy access. Auditors attempt to detect the wireless networks in place (including any ad-hoc networks identified), determine the locations and ranges of the wireless networks, evaluate the range of the wireless access area, determine network configuration information, and probe points of entry for identifying system information or access parameters.

Assess Wireless Implementation for Vulnerabilities: auditors evaluate the security measures taken to secure infrastructure, including the SSID, the use and strength of WEP encryption, network segmentation, and access control devices. The testing is executed from the perspective of an authenticated external user connected to the organization's network through remote access technologies such as VPN, SSLVPN, Citrix, etc.

Exploit Vulnerabilities and Access Other Networks: auditors use the previously discovered vulnerabilities to obtain access to other network segments. If the team is successful, they will test different methods to exploit that access. This phase will determine which network segments and systems the wireless network infrastructure can access, the security controls that separate the wireless network from other network segments and if the wireless network can be used as a launching point to attack other systems.
(SSID is short for service set identifier. SSID is a case sensitive, 32 alphanumeric character unique
identifier attached to the header of packets sent over a wireless local-area network (WLAN) that
acts as a password when a mobile device tries to connect to the basic service set (BSS) -- a
component of the IEEE 802.11 WLAN architecture. The SSID differentiates one WLAN from
another, so all access points and all devices attempting to connect to a specific WLAN must use
the same SSID to enable effective roaming. As part of the association process, a wireless network
interface card (NIC) must have the same SSID as the access point or it will not be permitted to join
the BSS.)
understand whether the telephony system can be considered secure and reliable.

The need to segregate voice services from the traditional corporate network is well publicised and this is the second area of attention. The method of segregation (commonly VLANs) will be subject to review, as will any servers that bridge both data and voice networks, to ensure that they are capable of maintaining the required level of segregation.

The type of testing conducted will be dictated by the nature of the solution and, in addition to telephony-specific skills, tests may include elements of wireless testing, infrastructure penetration testing, application testing, build reviews, remote access testing and more. The mission-critical nature of voice services and the challenges of the multipartite ownership of voice services cannot be undermined or ignored. Auditors test these services and related infrastructure to establish government and industry regulatory compliance requirements; discover telephony network vulnerabilities and risks to business systems; validate the effectiveness of current security safeguards; and identify remediation steps to help prevent network compromise.

k. Data Leakage Information Security Audit

between the corporate LAN and the firewall and between the external e-mail gateway and the firewall. They would also use software on servers to monitor unencrypted traffic. Then they analyse the traffic with respect to company policy.

l. Social Engineering

Social engineering is an attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks. It is used to test the human element and user awareness of security, and can reveal weaknesses in user behaviour—such as failing to follow standard procedures. Social engineering can be performed through many means, including analog (e.g., conversations conducted in person or over the telephone) and digital (e.g., e-mail, instant messaging). One form of digital social engineering is known as phishing, where attackers attempt to steal information such as credit card numbers, Social Security numbers, user IDs, and passwords. Phishing uses authentic-looking emails to request information or direct users to a bogus Web site to collect information. Other examples of digital social engineering include crafting fraudulent e-mails and sending attachments that could mimic worm activity.
UNIT VI
Information Security Audit
Tasks
Lesson Plan
Suggested Learning Activities
Trainer’s Resource Material
6.1. Pre-audit tasks
6.2. Information gathering
6.3. External Security Audit
6.4. Internal Network Security Auditing
6.5. Firewall Security Auditing
6.6. IDS Security Auditing
6.7. Social Engineering Audit
LESSON PLAN
You need to know and understand: KA4, KA5.
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Peer group, Faculty group and Industry experts. Research and Learning. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.

2Hrs classroom and assessment; 10 Hrs offline (KB1 - KB4)

PCs/Tablets/Laptops and Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security
Activity 1:
Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.
Activity 2:
Ask the students to research cases of attacks over the years and the impact of those attacks on the organisations where these occurred.
Activity 3:
Ask the students to access the CVE and list all the types of information that they can get from there. Present the same in class and elaborate upon the various ways that information can be used.
During the pre-audit survey, the ISMS auditors identify and ideally make contact with the
main stakeholders in the ISMS such as the ISM manager/s, security architects, ISMS
developers, ISMS implementers and other influential figures such as the CIO and CEO, taking
the opportunity to request pertinent documentation etc. that will be reviewed during the
audit. The organization normally nominates one or more audit "escorts", individuals who are
responsible for ensuring that the auditors can move freely about the organization and rapidly
find the people, information etc. necessary to conduct their work, and act as management
liaison points.
important for testing according to the service are listed with the task. Additional port numbers for scanning should be taken from the Consensus Intrusion Database Project Site. The results that the tester might get using port scanning are:
- List of all open, closed or filtered ports
- IP addresses of live systems
- Internal system network addressing
- List of discovered tunnelled and encapsulated protocols
- List of discovered routing protocols supported
Methods include SYN and FIN scanning, and variations thereof, e.g. fragmentation scanning.

Phase Four

Services identification: This is the active examination of the application listening behind the service. In certain cases more than one application exists behind a service, where one application is the listener and the others are considered components of the listening application. The results of service identification are:
- Service Types
- Service Application Type and Patch Level
- Network Map
The methods in service identification are the same as in port scanning. There are two ways in which one can perform information gathering:
1. The first method of information gathering is to perform information gathering techniques with a 'one to one' or 'one to many' model; i.e. a tester performs techniques in a linear way against either one target host or a logical grouping of target hosts (e.g. a subnet). This method is used to achieve immediacy of the result and is often optimized for speed, and often executed in parallel.
2. Another method is to perform information gathering using a 'many to one' or 'many to many' model. The tester utilizes multiple hosts to execute information gathering techniques in a random, rate-limited, and non-linear way. This method is used to achieve stealth (distributed information gathering).
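The port scanning and service identification deliverables listed above (open, closed or filtered ports; addresses of live systems; service type and patch level) are what a tester turns the raw scanner output into. The Python below is an added example, not code from the handbook or from the Nmap project: it parses a constructed sample written in the grepable (-oG) output format of Nmap, the scanner introduced earlier in this chapter, into exactly those deliverables. The hosts and services in the sample are invented and use the 192.0.2.0/24 documentation range; the function names are assumptions made for this example.

```python
import re

# Constructed sample in Nmap's grepable (-oG) output format. Addresses are from the
# 192.0.2.0/24 documentation range; the hosts and services are invented for this example.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.0.2.10 (web.example.test)\tStatus: Up
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/open/tcp//https//nginx 1.18/, 25/filtered/tcp//smtp///\tIgnored State: closed (996)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 445/closed/tcp//microsoft-ds///\tIgnored State: filtered (998)
Host: 192.0.2.12 ()\tStatus: Down
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_port_entry(entry: str) -> dict:
    # Each entry is "port/state/protocol/owner/service/rpcinfo/version/"; empty fields are kept.
    f = entry.strip().split("/")
    return {"port": int(f[0]), "state": f[1], "proto": f[2], "service": f[4], "version": f[6]}


def parse_grepable(text: str) -> dict:
    """Map each address to its hostname, status and per-port records."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines carry nothing we need
        fields = line.split("\t")         # fields are tab separated
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        rec = hosts.setdefault(m.group(1), {"hostname": m.group(2), "status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "Ports":
                rec["ports"].extend(parse_port_entry(e) for e in value.split(", "))
            elif key == "Ignored State":
                rec["ignored_state"] = value   # the state Nmap did not list port by port
    return hosts


def summarise(hosts: dict) -> dict:
    """Produce the deliverables named in the text: live addresses, ports by state, services."""
    live = sorted(ip for ip, rec in hosts.items() if rec["status"] == "Up")
    by_state, services = {}, []
    for ip, rec in hosts.items():
        for p in rec["ports"]:
            by_state.setdefault(p["state"], []).append((ip, p["port"], p["proto"]))
            if p["state"] == "open":
                # service type plus application/version, the "patch level" input for the next phase
                services.append((ip, p["port"], p["service"], p["version"] or "unknown version"))
    return {"live_hosts": live,
            "by_state": {s: sorted(v) for s, v in by_state.items()},
            "services": sorted(services)}
```

The "Ignored State" field matters for the results list: a host whose ignored state is "filtered" sits behind a filtering device, so the absence of a port from the list is not evidence that it is closed.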
c. Information gathering steps

The client benefits by anticipating external attacks that might cause security breaches and by proactively reducing risks to information, systems and networks. It also improves the security of the client's networked resources. This provides improved e-commerce and e-business operations with increased confidence in

Steps for Conducting External Security Auditing
• Inventory the company's external infrastructure and create a topological map of the network
• Identify the IP address of the targets
• Locate the traffic route that goes to the web servers
• Locate TCP and UDP traffic path to the destination
• Identify the physical location of the target servers
• Examine the use of IPv6 at the remote location
• Lookup domain registry for IP information, find IP block information about the target
• Locate the ISP servicing the client
• List open and closed ports
• List suspicious ports that are half open/close
• Port scan every port on the target's network
• Use SYN scan and connect scan on the target and see the response
• Use XMAS scan, FIN scan and NULL scan on the target and see the response
• Firewalk on the router's gateway and guess the access-list
• Examine TCP sequence number prediction
• Examine the use of standard and non-standard protocols
• Examine IPID sequence number prediction
• Examine the system uptime of target
• Examine the operating system used for different targets
• Examine the applied patch to the operating system
• Locate DNS record of the domain and attempt DNS hijacking
• Download applications from the company's website and reverse engineer the binary code
• List programming languages used and application software to create various programs from the target server
• Look for error and custom web pages
• Guess different sub domain names and analyse different responses
• Examine the session variables
• Examine cookies generated by the server
• Examine the access controls used in the web applications
• Brute force URL injections and session tokens
• Check for directory consistency and page naming syntax of the web pages
• Look for sensitive information in web page source code
• Attempt URL encodings on the web pages
• Try buffer overflow attempts at input fields
• Try Cross Site Scripting (XSS) techniques
• Record and replay the traffic to the target web server and note the response
• Try various SQL injection techniques
• Examine hidden fields
• Examine e-commerce and payment gateways handled by the web server
• Examine welcome messages, error messages, and debug messages
• Probe the service by SMTP mail bouncing
• Grab the banner of HTTP servers, SMTP servers, POP3 servers, FTP servers
• Identify the web extensions used at the server
• Try to use an HTTPS tunnel to encapsulate traffic
• OS fingerprint target servers
• Check for ICMP responses (type 3, port unreachable), (type 8, echo request), (type 13, timestamp request), (type 15, information request), (type 17, subnet address mask request)
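The ICMP types named in the last step above are easier to reason about with the message layout in hand, and an auditor reading a packet capture needs to map type and code numbers back to names. The Python below is an added example, not code from the handbook: it builds and decodes ICMP messages (8-byte header of type, code, checksum and rest-of-header, followed by the payload) and verifies the one's-complement Internet checksum of RFC 1071, on constructed bytes only; nothing is sent on the network. The type and code tables are the standard RFC 792 assignments; the function names are assumptions made for this example.

```python
import struct

# Standard ICMP type numbers (RFC 792), including the request types in the audit step.
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    8: "echo request",
    13: "timestamp request",
    14: "timestamp reply",
    15: "information request",
    16: "information reply",
    17: "address mask request",
    18: "address mask reply",
}
# Codes for type 3; the "port unreachable" of the audit step is type 3 with code 3.
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable",
                     2: "protocol unreachable", 3: "port unreachable",
                     13: "communication administratively prohibited"}
# Request types a perimeter is commonly probed with; replies to 13/15/17 leak host details.
PROBE_REQUEST_TYPES = {8, 13, 15, 17}


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words (RFC 1071), as ICMP uses."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad the last word
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (in memory only, never sent)."""
    if len(rest) != 4:
        raise ValueError("rest-of-header must be exactly 4 bytes")
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload   # checksum field zeroed
    csum = internet_checksum(body)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode type/code and verify the checksum; a valid message sums to zero."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    description = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
    if icmp_type == 3:
        description += " (" + UNREACHABLE_CODES.get(code, f"code {code}") + ")"
    return {
        "type": icmp_type,
        "code": code,
        "description": description,
        "is_probe_request": icmp_type in PROBE_REQUEST_TYPES,
        "checksum_ok": internet_checksum(packet) == 0,
    }
```

A perimeter that answers timestamp, information or address mask requests reveals clock, addressing and subnet details to anyone who asks; the audit step exists so the organisation can decide deliberately which of these, if any, should be answered from outside.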
rest of the internal network more easily. This would enable a sophisticated attacker to read and possibly leak confidential emails and documents; trash computers, leading to loss of information; and more. Not to mention that they could then use your network and network resources to start attacking other sites, which when discovered will lead back to you and your company, not the hacker.

Most attacks, against known exploits, could be easily fixed and, therefore, stopped by administrators if they knew about the vulnerability in the first place. During an Internal Network Security Assessment, security experts scan the entire internal local-area and wide-area networks for known vulnerabilities. These scans include all servers, workstations, and network devices.

Steps for Internal Network Security Auditing

Internal Network Review includes:
• Examining the internal configuration and setup of the organization's computing resources
• Users' accounts & password policies and practices
• Access privileges and levels
• File, directory, event log and registry permissions
• Audit logs
• Software Patch management
• Physical network cabling
• Backup methodology & disaster recovery plans

Internal testing involves testing computers and devices within the company. The internal penetration testing involves:
• Performing port scanning on individual machines and establishing null sessions.
• Attempting replay attacks, ARP poisoning, MAC flooding.
• Conducting man-in-the-middle attack and trying to login to a console machine.
• Attempting to plant keylogger, Trojan, and Rootkit on target machine.
• Attempting to send virus using target machine.
• Hiding sensitive data and hacking tools in target machine.
• Escalating user privileges.

Internal testing, which is a critical part of this, includes the following steps:
• Map the internal network
• Scan the network for live hosts
• Port scan individual machines
• Try to gain access using known vulnerabilities
• Attempt to establish null sessions
• Enumerate users/identify domains on the network
• Sniff the network using Wireshark
• Sniff POP3/FTP/Telnet passwords
• Sniff email messages
• Attempt replay attacks
• Attempt ARP poisoning
• Attempt MAC flooding
• Conduct a man-in-the-middle attack
• Attempt DNS poisoning
• Try a login to a console machine
• Boot the PC using alternate OS and steal the SAM file
• Attempt to plant a software keylogger to steal passwords
• Attempt to plant a hardware keylogger to steal passwords
• Attempt to plant a spyware on the target machine
Continue to compromise every machine in the network and perform the previous steps. Make sure you can undo your actions based on the pen-test process you had conducted.
Internal Security Auditing Tools
and pass traffic at the same time, and in the event of a failure of one device all traffic flows through the single remaining firewall. The benefits of active/active over active/standby are that both firewalls are being utilized and can support higher data rates than a single firewall. The downside to active/active is that both firewalls must be able to support their own traffic loads in addition to the other firewall if one fails or the organization must be able to accept.
Firewall testing
• Firewall logs.
• Tools output
• The analysis
• Recommendations (if any).
Firewall Auditing Tools: HTTPORT, HTTHOST, Firewall Test Agent, Hping3, Netfilter, fragroute,
IP Filter, Ftester, Fwanalog, Fpipe, Firewall Builder, Port Test/ Firewall Tester, VisualRoute,
datapipe, firewalking;
• Host-based: A host-based IDS uses system log files and other electronic audit data to identify
suspicious activity.
A network intrusion detection system (NIDS) is a system that tries to detect malicious activity such as denial of service attacks, port-scans or even attempts to crack into computers by monitoring network traffic.

A host-based IDS monitors individual hosts on the network for malicious activity; for example, Cisco Security Agent. Host systems are more accurate than network-based IDS because they analyse the server's log files and not just network traffic patterns. The host monitors the system and reports its activities to a centralized server. They are expensive and resource intensive.

monitoring software logs, system logs, IDS logs, and firewall logs into a single monitoring and analysis source.

Benefits:
• Improves detection time
• Increases situational awareness
• Incident handling and analysis
• Shortens response time
• Decreases detection and reaction time
• Decreases consumed employee time and increases system uptime
• Provides a clear picture of what happened during an incident
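The host-based IDS described above works from the host's own log files rather than from traffic. The Python below is an added example, not code from the handbook or any IDS product: it runs a sliding-window failed-login detector over a few constructed authentication log lines (modelled loosely on OpenSSH messages, with ISO timestamps for simplicity), raising an alert when one source fails five times within a minute and a higher-priority alert when a successful login from that source follows the burst. The log format, the threshold and the window are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real events); addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
2024-03-01T08:00:01 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
2024-03-01T08:00:03 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
2024-03-01T08:00:04 sshd[1201]: Failed password for root from 198.51.100.7 port 51024 ssh2
2024-03-01T08:00:06 sshd[1201]: Failed password for root from 198.51.100.7 port 51025 ssh2
2024-03-01T08:00:09 sshd[1201]: Failed password for root from 198.51.100.7 port 51026 ssh2
2024-03-01T08:00:15 sshd[1201]: Accepted password for root from 198.51.100.7 port 51027 ssh2
2024-03-01T08:30:00 sshd[1340]: Failed password for alice from 192.0.2.55 port 40001 ssh2
2024-03-01T08:31:10 sshd[1341]: Accepted publickey for alice from 192.0.2.55 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line: str):
    """Return the fields the detector needs, or None for lines it does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Return alerts as (kind, source, timestamp, user) tuples, in log order."""
    recent_failures = defaultdict(deque)   # source -> failure timestamps inside the window
    burst_seen_at = {}                     # source -> time the brute-force alert fired
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in burst_seen_at:
                burst_seen_at[src] = ts
                alerts.append(("brute_force", src, ts, ev["user"]))
        elif src in burst_seen_at and ts - burst_seen_at[src] <= window:
            # A success shortly after a burst of failures is the signal that matters most.
            alerts.append(("success_after_brute_force", src, ts, ev["user"]))
    return alerts
```

The second alert kind is the one an analyst should look at first: a burst of failures alone is background noise on any Internet-facing host, while a success that follows it is a likely account compromise.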
Steps for Web Application Testing
• Fingerprinting the web application environment
• Investigate the output from HEAD and OPTIONS HTTP requests
• Investigate the format and wording of 404/other error pages
• Test for recognized file types/extensions/directories
• Examine source of available pages
• Manipulate inputs in order to elicit a scripting error
• Test inner working of a web application
• Test database connectivity
• Test the application code
• Testing the use of GET and POST in web application
• Test for parameter-tampering attacks on website
• Test for URL manipulation
• Test for cross site scripting
• Test for hidden fields
• Test cookie attacks
• Test for buffer overflows
• Test for bad data
• Test client-side scripting
• Test for known vulnerabilities
• Test for race conditions
• Test with user protection via browser settings
• Test for command execution vulnerability
• Test for SQL injection attacks
• Test for blind SQL injection
• Test for session fixation attack
• Test for session hijacking
• Test for XPath injection attack
• Test for server side include injection attack
• Test for logic flaws
• Test for binary attacks
UNIT VII
Audit Reports and Actions
Lesson Plan
Suggested Learning Activities
Trainer Resource Material
7.1. Audit Reports and Actions
LESSON PLAN
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

KA4, KA5. Peer group, Faculty group and Industry experts. Research and Learning.
KB1 - KB4. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.

2Hrs classroom assessment and 10 Hrs offline (24/7)

PCs/Tablets/Laptops and Labs availability. Internet with WiFi (Min 2 Mbps Dedicated). Access to all security sites like ISO, PCI DSS, Center for Internet Security.
Divide the students into groups and ask them to research various types of attacks and get
examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets
the maximum number of correct examples will get a prize.
Activity 2:
Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.
Activity 3:
Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.
Lesson
The auditor report’s goal is to show the organization that the team honestly wants to improve the company’s security posture; this is to be borne in mind when writing the report. The documentation report should contain the final result and recommendations to rectify any problem that occurred during the penetration testing process. The document report includes:
• Summary of the test execution.
• Scope of the project.
• Result analysis.
• Recommendations.
• Appendixes.
After documentation, submit the document to the client, get their signature on it and keep a copy of the report.
The summary should provide a short, high-level overview of the test. It should contain the client’s name, testing firm, date of test, and so on, together with information about the targeted systems and applications, end-user test results and all exploits performed. The summary should include details of discovered vulnerabilities.
Scope of the project should include the IP address ranges that are tested and mentioned in the contract, and should cover:
• Examining whether social engineering was employed or not.
• Examining whether public or private networks are tested or not.
• Examining whether Trojans and backdoor software applications are permitted or not.
The results analysed should include:
• Domain name and IP address of the host
• TCP and UDP ports
• Description of the service
• Details of the test performed
• Vulnerability analysis
UNIT VIII
Audit Support Activities
Lesson Plan
Suggested Learning Activities
Trainer Resource Material
7.1. Audit Support Activities
LESSON PLAN
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

KA4, KA5. Peer group, Faculty group and Industry experts. Research and Learning.
KB1 - KB4. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.

2Hrs classroom assessment and 10 Hrs offline (24/7)

PCs/Tablets/Laptops and Labs availability. Internet with WiFi (Min 2 Mbps Dedicated). Access to all security sites like ISO, PCI DSS, Center for Internet Security.
Divide the students into groups and ask them to research various types of attacks and get
examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets
the maximum number of correct examples will get a prize.
Activity 2:
Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.
Activity 3:
Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.
Lesson
Assisting the auditors
Security Analyst: A security analyst may be assigned responsibilities to carry out activities supporting the audit team or independently carrying out a set of security auditing activities. It is important for the security analyst to clarify and understand their scope of responsibilities and work within these limits. In case they are not clear about any aspect of their limits of authority or scope of responsibilities, they should speak to their supervisor and clarify the same. It always helps to get written clarifications, eliminating the scope for confusion later on.
Auditors need organizational support, such as having access to certain data or staff. The security analyst often assists and supports the information audit. This support often includes actions such as obtaining access to copies of policies or system configuration data. These expectations should be clarified or directed by seniors to the security analyst and the auditors. The security analyst should also get clear information about units whose systems will be audited. The security analyst would communicate the same to co-workers and other users in the organization to ensure a least disruptive and smooth audit. For this purpose business and IT unit managers of the audited systems should be involved early in the process. This will ensure there are no disputes and delays regarding auditors’ access to areas and information.
The various responsibilities of the Security Analyst in supporting the auditors can include the following:
Assisting with Security Policy
As stated, a security audit is essentially an assessment of how effectively the organization's security policy is being implemented. Of course, this assumes that the organization has a security policy in place which, unfortunately, is not always the case. A Security Analyst will support the auditors in getting the necessary information by getting them access to policies and procedures documents or explaining the processes where such documents are not available.
Facilitating access
Natural tensions frequently exist between workplace culture and security policy. Even with the best of intentions, employees often choose convenience over security. Sometimes teams and individuals need to be spoken to and auditors need to be helped in gaining access to the facilities required for auditing. This may also be the case with getting time with individuals for auditing.
Pre-Audit Homework
Before the computer security auditors even begin an organizational audit, there's a fair amount of homework that should be done. Auditors need to know what they're auditing. In addition to reviewing the results of any previous audits that may have been conducted, there may be several tools they will use or refer to beforehand. The first is a site survey. This is a technical description of the system's hosts. It also includes management and user demographics. This information may be out of date, but it can still provide a general framework. Security questionnaires may be used to follow up the site survey. These questionnaires are, by nature, subjective measurements, but they are useful because they provide a framework of agreed-upon security practices. The respondents are usually asked to rate the controls used to govern access to IT assets. These controls include: management controls, authentication/access controls, physical security, outsider access to systems, system administration controls and procedures, connections to external networks, remote access, incident response, and contingency planning.
A security analyst may be called upon to assist in conducting site surveys and administering security questionnaires. Accompanying communication may be required to acquire the specific responses to specific requirements.
Auditors review previous security incidents at the client organization to gain an idea of historical weak points in the organization's security profile. It may require the support of organisational staff to help auditors examine current conditions to ensure that repeat incidents cannot occur. If auditors are asked to examine a system that allows Internet connections, they may also want to know about IDS/firewall log trends. Do these logs show any trends in attempts to exploit weaknesses? A security analyst may be called upon to provide such support to auditors.
The auditors develop an audit plan. This plan will cover how the audit will be executed, with which personnel, and using what tools. They will then discuss the plan with the requesting agency. Next they discuss the objective of the audit with site personnel along with some of the logistical details, such as the time of the audit, which site staff may be involved and how the audit will affect daily operations. The security analyst may be called upon to coordinate and smoothen the audit execution.
At the Audit Site
When the auditors arrive at the site, their aim is not to adversely affect business transactions during the audit. They should conduct an entry briefing where they again outline the scope of the audit and what they are going to accomplish. Any questions that site management may have should be addressed and last minute requests considered within the framework of the original audit proposal. This communication may be further passed on with the help of the security analyst.
During the audit, they will collect data about the physical security of computer assets and perform interviews of site staff. They may perform network vulnerability assessments, operating system and application security assessments, access controls assessment, and other evaluations. Throughout this process, the auditors should follow their checklists, but also keep eyes open for unexpected problems. Here they get their noses off the checklist and start to sniff the air. They should look beyond any preconceived notions or expectations of what they should find and see what is actually there. In this case the security analyst may be of immense help providing the auditors with background information and facilitating ad-hoc activities that may not be registered in the original plan.
Conduct Outgoing Briefing
After the audit is complete, the auditors will conduct an outgoing briefing, ensuring that management is aware of
Trainer’s Handbook – Security Analyst SSC/N9001
SSC/ N 9001:
Manage your work to meet requirements
Description This unit is about planning and organizing your work in order to complete it to the
required standards on time.
Scope This unit/task covers the following:
Work requirements:
line manager
the person requesting the work
members of the team/department
members from other teams/departments
Resources:
equipment
materials
information
Performance Criteria(PC) w.r.t. the Scope
company / organization and its processes)
KA5. how to prioritize your workload according to urgency and importance and the benefits of this
KA6. the organization’s policies and procedures for dealing with confidential information and the importance of complying with these
KA7. the purpose of keeping others updated with the progress of your work
KA8. who to obtain guidance from and the typical circumstances when this may be required
KA9. the purpose and value of being flexible and adapting work plans to reflect change
B. Technical Knowledge: The user/individual on the job needs to know and understand:
KB1. the importance of completing work accurately and how to do this
KB2. appropriate timescales for completing your work and the implications of not meeting these for you and the organization
KB3. resources needed for your work and how to obtain and use these
THE UNITS
The module for this NOS is divided into 3 Units based on the learning objectives as given below.
UNIT I
Understanding scope of work and
working within limits of authority
Lesson Plan
Resource Material
1.1. Scope of work
1.2. Seeking and providing clarity, assistance and support
1.3. Seeking feedback and approvals
1.4. Change and Flexibility
LESSON PLAN
Activity 1:
Activity 2:
Ask students to work in pairs, link up with professionals from various
companies and research the internet to list various policies and their
purpose in companies.
Praise the top three duos that prepare the most comprehensive list with
accurate descriptions of the purpose and components of the policy.
Activity 3:
Ask the participants about what can they do if they are not clear about
their work or if they face a problem, who all can they seek help from?
Activity 4:
Divide the class into groups and provide each group with a set of written
instructions for a task with multiple parameters and division of roles.
Give them a tight time limit and ask each group to perform accurately as
per instructions and within the time limit. Keep track of which groups
were demonstrating the following principles.
o establish and agree your work requirements with appropriate
people
o Appropriate people: line manager, the person requesting the
work, members of the team/department, members from other
teams/departments
o work in line with your organization’s policies and procedures
o work within the limits of your job role
o obtain guidance from appropriate people, where necessary
o ensure your work meets the agreed requirements
Activity 5:
Ask the class the importance of receiving and giving feedback. Encourage
them to receive feedback from the person next to them on their
behavior in class and their overall performance in the course.
Once this is done, ask the students to highlight how they felt while giving
and receiving feedback. Explain the importance of giving and receiving
feedback in the right spirit, paying attention to the emotions of others. Also
explain the importance of working on feedback and how they can validate
its accuracy.
Now explain to the students how, in order to incorporate feedback, they
have to change the way they are, including habits, work style, etc. This
often may result in changing expectations of others.
Activity 6:
Scope of work refers to the range of tasks and activities to be performed or expected to be performed by someone or within a project or contract, as agreed. This is usually a result of division or defining and limiting of work and responsibilities. This usually is understood to be performed within agreed timelines and rules or standards of performance.
It is important to understand one’s own and others’ scope of work and responsibilities clearly and commonly between co-workers for the following reasons:
Helps in planning and organising work better
Builds trust and reliability
Reduces scope of conflict and confusion
Helps optimise effort through reducing omissions and overlaps
Helps secure the right level of support from the right people
expectations around performance of each other, and it helps everyone know and rely on others to do their part, especially where there are interdependencies involved. If co-workers do their part as expected or required then there is development of trust between co-workers. Where co-workers do not deliver performance as expected or required there is disappointment and lack of trust.
A clear division of work and responsibilities also helps plan and carry out work in a manner that no work is left unassigned or erroneously assigned duplicitously to multiple people, causing lack of clarity on who is responsible and accountable for carrying out that work.
The main difference between responsibility and accountability is that responsibility can be shared while accountability cannot.
Executing the work well may require people to: collaborate, assist and support each other, participate in planning and decision making, etc.
Information on whom to secure permissions, advice or assistance from may be derived from
the following sources:
Organisational chart depicting hierarchy and reporting relationships
Organisation policies and procedures
Employee handbook
All tasks at work must be performed accurately as per instructions and within the
time limit while demonstrating the following principles.
establish and agree your work requirements with appropriate people
Appropriate people: line manager, the person requesting the work, members
of the team/department, members from other teams/departments
work in line with your organization’s policies and procedures
work within the limits of your job role
obtain guidance from appropriate people, where necessary
ensure your work meets the agreed requirements
Provide feedback in the end to each group with respect to the same.
Ensure members represent different levels of hierarchy in an organization,
including supervisor, subordinate, department head, specialist, customer, etc.
Seeking feedback and getting work quality checked by appropriate persons is important for various reasons including:
1. Ensuring internal and external customer satisfaction
2. Identifying areas of strength and improvement
3. Gathering evidence of satisfactory performance
4. Compliance with set procedures and organisation guidelines
Feedback is sought from these: internal customers, external customers, department head, etc., own direct supervisor, team leader or manager, fellow co-workers, team members.
The person providing the feedback should be thanked for taking the time to do so.
Feedback must be analysed and used to improve our work and achieve better. Feedback sought and not worked on is wasted feedback and often can cause disappointment to the person providing the feedback. Usually once feedback is used to improve or change work processes and performance, the person providing the feedback must be informed of the same. This gets greater support, generates positivity in the mind of the person providing the feedback and usually gets greater buy-in from them.
To incorporate feedback may sometimes require change of work processes and methods, which may require approval of others. This may be a formal requirement with set processes that may need to be followed to effect the change.
UNIT II
Work and Work Environment
Lesson Plan
Suggested Learning Activities
Trainer Resource Material
2.1 Planning Work and Work environment
2.2 Cleanliness and Tidiness
LESSON PLAN
You need to know and understand:
KA4. the importance of having a tidy work area and how to do this
KA5. how to prioritize your workload according to urgency and importance and the benefits of this

Ask each individual to write a note keeping their work area clean. All learners to listen to all the tips and list 5 best ideas for prioritization that they would practice.

1Hrs (Inclusive of classroom assessment and 5Hrs offline PLUS Research and Learning activity).

Hardware / Software Specifications: Standard Environment. Create Discussion forums at college level. Create contacts in LinkedIn and other social media sites.
Activity 1:
Activity 2:
Ask the learners to write what they think are their individual goals and team goals
in a page.
Then ask them to show it to their team head for feedback and discussion. Modify if
required and bring to the next class.
In the next class ask them to retrieve their earlier list of important tasks and see,
which tasks lead to their individual and team goals and which don’t.
Discuss what to do with the tasks that do not help in one’s goals. – Eliminate,
Delegate or Negotiate
Now ask them to also make a list of their personal goals and consider if they are
doing anything for their personal goals.
Activity 3:
Ask all learners to research and share with the class 2 most important ways to
prioritize your workload according to urgency and explain the importance and the
benefits of this.
Activity 4:
Ask learners to prioritize completing the work right the first time through the proper
planning required to achieve results. Ask them to prepare a list of things to be considered to
get things right the first time and present this in class.
Activity 5:
Ask students to surf the net to find out the appropriate resources for any task.
Explain to the students various processes for acquiring required resources for any
tasks in the organisation.
To-Do List (worksheet)

Prioritizing (worksheet)
Planning work and work environment can have a substantial impact on the quality and
quantity of work and contributes towards efficiency and productivity.
5. Anticipating events and issues impacting work
6. Mechanisms for checking accuracy and quality of work
Defining goals and sub-goals includes breaking the overall objective into measurable and well defined constituent results that can help in planning, implementation and tracking achievement and progress. It is important that these are further evaluated in terms of realistic and required time frames, and that the time available is allocated in such a manner that these goals are achieved within optimal time frames.
Sequencing activities right is also of great importance in efficient and effective working. Factors that need to be considered while sequencing activities include:
o Dependencies on interim outputs
o Availability of resources
o Space design
o Schedule of deliverables and urgencies
o Work styles, interests and preferences
o Capabilities
Resources required can be identified by analysing the work, tasks and sub-tasks involved and the volume of work required.
Most organisations have standard procedures for requisitioning resources. For e.g. the IT supplies team may have IT equipment that the user department may requisition through a formal request approved by a designated level of authority (authorised person).
Organisations also have procedures to request the purchase of new resources and materials that may not be available within the organisation. This has to be routed as per procedure through the authorised department and personnel and requires necessary approvals.
One also has to plan for foreseen and unforeseen events or occurrences that may impact the work and ensure these are factored in for timelines, costs, material and human resource requirements, etc.
It is very important to check one’s work for accuracy, completeness and quality. As a security analyst this is particularly important as your work is very detailed and a minor omission may result in vulnerabilities being ignored and causing greater damage.
It is also important to meet time commitments and agreed deadlines, for the following reasons:
1. Loss of reputation and being recognised as incompetent or unprofessional.
2. Not being able to meet time commitments also means that it impinges on further commitments of other work that has to follow. There might be others depending on the output of work done.
3. Delays can also cause financial losses, as there may be penalty clauses on delayed delivery.
4. Also, time spent on the job is budgeted at a certain cost; any delay means increases in costs.
Planning the Work environment
‘A place for everything and everything in its place’ is a principle used by many to organise their environment. One can contribute effectively towards making one’s work environment conducive for efficient working. Some of the key requirements for this are:
cleanliness and tidiness,
organising the space layout for efficient working,
ergonomic design, optimal space for people and the work to be carried out,
right ambient conditions (lighting, ventilation, etc.).
UNIT III
Maintaining Confidentiality
Lesson Plan
Suggested Learning Activities
Trainer Resource Material
3.1. Treating confidential information
3.2. Policies and procedures for confidential information
LESSON PLAN
Activity 1:
Activity 2:
Discuss - Why would the organisations have chosen to have these policies? What
would happen if these policies are violated?
Privacy is having control over the extent, timing, and circumstances of sharing oneself with others, physically, behaviorally, or intellectually.
Confidentiality is the treatment of information that an individual has disclosed in trust and with the expectation that it will not be given away to others in ways that are inconsistent with the understanding of the original disclosure without permission.
Confidential information refers to items that should be kept private. This can include: documents, images, audio materials, etc.
Confidential information is often generated in client-professional or employee-employer relationships and could also be conversations. If information is not public then it generally has an owner, which can be an individual or an organization. In most cases, only the owner is permitted to share or authorize the sharing of private items.
In today’s increasingly litigious and highly competitive workplace, confidentiality is important for a host of reasons:
Sharing confidential information is often a professional violation and a legal violation. There is a wide range of consequences including financial damages, loss of reputation, litigation, etc.
Failure to properly secure and protect confidential business information can lead to the loss of business/clients.
In the wrong hands, confidential information can be misused to commit illegal activity (e.g., fraud or discrimination), which can in turn result in costly lawsuits for the employer.
There are laws protecting the confidentiality of certain information in the workplace.
The disclosure of sensitive employee and management information can lead to a loss of employee trust, confidence and loyalty. This will almost always result in a loss of productivity.
What Type Of Information Must Or Should Be Protected?
Restricted Information or Data: "Restricted information" is UC's term for the most sensitive confidential information. Restricted information or data is any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit.
Examples of Restricted Data
Personal Identity Information (PII)
Electronic protected health information (ePHI) protected by Federal HIPAA legislation
Credit card data regulated by the Payment Card Industry (PCI)
Passwords providing access to restricted data or resources
Information relating to an ongoing criminal investigation
Court-ordered settlement agreements requiring non-disclosure.
Information specifically identified by contract as restricted.
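As an added example (not part of the handbook), the following Python script checks a piece of text for some of the restricted data types listed above (card numbers regulated by PCI, passwords, PII), assigns a handling level and produces a redacted copy that can be cited in an audit report without copying the restricted values into it. The patterns, the two-level classification scheme and the sample note are constructed; a real policy would map many more data types.

```python
"""Added example (not from the handbook): a small restricted-data check.
Patterns, the two-level scheme and the sample text are constructed."""
import re

# 13-19 digits, optionally separated by single spaces or hyphens (card formats).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
PASSWORD_RE = re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*(\S+)")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# National identifier formats vary; this constructed pattern only illustrates PII matching.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn check separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the card-number-looking substrings that also pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(m.group())
    return found


def classify(text):
    """Return (level, findings). Level is 'Restricted' if any regulated item
    is present, otherwise 'Internal' (constructed two-level scheme)."""
    findings = {}
    cards = find_card_numbers(text)
    if cards:
        findings["pci_card_data"] = len(cards)
    passwords = PASSWORD_RE.findall(text)
    if passwords:
        findings["credentials"] = len(passwords)
    pii = len(EMAIL_RE.findall(text)) + len(SSN_RE.findall(text))
    if pii:
        findings["pii"] = pii
    level = "Restricted" if findings else "Internal"
    return level, findings


def redact(text):
    """Mask the values so a finding can be quoted without disclosing them."""
    def mask_card(m):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()  # not a card number: leave untouched
    text = CARD_RE.sub(mask_card, text)
    text = PASSWORD_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = SSN_RE.sub("[ID]", text)
    return text


# Constructed sample: an internal note that should not be stored unprotected.
SAMPLE = ("Customer refund for order 20240310. Card 4111 1111 1111 1111, "
          "contact jane.doe@example.com, temp password=Spring2024!")

if __name__ == "__main__":
    level, findings = classify(SAMPLE)
    print(level, findings)
    print(redact(SAMPLE))
```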
Student Handbook – Security Analyst SSC/N9002
SSC/ N 9002:
Work effectively with colleagues
Description This unit is about working effectively with colleagues, either in your own work
group or in other work groups within your organization.
Colleagues:
line manager
members of your own work group
people in other work groups in your organization
Communicate:
face-to-face
by telephone
in writing
company / organization and its processes)
an environment where you have no authority over those you are working with
KA6. where you do not meet your commitments, the implications this will have on individuals and the organization
B. Technical Knowledge: The user/individual on the job needs to know and understand:
KB1. different types of information that colleagues might need and the importance of providing this information when it is required
KB2. the importance of understanding problems from your colleague’s perspective and how to provide support, where necessary, to resolve these
THE UNITS
The module for this NOS is divided into 3 Units based on the learning objectives as given below.
UNIT I
Effective Communication
Lesson Plan
Suggested Learning Activities
Trainer Resource Material
1.1. What is Communication?
1.2. Barriers to Effective Communication
1.3. Communicating Effectively at work
LESSON PLAN
Reading Skills
You need to know and understand how to:
SA3. read instructions, guidelines and/or procedures
SA3. Quiz, Document review by peer group and Faculty.
1Hrs classroom assessment and 10Hrs offline.
Oral Communication (Listening and Speaking skills)
You need to know and understand how to:
SA4. listen effectively and orally communicate information accurately
SA5. ask for clarification and advice from the line manager
SA4, SA5. Online assessment. Strongly recommends Versant/SVAR.
10Min per student (approx. 4 hours)
Activity 1:
Activity 2:
Have the entire batch sit in a semi-circle. Now write the following sentence on a
piece of paper such that no one can see what’s written on it. (You may write it
in Hindi if the majority does not speak and understand English.)
“I AM RISHI, YOU HAVE LOGGED IN COMPLAINT NUMBER 4628, I HAVE SOME
QUESTIONS REGARDING THAT, DO YOU HAVE THE TIME TO DISCUSS THAT
NOW?”
Now whisper this sentence softly, exactly as it is, in the ear of the first participant at one end of the semi-circle. Repeat the message. If he/she is still not sure, show him/her the slip and ask him/her to state the message back to you. Ensure that he/she is able to say the message verbatim.
Now ask the participant to pass the message on, as in a Chinese whispers game. Each participant whispers the message as understood by him or her to the next participant, until the last person states it aloud.
As in most Chinese whispers games, the message will be distorted. Now ask the first person to state the actual message. Inform the participants that this was communication gone wrong.
Discuss with them the reasons for this and everything they could have done to ensure that even the last person gets the correct message. Note down all the suggestions on the board.
Share with them the Effective communication cycle chart and the role of each
factor in the same i.e.
o Sender
o Receiver
o message
o feedback
o encoding / decoding
o noise
Now, linking to the points noted on the board/flipchart during the earlier discussion, share the various “Barriers to communication”.
Activity 3:
Ask the students to list the types of colleagues that an Information Security Analyst is likely to encounter in an organisation, and then to state the type of communication they expect to have with each and by which mode.
At the end of this activity, the students should be able to broadly classify the colleague types into three categories: line manager, members of the same work group, and members of other work groups.
The modes of communication would include the following categories:
o Face-to-Face
o Written- emails, letters, memos, forms, etc.
o Telephonic
o Virtual- Skype, or any other virtual face-to-face interaction application
Activity 4:
Have the students prepare written documents following the correct approach to preparing documents, e.g., story writing, handouts.
Activity 5:
Have the students write emails to each other with cc to the trainer. The trainer can use a few of these emails to highlight commonly occurring email etiquette mistakes and have the students identify further improvements.
UNIT II
Working Effectively
Lesson Plan
Resource Material
2.1. Working Effectively
LESSON PLAN
After a few months, your company’s CEO asks you to install special security systems for the Finance department, as the data with them was more vulnerable than that of the other departments. For this, you need to understand the workings of the department and come up with a plan that would be approved by the department representative. As luck may have it, the department representative turns out to be that very person whom you had refused to help earlier. You can ask the students what they think will happen now. How will it affect your work? At the end of this discussion, the students should be able to understand the need for having good relationships with other colleagues, even if they are not directly related to your profile.

Importance of an environment of trust and mutual respect

One important aspect of inter-dependence is mutual respect and trust. This is as true in professional relationships as it is in personal relationships. It is the former that has to be explained to the students. This again can be best done with an example.

Example-3

Share the following scenario with the students. The IT department of a company has three sub-departments –
1. Hardware,
2. Software and
3. Security.
Reena is responsible for the Security part of it as she is the Information Security Analyst of the company. Given the nature of the job, all three sub-departments need to work in tandem with each other, which means giving access to each other’s systems. For Reena, this means that she will have to share the details of the firewalls and other security systems that she has installed on the network with the other two sub-departments. Jai handles the Hardware part, while Amit handles the Software part.

Both Amit and Reena have been in the organisation for over two years and have therefore reached a point where they can trust each other with their confidential information. On the other hand, Jai is new to the organisation. Reena is uncomfortable sharing all the details with him. Jai, however, trusts her and shares his information freely. After a while, he realises that Reena is not reciprocating and is hiding some crucial information from him. At one instance, Jai had to make a Hardware Procurement Plan for the coming year, for which he needed to understand Reena’s system requirements for the coming year. Reena did not share all the information with Jai, because of which Jai’s plan suffered. Because Reena and Amit were friends, Jai started mistrusting Amit as well. As a result, the entire IT department’s plans suffered.

You can ask the students to give their comments on this scenario and discuss what steps the organisation, or Reena and Amit, could have taken to prevent the trust gap. With the help of this discussion, you can explain how their bosses could have ensured that the three work in tandem with each other. The seniors could have instilled confidence in Reena and Amit by telling them that they had taken the necessary preventive measures, like getting Jai to sign a Non Disclosure Agreement at the time of his joining, and that they could trust him with their information. They could have also handheld them for a while and let go once things started rolling. Also, the seniors should have monitored their activities and paid heed to the early warning signs.

Some of the benefits of an environment of trust and mutual respect are as follows:
Getting tasks done gets easier.
It encourages free flow of ideas.
It saves time spent in gauging whether the other person is speaking the truth, or is giving genuine advice.
Colleagues are more likely to go along with the changes that you recommend.
You can take help in hours of need, if required.
Your productivity increases.
Your performance gets appraised better.

Implications of not meeting commitments on individuals and organisation

Example-4

The Information Security department of a bank was entrusted with the task of upgrading the anti-virus software of all the computers at the bank over the weekend. The Information Security department had only two employees who were responsible for this. One of them had his annual leave planned for that weekend, which he availed. And the other fell sick. As a result, the task could not be completed over the weekend. As luck may have it, there was a virus attack on the systems on Monday morning, as a result of which some financial transactions of some customers were leaked to some unauthorised people. The customers got to know of this and, as a result, there was a huge backlash against the bank. The company’s senior management and the Public Relations department had to work overtime to allay the fears of the customers. Some other employees too had to work overtime to ensure that no unauthorised transactions were performed from the leaked data. In short, the whole company suffered. At the end of this example, the students should be able to appreciate the importance of the role of an Information Security Analyst and the ripple effect it can have on an organisation if the Analyst does not perform his duties properly.

You can summarize the following key points:
The performance of the entire team suffers, which has an impact on the performance of the department and organization as a whole.
Customers get annoyed and the organization’s reputation gets tarnished.
Remedial action eats up resources that could have been used for more productive activities.
1. Criteria for assessment for each Qualification Pack (QP) will be created by the Sector Skill
Council (SSC). Each performance criterion (PC) will be assigned Theory and Skill/Practical marks
proportional to its importance in the NOS.
2. The assessment will be conducted online through assessment providers authorised by SSC.
3. Format of questions will include a variety of styles suitable to the PC being tested such as
multiple choice questions, fill in the blanks, situational judgment test, simulation and
programming test.
4. To pass a QP, a trainee should pass each individual NOS. Standard passing criteria for each
NOS is 70%.
5. For latest details on the assessment criteria, please visit www.sscnasscom.com.
Marks Allocation
Total 100 20 80
Trainer’s Handbook – SSC/ Q09003 – Security Analyst
SSC/ N 9003:
Maintain a healthy, safe and secure working
environment
Unit Title (Task) Maintain a healthy, safe and secure working environment
Description This unit is about monitoring the working environment and making sure it meets
requirements for health, safety and security.
Emergency procedures:
illness
accidents
fires
other reasons to evacuate the premises
breaches of security
PC1. comply with your organization’s current health, safety and security policies
and procedures
PC2. report any identified breaches in health, safety, and security policies and
procedures to the designated person
PC3. identify and correct any hazards that you can deal with safely, competently
and within the limits of your authority
PC4. report any hazards that you are not allowed to deal with to the relevant
person in line with organizational procedures and warn other people who
may be affected
PC5. follow your organization’s emergency procedures promptly, calmly, and
efficiently
PC6. identify and recommend opportunities for improving health, safety, and
security to the designated person
PC7. complete any health and safety records legibly and accurately
KA5. the organisation’s emergency procedures for different emergency situations and the importance of following these
KA6. the importance of maintaining high standards of health, safety and security
KA1. implications that any non-compliance with health, safety and security may have on individuals and the organization
B. Technical Knowledge
You need to know and understand:
KB1. different types of breaches in health, safety and security and how and when to report these
KB2. evacuation procedures for workers and visitors
KB3. how to summon medical assistance and the emergency services, where necessary
KB4. how to use the health, safety and accident reporting procedures and the importance of these
KB1. government agencies in the areas of safety, health and security and their norms and services
THE UNITS
The module for this NOS is divided into 4 Units based on the learning objectives given below.
UNIT I
Need For Health and Safety
at Work
Lesson Plan
Suggested Learning Activities
Resource Material
1.1. Need for Health and Safety at Work
LESSON PLAN
Activity 1:
To set the tone of the session, you can ask the students if they think having a healthy, safe and secure environment at the workplace is important, and if yes, why.
The objective of this exercise is to gauge the current level of understanding of the
students.
Activity 2:
You can share the following definition with them.
Since 1950, the International Labour Organisation (ILO) and the World Health
Organisation (WHO) have shared a common definition of occupational health. The
definition reads:
“The main focus in occupational health is on three different objectives:
(i) the maintenance and promotion of workers’ health and working capacity;
(ii) the improvement of working environment and work to become conducive to safety
and health, and
(iii) development of work organisations and working cultures in a direction which
supports health and safety at work, and in doing so also promotes a positive social
climate and smooth operation, and may enhance productivity of the undertakings.
The concept of working culture is intended in this context to mean a reflection of the
essential value systems adopted by the undertaking concerned. Such a culture is reflected
in practice in the managerial systems, personnel policy, principles for participation,
training policies and quality management of the undertaking.”
You can throw open a discussion on each point of the definition, in terms of:
• Why is it important?
• What measures it would entail?
Activity 3:
Ask the students to go through various organisations’ websites and understand their policies and guidelines for health, safety and security. Define the roles and responsibilities related to this in an employee context (research and report).
You can ask the students to list some implications that they have learnt so far.
During the discussion, make sure that the following points have been covered:
• Potential employees may be reluctant to join your organisation. As a result, good talent
may get diverted to your competitors.
Activity 4:
You can ask the students to work in groups and understand, summarize and articulate the hazards with respect to health, safety and security, and report them in a standard template.
Since 1950, the International Labour Organisation (ILO) and the World Health Organisation
(WHO) have shared a common definition of occupational health. The definition reads:
“The main focus in occupational health is on three different objectives:
(i) the maintenance and promotion of workers’ health and working capacity;
(ii) the improvement of working environment and work to become conducive to safety and
health, and
(iii) development of work organisations and working cultures in a direction which supports
health and safety at work, and in doing so also promotes a positive social climate and smooth
operation, and may enhance productivity of the undertakings.
The concept of working culture is intended in this context to mean a reflection of the essential
value systems adopted by the undertaking concerned. Such a culture is reflected in practice
in the managerial systems, personnel policy, principles for participation, training policies and
quality management of the undertaking.”
Having a healthy, safe and secure working environment is important for the following reasons:
This can be best explained with the help of the following diagram:
UNIT II
Security Analyst’s role
Lesson Plan
Lesson
2.1. Security Analyst’s Role
LESSON PLAN
Activity 2:
• You can ask the learners to go through various organisations’ websites and understand their policies and guidelines for health, safety and security. Define the roles and responsibilities related to this in an employee context (research and report).
• Have them collate the roles and responsibilities in groups, and then have a volunteer collate these into one list.
• Use this as a basis to conduct the following activity.
Activity 3:
Ask the students to work in groups and fill the following table based on whatever
they have learnt so far. You can share one example with them to explain what is
expected out of them, if required.
Understanding ‘Safety’
Accident is an unplanned and undesired occurrence, which may or may not result in injury, or damage to self, others and/or property. Main causes of accidents are:
[Chart: Unsafe Conditions, 18%; Natural Calamities, 2%]
WARNING SIGNS
Danger – Watch your step Danger – Under construction Danger – Watch your step
electrical supplies and circuits. Coming in contact with an electrical voltage can cause current to flow through the body, resulting in electrical shock, burns or serious injury. Even death may occur.
Electric Shock: An electrical shock is received when electrical current passes through the body. One gets an electrical shock if:
• touching a live wire and an electrical earth, or
• touching a live wire and another wire at a different voltage.
Electricity travels in closed circuits, and its normal route is through a conductor. Electric shock occurs when the body becomes part of a circuit and works like a conductor. Earthing is a physical connection to the earth, which is at zero volts.
Freeing a victim from electrocution
The first person to reach a shocked worker should cut off the current if this can be done quickly.
If this is not possible, the victim should be removed from contact with the charged equipment. Either the equipment/wire should be pulled away, or the victim.
Bare hands should not be used; use a dry board, dry rope, leather belt, coat, overalls or some other non-conductor.
Be sure to stand on a non-conducting surface when pulling – dry rubber slippers, dry wooden board, etc.
Accident prevention is said to be everybody’s job. The security analyst can at least do the following:
observing all unsafe conditions and warning people of potential hazards
reporting any violations of safety rules, and
setting a good example by his or her own behaviour
Far too many accidents happen due to unsafe conditions that were not noted, reported, or corrected. After finding an unsafe condition, the security analyst must either correct the condition or report it to someone who can make the correction.
Safety is purely a matter of common sense. Corrective action should be taken when possible, or the proper authority called to handle the situation. It is important both to the guest and to the people being protected from injuries due to careless safety practice.
Role of a Security Analyst in maintaining health and safety at work
The role and responsibilities of an Information Security Analyst related to maintaining a healthy, safe and secure working environment would be defined in the organisation’s policy on the same. Thus, he would have to ensure that he follows the rules. For example, if the company policy states that all IT equipment that is more than two years old should go for annual maintenance, then it would be the Information Security Analyst’s responsibility to ensure the same.
Incident frequency and severity- Jobs where incidents occur frequently, or where they occur infrequently but result in disabling injuries.
Potential for severe injuries or illness- The consequences of the incident, hazardous conditions, or exposure to harmful substances are potentially severe.
Newly established jobs- Due to lack of experience in these jobs, hazards may not be evident or anticipated.
Modified jobs- New hazards may be associated with changes in job procedures.
Infrequently performed jobs- Employees may be at greater risk when undertaking non-routine jobs, and an analysis provides a means of reviewing hazards.
Step 2- Break the job down into a sequence of steps. Ensure that each step is not too specific, or too general. Steps should be kept in the correct sequence. Document using the company template. Make notes on what is done, rather than how it is done.
Can the worker suffer strain from lifting, pushing, or pulling?
Is the worker exposed to extreme heat, or cold?
Is excessive noise, or vibration a problem?
Is there a danger from falling objects?
Is lighting a problem?
Can weather conditions affect safety?
Is harmful radiation a possibility?
Can contact be made with hot, toxic, or caustic substances?
Are there dusts, fumes, mists, or vapours in the air?
Step 4- Hazard Mitigation- Upon completion of the first three steps of the job hazard analysis, determine the appropriate controls to overcome the hazards. You can remind the students that these steps have already been discussed in this chapter earlier: elimination, substitution, isolation, engineering controls, administrative controls, and personal protective clothing and equipment.
UNIT III
Emergency Situations
Lesson Plan
Suggested Learning Activities
Resource Material
3.1. Emergency Situations
LESSON PLAN
Activity 1:
You can throw open this question to the students. During the discussion, make
sure the following commonly occurring emergency situations get covered.
Emergencies may be natural, or man-made, and include the following:
• Floods
• Hurricanes
• Tornadoes
• Fires
• Toxic gas releases
• Chemical spills
• Radiological accidents
• Explosions
• Civil disturbances
• Workplace violence resulting in bodily harm and trauma
Activity 2:
You can ask the students to make an emergency plan based on whatever they have learnt so far. At the end of the discussion, you can share the following guidelines for developing an emergency action plan:
Procedures for employees who remain to perform, or shut down critical plant operations, operate fire extinguishers, or perform other essential services that cannot be shut down for every emergency alarm before evacuating.
Rescue and medical duties for any workers designated to perform them.
A system for accounting for personnel following an evacuation. Employees’ transportation needs for community-wide evacuations should also be considered.
How and when to report these
The Information Security Analyst should report any job hazards that he may come across to his line manager, or the person assigned the responsibility in the company policy. This also means that he should keep an eye out for potential hazards and report them before they cause any harm.
How to summon medical assistance and emergency services
Here again, the organisation’s policies and procedures need to be kept in mind. Usually, organisations have an in-house first-aid kit, or medical team to assist in medical emergency situations. Employees can follow the emergency evacuation plan and take help from the designated personnel. The following are some emergency numbers that can be used in India:
Service – Telephone
Ambulance – 102
Emergency response service for medical, police and fire emergencies. Available in Andhra Pradesh, Gujarat, Uttarakhand, Goa, Tamil Nadu, Rajasthan, Karnataka, Assam, Meghalaya, Madhya Pradesh and Uttar Pradesh – 108
Local police – 100
Fire service – 101
How to use health, safety and accident reporting procedures and their importance
The Information Security Analyst should be well conversant with the organisation’s policy for emergency reporting procedures. Not only should he keep an eye out for potential hazards, he should report them to the line manager, or any other person designated for the same. If he fails to do so, big disasters can happen that can cause harm to the employees and the company as a whole.
UNIT IV
Skills for maintaining Health and
Safety at Work
Lesson Plan
Suggested Learning Activities
Resource Material
3.1. Skills for maintaining Health and Safety at Work
LESSON PLAN
and 10Hrs offline.
SB4. apply problem solving approaches in different situations
Assessment: SB6. Assessment based on use case. Submit and review the document by group/faculty.
Duration: 1Hrs classroom assessment and 10Hrs offline.
Resources: Suggested online assessment tools: WebEx, GotoMeetings, Lensoo, AnyMeetings, OpenMeetings.
Analytical Thinking
You need to know and understand how to:
SB5. analyse data and activities
Critical Thinking
You need to know and understand how to:
SB6. apply balanced judgements to different situations
Assessment: Validate real-time opinions given by the students. Evaluate approach of student/groups towards the given case study.
Duration: 2Hrs classroom assessment and 30Hrs offline.
Resources: Standard Environment PLUS Seminars, workshops, panel discussions etc.
Attention to Detail
You need to know and understand how to:
SB7. check your work is complete and free from errors
SB8. get your work checked by peers
Assessment: SB7, SB8. Assessment based on QA standards. Submit and review the document by group/faculty on QA standards.
Resources: Standard Environment PLUS Access to online forums.
Team Working
You need to know and understand how to:
SB9. work effectively in a team environment
Assessment: SB9. Group and Faculty evaluation based on anticipated outcomes from a group.
You need to know and understand:
SC1. identify and refer anomalies
SC2. help reach agreements with colleagues
SC3. keep up to date with changes, procedures and practices in your role
Assessment: SC1 to SC3. Online assessment. Task based assessment. Document comparison reports. Task schedulers.
Duration: 1Hrs classroom assessment and 20Hrs offline.
Resources: Standard Environment PLUS Various publicly available data sets. www.data.gov.in
Activity 2:
You can ask the students to make an emergency plan based on whatever they
have learnt so far. At the end of the discussion, you can share the following
guidelines for developing an emergency action plan:
Activity 3:
SA1. Documentation preparation - follow the approach document. Technical writing.
SA2. Learning and understanding various guidelines, procedures, rules and SLAs available publicly in open data camps.
SA3. Listen, interpret and communicate between groups and Faculties.
SB1. Learn concepts of SOW, Plan, Do, Check, Act (PDCA), Work Breakdown Structure (WBS) and Decision trees. Brainstorming.
SB2. Learn concepts of SOW, Plan, Do, Check, Act (PDCA), Work Breakdown Structure (WBS) and Decision trees. Brainstorming. Learn about Agile and SCRUM methodologies. It is suggested to follow one of them.
SB3. Understanding the scope, defining the objectives. Identifying the deliverables based on the timelines. Simulate a Client and Company environment in the campus and practise a business deal.
SB4. Understanding the scope, defining the objectives. Identifying deviations from the expectations and solutions to mitigate the deviations; document these in the approach template.
SB5. Discuss with peers, groups, faculties and SME/industry SPOCs. Prepare a document to build a safe & secure platform in an analytical way.
SB6. Discuss with peers, groups, faculties and SME/industry SPOCs. Prepare a document to build a safe & secure platform in an analytical way. Use online meeting tools to share the opinions in real time.
SB7, SB8. Discuss with peers, groups, faculties and SME/industry SPOCs. Conduct review
meetings with peer group/faculty.
SB9. Define roles and responsibilities amongst the groups.
Activity 4:
• SC1 to SC3. Ask the learners to check for publicly available data sets by
exploration and research. Review and download data.
• Store the data in databases using various methods like SQL/programming languages/scripting etc. Find anomalies and prepare a report. Recommend defining roles to perform tasks. Groups must take different domains (data sets).
Skill is the ability to use information, or knowledge acquired through education, or experience, to accomplish a given task.
Types of skills
Technical Skills- The ability to do a specific type of activity or work.
Human Skills- The ability to work with people.
Conceptual Skills- The ability to work with ideas, or concepts.
Generic Skills- These are generic in nature and are common to most white collar jobs, like reading, writing, listening and speaking.
Professional Skills- These skills make a person more employable by giving the person the ability to make logical decisions and the ability to solve problems judiciously. Some examples of professional skills are decision making, planning and organising, customer centricity, problem solving, critical thinking, attention to detail, and team work.
Skills required to maintain a safe and healthy work environment
Security Analysts need to be good at the following skill-sets to be able to maintain a healthy, safe and secure working environment.
Core/ Generic Skills- As an Information Security Analyst, you should be able to communicate well with colleagues, in writing. You should be able to write accurately with attention to detail. For example, making plans for the department for upgrading the safety and security systems requires writing skills. You should also be able to read instructions, guidelines, procedures and service level agreements laid down by your organisation. For example, each organisation has certain guidelines for maintaining a healthy and safe environment. As an Information Security Analyst, you should be aware of those. Only then can you install the appropriate systems.
Other than reading and writing, an Information Security Analyst should also have oral skills like listening and speaking. For example, when talking to your line manager, you need to listen to the instructions carefully. If at any stage you do not understand the instructions, you should be able to speak well and ask for clarifications.
Professional Skills- During the course of any career, one needs to be adept at professional skills like problem solving, critical thinking, logical reasoning, etc. This is equally true for an Information Security Analyst.
Decision Making- Many times, as an Information Security Analyst, you would need to take decisions, and you should have the skills to be able to take the appropriate decisions. Also, you should follow the company rules for the same. For example, what safety systems to install? How to test them?
Planning and Organising- These are basic skill sets of any role. To be able to accomplish any task, one needs to first plan and then organise the sub-tasks. For example, making a Project Plan for upgrading the safety and security systems.
Customer Centricity- As explained in the earlier chapter as well, here too you, the Instructor, will have to explain that here the term ‘customer’ refers to internal customers, i.e., colleagues. You can tell the students that as an Information Security Analyst, they will need to work with colleagues from across the organisation, as has been explained in the chapter on how to work
Trainer’s Handbook – SSC/ Q09004 – Security Analyst
SSC/ N 9004:
Provide data/information in standard formats
Description: This unit is about providing specified data/information related to your work in templates or other standard formats.

Appropriate people:
• line manager
• members of your own work group
• people in other work groups in your organization
• subject matter experts

Data/information:
• quantitative
• qualitative

Sources:
• within your organization
• outside your organization

Formats:
• paper-based
• electronic

Performance Criteria (PC) w.r.t. the Scope
THE UNITS
The module for this NOS is divided into 4 Units based on the learning objectives given below.
UNIT I
Information and Knowledge Management
Activity 2:
You can ask the students what type of people an Information Security Analyst is likely to
interact with, to manage data effectively. At the end of the discussion, you can help
them categorise the people into the following categories:
• Line manager
• Members of your own workgroup
• People of other workgroups
• Subject matter experts
UNIT II
How to manage data/information effectively
Lesson Plan
Suggested Learning Activities
Trainer Resource Material
2.1. How to Manage Data/Information effectively
LESSON PLAN
You need to know and understand:
KA1. The organization’s procedures and guidelines for providing data/information in standard formats and your role and responsibilities in relation to this
KA2. The knowledge management culture of the organization
KA3. Your organization’s policies and procedures for recording and sharing information and the importance of complying with these
KA4. The importance of validating data/information before use and how to do this
KA5. Procedures for updating data in appropriate formats and with proper validation
KA6. The purpose of the CRM database
KA7. How to use the CRM database to record and extract information
KA8. The importance of having your data/information reviewed by others
KA9. The scope of any data/information requirements including the level of detail required
KA10. The importance of keeping within the scope of work and adhering to timescales
Assessment: QA session and a Descriptive write up on understanding. Group presentation and peer evaluation along with Faculty. Performance evaluation from Faculty and Industry with reward points. Online exam and rewards points based on reviews from the forums.
Duration: 2Hr in class assessment & 30Hrs offline Research and Learning activity
Resources: Standard Environment PLUS access to online forums, blogs etc.

You need to know and understand:
KB1. data/information you may need to provide including the sources and how to do this
KB2. templates and formats used for data and information including their purpose and how to use these
KB3. different techniques used to obtain data/information and how to apply these
KB4. how to carry out rule-based analysis on the data/information
KB5. typical anomalies that may occur in data/information
KB6. who to go to in the event of inaccurate data/information and how to report this
Assessment: QA session and a Descriptive write up on understanding & reporting. Group presentation and peer evaluation along with Faculty. Performance evaluation of the report by Faculty with reward points.
Duration: 2Hr in class assessment & 15Hrs offline Research and Learning activity
Resources: Standard Environment PLUS Access to online forums.
Activity 1:
• You can explain to the students that to be able to work in any organisation, an
employee, irrespective of the role he has been assigned, needs to know about
the organisation he is working with. This includes knowledge about the
company’s policies, procedures, structure, culture, your role and
responsibilities, overview of other departments, information needs of other
departments, key contact points, etc.
Activity 2:
• Go through various organisations’ websites and understand the policies and guidelines. Identify various standard templates and reporting formats in practice. (Research)
Activity 3:
• Understand, summarize and articulate policies and procedures and specify the importance of complying with policies and procedures.
Activity 4:
• Evaluate open source CRM database. Download public datasets and do a
validation check.
• Peer group, Faculty group and Industry experts.
• Peer review with faculty with appropriate feedback.
Activity 5:
• Go through various organisations’ websites and understand the scope of work and adhering to time scales and guidelines. (Research)
Activity 6:
• Working in a Team (IM and chat applications) and group activities (online forums)
including templates to be prepared.
UNIT III
Skills required to manage data and information effectively
Lesson Plan
Suggested Learning Activities
Trainer Resource Material
3.1. Skills required to manage data and information effectively
LESSON PLAN
Activity 1:
Have the students do the following tasks:
For writing Skills: Documentation preparation as per specifications given.
Story writing, Handouts.
For Reading Skills: Download instructions, procedures and guidelines from the internet and hold peer and faculty discussions.
For Listening and speaking skills: Conduct a group discussion on a topic
selected by the faculty. Listen, Interpret and communicate between groups
and Faculties.
Activity 2:
For decision making skills: Discover and review data from public websites.
Use various supervised and unsupervised learning methods. Build models and
find a decision making process. Recommend groups to take different
domains (data sets). Document entire exercise and circulate across all the
groups and publish in the forums.
Activity 3:
For Planning and Organising skills: Assign a task with a measurable target to be achieved within a deadline. Divide the batch into groups. Share the steps involved in planning and organising and ask them to perform the task in the given time, making sure all the steps for planning and organising are done.
Activity 4:
For Customer Centricity: Check all previous exercises. Create a traceability
matrix for requirements Vs Outcomes. Compare with the customer
expectation (faculty is the customer or an industry expert)
Submit the expectation in a standard template.
Activity 5:
For Problem solving: Discuss with peers, groups, faculties and SME/industry
SPOCs. Come up with a solution document/architecture for a use case.
Activity 6:
For Analytical Ability and Critical thinking: Discuss with peers, groups,
faculties and SME/industry SPOCs.
Come up with a plan document for various situations in business use cases.
Activity 7:
For Attention to detail: Check and review the work of peers and share with
faculty
Activity 16:
For Team Work: Define roles and responsibilities amongst the groups.
Activity 8:
For Technical Skills: Check for publicly available data sets by exploration and research. Review and download data. Store data into databases using various methods like SQL/programming languages/scripting etc. Find out anomalies and prepare a report. Recommend that groups define roles to perform tasks. Groups must take different domains (data sets).
Activity 9:
Ask the students to fill the following table based on whatever they have learnt so
far. You can share one example with them to explain what is expected out of them,
if required.
Give the students 10 minutes to fill the table, post which you can discuss
some samples with them. You can keep enlisting the evaluation criteria, so
that the whole class can refer to them. At the end of the exercise, you can
ensure that the following evaluation criteria have been covered.
from across the organisation, as has been explained in the chapter on how to work effectively with colleagues. When designing and installing the security systems, you will have to make sure that they meet the requirements of their colleagues. In other words, their needs have to be considered paramount. Not only should you strive to meet customer requirements, you should try and exceed them.

Problem Solving- You would have to face many challenges as an Information Security Analyst. You will have to develop problem solving skills to be able to handle them. For example, if you have developed a system that does not permit employees to access data on Sundays, and if you notice certain anomalies, it would be your responsibility to bring this to the notice of your line manager.

Analytical Thinking- Another skill-set that is associated with an Information Security Analyst is that you will need to have an analytical bent of mind. He/she will have to analyse data across the organisation and also monitor the activities of all, before coming up with a data security plan. You will have to ensure that the relevant information reaches the concerned people on time.

Critical Thinking- This skill may be required by an Information Security Analyst time and again as you may have to apply your judgment in a balanced manner in various situations. For example, you may suggest a particular data security template, but the senior management may not agree due to it being too complex. Thus, you may have to apply your judgement to come up with a plan that keeps the user friendliness in mind while not compromising on the security.

Attention to Detail- Quality is a key criterion for any job and that of an Information Security Analyst is no different. One aspect of it is to pay attention to detail. For example, the data usage policy of an organisation may be different for the senior management as compared to that of the others. The Information Security Analyst would need to be aware of this while designing policies. Also, you need to ensure that the data is error-free and complete. You can also take help from colleagues, if required.

Team Work- No job can be completed without interacting with others, within and outside the organisation. Thus the ability to be able to work with others as a team is a key requirement. For example, to be able to test database systems, an Information Security Analyst would need to coordinate with members of other teams. Hence, being able to work effectively in a team environment is a must-have skill-set.

Technical Skills- Just like technical knowledge, technical skills too are equally important for any Information Security Analyst to perform their job. For example, the ability to use information technology efficiently; being able to input and extract data accurately; being able to validate and update data; being able to identify and refer anomalies in data; being able to store and share information in standard formats; being up to date with changes, procedures and practices in your role; etc.
Trainer’s Handbook – Security Analyst SSC/N9005
SSC/ N 9005:
Develop knowledge, skills & competence
Description: This unit is about taking action to ensure you have the knowledge and skills you need to perform competently in your current job role and to take on new responsibilities, where required.
Competence is defined as: the application of knowledge and skills to perform to the standards required.
Scope: This unit/task covers the following:
• line manager
• human resources specialists
• learning and development specialists
• peers
Job role:
THE UNITS
The module for this NOS is divided into 4 Units based on the learning objectives given below.
UNIT I
Importance of Self Development
LESSON PLAN
Ask the students to write on a sheet what they will need to do, after they join their work, to ensure the following:
o They perform well at work
o They get the respect of their seniors, peers and users
o They grow to the next level
Have them share and write the same on the board. Highlight the need for learning.
Activity 2:
Ask the students to list all the reasons they feel continual learning on the job is
important.
Have them research and see what professionals say about this.
Ask them to pose that question in Security Analyst Networking forums and bring the
responses they got.
After the research, discuss in the class
Activity 3:
Activity 4:
Divide the participants into groups of 4-5. Distribute the following topics among the groups, so that each group has at least 1 topic to discuss and all the topics are covered. The topics are:
a) After they join work, who will be responsible for their learning?
b) What will happen if they get so involved in work that they are unable to learn further?
c) What if the organization they join provides no opportunities for work?
d) What could be the obstacles that could hamper their learning? How to handle them?
After the discussion each group to present in front of the class and a class discussion to be
facilitated by the trainer to motivate everyone to commit to being responsible for their own
learning.
Activity 5:
Have the class work together and develop a self-development charter, stating what they
all would like to commit to doing for their self-development in future
The trainer can provide inputs.
Have each student sign it and keep a soft and hard copy.
Can have the original laminated and put up in the class.
UNIT II
Knowledge and Skills Required for the Job
Lesson Plan
Suggested Learning activities
Trainer Resource Material
2.1. Knowledge and Skills Required for the Job
LESSON PLAN
Activity 6:
You can explain to the students that to be able to work in any organisation, an employee, irrespective of the role he has been assigned, needs to know about the organisation he is working with. This includes knowledge about the company’s policies, procedures, structure, culture, your role and responsibilities, overview of other departments, information needs of other departments, key contact points, etc.

Technical Knowledge

Technical knowledge helps a person understand a field of work. This section would be the easiest to explain to the students as it would be obvious to them that to perform any task, they would need the technical know-how for the same. If the Information Security Analyst does not know what a gateway is, or what a multiplexer is, or what a hub is, or how they function, how can he be expected to install them?

One also has to plan for foreseen and unforeseen events or occurrences that may impact the work and ensure to factor these in for timelines, costs, material and human resource requirements, etc.

Human Skills- The ability to work with people.

Conceptual Skills- The ability to work with ideas, or concepts.

Core/ Generic Skills- These are generic in nature and are common to most white collar jobs, like reading, writing, listening and speaking.

As an Information Security Analyst, you should be able to communicate well with colleagues, in writing. For example, making plans for the department for upgrading the security systems requires writing skills. You should also be able to read instructions, guidelines and procedures laid down by your organisation. For example, each organisation has certain guidelines for data security. As an Information Security Analyst, you should be aware of those. Only then can you install the appropriate security systems.

Other than reading and writing, an Information Security Analyst should also have oral skills like listening and speaking. For example, when talking to your line manager, you need to listen to the instructions carefully. If at any
UNIT III
Avenues for Self-Development
Lesson Plan
3.1. Formal Avenues of Self Development in an organisation
3.2. Different types of learning styles and methods
LESSON PLAN
Activity 1:
Ask the learners to work in groups of 4-5 and make a list of all the various modes of learning they have used in this course.
Ask them to further add other avenues to training that they think will be available to them on the job.
Then discuss the various options. Ask the participants to expand the list after the discussion if they learnt any new avenue during the discussion.
Activity 2:
Ask the learners to take out the list of knowledge and skills for self development that they had compiled in the earlier unit. Ask them to assign against each the avenues that they could use to develop in each area.
Activity 3:
First share with the learners the three learning styles and their clues.
1) Visual
2) Auditory
3) Kinesthetic
Then ask each learner to identify which style(s) they prefer more than the others.
Ask them to make a note of their preferred learning methods.
1) Activist
2) Reflector
3) Theorist
4) Pragmatist
Activity 4:
Ask the learners to search the internet for questionnaires on Kolb’s as well as Honey and Mumford’s learning styles. Ask them to use those questionnaires to find out their preferred learning styles.
Knowledge, skills and attitudes can be developed through a range of methodologies:
1) Education or professional qualifications,
2) Training by employers,
3) On-the-job experience,
4) Informal learning from peers, seniors and others,
5) Self-study and practice.

Many employers invest large amounts of resources (time, effort and money) to make employees work ready and for them to grow in their jobs and improve their knowledge, skills and attitudes. Employees should realise that this is an opportunity for them to develop, not only for delivering a better performance for employers but for the employee’s own career development.

A professional should think of career development not just in the short term but also from a longer term perspective. The knowledge and skills required for a job change over time and therefore a professional needs to ensure his or her employability over one’s working life, and needs to keep learning. High achievers in any field and people who are recognised for their professionalism work very hard to keep abreast of developments in their field and are life-long learners.

Life-long learning is very important for developing a successful and sustainable career. There are many professionals who got comfortable with their current level of performance and stopped learning and in some time found themselves without a job, or stuck at a particular level without any growth. These people then get frustrated with their professional lives and either resort to blaming employers or fate for their own lack of hard work and lack of desire to keep learning. Successful professionals commit to a life of learning (life-long learning).

It is important that one constantly finds out what avenues are available for one’s development in terms of professional development courses, further education, professional books and programs, etc. Also one must make the most of knowledge and experience available within the job environment from seniors, training manuals and programs, peers, trade and professional journals, suppliers and vendors, etc.

Some more Avenues for Learning

Develop Your Own Pet Projects: If there is some technology that you really want to learn and if you do not have the opportunity to apply this technology at work, then you should invent your own project to use it and develop this project during your free time.
Visual Learners
CLUES: Needs to see it to know it. Strong sense of color. May have artistic ability. Difficulty with spoken directions. Overreaction to sounds. Trouble following lectures. Misinterpretation of words.
LEARNING METHODS: Use graphics to reinforce learning - films, slides, illustrations, diagrams. Color coding to organize notes and possessions. Write out directions. Use flow charts / diagrams for note taking. Visualizing spelling of words or facts to be memorized.

Auditory Learners
CLUES: Prefers to get information by listening and needs to hear it to know it. Difficulty following written directions. Difficulty with reading. Problems with writing. Inability to read body language and facial expressions.
LEARNING METHODS: Use tapes for reading and for class and lecture notes. Learn by interviewing/participating in discussions. Have test questions or directions read aloud or put on tape.

Kinesthetic Learners
CLUES: Prefers hands-on learning. Can assemble parts without reading directions. Difficulty sitting still. Learns better when physical activity is involved. May be very well coordinated and have athletic ability.
LEARNING METHODS: Experimental learning (making models, doing lab work, and role playing). Frequent breaks in study periods. Trace letters and words to learn spelling and remember facts. Use computer to reinforce learning through sense of touch. Memorize or drill while walking or exercising. Express abilities through dance, drama, or gymnastics.
The most used and researched models were developed by Kolb (1984) and Honey and Mumford (1986). As per Honey and Mumford (1986), learners displayed the following learning styles:
UNIT IV
Planning for Self-Development
Lesson Plan
Suggested Learning Activities
Trainer’s Resource Material
4.1. Planning for Self-Development
LESSON PLAN
KA5. how to produce a plan to address your learning and development needs, who to agree it with and the importance of undertaking the planned activities
KA6. different types of support available to help you plan and undertake learning and development activities and how to access these
KA7. why it is important to maintain records of your learning and development
KB3. different types of learning styles and methods including those that help you learn best
Assessment: QA session and a Descriptive write up on understanding. Group presentation and peer evaluation along with Faculty. Performance evaluation from Faculty and Industry with reward points.
Resources: Online access for research work
Activity 1:
Ask the learners to download samples of organization’s policies and procedures for
Learning and development and share with the class.
Activity 2:
Have the learners apply all the 10 steps on themselves as they learn, to create a self-development plan that they could follow as soon as they finish the course.
Activity 3:
Have the learners research each step further on their own.
Annexures
{CLIENT ORGANIZATION}
Security Assessment Report
{YOUR ORGANIZATION}
{YOUR MAILING ADDRESS}
EXECUTIVE SUMMARY 5
Top-Ten List 5
1. Information Security Policy 5
2. {Security Issue #2} 5
3. {Security Issue #3} 5
4. {Security Issue #4} 5
5. {Security Issue #5} 5
6. {Security Issue #6} 6
7. {Security Issue #7} 6
8. {Security Issue #8} 6
9. {Security Issue #9} 6
10. {Security Issue #10} 6
INTRODUCTION 7
Scope 7
Project Scope 7
In Scope 7
Out of Scope 7
BACKGROUND INFORMATION 8
{CLIENT ORGANIZATION} 8
ASSET IDENTIFICATION 9
THREAT ASSESSMENT 9
Vulnerabilities 10
The {CLIENT ORGANIZATION} has no information security policy 10
{State the Vulnerability} 10
PERSONNEL 11
Management 11
Operations 11
Development 11
Vulnerabilities 11
There is no information security officer 11
{State the Vulnerability} 11
NETWORK SECURITY 12
Vulnerabilities 12
The {CLIENT ORGANIZATION} systems are not protected by a network firewall 12
{State the Vulnerability} 13
SYSTEM SECURITY 13
Vulnerabilities 13
Users can install unsafe software 13
{State the Vulnerability} 14
APPLICATION SECURITY 14
Vulnerabilities 14
Sensitive information within the database is not encrypted 14
{State the Vulnerability} 14
OPERATIONAL SECURITY 15
Vulnerabilities 15
There is no standard for security management 15
{State the Vulnerability} 15
PHYSICAL SECURITY 15
Vulnerabilities 16
Building Vulnerabilities 16
Several key doors within the building are unlocked or can be forced open 16
{State the Vulnerability} 16
Security Perimeter Vulnerabilities 17
There is no entryway access control system 17
{State the Vulnerability} 17
Server Area Vulnerabilities 17
The backup media are not protected from fire, theft, or damage 17
{State the Vulnerability} 18
SUMMARY 18
Action Plan 18
REFERENCES 18
Executive Summary
Briefly describe the activities of the assessment.
Talk about the importance of information security at the client organization.
Discuss security efforts that the organization has undertaken.
Highlight three major security issues discovered that could significantly impact the operations of
the organization.
Top-Ten List
A top-ten list is used to highlight the ten most urgent issues discovered during an assessment.
Clients unfamiliar with security may be overwhelmed by a long list of problems. Putting the
major issues together may allow the client to easily focus efforts on these problems first.
The list below contains the “top ten” findings, weaknesses, or vulnerabilities discovered during
the site security assessment. Some of the issues listed here are coalesced from more than one
section of the assessment report findings. Additional information about each is provided
elsewhere in the report.
It is recommended that these be evaluated and addressed as soon as possible. These should be
considered significant and may impact the operations of the {CLIENT ORGANIZATION}.
Introduction
Provide an overview of the report.
Scope
The scope is the boundaries of the project. It is used to describe the on-site activities.
Project Scope
In Scope
The following activities are within the scope of this project:
• Interviews with key staff members in charge of policy, administration, day-to-day operations, system administration, network management, and facilities management.
• A Visual Walk Through of the facilities with administrative and facilities personnel to assess physical security.
• A series of Network Scans to enumerate addressable devices and to assess each system’s available network services. (These Scans will be conducted from within each center’s network and from the outside.)
• A configuration and security assessment of at most ten key systems at each center.
Out of Scope
The following activities are NOT part of this security assessment:
• Penetration Testing of systems, networks, buildings, laboratories or facilities.
• Social Engineering to acquire sensitive information from staff members.
• Testing Disaster Recovery Plans, Business Continuity Plans, or Emergency Response Plans.
First Day
Second Day
Third Day
Background Information
Use this section to talk about any relevant background information.
{CLIENT ORGANIZATION}
Describe the client organization.
Asset Identification
Describe the process of asset identification.
Tangible Assets
{List tangible assets.}
Intangible Assets
{List intangible assets.}
Each item on these lists also has value associated with it. Each item’s relative value changes over
time. In order to determine the current value, it is often best to think in terms of recovery costs.
What would it cost to restore or replace this asset in terms of time, effort, and money?
Threat Assessment
Describe the process of threat assessment.
Natural Threats
{List Natural Threats.}
Intentional Threats
{List Intentional Threats.}
Unintentional Threats
{List Unintentional Threats.}
Vulnerabilities
Listed below are the vulnerabilities discovered during the assessment relating to law, regulation,
and policy. These are considered significant and steps should be taken to address them.
Personnel
Describe the personnel at the client organization. Organize them into related groups.
In this example, we have Management, Operations, and Development.
Management
Describe the management group.
Operations
Describe the operations team.
Development
Describe the development team.
Vulnerabilities
Listed below are the staff vulnerabilities discovered during the interviews with the {CLIENT
ORGANIZATION} staff. These are considered significant and steps should be taken to address
them.
Risk
There are several risks in not having {this vulnerability}.
{Provide a list of risks.}
Recommendations
{Provide a list of recommendations}.
Network Security
Describe the state of network security at the client organization.
List public network resources and sites.
List partner connections and extranets.
Vulnerabilities
Listed below are the network security vulnerabilities discovered during the assessment. These are
considered significant and steps should be taken to address them.
System Security
Describe the state of system security at the client organization.
Vulnerabilities
Listed below are the system security vulnerabilities discovered during the assessment. These are
considered significant and steps should be taken to address them.
Application Security
Describe the state of application security at the client organization.
Vulnerabilities
Listed below are the application security vulnerabilities discovered during the assessment. These
are considered significant and steps should be taken to address them.
Recommendations
{Provide a list of recommendations}.
Operational Security
Describe the state of operational security at the client organization.
Vulnerabilities
Listed below are the operational security vulnerabilities discovered during the assessment. These are considered significant and steps should be taken to address them.
Physical Security
Describe the state of physical security at the client organization.
Specifically, list the building, security perimeter, and server room vulnerabilities.
Vulnerabilities
Listed below are the physical security vulnerabilities discovered during the assessment. These are considered significant and steps should be taken to address them. The list is divided into a list of vulnerabilities that relate to the building, the security perimeter, and the server rooms. The building group contains vulnerabilities within the {CLIENT ORGANIZATION} office. The security perimeter group includes the exterior office windows, doors, alarm system, and the surrounding area. The server room group is specific to rooms containing server equipment.
Building Vulnerabilities
Several key doors within the building are unlocked or can be forced
open
Explanation
There are several important doors in the interior {CLIENT ORGANIZATION} office
area that are normally unlocked or can be forced open even when locked. The door to the
utility room is a hollow core wooden door with no lock. The utility room contains the
wiring panel for the telephones, a junction for the fiber optic cable, and the alarm system
box. The room containing the modem pool is normally open and unlocked. The system
administrator’s office containing the office file and web server is usually unlocked and
open.
Risk
These doors protect valuable assets of the {CLIENT ORGANIZATION}. A determined
attacker, thief, or disgruntled employee could get through these important doors with
minimal effort to steal and/or destroy.
Recommendations
Replace current doors with stronger fire doors.
Replace existing door hardware with high security locks.
Weld exterior hinge pins in place.
The backup media are not protected from fire, theft, or damage
Explanation
The backup media are stored near the backup system on an open shelf in the server area.
The media could be stolen, misplaced, accidentally erased, dropped, or destroyed in a
fire. If a system or data must be recovered, the media may not be available or functional
when needed.
Risk
The operation of the {CLIENT ORGANIZATION} can be impacted if the backup media
are not available due to theft, damage, or fire.
Confidential and Proprietary Information: Need to Know
Page 17
{CLIENT ORGANIZATION}
Recommendations
Purchase and install a lockable, fireproof media safe. Secure it to the floor and/or wall.
Summary
Summarize the report findings.
Action Plan
Provide an action plan that lists steps to be taken to improve security at the client organization.
References
Case Studies
Common Cyber Attacks: Reducing The Impact
Stages of an attack
A number of attack models describe the stages of a cyber attack (the Cyber Kill Chain® produced by
Lockheed Martin is a popular example6). We have adopted a simplified model in this paper that describes the
four main stages present in most cyber attacks:
Survey - investigating and analysing available information about the target in order to identify potential vulnerabilities
Delivery - getting to the point in a system where a vulnerability can be exploited
Breach - exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access
Affect - carrying out activities within a system that achieve the attacker’s goal
It has become a well-cited truism that these increasing threats do not stop at state borders.
On the other hand, international co-operation in fighting against cyber-attacks and
cyber-incidents appears to be in its infancy, compared to law enforcement efforts against
physical crime.
Frequently, both the actual perception of IT or cyber incident and the initial response to it
take place at a national level, either by private stakeholders or by state authorities. Hence,
the editors of this study consider it worthwhile to share with our readers reflections and
lessons learned of three cases from the Netherlands, Germany, and Sweden, which were
dealt with mainly, but not exclusively, within these countries. The cyber incidents
described differ in scope, in the damage caused, and in many other aspects, but they
have in common that their impact on society was considerable, even though, on a
technical level, these incidents were not very complex. Also, as a consequence of
networks, these incidents escalated quickly, which put great emphasis on incident
response. In two of the cases, the identities of the (possible) attackers have not as yet
been revealed (in the Tieto case there was no attack).
Hence, one lesson to be learned, as it were a priori, is that coping with cyber-attacks and
cyber incidents always involves some degree of uncertainty. The publication of this case
study, therefore, aims at providing transparency of past events as a starting point for
preventive measures against future cyber threats. The report is a joint effort of three
authorities: the National Cyber Security Centre (NCSC) in the Netherlands, the Bundesamt
für Sicherheit in der Informationstechnik (BSI) in Germany, and the Swedish Civil
Contingencies Agency (Myndigheten för samhällsskydd och beredskap, MSB).
Wilma van Dijk, Director Cyber Security, Ministry of Security and Justice.
Andreas Könen, Vice President, Federal Office for Information Security.
Nils Svartz, Deputy Director-General, Swedish Civil Contingencies Agency.
All three cases share certain characteristics. They all focus on the vital infrastructure
of their country. They all affected not just one, but a whole network of organisations
in their country. In each case, trust was lacking or was lowered after the incident. The
Swedish case stands out because it focuses on non-intentional disturbance of vital
infrastructure. The German case is about a deliberate attack to deny the availability of a
telecommunications provider and the consequences of such an attack. The Dutch case,
the hack of DigiNotar, was a deliberate act, but it probably was not the ultimate goal of
the attacker to hack into DigiNotar. The attacker used forged certificates from DigiNotar
to eavesdrop on other citizens in different countries.
It is hard to reach an effective level of trust in the digital domain. By moving so many
aspects of our lives to the digital realm, we automatically become potential victims of
extensive data breaches at digital service providers. Assurance reports, Service Level
Agreements and legal action can only do so much to reflect what is required from a digital
service provider: that they perform at a level which deserves the trust their clients place in
them.
We hope you will find benefit in reading this international publication which is the joint
effort of the national CERTs of the participating countries. Let it be a reminder of known
risks, and the medium for a message: that trust in the digital domain is not only hard to
come by, but also crucial to its success.
In these examples, the security breach at a provider was a first step in successfully
attacking targets which depended on this provider for their security.
The important role which DigiNotar fulfils in the Netherlands is threefold. First, DigiNotar
is one of the security certificate providers for the Dutch government. Second, DigiNotar
is an issuer of certificates for the Dutch national PKI (PKIoverheid). Third, DigiNotar
Response
When DigiNotar initially noticed the break-in into their systems, they decided to keep
it a secret from the general public and the authorities. In the Netherlands, there was no
explicit legal provision which required them to report such an incident. However, judging
from the consequences of keeping this incident secret, this course of action was probably
not in the public’s best interest.
Once GovCERT1 had been notified, they were in charge of handling the incident. When it
became clear, a week later, that PKIoverheid certificates could also not be trusted, a full
crisis management plan was initiated. The Dutch crisis management structure (‘national
crisis structure’) was activated in accordance with existing procedures. The IRB (ICT
Response Board)2 is an advisor to the crisis organisation in case of a crisis involving an
IT component. The IRB convened twice, which helped to gain a quick insight into the
impact of revoking trust in DigiNotar certificates. Many parties cooperated in the crisis
management. Some examples are the Dutch national police, public prosecutor, ministry
of the interior, ministry of security and justice and IT security company Fox-IT.
1 Since January 2012 GovCERT has been included within the National Cyber Security Centre (NCSC).
2 The IRB is a private-public advisory board, which advises the national crisis structure about the situation and
29 August
Mozilla also discovers attack. GovCERT, the Dutch national computer emergency response team, is
notified of the attack by CERT-BUND, their German equivalent. DigiNotar publicly admits having
been hacked.
1 September
Dutch governmental organisation Logius circulates an email message in which it asks other
government bodies what the impact would be of revoking DigiNotar certificates.
3 September
Dutch government officially renounces DigiNotar as a trustworthy certificate provider.
6 September
At the explicit request of the Dutch government, Microsoft decides to postpone – only in the
Netherlands – the update which will remove all support for DigiNotar certificates.
14 September
Dutch telecommunications authority OPTA announces that it revokes the licence of DigiNotar to
issue certificates for qualified signatures. 300 Dutch government websites still use DigiNotar
certificates to encrypt communications.
Final remarks
After the DigiNotar crisis, two measures were proposed:
• A legal obligation to notify a central authority of any significant data leaks or break-ins
within an organisation. For providers of qualified certificates, such an obligation
has since been introduced. In the case of DigiNotar, this would have led to an earlier
awareness and understanding of the extent of the problems.
• The creation of a department of digital firefighters, which could act on behalf of
the Dutch government in order to resolve a cybersecurity incident or crisis. Many
proposed formats for this closely matched the role which GovCERT already had within
the government. A discussion point within this concept was whether the government
should have the power to take over IT operations and exercise it in case of a cyber crisis
in order to protect the public interest.
Six days after the OPTA revoked DigiNotar’s licence to issue qualified certificates, the
company went bankrupt. Most of its property was auctioned off, but the hardware used to
protect the private keys of the revoked certificates is still kept locked away. The original
expiry date of the root certificates has not yet passed, which means it is possible some
software still accepts certificates issued by DigiNotar. After this expiry date, the DigiNotar
incident will be over.
The DigiNotar case has been evaluated extensively within all levels of the Dutch
government. Some important conclusions can be made:
• Apparently, the certificate authority/PKI system is part of the critical infrastructure of a
country. The DigiNotar case motivates one to re-evaluate whether his or her perception
of what constitutes the ‘critical infrastructure’ of a country is both correct and
complete. Also, in what way does any compromise involving such trust providers have a
significant impact on the physical world?
• In cybersecurity, the effectiveness of the measures taken by a provider greatly affects the
security stance of its clients. On the other hand, the insight and influence clients have
over the security measures taken by their provider is very limited. This means that there
will always be a residual risk associated with cooperating with providers of any kind.
DDoS attacks are very common on the internet. BSI is aware of about 1,800 DDoS attacks
in Germany during the first half of 2013. It means that on average at least ten DDoS
attacks are carried out daily. The real figure is probably much higher. Worldwide, several
companies report that they observe thousands of DDoS attacks per day. On average,
an attack lasts less than one hour. But in some cases it can last for several days or even
months.
Statistics show that the main targets of DoS attacks are governments, banks, and
e-commerce companies. Often adversaries attack a victim’s web-server to disrupt its
internet presence. But in some cases, other services, such as the Domain Name System4
(DNS), are targeted as well.
There are different motivations for DoS attacks, e.g. political and ideological motives,
competition, extortion. Adversaries can be government agencies, state-sponsored or
patriotic hackers, hacktivists, or criminals. Some examples for adversaries and their DDoS
attacks in the recent past are:
4 The DNS is a distributed system for computers, services, or any resource connected to the Internet or a private
network. It associates a variety of information with domain names assigned to each of the participating entities.
Most prominently, it translates easily memorised domain names to the numerical IP addresses needed for the
purpose of locating computer services and devices worldwide. An oft-used analogy to explain the Domain Name
System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames
into IP addresses. For more information, see e.g. http://en.wikipedia.org/wiki/Dns
DoS attacks lead to direct and indirect costs for the victim. They cause costs for DDoS
mitigation, direct revenue losses for e-commerce companies, reputational and brand
damage, and customer turnover. Studies and surveys suggest that an hour of DDoS attack
can cost a victim tens of thousands of euros. Attacks against critical infrastructure of a
state can even disrupt its supply of essential goods and services to its population.
[Figure: attack diagram. Attacker (IP: x.x.x.x); one message is labelled From: y.y.y.y, To: z.z.z.z, Message: Requested Information: …; the remaining labels in the diagram are not legible.]
The motivation for the attack is unclear. The attacker made no demands to Deutsche
Telekom. No information claiming responsibility for the attack was published. A possible
explanation could be a “proof of concept” or test by which the attackers try out their
capabilities, infrastructure and tools to carry out that kind of attack.
Response
Abuse messages sent to the web hosting provider to stop the attack were unsuccessful.
After a short delay the ISP was able to mitigate the attack by redirecting the malicious
traffic (see Timeline of events, above). The mitigation was possible, since the ISP
possessed the necessary equipment and skills to monitor and mitigate such attacks and
its network capacity was high enough not to collapse under the heavy traffic.
CERT-Bund was informed by Deutsche Telekom about the attack and helped it with the
analysis. While the attack against a provider’s infrastructure which provides services to
the broad population was new, the attack method itself was already known. Since benign
DNS queries need to be answered only once, repeated DNS queries were blocked by the
mitigation systems of Deutsche Telekom.
Also, the Federal Criminal Police Office was involved in the investigation of the attack
infrastructure. However, at first, it was not clear whether it was responsible in this case.
It started to act after the Telekom provided additional information about the attack and it
was recognised that the attack was targeting a critical infrastructure.
Final Remarks
For providers of Domain Name Services there are different technical advisories for
strengthening their own DNS servers in such a way that they cannot be misused for this
kind of attack. The DNS provider should be made aware of the threat and be forced to
implement the necessary counter measures. The problem here is that this should be
done by every single provider worldwide.
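The mitigation described above (answering an identical benign query once, withholding repeats) and the server-side hardening the final remarks call for can be shown together as a small response-rate limiter. This is an added example, not code from BSI, CERT-Bund or Deutsche Telekom; the query-log line format, the source addresses (RFC 5737 documentation ranges) and the thresholds are assumptions, and the "slip" of an occasional truncated reply is modelled loosely on the response-rate-limiting idea used by production DNS servers.

```python
import re
from collections import defaultdict, deque

# Constructed query-log format (an assumption, not any operator's real format):
# "<unix_timestamp> <source_ip> <qname> <qtype>", one UDP query per line.
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def parse_line(line):
    """Return (ts, src, qname, qtype) for a log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), m["src"], m["qname"].lower().rstrip("."), m["qtype"].upper()


class ResponseRateLimiter:
    """Limits identical responses per source address inside a sliding window.

    A benign resolver caches an answer and does not repeat the same query many
    times per second, so a burst of identical queries from one address is the
    signature of reflected attack traffic. Verdicts:
      'answer'   full response (normal traffic)
      'truncate' minimal reply with the TC bit set, so a genuine client retries
                 over TCP, which a forged source address cannot complete
      'drop'     no response at all, so the address being reflected at gets nothing
    """

    def __init__(self, window_s=1.0, max_identical=5, slip=2):
        self.window_s = window_s
        self.max_identical = max_identical
        self.slip = slip  # every slip-th withheld response is truncated instead of dropped
        self._answered = defaultdict(deque)  # key -> timestamps answered inside the window
        self._limited = defaultdict(int)     # key -> number of responses withheld so far
        self.stats = {"answer": 0, "truncate": 0, "drop": 0}

    def decide(self, ts, src, qname, qtype):
        key = (src, qname, qtype)
        window = self._answered[key]
        while window and ts - window[0] > self.window_s:
            window.popleft()  # expire answers that fell out of the window
        if len(window) < self.max_identical:
            window.append(ts)
            verdict = "answer"
        else:
            self._limited[key] += 1
            slipped = self.slip and self._limited[key] % self.slip == 0
            verdict = "truncate" if slipped else "drop"
        self.stats[verdict] += 1
        return verdict

    def limited_sources(self):
        """Addresses whose identical queries were withheld. In a reflection attack
        these are the addresses being attacked, not the attacker, so they belong
        on a notification list rather than a block list."""
        return sorted({src for (src, _, _), n in self._limited.items() if n > 0})


def process_log(lines, limiter=None):
    """Replay query-log lines through the limiter; return ([(src, verdict), ...], limiter)."""
    limiter = limiter or ResponseRateLimiter()
    verdicts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            verdicts.append((parsed[1], limiter.decide(*parsed)))
    return verdicts, limiter


# Constructed sample: one ordinary client (192.0.2.10) and 20 identical ANY
# queries carrying the address 203.0.113.5 within half a second, the pattern
# that turns an open resolver into an amplifier for whoever that address is.
SAMPLE_LOG = sorted(
    [
        "1377000000.000 192.0.2.10 www.example.org A",
        "1377000000.200 192.0.2.10 mail.example.org MX",
        "1377000000.900 192.0.2.10 www.example.org AAAA",
    ]
    + [f"1377000000.{ms:03d} 203.0.113.5 example.net ANY" for ms in range(0, 500, 25)],
    key=lambda l: float(l.split()[0]),
)

if __name__ == "__main__":
    verdicts, limiter = process_log(SAMPLE_LOG)
    print(limiter.stats)              # {'answer': 8, 'truncate': 7, 'drop': 8}
    print(limiter.limited_sources())  # ['203.0.113.5']
```

The ordinary client is answered every time, while only the first five identical queries for the reflected address get a full response; the occasional truncated reply is what keeps a real client behind that address from being cut off.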
The internet is a critical infrastructure. Its availability is essential for the functioning of a
society and economy. Its outage can cause serious negative effects on almost all areas of
life and can even inflict real damage in the physical world. Therefore, its protection should
be an important goal for governments in every country.
Although the attack technique has been known for quite some time, its recent use for
launching DoS attacks of unprecedented scale has brought renewed interest in it. Similar
attacks are carried out against victims worldwide. A recent attack which made it into the
headlines was a DoS attack on the anti-spam organisation, The Spamhaus Project, in
March 2013.
The usage of internet servers – here DNS servers, in other cases also web, email, etc.
servers – instead of home PCs enables the attacker to generate higher network traffic,
since the internet connection of any such server is much faster than the connection of
a typical private PC. This threat changes the general situation and demands immediate
action for implementing appropriate counter measures.
An account of the disruption at the IT service provider Tieto in late 2011 is given below.
The disruption affected both public and private organisations, and was debated both in
the specialist press and in the general media. A similar event occurred in Sweden on New
Year’s Eve (January 1, 2014) as a fire in the server room of one of the Stockholm facilities of
the IT service provider Evry caused considerable problems for the Stockholm metro, for
railway traffic, and for postal and logistic services, among others. The fire extinguishing
system was empty due to a human error. No one had restored (re-loaded) the system after
a minor incident the day before. The fire resulted in a loss of power, and data storage
systems had to be re-started. During the re-start, a software failure complicated matters,
and Evry was not able to re-deploy several IT services. This incident started a chain
reaction with implications for the whole society.
The disruptions at Tieto and Evry emphasise an already known circumstance, namely that
increased concentration and integration create a new category of vulnerability where
technical and human errors can shut down a number of societal functions over vast
geographical areas in a short period of time. A disruption at a large IT service supplier
can affect an entire society and the consequences can be considerable. Modern society is
becoming more and more vulnerable when IT systems become unavailable.
The exact details of what happened have not been made public by Tieto, but data storage
for a large number of servers was suspended in a very short period of time. The disruption
affected about 50 of Tieto’s customers, including companies, governmental agencies and
municipalities. Exactly which clients were affected by the disruption has still not been
made public by Tieto. For some organisations, IT support nearly came to a complete
halt, while other organisations experienced disruptions of specific services. In addition,
several service suppliers seem to have been connected to the storage system, including
companies that deliver web-based tools for administration, travel management and
similar services. There were reports from several municipalities across the country about
malfunctioning administration of financial services and pension services following the
disruption at Tieto.
5 December
The 180 control stations of the motor-vehicle inspection company Bilprovningen
This section focuses on responses related to the consequences of the disruption. Many
of the affected organisations had to resort to manual routines while Tieto was working
on restoring their IT services. This halted some processes, and slowed down others
considerably, due mainly to lack of personnel. Some organisations had frameworks and
plans for dealing with the loss of IT services; others had to solve the problems as they
emerged. A few organisations resorted to using old IT systems – systems that still existed,
or could be re-installed. There was also an example of a public organisation that used
Twitter and Facebook to communicate with people when their website and email systems
were down.
The Swedish Civil Contingencies Agency (MSB) started working on the event, formally,
on the morning of the 28th of November 2011. Regular meetings were held through the
Agency’s National Cybersecurity Coordination Function. Obtaining situational awareness
was the most important part of that work. In addition to this, MSB published information
on the Agency’s websites, including the national crisis portal which is the responsibility of
the Agency. On Tuesday, November 29, MSB completed an impact analysis and concluded
that no critical societal functions were affected in such a way that would seriously
threaten the functioning of society. This was followed by a status report to the Swedish
Ministry of Defence. MSB followed the progression of events through open sources,
its own contact networks, and contacts with affected parties as well as with Tieto. The
Agency quickly contacted Tieto, as well as many of the affected organisations. However,
it was difficult to gain a complete understanding of the situation through these channels
from the perspective of societal considerations as regards the widespread effects of the
disruption. Therefore, a request was drawn up on 6 December for the majority of agencies
specifically indicated in the Emergency Management and Heightened Alert Ordinance
(2006:942) to submit a situation report to the MSB regarding the disruption at Tieto. In
summary, however, it can be concluded that the MSB had difficulty in quickly forming a
comprehensive picture of how the event was affecting Swedish society. There is still no
single party with a complete picture of the societal impact. In February 2012, the Agency
submitted a formal report on the event to the Swedish Ministry of Defence.
Final remarks
It is difficult to assess fully the negative societal consequences of the disruption at Tieto.
For some organisations, IT services were unavailable for weeks, while others only suffered
minor problems. Apart from IT services becoming unavailable, there were also some
cases of data losses. In terms of financial cost, it is even more difficult to estimate the
The Swedish Civil Contingencies Agency (MSB) did not activate the national IT response
plan during the Tieto disruption. The consequences of the disruption at Tieto cannot
be considered a social emergency. However, the disruption clearly had serious negative
consequences for individuals and organisations, meaning that the event was very serious.
The analysis that followed the event was able to establish that several of the affected
parties did not have enough knowledge about their own dependencies, nor about their
need for cooperation. Had the disruption led to more extensive social problems, the
MSB would have had trouble coordinating the relief work and alleviating the effects
of the incident, as well as creating a satisfactory basis for collaboration. The affected
organisations (Tieto’s customers), have a great responsibility in terms of informing
their users and other stakeholders themselves. The event shows that this responsibility
is difficult for many organisations to comply with. Emergency preparedness and
contingency planning for long disruptions are requirements for most organisations, but
special needs arise when an organisation outsources IT operations or uses cloud services
for vital parts of the operation. The impression after the disruption at Tieto is that the
organisations’ contingency planning was of varying quality. Further, only a small number
of organisations had applied information classification or performed a risk analysis
before their procurement and outsourcing of services.
In the event of cyber incidents, warnings come at short-notice or not at all, the pace is
rapid and the incident is usually geographically independent. In order to prevent and
handle cyber incidents, an increased capability of all organisations in society at all levels
of responsibility and in all sectors is required. To this end, the MSB has identified four
areas in which further work is required:
• Strengthening preventive initiatives for cyber security (information security) throughout society.
• Procurement as a tool for better security: There is a great deal of potential in public
procurement, and all organisations need to develop further their competency in using
procurement as a means of controlling their cyber security (information security).
• Special focus on risk analysis and contingency planning: The disruption at Tieto shows that
there are shortcomings in the contingency planning and emergency preparedness
among several of the affected organisations.
• National and regional cyber security situational awareness: The increased concentration of
IT operations and other IT related services means that a large number of stakeholders
On a technical level, the incidents were not very complex, but the impact on society
was great. The Swedish case describes a relatively simple system failure; the German
story about the denial-of-service attack involves somewhat advanced but well-known
techniques; and the hack at DigiNotar was mostly possible because of the lack of proper
controls in place at DigiNotar.
In each case, the impact was large because of the role the target played in each country:
a national telecommunications provider, a signer of the national PKI infrastructure, and
an IT operations provider. All had many parties who depended on their cyber security.
Through network effects, these incidents escalated quickly.
1 New technology has created new opportunities as well as new risks in our society. New
technology and new business solutions have allowed a concentration of information,
services, communication and IT operations in society. This increased concentration,
along with new forms of operation and increased integration, can lead to a
vulnerability where small technical errors can shut down a number of societal functions
in a short period of time.
3 The internet is a critical infrastructure. Its availability is essential for the functioning
of a society and economy. Therefore, its protection should be an important goal for
4 The incidents in this report show that a large cyber incident can have an effect on an
entire society and that the impact can be considerable. In order to prevent and handle
major IT incidents, an increased capability of all participants in society at all levels
of responsibility and in all sectors is required. In this regard, the following areas are
particularly important:
a Procurement as a tool for better control of cyber security
b Special focus on risk analysis and contingency planning
c Implementation of the necessary processes for early detection and mitigation of IT
attacks
d National and regional situation status reports on cyber security.
5 In each of these cases, incident response plays a central role. Cooperation and
coordination around a major cyber security incident are crucial. The timing and
the quality of the initial response are both crucial in order to deal effectively with
all aspects of an incident or with a crisis at a later stage. The examples in this report
show that all participants must be able to act together and collaborate on decision-making
and operations in the event of an emergency. It is important that the affected
parties have developed processes for gathering and sharing information. This should
also include being able to communicate information to the public and to other
stakeholders. And finally the information should be coordinated.
7 Internet Service Providers (ISPs) are an important party in preventing cyber attacks.
The effectiveness of the measures taken by a provider greatly affects the security stance
of its clients. Any lack of security at a provider which is responsible for trust-related
services has a great impact.
November 2014
Cyber Case Studies: The Traditional Security Nexus
Blu3
Introduction
As the lives of individuals and the daily operations of organizations increasingly use and depend upon
online networks and resources, the line between security incidents in the cyber and physical worlds has
become blurred. Traditional security definitions and boundaries no longer apply uniformly. While many
security professionals may still consider cyber security a technical problem, today’s reality is an
intertwined cyber-physical world wherein cyber security issues often affect and cross over into the
physical realm (and vice versa) with direct, tangible impact. Billions of people worldwide are now online; it
has become another, if not the primary, domain that individuals and organizations depend upon to
communicate, increase efficiency, engage in commerce, store and publish information, and reduce costs.
Criminals, spies, terrorists, and hacktivists (hacker activists) also take advantage of these same benefits.
The proliferation of intersections between cyber and physical is increasing as a function of computing
device connectivity. People use numerous communications protocols to connect multiple devices to
various networks at work, at home, and on the go. An organization’s sensitive and proprietary systems,
once closed-off networks, are now accessible or controllable via remote or Internet access. Furthermore,
low-cost “smart” technology has been introduced into departments not traditionally overseen by technical
staff. According to Gartner, 26 billion devices will be part of the “Internet of Things” (IoT) by 2020. IoT is
the interconnection of atypical, non-computing devices – everything from smart thermostats and alarm
systems to medical monitoring devices and automobiles – to the Internet using a myriad of wireless
technologies. This wave of ubiquitous automation will likely create a surge of security implications in both
the cyber and physical realms, especially considering security has historically lagged behind technology.
Defenders must cover all points of attack, while attackers only have to identify the weakest point. An
increasing number of traditional security incidents have occurred because of weak links that existed in the
cyber realm; the converse is also true. Through the examination of security incidents, including the
highlighted examples in Table 1, this white paper will demonstrate the interwoven nature of the two
realms, reveal who has been affected, and provide best practices and countermeasures.
Information Security • Syrian spy cameras and microphones surveil activists and journalists
Financial Security • Credit card breaches will continue after chip and PIN adoption
Personnel Security • Terrorist-linked software developers hired for critical infrastructure work
The contents of this unclassified report, compiled from various open sources, in no way represent the policies, views, or attitudes
of the United States Department of State, or the U.S. Government, except as otherwise noted (e.g. travel advisories, public
statements). All OSAC products are for internal U.S. private sector security purposes only. Publishing or distributing OSAC-
derived information in a manner inconsistent with this policy may result in the discontinuation of OSAC support.
Agreement on the categorization of traditional security disciplines is difficult because there is much
overlap among them; cyber security is no different. Several other security sub-categories could fall under
one or more security disciplines in Table 1, such as operations security (OPSEC). Facility security,
personal protection, and information security are all common sub-categories of physical security.
Physical security (defined as the physical protection of sensitive or proprietary information, people,
facilities, installations, or other sensitive materials, resources, or processes) is broad and multi-faceted. Its
key areas involve the physical protection of facilities, people, and information.
Facility Security
U.S. Steel
In May, a federal grand jury indicted five military officers in China’s People’s Liberation Army (PLA) Unit
61398 for computer hacking, economic espionage, identity theft, and other related offenses directed at six
U.S. private-sector organizations in the nuclear power, metals, and solar energy industries. This was the
first time the U.S. Government successfully brought criminal charges against nation-state actors for this
type of computer hacking. Most of the alleged criminal conduct involved information that was stolen while
the companies were in negotiations, partnerships, or trade litigations with Chinese state-owned
enterprises (SOEs).
One of the affected organizations, United States Steel Corporation (U.S. Steel), was involved in trade
cases with Chinese steel companies between 2009 and 2012. Shortly before the anticipated decision in
one of the cases, an indicted military hacker allegedly sent spear-phishing emails to U.S. Steel
employees – including those associated with the litigation. Some of the emails, which appeared to come
from the CEO, successfully tricked employees into clicking on malicious links, resulting in the installation
of malware and backdoor access on corporate computers. The hackers used more spear-phishing
emails, with the subject line “US Steel Industry Outlook,” to steal a list of about 1,700 company
computers, including servers that controlled physical access to the company’s facilities and emergency
response.
Although the indictment stated that vulnerable servers on that list were identified and exploited, it does
not confirm which ones were hacked or detail the extent of exploitation. Compromised facility access
systems could have enabled a Chinese competitor to target U.S. Steel’s business operations from a
physical security angle. However, most of the alleged activity conducted by the PLA 61398 hackers
resulted in intellectual property (IP) and trade secret theft.
Countermeasures
The U.S. Steel case study underscores the need for segmentation or compartmentalization of critical
systems from public-facing networks via physical and/or logical (software) means.
The case study also stresses the importance of cyber security education, especially to protect against
spear-phishing tactics.
o Spear-phishing is used in over 90 percent of advanced economic espionage attacks by nation-state or
nation-state-sponsored actors.
o Spear-phishing was the predominant method allegedly used by the PLA 61398 hackers.
Segmentation and compartmentalization will likely become more important as the Internet of
Things expands, where thermostats, refrigerators, alarm systems, and security cameras could all
exist on the same network.
o A vulnerability in just one device could disclose the credentials to the entire network.
o Not only could an attacker turn off an alarm or security camera, but a threat actor could
use the cameras or smart meter readings to determine when a building is vacant in order
to break in.
o Manipulation of a thermostat to prompt a building evacuation could be the first step in a
plot to attack an organization’s physical security.
o In addition, networks that communicate without encryption, or with IoT devices that lack
physical protection, are exposed and vulnerable to attack.
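The lure in the U.S. Steel case, mail that appeared to come from the CEO, is the kind of message a gateway can triage before a user sees it: compare the display name against a directory of protected identities, compare the sending domain against the organization's own domains (including one-character look-alikes), and honor the SPF/DKIM verdict the receiving server already recorded. The Python below is an added example and is not code from the OSAC paper or from this handbook; the executive directory, the domain example.com and the two sample messages are constructed for illustration and refer to no real organization.

```python
"""Triage inbound mail for executive impersonation, the lure used against
U.S. Steel employees.  Added example; names, domains and messages are
constructed and do not refer to any real organisation."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical directory of identities worth protecting: display name -> real address
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}


def _normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Doe' == 'jane doe'."""
    return " ".join(name.lower().replace(",", " ").split())


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_message(raw: str) -> dict:
    """Return the sender, the findings that make the message suspicious, and a verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # 1. Display name of a protected executive on an address that is not theirs.
    expected = EXECUTIVES.get(_normalise(display))
    if expected and addr != expected:
        findings.append(f"display name '{display}' is an executive but sender is {addr}")

    # 2. Reply-To silently redirects the conversation elsewhere.
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 3. Sending domain one edit away from an internal domain (typo-squat).
    for internal in INTERNAL_DOMAINS:
        if domain != internal and _edit_distance(domain, internal) == 1:
            findings.append(f"sender domain {domain} is a look-alike of {internal}")

    # 4. The receiving MTA already recorded an SPF or DKIM failure.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("SPF/DKIM authentication failed")

    return {"from": addr, "display": display, "findings": findings,
            "suspicious": bool(findings)}


# Constructed samples: one genuine internal message, one impersonation.
LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: analyst@example.com
Subject: Board pack
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com

Attached for review.
"""

SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office.jd@mail.example.net
To: analyst@example.com
Subject: US Steel Industry Outlook
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com

Please open the attached outlook before tomorrow's hearing.
"""

if __name__ == "__main__":
    for label, sample in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED)):
        verdict = assess_message(sample)
        print(label, "->", "SUSPICIOUS" if verdict["suspicious"] else "clean")
        for finding in verdict["findings"]:
            print("   ", finding)
```

Each check is weak on its own (executives do mail from personal accounts, and Reply-To has legitimate uses), so a real gateway scores the findings and quarantines or tags the message rather than blocking on any single one; the look-alike and SPF/DKIM checks are the ones least likely to fire on genuine mail.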
Personal Protection
Social networking sites and social media sites have made collecting information on people and
organizations for social engineering, blackmail, and conducting traditional, economic, or industrial
espionage – in both the cyber and physical domains – much easier. However, information published on
these sites can also affect the physical security of people in an organization.
Mexican drug cartels and organized crime groups (OCG) often glean personally identifiable information
(PII) from social networking and media sites to add legitimacy to extortion and kidnapping threats. They
regularly monitor the social media accounts of target individuals, such as journalists disseminating “unfavorable”
information about illicit OCG activities. OCGs may also seek out secure communication channels to
avoid detection by government and security authorities, and they are likely trying to diversify revenue
streams through hacking, counterfeiting, and ATM skimming activities. As such, there have been media
reports of kidnappings, enslavements, bribes, and coercions of computer programmers, engineers, and
telecommunications experts since at least 2009.
A hacking group called the Lizard Squad attacked Sony Online Entertainment in August 2014, causing
denial-of-service disruptions to Sony’s PlayStation Network servers and tweeting a hoax to American
Airlines about “receiving reports that [Sony Online Entertainment CEO]’s plane #362 from DFW to SAN
has explosives on-board.” The hackers were a previously-unknown group who claimed links to terrorism
to add credence to the hoax; therefore, American Airlines diverted the flight and security authorities
checked for explosives. The Lizard Squad had obtained the CEO’s flight information from cross-
referencing flight schedules with travel information he had posted on Twitter (see Figure 2).
Figure 2: Hacking group Lizard Squad devised a hoax using information gleaned from
Sony Online Entertainment CEO’s tweets
Information found on social networking and media sites can be used to defeat security questions used to
reset passwords on online sites and services. This, in addition to the use of weak passwords, use of
repeated passwords across multiple sites, a lack of two-factor authentication, and the allowance of
unlimited password guesses on a cloud back-up service, contributed to the highly-publicized leaks of
private celebrity photos in 2014. Using information found on the Internet to humiliate, blackmail, bully, stalk,
surveil, and/or kidnap a person is perhaps the most frightening way someone’s personal safety can be
compromised by cyber-related means.
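One of the failures behind the 2014 photo leaks was a service that accepted unlimited password guesses. The countermeasure is per-account throttling with an eventual lockout, applied to every endpoint that checks a secret: the password itself, security-question answers, and reset tokens. The Python below is an added example, not code from the OSAC paper or from this handbook; the thresholds, the victim account and the attacker's wordlist are constructed, and the clock is injectable so the simulated attack runs without sleeping.

```python
"""Per-account failure throttling with escalating delay and lockout.
Added example; account names, wordlist and thresholds are constructed."""
import time


class GuessThrottle:
    """Track failed attempts per key (account, or account+source IP) and refuse
    further attempts until a back-off period has elapsed."""

    def __init__(self, max_free_failures=5, base_delay=1.0,
                 lockout_after=10, lockout_seconds=900, clock=time.monotonic):
        self.max_free_failures = max_free_failures
        self.base_delay = base_delay
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._state = {}   # key -> (failures, earliest_next_attempt)

    def check(self, key):
        """(allowed, seconds_to_wait) for an attempt made right now."""
        _, not_before = self._state.get(key, (0, 0.0))
        wait = not_before - self.clock()
        return (wait <= 0), max(wait, 0.0)

    def record(self, key, success):
        """Reset on success; on failure grow the delay: a few free attempts,
        then exponential back-off, then a hard lockout."""
        if success:
            self._state.pop(key, None)
            return
        failures = self._state.get(key, (0, 0.0))[0] + 1
        if failures >= self.lockout_after:
            delay = self.lockout_seconds
        elif failures >= self.max_free_failures:
            delay = self.base_delay * 2 ** (failures - self.max_free_failures)
        else:
            delay = 0.0
        self._state[key] = (failures, self.clock() + delay)

    def is_tracked(self, key):
        return key in self._state


class FakeClock:
    """Controllable clock so the simulation does not actually sleep."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_attack(throttle, clock, account, secret, wordlist, patience):
    """An attacker who is willing to wait out delays of up to `patience` seconds.
    Returns (guesses actually evaluated, whether the secret was found)."""
    attempts = 0
    for guess in wordlist:
        allowed, wait = throttle.check(account)
        if not allowed:
            if wait > patience:
                return attempts, False          # locked out; attacker gives up
            clock.advance(wait)
        attempts += 1
        ok = guess == secret
        throttle.record(account, ok)
        if ok:
            return attempts, True
    return attempts, False


if __name__ == "__main__":
    clock = FakeClock()
    throttle = GuessThrottle(clock=clock)
    wordlist = [f"password{i}" for i in range(50)]      # constructed; secret is not in it
    print(simulate_attack(throttle, clock, "victim@example.com", "hunter2",
                          wordlist, patience=60))
```

With the defaults the attacker gets ten guesses and 31 seconds of waiting before the 15-minute lockout, instead of the whole wordlist. Keying the counter by account alone lets an attacker lock a victim out deliberately, so production systems usually keep a second counter keyed by source address and combine the two; the class above takes any hashable key for that reason.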
Kaspersky Kidnapping
The highest-profile cyber surveillance, stalking, and abduction case involved Ivan Kaspersky, son of the
chairman and CEO of Russia-based Kaspersky Lab, one of the most prominent cyber security firms in the
world. Ivan Kaspersky was kidnapped for ransom in 2011 while walking to work from his Moscow
apartment. According to Russian media sources, amateurs – an older indebted couple – orchestrated the
plot and enlisted their son and two of his friends as “muscle” for the plot. The abductors stalked
Kaspersky and his girlfriend for several months prior to the kidnapping, determining his behavioral
patterns and discovering that he did not have a protective security detail. The kidnappers reportedly
obtained all the needed information from Kaspersky’s user profile on Vkontakte, a popular Russian social
networking site. His profile contained publicly-posted personal information, such as his real name, photo,
current school and area of study, girlfriend, work location, and the addresses of his last two apartments.
With this information, even amateurs could track and abduct the son of a prominent billionaire.
Kaspersky was forced to call his father to relay the ransom demands. Fortunately, the cellphone he used
was tracked within six days, although there is conflicting reporting as to whether its location was tracked
by Russian security authorities or someone working directly for Kaspersky. The Russian System for
Operative Investigative Activities (SORM) lawfully enables authorities to monitor, record, analyze, and
retain all data that traverses Russian telephone and Internet networks, including all emails, telephone
calls, Internet browsing sessions, text messages, and fax transmissions. The abductors may have used
the same cellphone to make food deliveries, or had geolocation services enabled.
Countermeasures
The common thread in these personal safety attacks is the lack of operations security (OPSEC)
used in online interactions.
o Limiting the amount of publicly-available personal information online and turning off
geolocation services on social networking and media sites can go a long way in
preventing targeted attacks.
o Even in cases where permissions are set to limit the audience to online “friends,” it is
easy for the Internet savvy to use fake social networking site accounts to socially
engineer their way in.
o Potential targets should be made aware of what information about them is publicly
available online (or for a few dollars), to understand the ways they could be targeted.
o Posting information from wearable IoT devices with geolocation capabilities (GPS), like
fitness activity-monitoring devices, could also reveal regular routes or residential
addresses.
Only trusted third-party sites and services with stringent security measures should be used for
any off-site or cloud storage of sensitive files.
Other best practices to help counter attacks include separating work and personal accounts and
using fabricated information in password reset security questions.
Information Security
In addition to facilities and people, physical security protects sensitive or proprietary information from
sabotage or theft. Using cyber methods to destroy or steal information stored electronically is obvious, but
using cyber methods to obtain information that is not located on computer networks or electronic media is
less so. Stringent physical security measures and systems used in facilities to prevent adversaries from
overhearing information, gaining access to printed information, or discovering what physical security
systems or methods are in place, can be defeated by one compromised cellphone or computer.
Computers and cellphones contain cameras, microphones, and often tracking devices – the same
components that make up high-tech eavesdropping devices.
Violence from Syria’s civil war continues both on the ground and in the cyber realm. Pro-government
forces are circulating spyware to infiltrate, track, and gather intelligence against the opposition, which
often winds up in the hands of the Assad regime and results in arrests, raids, and attacks. In some cases,
suspected rebels have been rounded up and interrogated about activities they conducted on their
computers, without the interrogators needing to have physical access to the machines.
Pro-Assad hackers deploy malware that is usually in the form of a remote access toolkit (RAT), which
grants nearly full access to victim computers. Not only do the attackers have access to computer files, but
they can record everything that is typed or displayed on the screen, such as online communications,
emails, video calls, and chats on social networking sites. The spyware is able to obtain information not
normally in the cyber domain – it can turn on cameras to collect intelligence on locations, record sensitive
information posted within view, attribute online activities to specific users’ faces, and turn on microphones
to eavesdrop on conversations in the room.
The attackers use well-informed social engineering that is tailored to the interests, needs, and fears of the
opposition. For example, they have hidden malware in fake security tools, fake versions of privacy or
encryption software [such as virtual private network (VPN) clients and Skype encryption tools], bait
documents, and malicious links. One email promised documents and maps showing the movements of
fighting groups. Further, they compromised legitimate Facebook accounts, such as one belonging to the
head of the Transnational Syrian Opposition, to recommend the installation of malicious software.
When diplomatic efforts appeared to replace the possibility of U.S. military action in Syria, NGOs and
journalists working on the conflict were included as targets in the attackers’ phishing, social media, and
spear-phishing campaigns. In one instance, an NGO administrator received an email purporting to
contain video evidence of Syrian military abuses. The file played a video of a graphic execution while it
installed RAT malware.
Pro-government hacking campaigns followed similar methods until late 2013, when security
researchers began to see attacks that they believed were “false flags.” The new campaigns seemed to
implicate pro-Assad hackers deliberately, but did not fit their known tactics and techniques. For example, new
malware of unknown origin claimed to be from the Syrian Electronic Army, but specifically attacked
Mac computers, which are uncommon in the region. Mac computers are more popular with activists
and journalists covering Syrian issues from outside the country. Kaspersky Lab has attributed the
locations of attackers in recent Syria-related cyber attack campaigns to operations coming from Syria,
Lebanon, and Russia. This may indicate that Syrian government allies with significant hacking
capabilities, such as Hizballah, are secretly assisting in the attacks. Figure 3 shows the geographical
distribution of those targeted by recent cyber attacks.
Activists, journalists, and NGOs working on the Syrian conflict have become more knowledgeable of
the risks posed by these kinds of attacks. However, the attackers’ malware campaigns have become
increasingly innovative and sophisticated in 2014, with higher levels of social engineering. Analysis of
the cyber attacks, especially correlating new or resurging attack campaigns with current events, is
difficult.
Figure 3: Recent Syria-related cyber attacks mostly affected victims in Syria and nearby countries
(Source: Kaspersky Lab)
Countermeasures
Organizations should also be aware that there is a risk of surveillance or eavesdropping when
using computers and mobile electronic devices.
o Microphones can be physically switched off (not using software) or disconnected from
systems in sensitive areas.
o Covers or removable tape can be used to cover camera lenses when not in use.
o Cellphones can be left outside, or batteries can be temporarily removed, during
sensitive conversations in secure areas.
o Other best practices for safely using electronic devices abroad can be found in the
OSAC report on economic espionage trends.
An exploited vulnerability in cyber security does not always defeat physical security, but physical access
to computing devices nearly always defeats cyber security. Lack of access control, locks, temperature
control, and backup power for high-value networks or server rooms could easily result in data loss or
compromise.
Additionally, most attacks against cellphones and mobile electronic devices require one or more of the
following:
An unencrypted connection over an unsecured or public Wi-Fi network;
Falling prey to a malicious link or attachment in an email, social networking or media site, or text
message;
Software that is unpatched or out of date; or
Having physical access to the device.
Physical access is the easiest way to compromise laptops and mobile electronic devices. Abroad,
especially in locations with aggressive technical collectors, most security experts assume devices that are
out of direct physical control are compromised.
Financial Security
Perhaps the greatest confluence of traditional and cyber security occurs in the finance industry, where
international commerce and financial services operate largely on a cashless framework. “Cyber” is losing
its place as a term in the finance industry vernacular. Excluding cash-only economies, monetary
exchanges and transactions are done electronically. Brazil was a pioneer in the adoption of electronic and
online financial systems 30 years ago and today has a large, robust banking community and e-commerce
sector. Even in several African countries, such as Kenya, mobile network penetration preceded that of
broadband Internet, and financial transactions by phone have become commonplace. With rapid
technological growth comes a general lag in implementing and enforcing cyber security legislations and
practices, usually creating lucrative environments for cyber criminals. As such, Brazil is a worldwide
hotspot for cyber crime, and in Africa, fraud conducted over mobile networks is prolific.
Especially in the United States, major data breaches seem to make the news headlines regularly,
contributing to the “Age of the Data Breach.” In 2014 alone, hackers have stolen over 500 million financial
records from the U.S. private sector. Of these, point-of-sale (POS) terminal malware exposed the financial
information of over 100 million credit cardholders, stealing the information while it was unencrypted in
memory or elsewhere in the transaction chain. EMV “chip and PIN” cards, in which an embedded microchip
generates a unique cryptogram for each transaction that the issuer verifies, and the cardholder is verified with a
personal identification number (PIN), may be part of the answer. However, unless card data is encrypted end to
end throughout the transaction (including while in terminal memory and in storage), these breaches can still occur.
Furthermore, stolen card data can still be used fraudulently in card-not-present (online) transactions, where the
chip plays no part.
Credit card skimming, when criminals insert a rogue device into an ATM or POS terminal that copies
information stored on the magnetic strip, will likely decrease in countries that migrate fully to EMV chip
technology. However, chip and PIN cards are not immune to software flaws, incorrect implementation, or
more advanced skimming attacks that clone the chip or harvest the PIN.
As countries migrate to the EMV standard, payment networks have implemented liability shifts. In the
U.S., the card issuer has traditionally borne the loss from counterfeit-card fraud, but in countries that have
adopted EMV, liability for such transactions shifts to the retailer or ATM owner whose equipment does not
support chip cards.
Countermeasures
Large credit card breaches will likely continue to occur because of the time required for a country to
completely adopt EMV technology, and as long as there are end-to-end encryption issues. However,
examination of the major credit card breaches in 2014 reveals other vulnerabilities that were involved in
the attacks.
Computers on the same network as those in the POS transaction chain (without physical or
logical separation):
o Were open to Internet access;
o Had remote administration software installed;
o Had user accounts with access to email and Internet browsing (susceptible to spear-phishing
and drive-by downloads that install malware); and/or
o Were connected to third-party vendors or services, such as payment processor companies or
HVAC companies, that employ less stringent security measures.
Even organizations that employed stringent security software and response teams missed alerts
and warnings. This can happen when multiple offices are responsible for an organization’s overall
security, but there is no standard operating procedure to delineate individual responsibilities, and
when no formal breach response plan exists.
Compliance with new PCI-DSS 3.0 security standards will help address some of the vulnerabilities
affecting credit card transactions.
Personnel Security
Personnel security assures the loyalty, reliability, suitability, and trustworthiness of employees and others
who work with or have access to sensitive information and material. It is often concerned with insider
threat. Economic (nation state) and industrial (corporate) espionage threat actors use social engineering
techniques, both cyber and traditional, to specifically target employees who have any access to sensitive
or IP-related information. Some insiders may be state-sponsored threat actors already embedded in U.S.
private-sector organizations, but many are coerced with promises of financial reward. Both economic and
industrial espionage actors lure employees with lucrative job opportunities at either state-owned
enterprises or competitors. Employees can also be coerced by nation-state governments to help their
home countries out of patriotism or loyalty.
Disgruntled employees are prime targets for economic and industrial espionage actors, and as many
as 75 percent of departing employees are disgruntled. According to client statistics compiled by cyber
security firm Websense, 65 percent of malicious insiders have already accepted a new job, and 25
percent of them hand over proprietary information to a foreign company or government (see Figure 4).
Jerome Kerviel and Société Générale
For Jerome Kerviel, no encouragement or lure was needed in what became the biggest rogue trading
scandal in history. Kerviel, a trader at the French multinational banking and financial services company
Société Générale, built up unauthorized positions that were uncovered in January 2008 and cost the bank
roughly $7 billion to unwind; in 2010 he was convicted of breach of trust, forgery, and unauthorized use of the
bank’s computers. As an insider, he subverted controls and used an accumulation of privilege to go on a
gambling spree at his employer’s expense. After his release from prison in September 2014, he was hired as
an information systems and computer security consultant by Lemaire Consultants and Associates.
Aum Shinrikyo
Aum Shinrikyo, a Japanese doomsday terrorist group, was responsible for many assassinations and the
1995 sarin gas nerve agent attacks on the Tokyo subway system that killed 12 people. Five years later,
security authorities realized that more than 80 Japanese companies and government organizations had
contracted computer companies affiliated with Aum Shinrikyo for software development. The Japanese
companies affected were major players in the electronics, food, banking, transportation, and metal
manufacturing fields, while some of the government agencies were responsible for construction,
education, postal services, and telecommunications.
Computer software development was a major source of revenue for Aum Shinrikyo. Many affected
organizations did not know they had ordered software from firms affiliated with the terrorist group because
their main suppliers had subcontracted the work. Additionally, most affiliates concealed their relationship
with Aum Shinrikyo. They developed about 100 different types of software, including customer
management, airline route management, and mainframe computer systems. The most prominent
customers were Nippon Telegraph and Telephone (NTT), Japan’s main telephone and Internet service
provider, and Japan’s Defense Ministry. The concern that the terrorist group had inside
access to sensitive government and corporate computer systems became a widespread fear, as many
worried about acts of cyber terrorism and sabotage of vital communications and networks. Many affected
government agencies and companies were forced to suspend the use of purchased systems until they
could assure they were secure.
Countermeasures
The most effective countermeasure for insider threat is user education, especially as part of a
formalized insider threat program.
o The average employee is not aware that foreign governments, in addition to competitors,
attempt to recruit insiders.
o Coworkers have the best chance at identifying insider threat behavior in an organization.
o The CERT Insider Threat Center has published best practices for mitigating IP theft,
information systems sabotage, and fraud. Additionally, the FBI Counterintelligence
Division’s Insider Threat Program offers an extensive list of possible insider behavior and
risk indicators.
o It often requires only one instance of human error, such as falling for a spear-phishing
scheme, for a major data breach or loss to occur in an organization.
The Aum Shinrikyo case stresses the importance of personnel security measures not only for
employees in the workplace, but also for all those who work with or have access to sensitive
information or systems in the entire supply chain.
Public Safety
Public safety involves the prevention of and protection from events that could endanger or cause injury,
harm, or damage to the general public. The Aum Shinrikyo case highlights a cyber-related incident that
overlaps multiple security disciplines; it could have had long-reaching effects on the public safety in
Japan. Other examples of cyber incidents that could impact public safety involve event security and
terrorism.
Hacktivists (hacker activists) have threatened mass disruptions at major events to publicize or bring
attention to their causes. Days before the opening ceremony at the London 2012 Summer Olympic
Games, British security services warned Olympics authorities about the threat of a cyber attack on the
stadium’s power supply. According to government investigations, the threat came from hacktivists that
were not credible. However, the threat led to checks on a back-up power system, including tests to
ensure functionality despite the strain from the stadium’s lighting and communications networks.
Hacktivists have also threatened to hack into traffic control systems at major events, such as the 2014
FIFA World Cup, using vulnerabilities in traffic control systems that were recently published in two
separate studies. The studies revealed that traffic control systems could be disrupted or rendered
inoperable. One researcher used a remote-control drone and cheap programmable hardware to launch
an attack on a traffic system and sent fake data to sensors – small wireless vehicle detection devices
embedded in the ground that transmit information about automobile location and movement. Traffic could
be impacted if the sensors were wirelessly linked to traffic lights. The other research team showed that it
was possible to break into the wireless communications of another system’s traffic controllers because
there were no passwords in use and no encryption used in the transmissions.
Terrorists could exploit traffic control system vulnerabilities to direct traffic toward (or restrict it to) a
planned attack location. While the products detailed in the studies are deployed primarily in the U.S.,
about 200,000 of the sensors in one system are in use worldwide – such as the UK, France, and
Australia. Experts believe that many traffic infrastructure devices created by various vendors have similar
security properties due to a lack of security consciousness in the traffic control systems field.
Countermeasures
There are several practical ways that transportation departments, traffic light operators, and
equipment manufacturers can increase the security of their infrastructure:
o Enabling encryption on wireless networks,
o Blocking non-essential traffic from being sent on the network, and
o Updating device firmware regularly.
The contents of this unclassified report, compiled from various open sources, in no way represent the policies, views, or attitudes
of the United States Department of State, or the U.S. Government, except as otherwise noted (e.g. travel advisories, public
statements). All OSAC products are for internal U.S. private sector security purposes only. Publishing or distributing OSAC-
derived information in a manner inconsistent with this policy may result in the discontinuation of OSAC support.
The simplest solutions with the greatest impact are to enable passwords and not rely on
default login credentials.
The vulnerabilities in the traffic sensor system have been patched, with planned upgrades for
older models. However, the identity of the other vendor has not been disclosed, and their
vulnerabilities are still exploitable.
National security refers to the protection of a nation through the use of economic power, political power,
military might, and diplomacy to ensure its survival. Accordingly, national security is dependent upon
military as well as non-military facets such as economic security, energy security, and environmental
security.
One of the most concerning national security issues with or without a cyber security nexus is the scale of
trade secret theft conducted against U.S. economic interests, especially those with foreign operations. In
addition, host country national security can affect the operations and welfare of U.S. private sector
organizations abroad. There are many possible attack vectors that could impact a country’s critical
infrastructure and therefore the operations of OSAC constituents. Furthermore, international and
intranational conflicts more frequently include cyber components.
Intellectual property theft, especially in the cyber domain, has been one of the most serious economic and
national security challenges the U.S. has faced over the past several years. The Commission on the Theft
of American Intellectual Property, in their 2013 IP Commission Report, estimated that the U.S. economy
is experiencing annual losses of over $300 billion a year to international trade secret theft. The report
concluded that better protection for IP, especially overseas, would add millions of jobs to the U.S.
economy, significantly bolster economic growth, encourage investment in research and development, and
improve innovation.
Threats to a host nation’s critical infrastructure include those against the financial services industry,
energy sector, water supply, transportation systems, public health services, and telecommunications
networks. Nation states have infiltrated or attacked critical infrastructures, often controlled and monitored
by industrial control systems (ICS), since at least 2003. Patching and updating ICS equipment can be
difficult because it is often old, sensitive, proprietary, or no longer supports software upgrades. Many
systems require continuous operation and cannot be rebooted after an update, especially if it takes
several hours to do so or there is a risk that the system may not work properly afterward.
Critical infrastructures that are accessible via the Internet are most vulnerable to attack. However, those
that isolate, or “air gap” their systems from the Internet are not impenetrable. Advanced nation-state
attacks on air-gapped systems have succeeded, e.g., the Stuxnet and Agent.btz campaigns, where
employees may have inserted malicious USB flash drives – planted outside targeted facilities – into
computers that were connected (or later connected) to the sensitive, isolated networks. The Stuxnet virus
destroyed nuclear centrifuges in Iran, and Agent.btz infiltrated both classified and unclassified U.S.
military networks. Other research suggests that the Stuxnet virus may have entered via hacked suppliers
of nuclear facility components. Additionally, the Shamoon virus, introduced by a disgruntled insider with
full systems access, destroyed 75 percent of the corporate data at Saudi Arabia’s national oil and natural
gas company.
Actors based in China, Russia, and Iran have allegedly conducted cyber probes of U.S. grid systems;
cyber attacks have occurred against critical infrastructure in several other countries as well. In 2013, a
senior Israeli official revealed a foiled hacking attempt to break into the computers of the water system in
Haifa and stated that critical infrastructures in Israel undergo hundreds of cyber attacks every minute. In
2013 and 2014, private security researchers set up fake industrial control systems (“honeypots”) on the
Internet that emulated water pumping stations. Analysis of one decoy system revealed intrusion and
system modification attempts originating from several countries, as shown in Figure 5. Further, targeted
attacks to obtain statistics, diagnostics, and protocol information included a spear-phishing attack from
China, a commonly-known malware attack from Vietnam, and an unknown malware attack from Russia.
Despite the vulnerabilities and reported intrusions of industrial control systems, it is rare for threat actors
to carry out significantly damaging or full-scale attacks. Many critical infrastructure systems in
technologically-advanced countries are air-gapping their most important systems from the Internet. Some
experts argue that a mass takeover of critical infrastructure is not likely because it is sufficiently
segmented, where only one component, area, or section could be affected at one time. Regardless, the
pervasiveness of cyber attacks on critical infrastructures and “cold war” tactics indicate that the definition
of national security has expanded to include a nation’s offensive and defensive cyber capabilities.
National governments use cyber tactics to help fight rebellions, oppositions, and terrorists internally (see
previous section on the Syrian civil war). However, they have also used cyber tactics as a component in
international conflicts. Cyber researchers have noted major spikes in malware traffic on corporate and
government networks preceding the Russia-Ukraine and Israel-Gaza conflicts, suggesting that conflict
occurring in the cyber realm could be used as a threat indicator or even a tripwire for kinetic attacks. Over
an 18-month period, as tensions rose between each pair of countries, so did the frequency of cyber
attacks between them. Attribution of the attacks becomes crucial, however, as a false flag or the
misidentification of a state-led cyber attack could lead to physical, armed conflict.
Russian Conflicts
Open-source reporting and private industry security research have accused Russia of conducting attacks
on telecommunications networks in its engagements with Estonia in 2007, Georgia in 2008, and Ukraine
in 2014. In a dispute that erupted over the Estonian removal of a Soviet war memorial in Tallinn, Russia
allegedly conducted a three-week cyber attack that took down Estonian systems that relied on Internet
technology – disabling voting, security, telephony, and 95 percent of banking operations. US-CERT
attributed the takedowns to distributed denial-of-service (DDoS) attacks. In 2008, the Russian invasion of
Georgia included disruption attacks that blocked Georgia’s banking, media, and government websites.
Internet connectivity within Georgia and to the outside world was impacted, and there were widespread
propaganda and website defacement campaigns against Georgian websites. In 2014, armed men raided
Ukrainian telecommunications facilities in Crimea, severing Internet and telephone services between the
region and the rest of Ukraine. However, this was accomplished by physically cutting telecommunications
lines, a military tactic that predates the Internet by decades. Russia also allegedly installed equipment
that blocked the mobile phones of Ukrainian members of parliament. Some Ukrainian government
agencies, including the Prime Minister’s office and at least 10 Ukrainian embassies abroad, were infected
with a Russian-linked cyber espionage campaign called the Snake malware, also referred to as
“Uroboros.” At least nine other countries’ embassies in Eastern Europe were also infected with the
malware, resulting in leaks of sensitive diplomatic information. And in September, the broadband network
of a major telecommunications provider in New Zealand ground to a halt for 36 hours when user
connections were co-opted to conduct a DDoS attack against websites in Ukraine and several large
international banks enforcing sanctions against Russia.
Predictably, the Russian government has denied state involvement in these attacks. Nonetheless,
investigations by private cyber security firms have determined that these attacks originated inside
Russia's borders. State-sponsored or Russian nationalist hackers could have been responsible for at
least some of the cyber campaigns. Cyber Berkut, a nationalist hacking group that emerged after the
dissolution of the “Berkut” Ukrainian special police force, took credit for the hacking of Ukraine’s electronic
election system prior to the 2014 presidential election. They took down the system via DDoS,
manipulated and destroyed data, and defaced the website to display fake election results.
Israel-Gaza Conflict
Terrorist Groups
The Islamic State of Iraq and the Levant (ISIL or ISIS) and Al-Qa’ida have not exhibited the ability to
conduct sophisticated cyber attacks, thus far only using social media networks and other online resources
to communicate, post propaganda, and recruit. Just as governments, militant groups, and terrorists may
receive physical assistance and arms support from their allies, they may also receive offensive cyber
training. Based on open-source reporting and past attack attribution, Iran, Syria, Hamas, Hizballah, and to
a lesser extent, pro-Islamic hacktivists, are the only adversaries in the Middle East and North Africa
region that have exhibited offensive cyber capabilities.
Countermeasures
Critical infrastructures should isolate their most important systems from public networks. Many ICS
devices are not only Internet-facing, but do not have security mechanisms to prevent unauthorized
access.
o Web-based ICS equipment that cannot be isolated from the Internet should use encrypted
communications.
o System administrators should set appropriately secure and non-default log-in credentials,
implement two-factor authentication, and disable insecure or unnecessary remote access
communications protocols.
o Organizations with aging, fragile, or sensitive industrial control systems can employ real-time
network monitoring and incident response. Otherwise, administrators should keep ICS
equipment up to date with software patches and fixes.
o Physical and logical (software-based) access control can prevent unauthorized employees or
contractors from accessing important equipment.
Air-gapped systems may still be vulnerable to attack by advanced nation-state threat actors.
o Education and training are the best way to protect against both insider threat and the
connection of unauthorized devices or external electronic media.
o Disabling or restricting computer ports that accept external electronic devices or media can
prevent the introduction of malware.
o Suppliers are usually much easier for hackers to exploit than the corporations or government
agencies using them.
Shodan is an online search engine that allows users to search for publicly-accessible devices and
computer systems that are connected to the Internet.
o Shodan users can locate systems including security cameras; heating and security control
systems for banks, universities, and large corporations; medical devices; and industrial
control systems (see Figure 6) for water plants, power grids, and nuclear power facilities.
o Users are primarily cyber security professionals, researchers, and law enforcement agencies,
and it is a useful tool for conducting penetration tests on, or “red teaming,” network resources
and systems.
o While cyber criminals can use the website, they have other effective methods to accomplish
the same task without detection. One recent honeypot study revealed intrusion attempts from
China-based attackers within two hours of connecting the decoy ICS equipment to the
Internet, before the system appeared on Shodan.
Figure 6: A map of industrial control systems that are directly connected to the Internet (Source: Shodan)
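The configuration review below is an added example for this handbook, not code from the OSAC report or any vendor; it turns the countermeasures the report lists for traffic control systems and industrial control systems (isolation from public networks, encryption, non-default credentials, two-factor authentication, disabling insecure remote protocols, patching or else monitoring aging equipment, restricting removable-media ports) into rule-based checks over a device inventory. The Device fields, the insecure-protocol and default-login lists, the firmware-age threshold and the sample inventory are all assumptions constructed for the example.

```python
# Added example for this handbook section (not code from the OSAC report): the
# countermeasures listed above expressed as checks over a device inventory. Field
# names, the protocol and default-login lists and the age threshold are assumptions.
from dataclasses import dataclass
from datetime import date

INSECURE_REMOTE_PROTOCOLS = {"telnet", "ftp", "http", "vnc"}  # assumed list
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("root", "root")}  # constructed
FIRMWARE_MAX_AGE_DAYS = 365      # review threshold chosen for the example
REVIEW_DATE = date(2014, 10, 1)  # date the constructed review is run against

@dataclass(frozen=True)
class Device:
    name: str
    internet_facing: bool        # reachable from public networks
    encrypted_comms: bool        # wireless / web traffic is encrypted
    login: tuple                 # (username, password) from the config export
    two_factor: bool
    remote_protocols: frozenset  # enabled remote-access services
    firmware_date: date
    patchable: bool              # vendor still supports upgrades
    network_monitoring: bool     # real-time monitoring and incident response in place
    removable_media_ports: bool  # USB or similar ports enabled

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "critical", "high" or "medium"
    detail: str

def review_device(dev, today):
    """Return the countermeasures from the report that the device fails to meet."""
    findings = []
    if dev.internet_facing:
        findings.append(Finding("ISOLATE", "high",
                                "device is Internet-facing; isolate it from public networks"))
        if not dev.two_factor:
            findings.append(Finding("TWO_FACTOR", "medium",
                                    "Internet-facing device without two-factor authentication"))
    if not dev.encrypted_comms:
        findings.append(Finding("ENCRYPT", "high", "communications are not encrypted"))
    if dev.login in DEFAULT_CREDENTIALS:
        findings.append(Finding("DEFAULT_CREDS", "critical", "default login credentials in use"))
    insecure = sorted(p for p in dev.remote_protocols if p in INSECURE_REMOTE_PROTOCOLS)
    if insecure:
        findings.append(Finding("INSECURE_REMOTE", "high",
                                "insecure remote-access protocols enabled: " + ", ".join(insecure)))
    age_days = (today - dev.firmware_date).days
    if age_days > FIRMWARE_MAX_AGE_DAYS:
        if dev.patchable:
            findings.append(Finding("STALE_FIRMWARE", "medium",
                                    f"firmware is {age_days} days old; apply vendor patches"))
        elif not dev.network_monitoring:
            # Aging or fragile equipment that cannot be patched should have
            # real-time network monitoring and incident response instead.
            findings.append(Finding("NO_COMPENSATING_CONTROL", "high",
                                    "unpatchable device without network monitoring"))
    if dev.removable_media_ports:
        findings.append(Finding("MEDIA_PORTS", "medium",
                                "removable-media ports enabled; disable or restrict them"))
    return findings

def review_inventory(devices, today):
    """Map each device name to its findings, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    return {d.name: sorted(review_device(d, today), key=lambda f: order[f.severity])
            for d in devices}

def severity_counts(report):
    """Count findings per severity across the whole inventory."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for f in (f for findings in report.values() for f in findings):
        counts[f.severity] += 1
    return counts

# Constructed sample inventory: traffic-sensor gateway, pump controller, legacy RTU.
SAMPLE_DEVICES = [
    Device("traffic-sensor-gw-01", internet_facing=False, encrypted_comms=False,
           login=("admin", "admin"), two_factor=False,
           remote_protocols=frozenset({"telnet"}), firmware_date=date(2012, 3, 1),
           patchable=True, network_monitoring=False, removable_media_ports=True),
    Device("pump-plc-07", internet_facing=True, encrypted_comms=True,
           login=("ops", "S3nsor!Lane"), two_factor=True,
           remote_protocols=frozenset({"ssh", "https"}), firmware_date=date(2011, 6, 15),
           patchable=False, network_monitoring=True, removable_media_ports=False),
    Device("legacy-rtu-03", internet_facing=False, encrypted_comms=True,
           login=("ops", "Lo0p-D3tect"), two_factor=False,
           remote_protocols=frozenset({"ssh"}), firmware_date=date(2009, 1, 20),
           patchable=False, network_monitoring=False, removable_media_ports=False),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_DEVICES, REVIEW_DATE).items():
        print(name, [f"{f.severity}:{f.rule}" for f in findings])
```

The legacy RTU shows the report's point about aging equipment: it is not flagged for stale firmware because it cannot be patched, but it is flagged because no monitoring compensates for that.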
Out of convenience, people and organizations have adopted technology into nearly every aspect of their
daily lives and operations. Physical devices are linking or connecting to the cyber realm at an exponential
rate. As atypical devices with “smart” functionalities and Internet capabilities become connected to the
Internet of Things, they also become hackable. Sharing or storing information on external networks also
relinquishes control of the data to third-party vendors and services. Even worse, technology adoption is
surpassing the ability to secure it. This is especially concerning as cyber security has become a
component of an organization’s overall security posture.
The convergence of traditional and cyber threats has created the need for integration of the security
disciplines. Adversaries have become more sophisticated in their exploits, often involving both traditional
and cyber attack vectors. Traditional security organizations and jobs are more frequently including cyber
security responsibilities as the line between cyber and real-world security incidents becomes indistinct.
Information security – traditionally the protection of sensitive or proprietary information – and financial
security have almost become synonymous with cyber security because most information and financial
data is now transmitted and stored on computer networks.
According to former DHS Secretary Michael Chertoff, “one of the biggest misconceptions is that cyber
security is a hardware or software problem; the reality is that it is a people problem.” Understanding
adversaries and addressing both technical and human vulnerabilities is critical. A strong security posture
depends upon a culture where security is everyone’s responsibility, especially when the actions of one
person, or one weak link, can compromise the entire enterprise.
Examination of the case studies presented in this white paper reveals countermeasures that OSAC
constituents could incorporate into their security strategies to prevent or lessen the impact of security
incidents with a cyber nexus:
Contact Information
For further information or inquiries, please contact OSAC’s Coordinator for Information Security & Cyber
Threats.
OSAC constituents can confidentially report traditional or cyber security incidents abroad on the OSAC
website at https://www.osac.gov/Pages/IncidentSubmission.aspx or by directly contacting the OSAC
Research and Analysis Unit (RAU).
Annexure 3
Assessment Criteria
Criteria for Assessment of Trainees
Marks Allocation. Each performance criterion (PC) is listed as: PC text | Out of | Theory | Skills Practical. The Total Mark for each NOS is given on its heading line.

1. SSC/N0901 (Contribute to managing information security). Total Mark: 100
PC1. establish your role and responsibilities in contributing to managing information security | 12.5 | 12.5 | 0
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines | 12.5 | 0 | 12.5
PC3. carry out security assessment of information security systems using automated tools | 12.5 | 0 | 12.5
PC4. carry out configuration reviews of information security systems using automated tools, where required | 12.5 | 0 | 12.5
PC5. carry out backups of security devices and applications in line with information security policies, procedures and guidelines, where required | 12.5 | 0 | 12.5
PC6. maintain accurate daily records/logs of information security performance parameters using standard templates and tools | 6.25 | 0 | 6.25
PC7. analyze information security performance metrics to highlight variances and issues for action by appropriate people | 6.25 | 6.25 | 0
PC8. provide inputs to root cause analysis and the resolution of information security issues, where required | 6.25 | 0 | 6.25
PC9. update your organization’s knowledge base promptly and accurately with information security issues and their resolution | 6.25 | 0 | 6.25
PC10. obtain advice and guidance on information security issues from appropriate people, where required | 6.25 | 6.25 | 0
Total | 100 | 25 | 75

3. SSC/N0903 (Install, configure and troubleshoot information security devices). Total Mark: 100
PC1. identify the information security devices you are required to install/configure/troubleshoot and source relevant instructions and guidelines | 12.5 | 6.25 | 6.25
PC2. identify any issues with instructions and guidelines for installing/configuring information security devices and clarify these with appropriate people | 12.5 | 0 | 12.5
PC3. liaise with stakeholders clearly and promptly regarding the installation/configuration of information security devices | 12.5 | 12.5 | 0
PC4. install/configure information security devices as per instructions and guidelines | 12.5 | 0 | 12.5
PC5. test installed/configured information security devices, following instructions and guidelines | 12.5 | 0 | 12.5
PC6. resolve problems with security devices, following instructions and guidelines | 12.5 | 0 | 12.5
PC7. obtain advice and guidance on installing/configuring/testing/troubleshooting information security devices from appropriate people, where required | 6.25 | 6.25 | 0
PC8. record the installation/configuration/testing/troubleshooting of information security devices promptly using standard templates and tools | 6.25 | 0 | 6.25
PC9. provide reports for troubleshooting, configurations and deployment using standard templates and tools | 6.25 | 0 | 6.25
PC10. comply with your organization’s policies, standards, procedures, guidelines and service level agreements (SLAs) when installing/configuring/troubleshooting information security devices | 6.25 | 0 | 6.25
Total | 100 | 25 | 75

4. SSC/N0904 (Contribute to information security audits). Total Mark: 100
PC1. establish the nature and scope of information security audits and your role and responsibilities within them | 12.5 | 12.5 | 0
PC2. identify the procedures/guidelines/checklists for the audit tasks you are required to carry out | 12.5 | 0 | 12.5
PC3. identify any issues with procedures/guidelines/checklists for carrying out audit tasks and clarify these with appropriate people | 12.5 | 0 | 12.5
PC4. collate information, evidence and artifacts when carrying out audits | 6.25 | 0 | 6.25
PC5. carry out required audit tasks using standard tools and following established procedures/guidelines/checklists | 12.5 | 0 | 12.5
PC6. refer to appropriate people where audit tasks are beyond your levels of knowledge, skills and competence | 12.5 | 12.5 | 0
PC7. record and document audit tasks and audit results using standard tools and templates | 12.5 | 0 | 12.5
PC8. review results of audit tasks with appropriate people and incorporate their inputs | 12.5 | 0 | 12.5
PC9. comply with your organization’s policies, standards, procedures, guidelines and checklists when contributing to information security audits | 6.25 | 0 | 6.25
Total | 100 | 25 | 75

5. SSC/N0905 (Support teams to prepare for and undergo information security audits). Total Mark: 100
PC1. establish the nature and scope of information security audits and your role and responsibilities in preparing for them | 6.25 | 6.25 | 0
PC2. identify the procedures/guidelines/checklists that will be used for information security audits | 12.5 | 0 | 12.5
PC3. identify the requirements of information security audits and prepare for audits in advance | 25 | 12.5 | 12.5
PC4. liaise with appropriate people to gather data/information required for information security audits | 12.5 | 0 | 12.5
PC5. organize data/information required for information security audits using standard templates and tools | 12.5 | 6.25 | 6.25
PC6. provide immediate support to auditors to carry out audit tasks | 12.5 | 0 | 12.5
PC7. participate in audit reviews, as required | 6.25 | 0 | 6.25
PC8. comply with your organization’s policies, standards, procedures, guidelines and checklists when supporting teams to prepare for and undergo information security audits | 12.5 | 0 | 12.5
Total | 100 | 25 | 75

6. SSC/N9001 (Manage your work to meet requirements). Total Mark: 100
PC1. establish and agree your work requirements with appropriate people | 6.25 | 0 | 6.25
PC2. keep your immediate work area clean and tidy | 12.5 | 6.25 | 6.25
PC3. utilize your time effectively | 12.5 | 6.25 | 6.25
PC4. use resources correctly and efficiently | 18.75 | 6.25 | 12.5
PC5. treat confidential information correctly | 6.25 | 0 | 6.25
PC6. work in line with your organization’s policies and procedures | 12.5 | 0 | 12.5
PC7. work within the limits of your job role | 6.25 | 0 | 6.25
PC8. obtain guidance from appropriate people, where necessary | 6.25 | 0 | 6.25
PC9. ensure your work meets the agreed requirements | 18.75 | 6.25 | 12.5
Total | 100 | 25 | 75

7. SSC/N9002 (Work effectively with colleagues). Total Mark: 100
PC1. communicate with colleagues clearly, concisely and accurately | 20 | 0 | 20
PC2. work with colleagues to integrate your work effectively with theirs | 10 | 0 | 10
PC3. pass on essential information to colleagues in line with organizational requirements | 10 | 10 | 0
PC4. work in ways that show respect for colleagues | 20 | 0 | 20
PC5. carry out commitments you have made to colleagues | 10 | 0 | 10
PC6. let colleagues know in good time if you cannot carry out your commitments, explaining the reasons | 10 | 10 | 0
PC7. identify any problems you have working with colleagues and take the initiative to solve these problems | 10 | 0 | 10
PC8. follow the organization’s policies and procedures for working with colleagues | 10 | 0 | 10
Total | 100 | 20 | 80

8. SSC/N9003 (Maintain a healthy, safe and secure working environment). Total Mark: 100
PC1. comply with your organization’s current health, safety and security policies and procedures | 20 | 10 | 10
PC2. report any identified breaches in health, safety, and security policies and procedures to the designated person | 10 | 0 | 10
PC3. identify and correct any hazards that you can deal with safely, competently and within the limits of your authority | 20 | 10 | 10
PC4. report any hazards that you are not competent to deal with to the relevant person in line with organizational procedures and warn other people who may be affected | 10 | 0 | 10
PC5. follow your organization’s emergency procedures promptly, calmly, and efficiently | 20 | 10 | 10
PC6. identify and recommend opportunities for improving health, safety, and security to the designated person | 10 | 0 | 10
PC7. complete any health and safety records legibly and accurately | 10 | 0 | 10
Total | 100 | 30 | 70

9. SSC/N9004 (Provide data/information in standard formats). Total Mark: 100
PC1. establish and agree with appropriate people the data/information you need to provide, the formats in which you need to provide it, and when you need to provide it | 12.5 | 12.5 | 0
PC2. obtain the data/information from reliable sources | 12.5 | 0 | 12.5
PC3. check that the data/information is accurate, complete and up-to-date | 12.5 | 6.25 | 6.25
PC4. obtain advice or guidance from appropriate people where there are problems with the data/information | 6.25 | 0 | 6.25
PC5. carry out rule-based analysis of the data/information, if required | 25 | 0 | 25
PC6. insert the data/information into the agreed formats | 12.5 | 0 | 12.5
PC7. check the accuracy of your work, involving colleagues where required | 6.25 | 0 | 6.25
PC8. report any unresolved anomalies in the data/information to appropriate people | 6.25 | 6.25 | 0
PC9. provide complete, accurate and up-to-date data/information to the appropriate people in the required formats on time | 6.25 | 0 | 6.25
Total | 100 | 25 | 75

10. SSC/N9005 (Develop your knowledge, skills and competence). Total Mark: 100
PC1. obtain advice and guidance from appropriate people to develop your knowledge, skills and competence | 10 | 0 | 10
PC2. identify accurately the knowledge and skills you need for your job role | 10 | 0 | 10
PC3. identify accurately your current level of knowledge, skills and competence and any learning and development needs | 20 | 10 | 10
PC4. agree with appropriate people a plan of learning and development activities to address your learning needs | 10 | 0 | 10
PC5. undertake learning and development activities in line with your plan | 20 | 10 | 10
PC6. apply your new knowledge and skills in the workplace, under supervision | 10 | 0 | 10
PC7. obtain feedback from appropriate people on your knowledge and skills and how effectively you apply them | 10 | 0 | 10
PC8. review your knowledge, skills and competence regularly and take appropriate action | 10 | 0 | 10
Total | 100 | 20 | 80