
Trainer’s Handbook – Security Analyst

Trainer’s Handbook

Security Analyst
SSC/ Q0901


Copyright (c) 2015

NASSCOM
4E-vandana Building (4th Floor)
11, Tolstoy Marg, Connaught Place
New Delhi 110 001, India
T 91 11 4151 9230; F 91 11 4151 9240
E ssc@nasscom.in
W www.nasscom.in

Disclaimer

The information contained herein has been obtained from sources reliable to NASSCOM.
NASSCOM disclaims all warranties to the accuracy, completeness or adequacy of such
information. NASSCOM shall have no liability for errors, omissions, or inadequacies, in the
information contained herein, or for interpretations thereof. Every effort has been made to
trace the owners of the copyright material included in the book. The publishers would be
grateful for any omissions brought to their notice for acknowledgements in future editions of
the book.

No entry in NASSCOM shall be responsible for any loss whatsoever, sustained by any person
who relies on this material. The material in this publication is copyrighted. No parts of this
report can be reproduced either on paper or electronic media, unless authorized by
NASSCOM.


Foreword
The Indian IT-ITeS industry has built its reputation in the global arena on several differentiators, chief
among them being the availability of manpower. Organizations across the world recognize the value
India brings to every engagement with its vast and readily available pool of IT professionals. Global
entities have found it extremely effective to leverage this significant resource in order to enjoy a
competitive edge and innovation benefits.
In the coming years, the landscape is expected to shift in ways that reveal more exciting opportunities.
The world will require people with advanced technology skills and domain knowledge, set against a
backdrop of heightened labour mobility across occupations and markets. India is largely
acknowledged to be heir apparent to the benefits of a demographic dividend over the coming
decades, which has the potential to see the nation emerge as one of the world’s largest population
base of employable youth. With many other countries set to face the effects of an aging and
retirement-ready workforce, India is poised to become a sought after destination for those seeking
higher value add and specialized services.
Global markets are on their way towards revival and recovery, and this is well reflected in the proactive
recruitment measures taken by IT-ITeS organizations in India in recent times. India’s IT-BPM industry
is on track to achieve its target of USD 225 billion by 2020. From a base of about 3.1 million employees
in FY2014, the industry is expected to add another 2 million employees by 2020. Indirect
employment generated by 2020 is expected to be 3X the total direct employment number, at between
13-16 million by 2020.
To realize India’s potential of emerging as a skills hub of the world, a significant amount of foresight
and work is requisite. It is imperative that stakeholders engage in a concerted effort to undertake the
transformation of the labour pool estimated to enter the market into skilled and employable talent.
Enabling the creation of a future industry-ready cohort will give the IT-ITeS industry an edge in
leadership and sustainability.
One of the growing areas of global interest and concern is Information/ Cyber Security. This led to the
identification of the “hot skills” du jour, resulting in the formal creation of a Qualification Pack (QP) or
job role framework for the role of a Security Analyst. The QP is designed to capture the skills required
by the IT-BPM industry for an entry level position in this field.
To ensure the creation of an academic course that is both relevant and viable, IT-ITeS Sector Skills
Council NASSCOM (SSC NASSCOM) partnered with key industry stakeholders, including Cyber Eye
Research, Cypher Cloud, Deloitte, First American, HCL, HDFC, IBM, ISC2, Karvy Analytics, NIIT
University, PwC, Symantec, TCS, Wells Fargo, and the Data Security Council of India (DSCI) for design
of the curricula and courseware. In addition, the program addresses the need for faculty support, and
achieves this by acquainting trainers with the latest advancements in pedagogy.
We wish the universities and colleges all the very best in their endeavor.

R Chandrashekhar
President
NASSCOM


Acknowledgements
NASSCOM would like to thank its member company representatives within the Security Analyst
Special Interest Group (SIG) Council for believing in our vision to enhance the employability of the
available engineering student pool. SSC NASSCOM facilitates this by developing and enabling the
implementation of courses relevant to projected industry needs. The aim is to address two key
requirements, of closing the industry-academia skill gap, and of creating a talent pool that can
reasonably weather future externalities in the IT-BPM industry.
NASSCOM believes that this is an initiative of great importance for all stakeholders concerned – the
industry, academia, and the students. The tremendous amount of work and ceaseless support offered
by the members of this SIG in developing a meaningful strategy for the content and design of program
training materials has been truly commendable.
We would like to particularly thank Cyber Eye Research Labs, DSCI, First American, Karvy Analytics, and
Symantec for bringing much needed focus to this effort.
NASSCOM recognizes the fantastic contributions of Mr. Ram Ganesh at Cyber Eye Research Labs; Mr.
Ashok Polapragada and Mr. Ranjit Kumar at Karvy Analytics; Mr. Dwaraka Ramana K at First American;
Dr Giri T at Cypher Cloud; and Mr. Nanda Kumar Sarvade, Mr. Vinayak Godse and Mr. Aditya Bhatia at
DSCI.
We acknowledge with sincere gratitude the immense contribution of the SIG member companies,
Deloitte, HCL, HDFC, IBM, ISC2, NIIT University, PwC, Symantec, TCS, Wells Fargo for their part in the
creation of this course and its accompanying training materials.

We extend our thanks to PROGILENCE Capability Development Pvt. Ltd. for producing this course
publication.

Dr Sandhya Chintala
Executive Director – Sector Skill Council
Vice President – NASSCOM


Prologue
The tectonic shifts in the digital world have resulted in parallel shifts in our relationship with
technology, accompanied by a heightened awareness of security concerns. For instance, functions
such as protecting an individual or entity from digital security threats, or devising robust security
measures that will help maintain the integrity of data, are growing areas of importance.

It is not surprising then that the field of Cyber Security has grown swiftly over the past few years,
especially in view of its implications for developing meaningful business strategies or government
policy. There is a rise in key services that now include guarding sensitive information within a company
or body, implementing required security measures to avoid breaches, avoiding any flaws in security
systems, and preventing unauthorized access to networks. What remains to be addressed is the
projected demand for a relevant and qualified workforce. The creation of a job role framework for the
Security Analyst role is a welcome endeavor that will contribute towards bridging any shortfall.

The content of this book caters to a holistic set of skilling areas, including the study of core
technologies currently adopted in this field and the industry as a whole, and the development of
familiarity with the professional environments that students will likely operate in after graduation. It
incorporates a blend of domain concepts, hands-on practice sessions, and sessions covering auxiliary
skills such as communication and problem solving skills. The incorporated aspects of the facilitator
guide and student handbook are expected to act as effective companions in the learning process. This
mixture is designed to prepare students for the transition from the academic to the professional in an
industry-relevant manner.

This first edition of the publication has been developed by NASSCOM in conjunction with industry
leaders who have operated and studied the field of Cyber Security extensively. I congratulate the team
effort in successfully creating material that will be widely available, accessible and applicable. The
Security Analyst course will be offered to B.Tech candidates who can register to take it in any semester
beginning with the second half of their third year.

This publication will act as an important resource for students as they prepare for the new tide, and
this in turn will contribute to keeping our workforce in the forefront.

Vice Chancellor
JNTUH


About the Qualification Pack

JOB ROLE: Security Analyst (Information/System Security Analyst/Engineer)

OCCUPATION: Information Security

Note: All the Horizontals - Occupations, Tracks and Job Roles cut across the Industry Verticals.

Security Analyst is from the Occupation “Information Security” under the IT Services sub-sector.


The qualification SSC/Q0901 is part of the IT-ITeS Sector and the IT Services subsector.
This qualification’s eligibility requirements and National Occupational Standards are listed below.

Qualifications Pack Code: SSC/Q0901
Job Role: Security Analyst (this job role is applicable in both national and international scenarios)
Credits (NVEQF/NVQF/NSQF):
Version number: 0.1
Sector: IT-ITeS
Sub-sector: IT Services
Occupation: Information Security
Drafted on: 30/04/13
Last reviewed on: 30/04/13
Next review date: 30/06/14
NSQF level: 7
Minimum Educational Qualifications: Diploma in Engineering or any graduate course
Maximum Educational Qualifications: Bachelor's Degree in Science/Technology/Computers
Training (Suggested but not mandatory): Certification in Information systems or related fields, Basic soft skills training
Experience: 0-2 years of work experience/internship in security

Applicable National Occupational Standards (NOS)
Compulsory:
1. SSC/N0901 (Contribute to managing information security)
2. SSC/N0902 (Co-ordinate responses to information security incidents)
3. SSC/N0903 (Install and configure information security devices)
4. SSC/N0904 (Contribute to information security audits)
5. SSC/N0905 (Support teams to prepare for and undergo information security audits)
6. SSC/N9001 (Manage your work to meet requirements)
7. SSC/N9002 (Work effectively with colleagues)
8. SSC/N9003 (Maintain a healthy, safe and secure working environment)
9. SSC/N9004 (Provide data/information in standard formats)
10. SSC/N9005 (Develop your knowledge, skills and competence)

Optional:
Not Applicable


JNTUH Syllabus for Security Analyst

Objectives:
 To introduce the terminology, technology and its applications
 To introduce the concept of Security Analyst
 To introduce the tools, technologies & programming languages which are used in the day-to-day
security analyst job role.

Information Security Management (Security Analyst – I)

Unit I : Information Security Management
Information Security Overview, Threats and Attack Vectors, Types of Attacks, Common Vulnerabilities
and Exposures (CVE), Security Attacks, Fundamentals of Information Security, Computer Security
Concerns, Information Security Measures etc.

Unit II : Fundamentals of Information Security
Key Elements of Networks, Logical Elements of Network, Critical Information Characteristics,
Information States etc.

Unit III : Data Leakage
What is Data Leakage and statistics, Data Leakage Threats, Reducing the Risk of Data Loss, Key
Performance Indicators (KPI), Database Security etc.

Unit IV : Information Security Policies, Procedures and Audits
Information Security Policies - necessity - key elements & characteristics, Security Policy
Implementation, Configuration, Security Standards - Guidelines & Frameworks etc.

Unit V : Information Security Management – Roles and Responsibilities
Security Roles & Responsibilities, Accountability, Roles and Responsibilities of Information Security
Management, team - responding to emergency situation - risk analysis process etc.

Text Books:
Prescribed books:-
1. Management of Information Security by Michael E. Whitman and Herbert J. Mattord
References:-
1. http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
2. http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf


Information Security Assessments & Audits (Security Analyst – II)

Unit I : Information Security Performance Metrics and Audit
Security Metrics and Reporting, Common Issues and Variances of Performance Metrics, Introduction
to Security Audit, Servers and Storage devices, Infrastructure and Networks, Communication Routes,
Information Security Methodologies (Black-box, White-box, Grey-box), Phases of Information Security
Audit and Strategies, Ethics of an Information Security Auditor etc.

Unit II : Information Security Audit Tasks, Reports and Post Auditing Actions
Pre-audit checklist, Information Gathering, Vulnerability Analysis, External Security Audit, Internal
Network Security Audit, Firewall Security Audit, IDS Security Auditing, Social Engineering Security
Auditing, Web Application Security Auditing, Information Security Audit Deliverables & Writing
Report, Result Analysis, Post Auditing Actions, Report Retention etc.

Unit III : Vulnerability Management
Information Security Vulnerabilities – Threats and Vulnerabilities, Human-based Social Engineering,
Computer-based Social Engineering, Social Media Countermeasures, Vulnerability Management –
Vulnerability Scanning, Testing, Threat management, Remediation etc.

Unit IV : Information Security Assessments
Vulnerability Assessment, Classification, Types of Vulnerability Assessment, Vulnerability Assessment
Phases, Vulnerability Analysis Stages, Characteristics of a Good Vulnerability Assessment Solution
& Considerations, Vulnerability Assessment Reports – Tools and choosing the right Tool, Information
Security Risk Assessment, Risk Treatment, Residual Risk, Risk Acceptance, Risk Management Feedback
Loops etc.

Unit V : Configuration Reviews
Introduction to Configuration Management, Configuration Management Requirements - Plan - Control,
Development of Configuration Control Policies, Testing Configuration Management etc.

Text Books:
Prescribed books:-
1. Assessing Information Security (strategies, tactics, logic and framework) by A. Vladimirov,
K. Gavrilenko, and A. Michajlowski
2. The Art of Computer Virus Research and Defense by Peter Szor
References:-
1. https://www.sans.org/reading-room/whitepapers/threats/implementing-vulnerability-management-process-34180
2. http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf


Information Security Incident Response & Management (Security Analyst – III)

Unit I : Managing Information Security Services
Configuring Network Devices, Identifying Unauthorized Devices, Testing the Traffic Filtering Devices,
Configuring Router, Configuring Modes – Router/Global/Interface/Line/Privilege EXEC/ROM/User
EXEC, Configuring a banner/Firewall/Bastion Host/VPN server etc.

Unit II : Troubleshooting Network Devices and Services
Introduction & Methodology of Troubleshooting, Troubleshooting of Network Communication -
Connectivity - Network Devices - Network Slowdowns - Systems - Modems etc.

Unit III : Information Security Incident Management & Data Backup
Information Security Incident Management overview - Handling - Response, Incident Response Roles
and Responsibilities, Incident Response Process etc.
Data Backup introduction, Types of Data Backup and its techniques, Developing an Effective Data Backup
Strategy and Plan, Security Policy for Backup Procedures.

Unit IV : Log Correlation
Computer Security Logs, Configuring & Analyzing Windows Logs, Log Management - Functions &
Challenges, Centralized Logging and Architecture, Time Synchronization – NTP/NIST etc.

Unit V : Handling Network Security Incidents
Network Reconnaissance Incidents, Network Scanning Security Incidents, Network Attacks and
Security Incidents, Detecting DoS Attack, DoS Response Strategies, Preventing/stopping a DoS Incident
etc.

Unit VI : Handling Malicious Code Incidents
Incident Handling Preparation, Incident Prevention, Detection of Malicious Code, Containment
Strategy, Evidence Gathering and Handling, Eradication and Recovery, Recommendations etc.

Project:

Text Books:
Prescribed books:-
1. Managing Information Security Risks, The OCTAVE Approach by Christopher Alberts and Audrey
Dorofee
2. Cryptography and Network Security (4th Edition) by William Stallings
References:-
1. https://www.sans.org/reading-room/whitepapers/incident/security-incident-handling-small-organizations-32979


Classroom and Lab Requirements:


1. PCs/Tablets/Laptops
2. Labs availability (24/7)
3. Internet with WiFi (Min 2 Mbps Dedicated)
4. Networking Equipment- Routers & Switches
5. Firewalls and Access Points
6. Access to all security sites like ISO, PCI DSS
7. Commercial Tools like HP Web Inspect, IBM AppScan, etc.
8. Open Source tools like sqlmap, Nessus, Nmap, Metasploit Community edition etc.
9. Anti-Virus and Anti-Spam software
10. Security templates from various sites ITIL, ISO, etc.
11. Projection facilities

The above equipment has to be made available for classwork and for research work in non-class
hours. The equipment has to have relatively high speed and current OS and other software
applications.

Students need to have an adequate number of terminals for individual use for an adequate number of
hours.

The equipment needs to be installed in keeping with all health and safety measures. Any routine
breakdowns should be promptly addressed.


Table of Contents
Facilitator’s Guide …17

An Introduction: The industry, sub-sector, occupation and career …37

1. SSC/N0901: Contribute to managing information security …49
i. Information Security and Threats
ii. Fundamentals of Information Security
iii. Data Leakage and Prevention
iv. Information Security Policies, Procedures, Standards and Guidelines
v. Information Security Management – Roles and Responsibilities
vi. Information Security Performance Metrics
vii. Risk Assessment
viii. Configuration Review
ix. Device Log Correlations
x. Data Backup

2. SSC/N0902: Coordinate responses to information security incidents …231
i. Incident response overview
ii. Incident Response – Roles and Responsibilities
iii. Incident Response Process
iv. Handling Malicious Code Incidents
v. Handling Network Security Incidents

3. SSC/N0903: Install, configure and troubleshoot information security devices …315
i. Configuring Network Devices
ii. Configuring Secure Content Management
iii. Configuring Firewall
iv. Troubleshooting Cisco IOS Firewall Configurations
v. Cisco IOS Firewall IDS
vi. IPS Configuration
vii. Anti-virus and Antispam Software
viii. Web Application Security Configuration
ix. Patch Management

4. SSC/N0904: Contribute to information security audits; SSC/N0905: Support teams to
prepare for and undergo information security audits …523
i. Information Security Audit
ii. Work and Work Environment
iii. Information Security Auditor
iv. Vulnerability Analysis
v. Penetration Testing

vi. Information Security Audit Tasks
vii. Audit Reports and Actions
viii. Audit Support Activities

5. SSC/N9001: Contribute to managing information security …637
i. Understanding scope of work and working within limits of authority
ii. Work and work environment
iii. Maintaining confidentiality

6. SSC/N9002: Work effectively with colleagues …667
i. Effective Communication
ii. Working Effectively

7. SSC/N9003: Maintain a healthy, safe and secure working environment …685
i. Need For Health and Safety at Work
ii. Security Analyst’s role
iii. Emergency Situations
iv. Skills for Maintaining Health and Safety at Work

8. SSC/N9004: Provide data/information in standard formats …761
i. Information and Knowledge Management
ii. How to manage data/information effectively
iii. Skills required to manage data and information effectively
iv. Performance Evaluation Criteria for an Information Security Analyst

9. SSC/N9005: Develop knowledge, skills & competence …785
i. Importance of Self-Development
ii. Knowledge and Skills Required for the Job
iii. Avenues of Self-Development
iv. Planning for Self-Development

Annexures …839
1. Security Assessment Template
2. Case studies
3. Assessment Criteria


Facilitator’s Guide

Training Methodology

Facilitator- Knowledge and Skills

Formative Assessment

Learning Principles

Instructional Methods

Some important instructions for Trainers


TRAINING METHODOLOGY
The training methodology is to be selected keeping in mind the background and ability levels
of the students as well as the adult learning principles.
Focus will be on:
 encouraging the learners to discover the information through research, activities and
questioning techniques.
 providing an opportunity to every participant to practice and perform the practical
criteria that they are expected to learn in the session
 incorporating the following principles in the training methodology

Teacher’s Role

The role of a Teacher in this program is to “Assist each participant to reach an acceptable
workplace competency standard through effective training.”
In order to do that the teacher must first ensure that s/he is fully competent to take on this
role, i.e. the teacher has the right Knowledge, Skill and Attitude as a Facilitator and a Subject
Matter Expert.


FACILITATOR – KNOWLEDGE AND SKILLS

What is Competence?
Competence is the ability to consistently carry out tasks to a standard of performance required in
the workplace that demonstrates performance outcomes, knowledge, understanding and skills.

What are National Occupational Standards (NOS)?
Occupational Standards describe what a person should be able to do, know and understand in order
to carry out work competently and consistently. When they are applicable and recognised Nationally
they become National Occupational Standards (NOS).
NOS are called ‘Standards’ because they are performance outcomes, which have been agreed by
employers and key stakeholders from the industry, for any person performing that particular job role.
The standards are developed in consultation with a wide range of people experienced in the areas
covered by the competency standards. This consultation is to ensure that the standards are relevant
to as wide a range of workplaces as possible.
Each NOS covers:
 Performance Criteria
 Knowledge and Understanding
o Organisational Context
o Technical
 Core/Generic Skills
 Professional Skills

What is a Qualification Pack?
Each job role will require the performance of a number of tasks. The combination of all the NOSs
corresponding to these tasks would form the Qualification Pack (QP) for that job role. These QPs and
NOSs can form the benchmarks for various education and training programs as well as recruitment.
The QP and NOSs for each job role would correspond to a certain level of skill, knowledge and
responsibility of the National Skills Qualification Framework. The same is indicated in the
Qualification Pack.

What is Competency Based Training (CBT)?
Competency based training focuses on what is expected of a person in the workplace rather than on
the suggested time spent on learning. Competency based training (CBT) relies on the competency
standards to form the basis of all training and assessment resources and learning outcomes. CBT is
an outcome oriented methodology that focuses on what it is that a participant can do and how well
he/she can do it. CBT training materials clearly state what is expected of participants in terms of
performance, in given conditions, and to what standards.
CBT differs from the traditional approach to learning in that it focuses on skill development relative
to the needs of a particular job role, in this case Household Helpers.


FORMATIVE ASSESSMENT

Assessment is the process of measurement. It is a process by which evidence is gathered and
judged/evaluated by an Assessment Practitioner in order to decide whether an individual has
demonstrated the required skills, understanding and knowledge when compared with a
pre-determined standard.
Assessment may be used in different ways and on different occasions according to its purpose. Such
uses of assessment (with clarification) include:
 Diagnostic - Finding out what’s learnt and what gaps there might be. Its purpose is to ascertain,
prior to instruction, each student’s strengths, weaknesses, knowledge, and skills. Establishing these
permits the instructor to remediate students and adjust the curriculum to meet each learner’s unique
needs.
 Formative - Evaluation of an individual learner used to help the individual improve performance;
identification of areas for improvement; specific suggestions for improvement.
 Summative - Tying in all aspects of learning through a final application.
A trainer will be required to engage in Diagnostic and Formative assessment that will help ensure
that the learning outcomes are achieved. Formative assessment incorporates tests within study
units, for example, when students have finished working on a specific learning activity, in order to
allow teachers to diagnose learning needs and adjust teaching at that point.

Assessment methods/tools:
 Observation – of individual performance and/or within a group (of process, attitudes, behaviours
and application of skills)
 practical assessment (of completed job)
 witness/third party evidence (from workplace/from trainer)
 oral and written questioning
 simulation (role play, scenario-building to replicate work-place)
 course work (structured in line with pre-determined standards of performance)
 assignments/reports/projects/presentations
 professional discussion
 evidence of own work from the work-place

Best practices for assessment:
 Define the content and competencies to be assessed in an assessment plan or blueprint as the
first step in creating a valid assessment program.
 Provide evidence that the implemented assessment methods measure what was intended in the
plan.
 Assure that the assessment is reliable, showing the amount of error or variability that could occur
if the same assessment were repeated with the same group of trainees or practitioners.
 Present accumulated evidence of the validity of assessment results for a specific group of people
in specific circumstances to demonstrate that the results can be interpreted to measure what they
are purported to measure.
 Assessment method should be within realistic estimates of cost in time and effort.
 Self-Evaluation and Peer Evaluation should also be used as it helps strengthen the learning
further.

Assessing Presentations

Presentations are used increasingly in training programmes because the ability to present
information is a valuable skill and also reflects the level of understanding achieved. It is not
sufficient simply to ask a student to make an oral presentation. Students need feedback on their
performance in order that they can improve.
The list below is designed to help in the development of assessment criteria and feedback.
 Does the content of the presentation relate to the title and/or purpose of the presentation?
 Is the breadth of the content sufficient?
 Is the depth of the content sufficient?
 Is the message of the presentation clearly put / argued?
 Is the argument consistent?
 Is sufficient evidence given to support arguments?
 Is there evidence of appropriate critical thinking?
 Are conclusions drawn appropriately?
 Is the focus sharp / to the point?
 Does the presenter put her own point of view in an appropriate manner?
 Is the audience engaged – is their attention maintained by the presenter?
 Is the response to questions and comment competent / accurate / adequate (etc)?
 Is time keeping managed well (enough)?
 Is the presentation:
- audible and clear (articulation)
- does the speaker have ‘presence’ and adequate confidence
- is the posture and body language appropriate
- does she make appropriate eye contact
 Is the presentation well structured, with a clear identity of beginning, middle and end?
 Is there use of creativity; is the content or presentation original or creative in some way?
 Are there unexpected features in the content / presentation beyond the expected?

It is stressed that no more than a few of these criteria can be managed by an assessor listening to a
short presentation.
It may be possible to set up situations in which students help each other to develop presentation
skills in a non-tutor led practice session. Groups of students are asked to prepare for a brief
presentation (e.g. 5 / 8 minutes) on an academic topic of interest. Each participant is given a list of
assessment criteria with one sheet for each presenter. The aim of filling in the sheet will be to give
feedback rather than marks. For every presentation, all students fill in one sheet and at the end,
simply hand the sheets to the presenter. The value of such an exercise can be enhanced if students
are asked to reflect on their performance and write an account of the manner by which they will
modify their performance on the next occasion.


A Sample Student Presentations Assessment Sheet

Student name:                                Date:
Course Unit, number and name:
Presentation topic:

Planned learning outcomes | Level of attainment (scored 10 to 1: High / Average / Low) | Tutor’s comments

Academic content
1. Knowledge & understanding of core material: 10 9 8 7 6 5 4 3 2 1
2. Extent, quality and appropriateness of research: 10 9 8 7 6 5 4 3 2 1
3. Conceptual grasp of issues, quality of argument and ability to answer questions: 10 9 8 7 6 5 4 3 2 1

Quality of management
1. Pacing of presentation: 10 9 8 7 6 5 4 3 2 1
2. Effective use of visual material - whiteboard, visual aids, handouts (as appropriate): 10 9 8 7 6 5 4 3 2 1
3. Organisation/structure of material (intro; main body; conclusion): 10 9 8 7 6 5 4 3 2 1

Quality of communication
• Audibility, liveliness and clarity of presentation: 10 9 8 7 6 5 4 3 2 1
• Confidence and fluency in use of English: 10 9 8 7 6 5 4 3 2 1
• Appropriate use of body language (inc. eye contact): 10 9 8 7 6 5 4 3 2 1
• Listening skills: responsiveness to audience: 10 9 8 7 6 5 4 3 2 1

Key areas of competence achieved:

Key development areas:

Assessing tutor:                Signature:                Dept:


LEARNING PRINCIPLES

Here are some Learning Principles and Techniques to use them.

Create a Supportive Environment
Techniques:
1. call each trainee by name throughout training
2. listen to each person's questions and viewpoints
3. never belittle an individual
4. always be courteous and patient
5. assure individuals that mistakes are part of the learning process
6. look for opportunities to validate each person
7. encourage trainees to support one another in learning endeavors
8. ensure that the physical space is as comfortable as possible.

Emphasize Personal Benefits of Training
Techniques:
1. have each participant develop their own personal goals for this training
2. encourage participants to write down specific actions they will take in response to this training.

Use Training Methods that Require Active Participation
Techniques:
1. limit lecturing to trainees
2. encourage participation and sharing of experiences
3. use questioning techniques
4. weave discussion sections with exercises that require trainees to practice a skill or apply knowledge.

Use a Variety of Teaching Methods
To engage all learners, it is best to vary the methods in which information is communicated.
Techniques:
1. group discussion (small and large)
2. skill practice (role-play)
3. lecture
4. case study
5. panel/guest expert
6. group activities
7. question/answer
8. demonstration
9. technology (media, video, computer, interactive)

Provide Structured Learning Opportunities
Empower trainees to be self-directed learners as they strive to fulfill the objectives of the training, by teaching them how to master the content and to become aware of their own learning process.
Techniques:
1. structured note-taking
2. problem-solving exercises
3. brainstorming
4. progress logs
5. evaluating own work and the work of others
6. have them analyze the way they went about doing a learning project
7. encourage participants to support/train one another

Provide Immediate Feedback on Practice
Sensitive feedback helps trainees correct errors and reinforces good behaviors. Adult learners want gentle, constructive criticism.
Techniques:
1. self feedback
2. peer feedback
3. trainer feedback

Meet Trainee's Individual Learning Needs
Techniques:
1. get to know trainees
2. consider each trainee's capabilities and interests
3. encourage individual creativity and initiative
4. pay attention to individual communication
5. acknowledge cultural differences

Make Course Content Relevant and Coherent
Techniques:
1. provide overview of course with objectives
2. relate each new component to previous component
3. when presenting new material, present overall concept first
4. utilize an Experiential Learning Model
5. provide examples of concept that are relevant to trainees' work.


INSTRUCTIONAL METHODS

1. Lecturing and Explaining

The explanation or lecture method is the most used instructional method. If used well it can facilitate effective learning by conveying key facts, concepts and principles. This will provide a framework to guide the learners through a topic and stimulate interest in a subject.

(Image: Lecture)

Effective explanation is characterized by:
• clear statements and examples of what is being explained and its relevance
• logical organisation of information with appropriate examples to illustrate concepts and principles
• linking of key topics, concepts and principles
• re-capping of key points at the end of each sub-topic
• a clear engaging style of presentation
• opportunities for student involvement.

2. Discussion

Discussion can be a very effective method when the main objective is to encourage learners to share information and compare points of view. It can specifically promote co-operative learning and develop thought process and expression.

(Image: Class Discussion)

Managing a planned discussion

Determine the objectives and scope of the particular discussion. Make it clear to the group what the specific purposes are.
• Get the environment right, e.g. the shape of the room, seating arrangements, etc.
• Prepare key questions in advance, but work situationally with the emerging flow of the discussion.
• Treat all viewpoints with respect, even though you might disagree strongly with a position taken.
• Manage the participation of individuals carefully. Do not allow any individuals to monopolise the discussion. However, don't pressure people to contribute.
• Keep the group focused on the topic (allowing for some exploration of related issues) and ensure that contributions are relevant and purposeful. You will need to:
  o clarify vague or confusing remarks
  o challenge obvious misconceptions
  o check that everyone understands the key points raised in the discussion.
• Encourage contributors to support their statements with examples, corroborating facts etc., especially when they show a clear prejudice.
• Note important points so that you can refer to them later on.
• Call a halt to proceedings at the right moment, i.e. when the discussion has covered the topics sufficiently or the group stops being productive in terms of relevant inputs.
• Summarise what has been discussed, identifying the critical learning points and issues.

Structures for promoting discussion

• Rounds: A round simply involves everyone sitting in a circle and commenting briefly on a particular topic in turn. For example it might concern:
  "Questions I would like answered..."
  "Points on which I would like clarification..."
  Rounds work well at the start of a session as they involve each person speaking once before anyone speaks a second time. This establishes a more balanced pattern of interaction and makes it much more likely that individuals will speak again later. Taking your turn in rounds can be threatening in a large group, and students unfamiliar with rounds should be allowed to "pass" when it is their turn.
• Buzz groups, pairs and triads: Buzz groups are simply small groups of two or three students formed spontaneously to discuss a topic for a short period.
  In a pair, it is almost impossible for a student to stay silent, and once students have spoken "in private" they are much more likely to speak afterwards "in public" in the whole group.
  Buzz groups are very useful to get things going, for example: "To start off, how well did you progress with last week's questions and the readings I set? Off you go."
  They are also useful when a difficult topic or some awkwardness has brought a session to a standstill. In such a situation, set a brief task or question for pairs to work on. For example: What are the difficult areas of this topic? What appears to be the best approach to take?
  Triads are more resourceful and rigorous for challenging activities, perhaps because at any given time one of the three is neither speaking nor being directly spoken to, and so can have half an eye on the question or task the group is supposed to be working on.
• Brainstorms: Brainstorming is a very good method for a situation where the aim is to expand people's thinking in an area and generate ideas. In brainstorming, any idea is welcomed and no justification is needed. This method is particularly appropriate at the beginning of a topic to identify existing knowledge and provide a framework for learning. However, brainstorming must be well-conducted, with certain ground rules clearly adhered to. These are:
  o All ideas are accepted without justification.
  o People cannot comment on other people's suggestions.
  o One person acts as the coordinator and writes up comments on the board and keeps a reasonable order on proceedings.
  After an agreed period of time, or when no more suggestions are forthcoming, the group turns its attention to the total list, either accepting it as a statement of a range of possibilities or discussing selected items that seem most useful.

3. Demonstration

Demonstration is a widely used and effective method for teaching skills at all levels. Like explanation, it is always linked in some way to other instructional strategies. For example, learners are unlikely to learn effectively from demonstration alone. They will need guided practice and feedback on how they are doing.

The following is a guide for planning and conducting a demonstration session.

Pre-demonstration planning
• Be clear in your mind about what you are trying to demonstrate.
• Analyse the skill(s) you intend to demonstrate:
• Identify the crucial steps of the activity and break it down into basic operations and procedures.
• Remember that what is easy and comprehensible to you will be less so for most learners. Therefore, try to simplify without sacrificing essential skill components.
• Organise the equipment needed and prepare any teaching aids that will help learners understand what is involved.

Carrying out the demonstration
• Make sure everyone can see.
• Describe what you intend to do and why. Arouse the interest of learners.
• Reveal the main steps of the activity and identify the likely problem areas.
• Accompany each step with a verbal description, and attempt to show the skill from the operator's point of view. However, do keep to the main points. Too much talking will distract students from the visual demonstration.
• Adjust the speed of your movements to suit your learners, especially if they are watching and then copying. Watch for their responses and actions and alter your pace accordingly.
• Inspire confidence in learners as you go along. This way they will be willing and keen to have a go.
• Try not to over-impress or be too absorbed in your own demonstration. Remember that you are trying to help learners achieve competence. Over-indulgence in your skills may rob some learners of self-confidence when they try to practise the skill.
• On finishing the demonstration, check that the process has been fully understood. Ask participants to recap the main points of the activity. This will help to identify gaps in knowledge and reinforce learning.

4. Individual work (self learning)

Learner practice and supervision

Learners need to practise new skills in order to achieve a positive and beneficial result. In providing learners with opportunities for individual practice, you should remember the following.

(Image: Individual Work)

• Plan specific times during the session when individual practice is to be undertaken.
• Arrange the environment with care. Ideally such things should be done before learners arrive, but reality may dictate otherwise. Establish a procedure to re-arrange settings when necessary.
• Ensure that when learners begin, they have an achievable objective in mind.
• Try to ensure that learners are employing the correct procedure right from the start. This is more likely to occur if participants know exactly what they are to do.
• Instil some enthusiasm into the proceedings.
• Be conscious of the group as a whole, even when you are dealing with one person at a time. Listen to what is going on around you in case some learners are bored, confused or giving each other wrong advice.
• Allocate your time fairly between individuals. Adults do not expect equal time every session, but they expect you to be fair overall.
• Provide swift and accurate feedback for learners.
• Be encouraging and praise people for what they are doing or trying to do. The whole purpose of individual practice is to do it more efficiently and effectively. When and where learners experience positive results, their achievement will encourage them to put in more effort for further success. However, until learners achieve some degree of competence, you will need to reinforce their efforts in positive ways.

Structured Reflection

Effective learning is supported when students are actively engaged in the learning process, and structured reflection exercises allow students to explore their experiences, challenge current beliefs and develop new practices and understandings.

Reflection involves describing, analysing and evaluating our thoughts, assumptions, beliefs, theory base and actions. It includes:
1. Looking forward (prospective reflection).
2. Looking at what we are doing now (spective reflection).
3. Looking back (retrospective reflection).

Adult learners have an inbuilt need to direct their own learning. However, they are heavily reliant on their trainers to facilitate the process.

The Trainer can facilitate the process by asking stimulating questions or making statements that make the student think.

5. Group work (cooperative learning)

Much has been written on the benefits of cooperative or collaborative learning. Group-based learning can be very effective as an instructional strategy in a variety of ways as outlined below.
• It encourages communication and team working.
• It facilitates problem solving and decision making.
• It provides an active basis for learning.
• It enables the sharing of knowledge and the meeting of different viewpoints and perspectives.
• It encourages ongoing peer assessment.

However, managing group learning can be difficult and the possible benefits to learners can be offset if group activities are poorly organized and facilitated.

How to conduct group exercises

There is a series of activities an Instructor must attend to for a small group training exercise to be successful. Although the importance of each activity may vary from one class to another, the following areas, at least, must be considered and acted upon.

• Plan out the exercises ahead of time, anticipate potential difficulties and alternative solutions and make notes for your instructions to the class.
• Introduce the exercises. Try, when possible, to distribute people with special skills or talents evenly throughout the groups and avoid putting trainees with personality conflicts together in the same group. Try to construct groups so that the more shy trainees will feel free to offer their opinions without inhibition.
• Give clear, concise directions using your prepared notes. Be sure to cover
  o who belongs to which groups
  o where each group will meet (and how to get there)
  o what resources (if applicable) are available - and where
  o how long they will have to solve the problem (stress that timing is important)
  o when and where the class will come back together
  o what the group is to do while working together
  o what your role will be during the exercise and how you will contact them and how they can contact you
  o who are the leaders of each group and what are their responsibilities.
• Conducting the group exercises.
  o Start by ensuring each group has found its study location and got started.
  o Then check progress and interaction within each group during the exercise. If they are having small problems, be patient and encourage them to work things out as a group. Look for participation by the quietest trainees and encourage them.
  o Remind each group of the imminent end of its individual exercises at least five minutes before it is due. Stick to your schedule!
• Conduct the class presentations, summary or review
  o Stay in control of the assembled groups and explain to them what procedures will be applied to cover the time for each group to present
  o as well as rules about interruptions or distractions.
  o Make sure schedules are met fairly.
  o Conduct the summary or discussion of the exercise, making sure each group's efforts are given due credit. Maintain a neutral position.
• Always remember to thank the groups for their participation.

6. Role play

Role-play can be a very useful method when learners need to develop and practise important social and interpersonal skills, for example, client service, conducting drills, meetings, counselling, etc. It enables learners to evaluate their performance and feelings in such situations and develop skills in simulated real life conditions without the consequences of real life failure.

Using role-play

Ensure that learners can authentically and effectively play the roles.
• Provide sufficient - but not too much - information to enable participants to be able to take on the prescribed roles.
• Anticipate and have a plan for possible breakdowns in the role-play.
• Monitor the activity very carefully and be prepared to intervene if there are significant problems. (Judgement is needed here.)
• Ensure a thorough de-brief of the role-play, so that learners are clear as to the purposes of the activity.

7. Questioning

The effective use of questions is one of the most difficult but effective methods for promoting learning. The skilful use of questions can achieve the following results:
• Questions can stimulate interest and motivation.
• Questions can use learners' knowledge for the benefit of the group.
• Questions encourage communication between group members.
• Questions focus thinking skills and the practice of thinking skills.
• Questions encourage the development of self-expression of thought and feelings.
• Questions can be used to assess student knowledge and understanding.

Key tactics in using questions
• Make the questions clear and brief, and ask just one thing at a time.
• Pitch questions at the right level for the individual or group, using language they understand.
• Choose the right type of questions for your purpose, for example, open questions for exploration; closed questions for a focused response.
• Ask questions in an encouraging way. Your manner will often determine the response.
• Pause to give students time to answer. Answering a question involves a series of mental operations: "Do I understand the question?"; "Do I have the answer?"; "Am I prepared to offer it?"; "Actually speak it?". Learn to cope with thinking silences.
• Distribute questions so that everybody has a chance to contribute.
• Sequence questions if you need to ask more than one, and ensure that they are in a logical order.

Responding to student answers
• Respond to students' answers warmly, using non-verbal as well as verbal signals.
• Ensure that incorrect responses are dealt with appropriately. Do not allow an individual to feel embarrassed, but don't allow an incorrect response to pass without correction. Some useful strategies include:
  o rephrasing the question for the individual concerned
  o providing clues to the correct answer
  o allowing other individuals to offer a response.
• If you cannot answer a question, be honest and offer to find the necessary information if it is pertinent to the course of study.

8. Case-studies

A case study is a capture of a real life situation. Cases typically provide information outlining a problem-based scenario, where decisions involving value judgements are involved. The information actually provided varies considerably with cases. Some contain very detailed and comprehensive information; others simply document the key elements of a situation. However, all good case studies have the following features in common.

(Image: Case Study)

• They present an authentic portrayal of important issues and processes in a topic area.
• They are interesting and appropriate for the group of learners.
• They encompass key knowledge for a topic area.
• They promote multiple interpretations of a situation.
• They offer more than one viable possible solution.

As an instructional method, case studies can help achieve the following outcomes.
• Promote skills of critical analysis and problem solving.
• Encourage reflective practice and decision making in complex situations.
• Motivate learners and create a framework for independent learning.

Using case studies

Find case studies involving real people and real situations. These are interesting to the students and assist their understanding. When using the case study method, there are certain "rules" to keep in mind.
• Be clear about what the case can teach and what you want the learners to accomplish.
• Ensure the case has been thoroughly read and digested. Clarify any points of misunderstanding.
• Establish a good climate for discussion in which learners can freely express their views and challenge the views of others.
• Use the case from more than one perspective. Illustrate different ways of framing the problem, and the assumptions and valuations that underpin these differences.
• Use good discussion management techniques.
• Introduce relevant theoretical knowledge, showing linkages of concepts and principles.
• Summarize the key issues and clarify any points of concern.

9. Poster board tours

Groups work together on a task, but also produce a poster summarizing the outcomes of their work. Posters can involve a design or proposal, lists of pros and cons of an approach, or the main features of a case study.

De-briefing this group work can take the form of displaying the posters. Group members may briefly introduce or explain the contents of their posters. Posters can be especially quick and effective as a means of sharing experimental and laboratory work where different groups have undertaken different experiments.

Once the posters are displayed, students can "tour" them, asking for clarification or adding comments and questions.


SOME IMPORTANT INSTRUCTIONS FOR TRAINERS

Before the session

1. Read the Trainers Guide carefully before conducting the training. Familiarise yourself thoroughly with the domain knowledge as well as instructional style.
2. Ensure familiarity with the local language and culture.
3. Always enter the class at least 10 minutes before the session is due to start.
4. Ensure all material/aids/equipment required for the training and activities (as per checklist) are ready and available, in advance.

During the session

5. Carry out an attendance check at the start of every session/day. Keep track of absentees.
6. Ensure all participants complete the required assessments. Maintain a careful record of assessment scores for every participant.
7. Always encourage participants. Never discourage participants from actively engaging in discussions.
8. Provide opportunity and encouragement for every participant to practice and perform the practical criteria that they are expected to learn in the session.
9. Have an ongoing recognition platform/mechanism for appreciating desirable behaviour and practices in the classroom.
10. Follow the lesson plan/session plan. Bring any deviations to the notice of the Head of the Institution.
11. Ensure key learnings are captured at the end of each session.
12. Regularly check participants' work books to ensure all exercises are being completed on time.

After the session

13. Ensure all tools/equipment/material are put back in their assigned places after the session. Encourage the participants to take responsibility for the same.
14. Complete all session related documentation on a day to day basis.


An Introduction:
The Industry, Sub-sector, Occupation & Career

UNIT I: An Overview of the IT-BPM Industry
UNIT II: An Overview of the IT Services Sub-Sector
UNIT III: About Information Security and its Roles


INTRODUCTION
The Industry, Sub-sector, Occupation & Career

This Unit covers:

• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
  1.1. An Overview of the IT-BPM Industry
  1.2. An Overview of the IT Services Sub-Sector
  1.3. About Information Security and its Roles


LESSON PLAN

Performance Outcomes
You need to know and understand:
• A General Overview of the IT-BPM Industry
• The organisations within the IT-BPM Industry
• The sub-sectors within the IT-BPM Industry
• General Overview of the IT Services Sub-Sector
• Profile of the IT Services Sub-Sector
• Key Trends in the IT Services Sub-Sector
• Roles in the IT Services Sub-Sector
• General Overview of Information Security and its Roles
• Career Map for Information Security

Ensuring Measures
1. Give a brief description of the IT-BPM Industry
2. List the types of organisations within the IT-BPM Industry.
3. Research and provide some names of each type
4. State the sub-sectors within the IT-BPM Industry
5. Give a brief description of the IT Services Sub-sector
6. List the key trends in the IT Services Sub-sector
7. List the roles in the IT Services Sub-Sector
8. Give a brief description of Information Security and its Roles
9. Describe the Career Map for Information Security Personnel

Duration (Hrs)
2 Hrs in-class assessment and 2 Hrs offline research and learning activity

Work Environment / Lab Requirement
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Networking Equipment - Routers & Switches


SUGGESTED LEARNING ACTIVITIES

Activity 1:

• Ask students to introduce themselves and state why they have chosen this course.
• Note down all the unique reasons on the board.
• Highlight why Information Security or Cyber Security is the right choice for them.

Activity 2:

• Divide the class into groups of 4 or 5 students each.
• Ask them to research and find out "What could be the 4 major sub-sectors in the IT-ITES sector and what would each sub-sector comprise of".
• Ask them to present, and then share the division given in the course content.

Activity 3:

• Divide the class into groups of 4 or 5 students each.
• Ask them to research and find out "What are the various job categories in the Information Security sector?" and provide a brief description of each of the job categories.
• Ask them to present, and then share the tracks given in the course content.
• Share the role and responsibilities of a Security Analyst.


Training Resource Material

1.1. An Overview of the IT-BPM Industry

General Overview

The Information Technology – Business Process Management (IT-BPM) industry has been fuelling India's growth story. In addition to contributing to the country's Gross Domestic Product (GDP) and exports, the industry has played a big role in influencing the socio-economic parameters across the country.

The industry has helped provide employment and a good standard of living to millions. It has placed India on the world map with an image of a technologically advanced and a knowledge-based economy. Growth of the IT-BPM industry has provided India with a wide range of economic and social benefits which includes creating employment, raising income levels, promoting exports and significantly contributing to the GDP of the country.

This sector attracts amongst the largest investments by venture capitalists and has been credited with enabling the entrepreneurial ventures of many in the country.

The IT-BPM industry has almost doubled in terms of revenue and contribution to India's GDP over the last six years.

Organizations within the IT-BPM Industry

The organisations within the IT-BPM Industry are categorised along the following parameters:
• Sector the organisation is serving
• Type as well as range of offering the organisation provides
• Geographic spread of operations and
• Revenues and size of operations

A broad structure of the Industry based on the parameters identified in the Indian context is represented below:

Multi-national Companies (MNCs):
MNC organisations have their headquarters outside India but operate in multiple locations worldwide, including those in India. They cater to external clients (both domestic and/or global).

Indian Service Providers (ISPs):
ISPs are organisations that have started with their operations in India. Most of these organisations would have their headquarters in India, while having offices at many international locations. While most have a client base which is global as well as domestic, there are some that have focussed on serving only the Indian clients.

Global In-house Centres (GIC):
GIC organisations cater to the needs of their parent company only and do not serve external clients. This model allows the organisation the option to keep IT Operations in-house and at the same time, take advantage of expanding their global footprint and offering opportunities for innovation in a cost-effective manner.

Sub-Sectors within the IT-BPM Industry

The IT-BPM industry has four sub-sectors as listed in the subsequent figure.

Figure: Sub-Sectors in the IT-BPM Industry

IT Services (ITS)
• Custom Application Development (CAD)
• Hardware Deployment and Support
• Software Deployment and Support
• IT Consulting
• System Integration
• Information Systems Outsourcing
• Software Testing
• Network Consultation and Integration
• Education and Training

Business Process Management (BPM)
• Customer Interaction and Support (CIS)
• Finance and Accounting (F&A)
• Human Resource Management (HRM)
• Knowledge Services
• Procurement and Logistics

Engineering and R&D (ER&D)
• Embedded Services
• Engineering Services

Software Products (SPD)
• Product Development


1.2. An Overview of the IT Services Sub-Sector

General Overview

The IT-BPM market, a USD 118 billion market in India in FY2014, is a leading contributor to the services industry in India with respect to employment and revenue. It accounts for 38 per cent of the country's total services exports and contributes 8.1 per cent of India's GDP. It also accounts for INR 1,911 billion in FY2014. The IT Services sub-sector is a major contributor to the overall IT-BPM Industry.

The IT Services (ITS) sub-sector offers services to create and manage information for business functions through a host of activities that include consulting, systems integration, IT outsourcing / managed services / hosting services, training and support / maintenance.

The sub-sector has evolved as a major contributor to India's GDP and plays a vital role in driving economic growth in terms of employment, export promotion and revenue generation.

Figure: IT Services Sub-sector - A Snapshot
• .5 million: the number of people directly employed in the ITS sub-sector
• > 14 %: growth in IT service exports in FY 2014
• 1600+: number of organisations in the ITS sub-sector
• 1: India's position in the IT global landscape
• USD 52 billion: total ITS sub-sector export revenues in FY 2014
• 60 %: total contribution of the ITS sub-sector to industry exports
• 9.7 %: growth of the ITS sub-sector in INR terms in the domestic market in FY 2014


The worldwide IT Services market stood at USD 655 billion in 2013. The Indian IT Services exports form the largest and fastest growing segment of the IT services, with a growth rate of >14 per cent in FY 2014. IT Services exports constituted over half of the entire export of the IT Industry.

Even within the domestic market, IT services is the fastest growing segment in the Indian domestic market, growing by 9.7 per cent to reach INR 727 billion, driven by IS outsourcing, cloud services and increasing adoption from all customer segments – government, enterprise, consumers and small and medium businesses. There are over 1600 companies providing IT services in the country, with the top 5 comprising around 60 per cent of the total revenue from the industry.

The sub-sector has established a record as a major contributor to the country's GDP as well as penetrated into many large sectors - established as well as upcoming ones like healthcare, media, education and retail. This has ensured that the sub-sector is a field in demand, both in the present and the future. With an increased focus on optimising efficiencies, companies in all the sectors see value in leveraging IT to manage their business better and are increasing their IT investments.

The wide scope of the services in this sub-sector creates a requirement for a large variety of skills. This reflects on the range of opportunities available for building a career in IT Services to a varied group of people, and the industry continues to be amongst the most sought after for many young and aspiring individuals.

Profile of the IT Services Sub-Sector

Vertical Profile:
BFSI is the largest driver in this space, claiming half of the entire IT Services export. Other industry verticals like Healthcare, Retail and Media have started making big investments in IT services and are turning into key verticals for the IT Services sub-sector.

An illustrative view of the vertical and horizontal profiles is shown below.

Figure 3: Contribution of Areas in the IT-BPM Industry (FY 2014)


The IT Services sub-sector started off in India with a focus on basic application development and maintenance. The sub-sector has now grown and includes significant footprints in traditional segments which include custom application development, application management, IS outsourcing and software testing. With time, the sector has expanded to provide end-to-end IT solutions and includes consulting, testing services, infrastructure services and system integration in the offering.

After starting off, the IT Services sub-sector served mostly the North American market until the 1990s. While North America continues to be a major importer of Indian IT services, the sub-sector has witnessed entry into other markets, in order to mitigate risk as well as to expand markets, thus servicing clients in a greater number of geographical areas like Latin America, the Asia Pacific and Europe. The client base in these markets is a healthy mix between BFSI, Manufacturing, Retail, Telecom and all key Industry verticals.

Key Trends in the IT Services Sub-Sector

Figure 5: Trends in the IT Services


The IT-BPM industry is standing at a watershed moment in history. In FY 2014, the industry achieved a stellar landmark of crossing US 118 billion in revenues. However, with the industry slowly reaching a stage of maturity and with a business model closely aligned to exports, it faces the brunt of the economic shake-up like the one observed in 2008, which redefined the economic order amongst nations.

While the recovery has gathered pace in the last few months, companies are becoming increasingly conscious that in the globally connected world, the “new normal” will be characterised by business volatility. The ups and downs will be more frequent and companies need to learn how best to manage this volatility.

Occupations and tracks within the IT Services Sub-Sector


1.3. General Overview of Information Security

The Information Security occupation is concerned with protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction. The core function of this occupation is to ensure the confidentiality, integrity and availability of data to the ‘right’ users within/outside of the organisation.

Application Security
Application Security roles are responsible for ensuring stable and secure functioning of the applications. Application Security professionals perform the following functions in an organisation:
 Knowing threats
 Securing the network, host and application
 Incorporating security into the software development process

Risk, Audit and Compliance
Risk Management roles are responsible for assessing, measuring, and managing the security risks to information security of an organisation. These conduct assessments for security threats and vulnerabilities, determine deviations from acceptable pre-defined configurations, enterprise or local policy, assess the level of risk, and develop and/or recommend appropriate mitigation countermeasures in operational and non-operational situations. Key responsibilities also include measuring the maturity of an organisation to ensure that proper security controls are incorporated when developing and running information-security systems. These roles also perform scheduled/unscheduled audits on the organisation’s security systems and processes and ensure compliance.

Security Testing
Security Testing involves devising testing standards and cases for the confidentiality, integrity, authentication, availability, authorisation and non-repudiation of information. Security Testing professionals perform scheduled and ad hoc tests to assess the vulnerability and/or safety of an organisation’s information systems.

Incident Management
Incident Management roles work towards restoring normal service operations in an organisation to minimise the adverse effect on business operations, thus ensuring that the best possible level of service quality and availability is maintained. Incident management professionals manage and protect computer assets, networks and information systems to answer the key question “what to do, when things go wrong”.

Business Continuity Management/Disaster Recovery (BCP/DR)
BCP/DR roles are responsible for improving system availability and integration of IT operational risk management strategies for an organisation. Their work includes:
 Development, implementation, testing, and maintenance of the business continuity management plan
 Recommendation and proof of concept for recovery options
 Assessments and audits for BCP/DR

Network Security
Network Security roles are responsible for defining and implementing overall network security, which includes baseline configuration, change control, security standards and process implementation.

Privacy
Privacy roles are responsible for defining and managing data/information/IP policies etc. for an organisation. These roles require knowledge of information security norms and data privacy norms and regulations. Privacy professionals help define and implement privacy standards, and build privacy awareness to protect an organisation’s information assets.

IT Forensics
IT Forensics roles collect, process, preserve, analyse and present computer-related evidence in support of network vulnerability mitigation, and/or criminal, fraud, counter-intelligence or law-enforcement investigations.

Note on the Information Security occupation:
Information Security related job roles may be performed in any of the following set-ups:
 Consulting
 Managed Services
 Internal function within the organisation
In each of these set-ups, the essential functions and the highlighted tracks remain the same; however, the delivery style, and hence the skills, vary slightly depending upon the set-up.

Trainer’s Guide– Security Analyst SSC/N0901

SSC/ N 0901:
Contribute to Managing Information Security

UNIT I: Information Security and Threats


UNIT II: Fundamentals of Information Security
UNIT III: Data Leakage
UNIT IV: Information Security Policies, Procedures, Standards and
Guidelines
UNIT V: Information Security Management – Roles and
Responsibilities
UNIT VI: Information Security Performance Metrics
UNIT VII: Risk Assessment
UNIT VIII: Configuration Review
UNIT IX: Device Log Correlation

UNIT X: Data Backup


Unit Code: SSC/ N 0901
Unit Title (Task): Contribute to managing information security
Description: This unit is about carrying out specified tasks as part of a team working to ensure information security.
Scope: This unit/ task covers the following:
Information security includes:
 Identify and Access Management (IdAM)
 Physical security
 Networks (wired and wireless)
 Devices
 Endpoints/ edge devices
 Storage devices
 Servers
 Software
 Applications security
 Content management
 Messaging
 Web security
 Security of infrastructure
 Infrastructure devices (e.g. routers, firewall services)
 Computer assets, server and storage networks
 Messaging
 Intrusion detection/ prevention
 Security incident management
 Third party security management
 Personnel security requirements
Backups include:
 Validation
 Tracking
 Consolidation
 Replication
 Configuration
 Logs
 Devices
 Applications
 Software
Appropriate people:
 Line manager


 Members of the security team


 Subject matter experts

Performance Criteria (PC) w.r.t. the Scope


To be competent, you must be able to:
PC1. establish your role and responsibilities in contributing to managing
information security.
PC2. monitor systems and apply controls in line with information security
policies, procedures and guidelines.
PC3. carry out security assessment of information security systems using
automated tools.
PC4. carry out configuration reviews of information security systems
using automated tools, where required.
PC5. carry out backups of security devices and applications in line with
information security policies, procedures and guidelines, where
required.
PC6. maintain accurate daily records/ logs of information security
performance parameters using standard templates and tools.
PC7. analyze information security performance metrics to highlight
variances and issues for action by appropriate people.
PC8. provide inputs to root cause analysis and the resolution of
information security issues, where required.
PC9. update your organization’s knowledge base promptly and accurately
with information security issues and their resolution.
PC10. obtain advice and guidance on information security issues from
appropriate people, where required.
PC11. comply with your organization’s policies, standards, procedures and
guidelines when contributing to managing information security.
Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company/ organization and its processes)
You need to know and understand:
KA1. your organization’s policies, procedures, standards and guidelines for managing information security.
KA2. your organization’s knowledge base and how to access and update the same.
KA3. limits of your role and responsibilities and who to seek guidance from.
KA4. the organizational systems, procedures and tasks/ checklists within the domain and how to use the same.
KA5. how to analyze root causes of information security issues.
KA6. how to carry out information security assessments.
KA7. how to carry out configuration reviews.
KA8. how to correlate devices and logs.
KA9. different types of automation tools and how to use them.
KA10. how to access and analyze information security performance metrics.
KA11. who to involve when managing information security.
KA12. your organization’s information security systems and tools and how
to access and maintain them.


KA13. standard tools and templates available and how to use the same.
B. Technical Knowledge
The user/ individual on the job needs to know and understand:
KB1. fundamentals of information security and how to apply them, including:
 networks
 communication
 application security
KB2. different types of backups for security devices and applications and
how to carry out backups.
KB3. common issues and variances of performance metrics that require
action and whom to report these.
KB4. how to identify and resolve information security vulnerabilities and
issues.


The Units

The module for this NOS is divided into ten units based on the learning objectives as given below:
UNIT I: Information Security and Threats
1.1. Information Security
1.2. Information Assets & Threats

UNIT II: Fundamentals of Information Security


2.1. Elements of information security
2.2. Principles and concepts – data security
2.3. Types of controls

UNIT III: Data Leakage


3.1 Introduction – Data Leakage
3.2 Organisational Data Classification, Location and Pathways
3.3 Content Awareness
3.4 Content Analysis Techniques
3.5 Data Protection
3.6 DLP Limitations
3.7 DRM-DLP Conundrum

UNIT IV: Information Security Policies, Procedures, Standards and Guidelines


4.1. Information Security Policies
4.2. Key Elements of a Security Policy
4.3. Security Standards, Guidelines and Frameworks
4.4. Laws, Regulations and Guidelines

UNIT V: Information Security Management – Roles and Responsibilities


5.1. Information and Data Security Team Structure
5.2. Security Incident Response Team

UNIT VI: Information Security Performance Metrics


6.1. Introduction – Security Metrics
6.2. Types of Security Metrics
6.3. Using Security Metrics
6.4. Developing the Metrics Process
6.5. Metrics and Reporting
6.6. Designing Information Security Measuring Systems


UNIT VII: Risk Assessment


7.1. Risk Overview
7.2. Risk Identification
7.3. Risk Analysis
7.4. Risk Treatment
7.5. Risk Management Feedback Loops
7.6. Risk Monitoring

UNIT VIII: Configuration Reviews


8.1. Configuration Management
8.2. Organisational SecCM Policy
8.3. Identify CM Tools
8.4. Implementing Secure Configurations
8.5. Unauthorised Access to Configuration Stores

UNIT IX: Log Correlation and Management


9.1. Event Log Concepts
9.2. Log Management and its need
9.3. Log Management Process
9.4. Configuring Windows Event Log
9.5. IIS Log Files
9.6. Analysis and Response

UNIT X: Data Backup


10.1. Data Backup
10.2. Types of Backup
10.3. Backup Procedures
10.4. Types of Storage
10.5. Features of a Good Backup Strategy


UNIT I
Information Security and Threats

This unit covers:

 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
1.1. Information Security
1.2. Information Assets & Threats (Virus, Worms, Trojans, Other Threats, Network Attacks)


Lesson Plan

Performance Outcomes: To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
Ensuring Measures: Peer group, Faculty group and Industry experts.
Duration (Hrs): 2 hr in class presentations
Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Projection facilities

Performance Outcomes: You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Ensuring Measures: KA4, KA5. Peer group, Faculty group and Industry experts. KB1 - KB4 Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline Research and Learning activity.
Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security


Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research various types of attacks and get
examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets
the maximum number of correct examples will get a prize.

Activity 2:

Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.


Trainer Resource Material


1.1 Introduction – Information Security
With the pervasive growth and use of digital information, much of which is confidential, there has also been growth in incidents of information theft, including cyber attacks by hackers. This has happened both in governments and in private companies. This has necessitated the need for the position of information security analyst.

Those who work as information security analysts are responsible for keeping information safe from data breaches using a variety of tools and techniques. Information security analysts protect information stored on computer networks, in applications etc. They do this with special software that allows them to keep track of those who can access and who have accessed data. Also, they may perform investigations to determine whether or not data has been compromised, the extent of it and related vulnerabilities.
 Someone at an entry level position may operate the software to monitor and analyze information.
 At senior level positions, one may carry out investigative work to determine whether a security breach has occurred.
 At higher levels people design systems and architecture to address these vulnerabilities.

The field of information security has seen significant growth in recent times, and the number of job opportunities in this area is likely to increase in the near future. Recent incidents of information theft from large companies like Target, Sony and Citibank have shown the risks and challenges of this field, and this necessitates the growing need for information security and professionals in this field. We are now witnessing a rising background level of data leakage from governments, businesses and other organisations, families and individuals.

A larger part of an information security analyst’s work involves monitoring data use and access on a computer network.

Security analysts focus on three main areas:


1. risk assessment (identifying risks or issues an organization may face)
2. vulnerability assessment (determining an organization’s weaknesses to threats)
3. defense planning (designing the protection architecture and installing security
systems such as firewalls and data encryption programs)


Information security analysts can find themselves working with IT companies, financial and utility companies and consulting firms. They may also find positions with government organizations. Any company or organization with data to protect may hire information security analysts, so they could find themselves working at a wide variety of different institutions. A number of companies operate ‘Security Operation Centers (SOCs)’ for carrying out data security services for captive or client services.

Why information security?


With the pervasive growth and use of digital information, much of which is confidential,
there has also been a growth in incidents of information theft, including cyber-attacks by
hackers. This has happened both in governments and in private companies. This has
necessitated the need for keeping information safe from data breaches using a variety of
tools and techniques.

Role of a security analyst in information technology


 Protect information and information systems from unauthorized access; use; disclosure;
disruption; modification; perusal; inspection; recording or destruction.
 Perform investigations to determine whether or not data has been compromised, the extent of
it and related vulnerabilities.
 Ensure the confidentiality, integrity and availability of data to the 'right' users within/ outside
of the organization.
 Risk assessment (identifying risks or issues an organization may face).
 Vulnerability assessment (to determine an organization’s weaknesses to threats).
 Defense planning (designing the protection architecture and installing security systems such as
firewalls and data encryption programs).


Major Skills of Security Analyst
• Understanding security policy
• Data & Traffic Analysis
• Identifying Security Events –> How & when to alarm
• Incident Response

Foundation and Background
• Network infrastructure knowledge
• Diverse device configuration ability
• Security configuration knowledge
• Data management & teamwork

Challenges for Security Analyst
• Not tied to a product or solution
• Complex knowledge – no one specific process or product solution is the correct one
• Diverse set of skills are needed


1.2 Information Assets & Threats

Security concerning IT and information is normally categorised in three categories to facilitate the management of information:

Confidentiality: Prevention of unauthorized disclosure or use of information assets
Integrity: Prevention of unauthorized modification of information assets
Availability: Ensuring authorized access of information assets when required, for the duration required

Threats to information assets

Risk is the potential threat, and the process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity or availability of an information system constitutes risk management. The key concerns in information assets security are:
 theft
 fraud/ forgery
 unauthorized information access
 interception or modification of data and data management systems

The above concerns are materialised in the event of a breach caused by exploitation of a
vulnerability.

Vulnerabilities
Vulnerability is a weakness in an information system, system security procedures,
internal controls, or implementation that could be exploited or triggered by a threat
source.
‘Threat agent or actor’ refers to the intent and method targeted at the intentional
exploitation of the vulnerability or a situation and method that may accidentally trigger
the vulnerability.
A ‘threat vector’ is a path or a tool that a threat actor uses to attack the target.
‘Threat targets’ are anything of value to the threat actor such as PC, laptop, PDA, tablet,
Threat classification

Microsoft has proposed a threat classification called STRIDE from the initials of the threat categories:
 Spoofing of user identity
 Tampering
 Repudiation
 Information disclosure (privacy breach or data leak)
 Denial of Service (D.o.S.)
 Elevation of privilege

Threat agents (individuals and groups) can be classified as follows:
 Non-Target specific: Non-Target specific threat agents are computer viruses, worms, Trojans and logic bombs.
 Employees: staff, contractors, operational/ maintenance personnel or security guards who are annoyed with the company.
 Organized crime and criminals: criminals target information that is of value to them, such as bank accounts, credit cards or intellectual property that can be converted into money. Criminals will often make use of insiders to help them.
 Corporations: corporations are engaged in offensive information warfare or competitive intelligence. Partners and competitors come under this category.
 Unintentional human error: accidents, carelessness etc.
 Intentional human error: insider, outsider etc.
 Natural: Flood, fire, lightning, meteor, earthquakes etc.

Types of attacks
• Virus
A virus is a malicious program able to inject its code into other programs/ applications or data
files, and the targeted areas become "infected". Installation of a virus is done without the user's
consent, and it spreads in the form of executable code transferred from one host to another.
Types of viruses include resident virus, non-resident virus, boot sector virus, macro virus,
file-infecting virus (file-infector), polymorphic virus, metamorphic virus, stealth virus,
companion virus and cavity virus.
• Worm
A worm is a category of malicious program that exploits operating system vulnerabilities to
spread itself. In its design, a worm is quite similar to a virus and is even considered a sub-class of it.
Unlike viruses, though, worms can reproduce/ duplicate and spread by themselves. During this
process a worm does not need to attach itself to any existing program or executable.


The different types of worms, based on their method of spread, are email worms, internet
worms, network worms and multi-vector worms.
• Trojan
Computer Trojans or Trojan Horses are named after the mythological Trojan horse owing to
their similarity in operation strategy. Trojans are a type of malware that masquerades as a
non-malicious, even useful, application but actually does damage to the host computer after
its installation. Unlike a virus, Trojans do not self-replicate unless the end user intervenes to
install them.

Types of Virus

Depending on the virus "residence", we can classify viruses in the following way:

 Resident virus - a virus that embeds itself in the memory of a target host. In this way it becomes activated every time the OS starts or executes a specific action.
 Non-resident virus - when executed, this type of virus actively seeks targets for infection either on local, removable or network locations. Upon further infection it exits. This way it is not residing in the memory any more.
 Boot sector virus - a boot sector virus is a computer virus that infects a storage device's master boot record (MBR). It is not mandatory that a boot sector virus successfully boot the victim's PC to infect it. As a result, even non-bootable media can trigger the spread of boot sector viruses. These viruses copy their infected code either to the floppy disk's boot sector or to the hard disk's partition table. During start-up, the virus gets loaded into the computer's memory. As soon as the virus is saved to the memory, it infects the non-infected disks used by the system.
 Macro virus - a virus written in a macro language, embedded in Word, Excel, Outlook etc. documents. This type of virus is executed as soon as the document that contains it is opened. This corresponds to the macro execution within those documents, which under normal circumstances is automatic.

Another classification of viruses can result from their characteristics:

 File-infecting virus (file-infector) – this is the classic form of virus. When the infected file is being executed, the virus seeks out other files on the host and infects them with malicious code. The malicious code is inserted either at the beginning of the host file code (prepending virus), in the middle (mid-infector) or at the end (appending virus). A specific type of virus called "cavity virus" can even inject the code into the gaps in the file structure itself. The start point of the file execution is changed to the start of the virus code to ensure that it is run when the file is executed. Afterwards the control may or may not be passed on to the original program in turn. Depending on the infection routine, the host file may become otherwise corrupted and completely non-functional. More sophisticated viral forms allow the host program execution to go through while trying to hide their presence completely (see polymorphic and metamorphic viruses).
 Polymorphic virus - a polymorphic virus is a complicated computer virus that affects data types and functions. It is a self-encrypted virus designed to avoid detection by a scanner. Upon infection, the polymorphic virus duplicates itself by creating usable, albeit slightly modified, copies of itself.
 Metamorphic virus - this virus is capable of changing its own code with each infection. The rewriting process may cause the infection to appear different each time, but the functionality of the code remains the same. The metamorphic nature of this virus type makes it possible to infect executables from two or more different operating systems or even different computer architectures as well. The metamorphic viruses are among the most complex in build and very difficult to detect.
 Stealth virus - a memory resident virus that utilises various mechanisms to avoid detection. This avoidance can be achieved, for example, by removing itself from the infected files and placing a copy of itself in a different location. The virus can also maintain a clean copy of the infected files in order to provide it to the antivirus engine for scanning while the infected version still remains undetected. Furthermore, stealth viruses actively work to conceal any traces of their activities and changes made to files.
 Armored virus - a type of virus that has been designed to thwart attempts by analysts to examine its code, by using various methods to make tracing, disassembling and reverse engineering more difficult. An armored virus may also protect itself from antivirus programs, making it more difficult to trace. To do this, the armored virus attempts to trick the antivirus program into believing its location is somewhere other than where it really is on the system.
 Multipartite virus – this attempts to attack both the file executables as well as the master boot record of the drive at the same time. This type may be tricky to remove, as even when the file executable part is clean it can re-infect the system all over again from the boot sector if that wasn't cleaned as well.
 Camouflage virus – this virus type is able to report as a harmless program to the antivirus software. In cases where the virus has code similar to that of the legitimate non-infected files, the antivirus application is tricked into believing that it is dealing with the legitimate program. This would work only in the case of basic signature-based antivirus software. Nowadays, antivirus solutions have become more elaborate, whereas camouflage viruses are quite rare and not a serious threat due to the ease of their detection.
 Companion virus - a companion virus is a complicated computer virus which, unlike traditional viruses, does not modify any files. Instead, it creates a copy of the file and places a different extension on it, usually .com. This unique quality makes a companion virus difficult to detect, as anti-virus software tends to use changes in files as a clue.
 Cavity virus - unlike traditional viruses, the cavity virus does not attach itself to the end of the infected file but instead uses the empty spaces within the program file itself (which exist there for a variety of reasons). This way the length of the program code is not changed and the virus can more easily avoid detection. The injection of the virus in most cases does not impact the functionality of the host file at all. Cavity viruses are quite rare, though.
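The companion and cavity cases above are exactly the ones a change-based check gets wrong: a companion leaves every existing file untouched, and a cavity infection changes content without changing length. The following baseline-and-compare integrity monitor is an added example written for this handbook (not code from its source material); it records a content hash and a size per file and reports same-size content changes and new look-alike program files separately. The directory layout, file names and the PROGRAM_EXTS list are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Extensions treated as "program" files for the companion-file check
# (an assumption of this example; real monitors use OS-specific rules).
PROGRAM_EXTS = {".exe", ".com", ".bat", ".dll"}


def hash_file(path):
    """Return (sha256 hex digest, size in bytes) for one file."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size


def build_baseline(root):
    """Snapshot every file under root: relative path -> (hash, size)."""
    snapshot = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = hash_file(full)
    return snapshot


def compare(baseline, current):
    """Diff two snapshots and classify what changed.

    A size-only check would miss a cavity-style infection (same length,
    different content) and a companion file (no existing file changes),
    so each gets its own category in the report.
    """
    report = {"modified": [], "same_size_modified": [], "added": [],
              "removed": [], "companions": []}
    for rel, (digest, size) in current.items():
        if rel not in baseline:
            report["added"].append(rel)
            continue
        old_digest, old_size = baseline[rel]
        if digest != old_digest:
            key = "same_size_modified" if size == old_size else "modified"
            report[key].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    # Companion check: a new program file whose basename already existed
    # with a different program extension (util.com beside util.exe).
    known = {}
    for rel in baseline:
        stem, ext = os.path.splitext(rel)
        if ext.lower() in PROGRAM_EXTS:
            known.setdefault(stem, set()).add(ext.lower())
    for rel in report["added"]:
        stem, ext = os.path.splitext(rel)
        ext = ext.lower()
        if ext in PROGRAM_EXTS and ext not in known.get(stem, {ext}):
            report["companions"].append(rel)
    for entries in report.values():
        entries.sort()
    return report


def demo_scenario():
    """Constructed sample tree: take a baseline, simulate the three
    infection patterns described in the text, and return the comparison."""
    with tempfile.TemporaryDirectory() as root:
        sample = {  # constructed contents, not real executables
            "bin/app.exe": b"MZ" + b"\x00" * 62 + b"program body one",
            "bin/tool.exe": b"MZ" + b"\x00" * 62 + b"program body two",
            "bin/util.exe": b"MZ" + b"\x00" * 62 + b"program body three",
            "docs/readme.txt": b"plain text document",
        }
        for rel, data in sample.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # 1. Cavity-style change: overwrite padding bytes, length unchanged.
        with open(os.path.join(root, "bin/app.exe"), "r+b") as f:
            f.seek(2)
            f.write(b"X" * 8)
        # 2. Appending-style change: the file grows.
        with open(os.path.join(root, "bin/tool.exe"), "ab") as f:
            f.write(b"appended bytes")
        # 3. Companion file: util.com appears beside the untouched util.exe.
        with open(os.path.join(root, "bin/util.com"), "wb") as f:
            f.write(b"MZ companion")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for category, paths in demo_scenario().items():
        print(f"{category}: {paths}")
```

A real deployment would store the baseline out of reach of the monitored host and sign it, since a stealth virus that can rewrite the baseline defeats the comparison.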

Let us discuss recent news about a new version of a notorious virus that
takes over a system until money is paid as ransom, which has been detected
by cyber experts. Version 2.0 of the TeslaCrypt ransomware encryptor family,
say experts, is notorious for infecting the computers of gamers. The malicious
program is now targeting online consumers and businesses via email
attachments which block access to a computer system until a sum of money,
specifically in dollars, is paid as ransom. If the victim delays, the ransom is
doubled. Detected in February 2015, TeslaCrypt began infecting systems in
the US, Europe and Southeast Asian countries. It then occurred in Indian
cities including Delhi and Mumbai. Two businessmen from Agra were
targeted this year, from whom the extortionist demanded more than
$10,000. In the last six months, two cases were reported in Agra, where the
malware locked down its victims' most important files and kept them
hostage in exchange for a ransom to unlock them.

Source: News Articles


Types of Worms

The most common categorization of worms relies on the method by which they spread:
 Email worms: spread through email messages, especially through those with attachments.
 Internet worms: spread directly over the internet by exploiting access to open ports or system vulnerabilities.
 Network worms: spread over open and unprotected network shares.
 Multi-vector worms: having two or more different spread capabilities.

Types of Trojans

Computer Trojans or Trojan horses are named after the mythological Trojan horse from the Trojan War, in which the Greeks give a giant wooden horse to their foes, the Trojans. As soon as the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their soldiers to capture Troy. A computer Trojan horse works in a way that is very similar to such a strategy - it is a type of malware that masquerades as a non-malicious, even useful, application but will actually do damage to the host computer after its installation.

Trojans do not self-replicate, which is their key difference from a virus, and they often require end user intervention to install themselves - which happens in most scenarios where the user is tricked into believing that the program he is installing is a legitimate one (this is very often connected with social engineering attacks on end users). Another common method is for the Trojan to be spammed as an email attachment or a link in an email. A similar method has the Trojan arriving as a file or link in an instant messaging client. Trojans can also be spread by means of drive-by downloads, or downloaded and dropped by other Trojans or by legitimate programs that have been compromised.

The results of Trojan activities can vary greatly - starting from low-invasive ones that only change the wallpaper or desktop icons, through Trojans which open backdoors on the computer and allow other threats to infect the host or allow a hacker remote access to the targeted computer system. Trojans can also cause serious damage on the host by deleting files or destroying the data on the system in various ways (like a drive format or causing a BSOD). Such Trojans are usually stealthy and do not advertise their presence on the computer.

The Trojan classification can be based upon the performed function and the way they breach the systems. An important thing to keep in mind is that many Trojans have multiple payload functions, so any such classification will provide only a general overview and not a strict boundary. Some of the most common Trojan types are:
 Remote Access Trojans (RAT) aka Backdoor.Trojan - this type of Trojan opens a backdoor on the targeted system to allow the attacker remote access to the system or even complete control over it. This kind of Trojan is the most widespread type and often has various other functions as well. It may be used as an entry point for a DoS attack or for allowing worms or even other Trojans into the system. A computer with a sophisticated backdoor program installed may also be referred to as a "zombie" or a "bot". A network of such bots may often be referred to as a "botnet" (see part 3 of the Security 1:1 series). Backdoor.Trojans are

44
Trainer’s Guide– Security Analyst SSC/N0901

generally created by malware authors software is disabled. Security


who are organized and aim to make Software Disablers are entry Trojans
money out of their efforts. These that allow next level of attack on the
types of Trojans can be highly targeted system.
sophisticated and can require more
 Info Stealer (Data Sending/ Stealing
work to implement than some of the Trojan) - this Trojan is designed to
simpler malware seen on the
provide attacker with confidential or
Internet. sensitive information from
 Trojan-DDoS - this Trojan is installed compromised host and send it to a
simultaneously on a large number of predefined location (attacker). The
computers in order to create a zombie stolen data comprise of login details,
network (botnet) of machines that passwords, PII, credit card
can be used (as attackers) in a DDoS information etc. Data sending Trojans
attack on a particular target. can be designed to look for specific
information only or can be more
 Trojan-Proxy - A proxy Trojan is a
generic like Key-logger Trojans.
virus which hijacks and turns the host
Nowadays more than ever before
computer into a proxy server, part of
attackers are concentrating on
a botnet, from which an attacker can
compromising end users for financial
stage anonymous activities and
gain. The information stolen with use
attacks.
of Info stealer Trojan is often sold on
 Trojan-FTP – this Trojan is designed to the black market. Info stealers gather
open FTP ports on the targeted information by using several
machine allow remote attacker access techniques.
to the host. Furthermore, the
The most common techniques may
attacked can access as well network
include log key strokes, screen shots
shares or connections to further
and web cam images, monitoring
spread other threats.
internet activity often for specific
 Destructive Trojan – this is designed financial websites. The stolen
to destroy or delete data. It is much information may be stored locally so
like a virus. that it can be retrieved later or it can
 Security Software Disabler Trojan – be sent to a remote location where it
this is designed to stop security can be accessed by an attacker. It is
programs like antivirus solutions, often encrypted before posting it to
firewalls or IPS either by disabling the malware author.
them or killing the processes. This  Keylogger Trojan – this is a type of
kind of Trojan functionality is often data-sending Trojan that is recording
combined with destructive Trojan every keystroke of the end user. This
that can execute data deletion or kind of Trojan is specifically used to
corruption only after the security steal sensitive information from

45
Trainer’s Guide– Security Analyst SSC/N0901

targeted host and send it back to worms, backdoors) to a system. It is


attacker. For these Trojans, the goal is usually an executable file that
to collect as much data as possible contains other files compressed
without any direct specification what inside its body. When a Trojan-
the data will be. Dropper is run, it extracts these
 Trojan-PSW (Password Stealer) – this compressed files and saves them to a
folder (usually a temporary one) on
is a type of data-sending Trojans
the computer.
designed specifically to steal
passwords from the targeted  Trojan.Downloader – a Trojan that
systems. In its execution routine, the can download other malicious
Trojan will very often first drop a programs to the target computer.
keylogging component onto the Very often combined with the
infected machine. functionality of Trojan-Dropper. Most
downloaders that are encountered
 Trojan-Banker – a Trojan designed
will attempt to download content
specifically to steal online banking
from the internet rather than the local
information to allow attacker further
network. In order to successfully
access to bank account or credit card
achieve its primary function, a
information.
downloader must run on a computer
 Trojan-IM – a type of data-sending that is inadequately protected and
Trojan designed specifically to steal connected to a network.
data or account information from
 Trojan.FakeAV – Trojan.FakeAV is a
instant messaging programs like MSN,
detection for Trojan horse programs
Skype etc.
that intentionally misrepresent the
 Trojan-Game Thief – a Trojan security status of a computer. These
designed to steal information about programs attempt to convince the
online gaming account. user to purchase software in order to
 Trojan Mail Finder – a Trojan used to remove non-existent malware or
harvest any emails found on the security risks from the computer. The
infected computer. The email list is user is continually prompted to pay
being then forwarded to the remote for the software using a credit card.
attacker. Some programs employ tactics
designed to annoy or disrupt the
 Trojan-Dropper - A Trojan-Dropper is
activities of the user until the software
a type of trojan that drops different
is purchased.
type of standalone malware (trojans,

46
Trainer’s Guide– Security Analyst SSC/N0901

This type of Trojan can be either  Trojan-Spy – this Trojan has a similar
targeted to extort money for "non- functionality to the Info stealer or
existing" threat removal or in other Trojan-PSW and its purpose is to spy
cases the installation of the program on the actions executed on the target
itself injects other malware to the host host. These can include tracking data
machine. FakeAV applications can entered via keystrokes, collecting
perform fake scans with variable screenshots, listing active processes/
results, but always detect at least one services on the host or stealing
malicious object. They may as well passwords.
drop files that are then ‘detected’. The
 Trojan-ArcBomb -These Trojans are
FakeAV application is constantly archives designed to freeze or slow
updated with new interfaces so that
performance or to flood the disk with
they mimic the legitimate anti-virus a large amount of “empty” data when
solutions and appear very
an attempt is made to unpack the
professional to the end users. archived data. So-called archive

47
Trainer’s Guide– Security Analyst SSC/N0901

bombs pose a particular threat for file Various functions on the


and mail servers when an automated compromised computer are modified,
processing system is used to process ranging from inhibiting access to the
incoming data: an archive bomb can task manager to altering the master
simply crash the server. boot record (MBR) so that the
 Trojan-Clicker or Trojan-AD clicker – operating system cannot be
executed.
a Trojan that continuously attempts
These programs attempt to convince
to connect to specific websites in
the user to pay money in order to
order to boost the visit counters on
have their computer unlocked and
those sites. More specific
use a variety of different techniques
functionality of the Trojan can include
in order to encourage the user to pay
generating traffic to pay-per-click web
the ransom.
advertising campaigns in order to
create or boost revenue.  Cryptolock Trojan
(Trojan.Cryptolocker) – this is a new
 Trojan-SMS – a Trojan used to send
variation of Ransomware Trojan
text messages from infected mobile
emerged in 2013, in a difference to a
devices to premium rate paid phone
Ransomlock Trojan (that only locks
numbers.
computer screen or some part of
 Trojan-Ransom (Trojan- computer functionality), the
Ransomlock) aka Ransomware Cryptolock Trojan encrypts and locks
Trojan - Trojan.Ransomlock is a individual files. While the
detection for Trojan horse programs Cryptolocker uses a common Trojan
that lock the desktop of a spreading techniques like spam email
compromised computer making it and social engineering in order to
unusable. The threat may arrive on infect victims, the threat itself uses
the compromised computer by more sophisticated techniques likes
various means, such as visiting public-key cryptography with strong
malicious sites, by opening untrusted RSA 2048 encryption.
links or advertisement banners, or by
installing software from untrusted
sources.
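The archive bomb item above warns that automated mail and file servers can be crashed by unpacking incoming archives. As an added example (not from the handbook), the following Python routine reads only a ZIP's central directory before any extraction and rejects archives whose declared size or compression ratio exceeds assumed policy limits; both sample archives are constructed in memory.

```python
# Added example (not from the handbook): inspect a ZIP archive before an
# automated mail or file server unpacks it, rejecting "archive bombs" whose
# declared uncompressed size or compression ratio is implausibly large.
import io
import zipfile

MAX_TOTAL_UNCOMPRESSED = 100 * 1024 * 1024   # 100 MiB budget per archive (assumed policy)
MAX_RATIO = 100.0                            # uncompressed:compressed limit (assumed policy)
MAX_ENTRIES = 1000                           # refuse archives with too many members (assumed)

def inspect_zip(data: bytes) -> dict:
    """Read the central directory only (no extraction) and decide whether the
    archive may be unpacked under the limits above."""
    total_uncompressed = 0
    total_compressed = 0
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries: {len(infos)}")
        for info in infos:
            total_uncompressed += info.file_size
            total_compressed += info.compress_size
            # Nested archives are how multi-level bombs hide their true size;
            # flag them so the caller does not recurse into them blindly.
            if info.filename.lower().endswith((".zip", ".rar", ".7z")):
                problems.append(f"nested archive: {info.filename}")
    ratio = total_uncompressed / max(total_compressed, 1)
    if total_uncompressed > MAX_TOTAL_UNCOMPRESSED:
        problems.append(f"declared size {total_uncompressed} bytes exceeds budget")
    if ratio > MAX_RATIO:
        problems.append(f"compression ratio {ratio:.0f}:1 exceeds {MAX_RATIO:.0f}:1")
    return {"uncompressed": total_uncompressed, "compressed": total_compressed,
            "ratio": ratio, "safe": not problems, "problems": problems}

def build_zip(members: dict) -> bytes:
    """Constructed sample input: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# A normal attachment: a short text file.
NORMAL_ZIP = build_zip({"report.txt": b"Quarterly figures attached.\n" * 20})
# A bomb-like archive: 8 MiB of zeros deflates to a few kilobytes, so the
# declared size is roughly a thousand times the bytes actually received.
BOMB_ZIP = build_zip({"data.bin": b"\0" * (8 * 1024 * 1024)})

if __name__ == "__main__":
    for label, blob in (("normal", NORMAL_ZIP), ("bomb-like", BOMB_ZIP)):
        verdict = inspect_zip(blob)
        print(label, "safe" if verdict["safe"] else "REJECT", verdict["problems"])
```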

In another incident detected by Kaspersky Labs, Pune, the TeslaCrypt ransomware encryptor family exhibited a curious behaviour. Version 2.0 of the Trojan, notorious for infecting computer gamers, displays an HTML page in the web browser which is an exact copy of the one used by CryptoWall 3.0, another notorious ransomware program. TeslaCrypt was detected in February 2015 and the new ransomware Trojan gained immediate notoriety as a menace to computer gamers. Amongst other types of target files, it tries to encrypt typical gaming files: game saves, user profiles, recorded replays etc. That said, TeslaCrypt does not encrypt files that are larger than 268 MB. A few more examples of ransomware Trojans are CryptoLocker, CryptoWall, CoinVault, TorLocker and CTB-Locker.

Source: News articles

Other security threats

Malware refers to software such as viruses, spyware, adware, worms, trojans, ransomware etc. It is designed to cause damage to a targeted computer or a certain degree of operational disruption.

Rootkits are malicious software designed to hide certain processes or programs from detection. A rootkit usually acquires and maintains privileged system access while hiding its presence at the same time. It acts as a conduit by providing the attacker with a backdoor to a system.

Spyware is software that monitors and collects information about a particular user, computer or organisation without the user's knowledge. There are different types of spyware, namely system monitors, trojans (keyloggers, banker trojans, infostealers), adware, tracking cookies etc.

Tracking cookies are a specific type of cookie that are distributed, shared and read across two or more unrelated websites for the purpose of gathering information or potentially to present customized data to you.

Riskware is a term used to describe potentially dangerous software whose installation may pose a risk to the computer.

Adware, in general terms, is software generating or displaying certain advertisements to the user. This kind of adware is very common in freeware and shareware software and can analyze end users' internet habits and then tailor the advertisements directly to users' interests.

Scareware is a class of malware that includes both Ransomware (Trojan.Ransom) and FakeAV software. It is also well known under the names "Rogue Security Software" or "Misleading Software". This kind of software tricks the user into believing that the computer has been infected and offers paid solutions to clean the "fake" infection.

Spam is the term used to describe unsolicited or unwanted electronic messages, especially advertisements. The most widely recognized form of spam is email spam.

Creepware is a term used to describe activities like spying on others through webcams (very often combined with capturing pictures), tracking the online activities of others, listening to conversations over the computer's microphone and stealing passwords and other data.

Blended threat defines an exploit that combines elements of multiple types of malware components. The use of multiple attack vectors and payload types aims to increase both the severity of the damage caused and the speed of spreading.

In 1983, this person was the first to offer the definition of 'Computer Virus'...

A. COHEN    B. NORTON
C. SMITH    D. McAfee

ANSWER : …………………………………………………………..

Network attacks

A network attack is usually defined as an intrusion on the network infrastructure that first analyses the environment and collects information in order to exploit existing open ports or vulnerabilities. This may include unauthorized access to organisation resources.

Characteristics of network attacks:

 Passive attacks: these refer to attacks where the purpose is only to learn and get some information from the system, but the system resources are not altered or disabled in any way.

 Active attacks: in this type of network attack, the perpetrator accesses and either alters, disables or destroys resources or data.

 Outside attack: when an attack is performed from outside the organization by an unauthorized entity, it is said to be an outside attack.

 Inside attack: if an attack is performed from within the company by an "insider" that already has certain access to the network, it is considered to be an inside attack.

 Others, such as attacks targeted at end users (like phishing or social engineering): these attacks are not directly referred to as network attacks, but are important to know due to their widespread occurrence.

What types of attack are there?

 Social engineering attack
 Phishing attack
 Social phishing
 Spear phishing attack
 Watering hole attack
 Whaling
 Vishing (voice phishing or VoIP phishing)
 Port scanning
 Spoofing
 Network sniffing
 DoS attack* & DDoS attack**
 ICMP smurf Denial of service
 Buffer overflow attack
 Man-in-the-middle attack
 Botnet
 Session hijacking attack
 Cross-site scripting attack (XSS attack)
 SQL injection attack
 Bluetooth related attacks

*Denial of Service Attack
**Distributed Denial of Service Attack

 Social engineering – refers to the psychological manipulation of people (employees of a company) to perform actions that potentially lead to a leak of the company's proprietary or confidential information, or otherwise cause damage to company resources, personnel or company image. Social engineers use various strategies to trick users into disclosing confidential information, data or both. One very common technique used by social engineers is to pretend to be someone else: an IT professional, a member of the management team, a co-worker, an insurance investigator or even a member of a governmental authority. The mere fact that the addressing party appears to be one of these is meant to convince the victim that the person has the right to know any confidential or otherwise secure information. The purpose of social engineering remains the same as the purpose of hacking: unauthorized access to confidential information, data theft, industrial espionage or environment/service disruption.

 Phishing attack – this type of attack uses social engineering techniques to steal confidential information. The most common target of such an attack is the victim's banking account details and credentials. Phishing attacks tend to use schemes involving spoofed emails sent to users that lead them to malware-infected websites designed to appear as real online banking websites. Emails received by users will in most cases look authentic, sent from sources known to the user (very often with the appropriate company logo and localised information). These emails will contain a direct request to verify some account information, credentials or credit card numbers by following the provided link and confirming the information online. The request will be accompanied by a threat that the account may become disabled or suspended if the mentioned details are not verified by the user.

 Social phishing – in recent years, phishing techniques have evolved to include social media like Facebook or Twitter. This type of phishing is often called social phishing. The purpose remains the same: to obtain confidential information and gain access to personal files. The means of the attack are a bit different, though, and include special links or posts placed on social media sites that attract the user with their content and convince them to click. The link then redirects to a malicious website or similar harmful content. The websites can mirror the legitimate Facebook pages so that an unsuspecting user does not notice the difference. The website will require the user to log in with his real information. At this point, the attacker collects the credentials, gaining access to the compromised account and all data on it. Another scenario involves fake apps. Users are encouraged to download and install the apps, which contain malware used to steal confidential information.

Facebook phishing attacks are often much more elaborate. Consider the following scenario: a link posted by an attacker can include some pictures or a phrase that will attract the user to click on it. The user clicks, upon which he/she is redirected to a mirror website that asks him/her to like the post first before even viewing it. The user, not suspecting any harm, clicks on the "like" button but doesn't realise that the "like" button has been spoofed and in reality is the "accept" button for the fake app to access the user's personal information. At this point, data is collected and the account is compromised.

 Spear phishing attack – this is a type of phishing attack targeted at specific individuals, groups of individuals or companies. Spear phishing attacks are performed mostly with the primary purpose of industrial espionage and theft of sensitive information, while ordinary phishing attacks are directed against the wide public with the intent of financial fraud. It has been estimated that in the last couple of years targeted spear phishing attacks have become more widespread than ever before.

The recommendations to protect your company against phishing and spear phishing include:
1. Never open or download a file from an unsolicited email, even from someone you know (you can call or email the person to double check that it really came from them).
2. Keep your operating system updated.
3. Use a reputable anti-virus program.
4. Enable two-factor authentication whenever available.
5. Confirm the authenticity of a website prior to entering login credentials by looking for a reputable security trust mark.
6. Look for HTTPS in the address bar when you enter any sensitive personal information on a website to make sure your data will be encrypted.
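The phishing items above describe mails that look like they come from a known sender and carry a "verify your account" link. As an added example (not from the handbook), the routine below performs the checks an analyst would run on such a message: visible From domain against the envelope Return-Path, the receiving server's Authentication-Results, and links whose visible text names a different host than the href. The message, its headers and all domains are constructed sample data.

```python
# Added example (not from the handbook): triage checks for a suspected
# phishing e-mail. Everything in SAMPLE_PHISH below is constructed.
import re
from email import policy
from email.parser import BytesParser

def domain_of(addr) -> str:
    """Lowercase domain part of 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([\w.-]+)", str(addr or ""))
    return m.group(1).lower() if m else ""

def auth_results(msg) -> dict:
    """Pull 'spf=pass', 'dkim=fail', 'dmarc=...' out of Authentication-Results,
    the header the receiving mail server adds after checking the sender."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr)}

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def link_mismatches(html: str) -> list:
    """Links whose anchor text looks like a host name that differs from the
    host the href really points at (the classic lure in spoofed mails)."""
    found = []
    for href, text in LINK_RE.findall(html):
        href_host = re.sub(r"^https?://", "", href).split("/")[0].lower()
        text_host = re.sub(r"^https?://", "", text.strip()).split("/")[0].lower()
        if "." in text_host and text_host != href_host:
            found.append((text_host, href_host))
    return found

def triage(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = domain_of(msg.get("From", ""))
    ret_dom = domain_of(msg.get("Return-Path", ""))
    results = auth_results(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    findings = []
    if ret_dom and ret_dom != from_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {ret_dom}")
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) not in (None, "pass"):
            findings.append(f"{mech}={results[mech]}")
    for shown, real in link_mismatches(html):
        findings.append(f"link text {shown} points to {real}")
    return {"from_domain": from_dom, "return_path_domain": ret_dom,
            "auth": results, "findings": findings, "suspicious": bool(findings)}

# Constructed sample: the kind of "verify your account" mail the text describes.
SAMPLE_PHISH = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Example Bank Security" <alerts@examplebank.example>
To: customer@example.org
Subject: Urgent: verify your account or it will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended in 24 hours. Please verify your details:</p>
<p><a href="http://examplebank.example.verify-login.example.net/acct">www.examplebank.example/login</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PHISH)["findings"]:
        print("-", finding)
```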

 Watering hole attack – this is a more complex type of phishing attack. Instead of the usual way of sending spoofed emails to end users in order to trick them into revealing confidential information, attackers use a multi-staged approach to gain access to the targeted information. In the first steps, the attacker profiles the potential victim, collecting information about his or her internet habits, history of visited websites etc. In the next step the attacker uses that knowledge to inspect the specific legitimate public websites for vulnerabilities. If any vulnerabilities or loopholes are found, the attacker compromises the website with his own malicious code. The compromised website then waits for the targeted victim to come back and infects them with exploits (often for zero-day vulnerabilities) or malware. This is an analogy to a lion waiting at the watering hole for its prey.

 Whaling – it is a type of phishing attack specifically targeted at senior executives or other high profile targets within a company.

 Vishing (Voice Phishing or VoIP Phishing) – it is the use of social engineering techniques over the telephone system to gain access to confidential information from users. This phishing attack is often combined with caller ID spoofing that masks the real source phone number and instead displays a number familiar to the phishing victim or a number known to be that of a real banking institution. General practices of vishing include pre-recorded automated instructions for users requesting them to provide bank account or credit card information for verification over the phone.

 Port scanning – an attack type where the attacker sends several requests to a range of ports on a targeted host in order to find out what ports are active and open, which allows them to exploit known service vulnerabilities related to specific ports. Port scanning can be used by malicious attackers to compromise security, as well as by IT professionals to verify network security.

Spoofing – it is a technique used to masquerade a person, program or address as another by falsifying data with the purpose of unauthorized access. A few of the common spoofing types include:

 IP Address spoofing – the process of creating IP packets with a forged source IP address to impersonate a legitimate system. This kind of spoofing is often used in DoS attacks (Smurf Attack).

 ARP spoofing (ARP Poisoning) – the process of sending fake ARP messages in the network. The purpose of this spoofing is to associate the attacker's MAC address with the IP address of another legitimate host, causing traffic to be redirected to the attacker's host. This kind of spoofing is often used in man-in-the-middle attacks.

 DNS spoofing (DNS Cache Poisoning) – an attack where wrong data is inserted into a DNS server's cache, causing the DNS server to divert traffic by returning wrong IP addresses as results for client queries.

 Email spoofing – the process of faking the email's sender "From" field in order to hide the real origin of the email. This type of spoofing is often used in spam mail or during phishing attacks.

 Search engine poisoning – attackers take advantage of high profile news items or popular events that may be of specific interest to a certain group of people to spread malware and viruses. This is performed by various methods whose purpose is to achieve the highest possible search ranking on known search portals for the malicious sites and links introduced by the hackers. Search engine poisoning techniques are often used to distribute rogue security products (scareware) to users searching for legitimate security solutions to download.
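The ARP spoofing item above describes fake ARP replies that bind a legitimate host's IP address to the attacker's MAC. As an added example (not from the handbook), the following Python code detects that pattern from observed ARP replies: an IP whose MAC changes, or one MAC answering for several IPs, as a man-in-the-middle does when it claims both the gateway and the victim. The tcpdump-style lines and the gateway binding in KNOWN_BINDINGS are constructed assumptions.

```python
# Added example (not from the handbook): ARP poisoning detection over a
# stream of ARP "is-at" replies. Sample lines and addresses are constructed.
import re
from collections import defaultdict

# Assumed site-specific whitelist: bindings that must never change.
KNOWN_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}

REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-fA-F:]{17})")

def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) from tcpdump-style ARP reply lines."""
    for line in lines:
        m = REPLY_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac")

def detect_arp_spoofing(replies, known=KNOWN_BINDINGS):
    """replies: iterable of (timestamp, sender_ip, sender_mac). Returns alerts."""
    ip_to_macs = defaultdict(dict)   # ip  -> {mac: first_seen}
    mac_to_ips = defaultdict(set)    # mac -> {ip, ...}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        # 1. A protected binding (gateway, server) announced with another MAC.
        if ip in known and known[ip] != mac:
            alerts.append(f"{ts}: {ip} claimed by {mac}, expected {known[ip]}")
        # 2. The same IP now announced by a second MAC: the poisoning itself.
        if ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            alerts.append(f"{ts}: {ip} was {sorted(ip_to_macs[ip])}, now announced by {mac}")
        ip_to_macs[ip].setdefault(mac, ts)
        # 3. One MAC answering for several IPs: how an attacker sits between
        #    both ends (gateway and victim) to relay and read their traffic.
        is_new_ip = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        if is_new_ip and len(mac_to_ips[mac]) > 1:
            alerts.append(f"{ts}: {mac} answers for multiple IPs {sorted(mac_to_ips[mac])}")
    return alerts

# Constructed capture: three honest replies, then an attacker (de:ad:be:ef:00:66)
# claiming both the gateway's and a workstation's IP address.
SAMPLE_LINES = [
    "10:00:01.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28",
    "10:00:02.000000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28",
    "10:00:03.000000 ARP, Reply 192.168.1.66 is-at de:ad:be:ef:00:66, length 28",
    "10:00:09.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:66, length 28",
    "10:00:09.100000 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:66, length 28",
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_replies(SAMPLE_LINES)):
        print(alert)
```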

 Network sniffing (Packet Sniffing) – the process of capturing the data packets travelling in the network. Network sniffing can be used both by IT professionals to analyse and monitor the traffic (for example, in order to find unexpected suspicious traffic), and by perpetrators to collect data sent over clear text that is easily readable with network sniffers (protocol analysers). The best countermeasure against sniffing is the use of encrypted communication between the hosts.

 Denial of Service Attack (DoS Attack) and Distributed Denial of Service Attack (DDoS Attack) – an attack designed to cause an interruption or suspension of the services of a specific host/server by flooding it with large quantities of useless traffic or external communication requests. When the DoS attack succeeds the server is no longer able to answer even legitimate requests; this can be observed in a number of ways: slow response of the server, slow network performance, unavailability of software or web pages, inability to access data, websites or other resources. A Distributed Denial of Service Attack (DDoS) occurs where multiple compromised or infected systems (a botnet) flood a particular host with traffic simultaneously.

DoS (denial-of-service) attack

A few of the most common DoS attack types:

 ICMP flood attack (Ping Flood) – the attack sends ICMP ping requests to the victim host without waiting for the answer, in order to overload it with ICMP traffic to the point where the host cannot answer them any more, either because of network bandwidth congestion with ICMP packets (both requests and replies) or because of high CPU utilization caused by processing the ICMP requests. The easiest way to protect against the various types of ICMP flood attack is either to disable propagation of ICMP traffic sent to the broadcast address on the router, or to disable ICMP traffic at the firewall level.

 Ping of Death (PoD) – this attack involves sending a malformed or otherwise corrupted malicious ping to the host machine, for example a PING with a size bigger than usual, which can cause a buffer overflow on the system that leads to a system crash.

 Smurf attack (ICMP Smurf Denial of Service) – this works in the same way as the Ping Flood attack, with one major difference: the source IP address of the attacker host is spoofed with the IP address of another legitimate, non-malicious computer. Such an attack will cause disruption both on the attacked host (receiving a large number of ICMP requests) as well as on the spoofed victim host (receiving a large number of ICMP replies).

 SYN flood attack – this attack exploits the way the TCP 3-way handshake works while a TCP connection is being established. In the normal process, the host computer sends a TCP SYN packet to the remote host requesting a connection. The remote host answers with a TCP SYN-ACK packet confirming that the connection can be made. As soon as this is received by the first (local) host, it replies again with a TCP ACK packet to the remote host. At this point the TCP socket connection is established. During the SYN flood attack, the attacker host, or more commonly several attacker hosts, send SYN packets to the victim host requesting a connection; the victim host responds with SYN-ACK packets but the attacker hosts never respond with ACK packets. As a result, the victim host keeps reserving space for all those connections still awaiting the remote attacker hosts' response, which never comes. This leaves the server with dead open connections and in the end prevents legitimate hosts from connecting to the server any more.

 Buffer overflow attack – in this type of attack the victim host is provided with traffic/data that is out of the range of the processing specs of the victim host, protocols or applications, overflowing the buffer and overwriting the adjacent memory. One example is the Ping of Death attack mentioned above, where a malformed ICMP packet with a size exceeding the normal value can cause the buffer overflow.

 Botnet – a collection of compromised computers that can be controlled by remote perpetrators to perform various types of attacks on other computers or networks. A known example of botnet usage is within the distributed denial of service attack, where multiple systems submit as many requests as possible to the victim machine in order to overload it with incoming packets. Botnets can otherwise be used to send out spam, spread viruses and spyware, and also to steal personal and confidential information which is afterwards forwarded to the botmaster.

 Man-in-the-middle attack – the attack is a form of active monitoring or eavesdropping on victims' connections and the communication between victim hosts. This form of attack includes interaction between both victim parties of the communication and the attacker. This is achieved by the attacker intercepting all or part of the communication, changing its content and sending it back as legitimate replies. Neither party is aware of the attacker's presence and both believe the replies they get are legitimate. For this attack to be successful, the perpetrator must successfully impersonate at least one of the endpoints. This can be the case if there are no protocols in place that would secure mutual authentication or encryption during the communication process.

 Session hijacking attack – this attack targets the exploitation of a valid computer session in order to gain unauthorized access to information on a computer system. The attack type is often referred to as cookie hijacking, as during its progress the attacker uses the stolen session cookie to gain access and authenticate to the remote server by impersonating the legitimate user.

 Cross-site scripting attack (XSS attack) – the attacker exploits XSS vulnerabilities found in web server applications in order to inject a client-side script onto the webpage that can either point the user to a malicious website of the attacker or allow the attacker to steal the user's session cookie.

 SQL injection attack – the attacker uses existing vulnerabilities in the applications to inject code/a string for execution that exceeds the allowed and expected input to the SQL database.
Bluetooth related attacks

 Bluesnarfing – this kind of attack allows the malicious user to gain unauthorized access to information on a device through its Bluetooth connection. Any device with Bluetooth turned on and set to the "discoverable" state may be prone to a bluesnarfing attack.

 Bluejacking – this kind of attack allows the malicious user to send unsolicited (often spam) messages to Bluetooth enabled devices.

 Bluebugging – it is a hacking attack on a Bluetooth enabled device. Bluebugging enables the attacker to initiate phone calls on the victim's phone as well as read through the address book and messages and eavesdrop on phone conversations.

Fig: Top Network Attacks as per McAfee Labs, 2015

A few recent cyberattacks (or network attacks) that shook some big businesses around the globe:

Primera Blue Cross

March 2015

The company, a health insurer based in Washington State, said up to 11 million customers could have been affected by a cyberattack last year. Hackers gained access to its computers on May 5, and the breach was not discovered until Jan. 29, Primera said. The breach could have exposed members' names, dates of birth, Social Security numbers, mailing and email addresses, phone numbers and bank account information. The company is working with the F.B.I. and a cybersecurity firm to investigate.

Anthem

February 2015

One of the nation’s largest health insurers said that the personal
information of tens of millions of its customers and employees, including
its chief executive, was the subject of a “very sophisticated external
cyberattack.”

The company added that hackers were able to breach a database that
contained as many as 80 million records of current and former customers,
as well as employees. The information accessed included names, Social
Security numbers, birthdays, addresses, email and employment
information, including income data.

Sony Pictures

November 2014

A huge attack that essentially wiped clean several internal data centers
and led to cancellation of the theatrical release of "The Interview," a
comedy about the fictional assassination of the North Korean leader Kim
Jong-un. Contracts, salary lists, film budgets, entire films and Social
Security numbers were stolen, including -- to the dismay of top executives
-- leaked emails that included criticisms of Angelina Jolie and disparaging
remarks about President Obama.

Staples

October 2014

The office supply retailer said hackers had broken into the company’s
network and compromised the information of about 1.16 million credit
cards.


Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is a catalogue of known security threats. The catalogue is sponsored by the United States Department of Homeland Security (DHS), and threats are divided into two categories: vulnerabilities and exposures.

According to the CVE website, a vulnerability is a mistake in software code that provides an attacker with direct access to a system or network. For example, the vulnerability may allow an attacker to pose as a super user or system administrator who has full access privileges. An exposure, on the other hand, is defined as a mistake in software code or configuration that provides an attacker with indirect access to a system or network. For example, an exposure may allow an attacker to secretly gather customer information that could be sold.

The catalogue's main purpose is to standardize the way each known vulnerability or exposure is identified. This is important because standard IDs allow security administrators to quickly access technical information about a specific threat across multiple CVE-compatible information sources.

CVE is sponsored by US-CERT, the DHS Office of Cybersecurity and Information Assurance (OCSIA). MITRE, a not-for-profit organization that operates research and development centres sponsored by the U.S. federal government, maintains the CVE catalogue and public website. It also manages the CVE Compatibility Program, which promotes the use of standard CVE identifiers by authorized CVE Numbering Authorities (CNAs).


UNIT II
Fundamentals of Information Security

This unit covers:

 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
2.1 Elements of information security
2.2 Principles and concepts – data security
2.3 Types of controls


Lesson Plan

Outcomes | Performance Measures | Duration (Hrs) | Work Environment / Lab Requirement

Outcomes: To be competent, you must be able to:
PC3. carry out security assessment of information security systems using automated tools
PC8. provide inputs to root cause analysis and the resolution of information security issues, where required
Performance Measures: QA session and a descriptive write-up on understanding. Peer group, faculty group and industry experts.
Duration (Hrs): 2 hrs
Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Networking Equipment - Routers & Switches
 Firewalls and Access Points
 Access to all security sites like ISO, PCI DSS
 Commercial Tools like HP WebInspect and IBM AppScan etc.
 Open Source tools like sqlmap, Nessus etc.

Outcomes: You need to know and understand:
KA5. how to analyse root causes of information security issues
KA6. how to carry out information security assessments
KB4. how to identify and resolve information security vulnerabilities and issues
Performance Measures: KA6, KA7, KA8: peer review with faculty with appropriate feedback. KB1 – KB4: going through the security standards over the Internet by visiting sites like ISO, PCI DSS etc., and understanding various methodologies and usage of algorithms.
Duration (Hrs): 4 hrs classroom session and 4 hrs research
Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Networking Equipment - Routers & Switches
 Firewalls and Access Points
 Access to all security sites like ISO, PCI DSS
 Commercial Tools like HP WebInspect and IBM AppScan etc.
 Open Source tools like sqlmap, Nessus etc.


Suggested Learning Activities


Activity 1:

Ask students to investigate the various types of threats to network security,
application security and communication security. Also list the various countermeasures or
security devices that may be used to address these. Present the same in class.

Activity 2:

Ask students to research various information security service companies’ websites and
understand the various security services they offer. Carry out a comparison of the various
services or products offered and list their features and benefits.

Activity 3:

Ask the students to research the various categories of controls and state the various
controls within each category. Let them discuss in groups the benefits and limitations of
each type of control within a category, with examples.

Activity 4:

Ask the students to research various elements of a decision tree and an algorithm. Ask
them to create algorithms and decision trees for various situations in case of planning for
security of information assets.


Training Resource Material


2.1 Elements of Information Security

Network Security

Network security refers to any activity designed to protect your network. Specifically, these activities protect the usability, reliability, integrity and safety of your network and data. Effective network security targets a variety of threats and stops them from entering or spreading on your network.

No single solution protects you from a variety of threats. You need multiple layers of security. If one fails, others still stand. Network security is accomplished through hardware and software. The software must be constantly updated and managed to protect you from emerging threats. Wireless networks, which by their nature facilitate access to the radio medium, are more vulnerable than wired networks and need to encrypt communications to deal with sniffing and to continuously check the identity of the mobile nodes. The mobility factor adds more challenges to security, namely monitoring and maintenance of secure traffic transport of mobile nodes. This concerns both homogeneous and heterogeneous (inter-technology) mobility; the latter requires homogenization of the security level of all networks visited by the mobile. From the terminal's side, it is important to protect its resources (battery, disk, CPU) against misuse and ensure the confidentiality of its data. In an ad hoc or sensor network, it becomes essential to ensure the terminal's integrity as it plays a dual role of router and terminal.

The difficulty of designing security solutions that could address these challenges is not only to ensure robustness in the face of potential attacks or to ensure that security does not slow down communications, but also to optimize the use of resources in terms of bandwidth, memory, battery, etc. More importantly, in this open context the wireless network is to ensure anonymity and privacy, while allowing traceability for legal reasons. Indeed, the growing need for traceability is now necessary for the fight against criminal organizations and terrorists, but also to minimize the plundering of copyright. It is therefore facing a dilemma of providing a network support of free exchange of information while controlling the content of the communication to avoid harmful content. Actually, this concerns both wired and wireless networks. All these factors influence the selection and implementation of security tools, which are guided by a prior risk assessment and security policy.

Finally, we are increasingly thinking about trust models in the design of secured systems, which should offer a higher level of trust than classical security mechanisms, and it seems that future networks should implement both models: security and trust models. In fact, if communication nodes are capable of building and maintaining a predefined trust level in the network, then the communication system will be trustable all the time, thus allowing a trusted and secure service deployment. However, such trust models are very difficult to design and the trust level is generally a biased concept presently. It is very similar to the human based trust model. Note that succeeding in building such trust models will allow infrastructure based networks, but especially infrastructure-less or self-organized networks such as ad hoc sensors, to be trusted enough to deploy several applications. This will also have an impact on current business models, where the economic model would have to change in order to include new players in the telecommunication value chain such as users offering their machines to build an infrastructure-less network. For example, in the context of ad hoc networks, we could imagine that ad hoc users become distributors of content or provide any other networked services, being a sort of service providers. In this case, an appropriate charging and billing system needs to be designed.

A network security system usually consists of many components. Ideally, all components work together, which minimizes maintenance and improves security.

Network security components often include:

 Anti-virus and anti-spyware
 Firewall to block unauthorized access to your network
 Intrusion Prevention Systems (IPS) to identify fast-spreading threats, such as zero-day or zero-hour attacks
 Virtual Private Networks (VPNs) to provide secure remote access
 Communication security

Application Security
Application security (AppSec) is the use of software, hardware and procedural methods to protect applications from external threats. AppSec is the operational solution to the problem of software risk. AppSec helps identify, fix and prevent security vulnerabilities in any kind of software application irrespective of the function, language or platform.


As a best practice, AppSec employs proactive and preventative methods to manage
software risk, and align an organization's security investments with the reality of
today's threats. It has three distinct elements:

1) measurable reduction of risk in existing applications
2) prevention of introduction of new risks
3) compliance with software security mandates

The severity and frequency of cyber-attacks is increasing, which is making the practice of AppSec important. AppSec as a discipline is also becoming more complex as the variety of business software continues to proliferate. Here are some of the reasons why (and see if these sound familiar):

Today's enterprise software comes from a variety of sources –

 in-house development teams,
 commercial vendors,
 outsourced solution providers, and
 open source projects.

Software developers have an endless choice of programming languages to choose from – Java, .NET, C++, PHP and more.

Applications can be deployed across myriad platforms – installed to operate locally, over virtual servers and networks, accessed as a service in the cloud or run on mobile devices.

AppSec products must provide capabilities for managing security risk across all of these options, as each of these development and deployment options can introduce security vulnerabilities. An effective software security strategy addresses both immediate and systemic risk.

The Application Security market has reached sufficient maturity to allow organizations of all sizes to follow a well-established roadmap:

A software vulnerability can be defined as a programmatic function that processes critical data
in an insecure way. These “holes” in an application can be exploited by a hacker, spy or
cybercriminal as an entry point to steal sensitive, protected or confidential data.

Begin with software security testing to find and assess potential vulnerabilities:

 Follow remediation procedures to prioritize and fix them.

 Train developers on secure coding practices.

 Leverage ongoing threat intelligence to keep up-to-date.

 Develop continuous methods to secure applications throughout the development life cycle.

 Instantiate policies and procedures that instill good governance.

Testing and remediation form the baseline response to insecure applications, but the critical element of a successful AppSec effort is ongoing developer training. Security conscious development teams write bulletproof code, and avoid common errors. Consider, for example, data input validation – the process of ensuring that a program operates with clean, correct and useful data. Neglecting this important step, and failing to build in standard input validation rules or "check routines", leaves the application open to common attacks such as cross-site scripting and SQL injection. When undertaken correctly, Application Security is an orderly process of reducing the risks associated with developing and running business critical software. Properly managed, a good application security program will move your organization from a state of unmanaged risk and reactive security to effective, proactive risk mitigation.

Communications Security

Communications Security (COMSEC) ensures the security of telecommunications confidentiality and integrity – the two information assurance (IA) pillars. Generally, COMSEC may refer to the security of any information that is transmitted, transferred or communicated.

There are five COMSEC security types:


 Cryptosecurity: This encrypts data, rendering it unreadable until the data is
decrypted.

 Emission Security (EMSEC): This prevents the release or capture of emanations
from equipment, such as cryptographic equipment, thereby preventing
unauthorized interception.

 Physical Security: This ensures the safety of, and prevents unauthorized access to,
cryptographic information, documents and equipment.

 Traffic-Flow Security: This hides messages and message characteristics flowing on
a network.

 Transmission Security (TRANSEC): This protects transmissions from unauthorized
access, thereby preventing interruption and harm.
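The input validation point made in the Application Security passage above, shown as an added Python example (not the handbook's own code): a lookup that splices untrusted input into SQL beside its parameterised form, an allow-list "check routine" for user names, and output encoding against cross-site scripting. The table, its rows and the malicious input are constructed for the demonstration.

```python
"""Input validation and parameterised queries (added example, not the
handbook's code). The database and rows are constructed so it runs offline."""
import html
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny customer table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("gaurav", "gaurav@company.com"), ("ann", "ann@company.com")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """'Before' version: the untrusted value is spliced into the SQL text,
    so quote characters in it change the meaning of the query."""
    query = f"SELECT email FROM customers WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened version: the value travels as a bound parameter and is
    never interpreted as SQL, whatever characters it contains."""
    query = "SELECT email FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# A "check routine" in the handbook's sense: an allow-list rule applied to
# a user name before it reaches the database or a page template.
USERNAME_RULE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value: str) -> bool:
    return USERNAME_RULE.fullmatch(value) is not None


def render_greeting(display_name: str) -> str:
    """Output encoding for the HTML context, the counterpart of input
    validation against cross-site scripting: markup inside the name is
    rendered as text rather than interpreted by the browser."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    injected = "x' OR '1'='1"             # constructed malicious input
    print(lookup_unsafe(db, injected))    # every email in the table
    print(lookup_safe(db, injected))      # []
    print(validate_username(injected))    # False
    print(render_greeting("<script>alert(1)</script>"))
```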


2.2. Principles and Concepts – Data Security


Fig: Critical Information Characteristics – Confidentiality, Integrity, Availability

Information States

Information has three basic states: at any given moment, information is being transmitted, stored or processed. The three states exist irrespective of the media in which information resides. Information systems security concerns itself with the maintenance of three critical characteristics of information: confidentiality, integrity and availability. These attributes of information represent the full spectrum of security concerns in an automated environment. They are applicable for any organization irrespective of its philosophical outlook on sharing information.

Fig: Information States – Transmission, Processing, Storage

Prevention vs. detection

Security efforts to assure confidentiality, integrity and availability can be divided into those oriented to prevention and those focused on detection. The latter aims to rapidly discover and correct for lapses that could not be (or at least were not) prevented. The balance between prevention and detection depends on the circumstances and the available security technologies.

Basic information security concepts:
• Identification
• Authentication
• Authorization
• Confidentiality
• Integrity
• Availability
• Non-repudiation

 Identification is the first step in the 'identify-authenticate-authorize' sequence that is performed every day countless times by humans and computers alike when access to information or information processing resources are required. While particulars of identification systems differ depending on who or what is being identified, some intrinsic properties of identification apply regardless of these particulars. Just three of these properties are the scope, locality, and uniqueness of IDs. Identification name spaces can be local or global in scope. To illustrate this concept, let's refer to the familiar notation of email addresses. While many email accounts named Gaurav may exist around the world, an email address Gaurav@company.com unambiguously refers exactly to one such user in the company.com locality. Provided that the company in question is a small one, and that only one employee is named Gaurav, his colleagues may refer to that particular person by only using his first name. That would work because they are in the same locality and only one Gaurav works there. However, if Gaurav were someone on the other side of the world or even across town, to refer to Gaurav@company.com as simply Gaurav would make no sense because user name Gaurav is not globally unique and refers to different persons in different localities. This is one of the reasons why two user accounts should never use the same name on the same system — not only because you would not be able to enforce access controls based on non-unique and ambiguous user names, but also because you would not be able to establish accountability for user actions.

 Authentication happens right after identification and before authorization. It verifies the authenticity of the identity declared at the identification stage. In other words, it is at the authentication stage that you prove you are indeed the person or the system you claim to be. The three methods of authentication are what you know, what you have and what you are. Regardless of the particular authentication method used, the aim is to obtain reasonable assurance that the identity declared at the identification stage belongs to the party in communication. It is important to note that reasonable assurance may mean different degrees of assurance, depending on the particular environment and application, and therefore may require different approaches to authentication. Authentication requirements of a national security – critical system naturally differ from authentication requirements of a small company. As different authentication methods have different costs and properties as well as different returns on investment, the choice of authentication method for a particular system or organization should be made after these factors have been carefully considered.

 Authorization is the process of ensuring that a user has sufficient rights to perform the requested operation, and preventing those without sufficient rights from doing the same. After declaring identity at the identification stage and proving it at the authentication stage, users are assigned a set of authorizations (also referred to as rights, privileges or permissions) that define what they can do on the system. These authorizations are most commonly defined by the system's security policy and are set by the security or system administrator. These privileges may range from the extremes of "permit nothing" to "permit everything" and include anything in between.

 Confidentiality means authorized persons have access to receive or use information, documents etc. Unauthorized access to confidential information may have devastating consequences, not only in national security applications, but also in commerce and industry. The main mechanisms of protection of confidentiality in information systems are cryptography and access controls. Examples of threats to confidentiality are malware, intruders, social engineering, insecure networks and poorly administered systems.

 Integrity is concerned with the trustworthiness, origin, completeness and correctness of information as well as the prevention of improper or unauthorized modification of information. Integrity in the information security context refers not only to integrity of information itself but also to origin integrity, i.e. integrity of the source of information. Integrity protection mechanisms may be grouped into two broad types: preventive mechanisms, such as access controls that prevent unauthorized modification of information, and detective mechanisms, which are intended to detect unauthorized modifications when preventive mechanisms have failed. Controls that protect integrity include principles of least privilege, separation and rotation of duties.

 Availability of information, although usually mentioned last, is not the least important pillar of information security. Who needs confidentiality and integrity if the authorized users of information cannot access and use it? Who needs sophisticated encryption and access controls if the information being protected is not accessible to authorized users when they need it? Therefore, despite being mentioned last in the C-I-A triad, availability is just as important and as necessary a component of information security as confidentiality and integrity. Attacks against availability are known as denial of service (DoS) attacks. Natural and manmade disasters obviously may also affect availability as well as confidentiality and integrity of information, though their frequency and severity greatly differ. Natural disasters are infrequent but severe, whereas human errors are frequent but usually not as severe as natural disasters. In both cases, business continuity and disaster recovery planning (which at the very least includes regular and reliable backups) is intended to minimize losses.

 Non-repudiation in the information security context refers to one of the properties of cryptographic digital signatures that offers the possibility of proving whether a particular message has been digitally signed by the holder of a particular digital signature's private key. Non-repudiation is a somewhat controversial subject, partly because it is an important one in this day and age of electronic commerce, and because it does not provide an absolute guarantee. A digital signature owner who would like to repudiate a transaction maliciously may always claim that his/her digital signature key was stolen by someone who actually signed the digital transaction in question, thus repudiating the transaction.


The following types of non-repudiation services are defined in international standard ISO
14516:2002 (guidelines for the use and management of trusted third party services).

o Approval: non-repudiation of approval provides proof of who is responsible for approval
of the contents of a message.
o Sending: non-repudiation of sending provides proof of who sent the message.
o Origin: non-repudiation of origin is a combination of approval and sending.
o Submission: non-repudiation of submission provides proof that a delivery agent has
accepted the message for transmission.
o Transport: non-repudiation of transport provides proof for the message originator that
a delivery agent has delivered the message to the intended recipient.
o Receipt: non-repudiation of receipt provides proof that the recipient received the
message.
o Knowledge: non-repudiation of knowledge provides proof that the recipient recognized
the content of the received message.
o Delivery: non-repudiation of delivery is a combination of receipt and knowledge, as it
provides proof that the recipient received and recognized the content of the message.


Fun-Facts about Top Data Center Security-GOOGLE


2.3 Types of Controls

Central to information security is the concept of controls, which may be categorized by their functionality (preventive, detective, corrective, deterrent, recovery and compensating) and plane of application (physical, administrative or technical).

By functionality:

Preventive controls

Preventive controls are the first controls met by an adversary. These try to prevent security violations and enforce access control. Like other controls, these may be physical, administrative or technical. Doors, security procedures and authentication requirements are examples of physical, administrative and technical preventive controls respectively.

Detective controls

Detective controls are in place to detect security violations and alert the defenders. They come into play when preventive controls have failed or have been circumvented and are no less crucial than preventive controls. Detective controls include cryptographic checksums, file integrity checkers, audit trails and logs and similar mechanisms.

Corrective controls

Corrective controls try to correct the situation after a security violation has occurred. Although a violation has occurred, the data may remain secure, so it makes sense to try and fix the situation. Corrective controls vary widely, depending on the area being targeted, and they may be technical or administrative in nature.

Deterrent controls

Deterrent controls are intended to discourage potential attackers. Examples of deterrent controls include notices of monitoring and logging as well as the visible practice of sound information security management.

Recovery controls

Recovery controls are somewhat like corrective controls, but they are applied in more serious situations to recover from security violations and restore information and information processing resources. Recovery controls may include disaster recovery and business continuity mechanisms, backup systems and data, emergency key management arrangements and similar controls.

Compensating controls

Compensating controls are intended to be alternative arrangements for other controls when the original controls have failed or cannot be used. When a second set of controls addresses the same threats that are addressed by another set of controls, it acts as a compensating control.


By plane of application:

Physical controls include doors, secure facilities, fire extinguishers, flood protection and air conditioning.

Administrative controls are the organization's policies, procedures and guidelines intended to facilitate information security.

Technical controls are the various technical measures, such as firewalls, authentication systems, intrusion detection systems and file encryption, among others.

Access Control Models

Logical access control models are the abstract foundations upon which actual access control mechanisms and systems are built. Access control is among the most important concepts in computer security. Access control models define how computers enforce access of subjects (such as users, other computers, applications and so on) to objects (such as computers, files, directories, applications, servers and devices).

Three main access control models exist:

 Discretionary Access Control model
 Mandatory Access Control model
 Role Based Access Control model

Discretionary Access Control (DAC)

The Discretionary Access Control model is the most widely used of the three models. In the DAC model, the owner (creator) of information (file or directory) has the discretion to decide about and set access control restrictions on the object in question, which may, for example, be a file or a directory. The advantage of DAC is its flexibility. Users may decide who can access information and what they can do with it — read, write, delete, rename, execute and so on. At the same time, this flexibility is also a disadvantage of DAC because users may make wrong decisions regarding access control restrictions or maliciously set insecure or inappropriate permissions. Nevertheless, the DAC model remains the model of choice for the absolute majority of operating systems today, including Solaris.

Mandatory Access Control (MAC)

Mandatory access control, as its name suggests, takes a stricter approach to access control. In systems utilizing MAC, users have little or no discretion as to what access permissions they can set on their information. Instead, mandatory access controls specified in a system-wide security policy are enforced by the operating system and applied to all operations on that system. MAC based systems use data classification levels (such as public, confidential, secret and top secret) and security clearance labels corresponding to data classification levels to decide, in accordance with the security policy set by the system administrator, what access control restrictions to enforce. Additionally, per group and/or per domain access control restrictions may be imposed, i.e. in addition to having the required security clearance level, subjects (users or applications) must also belong to the appropriate group or domain. For example, a file with a confidential label belonging only to the research group may not be accessed by a user from the

marketing group, even if that user has a security clearance level higher than confidential (for example, secret or top secret). This concept is known as compartmentalization or 'need to know'.

Although MAC based systems, when used appropriately, are thought to be more secure than DAC based systems, they are also much more difficult to use and administer because of the additional restrictions and limitations imposed by the operating system. MAC based systems are typically used in government, military and financial environments where higher than usual security is required and where the added complexity and costs are tolerated. MAC is implemented in Trusted Solaris, a version of the Solaris operating environment intended for high security environments.

Role-Based Access Control (RBAC)

In the role based access control model, rights and permissions are assigned to roles instead of individual users. This added layer of abstraction permits easier and more flexible administration and enforcement of access controls. For example, access to marketing files may be restricted only to the marketing manager role, and users Ann, David, and Joe may be assigned the role of marketing manager. Later, when David moves from the marketing department elsewhere, it is enough to revoke his role of marketing manager, and no other changes would be necessary. When you apply this approach to an organization with thousands of employees and hundreds of roles, you can see the added security and convenience of using RBAC. Solaris has supported RBAC since release 8.

Centralized vs. Decentralized Access Control

Further distinction should be made between centralized and decentralized (distributed) access control models. In environments with centralized access control, a single, central entity makes access control decisions and manages the access control system, whereas in distributed access control environments these decisions are made and enforced in a decentralized manner. Both approaches have their pros and cons, and it is generally inappropriate to say that one is better than the other. The selection of a particular access control approach should be made only after careful consideration of an organization's requirements and associated risks.

Security Vulnerability Management

Security vulnerability management is the current evolutionary step of vulnerability assessment systems that began in the early 1990s with the advent of the network security scanner S.A.T.A.N. (Security Administrator's Tool for Analyzing Networks), followed by the 1st commercial vulnerability scanner from ISS. While early tools mainly found vulnerabilities and produced lengthy reports, today's best-in-class solutions deliver comprehensive discovery and support the entire security vulnerability management lifecycle.

A vulnerability can occur anywhere in the IT environment, and can be the result of many different root causes. Security vulnerability management solutions gather comprehensive endpoint and network intelligence, and apply advanced analytics to identify and prioritize the vulnerabilities that pose the most risk to critical systems. The result is actionable data that enables IT security teams to focus on the tasks that will most quickly and effectively reduce overall network risk with the fewest possible resources.

Security vulnerability management is a closed-loop workflow that generally includes identifying networked systems and associated applications, auditing

components may present existing or new security concerns and weaknesses, i.e. vulnerabilities. It may be product/component faults or it may be inadequate configuration. Malicious code or unauthorized individuals may exploit those vulnerabilities to cause damage, such as disclosure of credit card data. Vulnerability
management is the process of identifying
(scanning) the systems and applications for
those vulnerabilities and reacting
vulnerabilities and remediating the
appropriately to mitigate the risk.
vulnerabilities. Any IT infrastructure
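The MAC 'need to know' rule and the RBAC role revocation described above, as an added Python example that is not from the handbook or from any operating system's implementation. A subject may read an object only when its clearance level is at least the object's level and it holds every compartment the object is marked with, so a top-secret clearance alone does not open a research file; the RBAC part shows David losing access through a single role revocation. The labels, user names, file and role names are constructed for illustration.

```python
"""Added example (not from the handbook): a MAC label check with compartments
("need to know") beside a small RBAC model. Users, roles, compartments and file
names are constructed for illustration."""
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """MAC label: a hierarchical sensitivity level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this label's level is at least the other's AND it holds
        every compartment the other carries (the compartment test is what
        denies a top-secret marketing user access to research data)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_read_allowed(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)


class RBAC:
    """Rights are attached to roles; users are attached to roles.
    Moving a user between departments is a single role revocation."""

    def __init__(self):
        self.role_perms = {}   # role -> set of permissions
        self.user_roles = {}   # user -> set of roles

    def grant(self, role: str, perm: str) -> None:
        self.role_perms.setdefault(role, set()).add(perm)

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def allowed(self, user: str, perm: str) -> bool:
        return any(perm in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))


def demo_mac() -> dict:
    # Constructed labels: a research file and two subjects.
    research_file = Label("confidential", frozenset({"research"}))
    research_analyst = Label("confidential", frozenset({"research"}))
    marketing_director = Label("top secret", frozenset({"marketing"}))
    return {
        "research_analyst": mac_read_allowed(research_analyst, research_file),
        "marketing_director": mac_read_allowed(marketing_director, research_file),
    }


def demo_rbac() -> dict:
    rbac = RBAC()
    rbac.grant("marketing_manager", "read:marketing_files")
    for user in ("ann", "david", "joe"):
        rbac.assign(user, "marketing_manager")
    before = rbac.allowed("david", "read:marketing_files")
    rbac.revoke("david", "marketing_manager")   # David leaves marketing
    after = rbac.allowed("david", "read:marketing_files")
    return {"david_before": before, "david_after": after,
            "ann_after": rbac.allowed("ann", "read:marketing_files")}


if __name__ == "__main__":
    print(demo_mac())    # {'research_analyst': True, 'marketing_director': False}
    print(demo_rbac())   # {'david_before': True, 'david_after': False, 'ann_after': True}
```

The MAC check is the simple-security (read) rule of a lattice model; a real system would also enforce a write rule and take its labels from the kernel, not from application code.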
Vulnerability assessment and management is an essential piece for managing overall IT risk because:

Persistent threats: Attacks exploiting security vulnerabilities for financial gain and criminal agendas continue to dominate headlines.

Regulation: Many government and industry regulations mandate rigorous vulnerability management practices.

Risk management: Mature organizations treat it as a key risk management component. Organizations that follow mature IT security principles understand the importance of risk management.

Properly planned and implemented threat and vulnerability management programs represent a key element in an organization's information security program, providing an approach to risk and threat mitigation that is proactive and business aligned, not just reactive and technology focused.

Vulnerability Assessment

This includes assessing the environment for known vulnerabilities and assessing IT components against the security configuration policies (by device role) that have been defined for the environment. This is accomplished through scheduled vulnerability and configuration assessments of the environment.

Network based vulnerability assessment (VA) has been the primary method employed to baseline networks, servers and hosts. The primary strength of VA is breadth of coverage. Thorough and accurate vulnerability assessments can be accomplished for managed systems via credentialed access. Unmanaged systems can be discovered and a basic assessment can be completed. The ability to evaluate databases and web applications for security weaknesses is crucial, considering the rise of attacks that target these components.

Database scanners check database configuration and properties to verify whether they comply with database security best practices. Web application scanners test an application's logic for "abuse" cases that can break or exploit the application. Additional tools can be leveraged to perform more in-depth testing and analysis.

All three scanning technologies (network, application and database) assess a different class of security weaknesses, and most organizations need to implement all three.

Risk assessment

Larger issues should be expressed in the language of risk (e.g. ISO 27005), specifically expressing impact in terms of business impact. The business case for any remedial action should incorporate considerations relating to the reduction of risk and compliance with policy. This forms the basis of the action to be agreed on between the relevant line of business and the security team.

Risk analysis

"Fixing" the issue may involve acceptance of the risk, shifting of the risk to another party or reducing the risk by applying remedial action, which could be anything from a configuration change to implementing new infrastructure (e.g. data loss prevention, firewalls, host intrusion prevention software).

Elimination of the root cause of security weaknesses may require changes to user administration and system provisioning processes. Many processes and often several teams may come into play (e.g. configuration management, change management, patch management etc.). Monitoring and incident management processes are also required to maintain the environment.
Vulnerability enumeration

Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e. CVE
Identifiers) for publicly known information security vulnerabilities. CVE’s common
identifiers make it easier to share data across separate network security databases and
tools, and provide a baseline for evaluating the coverage of an organization’s security
tools. If a report from one of your security tools incorporates CVE identifiers, you may
then quickly and accurately access fix information in one or more separate CVE
compatible databases to remediate the problem.

Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) provides an open framework for
communicating the characteristics and impacts of IT vulnerabilities. Its quantitative
model ensures repeatable, accurate measurement while enabling users to see the
underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS
is well suited as a standard measurement system for industries, organizations and
governments that need accurate and consistent vulnerability impact scores.

Common Weakness Enumeration (CWE)

The Common Weakness Enumeration Specification (CWE) provides a common language
of discourse for discussing, finding and dealing with the causes of software security
vulnerabilities as they are found in code, design or system architecture. Each individual
CWE represents a single vulnerability type. CWEs are used as a classification mechanism
that differentiates CVEs by the type of vulnerability they represent. For more details see:
Common Weakness Enumeration.

Remediation Planning

Prioritization

Vulnerability and security configuration assessments typically generate very long remediation work lists, and this remediation work needs to be prioritized. When organizations initially implement vulnerability assessment and security configuration baselines, they typically discover that a large number of systems contain multiple vulnerabilities and security configuration errors. There is typically more mitigation work to do than the resources available to accomplish it. Therefore, prioritization is important.

Root Cause Analysis (RCA)

It is important to analyse security and vulnerability assessments in order to determine the root cause. In many cases, the root cause of a set of vulnerabilities lies within the provisioning, administration and maintenance processes of IT operations, or within the development or procurement processes of applications. Elimination of the root cause of security weaknesses may require changes to user administration and system provisioning processes.

What makes a good RCA?

An RCA is an analysis of a failure to determine the first (or root) failure that caused the ultimate condition in which the system finds itself. For example, in an application crash one should be thinking, why did it crash this way?

A security analyst's job in performing an RCA is to keep asking the inquisitive "why" until one runs out of room for questions, at which point they are faced with the problem at the root of the situation.

Example: consider an application that had its database pilfered by hackers. The ultimate failure the analyst may be investigating is the exfiltration of consumer private data, but SQL injection isn't what caused the failure. Why did the SQL injection happen? Was the root of the problem that the developer responsible simply didn't follow the corporate policy for building SQL queries? Or was the issue a failure to implement something like the OWASP ESAPI (the OWASP Enterprise Security API, a free, open source web application security control library that makes it easier for programmers to write lower-risk applications) in the appropriate manner? Or maybe the cause was a vulnerable open-source piece of code that was incorporated into the corporate application without passing it through the full source code lifecycle process?

Your job when you're performing an RCA is to figure this out. Root-cause analysis is super critical in the software security world. A number of automated solutions are also available for various types of RCA. For example, HP's web application security testing technology can link XSS issues to a single line of code in the application input handler.

Decision trees and algorithms may be used as tools for further detailed analysis. To learn more, visit: https://www.sans.org/reading-room/whitepapers/detection/decision-tree-analysis-intrusion-detection-how-to-guide-33678

[Figure: Ranking of cyber security objectives in terms of business priority. The bars read 4.7, 4.4, 3.5, 2.8 and 1.9 on a 0 to 5 scale; the objective label for each bar is not recoverable from the extracted text.]
 65% of organizations had an average of 3 DDoS attacks in the past 12 months.
 54 minutes of downtime during one DDoS attack.
 Average cost per minute of downtime is $22,000.
 Average annual cost of DDoS attacks is $3,000,000.


UNIT III
Data Leakage and Prevention

This unit covers:

 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
3.1 Introduction to Data Leakage
3.2 Organisational Data Classification, Location and Pathways
3.3 Content Awareness
3.4 Content Analysis Techniques
3.5 Data Protection
3.6 DLP Limitations
3.7 DRM – DLP Conundrum

Lesson Plan

Performance Outcomes:
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
PC3. carry out security assessment of information security systems using automated tools
PC11. comply with your organization's policies, standards, procedures and guidelines when contributing to managing information security

Ensuring Measures:
Going through various organizations' websites and understanding their policies and guidelines (Research). Project charter, architecture (charts), project plan, poster presentation and execution plan.

Duration (Hrs): 4 hrs

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Networking equipment: routers & switches
 Firewalls and access points
 Access to all security sites like ISO, PCI DSS
 Commercial tools like HP WebInspect and IBM AppScan etc.
 Open source tools like sqlmap, Nessus etc.

You need to know and understand:
KA12. your organization's information security systems and tools and how to access and maintain these
KA13. standard tools and templates available and how to use these
KB4. how to identify and resolve information security vulnerabilities and issues

Ensuring Measures:
KA12. Going through various organizations' websites and understanding their policies and guidelines (Research). Project charter, architecture (charts), project plan, poster presentation and execution plan.
KA13. Creation of templates based on the learnings from KA1 to KA12.
KB1 – KB4. Going through the security standards over the Internet by visiting sites like ISO, PCI DSS etc., and understanding the various methodologies and usage of algorithms.

Duration (Hrs): 4 hrs

Work Environment / Lab Requirement (KA1 to KA13): the same lab requirements as listed above.


Suggested Learning Activities

Activity 1:

Research the extent of data leakage in its various forms across different types of
organisations and incidents of leakage and related loss. Present the cases in class and
discuss the various steps that can be taken proactively and post event to ensure loss
prevention and minimisation.

Activity 2:

Ask students to identify work behaviours and practices that can lead to data leakage in a
work context. Also encourage students to look at their own environment and identify
various confidential and personal information and how their own practices and habits can
cause data leakage.

Activity 3:

Ask students to research various organisations that offer products and services in Data
Leakage Prevention and Data Risk Management. Compare the two, and note down and
present the various offerings, tools and their features, benefits and limitations.

Activity 4:

Discuss with students the three states of information

 Data at Rest
 Data in Motion
 Data in Use

Ask students to find examples of data around them and in their daily lives that are
categorised in these three. Ask them to state risks of data leakages and the various
sources of it.


Training Resource Material


3.1 Introduction to Data Leakage

Data leakage is defined as the accidental or unintentional distribution of private or sensitive
data to an unauthorized entity.

Sensitive data in companies and organizations include intellectual property (IP), financial
information, patient information, personal credit card data, and other information depending
on the business and the industry. Data leakage poses a serious issue for companies as the
number of incidents and the cost to those experiencing them continue to increase.

Data leakage is enhanced by the fact that transmitted data (both inbound and outbound), including emails, instant messaging, website forms and file transfers among others, are largely unregulated and unmonitored on their way to their destinations. Furthermore, in many cases, sensitive data are shared among various stakeholders such as employees working from outside the organization's premises (e.g. on laptops), business partners and customers. This increases the risk that confidential information will fall into unauthorized hands. Whether caused by malicious intent or an inadvertent mistake by an insider or outsider, exposure of sensitive information can seriously hurt an organization. The potential damage and adverse consequences of a data leakage incident can be classified into two categories:

1. Direct losses: These refer to tangible damage that is easy to measure or to estimate quantitatively. Indirect losses, on the other hand, are much harder to quantify and have a much broader impact in terms of cost, place and time.

2. Indirect losses: These include violations of regulations (such as those protecting customer privacy) resulting in fines; settlements or customer compensation fees; litigation involving lawsuits; loss of future sales; and costs of investigation and remedial or restoration fees. Indirect losses also include reduced share price as a result of negative publicity; damage to a company's goodwill and reputation; customer abandonment; and exposure of intellectual property (business plans, code, financial reports and meeting agendas) to competitors.

Enterprises use Data Leakage Prevention (DLP) technology as one component in a


comprehensive plan for the handling and transmission of sensitive data. The technological
means employed for enhancing DLP can be divided into the following categories:

• Standard security measures
• Advanced/ intelligent security measures
• Access control and encryption
• Designated DLP systems


Standard security measures are used by many organizations and include common mechanisms such as firewalls, intrusion detection systems (IDSs) and antivirus software that can provide protection against both outsider attacks (e.g. a firewall which limits access to the internal network and an intrusion detection system which detects attempted intrusions) and insider attacks (e.g. antivirus scans to detect a Trojan horse that may be installed on a PC to send confidential information).

Another example is the use of thin clients which operate in a client-server architecture, with no personal or sensitive data stored on a client's computer. Policies and training for improving the awareness of employees and partners provide additional standard security measures.

Advanced or intelligent security measures include machine learning and temporal reasoning algorithms for detecting abnormal access to data (i.e. databases or information retrieval systems), activity based verification (e.g. based on keystrokes and mouse patterns), detection of abnormal email exchange patterns, and applying the honeypot concept for detecting malicious insiders.

Device control, access control and encryption are used to prevent access by an unauthorized user.
These are the simplest measures that can be taken to protect large amounts of personal data
against malicious outsider and insider attacks.

Designated DLP solutions are intended to detect and prevent attempts to copy or send sensitive data, intentionally or unintentionally, without authorization, mainly by personnel who are authorized to access the sensitive information. A major capability of such solutions is an ability to classify content as sensitive. Designated DLP solutions are typically implemented using mechanisms such as exact data matching, structured data fingerprinting, statistical methods (e.g. machine learning), rule and regular expression matching, published lexicons, conceptual definitions and keywords.

Data Leakage Prevention (DLP) solutions, are often referred to as Information Leak Prevention
(ILP), Data Leak/ Loss Prevention (DLP), Outbound Content Compliance, Content Monitoring and
Filtering, Content Monitoring and Protection (CMP) or Extrusion Prevention.


A designated data leakage prevention solution is defined as a system that is designed to detect and prevent the unauthorized access, use or transmission of confidential information.

Data in each state often requires different techniques for loss prevention. For example, although deep content inspection is useful for data in motion, it doesn't help so much for data at rest. Therefore, an effective data loss prevention program should adopt appropriate techniques to cover all the organization's potential loss modes.

Enterprise data generally exists in the following three major states:

 Data at rest: it resides in files systems, distributed desktops and large centralized data
stores, databases or other storage centers.

 Data at the endpoint or in use: it resides at network endpoints such as laptops; USB
devices; external drives; CD/ DVDs; archived tapes; MP3 players; iPhones or other
highly mobile devices.

 Data in motion: it moves through the network to the outside world via email, instant
messaging, peer-to-peer (P2P), FTP or other communication mechanisms.


[Figure: Types of data leaked (pie chart). Categories: NPI (e.g. Customer Data), Confidentiality Info, PHI (e.g. Patient's Records), Intellectual Property. Shares shown: 73%, 15%, 8%, 4%; which share belongs to which category is not recoverable from the extracted text.]

[Figure: Data Leak Vectors (pie chart). Categories: HTTP, Email, Networked Printer, End Point, Internal Mail, IM, Webmail, Others. Shares shown: 42%, 16%, 12%, 11%, 10%, 5%, 3%, 1%; which share belongs to which category is not recoverable from the extracted text.]

Source: http://www.networksunlimited.com


3.2 Organizational Data Classification, Location and Pathways

Enterprises are often unaware of all of the types and locations of information they possess.

It is important, prior to purchasing a DLP solution, to identify and classify sensitive data types and their flow from system to system and to users. This process should yield a data taxonomy or classification system that will be leveraged by various DLP modules as they scan for and take action on information that falls into the various classifications within the taxonomy. Analysis of critical business processes should yield the required information.

Classifications can include categories such as private customer or employee data, financial data and intellectual property. Once the data have been identified and classified appropriately, further analysis of processes should facilitate the location of primary data stores and key data pathways.

Frequently multiple copies and variations of the same data are scattered across the enterprise on servers, individual workstations, tape and other media. Copies are frequently made to facilitate application testing without first cleansing the data of sensitive content. Having a good idea of the data classifications and the location of the primary data stores proves helpful in both the selection and placement of the DLP solution.

Once the DLP solution is in place, it can assist in locating additional data locations and pathways. It is also important to understand the enterprise's data life cycle. Understanding the life cycle from point of origin through processing, maintenance, storage and disposal will help uncover further data repositories and transmission paths. Additional information should be collected by conducting an inventory of all data egress points, since not all business processes are documented and not all data movement is the result of an established process. Analysis of firewall and router rule sets can aid these efforts.

DLP features vs. DLP solutions

The DLP market is also split between DLP as a feature and DLP as a solution. A number of
products, particularly email security solutions, provide basic DLP functions, but aren't complete
DLP solutions. The difference is:

• A DLP product includes centralized management, policy creation and enforcement workflow dedicated to the monitoring and protection of content and data. The user interface and functionality are dedicated to solving the business and technical problems of protecting content through content awareness.
• DLP features include some of the detection and enforcement capabilities of DLP products, but are not dedicated to the task of protecting content and data.


3.3 Content Awareness

Content vs. Context

We need to distinguish content from context. One of the defining characteristics of DLP solutions is their content awareness. This is the ability of products to analyse deep content using a variety of techniques, and is very different from analysing context. It's easiest to think of content as a letter and context as the envelope and environment around it.

Context includes things like source; destination; size; recipients; sender; header information; metadata; time; format and anything else short of the content of the letter itself. Context is highly useful and any DLP solution should include contextual analysis as part of an overall solution. A more advanced version of contextual analysis is business context analysis, which involves deeper analysis of the content, its environment at the time of analysis and the use of the content at that time.

Content awareness involves peering inside containers and analysing the content itself. The advantage of content awareness is that while we use context, we're not restricted by it. If I want to protect a piece of sensitive data, I would want to protect it everywhere and not just in obviously sensitive containers. I'm protecting the data, not the envelope, so it makes a lot more sense to open the letter, read it, and decide how to treat it. This is more difficult and time consuming than basic contextual analysis and is the defining characteristic of DLP solutions.

Content Analysis

The first step in content analysis is capturing the envelope and opening it. The engine then needs to parse the context (we'll need that for the analysis) and dig into it. This is easy for a plain text email, but when you want to look inside binary files, it gets a little more complicated.

All DLP solutions solve this using file cracking. File cracking is the technology used to read and understand the file, even if the content is buried multiple levels down. For example, it's not unusual for the cracker to read an Excel spreadsheet embedded in a Word file that's zipped. The product needs to unzip the file, read the Word doc, analyse it, find the Excel data, read it and analyse it.

Other situations get far more complex, like a .pdf embedded in a CAD file. Many of the products in the market today support around 300 file types, embedded content, multiple languages, double byte character sets for Asian languages, and pulling plain text from unidentified file types. Quite a few use the Autonomy or Verity content engines to help with file cracking, but all the serious tools have quite a bit of proprietary capability in addition to the embedded content engine. Some tools support analysis of encrypted data if enterprise encryption is used with recovery keys, and most tools can identify standard encryption and use that as a contextual rule to block/ quarantine content.
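The file-cracking step described under Content Analysis, as an added Python example that is not from the handbook or from any DLP vendor's engine. It descends recursively through ZIP containers (the format underneath Office documents and many archives), falls back to pulling printable text runs from unidentified binaries, and caps the nesting depth, which a production cracker must do because a recursively nested archive is an easy way to exhaust it. The sample archive, its file names and the card-number pattern are constructed for the example; the card number is a standard test number.

```python
"""Added example (not from the handbook): a minimal "file cracker" that opens
nested containers so the content engine can see text buried several levels down.
The sample archive is constructed in memory; the regex is illustrative."""
import io
import re
import zipfile

MAX_DEPTH = 8          # stop descending into archives nested deeper than this
TEXT_EXT = (".txt", ".csv", ".xml", ".html", ".json")


def printable_runs(data: bytes, min_len: int = 6) -> str:
    """Fallback for unknown binary formats: keep runs of printable ASCII."""
    return "\n".join(m.decode("ascii")
                     for m in re.findall(rb"[ -~]{%d,}" % min_len, data))


def crack(name: str, data: bytes, depth: int = 0):
    """Yield (path, text) for every text-bearing component found in `data`."""
    if depth > MAX_DEPTH:
        yield (name, "")                          # refuse to go deeper; flag for review
        return
    if zipfile.is_zipfile(io.BytesIO(data)):      # ZIP, and so docx/xlsx/jar as well
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                yield from crack(f"{name}/{info.filename}", zf.read(info), depth + 1)
        return
    if name.lower().endswith(TEXT_EXT):
        yield (name, data.decode("utf-8", errors="replace"))
    else:
        yield (name, printable_runs(data))


def build_sample() -> bytes:
    """Constructed input: a ZIP holding a text memo, an opaque binary, and an
    inner ZIP that itself holds a CSV containing a test card number."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("customers.csv", "name,card\nAlice Example,4111 1111 1111 1111\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("memo.txt", "Quarterly numbers attached.")
        zf.writestr("blob.bin", b"\x00\x01\x02PROJECT-BLUEBIRD-ROADMAP\xff\xfe")
        zf.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


def find_sensitive(container: bytes, pattern=r"\b(?:\d[ -]?){13,19}\b") -> list:
    """Return the component paths whose extracted text matches `pattern`."""
    rx = re.compile(pattern)
    return [path for path, text in crack("upload.zip", container) if rx.search(text)]


if __name__ == "__main__":
    for path, text in crack("upload.zip", build_sample()):
        print(path, "->", text.strip()[:40])
    print("hits:", find_sensitive(build_sample()))   # ['upload.zip/archive.zip/customers.csv']
```

A real engine adds parsers for each supported format in place of the printable-string fallback, and the path it reports (container/inner/file) is exactly the context the policy engine needs to decide whether the match matters.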


3.4 Content Analysis Techniques

Once the content is accessed, there are seven major analysis techniques used to find policy violations, each with its own strengths and weaknesses.

1. Rule based/ Regular expressions: This is the most common analysis technique available in both DLP products and other tools with DLP features. It analyses the content for specific rules, such as 16 digit numbers that meet credit card checksum requirements, medical billing codes or other textual analyses. Most DLP solutions enhance basic regular expressions with their own additional analysis rules (e.g. a name in proximity to an address near a credit card number).

Best used for: a first-pass filter, or for detecting easily identified pieces of structured data like credit card numbers, social security numbers and healthcare codes/ records.

Strengths: rules process quickly and can be easily configured. Most products ship with initial rule sets. The technology is well understood and easy to incorporate into a variety of products.

Weaknesses: prone to high false positive rates. Offers very little protection for unstructured content like sensitive intellectual property.

2. Database fingerprinting: Sometimes called Exact Data Matching, this technique takes either a database dump or live data (via ODBC connection) from a database and only looks for exact matches. For example, you could generate a policy to look only for credit card numbers in your customer base, thus ignoring your own employees buying online. More advanced tools look for combinations of information, such as the magic combination of first name or initial with last name, credit card or social security number that triggers a disclosure. Make sure you understand the performance and security implications of nightly extracts vs. live database connections.

Best used for: structured data from databases.

Strengths: very low false positives (close to 0). Allows you to protect customer/ sensitive data while ignoring other, similar data used by employees (like their personal credit cards for online orders).

Weaknesses: nightly dumps won't contain transaction data since the last extract. Live connections can affect database performance. Large databases affect product performance.

3. Exact file matching: With this technique you take a hash of a file and monitor for any files that match that exact fingerprint. Some consider this to be a contextual analysis technique since the file contents themselves are not analysed.

Best used for: media files and other binaries where textual analysis isn't necessarily possible.

Strengths: works on any file type, low false positives with a large enough hash value (effectively none).

Weaknesses: trivial to evade. Worthless for content that's edited, such as standard office documents and edited media files.
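Techniques 1 and 2 above side by side, as an added Python example that is not from the handbook or from any DLP product. A regular-expression pass finds 16-digit candidates and keeps those that pass the Luhn checksum; an exact-data-matching pass then accepts only numbers registered from a nightly customer database extract, so an employee's own card in the same message is ignored, as the text describes. The customer extract, the outbound message and the salt are constructed; the card numbers are the standard published test numbers, not real accounts.

```python
"""Added example (not from the handbook): rule-based detection with a Luhn
checksum (technique 1) and exact data matching against a registered database
extract (technique 2). Data below is constructed; card numbers are test numbers."""
import hashlib
import re

# 16 digits with optional space or dash separators, not adjoining other digits.
CARD_RX = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum, the check most DLP regex packs apply to candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def rule_based_scan(text: str) -> list:
    """Technique 1: regex + checksum. Fast, but flags every valid-looking number."""
    return [normalize(m.group()) for m in CARD_RX.finditer(text)
            if luhn_ok(normalize(m.group()))]


def fingerprint(value: str, salt: bytes) -> str:
    """Registered values are stored as salted hashes rather than in the clear,
    so the DLP policy store is not itself another copy of the customer database."""
    return hashlib.sha256(salt + value.encode()).hexdigest()


class ExactDataMatcher:
    """Technique 2: match only values extracted from a database (a nightly dump here)."""

    def __init__(self, rows, column: str, salt: bytes):
        self.salt = salt
        self.registered = {fingerprint(normalize(r[column]), salt) for r in rows}

    def scan(self, text: str) -> list:
        return [c for c in rule_based_scan(text)
                if fingerprint(c, self.salt) in self.registered]


# Constructed nightly extract from the customer database.
CUSTOMER_DUMP = [
    {"id": 1, "name": "A. Customer", "card": "4111 1111 1111 1111"},
    {"id": 2, "name": "B. Customer", "card": "5555-5555-5555-4444"},
]
SALT = b"example-salt-rotate-in-production"   # constructed

# Constructed outbound message: one customer card, one employee's own card
# (a valid test number not in the dump), and one number that fails Luhn.
OUTBOUND = ("Refund 4111 1111 1111 1111 for ticket 4471. "
            "I bought lunch on my card 4012 8888 8888 1881. "
            "Order ref 1234 5678 9012 3456.")


def demo() -> dict:
    edm = ExactDataMatcher(CUSTOMER_DUMP, "card", SALT)
    return {"rule_based": rule_based_scan(OUTBOUND), "exact_match": edm.scan(OUTBOUND)}


if __name__ == "__main__":
    print(demo())
    # {'rule_based': ['4111111111111111', '4012888888881881'],
    #  'exact_match': ['4111111111111111']}
```

The gap between the two result lists is the false-positive reduction the text attributes to exact data matching; the price is that a card added to the database after the nightly extract is invisible until the next one.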

4._Partial document matching: This documents you want to protect. Trivial to


technique looks for a complete or partial avoid (ROT 1 encryption is sufficient for
match on protected content. Thus you evasion).
could build a policy to protect a sensitive
5._Statistical analysis: Use of machine
document, and the DLP solution will look
learning, Bayesian analysis and other
for either the complete text of the
statistical techniques to analyse a corpus
document, or even excerpts as small as a
of content and find policy violations in
few sentences. For example, you could
content that resembles the protected
load up a business plan for a new product
content. This category includes a wide
and the DLP solution would alert if an
range of statistical techniques, which vary greatly in implementation and effectiveness. Some techniques are very similar to those used to block spam.

Its advantages are: unstructured content where a deterministic technique, like partial document matching, would be ineffective. For example, a repository of engineering plans that's impractical to load for partial document matching due to high volatility or massive volume.

Strengths: can work with more nebulous content where you may not be able to isolate exact documents for matching. Can enforce policies such as "alert on anything outbound that resembles the documents in this directory".

Weaknesses: prone to false positives and false negatives. Requires a large corpus of source content; the bigger, the better.

Partial document matching (continued): an employee pasted a single paragraph into an Instant Message. Most solutions are based on a technique known as cyclical hashing, where you take a hash of a portion of the content, offset a predetermined number of characters, then take another hash, and keep going until the document is completely loaded as a series of overlapping hash values. Outbound content is run through the same hash technique, and the hash values are compared for matches. Many products use cyclical hashing as a base, then add more advanced linguistic analysis.

Its advantages are: protecting sensitive documents, or similar content with text such as CAD files (with text labels) and source code; unstructured content that is known to be sensitive.

Strengths: ability to protect unstructured data. Generally low false positives (some vendors will say zero false positives, but any common sentence or passage in a protected document can trigger alerts). Doesn't rely on complete matching of large documents; it can find policy violations on even a partial match.

Weaknesses: performance limitations on the total volume of content that can be protected. Common phrases or verbiage in a protected document may trigger false positives. Must know exactly which

6. Conceptual/ Lexicon: This technique uses a combination of dictionaries, rules and other analyses to protect nebulous content that resembles an "idea". It's easier to give an example: a policy that alerts on traffic that resembles insider trading, which uses key phrases, word counts and positions to find violations. Other examples are sexual harassment, running a private business from a work account and job hunting.

Its advantages are: completely unstructured ideas that defy simple categorization based on matching known documents, databases or other registered sources.

Strengths: not all corporate policies or content can be described using specific examples. Conceptual analysis can find closely defined policy violations that other techniques can't even think of monitoring for.

Weaknesses: in most cases these are not user-definable, and the rule sets must be built by the DLP vendor with significant effort, which costs more. This technique is very prone to false positives and negatives because of the flexible nature of the rules.

7. Categories: Pre-built categories with rules and dictionaries for common types of sensitive data, such as credit card numbers/ PCI protection, HIPAA etc.

Its advantages are: anything that neatly fits a provided category. Typically, easy to describe content related to privacy, regulations or industry specific guidelines.

Strengths: extremely simple to configure. Saves significant policy generation time. Category policies can form the basis for more advanced, enterprise specific policies. For many organizations, categories can meet a large percentage of their data protection needs.

Weaknesses: one size fits all might not work. Only good for easily categorized rules and content.

These seven techniques form the basis for most of the DLP products on the market. Not all products include all techniques, and there can be significant differences between implementations. Most products can also chain techniques, building complex policies from combinations of content and contextual analysis techniques.
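The cyclical hashing that underpins partial document matching, written out as an added example; this is not code from the handbook or from any DLP vendor. The 8-token window, SHA-256 as the chunk hash, the threshold of 8 matching chunks, and the constructed business plan and messages are assumptions chosen for the demonstration. It registers a protected document, then scans an instant message that carries a pasted paragraph and a routine email that merely shares a stock closing phrase with the plan, which is the false-positive weakness described above.

```python
"""Cyclical (rolling) hashing for partial document matching.

Added illustration, not code from the handbook or from any DLP product.
Assumptions: an 8-token window, SHA-256 as the chunk hash and a default
threshold of 8 matching chunks are tuning choices made for this example;
real products also layer linguistic analysis on top of the hashes.
"""
from __future__ import annotations

import hashlib
import re

WINDOW = 8        # tokens per hashed chunk
MIN_CHUNKS = 8    # matching chunks needed before we call it a violation


def tokenize(text: str) -> list[str]:
    """Lower-case and drop punctuation so that reflowing or re-punctuating a
    pasted paragraph does not change its hashes."""
    return re.findall(r"[a-z0-9]+", text.lower())


def chunk_hashes(text: str, window: int = WINDOW) -> list[str]:
    """Hash every window of `window` consecutive tokens, advancing one token
    at a time, so the chunks overlap and any alignment of a pasted excerpt
    lines up with a registered chunk."""
    tokens = tokenize(text)
    if len(tokens) < window:                 # short text: hash it as one chunk
        return [hashlib.sha256(" ".join(tokens).encode()).hexdigest()]
    return [
        hashlib.sha256(" ".join(tokens[i:i + window]).encode()).hexdigest()
        for i in range(len(tokens) - window + 1)
    ]


class PartialDocumentMatcher:
    """Registry of chunk hashes for protected documents. Outbound content is
    hashed the same way and looked up; only hashes are stored, never the
    protected text itself."""

    def __init__(self) -> None:
        self.index: dict[str, set[str]] = {}   # chunk hash -> document names

    def register(self, name: str, text: str) -> None:
        for h in chunk_hashes(text):
            self.index.setdefault(h, set()).add(name)

    def scan(self, outbound: str) -> dict[str, int]:
        """Return {document name: number of matching chunks} for outbound text."""
        hits: dict[str, int] = {}
        for h in chunk_hashes(outbound):
            for doc in self.index.get(h, ()):
                hits[doc] = hits.get(doc, 0) + 1
        return hits

    def is_violation(self, outbound: str, min_chunks: int = MIN_CHUNKS) -> bool:
        """A single shared sentence is a false-positive risk; require several
        overlapping chunks before alerting."""
        return any(n >= min_chunks for n in self.scan(outbound).values())


# Constructed sample data for the demonstration (not a real plan).
BUSINESS_PLAN = (
    "Project Kestrel will launch a subscription tier in the second quarter. "
    "We expect eighteen thousand paying customers by year end and a gross margin "
    "of sixty two percent once hosting costs are renegotiated. "
    "Please do not hesitate to contact us if you have any questions."
)
# An instant message with one paragraph of the plan pasted in and reformatted.
IM_PASTE = ("fyi: We expect eighteen thousand paying customers by year end and a "
            "gross margin of sixty two percent once hosting costs are renegotiated!!")
# A routine email that only shares a stock closing phrase with the plan.
ROUTINE_EMAIL = ("Thanks for the update. Please do not hesitate to contact us if you "
                 "have any questions.")


def build_demo_matcher() -> PartialDocumentMatcher:
    matcher = PartialDocumentMatcher()
    matcher.register("business-plan", BUSINESS_PLAN)
    return matcher


if __name__ == "__main__":
    m = build_demo_matcher()
    print("pasted paragraph:", m.scan(IM_PASTE), "violation:", m.is_violation(IM_PASTE))
    print("routine email:   ", m.scan(ROUTINE_EMAIL), "violation:", m.is_violation(ROUTINE_EMAIL))
```

The registry holds one hash per token of protected content, which is the volume limitation noted under Weaknesses; a rolling hash would avoid rehashing each window from scratch, but the matching logic is the same. Lowering min_chunks to 1 makes the routine email trip the policy, which is exactly the "common sentence" false positive the section warns about.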

92
Trainer’s Guide– Security Analyst SSC/N0901

3.5 Data Protection

The goal of DLP is to protect content throughout its lifecycle. In terms of DLP, this includes
three major aspects:
• Data at Rest includes scanning of storage and other content repositories to identify
where sensitive content is located. We call this content discovery. For example, you can
use a DLP product to scan your servers and identify documents with credit card
numbers. If the server isn't authorized for that kind of data, the file can be encrypted
or removed or a warning sent to the file owner.

• Data in Motion is sniffing of traffic on the network (passively or inline via proxy) to
identify content being sent across specific communications channels. For example, this
includes sniffing emails, instant messages and web traffic for snippets of sensitive
source code. In motion, tools can often block based on central policies depending on
the type of traffic.

• Data in Use is typically addressed by endpoint solutions that monitor data as the user
interacts with it. For example, they can identify when you attempt to transfer a sensitive
document to a USB drive and block it (as opposed to blocking use of the USB drive
entirely). Data in use tools can also detect things like copy and paste or use of sensitive
data in an unapproved application (such as someone attempting to encrypt data to
sneak it past the sensors).

Many organizations first enter the world of DLP with network based products that provide broad protection for managed and unmanaged systems. It's typically easier to start a deployment with network products to gain broad coverage quickly. Early products limited themselves to basic monitoring and alerting, but all current products include advanced capabilities to integrate with existing network infrastructure and provide protective, not just detective, controls.

Data In Motion

Network Monitor

At the heart of most DLP solutions lies a passive network monitor. The network monitoring component is typically deployed at or near the gateway on a SPAN port (or a similar tap). It performs full packet capture, session reconstruction and content analysis in real time. Performance is more complex and subtle than vendors normally discuss. First, on the client expectation side, most clients claim they need full gigabit Ethernet performance, but that level of performance is unnecessary except in very unusual circumstances, since few organizations really run that high a level of communications traffic. DLP is a tool to monitor employee communications, not web application traffic. Realistically, small enterprises normally run under 50 MB/s of relevant traffic, medium enterprises closer to 50-200 MB/s and large enterprises around 300 MB/s (maybe as high as 500 in a few cases). Treat these as rough sizing figures rather than a specification: read literally as megabytes per second, 300 MB/s already exceeds a gigabit link, so measure the relevant traffic at your own gateway before sizing a monitor. Not every product runs full packet capture because of the content analysis overhead. You might have to choose between pre-filtering (and thus missing non-standard traffic) or buying more boxes and load balancing. Also, some products lock monitoring into pre-defined port and protocol combinations, rather than using service/ channel identification based on packet content. Even if full application channel identification is included, make sure it's enabled; otherwise you might miss non-standard communications such as a connection over an unusual port. Most network monitors are dedicated general purpose server hardware with DLP software installed. A few vendors deploy true specialized appliances. While some products have their management, workflow and reporting built into the network monitor, this is often offloaded to a separate server or appliance.

Email Integration

The next major component is email integration. Since email is stored and forwarded, you can gain a lot of

capabilities, including quarantine, encryption integration and filtering, without the hurdles that come with blocking synchronous traffic.

Most products embed an MTA (Mail Transfer Agent) into the product, allowing you to just add it as another hop in the email chain. Quite a few also integrate directly with some of the major existing MTAs/ email security solutions for better performance. One weakness of this approach is that it doesn't give you access to internal email. If you're on an Exchange server, internal messages never pass through the external MTA, since there's no reason to send that traffic out. To monitor internal mail you'll need direct Exchange/ Lotus integration, which is surprisingly rare in the market. Full integration is different from just scanning logs/ libraries after the fact, which is what some companies call internal mail support. Good email integration is absolutely critical if you ever want to do any filtering, as opposed to just monitoring.

Filtering/ Blocking and Proxy Integration

Nearly anyone deploying a DLP solution will eventually want to start blocking traffic. There's only so long you can watch all your sensitive data running to the nether regions of the Internet before you start taking some action. Blocking isn't the easiest thing in the world, especially since we're trying to allow good traffic: block only bad traffic, and make the decision using real-time content analysis. Email, as we mentioned, is fairly straightforward to filter. It's not quite real time and is 'proxied' by its very nature. Adding one more analysis hop is a manageable problem in even the most complex environments. Outside of email, most of our communications traffic is synchronous. Everything runs in real time. Thus if we want to filter it we either need to bridge the traffic, proxy it or poison it from the outside.

Bridge

With a bridge, we just have a system with two network cards which performs content analysis in the middle. If it sees something bad, the bridge breaks the connection for that session. Bridging isn't the best approach for DLP since it might not stop all the bad traffic before it leaks out. It's like sitting in a doorway watching everything go past with a magnifying glass: by the time you have seen enough traffic to make an intelligent decision, you may have missed the really good stuff. Very few products take this approach, although it does have the advantage of being protocol agnostic.

Proxy

In simplified terms, a proxy is protocol/ application specific and queues up traffic before passing it on, allowing for deeper analysis. We see gateway proxies mostly for HTTP, FTP and IM protocols. Few DLP solutions include their own proxies. They tend to integrate with existing gateway/ proxy vendors, since most customers prefer integration with these existing tools. Integration for web gateways is typically through the ICAP protocol (Internet Content Adaptation Protocol, RFC 3507), which lets the proxy hand the traffic to the DLP product for analysis and cut the communication if there's a violation. This means you don't have to add another piece of hardware in front of your network traffic, and the DLP vendors can avoid the difficulties of building dedicated network hardware for inline analysis.
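The ICAP handoff just described, in runnable form as an added example; this is not code from the handbook or from any gateway or DLP vendor. The service URL icap://dlp.example.com/reqmod, the upload host files.example.org and the policy rule (block request bodies marked "INTERNAL ONLY") are invented for the demonstration, and only the message framing needed here is implemented. A real deployment would plug the content analysis techniques from the previous section into violates_policy and must also answer the ICAP OPTIONS method, which is omitted.

```python
"""Minimal ICAP REQMOD handler of the kind a DLP engine exposes to a web
gateway (RFC 3507).

Added illustration, not code from the handbook or from any vendor.
Assumptions: the service URL, the upload host and the "INTERNAL ONLY"
rule are invented; OPTIONS handling and preview mode are omitted.
"""
from __future__ import annotations

ISTAG = b'ISTag: "dlp-policy-1"\r\n'     # required on every ICAP response


def parse_encapsulated(value: str) -> dict[str, int]:
    """'req-hdr=0, req-body=152' -> {'req-hdr': 0, 'req-body': 152}.
    Offsets are byte positions within the encapsulated section."""
    out: dict[str, int] = {}
    for part in value.split(","):
        name, _, offset = part.strip().partition("=")
        out[name] = int(offset)
    return out


def decode_chunked(data: bytes) -> bytes:
    """Decode the HTTP chunked framing ICAP uses for encapsulated bodies."""
    body, pos = b"", 0
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";")[0], 16)   # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            return body
        body += data[pos:pos + size]
        pos += size + 2                                     # skip the chunk's CRLF


def encode_chunked(body: bytes) -> bytes:
    return (b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)) if body else b"0\r\n\r\n"


def violates_policy(body: bytes) -> bool:
    """Stand-in for the DLP content analysis: a simple marker check."""
    return b"INTERNAL ONLY" in body.upper()


def handle_reqmod(message: bytes) -> bytes:
    """Take one ICAP request from the proxy and return the ICAP response."""
    head, _, encapsulated = message.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split()[0]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if method != "REQMOD":
        return b"ICAP/1.0 405 Method Not Allowed\r\n" + ISTAG + b"Encapsulated: null-body=0\r\n\r\n"

    enc_header = headers.get("encapsulated", "null-body=0")
    enc = parse_encapsulated(enc_header)
    body = decode_chunked(encapsulated[enc["req-body"]:]) if "req-body" in enc else b""

    if not violates_policy(body):
        if "204" in headers.get("allow", ""):
            # 204: the proxy forwards the original request untouched
            return b"ICAP/1.0 204 No Content\r\n" + ISTAG + b"Encapsulated: null-body=0\r\n\r\n"
        # The client did not allow 204, so echo the request back unchanged
        return (b"ICAP/1.0 200 OK\r\n" + ISTAG
                + b"Encapsulated: " + enc_header.encode() + b"\r\n\r\n" + encapsulated)

    # Violation: replace the outbound request with an HTTP 403 that the proxy
    # returns to the user, so the upload never reaches the Internet.
    http_body = b"Blocked by DLP policy: this content may not leave the organisation.\n"
    http_headers = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
                    b"Content-Length: %d\r\n\r\n" % len(http_body))
    return (b"ICAP/1.0 200 OK\r\n" + ISTAG
            + b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http_headers)
            + http_headers + encode_chunked(http_body))


def build_sample_request(body: bytes, allow_204: bool = True) -> bytes:
    """Constructed REQMOD message such as a proxy would send for an HTTP POST."""
    http_req = (b"POST /upload HTTP/1.1\r\nHost: files.example.org\r\n"
                b"Content-Type: text/plain\r\nContent-Length: %d\r\n\r\n" % len(body))
    icap_head = (b"REQMOD icap://dlp.example.com/reqmod ICAP/1.0\r\n"
                 b"Host: dlp.example.com\r\n"
                 + (b"Allow: 204\r\n" if allow_204 else b"")
                 + b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(http_req))
    return icap_head + http_req + encode_chunked(body)


if __name__ == "__main__":
    print(handle_reqmod(build_sample_request(b"quarterly newsletter draft")).decode())
    print(handle_reqmod(build_sample_request(b"Roadmap - INTERNAL ONLY - do not forward")).decode())
```

Because the proxy queues the whole request before asking, the engine sees the complete body and can block before any byte leaves, which is the advantage over bridging and TCP poisoning described in this section. Note that a 204 may only be returned when the proxy offered it with Allow: 204; otherwise the unmodified request must be echoed back.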

If the gateway includes an SSL/TLS-intercepting proxy (sometimes described as a reverse SSL proxy) you can also sniff SSL connections. You will need to make changes on your endpoints (typically installing and trusting the proxy's signing certificate) to deal with all the certificate alerts, but you can now peer into encrypted traffic. For Instant Messaging, you'll need an IM proxy and a DLP product that specifically supports whatever IM protocol you're using.

TCP Poisoning

The last method of filtering is TCP poisoning. You monitor the traffic and when you see something bad, you inject a TCP reset packet to kill the connection. This works on every TCP protocol but isn't very efficient. For one thing, some protocols will keep trying to get the traffic through: if you TCP poison a single email message, the server will keep trying to send it for three days, as often as every 15 minutes. The other problem is the same as bridging. Since you don't queue the traffic at all, by the time you notice something bad it might be too late. It's a good stop-gap to cover non-standard protocols, but you'll want to proxy as much as possible.

Internal Networks

Although technically capable of monitoring internal networks, DLP is rarely used on internal traffic other than email. Gateways provide convenient choke points. Internal monitoring is a daunting prospect from cost, performance and policy management/ false positive standpoints. A few DLP vendors have partnerships for internal monitoring, but this is a lower priority feature for most organizations.

Distributed and Hierarchical Deployments

All medium to large enterprises and many smaller organizations have multiple locations and web gateways. A DLP solution should support multiple monitoring points, including a mix of passive network monitoring, proxy points, email servers and remote locations. While processing/ analysis can be offloaded to remote enforcement points, they should send all events back to a central management server for workflow, reporting, investigations and archiving. Remote offices are usually easy to support since you can just push policies down and reporting back, but not every product has this capability. The more advanced products support hierarchical deployments for organizations that want to manage DLP differently in multiple geographic locations or by business unit. International companies often need this to meet legal monitoring requirements, which vary by country. Hierarchical management supports coordinated local policies and enforcement in different regions, running on their own management servers and communicating back to a central management server. Early products only supported one management server, but now there are options to deal with these distributed situations with a mix of corporate/ regional/ business unit policies, reporting and workflow.

Data At Rest

While catching leaks on the network is fairly powerful, it's only one small part of the problem. Many customers are finding that it's just as valuable, if not more valuable, to figure out where all that data is stored in the first place. We call this content discovery. Enterprise search tools might be able to help with this, but they really aren't tuned well for this specific problem. Enterprise data classification tools can also help, but based on discussions with a number of clients, they don't seem to work well for finding specific policy violations. Thus we see many clients
opting to use the content discovery features of their DLP products. The biggest advantage of content discovery in a DLP tool is that it allows you to take a single policy and apply it across data no matter where it's stored, how it's shared or how it's used. For example, you can define a policy that requires credit card numbers to only be emailed when encrypted, never be shared via HTTP or HTTPS, only be stored on approved servers and only be stored on workstations/ laptops by employees on the accounting team. All of this can be specified in a single policy on the DLP management server.
Content discovery consists of three components:

 Endpoint discovery: scanning workstations and laptops for content.
 Storage discovery: scanning mass storage, including file servers, SAN and NAS.
 Server discovery: application specific scanning of stored data on email servers, document management systems and databases (not currently a feature of most DLP products, but beginning to appear in some Database Activity Monitoring products).

Content Discovery Techniques

There are three basic techniques for content discovery:

1. Remote scanning: a connection is made to the server or device using a file sharing or application protocol, and scanning is performed remotely. This is essentially mounting a remote drive and scanning it from a server that takes policies from, and sends results to, the central policy server. For some vendors this is an appliance, while for others it's a commodity server. For smaller deployments it's integrated into the central management server.

2. Agent Based scanning: an agent is installed on the system (server) to be scanned and scanning is performed locally. Agents are platform specific and use local CPU cycles, but can potentially perform significantly faster than remote scanning, especially for large repositories. For endpoints, this should be a feature of the same agent used for enforcing.

3. Memory Resident Agent scanning: rather than deploying a full-time agent, a memory resident agent is installed, which performs a scan, then exits without leaving anything running or stored on the local system. This offers the performance of agent based scanning in situations where you don't want an agent running all the time.

Any of these technologies can work for any of the modes, and enterprises will typically deploy a mix depending on policy and infrastructure requirements. We currently see technology limitations with each approach which guide deployment:

• Remote scanning can significantly increase network traffic and has
performance limitations based on network bandwidth and on the network performance of the target and the scanner. Some solutions can only scan gigabytes per day (sometimes hundreds, but not terabytes per day) per server because of these practical limitations, which may be inadequate for very large storage.

• Agents, temporary or permanent, are limited by the processing power and memory of the target system, which often translates to restrictions on the number of policies that can be enforced and the types of content analysis that can be used. For example, most endpoint agents are not capable of partial document matching or database fingerprinting against large data sets. This is especially true of endpoint agents, which are more limited than server agents.

• Agents don't support all platforms.

Data at Rest Enforcement

Once a policy violation is discovered, the DLP tool can take a variety of actions:
Alert/ report: create an incident in the central management server just like a network
violation.
Warn: notify the user via email that they may be in violation of policy.
Quarantine/ notify: move the file to the central management server and leave a text file
with instructions on how to request recovery of the file.
Quarantine/ encrypt: encrypt the file in place, usually leaving a plain text file describing
how to request decryption.
Quarantine/ access control: change access controls to restrict access to the file.
Remove/ delete: either transfer the file to the central server without notification or just
delete it.
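The data at rest workflow above, from discovery through enforcement, as one added example; this is not code from the handbook or from any DLP product. It walks a directory tree, applies a category-style rule for payment card numbers confirmed with the Luhn check (so a random 16-digit order number does not trigger it), marks files it cannot inspect because they look encrypted (high byte entropy, the limitation that DLP can only inspect what it can decrypt), and carries out the "quarantine/ notify" action by moving a violating file and leaving instructions in its place. The directory layout, sample files, entropy threshold and notice wording are assumptions made for the demonstration.

```python
"""Content discovery with data-at-rest enforcement.

Added illustration, not code from the handbook or from any DLP product.
Assumptions: the sample share layout, the 7.5 bits/byte entropy threshold
and the quarantine notice text are invented for this example.
"""
from __future__ import annotations

import math
import os
import re
import shutil
import tempfile
from collections import Counter

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext and compressed data sit near 8.0


def luhn_ok(number: str) -> bool:
    """Luhn check digit validation; weeds out random digit strings."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, separators removed."""
    return [re.sub(r"[ -]", "", m.group())
            for m in PAN_CANDIDATE.finditer(text) if luhn_ok(m.group())]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; near 8.0 means encrypted or compressed."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> tuple[str, list[str]]:
    """'uninspectable' (looks encrypted), 'violation' (with PANs) or 'clean'."""
    with open(path, "rb") as fh:
        data = fh.read()
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "uninspectable", []        # DLP can only inspect what it can decrypt
    pans = find_pans(data.decode("utf-8", errors="replace"))
    return ("violation", pans) if pans else ("clean", [])


def quarantine(path: str, quarantine_dir: str, pans: list[str]) -> None:
    """Quarantine/ notify: move the file out and leave instructions behind."""
    os.makedirs(quarantine_dir, exist_ok=True)
    shutil.move(path, os.path.join(quarantine_dir, os.path.basename(path)))
    masked = ", ".join("*" * (len(p) - 4) + p[-4:] for p in pans)   # never log full PANs
    with open(path + ".QUARANTINED.txt", "w", encoding="utf-8") as fh:
        fh.write("This file was moved to quarantine because it contained payment card "
                 f"numbers ({masked}).\nContact the security team to request recovery.\n")


def discover(root: str, quarantine_dir: str) -> dict[str, str]:
    """Scan every file under root; return {relative path: verdict}."""
    verdicts: dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            verdict, pans = classify_file(path)
            verdicts[os.path.relpath(path, root).replace(os.sep, "/")] = verdict
            if verdict == "violation":
                quarantine(path, quarantine_dir, pans)
    return verdicts


def run_demo() -> dict:
    """Build a constructed share in a temp directory, scan it, report results."""
    base = tempfile.mkdtemp(prefix="dlp-demo-")
    root, qdir = os.path.join(base, "share"), os.path.join(base, "quarantine")
    samples = {   # constructed sample files
        "finance/refunds.csv": b"refund_id,card\n7,4111 1111 1111 1111\n",  # Luhn-valid test number
        "notes/order.txt": b"order reference 1234567890123456 shipped\n",   # 16 digits, Luhn-invalid
        "readme.txt": b"Nothing sensitive here.\n",
        "vault/backup.enc": bytes(range(256)) * 16,   # stand-in for ciphertext: entropy 8.0
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    verdicts = discover(root, qdir)
    return {
        "verdicts": verdicts,
        "quarantined": sorted(os.listdir(qdir)) if os.path.isdir(qdir) else [],
        "notices": sorted(n for _, _, fs in os.walk(root) for n in fs
                          if n.endswith(".QUARANTINED.txt")),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The "uninspectable" verdict is the practical consequence of the encryption limitation: the scanner cannot read the backup, so it reports the fact rather than silently marking the file clean, leaving policy to decide whether such files are allowed on that server. A production agent would add file type detection, size limits and the other content analysis techniques from the previous section in place of the single card-number rule.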

The combination of different deployment architectures, discovery techniques and enforcement options creates a powerful combination for protecting data at rest and supporting compliance initiatives. For example, we're starting to see increasing deployments of CMF (Content Monitoring and Filtering, an earlier name for DLP) to support PCI compliance, more for the ability to ensure (and report) that no cardholder data is stored in violation of PCI than to protect email or web traffic.

Data In Use

DLP usually starts on the network because that's the most cost-effective way to get the broadest coverage. Network monitoring is non-intrusive (unless you have to crack SSL), and offers visibility to any system on the network, managed or unmanaged, server or workstation. Filtering is more difficult, but still relatively straightforward on the network (especially for email) and covers all systems connected to the network. However, this isn't a complete solution. It doesn't protect data when someone walks out the door with a laptop, and can't even prevent people from copying data to portable storage like USB drives. To move from a "leak prevention" solution to a

"content protection" solution, products need to expand not only to stored data, but to the endpoints where data is used.

Note: Although there have been large advancements in endpoint DLP, endpoint-only solutions are not recommended for most users. DLP endpoint solutions normally require compromise on the number and types of policies that can be enforced, and offer limited email integration with no protection for unmanaged systems. An organisation will need both network and endpoint capabilities, and most of the leading network solutions are adding or already offer at least some endpoint protection.

Adding an endpoint agent to a DLP solution not only gives you the ability to discover stored content, but to potentially protect systems no longer on the network, or even protect data as it's being actively used. While extremely powerful, it has been problematic to implement. Agents need to perform within the resource constraints of a standard laptop while maintaining content awareness. This can be difficult if you have large policies such as "protect all 10 million credit card numbers from our database", as opposed to something simpler like "protect any credit card number", which will generate false positives every time an employee visits, say, flipkart.com.

Key capabilities: existing products vary widely in functionality, but we can break out three key capabilities:

1. Monitoring and enforcement within the network stack: this allows enforcement of
network rules without a network appliance. The product should be able to enforce the
same rules as if the system were on the managed network as well as separate rules
designed only for use on unmanaged networks.

2. Monitoring and enforcement within the system kernel: by plugging directly into the
operating system kernel you can monitor user activity, such as copying and pasting
sensitive content. This can also allow products to detect (and block) policy violations
when the user is taking sensitive content and attempting to hide it from detection,
perhaps by encrypting it or modifying source documents.

3. Monitoring and enforcement within the file system: this allows monitoring and
enforcement based on where data is stored. For example, you can perform local
discovery and/ or restrict transfer of sensitive content to unencrypted USB devices.

These options are simplified, and most early products focus on 1 and 3 to solve the portable storage problem and protect devices on unmanaged networks. System/ kernel integration is much more complex and there are a variety of approaches to gaining this functionality.

Endpoint DLP is evolving to support a few critical use cases:


• Enforcing network rules off the managed network or modifying rules for more
hostile networks.
• Restricting sensitive content from portable storage, including USB drives, CD/ DVD
drives, home storage and devices like smartphones and PDAs.
• Restricting copy and paste of sensitive content.
• Restricting applications allowed to use sensitive content, for example, only allowing
encryption with an approved enterprise solution, not tools downloaded online that
don't allow enterprise data recovery.
• Integration with Enterprise Digital Rights Management to automatically apply access
control to documents based on the included content.
• Auditing use of sensitive content for compliance reporting.

The following features are highly desirable when deploying DLP at the endpoint:

 Endpoint agents and rules should be centrally managed by the same DLP management server that controls data in motion and data at rest (network and discovery).
 Policy creation and management should be fully integrated with other DLP policies in a single interface.
 Incidents should be reported to, and managed by, a central management server.
 The endpoint agent should use the same content analysis techniques and rules as the network servers/ appliances.
 Rules (policies) should adjust based on where the endpoint is located (on or off the network). When the endpoint is on a managed network with gateway DLP, redundant local rules should be skipped to improve performance.
 Agent deployment should integrate with existing enterprise software deployment tools.
 Policy updates should offer options for secure management via the DLP management server or existing enterprise software update tools.

Endpoint limitations

Realistically, the performance and storage limitations of the endpoint will restrict the types of
content analysis supported and the number and type of policies that are locally enforced. For
some enterprises, this might not matter depending on the kinds of policies to be enforced, but
in many cases endpoints impose significant constraints on data in use policies.

Photo source: www.slideshare.net

3.6 DLP Limitations

While DLP solutions can go far in helping an enterprise gain greater insight over and control of sensitive data, stakeholders need to be apprised of limitations and gaps in DLP solutions. Understanding these limitations is the first step in the development of strategies and policies to help compensate for the limitations of the technology.

Some of the most significant limitations common among DLP solutions are:

 Encryption — DLP solutions can only inspect encrypted information that they can first decrypt. To do this, DLP agents, network appliances and crawlers must have access to, and be able to utilize, the appropriate decryption keys. If users have the ability to use personal encryption packages where keys are not managed by the enterprise and provided to the DLP solution, the files cannot be analyzed. To mitigate this risk, policies should forbid the installation and use of encryption solutions that are not centrally managed, and users should be educated that anything that cannot be decrypted for inspection (meaning

that the DLP solution has the encryption key) will ultimately be blocked.

 Graphics — DLP solutions cannot intelligently interpret graphics files. Short of blocking or manually inspecting all such information, a significant gap will exist in an enterprise's control of its information. Sensitive information scanned into a graphics file, or intellectual property (IP) that exists in a graphics format such as design documents, falls into this category. Enterprises that have significant IP in a graphics format should develop strong policies that govern the use and dissemination of this information. While DLP solutions cannot intelligently read the contents of a graphics file, they can identify specific file types, their source and destination. This capability, combined with well-defined traffic analysis, can flag uncharacteristic movement of this type of information and provide some level of control.

 Third-party service providers — When an enterprise sends its sensitive information to a trusted third party, it is inherently trusting that the service provider mirrors the same level of control over information leaks, since the enterprise's DLP solutions rarely extend to the service provider's network. A robust third-party management program that incorporates effective contract language and a supporting audit program can help mitigate this risk.

 Mobile devices — With the advent of mobile computing devices such as smartphones, there are communication channels that are not easily monitored or controlled. Short message service (SMS), the communication protocol that allows text messaging, is a key example. Another consideration is the ability of many of these devices to utilize Wi-Fi or even become a Wi-Fi hotspot themselves. Both cases allow for out-of-band communication that cannot be monitored by most enterprises. Finally, the ability of many of these devices to capture and store digital photographs and audio presents yet another potential gap. While some progress is being made in this area, the significant limitations of processing power and centralized management remain a challenge. Again, this situation is best addressed by the development of strong policies and supporting user education to compel appropriate use of these devices.

 Multilingual support — A few DLP solutions support multiple languages, but virtually all management consoles support only English. It is also true that for each additional language and character set the system must support, processing requirements and time windows for analysis increase. Until such time as vendors recognize sufficient market demand to address this gap, there is little recourse but to seek other methods to control information leaks in languages other than English. Multinational enterprises

must carefully consider this potential gap when evaluating and deploying a DLP solution. These points are not intended to discourage the adoption of DLP technology.

The only recourse for most enterprises is the adoption of behavioral policies and physical security controls that complement the suite of technology controls available today. Further limitations to weigh when selecting a product include:

• Solution lock-in — At this time there is no portability of rule sets across various DLP platforms, which means that changing from one vendor to another, or integrating with an acquired organization's solution, can require significant work to replicate a complex rule set in a different product.

• Limited client OS support — Many DLP solutions do not provide endpoint DLP agents for operating systems such as Linux and Mac because their use as clients in the enterprise is much less common. This does, however, leave a potentially significant gap for enterprises that have a number of these clients. This risk can only be addressed by behavior oriented policies, or requires the use of customized solutions that are typically not integrated with the enterprise DLP platform.

• Cross application support — DLP functions can also be limited by application type. A DLP agent that can monitor the data manipulations of one application may not be able to do so for another application on the same system. Enterprises must ensure that all applications that can manipulate sensitive data are identified, and must verify that the DLP solution supports them. In cases where unsupported applications exist, other actions may be required through policy or, if feasible, through removal of the application in question.

The Open Security Foundation's DataLossDB gathers information about events involving the loss, theft or exposure of personally identifiable information (PII). DataLossDB's dataset, in current and previous forms, has been used in research by numerous educational, governmental and commercial entities, which often have been able to provide statistical analysis with graphical presentations.

The charts below are provided in "as-is" format based on the current dataset maintained by the Open Security Foundation and DataLossDB.

[DataLossDB charts: not reproduced in this text version.]

3.7 The DRM – DLP Conundrum


Digital Rights Management (DRM) is a system for protecting the copyrights of data circulated via the Internet or other digital media by enabling secure distribution and/ or disabling illegal distribution of the data. Typically, a DRM system protects intellectual property by either encrypting the data so that it can only be accessed by authorized users, or marking the content with a digital watermark or similar method so that the content cannot be freely distributed. More broadly, DRM is the practice of imposing technological restrictions that control what users can do with digital media. When a program is designed to prevent you from copying or sharing a song, reading an ebook on another device, or playing a single player game without an internet connection, you are being restricted by DRM. Critics of consumer DRM argue that it creates a damaged good, since it prevents you from doing what would be possible without it, and that it concentrates control over the production and distribution of media, giving DRM vendors the power to carry out massive digital book burnings and conduct large scale surveillance of people's media viewing habits.

Enterprise Digital Rights Management (DRM) and Data Loss Prevention (DLP) are typically thought of as separate technologies that could replace

each other. DRM encrypts files and organizations must complement and
controls access privileges dynamically as a empower the existing security
file is in use. DLP detects patterns and can infrastructure with a data centric security
restrict movement of information that solution that protects data in use
meets certain criteria. Rather than being persistently. That is where DRM comes in.
competitive, the reality is that many DRM ensures that only intended recipients
can view sensitive files regardless of their
organizations can use them as location. This assures protection of data
complementary solutions. DLP’s ability to beyond controlled boundaries so that an
scan, detect data patterns and enforce organization is always in control of its
appropriate actions using contextual information. DRM policy stays with the
awareness reduces the risk of losing document even if it is renamed or saved to
sensitive data. A drawback of DLP is that it another format, like a PDF. This provides a
does not provide any protection in case more complete solution to limit the
users have to send confidential possibility of a data breach.
information legitimately to a business By integrating DLP and DRM, organizations
partner or customer. DLP cannot protect may be able to:
information once it is outside the  allow DLP to scan DRM-protected
organization’s perimeter. DLP is very good documents, and apply DLP policies
at monitoring the flow of data throughout  enforce DLP policy engines to
an organization and applying predefined encrypt or reclassify a file to create
policies at endpoint devices or the a DRM protected document
network. The policies can log activities,  secure data persistently and reduce
send warnings to end users and the risk of losing it from both
administrators, quarantine data or block it insiders and outsiders.
altogether.  DLP alone cannot control data in
use by authorized internal or
The challenge is that most businesses need external users. Adding DRM
to share sensitive data with outside ensures that vulnerabilities are
people. Considering most data leaks minimized and that an organization
originate from trusted insiders who have can immediately deny access to any
or had access to sensitive documents, file regardless of its location.
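As an added illustration of the DLP behaviour described above (pattern detection with contextual awareness, and the log, warn, quarantine and block actions, with a hand-off to DRM when sharing is legitimate), the following Python example is not part of the handbook. The organisation domain, the partner domain, the sample messages and the PROTECT action that stands in for a DLP-to-DRM integration are all assumptions constructed for this example.

```python
"""Minimal DLP-style content scanner (added example, not from the handbook).

Detects data patterns (payment card numbers validated with the Luhn check,
and a CONFIDENTIAL classification label), applies contextual awareness (who
the recipient is, whether the file already carries DRM protection) and returns
one of the actions a DLP policy can take: log, warn, quarantine or block.
A PROTECT action stands in for the DLP-to-DRM hand-off described in the text;
the organisation domain, partner domain and messages are assumed.
"""
import re
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    LOG = "log"
    WARN = "warn"
    QUARANTINE = "quarantine"
    BLOCK = "block"
    PROTECT = "protect"  # hand the file to DRM (assumed integration step)


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    drm_protected: bool = False  # set when the attachment already carries DRM policy


INTERNAL_DOMAIN = "example.com"        # assumed organisation domain
PARTNER_DOMAINS = {"partner.example"}  # assumed trusted business partners

# 13 to 16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
LABEL_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)


def luhn_ok(candidate):
    """Luhn checksum: filters out phone numbers and random digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    return [m.group(0) for m in CARD_RE.finditer(text) if luhn_ok(m.group(0))]


def classify(msg):
    """Return (Action, findings) for one outbound message."""
    findings = []
    cards = find_card_numbers(msg.body)
    if cards:
        findings.append("card_number x%d" % len(cards))
    if LABEL_RE.search(msg.body):
        findings.append("confidential_label")
    if not findings:
        return Action.ALLOW, findings

    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    if domain == INTERNAL_DOMAIN:
        # Inside the perimeter: card data triggers a user warning, a label is only logged.
        return (Action.WARN if cards else Action.LOG), findings
    if cards:
        # Payment data never leaves the perimeter in clear text.
        return Action.BLOCK, findings
    if msg.drm_protected:
        # DRM policy travels with the file, so DLP only records the transfer.
        return Action.LOG, findings
    if domain in PARTNER_DOMAINS:
        # Legitimate sharing: reclassify into a DRM-protected document instead of blocking.
        return Action.PROTECT, findings
    return Action.QUARANTINE, findings


def scan(messages):
    """Apply the policy to a batch; returns a list of (recipient, action, findings)."""
    return [(m.recipient, *classify(m)) for m in messages]


# Constructed sample traffic for the example.
SAMPLES = [
    Message("anita@example.com", "ravi@example.com", "Q3 numbers attached. CONFIDENTIAL"),
    Message("anita@example.com", "legal@partner.example", "Draft contract, CONFIDENTIAL"),
    Message("anita@example.com", "someone@mail.example.org", "CONFIDENTIAL roadmap"),
    Message("anita@example.com", "someone@mail.example.org", "card 4111 1111 1111 1111"),
    Message("anita@example.com", "ravi@example.com", "lunch at 1?"),
]

if __name__ == "__main__":
    for recipient, action, findings in scan(SAMPLES):
        print(recipient, action.value, findings)
```

The Luhn filter is what gives the scanner its "contextual awareness" at the pattern level: a bare digit regex would flag phone numbers and order ids, which is the false-positive noise that makes users ignore DLP warnings.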


UNIT IV
Information Security Policies,
Procedures, Standards and Guidelines

This unit covers:

• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
  4.1. Information Security Policies
  4.2. Key Elements of a Security Policy
  4.3. Security Standards, Guidelines and Frameworks
  4.4. Laws, Regulations and Guidelines


Lesson Plan

Columns: Performance Outcomes; Ensuring Measures; Duration (Hrs); Work Environment / Lab Requirement

Performance Outcomes: To be competent, you must be able to:
  PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
  PC11. comply with your organization's policies, standards, procedures and guidelines when contributing to managing information security
Duration (Hrs): 4 hrs
Work Environment / Lab Requirement:
  • PCs/Tablets/Laptops
  • Labs availability (24/7)
  • Internet with WiFi (Min 2 Mbps Dedicated)
  • Networking Equipment - Routers & Switches
  • Firewalls and Access Points
  • Commercial Tools like HP WebInspect and IBM AppScan etc.
  • Open Source tools like sqlmap, Nessus etc.

Performance Outcomes: You need to know and understand:
  KA1. your organization's policies, procedures, standards and guidelines for managing information security
  KA2. your organization's knowledge base and how to access and update this
  KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
  KA12. your organization's information security systems and tools and how to access and maintain these
  KA13. standard tools and templates available and how to use these
  KB1. fundamentals of information security and how to apply these, including:
    • networks
    • communication
    • application security
Ensuring Measures:
  KA1. QA session and a descriptive write up on understanding.
  KA2. Group presentation and peer evaluation along with Faculty.
  KA4. Performance evaluation from Faculty and Industry with reward points.
  KA12. Faculty and peer review.
  KA13. Faculty and peer review.
  KB1 - KB4. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration (Hrs): 8 hrs
Work Environment / Lab Requirement:
  • PCs/Tablets/Laptops
  • Labs availability (24/7)
  • Internet with WiFi (Min 2 Mbps Dedicated)
  • Access to all security sites like ISO, PCI DSS, Center for Internet Security
  • Security Templates from ITIL, ISO

Suggested Learning Activities


Activity 1:

Divide students into groups and ask them to research and collate various security policies available across various organisations.

Let them categorise the policies and highlight the differences between them based on context, including sector, size of organisation, types of information or data they possess, country, etc.

Ask the students to compile a list of components that are similar across policies.

Engage them in a discussion as to why they think these elements are similar or dissimilar and what the impact of the variances is.

Activity 2:

Divide the students into groups and ask them to research the various standards of data security that are available.

Ask them to categorise the standards based on the area they pertain to.

Let them present key highlights of a selected standard. Engage them in a discussion on why standards are important and why these standards have credibility and legitimacy.

Also encourage them to think about the composition of the standard-setting body and who its members or patrons are.

Activity 3:

Ask the students to develop standards for various aspects of their student life and education, and get them to make a plan for advocacy and promotion of these standards so that more and more people adopt them. Let them list the key imperatives and challenges for the successful adoption and recognition of their proposed standards.

Activity 4:

Ask the students to explore the various laws and regulations that apply in the area of information security. Let them present key features of the laws and cite cases where these were violated and cases were filed for breach of the law. Let them present their findings in class, discussing the details of the case and its interesting facets.


Training Resource Material


4.1 Information Security Policies

Security policies are the foundation of your security infrastructure. Without them, you cannot protect your company from possible lawsuits, lost revenue and bad publicity, not to mention basic security attacks. A security policy is a document or set of documents that describes, at a high level, the security controls that will be implemented by the company.

Policies are not technology specific and do three things for an organisation:
• Reduce or eliminate legal liability to employees and third parties.
• Protect confidential, proprietary information from theft, misuse, unauthorized disclosure or modification.
• Prevent waste of company computing resources.

Organisations are giving more priority to the development of information security policies, since protecting their assets is one of the most prominent things that needs to be considered. Lack of clarity in InfoSec policies can lead to catastrophic damages which cannot be recovered from. So an organisation adopts different strategies to implement a security policy successfully.

Security policies are intended to define what is expected from employees within an organisation with respect to information systems.

There are two types of basic security policies:
• Technical security policies: these include how technology should be configured and used.
• Administrative security policies: these include how people (both end users and management) should behave and respond to security.

Persons responsible for the implementation of the security policies are:
• Director of Information Security
• Chief Security Officer
• Director of Information Technology
• Chief Information Officer

Information in an organisation will be both electronic and hard copy, and this information needs to be secured properly against the consequences of breaches of confidentiality, integrity and availability.

Proper security measures need to be implemented to control and secure information from unauthorised changes, deletions and disclosures. To find the level of security measures that need to be applied, a risk assessment is mandatory. An information security policy provides management direction and support for information security across the organisation.

The objective is to guide or control the use of systems to reduce the risk to information assets. It also gives the staff who are dealing with information systems an acceptable use policy, explaining what is allowed and what is not. Security policies of all companies are not the same, but the key motive behind them is to protect assets. Security policies are tailored to the specific mission goals.

A security policy should determine rules and regulations for the following systems:
• Encryption mechanisms
• Access control devices
• Authentication systems
• Firewalls
• Anti-virus systems
• Websites
• Gateways
• Routers and switches

Necessity of a security policy

It is generally impossible to accomplish a complex task without a detailed plan for doing so.

A security policy is that plan that provides for the consistent application of security principles throughout your company. After implementation, it becomes a reference guide when matters of security arise.

A security policy indicates senior management's commitment to maintain a secure network, which allows the IT staff to do a more effective job of securing the company's information assets. Ultimately, a security policy will reduce the risk of a damaging security incident. In the event of a security incident, certain policies, such as an Incident Response Policy, may limit your company's exposure and reduce the scope of the incident.

A security policy can provide legal protection to your company. By specifying to your users exactly how they can and cannot use the network, how they should treat confidential information, and the proper use of encryption, you are reducing your liability and exposure in the event of an incident.

Further, a security policy provides a written record of your company's policies if there is ever a question about what is and is not an approved act.

Security policies are often required by third parties that do business with your company as part of their due diligence process. Some examples of these might be auditors, customers, partners and investors. Companies that do business with your company, particularly those that will be sharing confidential data or connectivity to electronic systems, will be concerned about your security policy.
Lastly, one of the most common reasons why companies create security policies today is to fulfill regulations and meet standards that relate to the security of digital information.

Once the security policy is implemented, it will be a part of day-to-day business activities. Security policies that are implemented need to be reviewed whenever there is an organizational change. Policy compliance can be monitored with monitoring solutions such as a SIEM, and violations of security policies can then be dealt with seriously. There should also be a mechanism to report any violations of the policy.

While developing these policies, it is obligatory to make them as simple as possible, because complex policies are less secure than simple ones. Security policies can be modified at a later time, but that is not to say that you can create a weak policy now and develop a perfect policy some time later.

It is also mandatory to update the policy based upon the environmental changes that an organization goes through as it progresses.

The policy updates also need to be communicated to all employees as well as to the person authorized to monitor policy violations, as they may flag some scenarios which have been ignored by the organization.

Management is responsible for establishing controls and should regularly review the status of controls.

Below is a list of some of the security policies that an organization may have:

Access Control Policy: How information is accessed
Contingency Planning Policy: How availability of data is made online 24/7
Data Classification Policy: How data are classified
Change Control Policy: How changes are made to directories or the file server
Wireless Policy: How wireless infrastructure devices need to be configured
Incident Response Policy: How incidents are reported and investigated
Termination of Access Policy: How employees are terminated
Backup Policy: How data are backed up
Virus Policy: How virus infections need to be dealt with
Retention Policy: How data can be stored
Physical Access Policy: How access to the physical area is obtained
Security Awareness Policy: How security awareness is carried out
Audit Trail Policy: How audit trails are analyzed
Firewall Policy: How firewalls are named, configured etc.
Network Security Policy: How network systems can be secured
Encryption Policy: How data are encrypted, the encryption method used etc.

Figure: Security policy types and examples
Policy types: Promiscuous Policy, Permissive Policy, Prudent Policy, Paranoid Policy
Examples of policies: Firewall Management Policy, Special Access Policy, Network Connection Policy, Network Business Partner Policy, Acceptable Use Policy, User Account Policy, Data Classification Policy, Intrusion Detection Policy, Remote Access Policy, Virus Prevention Policy, Information Protection Policy, Laptop Security Policy, Personal Security Policy, Cryptography Policy, Others
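The Wireless, Firewall, Audit Trail and Change Control policies in the list above are technical policies, and monitoring them with a tool or SIEM, as the preceding text suggests, means turning their rules into checks. The following Python example is added here and is not from the handbook; the device configurations, field names and the approved encryption values are constructed for illustration and stand in for whatever a real policy specifies.

```python
"""Technical policy rules expressed as automated checks (added example).

Encodes a few rules from the Wireless, Firewall, Audit Trail and Change
Control policies and runs them over constructed device configurations, the
way a monitoring job or SIEM compliance rule would.  Field names, policy
values and the devices themselves are assumptions made for this example.
"""

APPROVED_WIRELESS = {"WPA2-Enterprise", "WPA3-Enterprise"}  # assumed policy value

# Constructed device configurations; they describe no real network.
DEVICES = [
    {"name": "ap-office", "type": "wireless", "encryption": "WPA2-Enterprise",
     "default_admin_password": False, "mgmt_allowed_from": ["10.0.9.0/24"]},
    {"name": "ap-guest", "type": "wireless", "encryption": "WEP",
     "default_admin_password": True, "mgmt_allowed_from": ["0.0.0.0/0"]},
    {"name": "fw-edge", "type": "firewall", "default_inbound": "deny", "logging": True,
     "rules": [{"id": 10, "src": "any", "dst": "10.0.1.10", "port": 443,
                "action": "allow", "ticket": "CHG-1001"}]},
    {"name": "fw-lab", "type": "firewall", "default_inbound": "allow", "logging": False,
     "rules": [{"id": 10, "src": "any", "dst": "any", "port": "any",
                "action": "allow", "ticket": None}]},
]


def check_wireless(dev):
    """Wireless Policy: approved encryption, no default credentials, restricted management."""
    findings = []
    name = dev["name"]
    if dev["encryption"] not in APPROVED_WIRELESS:
        findings.append(("Wireless Policy", f"{name}: encryption {dev['encryption']} is not approved"))
    if dev["default_admin_password"]:
        findings.append(("Wireless Policy", f"{name}: default administrator password still in use"))
    if "0.0.0.0/0" in dev["mgmt_allowed_from"]:
        findings.append(("Wireless Policy", f"{name}: management interface reachable from any address"))
    return findings


def check_firewall(dev):
    """Firewall Policy (default deny, no any-to-any allow), Audit Trail Policy
    (logging on) and Change Control Policy (every rule tied to a change ticket)."""
    findings = []
    name = dev["name"]
    if dev["default_inbound"] != "deny":
        findings.append(("Firewall Policy", f"{name}: default inbound action is {dev['default_inbound']}, must be deny"))
    if not dev["logging"]:
        findings.append(("Audit Trail Policy", f"{name}: logging disabled"))
    for rule in dev["rules"]:
        if rule["action"] == "allow" and rule["src"] == "any" and rule["dst"] == "any":
            findings.append(("Firewall Policy", f"{name}: rule {rule['id']} allows any source to any destination"))
        if not rule["ticket"]:
            findings.append(("Change Control Policy", f"{name}: rule {rule['id']} has no change ticket"))
    return findings


CHECKS = {"wireless": check_wireless, "firewall": check_firewall}


def audit(devices):
    """Return {device name: [(policy, message), ...]}; an empty list means compliant."""
    return {d["name"]: CHECKS[d["type"]](d) for d in devices}


def violations_per_policy(report):
    """Aggregate the report the way a compliance dashboard would."""
    counts = {}
    for findings in report.values():
        for policy, _ in findings:
            counts[policy] = counts.get(policy, 0) + 1
    return counts


if __name__ == "__main__":
    report = audit(DEVICES)
    for device, findings in report.items():
        print(device, "compliant" if not findings else "")
        for policy, message in findings:
            print("  [%s] %s" % (policy, message))
    print(violations_per_policy(report))
```

Each finding names the policy it breaches, so the same report can feed both the violation-reporting mechanism the text calls for and the periodic management review of control status.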

Acceptable Usage Policy

Acceptable Usage Policy (AUP) is the policy that one should adhere to while accessing the network. Some of the assets that this policy covers are mobile, wireless, desktop, laptop and tablet computers, email, servers, internet etc. For each asset, we need to look at how we can protect it, manage it, who is authorised to use and administer the asset, accepted methods of communication on these assets etc.

A template for an AUP is published by SANS at http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf, and from it a security analyst will get an idea of how an AUP actually looks. Some regulatory compliances mandate that a user should accept the AUP before getting access to network devices. Implementing these controls makes the organization a bit more risk free, even though it is very costly.

Once a reasonable security policy has been developed, an engineer has to look at the country's laws, which should be incorporated in security policies. One example is the use of encryption to create a secure channel between two entities. Some encryption algorithms and their levels (128, 192) will not be allowed by the government for standard use. Legal experts need to be consulted if you want to know what level of encryption is allowed in an area. This becomes a challenge if security policies are derived for a big organisation spread across the globe.

Some of the laws, regulations and standards used for policy definition include:
• The PCI Data Security Standard (PCI DSS)
• The Health Insurance Portability and Accountability Act (HIPAA)
• The Sarbanes-Oxley Act (SOX)
• The ISO family of security standards
• The Gramm-Leach-Bliley Act (GLBA)

4.2 Key Elements of Security Policy

A policy should contain:


• Overview – background information of what issue the policy addresses.
• Purpose – why the policy is created.
• Scope – what areas this policy covers.
• Targeted audience – whom the policy is applicable for.
• Policy – a detailed description of the policy.
• Definitions – a brief introduction of the technical jargon used in the policy.
• Version – number to control the changes made to the document.

Policy Content

When developing content, many go about creating a policy exactly the wrong way. The goal is not to create hundreds of pages of impressive looking information, but rather to create an actionable security plan. The following guidelines apply to the content of successful IT security policies.

• A security policy should be no longer than absolutely necessary. Some believe that policies are more impressive when they fill enormous binders or contain hundreds or even thousands of policies. These types of policies overwhelm you with data, and are frequently advertised on the internet. But quantity does not equal quality, and it is the sheer amount of information in those policies that makes them useless. Brevity is of utmost importance.

• A security policy should be written in "plain English." While, by nature, technical topics will be covered, it is important that the policy be clear and understood by the target audience for that particular policy. There is never room for "consultant speak" in a security policy. If there is a doubt, the policy should be written so that more people can understand it rather than fewer. Clarity must be a priority in security policies so that a policy isn't misunderstood during a crisis or otherwise misapplied, which could lead to a critical vulnerability.

• A security policy must be consistent with applicable laws and regulations. In some countries there are laws that apply to a company's security practices, such as those covering the use of encryption. Some states have specific disclosure laws or regulations governing the protection of citizens' personal information, and some industries have regulations governing security policies. It is recommended that you research and become familiar with any regulations or standards that apply to your company's security controls.

• A security policy should be reasonable. The point of this process is to create a policy that you can actually use rather than one that makes your company secure on paper but is impossible to implement. Keep in mind that the more secure a policy is, the greater the burden it places on your users and IT staff to comply with. Find a middle ground in the balance between security and usability that will work for you.

• A security policy must be enforceable. A policy should clearly state which actions are permitted and which of those are in violation of the policy. Further, the policy should spell out enforcement options when non-compliance or violations are discovered, and must be consistent with applicable laws. A security policy can be formatted to be consistent with your company's internal documentation; however, certain information should be placed on each page of the policy. At a minimum, this information should include: policy name, creation date, target audience and a clear designation that the policy is company confidential.

Security Policy Implementation

Once a policy has been created, perhaps the hardest part of the process is rolling it out to the organization. This step must be well planned and undertaken thoughtfully. First and most importantly, a security policy must be backed by the company's senior management team. Without their support, the cooperation needed across departments will be lacking, which will likely doom the implementation. Department heads must be involved, and specifically, Human Resources and Legal Services must play an integral part. Make sure you have management buy-in before you get too far along in the process. If the position doesn't already exist, an Information Security Officer or IT Security Program Manager should be designated at your company who is responsible for implementing and managing the security policy. This can be an existing manager. This designation is sometimes not practical at smaller companies, but regardless, one person, who has the authority to make executive decisions, needs to own and be accountable for your company's security policy. Remember that your security policy must be officially adopted as company policy. It should be signed and recorded in the same way your company makes any major decision, including full senior management approval.

Next, go through each policy and think about how it will be applied within the organization. Make sure that the tools are in place to conform to the policy. For example, if the policy specifies that a certain network be monitored, make sure that monitoring capabilities exist on that network segment. If a policy specifies that visitors must agree to the Acceptable Use Policy before using the network, make sure that there is a process in place to provide visitors with the Acceptable Use Policy. In this phase, if you discover something impractical, create a plan to make appropriate changes to either the network or the policy. Understand that policies differ from processes and procedures.

You will need to carefully consider the necessary security processes and procedures after you have your policy finished. For example, the Backup Policy may detail the schedules for backups and off-site rotation of backup media; however, it won't say exactly how these tasks are to be accomplished. Additionally, certain procedures must be created to support the policies. For example, how should your users respond if they suspect a security incident? How will you notify your users if they are noncompliant with a specific policy? How will exemptions to the policy be requested and approved? Work with the necessary departments within your company (Legal, IT, HR etc.) to establish procedures to support your policies.

User education is critical to a successful security policy implementation. A training session should be held to go over the policies that will impact users as well as provide basic information security awareness training. Often, users create security issues because they simply don't understand that what they are doing is risky or against the security policy. Users must be provided any user level policies, and must acknowledge in writing that they have read and will adhere to the policies. If possible, coordinate this with Human Resources so that the policies can be included with any other HR documents that require a user signature.

No matter how well implemented, no policy will be 100% applicable for every scenario, and exceptions will need to be granted. Exceptions, however, must be granted only in writing and must be well documented. It should be made clear from the outset that the policy is the official company standard, and an exception will only be granted when there is an overwhelming business need.

After the security policy has been in place for some period, which can be anywhere from three months to a year, the company's information security controls should be audited against the applicable policies. Make sure that each policy is being followed as intended and is still appropriate to the situation. If discrepancies are found or the policies are no longer applicable as written, they must be changed to fit your company's current requirements. After the initial review process, you should regularly review the security policy to ensure that it still meets your company's requirements. Create a process so that the policy is periodically reviewed by the appropriate persons. This should occur both at certain intervals (e.g. once per year), and when certain business changes occur (e.g. the company opens in a new location). This will ensure that the policy does not get "stale", and will continue to be a useful management tool for years to come. When changes need to be made, be sure to: update the revision history section of the document to differentiate the new document from past versions; and distribute any modified user level policies to your users. Clearly communicate the policy changes to any affected parties.
history section of the document to

Internal Security Policy: Microsoft


Snicker if you must, but this is for real. Microsoft has great internal security policies and
controls. Think about it. When was the last time you heard about a major breach of
Microsoft's corporate network? The one you might recall is October 2000, when hackers
breached its security and accessed source code for future versions of Windows.
"That was a wake-up call. It changed the way our executives and employees think about
security," says Greg Wood, Microsoft's general manager of InfoSecurity.
Microsoft is one of the most targeted entities on the Internet, absorbing more than 2,200
unique attacks a day. When it developed its security policy, the security team sought
simplicity for protecting the company's 300,000 hosts.
Microsoft threw out its thick, three-ring binder that held its barely touched security policy.
Replacing it was a thin pamphlet containing 45 half-page doctrines based on elemental
security principles: enforcement, business rationale and risk assessments.
The litmus test for any security policy is whether it's enforceable. Microsoft's security
policies are easily understood and have teeth. There's no excuse for ignorance of the
policy, and any breach is enforced through HR actions, Wood says.
Microsoft's security team applies business logic to its security policies. Wood says this
helps earn the business units' cooperation. They know security won't arbitrarily inhibit
operations. Where best practices will often ban certain functions and services, the
Microsoft policy has flexibility to meet business necessities--within reason.
Source: News Journals


California State University, Northridge – Adoption plan of good Information Security Policy

California State University, Northridge (CSUN) is committed to providing a secure and accessible data and networking infrastructure that protects the confidentiality, availability and integrity of information. The creation, preservation and exchange of information is an intrinsic part of the University's teaching, scholarship and administrative operations. Increasingly that information is processed, handled or stored in electronic form.
The growing availability of digital information offers opportunities to improve our collaborations and work in new ways. Unfortunately, it also presents us with new threats. The very technologies we use to gather, share and analyse information also make our institution vulnerable to varied and continually evolving information security risks. CSUN is entrusted with a wide range of confidential and sensitive information pertaining to our students, faculty, staff, donors, and other members of the community (e.g. affiliates).
We take seriously our obligation to be stewards of that trust. We are obligated by law and institutional policy to take all reasonable and appropriate steps to protect the confidentiality, availability, privacy, and integrity of information in our custody. This obligation is broad and applies to information in both electronic and material form. Our practices are designed both to prevent the inappropriate disclosure of information and to preserve information in case of intentional or accidental loss.
(For the complete case study please refer to: http://www.csun.edu/sites/default/files/csun-it-sec-plan.pdf)
Source: www.csu.edu


4.3 Security Standards, Guidelines & Frameworks


Process: Security Governance Frameworks

Security governance frameworks represent solutions to the question of how to manage security effectively. The manner in which a company builds a governance structure is a reflection of the organization of the company and the laws and business environment in which it finds itself. Auditing the security governance practices of a company requires understanding how the organization manages the processes and procedures that make up its security program and comparing those aspects to recognized governance frameworks. Luckily, there are many sources that an auditor can use to identify best practices in building a manageable, measurable and effective security governance program. The frameworks mentioned in this text are not a complete list, and significant research is constantly being conducted in this area. What follow are three of the most frequently found frameworks, which should get you started in understanding how they can be applied to the organizations you audit.

COSO

The Foreign Corrupt Practices Act of 1977 (FCPA) is a law that requires any publicly traded company to accurately document any transactions or monetary exchanges it is involved in (to prevent off-the-books money transfers). Additionally, the law requires that a publicly traded company also have a system of internal accounting controls to monitor fraud and abuse and test them through compliance auditing. This law had little guidance from the Securities and Exchange Commission (SEC), and in response to this, a consortium of private organizations created the Treadway Commission to figure out what companies needed to do to comply with this law.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 to improve the accuracy of financial reports and to standardize on internal control methods to reduce fraudulent reporting. COSO studied the problem and issued guidance about how to create an internal controls framework that complies with the FCPA. The resulting document, called "Internal Controls: Integrated Framework," was published in 1994 and provided common language, definitions and assessment methodologies for a company's internal accounting controls. This COSO report is considered the standard by which accounting auditors assess companies to ensure compliance with the FCPA and SOX section 404.

The COSO report lists a few main concepts that guided the development of the COSO framework and define what internal controls can and cannot do for an organization. These concepts show the relationship between people and processes in respect to the effectiveness of controls, and they define the principles with which to implement them:

• Internal control is a process and not a one-time activity.
• Internal control is affected by people; it must be adopted throughout the organization and is not simply a policy document that gets filed away.
• An internal control can provide only reasonable assurance, not absolute assurance, to the management and board of a business. A control cannot ensure success.
• Internal controls are designed for the achievement of business objectives.

The COSO internal controls framework consists of five main control components as seen in the figure below. These controls are the foundation of the COSO framework and provide a means for auditors to assess a company's control efficiency, effectiveness, reliability of financial reporting and compliance with the law.

Figure: COSO Internal Controls Framework (components, top to bottom: Monitor; Information and Communication; Control Activities; Risk Assessment; Control Environment)

Control environment and defining the roles and responsibilities.


The control environment defines how an The control environment consists of the
people, culture and ethics of the business.
organization builds its internal governance
program and affects the company as a Risk assessment
whole. The CEO, Board of Directors, and Solid risk assessment methodologies are
Executive Management are mostly
important to any successful governance
involved at this level, creating the ethics program. COSO identifies this area as
environment and organizational structure
120
Trainer’s Guide– Security Analyst SSC/N0901

critical to all control development activities and to identifying business objectives. You can't protect what you don't know about, so a thorough risk assessment provides the data that help a company design controls to protect its assets and achieve its strategic goals.

Control activities

This section covers the controls that COSO recommends to help mitigate risk. The main categories for controls in COSO are operations, financial reporting and compliance. The controls identified are broad in nature and cover some IT related issues, but COSO doesn't address IT as well as it does the accounting side. It does highlight the various activities that should be controlled, but leaves it up to management to figure out how to do it.

Information and communication

Having an organization in which information and communication flow freely between all parts of the business is addressed in this component of COSO. Information, according to COSO, is the data used to run the business, whereas communication is the method used to disseminate information to the appropriate individuals. People cannot do their jobs efficiently and effectively if they are not provided with the necessary information. Without the appropriate lines of communication and timely action, problems can turn into catastrophes. Communication is the mechanism that drives the other four components of the COSO framework.

Monitoring

Auditing and measurement are essential in determining how controls perform. Monitoring can be the alarm system that identifies a problem and provides valuable data for fixing issues in the future. Monitoring can consist of periodic reports, audits or testing mechanisms that report the status of individual controls.

COSO is one of the more widely adopted internal control frameworks for large companies, due in no small part to the mandates set forth through SOX Section 404. In response to criticism that the framework was impractical for smaller organizations, the committee published "Internal Control over Financial Reporting – Guidance for Smaller Public Companies" in 2006.

The COSO framework is the grandfather of internal control frameworks, and though it was designed primarily for accounting controls, it still provides value for companies building out a security governance strategy. From an IT perspective, the five main components are entirely relevant to securing information, but the actual controls themselves don't go to the same level of depth as other frameworks such as Control Objectives for Information and related Technology (COBIT).

COBIT

The COBIT framework was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) as a response to the needs of the IT community for a less generalized and more actionable set of controls for securing information systems. The ITGI is a
non-profit organization that leads the development of COBIT through committees consisting of experts from universities, governments and auditors across the globe. The COBIT framework is a series of manuals and implementation guidelines for creating a full IT governance, auditing and service delivery program for any organization.

COBIT is not a replacement for COSO but an augmentation of it, and maps directly to COSO from an IT perspective. Although COSO covers the whole enterprise from an accounting perspective, it does so by providing high level objectives that require the business to figure out how to accomplish them. COBIT, on the other hand, works with COSO by fully detailing the necessary controls and how to measure and audit them. The built-in auditable nature of COBIT is why it has become one of the leading IT governance frameworks: it gets as close as can be expected to a turnkey governance program. COBIT does not dig down into the actual tasks and procedures, however, which necessitates using other sources to develop standards and procedures for implementing the controls. In other words, COBIT won't tell you the best way to configure AES encryption for your wireless infrastructure, but it will provide you with a mechanism for identifying where and why you need to apply it based on risk.

The role of COBIT in IT governance is to provide a model that takes the guesswork out of how to bridge the gap between business and IT goals. COBIT considers the business the customer of IT services. Business requirements (needs) ultimately drive the investment in IT resources, which in turn need processes that can deliver enterprise information back to the business. At the foundation of COBIT is the cyclical nature of the business needing information and IT delivering information services.

Information is what IT provides to the business, and COBIT defines the following seven information criteria as the business requirements for information:

• Effectiveness: information is delivered in a timely, correct, consistent and usable manner.
• Efficiency: information is delivered in the most cost effective way.
• Confidentiality: data is protected from unauthorized disclosure.
• Integrity: the business is protected from unauthorized manipulation or destruction of data.
• Availability: data is accessible when the business needs it.
• Compliance: adherence to laws, regulations and contractual agreements.
• Reliability of information: data correctly represents the state of the business and its transactions.
IT resources in COBIT are the components of information delivery and represent the technology, people and procedures used to meet business goals. Resources are divided into four areas:

• Applications: information processing systems and procedures
• Information: the data as used by the business
• Infrastructure: technology and systems used for data delivery and processing
• People: the human talent needed to keep everything operating

IT processes (or activities) are the planned utilization of resources and are divided into four inter-related domains. Each process has its own controls that govern how the process is to be accomplished and measured. There are 34 high level processes and hundreds of individual control objectives. The domains and processes are:

• Plan and Organize (PO): Defines strategy and guides the creation of a service and solutions delivery organization. The high level processes for this domain are:
  o PO1 Define a strategic IT plan
  o PO2 Define the information architecture
  o PO3 Determine technological direction
  o PO4 Define the IT processes, organization and relationships
  o PO5 Manage the IT investment
  o PO6 Communicate management aims and direction
  o PO7 Manage IT human resources
  o PO8 Manage quality
  o PO9 Assess and manage IT risks
  o PO10 Manage projects
• Acquire and Implement (AI): Builds IT solutions and creates services. The high level processes for this domain are:
  o AI1 Identify automated solutions
  o AI2 Acquire and maintain application software
  o AI3 Acquire and maintain technology infrastructure
  o AI4 Enable operation and use
  o AI5 Procure IT resources
  o AI6 Manage changes
  o AI7 Install and accredit solutions and changes
• Deliver and Support (DS): User facing delivery of services and solutions. The high level processes for this domain are:
  o DS1 Define and manage service levels
  o DS2 Manage third-party services
  o DS3 Manage performance and capacity
  o DS4 Ensure continuous service
  o DS5 Ensure systems security
  o DS6 Identify and allocate costs
  o DS7 Educate and train users
  o DS8 Manage service desk and incidents
  o DS9 Manage the configuration
  o DS10 Manage problems
  o DS11 Manage data
  o DS12 Manage the physical environment
  o DS13 Manage operations
• Monitor and Evaluate (ME): Monitors IT processes to ensure they remain aligned with business requirements. The high level processes for this domain are:
  o ME1 Monitor and evaluate IT performance
  o ME2 Monitor and evaluate internal control
  o ME3 Ensure compliance with external requirements
  o ME4 Provide IT governance

Each of the processes in COBIT is written for managers, users and auditors by addressing each group's needs. Each process control objective is built using a template that includes:
  o a general statement that explains why management needs the control and where it fits
  o the key business requirements that the control addresses
  o how the control is achieved
  o control goals and metrics
  o who is responsible for each individual control activity
  o how the control can be measured
  o a clear description of how to measure how mature the organization is in accomplishing the control, using a detailed 0–5 scale

Maturity Model

Measurement of each process and control is accomplished through a Maturity Model. The COBIT Maturity Model is based on the Capability Maturity Model pioneered by Carnegie Mellon's Software Engineering Institute (SEI). The Capability Maturity Model was designed as a tool for ensuring quality software development. COBIT has modified the model to deliver a measurement and tracking tool that identifies the current state of adoption (maturity level) for each process, so as to compare an organization's execution with industry averages and business targets. This helps management identify where the company's performance is in relation to its peers and provides a path to improve, with specific and prescriptive steps used to get there.
The COBIT Maturity Model scale provides the following measurements:

COBIT Maturity Scale
0 Non-existent: The process is not performed at all.
1 Initial/Ad hoc: The process is chaotic, not standardized and handled case by case.
2 Repeatable but intuitive: Similar procedures are followed by different people, but there is no formal training or communication of standard procedures; responsibility is left to the individual and the process relies heavily on individual knowledge.
3 Defined process: Procedures are standardized and documented, and formal training communicates the standards.
4 Managed and measurable: Processes are monitored and checked for compliance by management, are measured and reviewed for improvement, and are supported by limited automation.
5 Optimized: Processes are refined to the level of good practice and compared with others on the basis of maturity; processes are automated through workflow tools to improve quality and effectiveness.

Using COBIT requires customization to better align it with the company implementing it. COBIT is not designed as a governance strategy in a box, but as a reference for building a process focused system, utilizing international standards and good practices. Companies still need to determine a risk management methodology and build out a technical infrastructure to automate the various COBIT processes identified. COBIT's real value is in providing the management, measurement and organizational glue to tie these functions together.

IT auditors like to use COBIT mainly because it creates a well-documented set of processes and controls that can be assessed along with the metrics and requirements for each control. COBIT's usefulness is also apparent when the organization under audit does not use COBIT as a governance framework, because an auditor can build checklists and plan audits based on COBIT to ensure that all aspects of the IT process are covered. COBIT is also an invaluable resource when writing the audit report because it allows the auditor to justify findings and compare them to a well-respected standard.

ITIL

The Information Technology Infrastructure Library (ITIL) documents best practices for IT Service Management. ITIL was created in the late 1980s by the UK government's Central Computer and Telecommunications Agency (CCTA), whose functions later passed to the Office of Government Commerce (OGC), to standardize IT practice across British government agencies and to follow security best practices. The study that was conducted generated a significant amount of information (roughly 40 books) that became known as ITIL. The books were revised and consolidated between 2000 and 2004 into a series of eight books focused on IT service management. This version 2 of ITIL became popular among organizations
looking for an internationally recognized, proactive framework for managing IT services, reducing cost and improving quality. Version 3 of ITIL was released in June 2007 to refresh the core service support and service delivery material that many companies had implemented, and to move the ITIL framework towards a lifecycle model that covers the management of all services provided by IT. The five books that make up Version 3 are:

• Service Strategy: This book is the foundation for the others, defining business to IT alignment, value to the business, service strategy and service portfolio management.
• Service Design: Focused on the design of IT processes, policies and architectures. Includes service level management, capacity management, information security management and availability management.
• Service Transition: Covers moving from the design phase to production business services and change management. It also includes service asset and configuration management, service validation and testing, evaluation and knowledge management.
• Service Operation: Provides information on the day-to-day support of production systems. This includes service delivery and service support, service desk design, application management, problem management and technical management.
• Continual Service Improvement: This book covers service improvement and service retirement strategies.

ITIL is primarily about delivering IT as a service and the lifecycle of service development, implementation, operation and management. ITIL is used by companies for overall management of IT and also for managing security processes. Auditing an ITIL shop requires that the auditor understand the basics of ITIL to speak the same language. ITIL also works well with COBIT as a means of fleshing out the service delivery of each process; the ITGI even publishes a mapping between COBIT and ITIL for organizations that want to use the two together. ITIL is also aligned with ISO/IEC 20000, the international standard for IT service management, so an organization that has adopted ITIL can pursue certification against that standard. Whether a company chooses to go for certification or not, ITIL gives guidance about how to move from a reactive to a proactive approach to managing IT and security as a service.

Technology: Standards, Procedures and Guidelines

Knowing what processes and controls need to be in place is half the job. The other half is implementing the technology and procedures that allow the control to work as intended. Most auditors focus their efforts on testing and validating controls to ensure that they are functional and dependable. Penetration testing, configuration review and architecture review are all part of this type of assessment, so auditors need to know
where to go to find guidance, templates and sample designs that have been proven to work through consensus and extensive testing. The best security programs don't provide much benefit if the execution of those programs relies on poor control choices. The following standards and best practices can help the auditor distinguish good security designs from bad and provide reference architectures for comparison.

ISO 27000 Series of Standards

The ISO 27000 series are internationally recognized security control standards for the creation and operation of an Information Security Management System (ISMS). Previously known as ISO 17799 and originating from British Standard 7799, the ISO 27000 series is one of the most widely used and cited sets of documents in information security today. All the major governance frameworks reference ISO when discussing key controls, and it is a great resource to address a wide range of security needs, from data-handling standards, to physical security, to policy. ISO 27000 is broad and covers a great deal of content that is broken into seven published standards documents, with ten more in preparation at the time of writing. This overview is centered on the first two standards: ISO 27001 and ISO 27002.

The first ISO standard is ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements. It provides the requirements for a security management system in accordance with ISO 27002 best practices. ISO 27001 identifies generic technological controls and processes that must be in place if a business wants to be certified as compliant with the standard. The contents of ISO 27001 are:

• ISMS: Establish the ISMS; implement and operate it; monitor and review it; maintain and improve it; documentation requirements, control of documents and control of records.
• Management responsibility: Involves management commitment, provision of resources, and training for awareness and competence.
• Internal ISMS audits: The requirements for conducting audits.
• ISMS improvement: Continual improvement, corrective actions and preventive actions.
• Annex A: Control objectives and controls (the checklist).
• Annex B: The OECD principles and this International Standard.
• Annex C: Correspondence between ISO 9001, ISO 14001 and this International Standard.

A key concept used in 27001 is the Deming Cycle process improvement approach: Plan, Do, Check and Act. This continuous improvement cycle was made famous by Dr. W. Edwards Deming, whose quality control methodology shows that a process can be continually improved by learning from mistakes and monitoring the things done correctly to further refine the capabilities of the system.
The Deming Cycle is simple yet powerful, and ISO 27001 applies it to security management in the following manner:

Step 1. Plan: Establish the ISMS according to the policies, processes and objectives of the organization to manage risk.
Step 2. Do: Implement and operate the ISMS.
Step 3. Check: Audit, assess and review the ISMS against policies, objectives and experience.
Step 4. Act: Take action to correct the deficiencies identified, for continuous improvement.

ISO 27001 provides guidance for setting up an ISMS and an excellent checklist for assessing compliance with the standard by specifying what controls need to be in place. An organization can be certified through an accredited assessment and registration body as being in compliance with 27001. There are over 3,000 companies certified against ISO 27001. Many companies choose certification as a mechanism to "prove" their competence in building an information security program, but also because certification provides supporting evidence for SOX and other legal compliance frameworks that the company has addressed the requirements of those laws. The other benefit of ISO 27001 is its global acceptance as a standard that some companies require of their business partners, which can provide a unique business opportunity for a company that goes down the path of certification.

The second ISO standard is ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management, which consists of international best practices for securing systems. This standard provides best practice information about everything from human resources security to physical security, and it represents the detailed implementation guidance for the controls required by ISO 27001.

ISO 27002 is full of good high level information that can be used as a source document for any generalized audit or assessment. It consists of security controls across all forms of information handling, including electronic, paper and voice (notes tied to pigeons are not included).

The thirteen areas covered in ISO 27002:2005 (an introduction, risk assessment and eleven control clauses) are:

• Introduction to information security management
• Risk assessment and treatment
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management
• Compliance

The ISO standards define a solid benchmark for assessing a company's information security practices, but as with most high level control documents, they don't give the auditor details about security architecture or implementation guidance. 27002 is a great internationally recognized standard to refer back to for control requirements in an audit report or findings document, and it makes excellent source material for an auditor's checklist.

NIST

The National Institute of Standards and Technology (NIST) is a federal agency of the United States government, tasked with helping commerce in the U.S. by providing weights and measures, materials references and technology standards. If you have configured your computer to synchronize its clock to an atomic time source on the Internet, you may well have used a NIST service, since NIST operates public Internet time servers. NIST also provides reference samples of over 1,300 items, including cesium-137, peanut butter and oysters. The part of NIST most interesting from an information security standpoint is the Computer Security Division, which is tasked with creating information security standards and publishes them through the Computer Security Resource Center (CSRC).

The CSRC is directed by the United States Congress to create standards for information security in response to laws such as the Information Technology Management Reform Act of 1996, the Federal Information Security Management Act of 2002 (FISMA) and HIPAA. Although FISMA is a federal law and not enforceable in the private sector, private companies can reap the benefits of the many excellent documents NIST has created for FISMA compliance.

Federal Information Processing Standards Publications (FIPS) are a series of standards that government agencies must follow by law according to FISMA. FIPS standards include encryption standards, information categorization and other requirements. FIPS also mandates standards for technology through a validation program. Cryptographic modules that encrypt sensitive data with AES, for example, must be validated against FIPS 140-2 (at one of its four security levels, chosen according to the application) before the federal government may use them.

The NIST Special Publications (800 series documents) are a treasure trove of good information for auditors, systems administrators and security practitioners at companies of any size. These documents
give guidance and provide specific recommendations about how to address a wide range of security requirements. These documents are created by academic researchers, security consultants and government scientists. They are reviewed by the security community through a draft process that allows anyone to provide comments and feedback on the documents before they are made standards. The documents are also revised on a regular basis as new technologies become adopted.

The table below provides a list of some of the most widely used NIST 800 series documents. This list is not exhaustive, and new documents are added all the time, so check the NIST website on a regular basis for updates and new drafts.

Table: NIST 800 series documents

SP 800-14   Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-18   Guide for Developing Security Plans for Information Technology Systems
SP 800-27   Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
SP 800-30   Risk Management Guide for Information Technology Systems
SP 800-34   Contingency Planning Guide for Information Technology Systems
SP 800-37   Guide for the Security Certification and Accreditation of Federal Information Systems
SP 800-47   Security Guide for Interconnecting Information Technology Systems
SP 800-50   Building an Information Technology Security Awareness and Training Program
SP 800-53   Recommended Security Controls for Federal Information Systems
SP 800-53A  Guide for Assessing the Security Controls in Federal Information Systems
SP 800-54   Border Gateway Protocol Security
SP 800-55   Security Metrics Guide for Information Technology Systems
SP 800-58   Security Considerations for Voice Over IP Systems
SP 800-60   Guide for Mapping Types of Information and Information Systems to Security Categories (two volumes)
SP 800-61   Computer Security Incident Handling Guide
SP 800-66   An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-77   Guide to IPsec VPNs
SP 800-88   Guidelines for Media Sanitization
SP 800-92   Guide to Computer Security Log Management
SP 800-95   Guide to Secure Web Services
SP 800-97   Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
SP 800-100  Information Security Handbook: A Guide for Managers

The Cyber Security Research and Development Act of 2002 requires that NIST develop checklists to help minimize the security risks of hardware and software used by the federal government. These checklists give detailed configurations for many hardware and software platforms, including Cisco. SP 800-70 outlines the format, goals and objectives of the checklists and how to submit a checklist if you build one that you would like to share. NIST provides many of these checklists in Security Content Automation Protocol (SCAP) format, which can be loaded into a SCAP validated scanner for automated auditing. A number of scanning vendors support SCAP, such as Qualys and Tenable (Nessus scanner). For a complete list of scanning vendors and downloadable checklists, visit http://checklists.nist.gov.

Center for Internet Security

The Center for Internet Security (CIS) is a not-for-profit group dedicated to creating security best practices and configuration guidance for companies to help reduce the risk of inadequately secured corporate systems. CIS provides peer-reviewed configuration guides and templates that administrators and auditors can follow when securing or testing the security of a target system. These guides are well written and provide enough detail, down to the actual configuration level, to use as a checklist, while also explaining why the particular configuration option needs to be implemented.

CIS refers to its best practice documents as benchmarks and has two categories:

• Level 1 benchmarks consist of the minimum level of security that needs to be configured, and that any skilled administrator can implement.
• Level 2 benchmarks focus on particular applications of security based on the type of system or the manner in which the system is used. Proper security depends on understanding risk, which determines at what level you need to protect an asset. Laptops, for example, have a different risk profile than servers, which is explored in detail in the Level 2 benchmark section.

The CIS benchmarks are often used for configuration level auditing of technology for proper implementation of security features and good defensive practices. Many compliance laws dictate high level controls, but never go into the details of how to actually perform the tasks necessary. These benchmarks developed
by CIS help to fill in the blanks when auditing for compliance, through consensus-validated device configuration recommendations. CIS also makes available automated assessment tools that leverage these benchmarks. CIS benchmarks can be found at www.cisecurity.org.

NSA

The National Security Agency (NSA) has been responsible for securing information and for information assurance since it began in 1952. As a component of the U.S. Department of Defense, the NSA is typically known for its cryptology research and its cryptanalysis of encrypted communications. The NSA took part in the development of the DES encryption standard (built on a design from IBM), which was the most commonly deployed encryption technique (and is still used in the form of 3DES) until it was replaced by AES.

Although the NSA's mission is to keep government communications private, it has also shared a significant amount of computer security research in the form of configuration guides on hardening computer systems and network infrastructure equipment. Through research conducted by the NSA's Information Assurance Directorate, a series of security configuration guides have been posted to help the public better secure computers and networks. These guides cover:

• Applications
• Database servers
• Operating systems
• Routers
• Supporting documents
• Switches
• VoIP and IP telephony
• Vulnerability reports
• Web servers and browsers
• Wireless

Auditors are free to use these configuration guidelines when examining security controls. They make a great resource and are updated as new technologies and applications are studied. You can find the guides at http://www.nsa.gov/ia/index.cfm.

DISA

The Defense Information Systems Agency (DISA) is a component of the U.S. Department of Defense that is charged with protecting military networks and creating configuration standards for military network deployments. DISA provides a number of useful configuration checklists for a wide variety of information system technologies. Security Technical Implementation Guides (STIGs) are great source material for security configuration assessments and are highly recommended as a tool for any auditor looking for vetted configuration recommendations. While STIGs are written with military auditors in mind, they are easy to read and include justification for the configuration requirements and the threats they mitigate. You can access the current list of STIGs at http://iase.disa.mil/stigs/stig/index.html.
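The NIST checklists, CIS benchmarks, NSA guides and DISA STIGs described above all reduce to the same mechanical step when they are used for a configuration-level audit: read the target's configuration, compare each setting against the value the benchmark asks for, and report every deviation together with the benchmark's rationale, so that the finding can be justified in the audit report. The following is an added example, not code from this handbook or from CIS, NIST, the NSA or DISA, that performs such a check against an OpenSSH server configuration. The sample sshd_config is constructed, and the expected values and their Level 1/Level 2 assignments are illustrative assumptions chosen for the example, not quotations from any published benchmark.

```python
"""Benchmark-style configuration check for an OpenSSH server (added example).

The expected values below are illustrative and are NOT quoted from any CIS
benchmark, NSA guide or DISA STIG; substitute the settings from the benchmark
you are actually auditing against.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample sshd_config, standing in for a file copied off a target host.
SAMPLE_SSHD_CONFIG = """\
# OpenSSH server configuration (constructed sample, not a real host)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
#LogLevel INFO
Ciphers aes256-ctr,aes128-ctr
"""


@dataclass(frozen=True)
class Check:
    key: str              # sshd_config keyword (keywords are case-insensitive)
    expected: str         # value the benchmark asks for
    level: int            # 1 = baseline profile, 2 = stricter profile (CIS Level 1/2 sense)
    rationale: str        # why the benchmark asks for it; carried into the finding
    compare: str = "eq"   # "eq" = exact match, "le" = observed integer must be <= expected


# Illustrative checks: hypothetical values chosen for this example.
CHECKS = [
    Check("Protocol", "2", 1, "SSH protocol 1 has known cryptographic weaknesses."),
    Check("PermitRootLogin", "no", 1, "Forces a login as a named user before privilege escalation."),
    Check("X11Forwarding", "no", 1, "Removes an unneeded channel into the server."),
    Check("MaxAuthTries", "4", 1, "Limits credential guessing per connection.", compare="le"),
    Check("LogLevel", "INFO", 1, "Ensures logins and failures reach the audit trail."),
    Check("PasswordAuthentication", "no", 2, "Key-only authentication defeats password guessing."),
]


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lowercased: value} for the active directives in an sshd_config.

    Comment and blank lines are skipped. When a keyword appears more than once,
    the first occurrence wins, which is the rule sshd itself applies.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                      # keyword with no value: ignore
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def evaluate(settings: dict, checks: List[Check], level: int = 1
             ) -> List[Tuple[str, str, Optional[str], str, str]]:
    """Apply every check at or below `level`; return (key, status, observed, expected, rationale).

    status is PASS, FAIL or MISSING. An absent directive is reported as MISSING
    rather than assumed to sit at its default, because defaults differ between
    OpenSSH versions and distributions and a benchmark normally wants the value
    stated explicitly.
    """
    results = []
    for c in checks:
        if c.level > level:
            continue
        observed = settings.get(c.key.lower())
        if observed is None:
            status = "MISSING"
        elif c.compare == "le":
            try:
                ok = int(observed) <= int(c.expected)
            except ValueError:
                ok = False                # a non-numeric value can never satisfy a limit
            status = "PASS" if ok else "FAIL"
        else:
            status = "PASS" if observed.lower() == c.expected.lower() else "FAIL"
        results.append((c.key, status, observed, c.expected, c.rationale))
    return results


def summarize(results) -> dict:
    """Count findings by status; FAIL + MISSING is the number that goes in the report."""
    counts = {"PASS": 0, "FAIL": 0, "MISSING": 0}
    for _, status, *_ in results:
        counts[status] += 1
    return counts


if __name__ == "__main__":
    findings = evaluate(parse_sshd_config(SAMPLE_SSHD_CONFIG), CHECKS, level=2)
    for key, status, observed, expected, why in findings:
        print(f"{status:7} {key:<22} observed={observed!r:<8} expected={expected!r}  # {why}")
    print(summarize(findings))
```

A SCAP validated scanner does the same thing at scale, driven by checklist content rather than a hand-written table. The point of writing it out is to see what a benchmark check actually is: an expected value plus the justification for it, and a rule that an absent directive is a finding in its own right rather than a pass by default.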
SANS

The SANS (SysAdmin, Audit, Network, Security) Institute is by far one of the best sources of free security information available on the Internet today.
Established in 1989 as a security research and education organization, it has become a source of training and knowledge that shares information about security with hundreds of thousands of individuals across the globe. The SANS website has something for everyone involved in information security, from the CIO to hard-core security technologists and researchers.

SANS is in the business of security education and delivers training events, conferences and webcasts. It offers an extensive array of technical security and management tracks covering everything from incident handling and hacking to creating security policies. SANS security training conferences are the most common venue for a student attending these courses, but many are also offered through on-demand web training and self-study. Each of these courses also offers an opportunity to test for certification through GIAC (a separate entity that governs the certification and testing process for SANS). For those students who want a more traditional education process, SANS is accredited in the state of Maryland to grant master's degrees in information security engineering and information security management.

Although SANS focuses on training, it also provides a wealth of free security information as part of its mission to use security knowledge and expertise to give back to the Internet community.

SANS offers the following free services and resources that are perfect for auditors and security professionals to use to gain insight into new issues and to understand technical security controls:

• SANS reading room: The reading room consists of over 1,600 computer security whitepapers from vendors and research projects, written by SANS students going for GIAC Gold certification. There is a wide range of topic categories, ensuring you will find something relevant to what you are looking for, from best practices to configuration guidance.
• SANS Top 20: The SANS Top 20 is a list of the top 20 vulnerabilities in operating systems and applications that attackers target. This information is updated yearly by a large panel of security experts, and it provides auditors and security practitioners with a good list of high-risk areas they need to ensure are addressed. Although this list is good, it doesn't cover the latest threats, so it should not be used as a checklist, but rather as a tool to focus your efforts.
• SANS security policy samples: If you are looking for sample security policies, this resource is a goldmine. All of the policies represented are free for use, and in some cases you can simply insert the business's name. These policy templates cover a wide range of security functional areas and are added to on a regular basis. It is important to note that security policies are serious documents and require that the legal and HR departments be involved in their adoption.
133
Trainer’s Guide– Security Analyst SSC/N0901

 SANS newsletters: SANS provides a number of newsletters available as e-mails or RSS


feeds that you can subscribe to. Many topics are present, including one focused on
auditing (SANS AuditBits).

 Internet Storm Center: The Internet Storm Center is a group of volunteer incident
handlers who analyze suspicious Internet traffic from across the globe. They look at
packet traces to determine if a new virus, worm, or other attack vectors have popped
up in the wild. The ISC also compiles attack trend data and the most frequently attacked
ports. Incident handlers are always “on duty,” and you can read their notes as they go
about analyzing attacks.

 SCORE: SCORE is a joint project with the CIS to create minimum standards of
configuration for security devices connected to the Internet. These checklists are
available for free and provide sound guidance about necessary technical controls.
 Intrusion Detection FAQ: The Intrusion Detection FAQ is a fantastic resource for better
understanding how to identify an attack on your network. FAQs cover the basics of
intrusion detection, details about tools to use, and a detailed analysis of sample attacks.
The SANS website should be considered mandatory reading for auditors who want to better
understand the tools and techniques attackers use to break into systems. Having all of this
knowledge in a single place is useful as auditors tailor their checklists and audit criteria to
address current events and attacks.

ISACA

If you are involved in security auditing to any degree, you undoubtedly have heard of the
Information Systems Audit and Control Association (ISACA). ISACA is the largest association
of IT auditors in existence with over 65,000 members across the world. Many of the auditing
techniques and security governance processes used to audit IT today have been compiled and
standardized by ISACA. Over 50,000 people have earned the Certified Information Systems
Auditor certification (CISA), demonstrating knowledge in auditing. The Certified Information
Systems Manager (CISM) is also offered to test IT governance and management expertise.

ISACA is more than just a certification granting organization. In addition to establishing the
IT Governance Institute and developing COBIT, they have created the de-facto standards guide
for assessing and auditing IT controls. The IS standards, guidelines and procedures for
auditing and control professionals are regularly updated and reviewed to provide the auditing
community with standards, guidelines and procedures for conducting audits.


The auditing guide includes:

• Standards of IS auditing: This section includes the code of conduct for professional
auditors, the auditing process from planning to follow-up and various other standards for
performing audits.

• Auditing guidelines: This section provides information on how to conduct audits while following
the standards of IS auditing.

 Auditing procedures: This section provides details on how to audit various types of
systems and processes, providing a sample approach to testing controls such as
firewalls and intrusion detection systems.

 The IT Assurance Guide to using COBIT is another excellent resource for how to conduct
an audit using COBIT as the governance framework. Regardless of whether or not the
company being audited uses COBIT, the guide describes how to leverage the controls
identified by COBIT and apply those to the audit process. This enables an auditor to
follow a well-documented framework to ensure that no major areas are missed.

ISO 27003

ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and
implementation of an Information Security Management System (ISMS) in accordance with
ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception
to the production of implementation plans. It describes the process of obtaining management
approval to implement an ISMS, defines a project to implement an ISMS (referred to in
ISO/IEC 27003:2010 as the ISMS project), and provides guidance on how to plan the ISMS
project, resulting in a final ISMS project implementation plan.

ISO 27004

ISO/IEC 27004 concerns measurements relating to information security management. These are
commonly known as ‘security metrics’ in the profession. The standard is intended to help
organizations measure, report on and hence systematically improve the effectiveness of their
Information Security Management Systems. It “provides guidance on the development and use of
measures and measurement in order to assess the effectiveness of an implemented information
security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC
27001. This would include policy, information security risk management, control objectives,
controls, processes and procedures, and support the process of its revision, helping to
determine whether any of the ISMS processes or controls need to be changed or improved.”

ISO 15408 Evaluation Common Criteria Evaluation for Security

ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT security evaluation
and specifies the general model of evaluation given by various parts of ISO/IEC 15408, which in
its entirety is meant to be used as the basis for evaluation of security properties of IT
products.

It provides an overview of all parts of ISO/IEC 15408, describes the various parts of ISO/IEC
15408, defines the terms and abbreviations to be used in all parts of ISO/IEC 15408,
establishes the core concept of a Target of Evaluation (TOE) and the evaluation context, and
describes the audience to which the evaluation criteria are addressed. An introduction to the
basic security concepts necessary for evaluation of IT products is given.

It defines the various operations by which the functional and assurance components given in
ISO/IEC 15408-2 and ISO/IEC 15408-3 may be tailored through the use of permitted operations.
The key concepts of protection profiles (PP), packages of security requirements and the topic
of conformance are specified, and the consequences of evaluation and evaluation results are
described. ISO/IEC 15408-1:2009 gives guidelines for the specification of Security Targets (ST)
and provides a description of the organization of components throughout the model.

ISO/IEC 13335 (IT Security Management)

ISO/IEC 13335-1:2004 presents the concepts and models fundamental to a basic understanding of
ICT security, and addresses the general management issues that are essential to the successful
planning, implementation and operation of ICT security. Part 2 of ISO/IEC 13335 (currently 2nd
WD) provides operational guidance on ICT security. Together, these parts can be used to help
identify and manage all aspects of ICT security.

ISO 13335 is focused on Information and Communication Technologies, also called ICT. ISO
standard 13335 was created to help businesses improve their information and communication
security. There is currently only one part of the ISO 13335 standard, ISO 13335-1. ISO standard
13335 is designed to create an IT management framework, including information security
policies, internal controls, company approved practices and configuration management of
hardware and software components. No one changes information and communication technologies
without formal review and approval after thorough testing has been completed. In addition, ISO
13335 was created in an effort to improve business continuity, the continuation of business
operations in case of a massive technical failure, natural disaster or hack attack.

ISO 13335-1

The ICT standard ISO 13335-1 originated as a technical report on information security before it
became a separate ISO standard. ISO 13335-1 is focused on technical security controls over
administrative procedures and internal corporate rules. ISO standard 13335-1 is now the entire
ISO 13335 standard, with the other sections either consolidated into ISO 13335-1 or made into
their own standards. Network security controls like firewalls can block traffic from selected
IP addresses or prevent users from accessing specific websites. Built-in data archiving modules
attached to routers or network connections automatically save all email messages, creating an
instant record of communications available if the main email server goes down or if messages
are deleted by unauthorized parties.

ISO 13335-2

ISO 13335-2 originally contained the ISO’s guidance on ICT security. The 1990s version of the
standard was broken up into ISO 13335-1 and 13335-2. The ICT security recommendations in ISO
13335-2 were incorporated into ISO 13335-1 in the 2004 update of the standard.

ISO 13335-3

ISO 13335-3 was originally the guidelines for managing IT security. ISO standard 13335-3 has
been replaced by ISO 27005. In essence, what was ISO 13335-3 is now part of ISO 27005.

ISO 13335-4

ISO 13335-4 outlined the ISO recommended practices of selecting technical security controls or
IT safeguards. ISO 13335-5 has also been replaced with ISO 27005.

ISO 13335-5

ISO 13335-5 was originally a set of guidelines on network security. ISO 13335-5 was replaced
with ISO 18028-1 in 2006. ISO 18028-1 has since been revised by ISO 27033-1, released in 2009.

ISO 27005

ISO 27005 replaced several sections of the original ISO 13335 standard. ISO 27005 describes how
organizations define their context, the areas for which they are responsible. Risks are
identified and the estimated severity of each risk is set during risk analysis. During risk
treatment, the organization decides whether to accept the risk, mitigate its effects or work to
prevent the risk from occurring. During risk monitoring, the group monitors the risks to the
network. Some risks may disappear as more security hardware is installed while others may grow
due to user complacency or evolving security threats. For example, the risk that a server’s
compromise would shut down a business is reduced when an off-site backup server is created with
hot backups of the organization’s data. If the main server is compromised and is removed from
the network to prevent hackers from using it to access other areas, the business simply
switches over to the remote backup server and keeps going.

ISO Standard 24762 for Technical Disaster Recovery

ISO/IEC 24762:2008 provides guidelines on the provision of information and communications
technology disaster recovery (ICT DR) services as part of business continuity management,
applicable to both “in-house” and “outsourced” ICT DR service providers of physical facilities
and services. ISO/IEC 24762:2008 specifies:

• the requirements for implementing, operating, monitoring and maintaining ICT DR services
and facilities
• the capabilities which outsourced ICT DR service providers should possess and the practices
they should follow so as to provide basic secure operating environments and facilitate
organizations' recovery efforts
• the guidance for selection of recovery site
• the guidance for ICT DR service providers to continuously improve their ICT DR services

ISO Standard for BCM – 22301

ISO 22301 is a management systems standard for BCM which can be used by organizations of all
sizes and types. These organizations will be able to obtain accredited certification against
this standard and so demonstrate to legislators, regulators, customers, prospective customers
and other interested parties that they are adhering to good practice in BCM. ISO 22301 also
enables the business continuity manager to show top management that a recognized standard has
been achieved. While ISO 22301 may be used for certification and therefore includes rather
short and concise requirements, describing the central elements of BCM, a more extensive
guidance standard (ISO 22313) is being developed to provide greater detail on each requirement
in ISO 22301.

ISO 22301 may also be used within an organization to measure itself against good practice, and
by auditors wishing to report to management. The influence of the standard will therefore be
much greater than on those who simply choose to be certified against the standard.

ISO/IEC 27031 provides guidance on the concepts and principles behind the role of information
and communications technology in ensuring business continuity. The standard:

• Suggests a structure or framework (actually a set of methods and processes) for any
organization – private, governmental and non-governmental.
• Identifies and specifies all relevant aspects including performance criteria, design and
implementation details for improving ICT readiness as part of the organization’s ISMS, helping
to ensure business continuity.
• Enables an organization to measure its ICT continuity, security and hence readiness to
survive a disaster in a consistent and recognized manner.

IEEE Standards

IEEE has standardization activities in the network and information security space and in
anti-malware technologies, including in the encryption, fixed and removable storage and hard
copy devices areas as well as applications of these technologies in smart grids.

Encryption Approved standards:
 IEEE Std 1363-2000 IEEE Standard Specifications for Public-Key Cryptography [Also
1363a-2004]
 IEEE Std 1363.1-2008 IEEE Standard Specification for Public-Key Cryptographic
Techniques Based on Hard Problems over Lattices


 IEEE Std 1363.2-2008 IEEE Standard Specification for Password-Based Public Key
Cryptographic Techniques

Fixed and Removable Storage Approved standards:
• IEEE Std 1619-2007 IEEE Standard for Cryptographic Protection of Data on Block-
Oriented Storage Devices*
• IEEE Std 1619.1-2007 IEEE Standard for Authenticated Encryption with Length
Expansion for Storage Devices
• IEEE Std 1619.2-2010 IEEE Standard for Wide-Block Encryption for Shared Storage
Media
• IEEE Std 1667-2009 IEEE Standard Protocol for Authentication in Host Attachments
of Transient Storage Devices

Security for Hardcopy Devices Approved standards:
• IEEE Std 2600-2008 IEEE Standard for Information Technology: Hardcopy Device and
System Security
• IEEE Std 2600.1-2009 IEEE Standard for a Protection Profile in Operational
Environment A
• IEEE Std 2600.2-2009 IEEE Standard Protection Profile for Hardcopy Devices in IEEE
Std. 2600 (TM)-2008 Operational Environment B
• IEEE Std 2600.3-2009 IEEE Standard Protection Profile for Hardcopy Devices in IEEE
Std. 2600 (TM)-2008 Operational Environment C
• IEEE Std 2600.4-2010 IEEE Standard Protection Profile for Hardcopy Devices in IEEE
Std. 2600 (TM)-2008 Operational Environment D

ISO 17799

ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing,
maintaining and improving information security management in an organization. The objectives
outlined provide general guidance on the commonly accepted goals of information security
management.
ISO/IEC 17799:2005 contains best practices of control objectives and controls in the
following areas of information security management:
o security policy
o organization of information security


o asset management
o human resources security
o physical and environmental security
o communications and operations management
o access control
o information systems acquisition, development and maintenance
o information security incident management
o business continuity management
o compliance

The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to
meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a
common basis and practical guideline for developing organizational security standards and
effective security management practices and to help build confidence in inter-organizational
activities.

ISO 17799: The key components of the Standard –

The Standard is divided into two parts.
• ISO 7799 Code of Practice for Information Security Management
• BS 7799 Part II Specifies requirements for establishing, implementing and documenting an
Information Security Management System (ISMS)

The standard has ten domains, which address key areas of Information Security Management.

1. Information security policy for the organization

This activity involves a thorough understanding of the organization’s business goals and its
dependence on information security. This entire exercise begins with creation of the IT
security policy. This is an extremely important task and should convey total commitment of top
management. The policy cannot be a theoretical exercise. It should reflect the needs of the
actual users. It should be implementable, easy to understand and must balance the level of
protection with productivity. The policy should cover all the important areas like personnel,
physical, procedural and technical.

2. Creation of information security infrastructure

A management framework needs to be established to initiate, implement and control information
security within the organization. This needs proper procedures for approval of the information
security policy, assigning of the security roles and coordination of security across the
organization.

3. Asset classification and control

One of the most laborious but essential tasks is to manage the inventory of all the IT assets,
which could be information assets, software assets, physical assets or other similar services.
These information assets need to be classified to indicate the degree of protection. The
classification should result in appropriate information labelling to indicate whether an asset
is sensitive or critical and which procedure is appropriate for copying, storing, transmitting
or destroying the information asset.

4. Personnel security

Human errors, negligence and greed are responsible for most thefts, frauds or misuse of
facilities. Various proactive measures that should be taken are: creation of personnel
screening policies, confidentiality agreements, terms and conditions of employment and
information security education and training. Alert and well-trained employees who are aware of
what to look for can prevent future security breaches.

5. Physical and environmental security

Designing a secure physical environment to prevent unauthorized access, damage and interference
to business premises and information is usually the beginning point of any security plan. Some
of the activities involved are creating a physical security perimeter and entry control;
securing offices, rooms and facilities; providing physical access controls and protection
devices to minimize risks ranging from fire to electromagnetic radiation; and providing adequate
protection to power supplies and data cables. Cost-effective design and constant monitoring are
two key aspects to maintain adequate physical security control.

6. Communications and operations management

Properly documented procedures for the management and operation of all information processing
facilities should be established. This includes detailed operating instructions and incident
response procedures.

Network management requires a range of controls to achieve and maintain security in computer
networks. This also includes establishing procedures for remote equipment including equipment
in user areas. Special controls should be established to safeguard the confidentiality and
integrity of data passing over public networks. Special controls may also be required to
maintain the availability of the network services.

Exchange of information and software between external organizations should be controlled and
should be compliant with any relevant legislation. There should be proper information and
software exchange agreements. The media in transit need to be secured and should not be
vulnerable to unauthorized access, misuse or corruption.

Electronic commerce involves electronic data interchange, electronic mail and online
transactions across public networks such as the Internet. Electronic commerce is vulnerable to a
number of network threats that may result in fraudulent activity, contract dispute and
disclosure or modification of information. Controls should be applied to protect electronic
commerce from such threats.

7. Access control

Access to information and business processes should be controlled on the basis of the business
and security requirements. This will include defining access control policy and rules; user
access management; user registration; privilege management; user password use and management;
review of user access rights; network access controls; enforcing the path from user terminal to
computer; user authentication; node authentication; segregation of networks; network connection
control; network routing control; operating system access control; user identification and
authentication; use of system utilities; application access control; monitoring system access
and use; and ensuring information security when using mobile computing and tele-working
facilities.

8. System development and maintenance

Security should ideally be built in at the time of inception of a system. Hence security
requirements should be identified and agreed prior to the development of information systems.
This begins with security requirements analysis and specification and providing controls at
every stage, i.e. data input; data processing; data storage and retrieval; and data output. It
may be necessary to build applications with cryptographic controls. There should be a defined
policy on the use of such controls, which may involve encryption; digital signature; use of
digital certificates; protection of cryptographic keys and standards to be used for
cryptography.

A strict change control procedure should be in place to facilitate tracking of changes. Any
changes to operating systems or software packages should be strictly controlled. Special
precaution must be taken to ensure that no covert channels, back doors or Trojans are left in
the application system for later exploitation.

9. Business Continuity Management

A business continuity management process should be designed, implemented and periodically
tested to reduce the disruption caused by disasters and security failures. This begins by
identifying all events that could cause interruptions to business processes and, depending on
the risk assessment, preparation of a strategy plan. The plan needs to be periodically tested,
maintained and re-assessed based on changing circumstances.

10. Compliance

It is essential that strict adherence is observed to the provisions of national and
international IT laws, pertaining to Intellectual Property Rights (IPR), software copyrights,
safeguarding of organizational records, data protection and privacy of personal information,
prevention of misuse of information processing facilities, regulation of cryptographic controls
and collection of evidence.

Information Technology’s use in business has also resulted in the enacting of laws that enforce
responsibility of compliance. All legal requirements must be complied with to avoid breaches of
any criminal and civil law, statutory, regulatory or contractual obligations and of any security
requirements.

BS 7799 (ISO 17799) and its relevance to Indian Companies:

Although Indian companies and the Government have invested in IT, facts of theft and attacks on
Indian sites and companies are alarming. Attacks and theft that happen on corporate websites are
high and are usually kept under “strict” secrecy to avoid embarrassment from business partners,
investors, media and customers. Huge losses are sometimes un-audited and the only solution is to
involve a model where one can see a long-run, business-led approach to Information Security
Management.

BS 7799 (ISO 17799) consists of 127 best security practices (covering the 10 Domains discussed
above) which Indian companies can adopt to build their Security Infrastructure. Even if a
company decides not to go in for the certification, the BS 7799 (ISO 17799) model helps
companies maintain IT security through ongoing, integrated management of policies and
procedures, personnel training, selecting and implementing effective controls, reviewing their
effectiveness and improvement. Additional benefits of an ISMS are improved customer confidence,
a competitive edge, better personnel motivation and involvement, and reduced incident impact.
Ultimately, this leads to increased profitability.

Security Standards Organizations

• Internet Corporation for Assigned Names and Numbers (ICANN)

ICANN’s role is to oversee the huge and complex interconnected network of unique identifiers
that allow computers on the Internet to find one another.

To reach another person on the Internet you have to type an address into your computer - a name
or a number. That address has to be unique so computers know where to find each other. ICANN
coordinates these unique identifiers across the world. Without that coordination we wouldn't
have one global Internet.

ICANN was formed in 1998. It is a not-for-profit partnership of people from all over the world
dedicated to keeping the Internet secure, stable and interoperable. It promotes competition and
develops policy on the Internet’s unique identifiers. This is commonly termed “universal
resolvability” and means that wherever you are on the network – and hence the world – you
receive the same predictable results when you access the network. Without this, you could end
up with an Internet that worked entirely differently depending on your location on the globe.

• International Organization for Standardization (ISO)

ISO (International Organization for Standardization) is an independent, non-governmental
membership organization and the world's largest developer of voluntary International Standards.

It is made up of 162 member countries who are the national standards bodies around the world,
with a Central Secretariat that is based in Geneva, Switzerland.

International Standards make things work. They give world-class specifications for products,
services and systems, to ensure quality, safety and efficiency. They are instrumental in
facilitating international trade.

ISO has published more than 19 500 International Standards covering almost every industry,
from technology, to food safety, to agriculture and healthcare. ISO International Standards
impact everyone, everywhere.

• Consultative Committee For Telephone and Telegraphy (CCITT)

The CCITT, now known as the ITU-T (for Telecommunication Standardization Sector of the
International Telecommunications Union), is the primary international body for fostering
cooperative standards for telecommunications equipment and systems. It is located in Geneva,
Switzerland.

• American National Standards Institute (ANSI)

American National Standards Institute (ANSI) oversees the creation, promulgation and use of
thousands of norms and guidelines that directly impact businesses in America in nearly every
sector: from acoustical devices to construction equipment, from dairy and livestock production
to energy distribution, and many more. ANSI is also actively engaged in accreditation -
assessing the competence of organizations determining conformance to standards.

• Institute Of Electronics and Electrical Engineers (IEEE)

IEEE is the world's largest professional association dedicated to advancing technological
innovation and excellence for the benefit of humanity. IEEE and its members inspire a global
community through IEEE's highly cited publications, conferences, technology standards, and
professional and educational activities. IEEE, pronounced "Eye-triple-E," stands for the
Institute of Electrical and Electronics Engineers.

• Electronic Industries Association

The Electronic Industries Association (EIA) comprises individual organizations that together
have agreed on certain data transmission standards such as EIA/TIA-232 (formerly known as
RS-232). The Electronics Industries Alliance (EIA) is an alliance of trade organizations that
lobby in the interest of companies engaged in the manufacture of electronics-related products.

• National Center for Standards and Certification Information (NIST)

National Institute of Standards and Technology's web site. Founded in 1901 and now part of the
U.S. Department of Commerce, NIST is one of the nation's oldest physical science laboratories.
US Congress established the agency to remove a major handicap to U.S. industrial competitiveness
at the time. Today, NIST measurements support the smallest of technologies, nanoscale devices so
tiny that tens of thousands can fit on the end of a single human hair, to the largest and most
complex of human-made creations, from earthquake-resistant skyscrapers to wide-body jetliners to
global communication networks. The National Centre for Standards and Certification Information
provides research services on standards, technical regulations and conformity assessment
procedures for non-agricultural products. The Centre is a central repository for
standards-related information in the United States and has access to U.S., foreign and
international documents and contact points through its role as the U.S. national inquiry point
under the World Trade Organization Agreement on Technical Barriers to Trade. The Program
maintains a database on NIST and Department of Commerce staff participation in standards
developing activities.

• World Wide Web Consortium (W3C)

The World Wide Web Consortium (W3C) is an international community where Member organizations, a
full-time staff, and the public work together to develop Web standards. Led by Web inventor Tim
Berners-Lee and CEO Jeffrey Jaffe, W3C's mission is to lead the Web to its full potential.

Vision

W3C's vision for the Web involves participation, sharing knowledge, and thereby building
trust on a global scale.


The following design principles guide W3C's work.

Web for All
The social value of the Web is that it enables human communication, commerce, and
opportunities to share knowledge. One of W3C's primary goals is to make these benefits
available to all people, whatever their hardware, software, network infrastructure, native
language, culture, geographical location, or physical or mental ability.
Web on Everything
The number of different kinds of devices that can access the Web has grown immensely.
Mobile phones, smart phones, personal digital assistants, interactive television systems,
voice response systems, kiosks and even certain domestic appliances can all access the
Web.
Web for Rich Interaction
The Web was invented as a communications tool intended to allow anyone, anywhere to
share information. For many years, the Web was a "read-only" tool for many. Blogs and
wikis brought more authors to the Web, and social networking emerged from the
flourishing market for content and personalized Web experiences. W3C standards have
supported this evolution thanks to strong architecture and design principles. Some people
view the Web as a giant repository of linked data while others as a giant set of services
that exchange messages. The two views are complementary, and which to use often
depends on the application.
Web of Trust
The Web has transformed the way we communicate with each other. In doing so, it has
also modified the nature of our social relationships. People now "meet on the Web" and
carry out commercial and personal relationships, in some cases without ever meeting in
person. W3C recognizes that trust is a social phenomenon, but technology design can
foster trust and confidence. As more activity moves on-line, it will become even more
important to support complex interactions among parties around the globe.
Web Application Security Consortium (WASC)
The Web Application Security Consortium (WASC) is a non-profit made up of an
international group of experts, industry practitioners, and organizational representatives
who produce open source and widely agreed upon best-practice security standards for
the World Wide Web. As an active community, WASC facilitates the exchange of ideas
and organizes several industry projects. WASC consistently releases technical
information, contributed articles, security guidelines, and other useful documentation.
Businesses, educational institutions, governments, application developers, security
professionals, and software vendors all over the world utilize our materials to assist with
the challenges presented by web application security.

4.4. Information Security Laws, Regulations & Guidelines

India and discusses the different types of disclosure.

India's Ministry of Communications and Information Technology ("Department of Information
Technology") has implemented the Information Technology (Reasonable security practices and
procedures and sensitive personal data or information) Rules, 2011 ("Privacy Rules").
Clarifications to the Privacy Rules were issued via Press Note by the Ministry.

 http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf
 http://pib.nic.in/newsite/erelease.aspx?relid=74990
 http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan010239.pdf

India's enabling legislation is India's Information Technology Act 2000 (the "Act"). While
India continues to adhere to the Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules) enacted in 2011,
the Centre for Internet and Society presented a new Privacy (Protection) Bill, 2013 (Bill), on
September 30, 2013. The Bill seeks to further refine provisions of the Rules, with a focus on
protection of personal data through limitations on use and requirements for notice. The
collection of personal data would be prohibited unless "necessary for the achievement of a
purpose of the person seeking its collection," and, subject to sections 6 and 7 of the Bill,
"no personal data may be collected under this Act prior to the data subject being given
notice, in such form and manner as may be prescribed, of the collection." The Bill
acknowledges the collection of data with and without consent; the regulation of personal data
storage, processing, transfer, and security;

Data Protection Authority and Registration Requirements

 No specific data protection authority exists, but the Privacy Rules state that in the case
of a breach, a "Body Corporate," as defined under the Act, must answer to "the agency
mandated under the law" (presumably, the Ministry).
 There are no registration requirements for the collection of data. However, the Data
Security Council of India (the "DSCI") provides a certification service by which
organizations within India may become "DSCI Privacy Certified."

Protected Personal Data

Personal information is defined as any information that relates to a natural person, which,
either directly or indirectly, in combination with other information available or likely to be
available with a corporate entity, is capable of identifying such person.

Sensitive personal data or information is defined as "personal information" which consists of
information relating to any of the following: passwords; financial information such as bank
account or credit card or debit card or other payment instrument details; physical,
physiological and mental health condition; sexual orientation; medical records and history;
biometric information; any detail relating to any of the above as provided to a corporate
entity for providing service; and any of the information received under the above by a
corporate entity for processing, stored or processed under lawful contract or otherwise. Data
or information is not sensitive and personal if it is available in the public domain or
furnished under the Right to Information Act of 2005.

Data Collection and Processing

The Privacy Rules apply to data collection, but do not define processing.

The Privacy Rules require a Body Corporate that collects, receives, possesses, stores, deals,
or handles sensitive or personal data to provide a privacy policy for handling of such data
and ensure that the policies are available for view by the data subjects who have provided
the information under contract. The policy shall provide for:

 clear and easily accessible statements of its practices and policies;
 the type of personal or sensitive personal data or information collected;
 the purpose of collection and usage of such information;
 the disclosure of information including sensitive personal data or information; and
 reasonable security practices and procedures.

Data may be collected and processed when all of the following conditions are met:

 the data subject has provided written consent and is aware at the time of collection that
the information is being collected, the purpose of collection, the intended recipients of
the information, and the name and address of the agency that is collecting and will retain
the information;
 the data subject has been provided with the option not to provide its sensitive personal
data or information;
 the data subject is permitted to withdraw his/her consent, in writing, at any time;
 the information is collected for a lawful purpose connected with a function or activity of
the body corporate or any person on its behalf; and
 the collection of the sensitive personal data or information is considered necessary for
that lawful purpose.

Data Transfer

Disclosure of data to a third party requires prior permission of the data subject, whether
the information is provided under contract or otherwise, except in the following situations:

 the disclosure has already been agreed to in a contract;
 the disclosure is necessary for compliance with a legal obligation;
 the data is shared with government agencies with the authority to obtain the data for the
purpose of verification of identity, or for the prevention, detection, investigation,
prosecution, and punishment of offenses, including cyber incidents; or
 the disclosure is pursuant to an order under the law.

Data may be transferred domestically or internationally to any person or Body Corporate that
ensures the same level of data protection that is adhered to by the Body Corporate, but the
transfer is allowed only if:

 the data subject consents; or
 the transfer is necessary for the performance of the lawful contract between the body
corporate or any person on its behalf and the data subject.

Data Security

A Body Corporate is required to implement reasonable security practices and procedures. The
Privacy Rules indicate that reasonable practice methodologies include IS/ISO/IEC 27001 or
other measures that have been pre-approved by the central government and are subject to
annual audits by a central government approved auditor.

Breach Notification

There is no mandatory requirement to report data security breach incidents under the Privacy
Rules.

Other Considerations

Data retention rules state that information should not be retained longer than is required
for the purposes for which the information may lawfully be used or is otherwise required
under any other law.

A clarification to the Privacy Rules stating that a "Body corporate providing services relating
to collection, storage, dealing or handling of sensitive personal data or information under
contractual obligation with any legal entity located within or outside India is exempt from
the requirement to obtain consent" was issued via Press Note by the Department of Information
and Technology. Accordingly, outsourcing service providers in India should be exempt from
obtaining consent from the individuals whose data they process.

Enforcement & Penalties

A corporate entity may be liable for up to Rs. 50,000,000 for the negligent failure to
implement and maintain reasonable practices and procedures, causing wrongful loss or gain.

International Directory of laws:

This directory includes laws, regulations and industry guidelines with significant security and
privacy impact and requirements. This is largely USA focused but used by international
agencies as a reference point.


Broad laws:

 Sarbanes-Oxley Act (SOX);
 Payment Card Industry Data Security Standard (PCI DSS);
 Gramm-Leach-Bliley Act (GLBA);
 Electronic Fund Transfer Act, Regulation E (EFTA);
 Customs-Trade Partnership Against Terrorism (C-TPAT);
 Free and Secure Trade Program (FAST);
 Children's Online Privacy Protection Act (COPPA);
 Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule;
 Federal Rules of Civil Procedure (FRCP).

Industry specific laws:

 Federal Information Security Management Act (FISMA);
 North American Electric Reliability Corp. (NERC) standards;
 Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records;
 Health Insurance Portability and Accountability Act (HIPAA);
 The Health Information Technology for Economic and Clinical Health Act (HITECH);
 Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule);
 H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation.


UNIT V
Information Security Management – Roles
and Responsibilities

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
5.1. Information and Data Security Team Structure
5.2. Security Incident Response Team


LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
PC1. establish your role and responsibilities in contributing to managing information security
PC10. obtain advice and guidance on information security issues from appropriate people, where
required
PC11. comply with your organization's policies, standards, procedures and guidelines when
contributing to managing information security

Ensuring Measures: Going through various organizations' websites and understanding the
policies and guidelines (Research). Understand, summarize and articulate.

Duration (Hrs): 2 hrs

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Networking Equipment - Routers & Switches
 Firewalls and Access Points
 Commercial Tools like HP WebInspect and IBM AppScan etc.
 Open Source tools like sqlmap, Nessus etc.

Performance Outcomes:
You need to know and understand:
KA3. limits of your role and responsibilities and who to seek guidance from
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to
use these
KA11. who to involve when managing information security

Ensuring Measures: KA1. Going through various organizations' websites and understanding the
policies and guidelines (Research). KA2, KA3. Understand, summarize and articulate.

Duration (Hrs): 2 hrs

Work Environment / Lab Requirement: as listed above.


Suggested Learning Activities


Activity 1:

Research various job titles and roles within the data security sub-sector. Meet industry
representatives and compile a list of functions, qualification and experience requirements
for each role. Present the same in class in groups.

Activity 2:

Divide the students into teams and ask them to research, through industry interactions, the
teams assigned to information security in organisations from different sectors. Compare the
variances between different types of companies and encourage students to debate and
deliberate on various aspects of these teams, including composition, liaising with different
departments inside the organisation, interactions with other organisations, their functions,
etc.


Training Resource Material


5.1 Information and Data Security Team Structure

With the growing importance and scope of information and data security, numerous
organizational structures and configurations have been implemented to get a handle on the
complexities associated with managing and protecting data.

Information security governance begins at the top with the Board of Directors and CEO
enforcing accountability for adherence to standards and commissioning the development of
security architectures that address the security requirements of the business as a whole. The
auditing function might be its own group (or outsourced to a third party) and might report to
the CEO or directly to the Board of Directors to maintain its independence.

Board of Directors
The Board of Directors is responsible for protecting the interests of the shareholders of the
corporation. This duty of care (fiduciary responsibility) requires that it understand the risk
to the business and its data. The Board of Directors is responsible for approving the
appropriate resources necessary to safeguard data. It also needs to be kept aware of how
the security program is performing.

Security Steering Committee


The Security Steering Committee has an important role in security governance; this group
is responsible for setting the tactical and strategic direction for the organization as a whole.
The group generally consists of the CEO, CFO, CIO/CISO, and the internal auditing function
(or oversight if it is outsourced to a third party). Other business functions might also be
present, such as Human Resources and business operational leaders, depending on the size
and organizational complexity of the business. This team reviews audit results, risk
assessment, and current program performance data. The committee also provides approval
for any major policy or security strategy changes.

CEO or Executive Management


Senior management must answer to the Board of Directors and shareholders of a company.
Furthermore, if the company is publicly traded, the CEO and CFO must personally attest to
the accuracy and integrity of the financial reports the company issues. Executive
management sets the tone and direction for the rest of the company and must be aware of
the risks the company faces for the confidentiality, integrity, and availability of sensitive
data.

CIO/CISO
The CIO/CISO is responsible for aligning the information security program strategy and
vision to business requirements. The CIO/CISO ensures that the correct resources are in
place to adhere to the policies and procedures set forth by the steering committee. This
role generally reports to the CEO and Board of Directors and reports how the organization
is performing relative to the company’s goals and similar organizations in the same industry.

Security Director
The security director’s role is to coordinate the efforts for securing corporate assets. The
responsibilities include reporting on the progress of initiatives to executive management
and building the teams and resources to address the various tasks necessary for information
security. This role also acts as a liaison to other aspects of the business to articulate security
requirements throughout the company. The security director manages the teams in
developing corporate data security policies, standards, procedures, and guidelines.

Security Analyst
A security analyst builds the policies, analyses risk, and identifies new threats to the
business. Business continuity and disaster recovery planning are important functions
performed by the analyst to prepare the company for the unexpected. The analyst is also
responsible for creating reports about the performance of the organization’s security
systems.

Security Architect
A security architect defines the procedures, guidelines, and standards used by the company.
Architects help to select the controls used to protect the company’s data and they make
sure that the controls are sufficient for addressing the risk and complying with policy. This
role is also responsible for testing security products and making recommendations about
what will best serve the needs of the company.

Security Engineer
A security engineer implements the controls selected by the security architect. Security
engineers are responsible for the maintenance of firewalls, IPS, and other tools. This
includes upgrades, testing, patching, and overall maintenance of the security systems. This
role might also be responsible for testing the functionality of equipment to make sure that
it operates as expected.

Systems Administrator
A systems administrator is responsible for monitoring and maintaining the servers, printers,
and workstations a company uses. In addition, administrators add and/or remove user
accounts as necessary, control access to shared resources, and maintain company-wide
antivirus software.

Database Administrator
The Database Administrator (DBA) has an important job in most companies. The DBA is
responsible for designing and maintaining corporate databases and also securing access to
the data to ensure its integrity. The ramifications of lax security in this role can be severe,
especially considering the reporting requirements mandated by SOX.

IS Auditor
An auditor’s role in security governance is to assess the effectiveness in meeting the
requirements set forth by policy and management direction. The auditor is tasked to
identify risk and report on how the organization performs to upper management. The
auditor provides an impartial review of projects and technologies to identify weaknesses
that could result in loss to the company.

End User
End users have a critical role in security governance that is often overlooked. They must be
aware of the impact their actions can have on the security of the company and be able to
safeguard confidential information. They are responsible for complying with policies and
procedures and following safe computing practices, such as not opening attachments
without antimalware software running or loading unauthorized software. A solid user
security awareness program can help promote safe computing habits.

Hierarchical flowchart for all the Roles w.r.t. Information Security (figure rendered here as
its numbered nodes, top to bottom):

1. Board of Directors
2. CEO
3. CIO/CISO
4. Security Director
5. Security Analyst
6. System Architect
7. System Engineer
8. System Administrator
9. Database Administrator
10. IS Auditor
11. End User


5.2 Security incident response team

The security incident response team is a group of individuals who have been trained in
incident management, each having distinct response roles. The team works under the direction
of the incident officer. The team is tasked with the following responsibilities:

 Processes IT security complaints or incidents.
 Assesses threats to IT resources.
 Alerts IT managers of imminent threats.
 Determines incident severity and escalates it, if necessary, with notification to CTO and
president’s senior staff.
 Coordinates security incidents (level 2 or 3) from discovery to closure.
 Reviews incidents, provides solutions/resolutions and closure.

Table-Top Exercise:

Students are recommended to follow this link and perform an interesting exercise on Security
Breach by assuming various roles as mentioned in the corresponding exercise:

http://www.nascio.org/portals/0/awards/nominations2015/2015/2015PA12-PA%20Cyber%20Continuity%20CIO%20Exercise%20DR%20Sec%20Biz%20Continuity%20NASCIO%202015%20FINAL.pdf


UNIT VI
Information Security Performance
Metrics

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
6.1. Introduction – Security Metrics
6.2. Types of Security Metrics
6.3. Using Security Metrics
6.4. Developing the Metrics Process
6.5. Metrics and Reporting
6.6. Designing Information Security Measuring
Systems


LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
PC7. analyze information security performance metrics to highlight variances and issues for
action by appropriate people
PC3. carry out security assessment of information security systems using automated tools
PC9. update your organization’s knowledge base promptly and accurately with information
security issues and their resolution
PC2. monitor systems and apply controls in line with information security policies, procedures
and guidelines

Ensuring Measures: QA session and a descriptive write-up on understanding. Group presentation
and peer evaluation along with Faculty. Team work (IM and chat applications) and group
activities (online forums) including templates to be prepared. Project charter, Architecture
(charts), Project plan, Poster presentation and execution plan. Creation of templates based on
the learnings.

Duration (Hrs): 4 hrs

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Networking Equipment - Routers & Switches
 Firewalls and Access Points
 Access to all security sites like ISO, PCI DSS
 Commercial Tools like HP WebInspect and IBM AppScan etc.
 Open Source tools like sqlmap, Nessus etc.

Performance Outcomes:
You need to know and understand:
KA1. your organization’s policies, procedures, standards and guidelines for managing
information security
KA2. your organization’s knowledge base and how to access and update this
KA10. how to access and analyze information security performance metrics
KA11. who to involve when managing information security
KA12. your organization’s information security systems and tools and how to access and
maintain these
KA13. standard tools and templates available and how to use these
KB3. common issues and variances of performance metrics that require action and who to
report these to

Ensuring Measures: KA1. QA session and a descriptive write-up on understanding. KA2. Group
presentation and peer evaluation along with Faculty. KA10, KA11. Team work (IM and chat
applications) and group activities (online forums) including templates to be prepared. KA12.
Project charter, Architecture (charts), Project plan, Poster presentation and execution plan.
KA13. Creation of templates based on the learnings.

Duration (Hrs): 12 hrs

Work Environment / Lab Requirement: as listed above.


Suggested Learning Activities

Activity 1:

Ask the class to form teams and gather as much information as possible from industry on the
various information security performance metrics organisations use. Encourage students to
discuss the various challenges in identifying, monitoring and drawing inferences about
performance through these metrics.

Activity 2:

Ask students to develop performance metrics for various aspects of their own academic
and non-academic behaviours and track these over a period of a week. Let them draw out
various inferences from this monitoring. Let them present at the end of the week the
object of their study, the metric they chose, and the challenges in implementing these
metrics and their process of inferencing. Encourage the class to debate the inferences and
their validity.

Activity 3:

Ask the students to research the various information security companies offering products
and services for tracking and instituting performance metrics systems in organisations. Ask
students to compare services, present features, benefits and limitations of the same.


Training Resource Material


6.1 Introduction – Security Metrics

It helps to understand what metrics are by drawing a distinction between metrics and
measurements. Measurements provide single-point-in-time views of specific, discrete factors,
while metrics are derived by comparing to a predetermined baseline two or more measurements
taken over time. Measurements are generated by counting; metrics are generated from analysis.
In other words, measurements are objective raw data and metrics are either objective or
subjective human interpretations of those data.

In the face of regular, high-profile news reports of serious security breaches, as well as
intense scrutiny of institutional costs, security managers are more than ever being held
accountable for demonstrating effectiveness of their security programs. What means should
managers be using to meet this challenge? Key among these should be security metrics. This
section will provide a definition of security metrics, explain their value, discuss the
difficulties in generating them, suggest a methodology for building a security metrics
program, and review factors that affect its ongoing success.

Good metrics are those that are SMART, i.e. specific, measurable, attainable, repeatable, and
time-dependent. Truly useful metrics indicate the degree to which security goals, such as
data confidentiality, are being met, and they drive actions taken to improve an
organization’s overall security program. Distinguishing metrics meaningful primarily to those
with direct responsibility for security management from those that speak directly to
executive management interests and issues is critical to development of an effective security
metrics program.

While there are multiple ways to categorize metrics, guidance from the National Institute of
Standards and Technology (NIST) does this in a way that is more helpful than simply providing
tag names for metric groupings. The Performance Measurement Guide for Information Security
(NIST SP 800-55 Revision 1) divides security metrics into three categories and links each to
levels of security program maturity.

The categories are:

 Implementation – metrics used to show progress in implementing policies and procedures and
individual security controls
 Effectiveness/efficiency – metrics used to monitor results of security control
implementation for a single control or across multiple controls
 Impact – metrics used to convey the impact of the information security program on the
institution's mission, often through quantifying cost avoidance or risk reduction produced
by the overall program

Truly useful metrics indicate the degree to which security goals are being met and they drive
actions taken to improve an organization's overall security program. Before expending
resources, it is essential that goals and objectives of the security program be articulated.


6.2. Types of Security Metrics

Three distinct types of metrics classified according to level:

 Strategic security metrics
These are measures concerning the information security elements of high level business goals,
objectives and strategies. For example, if the organization needs to bolster its information
security capabilities and competences in order to support various business initiatives,
without expanding the budget, metrics concerning the efficiency and effectiveness of
information security are probably relevant. Broad-brush metrics relating to information
security risks, capabilities and value tend to exist at this high level. The reporting period
may be one or more years.

 Security management metrics
There are numerous facets to managing information security risks that could be measured,
hence many possible metrics. We recommend making a special effort to identify management
metrics that directly relate to achieving specific business objectives for information
security, supplementing those that are needed to manage the information security department,
function or team just like any other part of the business (e.g. expenditure against budget).
Management-level metrics tend to be reported/updated on a monthly or quarterly basis. Metrics
concerning information security projects/initiatives (e.g. implementing dual-factor
authentication) and the information security management system (e.g. security incident
statistics) are typical examples.

 Operational security metrics
At the lowest level of analysis, most information security controls, systems and processes
need to be measured in order to operate and control them. Metrics supporting security
operations are normally only of direct concern to those managing and performing security
activities. They include both technical and non-technical security metrics that are often
updated on a weekly, daily or hourly basis. They are unlikely to be of much interest or value
beyond the information security and related technical functions, although some

Another classification is by object of measurement:

 Process Security Metrics: These metrics measure processes and procedures. Examples are
number of policy violations, percentage of systems with formal risk assessments, percentage
of systems with tested security controls, percentage of weak passwords (noncompliant), number
of identified risks and their severity, percentage of systems with contingency plans, etc.
These are usually Compliance/Governance driven. While they generally support better security,
the actual impact is hard to define.
 Network Security Metrics: These are driven by products (firewalls, IDS, etc.). Readily
available and widely used, they give a sense of control. They usually have a level of data
presentation through charts and interfaces. These can be misleading though. Examples are
successful/unsuccessful logons, number of incidents, number of viruses blocked, number of
patches applied, number of spam blocked, number of virus infections, number of port probes,
traffic analysis, etc.
 Software Security Metrics: Software measures are usually troublesome (LOC, FPs, Complexity,
etc.). Metrics are context sensitive, environment-dependent and architecture-dependent.
Examples are size and complexity, defects/LOC, defects (severity, type) over time, cost per
defect, attack surface (# of interfaces), layers of security and design flaws.
 People Security Metrics: These are usually relevant, but unreliable, as people's behavior is
difficult to model. There are biases and non-standard responses that make it difficult to
predict. Examples include associates/contractors that have completed information security
policy training, team size, etc.
 Other

A sample list of metrics is given below. These metrics cover the following business functions:

 Application Security
o Number of Applications
o Percentage of Critical Applications
o Risk Assessment Coverage
o Security Testing Coverage
 Configuration Change Management
o Mean-Time to Complete Changes
o Percent of Changes with Security Review
o Percent of Changes with Security Exceptions
 Financial
o Information Security Budget as % of IT Budget
o Information Security Budget Allocation
 Incident Management
o Mean-Time to Incident Discovery
o Incident Rate
o Percentage of Incidents Detected by Internal Controls
o Mean-Time Between Security Incidents
o Mean-Time to Recovery
 Patch Management
o Patch Policy Compliance
o Patch Management Coverage
o Mean-Time to Patch
 Vulnerability Management
o Vulnerability Scan Coverage
o Percent of Systems Without Known Severe Vulnerabilities
o Mean-Time to Mitigate Vulnerabilities
o Number of Known Vulnerability Instances
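The following Python program is an added example, not part of the handbook, illustrating the distinction drawn in 6.1 between measurements (point-in-time counts) and metrics (analysis of measurements against a baseline and over time), using several of the sample metrics listed in 6.2: mean-time to incident discovery, mean-time to recovery, patch policy compliance, vulnerability scan coverage and percent of systems without known severe vulnerabilities. The incident and host records, the previous-period figures, the baseline targets and all function names are assumptions constructed for the example; a real program would read them from the incident database, patch manager and vulnerability scanner.

```python
"""Security metrics derived from raw measurements (added example, not handbook code).

Constructed incident and host records are the measurements; the functions below
derive sample metrics from them, compare each against a baseline so that
variances can be escalated, and compute the change since the previous period.
Record layout, sample values and baseline targets are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class Incident:
    occurred: datetime    # when the compromise began (established by forensics)
    discovered: datetime  # when the security team first learned of it
    recovered: datetime   # when affected services were restored


@dataclass(frozen=True)
class Host:
    name: str
    patches_past_deadline: int  # patches still missing after the policy deadline
    scanned_this_period: bool   # covered by a vulnerability scan this period
    severe_vulns: int           # open vulnerabilities rated high or critical


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample measurements for one monthly reporting period.
INCIDENTS = [
    Incident(_ts("2015-03-02 09:00"), _ts("2015-03-03 09:00"), _ts("2015-03-03 15:00")),
    Incident(_ts("2015-03-10 12:00"), _ts("2015-03-12 12:00"), _ts("2015-03-13 00:00")),
    Incident(_ts("2015-03-20 08:00"), _ts("2015-03-20 20:00"), _ts("2015-03-21 02:00")),
]
HOSTS = [
    Host("web-01", 0, True, 0),
    Host("web-02", 2, True, 1),
    Host("db-01", 0, True, 0),
    Host("app-01", 1, False, 0),
    Host("app-02", 0, True, 2),
]

# Assumed baseline per metric: (target value, whether "lower" or "higher" is better).
BASELINES = {
    "mean_time_to_discovery_hours": (24.0, "lower"),
    "mean_time_to_recovery_hours": (8.0, "lower"),
    "patch_policy_compliance_pct": (90.0, "higher"),
    "vulnerability_scan_coverage_pct": (95.0, "higher"),
    "hosts_without_severe_vulns_pct": (85.0, "higher"),
}


def _mean_hours(incidents, start_field, end_field):
    """Average elapsed hours between two incident timestamps, over all incidents."""
    return mean(
        (getattr(i, end_field) - getattr(i, start_field)).total_seconds() / 3600
        for i in incidents
    )


def _percent(count, total):
    return round(100.0 * count / total, 1) if total else 0.0


def compute_metrics(incidents, hosts):
    """Turn the raw measurements into metrics for the reporting period."""
    n = len(hosts)
    return {
        "mean_time_to_discovery_hours": round(_mean_hours(incidents, "occurred", "discovered"), 1),
        "mean_time_to_recovery_hours": round(_mean_hours(incidents, "discovered", "recovered"), 1),
        "patch_policy_compliance_pct": _percent(sum(h.patches_past_deadline == 0 for h in hosts), n),
        "vulnerability_scan_coverage_pct": _percent(sum(h.scanned_this_period for h in hosts), n),
        "hosts_without_severe_vulns_pct": _percent(sum(h.severe_vulns == 0 for h in hosts), n),
    }


def variances(metrics, baselines=BASELINES):
    """Metrics that miss their baseline, mapped to (actual, target) for escalation."""
    missed = {}
    for name, value in metrics.items():
        target, better = baselines[name]
        within = value <= target if better == "lower" else value >= target
        if not within:
            missed[name] = (value, target)
    return missed


def trend(current, previous):
    """Change in each metric since the previous period (positive means it rose)."""
    return {name: round(current[name] - previous[name], 1) for name in current}


if __name__ == "__main__":
    current = compute_metrics(INCIDENTS, HOSTS)
    # Constructed figures for the previous period, to show the time dimension of a metric.
    previous = {"mean_time_to_discovery_hours": 36.0, "mean_time_to_recovery_hours": 10.0,
                "patch_policy_compliance_pct": 55.0, "vulnerability_scan_coverage_pct": 80.0,
                "hosts_without_severe_vulns_pct": 70.0}
    change = trend(current, previous)
    for name, value in current.items():
        print(f"{name}: {value} (change since last period {change[name]:+})")
    for name, (actual, target) in variances(current).items():
        print(f"ACTION: {name} = {actual}, baseline {target}")
```

Note how the same raw counts yield a metric only once a baseline and a second period are attached: the 28-hour mean time to discovery is a measurement; "28 hours, above the 24-hour target but down from 36 last period" is the metric a manager can act on. The direction flag in BASELINES matters because the sample metrics mix "lower is better" durations with "higher is better" percentages.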


6.3 Using Security Metrics

Using security metrics involves data acquisition. This may be automated or manually
collected. Data collection automation depends on the availability of data from automated
sources versus the availability of data from people. Manual data collection involves
developing questionnaires and conducting interviews and surveys with the organization’s
staff.

 More useful data becomes available from semi-automated and automated data sources, such as
self-assessment tools, certification and accreditation (C&A) databases, incident reporting
and response databases, and other data sources as a security program matures.
 Metrics data collection is fully automated when all data is gathered by using automated
data sources without human involvement or intervention.

6.4 Developing the Metrics Process

At a high level, the steps for establishing a metrics program are:

o Define goals and objectives
o Determine information goals
o Develop metrics models
o Determine metrics reporting format and schedule
o Implement metrics
o Set benchmarks and targets
o Establish a formal review cycle


6.5 Metrics and Reporting


There are a number of challenges often encountered in organizations that are about to implement or are already in the process of implementing an ISMP. A number of challenges commonly arise from the stakeholders' misconceptions and erroneous expectations regarding the capability of IS management to deliver metrics (IATAC, 2009); these include:

 Measurement efforts are finite (while in reality a metrics programme is aimed at continual improvement and long term benefits).
 Data for metrics support is readily accessible and conducive to measurement (in many cases, depending on the IS management's maturity, size and structure of the organization, et cetera, this may not be so and changes to the existing data collection and analysis processes may have to be made, especially toward higher levels of standardization, to make metrics effective and efficient).
 Metrics provide quick returns (this again depends on factors such as maturity of IS management; expecting business impact metrics from an ISMS that does not have the capability to effectively provide them is unrealistic, for instance).
 Metrics can be automated easily/rapidly (attempting to automate measures that have not yet been thoroughly tested and proven to be effective can be ultimately counterproductive).
 Measures should help ensure maximum ROI (while not unreasonable per se, this often receives a high priority at the expense of the other facets of measurement, which get neglected and, once again, the capability of IS management to deliver on these expectations is not always fully considered).

The lack of consensus definitions and vocabulary, and of a broadly accepted model for mapping IS metrics to organizational structure and clearly illustrating how the lower level metrics can roll up into the higher level ones in a meaningful way, can possibly contribute to this problem (although, based on the information presented in earlier chapters of the report, it can be recognized that efforts are being made to rectify these issues). Without a good model or methodology for rolling up quantitative measures, security professionals often struggle to find a compromise between reporting methods that are too technical for the senior management and ones that impair the utility of a metric due to oversimplification.

The frequency of reports depends on organizational norms, the volume and gravity of information available, and management requirements. Regular reporting periods may vary from daily or weekly to monthly, quarterly, six-monthly or annual. The latter ones are more likely to identify and discuss trends and strategic issues, and to include status reports on security-relevant development projects, information security initiatives and so forth; in other words, they provide the context to make sense of the numbers.


Here are some options for your consideration:

An annual, highly-confidential Information Security Report for the CEO, the Board and
other senior management (including Internal Audit). This report might include
commentary on the success or otherwise of specific security investments. A forward-
looking section can help to set the scene for planned future investments, and is a good
opportunity to point out the ever changing legal and regulatory environment and the
corresponding personal liabilities on senior managers.

Quarterly status reports to the most senior body directly responsible for information
security, physical security, risk and/or governance. Traffic light status reports are
common and KPIs may be required, but the Information Security Manager’s
commentary (supplemented or endorsed by that of the CTO/CIO) is a good value add.

Monthly reports to the CTO/CIO, listing projects participated in and security incidents,
along with their monetary value (the financial impacts do not need to be precisely
accurate, they are used to indicate the scale of losses).


6.6 Designing information security measurement systems


In order to design an information security measurement system one has to ask the following fundamental questions.

1. What are we going to measure?

Identifying the right metrics matters: we shouldn't implement a measurement process if we don't intend to follow it routinely and systematically - we need repeatable and reliable measures; we shouldn't capture data that we don't intend to analyse, that is simply an avoidable cost. We shouldn't analyse data if we don't intend to make practical use of the results.

2. How will we measure things?

Where will the data come from and where will they be stored? If the source information is not already captured and available, there will be a need to put in place the processes to gather it. This in turn raises the issue of who will capture the data. Will it be centralized or will we distribute the data collection processes? If departments and functions outside central control are reporting, how far can they be trusted not to manipulate the figures? Will they meet deadlines and formatting requirements? How much data gathering and reporting can be automated?

3. How will we report?

What do senior management actually want? To get senior management buy-in it is important to discuss the purpose and outputs with managers and peers. Provide alternative formats initially to assess their preference. It may be required to report differently from other functions in the organization, using different presentation formats as well as different content. Managers are likely to feel more comfortable with conventional management reports, so look at a range of sample reports to pick out the style cues.

4. How should we implement our reporting system?

When developing metrics, it's worth testing out the feasibility and effectiveness of the measurement processes and the usefulness of chosen metrics on a limited scale before rolling them out across the entire corporation. Pilot studies or trials are useful ways to iron out any glitches in the processes for collecting and analysing metrics, and for deciding whether the metrics are truly indicative of what you are trying to measure.

Even after the initial trial period, continuous feedback on the metrics can help to refine the measurement system. Changes in both the organization and the information security risks it faces mean that some metrics are likely to become outdated over time.

5. Setting targets

Measuring and reporting leads to the identification and benchmarking of Key Performance Indicators (KPIs) and then tracking measures to evaluate performance.

Before publishing the chosen metrics it is important to figure out which ones would truly indicate making progress towards the organization's information security goals.

UNIT VII
Risk Assessment

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
7.1. Risk Overview
7.2. Risk Identification
7.3. Risk Analysis
7.4. Risk Treatment
7.5. Risk Management Feedback Loops
7.6. Risk Monitoring


LESSON PLAN

Performance Outcomes | Ensuring Measures | Duration (Hrs) | Work Environment / Lab Requirement

Performance Outcomes:
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
PC11. comply with your organization's policies, standards, procedures and guidelines when contributing to managing information security
Ensuring Measures: 1.
Duration: 4 hrs
Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security

Performance Outcomes:
You must know and understand:
KA6. how to carry out information security assessments
KA13. standard tools and templates available and how to use these
KB4. how to identify and resolve information security vulnerabilities and issues etc., and understand various methodologies and usage of algorithms
Ensuring Measures:
KA6, KA7, KA8. Peer review with faculty with appropriate feedback.
KA13. Creation of templates based on the learnings.
KB1 – KB4. Going through the security standards over the Internet by visiting sites like ISO, PCI DSS.
Duration: 4 hrs
Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security


Suggested Learning Activities


Activity 1:

The students should be encouraged to research various risks for their institute in the area of
information security. They should prepare a process report highlighting their approach
towards identifying risk, recording, monitoring, analysing and treating risk. The approach
should be shared with the faculty and the report should be submitted for evaluation. The
student or group which addresses a risk effectively especially instigating a real change in
practices, policy, etc. should be recognised and applauded by the faculty.


Training Resource Material


7.1 Risk Overview
Risk: A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through pre-emptive action.

Risk assessments, whether they pertain to information security or other types of risk, are a means of providing decision makers with information needed to understand factors that can negatively influence operations and outcomes and make informed judgments concerning the extent of actions needed to reduce risk.

As reliance on computer systems and electronic data has grown, information security risk has joined the array of risks that governments and businesses must manage. Regardless of the types of risk being considered, all risk assessments generally include the following elements:

 Identifying threats that could harm and, thus, adversely affect critical operations and assets. Threats include such things as intruders, criminals, disgruntled employees, terrorists, and natural disasters.
 Estimating the likelihood that such threats will materialize based on historical information and judgment of knowledgeable individuals.
 Identifying and ranking the value, sensitivity, and criticality of the operations and assets that could be affected should a threat materialize in order to determine which operations and assets are the most important.
 Estimating, for the most critical and sensitive assets and operations, the potential losses or damage that could occur if a threat materializes, including recovery costs.
 Identifying cost-effective actions to mitigate or reduce the risk. These actions can include implementing new organizational policies and procedures as well as technical or physical controls.
 Documenting the results and developing an action plan.

There are various models and methods for assessing risk, and the extent of an analysis and the resources expended can vary depending on the scope of the assessment and the availability of reliable data on risk factors. In addition, the availability of data can affect the extent to which risk assessment results can be reliably quantified.

A quantitative approach generally estimates the monetary cost of risk and risk reduction techniques based on

(1) the likelihood that a damaging event will occur,
(2) the costs of potential losses, and
(3) the costs of mitigating actions that could be taken.

When reliable data on likelihood and costs are not available, a qualitative approach can be taken by defining risk in more subjective and general terms such as high, medium, and low. In this regard, qualitative assessments depend more on the expertise, experience, and judgment of those conducting the assessment. It is also possible to use a combination of quantitative and qualitative methods.


7.2 Risk Identification

Risk identification is the process of determining risks that could potentially prevent the program, enterprise, or investment from achieving its objectives. It includes documenting and communicating the concern. The objective of risk identification is the early and continuous identification of events that, if they occur, will have negative impacts on the project's ability to achieve performance or capability outcome goals. They may come from within the project or from external sources.

There are multiple types of risk assessments, including program risk assessments, risk assessments to support an investment decision, analysis of alternatives, and assessments of operational or cost uncertainty. Risk identification needs to match the type of assessment required to support risk-informed decision making. For an acquisition program, the first step is to identify the program goals and objectives, thus fostering a common understanding across the team of what is needed for program success. This gives context and bounds the scope by which risks are identified and assessed.

There are multiple sources of risk. For risk identification, the project team should review the program scope, cost estimates, schedule (to include evaluation of the critical path), technical maturity, key performance parameters, performance challenges, stakeholder expectations vs. current plan, external and internal dependencies, implementation challenges, integration, interoperability, supportability, supply-chain vulnerabilities, ability to handle threats, cost deviations, test event expectations, safety, security, and more. In addition, historical data from similar projects, stakeholder interviews, and risk lists provide valuable insight into areas for consideration of risk.

Risk identification is an iterative process. As the program progresses, more information will be gained about the program (e.g., specific design), and the risk statement will be adjusted to reflect the current understanding. New risks will be identified as the project progresses through the life cycle.


7.3 Risk Analysis

Risk analysis, the next step in the risk assessment program, requires an entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected information held by the entity.

In other words, risk analysis, which is a tool for risk management, is a method of identifying vulnerabilities and threats, and assessing the possible damage to determine where to implement security safeguards.

Risk analysis steps:


 Identify the scope of the analysis.

 Gather data.

 Identify and document potential threats and vulnerabilities.

 Assess current security measures.

 Determine the likelihood of threat occurrence.

 Determine the potential impact of threat occurrence.

 Determine the level of risk.

 Identify security measures and finalize documentation.

A risk analysis has four main goals:


 Identify assets and their values
 Identify vulnerabilities and threats
 Quantify the probability and business impact of these potential threats
 Provide an economic balance between the impact of the threat and the cost of the
countermeasure


7.4 Risk Evaluation


The risk evaluation process receives as input the output of the risk analysis process. It compares each risk level against the risk acceptance criteria and prioritises the risk list with risk treatment indications.

7.5 Risk Treatment

Risk treatment efforts should be undertaken to mitigate identified risks, using appropriate administrative, technical and physical controls. Controls include:

 applying appropriate controls to avoid, eliminate or reduce risks;
 transferring some risks to third parties as appropriate (e.g., by insurance);
 knowingly and objectively accepting some risks; and
 documenting the risk treatment choices made, and the reasons for them.

Risk treatments should take account of:

 legal-regulatory and private certificatory requirements;
 organizational objectives, operational requirements and constraints; and
 costs of implementation and operation relative to risks being reduced.

Risk treatment strategies include:

 Risk reduction

Taking the mitigation steps necessary to reduce the overall risk to an asset. Often this will include selecting countermeasures that will either reduce the likelihood of occurrence or reduce the severity of loss, or achieve both objectives at the same time. Countermeasures can include technical or operational controls or changes to the physical environment. For example, the risk of computer viruses can be mitigated by acquiring and implementing antivirus software. When evaluating the strength of a control, consideration should be given to whether the controls are preventative or detective. The remaining level of risk after the controls/countermeasures have been applied is often referred to as "residual risk." An organization may choose to undergo a further cycle of risk treatment to address this.


 Risk sharing/transference

The organization shares its risk with third parties through insurance and/or service providers. Insurance is a post-event compensatory mechanism used to reduce the burden of loss if the event were to occur. Transference is the shifting of risk from one party to another. For example, when hard-copy documents are moved offsite for storage at a secure-storage vendor location, the responsibility and costs associated with protecting the data transfers to the service provider. The cost of storage may include compensation (insurance) if documents are damaged, lost, or stolen.

 Risk avoidance

The practice of eliminating the risk by withdrawing from or not becoming involved in the activity that allows the risk to be realized. For example, an organization decides to discontinue a business process in order to avoid a situation that exposes the organization to risk.

 Risk acceptance

An organization decides to accept a particular risk because it falls within its risk-tolerance parameters and therefore agrees to accept the cost when it occurs. Risk acceptance is a viable strategy where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are accepted by default.
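The quantitative approach of 7.1 (likelihood of a damaging event, cost of potential losses, cost of mitigating actions), the risk-level determination of 7.3, the comparison against acceptance criteria in 7.4 and the treatment strategies of 7.5 can all be carried through on one small risk register. The Python block below is an added example, not code from the handbook or from NASSCOM. Every figure in REGISTER is constructed; the decision rule in recommend_treatment (accept within the threshold, reduce when a countermeasure's net benefit is positive, otherwise escalate for transfer or avoidance) and the qualitative thresholds in qualitative_level are this example's own assumptions, not rules stated by the handbook.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not from the handbook: a minimal risk register that applies the
# quantitative approach (likelihood x loss versus the cost of mitigation), a
# qualitative high/medium/low rating, evaluation against an acceptance threshold
# and a treatment recommendation. All amounts and factors are constructed.

@dataclass
class Countermeasure:
    name: str
    annual_cost: float        # cost of the mitigating action per year
    likelihood_factor: float  # residual likelihood = likelihood * factor (1.0 = unchanged)
    impact_factor: float      # residual loss = loss * factor (1.0 = unchanged)

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float         # annual probability that the damaging event occurs
    loss: float               # cost of potential losses, including recovery
    countermeasures: List[Countermeasure] = field(default_factory=list)

def expected_annual_loss(likelihood: float, loss: float) -> float:
    """Quantitative risk: likelihood of the damaging event times the cost of the loss."""
    return round(likelihood * loss, 2)

def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Annual loss avoided by the countermeasure minus its annual cost (negative = not worth it)."""
    before = expected_annual_loss(risk.likelihood, risk.loss)
    after = expected_annual_loss(risk.likelihood * cm.likelihood_factor,
                                 risk.loss * cm.impact_factor)
    return round(before - after - cm.annual_cost, 2)

def best_countermeasure(risk: Risk) -> Optional[Countermeasure]:
    """The cost-effective countermeasure with the largest net benefit, or None if none pays off."""
    scored = [(net_benefit(risk, cm), cm) for cm in risk.countermeasures]
    scored = [(b, cm) for b, cm in scored if b > 0]
    return max(scored, key=lambda bc: bc[0])[1] if scored else None

def qualitative_level(likelihood_rating: int, impact_rating: int) -> str:
    """Qualitative fallback when reliable figures are missing: ratings 1..3 each.
    The thresholds (product >= 6 high, >= 3 medium) are this example's own choice."""
    score = likelihood_rating * impact_rating
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"

def recommend_treatment(risk: Risk, acceptance_threshold: float) -> str:
    """Evaluation and treatment: accept within tolerance, reduce when a countermeasure
    pays for itself, otherwise escalate the decision to transfer or avoid the risk."""
    if expected_annual_loss(risk.likelihood, risk.loss) <= acceptance_threshold:
        return "accept"
    cm = best_countermeasure(risk)
    if cm is not None:
        return f"reduce via {cm.name}"
    return "transfer or avoid"

# Constructed register entries (hypothetical assets, threats and amounts).
REGISTER: List[Risk] = [
    Risk("customer database", "malware outbreak", 0.4, 250_000, [
        Countermeasure("endpoint antivirus", 15_000, 0.25, 1.0),
        Countermeasure("offline backups", 8_000, 1.0, 0.2),
    ]),
    Risk("archived paper records", "fire at storage site", 0.02, 50_000),
    Risk("legacy payment gateway", "transaction fraud", 0.3, 400_000, [
        Countermeasure("full rewrite", 150_000, 0.2, 1.0),
    ]),
]

def register_report(risks: List[Risk], acceptance_threshold: float) -> List[dict]:
    """One row per risk: exposure, the best countermeasure and the treatment decision."""
    rows = []
    for r in risks:
        cm = best_countermeasure(r)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "expected_annual_loss": expected_annual_loss(r.likelihood, r.loss),
            "best_countermeasure": cm.name if cm else None,
            "net_benefit": net_benefit(r, cm) if cm else 0.0,
            "treatment": recommend_treatment(r, acceptance_threshold),
        })
    return rows

if __name__ == "__main__":
    for row in register_report(REGISTER, acceptance_threshold=5_000):
        print(row)
```

Note how the register makes the residual-risk idea concrete: the countermeasure is judged on the expected loss that remains after it is applied, so a cheap control that only shrinks impact (the backups) can beat a pricier one that shrinks likelihood, and a control whose cost exceeds the loss it avoids is never recommended, which is exactly the situation in which transfer or avoidance needs a management decision.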


7.6 Risk Management Feedback Loops

Risk management is a comprehensive process that requires organizations to:

 frame risk (i.e., establish the context for risk-based decisions);
 assess risk;
 respond to risk once determined; and
 monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations.

Risk management is carried out as a holistic, organization wide activity that addresses risk from the strategic level to the tactical level, ensuring that risk based decision making is integrated into every aspect of the organization. The following sections briefly describe each of the four risk management components. The first component of risk management addresses how organizations frame risk or establish a risk context—that is, describing the environment in which risk-based decisions are made. The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions. The risk frame establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations.

Establishing a realistic and credible risk frame requires that organizations identify:

 risk assumptions (e.g., assumptions about the threats, vulnerabilities, consequences/impact, and likelihood of occurrence that affect how risk is assessed, responded to, and monitored over time);
 risk constraints (e.g., constraints on the risk assessment, response, and monitoring alternatives under consideration);
 risk tolerance (e.g., levels of risk, types of risk, and degree of risk uncertainty that are acceptable); and
 priorities and trade-offs (e.g., the relative importance of missions/business functions, trade-offs among different types of risk that organizations face, time frames in which organizations must address risk, and any factors of uncertainty that organizations consider in risk responses).

The risk framing component and the associated risk management strategy also include any strategic-level decisions on how risk to organizational operations and assets, individuals, other organizations, and the Nation, is to be managed by senior leaders/executives.


The second component of risk management addresses how organizations assess risk within the context of the organizational risk frame. The purpose of the risk assessment component is to identify:

 threats to organizations (i.e., operations, assets, or individuals) or threats directed through organizations against other organizations or the Nation;
 vulnerabilities internal and external to organizations;
 the harm (i.e., consequences/impact) to organizations that may occur given the potential for threats exploiting vulnerabilities; and
 the likelihood that harm will occur.

The end result is a determination of risk (i.e., the degree of harm and likelihood of harm occurring).

To support the risk assessment component, organizations identify:

 the tools, techniques, and methodologies that are used to assess risk;
 the assumptions related to risk assessments;
 the constraints that may affect risk assessments;
 roles and responsibilities;
 how risk assessment information is collected, processed, and communicated throughout organizations;
 how risk assessments are conducted within organizations;
 the frequency of risk assessments; and
 how threat information is obtained (i.e., sources and methods).

The third component of risk management addresses how organizations respond to risk once that risk is determined based on the results of risk assessments.

The purpose of the risk response component is to provide a consistent, organization-wide, response to risk in accordance with the organizational risk frame by:

 developing alternative courses of action for responding to risk;
 evaluating the alternative courses of action;
 determining appropriate courses of action consistent with organizational risk tolerance; and
 implementing risk responses based on selected courses of action.

To support the risk response component, organizations describe the types of risk responses that can be implemented (i.e., accepting, avoiding, mitigating, sharing, or transferring risk).

Organizations also identify the tools, techniques, and methodologies used to develop courses of action for responding to risk, how courses of action are evaluated, and how risk responses are communicated across organizations and, as appropriate, to external entities (e.g., external service providers, supply chain partners).

The fourth component of risk management addresses how organizations monitor risk over time. The purpose of the risk monitoring component is to:

 verify that planned risk response measures are implemented and information security requirements derived from/traceable to organizational mission/business functions, federal legislation, directives, regulations, policies, and standards, and guidelines, are satisfied;
 determine the ongoing effectiveness of risk response measures following implementation; and
 identify risk-impacting changes to organizational information systems and the environments in which the systems operate.

To support the risk monitoring component, organizations describe how compliance is verified and how the ongoing effectiveness of risk responses is determined (e.g., the types of tools, techniques, and methodologies used to determine the sufficiency/correctness of risk responses and if risk mitigation measures are implemented correctly, operating as intended, and producing the desired effect with regard to reducing risk). In addition, organizations describe how changes that may impact the ongoing effectiveness of risk responses are monitored.


7.7 Risk Monitoring

Risk monitoring provides organizations with the means to:

 verify compliance;
 determine the ongoing effectiveness of risk response measures; and
 identify risk-impacting changes to organizational information systems and environments of
operation.

Analysing monitoring results gives organizations the capability to maintain awareness of the risk being incurred, highlight the need to revisit other steps in the risk management process, and initiate process improvement activities as needed.

Organizations employ risk monitoring tools, techniques, and procedures to increase risk awareness, helping senior leaders/executives develop a better understanding of the ongoing risk to organizational operations and assets, individuals, other organizations, and the Nation. Organizations can implement risk monitoring at any of the risk management tiers with different objectives and utility of information produced. For example, Tier 1 monitoring activities might include ongoing threat assessments and how changes in the threat space may affect Tier 2 and Tier 3 activities, including enterprise architectures (with embedded information security architectures) and organizational information systems. Tier 2 monitoring activities might include, for example, analyses of new or current technologies either in use or considered for future use by organizations to identify exploitable weaknesses and/or deficiencies in those technologies that may affect mission/business success. Tier 3 monitoring activities focus on information systems and might include, for example, automated monitoring of standard configuration settings for information technology products, vulnerability scanning, and ongoing assessments of security controls. In addition to deciding on appropriate monitoring activities across the risk management tiers, organizations also decide how monitoring is to be conducted (e.g., automated or manual approaches) and the frequency of monitoring activities based on, for example, the frequency with which deployed security controls change, critical items on plans of action and milestones, and risk tolerance.
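The Tier 3 activity named above, automated monitoring of standard configuration settings, comes down to comparing what a host actually reports against an agreed baseline and turning the differences into a report a risk owner can act on. The Python block below is an added example, not code from the handbook or from NASSCOM. The baseline, the sshd_config extract and the severity assigned to each deviation are constructed for illustration; the sshd keywords themselves are real OpenSSH options.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not from the handbook: automated monitoring of standard
# configuration settings against an agreed baseline. The baseline values,
# the observed sshd_config extract and the severities are constructed.

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Baseline: sshd keyword -> (expected value, severity of a deviation).
# Keywords are stored lower-case because sshd treats them case-insensitively.
BASELINE: Dict[str, Tuple[str, str]] = {
    "permitrootlogin": ("no", "high"),
    "passwordauthentication": ("no", "high"),
    "x11forwarding": ("no", "medium"),
    "loglevel": ("verbose", "medium"),
    "maxauthtries": ("4", "low"),
}

# Constructed observed configuration, as a collector would read it from the host.
OBSERVED_SSHD_CONFIG = """\
# sshd_config extract (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 4
"""

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines; comments and blank lines are skipped and the
    first occurrence of a keyword wins, which is how sshd itself reads the file."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings

def compare_to_baseline(observed: Dict[str, str],
                        baseline: Dict[str, Tuple[str, str]] = BASELINE) -> List[dict]:
    """One record per deviation (wrong value, or setting absent), highest severity first."""
    deviations = []
    for key, (expected, severity) in baseline.items():
        actual: Optional[str] = observed.get(key)
        if actual is None or actual.lower() != expected.lower():
            deviations.append({"setting": key, "expected": expected,
                               "actual": actual, "severity": severity})
    deviations.sort(key=lambda d: (SEVERITY_RANK[d["severity"]], d["setting"]))
    return deviations

def compliance_ratio(observed: Dict[str, str],
                     baseline: Dict[str, Tuple[str, str]] = BASELINE) -> float:
    """Share of baseline settings that match: a figure suitable for trend reporting."""
    if not baseline:
        return 1.0
    misses = len(compare_to_baseline(observed, baseline))
    return round(1 - misses / len(baseline), 2)

def has_blocking_deviation(deviations: List[dict]) -> bool:
    """A high-severity deviation warrants a change or incident ticket, not just a report line."""
    return any(d["severity"] == "high" for d in deviations)

if __name__ == "__main__":
    observed = parse_sshd_config(OBSERVED_SSHD_CONFIG)
    found = compare_to_baseline(observed)
    print(f"compliance: {compliance_ratio(observed):.0%}, blocking: {has_blocking_deviation(found)}")
    for d in found:
        print(f"[{d['severity']}] {d['setting']}: expected {d['expected']!r}, got {d['actual']!r}")
```

An absent setting is reported as a deviation rather than silently treated as compliant, because a missing directive means the daemon's compiled-in default applies and the baseline cannot vouch for it. The compliance ratio is the kind of number that feeds the monitoring frequency decision above: a baseline that drifts every week needs more frequent checks than one that stays stable for a quarter.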


UNIT VIII
Configuration review

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
8.1. Configuration Management
8.2. Organisational SecCM Policy
8.3. Identify CM Tools
8.4. Implementing Secure Configurations
8.5. Unauthorised Access to Configuration Stores


LESSON PLAN

Performance Outcomes | Ensuring Measures | Duration (Hrs) | Work Environment / Lab Requirement

Performance Outcomes:
To be competent, you must be able to:
PC4. carry out configuration reviews of information security systems using automated tools, where required
Ensuring Measures:
Performance evaluation from Faculty and Industry with reward points.
QA session and a descriptive write up on understanding.
Duration: 2 hrs
Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Networking Equipment - Routers & Switches
 Firewalls and Access Points
 Access to all security sites like ISO, PCI DSS
 Commercial Tools like HP Web Inspect and IBM AppScan etc.
 Open Source tools like sqlmap, Nessus etc.

Performance Outcomes:
You must know and understand:
KA6. how to carry out information security assessments
KA7. how to carry out configuration reviews
KA9. different types of automation tools and how to use these
Ensuring Measures:
KA6, KA7. Performance evaluation from Faculty and Industry with reward points.
KA9. QA session and a descriptive write up on understanding.
Duration: 4 hrs
Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security


Suggested Learning Activities

Activity 1:

The students should be divided into groups and asked to research configuration
management tools available in the industry. They should compare and categorise these
tools based on their features, area of strengths and limitations. These should be presented
in class for shared understanding.

Activity 2:

Create a group project by interacting with companies that offer CM tools and prepare a
sequential process map of how the tool functions in order to carry out its functions.
Present the same in class, highlighting the functionality and dependencies of the tools.


Training Resource Material


8.1 Configuration Management
An information system is typically in a constant state of change in response to new, enhanced, corrected, or updated hardware and software capabilities, patches for correcting software flaws and other errors to existing components, new security threats, changing business functions, etc. Implementing information system changes almost always results in some adjustment to the system configuration. To ensure that the required adjustments to the system configuration do not adversely affect the security of the information system or the organization from operation of the information system, a well-defined configuration management process that integrates information security is needed.

Organizations apply configuration management (CM) for establishing baselines and for tracking, controlling, and managing many aspects of business development and operation (e.g., products, services, manufacturing, business processes, and information technology). Organizations with a robust and effective CM process need to consider information security implications with respect to the development and operation of information systems including hardware, software, applications, and documentation. Effective CM of information systems requires the integration of the management of secure configurations into the organizational CM process or processes. For this reason, this document assumes that information security is an integral part of an organization's overall CM process; however, the focus of this document is on implementation of the information system security aspects of CM, and as such the term security-focused configuration management (SecCM) is used to emphasize the concentration on information security. Though both IT business application functions and security-focused practices are expected to be integrated as a single process, SecCM in this context is defined as the management and control of configurations for information systems to enable security and facilitate the management of information security risk.

Configuration Management (CM) comprises a collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems.

A Configuration Item (CI) is an identifiable part of a system (e.g., hardware, software, firmware, documentation, or a combination thereof) that is a discrete target of configuration control processes.

A Baseline Configuration is a set of specifications for a system, or CI within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.

The basic parts of a CM Plan include:

Configuration Control Board (CCB) – Establishment of and charter for a group of qualified people with responsibility for the process of controlling and approving changes throughout the development and operational lifecycle of products and

systems; may also be referred to as a change control board;

Configuration Item Identification – methodology for selecting and naming configuration items that need to be placed under CM;

Configuration Change Control – process for managing updates to the baseline configurations for the configuration items; and

Configuration Monitoring – process for assessing or testing the level of compliance with the established baseline configuration and mechanisms for reporting on the configuration status of items placed under CM.

Security-Focused Configuration Management (SecCM) is the management and control of secure configurations for an information system to enable security and facilitate the management of risk. SecCM builds on the general concepts, processes, and activities of configuration management by focusing attention on the implementation and maintenance of the established security requirements of the organization and information systems.

Information security configuration management requirements are integrated into (or complement) existing organizational configuration management processes (e.g., business functions, applications, products) and information systems. SecCM activities include:

 identification and recording of configurations that impact the security posture of the information system and the organization;
 the consideration of security risks in approving the initial configuration;
 the analysis of security implications of changes to the information system configuration; and
 documentation of the approved/implemented changes.

SecCM requires an ongoing investment in time and resources. Product patches, fixes, and updates require time for security impact analysis even as threats and vulnerabilities continue to exist. As changes to information systems are made, baseline configurations are updated, specific configuration settings confirmed, and configuration items tracked, verified, and reported. SecCM is a continuous activity that, once incorporated into IT management processes, touches all stages of the system development life cycle (SDLC).

In the context of SecCM of information systems, a configuration item (CI) is an aggregation of information system components that is designated for configuration management and treated as a single entity throughout the SecCM process. This implies that the CI is identified, labelled, and tracked during its life cycle – the CI is the target of many of the activities within SecCM, such as configuration change control and monitoring activities. A CI may be a specific information system component (e.g., server, workstation, router, application), a group of information system components (e.g., group of servers with like operating systems, group of network components such as routers and switches, an application or suite of applications), a non-component object (e.g., firmware, documentation), or an information system as a whole. CIs give organizations a way to decompose the information system into manageable parts whose configurations can be actively managed.

The purpose of breaking up an information system into CIs is to allow more granularity and control in managing the secure configuration of the system. The level of

granularity will vary among organizations and systems and is balanced against the associated management overhead for each CI. In one organization, it may be appropriate to create a single CI to track all of the laptops within a system, while in another organization, each laptop may represent an individual CI.

Baseline configuration

A baseline configuration is a set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.

Security-focused configuration management of information systems involves a set of activities that can be organized into four major phases – Planning, Identifying and Implementing Configurations, Controlling Configuration Changes, and Monitoring.

Planning - Planning includes developing policy and procedures to incorporate SecCM into existing information technology and security programs, and then disseminating the policy throughout the organization.

Identifying and implementing configurations - After the planning and preparation activities are completed, a secure baseline configuration for the information system is developed, reviewed, approved, and implemented. The approved baseline configuration for an information system and associated components represents the most secure state consistent with operational requirements and constraints. For a typical information system, the secure baseline may address configuration settings, software loads, patch levels, how the information system is physically or logically arranged, how various security controls are implemented, and documentation. Where possible, automation is used to enable interoperability of tools and uniformity of baseline configurations across the information system.

Controlling configuration changes - Given the continually evolving nature of an information system and the mission it supports, the challenge for organizations is not only to establish an initial baseline configuration that represents a secure state (which is also cost-effective, functional, and supportive of mission and business processes), but also to maintain a secure configuration in the face of the significant waves of change that ripple through organizations.

Monitoring

Monitoring activities are used as the mechanism within SecCM to validate that the information system is adhering to organizational policies, procedures, and the approved secure baseline configuration. Monitoring identifies undiscovered/undocumented system components, misconfigurations, vulnerabilities, and unauthorized changes, all of which, if not addressed, can expose organizations to increased risk. Using automated tools helps organizations to efficiently identify when the information system is not consistent with the approved baseline configuration and when remediation actions are necessary. In addition, the use of automated tools often facilitates situational awareness and the documentation of deviations from the baseline configuration.

8.2 Organizational SecCM Policy

The organization is typically responsible for defining documented policies for the SecCM program. The SecCM program manager develops, disseminates, and periodically reviews and updates the SecCM policies for the organization. The policies are included as a part of the overall organization-wide security policy.

The SecCM policy normally includes the following:

1. Purpose – the objective(s) in establishing organization-wide SecCM policy;
2. Scope – the extent of the enterprise architecture to which the policy applies;
3. Roles – the roles that are significant within the context of the policy;
4. Responsibilities – the responsibilities of each identified role;
5. Activities – the functions that are performed to meet policy objectives;
6. Common secure configurations – federal and/or organization-wide standardized benchmarks for configuration settings along with how to address deviations; and
7. Records – the records of configuration management activities to be maintained; the information to be included in each type of record; who is responsible for writing/keeping the records; and procedures for protecting, accessing, auditing, and ultimately deleting such records.

The SecCM policy may also address the following topics:

 SecCM training requirements;
 Use of SecCM templates;
 Use of automated tools;
 Prohibited configuration settings; and
 Requirements for inventory of information systems and components.

SecCM Training

SecCM is a fundamental part of an organizational security program, but often requires a change in organizational culture. Staff is provided training to ensure their understanding of SecCM policies and procedures. Training also provides a venue for management to communicate the reasons why SecCM is important. SecCM training material is developed covering organizational policies, procedures, tools, artefacts, and monitoring requirements. The training may be mandatory or optional as appropriate and is targeted to relevant staff (e.g., system administrators, system/software developers, system security officers, system owners, etc.) as necessary to ensure that staff has the skills to manage the baseline configurations in accordance with organizational policy.

8.3 Identify SecCM Tools


Managing the myriad configurations found within information system components has become an almost impossible task using manual methods like spreadsheets. When possible, organizations look for automated solutions which, in the long run, can lower costs, enhance efficiency, and improve the reliability of SecCM efforts.

In most cases, tools to support activities in SecCM phases two, three, and four are selected for use across the organization by SecCM program management, and information system owners are responsible for applying the tools to the SecCM activities performed on each information system. Similarly, tools and mechanisms for inventory reporting and management may be provided to information system owners by the organization. In accordance with federal government and organizational policy, if automated tools are used, the tools are Security Content Automation Protocol (SCAP)-validated to the extent that such tools are available.

There are a wide variety of configuration management tools available to support an organization’s SecCM program. At a minimum, the organization considers tools that can automatically assess configuration settings of IS components. Automated tools should be able to scan different information system components (e.g., Web server, database server, network devices, etc.) running different operating systems, identify the current configuration settings, and indicate where they are noncompliant with policy. Such tools import settings from one or more common secure configurations and then allow for tailoring the configurations to the organization’s security and mission/functional requirements.

Tools that implement and/or assess configuration settings are evaluated to determine whether they include requirements such as:

• Ability to pull information from a variety of sources (different types of components, different operating systems, different platforms, etc.);
• Use of standardized specifications such as XML and SCAP;
• Integration with other products such as help desk, inventory management, and incident response solutions;
• Vendor-provided support (patches, updated vulnerability signatures, etc.);
• Compliance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines, and linking of vulnerabilities to SP 800-53 controls;
• Standardized reporting capability (e.g. SCAP, XML) including ability to tailor output & drill down;
• Data consolidation into Security Information and Event Management (SIEM) tools and dashboard products.

Organizations may consider implementation of an all-in-one solution for configuration management. For example, various configuration management functions are included in products for managing IT servers, workstations, desktops, and services provided by applications. These products may include functions such as:

o Inventory/discovery of IS components;
o Software distribution;

o Patch management;
o Operating system deployment;
o Policy management;
o Migration to new baseline configuration; and
o Backup/recovery.

8.4 Implementing secure configurations

Implementing secure configurations for IT products is no simple task. There are many IT products, and each has a myriad of possible parameters that can be configured. In addition, organizations have mission and business process needs which may require that IT products be configured in a particular manner. To further complicate matters, for some products, the configuration settings of the underlying platform may need to be modified to allow for the functionality required for mission accomplishment such that they deviate from the approved common secure configurations.
Using the secure configuration previously established as a starting point, the following
structured approach is recommended when implementing the secure configuration:

1) Prioritize Configurations
2) Test Configurations
3) Resolve Issues and Document Deviations
4) Record and Approve the Baseline Configuration
5) Deploy the Baseline Configuration

i. Prioritize Configurations

In the ideal environment, all IT products within an organization would be configured to the most secure state that still provided the functionality required by the organization. However, due to limited resources and other constraints, many organizations may find it necessary to prioritize which information systems, IT products, or CIs to target first for secure configuration as they implement SecCM.

In determining the priorities for implementing secure configurations in information systems, IT products, or CIs, organizations consider the following criteria:

• System impact level – Implementing secure configurations in information systems with a high or moderate security impact level may have priority over information systems with a low security impact level.
• Risk assessments – Risk assessments can be used to target information systems, IT products, or CIs having the most impact on security and organizational risk.
• Vulnerability scanning – Vulnerability scans can be used to target information systems, IT products, or CIs that are most vulnerable. For example, the Common Vulnerability Scoring System (CVSS) is a specification within SCAP that provides an open framework for communicating the characteristics of software flaw vulnerabilities and in calculating their relative severity. CVSS scores can be used to help prioritize configuration and patching activities.
• Degree of penetration – The degree of penetration represents the extent to

which the same product is deployed within an information technology environment. For example, if an organization uses a specific operating system on 95 percent of its workstations, it may obtain the most immediate value by planning and deploying secure configurations for that operating system. Other IT products or CIs can be targeted afterwards.

ii. Test Configurations

Organizations fully test secure configurations prior to implementation in the production environment. There are a number of issues that may be encountered when implementing configurations including software compatibility and hardware device driver issues. For example, there may be legacy applications with special operating requirements that do not function correctly after a common secure configuration has been applied. Additionally, configuration errors could occur if OS and multiple application configurations are applied to the same component. For example, a setting for an application configuration parameter may conflict with a similar setting for an OS configuration parameter.

Virtual environments are recommended for testing secure configurations as they allow organizations to examine the functional impact on applications without having to configure actual machines.

iii. Resolve Issues and Document Deviations

Testing secure configuration implementations may introduce functional problems within the system or applications. For example, the new secure configuration may close a port or stop a service that is needed for OS or application functionality. These problems are examined individually and either resolved or documented as a deviation from, or exception to, the established common secure configurations.

In some cases, changing one configuration setting may require changes to another setting, another CI, or another information system. For instance, a common secure configuration may specify strengthened password requirements which may require a change to existing single sign-on applications. Or there may be a requirement that the OS-provided firewall be enabled by default. To ensure that applications function as expected, the firewall policy may need to be revised to allow specific ports, services, IP addresses, etc. When conflicts between applications and secure configurations cannot be resolved, deviations are documented and approved through the configuration change control process as appropriate.

iv. Record and Approve the Baseline Configuration

The established and tested secure configuration, including any necessary deviations, represents the preliminary baseline configuration and is recorded in order to support configuration change control/security impact analysis, incident resolution, problem solving, and monitoring activities. Once recorded, the preliminary baseline configuration is approved in accordance with organizationally defined policy. Once approved, the preliminary baseline configuration becomes the initial baseline configuration for the information system and its constituent CIs.

The baseline configuration of an information system includes the sum total of the secure configurations of its constituent CIs and represents the system-specific configuration against which all changes are controlled.
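To make steps iii and iv concrete, here is an added example (not from the handbook or from NIST SP 800-128) of a recorded baseline for one CI, carrying an approved deviation, compared against the observed state of that CI the way a monitoring scan would, together with an inventory check for components the scan finds but the CI inventory does not list. The CI name, setting names, patch levels, package names and change ticket are all constructed.

```python
"""Baseline-versus-actual check for a Configuration Item (CI).

Added example, not from the handbook or from NIST SP 800-128. The CI name,
setting names, patch levels, software load and change ticket below are
constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """Recorded baseline for one CI (step iv): settings, patch level and
    software load, plus deviations approved through change control (step iii).
    approved_deviations maps setting name -> (approved value, change ticket)."""
    ci: str
    settings: dict
    patch_level: str
    software_load: set
    approved_deviations: dict = field(default_factory=dict)


@dataclass
class Finding:
    """One disparity between the baseline and the observed state."""
    ci: str
    kind: str        # "setting", "patch", "software" or "inventory"
    item: str
    expected: object
    actual: object


def check_ci(baseline, actual):
    """Compare the observed state of a CI against its recorded baseline.

    An approved, documented deviation is not drift. Any other difference
    (changed setting, unlisted setting, patch level, software added or
    removed) is reported as an unauthorized change.
    """
    findings = []
    expected = dict(baseline.settings)
    for name, (value, _ticket) in baseline.approved_deviations.items():
        expected[name] = value
    for name, want in expected.items():
        got = actual["settings"].get(name)
        if got != want:
            findings.append(Finding(baseline.ci, "setting", name, want, got))
    for name in sorted(set(actual["settings"]) - set(expected)):
        findings.append(Finding(baseline.ci, "setting", name, None,
                                actual["settings"][name]))
    if actual["patch_level"] != baseline.patch_level:
        findings.append(Finding(baseline.ci, "patch", "patch_level",
                                baseline.patch_level, actual["patch_level"]))
    for pkg in sorted(set(actual["software_load"]) ^ baseline.software_load):
        findings.append(Finding(baseline.ci, "software", pkg,
                                pkg in baseline.software_load,
                                pkg in actual["software_load"]))
    return findings


def check_inventory(inventory, discovered):
    """Components found by a discovery scan but absent from the CI inventory."""
    return [Finding(host, "inventory", host, "in inventory", "not in inventory")
            for host in sorted(set(discovered) - set(inventory))]


def run_example():
    """Constructed scenario mirroring the handbook's examples: a password
    setting relaxed by an approved deviation (SSO compatibility), a patch
    applied without updating the baseline, a newly installed tool that
    disabled the firewall, and a test firewall left on the network."""
    baseline = Baseline(
        ci="web-srv-01",
        settings={"firewall_enabled": True, "min_password_length": 14,
                  "telnet_service": "disabled"},
        patch_level="2015-06",
        software_load={"httpd", "openssl"},
        approved_deviations={"min_password_length": (12, "CR-0042")},
    )
    actual = {
        "settings": {"firewall_enabled": False, "min_password_length": 12,
                     "telnet_service": "disabled"},
        "patch_level": "2015-07",
        "software_load": {"httpd", "openssl", "new-tool"},
    }
    inventory = {"web-srv-01", "db-srv-01"}
    discovered = {"web-srv-01", "db-srv-01", "fw-test-01"}
    return check_ci(baseline, actual), check_inventory(inventory, discovered)


if __name__ == "__main__":
    drift, unknown = run_example()
    for f in drift + unknown:
        print("%s %-9s %-20s expected=%r actual=%r"
              % (f.ci, f.kind, f.item, f.expected, f.actual))
```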

The baseline configuration may include, as applicable, information regarding the system architecture, the interconnection of hardware components, secure configuration settings of software components, the software load, supporting documentation, and the elements in a release package. There could be a different baseline configuration for each life cycle stage (development, test, staging, production) of the information system.

When possible, organizations employ automated tools to support the management of baseline configurations and to keep the configuration information as up to date and near real time as possible. There are a number of solutions which maintain baseline configurations for a wide variety of hardware and software products. Some comprehensive SecCM solutions integrate the maintenance of baseline configurations with component inventory and monitoring tools.

v. Deploy the Baseline Configuration

Organizations are encouraged to implement baseline configurations in a centralized and automated manner using automated configuration management tools, automated scripts, vendor-provided mechanisms, etc.

SecCM monitoring is accomplished through assessment and reporting activities. For organizations with a large number of components, the only practical and effective solution for SecCM monitoring activities is the use of automated solutions that use standardized reporting methods such as SCAP.

An information system may have many components and many baseline configurations. To manually collect information on the configuration of all components and assess them against policy and approved baseline configurations is not practical, or even possible, in most cases. Automated tools can also facilitate reporting for Security Information and Event Management applications that can be accessed by management and/or formatted into other reports on baseline configuration status. Care is exercised in collecting and analysing the results generated by automated tools to account for any false positives.

SecCM monitoring may be supported by numerous means, including, but not limited to:

• Scanning to discover components not recorded in the inventory. For example, after testing of a new firewall, a technician forgets to remove it from the network. If it is not properly configured, it may provide access to the network for intruders. A scan would identify this network device as not a part of the inventory, enabling the organization to take action.
• Scanning to identify disparities between the approved baseline configuration and the actual configuration for an information system.

Example I. A technician rolls out a new patch but forgets to update the baseline configurations of the information systems impacted by the new patch. A scan would identify a difference between the actual environment and the description in the baseline configuration enabling the organization to take action.

Example II. A new tool is installed on the workstations of a few end users of the information system. During installation, the tool changes a number of configuration settings in the browser on the users’ workstations, exposing them to attack. A scan would identify the change in the

workstation configuration, allowing the appropriate individuals to take action.

• Implementation of automated change monitoring tools (e.g., change/configuration management tools, application whitelisting tools). Unauthorized changes to information systems may be an indication that the systems are under attack or that SecCM procedures are not being followed or need updating. Automated tools are available that monitor information systems for changes and alert system staff if unauthorized changes occur or are attempted.
• Querying audit records/log monitoring to identify unauthorized change events.
• Running system integrity checks to verify that baseline configurations have not been changed.
• Reviewing configuration change control records (including system impact analyses) to verify conformance with SecCM policy and procedures.

When possible, organizations seek to normalize data to describe their information system in order that the various outputs from monitoring can be combined, correlated, analysed, and reported in a consistent manner. SCAP provides a common language for describing vulnerabilities, misconfigurations, and products and is an obvious starting point for organizations seeking a consistent way of communicating across the organization regarding the security status of the enterprise architecture.

When inconsistencies are discovered as a result of monitoring activities, the organization may want to take remedial action. Action taken may be via manual methods or via use of automated tools. Automated tools are preferable since actions are not reliant upon human intervention and are taken immediately once an unauthorized change is identified. Examples of possible actions include:

 Implementing non-destructive remediation actions (e.g., quarantining of unregistered device(s), blocking insecure protocols, etc.);
 Sending an alert with change details to appropriate staff using email;
 Rolling back changes and restoring from backups;
 Updating the inventory to include newly identified components; and
 Updating baseline configurations to represent new configurations.

Many applications support configuration management interfaces and functionality to allow operators and administrators to change configuration parameters, update Web site content, and to perform routine maintenance. Top configuration management threats include:

 Unauthorized access to administration interfaces
 Unauthorized access to configuration stores
 Retrieval of plaintext configuration secrets
 Lack of individual accountability
 Over-privileged process and service accounts

Unauthorized Access to Administration Interfaces

Administration interfaces are often provided through additional Web pages or separate Web applications that allow administrators, operators, and content developers to manage site content and configuration. Administration interfaces

such as these should be available only to restricted and authorized users. Malicious users able to access a configuration management function can potentially deface the Web site, access downstream systems and databases, or take the application out of action altogether by corrupting configuration data.

Countermeasures to prevent unauthorized access to administration interfaces include:

 Minimize the number of administration interfaces.
 Use strong authentication, for example, by using certificates.
 Use strong authorization with multiple gatekeepers.

Consider supporting only local administration. If remote administration is absolutely essential, use encrypted channels, for example, with VPN technology or SSL, because of the sensitive nature of the data passed over administrative interfaces. To further reduce risk, also consider using IPSec policies to limit remote administration to computers on the internal network.

8.5 Unauthorized Access to Configuration Stores


Because of the sensitive nature of the data maintained in configuration stores, you should ensure that the stores are adequately secured.

Countermeasures to protect configuration stores include:

 Configure restricted ACLs on text-based configuration files such as Machine.config and Web.config.
 Keep custom configuration stores outside of the Web space. This removes the potential to download Web server configurations to exploit their vulnerabilities.

Retrieval of Plaintext Configuration Secrets

Restricting access to the configuration store is a must. As an important defence in depth mechanism, you should encrypt sensitive data such as passwords and connection strings. This helps prevent external attackers from obtaining sensitive configuration data. It also prevents rogue administrators and internal employees from obtaining sensitive details such as database connection strings and account credentials that might allow them to gain access to other systems.

Lack of Individual Accountability

Lack of auditing and logging of changes made to configuration information threatens the ability to identify when changes were made and who made those changes. When a breaking change is made either by an honest operator error or by a malicious change to grant privileged access, action must first be taken to correct the change. Then apply preventive measures to stop breaking changes from being introduced in the same manner. Keep in mind that auditing and logging can be circumvented by a shared account; this applies to both administrative and user/application/service accounts. Administrative accounts must not be shared. User/application/service accounts must be assigned at a level that allows the identification of a single source of access using the account, and that contains any damage to the privileges granted that account.

Over-privileged Application and Service Accounts

If application and service accounts are granted access to change configuration information on the system, they may be manipulated to do so by an attacker. The risk of this threat can be mitigated by adopting a policy of using least privileged service and application accounts. Be wary of granting accounts the ability to modify their own configuration information unless explicitly required by design.
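As an added example (not from the handbook), the following script audits the configuration-store countermeasures above: whether a store sits inside the Web space, whether its access permissions allow anyone but the owner to read it, and whether it holds plaintext credentials. The file names, contents and permission rule are constructed, and POSIX mode bits stand in for the Windows ACLs the text refers to.

```python
"""Audit of configuration stores: file ACLs, location relative to the Web
space, and plaintext secrets.

Added example, not from the handbook. File names, contents and the
permission rule are constructed; POSIX mode bits stand in for the ACLs
the text refers to, and a key=value regex stands in for a real secret
scanner.
"""
import os
import re
import stat
import tempfile

# Constructed rule: a password/pwd assignment in a config file counts as a
# plaintext secret; a protected (encrypted) section would not match.
SECRET_RE = re.compile(r"(?i)\b(password|pwd)\s*=\s*\S+")
# Platform configuration files that legitimately sit in the Web root.
PLATFORM_CONFIG = {"web.config", "machine.config"}


def is_inside(path, root):
    """True if path lies inside root (symlinks resolved)."""
    real, top = os.path.realpath(path), os.path.realpath(root)
    return real == top or real.startswith(top + os.sep)


def audit_config_file(path, web_root):
    """Return the list of issues found for one configuration file."""
    issues = []
    # 1. Location: custom stores must be kept outside the Web space so that
    #    they cannot be downloaded through the Web server.
    if is_inside(path, web_root) and \
            os.path.basename(path).lower() not in PLATFORM_CONFIG:
        issues.append("custom configuration store inside the Web space")
    # 2. ACL: only the owner may read or write the store.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append("permissive mode %o (group/other access)" % mode)
    # 3. Secrets: passwords and connection-string credentials must be
    #    encrypted, not stored in plaintext.
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if SECRET_RE.search(line):
                issues.append("plaintext secret at line %d" % lineno)
    return issues


def _write(path, text, mode):
    """Create a constructed sample file with the given permission bits."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)


def run_example():
    """Constructed layout: a Web.config with a plaintext connection-string
    password and loose permissions, a custom store placed inside the Web
    space, and a properly placed and protected store outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = os.path.join(tmp, "webroot")
        files = {
            "webroot/Web.config": (
                '<configuration>\n  <connectionStrings>\n'
                '    <add name="Main" connectionString="Server=db;'
                'User Id=app;Password=s3cret;" />\n'
                '  </connectionStrings>\n</configuration>\n', 0o644),
            "webroot/app/settings.ini": ("db_host = db.internal\n", 0o600),
            "conf/app.ini": ("db_host = db.internal\n", 0o600),
        }
        for rel, (text, mode) in files.items():
            _write(os.path.join(tmp, *rel.split("/")), text, mode)
        return {rel: audit_config_file(os.path.join(tmp, *rel.split("/")),
                                       web_root)
                for rel in files}


if __name__ == "__main__":
    for rel, issues in run_example().items():
        print(rel, "->", issues or "ok")
```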

UNIT IX
Log Correlation and Management

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
9.1. Event Log Concepts
9.2. Log Management and its need
9.3. Log Management Process
9.4. Configuring Windows Event Log
9.5. IIS Log Files
9.6. Analysis and Response


LESSON PLAN

Performance Outcomes: To be competent, you must be able to:
PC6. maintain accurate daily records/logs of information security performance parameters using standard templates and tools
PC7. analyze information security performance metrics to highlight variances and issues for action by appropriate people
PC8. provide inputs to root cause analysis and the resolution of information security issues, where required
PC9. update your organization’s knowledge base promptly and accurately with information security issues and their resolution
PC3. carry out security assessment of information security systems using automated tools

Ensuring Measures:
 Going through various organizations’ websites and understanding the policies and guidelines. (Research)
 Understand, summarize and articulate.
 Peer group, Faculty group and Industry experts.
 Peer review with faculty with appropriate feedback.
 Going through various organizations’ websites and understanding the policies and guidelines. (Research)
 Team work (IM and chat applications) and group activities (online forums) including templates to be prepared.

Duration (Hrs): 4 hrs

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Networking Equipment - Routers & Switches
 Firewalls and Access Points
 Access to all security sites like ISO, PCI DSS
 Commercial Tools like HP Web Inspect and IBM AppScan etc.
 Open Source tools like sqlmap, Nessus etc.

Performance Outcomes: You must know and understand:
KA1. your organization’s policies, procedures, standards and guidelines for managing information security
KA2. your organization’s knowledge base and how to access and update this
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KA5. how to analyze root causes of information security issues
KA8. how to correlate devices and logs
KA9. different types of automation tools and how to use these
KA10. how to access and analyze information security performance metrics

Ensuring Measures:
KA1. Going through various organizations’ websites and understanding the policies and guidelines. (Research)
KA2. Understand, summarize and articulate.
KA4, KA5. Peer group, Faculty group and Industry experts.
KA8. Peer review with faculty with appropriate feedback.
KA9. Going through various organizations’ websites and understanding the policies and guidelines. (Research)
KA10, KA11. Team work (IM and chat applications) and group activities (online forums) including templates to be prepared.

Duration (Hrs): 4 hrs

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Networking Equipment - Routers & Switches
 Firewalls and Access Points
 Access to all security sites like ISO, PCI DSS
 Commercial Tools like HP Web Inspect and IBM AppScan etc.
 Open Source tools like sqlmap, Nessus etc.

Suggested Learning Activities


Activity 1:

The students should research various log report templates and sources which provide
guidance on using log reports. The various information available in the report should be
understood and possible anomalies listed.

Activity 2:

Students should be divided into groups. One group should explore the log configuration of their own server and generate reports from the servers of their own institute each week. These should be analysed, and activity reports and the inferences drawn from them presented in class by a different group each week.


Training Resource Material


9.1 Event Logs - Concepts
A log is a record of the events occurring within an organization's systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network. Originally, logs were used primarily for troubleshooting problems, but logs now serve many functions within most organizations, such as optimizing system and network performance, recording the actions of users, and providing data useful for investigating malicious activity.

Logs have evolved to contain information related to many different types of events occurring within networks and systems. Within an organization, many logs contain records related to computer security; common examples of these computer security logs are audit logs that track user authentication attempts and security device logs that record possible attacks.

Key Concepts

Log management: Log management refers to the broad practice of collecting, aggregating and analysing network data for a variety of purposes. Data logging devices collect incredible amounts of information on security, operational and application events; log management comprises the tools to search and parse this data for trends, anomalies and other relevant information.

Security information and event management (SIEM): Like log management, SIEM also involves the collection and analysis of data. The key distinction to be made is that SIEM is a specialized tool for information security. SIEM appliances enable event reduction and real-time alerting, and they provide specific workflows to address security breaches as they occur. Another key feature of SIEM is the incorporation of non-event based data, such as vulnerability scanning reports, for correlation and analysis.

A lot of money has been invested in security products such as firewalls, intrusion detection, and strong authentication over the past several years. However, system penetration attempts continue to occur and go unnoticed until it is too late. It is not that security countermeasures are ineffective against intrusive activity. Indeed, they can be very effective within an organization where security policies and procedures require analysis of security events and appropriate incident response. However, deploying and analysing a single device in an effort to maintain situational awareness with respect to the state of security within an organization is the "computerized version of tunnel vision". Security events must be analysed from as many sources as possible in order to assess the threat and formulate an appropriate response. Extraordinary levels of security awareness can be attained in an organization's network by simply listening to what its devices are telling you.

• Security software logs primarily contain computer security-related information.
• Operating system logs and application logs typically contain a variety of information, including computer security-related data.

Security Software

Most organizations use several types of network-based and host-based security software to detect malicious activity, protect systems and data, and support incident response efforts. Accordingly, security software is a major source of computer security log data. Common types of network-based and host-based security software include the following:

Antimalware Software. The most common form of antimalware software is antivirus software, which typically records all instances of detected malware, file and system disinfection attempts, and file quarantines. Additionally, antivirus software might also record when malware scans were performed and when antivirus signature or software updates occurred. Antispyware software and other types of antimalware software (e.g., rootkit detectors) are also common sources of security information.

Intrusion Detection and Intrusion Prevention Systems. Intrusion detection and intrusion prevention systems record detailed information on suspicious behaviour and detected attacks, as well as any actions intrusion prevention systems performed to stop malicious activity in progress. Some intrusion detection systems, such as file integrity checking software, run periodically instead of continuously, so they generate log entries in batches instead of on an ongoing basis.

Remote Access Software

Remote access is often granted and secured through virtual private networking (VPN). VPN systems typically log successful and failed login attempts, as well as the dates and times each user connected and disconnected, and the amount of data sent and received in each user session. VPN systems that support granular access control, such as many Secure Sockets Layer (SSL) VPNs, may log detailed information about the use of resources.

Web Proxies

Web proxies are intermediate hosts through which Web sites are accessed. Web proxies make Web page requests on behalf of users, and they cache copies of retrieved Web pages to make additional accesses to those pages more efficient. Web proxies can also be used to restrict Web access and to add a layer of protection between Web clients and Web servers. Web proxies often keep a record of all URLs accessed through them.

Vulnerability Management Software

Vulnerability management software, which includes patch management software and vulnerability assessment software, typically logs the patch installation history and vulnerability status of each host, which includes known vulnerabilities and missing software updates. Vulnerability management software may also record additional information about hosts' configurations. Vulnerability management software typically runs occasionally, not continuously, and is likely to generate large batches of log entries.

Authentication Servers

Authentication servers, including directory servers and single sign-on servers, typically log each authentication attempt, including its origin, username, success or failure, and date and time.


Routers

Routers may be configured to permit or block certain types of network traffic based on a policy. Routers that block traffic are usually configured to log only the most basic characteristics of blocked activity.

Firewalls

Like routers, firewalls permit or block activity based on a policy; however, firewalls use much more sophisticated methods to examine network traffic. Firewalls can also track the state of network traffic and perform content inspection. Firewalls tend to have more complex policies and generate more detailed logs of activity than routers.

Network Quarantine Servers

Some organizations check each remote host's security posture before allowing it to join the network. This is often done through a network quarantine server and agents placed on each host. Hosts that do not respond to the server's checks or that fail the checks are quarantined on a separate virtual local area network (VLAN) segment. Network quarantine servers log information about the status of checks, including which hosts were quarantined and for what reasons.

Operating Systems

Operating systems (OS) for servers, workstations, and networking devices (e.g., routers, switches) usually log a variety of information related to security. The most common types of security-related OS data are as follows:

System Events

System events are operational actions performed by OS components, such as shutting down the system or starting a service. Typically, failed events and the most significant successful events are logged, but many OSs permit administrators to specify which types of events will be logged. The details logged for each event also vary widely; each event is usually timestamped, and other supporting information could include event, status, and error codes; service name; and the user or system account associated with an event.

Audit Records

Audit records contain security event information such as successful and failed authentication attempts, file accesses, security policy changes, account changes (e.g., account creation and deletion, account privilege assignment), and use of privileges. OSs typically permit system administrators to specify which types of events should be audited and whether successful and/or failed attempts to perform certain actions should be logged.

OS logs are most beneficial for identifying or investigating suspicious activity involving a particular host. After suspicious activity is identified by security software, OS logs are often consulted to get more information on the activity.

Applications

Operating systems and security software provide the foundation and protection for applications, which are used to store, access, and manipulate the data used for the organization's business processes. Most organizations rely on a variety of commercial off-the-shelf (COTS) applications, such as e-mail servers and clients, Web servers and browsers, file servers and file sharing clients, and database servers and clients. Some applications generate their own log files,

while others use the logging capabilities of the OS on which they are installed. Applications vary significantly in the types of information that they log. The following lists some of the most commonly logged types of information and the potential benefits of each:

Client requests and server responses, which can be very helpful in reconstructing sequences of events and determining their apparent outcome. If the application logs successful user authentications, it is usually possible to determine which user made each request. Some applications can perform highly detailed logging, such as e-mail servers recording the sender, recipients, subject name, and attachment names for each e-mail; Web servers recording each URL requested and the type of response provided by the server; and business applications recording which financial records were accessed by each user. This information can be used to identify or investigate incidents and to monitor application usage for compliance and auditing purposes.

Account information such as successful and failed authentication attempts, account changes (e.g., account creation and deletion, account privilege assignment), and use of privileges. In addition to identifying security events such as brute force password guessing and escalation of privileges, it can be used to identify who has used the application and when each person has used it.

Usage information such as the number of transactions occurring in a certain period (e.g., minute, hour) and the size of transactions (e.g., e-mail message size, file transfer size). This can be useful for certain types of security monitoring (e.g., a ten-fold increase in e-mail activity might indicate a new e-mail-borne malware threat; an unusually large outbound e-mail message might indicate inappropriate release of information).

Significant operational actions such as application startup and shutdown, application failures, and major application configuration changes. This can be used to identify security compromises and operational failures.

Much of this information, particularly for applications that are not used through unencrypted network communications, can only be logged by the applications, which makes application logs particularly valuable for application-related security incidents, auditing, and compliance efforts. However, these logs are often in proprietary formats that make them more difficult to use, and the data they contain is often highly context-dependent, necessitating more resources to review their contents.
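The account-information and usage-information items above are the ones an analyst most often turns into detection logic. The following added example, written for this handbook section and not taken from any product, runs two such checks over constructed application log lines: a sliding-window count of failed authentications per source address (brute-force or password-spraying detection, also noting whether a success followed the failures), and an hourly message-volume comparison that flags the ten-fold increase the text mentions. The line format, the thresholds and the sample entries are assumptions.

```python
"""Detection logic over application log entries.

Added example (not part of the handbook or any product): the line format,
the thresholds and the sample lines below are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: an application's authentication log. One source
# tries several accounts within a few seconds, then succeeds as "admin".
AUTH_LOG = """\
2015-03-02T10:00:01Z auth user=alice src=10.0.0.5 result=FAIL
2015-03-02T10:00:03Z auth user=alice src=10.0.0.5 result=FAIL
2015-03-02T10:00:04Z auth user=bob src=10.0.0.5 result=FAIL
2015-03-02T10:00:06Z auth user=carol src=10.0.0.5 result=FAIL
2015-03-02T10:00:07Z auth user=dave src=10.0.0.5 result=FAIL
2015-03-02T10:00:09Z auth user=admin src=10.0.0.5 result=SUCCESS
2015-03-02T10:02:00Z auth user=erin src=10.0.0.9 result=FAIL
2015-03-02T10:02:30Z auth user=erin src=10.0.0.9 result=SUCCESS
"""

# Constructed sample: an e-mail server's usage log, one line per message.
# Hours 08 and 09 are normal; hour 10 carries more than ten times as many.
MAIL_LOG = "\n".join(
    f"2015-03-02T{hour:02d}:{i % 60:02d}:{i // 60:02d}Z smtp from=user{i}@example.com size={1000 + i}"
    for hour, count in ((8, 5), (9, 6), (10, 80))
    for i in range(count)
)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<app>\S+) (?P<kv>.*)$")


def parse(line):
    """Split '<timestamp> <app> k=v k=v ...' into a dict; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["app"] = m.group("app")
    return fields


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Sources with >= threshold FAILs inside any `window`, and whether a
    SUCCESS from the same source followed the last failure. Failures are
    counted per source, not per account, so one guess against many
    accounts (password spraying) is caught as well."""
    fails, successes = defaultdict(list), defaultdict(list)
    for line in lines:
        e = parse(line)
        if not e or e["app"] != "auth":
            continue
        bucket = fails if e.get("result") == "FAIL" else successes
        bucket[e["src"]].append(e["ts"])
    hits = {}
    for src, times in fails.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[src] = {
                "failures": best,
                "success_after": any(s > times[-1] for s in successes.get(src, [])),
            }
    return hits


def usage_spikes(lines, factor=10):
    """Hourly message counts; an hour is a spike when it reaches `factor`
    times the median of the hours seen before it."""
    per_hour = Counter()
    for line in lines:
        e = parse(line)
        if e and e["app"] == "smtp":
            per_hour[e["ts"].replace(minute=0, second=0)] += 1
    spikes, history = {}, []
    for hour in sorted(per_hour):
        if history:
            baseline = sorted(history)[len(history) // 2]
            if per_hour[hour] >= factor * baseline:
                spikes[hour] = per_hour[hour]
        history.append(per_hour[hour])
    return spikes


if __name__ == "__main__":
    for src, info in brute_force_sources(AUTH_LOG.splitlines()).items():
        print(f"brute force from {src}: {info}")
    for hour, n in usage_spikes(MAIL_LOG.splitlines()).items():
        print(f"usage spike at {hour:%Y-%m-%d %H:00}: {n} messages")
```

Counting failures per source rather than per account is the design choice that matters: a per-account lockout counter never fires for an attacker who tries one password against every account. The "success_after" flag is what turns a noisy finding into an incident.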


9.2 Log Management and its need


Log management can benefit an organization in many ways. It helps to ensure that computer security records are stored in sufficient detail for an appropriate period of time. Routine log reviews and analysis are beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems shortly after they have occurred, and for providing information useful for resolving such problems.

Logs can also be useful for performing auditing and forensic analysis, supporting the organization's internal investigations, establishing baselines, and identifying operational trends and long-term problems.

A log management infrastructure typically comprises the following three tiers:

Log Generation
The first tier contains the hosts that generate the log data. Some hosts run logging client
applications or services that make their log data available through networks to log servers
in the second tier. Other hosts make their logs available through other means, such as
allowing the servers to authenticate to them and retrieve copies of the log files.

Log Analysis and Storage


The second tier is composed of one or more log servers that receive log data or copies of
log data from the hosts in the first tier. The data is transferred to the servers either in a
real-time or near-real-time manner, or in occasional batches based on a schedule or the
amount of log data waiting to be transferred. Servers that receive log data from multiple
log generators are sometimes called collectors or aggregators. Log data may be stored on
the log servers themselves or on separate database servers.

Log Monitoring
The third tier contains consoles that may be used to monitor and review log data and the
results of automated analysis. Log monitoring consoles can also be used to generate
reports. In some log management infrastructures, consoles can also be used to provide
management for the log servers and clients. Also, console user privileges sometimes can
be limited to only the necessary functions and data sources for each user.

Log management infrastructures typically perform several functions that assist in the storage, analysis, and disposal of log data. These functions are normally performed in such a way that they do not alter the original logs.


The following items describe common log management infrastructure functions:

Log parsing is extracting data from a log so that the parsed values can be used as input for another logging process. A simple example of parsing is reading a text-based log file that contains 10 comma-separated values per line and extracting the 10 values from each line. Parsing is performed as part of many other logging functions, such as log conversion and log viewing.

Event filtering is the suppression of log entries from analysis, reporting, or long-term storage because their characteristics indicate that they are unlikely to contain information of interest. For example, duplicate entries and standard informational entries might be filtered because they do not provide useful information to log analysts. Typically, filtering does not affect the generation or short-term storage of events because it does not alter the original log files.

In event aggregation, similar entries are consolidated into a single entry containing a count of the number of occurrences of the event. For example, a thousand entries that each record part of a scan could be aggregated into a single entry that indicates how many hosts were scanned. Aggregation is often performed as logs are originally generated (the generator counts similar related events and periodically writes a log entry containing the count), and it can also be performed as part of log reduction or event correlation processes, which are described below.

Storage

Log rotation is closing a log file and opening a new log file when the first file is considered to be complete. Log rotation is typically performed according to a schedule (e.g., hourly, daily, weekly) or when a log file reaches a certain size. The primary benefits of log rotation are preserving log entries and keeping the size of log files manageable. When a log file is rotated, the preserved log file can be compressed to save space. Also, during log rotation, scripts are often run that act on the archived log. For example, a script might analyse the old log to identify malicious activity, or might perform filtering that causes only log entries meeting certain characteristics to be preserved. Many log generators offer log rotation capabilities; many log files can also be rotated through simple scripts or third-party utilities, which in some cases offer features not provided by the log generators.

Log archival is retaining logs for an extended period of time, typically on removable media, a storage area network (SAN), or a specialized log archival appliance or server. Logs often need to be preserved to meet legal or regulatory requirements. There are two types of log archival: retention and preservation. Log retention is archiving logs on a regular basis as part of standard operational activities. Log preservation is keeping logs that normally would be discarded, because they contain records of activity of particular interest. Log preservation is typically performed in support of incident handling or investigations.

Log compression is storing a log file in a way that reduces the amount of storage
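An added example (not the handbook's own code) of the three functions just described, applied to the kind of ten-field comma-separated log the text uses as its parsing example: parsing the fields by name, filtering out exact duplicates and informational entries, and aggregating a port scan's many deny entries into one entry with a count. The field layout, the severity names and the sample lines are constructed assumptions.

```python
"""Log parsing, event filtering and event aggregation over a
comma-separated firewall log.

Added example (not the handbook's code): the field layout, the severity
names and the sample lines are assumptions.
"""
import csv
import io
from collections import defaultdict

# Ten comma-separated values per line, as in the text's parsing example.
FIELDS = ["ts", "device", "severity", "action", "proto",
          "src_ip", "src_port", "dst_ip", "dst_port", "msg"]

# Constructed sample: one source probing twelve ports on two hosts, plus
# routine allowed traffic and an exact duplicate of one deny line.
_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389]
_SCAN = [
    f"2015-03-02 10:00:{i % 10:02d},fw1,warn,deny,tcp,198.51.100.7,{40000 + i},"
    f"10.0.1.{20 + i // 8},{port},policy deny"
    for i, port in enumerate(_PORTS)
]
RAW_LOG = "\n".join([
    "2015-03-02 10:00:00,fw1,info,allow,tcp,10.0.0.5,51000,10.0.1.20,443,session start",
    "2015-03-02 10:00:00,fw1,info,allow,tcp,10.0.0.5,51000,10.0.1.20,443,session start",
    *_SCAN,
    _SCAN[0],
    "2015-03-02 10:00:05,fw1,info,allow,udp,10.0.0.8,5353,224.0.0.251,5353,mdns",
]) + "\n"


def parse_log(text):
    """Log parsing: map the ten values on each line to field names."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue            # malformed line; a real collector would report it
        entries.append(dict(zip(FIELDS, row)))
    return entries


def filter_events(entries, drop_severity=("info",)):
    """Event filtering: suppress exact duplicates and standard informational
    entries. Only the parsed list is reduced; the original log file is
    untouched, as the text requires."""
    seen, kept = set(), []
    for e in entries:
        key = tuple(e[f] for f in FIELDS)
        if key in seen or e["severity"] in drop_severity:
            continue
        seen.add(key)
        kept.append(e)
    return kept


def aggregate_scans(entries):
    """Event aggregation: all deny entries from one source become a single
    entry carrying the count and the hosts and ports it touched."""
    by_src = defaultdict(list)
    for e in entries:
        if e["action"] == "deny":
            by_src[e["src_ip"]].append(e)
    return [
        {
            "ts_first": min(i["ts"] for i in items),
            "ts_last": max(i["ts"] for i in items),
            "src_ip": src,
            "count": len(items),
            "hosts": sorted({i["dst_ip"] for i in items}),
            "ports": sorted({int(i["dst_port"]) for i in items}),
        }
        for src, items in by_src.items()
    ]


def summarize(text):
    """Run the three functions in sequence; returns (kept entries, aggregates)."""
    kept = filter_events(parse_log(text))
    return kept, aggregate_scans(kept)


if __name__ == "__main__":
    kept, aggregates = summarize(RAW_LOG)
    print(f"{len(kept)} entries kept after filtering")
    for a in aggregates:
        print(f"{a['src_ip']} sent {a['count']} denied probes to {a['hosts']} ports {a['ports']}")
```

The csv module is used rather than a plain split on commas so that a quoted message field containing a comma does not shift the other nine values; that is the most common way hand-written parsers go wrong on this format.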


space needed for the file without altering the meaning of its contents. Log compression is often performed when logs are rotated or archived.

Log reduction is removing unneeded entries from a log to create a new log that is smaller. A similar process is event reduction, which removes unneeded data fields from all log entries. Log and event reduction are often performed in conjunction with log archival so that only the log entries and data fields of interest are placed into long-term storage.

Log conversion is parsing a log in one format and storing its entries in a second format. For example, conversion could take data from a log stored in a database and save it in an XML format in a text file. Many log generators can convert their own logs to another format; third-party conversion utilities are also available. Log conversion sometimes includes actions such as filtering, aggregation, and normalization.

In log normalization, each log data field is converted to a particular data representation and categorized consistently. One of the most common uses of normalization is storing dates and times in a single format. For example, one log generator might store the event time in a twelve-hour format (2:34:56 P.M. EDT) categorized as Timestamp, while another log generator might store it in twenty-four hour (14:34) format categorized as Event Time, with the time zone stored in different notation (-0400) in a different field categorized as Time Zone. Normalizing the data makes analysis and reporting much easier when multiple log formats are in use. However, normalization can be very resource-intensive, especially for complex log entries (e.g., typical intrusion detection logs).

Log file integrity checking involves calculating a message digest for each file and storing the message digest securely to ensure that changes to archived logs are detected. A message digest is a fixed-length value computed from the data by a cryptographic hash function (not a digital signature, which additionally binds the value to a signing key); it identifies the data and has the property that changing a single bit in the data causes a completely different message digest to be generated. The most commonly used message digest algorithms have been MD5 and Secure Hash Algorithm 1 (SHA-1); both are now considered broken for collision resistance, and a SHA-2 hash such as SHA-256 should be used for new deployments. If the log file is modified and its message digest is recalculated, it will not match the original message digest, indicating that the file has been altered. The original message digests should be protected from alteration through FIPS-approved cryptographic algorithms (for example, a digital signature or HMAC over the list of digests), storage on read-only media, or other suitable means; a digest stored next to the archive on the same writable disk protects against accidental corruption but not against an intruder who can rewrite both.

Analysis

Event correlation is finding relationships between two or more log entries. The most common form of event correlation is rule-based correlation, which matches multiple log entries from a single source or multiple sources based on logged values, such as timestamps, IP addresses, and event types. Event correlation can also be performed in other ways, such as using statistical methods or visualization tools. If correlation is performed through automated methods, generally the result of successful correlation is a new log entry that brings together the pieces of information into a single place. Depending on the nature of that information, the infrastructure might also generate an alert to indicate that the identified event needs further investigation.

Log viewing is displaying log entries in a human-readable format. Most log generators provide some sort of log viewing capability; third-party log viewing utilities are also available. Some log viewers provide filtering and aggregation capabilities.
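The rotation, compression and integrity-checking functions described under Storage above fit together as one archival step: when a log fills, it is closed, compressed, and its digest recorded so that later tampering with the archive is detectable. The following added example (not the handbook's code) implements that pipeline in a temporary directory and then tampers with the archive to show the check failing. It uses SHA-256 instead of the MD5/SHA-1 the text names; the file names, the size threshold and the manifest layout are assumptions, and in production the manifest would be written to read-only media or signed rather than kept beside the archives on the same disk.

```python
"""Log rotation with compression and archive integrity checking.

Added example (not the handbook's code): the file names, the size
threshold and the manifest layout are assumptions. It uses SHA-256
rather than the MD5/SHA-1 named in the text.
"""
import gzip
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Message digest of a file, read in chunks so large archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def rotate(log_path, max_bytes, manifest_path):
    """Rotate when the log reaches max_bytes: move it aside, start a fresh
    file, gzip the preserved copy and record its digest in the manifest.
    Returns the archive path, or None when no rotation was needed."""
    if not os.path.exists(log_path) or os.path.getsize(log_path) < max_bytes:
        return None
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S%f")
    rotated = f"{log_path}.{stamp}"
    archived = rotated + ".gz"
    os.rename(log_path, rotated)            # close the full file...
    open(log_path, "a").close()             # ...and open a new one for writers
    with open(rotated, "rb") as src, gzip.open(archived, "wb") as dst:
        shutil.copyfileobj(src, dst)        # compression on rotation
    os.remove(rotated)
    with open(manifest_path, "a") as m:     # manifest belongs on read-only media
        m.write(f"{sha256_file(archived)}  {os.path.basename(archived)}\n")
    return archived


def verify(manifest_path):
    """Recompute each archive's digest and compare it with the manifest."""
    base = os.path.dirname(manifest_path)
    results = {}
    with open(manifest_path) as m:
        for line in m:
            digest, name = line.rstrip("\n").split("  ", 1)
            path = os.path.join(base, name)
            results[name] = os.path.exists(path) and sha256_file(path) == digest
    return results


def demo():
    """Write a log, rotate it, verify, tamper with the archive, verify again."""
    work = tempfile.mkdtemp()
    log = os.path.join(work, "app.log")
    manifest = os.path.join(work, "MANIFEST.sha256")
    with open(log, "w") as f:
        for i in range(200):                # constructed entries, about 9 KB in total
            f.write(f"2015-03-02T10:{i // 60:02d}:{i % 60:02d}Z event={i} user=alice\n")
    archived = rotate(log, 4096, manifest)
    intact = all(verify(manifest).values())
    # Simulate an intruder removing the first entry from the archived log.
    with gzip.open(archived, "rt") as f:
        lines = f.readlines()
    with gzip.open(archived, "wt") as f:
        f.writelines(lines[1:])
    tampered = verify(manifest)
    result = {
        "archived": os.path.basename(archived),
        "intact_before": intact,
        "tamper_detected": not all(tampered.values()),
        "new_log_empty": os.path.getsize(log) == 0,
        "no_rotation_when_small": rotate(log, 4096, manifest) is None,
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Renaming the full file before opening the new one is what keeps entries from being lost during the switch; a process that still holds the old descriptor keeps writing to the renamed file until it reopens, which is why real rotation tools also signal the writer to reopen.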


Log reporting is displaying the results of log analysis. Log reporting is often performed to summarize significant activity over a particular period of time or to record detailed information related to a particular event or series of events.

Disposal

Log clearing is removing all entries from a log that precede a certain date and time. Log clearing is often performed to remove old log data that is no longer needed on a system because it is not of importance or it has been archived.
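The normalization and rule-based correlation functions above, as an added example that is not the handbook's code: two hypothetical sources ("vpn1", which writes a 12-hour clock with a zone name, and "ids1", which writes a 24-hour clock with a UTC offset, mirroring the text's Timestamp/Event Time example) are converted to one record layout with UTC timestamps, and a single rule then matches a successful VPN logon followed within ten minutes by an IDS alert from the same source address, producing a new correlated entry flagged for alerting. The line formats, the zone table and the rule are assumptions.

```python
"""Log normalization and rule-based event correlation across two sources.

Added example (not the handbook's code): the two line formats, the zone
table and the correlation rule are assumptions about hypothetical
"vpn1" and "ids1" devices.
"""
import re
import shlex
from datetime import datetime, timedelta, timezone

# Zone abbreviations the VPN source emits (assumption; abbreviations are
# ambiguous in general, which is one reason to normalize to UTC).
ZONES = {"EDT": -4, "EST": -5, "UTC": 0}

# Constructed sample, two sources with different time notations:
# VPN: 12-hour clock with a zone name; IDS: 24-hour clock with an offset.
VPN_LOG = """\
03/02/2015 1:00:00 PM EDT vpn1 LOGIN user=bob src=203.0.113.9 result=success
03/02/2015 2:34:56 PM EDT vpn1 LOGIN user=alice src=198.51.100.7 result=success
03/02/2015 2:35:10 PM EDT vpn1 LOGIN user=mallory src=192.0.2.1 result=failure
"""
IDS_LOG = """\
2015-03-02 14:40 -0400 ids1 ALERT sid=2100498 msg="SQL injection attempt" src=198.51.100.7 dst=10.0.1.20
2015-03-02 16:30 -0400 ids1 ALERT sid=2010935 msg="port scan" src=203.0.113.9 dst=10.0.1.0/24
2015-03-02 16:45 -0400 ids1 ALERT sid=2010935 msg="port scan" src=192.0.2.1 dst=10.0.1.0/24
"""

VPN_RE = re.compile(r"^(\S+ \S+ [AP]M) (\w+) (\S+) (\w+) (.*)$")
IDS_RE = re.compile(r"^(\S+ \S+) ([+-]\d{4}) (\S+) (\w+) (.*)$")


def _kv(rest):
    """Parse k=v pairs; shlex keeps quoted values with spaces together."""
    return dict(tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)


def normalize_vpn(line):
    """VPN line -> common record with an aware UTC timestamp."""
    clock, zone, host, etype, rest = VPN_RE.match(line).groups()
    local = datetime.strptime(clock, "%m/%d/%Y %I:%M:%S %p")
    ts = local.replace(tzinfo=timezone(timedelta(hours=ZONES[zone])))
    kv = _kv(rest)
    return {"timestamp": ts.astimezone(timezone.utc), "source": host,
            "event_type": "vpn." + etype.lower(), "ip": kv.get("src"),
            "user": kv.get("user"), "detail": kv.get("result")}


def normalize_ids(line):
    """IDS line -> the same common record layout."""
    clock, offset, host, etype, rest = IDS_RE.match(line).groups()
    ts = datetime.strptime(f"{clock} {offset}", "%Y-%m-%d %H:%M %z")
    kv = _kv(rest)
    return {"timestamp": ts.astimezone(timezone.utc), "source": host,
            "event_type": "ids." + etype.lower(), "ip": kv.get("src"),
            "user": None, "detail": kv.get("msg")}


def correlate(events, window=timedelta(minutes=10)):
    """Rule: a successful VPN logon followed within `window` by an IDS alert
    whose source address is the same produces one new, correlated entry."""
    logons = {}                    # ip -> most recent successful VPN logon
    out = []
    for e in sorted(events, key=lambda r: r["timestamp"]):
        if e["event_type"] == "vpn.login" and e["detail"] == "success":
            logons[e["ip"]] = e
        elif e["event_type"] == "ids.alert":
            logon = logons.get(e["ip"])
            if logon and e["timestamp"] - logon["timestamp"] <= window:
                out.append({"timestamp": e["timestamp"], "ip": e["ip"],
                            "user": logon["user"], "rule": "vpn-logon-then-ids-alert",
                            "detail": e["detail"], "alert": True})
    return out


def run():
    """Normalize both sources, then correlate; returns (events, correlated)."""
    events = [normalize_vpn(l) for l in VPN_LOG.splitlines()]
    events += [normalize_ids(l) for l in IDS_LOG.splitlines()]
    return events, correlate(events)


if __name__ == "__main__":
    events, hits = run()
    for e in events:
        print(e["timestamp"].isoformat(), e["source"], e["event_type"], e["ip"])
    for h in hits:
        print("ALERT", h)
```

Without the normalization step the rule could not even compare the two timestamps, since "2:34:56 PM EDT" and "14:40 -0400" are five minutes apart only once both are expressed in the same zone; the correlated entry also carries the VPN user name, which the IDS alert alone never had.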


9.3 Log Management Process


System-level and infrastructure administrators should follow standard processes for managing the logs for which they are responsible.

Major operational processes for log management are as follows:
• Configure the log sources, including log generation, storage, and security
• Perform analysis of log data
• Initiate appropriate responses to identified events
• Manage the long-term storage of log data.

Configure Log Sources

System-level administrators need to configure log sources so that they capture the necessary information in the desired format and locations, as well as retain the information for the appropriate period of time. The process includes:
• Administrators determine which of their hosts and host components must or should participate in the log management infrastructure.
• A single log file might contain information from several sources, such as an OS log containing information from the OS itself and several security software programs and applications. Administrators ascertain which log sources use each log file.
• For each identified log source, administrators determine which types of events each log source must or should log, as well as which data characteristics must or should be logged for each type of event.

The administrator's ability to configure each log source is dependent on the features offered by that particular type of log source. For example, some log sources offer very granular configuration options, while some offer no granularity at all: logging is simply enabled or disabled, with no control over what is logged. This section discusses log source configuration in three categories: log generation, log storage and disposal, and log security.

Event Logs

Event logs are special files that record significant events on your computer, such as when a user logs on to the computer or when a program encounters an error.

Example: Windows Event Log. Whenever significant types of events occur, Windows records the event in an event log that you can read by using Event Viewer. Advanced users might find the details in event logs helpful when troubleshooting problems with Windows and other programs.

Event Viewer tracks information in several different logs. Windows Logs include:

Application (program) events
Events are classified as error, warning, or information, depending on the severity of the event. An error is a significant problem, such as loss of data. A warning is an event that isn't necessarily significant, but might indicate a possible future problem. An information event describes the successful operation of a program, driver, or service.

Security-related events
These events are called audits and are described as successful or failed


depending on the event, such as whether a user trying to log on to Windows was successful.

Setup events
Computers that are configured as domain controllers will have additional logs displayed here.

System events
System events are logged by Windows and Windows system services, and are classified as error, warning, or information.

Forwarded events
These events are forwarded to this log by other computers.

Applications and Services Logs vary. They include separate logs about the programs that run on your computer, as well as more detailed logs that pertain to specific Windows services.

Open Event Viewer by clicking the Start button, clicking Control Panel, clicking System and Security, clicking Administrative Tools, and then double-clicking Event Viewer. Administrator permission is required: if you're prompted for an administrator password or confirmation, type the password or provide confirmation.

Click an event log in the left pane.

Double-click an event to view the details of the event.


9.4 Configuring Windows Event Log

Authorized administrators can define security settings for the event logs. The choices are somewhat limited, and include log size, the length of time a log should be stored, and when the log should be cleared. Each event log can be configured individually.

1. Click Start, select Programs, select Administrative Tools, click Computer Management.
2. In the console tree, click Event Viewer. Right-click Security and select Properties.
3. The Security Properties window will appear. Here authorized administrators can set the Maximum log size and select what action to take when the maximum log size is reached.
• To restore the default settings, click Restore Defaults.
• To clear the log, click Clear Log.

Under Log size, select one of these options:
• If the log is not to be archived, click Overwrite events as needed.
• To archive the log at scheduled intervals, click Overwrite events older than and specify the appropriate number of days. Be sure that the Maximum log size is large enough to accommodate the interval.
• To retain all the events in the log, click Do not overwrite events (clear log manually). This option requires that logs be cleared manually. When the maximum log size is reached, new events are discarded. From a security standpoint this is the riskiest setting: once the log is full, later activity, including an intruder's, is simply not recorded. If the event log is not cleared and archived


regularly, a warning that the event log is full will appear.

4. After establishing the security log settings, click the Apply button.
5. The Security Properties window also provides the ability to set filters on the event log to perform searches and sorting of audit data. To filter an existing event log in order to view or save specific security events, select the Filter tab and configure the filter.
6. To configure the filter, select the Event types that will be included by checking or unchecking the selection box next to Information, Warning, Error, Success Audit, and/or Failure Audit, then input any additional desired filtering requirements by Event source, Category, Event ID, User, or Computer.
7. By default, the entire event log will be filtered for viewing by the parameters selected above. If desired, select a date and time range for the logs that will be filtered for viewing. This is accomplished by first clicking on the From: drop-down menu and changing the selection to Events On. The date and time dialog boxes will become active. Change the date by selecting the drop-down menu and choosing a date from the calendar that is presented. Change the time by scrolling the up and down arrows in the time dialog box. Follow the same procedure for the To: drop-down menu, changing the selection to Events On and setting the date and time of the last event as described above.
8. Once all the desired filtering options have been selected, click the Apply button and click OK. The Event Viewer will filter the log and display the information as defined by the filter.

Windows Logon Types

Logon Types are logged in the Logon Type field of logon events (event IDs 528 and 540 for successful logons, and 529-537 and 539 for failed logons). These event IDs are those of Windows 2000, XP and Server 2003; on Windows Vista, Server 2008 and later, successful and failed logons are recorded as event IDs 4624 and 4625 respectively, and the Logon Type values below are unchanged.

Windows supports the following logon types and associated logon type values:

2: Interactive logon. This is used for a logon at the console of a computer. A type 2 logon is logged when you attempt to log on at a Windows computer's local keyboard and screen.
3: Network logon. This logon occurs when you access remote file shares or printers. Also, most logons to Internet Information Services (IIS) are classified as network logons, other than IIS logons that use the basic authentication protocol (those are logged as logon type 8).
4: Batch logon. This is used for scheduled tasks. When the Windows Scheduler service starts a scheduled task, it first creates a new logon session for the task, so that it can run in the security context of the account that was specified when the task was created.


5: Service logon. This is used for services and service accounts that log on to start a service. When a service starts, Windows first creates a logon session for the user account that is specified in the service configuration.
7: Unlock. This is used whenever you unlock your Windows machine.
8: Network clear text logon. This is used when you log on over a network and the password is sent in clear text. This happens, for example, when you use basic authentication to authenticate to an IIS server.
9: New credentials-based logon. This is used when you run an application using the RunAs command and specify the /netonly switch. When you start a program with RunAs using /netonly, the program starts in a new logon session that has the same local identity (this is the identity of the user you are currently logged on with), but uses different credentials (the ones specified in the runas command) for other network connections. Without /netonly, Windows runs the program on the local computer and on the network as the user specified in the runas command, and logs the logon event with type 2.
10: Remote Interactive logon. This is used for RDP-based applications like Terminal Services, Remote Desktop or Remote Assistance.
11: Cached Interactive logon. This is logged when users log on using cached credentials, which basically means that in the absence of a domain controller, you can still log on to your local machine using your domain credentials. Windows supports logon using cached credentials to ease the life of mobile users and users who are often disconnected.

How to Read the Windows Application, Security, and System Log Files

The Windows application, security, and system log files can be read with a Windows application called "Event Viewer", which is accessed through the Control Panel:
• Click the Start button on the desktop's Taskbar
• Click the Control Panel menu item
• The Control Panel's window will open
• In the Control Panel, double-click the Administrative Tools icon
• The Administrative Tools window will open with a list of different icons
• Double-click the Event Viewer icon

How to Read Other Windows Log Files

Many log files that software applications use are written as plain text files, making it possible to use any text editor, such as "Notepad" or "WordPad", to read the generated log files. To read .txt files in WordPad:
• Click the Start button on the desktop's Taskbar
• Click the All Programs option
• Click the Accessories menu item
• Click the WordPad application
• A new WordPad window will open
• Click the File menu
• Click the Open menu item
• Navigate to the desired log file and click the Open button

There are also programs that allow the user to monitor log files as they are written, in real time. Examples of such software include Tail For Win32 and Hoo WinTail. These programs make it easy to read new entries from the bottom (tail) of the log file.
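The logon-type values listed above are mainly useful once they are counted and filtered in bulk rather than read one event at a time in Event Viewer. The following added example (not the handbook's or Microsoft's code) does that over a constructed CSV export of Security log logon events; the column layout is an assumption, not Event Viewer's own export format, and so are the admin network and the service-account list used by the triage rules. It accepts both the legacy event IDs given in the text and the 4624/4625 IDs of later Windows versions.

```python
"""Triage of Windows Security log logon events by Logon Type.

Added example (not the handbook's code): the CSV layout below is a
constructed export, not Event Viewer's own format, and the admin
network and service-account list are assumptions.
"""
import csv
import io
import ipaddress
from collections import Counter

# Successful/failed logon event IDs: the legacy IDs from the text and the
# Vista-and-later equivalents.
SUCCESS_IDS = {528, 540, 4624}
FAILURE_IDS = set(range(529, 538)) | {539, 4625}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample records (source_ip "-" means not recorded).
SECURITY_CSV = """\
time,event_id,logon_type,account,workstation,source_ip
2015-03-02T09:00:00Z,4624,2,alice,WS01,-
2015-03-02T09:05:00Z,4624,3,bob,FS01,10.0.0.22
2015-03-02T09:06:00Z,4624,10,admin,WS01,10.0.9.5
2015-03-02T09:07:00Z,4624,10,admin,WS01,198.51.100.7
2015-03-02T09:08:00Z,4624,8,webuser,IIS01,203.0.113.4
2015-03-02T09:09:00Z,4625,3,svc_backup,FS01,10.0.0.30
2015-03-02T09:10:00Z,4624,2,svc_backup,WS02,-
2015-03-02T09:11:00Z,540,3,carol,FS01,10.0.0.40
2015-03-02T09:12:00Z,4624,5,svc_backup,FS01,-
"""


def parse_events(text):
    """Rows of the export as dicts with typed event_id, logon_type, source_ip."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["event_id"] = int(row["event_id"])
        row["logon_type"] = int(row["logon_type"])
        row["source_ip"] = (None if row["source_ip"] == "-"
                            else ipaddress.ip_address(row["source_ip"]))
        events.append(row)
    return events


def count_by_type(events):
    """Successful logons per Logon Type name, the first thing to look at
    when a host shows an unexpected mix (e.g. RDP logons on a file server)."""
    return Counter(LOGON_TYPES.get(e["logon_type"], str(e["logon_type"]))
                   for e in events if e["event_id"] in SUCCESS_IDS)


def triage(events, admin_net="10.0.9.0/24", service_accounts=("svc_backup",)):
    """Findings a reviewer would want raised (the rules are assumptions):
    - type 8: the password crossed the network in clear text;
    - type 10 from outside the admin network: RDP from an unexpected place;
    - type 2 or 10 by a service account: interactive use of a non-human identity."""
    admin = ipaddress.ip_network(admin_net)
    findings = []
    for e in events:
        if e["event_id"] not in SUCCESS_IDS:
            continue
        t, ip = e["logon_type"], e["source_ip"]
        if t == 8:
            findings.append((e["time"], e["account"], "clear-text network logon"))
        if t == 10 and (ip is None or ip not in admin):
            findings.append((e["time"], e["account"], f"RDP logon from {ip} outside {admin}"))
        if t in (2, 10) and e["account"] in service_accounts:
            findings.append((e["time"], e["account"],
                             f"service account used {LOGON_TYPES[t]} logon"))
    return findings


if __name__ == "__main__":
    evs = parse_events(SECURITY_CSV)
    print(dict(count_by_type(evs)))
    for finding in triage(evs):
        print(*finding)
```

The failed logon (4625) is deliberately left out of the type counts and the triage rules here; failures are better handled by the per-source counting shown earlier in this section, while the logon type is most telling for logons that succeeded.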


9.5 IIS log files


Internet Information Services (IIS) is a web server developed by Microsoft for use with Windows Server. The server is meant for a variety of hosting uses while attempting to maintain a high level of flexibility and scalability.

To help with server use and analysis, IIS is integrated with several types of log files. These log file formats provide information on a range of websites and specific statistics, including Internet Protocol (IP) addresses, user information and site visits as well as dates, times and queries.

Log File Formats in IIS (IIS 6.0)

IIS provides six different log file formats that you can use to track and analyse information about your IIS-based sites and services. In addition to the six available formats, you can create your own custom log file format.

The following log file formats and logging options are available in IIS:
• W3C Extended Log File Format: text-based, customizable format for a single site. This is the default format.
• W3C Centralized Logging: all data from all Web sites is recorded in a single log file in the W3C log file format.
• NCSA Common Log File Format: text-based, fixed format for a single site.
• IIS Log File Format: text-based, fixed format for a single site.
• ODBC Logging: fixed format for a single site. Data is recorded in an ODBC-compliant database.
• Centralized Binary Logging: binary-based, unformatted data that is not customizable. Data is recorded from multiple Web sites and sent to a single log file. To interpret the data, you need a special parser.
• HTTP.sys Error Log Files: fixed format for HTTP.sys-generated errors.

You can read text-based log files using a text editor such as Notepad, which is included with Windows, but administrators often import the files into a report-generating software tool for further analysis.

IIS logs, when properly analysed, provide information about demographics and usage of the IIS web server. By tracking usage data, web providers can better tailor their services to support specific regions, time frames or IP ranges. Log filters also allow providers to track only the data deemed necessary for analysis.

Analyse an IIS Log file

IIS logs contain crucial information for improving the web site. Log files for an IIS server are the key source of information for managing the websites hosted on the server. The log files contain a record of each request from a web user and the response provided by the IIS server. This data is crucial for marketing, site performance and security. Logs are often the only indication that a user is attempting to hack into your IIS server. Patterns and trends can be spotted in this data to help you segment your users for marketing opportunities. IIS log analysis is a critical tool in improving your website.

Internet Information Services (IIS) 6.0 offers a number of ways to record the
211
Trainer’s Guide– Security Analyst SSC/N0901

activity of your Web sites, File Transfer Use this line to determine the
Protocol (FTP) sites, Network News corresponding values in each
Transfer Protocol (NNTP) service, and column.
Simple Mail Transfer Protocol (SMTP)  Use the date and time to identify
service and allows you to choose the log when the request was created. The
file format that works best for your "sitename" and "computername"
environment. IIS logging is designed to be will indicate what server responded
more detailed than the event logging or to the request.
performance monitoring features of the  Identify the visitor to your web
Microsoft® Windows® Server 2003, server by the "c-ip" which is the ip
Standard Edition, Windows® Server 2003, address of the visitors’ computer.
Enterprise Edition, and Windows® Server  The "cs-method" column will most
2003, Datacenter Edition, operating often contain either "post" or "get"
systems. IIS log files can include depending on the request made by
information such as who has visited your the visitors’ browser. The fields "cs-
site, what was viewed, and when the uri-stem" and "cs-uri-query" will
information was last viewed. You can denote the resource such as an
monitor attempts to access your sites, image or web page the visitor
virtual folders, or files and determine requested.
whether attempts were made to read or  Use the "sc-status" column to
write to your files. IIS log file formats allow determine whether the web server
you to record events independently for any was capable of correctly
site, virtual folder, or file. responding to the request. A link is
provided in the resource section of
Using a text editor, the following steps can this article to a complete list of
be used to analyse the IIS file: response codes.
 Use the "cs(User-Agent)" to
 Open the log file labeled as determine what type of browser
"ex010110.log" in your text editor. the visitor used, or if the visitor is
The six digits in the log file name actually a search engine. A link to a
are in the format day, month and list of common user agents has
year the file was created. been provided in the resource area
 Locate the header information. of this article.
This is a line starting with "#Fields:."

9.6 Log Analysis and Response

Analyse Log Data

Effective analysis of log data is often the most challenging aspect of log management, but is also usually the most important. Although analysing log data is sometimes perceived by administrators as uninteresting and inefficient (e.g., little value for much effort), having robust log management infrastructures and automating as much of the log analysis process as possible can significantly improve analysis so that it takes less time to perform and produces more valuable results.

The most effective way to gain a solid understanding of log data is to review and analyse portions of it regularly (e.g., every day). The goal is to eventually gain an understanding of the baseline of typical log entries, likely encompassing the vast majority of log entries on the system. (Because a few types of entries often comprise a significant percentage of the log entries, this is not as difficult as it may first sound.) Daily log reviews should include those entries that have been deemed most likely to be important, as well as some of the entries that are not yet fully understood. Because it can take considerable effort to understand the significance of most log entries, the initial days, weeks, or even months of performing the log analysis process are the most challenging and time-consuming. Over time, as the baseline of normal activity is broadened and deepened, the daily log reviews should take less time and be more focused on the most important log entries, thus leading to more valuable analysis results.

Another motivation for understanding the log entries is so that the analysis process can be automated as much as possible. By determining which types of log entries are of interest and which are not, administrators can configure automated filtering of the log entries. This allows events known to be malicious to be recognized and responded to automatically (e.g., alerting administrators, reconfiguring other security controls). Another purpose for filtering is to ensure that the manual analysis performed by administrators is prioritized appropriately. The filtering should be configured so that it presents administrators with a reasonable number of entries for manual analysis.

Web log analysis software (also called a web log analyzer) is a kind of web analytics software that parses a server log file from a web server and, based on the values contained in the log file, derives indicators about when, how, and by whom a web server is visited. Usually reports are generated from the log files immediately, but the log files can alternatively be parsed into a database and reports generated on demand.

There are free, open source and paid software tools available for log analysis or management.

Response to events

During their log analysis, infrastructure and system-level administrators may identify events of significance, such as incidents and operational problems that necessitate some type of response. When an administrator identifies a likely computer security incident, as defined by the organization’s incident response policies, the administrator should follow the organization’s incident response procedures to ensure that it is addressed appropriately. Examples of computer security incidents include a host being infected by malware and a person gaining unauthorized access to a host. Administrators should perform their own responses to non-incident events, such as minor operational problems (e.g., misconfiguration of host security software). Some organizations require system-level administrators to report incidents and logging-related operational problems to infrastructure administrators so that the infrastructure administrators can better identify additional instances of the same activities and patterns that cannot be seen at the individual system level. Infrastructure and system-level administrators should also be prepared to assist incident response teams with their efforts. For example, when an incident occurs, affected system-level administrators may be asked to review their systems’ logs for particular signs of malicious activity or to provide copies of their logs to incident handlers for further analysis.

Administrators should also be prepared to alter their logging configurations as part of a response. Adverse events such as worms often cause unusually large numbers of events to be logged. This can cause various negative impacts, such as slowing system performance, overwhelming logging processes, and overwriting recent log entries. Analysts may not be able to see other events of significance because their records are hidden among all of the other log entries. Accordingly, administrators may need to reconfigure logging for the short term, long term, or permanently, depending on the source of the log data, to prevent it from overwhelming the system and the logs. Administrators may also need to adjust logging to capture more data as part of a response effort, such as collecting additional information on a particular type of activity. To identify similar incidents, especially in the short term, administrators may need to perform additional log monitoring and analysis, such as more closely examining the types of logging sources that recorded pertinent information on the initial incident.
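The analysis steps of section 9.5 (reading the "#Fields:" header, then the c-ip, cs-method, cs-uri-stem, sc-status and cs(User-Agent) columns) and the automated filtering of section 9.6, as an added Python example that is not part of the handbook: it parses constructed IIS W3C Extended log lines and sorts them into benign, crawler, review and alert buckets so that only a manageable number of entries reaches manual analysis. The sample log, the classification rules and the probe threshold are assumptions for illustration.

```python
"""Parse IIS W3C Extended log lines via their '#Fields:' header and apply automated
filtering. Added example; the log below is constructed and the rules are assumptions."""
from collections import Counter

# Constructed sample in W3C Extended format; field names are the ones section 9.5 walks through.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2001-01-10 00:00:00
#Fields: date time s-sitename s-computername c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-01-10 08:00:01 W3SVC1 WEB01 192.0.2.10 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2001-01-10 08:00:02 W3SVC1 WEB01 192.0.2.10 GET /images/logo.gif - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2001-01-10 08:00:05 W3SVC1 WEB01 198.51.100.7 GET /robots.txt - 200 Googlebot/2.1
2001-01-10 08:01:10 W3SVC1 WEB01 203.0.113.9 GET /admin/ - 404 Mozilla/4.0+(compatible;+MSIE+6.0)
2001-01-10 08:01:11 W3SVC1 WEB01 203.0.113.9 GET /old/ - 404 Mozilla/4.0+(compatible;+MSIE+6.0)
2001-01-10 08:01:12 W3SVC1 WEB01 203.0.113.9 GET /test/ - 404 Mozilla/4.0+(compatible;+MSIE+6.0)
2001-01-10 08:01:13 W3SVC1 WEB01 203.0.113.9 POST /login.asp - 500 Mozilla/4.0+(compatible;+MSIE+6.0)
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names on the most recent '#Fields:' line.

    Other '#' directives (#Software, #Version, #Date) carry no request data and are skipped.
    IIS writes fields space-separated and replaces spaces inside a value with '+', so a
    plain split is safe; the User-Agent values above are written that way.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line seen before any #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        entry = dict(zip(fields, values))
        entry["sc-status"] = int(entry["sc-status"])
        yield entry


# Constructed rules (assumption): they stand in for the baseline of "typical" entries that
# section 9.6 says administrators build up through regular review.
KNOWN_CRAWLERS = ("Googlebot",)


def classify(entry):
    """Return 'benign', 'crawler', 'review' or 'alert' for one parsed request."""
    status = entry["sc-status"]
    if status >= 500:
        return "alert"      # server could not respond correctly: always shown to a person
    if status >= 400:
        return "review"     # client errors are noise singly but interesting in bulk
    if entry["cs(User-Agent)"].startswith(KNOWN_CRAWLERS):
        return "crawler"    # the cs(User-Agent) check from 9.5: a known search engine
    return "benign"         # successful ordinary request: part of the baseline


def analyse(text, probe_threshold=3):
    """Run the filter over a whole log and summarise what needs human attention.

    probe_threshold (assumption): a client with at least this many 4xx responses in the
    file is reported as repeatedly asking for resources that do not exist.
    """
    counts = Counter()
    client_errors = Counter()
    alerts = []
    for e in parse_w3c(text):
        verdict = classify(e)
        counts[verdict] += 1
        if verdict == "review":
            client_errors[e["c-ip"]] += 1
        elif verdict == "alert":
            alerts.append((f'{e["date"]} {e["time"]}', e["c-ip"], e["cs-method"],
                           e["cs-uri-stem"], e["sc-status"]))
    probing = sorted(ip for ip, n in client_errors.items() if n >= probe_threshold)
    return {"counts": dict(counts), "alerts": alerts, "probing_ips": probing}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("entries per bucket:", result["counts"])
    for when, ip, method, uri, status in result["alerts"]:
        print(f"ALERT  {when}  {ip}  {method} {uri} -> {status}")
    for ip in result["probing_ips"]:
        print(f"REVIEW {ip} repeatedly requested resources that do not exist")
```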

UNIT X
Data Backup

This Unit covers:

• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
10.1. Data Backup
10.2. Types of Backup
10.3. Backup Procedures
10.4. Types of Storage
10.5. Features of a Good Backup Strategy

LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
PC5. carry out backups of security devices and applications in line with information security policies, procedures and guidelines, where required

Ensuring Measures: Project charter, Architecture (charts), Project plan, Poster presentation and execution plan. Going through the security standards over the Internet by visiting sites like ISO, PCI DSS etc., and understanding the various methodologies and usage of algorithms.

Duration (Hrs): 4 hrs

Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Networking Equipment - Routers & Switches
• Firewalls and Access Points
• Backup devices and storage media

Performance Outcomes:
You must know and understand:
KA12. your organization’s information security systems and tools and how to access and maintain these
KB2. different types of backups for security devices and applications and how to carry out backups

Ensuring Measures:
KA12. Project charter, Architecture (charts), Project plan, Poster presentation and execution plan.
KB2. Going through the security standards over the Internet by visiting sites like ISO, PCI DSS etc., and understanding the various methodologies and usage of algorithms.

Duration (Hrs): 4 hrs

Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Networking Equipment - Routers & Switches
• Firewalls and Access Points
• Backup devices and storage media

Suggested Learning Activities


Activity 1:

The students should backup data available in the institute and evaluate the backup
requirements for the institute. If there isn’t a policy for backup then the same should be
developed by the students and all necessary steps for successful implementation should
be carried out by students.

Activity 2:

The students should be divided into groups and asked to prepare a report on the difference
between backup of individual data and backup of security devices and applications. The report
should focus on requirements, challenges, products and means available, advantages and
disadvantages, media used, and other differences.

Activity 3:

The students should research various products and services for backup available in the
industry and compare the benefits, features and limitations of each. The comparison
should be presented in class.

Training Resource Material

10.1 Data Backup - Overview

Backup is the activity of copying files or databases so that they will be preserved in case of equipment failure or other catastrophe. Backup is usually a routine part of the operation of large businesses with mainframes as well as the administrators of smaller business computers. For personal computer users, backup is also necessary but often neglected. The retrieval of files you backed up is called restoring them.

Purpose

All electronic information considered of institutional value should be copied onto secure storage media on a regular basis (i.e., backed up), for disaster recovery and business resumption. Special backup needs, identified through technical risk analysis, that exceed these requirements should be accommodated on an individual basis.

Scope

Data custodians are responsible for providing adequate backups to ensure the recovery of data and systems in the event of failure. Backup provisions allow business processes to be resumed in a reasonable amount of time with minimal loss of data. Since hardware and software failures can take many forms, and may occur over time, multiple generations of institutional data backups need to be maintained.

10.2 Types of Backup

Full backup

A full backup is a method of backup where all the files and folders selected for the backup will be backed up. It is commonly used as an initial or first backup followed with subsequent incremental or differential backups. After several incremental or differential backups, it is common to start over with a fresh full backup again.

Some also like to do full backups for all backup runs, typically for smaller folders or projects that do not occupy too much storage space.

Advantages
• Restores are fast and easy to manage as the entire list of files and folders is in one backup set.
• Easy to maintain and restore different versions.

Disadvantages
• Backups can take very long as each file is backed up again every time the full backup is run.
• Consumes the most storage space compared to incremental and differential backups. The exact same files are stored repeatedly, resulting in inefficient use of storage.

Incremental backup

An incremental backup is a backup of all changes made since the last backup. The last backup can be a full backup or simply the last incremental backup. With incremental backups, one full backup is done first and subsequent backup runs are just the changed files and new files added since the last backup.

Advantages
• Much faster backups.
• Efficient use of storage space as files are not duplicated. Much less storage space used compared to running full backups and even differential backups.

Disadvantages
• Restores are slower than with a full backup and differential backups.
• Restores are a little more complicated. All backup sets (first full backup and all incremental backups) are needed to perform a restore.

Differential backups

Differential backups fall in the middle between full backups and incremental backups. A differential backup is a backup of all changes made since the last full backup. With differential backups, one full backup is done first and subsequent backup runs are the changes made since the last full backup. The result is a much faster backup than a full backup for each backup run. Storage space used is less than a full backup but more than incremental backups. Restores are slower than with a full backup but usually faster than incremental backups.

Advantages
• Much faster backups than full backups.
• More efficient use of storage space than full backups since only files changed since the last full backup will be copied on each differential backup run.
• Faster restores than incremental backups.

Disadvantages
• Backups are slower than incremental backups.
• Not as efficient use of storage space as compared to incremental backups. All files added or edited after the initial full backup will be duplicated again with each subsequent differential backup.
• Restores are slower than with full backups.
• Restores are a little more complicated than full backups but simpler than incremental backups. Only the full backup set and the last differential backup are needed to perform a restore.

Mirror backups

Mirror backups are, as the name suggests, a mirror of the source being backed up. With mirror backups, when a file in the source is deleted, that file is eventually also deleted in the mirror backup. Because of this, mirror backups should be used with caution as a file that is deleted by accident, sabotage or through a virus may also cause that same file in the mirror to be deleted as well. Some do not consider a mirror to be a backup.

Many online backup services offer a mirror backup with a 30-day delete. This means that when you delete a file on your source, that file is kept on the storage server for at least 30 days before it is eventually deleted. This helps strike a balance, offering a level of safety while not allowing the backups to keep growing, since online storage can be relatively expensive.

Many backup software utilities do provide support for mirror backups.

Advantages
• The backup is clean and does not contain old and obsolete files.

Disadvantages
• There is a chance that files in the source deleted accidentally, by sabotage or through a virus may also be deleted from the backup mirror.

Full PC backup

Full PC backup or full computer backup typically involves backing up entire images of the computer’s hard drives rather than individual files and folders. The drive image is like a snapshot of the drive. It may be stored compressed or uncompressed.

With other file backups, only the user’s documents, pictures, videos and music files can be restored while the operating system, programs etc. need to be reinstalled from their source download or disc media.

With the full PC backup however, you can restore the hard drives to their exact state when the backup was done. Hence, not only can the documents, pictures, videos and audio files be restored but also the operating system, hardware drivers, system files, registry, programs, emails etc. In other words, a full PC backup can restore a crashed computer to its exact state at the time the backup was made. Full PC backups are sometimes called “Drive Image Backups”.

Advantages
• A crashed computer can be restored in minutes with all programs, databases, emails etc. intact. No need to install the operating system and programs, perform settings etc. Ideal backup solution for a hard drive failure.

Disadvantages
• May not be able to restore on a completely new computer with a different motherboard, CPU, display adapters, sound card etc.
• Any problems that were present on the computer (like viruses, or mis-configured drivers, unused programs etc.) at the time of the backup may still be present after a full restore.

Local backup

A local backup is any backup where the storage medium is kept close at hand. Typically, the storage medium is plugged in directly to the source computer being backed up or is connected through a local area network to the source being backed up.

Advantages
• Offers good protection from hard drive failures, virus attacks, accidental deletes and deliberate employee sabotage on the source data.
• Very fast backup and very fast restore.
• Storage cost can be very cheap when the right storage medium is used, like external hard drives.
• Data transfer cost to the storage medium can be negligible or very cheap.
• Since the backups are stored close by, they are very conveniently obtained whenever needed for backups and restore.
• Full internal control over the backup storage media and the security of the data on it. There is no need to entrust the storage media to third parties.

Disadvantages
• Since the backup is stored close by to the source, it does not offer good protection against theft, fire, flood, earthquakes and other natural disasters. When the source is damaged by any of these circumstances, there’s a good chance the backup will be also damaged.

Offsite Backup

Any backup where the backup storage medium is kept at a different geographic location from the source is known as an offsite backup. The backup may be done locally at first on the usual storage devices but once the storage medium is brought to another location, it becomes an offsite backup.

Advantages
• Offers additional protection when compared to local backup such as protection from theft, fire, flood, earthquakes, hurricanes and more.

Disadvantages
• Except for online backups, it requires more due diligence to bring the storage media to the offsite location.
• May cost more as people usually need to rotate between several storage devices. For example, when keeping in a bank deposit box, people usually use 2 or 3 hard drives and rotate between them. So at least one drive will be in storage at any time while the other is removed to perform the backup.
• Because of increased handling of the storage devices, the risk of damaging a delicate hard disk is higher. (Does not apply to online storage.)

Online backup

An online backup is a backup done on an ongoing basis to a storage medium that is always connected to the source being backed up. The term “online” refers to the storage device or facility being always connected. Typically, the storage medium or facility is located offsite and connected to the backup source by a network or Internet connection. It does not involve human intervention to plug in drives and storage media for backups to run.

Many commercial data centers now offer this as a subscription service to consumers. The storage data centers are located away from the source being backed up and the data is sent from the source to the storage center securely over the Internet.

Typically, a client application is installed on the source computer being backed up. Users can define what folders and files they want to back up and at what times of the day they want the backups to run. The data may be compressed and encrypted before being sent over the Internet to the storage data center.

The storage facility is a commercial data center located away from the source computers being backed up. Typically, they are built to certain fire and earthquake safety specifications. They have higher security standards with CCTV and round the clock monitoring. They typically have backup generators to deal with grid power outages and the facility is temperature controlled. Data is not just stored on one physical medium but replicated across several devices. These facilities are usually serviced by multiple redundant Internet connections so there is no single point of failure to bring the service down.

Advantages
• Offers the best protection against fires, theft and natural disasters.
• Because data is replicated across several storage media, the risk of data loss from hardware failure is very low.
• Because backups are frequent or continuous, data loss is very minimal compared to other backups that are run less frequently.
• Because it is online, it requires little human or manual interaction after it is set up.

Disadvantages
• Is a more expensive option than local backups.
• Initial or first backups can be a slow process spanning a few days or weeks depending on Internet connection speed and the amount of data backed up.
• Can be slow to restore.

Remote backups

Remote backups are a form of offsite backup with a difference being that you can access, restore or administer the backups while located at your source location or other physical location. The term “remote” refers to the ability to control or administer the backups from another location.

You do not need to be physically present at the backup storage facility to access the backups.

Putting your backup hard drive in your bank safe deposit box would not be considered a remote backup. You cannot administer or access it without making a trip to the bank. The term “remote backup” is often used loosely and interchangeably with “online backup” and “cloud backup”.

Advantages
• Much better protection from natural disasters than local backups.
• Easier administration as it does not need a physical trip to the offsite backup location.

Disadvantages
• More expensive than local backups.
• Can take longer to backup and restore than local backups.

Cloud backup

Cloud backup is a term often used loosely and interchangeably with online backup and remote backup. This is a type of backup where data is backed up to a storage server or facility connected to the source via the Internet. With the proper login credentials, that backup can then be accessed securely from any other computer with an Internet connection. The term “cloud” refers to the backup storage facility being accessible from the Internet.

Advantages
• Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural disasters.
• Able to easily connect and access the backup with just an Internet connection.
• Data is replicated across several storage devices and usually serviced by multiple Internet connections so the system is not at the mercy of a single point of failure.
• When the service is provided by a good commercial data center, service is managed and protection is unparalleled.

Disadvantages
• More expensive than local backups.
• Can take longer to backup and restore.

FTP Backup

This is a kind of backup where the backup is done via the File Transfer Protocol (FTP) over the Internet to an FTP server. Typically, the FTP server is located in a commercial data center away from the source data being backed up. When the FTP server is located at a different location, this is another form of offsite backup.

Advantages
• Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural disasters.
• Able to easily connect and access the backup with just an Internet connection.

Disadvantages
• More expensive than local backups.
• Can take longer to backup and restore.
• Backup and restore times are dependent on the Internet connection.
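The file-level backup types of section 10.2 (full, incremental, differential and mirror), as an added Python example that is not part of the handbook: it selects the files each backup run would copy from a constructed in-memory file set, works out which backup sets a restore must read (all incrementals since the full, or only the last differential), and applies the 30-day delete grace period described for mirror backups. File names, timestamps (whole day numbers) and the grace period are assumptions.

```python
"""Full, incremental, differential and mirror backup selection, with the restore chain
each type needs. Added example (not from the handbook); file set and times are constructed."""
from dataclasses import dataclass


@dataclass
class BackupSet:
    kind: str        # "full", "incremental" or "differential"
    run_time: int    # day number on which the run happened (constructed, whole days)
    files: dict      # path -> (mtime, content) copied by this run


class BackupHistory:
    """The sequence of backup sets produced for one source."""

    def __init__(self):
        self.sets = []

    def _last_full_index(self):
        fulls = [i for i, s in enumerate(self.sets) if s.kind == "full"]
        return fulls[-1] if fulls else None

    def run(self, kind, source, run_time):
        """Copy from source (path -> (mtime, content)) what this backup kind requires and
        return the sorted list of paths copied. The first run is always a full backup."""
        full_idx = self._last_full_index()
        if kind == "full" or full_idx is None:
            kind, since = "full", -1                  # everything selected, changed or not
        elif kind == "incremental":
            since = self.sets[-1].run_time            # changed since the last backup of any kind
        elif kind == "differential":
            since = self.sets[full_idx].run_time      # changed since the last full backup
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
        selected = {p: v for p, v in source.items() if v[0] > since}
        self.sets.append(BackupSet(kind, run_time, selected))
        return sorted(selected)

    def restore_chain(self):
        """Backup sets a restore must read, oldest first: the last full plus every incremental
        after it, or the last full plus only the most recent differential."""
        full_idx = self._last_full_index()
        chain = []
        for s in reversed(self.sets[full_idx + 1:]):
            chain.append(s)
            if s.kind == "differential":
                break                                 # it already holds every change since the full
        chain.append(self.sets[full_idx])
        return list(reversed(chain))

    def restore(self):
        """Rebuild the source by applying the chain in order; newer copies overwrite older ones."""
        result = {}
        for s in self.restore_chain():
            result.update(s.files)
        return result


def mirror_sync(mirror, source, today, grace_days=30):
    """Mirror backup with a delete grace period: the mirror always holds the current source
    files, and a file that disappeared from the source is kept for grace_days (the
    '30 days delete' some online services offer) before it is removed from the mirror."""
    for path, value in source.items():
        mirror[path] = {"data": value, "deleted_at": None}
    for path, entry in list(mirror.items()):
        if path in source:
            continue
        if entry["deleted_at"] is None:
            entry["deleted_at"] = today               # first run that noticed the deletion
        elif today - entry["deleted_at"] >= grace_days:
            del mirror[path]                          # grace period over: deletion propagates
    return mirror


if __name__ == "__main__":
    source = {"notes.txt": (1, "v1"), "ledger.csv": (1, "v1")}
    h = BackupHistory()
    print("day 1 (incremental requested, first run -> full):", h.run("incremental", source, 1))
    source["notes.txt"] = (2, "v2")
    print("day 2 incremental:", h.run("incremental", source, 2))
    source["ledger.csv"] = (3, "v2")
    print("day 3 incremental:", h.run("incremental", source, 3))
    print("restore needs:", [s.kind for s in h.restore_chain()])
```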

10.3 Backup Procedures

The 3-2-1 Rule

The simplest way to remember how to back up your images safely is to use the 3-2-1 rule.
• We recommend keeping 3 copies of any important file (a primary and two backups).
• We recommend having the files on 2 different media types (such as hard drive and optical media), to protect against different types of hazards.*
• 1 copy should be stored offsite (or at least offline).

The data backup procedures must include
• frequency,
• data backup retention,
• testing,
• media replacement,
• recovery time,
• roles and responsibilities.

Local data backup procedures must include the following:
• Data Backup Retention - Retention of backup data must meet System and institution requirements for critical data.
• Testing - Restoration of backup data must be performed and validated on all types of media in use periodically.
• Media Replacement - Backup media should be replaced according to manufacturer recommendations.
• Recovery Time - The recovery time objective (RTO) must be defined and support business requirements.
• Roles and Responsibilities - Appropriate roles and responsibilities must be defined for data backup and restoration to ensure timeliness and accountability.
• Offsite Storage - Removable backup media taken offsite must be stored in an offsite location that is insured and bonded or in a locked media rated, fire safe.
• Onsite Storage - Removable backup media kept onsite must be stored in a locked container with restricted physical access.
• Media Destruction - How to dispose of data storage media in various situations.
• Encryption - Non-public data stored on removable backup media must be encrypted. Non-public data must be encrypted in transit and at rest when sent to an offsite backup facility, either physically or via electronic transmission.
• Third Parties - Third parties' backup handling & storage procedures must meet System or institution policy or procedure requirements related to data protection, security and privacy. These procedures must cover contract terms that include bonding, insurance, disaster recovery planning and requirements for storage facilities with appropriate environmental controls.

Definitions

Archive: An archive is a collection of historical data specifically selected for long-term retention and future reference. It is usually data that is no longer actively used, and is often stored on removable media.

Backup: A copy of data that may be used to restore the original in the event the latter is lost or damaged beyond repair. It is a safeguard for data that is being used. Backups are not intended to provide a means to archive data for future reference or to maintain a versioned history of data to meet specific retention requirements.

Critical Data: Data that needs to be preserved in support of the institution's ability to recover from a disaster or to ensure business continuity.

Data: Information collected, stored, transferred or reported for any purpose, whether in computers or in manual files. Data can include: financial transactions, lists, identifying information about people, projects or processes, and information in the form of reports. Because data has value, and because it has various sensitivity classifications defined by federal law and state statute, it must be protected.

Destruction: Destruction of media includes: disintegration, incineration, pulverizing, shredding, and melting. Information cannot be restored in any form following destruction.

Media Rated, Fire Safe: A safe designed to maintain internal temperature and humidity levels low enough to prevent damage to CDs, tapes, and other computer storage devices in a fire. Safes are rated based on the length of time the contents of a safe are preserved while directly exposed to fire and high temperatures.

Information Technology Resources: Facilities, technologies, and information resources used for System information processing, transfer, storage, and communications. Included in this definition are computer labs, classroom technologies, computing and electronic communications devices and services, such as modems, e-mail, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, and instructional materials. This definition is not all-inclusive, but rather, reflects examples of System equipment, supplies and services.

Recovery Point Objective (RPO): Acceptable amount of service or data loss measured in time. The RPO is the point in time prior to service or data loss that service or data will be recovered to.

Recovery Time Objective (RTO): Acceptable duration from the time of service or data loss to the time of restoration.

Automated Backup

If the data backup plan defines a daily interval, making manual backups becomes quite time consuming, and one may discover now and then that they have skipped making backups because they had something else more important to do at the same time. It is better to foresee the risk of not making backups and try to automate the whole backup process as much as possible.
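The Testing, Data Backup Retention and Automated Backup requirements of section 10.3, as an added Python example that is not part of the handbook: each automated daily run copies the source into a dated backup set with a SHA-256 manifest, restoration is validated by restoring to a scratch location and re-hashing every member, and sets older than the retention period are pruned. The directory layout, the 7-day retention and the sample files are assumptions; everything runs inside a temporary directory the script creates and removes.

```python
"""Automated backup run with a SHA-256 manifest, restore validation and retention pruning.
Added example (not from the handbook); layout, retention period and sample files are
assumptions, and everything happens inside a temporary directory the script creates."""
import hashlib
import json
import shutil
import tempfile
from datetime import date, timedelta
from pathlib import Path


def sha256_of(path):
    """Digest a file in chunks so large backup members do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_backup(source, backup_root, run_date):
    """Copy every file under source into backup_root/<YYYY-MM-DD>/data and write a
    manifest.json mapping each relative path to the SHA-256 of the stored copy."""
    dest = backup_root / run_date.isoformat()
    data = dest / "data"
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = data / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)             # copy2 keeps the timestamps with the data
        manifest[rel] = sha256_of(target)      # hash the copy, i.e. what is on the backup medium
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return dest


def verify_restore(backup_dir, restore_to):
    """The 'Testing' requirement: restore the set to a scratch location, re-hash every member
    and return the relative paths whose digest no longer matches (empty list == validated)."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    shutil.copytree(backup_dir / "data", restore_to)
    failed = []
    for rel, digest in manifest.items():
        restored = restore_to / rel
        if not restored.is_file() or sha256_of(restored) != digest:
            failed.append(rel)
    return failed


def prune(backup_root, today, keep_days):
    """The 'Data Backup Retention' requirement: delete sets older than keep_days and return
    the names of the sets removed, oldest first."""
    removed = []
    for entry in sorted(backup_root.iterdir()):
        if entry.is_dir() and (today - date.fromisoformat(entry.name)).days > keep_days:
            shutil.rmtree(entry)
            removed.append(entry.name)
    return removed


def simulate(days=10, keep_days=7):
    """Run the daily job for `days` days, then validate the newest set twice: once as stored
    and once after a stored copy has been tampered with, to show that validation catches it."""
    work = Path(tempfile.mkdtemp())
    try:
        source, root = work / "source", work / "backups"
        (source / "db").mkdir(parents=True)
        root.mkdir()
        (source / "db" / "accounts.csv").write_text("id,balance\n1,100\n")   # constructed data
        start = date(2015, 1, 1)
        for i in range(days):
            today = start + timedelta(days=i)
            (source / "policy.txt").write_text(f"backup policy revision {i + 1}\n")  # daily change
            run_backup(source, root, today)
            prune(root, today, keep_days)
        remaining = sorted(p.name for p in root.iterdir())
        latest = root / remaining[-1]
        clean = verify_restore(latest, work / "restore_clean")
        (latest / "data" / "db" / "accounts.csv").write_text("id,balance\n1,999\n")  # damage a copy
        damaged = verify_restore(latest, work / "restore_damaged")
        return remaining, clean, damaged
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    kept, clean, damaged = simulate()
    print("sets retained:", kept)
    print("restore validation, as stored:", clean or "OK")
    print("restore validation, after tampering:", damaged)
```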

10.4 Types of storage

Local Storage Options

1. External Hard Drive

These are hard drives similar to the type that is installed within a desktop computer or laptop computer. The difference is that they can be plugged in to the computer or removed and kept separate from the main computer.

Advantages:
 Very good option for local backups of large amounts of data.
 The cheapest storage option in terms of cost per GB. Very reliable when handled with care.

Disadvantages:
 Can be very delicate. May be damaged if dropped or through electrical surge.

2. Solid State Drive (SSD)

Solid State Drives look and function similar to traditional mechanical/magnetic hard drives but the similarities stop there. Internally, they are completely different. They have no moving parts or rotating platters. They rely solely on semiconductors and electronics for data storage, making them more reliable and robust than traditional magnetic drives. No moving parts also means that they use less power than traditional hard drives and are much faster too.

With the prices of Solid State Drives coming down and their lower power usage, SSDs are used extensively on laptops and mobile devices. External SSDs are also a viable option for data backups.

Advantages:
 Faster read and write performance
 More robust and reliable than traditional magnetic hard drives
 Highly portable. Can be easily taken offsite

Disadvantages:
 Still relatively expensive when compared to traditional hard drives
 Storage space is typically less than that of traditional magnetic hard drives.

3. Network Attached Storage (NAS)

NAS are simply one or more regular IDE or SATA hard drives plugged in an array storage enclosure and connected to a network Router or Hub through an Ethernet port. Some of these NAS enclosures have ventilating fans to protect the hard drives from overheating.

Advantages:
 Very good option for local backups especially for networks and small businesses.
 As several hard drives can be plugged in, NAS can hold very large amounts of data
 Can be set up with Redundancy (RAID) increasing the reliability and/or read and write performance. Depending on the type of RAID level used, the NAS can still function even if one hard drive in the RAID set fails. Or two hard drives can be set up to double the read and write speed of a single hard drive.
 The drive is always connected and available to the network making the NAS a good option for implementing automated scheduled backups.

Disadvantages:
 Significantly more expensive than using single External Hard Drives
 Difficult to bring offsite making it very much a local backup hence still susceptible to some events like theft and floods, fire etc.

4. USB Thumb Drive or Flash Drive

These are similar to Solid State Drives except that they are much smaller in size and capacity. They have no moving parts making them quite robust. They are extremely portable and can fit on a keychain. They are ideal for backing up a small amount of data that needs to be brought with you on the go.

Advantages:
 The most portable storage option. Can fit on a keychain making it an offsite backup when you bring it with you.
 Much more robust than traditional magnetic hard drives

Disadvantages:
 Relatively expensive per GB so can only be used for backing up a small amount of data

5. Optical Drive (CD/DVD)

CDs and DVDs are ideal for storing a list of songs, movies, media or software for distribution or for giving to a friend due to the very low cost per disk. They do not make good storage options for backups due to their shorter lifespan, small storage space and slower read and write speeds.

Advantages:
 Low cost per disk

Disadvantages:
 Relatively shorter life span than other storage options
 Not as reliable as other storage options like external hard disk and SSD. One damaged disk in a backup set can make the whole backup unusable.

Remote Storage Options

1. Cloud Storage

Cloud storage is storage space on a commercial data center accessible from any computer with Internet access. It is usually provided by a service provider. A limited storage space may be provided free with more space available for a subscription fee. Examples of service providers are Amazon S3, Google Drive, Sky Drive etc.

Advantages:
 A very good offsite backup. Not affected by events and disasters such as theft, floods, fire etc

Disadvantages:
 More expensive than traditional external hard drives. Often requires an ongoing subscription.
 Requires an Internet connection to access the cloud storage.
 Much slower than other local backups


10.5 Features of a Good Backup Strategy

The following are features to aim for when designing your backup strategy:

 Able to recover from data loss in all circumstances like hard drive failure, virus attacks, theft, accidental deletes or data entry errors, sabotage, fire, flood, earthquakes and other natural disasters.
 Able to recover to an earlier state if necessary, for example due to data entry errors or accidental deletes.
 Able to recover as quickly as possible with minimum effort, cost and data loss.
 Require minimum ongoing human interaction and maintenance after the initial setup; hence able to run automated or semi-automated.

Planning Your Backup Strategy

1. What to Backup

The first step in planning your backup strategy is identifying what needs to be backed up. Identify the files and folders that you cannot afford to lose. It involves going through your documents, databases, pictures, videos, music and program setup or installation files. Some of these media like pictures and videos may be irreplaceable. Others like documents and databases may be tedious or costly to recover from hard copies. These are the files and folders that need to be in your backup plan.

2. Where to Backup to

This is another fundamental consideration in your backup plan. In light of some content being irreplaceable, the backup strategy should protect against all events. Hence a good backup strategy should employ a combination of local and offsite backups.

Local backups are needed due to their lower cost allowing you to back up a huge amount of data. Local backups are also useful for their very fast restore speed allowing you to get back online in minimal time. Offsite backups are needed for their wider scope of protection from major disasters or catastrophes not covered by local backups.

3. When to Backup

Frequency: How often you back up your data is the next major consideration when planning your backup policy. Some folders are fairly static and do not need to be backed up very often. Other folders are frequently updated and should correspondingly have a higher backup frequency like once a day or more.

Your decision regarding backup frequency should be based on a worst case scenario. For example, if tragedy struck just before the next backup was scheduled to run, how much data would you lose since the last backup? How long would it take and how much would it cost to re-key that lost data?

Backup Start Time: You would typically want to run your backups when there’s minimal usage on the computers. Backups may consume some computer resources that may affect performance. Also, files that are open or in use may not get backed up.

Scheduling backups to run after business hours is a good practice providing the computer is left on overnight. Backups will not normally run when the computer is in “sleep” or “hibernate” mode. Some backup software will run immediately upon boot up if it missed a scheduled backup the previous night.

So if the first hour on a business day morning is your busiest time, you would not want your computer doing its backups then. If you always shut down or put your computer in sleep or hibernate mode at the end of a work day, maybe your lunch time would be a better time to schedule a backup. Just leave the computer on but logged-off when you go out for lunch.

Since servers are usually left running 24 hours, overnight backups for servers are a good choice.

4. Backup Types

Many backup software packages offer several backup types like Full Backup, Incremental Backup and Differential Backup. Each backup type has its own advantages and disadvantages. Full backups are useful for projects, databases or small websites where many different files (text, pictures, videos etc.) are needed to make up the entire project and you may want to keep different versions of the project.

5. Compression & Encryption

As part of your backup plan, you also need to decide if you want to apply any compression to your backups. For example, when backing up to an online service, you may want to apply compression to save on storage cost and upload bandwidth. You may also want to apply compression when backing up to storage devices with limited space like USB thumb drives.

If you are backing up very private or sensitive data to an offsite service, some backup tools and services also offer support for encryption. Encryption is a good way to protect your content should it fall into malicious hands. When applying encryption, always ensure that you remember your encryption key. You will not be able to restore it without your encryption key or phrase.

6. Testing Your Backup

A backup is only worth doing if it can be restored when you need it most. It is advisable to periodically test your backup by attempting to restore it. Some backup utilities offer a validation option for your backups. While this is a welcome feature, it is still a good idea to test your backup with an actual restore once in a while.

7. Backup Utilities & Services

Simply copying and pasting files and folders to another drive would be considered a backup. However, the aim of a good backup plan is to set it up once and leave it to run on its own. You would check up on it occasionally but the backup strategy should not depend on your ongoing interaction for it to continue backing up. A good backup plan would incorporate the use of good quality, proven backup software utilities and backup services.


For further reading on security logs, see the following web links:


https://www.owasp.org/index.php/Logging_Cheat_Sheet

https://www.sans.org/reading-room/whitepapers/logging/detecting-attacks-web-
applications-log-files-2074

http://blog.hicube.in/2012/11/07/understanding-log-files-linux-server/

230
Trainer’s Handbook – Security Analyst SSC/N0902

SSC/ N 0902:
Coordinate responses to information security
Incidents

UNIT I: Incident Response Overview
UNIT II: Incident Response – Roles and Responsibilities
UNIT III: Incident Response Process
UNIT IV: Handling Malicious Code Incidents
UNIT V: Handling Network Security Incidents


Unit Code: SSC/N0902

Unit Title (Task): Co-ordinate responses to information security incidents

Description: This unit is about playing a co-ordinating role in responding to information security incidents, liaising with members of the security team who carry out investigations and other stakeholders or business users.

Scope: This unit/task covers the following:

Information security incidents may cover:
 Identity and Access Management (IDAM)
 Physical security
 Networks (wired and wireless)
 Devices
 Endpoints/edge devices
 Storage devices
 Servers
 Software
 Applications security
 Content management
 Messaging
 Web security
 Security of infrastructure
 Infrastructure devices (e.g. routers, firewall services)
 Computer assets, servers and storage networks
 Messaging
 Intrusion detection/prevention
 Security incident management
 Third party security management
 Personnel security requirements

Information security incidents may be reported:
 Automatically by tools and systems
 Manually by employees or business users

Appropriate people:
 Line manager
 Members of the security team
 Incident management group
 Subject matter experts
Performance Criteria (PC) w.r.t. the Scope

To be competent, you must be able to:

PC1. establish your role and responsibilities in co-ordinating responses to information security incidents.
PC2. record, classify and prioritize information security incidents
using standard templates and tools.
PC3. access your organization’s knowledge base for information on
previous information security incidents and how these were
managed.
PC4. assign information security incidents promptly to appropriate
people for investigation/ action.
PC5. liaise with stakeholders to gather, validate and provide
information related to information security incidents, where
required.
PC6. track progress of investigations into information security
incidents and escalate to appropriate people where progress
does not comply with standards or service level agreements
(SLAs).
PC7. prepare accurate preliminary reports on information security
incidents using standard templates and tools.
PC8. submit preliminary reports promptly to appropriate people for
action
PC9. update the status of information security incidents following
investigation/ action using standard templates and tools.
PC10. obtain advice and guidance on co-ordinating information
security incidents from appropriate people, where required.
PC11. update your organization’s knowledge base promptly and
accurately with information security incidents and how they
were managed.
PC12. comply with your organization’s policies, standards, procedures,
guidelines and service level agreements (SLAs) when co-
ordinating responses to information security incidents.
Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company/organization and its processes)

You need to know and understand:

KA1. your organization’s policies, procedures, standards, guidelines and service level agreements for responding to information security incidents.
KA2. the day-to-day operations, procedures and tasks relating to your area of work.
KA3. your organization’s knowledge base and how to access and
update the same.
KA4. limits of your role and responsibilities and who to seek guidance
from, where required.
KA5. the purpose of managing information security incidents.
KA6. who to involve when investigating and coordinating responses to
information security incidents and how to contact them.
KA7. the importance of tracking progress and corrective and
preventative actions for information security incidents.
KA8. the importance of keeping records and evidence relating to
information security incidents.
KA9. the impact information security incidents can have on your
organization.
KA10. different types of information security incidents and how to deal
with them.
KA11. how to assign and escalate information on information security
incidents.
KA12. different methods and techniques used when working with
others.
KA13. standard tools and templates available and how to use them.
KA14. your organization’s policies and procedures for sharing
information on security incidents and the importance of
complying with the same.
KA15. how to classify and prioritize information security incidents.
B. Technical Knowledge

You need to know and understand:

KB1. fundamentals of information security and how to apply these, including:
 networks
 communication
 application security
KB2. routine operational procedures and tasks required to co-ordinate
and respond to information security incidents.
KB3. different stages of incident management and your role in relation
to these, including:
 identify


 contain
 cleanse
 recover
 close
KB4. how to identify and resolve information security vulnerabilities
and incidents.
KB5. common issues and incidents of information security that may
require action and who to report these to.
KB6. how to obtain and validate information related to information
security issues.
KB7. how to prepare and submit information security reports and who
to share these with.


THE UNITS
The module for this NOS is divided into five units based on the learning objectives as given below:

UNIT I: Incident Response Overview
1.1 Incident Response Overview
1.2 Handling Different Types of Information Security Incidents
1.3 Preparation for Incident Response and Handling Constraints of a Security Audit

UNIT II: Incident Response Team – Roles and Responsibilities
2.1 Incident Response Team
2.2 Incident Response Team Dependencies

UNIT III: Incident Response Process
3.1 Incident Response Process

UNIT IV: Handling Malicious Code Incidents
4.1. Incident Handling Preparation
4.2. Incident Prevention
4.3. Detection of Malicious Code
4.4. Containment Strategy
4.5. Evidence Gathering and Handling
4.6. Eradication and Recovery

UNIT V: Handling Network Security Incidents
5.1. Network Reconnaissance Incidents
5.2. Denial of Service Attack Incidents
5.3. Unauthorized Access Incidents
5.4. Inappropriate Usage Incidents
5.5. Multiple Component Incidents


UNIT I
Incident Response Overview

This unit covers:
 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
1.1 Incident Response Overview
1.2 Handling Different Types of Information Security Incidents
1.3 Preparation for Incident Response and Handling


Lesson Plan

Columns: Performance Outcomes | Ensuring Measures | Duration (Hrs) | Work Environment / Lab Requirement

Performance Outcomes:
To be competent, you must be able to:
PC2. record, classify and prioritize information security incidents using standard templates and tools
PC3. access your organization’s knowledge base for information on previous information security incidents and how these were managed

Ensuring Measures:
PC2, PC3: QA session and a descriptive write-up on understanding. Group presentation and evaluation by faculty and groups.

Duration (Hrs): 2 hr in-class presentations

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Projection facilities

Performance Outcomes:
You need to know and understand:
KA5. the purpose of managing information security incidents
KA9. the impact information security incidents can have on your organization
KA10. different types of information security incidents and how to deal with these
KA14. your organization’s policies and procedures for sharing information on security incidents and the importance of complying with these
KA15. how to classify and prioritize information security incidents
KB3. different stages of incident management and your role in relation to these, including:
• identify
• contain
• cleanse
• recover
• close

Ensuring Measures:
KA1: QA session and a descriptive write-up on understanding.
KA5: Performance evaluation from faculty and industry with reward points.
KA9: QA session and a descriptive write-up on understanding.
KA10: Classify the latest threats and vulnerabilities into the CIA triad. Classify various threats into the incident categories listed in the unit.
KA15: Group and faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
KA14, KB3: Group and faculty evaluation for highlighting the various parts of an incident response plan and their purpose, and the tasks of incident management, using live researched examples.

Duration (Hrs): 2 hr in-class assessment and 15 hrs offline research and learning activity

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)


Suggested Learning Activities

Activity 1:

Ask the students to research various types of information security incidents on the
internet and populate the various categories of incidents mentioned in the unit with
examples of each. Let them present a few details of these incidents if possible.

Activity 2:

Ask the students to visit various company sites, find out their incident response plans and
list out the various components of these plans.

Activity 3:

Divide the students into groups and ask them to create an incident response plan for the
training institute and modify it as they progress through this module.


Training Resource Material

1.1 Incident Response

An incident is a set of one or more security events or conditions that requires action and
closure in order to maintain an acceptable risk profile.

Incidents

In the haystack of events, organizations must find the "needles" that are the security incidents. Events are isolated and disconnected, but incidents add the context that enables security administrators to gain understanding and take action.

An incident can be defined as a set of events or conditions requiring response and closure. Incidents comprise not only the significant threats that jeopardize business and require intervention. They include more mundane situations that occur on a daily basis, and only threaten the business if no action is taken. Examples of these routine situations include “low and slow” port scans and some varieties of email worms. Most organizations face thousands of instances of the latter types of threats, together with the higher profile blended threats like Code Red, Nimda, and Klez.

Besides attacks, known system vulnerabilities or discovered policy violations are also incidents that require a response in order to protect the business. When related events (e.g. attacks, vulnerabilities, and policy violations) are viewed together, the true nature (or type) of the incident becomes evident.

Incidents can be classified into:
 Malicious code
 Network reconnaissance
 Unauthorized access
 Inappropriate usage
 Multiple component

Introduction to Incident Handling and Response

Computer or information security incident response has become an important component of information technology (IT) security programs. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited and restoring IT services.

Different types of information security incidents are caused by:
 Peripheral devices such as external/removable media
 Attrition (brute force methods that compromise, degrade, or destroy systems, networks or services)
 Website or web based application
 Email message or attachment
 Improper usage of an organization’s acceptable usage policies by an authorized user
 Loss or theft of equipment
 Other factors

These are explained in Unit IV and V.

Impact of information security incidents:

• Functional impact (current and likely future negative impact to business functions)
• Information impact (effect on the confidentiality, integrity, and availability of the organization’s information)
• Recoverability from the incident (time and types of resources that must be spent on recovering from the incident)

Organizations prioritize information security incidents based on the weightages they give to each of the above categories for a particular incident. For example, an organization that deals with massive amounts of personal identifying information (PII) might weight information impact more heavily than recoverability impact, while an emergency response agency might prioritize functional impact to ensure the continued delivery of emergency services.

Need for incident response
 to respond quickly and effectively when security breaches occur.
 to be able to use information gained during incident handling to better prepare for handling future incidents.
 to provide stronger protection for systems and data.
 to help deal properly with legal issues that may arise during incidents.
 to comply with law, regulations, and policy directing a coordinated, effective defense against information.

Goals of incident response
 formal, focused, and coordinated approach to responding to incidents.
 adhere to organization’s mission, size, structure, and functions.
 formulate policy, plan, and procedure creation to counter adverse events.
 to provide stronger protection for systems and data.
 to minimize loss or theft of information and disruption of services.
 to respond quickly and effectively when security breaches occur.

How to identify an incident
 incident analysis hardware and software to identify an incident.
 appropriate incident handling communication means and facilities.
 incident analysis resources to identify an incident.
 incident mitigation software to identify an incident.
 different response strategies to identify incidents through attack vectors, such as external/removable media, attrition, web, email, impersonation, improper usage by organization’s authorized users, loss or theft of equipment and others that are beyond the scope of the above mentioned.


Two main types of signs of an incident are:

• Precursors: a sign that an incident may occur in the future.
• Indicator: a sign that an incident may have occurred or may be occurring now.

Signs of security incident

Some of the common signs of security incident are:
 web server log entries that show the usage of a vulnerability scanner.
 announcement of a new exploit that targets a vulnerability of the organization’s mail server.
 threat from a group stating that it will attack the organization.
 network intrusion detection sensor alerts when a buffer overflow attempt occurs against a database server.
 antivirus software alerts when it detects that a host is infected with malware.
 system administrator sees a file name with unusual characters.
 host records an auditing configuration change in its log.
 application logs multiple failed login attempts from an unfamiliar remote system.
 email administrator sees a large number of bounced emails with suspicious content.
 network administrator notices an unusual deviation from typical network traffic flows.

Incident Information

One can get information about incidents from various sources:
 Alerts: reviewing alerts based on supporting data from sources such as Intrusion Detection and Prevention Systems (IDPS); Security Information and Event Management (SIEM) alerts; antivirus and anti-spam software; file integrity checking software; third-party monitoring services etc.
 Logs: analyzing logs from sources such as operating system, service and application logs and network device logs in correlation with event information.
 Network flow: using routers and other networking devices to provide information and locate anomalous network activity caused by malware, data exfiltration and other malicious acts.
 Publicly Available Information: updating and integrating new vulnerabilities and exploits published by authorized agencies such as the National Vulnerability Database (NVD).
 People: validating reports registered by users, system administrators, network administrators, security staff, other people within the organization and reports originating from external sources or parties.
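Two of the signs listed above, web server log entries from a vulnerability scanner and repeated failed logins from an unfamiliar remote system, can be picked out of ordinary logs with a few lines of code. The Python below is an added example (not from the handbook) that runs such checks over constructed auth.log and web access log lines; the IP addresses come from the RFC 5737 documentation ranges, the User-Agent markers are illustrative, and the thresholds and the known-hosts list are assumptions to be tuned for a real environment.

```python
import re
from collections import Counter, defaultdict

# Linux auth.log style line for a rejected SSH login (constructed samples below)
AUTH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")

# Apache/nginx "combined" access log line
WEB_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Illustrative substrings that scanning tools commonly place in User-Agent
# headers; a real deployment maintains and tunes this list.
SCANNER_UA_MARKERS = ("nikto", "sqlmap", "nmap")


def failed_login_indicators(lines, known_hosts, threshold=5):
    """Sources not in `known_hosts` whose failed SSH logins reach `threshold`.
    Returns {source_ip: failure_count}."""
    failures = Counter()
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            failures[m.group("ip")] += 1
    return {ip: n for ip, n in failures.items()
            if ip not in known_hosts and n >= threshold}


def scanner_indicators(lines, not_found_threshold=10):
    """Sources that present a scanner User-Agent or probe many missing paths.
    Returns {source_ip: sorted list of reasons}."""
    reasons = defaultdict(set)
    missing_paths = defaultdict(set)
    for line in lines:
        m = WEB_LINE.match(line)
        if not m:
            continue                      # unparseable line: skip it rather than crash
        ip, ua = m.group("ip"), m.group("ua").lower()
        if any(marker in ua for marker in SCANNER_UA_MARKERS):
            reasons[ip].add("scanner user-agent")
        if m.group("status") == "404":
            missing_paths[ip].add(m.group("path"))
    for ip, paths in missing_paths.items():
        if len(paths) >= not_found_threshold:
            reasons[ip].add("404 burst on distinct paths")
    return {ip: sorted(r) for ip, r in reasons.items()}


# Constructed sample data; addresses are from the RFC 5737 documentation ranges.
KNOWN_HOSTS = {"198.51.100.5"}           # assumed: the organisation's own jump host
AUTH_LOG = [
    "Mar 10 02:14:01 host1 sshd[2011]: Failed password for invalid user admin from 203.0.113.77 port 51122 ssh2",
    "Mar 10 02:14:03 host1 sshd[2011]: Failed password for invalid user admin from 203.0.113.77 port 51122 ssh2",
    "Mar 10 02:14:05 host1 sshd[2013]: Failed password for root from 203.0.113.77 port 51130 ssh2",
    "Mar 10 02:14:07 host1 sshd[2013]: Failed password for root from 203.0.113.77 port 51130 ssh2",
    "Mar 10 02:14:09 host1 sshd[2015]: Failed password for invalid user oracle from 203.0.113.77 port 51140 ssh2",
    "Mar 10 02:14:11 host1 sshd[2015]: Failed password for invalid user test from 203.0.113.77 port 51140 ssh2",
    "Mar 10 08:01:12 host1 sshd[3101]: Failed password for alice from 198.51.100.5 port 40010 ssh2",
    "Mar 10 08:01:20 host1 sshd[3101]: Accepted password for alice from 198.51.100.5 port 40010 ssh2",
    "Mar 10 09:15:44 host1 sshd[3207]: Failed password for bob from 192.0.2.9 port 40200 ssh2",
]
WEB_LOG = [
    '203.0.113.77 - - [10/Mar/2015:02:20:01 +0000] "GET /admin/ HTTP/1.1" 404 169 "-" "Mozilla/5.0 (compatible; Nikto/2.1.5)"',
    '203.0.113.77 - - [10/Mar/2015:02:20:02 +0000] "GET /cgi-bin/ HTTP/1.1" 404 169 "-" "Mozilla/5.0 (compatible; Nikto/2.1.5)"',
    '198.51.100.20 - - [10/Mar/2015:09:00:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2015:09:00:12 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
] + [
    # a plain-looking client that walks through many non-existent pages
    f'192.0.2.30 - - [10/Mar/2015:02:30:{i:02d} +0000] "GET /old/page{i}.php HTTP/1.1" 404 169 "-" "Mozilla/5.0"'
    for i in range(12)
]
```

Neither check is proof of an incident on its own; they produce the precursor or indicator signals that an analyst then correlates with the other sources listed under Incident Information (IDPS or SIEM alerts, flow data, user reports) before recording, classifying and prioritizing the event.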


1.2 Handling Different Types of Information Security Incidents

Handling incidents

There are five important incident handling phases:
 Preparation: establishing and training an incident response team, and acquiring the necessary tools and resources.
 Detection and analysis: detecting security breaches and alerting the organization during any imminent attack.
 Containment: mitigating the impact of the incident by containing it.
 Eradication and recovery: carrying out the detection and analysis cycle to eradicate the incident and ultimately initiate recovery.
 Post-incident activity: preparing a detailed report of the cause and cost of the incident and future preventive measures against similar attacks.

This is similar to the tasks contained within incident management plans:
• identify
• contain
• cleanse
• recover
• close

Organizations should have a plan to respond to various types of incidents detailing various aspects of incident handling including the above.

Incident response plan

An Incident Response Plan is an organization’s foundation to a formal, focused and coordinated approach for incident response.

Purpose of incident response plan

The objective of instating an incident response plan is to provide the roadmap for implementing the incident response capability. The incident response plan acts as a defence mechanism against hackers, malware, human error and a series of other security threats.

Requirements of incident response plan

The intervention of an incident response plan can be the structure for building an organization’s incident response capability. Emphasis on computing security policies and practices is the main objective of most organizations in their overall risk management strategies. Elements that are recommended as important to an incident response plan are:
 organization’s mission towards the plan
 organization’s strategies and goals to determine the structure of incident response capability
 senior management approval in the structuring of the proposed plan
 organizational approach to incident response
 incident response team’s communication with the rest of the organization and with other organizations
 metrics for measuring the incident response capability and its effectiveness
 roadmap for maturing the incident response capability (regular reviews, audits and tests etc.)
 how the program fits into the overall organization.

Incident response plan checklist

Developing an incident response plan checklist can minimize the threat of security breach in the form of attacks on websites and servers, or inadvertent leakage of shared sensitive data etc. Instating a structure that ensures the latest developments are captured, understood, evaluated as threats to the business, documented and distributed will help ensure an effective incident response. An incident response plan checklist should be an amalgamation of the following key practices:
 provide a roadmap for implementing an incident response program based on the organization’s policy.
 organize both short and long-term goals for the program, including metrics for measuring the program.
 highlight incident handlers’ training needs and other technical requirements.
 ensure existing and new cyber technologies are adequately addressed in policies and procedures.
 conduct regular reviews, audits and tests to protect against security breach.
 classify business data in the order of its sensitivity and security requirements.
 select an appropriate incident response team structure.
 comply with security-related incident regulations and law enforcement procedures.


1.3 Preparation for Incident Response and Handling

• Create a core team

Integrity of business security demands the presence of an effective incident response team, and the latter can be achieved through the selection of appropriate structure and staffing models. Typically, a designated incident response team or personnel function as the first point of contact (POC) in a situation involving a security breach in an organization. The incident handlers may then analyse the incident data, determine the impact of the incident, and act appropriately to limit the damage and restore normal services. The incident response team’s success depends on the participation and cooperation of individuals throughout the organization. Therefore, an organization must create a core team, identify suitable individuals, discuss incident response team models, and provide advice on selecting an appropriate model.

A team model may be based on the following models:

• Central Security Incident Response team: a functional model for small organizations with limited or no geographic presence wherein a single incident response team handles core security computing.
• Distributed Security Incident Response team: this model is effective for large organizations (e.g. one team per division) and for organizations with major computing resources at distant locations (e.g. one team per geographic region, one team per major facility).
• Coordinating team: an incident response team provides advice to other teams without having authority over those teams. For example, a department-wise team may assist the individual agencies’ teams, and it is almost modelled as a CSIRT for CSIRTs.

• Create tool kit, systems and instrumentation: a jump kit is a portable case instrumental to incident response teams, and it contains items such as a laptop, appropriate software such as packet sniffers, digital forensics tools, backup devices, blank media etc.

Listed below is a range of tool kits, systems and instrumentation that may be useful in an incident response:

• Incident handler communications and facilities: these may include contact information of team members and others within the organization and external, an on-call information matrix, incident reporting mechanisms such as phone numbers, email addresses, online forms, etc.; incident tracking systems; smartphones for round-the-clock communication; use of encryption software for internal team members; a security materials storage facility etc.
• Incident analysis hardware and software: digital forensic workstations and/or backup devices to create disk images, preserve log files and save other relevant incident data etc.; laptops; spare workstations; servers; networking equipment or the virtualized equivalents for storing and trying out malware; blank removable media; packet sniffers and protocol analyzers; digital forensic software; evidence gathering accessories such as digital cameras, audio recorders, chain of custody forms etc.
• Incident analysis resources: port lists, including commonly used ports and Trojan horse ports; documentation for OSs, applications, protocols etc.; network diagrams and lists of critical assets such as database servers; current baselines of expected network, system and application activity; cryptographic hashes of critical files to speed incident analysis, verification and eradication.
• Incident mitigation software: access to images of clean OS and application installations for restoration and recovery purposes.
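The "cryptographic hashes of critical files" item above is worth seeing in working form. The following is an added example, not code from the handbook: it builds a SHA-256 baseline of a directory tree and later verifies the tree against it, reporting modified, added and missing files. The directory layout, file names and contents are constructed for the demonstration.

```python
"""File-integrity baseline for an incident analysis resource kit.

Added example (not from the handbook): builds a SHA-256 baseline of the
files under a directory and later verifies the directory against it,
reporting modified, added and missing files. Paths and sample contents are
constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline as JSON; in practice keep it off-host and read-only."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a baseline.

    Returns {"modified": [...], "added": [...], "missing": [...]}, each sorted.
    """
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "critical"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF original binary\n")

        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Simulated post-incident changes: a replaced binary, a dropped hidden
        # file and a deleted configuration file.
        (root / "bin" / "login").write_bytes(b"\x7fELF replaced binary\n")
        (root / "bin" / ".hidden").write_text("dropped\n")
        (root / "etc" / "hosts").unlink()

        return verify(root, load_baseline(store))


if __name__ == "__main__":
    print(demo())
```

The baseline must be taken from a known-clean system and stored where a compromised host cannot rewrite it; a digest list that lives on the host it describes only tells you what the intruder let you see.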

Table-Top Exercise for Incident Response (IR) for XYZ Organization:

IR Lifecycle Stage      Summary of Incident Activities

Preparation             • Provide training and awareness for all individuals in recognizing anomalous behavior and specific reporting requirements for suspected breaches of an
                        • Gather contact information for incident handlers,
                        • Gather hardware and software needed for technical analysis; and
                        • Perform evaluations, such as tabletop exercises, of the IR capability.
Detection and Analysis  • Monitor information system protection mechanisms and system logs
                        • Investigate reports of suspected XYZ breaches from agency individuals.
                        • Notify Security Director and the System Administrator immediately, but no later than 24 hours after identification of a possible issue involving XYZ asset information.
Containment             • Choose and implement strategy for preventing further information loss based on level of risk to information.
                        • Gather and preserve technical evidence, if applicable;
Eradication             • Eliminate components of the incident, such as deleting malicious code and disabling breached user accounts, if applicable.
Recovery                • Restore systems via appropriate technical actions such as: restoring from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and tightening network perimeter security.


Sample Incident Response Evaluation Scenarios

XYZ Breach Scenario

Through a routine evaluation of system logs, a system administrator discovers that XYZ’s data has been exfiltrated from the system by an unauthorized user account.

A remote user has lost his/her laptop. The user’s job function required that XYZ’s information be stored on the laptop.

After a recent office move, it is discovered that a locked cabinet containing XYZ’s information is missing.

Tabletop Exercise Objectives

• Determine the actions that would help prevent this type of incident (preparation).
• Determine the controls in place that would help identify this incident, along with procedures on how to report the incident (detection and analysis).
• How to prevent further damage (containment).
• How to clean the system (eradication).
• How to restore the system in a secure manner (recovery).


UNIT II
Incident Response
- Roles and Responsibilities

This unit covers:


 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
2.1. Incident Response Team
2.2. Incident Response Team Dependencies


Lesson Plan

Performance Outcomes | Ensuring Measures | Duration (Hrs) | Work Environment / Lab Requirement

Performance Outcomes:
To be competent, you must be able to:
PC1. establish your role and responsibilities in co-ordinating responses to information security incidents
PC4. assign information security incidents promptly to appropriate people for investigation/action
PC5. liaise with stakeholders to gather, validate and provide information related to information security incidents, where required
PC10. obtain advice and guidance on co-ordinating information security incidents from appropriate people, where required
Ensuring Measures:
1. Identify and access sources for standard checklists, guidelines and templates for carrying out different types of audits
Duration: 2 hrs
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)

Performance Outcomes:
You need to know and understand:
KA4. limits of your role and responsibilities and who to seek guidance from where required
KA6. who to involve when investigating and co-ordinating responses to information security incidents and how to contact them
KA11. how to assign and escalate information on information security incidents
KA12. different methods and techniques used when working with others
KB5. common issues and incidents of information security that may require action and who to report these to
KB6. how to obtain and validate information related to information security issues
KB7. how to prepare and submit information security reports and who to share these with
Ensuring Measures:
KA4. Peer group, Faculty group and Industry experts.
KA6. Performance and evaluation from Faculty and Industry with reward points.
KA11. Online exam and reward points based on reviews from the forums.
KA12. Faculty and peer review.
KB5, KB6, KB7. Going through the security standards over the Internet by visiting sites like ISO, PCI DSS etc., and understanding various methodologies and usage of algorithms. Learn about the CIA triad relating to latest threats and vulnerabilities.
Duration: 4 hrs classroom session; 2 hrs research
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Center for Internet Security
• Security Templates from ITIL, ISO


Suggested Learning Activities

Activity 1:

Ask students to research various sites of companies to understand their Information Security Incident plan and the team involved, including roles and responsibilities for various teams and personnel. Let them come and present the same in class.

Activity 2:

Ask students to research various external service providers and services that support
incident team in the organisation in responding to information security incidents.


Training Resource Material


2.1 Incident Response Team

Incident response team members

A single employee, with one or more designated alternates, should be in charge of incident response. In a fully outsourced model, this person oversees and evaluates the outsourcer’s work. All other models generally have a team manager and one or more deputies who assume authority in the absence of the team manager. Every team member should have good problem-solving skills and critical thinking abilities.

Incident response team: roles and responsibilities

An incident response team member should possess technical skills, such as system administration, network administration, programming, technical support or intrusion detection. An incident response team should be a combination of skilled members in the area of technology (e.g. operating systems and applications) and other technical areas such as network intrusion detection, malware analysis or forensics.

Roles and responsibilities

A team member in an incident response unit is expected to have the basic understanding
of the technologies used and their applications. The individual should be capable of
comprehending and handling the following security incidents:

 the type of incident activity that is being reported or seen by the community.
 the way in which incident response team services are being provided (the level
and depth of technical assistance provided to the constituency).
 the responses that are appropriate for the team (e.g. what policies and procedures
or other regulations must be considered or followed while undertaking the
response).
 the level of authority the incident response team has in taking any specific actions
when applying technical solutions to an incident reported to the incident
response team.

Developing skills in incident response personnel

• engage an external technical knowledge facilitator with deep technical knowledge in the needed areas to impart learning and development.
• provide opportunities to perform other tasks in non-functional areas.
• incentivize participation in staff conferences.
• promote deeper technical understanding.
• maintain, enhance and expand proficiency in technical areas and security disciplines as well as less technical topics such as the legal aspects of incident response.
• rotate staffing of members across functions to gain new technical skills.
• create a mentoring program to enable senior technical staff to help less experienced staff learn incident handling.
• develop incident handling scenarios and conduct team discussions.

Incident response team structure

After successfully selecting a functional core team, it is best that team members be further integrated and modelled into appropriate staffing based on the magnitude of incident response and the size of the organization. Find details of the three types of staffing methods below:

• In-house employees
• Partially outsourced
• Fully outsourced

Therefore, an organization must consider the following factors before selecting an appropriate incident response team structure:

• The need for 24/7 availability: real-time availability is considered one of the best incident response options, because the longer an incident lasts, the more potential there is for damage and loss.
• Full-time versus part-time team members: organizations with limited funding, staffing or incident response needs may have only part-time incident response team members, serving as more of a virtual incident response team. An existing group such as the IT help desk can act as a first POC for incident reporting and perform initial investigation and data collection.
• Employee morale: segregate administrative work and core incident response to minimize stress on employees and to help boost morale.
• Cost: implement sufficient funding for training and skills development of incident response team members, as the area of work demands broader knowledge of IT.
• Staff expertise: incident handling requires specialized knowledge and experience in several technical areas. The breadth and depth of knowledge required varies based on the severity of the organization’s risks.

Outsourced

• In the case of outsourced work, the organization must consider not only the current quality (breadth and depth) of the outsourcer’s work, but also efforts to ensure the quality of future work.
• Document the line of work or authority of outsourced incident response work appropriately and ensure actions for these decision points are handled.
• Divide incident response responsibilities and restrict access to sensitive information.
• Provide regularly updated documents that define what incidents the outsourcer is concerned about.
• Create correlation among multiple data sources.
• Maintain basic incident response skills in-house.

2.2 Incident Response Team Dependencies

It is important to identify other groups within the organization and rely on the expertise, judgment, and abilities of others, including: the response policy, budget and staffing established by management; information security staff members during certain stages of incident handling (prevention, containment, eradication, and recovery); IT technical experts (system and network administrators); legal departments to review plans, policies, documents etc.; public affairs; media relations; human resources; business continuity planning; physical security and facilities management.

Different methods and techniques used when working with others

Incident response team services

The main focus of an incident response team is performing incident response; however, it may also undertake the provision of the following services:

• Intrusion detection: the incident response team analyzes incidents more quickly and accurately, based on the knowledge it gains of intrusion detection technologies.
• Advisory distribution: the team may also issue advisories within the organization regarding new vulnerabilities and threats through automated methods.
• Education and awareness: promote education and awareness among users and technical staff about detecting, reporting and responding to incidents through means such as workshops, websites, newsletters, and posters and stickers on monitors and laptops.
• Information sharing: manage the organization’s incident information sharing efforts.

Defining the relationship between incident response, incident handling, and incident management

Incident response means responding to computer security incidents systematically, i.e. by following a consistent incident handling methodology so that the appropriate actions are taken in a timely manner. It is a mechanism to minimize loss or theft of information and disruption of services caused by incidents.

Incident handling refers to the several phases of the incident response process, i.e. preparation, detection and analysis, containment, eradication and recovery, and post-incident activity, required for adequate handling of an incident.

Incident management is the term used to describe the overall computing security management to detect the occurrence of an incident, initiate and handle an incident response and prevent any future re-occurrences.


Routine operational procedures and tasks required to co-ordinate and respond to information security incidents

• Prepare to handle incidents.
• Use incident analysis hardware and software.
• Use incident analysis resources.
• Use incident mitigation software.
• Management is responsible for coordinating incident response among various stakeholders, minimizing damage, and reporting to Congress, OMB, the General Accounting Office (GAO), and other parties.
• Information security staff members may be needed during certain stages of incident handling (prevention, containment, eradication and recovery), for example, to alter network security controls (e.g. firewall rule sets).

IT technical experts (e.g. system and network administrators) can ensure that the
appropriate actions are taken for the affected system, such as whether to disconnect an
attacked system.

Coordinate with relevant legal experts to review incident response plans, policies and
procedures to ensure their compliance with law and federal guidance, including the right
to privacy.

Coordinate and inform the media and, by extension, the public.

Ensure that incident response policies and procedures and business continuity processes
are in sync.

Coordinate with Physical Security and Facilities Management to access facilities during
incident handling.

A part of outlining the incident response framework involves the identification of IR Severity Levels. These levels will help the team understand the severity of an event and will govern the team’s response. Some suggestions for these levels are the following:

SEVERITY LEVEL   LEVEL OF BUSINESS IMPACT   RESOLUTION EFFORT REQUIRED
SEVERITY 1       LOW                        LOW EFFORT
SEVERITY 2       MODERATE                   MODERATE EFFORT
SEVERITY 3       HIGH                       EXTENSIVE, ONGOING EFFORT
SEVERITY 4       SEVERE                     DISASTER RECOVERY INVOKED


Start to create a documented action script that will outline your response steps so your IR Manager can follow them consistently. Your script should show steps similar to the following:

STEP #   ACTION
1        Incident announced
2        IR Manager alerted
3        IR Manager begins information gathering from affected site
4        IR Manager begins tracking and documentation of incident
5        IR Manager invokes Assessment Team (details of call bridge or other communication mechanism)
6        Assessment Team reviews details and decides on Severity Level of incident.
7        IF SEV 1 = PROCEED TO STEP #11.0
8        IF SEV 2 = PROCEED TO STEP #12.0
9        IF SEV 3 = PROCEED TO STEP #13.0
10       IF SEV 4 = PROCEED TO STEP #14.0
FOR SEVERITY LEVEL 1 – Proceed with following sequence
11.0     Determine attack vectors being used by threat
11.1     Determine network locations that are impacted
11.2     Identify areas that fall under “Parent Organization”
11.3     Identify systems or applications that are impacted
FOR SEVERITY LEVEL 2 – Proceed with following sequence
12.0     Determine attack vectors being used by threat
12.1     Alert Incident Officer to Severity 2 threat
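Steps 2 to 7 of the action script (IR Manager alerted, Assessment Team assigns a severity level) and the assignment and escalation of incidents covered by KA11 can be carried in code so that every hand-off is recorded with a timestamp. The following is an added example, not the handbook's script nor any organization's: the severity level follows the severity table above, and an incident that nobody acknowledges within the time allowed for its severity is escalated to the next role. The role names, the acknowledgement windows and the sample incident are assumptions made for illustration.

```python
"""Severity assignment and timed escalation for an IR action script.

Added example (not from the handbook): severity is derived from business
impact as in the severity table, and an unacknowledged incident escalates
along an assumed chain of roles, each hand-off being written to the
incident's timeline. Role names, windows and the sample incident are
assumptions for illustration.
"""
from datetime import datetime, timedelta

# Business impact -> severity level, following the handbook's severity table.
IMPACT_TO_SEVERITY = {"LOW": 1, "MODERATE": 2, "HIGH": 3, "SEVERE": 4}

# Assumed escalation chain, lowest level first.
ESCALATION_CHAIN = ["IR Manager", "Incident Officer", "Security Director", "CIO"]

# Assumed time each assignee gets to acknowledge, by severity level.
ACK_WINDOW = {
    1: timedelta(hours=4),
    2: timedelta(hours=1),
    3: timedelta(minutes=30),
    4: timedelta(minutes=15),
}

T0 = datetime(2015, 3, 2, 9, 0)  # constructed announcement time


def at(minutes_after):
    """Clock reading `minutes_after` minutes after T0 (for the walk-through)."""
    return T0 + timedelta(minutes=minutes_after)


class Incident:
    def __init__(self, ident, business_impact, announced_at):
        self.id = ident
        self.severity = IMPACT_TO_SEVERITY[business_impact]  # step 6: severity decided
        self.level = 0                                       # index into ESCALATION_CHAIN
        self.assigned_at = announced_at
        self.acknowledged = False
        self.exhausted = False
        self.timeline = [(announced_at, f"announced; severity {self.severity}; "
                                        f"assigned to {self.assignee}")]

    @property
    def assignee(self):
        return ESCALATION_CHAIN[self.level]

    def acknowledge(self, who, now):
        """Only the current assignee can take ownership; anyone else is a recording error."""
        if who != self.assignee:
            raise ValueError(f"{who} is not the current assignee ({self.assignee})")
        self.acknowledged = True
        self.timeline.append((now, f"acknowledged by {who}"))

    def check(self, now):
        """Escalate when the assignee has not acknowledged within the window.

        Returns True if an escalation happened at this check.
        """
        if self.acknowledged or now - self.assigned_at < ACK_WINDOW[self.severity]:
            return False
        if self.level + 1 >= len(ESCALATION_CHAIN):
            if not self.exhausted:
                self.exhausted = True
                self.timeline.append((now, "escalation chain exhausted; manual intervention required"))
            return False
        previous = self.assignee
        self.level += 1
        self.assigned_at = now  # the new assignee gets a fresh window
        self.timeline.append((now, f"no acknowledgement from {previous} within "
                                   f"{ACK_WINDOW[self.severity]}; escalated to {self.assignee}"))
        return True


def run_scenario():
    """Constructed walk-through: a HIGH-impact incident that sits unacknowledged."""
    inc = Incident("INC-2015-0042", "HIGH", T0)
    for minutes in (10, 31, 40, 62):
        inc.check(at(minutes))
    inc.acknowledge("Security Director", at(65))
    inc.check(at(300))  # acknowledged incidents are never escalated further
    return inc


if __name__ == "__main__":
    for when, entry in run_scenario().timeline:
        print(when.isoformat(), entry)
```

The `check` method is meant to be driven by a scheduler or a tracking system's timer; what matters for the record is that each escalation names who failed to respond, how long they were given and who now owns the incident, which is exactly the information a later review of the response needs.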

References: Students are encouraged to read more on Roles and Responsibilities in the IR team of any Organization from the following references.

 http://www.cert.org/csirts/Creating-A-CSIRT.html
 http://www.cert.org/csirts/Creating-A-CSIRT.html#practices
 O’Reilly Incident Response – Kenneth R. vanWyk and Richard Forno
 http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf


UNIT III
Incident Response Process

This unit covers:


 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
3.1 Incident Response Process


Lesson Plan

Performance Outcomes | Ensuring Measures | Duration (Hrs) | Work Environment / Lab Requirement

Performance Outcomes:
PC2. record, classify and prioritize information security incidents using standard templates and tools
PC5. liaise with stakeholders to gather, validate and provide information related to information security incidents, where required
PC6. track progress of investigations into information security incidents and escalate to appropriate people where progress does not comply with standards or service level agreements (SLAs)
PC7. prepare accurate preliminary reports on information security incidents using standard templates and tools
PC8. submit preliminary reports promptly to appropriate people for action
PC9. update the status of information security incidents following investigation/action using standard templates and tools
Ensuring Measures:
1. QA session and a descriptive write-up on understanding.
2. Group presentation and peer evaluation along with Faculty.
3. Performance evaluation from Faculty and Industry with reward points.
4. Written assignment of incident report prepared
Duration: 4 Hrs classroom
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Center for Internet Security
• Security Templates from ITIL, ISO
• Projection facilities

Performance Outcomes:
KA1. your organization’s policies, procedures, standards, guidelines and service level agreements for responding to information security incidents
KA2. the day-to-day operations, procedures and tasks relating to your area of work
KA7. the importance of tracking progress and corrective and preventative actions for information security incidents
KA8. the importance of keeping records and evidence relating to information security incidents
KA13. standard tools and templates available and how to use these
KA14. your organization’s policies and procedures for sharing information on security incidents and the importance of complying with these
KA15. how to classify and prioritize information security incidents
KB6. how to obtain and validate information related to information security issues
KB7. how to prepare and submit information security reports and who to share these with
Ensuring Measures:
KA1. QA session and a descriptive write-up on understanding.
KA2. Group presentation and peer evaluation along with Faculty.
KA7, KA8. Performance evaluation from Faculty and Industry with reward points.
KA13. Creation of templates based on the learnings.
KB1 – KB7:
1. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
2. Classify latest threats and vulnerabilities into the CIA triad.
Duration: 4 Hours classroom and 10 hrs research
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Center for Internet Security
• Security Templates from ITIL, ISO

Suggested Learning Activities


Activity 1:

Ask the class to research the internet and collect ideas and templates on incident report
forms and formats. Meet with industry if possible to understand the usage and applicability
of these.

Activity 2:

Divide the students into groups and ask them to prepare an incident report, using the available templates, for your training institute. Highlight the sources of information for the various parts of the report.

Activity 3:

Provide students with a list of types of companies/organisations and the different kinds of
data available within these. Ask students to prioritize the various types of data using
various considerations stated in the unit.


Training Resource Material


3.1 Incident Response Process

Step 1: Identification

Obtaining and validating information related to information security issues

In incident handling, detection may be the most difficult task. Incident response teams in an organization are equipped to handle security incidents using well-defined response strategies beginning with information gathering. Preparing a list of the most common attack vectors, such as external/removable media, web, email, impersonation, improper use by authorized users etc., can narrow down to the most competent incident handling procedure. Therefore, it is important to validate each incident using defined standard procedures and to document each step taken accurately.

Common issues and incidents of information security that may require action and whom to report to

An indicator may not always translate into a security incident, given the possibility of technical faults due to human error in cases such as a server crash or modification of critical files. Determining whether a particular event is actually an incident is sometimes a matter of judgment. It may be necessary to collaborate with other technical and information security personnel to make a decision. Therefore, incident handlers need to report the matter to highly experienced and proficient staff members who can analyse the precursors and indicators effectively and take appropriate actions.

Mentioned below are some of the means to conduct initial analysis for validation:

• Profiling networks and systems in order to measure the characteristics of expected activity so that changes to it can be more easily identified; profiling is one of several detection and analysis techniques.
• Studying networks, systems and applications to understand what their normal behavior is so that abnormal behavior can be recognized more easily.
• Creating and implementing a log retention policy that specifies how long log data should be maintained may be extremely helpful in analysis, because older log entries may show reconnaissance activity or previous instances of similar attacks.
• Correlating events using evidence of an incident captured in several logs, wherein each may contain different types of data: a firewall log may have the source IP address that was used, whereas an application log may contain a username.
• Synchronizing host clocks using protocols such as the Network Time Protocol (NTP) so that the time of an attack is recorded consistently across hosts.
• Maintain and use a knowledge base of information that handlers need for referencing quickly during incident analysis.
• Use internet search engines for research to help analysts find information on unusual activity.
• Run packet sniffers to collect additional data; recording only traffic that matches specified criteria should keep the volume of data manageable and minimize the inadvertent capture of other information.
• Filter the data to segregate categories of indicators that tend to be insignificant.

Step 2: Incident recording

Any occurrence of an incident must be recorded, and the incident response team should update the status of incidents along with other pertinent information. Observations and facts of the incident may be stored in any of the following sources, such as a logbook, laptops, audio recorders and digital cameras etc.

Incident record samples and template

Documenting system events, conversations and observed changes in files can lead to more efficient, more systematic and error-free handling of the problem. Using an application or a database, such as an issue tracking system, helps ensure that incidents are handled and resolved in a timely manner.

The following useful information is to be included in an incident record template:

• Current status of the incident as new, in progress, forwarded for investigation, resolved etc.
• Summary of the incident
• Indicators related to the incident
• Other incidents related to this incident
• Actions taken by all incident handlers on this incident
• Chain of custody, if applicable
• Impact assessments related to the incident
• Contact information for other involved parties (system owners, system administrators etc.)
• List of evidence gathered during the incident investigation
• Comments from incident handlers
• Next steps to be taken (rebuild the host, upgrade an application etc.)

Step 3: Initial response

Commence the initial response to an incident based on the type of incident, the criticality of the resources and data that are affected, the severity of the incident, existing Service Level Agreements (SLA) for affected resources, the time and day of the week, and other incidents that the team is handling. Generally, the highest priority is handling incidents that are likely to cause the most damage to the organization or to other organizations.

Step 4: Communicating the incident

The incident should be communicated following appropriate procedures through the organization’s points of contact (POC) for reporting incidents internally. Therefore, it is important for an organization to structure its incident response capability so that all incidents are reported directly to the incident response team, whereas others will use existing support structures.

Assigning and escalating information on information security incidents

Organizations should also establish an escalation process for those instances when the team does not respond to an incident within the designated time. This can happen for many reasons; for example, cell phones may fail or people may have personal emergencies. The escalation process should state how long a person should wait for a response and what to do if no response occurs. On failure to respond within a stipulated time, the incident should be escalated again to a higher level of management.
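As an added illustration of the Step 1 points on correlating evidence across logs and on synchronizing host clocks (example code, not from the handbook): a firewall log that records source IP addresses but no user is joined with an application log that records user names but no source address, after the application's local wall-clock timestamps are converted to UTC. Every log line, address, user name and the UTC offset below are constructed for the demonstration; the same run with the offset ignored shows why unsynchronized clocks defeat the correlation.

```python
"""Cross-log correlation with clock normalisation (added example).

Not from the handbook: a firewall log (source IP, no user) is correlated
with an application log (user, no source IP) by time, after the
application's local wall-clock times are converted to UTC. Every log line,
address, user name and the UTC offset below is constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed firewall log; the firewall stamps events in UTC ("Z").
FIREWALL_LOG = """\
2015-03-02T09:14:55Z ACCEPT src=203.0.113.45 dst=10.0.0.12 dport=443
2015-03-02T09:15:02Z ACCEPT src=203.0.113.45 dst=10.0.0.12 dport=443
2015-03-02T09:40:10Z ACCEPT src=198.51.100.7 dst=10.0.0.12 dport=443
2015-03-02T10:02:30Z DROP src=203.0.113.45 dst=10.0.0.12 dport=22
"""

# Constructed application log from host 10.0.0.12, written in local time
# (IST, UTC+05:30) with no zone marker, as many applications do.
APP_LOG = """\
2015-03-02 14:45:01 LOGIN_FAILED user=alice
2015-03-02 14:45:03 LOGIN_OK user=alice
2015-03-02 14:45:09 EXPORT user=alice records=48210
2015-03-02 15:10:12 LOGIN_OK user=bob
"""
APP_LOG_UTC_OFFSET_MINUTES = 330  # IST

FW_RE = re.compile(r"^(\S+) (ACCEPT|DROP) src=(\S+) dst=(\S+) dport=(\d+)$")
APP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) user=(\S+)(.*)$")


def parse_firewall(text):
    """Parse firewall lines into dicts carrying an aware UTC timestamp."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "action": m.group(2), "src": m.group(3),
                       "dst": m.group(4), "dport": int(m.group(5))})
    return events


def parse_app(text, utc_offset_minutes):
    """Parse application lines; local times are shifted to UTC by the given offset."""
    zone = timezone(timedelta(minutes=utc_offset_minutes))
    events = []
    for line in text.splitlines():
        m = APP_RE.match(line)
        if not m:
            continue
        local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=zone)
        events.append({"ts": local.astimezone(timezone.utc), "event": m.group(2),
                       "user": m.group(3), "detail": m.group(4).strip()})
    return events


def correlate(fw_events, app_events, host="10.0.0.12", window_seconds=30):
    """Attribute each application event to the nearest firewall ACCEPT to `host`
    within `window_seconds`; one hit per attributable application event."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for app in app_events:
        nearest = None
        for fw in fw_events:
            if fw["action"] != "ACCEPT" or fw["dst"] != host:
                continue
            gap = abs(fw["ts"] - app["ts"])
            if gap <= window and (nearest is None or gap < nearest[0]):
                nearest = (gap, fw)
        if nearest is not None:
            hits.append({"ts": app["ts"].isoformat(), "user": app["user"],
                         "src": nearest[1]["src"], "event": app["event"],
                         "detail": app["detail"]})
    return hits


def sources_by_user(hits):
    """Summarise which source addresses each user name was seen from."""
    out = {}
    for h in hits:
        out.setdefault(h["user"], set()).add(h["src"])
    return {user: sorted(srcs) for user, srcs in out.items()}


if __name__ == "__main__":
    fw = parse_firewall(FIREWALL_LOG)
    app = parse_app(APP_LOG, APP_LOG_UTC_OFFSET_MINUTES)
    for hit in correlate(fw, app):
        print(hit)
    print(sources_by_user(correlate(fw, app)))
    # With the offset ignored the same logs correlate to nothing, which is the
    # practical reason the handbook lists clock synchronisation (NTP).
    print(correlate(fw, parse_app(APP_LOG, 0)))
```

The EXPORT event is the one an analyst cares about: on its own the application log says only that alice exported 48,210 records, while the correlated record also names the external address the session came from, which is what the containment and reporting steps need.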


This process should be repeated until the incident is successfully handled.

Step 5: Containment

Containment and Quarantine

Containment is important before an incident overwhelms resources or increases damage. Most incidents require containment, so it is an important consideration early in the course of handling each incident. Containment provides time for developing a tailored remediation strategy. An essential part of containment is decision-making, where the situation may demand immediate action such as shutting down a system, disconnecting it from a network or disabling certain functions.

Various containment strategies may be considered on the basis of the following:

• Potential damage to and theft of resources
• Need for evidence preservation
• Service availability (network connectivity, services provided to external parties etc.)
• Time and resources needed to implement the strategy
• Effectiveness of the strategy (partial containment, full containment etc.)
• Duration of the solution (emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution etc.)

Quarantine

Handling an incident may necessitate the use of strategies to contain the existing predicament, one such method being redirecting the attacker to a sandbox (a form of containment) so that the team can monitor the attacker’s activity, usually to gather additional evidence. Hence, once a system has been compromised, if the compromise is allowed to continue, it may help the attacker to use the compromised system to attack other systems.

Understand network damage

On the other hand, containment may give rise to another potential issue, and that is that some attacks may cause additional damage when they are contained. When the incident handler attempts to contain the incident by disconnecting the compromised host from the network, the subsequent pings (for example, malware that periodically checks in with its controller) will fail. As a result of the failure, the malicious process may overwrite or encrypt all the data on the host’s hard drive.

Identify and isolate the trust model

Network information systems are vulnerable to threats, and benign nodes are often compromised because of unknown, incomplete or distorted information while interacting with external sources. In this case, malicious nodes need to be identified and isolated from the environment. The solution to insecurity can be found in the establishment of trust. A trust model can be formed based on the characteristics, the information sources to compute, the most relevant and reliable information source, the experience of other members of the community etc.

Step 6: Formulating a response strategy

An analysis of the recoverability from an incident determines the possible responses that the team may take when handling the incident. An incident with a high functional impact and low effort to recover from is an ideal candidate for immediate action from the team. In situations involving high end data


infiltration and exposure of sensitive information, the incident response team may formulate a response by transferring the case to a strategic level team. Each response strategy should be formulated based on the business impact caused by the incident and the estimated effort required to recover from it.

Incident response policies should include provisions concerning incident reporting: at a minimum, what must be reported, to whom and at what times. Parties to be included are the CIO, head of information security, local information security officer, other incident response teams within the organization, external incident response teams (if appropriate), the system owner, human resources (for cases involving employees, such as harassment through email), public affairs etc.

Step 7: Incident classification

Classifying and prioritizing information security incidents

Incident prioritization

• Functional impact of the incident on the existing functionality of the affected systems, and the future functional impact of the incident if it is not immediately contained.
• Information impact of the incident, which may amount to information exfiltration; its impact on the organization's overall mission; and the impact of exfiltration of sensitive information on other organizations if any of the data pertain to a partner organization.
• Recoverability from the incident, and how to determine the amount of time and resources that must be spent on recovering from that incident.

Necessity to actually recover from an incident, carefully weighed against the value the recovery effort will create and any requirements related to incident handling.

An incident may be broadly classified based on common attack vectors such as external/removable media; attrition; web; email; improper usage; loss or theft of equipment; miscellaneous.

Incident classification guidelines and templates

Organizations should document their guidelines and templates to handle any incident, but should focus on being prepared to handle incidents that use common attack vectors. Capturing the attack pattern formally with the required information may help in understanding specific parts of an attack, how it is designed and executed, providing the adversary's perspective on the problem and the solution, and gives guidance on ways to mitigate the attack's effectiveness.

• Requirements – identification of relevant security requirements, misuse and abuse cases.
• Architecture and design – provide context for architectural risk analysis and guidance for security architecture.
• Implementation and development – prioritize and guide review activities.
• Testing and quality assurance – provide context for appropriate risk-based and penetration testing.
• System operation – leverage lessons learned from security incidents into preventative guidance.
• Policy and standard generation – guide the identification of appropriate prescriptive organizational policies and standards.


Incident prioritization guidelines and templates

Creating written guidelines for prioritizing incidents is a good practice and helps achieve effective information sharing within an organization. The step may also help in identifying situations that are of greater severity and demand immediate attention. An ideal template for incident prioritization should be formulated based on relevant factors such as the functional impact of the incident (e.g. current and likely future negative impact to business functions), the information impact of the incident (e.g. effect on the confidentiality, integrity and availability of the organization's information) and the recoverability from the incident (e.g. the time and types of resources that must be spent on recovering from the incident).

Step 8: Incident investigation

One of the key tasks of an incident response team is to receive information on possible incidents, investigate them, and take action to ensure that the damage caused by the incidents is minimized.

Following up an incident investigation

In the course of the work, the team must adhere to the following procedures deemed appropriate to a given situation:

• receive initial investigation and data gathering from IT help desk members and escalate to a high strategic level specialist if the situation demands.
• use appropriate materials that may be needed during an investigation.
• become acquainted with various law enforcement representatives before an incident occurs to discuss conditions under which incidents should be reported to them.
• maintain a record of chain of custody forms, which should detail each transfer and include each party's signature when evidence is transferred from person to person.
• be careful to give out only appropriate information — the affected parties may request details about internal investigations that should not be revealed publicly.
• ensure law enforcement are available to investigate incidents wherever necessary.
• collect the required list of evidence gathered during the incident investigation.
• collect evidence in accordance with procedures that meet all applicable laws and regulations, developed from previous discussions with legal staff and appropriate law enforcement agencies, so that any evidence can be admissible in court.


Lessons learnt from security incidents

Handling and rectifying security incidents works best in a "learning and improving" model. Therefore, incident handling teams must evolve to reflect new threats, improved technology and lessons learned. Each lessons learned brief must include the following agenda:

• What exactly happened, and at what times?
• How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
• What information was needed sooner?
• Were any steps or actions taken that might have inhibited the recovery?
• What would the staff and management do differently the next time a similar incident occurs?
• How could information sharing with other organizations have been improved?
• What corrective actions can prevent similar incidents in the future?
• What precursors or indicators should be watched for in the future to detect similar incidents?
• What additional tools or resources are needed to detect, analyze and mitigate future incidents?

Process change for the future

The changing nature of information technology and changes in personnel require the incident response team to review all related documentation and procedures for handling incidents at designated intervals. A study of incident characteristics (data collected on previous incidents) may indicate systemic security weaknesses and threats as well as changes in incident trends.

Incident data can also be collected to determine if a change to incident response capabilities causes a corresponding change in the team's performance (improvements in efficiency, reductions in costs etc.).

Incident record keeping

Incident record keeping, or collecting data that are actionable rather than collecting data simply because they are available, will be useful in several capacities to the organization. It may help in deriving the following information:

• systemic security weaknesses and threats, as well as changes in incident trends.
• selection and implementation of additional controls.
• measure the success of the incident response team.
• expected return on investment from the data.

Step 9: Data collection

Chain of custody

Evidence collected should be accounted for at all times: whenever evidence is transferred from person to person, chain of custody forms should detail the transfer and include each party's signature. A detailed log should be kept for all evidence, including the following:

• Identifying information (e.g. the location, serial number, model number, hostname, media access control (MAC) addresses and IP addresses of a computer).
• Name, title, and phone number of each individual who collected or handled the evidence during the investigation.


• Time and date (including time zone) of each occurrence of evidence handling.
• Locations where the evidence was stored.

Step 10: Forensic analysis

Incident handling requires some team members to be specialized in particular technical areas, such as network intrusion detection, malware analysis or forensics. Many incidents cause a dynamic chain of events to occur; an initial system snapshot may do more good in identifying the problem and its source than most other actions that can be taken at this stage. Therefore, it is appropriate to obtain snapshots through full forensic disk images, not file system backups. Disk images should be made to sanitized write-protectable or write-once media. This process is superior to a file system backup for investigatory and evidentiary purposes. Imaging is also valuable in that it is much safer to analyse an image than it is to perform analysis on the original system, because the analysis may inadvertently alter the original. Some of the useful resources in forensic aspects of incident analysis may include digital forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data.

Step 11: Evidence protection

Importance of keeping evidence relating to information security incidents

Collecting evidence from computing resources presents some challenges. It is generally desirable to acquire evidence from a system of interest as soon as one suspects that an incident may have occurred. Users and system administrators should be made aware of the steps that they should take to preserve evidence. In addition, evidence should be accounted for at all times: whenever evidence is transferred from person to person, chain of custody forms should detail the transfer and include each party's signature, and a registry or log should be maintained of the location of the stored evidence.

Step 12: Notify external agencies

An organization's incident response team should plan its incident coordination with external parties before incidents occur, to ensure that all parties know their roles and that effective lines of communication are established. An organization's external agencies may include other or external incident response teams, law enforcement agencies, Internet service providers and constituents, law enforcement/legal departments, and customers or system owners etc.

Step 13: Eradication

Eliminating components of the incident, such as deleting malware and disabling breached user accounts, as well as identifying and mitigating all vulnerabilities that were exploited, follows successful containment and quarantine. During the process, it is important to identify all affected hosts within the organization so that they can be remediated. In some cases, eradication is either not necessary or is performed during recovery.

Identify data backup holes

Verify data back-up and restore procedures. Incident response should be aware of the location of back-up data


storage, maintenance, user access and security procedures for data restoration and system recovery. The following are the suggested data back-up sources:

• spare workstations, servers, networking equipment or virtualized equivalents, which may be used for many purposes, such as restoring back-ups and trying out malware.
• other important materials include back-up devices, blank media, basic networking equipment and cables.

Operating system updates and patch management

All hosts should be patched appropriately, using standard configurations, and be configured to follow the principle of least privilege — granting users only the privileges necessary for performing their authorized tasks. Hosts should have auditing enabled and should log significant security-related events; the security of hosts and their configurations should be continuously monitored. Some organizations use Security Content Automation Protocol (SCAP) expressed operating system and application configuration checklists to assist in securing hosts consistently and effectively.

Infrastructure and security policy improvement

Security cannot be achieved by merely implementing various security systems, tools or products. However, security failures are less likely through the implementation of security policy, process, procedure and product(s). Multiple layers of defence need to be applied to design a fail-safe security system. The organization should also report all changes and updates made to its IT infrastructure, network configuration and systems. The organization should also focus on longer-term changes (e.g. infrastructure changes) and ongoing work to keep the enterprise as secure as possible.

Step 14: Systems recovery

In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents. Recovery may involve such actions as restoring systems from clean back-ups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords and tightening network perimeter security (e.g. firewall rulesets, boundary router access control lists etc.). Higher levels of system logging or network monitoring are often part of the recovery process. Once a resource is successfully attacked, it is often attacked again, or other resources within the organization are attacked in a similar manner.

Step 15: Incident documentation

A logbook is an effective and simple medium for recording all facts regarding incidents. Documenting system events, conversations and observed changes in files can lead to a more efficient, more systematic and less error prone handling of the problem. Every step taken from the time the incident was detected to its final resolution should be documented and time-stamped. Every document regarding the incident should be dated and signed by the incident handler, as such information can also be used as evidence in a court of law if legal prosecution is pursued.
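The chain of custody log described under Step 9 and Step 11, and the time-stamped, signed record keeping of Step 15, as an added example (not code from the handbook): a small Python model that records each evidence item with its identifying information and image hash, appends transfers signed by both parties, and checks that custody is continuous. The class names, the IST time zone and the sample values are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed: every timestamp in the log carries an explicit time zone (IST here).
IST = timezone(timedelta(hours=5, minutes=30))


def ist_time(year, month, day, hour, minute):
    return datetime(year, month, day, hour, minute, tzinfo=IST)


@dataclass
class Transfer:
    when: datetime        # time and date (including time zone) of the handling event
    from_person: str      # name and title of the releasing custodian
    to_person: str        # name and title of the receiving custodian
    from_signature: str   # each party signs the transfer
    to_signature: str
    location: str         # where the evidence is stored after the transfer


@dataclass
class EvidenceItem:
    evidence_id: str
    description: str      # identifying information: location, serial, hostname, MAC/IP ...
    sha256: str           # hash of the acquired image, recorded at collection time
    collected_by: str
    collected_at: datetime
    storage_location: str
    transfers: list = field(default_factory=list)

    def transfer(self, when, from_person, to_person, from_signature, to_signature, location):
        """Append a transfer entry; an entry lacking either signature is refused."""
        if not from_signature or not to_signature:
            raise ValueError("chain of custody transfer requires both parties' signatures")
        self.transfers.append(Transfer(when, from_person, to_person,
                                       from_signature, to_signature, location))
        self.storage_location = location

    def current_custodian(self):
        return self.transfers[-1].to_person if self.transfers else self.collected_by

    def custody_gaps(self):
        """Return a list of problems; an empty list means custody is continuous."""
        problems = []
        holder, last_time = self.collected_by, self.collected_at
        for i, t in enumerate(self.transfers, 1):
            if t.from_person != holder:
                problems.append(f"transfer {i}: released by {t.from_person!r} "
                                f"but the custodian on record is {holder!r}")
            if t.when.tzinfo is None:
                problems.append(f"transfer {i}: timestamp has no time zone")
            elif t.when < last_time:
                problems.append(f"transfer {i}: timestamp precedes the previous entry")
            else:
                last_time = t.when
            holder = t.to_person
        return problems


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(item: EvidenceItem, data: bytes) -> bool:
    """True if the stored image still matches the hash recorded at collection."""
    return sha256_of(data) == item.sha256


# Constructed sample: a few bytes stand in for a disk image acquired from a workstation.
SAMPLE_IMAGE = b"constructed disk image bytes"


def build_sample_log() -> EvidenceItem:
    item = EvidenceItem(
        evidence_id="EV-0001",
        description="Workstation WS-17, serial SN123456, MAC 00:11:22:33:44:55, IP 10.0.5.17",
        sha256=sha256_of(SAMPLE_IMAGE),
        collected_by="A. Handler (Incident Analyst)",
        collected_at=ist_time(2015, 3, 2, 10, 15),
        storage_location="Evidence locker 1",
    )
    # Hand-over from the collecting analyst to the forensic examiner, signed by both.
    item.transfer(ist_time(2015, 3, 2, 14, 0),
                  "A. Handler (Incident Analyst)", "B. Forensic (Forensic Examiner)",
                  "sig-A", "sig-B", "Forensic lab safe")
    return item
```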


Importance of keeping records and evidence relating to information security incidents

The incident response team should maintain records about the status of incidents along with other pertinent information. Using an application or a database, such as an issue tracking system, helps ensure that incidents are handled and resolved in a timely manner.

Audio and video documentation strategies

Recording details of evidence gathering with accessories including hard-bound notebooks, digital cameras, audio recorders, chain of custody forms etc. is one of the common strategies used to track incidents and security. In addition, laptops, audio recorders and digital cameras can also serve the purpose. Besides this, documenting system events, conversations and observed changes in files can lead to a more efficient, more systematic and less error prone handling of the problem.

Update the status of information security incidents

The incident handling team may need to provide status updates to certain parties, and in some cases to the entire organization. The team should plan and prepare several communication methods, including out-of-band methods (in person or on paper), and select the methods that are appropriate for a particular incident.

Possible communication methods include:
• Email
• Website (internal, external or portal)
• Telephone calls
• In person (daily briefings)
• Voice mailbox greeting (set up a separate voice mailbox for incident updates and update the greeting message to reflect the current incident status, and use the help desk's voice mail greeting)
• Paper (post notices on bulletin boards and doors, hand out notices at all entrance points etc.)

Incident status template

An incident status should carry a statement of the current status of the incident so that communications with the media are consistent and up-to-date. The template may include the following details:

• Current status of the incident (new, in progress, forwarded for investigation, resolved etc.)
• Summary of the incident
• Indicators related to the incident
• Other incidents related to this incident
• Actions taken by all incident handlers on this incident
• Chain of custody, if applicable
• Impact assessments related to the incident
• Contact information for other involved parties (e.g. system owners, system administrators)
• List of evidence gathered during the incident investigation
• Comments from incident handlers
• Next steps to be taken (e.g. rebuild the host, upgrade an application)

Preparing reports on information security incidents

This estimate may become the basis for subsequent prosecution activity by law

enforcement entities. Follow-up reports should be kept for a period of time as specified in record retention policies.

Another important post-incident activity is creating a follow-up report for each incident, which can be quite valuable for future use. The report provides a reference that can be used to assist in handling similar incidents.

Incident report templates

The incident report template should create a formal chronology of events, including time-stamped information such as log data from systems (important for legal reasons) and a monetary estimate of the amount of damage the incident caused.

Additionally, the following information may also be a part of the report:

• Number of incidents handled
• Time per incident
• Objective assessment of each incident
• Subjective assessment of each incident

Organizations should specify which incidents must be reported, when they must be reported and to whom. The parties most commonly notified are the CIO, head of information security, local information security officer, other incident response teams within the organization and system owners.

Submitting information security reports

Security follow-up reports are usually kept for a period of time as specified in record retention policies. Most organizations have data retention policies that state how long certain types of data may be kept. For example, an organization may state that email messages should be retained for only 180 days. If a disk image contains thousands of emails, the organization may not want the image to be kept for more than 180 days unless it is absolutely necessary.

Step 16: Incident damage and cost assessment

After the incident is adequately handled, the organization issues a report that details the cause and cost of the incident and the steps the organization should take to prevent future incidents.

The incident data, particularly the total hours of involvement and the cost, may be used to justify additional funding of the incident response team. The cost of storing evidence and the cost of retaining functional computers that can use the stored hardware and media can be substantial. Cost is a major factor, especially if employees are required to be onsite 24/7. Organizations may fail to include incident response-specific costs in budgets, such as sufficient funding for training and maintaining skills.

Step 17: Review and update the response policies

The organization must review and update response policies and related activities, gather information from the handlers, provide incident updates to other groups, and ensure that the team's needs are met. The gamut of the work may also include periodically reviewing and updating threat information through briefings, web postings, and mailing lists published by authorized agencies or public bodies.


Step 18: Training and awareness

Organizations must create, provision, and operate a formal incident response capability.

Security awareness and training checklist

Establishing incident response training and awareness should include the following actions:
• creating an incident response training and awareness policy and plan.
• developing procedures for performing incident handling and reporting.
• setting guidelines for communicating with outside parties regarding incidents.
• training IT staff on complying with the organization's security standards and making users aware of policies and procedures regarding appropriate use of networks, systems and applications.
• training should be provided for SOP (delineation of the specific technical processes, techniques, checklists and forms) users.
• staffing and training the incident response team.
• providing a solid training program for new employees.
• training to maintain networks, systems and applications in accordance with the organization's security standards.
• creating awareness of policies and procedures regarding appropriate use of networks, systems, and applications.

Incident response knowledge base

The knowledge base is the consolidated incident data collected into a common incident database. Organizations can create their own knowledge base or refer to those established by several groups and organizations. Although it is possible to build a knowledge base with a complex structure, a simple approach can be effective. Text documents, spreadsheets and relatively simple databases provide effective, flexible and searchable mechanisms for sharing data among team members. The knowledge base should also contain a variety of information, including explanations of the significance and validity of precursors and indicators, such as IDPS alerts, operating system log entries and application error codes.

Accessing and updating the knowledge base

An incident handler may need to access knowledge base information quickly during incident analysis; a centralized knowledge base provides a consistent and maintainable source of information. The knowledge base should include general information such as data on precursors and indicators of previous incidents.

Importance of tracking progress

Several groups collect and consolidate incident data from various organizations into incident databases. This information sharing may take place in many forms, such as trackers and real-time blacklists. The organization can also check its own

knowledge base or issue tracking system for related activity.

Corrective and preventative actions for information security incidents

In the absence of security controls, higher volumes of incidents may occur, overwhelming the incident response team. An incident response team may be able to identify problems that the organization is otherwise not aware of. The team can play a key role in risk assessment and training by identifying gaps.

The following text, however, provides a brief overview of some of the main recommended practices for securing networks, systems and applications:

• Periodic risk assessments of systems and applications to determine what risks are posed by combinations of threats and vulnerabilities.
• Hardened hosts, appropriately using standard configurations while keeping each host properly patched; hosts should be configured to follow the principle of least privilege — granting users only the privileges necessary for performing their authorized tasks.
• The network perimeter should be configured to deny all activity that is not expressly permitted.
• Software to detect and stop malware should be deployed throughout the organization.
• Users should be made aware of policies and procedures regarding appropriate use of networks, systems and applications.


UNIT IV
Handling Malicious Code Incidents

This unit covers:

• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
5.1. Incident handling preparation
5.2. Incident prevention
5.3. Detection of Malicious Code
5.4. Containment strategy
5.5. Evidence gathering and handling
5.6. Eradication and Recovery


Lesson Plan

Columns: Performance Outcomes | Ensuring Measures | Duration (Hrs) | Work Environment / Lab Requirement

Performance Outcomes: To be competent, you must be able to:
PC5. liaise with stakeholders to gather, validate and provide information related to information security incidents, where required
PC9. update the status of information security incidents following investigation/action using standard templates and tools
Ensuring Measures: 1. Creation of templates based on the learnings. 2. Peer review with faculty with appropriate feedback.
Duration (Hrs): 4 hrs
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Projection facilities

Performance Outcomes: You need to know and understand:
KA7. the importance of tracking progress and corrective and preventative actions for information security incidents
KA10. different types of information security incidents and how to deal with these
Ensuring Measures: KA7 Peer review with faculty with appropriate feedback. KA10 Team work (IM and chat applications) and group activities (online forums) including templates to be prepared.
Duration (Hrs): 8 hrs
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Center for Internet Security
• Security Templates from ITIL, ISO


Suggested Learning Activities


Activity 1:

Divide students into groups and assign them the following task: list various service providers and products that help in addressing malicious code incidents through prevention and eradication. Compare the features and benefits of the various products and service providers. Present your findings in class and compare them with those of your peers.

Activity 2:

Research various OSs and their inbuilt provisions to prevent malicious code incidents. Present the same in class.


Training Resource Material

Malicious code refers to a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs or otherwise compromise the security or integrity of the victim's data. Generally, malicious code is designed to perform these nefarious functions without the system's user knowing. Malicious code attacks can be divided into five categories: viruses, Trojan horses, worms, mobile code and blended.

4.1 Incident Handling Preparation

Preparation is the first step in handling an incident; it accounts for establishing an incident response capability so that the organization is ready to respond to incidents, but also for preventing incidents by ensuring that systems, networks and applications are sufficiently secure.

Incident handling procedures include the following requirements:
• Contact information for team members and others within and outside the organization (primary and back-up contacts), such as law enforcement and other incident response teams etc.
• On-call information for other teams within the organization, including escalation information.
• Incident reporting mechanisms, such as phone numbers, email addresses, online forms and secure instant messaging systems that users can use to report suspected incidents.
• Issue tracking system for tracking incident information, status etc.
• Encryption software to be used for communication among team members, within the organization and with external parties and federal agencies; the software must use a FIPS-validated encryption algorithm.
• Digital forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data.
• Laptops for activities such as analyzing data, sniffing packets and writing reports.
• Portable printer to print copies of log files and other evidence from non-networked systems.
• Packet sniffers and protocol analyzers to capture and analyze network traffic.
• Port lists, including commonly used ports and Trojan horse ports.
• Documentation for OSs, applications, protocols, and intrusion detection and antivirus products.
• Network diagrams and lists of critical assets, such as database servers.

• Current baselines of expected network, system and application activity.
• Cryptographic hashes of critical files to speed incident analysis, verification and eradication.
• Access to images of clean OS and application installations for restoration and recovery purposes.

For malicious code incidents, the following preparation steps can be taken:

STEP 1. Make users aware of malicious code issues – this information should include a basic review of the methods that malicious code uses to propagate and the symptoms of infections. Holding regular user education sessions helps to ensure that users are aware of the risks that malicious code poses.
STEP 2. Read antivirus vendor bulletins – sign up for mailing lists from antivirus vendors that provide timely information on new malicious code threats.
STEP 3. Deploy host-based intrusion detection systems to critical hosts – host-based IDS software can detect signs of malicious code incidents such as configuration changes and system executable modifications. File integrity checkers are useful in identifying the affected components of a system.

Some organizations configure their network perimeters to block connections to specific common Trojan horse ports, with the goal of preventing Trojan horse client and server component communications. However, this approach is generally ineffective. Known Trojan horses use hundreds of different port numbers, and many Trojan horses can be configured to use any port number. Also, some Trojan horses use the same port numbers that legitimate services use, so their communication cannot be blocked by port number. Some organizations also implement port blocking incorrectly, so legitimate connections are sometimes blocked. Implementing filtering rules for each Trojan horse port will also increase the demands placed on the filtering device. Generally, a Trojan horse port should be blocked only if the organization has a serious Trojan horse infestation.
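The cryptographic hashes of critical files listed among the preparation items, and the file integrity checking mentioned under STEP 3, as an added example that is not the handbook's own code: it records a SHA-256 baseline (with size and permission bits) for a set of critical files, then compares the host against that baseline to report modified, removed and added files. The file names and contents are constructed in a temporary directory; `demo()` plays out a simulated infection against the baseline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, relative_paths) -> dict:
    """Record hash, size and permission bits for each critical file, keyed by relative path."""
    baseline = {}
    for rel in relative_paths:
        p = root / rel
        st = p.stat()
        baseline[rel] = {"sha256": sha256_file(p), "size": st.st_size, "mode": st.st_mode & 0o777}
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    # In practice the baseline is kept on write-once or off-host media; an intruder who
    # can modify a critical file must not also be able to rewrite its recorded hash.
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(root: Path, baseline: dict, watched_paths) -> dict:
    """Classify each file as modified, removed, added or unchanged relative to the baseline."""
    report = {"modified": [], "removed": [], "added": [], "unchanged": []}
    for rel, recorded in baseline.items():
        p = root / rel
        if not p.exists():
            report["removed"].append(rel)
        elif sha256_file(p) != recorded["sha256"] or (p.stat().st_mode & 0o777) != recorded["mode"]:
            report["modified"].append(rel)
        else:
            report["unchanged"].append(rel)
    for rel in watched_paths:
        # A file that now exists in a watched location but has no baseline entry is new.
        if rel not in baseline and (root / rel).exists():
            report["added"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: baseline three files, then simulate a malicious code incident."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "svchost").write_bytes(b"legitimate executable v1")
        (root / "bin" / "lsass").write_bytes(b"another executable")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        watched = ["bin/svchost", "bin/lsass", "etc/hosts"]
        baseline = build_baseline(root, watched)
        save_baseline(baseline, root / "baseline.json")

        # Simulated incident: one executable altered, a configuration file edited,
        # an unknown binary dropped into bin/, and one executable deleted.
        (root / "bin" / "svchost").write_bytes(b"legitimate executable v1" + b"\x00extra")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 av-update.example\n")
        (root / "bin" / "dropper").write_bytes(b"new unknown binary")
        (root / "bin" / "lsass").unlink()

        return compare(root, load_baseline(root / "baseline.json"), watched + ["bin/dropper"])
```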


Figure: Incident Captured in system32 files


4.2 Incident Prevention

Incident prevention objectively works on minimizing larger negative business impact (e.g. more extensive damage, longer periods of service and data unavailability etc.) and reducing the number of incidents. Although incident response teams are generally not responsible for securing resources, they can be advocates of sound security practices. They can play a key role in identifying problems that the organization is otherwise not aware of, and the team can play a key role in risk assessment and training by identifying gaps.

Some of the recommended practices for securing networks, systems and applications include:

• periodic risk assessments of systems and applications.
• hardening of hosts appropriately using standard configurations.
• configuring network perimeters, such as securing all connection points, such as virtual private networks (VPNs) and dedicated connections to other organizations.
• deploying malware protection at the host level (server and workstation operating systems), the application server level (email server, web proxies etc.) and the application client level (email clients, instant messaging clients etc.).
• applying the learning from previous incidents, and sharing it with users so they can see how their actions could affect the organization.

For preventing malicious code incidents, the following steps can be taken:

STEP 1. Use antivirus software: antivirus software is a necessity to combat the threat of malicious code and limit damage. The software should be running on all hosts throughout the organization, and all copies should be kept current with the latest virus signatures so that the newest threats can be thwarted. Antivirus software should also be used for applications used to transfer malicious code, such as e-mail, file transfer and instant messaging software. The software should be configured to perform periodic scans of the system as well as real-time scans of each file as it is downloaded, opened or executed. The antivirus software should also be configured to disinfect and quarantine infected files. Some antivirus products not only look for viruses, worms and Trojan horses, but they also examine HTML, ActiveX, JavaScript and other types of mobile code for malicious content.
STEP 2. Block suspicious files: configure email servers and clients to block attachments with file extensions that are associated with malicious code (e.g. .pif, .vbs) and suspicious file extension combinations (e.g. .txt.vbs, .htm.exe).
STEP 3. Limit the use of nonessential programs with file transfer capabilities: examples include peer-to-peer file and music sharing
289
Trainer’s Handbook – Security Analyst SSC/N0902

programs, instant messaging software and IRC clients and servers. These programs are frequently used to spread malicious code among users.

STEP 4. Educate users on the safe handling of email attachments: antivirus software should be configured to scan each attachment before opening it. Users should not open suspicious attachments or attachments from unknown sources. Users should also not assume that if the sender is known, the attachment is not infected. Senders may not know that their systems are infected with malicious code that can extract email addresses from files and send copies of the malicious code to those addresses. This activity creates the impression that the emails are coming from a trusted person even though the person is not aware that they have been sent. Users can also be educated on file types that they should never open (e.g. .bat, .com, .exe, .pif, .vbs). Although user awareness of good practices should lessen the number and severity of malicious code incidents, organizations should assume that users will make mistakes and infect systems.

STEP 5. Eliminate open Windows shares: many worms spread through unsecured shares on hosts running Windows. If one host in the organization is infected with a worm, it could rapidly spread to hundreds or thousands of other hosts within the organization through their unsecured shares. Organizations should routinely check all hosts for open shares and direct the system owners to secure the shares properly. Also, the network perimeter should be configured to prevent traffic that uses NetBIOS ports from entering or leaving the organization’s networks. This should not only prevent external hosts from directly infecting internal hosts through open shares but should also prevent internal worm infections from spreading to other organizations through open shares.

STEP 6. Use web browser security to limit mobile code: all web browsers should have their security settings configured so as to prevent unsigned ActiveX and other mobile code vehicles from unknowingly being downloaded to and executed on local systems. Organizations should consider establishing an internet security policy that specifies which types of mobile code may be used from various sources (e.g. internal servers, external servers).

STEP 7. Configure email clients to act more securely: email clients throughout the organization should be configured to avoid actions that may inadvertently permit infections to occur. For example, email clients should not automatically execute attachments.
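STEP 2 and STEP 4 above, as an added example that is not code from the handbook: a Python attachment-name check that a mail gateway or client plug-in could apply before a message is delivered. The extension lists, the classify_attachment and scan_messages functions and the sample messages are all assumptions constructed for this example; the check also handles names padded with spaces or ending in a trailing dot, which some clients ignore when deciding how to open a file.

```python
"""Attachment-name policy for a mail gateway, following STEP 2 and STEP 4.

Added example, not code from the handbook. The extension lists are
illustrative (the handbook's own examples plus a few common executable
types) and would be maintained as organizational policy in practice.
"""
from pathlib import PurePosixPath

# Extensions associated with malicious code; compared case-insensitively.
EXECUTABLE_EXTENSIONS = {
    ".bat", ".com", ".exe", ".pif", ".vbs",          # named in the handbook
    ".scr", ".cmd", ".js", ".jse", ".wsf", ".hta",   # added, same class of risk
}

# Extensions a user reads as harmless. An executable extension following one
# of these (".txt.vbs", ".htm.exe") is a deliberate disguise and is blocked.
DECOY_EXTENSIONS = {
    ".txt", ".htm", ".html", ".pdf", ".doc", ".docx",
    ".xls", ".xlsx", ".jpg", ".png",
}


def _normalize(filename: str) -> list[str]:
    """Return the name's dot-separated parts after removing path components,
    surrounding whitespace and trailing dots, which mail clients and Windows
    ignore when deciding how to open a file."""
    name = PurePosixPath(filename.replace("\\", "/")).name
    name = name.strip().rstrip(".").lower()
    # Padding inside the name ("invoice.pdf      .exe") hides the real
    # extension behind whitespace, so strip each part individually.
    return [part.strip() for part in name.split(".")]


def classify_attachment(filename: str) -> tuple[str, str]:
    """Return ("block", reason) or ("allow", reason) for one attachment name."""
    parts = _normalize(filename)
    if len(parts) < 2:
        return "allow", "no extension"
    exts = ["." + p for p in parts[1:]]   # every extension, in order
    last = exts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            return "block", f"suspicious extension combination {exts[-2]}{last}"
        return "block", f"executable extension {last}"
    hidden = [e for e in exts[:-1] if e in EXECUTABLE_EXTENSIONS]
    if hidden:
        # "setup.exe.txt" is not executable as delivered; allow but say why.
        return "allow", f"executable extension {hidden[0]} not in final position"
    return "allow", "extension not on block list"


def scan_messages(messages):
    """messages: iterable of (message_id, [attachment names]).
    Returns the attachments to block as (message_id, name, reason) tuples."""
    blocked = []
    for msg_id, attachments in messages:
        for att in attachments:
            verdict, reason = classify_attachment(att)
            if verdict == "block":
                blocked.append((msg_id, att, reason))
    return blocked


# Constructed sample messages (not real mail data).
SAMPLE_MESSAGES = [
    ("msg-001", ["quarterly-report.pdf", "budget.xlsx"]),
    ("msg-002", ["photo.jpg.exe"]),
    ("msg-003", ["readme.txt", "holiday-card.txt.vbs"]),
    ("msg-004", ["C:\\Users\\alice\\tool.bat."]),
]

if __name__ == "__main__":
    for item in scan_messages(SAMPLE_MESSAGES):
        print("BLOCK", *item)
```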


4.3 Detection of Malicious Code

Detection of malicious code involves preparing to handle incidents that use common attack vectors. Some of the key aspects useful in detecting malicious code are:

screening attack vectors such as removable media or other peripheral devices.

keeping a tab on network flow information through routers and other networking devices, which can be used to find anomalous network activity caused by malware, data exfiltration and other malicious acts.

monitoring alerts sent by most IDPS products, which use attack signatures to identify malicious activity. The signatures must be kept up to date so that the newest attacks can be detected.

observing antivirus software alerts; antivirus software detects various forms of malware, generates alerts and prevents the malware from infecting hosts.

maintaining and using a rich knowledge base replete with explanations of the significance and validity of precursors and indicators, such as IDPS alerts, operating system log entries and application error codes.

following appropriate containment procedures, which require disconnecting the host from the network so that it cannot cause further damage.

Because malicious code incidents can take many forms, they may be detected via a number of precursors and indications. Some precursors and possible responses are listed below:

Precursor: An alert warns of new malicious code that targets software that the
organization uses.

Response: Research the new virus to determine whether it is real or a hoax. This can be
done through antivirus vendor websites and virus hoax sites. If the malicious code is
confirmed as authentic, ensure that antivirus software is updated with virus signatures for
the new malicious code. If a virus signature is not yet available, and the threat is serious
and imminent, the activity might be blocked through other means, such as configuring
email servers or clients to block emails matching characteristics of the new malicious
code. The team might also want to notify antivirus vendors of the new virus.


Precursor: Antivirus software detects and successfully disinfects or quarantines a newly received infected file.

Response: Determine how the malicious code entered the system and what vulnerability
or weakness it was attempting to exploit. If the malicious code might pose a significant
risk to other users and hosts, mitigate the weaknesses that the malicious code used to
reach the system and would have used to infect the target host.

Similarly, there are certain indications that can highlight the onset of a malicious action. For example:

Malicious action: a virus that spreads through email infects a host.
Indicators:
 Antivirus software alerts of infected files
 Sudden increase in the number of emails being sent and received
 Changes to templates for word processing documents, spreadsheets etc.
 Deleted, corrupted or inaccessible files
 Unusual items on the screen such as odd messages and graphics
 Programs start slowly, run slowly or do not run at all
 System instability and crashes

Malicious action: a worm that spreads through a vulnerable service infects a host.
Indicators:
 Antivirus software alerts of infected files
 Port scans and failed connection attempts targeted at the vulnerable service (e.g. open Windows shares, HTTP)
 Increased network usage
 Programs start slowly, run slowly or do not run at all
 System instability and crashes

Malicious action: malicious mobile code on a Web site is used to infect a host with a virus, worm or Trojan horse.
Indicators:
 Indications listed above for the pertinent type of malicious code
 Unexpected dialog boxes, requesting permission to do something
 Unusual graphics such as overlapping or overlaid message boxes

Malicious action: a Trojan horse is installed and running on a host.
Indicators:
 Antivirus software alerts of Trojan horse versions of files
 Network intrusion detection alerts of Trojan horse client-server communication
 Firewall and router log entries for Trojan horse client-server communication
 Network connections between the host and unknown remote systems
 Unusual and unexpected ports open
 Unknown processes running
 High amounts of network traffic generated by the host, particularly if directed at external host(s)
 Programs start slowly, run slowly or do not run at all
 System instability and crashes

4.4 Containment Strategy

Containment strategies vary based on the type of incident. For example, the strategy for containing an email-borne malware infection is quite different from that of a network-based DDoS attack. Organizations should create separate containment strategies for each major incident type, with criteria documented clearly to facilitate decision making.

Criteria for determining the appropriate strategy include:

 Potential damage to and theft of resources
 Need for evidence preservation
 Service availability (e.g. network connectivity or services provided to external parties)
 Time and resources needed to implement the strategy
 Effectiveness of the strategy (e.g. partial containment or full containment)
 Duration of the solution (e.g. emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks or permanent solution)

Containment strategy for malicious code incidents may include:

Identifying and isolating other infected hosts: antivirus alert messages are a good source of information, but not every infection will be detected by antivirus software. Incident handlers may need to search for indications of infection through other means such as:

 performing port scans to detect hosts listening on a known Trojan horse or backdoor port.
 using antivirus scanning and clean-up tools released to combat a specific instance of malicious code.
 reviewing logs from email servers, firewalls and other systems that the malicious code may have passed through as well as individual host logs.
 configuring network and host intrusion detection software to identify activity associated with infections.
 auditing the processes running on systems to confirm that they are all legitimate.

Sending unknown malicious code to antivirus vendors: malicious code that cannot be definitively identified by antivirus software may occasionally enter the environment. Eradicating the malicious code from systems and preventing additional infections may be difficult or impossible without having updated antivirus signatures from the vendor. Incident handlers should be familiar with the procedures for submitting copies of unknown malicious code to the organization’s antivirus vendors.

Configuring email servers and clients to block emails: many email programs can be configured manually to block emails by


particular subjects, attachment names or other criteria that correspond to the malicious code. This is neither a foolproof nor an efficient solution, but it may be the best option available if an imminent threat exists and antivirus signatures are not yet available.

Blocking outbound access: if the malicious code attempts to generate outbound emails or connections, handlers should consider blocking access to IP addresses or services to which the infected system may be attempting to connect.

Shutting down email servers: during the most severe malicious code incidents with hundreds or thousands of internal hosts infected, email servers may become completely overwhelmed by viruses trying to spread via email. It may be necessary to shut down an email server to halt the spread of email-borne viruses.

Isolating networks from the internet: networks may become overwhelmed with worm traffic when a severe worm infestation occurs. Occasionally a worm will generate so much traffic throughout the internet that network perimeters are completely overwhelmed. It may be better to disconnect the organization from the internet, particularly if the organization’s internet access is essentially useless as a result of the volume of worm traffic. This protects the organization’s systems from being attacked by external worms. Should the organization’s systems already be infected, this prevents them from attacking other systems and adding to the traffic congestion.


4.5 Evidence Gathering and Handling

The primary reason for gathering evidence during an incident is to resolve the incident; however, it may also be needed for legal proceedings. In incident analysis, evidence is gathered using hardware and software and related accessories such as hard-bound notebooks, digital cameras, audio recorders, chain of custody forms, evidence storage bags and tags, and evidence tape, so that evidence is preserved for possible legal actions.

With respect to legal proceedings, it is important to clearly document how all evidence, including compromised systems, has been preserved. Evidence should be collected according to procedures that meet all applicable laws and regulations and that have been developed from previous discussions with legal staff and appropriate law enforcement agencies, so that any evidence can be admissible in court. Thus, users and system administrators should be made aware of the steps that they should take to preserve evidence.

4.6 Eradication and Recovery


After an incident has occurred, it is important to identify all affected hosts within the organization so that they can be remediated. For some incidents, eradication is either not necessary or is performed during recovery. In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally and (if applicable) remediate vulnerabilities to prevent similar incidents.

Eradication procedures may be performed in the following ways:

 identify and mitigate all vulnerabilities that were exploited.
 remove malware, inappropriate materials and other components.
 repeat the detection and analysis steps to identify all other affected hosts, if more affected hosts are discovered (e.g. new malware infections).
 contain and eradicate the incident in accordance with appropriate procedures.

Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords and tightening network perimeter security (e.g. firewall rulesets, boundary router access control lists).

Some of the recommended practices in recovery procedures are:

 return affected systems to an operationally ready state
 confirm that the affected systems are functioning normally
 implement additional monitoring to look for future related activity, if necessary


Eradication and recovery should be done in a phased approach so that remediation steps are prioritized.

Antivirus systems

Antivirus software effectively identifies and removes malicious code infections; however, some infected files cannot be disinfected. (Files can be deleted and replaced with clean backup copies. In the case of an application, the affected application can be reinstalled.) If the malicious code provided attackers with root-level access, it may not be possible to determine what other actions the attackers may have performed. In such cases, the system should either be restored from a previous, uninfected backup or be rebuilt from scratch. Of course, the system should then be secured so that it will not be susceptible to another infection from the same malicious code. Antivirus software sends alerts when it detects that a host is infected with malware. It detects various forms of malware, generates alerts and prevents the malware from infecting hosts. Current antivirus products are effective at stopping many instances of malware if their signatures are kept up to date. Anti-spam software is used to detect spam and prevent it from reaching users’ mailboxes. Spam may contain malware, phishing attacks and other malicious content, so alerts from anti-spam software may indicate attack attempts.

Case Study on Incident Handling Process

The Challenge

A large, multinational organization was alerted by US-CERT/FBI that it had been the
source of a number of credit cards and details being leaked/sold on underground
(carding) forums. After an initial investigation, the organization's security team
discovered a compromised credit-card processing server but, having insufficient
resources and skills in dealing with the incident, called in OSEC.

The Solution

OSEC sent a team of analysts, including Incident Response, Crisis Management, and
Digital Forensics personnel to the organization's head office and data centres to deal
with the incident. Once there, the team initiated full incident response based on the
information supplied by the organization itself as well as law enforcement/authorities.

Planning - After The Fact


The first task was understanding what measures were in place to deal with the
incident. Unfortunately, while the organization had an incident response plan, it had
not undertaken the first step of Incident Response - preparation. OSEC's incident
response manager, along with the team, got to work coming up with a strategy:
analysing the available information, using it to understand the extent of the
compromise, and the incident, and working out how to contain and eradicate it. All the
while, information to the rest of the organization and the world at large had to be
controlled, due to the possible legal and regulatory implications.


Now that you know the security challenge the organization faced, read the Detection and Eradication process that was adopted to handle the incident in a controlled manner:

Detection and Analysis

Containment required understanding what data had been exfiltrated, and working back
from there to the compromised resources, as well as examining the rest of the
environment for other footholds that the attackers had. Quickly gaining an
understanding of the network and segmentation, as well as rapidly implementing
network behavioural analysis and performing content inspection between the payment
processing infrastructure and external networks, OSEC detected connections back to
command and control servers that were known to be operated by organized criminal
elements ('carders'). From there, we started performing analysis of the compromised
systems using forensics techniques to determine how and what vulnerabilities had been
exploited to gain access, correlating that with available logging information, all the while
monitoring network flows to both ensure that no additional card information was being
exfiltrated for the purposes of understanding what machines were under their control,
all without alerting the bad guys.

Within a short amount of time, OSEC determined that a third-party web application/site
that was vulnerable to SQL injection had been initially compromised, and then used as a
"base of operations" to penetrate further into the network, ultimately gaining access to
the payment processing segments. By targeting administrators using social engineering
attacks in combination with an Internet Explorer vulnerability, they had then stolen
credentials that could be used to authenticate to payment processing servers, and
utilized privilege escalation vulnerabilities on the servers themselves to harvest credit
card numbers as they were being processed. In addition, they had installed customized
malware that communicated with the command and control servers and exfiltrated data
through encrypted tunnels, in bursts, to evade detection.


Containment and Eradication

OSEC then went about stopping the spread of the malware and compromise, and expelling the attackers from the network. Once we had determined that the malware installed would not respond negatively to loss of connectivity to command and control servers, we quickly:

 ensured the initial point of compromise (SQL injection) was corrected
 scanned for similar common vulnerabilities in externally-visible systems, and ensured any identified issues were corrected
 reset all relevant authentication credentials
 blocked the attackers at the network perimeter.

We then set about isolating and cleaning each of the compromised hosts as quickly as we could, in coordination with IT personnel, to ensure that the processing systems were impacted as little as possible. In most cases, we were able to wipe hosts and perform recovery to ensure all traces of malware were eradicated, but a number of systems required manual cleaning, which we undertook with the relevant organizational resources, and initiated extensive monitoring to ensure no undetected issues remained.

Finally, once the full extent of the breach was understood - particularly what and how
much data had been stolen, OSEC coordinated with PR and Legal personnel to manage
client and other regulatory-body notifications.
Post-Incident Activity

Once the immediate incident had been dealt with, OSEC performed a post-mortem
analysis of the incident, the organization's response, and compared it to OSEC's
internally-developed IR processes, procedures, and frameworks to identify what
needed to be done to ensure IR, vulnerability management, as well as overall
Information Security Management process and procedures were improved such that
future incidents would be minimized. We then sat down with the various stakeholders
in the organization that had been involved and discussed the incident and response,
explaining the relevant issues, identifying organizational problems that also needed to
be corrected, as well as future strategies for avoiding incidents and dealing with them
when they occurred, communicating our recommended incident response strategy and
implementation to the organization's senior levels.

Having reviewed OSEC's recommendations, the organization then asked us back to
assist with implementing them. Over a 3-month period, OSEC led a number of efforts,
including implementing protection mechanisms at the host, application, and network
layers; establishing a functioning vulnerability management within the overall
information security management program, verifying processes, helping with staffing
and training, and performing incident response drills to test the final product.

The Result
Twelve months after implementing the recommendations, and achieving a practical
incident response program, the organization has not suffered any subsequent
breaches. In addition, it has gained the assurance, through incident response drills, that
should a breach occur, response will be swift and effective.


UNIT V
Handling Network Security Incidents

This unit covers:

 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
5.1. Network Reconnaissance Incidents
5.2. Denial of Service Attacks
5.3. Unauthorised Access Incidents
5.4. Inappropriate Usage Incidents
5.5. Multiple Component Incidents

Lesson Plan

Outcomes: To be competent, you must be able to:
PC5. liaise with stakeholders to gather, validate and provide information related to information security incidents, where required
PC9. update the status of information security incidents following investigation/action using standard templates and tools
Performance Measures: 1. Creation of templates based on the learnings. 2. Peer review with faculty with appropriate feedback.
Duration (Hrs): 4 hrs
Ensuring Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Projection facilities

Outcomes: You need to know and understand:
KA7. the importance of tracking progress and corrective and preventative actions for information security incidents
KA10. different types of information security incidents and how to deal with these
Performance Measures: KA7 Peer review with faculty with appropriate feedback. KA10 Team work (IM and chat applications) and group activities (online forums) including templates to be prepared.
Duration (Hrs): 8 hrs
Ensuring Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security
 Security Templates from ITIL, ISO

Suggested Learning Activities

Activity 1:

Present to class different types of incidents that impact network security and research
various service providers who offer services for network incident management. Compare
their offerings.

Activity 2:

Create an action plan for your training institute for addressing network security incidents.
As part of the plan state do’s and don’ts for the network administrator and users.


Training Resource Material

Intruders probe over computer networks to gather information about computer systems and
resources. A probe is any attempt launched to detect:

• active hosts and networks that are reachable over a public or an accessible
medium.

• services and applications they are running that could be connected to any
vulnerability that these services and applications may have, which could be
exposed and taken advantage of.

5.1 Network Reconnaissance Incidents

Probes can be classified appropriately into three main activities:

Host detection

Host detection essentially aims to establish liveness of a host along with its network address. Hardware addresses may also be sought by intruders having access to the same segment as the target.

Port enumeration

Port enumeration is to do with the listing of TCP/UDP services running on a host. This may be a list of all services or only those of particular interest to an intruder, along with the port address they are running on.

Vulnerability assessment

Vulnerability assessment seeks to establish information on the type and version of the operating system and the different applications running on a machine. Version and patch level details about an operating system and applications are important to judge the possible exploits that could be used to attack the host.


A probe could be seen to be launched by an intruder in two modes:

1. Active
2. Passive

An active probe involves some attempted interaction over the network on behalf of the
intruder. This may involve sending a packet directly to a target host or a network or
some intermediary used for the purposes of probing.

A passive probe, on the other hand, would involve an intruder restricting herself to
sniffing and logging traffic, originating from and destined to a potential or an identified
target and obtaining relevant information. The choice of being passive may be due to
reasons of configuration or access or it may be a deliberate act by an intruder to avoid
detection.

Passive probes, by their nature, are hard to detect. Any reconnaissance information gained
using such tactics, however, is limited to the traffic visible to an intruder. Active probes
are necessary if an intruder wishes to gather information that is both timely and of her choosing.

A variety of techniques exist for active probes, including making use of mechanisms such as the TCP handshake to judge a host’s liveness, fingerprinting the protocol stack (which often indicates the operating system the host is running), probing DNS servers and grabbing service banners volunteering information on the host.

Most active probes make use of techniques that use the core protocols of modern day communications, namely IP, ICMP, TCP and UDP. Common approaches to counter-probing activity at this level include:

• filtering inbound ICMP probes (responses to which are used to determine what machine is alive).
• filtering outbound ICMP responses to UDP port scanning attempts (where a lack of response allows an intruder to determine a live host).
• filtering inbound TCP probes with different combinations of flags set (the response, or lack of it, may indicate to an intruder whether a host is live or not, depending on the flags set and the operating system probed).
• using a variety of firewalling techniques that allow throttling of probes and stateful mechanisms that disallow unsolicited packets aimed at generating responses from target hosts.

A somewhat more proactive approach is suggested by Kang et al, who propose to generate false positive responses to any probes attempting to detect hosts or enumerate ports targeting an unused address space or closed ports on active hosts. Their approach, referred to as all

positive response (APR), is designed to make it difficult for an intruder to distinguish active hosts from inactive ones, and open ports from closed ones. To an intruder, all machines appear active and all ports appear open. Such an approach could also help in detecting any packets that follow up after initial probes, which attempt to probe the host further, enumerating ports or assessing some vulnerability.

Using false responses is useful in hiding any information about the network that an intruder may try to gather, but an all positive approach will certainly indicate to an intruder that false responses are being generated to all probing. Another important issue is that generating false responses for a very large network may require untenably large resources, and may therefore not be scalable. Some factors to consider here are the size of the entire (used and unused) address space that the false response needs to be generated for, the rate at which the network is probed, the various types of probes launched (that need to be responded to) and the memory state required to detect any attempts at intrusion that follow up a false response.

Generating a false positive response to probes targeting a closed port on an active host could also result in a conflict: an active host may have a port closed at the time of the probe, but the port may open (upon the host initiating a connection or starting a service, for instance) sometime after the false response is generated. Some alternatives to APR could be designed so that such responses are generated:

 where some probes are randomly replied to and some are not.
 to a specified subset of the unused address space. This subset could be chosen randomly (from a given chunk of addresses) or strategically (from an address space used non-contiguously).
 for all probes destined for the unused address space. This is similar to APR, except that only probes destined for the unused parts of the address space are replied to and one or a few services depicted.

Handling specific types of incidents

 Denial of Service (DoS) — an attack that prevents the usage of network, system or application resources.
 Malicious Code — a virus, worm, Trojan horse or other code based malicious entity that infects a host.
 Unauthorized Access — a user gains access without permission to a network, system, application, data or other resource.
 Inappropriate Usage — a user violates acceptable computing use policies.
 Multiple Component — a single incident that encompasses two or more incidents. For example, a malicious code infection leads to unauthorized access to a host, which is then used to gain unauthorized access to additional hosts.


Fig: A Sample Network Reconnaissance Check Screenshot
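The host detection, port enumeration and TCP flag probes described in 5.1, seen from the defender's side as an added example (not code from the handbook or from Kang et al): a small Python analyser over constructed firewall log lines that reports one source sweeping many hosts, one source enumerating many ports on a host, and TCP flag combinations that no legitimate client sends. The log format, thresholds, and the analyse and build_sample_log names are assumptions made for this example.

```python
"""Detecting host-detection and port-enumeration probes in firewall logs.

Added example, not code from the handbook. It runs over constructed log
lines in an assumed format "<epoch> <src> <dst> <proto> <dport> <flags> <action>"
(dport and flags are "-" when absent) and reports three probe patterns
discussed in the text: one source touching many hosts, one source touching
many ports on one host, and TCP flag sets that never open a real connection.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<dport>\d+|-) (?P<flags>[A-Z]*|-) (?P<action>ALLOW|DENY)$"
)

# Flag sets (letters sorted) that never start a legitimate connection; the
# text above notes such combinations are sent to elicit OS-dependent replies.
ABNORMAL_FLAG_SETS = {
    "": "NULL probe (no flags set)",
    "F": "FIN-only probe",
    "FPU": "Xmas probe (FIN/PSH/URG)",
    "FS": "SYN+FIN probe",
}
HOST_THRESHOLD = 10   # distinct destinations from one source per window
PORT_THRESHOLD = 10   # distinct ports on one destination from one source


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    ev["flags"] = "" if ev["flags"] == "-" else "".join(sorted(ev["flags"]))
    return ev


def analyse(lines, window=60):
    """Return findings as (src_ip, kind, detail) tuples."""
    by_src = defaultdict(list)
    for ev in (parse_line(ln) for ln in lines):
        if ev:
            by_src[ev["src"]].append(ev)

    findings = []
    for src, events in by_src.items():
        buckets = defaultdict(list)            # time window -> events
        for ev in events:
            buckets[ev["ts"] // window].append(ev)
        for win, evs in sorted(buckets.items()):
            dsts = {ev["dst"] for ev in evs}   # host detection: breadth
            ports_by_dst = defaultdict(set)    # port enumeration: depth
            for ev in evs:
                if ev["dport"] != "-":
                    ports_by_dst[ev["dst"]].add(int(ev["dport"]))
            if len(dsts) >= HOST_THRESHOLD:
                findings.append((src, "host sweep", f"{len(dsts)} hosts in window {win}"))
            for dst, ports in ports_by_dst.items():
                if len(ports) >= PORT_THRESHOLD:
                    findings.append((src, "port enumeration", f"{len(ports)} ports on {dst}"))
        seen = set()                           # report each flag set once per source
        for ev in events:
            key = ev["flags"]
            if ev["proto"] == "TCP" and key in ABNORMAL_FLAG_SETS and key not in seen:
                seen.add(key)
                findings.append((src, "abnormal TCP flags", ABNORMAL_FLAG_SETS[key]))
    return findings


def build_sample_log():
    """Constructed sample log (documentation address ranges), not real traffic."""
    lines = [f"{1000 + i} 10.0.0.5 10.0.1.{i} ICMP - - DENY" for i in range(1, 13)]
    scanned = [21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389]
    lines += [f"{2000 + i} 203.0.113.7 10.0.2.10 TCP {p} S DENY" for i, p in enumerate(scanned)]
    lines.append("2020 203.0.113.7 10.0.2.10 TCP 80 FPU DENY")
    lines += [f"{3000 + i * 20} 192.0.2.20 10.0.2.10 TCP 443 S ALLOW" for i in range(3)]
    return lines


if __name__ == "__main__":
    for finding in analyse(build_sample_log()):
        print(*finding)
```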


5.2 Denial of Service Incidents


DoS prevents authorized use of IT resources. Tips for responding to a network distributed denial-of-service (DDoS) incident.

General considerations

 DDoS attacks often take the form of flooding the network with unwanted traffic. Some attacks focus on overwhelming resources of a specific system.
 It will be very difficult to defend against the attack without specialized equipment or your ISP’s help.
 Too many people often participate during incident response. Limit the number of people on the team.
 DDoS incidents may span days. Consider how your team will handle a prolonged attack. Humans get tired!
 Understand your equipment’s capabilities in mitigating a DDoS attack. Many underappreciate the capabilities of their devices or overestimate their performance.

Prepare for a future incident

 If you do not prepare for a DDoS incident in advance, you will waste precious time during the attack.
 Contact your ISP to understand the paid and free DDoS mitigation it offers and what process you should follow.
 Create a whitelist of the source IPs and protocols you must allow if prioritizing traffic during an attack. Include your big customers, critical partners etc.
 Confirm DNS time-to-live (TTL) settings for the systems that might be attacked. Lower the TTLs, if necessary, to facilitate DNS redirection if the original IPs get attacked.
 Establish contacts for your ISP, law enforcement, IDS, firewall, systems and network teams.
 Document your IT infrastructure details, including business owners, IP addresses and circuit IDs. Prepare a network topology diagram and an asset inventory.
 Understand business implications (e.g. money lost) of likely DDoS attack scenarios.
 If the risk of a DDoS attack is high, consider purchasing specialized DDoS mitigation products or services.
 Collaborate with your BCP/DR planning team to understand their perspective on DDoS incidents.
 Harden the configuration of network, OS and application components that may be targeted by DDoS.
 Baseline your current infrastructure’s performance so you can identify the attack faster and more accurately.

Analyse the attack

 Understand the logical flow of the DDoS attack and identify the infrastructure components affected by it.
 Review the load and logs of servers, routers, firewalls, applications and other affected infrastructure.
 Identify what aspects of the DDoS traffic differentiate it from benign traffic (e.g. specific source IPs, destination ports, URLs, TCP flags etc.).
305
Trainer’s Handbook – Security Analyst SSC/N0902

 Use a network analyzer (e.g. tcpdump,  Route traffic through a traffic-


ntop, Aguri, MRTG, a NetFlow tool) to scrubbing service or product via DNS or
review the traffic. routing changes.
 Contact your ISP and internal teams to  If adjusting defenses, make one change
learn about their visibility into the at a time, so you know the cause of the
attack, and to ask for help. changes you may observe.
 If contacting the ISP, be specific about  Configure egress filters to block the
the traffic you would like to control traffic your systems may send in
(e.g. blackhole what networks blocks to response to DDoS traffic to avoid
be blackholed what source IPs to be adding unnecessary packets to the
rate-limited). network.
 Find out whether the company
Wrap up the incident and adjust
received an extortion demand as a
precursor to the attack.  consider what preparation steps you
 Create a NIDS signature to focus to could have taken to respond to the
differentiate between benign and incident faster or more effectively.
malicious traffic, if possible.  adjust assumptions that affected the
 Notify your company’s executive and decisions made during DDoS incident
legal teams upon their direction. preparation, if necessary.
Consider involving law enforcement.  assess the effectiveness of your DDoS
response process, involving people and
Mitigate the effects of the attack
communication.
 While it is very difficult to fully block  consider what relationships inside and
DDoS attacks. You may be able to outside your organizations could help
mitigate their effects. you with future incidents.
 Attempt to throttle or block DDoS
Key DDoS incident response steps
traffic as close to the network’s “cloud”
as possible via a router, firewall, load  Preparation: establish contacts, define
balancer, specialized device etc. procedures and gather tools to save
 Terminate unwanted connections or time during an attack.
processes on servers and routers and  Analysis: detect the incident,
tune their TCP/ IP settings. determine its scope and involve the
 Switch to alternate sites or networks appropriate parties.
using DNS or another mechanism.  Mitigation: mitigate the attack’s effects
Blackhole DDoS traffic targeting the on the targeted environment.
original IPs, if possible.  Wrap up: document the incident’s
 If the bottle neck is a particular a details, discuss lessons learned and
feature of an application, temporarily adjust plans and defenses.
disable that feature.
 Add servers or network bandwidth to
handle the DDoS load (this is an arms
race though).
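The "baseline your infrastructure" and "identify what differentiates the DDoS traffic from benign traffic" steps above can be carried out on web-server logs with a short script. The following is an added example written for this handbook section, not code from the handbook or from any vendor: it takes constructed Apache-style access-log lines, computes a requests-per-second baseline from a quiet period, flags the seconds in which the rate exceeds the baseline by a margin, and summarises the dominant source /24 networks and URL paths in the flagged traffic. The 10-second baseline window, the "mean + 3 sigma" threshold and the sample addresses (RFC 5737 documentation ranges) are assumptions chosen for the demonstration.

```python
# Added example (not from the handbook): baseline the request rate of a web
# server from a quiet period, flag the seconds in which the rate jumps well
# above that baseline, and summarise what distinguishes the flagged traffic
# (dominant source /24 networks and URL paths). Log lines are constructed
# Apache-style samples; the 10-second baseline window and the "mean + 3 sigma"
# threshold are assumptions chosen for the demonstration.
import re
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return ip, ts (aware datetime, second granularity), path, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def requests_per_second(entries):
    """Count requests in each one-second bucket (timestamps have no sub-second part)."""
    return Counter(e["ts"] for e in entries)


def baseline(entries):
    """Mean and population std-dev of requests/second over the quiet period."""
    values = list(requests_per_second(entries).values())
    return mean(values), pstdev(values)


def detect_flood(entries, base_mean, base_std, k=3.0):
    """Seconds whose request count exceeds baseline mean + k * std-dev."""
    threshold = base_mean + k * base_std
    return sorted(t for t, c in requests_per_second(entries).items() if c > threshold)


def discriminators(entries, flagged_seconds, top=3):
    """What characterises the flagged traffic: top source /24 networks and top paths."""
    flagged = set(flagged_seconds)
    attack = [e for e in entries if e["ts"] in flagged]
    nets = Counter(".".join(e["ip"].split(".")[:3]) + ".0/24" for e in attack)
    paths = Counter(e["path"].split("?")[0] for e in attack)
    return nets.most_common(top), paths.most_common(top)


def analyse(lines, baseline_window=10, k=3.0):
    """Parse the log, baseline on the first `baseline_window` seconds, then report."""
    entries = [e for e in map(parse_line, lines) if e]
    start = min(e["ts"] for e in entries)
    quiet = [e for e in entries
             if (e["ts"] - start).total_seconds() < baseline_window]
    base_mean, base_std = baseline(quiet)
    flagged = detect_flood(entries, base_mean, base_std, k)
    nets, paths = discriminators(entries, flagged)
    return {"baseline_mean": base_mean, "baseline_std": base_std,
            "flagged_seconds": [t.strftime("%H:%M:%S") for t in flagged],
            "top_nets": nets, "top_paths": paths}


def build_sample_log():
    """Constructed sample: ten quiet seconds with 2-3 requests/s from varied
    clients, then two seconds in which one /24 hammers a search endpoint."""
    fmt = '{ip} - - [10/Oct/2015:13:55:{s:02d} +0000] "GET {p} HTTP/1.1" {st} 512'
    quiet_paths = ["/", "/index.html", "/about"]
    lines = []
    for s in range(10):
        for n in range(2 + s % 2):
            lines.append(fmt.format(ip=f"192.0.2.{10 + n}", s=s,
                                    p=quiet_paths[(s + n) % 3], st=200))
    for s in (10, 11):
        for n in range(40):
            lines.append(fmt.format(ip=f"203.0.113.{n % 20 + 1}", s=s,
                                    p=f"/search?q={n}", st=503))
    return lines


if __name__ == "__main__":
    for key, value in analyse(build_sample_log()).items():
        print(f"{key}: {value}")
```

The discriminators reported (a single /24 and a single query-heavy path) are exactly the facts to hand to the ISP or to put into a rate-limit or scrubbing rule; aggregating by /24 and by path without its query string is what makes a spread of 20 source addresses and 40 distinct URLs collapse into one recognisable pattern.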


5.3 Unauthorized Access Incidents


Examples of unauthorised access include:

• performing a remote root compromise of an email server.
• defacing a web server.
• guessing and cracking passwords.
• copying a database containing credit card numbers.
• viewing sensitive data, including payroll records and medical information, without authorization.
• running a packet sniffer on a workstation to capture usernames and passwords.
• using a permission error on an anonymous FTP server to distribute pirated software and music files.
• dialing into an unsecured modem and gaining internal network access.
• posing as an executive, calling the help desk, resetting the executive’s email password and learning the new password.
• using an unattended, logged-in workstation without permission.

Preparation

• configure network based and host based IDS software (such as file integrity checkers and log monitors) to identify and alert on attempts to gain unauthorized access. Each type of intrusion detection software may detect attacks that others are not able to detect.
• use centralized log servers so pertinent information from hosts across the organization is stored in a single secured location.
• establish procedures to be followed when all users of an application, system, trust domain or organization should change their passwords because of a password compromise. The procedures should adhere to the organization’s password policy.
• discuss unauthorized access incidents with system administrators so that they understand their roles in the incident handling process.

Prevention

Network security

Configure the network perimeter to deny all incoming traffic that is not expressly permitted.

Secure all remote access methods properly, including modems and VPNs. An unsecured modem can provide easily attainable unauthorized access to internal systems and networks. War dialling is the most efficient technique for identifying improperly secured modems. When securing remote access, carefully consider the trustworthiness of the clients. If they are outside the organization’s control, they should be given as little access to resources as possible, and their actions should be closely monitored.

Put all publicly accessible services on secured demilitarized zone (DMZ) network segments. The network perimeter can then be configured so that external hosts can establish connections only to hosts on the DMZ, not internal network segments.


Use private IP addresses for all hosts on internal networks. This will severely restrict the ability of attackers to establish direct connections to internal hosts.

Host security

• perform regular vulnerability assessments to identify serious risks and mitigate the risks to an acceptable level.
• disable all unneeded services on hosts. Separate critical services so they run on different hosts. If an attacker then compromises a host, immediate access should be gained only to a single service.
• run services with the least privileges possible to reduce the immediate impact of successful exploits.
• use host based firewall software to limit individual hosts’ exposure to attacks.
• limit unauthorized physical access to logged-in systems by requiring hosts to lock idle screens automatically and asking users to log off before leaving the office.
• verify the permission settings regularly for critical resources, including password files, sensitive databases and public web pages. This process can easily be automated to report changes in permissions on a regular basis.

Authentication and authorization

• create a password policy that requires the use of complex, ‘difficult-to-guess’ passwords, forbids password sharing, and directs users to use different passwords on different systems, especially external hosts and applications.
• require sufficiently strong authentication, particularly for accessing critical resources.
• create authentication and authorization standards for employees and contractors to follow when developing software. For example, passwords should be strongly encrypted using a FIPS 140-2 validated algorithm when they are transmitted or stored.
• establish procedures for provisioning and de-provisioning user accounts. These should include an approval process for new account requests and a process for periodically disabling or deleting accounts that are no longer needed.

Physical security

• Implement physical security measures that restrict access to critical resources.

Detection and analysis

As unauthorized access incidents can occur in many forms, they can be detected through dozens of types of precursors and indications.

Precursors

List of precursors and respective responses:

Precursor: unauthorized access incidents are often preceded by reconnaissance activity to map hosts and services and to identify vulnerabilities. Activity may include port scans, host scans, vulnerability scans, pings, trace routes, DNS zone transfers, OS fingerprinting and banner grabbing. Such activity is detected primarily through IDS software and secondarily, through log analysis.

Response: incident handlers should look for distinct changes in reconnaissance patterns. For example, a sudden interest in a particular port number or host. If this activity points out a vulnerability that could be exploited, the organization may have time to block future attacks by mitigating the vulnerability (e.g. patching a host, disabling an unused service, modifying firewall rules etc.).

Precursor: a new exploit for gaining unauthorized access is released publicly, and it poses a significant threat to the organization.

Response: the organization should investigate the new exploit and, if possible, alter security controls to minimize the potential impact of the exploit for the organization.

Precursor: users report possible social engineering attempts — attackers trying to trick them into revealing sensitive information, such as passwords, or encouraging them to download or run programs and file attachments.

Response: the incident response team should send a bulletin to users with guidance on handling the social engineering attempts. The team should determine what resources the attacker was interested in and look for corresponding log based precursors, as it is likely that the social engineering is only part of the reconnaissance.

Precursor: a person or system may observe a failed physical access attempt (e.g. outsider attempting to open a locked wiring closet door, unknown individual using a cancelled ID badge).

Response: security should detain the person, if possible. The purpose of the activity should be determined and it should be verified that the physical and computer security controls are strong enough to block the apparent threat. (An attacker who cannot gain physical access may perform remote computing based attacks instead.) Physical and computer security controls should be strengthened if necessary.
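The first precursor above, reconnaissance showing up as "a sudden interest in a particular port number or host", is the kind of pattern log analysis can surface even where no IDS is in place. The following is an added example written for this handbook section, not code from the handbook or from any IDS product: it reads constructed perimeter-firewall drop records, and reports a source that probes many ports on one host inside a short window as a port scan and a source that touches many hosts on the same port as a host sweep. The log format, the 60-second window, the thresholds of ten distinct ports or ten distinct hosts, and the sample addresses are assumptions made for the demonstration.

```python
# Added example (not from the handbook): spot reconnaissance precursors in
# perimeter firewall logs. A source that probes many ports on one host inside a
# short window is reported as a port scan; one that touches many hosts on the
# same port is reported as a host sweep. The log format, the 60-second window
# and the thresholds are constructed assumptions for the demonstration.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\S+) fw DROP src=(?P<src>\S+) dst=(?P<dst>\S+) '
    r'proto=(?P<proto>\S+) dport=(?P<dport>\d+)$'
)


def parse(line):
    """One firewall drop record -> dict, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m.group("ts")), "src": m.group("src"),
            "dst": m.group("dst"), "dport": int(m.group("dport"))}


def find_recon(lines, window_s=60, port_threshold=10, host_threshold=10):
    """Return one finding per suspicious source: the kind of activity, the
    distinct-port or distinct-host count that triggered it, and when it began."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        j = 0
        for i, first in enumerate(evs):          # sliding window evs[i:j]
            while j < len(evs) and (evs[j]["ts"] - first["ts"]).total_seconds() <= window_s:
                j += 1
            ports_by_dst = defaultdict(set)
            for e in evs[i:j]:
                ports_by_dst[e["dst"]].add(e["dport"])
            max_ports = max(len(p) for p in ports_by_dst.values())
            hosts = len(ports_by_dst)
            for kind, count, threshold in (("port_scan", max_ports, port_threshold),
                                           ("host_sweep", hosts, host_threshold)):
                # keep only the strongest window per source so each source is reported once
                if count >= threshold and count > findings.get(src, {}).get("count", 0):
                    findings[src] = {"src": src, "kind": kind, "count": count,
                                     "first_seen": first["ts"].isoformat()}
    return sorted(findings.values(), key=lambda f: f["src"])


def build_sample_log():
    """Constructed sample records (documentation address ranges)."""
    t0 = datetime(2015, 10, 10, 13, 55, 0)
    lines = []
    # 198.51.100.7 walks 25 consecutive ports on one host within 25 seconds
    for i in range(25):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} fw DROP "
                     f"src=198.51.100.7 dst=10.0.0.5 proto=tcp dport={21 + i}")
    # 198.51.100.9 tries port 445 on 15 hosts within 15 seconds
    for i in range(15):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} fw DROP "
                     f"src=198.51.100.9 dst=10.0.0.{1 + i} proto=tcp dport=445")
    # background noise: three SSH attempts to one host spread over minutes
    for i in range(3):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} fw DROP "
                     f"src=203.0.113.4 dst=10.0.0.5 proto=tcp dport=22")
    return lines


if __name__ == "__main__":
    for f in find_recon(build_sample_log()):
        print(f"{f['src']}: {f['kind']} ({f['count']}) from {f['first_seen']}")
```

Tuning is the operational part: the thresholds should sit above what vulnerability scanners and monitoring systems the organization itself runs will produce, and those sources belong on an allowlist, otherwise every authorized scan becomes a false precursor.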

Indications

List of malicious actions and their respective indicators:

Malicious action: root compromise of a host

Indicators:
• Hacker tools on system
• Unusual traffic to/from host
• System configuration changes
• Modification of critical files
• Unexplained account usage
• Strange OS/application log messages

Malicious action: unauthorized data modification (e.g. web server defacement, FTP warez server)

Indicators:
• Network intrusion detection alerts
• Increased resource utilization
• User reports of the data modification (e.g. defaced website)
• Modifications to critical files (e.g. web pages)
• New files or directories with unusual names (e.g. binary characters, leading spaces, leading dots etc.)
• Significant changes in expected resource usage (e.g. CPU, network activity, full logs or file systems)

Malicious action: unauthorized usage of standard user account

Indicators:
• Access attempts to critical files (e.g. password files)
• Unexplained account usage (e.g. idle account in use, account in use from multiple locations at once, commands that are unexpected from a particular user, large number of locked-out accounts)
• Web proxy log entries showing the download of hacker tools

Containment, eradication and recovery

Initial containment elements

• Isolation of affected system
• Disabling affected service
• Eliminate attacker’s route
• Disable user accounts used in attack
• Enhance physical security

Eradication and recovery

Successful attackers frequently install rootkits, which modify or replace dozens or hundreds of files, including system binaries. Rootkits hide much of what they do, making it tricky to identify what was changed. Therefore, if an attacker appears to have gained root access to a system, handlers cannot trust the operating system software. Typically, the best solution is to restore the system from a known good backup or reinstall the operating system and applications from scratch, and then secure the system properly. Changing all passwords on the system, and possibly on all systems that have trust relationships with the victim system, is also highly recommended.

Some unauthorized access incidents involve the exploitation of multiple vulnerabilities, so it is important for handlers to identify all vulnerabilities that were used and to determine strategies for correcting or mitigating each vulnerability. Other vulnerabilities that are present should be mitigated as well or an attacker may use them instead.

If an attacker only gains a lesser level of access than administrator level, eradication and recovery actions should be based on the extent to which the attacker gained access. Vulnerabilities that were used to gain access should be mitigated appropriately.

Additional actions should be performed as merited to identify and address weaknesses systemically. For example, if an attacker gained user level access by guessing a weak password, then not only should that account’s password be changed to a stronger password, but also the system administrator and owner should consider enforcing stronger password requirements. If the system was in compliance with the organization’s password policies, the organization should consider revising its password policies.

Recommendations

Key recommendations for handling unauthorized access incidents are summarized below:

• configure intrusion detection software to alert on attempts to gain unauthorized access. Network and host based intrusion detection software (including file integrity checking software) is valuable for detecting attempts to gain unauthorized access. Each type of software may detect incidents that the other types of software cannot, so the use of multiple types of computer security software is highly recommended.
• configure all hosts to use centralized logging. Incidents are easier to detect if data from all hosts across the organization is stored in a centralized, secured location.
• establish procedures for having all users change their passwords. A password compromise may force the organization to require all users of an application, system, trust domain or, perhaps, the entire organization to change their passwords.
• configure the network perimeter to deny all incoming traffic that is not expressly permitted. By limiting the types of incoming traffic, attackers should be able to reach fewer targets and should be able to reach the targets using only designated protocols. This should reduce the number of unauthorized access incidents.
• secure all remote access methods, including modems and VPNs. Unsecured modems provide easily attainable unauthorized access to internal systems and networks. Remote access clients are often outside the organization’s control; granting them access to resources increases risk.
• put all publicly accessible services on secured DMZ network segments. This permits the organization to allow external hosts to initiate connections to hosts only on the DMZ segments, not to hosts on internal network segments. This should reduce the number of unauthorized access incidents.
• disable all unneeded services on hosts and separate critical services. Every service that is running presents another potential opportunity for compromise. Separating critical services is important because if an attacker compromises a host that is running a critical service, immediate access should be gained only to that one service.
• use host based firewall software to limit individual hosts’ exposure to attacks. Deploying host based firewall software to individual hosts and configuring it to deny all activity that is not expressly permitted should further reduce the likelihood of unauthorized access incidents.
• create and implement a password policy. The password policy should require the use of complex, ‘difficult-to-guess’ passwords and ensure that authentication methods are sufficiently strong for accessing critical resources. Weak and default passwords are likely to be guessed or cracked, leading to unauthorized access.
• provide change management information to the incident response team. Indications such as system shutdowns, audit configuration changes and executable modifications are probably caused by routine system administration rather than attacks. When such indications are detected, the team should be able to use change management information to verify that the indications are caused by authorized activity.
• select containment strategies that balance mitigating risks and maintaining services. Incident handlers should consider moderate containment solutions that focus on mitigating the risks as much as is practical while maintaining unaffected services.
• restore or reinstall systems that appear to have suffered a root compromise. The effects of root compromises are often difficult to identify completely. The system should be restored from a known good backup, or the operating system and applications should be reinstalled from scratch. The system should then be secured properly so the incident cannot recur.
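Several of the items in this section rely on the same mechanism: file integrity checking software (under Preparation and in the first recommendation), regular automated verification of permission settings on critical resources (under Host security), and "modification of critical files" as an indicator of a root compromise. The following is an added example written for this handbook section, not code from the handbook or from any integrity-checking product: it records a SHA-256 digest together with the permission bits and owner of each watched file, stores that baseline as JSON (in a real deployment the baseline would be kept off-host or on read-only media, since a rootkit on the same host could alter it), and later reports content changes, permission changes and missing files. The file names and the tampering scenario are constructed in a temporary directory, and the example assumes a POSIX host where chmod changes the mode bits.

```python
# Added example (not from the handbook): a minimal file integrity check that
# records a SHA-256 digest together with the permission bits and owner of each
# critical file, stores that baseline as JSON (in practice off-host), and later
# reports content changes, permission changes and missing files. File names and
# the tampering scenario are constructed in a temporary directory; it assumes a
# POSIX host where chmod changes the mode bits.
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Digest plus mode/owner, so a permission-only change is also caught."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid}


def build_baseline(paths):
    return {p: fingerprint(p) for p in paths}


def save_baseline(baseline, dest):
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(src):
    with open(src) as f:
        return json.load(f)


def verify(baseline):
    """Return (path, field, expected, actual) for every deviation found."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.lexists(path):
            findings.append((path, "missing", expected, None))
            continue
        actual = fingerprint(path)
        for field in ("sha256", "mode", "uid", "gid"):
            if actual[field] != expected[field]:
                findings.append((path, field, expected[field], actual[field]))
    return findings


def demo():
    """Constructed scenario: baseline three files, then simulate tampering
    (content appended, permissions loosened, one file removed)."""
    with tempfile.TemporaryDirectory() as d:
        paths = {name: os.path.join(d, name)
                 for name in ("passwd", "shadow", "sshd_config")}
        for name, p in paths.items():
            with open(p, "w") as f:
                f.write(f"# {name} sample content\n")
        os.chmod(paths["shadow"], 0o600)
        store = os.path.join(d, "baseline.json")
        save_baseline(build_baseline(paths.values()), store)

        with open(paths["passwd"], "a") as f:       # an account line appended
            f.write("added:x:1001:1001::/home/added:/bin/sh\n")
        os.chmod(paths["shadow"], 0o644)            # permissions loosened
        os.remove(paths["sshd_config"])             # file deleted

        return sorted((os.path.basename(p), field)
                      for p, field, _, _ in verify(load_baseline(store)))


if __name__ == "__main__":
    for name, field in demo():
        print(f"{name}: {field} changed")
```

Fed with change-management information, as the recommendations above suggest, each finding can be matched against an approved change before it is treated as an indication; anything unmatched on a password file, a system binary or a public web page is exactly the "modification of critical files" indicator listed for root compromise and defacement.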


5.4 Inappropriate usage incident


An inappropriate usage incident occurs when a user performs actions that violate acceptable computing use policies. Although such incidents are often not security related, handling them is very similar to handling security related incidents. Therefore, it has become commonplace for incident response teams to handle many inappropriate usage incidents. Examples of incidents a team might handle include users who —

• download password cracking tools or pornography.
• send spam promoting a personal business.
• email harassing co-workers.
• set up an unauthorized website on one of the organization’s computers.
• use file or music sharing services to acquire or distribute pirated materials.
• transfer sensitive materials from the organization to external locations.

Recommendations

Key recommendations for handling inappropriate usage incidents include:

• discuss the handling of inappropriate usage incidents with the organization’s human resources and legal departments. Processes for monitoring and logging user activities should comply with the organization’s policies and all applicable laws. Procedures for handling incidents that directly involve employees should incorporate discretion and confidentiality.
• discuss liability issues with the organization’s legal departments. Liability issues may arise during inappropriate usage incidents, particularly for incidents that are targeted at outside parties. Incident handlers should understand when they should discuss incidents with the allegedly attacked party and what information they should reveal.
• configure network based intrusion detection software to detect certain types of inappropriate usage. Intrusion detection software has built-in capabilities to detect certain inappropriate usage incidents, such as the use of unauthorized services, outbound reconnaissance activity and attacks and improper mail relay usage (e.g. sending spam).
• log basic information on user activities. Basic information on user activities such as FTP commands, web requests, and email headers may be valuable for investigative and evidentiary purposes.
• configure all email servers so they cannot be used for unauthorized mail relaying. Mail relaying is commonly used to send spam.
• implement spam filtering software on all email servers. Spam filtering software can block much of the spam sent by external parties to the organization’s users as well as spam that is sent by internal users.
• implement URL filtering software. It prevents access to many inappropriate websites. Users should be required to use the software, typically by preventing access to external websites unless the traffic passes through a server that performs URL filtering.

5.5 Multiple component incident

A multiple component incident is a single incident that encompasses two or more incidents. For example, the following could comprise a multiple component incident:

1. Malicious code spread through email compromises an internal workstation.
2. An attacker (who may or may not be the one who sent the malicious code) uses the infected workstation to compromise additional workstations and servers.
3. An attacker (who may or may not have been involved in steps 1 or 2) uses one of the compromised hosts to launch a DDoS attack against another organization.

This multiple component incident consists of a malicious code incident, several unauthorized access incidents and a DoS incident.

Recommendations

The key recommendations for handling multiple component incidents are given below:

• use centralized logging and event correlation software. Incident handlers should identify an incident as having multiple components more quickly if all precursors and indications are accessible from a single point of view.
• contain the initial incident and then search for signs of other incident components. It can take an extended period of time for a handler to authoritatively determine that an incident has only a single component; meanwhile, the initial incident has not been contained. It is generally better to contain the initial incident first.
• prioritize the handling of each incident component. Resources are probably too limited to handle all incident components simultaneously. Components should be prioritized based on the current component and its response guidelines.
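The three-step scenario above and the "single point of view" recommendation can be illustrated with a small correlation routine. The following is an added example written for this handbook section, not code from the handbook or from any SIEM product: given event records already gathered in one place (an anti-virus alert, interactive logons, and flow records), it starts from the anti-virus alert, follows only those logons that originate from an already-compromised host and occur after that host was compromised, and then looks for high-volume outbound traffic from any host in the resulting set, producing the three components of the incident and a containment order that puts the initial component first. The event records, host names and the packets-per-second threshold are constructed for the demonstration; timestamps are simple "HH:MM" strings so they compare in order.

```python
# Added example (not from the handbook): correlate events gathered in one place
# into a multiple component incident. Starting from an anti-virus alert, it
# follows later logons that originate from an already-compromised host to find
# the unauthorized access components, and then looks for high-volume outbound
# traffic from any of those hosts (the DoS component). Event records, host
# names and the packet-rate threshold are constructed for the demonstration.
from collections import deque

EVENTS = [  # constructed sample, following the handbook's three-step scenario
    {"ts": "13:01", "type": "av_alert", "host": "ws-01", "detail": "trojan in mail attachment"},
    {"ts": "13:05", "type": "logon", "src": "ws-09", "dst": "srv-05", "detail": "unrelated admin work"},
    {"ts": "13:07", "type": "logon", "src": "ws-01", "dst": "srv-02", "detail": "SMB admin logon"},
    {"ts": "13:09", "type": "logon", "src": "ws-01", "dst": "srv-03", "detail": "SMB admin logon"},
    {"ts": "13:15", "type": "logon", "src": "srv-03", "dst": "srv-04", "detail": "RDP logon"},
    {"ts": "12:50", "type": "logon", "src": "srv-02", "dst": "srv-06", "detail": "before the compromise"},
    {"ts": "13:40", "type": "netflow", "src": "srv-04", "dst": "198.51.100.20", "pps": 90000},
    {"ts": "13:41", "type": "netflow", "src": "srv-05", "dst": "203.0.113.8", "pps": 40},
]


def correlate(events, pps_threshold=10000):
    """Group related events into one incident with its components."""
    seeds = {e["host"]: e["ts"] for e in events if e["type"] == "av_alert"}
    compromised = dict(seeds)            # host -> time it is believed compromised
    queue = deque(seeds)
    logons = sorted((e for e in events if e["type"] == "logon"), key=lambda e: e["ts"])

    # breadth-first walk over logons: only edges leaving a compromised host
    # *after* its compromise time count, so earlier legitimate logons are ignored
    while queue:
        h = queue.popleft()
        for e in logons:
            if e["src"] == h and e["ts"] >= compromised[h] and e["dst"] not in compromised:
                compromised[e["dst"]] = e["ts"]
                queue.append(e["dst"])

    dos = [(e["src"], e["dst"]) for e in events
           if e["type"] == "netflow" and e["src"] in compromised
           and e["ts"] >= compromised[e["src"]] and e["pps"] >= pps_threshold]
    lateral = sorted((h for h in compromised if h not in seeds), key=compromised.get)
    return {"malicious_code": sorted(seeds),
            "unauthorized_access": lateral,
            "dos": dos,
            # contain the initial component first, then the others in order of spread
            "containment_order": sorted(seeds) + lateral}


if __name__ == "__main__":
    for component, hosts in correlate(EVENTS).items():
        print(f"{component}: {hosts}")
```

The temporal check is what keeps the correlation honest: srv-02 logged on to srv-06 before srv-02 was compromised, so srv-06 is not pulled into the incident, and the low-rate flow from srv-05 is not a DoS component because srv-05 was never reached from the seed host.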

314
Trainer’s Handbook – Security Analyst SSC/ Q0903

SSC/ N 0903
Install, configure and troubleshoot information
security devices

UNIT I: Configuring Network Devices


UNIT II: Configuring Secure Content Management
UNIT III: Configuring Firewall
UNIT IV: Troubleshooting Cisco IOS Firewall Configurations
UNIT V: Cisco IOS Firewall IDS
UNIT VI: IPS Configuration
UNIT VII: Anti-virus and Antispam Software
UNIT VIII: Web Application Security Configuration
UNIT IX: Patch Management


Unit Code: SSC/ N 0903

Unit Title (Task): Install, configure and troubleshoot information security devices

Description: This unit is about installing/configuring information security devices and resolving any problems, following clearly laid down instructions and guidelines.

Scope: This unit/task covers the following:

Information security devices may cover:
• Identify and Access Management (IdAM)
• networks (wired and wireless)
• devices
• endpoints/edge devices
• storage devices
• servers
• software
• application security
• application support
• application penetration
• application testing
• content management
• messaging
• web security
• security of infrastructure
• infrastructure devices (e.g. routers, firewall services)
• computer assets, servers and storage networks
• messaging
• intrusion detection/prevention
• security incident management
• third party security management
• personnel security requirements

Appropriate people:
• line manager
• members of the security team
• subject matter experts

Stakeholders:
• internal
• external
Performance Criteria (PC) w.r.t. the Scope

The user / individual on the job should be able to:

PC1. identify the information security devices you are required to install/configure/troubleshoot and source relevant instructions and guidelines
PC2. identify any issues with instructions and guidelines for installing/configuring information security devices and clarify these with appropriate people
PC3. liaise with stakeholders clearly and promptly regarding the installation/configuration of information security devices
PC4. install/configure information security devices as per instructions and guidelines
PC5. test installed/configured information security devices, following instructions and guidelines
PC6. resolve problems with security devices, following instructions and guidelines
PC7. obtain advice and guidance on installing/configuring/testing/troubleshooting information security devices from appropriate people, where required
PC8. record the installation/configuration/testing/troubleshooting of information security devices promptly using standard templates and tools
PC9. provide reports for troubleshooting, configurations and deployment using standard templates and tools
PC10. comply with your organization’s policies, standards, procedures, guidelines and service level agreements (SLAs) when installing / configuring / troubleshooting information security devices
Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company / organization and its processes)

The user/individual on the job needs to know and understand:

KA1. your organization’s policies, procedures, standards, guidelines and client specific service level agreements for installing, configuring and troubleshooting information security devices
KA2. limits of your role and responsibilities and who to seek guidance from where required
KA3. your organization’s systems, procedures and tasks/checklists relevant to your work and how to use these
KA4. the importance of following manufacturer’s installation guides and procedures and how to access and apply these to install, configure and troubleshoot information security devices
KA5. who to involve when installing, configuring and troubleshooting information security devices
KA6. methods and techniques used when working with others
KA7. the importance of recording issues when installing/configuring/troubleshooting information security devices and how to report these
KA8. standard tools and templates available and how to use these to record installation/configuration/troubleshooting

B. Technical Knowledge

The user/individual on the job needs to know and understand:

KB1. different types of information security devices and their functions
KB2. different technical and configuration specifications for information security devices and how this affects function and use
KB3. architecture concepts and design patterns and how these contribute to the security of design and devices
KB4. common issues that may occur when installing or configuring information security devices and how to resolve these
KB5. methods of testing installed/configured information security devices


THE UNITS

The module for this NOS is divided into 9 Units.

UNIT I: Configuring Network Devices


1.1. Identifying Unauthorized Devices
1.2. Testing the Traffic Filtering Devices
1.3. Solutions Combining Traffic Filtering with Other Technologies
UNIT II: Configuring Secure Content Management
2.1 Secure Content Management Overview
2.2 The importance of Secure Content Management
2.3 How does Secure Content Management Work?
2.4 Solution Architectures
UNIT III: Configuring Firewall
3.1. What Firewall Software Does?
3.2. Firewall Configuration
3.3. Why Firewall Security?
3.4. Configuring a Simple Firewall
UNIT IV: Troubleshooting Cisco IOS Firewall Configurations
4.1 Troubleshooting Cisco IOS Firewall Configurations
UNIT V: Cisco IOS Firewall IDS
5.1 Cisco IOS Firewall IDS feature
5.2 Cisco IOS Firewall IDS Signature List
5.3 Cisco IOS Firewall IDS Configuration Task List
UNIT VI: IPS Configuration
6.1 Understanding IPS Network Sensing
6.2 Overview of IPS Configuration
UNIT VII: Anti-virus and Antispam Software
7.1 Antivirus Software
7.2 Antispam Software
UNIT VIII: Web Application Security Configuration
8.1 Web Application Security Overview
8.2 Configuring Cisco Web Application Security Module
UNIT IX: Patch Management
9.1 Patch Management Overview
9.2 The Patch Management Process
9.3 Windows Patch Management Tools


UNIT I
Configuring Network Devices

This Unit covers:


 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
1.1. Identifying Unauthorized Devices
1.2. Testing the Traffic Filtering Devices
1.3. Solutions Combining Traffic Filtering with Other
Technologies


LESSON PLAN

Performance Outcomes: To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
Ensuring Measures: Peer group, Faculty group and Industry experts.
Duration (Hrs): 2 hr in class presentations
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Projection facilities

Performance Outcomes: You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks security
• communication
• application security
Ensuring Measures: KA4, KA5: Peer group, Faculty group and Industry experts. KB1 - KB4: Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline Research and Learning activity.
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Center for Internet Security


Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research various types of attacks and get examples of each type of virus, Trojan, worm and other malware. The group that gets the maximum number of correct examples will get a prize.

Activity 2:

Ask the students to research cases of attacks over the years and the impact of those attacks on the organisations where they occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.


Trainer Resource Material

1.1. Identifying Unauthorized Devices


Most organizations today use some form of asset management. These systems work great for managing assets that are known and permitted within the environment, but offer little visibility or control over rogue machines that may be connecting to the network.

The challenge with rogue devices is that they are not part of the management framework. This means that they are not part of any standards, policies, security controls, or patch updates. They pose a unique threat to an environment.

Consider a server that a developer built to test something and never decommissioned. This server remains online, running company code on an unpatched database. Without actively monitoring the network, there is no way that an administrator can have any real idea of the volume of unmanaged systems on the network.

The greater the number of unmanaged systems, the greater the risk to the network. Where administrators have audited the network, typically between 1 percent and 10 percent of assets were previously unknown to the administrator. Once detected, local system administrators can manage modest numbers of assets. However, if the volume or location of rogue assets is excessive or dangerous, these results provide justification and motivation for automated and proactive enforcement performed by Network Access Control.

Identify Assets

There are two general approaches to identifying assets on the network, techniques that are very similar in nature to finding viruses:
• on-access or real-time detection,
• on-demand or scheduled detection.

Note that the optimal solution is likely to be able to cater for both approaches to device identification.

Real-time detection - Relies on detection of traffic generated by the endpoint. The benefit is its
timely nature—detection is immediate. Consequently, you can take action very quickly. The
downside of this approach is that since detection is based on traffic generated by the endpoint,
there must be a sensor located near this traffic. This technique may not be practical for all network
topologies.

Scheduled detection - The system queries network addresses for a response according to a
schedule. This model can overcome the proximity limitations of the first approach. Sensors can
execute scans from a limited number of locations or a single location on the network. The
downside of this approach is that detection is not immediate. It is limited to the detection interval
determined by the schedule. As in the example of off-hours scanning, rogue systems may operate
on the network between detection scans and escape identification.


Further steps to identifying unauthorised devices include an asset inventory tool.

Asset Inventory Tool

Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to an organization's public and private network(s). Both active tools that scan through network address ranges and passive tools that identify hosts based on analysing their traffic should be employed.

Deploy DHCP Server logging, and utilize a system to improve the asset inventory and help detect unknown systems through this DHCP information.

All equipment acquisitions should automatically update the inventory system as new, approved devices are connected to the network.

Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device.

The inventory should include every system that has an Internet Protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice over IP telephones, multi-homed addresses, virtual addresses, etc.

The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether or not they are attached to the organization's network. Make sure the asset inventory database is properly protected and a copy stored in a secure location.

In addition to an inventory of hardware, organizations should develop an inventory of information assets that identifies their critical information. The information asset inventory should map critical information to the hardware assets (including servers, workstations, and laptops) on which it is located. A department and individual responsible for each information asset should be identified, recorded, and tracked.

Further to the asset inventory tool, the organisation needs to:
• Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network.
• Deploy network access control (NAC) to monitor authorized systems so if attacks occur, the impact can be remediated by moving the untrusted system to a virtual local area network that has minimal access.
• Create separate VLANs for BYOD (bring your own device) systems or other untrusted devices.
• Utilize client certificates to validate and authenticate systems prior to connecting to the private network.

Organizations must first establish information/asset owners, deciding and documenting which organizations and individuals are responsible for each
component of a business process that includes information, software, and hardware. In particular, when organizations acquire new systems, they record the owner and features of each new asset, including its network interface media access control (MAC) address and location. This mapping of asset attributes and owner-to-MAC address can be stored in a free or commercial database management system.

Use tools to pull information from network assets such as switches and routers regarding the machines connected to the network. Using securely authenticated and encrypted network management protocols, tools can retrieve MAC addresses and other information from network devices that can be reconciled with the organization's asset inventory of servers, workstations, laptops, and other devices. Once MAC addresses are confirmed, switches should implement 802.1x and NAC to only allow authorized systems that are properly configured to connect to the network.

Effective organizations configure free or commercial network scanning tools to perform network sweeps on a regular basis, sending a variety of different packet types to identify devices connected to the network. In addition to active scanning tools that sweep the network, other asset identification tools passively listen on network interfaces looking for devices to announce their presence by sending traffic. Such passive tools can be connected to switch span ports at critical places in the network to view all data flowing through such switches, maximizing the chance of identifying systems communicating through those switches. Whether physical or virtual, each machine using an IP address should be included in an organization's asset inventory.

The system must be capable of identifying any new unauthorized devices that are connected to the network within 24 hours, alerting or sending e-mail notification to a list of enterprise administrative personnel. The system must automatically isolate the unauthorized system from the network within one hour of the initial alert. Send a follow-up alert or e-mail notification when isolation is achieved. Every 24 hours after that point, the system must alert or send e-mail about the status of the system until the unauthorized system has been removed from the network. The asset inventory database and alerting system must be able to identify the location, department, and other details of where authorized and unauthorized devices are plugged into the network.

To evaluate the implementation of Control 1 on a periodic basis, the evaluation team will connect hardened test systems to at least 10 locations on the network, including a selection of subnets associated with demilitarized zones (DMZs), workstations, and servers. Two of the systems must be included in the asset inventory database, while the other systems are not. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the newly connected systems within 24 hours of the test machines being connected to the network. The evaluation team must verify that the
system provides details of the location of all the test machines connected to the network. For those test machines included in the asset inventory, the team must also verify that the system provides information about the asset owner. The evaluation team must then verify that the test systems are automatically isolated from the production network within one hour of initial notification and that an e-mail or alert indicating the isolation has occurred is sent. The team must then verify that the connected test systems are isolated from production systems.
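
The reconciliation and deadline tracking described in this section, as an added example (not code from the handbook): DHCP lease records are matched against the owner-to-MAC inventory, unmatched devices get the 24-hour alert and one-hour isolation deadlines, and a check reports which rogue devices are still not isolated. The inventory rows, the lease lines and the simplified lease-log format are constructed for illustration.

```python
"""Reconcile devices seen on the network with the asset inventory and
track the 24-hour alert and one-hour isolation deadlines described above.

Added example, not code from the handbook. The inventory, the DHCP lease
lines and the simplified lease-log format are all constructed here."""
import re
from datetime import datetime, timedelta

DETECT_WINDOW = timedelta(hours=24)   # a new device must be identified within 24 h
ISOLATE_WINDOW = timedelta(hours=1)   # ... and isolated within 1 h of the alert

# Constructed asset inventory keyed by MAC address: the owner-to-MAC
# mapping the text says to record for every approved asset.
INVENTORY = {
    "00:11:22:33:44:01": {"name": "fs-01", "purpose": "file server",
                          "owner": "r.sharma", "dept": "IT Ops"},
    "00:11:22:33:44:02": {"name": "ws-117", "purpose": "workstation",
                          "owner": "a.patel", "dept": "Finance"},
}

# Constructed DHCP lease records in an assumed simplified format:
#   <ISO timestamp> DHCPACK <ip> <mac> <hostname>
DHCP_LOG = """\
2015-06-01T09:00:00 DHCPACK 10.1.5.10 00:11:22:33:44:01 fs-01
2015-06-01T09:05:00 DHCPACK 10.1.5.23 00:11:22:33:44:02 ws-117
2015-06-01T09:07:30 DHCPACK 10.1.5.77 DE:AD:BE:EF:00:01 devbox
2015-06-01T09:08:00 DHCPACK 10.1.5.78 de:ad:be:ef:00:02 android-2b1f
not a lease line
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK (?P<ip>\S+) (?P<mac>[0-9a-f:]{17}) (?P<host>\S+)$",
    re.IGNORECASE)


def parse_leases(log_text):
    """Return one dict (ts, ip, mac, host) per DHCPACK line, MACs lower-cased."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m is None:
            continue                       # skip anything that is not a lease
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["mac"] = rec["mac"].lower()    # normalise before the inventory lookup
        leases.append(rec)
    return leases


def reconcile(leases, inventory):
    """Split observed devices into authorized (joined with owner details)
    and unauthorized (annotated with alert and isolation deadlines)."""
    authorized, unauthorized = [], []
    for lease in leases:
        asset = inventory.get(lease["mac"])
        if asset is not None:
            authorized.append({**lease, **asset})
        else:
            first_seen = lease["ts"]
            unauthorized.append({
                **lease,
                "alert_by": first_seen + DETECT_WINDOW,
                # The isolation clock starts at the alert; here the alert is
                # raised as soon as the rogue lease is seen.
                "isolate_by": first_seen + ISOLATE_WINDOW,
            })
    return authorized, unauthorized


def overdue_isolation(unauthorized, now, isolated_macs):
    """MACs of rogue devices still not isolated after their deadline."""
    return sorted(d["mac"] for d in unauthorized
                  if d["mac"] not in isolated_macs and now > d["isolate_by"])


if __name__ == "__main__":
    leases = parse_leases(DHCP_LOG)
    auth, rogue = reconcile(leases, INVENTORY)
    for d in auth:
        print(f"OK    {d['ip']:<12} {d['mac']}  owner={d['owner']} dept={d['dept']}")
    for d in rogue:
        print(f"ROGUE {d['ip']:<12} {d['mac']}  host={d['host']} "
              f"isolate by {d['isolate_by']:%Y-%m-%d %H:%M}")
    later = leases[0]["ts"] + DETECT_WINDOW
    print("still not isolated a day later:",
          overdue_isolation(rogue, later, isolated_macs={"de:ad:be:ef:00:01"}))
```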


1.2. Testing the Traffic Filtering Devices

There are four basic recommendations for traffic filtering. In order to reduce security threats, organisations use various devices, technologies and techniques for traffic filtering. Each institution/organisation that wishes to improve the efficiency of filtering and increase the level of security in its network should apply the following recommendations:

1. Define traffic-filtering rules that will determine the manner in which the incoming and outgoing traffic flow in the network will be regulated. A set of traffic-filtering rules can be adopted as an independent packet filtering policy or as a part of the information security policy;
2. Select a traffic-filtering technology that will be implemented depending on the requirements and needs;
3. Implement defined rules on the selected technology and optimise the performance of devices accordingly;
4. Maintain all the components of the solution, including not only devices, but also the policy.

Traffic-filtering technologies are commonly divided into:
• packet filtering/stateless firewall technologies;
• stateful firewall technologies.

The packet-filtering functionality (stateless firewall) is built into the majority of operating systems and devices with a traffic routing feature. In most cases, it is a router on which access control lists (ACLs) are applied. A packet filter implemented on a router is the simplest, but only one of the available traffic-filtering methods.

Packet filtering is the basic feature of all firewall devices. The first firewall devices, with only a packet filter, were also called stateless inspection firewalls. Unlike them, modern firewall devices provide far more possibilities for packet filtering. A packet filter enables the implementation of control of access to resources by deciding whether a packet should be allowed to pass, based on the information contained in the IP packet header. The packet filter does not analyse the content of the packet (unlike a content filter), nor does it attempt to determine the sessions to which individual packets belong, based on the information contained in the TCP or UDP header, and therefore it does not make any further decisions in that regard. For this reason, the process is also known as stateless packet inspection. Due to its manner of operation, which does not track the information on the state of connections, it is necessary to explicitly allow two-way traffic on the connection
when configuring a stateless firewall device. Stateless firewall devices analyse each packet individually and filter them based on the information contained in Layers 3 and 4 of the OSI reference model. A filtering decision is made based on the following information:
• source IP address;
• destination IP address;
• protocol;
• source port number;
• destination port number.

They are commonly implemented as a part of the functionality on routers (ACL, firewall filters, etc.), but can also be implemented on servers.

The advantages of applying packet filters:
• simple implementation;
• supported by most routers, so there is no need to invest in new equipment and software;
• rarely cause bottlenecks in the area of their application, even at high speeds in Gigabit networks.

The disadvantages of applying packet filters:
• vulnerability to IP spoofing attacks;
• vulnerability to attacks that exploit problems within the TCP/IP specification and the protocol stack;
• problems with filtering packets that are fragmented (causing interoperability and non-functioning of VPN connections);
• no support for the dynamic filtering of some services (the services that require dynamic negotiation about the ports that will be used in communication – passive FTP);
• no support for user authentication.

Stateful packet inspection improves the packet filtering process by monitoring the state of each connection established through a firewall device. It is known that the TCP protocol allows two-way communication and that TCP traffic is characterised by three phases: establishing the connection, data transfer, and terminating the connection. In the connection establishment phase, stateful packet inspection records each connection in the state-table. In the data transfer phase, the device monitors certain parameters in the header of the L3 packet and L4 segment and makes a filtering decision depending on their values and the content of the state-table. The state-table contains all currently active connections. As a result, a potential attacker trying to spoof a packet with a header indicating that the packet is a part of an established connection can only be detected by the stateful inspection firewall device, which verifies whether the connection is recorded in the state-table. The state-table contains the following information:
• source IP address;
• destination IP address;
• source port number;
• destination port number;
• TCP sequence numbers;
• TCP flag values.

The state of the synchronize (SYN), reset (RST), acknowledgment (ACK) and finish (FIN) flags is monitored within the TCP header and a conclusion is reached about the state of a specific connection. The UDP protocol does not have a formal procedure for establishing and terminating a connection. However, devices with stateful inspection can monitor the state of individual flows and match different flows when they logically correspond to each other (e.g., a DNS response from an external server will only be allowed to pass if the corresponding DNS query from the internal source to that server has previously been recorded).

The advantages of applying stateful firewall devices:
• a higher level of protection compared to stateless firewall devices (greater efficiency and more detailed traffic analysis);
• detection of IP spoofing and DoS attacks;
• more log information compared to packet filters.

The disadvantages of applying stateful firewall devices:
• no protection against application layer attacks;
• performance degradation of the router on which they are deployed (this depends on the size of the network and other services run on the router);
• not all of them provide support for UDP, GRE and IPSEC protocols, treating them in the same way as stateless firewall devices.

Lately, attempts have been made to improve the standard stateful packet inspection technology by adding basic solutions from intrusion detection technology. The improved version is called stateful protocol analysis, also known as DPI (Deep Packet Inspection), an analysis of data on the application layer. The devices resulting from this development trend include Application Firewalls, Application Proxy Gateways and Proxy servers. Unlike stateful firewall devices that filter traffic based on the data on layers 3, 4 and 5 of the OSI reference model, these devices also enable traffic filtering based on the information on the application layer of the OSI reference model (Layer 7).

Application Firewall

Application Firewall (AF) devices perform a stateful protocol analysis of the application layer. They support numerous common protocols, such as HTTP, SQL, e-mail services (SMTP, POP3 and IMAP), VoIP and XML. Stateful protocol analysis relies on predefined profiles of acceptable operating modes for the selected protocol, enabling the identification of potential deviations and irregularities in the message flow of the protocol through the device. Problems may arise if there is a conflict between the operating mode of a specific protocol, which is defined on the AF device, and the way in which the protocol is implemented in the specific version of the application or of the operating systems used in the network.


The stateful protocol analysis can:
• determine whether an e-mail message contains a type of attachment that is not allowed (e.g., exec files);
• determine whether instant messaging is used via an HTTP port;
• block the connection through which an unwanted command is executed (e.g., an FTP put command on the FTP server);
• block access to a page with unwanted active content (e.g., Java);
• identify an irregular sequence of commands exchanged in the communication between two hosts (e.g., an unusually large number of repetitions of the same command or the use of a command before using the command it depends on);
• enable the verification of individual commands and the minimum and maximum length of appropriate command-line arguments (e.g., the number of characters used in a username).

An AF device cannot detect attacks that meet the generally acceptable procedures of operation of a specific protocol, such as DoS (Denial of Service) attacks caused by the repetition of a large number of acceptable message sequences in a short time interval. Due to the complexity of the analysis they perform, and the large number of concurrent sessions they monitor, the main disadvantage of the method of stateful protocol analysis is the intensive use of AF device resources.

Application Proxy Gateway

Application Proxy Gateway (APG) devices also perform an analysis of the traffic flow on the application layer. Compared to AF devices, APG devices provide a higher level of security for individual applications since they never allow a direct connection between two hosts, and they can perform an inspection of the content of application-layer messages.

APG devices contain so-called proxy agents or “intermediaries” in the communication between two end hosts. In this way, they prevent direct communication between them. Each successful connection between the end hosts consists of two connections – one between the client and the proxy server and the other between the proxy server and the destination device. Based on the filtering rules defined on the APG device, proxy agents decide whether network traffic will be allowed or not. Traffic-filtering decisions can also be made based on the information contained in the header of an application-layer message or even based on the content conveyed by that message. In addition, proxy agents can require user authentication. There are also APG devices with the capability of packet decryption, analysis and re-encryption, before a packet is forwarded to the destination host. Packets that cannot be decrypted are simply forwarded through the device.

Compared to packet filters and stateful devices, APG devices have numerous deficiencies. The manner of operation of APG devices requires a significantly greater utilisation of resources, i.e., they require more memory and greater utilisation of processor time for analysing
and interpreting each packet passing through the device. As a result, APG devices are not suitable for filtering applications that are more demanding in terms of bandwidth or applications that are sensitive to time delays (real-time applications). Another deficiency of these devices is the limitation in the number of services that can be filtered through them. Each type of traffic passing through the device requires a specific proxy agent that acts as an intermediary in the communication. Consequently, APG devices do not always support the filtering of new applications or protocols. Due to their price, APG devices are commonly used for protecting data centres or other networks containing publicly available servers that are of high importance to an organisation. In order to reduce the load on APG devices and achieve greater efficiency, modern networks more frequently use proxy servers (dedicated proxy servers) that are dedicated to specific services that are not so sensitive to time delays (e.g., e-mail or web proxy servers).

Dedicated Proxy Server

Like APG devices, Dedicated Proxy (DP) servers also have a role as “intermediaries” in the communication between two hosts, although their traffic-filtering capabilities are significantly lower. This type of device is intended for the analysis of the operation of specific services and protocols (e.g., HTTP or SMTP). Due to their limited traffic-filtering capabilities, DP devices are deployed behind firewall devices in the network architecture. Their main function is to perform specialised filtering of a specific type of traffic (based on a limited set of parameters) and carry out the logging operation. This significantly reduces the load on the firewall device itself, which is located in front of the DP server. The most widely used devices of this type are Web Proxy servers. A common example of their use is an HTTP proxy server (placed behind the firewall device or router), to which users need to connect when they wish to access external web servers. If an institution has an outgoing connection (uplink) of lower bandwidth, the use of the caching function is recommended in order to reduce the level of traffic and improve the response time. As a result of an increase in the number of available web applications and the number of threats transferred through the HTTP protocol, Web Proxy servers are growing in significance. Equipment manufacturers today add the functionality of various technologies to the standard Web Proxy servers, thus increasing their traffic-filtering capabilities.
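
The stateless and stateful filters contrasted earlier in this section, side by side, as an added example (not code from the handbook). The stateless filter judges each packet on its L3/L4 header fields alone and has to admit return traffic with a blanket reverse rule, so a forged header that claims to belong to an established connection passes it; the stateful filter keeps a state-table of connections and flows opened from the inside and passes an inbound packet only when it matches an entry, which is how it catches the spoofed packet and the unsolicited second DNS answer. The packet structure, the internal address range, the policy and the sample traffic are constructed simplifications.

```python
"""Stateless ACL beside a stateful inspection filter, as described above.

Added example, not code from the handbook. Packets, the internal range,
the outbound policy and the sample traffic are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                        # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: frozenset = frozenset()    # TCP flags such as {"SYN"}, {"ACK"}


def is_internal(ip):
    return ip.startswith("10.")       # constructed: 10.x.x.x is the protected LAN


# Outbound services the policy permits: (protocol, destination port).
ALLOWED_OUTBOUND = {("tcp", 80), ("udp", 53)}


def stateless_allow(pkt):
    """Stateless: every packet judged on its own header fields. Replies have
    to be admitted by an explicit reverse rule; the usual approximation is
    'inbound TCP with ACK set' (or 'UDP from port 53'), which a forged
    header satisfies just as well as a genuine reply."""
    if is_internal(pkt.src_ip):
        return (pkt.proto, pkt.dst_port) in ALLOWED_OUTBOUND
    if pkt.proto == "tcp":
        return "ACK" in pkt.flags
    return pkt.proto == "udp" and pkt.src_port == 53


class StatefulFilter:
    """Stateful: a state-table of connections/flows opened from the inside;
    an inbound packet passes only if it matches a recorded entry."""

    def __init__(self):
        self.state = set()   # entries: (int_ip, int_port, ext_ip, ext_port, proto)

    def allow(self, pkt):
        if is_internal(pkt.src_ip):
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
            if key in self.state:
                if pkt.flags & {"FIN", "RST"}:
                    self.state.discard(key)          # connection torn down
                return True
            if (pkt.proto, pkt.dst_port) not in ALLOWED_OUTBOUND:
                return False
            if pkt.proto == "tcp" and "SYN" not in pkt.flags:
                return False                          # a new TCP flow starts with SYN
            self.state.add(key)                       # establishment phase recorded
            return True
        # Inbound: reverse the tuple and look it up in the state-table.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.state:
            return False           # not a recorded connection: spoofed or unsolicited
        if pkt.proto == "udp" or pkt.flags & {"FIN", "RST"}:
            self.state.discard(key)   # one DNS answer per query; TCP teardown
        return True


def compare(pkts):
    """Run one packet sequence through both filters; return a list of
    (stateless_decision, stateful_decision) pairs, one per packet."""
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in pkts]


# Constructed sample traffic (203.0.113.0/24 and 198.51.100.0/24 are outside).
SAMPLE = [
    Packet("10.1.1.5", "203.0.113.7", "tcp", 51000, 80, frozenset({"SYN"})),
    Packet("203.0.113.7", "10.1.1.5", "tcp", 80, 51000, frozenset({"SYN", "ACK"})),
    Packet("10.1.1.5", "198.51.100.53", "udp", 40000, 53),            # DNS query
    Packet("198.51.100.53", "10.1.1.5", "udp", 53, 40000),            # matching answer
    Packet("198.51.100.53", "10.1.1.5", "udp", 53, 40000),            # second, unsolicited
    Packet("203.0.113.99", "10.1.1.5", "tcp", 4444, 51000, frozenset({"ACK"})),  # forged
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
              f"{pkt.proto} stateless={stateless} stateful={stateful}")
```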


1.3. Solutions Combining Traffic Filtering with Other Technologies

In addition to their basic purpose of blocking unwanted traffic, firewall devices often combine their filtering functionality with other technologies, primarily routing. It is the other way around with routers. As a result, NAT (Network Address Translation) is sometimes considered to be a firewall technology, although essentially it is a routing technology.

Other related functionalities, such as VPN and IDP, are often available on firewall devices. In order to have a complete overview and due to their frequent use, these technologies are also addressed briefly in this chapter.

NAT (Network Address Translation)

NAT is a technology that enables devices that use private IP addresses to communicate with devices on the Internet. This technology translates private IP addresses, which can be used by devices within a Local Area Network (LAN), into publicly available Internet addresses.

The application of NAT technology may limit (intentionally or unintentionally) the number of available services, i.e., it may disable the functioning of the services that require direct, end-to-end connectivity (e.g., VoIP).

There are three types of NAT translations: dynamic, static and PAT.

Dynamic NAT uses a set of publicly available IP addresses, successively assigning them to hosts with private IP addresses. When a host with a private IP address needs to communicate with a device on the Internet, dynamic NAT translates its private IP address into a publicly available IP address, by taking the first available IP address from a defined pool of publicly available IP addresses. Dynamic NAT is suitable for client computers.

Static NAT provides one-to-one mapping between the private IP address of a host and the public IP address assigned to it. In this manner, the host with a private IP address always appears on the Internet with the same public IP address. This is the main difference between static and dynamic translation. Static NAT is suitable for servers. In both types of translation mentioned above, each private IP address is translated into a separate, public IP address. In order to support a sufficient number of simultaneous user sessions, an organisation using dynamic and/or static NAT needs to have a sufficient number of public IP addresses.

PAT (Port Address Translation or so-called NAT overload) performs mapping between several private IP addresses and one or more public IP addresses. The mapping of each private IP address is performed by way of the port number of the public IP address. PAT translation ensures that each client on a LAN that establishes a connection with a device on the Internet is assigned a different port number of the public IP address. The response from the Internet, which comes as a result of the request, is sent to the port from which the request was forwarded. In this manner, a device that performs the translation (a router, firewall or server) knows to which host from the LAN it should forward the packet. This
feature of PAT increases the level of security of the LAN to a certain degree, since it prevents a connection from the Internet being established directly with the hosts on the LAN. Due to this manner of operation, PAT is sometimes, incorrectly, regarded as a security technology, although it is primarily a routing technology.

VPN (Virtual Private Network)

VPN (Virtual Private Network) technology is used to increase the security of data transfer through a network infrastructure that does not provide a sufficient degree of data security. It enables the encryption and decryption of network traffic between external networks and an internal, protected network.

VPN functionality can be available on firewall devices or implemented on VPN servers that are placed behind firewall devices in the network architecture. In many cases, the implementation of VPN services on the firewall device itself is the optimal solution. Placing a VPN server behind the firewall device requires the VPN traffic to pass through the firewall device in an encrypted form. As a result, the firewall device cannot perform inspection, access control or logging of the network traffic, and therefore cannot scan it for certain security threats. However, regardless of the place of the implementation, the VPN service requires the application of certain filtering rules on the firewall device in order to enable its uninterrupted operation. Accordingly, special attention should always be paid to making sure that the appropriate protocols and the TCP/UDP services that are necessary for the functioning of the chosen VPN solution are supported.

IDP (Intrusion Detection and Prevention)

Network Intrusion Detection (ID) is based on monitoring the operation of computer systems or networks and analysing the processes they perform, which can point to certain incidents. Incidents are events posing a threat to or violating defined security policies, violating AUP (Acceptable Use Policy) rules, or generally accepted security norms. They appear as a result of the operation of various malware programmes (e.g., worms, spyware, viruses, and Trojans), as a result of attempts at unauthorised access to a system through public infrastructure (Internet), or as a result of the operation of authorised system users who abuse their privileges.

Network Intrusion Prevention (IP) includes the process of detecting network intrusion events, but also includes the process of preventing and blocking detected or potential network incidents. Network Intrusion Detection and Prevention systems (IDP) are based on identifying potential incidents, logging information about them, attempting to prevent them and alerting the administrators responsible for security. In addition to this basic function, IDP systems can also be used to identify problems concerning the adopted security policies, to document existing security threats and to discourage individuals from violating security rules. IDP systems use various incident-detection methods.
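
Returning to the PAT mechanism from the NAT section above, the following is an added example (not code from the handbook) of the translation table a PAT device keeps: each (private IP, private port) pair is given its own port on the public address, a reply is mapped back to the LAN host through that port, and a packet arriving for a public port with no mapping is dropped because no inside host initiated it. The public address, the port pool, the two-table layout and the sample hosts are constructed.

```python
"""A minimal PAT (NAT overload) translation table.

Added example, not code from the handbook. The public address, the
port pool and the two-table layout are constructed for illustration."""

PUBLIC_IP = "203.0.113.1"           # constructed: the single public address
PORT_POOL = range(40000, 40004)     # deliberately tiny pool for the demo


class PatTranslator:
    """Maps (private ip, private port) pairs onto distinct ports of one
    public IP address and reverses the mapping for replies."""

    def __init__(self, public_ip=PUBLIC_IP, ports=PORT_POOL):
        self.public_ip = public_ip
        self.free_ports = list(ports)
        self.out_map = {}   # (private_ip, private_port) -> public_port
        self.in_map = {}    # public_port -> (private_ip, private_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an outgoing packet. A public port is
        allocated the first time a (private ip, port) pair is seen; later
        packets from the same pair reuse it. Returns the rewritten
        (src_ip, src_port, dst_ip, dst_port), or None if the pool is empty."""
        key = (src_ip, src_port)
        if key not in self.out_map:
            if not self.free_ports:
                return None             # pool exhausted: cannot translate
            pub_port = self.free_ports.pop(0)
            self.out_map[key] = pub_port
            self.in_map[pub_port] = key
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the destination of an incoming packet back to the LAN
        host that opened the session. A packet for a public port with no
        mapping is dropped (None): no inside host asked for it, so the
        translator has nowhere to forward it. That is the side effect the
        text describes, not a substitute for a firewall."""
        if dst_ip != self.public_ip or dst_port not in self.in_map:
            return None
        priv_ip, priv_port = self.in_map[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)

    def release(self, src_ip, src_port):
        """Free the public port once the LAN host's session has ended."""
        pub_port = self.out_map.pop((src_ip, src_port), None)
        if pub_port is not None:
            del self.in_map[pub_port]
            self.free_ports.append(pub_port)


if __name__ == "__main__":
    pat = PatTranslator()
    # Two LAN hosts that happen to use the same source port: PAT keeps
    # them apart by giving each a different port on the public address.
    print(pat.translate_out("192.168.1.10", 1024, "198.51.100.9", 80))
    print(pat.translate_out("192.168.1.11", 1024, "198.51.100.9", 80))
    print(pat.translate_in("198.51.100.9", 80, "203.0.113.1", 40001))
    print(pat.translate_in("198.51.100.9", 80, "203.0.113.1", 40003))  # unsolicited: None
```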


There are three primary classes of detection methodology:

1. Signature-based detection

Certain security threats can be detected based on the characteristic manner in which they appear. The behaviour of an already detected security threat, described in a form that can be used for the detection of any subsequent appearance of the same threat, is called an attack signature. This detection method, based on the characteristic signature of an attack, is a process of comparing the known forms in which the threat has appeared with the specific network traffic in order to identify certain incidents. Although it can be very efficient in detecting the subsequent appearance of known threats, this detection method is extremely inefficient in the detection of completely unknown threats, of threats hidden by using various techniques, and of already known threats that have somehow been modified in the meantime. It is considered the simplest detection method and it cannot be used for monitoring and analysing the state of certain, more complex forms of communication.

2. Anomaly-based detection

This method of IDP is based on detecting anomalies in a specific traffic flow in the network. Anomaly detection is performed based on the defined profile of acceptable traffic and its comparison with the specific traffic in the network. Acceptable traffic profiles are formed by tracking the typical characteristics of the traffic in the network during a certain period of time (e.g., the number of e-mail messages sent by a user, the number of attempts to log in to a host, or the level of utilisation of the processor in a given time interval). These characteristics of the behaviour of users, hosts, connections or applications in the same time interval are then considered to be completely acceptable. However, acceptable-behaviour profiles can unintentionally contain certain security threats, which lead to problems in their application. Likewise, imprecisely defined profiles of acceptable behaviour can cause numerous alarms, generated by the system itself as a reaction to certain (acceptable) activities on the network. The greatest advantage of this detection method is its exceptional efficiency in detecting previously unknown security threats.

3. Detection based on stateful protocol analysis

Stateful protocol analysis is a process of comparing predefined operation profiles with the specific data flow of that protocol on the network. Predefined profiles of operation of a protocol are defined by the manufacturers of IDP devices and they identify everything that is acceptable or not acceptable in the exchange of messages in a protocol. Unlike anomaly-based detection, where profiles are created based on the hosts or specific activities on the network, stateful protocol analysis uses general profiles generated by the equipment manufacturers. Most IDP systems use several detection methods simultaneously, thus enabling a more comprehensive and precise method of detection.

Testing tools are used for testing the detection, recognition and response capabilities of devices that perform packet
filtering (including those that use network address translation), such as firewalls, IDSes/IPSes, routers and switches. These test the traffic filtering devices' ability to detect and/or block DoS attacks, spyware, backdoors, and attacks against applications such as IIS, SQL Server and WINS. Standard traffic sessions can be used to test how packet filtering devices handle a variety of protocols including HTTP, FTP, SNMP and SMTP.
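
The first two detection methods described above, run over constructed authentication-log lines, as an added example (not code from the handbook): a signature match flags a line by its known characteristic form, while the anomaly method first builds a per-user profile of failed logins per hour from a training period and then flags hours in the monitored period that exceed it. The log format, the signature string, the training window and the threshold rule (mean plus three times the spread, floored so a quiet baseline does not alarm on every typo) are all constructed.

```python
"""Signature-based and anomaly-based detection over constructed log
lines, showing the two IDP detection methods described above.

Added example, not code from the handbook. The log format, the
signature, the training window and the threshold rule are constructed."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed line format: "<hour> <event> user=<u> src=<ip> [agent="..."]"
LINE_RE = re.compile(r'^(?P<hour>h\d{2}) (?P<event>\w+) user=(?P<user>\w+) '
                     r'src=(?P<src>[\d.]+)(?: agent="(?P<agent>[^"]*)")?$')

# Constructed signature: the characteristic form of an already-known threat,
# here an identifying string that a known scanning tool is assumed to send.
SIGNATURES = {"constructed-bad-scanner": re.compile(r'agent="BadScanner/')}

# Training period: alice's ordinary behaviour, used to build her profile.
TRAINING_LOG = """\
h01 login_failed user=alice src=10.0.0.5
h01 login_ok user=alice src=10.0.0.5
h02 login_failed user=alice src=10.0.0.5
h03 login_ok user=alice src=10.0.0.5
h04 login_failed user=alice src=10.0.0.5
h04 login_failed user=alice src=10.0.0.5
"""

# Monitored period: one hour with a burst of failures from an outside address.
TEST_LOG = (
    "h09 login_failed user=alice src=10.0.0.5\n"
    'h10 login_failed user=alice src=198.51.100.7 agent="BadScanner/2.1"\n'
    + "h10 login_failed user=alice src=198.51.100.7\n" * 5
    + "h10 login_failed user=bob src=198.51.100.7\n"
    "h11 login_ok user=alice src=10.0.0.5\n"
)


def parse(log_text):
    """One dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def signature_alerts(log_text):
    """Signature-based: compare each line with the known forms; return
    (1-based line number, signature name) for every hit."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def failed_logins_per_hour(records):
    counts = defaultdict(int)
    for rec in records:
        if rec["event"] == "login_failed":
            counts[(rec["user"], rec["hour"])] += 1
    return counts


def build_profile(training_records, k=3.0):
    """Anomaly-based, step one: a per-user acceptable-behaviour profile from
    the training period, as an upper limit on failed logins per hour
    (mean + k * spread). Hours with no failures count as zero, and the
    spread is floored at 1 so that a very quiet baseline does not turn
    every ordinary typo into an alarm (the imprecise-profile problem)."""
    hours = sorted({r["hour"] for r in training_records})
    counts = failed_logins_per_hour(training_records)
    profile = {}
    for user in {r["user"] for r in training_records}:
        series = [counts.get((user, h), 0) for h in hours]
        profile[user] = mean(series) + k * max(pstdev(series), 1.0)
    return profile


def anomaly_alerts(profile, records):
    """Anomaly-based, step two: flag (user, hour) pairs whose failed-login
    count exceeds the profile. Users without a profile are surfaced too,
    since the method has no basis for calling their behaviour acceptable."""
    alerts = []
    for (user, hour), n in sorted(failed_logins_per_hour(records).items()):
        limit = profile.get(user)
        if limit is None:
            alerts.append((user, hour, n, "no profile"))
        elif n > limit:
            alerts.append((user, hour, n, f"exceeds {limit:.1f}"))
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_alerts(TEST_LOG))
    prof = build_profile(parse(TRAINING_LOG))
    print("profile:", prof)
    print("anomalies:", anomaly_alerts(prof, parse(TEST_LOG)))
```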
backdoors, and attacks against


UNIT II
Configuring Secure Content
Management

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
2.1 Secure Content Management Overview
2.2 The importance of Secure Content Management
2.3 How does Secure Content Management Work?
2.4 Solution Architectures


LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
Ensuring Measures: Peer group, Faculty group and Industry experts.
Duration (Hrs): 2 hr in class presentations
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Projection facilities

Performance Outcomes:
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Ensuring Measures: KA4, KA5. Peer group, Faculty group and Industry experts. KB1 - KB4 Learning Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline Research and activity.
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Center for Internet Security

336
Trainer’s Handbook – Security Analyst SSC/ Q0903

Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research the various types of attacks and collect examples of each type of virus, Trojan, worm and other malware. The group that collects the largest number of correct examples wins a prize.

Activity 2:

Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.


Lesson

2.1 Secure Content Management - Overview


Organizations are increasingly moving toward collaboration: encouraging the use of the Internet for knowledge access and productivity, advocating widespread adoption of e-mail as a means of communication, and promoting instant messaging for better coordination. The global nature of business transactions, involving service providers and third-party solutions, relies on communication protocols such as SMTP, HTTP, HTTPS, FTP and IPsec VPN for the exchange of information and the execution of transactions. This has made organizations increasingly dependent on the inbound and outbound traffic flowing across their boundaries. Internet technology, with its open architecture, inherently provides access to every resource connected to the World Wide Web; users can therefore connect to legitimate and illegitimate web sources alike, which may expose the organization to serious security threats.

Outward and inward connections thus have the potential to jeopardize the security posture of an organization. They also create possibilities for data leakage from the organization to the outside world, and security threats increasingly exploit these connections, channels, protocols and traffic to perpetrate attacks.

The advent of Web 2.0 technologies and the proliferation of file sharing protocols, data sharing portals, media streaming and similar services used by employees expand the attack surface of an organization and create many opportunities for external threats to exploit weaknesses. Allowing inbound and outbound connections, that is, giving employees access to initiate or receive traffic, also raises questions of employee productivity, and it consumes bandwidth when connections to public or media streaming sites occupy the organization's network capacity.

While allowing legitimate traffic, organizations may not want their employees to indulge in the various forms of entertainment available online, which can lead to security threats, data leakage and productivity issues. Security has been evolving to address these challenges through a set of practices and technical solutions that can broadly be classified as 'Secure Content Management' (SCM).

DSCI regards SCM as an important discipline of security. It deserves close attention because it promises a defence against threats that increasingly concentrate on exploiting weaknesses in content handling, and because it offers effective instruments to curb data leakage; it is therefore regarded as an important element of data security strategies.

2.2 The Importance of Secure Content Management

Unrestricted Access

The use of the Internet is on the rise, as are the risks of uncontrolled access. When employees and staff inadvertently or deliberately access sites containing inappropriate, illegal or dangerous content, businesses suffer losses of productivity, expose themselves to legal liabilities and can experience degraded network performance that negatively affects mission-critical tasks. There is also a growing number of security risks, including Trojans and worms, that can seriously impact operations.

The risks include:

Impacted employee productivity

Restricting access to inappropriate Web sites helps companies prevent excessive non-productive Web surfing and preserves network bandwidth.

Liability Exposure

Employees who visit pornographic or racist/hate sites represent a major legal liability concern. Businesses need to shield themselves from potential legal liability that can arise if an employee is repeatedly exposed to offensive material on a co-worker's computer or anywhere in the workplace. Other sources of liability exposure include peer-to-peer networking and file sharing, which have opened the door to charges of copyright violation and high-profile litigation. Corporations can be held liable for breaking copyright laws if employees use company networks to download music or movies illegally.

Hacker Attacks and Privacy Violations

Instant messaging, peer-to-peer file sharing and multimedia downloads open additional channels into the business through which backdoors and other malware can enter the network, and through which data can leave it.

2.3 How Secure Content Management Works


Securing content starts with controlling access to certain Web sites based on predetermined criteria. At a basic level, user access to Internet content is controlled using the URL or the URL's content category (such as nudity or gambling). Basic content management solutions can also examine the way the content is delivered, such as through Java applets or ActiveX controls, and determine access permissions accordingly. More advanced content management solutions also provide the ability to block applications such as instant messaging and peer-to-peer services.

Site Blocking Versus Content Monitoring

Secure content management solutions employ one of two basic approaches: site blocking or content monitoring. While there are considerable differences between these two approaches, both are based on pass-through filtering technology. That is, all requests for Web pages pass through an Internet control point such as a firewall, proxy server or caching device. The device then evaluates each request to determine whether it should be allowed or denied based on company policy.

Site blocking

The site blocking approach for content management typically uses list-based or URL-based filters to identify and block certain Web sites. Some solutions rely on white lists that allow access only to those sites that appear on the list. For example, a retail store might create a white list containing only the company's Web site, shipping Web sites and supplier Web sites. Other solutions use black lists, which permit access to all sites except those on the black list. The black list approach is preferable for businesses whose employees need less restrictive Internet access. With a black list approach, the database of Web sites is organized into categories, such as "violence" or "drugs," and network administrators can selectively block categories.

The effectiveness and manageability of site blocking depends on a number of factors:

Database size: a larger database allows more sites to be added to the restricted list.

Update frequency: new sites continually emerge, and many existing sites are relocated. Most site blocking solutions update their databases on a daily basis, often automatically downloading new URLs every night.

Category organization: categories must be carefully considered and established with enough granularity to accomplish effective restrictions while allowing access when appropriate.

A general limitation of site blocking is that it focuses exclusively on HTTP-based Web traffic. It does not block instant messaging, e-mail attachments, peer-to-peer applications and other applications that could carry security threats. Two further caveats matter in practice: a list keyed on host names is bypassed by a user who types the site's numeric IP address, and for HTTPS traffic the control point sees only the host name presented in the TLS handshake, not the full URL, unless it also intercepts TLS.
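The pass-through decision just described, as an added example in Python (not code from the handbook or from any of the products named in this unit). The requested URL is normalised to a host name, the host and its parent domains are looked up in a small category database that stands in for a vendor's ratings database, and either a white-list or a black-list policy is applied. The database contents, policy entries and host names are constructed for illustration.

```python
"""Site-blocking decision at a pass-through control point (proxy or firewall).

Added example: normalises the requested URL to a host, rates the host via
a category database with parent-domain matching, and applies a white-list
or black-list policy. The database, policies and host names are constructed.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed ratings database (domain -> category). A vendor database holds
# millions of pre-rated sites and is refreshed daily; this one is a stand-in.
CATEGORY_DB = {
    "example-casino.test": "gambling",
    "adult-site.test": "nudity",
    "news.example": "news",
    "cdn.news.example": "content-delivery",
    "supplier.example": "business",
    "shipping.example": "business",
}

# White list: only these hosts (and their subdomains) are reachable.
WHITE_LIST_POLICY = {
    "mode": "white",
    "hosts": {"www.retail.example", "shipping.example", "supplier.example"},
}

# Black list: everything is reachable except listed hosts and blocked categories.
BLACK_LIST_POLICY = {
    "mode": "black",
    "hosts": {"blocked.example"},
    "categories": {"gambling", "nudity"},
    "block_ip_literals": True,   # a numeric URL has no rating, so deny it
}


def normalize_host(url):
    """Lower-case host with port, credentials and trailing dot removed."""
    if "://" not in url:
        url = "http://" + url           # bare "example.com/path" as typed by a user
    host = urlsplit(url).hostname       # hostname is already lower-cased
    return host.rstrip(".") if host else None


def lookup_category(host):
    """Rate the host: exact match first, then each parent domain.

    'ip-address' marks a numeric literal, which a purely name-based list
    would otherwise let through ("http://203.0.113.9/" instead of the name)."""
    try:
        ip_address(host)
        return "ip-address"
    except ValueError:
        pass
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return "uncategorized"


def listed(host, hosts):
    """True if host is in hosts or is a subdomain of a listed host."""
    return host in hosts or any(host.endswith("." + h) for h in hosts)


def decide(url, policy):
    """Return (allowed, reason) for one Web request under the policy."""
    host = normalize_host(url)
    if host is None:
        return False, "unparseable URL"
    category = lookup_category(host)
    if policy["mode"] == "white":
        if listed(host, policy["hosts"]):
            return True, f"{host} is on the white list"
        return False, f"{host} is not on the white list"
    if listed(host, policy["hosts"]):
        return False, f"{host} is on the black list"
    if category in policy["categories"]:
        return False, f"{host} is rated {category}"
    if category == "ip-address" and policy["block_ip_literals"]:
        return False, f"{host} is a numeric address with no rating"
    return True, f"{host} is rated {category}"
```

Note that the decision is made on the host alone, which is all a control point can see for HTTPS without TLS interception; the path, query string and page body play no part in site blocking, which is exactly the gap that content monitoring (next section) is meant to close.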

Content Monitoring

The most basic level of content monitoring uses a keyword-blocking approach. Instead of blocking URLs, it compares the data passing through against a user-defined library of words and phrases. When a match to one of the blocked words or phrases is detected, the solution filters or blocks the data, or in some cases even closes the application. The problem with this approach is that it can inadvertently block legitimate pages simply because they contain one or more targeted keywords. For example, a Web site about cancer research could be blocked because it contains the word "breast."

More advanced content monitoring solutions not only examine the individual words on the page, but also evaluate context and other data such as HTML tags. Armed with this information, advanced content monitoring solutions can more accurately assess Web sites and consequently control blocking more precisely. Another valuable advantage of content monitoring is the ability to monitor and filter content not only from Web sites, but also from chat rooms, instant messaging, e-mail attachments and Windows applications.
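The difference between keyword blocking and context-aware monitoring, shown as an added Python example (not code from the handbook or from any vendor's product). A naive keyword match blocks a cancer-research page because it contains "breast"; a scorer that weights hits by the HTML element they appear in and discounts them when medical vocabulary sits nearby lets that page through while still blocking an adult page. Both sample pages, the blocked-term list and the mitigating-word list are constructed for illustration, and the weights are illustrative choices rather than any product's settings.

```python
"""Keyword blocking versus context-aware content monitoring.

Added example: a plain keyword match blocks a cancer-research page because
it contains "breast"; weighting hits by HTML structure and by the words
around them avoids that false positive while still blocking an adult page.
Both sample pages are constructed."""
import re
from html.parser import HTMLParser

BLOCKED_TERMS = {"breast", "x-rated", "xxx"}
# Words near a flagged term that indicate a legitimate medical context.
MITIGATING_CONTEXT = {"cancer", "tumour", "tumours", "tumor", "tumors",
                      "oncology", "screening", "mammogram", "patients"}

MEDICAL_PAGE = """<html><head><title>Breast cancer screening guidelines</title>
<meta name="keywords" content="oncology, screening, mammogram"></head>
<body><h1>Breast cancer research update</h1>
<p>New screening data from 12,000 patients show earlier detection of breast tumours.</p>
</body></html>"""

ADULT_PAGE = """<html><head><title>XXX x-rated videos</title></head>
<body><h1>x rated breast pics</h1><p>Hot XXX content updated hourly.</p></body></html>"""

VOID_TAGS = {"meta", "br", "img", "link", "input", "hr"}


def tokenize(text):
    """Lower-case word tokens; "x rated" is folded to "x-rated" so the
    spelling variants an exact match would miss hit the same term."""
    text = re.sub(r"\bx\s+rated\b", "x-rated", text.lower())
    return re.findall(r"[a-z0-9]+(?:-[a-z0-9]+)*", text)


class PageText(HTMLParser):
    """Collects visible text fragments tagged with the element they sit in."""
    def __init__(self):
        super().__init__()
        self.stack, self.fragments, self.meta_keywords = [], [], ""

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "keywords":
            self.meta_keywords = attrs.get("content") or ""
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.stack and self.stack[-1] == tag:
            self.stack.pop()

    def handle_data(self, data):
        if data.strip():
            self.fragments.append((self.stack[-1] if self.stack else "body", data))


def keyword_block(html):
    """Naive filter: block if any blocked term occurs anywhere on the page."""
    text = re.sub(r"<[^>]+>", " ", html)
    return bool(set(tokenize(text)) & BLOCKED_TERMS)


def context_score(html):
    """Weighted score: a hit in <title>, <h1> or meta keywords scores 3, a
    body hit 1, and every mitigating word within five tokens subtracts 2."""
    page = PageText()
    page.feed(html)
    score = 0
    for tag, text in page.fragments + [("meta", page.meta_keywords)]:
        tokens = tokenize(text)
        weight = 3 if tag in ("title", "h1", "meta") else 1
        for i, token in enumerate(tokens):
            if token in BLOCKED_TERMS:
                score += weight
                window = set(tokens[max(0, i - 5):i + 6])
                score -= 2 * len(window & MITIGATING_CONTEXT)
    return score


def context_block(html, threshold=3):
    """Block when the context-weighted score reaches the threshold."""
    return context_score(html) >= threshold
```

The scoring is deliberately simple, but it shows the two inputs a real engine adds to the word list: where on the page a term appears (a title hit is a much stronger signal than one buried in body text) and what surrounds it. It also shows the cost: the mitigating-word list is itself something a determined site could game, which is why commercial engines combine this with the URL rating rather than relying on either alone.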

2.4 Solution Architectures

Content management software can be embedded on a networked device such as a proxy server, caching appliance or firewall, or it can reside on a dedicated server running the Microsoft Windows, Linux or UNIX operating system. The three common deployment methods vary in terms of effectiveness, cost and manageability.

Client Solutions

Installed on the desktop, client solutions are most suited to home environments where parental control is the primary application. Client software solutions include a management interface and a database of blocked Web sites; the parent downloads database updates via the Internet. Leading providers of client solutions include Zone Labs, Net Nanny® and Internet Service Providers (ISPs) such as Microsoft® MSN and AOL®. Because the control runs on the endpoint, a user with administrative rights on that machine can disable or bypass it, which is why client solutions are rarely the only control in a business network.

Standalone Solutions

Standalone solutions consist of a dedicated database server for defining policies and a separate gateway or firewall that enforces the content management policies. These solutions are more manageable than client-based solutions because an administrator can create a policy once on the gateway and then apply it across all desktops. However, most standalone solutions require organizations to purchase and manage two separate hardware devices in addition to the content management software. They also require additional storage to be purchased as needed, when the policy database grows to exceed the storage available. Key vendors of standalone solutions include SonicWALL®, Websense and Surf Control®.

Integrated Solutions

Integrated solutions consolidate management and processing in a single gateway or firewall, thereby reducing capital and operational expenses. However, when the gateway or firewall is also used for services like anti-virus and intrusion prevention, performance can suffer. Key vendors of integrated content filtering solutions include SonicWALL®, Symantec™ and WatchGuard®.

Evaluating Solutions

Depending on the levels of protection, performance and manageability required, non-residential customers should choose between an integrated solution and a standalone appliance. Both alternatives can combine Internet content management with dynamic threat protection techniques to control access and secure the network against an array of threats from viruses, spyware, worms, instant messaging and peer-to-peer applications.

At the core of both integrated and standalone solutions is a rating architecture that leverages a comprehensive database of millions of pre-rated Web sites and domains. When a user attempts to access a Web site, the URL is cross-referenced against a master ratings database. These databases can be managed and maintained by the content filtering solution vendor, and made available at multiple locations for performance efficiency and high availability. A rating is returned to the requestor and compared to the content filtering policy established by the administrator. If the Web request is permitted, the user is able to view the page. If the requested Web site is denied, a custom block message informs the user that the site has been blocked according to policy.

Integrated Content Management and Firewalls

Content filtering integrated on a firewall is a cost-effective content management solution that is well suited to businesses with small to mid-sized networks. This alternative integrates with the existing firewall technology, or is installed together with a new firewall solution. A typical service makes available a continuously updated, comprehensive database of millions of Web sites, domains and IP addresses. Minimal administrative overhead means that businesses can either manage the solution themselves or outsource the task to their IT service provider.

Standalone Appliances

For larger businesses and enterprise environments requiring more comprehensive content control, a standalone content filtering appliance offers the broadest protection against Internet threats. Although it requires the purchase of additional hardware, ease of installation and use make this an attractive solution. The appliance can be dropped into the existing network without any reconfiguration of existing hardware or software. Appliances are also an affordable way to add functionality to an existing firewall without upgrading the firewall itself. A standalone appliance can combine Internet content management with real-time gateway anti-virus and anti-spyware capabilities.

Beyond these advantages and basic Web site access controls, other advantages of a standalone appliance include:

Seamless integration: appliances can be installed in virtually any network and combined with any existing firewall. Plug-and-play designs speed installation, making them drop-in solutions that eliminate the need for additional servers or hardware.

Dynamic rating engine: built-in capabilities can dynamically evaluate new URLs. Real-time analysis of page content, context for flagged words, HTML tags and other data can produce a rating and category for immediate access or blocking based on the organization's predetermined policies. New ratings can be automatically added to the master ratings database for subsequent requests.

Protection from attacks: deep packet inspection technology can block viruses, worms, Trojans, spyware, phishing, malicious code and other attacks before they are able to infect a network. Appliances can scan and clean network traffic over a multitude of ports and protocols including HTTP, SMTP, POP3, FTP and NetBIOS.

Advanced security for bandwidth protection and reduced legal liabilities: appliances can provide controls for managing instant messaging, peer-to-peer and multimedia applications.

Management and reporting capabilities: integrated support enables network administrators to manage all users through a single interface, while the option to create custom categories and URL-rating lists provides more granular control over filtering policies. Advanced reporting and analysis tools provide granular insight into network usage through custom reports.

UNIT III
Configuring Firewall

This Unit covers:

• Lesson Plan
• Suggested Learning Activities
• Trainer's Resource Material
  3.1. What Firewall Software Does
  3.2. Firewall Configuration
  3.3. Why Firewall Security?
  3.4. Configuring a Simple Firewall


LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
  Ensuring Measures: Peer group, Faculty group and Industry experts.
  Duration (Hrs): 2 hr in-class presentations
  Work Environment / Lab Requirement: PCs/Tablets/Laptops; Projection facilities

Performance Outcomes:
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
  • networks
  • communication
  • application security
  Ensuring Measures: KA4, KA5: Peer group, Faculty group and Industry experts. KB1 - KB4: Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
  Duration (Hrs): 2 hrs classroom assessment and 10 hrs offline (24/7) research and learning activity
  Work Environment / Lab Requirement: PCs/Tablets/Laptops; Labs availability; Internet with WiFi (min 2 Mbps dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security

Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research the various types of attacks and collect examples of each type of virus, Trojan, worm and other malware. The group that collects the largest number of correct examples wins a prize.

Activity 2:

Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.


Lesson

3.1. What Firewall Software Does


A firewall is a program or hardware device that filters the traffic passing between the Internet and your private network or computer system. If an incoming packet is flagged by the filters, it is not allowed through.

Suppose you work at a company with 500 employees. The company will have hundreds of computers, all connected together by network cards, and one or more connections to the Internet through something like T1 or T3 lines. Without a firewall in place, all of those computers are directly reachable by anyone on the Internet. A person who knows what he or she is doing can probe those computers, try to make FTP connections to them, try to make telnet connections to them and so on. If one employee makes a mistake and leaves a security hole, attackers can reach the machine and exploit the hole.

With a firewall in place, the landscape is much different. A company will place a firewall at every connection to the Internet (for example, at every T1 line coming into the company). The firewall enforces security rules. For example, one of the rules inside the company might be: out of the 500 computers inside this company, only one of them is permitted to receive public FTP traffic. Allow FTP connections only to that one computer and prevent them on all others.

A company can set up rules like this for FTP servers, Web servers, Telnet servers and so on. In addition, the company can control how employees connect to Web sites, whether files are allowed to leave the company over the network and so on. A firewall gives a company tremendous control over how people use the network.

Firewalls use one or more of three methods to control traffic flowing in and out of the network:

Packet filtering: packets (small chunks of data) are analyzed against a set of filters, typically on source and destination address, protocol and port. Packets that make it through the filters are forwarded to the requesting system and all others are discarded.

Proxy service: information from the Internet is retrieved by the firewall on behalf of the client and then passed to the requesting system, and vice versa, so that the client and the remote server never talk to each other directly.

Stateful inspection: a newer method that does not examine the full contents of each packet but instead compares certain key parts of the packet (addresses, ports, TCP flags and sequence numbers) against a table of connections the firewall has already seen. Connections opened from inside the firewall are recorded in the table, and incoming packets are compared against those records. If a packet belongs to a known connection it is allowed through; otherwise it is discarded, or evaluated against the static rules.

3.2 Firewall Software Configuration

Firewall Configuration

Firewalls are customizable. This means that you can add or remove filters based on several conditions. Some of these are:

IP addresses

Each machine on the Internet is assigned a unique address called an IP address. IPv4 addresses are 32-bit numbers, normally written as four "octets" in "dotted decimal" notation; a typical IPv4 address looks like 216.27.61.137 (IPv6 addresses are 128 bits long and written in hexadecimal). If a certain IP address outside the company is reading too many files from a server, the firewall can block all traffic to or from that IP address.

Domain names

Because it is hard to remember the string of numbers that makes up an IP address, and because IP addresses sometimes need to change, all servers on the Internet also have human-readable names, called domain names. For example, it is easier for most of us to remember www.howstuffworks.com than it is to remember 216.27.61.137. A company might block all access to certain domain names, or allow access only to specific domain names.

Protocols

A protocol is the pre-defined way that someone who wants to use a service talks with that service. The "someone" could be a person, but more often it is a computer program like a Web browser. Protocols are often text-based, and simply describe how the client and server will conduct their conversation. The http at the start of a Web address is one example.

Some common protocols that you can set firewall filters for include:

• IP (Internet Protocol): the main delivery system for information over the Internet
• TCP (Transmission Control Protocol): provides a reliable, ordered connection; it breaks information into segments and reassembles them at the other end
• HTTP (Hypertext Transfer Protocol): used for Web pages
• FTP (File Transfer Protocol): used to download and upload files
• UDP (User Datagram Protocol): connectionless delivery without acknowledgements, used for traffic such as streaming audio and video and DNS
• ICMP (Internet Control Message Protocol): used by hosts and routers for error and diagnostic messages such as "destination unreachable", echo (ping) and redirects
• SMTP (Simple Mail Transfer Protocol): used to send text-based information (e-mail)
• SNMP (Simple Network Management Protocol): used to collect system information from a remote computer
• Telnet: used to run commands on a remote computer (it is unencrypted, so it is commonly blocked in favour of SSH)

A company might set up only one or two machines to handle a specific protocol and ban that protocol on all other machines.

Ports

Any server machine makes its services available to the Internet using numbered ports, one for each service that is available on the server. For example, if a server machine is running a Web (HTTP) server and an FTP server, the Web server would typically be available on port 80, and the FTP server would be available on port 21. A company might block port 21 access on all machines but one inside the company.

Specific words and phrases

This can be anything. The firewall will inspect each packet for an exact match of the text listed in the filter. For example, you could instruct the firewall to block any packet with the word "X-rated" in it. The key here is that it has to be an exact match: the "X-rated" filter would not catch "X rated" (no hyphen). But you can include as many words, phrases and variations of them as you need. Such matching only works on unencrypted traffic, and a phrase that is split across two packets is missed unless the firewall reassembles the stream before matching.

Some operating systems come with a firewall built in. Otherwise, a software firewall can be installed on the computer in your home that has an Internet connection. This computer is considered a gateway because it provides the only point of access between your home network and the Internet.

With a hardware firewall, the firewall unit itself is normally the gateway. A good example is the Linksys Cable/DSL router. It has a built-in Ethernet card and hub. Computers in your home network connect to the router, which in turn is connected to either a cable or DSL modem. You configure the router via a Web-based interface that you reach through the browser on your computer. You can then set any filters or additional information.

Hardware firewalls are reasonably secure out of the box and not very expensive. Home versions that include a router, firewall and Ethernet hub for broadband connections can be found for well under Rs 10000.

3.3. Why Firewall Security?

Access or abuse of unprotected computers

There are many creative ways that unscrupulous people use to access or abuse unprotected computers:

Remote login: when someone is able to connect to your computer and control it in some form. This can range from being able to view or access your files to actually running programs on your computer.

Application backdoors: some programs have special features that allow for remote access. Others contain bugs that provide a backdoor, or hidden access that provides some level of control of the program.

SMTP session hijacking: SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is done quite often by relaying the e-mail through the SMTP server of an unsuspecting host (an "open relay"), making the actual sender of the spam difficult to trace.

Operating system bugs: like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced attacker can take advantage of.

Denial of service: you have probably heard this phrase used in news reports on the attacks on major Web sites. This type of attack is hard to counter completely. In the classic form (a SYN flood), the attacker sends a request to the server to connect to it, typically with a forged source address. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable session requests, the attacker causes the server to slow to a crawl or eventually crash.

E-mail bombs: an e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.

Macros: to simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Attackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer.

Viruses: probably the most well-known threat is the computer virus. A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data.

Spam: typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be dangerous though. Quite often it contains links to Web sites. Be careful of clicking on these, because they may lead to phishing pages or to downloads that install a backdoor on your computer.

Redirect bombs: attackers can use ICMP to change (redirect) the path information takes by sending it to a different router. This is one of the ways that a denial of service attack is set up.

Source routing: in most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Attackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network! Most firewall products disable source routing by default.

Security against unauthorized access or abuse

Some of the items in the list above are hard, if not impossible, to filter using a firewall. While some firewalls offer virus protection, it is worth the investment to install anti-virus software on each computer. And, even though it is annoying, some spam is going to get through your firewall as long as you accept e-mail.

The level of security you establish will determine how many of these threats can be stopped by your firewall. The highest level of security would be to simply block everything. Obviously that defeats the purpose of having an Internet connection. But a common rule of thumb is to block everything, then begin to select what types of traffic you will allow.

You can also restrict traffic that travels through the firewall so that only certain types of information, such as e-mail, can get through. This is a good rule for businesses that have an experienced network administrator who understands what the needs are and knows exactly what traffic to allow through. For most of us, it is probably better to work with the defaults provided by the firewall developer unless there is a specific reason to change them.

One of the best things about a firewall from a security standpoint is that it stops anyone on the outside from logging onto a computer in your private network. While this is a big deal for businesses, most home networks will probably not be threatened in this manner. Still, putting a firewall in place provides some peace of mind.

Proxy Servers and DMZ

A function that is often combined with a firewall is a proxy server. The proxy server is used to access Web pages by the other computers. When another computer requests a Web page, it is retrieved by the proxy server and then sent to the requesting computer. The net effect of this action is that the remote computer hosting the Web page never comes into direct contact with anything on your home network, other than the proxy server.

Proxy servers can also make your Internet access work more efficiently. If you access a page on a Web site, it is cached (stored) on the proxy server. This means that the next time you go back to that page, it normally doesn't have to load again from the Web site. Instead it loads almost instantaneously from the proxy server.

There are times that you may want remote users to have access to items on your network. Some examples are:

• Web site
• Online business
• FTP download and upload area

In cases like this, you may want to create a DMZ (Demilitarized Zone). A DMZ is a separate network segment, screened by the firewall, that sits between the Internet and the internal network. Think of the DMZ as the front yard of a house. It belongs to the owner, who may put some things there, but would put anything valuable inside the house where it can be properly secured. Servers in the DMZ are reachable from the Internet, but the firewall still prevents them from opening connections into the internal network, so a compromised DMZ host does not automatically hand the attacker the inside.

Setting up a simple DMZ is easy. If you have multiple computers, you can place one of them between the Internet connection and the firewall. Many firewalls and home routers also allow you to designate one host as the "DMZ host", to which all unsolicited inbound traffic is forwarded; that host is then fully exposed to the Internet and must be hardened accordingly.

3.4. Configuring a Simple Firewall

The Cisco 1800 integrated services routers support network traffic filtering by means of access lists. The router also supports packet inspection and dynamic temporary access lists by means of Context-Based Access Control (CBAC).

Basic traffic filtering is limited to configured access list implementations that examine packets at the network layer or, at most, the transport layer, permitting or denying the passage of each packet through the firewall. However, the use of inspection rules in CBAC allows the creation and use of dynamic temporary access lists. These dynamic lists allow temporary openings in the configured access lists at firewall interfaces. The openings are created when traffic for a specified user session exits the internal network through the firewall, and they allow the returning traffic for that session (which would normally be blocked) back through the firewall.

See the Cisco IOS Security Configuration Guide, Release 12.3, for more detailed information on traffic filtering and firewalls.

The following figure shows a network deployment using PPPoE or PPPoA with NAT and a firewall.

Figure: A router with a firewall configured

1. Multiple networked devices—desktops, laptop PCs, switches
2. Fast Ethernet LAN interface (the inside interface for NAT)
3. PPPoE or PPPoA client and firewall implementation—Cisco 1811/1812 or Cisco 1801/1802/1803 series integrated services router, respectively
4. Point at which NAT occurs
5. Protected network
6. Unprotected network
7. Fast Ethernet or ATM WAN interface (the outside interface for NAT)
In the configuration example that follows, the firewall is applied to the outside WAN interface (FE0) on the Cisco 1811 or Cisco 1812 and protects the Fast Ethernet LAN on FE2 by filtering and inspecting all traffic entering the router on that WAN interface.

Note that in this example, the network traffic originating from the corporate network, network address 10.1.1.0, is considered safe traffic and is not filtered.

Configuration Tasks

Perform the following tasks to configure this network scenario:

• Configure Access Lists
• Configure Inspection Rules
• Apply Access Lists and Inspection Rules to Interfaces

Configure Access Lists

Perform these steps to create access lists for use by the firewall, beginning in global configuration mode:

Step 1
Command: access-list access-list-number { deny | permit } protocol source source-wildcard [ operator [ port ] ] destination
Example:
    Router(config)# access-list 103 permit udp host 200.1.1.1 eq isakmp any
    Router(config)#
Purpose: Creates an access list which (together with the implicit deny at the end of every access list) prevents Internet-initiated traffic from reaching the local (inside) network of the router, and which compares source and destination ports. The protocol keyword (udp here) is required. See the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services for details about this command.

Step 2
Command: access-list access-list-number { deny | permit } protocol source source-wildcard destination destination-wildcard
Example:
    Router(config)# access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
    Router(config)#
Purpose: Creates an access list that allows network traffic to pass freely between the corporate network and the local networks through the configured VPN tunnel.

Configure Inspection Rules

Perform these steps to configure firewall inspection rules for all TCP and UDP traffic, as well as specific application protocols as defined by the security policy, beginning in global configuration mode:

Step 1
Command: ip inspect name inspection-name protocol
Example:
    Router(config)# ip inspect name firewall tcp
    Router(config)#
Purpose: Defines an inspection rule for a particular protocol.

Step 2
Command: ip inspect name inspection-name protocol
Example:
    Router(config)# ip inspect name firewall rtsp
    Router(config)# ip inspect name firewall h323
    Router(config)# ip inspect name firewall netshow
    Router(config)# ip inspect name firewall ftp
    Router(config)# ip inspect name firewall sqlnet
    Router(config)#
Purpose: Repeat this command for each inspection rule that you wish to use.

Apply Access Lists and Inspection Rules to Interfaces

Perform these steps to apply the ACLs and inspection rules to the network interfaces, beginning in global configuration mode:

Step 1
Command: interface type number
Example:
    Router(config)# interface vlan 1
    Router(config-if)#
Purpose: Enters interface configuration mode for the inside network interface on your router.

Step 2
Command: ip inspect inspection-name { in | out }
Example:
    Router(config-if)# ip inspect firewall in
    Router(config-if)#
Purpose: Assigns the set of firewall inspection rules to the inside interface on the router.

Step 3
Command: exit
Example:
    Router(config-if)# exit
    Router(config)#
Purpose: Returns to global configuration mode.

Step 4
Command: interface type number
Example:
    Router(config)# interface fastethernet 0
    Router(config-if)#
Purpose: Enters interface configuration mode for the outside network interface on your router.

Step 5
Command: ip access-group { access-list-number | access-list-name } { in | out }
Example:
    Router(config-if)# ip access-group 103 in
    Router(config-if)#
Purpose: Assigns the defined ACLs to the outside interface on the router.

Step 6
Command: exit
Example:
    Router(config-if)# exit
    Router(config)#
Purpose: Returns to global configuration mode.

Configuration Example

A telecommuter is granted secure access to a corporate network, using IPSec tunneling. Security to the home network is accomplished through firewall inspection. The protocols that are allowed are all TCP, UDP, RTSP, H.323, NetShow, FTP, and SQLNet. There are no servers on the home network; therefore, no traffic is allowed that is initiated from outside. IPSec tunneling secures the connection from the Home LAN to the corporate network.

Like the Internet Firewall Policy, HTTP need not be specified because Java blocking is not necessary. Specifying TCP inspection allows for single-channel protocols such as Telnet and HTTP. UDP is specified for DNS.

The following configuration example shows a portion of the configuration file for the simple firewall scenario described in the preceding sections.

! Firewall inspection is set up for all tcp and udp traffic as well as specific application
! protocols as defined by the security policy.
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
!
interface vlan 1                 ! This is the internal home network
 ip inspect firewall in          ! inspection examines outbound traffic
 no cdp enable
!
interface fastethernet 0         ! FE0 is the outside or internet exposed interface.
 ip access-group 103 in          ! acl 103 permits ipsec traffic from the corp. router as well as
                                 ! denies internet initiated traffic inbound.
 ip nat outside
 no cdp enable
!
! acl 103 defines traffic allowed from the peer for the ipsec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
access-list 103 permit icmp any any    ! allow icmp for debugging but should be disabled due to security implications.
access-list 103 deny ip any any        ! prevents internet initiated traffic inbound.
no cdp run
!
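As an added example (not part of the Cisco documentation or of this handbook), the following Python script reproduces how the router evaluates a numbered extended access list such as acl 103 above, and the Step 1 and Step 2 lists before it: entries are tried top-down, the first match decides, and a packet that matches no entry hits the implicit "deny ip any any". It parses the access-list lines exactly as written in the configuration and then evaluates a few constructed packets arriving inbound on the outside interface. The outside address 203.0.113.5, the sample packets, and the small port-name table are assumptions; the wildcard parser assumes contiguous wildcard masks, which is all the lists above use.

```python
"""First-match evaluation of a Cisco IOS numbered extended access list.

Added example, not Cisco code or part of this handbook.  Only the subset of
access-list syntax used in the configuration above is parsed: 'any',
'host A.B.C.D', 'A.B.C.D WILDCARD' and the 'eq PORT' operator.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port names the parser understands (IOS accepts many more); an assumption.
WELL_KNOWN_PORTS = {"isakmp": 500, "domain": 53, "www": 80, "telnet": 23, "ftp": 21}


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: Optional[int] = None   # None: any port
    dst_port: Optional[int] = None


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec at t[i]; return (network, index of next token)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # 'A.B.C.D WILDCARD': the wildcard is the bitwise inverse of a netmask
    # (0.0.0.255 -> /24).  Assumes a contiguous wildcard, as in the ACLs above.
    netmask = ~int(ipaddress.ip_address(t[i + 1])) & 0xFFFFFFFF
    network = int(ipaddress.ip_address(t[i])) & netmask
    return ipaddress.ip_network((network, bin(netmask).count("1"))), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq PORT' operator at t[i]."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (int(name) if name.isdigit() else WELL_KNOWN_PORTS[name]), i + 2
    return None, i


def parse_acl(config_lines: List[str]) -> List[AclEntry]:
    """Turn 'access-list N permit|deny ...' lines (IOS '!' comments allowed) into entries."""
    entries = []
    for raw in config_lines:
        line = raw.split("!", 1)[0].strip()
        if not line.startswith("access-list"):
            continue
        t = line.split()
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append(AclEntry(t[2], t[3], src, dst, sport, dport))
    return entries


def evaluate(entries: List[AclEntry], pkt: Packet) -> str:
    """Entries are tried top-down and the first match decides; a packet that
    matches nothing is denied by the implicit 'deny ip any any'."""
    for e in entries:
        if e.protocol not in ("ip", pkt.protocol):
            continue
        if ipaddress.ip_address(pkt.src) not in e.src or ipaddress.ip_address(pkt.dst) not in e.dst:
            continue
        if e.src_port is not None and e.src_port != pkt.src_port:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action
    return "deny"


# acl 103 as in the configuration above; 203.0.113.5 is an assumed address
# for the router's outside (FE0) interface and the packets are constructed.
ACL_103 = [
    "access-list 103 permit udp host 200.1.1.1 any eq isakmp",
    "access-list 103 permit udp host 200.1.1.1 eq isakmp any",
    "access-list 103 permit esp host 200.1.1.1 any",
    "access-list 103 permit icmp any any ! allow icmp for debugging",
    "access-list 103 deny ip any any ! prevents internet initiated traffic inbound",
]
OUTSIDE = "203.0.113.5"
SAMPLE_PACKETS = {
    "isakmp from vpn peer": Packet("udp", "200.1.1.1", OUTSIDE, 500, 500),
    "esp from vpn peer": Packet("esp", "200.1.1.1", OUTSIDE),
    "isakmp from stranger": Packet("udp", "198.51.100.7", OUTSIDE, 500, 500),
    "tcp syn to port 80": Packet("tcp", "198.51.100.7", OUTSIDE, 40000, 80),
    "icmp echo from anywhere": Packet("icmp", "198.51.100.7", OUTSIDE),
}


def classify_samples(acl_lines=ACL_103, packets=SAMPLE_PACKETS) -> Dict[str, str]:
    entries = parse_acl(acl_lines)
    return {name: evaluate(entries, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{verdict:6s} {name}")
```

Two things the run makes visible that the tables do not: the ISAKMP permit lines only match when the source is the VPN peer, so a stranger's UDP/500 falls through to the final deny, and the permit for ICMP from "any" is exactly as broad as it looks, which is why the configuration comment says to disable it once debugging is over.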

UNIT IV
Troubleshooting information security
devices

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
4.1 Troubleshooting the Cisco IOS Firewall Configuration
4.2 Troubleshooting routers

LESSON PLAN

Performance Outcomes: To be competent, you must be able to:
    PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
Ensuring Measures: Peer group, Faculty group and Industry experts.
Work Environment / Duration (Hrs): 2 hr in-class presentations
Lab Requirement:
    • PCs/Tablets/Laptops
    • Projection facilities

Performance Outcomes: You need to know and understand:
    KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
    KB1. fundamentals of information security and how to apply these, including:
        • networks
        • communication
        • application security
Ensuring Measures: KA4, KA5: Peer group, Faculty group and Industry experts. KB1 - KB4: Research and Learning; Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Work Environment / Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline
Lab Requirement:
    • PCs/Tablets/Laptops
    • Labs availability (24/7)
    • Internet with WiFi (Min 2 Mbps Dedicated)
    • Access to all security sites like ISO, PCI DSS, Center for Internet Security
Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research various types of attacks and get examples of each type of virus, Trojan, worm and other malware. The group that gets the maximum number of correct examples will get a prize.

Activity 2:

Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.

Training Resource Material

4.1 Troubleshooting CISCO IOS Firewall configurations

• In order to reverse (remove) an access list, put a "no" in front of the access-group command in interface configuration mode:
    int <interface>
    no ip access-group # in|out
• If too much traffic is denied, study the logic of your list or try to define an additional broader list, and then apply it instead. For example:
    access-list # permit tcp any any
    access-list # permit udp any any
    access-list # permit icmp any any
    int <interface>
    ip access-group # in|out
  Use such a broad list only as a temporary diagnostic step: while it is applied the interface has no filtering, so remove it as soon as the fault is isolated.
• The show ip access-lists command shows the configured access lists with a match counter for each entry (show ip interface shows which list is applied to which interface and in which direction). If you look at the packet count denied before and after the failed operation with the source and destination IP address, this number increases if the access list blocks traffic.
• If the router is not heavily loaded, debugging can be done at a packet level on the extended or ip inspect access list. If the router is heavily loaded, traffic is slowed through the router. Use discretion with debugging commands.
  Temporarily add the no ip route-cache command to the interface:
    int <interface>
    no ip route-cache
  Then, in enable (but not config) mode:
    term mon
    debug ip packet # detail
  produces output similar to this:
    *Mar 1 04:38:28.078: IP: s=10.31.1.161 (Serial0), d=171.68.118.100 (Ethernet0), g=10.31.1.21, len 100, forward
    *Mar 1 04:38:28.086: IP: s=171.68.118.100 (Ethernet0), d=9.9.9.9 (Serial0), g=9.9.9.9, len 100, forward
• Extended access lists can also be used with the "log" option at the end of the various statements:
    access-list 101 deny ip host 171.68.118.100 host 10.31.1.161 log
    access-list 101 permit ip any any
  You therefore see messages on the screen for permitted and denied traffic (the messages below come from other lists, 111 and 118, configured the same way):
    *Mar 1 04:44:19.446: %SEC-6-IPACCESSLOGDP: list 111 permitted icmp 171.68.118.100 -> 10.31.1.161 (0/0), 15 packets
    *Mar 1 03:27:13.295: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(0) -> 10.31.1.161(0), 1 packet
• If the ip inspect list is suspect, the debug ip inspect <type_of_traffic> command produces output such as this:
    Feb 14 12:41:17 10.31.1.52 56: 3d05h: CBAC* sis 258488 pak 16D0DC TCP P ack 3195751223 seq 3659219376(2) (10.31.1.5:11109) => (12.34.56.79:23)
    Feb 14 12:41:17 10.31.1.52 57: 3d05h: CBAC* sis 258488 pak 17CE30 TCP P ack 3659219378 seq 3195751223(12) (10.31.1.5:11109) <= (12.34.56.79:23)
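The "log" messages above are easier to act on when they are totalled per list and per source than when read one at a time. The following Python script does that; it is an added example, not Cisco code or part of this handbook. It parses the %SEC-6-IPACCESSLOGP, IPACCESSLOGDP and IPACCESSLOGNP message formats and reports, per access list, how many packets were denied and by which sources. The first two sample lines are the ones shown above; the remaining lines, and the addresses in them, are constructed for the example.

```python
"""Summarise Cisco IOS %SEC-6-IPACCESSLOG* messages per access list.

Added example, not Cisco code or part of this handbook.  Feed it the output of
'show logging' or lines from a syslog collector to see which list is denying
the traffic under investigation and from where, instead of reading the
messages one by one.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# IPACCESSLOGP: tcp/udp, ports in parentheses after each address.
# IPACCESSLOGDP: icmp, '(type/code)' after the destination.
# IPACCESSLOGNP: other IP protocols, numeric protocol, no ports.
# Standard-list messages (%SEC-6-IPACCESSLOGS) have a different layout and are skipped.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<variant>[A-Z]+): list (?P<acl>\S+) "
    r"(?P<verdict>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?, (?P<count>\d+) packets?"
)

FlowKey = Tuple[str, str, str, str, str]   # (acl, verdict, proto, src, dst)

# The first two lines are the ones shown above; the rest are constructed.
SAMPLE_LOG = """\
*Mar 1 04:44:19.446: %SEC-6-IPACCESSLOGDP: list 111 permitted icmp 171.68.118.100 -> 10.31.1.161 (0/0), 15 packets
*Mar 1 03:27:13.295: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(0) -> 10.31.1.161(0), 1 packet
*Mar 1 03:27:41.002: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(1033) -> 10.31.1.161(23), 4 packets
*Mar 1 03:28:09.517: %SEC-6-IPACCESSLOGP: list 118 denied udp 192.0.2.44(53) -> 10.31.1.161(53), 2 packets
*Mar 1 03:28:15.120: %SEC-6-IPACCESSLOGNP: list 118 permitted 50 200.1.1.1 -> 10.31.1.161, 120 packets
*Mar 1 03:29:00.000: %SYS-5-CONFIG_I: Configured from console by admin
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one ACL log message, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def summarise(lines: List[str]) -> Dict[FlowKey, int]:
    """Total packets reported per (acl, verdict, protocol, source, destination)."""
    totals: Dict[FlowKey, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec:
            totals[(rec["acl"], rec["verdict"], rec["proto"], rec["src"], rec["dst"])] += rec["count"]
    return dict(totals)


def denied_by_list(lines: List[str]) -> Dict[str, int]:
    """Packets denied per access list: the list whose count keeps rising is the suspect."""
    out: Dict[str, int] = defaultdict(int)
    for (acl, verdict, _proto, _src, _dst), n in summarise(lines).items():
        if verdict == "denied":
            out[acl] += n
    return dict(out)


def top_denied_sources(lines: List[str], acl: str) -> List[Tuple[str, int]]:
    """Sources denied by one list, busiest first."""
    out: Dict[str, int] = defaultdict(int)
    for (lst, verdict, _proto, src, _dst), n in summarise(lines).items():
        if lst == acl and verdict == "denied":
            out[src] += n
    return sorted(out.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("denied per list:", denied_by_list(lines))
    for src, n in top_denied_sources(lines, "118"):
        print(f"list 118 denied {n:4d} packets from {src}")
```

Treat the packet counts as approximate: IOS logs the first matching packet immediately and then reports subsequent matches as a summary at intervals, so these messages tell you which list and which flow is being denied, while the per-entry counters from show ip access-lists are the place to confirm exact numbers.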

4.2 Troubleshooting Routers

Cisco Router Basic Troubleshooting Checklist

Excerpted from the book The Accidental Administrator: Cisco Router Step-by-Step Configuration Guide (Crawley, Don R., Seattle, WA, soundtraining.net, ISBN 978-0983660729)

When a router isn't functioning, here are some steps to perform to eliminate basic faults as the source of trouble:

Physical Layer Stuff: Check power issues. Look for power lights, check plugs, and circuit breakers.

Check the Interfaces: Use the command show ip interface brief or show ipv6 interface brief to ensure that desired interfaces are up and configured properly.

Ping: Use the ping and trace commands to check for connectivity.

Check the Routing Table: Use the show ip route or show ipv6 route command to find out what the router knows. Is there either an explicit route to the remote network or a gateway of last resort?

Is there a Firewall on the Computer? If the problem involves a computer, check to ensure that its firewall is not blocking packets. Sometimes there are computers at client locations with firewalls in operation without the client's knowledge.

Any Access Lists? If the above steps don't resolve the issue, check for access-control lists that block traffic. There is an implicit "deny any" at the end of every access-control list, so even if you don't see a statement explicitly denying traffic, it might be blocked by an implicit "deny any."

Is the VPN Up? If a VPN is part of the connection, check to ensure that it is up. Use the show crypto family of commands to check VPN connections. With VPN connections, each end of the connection must mirror the other. For example, even something as seemingly inconsequential as a different timeout value or a different key lifetime can prevent a connection.

Do the Protocols Match? If you are trying to gain remote access to a server, ensure that it supports the protocol you're attempting to use. For example, if the router hasn't been configured to support SSH and you use the default settings in PuTTY which call for SSH, you won't be able to connect. Also, some admins change the default port numbers, so you may expect to use port 22 with SSH, but the admin may have configured it to use a non-standard port.

Check for Human Error: User errors can also be the source of errors. Check to ensure that correct usernames and passwords are being used, that you and the admin on the other end of the connection are using the same network addresses and matching subnet masks.

Verify Settings: Do not make assumptions. Verify everything!

Often, by using the above steps, you can solve the problem. If that doesn't do it, then proceed to more advanced show and debug commands to isolate the problem.

Router Troubleshooting Tools

Using Router Diagnostic Commands

Cisco routers provide numerous integrated commands to assist you in monitoring and troubleshooting your internetwork. The following sections describe the basic use of these commands:

• The show commands help monitor installation behaviour and normal network behaviour, as well as isolate problem areas.
• The debug commands assist in the isolation of protocol and configuration problems.
• The ping commands help determine connectivity between devices on your network.
• The trace commands provide a method of determining the route by which packets reach their destination from one device to another.

Using show Commands

The show commands are powerful monitoring and troubleshooting tools. You can use the show commands to perform a variety of functions:

• Monitor router behaviour during initial installation
• Monitor normal network operation
• Isolate problem interfaces, nodes, media, or applications
• Determine when a network is congested
• Determine the status of servers, clients, or other neighbours

Following are some of the most commonly used show commands:

• show interfaces—Use the show interfaces exec command to display statistics for all interfaces configured on the router or access server. The resulting output varies, depending on the network for which an interface has been configured.

Some of the more frequently used show interfaces commands include the following:

— show interfaces ethernet
— show interfaces tokenring
— show interfaces fddi
— show interfaces atm
— show interfaces serial
— show controllers—This command displays statistics for interface card controllers. For example, the show controllers mci command provides the following fields:

MCI 0, controller type 1.1, microcode version 1.8
128 Kbytes of main memory, 4 Kbytes cache memory

22 system TX buffers, largest buffer size 1520


Restarts: 0 line down, 0 hung output, 0 controller error
Interface 0 is Ethernet0, station address 0000.0c00.d4a6
15 total RX buffers, 11 buffer TX queue limit, buffer size 1520
Transmitter delay is 0 microseconds
Interface 1 is Serial0, electrical interface is V.35 DTE
15 total RX buffers, 11 buffer TX queue limit, buffer size 1520
Transmitter delay is 0 microseconds
High speed synchronous serial interface
Interface 2 is Ethernet1, station address aa00.0400.3be4
15 total RX buffers, 11 buffer TX queue limit, buffer size 1520
Transmitter delay is 0 microseconds
Interface 3 is Serial1, electrical interface is V.35 DCE
15 total RX buffers, 11 buffer TX queue limit, buffer size 1520
Transmitter delay is 0 microseconds
High speed synchronous serial interface

Some of the most frequently used show controllers commands include the following:

— show controllers token
— show controllers FDDI
— show controllers LEX
— show controllers ethernet
— show controllers E1
— show controllers MCI
— show controllers cxbus
— show controllers t1
— show running-config— Displays the router configuration currently running
— show startup-config—Displays the router configuration stored in nonvolatile RAM
(NVRAM)
— show flash—Group of commands that display the layout and contents of flash
memory
— show buffers—Displays statistics for the buffer pools on the router
— show memory—Shows statistics about the router’s memory, including free pool
statistics
— show processes—Displays information about the active processes on the router
— show stacks—Displays information about the stack utilization of processes and
interrupt routines, as well as the reason for the last system reboot
— show version—Displays the configuration of the system hardware, the software
version, the names and sources of configuration files, and the boot images
There are hundreds of other show commands available.

Using debug Commands

The debug privileged exec commands can provide a wealth of information about the traffic being seen (or not seen) on an interface, error messages generated by nodes on the network, protocol-specific diagnostic packets, and other useful troubleshooting data.

Exercise care when using debug commands. Many debug commands are processor intensive and can cause serious network problems (such as degraded performance or loss of connectivity) if they are enabled on an already heavily loaded router. When you finish using a debug command, remember to disable it with its specific no debug command (or use the no debug all command to turn off all debugging).

Use debug commands to isolate problems, not to monitor normal network operation. Because the high processor overhead of debug commands can disrupt router operation, you should use them only when you are looking for specific types of traffic or problems and have narrowed your problems to a likely subset of causes.

Output formats vary with each debug command. Some generate a single line of output per packet, and others generate multiple lines of output per packet. Some generate large amounts of output, and others generate only occasional output. Some generate lines of text, and others generate information in field format.

To minimize the negative impact of using debug commands, follow this procedure. If you intend to keep the output of the debug command, spool the output to a file.

Step 1 Use the no logging console global configuration command on your router. This command disables all logging to the console terminal.

Step 2 Telnet to a router port and enter the enable exec command (use SSH rather than Telnet wherever the router supports it; Telnet carries the enable password in clear text). The enable exec command will place the router in the privileged exec mode. After entering the enable password, you will receive a prompt that will consist of the router name with a # symbol.

Step 3 Use the terminal monitor command to copy debug command output and system error messages to your current terminal display.

By redirecting output to your current terminal display, you can view debug command output remotely, without being connected through the console port.

If you use debug commands at the console port, character-by-character processor interrupts are generated, maximizing the processor load already caused by using debug.

To access and list the privileged exec commands, complete the following tasks:

Step 1 Enter the privileged exec mode:
    Router> enable
    Password: XXXXXX
    Router#

Step 2 List privileged exec commands:
    Router# debug ?

Using Third-Party Diagnostic Tools

In many situations, using third-party diagnostic tools can be more useful and less intrusive than using debug commands.

Using the ping Command

To check host reachability and network connectivity, use the ping exec (user) or privileged exec command. After you log in to the router or access server, you are automatically in user exec command mode. The exec commands available at the user level are a subset of those available at the privileged level. In general, the user exec commands allow you to connect to remote devices, change terminal settings on a temporary basis, perform basic tests, and list system information. The ping command can

be used to confirm basic network connectivity on AppleTalk, ISO Connectionless Network Service (CLNS), IP, Novell, Apollo, VINES, DECnet, or XNS networks.

For IP, the ping command sends Internet Control Message Protocol (ICMP) Echo messages. ICMP is the Internet protocol that reports errors and provides information relevant to IP packet addressing. If a station receives an ICMP Echo message, it sends an ICMP Echo Reply message back to the source.

The extended command mode of the ping command permits you to specify the supported IP header options. This allows the router to perform a more extensive range of test options. To enter ping extended command mode, enter yes at the extended commands prompt of the ping command.

It is a good idea to use the ping command when the network is functioning properly to see how the command works under normal conditions and so you have something to compare against when troubleshooting.

Using the trace Command

The trace user exec command discovers the routes that a router's packets follow when traveling to their destinations. The trace privileged exec command permits the supported IP header options to be specified, allowing the router to perform a more extensive range of test options.

The trace command works by using the error message generated by routers when a datagram exceeds its time-to-live (TTL) value. First, probe datagrams are sent with a TTL value of 1. This causes the first router to discard the probe datagrams and send back "time exceeded" error messages. The trace command then sends several probes and displays the round-trip time for each. After every third probe, the TTL is increased by one.

Each outgoing packet can result in one of two error messages. A "time exceeded" error message indicates that an intermediate router has seen and discarded the probe. A "port unreachable" error message indicates that the destination node has received the probe and discarded it because it could not deliver the packet to an application. If the timer goes off before a response comes in, trace prints an asterisk (*).

The trace command terminates when the destination responds, when the maximum TTL is exceeded, or when the user interrupts the trace with the escape sequence.

As with ping, it is a good idea to use the trace command when the network is functioning properly to see how the command works under normal conditions and so you have something to compare against when troubleshooting.
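To make the TTL mechanism described above concrete, here is an added Python model of it (not Cisco code and not part of this handbook). The "network" is a constructed list of hops rather than real sockets, so no packets are sent; what the model reproduces is the control flow: three probes per TTL, "time exceeded" from the router that decrements the TTL to zero, "port unreachable" from the destination, an asterisk where no reply comes back, and termination either when the destination answers or when the maximum TTL is reached. The hop addresses, the round-trip times and the hop that stays silent are all assumptions made for the example.

```python
"""Model of how the trace command discovers a path with increasing TTL values.

Added example, not Cisco code or part of this handbook.  The network is a
constructed list of hops rather than real sockets, so the control flow
described above can be followed without sending packets: three probes per
TTL, 'time exceeded' from intermediate routers, 'port unreachable' from the
destination, '*' when no reply arrives, and termination when the destination
answers or the maximum TTL is reached.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Reply = Tuple[str, str, float]   # (replying address, ICMP error kind, round-trip ms)


@dataclass
class Hop:
    addr: str
    rtt_ms: float                    # constructed round-trip time, for display only
    sends_icmp_errors: bool = True   # False: a hop that silently discards the probe


def send_probe(path: List[Hop], ttl: int) -> Optional[Reply]:
    """Walk one probe datagram along the path.  Every router decrements the
    TTL; the one that decrements it to zero discards the probe and answers
    'time exceeded'.  The destination (last hop) delivers the probe, finds no
    application on its UDP port and answers 'port unreachable'.  None means
    the probe timed out, which trace shows as '*'."""
    for index, hop in enumerate(path):
        ttl -= 1
        at_destination = index == len(path) - 1
        if at_destination:
            return (hop.addr, "port unreachable", hop.rtt_ms) if hop.sends_icmp_errors else None
        if ttl == 0:
            return (hop.addr, "time exceeded", hop.rtt_ms) if hop.sends_icmp_errors else None
    return None


def trace(path: List[Hop], max_ttl: int = 30, probes_per_ttl: int = 3):
    """Return (rows, reason): one row per TTL holding the replies as trace displays them."""
    rows: List[Tuple[int, List[str]]] = []
    for ttl in range(1, max_ttl + 1):
        replies = [send_probe(path, ttl) for _ in range(probes_per_ttl)]
        rows.append((ttl, [f"{r[0]} {r[2]:.0f} ms" if r else "*" for r in replies]))
        if any(r is not None and r[1] == "port unreachable" for r in replies):
            return rows, "destination responded"
    return rows, "maximum TTL exceeded"


def hops_reached(path: List[Hop], max_ttl: int = 30) -> List[str]:
    """Replying address per TTL, '*' where the hop stayed silent."""
    rows, _reason = trace(path, max_ttl)
    return [replies[0].split()[0] for _ttl, replies in rows]


# Constructed path: an edge router, a router that does not generate ICMP
# errors (so it shows as '* * *' although it still forwards), and the host.
SAMPLE_PATH = [
    Hop("10.31.1.21", 1.0),
    Hop("172.16.5.1", 4.0, sends_icmp_errors=False),
    Hop("171.68.118.100", 12.0),
]

if __name__ == "__main__":
    rows, reason = trace(SAMPLE_PATH)
    for ttl, replies in rows:
        print(f"{ttl:2d}  " + "   ".join(replies))
    print("Trace complete:", reason)
```

Running it shows the two things that most often puzzle people reading real trace output: a row of asterisks does not mean the path is broken there (the silent hop still forwards, and the destination answers on the next TTL), whereas a destination whose host firewall drops the probes never answers at all, so the trace runs to the maximum TTL even though the path is fine.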

UNIT V
Configuring IDS

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
5.1 Cisco IOS Firewall IDS feature
5.2 Cisco IOS Firewall IDS Signature List
5.3 Cisco IOS Firewall IDS Configuration Task List
5.4 Configuring Snort

LESSON PLAN

Performance Outcomes: To be competent, you must be able to:
    PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
Ensuring Measures: Peer group, Faculty group and Industry experts.
Work Environment / Duration (Hrs): 2 hr in-class presentations
Lab Requirement:
    • PCs/Tablets/Laptops
    • Projection facilities

Performance Outcomes: You need to know and understand:
    KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
    KB1. fundamentals of information security and how to apply these, including:
        • networks
        • communication
        • application security
Ensuring Measures: KA4, KA5: Peer group, Faculty group and Industry experts. KB1 - KB4: Research and Learning; Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Work Environment / Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline
Lab Requirement:
    • PCs/Tablets/Laptops
    • Labs availability (24/7)
    • Internet with WiFi (Min 2 Mbps Dedicated)
    • Access to all security sites like ISO, PCI DSS, Center for Internet Security

Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research various types of attacks and get examples of each type of virus, Trojan, worm and other malware. The group that gets the maximum number of correct examples will get a prize.

Activity 2:

Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.

Training Resource Material

5.1 Cisco IOS Firewall IDS feature


The Cisco IOS Firewall IDS feature supports intrusion detection technology for midrange and high-end router platforms with firewall support. It is ideal for any network perimeter, and especially for locations in which a router is being deployed and additional security between network segments is required. It also can protect intranet and extranet connections where additional security is mandated, and branch-office sites connecting to the corporate office or Internet.

The Cisco IOS Firewall IDS feature identifies 59 of the most common attacks using "signatures" to detect patterns of misuse in network traffic. The intrusion-detection signatures included in the Cisco IOS Firewall were chosen from a broad cross-section of intrusion-detection signatures. The signatures represent severe breaches of security and the most common network attacks and information-gathering scans.

The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match any of the IDS signatures.

• IDS monitors packets and sends alarms when suspicious activity is detected.
• IDS logs the event through Cisco IOS syslog or the Cisco Secure Intrusion Detection System (Cisco Secure IDS, formerly known as NetRanger) Post Office Protocol.

The network administrator can configure the IDS system to choose the appropriate response to various threats. When packets in a session match a signature, the IDS system can be configured to take these actions:

• Send an alarm to a syslog server or a Cisco Secure IDS Director (centralized management interface)
• Drop the packet
• Reset the TCP connection

Cisco developed its Cisco IOS software-based intrusion-detection capabilities in Cisco IOS Firewall with flexibility in mind, so that individual signatures could be disabled in case of false positives. Also, while it is preferable to enable both the firewall and intrusion detection features of the CBAC security engine to support a network security policy, each of these features may be enabled independently and on different router interfaces. Cisco IOS software-based intrusion detection is part of the Cisco IOS Firewall.

Interaction with Cisco IOS Firewall Default Parameters

When Cisco IOS IDS is enabled, Cisco IOS Firewall is automatically enabled. Thus, IDS uses Cisco IOS Firewall default parameter values to inspect incoming sessions. Default parameter values include the following:

• The rate at which IDS starts deleting half-open sessions (modified via the ip inspect one-minute high command)
• The rate at which IDS stops deleting half-open sessions (modified via the ip inspect one-minute low command)
372
Trainer’s Handbook – Security Analyst SSC/ Q0903

 The maximum incomplete sessions detect the policy violation in real time,
(modified via the ip inspect max- forward alarms to a Cisco Secure IDS
incomplete high and the ip inspect Director management console, and
max-incomplete low commands) remove the offender from the network.
After the incoming TCP session setup rate The Cisco Secure IDS Director is a high-
crosses the one-minute high water mark, performance, software-based
the router will reset the oldest half-open management system that centrally
session, which is the default behaviour of monitors the activity of multiple Cisco
the Cisco IOS Firewall. Cisco IOS IDS Secure IDS Sensors located on local or
cannot modify this default behaviour. remote network segments.
Thus, after a new TCP session rate crosses the one-minute high water mark and a router attempts to open new connections by sending SYN packets at the same time, the latest SYN packet will cause the router to reset the half-open session that was opened by the earlier SYN packet. Only the last SYN request will survive.

Compatibility with Cisco Secure Intrusion Detection

Cisco IOS Firewall is compatible with the Cisco Secure Intrusion Detection System (formerly known as NetRanger). The Cisco Secure IDS is an enterprise-scale, real-time intrusion detection system designed to detect, report, and terminate unauthorized activity throughout a network.

The Cisco Secure IDS consists of three components:
• Sensor
• Director
• Post Office

Cisco Secure IDS Sensors, which are high-speed network appliances, analyze the content and context of individual packets to determine if traffic is authorized. If a network's data stream exhibits unauthorized or suspicious activity, such as a SATAN attack, a ping sweep, or the transmission of a secret research project code word, Cisco Secure IDS Sensors can

The Cisco Secure IDS Post Office is the communication backbone that allows Cisco Secure IDS services and hosts to communicate with each other. All communication is supported by a proprietary, connection-based protocol that can switch between alternate routes to maintain point-to-point connections.

Cisco Secure IDS customers can deploy the Cisco IOS Firewall IDS signatures to complement their existing IDS systems. This allows an IDS to be deployed to areas that may not be capable of supporting a Cisco Secure IDS Sensor. Cisco IOS Firewall IDS signatures can be deployed alongside or independently of other Cisco IOS Firewall features.

The Cisco IOS Firewall IDS can be added to the Cisco Secure IDS Director screen as an icon to provide a consistent view of all intrusion detection sensors throughout a network. The Cisco IOS Firewall intrusion detection capabilities have an enhanced reporting mechanism that permits logging to the Cisco Secure IDS Director console in addition to Cisco IOS syslog.

Functional Description

The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets as they traverse the router's interfaces and acting upon them in a definable fashion. When a packet, or a number of packets in a session, match a
signature, the Cisco IOS Firewall IDS may perform the following configurable actions:
• Alarm—Sends an alarm to a syslog server or Cisco Secure IDS Director
• Drop—Drops the packet
• Reset—Resets the TCP connection

The following describes the packet auditing process with Cisco IOS Firewall IDS:
• You create an audit rule, which specifies the signatures that should be applied to packet traffic and the actions to take when a match is found. An audit rule can apply informational and attack signatures to network packets. The signature list can have just one signature, all signatures, or any number of signatures in between. Signatures can be disabled in case of false positives or the needs of the network environment.
• You apply the audit rule to an interface on the router, specifying a traffic direction (in or out).
• If the audit rule is applied to the in direction of the interface, packets passing through the interface are audited before the inbound ACL has a chance to discard them. This allows an administrator to be alerted if an attack or information-gathering activity is underway even if the router would normally reject the activity.
• If the audit rule is applied to the out direction on the interface, packets are audited after they enter the router through another interface. In this case, the inbound ACL of the other interface may discard packets before they are audited. This may result in the loss of Cisco IOS Firewall IDS alarms even though the attack or information-gathering activity was thwarted.
• Packets going through the interface that match the audit rule are audited by a series of modules, starting with IP; then either ICMP, TCP, or UDP (as appropriate); and finally, the Application level.
• If a signature match is found in a module, then the following user-configured action(s) occur:
– If the action is alarm, then the module completes its audit, sends an alarm, and passes the packet to the next module.
– If the action is drop, then the packet is dropped from the module, discarded, and not sent to the next module.
– If the action is reset, then the packets are forwarded to the next module, and packets with the reset flag set are sent to both participants of the session, if the session is TCP.
It is recommended that you use the drop and reset actions together.

If there are multiple signature matches in a module, only the first match fires an action. Additional matches in other modules fire additional alarms, but only one per module.

Note This process is different than on the Cisco Secure IDS Sensor appliance, which identifies all signature matches for each packet.
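The module order and the per-module action rules just described, reduced to a short simulation. This is an added example written for this handbook section, not Cisco code: the Packet, Signature and audit names and the five sample rules are constructed for illustration, and the rules borrow signature numbers from the list in section 5.2 only to keep the output readable.

```python
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List

ALARM, DROP, RESET = "alarm", "drop", "reset"


@dataclass
class Packet:
    """Only the fields the demo rules look at (constructed for this example)."""
    proto: str                            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    payload: bytes = b""
    fragmented: bool = False
    flags: FrozenSet[str] = frozenset()   # TCP flag names, e.g. {"SYN", "FIN"}


@dataclass
class Signature:
    sig_id: int
    module: str                           # ip, icmp, tcp, udp or application
    match: Callable[[Packet], bool]
    actions: FrozenSet[str]               # any subset of {alarm, drop, reset}


@dataclass
class AuditResult:
    alarms: List[int] = field(default_factory=list)        # signature ids that alarmed
    dropped: bool = False
    resets_sent: List[str] = field(default_factory=list)   # endpoints that got a RST


def module_order(pkt: Packet) -> List[str]:
    """IP first, then the transport module that fits the packet, then Application."""
    return ["ip", pkt.proto, "application"]


def audit(pkt: Packet, signatures: List[Signature]) -> AuditResult:
    result = AuditResult()
    for module in module_order(pkt):
        # Only the first matching signature in a module fires its action;
        # further matches in the same module are ignored.
        hit = next((s for s in signatures if s.module == module and s.match(pkt)), None)
        if hit is None:
            continue
        if ALARM in hit.actions:
            result.alarms.append(hit.sig_id)
        if RESET in hit.actions and pkt.proto == "tcp":
            # RST goes to both participants; the packet itself moves on.
            result.resets_sent.extend([pkt.src, pkt.dst])
        if DROP in hit.actions:
            result.dropped = True
            break          # discarded here; later modules never see it
    return result


def demo_signatures() -> List[Signature]:
    """Five constructed rules, numbered after entries in the section 5.2 list."""
    return [
        Signature(1100, "ip", lambda p: p.fragmented, frozenset({ALARM})),
        Signature(1102, "ip", lambda p: p.src == p.dst, frozenset({ALARM, DROP})),
        Signature(3040, "tcp", lambda p: not p.flags, frozenset({ALARM})),
        Signature(3041, "tcp", lambda p: {"SYN", "FIN"} <= p.flags,
                  frozenset({ALARM, DROP, RESET})),
        Signature(3151, "application", lambda p: b"SYST" in p.payload, frozenset({ALARM})),
    ]


if __name__ == "__main__":
    sigs = demo_signatures()
    # Fragmented TCP segment with src == dst and SYN+FIN: 1100 fires in the IP
    # module (so 1102's drop never runs), then 3041 alarms, resets and drops.
    odd = Packet("tcp", "10.1.1.1", "10.1.1.1", fragmented=True,
                 flags=frozenset({"SYN", "FIN"}))
    print(audit(odd, sigs))
    # An ordinary FTP command only reaches the Application module's alarm.
    syst = Packet("tcp", "10.1.1.5", "10.1.1.9", payload=b"SYST\r\n",
                  flags=frozenset({"ACK", "PSH"}))
    print(audit(syst, sigs))
```

The first packet shows why rule order inside a module matters on this design: 1102 would have dropped the packet, but 1100 is checked first and an alarm-only rule wins the module, so the drop only happens one module later.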
When to Use Firewall IDS

Firewall IDS capabilities are ideal for providing additional visibility at intranet, extranet, and branch-office Internet perimeters. Network administrators enjoy more robust protection against attacks on the network and can automatically respond to threats from internal or external hosts.

The Firewall with intrusion detection is intended to satisfy the security goals of customers, and is particularly appropriate for the following scenarios:
• Enterprises that are interested in a cost-effective method of extending their perimeter security across all network boundaries, specifically branch-office, intranet, and extranet perimeters.
• Small and medium-sized businesses that are looking for a cost-effective router that has an integrated firewall with intrusion-detection capabilities.
• Service providers that want to set up managed services, providing firewalling and intrusion detection to their customers, all housed within the necessary function of a router.

Memory and Performance Impact

The performance impact of intrusion detection will depend on the configuration of the signatures, the level of traffic on the router, the router platform, and other individual features enabled on the router such as encryption, source route bridging, and so on. Enabling or disabling individual signatures will not alter performance significantly; however, signatures that are configured to use Access Control Lists will have a significant performance impact.

For auditing atomic signatures, there is no traffic-dependent memory requirement. For auditing compound signatures, CBAC allocates memory to maintain the state of each session for each connection. Memory is also allocated for the configuration database and for internal caching.
5.2 Cisco IOS Firewall IDS Signature List

The following is a complete list of Cisco IOS Firewall IDS signatures. A signature detects patterns of misuse in network traffic.

In Cisco IOS Firewall IDS, signatures are categorized into four types:
• Info Atomic
• Info Compound
• Attack Atomic
• Attack Compound

An info signature detects information-gathering activity, such as a port sweep. An attack signature detects attacks attempted into the protected network, such as denial-of-service attempts or the execution of illegal commands during an FTP session.

Info and attack signatures can be either atomic or compound signatures. Atomic signatures can detect patterns as simple as an attempt to access a specific port on a specific host. Compound signatures can detect complex patterns, such as a sequence of operations distributed across multiple hosts over an arbitrary period of time.

The intrusion-detection signatures included in the Cisco IOS Firewall were chosen from a broad cross-section of intrusion-detection signatures as representative of the most common network attacks and information-gathering scans that are not commonly found in an operational network.

The following signatures are listed in numerical order by their signature number in the Cisco Secure IDS Network Security Database. After each signature's name is an indication of the type of signature (info or attack, atomic or compound). Atomic signatures marked with an asterisk (Atomic*) are allocated memory for session states by CBAC.

• 1000 IP options-Bad Option List (Info, Atomic)
Triggers on receipt of an IP datagram where the list of IP options in the IP datagram header is incomplete or malformed. The IP options list contains one or more options that perform various network management or debugging tasks.

• 1001 IP options-Record Packet Route (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 7 (Record Packet Route).

• 1002 IP options-Timestamp (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 4 (Timestamp).

• 1003 IP options-Provide s,c,h,tcc (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the
datagram includes option 2 (Security options).

• 1004 IP options-Loose Source Route (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 3 (Loose Source Route).

• 1005 IP options-SATNET ID (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 8 (SATNET stream identifier).

• 1006 IP options-Strict Source Route (Info, Atomic)
Triggers on receipt of an IP datagram in which the IP option list for the datagram includes option 2 (Strict Source Routing).

• 1100 IP Fragment Attack (Attack, Atomic)
Triggers when any IP datagram is received with the "more fragments" flag set to 1 or if there is an offset indicated in the offset field.

• 1101 Unknown IP Protocol (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field set to 101 or greater. These protocol types are undefined or reserved and should not be used.

• 1102 Impossible IP Packet (Attack, Atomic)
Triggers when an IP packet arrives with the source address equal to the destination address. This signature will catch the so-called Land Attack.

• 2000 ICMP Echo Reply (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 0 (Echo Reply).

• 2001 ICMP Host Unreachable (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 3 (Host Unreachable).

• 2002 ICMP Source Quench (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 4 (Source Quench).

• 2003 ICMP Redirect (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 5 (Redirect).

• 2004 ICMP Echo Request (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 8 (Echo Request).

• 2005 ICMP Time Exceeded for a Datagram (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 11 (Time Exceeded for a Datagram).

• 2006 ICMP Parameter Problem on Datagram (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 12 (Parameter Problem on Datagram).

• 2007 ICMP Timestamp Request (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 13 (Timestamp Request).

• 2008 ICMP Timestamp Reply (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 14 (Timestamp Reply).

• 2009 ICMP Information Request (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 15 (Information Request).

• 2010 ICMP Information Reply (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 16 (ICMP Information Reply).

• 2011 ICMP Address Mask Request (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 17 (Address Mask Request).

• 2012 ICMP Address Mask Reply (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 18 (Address Mask Reply).

• 2150 Fragmented ICMP Traffic (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and either the more fragments flag is set to 1 or there is an offset indicated in the offset field.

• 2151 Large ICMP Traffic (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the IP length is greater than 1024.

• 2154 Ping of Death Attack (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and
( IP offset * 8 ) + (IP data length) > 65535
In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.

• 3040 TCP - no bits set in flags (Attack, Atomic)
Triggers when a TCP packet is received with no bits set in the flags field.

• 3041 TCP - SYN and FIN bits set (Attack, Atomic)
Triggers when a TCP packet is received with both the SYN and FIN bits set in the flags field.
• 3042 TCP - FIN bit with no ACK bit in flags (Attack, Atomic)
Triggers when a TCP packet is received with the FIN bit set but with no ACK bit set in the flags field.

• 3050 Half-open SYN Attack/SYN Flood (Attack, Compound)
Triggers when multiple TCP sessions have been improperly initiated on any of several well-known service ports. Detection of this signature is currently limited to FTP, Telnet, HTTP, and e-mail servers (TCP ports 21, 23, 80, and 25 respectively).

• 3100 Smail Attack (Attack, Compound)
Triggers on the very common "smail" attack against SMTP-compliant e-mail servers (frequently sendmail).

• 3101 Sendmail Invalid Recipient (Attack, Compound)
Triggers on any mail message with a "pipe" (|) symbol in the recipient field.

• 3102 Sendmail Invalid Sender (Attack, Compound)
Triggers on any mail message with a "pipe" (|) symbol in the "From:" field.

• 3103 Sendmail Reconnaissance (Attack, Compound)
Triggers when "expn" or "vrfy" commands are issued to the SMTP port.

• 3104 Archaic Sendmail Attacks (Attack, Compound)
Triggers when "wiz" or "debug" commands are issued to the SMTP port.

• 3105 Sendmail Decode Alias (Attack, Compound)
Triggers on any mail message with ": decode@" in the header.

• 3106 Mail Spam (Attack, Compound)
Counts the number of Rcpt to: lines in a single mail message and alarms after a user-definable maximum has been exceeded (default is 250).

• 3107 Majordomo Execute Attack (Attack, Compound)
A bug in the Majordomo program will allow remote users to execute arbitrary commands at the privilege level of the server.

• 3150 FTP Remote Command Execution (Attack, Compound)
Triggers when someone tries to execute the FTP SITE command.

• 3151 FTP SYST Command Attempt (Info, Compound)
Triggers when someone tries to execute the FTP SYST command.

• 3152 FTP CWD ~root (Attack, Compound)
Triggers when someone tries to execute the CWD ~root command.

• 3153 FTP Improper Address Specified (Attack, Atomic*)
Triggers if a port command is issued with an address that is not the same as the requesting host.

• 3154 FTP Improper Port Specified (Attack, Atomic*)
Triggers if a port command is issued with a data port specified that is less than 1024 or greater than 65535.

• 4050 UDP Bomb (Attack, Atomic)
Triggers when the UDP length specified is less than the IP length specified.

• 4100 Tftp Passwd File (Attack, Compound)
Triggers on an attempt to access the passwd file (typically /etc/passwd) via TFTP.

• 6100 RPC Port Registration (Info, Atomic*)
Triggers when attempts are made to register new RPC services on a target host.

• 6101 RPC Port Unregistration (Info, Atomic*)
Triggers when attempts are made to unregister existing RPC services on a target host.

• 6102 RPC Dump (Info, Atomic*)
Triggers when an RPC dump request is issued to a target host.

• 6103 Proxied RPC Request (Attack, Atomic*)
Triggers when a proxied RPC request is sent to the portmapper of a target host.

• 6150 ypserv Portmap Request (Info, Atomic*)
Triggers when a request is made to the portmapper for the YP server daemon (ypserv) port.

• 6151 ypbind Portmap Request (Info, Atomic*)
Triggers when a request is made to the portmapper for the YP bind daemon (ypbind) port.

• 6152 yppasswdd Portmap Request (Info, Atomic*)
Triggers when a request is made to the portmapper for the YP password daemon (yppasswdd) port.

• 6153 ypupdated Portmap Request (Info, Atomic*)
Triggers when a request is made to the portmapper for the YP update daemon (ypupdated) port.

• 6154 ypxfrd Portmap Request (Info, Atomic*)
Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port.

• 6155 mountd Portmap Request (Info, Atomic*)
Triggers when a request is made to the portmapper for the mount daemon (mountd) port.

• 6175 rexd Portmap Request (Info, Atomic*)
Triggers when a request is made to the portmapper for the remote execution daemon (rexd) port.

• 6180 rexd Attempt (Info, Atomic*)
Triggers when a call to the rexd program is made. The remote execution daemon is the server responsible for remote program execution. This may be indicative of an attempt to gain unauthorized access to system resources.

• 6190 statd Buffer Overflow (Attack, Atomic*)
Triggers when a large statd request is sent. This could be an attempt to overflow a buffer and gain access to system resources.

• 8000 FTP Retrieve Password File (Attack, Atomic*)
SubSig ID: 2101
Triggers on the string "passwd" issued during an FTP session. May indicate someone attempting to retrieve the password file from a machine in order to crack it and gain unauthorized access to system resources.
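Header-level checks for a subset of the atomic signatures in the list above (1100, 1101, 1102, the ICMP type signatures 2000 to 2012, 2150, 2151, 2154, 3040, 3041 and 3042), written in Python as an added example. It is not Cisco's implementation: the function names, the constructed test datagrams and the reading of "the Last Fragment bit is set" as a cleared more-fragments flag are assumptions made here, and the option-list signatures (1000 to 1006) and all compound signatures are left out because they need option parsing or session state.

```python
import ipaddress
import struct
from typing import Dict, List

# ICMP "type" value -> signature id, taken from the 2000-series entries above.
ICMP_TYPE_SIGS: Dict[int, int] = {
    0: 2000, 3: 2001, 4: 2002, 5: 2003, 8: 2004, 11: 2005, 12: 2006,
    13: 2007, 14: 2008, 15: 2009, 16: 2010, 17: 2011, 18: 2012,
}
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


def parse_ipv4(raw: bytes) -> dict:
    """Decode the fixed IPv4 header fields that the atomic signatures look at."""
    ver_ihl, _tos, total_len, _ident, frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "total_len": total_len,
        "more_fragments": bool(frag & 0x2000),
        "frag_offset": frag & 0x1FFF,          # in 8-byte units
        "proto": proto,
        "src": src,
        "dst": dst,
        "payload": raw[ihl:total_len],
    }


def match_atomic(raw: bytes) -> List[int]:
    """Return the ids of the listed signatures whose header condition holds."""
    ip = parse_ipv4(raw)
    fragmented = ip["more_fragments"] or ip["frag_offset"] != 0
    hits: List[int] = []
    if fragmented:
        hits.append(1100)                      # IP Fragment Attack
    if ip["proto"] >= 101:
        hits.append(1101)                      # Unknown IP Protocol
    if ip["src"] == ip["dst"]:
        hits.append(1102)                      # Impossible IP Packet (Land)
    if ip["proto"] == 1:                       # ICMP
        if ip["frag_offset"] == 0 and ip["payload"]:
            # The ICMP header is only present in the first fragment.
            sig = ICMP_TYPE_SIGS.get(ip["payload"][0])
            if sig is not None:
                hits.append(sig)
        if fragmented:
            hits.append(2150)                  # Fragmented ICMP Traffic
        if ip["total_len"] > 1024:
            hits.append(2151)                  # Large ICMP Traffic
        # 2154 Ping of Death: a last fragment (more-fragments clear, assumed here
        # to be the "Last Fragment bit") whose end passes the 65535-byte limit.
        if not ip["more_fragments"] and \
                ip["frag_offset"] * 8 + len(ip["payload"]) > 65535:
            hits.append(2154)
    if ip["proto"] == 6 and ip["frag_offset"] == 0 and len(ip["payload"]) >= 14:
        flags = ip["payload"][13]              # TCP flags byte
        if flags == 0:
            hits.append(3040)                  # no bits set in flags
        if flags & TCP_SYN and flags & TCP_FIN:
            hits.append(3041)                  # SYN and FIN both set
        if flags & TCP_FIN and not flags & TCP_ACK:
            hits.append(3042)                  # FIN with no ACK
    return hits


def build_ipv4(proto: int, src: str, dst: str, payload: bytes,
               more_fragments: bool = False, frag_offset: int = 0) -> bytes:
    """Assemble a minimal 20-byte IPv4 header plus payload (constructed test input;
    the checksum is left zero because nothing here validates it)."""
    frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def tcp_segment(flags: int) -> bytes:
    """A 20-byte TCP header with only the flags byte filled in (constructed)."""
    return bytes(13) + bytes([flags]) + bytes(6)


if __name__ == "__main__":
    land = build_ipv4(6, "10.1.1.1", "10.1.1.1", tcp_segment(TCP_SYN | TCP_FIN))
    print(match_atomic(land))          # src == dst plus SYN+FIN and FIN-without-ACK
    last_frag = build_ipv4(1, "10.1.1.2", "10.1.1.3", bytes(32), frag_offset=8190)
    print(match_atomic(last_frag))     # 8190 * 8 + 32 is past 65535
```

Two things the list above only implies are made explicit here: a single datagram can satisfy several atomic signatures at once (the Land packet hits 1102, 3041 and 3042), and the ICMP type signatures can only be evaluated on the first fragment, since later fragments carry no ICMP header.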
5.3 Cisco IOS Firewall IDS Configuration Task List

See the following sections for configuration tasks for the Cisco IOS Firewall Intrusion Detection System feature. Each task in the list is identified as optional or required:
• Initializing Cisco IOS Firewall IDS (Required)
• Initializing the Post Office (Required)
• Configuring and Applying Audit Rules (Required)
• Verifying the Configuration (Optional)

Initializing Cisco IOS Firewall IDS

To initialize Cisco IOS Firewall IDS on a router, use the following commands in global configuration mode:

Step 1
Command: Router(config)# ip audit smtp spam recipients
Purpose: Sets the threshold beyond which spamming in e-mail messages is suspected. Here, recipients is the maximum number of recipients in an e-mail message. The default is 250.

Step 2
Command: Router(config)# ip audit po max-events number_events
Purpose: Sets the threshold beyond which queued events are dropped from the queue for sending to the Cisco Secure IDS Director. Here, number_events is the number of events in the event queue. The default is 100. Increasing this number may have an impact on memory and performance, as each event in the event queue requires 32 KB of memory.

Step 3
Command: Router(config)# exit
Purpose: Exits global configuration mode.

Initializing the Post Office

You must reload the router every time you make a Post Office configuration change. To initialize the Post Office system, use the following commands in global configuration mode:

Step 1
Command: Router(config)# ip audit notify nr-director
or
Router(config)# ip audit notify log
Purpose: Sends event notifications (alarms) to either a Cisco Secure IDS Director, a syslog server, or both. For example, if you are sending alarms to a Cisco Secure IDS Director, use the nr-director keyword in the command syntax. If you are sending alarms to a syslog server, use the log keyword in the command syntax.

Step 2
Command: Router(config)# ip audit po local hostid host-id orgid org-id
Purpose: Sets the Post Office parameters for both the router (using the ip audit po local command) and the Cisco Secure IDS Director (using the ip audit po remote command). Here, host-id is a unique number between 1 and 65535 that identifies the router, and org-id is a unique number between 1 and 65535 that identifies the organization to which the router and Director both belong.

Step 3
Command: Router(config)# ip audit po remote hostid host-id orgid org-id rmtaddress ip-address localaddress ip-address port port-number preference preference-number timeout seconds application application-type
Purpose: Sets the Post Office parameters for the Cisco Secure IDS Director (using the ip audit po remote command).
• host-id is a unique number between 1 and 65535 that identifies the Director.
• org-id is a unique number between 1 and 65535 that identifies the organization to which the router and Director both belong.
• rmtaddress ip-address is the Director's IP address.
• localaddress ip-address is the router's interface IP address.
• port-number identifies the UDP port on which the Director is listening for alarms (45000 is the default).
• preference-number is the relative priority of the route to the Director (1 is the default)—if more than one route is used to reach the same Director, then one must be a primary route (preference 1) and the other a secondary route (preference 2).
• seconds is the number of seconds the Post Office waits before it determines that a connection has timed out (5 is the default).
• application-type is either director or logger.
Note If you are sending Post Office notifications to a Sensor, use logger instead of director as your application. Sending to a logging application means that no alarms are sent to a GUI; instead, the Cisco Secure IDS alarm data is written to a flat file, which can then be processed with filters, such as perl and awk, or staged to a database. Use logger only in advanced applications where you want the alarms only to be logged and not displayed.

Step 4
Command: Router(config)# logging console info
Purpose: Displays the syslog messages on the router console if you are sending alarms to the syslog console.

Step 5
Command: Router(config)# exit
Purpose: Exits global configuration mode.

Step 6
Command: Router# write memory
Purpose: Saves the configuration.

Step 7
Command: Router# reload
Purpose: Reloads the router.

After you have configured the router, add the Cisco IOS Firewall IDS router's Post Office information to the /usr/nr/etc/hosts and /usr/nr/etc/routes files on the Cisco Secure IDS Sensors and Directors communicating with the router. You can do this with the nrConfigure tool in Cisco Secure IDS. For more information, refer to the NetRanger User Guide.
Configuring and Applying Audit Rules

To configure and apply audit rules, use the following commands starting in global configuration mode:

Step 1
Command: Router(config)# ip audit info {action [alarm] [drop] [reset]}
and Router(config)# ip audit attack {action [alarm] [drop] [reset]}
Purpose: Sets the default actions for info and attack signatures. Both types of signatures can take any or all of the following actions: alarm, drop, and reset. The default action is alarm.

Step 2
Command: Router(config)# ip audit name audit-name {info | attack} [list standard-acl] [action [alarm] [drop] [reset]]
Purpose: Creates audit rules, where audit-name is a user-defined name for an audit rule. For example:
  ip audit name audit-name info
  ip audit name audit-name attack
The default action is alarm.
Note Use the same name when you assign attack and info type signatures.
You can also use the ip audit name command to attach access control lists to an audit rule for filtering out sources of false alarms. In this case standard-acl is an integer representing an ACL. If you attach an ACL to an audit rule, the ACL must be defined as well:
  ip audit name audit-name {info|attack} list acl-list
In the following example, ACL 99 is attached to the audit rule INFO, and ACL 99 is defined:
  ip audit name INFO info list 99
  access-list 99 deny 10.1.1.0 0.0.0.255
  access-list 99 permit any
Note The ACL in the preceding example is not denying traffic from the 10.1.1.0 network (as expected if it were applied to an interface). Instead, the hosts on that network are not filtered through the audit process because they are trusted hosts. On the other hand, all other hosts, as defined by permit any, are processed by the audit rule.

Step 3
Command: Router(config)# ip audit signature signature-id {disable | list acl-list}
Purpose: Disables individual signatures. Disabled signatures are not included in audit rules, as this is a global configuration change:
  ip audit signature signature-number disable
To re-enable a disabled signature, use the no ip audit signature command, where signature-number is the number of the disabled signature.
You can also use the ip audit signature command to apply ACLs to individual signatures for filtering out sources of false alarms. In this case signature-number is the number of a signature, and acl-list is an integer representing an ACL:
  ip audit signature signature-number list acl-list
For example, ACL 35 is attached to the 1234 signature, and then defined:
  ip audit signature 1234 list 35
  access-list 35 deny 10.1.1.0 0.0.0.255
  access-list 35 permit any
Note The ACL in the preceding example is not denying traffic from the 10.1.1.0 network (as expected if it were applied to an interface). Instead, the hosts on that network are not filtered through the signature because they are trusted hosts or are otherwise causing false positives to occur. On the other hand, all other hosts, as defined by permit any, are processed by the signature.

Step 4
Command: Router(config)# interface interface-number
Purpose: Enters interface configuration mode.

Step 5
Command: Router(config-if)# ip audit audit-name {in | out}
Purpose: Applies an audit rule at an interface. With this command, audit-name is the name of an existing audit rule, and the direction is either in or out.

Step 6
Command: Router(config-if)# exit
Purpose: Exits interface configuration mode.

Step 7
Command: Router(config)# ip audit po protected ip-addr [to ip-addr]
Purpose: Configures which network should be protected by the router. Here, ip-addr is the IP address to protect.

Step 8
Command: Router(config)# exit
Purpose: Exits global configuration mode.

Verifying the Configuration

You can verify that Cisco IOS Firewall IDS is properly configured with the show ip audit configuration command (see Example 1).

Example 1 Output from show ip audit configuration Command

ids2611# show ip audit configuration
Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm drop reset
Default threshold of recipients for spam signature is 25
Post Office: HostID:55 OrgID:123 Msg dropped:0
:Curr Event Buf Size:100 Configured:100
HID:14 OID:123 S:1 A:2 H:82 HA:49 DA:0 R:0 Q:0
ID:1 Dest:10.1.1.99:45000 Loc:172.16.58.99:45000 T:5 S:ESTAB *

Audit Rule Configuration
Audit name AUDIT.1
info actions alarm
attack actions alarm drop reset

You can verify which interfaces have audit rules applied to them with the show ip audit interface command (see Example 2).

Example 2 Output from show ip audit interface Command

ids2611# show ip audit interface
Interface Configuration
Interface Ethernet0
Inbound IDS audit rule is AUDIT.1
info actions alarm
attack actions alarm drop reset
Outgoing IDS audit rule is not set
Interface Ethernet1
Inbound IDS audit rule is AUDIT.1
info actions alarm
attack actions alarm drop reset
Outgoing IDS audit rule is not set

Monitoring and Maintaining Cisco IOS Firewall IDS

This section describes the EXEC commands used to monitor and maintain Cisco IOS Firewall IDS.

Command: Router# clear ip audit configuration
Purpose: Disables Cisco IOS Firewall IDS, removes all intrusion detection configuration entries, and releases dynamic resources.

Command: Router# clear ip audit statistics
Purpose: Resets statistics on packets analyzed and alarms sent.

Command: Router# show ip audit statistics
Purpose: Displays the number of packets audited and the number of alarms sent, among other information.

The following display provides sample output from the show ip audit statistics command:

Signature audit statistics [process switch:fast switch]
signature 2000 packets audited: [0:2]
signature 2001 packets audited: [9:9]
signature 2004 packets audited: [0:2]
signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never

HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0
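A small parser for the show ip audit statistics display above, useful when the counters are collected from several routers and compared over time. It is an added example, not a Cisco tool: SAMPLE reproduces the display from this section, and the regular expressions and function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# The display from the section above, used here as test input.
SAMPLE = """Signature audit statistics [process switch:fast switch]
signature 2000 packets audited: [0:2]
signature 2001 packets audited: [9:9]
signature 2004 packets audited: [0:2]
signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never

HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0
"""

SIG_RE = re.compile(r"^signature (\d+) packets audited: \[(\d+):(\d+)\]$")
SESS_RE = re.compile(r"^(Current|Maxever) session counts .*\[(\d+):(\d+):(\d+)\]$")
IFACE_RE = re.compile(r"^Interfaces configured for audit (\d+)$")
PO_RE = re.compile(r"\b([A-Z]+):(\d+)\b")


def parse_audit_statistics(text: str) -> dict:
    """Turn the display into a dict: per-signature counters, session counters,
    the audited-interface count and the Post Office (HID/OID/...) fields."""
    stats: dict = {"signatures": {}, "sessions": {}, "interfaces": None, "post_office": {}}
    for line in text.splitlines():
        line = line.strip()
        m = SIG_RE.match(line)
        if m:
            sig, proc, fast = map(int, m.groups())
            # [process switch:fast switch] counters, plus their sum
            stats["signatures"][sig] = {"process": proc, "fast": fast, "total": proc + fast}
            continue
        m = SESS_RE.match(line)
        if m:
            # (estab, half-open, terminating)
            stats["sessions"][m.group(1).lower()] = tuple(int(x) for x in m.groups()[1:])
            continue
        m = IFACE_RE.match(line)
        if m:
            stats["interfaces"] = int(m.group(1))
            continue
        if line.startswith("HID:"):
            stats["post_office"] = {k: int(v) for k, v in PO_RE.findall(line)}
    return stats


def top_signatures(stats: dict, n: int = 3) -> List[Tuple[int, int]]:
    """Signature ids ranked by total packets audited, busiest first."""
    ranked = sorted(((sid, s["total"]) for sid, s in stats["signatures"].items()),
                    key=lambda t: (-t[1], t[0]))
    return ranked[:n]


if __name__ == "__main__":
    parsed = parse_audit_statistics(SAMPLE)
    print(top_signatures(parsed))
    print(parsed["sessions"], parsed["post_office"])
```

Ranking by the summed counters shows that signature 2001 (ICMP Host Unreachable, 18 packets) is busier on this router than 3151 (FTP SYST, 12 packets), even though its fast-switched count alone is smaller; comparing the same dict from before and after a clear ip audit statistics gives the per-interval rate.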

Cisco IOS Firewall IDS Configuration Examples

The following sections provide Cisco IOS Firewall IDS configuration examples.

Cisco IOS Firewall IDS Reporting to Two Directors Example

In the following example, Cisco IOS Firewall IDS is initialized. Notice that the router is reporting to two Directors. Also notice that the AUDIT.1 audit rule will apply both info and attack signatures.

ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1

ip audit name AUDIT.1 info action alarm
ip audit name AUDIT.1 attack action alarm drop reset

interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in

interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in

Adding an ACL to the Audit Rule Example

In the following example, an ACL is added to account for a Cisco Secure IDS Scanner (172.16.59.16) that scans for all types of attacks. As a result, no packets originating from the device will be audited.

ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1

ip audit name AUDIT.1 info list 90 action alarm
ip audit name AUDIT.1 attack list 90 action alarm drop reset

interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in

interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in

access-list 90 deny 172.16.59.16
access-list 90 permit any

Disabling a Signature Example

The security administrator notices that the router is generating a lot of false positives for signatures 1234, 2345, and 3456. The system administrator knows that there is an application on the network that is causing signature 1234 to fire, and it is not an application that should cause security concerns. This signature can be disabled, as illustrated in the following example:

ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1

ip audit signature 1234 disable

ip audit name AUDIT.1 info list 90 action alarm
ip audit name AUDIT.1 attack list 90 action alarm drop reset

interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in

interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in

access-list 90 deny 172.16.59.16
access-list 90 permit any

Adding an ACL to Signatures Example

After further investigation, the security administrator discovers that the false positives for signatures 2345 and 3456 are caused by specific applications on hosts 10.4.1.1 and 10.4.1.2, as well as by some workstations using DHCP on the 172.16.58.0 subnetwork. Attaching an ACL that denies processing of these hosts stops the creation of false positive alarms, as illustrated in the following example:

ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1

ip audit signature 1234 disable
ip audit signature 2345 list 91
ip audit signature 3456 list 91

ip audit name AUDIT.1 info list 90 action alarm
ip audit name AUDIT.1 attack list 90 action alarm drop reset

interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in

interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in

access-list 90 deny 172.16.59.16
access-list 90 permit any
access-list 91 deny host 10.4.1.1
access-list 91 deny host 10.4.1.2
access-list 91 deny 172.16.58.0 0.0.0.255
access-list 91 permit any

Dual-Tier Signature Response Example

The company has now reorganized and has placed only trusted people on the 172.16.57.0
network. The work done by the employees on this network must not be disrupted by
Cisco IOS Firewall IDS, so attack signatures in the AUDIT.1 audit rule now only alarm on
a match.
For sessions that originate from the outside network, any attack signature match (other
than the false positives that are being filtered out) is dealt with in the following
manner: send an alarm, drop the packet, and reset the TCP session.
This dual-tier signature response is accomplished by configuring two different audit
specifications and applying each to a different Ethernet interface: AUDIT.1 (alarm only)
on e1, the trusted 172.16.57.0 network, and AUDIT.2 (alarm, drop, reset) on e0, which
faces the outside network. This is illustrated in the following example:
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1

ip audit signature 1234 disable


ip audit signature 2345 list 91
ip audit signature 3456 list 91

ip audit name AUDIT.1 info list 90 action alarm


ip audit name AUDIT.1 attack list 90 action alarm
ip audit name AUDIT.2 info action alarm
ip audit name AUDIT.2 attack action alarm drop reset

interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.2 in

interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in

access-list 90 deny host 172.16.59.16


access-list 90 permit any
access-list 91 deny host 10.4.1.1
access-list 91 deny host 10.4.1.2
access-list 91 deny 172.16.58.0 0.0.0.255
access-list 91 permit any
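The three examples above are easy to misread because the access lists attached to `ip audit signature ... list` and `ip audit name ... list` work in reverse of a packet filter: a source that the list denies is exempt from the signature or audit class, not blocked. The script below is an added illustration (not Cisco code) that parses the audit, signature and access-list lines of the dual-tier example into a small model and replays constructed packets through it, so you can check what the router would do for a given interface, source address and signature before you trust the configuration. The outside address 198.51.100.7, the signature IDs 9999/1234/2345/3456 and the "attack"/"info" classes fed to `evaluate()` are constructed inputs; the AUDIT.2 attack rule is written with the `action` keyword that the `ip audit name` syntax requires, and the notify/postoffice lines are left out because they do not affect the decision.

```python
"""Replay Cisco IOS Firewall IDS audit decisions for constructed packets.

Added illustration, not Cisco code. CONFIG holds the audit, signature and
access-list lines of the dual-tier example (notify/postoffice lines omitted);
the packet sources, signature IDs and signature classes fed to evaluate()
are constructed inputs.
"""
import ipaddress
from dataclasses import dataclass

CONFIG = """
ip audit signature 1234 disable
ip audit signature 2345 list 91
ip audit signature 3456 list 91
ip audit name AUDIT.1 info list 90 action alarm
ip audit name AUDIT.1 attack list 90 action alarm
ip audit name AUDIT.2 info action alarm
ip audit name AUDIT.2 attack action alarm drop reset
interface e0
 ip audit AUDIT.2 in
interface e1
 ip audit AUDIT.1 in
access-list 90 deny host 172.16.59.16
access-list 90 permit any
access-list 91 deny host 10.4.1.1
access-list 91 deny host 10.4.1.2
access-list 91 deny 172.16.58.0 0.0.0.255
access-list 91 permit any
"""


def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class AclEntry:
    permit: bool
    address: int
    wildcard: int  # IOS wildcard mask: 1 bits are "don't care"

    def matches(self, src):
        care = ~self.wildcard & 0xFFFFFFFF
        return (src & care) == (self.address & care)


def parse_acl_entry(parts):
    """parts follows the ACL number, e.g. ['deny', 'host', '10.4.1.1']."""
    permit, target = parts[0] == "permit", parts[1:]
    if target == ["any"]:
        return AclEntry(permit, 0, 0xFFFFFFFF)
    if target[0] == "host":
        return AclEntry(permit, ip_to_int(target[1]), 0)
    wildcard = ip_to_int(target[1]) if len(target) > 1 else 0  # bare address = one host
    return AclEntry(permit, ip_to_int(target[0]), wildcard)


def parse_config(text):
    cfg = {"disabled": set(), "sig_acl": {}, "rules": {}, "acls": {}, "interfaces": {}}
    current_if = None
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "interface":
            current_if = p[1]
        elif p[0] == "access-list":
            cfg["acls"].setdefault(int(p[1]), []).append(parse_acl_entry(p[2:]))
        elif p[:3] == ["ip", "audit", "signature"]:
            if p[4] == "disable":
                cfg["disabled"].add(int(p[3]))
            else:  # "list <acl>"
                cfg["sig_acl"][int(p[3])] = int(p[5])
        elif p[:3] == ["ip", "audit", "name"]:
            name, sig_class, rest = p[3], p[4], p[5:]
            acl = None
            if rest[:1] == ["list"]:
                acl, rest = int(rest[1]), rest[2:]
            cfg["rules"].setdefault(name, {})[sig_class] = (acl, frozenset(rest[1:]))
        elif p[:2] == ["ip", "audit"] and current_if and p[-1] in ("in", "out"):
            cfg["interfaces"][(current_if, p[-1])] = p[2]
    return cfg


def acl_permits(cfg, number, src):
    """First matching entry wins; unmatched sources hit the implicit deny."""
    for entry in cfg["acls"].get(number, []):
        if entry.matches(src):
            return entry.permit
    return False


def evaluate(cfg, interface, direction, src_ip, sig_id, sig_class):
    """Actions IOS takes for a signature match, or None if it is not audited.

    Note the inverted ACL semantics: a source DENIED by a signature list or an
    audit-rule list is exempt from that signature or audit class, not blocked.
    """
    src = ip_to_int(src_ip)
    rule = cfg["interfaces"].get((interface, direction))
    if rule is None or sig_id in cfg["disabled"]:
        return None
    sig_acl = cfg["sig_acl"].get(sig_id)
    if sig_acl is not None and not acl_permits(cfg, sig_acl, src):
        return None
    spec = cfg["rules"].get(rule, {}).get(sig_class)
    if spec is None:
        return None
    rule_acl, actions = spec
    if rule_acl is not None and not acl_permits(cfg, rule_acl, src):
        return None
    return set(actions)


CFG = parse_config(CONFIG)

if __name__ == "__main__":
    # 198.51.100.7 is a constructed outside address from the documentation range
    for probe in [("e0", "198.51.100.7", 9999, "attack"), ("e1", "172.16.57.20", 9999, "attack"),
                  ("e0", "10.4.1.1", 2345, "attack"), ("e0", "10.4.1.1", 9999, "attack"),
                  ("e1", "172.16.59.16", 9999, "info"), ("e0", "198.51.100.7", 1234, "attack")]:
        print(probe, "->", evaluate(CFG, probe[0], "in", *probe[1:]))
```

Two points the replay makes visible: the ACL 91 exemption for 10.4.1.1 applies only to signatures 2345 and 3456, so a genuine attack signature from that host on e0 still gets alarm, drop and reset; and 172.16.59.16, denied by ACL 90, is not audited at all on e1 for either class. On the router itself, `show ip audit configuration` and `show ip audit interfaces` confirm which audit rule is applied to which interface, and `show ip audit statistics` shows whether a signature is still firing after the exclusion is in place.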


5.4 Configuring Snort

Snort is an open source network intrusion detection system (NIDS) created by Martin
Roesch. Snort is a packet sniffer that monitors network traffic in real time, scrutinizing
each packet closely to detect a dangerous payload or suspicious anomalies. There are two
types of IDSs, host-based and network-based; Snort is a network-based IDS.

This network intrusion detection and prevention system works through traffic analysis
and packet logging on IP networks. Through protocol analysis, content searching, and
various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts,
port scans, and other suspicious behaviour. Snort uses a flexible rule-based language to
describe traffic that it should collect or pass, and a modular detection engine.

Snort can be run in four modes:
- sniffer mode: Snort reads the network traffic and prints the packets to the screen.
- packet logger mode: Snort records the network traffic to a file.
- IDS mode: network traffic matching the security rules is recorded (the mode used in
  this tutorial).
- IPS mode: also known as snort-inline (IPS = intrusion prevention system).

Another tool is needed to display the logs generated by the Snort IDS and sent to the
database. This tool is BASE (Basic Analysis and Security Engine). It is in fact a PHP
script displaying alerts on a web interface.

Snort can be downloaded from http://www.snort.org/dl/. In order to install and configure
Snort, access the Snort Manual available at http://manual.snort.org/.


5.5. Configuring Suricata


The Suricata Engine is an Open Source Next Generation Intrusion Detection and
Prevention Engine. More about Suricata at suricata-ids.org.

IDS/IPS Development and features

Suricata is a rule-based ID/PS engine that utilises externally developed rule sets to
monitor network traffic and provide alerts to the system administrator when suspicious
events occur. Designed to be compatible with existing network security components,
Suricata features unified output functionality and pluggable library options to accept
calls from other applications. The initial release of Suricata runs on a Linux 2.6
platform that supports inline and passive traffic monitoring configuration capable of
handling multiple gigabit traffic levels. Linux 2.4 is supported with reduced
configuration functionality, such as no inline option. Available under Version 2 of the
General Public License, Suricata eliminates the ID/PS engine cost concerns while
providing a scalable option for the most complex network security architectures.

In order to install and use Suricata please follow
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation

Multi-threading

As a multi-threaded engine, Suricata offers increased speed and efficiency in network
traffic analysis. In addition to hardware acceleration (with hardware and network card
limitations), the engine is built to utilise the increased processing power offered by
the latest multi-core CPU chip sets. Suricata is developed for ease of implementation
and accompanied by step-by-step getting started documentation and a user manual.

The goal of the Suricata Project Phase 1 was to have a distributable and functional
ID/PS engine. The initial beta release was made available for download on January 1,
2010. The engine supports or provides the following functionality: the latest Snort VRT
rule set, Snort logging, rule language options, multi-threading, hardware acceleration
(with hardware and network card dependencies/limitations), unified output enabling
interaction with external log management systems, IPv6, rule-based IP reputation,
library plug-ability for interaction with other applications, performance statistics
output, and a simple and effective getting started user manual. By engaging the open
source community and the leading ID/PS rule set resources available, OISF has built the
Suricata engine to simplify the process of maintaining optimum security levels. Through
strategic partnerships, OISF is leveraging the expertise of Emerging Threats
(www.emergingthreats.net) and other prominent resources in the industry to provide the
most current and comprehensive rule sets available.

The HTP Library is an HTTP normaliser and parser written by Ivan Ristic of ModSecurity
fame for the OISF. This integrates and provides very advanced processing of HTTP streams
for Suricata. The HTP library is required by the engine, but may also be used
independently in a range of applications and tools.
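Both the Snort section and the Suricata section above rest on the same rule language: a one-line header (action, protocol, source, source port, direction, destination, destination port) followed by a parenthesised, semicolon-separated option list. The script below is an added example, not code from the Snort or Suricata projects: it parses rules in that syntax and lints a set for the mistakes that most often break a reload or leave an alert untraceable, namely a duplicate `sid`, a missing `msg`, `sid` or `rev`, or an unknown action. The rules in `SAMPLE_RULES` are constructed for this example (sids in the 1000000+ range are the conventional local range); the tokenizer deliberately treats a `;` inside a double-quoted `msg` or `content` value as data, which a naive `split(";")` gets wrong.

```python
"""Parse Snort/Suricata rules and lint them before loading.

Added illustration, not code from the Snort or Suricata projects.
SAMPLE_RULES is constructed for this example.
"""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<body>.*)\)\s*$",
    re.S,
)
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: list   # (keyword, value or None) in the order written
    raw: str

    def option(self, keyword):
        for key, value in self.options:
            if key == keyword:
                return value
        return None


def split_options(body):
    """Split the option body on ';' but never inside double quotes (msg/content/pcre)."""
    tokens, current, quoted, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if quoted and ch == "\\" and i + 1 < len(body):  # keep escapes such as \" or \;
            current.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            tokens.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    tokens.append("".join(current))
    return [t.strip() for t in tokens if t.strip()]


def parse_option(token):
    """'msg:"x"' -> ('msg', 'x'); a bare modifier such as 'nocase' -> ('nocase', None)."""
    keyword, sep, value = token.partition(":")
    if not sep:
        return keyword.strip(), None
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return keyword.strip(), value


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = HEADER_RE.match(line)
        if not match:
            raise ValueError(f"unparseable rule header: {line[:60]}")
        fields = match.groupdict()
        body = fields.pop("body")
        rules.append(Rule(options=[parse_option(t) for t in split_options(body)], raw=line, **fields))
    return rules


def lint(rules):
    """Return human-readable problems; an empty list means the set is safe to load."""
    problems, seen = [], {}
    for rule in rules:
        sid = rule.option("sid")
        label = f"sid:{sid}" if sid else f"rule '{rule.raw[:40]}'"
        if rule.action not in ACTIONS:
            problems.append(f"{label}: unknown action {rule.action!r}")
        for key in ("msg", "sid", "rev"):
            if rule.option(key) is None:
                problems.append(f"{label}: missing {key}")
        if sid is not None:
            if not sid.isdigit():
                problems.append(f"{label}: sid is not numeric")
            elif sid in seen:
                problems.append(f"{label}: duplicate sid, first used by '{seen[sid]}'")
            else:
                seen[sid] = rule.option("msg")
    return problems


SAMPLE_RULES = r'''
# constructed rules for this example, not from any vendor feed
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH banner from outside"; flow:to_server,established; content:"SSH-"; depth:4; threshold:type both,track by_src,count 5,seconds 60; classtype:attempted-admin; sid:1000001; rev:2;)
alert tcp any any -> $HOME_NET 80 (msg:"cmd= param in URI; semicolons in quotes are data"; flow:to_server,established; content:"cmd=|3b|"; nocase; http_uri; sid:1000002; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"Oversized DNS query"; dsize:>512; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"Echo request, rev forgotten"; itype:8; sid:1000003;)
'''

if __name__ == "__main__":
    for problem in lint(parse_rules(SAMPLE_RULES)):
        print(problem)
```

Run against the sample set, the linter reports the reused sid 1000002 (the DNS rule silently shadowing the web rule is exactly the kind of error that only shows up as a confusing alert later) and the missing `rev` on sid 1000003. The same check is worth running on locally written rules before they go into `snort.conf` or `suricata.yaml`, since both engines will refuse a duplicate sid at load time.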


UNIT VI
IPS Configuration

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
6.1 Understanding IPS Network Sensing
6.2 Overview of IPS Configuration


LESSON PLAN

Outcomes | Performance Measures | Ensuring Duration (Hrs) | Work Environment / Lab Requirement

To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies,
procedures and guidelines
  Performance Measures: Peer group, Faculty group and Industry experts.
  Duration: 2 hr in class presentations
  Work Environment / Lab Requirement:
   PCs/Tablets/Laptops
   Projection facilities

You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and
how to use these
KB1. fundamentals of information security and how to apply these, including:
  • networks
  • communication
  • application security
  Performance Measures: KA4, KA5. Peer group, Faculty group and Industry experts.
  KB1 - KB4: Research and Learning. Group and Faculty evaluation based on anticipated
  outcomes. Reward points to be allocated to groups.
  Duration: 2 Hrs classroom assessment and 10 Hrs offline
  Work Environment / Lab Requirement:
   PCs/Tablets/Laptops
   Labs availability (24/7)
   Internet with WiFi (Min 2 Mbps Dedicated)
   Access to all security sites like ISO, PCI DSS, Center for Internet Security


Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research various types of attacks and
collect examples of each type of malware (virus, Trojan, worm, and others). The group that
gets the maximum number of correct examples will get a prize.

Activity 2:

Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.


Training Resource Material

Cisco Intrusion Prevention System (IPS)

Sensors are network devices that perform real-time monitoring of network traffic for
suspicious activities and active network attacks. The IPS sensor analyses network packets
and flows to determine whether their contents appear to indicate an attack against your
network.

6.1 Understanding IPS Network Sensing

Network sensing can be accomplished using Cisco IPS sensors (appliances, switch modules,
network modules, and SSMs) and Cisco IOS IPS devices (Cisco IOS routers with IPS-enabled
images and Cisco ISRs). These sensing platforms are components of the Cisco Intrusion
Prevention System and can be managed and configured through Cisco Security Manager.
These sensing platforms monitor and analyse network traffic in real time. They do this by
looking for anomalies and misuse on the basis of network flow validation, an extensive
embedded signature library, and anomaly detection engines. However, these platforms
differ in how they can respond to perceived intrusions.

Cisco IPS sensors and Cisco IOS IPS devices are often referred to collectively as IPS
devices or simply sensors. However, Cisco IOS IPS does not run the full dedicated IPS
software, and its configuration does not include IPS device-specific policies.
Additionally, the amount of sensing that you can perform with Cisco IOS IPS is more
limited. The following sections focus on using dedicated IPS devices, including service
modules installed in IOS routers, rather than Cisco IOS IPS.

When an IPS device detects unauthorized network activity, it can terminate the
connection, permanently block the associated host, and take other actions.

This section contains the following topics:

 Capturing Network Traffic
 Correctly Deploying the Sensor
 Tuning the IPS

Capturing Network Traffic

The sensor can operate in either promiscuous or inline mode. The following illustration
shows how you can deploy a combination of sensors operating in both inline (IPS) and
promiscuous (IDS) modes to protect your network.


Figure 1: Comprehensive IPS Deployment Solutions

The command and control interface is always Ethernet. This interface has an assigned IP
address, which allows it to communicate with the manager workstation or network devices
(Cisco switches, routers, and firewalls). Because this interface is visible on the
network, you should use encryption to maintain data privacy. SSH is used to protect the
CLI and TLS/SSL is used to protect the manager workstation. SSH and TLS/SSL are enabled
by default on the manager workstations.

When responding to attacks, the sensor can do the following:

 Insert TCP resets via the sensing interface. You should select the TCP reset action
  only on signatures associated with a TCP-based service. If selected as an action on
  non-TCP-based services, no action is taken. Additionally, TCP resets are not
  guaranteed to tear down an offending session because of limitations in the TCP
  protocol.
 Make ACL changes on switches, routers, and firewalls that the sensor manages. ACLs may
  block only future traffic, not current traffic.
 Generate IP session logs, session replay, and trigger packet display. IP session logs
  are used to gather information about unauthorized use. IP log files are written when
  events occur that you have configured the appliance to look for.
 Implement multiple packet drop actions to stop worms and viruses.

Correctly Deploying the Sensor

Before you deploy and configure your sensors, you should understand the following about
your network:

 The size and complexity of your network.
 Connections between your network and other networks, including the Internet.
 The amount and type of traffic on your network.

This knowledge will help you determine how many sensors are required, the hardware
configuration for each sensor (for example, the size and type of network interface
cards), and how many managers are needed.

You should always position the IPS sensor behind a perimeter-filtering device, such as a
firewall or adaptive security appliance. The perimeter device filters traffic to match
your security policy, thus allowing acceptable traffic into your network. Correct
placement significantly reduces the number of alerts, which increases the amount of
actionable data you can use to investigate security violations. If you position the IPS
sensor on the edge of your network in front of a firewall, your sensor will produce
alerts on every single scan and attempted attack even if they have no significance to
your network implementation. You will receive hundreds, thousands, or even millions of
alerts (in a large enterprise environment) that are not really critical or actionable in
your environment. Analysing this type of data is time consuming and costly.

Tuning the IPS

Tuning the IPS ensures that the alerts you see reflect true actionable information.
Without tuning the IPS, it is difficult to do security research or forensics on your
network because you will have thousands of benign events, also known as false positives.
False positives are a by-product of all IPS devices, but they occur much less frequently
in Cisco IPS devices because Cisco IPS devices are stateful, normalized, and use
vulnerability signatures for attack evaluation. Cisco IPS devices also provide risk
rating, which identifies high risk events, and policy-based management, which lets you
deploy rules to enforce IPS signature actions based on risk rating.

Follow these tips when tuning your IPS sensors:

 Place your sensor on your network behind a perimeter-filtering device. Proper sensor
  placement can reduce the number of alerts you need to examine by several thousand a
  day.
 Deploy the sensor with the default signatures in place. The default signature set
  provides you with a very high security protection posture. The Cisco signature team
  has spent many hours on testing the defaults to give your sensor the highest
  protection. If you think that you have lost these defaults, you can restore them.
 Make sure that the event action override is set to drop packets with a risk rating
  greater than 90. This is the default and ensures that high risk alerts are stopped
  immediately.
 Filter out known false positives caused by specialized software, such as vulnerability
  scanners and load balancers, by one of the following methods:
   – You can configure the sensor to ignore the alerts from the IP addresses of the
     scanner and load balancer.
   – You can configure the sensor to allow these alerts and then use Event Viewer to
     filter out the false positives.
  Keep such exemptions as narrow as possible (an exact host rather than a subnet, and
  specific signatures where you can): an attacker who can source traffic from the
  scanner's address inherits the exemption.
 Filter the Informational alerts. These low priority event notifications could indicate
  that another device is doing reconnaissance on a device protected by the IPS. Research
  the source IP addresses from these Informational alerts to determine what the source
  is.
 Analyze the remaining actionable alerts:
   – Research the alert.
   – Fix the attack source.
   – Fix the destination host.
   – Modify the IPS policy to provide more information.
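The tuning tips above (keep the default override that drops packets above risk rating 90, exempt the scanner and load balancer addresses, leave the signature defaults alone) are all expressed through two mechanisms on a Cisco IPS sensor: event action overrides, which add actions to every alert whose risk rating falls in a range, and event action filters, which subtract actions from alerts that match an attacker address, signature ID or risk-rating range. The same override mechanism is what the "easy way" in Step 4 of the SNMP procedure later in this unit uses to attach Request SNMP Trap to high-risk alerts. The script below is an added model of that pipeline, not Cisco code: it applies a signature's own actions, then the overrides, then the filters, and finally drops a TCP reset from any non-TCP alert, since the text notes the sensor takes no action for a reset on a non-TCP signature. The action names are written in lower case for readability, the override ranges are modelled as inclusive, and the scanner address 10.20.30.40, the load-balancer subnet 10.20.31.0/24, the signature IDs and the alerts are all constructed.

```python
"""Model of the Cisco IPS event-action pipeline used for tuning.

Added illustration, not Cisco code. Order modelled: a signature's own actions,
then event action overrides (ADD by risk rating), then event action filters
(REMOVE for matching attackers/signatures). Action names, addresses, signature
IDs and alerts are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

ALL_ACTIONS = frozenset({"produce-alert", "deny-packet-inline", "deny-attacker-inline",
                         "reset-tcp-connection", "request-snmp-trap", "log-attacker-packets"})


@dataclass
class Alert:
    sig_id: int
    risk_rating: int        # 0..100 as computed by the sensor
    attacker: str
    protocol: str           # "tcp", "udp" or "icmp"
    actions: set            # the signature's configured actions


@dataclass(frozen=True)
class Override:
    """Adds actions to every alert whose risk rating lies in [rr_min, rr_max]."""
    rr_min: int
    rr_max: int
    add: frozenset


@dataclass(frozen=True)
class Filter:
    """Subtracts actions from alerts that satisfy every listed condition."""
    name: str
    subtract: frozenset
    attackers: tuple = ()       # CIDR strings; empty means any attacker
    sig_ids: tuple = ()         # empty means any signature
    rr_min: int = 0
    rr_max: int = 100
    stop_on_match: bool = False

    def matches(self, alert):
        if self.sig_ids and alert.sig_id not in self.sig_ids:
            return False
        if not self.rr_min <= alert.risk_rating <= self.rr_max:
            return False
        if self.attackers:
            src = ipaddress.ip_address(alert.attacker)
            if not any(src in ipaddress.ip_network(net) for net in self.attackers):
                return False
        return True


def process_alert(alert, overrides, filters):
    """Return the set of actions the sensor would actually take for this alert."""
    actions = set(alert.actions)
    for override in overrides:
        if override.rr_min <= alert.risk_rating <= override.rr_max:
            actions |= override.add
    for flt in filters:
        if flt.matches(alert):
            actions -= flt.subtract
            if flt.stop_on_match:
                break
    if alert.protocol != "tcp":
        # A TCP reset on a non-TCP signature is silently not performed by the sensor.
        actions.discard("reset-tcp-connection")
    return actions


OVERRIDES = [
    Override(90, 100, frozenset({"deny-packet-inline"})),   # the default the tuning tips say to keep
    Override(85, 100, frozenset({"request-snmp-trap"})),    # trap every high-risk alert to the NMS
]
FILTERS = [
    # constructed addresses for a vulnerability scanner and a load balancer's health checks
    Filter("vuln-scanner", ALL_ACTIONS, attackers=("10.20.30.40/32",), stop_on_match=True),
    Filter("lb-health-checks", ALL_ACTIONS, attackers=("10.20.31.0/24",), sig_ids=(2100, 2101)),
]


def sample_alerts():
    """Constructed alerts; signature IDs are placeholders, not real Cisco IDs."""
    return {
        "worm_from_outside": Alert(5000, 95, "203.0.113.9", "tcp", {"produce-alert"}),
        "worm_sig_from_scanner": Alert(5000, 95, "10.20.30.40", "tcp", {"produce-alert"}),
        "lb_probe": Alert(2100, 60, "10.20.31.7", "tcp", {"produce-alert"}),
        "lb_host_real_attack": Alert(5000, 95, "10.20.31.7", "tcp", {"produce-alert"}),
        "udp_with_reset": Alert(6000, 88, "203.0.113.9", "udp",
                                {"produce-alert", "reset-tcp-connection"}),
    }


if __name__ == "__main__":
    for name, alert in sample_alerts().items():
        taken = sorted(process_alert(alert, OVERRIDES, FILTERS))
        print(f"{name:24} RR={alert.risk_rating:3} -> {taken}")
```

The cases worth noting are the two from the load-balancer subnet: the health-check signature is silenced, but the same host triggering an unrelated high-risk signature still gets packet denial and a trap because the filter is scoped to signature IDs rather than to the whole subnet. That is the narrow-exemption discipline the tuning tips call for, and it is why a filter keyed only on an address should be reserved for hosts whose traffic you can fully account for.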


6.2 Overview of IPS Configuration


There are a wide variety of devices on which you can configure the Intrusion Prevention
System. From a configuration point of view, you can separate the devices into two groups:
dedicated appliances and service modules (for routers, switches, and ASA devices) that
run the full IPS software; and IPS-enabled routers running Cisco IOS Software 12.4(11)T
and later (Cisco IOS IPS). The following procedure is an overview of IPS configuration on
dedicated appliances and service modules.

Step 1. Install and connect the device to your network. Install the device software and
perform basic device configuration. Install the licenses required for all of the
services running on the device. The amount of initial configuration that you perform
influences what you will need to configure in Security Manager.
Follow the instructions in the Installing Cisco Intrusion Prevention System Appliances
and Modules document for the IPS version you are using.

Step 2. Add the device to the Security Manager device inventory. You can discover router
and Catalyst switch modules when adding the device in which the module is installed. For
ASA devices, you must add the service module separately.

Step 3. Configure the interfaces as described in Configuring Interfaces. You must enable
the interfaces connected to your network for the device to function.
For certain types of service module, there are additional policies to configure:
 Router-hosted service modules—Configure the IPS Module interface settings policy on
  the router.
 IDSM—Configure the IDSM Settings Catalyst platform policy.
 IPS modules on ASA devices—Configure the Platform > Service Policy Rules > IPS, QoS,
  and Connection Rules policy on the host ASA to specify the traffic that should be
  inspected.

Step 4. Use the Virtual Sensors policy to assign interfaces to the virtual sensors,
including the base vs0 virtual sensor that exists for all IPS devices.
If the device supports it, and you have a need for it, you can also create user-defined
virtual sensors so that a single device acts like multiple sensors. Most of the IPS
configuration is done on the parent device, but you can configure unique settings per
virtual sensor for signatures, anomaly detection, and event actions.

Step 5. Configure basic device access platform policies. These policies determine who
can log into the device:
 AAA—Configure this policy if you want to use a RADIUS server to control access to the
  device. You can use AAA control in conjunction with local user accounts defined in the
  User Accounts policy.
 Allowed Hosts—The addresses of hosts that are allowed access. Ensure that the
  Security Manager server is included as an allowed host, or you cannot configure the
  device using Security Manager.
 SNMP—Configure this policy if you want to use an SNMP application to manage the
  device.
 Password Requirements—You can define the acceptable characteristics of a user
  password.
 User Accounts—The user accounts defined on the device.

Step 6. Configure basic server access platform policies. These policies identify the
servers to which the device can connect:
 External Product Interface—If you use Management Center for Cisco Security Agents,
  configure this policy to allow the sensor to download host postures from the
  application.
 NTP—Configure this policy if you want to use a Network Time Protocol server to
  control the device time.
 DNS, HTTP Proxy—The DNS and HTTP Proxy policies are required only if you configure
  global correlation. They identify a server that can resolve DNS names to IP
  addresses. Use the HTTP Proxy policy if your network requires the use of a proxy to
  make Internet connections; otherwise, use the DNS policy.

Step 7. Configure the Logging policy if you want non-default logging.

Step 8. Configure IPS signatures and event actions. Event action policies are easier to
configure than creating custom signatures, so try to use event action filters and
overrides to modify signature behaviour before trying to edit specific signatures.

Step 9. If you use any of the Request Block or Request Rate Limit event actions,
configure blocking or rate limiting hosts.

Step 10. Configure other desired advanced IPS services.

Step 11. Maintain the device:
 Update and redeploy configurations as necessary.
 Apply updated signature and engine packages.
 Manage the device licenses. You can update and redeploy licenses, or automate license
  updates.
 Manage the certificates required for SSL (HTTPS) communication. These certificates
  expire, so you need to regenerate them approximately every 2 years.

Step 12. Monitor the device:
 Use the Event Viewer application to view alerts generated from the device. You can
  open Event Viewer from the Launch menu in Configuration Manager or Report Manager, or
  from the Windows Start menu.
 Use the Report Manager application to generate reports on IPS usage, including
  comparisons of inline vs. promiscuous mode, and global correlation vs. traditional
  inspection. You can also analyze top attackers, victims, signatures, blocked
  signatures, and perform target analysis.


Identifying Allowed Hosts


Use the Allowed Hosts policy to identify which hosts or networks have permission to access
the IPS sensor. By default, no hosts are permitted to access a sensor, so you must add
hosts or networks to this policy.

Specifically, you must add either the IP address of the Security Manager server or its
network address, or Security Manager cannot configure the device. Also add the addresses
of all other management hosts that you use, such as CS-MARS.

If you add host addresses only, you will be limited to using those workstations to access
the device. Instead, you can specify network addresses to allow all hosts connected to
specific "safe" networks access. Prefer the narrowest entry that still covers your
management hosts: a network entry admits every host on that network, including any that
is later compromised, to the sensor's management interface.

Step 1 Do one of the following to open the Allowed Hosts policy:
 (Device view) Select Platform > Device Admin > Device Access > Allowed Hosts from the
  Policy selector.
 (Policy view) Select IPS > Platform > Device Admin > Allowed Hosts, then select an
  existing policy or create a new one.

Step 2 Do one of the following:
 To add an entry, click the Add Row button and fill in the Access List dialog box. You
  can add up to 512 entries.
 To edit an entry, select it and click the Edit Row button.
 To delete an entry, select it and click the Delete Row button.

Step 3 When adding or editing an entry, specify the host or network address in the Add or
Modify Access List dialog box, then click OK. You can enter addresses using the following
formats:
 Host address—A simple IP address, such as 10.100.10.10.
 Network address—A network address and mask, such as 10.100.10.0/24 or
  10.100.10.0/255.255.255.0.
 A network/host policy object—Click Select to select an existing object or to create a
  new one. To use the object in this policy, it must have a single value, either a
  single network or a single host.


Configuring SNMP
SNMP is an application layer protocol that facilitates the exchange of management
information between network devices. SNMP enables network administrators to manage
network performance, find and solve network problems, and plan for network growth.

SNMP is a simple request/response protocol. The network-management system issues a
request, and managed devices return responses. This behaviour is implemented by using one
of four protocol operations: Get, Get Next, Set, and Trap.

You can configure the sensor for monitoring by SNMP. SNMP defines a standard way for
network management stations to monitor the health and status of many types of devices,
including switches, routers, and sensors.

You can configure the sensor to send SNMP traps. SNMP traps enable an agent to notify the
management station of significant events by way of an unsolicited SNMP message.

Trap-directed notification has the following advantage: if a manager is responsible for a
large number of devices, and each device has a large number of objects, it is impractical
to poll or request information from every object on every device. The solution is for
each agent on the managed device to notify the manager without solicitation. It does this
by sending a message known as a trap of the event.

After receiving the event, the manager displays it and can take an action based on the
event. For example, the manager can poll the agent directly, or poll other associated
device agents to get a better understanding of the event.

Trap-directed notification results in substantial savings of network and agent resources
by eliminating frivolous SNMP requests. However, it is not possible to totally eliminate
SNMP polling. SNMP requests are required for discovery and topology changes. In addition,
a managed device agent cannot send a trap if the device has had a catastrophic outage.

Keep in mind that SNMP community strings are passwords that travel in cleartext in
SNMPv1/v2c requests and traps, and that the read-write string permits configuration
changes. Use distinct, non-default strings, leave Gets/Sets disabled unless the
management station actually needs them, and rely on the Allowed Hosts policy (Step 5
below) to limit which stations can reach the agent at all.

This procedure describes how to configure SNMP on an IPS sensor so that you can manage
the sensor with an SNMP management station, including the configuration of traps.

Step 1 Do one of the following to open the SNMP policy:
 (Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy
  selector.
 (Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select
  an existing policy or create a new one.

Step 2 On the General Configuration tab, configure at least the following options.
 Enable SNMP Gets/Sets —Select this option to enable the SNMP management workstation
  to obtain (get) information, and to modify (set) values on the IPS sensor. If you do
  not enable this option, the management workstation cannot manage this sensor.
 Read-Only Community String —The community string required for read-only access to
  the sensor. SNMP get requests from the management station must supply this string to
  get responses from the sensor. This string gives access to all SNMP get requests.
 Read-Write Community String —The community string required for read-write access to
  the sensor. SNMP set requests from the management station must supply this string to
  get responses from the sensor; it can also be used on get requests. This string gives
  access to all SNMP get and set requests.

Step 3 If you want to configure SNMP traps, click the SNMP Trap Configuration tab and
configure at least the following options.
 Enable Notifications —Select this option to allow the sensor to send SNMP traps.
 Trap Destinations —Add the SNMP management stations that should be trap
  destinations. Click the Add Row (+) button to add a new destination, or select a
  destination and click the Edit Row (pencil) button to change its configuration.
  When adding or editing a trap destination, the trap community string that you enter
  overrides the default community string entered on the SNMP Trap Configuration tab.
  The community string appears in the traps sent to this destination and is useful if
  you are receiving multiple types of traps from multiple agents. For example, a router
  or sensor could be sending the traps, and if you put something that identifies the
  router or sensor specifically in your community string, you can filter the traps
  based on the community string.
  To remove a destination, select it and click the Delete Row (trash can) button.

Step 4 If you configure trap destinations, you must also ensure that the desired alerts
include the Request SNMP Trap action. You have the following options for adding this
action:
 (Easy way.) Create an event action override to add the Request SNMP Trap action to
  all alerts of a specified risk rating (IPS > Event Actions > Event Action Overrides
  policy). For example, you could generate traps for all alerts with a risk rating
  between 85-100. Event action overrides let you add an action without individually
  editing each signature.
 (Precise way.) Edit the Signatures policy (IPS > Signatures > Signatures) to add the
  Request SNMP Trap action to the signatures for which you want to send trap
  notifications. Traps are sent only for signatures that you configure to send traps.
  If the signature has Default for the source, you have to change the source to the
  Local source before you can change the action. However, if you right-click the Action
  cell in the signatures table and select Edit Actions, then select Request SNMP Trap
  (along with any other desired action) and click OK, the source is automatically
  changed to Local.

Step 5 Add the SNMP management stations to the Allowed Hosts policy. The management
stations must be allowed hosts to access the sensor.


General SNMP Configuration Options


Use the General Configuration tab on the SNMP page to configure general SNMP parameters
and apply them to IPS sensors.
Table 1: General Configuration Tab, SNMP Policy for IPS Sensors

Navigation Path

 (Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy
selector. Select the General Configuration tab.

 (Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select an
existing policy or create a new one. Select the General Configuration tab.

Field Reference

Element: Description

Enable SNMP Gets/Sets: Whether to enable the SNMP management workstation to obtain (get)
information, and modify (set) values on the IPS sensor. If you do not enable this option,
the management workstation cannot manage this sensor; the sensor will not respond to SNMP
requests.

Read-Only Community String: The community string required for read-only access to the
sensor. SNMP get requests from the management station must supply this string to get
responses from the sensor. This string gives access to all SNMP get requests. Use the
string to help identify the sensor.

Read-Write Community String: The community string required for read-write access to the
sensor. SNMP set requests from the management station must supply this string to get
responses from the sensor; it can also be used on get requests. This string gives access
to all SNMP get and set requests. Use the string to help identify the sensor.

Sensor Contact: The network administrator or contact point who is responsible for this
sensor.

Sensor Location: The physical location of the sensor, such as building address, name, and
room number.

Sensor Agent Port: The port to use for SNMP get/set communication with the sensor. The
default is 161. The valid range is 1 to 65535. Enter a port number or the name of a port
list object, or click Select to select a port list object from a list or to create a new
object. The port list object must identify a single port.

SNMP Agent Protocol: The protocol you are using for SNMP, either UDP (the default) or TCP.
Select the protocol used by your SNMP management station.


SNMP Trap Configuration Tab


Use the SNMP Trap Configuration tab on the SNMP page to configure traps and apply them to
sensors, and to identify the recipients that the traps should be sent to.
Table 2: SNMP Trap Configuration Tab, SNMP Policy for IPS Sensors

Navigation Path

 (Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy
selector. Select the SNMP Trap Configuration tab.

 (Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select an
existing policy or create a new one. Select the SNMP Trap Configuration tab.

Field Reference

Element Description
Enable Whether to enable the sensor to send trap notifications to the trap destinations
Notifications whenever a specific type of event occurs in a sensor. If you do not select this
option, the sensor does not send traps.
Tip To have the sensor send SNMP traps, you must also select Request SNMP Trap as
the event action when you configure signatures. Traps are sent only for
signatures that you configure to send traps.
Error Filter The type of events that will generate SNMP traps based on the severity of the
event: fatal, error, or warning. Select all severities that you want; use Ctrl+click
to select multiple values.
The sensor sends notifications of events of the selected severities only.
Enable Detail Whether to include the full text of the alert in the trap. If you do not select this
Traps option, sparse mode is used. Sparse mode includes less than 484 bytes of text
for the alert.
Default Trap The community string used for the traps if no specific string has been set for the
Community trap destination in the Trap Destinations table.
String
Tip All traps carry a community string. By default, all traps that have a community
string identical to that of the destination are taken by the destination. All other
traps are discarded by the destination. However, you can configure the
destination to determine which trap strings to accept.
Trap Destinations The SNMP management stations that will be sent trap notifications. The table
table shows the IP address of the management station, the community string added
to traps from this sensor, and the port to which traps are sent.
 To add a destination, click the Add Row button and fill in the Add SNMP
Trap Communication dialog box
 To edit a destination, select it, click the Edit Row button and make your
changes.
 To delete a destination, select it and click the Delete Row button.


SNMP Trap Communication Dialog Box


Use the Add or Modify SNMP Trap Communication dialog box to configure SNMP trap destinations. These are the SNMP management stations that should receive traps from the IPS sensor.

Table 3: SNMP Trap Communication Dialog Box

Navigation Path
Go to the IPS Platform > Device Admin > Device Access > SNMP policy, select the SNMP Trap
Configuration tab, and click the Add Row button beneath the Trap Destinations table, or select a
destination in the table and click the Edit Row button.
Field Reference

Element Description

IP Address
The IP address of the SNMP management station that should receive trap notifications. Enter the IP address or the name of a network/host object, or click Select to select the object from a list or to create a new object. The network/host object must specify a single host IP address.

Trap Community String
The community string of the trap. If you do not enter a trap string, the default trap string defined on the SNMP Trap Communication tab is used for traps sent to this destination.

Trap Port
The port used by the SNMP management station to receive traps. Enter the port number or the name of a port list object, or click Select to select the object from a list or to create a new one. The port list object must identify a single port.

Managing User Accounts and Password Requirements

You can configure user accounts and passwords, and general password requirements, for your IPS devices. You can configure local users (defined directly on the device), use a RADIUS AAA server, or use them both in conjunction. The policies used are the AAA, User Accounts, and Password Requirements policies in the Platform > Device Admin > Device Access folder.

When you create or edit a local user account in Security Manager, the password you enter must satisfy the requirements defined in the Password Requirements policy. This ensures that new passwords meet your security requirements. If you change the password requirements, and then make changes to any local user account, the new requirements must be met by all user accounts that have passwords managed by Security Manager. This is because Security Manager reconfigures the passwords for all managed accounts if any single account needs to be reconfigured.

The User Accounts policy allows you to centrally manage the local user accounts for your IPS devices. Using a shared policy can help you ensure that all IPS devices contain the same accounts with the same passwords. However, it is important to understand that passwords are encrypted, so Security Manager cannot discover the actual passwords defined on the device. Security Manager manages the passwords for an account only if you define that password in Security Manager. Security Manager does not manage any user accounts defined in a RADIUS AAA server.

The following topics describe IPS user accounts, and Security Manager discovery and
deployment considerations, in more detail:

• Understanding IPS User Roles
• Understanding Managed and Unmanaged IPS Passwords
• Understanding How IPS Passwords are Discovered and Deployed
• Configuring IPS User Accounts
• Configuring User Password Requirements
• Configuring AAA Access Control for IPS Devices

Understanding IPS User Roles

There are four user roles for IPS user accounts:

• Viewer —Users can view the device configuration and events, but they cannot modify any configuration data except their user passwords.
• Operator —Users can view everything and they can modify the following options:
  – Signature tuning (priority, disable or enable).
  – Virtual sensor definition.
  – Managed routers.
  – Their user passwords.
• Administrator —Users can view everything and they can modify all options that Operators can modify in addition to the following:
  – Sensor addressing configuration.
  – List of hosts allowed to connect as configuration or viewing agents.
  – Assignment of physical sensing interfaces.
  – Enable or disable control of physical interfaces.
  – Add and delete users and passwords.
  – Generate new SSH host keys and server certificates.
• Service —Only one user with service privileges can exist on a sensor. The service user cannot log in to IDM or IME. The service user logs in to a bash shell rather than the CLI. The service role is a special role that allows you to bypass the CLI if needed.
  The purpose of the Service account is to provide Cisco Technical Support access to troubleshoot unique and unusual problems. It is not needed for normal system configuration and troubleshooting. You should carefully consider whether you want to create a service account. The service account provides shell access to the system, which makes the system vulnerable. However, you can use the service account to create a password if the administrator password is lost. Analyse your situation to decide if you want a service account existing on the system.

Understanding Managed and Unmanaged IPS Passwords

Every IPS local user account has a password, which allows secure user login to the device. These user passwords are encrypted on the IPS device. Thus, when you add an IPS device to the Security Manager inventory, Security Manager cannot read the actual user passwords. Because Security Manager cannot read the password, it is unable to deploy newly-discovered user account passwords to the device. To avoid putting user accounts into a state where the passwords are unknown and unusable, Security Manager marks discovered user account passwords as unmanaged. The status of a password is indicated in the Is Password Managed? column of the Platform > Device Admin > Device Access > User Accounts policy:

• If No is indicated, the password for this account is not configured in Security Manager. When you deploy this policy, Security Manager will not attempt to configure the password for this user account.
• If Yes is indicated, the password for this account was configured or updated in Security Manager. When you deploy this policy, Security Manager reconfigures the passwords for all managed accounts, not just the passwords that changed since the last deployment. Because Security Manager configures even unchanged passwords, all managed passwords must satisfy the password requirements defined in the Password Requirements policy.

Thus, you can have a mix of managed and unmanaged account passwords. For example, you can have a set of shared user accounts that are centrally managed, and manage these account passwords in Security Manager. Other accounts might be unique to individuals; if you never edit these account passwords in Security Manager, the user can manage these passwords individually on the device.

If you do not want to manage any user accounts in Security Manager, ensure that the User Accounts policy is empty, or simply unassign the policy (right-click the policy and select Unassign Policy). Security Manager will not modify user account configurations.

Understanding How IPS Passwords are Discovered and Deployed

Because user passwords are encrypted on IPS devices, Security Manager has to handle them with special care when discovering policies on the device or deploying configurations. When discovering or deploying user accounts on IPS devices, Security Manager does the following:

• Discovery —When you add an IPS device to the inventory, or rediscover policies on it, Security Manager determines the current status of each user account, updates the User Account policy with each discovered username and associated role, and marks the user password as unmanaged.
  You cannot view the account status through Security Manager, because it is dynamic and can change. However, the Discovery Status window displays the status at discovery. Accounts can have these statuses:
  – Active —This state indicates that the account is available for use. Active accounts can be accessed using an authentication token if one has been assigned to the account.
  – Expired —This state indicates that the account’s authentication token has expired and the account cannot be accessed using a token until the token has been updated.
  – Locked —This state indicates that logins to the account have been disabled due to too many failed authentication attempts. You should update the password for these accounts.
• Deployment —You are warned if any deployed user accounts are in the Expired or Locked state. Any unmanaged passwords are not deployed to the device. Also, keep in mind the following points:
  – If you make changes to any user account on the device, all user accounts with managed passwords are reconfigured. If you also changed the Password Requirements policy, all passwords are compared to the new policy and must meet the new requirements.
  – If you change the password of the user account you defined in the device’s properties for Security Manager to use when configuring the device, after successful deployment, Security Manager updates the password in the device properties to the new password. You do not need to manually update the password. To see device properties, select Tools > Device Properties.
    This behaviour assumes that you selected Security Manager Device Credentials for the Connect to Device Using option on the Tools > Security Manager Administration > Device Communication page. If you are using the logged-in user’s credentials for deployment, after successful deployment, the overall deployment is marked as failed, and a message explains how to re-establish connection.
  – If you use out-of-band change detection, changes to passwords are not detected. However, changes to usernames and roles are detected.
  – When previewing configurations, you can see changes to the user accounts by selecting IPS(Delta – User Passwords). However, passwords are masked.
  – If you are rolling back configurations, the user accounts are never rolled back. The current status and configuration of user accounts does not change.

The IPS sensor can accept public keys for RSA authentication when logging into the device through an SSH client. Each user has an associated list of authorized keys. Users can use these keys instead of passwords. Security Manager ignores these keys during discovery and deployment. Thus, if keys are configured, Security Manager does not remove the configuration.

Configuring IPS User Accounts

Use the User Accounts policy to configure local user accounts for IPS devices. Users can use these accounts to log into the device. You can create new users, modify user privileges and passwords, and delete users.

The user accounts policy should have at least these accounts:

• cisco—An account named “cisco” must exist on the device and you cannot delete it.
• An administrator account that Security Manager can use—Security Manager must be able to log into the device to configure it. Typically, you create an account for this purpose. However, you have the option of having Security Manager use the user account of the person deploying configurations to log into the device. You can configure this using the Connect to Device Using option on the Tools > Security Manager Administration > Device Communication page.

• Cisco IOS IPS devices use the same user accounts that are defined for the router. This procedure does not apply to Cisco IOS IPS configurations.
• If you change the password for the user defined in the device properties, which Security Manager uses to deploy configurations to the device, Security Manager uses the existing credentials defined in the device properties to log into the device and deploy changes. After successful deployment, the device properties are then changed to use your new settings.

Step 1 Do one of the following to open the User Accounts policy:

• (Device view) Select Platform > Device Admin > Device Access > User Accounts from the Policy selector.
• (Policy view) Select IPS > Platform > Device Admin > Device Access > User Accounts, then select an existing policy or create a new one.

The policy shows existing user accounts, including the username, role, and whether the password is managed by Security Manager.

Step 2 Do one of the following:

• To add a user account, click the Add Row (+) button. This opens the Add User dialog box. Enter the information required to define the account.
• To edit a user account, select it and click the Edit Row (pencil) button and make the required changes in the Edit User dialog box. You cannot change a user role to or from the Service role.
• To delete a user account, select it and click the Delete Row (trash can) button. You cannot delete the account named cisco.

411
Trainer’s Handbook – Security Analyst SSC/ Q0903

All password changes must meet the requirements of the Password Requirements policy. If you change the requirements policy, all new user accounts, or edited accounts, are tested against the new requirements. Although the passwords for existing unedited user accounts are not tested, they too must meet the password requirements if you change any user account defined in this policy, because Security Manager will deploy all of the accounts during the next configuration deployment. Passwords are checked for conformity when you validate policies, which typically happens when you submit changes to the database.

Add User and Edit User Credentials Dialog Boxes

Use the Add User or Edit User Credentials dialog boxes to add or edit IPS device user accounts.

Table 4: Add or Edit User Dialog Box

Navigation Path

From the IPS platform User Accounts policy, click the Add Row (+) button to create a new account, or select an existing account and click the Edit Row (pencil) button.

Field Reference

Element Description

User Name
The username for the account. The name can be 1 to 64 characters, including uppercase and lowercase letters and numbers, plus the special characters () + :, _ / - ] + $. You cannot change the username when editing an account.

Password, Confirm
The password for this user account. Enter the password in both fields. The password must conform to the Password Requirements policy for IPS devices; see Configuring User Password Requirements.

Role
The role for this user. For an explanation of these roles, see Understanding IPS User Roles. When editing a user account, you cannot select the Service role. When editing an account assigned to the Service role, you cannot change the role.


Configuring User Password Requirements

Use the IPS platform Password Requirements policy to configure the rules for passwords for local IPS device user accounts. All user-created sensor passwords must conform to the requirements defined in this policy. You can configure password requirements for sensors running IPS software version 6.0 or higher.

The requirements you define here determine what is considered an acceptable password in the User Accounts policy. If you change this policy, it can be applied even to unchanged user accounts.

To configure IPS password requirements, select one of the following policies:

• (Device view) Select Platform > Device Admin > Device Access > Password Requirements from the Policy selector.
• (Policy view) Select IPS > Platform > Device Admin > Password Requirements from the Policy Type selector, then select an existing policy or create a new one.

The following table explains the password requirement options that you can configure.

Table 5: Password Requirements Policy


Element Description

Attempt Limit
How many times a user is allowed to try to log into the device before you lock the user account due to excessive failed attempts. The default is 0, which indicates unlimited authentication attempts. For security purposes, you should change this number.

Size Range
The minimum and maximum size allowed for user passwords; separate the minimum and maximum with a hyphen. The range is 6 to 64 characters; the default is 8-64.
Tip If you configure non-zero values for any of the minimum characters options, the minimum size you enter in the Size Range field must be equal to or greater than the sum of those values. For example, you cannot set a minimum password size of eight and also require that passwords must contain at least five lowercase and five uppercase characters.

Minimum Digit Characters
The minimum number of numeric digits that must be in a password.

Minimum Uppercase Characters
The minimum number of uppercase alphabet characters that must be in a password.

Minimum Lowercase Characters
The minimum number of lowercase alphabet characters that must be in a password.

Minimum Other Characters
The minimum number of non-alphanumeric printable characters that must be in a password.

Number of Historical Passwords
The number of historical passwords that you want the sensor to remember for each account. Any attempt to change the password of an account fails if the new password matches any of the remembered passwords. If you specify 0, no previous passwords are remembered.
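The checks in Table 5, together with the rule from the managed-password sections above that every managed password is reconfigured (and therefore re-validated) on deployment, as an added Python example; this is not code from the handbook or from Cisco Security Manager. The field names, the reading of "other" as a printable non-alphanumeric non-whitespace character, and the plaintext comparison of historical passwords are assumptions made for the illustration.

```python
# Added example, not code from the handbook or from Cisco Security Manager.
# It applies the Password Requirements options of Table 5 to candidate
# passwords and to a User Accounts policy before deployment. Assumptions:
# the field names, that "other" means a printable non-alphanumeric
# non-whitespace character, and that passwords are compared in plaintext
# here (a sensor compares against stored encrypted values).
import string
from dataclasses import dataclass
from typing import Optional

SIZE_FLOOR, SIZE_CEILING = 6, 64     # allowed bounds of the Size Range field


@dataclass(frozen=True)
class PasswordRequirements:
    attempt_limit: int = 0       # 0 = unlimited authentication attempts
    size_min: int = 8            # Size Range default is 8-64
    size_max: int = 64
    min_digits: int = 0
    min_upper: int = 0
    min_lower: int = 0
    min_other: int = 0
    history: int = 0             # Number of Historical Passwords, 0 = none kept


def policy_errors(req: PasswordRequirements) -> list[str]:
    """Reasons the policy itself is not valid; an empty list means it is."""
    errors = []
    if not (SIZE_FLOOR <= req.size_min <= req.size_max <= SIZE_CEILING):
        errors.append(f"size range {req.size_min}-{req.size_max} must lie within "
                      f"{SIZE_FLOOR}-{SIZE_CEILING}")
    # Table 5 tip: the minimum size must be at least the sum of the class minimums.
    class_sum = req.min_digits + req.min_upper + req.min_lower + req.min_other
    if class_sum > req.size_min:
        errors.append(f"minimum size {req.size_min} is below the sum of the "
                      f"minimum character counts ({class_sum})")
    return errors


def policy_warnings(req: PasswordRequirements) -> list[str]:
    """Valid but weak settings, such as the default Attempt Limit of 0."""
    warnings = []
    if req.attempt_limit == 0:
        warnings.append("attempt limit 0 never locks an account after failed logins")
    if req.history == 0:
        warnings.append("history 0 allows a user to reuse a previous password")
    return warnings


def _is_other(c: str) -> bool:
    return c.isprintable() and not c.isalnum() and not c.isspace()


def password_errors(req: PasswordRequirements, candidate: str,
                    previous: tuple[str, ...] = ()) -> list[str]:
    """Reasons a candidate password would be rejected by the policy.

    previous lists the account's earlier passwords, oldest first; only the
    last req.history of them are remembered by the sensor.
    """
    errors = []
    if not (req.size_min <= len(candidate) <= req.size_max):
        errors.append(f"length {len(candidate)} outside {req.size_min}-{req.size_max}")
    counts = {"digit": sum(c in string.digits for c in candidate),
              "uppercase": sum(c.isupper() for c in candidate),
              "lowercase": sum(c.islower() for c in candidate),
              "other": sum(_is_other(c) for c in candidate)}
    needed = {"digit": req.min_digits, "uppercase": req.min_upper,
              "lowercase": req.min_lower, "other": req.min_other}
    for kind, minimum in needed.items():
        if counts[kind] < minimum:
            errors.append(f"needs at least {minimum} {kind} character(s), has {counts[kind]}")
    remembered = previous[-req.history:] if req.history > 0 else ()
    if candidate in remembered:
        errors.append(f"matches one of the last {req.history} remembered passwords")
    return errors


def deployment_errors(req: PasswordRequirements,
                      accounts: dict[str, Optional[str]]) -> dict[str, list[str]]:
    """Check a User Accounts policy the way deployment does.

    accounts maps username -> password for managed accounts, or None when the
    password is unmanaged (discovered from the device and never edited). Every
    managed password is reconfigured on deployment, so each must satisfy the
    policy; unmanaged passwords are never deployed and are not checked.
    """
    return {name: errs for name, pw in accounts.items()
            if pw is not None and (errs := password_errors(req, pw))}
```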


Configuring AAA Access Control for IPS Devices

Use the AAA policy to configure AAA access control for your IPS devices. The device must use IPS Software release 7.0(4) to configure AAA.

You can configure the IPS device to use a RADIUS AAA server to authenticate user access to the device. By configuring AAA, you can reduce the number of local users defined on the device and take advantage of your existing RADIUS setup. If you configure a AAA server, you can configure the device to allow local user accounts as a fallback mechanism if the RADIUS servers are unavailable.

When configuring AAA, you identify the RADIUS server using a AAA server policy object. You can create the object while configuring the policy, or you can create it in the Policy Object Manager. When you configure the AAA server object, you must adhere to the following restrictions:

• Host —You must specify the IP address; you cannot use a DNS name.
• Timeout —If you enter a timeout value, it must be from 1 to 512 seconds. The generic AAA server object allows higher numbers, but IPS has a more limited timeout range. The default is 3.
• Protocol —RADIUS is the only supported protocol.
• Key —You must specify the shared secret key that is defined on the RADIUS server. Although this field is optional for a generic AAA server object, IPS requires a key.
• Port —Ensure that the RADIUS Authentication/Authorization port is correct. Note that the default port in the AAA server object is different from the IPS default, which is 1812. You will need to change the port if you want to use the IPS default.

You must ensure that the user account configured in the device properties exists in the RADIUS server or as a local user account, depending on the authorization method that you use. If you switch between local and AAA modes, or change AAA servers, you must ensure that the account is defined in whatever user account database you are using. If you are using AAA with local fallback, the account should be defined in all databases. This account must exist, with the same password defined in the Security Manager device properties for the device, or deployment to the device will fail. The user account used for discovery and deployment must have administrator privileges.

Step 1 Do one of the following:


• (Device view) Select Platform > Device Admin > Device Access > AAA from the Policy selector.
• (Policy view) Select IPS > Platform > Device Admin > AAA, then select an existing policy or create a new one.

Step 2 Configure the following basic properties:

• Authentication Mode —Whether to use Local or AAA mode. Local mode uses user accounts defined on the IPS device only. With AAA mode, the RADIUS servers are the primary means of user authentication, and you can configure local user accounts as a fallback mechanism. The default is Local. You must select AAA to configure any other options in this policy.
• Primary RADIUS Server, Secondary RADIUS Server —The main (primary) AAA server and a backup server, if any. Enter the name of the AAA server policy object that identifies the RADIUS server, or click Select to select it from a list of objects or to create a new object.

When authenticating users, the IPS device sends the user authentication attempt to the primary server. The secondary server is contacted only if the request to the primary server times out.

Step 3 Configure the following optional properties if you want non-default values:

• Console Authentication —How you want to authenticate users who access the IPS device through the console:
  o Local—Users connected through the console port are authenticated through local user accounts.
  o Local and RADIUS—Users connected through the console port are authenticated through RADIUS first. If RADIUS fails, local authentication is attempted.
  o RADIUS—Users connected through the console port are authenticated by RADIUS. If you also select Enable Local Fallback, then users can also be authenticated through the local user accounts.
• RADIUS NAS ID —The Network Access ID, which identifies the service requesting authentication. The value can be no NAS-ID, cisco-ips, or a NAS-ID already configured on the RADIUS server. The default is cisco-ips.
• Enable Local Fallback —Whether you want to fall back to local user account authentication if all RADIUS servers are unavailable. This option is selected by default. Note that local authentication is not attempted if the RADIUS server responds negatively to the logon attempt; local authentication is tried only if no response is received from the RADIUS server.
• Default User Role —The role to assign to users who do not have a role assigned in the RADIUS server. You can make Viewer, Operator, or Administrator the default roles, but not Service; select Unspecified to assign no default role (this is the default).
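The login decision that Steps 2 and 3 describe (primary server first, secondary only on timeout, local fallback only when no RADIUS server answers, the role taken from the ips-role Accept Message covered in the next paragraphs or else from the default user role, and a service role that also needs an identical local account), as an added Python example that is not code from the handbook or from Cisco Security Manager. The field names, the RadiusResult shape, the plaintext local account table, and the reading of "RADIUS fails" as including a rejection for the Local and RADIUS console option are assumptions.

```python
# Added example, not code from the handbook or from Cisco Security Manager.
# It models the AAA login decision for an IPS sensor as the text describes it.
# Assumptions: the field names, the RadiusResult shape, the plaintext local
# account table (a real sensor stores encrypted passwords), and that "RADIUS
# fails" for the Local and RADIUS console option includes a rejection.
import re
from dataclasses import dataclass
from hmac import compare_digest
from typing import Callable, Optional

_ROLE_ATTR = re.compile(r"ips-role=(viewer|operator|administrator|service)")


@dataclass(frozen=True)
class AaaPolicy:
    authentication_mode: str = "Local"        # "Local" or "AAA"
    console_authentication: str = "Local"     # "Local", "Local and RADIUS", "RADIUS"
    enable_local_fallback: bool = True        # selected by default
    default_user_role: Optional[str] = None   # None = Unspecified

    def __post_init__(self):
        # Viewer, Operator or Administrator may be the default role; Service may not.
        if self.default_user_role not in (None, "viewer", "operator", "administrator"):
            raise ValueError(f"invalid default user role: {self.default_user_role}")


@dataclass(frozen=True)
class RadiusResult:
    status: str               # "accept", "reject" or "timeout" (no response)
    reply_message: str = ""   # the Accept Message / Reply attribute text


RadiusServer = Callable[[str, str], RadiusResult]
LocalUsers = dict[str, tuple[str, str]]     # username -> (password, role)


def role_from_reply(reply_message: str) -> Optional[str]:
    """Extract the role from a reply such as 'Hello bob your ips-role=operator.'"""
    match = _ROLE_ATTR.search(reply_message)
    return match.group(1) if match else None


def _local_login(username: str, password: str, local_users: LocalUsers):
    entry = local_users.get(username)
    if entry and compare_digest(entry[0].encode(), password.encode()):
        return True, entry[1]
    return False, "local authentication failed"


def _query_radius(username: str, password: str, servers: list[RadiusServer]) -> RadiusResult:
    """Primary first; the secondary is contacted only if the primary times out."""
    result = RadiusResult("timeout")
    for server in servers:
        result = server(username, password)
        if result.status != "timeout":
            break
    return result


def authenticate(policy: AaaPolicy, username: str, password: str,
                 local_users: LocalUsers, servers: list[RadiusServer],
                 via_console: bool = False):
    """Return (True, role) on success or (False, reason) on denial."""
    if policy.authentication_mode == "Local":
        return _local_login(username, password, local_users)
    method = policy.console_authentication if via_console else "RADIUS"
    if method == "Local":
        return _local_login(username, password, local_users)
    result = _query_radius(username, password, servers)
    if result.status == "timeout":
        # Local fallback applies only when no RADIUS server answered at all.
        if method == "Local and RADIUS" or policy.enable_local_fallback:
            return _local_login(username, password, local_users)
        return False, "no response from RADIUS servers and local fallback is disabled"
    if result.status == "reject":
        if method == "Local and RADIUS":   # assumption: "RADIUS fails" covers a reject
            return _local_login(username, password, local_users)
        return False, "rejected by RADIUS server"   # a negative answer never falls back
    role = role_from_reply(result.reply_message) or policy.default_user_role
    if role is None:
        return False, "RADIUS accepted the credentials but no role is assigned"
    if role == "service":
        # Both the RADIUS and the local service account are checked during login.
        ok, local_role = _local_login(username, password, local_users)
        if not ok or local_role != "service":
            return False, "service role requires an identical local service account"
    return True, role
```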

User role configuration is very important. If you do not assign a role to the user, either through the default user role or in the RADIUS server, the sensor prevents user login even if the RADIUS server accepted the username and password.

To assign roles specifically to users on the RADIUS server, you configure the Accept Message for those accounts as either ips-role=administrator, ips-role=operator, ips-role=viewer, or ips-role=service. You configure the Accept Message individually for each user account. An example of a Reply attribute for a given user could be configured to return “Hello <user> your ips-role=operator.”

If you configure a service account in the RADIUS server, you must also configure an identical service account locally on the device. For service accounts, both the RADIUS and Local accounts are checked during login.

Identifying an NTP Server

Use the NTP policy to configure a Network Time Protocol (NTP) server as the time source for the IPS device. Using NTP helps ensure synchronized time among your network devices, which can aid event analysis. NTP is the recommended way to configure time settings on an IPS device. For detailed information on how to set the time on a sensor, including how to set up a Cisco IOS router as an NTP server, refer to Configuring Time in Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface Version 7.0.

Check the time on your IPS sensor if you are having trouble updating your IPS software. If the time on the sensor is ahead of the time on the associated certificate, the certificate is rejected, and the sensor software update fails.

Step 1 Do one of the following to open the NTP policy:

• (Device view) Select Platform > Device Admin > Server Access > NTP from the Policy selector.
• (Policy view) Select IPS > Platform > Device Admin > Server Access > NTP, then select an existing policy or create a new one.

Step 2 In the NTP Server IP Address field, enter the IP address of the NTP server. You can
also enter the name of a network/host object that identifies the single host address of the
server, or click Select to select the object from a list or to create a new one.

Step 3 If the NTP server does not require authentication, deselect the Authenticated
NTP checkbox.

If the NTP server requires authentication, configure the following options:


• Authenticated NTP —Select this option to enable authenticated connections.
• Key, Confirm —The key value of the NTP server. The key is an MD5 type of key (either numeric or character); it is the key that was used to set up the NTP server.
• Key ID —The key ID value of the NTP server, a numeric value between 1 and 65535.

The key and key ID are configured on the NTP server; you must obtain them from the NTP
server configuration.

Identifying DNS Servers


If you configure global correlation on an IPS 7.0+ sensor, the sensor must be able to resolve domain names to successfully connect to the update server when downloading global correlation updates. Use the DNS policy to identify the Domain Name System (DNS) servers that the sensor can use to resolve domain names to IP addresses.

If your network requires HTTP proxies when making Internet connections, configure the HTTP Proxy policy instead of the DNS policy.

The AIP-SSC-5 service module does not support DNS servers.

Step 1 Do one of the following to open the DNS policy:

• (Device view) Select Platform > Device Admin > Server Access > DNS from the Policy selector.
• (Policy view) Select IPS > Platform > Device Admin > Server Access > DNS, then select an existing policy or create a new one.

Step 2 Specify the IP addresses of up to three DNS servers in the Primary, Secondary, and Tertiary Address fields. The sensor uses the servers in the order listed; if one server does not respond, the next server is contacted.

You can enter an IP address or the name of a network/host object that contains a server address. Click Select to select a network/host object from a list or to create a new one. The network/host object must specify a single host address.

Identifying an HTTP Proxy Server

If you configure global correlation on an IPS 7.0+ sensor, and your network requires the use of HTTP proxies to connect to the Internet, you need to configure the HTTP Proxy policy to identify a proxy that the IPS sensor can use. When downloading global correlation updates, the IPS sensor connects to the update server using this proxy. The proxy must be able to resolve DNS names.

If you do not use HTTP proxies, configure DNS servers so that the IPS sensor can resolve the address of the update server.

The AIP-SSC-5 service module does not support HTTP proxy servers.

Step 1 Do one of the following to open the HTTP Proxy policy:


• (Device view) Select Platform > Device Admin > Server Access > HTTP Proxy from the Policy selector.
• (Policy view) Select IPS > Platform > Device Admin > Server Access > HTTP Proxy, then select an existing policy or create a new one.

Step 2 Configure the following options:

• Enable Proxy —Select this option to tell the device to connect through the configured proxy server.
• IP Address —Enter the IP address of the proxy server, or the name of the network/host object that contains the server’s IP address. Click Select to select a network/host object from a list or to create a new one. The network/host object must contain a single host IP address.
• Port —Enter the port number used for HTTP connections to the proxy server. The default is 80.


Configuring the External Product Interface

Use the External Product Interface policy to configure the way that Security Manager works with Management Center for Cisco Security Agents (CSA MC).

In general, the external product interface is designed to receive and process information from external security and management products. These external security and management products collect information that can be used to automatically enhance the sensor configuration information. Management Center for Cisco Security Agents is the only external product that can be configured to communicate with the IPS. At most two Management Center for Cisco Security Agents servers can be configured per IPS device.

Management Center for Cisco Security Agents is no longer an active product. Configure this policy only if you are still using that application. For more information, see About CSA MC in Installing and Using Cisco Intrusion Prevention System Device Manager 6.0 and http://www.cisco.com/en/US/products/sw/cscowork/ps5212/index.html.

Management Center for Cisco Security Agents enforces a security policy on network hosts. It has two components:

• Agents that reside on and protect network hosts.
• A management console, which is an application that manages agents. It downloads security policy updates to agents and uploads operational information from agents.

Before You Begin

Add the external product as an allowed host so that Security Manager allows the sensor to communicate with the external product.

Step 1 Do one of the following to open the External Product Interface policy:

• (Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector.
• (Policy view) Select IPS > Platform > Device Admin > Server Access > External Product Interface, then select an existing policy or create a new one.

Step 2 Do one of the following:

• To add a server, click the Add Row (+) button. This opens the External Product Interface dialog box. Enter the information required to identify the server and configure the posture ACLs. You can add at most two servers.
• To edit a server, select it and click the Edit Row (pencil) button and make the required changes in the External Product Interface dialog box.
• To delete a server, select it and click the Delete Row (trash can) button.

External Product Interface Dialog Box

Use the Add or Edit External Product Interface dialog box to add or modify interfaces between Management Center for Cisco Security Agents (CSA MC) and the IPS device and the related posture ACLs.


Table 6: External Product Interface Dialog Box

Navigation Path

From the External Product Interface IPS platform policy, click Add Row or select an entry and click Edit Row.

Field Reference

External Product's IP Address
The IP address, or the network/host policy object that contains the address, of the external product. Enter the IP address or object name, or click Select to select an object from a list or to create a new one.

Interface Type
Identifies the physical interface type, which is always Extended SDEE.

Enable receipt of information
Whether information is allowed to be passed from the external product to the sensor.

SDEE URL
The URL on the CSA MC that the IPS uses to retrieve information over SDEE. You must configure the URL based on the software version of the CSA MC that the IPS is communicating with, as follows:
• For CSA MC version 5.0: /csamc50/sdee-server
• For CSA MC version 5.1: /csamc51/sdee-server
• For CSA MC version 5.2 and higher: /csamc/sdee-server (the default value)

Port
The port, or the port list object that identifies the port, being used for communications. Enter the port or port list name, or click Select to select the object from a list or to create a new object.

User name, Password
A username and password that can log into the external product.

Enable receipt of host postures
Whether to allow the receipt of host posture information from CSA MC. The host posture information received from a CSA MC is deleted if you disable this option.

Allow unreachable hosts' postures
Whether to allow the receipt of host posture information for hosts that are not reachable by the CSA MC. A host is not reachable if the CSA MC cannot establish a connection with the host on any of the IP addresses in the host's posture. This option is useful in filtering the postures whose IP addresses may not be visible to the IPS sensor or that might be duplicated across the network. This filter is most applicable in network topologies where hosts that are not reachable by the CSA MC are also not reachable by the IPS, for example if the IPS and CSA MC are on the same network segment.

Posture ACL table
Posture ACLs are network addresses for which host postures are allowed or denied. Use posture ACLs to filter postures that have IP addresses that might not be visible to the IPS or that might be duplicated across the network.
• To add a posture ACL, click the Add Row (+) button. This opens the Add Posture ACL dialog box. For information on configuring the Posture ACL, see Posture ACL Dialog Box.
• To edit a posture ACL, select it and click the Edit Row (pencil) button.
• To delete a posture ACL, select it and click the Delete Row (trash can) button.
• To change the priority of an ACL, select it and click the Up or Down button. ACLs are processed in order, and the action associated with the first match is applied.

Enable receipt of watch listed addresses
Whether to allow the receipt of the watch list information from CSA MC. The watch list information received from a CSA MC is deleted if you disable this option.

Manual Watch List RR Increase
The percentage of the manual watch list risk rating (RR). The default is 25, and the valid range is 0 to 35.

Session-based Watch List RR Increase
The percentage of the session-based watch list risk rating. The default is 25, and the valid range is 0 to 35.

Packet-based Watch List RR Increase
The percentage of the packet-based watch list risk rating. The default is 10, and the valid range is 0 to 35.
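The Posture ACL table entry above states the two rules that matter when reading an ACL list: entries are processed in order and the first match wins, and the "Allow unreachable hosts' postures" option decides whether a posture that CSA MC could not verify is kept at all. The Python below is an added illustration of that evaluation; it is not Cisco code and models only the behaviour the page describes. Two things are assumptions of this example because the page does not state them: the action applied when no entry matches (permit here, with an explicit catch-all deny shown in the sample list), and the rule that a posture is kept when at least one of its addresses is permitted. The ACLs and postures are constructed sample data.

```python
"""First-match posture ACL evaluation (added illustration, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class PostureAcl:
    network: str   # host address or network, e.g. "10.1.2.0/24" or "10.1.2.5"
    action: str    # "permit" or "deny"


@dataclass
class HostPosture:
    host_id: str
    addresses: List[str]   # IP addresses reported in the posture
    reachable: bool        # True if CSA MC could connect to the host


def acl_decision(ip: str, acls: List[PostureAcl], default: str = "permit") -> str:
    """Walk the ACL list in priority order and return the action of the first
    entry whose network contains ip. The 'default' for no match is assumed;
    the page does not document it."""
    addr = ipaddress.ip_address(ip)
    for entry in acls:
        if entry.action not in ("permit", "deny"):
            raise ValueError(f"bad action {entry.action!r} for {entry.network}")
        if addr in ipaddress.ip_network(entry.network, strict=False):
            return entry.action
    return default


def filter_posture(posture: HostPosture, acls: List[PostureAcl],
                   allow_unreachable: bool = False) -> List[str]:
    """Return the addresses of the posture the sensor should keep; an empty
    list means the whole posture is dropped. Mirrors the two dialog-box
    options: 'Allow unreachable hosts' postures' and the posture ACL table.
    Keeping a posture when any address is permitted is an assumption."""
    if not posture.reachable and not allow_unreachable:
        return []
    return [ip for ip in posture.addresses if acl_decision(ip, acls) == "permit"]


# Constructed sample data for the demonstration.
ACLS_SPECIFIC_FIRST = [
    PostureAcl("10.1.2.0/24", "deny"),     # NAT'd lab segment the IPS never sees
    PostureAcl("10.1.0.0/16", "permit"),
    PostureAcl("0.0.0.0/0", "deny"),       # explicit catch-all
]
# Same entries, but the broad permit placed before the specific deny.
ACLS_WRONG_ORDER = [ACLS_SPECIFIC_FIRST[1], ACLS_SPECIFIC_FIRST[0], ACLS_SPECIFIC_FIRST[2]]

SAMPLE_POSTURES = [
    HostPosture("ws-01", ["10.1.7.20"], reachable=True),
    HostPosture("lab-03", ["10.1.2.5"], reachable=True),
    HostPosture("roaming-09", ["10.1.7.99", "192.168.5.5"], reachable=False),
]


def demo(allow_unreachable: bool = False) -> dict:
    """Map host_id -> kept addresses under ACLS_SPECIFIC_FIRST."""
    return {p.host_id: filter_posture(p, ACLS_SPECIFIC_FIRST, allow_unreachable)
            for p in SAMPLE_POSTURES}


if __name__ == "__main__":
    for host, kept in demo(allow_unreachable=True).items():
        print(f"{host:12s} kept={kept}")
```

Running `demo()` with the default setting drops both lab-03 (its only address is denied by the first entry) and roaming-09 (unreachable); enabling allow_unreachable keeps roaming-09 but only its 10.1.7.99 address, because 192.168.5.5 falls through to the catch-all deny. Evaluating 10.1.2.5 against ACLS_WRONG_ORDER returns permit, which is exactly the mistake the Up/Down priority buttons exist to avoid.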

Posture ACL Dialog Box

Use the Add or Modify Posture ACL dialog box to configure posture ACLs for Management Center for Cisco Security Agents. Posture ACLs are network addresses for which host postures are allowed or denied. Use posture ACLs to filter postures that have IP addresses that might not be visible to the IPS or that might be duplicated across the network.

Configure the following fields to define a posture ACL:
• Network Address: Enter the IP address of a host or network, or the name of a network/host object that specifies one. You can click Select to select the object from a list or to create a new object.
•	Action: Whether host postures will be permitted or denied from the hosts on the network address.

Navigation Path

From the External Product Interface dialog box, click the Add Row (+) button underneath the Posture ACL table, or select a posture ACL and click the Edit Row (pencil) button.

Configuring IPS Logging Policies

Use the IPS platform Logging policy to configure traffic flow notifications and Analysis Engine global variables. These settings apply to the general operation of the IPS sensor.

Traffic flow notifications have to do with the flow of traffic across the interface of a sensor. You can configure the sensor to monitor the flow of packets across an interface and send a notification if that flow changes (starts and stops) during a specified interval. You can configure the missed packet threshold within a specific notification interval and also configure the interface idle delay before a status event is reported.

The Analysis Engine performs packet analysis and alert detection. It monitors traffic that flows through specified interfaces. For the Analysis Engine, there is only one global variable: Maximum Open IP Log Files.

Table 7: IPS Logging Page

Navigation Path

• (Device view) Select Platform > Logging from the Policy selector.
• (Policy view) Select IPS > Platform > Logging, then select an existing policy or create a new one.

Field Reference

Interface Notifications Tab

Missed Packets Threshold
The percent of missed packets that has to occur before you want to receive notification. The default is 0, and the range is 0 to 100.

Notification Interval
The length of time, in seconds, that you want to check for the percentage of missed packets. The default is 30, and the range is 5 to 3600.

Interface Idle Threshold
The length of time, in seconds, that you will allow an interface to be idle and not receiving packets before you want to be notified. The default is 30, and the range is 5 to 3600.

Analysis Engine Tab

Maximum Open IP Log Files
The maximum number of open IP log files that you want to allow on the sensor. The default is 20, and the range is 20 to 100.
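Table 7 gives the defaults and valid ranges of the Logging policy but not how the three interface notifications relate to each other over time. The Python below is an added illustration, not Cisco code: it validates a policy against the documented ranges, then replays per-interval packet counters through a small monitor that emits the missed-packets notification and the flow stopped / flow started status events. The exact comparisons (missed percentage strictly greater than the threshold, an interface idle for at least the idle threshold) and the one-event-per-transition behaviour are assumptions of this example; the counters are constructed.

```python
"""Interface notification evaluation for the IPS Logging policy (added illustration)."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class LoggingPolicy:
    missed_packets_threshold: int = 0    # percent, 0..100 (Table 7 default 0)
    notification_interval: int = 30      # seconds, 5..3600 (default 30)
    interface_idle_threshold: int = 30   # seconds, 5..3600 (default 30)
    max_open_ip_log_files: int = 20      # 20..100 (default 20)

    def validate(self) -> None:
        """Reject values outside the ranges documented in Table 7."""
        bounds = [
            ("missed_packets_threshold", self.missed_packets_threshold, 0, 100),
            ("notification_interval", self.notification_interval, 5, 3600),
            ("interface_idle_threshold", self.interface_idle_threshold, 5, 3600),
            ("max_open_ip_log_files", self.max_open_ip_log_files, 20, 100),
        ]
        for name, value, lo, hi in bounds:
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} is outside {lo}..{hi}")


class InterfaceMonitor:
    """Tracks one sensing interface. observe() is called once per notification
    interval with that interval's received/missed counters and returns the
    notifications the sensor would raise for it."""

    def __init__(self, policy: LoggingPolicy, name: str, start_time: float):
        policy.validate()
        self.policy = policy
        self.name = name
        self.last_packet_time = start_time
        self.idle = False

    def observe(self, now: float, received: int, missed: int) -> List[str]:
        events: List[str] = []
        if received > 0:
            self.last_packet_time = now
            if self.idle:                                   # flow resumed
                self.idle = False
                events.append(f"{self.name}: flow started")
        elif (not self.idle and
              now - self.last_packet_time >= self.policy.interface_idle_threshold):
            self.idle = True                                # flow stopped; reported once
            events.append(f"{self.name}: flow stopped (idle {self.policy.interface_idle_threshold}s)")
        total = received + missed
        if total:
            pct = 100.0 * missed / total
            if pct > self.policy.missed_packets_threshold:  # strict '>' is an assumption
                events.append(f"{self.name}: missed packets {pct:.1f}%")
        return events


def replay(samples: Sequence[Tuple[float, int, int]], policy: LoggingPolicy,
           name: str = "GigabitEthernet0/1") -> List[str]:
    """Feed (time, received, missed) samples through a monitor; return all events."""
    mon = InterfaceMonitor(policy, name,
                           start_time=samples[0][0] - policy.notification_interval)
    out: List[str] = []
    for now, rx, miss in samples:
        out.extend(mon.observe(now, rx, miss))
    return out


# Constructed counters, one tuple per 30-second notification interval.
SAMPLE_COUNTERS = [
    (30, 1000, 10),   # about 1% missed
    (60, 900, 100),   # 10% missed
    (90, 0, 0),       # no packets for a full interval
    (120, 0, 0),      # still idle: no repeated notification
    (150, 5, 0),      # traffic resumes
]

if __name__ == "__main__":
    for event in replay(SAMPLE_COUNTERS, LoggingPolicy(missed_packets_threshold=5)):
        print(event)
```

With the Table 7 default of 0 for the missed-packets threshold the very first interval already notifies (about 1% missed), which is why a site with normal drop levels raises the threshold; with the threshold at 5 only the second interval does.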



UNIT VII
Anti-virus and Antispam Software

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
7.1 Antivirus Software
7.2 Antispam Software


LESSON PLAN

Performance Outcomes
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines

Ensuring Measures: Peer group, Faculty group and Industry experts.
Duration (Hrs): 2 hr in-class presentations
Work Environment / Lab Requirement: PCs/Tablets/Laptops; Projection facilities

Performance Outcomes
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Ensuring Measures: KA4, KA5: Peer group, Faculty group and Industry experts. KB1 - KB4: Research and Learning Group and Faculty activity; evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline
Work Environment / Lab Requirement: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security

Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research the various types of malware and collect examples of each type (virus, Trojan, worm, and other malware). The group that collects the largest number of correct examples will get a prize.

Activity 2:

Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.


Training Resource Material

7.1 Antivirus Software


Antivirus software is a type of utility used for scanning and removing viruses from your computer. While many types of antivirus (or "anti-virus") programs exist, their primary purpose is to protect computers from viruses and remove any viruses that are found.

Most antivirus programs include both automatic and manual scanning capabilities. The automatic scan may check files that are downloaded from the Internet, discs that are inserted into the computer, and files that are created by software installers. The automatic scan may also scan the entire hard drive on a regular basis. The manual scan option allows you to scan individual files or your entire system whenever you feel it is necessary.

Since new viruses are constantly being created, antivirus programs must keep an updated database of virus types. This database includes a list of "virus definitions" (signatures) that the antivirus software references when scanning files. Since new viruses are frequently distributed, it is important to keep your software's virus database up-to-date. Fortunately, most antivirus programs automatically update the virus database on a regular basis.

While antivirus software is primarily designed to protect computers against viruses, many antivirus programs now protect against other types of malware, such as spyware, adware, and rootkits as well. Antivirus software may also be bundled with firewall features, which helps prevent unauthorized access to your computer. Utilities that include both antivirus and firewall capabilities are typically branded "Internet Security" software or something similar.

While antivirus programs are available for Windows, Macintosh, and Unix platforms, most antivirus software is sold for Windows systems. This is because most viruses are targeted towards Windows computers and therefore virus protection is especially important for Windows users. If you are a Windows user, it is smart to have at least one antivirus program installed on your computer. Examples of common antivirus programs include Norton Antivirus, Kaspersky Anti-Virus, and ZoneAlarm Antivirus.

The most important thing to remember about virus protection is that no system is infallible. No matter how good your anti-virus (AV) software is, and how stringent your security processes are, there is still the chance that a completely new virus will enter your organization and disrupt operations. Of course, completely isolating your systems from the Internet and removing them from external e-mail will greatly minimize your exposure; however, in today's digital economy that is no longer a practical option.

Protecting the Organization

In order to protect your electronic messaging system, it is necessary to understand the flow of electronic messages within your organization and to provide protection at each point of vulnerability.

Organizations now recognize the importance of providing dedicated virus protection for their e-mail systems. The earlier assumption was that any virus being carried by an e-mail would simply enter the network as an attachment that could either be detected as it came through the Internet SMTP gateway or by the end-user desktop AV scanner. However, over the past few years, e-mail systems have evolved significantly from simple message distribution to providing collaborative stores, Web-based user interfaces, and access from wireless devices.

Steps to be taken for Virus protection

Establish an organizational anti-virus policy

In order to properly select, configure, and maintain virus protection solutions, your organization must clearly define what levels of protection and countermeasures it needs. This necessitates specifying the types of data that will be permitted, what content should be filtered or barred, who is responsible for each aspect of the implementation, how communications with end-users will take place, and what actions to take in the event of virus outbreaks and hoax alerts.

Deploy a multi-tiered defense strategy

There are multiple points of entry for infected messages to enter an organization; as a result, it is important to provide virus protection at as many points as possible. This includes the electronic messaging gateways, desktops, PDAs, wireless devices, and the e-mail server itself.

Figure 2: Multi-tiered virus protection system

Update your anti-virus definition files and engines regularly

While most organizations understand the importance of keeping their virus definition files up-to-date, not everyone understands that it is equally important to ensure that the detection engine is the most current version. Updates can typically be automated, but it is important to periodically check the log files to ensure that the updates are executing properly.

Update your desktop anti-virus software regularly

Server-based e-mail virus protection is the most efficient way to provide protection within an organization, but based upon the particulars of the organization's security policy, it is not always able to provide protection for all types of messages (such as encrypted messages). As a result, it is crucial that desktop anti-virus software be updated regularly to provide security that server-based scanning may not be able to offer.

Always keep your operating system, Web browser, e-mail, and application programs up-to-date. Periodically review the security sections of your key software vendors' sites and subscribe to any applicable electronic newsletters to notify you of any new security vulnerabilities and fixes.

Back up your files on a regular basis

If a virus destroys your data, then you can restore it from your archives. E-mail backups and restores can be a bit temperamental, so it is advisable to also


have a standard procedure to verify restores from backups periodically.

Subscribe to an e-mail alert service that issues warnings of new virus threats

Many different organizations provide this service, but the most important one will be your anti-virus vendor. The reason is that due to differences in each AV vendor's capabilities, new viruses will be rated differently and the action necessary will vary. For instance, one vendor may have already provided generic virus detection in a past update that provides protection against a new virus and so they would rate a particular virus as a low threat for their customers. However, other vendors who may not be able to provide immediate protection would rate the same virus alert as a "high" risk.

Provide anti-virus overview training to all employees

Most virus outbreaks within organizations could be greatly minimized if the general staff were aware of e-mail virus vulnerabilities, preventative measures and recommended actions should they encounter a suspected virus.

Protecting E-mail Users

With the closer integration of e-mail and office suite applications, it is no longer sufficient to view anti-virus vulnerabilities solely from the perspective of the e-mail client application. Instead, one must also adequately protect the whole PC that the user is using, whether they are using a local copy of an e-mail application or a remotely-hosted thin client e-mail front-end.

The following is a list of recommended steps that organizations can take to protect end users.

Disable the e-mail program preview pane feature

Some e-mail programs, such as Microsoft Outlook and Microsoft Outlook Express, have a feature that allows users to view a message without opening it in a separate window; however, some viruses can still execute by simply being viewed because the preview pane has the ability to process embedded scripts.


Figure 3: Changing Outlook Express Preview pane settings from the View, Layout menu

Figure 4: Changing Microsoft Outlook Preview Pane settings

Make the file NORMAL.DOT read-only

If you use Microsoft Word as your e-mail editor, then make NORMAL.DOT read-only at the operating system level. You should also change the Microsoft Word settings to "Prompt to Save Normal Template". Many viruses propagate themselves by changing the NORMAL.DOT file, but this measure can provide at least some deterrent. The permissions can always be switched off again if and when any intentional changes are required.

Use .RTF and .CSV instead of .DOC and .XLS

Use .RTF instead of .DOC formatted word-processing documents and .CSV instead of .XLS formatted spreadsheets, because these formats do not support the use of macros. However, even then, caution should be exercised: a file named .RTF may actually be a .DOC that has simply been renamed, since Word identifies the format by its content rather than its extension, and such a file can still carry macros. When exchanging files with others, it is safest to use .RTF and .CSV formatted files, but this should not


be relied upon as a fail-safe means of exchanging information.

Remove Windows Script Host

If your organization does not use Windows Script Host (WSH), then you should consider removing or disabling it. To do this in Windows 9x, go to 'Control Panel' and choose 'Add/Remove Programs'. Click on the 'Windows Setup' tab and double click on 'Accessories'. Scroll down to 'Windows Script Host', uncheck it and choose 'OK'. It may be necessary to reboot the system. For additional information, visit Microsoft's support Web site.

Use in-box rules to process suspicious e-mails

If your organization does not use e-mail server-based content filtering, then you can use your e-mail inbox rules to automatically delete or move suspect messages into a dedicated folder.

Do not open any files attached to an e-mail from an unknown, suspicious or untrustworthy source

Ensure that the source of any e-mail attachment is a legitimate and reputable one. If you're uncertain, don't download the file at all, or download the file to a floppy and then scan it with your own anti-virus software.

Don't pass along virus warnings from others unless you have verified that they are applicable to your organization

Due to the large number of viruses and hoaxes, unnecessary time and e-mail traffic can be wasted by people forwarding virus warnings that may not be legitimate. Before passing along warnings to others, first check your virus protection vendor's Web site to determine if your systems are already protected or if it is just a hoax.

Write-protect removable media before using them in other computers

If removable media is used to ferry e-mails between computers (such as from work to home), then write-protecting the medium before using it in a suspect system can protect it from becoming infected.

Protecting E-mail Servers

Some organizations believe that as long as they protect their e-mail gateways and internal desktop computers, they do not need e-mail server-based anti-virus solutions. While this may have been true a few years ago, with today's Web-based e-mail access, public folders, and mapped network drive access to the stores, this stance is no longer prudent. Besides viruses entering the e-mail system from the Internet SMTP gateway, infected files can be transferred through an organization's remote Web-based interface, network-connected user devices such as PDAs, disk drives on computers without up-to-date virus protection, or copies from un-scanned archives. Once an infected item gets into the e-mail stores, then only an e-mail server-based solution will be able to detect and remove the infected item.


The following is a list of recommendations that organizations should follow to secure their e-mail servers.

Block common infecting attachments

Many e-mail transported infectors (a.k.a. mass-mailers) use executable file types that are commonly found on most computers, such as EXE, VBS, and SHS. Most e-mail users do not need to receive attachments with these file extensions, so these can be blocked as they enter the e-mail server or gateway.

Schedule complete on-demand scans whenever you update your virus definition files

Even if you keep all of your virus protection up-to-date, it is possible for a new virus to enter your organization before it has been properly identified and a new definition file created for it by your AV vendor. By scanning all of your data with the latest definitions, you can then ensure that there are no undetected infected files in your archives.

Use heuristic scanning

Most new viruses are simply variants of previously known viruses; however, providing separate detection code for every conceivable variation would be impractical. As an alternative, heuristic scanning looks for known virus characteristics. While this does provide a higher level of protection, it requires more processing time to scan items and may occasionally lead to false-positive identifications. So long as your servers are properly configured, the performance overhead will be worth the additional protection that heuristic scanning can provide.

Use virus outbreak response features in your AV products

Mass-mailer viruses can spread very quickly throughout an organization. They can also be very troublesome for administrators to eradicate while waiting for the appropriate detection driver to be obtained from an AV vendor. Some virus protection products provide features that can configure your system to automatically notify you or take corrective actions if certain virus outbreak characteristics manifest themselves. For instance, you may configure your system to send a cell phone warning if there are more than 50 similar messages received in a short period of time, automatically check the vendor's download site for the latest virus definition files, and then temporarily disable the e-mail gateway until an administrator can respond if the activity continues. This sort of outbreak response policy should be included in the organization's anti-virus policy so that there is a plan of action in place before an outbreak happens.

Archive important data for at least one month

Not all viruses manifest themselves right away; depending upon where a virus is located and how your system is configured, it may take some time for the virus to be discovered. The further back that you can go in your archives, the greater the likelihood that you will be able to successfully restore an infected item if

it cannot automatically be cleaned by your AV solution.

General principles of antivirus configuration

• Antivirus software has options, some of which may not be enabled by default. It is recommended to enable them all.
• Enable heuristics options if they're user-configurable (if several levels are offered, use Maximum).
• Enable scanning within compressed files and archives wherever the option exists.
• Choose to scan all file types wherever this option exists.
• Allow no exemptions from scanning, wherever the option exists.
• If possible, remove the error-prone human element by having infected items auto-quarantined or auto-deleted upon detection. Shoot first, ask questions later.
• Configure the virus-definition updates to run daily or more often, if the schedule is under your control.
• Set up a daily scan of all hard-drive data, to catch anything that slipped in before the antivirus software recognized it as a threat.
• Never assume that your antivirus software is infallible.
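Several of the recommendations in 7.1 describe pieces of one mechanism: the signature database of "virus definitions" from the introduction, the "Block common infecting attachments" rule for the e-mail server or gateway, the outbreak trigger of "more than 50 similar messages received in a short period of time", and the configuration principles just listed (scan inside archives, scan every file type, quarantine automatically). The Python below is an added illustration of a minimal gateway filter built from those pieces; it is not code from the handbook or from any AV product. Everything in it is constructed for the example: the definitions (the EICAR test string plus one invented pattern), the blocked-extension list taken from the page's EXE/VBS/SHS examples, the thresholds, the sample messages, and the use of an attachment's SHA-256 as the notion of "similar message".

```python
"""Minimal mail-gateway virus filter (added illustration, not product code)."""
import hashlib
import io
import zipfile
from collections import deque
from email import message_from_bytes
from email.message import EmailMessage
from typing import Dict, List, Tuple

# Definitions: name -> byte pattern. EICAR is the industry test string; it is
# split into two literals so this source file is not itself flagged by a
# scanner. The second entry is invented for the example.
DEFINITIONS: Dict[str, bytes] = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-" + b"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Example.Mailer.A": b"\xde\xad\xbe\xef" + b"MAILER-A",
}
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".shs"}   # the page's examples
MAX_MEMBER_BYTES = 50 * 1024 * 1024             # refuse to inflate zip bombs
MAX_ARCHIVE_DEPTH = 3                           # bound nested-archive recursion


def scan_bytes(data: bytes, depth: int = 0) -> List[str]:
    """Return definition names found in data, descending into ZIP members
    (the 'scan within compressed files and archives' option)."""
    hits = [name for name, sig in DEFINITIONS.items() if sig in data]
    if data.startswith(b"PK\x03\x04") and depth < MAX_ARCHIVE_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_BYTES:
                        hits.append("Archive.MemberTooLarge")
                        continue
                    hits.extend(scan_bytes(zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            hits.append("Archive.Unreadable")   # cannot be scanned: treat as suspect
    return list(dict.fromkeys(hits))            # de-duplicate, keep order


def inspect_message(raw: bytes) -> Tuple[str, List[str], List[str]]:
    """Classify a raw RFC 822 message: ('block'|'deliver', reasons, attachment digests)."""
    msg = message_from_bytes(raw)
    reasons: List[str] = []
    digests: List[str] = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue                               # body text, not an attachment
        data = part.get_payload(decode=True) or b""
        digests.append(hashlib.sha256(data).hexdigest())
        # The last extension is the one Windows honours ("invoice.pdf.exe").
        ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type {ext}")
        reasons.extend(f"signature {name}" for name in scan_bytes(data))
    return ("block" if reasons else "deliver"), reasons, digests


class OutbreakMonitor:
    """Flags an attachment digest seen at least `threshold` times within `window` seconds;
    the caller then alerts, refreshes definitions, or pauses the gateway."""

    def __init__(self, threshold: int = 50, window: float = 300.0):
        self.threshold, self.window = threshold, window
        self.seen: Dict[str, deque] = {}

    def observe(self, digest: str, now: float) -> bool:
        q = self.seen.setdefault(digest, deque())
        q.append(now)
        while q and now - q[0] > self.window:     # drop sightings outside the window
            q.popleft()
        return len(q) >= self.threshold


def build_message(attachment_name: str, data: bytes) -> bytes:
    """Constructed sample message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "a@example.test"
    msg["To"] = "b@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed ZIP archive; DEFLATE hides member content from a plain byte match."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("notes.txt", b"hello"), ("invoice.pdf.exe", b"MZ"),
               ("docs.zip", make_zip({"readme.txt": DEFINITIONS["EICAR-Test-File"]}))]
    for name, data in samples:
        print(name, inspect_message(build_message(name, data))[:2])
```

The archive case is the one that shows why the "scan inside compressed files" option matters: the EICAR string is not visible in the DEFLATE-compressed attachment bytes, so a scanner that does not open the archive delivers it. The outbreak monitor is deliberately keyed on the attachment hash rather than the subject, because mass-mailers vary their subject lines far more readily than their payload.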

7.2 Antispam Software

Email Spam is the electronic version of junk mail. It involves sending unwanted messages,
often unsolicited advertising, to a large number of recipients. Spam is a serious security
concern as it can be used to deliver Trojan horses, viruses, worms, spyware, and targeted
phishing attacks.

How Do You Know

• Messages that do not include your email address in the TO: or CC: fields are common forms of spam.
• Some spam can contain offensive language or links to Web sites with inappropriate content.

What to Do

• Install spam filtering/blocking software.
• If you suspect an email is spam, do not respond, just delete it.
• Consider disabling the email's preview pane and reading emails in plain text.
• Reject all Instant Messages from persons who are not on your Buddy list.
• Do not click on URL links within IM unless they come from a known source and are expected.
• Keep software and security patches up to date.

About Spam Filters

Your message security service detects spam by applying hundreds of rules to each message that passes through the data centre. It can block obvious spam immediately, then divert more borderline spam to a Quarantine for later evaluation. From there, you or your users can review the Quarantine for any legitimate messages that were falsely quarantined and need to be forwarded to the user's Inbox. Otherwise, spam is deleted automatically.

When your service is activated, all types of spam are typically filtered at a uniform level of aggressiveness. One group of users, however, might have its own idea about what constitutes spam, or how aggressively to filter it. A travel agency might have a zero-tolerance policy for adult content, for example, but want to receive special offers, such as "trips to Hawaii." Another group might want to change its spam disposition, by changing how its spam is quarantined, or not quarantining it at all.

Filtering aggressiveness affects how the protection service handles messages that may or may not be spam. More aggressive spam filter levels will quarantine messages that are borderline cases. This will cause more spam to be caught, but may increase false positives. More lenient spam filters will allow borderline messages through, which reduces false positives but potentially lets more spam through.

For each of your organisations, you can adjust the overall aggressiveness of filtering, filter specific categories of spam more aggressively, and choose a spam disposition. Some of these settings are made at the organisation level, and some for a Default User. You can also adjust individual users' filtering, or allow users to do this themselves at the Message Center.

Where Spam Filtering Is Managed

You manage spam filtering at the following locations:

Organisation level: Enable Blatant Spam Blocking for users in the organisation, and choose a spam disposition, that is, the method of disposing of filtered spam, for example by changing how it's quarantined, or by not quarantining it at all. Configure Null Sender Disposition to dispose of messages that do not contain an SMTP-envelope sender address. If your service is provisioned with Outbound Services, then you also have the option to turn on Null Sender Header Tag Validation.

Default User: Define user-level spam settings that will apply to new users added to the organisation. This includes enabling spam filtering in the first place, adjusting how aggressively to filter spam, and filtering specific spam categories even more aggressively. Making these settings for a Default User is how you apply a single filtering policy across an organisation.

Specific User: You can modify user-level spam settings for an individual user, as well. But this isn't recommended if you want to maintain spam filtering policies across an organisation.

Message Center: You can optionally allow users to modify their own filter levels by granting them appropriate User Access permissions to the Message Center.

Types of Spam Filters


When spam filtering is enabled for a user, the user’s messages are processed through the
following filters:

 If Blatant Spam Blocking is enabled for the user’s organisation, the user’s most obvious
spam is bounced or blackholed (deleted), before it reaches your email servers. This
eliminates more than half of users’ spam, so neither you nor they ever have to deal with
it.

 Each user (and Default User) has a Bulk Email filter that sets a base level of
aggressiveness for filtering the remaining spam, which is typically sent to a separate
Quarantine for review.

 Each user (and Default User) can also optionally adjust four additional Category filters to
filter spam containing particular content even more aggressively (sexually explicit
content, special commercial offers, racially insensitive material, or get-rich-quick
schemes).

 Null Sender Disposition lets you choose how to dispose of messages that do not include
an SMTP-envelope sender address. These types of messages are usually Non-Delivery
Reports (NDRs). When the system receives an inbound message, it checks for the SMTP-envelope sender address. If there is no sender address, the message is disposed of
according to the Null Sender Disposition settings.

 Null Sender Header Tag Validation is the process by which the system examines each
inbound message for the presence of an SMTP-envelope sender address and for the
message security service’s digital signature. If your message security service has been
provisioned with Outbound Services and you have them configured for your mail server,
then the system tags the Received field on outbound messages with a digital signature.
When this filter is on and the system receives an inbound message, it checks for the
SMTP-envelope sender address and for the digital signature. If there is no sender
address and the message doesn’t have the system signature, then the message is
disposed of according to the Null Sender Disposition settings. If the system signature is
present, then the message bypasses this filter, and is evaluated by the others.


When Spam Filters Apply

Spam category filters are applied after all other filtering, including Content Manager filters, and any applicable Approved Senders list (the user’s own list, or one defined for the organisation). Blatant Spam Blocking occurs before most filters, but doesn’t block messages from approved senders. That means:

• Approved senders bypass Spam Filters, even if their messages contain spam-like content.
• Messages with approved content bypass the category filters, but such a message is still blocked if it is obvious spam detected by Blatant Spam Blocking.
• Messages marked as advertisements are blocked. If the Subject line of a message contains the prefix “ADV:” (for “advertisement”), the message is considered spam, regardless of approved content.
• Virus Blocking overrides Spam Filters. Virus Blocking scans all messages that either pass through the spam filter, are allowed to bypass spam filtering, or are quarantined as spam. For example, if a message is quarantined as junk, but is also determined to be infected with a virus, the message will be processed according to the virus filter disposition.

How Spam Is Identified

As a message passes through the spam filters, the message security service applies hundreds of rules to the message envelope, header, and content, all in a matter of milliseconds. Each rule describes some attribute typical of spam, and has a numerical value based on the likelihood that the attribute indicates spam. An equation is then formulated based on the weighted significance and combination of all rules triggered, and the resulting value is the message’s spam score. This score is measured against the sensitivity threshold set by the user’s spam filters, and a decision is made: spam or valid email.

Specifically, a Bulk Email filter sets a base level for filtering all types of spam, and individual category filters can be adjusted to filter a specific category of spam even more aggressively. The Bulk Email filter and category filters work independently of each other, but parameters from all filters collectively provide the final spam score, which can categorize the message as spam. A category filter thus multiplies the Bulk Email level and increases the number of messages that get identified as spam.

You can see a message’s spam score, whether or not it’s tagged as spam, by looking at the message header.

Why Catch Rates Might Vary

Developing an effective technology for filtering spam is an ongoing effort, since spammers are always evolving tactics to avoid detection. To combat new and ever-changing threats, the message security service continually calibrates its detection and filtering mechanisms, always striking a balance between catching the most spam and lowering the rate of falsely quarantined messages.

As we make adjustments, you might notice slight variances in catch rates for certain spam categories, or you might see an increase in falsely quarantined messages. If this happens, you might want to increase or decrease your own spam filter levels accordingly: increase sensitivity to catch more spam, or decrease levels to prevent false quarantines.

When to Use Content Manager Along With Blatant Spam Blocking

If you experience messages with undesirable content like profanity not being caught by your spam filters, you can add Content Manager filters to catch those messages.

If the objectionable content is limited to a few words and the other content does not score as spam, then the message would not trigger the spam filters. To stop these types of messages, you can create content filters that look for exactly the offending language you wish to prohibit.

Configure Spam Settings for an Organisation

You configure Blatant Spam Blocking (BSB), which deletes the most obvious spam, and Spam Disposition, which determines how spam messages are managed for a user organisation. You will enable spam filtering and set filter levels for the default user (the template used for an organisation).

Configure Blatant Spam Blocking

Blatant Spam Blocking (BSB) is an organisation-level setting on the Spam Filters page that detects and deletes the most obvious spam before it reaches your email server. This feature identifies more than half of all spam. Messages are either bounced or black holed (deleted) without reaching the intended recipient or any Quarantine.

Specifically, BSB calculates the message’s spam score. If the score is below 0.00001 (a perfectly valid message has a score of 100), the message is overwhelmingly deemed spam, and blocked.

Blatant Spam Blocking applies to all users in an organisation, but works only for users whose Filter Status is On.

The Reports page has statistics regarding how many messages are caught by Blatant Spam Blocking.

To configure Blatant Spam Blocking:

1. Go to the Organisation Management page for the relevant organisation.
2. Under Inbound Services, click Spam Filtering.
3. Under Blatant Spam Blocking, choose one of the following options.
• BSB Off: Disables this feature for the organisation.
• Bounce: Bounces obvious spam back to the sender with the error message “ERROR 571 Message refused.”
• Blackhole: Deletes obvious spam without sending a return error. From the sender’s perspective, the message has been accepted.

Note: Depending on your service package, Blatant Spam Blocking might always be set to a Blackhole disposition.

Enable BSB without Additional Filtering

Sometimes you might want to enable only Blatant Spam Blocking for an organisation, without any additional filtering.

1. Enable Blatant Spam Blocking for the organisation, with either the Bounce or Blackhole disposition.
2. Under Spam Disposition, select Message Header Tagging.
3. For the organisation’s Default User (and any existing users), make sure the Filter Status is On (go to Spam Filters on the user’s Overview page).

All obvious spam will be eliminated without reaching the data center or your server. Any remaining spam detected by the filters is tagged with a spam score written in the header, and then delivered to users.

Configure Null Sender Disposition

Null Sender Disposition is an organisation-level setting on the Spam Filters page that lets you choose how to dispose of messages that do not include an SMTP-envelope sender address.

To configure Null Sender Disposition, select one of the following options:

• Ignore: Let the message bypass this filter. Other filters still apply.
• User Quarantine: Send the message to the recipient’s quarantine.
• Blackhole: Delete the message.
• Bounce: Return the message to the sender. You can enter text to serve as the bounce message. If you enter text, it must begin with 4 or 5, followed by two digits, a space, and your text. This structure follows the format of SMTP reply codes. For example: 554 Transaction failed. If you leave this field blank, the following message is used: 571 Domain does not accept delivery report messages

Note: In order to deliver valid messages that do not include an SMTP-envelope sender address, like voicemail or vacation responders, use Content Manager to create a custom filter.

Configure Null Sender Header Tag Validation

Note: These options are available only if you have been provisioned with Outbound Services. If you configure Outbound Services for your mail server, then the system adds a digital signature to each of your outbound messages.

Null Sender Header Tag Validation is the process by which the system examines NDRs for the presence of an SMTP-envelope sender address and for the message security service’s digital signature.

While this filter is an aspect of spam filtering, it runs at the very beginning of the message filtering process to immediately dispose of messages like invalid NDRs.

Whether or not you have configured Outbound Services for your mail server, we recommend that you turn this filter on. When the filter is on and it catches a message, the system looks ahead to Content Manager to see whether it is configured to let messages bypass the junk filters and allow valid email that does not have an SMTP-envelope sender address. Under these circumstances, you can let valid messages pass through to their recipients’ inboxes.

If this filter is off, then the system does not look ahead to Content Manager, and you do not have the option to let valid null-sender-address messages pass through to their recipients’ inboxes.

To configure Null Sender Header Tag Validation, use the following options to turn Null Sender Header Tag Validation on or off, and to set the length of time during which the system can accept the digital signature:

• On/Off: Select On or Off to turn Null Sender Header Tag Validation on or off.
On: Any message that does not include an SMTP-envelope sender address, but does include the message security service’s digital signature, bypasses this filter. All other messages that do not include an SMTP-envelope sender address are disposed of according to your Null Sender Disposition settings, and according to how Content Manager is configured.
Off: Any message without an SMTP-envelope sender address is disposed of according to your Null Sender Disposition settings.
• Validate reports up to ___ hours after message delivery: Enter the number of hours that the digital signature is considered valid. After that number of hours, the signature expires, and messages with an expired signature are treated the same as messages with no signature.

Configure Spam Disposition for an Organisation

To determine what to do with filtered spam, you select a spam disposition. Do this at the organisation level, which sets the disposition for all users in that organisation.

To configure Spam Disposition:

1. Go to the Organisation Management page for the organisation.
2. Under Inbound Services, click Spam Filtering.
3. Choose the Spam Disposition:

• User Quarantine: Filtered spam for each user in the organisation is sent to a separate User Quarantine. Administrators can manage this Quarantine from the user’s Overview page. If Quarantine Summary is also enabled for the organisation (under Notifications), each user receives a periodic summary of recently quarantined messages. If User Access is enabled for the organisation as well, users can manage their own quarantined messages in the Message Center.

• Quarantine Redirect: Delivers all users’ filtered spam to a single administrator’s Quarantine—the one associated with the address entered here. Enter the primary address (not an alias) of a user who has been added to the message security service, has administrative privileges for this organisation, and is located under the same email config as this organisation. Select this option if you don’t want to sort quarantined spam by user, and if you don’t want users to manage their own spam. The administrator must review and deliver all users’ legitimate messages from the shared Quarantine—either from the administrator’s User Quarantine in the Administration Console or from the administrator’s Message Center. (The Administration Console can display 5,000 messages at once, Message Center can display an unlimited number of messages, and Message Center Classic can display 500 messages.) If Quarantine Summary is enabled for the organisation (under Notifications), this administrator receives a periodic summary of recently quarantined messages for the entire organisation. If you choose this disposition, make sure to disable User Access permissions to the Message Center for all users in the organisation.

WARNING: The administrator’s Quarantine should be checked regularly to forward any legitimate messages that were accidentally quarantined.

• Message Header Tagging: Sends filtered spam for this organisation to your email server with a spam score written in the header. The message can then be processed at a dedicated location on your server or on each user’s email client. No spam messages are filtered. For this disposition to be effective, you must set up rules on the receiving email server for processing spam based on its spam score.

WARNING: With this disposition, all spam for users in this organisation is delivered to your email server intact, along with “good” traffic. This is an advanced setting for administrators who want to create their own rules for filtering spam, or who don’t want to filter spam beyond what is caught by Blatant Spam Blocking. This setting is not otherwise recommended.
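The scoring flow from "How Spam Is Identified" above, together with the Message Header Tagging disposition and the receiving-server rule it requires, as an added example that is not the message security service's own code. The rules, their likelihoods, the combination formula, the Bulk Email scale, and the X-Spam-Score and X-Spam-Flag header names are constructed assumptions; only the two numbers the page gives (a perfectly valid message scores 100, Blatant Spam Blocking acts below 0.00001) come from the text.

```python
import re
from dataclasses import dataclass, field

VALID_SCORE = 100.0      # from the page: a perfectly valid message scores 100
BSB_THRESHOLD = 0.00001  # from the page: below this, Blatant Spam Blocking acts

BLOCKLISTED_DOMAINS = {"spam-example.invalid"}   # constructed, used by one rule below

# Constructed rules: (category, likelihood that the attribute indicates spam, predicate).
# The real service applies hundreds; five are enough to show the arithmetic.
RULES = [
    ("bulk", 0.60, lambda m: m["subject"].isupper() and len(m["subject"]) > 5),
    ("bulk", 0.50, lambda m: m["body"].lower().count("http://") >= 3),
    ("commercial", 0.90,
     lambda m: re.search(r"\b(guaranteed|winner|special offer)\b", m["body"], re.I) is not None),
    ("getrich", 0.95,
     lambda m: re.search(r"\b(get rich|double your money)\b", m["body"], re.I) is not None),
    ("bulk", 0.99999999,
     lambda m: m["sender"].split("@")[-1].lower() in BLOCKLISTED_DOMAINS),
]


def spam_score(msg):
    """Combine the triggered rules into one score. Constructed combination: each
    hit multiplies the validity score by (1 - likelihood), so one strong hit or
    several weak ones drive it towards 0. Returns (score, triggered categories)."""
    score, categories = VALID_SCORE, []
    for category, likelihood, predicate in RULES:
        if predicate(msg):
            score *= 1.0 - likelihood
            categories.append(category)
    return score, categories


@dataclass
class SpamSettings:
    approved_senders: set = field(default_factory=set)
    bulk_level: float = 5.0                   # scores below this are spam (constructed scale)
    category_multipliers: dict = field(default_factory=dict)   # category -> factor > 1
    bsb_disposition: str = "blackhole"        # "off", "bounce" or "blackhole"


def classify(msg, settings):
    """Apply the checks in the order the page gives: Blatant Spam Blocking first
    (approved senders exempt), then Approved Senders, the ADV: prefix, and last
    the Bulk Email level, tightened by any category filter the message triggered."""
    score, categories = spam_score(msg)
    approved = msg["sender"].lower() in settings.approved_senders
    if settings.bsb_disposition != "off" and score < BSB_THRESHOLD and not approved:
        return "bsb_" + settings.bsb_disposition, score
    if approved:
        return "valid", score
    if msg["subject"].startswith("ADV:"):
        return "spam", score
    threshold = settings.bulk_level
    for category in categories:
        # a category filter multiplies the Bulk Email level for its own category
        factor = settings.category_multipliers.get(category, 1.0)
        threshold = max(threshold, min(VALID_SCORE, settings.bulk_level * factor))
    return ("spam" if score < threshold else "valid"), score


def tag_headers(msg, settings):
    """Message Header Tagging disposition: nothing is held back; the score and
    verdict are written into the header instead (header names are constructed)."""
    verdict, score = classify(msg, settings)
    headers = dict(msg.get("headers", {}))
    headers["X-Spam-Score"] = f"{score:.5f}"
    headers["X-Spam-Flag"] = "NO" if verdict == "valid" else "YES"
    return headers


def route_on_mail_server(headers, junk_below=5.0):
    """The rule the page says the receiving server must supply itself: file the
    message as junk when it is flagged or its tagged score is below a cutoff."""
    score = float(headers.get("X-Spam-Score", VALID_SCORE))
    return "junk" if headers.get("X-Spam-Flag") == "YES" or score < junk_below else "inbox"


# Constructed sample messages.
CLEAN = {"sender": "alice@example.com", "subject": "Lunch on Friday?",
         "body": "Are you available at noon?"}
OFFER = {"sender": "deals@example.net", "subject": "Special offer",
         "body": "You are a guaranteed winner! Visit http://example.net"}
BLATANT = {"sender": "x@spam-example.invalid", "subject": "GET RICH NOW",
           "body": "Get rich quick! guaranteed winner http://a http://b http://c"}
```

OFFER scores 10 and passes a Bulk Email level of 5 until a category filter of 3 raises the threshold for its category to 15; BLATANT drops below 0.00001 and is handled by Blatant Spam Blocking unless its sender is approved.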

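Null Sender Disposition and Null Sender Header Tag Validation as described above, as an added example that is not the service's own code. The bounce-text rule (4 or 5, two digits, a space, text) and the default 571 text are the page's; the HMAC-SHA256 tag format, the signing key, the unix-time inputs and the return values are constructed assumptions, and the look-ahead to Content Manager is left out.

```python
import hashlib
import hmac
import re

SIGNING_KEY = b"constructed-demo-key"   # assumption: a per-deployment secret
DEFAULT_BOUNCE = "571 Domain does not accept delivery report messages"  # from the page
# Page rule: the text must begin with 4 or 5, then two digits, a space, then your text.
BOUNCE_TEXT_RE = re.compile(r"^[45]\d{2} \S.*$")
HOUR = 3600


def validate_bounce_text(text):
    """Return the bounce text to use: the entered text if it follows the SMTP
    reply-code format, the page's default if the field is blank; reject the rest."""
    if text is None or text.strip() == "":
        return DEFAULT_BOUNCE
    if not BOUNCE_TEXT_RE.match(text):
        raise ValueError("bounce text must start with a 4xx or 5xx code, a space and text")
    return text


def sign_outbound(sent_at_unix):
    """Tag an outbound message (constructed format: '<unix time>.<hmac-sha256 hex>').
    The real tag lives in the Received field; the page does not give its construction."""
    ts = str(int(sent_at_unix))
    mac = hmac.new(SIGNING_KEY, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def signature_is_valid(tag, now_unix, max_age_hours):
    """True only if the tag authenticates under our key and has not expired."""
    if not tag or "." not in tag:
        return False
    ts, mac = tag.split(".", 1)
    if not ts.isdigit():
        return False
    expected = hmac.new(SIGNING_KEY, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    return 0 <= now_unix - int(ts) <= max_age_hours * HOUR


def dispose_inbound(envelope_sender, received_tag, now_unix, *, tag_validation_on,
                    validate_hours, null_sender_disposition, bounce_text=""):
    """Decide what happens to an inbound message at the very start of filtering.
    Returns 'continue' (other filters still apply), 'user_quarantine',
    'blackhole', or ('bounce', text)."""
    if envelope_sender:
        return "continue"        # has an SMTP-envelope sender: not this filter's concern
    if tag_validation_on and signature_is_valid(received_tag, now_unix, validate_hours):
        return "continue"        # a report on our own outbound mail: bypass this filter
    if null_sender_disposition == "ignore":
        return "continue"
    if null_sender_disposition == "bounce":
        return ("bounce", validate_bounce_text(bounce_text))
    return null_sender_disposition   # "user_quarantine" or "blackhole"
```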

UNIT VIII
Web Application Security Configuration

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
8.1 Web Application Security Overview
8.2 Configuring Cisco Web Application Security Module
8.3 Configuring ModSecurity


LESSON PLAN

Row 1
Performance Outcomes: To be competent, you must be able to: PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines.
Ensuring Measures: Peer group, Faculty group and Industry experts.
Duration (Hrs): 2 hr in class presentations.
Work Environment / Lab Requirement: PCs/Tablets/Laptops; Projection facilities.

Row 2
Performance Outcomes: You need to know and understand: KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these; KB1. fundamentals of information security and how to apply these, including: networks, communication, application security.
Ensuring Measures: KA4, KA5: Peer group, Faculty group and Industry experts. KB1 - KB4: Research and Learning; Group and Faculty evaluation based on anticipated outcomes; Reward points to be allocated to groups.
Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline.
Work Environment / Lab Requirement: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security.


Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research various types of attacks and collect examples of each type of malware (virus, Trojan, worm, and so on). The group that gets the maximum number of correct examples will get a prize.

Activity 2:

Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.


Training Resource Material

8.1 Web Application Security Overview


The web application security feature enables the application appliance to act as an application firewall and provide web application security and intrusion protection.

Web application security is highly configurable, and can protect against the following kinds
of application attacks:

• identity theft

• SQL, OS, and LDAP command injection

• cross site scripting

• meta character and format string attacks

• buffer overflow

• form exploitation

• URL redirects and directory traversal

• error message exploitation

• cookie exploitation

• noncompliant HTTP

• web server fingerprinting


8.2 Configuring Cisco Web Application Security Module

You configure web application security through the management console GUI by using the menu commands under the Web Application Security folder that appears under the Cluster Configuration item under a cluster name.

To configure web application security, follow these basic steps:

1. Use the Traffic Class Maps command to define traffic class maps to classify web application traffic according to various parameters such as hostname, URL, cookie name and value, and so on. A traffic map specifies a set of traffic to which you want to apply a security policy.
2. Define web application security feature maps that configure security features. To define feature maps, select the individual features (URL Normalization, Cookie Protection, ID Theft Protection, Request Limits, Error/Redirect Pages, Web Cloaking, URL Tagging, Input Validation Checks, HTTP Protocol Conformance) under the Web Application Security folder.
3. Use the Policy Maps command to define policy maps that associate a traffic class with a set of security functions. A policy map defines a series of actions (functions) that you want to apply to a set of classified traffic.
4. Use the System Utilities Service Policy command to choose the active policy map.
5. Use the System Utilities Commit Config command to commit the configuration.
6. If you have a cluster of application appliance nodes, use the System Utilities Publish Configuration command to publish the configuration to all nodes in the cluster.

Map Summary Interface

Most of the features in the Web Application Security module use the term "map" for a set of options that configure the feature in a specific way. A map is named and stored, and then it can be viewed, cloned, edited, or deleted. Every feature that uses maps presents a summary list of those that are defined when you first click on the feature command name under the Web Application Security module, as shown in the Figure below. If there are no maps yet defined for the feature, then the summary says "No Maps Configured."

This section describes how to interact with a map summary screen.
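An added model of the configuration flow in the six steps above (traffic class maps classify requests, feature maps hold per-feature settings, a policy map binds a class to feature maps, and the active policy is applied), not Cisco AVS code. The match fields, the two feature checks modelled (Request Limits and HTTP Protocol Conformance), first-match-wins classification and the log record layout are constructed simplifications; only the feature names and the Current Log columns come from the page.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class TrafficClassMap:
    """Classifies requests by hostname, URL prefix and/or a cookie value
    (the page lists these as typical class-map parameters)."""
    name: str
    host: Optional[str] = None
    url_prefix: Optional[str] = None
    cookie: Optional[tuple] = None   # (name, value) that must be present

    def matches(self, req):
        if self.host and req["host"].lower() != self.host.lower():
            return False
        if self.url_prefix and not urlsplit(req["url"]).path.startswith(self.url_prefix):
            return False
        if self.cookie and req.get("cookies", {}).get(self.cookie[0]) != self.cookie[1]:
            return False
        return True


@dataclass
class FeatureMap:
    name: str
    feature: str      # "Request Limits" or "HTTP Protocol Conformance" in this model
    settings: dict


@dataclass
class PolicyMap:
    name: str
    bindings: list    # [(TrafficClassMap, [FeatureMap, ...])]


def check_feature(fm, req):
    """Run one feature map against a request; return a violation message or None.
    The checks themselves are constructed simplifications of the named features."""
    if fm.feature == "Request Limits":
        max_url = fm.settings.get("max_url_length", 2048)
        if len(req["url"]) > max_url:
            return f"URL length {len(req['url'])} exceeds limit {max_url}"
        if len(req.get("headers", {})) > fm.settings.get("max_headers", 64):
            return "too many request headers"
    elif fm.feature == "HTTP Protocol Conformance":
        allowed = fm.settings.get("allowed_methods", {"GET", "POST", "HEAD"})
        if req["method"] not in allowed:
            return f"method {req['method']} not allowed"
        if req.get("version") not in ("HTTP/1.0", "HTTP/1.1"):
            return f"unsupported version {req.get('version')}"
    return None


def apply_service_policy(policy, req, mode="inline"):
    """Classify the request with the active policy map, run the feature maps bound
    to the first matching class (assumption: first match wins) and return
    (action, log entries). Each entry carries the columns the page lists for the
    Current Log. In Monitor mode violations are logged but the request passes."""
    log = []
    for cls, feature_maps in policy.bindings:
        if not cls.matches(req):
            continue
        for fm in feature_maps:
            message = check_feature(fm, req)
            if message:
                log.append({"uri": req["url"], "feature": fm.feature,
                            "policy_map": policy.name, "traffic_class_map": cls.name,
                            "feature_map": fm.name, "message": message})
        break
    if log and mode != "monitor":
        return "block", log
    return "allow", log


# Constructed sample configuration: a tight class for the login page and a
# catch-all class, bound in the one policy map that the service policy activates.
LOGIN_CLASS = TrafficClassMap("login-traffic", host="www.example.com", url_prefix="/login")
ALL_CLASS = TrafficClassMap("all-web-traffic")
LIMITS = FeatureMap("tight-limits", "Request Limits", {"max_url_length": 64, "max_headers": 16})
CONFORM = FeatureMap("strict-http", "HTTP Protocol Conformance", {"allowed_methods": {"GET", "POST"}})
ACTIVE_POLICY = PolicyMap("default-policy", [(LOGIN_CLASS, [LIMITS, CONFORM]), (ALL_CLASS, [CONFORM])])
```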


Figure 5: Map Summary Example

The example in the Figure shows the map summary that is displayed when you click on the Request Limits command. Every other map summary looks similar and contains similar controls. The following paragraphs describe how to use the controls on a map summary page.

Each row in the summary lists one defined map. Using the controls on a summary row you can view, clone, edit, or delete the map.

To view the definition of a map, click its underlined name at the left end of the row. The displayed page shows a read-only listing of the map definition.

To copy a map to use as the basis of a new map, click the Clone button next to the map that you want to clone. AVS displays a map editing screen that is similar to the one shown when you are adding a new map, except that all the settings are copied from the map that you cloned.

To edit a map, click the Edit button in the summary. AVS displays a map editing screen where you can change the settings in the map.

To delete one or more maps, check the box in the Delete column for each map that you want to delete. Then click the Delete Maps button to delete the checked maps.

To add a new map, click the Add New Map button to display a map editing screen where you can define the map and give it a name. The sections throughout this chapter describe the unique map editing screens for each feature.

You can click the links in the blue bar at the top of the frame to go directly to the screens identified by name.

Global Configuration and Utilities

This section describes the following global configuration and utility items that appear under the Web Application Security folder in the left hand menu of the management console:

• System Utilities
• Traffic Class Maps
• Policy Maps
• Pattern Definitions

System Utilities

Various utilities let you manage web application security configuration, logging, and statistics.

Use the System Utilities command to display a page that contains links to the system utilities, as shown in the Figure below. To use a utility function, click on its link.


Figure 6: Utilities Page

The following sections describe the two groups of items listed on the System Utilities page:

• Display Utilities
• Configuration Utilities

Display Utilities

The utilities grouped under the Display Utilities heading let you display various information. The following items are included:

• Startup Configuration
• Running Configuration
• New Configuration
• System Stats
• Traffic Level Stats
• Policy Level Stats
• Current Log
• Saved Log
• Show Version
• Show Tech Support
• Default Config

Startup Configuration

The Startup Configuration link displays the default web application security configuration. This information is not relevant for users; it is for debugging only.

Running Configuration

The Running Configuration link displays the web application security configuration that is currently in effect. This information is not relevant for users; it is for debugging only.

New Configuration

The New Configuration link displays the web application security configuration that is being configured, but not yet committed. This information is not relevant for users; it is for debugging only.

System Stats

Click System Stats to display statistics related to the web application security operation and features, as shown in the Figure below.


Figure 7: System Statistics

The statistics are initially shown for the master node, which is the first AVS 3120 node that is added to the cluster in the management console. To show statistics for a different node, click on the link with the node name in the Nodes field at the top of the screen. You can click the links above the table to jump directly to the section of the table that shows statistics for the feature named in the link. For each item in the table, the statistic shows a number of bytes or the number of times the event has occurred.

Traffic Level Stats

Click Traffic Level Stats to display statistics organized by traffic classification map. The display looks similar to that shown in the Figure above, but a full set of statistics is listed for each traffic class map. Links to each of the traffic class maps appear across the top of the screen; click one to jump to the statistics for that map.

The statistics are initially shown for the master node, which is the first AVS 3120 node that is added to the cluster in the management console. To show statistics for a different node, click on the link with the node name in the Nodes field at the top of the screen.

Policy Level Stats

Click Policy Level Stats to display statistics organized by policy map. The display looks similar to that shown in the Figure above, but a full set of statistics is listed for each policy map. Links to each of the policy maps appear across the top of the screen; click one to jump to the statistics for that map.

The statistics are initially shown for the master node, which is the first AVS 3120 node that is added to the cluster in the management console. To show statistics for a different node, click on the link with the node name in the Nodes field at the top of the screen.


Current Log

Click Current Log to display the current web application security log, as shown in the following Figure. The content of the current log varies depending on your system configuration, as follows:

• If you have an AVS 3180 Management Station, then Current Log displays the log file of the master node (the first AVS 3120 node that was added to the cluster).
• If you do not have an AVS 3180 Management Station, then Current Log displays the log file of the current AVS 3120 node on which you are running the management console.

Figure 8: Current Log Display

You can scroll the log window to the right to see additional columns that include the URI, the feature responsible for the log entry, the policy map, traffic class map, feature map, and the log message. The policy map, traffic class map, and feature map names are hyperlinks, which when clicked will take you to a screen where you can edit the named map.

This page displays log entries from all web application security features by default. You can filter the displayed log items by feature by choosing the feature from the Filter By Feature drop-down list. Then click Refresh Saved Logs.

You can clear the current log file by using Clear Current Logs.

Saved Log

Click Saved Log to display the saved log, which looks similar to the Figure above. The saved log item works differently, depending on your system configuration, as follows:

• If you have an AVS 3180 Management Station, then Saved Log displays the aggregate log file of all AVS 3120 nodes that are part of the cluster in the management console. (In order to aggregate log files from all nodes in the cluster, you must configure all nodes to send log messages to the AVS 3180 Management Station.)
• If you do not have an AVS 3180 Management Station, then Saved Log displays nothing and is not useful.

The log filtering works the same as for Current Log.

Show Version

Click Show Version to display version information about the web application security software.

Show Tech Support

Click Show Tech Support to display information about the web application security software that can be helpful for technical support.

Default Config

Click Default Config to display a page that controls the defaults for various web application security features, as shown in the following Figure.

Figure 9: Default Configuration

This page lists the web application security features and pattern definitions that can have default configurations. A default configuration is the configuration that appears when you create a new map for a feature.


To view the default configuration for a feature or pattern definition, click the View link next to its name. To enable the feature or pattern definition to have a default configuration, check the Enable check box.

If you make any changes to this screen, click Apply Changes at the top to save your changes, or click another AVS command in the left hand menu to exit this screen without saving your changes.

You can change the default configuration for a feature or pattern definition by creating a new map for it, configuring the settings as needed, and clicking the Set As Default button. Creating a default in this way will automatically enable the default configuration if it is not already enabled.

Configuration Utilities

The utilities grouped under the Configuration Utilities heading let you manage the global web application security configuration and logging. The following items are included:

• System Settings
• Cluster Control
• Publish Configuration
• Service Policy
• Clear System Config
• Commit Config
• Force Commit
• Save Config
• Clear Config
• Clear System Stats
• Clear Traffic Stats
• Clear Policy Stats
• Log Server Config
• Clear Current Logs

System Settings

Click System Settings to display a page that controls overall web application security system operation, as shown in the Figure below.


Figure 10: System Settings

From the Mode of Operation drop-down list, choose one of the following operation modes for the web application security module:

• Inline—This mode is used for web application security only; no other AVS features can be used or should be configured, including destination mapping or SSL termination. In this mode, the application appliance acts like a transparent bridge, monitoring traffic on incoming port 3, checking security policies and taking action if necessary, then forwarding the traffic to the web servers on outgoing port 4. Ports 3 and 4 do not have IP addresses and so do not terminate TCP/IP connections. Port 1 is used for management console connectivity and port 2 is not used.
• Gateway—This mode is used when you want to operate other AVS features in addition to web application security. For this mode, you must configure at least destination mapping in the application appliance. In this mode, traffic enters and leaves the application appliance on port 1, which is also used for management console connectivity. The other three ports are not used. In gateway mode, SSL-encrypted HTTPS traffic that arrives at the application appliance is decrypted and forwarded to the web servers as unencrypted HTTP traffic if the web application firewall is in use. HTTPS traffic between the application appliance and the web servers is not supported unless the web application firewall is disabled.
• Monitor—This mode is used for monitoring traffic only; no other AVS features can be used or should be configured. No packets are modified by the web application security module; instead it only logs events that match security policies. You can use this mode of operation if you want to passively examine your web application traffic for possible security threats. Connect network traffic that you want to monitor to port 2 on the AVS 3120. For example, you can connect port 2 to the monitor port or Switched Port Analyzer (SPAN) port on a switch. Port 2 does not have an IP address and so does not terminate TCP/IP connections. Port 1 is used for management console connectivity and ports 3 and 4 are not used.

The port assignments for the various operating modes are summarized in the following Table.

Table 8: Port Assignments

Operating Mode   Port 1                               Port 2             Port 3                   Port 4
Inline           management console                   not used           incoming client traffic  outgoing server traffic
Gateway          management console and web traffic   not used           not used                 not used
Monitor          management console                   monitored traffic  not used                 not used

If you change operating modes, for example from inline to gateway mode, you must restart the web application security module. This is a major change that will likely also require you to reconfigure your network routing.

In all of the operation modes, the application appliance inspects traffic that is going to and coming from the web servers.

In the Software Auto Bypass drop-down list, choose Yes if you want to enable automatic bypass in inline mode. Automatic bypass causes the application appliance to bridge packets between the incoming and outgoing ports if the web application security module fails, which allows clients to continue to access the web servers without security checks. If you choose No and the web application security module fails, client requests will not be forwarded to the web servers.

In the Old Configuration Expires After field, enter the time in seconds to allow any HTTP sessions that are in progress to finish before changing configuration when a new configuration is committed. During this grace period, the old configuration still applies to active HTTP sessions. When this period of time expires, any HTTP sessions that are still in progress are closed and the new configuration is applied.

In the Servers to protect area, you must enter the IP addresses and ports of each web server that you want the web application security module to protect. Enter the IP address of a web server in the IP address field, check the Add box, and click Update Servers. Then you will see a Port field displayed under the IP address. Enter the port to protect, check the Add box next to the port, and click Update Servers. Repeat this procedure to add each port that you want to protect on the web server.


Repeat entering the IP address and ports of each web server that you want to protect. To delete a port or web server IP address, check the Delete check box next to the port or IP address and click Update Servers.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the utilities main page without saving your changes.

Cluster Control

Click Cluster Control to display a page that allows you to stop, start or restart the web application security firewall module on individual application appliance nodes, as shown in the following Figure.

Figure 11: Cluster Control

This screen shows the status (Running or Stopped) of the web application security firewall module for each node in the cluster.

You can run, stop, or restart the web application firewall module on the nodes in the cluster. Check the check boxes next to the nodes that you want to control, and then click Run, Stop, or Restart to perform that operation on the checked nodes. You can use the Include All Nodes and Exclude All Nodes buttons at the top to check or clear all check boxes.

If you want to control the status of both the Condenser and web application security firewall modules, you can use the Cluster Control command under the cluster name in the left hand menu.

Publish Configuration

Click Publish Configuration to display a page that allows you to publish a configuration to all nodes in a cluster, as shown in the Figure below.

Figure 12: Publish Configuration

In the Publish Configuration area of the form, click the Publish button to publish the running configuration of the master AVS 3120 node to all other nodes in the same cluster. If there are no other nodes in the cluster, the Publish button is not shown.

The master node is the first AVS 3120 node that is added to the cluster in the management console. If that node is removed, then the next added node becomes the master node, and so on. The master node is identified at the top of the Publish Configuration page.

To cancel the operation and go back to the System Utilities page, click Back.

Use the Publish button in situations where the master node is stable and one of the other nodes restarts or a new node is added to the cluster. All AVS 3120 nodes in a cluster must have the same web application security running configuration. If you are operating a cluster, you must publish the web application security configuration of the master node to all other nodes.

In the Synchronize Configuration area of the form, click the Sync button to publish the configuration that is saved on the management console to all nodes in the same cluster.

Use the Sync button in situations where the master node is restarted with a different configuration and you want to resynchronize it and all other nodes with the saved configuration that is stored in the management console.

To view the saved configuration that will be published to all nodes, click the View Last committed Configuration link.

Service Policy

Click Service Policy to display a page that allows you to choose the active policy map, as shown in the following Figure.

Figure 13: Service Policy

In the Select Policy Map drop-down list, choose the policy map that you want to be active. Then click Apply Changes at the top to save your changes, or click Discard Changes to discard your changes.

Only one policy map can be active at a time. The setting on this screen interacts with enabling a policy map on the policy map summary screen (Figure 17). Setting a policy to be enabled in that screen will cause it to be the selected service policy in this service policy screen.

Clear System Config

Click Clear System Config to clear the saved System Settings on the master AVS 3120 node. The master node is the first AVS 3120 node that is added to the cluster in the management console. You are asked in a confirmation dialog if you are sure that you want to clear the configuration. Click OK to clear or Cancel to cancel.

This command clears only the system settings, not the policy configuration. To clear the policy configuration, use Clear Config.

Commit Config

Configuration changes that you make to web application security policies must be committed before they take effect and are applied to web traffic. Before they are committed, they are stored temporarily by the management console but are not saved or applied to the AVS 3120 node where the web application security module operates.

Click Commit Config to commit the configuration changes to the master AVS 3120 node and to save them on the management console. The master node is the first AVS 3120 node that is added to the cluster in the management console. You are asked in a confirmation dialog if you are sure that you want to commit the configuration. Click OK to commit or Cancel to cancel.

If any HTTP sessions are in progress, they are given a grace period in which to finish before the new configuration takes effect. This grace period is configurable and is described in the "System Settings" section. During this period, you normally cannot commit a second new configuration. If you need to commit another configuration before this interval has passed, use Force Commit.

After committing a configuration, we recommend that you save the configuration on the master node by using Save Config. If you have a cluster of AVS 3120 nodes, you must also publish the configuration to all nodes in the cluster by using Publish Configuration. The application appliance does not support a cluster where the nodes have different web application security configurations.

Force Commit

Click Force Commit to immediately commit configuration changes, if you have recently committed another configuration and the grace period for that commit has not yet expired. See the previous section, Commit Config, for details.

You are asked in a confirmation dialog if you are sure that you want to force commit the configuration. Click OK to commit or Cancel to cancel.

After committing a configuration, we recommend that you save the configuration by using Save Config. If you have a cluster of AVS 3120 nodes, you must also publish the configuration to all nodes in the cluster by using Publish Configuration. The application appliance does not support a cluster where the nodes have different web application security configurations.

Save Config

Click Save Config to save the running configuration on the master AVS 3120 node so that it will be preserved across a reboot of that node. The master node is the first AVS 3120 node that is added to the cluster in the management console. You are asked in a confirmation dialog if you are sure that you want to save the configuration. Click OK to save or Cancel to cancel.

After committing a configuration by using Commit Config, we recommend that you save the configuration by using Save Config.

Clear Config

Click Clear Config to clear the saved policy configuration on the master AVS 3120 node. The master node is the first AVS 3120 node that is added to the cluster in the management console. You are asked in a confirmation dialog if you are sure that you want to clear the configuration. Click OK to clear or Cancel to cancel.

Clearing the configuration clears only the saved copy of the configuration on the master AVS 3120 node. It does not clear the running configuration, so the node will continue to operate with its running configuration. If it is rebooted, that configuration will be lost because it is no longer saved.

Clear System Stats

Resets the statistics accumulated and displayed by the System Stats command.

Clear Traffic Stats

Resets the statistics accumulated and displayed by the Traffic Level Stats command.

Clear Policy Stats

Resets the statistics accumulated and displayed by the Policy Level Stats command.

Log Server Config

The log server configuration page lets you configure remote logging for the web application security firewall. Web application security logs are separate from other AVS logs. Click the Log Server Config link to display the page shown in the Figure below, where you can configure remote syslog servers to which logs are sent by the web application security module.

Figure 14: Log Server Configuration

In the IP Address field, enter the IP address of a remote server to which AVS should send web application security logs. Check the Add check box and click Update IP Addresses to add the address to the list of remote log servers. Repeat these steps to add additional remote log servers. To delete a log server from the list, check the Delete check box next to it and click Update IP Addresses.

The servers that you specify must have the syslog facility running and configured to receive messages from the network.

If you are managing a cluster of AVS 3120 nodes with the AVS 3180 Management Station, you must configure the AVS 3180 as one of the remote log servers. This allows the management console to display aggregated logs from all nodes in the cluster. If you do not have an AVS 3180 Management Station, you may still want to enter the IP address of at least one remote log server where logs will be aggregated, though these will not be accessible through the management console interface.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to discard your changes.

Clear Current Logs

Clears the current log file. The current log file is different, depending on your configuration, as follows:

• If you have an AVS 3180 Management Station, then Clear Current Logs clears the log file of the first AVS 3120 node that is listed in the cluster in the management console.
• If you do not have an AVS 3180 Management Station, then Clear Current Logs clears the log file of the current AVS 3120 node on which you are running the management console.

To view the current log file, use Current Log.

Traffic Class Maps

Traffic mapping allows you to classify HTTP request and response traffic according to a set of definable criteria. You must define a traffic map to select a set of traffic before you can apply security features to the traffic in a policy map.

Use the Traffic Class Maps command to display a page that summarizes the traffic classification maps that are defined, as shown in the following Figure.

Figure 15: Traffic Map Summary

Each row in the summary lists one defined traffic map. From here you can view, clone, edit, or delete a traffic map, or add a new map.

To view the definition of a traffic map, click its underlined name. The displayed page shows a read-only listing of the definition.

The Match column lists the matching policy of the map.

To copy a map to use as the basis of a new map, click the Clone button for the traffic map that you want to copy.

To edit a traffic map, click the Edit button for the map that you want to edit. A form similar to that shown in the Figure below is displayed where you can edit the traffic map.

Figure 16: Edit New Traffic Classification Map

To delete one or more traffic maps, check the box in the Delete column for each map that you want to delete. Click Delete to delete the checked maps.

To add a new traffic map, use the Add Traffic Class area below the summary table. Give the map a name in the Map Name field. To determine how the criteria in this map are to be applied, choose one of the following radio buttons below this field:

• Match Any Criteria—This traffic map is applied if any one of the criteria is satisfied
• Match All Criteria—This traffic map is applied only if all of the criteria are satisfied

Then click the Add New Map button to create the traffic map. You are returned to the map summary page where you will see the new traffic map listed. To continue the process of defining the new map, click the Edit button for the map to display the screen shown in Figure 16 above. One criteria line has already been added to this traffic map.

You can add criteria lines that describe one or more characteristics of the traffic that you want to classify. From the Type drop-down list, select the traffic type: Request or Response. Next select the type of HTTP data that you want to examine for a match in the Match Criteria drop-down list.

The match criteria choices are listed in the following Table.

Table 9: Traffic Class Match Criteria

Type      Match Criteria           Description of Parameters
Request   cookie-name              Name of a request cookie
Request   cookie-name-value        Name and value of a request cookie
Request   cookie-value             Value of a request cookie
Request   host                     Value of the Host header
Request   method                   HTTP method used to make the request
Request   param-name               Name of a query parameter in the URL
Request   param-name-value         Name and value of a query parameter in the URL
Request   param-value              Value of a query parameter in the URL
Request   referer                  Value of the Referer header
Request   request-body             Value of the HTTP request body
Request   request-date             Value of the Date header
Request   request-header-name      Name of a request header
Request   request-header-value     Value of a request header
Request   request-version          HTTP version of the request
Request   url                      Value of the URL
Request   user-agent               Value of the User-Agent header
Response  content-encoding         Value of the Content-Encoding header
Response  content-location         Value of the Content-Location header
Response  content-type             Value of the Content-Type header
Response  reason-phrase            Value of the reason phrase
Response  response-body            Value of the HTTP response body
Response  response-date            Value of the Date header
Response  response-header-name     Name of a response header

Response  response-header-value    Value of a response header
Response  response-version         HTTP version of the response
Response  server                   Value of the Server header
Response  set-cookie-name          Name of a cookie being set
Response  set-cookie-name-value    Name and value of a cookie being set
Response  set-cookie-value         Value of a cookie being set
Response  status-code              Value of the status code
Response  transfer-encoding        Value of the Transfer-Encoding header

Next to the match criteria, in the Parameter1 and Parameter2 fields, enter the values that are the match criteria. Most match criteria items require only a single value, which you enter into the Parameter1 field. A few of the match criteria items require both a name and a value, such as a cookie name and value or a parameter name and value. Enter the name into the Parameter1 field and the value into the Parameter2 field. If the Parameter2 field is not needed, then it is not shown.

For example, if you choose host for the Match Criteria, then the Parameter1 value would be a host name such as www.cisco.com; the Parameter2 field is not used. If you choose param-name-value for the Match Criteria, then the Parameter1 value would be the name of a request parameter, and the Parameter2 value would be the value of the specified request parameter.

Regular expressions are allowed.

Click the check box in the Negate column if you want to match all traffic that does not meet the criteria. For example, if you check Negate and enter www.cisco.com for host, this criteria matches all requests where the host does not equal www.cisco.com.

Traffic maps that contain response criteria cannot be used to trigger a feature that is operating on a request. For example, if you have a traffic map that uses the content-type criteria (a response criteria), this traffic map cannot be used in a policy where it is associated with a request limits feature map.

Many features can apply to both requests and responses. Such a feature can be associated with a traffic map that contains response criteria only if it does not operate on request data. For example, if you have a traffic map that uses the set-cookie-name criteria (a response criteria), this traffic map can be used in a policy where it is associated with a cookie protection map, as long as the cookie protection map operates only on response cookies. If the cookie protection map includes any request cookie operations, then the policy is invalid.

When you are finished entering one criteria line, click the Update Parameters button to update the page and give you a new line on which to enter another criteria. To delete one or more criteria lines, click the Delete check box on each line that you want to delete and then click Update Parameters to delete all checked lines.

When you are finished with this form, click Apply Changes to save your changes, or click Discard Changes to return to the summary page without saving your changes.

Default Traffic Maps

The system defines some default traffic class maps that you can use in policy maps. The following default maps are defined:

• class-all—This traffic map includes all traffic, both requests and responses. Actions and features that are associated with class-all in a policy map are always executed.
• class-default-request—This traffic map includes all request traffic that does not match any of the user-defined classes. At the end of an HTTP request, if no user-defined classes have matched, the actions and features in the policy map that is associated with the class-default-request traffic map are executed. In a policy map, this traffic map can be associated with feature maps that operate only on request data. A policy map that contains the class-default-request traffic map cannot include other traffic maps that contain the request-body matching criteria (or negation of this criteria).
• class-default-response—This traffic map includes all response traffic that does not match any of the user-defined classes. At the end of an HTTP response, if no user-defined classes have matched, the actions and features in the policy map that is associated with the class-default-response traffic map are executed. This traffic map can be associated with feature maps that operate only on response data. A policy map that contains the class-default-response traffic map cannot include other traffic maps that contain the response-body matching criteria (or negation of this criteria).

You cannot edit or delete these default traffic maps. No security features are associated with these traffic maps by default. You must use the Policy Maps command to create a policy that associates features with them.

Policy Maps

A policy map allows you to implement specific web application security functions associated with a traffic class. First you must create a traffic class map and one or more application security feature maps, then you can create a policy map that applies the individual security functions to the traffic class. Here is a summary of the steps required to create a policy map:

1. Create one or more traffic class maps and one or more application security feature maps that you want to apply to the traffic classes.

2. Click the Policy Maps command and use the Add New Map button to name a new policy map.

3. In the policy map summary page, click the Edit button to add a traffic class to the policy map.

4. In the resulting page that lists traffic maps, click the Edit button next to the newly added traffic map to associate individual security feature maps with the traffic map.

The following sections describe the policy map GUI in detail.

Adding a New Policy Map

Use the Policy Maps command to display a page that summarizes the policy maps that are defined, as shown in Figure below.

Figure 17: Policy Map Summary

Each row in the summary lists one defined policy map. From here you can view, clone, edit, delete, or enable a policy map, or add a new map.

To view the definition of a policy map, click its underlined name. The displayed page shows a read-only listing of the definition.

The Associated Traffic Maps column lists the traffic class maps that are associated with a policy. If no traffic class maps are yet associated, it reads "No Maps Associated." The Match Criteria column lists the matching policy of the map.

To copy a map to use as the basis of a new map, click the Clone button for the map that you want to copy.

To edit a policy map and add traffic class maps, click the Edit button for the map that you want to edit. A form similar to that shown in the following Figure is displayed where you can edit the policy map.

To delete one or more policy maps, check the box in the Delete column for each map that you want to delete. Click Delete to delete the checked maps.

To enable a policy map (make it active), click the radio button in the Enable column for the map that you want to enable, then click the Enable button at the bottom of the column. You can only enable a policy map that has associated traffic class maps, and you can only enable one policy map at a time. This setting interacts with the policy map selected in the Service Policy screen of the System Utilities. Selecting a policy to be active in that screen will cause it to be displayed as enabled in this policy map summary screen.

To add a new policy map, use the Add Policy area below the summary table. Give the map a name in the Map Name field. Choose when to execute the policy by clicking one of the following radio buttons:

• First Match—Execute the policy only on the first traffic map that matches the traffic
• Match All—Execute the policy on all traffic maps that match the traffic

Then click Add New Policy Map to add the map to the summary. The new map is not

yet configured, and to do that, click the Edit button for the map.

When you choose First Match for the type of traffic map matching, it is important to understand the order in which AVS matches traffic maps. Traffic matching is driven by the order in which the traffic data arrives, which is: HTTP method, HTTP version, host, URL, cookie name, and cookie value. There can be multiple cookies and they can arrive in any order, so the value of one cookie could cause a match before the name of another cookie.

Say that you have a traffic map, url-class, that matches on a specific URL, and another traffic map, cookie-class, that matches on a cookie name. In an incoming request, the URL arrives before any cookies, so if the URL matches url-class, then this will cause a First Match policy to fire (if it uses this traffic map). The cookie-class might also match this request, but it is not invoked since the url-class already triggered its policy.

The order in which traffic maps are listed in the traffic maps list (see Figure below) is irrelevant and does not signify the order in which traffic maps are evaluated for a match.

Adding a Traffic Map to a Policy Map

To define a policy map and add traffic class maps, in the map summary table click the Edit button for the map that you want to edit. A form similar to that shown in the following Figure is displayed where you can edit the policy map.

Figure 18: Edit New Policy Map

When you first edit a new policy map, there are no traffic maps included in it. To begin defining a policy, choose a traffic map from the Traffic Map Name drop-down list. Then click the Add check box to put a check in it and click the Update List button to add the traffic map to the policy. For details on the predefined default traffic maps.

After the update, the screen looks like that shown in the following figure.
466
Trainer’s Handbook – Security Analyst SSC/ Q0903

Figure 19: Traffic Map Added to Policy Map

The newly added traffic map is shown in To view the policy for a traffic map, click
the first row under the Traffic Map Name its underlined name. The displayed page
heading. Each row summarizes one traffic shows a read-only listing of the policy
map that is part of this policy definition. definition.
The last row allows you to add a new To delete one or more traffic maps from
traffic map by selecting its name from the this policy definition, check the box in the
drop-down list of traffic maps, clicking the Delete column for each map that you
Add check box, and clicking the Update want to delete. Click Update List to delete
List button. the checked maps.
Using the controls in the summary row for To edit the policy for a traffic map, click
a traffic map, you can view the policy for the Edit button.
the map, delete it, or edit it.

Figure 20: Associating Features with a Traffic Class

When you are finished adding or editing click Discard Changes to return to the
traffic map policies, click Apply summary page without saving your
Changes to save your changes, or changes.
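To make the matching rules concrete, here is an added Python model (not Cisco AVS code) of the traffic class maps and policy maps described in the Traffic Class Maps and Policy Maps sections above: criteria lines with Parameter1/Parameter2, regular expressions and Negate, Match Any/Match All evaluation, and a First Match versus Match All policy decided by the arrival order of request data rather than by list order. The Request class, the placement of query-parameter criteria after the URL in the arrival order, and the sample maps are assumptions made for the demonstration.

```python
"""Added example (not Cisco AVS code): a small model of traffic class maps and
policy maps that mirrors the matching rules described in this section."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Arrival order of request data, as given under Policy Maps: method, version,
# host, URL, cookie name, cookie value. Placing query parameters after the
# URL is an assumption made for this example.
ARRIVAL_ORDER = ["method", "request-version", "host", "url", "cookie-name",
                 "cookie-name-value", "cookie-value", "param-name",
                 "param-name-value", "param-value"]

@dataclass
class Criterion:
    match: str            # Match Criteria name from Table 9
    param1: str           # Parameter1; regular expressions are allowed
    param2: str = ""      # Parameter2, used only by name-value criteria
    negate: bool = False  # Negate column

@dataclass
class TrafficMap:
    name: str
    match_any: bool       # True = Match Any Criteria, False = Match All Criteria
    criteria: List[Criterion]

@dataclass
class Request:
    """Constructed stand-in for a parsed HTTP request."""
    method: str
    version: str
    host: str
    url: str
    cookies: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)

def _full(pattern: str, value: str) -> bool:
    return re.fullmatch(pattern, value) is not None

def criterion_matches(c: Criterion, req: Request) -> bool:
    """Evaluate one criteria line against the request, honouring Negate."""
    kind = c.match
    if kind == "method":
        hit = _full(c.param1, req.method)
    elif kind == "request-version":
        hit = _full(c.param1, req.version)
    elif kind == "host":
        hit = _full(c.param1, req.host)
    elif kind == "url":
        hit = _full(c.param1, req.url)
    else:
        # Name/value criteria over request cookies or URL query parameters
        table = req.cookies if kind.startswith("cookie") else req.params
        if kind.endswith("-name-value"):
            hit = any(_full(c.param1, n) and _full(c.param2, v)
                      for n, v in table.items())
        elif kind.endswith("-name"):
            hit = any(_full(c.param1, n) for n in table)
        elif kind.endswith("-value"):
            hit = any(_full(c.param1, v) for v in table.values())
        else:
            raise ValueError(f"unsupported match criteria: {kind}")
    return not hit if c.negate else hit

def traffic_map_matches(tm: TrafficMap, req: Request) -> bool:
    results = [criterion_matches(c, req) for c in tm.criteria]
    return any(results) if tm.match_any else all(results)

def _match_position(tm: TrafficMap, req: Request) -> int:
    """Arrival-order position at which the map is known to match: a Match Any
    map at its earliest satisfied line, a Match All map at its latest line."""
    if tm.match_any:
        return min(ARRIVAL_ORDER.index(c.match) for c in tm.criteria
                   if criterion_matches(c, req))
    return max(ARRIVAL_ORDER.index(c.match) for c in tm.criteria)

def evaluate_policy(maps: List[TrafficMap], req: Request,
                    first_match: bool) -> List[str]:
    """Names of the traffic maps whose policy fires. The list order of the maps
    is irrelevant; under First Match only the arrival order decides."""
    hits = [tm for tm in maps if traffic_map_matches(tm, req)]
    if not first_match or not hits:
        return [tm.name for tm in hits]
    return [min(hits, key=lambda tm: _match_position(tm, req)).name]

# Constructed maps mirroring the url-class / cookie-class example in the text;
# cookie-class is listed first on purpose to show that list order is ignored.
COOKIE_CLASS = TrafficMap("cookie-class", True,
                          [Criterion("cookie-name", "sessionid")])
URL_CLASS = TrafficMap("url-class", True, [Criterion("url", r"/account/.*")])
NOT_CISCO = TrafficMap("not-cisco-host", True,
                       [Criterion("host", r"www\.cisco\.com", negate=True)])
POLICY = [COOKIE_CLASS, URL_CLASS, NOT_CISCO]
SAMPLE = Request("GET", "HTTP/1.1", "www.cisco.com", "/account/profile",
                 cookies={"sessionid": "abc123"})

if __name__ == "__main__":
    print(evaluate_policy(POLICY, SAMPLE, first_match=True))   # ['url-class']
    print(evaluate_policy(POLICY, SAMPLE, first_match=False))  # ['cookie-class', 'url-class']
```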

Associating Security Feature Maps with a Traffic Map

To edit the policy for a traffic map, click the Edit button in the summary. A form similar to that shown in the Figure above is displayed where you can edit the policy definition by choosing which security feature maps to apply to the traffic class.

On this screen, you choose which security features to apply to the traffic map shown in the Traffic Map Name field. You can choose a general response action and/or apply one or more feature maps to the traffic.

To apply a general response action, choose one of the following actions from the Response Action drop-down list:

• None—Take no action
• Reset client—Reset the client side of the connection
• Drop—Drop the connection silently
• Reset server client—Reset both the server and client sides of the connection
• Reset server—Reset the server side of the connection
• Error Page—Send an error page. Choose the error page to send from the next drop-down list to the right. You define such error pages by using the send page feature.

Click the Log check box to log the event.

To apply a feature map to the traffic, choose a feature from the Feature drop-down list and then, from the Map Name drop-down list, choose one of the feature maps that you have defined for that feature. Then click the Update List button to take you back to the screen shown in the Figure above. You can add multiple feature maps to be applied to this traffic map by editing the traffic map again and following the same procedure.

Traffic maps that contain response criteria cannot be used to trigger a feature that is operating on a request. For example, if you have a traffic map that uses the content-type criteria (a response criteria), this traffic map cannot be used in a policy where it is associated with a request limits feature map.

Many features can apply to both requests and responses. If such a feature operates only on response data and not on request data, then it can be associated with a traffic map that contains response criteria. For example, if you have a traffic map that uses the set-cookie-name criteria (a response criteria), this traffic map can be used in a policy where it is associated with a cookie protection map, as long as the cookie protection map operates only on response cookies. If the cookie protection map includes any request cookie operations, then the policy is invalid and will not be allowed.

The default traffic map class-default-request can be associated with feature maps that operate only on request data. A policy map that contains the class-default-request traffic map cannot include other traffic maps that contain the request-body matching criteria.

The default traffic map class-default-response can be associated with feature maps that operate only on response data. A policy map that contains the class-default-response traffic map cannot include other traffic maps that contain the response-body matching criteria.

To delete an associated feature map, check the Delete check box for the map and click Update List.

If you would rather cancel the changes that you made on this form, click the Discard Changes button.

The following features are available in the Feature drop-down list:

468
Trainer’s Handbook – Security Analyst SSC/ Q0903

• Cookie Protection—Protects against • IV-Format String Attacks—Validates


cookie tampering by using hashed that input does not contain disallowed
cookies and provides cookie privacy by formatting strings;
encrypting cookies; • IV-LDAP Injection—Validates that
• HTTP Protocol conformance-MIME input does not contain disallowed
Type Controls—Validates that the LDAP strings;
content's MIME type matches the • IV-Meta Character Detection—
MIME type specified in the HTTP Validates that input does not contain
Content-type header; This features disallowed meta characters;
operates only on responses.
• IV-SQL Injection—Validates that input
• HTTP Protocol conformance-Control does not contain disallowed SQL
HTTP Method—Filters traffic based on command strings;
the HTTP method;
• ID Theft Protection—Guards against
• HTTP Protocol conformance-Generic the unsolicited disclosure of social
Pattern Matcher—Filters traffic based security and credit card numbers in
on any user-definable criteria; HTTP responses to clients; This
• HTTP Protocol conformance-Header features operates only on responses.
Integrity Check—Checks headers for • Request Limits—Enforces boundary
integrity; length checking on all inputs received
• HTTP Protocol conformance-IM from the client;
Controls—Filters instant messenger • URL Normalization—Secures web
traffic; applications from attacks that use the
• HTTP Protocol conformance-P2P URL in HTTP requests, such as
Controls—Filters peer-to-peer file directory traversal;
sharing traffic; • URL Tagging—Adds information to
• HTTP Protocol conformance-Transfer request URLs that can be used by
Encoding—Filters traffic based on the other downstream devices such as
HTTP Transfer-Encoding header; load balancers or application servers;.
• HTTP Protocol conformance- • Web Cloaking—Hides identifying
Tunnelling Policies—Filters traffic that information about the web server and
is tunneled over HTTP, such as application;
ShoutCast, GoToMyPC and the like;
Pattern Definitions
• HTTP Protocol conformance-URL
Black Listing—Blocks access to specific Pattern definitions define regular
URLs; expression sets for matching strings used
by other web security features. For
• IV-OS Command Injection—Validates
example, the identity theft protection
that input does not contain disallowed
feature uses regular expressions that
command strings;
match social security numbers and credit
• IV-Cross Site Scripting—Validates that card numbers.
input does not contain a cross site Use the Pattern Definitions command to
scripting attack; display a page that summarizes the
pattern maps that are defined and to
view, delete, clone, edit or add new maps.

When you click the button to add a new map, AVS displays the screen shown in the Figure below.

Figure 21: Add Pattern Definition

Give the new regular expression set a name in the Pattern Definition Name field. In the Type drop-down list, select the type of regular expression set that you are defining, from the following choices:

• Social Security Number—Regular expressions that describe social security numbers
• Credit Card—Regular expressions that describe credit card numbers
• Custom—Custom regular expression
• Cross Site Scripting—Regular expressions that describe cross site scripting strings
• SQL Injection—Regular expressions that describe SQL command strings
• Command Injection—Regular expressions that describe command strings
• LDAP Injection—Regular expressions that describe LDAP strings
• Meta Character Detection—Regular expressions that describe meta characters
• Format String Attacks—Regular expressions that describe format strings

Select one or more regular expressions that you want to use from the Standard Regular Expressions list and add them to the Included Regular Expressions list on the right side of the page by clicking the right arrow (-->) button. The list of standard regular expressions changes depending on the type you choose. You can also add a custom regular expression by typing it into the Custom field and clicking the right arrow (-->) button next to that field. For details on the regular expression syntax that is allowed. If you enter a value into the Custom field, in the Size field you must also enter a maximum number of characters to search for this expression in the target data. Size must be greater than 0 for the custom expression

to be added to the Included Regular Expressions list.

You can remove a regular expression from the Included Regular Expressions list by selecting it and clicking the left arrow (<--) button.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.

Security Feature Configuration

This section describes the following security feature configuration items that appear under
the Web Application Security folder in the left hand menu of the Management Console:

• URL Normalization

• Cookie Protection

• ID Theft Protection

• Request Limits

• Error/Redirect Pages

• Web Cloaking

• URL Tagging

• HTTP Protocol Conformance

• Input Validation Checks

URL Normalization

The URL normalization feature lets you secure web applications from attacks that use the URL in HTTP requests, such as directory traversal.

To deobfuscate potential attacks, the application appliance first scans the URL in incoming requests and normalizes it by decoding all encoded characters. It can detect the following encoding schemes: escaped encoding, %U encoding, unicode encoding using UTF-8 (up to three bytes in length), and IP address encoding. Additionally, it can handle a combination of encoding schemes and double encoding of the same character.

Use the URL Normalization command to display a page that summarizes the URL normalization maps that are defined and to view, delete, clone, edit or add new maps. For details on using the summary page GUI.

When you click the button to add a new map, AVS displays the screen shown in the following Figure.
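The decoding passes described above, as an added example that is not part of the handbook or the AVS product: a Python normalizer that unwinds percent, %U and UTF-8 encodings over repeated passes (IP address encoding is left out) and reports the conditions that the URL Normalization map form below lists. The mapping of decoder events onto those condition names, and the reading of "/./" as forward traversal, are assumptions of this example.

```python
"""Added example, not AVS code: decode a request URL in repeated passes so
that double encoding and combined schemes are unwound, then report which of
the URL Normalization map conditions were observed on the way."""
import re

PERCENT_U = re.compile(r"%[uU]([0-9a-fA-F]{4})")   # %uXXXX, one UTF-16 code unit
PERCENT_RUN = re.compile(r"(?:%[0-9a-fA-F]{2})+")   # one or more adjacent %XX bytes


def _utf8_lenient(data, findings):
    """Decode a run of bytes as UTF-8 (up to three bytes per character, the
    limit the text gives). Overlong forms, which spend more bytes than a
    code point needs (%C0%AE for '.'), are decoded anyway so the traversal
    check still sees the result, and are reported. Bytes that fit no form
    are kept as single characters and reported as unsupported."""
    chars, i = [], 0
    while i < len(data):
        b = data[i]
        cont = [x & 0xC0 == 0x80 for x in data[i + 1:i + 3]]   # continuation bytes?
        if b < 0x80:
            n, cp = 1, b
        elif 0xC0 <= b < 0xE0 and cont[:1] == [True]:
            n, cp = 2, ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            findings.add("Unicode encoding")
            if cp < 0x80:
                findings.add("Overlong unicode encoding")
        elif 0xE0 <= b < 0xF0 and cont == [True, True]:
            n = 3
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            findings.add("Unicode encoding")
            if cp < 0x800:
                findings.add("Overlong unicode encoding")
        else:
            n, cp = 1, b
            findings.add("Unsupported encoding")
        chars.append(chr(cp))
        i += n
    return "".join(chars)


def decode_once(url, findings):
    """One decoding pass. Returns (decoded_url, whether anything was decoded)."""
    decoded = False
    if PERCENT_U.search(url):
        findings.add("Percent-U encoding")
        url = PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), url)
        decoded = True
    if PERCENT_RUN.search(url):
        findings.add("Escape encoding")
        url = PERCENT_RUN.sub(
            lambda m: _utf8_lenient(bytes.fromhex(m.group(0).replace("%", "")), findings),
            url)
        decoded = True
    return url, decoded


def normalize_url(url, max_passes=4):
    """Decode until a pass changes nothing (bounded by max_passes), then
    report conditions. Returns (normalized_url, sorted condition names)."""
    findings, passes = set(), 0
    while passes < max_passes:
        url, decoded = decode_once(url, findings)
        if not decoded:
            break
        passes += 1
    if passes:
        findings.add("Encoding")                       # any kind of encoding seen
    if passes > 1:
        findings.add("Multiple levels of encoding")    # e.g. %25 decoding to another %XX
    if {"Escape encoding", "Percent-U encoding"} <= findings:
        findings.add("Combination of encoding schemes")   # assumption: both schemes in one URL
    if "\x00" in url:
        findings.add("Null encoding")
    segments = url.split("?", 1)[0].replace("\\", "/").split("/")
    if ".." in segments:
        findings.add("Backward directory traversal")   # steps toward the parent directory
    if "." in segments:
        findings.add("Forward directory traversal")    # assumption: '/./' hops
    return url, sorted(findings)
```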

Figure 22: Add URL Normalization Map

Give the new map a name in the Map Name field. In the Normalize Case drop-down list, select True to normalize the case of URLs or False to ignore case.

The following part of the form lists a number of conditions that may indicate a possible attack and lets you determine what action to take if one of the following conditions is detected in a URL:

• Encoding—Any kind of character encoding

• Escape encoding—Escape character encoding

• Percent-U encoding—Percent-U character encoding

• Unicode encoding—Unicode character encoding

• Combination of encoding schemes—A combination of character encoding schemes

• Multiple levels of encoding—Multi-level character encoding

• Unsupported encoding—Unsupported character encoding

• Overlong unicode encoding—Overlong unicode character encoding

• Null encoding—Null character encoding

• Forward directory traversal—Forward directory traversal

• Backward directory traversal—Backward directory traversal

In the Action drop-down list for each item, choose one of the following actions to take if the condition occurs:

• None—Take no action

• Reset server—Reset the server side of the connection

• Reset client—Reset the client side of the connection

• Reset server and client—Reset both the server and client sides of the connection

• Drop—Drop the connection silently

• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error pages by using the send page feature.

• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define such redirection pages by using the redirect page feature.

For each item you can also click the Log check box to log the event.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.

Cookie Protection

Web applications store a variety of information in plain text cookies. The application appliance protects against cookie tampering by using hashed cookies and provides cookie privacy by encrypting cookies. The application appliance also supports adding and removing cookie attributes, and filtering cookies based on user configurable attributes such as HTTP-only cookies, maximum age, number of cookies, and others. The cookie protection features operate both on server cookies sent to clients in HTTP responses and on client cookies that are sent back to servers in HTTP requests.

Use the Cookie Protection command to display a page that summarizes the cookie protection maps that are defined and to view, delete, clone, edit or add new maps.

When you click the button to add a new map, AVS displays the screen shown in the following Figure.
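As an added example (not AVS code or handbook text) of the tamper-proofing described above: a keyed SHA-1 hash is attached to each cookie on the way to the client, and cookies coming back are classified into the Alien Cookie, Old Cookie, Tamper Proof Verification Fail and Client Cookie Range events of the map form that follows. The handbook states only that AVS hashes with SHA-1 and a 16- or 32-character key; the wire format (value, key version and hash joined by "|"), the use of HMAC and the per-event action assignments are this example's assumptions.

```python
"""Added example, not AVS code: tamper-proof cookies with a keyed SHA-1 hash
and classify inbound cookies into the Cookie Protection map's events."""
import hmac

ALGORITHM = "sha1"                 # the only hashing algorithm the text says AVS supports
KEY_CHARS = {128: 16, 256: 32}     # Tamper Proof Key Length (bits) -> required characters

# This example's choice of Action for each event (each is one of the form's
# Action values: Allow, Remove cookie, Drop, Reset).
ACTIONS = {
    "Alien Cookie": "Remove cookie",
    "Old Cookie": "Remove cookie",
    "Tamper Proof Verification Fail": "Drop",
    "Client Cookie Range not between": "Reset",
}


def _check_key(key, bits):
    """Enforce the form's rules: exact length for the chosen bit size, no spaces."""
    if bits not in KEY_CHARS or len(key) != KEY_CHARS[bits] or " " in key:
        raise ValueError(f"a {bits}-bit key must be exactly "
                         f"{KEY_CHARS.get(bits)} characters with no spaces")
    return key.encode()


class CookieProtector:
    """Holds the current Tamper Proof key and its version number."""

    def __init__(self, key, bits=128):
        self.version = 1
        self.key = _check_key(key, bits)

    def rotate(self, key, bits=128):
        """Install a new key. The old key is discarded, so cookies hashed
        under it can no longer be unhashed: they become Old Cookie events."""
        self.version += 1
        self.key = _check_key(key, bits)

    def _tag(self, name, value, version):
        msg = f"{name}={value}|{version}".encode()
        return hmac.new(self.key, msg, ALGORITHM).hexdigest()

    def protect(self, name, value):
        """Server-to-client direction: the 'Tamper proof all cookies' action."""
        return f"{value}|{self.version}|{self._tag(name, value, self.version)}"

    def verify(self, name, cookie):
        """Client-to-server direction. Returns (event, value); event is None
        for an intact cookie, otherwise one of the map form's event names."""
        parts = cookie.rsplit("|", 2)
        if len(parts) != 3 or not parts[1].isdigit():
            return "Alien Cookie", None          # not something this feature produced
        value, version, tag = parts[0], int(parts[1]), parts[2]
        if version != self.version:
            # an older key version cannot be unhashed; a version never issued is alien
            return ("Old Cookie" if version < self.version else "Alien Cookie"), None
        if not hmac.compare_digest(tag, self._tag(name, value, version)):
            return "Tamper Proof Verification Fail", None
        return None, value


def process_request_cookies(protector, cookies, client_range=(0, 10)):
    """Apply the map to one request's cookies ({name: raw value}).
    Returns (verdict, kept, events): verdict is Allow, Drop or Reset; kept
    holds the verified plain values; events lists what was observed."""
    low, high = client_range
    if not low <= len(cookies) <= high:
        event = "Client Cookie Range not between"
        return ACTIONS[event], {}, [event]
    kept, events = {}, []
    for name, raw in cookies.items():
        event, value = protector.verify(name, raw)
        if event is None:
            kept[name] = value
            continue
        events.append(event)
        if ACTIONS[event] in ("Drop", "Reset"):
            return ACTIONS[event], {}, events    # whole connection is affected
        # 'Remove cookie': strip only the offending cookie and carry on
    return "Allow", kept, events
```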

Figure 23: Add Cookie Protection Map

Give the new map a name in the Map Name field.

The next three Tamper Proof fields set the key and algorithm used for hashing cookies. In the Tamper Proof Key Length drop-down list, choose the key length in bits that you want to use. In the Tamper Proof Key field, enter a key of the chosen length. You must enter 16 characters for a 128-bit key or 32 characters for a 256-bit key. Spaces are not allowed in keys. In the Tamper Proof Algorithm drop-down list, choose the hashing algorithm to use. Currently, AVS supports only SHA-1.

The next three Encrypt fields set the key and algorithm used for encrypting cookies. In the Encrypt Key Length drop-down list, choose the key length in bits that you want to use. In the Encrypt Key field, enter a key of the chosen length. You must enter 16 characters for a 128-bit key or 32 characters for a 256-bit key. Spaces are not allowed in keys. In the Encrypt Algorithm drop-down list, choose the encryption algorithm to use. Currently, AVS supports only AES.

In the Process Response Cookies drop-down list, choose the cookie protection actions to take on all response cookies (cookies sent from the server to the client). The following actions are defined:

• Allow individual cookie processing—Allow response rule map processing whereby you can enable encryption and/or tamper proofing on selected cookies, based on cookie/attribute names and values

• Encrypt all cookies—Encrypt all cookies

• Tamper proof all cookies—Hash all cookies to prevent tampering

• Encrypt and tamper proof all cookies—Encrypt and hash all cookies

The next part of the form lists a number of cookie problems and lets you determine what action to take if one of the following events occurs:

• Alien Cookie—A cookie is observed that is not one processed by the AVS cookie protection feature

• Old Cookie—A cookie sent from the client uses an old version of the hash or encryption key. In this case, the cookie cannot be unhashed or decrypted.

• Encrypt Fail—Cookie decryption failed

• Tamper Proof Verification Fail—Verification that the cookie was not tampered with failed, so this may indicate possible cookie tampering

• Server Cookie Range not between—The number of server cookies is not within the specified range. Enter a range of integers, with the smaller number in the first field and the larger number in the second field.

• Client Cookie Range not between—The number of client cookies is not within the specified range. Enter a range of integers, with the smaller number in the first field and the larger number in the second field.

In the Action drop-down list for each item, choose one of the following actions to take if the event occurs:

• Allow—Allow the request unchanged

• Remove cookie—Remove the cookie that triggered the event

• Drop—Drop the connection silently

• Reset—Reset the connection

• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error pages by using the send page feature.

• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define such redirection pages by using the redirect page feature.

For each item you can also click the Log check box to log the event.

By using the next parts of the form, you can add rule-based processing to cookies that is based on their values and attributes. These next form parts are described in the following sections:

• Response Attribute Rule Maps

• Response Rule Maps

• Request Rule Maps

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.

Response Attribute Rule Maps

In the Response Attribute Rule Maps section, you can define operations to set, insert, or remove specific cookie attributes from response cookies (cookies sent from the server to the client). You can delete one or more operations by clicking the Delete check box next to each operation that you want to delete and then clicking the Delete button.

To add a new attribute operation, click the Add New button to open the window shown in the following Figure.

Figure 24: Add Attribute Operation

From the Operation drop-down list, select the type of operation you want to perform, as follows:

• Insert—Insert an attribute with the specified name and value. If the attribute already exists, its value is replaced with the specified value.

• Remove—Remove the attribute with the specified name and value. If the attribute exists but the value is different from the specified value, it is not removed.

• Set—Set an existing attribute with the specified name to the specified value. If the attribute does not exist, it is not added. To insert a new attribute, use Insert.

Enter the attribute name in the Attribute Name field and its value in the Attribute Value field. When you are finished, click Create to add the operation or Close Window to cancel the operation.

When you add a new operation, it will be listed in the Response Attribute Rule Maps section of the cookie protection map form.

Response Rule Maps

In the Response Rule Maps section, you can define rule maps for response cookies (cookies sent from the server to the client). In a response rule map, you can specify the cookies to which to apply encryption and/or tamper proofing actions. This response rule map processing applies only if the Process Response Cookies element is set to Allow individual cookie processing in the cookie protection map.

If there are already rule maps listed here, you can view them by clicking on the underlined identifier in the RuleMaps column. You can edit a rule map by clicking the Edit button next to the map name. You can delete one or more rule maps by clicking the Delete check box next to each rule map that you want to delete and then clicking the Delete button.

To add a new rule map, click the Add New button to open the window shown in the Figure below.

Figure 25: Add Response Rule Map

Enter a unique name for the rule map in the Rule Map Name field. You can specify a numeric priority (from 1 to 65535) in the Numeric Priority field, which is used to order the rule maps. Rule maps are applied to cookies in descending order of priority (highest number priority first). If the criteria in the next priority rule map do not match the cookie, then the rule map with the next highest priority that matches is applied.

Identify the cookie to which this rule map is to be applied by name and/or value in the Cookie Name and Cookie Value fields. You can use regular expressions in these fields.

You can also identify cookies by attribute name and/or value by specifying one or more regular expressions in the Attribute Name and Attribute Value fields. If you specify more than one name/value pair, all specified attributes must be present in order for this rule to match a cookie.

In the Action drop-down list, select the action to apply to matched cookies, as follows:

• Encrypt—Encrypt all cookies

• Tamper proof—Hash all cookies to prevent tampering

• Encrypt and tamper proof—Encrypt and hash all cookies

If you want to log the event, click the Log check box next to the Action field.

When you are finished, click Create to add the rule map or Close Window to cancel the operation.

Request Rule Maps

In the Request Rule Maps section, you can define rule maps for request cookies (cookies sent from the client to the server). In a request rule map, you can specify cookies to drop or to cause a connection reset.

Request rule map processing occurs regardless of the setting of the Process Response Cookies drop-down list, but operates only on request cookies that were initially processed by the cookie protection feature in the server to client direction. Any cookies that do not meet this criterion are implicitly allowed, though they are processed by other cookie protection features and may be removed as a result of that processing.

If there are already rule maps listed here, you can view them by clicking on the underlined identifier in the RuleMaps column. You can edit a rule map by clicking the Edit button next to the map name. You can delete one or more rule maps by clicking the Delete check box next to each rule map that you want to delete and then clicking the Delete button.

To add a new rule map, click the Add New button to open the window shown in the following figure.

Figure 26: Add Request Rule Map

Enter a unique name for the rule map in the Rule Map Name field. You can specify a numeric priority (from 1 to 65535) in the Numeric Priority field, which is used to order the rule maps. Rule maps are applied to cookies in descending order of priority (highest number priority first). If the criteria in the next priority rule map do not match the cookie, then the rule map with the next highest priority that matches is applied.

Identify the cookie to which this rule map is to be applied by name and/or value in the Cookie Name and Cookie Value fields. You can use regular expressions in these fields.

In the Action drop-down list, select the action to apply to matched cookies, as follows:

• Drop—Drop the connection silently

• Reset—Reset the connection

If you want to log the event, click the Log check box next to the Action field.

When you are finished, click Create to add the rule map or Close Window to cancel the operation.

ID Theft Protection

Identity theft protection guards against the unsolicited disclosure of social security and credit card numbers in HTTP responses to clients. The web application firewall searches for numbers that resemble social security or credit card numbers and performs a configurable action when it finds them.

Use the ID Theft Protection command to display a page that summarizes the identity protection maps that are defined and to view, delete, clone, edit or add new maps. For details on using the summary page GUI.

When you click the button to add a new map, AVS displays the screen shown in the following figure.
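An added example (not from the handbook or AVS) of the search described above and of the Blank out action that the identity theft map form below provides, in Python. The two regular expressions, the Luhn filter on card-number candidates and the sample response text are constructed for this example; the handbook does not list AVS's standard pattern sets.

```python
"""Added example, not AVS code: scan a response body against SSN and Credit
Card pattern sets and apply the map's action, Blank out replacing each digit
of a matching string with an "x"."""
import re

# Constructed pattern sets, keyed by the map form's control names.
PATTERN_SETS = {
    "SSN": [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")],
    # 16 digits with optional single spaces or hyphens between them
    "Credit Card": [re.compile(r"\b(?:\d[ -]?){15}\d\b")],
}


def luhn_ok(text):
    """Mod-10 check used by card issuers; filters out 16-digit strings
    (order numbers, timestamps) that merely look like card numbers."""
    digits = [int(c) for c in text if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_response(body, id_map):
    """Apply an identity theft map to a response body.
    id_map maps a set name to (action, log_flag); action is one of the
    form's choices: None, Reset server, Reset client, Reset server client or
    Blank out. Returns (body, verdict, log); verdict is 'Forward' unless a
    Reset action fired, in which case scanning stops there."""
    log = []
    for set_name, (action, want_log) in id_map.items():
        hits = []

        def handle(m, set_name=set_name, action=action, hits=hits):
            text = m.group()
            if set_name == "Credit Card" and not luhn_ok(text):
                return text                   # looks like a card number but is not one
            hits.append(m.start())
            return re.sub(r"\d", "x", text) if action == "Blank out" else text

        for pattern in PATTERN_SETS[set_name]:
            body = pattern.sub(handle, body)
        if hits and want_log:
            log.append(f"{set_name}: {len(hits)} match(es) at {hits}, action {action}")
        if hits and action.startswith("Reset"):
            return body, action, log
    return body, "Forward", log


# Constructed response fragment: an SSN-shaped number, the well-known
# Luhn-valid test card number, and a 16-digit order number to leave alone.
SAMPLE_BODY = ("Account 123-45-6789 paid with 4111 1111 1111 1111; "
               "order reference 1234 5678 9012 3456.")

# Constructed map: blank out both types and log each hit.
ID_THEFT_MAP = {"SSN": ("Blank out", True), "Credit Card": ("Blank out", True)}
```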

Figure 27: Add Identity Theft Map

Give the new map a name in the Map Name field.

You can protect social security numbers, credit card numbers, and custom types of numbers by using the SSN, Credit Card, and Custom controls. In the SSN drop-down list, choose one of the defined SSN regular expression sets. In the Credit Card drop-down list, choose one of the defined credit card number regular expression sets. In the Custom drop-down list, choose one of the defined custom regular expression sets. These regular expression sets are defined by using the Pattern Definitions command.

In the Action drop-down lists that are to the right of the other fields, choose the action to perform when the firewall finds a number that matches one of these sets of regular expressions. The following actions are defined:

• None—Take no action

• Reset server—Reset the server side of the connection

• Reset client—Reset the client side of the connection

• Reset server client—Reset both the server and client sides of the connection

• Blank out—Substitute an "x" character for each number in the string that matches the regular expression. This action is not available for Custom expressions.

If you want to log the event, click the Log check box next to the Action field.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.

Request Limits

Many web sites use user-supplied input to create dynamic web pages. Improper validation of inputs such as the URL, the URL query string, and HTTP headers can lead to buffer overflow attacks. A buffer overflow attack occurs when a program writes data beyond its allocated space. These attacks can cause denial of service by crashing the server and/or injecting malicious code to alter program execution. Execution of the malicious code facilitates exploit of downstream resources. Such attacks can be prevented by enforcing boundary length checking on all inputs received from the client.

Use the Request Limits command to display a page that summarizes the request limit maps that are defined and to view, delete, clone, edit or add new maps. For details on using the summary page GUI.

When you click the button to add a new map, AVS displays the screen shown in the following figure.
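An added example (not from the handbook or AVS) of the boundary length checking described above, applied to the limits that the Request Limits map form below defines: URI, query and URI+query lengths, the default single-header length, the number of headers and per-header Advanced Checks. The map dictionary, its key names and the sample requests are constructed for this example.

```python
"""Added example, not AVS code: check the head of an HTTP request against
the limits of a Request Limits map and return the action to take."""

# Constructed map. Lengths are in bytes, as the form specifies; the action
# strings are the form's own choices.
REQUEST_LIMIT_MAP = {
    "URI Length": 256,
    "Query Length": 128,
    "URI+Query Length": 384,
    "url_action": "Reset client",
    "Default Header Length": 1024,
    "header_length_action": "Drop",
    "Number of Headers": 20,
    "header_count_action": "Drop",
    "advanced": {"cookie": 512, "user-agent": 256},   # header name -> max value length
    "advanced_action": "[SEND-PAGE] too-long",
}


def parse_request_head(raw):
    """Split a request head (text up to the blank line) into its request
    target and a list of (lower-cased name, value) header pairs."""
    lines = raw.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if line == "":
            break                                   # end of the head
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return target, headers


def check_request_limits(raw, limits):
    """Evaluate every limit and return (action, events). The action is the
    one attached to the first limit that was exceeded, or 'None' when the
    request may be forwarded; events lists every (check, action) pair that
    fired so that all of them can be logged."""
    target, headers = parse_request_head(raw)
    uri, _, query = target.partition("?")
    events = []
    # URL length checks: URI without query, query alone, and the full target
    for check, text in (("URI Length", uri), ("Query Length", query),
                        ("URI+Query Length", target)):
        if len(text.encode()) > limits[check]:
            events.append((check, limits["url_action"]))
    if len(headers) > limits["Number of Headers"]:
        events.append(("Number of Headers", limits["header_count_action"]))
    for name, value in headers:
        if len(value.encode()) > limits["Default Header Length"]:
            events.append((f"Default Header Length: {name}", limits["header_length_action"]))
        cap = limits["advanced"].get(name)          # Advanced Checks for this header?
        if cap is not None and len(value.encode()) > cap:
            events.append((f"Advanced Check: {name}", limits["advanced_action"]))
    for _check, action in events:
        if action != "None":
            return action, events
    return "None", events


# Constructed requests: within limits, oversized query string, oversized
# User-Agent value, and too many headers.
OK_REQUEST = "GET /search?q=avs HTTP/1.1\r\nHost: app.example\r\nUser-Agent: test\r\n\r\n"
LONG_QUERY = "GET /search?q=" + "A" * 200 + " HTTP/1.1\r\nHost: app.example\r\n\r\n"
LONG_UA = "GET / HTTP/1.1\r\nHost: app.example\r\nUser-Agent: " + "B" * 300 + "\r\n\r\n"
MANY_HEADERS = "GET / HTTP/1.1\r\n" + "".join(f"X-Hdr-{i}: v\r\n" for i in range(25)) + "\r\n"
```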

Figure 28: Add Request Limit Check Map

Give the new map a name in the Map Name field.

In the URL length checks area you can enter the maximum lengths, in bytes, for various parts of the URL, as follows:

• URI Length—Maximum length of the URI not including the query portion

• Query Length—Maximum length of the query portion of the URI

• URI+Query Length—Maximum length of the full URI including the query portion

In the Action drop-down list, choose the action to apply if one of the above lengths is exceeded. Actions include these:

• None—Take no action

• Drop—Drop the connection silently

• Reset client—Reset the client side of the connection

• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error pages by using the send page feature.

• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define such redirection pages by using the redirect page feature.

If you want to log the event when a URL length parameter is exceeded, click the Log check box next to the Action drop-down list.

To limit header length, in the Default Header Length field you can enter the maximum length allowed for any single HTTP header. In the Action drop-down list, choose the action to apply if any header exceeds this limit. The actions are the same as those for the URL length settings. If you want to log the event when a header length limit is exceeded, click the Log check box below the Action drop-down list.

To limit the number of headers, in the Number of Headers field you can enter the maximum number of HTTP headers allowed. In the Action drop-down list, choose the action to apply if the number of headers exceeds this limit. The actions are the same as those for the URL length settings. If you want to log the event when the header limit is exceeded, click the Log check box next to the Action drop-down list.

In the Advanced Checks area, you can check if a particular header value exceeds a length limit. Choose the header to check from the Parameter Name drop-down list. If the header you want to check is not listed, select custom and enter the header name in the field below the drop-down list. Enter the maximum length of the header's value in the Parameter Value field. Then check the Add check box and click Update Parameters to add this header value check to the map. You can repeat this procedure to add more header value checks to the map. In the Action drop-down list, choose the action to apply if any of the header values exceeds the specified limits. The actions are the same as those for the URL length settings. If you want to log the event when a header value length limit is exceeded, click the Log check box next to the Action drop-down list.

To delete a header value length check, click the Delete check box next to the header check that you want to delete and then click Update Parameters.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.

Error/Redirect Pages

Error obfuscation makes it more difficult for hackers to discover identifying information about the web server and application by masking or mapping error messages that might normally be returned to the user. Many security vulnerabilities are dependent on specific software versions and hiding this information can increase the security of the system.

AVS implements the following techniques for error obfuscation:

• Mapping errors by sending custom configured error pages to clients

• Masking errors by redirecting the client when an error occurs

Error obfuscation can be triggered as the action to perform when one of the following web application security features encounters an error: URL Normalization, Cookie Protection, Request Limits, Input Validation Checks, and HTTP Protocol Conformance.

Use the Error/Redirect Pages command to configure this feature. Click this command to display a page that summarizes the error obfuscation maps that you have configured, as shown in the following figure.

Figure 29: Error Obfuscation Map Summary

Each of the four summary sections of the page lists the maps configured for a sub-feature of error obfuscation. Each defined map is summarized on one line. From here you can view, clone, edit, or delete a map, or add a new map.

To view the definition of a map, click its underlined name. The displayed page shows a read-only listing of the definition.

To copy a map to use as the basis of a new map, click the Clone button next to the map that you want to clone.

To edit a map, click the Edit button in the summary. A form similar to that shown when adding a map is displayed where you can edit the map.

To delete one or more maps, check the box in the Delete column for the map. Click Delete Maps to delete the checked maps.

To add a new map or template, click the Add New Map or Add New Template button for the item that you want to add.

Send Page Configuration

Before you can configure a send page map you must first define a send page header template, which is a template of HTTP headers that can be sent on error pages.

To define a send page header template, on the summary page, click on the Add New Template button to display the form shown in the following figure.

Figure 30: Add Send Page Header Template

Give the template a name in the Template Name field.

Add one or more headers to the template by choosing a header name from the Header Name drop-down list. If you want to add a header that is not in the list, choose Custom and enter the name of the header in the field below the list. Enter the value of the header in the Header Value field next to the name. Then click the Add check box and click the Update Headers button to add the header to the template. You can add multiple headers by following the same procedure for each one.

To delete a header from the template, click the Delete check box next to it and click the Update Headers button.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.

After at least one send page header template is defined, you can define a send page map, which defines the error page that you want to send to the client. Click the Add New Map button on the summary page to display the form shown in the following figure.

Figure 31: Add Send Page Map

Give the error page map a name in the Map Name field.

You can define two different sets of error codes, error phrases, and header templates that are to be sent in response to HTTP requests that use HTTP versions 1.0 and 1.1. If you want to define an error page that is to be sent in response to HTTP version 1.0 requests, check the HTTP Version 1.0 check box and complete the fields on that line. To send this error page in response to HTTP version 1.1 requests, check the HTTP Version 1.1 check box and complete the fields on that line. To respond to both versions of HTTP requests, check both check boxes. This error page is sent only if the HTTP version setting matches the HTTP version of the request.

In the Error Code drop-down list, choose the error code that this error page should show to the client. In the Error Phrase field, enter the phrase that should be used to describe this error. By default, the Error Phrase field initially shows the standard error phrase that corresponds to the selected error code, but you can change it.

In the Header Template drop-down list, select the name of the send page header template map that you want to use for this error page. If no header templates are defined, only --Select-- is shown in this list, and you must define a send page header template before you can define a send page map. Go back to the summary page and use the Add New Template button to define a header template.

In the Include Date Header drop-down list, select Yes or No to include a date header or not in the error page.

In the HTTP Body field, enter the HTML for the body of the error page.

In the Content Type drop-down list, select the MIME type of the page content: either text/plain or text/html.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.

Redirect Page Configuration

Before you can configure a redirect page map, you must first define a redirect page header template, which is a template of HTTP headers that can be sent on redirect pages. To define a redirect page header template, on the summary page, click on the Add New Template button to display the form shown in the following figure.

Figure 32: Add Redirect Page Header Template

Give the template a name in the Template Name field.

Add one or more headers to the template by choosing a header name from the Header Name drop-down list. If you want to add a header that is not in the list, choose Custom and enter the name of the header in the field below the list. Enter the value of the header in the Header Value field next to the name. Then click the Add New check box and click the Update Headers button to add the header to the template. You can add multiple headers by following the same procedure for each one.

To delete a header from the template, click the Delete check box next to it and click the Update Headers button.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.

After at least one redirect page header template is defined, you can define a redirect page map, which defines the redirect page that you want to send to the client. Click the Add New Map button on the summary page to display the form shown in the following figure.

Figure 33: Add Redirect Page Map

Give the redirect page map a name in the templates are defined, only --Select-- is
Map Name field. shown in this list, and you must define a
You can define two different sets of error redirect page header template before you
codes, error phrases, and header can define a send page map. Go back to
templates that are to be sent in response the summary page and use the Add New
to HTTP requests that use HTTP versions Template button to define a header
1.0 and 1.1. If you want to define a template.
redirect page that is to be sent in In the Location Header field, enter the
response to HTTP version 1.0 requests, absolute URI of the location to which the
check the HTTP Version 1.0 check box and client should be redirected.
complete the fields on that line. To send In the Include Date Header drop-down
this redirect page in response to HTTP list, select Yes or No to include a date
version 1.1 requests, check the HTTP header or not in the redirect page.
Version 1.1 check box and complete the
fields on that line. To respond to both In the HTTP Body field, enter the HTML for
versions of HTTP requests, check both the body of the redirect page.
check boxes. This redirect page is sent In the Content Type drop-down list, select
only if the HTTP version setting matches the MIME type of the page content: either
the HTTP version of the request. text/plain or text/html.
In the Error Code drop-down list, choose When you are finished with this form,
the error code that this error page should click Apply Changes at the top to save
show to the client. In the Error Phrase your changes, or click Discard Changes to
field, enter the phrase that should be return to the summary page without
used to describe this error. By default, the saving your changes. If you want to use
Error Phrase field initially shows the the settings on this form as the default for
standard error phrase that corresponds to new maps of this type, click Set As
the selected error code, but you can Default.
change it.
Web Cloaking
In the Header Template drop-down list,
select the name of the redirect page Web cloaking makes it more difficult for
header template map that you want to hackers to discover identifying
use for this redirect page. If no header information about the web server and

486
Trainer’s Handbook – Security Analyst SSC/ Q0903

application. Many security vulnerabilities the sequence of header fields in the


are dependent on specific software response)
versions and hiding this information can • Changing the case of header names
increase the security of the system. (web servers can be fingerprinted
AVS focuses on the HTTP response based on the capitalization of header
headers and implements the following names)
techniques for web server cloaking:
• Changing the value of a header based
• Changing the sequence of individual on its name and value
header fields in the response (web
• Removing a header based on its name
servers can be fingerprinted based on
and value

Figure 34: Edit Web Cloaking Map

• Adding false headers to confuse cloaking maps that are defined and to
attackers view, delete, clone, edit or add new maps.
Use the Web Cloaking command to When you click the button to add a new
display a page that summarizes the web map, AVS displays the screen shown in the
following figure.
Give the new map a name in the Map In the Available Headers/Header
Name field. Sequence area you can change the
If you want to log web cloaking actions, sequence of individual HTTP headers in
click the Enable Log check box. responses. Select the header that you
want to be first from the Standard list and

487
Trainer’s Handbook – Security Analyst SSC/ Q0903

click the right arrow (>) to add it to the Header Sequence list on the right side of the page. Then select the header that you want to be second, and so on, adding each one in turn to the Header Sequence list. When you add a header, it is always added at the bottom of the list. You can also add a custom header that is not listed by typing its name into the Custom field and clicking the right arrow (>) next to that field.

To reorder the headers listed in the Header Sequence list, select a header and click the up arrow next to the list to move the header up one position in the list, or click the down arrow to move it one position down. Repeat the process each time that you want to move the header one more position up or down.

In the Add/Modify/Remove Response Headers area you can add, modify, or remove HTTP headers in responses. You can add multiple functions in this area; one operation is summarized on each line. To add an operation, in the Operation drop-down list choose the type of operation: ADD, MODIFY, or REMOVE. In the Response Header drop-down list, choose the name of the header that you want to add, modify, or remove. If the header name is not listed, choose custom from the list and type the name of the header in the Response Header field below the drop-down list. Next, enter values in the Old Value and New Value fields, as follows:

• If you are adding a header, enter a value in the New Value field only and leave Old Value empty.

• If you are modifying a header, enter the existing value to match in the Old Value field and enter the value to change it to in the New Value field. Only headers whose value matches the Old Value will be changed to New Value.

• If you are removing a header, enter a value in the Old Value field only, to remove only headers that have this value.

Finally, click the Add check box to add the header operation to this web cloaking map. The operation is added after you click Update Parameters, and a new blank operation line is shown below the newly added one, where you can add another operation. Also, a Delete check box is shown at the right end of each operation line, which you can use to delete an operation by checking it and clicking Update Parameters.

In the Header Name Normalization area, you can force specific header names to be all uppercase or all lowercase. To normalize the case of a header name, select it in the list at the left side of the page and click the Uppercase right arrow (>) button to make it uppercase, or click the Lowercase right arrow button to make it lowercase. Do the same for each header name that you want to normalize. If you want to normalize a custom header name, choose Custom in the list and type the name in the Custom field below the list. Then click the appropriate right arrow button. To remove a header name from a normalization list at the right side, select it and click the left arrow (<) button next to the list.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.
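As an added example, not code from this handbook or from AVS, the following Python models the three things a web cloaking map does to a response: the Add/Modify/Remove operations, the header sequence, and header name normalization. The sample header list, the map contents and the order in which the three areas are applied are assumptions made for the illustration; AVS does not state the order in which it applies them.

```python
# Added example (not AVS code): a model of the three web-cloaking operations
# described above, applied to a constructed HTTP response header list.
# Assumption: Add/Modify/Remove operations run first, then header sequencing,
# then name normalization; AVS does not document its internal order.
from typing import Dict, List, Tuple

Header = Tuple[str, str]  # (name, value)

# Constructed sample response headers, in the order a typical server emits them.
SAMPLE_RESPONSE: List[Header] = [
    ("Date", "Mon, 01 Jun 2015 10:00:00 GMT"),
    ("Server", "Apache/2.2.3 (CentOS)"),
    ("X-Powered-By", "PHP/5.1.6"),
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Content-Length", "1234"),
    ("Connection", "close"),
]

# A constructed cloaking map mirroring the form's three areas.
CLOAKING_MAP: Dict = {
    # Available Headers / Header Sequence: emit these first, in this order.
    "sequence": ["Content-Type", "Content-Length", "Date"],
    # Add/Modify/Remove Response Headers: (operation, name, old value, new value).
    "operations": [
        ("REMOVE", "X-Powered-By", "", ""),                          # remove regardless of value
        ("MODIFY", "Server", "Apache/2.2.3 (CentOS)", "WebServer"),  # only when Old Value matches
        ("ADD", "X-Backend", "", "decoy"),                           # a false header to confuse fingerprinting
    ],
    # Header Name Normalization.
    "uppercase": ["Content-Length"],
    "lowercase": ["Connection"],
}


def apply_operations(headers: List[Header], operations) -> List[Header]:
    """ADD appends; MODIFY rewrites values equal to Old Value; REMOVE drops headers
    whose value equals Old Value, or every header of that name when Old Value is
    empty (assumed meaning of an empty Old Value)."""
    result = list(headers)
    for op, name, old, new in operations:
        if op == "ADD":
            result.append((name, new))
        elif op == "MODIFY":
            result = [(n, new if n.lower() == name.lower() and v == old else v)
                      for n, v in result]
        elif op == "REMOVE":
            result = [(n, v) for n, v in result
                      if not (n.lower() == name.lower() and (old == "" or v == old))]
        else:
            raise ValueError(f"unknown operation {op!r}")
    return result


def apply_sequence(headers: List[Header], sequence: List[str]) -> List[Header]:
    """Headers named in `sequence` come first, in that order; all others keep
    their original relative order after them (assumed handling of unlisted headers)."""
    remaining = list(headers)
    ordered: List[Header] = []
    for wanted in sequence:
        ordered.extend(h for h in remaining if h[0].lower() == wanted.lower())
        remaining = [h for h in remaining if h[0].lower() != wanted.lower()]
    return ordered + remaining


def normalize_names(headers: List[Header], upper: List[str], lower: List[str]) -> List[Header]:
    """Force the listed header names to all uppercase or all lowercase."""
    up = {n.lower() for n in upper}
    low = {n.lower() for n in lower}
    out: List[Header] = []
    for n, v in headers:
        key = n.lower()
        out.append((n.upper() if key in up else n.lower() if key in low else n, v))
    return out


def cloak(headers: List[Header], cmap: Dict) -> List[Header]:
    """Apply a whole cloaking map to a response header list."""
    h = apply_operations(headers, cmap["operations"])
    h = apply_sequence(h, cmap["sequence"])
    return normalize_names(h, cmap["uppercase"], cmap["lowercase"])


if __name__ == "__main__":
    for name, value in cloak(SAMPLE_RESPONSE, CLOAKING_MAP):
        print(f"{name}: {value}")
```

Running it prints the cloaked header list. Two details match what the form describes: MODIFY only rewrites a header whose value equals Old Value, and REMOVE with an Old Value leaves other headers of the same name alone.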

Interaction with AVS Acceleration in Gateway Mode

When you use web cloaking and operate the web application firewall in gateway mode, the AVS acceleration features interact with the response and can change HTTP response headers. AVS acceleration processing occurs after web application firewall processing, so the response might contain headers different from those set by web cloaking.

Specifically, AVS acceleration features may add, remove, or change the following headers:

• Add—Content-Encoding, Transfer-Encoding, Set-Cookie
• Remove—Content-Length
• Change—Connection

If Web Cloaking normalizes, sequences, adds, removes, or modifies any of these headers, the AVS acceleration processing may undo or change these actions in the response.

URL Tagging

The URL tagging feature lets you add information to request URLs that can be used by other downstream devices such as load balancers or application servers. You can search for a string in the URL and if there is a match you can either replace the complete URL with another URL or replace only the matched string. Additionally, you can insert or remove parameter name/value pairs.

Use the URL Tagging command to display a page that summarizes the URL tagging maps that are defined and to view, delete, clone, edit or add new maps. When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 35: Add URL Tagging Map
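Before the form itself, here is an added example (not AVS code and not from this handbook) of what the two rule types on this form do to a request URL: a parameter rule that adds or removes a name/value pair in the query, and a URL rule that either replaces the whole URL or only the matched string, with the result escape encoded. The rule layouts, the order in which the two rule areas are applied (parameter rules first) and the treatment of a Remove rule as a full regular-expression match are assumptions made for the example.

```python
# Added example (not AVS code): the two kinds of URL tagging rule described in
# this section, parameter rewrite and URL rewrite, applied to constructed
# request URLs. Rule shapes, the rule order (parameter rules first) and the
# exact escape-encoding rule are assumptions made for this illustration.
import re
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Characters the form rejects in Parameter/Value when adding a parameter.
FORBIDDEN_WHEN_ADDING = set("?*{}[]()^$,")


def field_allowed(text: str, removing: bool = False) -> bool:
    """Mirror the form's input check: an Add rule may not contain the listed
    characters; a Remove rule accepts anything, including a regular expression."""
    return removing or not (set(text) & FORBIDDEN_WHEN_ADDING)


def apply_parameter_rules(url: str, rules) -> str:
    """rules: list of (operation, name, value) with operation "Add" or "Remove".
    Add appends name=value to the query; Remove drops pairs whose name and value
    match exactly (modelled as a full regular-expression match, so a literal
    rule behaves as an exact match)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    for op, name, value in rules:
        if op == "Add":
            if not (field_allowed(name) and field_allowed(value)):
                raise ValueError(f"characters not allowed in Add rule: {name}={value}")
            pairs.append((name, value))
        elif op == "Remove":
            pairs = [(n, v) for n, v in pairs
                     if not (re.fullmatch(name, n) and re.fullmatch(value, v))]
        else:
            raise ValueError(f"unknown operation {op!r}")
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def apply_url_rules(url: str, rules) -> str:
    """rules: list of (find, replace, type). "Replace URL" swaps the whole URL
    when the Find expression (a regular expression is allowed here) matches
    anywhere; "Replace matched string" substitutes the literal Find string in
    place. The result is escape encoded, as the section says rewritten URLs are."""
    for find, replace, rule_type in rules:
        if rule_type == "Replace URL":
            if re.search(find, url):
                url = replace
        elif rule_type == "Replace matched string":
            url = url.replace(find, replace)
        else:
            raise ValueError(f"unknown rule type {rule_type!r}")
    return quote(url, safe="/:?=&%@+;-._~")


def tag_url(url: str, parameter_rules, url_rules) -> str:
    """Apply a whole URL tagging map: parameter rules, then URL rules."""
    return apply_url_rules(apply_parameter_rules(url, parameter_rules), url_rules)


if __name__ == "__main__":
    # Constructed request URL: tag it for a downstream load balancer.
    print(tag_url("/catalog/item?id=42&sid=abc",
                  [("Add", "node", "web3"), ("Remove", "sid", "abc")],
                  [("/catalog/", "/shop/", "Replace matched string")]))
```

The sample run rewrites `/catalog/item?id=42&sid=abc` to `/shop/item?id=42&node=web3`; a Replace URL rule whose replacement contains a space comes out as `%20`, which is the escape encoding the section mentions.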

Give the new map a name in the Map Name field.

Using the following areas of the form you can configure these functions:

• Parameter rewrite—By using the Parameter Rules area, you can insert or remove parameter name/value pairs in the query portion of matched URLs. Enter a parameter name in the
Parameter field and its value in the Value field. Choose either Add or Remove from the Operation drop-down list. If you choose Remove, the parameter name and value must match exactly for it to be removed. Click the Update Parameter Rule button to add the rule.

Regular expressions and the following characters are not allowed in the Parameter and Value fields when you are adding a parameter: ?*{}[]()^$, (the comma included). When you are removing a parameter, regular expressions are allowed and there are no character restrictions in the Parameter and Value fields.

• URL rewrite—By using the URL Rules area, you can search for a string in the URL and if there is a match you can either replace the complete URL with another URL or replace only the matched string with another string. Enter the string to search for in the Find field and enter the replacement string or URL in the Replace field. From the Type drop-down list, choose either Replace URL (to replace the whole URL with the URL entered in the Replace field) or Replace matched string (to replace just the matched string in the URL with the string entered in the Replace field). Click the Update URL Rule button to add the rule. Rewritten URLs are escape encoded before being sent out.

Regular expressions and the following characters are mostly not allowed in the Find and Replace fields: ?*{}[]()^$, (the comma included). When you are replacing a complete URL, regular expressions are allowed and there are no character restrictions in the Find field. For details on the regular expression syntax that is allowed.

To delete an existing parameter or URL rewriting rule, click the Delete check box on the same line as the rule, and when you click Update Parameter Rule (to delete parameter rules) or Update URL Rule (to delete URL rewrite rules), the rule will be deleted.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.

HTTP Protocol Conformance

HTTP protocol conformance provides deep analysis of web traffic, enabling granular control over HTTP sessions for improved protection from a wide range of web-based attacks. In addition, this feature allows administrative control over instant messaging applications, peer-to-peer file sharing applications, and applications that attempt to tunnel over port 80 or any port used for HTTP transactions. Capabilities provided include RFC compliance enforcement, HTTP command authorization and enforcement, response validation, Multipurpose Internet Mail Extension (MIME) type validation and content control, URL blacklisting, and more.

The following sections describe the HTTP Protocol Conformance menu commands:

1. IM Controls
2. P2P Controls
3. Tunnelling Policies
4. Generic Pattern Matcher
5. Transfer Encoding
6. MIME Type Controls
7. URL Black Listing
8. Control HTTP Methods
9. Header Integrity Check

1. IM Controls

The IM controls feature allows you to control incoming and outgoing instant messaging traffic by logging or denying it.

Use the IM Controls command to display a page that summarizes the instant messaging maps that are defined and to view, delete, clone, edit or add new maps. When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 36: Add Instant Messaging Map

Use this form to define criteria for identifying instant messaging traffic in either requests or responses.

Give the instant messaging map a name in the Map Name field.

If you are creating a new map, only the New Criteria section of the form is shown. As each criterion for identifying instant messaging traffic is added, it is listed in a criteria section at the top of the form.

In the New Criteria section, click the Add check box to indicate that you are adding a new criterion. Then in the Message Type drop-down list, choose the message type that you want to examine: either Request or Response messages. In the Search Type
drop-down list, choose the part of the request or response that you want to examine, and in the next three fields (Name, Value, and Max No of bytes to search), enter the criteria that must be matched to consider the traffic to be instant messenger related. For each message type/search type pair, only certain criteria fields are used, and these are described in the table below.

The Obfuscation Option check box is available in certain cases. Checking this box deobfuscates the URL before performing regular expression matching with the specified criteria. Deobfuscation decodes encoded URLs. For example, a URL might contain the string "%20", which is decoded to a space character.

Table 10: Instant Messaging Criteria

(Columns: Message Type/Search Type; Criteria Fields Used; Description)

Message Type/Search Type: Request/Method
Criteria fields used: Name
Enter the HTTP request method name in the Name field.

Message Type/Search Type: Request/Url
Criteria fields used: Value, Obfuscation Option check box
In the Value field, enter a string to match in the URL and check the Obfuscation Option check box to deobfuscate the URL before matching. You can enter either a full URL or a partial string. If any part of the value is found in the URL, then the match is successful. Only the URL is searched for a match, not the query parameters.

Message Type/Search Type: Request/Arg
Criteria fields used: Value, Obfuscation Option check box
In the Value field, enter a string to match in the query portion of the URL and check the Obfuscation Option check box to deobfuscate the URL before matching. If any part of the value is found in the query parameters, then the match is successful. Only the query parameter portion of the URL is searched.

Message Type/Search Type: Request/Header
Criteria fields used: Name, Value
Enter the name of the HTTP request header in the Name field and the header value in the Value field.

Message Type/Search Type: Request/Body
Criteria fields used: Value, Max No of bytes to search
Enter the string to search for in the body of the request in the Value field, and enter the maximum number of bytes to search in the body in the Max No of bytes to search field. The match is successful if the specified string is found anywhere in the body, ending at the byte specified in Max No of bytes to search.

Message Type/Search Type: Response/StatusCode
Criteria fields used: Value
Enter the numeric response status code to search for in the Value field.
Message Type/Search Type: Response/Header
Criteria fields used: Name, Value
Enter the name of the HTTP response header in the Name field and the header value in the Value field.

Message Type/Search Type: Response/Body
Criteria fields used: Value, Max No of bytes to search
Enter the string to search for in the body of the response in the Value field, and enter the maximum number of bytes to search in the body in the Max No of bytes to search field. The match is successful if the specified string is found anywhere in the body, ending at the byte specified in Max No of bytes to search.

The Value field can be a regular expression.

When you are done entering the criteria, make sure the Add check box is checked and click the Update Criteria button to add the criteria to the map. You can add more criteria by following the same procedure for each one. To delete a criterion from the map, click the Delete check box next to it and click the Update Criteria button.

After you have defined the criteria to identify instant messenger traffic, you can configure the action to apply when such traffic is observed. In the first Action drop-down list, choose one of the following items:

• Match All—All criteria must be matched to apply the action
• Match Any—Any single criteria must be matched to apply the action

Click the Not check box if you want to match all traffic that does not meet the criteria. If Not is checked, the match criteria are interpreted as follows:

• Match All—Fewer than all criteria must be matched to apply the action
• Match Any—None of the criteria must be matched to apply the action

In the second drop-down list, choose one of the following actions:

• None—Take no action
• Deny—Block the traffic
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define such redirection pages by using the redirect page feature.

If you want to log the event, click the Log check box next to the Action drop-down lists.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.

2. P2P Controls

The P2P controls feature allows you to control incoming and outgoing peer-to-peer application traffic by logging or denying it. Use the P2P Controls command to configure peer-to-peer application control. This command works exactly like the IM Controls command.

3. Tunnelling Policies

The tunnelling policies feature allows you to control incoming and outgoing tunnelled application traffic by logging or
denying it. Use the Tunnelling Policies command to configure tunnelling application control. This command works exactly like the IM Controls command.

4. Generic Pattern Matcher

The generic pattern matcher feature allows you to configure a policy based on any user-definable criteria in the traffic, to control incoming and outgoing traffic by logging or denying it. Use the Generic Pattern Matcher command to configure such control. This command works exactly like the IM Controls command.

5. Transfer Encoding

The transfer encoding feature allows you to control incoming and outgoing traffic that has a specific Transfer-Encoding header by logging or denying it.

Use the Transfer Encoding command to display a page that summarizes the transfer encoding maps that are defined and to view, delete, clone, edit or add new maps.

When you click the button to add a new map, AVS displays the screen shown in the following figure.
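The IM Controls criteria in Table 10 and the Match All / Match Any / Not logic of the first Action list are shared by the P2P Controls, Tunnelling Policies and Generic Pattern Matcher commands, which the text says work exactly like IM Controls. The following is an added example, not AVS code and not from this handbook, that models those criteria and that logic over a constructed request and response; the message and criterion layouts are assumptions made for the illustration.

```python
# Added example (not AVS code): a model of the criteria in Table 10 and of the
# Match All / Match Any / Not semantics, run against a constructed request and
# response. Message and criterion layouts are assumptions for this illustration.
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample messages (not real captures).
SAMPLE_REQUEST: Dict = {
    "method": "POST",
    "url": "/chat/send%20msg?user=alice&proto=im1",
    "headers": {"Host": "im.example.test", "User-Agent": "ExampleIM/1.0"},
    "body": b"CMD=MSG;to=bob;text=hello",
}
SAMPLE_RESPONSE: Dict = {
    "status": 200,
    "headers": {"Content-Type": "text/plain"},
    "body": b"OK",
}


def header_value(msg: Dict, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    return next((v for k, v in msg["headers"].items() if k.lower() == name.lower()), None)


def match_criterion(msg: Dict, crit: Dict) -> bool:
    """One criterion; keys mirror the form fields (search_type, name, value,
    max_bytes, obfuscation). Value is treated as a regular expression."""
    st = crit["search_type"]
    if st == "Method":
        return msg["method"] == crit["name"]
    if st in ("Url", "Arg"):
        path, _, query = msg["url"].partition("?")
        target = path if st == "Url" else query      # Url ignores the query; Arg searches only it
        if crit.get("obfuscation"):
            target = unquote(target)                 # decode e.g. "%20" before matching
        return re.search(crit["value"], target) is not None
    if st == "Header":
        val = header_value(msg, crit["name"])
        return val is not None and re.search(crit["value"], val) is not None
    if st == "Body":
        window = msg["body"][: crit["max_bytes"]]   # search only the first Max No of bytes
        return re.search(crit["value"].encode(), window) is not None
    if st == "StatusCode":
        return str(msg["status"]) == crit["value"]
    raise ValueError(f"unknown search type {st!r}")


def map_matches(msg: Dict, criteria: List[Dict], mode: str, negate: bool = False) -> bool:
    """Combine criteria as the first Action list and the Not box describe.
    With Not checked, Match All means fewer than all matched and Match Any
    means none matched, i.e. the plain result is inverted in both cases."""
    results = [match_criterion(msg, c) for c in criteria]
    if mode == "Match All":
        hit = all(results)
    elif mode == "Match Any":
        hit = any(results)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return (not hit) if negate else hit


def decide(msg: Dict, criteria: List[Dict], mode: str, action: str, negate: bool = False) -> str:
    """Return the configured action (e.g. "Deny") when the map matches, else "None"."""
    return action if map_matches(msg, criteria, mode, negate) else "None"


# Constructed criteria, one per search type in the table.
URL_CRIT = {"search_type": "Url", "value": "chat/send msg", "obfuscation": True}
UA_CRIT = {"search_type": "Header", "name": "user-agent", "value": "ExampleIM"}
BODY_CRIT = {"search_type": "Body", "value": "CMD=MSG", "max_bytes": 8}
METHOD_CRIT = {"search_type": "Method", "name": "GET"}
STATUS_CRIT = {"search_type": "StatusCode", "value": "200"}

if __name__ == "__main__":
    print(decide(SAMPLE_REQUEST, [URL_CRIT, UA_CRIT, BODY_CRIT], "Match All", "Deny"))
```

Two of the table's details are visible in the constructed criteria: the Url criterion only matches once the Obfuscation Option decodes `%20`, and the Body criterion stops searching at Max No of bytes, so the same string is missed when that limit is too small.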

Figure 37: Add Transfer Encoding Map

Give the transfer encoding map a name in the Map Name field.

In the next part of the form, you can add criteria lines that describe one or more transfer encodings of the traffic that you want to act on. First choose the type of transfer encoding in the Transfer Encoding drop-down list. The following choices are available:

• Custom—an encoding other than those listed; enter the encoding type in the field below the list
• Identity—no transfer encoding used
• Gzip—gzip encoding
• Chunked—chunked encoding
• Deflate—deflate encoding
• Compress—compress encoding

In the Type drop-down list, choose whether you want to act on request or response traffic. In the Action drop-down list, choose one of the following actions:

• None—Take no action
• Deny—Block the traffic
• [SEND-PAGE] pagename—Send the error page identified by pagename.
You define such error pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define such redirection pages by using the redirect page feature.

If you want to log the event, click the Log check box next to the Action drop-down list. Finally, check the Add check box and click Update to add the criteria to this form and give you a new line on which to enter another criterion. To delete one or more criteria lines, click the Delete check box on each line that you want to delete and then click Update to delete all checked lines.

There is another Action drop-down list at the bottom of the form, labelled Action for Nonmatching Traffic. This action applies to all traffic that has a transfer encoding that does not match any of the criteria on this form. You can choose the same actions as on the other Action list. Also, you can click the Log check box next to this drop-down list if you want to log such traffic. When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.

6. MIME Type Controls

The MIME type controls feature allows you to validate that the MIME type specified in the HTTP Content-Type header matches the content type's magic number in the body of the message. (Magic numbers are byte sequences that are always present in a particular MIME type and thus can be used to identify entities as being of a given media type.)

Use the MIME Type Controls command to display a page that summarizes the content type verification maps that are defined and to view, delete, clone, edit or add new maps. When you click the button to add a new map, AVS displays the screen shown in the following figure.

Give the content type verification map a name in the Map Name field. The content types that are validated are listed below this field. Ensure that the Select check box is checked for each MIME type that you want
to verify. All MIME types listed are checked initially.

In the Action drop-down list, choose one of the following actions:

• None—Take no action
• Deny—Block traffic with one of the listed content types
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define such redirection pages by using the redirect page feature.

If you want to log the event, click the Log check box next to the Action drop-down list.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.
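As an added example of the check this map performs, not AVS code and not from this handbook, the following Python compares a declared Content-Type with the magic number at the start of the body and applies the map's Action to a mismatch. The magic numbers are the well-known leading bytes of each format; the set of types, the Select handling and the verdict strings are choices made for the example.

```python
# Added example (not AVS code): the MIME type control described above, checking
# that a declared Content-Type agrees with the body's magic number, run on
# constructed messages. The magic numbers are the well-known leading bytes of
# each format; the set of types and the verdict strings are choices made here.
from typing import Dict, Optional, Tuple

# Leading byte sequences ("magic numbers") of a few common media types.
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "application/pdf": (b"%PDF-",),
    "application/zip": (b"PK\x03\x04",),
}


def header_value(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def declared_type(headers: Dict[str, str]) -> str:
    """The media type from Content-Type, without parameters such as charset."""
    ct = header_value(headers, "Content-Type") or ""
    return ct.split(";", 1)[0].strip().lower()


def sniff_type(body: bytes) -> Optional[str]:
    """Which known type, if any, the body's leading bytes identify."""
    for mime, magics in MAGIC.items():
        if any(body.startswith(m) for m in magics):
            return mime
    return None


def verify_content_type(headers: Dict[str, str], body: bytes, selected=None) -> Tuple[str, str]:
    """Return (verdict, detail); verdict is "ok", "mismatch" or "not-checked".
    `selected` mirrors the Select check boxes: only those types are verified.
    None means every listed type is selected, as on a new map."""
    declared = declared_type(headers)
    chosen = set(MAGIC) if selected is None else {s.lower() for s in selected}
    if declared not in MAGIC or declared not in chosen:
        return ("not-checked", declared)
    if any(body.startswith(m) for m in MAGIC[declared]):
        return ("ok", declared)
    return ("mismatch", f"declared {declared}, body looks like {sniff_type(body) or 'unknown'}")


def decide(headers: Dict[str, str], body: bytes, action: str = "Deny", selected=None) -> str:
    """Apply the map's Action to a mismatch; everything else passes ("None")."""
    verdict, _ = verify_content_type(headers, body, selected)
    return action if verdict == "mismatch" else "None"


# Constructed sample bodies.
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
GIF_BODY = b"GIF89a" + b"\x00" * 16
HTML_BODY = b"<html><body>hello</body></html>"

if __name__ == "__main__":
    print(verify_content_type({"Content-Type": "image/png"}, HTML_BODY))
```

The case worth noticing is the third sample: HTML served under `image/png` is exactly what this control is meant to catch, since a browser may render such content rather than treat it as an image.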

7. URL Black Listing

The URL black listing feature allows you to block incoming requests for particular URLs.

Use the URL Black Listing command to display a page that summarizes the URL blacklist maps that are defined and to view, delete, clone, edit or add new maps. For details on using the summary page GUI.

When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 39: Add URL Blacklist Map

Give the URL black listing map a name in the Map Name field.

In the next part of the form, you can add regular expressions for URLs that you want to block traffic to. In the URL field, enter a regular expression that is used to
match part of a URL string in incoming requests. The regular expression is matched against only the URL and not the query parameters. If the regular expression matches any part of the URL, the match is considered successful.

Check the Obfuscation check box to deobfuscate the URL before performing regular expression matching. Deobfuscation decodes encoded URLs. For example, a URL might contain the string "%20", which is decoded to a space character.

Check the Add check box and click Update to add the URL to this form and give you a new line on which to enter another URL. To delete one or more URL lines, click the Delete check box on each line that you want to delete and then click Update to delete all checked lines.

After you have defined the URLs to black list, you can configure the action to apply when such traffic is observed. In the first Action drop-down list, choose one of the following items:

• Match All—All criteria must be matched to apply the action
• Match Any—Any single criteria must be matched to apply the action

Click the Not check box if you want to match all traffic that does not meet the criteria. If Not is checked, the match criteria are interpreted as follows:

• Match All—Fewer than all criteria must be matched to apply the action
• Match Any—None of the criteria must be matched to apply the action

In the second drop-down list, choose one of the following actions:

• None—Take no action
• Deny—Block the traffic
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define such redirection pages by using the redirect page feature.

If you want to log the event, click the Log check box next to the Action drop-down lists.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.

Figure 40: Add Content Methods Map

URL black listing can also be done directly in a policy map by defining the traffic to black list in a traffic map, then setting a general policy to drop the connection when such traffic is encountered.

8. Control HTTP Methods

The HTTP method control feature allows you to control incoming traffic that uses a specific HTTP method by logging or denying it.

Use the Control HTTP Methods command to display a page that summarizes the HTTP content method maps that are defined and to view, delete, clone, edit or add new maps.

When you click the button to add a new map, AVS displays the screen shown in the following figure.

Give the HTTP content methods map a name in the Map Name field.

In the next part of the form, you can add one or more HTTP methods to act on. In the Methods drop-down list choose an HTTP method. Check the Add check box and click Update to add the method to this form and give you a new line on which to enter another method. To delete one or more method lines, click the Delete check box on each line that you want to delete and then click Update to delete all checked lines.

After you have defined the HTTP methods to look for, you can configure the action to apply when such traffic is observed. In the first Action drop-down list, choose one of the following items:

• Match All—All criteria must be matched to apply the action
• Match Any—Any single criteria must be matched to apply the action

Click the Not check box if you want to match all traffic that does not meet the criteria. If Not is checked, the match criteria are interpreted as follows:

• Match All—Fewer than all criteria must be matched to apply the action
• Match Any—None of the criteria must be matched to apply the action

In the second drop-down list, choose one of the following actions:

• None—Take no action
• Deny—Block the traffic
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.

If you want to log the event, click the Log check box next to the Action drop-down lists.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.

9. Header Integrity Check

The header integrity check feature allows you to check the integrity of HTTP headers and take action if problems are found.

Use the Header Integrity Check command to display a page that summarizes the header integrity check maps that are defined and to view, delete, clone, edit or add new maps.

When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 41: Add Header Integrity Check Map
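The form described next acts on five header problems: a Transfer-Encoding header with no encodings listed, non-ASCII characters in a header, a non-numeric Content-Length, invalid chunk encoding, and more than one Content-Length header. As an added example, not AVS code and not from this handbook, the following Python detects those five conditions in constructed raw requests and pairs each finding with the Action configured for it; the request bytes, the message layout and the Action table are constructed for the illustration.

```python
# Added example (not AVS code): the five header integrity problems listed on
# this form, detected over constructed raw HTTP requests, with the per-problem
# Action table applied to what is found. All messages here are constructed.
from typing import Dict, List, Tuple

PROBLEMS = ["Null Encoding", "Non ASCII Characters", "Illegal Content Length",
            "Illegal Chunk Encoding", "Multiple Length Headers"]


def split_message(raw: bytes) -> Tuple[List[Tuple[bytes, bytes]], bytes]:
    """Return ([(name, value), ...], body) from a raw request; the request line is skipped."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return headers, body


def chunked_body_valid(body: bytes) -> bool:
    """Walk the chunk-size lines: each must be hex (optional ;extension), and
    each chunk must end in CRLF, down to the terminating zero-size chunk."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return False
        size_field = body[pos:end].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            return False
        pos = end + 2
        if size == 0:
            return True   # trailers after the last chunk are not inspected (assumption)
        if body[pos + size:pos + size + 2] != b"\r\n":
            return False
        pos += size + 2


def check_header_integrity(raw: bytes) -> List[str]:
    """Return the names of the problems found, in the order the form lists them."""
    headers, body = split_message(raw)
    found = set()
    lengths = [v for n, v in headers if n.lower() == b"content-length"]
    encodings = [v for n, v in headers if n.lower() == b"transfer-encoding"]
    if any(v == b"" for v in encodings):
        found.add("Null Encoding")
    if any(b > 0x7F for n, v in headers for b in n + v):
        found.add("Non ASCII Characters")
    if any(not v.isdigit() for v in lengths):
        found.add("Illegal Content Length")
    if any(b"chunked" in v.lower() for v in encodings) and not chunked_body_valid(body):
        found.add("Illegal Chunk Encoding")
    if len(lengths) > 1:
        found.add("Multiple Length Headers")
    return [p for p in PROBLEMS if p in found]


def actions_for(raw: bytes, action_map: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pair each detected problem with the Action configured for it on the form."""
    return [(p, action_map.get(p, "None")) for p in check_header_integrity(raw)]


# Constructed requests (not captures).
GOOD = b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 5\r\n\r\nhello"
BAD_HEADERS = (b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"
               b"Content-Length: 5\r\nContent-Length: 99\r\n"
               b"Transfer-Encoding:\r\nX-Note: caf\xc3\xa9\r\n\r\nhello")
BAD_LENGTH = b"GET / HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 12abc\r\n\r\n"
BAD_CHUNKS = (b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"
              b"Transfer-Encoding: chunked\r\n\r\nZZ\r\nhello\r\n0\r\n\r\n")
GOOD_CHUNKS = (b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")

# A constructed Action configuration, one entry per problem on the form.
ACTION_MAP = {"Null Encoding": "Reset client", "Non ASCII Characters": "Drop",
              "Illegal Content Length": "Reset server client",
              "Illegal Chunk Encoding": "Drop", "Multiple Length Headers": "Drop"}

if __name__ == "__main__":
    print(actions_for(BAD_HEADERS, ACTION_MAP))
```

Duplicate or malformed Content-Length headers are the case to watch: two intermediaries that pick different lengths disagree about where one request ends and the next begins, which is why the form lets you reset or drop such connections rather than pass them on.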

Give the header integrity check map a name in the Map Name field.

In the next part of the form, you can configure actions to take when the following problems are found in a header:

• Null Encoding—Transfer-encoding header has no encodings listed
• Non ASCII Characters—Non-ASCII characters are found in a header
• Illegal Content Length—Content-length header contains non-numeric characters
• Illegal Chunk Encoding—Chunk encoding is not valid
• Multiple Length Headers—Multiple content-length headers appear in the request

For each listed header integrity problem, select one of the following actions from the Action drop-down list:

• None—Take no action
• Reset server—Reset the server side of the connection
• Reset client—Reset the client side of the connection
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define such redirection pages by using the redirect page feature.

If you want to log a problem, click the Log check box next to the Action drop-down list.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes. If you want to use the settings on this form as the default for new maps of this type, click Set As Default.

Input Validation Checks

The input validation module inspects incoming HTTP messages from clients and web servers to protect against a variety of
attacks that use form input submitted by the GET or POST methods. The following sections describe these input validation checks:

• Cross Site Scripting
• SQL Injection
• OS Command Injection
• LDAP Injection
• Meta Character Detection
• Format String Attacks

All input validation checks use regular expression sets that have been defined with the Pattern Definitions command.

Cross Site Scripting

A cross site scripting attack takes advantage of dynamically generated web pages in which data is usually gathered in the form of a hyperlink. An attacker, when prompted to enter information like a user name, will instead pass a script to be executed. A web server that does not properly perform input validation will execute the script and wait for an innocent user to click the link provided by the attacker. The victim may unknowingly release information to the attacker.

Use the Cross Site Scripting command to display a page that summarizes the cross site scripting maps that are defined and to view, delete, clone, edit or add new maps. When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 42: Add Cross Site Scripting Map

Give the map a name in the Map Name field.

In the map, you can configure protection in three ways:

• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is Cross Site Scripting. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the Cross Site Scripting type before you can complete this form. Any form input that contains a string that matches one of the regular expressions in the specified pattern set is flagged for the action specified in the Action drop-down list. Leave the Parameter field empty and make no selection from the Allow Pattern Set drop-down list.

• Scan all of the form input data except for the values of one or more specific form parameters, in which certain expressions are allowed.

Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is Cross Site Scripting. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the Cross Site Scripting type before you can complete this form.

In the Parameter field enter the name of an exception parameter in which you want to allow input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions that you want to allow in the value of the exception parameter. Check the Add check box to the right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as many exception parameters as you want by repeating this procedure. Each parameter can have its own associated regular expression that defines the values that are allowed. To delete a parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and click Update Parameters.

Any form input that contains a string that matches one of the regular expressions in the Pattern Set is flagged for the action specified in the Action drop-down list. If an exception parameter value contains a string that matches both the Pattern Set and Allow Pattern Set regular expressions, then it is allowed rather than being flagged for action.

• Scan the values of one or more specific form parameters within the input data.

Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter field. Check the Add check box to the right of the parameter name and click Update Parameters. You can enter as many parameters as you want by repeating this procedure. To delete a parameter, click the Delete check box to the right of the parameter name and click Update Parameters. If any of the specified parameter values contain a string that matches one of the regular expressions in the specified pattern
set, the request is flagged for the action specified in the Action drop-down list.
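The three scan modes above (all parameters; all parameters with exception parameters and an Allow Pattern Set; specific parameters only) are the same for the SQL Injection map described later. As an added example, not AVS code and not from this handbook, the following Python runs those three modes over a constructed form submission, including the rule that an exception parameter value matching both the Pattern Set and the Allow Pattern Set is allowed, and the Ignore Case option for parameter names. The pattern sets, the map layout and the output format are constructed for the illustration; in AVS the sets come from Pattern Definitions.

```python
# Added example (not AVS code): the three scan modes of the Cross Site Scripting
# (and SQL Injection) maps, run over a constructed form submission. The pattern
# sets, the map layout and the flagged-value format are constructed here;
# AVS pattern sets come from the Pattern Definitions command.
import re
from typing import Dict, List, Tuple

# Constructed pattern sets, keyed by name as the Pattern Set drop-down would list them.
PATTERN_SETS: Dict[str, List[str]] = {
    # Flags any markup or a javascript: URL in a value (a detection set, deliberately broad).
    "xss-markup": [r"<[^>]+>", r"javascript:"],
    # Allow set: a value that is exactly one bold element with plain text inside.
    "safe-bold-only": [r"^<b>[^<>]*</b>$"],
}


def matches_set(value: str, set_name: str) -> bool:
    """True if any regular expression in the named set matches somewhere in value."""
    return any(re.search(p, value) for p in PATTERN_SETS[set_name])


def scan_form(form: List[Tuple[str, str]], scan_map: Dict) -> List[Tuple[str, str]]:
    """Return the (name, value) pairs a map flags.
    scan_map keys: type ("Scan All Parameters" or "Scan Specific Parameters"),
    pattern_set, parameters (list of (name, allow_pattern_set or None)), ignore_case."""
    ignore_case = scan_map.get("ignore_case", False)

    def same_name(a: str, b: str) -> bool:
        return a.lower() == b.lower() if ignore_case else a == b

    listed = scan_map.get("parameters", [])
    flagged: List[Tuple[str, str]] = []
    for name, value in form:
        entry = next((p for p in listed if same_name(p[0], name)), None)
        if scan_map["type"] == "Scan All Parameters":
            if not matches_set(value, scan_map["pattern_set"]):
                continue
            # Exception parameter: allowed when the value also matches its Allow Pattern Set.
            if entry is not None and entry[1] and matches_set(value, entry[1]):
                continue
            flagged.append((name, value))
        elif scan_map["type"] == "Scan Specific Parameters":
            # Only the listed parameters are scanned at all.
            if entry is not None and matches_set(value, scan_map["pattern_set"]):
                flagged.append((name, value))
        else:
            raise ValueError(f"unknown map type {scan_map['type']!r}")
    return flagged


def decide(form: List[Tuple[str, str]], scan_map: Dict) -> str:
    """The map's Action when anything is flagged, otherwise "None"."""
    return scan_map.get("action", "Deny") if scan_form(form, scan_map) else "None"


# Constructed form submission (not a capture).
FORM = [("username", "alice"), ("comment", "<b>hi</b>"), ("search", "<script>x</script>")]

# Mode 2: scan everything, but allow bold-only markup in "comment".
ALL_WITH_EXCEPTION = {"type": "Scan All Parameters", "pattern_set": "xss-markup",
                      "parameters": [("comment", "safe-bold-only")], "action": "Drop"}
# Mode 3: scan only "Search", matched case-insensitively (Ignore Case checked).
SPECIFIC = {"type": "Scan Specific Parameters", "pattern_set": "xss-markup",
            "parameters": [("Search", None)], "ignore_case": True, "action": "Drop"}

if __name__ == "__main__":
    print(scan_form(FORM, ALL_WITH_EXCEPTION), decide(FORM, ALL_WITH_EXCEPTION))
```

The difference between the first two modes is visible on the `comment` field: without the exception it is flagged because it contains markup; with the exception it passes because its value also matches the Allow Pattern Set, while `search` is flagged either way.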

Check the Ignore Case check box if you do not need to match the case of a parameter specified in the Parameter field. If you do need to match the case exactly, leave this check box unchecked.

In the Action drop-down list, choose the action to apply if a form input string that matches this map is detected. Actions include these:

• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.

If you want to log the event, click the Log check box below the Action drop-down list.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.

SQL Injection

A SQL injection attack appends or modifies SQL commands in form input with the intention of gathering information regarding the application and obtaining access to unauthorized data.

Use the SQL Injection command to display a page that summarizes the SQL injection maps that are defined and to view, delete, clone, edit or add new maps. When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 43: Add SQL Injection Map

Give the map a name in the Map Name field.

In the map, you can configure protection in three ways:

• Scan all of the form input data.

Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that
are listed here are those that are defined in the Pattern Definitions page where the type is SQL Injection. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the SQL Injection type before you can complete this form. Any form input that contains a string that matches one of the regular expressions in the specified pattern set is flagged for the action specified in the Action drop-down list. Leave the Parameter field empty and make no selection from the Allow Pattern Set drop-down list.

• Scan all of the form input data except for the values of one or more specific form parameters, in which certain expressions are allowed.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is SQL Injection. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the SQL Injection type before you can complete this form.
In the Parameter field enter the name of an exception parameter in which you want to allow input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions that you want to allow in the value of the exception parameter. Check the Add check box to the right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as many exception parameters as you want by repeating this procedure. Each parameter can have its own associated regular expression that defines the values that are allowed. To delete a parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern Set is flagged for the action specified in the Action drop-down list. If an exception parameter value contains a string that matches both the Pattern Set and Allow Pattern Set regular expressions, then it is allowed rather than being flagged for action.

• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter field. Check the Add check box to the right of the parameter name and click Update Parameters. You can enter as many parameters as you want by repeating this procedure. To delete a parameter, click the Delete check box to the right of the parameter name and click Update Parameters. If any of the specified parameter values contain a string that matches one of the regular expressions in the specified pattern set, the request is flagged for the action specified in the Action drop-down list.

Check the Ignore Case check box if you do not need to match the case of a parameter specified in the Parameter
field. If you do need to match the case exactly, leave this check box unchecked.

In the Action drop-down list, choose the action to apply if a form input string that matches this map is detected. Actions include these:

• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.

If you want to log the event, click the Log check box below the Action drop-down list.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.

OS Command Injection

An OS command injection attack inserts OS commands into form input with the intention to gain elevated privileges to access a web server.

Use the OS Command Injection command to display a page that summarizes the command injection maps that are defined and to view, delete, clone, edit or add new maps. When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 44: Add Command Injection Map

Give the map a name in the Map Name field.

In the map, you can configure protection in three ways:

• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is Command Injection. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the Command Injection type before you can complete this form. Any form
input that contains a string that matches one of the regular expressions in the specified pattern set is flagged for the action specified in the Action drop-down list. Leave the Parameter field empty and make no selection from the Allow Pattern Set drop-down list.

• Scan all of the form input data except for the values of one or more specific form parameters, in which certain expressions are allowed.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is Command Injection. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the Command Injection type before you can complete this form.
In the Parameter field enter the name of an exception parameter in which you want to allow input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions that you want to allow in the value of the exception parameter. Check the Add check box to the right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as many exception parameters as you want by repeating this procedure. Each parameter can have its own associated regular expression that defines the values that are allowed. To delete a parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern Set is flagged for the action specified in the Action drop-down list. If an exception parameter value contains a string that matches both the Pattern Set and Allow Pattern Set regular expressions, then it is allowed rather than being flagged for action.

• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter field. Check the Add check box to the right of the parameter name and click Update Parameters. You can enter as many parameters as you want by repeating this procedure. To delete a parameter, click the Delete check box to the right of the parameter name and click Update Parameters. If any of the specified parameter values contain a string that matches one of the regular expressions in the specified pattern set, the request is flagged for the action specified in the Action drop-down list.

Check the Ignore Case check box if you do not need to match the case of a parameter specified in the Parameter field. If you do need to match the case exactly, leave this check box unchecked.

In the Action drop-down list, choose the action to apply if a form input string that matches this map is detected. Actions include these:

• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.

If you want to log the event, click the Log check box below the Action drop-down list.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.

LDAP Injection

Lightweight Directory Access Protocol (LDAP) is widely used to query and manipulate X.500 directory services. Web applications may use form input to create custom LDAP statements for dynamic web page requests. An LDAP injection attack modifies an LDAP statement, letting the process run with the same permissions as the component that executed the command, and can let the attacker obtain unauthorized information from the database.

Use the LDAP Injection command to display a page that summarizes the LDAP injection maps that are defined and to view, delete, clone, edit or add new maps. When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 45: Add LDAP Injection Map

Give the map a name in the Map Name field.

In the map, you can configure protection in three ways:

• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down
list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is LDAP Injection. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the LDAP Injection type before you can complete this form. Any form input that contains a string that matches one of the regular expressions in the specified pattern set is flagged for the action specified in the Action drop-down list. Leave the Parameter field empty and make no selection from the Allow Pattern Set drop-down list.

• Scan all of the form input data except for the values of one or more specific form parameters, in which certain expressions are allowed.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is LDAP Injection. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the LDAP Injection type before you can complete this form.
In the Parameter field enter the name of an exception parameter in which you want to allow input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions that you want to allow in the value of the exception parameter. Check the Add check box to the right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as many exception parameters as you want by repeating this procedure. Each parameter can have its own associated regular expression that defines the values that are allowed. To delete a parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern Set is flagged for the action specified in the Action drop-down list. If an exception parameter value contains a string that matches both the Pattern Set and Allow Pattern Set regular expressions, then it is allowed rather than being flagged for action.

• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter field. Check the Add check box to the right of the parameter name and click Update Parameters. You can enter as many parameters as you want by repeating this procedure. To delete a parameter, click the Delete check box to the right of the parameter name and click Update Parameters. If any of the specified parameter values contain a string that matches one of the regular expressions in the specified pattern set, the request is flagged for the action specified in the Action drop-down list.

Check the Ignore Case check box if you do not need to match the case of a parameter specified in the Parameter field. If you do need to match the case exactly, leave this check box unchecked.

In the Action drop-down list, choose the action to apply if a form input string that matches this map is detected. Actions include these:

• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.

If you want to log the event, click the Log check box below the Action drop-down list.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.

Meta Character Detection

A meta character attack inserts meta characters in the form input. Meta characters include characters such as semicolons (;), pipes (|), tildes (~), and so on.

Use the Meta Character Detection command to display a page that summarizes the meta character maps that are defined and to view, delete, clone, edit or add new maps. When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 46: Add Meta Character Detection Map

Give the map a name in the Map Name field.

In the map, you can configure protection in three ways:

• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is Meta Character Detection. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the Meta Character Detection type before you can complete this form. Any form input that contains a string that matches one of the regular expressions in the specified pattern set is flagged for the action specified in the Action drop-down list. Leave the Parameter field empty and make no selection from the Allow Pattern Set drop-down list.

• Scan all of the form input data except for the values of one or more specific form parameters, in which certain expressions are allowed.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is Meta Character Detection. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the Meta Character Detection type before you can complete this form.
In the Parameter field enter the name of an exception parameter in which you want to allow input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions that you want to allow in the value of the exception parameter. Check the Add check box to the right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as many exception parameters as you want by repeating this procedure. Each parameter can have its own associated regular expression that defines the values that are allowed. To delete a parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern Set is flagged for the action specified in the Action drop-down list. If an exception parameter value contains a string that matches both the Pattern Set and Allow Pattern Set regular expressions, then it is allowed rather than being flagged for action.

• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter field. Check the Add check box to the right of the parameter name and click Update Parameters. You can enter as many
parameters as you want by repeating this procedure. To delete a parameter, click the Delete check box to the right of the parameter name and click Update Parameters. If any of the specified parameter values contain a string that matches one of the regular expressions in the specified pattern set, the request is flagged for the action specified in the Action drop-down list.

Check the Ignore Case check box if you do not need to match the case of a parameter specified in the Parameter field. If you do need to match the case exactly, leave this check box unchecked.

In the Action drop-down list, choose the action to apply if a form input string that matches this map is detected. Actions include these:

• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.

If you want to log the event, click the Log check box below the Action drop-down list.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.

Format String Attacks

A format string attack passes format string characters as form input, which may result in the unwarranted change of the stack, which can cause segmentation faults or an unanticipated program to run.

Use the Format String Attacks command to display a page that summarizes the format string attack maps that are defined and to view, delete, clone, edit or add new maps. When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 47: Add Format String Attack Map

Give the map a name in the Map Name field.

In the map, you can configure protection in two ways:

• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list that lists regular expressions that you want to exclude from form input. The regular expression patterns that are listed here are those that are defined in the Pattern Definitions page where the type is Format String Attacks. If you see the message "No Pattern Set of this type is defined," you must define at least one pattern map of the Format String Attacks type before you can complete this form. Any form input that contains a string that matches one of the regular expressions in the specified pattern set is flagged for the action specified in the Action drop-down list. Leave the Parameter field empty and make no selection from the Allow Pattern Set drop-down list.

• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter field. Check the Add check box to the right of the parameter name and click Update Parameters. You can enter as many parameters as you want by repeating this procedure. To delete a parameter, click the Delete check box to the right of the parameter name and click Update Parameters. If any of the specified parameter values contain a string that matches one of the regular expressions in the specified pattern set, the request is flagged for the action specified in the Action drop-down list.

Scanning all form input data except for the values of one or more specific form parameters is not allowed in the Format String Attacks form. If Type is set to Scan All Parameters, and you
enter an exception parameter in the Parameter field, you will receive an error when you click Apply Changes.

Check the Ignore Case check box if you do not need to match the case exactly of a parameter specified in the Parameter field. If you do need to match the case exactly, leave this check box unchecked.

In the Action drop-down list, choose the action to apply if a form input string that matches this map is detected. Actions include these:

• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.

If you want to log the event, click the Log check box that is below the Action drop-down list.

When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the summary page without saving your changes.

Web Application Security

Regular Expression Syntax

The web application security module uses a regular expression syntax that is different from the regular expression syntax used by other AVS features. The regular expression syntax used by the web application security module is summarized in the following table.

Table 11: Web Application Security Regular Expression Syntax

Metacharacter   Description

.   Matches any single character, except for the new line character (0x0A). For example, the regular expression r.t matches the strings rat, rut, r t, but not root.

^   Matches the beginning of a line. For example, the regular expression ^When in matches the beginning of the string "When in the course of human events" but not the string "What and When in the".

*   Matches zero or more occurrences of the character immediately preceding. For example, the regular expression .* means match any number of any characters.

\   This is the quoting character; use it to treat the following metacharacter as an ordinary character. For example, \^ is used to match the caret character (^) rather than the beginning of a line. Similarly, the expression \. is used to match the period character rather than any single character.

[]
[c1-c2]
[^c1-c2]   Matches any one of the characters between the brackets. For example, the regular expression r[aou]t matches rat, rot, and rut, but not ret. Ranges of characters are specified by a beginning character (c1), a hyphen, and an ending character (c2). For example, the regular expression [0-9] means match any digit. Multiple ranges can be specified as well. The regular expression [A-Za-z] means match any upper or lower case letter. To match any character except those in the range (that is, the complement range), use the caret as the first character after the opening bracket. For example, the expression [^269A-Z] matches any characters except 2, 6, 9, and uppercase letters.

()   Treat the expression between ( and ) as a group, limiting the scope of other metacharacters.

|   Logical OR two conditions together. For example (him|her) matches the line "it belongs to him" and matches the line "it belongs to her" but does not match the line "it belongs to them."

+   Matches one or more occurrences of the character or regular expression immediately preceding. For example, the regular expression 9+ matches 9, 99, and 999.

?   Matches 0 or 1 occurrence of the character or regular expression immediately preceding.

{i}
{i,}   Matches a specific number (i) or minimum number (i,) of instances of the preceding character. For example, the expression A[0-9]{3} matches "A" followed by exactly 3 digits. That is, it matches A123 but not A1234. The expression [0-9]{4,} matches any sequence of 4 or more digits.

\r   Matches the carriage return character (0x0D).

\n   Matches the new line character (0x0A).

\t   Matches the tab character (0x09).

\f   Matches the form feed character (0x0C).

\xNN   Matches the character with the hexadecimal code NN, where N is between 0 and F.

\NNN   Matches the character with the octal code NNN, where N is between 0 and 8.
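The map sections above (SQL Injection, OS Command Injection, LDAP Injection, Meta Character Detection and Format String Attacks) all describe the same evaluation rules: the three scan modes, the Allow Pattern Set exception for Scan All Parameters, the Ignore Case box, the Action choices, the Log box, and the Format String Attacks restriction on exception parameters. The following is an added example, not code from this handbook or from AVS, that models those rules in Python so the behaviour can be exercised on sample submissions. Every pattern set, allow set, map name and form value in it is constructed for illustration; the regexes are written in Python's re syntax rather than the syntax of Table 11, and the real device's handling of the action (resetting or dropping the connection, sending a page) is reduced to reporting which action the map selected.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the Pattern Definitions page (one pattern set per map
# type). These regexes are illustrative, not AVS's own pattern definitions.
PATTERN_DEFINITIONS: Dict[str, List[str]] = {
    "SQL Injection": [r"'\s*(or|and)\s*'", r"union\s+select", r"--\s*$"],
    "Command Injection": [r";\s*[\w/]+", r"\|\s*[\w/]+", r"`[^`]*`"],
    "LDAP Injection": [r"\)\s*\(\s*[|&]", r"\*\s*\)"],
    "Meta Character Detection": [r"[;|~]"],
    "Format String Attacks": [r"%[0-9]*[nxsp]"],
}
# Constructed Allow Pattern Set: what an exception parameter may contain even
# though the map's Pattern Set would otherwise flag it.
ALLOW_PATTERN_SETS: Dict[str, List[str]] = {"free-text-comment": [r"^[\w\s.,;'?!()-]*$"]}


@dataclass
class Verdict:
    flagged: bool
    action: str = "None"               # one of the Action drop-down choices
    parameter: Optional[str] = None
    pattern: Optional[str] = None
    log_entry: Optional[str] = None    # set only when the map's Log box is checked


@dataclass
class InjectionMap:
    name: str                          # Map Name field
    map_type: str                      # Pattern Definitions type, e.g. "SQL Injection"
    scan_type: str = "Scan All Parameters"   # or "Scan Specific Parameters"
    # Scan All: exception parameter name -> Allow Pattern Set name.
    # Scan Specific: parameter name -> None; only these parameters are scanned.
    parameters: Dict[str, Optional[str]] = field(default_factory=dict)
    ignore_case: bool = False          # Ignore Case box: compare parameter names loosely
    action: str = "Drop"
    log: bool = True
    pattern_set: List[re.Pattern] = field(init=False)

    def __post_init__(self) -> None:
        patterns = PATTERN_DEFINITIONS.get(self.map_type, [])
        if not patterns:
            raise ValueError(f'No Pattern Set of type "{self.map_type}" is defined')
        self.pattern_set = [re.compile(p) for p in patterns]
        # The Format String Attacks form rejects exception parameters (see above).
        if (self.map_type == "Format String Attacks"
                and self.scan_type == "Scan All Parameters" and self.parameters):
            raise ValueError("exception parameters are not allowed in the "
                             "Format String Attacks form")

    def _configured(self, form_name: str) -> Optional[str]:
        """The Parameter entry that names form_name, honouring Ignore Case."""
        fold = (lambda s: s.lower()) if self.ignore_case else (lambda s: s)
        return next((p for p in self.parameters if fold(p) == fold(form_name)), None)

    @staticmethod
    def _first_hit(patterns: List[re.Pattern], value: str) -> Optional[str]:
        return next((p.pattern for p in patterns if p.search(value)), None)

    def evaluate(self, form: Dict[str, str]) -> Verdict:
        """Apply the map to one submitted form; the first flagged value decides."""
        for name, value in form.items():
            configured = self._configured(name)
            if self.scan_type == "Scan Specific Parameters" and configured is None:
                continue                               # unlisted parameters are not scanned
            hit = self._first_hit(self.pattern_set, value)
            if hit is None:
                continue
            allow_name = self.parameters.get(configured) if configured else None
            if self.scan_type == "Scan All Parameters" and allow_name:
                allow = [re.compile(p) for p in ALLOW_PATTERN_SETS[allow_name]]
                if self._first_hit(allow, value):
                    continue                           # matches both sets: allowed
            entry = (f"map={self.name} type={self.map_type} parameter={name} "
                     f"pattern={hit!r} action={self.action}") if self.log else None
            return Verdict(True, self.action, name, hit, entry)
        return Verdict(False)


def format_string_exception_rejected() -> bool:
    """The Format String Attacks caveat: an exception parameter is an error."""
    try:
        InjectionMap("fmt", "Format String Attacks", parameters={"note": "free-text-comment"})
    except ValueError:
        return True
    return False


def demo() -> Dict[str, Verdict]:
    """Constructed form submissions run through three maps; verdicts keyed by case."""
    sqli_all = InjectionMap("sqli-all", "SQL Injection", action="Drop")
    sqli_except = InjectionMap("sqli-except", "SQL Injection", ignore_case=True,
                               parameters={"Comment": "free-text-comment"}, action="[SEND-PAGE]")
    cmdi_specific = InjectionMap("cmdi-filename", "Command Injection",
                                 scan_type="Scan Specific Parameters",
                                 parameters={"filename": None}, action="Reset server client")
    benign_note = "don't stop; I'll check 'or' later"   # constructed; matches both sets
    hostile = "x' or 'a'='a"                            # constructed probe string for the detector
    return {
        "clean": sqli_all.evaluate({"user": "alice", "comment": "hello"}),
        "sqli": sqli_all.evaluate({"user": hostile, "comment": "hi"}),
        "exception_allowed": sqli_except.evaluate({"user": "bob", "comment": benign_note}),
        "exception_not_allowed": sqli_except.evaluate({"user": "bob", "comment": hostile}),
        "cmdi_listed": cmdi_specific.evaluate({"filename": "report.txt; ls", "notes": "a | b"}),
        "cmdi_unlisted": cmdi_specific.evaluate({"filename": "report.txt", "notes": "a | b"}),
    }
```

demo() shows the points the page makes one at a time: a value that matches the Pattern Set is flagged for the map's action; an exception parameter whose value matches both the Pattern Set and its Allow Pattern Set is let through, while one that matches only the Pattern Set is still flagged; with Ignore Case set, the entry "Comment" covers the form field "comment"; and a Scan Specific Parameters map never looks at a parameter it does not list, which is why "notes" passes even though it contains a pipe. Constructing a Format String Attacks map with an exception parameter raises the same kind of error the form reports on Apply Changes.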

8.3 Configuring ModSecurity

One of the more commonly used application layer firewalls is ModSecurity, which is an open source intrusion detection and prevention system. Mod_security is an Apache module that helps to protect your website from various attacks. It is used to block commonly known exploits by use of regular expressions and rule sets and is enabled on all InMotion servers by default. Mod_Security can potentially block common code injection attacks, which strengthens the security of the server. In order to make ModSecurity more useful, it must be configured with rules. These rules can be created by us according to need, or we can use the Open Web Application Security Project (OWASP) rules.

OWASP is a group of security communities that develops and maintains a free set of application protection rules, which is called the OWASP ModSecurity Core Rule Set (CRS). You can think of OWASP as an enhanced core rule set that ModSecurity will follow to prevent attacks on the server.

ModSecurity is a hybrid web application firewall engine that relies on the host web server for some of the work. The only supported web server at the moment is Apache 2.x, but it is possible, in principle, to integrate ModSecurity with any other web server that provides sufficient integration APIs.

The functionality offered by ModSecurity falls roughly into four areas:

Parsing: ModSecurity tries to make sense of as much data as is available. The supported data formats are backed by security-conscious parsers that extract bits of data and store them for use in the rules.

Buffering: In a typical installation, both request and response bodies will be buffered. This means that ModSecurity usually sees complete requests before they are passed to the application for processing, and complete responses before they are sent to clients. Buffering is an important feature, because it is the only way to provide reliable blocking. The downside of buffering is that it requires additional RAM to store the request and response body data.

Logging: Full transaction logging (also referred to as audit logging) is a big part of what ModSecurity does. This feature allows you to record complete HTTP traffic, instead of just rudimentary access log information. Request headers, request body, response header, response body—all those bits will be available to you. It is only with the ability to see what is happening that you will be able to stay in control.

Rule engine: The rule engine builds on the work performed by all other components. By the time the rule engine starts operating, the various bits and pieces of data it requires will all be prepared and ready for inspection. At that point, the rules will take over to assess the transaction and take actions as necessary.

To know more about ModSecurity and its configuration please visit https://www.modsecurity.org and use the following https://www.feistyduck.com/library/modsecurity-handbook-free/online/ to know more about installation and configuration.
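The four areas map directly onto configuration directives. The following is an added example of a minimal Apache 2.x ModSecurity configuration; it is not taken from this handbook or from the ModSecurity project, and the log path, the CRS install path and the rule id are assumptions to be replaced with the values used on the server. It turns the rule engine on, buffers request and response bodies, enables audit logging for transactions that matched a rule, and places one locally written rule ahead of the OWASP CRS include.

```apache
# Rule engine: evaluate rules and enforce their actions.
# Use "DetectionOnly" first to observe what the rules would block.
SecRuleEngine On

# Parsing and buffering: read request and response bodies in full so the
# rules see complete transactions (this is what makes blocking reliable).
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288

# Logging: full transaction (audit) log, written only for transactions that
# triggered a rule or returned an error status. Path is an assumption.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABCFHZ
SecAuditLog /var/log/apache2/modsec_audit.log

# A locally written rule (id chosen outside the CRS id range; assumption):
# inspect every form argument in phase 2 (after the request body is parsed).
SecRule ARGS "@rx (?i)union\s+select" \
    "id:100001,phase:2,deny,status:403,log,msg:'SQL injection signature in form input',tag:'injection'"

# OWASP ModSecurity Core Rule Set (install path is an assumption).
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf
```

The audit log entry for a blocked request carries the parts listed in SecAuditLogParts (request headers and body, response headers, the matched rule message, and the trailer), which is the visibility the Logging paragraph above refers to; the access log alone would only show a 403.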

UNIT IX
Patch Management

This Unit covers:

• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
  9.1 Patch Management Overview
  9.2 The Patch Management Process
  9.3 Windows Patch Management Tools

LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
Ensuring Measures: Peer group, Faculty group and Industry experts.
Duration (Hrs): 2 hr in class presentations
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Projection facilities

Performance Outcomes:
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Ensuring Measures: KA4, KA5. Peer group, Faculty group and Industry experts. KB1 - KB4 Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline (24/7) Research and Learning activity.
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability
• Internet with WiFi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Center for Internet Security

Suggested Learning Activities

Activity 1:

Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.

Activity 2:

Ask the students to research cases of attacks over the years and the impact of those attacks on the organisations where they occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get from there. Present the same in class and elaborate upon the various ways that information can be used.

Training Resource Material

9.1 Patch Management Overview

A patch, also called a service patch, is a fix to a program bug. A patch is an actual piece of object code that is inserted into (patched into) an executable program. Patches typically are available as downloads over the Internet.

Patch management is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system. Patch management tasks include: maintaining current knowledge of available patches, deciding what patches are appropriate for particular systems, ensuring that patches are installed properly, testing systems after installation, and documenting all associated procedures, such as specific configurations required.

A number of products are available to automate patch management tasks, including RingMaster's Automated Patch Management, PatchLink Update, and Gibraltar's Everguard.

9.2 The Patch Management Process

Patch management is a circular process and must be ongoing. The unfortunate reality about software vulnerabilities is that, after you apply a patch today, a new vulnerability must be addressed tomorrow.

Develop and automate a patch management process that includes each of the following:

Detect. Use tools to scan your systems for missing security patches. The detection should be automated and will trigger the patch management process.

Assess. If necessary updates are not installed, determine the severity of the issue(s) addressed by the patch and the mitigating factors that may influence your decision. By balancing the severity of the issue against the mitigating factors, you can determine whether the vulnerabilities are a threat to your current environment.

Acquire. If the vulnerability is not addressed by the security measures already in place, download the patch for testing.

Test. Install the patch on a test system to verify the ramifications of the update against your production configuration.

Deploy. Deploy the patch to production computers. Make sure your applications are not affected. Employ your rollback or backup restore plan if needed.

Maintain. Subscribe to notifications that alert you to vulnerabilities as they are reported. Begin the patch management process again.
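The Detect and Assess steps above are the part of the cycle that a scanner or a script performs before anyone downloads anything. The following Python script is an added example, not code from this handbook or from any of the products named in this chapter: it compares a software inventory against an advisory list, reports every installed version older than the version that carries the fix, and applies one mitigating factor (whether the host is internet-facing) before deciding the action. The product names, versions, severities and host names are constructed for illustration, and versions are assumed to be plain dotted numeric strings.

```python
# Added example: the Detect and Assess steps of the patch cycle, run over a
# constructed software inventory and a constructed advisory list.
# Product names, versions, severities and hosts are made up for illustration.
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version such as '2.4.49' into a comparable tuple,
    so that '2.4.9' sorts before '2.4.10' (string comparison would not)."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str    # first version that contains the fix
    severity: int    # 1 = low, 2 = medium, 3 = high, 4 = critical
    remote: bool     # True if exploitable over the network


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str
    internet_facing: bool


# Constructed advisory feed (not real advisories or CVEs).
ADVISORIES = [
    Advisory("webserver", "2.4.50", severity=4, remote=True),
    Advisory("webserver", "2.4.47", severity=2, remote=True),
    Advisory("dbengine", "13.5", severity=3, remote=False),
    Advisory("sshd", "8.8", severity=3, remote=True),
]

# Constructed inventory, as a detection tool would report it.
INVENTORY = [
    Installed("web01", "webserver", "2.4.48", internet_facing=True),
    Installed("web01", "sshd", "8.9", internet_facing=True),
    Installed("app02", "webserver", "2.4.46", internet_facing=False),
    Installed("db01", "dbengine", "13.4", internet_facing=False),
]


def detect(inventory, advisories):
    """Detect: every (host, advisory) pair where the installed version is older than the fix."""
    missing = []
    for item in inventory:
        for adv in advisories:
            if item.product == adv.product and parse_version(item.version) < parse_version(adv.fixed_in):
                missing.append((item, adv))
    return missing


def assess(missing):
    """Assess: weigh severity against mitigating factors and decide the action."""
    findings = []
    for item, adv in missing:
        effective = adv.severity
        # Mitigating factor: a remotely exploitable flaw on a host that is not
        # internet-facing is one level less urgent; local flaws are unchanged.
        if adv.remote and not item.internet_facing:
            effective -= 1
        if effective >= 4:
            action = "emergency change: acquire, test and deploy now"
        elif effective >= 3:
            action = "deploy in the current patch cycle"
        else:
            action = "bundle into the next scheduled cycle"
        findings.append({
            "host": item.host, "product": item.product,
            "installed": item.version, "fixed_in": adv.fixed_in,
            "severity": adv.severity, "effective": effective, "action": action,
        })
    # Most urgent first; ties broken by host and product so the report is reproducible.
    findings.sort(key=lambda f: (-f["effective"], f["host"], f["product"]))
    return findings


if __name__ == "__main__":
    for f in assess(detect(INVENTORY, ADVISORIES)):
        print(f"{f['host']:6} {f['product']:10} {f['installed']:>7} -> {f['fixed_in']:<7} "
              f"sev {f['severity']} (effective {f['effective']}): {f['action']}")
```

On the constructed data the internet-facing web server with the critical flaw is the only emergency change; the same flaw on the internal application host drops to the current cycle, and the host whose installed version is already newer than the fix produces no finding at all. The downgrade rule is deliberately the only mitigating factor applied, because the Assess step, as the text notes, is a judgement call that a script should make visible rather than hide.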


9.3 Windows patch management tools

Different approaches to patch management tools

An organization with more than a few workstations or servers needs some kind of automated way to handle patch management, and there is a plethora of free patch management tools to choose from. Because there's more than one way to accomplish patch management, it's not uncommon for two or more parts of the same organization to be updated and managed using different applications. You can find that situation in environments where a branch office or division of a company is moved or acquired. Suddenly, what worked before is not what works for the new parent. In this and almost all other cases, the best approach is to pick one system and consolidate on it as aggressively as possible.

There are two types of patch management tools out there:

 Reporting tools, for example Microsoft's HFNETCHK tool and the commercial version of the same program, HFNetChkPro. These tools scan local machines or computers on a network, audit whatever's in reach and then produce detailed summaries or digests about what is installed where, as well as what might need to be installed or updated. They do the research and make recommendations, but they don't make any actual changes. (HFNETCHK itself has since been superseded by Microsoft Baseline Security Analyzer.)

 Management or deployment tools, for example Microsoft's own Windows Server Update Services (WSUS), Gravity Storm Software's Service Pack Manager and Ecora Patch Manager 5.0. These programs do the actual work of downloading and applying patches to local or remote machines. In many cases, they are also reporting tools -- they audit computers to see what's installed and what's needed, then download the needed updates and push them out according to an administrator's directives.

If you use multiple auditing or reporting tools, one caveat is that there may be inconsistencies between the depth or breadth of reporting provided by each tool; you should be aware of that ahead of time so you're not thrown off. If you are using multiple patch management or deployment tools, the problem isn't so much that one tool duplicates or undoes the work of another, but that the administrator (or administrators) becomes confused by the presence of multiple tools to get the same job done.

Using third-party tools for Windows patch management

Yes to third-party patching tools

Here are some reasons to say yes to third-party patching tools.

Additional features: Third-party patch management systems often have additional features that aren't present in the standard Microsoft way of doing things. For instance, Service Pack Manager 2000 allows the administrator to create multiple arbitrary groups of computers to better govern who gets what updates.

Automation: Some third-party applications have automated functions that are above and beyond what's available by default, and they don't require scripting to be effective.

Additional coverage and information: Many of these tools have detailed reporting and research functions -- for instance, the ability to automatically generate a summary of what's installed on a given machine and relevant details from Microsoft Knowledge Base articles that apply to each fix.

No to third-party patching tools

Internal consistency: If you have one department that's using a third-party tool and another that's using the standard Microsoft patch deployment methods, it can become confusing for people trying to maintain standards across organizations -- and it might not be convenient or politically possible to get everyone to use the same tools. In such a case it might be best to fall back on Microsoft standards.

Retraining: When people come in from another company or department where no such third-party tools are in use, you'll need to retrain them. If this happens often, it can be a drain on time and energy.

Unneeded additional features: Not every organization needs the advanced features offered by third-party products. Sometimes the defaults work just fine.

These are not the only reasons to use or not use third-party tools for patching. If you need more convincing on either side of the topic, check out security expert Serdar Yegulalp's article on third-party patch management tools.

Free patch management tools

Numara patch management

Numara™ Patch Manager is the complete patch management solution that scans, updates and downloads patches for Microsoft operating systems and applications across your entire network, directly from your desktop.

PatchLink Security Patch and Vulnerability Management Solution

PatchLink is a security patch and vulnerability management solution that combines vulnerability assessment, patch management, network access control and reporting to help organizations address emerging security threats while minimizing costs and complexity.

UpdateEXPERT Premium

UpdateEXPERT Premium is another advanced policy-based patch management solution.


To learn more about patch management, please visit the following resources:

https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/PatchManagementRecommendedPractice_Final.pdf

https://www.sans.org/reading-room/whitepapers/bestprac/practical-methodology-implementing-patch-management-process-1206

https://support.symantec.com/en_US/article.HOWTO3124.html

Trainer’s Handbook – SSC/ Q0904/0905 – Security Analyst

SSC/ N 0904: Contribute to information security audits
SSC/ N 0905: Support teams to prepare for and undergo information security audits

UNIT I: Information Security Audit


UNIT II: Types of Security Audits
UNIT III: Role of an Auditor
UNIT IV: Vulnerability Analysis
UNIT V: Penetration Testing
UNIT VI: Information Security Audit Tasks
UNIT VII: Audit Report and Actions
UNIT VIII: Audit Support Activities


Unit Code SSC/ N 0904

Unit Title (Task) Contribute to information security audits

Description This unit is about carrying out specific audit tasks as part of information security
audits.
Scope This unit/task covers the following:

Appropriate people:
 line manager
 members of the security team
 subject matter experts
Information security audits may cover:
 Identity and Access Management (IdAM)
 networks (wired and wireless)
 devices
 endpoints/edge devices
 storage devices
 servers
 software
 application hosting
 application security
 application support
 application penetration
 application testing
 content management
 messaging
 web security
 security of infrastructure
 infrastructure devices (e.g. routers, firewall services)
 computer assets, servers and storage networks
 intrusion detection/prevention
 security incident management
 third party security management
 personnel security requirements
 physical security
 risk assessment
 business continuity
 disaster recovery planning


Performance Criteria(PC) w.r.t. the Scope

The user / individual on the job should be able to:


PC1. establish the nature and scope of information security audits and your
role and responsibilities within them
PC2. identify the procedures/guidelines/checklists for the audit tasks you are
required to carry out
PC3. identify any issues with procedures/guidelines/checklists for carrying out
audit tasks and clarify these with appropriate people
PC4. collate information, evidence and artefacts when carrying out audits
PC5. carry out required audit tasks using standard tools and following
established procedures/guidelines/checklists
PC6. refer to appropriate people where audit tasks are beyond your levels of
knowledge, skills and competence
PC7. record and document audit tasks and audit results using standard tools
and templates
PC8. review results of audit tasks with appropriate people and incorporate
their inputs
PC9. comply with your organization's policies, standards, procedures, guidelines
and checklists when contributing to information security audits
Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company / organization and its processes)

The user/individual on the job needs to know and understand:

KA1. your organization's policies, standards, procedures, guidelines, systems and checklists for information security testing and auditing and your role in applying these
KA2. scope of work to be carried out and the importance of keeping within these boundaries
KA3. limits of your knowledge, skills and competence and who to seek guidance from
KA4. different types of information/security audits
KA5. who to involve when carrying out information security audits
KA6. how to record and report audit tasks
KA7. the importance of recording the results of audit tasks
KA8. how to obtain and use input from others when carrying out information security audit tasks
KA9. the purpose of information security audits and importance of taking part in these
KA10. how to improve the process and outcomes of future audits
KA11. the range of standard tools, templates and checklists available and how to use these
KA12. the role of teams in information security audits
KA13. methods and techniques used when working with others
B. Technical Knowledge

The user/individual on the job needs to know and understand:

KB1. common issues that may affect carrying out audit tasks and how to deal with these
KB2. different systems and structures that may need information security audits and how they operate, including:
 servers and storage devices
 infrastructure and networks
 application hosting and content management
 communication routes such as messaging
KB3. features, configuration and specifications of information security systems and devices and associated processes and architecture
KB4. the importance of auditing and the key principles and rules of conduct that apply when auditing
KB5. common audit techniques and how to record and report audit tasks
KB6. methods and techniques for testing compliance against your organization's security criteria, legal and regulatory requirements


Unit Code SSC/N0905

Unit Title (Task) Support teams to prepare for and undergo information security audits

Description This unit is about supporting functional teams to prepare for and undergo information
security audits carried out by internal or external auditors.

Scope This unit/task covers the following:


Information security audits:
 internal
 external
Appropriate people:
 line manager
 members of functional teams
 subject matter experts
Audit tasks on:
 Identity and Access Management (IdAM)
 physical security
 networks
 storage devices
 servers
 applications
 application penetration and testing
 application support
 application hosting
 content management
 messaging
 infrastructure devices (e.g. routers, firewall services)
 computer assets, servers and storage networks
 third parties
 personnel requirements
 support functions (e.g. HR support)
Performance Criteria (PC) w.r.t. the Scope

To be competent, you must be able to:

PC1. establish the nature and scope of information security audits and your role
and responsibilities in preparing for them
PC2. identify the procedures/guidelines/checklists that will be used for
information security audits
PC3. identify the requirements of information security audits and prepare for
audits in advance
PC4. liaise with appropriate people to gather data/information required for
information security audits


PC5. organize data/information required for information security audits using standard templates and tools
PC6. provide immediate support to auditors to carry out audit tasks
PC7. participate in audit reviews, as required
PC8. comply with your organization's policies, standards, procedures, guidelines
and checklists when supporting teams to prepare for and undergo
information security audits
Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company/ organization and its processes)

You need to know and understand:

KA1. your organization's policies, standards, procedures, guidelines, systems and checklists for information security audits and your role in applying these
KA2. scope of work to be carried out and the importance of keeping within these boundaries
KA3. limits of your role, responsibilities, skills and competence and who to seek guidance from when these are exceeded
KA4. the purpose of information security audits and importance in taking part in
these
KA5. the role of teams in information security audits
KA6. what information is required for information security audits and the importance of preparing this in advance of the audit
KA7. how to improve the process and outcomes for future audits
KA8. types of support required by teams for information security audits
and how to provide this
KA9. different types of information security audits
KA10. different approaches and ways of working for internal and external
information security audits
KA11. who to involve when carrying out information security audits
KA12. your organization’s knowledge base and how to use this to support
information security audits
KA13. how to carry out, record and report audit tasks
KA14. the range of data and information required for information security audits
and where to obtain this
KA15. methods and techniques used when working with others
KA16. standard tools, templates and checklists available and how to use these
KA17. the importance of providing immediate support to auditors as required
B. Technical Knowledge

You need to know and understand:

KB1. different information systems that may require audit tasks:
 servers and storage devices
 infrastructure, assets and networks
 application hosting, testing, penetration and support
 content management
 communication routes such as messaging
 physical security


 support functions such as personnel and HR services


 third party systems
KB2. features, configuration and specifications of information security systems and
devices which may be audited
KB3. how to collate data for information security audits
KB4. additional information that may be required by auditors and where to source
this


THE UNITS
The module for this NOS is divided into eight units, based on the learning objectives given below.
UNIT I: Information Security Audit
1.1. Information Systems Audit versus Information Security Audit
1.2. What is an Information Security Audit?
1.3. Scope of the Audit
1.4. What makes a good security audit?
1.5. Constraints of a security audit
UNIT II: Security Audits Features
2.1. Types of Security Audits
2.2. Phases of Information Security Audit
2.3. Information Security Audit Methodology
2.4. Security Testing Frameworks
2.5. Audit Process and Audit Security Practices
2.6. Testing Security Technology and Templates
UNIT III: Information Security Auditor
3.1 Role of an Auditor
3.2 Hiring an Information Security Auditor
3.3 Required Skills Sets of an Information Security Auditor
3.4 Ethics of an Information Security Auditor
3.5 What Makes an Information Security Auditor
UNIT IV: Vulnerability Analysis
4.1. What Is Vulnerability Assessment?
4.2. Vulnerability Classification
4.3. Types of Vulnerability Assessment
4.4. How to Conduct a Vulnerability Assessment
4.5. Vulnerability Analysis Tools
UNIT V: Penetration Testing
5.1. About penetration testing
5.2. Penetration testing stages
UNIT VI: Information Security Audit Tasks
6.1 Pre-audit tasks
6.2 Information Gathering
6.3 External Security Audit
6.4 Internal Network Security Auditing
6.5 Firewall Security Auditing
6.6 IDS Security Auditing
UNIT VII: Audit Reports and Actions

UNIT VIII: Audit Support Activities


UNIT I
Information Security Audit

This Unit covers:


 Lesson Plan
 Suggested Learning Activities
 Trainer’s Resource Material
1.1. Information Systems Audit versus Information Security Audit
1.2. What is an Information Security Audit?
1.3. Scope of the Audit
1.4. What makes a good security audit?
1.5. Constraints of a security audit


LESSON PLAN

Performance Outcomes

To be competent, you must be able to:

PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines

You need to know and understand:

KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these

KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Ensuring Measures

Peer group, Faculty group and Industry experts.

KA4, KA5, KB1 - KB4: Peer group, Faculty group and Industry experts. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.

Duration (Hrs)

2 hrs in-class presentations; 2 hrs classroom assessment and 10 hrs offline research and learning activity.

Work Environment / Lab Requirement

 PCs/Tablets/Laptops
 Projection facilities
 Labs availability (24/7)
 Internet with WiFi (min 2 Mbps dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security


Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research various types of attacks and find
examples of each type of malware (virus, Trojan, worm, etc.). The group that gets the
maximum number of correct examples will get a prize.

Activity 2:

Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.

Activity 3:

Ask the students to access the CVE list and note all the types of information that they can
obtain from it. Have them present the same in class and elaborate upon the various ways that
information can be used.

Activity 4:

Divide the class into teams and ask them to audit various aspects of the training institute
or the classroom, such as cleanliness, safety and security, hygiene, etc. Ask them to
present their report in class. Highlight the need for planning, scoping, resourcing, detailing,
discipline, integrity, teamwork, eliminating bias and presentation as some of the key
elements in conducting a good audit.


Lesson

An information security audit is one of the best ways to determine the security of an organization's information without incurring the cost and other associated damages of a security incident.

1.1. Information Systems Audit versus Information Security Audit

Information systems audits and information security audits are two tools used to ensure the safety and integrity of information and sensitive data. People often confuse the two and feel they are the same, but this is not the case.

Information systems audit is a large, broad term that encompasses demarcation of responsibilities, server and equipment management, problem and incident management, network division, safety, security and privacy assurance, etc.

An information security audit is focused only on the security of data and information (electronic and print) while it is being stored and transmitted. Both audits have many overlapping areas.

In short, an information systems audit deals with operations and infrastructure, whereas an information security audit deals with data on the whole.


1.2. What is an Information Security Audit?


Information security audits, vulnerability assessments and penetration testing are the three main types of security diagnostics.

Security audits are a formal process, carried out by certified auditing professionals, to measure an information system's performance against a list of criteria.

A vulnerability assessment, on the other hand, involves a comprehensive study of an entire information system, seeking potential security weaknesses; it is usually carried out by industry experts who may or may not be certified.

A penetration test (pen test) is often confused with a computer security audit. They are not the same thing. A pen test is an adversarial exercise, often run without the knowledge of the operational staff being tested, in which a security expert attempts various attacks to test whether or not a system could withstand similar attacks from a malicious hacker; it may include anything a real attacker might try, such as social engineering. It is a narrowly focused attempt to look for security holes in a critical and specific resource, such as a firewall or web server.

A computer security audit is a formal, systematic, measurable technical assessment of an organization's security policies, made to evaluate their overall effectiveness at a specific site. Computer security auditors work with the full knowledge and support of the organization in order to carry out the audit. This usually includes receiving documentation and access from the organisation's representative. A security analyst may be assigned to support and facilitate the audit.

Computer security auditors perform their work through personal interviews, review of policies, vulnerability scans, examination of operating system settings, analysis of network shares, and review of historical data and logs.

Some of the purposes of audits are listed below:

a. Building awareness of current practices and risks
b. Reducing risk, by evaluating, planning and supplementing security efforts
c. Strengthening controls, including both automated and human
d. Compliance with customer and regulatory requirements and expectations
e. Building awareness and interaction between technology and business teams
f. Improving overall IT governance in the organisation


1.3. Scope of the Audit


The scope of the audit depends upon:

a) Site business plan
b) Type of data assets to be protected
c) Value or importance of the data and relative priority
d) Previous security incidents
e) Time available
f) Auditors' experience and expertise

What should be covered in audits?

 Access control
 Accountability and audit
 Application hosting
 Application penetration
 Application security
 Application support
 Application testing
 Awareness and training
 Business continuity
 Certification, accreditation and security assessments
 Computer assets, servers and storage networks
 Configuration management
 Content management
 Contingency planning
 Disaster recovery planning
 Endpoints/edge devices
 Identification, authentication and access management
 Incident response
 Infrastructure devices (e.g. routers, firewall services)
 Intrusion detection/prevention
 Maintenance
 Media protection
 Messaging
 Networks (wired and wireless)
 Personnel security
 Physical and environmental protection
 Risk assessment
 Security incident management
 Security of infrastructure
 Security planning
 Software
 Storage devices
 System and information integrity
 System services and acquisition
 Systems and communications protection
 Third party security management
 Web security

There are a number of key questions that security audits attempt to answer, which include but are not limited to:

 Are passwords secure and difficult to crack?
 Are access control lists (ACLs) in place on network devices to control who has access to shared data?
 Are there audit logs that record who accesses data?
 Are the audit logs reviewed effectively, and how are they reviewed?
 Are the security settings for operating systems in accordance with accepted industry security practices?
 How are unnecessary applications and computer services managed? Are they eliminated in a timely and effective manner for each system?
 Are the operating systems and commercial applications patched? How and when did the patching take place?
 How is backup media stored? What is the backup policy and is it followed? Who has access to the backup media, and is it up to date?
 Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan? Does it have gaps in its construct?
 Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
 What security considerations were used while writing custom-built applications? Are these adequate and well documented?
 How have these custom applications been tested for security flaws?
 How are configuration and code changes documented at every level? How are these records reviewed, and who conducts the review?

The duration of the cross-cutting audit depends on the size as well as the complexity of the organisation. The size of the organisation is determined by the number of employees and locations. The level of complexity of an organisation can only be determined on an organisation-by-organisation basis, according to criteria such as the following:

• What does the system landscape look like (number of systems and level of heterogeneity of the systems used)?
• How many network gateways are there?
• Which and how many IT applications are used in the organisation? Are they used to support critical business processes?
• Are higher-level procedures used that may affect realms outside of the organisation?
• How high is the protection requirement for the infrastructure, systems and IT applications?
• Is the organisation active in areas critical to security (for example, is the organisation a security agency)?
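Several of the questions above (are ACLs in place to control who has access to shared data, are the audit logs reviewed effectively, are passwords secure) are answered the same way: collect a piece of evidence and compare it with a stated criterion. The Python script below is an added example and not part of this handbook: it runs three such checks over constructed evidence (an exported share ACL, an effective password policy and a register of completed log reviews) against an approved access matrix and illustrative thresholds, and returns the findings ordered by severity. The share names, group names, dates, policy values and thresholds are all assumptions made for the example.

```python
# Added example: evaluating collected audit evidence against audit criteria.
# All evidence below is constructed for illustration; the thresholds are
# illustrative, not values taken from the handbook.
from datetime import date

# Approved access matrix: which groups are supposed to reach each share.
APPROVED_ACCESS = {
    "finance": {"finance-team", "finance-mgr"},
    "hr": {"hr-team"},
}

# Evidence 1: share ACL export as collected from the file server (constructed).
OBSERVED_ACL = {
    "finance": {"finance-team", "finance-mgr", "Everyone"},
    "hr": {"hr-team", "helpdesk"},
}

# Evidence 2: effective OS password policy (constructed).
PASSWORD_POLICY = {"min_length": 8, "max_age_days": 365, "lockout_threshold": 0}

# Evidence 3: log-review register, one date per completed review (constructed).
LOG_REVIEWS = [date(2015, 1, 12), date(2015, 2, 9), date(2015, 5, 4)]


def check_acls(approved, observed):
    """Flag every principal on a share that the approved access matrix does not list."""
    findings = []
    for share, principals in sorted(observed.items()):
        for extra in sorted(principals - approved.get(share, set())):
            # Access granted to everyone is a higher-severity gap than one stray group.
            severity = "high" if extra.lower() == "everyone" else "medium"
            findings.append((severity, f"share '{share}': '{extra}' has access but is not in the approved matrix"))
    return findings


def check_password_policy(policy, min_length=12, max_age_days=90, max_failures=5):
    """Compare the effective policy with the criteria the auditor applies."""
    findings = []
    if policy["min_length"] < min_length:
        findings.append(("medium", f"password minimum length is {policy['min_length']}, criterion is {min_length}"))
    if policy["max_age_days"] > max_age_days:
        findings.append(("low", f"password maximum age is {policy['max_age_days']} days, criterion is {max_age_days}"))
    # A threshold of 0 means lockout is disabled, which is the worst case.
    if policy["lockout_threshold"] == 0 or policy["lockout_threshold"] > max_failures:
        findings.append(("medium", f"account lockout threshold is {policy['lockout_threshold']}, criterion is {max_failures} failed attempts"))
    return findings


def check_log_review(reviews, audit_date, max_gap_days=31):
    """Reviews must occur at least every max_gap_days, including the gap up to the audit date."""
    findings = []
    timeline = sorted(reviews) + [audit_date]
    for earlier, later in zip(timeline, timeline[1:]):
        gap = (later - earlier).days
        if gap > max_gap_days:
            findings.append(("medium", f"log review gap of {gap} days between {earlier} and {later}"))
    return findings


def run_audit(audit_date):
    """Collect all findings and order them by severity for the report."""
    findings = (check_acls(APPROVED_ACCESS, OBSERVED_ACL)
                + check_password_policy(PASSWORD_POLICY)
                + check_log_review(LOG_REVIEWS, audit_date))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


if __name__ == "__main__":
    for severity, message in run_audit(date(2015, 6, 1)):
        print(f"[{severity:6}] {message}")
```

Each finding carries the evidence it was derived from (the share and principal, the policy value, the two review dates), which is what an auditor needs when writing up the result and what the audited team needs to reproduce it. Note that the log-review check also measures the gap from the last review to the audit date, so a register that simply stopped being updated is caught as well.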


1.4 What makes a good security audit?


A good security audit is part of a regular and comprehensive framework of information security. The IS Auditing Standards developed and disseminated by the Information Systems Audit and Control Association (ISACA) are already in circulation and can be consulted for further information.

A good security audit is likely to include the following:

 Clearly defined objectives.
 Comprehensive coverage of security, as a cross-cutting audit across the entire organisation. Partial audits may be done for specific purposes.
 An audit team that is experienced, independent and objective. Every audit team should consist of at least two auditors to guarantee the independence and objectivity of the audit ("two-person rule"). Their credentials should be verifiable.
 An unrestricted right to obtain and view information.
 Important IS audit meetings, such as the opening and closing meetings as well as the interviews, conducted as a team. This procedure ensures objectivity, thoroughness and impartiality.
 No member of the team, for reasons of independence and objectivity, should have participated directly in supporting or managing the areas to be audited; e.g. they must not have been involved in the development of concepts or the configuration of the IT systems.
 It should be ensured that actual operations in the organisation are not significantly disrupted by the audit. The auditors never actively intervene in systems, and therefore should not provide any instructions for making changes to the objects being audited.
 Management responsibility for supporting the conduct of a fair and comprehensive audit, with appropriate communication and the appointment of a central point of contact and other support for the auditors.
 Execution that is planned and carried out in a phase-wise manner.

All audits have common functions that must be performed if they are to be successful. These usually include:

A. Define the security perimeter – what is being examined?

 Determine how intensive the audit is going to be. Are all facets of the organization to be examined, or is this to be a common 'security' audit based on the IT infrastructure?
 Detail how intrusive the audit is. It is important to avoid adversely impacting the production environment during the audit process, whether by equipment downtime or by personnel being taken away from their primary duties to participate in the audit.
 Does the corporation have existing methodologies to actively mitigate risk on an ongoing basis?

B. Describe the components – and be detailed about it.

 Assemble a detailed list of the components within the security perimeter. While this is not an exhaustive list, these devices often include:


o Computing equipment (mainframes, servers, desktops, laptops, terminals).
o Networking equipment (firewalls, routers, switches, hubs and UPS devices).
o Communications equipment (PBX, phones, cell/smart phones, PDAs, fax machines).
o Input/output devices (printers, copiers, scanners, cameras, web-cams, tablets).
o Data storage (databases: sales, customer, employee, other; email, voicemail, files on servers, files in cabinets, customer and employee information, log files).
o Common security items (passwords, access scanners/cards and ID cards, physical security, data diagrams, daily schedules and employee activity charts).
o Internet exposure (company websites: internet and intranet, collaborative sites, outbound access availability and restrictions, open ports and other visible devices).

C. Determine threats – what kinds of damage could be done to the systems?

 Generate a list of threat vectors based on the scope of the audit; i.e. if physical security is beyond the scope of the audit, you won't have to check whether the server room is locked.
 Examine each type of device on the components list for known vulnerabilities.

D. Delineate the available tools – what documents and tools are in use or need to be created?

 Assemble the various documents and diagrams of the systems under audit.
 Gather the tools already in use to mitigate risk.
o Determine if the existing tools are functional.
o Determine if new tools are needed.

E. Reporting mechanism – how will you show progress and achieve validation in all areas?

 Determine what the reporting mechanism will be.
o What is the report format?
o Who will sign off on the report as being acceptable?
o Who determines that a specific threat on a particular component is mitigated?

F. Review history – is there institutional knowledge about existing threats?

 Determine what threats existed in the past and whether those have been mitigated.
 Interview members of the institution to determine if any known threats exist.

G. Determine the network access control list – who really needs access to this?

 Develop a matrix of all personnel that need access to each device on the component chart.
 Develop a matrix of all devices that need access to other devices on the component chart.
 Each device on the component list should have a minimal set of entry points.

539
Trainer’s Handbook – SSC/ Q0904/0905 – Security Analyst
 How much privilege is required for each person or system to perform their functions?

H. Prioritize risk – calculate risk as Risk = probability * harm

 Given the list of possible threats, what are the possibilities that a given threat will materialize?
 If a threat were to materialize, how great would its impact be?
 Establish the greatest pain points for the company. Determine if the approach is to work on the big stuff first, or get all of the minor issues out of the way before making any major changes.

I. Delineate mitigation plan – what are the exact steps required to minimize the threats?

 Generate a detailed project plan to reach the goal. Include tasking, timelines, costs, reporting methods, checkpoints – all the components of a successful project plan are necessary.
 Ensure that the organization is in agreement with the plan to mitigate risks.

J. Implement procedures – start making changes.

 Begin the mitigation process, using the priority decided upon by the stakeholders.

K. Review results – perform an After Action Review (AAR) on the audit process

 Perform a standard AAR on the audit.
o What went well?
o What process needs revision before it will go well?
o What issues are still outstanding at this time?
o Who is responsible for ensuring that outstanding issues will be addressed?
o What is the timeline for issue resolution?
o Who will validate issue resolution?

Risks that are extremely unlikely to happen but that have the potential to cause catastrophic damage are called 'Black Swans'. These risks are often not cost effective to address, so a formal acceptance from management for these risks may be the only strategy available. Every audit needs to have management's participation to be completely successful.

Constraints of a security audit

 Time constraints
 Third party access constraints
 Business operations continuity constraints
 Scope of audit engagement
 Technology tools constraints
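The access-matrix check of step G above, as an added example that is not material from the handbook: constructed personnel-to-device and device-to-device grants are folded into one matrix, each device's entry points are listed, and grants that a role does not need (or that exceed the needed privilege) are flagged. The grants, the requirement matrix and the privilege ranking are assumptions.

```python
"""Network access control review (step G): who really needs access to this?

Added example, not the handbook's own material. All grants, requirements and
the privilege ranking below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed grants: (subject, device, privilege). A subject is a person or another device,
# so both the personnel matrix and the device-to-device matrix live in one list.
GRANTS: List[Tuple[str, str, str]] = [
    ("alice (finance)", "finance-db", "read"),
    ("alice (finance)", "print-server", "use"),
    ("bob (helpdesk)", "finance-db", "admin"),      # helpdesk has no need for this
    ("bob (helpdesk)", "print-server", "admin"),
    ("backup-host", "finance-db", "read"),
    ("web-portal", "finance-db", "read"),
    ("web-portal", "finance-db", "admin"),          # application account with admin rights
]

# Constructed requirement matrix: what each role or system actually needs to do its job.
REQUIRED: Dict[str, Dict[str, str]] = {
    "alice (finance)": {"finance-db": "read", "print-server": "use"},
    "bob (helpdesk)": {"print-server": "admin"},
    "backup-host": {"finance-db": "read"},
    "web-portal": {"finance-db": "read"},
}

# Constructed ordering of privilege levels, used to detect "more than required".
PRIVILEGE_RANK: Dict[str, int] = {"use": 1, "read": 1, "write": 2, "admin": 3}


def entry_points(grants: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Matrix view per device: every subject (person or device) that can reach it."""
    matrix: Dict[str, Set[str]] = defaultdict(set)
    for subject, device, _ in grants:
        matrix[device].add(subject)
    return dict(matrix)


def excess_privilege(grants, required) -> List[Tuple[str, str, str, str]]:
    """Grants that are not required at all, or that exceed the required privilege."""
    findings = []
    for subject, device, priv in grants:
        needed = required.get(subject, {}).get(device)
        if needed is None:
            findings.append((subject, device, priv, "not required"))
        elif PRIVILEGE_RANK[priv] > PRIVILEGE_RANK[needed]:
            findings.append((subject, device, priv, f"exceeds required '{needed}'"))
    return findings


def minimal_entry_points(grants, required) -> Dict[str, Set[str]]:
    """Entry points per device once the grants nobody needs are removed: the
    'minimal set of entry points' the handbook asks for."""
    kept = [g for g in grants if required.get(g[0], {}).get(g[1]) is not None]
    return entry_points(kept)


if __name__ == "__main__":
    for device, subjects in sorted(entry_points(GRANTS).items()):
        print(f"{device}: {len(subjects)} entry points -> {sorted(subjects)}")
    for subject, device, priv, why in excess_privilege(GRANTS, REQUIRED):
        print(f"review: {subject} has '{priv}' on {device}: {why}")
    for device, subjects in sorted(minimal_entry_points(GRANTS, REQUIRED).items()):
        print(f"{device} after clean-up: {sorted(subjects)}")
```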
UNIT II
Security Audit Features

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Trainer's Resource Material
2.1. Planning Work and Work environment
2.2. Types of Security Audits
2.3. Phases of Information Security Audit
2.4. Information Security Audit Methodology
2.5. Security Testing Frameworks
2.6. Audit Process and Audit Security Practices
2.7. Testing Security Technology and Templates

LESSON PLAN

Performance Outcomes: To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
Ensuring Measures: Peer group, Faculty group and Industry experts.
Duration (Hrs): 2 hr in class presentations
Work Environment / Lab Requirement: PCs/Tablets/Laptops; Projection facilities

Performance Outcomes: You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Ensuring Measures: KA4, KA5. Peer group, Faculty group and Industry experts. KB1 - KB4 Research and Learning Group and Faculty activity. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline
Work Environment / Lab Requirement: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security

Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research various types of attacks and collect examples of each type of Virus, Trojan, Worm and other malware. The group that gets the maximum number of correct examples will get a prize.

Activity 2:

Ask the students to research cases of attacks over the years and the impact of those attacks on the organisations where they occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.

Lesson

2.1 Types of Security Audits


Broadly, there are two types of Audit, internal and external.

External audits are commonly conducted by independent, certified parties in an objective manner. They are scoped in advance and ultimately limited to identifying and reporting any implementation and control gaps based on stated policies and standards such as COBIT (Control Objectives for Information and related Technology). At the end the objective is to lead the client to a source of accepted principles, sometimes correlated to current best practices.

Internal audits usually are conducted by experts linked to the organisation, and they involve a feedback process where the auditor may not only audit the system but also potentially provide advice in a limited fashion. They differ from the external audit in allowing the auditor to discuss mitigation strategies with the owner of the system that is being audited.

There is a large variety of audit types based on the standards followed. Some examples include SSAE 16 audits (Type I or II), audits of ISO 9001, ISO/IEC 17799, ISO/IEC 27001, the ISO 27018 cloud security standard and audits of industry-specific standards such as HIPAA controls.

Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Audits can be broken down into a number of types, from the simple analysis of security architecture based on opinion, to a full-blown, end-to-end audit against a security framework such as ISO27001. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases and highlights key components to look for and different methods for auditing these areas. When centred on the IT aspects of information security, it can be seen as a part of an information technology audit. It is often then referred to as an information technology security audit or a computer security audit. However, information security encompasses much more than IT.

Security Review
A security review is when the security posture of an organization is examined based on professional experience and opinion. In this type of examination, issues that stand out are sought as a way to help define the starting point for further activities. Running a vulnerability scanner such as Nessus would fall under this category. The tool generates a list of potential security issues, but the data must be analysed further to determine what needs to be acted on. This is the most basic form of security analysis and the primary output is in the form of an opinion. Examples include: Penetration test, Vulnerability scan, Architecture review, Policy review, Compliance review, Risk analysis.

Security Assessment
Security assessments utilize professional opinion and expertise, but they also analyse the output for relevancy and criticality to the organization. The analysis aspect of an assessment attempts to quantify the risk associated with the items discovered to determine the extent of the problem. If an organisation has two servers with the same vulnerability, but one is the financial server and the other operates as a print server, a security assessment would rank the financial server as a high risk and the print server as a lower risk based on the severity and damage potential. The biggest differentiator between an assessment and a review is the depth to which the auditor examines the system and analyses the results. Examples include: Vulnerability assessment, Risk assessment, Architecture assessment, Policy assessment.
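The Risk = probability * harm calculation from step H of the audit procedure, applied to the two-server case in the paragraph above, as an added example that is not part of the handbook: harm is scaled by the asset's criticality, so the same vulnerability ranks higher on the financial server than on the print server, and very unlikely but catastrophic items are set aside as Black Swans for management acceptance. The criticality scale, probabilities and Black Swan thresholds are constructed assumptions.

```python
"""Prioritising audit findings as Risk = probability * harm (step H), with harm
scaled by asset criticality (the Security Assessment example).

Added example, not from the handbook. The criticality scale, the probability
values and the Black Swan thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed asset criticality: business impact if the asset is compromised (1 = low, 5 = critical)
CRITICALITY: Dict[str, int] = {"financial-server": 5, "hr-database": 4, "print-server": 1}


@dataclass(frozen=True)
class Threat:
    asset: str
    vuln: str
    probability: float      # likelihood the threat materialises in the review period, 0..1
    severity: int           # technical severity of the weakness, 1..5

    def harm(self) -> int:
        # Harm combines how bad the weakness is with how much the business depends on the asset
        return self.severity * CRITICALITY[self.asset]

    def risk(self) -> float:
        return self.probability * self.harm()


def prioritise(threats: List[Threat]) -> List[Threat]:
    """Highest risk first: the company's biggest pain points come out on top."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)


def black_swans(threats: List[Threat], max_probability: float = 0.05, min_harm: int = 20) -> List[Threat]:
    """Extremely unlikely but catastrophic items: put to management for formal risk
    acceptance rather than scheduled in the mitigation plan (thresholds are constructed)."""
    return [t for t in threats if t.probability <= max_probability and t.harm() >= min_harm]


def mitigation_order(threats: List[Threat], big_first: bool = True) -> List[Threat]:
    """Input for the mitigation plan (step I): work on the big items first, or clear
    the minor issues before making major changes. Black Swans are excluded."""
    swans = set(black_swans(threats))
    ranked = [t for t in prioritise(threats) if t not in swans]
    return ranked if big_first else list(reversed(ranked))


# Constructed findings from a vulnerability assessment
SAMPLE: List[Threat] = [
    Threat("financial-server", "unpatched SMB service", 0.4, 4),
    Threat("print-server", "unpatched SMB service", 0.4, 4),
    Threat("hr-database", "default admin password", 0.6, 5),
    Threat("financial-server", "data centre flooding", 0.01, 5),
]

if __name__ == "__main__":
    for t in prioritise(SAMPLE):
        print(f"risk {t.risk():5.2f}  {t.asset:<17} {t.vuln}")
    for t in black_swans(SAMPLE):
        print(f"black swan (management acceptance): {t.asset} / {t.vuln}")
```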

Security Audit
A security audit examines the organization's security posture against an industry standard (ISO27001 or COBIT) and/or industry regulatory compliance such as HIPAA or PCI. An audit includes review and assessment; it also conducts a gap analysis against standards to measure how well the organization complies. Audits take into account people, processes, and technologies, and compare them to a benchmark in a standardized and repeatable way. Examples include: Compliance audit, Policy audit, Procedure audit, Risk audit.

Some of the specific audits that can be included in the above categories are:

• Penetration Test
• Vulnerability Audit
• Web Application Security Audit
• Mobile Application Security Audit
• Audit Overall Concept
• IT-Risk Analyses
• Audit Access Control / Social Engineering
• Architecture, Design and Code Review
• Wireless Systems Audit
• Embedded Systems Audit
• Information Protection Audit
• Roles and Rights Audit
• Endpoint Audit (clients)
• Digital Guard Service
• Configuration Audit (firewalls, servers, etc.)
2.2 Phases of Information Security Audit

• Pre-audit agreement stage

Agree scope and objective of the audit. Agree on the level of support that will be provided. Agree locations, duration and other parameters of the audit. Agree financial and other considerations. Confidentiality agreements and contracting are to be completed at this stage. Developing/creating a formal agreement (e.g., statement of work, audit memorandum, or engagement memo) to state the audit objectives, scope, and audit protocol.

• Initiation and Planning stage

Conducting a preliminary review of the client's environment, mission, operations, policies, and practices. Performing risk assessments of client environment, data, and technology resources. Completing research of regulations, industry standards, practices, and issues. Reviewing current policies, controls, operations, and practices. Holding an Entrance Meeting to review the engagement memo, to request items from the client, schedule client resources, and to answer client questions. This will also include laying out the time line and specific methods to be used for the various activities.

• Data collection and fieldwork (Test phase)

This stage is to accumulate and verify sufficient, competent, relevant, and useful evidence to reach a conclusion related to the audit objectives and to support audit findings and recommendations. During this phase, the auditor will conduct interviews, observe procedures and practices, perform automated and manual tests, and other tasks. Fieldwork activities may be performed at the client's worksite(s) or at remote locations, depending on the nature of the audit.

• Analysis

Analyses are performed after documentation of all evidence and data, to arrive at the audit findings and recommendations. Any inconsistencies or open issues are addressed at this time. The auditor may remain on-site during this phase to enable prompt resolution of questions and issues. At the end of this phase, the auditor will hold an Exit Meeting with the client to discuss findings and recommendations, address client questions, discuss corrective actions, and resolve any outstanding issues. A first draft of the findings and recommendations may be presented to the client during the exit meeting.

• Reporting

Generally, the Information Security Audit Program will provide a draft audit report after completing fieldwork and analysis. Based on the client response, if changes are required to the draft, the auditor may issue a second draft. Once the client is satisfied that the terms of the audit are complied with, the final report will be issued with the auditor's findings and recommendations.

• Follow-through

Depending on expectations and agreements, the auditor will evaluate the effectiveness of the corrective action taken by the client, and, if necessary, advise the client on alternatives that may be utilized to achieve desired improvements. In larger, more complex audit situations, follow-up may be repeated several times as additional changes are initiated. Additional audits may be performed to ensure adequate implementation of recommendations. The level of risk and severity of the control weakness or vulnerability dictate the time allowed between the reporting phase and the follow-up phase. The follow-up phase may require additional documentation for the audit client.
2.3 Information Security Audit Methodology


Need for a Methodology

Audits need to be planned and have a certain methodology to cover the total material risks of an organisation. A planned methodology is also important as this clarifies the way forward to all in the organisation and the audit teams. Which methodology and techniques are used is less important than having all the participants within the audit approach the subject in the same manner.

Audit methodologies

There are two primary methods by which audits are performed. Start with the overall view of the corporate structure and drill down to the minutiae; or begin with a discovery process that builds up a view of the organization.

Audit methods may also be classified according to type of activity. These include three types:

a. Testing – Pen tests and other testing methodologies are used to explore vulnerabilities. In other words, exercising one or more assessment objects to compare actual and expected behaviours.
b. Examination and Review – These include reviewing policies, processes, logs, other documents, practices, briefings, situation handling, etc. In other words, checking, inspecting, reviewing, observing, studying, or analysing assessment objects.
c. Interviews and Discussion – This involves group discussions, individual interviews, etc.

The three methods combine together to form an effective methodology for an overall audit.

Auditing techniques

There are various Auditing techniques used:

Examination Techniques
Examination techniques, generally conducted manually to evaluate systems, applications, networks, policies, and procedures to discover vulnerabilities.
 Techniques include
o Documentation review
o Log review
o Ruleset and system configuration review
o Network sniffing
o File integrity checking

Target Identification and Analysis Techniques
Testing techniques, generally performed using automated tools, used to identify systems, ports, services, and potential vulnerabilities.
 Techniques include
o Network discovery
o Network port and service identification
o Vulnerability scanning
o Wireless scanning
o Application security examination

Target Vulnerability Validation Techniques
Testing techniques that corroborate the existence of vulnerabilities; these may be performed manually or with automated tools.
 Techniques include
o Password cracking
o Penetration testing
o Social engineering
o Application security testing

Organisations use a combination of these techniques to ensure effectiveness and meeting the objectives of the audit.
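One of the examination techniques listed above, ruleset and system configuration review, carried out on a constructed firewall rulebase as an added example (not the handbook's or any vendor's code): over-permissive allow rules, deny rules that leave no log trail, and rules that can never match because an earlier rule fully covers them are reported for the auditor. The rule format and the finding categories are assumptions.

```python
"""Ruleset and system configuration review (examination technique): a firewall
rulebase is examined for rules that are over-permissive or can never match.

Added example, not taken from the handbook or any vendor tool. The rule format,
the sample rules and the finding categories are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple

ANY_PORTS = (1, 65535)          # inclusive destination port range meaning "all ports"


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str                 # "allow" or "deny"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    proto: str                  # "tcp", "udp" or "any"
    ports: Tuple[int, int] = ANY_PORTS
    log: bool = False


def net(cidr: str) -> IPv4Network:
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def is_any(cidr: str) -> bool:
    return net(cidr).prefixlen == 0


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    proto_ok = outer.proto in ("any", inner.proto)
    ports_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return (proto_ok and ports_ok
            and net(inner.src).subnet_of(net(outer.src))
            and net(inner.dst).subnet_of(net(outer.dst)))


def review(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Return (rule id, finding kind, detail) for each issue, in rulebase order."""
    findings = []
    for j, rule in enumerate(rules):
        if rule.action == "allow" and is_any(rule.src) and is_any(rule.dst) and rule.ports == ANY_PORTS:
            findings.append((rule.rid, "permissive", "allows any source to any destination on all ports"))
        if rule.action == "deny" and not rule.log:
            findings.append((rule.rid, "unlogged-deny", "dropped traffic leaves no audit trail"))
        # Rules are evaluated top-down: the first earlier rule covering this one hides it.
        for earlier in rules[:j]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.rid, kind, f"never reached, fully covered by rule {earlier.rid}"))
                break
    return findings


# Constructed rulebase for the review
SAMPLE_RULES = [
    Rule(1, "allow", "10.0.0.0/8", "10.1.2.0/24", "tcp", (443, 443)),
    Rule(2, "deny", "any", "10.1.2.10/32", "tcp", (22, 22), log=True),
    Rule(3, "allow", "10.1.0.0/16", "10.1.2.10/32", "tcp", (22, 22)),   # hidden by rule 2
    Rule(4, "allow", "192.168.0.0/16", "10.1.2.0/24", "tcp", (443, 443)),
    Rule(5, "allow", "any", "any", "any"),                               # catch-all allow
    Rule(6, "deny", "any", "any", "any"),                                # cleanup rule, unreachable
]

if __name__ == "__main__":
    for rid, kind, detail in review(SAMPLE_RULES):
        print(f"rule {rid}: {kind}: {detail}")
```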
2.4 Security Testing Frameworks


There are numerous security testing methodologies being used today by security auditors for technical control assessment.

Four of the most common are as follows:

 Open Source Security Testing Methodology Manual (OSSTMM)
 Information Systems Security Assessment Framework (ISSAF)
 NIST 800-115
 Open Web Application Security Project (OWASP)

All of these frameworks provide a detailed, process-oriented manner in which to conduct a security test, and each has its particular strengths and weaknesses. Most auditors and penetration testers use these frameworks as a starting point to create their own testing process, and they find a lot of value in referencing them.

OSSTMM

The OSSTMM manual highlights the systems approach to security testing by dividing assessment areas into six interconnected modules:

 Information Security: Competitive intelligence, data leakage, and privacy review
 Process Security: Access granting processes and social engineering testing
 Internet Technologies Security: Network mapping, port scanning, service and operating system (OS) identification, vulnerability scanning, Internet app testing, router/firewall testing, IDS testing, malicious code detection, password cracking, denial of service, and policy review
 Communications Security: Private branch exchange (PBX)/phone fraud, voicemail, fax, and modem
 Wireless Security: 802.11, Bluetooth, handheld scanning, surveillance, radio frequency identification (RFID), and infrared
 Physical Security: Perimeter, monitoring, access control, alarm systems, and environment

ISSAF

The ISSAF is one of the largest free assessment methodologies available. Each control test has detailed instruction for operating testing tools and what results to look for. It is split into two primary documents. One is focused on the business aspect of security, and the other is designed as a penetration test framework. The level of detailed explanation of services, security tools to use, and potential exploits is high and can help an experienced security auditor and someone getting started in auditing.
NIST 800-115

The NIST 800-115, Technical Guide to Information Security Testing, provides guidance and a methodology for reviewing security that is required for the U.S. government's various departments to follow. Like all NIST-created documents, 800-115 is free for use in the private sector. It includes templates, techniques, and tools that can be used for assessing many types of systems and scenarios. It is not as detailed as the ISSAF or OSSTMM, but it does provide a repeatable process for the conduction of security reviews. The document includes guidance on the following:

 Security testing policies
 Management's role in security testing
 Testing methods
 Security review techniques
 Identification and analysis of systems
 Scanning and vulnerability assessments
 Vulnerability validation (pen testing)
 Information security test planning
 Security test execution
 Post-test activities

OWASP

The OWASP testing guide was created to assist web developers and security practitioners to better secure web applications. A proliferation of poorly written and executed web applications has resulted in numerous, easily exploitable vulnerabilities that put the Internet community at risk to malware, identity theft, and other attacks. The OWASP testing guide has become the standard for web application testing and has helped increase the awareness of security issues in web applications through testing and better coding practices.

The OWASP testing methodology is split as follows:

 Information gathering
 Configuration management
 Authentication testing
 Session management
 Authorization testing
 Business logic testing
 Data validation testing
 Denial of service testing
 Web services testing
 AJAX testing

The OWASP project also has a subproject called WEBGOAT that enables one to load a vulnerable website in a controlled environment to test these techniques against a live system.

Whatever the approach is to testing security controls, it must be ensured that it is consistent, repeatable, and based on best practices.
2.5 Audit Process

A successful audit will minimally:

1. Establish a prioritized list of risks to an organization.
2. Delineate a plan to alleviate those risks.
3. Validate that the risks have been mitigated.
4. Develop an ongoing process to minimize risk.
5. Establish a cycle of reviews to validate the process on a perpetual basis.

2.6 Auditing Security Practices


The first step for evaluating security controls is to examine the organization's policies, security governance structure, and security objectives because these three areas encompass the business practices of security. Security controls are selected and implemented because of security policies or security requirements mandated by law.

Security is a service provided by IT to the business, so measuring it as such enables you to see many of the connections to the various functions of the business. There are standards, laws, and benchmarks that you can use as your baseline to compare against.

Normally, you include content from multiple areas, as businesses may have more than one regulation with which they must comply. It is easiest to start with the organization's policies and build your security auditing plan from there. Some criteria you can use to compare the service of security against are:

 Evaluation against the organization's own security policy and security baselines
 Regulatory/industry compliance: Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), and Payment Card Industry (PCI)
 Evaluation against standards such as NIST 800 or ISO 27002
 Governance frameworks such as COBIT or COSO

After you have identified the security audit criteria that the organization needs to comply with, the next phase is to perform assessments to determine how well they achieve their goals. A number of assessments are usually required to determine appropriate means for referring back to the scope, which defines the boundaries of the audit. The following are types of assessments that might be performed to test security controls:

 Risk assessments: This type of assessment examines potential threats to the organization by listing areas that could be sources of loss such as corporate espionage, service outages, disasters, and data theft. Each is prioritized by severity, matched to the identified vulnerabilities, and used to determine whether the organization has adequate controls to minimize the impact.
 Policy assessment: This assessment reviews policy to determine whether the policy meets best practices, is unambiguous, and accomplishes the business objectives of the organization.
 Social engineering: This involves penetration testing against people to identify whether security awareness training, physical security, and facilities are properly protected.
 Security design review: The security design review is conducted to assess the deployment of technology for compliance with policy and best practices. These types of tests involve reviewing network architecture and design and monitoring and alerting capabilities.
 Security process review: The security process review identifies weaknesses in the execution of security procedures and activities. All security activities should have written processes that are communicated and consistently followed. The two most common methods for assessing security processes are through interviews and observation:
o Interviews: Talking to the actual people responsible for maintaining security, from users to systems administrators, provides a wealth of evidence about the people aspect of security. How do they feel about corporate security methods? Can they answer basic security policy questions? Do they feel that security is effective? The kind of information gathered helps identify any weakness in training and the organization's commitment to adhering to policy.
o Observation: Physical security can be tested by walking around the office and observing how employees conduct themselves from a security perspective. Do they walk away without locking their workstations or have sensitive documents sitting on their desks? Do they leave the data center door propped open, or do they not have a sign-out procedure for taking equipment out of the building? It is amazing what a stroll through the cubicles of a company can reveal about the security posture of an organization.
 Document review: Checking the effectiveness and compliance of the policy, procedure, and standards documents is one of the primary ways an auditor can gather evidence. Checking logs, incident reports, and trouble tickets can also provide data about how IT operates on a daily basis.
 Technical review: This is where penetration testing and technical vulnerability testing come into play. One of the most important services an auditor offers is to evaluate the competence and effectiveness of the technologies relied upon to protect a corporation's assets.

This section covered evaluation techniques for auditing security practices within an organization. Many of the security practices used to protect a company are process- and policy-focused. They represent the primary drivers for technology purchases and deployment. Technology can automate many of these processes and policies and needs a different approach to testing effectiveness. The remainder of this chapter covers tools that can be used to test security technologies.
2.7 Testing Security Technology

There are many terms used to describe the technical review of security controls. Ethical hacking, penetration test, and security testing are often used interchangeably to describe a process that attempts to validate security configuration and vulnerabilities by exploiting them in a controlled manner to gain access to computer systems and networks. There are various ways that security testing can be conducted, and the choice of methods used ultimately comes down to the degree to which the test examines security as a system. There are generally two distinct levels of security testing commonly performed today:

Vulnerability assessment:

This technical assessment is intended to identify as many potential weaknesses in a host, application, or entire network as possible based on the scope of the engagement. Configurations, policies, and best practices are all used to identify potential weaknesses in the deployment or design of the entity being tested. These types of assessments are notorious for finding an enormous amount of potential problems that require a security expert to prioritize and validate the real issues that need to be addressed. Running vulnerability scanning software can result in hundreds of pages of items being flagged as vulnerable when in reality they are not exploitable.

Penetration test:

The penetration test is intended to assess the prevention, detection, and correction controls of a network by attempting to exploit vulnerabilities and gain control of systems and services. Penetration testers (also known as pentesters) scan for vulnerabilities as part of the process just like a vulnerability assessment, but the primary difference between the two is that a pentester also attempts to exploit those vulnerabilities as a method of validating that there is an exploitable weakness. Successfully taking over a system does not show all possible vectors of entry into the network, but can identify where key controls fail. If someone is able to exploit a device without triggering any alarms, then detective controls need to be strengthened so that the organization can better monitor for anomalies.

Security control testing is an art form in addition to a technical security discipline. It takes a certain type of individual and mindset to figure out new vulnerabilities and exploits. Penetration testers usually fit this mold, and they must constantly research new attack techniques and tools. Auditors, on the other hand, might not test to that degree and will more than likely work with a penetration tester or team if a significant level of detailed knowledge is required for the audit.

When performing these types of engagements, four classes of penetration tests can be conducted and are differentiated by how much prior knowledge the penetration tester has about the system. The four types are:

 Red Team/Blue Team assessment
 Whitebox
 Blackbox
 Graybox
Red Team/Blue Team assessment: The terms Red and Blue Team come from the military where combat teams are tested to determine operational readiness. In the computer world, a Red and Blue Team assessment is like a war game, where the organization being tested is put to the test in as real a scenario as possible. Red Team assessments are intended to show all of the various methods an attacker can use to gain entry. It is the most comprehensive of all security tests. This assessment method tests policy and procedures, detection, incident handling, physical security, security awareness, and other areas that can be exploited. Every vector of attack is fair game in this type of assessment. This is used to simulate attacks and test the ability to develop defences for these attacks. The Red team designate is the attacker and the Blue team is the defence mechanism builder.

The two teams sharpen an organisation's detection and response capability. This is through sharing of intelligence data, understanding threat actors' TTPs, mimicking these TTPs through a series of scenarios and configuring, tuning and improving the detection and response capability.

Penetration tests as part of auditing can be conducted in several ways. The most common difference is the amount of knowledge of the implementation details of the system being tested that is available to the testers.

• Black box testing

This assumes no prior knowledge of the infrastructure to be tested. The testers must first
determine the location and extent of the systems before commencing their analysis.

• White box testing

This provides the testers with complete knowledge of the infrastructure to be tested, often
including network diagrams, source code, and IP addressing information.

• Grey box testing

This covers the several variations in between white box and black box, where the testers have partial information.

Penetration tests can also be described as "full disclosure" (white box), "partial disclosure"
(grey box), or "blind" (black box) tests based on the amount of information provided to the
testing party.

Features and Uses

Black box testing simulates an attack from someone who is unfamiliar with the system. White box testing simulates what might happen during an "inside job" or after a "leak" of sensitive information, where the attacker has access to source code, network layouts, and possibly even some passwords.

White box techniques involve direct analysis of the application's source code, and black box techniques are performed against the application's binary executable without source code knowledge.

Most assessments of custom applications are performed with white box techniques, since source code is usually available; however, these techniques cannot detect security defects in interfaces between components, nor can they identify security problems caused during compilation, linking, or installation-time configuration of the application. White box techniques still tend to be more efficient and cost-effective for finding security defects in custom applications than black box techniques.

Black box techniques should be used primarily to assess the security of individual high-risk compiled components; interactions between components; and interactions between the entire application or application system with its users, other systems, and the external environment. Black box techniques should also be used to determine how effectively an application or application system can handle threats.

Auditors should have a base knowledge of testing tools and techniques. Using testing frameworks is a useful way to develop a technical testing plan.

2.8 Reliance on Checklists and Templates

It is important to develop and use standard checklists for audits as this ensures that data is collected in a uniform manner. It also ensures that no critical data point or activity is omitted. One must ensure the templates and checklists are agreed upon prior to use and come from recognised sources. These should be understood commonly by all participating in the audit. It is important that those carrying out the audit understand the importance of capturing information in detail.


UNIT III
Information Security Auditor

This Unit covers:


 Lesson Plan
 Suggested Learning Activities
 Trainer Resource Material
3.1. Role of an Auditor
3.2. Auditor Activities
3.3. Information Security Audit Consultants
3.4. Hiring an Information Security Auditor
3.5. Required Skills Sets of an Information Security Auditor
3.6. Ethics of an Information Security Auditor
3.7. What Makes an Information Security Auditor

LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
Ensuring Measures: Peer group, Faculty group and Industry experts.
Duration (Hrs): 2 hr in class presentations
Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Projection facilities

Performance Outcomes:
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Ensuring Measures: KA4, KA5. Peer group, Faculty group and Industry experts. KB1 - KB4 Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline Research and Learning activity.
Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security


Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.

Activity 2:

Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.


Lesson

3.1 Role of an Auditor


 The role of the auditor is to identify, measure, and report on risk. The auditor is not tasked to fix the problem, but to give a snapshot in time of the effectiveness of the security program. The objective of the auditor is to report on security weakness.
 Auditors ask the questions, test the controls, and determine whether the security policies are followed in a manner that protects the assets the controls are intended to secure by measuring the organization's activities versus its security best practices.
 The auditor functions as an independent advisor and inspector.
 The auditor is responsible for planning and conducting audits in a manner that is fair and consistent to the people and processes that are examined.
 The auditing charter or engagement letter defines the conduct and responsibilities of an auditor.
 Depending on how a company's auditing program is structured, ultimate accountability for the auditor is usually to senior management or the Board of Directors.

Auditors are usually required to present a report to management about the findings of the audit and also make recommendations about how to reduce the risk identified. The auditors are responsible for the following:
 Plan, execute and lead security audits across an organization.
 Inspect and evaluate financial and information systems, management procedures and
security controls
 Evaluate the efficiency, effectiveness and compliance of operation processes with
corporate security policies and related government regulations
 Develop and administer risk-focused exams for IT systems
 Review or interview personnel to establish security risks and complications
 Execute and properly document the audit process on a variety of computing
environments and computer applications
 Assess the exposures resulting from ineffective or missing control practices
 Accurately interpret audit results against defined criteria
 Weigh the relevancy, accuracy and perspective of conclusions against audit evidence
 Provide a written and verbal report of audit findings
 Develop rigorous “best practice” recommendations to improve security on all levels
 Work with management to ensure security recommendations comply with company
procedure
 Collaborate with departments to improve security compliance, manage risk and bolster
effectiveness


3.2 Auditor Activities


The following tasks and activities are carried out by the auditor in discharging their responsibilities:

 Auditing the information asset management process will verify that the critical assets are being managed in accordance with the IT/IS policies.

 The auditor audits the information security and privacy policies and standards. The auditor begins with policies and standards related to access control, data classification and network security. In addition they focus on other policies and standards such as vendor management, vulnerability management and data leakage prevention.

 One of the important roles of audit is to verify that the policies and standards are not just documented but are actually being implemented by users across the enterprise. This verification can be accomplished by performing an audit of the security training and awareness program.

 Instead of focusing on the actual access of each user, the auditor focuses on the IAM process and verifies that the IAM process is working as designed. Auditing an automated IAM process ensures the integrity of the process. The audit also focuses on the workflow, which includes the approval hierarchy. Several IAM vendors are starting to provide mechanisms to incorporate segregation of duties (SoD) checks within the workflow. If an organization has incorporated the SoD checks in the workflow, it is important to include this process within its audit scope.

 During the audit of policies and standards, the auditor should understand how the policies and standards are being communicated across the enterprise. Every organization has a communication method (e-mail, posting on an intranet web page, periodic security seminars, monthly security awareness training, lunch-n-learns, etc.).

 The responsible auditor should determine if logging is enabled in critical systems. Where logs are enabled, the auditor verifies that there is a process for monitoring. The auditor also verifies that the process has been assigned to a person and that this person is executing this process. The focus here is on data leakage prevention (DLP). Besides verifying that the proper access is granted to each individual, the auditor focuses on how the approved users are using the data assets. Are data being encrypted properly before they are sent outside of the organization? Depending on an organization's DLP policy, the SIEM system can potentially help the auditor determine if the data are being copied on USB drives and leaving the organization.

 In today's business environment, Governance, Risk Management and Compliance (GRC) processes are critical to the auditor. The auditor examines corporate governance processes and verifies that an infrastructure has been created to identify and manage risks. The governance structure should be active and ongoing, which means that the executives should conduct periodic meetings to address risks. The auditor also identifies all relevant regulations and industry standards and performs periodic compliance reviews based on identified and relevant risks. Noncompliance should be tracked and managed by executive management.

 The internal auditor should identify how the organization is connected to the outside, and who on the outside is connected to the organization. There is a total reliance by some organizations on Statement on Auditing Standards No. 70 (SAS 70) Type II reports for review of external vendors. While SAS 70 is good, it is not final. The auditor first verifies that there is a policy in place to address third-party connections. In addition to the SAS 70 report, the organization should periodically perform its own IT audit of the vendor to certify that its policies and security needs are being adequately addressed (the organization may have to ensure that the vendor contracts allow for this audit). Changes performed by the third-party vendor on systems affecting the organization should follow the organization's normal change management process.

 Also, the auditor should follow the entire process within the extended enterprise where the critical data assets reside. For example, an enterprise may do an exceptional job of protecting critical data assets within the enterprise, but an unencrypted backup tape can fall off a vendor's truck and expose critical information and put the enterprise at risk. An audit of the entire process will definitely reduce the risks associated with the extended enterprise. This extended enterprise may exist globally and could add more complexity to the audit plans.

 The auditor verifies that a business continuity plan exists and is maintained and tested periodically. The auditor should also make sure that the plan covers all the risks associated with the business and that it is enough to keep the business in operation in times of disruption. The auditor should understand the difference between business continuity and disaster recovery and make sure that each is adequately addressed and periodically tested.

 The auditor identifies a catalog of IT initiatives, reviews the business reasons for the project and identifies the executive sponsor for the project. The auditor obtains and reviews the management reports from IT to executive management and verifies that sufficient information is provided to management. The auditor verifies that IT initiatives are adequately aligned with business objectives.
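The IAM workflow audit described above, with its approval hierarchy and segregation of duties checks, as an added example that is not part of the handbook: a script an auditor might run over an export of role grants. The conflict pairs, approver lists, user names and grant records are all constructed for the example.

```python
"""Added example, not from the handbook: an audit check over an IAM workflow
export of the kind section 3.2 describes.  It verifies two things the auditor
looks for: that no user holds a toxic combination of roles (segregation of
duties), and that every role grant was approved by someone in the approval
hierarchy other than the requester.  The conflict pairs, approver lists and
grant records are constructed for the example."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed SoD conflict matrix: role pairs one person must never hold together.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"request_access", "approve_access"}),
    frozenset({"developer", "prod_deployer"}),
}
# Constructed approval hierarchy: who may approve grants in each department.
APPROVERS: Dict[str, Set[str]] = {
    "finance": {"cfo", "fin_manager"},
    "it": {"cio", "it_manager"},
}
# Constructed workflow export: one record per role grant (None = no approval).
GRANTS: List[dict] = [
    {"user": "asha", "dept": "finance", "role": "create_vendor",
     "requested_by": "asha", "approved_by": "fin_manager"},
    {"user": "asha", "dept": "finance", "role": "approve_payment",
     "requested_by": "asha", "approved_by": "cfo"},        # SoD conflict with above
    {"user": "ravi", "dept": "it", "role": "developer",
     "requested_by": "ravi", "approved_by": "it_manager"},
    {"user": "ravi", "dept": "it", "role": "prod_deployer",
     "requested_by": "ravi", "approved_by": "ravi"},       # approver outside hierarchy
    {"user": "meena", "dept": "it", "role": "developer",
     "requested_by": "cio", "approved_by": "cio"},         # requester approved own request
    {"user": "meena", "dept": "it", "role": "request_access",
     "requested_by": "meena", "approved_by": None},        # no approval recorded
]


def roles_by_user(grants: List[dict]) -> Dict[str, Set[str]]:
    """Collapse the per-grant export into the effective role set per user."""
    roles: Dict[str, Set[str]] = {}
    for g in grants:
        roles.setdefault(g["user"], set()).add(g["role"])
    return roles


def sod_violations(grants: List[dict]) -> List[Tuple[str, FrozenSet[str]]]:
    """Users whose effective roles contain a forbidden pair, with the pair."""
    hits: List[Tuple[str, FrozenSet[str]]] = []
    for user, roles in roles_by_user(grants).items():
        for pair in sorted(SOD_CONFLICTS, key=sorted):   # deterministic order
            if pair <= roles:
                hits.append((user, pair))
    return hits


def approval_exceptions(grants: List[dict]) -> List[Tuple[str, str, str]]:
    """Grants whose approval record would not satisfy the workflow audit."""
    out: List[Tuple[str, str, str]] = []
    for g in grants:
        approver = g["approved_by"]
        if approver is None:
            out.append((g["user"], g["role"], "no approval recorded"))
        elif approver not in APPROVERS.get(g["dept"], set()):
            out.append((g["user"], g["role"], f"approver {approver} not in hierarchy"))
        elif approver == g["requested_by"]:
            out.append((g["user"], g["role"], "requester approved own request"))
    return out


def audit_report(grants: List[dict] = GRANTS) -> Dict[str, list]:
    """Both checks together, as the auditor would include them in the audit scope."""
    return {"sod_violations": sod_violations(grants),
            "approval_exceptions": approval_exceptions(grants)}


if __name__ == "__main__":
    for key, items in audit_report().items():
        print(key)
        for item in items:
            print("  ", *item)
```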


3.3 Information Security Audit Consultants


Information Security Audit Consultants – These consultants (individual or organisations) are usually found in advising or auditing roles for information security.

Security consultants generally fall into one of three categories:

• Management
• Technical
• Forensic

The first step in hiring a reliable consultant is to define the requirements of the job. Does it involve the analysis of risk, implementation of security systems, regulatory compliance, management consulting, training or defence of an inadequate security claim? Only after the requirements of the job are defined can you select the right type of consultant to complete the work.

A consultant should be independent and not affiliated with a product or service. If your consultant is not independent, you should know about his or her relationship with a product or service line and understand that it may result in a conflict of interest.

3.4. Hiring an Information Security Auditor

The following things have to be borne in mind before hiring an audit company as auditors:

• Do the organization's security professionals hold certificates like CISSP, CISA, CSM and CIPP?
• Does the consultant organization offer a comprehensive suite of services, tailored to specific requirements?
• Does the organization have a sound methodology to follow?
• Does the consulting organization have a quality certification?
• Is the organization a recognized contributor within the security industry in terms of research and publication etc.?
• Does the consulting organization have a track record of having handled a similar assignment for security consulting?


3.5. Required Skills Sets of an Information Security Auditor

A good auditor requires the following skills and knowledge in the various areas listed below:

Organization wide security program planning and management
 Knowledge of the legislative requirements for an agency security program
 Knowledge of the sensitivity of data and the risk management process through risk assessment and risk mitigation
 Knowledge of the risks associated with a deficient security program
 Knowledge of the elements of a good security program
 Ability to analyse and evaluate an organization's security policies and procedures and identify their strengths and weaknesses

Access control
 Knowledge across platforms of the access paths into computer systems and of the functions of associated hardware and software providing an access path
 Knowledge of access level privileges granted to users and the technology used to provide and control them
 Knowledge of the procedures, tools, and techniques that provide for good physical, technical, and administrative controls over access
 Knowledge of the risks associated with inadequate access controls
 Ability to analyse and evaluate an organization's access controls and identify the strengths and weaknesses
 Skills to review security software reports and identify access control weaknesses
 Skills to perform penetration testing of the organization's applications and supporting computer systems

Application software development and change control
 Knowledge of the concept of a system life cycle and of the System Development Life Cycle (SDLC) process
 Knowledge of the auditor's role during system development and of federal guidelines for designing controls into systems during development
 Knowledge of the procedures, tools, and techniques that provide control over application software development and modification
 Knowledge of the risks associated with the development and modification of application software
 Ability to analyse and evaluate the organization's methodology and procedures for system development and modification and identify the strengths and weaknesses

System software
 Knowledge of the different types of system software and their functions
 Knowledge of the risks associated with system software
 Knowledge of the procedures, tools, and techniques that provide control over the implementation, modification, and use of system software
 Ability to analyse and evaluate an organization's system software controls and identify the strengths and weaknesses
 Skills to use software products to review system software integrity


Segregation of duties
 Knowledge of the different functions involved with information systems and data processing and incompatible duties associated with these functions
 Knowledge of the risks associated with inadequate segregation of duties
 Ability to analyse and evaluate an organization's organizational structure and segregation of duties and identify the strengths and weaknesses

Service continuity
 Knowledge of the procedures, tools, and techniques that provide for service continuity
 Knowledge of the risks that exist when measures are not taken to provide for service continuity
 Ability to analyse and evaluate an organization's program and plans for service continuity and identify the strengths and weaknesses

Application controls
 Knowledge about the practices, procedures, and techniques that provide for the authorization, completeness, and accuracy of application data
 Knowledge of typical applications in each business transaction cycle
 Ability to analyse and evaluate an organization's application controls and identify the strengths and weaknesses
 Skills to use a generalized audit software package to conduct data analyses and tests of application data, and to plan, extract, and evaluate data samples

Auditors performing tasks in two of the above areas, access controls (which includes penetration testing) and system software, require additional specialized technical skills. Such technical specialists should have skills in one or more of the categories listed below:

Network analyst
 Advanced knowledge of network hardware and software
 Understanding of data communication protocols
 Ability to evaluate the configuration of routers and firewalls
 Ability to perform external and internal vulnerability tests with manual and automated tools
 Knowledge of the operating systems used by servers

Windows/Novell analyst
 Detailed understanding of microcomputer and network architectures
 Ability to evaluate the configuration of servers and the major applications hosted on servers
 Ability to perform internal vulnerability tests with manual and automated tools

Unix analyst
 Detailed understanding of the primary variants of the Unix architectures
 Ability to evaluate the configuration of servers and the major applications hosted on servers
 Ability to perform internal vulnerability tests with manual and automated tools

Database analyst
 Understanding of the control functions of the major database management systems
 Understanding of the control considerations of the typical application designs that use database systems
 Ability to evaluate the configuration of major database software products


Mainframe system software analyst
 Detailed understanding of the design and function of the major components of the operating system
 Ability to develop or modify tools necessary to extract and analyse control information from mainframe computers
 Ability to use audit software tools
 Ability to analyse modifications to system software components

Mainframe access control analyst
 Detailed understanding of auditing access control security software such as ACF2, Top Secret, and RACF
 Ability to analyse mainframe audit log data
 Ability to develop or modify tools to extract and analyse access control information


3.6 Ethics of an Information Security Auditor


Ethics statements are necessary to demonstrate the level of honesty and professionalism expected of every auditor. Overall, the profession requires them to be honest and fair in all representations they make. The goal is to build trust with clients. Their behaviour should reflect a positive image on their profession. All IS auditors are depending on them to help maintain the high quality and integrity that clients expect from a CISA.

The Information Systems Audit and Control Association (ISACA) set forth a code governing the professional conduct and ethics of all certified IS auditors and members of the association. As a CISA, the auditor is expected to be bound to uphold this code. The following points form part of this code.

Their code also states that the auditor agrees to:

Support the implementation of, and encourage compliance with, appropriate standards
and procedures for the effective governance and management of enterprise information
systems and technology, including: audit, control, security and risk management.

Perform their duties with objectivity, due diligence and professional care, in accordance
with professional standards.

Serve in the interest of stakeholders in a lawful manner, while maintaining high standards
of conduct and character, and not discrediting their profession or the Association.

Maintain the privacy and confidentiality of information obtained in the course of their
activities unless disclosure is required by legal authority. Such information shall not be
used for personal benefit or released to inappropriate parties.

Maintain competency in their respective fields and agree to undertake only those activities
they can reasonably expect to complete with the necessary skills, knowledge and
competence.

Inform appropriate parties of the results of work performed including the disclosure of all
significant facts known to them that, if not disclosed, may distort the reporting of the
results.

Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.

The failure of a CISA to comply with this code of professional ethics may result in an
investigation with possible sanctions or disciplinary measures.


3.7 What Makes an Information Security Auditor


• At minimum, a bachelor's degree
• Certification is often highly recommended and may be required by some employers prior to hiring.
• A Certified Information Systems Auditor or CISA is an independent expert who is qualified to perform information systems audit. This has uplifted the status of the CISA designation, which is often a mandatory qualification for an information systems auditor.

ABOUT CISA

This certification is recognized worldwide as completion of a standardized security auditing certification program.

Information Systems Audit and Control Association (ISACA) is a world recognized body that
was founded in 1969. The CISA examination and certification was initiated by ISACA in 1978, to
address industry requirements.

The CISA designation is awarded to individuals with an interest in Information Systems auditing, control and security who meet the following requirements:

• Successful completion of the CISA examination
• Submit an Application for CISA Certification
• Adherence to the Code of Professional Ethics
• Adherence to the Continuing Professional Education Program
• Compliance with the Information Systems Auditing Standards

It is important to note that many individuals choose to take the CISA exam prior to meeting
the experience requirements. This practice is acceptable and encouraged although the CISA
designation will not be awarded until all requirements are met.

ABOUT CISSP

CISSP® (Certified Information Systems Security Professional) is a vendor-neutral certification for those with proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage their overall information security program to protect organizations from growing sophisticated attacks. It is backed by (ISC)², the globally recognized, not-for-profit organization dedicated to advancing the information security field.


UNIT IV

VULNERABILITY ANALYSIS

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Trainer’s Resource Material
4.1. What Is Vulnerability Assessment?
4.2. Why to carry out Vulnerability Assessment?
4.3. Vulnerability Classification
4.4. Types of Vulnerability Assessment
4.5. How to Conduct a Vulnerability Assessment
4.6. Vulnerability Analysis Tools

LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
Ensuring Measures: Peer group, Faculty group and Industry experts.
Duration (Hrs): 2 hr in class presentations
Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Projection facilities

Performance Outcomes:
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Ensuring Measures: KA4, KA5. Peer group, Faculty group and Industry experts. KB1 - KB4 Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline Research and Learning activity.
Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security


Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.

Activity 2:

Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.


Lesson

Vulnerability analysis, also known as vulnerability assessment, is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure. In addition, vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use.

4.1 What Is Vulnerability Assessment?


A key component of the vulnerability assessment is properly defining the ratings for impact of loss and vulnerability. The deliverable for the assessment is, most importantly, a prioritized list of discovered vulnerabilities (and often how to remediate). The findings are classified into categories of high, medium, and low risk.

A vulnerability assessment system will look at the network and pinpoint the weaknesses that need to be fixed/patched, before they ever get breached. With ever growing new vulnerabilities being announced each week, a company's network is only as secure as its latest vulnerability assessment. An ongoing vulnerability assessment process, in combination with proper remediation, will help ensure that the network is fortified to withstand the latest attacks.


4.2 Why to carry out Vulnerability Assessment?


Vulnerability assessment is important because it is a powerful proactive process for securing an enterprise network. With vulnerability assessment, potential security holes are fixed before they become problematic, allowing companies to fend off attacks before they occur. Virtually all attacks come from already known vulnerabilities.

CERT/CC (the federally funded research and development center operated by Carnegie Mellon
University) reports that nearly 99% of all intrusions resulted from exploitation of known
vulnerabilities or configuration errors.

4.3 Vulnerability Classification

The following are the categories of vulnerabilities commonly recognised, even though classification is an ongoing discussion that has not yet been fully agreed by the various stakeholders:
1. Misconfigurations
2. Default installations
3. Buffer overflows
4. Unpatched servers
5. Default passwords
6. Open services
7. Application flaws
8. Open system flaws
9. Design flaws

Some of these are explained below.

Misconfigurations

Security misconfiguration is simply incorrectly assembled safeguards for a web application. These misconfigurations typically occur when holes are left in the security framework of an application by systems administrators, DBAs or developers. They can occur at any level of the application stack, including the platform, web server, application server, database, framework, and custom code. These security misconfigurations can lead an attacker right into the system and result in a partially or totally compromised system. Attackers find these misconfigurations through unauthorized access to default accounts, unused web pages, unpatched flaws, unprotected files and directories, and more. If a system is compromised through faulty security configurations, data can be stolen or modified slowly over time and can be time-consuming and costly to recover.

Default installations

Most server applications included in a default installation are solid, thoroughly tested pieces of software. Having been in use in production environments for many years, their code has been thoroughly refined and many bugs that have been found are fixed. However, there is no perfect software and there is always room for further refinement. Moreover, newer software is often not as rigorously tested because of its recent arrival to production environments or because it may not be as popular as other server software. Developers and system administrators often find exploitable bugs in server applications and publish the information


on bug tracking and security-related websites such as the Bugtraq mailing list (http://www.securityfocus.com) or the Computer Emergency Response Team (CERT) website (http://www.cert.org).

Buffer overflows

A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information.

Unpatched servers

According to Wikipedia, a patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bugfixes or bug fixes, and improving the usability or performance. Although meant to fix problems, poorly designed patches can sometimes introduce new problems. Server applications left unpatched by developers or administrators who fail to patch their systems make this one of the most exploited vulnerabilities.

Default passwords

Another common error is to leave the default passwords or keys in services that have such authentication methods built into them. For example, some databases leave default administration passwords under the assumption that the system administrator will change this immediately upon configuration. Even an inexperienced cracker can use the widely-known default password to gain administrative privileges to the database.


4.4 Types of Vulnerability Assessment

Active Assessment: Scans the network using any network scanner to find hosts, services and vulnerabilities.

Passive Assessment: This is a technique that sniffs the network traffic to find out active systems, network services, applications and vulnerabilities present.

Host based Assessment: This is a sort of security check carried out through a configuration level test through the command line.

Internal Assessment: This is a technique to scan the internal infrastructure to find out the exploits and vulnerabilities.

External Assessment: This is used to assess the network from a hacker's point of view to find out what exploits and vulnerabilities are available to the outside world.

Application Assessment: This tests the web server infrastructure for any misconfiguration, outdated content and known vulnerabilities.

Network Assessment: This determines the possible network security attacks that may occur on the organization's systems.

Wireless network Assessment: This determines and tracks all the wireless networks prevalent at the client side.
4.5 How to Conduct a Vulnerability Assessment


The method for performing the VA will include reviewing the appropriate policies and procedures relating to the systems being assessed, interviewing system administrators, and security scanning.

Vulnerability analysis consists of several steps:
STEP 1. Defining and classifying network or system resources
STEP 2. Assigning relative levels of importance to the resources
STEP 3. Identifying potential threats to each resource
STEP 4. Developing a strategy to deal with the most serious potential problems first
STEP 5. Defining and implementing ways to minimize the consequences if an attack occurs


The following tasks are involved in conducting a VA:
 Use vulnerability assessment tools
 Check for misconfigured web servers, mail servers, firewalls, etc.
 Search the web for postings about the company's vulnerabilities
 Search underground websites for further postings about the company's vulnerabilities

The VA is carried out in the following phases:

Pre-assessment phase
 Describes the scope of the assessment
 Creates proper information protection procedures such as effective planning, scheduling, coordination and logistics
 Identifies and ranks the critical assets

Assessment phase
 Examines the network architecture
 Evaluates the threat environment
 Carries out penetration testing
 Examines and evaluates physical security
 Performs a physical asset analysis
 Observes policies and procedures
 Conducts an impact analysis
 Performs a risk characterization

Vulnerability Analysis phase
This phase identifies the areas where vulnerabilities exist. It entails performing vulnerability analysis and listing the areas that need testing and penetration.

Vulnerability penetration capabilities can be broken down into three steps:
1. Locating nodes
2. Performing service discovery on them
3. Testing those services for known security holes

Post Assessment phase
 Prioritising the assessment recommendations
 Developing an action plan to implement the proposed recommendations
 Capturing lessons learned to improve the complete process in the future
 Conducting training

Now that the auditors have identified and verified the vulnerabilities, they must perform an in-depth analysis of all the assembled data. The goal here is to identify systemic causes and then formulate plans to remedy each cause. These plans are the basis of the strategic recommendations that they bring before the business' executives. Once the auditors have completed their assessment, the IT department or the consultants work alongside the executives to fix those problem areas. Once the business rectifies the vulnerabilities, it can direct its attention to upgrading or transitioning the network.


4.6 Vulnerability Analysis Tools

Types of tools available for vulnerability assessment are classified as follows:

Host based VA tools
These find and identify the OS running on a particular host computer and test it for known deficiencies. They also search for common applications and services.

Application-layer VA tools
These are directed towards web servers or databases.

Scope assessment tools
These provide security to the IT system by testing for vulnerabilities in the applications and the OS.

Depth assessment tools
These tools find and identify previously unknown vulnerabilities in a system, and include 'fuzzers'. A fuzzer is a program that attempts to discover security vulnerabilities by sending random or malformed input to an application. If the program contains a flaw that leads to an exception, crash or server error (in the case of web apps), a vulnerability has been discovered. Fuzzers are often termed fault injectors for this reason: they generate faults and send them to an application.

Active/passive tools
Active scanners perform vulnerability checks by sending traffic on the network, which consumes resources on the network and on the hosts being scanned. Passive scanners do not materially affect system resources; they only observe system data and perform the processing on a separate analysis machine.

Tools may also be classified based on the data examined or their location: for example, network-based scanners, agent-based scanners, proxy scanners or cluster scanners.

While new vulnerabilities are discovered every day and new tools are required to tackle these, a list of available tools is given below:

1. Qualys Vulnerability Scanner
2. Cycorp CycSecure Scanner
3. eEye Retina Network Security Scanner
4. Foundstone Professional Scanner
5. GFI LANguard Network Security Scanner
6. ISS Network Scanner
7. Saint Vulnerability Scanner
8. Symantec NetRecon Scanner
9. Shadow Security Scanner
10. Microsoft Baseline Security Analyzer
11. SPIKE Proxy
12. Foundstone's ScanLine
13. Cerberus Internet Scanner

Some of the free scanners available on the internet include:

Nmap
Nmap is a utility for network discovery and/or security auditing. It can be used to scan large networks or single hosts quickly and accurately, determining which hosts are available, what services each host is running and the operating system that is being used.
For more information visit http://www.insecure.org/nmap

Nessus
Nessus is a remote security scanner. This software can audit a given network and determine if there are any weaknesses present that may allow attackers to penetrate the defences. It runs a library of predefined vulnerability checks (plugins) against each host and reports which checks found a weakness.
For more information visit http://www.nessus.org

Whisker
Whisker is a CGI web scanner. It scans for known vulnerabilities found in web servers, giving the URL that triggered the event as well; it can also determine the type of web server being run. It is easy to update and has many useful features.
For more information visit http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2

Enum
Enum is a console-based Win32 information enumeration utility. Using null sessions, enum can retrieve user lists, machine lists, share lists, name lists, group and member lists, and password and LSA policy information. enum is also capable of a rudimentary brute force dictionary attack on individual accounts.
For more information visit http://razor.bindview.com/tools/desc/enum_readme.html

Firewalk
Firewalking is a technique that employs traceroute-like methods to analyze IP packet responses in order to determine gateway ACL filters and map networks. It can also be used to determine the filter rules in place on a packet forwarding device.
For more information visit http://www.packetfactory.net/Projects/Firewalk


UNIT V
PENETRATION TESTING

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Trainer Resource Material
5.1. About penetration testing
5.2. Penetration testing stages


LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
Ensuring Measures: Peer group, Faculty group and Industry experts.
Work Environment / Duration (Hrs): 2 hr in class presentations
Lab Requirement:
 PCs/Tablets/Laptops
 Projection facilities

Performance Outcomes:
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Ensuring Measures: KA4, KA5: Peer group, Faculty group and Industry experts. KB1 - KB4: Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Work Environment / Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline Research and Learning activity.
Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security


Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research various types of attacks and collect examples of each type of virus, Trojan, worm and other malware. The group that gets the maximum number of correct examples will get a prize.

Activity 2:

Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.


Lesson

A penetration test is the process of actively evaluating a company's information security measures. Security measures are actively analysed for design weaknesses, technical flaws and vulnerabilities. The results are delivered comprehensively in a report to executive, management, and technical audiences.

5.1. Why conduct penetration testing?

Reasons for conducting pentests:
• Identify the threats facing an organization's information assets
• Reduce an organization's IT security costs and provide a better Return on IT Security Investment (ROSI) by identifying and resolving vulnerabilities and weaknesses
• Provide an organization with assurance: a thorough and comprehensive assessment of organizational security covering policy
• Gain and maintain certification to an industry regulation (BS7799, HIPAA etc.)
• Adopt best practice by conforming to legal and industry regulations
• Focus on high severity vulnerabilities and bring application-level security issues to the attention of development teams and management
• Test and validate the efficiency of security protections and controls
• Give the organization a view of its vulnerabilities from both inside and outside
• Provide indisputable information usable by audit teams gathering data for regulatory compliance
• Provide a comprehensive set of preparation steps that can be taken to prevent upcoming exploitation
• Evaluate the efficiency of network security devices such as firewalls, routers, and web servers
• Inform decisions on changing or upgrading the existing infrastructure of software, hardware, or network design


5.2. What should be tested?

An organization should conduct a risk assessment before the penetration testing; this will help to identify the main threats and the assets exposed to them, such as:

• Communications failure, e-commerce failure, and loss of confidential information.
• Public facing systems: websites, email gateways, and remote access platforms.
• Mail, DNS, firewalls, passwords, FTP, IIS, and web servers.

Testing should be performed on all hardware and software components of a network security system.

5.3 Penetration testing stages


According to one classification, there are three stages in penetration testing:
 Pre-attack phase
 Attack phase
 Post-attack phase

Penetration (or external assessment) testing usually starts with three pre-test phases:
• Footprinting
• Scanning
• Enumerating
Together, the three pre-test phases are called reconnaissance.

Pre-attack phase

This process seeks to gather as much information about the target network as possible, following these seven steps:
STEP 1. Gather initial information
STEP 2. Determine the network range
STEP 3. Identify active machines
STEP 4. Discover open ports and access points
STEP 5. Fingerprint the operating system
STEP 6. Uncover services on ports
STEP 7. Map the network

The goal of reconnaissance is primarily to discover the following information:
o IP addresses of hosts on a target network
o Accessible User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) ports on target systems
o Operating systems on target systems

Malicious hackers also value reconnaissance as the first step in an effective attack. Keep in mind that the penetration test process is more organic than these steps would indicate. These pre-test phases entail the process of discovery, and although the process is commonly executed in this order, a good tester knows how to improvise and head in a different direction, depending upon the information found.

There are two different reconnaissance methods to discover information on the hosts in
your target network:
• Passive reconnaissance
• Active reconnaissance

a. Passive Host Reconnaissance


Passive reconnaissance gathers data from open source information. Open source means
that the information is freely available to the public. Looking at open source information is
entirely legal. A company can do little to protect against the release of this information, but
later sections of this chapter explore some of the options available. Following are examples
of open source information:
• A company website
• Electronic Data Gathering, Analysis, and Retrieval (EDGAR) filings (for publicly
traded companies)
• Network News Transfer Protocol (NNTP) USENET Newsgroups
• User group meetings
• Business partners
• Dumpster diving
• Social engineering

b. Active reconnaissance
Active reconnaissance, in contrast, involves using technology in a manner that the target
might detect. This could be by doing DNS zone transfers and lookups, ping sweeps,
traceroutes, port scans, or operating system fingerprinting. Some of the tools that are useful
in active host reconnaissance include the following:
• NSLookup/Whois/Dig lookups
• SamSpade
• Visual Route/Cheops
• Pinger/WS_Ping_Pro


The three stages of reconnaissance are:

Footprinting

Footprinting is the active blueprinting of the security profile of an organization. It involves gathering information about your customer's network to create a unique profile of the organization's networks and systems. It's an important way for an attacker to gain information about an organization passively, that is, without the organization's knowledge.

Footprinting employs the first two steps of reconnaissance, gathering the initial target information and determining the network range of the target. Common tools/resources used in the footprinting phase are:
• Whois
• SmartWhois
• NsLookup
• Sam Spade

Footprinting may also require manual research, such as studying the company's Web page for useful information, for example:
• Company contact names, phone numbers and email addresses
• Company locations and branches
• Other companies with which the target company partners or deals
• News, such as mergers or acquisitions
• Links to other company-related sites
• Company privacy policies, which may help identify the types of security mechanisms in place

Other resources that may have information about the target company are:
• The Capital Market database if the company is publicly traded
• Job boards, either internal to the company or external sites
• Disgruntled employee blogs and Web sites
• Trade press

You can also get more active with footprinting. For example, you can call the organization's help desk and, by employing social engineering techniques, get them to reveal privileged information.

Scanning

The next four information-gathering steps -- identifying active machines, discovering open ports and access points, fingerprinting the operating system, and uncovering services on ports -- are considered part of the scanning phase. The goal here is to discover open ports and applications by performing external or internal network scanning, pinging machines, determining network ranges and port scanning individual systems.

Although this is still information gathering mode, scanning is more active than footprinting; it provides a more detailed picture of the customer's operations.

Some common tools used in the scanning phase are:

• NMap
• Ping
• Traceroute
• Superscan
• Netcat
• NeoTrace
• Visual Route

Enumerating

In enumeration, a tester tries to identify valid user accounts or poorly-protected resource shares using active connections to systems and directed queries. The type of information sought by testers during the enumeration phase can be users and groups, network resources and shares, and applications.

The techniques used for enumeration include:
• Obtaining Active Directory information and identifying vulnerable user accounts
• Discovering NetBIOS names with NBTscan
• Using snmputil for SNMP enumeration
• Employing Windows DNS queries
• Establishing null sessions and connections

Remember that during a penetration test, you'll need to document every step and finding, not only for the final report, but also to alert the organization immediately to serious vulnerabilities that may exist. This is also known as the Discovery phase.

The next phase is the Vulnerability Analysis. This involves comparing the services, applications,
and operating systems of scanned hosts against vulnerability databases (a process that is
automatic for vulnerability scanners) and the testers’ own knowledge of vulnerabilities. Human
testers can use their own databases—or public databases such as the National Vulnerability
Database (NVD) — to identify vulnerabilities manually. Manual processes can identify new or
obscure vulnerabilities that automated scanners may miss, but are much slower than an
automated scanner.
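The three steps of the vulnerability penetration capability in 4.5 (locating nodes, performing service discovery on them, testing those services for known holes) and the scanning and vulnerability analysis phases described here can be shown end to end in a few dozen lines. The following is an added example written for this handbook edition, not code from the handbook or from any of the scanners it lists: it performs a TCP connect scan, grabs whatever banner each service volunteers, and compares the product and version parsed from the banner against a constructed vulnerability table standing in for a feed such as NVD. The advisory labels, the listeners on 127.0.0.1 and the version thresholds are all made up for the example; the version comparison is done on numeric tuples so that 2.4.9 is correctly treated as older than 2.4.30.

```python
import re
import socket
import threading

# Constructed vulnerability table standing in for a real feed such as NVD.
# Each entry: (product, version the fix shipped in, advisory label).
# The advisory labels are made up for this example, not real CVE IDs.
VULN_DB = [
    ("OpenSSH", (7, 4), "HYPOTHETICAL-2016-0001: pre-7.4 issue"),
    ("Apache", (2, 4, 30), "HYPOTHETICAL-2018-0002: pre-2.4.30 issue"),
    ("vsFTPd", (3, 0, 0), "HYPOTHETICAL-2011-0003: pre-3.0 issue"),
]

# Product name, optional separator, dotted version number.
BANNER_RE = re.compile(r"(OpenSSH|Apache|vsFTPd)[_/ ]?v?(\d+(?:\.\d+)*)")


def parse_banner(banner):
    """Return (product, version tuple) from a service banner, or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    version = tuple(int(part) for part in m.group(2).split("."))
    return m.group(1), version


def match_vulns(banner):
    """Advisories for the banner's product whose fix is newer than the
    observed version. Tuple comparison keeps 2.4.9 < 2.4.30, which a
    plain string comparison would get wrong."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    return [adv for prod, fixed, adv in VULN_DB
            if prod == product and version < fixed]


def scan_host(host, ports, timeout=0.5):
    """Steps 1 and 2: TCP connect() to each port; open ports are recorded
    together with whatever banner the service sends unprompted."""
    found = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            try:
                banner = sock.recv(256).decode("latin-1").strip()
            except OSError:          # accepted the connection but stayed silent
                banner = ""
            found[port] = banner
        except OSError:              # refused or timed out: treat as closed
            pass
        finally:
            sock.close()
    return found


def assess(host, ports):
    """Step 3: check every discovered service against the known-hole table."""
    return {port: match_vulns(banner)
            for port, banner in scan_host(host, ports).items()}


def _fake_service(banner):
    """Constructed listener on an ephemeral loopback port that greets each
    client with a fixed banner (the web one answers without a request,
    which a real HTTP server would not)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.sendall(banner.encode("latin-1"))
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Stand up three constructed services plus one closed port, scan, assess."""
    ssh = _fake_service("SSH-2.0-OpenSSH_7.2p2 Ubuntu-4\r\n")
    ftp = _fake_service("220 (vsFTPd 3.0.3)\r\n")
    web = _fake_service("HTTP/1.1 200 OK\r\nServer: Apache/2.4.9 (Unix)\r\n\r\n")
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed = probe.getsockname()[1]   # a port nobody is listening on
    probe.close()
    results = assess("127.0.0.1", [ssh, ftp, web, closed])
    return {"ssh": results.get(ssh), "ftp": results.get(ftp),
            "web": results.get(web), "closed_seen": closed in results}


if __name__ == "__main__":
    for name, advisories in demo().items():
        print(name, advisories)
```

A real scanner adds what this example leaves out: UDP probes, sending protocol-specific requests to services that do not greet first, and a vulnerability feed that is refreshed rather than hard-coded. The shape of the work is the same: the banner gives a product and version, and the match is a version comparison against the fixed-in release.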


Attack Phase

The next phase is the attack phase, where, if an attack is successful, the vulnerability is verified and safeguards are identified to mitigate the associated security exposure. In many cases, exploits that are executed do not grant the maximum level of potential access to an attacker. They may instead result in the testers learning more about the targeted network and its potential vulnerabilities, or induce a change in the state of the targeted network's security.

Some exploits enable testers to escalate their privileges on the system or network to gain access to additional resources. If this occurs, additional analysis and testing are required to determine the true level of risk for the network, such as identifying the types of information that can be gleaned, changed, or removed from the system. In the event an attack on a specific vulnerability proves impossible, the tester should attempt to exploit another discovered vulnerability.

If testers are able to exploit a vulnerability, they can install more tools on the target system or network to facilitate the testing process. These tools are used to gain access to additional systems or resources on the network, and to obtain access to information about the network or organization. Testing and analysis on multiple systems should be conducted during a penetration test to determine the level of access an adversary could gain.

While vulnerability scanners check only for the possible existence of a vulnerability, the attack phase of a penetration test exploits the vulnerability to confirm its existence.

Most vulnerabilities exploited by penetration testing fall into the following categories:
Misconfigurations
Misconfigured security settings, particularly insecure default settings, are usually easily
exploitable.
Kernel Flaws
Kernel code is the core of an OS, and enforces the overall security model for the system—
so any security flaw in the kernel puts the entire system in danger.
Buffer Overflows
A buffer overflow occurs when programs do not adequately check input for appropriate
length. When this occurs, arbitrary code can be introduced into the system and executed
with the privileges—often at the administrative level—of the running program.
Insufficient Input Validation
Many applications fail to fully validate the input they receive from users. An example is a
Web application that embeds a value from a user in a database query. If the user enters
SQL commands instead of or in addition to the requested value, and the Web application
does not filter the SQL commands, the query may be run with malicious changes that the
user requested—causing what is known as a SQL injection attack.
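The SQL injection case above, as an added example (not from the handbook): the same login lookup written twice against an in-memory SQLite table with constructed rows. The table, user names and passwords are assumed for the example. The vulnerable version pastes the input into the statement text; the safe version passes it as a bound parameter, which is the fix the text calls for.

```python
import sqlite3


def make_db():
    """Constructed user table standing in for the application's real store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, name, pw):
    """The flaw the text describes: the user's input is pasted into the SQL
    text, so a quote in the input closes the string literal and whatever
    follows is parsed as SQL rather than compared as data."""
    sql = "SELECT name, role FROM users WHERE name = '%s' AND pw = '%s' ORDER BY name" % (name, pw)
    return conn.execute(sql).fetchall()


def login_safe(conn, name, pw):
    """The fix: placeholders. The statement is parsed with ? markers and the
    values are bound afterwards, so they can only ever be compared, never
    change the shape of the query."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw = ? ORDER BY name"
    return conn.execute(sql, (name, pw)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "nobody", payload))   # every row
    print("safe:      ", login_safe(db, "nobody", payload))         # no rows
```

Two payloads are worth trying by hand: a password of `' OR '1'='1` turns the WHERE clause into `(name = 'nobody' AND pw = '') OR '1'='1'` and returns every user, and a name of `alice'--` comments out the password check entirely. Both behave as ordinary, non-matching strings once the query is parameterised.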
Symbolic Links

A symbolic link (symlink) is a file that points to another file. Operating systems include
programs that can change the permissions granted to a file. If these programs run with
privileged permissions, a user could strategically create symlinks to trick these programs
into modifying or listing critical system files.
File Descriptor Attacks
File descriptors are numbers used by the system to keep track of files in lieu of filenames.
Specific types of file descriptors have implied uses. When a privileged program assigns an
inappropriate file descriptor, it exposes that file to compromise.
Race Conditions
Race conditions can occur during the time a program or process has entered into a
privileged mode. A user can time an attack to take advantage of elevated privileges while
the program or process is still in the privileged mode.
Incorrect File and Directory Permissions
File and directory permissions control the access assigned to users and processes. Poor
permissions could allow many types of attacks, including the reading or writing of
password files or additions to the list of trusted remote hosts.
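The symbolic link, race condition and file permission categories above share one root cause: a privileged program trusting a file name rather than the file it actually opened. The following added example (not from the handbook) shows a check-then-open routine being defeated by a symlink swapped in during the check/use window, the same read done safely with O_NOFOLLOW and fstat on the open descriptor, and a small permission audit that flags world-writable files. The temporary directory, the file names and the "attacker" callback that stands in for a concurrent process are constructed for the demo, and it needs a POSIX system.

```python
import os
import stat
import tempfile


def read_unsafe(path, attacker=None):
    """Check-then-use: refuse a symlink by name, then open by name. The check
    and the open are two separate system calls, so another process can swap
    the name for a symlink in between (the `attacker` callback models that),
    and open() follows whatever the name points to *now*."""
    if os.path.islink(path):
        raise PermissionError("refusing symlink: " + path)
    if attacker is not None:
        attacker()
    with open(path) as f:
        return f.read()


def read_safe(path):
    """Open with O_NOFOLLOW so the kernel rejects a symlink atomically at open
    time, then inspect the descriptor (fstat), not the name. There is no
    window in which the file can be exchanged between check and use."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise PermissionError("not a regular file: " + path)
    with os.fdopen(fd) as f:
        return f.read()


def world_writable(root):
    """Permission audit: regular files under root that any user may modify.
    lstat is used so a symlink's own mode is not reported for its target."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Constructed scenario: a secret the program must never read, a report
    it is supposed to read, and an attacker who swaps them."""
    root = tempfile.mkdtemp()
    secret = os.path.join(root, "shadow")
    with open(secret, "w") as f:
        f.write("root:$6$hash\n")
    os.chmod(secret, 0o600)
    report = os.path.join(root, "report.txt")
    with open(report, "w") as f:
        f.write("harmless\n")
    os.chmod(report, 0o666)          # sloppy permissions, on purpose
    perms = world_writable(root)     # audit before the attack

    def attacker():                  # runs inside the check/use window
        os.remove(report)
        os.symlink(secret, report)

    leaked = read_unsafe(report, attacker)   # returns the secret's contents
    try:
        read_safe(report)                    # report is now a symlink
        blocked = False
    except OSError:                          # ELOOP from O_NOFOLLOW
        blocked = True
    return {"leaked": leaked, "blocked": blocked, "world_writable": perms,
            "safe_direct": read_safe(secret)}


if __name__ == "__main__":
    print(demo())
```

The world-writable `report.txt` is what lets an unprivileged user replace it in the first place, which is why the permission finding and the symlink finding belong in the same report.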

Attack Phase Activities

The attack phase activities include:

a. Activity: Perimeter Auditing

The perimeter layer of a network starts when and where an outside connection is established and ends with access to a private network. A private network will be at risk from many threats because of the need to establish connections to other networks, especially the Internet. An IDS (Intrusion Detection System) or IPS (Intrusion Prevention System) is usually included in the perimeter to detect and stop any malicious activity on a private network. The overall network perimeter complexity will depend on the services provided over the Internet. The router and firewall separate the Internet from a private network, the IDS or IPS monitors all traffic, and the VPN (Virtual Private Network) provides remote access; all of these provide the necessary defence-in-depth features for the perimeter.

The complex configurations of many organisations make it very difficult to secure the perimeter 100%.

A sound network security perimeter architecture requires multiple layers of defence, up-to-date and hardened policies and controls, and segmentation. All of these things make it harder for an attacker to gain access to the critical data assets and easier for the organisation to isolate and respond to breaches when they occur.

Audits performed for the purpose of determining the security stance of a private network are known as perimeter security tests.

A channel is the means of interaction with an asset and an asset is what has value to the owner.
Channels are classified as
• Physical security
• Spectrum security
• Communications security

The definition of the scope will determine the costs associated with third-party audits.

The scope consists of targets as determined by the selection of channel, test type, and vectors.

These targets are then indexed to allow for unique identification by the test vector.

The vectors represent how the security of a channel will be tested.

The more channels and vectors in a scope, the longer it will take to complete an audit.

Performing an external security assessment on the perimeter at least annually is recommended, and should be affordable since only the external vector is tested.

Audits can be used to verify the rules configured on firewall, IDS and spam filtering devices. The audit needs to be performed independently from whoever installs, configures, and manages the perimeter, to ensure impartiality.

Documenting the effectiveness of perimeter security measures is an important audit activity. The auditors have to ensure these are established properly, as many organizations use perimeter security as their main line of defence against external threats.

Common problems during and after the perimeter security implementation process include:
• Management and IT staff believe that once a firewall is in place, they have sufficient security and no further checks and controls are needed on the internal network.
• Analog lines and modems are provided to connect to an Internet service provider or to give dial-in access to the desktop system, thus bypassing perimeter security measures.
• Internal host network services are passed through security perimeter control points unscreened.
• Firewalls, hosts, or routers accept connections from multiple hosts on the internal network and from hosts on the DMZ network.
• The organization allows incorrect configuration of access lists, which results in allowing unknown and dangerous services to pass through the network freely.
• The details of logged user activities are not reviewed regularly or are insufficient, thus deteriorating the effectiveness of the monitoring system.
• Hosts on the DMZ or those running firewall software are also running unnecessary services.
• Support personnel use unencrypted protocols to manage firewalls and other DMZ devices.
• Employees are allowed to run encrypted tunnels through the organization's perimeter device without fully validating the tunnel's end-point security.
• The company uses unsecured or unsupported wireless network applications.
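Several of the problems above (access lists that let unknown services through, unencrypted management protocols, internal services passed through the perimeter unscreened) can be caught by auditing the exported rule set against policy before anyone sends a packet. The following is an added example (not from the handbook and not tied to any vendor's syntax): a simple first-match rule format, constructed internal and DMZ ranges and a constructed allow-list, and an audit that flags rules exposing internal ranges, permitting unapproved or clear-text management services on the DMZ, or that are shadowed by an earlier broader rule and so never take effect. The rules and address ranges are made up for the example.

```python
import ipaddress

# Constructed address plan for the example.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]
DMZ = ipaddress.ip_network("172.16.0.0/24")
ALLOWED_INBOUND = {25, 80, 443}                            # services the DMZ may expose
CLEARTEXT_MGMT = {21: "ftp", 23: "telnet", 161: "snmp"}    # never across the perimeter

# Constructed rule set, first match wins: "<allow|deny> <src> <dst> <port|any>".
RULES = [
    "allow 0.0.0.0/0 172.16.0.0/24 443",      # HTTPS to the DMZ: fine
    "allow 0.0.0.0/0 172.16.0.10/32 23",      # telnet management from anywhere
    "allow 0.0.0.0/0 172.16.0.0/24 8080",     # service not on the approved list
    "allow 203.0.113.0/24 10.1.2.0/24 any",   # partner network straight into internal
    "allow 0.0.0.0/0 172.16.0.20/32 443",     # already covered by rule 1: never matches
    "deny 0.0.0.0/0 0.0.0.0/0 any",
]


def parse_rule(line):
    """Turn one rule line into a dict of networks and an optional port."""
    action, src, dst, port = line.split()
    return {"action": action,
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "port": None if port == "any" else int(port),
            "text": line}


def is_external(net):
    """A source is external if it is not inside any range we own."""
    return not any(net.subnet_of(r) for r in INTERNAL + [DMZ])


def covers(a, b):
    """True if everything rule b would match, rule a already matches."""
    return (b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and (a["port"] is None or a["port"] == b["port"]))


def audit(lines):
    """Return (finding, rule text) pairs in rule order."""
    rules = [parse_rule(line) for line in lines]
    findings = []
    for i, r in enumerate(rules):
        if r["action"] == "allow" and is_external(r["src"]):
            if any(r["dst"].overlaps(n) for n in INTERNAL):
                findings.append(("INTERNAL_EXPOSED", r["text"]))
            elif r["dst"].overlaps(DMZ):
                if r["port"] is None:
                    findings.append(("ANY_SERVICE", r["text"]))
                elif r["port"] in CLEARTEXT_MGMT:
                    findings.append(("CLEARTEXT_MGMT " + CLEARTEXT_MGMT[r["port"]], r["text"]))
                elif r["port"] not in ALLOWED_INBOUND:
                    findings.append(("UNAPPROVED_SERVICE", r["text"]))
        # Shadowing is checked regardless of action: an earlier, broader
        # allow also turns a later deny into dead configuration.
        if any(covers(earlier, r) for earlier in rules[:i]):
            findings.append(("SHADOWED", r["text"]))
    return findings


if __name__ == "__main__":
    for finding, text in audit(RULES):
        print(finding.ljust(22), text)
```

Running it against the constructed rule set reports the telnet rule, the port 8080 rule, the partner-to-internal rule and the shadowed rule; the HTTPS rule and the final deny pass. On a real device the same checks run over the exported configuration, and the allow-list comes from the change-control records rather than a literal in the script.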

Organizations purchase security tools to help evaluate the IT network's strength and detect network vulnerabilities and risk areas. Some of the tools available for different activities include host-based audit software, network traffic analysis and intrusion detection system tools, security management and improvement programs, and network-based audit and encryption software. The auditors will check the effectiveness of these tools and their application.


b. Activity: Web Application Auditing

Web application vulnerabilities account for the largest portion of attack vectors outside of malware. It is crucial that any web application be assessed for vulnerabilities and that any vulnerabilities found be remediated prior to production deployment.

• Areas Covered by Web Application Testing


 Configuration errors
 Application loopholes in server code or scripts
 Advice on data that could have been exposed due to past errors
 Testing for known vulnerabilities
 Reducing the risk and enticement to attack
 Advice on fixes and future security plans
• Typical Issues Discovered in an Application Test
 Cross-site scripting
 SQL injection
 Server misconfigurations
 Form/hidden field manipulation
 Command injection
 Cookie poisoning
 Well-known platform vulnerabilities
 Insecure use of cryptography
 Back doors and debug options
 Errors triggering sensitive information leak
 Broken ACLs/Weak passwords
 Weak session management
 Buffer overflows
 Forceful browsing
 CGI-BIN manipulation
 Risk reduction to zero day exploits

Web Application Audit Tools: Burp Suite, fuzzing tool, dotDefender, IBM Security AppScan, HP
WebInspect, SQL Block Monitor, Microsoft Source Code Analyzer, Acunetix Web Vulnerability
Scanner, WebCruiser, GreenSQL, Microsoft UrlScan, Absinthe, CORE IMPACT Pro, Safe3SI,
BSQLHacker, SQL Power Injector, Havij, BobCat, Sqlninja, sqlmap, Pangolin – Automatic SQL
Injection Penetration Testing Tool, NGSSQuirreL


Web applications are subject to security assessments based on the following criteria:

 New or Major Application Release


This will be subject to a full assessment prior to approval of the change control
documentation and/or release into the live environment.

 Third Party or Acquired Web Application


This will be subject to full assessment after which it will be bound to policy requirements.

 Point Releases
This will be subject to an appropriate assessment level based on the risk of the changes in
the application functionality and/or architecture.

 Patch Releases
This will be subject to an appropriate assessment level based on the risk of the changes to
the application functionality and/or architecture.
 Emergency Releases
An emergency release will be allowed to forgo security assessments and carry the
assumed risk until such time that a proper assessment can be carried out.


c. Activity: Wireless Auditing

Wireless network security audits provide information concerning the actual security level of the examined infrastructure.

The wireless network security audit service includes:
• wireless network security-centred topology analysis;
• examination of wireless network accessibility on and outside the company premises by surveying the network range and recording the results on a situation map; this allows the identification of areas in which the network extends beyond its planned limits and is accessible to random persons;
• analysis of the adopted protection measures, consisting of analysis of the adopted wireless network protection mechanisms, user rights and data transmission security;
• penetration tests: non-invasive or invasive attempts to break the employed protection measures by means of special tools;
• procedural audit, examining the completeness and correctness of procedures relating to wireless network security; this examination can include, e.g., analysis of the access rights granting procedure or the periodic detection procedure for unauthorized access points.


d. Activity: Application Security Assessment

Application security can be assessed in a number of ways, ranging from source code review to penetration testing of the implemented application. Many application security tests subject the application to known attack patterns typical for that application's type. These patterns may directly target the application itself, or may attempt to attack indirectly by targeting the execution environment or security infrastructure.

Examples of attack patterns are information leakage (e.g., reconnaissance, exposure of sensitive information), authentication exploits, session management exploits, subversion (e.g., spoofing, impersonation, command injection), and denial of service attacks.

Application security assessment should be integrated into the software development life cycle of the application to ensure that it is performed throughout the life cycle. For example, code reviews can be performed as code is being implemented, rather than waiting until the entire application is ready for testing.

Tests should also be performed periodically once an application has gone into production; when significant patches, updates, or other modifications are made; or when significant changes occur in the threat environment where the application operates.

Assessors performing application security assessments should have a certain baseline skill set. Guidelines for the minimum skill set include knowledge of specific programming languages and protocols; knowledge of application development and secure coding practices; understanding of the vulnerabilities introduced by poor coding practices; the ability to use automated software code review and other application security test tools; and knowledge of common application vulnerabilities.

Application Security Assessments provide assurance that mobile applications, external applications, internal applications and APIs are secure. Security consultants test the state of applications and provide actionable recommendations to enhance an organization's security posture.

Application security testing and examination help an organization determine whether its custom
application software—for example, Web applications—contains vulnerabilities that can be
exploited, and whether the software behaves and interacts securely with its users, other
applications (such as databases), and its execution environment.
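The injection pattern listed above under subversion (command injection) is the kind of defect an assessor probes for and the kind a code review should catch early in the life cycle. The Python snippet below is an added illustration in its SQL form; it is not part of the handbook's material, and the users table and the sample names in it are constructed. It places a lookup written the vulnerable way beside the same lookup written with a bound parameter, and an `assess` helper runs one probe input through both so the difference can be observed rather than argued.

```python
import sqlite3

# Constructed sample data for the demonstration (not taken from the handbook).
SAMPLE_USERS = [("alice", "analyst"), ("bob", "dba"), ("carol", "auditor")]


def make_db():
    """Create an in-memory SQLite database holding a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_role_vulnerable(conn, name):
    """'Before' version: the user-supplied name is spliced into the SQL text,
    so quote characters in the input change the meaning of the statement."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_role_hardened(conn, name):
    """'After' version: the name travels as a bound parameter; the database
    treats it purely as data, whatever characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def assess(conn, probe):
    """The assessor's check: run one probe input through both versions and
    report how many rows each returned. A lookup by exact name should never
    return more than one row."""
    return {
        "vulnerable_rows": len(lookup_role_vulnerable(conn, probe)),
        "hardened_rows": len(lookup_role_hardened(conn, probe)),
    }


if __name__ == "__main__":
    db = make_db()
    print(assess(db, "alice"))          # both versions: 1 row
    print(assess(db, "' OR '1'='1"))    # vulnerable: every row; hardened: none
```

The probe string is a classic test input: spliced into the statement it turns the WHERE clause into a tautology, while as a bound parameter it is simply a name nobody has. Rows returned, not error messages, are what the assessor records.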

Application Testing services include:

Mobile Application Security Assessments
Whether mobile apps are for use by customers, employees or business partners, this ensures that the application, supporting backend infrastructure and data flows are secure and compliant.

Application Security Assessments
When application security assessments are conducted, the aim is to validate that the applications are secure by identifying known vulnerabilities, and by providing risk identification, consequences of exploitation and expert guidance and recommendations of what the organization should specifically do to improve the overall security posture of an application.

Web API Testing
Web Services and APIs are typically used as application glue ("middleware") to connect systems and to support business operations. They are high-value targets for attackers, and therefore ideally should be examined thoroughly. Testing application Web Services and APIs requires a strong knowledge of coding techniques and of the packages used in delivering applications and services.

e. Activity: Network Security Assessment

An enterprise's network includes computers and workstations, routers, bridges, modems, etc., as well as the operating, executive, communications, and application software that govern how these components operate. Most components have some built-in automated (technical) security mechanisms. These mechanisms provide protection services for the information that the components process, store, or transmit. These services are usually referred to as technical security controls. The environment that surrounds the network also has protective mechanisms. Security controls within the environment (nontechnical security controls) reinforce the protection afforded by the component. Physical, procedural, and administrative security mechanisms like back-up power, door locks, badge systems, policies, operational procedures, location, trusted users, etc., are all examples of security mechanisms present in the network's environment. Although the component and environment offer security mechanisms to protect information, the protection is not absolute — both can have weaknesses.

Unauthorized individuals use the weaknesses to gain access to critical or sensitive information stored, processed, or transmitted by the network. An authorized user may exploit a weakness to misuse the network. The security mechanisms that protect the network can fail, be improperly configured, or not be implemented at all.

The network security assessment process is used to identify technical and environmental weaknesses in a network. Network security assessment also identifies real and potential threats to the network. Real versus theoretical threats must be effectively addressed, and over-protecting marginally valuable assets at the expense of under-protecting critical assets must be avoided.

The network security assessment identifies errors in the configuration and operation of the network. It assesses the enterprise's capabilities to detect external and internal attacks on the network. Audit reports present the identified threats and vulnerabilities to management with recommendations concerning their seriousness and possible impacts on the enterprise. These recommendations and ways are provided, sometimes at added expense, to either mitigate or remove identified vulnerabilities. Management makes the final judgement on the cost-benefit trade-offs of added security expense against mitigating these risks to the enterprise.

When a company's network infrastructure security is assessed, some of the things assessed include:
• Where devices such as a firewall or IPS are placed on the network and how they are configured
• What hackers see when they perform port scans, and how they can exploit vulnerabilities in the network hosts
• Network design, such as Internet connections, remote access capabilities, layered defences and placement of hosts on the network
• Interaction of installed security devices such as firewalls, IDSs, antivirus and so on
• What protocols are in use
• Commonly attacked ports that are unprotected
• Network host configuration
• Network monitoring and maintenance

If a hacker exploits a vulnerability in one of the items above or anywhere in your network's security, bad things can happen:
• A hacker can use a DoS attack, which can take down your Internet connection -- or even your entire network.
• A malicious employee using a network analyzer can steal confidential information in emails and files being transferred on the network.
• A hacker can set up backdoors into your network.
• A hacker can attack specific hosts by exploiting local vulnerabilities across the network.

Before moving forward with assessing your network infrastructure security, remember to do the following:
• Test your systems from the outside in, the inside out and the inside in (that is, between internal network segments and DMZs).
• Obtain permission from partner networks that are connected to your network to check for vulnerabilities on their ends that can affect your network's security, such as open ports, the lack of a firewall or a misconfigured router.

Tools used for Network Security Assessment

External Penetration Testing Tools: Network Topology Mapper, VisualRoute, Visual Trace Route,
nslookup, NetInspector, SmartWhois, Nmap, Hping3, IDA Pro, Httprint, Netcat, Acunetix Web
Vulnerability Scanner, HP WebInspect, HTTPTunnel.

Internal Network Penetration Testing Tools: Angry IP Scanner, SuperScan, TCPView, GFI LANguard, Winfingerprint, Wireshark, Tcpdump, Power Spy 2013, L0phtCrack, Arpspoof, Cain and Abel, Activity Monitor, Active@ Password Changer, Netcat, SMAC, Metasploit, Nessus, Retina Network Security Scanner.

f. Activity: Wireless/Remote Access Assessment

Wireless Security Assessments meet the security challenges of business-critical wireless technologies. These technologies pose unique threats because their signals propagate outside physical boundaries and are therefore difficult to control. Misconfigurations and weak security protocols allow for unauthorized eavesdropping and easy access. Auditors attempt to detect the wireless networks in place (including any ad-hoc networks identified), determine the locations and ranges of the wireless networks, evaluate the range of the wireless access area, determine network configuration information, and probe points of entry for identifying system information or access parameters.

Assess Wireless Implementation for Vulnerabilities: auditors evaluate the security measures taken to secure the infrastructure, including the SSID, the use and strength of WEP encryption, network segmentation, and access control devices. The testing is executed from the perspective of an authenticated external user connected to the organization's network through remote access technologies such as VPN, SSLVPN, Citrix, etc.

Exploit Vulnerabilities and Access Other Networks: auditors use the previously discovered vulnerabilities to obtain access to other network segments. If the team is successful, they will test different methods to exploit that access. This phase will determine which network segments and systems the wireless network infrastructure can access, the security controls that separate the wireless network from other network segments, and whether the wireless network can be used as a launching point to attack other systems.

(SSID is short for service set identifier. SSID is a case sensitive, 32 alphanumeric character unique
identifier attached to the header of packets sent over a wireless local-area network (WLAN) that
acts as a password when a mobile device tries to connect to the basic service set (BSS) -- a
component of the IEEE 802.11 WLAN architecture. The SSID differentiates one WLAN from
another, so all access points and all devices attempting to connect to a specific WLAN must use
the same SSID to enable effective roaming. As part of the association process, a wireless network
interface card (NIC) must have the same SSID as the access point or it will not be permitted to join
the BSS.)


g. Activity: Database Information Security Audit

A database management system (DBMS) is a complex set of software programs that control the organization, storage and retrieval of data in a database. It also controls the security and integrity of the database.

When auditing the controls of a database, the auditor would check to see that the following controls have been implemented and maintained to ensure database integrity and availability:
o Definition standards
o Data backup and recovery procedures
o Access controls
o Only authorized personnel can update the database
o Controls to handle concurrent access problems such as multiple users trying to update the same record at the same time
o Controls to ensure the accuracy, completeness and consistency of data elements and relationships
o Checkpoints to minimize data loss
o Database re-organizations
o Monitoring database performance
o Capacity planning
o Who can access the database without going through the application?

One of the major audit concerns is what access the DBA has. A DBA basically has access to everything and can do anything (read, write, change, delete). Supervising and monitoring the DBA is of critical importance. Logging the actions of the DBA, with the DBA having neither the ability to de-activate the log nor access to the log, is a prime requirement.

It goes without saying that access control is the number one issue with database management systems. Apart from that, auditors examine disaster recovery and restoration, patch management, change management, incident logging and all the other issues an auditor would usually look for.

There is another issue that auditors need to deal with when auditing a DBMS, and that is to perform some type of data integrity testing. Data integrity testing is a set of substantive tests (NOTE: substantive, not compliance testing) that examines the accuracy, completeness, consistency and authorization of data presently held in a system.


h. Activity: File Integrity Checking

File integrity monitoring is critical for security and compliance. To minimize the risk to sensitive data, detection of unmanaged changes in file servers and storage appliances is necessary. File integrity monitoring tools are deployed to alert personnel to unauthorized modifications of critical system or content files, and for performing file comparisons if the process can be automated.

File integrity monitoring ensures that program and operating system files have not been compromised. Using file integrity monitoring technology is important to verify that malicious code has not been inserted into sensitive system, configuration and/or content files. Knowledge of exactly who modified the file, what the change was, and when and where the change was made is critical in order to prevent possible security and business impact.

There are two common types of data integrity tests:
• Relational
• Referential

Relational integrity tests are performed at the data element and record-based levels. Relational integrity is enforced through data validation routines built into the application or by defining the input condition constraints and data characteristics at the table definition stage in the database; sometimes it is a combination of both.

Referential integrity tests define existence relationships between entities in different tables of a database that need to be maintained by the DBMS. Referential integrity checks involve ensuring that all references to a primary key from another table actually exist in their original table.
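As an added worked example (not from the handbook; the customers and orders tables and their rows are constructed for the demonstration), the Python code below runs both kinds of test against a small SQLite database: a referential test that looks for orders whose customer_id points at no existing customer, and a relational test that validates individual record values. It also shows the "constraint at table definition" route described above by turning SQLite's foreign-key enforcement on and confirming that the same orphan row is then rejected at insert time instead of surfacing in the audit.

```python
import sqlite3

# Constructed sample data: two customers and four orders, two of which carry
# the kinds of defect an auditor's integrity tests are meant to find.
CUSTOMERS = [(1, "Acme Ltd"), (2, "Globex Inc")]
ORDERS = [
    (101, 1, 250.00),   # valid
    (102, 2, 99.50),    # valid
    (103, 7, 40.00),    # referential defect: customer 7 does not exist
    (104, 1, -15.00),   # relational defect: a negative order amount
]

SCHEMA = [
    "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)",
    "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, amount REAL, "
    "FOREIGN KEY (customer_id) REFERENCES customers(id))",
]


def build_db(enforce_foreign_keys=False):
    """Build the sample database. SQLite does not enforce the FOREIGN KEY
    clause unless asked to, which is what lets the orphan row in when
    enforcement is off (the situation a referential test must catch)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_foreign_keys else "OFF"))
    for stmt in SCHEMA:
        conn.execute(stmt)
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def load_orders(conn):
    """Insert the sample orders one by one; return the ids the DBMS rejected."""
    rejected = []
    for row in ORDERS:
        try:
            conn.execute("INSERT INTO orders VALUES (?, ?, ?)", row)
        except sqlite3.IntegrityError:
            rejected.append(row[0])
    return rejected


def referential_integrity_test(conn):
    """Referential test: every orders.customer_id must exist in customers.id.
    A LEFT JOIN with a NULL on the parent side exposes the orphans."""
    rows = conn.execute(
        "SELECT o.id FROM orders o LEFT JOIN customers c ON c.id = o.customer_id "
        "WHERE c.id IS NULL ORDER BY o.id"
    ).fetchall()
    return [r[0] for r in rows]


def relational_integrity_test(conn):
    """Relational test at record level: an order amount must be present and
    positive. This is the check a data validation routine would enforce."""
    rows = conn.execute(
        "SELECT id FROM orders WHERE amount IS NULL OR amount <= 0 ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


def run_data_integrity_tests(enforce_foreign_keys=False):
    """Load the sample and return what the DBMS rejected and what the two
    substantive tests found in the data that was accepted."""
    conn = build_db(enforce_foreign_keys)
    rejected = load_orders(conn)
    return {
        "rejected_on_insert": rejected,
        "orphan_orders": referential_integrity_test(conn),
        "invalid_amounts": relational_integrity_test(conn),
    }


if __name__ == "__main__":
    print("enforcement off:", run_data_integrity_tests(False))
    print("enforcement on: ", run_data_integrity_tests(True))
```

With enforcement off, the orphan order 103 is accepted and only the referential test finds it; with enforcement on, the DBMS rejects it at insert and the test comes back clean. The negative amount in order 104 is caught either way only by the relational test, because nothing in the table definition constrains it; a CHECK constraint on the column would move that check to definition time as well.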

Tools provide protection of critical data by providing the following file integrity details:
• file size
• when it was created
• when the change was made
• what exactly was changed
• who made the change
• where the change was made
• previous and current values for the change
• its attributes (e.g., read-only, hidden, system, etc.)

Be aware of all changes, protect sensitive data, significantly reduce audit preparation time and maintain compliance with the regulations requiring file integrity monitoring.

It is very difficult to compromise a system without altering a system file, so file integrity checkers are an important capability in intrusion detection. A file integrity checker computes a checksum for every guarded file and stores this. At a later time you can compute a checksum again and test the current value against the stored value to determine if the file has been modified. A file integrity checker is a capability that you should expect to receive with any commercial host-based intrusion detection system.

The primary checksum that was used for this was a 32-bit CRC (Cyclic Redundancy Check). Attackers have demonstrated the ability to modify a file in ways the CRC checksum could not detect, so stronger checksums known as cryptographic hashes are recommended. Examples of cryptographic hashes include MD5 and Snefru.

Auditors check the file integrity monitoring reports and logs to evaluate effectiveness and use.

i. Log Management Information Security Audit

Organizations often spend a great deal of money on Log Management and Security Information and Event Management (SIEM). While there are any number of compliance regulations and auditors follow various standards, there are a few common core elements to success:
• log all relevant events
• define the scope of coverage
• define what events constitute a threat
• detail what should be done about them and in what time frame
• document when they occurred and what was done
• document where both the events and follow-up records can be found
• document how long events and tickets are kept

By defining which events are of interest and what should be done about them, log analysis not only aids in compliance, but becomes proactive. Log analysis used in this manner can be used to detect emerging threats and trends, and even to tune and improve overall security. It is easy to become overwhelmed by the millions of events generated by firewalls, authentication logs, intrusion logs, and other logs ad nauseam; however, certain anomalous behavioural patterns and repeat events are common and relatively easy to detect signs of malware.

Log management (LM) comprises an approach to dealing with large volumes of computer-generated log messages (also known as audit records, audit trails, event-logs, etc.).
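Returning to the file integrity checker described under h. above: the Python program below is an added example of the baseline-then-recheck idea, not code from the handbook. It records the integrity details from the list that can be derived from the file itself (size, attributes as mode bits, modification time and a digest), using SHA-256 rather than a CRC or MD5 because neither of those resists deliberate tampering; who made a change and the previous values are not recoverable from the file alone and would have to come from audit logs or a stored copy. The directory layout and file contents in `demo()` are constructed for the run.

```python
import hashlib
import json
import os
import stat
import tempfile

CHUNK = 65536


def fingerprint(path):
    """Integrity details for one file: size, mode bits, mtime and a SHA-256 digest."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return {
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "mtime": int(st.st_mtime),
        "sha256": digest.hexdigest(),
    }


def build_baseline(root):
    """Fingerprint every file under root, keyed by a '/'-separated relative path."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = fingerprint(full)
    return baseline


def serialize_baseline(baseline):
    """The stored baseline is itself a target; keep it on read-only media or on
    another host. JSON with sorted keys gives a stable, diffable record."""
    return json.dumps(baseline, sort_keys=True, indent=1)


def compare(baseline, current):
    """Classify guarded files as added, removed, modified (with the fields that
    differ) or unchanged. mtime is recorded but never decides 'modified' on
    its own: a touch without a content change is not evidence of tampering."""
    report = {"added": [], "removed": [], "modified": {}, "unchanged": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            diff = [k for k in ("size", "mode", "sha256")
                    if baseline[rel][k] != current[rel][k]]
            if diff:
                report["modified"][rel] = diff
            else:
                report["unchanged"].append(rel)
    return report


def demo():
    """Baseline a constructed directory, simulate three unauthorized changes,
    then recheck against the stored (serialized) baseline."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "sshd_config"), "w") as f:
            f.write("MaxAuthTries 3\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(etc, "motd"), "w") as f:
            f.write("Authorized use only\n")
        stored = serialize_baseline(build_baseline(root))  # what would go off-host

        # Simulated changes: a same-length edit (size alone would miss it),
        # a new file, and a deleted file.
        with open(os.path.join(etc, "sshd_config"), "w") as f:
            f.write("MaxAuthTries 9\n")
        with open(os.path.join(etc, "unexpected.conf"), "w") as f:
            f.write("x\n")
        os.remove(os.path.join(etc, "hosts"))

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The edited file keeps its size, so only the digest reveals the change; that is the case a CRC-only checker historically got wrong and the reason the text recommends cryptographic hashes. In a real deployment the baseline is rebuilt only after an authorized change has been verified, and the comparison runs on a schedule or from the host-based IDS.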

LM covers:
• log collection
• centralized aggregation
• long-term retention
• log rotation
• log analysis (in real-time and in bulk after storage)
• log search and reporting

Concerns about security, system and network operations (such as system or network administration) and regulatory compliance drive log management.

Effectively analysing large volumes of diverse logs can pose many challenges — such as:
• huge log-volumes (reaching hundreds of gigabytes of data per day for a large organization)
• log-format diversity
• undocumented proprietary log-formats (that resist analysis)
• the presence of false log records in some types of logs (such as intrusion-detection logs)

Logs can contain a wide variety of information on the events occurring within systems and networks. Security software logs primarily contain computer security-related information. Operating system logs and application logs typically contain a variety of information, including computer security-related data.

Under different sets of circumstances, many logs created within an organization could have some relevance to computer security. For example, logs from network devices such as switches and wireless access points, and from programs such as network monitoring software, might record data that could be of use in computer security or other information technology (IT) initiatives, such as operations and audits, as well as in demonstrating compliance with regulations.

Log management infrastructures, which are typically based on either syslog-based centralized logging software or security information and event management software, usually use a three-tiered design.
• The first tier encompasses the hosts that generate the original log data.
• The second tier includes centralized log servers, which perform consolidation and data storage.
• The third tier contains consoles that are used to monitor and review log data, and optionally may also be used to manage the log servers and clients.

Communications between the tiers usually occur over the organization's regular networks, but may be routed over a separate logging network instead. Organizations may also have log-generating hosts that cannot actively participate in the log management infrastructure, such as computers that are not network connected, legacy systems, and appliance-based devices; administrators can either transfer data manually to the infrastructure from these hosts through removable media, or manage and analyse the data locally.

Syslog

In a syslog-based centralized logging infrastructure, each log generator uses the same standard log format and forwards its log entries to a centralized log server. Because syslog is a simple standard protocol, it can be used by many OSs, security software programs, and applications. The original syslog standard does not offer much granularity in handling different types of events. Also, because it has few data fields, it can be very difficult to extract the meaning of the data logged for each event when multiple log sources are generating events. Syslog was developed when log security was not a major concern; the original syslog standard offers no features for preserving the confidentiality, integrity, and availability of logs.

To improve the security of syslog deployments, a new proposed standard has been created that offers stronger security capabilities, and various syslog implementations have added features such as reliable log delivery; transmission encryption, integrity protection, and authentication; robust filtering; automated event responses; log file encryption; and event rate limiting. Organizations using syslog should consider using secure syslog implementations, paying particular attention to interoperability because many syslog clients and servers offer features not specified in current standards.

SIEM
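To make the syslog limitations and the "repeat events" idea concrete before turning to SIEM, the following Python code is an added example (not from the handbook). It parses BSD-style syslog lines into the few fields the format carries (the priority split into facility and severity, timestamp, host, tag, pid and a free-text message) and then applies one threshold rule, five failed logins from one source to one host within sixty seconds, of the kind that "defining what events constitute a threat" produces. The log lines, host names and addresses are constructed for the demonstration; the threshold and window are arbitrary tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of BSD-syslog (RFC 3164 style) lines. Hosts and
# addresses are illustrative; the addresses come from documentation ranges.
SAMPLE_SYSLOG = """\
<38>Mar  9 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
<38>Mar  9 10:15:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51024 ssh2
<38>Mar  9 10:15:04 web01 sshd[2213]: Failed password for root from 203.0.113.5 port 51030 ssh2
<38>Mar  9 10:15:06 web01 sshd[2214]: Failed password for root from 203.0.113.5 port 51031 ssh2
<38>Mar  9 10:15:09 web01 sshd[2215]: Failed password for root from 203.0.113.5 port 51033 ssh2
<38>Mar  9 10:15:12 web01 sshd[2216]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
<86>Mar  9 10:16:40 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
<30>Mar  9 10:17:02 db01 cron[911]: (root) CMD (run-parts /etc/cron.hourly)
"""

# The whole structure syslog gives us: <PRI>TIMESTAMP HOST TAG[PID]: MSG.
# Everything of interest (user, source address, outcome) is inside MSG.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
# Message-level pattern for OpenSSH failed logins (one log source, one format).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_syslog_line(line):
    """Split one line into syslog's fields; return None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,           # e.g. 4 = auth, 10 = authpriv, 3 = daemon
        "severity": pri & 7,            # 0 = emergency ... 7 = debug
        "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),  # year absent
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg").strip(),
    }


def parse_syslog(text):
    return [ev for ev in (parse_syslog_line(l) for l in text.splitlines()) if ev]


def detect_repeated_auth_failures(events, threshold=5, window_s=60):
    """Flag each (host, source) pair with at least `threshold` failed logins
    inside any `window_s`-second span; one alert per pair with the span seen."""
    by_pair = defaultdict(list)
    for ev in events:
        m = FAILED_RE.search(ev["msg"])
        if m:
            by_pair[(ev["host"], m.group("src"))].append(ev["time"])
    alerts = []
    for (host, src), times in sorted(by_pair.items()):
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "host": host, "source": src, "count": end - start + 1,
                    "first": times[start].strftime("%b %d %H:%M:%S"),
                    "last": times[end].strftime("%b %d %H:%M:%S"),
                })
                break
    return alerts


if __name__ == "__main__":
    events = parse_syslog(SAMPLE_SYSLOG)
    for a in detect_repeated_auth_failures(events):
        print("ALERT", a)
```

Two of the text's points show up directly in the code: the year is missing from the timestamp, so the parser cannot place events in calendar time on its own, and the meaningful fields have to be extracted from the free-text message with a pattern specific to one program. A SIEM agent's normalization step is doing exactly that work, per log source, before correlation.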

Unlike syslog-based infrastructures, which are based on a single standard, security information and event management (SIEM) software primarily uses proprietary data formats. SIEM products have centralized servers that perform log analysis and database servers for log storage. Most SIEM products require agents to be installed on each log generating host; the agents perform filtering, aggregation, and normalization for a particular type of log. The agents are also responsible for transferring log data from the individual hosts to a centralized SIEM server on a real-time or near-real-time basis. Other SIEM products are agentless and rely on an SIEM server to pull data from the logging hosts and perform the functions that agents normally perform.

SIEM products usually support several dozen types of log sources, including generic formats such as syslog. Because the SIEM products typically understand the meaning of each logged field for specific log source formats, an SIEM-based log management infrastructure is usually superior to a syslog-based infrastructure in performing normalization, analysis, and correlation of log data from multiple log sources.

SIEM products can analyse data from many sources, identify significant events, and initiate automated responses if desired. SIEM products may also include analysis GUIs, security knowledge bases, incident tracking and reporting capabilities, and asset information storage and correlation capabilities. SIEM products also usually offer capabilities to protect the confidentiality, integrity, and availability of log data.

Although SIEM software typically offers more robust and broad log management capabilities than syslog, SIEM software is usually much more complicated and expensive to deploy than a centralized syslog implementation. Also, SIEM software is often more resource-intensive for individual hosts than syslog because of the processing that agents perform.

In addition to syslog and SIEM software, there are several other types of software that may be helpful for log management. Host-based intr usion detection systems (IDS) monitor the characteristics of a host and the events occurring within it, which might include OS, security software, and application logs. Host-based IDS products are often part of a log management infrastructure, but they cannot take the place of syslog and SIEM software. Other utilities that are helpful for log management include visualization tools, log rotation utilities, and log conversion utilities.

Auditors check for these logs and their management as part of the Information Security Audit. A security analyst may be directly involved in log monitoring and in following established log management processes, and therefore can be interviewed directly about this.

j. Telephony Security Assessment

VoIP and Telephony assessment is a significant concern, ever more so in light of recent developments with the convergence of voice, data, and video. The robustness of the telephony system in isolation is a significant concern; there are a range of threats to the confidentiality, availability and integrity of the telephony system, and testing evaluates all of these. VoIP and Telephony Assessment Testing typically includes reviewing handsets, soft-phones, the telephony servers and a range of network layer activities to fully understand whether the telephony system can be considered secure and reliable.

The need to segregate voice services from the traditional corporate network is well publicised and this is the second area of attention. The method of segregation (commonly VLANs) will be subject to review, as will any servers that bridge both data and voice networks, to ensure that they are capable of maintaining the required level of segregation.

The type of testing conducted will be dictated by the nature of the solution, and in addition to telephony-specific skills, tests may include elements of wireless testing, infrastructure penetration testing, application testing, build reviews, remote access testing and more. The mission-critical nature of voice services and the challenges of the multipartite ownership of voice services cannot be undermined or ignored. Auditors test these services and related infrastructure to establish government and industry regulatory compliance requirements; discover telephony network vulnerabilities and risks to business systems; validate the effectiveness of current security safeguards; and identify remediation steps to help prevent network compromise.

k. Data Leakage Information Security Audit

Data leakage audits are conducted to establish the loss of data from various parts of the organisation. Auditors usually examine outbound e-mail, FTP and Web communications. They explore leaks of general financial information, corporate plans and strategies, employee and other personally identifiable information, intellectual property and proprietary processes. Usually auditors may place taps between the corporate LAN and the firewall and between the external e-mail gateway and the firewall. They would also use software on servers to monitor unencrypted traffic. Then they analyse the traffic with respect to company policy.

l. Social Engineering

Social engineering is an attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks. It is used to test the human element and user awareness of security, and can reveal weaknesses in user behaviour—such as failing to follow standard procedures. Social engineering can be performed through many means, including analog (e.g., conversations conducted in person or over the telephone) and digital (e.g., e-mail, instant messaging). One form of digital social engineering is known as phishing, where attackers attempt to steal information such as credit card numbers, Social Security numbers, user IDs, and passwords. Phishing uses authentic-looking emails to request information or direct users to a bogus Web site to collect information. Other examples of digital social engineering include crafting fraudulent e-mails and sending attachments that could mimic worm activity.

Social engineering may be used to target specific high-value individuals or groups in the organization, such as executives, or may have a broad target set. Specific targets may be identified when the organization knows of an existing threat or feels that the loss of information from a person or specific group of persons could have a significant impact. For example, phishing attacks can be targeted based on publicly available information about specific individuals (e.g., titles, areas of interest). Individual targeting can lead to embarrassment for those individuals if testers successfully elicit information or gain access. It is important that the results of social engineering testing are used to improve the security of the organization and not to single out individuals. Testers should produce a detailed final report that identifies both successful and unsuccessful tactics used. This level of detail will help organizations to tailor their security awareness training programs.

Post-Attack Phase and Activities

The reporting phase occurs simultaneously with the other three phases of the penetration test. In the planning phase, the assessment plan—or ROE—is developed. In the discovery and attack phases, written logs are usually kept and periodic reports are made to system administrators and/or management. At the conclusion of the test, a report is generally developed to describe identified vulnerabilities, present a risk rating, and give guidance on how to mitigate the discovered weaknesses.

UNIT VI
Information Security Audit
Tasks

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Trainer’s Resource Material
6.1. Pre-audit tasks
6.2. Information gathering
6.3. External Security Audit
6.4. Internal Network Security Auditing
6.5. Firewall Security Auditing
6.6. IDS Security Auditing
6.7. Social Engineering Audit


LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
Ensuring Measures: Peer group, Faculty group and Industry experts.
Duration (Hrs): 2 hr in class presentations
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Projection facilities

Performance Outcomes:
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
   • networks
   • communication
   • application security
Ensuring Measures: KA4, KA5. Peer group, Faculty group and Industry experts. KB1 - KB4: Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline Research and Learning activity.
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Center for Internet Security

Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.

Activity 2:

Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.


Training Resource Material

A security analyst may contribute to activities during the audit process, which include the following tasks.

6.1 Pre-audit tasks


During this phase, the auditors determine the main area/s of focus for the audit and any areas that are explicitly out-of-scope, based normally on an initial risk-based assessment plus discussion with those who commissioned the audit. Information sources include general research on the industry and the organization, previous and perhaps other audit reports, and documents such as the Statement of Applicability, Risk Treatment Plan and Security Policy.

The auditors should ensure that the scope 'makes sense' in relation to the organization. The audit scope should normally match the scope of the Information Security Management System (ISMS) being certified. For example, large organizations with multiple divisions or business units may have separate ISMSs, an all-encompassing enterprise-wide ISMS, or some combination of local and centralized ISMS. If the ISMS certification is for the entire organization, the auditors may need to review the ISMS in operation at all or at least a representative sample of business locations, such as the headquarters and a selection of discrete business units chosen by the auditors.

The auditors should pay particular attention to information security risks and controls associated with information conduits to other entities (organizations, business units etc.) that fall outside the scope of the ISMS, for example checking the adequacy of information security-related clauses in Service Level Agreements or contracts with IT service suppliers. This process should be easier where the out-of-scope entities have been certified compliant with ISO/IEC 27001.

The primary output of this phase is an agreed ISMS audit scope, charter, engagement letter or similar. Contact lists and other preliminary documents are also obtained and the audit files are opened to contain documentation (audit working papers, evidence, reports etc.) arising from the audit.

The pre-audit questionnaire is used to assist the audit manager in gathering pertinent information prior to the on-site visit. Information gathered from the pre-audit questionnaire is used to formulate additional questions to be answered during the on-site visit and to assist in determining policy compliance. Additionally, the pre-audit questionnaire is used as a tool by audit managers to prepare information sheets for local auditors, outlining/summarizing the CSAs audit program and procedures.
assist the audit manager in gathering

608
Trainer’s Handbook – SSC/ Q0904/0905 – Security Analyst

During the pre-audit survey, the ISMS auditors identify and ideally make contact with the
main stakeholders in the ISMS such as the ISM manager/s, security architects, ISMS
developers, ISMS implementers and other influential figures such as the CIO and CEO, taking
the opportunity to request pertinent documentation etc. that will be reviewed during the
audit. The organization normally nominates one or more audit "escorts", individuals who are
responsible for ensuring that the auditors can move freely about the organization and rapidly
find the people, information etc. necessary to conduct their work, and act as management
liaison points.

6.2 Information Gathering


Information gathering is essentially using the Internet to find all the information you can about
the target (company and/or person) using both technical (DNS/WHOIS) and non-technical
(search engines, news groups, mailing lists etc.) methods.

a. What Is Information Gathering?

Information gathering does not require that the assessor establishes contact with the target system. Information is collected (mainly) from public sources on the Internet and from organizations that hold public information (e.g. tax agencies, libraries, etc.). The information gathering section of the penetration test is important for the penetration tester. Assessments are generally limited in time and resources.

Therefore, it is critical to identify the points that are most likely to be vulnerable, and to focus on them. Even the best tools are useless if not used appropriately and in the right place and time. That is why experienced testers invest a significant amount of time in information gathering.

Information gathering is a necessary step of a penetration test. This task can be carried out in many different ways. By using public tools (search engines), scanners, sending simple HTTP requests, or specially crafted requests, it is possible to force the application to leak information, e.g., disclosing error messages or revealing the versions and technologies used. It includes the following steps:

1. Spiders, Robots and Crawlers: This phase of the information gathering process consists of browsing and capturing resources related to the application being tested.

2. Search Engine Discovery/Reconnaissance: Search engines, such as Google, can be used to discover issues related to the web application structure or error pages produced by the application that have been publicly exposed.

3. Identify application entry points: Enumerating the application and its attack surface is a key precursor before any attack should commence. This section will help you identify and map out every area within the application that should be investigated once your enumeration and mapping phase has been completed.

4. Testing Web Application Fingerprint: Application fingerprinting is the first step of the information gathering process; knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during testing.

5. Application Discovery: Application discovery is an activity oriented to the identification of the web applications hosted on a web server/application server. This analysis is important because often there is no direct link connecting to the main application backend. Discovery analysis can be useful to reveal details such as web applications used for administrative purposes. In addition, it can reveal old versions of files or artefacts such as undeleted, obsolete scripts, crafted during the test/development phase or as the result of maintenance.

6. Analysis of Error Codes: During a penetration test, web applications may divulge information that is not intended to be seen by an end user. Information such as error codes can inform the tester about technologies and products being used by the application. In many cases, error codes can be easily invoked without the need for specialist skills or tools, due to bad exception handling design and coding. Clearly, focusing only on the web application will not be an exhaustive test. It cannot be as comprehensive as the information possibly gathered by performing a broader infrastructure analysis.

b. Information Gathering Methodology

Phase One

Network survey: A network survey is like an introduction to the system that is tested. By doing it, you will have a "network map", from which you will find the number of reachable systems to be tested without exceeding the legal limits of what you may test. Usually more hosts are detected during the testing, so they should be properly added to the "network map". The results that the tester might get from network surveying are:

• Domain names
• Server names
• IP addresses
• Network map
• ISP / ASP information
• System and service owners

Network surveying can be done using TTL modulation (traceroute) and record route (e.g. ping -R), although classical 'sniffing' is sometimes as effective a method.

Phase Two

OS Identification (sometimes referred to as TCP/IP stack fingerprinting): The determination of a remote OS type by comparison of variations in OS TCP/IP stack implementation behaviour. In other words, it is active probing of a system for responses that can distinguish its operating system and version level. The results are:

• OS type
• System type
• Internal system network addressing

Phase Three

Port scanning: Port scanning is the invasive probing of system ports on the transport and network level. Included here is also the validation of system reception to tunnelled, encapsulated, or routing protocols. Testing for different protocols will depend on the system type and the services it offers. However, it is not always necessary to test every port for every system. This is left to the discretion of the test team. Port numbers that are important for testing according to the service are listed with the task. Additional port numbers for scanning should be taken from the Consensus Intrusion Database Project Site. The results that the tester might get from port scanning are:

• List of all open, closed or filtered ports
• IP addresses of live systems
• Internal system network addressing
• List of discovered tunnelled and encapsulated protocols
• List of discovered routing protocols supported

Methods include SYN and FIN scanning, and variations thereof, e.g. fragmentation scanning.

Phase Four

Services identification: This is the active examination of the application listening behind the service. In certain cases more than one application exists behind a service, where one application is the listener and the others are considered components of the listening application. The results of service identification are:

• Service types
• Service application type and patch level
• Network map

The methods in service identification are the same as in port scanning. There are two ways in which one can perform information gathering:

1. The first method is to perform information gathering techniques with a 'one to one' or 'one to many' model; i.e. a tester performs techniques in a linear way against either one target host or a logical grouping of target hosts (e.g. a subnet). This method is used to achieve immediacy of the result; it is often optimized for speed and often executed in parallel.

2. The other method is to perform information gathering using a 'many to one' or 'many to many' model. The tester utilizes multiple hosts to execute information gathering techniques in a random, rate-limited and non-linear way. This method is used to achieve stealth (distributed information gathering).
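Items 4 and 6 above (web application fingerprinting and analysis of error codes) come down to reading what a server volunteers in its headers and error pages. The following is an added example, not code from the handbook: a small passive fingerprinter with an illustrative signature set. Both sample responses are constructed for the demonstration and were not captured from any real host.

```python
"""Passive web-server fingerprinting from captured HTTP responses.

Added example for this section (not from the handbook). The signatures are a
small illustrative set and the two sample responses are constructed; nothing
here was captured from a real host.
"""
import re

HEADER_SIGNATURES = {
    "server": [
        (re.compile(r"\bApache(?:/([\d.]+))?(?=\s|$)"), "Apache httpd"),
        (re.compile(r"\bnginx(?:/([\d.]+))?"), "nginx"),
        (re.compile(r"Microsoft-IIS(?:/([\d.]+))?"), "Microsoft IIS"),
    ],
    "x-powered-by": [
        (re.compile(r"\bPHP(?:/([\d.]+))?"), "PHP"),
        (re.compile(r"ASP\.NET"), "ASP.NET"),
        (re.compile(r"\bExpress\b"), "Express (Node.js)"),
    ],
}
COOKIE_SIGNATURES = {
    "PHPSESSID": "PHP session",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET session",
}
ERROR_PAGE_SIGNATURES = [
    (re.compile(r"Apache Tomcat/([\d.]+)"), "Apache Tomcat"),
    (re.compile(r"java\.lang\.\w+Exception"), "Java exception trace"),
    (re.compile(r"Fatal error:.*on line \d+"), "PHP fatal error (verbose errors on)"),
    (re.compile(r"<title>IIS \d+\.\d+ Detailed Error"), "IIS detailed error page"),
]


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers, body).

    Header names are lower-cased; repeated headers (e.g. Set-Cookie) are kept
    as a list in order of appearance.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def _finding(match, label):
    """Render 'label version' when the signature captured a version number."""
    version = match.group(1) if match.re.groups and match.group(1) else ""
    return f"{label} {version}".strip()


def fingerprint(raw):
    """Return the sorted list of technologies/versions one response gives away."""
    status, headers, body = parse_response(raw)
    findings = set()
    for hname, sigs in HEADER_SIGNATURES.items():
        for value in headers.get(hname, []):
            for rx, label in sigs:
                m = rx.search(value)
                if m:
                    findings.add(_finding(m, label))
    for cookie in headers.get("set-cookie", []):      # session cookie names name the platform
        name = cookie.split("=", 1)[0].strip()
        if name in COOKIE_SIGNATURES:
            findings.add(COOKIE_SIGNATURES[name])
    for rx, label in ERROR_PAGE_SIGNATURES:           # verbose error pages leak the stack
        m = rx.search(body)
        if m:
            findings.add(_finding(m, label))
    parts = status.split()
    if len(parts) > 1 and parts[1].startswith("5"):
        findings.add("server error disclosed: " + status)
    return sorted(findings)


# Constructed sample responses (not real captures).
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.49 (Unix)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)
SAMPLE_ERR = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><h3>Apache Tomcat/8.5.50 - Error report</h3>"
    "<p>java.lang.NullPointerException at com.example.Shop.checkout</p></html>"
)
```

The error-page signatures are the ones that matter most in an audit: a 500 page that names the container and prints a stack trace is a finding on its own, independent of any later exploitation.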
c. Information gathering steps

1. Crawl the website and mirror the pages on your PC
2. Crawl the FTP site and mirror the pages on your PC
3. Look up registered information in the WHOIS database
4. List the products sold by the company
5. List the contact information, email addresses, and telephone numbers
6. List the company's distributors
7. List the company's partners
8. Search the internet, newsgroups, bulletin boards and negative websites for information about the company
9. Search for trade association directories
10. Search for link popularity of the company website
11. Compare the price of the product or service with the competition
12. Find the geographical location
13. Search the internet archive pages about the company
14. Search similar or parallel domain name listings
15. Search job posting sites about the company
16. Browse social network websites
17. Write down key employees
18. Investigate key personnel: search in Google, look up their resumes and cross-reference information
19. List employees' company and personal email addresses
20. Search for web pages posting patterns and revision numbers
21. Email an employee disguised as a customer asking for a quotation
22. Visit the company as an inquirer and extract privileged information
23. Visit the company locality
24. Use web investigation tools to extract sensitive data targeting the company
25. Conduct background checks on key company personnel
26. Search on eBay and other sites for company presence
27. Use the Domain Research Tool to investigate the company's domain
28. Use various public databases to research company information
29. Use Google/Yahoo! Finance and other sites to search for press releases issued by the company
30. Search company business reports and profiles at various databases
31. Search for telephone numbers using directories and other services
32. Retrieve the DNS records of the organisation from publicly available servers
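Steps 1, 5, 14 and 19 above can be partly automated once a site has been mirrored. The following added example (not from the handbook) parses one mirrored HTML page with the standard library and pulls out e-mail addresses, in-scope sub-domains and third-party hosts; the page, the target domain example.com and every host in it are constructed for the demonstration.

```python
"""Harvest contacts and host names from a mirrored web page (OSINT).

Added example for the information-gathering checklist (not from the
handbook). The page, the target domain and every host in it are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EMAIL_RX = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class LinkCollector(HTMLParser):
    """Collect href/src targets and visible text from one HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)

    def handle_data(self, data):
        self.text.append(data)


def harvest(html, target_domain):
    """Return e-mails, in-scope sub-domains and third-party hosts seen on a page."""
    parser = LinkCollector()
    parser.feed(html)
    target_domain = target_domain.lower()
    emails = set()
    for addr in EMAIL_RX.findall(" ".join(parser.text + parser.links)):
        emails.add(addr.lower())
    for link in parser.links:                      # mailto: links carry addresses too
        if link.lower().startswith("mailto:"):
            emails.add(link[7:].split("?", 1)[0].lower())
    subdomains, third_party = set(), set()
    for link in parser.links:
        host = urlparse(link).hostname             # None for relative or mailto: links
        if not host:
            continue
        host = host.lower()
        if host.endswith("." + target_domain):
            subdomains.add(host)
        elif host != target_domain:
            third_party.add(host)
    for addr in emails:                            # mail domains reveal hosts as well
        domain = addr.rsplit("@", 1)[1]
        if domain.endswith("." + target_domain):
            subdomains.add(domain)
    return {
        "emails": sorted(emails),
        "subdomains": sorted(subdomains),
        "third_party": sorted(third_party),
    }


# Constructed sample page (not mirrored from any real site).
SAMPLE_PAGE = """<html><head><title>Example Corp - Contact</title>
<script src="https://cdn.example.net/lib/app.js"></script></head>
<body>
<p>Sales: <a href="mailto:sales@example.com?subject=Quote">sales@example.com</a></p>
<p>Careers: jobs@careers.example.com</p>
<a href="https://intranet.example.com/login">Staff login</a>
<a href="http://vpn.example.com">VPN</a>
<a href="/about.html">About</a>
<a href="https://www.linkedin.com/company/example">LinkedIn</a>
<img src="https://static.example.com/logo.png">
</body></html>"""
```

Run the same function over every file of the mirror and merge the sets; the sub-domain list feeds the "guess different sub-domain names" step of the external audit, and the third-party hosts show which suppliers and CDNs are in the trust chain.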

6.3 External Security Audit


External Intrusion Audit and Analysis

An External Intrusion Audit and Analysis identifies strengths and weaknesses of a client system and network as they appear from outside the client's security perimeter, usually from the Internet.

Why Is It Done?

This is done to demonstrate the existence of known vulnerabilities in the client system and network that could be exploited by an external attacker.

Client Benefits

The client benefits by anticipating external attacks that might cause security breaches, and by proactively reducing risks to information, systems and networks. It also improves the security of the client's networked resources. This provides improved e-commerce and e-business operations, with increased confidence in their ability to protect data, information and resources.

External Security Auditing – How is it done?

• Gather externally accessible configuration information
• Scan client external network gateways to identify services and topology
• Scan client Internet servers for ports and services vulnerable to attack
• Attempt intrusion of vulnerable internal systems

Steps for Conducting External Security Auditing

• Inventory the company's external infrastructure and create a topological map of the network
• Identify the IP addresses of the targets

• Locate the traffic route that goes to the web servers
• Locate the TCP and UDP traffic path to the destination
• Identify the physical location of the target servers
• Examine the use of IPv6 at the remote location
• Look up the domain registry for IP information; find IP block information about the target
• Locate the ISP servicing the client
• List open and closed ports
• List suspicious ports that are half-open/half-closed
• Port scan every port on the target's network
• Use SYN scan and connect scan on the target and see the response
• Use XMAS scan, FIN scan and NULL scan on the target and see the response
• Firewalk on the router's gateway and guess the access-list
• Examine TCP sequence number prediction
• Examine the use of standard and non-standard protocols
• Examine IPID sequence number prediction
• Examine the system uptime of the target
• Examine the operating system used for different targets
• Examine the patches applied to the operating system
• Locate DNS records of the domain and attempt DNS hijacking
• Download applications from the company's website and reverse engineer the binary code
• Identify the programming languages and application software used to create the programs served from the target
• Look for error and custom web pages
• Guess different sub-domain names and analyse the different responses
• Examine the session variables
• Examine cookies generated by the server
• Examine the access controls used in the web applications
• Brute force URL injections and session tokens
• Check for directory consistency and page naming syntax of the web pages
• Look for sensitive information in web page source code
• Attempt URL encodings on the web pages
• Try buffer overflow attempts at input fields
• Try Cross Site Scripting (XSS) techniques
• Record and replay the traffic to the target web server and note the response
• Try various SQL injection techniques
• Examine hidden fields
• Examine e-commerce and payment gateways handled by the web server
• Examine welcome messages, error messages, and debug messages
• Probe the service by SMTP mail bouncing
• Grab the banner of HTTP servers, SMTP servers, POP3 servers, FTP servers
• Identify the web extensions used at the server
• Try to use an HTTPS tunnel to encapsulate traffic
• OS fingerprint target servers
• Check which ICMP probes the target answers: echo request (type 8), timestamp request (type 13), information request (type 15) and address mask request (type 17), and whether closed UDP ports return destination unreachable / port unreachable (type 3, code 3)
• Check for ICMP responses from the broadcast address
• Port scan DNS servers (TCP/UDP 53)
• Port scan TFTP servers (UDP 69)
• Test for NTP ports (UDP 123)
• Test for SNMP ports (UDP 161)
• Test for Telnet ports (Port 23)
• Test for LDAP ports (Port 389)
• Test for NetBIOS/SMB ports (Ports 135-139, 445)
• Test for SQL Server ports (Port 1433, 1434)
• Test for Citrix ICA ports (Port 1494)
• Test for Oracle ports (Port 1521)
• Test for NFS ports (Port 2049)
• Port scan SSH servers (Port 22)
• Test for Compaq/HP Insight Manager ports (Port 2301, 2381)
• Test for Remote Desktop ports (Port 3389)
• Test for Sybase ports (Port 5000)
• Test for SIP ports (Port 5060)
• Test for VNC ports (Port 5900/5800)
• Test for X11 ports (Port 6000)
• Test for JetDirect ports (Port 9100)
• Port scan FTP data (Port 20)
• Port scan web servers (Port 80)
• Port scan SSL servers (Port 443)
• Port scan Kerberos/Active Directory (Port TCP/UDP 88)
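"List open and closed ports" and "Grab the banner of HTTP servers, SMTP servers, POP3 servers, FTP servers" above (and Phases Three and Four of the information-gathering methodology in 6.2) are the same mechanical step: connect, classify the result, and read whatever the listener says. The following is an added example, not handbook code. To run offline it starts two throw-away services on 127.0.0.1 whose banners are made up; scan_ports() itself is generic. Against real targets a SYN scan (for example nmap -sS) is quieter than a full connect, and every probe must stay inside the agreed scope.

```python
"""TCP connect scan with banner grabbing, run against local fake services.

Added example (not from the handbook). Two throw-away listeners on 127.0.0.1
with made-up banners let it run offline; scan_ports() itself is generic.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def _serve_one(srv, banner, client_speaks_first):
    """Accept a single client, send the banner (after a request if needed)."""
    conn, _ = srv.accept()
    with conn:
        if client_speaks_first:               # HTTP-style: wait for a request line
            conn.settimeout(3)
            try:
                conn.recv(1024)
            except socket.timeout:
                pass
        conn.sendall(banner)
    srv.close()


def start_fake_service(banner, client_speaks_first=False):
    """Listen on an ephemeral localhost port, serve one client, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_serve_one, args=(srv, banner, client_speaks_first),
                     daemon=True).start()
    return srv.getsockname()[1]


def probe(host, port, timeout=1.0):
    """Return (port, state, banner); state is open / closed (RST) / filtered (no reply).

    Server-speaks-first services (SSH, SMTP, FTP) send their banner at once;
    for the rest a minimal HTTP request is sent to provoke a response.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return port, "closed", ""
    except (socket.timeout, OSError):
        s.close()
        return port, "filtered", ""
    with s:
        s.settimeout(0.5)
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""
        if not data:
            s.settimeout(timeout)
            try:
                s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                data = s.recv(256)
            except (socket.timeout, OSError):
                data = b""
    return port, "open", data.decode("latin-1").strip()


def scan_ports(host, ports, workers=16):
    """Connect-scan `ports` in parallel; return {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {p: (state, banner)
                for p, state, banner in pool.map(lambda p: probe(host, p), ports)}


def unused_local_port():
    """Bind and release an ephemeral port so the scan sees a closed one."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    http = start_fake_service(b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.49\r\n\r\n", True)
    ssh = start_fake_service(b"SSH-2.0-OpenSSH_8.2\r\n")
    results = scan_ports("127.0.0.1", [http, ssh, unused_local_port()])
    for port, (state, banner) in sorted(results.items()):
        print(f"{port:5d} {state:8s} {banner!r}")
```

The three states map onto what the list above asks for: "closed" means a RST came back (the host is alive, nothing listens), "filtered" means nothing came back inside the timeout (a firewall in the path is the usual cause), and "open" carries the banner that feeds the fingerprinting step.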

6.4 Internal Network Security Auditing


Internal testing involves testing computers and devices within the company. It is more like white-box testing. What if an employee of the company penetrates the network with the IT knowledge he has? What if a hacker breaks in to the internal network that houses employees' PCs and databases and steals sensitive information? What if a casual visitor walks into the company and steals data from one of the isolated machines? The internal network penetration test process will test and validate the level of internal security on the client network. Based on statistics maintained by the Federal Bureau of Investigation (FBI), fifty percent of companies reporting break-ins to their networks and/or business applications state they were compromised by internal attacks. Internal network security is, more often than not, underestimated by administrators. Very often, such security does not even exist, allowing one user to easily access another user's machine using well-known exploits, trust relationships and default settings. Most of these attacks require little or no skill, putting the integrity of a network at stake.

Most employees do not need and should not have access to each other's machines, administrative functions, network devices and so on. However, because of the amount of flexibility needed for normal operation, internal networks cannot afford maximum security. On the other hand, with no security at all, internal users can be a major threat to many corporate internal networks. A user within the company already has access to many internal resources and does not need to bypass firewalls or other security mechanisms which prevent non-trusted sources, such as Internet users, from accessing the internal network. Poor network security also means that, should an external hacker break into a computer on your network, he/she can then access the rest of the internal network more easily. This would enable a sophisticated attacker to read and possibly leak confidential emails and documents; trash computers, leading to loss of information; and more. Not to mention that they could then use your network and network resources to start attacking other sites, which when discovered will lead back to you and your company, not the hacker.

Most attacks against known exploits could be easily fixed and, therefore, stopped by administrators if they knew about the vulnerability in the first place. During an Internal Network Security Assessment, security experts scan the entire internal local-area and wide-area networks for known vulnerabilities. These scans include all servers, workstations, and network devices.

Steps for Internal Network Security Auditing

Internal Network Review includes:

• Examining the internal configuration and setup of the organization's computing resources
• Users' accounts and password policies and practices
• Access privileges and levels
• File, directory, event log and registry permissions
• Audit logs
• Software patch management
• Physical network cabling
• Backup methodology and disaster recovery plans

Internal testing involves testing computers and devices within the company. In summary, internal penetration testing involves:

• Performing port scanning on individual machines and establishing null sessions
• Attempting replay attacks, ARP poisoning and MAC flooding
• Conducting man-in-the-middle attacks and trying to log in to a console machine
• Attempting to plant a keylogger, Trojan and rootkit on the target machine
• Attempting to send a virus using the target machine
• Hiding sensitive data and hacking tools on the target machine
• Escalating user privileges

Internal testing, which is a critical part of this, includes the following steps:

• Map the internal network
• Scan the network for live hosts
• Port scan individual machines
• Try to gain access using known vulnerabilities
• Attempt to establish null sessions
• Enumerate users/identify domains on the network
• Sniff the network using Wireshark
• Sniff POP3/FTP/Telnet passwords
• Sniff email messages
• Attempt replay attacks
• Attempt ARP poisoning
• Attempt MAC flooding
• Conduct a man-in-the-middle attack
• Attempt DNS poisoning
• Try a login to a console machine
• Boot the PC using an alternate OS and steal the SAM file
• Attempt to plant a software keylogger to steal passwords
• Attempt to plant a hardware keylogger to steal passwords
• Attempt to plant spyware on the target machine
• Attempt to plant a Trojan on the target machine
• Attempt to create a backdoor account on the target machine
• Attempt to bypass anti-virus software installed on the target machine
• Attempt to send a virus using the target machine
• Attempt to plant rootkits on the target machine
• Hide sensitive data on target machines
• Hide hacking tools and other data on target machines
• Use various steganography techniques to hide files on the target machine
• Escalate user privileges
• Capture POP3/SMTP/IMAP email traffic
• Capture the communications between the FTP client and FTP server
• Capture HTTP/HTTPS/RDP/VoIP traffic
• Run Wireshark with the filter ip.src == ip_address
• Run Wireshark with the filter ip.dst == ip_address
• Run Wireshark with the filter tcp.dstport == port_no
• Run Wireshark with the filter ip.addr == ip_address
• Spoof the MAC address
• Poison the victim's IE proxy server setting
• Attempt session hijacking on Telnet/FTP/HTTP traffic

Continue to compromise every machine in the network and perform the previous steps. Make sure you can undo your actions based on the pen-test process you have conducted.
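Two of the checks above, ARP poisoning and sniffing POP3/FTP/Telnet passwords, leave evidence that the auditor has to pull out of a capture to put in the report. The following added example (not from the handbook) does that over a constructed capture. The record layout mimics a field export from tshark (e.g. tshark -T fields with frame.time_relative, arp.src.hw_mac, arp.src.proto_ipv4, ip.src, ip.dst, tcp.dstport and tcp.payload); every address, MAC and credential in it is made up.

```python
"""Audit a packet capture for ARP poisoning and clear-text credentials.

Added example (not from the handbook). The records mimic a field export from
tshark; the layout, addresses, MACs and credentials are all constructed.
"""
import re
from collections import defaultdict

# (time, "arp", sender_mac, sender_ip)                    -- ARP reply seen
# (time, "tcp", src_ip, dst_ip, dst_port, payload_text)   -- TCP segment with data
CAPTURE = [
    (1.0, "arp", "aa:aa:aa:aa:aa:01", "10.0.0.1"),       # the real gateway
    (2.0, "arp", "aa:aa:aa:aa:aa:02", "10.0.0.20"),
    (3.5, "tcp", "10.0.0.20", "10.0.0.50", 110, "USER alice\r\n"),
    (3.6, "tcp", "10.0.0.20", "10.0.0.50", 110, "PASS s3cret\r\n"),
    (4.0, "arp", "bb:bb:bb:bb:bb:99", "10.0.0.1"),       # gateway IP now claimed by a second MAC
    (5.0, "tcp", "10.0.0.20", "10.0.0.60", 21, "USER ftpadmin\r\n"),
    (5.1, "tcp", "10.0.0.20", "10.0.0.60", 21, "PASS Winter2015\r\n"),
    (6.0, "tcp", "10.0.0.20", "10.0.0.70", 443, "\x16\x03\x01..."),  # TLS: opaque, ignored
]

CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3", 143: "IMAP"}
CRED_RX = re.compile(r"^(USER|PASS|LOGIN)\s+(\S+)", re.IGNORECASE)


def detect_arp_poisoning(capture):
    """Return {ip: [macs]} for every IP announced by more than one MAC.

    One IP answered by two hardware addresses inside a capture is the
    classic symptom of ARP cache poisoning (or, more rarely, a misconfigured
    failover pair); either way it has to be explained in the report.
    """
    macs_by_ip = defaultdict(set)
    for rec in capture:
        if rec[1] == "arp":
            _, _, mac, ip = rec
            macs_by_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def extract_cleartext_credentials(capture):
    """Pair USER/PASS (or LOGIN) lines per client/server/port on clear-text protocols."""
    pending_user = {}
    findings = []
    for rec in capture:
        if rec[1] != "tcp":
            continue
        _, _, src, dst, dport, payload = rec
        if dport not in CLEARTEXT_PORTS:
            continue
        m = CRED_RX.match(payload)
        if not m:
            continue
        verb, value = m.group(1).upper(), m.group(2)
        key = (src, dst, dport)
        if verb in ("USER", "LOGIN"):
            pending_user[key] = value
        elif key in pending_user:                     # PASS following a USER on this flow
            findings.append({
                "protocol": CLEARTEXT_PORTS[dport],
                "client": src, "server": dst,
                "user": pending_user.pop(key), "password": value,
            })
    return findings
```

Reporting note: the credentials themselves do not belong in the final report, only the fact that they were recoverable and on which flows; the same applies to anything sniffed during the engagement.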
Internal Security Auditing Tools

a. Automated penetration tools


• Core Impact
• Metasploit
• Canvas
b. Scanning tools
• Internet Scanner (www.iss.net)
• NetRecon (www.symantec.com)
• CyberCop (www.nai.com)
• Nessus (www.nessus.org)
• Cisco Secure Scanner (www.cisco.com)
• Retina (www.eeye.com)


6.5 Firewall Security Auditing


A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users on other networks. A firewall sits at the junction point or gateway between two networks, usually a private network and a public network such as the Internet. Firewalls protect against hackers and malicious intruders. It is a combination of hardware and software that separates a LAN into two or more parts for security purposes.

Firewalls are at the top of the list of critical security devices that businesses use to protect their assets. Firewalls come in all shapes and sizes, but they operate on the same basic principle: limit the exposure of computer systems to only those protocols and ports necessary to provide services, thus reducing the size of the attack surface of the system. The auditing of a firewall primarily revolves around inspecting the firewall rules to make sure that they are accurately enforcing security policy and providing as high a degree of protection as feasible.

A firewall examines all traffic routed between the two networks to see if it meets certain criteria. It routes packets between the networks. It filters both inbound and outbound traffic. It manages public access to private networked resources such as host applications. It logs all attempts to enter the private network and triggers alarms when hostile or unauthorized entry is attempted. Firewalls block unauthorized traffic, but if an organization wants to follow good practices, then it needs to layer on other security countermeasures to defend against attacks that firewalls are not designed to prevent.

Address filtering:

• Firewalls can filter packets based on their source and destination addresses and port numbers.

Network filtering:

• Firewalls can also filter specific types of network traffic. The decision to forward or reject traffic is dependent upon the protocol used, for example HTTP, FTP, or Telnet.
• Firewalls can also filter traffic by packet attribute or state.

If you have an attack against an authorized port and service, and your server is compromised, it isn't the firewall that failed but the lack of defence in depth. Of course the concept of what a firewall is just isn't as clear as it used to be in the days of single-purpose firewalls. We live in a unified threat management world, and today's firewalls perform a great many security tasks. IPS and VPN have been integrated into the firewall line. Unified Threat Management (UTM) devices operate as a combined threat management device, but the foundational elements of the firewall are central to how the device operates.

A firewall may allow all traffic through unless it meets certain criteria, or it may deny all traffic unless it meets certain criteria. The type of criteria used to determine whether traffic should be allowed through varies from one type of firewall to another. Firewalls may be concerned with the type of traffic, or with source or destination addresses and ports. They may also use complex rule bases that analyse the application data to determine if the traffic should be allowed through.

Types of firewall

Firewalls fall into four broad categories:

• Packet filters
• Circuit level gateways
• Application level gateways
• Stateful multilayer inspection firewalls

Packet filtering firewalls work at the network layer of the OSI model (or the IP layer of TCP/IP). They are usually part of a router. In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can:

• Drop the packet.
• Forward it, or send a message to the originator.

Rules can include source and destination IP address, source and destination port number and the protocol used. The advantage of packet filtering firewalls is their low cost and low impact on network performance. Most routers support packet filtering.

Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They monitor TCP handshaking between packets to determine whether a requested session is legitimate. Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway. Circuit level gateways are relatively inexpensive. They have the advantage of hiding information about the private network they protect. Circuit level gateways do not filter individual packets.

Application level gateways are also called proxies. They can filter packets at the application layer of the OSI model. Incoming or outgoing packets cannot access services for which there is no proxy. In plain terms, an application level gateway that is configured to be a web proxy will not allow any FTP, gopher, Telnet or other traffic through. Because they examine packets at the application layer, they can filter application-specific commands such as HTTP POST and GET.

Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls. They filter packets at the network layer, determine whether session packets are legitimate and evaluate the contents of packets at the application layer. They are expensive and require competent personnel to administer the device.

Review Firewall Design

Assessing firewall design requires that the auditor understand the various ways in which a firewall can be deployed. There are many factors that cause an organization to choose one design over another, and technical requirements are sometimes shaped by politics and budget as well. The firewall is a policy enforcement tool that should be placed at key network zone boundaries. It is ultimately up to the business to determine its tolerance for risk and
deploy the countermeasures that make sense. The following examples illustrate common firewall designs that an auditor might find.

Simple Firewall

The simple firewall design is common for small or branch networks and involves a firewall or router (configured as a firewall) between the Internet and the internal network. NAT is typically used, and providing Internet access is the primary function of the firewall. There might be port forwarding configured to internal servers for e-mail delivery or limited web hosting. These designs typically suffer from minimal layered security, but are by far the least expensive deployment method to connect a very small remote office or a mobile worker.

Screening Router and Firewall

A screening router provides frontline defence at the network edge. Not only does this router act as a basic firewall, but it can also perform services such as routing, NetFlow collection, quality of service, and anti-spoofing. The point of a screening router is to provide defence in depth and another place where access rules can be applied.

Firewall with DMZ

A better design for an organization that hosts its own websites, e-mail, or other Internet-facing services is the firewall with DMZ design. This design provides segmentation of Internet-facing services to their own dedicated subnet where policies and access control can be better enforced. Typically the firewall provides NAT services to the web applications, and also conducts application layer inspection to enforce RFC compliance and application use policies. Layering in an IPS via an SSM module inside the firewall or through a dedicated appliance can give full IPS protection for all traffic passing through the device.

Firewall with DMZ and Services Network

As the criticality of web services increases, a single DMZ can sometimes become crowded with applications and services. The more applications, the more complicated the access rules can become, and before long policies become difficult to implement on a single DMZ. Creating service networks on separate firewall interfaces addresses this by grouping like services together to simplify policy enforcement. Web servers can go into the DMZ, and internal servers can go into the services network. The amount of configuration starts to increase as the number of interfaces increases, but the capability to create more effective policies is vastly improved.

High Availability Firewall

High availability firewall designs are common in organizations that rely on the Internet as both a source of revenue and an important mechanism for reaching customers. For these types of organizations, downtime can create significant monetary loss, so the expense of a redundant architecture is well worth it. Another high availability option is active/active, where both firewalls enforce policy and pass traffic at the same time, and in the event of a failure of one device all traffic flows through the single remaining firewall. The benefits of active/active over active/standby are that both firewalls are being utilized and can support higher data rates than a single firewall. The downside to active/active is that both firewalls must be able to support their own traffic loads in addition to the other firewall's if one fails, or the organization must be able to accept.

Firewall testing

The steps involved in firewall penetration testing include:

• Locate the firewall and traceroute to identify the network range
• Port scan the router
• Grab the banner
• Create custom packets and look for firewall responses
• Test access control enumeration
• Test to identify the firewall architecture
• Test the firewall policy
• Test the firewall using a firewalking tool
• Test for port redirection
• Test the firewall from both sides
• Overt firewall test from outside
• Test covert channels
• Covert firewall test from outside
• Test HTTP tunnelling
• Test firewall-specific vulnerabilities
After the testing the following is documented:

• Firewall logs.
• Tools output
• The analysis
• Recommendations (if any).

Firewall Auditing Tools: HTTPORT, HTTHOST, Firewall Test Agent, Hping3, Netfilter, fragroute,
IP Filter, Ftester, Fwanalog, Fpipe, Firewall Builder, Port Test/ Firewall Tester, VisualRoute,
datapipe, firewalking;
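"Test the firewall policy" in the list above, and the earlier statement that auditing a firewall is mostly inspecting its rules, come down to checking the rule base against the policy it is meant to enforce. The following added example (not from the handbook) models a first-match, default-deny packet filter of the kind described under "Types of firewall" and runs three audit checks over a constructed rule base: expected-decision test cases taken from the written policy, shadowed rules that can never fire, and leftover permit-any rules. The rule names, addresses and test cases are all made up for the demonstration.

```python
"""Check a packet-filter rule base against the policy it should enforce.

Added example (not from the handbook). Models a first-match, default-deny
filter; the rule base, addresses and test cases are constructed.
"""
import ipaddress


class Rule:
    def __init__(self, name, action, proto, src, dst, dport):
        self.name, self.action, self.proto = name, action, proto   # action: permit / deny
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.dport = dport                                          # int or "any"

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "any" or self.proto == proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport == "any" or self.dport == dport))

    def covers(self, other):
        """True when every packet matching `other` also matches this rule."""
        return ((self.proto == "any" or self.proto == other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.dport == "any" or self.dport == other.dport))


def decide(rules, proto, src, dst, dport):
    """First matching rule wins; unmatched traffic is denied."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def find_shadowed(rules):
    """(rule, earlier rule) pairs where the earlier rule makes the later one unreachable."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


def find_permissive(rules):
    """Permit rules open to any source on any port: almost always an audit finding."""
    return [r.name for r in rules
            if r.action == "permit" and r.src.prefixlen == 0 and r.dport == "any"]


def run_policy_tests(rules, cases):
    """cases: (proto, src, dst, dport, expected_action). Returns the failures."""
    failures = []
    for case in cases:
        got = decide(rules, *case[:4])
        if got[0] != case[4]:
            failures.append((case, got))
    return failures


# Constructed rule base, as an auditor might export it from a filtering router.
RULES = [
    Rule("allow-web", "permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),
    Rule("allow-mgmt", "permit", "tcp", "10.0.0.0/8", "203.0.113.0/24", "any"),
    Rule("deny-telnet", "deny", "tcp", "0.0.0.0/0", "203.0.113.0/24", 23),
    Rule("allow-ssh-admin", "permit", "tcp", "10.1.1.0/24", "203.0.113.10/32", 22),  # never reached
    Rule("temp-any", "permit", "any", "0.0.0.0/0", "0.0.0.0/0", "any"),              # forgotten troubleshooting rule
]

# What the written policy says should happen for traffic from the Internet.
POLICY_CASES = [
    ("tcp", "198.51.100.7", "203.0.113.10", 443, "permit"),
    ("tcp", "198.51.100.7", "203.0.113.10", 23, "deny"),
    ("tcp", "198.51.100.7", "203.0.113.10", 3389, "deny"),
    ("udp", "198.51.100.7", "203.0.113.10", 161, "deny"),
]
```

The interesting output is the combination: the policy tests fail only on ports the policy never mentions, and the permissive-rule check names the rule responsible (temp-any). A firewalking or port-redirection test against the live device should then confirm from outside what the rule review predicts.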


6.6 IDS Security Auditing


Introduction to IDS

An IDS is software/hardware that detects and logs inappropriate, incorrect, or anomalous activity. IDSes are typically characterized based on the source of the data they monitor.

There are 2 types of IDS:

• Host-based: A host-based IDS uses system log files and other electronic audit data to identify suspicious activity.

• Network-based: A network-based IDS uses a sensor to monitor packets on the network to which it is attached.

A network intrusion detection system (NIDS) is a system that tries to detect malicious activity such as denial of service attacks, port-scans or even attempts to crack into computers by monitoring network traffic.

A host-based IDS monitors individual hosts on the network for malicious activity; for example, Cisco Security Agent. Host systems are more accurate than network-based IDS because they analyse the server's log files and not just network traffic patterns. The host monitors the system and reports its activities to a centralized server. They are expensive and resource intensive.

An application-based IDS is like a host-based IDS designed to monitor a specific application (similar to antivirus software designed specifically to monitor your mail server). An application-based IDS is extremely accurate in detecting malicious activity for the applications it protects.

Multi-Layer Intrusion Detection Systems

mIDS integrates many layers of IDS technologies into a single monitoring and analysis engine. It aggregates integrity monitoring software logs, system logs, IDS logs, and firewall logs into a single monitoring and analysis source.

Benefits:

• Improves detection time
• Increases situational awareness
• Incident handling and analysis
• Shortens response time
• Decreases detection and reaction time
• Decreases consumed employee time and increases system uptime
• Provides a clear picture of what happened during an incident

Wireless Intrusion Detection Systems

WIDS monitor and evaluate user and system activities, identify known attacks, determine abnormal network activity, and detect policy violations for WLANs. They check for potential weaknesses that damage WLAN security:

• Rogue wireless APs.
• Man-in-the-middle attacks.

A WIDS detects the following:

• DoS attacks.
• MAC spoofing.
• RF interference.
• Isolates an attacker's physical location.
• Identifies non-encrypted traffic.

IDS Security Auditing Steps:

• Test for resource exhaustion/IDS by sending ARP flood
• Test the IDS by MAC spoofing/IP spoofing
• Test by sending a packet to the broadcast address/inconsistent packets
• Test IP packet fragmentation/duplicate fragments
• Test for overlapping fragments/ping of death
• Test for odd sized packets/TTL evasion
• Test by sending a packet to port 0/UDP checksum
• Test for TCP retransmissions/TCP flag manipulation
• Test TCP flags
• Test the IDS by sending SYN floods/sequence number prediction
• Test for backscatter
• Test the IDS with ICMP packets/IDS using covert channels
• Test using TCP replay
• Test using TCP opera
• Test using method matching
• Test the IDS using URL encoding
• Test the IDS using double slashes
• Test the IDS for reverse traversal
• Test for self-reference directories
• Test for premature request ending
• Test for IDS parameter hiding
• Test for HTTP mis-formatting
• Test for long URLs
• Test for DOS/Win directory syntax
• Test for null method processing
• Test for case sensitivity
• Test session splicing

IDS Security Auditing Tools:


• IDS Informer
• Firewall Informer
• Traffic IQ professional
• OSSEC HIDS
Evasion tools:
• EVADE IDS
• Evasion Gateway
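The multi-layer aggregation described under mIDS above, as an added example that is not part of the handbook: a small Python correlation step that normalises constructed firewall, host-IDS and file-integrity log lines (all three line formats are hypothetical) into one event stream, and reports a host as an incident only when events from two or more sources fall within a short window. That is what turns separate per-layer alerts into the single picture of an incident the text promises.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the three formats are hypothetical, not any
# real product's output. 192.0.2.x are the monitored hosts, 203.0.113.9 and
# 198.51.100.4 are external addresses.
FIREWALL_LOG = """\
2024-03-01T10:00:02 DENY src=203.0.113.9 dst=192.0.2.10 dport=22
2024-03-01T10:00:05 DENY src=203.0.113.9 dst=192.0.2.10 dport=23
2024-03-01T10:00:09 ALLOW src=203.0.113.9 dst=192.0.2.10 dport=443
2024-03-01T12:30:00 ALLOW src=198.51.100.4 dst=192.0.2.20 dport=80
"""
HIDS_LOG = """\
2024-03-01T10:00:40 host=192.0.2.10 event=auth_failure user=admin src=203.0.113.9
2024-03-01T10:01:10 host=192.0.2.10 event=auth_success user=admin src=203.0.113.9
"""
FIM_LOG = """\
2024-03-01T10:02:30 host=192.0.2.10 file=/etc/passwd change=modified
2024-03-01T15:00:00 host=192.0.2.20 file=/var/log/syslog change=modified
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(source, text):
    """Normalise one source's lines into common event records.

    Each record has the keys ts, source, host, src and msg. A firewall line's
    destination is treated as the affected host; fields a source does not
    carry (the FIM log has no src) are None.
    """
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(KV.findall(rest))
        events.append({
            "ts": datetime.fromisoformat(ts),
            "source": source,
            "host": fields.get("host") or fields.get("dst"),
            "src": fields.get("src"),
            "msg": rest,
        })
    return events


def load_all():
    """Merge the three sources into one chronologically ordered stream."""
    events = (parse("firewall", FIREWALL_LOG)
              + parse("hids", HIDS_LOG)
              + parse("fim", FIM_LOG))
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5)):
    """Group each host's events into chains where consecutive events are no
    more than `window` apart, and keep only chains that involve at least two
    different log sources: a single-source burst stays a per-layer alert,
    while cross-layer activity on one host becomes a consolidated incident.
    Returns {host: [chain, ...]}, each chain a time-ordered list of events.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    incidents = defaultdict(list)
    for host, evs in by_host.items():
        chain = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - chain[-1]["ts"] <= window:
                chain.append(ev)
            else:
                if len({e["source"] for e in chain}) >= 2:
                    incidents[host].append(chain)
                chain = [ev]
        if len({e["source"] for e in chain}) >= 2:
            incidents[host].append(chain)
    return dict(incidents)


def summarize(chain):
    """Single timeline view of one incident: the 'clear picture of what
    happened' that aggregating the layers is meant to give the analyst."""
    return {
        "start": chain[0]["ts"].isoformat(),
        "end": chain[-1]["ts"].isoformat(),
        "sources": sorted({e["source"] for e in chain}),
        "external_ips": sorted({e["src"] for e in chain if e["src"]}),
        "timeline": [f'{e["ts"]:%H:%M:%S} [{e["source"]}] {e["msg"]}'
                     for e in chain],
    }


if __name__ == "__main__":
    for host, chains in correlate(load_all()).items():
        for chain in chains:
            print(host, summarize(chain))
```

With the constructed input, only 192.0.2.10 is reported: its blocked probes, the failed-then-successful admin login and the /etc/passwd change all land inside five minutes, while the two unrelated events on 192.0.2.20 stay separate single-source alerts.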


6.7 Social Engineering Audit


What is Social Engineering?

The term social engineering is used to describe the various tricks used to fool people (employees, business partners, or customers) into voluntarily giving away information that would not normally be known to the general public.

Examples:

• Names and contact information for key personnel
• System user IDs and passwords
• Proprietary operating procedures
• Customer profiles

Steps in conducting Social Engineering

• Attempt social engineering techniques using phone, vishing, telephone, email, traditional mail, in person, dumpster diving, insider accomplice, shoulder surfing, desktop information, extortion and blackmail, websites, theft and phishing attacks, satellite imagery and building blueprints, details of an employee from social network sites, telephone monitoring device to capture conversation, video recording tools to capture images, vehicle/asset tracking system to monitor motor vehicles, identified "disgruntled employees" and engage in conversation to extract sensitive information
• Document everything including approach, response, information sought and retrieved

Web Application Security Auditing

Web application vulnerabilities generally stem from improper handling of client requests and/or a lack of input validation checking on the part of the developer. A web application is an application, generally comprising a collection of scripts, that resides on a web server and interacts with databases or other sources of dynamic content.

Steps for Web Application Testing

• Fingerprinting the web application environment
• Investigate the output from HEAD and OPTIONS HTTP requests
• Investigate the format and wording of 404/other error pages
• Test for recognized file types/extensions/directories
• Examine source of available pages
• Manipulate inputs in order to elicit a scripting error
• Test inner working of a web application
• Test database connectivity
• Test the application code
• Testing the use of GET and POST in web application
• Test for parameter-tampering attacks on website
• Test for URL manipulation
• Test for cross site scripting
• Test for hidden fields
• Test cookie attacks
• Test for buffer overflows
• Test for bad data
• Test client-side scripting
• Test for known vulnerabilities
• Test for race conditions
• Test with user protection via browser settings
• Test for command execution vulnerability
• Test for SQL injection attacks
• Test for blind SQL injection
• Test for session fixation attack
• Test for session hijacking
• Test for XPath injection attack
• Test for server side include injection attack
• Test for logic flaws
• Test for binary attacks
• Test for XML structural
• Test for XML content-level
• Test for WS HTTP GET parameters/REST attacks
• Test for naughty SOAP attachments
• Test for WS replay
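The root cause named in the introduction to this section (client input reaching the database without validation), as an added example that is not from the handbook: the same customer lookup written the vulnerable way beside its hardened form, run against a constructed in-memory SQLite table so that the effect of a tampered request parameter can be checked directly. The table, the function names and the customer-identifier whitelist are assumptions.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, "alice", 120.0),
        (2, "alice", 35.5),
        (3, "bob", 900.0),
    ])
    return conn


def orders_vulnerable(conn, customer):
    """The flaw the text describes: the request parameter is pasted into the
    SQL text, so the database parses whatever the client sent as part of the
    query. A tampered value changes the query's meaning instead of its data."""
    sql = "SELECT id FROM orders WHERE customer = '" + customer + "'"
    return [row[0] for row in conn.execute(sql)]


# Whitelist of what a customer identifier is allowed to look like (assumed
# application rule: lowercase letters, digits and underscore, 1 to 32 chars).
CUSTOMER_ID = re.compile(r"[a-z0-9_]{1,32}")


def orders_hardened(conn, customer):
    """Two independent controls: reject input that does not match the expected
    shape (input validation), and bind the value with a placeholder so that
    even an unexpected value is only ever treated as data (parameterisation)."""
    if not CUSTOMER_ID.fullmatch(customer):
        raise ValueError("request parameter rejected by input validation")
    sql = "SELECT id FROM orders WHERE customer = ?"
    return [row[0] for row in conn.execute(sql, (customer,))]


def orders_parameterised_only(conn, customer):
    """Parameterisation without validation: still immune to the injection,
    but bad data reaches the query and simply matches nothing."""
    sql = "SELECT id FROM orders WHERE customer = ?"
    return [row[0] for row in conn.execute(sql, (customer,))]


def compare(customer):
    """Run one client-supplied value through all three handlers and return
    what each one does, so the difference can be seen side by side."""
    conn = make_db()
    result = {"vulnerable": orders_vulnerable(conn, customer),
              "parameterised": orders_parameterised_only(conn, customer)}
    try:
        result["hardened"] = orders_hardened(conn, customer)
    except ValueError as exc:
        result["hardened"] = str(exc)
    return result


if __name__ == "__main__":
    # A normal request and a constructed tampered parameter of the kind a
    # parameter-tampering / SQL injection test sends.
    for value in ("alice", "' OR '1'='1"):
        print(repr(value), compare(value))
```

The vulnerable handler returns every customer's orders for the tampered value, the parameterised one returns nothing, and the hardened one refuses the request before it reaches the database, which is also where the "bad data" test in the list above belongs.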

Web Application Testing Tools


Burp Suite, fuzzing tool, dotDefender, IBM Security AppScan, HP WebInspect, SQL Block Monitor,
Microsoft Source Code Analyzer, Acunetix Web Vulnerability Scanner, WebCruiser, GreenSQL,
Microsoft UrlScan, Absinthe, CORE IMPACT Pro, Safe3SI, BSQLHacker, SQL Power Injector, Havij,
BobCat, Sqlninja, sqlmap, Pangolin – Automatic SQL Injection Penetration Testing Tool,
NGSSQuirre, AtStake WebProxy, SPIKE Proxy, WebserverFP, KSES, Mieliekoek.pl, Sleuth, Webgoat,
AppScan


UNIT VII
Audit Reports and Actions

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Trainer Resource Material
7.1. Audit Reports and Actions


LESSON PLAN

Outcomes | Performance Ensuring Measures | Duration (Hrs) | Work Environment / Lab Requirement

Outcomes: To be competent, you must be able to: PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
Performance Ensuring Measures: Peer group, Faculty group and Industry experts.
Duration (Hrs): 2 hr in class presentations
Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Projection facilities

Outcomes: You need to know and understand: KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these; KB1. fundamentals of information security and how to apply these, including: networks, communication, application security
Performance Ensuring Measures: KA4, KA5: Peer group, Faculty group and Industry experts. KB1 - KB4: Research and Learning activity. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline (24/7)
Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability
 Internet with WiFi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security


Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research various types of attacks and get
examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets
the maximum number of correct examples will get a prize.

Activity 2:

Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.

Lesson

The auditor report's goal is to show the organization that the team honestly wants to improve the company's security posture; this is to be borne in mind when writing the report. The documentation report should contain the final result and recommendations to rectify any problem that occurred during the penetration testing process. The document report includes:

• Summary of the test execution.
• Scope of the project.
• Result analysis.
• Recommendations.
• Appendixes.

After documentation, submit the document to the client, get their signature and keep a copy of the report.

The summary should provide a short, high-level overview of the test. It should contain the client's name, testing firm, date of test, and so on, information about the targeted systems and applications, and end-user test results. Examine all exploits performed. The summary should include details of discovered vulnerabilities.

Scope of the project should include the IP address ranges that are tested and mentioned in the contract:

• Examining whether social engineering was employed or not.
• Examining whether public or private networks are tested or not.
• Examining whether Trojans and backdoor software applications are permitted or not.

The results analysed should include:

• Domain name and IP address of the host
• TCP and UDP ports
• Description of the service
• Details of the test performed
• Vulnerability analysis

Appendices should include:

• Contact information
• Screen shots
• Log output

If one would simply run a handful of tools and provide a report, then the company will never want to see you again. Recommendations to improve their security are very important for the report to be accepted by the customer.

Network penetration testing should include the following reports:

• Executive report - Generate reports for the various hosts, users, and vulnerabilities that were identified, targeted, and exploited during the test process.
• Active report - Generate a detailed report for the various executed exploits.
• Host report - Generate a detailed report on the various hosts that were tested.
• Vulnerability report - Generate a report on the various vulnerabilities that were exploited effectively during the penetration testing process.
• Payment Card Industry (PCI) report - Display the results of the vulnerability tests performed against the Payment Card Industry (PCI) Data Security Standard (where applicable).

Client-side penetration testing should include the following reports:

• Client-side penetration report - Provide a report for the client side test that includes the email template sent, exploit launched, test result, and details about the compromised systems.
• User report - Provide information about which links were clicked, when the links were clicked, and who clicked the link. Display a summarized report on all the users who were identified and targeted during the testing process.

Web application penetration testing should include the following reports:

• Web application vulnerability report - Provides a detailed report on every vulnerability that was found during the testing process.
• Web application execution report - Provides a summarized report of every vulnerable web page found during the penetration testing process.
• Technical summary

Writing the final report does not have to be the responsibility of one person. In many cases, multiple team members will contribute to the actual writing of the final report. Assigning the writing responsibility is usually according to the abilities of individual team members and the scope they covered.

Divide the reports into sections as follows:

• Network test reports
• Client side test reports
• Web application test reports

Common structure for the penetration report includes:

• Executive summary
• Management summary

Findings are security issues that the team uncovered during the penetration testing. Findings are categorized as:

• High
• Medium
• Low

High criticality findings: Loss could result in the unauthorized release of information that could have a significant impact on the organization's mission or financial assets, or result in loss of life.

Medium criticality findings: Loss could result in the unauthorized release of information that could have an impact on the organization's mission or financial assets, or result in harm to an individual.

Low criticality findings: Loss could result in the unauthorized release of information that could have some degree of impact on the organization's mission or financial assets, or result in harm to an individual.

Recommendations:

Focus on high priority security concerns first. Develop strategies to achieve short term and long term security postures. Decide on the required and available security resources to maintain a consistent level of information security.

Organizations should develop an action plan to:

• Address the security concerns on time and systematically.
• Reduce the misuse or threat of attacks on the organization.
• Create a configuration management process.
• Create or use configuration checklists available from the product vendors and security organizations such as NIST and NSA.
• Improve the level of control for purchased software by checking for updates and patches from the vendors.
• Create a policy for applying patches in a timely manner.
• Create guidelines for best practices to be followed based on the recommendations of the pen test report.
• Regular auditing of the organization reduces exposure to vulnerabilities.
• Conduct training for analysing the security posture of a network: technical security training programs for people managing information technology, and training for application developers to develop secure code.

Security education and awareness programs need to be implemented, such as:

• General security awareness for new employees in the organisation.
• Awareness program through e-learning.
• Provide training on social engineering to each and every employee.

Contribute to creation and strengthening of Security Policies:


• Systems Security Policy
• Information Classification Policy
• Password Policy
• Strong Authentication Policy
• Virus Detection and Management Policy
• Encryption Policy
• Security Change Management Policy
• Remote Network Access Policy
• Firewall Security Policy

Final report format

The final report will contain:

• The cover letter
• A title page: this will indicate the report name, the agency or department it is for, and the date when the report was published.
• A table of contents: Seems obvious, but these documents can get lengthy; include this as a courtesy.
• An executive summary: This will be a high level summary of the results, what was found and what the bottom line is. The sections of the executive summary will include:
o Organization synopsis
o Purpose for the evaluation
o System description
o Summary of evaluation
o Major findings and recommendations
o Conclusion
• An introduction: A simple statement of your qualifications, the purpose of the audit and what was in scope.
• Findings: This section will contain your findings and will list the vulnerabilities or issues that should be remediated. This listing should be ordered by criticality levels, which are hopefully defined by internal policies (i.e. if your vulnerability scanner finds a high critical vulnerability, based upon how that vulnerability is implemented in your environment, it may not be a true high critical, so internal policies should assist in defining the criticality levels).
• Methodologies: Here you will discuss the tools used, how false positives were ruled out, and what processes completed this audit. This is to provide consistency and allow your audits to be repeatable in the event a finding is disputed or deemed not worthy of fixing by management.
• Conclusion: Basic conclusion; summarize the information you have already put together.
• Appendixes: This will be any extra attachments needed for reference.

The final report should be delivered personally; the report should not be sent by email or CD-ROM. A printed report is the best format. The pen-test information is very sensitive. One should only store it for a certain period of time (30–45 days is typical). One should be able to answer questions during this period. After the 30–45 days, one should destroy the information from storage. This clause is usually mentioned in the contract with the customer before the engagement begins. The pentest reports on discovered vulnerabilities, available options, recommendations, and suggestions. Recommendations are the most important part of the report for the user to implement for improving network security. A pen tester should hand over the sensitive information within 45 days or destroy it from storage. Create a final report documenting the test findings. Deliver the report to the concerned officer.


UNIT VIII
Audit Support Activities

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Trainer Resource Material
7.1. Audit Support Activities


LESSON PLAN

Outcomes | Performance Ensuring Measures | Duration (Hrs) | Work Environment / Lab Requirement

Outcomes: To be competent, you must be able to: PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
Performance Ensuring Measures: Peer group, Faculty group and Industry experts.
Duration (Hrs): 2 hr in class presentations
Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Projection facilities

Outcomes: You need to know and understand: KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these; KB1. fundamentals of information security and how to apply these, including: networks, communication, application security
Performance Ensuring Measures: KA4, KA5: Peer group, Faculty group and Industry experts. KB1 - KB4: Research and Learning activity. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration (Hrs): 2 Hrs classroom assessment and 10 Hrs offline (24/7)
Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability
 Internet with WiFi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security


Suggested Learning Activities


Activity 1:

Divide the students into groups and ask them to research various types of attacks and get
examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets
the maximum number of correct examples will get a prize.

Activity 2:

Ask the students to research cases of attacks over the years and impact of those attacks on
the organisations where these occurred.

Activity 3:

Ask the students to access the CVE and list all the types of information that they can get
from there. Present the same in class and elaborate upon the various ways that
information can be used.


Lesson

Assisting the auditors

Security Analyst: A security analyst may be assigned responsibilities to carry out activities supporting the audit team or to independently carry out a set of security auditing activities. It is important for the security analyst to clarify and understand their scope of responsibilities and work within these limits. In case they are not clear about any aspect of their limits of authority or scope of responsibilities, they should speak to their supervisor and clarify the same. It always helps to get written clarifications to eliminate confusion later on.

Auditors need organizational support, such as having access to certain data or staff. The security analyst often assists and supports the information audit. This support often includes actions such as obtaining access to copies of policies or system configuration data. These expectations should be clarified or directed by seniors to the security analyst and the auditors. The security analyst should also get clear information about the units whose systems will be audited. The security analyst would communicate the same to co-workers and other users in the organization to ensure a smooth and least disruptive audit. For this purpose, business and IT unit managers of the audited systems should be involved early in the process. This will ensure there are no disputes and delays regarding the auditors' access to areas and information.

The various responsibilities of the Security Analyst in supporting the auditors can include the following:

Assisting with Security Policy

As stated, a security audit is essentially an assessment of how effectively the organization's security policy is being implemented. Of course, this assumes that the organization has a security policy in place which, unfortunately, is not always the case. A Security Analyst will support the auditors in getting the necessary information by getting them access to policies and procedures documents or explaining the processes where such documents are not available.

Facilitating access

Natural tensions frequently exist between workplace culture and security policy. Even with the best of intentions, employees often choose convenience over security. Sometimes teams and individuals need to be spoken to, and auditors need to be helped in gaining access to the facilities required for auditing. This may also be the case with getting time with individuals for auditing.

Pre-Audit Homework

Before the computer security auditors even begin an organizational audit, there's a fair amount of homework that should be done. Auditors need to know what they're auditing. In addition to reviewing the results of any previous audits that may have been conducted, there are several tools they may use or refer to beforehand. The first is a site survey. This is a technical description of the system's hosts. It also includes management and user demographics. This information may be out of date, but it can still provide a general framework. Security questionnaires may be used to follow up the site survey. These questionnaires are, by nature, subjective measurements, but they are useful because they provide a framework of agreed-upon security practices. The respondents are usually asked to rate the controls used to govern access to IT assets. These controls include: management controls, authentication/access controls, physical security, outsider access to systems, system administration controls and procedures, connections to external networks, remote access, incident response, and contingency planning. A security analyst may be called upon to assist in conducting site surveys and administering security questionnaires. Accompanying communication may be required to acquire the specific responses to specific requirements.

Auditors review previous security incidents at the client organization to gain an idea of historical weak points in the organization's security profile. It may require the support of organisational staff as auditors examine current conditions to ensure that repeat incidents cannot occur. If auditors are asked to examine a system that allows Internet connections, they may also want to know about IDS/Firewall log trends. Do these logs show any trends in attempts to exploit weaknesses? A security analyst may be called upon to provide such support to auditors.

The auditors develop an audit plan. This plan will cover how the audit will be executed, with which personnel, and using what tools. They will then discuss the plan with the requesting agency. Next they discuss the objective of the audit with site personnel along with some of the logistical details, such as the time of the audit, which site staff may be involved and how the audit will affect daily operations. The security analyst may be called upon to coordinate and smooth the audit execution.

At the Audit Site

When the auditors arrive at the site, their aim is not to adversely affect business transactions during the audit. They should conduct an entry briefing where they again outline the scope of the audit and what they are going to accomplish. Any questions that site management may have should be addressed and last minute requests considered within the framework of the original audit proposal. This communication may be further passed on with the help of the security analyst. During the audit, they will collect data about the physical security of computer assets and perform interviews of site staff. They may perform network vulnerability assessments, operating system and application security assessments, access controls assessment, and other evaluations. Throughout this process, the auditors should follow their checklists, but also keep their eyes open for unexpected problems. Here they get their noses off the checklist and start to sniff the air. They should look beyond any preconceived notions or expectations of what they should find and see what is actually there. In this case the security analyst may be of immense help, providing the auditors with background information and facilitating ad-hoc activities that may not be registered in the original plan.

Conduct Outgoing Briefing

After the audit is complete, the auditors will conduct an outgoing briefing, ensuring that management is aware of any problems that need immediate correction. Questions from management are answered in a general manner so as not to create a false impression of the audit's outcome. It should be stressed that the auditors may not be in a position to provide definitive answers at this point in time. Any final answers will be provided following the final analysis of the audit results. The security analyst may be the conduit for channelling the information and supporting interim measures for strengthening security.

Back in the Office

Once back in the home office, the auditors will begin to comb their checklists and analyze data discovered through vulnerability assessment tools. There should be an initial meeting to help focus the outcome of the audit results. During this meeting, the auditors can identify problem areas and possible solutions. They may require some pending information or call for information to fill in some gaps. This may be provided by the Security Analyst.

Post-recommendation stage

Finally, the audit staff should prepare the report as speedily as accuracy allows so that the site staff can correct the problems discovered during the audit. Depending on company policy, auditors should be ready to guide the audited site staff (Security Analysts) in correcting deficiencies and help them measure the success of these efforts. Management should continually supervise deficiencies that are turned up by the audit until they are completely corrected.

The Ongoing Audit

It must be kept in mind that as organizations evolve, their security structures will change as well. With this in mind, the computer security audit is not a one-time task, but a continual effort to improve data protection.

Security analysts learn with each audit and testing activity and can carry on evaluation of the strength of the organisation's security policy and its implementation. The analyst makes ongoing efforts to help refine the policy and correct deficiencies that are discovered through the audit process. Whereas tools are an important part of the audit process, the audit is less about the use of the latest and greatest vulnerability assessment tool, and more about the use of organized, consistent, accurate data collection and analysis to produce findings that can be measurably corrected. This is where the security analyst continues to contribute.

Trainer’s Handbook – Security Analyst SSC/N9001

SSC/ N 9001:
Manage your work to meet requirements

UNIT I: Understanding scope of work and working within limits of authority


UNIT II: Work and work environment
UNIT III: Maintaining confidentiality


Unit Code SSC/ N 9001

Unit Title (Task) Manage your work to meet requirements

Description This unit is about planning and organizing your work in order to complete it to the
required standards on time.
Scope This unit/task covers the following:

Work requirements:

 activities (what you are required to do)


 deliverables (the outputs of your work)
 quantity (the volume of work you are expected to complete)
 standards (what is acceptable performance, including compliance with
Service Level Agreements)
 timing (when your work needs to be completed)
Appropriate people:

 line manager
 the person requesting the work
 members of the team/department
 members from other teams/departments
Resources:

 equipment
 materials
 information
Performance Criteria(PC) w.r.t. the Scope

The user / individual on the job should be able to:


PC1. establish and agree your work requirements with appropriate people
PC2. keep your immediate work area clean and tidy
PC3. utilize your time effectively
PC4. use resources correctly and efficiently
PC5. treat confidential information correctly
PC6. work in line with your organization’s policies and procedures
PC7. work within the limits of your job role
PC8. obtain guidance from appropriate people, where necessary
PC9. ensure your work meets the agreed requirements
Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company / organization and its processes)

The user/individual on the job needs to know and understand:

KA1. the organization's policies, procedures and priorities for your area of work and your role and responsibilities in carrying out your work
KA2. the limits of your responsibilities and when to involve others
KA3. your specific work requirements and who these must be agreed with
KA4. the importance of having a tidy work area and how to do this
KA5. how to prioritize your workload according to urgency and importance and the benefits of this
KA6. the organization's policies and procedures for dealing with confidential information and the importance of complying with these
KA7. the purpose of keeping others updated with the progress of your work
KA8. who to obtain guidance from and the typical circumstances when this may be required
KA9. the purpose and value of being flexible and adapting work plans to reflect change

B. Technical Knowledge

The user/individual on the job needs to know and understand:

KB1. the importance of completing work accurately and how to do this
KB2. appropriate timescales for completing your work and the implications of not meeting these for you and the organization
KB3. resources needed for your work and how to obtain and use these


THE UNITS

The module for this NOS is divided into 3 Units based on the learning objectives as given below.

UNIT I: Understanding scope of work and working within limits of authority


1.1. Scope of work
1.2. Seeking/providing clarity, assistance and support
1.3 Seeking feedback and approvals
1.4 Change and flexibility
UNIT II: Work and work environment
2.1. Planning work and work environment
2.2. Cleanliness and tidiness
UNIT III: Maintaining Confidentiality
3.1. Confidentiality of information
3.2. Policies and procedures for confidential information


UNIT I
Understanding scope of work and
working within limits of authority

This Unit covers:

• Lesson Plan
• Resource Material
1.1. Scope of work
1.2. Seeking and providing clarity, assistance and support
1.3. Seeking feedback and approvals
1.4. Change and flexibility


LESSON PLAN

Outcomes:
PC1. establish and agree your work requirements with appropriate people
Appropriate people: line manager, the person requesting the work, members of the team/department, members from other teams/departments
PC6. work in line with your organization’s policies and procedures
PC7. work within the limits of your job role
PC8. obtain guidance from appropriate people, where necessary
PC9. ensure your work meets the agreed requirements

Learning Activities:
Discuss the benefits of working as per PC1, PC6 and PC7 when one gets any work, and the negative consequences of not doing so.
Question the participants about what they can do if they are not clear about their work or if they face a problem, and who they can seek help from.
Divide the class into groups and provide each group with a set of written instructions for a task with multiple parameters and division of roles. Give them a tight time limit and ask each group to perform accurately as per instructions and within the time limit. Keep track of which groups were demonstrating PC1, PC6, PC7, PC8 and PC9. Provide feedback in the end to each group with respect to the same.

Performance Ensuring Measures:
The learners must demonstrate PC1, PC6, PC7 and PC8 before starting work and demonstrate PC9 after completion of work.

Duration (Hrs): 1 hour

Work Environment / Lab Requirement:
Copies of the written instructions for the mentioned task, and the material and equipment required to perform the task for each group.


Outcomes:
You need to know and understand:
KA1. the organization’s policies, procedures and priorities for your area of work and your role and responsibilities in carrying out your work
KA2. the limits of your responsibilities and when to involve others
KA3. your specific work requirements and who these must be agreed with
KA7. the purpose of keeping others updated with the progress of your work
KA8. who to obtain guidance from and the typical circumstances when this may be required
KA9. the purpose and value of being flexible and adapting work plans to reflect change

Learning Activities (KA1 to KA9):
Learn to use the system resources effectively.
Learn to create the responsibility chart of the peer group, involving your peer groups.
Link up with industry experts through LinkedIn, Twitter and Facebook.
Accommodate your fellow students by sharing your system resources.
Group discussion amongst the groups.
Sharing the knowledge within the intra and inter groups during coffee meets.

Performance Ensuring Measures (KA1 to KA9):
Sharing of information obtained through LinkedIn, Facebook and other social media contacts for evaluation and learning by faculty.
Create discussion forums and discuss the learning through social media, and create a document for evaluation by the peer group and faculty.

Duration (Hrs):
1 hr classroom assessment and 5 hrs offline research and learning activity.

Work Environment / Lab Requirement (inclusive of hardware / software specifications):
Standard environment PLUS: create discussion forums at college level; create contacts on LinkedIn and other social media sites.


SUGGESTED LEARNING ACTIVITIES

Activity 1:

• Ask students to discuss the importance (advantages and disadvantages) of doing work as per the following:
  o agreeing work requirements with appropriate people before commencing work
  o purpose of having policies and procedures and working as per these
  o knowing job limits and working within one’s span of responsibility
• Once done, use the resource material to explain the same.

Activity 2:

• Ask students to work in pairs, link up with professionals from various companies and research the internet to list various policies and their purpose in companies.
• Praise the top three duos that prepare the most comprehensive list with an accurate description of the purpose and components of the policy.

Activity 3:

• Ask the participants what they can do if they are not clear about their work or if they face a problem, and who they can seek help from.

Activity 4:

• Divide the class into groups and provide each group with a set of written instructions for a task with multiple parameters and division of roles. Give them a tight time limit and ask each group to perform accurately as per instructions and within the time limit. Keep track of which groups were demonstrating the following principles:
  o establish and agree your work requirements with appropriate people
  o Appropriate people: line manager, the person requesting the work, members of the team/department, members from other teams/departments
  o work in line with your organization’s policies and procedures
  o work within the limits of your job role
  o obtain guidance from appropriate people, where necessary
  o ensure your work meets the agreed requirements
• Provide feedback in the end to each group with respect to the same.
• Ensure members represent different levels of hierarchy in an organisation, including supervisor, subordinate, department head, specialist, customer, etc.

Activity 5:

• Ask the class the importance of receiving and giving feedback. Encourage them to receive feedback from the person next to them on their behaviour in class and their overall performance in the course.
• Once this is done, ask the students to highlight how they felt while giving and receiving feedback. Explain the importance of giving and receiving feedback in the right spirit, paying attention to the emotions of others. Also explain the importance of working on feedback and how they can validate its accuracy.
• Now explain to the students that in order to incorporate feedback they have to change the way they are, including habits, work style, etc. This often may result in changing the expectations of others.

Activity 6:

Explain to the students that to effect change in work practices or policies it is important to follow protocol and go through the right channels and procedures. This is particularly important as any change has many facets of impact and in organisations it usually impacts others, and also because the original practices and processes were made for a purpose and served some need.


1.1 Scope of Work

Scope of work refers to the range of tasks and activities to be performed or expected to be performed by someone or within a project or contract, as agreed. This is usually a result of division or defining and limiting of work and responsibilities. This usually is understood to be performed within agreed timelines and rules or standards of performance.

It is important to understand one’s own and others’ scope of work and responsibilities clearly and commonly between co-workers for the following reasons:

• Helps in planning and organising work better
• Builds trust and reliability
• Reduces scope of conflict and confusion
• Helps optimise effort through reducing omissions and overlaps
• Helps secure the right level of support from the right people

Every worker needs to know what they are meant to do at work and the limits of their work and authority. This helps everyone in planning and organising their own work better as it reduces uncertainty and the need to constantly clarify with seniors and others the expectations of work, as to what to do and what not to. Also, if everyone is clear about their own and their co-workers’ work then there is clarity of expectations around performance of each other and it helps everyone know and rely on others to do their part, especially where there are interdependencies involved. If co-workers do their part as expected or required then there is development of trust between co-workers. Where co-workers do not deliver performance as expected or required there is disappointment and lack of trust.

A clear division of work and responsibilities also helps plan and carry out work in a manner that no work is left unassigned or erroneously assigned in duplicate to multiple people, causing lack of clarity on who is responsible and accountable for carrying out that work.

The main difference between responsibility and accountability is that responsibility can be shared while accountability cannot.

Ways to clarify scope of work

• Job descriptions
• Seniors (supervisors or managers)
• Job or duty assignment sheet/document/roster
• Colleagues
• Policy and procedure documents


Organisation’s policies and procedures

Why do companies have policies and procedures?

a. Ease of working and common understanding
b. Regulatory and statutory compliance
c. Optimising performance and productivity
d. Setting standards for performance and quality
e. Reduction of errors, safety and security

Why is it important to follow policies and procedures while working?

a. To be safe, productive and maintain company standards
b. Reliability and trustworthiness
c. To remain compliant with legal, regulatory and statutory requirements


1.2 Seeking/Providing Clarity, Assistance and Support

When working in an organisation, very often, work dependencies mean executing work that involves or impacts different departments, co-workers and other stakeholders.

Executing the work well may require people to: stay informed and keep others informed; collaborate, assist and support each other; participate in planning and decision making, etc.

The organisation is divided into hierarchies, departments, divisions and teams in order to use and develop people’s expertise in accordance with the capability requirements of the organisation.

It is important to involve, seek assistance and support from those who are designated in the organisation as authorities for decision making over their remit of work, where required. It is important that people respect other people’s authority and expertise over their areas of work.

There are various reasons why others need to be involved:
1. To contribute their expertise
2. Complex work and interdependencies that require more people to complete tasks
3. Authority and remit of decision making
4. Stakeholders impacted by the actions
5. To generate more and diverse ideas

It is important to know one’s own limits of decision making. When one is unclear about it or needs to execute or make decisions about work that extends beyond one’s remit and authority, it is important to secure formal permissions, advice and assistance from those designated for the same.


Information on whom to secure permissions, advice or assistance from may be derived from the following sources:

• Organisational chart depicting hierarchy and reporting relationships
• Organisation policies and procedures
• Employee handbook
• Own manager or supervisor
• Designated person from the designated or relevant department or division, such as the Human Resources Department
• Others

All tasks at work must be performed accurately as per instructions and within the time limit while demonstrating the following principles:
• establish and agree your work requirements with appropriate people
• Appropriate people: line manager, the person requesting the work, members of the team/department, members from other teams/departments
• work in line with your organization’s policies and procedures
• work within the limits of your job role
• obtain guidance from appropriate people, where necessary
• ensure your work meets the agreed requirements
• Provide feedback in the end to each group with respect to the same.
• Ensure members represent different levels of hierarchy in an organization, including supervisor, subordinate, department head, specialist, customer, etc.

When to keep others informed of progress and problems?

It is important in many contexts to inform others of work related issues, problems and progress. Any work being assigned also comes with a set of expectations of customers, co-workers, supervisors or managers, other departments, etc.

These expectations are around:
• volume of work,
• quality of work,
• time within which the work needs to be completed.

Since others are usually depending on the work being completed as per expectations, it is important that they are made aware of progress and any problems that may arise during execution of work.


1.3 Seeking Feedback and Approvals

Seeking feedback and getting work quality checked by appropriate persons is important for various reasons including:

1. Ensuring internal and external customer satisfaction
2. Identifying areas of strength and improvement
3. Gathering evidence of satisfactory performance
4. Compliance with set procedures and organisation guidelines

Feedback is sought from these: internal customers; external customers; own direct supervisor; team leader or manager; fellow co-workers; team members; department head, etc.

The person providing the feedback should be thanked for taking the time to do so.

Feedback must be analysed and used to improve our work and achieve better. Feedback sought and not worked on is wasted feedback and often can cause disappointment to the person providing the feedback. Usually, once feedback is used to improve or change work processes and performance, the person providing the feedback must be informed of the same. This gets greater support, generates positivity in the mind of the person providing the feedback and usually gets greater buy-in from them.

Incorporating feedback may sometimes require change of work processes and methods, which may require the approval of others. This may be a formal requirement with set processes that may need to be followed to effect the change.


1.4 Change and flexibility

While scope of work, limits of authority, remit of work, set policies, processes and procedures define what one must do and the expectations of workers, it is also important to balance this with flexibility and willingness to change.

This is important because of the dynamic environment that we work within and the ever evolving nature of our work, work environment, customer expectations and related policies and procedures.

The field of information security is an evolving and rapidly changing field. The greatest challenge for a security analyst will be to keep abreast and be in sync with the changes.

Our professional, social and personal lives also will undergo changes that we have to accept and make the best use of.

Flexibility to change is required to:
• incorporate new and improved methods of working
• adjust to environmental changes
• support others
• refine goals and objectives

However, to effect change in work practices or policies it is important to follow protocol and go through the right channels and procedures. This is particularly important as any change has many facets of impact and in organisations it usually impacts others, and also because the original practices and processes were made for a purpose and served some need.

Those people and organisations which are not willing to change often fail to improve and adapt to newer conditions and environments, which may make them redundant.

Change must be communicated to all those who are impacted by it and often their views must be collected regarding the same in a timely manner, in order to ensure that the change is not causing undesired impact that can escalate into larger problems.


UNIT II
Work and Work Environment

This Unit covers:

• Lesson Plan
• Suggested Learning Activities
• Trainer Resource Material
2.1 Planning work and work environment
2.2 Cleanliness and tidiness


LESSON PLAN

Outcomes:
PC2. keep your immediate work area clean and tidy
PC3. utilize your time effectively
PC4. use resources correctly and efficiently

Performance Ensuring Measures:
Provide the learners a similar task as above and ask them to do the task keeping in mind the learning from the previous unit as well as this one. Ask 1 member of each group to take notes for the neighbouring group on PC1-9 while the task is being performed, on what went well and what could be done better. The trainer can also take notes. Have each member present; the trainer can value add. The learners must demonstrate PC2-4 while on the job.

Duration (Hrs): 2 hours

Work Environment / Lab Requirement:
Copies of the written instructions for the mentioned task, and the material and equipment required to perform the task for each group.

Outcomes:
You need to know and understand:
KA4. the importance of having a tidy work area and how to do this
KA5. how to prioritize your workload according to urgency and importance and the benefits of this

Performance Ensuring Measures:
Ask each individual to write a note on keeping their work area clean. All learners to listen to all the tips and list the 5 best ideas for prioritization that they would practise.

Duration (Hrs): 1 hr classroom assessment and 5 hrs offline research and learning activity.

Work Environment / Lab Requirement (inclusive of hardware / software specifications):
Standard environment PLUS: create discussion forums at college level; create contacts on LinkedIn and other social media sites.

Outcomes:
KB1. the importance of completing work accurately and how to do this
KB2. appropriate timescales for completing your work and the implications of not meeting these for you and the organization
KB3. resources needed for your work and how to obtain and use these

Performance Ensuring Measures (KB1 to KB3):
Create documents and present them to the group for peer group and faculty evaluation.

Duration (Hrs): 1 hr classroom assessment and 5 hrs offline research and learning activity.

Work Environment / Lab Requirement:
Standard environment PLUS: create discussion forums at college level; create contacts on LinkedIn and other social media sites.


SUGGESTED LEARNING ACTIVITIES

Activity 1:

• Ask all learners to make a list of to-do tasks.
• Then ask them to write against each the time by when they are expected to finish.
• Then ask them to write how important each task is to them – very important/important/not important.
• Ask them to plan their day by allocating time to the very important tasks as per their timelines.
• Then fit in important tasks and see how the not important tasks can be avoided, delegated or negotiated. Make sure to use resources efficiently while planning.
• Ask them to follow their plan for a day and share their experiences the next day.

Activity 2:

• Ask the learners to write in a page what they think are their individual goals and team goals.
• Then ask them to show it to their team head for feedback and discussion. Modify if required and bring to the next class.
• In the next class ask them to retrieve their earlier list of important tasks and see which tasks lead to their individual and team goals and which don’t.
• Discuss what to do with the tasks that do not help in one’s goals – eliminate, delegate or negotiate.
• Now ask them to also make a list of their personal goals and consider if they are doing anything for their personal goals.

Activity 3:

• Ask all learners to research and share with the class the 2 most important ways to prioritize your workload according to urgency, and explain the importance and the benefits of this.

Activity 4:

• Ask learners to prioritize completing the work right the first time by the proper planning required to achieve results. Ask them to prepare a list of things to be considered to get things right the first time and present this in class.

Activity 5:

• Ask students to search the internet to find out the appropriate resources for any task. Explain to the students various processes for acquiring required resources for any tasks in the organisation.


2.1 Planning work and work environment

Work planning

Planning work and work environment can have a substantial impact on the quality and quantity of work and contributes towards efficiency and productivity. Work planning involves various things including:

1. Defining goals and sub goals
2. Sequence of activities
3. Time allocation
4. Resource planning
5. Anticipating events and issues impacting work
6. Mechanisms for checking accuracy and quality of work

Defining goals and sub-goals includes breaking the overall objective into measurable and well defined constituent results, that can help in planning, implementation and tracking achievement and progress. It is important that these are further evaluated in terms of realistic and required time frames and time available is allocated in such a manner that these goals are achieved within optimal time frames.

One has to also look at financial, material and other human resources required to carry out this work successfully. Usually there are constraints with respect to these and therefore planning to use them optimally becomes very important. One has to plan on securing these resources in adequate quantity and of the desired quality in a timely fashion for achieving work results.

Many times organisations have shared resources and often one has to plan and accommodate sharing and utilising these resources with others within the department or the wider organisation. It is important to recognise and respect the right of others to use these resources too, and one has to plan carefully to secure the right amount of usage within the constraints of availability of these resources.

Resources required can be identified by analysing the work, tasks and sub-tasks involved and the volume of work required. Most organisations have standard procedures for requisitioning resources. For example, the IT supplies team may have IT equipment that the user department may requisition through a formal request approved by a designated level of authority (authorised person). Organisations also have procedures to request the purchase of new resources and materials that may not be available within the organisation. This has to be routed as per procedure through the authorised department and personnel and requires the necessary approvals before the resources can be procured. While planning one’s own work one has to bear in mind not only the correct procedure but also factor in the time taken for such requests to be processed. Most organisations will have different procedures for routine procurement and ad-hoc or emergency procurement. There are checks and balances to ensure these are not misused. This is applicable to both material and human resources.

One also has to plan for foreseen and unforeseen events or occurrences that may impact the work and ensure to factor these in for timelines, costs, material and human resource requirements, etc. These may include things causing distractions, time delays, wastage, change of environmental conditions and assumptions, resource availability, etc.


To-Do List

Sr.No | To-do tasks | To finish by when | Very important / Important / Not important
1
2
3
4
5
6
7
8
9
10

Plan for the Day

Time | Task to be done | Interaction with whom | Status/comments
9.00am – 10.00am
10.00am – 11.00am
11.00am – 12.00pm
12.00pm – 01.00pm
01.00pm – 02.00pm
02.00pm – 03.00pm
03.00pm – 04.00pm
04.00pm – 05.00pm


Prioritizing

Individual Goals | Team Goals
1. | 1.
2. | 2.
3. | 3.
4. | 4.
5. | 5.

• Discuss with Supervisor/Faculty and finalize.
• Decide as per goals which work is important and needs to be prioritised and what can be avoided, delegated or negotiated.

Important work as per Goals | Not so important as per Goals

Planning work and work environment can have a substantial impact on the quality and quantity of work and contributes towards efficiency and productivity.


Work planning involves various things including:

1. Defining goals and sub goals
2. Sequence of activities
3. Time allocation
4. Resource planning
5. Anticipating events and issues impacting work
6. Mechanisms for checking accuracy and quality of work

• Defining goals and sub-goals includes breaking the overall objective into measurable and well defined constituent results, that can help in planning, implementation and tracking achievement and progress. It is important that these are further evaluated in terms of realistic and required time frames and time available is allocated in such a manner that these goals are achieved within optimal time frames.
• Sequencing activities right is also of great importance in efficient and effective working. Factors that need to be considered while sequencing activities include:
  o Dependencies on interim outputs
  o Availability of resources
  o Space design
  o Schedule of deliverables and urgencies
  o Work styles, interests and preferences
  o Capabilities
• Resources required can be identified by analysing the work, tasks and sub-tasks involved and the volume of work required.
• Most organisations have standard procedures for requisitioning resources. For example, the IT supplies team may have IT equipment that the user department may requisition through a formal request approved by a designated level of authority (authorised person).
• Organisations also have procedures to request the purchase of new resources and materials that may not be available within the organisation. This has to be routed as per procedure through the authorised department and personnel and requires the necessary approvals.
• One also has to plan for foreseen and unforeseen events or occurrences that may impact the work and ensure to factor these in for timelines, costs, material and human resource requirements, etc.
• It is very important to check one’s work for accuracy, completeness and quality. As a security analyst this is particularly important as your work is very detailed and a minor omission may result in vulnerabilities being ignored and causing greater damage.

It is also important to meet time commitments and agreed deadlines, because failing to do so leads to:

1. Loss of reputation and being recognised as incompetent or unprofessional.
2. Not being able to meet time commitments also means that it impinges on further commitments of other work that has to follow. There might be others depending on the output of work done.
3. Delays can also cause financial losses, as there may be penalty clauses on delayed delivery.
4. Also, time spent on the job is budgeted at a certain cost; any delay means an increase in costs.

Planning the work environment

‘A place for everything and everything in its place’ is a principle used by many to organise their environment. One can contribute effectively towards making one’s work environment conducive for efficient working. Some of the key requirements for this are:

• cleanliness and tidiness,
• organising the space layout for efficient working,
• ergonomic design, optimal space for people and the work to be carried out,
• right ambient conditions (lighting, ventilation, etc.).


2.2 Cleanliness and tidiness

Cleanliness and tidiness of the work environment is also essential for:

• the working of others and conveying a professional image of the worker and the organisation.
• preventing loss and wastage through misplaced items and spoilage due to improper storage.
• inhibiting growth of pests and harmful microbes that may result in illness or damage to materials.

In order to maintain a clean and tidy work area the following practices may need to be followed:

1. Ensure routine cleaning done by housekeeping or designated staff is carried out. Bring to their notice or report areas which require cleaning or have not been cleaned.
2. Ensure that food and beverage items and other organic materials are not brought into the work area, where avoidable.
3. Ensure windows and doors are kept closed, especially in environments where there is a risk of dust accumulation.
4. Identify places for all materials and objects used in work and return these to their rightful place after use.
5. Do not litter; use the appropriate dustbin for disposing of waste. Follow organisational waste disposal procedures if specified.
6. Ensure surfaces are not damaged, scratched or dampened. It looks bad and at the same time causes further deterioration and accumulation of harmful microbes or pest infestation.
7. Ensure that papers and files are not strewn around.
8. Encourage others to follow the same practices, in a polite and respectful manner.


UNIT III
Maintaining Confidentiality

This Unit covers:

• Lesson Plan
• Suggested Learning Activities
• Trainer Resource Material
3.1. Treating confidential information
3.2. Policies and procedures for confidential information


LESSON PLAN

Outcomes:
PC5. treat confidential information correctly
You need to know and understand:
KA6. the organization’s policies and procedures for dealing with confidential information and the importance of complying with these

Performance Ensuring Measures:
Share the training organisation’s policy and procedures for dealing with confidential information and have all learners sign the same. During the course of the training take measures to check that confidentiality has been maintained and procedures were followed.

Duration (Hrs): 1 hr classroom assessment and 5 hrs offline research and learning activity.

Work Environment / Lab Requirement:
2 copies of the training organisation’s policy and procedures for dealing with confidential information. Online research facility.

SUGGESTED LEARNING ACTIVITIES

Activity 1:

Ask the students to download samples of organizations’ policies and procedures for dealing with confidential information and share key points of the policies.

Activity 2:

Discuss: Why would the organisations have chosen to have these policies? What would happen if these policies were violated?


3.1 Confidentiality of Information

Privacy is having control over the extent, timing, and circumstances of sharing oneself with others, physically, behaviorally, or intellectually.

Confidentiality is the treatment of information that an individual has disclosed in trust and with the expectation that it will not be given away to others in ways that are inconsistent with the understanding of the original disclosure without permission.

Confidential information refers to items that should be kept private. This can include documents, images, audio materials, etc.

Confidential information is often generated in client-professional or employee-employer relationships and could also be conversations. If information is not public then it generally has an owner, which can be an individual or an organization. In most cases, only the owner is permitted to share or authorize the sharing of private items.

In today’s increasingly litigious and highly competitive workplace, confidentiality is important for a host of reasons:

• Sharing confidential information is often a professional violation and a legal violation. There are a wide range of consequences including financial damages, loss of reputation, litigation, etc.
• Failure to properly secure and protect confidential business information can lead to the loss of business/clients.
• In the wrong hands, confidential information can be misused to commit illegal activity (e.g., fraud or discrimination), which can in turn result in costly lawsuits for the employer.
• There are laws protecting the confidentiality of certain information in the workplace.
• The disclosure of sensitive employee and management information can lead to a loss of employee trust, confidence and loyalty. This will almost always result in a loss of productivity.

What Type Of Information Must Or Should Be Protected?

Restricted Information or Data: "Restricted information" is UC’s term for the most sensitive confidential information. Restricted information or data is any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit.

Examples of Restricted Data
• Personal Identity Information (PII)
• Electronic protected health information (ePHI) protected by Federal HIPAA legislation
• Credit card data regulated by the Payment Card Industry (PCI)
• Passwords providing access to restricted data or resources
• Information relating to an ongoing criminal investigation
• Court-ordered settlement agreements requiring non-disclosure
• Information specifically identified by contract as restricted
• Other information for which the degree of adverse effect that may result from unauthorized access or disclosure is high
Examples of Other Types of Non-  Responses to a Request for Proposal
Restricted, Confidential Information (RFP) before a decision has been
 Home address or home telephone reached
number  Some kinds of personnel actions
 Personal information protected by  "Pre-decisional" budget projections
anti-discrimination and information for a campus department (can also be
privacy laws such as: marked "Draft" or "Not for
o Ethnicity or Gender Distribution")
o Date of birth
o Citizenship Confidential workplace information can
o Marital Status generally be broken down into three
o Religion or Sexual orientation categories:
 Certain types of student records
 Exams, answer keys, and grade books 1) employee information,
 Applicant information in a pending
recruitment 2) management information,
 Information subject to a non-
3) business information.
disclosure agreement, including

664
Trainer’s Handbook – Security Analyst SSC/N9001

3.2 Policies and procedures for confidential information

To better protect confidential information, organisations can develop written confidentiality policies and procedures.

Every business/organization should have a written confidentiality policy (typically in its employee handbook) describing both the type of information considered confidential and the procedures employees must follow for protecting confidential information. At the very least, we recommend employers adopt the following procedures for protecting confidential information:

 All confidential documents should be stored in locked file cabinets or rooms accessible only to those who have a business “need-to-know.”
 All electronic confidential information should be protected via firewalls, encryption and passwords.
 Employees should clear their desks of any confidential information before going home at the end of the day.
 Employees should refrain from leaving confidential information visible on their computer monitors when they leave their work stations.
 All confidential information, whether contained on written documents or electronically, should be marked as “confidential.”
 All confidential information should be disposed of properly (e.g., employees should not print out a confidential document and then throw it away without shredding it first).
 Employees should refrain from discussing confidential information in public places.
 Employees should avoid using e-mail to transmit certain sensitive or controversial information.
 Limit the acquisition of confidential client data (e.g., social security numbers, bank accounts, or driver’s license numbers) unless it is integral to the business transaction, and restrict access on a “need-to-know” basis.
 Before disposing of an old computer, use software programs to wipe out the data contained on the computer or have the hard drive destroyed.

A confidentiality policy should also describe the level of privacy employees can expect relating to their own personal property (e.g., “for your own protection, do not leave valuable personal property at work and do not leave personal items — especially your purse, briefcase or wallet — unattended while you are at work”) and personal information (e.g., “your medical records are kept in a separate file and are kept confidential as required by law”).

Finally, all businesses/organizations should have their confidentiality policies reviewed regularly to reflect legal updates and the expectations of people.

Training management and employees on the confidentiality policy:

Oftentimes, simply having a written confidentiality policy is not enough. In order for the confidentiality policy to be effective, managers, supervisors and employees must be educated on confidentiality issues and the company’s policies and procedures. Management and employees should be allowed an opportunity to ask questions about the policies, and everyone should be trained to avoid putting sensitive information in e-mails. Many companies and organizations include this training as part of the new-hire/orientation process.

Enforcement of Confidentiality Policy:

This is one of the most important steps a business/organization can take to protect its confidential information, and unfortunately, it’s oftentimes the one step that is ignored. All the policies, procedures and training in the world will not matter if those policies and procedures are not enforced. In order for a confidentiality policy to have “teeth,” employees who violate the policy must be disciplined in accordance with an employer’s corrective action procedures.

New and/or Current Employees Sign a “Non-Disclosure” Agreement:

These agreements go by many names. Sometimes they are called “non-disclosure agreements,” and other times they are called “proprietary information agreements.” Regardless of title, these agreements are contracts designed to protect the confidential “business information” described above (e.g., “trade secrets”). These agreements are vital to most businesses today, especially considering the ease with which employees can now electronically transfer large amounts of information, much of which would be incredibly damaging in the hands of a competitor.

Student Handbook – Security Analyst SSC/N9002

SSC/ N 9002:
Work effectively with colleagues

UNIT I: Effective Communication

UNIT II: Working Effectively


Unit Code SSC/ N 9002

Unit Title (Task) Work effectively with colleagues

Description This unit is about working effectively with colleagues, either in your own work group or in other work groups within your organization.

Scope This unit/task covers the following:

Colleagues:

 line manager
 members of your own work group
 people in other work groups in your organization

Communicate:

 face-to-face
 by telephone
 in writing

Performance Criteria (PC) w.r.t. the Scope

The user / individual on the job should be able to:

PC1. communicate with colleagues clearly, concisely and accurately
PC2. work with colleagues to integrate your work effectively with theirs
PC3. pass on essential information to colleagues in line with organisational requirements
PC4. work in ways that show respect for colleagues
PC5. carry out commitments you have made to colleagues
PC6. let colleagues know in good time if you cannot carry out your commitments, explaining the reasons
PC7. identify any problems you have working with colleagues and take the initiative to solve these problems
PC8. follow the organization’s policies and procedures for working with colleagues

Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company / organization and its processes)

The user/individual on the job needs to know and understand:

KA1. the organization’s policies and procedures for working with colleagues and your role and responsibilities in relation to this
KA2. the importance of effective communication and establishing good working relationships with colleagues
KA3. different methods of communication and the circumstances in which it is appropriate to use these
KA4. benefits of developing productive working relationships with colleagues
KA5. the importance of creating an environment of trust and mutual respect in an environment where you have no authority over those you are working with
KA6. where you do not meet your commitments, the implications this will have on individuals and the organization

B. Technical Knowledge

The user/individual on the job needs to know and understand:

KB1. different types of information that colleagues might need and the importance of providing this information when it is required
KB2. the importance of understanding problems from your colleague’s perspective and how to provide support, where necessary, to resolve these

THE UNITS

The module for this NOS is divided into 3 Units based on the learning objectives given below.

UNIT I: Effective Communication


1.1. What is Communication?
1.2. Barriers to Effective Communication
1.3. Communicating Effectively at work
Time Duration: 3 hours Classroom and 5 hrs Research

UNIT II: Working Effectively


2.1. Importance of establishing Good Working Relationships
2.2. Environment of Trust and Mutual Respect
2.3. Implication of not meeting commitments
2.4. Performance Evaluation
Time Duration: 6 hours Classroom and 10 hrs Research


UNIT I
Effective Communication

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Trainer Resource Material
1.1. What is Communication?
1.2. Barriers to Effective Communication
1.3. Communicating Effectively at work


LESSON PLAN

Outcomes: PC1. communicate with colleagues clearly, concisely and accurately
Performance Measures: The learners must demonstrate PC1 during group activities.
Ensuring training (Hrs): 2 Hrs in class
Work Environment / Lab Requirement: Standard Environment plus cluster arrangement in classroom for group work. Chart paper, sketch pens, A4 size blank sheets for activities.

Outcomes: You need to know and understand:
KA2. the importance of effective communication and establishing good working relationships with colleagues
KA3. different methods of communication and the circumstances in which it is appropriate to use these
Performance Measures: KA2 to KA3, Question and Answer session. Descriptive write-up on understanding. Group presentation and peer evaluation along with Faculty. Performance evaluation from Faculty and Industry with reward points.
Ensuring training (Hrs): 1 Hr in class assessment & 2 Hrs offline research and learning activity
Work Environment / Lab Requirement: Standard Environment PLUS create discussion forums at college level. Create contacts in LinkedIn and other social media sites.

Outcomes: Writing Skills. You need to know and understand how to:
SA1. complete accurate, well written work with attention to detail
SA2. communicate effectively with colleagues in writing
Performance Measures: SA1, SA2. Online assessment. Quiz, document review by peer group and Faculty. Group discussions.
Ensuring training (Hrs): 1 Hr classroom assessment and 10 Hrs offline
Work Environment / Lab Requirement: Standard Environment.

Outcomes: Reading Skills. You need to know and understand how to:
SA3. read instructions, guidelines/procedures
Performance Measures: SA3. Quiz, document review by peer group and Faculty.
Ensuring training (Hrs): 1 Hr classroom assessment and 10 Hrs offline

Outcomes: Oral Communication (Listening and Speaking skills). You need to know and understand how to:
SA4. listen effectively and orally communicate information accurately
SA5. ask for clarification and advice from the line manager
Performance Measures: SA4, SA5. Online assessment. Versant/SVAR strongly recommended.
Ensuring training (Hrs): 10 min per student (approx. 4 hours)

SUGGESTED LEARNING ACTIVITIES

Activity 1:

 Ask the class about the importance of good communication skills:
 Where in a plumber’s job are good communication skills required?
 Do they feel they face any disadvantage if they are unable to master communication skills?
 Ask them to share experiences.

Activity 2:

 Have the entire batch sit in a semi-circle. Now write the following sentence on a piece of paper such that no-one can see what’s written on it. (You may write it in Hindi, if the majority does not speak and understand English.)
“I AM RISHI, YOU HAVE LOGGED IN COMPLAINT NUMBER 4628, I HAVE SOME QUESTIONS REGARDING THAT, DO YOU HAVE THE TIME TO DISCUSS THAT NOW?”
 Now whisper this sentence softly, as it is, in the ear of the first participant at one end of the semi-circle. Repeat the message. If he/she is still not sure, show him/her the slip and ask him/her to state the message back to you. Ensure that he/she is able to say the message verbatim.
 Now ask the participant to pass the message, as in a Chinese whispers game. Each participant whispers the message as understood by him or her to the next participant, till the last person states it aloud.
 As in most Chinese whispers, the message will be distorted. Now ask the first person to state the actual message. Inform the participants that this was a case of communication gone wrong.
 Discuss with them the reasons for this and what they could have done to ensure that even the last person gets the correct message. Note down all the suggestions on the board.
 Share with them the Effective communication cycle chart and the role of each
factor in the same i.e.
o Sender
o Receiver
o message
o feedback
o encoding / decoding
o noise
 Now linking to points noted on the board/flipchart during the earlier discussion,
share the various “Barriers to communication.”

Activity 3:
 Ask the students to list the types of colleagues that an Information Security Analyst is likely to encounter in an organisation, and then state the type of communication they expect to have with each and by which mode.

Type of Colleague | Type of Communication | Mode of communication

 At the end of this activity, the students should be able to broadly classify the
colleague types into three categories- line manager, members of the same work
group, and members of other work groups.
 And mode of Communication would include the following categories:
o Face-to-Face
o Written- emails, letters, memos, forms, etc.
o Telephonic
o Virtual- Skype, or any other virtual face-to-face interaction application

Now ask the students to consider the following scenario.


Scenario : Increasingly you, the Information Security Analyst, have been getting
negative feedback from your colleagues. They say that their work is getting hampered
because of the multiple security alerts that keep popping up and certain sites that have
been blocked. You cannot understand this because you have followed the company
policy to set up the systems. That is why you send an email to all referring to the
relevant sections of the company policy. However, this has not satisfied your colleagues
who are increasingly becoming dissatisfied.

 Ask the students what they would do in such a scenario.
 After getting responses from them, you can give them some ideas. One such idea would be to have an open house discussion where you can address the colleagues who have a problem with your systems. This way, you will get instant feedback and you can explain the rationale to all.
 At the end of the exercise, you can compare the two types of interaction: email and open house discussion.
 You can extend the logic to compare written and face-to-face communication, and explain why the latter was better in the given scenario.

Activity 4:
Have the students prepare written documents following the correct approach to preparing documents, e.g. story writing, handouts.

Activity 5:
Have the students write emails to each other with cc to the trainer. The trainer can use a few of these emails to highlight commonly occurring email etiquette mistakes and have the students identify further improvements.


2.1. EFFECTIVE COMMUNICATION

Communication

Any activity that involves exchange of information between two or more persons to meet a desired objective is known as communication.

Types of Communication

Verbal Communication- Verbal communication refers to the form of communication in which the message is transmitted verbally. An important aspect of verbal communication is to ensure that the person who is listening is also on the same page. Sometimes what the speaker intends to say is not what the listener hears. Hence, the former has to make sure that he communicates clearly. Some examples of oral communication:
 Face-to-face interactions
 Video
 Radio
 Virtual communication like Skype chats
 Television
 Telephonic conversations

Non-Verbal Communication- Non-Verbal Communication refers to the form of communication that does not use any words to convey the message. It uses gestures, posture, body language, expressions and tone of voice for communicating. Some examples of non-verbal communication:
 Frowning at someone
 Giving a disapproving look to someone
 Nodding of head in agreement
 Smiling in appreciation

Written Communication- Written communication is the form of communication that uses written language, signs or symbols for communicating. Here, the message is influenced by the vocabulary and grammar used, writing style, precision and clarity of the language used. Some examples of written communication:
 Emails
 Letters
 Memos
 Notes
 Notices
 Reports
 PowerPoint Presentations
 Manuals

Barriers to Effective Communication

The following are some impediments that can come in the way of communicating effectively with others:

 Physical barriers- When two persons are not present at the same physical location, communicating with each other becomes difficult. However, technology like virtual meeting applications has made things easier.
 Perceptual barriers- When two people have a different perception of the same thing, communication becomes difficult. For example, for somebody in a formal setting, talking softly would be the norm, whereas for another person, talking softly could mean the other person is trying to hide something.
 Emotional barriers- Emotions too play a very important role in communication. For somebody, discussing personal issues in the office may be okay, while another person could consider that as unacceptable.
 Cultural barriers- Given the global nature of workplaces these days, people from different cultures work together, thereby leading to cultural misunderstandings. For example, in some cultures shaking hands with female colleagues is acceptable, while in others it may be unacceptable.
 Language barriers- When two people who are communicating do not know the same language, miscommunication can happen.

How to Communicate Effectively at Work

The following are some ways to communicate effectively:

 Be clear about what you want to say before communicating.
 Modify your message according to the recipient, if required. The background and need of the recipient should be kept in mind.
 Be careful about the language, tone and content of the message.
 Take cues from the non-verbal messages that the receiver may be sending; these may help you understand whether he is getting your message, or is still interested.
 The message being sent out should be consistent and not self-contradictory.
 Listen to the other person’s point of view during a communication.
 Follow up after the communication to ensure the message has gone across.
 Choose the medium of communication carefully.
 Do not let your personal biases creep in.

Email Etiquette

Research has found that on average, IT professionals spend about a quarter of their time at work combing through the numerous emails and other digital messages one sends and receives each day.

In many cases more communication is conducted through emails and other digital messaging options like online discussion forums, WhatsApp and SMS than through personal meetings or phone calls.

Hence it becomes imperative for a Security Analyst to be able to use this mode of communication effectively.

Here are some considerations that one needs to take care of while communicating through emails or other digital messaging options:

 Include a subject line that is crisp and clear and matches the content of the message. Remember, people often decide whether to open an email based on the subject line.
 Use your official email address/account to conduct all official messaging. However, if you have to use some other address/name/account due to pressing reasons, then choose one that is appropriate for the workplace.
 Avoid using "reply all" unless there is a reason everyone on the list needs to receive the email. Check before sending the message that it is being sent to all the people it is meant for, and that there is no-one who will find the message a waste of their time.
 Use professional salutations.
 Avoid emoticons as far as possible and use exclamation points sparingly. If you choose to use an exclamation point, use only one to convey excitement. While emoticons are fun, you don’t know how the recipient will take them. It's better to spell it out and write what you mean.
 Make your message easy to read. Don’t use long sentences. Use bullets to set off points you want to make. If it is important or complex content, have someone trusted read it and let you know where it was difficult to understand, so that you may correct it.
 Keep it short and get to the point. The long e-mail is a thing of the past. Write concisely, with lots of white space, so as not to overwhelm the recipient. Make sure that when you look at what you're sending it doesn't look like a burden to read.
 Do not sound abrupt or harsh. Read your message out loud. If it sounds harsh to you, it will sound harsher to the reader. Any emotion, when passed in a written message, will seem heightened.
 Know that people from different cultures speak and write differently. Tailor your message depending on the receiver's cultural background or how well you know them.
 It's better to leave humour out of emails unless you know the recipient well. Something that you think is funny might not be funny to someone else.
 Reply to your emails — even if the email wasn't intended for you. It's difficult to reply to every email message ever sent to you, but you should try to. Even if the email was accidentally sent, you can reply informing the sender of the same so that it can be sent to the correct person on time.
 Proofread every message. Don't rely only on spell-checkers. Read and re-read your email a few times, preferably aloud, before sending it off.
 Be cautious with colour or all capitals in the message. It's distracting and may be perceived the wrong way. Writing in all capitals can convey that you are shouting in your message, and nobody likes to be yelled at.
 Don't use email to discuss confidential information. Email messages are easy to copy, print and forward.
 Your e-mail greeting and sign-off should be consistent with the level of respect and formality of the person you're communicating with.
 Always include a signature. You never want someone to have to look up how to get in touch with you. If you're social media savvy, include all of your social media information in your signature as well.

“Remember - Your e-mail is a reflection of you. Every e-mail you send adds to, or detracts from your reputation.”

UNIT II
Working Effectively

This Unit covers:

 Lesson Plan
 Resource Material
2.1. Working Effectively


LESSON PLAN

Outcomes:
PC2. work with colleagues to integrate your work effectively with theirs
PC3. pass on essential information to colleagues in line with organisational requirements
PC4. work in ways that show respect for colleagues
PC5. carry out commitments you have made to colleagues
PC6. let colleagues know in good time if you cannot carry out your commitments, explaining the reasons
PC7. identify any problems you have working with colleagues and take the initiative to solve these problems
PC8. follow the organization’s policies and procedures for working with colleagues
Performance Measures: The learners must demonstrate PC2-8 during group activities.
Work Environment / Lab Requirement: Standard Environment plus cluster arrangement in classroom for group work. Chart paper, sketch pens, A4 size blank sheets for activities.

Outcomes: You need to know and understand:
KA1. the organization’s policies and procedures for working with colleagues and your role and responsibilities in relation to this
KA4. benefits of developing productive working relationships with colleagues
KA5. the importance of creating an environment of trust and mutual respect in an environment where you have no authority over those you are working with
KA6. where you do not meet your commitments, the implications this will have on individuals and the organization
Performance Measures: KA1 to KA6. QA session and a descriptive write-up on understanding. Group presentation and peer evaluation along with Faculty. Performance evaluation from Faculty and Industry with reward points.
Work Environment / Lab Requirement: Standard Environment PLUS create discussion forums at college level. Create contacts in LinkedIn and other social media sites.

Outcomes: You need to know and understand:
KB1. different types of information that colleagues might need and the importance of providing this information when it is required
KB2. the importance of understanding problems from your colleague’s perspective and how to provide support, where necessary, to resolve these
Performance Measures: KB1, KB2. Group and Faculty evaluation based on anticipated outcomes.
Work Environment / Lab Requirement: Standard Environment PLUS access to online forums.

2.2. WORKING EFFECTIVELY

Importance of establishing Good Working Relationships

The following are some benefits of developing productive relationships with colleagues:
 Getting tasks done gets easier.
 Colleagues are more likely to go along with the changes that you recommend.
 Instead of spending time and energy on negative relationships, you can focus on opportunities.
 You can get ideas and feedback from others.
 You can take help in hours of need, if required.
 Your productivity increases.
 Your performance gets appraised better.
 You can learn from others and add to your existing skill-set.

To explain this further, consider this example.

Example 1

The Information Security Analyst of a company has been entrusted with the task of upgrading the organization’s security systems. You have been able to upgrade the system, but you cannot be sure of its success till you test the system. For that, you would need help from all the people in the organization who use computer systems. You need their feedback to ascertain if they are getting any technical glitches.

Also, you need to test the systems on Saturdays, when the company has a weekly off, but some employees do come to work overtime. You need to convince them that they cannot work overtime on one of the Saturdays as testing is important for you. Getting approval from all the colleagues and departments and zeroing in on a date would be a challenge.

Such tasks are only possible when you have a good relationship with your colleagues and they understand the importance of your job.

Benefits of productive working relationship with colleagues

One important aspect of inter-dependence is mutual respect and trust. This is as true in professional relationships as it is in personal relationships. It is the former that has to be explained to the students. This again can be best done with an example.

Example-2

A new colleague joins an organisation in the Finance department. He is not able to understand the networking system of the organisation. He calls you, the Information Security Analyst, and asks for help. You give him the Help Manual and ask him to refer to it. He calls you back and says that he is not able to understand much from the Manual and needs some time with you. You tell him this is way beyond your scope of work.

After a few months, your company’s CEO asks you to install special security systems for the Finance department as the data with them was more vulnerable than that of the other departments. For this, you need to understand the workings of the department and come up with a plan that would be approved by the department representative. As luck may have it, the department representative turns out to be that very person whom you had refused to help earlier. You can ask the students what they think will happen now. How will it affect your work? At the end of this discussion, the students should be able to understand the need for having good relationships with other colleagues, even if they are not directly related to your profile.

Importance of an environment of trust and mutual respect

One important aspect of inter-dependence is mutual respect and trust. This is as true in professional relationships as it is in personal relationships. It is the former that has to be explained to the students. This again can be best done with an example.

Example-3

Share the following scenario with the students. The IT department of a company has three sub-departments –

1. Hardware,
2. Software and
3. Security.

Reena is responsible for the Security part of it as she is the Information Security Analyst of the company. Given the nature of the job, all three sub-departments need to work in tandem with each other, which means giving access to each other’s systems. For Reena, this means that she will have to share the details of the firewalls and other security systems that she has installed on the network with the other two sub-departments.

Jai handles the Hardware part, while Amit handles the Software part.

Both Amit and Reena have been in the organisation for over two years and have therefore reached a point where they can trust each other with their confidential information. On the other hand, Jai is new to the organisation. Reena is uncomfortable sharing all the details with him. Jai, however, trusts her and shares his information freely.

After a while, he realises that Reena is not reciprocating and is hiding some crucial information from him. In one instance, Jai had to make a Hardware Procurement Plan for the coming year, for which he needed to understand Reena’s system requirements for the coming year. Reena did not share all the information with Jai, because of which Jai’s plan suffered. Because Reena and Amit were friends, Jai started mistrusting Amit as well. As a result, the entire IT department’s plans suffered.

You can ask the students to give their comments on this scenario and discuss what steps the organisation, or Reena and Amit, could have taken to prevent the trust gap. With the help of this discussion, you can explain how their bosses could have ensured that the three work in tandem with each other. The seniors could have instilled confidence in Reena and Amit by telling them that they had taken the necessary preventive measures, like getting Jai to sign a Non Disclosure Agreement at the time of his joining, and that they could trust him with their information. They could have also hand-held them for a while and let go once things started rolling. Also, the seniors should have monitored their activities and paid heed to the early warning signs.

Some of the benefits of an environment of trust and mutual respect are as follows:

 Getting tasks done gets easier.
 It encourages free flow of ideas.
 It saves time spent in gauging whether the other person is speaking the truth, or is giving genuine advice.
 Colleagues are more likely to go along with the changes that you recommend.
 You can take help in hours of need, if required.
 Your productivity increases.
 Your performance gets appraised better.

Implications of not meeting commitments on individuals and organisation

Example-4

The Information Security department of a bank was entrusted with the task of

 And, the other fell sick.

As a result, the task could not be completed over the weekend. As luck may have it, there was a virus attack on the systems on Monday morning, as a result of which some financial transactions of some customers were leaked to some unauthorised people.

The customers got to know of this and as a result, there was a huge backlash against the bank. The company’s senior management and the Public Relations department had to work overtime to allay the fears of the customers. Some other employees too had to work overtime to ensure that no unauthorised transactions were performed from the leaked data. In short, the whole company suffered. At the end of this example, the students should be able to appreciate the importance of the role of an Information Security Analyst and the ripple effect it can have on an organisation if the Analyst does not perform his duties properly.

You can summarize the following key points:
 The performance of the entire team suffers, which has an impact on the performance of the department and organization as a whole.
 Customers get annoyed and the
upgrading the anti-virus software of all
the computers at the bank over the organization’s reputation gets
weekend. The Information Security tarnished.
department had only two employees who  Remedial action eats up resources that
were responsible for this. could have been used for more
 One of them had his annual leave productive activities
planned for that weekend, which
he availed.
Assessment Criteria for Trainees

Job Role: Security Analyst
Qualification Pack: SSC/ N 9002
Sector Skill Council: IT-ITeS

Guidelines for Assessment:

1. Criteria for assessment for each Qualification Pack (QP) will be created by the Sector Skill Council (SSC). Each performance criteria (PC) will be assigned Theory and Skill/Practical marks proportional to its importance in NOS.
2. The assessment will be conducted online through assessment providers authorised by SSC.
3. Format of questions will include a variety of styles suitable to the PC being tested such as multiple choice questions, fill in the blanks, situational judgment test, simulation and programming test.
4. To pass a QP, a trainee should pass each individual NOS. Standard passing criteria for each NOS is 70%.
5. For latest details on the assessment criteria, please visit www.sscnasscom.com.

Marks Allocation

| NOS | Performance Criteria | Total Marks | Out Of | Theory | Skills Practical |
|---|---|---|---|---|---|
| 7. SSC/N9002 (Work effectively with colleagues) | PC1. communicate with colleagues clearly, concisely and accurately | 20 | 100 | 0 | 20 |
| | PC2. work with colleagues to integrate your work effectively with theirs | 10 | | 0 | 10 |
| | PC3. pass on essential information to colleagues in line with organizational requirements | 10 | | 10 | 0 |
| | PC4. work in ways that show respect for colleagues | 20 | | 0 | 20 |
| | PC5. carry out commitments you have made to colleagues | 10 | | 0 | 10 |
| | PC6. let colleagues know in good time if you cannot carry out your commitments, explaining the reasons | 10 | | 0 | 10 |
| | PC7. identify any problems you have working with colleagues and take the initiative to solve these problems | 10 | | 0 | 10 |
| | PC8. follow the organization's policies and procedures for working with colleagues | 10 | | 0 | 10 |
| | Total | 100 | | 20 | 80 |

Trainer’s Handbook – SSC/ Q09003 – Security Analyst

SSC/ N 9003:
Maintain a healthy, safe and secure working
environment

UNIT I: Need For Health and Safety at Work

UNIT II: Security Analyst's role

UNIT III: Emergency Situations

UNIT IV: Skills Required to Maintain Health and Safety at Work

Unit Code: SSC/ N 9003

Unit Title (Task): Maintain a healthy, safe and secure working environment

Description: This unit is about monitoring the working environment and making sure it meets requirements for health, safety and security.

Scope: This unit/task covers the following:

Emergency procedures:
• illness
• accidents
• fires
• other reasons to evacuate the premises
• breaches of security

Resources (needed to achieve the unit objectives):
• information
• government agencies in the areas of safety, health and security and their norms and services

Performance Criteria (PC) w.r.t. the Scope

To be competent, you must be able to:

PC1. comply with your organization's current health, safety and security policies and procedures
PC2. report any identified breaches in health, safety, and security policies and procedures to the designated person
PC3. identify and correct any hazards that you can deal with safely, competently and within the limits of your authority
PC4. report any hazards that you are not allowed to deal with to the relevant person in line with organizational procedures and warn other people who may be affected
PC5. follow your organization's emergency procedures promptly, calmly, and efficiently
PC6. identify and recommend opportunities for improving health, safety, and security to the designated person
PC7. complete any health and safety records legibly and accurately

A. Organizational Context (Knowledge of the company / organization and its processes)

You need to know and understand:

KA1. legislative requirements and organization's procedures for health, safety and security and your role and responsibilities in relation to this
KA2. what is meant by a hazard, including the different types of health and safety hazards that can be found in the workplace
KA3. how and when to report hazards
KA4. the limits of your responsibility for dealing with hazards
KA5. the organisation's emergency procedures for different emergency situations and the importance of following these
KA6. the importance of maintaining high standards of health, safety and security
KA1. implications that any non-compliance with health, safety and security may have on individuals and the organization

B. Technical Knowledge

You need to know and understand:

KB1. different types of breaches in health, safety and security and how and when to report these
KB2. evacuation procedures for workers and visitors
KB3. how to summon medical assistance and the emergency services, where necessary
KB4. how to use the health, safety and accident reporting procedures and the importance of these
KB5. government agencies in the areas of safety, health and security and their norms and services

THE UNITS

The module for this NOS is divided into 4 Units based on the learning objectives as given below.

UNIT I: Need For Health and Safety at Work

UNIT II: Security Analyst's role

UNIT III: Emergency Situations

UNIT IV: Skills for Maintaining Health and Safety at Work

UNIT I
Need For Health and Safety
at Work

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Resource Material
1.1. Need for Health and Safety at Work


LESSON PLAN

| Outcomes | Performance Ensuring Measures | Duration of training (Hrs) | Work Environment / Lab Requirement |
|---|---|---|---|
| You need to know and understand: KA1. implications that any non-compliance with health, safety and security may have on individuals and the organization; KA2. what is meant by a hazard, including the different types of health and safety hazards that can be found in the workplace; KA6. the importance of maintaining high standards of health, safety and security | KA1. QA session and a descriptive write-up on understanding. KA2 & KA6. Group presentation and peer evaluation along with Faculty. Performance evaluation from Faculty with reward points. Faculty and peer review. | 2 Hrs in-class assessment PLUS 5 Hrs offline Research and Learning activity | Standard Environment. Access to online forums. |
| You need to know and understand: KB1. different types of breaches in health, safety and security and how and when to report these; KB5. government agencies in the areas of safety, health and security and their norms and services | KB1 & KB5. QA session and a descriptive write-up on understanding. Group presentation and peer evaluation along with Faculty. Performance evaluation of the report by Faculty with reward points. | 2 Hrs in-class assessment PLUS 2 Hrs offline Research and Learning activity | Standard Environment. Access to online forums. |

SUGGESTED LEARNING ACTIVITIES

Activity 1:
To set the tone of the session, you can ask the students if they think having a healthy, safe and secure environment at the workplace is important. If yes, then why.
The objective of this exercise is to gauge the current level of understanding of the students.

Activity 2:
You can share the following definition with them.
Since 1950, the International Labour Organisation (ILO) and the World Health Organisation (WHO) have shared a common definition of occupational health. The definition reads:
"The main focus in occupational health is on three different objectives:
(i) the maintenance and promotion of workers' health and working capacity;
(ii) the improvement of working environment and work to become conducive to safety and health, and
(iii) development of work organisations and working cultures in a direction which supports health and safety at work, and in doing so also promotes a positive social climate and smooth operation, and may enhance productivity of the undertakings.
The concept of working culture is intended in this context to mean a reflection of the essential value systems adopted by the undertaking concerned. Such a culture is reflected in practice in the managerial systems, personnel policy, principles for participation, training policies and quality management of the undertaking."
You can throw open a discussion on each point of the definition, in terms of:
• Why is it important?
• What measures would it entail?

Activity 3:
Ask the students to go through various organizations' websites and understand the policies and guidelines for health, safety and security. Define roles and responsibilities related to this in an employee context (Research & report).
You can ask the students to list some implications that they have learnt so far.
During the discussion, make sure that the following points have been covered:
• Potential employees may be reluctant to join your organisation. As a result, good talent may get diverted to your competitors.
• Job performance of employees may suffer due to time devoted to safeguarding themselves and taking care of issues that may arise.
• Increased company expenses in damage control.
• Loss of goodwill.
• Increased litigation costs.
• Increased accidents and injuries.
• Work-related illnesses
• Job dissatisfaction
• Lack of job commitment
• Burnout
• Depression
• Workplace violence
• Increased health insurance claims
• Lowered quality

Activity 4:
You can ask the students to work in groups and understand, summarize and articulate the hazards w.r.t. health, safety and security. Report them in a standard template.

1.1. Need for Health and Safety at Work


Why is Health and Safety Important?

Since 1950, the International Labour Organisation (ILO) and the World Health Organisation
(WHO) have shared a common definition of occupational health. The definition reads:

"The main focus in occupational health is on three different objectives:

(i) the maintenance and promotion of workers’ health and working capacity;
(ii) the improvement of working environment and work to become conducive to safety and
health, and
(iii) development of work organisations and working cultures in a direction which supports
health and safety at work, and in doing so also promotes a positive social climate and smooth
operation, and may enhance productivity of the undertakings.

The concept of working culture is intended in this context to mean a reflection of the essential
value systems adopted by the undertaking concerned. Such a culture is reflected in practice
in the managerial systems, personnel policy, principles for participation, training policies and
quality management of the undertaking."

Having a healthy, safe and secure working environment is important for the following reasons:

Moral case - Ensuring safety and well-being of workers, and providing an environment that causes no harm to mental, or physical health, is a moral obligation of organisations.

Ethical case - Exposing employees to toxic chemicals and other risk factors is unethical. Hence, providing healthy, safe and secure working environment becomes an ethical obligation of organisations.

Legal case - There are many laws in our country that mandate organisations to have a healthy, safe and secure working environment. Examples:

• Civil Liability for Nuclear Damage Act, 2010 - An Act to provide for civil liability for nuclear damage and prompt compensation to the victims of a nuclear incident through a no-fault liability regime channelling liability to the operator, appointment of Claims Commissioner, establishment of Nuclear Damage Claims Commission and for matters connected therewith or incidental thereto.
• Atomic Energy (Factories) Rules 1996 - Applies to all factories owned by the Central Government engaged in activities under the Atomic Energy Act 1962 (33 of 1962). Regulates health inspectors, workplace hygiene, safe use of machinery, manual labour, and protective equipment. Chapter VI covers hours of work; Chapter VII forbids the employment of persons under the age of 18. Provides for special working conditions for work involving lasers and toxic substances. Repeals the Atomic Energy (Factories) Rules, 1984.
• The Plantations Labour Act 1951 - Provides for the welfare of labour and regulates the conditions of work in plantations. Contains 43 sections and 8 chapters concerning registration of plantations; inspection staff; health provisions; welfare; hours and limitation of employment; leave with wages; accidents; and penalties and procedure.
• Factories Act 1948 - This Act contains 120 sections, and is divided into Chapters concerning inspection staff, health, safety, hazardous processes, welfare, working hours of adults, employment of young persons, annual leave with wage, and penalties and procedures.
• Employer's Liability Act 1938 - Provides that certain defences shall not be raised in suits for damages in respect of injuries sustained by workmen.
• Indian Boilers Act, 1923 - Provides for the registration and certification of boilers, reporting of boiler-related accidents, and duties of boiler owners at examination.

Business case

Employers are recognizing the competitive advantage that a healthy workplace can provide to them, in contrast to their competition, who would feel that a healthy and safe workplace is just a necessary cost of doing business.

Global case

There is a widespread agreement among global agencies, including the World Health Organisation (WHO) and the International Labour Organisation (ILO), that the health, safety and well-being of workers, who make up nearly half the global population, is of paramount importance. Thus, in order to comply with international standards and to have a good reputation globally, organisations in India too need to maintain a healthy, safe and secure working environment.

This can be best explained with the help of the following diagram:

Different types of breaches in health, safety and security

There are five main types of breaches in health, safety and security:

1. Physical hazards are the most common hazards and are present in most workplaces at some time. For example, frayed electrical cords, unguarded machinery, exposed moving parts, constant loud noise, vibrations, working from ladders, scaffolding or heights, spills, tripping hazards.
2. Ergonomic hazards occur when the type of work you do, your body position and/or your working conditions put a strain on your body. They are difficult to identify because you don't immediately recognize the harm they are doing to your health. For example, poor lighting, improperly adjusted workstations and chairs, frequent lifting, repetitive or awkward movements.
3. Chemical hazards are present when you are exposed to any chemical preparation (solid, liquid, or gas) in the workplace. For example, cleaning products and solvents, vapours and fumes, carbon monoxide or other gases, gasoline or other flammable materials.
4. Biological hazards come from working with people, animals, or infectious plant material. For example, blood or other bodily fluids, bacteria and viruses, insect bites, animal and bird droppings.
5. Electrical hazards arise because much of the equipment in the workplace is run by electricity, which, if due precautions are not taken, can cause fire, electric shock or electrocution.

Types of health and safety hazards at a workplace

A workplace hazard is anything that has the potential to cause harm to a person. Hazards can take the form of items such as machinery that is high at risk. For example, working at heights, or on a slippery floor is a workplace hazard. Hazards in the workplace should be identified and the risk of the hazard causing an injury should be assessed. Reducing the risk of the hazard causing injury is an important step towards maintaining workplace safety.

Occupational hazards can be broadly classified into the following two types:

• Safety hazards that cause accidents that physically injure workers. For example, many tall buildings that have glass windows require cleaners to hang from the rooftop to clean the glass. If the rope snaps, or if there is some other mistake, it can be fatal for the cleaner.
• Health hazards that result in the development of some disease. For example: Though the Bhopal gas tragedy took place over 30 years ago, the city is still experiencing the effects of the gas leak. Around 3700 people died almost immediately following the incident in December 1984. The immediate cause of death was due to choking, circulatory collapse and pulmonary oedema (filling up of fluid in the lungs). Further post mortem reports revealed that people died not only of suffocation but also because the toxins had caused swelling in the brain, leading to disorientation and finally death, due to collapse of the nervous system. Other conditions include degeneration of the liver and kidneys and rotting of the intestines. The stillbirth rate was 300% and neonatal mortality (death as an infant) was about 200% right after the tragedy.

Years later, the effects of the gas leak are still seen. In the year 2002 a report published by the Fact-Finding Mission on Bhopal found a number of toxins, including mercury, lead, trichlorobenzene, dichloromethane and chloroform, in the breast milk of nursing mothers. In 2004 a BBC Radio 5 broadcast reported that the area where UCIL had set up the plant was still contaminated with toxic chemicals including benzene hexachloride and mercury, which were stored in open containers and in some cases spilled into the ground. In 2009 the same body also took samples from a commonly used hand pump situated north of the plant and found that the water contained 1000 times the World Health Organisation's recommended maximum amount of carbon tetrachloride, a known carcinogen.

Government agencies in health, safety and security

Various government agencies are involved in the area of health, safety and security. For example, the Ministry of Labour and Employment, Government of India, which has defined the National Policy on Safety, Health and Environment at Workplace; the Bureau of Indian Standards, which sets up various committees for the same; etc. Also, international organisations like WHO and ILO set the benchmarks for organisations across the globe to follow.

UNIT II
Security Analyst’s role

This Unit covers:

 Lesson Plan
 Lesson
2.1. Security Analyst’s Role


LESSON PLAN

| Outcomes | Performance Ensuring Measures | Duration of training (Hrs) | Work Environment / Lab Requirement |
|---|---|---|---|
| To be competent, you must be able to: PC1. comply with your organization's current health, safety and security policies and procedures; PC2. report any identified breaches in health, safety, and security policies and procedures to the designated person; PC3. identify and correct any hazards that you can deal with safely, competently and within the limits of your authority; PC4. report any hazards that you are not allowed to deal with to the relevant person in line with organizational procedures and warn other people who may be affected; PC5. follow your organization's emergency procedures promptly, calmly, and efficiently; PC6. identify and recommend opportunities for improving health, safety, and security to the designated person; PC7. complete any health and safety records legibly and accurately | During the course of the training, the faculty can keep a record of all instances where a learner violated any health and safety norm. The record can remain public so everyone knows how they are faring. | 3 Hrs in class | Standard Environment plus Excel and Word on computers and access to sources for data to be collected |
| You need to know and understand: KA1. legislative requirements and organization's procedures for health, safety and security and your role and responsibilities in relation to this; KA3. how and when to report hazards; KA4. the limits of your responsibility for dealing with hazards | QA session and a descriptive write-up on understanding. Group presentation and peer evaluation along with Faculty. Performance evaluation from Faculty and Industry with reward points. Online exam and reward points based on reviews from the forums. | 2 Hrs in-class assessment & 30 Hrs offline Research and Learning activity | Standard Environment PLUS access to online forums, blogs etc. |

SUGGESTED LEARNING ACTIVITIES


Activity 1:
• Have the learners state the key items from the organization's current health, safety and security policies and procedures that they would have to follow.
• Ask each of them to do a field study of the training institute and make a report of:
  o the items that are being followed and those that are being violated.
  o areas that could be potential health and safety hazards
  o recommendations for improving health, safety, and security
• Then in the classroom have them work in groups to collate the more relevant points and present in the class.

Activity 2:
• You can ask the learners to go through various organizations' websites and understand the policies and guidelines for health, safety and security. Define roles and responsibilities related to this in an employee context (Research & report).
• Have them collate the roles and responsibilities in groups and further have a volunteer collate it into one list.
• Use this as a basis to conduct the following activity.

Activity 3:
Ask the students to work in groups and fill the following table based on whatever they have learnt so far. You can share one example with them to explain what is expected of them, if required.

| Tasks | Sub Tasks | Performance Evaluation Criteria |
|---|---|---|
| Example: Improving data backup system in case of a natural disaster | Submits a proposal for purchasing a new backup tool | Goes the extra mile to ensure he delivers up-to-date solutions; Can think proactively and pre-empt disasters; Is conscious about the quality of output; Keeps abreast with the latest technological solutions |

Take a print out of the best list, add/modify if necessary, and use it for the rest of the training program to keep a record of achievements and violations in the area. This can later be the basis for performance review in this topic.

2.1. Security Analyst’s Role

Understanding 'Safety'

Accident is an unplanned and undesired occurrence, which may or may not result in injury, or damage to self, others and/or property. Main causes of accidents are:

[Chart: Main causes of accidents]
• Unsafe Actions: 80%
• Unsafe Conditions: 18%
• Natural Calamities: 2%

Thus lack of awareness about safety is the main cause of accidents.

Safety is freedom from accidents, injury or damage; it is a pro-active means to give protection from known dangers. A safe workplace is free of risks and hazards.

Hazards are the potential to cause harm (accidents, injury or damage), e.g.
• Naked wires
• Heavy equipment and machines
• Heat being generated in the computers, servers, etc.
• Sharp edges on furniture

Risks are the likelihood of harm (accidents, injury or damage), e.g.
• Plugging equipment with naked wires
• Lifting heavy equipment in a wrong posture
• Working in a non-temperature regulated environment with technology that heats up
• Using duplicate parts in IT equipment that could pose a safety threat

Common Safety Hazards

Some safety and health related hazards and how they can be controlled are as follows:

Surfaces/Places related Hazards & Risks:
• Dirty, dusty and littered areas can lead to infections as well as accidents from slipping, tripping, etc.
• Wet/oily/soapy surfaces can lead to accidents by slipping or falling and breaking of glassware.
• Working with wooden tables that have nails protruding on the surface.

How to Control?
• Keep the work area neat and tidy
• Wet areas should be mopped and kept dry
• Handle glassware properly
• Precautions should be taken while dealing with surfaces with sharp or pointed edges or objects protruding

Equipment/items related Hazards & Risks:
• Certain equipment used in the workplace like staplers, heavy laptops and computers, etc., which if not used carefully can cause physical hurt.

How to Control?
• Never use a tool to do a job for which it was not designed
• Handle the equipment properly as required

Materials & Chemical Hazards & Risks:
• Cleaning chemicals used by housekeeping, kept in the washroom and housekeeping cabinets
• Solutions for cleaning IT equipment
• Pest control sprays, etc.

How to Control?
• While using hazardous materials & chemicals ensure the following:
  o Wear gloves; avoid skin coming into contact with the chemical
  o Keep the chemical away from eyes and nose
  o Never mix chemicals unless particularly advised by the product manufacturer
  o Do not ingest any chemical; if by mistake someone swallows some chemical, see a doctor immediately
• Identify common warning signs associated with different types of hazardous materials

[Signs: Biohazard; Radiation hazard]

Physical Hazards & Risks:
• Any obstruction at the entry/exits/blind turns could be dangerous in a time of emergency when people have to run in or out.
• Overstocked cupboards or shelves can be hazards as they can topple over anytime.
• Work may require lifting or moving heavy objects, which if not done properly can cause injury or aches.

How to control?
• Entry/exits/blind turns should be clear of obstructions/faults at all times.
• Cupboards and shelves should be neatly arranged, preferably supported by the wall or fixed on the floor.
• Warning signs should be placed if a physical hazard cannot be removed.
• Always try to use a machine or tool if required to lift a heavy object.
• If it is not possible then try to split the load and lift it in more than one turn. Can also take help.
• If one has to lift a heavy object, then follow right lifting practices while lifting or moving heavy objects.

LIFTING HEAVY OBJECTS

• Stand the object upright.
• Position feet shoulder-width apart, close to the object.
• Approach the load upfront and facing the direction in which it has to be taken.
• Bend at the knees.
• Place hands under the load and pull the load close to the body.
• Lift the load such that the thigh muscles are doing most of the work, and not the back.
• Slowly lift by straightening knees.
• Lower the load also by bending the knees.
• While releasing the load take care that the fingers are not trapped under it.

WARNING SIGNS

[Signs: Danger – General; Danger – Watch your step; Danger – Under construction]

Electrical Risks:

Electricity is an amazing thing when used properly, but can very easily hurt, harm and even fatally injure a person that comes in contact with it. Whenever one works with power tools or electrical circuits there is a risk of electrical hazards, especially electrical shock.

One must pay special attention to electrical hazards because they work with
electrical supplies and circuits. Coming in contact with an electrical voltage can cause current to flow through the body, resulting in electrical shock, burns or serious injury. Even death may occur.

Electric Shock: An electrical shock is received when electrical current passes through the body. One gets an electrical shock by:
• touching a live wire and an electrical earth, or
• touching a live wire and another wire at a different voltage.

Electricity travels in closed circuits, and its normal route is through a conductor. Electric shock occurs when the body becomes part of a circuit and acts as a conductor. Earthing is a physical connection to the earth, which is taken to be at zero volts.

Freeing a victim from electrocution
• The first person to reach a shocked worker should cut off the current if this can be done quickly.
• If this is not possible, the victim should be removed from contact with the charged equipment: either the equipment/wire should be pulled away from the victim, or the victim pulled away from it.
• Bare hands should not be used; use a dry board, dry rope, leather belt, coat, overalls or some other non-conductor.
• Be sure to stand on a non-conducting surface when pulling – dry rubber slippers, a dry wooden board, etc.

Accident prevention is everybody's job. The security analyst can at least do the following:
• observe all unsafe conditions and warn people of potential hazards
• report any violations of safety rules, and
• set a good example by his or her own behaviour

Far too many accidents happen due to unsafe conditions that were not noted, reported, or corrected. After finding an unsafe condition, the security analyst must either correct the condition or report it to someone who can make the correction.

Safety is largely a matter of common sense. Corrective action should be taken when possible, or the proper authority called to handle the situation. This matters both to visitors and to the people being protected from injuries caused by careless safety practice.

Role of a Security Analyst in maintaining health and safety at work

The role and responsibilities of an Information Security Analyst in maintaining a healthy, safe and secure working environment are defined in the organisation's policy on the subject. He therefore has to ensure that he follows those rules. For example, if the company policy states that all IT equipment more than two years old must go for annual maintenance, then it is the Information Security Analyst's responsibility to ensure that this happens.
How to identify job hazards

The following are the major steps in identifying and analysing job hazards:

Step 1 - Decide whether a job is to be analysed, based on the following criteria:
• Incident frequency and severity - Jobs where incidents occur frequently, or where they occur infrequently but result in disabling injuries.
• Potential for severe injuries or illness - The consequences of an incident, hazardous conditions, or exposure to harmful substances are potentially severe.
• Newly established jobs - Due to lack of experience in these jobs, hazards may not be evident or anticipated.
• Modified jobs - New hazards may be associated with changes in job procedures.
• Infrequently performed jobs - Employees may be at greater risk when undertaking non-routine jobs, and an analysis provides a means of reviewing hazards.

Step 2 - Break the job down into a sequence of steps. Ensure that each step is neither too specific nor too general. Steps should be kept in the correct sequence. Document using the company template. Make notes on what is done, rather than how it is done.

Step 3 - Identify the potential hazards. Based on observations of the job, knowledge of incident and injury causes, and personal experience, list the things that could go wrong at each step. The following questions may be used to help identify potential hazards:
• Can any body part get caught in or between objects?
• Do tools, machines, or equipment present any hazards?
• Can the worker make harmful contact with moving objects?
• Can the worker slip, trip, or fall?
• Can the worker suffer strain from lifting, pushing, or pulling?
• Is the worker exposed to extreme heat or cold?
• Is excessive noise or vibration a problem?
• Is there a danger from falling objects?
• Is lighting a problem?
• Can weather conditions affect safety?
• Is harmful radiation a possibility?
• Can contact be made with hot, toxic, or caustic substances?
• Are there dusts, fumes, mists, or vapours in the air?

Step 4 - Hazard mitigation - Upon completion of the first three steps of the job hazard analysis, determine the appropriate controls to overcome the hazards. You can remind the students that these controls have already been discussed earlier in this chapter: elimination, substitution, isolation, engineering controls, administrative controls, and personal protective clothing and equipment.

Responsibilities w.r.t. Health and Safety at Work
• Complies with his organisation's current health, safety and security policies and procedures.
• Reports any identified breaches in health, safety and security policies and procedures to the designated person.
• Identifies and corrects any hazards that he can deal with safely, competently and within the limits of his authority.
• Reports any hazards that he is not competent to deal with to the relevant people, in line with organisational procedures.
o Warns others who may be affected.
• Follows the emergency procedures promptly, calmly and efficiently.
• Identifies and recommends opportunities for improving health, safety and security to the designated person.
• Completes any health and safety records legibly and accurately.
• Coordinates with the appropriate people for his information needs.
• Is reliable; gets information from reliable sources.
• Communicates with colleagues clearly, concisely and accurately.
• Integrates his work effectively with others.
• Shares essential information on time.
• Takes help from the appropriate people when there are any problems with the information.
• Follows the company rules while analysing data.
• Keeps track of the needs of the organisation.
• Honours his commitments.
o If for some reason he is unable to carry out his promises, he informs in advance and suggests alternatives.
• Maintains good relationships with colleagues.
o Sorts out problems with them, if any.
o Shows respect for others.
• Follows the policies, procedures and culture of the organisation.
• Keeps abreast of technological developments.
• Takes care of quality issues.
o Maintains the data in the required formats.
o Keeps data up-to-date.
o Provides accurate information.
o Provides complete information.
• Takes a logical and practical approach to problems, keeping the constraints of the organisation in mind.
• Gives importance to the needs of colleagues and responds to their feedback.

How and when to report hazards

After developing the ability to identify hazards, the Information Security Analyst should report them to his line manager, or to the person assigned that responsibility in the company policy. This should be done immediately, without any delay.
UNIT III
Emergency Situations

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Resource Material
3.1. Emergency Situations

LESSON PLAN

Outcomes: You need to know and understand:
  KA5. the organisation's emergency procedures for different emergency situations and the importance of following these
  KB2. evacuation procedures for workers and visitors
Performance Ensuring Measures: QA session and a descriptive write-up on the understanding.
Duration of training (Hrs): 1 Hr in-class assessment & 2 Hrs offline research and learning activity
Work Environment / Lab Requirement: Standard Environment PLUS access to online forums.

Outcomes: You need to know and understand:
  KB3. how to summon medical assistance and the emergency services, where necessary
  KB4. how to use the health, safety and accident reporting procedures and the importance of these
Performance Ensuring Measures: QA session and a descriptive write-up on understanding & reporting. Group presentation and peer evaluation along with Faculty. Performance evaluation of the report by Faculty with reward points.
Duration of training (Hrs): 1 Hr in-class assessment & 2 Hrs offline research and learning activity
Work Environment / Lab Requirement: Standard Environment PLUS access to online forums.
SUGGESTED LEARNING ACTIVITIES

Activity 1:
You can throw open this question to the students. During the discussion, make
sure the following commonly occurring emergency situations get covered.
Emergencies may be natural, or man-made, and include the following:
• Floods
• Hurricanes
• Tornadoes
• Fires
• Toxic gas releases
• Chemical spills
• Radiological accidents
• Explosions
• Civil disturbances
• Workplace violence resulting in bodily harm and trauma

Activity 2:
You can ask the students to make an emergency plan based on whatever they have learnt so
far. At the end of the discussion, you can share the guidelines for developing an emergency
action plan given in the resource material for 3.1.
3.1. Emergency Situations

A workplace emergency is an unforeseen situation that threatens your employees, customers, or the public; disrupts or shuts down your operations; or causes physical or environmental damage.

Emergencies may be natural or man-made, and include the following:
• Floods
• Hurricanes
• Tornadoes
• Fires
• Toxic gas releases
• Chemical spills
• Radiological accidents
• Explosions
• Civil disturbances
• Workplace violence resulting in bodily harm and trauma

An organisation's emergency procedures and their importance

The following are some guidelines for emergency procedures to be followed in case of any emergency related to health, safety and security at the workplace:
• Consider what might happen and how the alarm will be raised. Don't forget night and shift working, weekends and times when the premises are closed, such as holidays.
• Plan what to do, including how to call the emergency services. Help them by clearly marking your premises from the road. Consider drawing up a simple plan showing the location of hazardous items.
• If you have 25 tonnes or more of dangerous substances, you must notify the fire and rescue service and put up warning signs. (This figure is the threshold set in UK regulations; check the threshold that applies in your own jurisdiction.)
• Decide where to go to reach a place of safety, or to get rescue equipment. You must provide suitable forms of emergency lighting.
• You must make sure there are enough emergency exits for everyone to escape quickly, and keep emergency doors and escape routes unobstructed and clearly marked.
• Nominate competent people to take control.
• Decide which other key people you need, such as a nominated incident controller, someone who is able to provide technical and other site-specific information if necessary, or first-aiders.
• Plan essential actions such as emergency plant shutdown, isolation or making processes safe. Clearly identify important items like shut-off valves and electrical isolators.
• You must train everyone in emergency procedures. Don't forget the needs of people with disabilities and vulnerable workers.
• Work should not resume after an emergency if a serious danger remains. If you have any doubts, ask for assistance from the emergency services.
Constituents of an emergency action plan:
• A preferred method for reporting fires and other emergencies.
• An evacuation policy and procedure.
• Emergency escape procedures and route assignments, such as floor plans, workplace maps, and safe or refuge areas.
• Names, titles, departments, and telephone numbers of individuals both within and outside your company to contact for additional information or an explanation of duties and responsibilities under the emergency plan.
• Procedures for employees who remain to perform or shut down critical plant operations, operate fire extinguishers, or perform other essential services that cannot be shut down for every emergency alarm before evacuating.
• Rescue and medical duties for any workers designated to perform them.
• Designation of an assembly location and procedures to account for all employees after an evacuation.

Evacuation procedures for workers and visitors
• Define a clear chain of command and designate the person in your business authorised to order an evacuation or shutdown. You may want to designate an 'evacuation warden' to assist others in an evacuation and to account for personnel.
• Specific evacuation procedures, including routes and exits, should be defined. Post these procedures where they are easily accessible to all employees.
• Procedures for assisting people with disabilities, or who do not speak the commonly used language, should be clearly defined.
• Designation of which employees, if any, will continue or shut down critical operations during an evacuation. These people must be capable of recognising when to abandon the operation and evacuate themselves.
• A system for accounting for personnel following an evacuation. Employees' transportation needs for community-wide evacuations should also be considered.

How and when to report these

The Information Security Analyst should report any job hazards that he comes across to his line manager, or to the person assigned that responsibility in the company policy. This also means that he should keep an eye out for potential hazards and report them before they cause any harm.

How to summon medical assistance and emergency services

Here again, the organisation's policies and procedures need to be kept in mind. Usually, organisations have an in-house first-aid kit or medical team to assist in medical emergency situations. Employees can follow the emergency evacuation plan and take help from the designated personnel. The following are some emergency numbers that can be used in India:

Service – Telephone
• Ambulance – 102
• Emergency response service for medical, police and fire emergencies, available in Andhra Pradesh, Gujarat, Uttarakhand, Goa, Tamil Nadu, Rajasthan, Karnataka, Assam, Meghalaya, Madhya Pradesh and Uttar Pradesh – 108
• Local police – 100
• Fire service – 101
(Since 2019 the single pan-India emergency number 112 is also available.)

How to use health, safety and accident reporting procedures and their importance

The Information Security Analyst should be well conversant with the organisation's policy on emergency reporting procedures. Not only should he keep an eye out for potential hazards, he should report them to the line manager, or to any other person designated for the purpose. If he fails to do so, serious incidents can occur that harm employees and the company as a whole.
UNIT IV
Skills for maintaining Health and
Safety at Work

This Unit covers:

 Lesson Plan
 Suggested Learning Activities
 Resource Material
4.1. Skills for maintaining Health and Safety at Work

LESSON PLAN

Outcome: Writing Skills. You need to know and understand how to: SA1. complete accurate, well written work with attention to detail
Performance Ensuring Measures: SA1. Online assessment. Quiz; document review by peer group and Faculty.
Duration of training (Hrs): 30 Min classroom assessment and 10 Hrs offline.
Work Environment / Lab Requirement: Standard Environment

Outcome: Reading Skills. You need to know and understand how to: SA2. read instructions, guidelines/procedures
Performance Ensuring Measures: SA2. Quiz; document review by peer group and Faculty.
Duration of training (Hrs): 30 Min classroom assessment and 10 Hrs offline.
Work Environment / Lab Requirement: Standard Environment

Outcome: Oral Communication (Listening and Speaking skills). You need to know and understand how to: SA3. listen effectively and orally communicate information accurately
Performance Ensuring Measures: SA3. Online assessment. Versant/SVAR strongly recommended.
Duration of training (Hrs): 10 Min per student
Work Environment / Lab Requirement: Standard Environment

Outcome: Decision Making. You need to know and understand how to: SB1. make a decision on a suitable course of action or response
Performance Ensuring Measures: SB1. Document review by peer group and Faculty.
Duration of training (Hrs): 30 Min classroom assessment and 10 Hrs offline.
Work Environment / Lab Requirement: Standard Environment PLUS MS Project

Outcome: Plan and Organize. You need to know and understand how to: SB2. plan and organize your work to achieve targets and deadlines
Performance Ensuring Measures: SB2. Document review by peer group and Faculty. Daily/weekly SCRUM.
Duration of training (Hrs): 1 Hr classroom assessment and 10 Hrs offline.
Work Environment / Lab Requirement: Standard Environment PLUS MS Project

Outcome: Customer Centricity. You need to know and understand how to: SB3. build and maintain positive and effective relationships with colleagues and customers
Performance Ensuring Measures: SB3. Group and Faculty evaluation of anticipated outcomes based on performance in the simulated environment. Reward points to be allocated to groups.
Duration of training (Hrs): 1 Hr classroom assessment and 10 Hrs offline research and learning activity.
Work Environment / Lab Requirement: Standard Environment. It is recommended to invite industry experts such as Business Analysts/Delivery Heads for a face-to-face interaction.

Outcome: Problem Solving. You need to know and understand how to: SB4. apply problem solving approaches in different situations
Performance Ensuring Measures: SB4. Group and Faculty evaluation based on anticipated outcomes. Evaluate the approach template and award reward points.
Duration of training (Hrs): 1 Hr classroom assessment and 30 Hrs offline research and learning activity.
Work Environment / Lab Requirement: Standard Environment PLUS various publicly available case studies: www.kaggle.com, www.coursera.org, www.udacity.com, www.edx.org

Outcome: Analytical Thinking. You need to know and understand how to: SB5. analyse data and activities
Performance Ensuring Measures: SB5. Assessment based on a use case. Submit the document for review by group/faculty.
Duration of training (Hrs): 1 Hr classroom assessment and 10 Hrs offline.
Work Environment / Lab Requirement: Standard Environment PLUS various publicly available case studies.

Outcome: Critical Thinking. You need to know and understand how to: SB6. apply balanced judgements to different situations
Performance Ensuring Measures: SB6. Assessment based on a use case; submit the document for review by group/faculty. Validate real-time opinions given by the students. Evaluate the approach of students/groups towards the given case study.
Duration of training (Hrs): 1 Hr classroom assessment and 10 Hrs offline.
Work Environment / Lab Requirement: Suggested online tools: WebEx, GotoMeetings, Lensoo, AnyMeetings, OpenMeetings.

Outcome: Attention to Detail. You need to know and understand how to: SB7. check your work is complete and free from errors; SB8. get your work checked by peers
Performance Ensuring Measures: SB7, SB8. Assessment based on QA standards. Submit the document for review by group/faculty against QA standards.
Duration of training (Hrs): 2 Hrs classroom assessment and 30 Hrs offline.
Work Environment / Lab Requirement: Standard Environment PLUS seminars, workshops, panel discussions etc.

Outcome: Team Working. You need to know and understand how to: SB9. work effectively in a team environment
Performance Ensuring Measures: SB9. Group and Faculty evaluation based on anticipated outcomes from a group.
Work Environment / Lab Requirement: Standard Environment PLUS access to online forums.

Outcome: You need to know and understand: SC1. identify and refer anomalies; SC2. help reach agreements with colleagues; SC3. keep up to date with changes, procedures and practices in your role
Performance Ensuring Measures: SC1 to SC3. Online assessment. Task-based assessment. Document comparison reports. Task schedulers.
Duration of training (Hrs): 1 Hr classroom assessment and 20 Hrs offline.
Work Environment / Lab Requirement: Standard Environment PLUS various publicly available data sets: www.data.gov.in
SUGGESTED LEARNING ACTIVITIES


Activity 1:
SA1. Documentation preparation: follow the approach document. Technical writing.
SA2. Learning and understanding the various guidelines, procedures, rules and SLAs that are
publicly available through open data portals.
SA3. Listen, interpret and communicate between groups and Faculty.
SB1. Learn the concepts of SOW (statement of work), Plan-Do-Check-Act (PDCA), Work
Breakdown Structure (WBS) and decision trees. Brainstorming.
SB2. Learn the concepts of SOW, PDCA, WBS and decision trees. Brainstorming. Learn about
Agile and SCRUM methodologies; following one of them is suggested.
SB3. Understanding the scope and defining the objectives. Identifying the deliverables based
on the timelines. Simulate a client and company environment on campus and practise a
business deal.
SB4. Understanding the scope and defining the objectives. Identifying deviations from the
expectations and solutions to mitigate the deviations; document these in the approach template.
SB5. Discuss with peers, groups, faculty and SME/industry SPOCs. Prepare a document on
building a safe and secure platform from an analytics standpoint.
SB6. Discuss with peers, groups, faculty and SME/industry SPOCs. Prepare a document on
building a safe and secure platform from an analytics standpoint. Use online meeting tools to
share opinions in real time.
SB7, SB8. Discuss with peers, groups, faculty and SME/industry SPOCs. Conduct review
meetings with the peer group/faculty.
SB9. Define roles and responsibilities amongst the groups.

Activity 2:
• SC1 to SC3. Ask the learners to find publicly available data sets by exploration and
research. Review and download the data.
• Store the data in databases using methods such as SQL, programming languages, scripting,
etc. Find anomalies and prepare a report. It is recommended that roles be defined for
performing the tasks. Groups must take different domains (data sets).
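The activity above asks learners to store a data set with SQL, find anomalies and prepare a report. The following is an added worked example of that cycle, written for this handbook and not taken from it: a small safety-incident export is constructed inline (the records, the table layout and the validation rules are all assumptions made for the illustration), loaded into an in-memory SQLite table, checked against explicit rules, and turned into a report that refers each anomaly to the line manager. The rules cover the kinds of anomalies learners should expect in real data: duplicate identifiers, missing mandatory fields, values outside an agreed scale, inconsistent category spellings, and dates that look valid but are not.

```python
"""Rule-based anomaly report over a small safety-incident data set.

Added illustration for Activity 2 (SC1 to SC3). Records, table layout and
rules below are constructed for this example; they are not from the
handbook or from any real organisation.
"""
import csv
import io
import sqlite3
from datetime import date

# Constructed sample export (assumed columns). It deliberately contains one
# anomaly of each kind the rules below look for.
SAMPLE_CSV = """incident_id,reported_on,location,category,severity,reported_by
INC-001,2015-03-02,Server Room B,electrical,3,a.kumar
INC-002,2015-03-02,Lobby,slip/trip,1,
INC-003,2015-02-30,Server Room B,electrical,2,s.rao
INC-001,2015-03-05,Loading Bay,falling object,2,a.kumar
INC-005,2015-03-07,Lobby,Electrical,9,p.singh
INC-006,2015-03-09,Canteen,chemical spill,2,m.das
"""

# Agreed vocabulary and scale (assumptions for the example).
VALID_CATEGORIES = {"electrical", "slip/trip", "falling object", "chemical spill", "fire"}
MAX_SEVERITY = 5


def load_into_db(csv_text):
    """Store the raw export in an in-memory SQLite table exactly as received."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE incidents (incident_id TEXT, reported_on TEXT, location TEXT, "
        "category TEXT, severity INTEGER, reported_by TEXT)"
    )
    rows = [
        (r["incident_id"], r["reported_on"], r["location"], r["category"],
         int(r["severity"]) if r["severity"] else None, r["reported_by"])
        for r in csv.DictReader(io.StringIO(csv_text))
    ]
    conn.executemany("INSERT INTO incidents VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def valid_iso_date(text):
    """True only for a real calendar date in YYYY-MM-DD form."""
    try:
        date.fromisoformat(text)
        return True
    except (TypeError, ValueError):
        return False


def find_anomalies(conn):
    """Apply each rule in turn; every hit records the rule, the row and what is wrong."""
    anomalies = []
    # Rule 1: incident_id must be unique, otherwise later counts are meaningless.
    for iid, n in conn.execute(
        "SELECT incident_id, COUNT(*) FROM incidents GROUP BY incident_id HAVING COUNT(*) > 1"
    ):
        anomalies.append({"rule": "duplicate_id", "incident_id": iid, "detail": f"{n} rows"})
    # Rule 2: mandatory fields must be present; an empty reporter leaves nobody to follow up with.
    for (iid,) in conn.execute(
        "SELECT incident_id FROM incidents WHERE reported_by IS NULL OR reported_by = ''"
    ):
        anomalies.append({"rule": "missing_reporter", "incident_id": iid, "detail": "reported_by empty"})
    # Rule 3: category must be one of the agreed values. A capitalisation slip is reported
    # as a format problem rather than as an unknown hazard type.
    for iid, cat in conn.execute("SELECT incident_id, category FROM incidents"):
        cat = cat or ""
        if cat.lower() not in VALID_CATEGORIES:
            anomalies.append({"rule": "unknown_category", "incident_id": iid, "detail": cat})
        elif cat != cat.lower():
            anomalies.append({"rule": "category_case", "incident_id": iid, "detail": cat})
    # Rule 4: severity must lie within the agreed scale.
    for iid, sev in conn.execute(
        "SELECT incident_id, severity FROM incidents "
        "WHERE severity IS NULL OR severity < 1 OR severity > ?",
        (MAX_SEVERITY,),
    ):
        anomalies.append({"rule": "severity_out_of_range", "incident_id": iid, "detail": str(sev)})
    # Rule 5: dates must be real. SQLite stores '2015-02-30' without complaint,
    # so this check is done in Python rather than in SQL.
    for iid, when in conn.execute("SELECT incident_id, reported_on FROM incidents"):
        if not valid_iso_date(when):
            anomalies.append({"rule": "invalid_date", "incident_id": iid, "detail": when})
    return anomalies


def anomaly_report(csv_text):
    """Plain-text report a line manager can act on: one line per anomaly."""
    found = find_anomalies(load_into_db(csv_text))
    lines = [f"Anomaly report: {len(found)} issue(s) found, refer to line manager"]
    lines += [f"- {a['incident_id']}: {a['rule']} ({a['detail']})" for a in found]
    return "\n".join(lines)


if __name__ == "__main__":
    print(anomaly_report(SAMPLE_CSV))
```

The data is loaded as-is and every rule is applied to the stored rows, so the report can be reproduced later from the same table. Learners can replace SAMPLE_CSV with a downloaded data set and adjust the column names and rules for that domain; the point to stress is that each anomaly is referred with the rule that caught it, which is what makes the report actionable for the person receiving it.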

4.1. Skills for maintaining Health and Safety at Work

Skills are the ability to use information or knowledge acquired through education or experience to accomplish a given task.

Types of skills
• Technical Skills - The ability to do a specific type of activity or work.
• Human Skills - The ability to work with people.
• Conceptual Skills - The ability to work with ideas or concepts.

Generic Skills - These are skills common to most white-collar jobs, such as reading, writing, listening and speaking.

Professional Skills - These skills make a person more employable by giving the person the ability to make logical decisions and to solve problems judiciously. Some examples of professional skills are decision making, planning and organising, customer centricity, problem solving, critical thinking, attention to detail, and team work.

Skills required to maintain a safe and healthy work environment

Security Analysts need to be good at the following skill-sets to be able to maintain a healthy, safe and secure working environment.

Core/Generic Skills - As an Information Security Analyst, you should be able to communicate well with colleagues in writing. You should be able to write accurately, with attention to detail. For example, making plans for the department for upgrading the safety and security systems requires writing skills. You should also be able to read the instructions, guidelines, procedures and service level agreements laid down by your organisation. For example, each organisation has certain guidelines for maintaining a healthy and safe environment. As an Information Security Analyst, you should be aware of those; only then can you install the appropriate systems.

Other than reading and writing, an Information Security Analyst should also have oral skills such as listening and speaking. For example, when talking to your line manager, you need to listen to the instructions carefully. If at any stage you do not understand the instructions, you should be able to speak up and ask for clarification.

Professional Skills - During the course of any career, one needs to be adept at professional skills such as problem solving, critical thinking, logical reasoning, etc. This is equally true for an Information Security Analyst.

• Decision Making - Many times, as an Information Security Analyst, you will need to take decisions, and you should have the skills to take the appropriate ones. You should also follow the company rules when doing so. For example: what safety systems to install? How to test them?
• Planning and Organising - These are basic skill-sets for any role. To accomplish any task, one needs first to plan and then to organise the sub-tasks. For example, making a project plan for upgrading the safety and security systems.
• Customer Centricity - As explained in the earlier chapter as well, here too you, the Instructor, will have to explain that the term 'customer' refers to internal customers, i.e., colleagues. You can tell the students that as an Information Security Analyst they will need to work with colleagues from across the organisation, as has been explained in the chapter on how to work effectively with colleagues. When designing and installing security systems, they will have to make sure that these meet the requirements of their colleagues. In other words, their needs have to be considered paramount. Not only should you strive to meet customer requirements, you should try to exceed them.
• Problem Solving - You can tell the students that they will face many challenges as an Information Security Analyst and will have to develop problem solving skills to handle them. For example, if you have introduced a rule that employees must not use the emergency evacuation doors under normal circumstances, and you notice certain anomalies, it is your responsibility to bring this to the notice of your line manager.
• Analytical Thinking - Another skill-set associated with an Information Security Analyst is an analytical bent of mind. He will have to analyse data across the organisation and also monitor the activities of all, before coming up with a security plan. He will have to ensure that the relevant information reaches the concerned people on time.
• Critical Thinking - This skill may be required by an Information Security Analyst time and again, as he may have to apply his judgement in a balanced manner in various situations. For example, he may suggest a particular networking system that requires the least maintenance and has a very low chance of causing fire-related shocks, but senior management may not agree because it is too expensive. He then has to apply his judgement to come up with a plan that keeps the budgetary constraints in mind while not compromising on safety.
• Attention to Detail - Quality is a key criterion for any job, and that of an Information Security Analyst is no different. One aspect of it is paying attention to detail. For example, the emergency evacuation route of an organisation may be different for senior management from that for the others. The Information Security Analyst would need to be aware of this while designing his policies. He also needs to ensure that his plan is error-free and complete. He can take help from his colleagues if required.
• Team Work - No job can be completed without interacting with others, within and outside the organisation. Thus the ability to work with others as a team is a key requirement. For example, to be able to test his data backup systems, an Information Security Analyst would need to coordinate with members of other teams. Hence, being able to work effectively in a team environment is a must-have skill-set.

Technical Skills - Just like technical knowledge, technical skills too are important for any Information Security Analyst to perform his job. For example: the ability to use information technology efficiently; being able to input and extract safety data accurately; being able to validate and update safety data; being able to identify and refer anomalies in safety data; being up to date with changes, procedures and practices in your role; being able to reach agreements with colleagues; etc.
Performance evaluation criteria for an Information Security Analyst

By now the students should be comfortably placed to understand the nature of the job of an Information Security Analyst and what would help them perform this role well. You can now move on to the last section of the lesson, which covers the criteria that would be used to evaluate the performance of an Information Security Analyst vis-a-vis his ability to maintain a healthy, safe and secure working environment.

• Complies with his organisation's current health, safety and security policies and procedures.
• Reports any identified breaches in health, safety and security policies and procedures to the designated person.
• Identifies and corrects any hazards that he can deal with safely, competently and within the limits of his authority.
• Reports any hazards that he is not competent to deal with to the relevant people, in line with organisational procedures.
o Warns others who may be affected.
• Follows the emergency procedures promptly, calmly and efficiently.
• Identifies and recommends opportunities for improving health, safety and security to the designated person.
• Completes any health and safety records legibly and accurately.
• Coordinates with the appropriate people for his information needs.
• Is reliable; gets information from reliable sources.
• Communicates with colleagues clearly, concisely and accurately.
• Integrates his work effectively with others.
• Shares essential information on time.
• Takes help from the appropriate people when there are any problems with the information.
• Follows the company rules while analysing data.
• Keeps track of the needs of the organisation.
• Honours his commitments.
o If for some reason he is unable to carry out his promises, he informs in advance and suggests alternatives.
• Maintains good relationships with colleagues.
o Sorts out problems with them, if any.
o Shows respect for others.
• Follows the policies, procedures and culture of the organisation.
• Keeps abreast of technological developments.
• Takes care of quality issues.
o Maintains the data in the required formats.
o Keeps data up-to-date.
o Provides accurate information.
o Provides complete information.
• Takes a logical and practical approach to problems, keeping the constraints of the organisation in mind.
• Gives importance to the needs of colleagues and responds to their feedback.
Trainer’s Handbook – SSC/ Q09004 – Security Analyst

SSC/ N 9004:
Provide data/information in standard formats

UNIT I: Information and Knowledge Management

UNIT II: How to manage data/ information effectively

UNIT III: Skills required to manage data and information effectively

UNIT IV: Performance Evaluation Criteria for an Information Security Analyst

761
Trainer’s Handbook – SSC/ Q09004 – Security Analyst

Unit Code SSC/ N 9004

Unit Title (Task) Provide data/information in standard formats

Description This unit is about providing specified data/information related to your work in
templates or other standard formats.

Scope This unit/task covers the following:

Appropriate people:
 line manager
 members of your own work group
 people in other work groups in your organization
 subject matter experts
Data/information:
 quantitative
 qualitative
Sources:
 within your organization
 outside your organization
Formats:
 paper-based
 electronic
Performance Criteria(PC) w.r.t. the Scope

The user / individual on the job should be able to:


PC1. establish and agree with appropriate people the data/information you
need to provide, the formats in which you need to provide it, and when
you need to provide it
PC2. obtain the data/information from reliable sources
PC3. check that the data/information is accurate, complete and up-to-date
PC4. obtain advice or guidance from appropriate people where there are
problems with the data/information
PC5. carry out rule-based analysis of the data/information, if required
PC6. insert the data/information into the agreed formats
PC7. check the accuracy of your work, involving colleagues where required
PC8. report any unresolved anomalies in the data/information to appropriate
people
PC9. provide complete, accurate and up-to-date data/information to the
appropriate people in the required formats on time

Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company / organization and its processes)

The user/individual on the job needs to know and understand:

KA1. The organization's procedures and guidelines for providing data/information in standard formats and your role and responsibilities in relation to this
KA2. The knowledge management culture of the organization
KA3. Your organization's policies and procedures for recording and sharing information and the importance of complying with these
KA4. The importance of validating data/information before use and how to do this
KA5. Procedures for updating data in appropriate formats and with proper validation
KA6. The purpose of the CRM database
KA7. How to use the CRM database to record and extract information
KA8. The importance of having your data/information reviewed by others
KA9. The scope of any data/information requirements including the level of detail required
KA10. The importance of keeping within the scope of work and adhering to timescales

B. Technical Knowledge

The user/individual on the job needs to know and understand:

KB1. data/information you may need to provide including the sources and how to do this
KB2. templates and formats used for data and information including their purpose and how to use these
KB3. different techniques used to obtain data/information and how to apply these
KB4. how to carry out rule-based analysis on the data/information
KB5. typical anomalies that may occur in data/information
KB6. who to go to in the event of inaccurate data/information and how to report this


THE UNITS

The module for this NOS is divided into 4 Units based on the learning objectives given below.

UNIT I: Information and Knowledge Management

UNIT II: How to manage data/ information effectively

UNIT III: Skills required to manage data and information effectively

UNIT IV: Performance Evaluation Criteria for an Information Security Analyst


UNIT I
Information and Knowledge
Management

This Unit covers:

• Suggested Learning Activities
• Trainer Resource Material
  1.1. Information and Knowledge Management


SUGGESTED LEARNING ACTIVITIES


Activity 1:
To set the tone of the session, you, the Instructor, can ask the students to list the kinds of data or information that an Information Security Analyst is likely to deal with. The objective of this exercise is to gauge the students' current level of understanding. At the end, they should be able to broadly classify their data into two categories: quantitative (like facts and figures) and qualitative (like feedback).

Activity 2:
You can ask the students what type of people an Information Security Analyst is likely to
interact with, to manage data effectively. At the end of the discussion, you can help
them categorise the people into the following categories:
• Line manager
• Members of your own workgroup
• People of other workgroups
• Subject matter experts


1.1. Information and Knowledge Management

What is data?

Data is unprocessed facts or figures, without any added interpretation or analysis. For example: Asha's salary is Rs. 10,000 per month.

What is information?

Information is data that has been interpreted or analysed so as to give it some meaning. For example: Asha's salary is Rs. 10,000, which is 10% less than that of her peers.

What is knowledge?

Knowledge is the combination of information, experience and insight that is useful for deciding a course of action. For example: if Asha develops her writing skills, her salary can reach par with her peers.

Knowledge required for the job of Information Security Analyst

A. Knowledge of the Organisation

To be able to work in any organisation, an employee, irrespective of the role they have been assigned, needs to know about the organisation they are working with. This includes knowledge about the company's policies, procedures, structure and culture, your own role and responsibilities, an overview of other departments, the information needs of other departments, key contact points, etc.

B. Technical Knowledge

Technical knowledge helps a person understand a field of work. This section would be the easiest to explain to the students, as it would be obvious to them that to perform any task they need the technical know-how for it. If the Information Security Analyst does not know what a gateway, a multiplexer or a hub is, or how they function, how can one be expected to install them?

Knowledge Management

Knowledge management is the systematic management of an organisation's knowledge assets for the purpose of creating value and meeting tactical and strategic requirements.

What kind of data or information is required by an Information Security Analyst?

An Information Security Analyst usually has to deal with the following types of data and information to perform their job effectively:
• Information about the current security systems, if any
• Computer hardware and software specifications
• Information about the networking systems
• Information about the latest security systems available in the market
• Feedback from the users
• Problems faced by the users

UNIT II
How to manage data/
information effectively

This Unit covers:

• Lesson Plan
• Suggested Learning Activities
• Trainer Resource Material
  2.1. How to Manage Data/Information Effectively


LESSON PLAN

Outcomes | Performance Ensuring Measures | Duration of training (Hrs) | Work Environment / Lab Requirement

Row 1
Outcomes:
  PC1. establish and agree with appropriate people the data/information you need to provide, the formats in which you need to provide it, and when you need to provide it
  PC2. obtain the data/information from reliable sources
  PC3. check that the data/information is accurate, complete and up-to-date
  PC4. obtain advice or guidance from appropriate people where there are problems with the data/information
  PC5. carry out rule-based analysis of the data/information, if required
  PC6. insert the data/information into the agreed formats
  PC7. check the accuracy of your work, involving colleagues where required
  PC8. report any unresolved anomalies in the data/information to appropriate people
  PC9. provide complete, accurate and up-to-date data/information to the appropriate people in the required formats on time
Performance Ensuring Measures:
  Provide written instructions to the participants for collating data relevant to any of the sessions. Prepare an assessment sheet for each individual to check whether they demonstrated all the performance criteria mentioned.
Duration of training (Hrs):
  3 Hrs in class
Work Environment / Lab Requirement:
  Standard environment plus Excel and Word on computers and access to sources for the data to be collected

Row 2
Outcomes:
  You need to know and understand:
  KA1. The organization's procedures and guidelines for providing data/information in standard formats and your role and responsibilities in relation to this
  KA2. The knowledge management culture of the organization
  KA3. Your organization's policies and procedures for recording and sharing information and the importance of complying with these
  KA4. The importance of validating data/information before use and how to do this
  KA5. Procedures for updating data in appropriate formats and with proper validation
  KA6. The purpose of the CRM database
  KA7. How to use the CRM database to record and extract information
  KA8. The importance of having your data/information reviewed by others
  KA9. The scope of any data/information requirements including the level of detail required
  KA10. The importance of keeping within the scope of work and adhering to timescales
Performance Ensuring Measures:
  QA session and a descriptive write-up on understanding. Group research presentation and peer evaluation along with Faculty. Performance evaluation from Faculty and Industry with reward points. Online exam and reward points based on reviews from the forums.
Duration of training (Hrs):
  2 Hrs in-class assessment and 30 Hrs offline research and learning activity
Work Environment / Lab Requirement:
  Standard environment PLUS access to online forums, blogs, etc.

Row 3
Outcomes:
  You need to know and understand:
  KB1. data/information you may need to provide including the sources and how to do this
  KB2. templates and formats used for data and information including their purpose and how to use these
  KB3. different techniques used to obtain data/information and how to apply these
  KB4. how to carry out rule-based analysis on the data/information
  KB5. typical anomalies that may occur in data/information
  KB6. who to go to in the event of inaccurate data/information and how to report this
Performance Ensuring Measures:
  QA session and a descriptive write-up on understanding and reporting. Group presentation and peer evaluation along with Faculty. Performance evaluation of the report by Faculty with reward points.
Duration of training (Hrs):
  2 Hrs in-class assessment and 15 Hrs offline research and learning activity
Work Environment / Lab Requirement:
  Standard environment PLUS access to online forums.


SUGGESTED LEARNING ACTIVITIES

Activity 1:
• You can explain to the students that to be able to work in any organisation, an
employee, irrespective of the role he has been assigned, needs to know about
the organisation he is working with. This includes knowledge about the
company’s policies, procedures, structure, culture, your role and
responsibilities, overview of other departments, information needs of other
departments, key contact points, etc.

Activity 2:
• Go through various organisations' websites and understand their policies and guidelines. Identify the standard templates and reporting formats in practice. (Research)

Activity 3:
• Understand, summarise and articulate policies and procedures, and specify the importance of complying with them.

Activity 4:
• Evaluate an open-source CRM database. Download public datasets and do a validation check.
• Involve the peer group, faculty group and industry experts.
• Peer review with faculty, with appropriate feedback.
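A worked example for the validation check in Activity 4, added here as trainer resource material; it is not code from the handbook or from any product. It assumes a department hands over a hardware inventory extract as CSV with the columns shown (asset_id, hostname, ip, os, owner_dept, last_verified), a 90-day freshness rule, and the constructed sample rows embedded in the code; all of these are assumptions for illustration. Each record is checked against the quality parameters the NOS asks for (complete, valid, up-to-date, consistent, no duplicates), and every failure is collected into an anomaly report for escalation (PC3, PC8) rather than silently dropped.

```python
"""Rule-based validation of a hardware/software inventory hand-over.

Added example for Activity 4; not from the handbook. The column layout,
the 90-day freshness rule and the sample rows are constructed assumptions.
"""
import csv
import io
import ipaddress
from datetime import date, timedelta

# Constructed sample, as a department might hand it over (header + 6 rows).
# Deliberate defects: a stale record, a missing hostname, a bad IP, a
# duplicated asset_id, a missing owner, a non-ISO date, an IP used twice.
SAMPLE_CSV = """asset_id,hostname,ip,os,owner_dept,last_verified
A-001,web01,10.0.1.10,Ubuntu 22.04,IT-Infra,2024-05-02
A-002,db01,10.0.1.20,RHEL 9,IT-Infra,2023-01-15
A-003,,10.0.1.300,Windows Server 2022,R&D,2024-05-03
A-002,db01-old,10.0.1.21,RHEL 8,IT-Infra,2024-04-30
A-005,lab-pc,192.168.5.7,Windows 11,,2024/05/01
A-006,web01b,10.0.1.10,Ubuntu 22.04,IT-Infra,2024-05-04
"""

REQUIRED = ("asset_id", "hostname", "ip", "os", "owner_dept", "last_verified")
MAX_AGE = timedelta(days=90)  # assumed policy: a record older than this is stale


def validate_record(row, today, seen_ids, seen_ips):
    """Apply the quality rules to one record; return a list of (rule, detail)."""
    def field(name):
        return (row.get(name) or "").strip()   # DictReader may yield None for short rows

    problems = []
    for name in REQUIRED:                        # complete?
        if not field(name):
            problems.append(("incomplete", f"missing {name}"))
    try:                                         # valid IP?
        ipaddress.ip_address(field("ip"))
    except ValueError:
        problems.append(("invalid", f"bad IP address {field('ip')!r}"))
    try:                                         # valid date, and up-to-date?
        verified = date.fromisoformat(field("last_verified"))
        if today - verified > MAX_AGE:
            problems.append(("stale", f"last verified {verified.isoformat()}"))
    except ValueError:
        problems.append(("invalid", f"bad date {field('last_verified')!r}"))
    aid, ip = field("asset_id"), field("ip")
    if aid in seen_ids:                          # no duplicates?
        problems.append(("duplicate", f"asset_id {aid} already listed"))
    if ip in seen_ips and seen_ips[ip] != aid:   # consistent across records?
        problems.append(("inconsistent", f"IP {ip} also assigned to {seen_ips[ip]}"))
    return problems


def validate_inventory(csv_text, today):
    """Validate every record. Returns (clean_rows, anomaly_report)."""
    clean, report = [], []
    seen_ids, seen_ips = set(), {}
    # start=2: line 1 of the file is the header row
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        problems = validate_record(row, today, seen_ids, seen_ips)
        aid = (row.get("asset_id") or "").strip()
        seen_ids.add(aid)
        seen_ips.setdefault((row.get("ip") or "").strip(), aid)
        if problems:
            report.extend({"line": lineno, "asset_id": aid, "rule": rule, "detail": detail}
                          for rule, detail in problems)
        else:
            clean.append(row)
    return clean, report


def run_example(today=date(2024, 5, 10)):
    """Validate the constructed sample as of a fixed date, so results are reproducible."""
    return validate_inventory(SAMPLE_CSV, today)


if __name__ == "__main__":
    clean, report = run_example()
    print(f"{len(clean)} record(s) accepted, {len(report)} problem(s) to report:")
    for item in report:
        print(f"  line {item['line']} ({item['asset_id'] or '?'}): {item['rule']} - {item['detail']}")
```

Only one of the six sample rows passes all the rules; the other seven findings are returned with their line number so the department that produced the file can be asked to correct it at source (PC4), instead of the analyst quietly patching the data. Students can swap in a downloaded public dataset by changing the column names in REQUIRED and the date/IP checks to match.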

Activity 5:
• Go through various organisations' websites and understand how they define the scope of work and adhere to timescales and guidelines. (Research)

Activity 6:
• Working in a Team (IM and chat applications) and group activities (online forums)
including templates to be prepared.


2.1. How to Manage Data/Information Effectively

What is a policy?

A policy is a statement of agreed intent that clearly sets out an organisation's views with respect to a particular matter.

What is a procedure?

A procedure (or practice) is a clear step-by-step method for implementing an organisation's policy or responsibility.

Why does an Information Security Analyst need to understand the organisation's policies and procedures?

• They give a framework for action, so that one can get on with the job.
• They help one understand what is expected of him/her; in other words, they help one understand one's role and responsibilities.
• They help one comply with legal requirements.
• They help one understand the quality standards set out by the organisation.

Understanding the organisation's policies for recording and sharing information

1. Go through various organisations' websites and understand their policies and guidelines. Identify the standard templates and reporting formats in practice. (Research)
2. Understand, summarise and articulate policies and procedures, and specify the importance of complying with them.

Not only does an Information Security Analyst need to understand the organisation's policies and procedures for the type of data and information that can be used, but also the procedures for how to use them. Such policies clearly lay out the formats in which the data has to be stored, and when and where, as well as the way it has to be shared. For example, an organisation could have a policy to record all system-testing data in an online format that can be accessed by the senior management at any time.

Understanding the procedures for updating data in appropriate formats

Just as organisations have policies and procedures for using, storing and sharing data, they have policies for updating data in the appropriate formats. For example, the Information Security Analyst may receive feedback in various forms (verbal, written, through feedback forms, etc.), but the organisation's policy could state that all feedback must be kept up to date in a pre-specified format.

Understanding the knowledge management culture of your organisation

Each organisation has a culture of managing its data and information, which stems from its policies and procedures and, of course, its people, especially the senior management. For example, if your line manager gives importance to maintaining data records in specific formats, you too would take it seriously, and vice versa.

Identifying the appropriate people to take advice from and to report to with appropriate data/information

The kind of data and information that an Information Security Analyst deals with is sensitive in nature, so one needs to be aware of the company policy about whom one can share the data with and whom one can take advice from. For example, the R&D division of a company may not want to share the details of its security systems with the heads of other departments, so as an Information Security Analyst you will have to be careful about that.

Understanding the importance of validating information before use

As an Information Security Analyst, you will be inundated with data and information. However, you need to validate that data for correctness and usefulness before using it. This is especially true of information obtained from the Internet. For example, one of your colleagues may have told you about a security system that your competitor is using. Instead of copying it, you should validate that information and study whether or not it suits your organisation's needs.

Understanding the importance of getting data/information reviewed by others

An Information Security Analyst cannot be expected to validate all information alone, so one can take help from colleagues. However, one has to be careful to get the data reviewed only by authorised persons who have the domain knowledge.

What is CRM?

Customer Relationship Management (CRM) is an approach to managing a company's interaction with current and future customers. It often involves using technology to organise, automate and synchronise sales, marketing, customer service and technical support.

What is a database?

A database is a collection of information that is organised so that it can easily be accessed, managed and updated. A spreadsheet such as Microsoft Excel is not a database management system, but it is often used as a very basic substitute for one.

An integral part of the job of an Information Security Analyst is to understand the CRM database of an organisation, to ensure that customer data is stored and accessed securely.

Understanding the scope of work and data requirements

An organisation has practically unlimited amounts of data. Therefore, an Information Security Analyst needs to understand what the scope of work is. For example, the organisation's policy may require all departments to give data to the Information Security Analyst in a pre-determined format every month, for system updates. If some department tries to give raw data to the Analyst to save its own workload, he/she should be able to raise an objection. This also means that the Information Security Analyst should give their data requirements to the departments in advance and explain the process for the same.

Understanding the data/information that you may need to provide

As discussed earlier, the Information Security Analyst needs to be aware of the data and information that comes under their purview. Time and again, one may need to share some data and information with peers or senior managers. The following are some examples:

• Current security systems: the senior managers may want to check whether their data is secure.
• Computer hardware and software specifications: this information may go to and fro between various sub-departments of the IT department.
• Networking systems: this information may go to and fro between various sub-departments of the IT department.
• Information about the latest security systems available in the market: the senior managers, or your line manager, may want to be apprised of this.
• Feedback from the users: the senior managers may want to review the current security systems and their user-friendliness.
• Problems faced by the users: the senior managers may want to understand the security systems from the users' perspective.

Understanding the templates/formats

As an Information Security Analyst, you should have an understanding of the various templates and formats that your organisation uses for data storage and sharing.

The following example lists what a data security policy template and its guidelines cover, which an Information Security Analyst should understand:

• To what types of data the policy applies.
• Who in the business is responsible for data protection.
• The main data risks faced by the company.
• Key precautions to keep data protected.
• How data should be stored and backed up.
• How the company ensures data is kept accurate.
• What to do if an individual asks to see the data held about them.
• Under what circumstances the business discloses data, and to whom.
• How the company keeps individuals informed about the data it holds.

Understanding the techniques for obtaining data/information

The Information Security Analyst should have knowledge of the various data access techniques available in the market, and of the company policy for using them. For example, some organisations have front-end forms where the user can select from drop-downs and get the data that they need. You, the Instructor, can explain this with the help of an example of a form used to input and access data.
Ensuring the quality of data

The Information Security Analyst should always ensure that the data and information provided by him/her meets the quality standards set by the organisation. The following are some parameters to take care of:
• Error-free
• Up-to-date
• In the specified format
• Easy to retrieve
• Not altered during retrieval
• Complete
• Consistent
• Available on time
• Valid
• Relevant

Understanding the process for data analysis

Data analysis refers to the process of manipulating data to get meaningful results. For example, the Marketing Head may want to find out which customers contribute most to the bottom line. He/she can access the sales records of all the customers and filter them according to their sales value. The Information Security Analyst should be careful to carry out rule-based analysis on the data or information, i.e., analysis that applies the rules the organisation has agreed in advance, rather than ad hoc judgement.

The following are some commonly used tools for data analysis:
• MS Excel
• SAS
• SPSS
• Minitab

Understanding, identifying and reporting anomalies

As an Information Security Analyst, not only do you have to ensure that you store data properly, you also need to identify anomalies and report them. For example, if you find that data about your company's plans is being accessed from an IP address outside your organisation at odd hours, you should verify the information and report it to your seniors immediately.


UNIT III
Skills required to manage data
and information effectively

This Unit covers:

• Lesson Plan
• Suggested Learning Activities
• Trainer Resource Material
  3.1. Skills required to manage data and information effectively


LESSON PLAN

Outcomes | Performance Ensuring Measures | Duration of training (Hrs) | Work Environment / Lab Requirement

Writing Skills
Outcomes:
  You need to know and understand how to:
  SA1. complete accurate, well written work with attention to detail
Performance Ensuring Measures:
  SA1. Online assessment. Document review by peer group and Faculty.
Duration of training (Hrs):
  30 min classroom assessment and 10 Hrs offline.
Work Environment / Lab Requirement:
  Standard environment

Reading Skills
Outcomes:
  You need to know and understand how to:
  SA2. read instructions, guidelines/procedures
Performance Ensuring Measures:
  SA2. Quiz; document review by peer group and Faculty.
Duration of training (Hrs):
  30 min classroom assessment and 10 Hrs offline.
Work Environment / Lab Requirement:
  Standard environment

Oral Communication (Listening and Speaking Skills)
Outcomes:
  You need to know and understand how to:
  SA3. listen effectively and orally communicate information accurately
Performance Ensuring Measures:
  SA3. Online assessment. Versant/SVAR strongly recommended.
Duration of training (Hrs):
  10 min per student
Work Environment / Lab Requirement:
  Standard environment

Decision Making
Outcomes:
  You need to know and understand how to:
  SB1. follow rule-based decision-making processes
  SB2. make a decision on a suitable course of action
Performance Ensuring Measures:
  SB1, SB2. Online assessment. Technical assessment, case study and document evaluation.
Duration of training (Hrs):
  2 Hrs classroom assessment and 20 Hrs offline.
Work Environment / Lab Requirement:
  Standard environment PLUS various publicly available data sets (www.data.gov.in)

Plan and Organise
Outcomes:
  You need to know and understand how to:
  SB3. plan and organise your work to achieve targets and deadlines
Performance Ensuring Measures:
  Quiz. Peer group evaluation and faculty evaluation. Plan document review by faculty.
Duration of training (Hrs):
  30 min classroom assessment and 10 Hrs offline.
Work Environment / Lab Requirement:
  Standard environment

Customer Centricity
Outcomes:
  You need to know and understand how to:
  SB4. check that your own work meets customer requirements
  SB5. meet and exceed customer expectations
Performance Ensuring Measures:
  SB4, SB5. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Duration of training (Hrs):
  30 min classroom assessment and 10 Hrs offline research and learning activity.
Work Environment / Lab Requirement:
  Standard environment PLUS access to online forums.

Problem Solving
Outcomes:
  You need to know and understand how to:
  SB6. apply problem solving approaches in different situations
Performance Ensuring Measures:
  SB6. Assessment based on use case. Submit and review the document by group/faculty.
Duration of training (Hrs):
  30 min classroom assessment and 10 Hrs offline.
Work Environment / Lab Requirement:
  Standard environment PLUS various publicly available data sets (www.data.gov.in, www.kaggle.com, www.coursera.org, www.udacity.com, www.edx.org)

Analytical Thinking
Outcomes:
  You need to know and understand how to:
  SB7. configure data and disseminate relevant information to others
Performance Ensuring Measures:
  SB7. Assessment based on use case. Submit and review the document by group/faculty.
Duration of training (Hrs):
  30 min classroom assessment and 10 Hrs offline.
Work Environment / Lab Requirement:
  Standard environment PLUS various publicly available data sets (www.data.gov.in, www.kaggle.com, www.coursera.org, www.udacity.com, www.edx.org)

Critical Thinking
Outcomes:
  You need to know and understand how to:
  SB8. apply balanced judgements to different situations
Performance Ensuring Measures:
  SB8. Assessment based on use case. Submit and review the document by group/faculty. Logical thinking towards problem solving.
Duration of training (Hrs):
  30 min classroom assessment and 10 Hrs offline.
Work Environment / Lab Requirement:
  Standard environment PLUS seminars, workshops, panel discussions, etc.

Attention to Detail
Outcomes:
  You need to know and understand how to:
  SB9. check your work is complete and free from errors
  SB10. get your work checked by peers
Performance Ensuring Measures:
  SB9, SB10. Assessment based on use case. Submit and review the document by group/faculty.
Duration of training (Hrs):
  30 min classroom assessment and 10 Hrs offline.
Work Environment / Lab Requirement:
  Standard environment PLUS seminars, workshops, panel discussions, etc.

Team Working
Outcomes:
  You need to know and understand how to:
  SB11. work effectively in a team environment
Performance Ensuring Measures:
  SB11. Group and Faculty evaluation based on anticipated outcomes.
Duration of training (Hrs):
  30 min classroom assessment and 10 Hrs offline research and learning activity.
Work Environment / Lab Requirement:
  Standard environment PLUS access to online forums.

Technical Skills
Outcomes:
  You need to know and understand:
  SC1. use information technology effectively, to input and/or extract data accurately
  SC2. validate and update data
  SC3. identify and refer anomalies
  SC4. store and retrieve information
  SC5. keep up to date with changes, procedures and practices in your role
Performance Ensuring Measures:
  SC1 to SC5. Online assessment. Task-based assessment. Document comparison reports. Task schedulers.
Duration of training (Hrs):
  1 Hr classroom assessment and 20 Hrs offline.
Work Environment / Lab Requirement:
  Standard environment PLUS various publicly available data sets (www.data.gov.in)


SUGGESTED LEARNING ACTIVITIES

Activity 1:
Have the students do the following tasks:
• For Writing Skills: documentation preparation as per the specifications given; story writing; handouts.
• For Reading Skills: download instructions, procedures and guidelines from the Internet and hold peer and faculty discussions.
• For Listening and Speaking Skills: conduct a group discussion on a topic selected by the faculty. Listen, interpret and communicate between groups and faculty.
Activity 2:
• For Decision Making Skills: discover and review data from public websites. Use various supervised and unsupervised learning methods, build models and derive a decision-making process. Recommend that groups take different domains (data sets). Document the entire exercise, circulate it across all the groups and publish it in the forums.
Activity 3:
• For Planning and Organising Skills: assign a task with a measurable target to be achieved within a deadline. Divide the batch into groups. Share the steps involved in planning and organising, and ask them to perform the task in the given time, making sure all the steps for planning and organising are done.
Activity 4:
• For Customer Centricity: check all previous exercises. Create a traceability matrix of requirements vs. outcomes. Compare with the customer's expectation (the faculty or an industry expert acts as the customer).
• Submit the expectation in a standard template.
Activity 5:
• For Problem Solving: discuss with peers, groups, faculty and SME/industry SPOCs. Come up with a solution document/architecture for a use case.
Activity 6:
• For Analytical Ability and Critical Thinking: discuss with peers, groups, faculty and SME/industry SPOCs.
• Come up with a plan document for various situations in business use cases.
Activity 7:
• For Attention to Detail: check and review the work of peers and share it with the faculty.
Activity 8:
• For Team Work: define roles and responsibilities amongst the groups.

Activity 9:
• For Technical Skills: check for publicly available data sets by exploration and research. Review and download the data.
• Store the data into databases using various methods like SQL, programming languages, scripting, etc. Find anomalies and prepare a report. Recommend defining roles to perform the tasks. Groups must take different domains (data sets).

Activity 10:
• Ask the students to fill in the following table based on whatever they have learnt so far. You can share one example with them to explain what is expected of them, if required.

Tasks | Sub Tasks | Performance Evaluation Criteria

Tasks:
  Example: Improving data analysis
Sub Tasks:
  Submits a proposal for purchasing a new statistical tool
Performance Evaluation Criteria:
  - Goes the extra mile to ensure he delivers up-to-date solutions
  - Communicates with colleagues effectively
  - Is conscious about the quality of output
  - Keeps abreast of the latest technological solutions

 Give the students 10 minutes to fill the table, post which you can discuss
some samples with them. You can keep enlisting the evaluation criteria, so
that the whole class can refer to them. At the end of the exercise, you can
ensure that the following evaluation criteria have been covered.


3.1. Skills required to manage data and information effectively

What are Skills?

A skill is the ability to use information or knowledge, acquired through education or experience, to accomplish a given task.

Types of skills

• Technical Skills: the ability to do a specific type of activity or work.
• Human Skills: the ability to work with people.
• Conceptual Skills: the ability to work with ideas or concepts.
• Generic Skills: skills common to most white-collar jobs, like reading, writing, listening and speaking.
• Professional Skills: skills that make a person more employable by giving them the ability to make logical decisions and to solve problems judiciously. Some examples of professional skills are decision making, planning and organising, customer centricity, problem solving, critical thinking, attention to detail and team work.

Skills required to manage data and information effectively

Security Analysts need to be good at the following skill-sets if they want to make a career as an Information Security Analyst and be able to manage data effectively.

Core/Generic Skills: As an Information Security Analyst, you should be able to communicate well with colleagues in writing. You should be able to write accurately, with attention to detail. For example, making plans for the department for upgrading the security systems requires writing skills. You should also be able to read instructions, guidelines, procedures and service level agreements laid down by your organisation. For example, each organisation has certain guidelines for data security; as an Information Security Analyst you should be aware of those, and only then can you install the appropriate security systems. Other than reading and writing, an Information Security Analyst should also have oral skills, i.e., listening and speaking. For example, when talking to your line manager, you need to listen to the instructions carefully. If at any stage you do not understand the instructions, you should be able to speak up and ask for clarification.

Professional Skills: During the course of any career, one needs to be adept at professional skills like problem solving, critical thinking, logical reasoning, etc. This is equally true for an Information Security Analyst.

• Decision Making: Many times, as an Information Security Analyst, you would need to take decisions, and you should have the skills to take the appropriate ones. Also, you should follow the company rules for the same. For example: which security systems to install? How to test them?
• Planning and Organising: These are basic skill-sets for any role. To accomplish any task, one needs to first plan and then organise the sub-tasks. For example, making a project plan for upgrading the data security systems.
• Customer Centricity or Focus: The term 'customer' refers not only to external but also to internal customers, i.e., colleagues. As an Information Security Analyst, you will need to work with colleagues from across the organisation, as has been explained in the chapter on how to work effectively with colleagues. When designing and installing the security systems, you will have to make sure that they meet the requirements of your colleagues; in other words, their needs have to be considered paramount. Not only should you strive to meet customer requirements, you should try to exceed them.
• Problem Solving: You will face many challenges as an Information Security Analyst, and will have to develop problem-solving skills to handle them. For example, if you have developed a system that does not permit employees to access data on Sundays, and you notice certain anomalies, it would be your responsibility to bring this to the notice of your line manager.
• Analytical Thinking: Another skill-set associated with an Information Security Analyst is an analytical bent of mind. You will have to analyse data across the organisation and also monitor the activities of all, before coming up with a data security plan. You will have to ensure that the relevant information reaches the concerned people on time.
• Critical Thinking: This skill may be required by an Information Security Analyst time and again, as you may have to apply your judgement in a balanced manner in various situations. For example, you may suggest a particular data security template, but the senior management may not agree, due to it being too complex. Thus, you may have to apply your judgement to come up with a plan that keeps user-friendliness in mind while not compromising on security.
• Attention to Detail: Quality is a key criterion for any job, and that of an Information Security Analyst is no different. One aspect of it is paying attention to detail. For example, the data usage policy of an organisation may be different for the senior management compared to that for others. The Information Security Analyst would need to be aware of this while designing policies. Also, you need to ensure that the data is error-free and complete. You can also take help from colleagues, if required.
• Team Work: No job can be completed without interacting with others, within and outside the organisation. Thus the ability to work with others as a team is a key requirement. For example, to test database systems, an Information Security Analyst would need to coordinate with members of other teams. Hence, being able to work effectively in a team environment is a must-have skill-set.

Technical Skills: Just like technical knowledge, technical skills too are equally important for any Information Security Analyst to perform their job. For example: the ability to use information technology efficiently; being able to input and extract data accurately; being able to validate and update data; being able to identify and refer anomalies in data; being able to store and share information in standard formats; being up to date with changes, procedures and practices in your role; etc.

783
Trainer’s Handbook – SSC/ Q09004 – Security Analyst

Performance Evaluation Criteria for an Information Security Analyst

By now you should understand the nature of the job of an Information Security Analyst and what would help them perform this role well. Now let us see the criteria that would be used to evaluate the performance of an Information Security Analyst vis-a-vis his/her ability to manage data effectively.

• Coordinates with the appropriate people for data and information needs.
• Is reliable; gets data from reliable sources.
• Communicates with colleagues clearly, concisely and accurately.
• Integrates work effectively with that of others.
• Shares essential information on time.
• Takes help from the appropriate people when there are any problems in the data.
• Follows the company rules while analysing data.
• Keeps track of the needs of the organisation.
• Honours commitments.
  o If for some reason, the analyst is unable to carry out their promises, they inform in advance and suggest alternatives.
• Maintains good relationships with colleagues.
  o Sorts out problems with them, if any.
  o Shows respect for others.
• Follows the policies, procedures and culture of the organisation.
• Keeps abreast with the technological developments.
• Reports any unresolved anomalies in the data to the appropriate people.
• Takes care of quality issues.

784
Trainer’s Handbook – Security Analyst SSC/N9005

SSC/ N 9005:
Develop knowledge, skills & competence

UNIT I: Importance of Self Development


UNIT II: Knowledge and Skills Required for the Job
UNIT III: Avenues of Self Development
UNIT IV: Planning for Self-Development


Unit Code SSC/ N 9005

Unit Title (Task) Develop your knowledge, skills and competence

Description This unit is about taking action to ensure you have the knowledge and skills you
need to perform competently in your current job role and to take on new
responsibilities, where required.
Competence is defined as: the application of knowledge and skills to perform to
the standards required.
Scope This unit/task covers the following:

Appropriate people may be:
• line manager
• human resources specialists
• learning and development specialists
• peers

Job role:
• current responsibilities as defined in your job description
• possible future responsibilities

Learning and development activities:
• formal education and training programs, leading to certification
• non-formal activities (such as private study, learning from colleagues, project work), designed to meet learning and development objectives but without certification

Appropriate action may be:
• undertaking further learning and development activities
• finding further opportunities to apply your knowledge and skills
Performance Criteria(PC) w.r.t. the Scope

The user / individual on the job should be able to:


PC1. obtain advice and guidance from appropriate people to develop your
knowledge, skills and competence
PC2. identify accurately the knowledge and skills you need for your job role
PC3. identify accurately your current level of knowledge, skills and competence
and any learning and development needs
PC4. agree with appropriate people a plan of learning and development
activities to address your learning needs
PC5. undertake learning and development activities in line with your plan
PC6. apply your new knowledge and skills in the workplace, under supervision


PC7. obtain feedback from appropriate people on your knowledge and skills and how effectively you apply them
PC8. review your knowledge, skills and competence regularly and take
appropriate action
Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company / organization and its processes)
The user/individual on the job needs to know and understand:
KA1. the organization’s procedures and guidelines for developing your knowledge, skills and competence and your role and responsibilities in relation to this
KA2. the importance of developing your knowledge, skills and competence to you and the organization
KA3. methods used by the organization to review skills and knowledge and how to use these methods to review your knowledge and skills against your job role
KA4. different types of learning and development activities available for your job role and how to access these
KA5. how to produce a plan to address your learning and development needs, who to agree it with and the importance of undertaking the planned activities
KA6. different types of support available to help you plan and undertake learning and development activities and how to access these
KA7. why it is important to maintain records of your learning and development
KA8. the ways of obtaining and accepting feedback from appropriate people on your knowledge, skills and competence
KA9. how to use feedback to develop in your job role

B. Technical Knowledge
The user/individual on the job needs to know and understand:
KB1. the knowledge and skills required in your job role
KB2. your current learning and development needs in relation to your job role
KB3. different types of learning styles and methods including those that help you learn best
KB4. the importance of taking responsibility for your own learning and development


THE UNITS

The module for this NOS is divided into 4 Units based on the learning objectives as given below.

UNIT I: Importance of self-development
1.1. Importance of Developing competence
1.2. Being Responsible for own Development

UNIT II: Knowledge and Skills required for the job
2.1. Knowledge and Skills required for the job

UNIT III: Avenues for Self-Development
3.1. Formal Avenues of Self Development in an organisation
3.2. Different types of learning styles and methods

UNIT IV: Planning for Self-Development
4.1. Planning for Self-Development


UNIT I
Importance of Self Development

This Unit covers:
• Suggested Learning Activities
• Trainer Resource Material
  1.1. Importance of Developing competence
  1.2. Being Responsible for own Development


LESSON PLAN

Performance Outcomes:
You need to know and understand:
KB4. the importance of taking responsibility for your own learning and development
KA2. the importance of developing your knowledge, skills and competence to you and the organization

Ensuring Measures: QA session and a descriptive write-up on understanding. Group presentation and peer evaluation along with Faculty.

Duration of training (Hrs): 2 Hrs in-class assessment and 30 Hrs offline research and learning activity.

Work Environment / Lab Requirement: Standard Environment


SUGGESTED LEARNING ACTIVITIES


Activity 1:

 Ask the students to write in a sheet that after they join their work, what all do they
need to do to ensure the following:
o They perform well at work
o They get the respect of their seniors, peers and users
o Grow to the next level
 Have them share and write the same on the board. Highlight the need for learning.

Activity 2:

 Ask the students to list all the reasons they feel continual learning on the job is
important.
 Have them research and see what professionals say about this.
 Ask them to pose that question in Security Analyst Networking forums and bring the
responses they got.
 After the research, discuss in the class

Activity 3:

• Ask students to go through various organizations’ websites (NASSCOM) and talk to industry experts to understand, summarize and articulate the need for training in organizations, and prepare a need and execution document for the same.

Activity 4:

Divide the participants in groups of 4-5. Distribute to each group the following topics, so that each
group has at least 1 topic to discuss and all the topics are covered. The topics are:
a) After they join work, who will be responsible for their learning?
b) What will happen if they get so involved in work that they are unable to learn
further?
c) What if the organization they join provides no opportunities for work?
d) What could be the obstacles that could hamper their learning? How to handle them?
After the discussion each group to present in front of the class and a class discussion to be
facilitated by the trainer to motivate everyone to commit to being responsible for their own
learning.

Activity 5:

 Have the class work together and develop a self-development charter, stating what they
all would like to commit to doing for their self-development in future
 The trainer can provide inputs.
 Have each student sign it and keep a soft and hard copy.
 Can have the original laminated and put up in the class.

1.1 Importance of developing competence

There is probably no more important skill in life than learning to learn. This skill is especially important for IT professionals, because the field of Information technology changes more rapidly than any other field.

“Change is so fast and frequent that it is almost impossible to be a master of even one particular framework or technology, let alone all the technology that a security analyst needs to know. This is a feature of the new normal that a security analyst will live and work in. If one doesn’t keep pace with the changes then he/she will get left behind.”

Thus in the field of Information technology, if there is truly a skill that will propel one’s career, then that is to learn how to teach yourself and quickly acquire the knowledge needed for the task at hand. Self-development is therefore a continual process throughout one’s career.

The benefits of continual learning and self-development are also as follows:
• It helps to stay relevant and up to date with the changing trends and directions in one’s profession.
• It helps in becoming more effective in the workplace.
• Builds a knowledge base that helps identify different types of problems and generate solutions.
• This assists in advancing one’s career and moving into new positions.
• Can deliver a deeper understanding of what it means to be a professional, along with a greater appreciation of the implications and impacts of your work.
• Leads to increased self confidence.
• Helps to stay interested and interesting by stimulating the mind to stay inspired and excited.
• Opens you up to new possibilities, new knowledge and new skill areas.

Suggested classroom activity:
• Ask the students to list all the reasons they feel continual learning on the job is important.
• Have them research and see what professionals say about this.
• Ask them to pose that question in Security Analyst Networking forums and bring the responses they got.
• After the research, discuss in the class.


What is Competence?

Competence can be defined as the application of knowledge and skills to perform to the standards required. In other words, it is the ability of a person to do a job properly. You can explain this to the students with the help of the following diagram.

Types of Competencies

Competencies can be broadly classified into two categories:

Behavioural Competencies- These refer to the soft skills that affect a person’s performance. For example, customer focus is a very popular behavioural competency expected of an Information Security Analyst. He is expected to keep the needs of his customers in mind and ensure their satisfaction.

Technical Competencies- These refer to technical skills that help a person complete his job. For example, project management is a very popular technical competency expected of an Information Security Analyst.


1.2 Being responsible for own development

In a challenging business environment change is a fact of life. These new challenges, and rapid changes, require new skills, knowledge and attitudes; that is why personal development is so important. Most organisations recognize this and encourage their employees to continuously develop themselves by providing various opportunities for learning as well as time out from work to avail of the same. However, whether the organisation provides an encouraging atmosphere or not, one’s own personal development, growth, and continuing learning is not the organisation’s responsibility; it is one’s own responsibility.

To learn and perform at the highest level, to obtain greater mastery, one has to own the responsibility for self-development.

The organisation may well have the best interests of its employees at heart. But even if it cares deeply about its employees and provides them with training and educational opportunities, it isn’t at all the same as the employees taking responsibility for their own growth.

Each person is best equipped, more than anyone else, to identify:
• what skills and attributes he or she needs to develop;
• where one’s interests lie;
• what one wants in the future and one’s vision of a bigger self.

It requires reflection, research and discussion.

Personal performance depends on you and your motivation to succeed; no one can make it happen for you, but you.

It’s about:
• Self-awareness
• Setting objectives
• Gaining support
• Most importantly, continually reviewing how you are performing.

You need to understand the importance of taking responsibility for your own learning and development. For example, your manager may not have the time to ascertain areas where you may need training. However, if you yourself take up this assessment and go up to him, he may consider your request. In other words, you identified some sample/ potential problems and worked on their solutions proactively.


UNIT II
Knowledge and Skills
Required for the Job

This Unit covers:

 Lesson Plan
 Suggested Learning activities
 Trainer Resource Material
2.1. Knowledge and Skills Required for the Job


LESSON PLAN

Performance Outcome: PC2. identify accurately the knowledge and skills you need for your job role
Ensuring Measures: Ask to list the various Knowledge and Skills required as per the QP-NOS.
Duration (Hrs): 2 hours
Work Environment / Lab Requirement: Standard Environment; copy of the QP for all participants.

Performance Outcomes:
KB1. the knowledge and skills required in your job role
KB2. your current learning and development needs in relation to your job role
Ensuring Measures: KB1 to KB2. Quiz and descriptive exam. Group and Faculty evaluation. Document review.
Duration (Hrs): 1 Hr classroom assessment and 30 Hrs offline research and learning activity.
Work Environment / Lab Requirement: Standard Environment PLUS access to online forums.


SUGGESTED LEARNING ACTIVITIES

Activity 6:

• Divide the learners into groups of 4-5.
• Provide each group a soft copy of the QP-NOS and online access.
• Ask them to identify what all they think they will need to develop themselves on after they join work.
• After they have finished the list, ask them to use Excel and segregate the areas of development under the following heads:
  o Knowledge of the organization
  o Technical knowledge
  o Human skills
  o Conceptual skills
  o Core/Generic skills
  o Professional skills
  o Others


2.1 Skills and knowledge required for the job

Knowledge required to perform the job of an Information Security Analyst effectively

Knowledge refers to information, or concepts learned through books, or training, or other sources of learning. It is the awareness, or understanding of facts and information, which are acquired through education, or learning.

Knowledge of the Organisation

You can explain to the students that to be able to work in any organisation, an employee, irrespective of the role he has been assigned, needs to know about the organisation he is working with. This includes knowledge about the company’s policies, procedures, structure, culture, your role and responsibilities, overview of other departments, information needs of other departments, key contact points, etc.

Technical Knowledge

Technical knowledge helps a person understand a field of work. This section would be the easiest to explain to the students as it would be obvious to them that to perform any task, they would need the technical know-how for the same. If the Information Security Analyst does not know what a gateway is, or what a multiplexer is, or what a hub is, or how they function, how can he be expected to install them?

One also has to plan for foreseen and unforeseen events or occurrences that may impact the work and ensure to factor these in for timelines, costs, material and human resource requirements, etc. These may include things causing distractions, time delays, wastage, change of environmental conditions and assumptions, resource availability, etc.

Skills required to perform the job of an Information Security Analyst effectively

Skill is the ability to use information, or knowledge acquired through education, or experience, to accomplish a given task.

Human Skills- The ability to work with people.

Conceptual Skills- The ability to work with ideas, or concepts.

Core/ Generic Skills- These are generic in nature and are common to most white collar jobs, like reading, writing, listening and speaking.
• As an Information Security Analyst, you should be able to communicate well with colleagues, in writing. For example, making plans for the department for upgrading the security systems requires writing skills.
• You should also be able to read instructions, guidelines and procedures laid down by your organisation. For example, each organisation has certain guidelines for data security.
• As an Information Security Analyst, you should be aware of those. Only then can you install the appropriate security systems.
• Other than reading and writing, an Information Security Analyst should also have oral skills like listening and speaking. For example, when talking to your line manager, you need to listen to the instructions carefully. If at any stage, you do not understand the instructions, you should be able to speak well and ask for clarifications.

Professional Skills- These skills make a person more employable by giving the person the ability to make logical decisions and the ability to solve problems judiciously. Some examples of professional skills are decision making, planning and organising, customer centricity, problem solving, critical thinking, attention to detail, and team work. During the course of any career, one needs to be adept at professional skills like problem solving, critical thinking, logical reasoning, etc. This is equally true for an Information Security Analyst.
• Decision Making- Many times, as an Information Security Analyst, you would need to take decisions, and you should have the skills to be able to take the appropriate decisions. Also, you should follow the company rules for the same. For example, what security systems to install? How to test them?
• Planning and Organising- These are basic skill sets of any role. To be able to accomplish any task, one needs to first plan and then organise the sub-tasks. For example, making a Project Plan for upgrading the data security systems.
• Customer Centricity or focus- The term ‘customer’ refers to not only external but internal customers, i.e., colleagues. As an Information Security Analyst, you will need to work with colleagues from across the organisation, as has been explained in the chapter on how to work effectively with colleagues. When designing and installing the security systems, you will have to make sure that they meet the requirements of your colleagues. In other words, their needs have to be considered paramount. Not only should you strive to meet customer requirements, you should try and exceed them.
• Problem Solving- You would have to face many challenges as an Information Security Analyst. You will have to develop problem solving skills to be able to handle them. For example, if you have developed a system that does not permit employees to access data on Sundays, and if you notice certain anomalies, it would be your responsibility to bring this to the notice of your line manager.
• Analytical Thinking- Another skill-set that is associated with an Information Security Analyst is that you will need to have an analytical bent of mind. You will have to analyse data across the organisation and also monitor the activities of all, before coming up with a data security plan. You will have to ensure that the relevant information reaches the concerned people on time.
• Critical Thinking- This skill may be required by an Information Security Analyst time and again as you may have to apply your judgement in a balanced manner in various situations. For example, you may suggest a particular data security template, but the senior management may not agree due to it being too complex. Thus, you may have to apply your judgement to come up with a plan that keeps user friendliness in mind while not compromising on security.
• Attention to Detail- Quality is a key criterion for any job and that of an Information Security Analyst is no different. One aspect of it is to pay attention to detail. For example, the data usage policy of an organisation may be different for the senior management as compared to that of the others. The Information Security Analyst would need to be aware of this while designing policies. Also, you need to ensure that the data is error-free and complete. You can also take help from colleagues, if required.
• Team Work- No job can be completed without interacting with others, within and outside the organisation. Thus the ability to work with others as a team is a key requirement. For example, to be able to test database systems, an Information Security Analyst would need to coordinate with members of other teams. Hence, being able to work effectively in a team environment is a must-have skill-set.

Technical Skills- The ability to do a specific type of activity or work. Just like technical knowledge, technical skills too are equally important for any Information Security Analyst to perform his job. For example, the ability to use information technology efficiently; being up-to-date with changes, procedures and practices in your role; and agreeing to objectives and work requirements.


UNIT III
Avenues for Self-Development

This Unit covers:

 Lesson Plan
3.1. Formal Avenues of Self Development in an organisation
3.2. Different types of learning styles and methods


LESSON PLAN

Performance Outcomes:
PC1. obtain advice and guidance from appropriate people to develop your knowledge, skills and competence
PC7. obtain feedback from appropriate people on your knowledge and skills and how effectively you apply them
Ensuring Measures: Share the training organisation’s policy and procedures for learning and development and have all learners sign the same. Ask learners to prepare a list of knowledge and skills required for the job and take a sign off from at least 2 seniors in the industry.
Duration (Hrs): 1 Hr classroom assessment and 2 hours preparation of report and sign off from seniors in Industry.
Work Environment / Lab Requirement: Standard Environment; 2 copies of the training organisation’s policy and procedures for learning and development; Industry connect.

Performance Outcomes:
You need to know and understand:
KA1. the organization’s procedures and guidelines for developing your knowledge, skills and competence and your role and responsibilities in relation to this
KA3. methods used by the organization to review skills and knowledge and how to use these methods to review your knowledge and skills against your job role
KA4. different types of learning and development activities available for your job role and how to access these
KA8. the ways of obtaining and accepting feedback from appropriate people on your knowledge, skills and competence
KA9. how to use feedback to develop in your job role
KB3. different types of learning styles and methods including those that help you learn best
Ensuring Measures: KA1 to KA10. QA session and a descriptive write-up on understanding. Group presentation and peer evaluation along with Faculty. Performance evaluation from Faculty and Industry with reward points.
Duration (Hrs): 2 Hrs in-class assessment and 30 Hrs offline research and learning activity.
Work Environment / Lab Requirement: Standard Environment


SUGGESTED LEARNING ACTIVITIES

Activity 1:

Ask the learners to work in groups of 4-5 and make a list of all the various modes of learning they have used in this course.

Ask them to further add other avenues to training that they think will be
available to them on the job.

Then discuss the various options. Ask the participants to expand the list after the
discussion if they learnt any new avenue during the discussion.

Activity 2:

Ask the learners to take out the list of Knowledge and skills for self development, that they
had compiled in the earlier unit. Ask them to assign against each the avenues that they could
use to develop in each area.

Activity 3:

First share with the learners the three learning styles and their clues.

1) Visual
2) Auditory
3) Kinesthetic

Then ask each learner to identify which style(s) they prefer more than the others. Ask them to make a note of their preferred learning methods.

Do the same with the Honey and Mumford learning styles:

1) Activist
2) Reflector
3) Theorist
4) Pragmatist

Activity 4:
Ask the learners to search the internet for questionnaires on Kolb’s as well as Honey and Mumford’s learning styles. Ask them to use those questionnaires to find out their preferred learning styles.


3.1 Formal avenues of self-development in an organisation

Knowledge, skills and attitudes can be developed through a range of methodologies:
1) Education or professional qualifications,
2) Training by employers,
3) On-the-job experience,
4) Informal learning from peers, seniors and others,
5) Self-study and practice.

Many employers invest large amounts of resources (time, effort and money) to make employees work ready and for them to grow in their jobs and improve their knowledge, skills and attitudes. Employees should realise that this is an opportunity for them to develop not only for delivering a better performance for employers but for the employee’s own career development.

A professional should think of career development not just in the short term but also from a longer term perspective.

The knowledge and skills required for a job change over time and therefore a professional needs to ensure his or her employability over one’s working life, and needs to keep learning. High achievers in any field and people who are recognised for their professionalism work very hard to keep abreast of developments in their field and are life-long learners.

Life-long learning is very important for developing a successful and sustainable career. There are many professionals who got comfortable with their current level of performance and stopped learning, and in some time found themselves without a job, or stuck at a particular level without any growth. These people then get frustrated with their professional lives and either resort to blaming employers or fate for their own lack of hard work and lack of desire to keep learning. Successful professionals commit to a life of learning (life-long learning).

It is important that one constantly finds out what avenues are available for one’s development in terms of professional development courses, further education, professional books and programs, etc. Also one must make the most of knowledge and experience available within the job environment from seniors, training manuals and programs, peers, trade and professional journals, suppliers and vendors, etc.

Some more Avenues for Learning
• Develop Your Own Pet Projects: If there is some technology that you really want to learn and if you do not have the opportunity to apply this technology at work, then you should invent your own project to use it and develop this project during your free time.
• Learn from Online Courses: Today there is a great diversity of free online courses. Sites such as Coursera, Udacity and edX offer many interesting courses organized by known professors of some of the best Universities in the world. These courses are completely free, and besides material such as videos and slides they may include real home works and assignments.
• Go to Technical Meetings: Programmers like to meet to discuss new technologies and share their experiences. You can search for meetings in sites such as Meetup and Eventbrite.
• Participate in Online Forums: Online Forums are a great way to communicate with other professionals that may be located very far from you, but even so they share exactly the same interests.
• Read Technical Blogs: Follow software development gurus on Twitter, as well as enthusiastic programmers that like to share their favourite posts.
• See Presentation Slides: If you want to get some initial idea about a technology or platform, and if you do not have much time to invest in it, then finding introductory slides is an easy and fast solution. Sites such as SlideShare have a huge quantity of such professional slides.
• Watch Videos: It is easy to find videos on YouTube or Vimeo on most popular subjects. These may be recorded lectures in Universities, presentations in conferences or talks in group meetings. For example, TED talks are known for their ability to provide inspiration and make watchers think.
• Use Question-and-Answer Communities: If you have a technical problem, then it’s very probable that someone before you already had the same problem. Thus, you should try Q&A Communities such as StackOverflow to search for a solution. If you cannot find an existing question that fits your needs, you can always ask a new question yourself.


3.2 Different types of learning styles and methods

Everyone processes and learns new information in different ways. There are three main cognitive learning styles:
• visual,
• auditory, and
• kinesthetic.

The common characteristics of each learning style listed below can help you understand how you learn and what methods of learning best fit you. Understanding how you learn can help maximize the time you spend studying by incorporating different techniques to custom fit various subjects, concepts, and learning objectives. Each preferred learning style has methods that fit the different ways an individual may learn best.

Visual Learners
CLUES:
• Needs to see it to know it.
• Strong sense of color.
• May have artistic ability.
• Difficulty with spoken directions.
• Overreaction to sounds.
• Trouble following lectures.
• Misinterpretation of words.
LEARNING METHODS:
• Use graphics to reinforce learning - films, slides, illustrations, diagrams.
• Color coding to organize notes and possessions.
• Write out directions.
• Use flow charts / diagrams for note taking.
• Visualizing spelling of words or facts to be memorized.

Auditory Learners
CLUES:
• Prefers to get information by listening and needs to hear it to know it.
• Difficulty following written directions.
• Difficulty with reading.
• Problems with writing.
• Inability to read body language and facial expressions.
LEARNING METHODS:
• Use tapes for reading and for class and lecture notes.
• Learn by interviewing/participating in discussions.
• Have test questions or directions read aloud or put on tape.

Kinesthetic Learners
CLUES:
• Prefers hands-on learning.
• Can assemble parts without reading directions.
• Difficulty sitting still.
• Learns better when physical activity is involved.
• May be very well coordinated and have athletic ability.
LEARNING METHODS:
• Experimental learning (making models, doing lab work, and role playing).
• Frequent breaks in study periods.
• Trace letters and words to learn spelling and remember facts.
• Use computer to reinforce learning through sense of touch.
• Memorize or drill while walking or exercising.
• Express abilities through dance, drama, or gymnastics.


The most used and researched models were developed by Kolb (1984) and Honey and Mumford
(1986). As per Honey and Mumford (1986), learners displayed the following learning styles:

Activist
Characteristics: Learn by doing and participation.
Learning Methods: brainstorming, problem solving, group discussion, puzzles, competitions, role-play.

Reflector
Characteristics: Learn by watching others and think before you act.
Learning Methods: models, statistics, stories, quotes, background information, applying theories.

Theorist
Characteristics: Learn by understanding theory very clearly.
Learning Methods: time to think about how to apply learning in reality, case studies, problem solving, discussion.

Pragmatist
Characteristics: Learn through practical tips and techniques from an experienced person.
Learning Methods: paired discussions, self-analysis questionnaires, personality questionnaires, time out, observing activities, feedback from others, coaching, interviews.


UNIT IV
Planning for Self-Development

This Unit covers:

• Lesson Plan
• Suggested Learning Activities
• Trainer's Resource Material
4.1. Planning for Self-Development


LESSON PLAN

Performance Outcomes | Ensuring Measures | Work Environment / Lab Requirement

PC3. identify accurately your current level of knowledge, skills and competence and any learning and development needs
PC4. agree with appropriate people a plan of learning and development activities to address your learning needs
PC5. undertake learning and development activities in line with your plan
PC6. apply your new knowledge and skills in the workplace, under supervision
PC8. review your knowledge, skills and competence regularly and take appropriate action
Ensuring Measures: All learners to self-evaluate themselves on the skills required and prepare a self-development plan with goals and milestones. Get it evaluated by Faculty and Peer review.
Work Environment / Lab Requirement: Standard Environment

You need to know and understand: KA1 to KA10.
Work Environment / Lab Requirement: Standard Environment

KA5. how to produce a plan to address your learning and development needs, who to agree it with and the importance of undertaking the planned activities
Ensuring Measures: QA session and a Descriptive write up on understanding.
Work Environment / Lab Requirement: Online access for research work

KA6. different types of support available to help you plan and undertake learning and development activities and how to access these
Ensuring Measures: Group presentation and peer evaluation along with Faculty.

KA7. why it is important to maintain records of your learning and development

KB3. different types of learning styles and methods including those that help you learn best
Ensuring Measures: Performance evaluation from Faculty and Industry with reward points.


SUGGESTED LEARNING ACTIVITIES

Activity 1:
Ask the learners to download samples of organization’s policies and procedures for
Learning and development and share with the class.

Activity 2:

Have the learners apply all the 10 steps on themselves as they learn to create a self-development plan that they could follow as soon as they finish the course.

Activity 3:
Have the learners research each step further on their own.


4.1 Planning for self-development


Steps to be taken to upgrade your current level of knowledge, skills and competence.

Each organisation has a set of guidelines for developing the skill-sets of its employees. Given the nature of the job of an Information Security Analyst, it is important for him to keep himself abreast of the latest technological developments.

He can follow the following 10 steps to ascertain his current level of knowledge, skills and competence.

1) Understand your organisation's procedures and guidelines for developing your knowledge, skills and competence, and your role and responsibilities in relation to this. For example, some organisations mandate their employees to enrol themselves for self-learning tutorials on the company's Intranet. If you have a team reporting to you, then it would become your responsibility to ensure that your team members also enrol for these mandatory trainings.

2) Understand why you need to develop your knowledge, skills and competence and how it will help your organisation. Also, understand why learning new concepts is important and how they can be applied in the work environment. As has already been explained several times earlier, the role of an Information Security Analyst requires him to be up-to-date. For example, if your company tells you to have a Twitter handle so that you can participate in various technical discussions, and you do not know how to use Twitter, it will go against you. For this, if you enrol for some training, your career prospects will brighten up.

3) Apprise yourself of the different methods used by your organisation to review skills and knowledge. Some such methods are:

4) Training Need Analysis- This is a process to discover the development needs of employees so that they can perform their job effectively. The following tools are used frequently for assessing the training needs:
o Questionnaires
o Direct observation
o Review of relevant literature
o Interviews
o Records and report studies
o Consultation with persons in key positions, and/or with specific knowledge
o Focus groups
o Assessments
o Surveys
o Work samples

5) Skills Need Analysis- This process is similar to the Training Need Analysis with a focus on the development needs of skills like the following:
o Planning
o Analytical skills
o Action orientation
o Business knowledge/acumen
o Communication
o Customer focus
o Adaptability
o Decision making
o Fiscal management
o Global perspective
o Innovation
o Interpersonal skills
o Leadership
o Establishing objectives
o Risk management
o Persuasion and influence
o Teamwork
o Problem solving
o Project management
o Results orientation
o Technology
o Self-management

Performance Appraisals- One technique of identifying the training needs of employees is through performance appraisals. Managers are interviewed and performance data is analysed. Some commonly used sources of performance data are:
o Absenteeism
o Performance appraisals
o Turnover
o Quality parameters
o Losses
o Accidents
o Safety incidents
o Grievances
o Returns
o Customer complaints

6) Understand the different types of learning and development activities available for your role and the process of availing those. The following are some commonly used techniques in organisations:
o Instructor-led training
o Blackboard, or whiteboard
o Overhead projector
o Videos
o PowerPoint presentation
o Storytelling
o Interactive methods
o Quizzes
o Group discussions
o Case studies
o Q&A sessions
o Role playing
o Hands-on training
o Coaching
o Mentorship
o Apprenticeship
o Demonstrations
o Computer Based Training
o CD-ROM
o Multimedia
o Virtual reality
o E-Learning
o Web-based training
o Webinars
o Video conferencing
o Blended learning- A combination of two or more of the techniques given above.

7) Making a plan- Like with any activity, this too requires planning. The following are some major steps:
o Identify the people who would help you make the plan, and those who would approve it- for example, your managers.
o Understand what is at stake- for example, who would take care of your job in your absence.
o Study the different types of tools available.
o Study the documentation required and understand why it is important- for example, would you need to make a report on what you have learnt after the training? Can this report be of help to your peers, who can probably learn from it?
o Identify whom to take feedback from and how to follow up on it- for example, would your managers review the changes in your work processes after the training? Also, you would need to understand the various methods of obtaining feedback, and how to use it. Some commonly used methods are:
• Surveys
• Feedback boxes
• Face-to-face interaction
• Peer assessment

8) Understand how and what future avenues would open up post the training. For example, if you undergo social media training, you can add that as an additional skill-set in your resume, which would give you an edge over your peers.

9) Implement the plan, apply your new knowledge and skills in the workplace and take feedback. For example, if you have taken training about a new data security system, you can make a proposal to get it installed; after installation, you can use it and demonstrate the benefits to your peers and managers.

10) You need to make sure that you make this a continuous process.

Annexures

• Security Assessment Template
• Case Studies
• JNTUH Syllabus mapped to the Students Guide
• Assessment Criteria
Annexure 1

Security Assessment Template


This work is licensed under the Creative Commons Attribution-NonCommercial License. To
view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to
Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Created by Keith A. Watson, CISSP on March 1, 2005

{CLIENT ORGANIZATION}
Security Assessment Report

January 30, 2016

Report Prepared by:


{YOUR NAME}, {YOUR CREDENTIALS}
{YOUR EMAIL ADDRESS}
{YOUR PHONE NUMBER}

{YOUR ORGANIZATION}
{YOUR MAILING ADDRESS}

The information contained within this report is considered


proprietary and confidential to the {CLIENT ORGANIZATION}.
Inappropriate and unauthorized disclosure of this report or portions
of it could result in significant damage or loss to the {CLIENT
ORGANIZATION}. This report should be distributed to
individuals on a Need-to-Know basis only. Paper copies should be
locked up when not in use. Electronic copies should be stored
offline and protected appropriately.

Confidential and Proprietary Information: Need to Know


{CLIENT ORGANIZATION}

EXECUTIVE SUMMARY 5

Top-Ten List 5
1. Information Security Policy 5
2. {Security Issue #2} 5
3. {Security Issue #3} 5
4. {Security Issue #4} 5
5. {Security Issue #5} 5
6. {Security Issue #6} 6
7. {Security Issue #7} 6
8. {Security Issue #8} 6
9. {Security Issue #9} 6
10. {Security Issue #10} 6

INTRODUCTION 7

Scope 7
Project Scope 7
In Scope 7
Out of Scope 7

Site Activities Schedule 7


First Day 7
Second Day 7
Third Day 7

BACKGROUND INFORMATION 8

{CLIENT ORGANIZATION} 8

ASSET IDENTIFICATION 9

Assets of the {CLIENT ORGANIZATION} 9

THREAT ASSESSMENT 9

Threats to the {CLIENT ORGANIZATION} 9

LAWS, REGULATIONS AND POLICY 10

Federal Law and Regulation 10

{CLIENT ORGANIZATION} Policy 10

Vulnerabilities 10
The {CLIENT ORGANIZATION} has no information security policy 10
{State the Vulnerability} 10


PERSONNEL 11

Management 11

Operations 11

Development 11

Vulnerabilities 11
There is no information security officer 11
{State the Vulnerability} 11

NETWORK SECURITY 12

Vulnerabilities 12
The {CLIENT ORGANIZATION} systems are not protected by a network firewall 12
{State the Vulnerability} 13

SYSTEM SECURITY 13

Vulnerabilities 13
Users can install unsafe software 13
{State the Vulnerability} 14

APPLICATION SECURITY 14

Vulnerabilities 14
Sensitive information within the database is not encrypted 14
{State the Vulnerability} 14

OPERATIONAL SECURITY 15

Vulnerabilities 15
There is no standard for security management 15
{State the Vulnerability} 15

PHYSICAL SECURITY 15

Vulnerabilities 16
Building Vulnerabilities 16
Several key doors within the building are unlocked or can be forced open 16
{State the Vulnerability} 16
Security Perimeter Vulnerabilities 17
There is no entryway access control system 17
{State the Vulnerability} 17
Server Area Vulnerabilities 17
The backup media are not protected from fire, theft, or damage 17
{State the Vulnerability} 18

SUMMARY 18


Action Plan 18

REFERENCES 18


Executive Summary
Briefly describe the activities of the assessment.
Talk about the importance of information security at the client organization.
Discuss security efforts that the organization has undertaken.
Highlight three major security issues discovered that could significantly impact the operations of
the organization.

Top-Ten List
A top-ten list is used to highlight the ten most urgent issues discovered during an assessment.
Clients unfamiliar with security may be overwhelmed by a long list of problems. Putting the
major issues together may allow the client to easily focus efforts on these problems first.

The list below contains the “top ten” findings, weaknesses, or vulnerabilities discovered during
the site security assessment. Some of the issues listed here are coalesced from more than one
section of the assessment report findings. Additional information about each is provided
elsewhere in the report.
It is recommended that these be evaluated and addressed as soon as possible. These should be
considered significant and may impact the operations of the {CLIENT ORGANIZATION}.

1. Information Security Policy


An information security policy is the primary guide for the implementation of all security
measures. There is no formal policy specific to the {CLIENT ORGANIZATION}.
Recommendation: Develop an information security policy that specifically addresses the needs
of the {CLIENT ORGANIZATION} and its mission. Use that policy as a basis for an effective
security program.

2. {Security Issue #2}


{Brief description of Security Issue #2}
Recommendation: {Brief list of recommendations for Security Issue #2}

3. {Security Issue #3}


{Brief description of Security Issue #3}
Recommendation: {Brief list of recommendations for Security Issue #3}

4. {Security Issue #4}


{Brief description of Security Issue #4}
Recommendation: {Brief list of recommendations for Security Issue #4}

5. {Security Issue #5}


{Brief description of Security Issue #5}


Recommendation: {Brief list of recommendations for Security Issue #5}

6. {Security Issue #6}


{Brief description of Security Issue #6}
Recommendation: {Brief list of recommendations for Security Issue #6}

7. {Security Issue #7}


{Brief description of Security Issue #7}
Recommendation: {Brief list of recommendations for Security Issue #7}

8. {Security Issue #8}


{Brief description of Security Issue #8}
Recommendation: {Brief list of recommendations for Security Issue #8}

9. {Security Issue #9}


{Brief description of Security Issue #9}
Recommendation: {Brief list of recommendations for Security Issue #9}

10. {Security Issue #10}


{Brief description of Security Issue #10}
Recommendation: {Brief list of recommendations for Security Issue #10}


Introduction
Provide an overview of the report.

Scope
The scope is the boundaries of the project. It is used to describe the on-site activities.

Project Scope

In Scope
The following activities are within the scope of this project:
• Interviews with key staff members in charge of policy, administration, day-to-day operations,
system administration, network management, and facilities management.
• A Visual Walk Through of the facilities with administrative and facilities personnel to assess
physical security.
• A series of Network Scans to enumerate addressable devices and to assess each system's
available network services. (These Scans will be conducted from within each center's network
and from the outside.)
• A configuration and security assessment of at most ten key systems at each center.

Out of Scope
The following activities are NOT part of this security assessment:
• Penetration Testing of systems, networks, buildings, laboratories or facilities.
• Social Engineering to acquire sensitive information from staff members.
• Testing Disaster Recovery Plans, Business Continuity Plans, or Emergency Response Plans.

Site Activities Schedule


List the site activities.

First Day

Second Day

Third Day


Background Information
Use this section to talk about any relevant background information.

{CLIENT ORGANIZATION}
Describe the client organization.


Asset Identification
Describe the process of asset identification.

Assets of the {CLIENT ORGANIZATION}


The following lists document some of the {CLIENT ORGANIZATION} tangible and intangible
assets. It should not be considered a complete and detailed list but should be used as a basis for
further thought and discussion to identify assets.

Tangible Assets
• {List tangible assets.}

Intangible Assets
• {List intangible assets.}

Each item on these lists also has value associated with it. Each item’s relative value changes over
time. In order to determine the current value, it is often best to think in terms of recovery costs.
What would it cost to restore or replace this asset in terms of time, effort, and money?

Threat Assessment
Describe the process of threat assessment.

Threats to the {CLIENT ORGANIZATION}


The following lists document some of the known threats to the {CLIENT ORGANIZATION}. It
should not be considered a complete and detailed list but should be used as a basis for further
thought and discussion to identify threats.

Natural Threats
• {List Natural Threats.}

Intentional Threats
• {List Intentional Threats.}

Unintentional Threats
• {List Unintentional Threats.}


Laws, Regulations and Policy


Talk about the role of laws, regulation, and policy on the client organization.

Federal Law and Regulation


Outline federal laws and regulation that impact the client organization.

{CLIENT ORGANIZATION} Policy


Talk about the current policy at the client organization. Describe what policy they currently have.

Vulnerabilities
Listed below are the vulnerabilities discovered during the assessment relating to law, regulation,
and policy. These are considered significant and steps should be taken to address them.

The {CLIENT ORGANIZATION} has no information security policy


Explanation
The {CLIENT ORGANIZATION} has no information security policy that is specific to
its needs and goals.
Risk
There are several risks in not having an information security policy.
• Mistakes can be made in strategic planning without a guideline for security.
• Resources may be wasted in protecting low value assets, while high value assets go
unprotected.
• Without a policy, all security measures are merely ad hoc in nature and may be misguided.
Recommendations
• Create a policy that is in compliance with {CLIENT ORGANIZATION} security goals.
• Periodically review and update the policy.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.

Personnel
Describe the personnel at the client organization. Organize them into related groups.
In this example, we have Management, Operations, and Development.

Management
Describe the management group.

Operations
Describe the operations team.

Development
Describe the development team.

Vulnerabilities
Listed below are the staff vulnerabilities discovered during the interviews with the {CLIENT
ORGANIZATION} staff. These are considered significant and steps should be taken to address
them.

There is no information security officer


Explanation
An information security officer is responsible for the overall security for an organization.
He or she must help create security policy, enforce it, and act as the primary security
contact.
Risk
Without an information security officer, important security issues may not receive the
proper attention. The overall security of the {CLIENT ORGANIZATION} may suffer.
Recommendations
• Designate an existing employee to fill the role of information security officer, or hire a
qualified candidate for the position.
• Provide training opportunities to the information security officer.
• Encourage and support the acquisition of security certification(s).

{State the Vulnerability}


Explanation
{Explain the vulnerability.}


Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.

Network Security
Describe the state of network security at the client organization.
List public network resources and sites.
List partner connections and extranets.

Vulnerabilities
Listed below are the network security vulnerabilities discovered during the assessment. These are
considered significant and steps should be taken to address them.

The {CLIENT ORGANIZATION} systems are not protected by a


network firewall
Explanation
A firewall is a network gatekeeper. Based on a configurable set of rules, the firewall
determines which network connections to allow or deny. There are generally three types
of attacks that can be prevented (or at least slowed) using properly configured firewalls:
intrusion, denial-of-service, and information theft.
There are two types of firewalls. One type is incorporated into operating systems
(software-based). The other type consists of a networking hardware platform that protects
a group of networked systems (hardware-based).
The {CLIENT ORGANIZATION} systems are inconsistently protected by software-
based firewalls. Most of the workstations have firewall software installed and configured.
Some do not.
Risk
There are several risks in running network services without a firewall.
• Incoming network-based scans and attacks are not easily detected or prevented.
• Attackers target vulnerable network services.
• Attacks are not isolated and damage cannot be contained.
• Network probing for vulnerabilities slows system and network performance.
Recommendations
• Enable operating system firewalls where available.
• Install a hardware-based firewall.
• Configure firewall rule sets to be very restrictive.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.

System Security
Describe the state of system security at the client organization.

Vulnerabilities
Listed below are the system security vulnerabilities discovered during the assessment. These are
considered significant and steps should be taken to address them.

Users can install unsafe software


Explanation
Since users have privileged access to their workstations, they are free to install software
that can impact the operations at the {CLIENT ORGANIZATION}. Most of this
software is freely available from the Internet. Unsafe software is any software that
impedes the productivity of the staff, collects information on the user or the {CLIENT
ORGANIZATION} network environment, launches attacks or probes internal systems.
Risk
There are several risks in allowing users to install unsafe software.
• The software may contain a virus, worm, or some other dangerous electronic threat.
• The software may be a "Trojan Horse" to fool users.
• The software may capture, disclose, delete, or modify sensitive data.
• The software may impact system performance and user productivity.
• Significant time may be wasted attempting to remove software.
Recommendations
The operations team should
• Remove user privileges to install software.
• Remove unsafe software from workstations. Reinstall systems as needed.
• Establish a process for the evaluation and installation of new software.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.

Application Security
Describe the state of application security at the client organization.

Vulnerabilities
Listed below are the application security vulnerabilities discovered during the assessment. These
are considered significant and steps should be taken to address them.

Sensitive information within the database is not encrypted


Explanation
Sensitive information in databases can be encrypted to protect confidentiality. If an
attacker gets unauthorized access to the database, sensitive information still cannot be
read.
Risk
If an attacker gains access to the database, sensitive information stored in the database
can be viewed and modified.
Recommendations
• Examine changes required to support encrypted database tables.
• Modify web and database software to work with encrypted data.
• Safely store and protect the encryption keys.
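As an added example of the three recommendations above (constructed code, not part of the template or its author's work): the sensitive column is encrypted per row with AES-256-GCM, the key is held in a separate vault object rather than in the data store, and the table, row and column identity are bound into the ciphertext so that a dumped or copied value yields nothing readable. The "customers" table, its column names and the in-memory store are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is one row of a constructed "customers" table; NationalIDEnc holds
// nonce || ciphertext || GCM tag, hex encoded, and the plaintext is never stored.
type Record struct {
	ID            int
	Name          string
	NationalIDEnc string
}

// DataStore stands in for the database (an in-memory map, constructed for
// this example). Someone who dumps it sees only the ciphertext column.
type DataStore struct {
	rows map[int]Record
}

func NewDataStore() *DataStore { return &DataStore{rows: make(map[int]Record)} }

// Vault holds the data-encryption key apart from the data store. In production
// the key comes from a KMS, HSM or secrets manager, never from the database.
type Vault struct {
	aead cipher.AEAD
}

// NewVault wraps a 32-byte key in AES-256-GCM (authenticated encryption).
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// rowAAD binds a ciphertext to its table, row and column (additional
// authenticated data), so a value copied into another row will not decrypt.
func rowAAD(id int) []byte {
	return []byte(fmt.Sprintf("customers:%d:national_id", id))
}

// Seal encrypts one field under a fresh random nonce (GCM must never reuse one).
func (v *Vault) Seal(plaintext, aad []byte) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nil, nonce, plaintext, aad)
	return hex.EncodeToString(append(nonce, ct...)), nil
}

// Open decrypts and verifies; tampering, a wrong key or a wrong AAD all fail.
func (v *Vault) Open(encoded string, aad []byte) ([]byte, error) {
	raw, err := hex.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns+v.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return v.aead.Open(nil, raw[:ns], raw[ns:], aad)
}

// Insert stores a customer, encrypting only the sensitive column.
func (s *DataStore) Insert(v *Vault, id int, name, nationalID string) error {
	enc, err := v.Seal([]byte(nationalID), rowAAD(id))
	if err != nil {
		return err
	}
	s.rows[id] = Record{ID: id, Name: name, NationalIDEnc: enc}
	return nil
}

// NationalID returns the decrypted field for a caller that holds the key.
func (s *DataStore) NationalID(v *Vault, id int) (string, error) {
	rec, ok := s.rows[id]
	if !ok {
		return "", errors.New("no such row")
	}
	pt, err := v.Open(rec.NationalIDEnc, rowAAD(id))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

Reading the row back through NationalID with the vault's key returns the original value, while a copied ciphertext, a flipped byte or a different key all fail verification instead of returning garbage.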

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.

Operational Security
Describe the state of operational security at the client organization.

Vulnerabilities
Listed below are the operational security vulnerabilities discovered during the assessment. These
are considered significant and steps should be taken to address them.

There is no standard for security management


Explanation
A security standard is a document that defines and describes the process of security
management for an organization.
Risk
Without a guideline for security practices, those responsible for security may not apply
adequate controls consistently throughout the {CLIENT ORGANIZATION}.
Recommendations
• Evaluate existing security standards such as ISO 17799.
• Modify an existing standard for use within the {CLIENT ORGANIZATION}.
• Inform and train personnel on use of the standard.
• Audit information systems and procedures to ensure compliance.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.

Physical Security
Describe the state of physical security at the client organization.
Specifically, list the building, security perimeter, and server room vulnerabilities.


Vulnerabilities
Listed below are the physical security vulnerabilities discovered during the assessment. These are
considered significant and steps should be taken to address them. The list is divided into
vulnerabilities that relate to the building, the security perimeter, and the server rooms. The
building group contains vulnerabilities within the {CLIENT ORGANIZATION} office. The
security perimeter group includes the exterior office windows, doors, alarm system, and the
surrounding area. The server room group is specific to rooms containing server equipment.

Building Vulnerabilities

Several key doors within the building are unlocked or can be forced
open
Explanation
There are several important doors in the interior {CLIENT ORGANIZATION} office
area that are normally unlocked or can be forced open even when locked. The door to the
utility room is a hollow core wooden door with no lock. The utility room contains the
wiring panel for the telephones, a junction for the fiber optic cable, and the alarm system
box. The room containing the modem pool is normally open and unlocked. The system
administrator’s office containing the office file and web server is usually unlocked and
open.
Risk
These doors protect valuable assets of the {CLIENT ORGANIZATION}. A determined
attacker, thief, or disgruntled employee could get through these important doors with
minimal effort to steal and/or destroy.
Recommendations
• Replace current doors with stronger fire doors.
• Replace existing door hardware with high security locks.
• Weld exterior hinge pins in place.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.


Security Perimeter Vulnerabilities

There is no entryway access control system


Explanation
An entryway access control system limits physical access to a secure area to authorized
personnel with the correct PIN number or access card. These systems have either a
control panel where a correct PIN number must be entered before entry is allowed or a
unique access card (contact or contactless) for each person to enter. Advanced systems
provide log information each time personnel enter the secure area.
Risk
There are several risks in not having an entryway access control system.
• Unauthorized people can enter secure areas unescorted.
• There is no record of personnel entries into secure areas.
• It is not possible to disable access for a specific person.
Recommendations
• Evaluate available and suitable entryway access systems.
• Develop appropriate procedures for assigning and removing access.
• Install an appropriate system and assign access rights.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.

Server Area Vulnerabilities

The backup media are not protected from fire, theft, or damage
Explanation
The backup media are stored near the backup system on an open shelf in the server area.
The media could be stolen, misplaced, accidentally erased, dropped, or destroyed in a
fire. If a system or data must be recovered, the media may not be available or functional
when needed.
Risk
The operation of the {CLIENT ORGANIZATION} can be impacted if the backup media
are not available due to theft, damage, or fire.
Recommendations
• Purchase and install a lockable, fireproof media safe. Secure it to the floor and/or wall.

{State the Vulnerability}

Explanation
{Explain the vulnerability.}
Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations.}

Summary
Summarize the report findings.

Action Plan
Provide an action plan that lists steps to be taken to improve security at the client organization.

References
Annexure 2

Case Studies
Common Cyber Attacks: Reducing The Impact
Contents
Introduction
Part 1: The Threat Landscape
  Commodity vs bespoke capabilities
  Un-targeted attacks
  Targeted attacks
  Every organisation is a potential victim
Part 2: Understanding Vulnerabilities
  Flaws
  Features
  User error
Part 3: Common Cyber Attacks - Stages and Patterns
  Stages of an attack
    Survey
    Delivery
    Breach
    Affect
Part 4: Reducing Your Exposure to Cyber Attack
  Breaking the attack pattern
  Reducing your exposure using essential security controls
  Mitigating the stages of an attack
    Mitigating the survey stage
    Mitigating the delivery stage
    Mitigating the breach stage
    Mitigating the affect stage
  I’ve been attacked, what do I do?
  Closing word: raising your cyber defences
Case Studies
  Case study 1: Espionage campaign against the UK energy sector
  Case study 2: Hundreds of computers infected by remote access malware
  Case study 3: Spear-phishing attack targets system administrator

Common Cyber Attacks: Reducing The Impact Page 2 of 17


Introduction
Your organisation’s computer systems - and the information they hold - can be compromised in many ways.
It may be through malicious or accidental actions, or simply through the failure of software or electronic
components. And whilst you need to consider all of these potential risks, it is malicious attack from the
Internet that is hitting the headlines and damaging organisations.
The 2014 Information Security Breaches Survey1 found that 81% of large companies had reported some form of security breach, costing each organisation on average between £600,000 and £1.5m. These findings are supported by almost daily stories of large scale cyber incidents, such as the Gameover ZeuS botnet. As the Director of GCHQ, Robert Hannigan, says in his 2015 foreword to the republished 10 Steps to Cyber Security, “In GCHQ we continue to see real threats to the UK on a daily basis, and I’m afraid the scale and rate of these attacks shows little sign of abating.”
As the National Technical Authority for Information Assurance, GCHQ believe that understanding the
capabilities behind these attacks, the vulnerabilities they exploit, and how they are exploited is central to
your organisation’s ability to defend itself against them. Security professionals often focus on the security
mechanisms or controls employed without explaining why they are needed, and what they mitigate.
Understanding these details can help you make conscious risk management judgements to ensure that the
required controls are pragmatic, cost effective and appropriate - and actually protect your business.
Common Cyber Attacks: Reducing The Impact has been produced by CESG (the Information Security Arm of
GCHQ) with CERT-UK, and is aimed at all organisations who are vulnerable to attack from the Internet. The
paper helps CEOs, boards, business owners and managers to understand what a common cyber attack looks
like. Using real case studies where the attackers used readily available off-the-shelf tools and techniques, it
provides a rationale for establishing basic security controls and processes (such as those set out in the Cyber
Essentials Scheme2). Understanding these attacks can help you manage the most common cyber risks faced
by your organisation.
More specifically, this paper covers:
• the threat landscape - the types of attackers, their motivations and their technical capabilities
• vulnerabilities - what are they, and how are they exploited?
• cyber attacks, stages and patterns - what is the ‘typical’ structure of a cyber attack?
• reducing the impact of an attack - what controls are needed to reduce the impact of common cyber attacks?
• case studies - real world examples that demonstrate how cyber attacks have caused financial and reputational damage to major UK businesses
Note: There are far more comprehensive case studies and more detailed technical information openly
available on the Internet; the case studies in this paper have been simplified to demonstrate where and how
basic controls could have reduced the extent or the impact of the attack. That is, this paper is not intended
to be a comprehensive review of sophisticated or persistent attacks.

1 www.gov.uk/government/publications/information-security-breaches-survey-2014
2 www.gov.uk/government/publications/cyber-essentials-scheme-overview

Part 1: The Threat Landscape
Although computer systems can be compromised through a variety of means, GCHQ looks to understand
malicious actions and the attackers that carry them out.
The risk to information and computer assets comes from a broad spectrum of threats with a broad range of capabilities. The impact (and therefore the harm) on your business will depend on the opportunities you present to an attacker (in terms of the vulnerabilities within your systems), the capabilities of the attackers to exploit them, and ultimately their motivation for attacking you.

TECHNICAL FOCUS: RISK
In cyber security terms, risk is the potential for a threat (a person or thing that is likely to cause damage) to exploit a vulnerability (a flaw, feature or user error) that may result in some form of negative impact.

WHO MIGHT BE ATTACKING YOU?
• Cyber criminals interested in making money through fraud or from the sale of valuable information.
• Industrial competitors and foreign intelligence services, interested in gaining an economic advantage for their companies or countries.
• Hackers who find interfering with computer systems an enjoyable challenge.
• Hacktivists who wish to attack companies for political or ideological motives.
• Employees, or those who have legitimate access, either by accidental or deliberate misuse.

For example, an easily guessed password to an online account takes very little technical capability to exploit. With a little more technical knowledge, attackers can also use tools that are readily available on the internet. They can also bring resources (people or money) to bear in order to discover new vulnerabilities. These attackers will go on to develop bespoke tools and techniques to exploit them; such vulnerabilities enable them to bypass the basic controls provided by schemes like Cyber Essentials. To protect against these bespoke attacks will require you to invest in a more holistic approach to security, such as that outlined in the 10 Steps to Cyber Security.

The motivation of an attacker can vary from demonstrating their technical prowess for personal kudos, financial gain, commercial advantage, political protest; through to economic or diplomatic advantage for their country. Whilst attackers may have the capability and the motivation, they still need an opportunity to deliver a successful attack. You have no control over their capabilities and motivations, but you can make it harder for attackers by reducing your vulnerabilities.

Commodity vs bespoke capabilities


In this paper, we are using the terms ‘commodity’ and ‘bespoke’ to characterise the capabilities attackers
can employ.
Commodity capability involves tools and techniques openly available on the Internet (off-the-shelf) that are
relatively simple to use. This includes tools designed for security specialists (such as system penetration
testers) that can also be used by attackers as they are specifically designed to scan for publicly known
vulnerabilities in operating systems and applications. Poison Ivy is a good example of a commodity tool; it is a
readily available Remote Access Tool (RAT) that has been widely used for a number of years.
Bespoke capability involves tools and techniques that are developed and used for specific purposes, and thus
require more specialist knowledge. This could include malicious code (‘exploits’) that take advantage of
software vulnerabilities (or bugs) that are not yet known to vendors or anti-malware companies, often
known as ‘zero-day’ exploits. It could also include undocumented software features, or poorly designed
applications. Bespoke capabilities usually become commodity capabilities once their use has been
discovered, sometimes within a few days3. By their very nature, the availability of bespoke tools is not
advertised as once released they become a commodity.

3 ‘When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities’, Tim Rains, 17 June 2014, http://blogs.microsoft.com/cybertrust/2014/06/17/when-vulnerabilities-are-exploited-the-timing-of-first-known-exploits-for-remote-code-execution-vulnerabilities
‘Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World’, Leyla Bilge and Tudor Dumitras, CCS ’12, 16-18 October 2012, http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf

Openly available commodity capabilities are effective because basic cyber security principles, such as those described in Cyber Essentials and 10 Steps to Cyber Security, are not properly followed. Regardless of their technical capability and motivation, commodity tools and techniques are frequently what attackers turn to first.
In section 2 we will look in more detail at the vulnerabilities that attackers exploit using both commodity and bespoke capabilities.

Un-targeted attacks

In un-targeted attacks, attackers indiscriminately target as many devices, services or users as possible. They do not care about who the victim is as there will be a number of machines or services with vulnerabilities. To do this, they use techniques that take advantage of the openness of the Internet, which include:
• phishing - sending emails to large numbers of people asking for sensitive information (such as bank details) or encouraging them to visit a fake website
• water holing - setting up a fake website or compromising a legitimate one in order to exploit visiting users
• ransomware - which could include disseminating disk encrypting extortion malware
• scanning - attacking wide swathes of the Internet at random

Targeted attacks

In a targeted attack, your organisation is singled out because the attacker has a specific interest in your business, or has been paid to target you. The groundwork for the attack could take months so that they can find the best route to deliver their exploit directly to your systems (or users). A targeted attack is often more damaging than an un-targeted one because it has been specifically tailored to attack your systems, processes or personnel, in the office and sometimes at home. Targeted attacks may include:
• spear-phishing - sending emails to targeted individuals that could contain an attachment with malicious software, or a link that downloads malicious software
• deploying a botnet - to deliver a DDOS (Distributed Denial of Service) attack
• subverting the supply chain - to attack equipment or software being delivered to the organisation
In general attackers will, in the first instance, use commodity tools and techniques to probe your systems for an exploitable vulnerability.

THE INSIDER THREAT
Although this paper is focused on threats from the Internet, insiders (anyone who has legitimate access to your systems as an employee or a contractor) should also be considered as part of a holistic security regime. They may be motivated by personal gain or redress against grievances. An insider could simply use their normal access to compromise your information, or take advantage of unlocked computers or guessable passwords. They could use social engineering techniques (fooling people into breaking normal security procedures) to gain further access. They may even have the technical skills to use commodity tools and techniques to become a ‘hacker within the system’, with the opportunity to cause greater damage and steal information at will. In the worst case scenario, an insider could be working for an adversary who can develop bespoke tools, and introduce these deep within your organisation. Assessing which (if any) of these scenarios is likely should be a critical part of your risk assessment process.
Without appropriate training, insiders can also accidentally compromise a system or the information it holds. So make sure that particular care is taken when evaluating all aspects of the insider threat as part of your organisation’s overall assessment of cyber risks, referring to external guidance where required.

Every organisation is a potential victim
Before investing in defences, many organisations often want concrete evidence that they are, or will be
targeted, by specific threats. Unfortunately, in cyberspace it is often difficult to provide an accurate
assessment of the threats that specific organisations face.
However, every organisation is a potential victim. All organisations have something of value that is worth something to others. If you openly demonstrate weaknesses in your approach to cyber security by failing to do the basics, you will experience some form of cyber attack.
As part of your risk management processes, you should be assessing
whether you are likely to be the victim of a targeted or un-targeted
attack; every organisation connected to the Internet should assume they will be a victim of the latter. Either
way, you should implement basic security controls consistently across your organisation, and where you may
be specifically targeted, ensure you have a more in-depth, holistic approach to cyber security.

Part 2: Understanding Vulnerabilities
Vulnerabilities provide the opportunities for attackers to gain access to your systems. They can occur
through flaws, features or user error, and attackers will look to exploit any of them, often combining one or
more, to achieve their end goal.
In the context of this paper, a vulnerability is a weakness in an IT system that can be exploited by an attacker
to deliver a successful attack.

Flaws

A flaw is unintended functionality. This may either be a result of poor design or through mistakes made during implementation. Flaws may go undetected for a significant period of time. The majority of common attacks we see today exploit these types of vulnerabilities. In the last twelve months nearly 8,000 unique and verified software vulnerabilities were disclosed in the US National Vulnerability Database (NVD).4

Features

A feature is intended functionality which can be misused by an attacker to breach a system. Features may improve the user’s experience, help diagnose problems or improve management, but they can also be exploited by an attacker.
When Microsoft introduced macros into their Office suite in the late 1990s, macros soon became the vulnerability of choice with the Melissa worm in 1999 being a prime example. Macros are still exploited today; the Dridex banking Trojan that was spreading in late 2014 relies on spam to deliver Microsoft Word documents containing malicious macro code, which then downloads Dridex onto the affected system.
JavaScript, widely used in dynamic web content, continues to be used by attackers. This includes diverting the user’s browser to a malicious website and silently downloading malware, and hiding malicious code to pass through basic web filtering.

TECHNICAL FOCUS: VULNERABILITIES
Vulnerabilities are actively pursued and exploited by the full range of attackers. Consequently, a market has grown in software flaws, with ‘zero-day’ vulnerabilities (that is, recently discovered vulnerabilities that are not yet publicly known) fetching hundreds of thousands of pounds.
Zero-days are frequently used in bespoke attacks by the more capable and resourced attackers. Once the zero-days become publicly known, reusable attacks are developed and they quickly become a commodity capability. This poses a risk to any computer or system that has not had the relevant patch applied, or updated its antivirus software.
The ability for an attacker to find and attack software flaws or subvert features depends on the nature of the software and their technical capabilities. Some target platforms are relatively simple to access; for example, web applications could, by design, be capable of interacting with the Internet and may provide an opportunity for an attacker.
User error
A computer or system that has been carefully designed and implemented can minimise the vulnerabilities of
exposure to the Internet. Unfortunately, such efforts can be easily undone (for example by an inexperienced
system administrator who enables vulnerable features, fails to fix a known flaw5, or leaves default passwords
unchanged).
More generally, users can be a significant source of vulnerabilities. They make mistakes, such as choosing a
common or easily guessed password, or leave their laptop or mobile phone unattended. Even the most
cyber aware users can be fooled into giving away their password, installing malware, or divulging information
that may be useful to an attacker (such as who holds a particular role within an organisation, and their
schedule). These details would allow an attacker to target and time an attack appropriately.

4 https://nvd.nist.gov/
5 Fixes such as applying software patches, removing detected malware and updating device configuration to address issues detected through vulnerability scanning

Part 3: Common Cyber Attacks - Stages and Patterns
Regardless of whether an attack is targeted or un-targeted, or the attacker is using commodity or bespoke
tools, cyber attacks have a number of stages in common. Some of these will meet their goal whilst others
may be blocked. An attack, particularly if it is carried out by a persistent adversary, may consist of repeated
stages. The attacker is effectively probing your defences for weaknesses that, if exploitable, will take them
closer to their ultimate goal. Understanding these stages will help you to better defend yourself.

Stages of an attack
A number of attack models describe the stages of a cyber attack (the Cyber Kill Chain® produced by
Lockheed Martin is a popular example6). We have adopted a simplified model in this paper that describes the
four main stages present in most cyber attacks:
• Survey - investigating and analysing available information about the target in order to identify potential vulnerabilities
• Delivery - getting to the point in a system where a vulnerability can be exploited
• Breach - exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access
• Affect - carrying out activities within a system that achieve the attacker’s goal

Survey

Attackers will use any means available to find technical, procedural or physical vulnerabilities which they can attempt to exploit.
They will use open source information such as LinkedIn and Facebook, domain name management/search services, and social media. They will employ commodity toolkits and techniques, and standard network scanning tools to collect and assess any information about your organisation’s computers, security systems and personnel.
User error can also reveal information that can be used in attacks. Common errors include:
• releasing information about the organisation’s network on a technical support forum
• neglecting to remove hidden properties from documents such as author, software version and file save locations
Attackers will also use social engineering (often via social media) to exploit user naivety and goodwill to elicit further, less openly available information.

TECHNICAL FOCUS: SURVEY
The default settings of computer systems can reveal a lot of useful information about the software running on them, and how they are configured. They can broadcast a range of network protocols and communications channels that can be exploited if they aren’t removed.
The attacker will point network scanning tools at your network to try and identify any of the following:
• open ports
• open services
• default settings
• vulnerable applications and operating systems
• the makes and models of your network equipment

6 The Lockheed Martin Cyber Kill Chain® can be found at www.lockheedmartin.co.uk/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html
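Two of the points above can be turned into a check a defender can run: the macro-bearing Office documents described under Features, and the hidden document properties (author, software version, organisation) listed under Survey. The following Python script is an added example, not code from the CESG paper; it opens an Office Open XML container, reports whether it carries a VBA project (and whether a macro-bearing file is hiding behind a .docx extension), and lists the properties that would leak to an attacker. The documents it examines are constructed in memory so it runs offline.

```python
"""Inspect an Office Open XML file (.docx/.docm) for two things discussed above:
embedded VBA macro code (the Dridex delivery vector) and document properties that
leak author, software version and organisation to an attacker's survey.
Added example, not part of the CESG paper; the documents it examines are
constructed in memory so that it runs offline."""
import io
import re
import zipfile
from typing import Dict

# Zip part names that hold VBA code in Word, Excel and PowerPoint files.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Properties in docProps/core.xml and docProps/app.xml worth reviewing before publishing.
LEAKY_TAGS = ("dc:creator", "cp:lastModifiedBy", "Application", "AppVersion", "Company")
NON_MACRO_EXTENSIONS = ("docx", "xlsx", "pptx")


def inspect_ooxml(data: bytes, filename: str) -> Dict[str, object]:
    """Return findings for the OOXML container held in `data`."""
    findings: Dict[str, object] = {"has_macros": False, "extension_mismatch": False, "metadata": {}}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not a valid OOXML (zip) container"
        return findings
    names = set(zf.namelist())
    # Macro check: the VBA part itself, or its content-type registration, is enough.
    content_types = ""
    if "[Content_Types].xml" in names:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    findings["has_macros"] = any(p in names for p in MACRO_PARTS) or MACRO_CONTENT_TYPE in content_types
    # A macro-bearing file carrying a non-macro extension is a filtering-evasion
    # pattern, so it is reported separately from the macro itself.
    extension = filename.lower().rsplit(".", 1)[-1]
    findings["extension_mismatch"] = bool(findings["has_macros"]) and extension in NON_MACRO_EXTENSIONS
    # Metadata check: a plain tag search is enough for these well-known property names.
    metadata: Dict[str, str] = {}
    for part in ("docProps/core.xml", "docProps/app.xml"):
        if part not in names:
            continue
        xml = zf.read(part).decode("utf-8", "replace")
        for tag in LEAKY_TAGS:
            m = re.search(r"<%s(?:\s[^>]*)?>([^<]*)</%s>" % (re.escape(tag), re.escape(tag)), xml)
            if m and m.group(1).strip():
                metadata[tag] = m.group(1).strip()
    findings["metadata"] = metadata
    return findings


def build_sample(macro: bool, creator: str = "j.smith", app_version: str = "14.0000") -> bytes:
    """Construct a minimal OOXML container (constructed test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Default Extension="xml" ContentType="application/xml"/>']
        if macro:
            types.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % MACRO_CONTENT_TYPE)
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder bytes, not real VBA")
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("docProps/core.xml",
                    '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
                    'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
                    '<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>'
                    '</cp:coreProperties>' % (creator, creator))
        zf.writestr("docProps/app.xml",
                    '<Properties><Application>Microsoft Office Word</Application>'
                    '<AppVersion>%s</AppVersion><Company>Example Ltd</Company></Properties>' % app_version)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("invoice.docm", build_sample(True)), ("invoice.docx", build_sample(True)),
               ("memo.docx", build_sample(False)))
    for name, doc in samples:
        print(name, inspect_ooxml(doc, name))
```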

Delivery
During the delivery stage, the attacker will look to get into a position where they can exploit a vulnerability
that they have identified, or they think could potentially exist. Examples include:
• attempting to access an organisation’s online services
• sending an email containing a link to a malicious website or an attachment which contains malicious code
• giving an infected USB stick away at a trade fair
• creating a false website in the hope that a user will visit
The crucial decision for the attacker is to select the best delivery path for the malicious software or
commands that will enable them to breach your defences. In the case of a DDOS attack, it may be sufficient
for them to make multiple connections to a computer in order to prevent others from accessing it.

Breach

The harm to your business will depend on the nature of the vulnerability and the exploitation method. It may allow them to:
• make changes that affect the system’s operation
• gain access to online accounts
• achieve full control of a user’s computer, tablet or smartphone
Having done this, the attacker could pretend to be the victim and use their legitimate access rights to gain access to other systems and information.

TECHNICAL FOCUS: BREACH
With the great variety of potential vulnerabilities in any IT system, there is a similar diversity in the often highly technical and innovative mechanisms used to exploit them. Although attackers continue to develop novel techniques to exploit vulnerabilities, attackers are ultimately successful due to an unfixed flaw, misused feature or user error.
Some types of attack are much more obvious or easier to detect than others. DDOS attacks are often quickly noticed by system users, as they struggle to access or simply cannot use the targeted service. On the other hand, most malware is designed to be stealthy, hiding from users and detection mechanisms alike.

Affect

Depending on their motivation, the attacker may seek to explore your systems, expand their access and establish a persistent presence (a process sometimes called ‘consolidation’). Taking over a user’s account usually guarantees a persistent presence. Taking over an administrator’s account is an attacker’s Holy Grail. With administration access to just one system, they can try to install automated scanning tools to discover more about your networks and take control of more systems. When doing this they will take great care not to trigger the system’s monitoring processes and they may even disable them for a time.
Determined and undetected attackers continue until they have achieved their end goals. Depending on their
objectives, the activities they aim to carry out on your systems will differ, but they can include:
• retrieving information they would otherwise not be able to access, such as intellectual property or commercially sensitive information
• making changes for their own benefit, such as creating payments into a bank account they control
• disrupting normal business operation, such as overloading the organisation’s internet connection so they cannot communicate externally, or deleting the whole operating system from users’ computers
After achieving their objectives, the more capable attacker will exit, carefully removing any evidence of their
presence. Or they could create an access route for future visits by them, or for others they have sold the
access to. Equally, some attackers will want to seriously damage your system or make as much ‘noise’ as
possible to advertise their success.
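The scanning described in the Survey technical focus and the internal discovery described under Affect leave the same footprint in firewall logs: one source touching many ports on a host, or one port on many hosts, within a short time. The following Python detector is an added example, not part of the CESG paper; its log format, thresholds and log lines are constructed for the demo, and it labels each source as internal (RFC 1918) or external so that an internal sweep is read as post-breach consolidation rather than an external survey.

```python
"""Flag scanning activity in firewall logs: many distinct ports on one host
(port scan) or one port across many hosts (host sweep) from one source within
a short window. An external source fits the survey stage; an internal source
fits the post-breach discovery the paper describes under 'affect'.
Added example, not part of the CESG paper; the log format, thresholds and all
log lines are constructed for this demo."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Constructed line format: "<ISO 8601 UTC time> <ACCEPT|DENY> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(\S+) (ACCEPT|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
WINDOW_SECONDS = 60
PORT_THRESHOLD = 10   # distinct ports on one destination from one source
HOST_THRESHOLD = 10   # distinct destinations on one port from one source
# RFC 1918 ranges count as "inside". ipaddress.is_private is not used because it also
# treats the documentation ranges used below as sample external addresses as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Record = Tuple[datetime, str, str, str, int]


def parse_line(line: str) -> Optional[Record]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), m.group(4), int(m.group(5))


def origin_of(src: str) -> str:
    """Classify a source address as internal (RFC 1918) or external."""
    addr = ipaddress.ip_address(src)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def detect_scans(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per (source, kind, target) the first time a threshold is crossed."""
    windows: Dict[str, Deque[Tuple[datetime, str, int]]] = defaultdict(deque)
    alerts: List[Dict[str, object]] = []
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a production pipeline should count and report these
        ts, _action, src, dst, dport = rec
        window = windows[src]
        window.append((ts, dst, dport))
        # Drop entries older than the window (lines are assumed time-ordered per source).
        while (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        ports_per_dst: Dict[str, set] = defaultdict(set)
        dsts_per_port: Dict[int, set] = defaultdict(set)
        for _, d, p in window:
            ports_per_dst[d].add(p)
            dsts_per_port[p].add(d)
        for d, ports in ports_per_dst.items():
            key = (src, "port-scan", d)
            if len(ports) >= PORT_THRESHOLD and key not in seen:
                seen.add(key)
                alerts.append({"time": ts.isoformat(), "src": src, "origin": origin_of(src),
                               "kind": "port-scan", "target": d, "count": len(ports)})
        for p, dsts in dsts_per_port.items():
            key = (src, "host-sweep", p)
            if len(dsts) >= HOST_THRESHOLD and key not in seen:
                seen.add(key)
                alerts.append({"time": ts.isoformat(), "src": src, "origin": origin_of(src),
                               "kind": "host-sweep", "target": p, "count": len(dsts)})
    return alerts


def sample_log() -> List[str]:
    """Constructed log lines: an external port scan, an internal SMB sweep, a slow
    external probe that never fills the window, and ordinary web traffic."""
    base = datetime(2015, 1, 12, 9, 14, 0, tzinfo=timezone.utc)

    def stamp(sec: int) -> str:
        return (base + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")

    probe_ports = (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389)
    lines = []
    for i, port in enumerate(probe_ports):            # 11 ports in 11 s: flagged
        lines.append(f"{stamp(i)} DENY src=203.0.113.7 dst=192.0.2.10 dport={port}")
    for i in range(12):                               # 12 hosts on 445 in 12 s: flagged
        lines.append(f"{stamp(100 + i)} ACCEPT src=10.0.0.25 dst=10.0.0.{i + 1} dport=445")
    for i, port in enumerate(probe_ports):            # same ports 90 s apart: not flagged
        lines.append(f"{stamp(1000 + 90 * i)} DENY src=198.51.100.4 dst=192.0.2.10 dport={port}")
    for i in range(5):                                # one client, one port: not flagged
        lines.append(f"{stamp(50 + i)} ACCEPT src=198.51.100.9 dst=192.0.2.20 dport=443")
    return sorted(lines)  # ISO 8601 stamps sort chronologically as strings


if __name__ == "__main__":
    for alert in detect_scans(sample_log()):
        print(alert)
```

The slow probe shows the limit of a fixed window: a patient attacker who spreads the same probes over minutes stays under the threshold, which is why the paper's advice to reduce what is exposed matters more than any single detection rule.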

Part 4: Reducing Your Exposure to Cyber Attack
Preventing, detecting or disrupting the attack at the earliest opportunity limits the business impact and the
potential for reputational damage. Once the attacker has consolidated their presence they will be more
difficult to find and remove.
Breaking the attack pattern
Even though it’s normally the most motivated attackers who have the persistence to carry out multiple stage attacks, they will frequently do this using commodity tools and techniques, which are cheaper and easier for them to use. So putting in place security controls and processes that can mitigate these will go some way to making your business a hard target. Equally, adopting a defence-in-depth[7] approach to mitigate risks through the full range of potential attacks will give your business more resilience to cope with attacks that use more bespoke tools and techniques.
Reducing your exposure using essential security controls
Fortunately, there are effective and affordable ways to reduce your organisation’s exposure to the more common types of cyber attack on systems that are exposed to the Internet. The following controls are contained in the Cyber Essentials, together with more information about how to implement them:
 boundary firewalls and internet gateways - establish network perimeter defences, particularly web proxy, web filtering, content checking, and firewall policies to detect and block executable downloads, block access to known malicious domains and prevent users’ computers from communicating directly with the Internet
 malware protection - establish and maintain malware defences to detect and respond to known attack code
 patch management - patch known vulnerabilities with the latest version of the software, to prevent attacks which exploit software bugs
 whitelisting and execution control - prevent unknown software from being able to run or install itself, including AutoRun on USB and CD drives
 secure configuration - restrict the functionality of every device, operating system and application to the minimum needed for business to function[8]
 password policy - ensure that an appropriate password policy is in place and followed
 user access control - include limiting normal users’ execution permissions and enforcing the principle of least privilege[9]
TECHNICAL FOCUS: SECURE CONFIGURATION
For broader guidance on a range of specific technologies (such as Bring Your Own Device, Cloud Security, and End User Device Security & Configuration), please visit the following site: https://www.gov.uk/government/organisations/cesg
If your organisation is likely to be targeted by a more technically capable attacker, give yourself greater confidence by putting in place these additional controls set out in the 10 Steps to Cyber Security:
 security monitoring - to identify any unexpected or suspicious activity
 user training, education and awareness - staff should understand their role in keeping your organisation secure and report any unusual activity
 security incident management - put plans in place to deal with an attack as an effective response will reduce the impact on your business

[7] Strengthened security achieved by establishing multiple layers of security mechanisms
[8] For broader guidance on secure configuration see the following publications:
Cloud Security Principles, www.gov.uk/government/collections/cloud-security-guidance
End user devices security and configuration guidance, www.gov.uk/government/collections/end-user-devices-security-guidance
Bring Your Own Device Guidance, www.gov.uk/government/collections/bring-your-own-device-guidance
[9] Applying only those privileges to a user account that are essential to that user's work
The 10 Steps to Cyber Security sets out the features of a complete cyber risk management regime. There are
many effective and comprehensive schemes and open standards that your organisation can apply to support
a defence-in-depth strategy, if this approach isn’t already implemented.
Mitigating the stages of an attack
We’ll look at each stage of an attack in turn, and highlight where the basic security controls mitigate the activities that take place.

Mitigating the survey stage
Any information which is published for open consumption should be systematically filtered before it is released to ensure that anything of value to an attacker (such as software and configuration details, the names/roles/titles of individuals and any hidden data[10]) is removed.
User training, education and awareness is important. All your users should understand how published information about your systems and operation can reveal potential vulnerabilities. They need to be aware of the risks of discussing work-related topics on social media, and the potential for them to be targeted by phishing attacks. They should also understand the risks to the business of releasing sensitive information in general conversations, in unsolicited telephone calls and to email recipients. The Centre for the Protection of National Infrastructure (CPNI) has published a guide to online reconnaissance to help put into place the most effective social engineering mitigations[11].
Secure configuration can minimise the information that Internet-facing devices disclose about their configuration and software versions, and reduces what an attacker can learn by probing them for vulnerabilities.
TECHNICAL FOCUS: CiSP
The Cyber-security Information Sharing Partnership (CiSP), part of CERT-UK, is a joint industry-government initiative to share cyber threat and vulnerability information. It does this in order to increase overall situational awareness of the cyber threat, and therefore reduce the impact of cyber threat on UK businesses.
Mitigating the delivery stage
The delivery options available to an attacker can be significantly diminished by applying and maintaining a small number of security controls, which are even more effective when applied in combination.
Up-to-date malware protection may block malicious emails and prevent malware being downloaded from websites. Firewalls and proxy servers can block insecure or unnecessary services and can also maintain a list of known bad websites. Equally, subscribing to a website reputation service to generate a blacklist of websites could also provide additional protection.
A technically enforced password policy will prevent users from selecting easily guessed passwords and lock accounts after a specified number of failed attempts. Additional authentication measures (such as a second factor) for access to particularly sensitive corporate or personal information should also be in place.
Secure configuration limits system functionality to the minimum needed for business operation and should be systematically applied to every device that is used to conduct business.
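The technically enforced password policy and lockout described above, as an added example (not code from the original guidance): a Python password-quality check and a per-account lockout that trips after MAX_FAILURES failed attempts inside a sliding FAILURE_WINDOW and releases itself after LOCKOUT_SECONDS. The thresholds, the small denylist and the simulated login are assumptions chosen for illustration; a real service would check candidates against a large breached-password list and compare against a salted hash rather than a plaintext password.

```python
import hmac
import time
from collections import deque

# Constructed denylist of easily guessed passwords (assumption for this example;
# a real deployment would load a large breached-password list).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12           # example thresholds, not a recommendation from the guidance
MAX_FAILURES = 5          # lock after this many failures ...
FAILURE_WINDOW = 15 * 60  # ... within this many seconds
LOCKOUT_SECONDS = 30 * 60


def password_policy_violations(password: str) -> list:
    """Return the policy rules a candidate password breaks (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if len(set(password)) < 4:
        # A long run of one repeated character would otherwise satisfy the length rule
        problems.append("too few distinct characters")
    return problems


class LockoutPolicy:
    """Tracks failed logins per account and locks the account once MAX_FAILURES
    occur within FAILURE_WINDOW seconds. The clock is injectable so the behaviour
    can be exercised without waiting for real time to pass."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}      # account -> deque of failure timestamps
        self.locked_until = {}  # account -> unix time at which the lock expires

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock has expired: release it and start counting afresh
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Register a failed attempt; return True if this attempt locked the account."""
        now = self.clock()
        recent = self.failures.setdefault(account, deque())
        recent.append(now)
        while recent and now - recent[0] > FAILURE_WINDOW:
            recent.popleft()  # drop failures that fell out of the sliding window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)


def attempt_login(policy: LockoutPolicy, account: str, password: str, real_password: str) -> str:
    """Simulated authentication step returning 'locked', 'ok' or 'failed'.
    The lock is checked before the password so a locked account cannot be brute-forced."""
    if policy.is_locked(account):
        return "locked"
    # Constant-time comparison; a real system compares against a salted hash instead
    if hmac.compare_digest(password.encode(), real_password.encode()):
        policy.record_success(account)
        return "ok"
    policy.record_failure(account)
    return "failed"
```

Because the window slides, an attacker who spaces guesses just outside FAILURE_WINDOW is never locked out; pair the lockout with monitoring of failure rates across all accounts, since a slow spray against many usernames will not trip any single account's counter.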

[10] ‘Metadata’: many programs automatically add metadata to files, including author, their username and the file save location
[11] ‘Online reconnaissance’, CPNI, May 2013, www.cpni.gov.uk/documents/publications/2013/2013007-online_reconnaissance.pdf?epslanguage=en-gb

Mitigating the breach stage
As with the delivery stage, the ability to successfully exploit known vulnerabilities can be effectively
mitigated with just a few controls, which are again best deployed together.
Commodity malware overwhelmingly depends on known and predominantly patchable software flaws. Effective patch management of vulnerabilities ensures that patches are applied at the earliest opportunity, limiting the time your organisation is exposed to known software vulnerabilities.
Malware protection within the internet gateway can detect known malicious code in an imported item, such as an email. These measures should be supplemented by malware protection at key points on the internal network and on the users’ computers where available. Devices within the internet gateway should be used to prevent unauthorised access to critical services or inherently insecure services that may be required internally by your organisation. Equally, the gateway should be able to detect any unauthorised inbound or outbound connections.
Well-implemented and maintained user access controls will restrict the applications, privileges and data that
users can access. Secure configuration can remove unnecessary software and default user accounts. It can
also ensure that default passwords are changed, and any automatic features that could immediately activate
malware (such as AutoRun for media drives) are turned off.
User training, education and awareness are extremely valuable to reduce the likelihood of ‘social engineering’
being successful. However, with the pressures of work and the sheer volume of communications, you cannot
rely on this as a control to mitigate even a commodity attack.
Finally, critical to actually detecting a breach is the capability to monitor all network activity and to analyse it
to identify any malicious or unusual activity.
Mitigating the affect stage
If all the measures for the survey, delivery and breach stages are consistently in place, the majority of attacks
using commodity capability are likely to be unsuccessful. However, if your adversary is able to use bespoke
capabilities then you have to assume that they will evade them and get into your systems. Ideally, you should
have a good understanding of what constitutes ‘normal’ activity on your network, and effective security
monitoring should be capable of identifying any unusual activity.
Once a technically capable and motivated attacker has achieved full access to your systems it can be much
harder to detect their actions and eradicate their presence. This is where a full defence-in-depth strategy can
be beneficial.
I’ve been attacked, what do I do?
There is no such thing as 100% security and your organisation will probably experience some form of cyber
attack at some time. Having an effective security incident response plan can help to reduce the impact of the
attack, clean up the affected systems and get the business back up and running within a short time. Where
relevant, you should also consider the Cyber Security Incident Response services provided by CESG, CPNI and
CERT-UK.
Closing word: raising your cyber defences
The Internet can be a hostile environment. The threat of attack is ever present as new vulnerabilities are released and commodity tools are produced to exploit them. Doing nothing is no longer an option; protect your organisation and your reputation by establishing some basic cyber defences to ensure that your name is not added to the growing list of victims.
Case Studies
On a daily basis, GCHQ and CERT-UK see computer systems and the information on them being
compromised by malicious attackers. Although the motivations may vary, they nearly always use commodity
tools and techniques at some point.
The following three case studies demonstrate how effective these attacks can be to gain access to
organisations and, conversely, how widely accepted and cost-effective cyber security controls can disrupt
the different stages in the attack model we discussed earlier.
 In the first two case studies, the attackers added malicious code to legitimate websites that staff
from the target companies regularly visited. This code compromised their computers, giving the
attackers access to the companies’ systems.
 The final case study is an example of a single-staged attack that compromised the computer of a
system administrator.
All of the mitigations listed in these case studies are covered in detail in the Cyber Essentials Scheme and the
10 Steps to Cyber Security. To reduce the risk of commodity and bespoke attacks on your business, fully
implement a comprehensive suite of cyber security controls.
Case study 1: Espionage campaign against the UK energy sector
Attackers used a technique known as a ‘watering hole’ attack to distribute malware into businesses working
in the UK energy sector. The attackers added scripts to legitimate websites frequented by energy sector
staff. Many of the websites were managed by the same web design company. Visitors’ browsers were
automatically and surreptitiously redirected to download malware from an attacker-owned server.
The malware targeted known and patchable vulnerabilities in Java, older internet browsers, and all but the
most recent versions of Microsoft Windows. The malware harvested visitors’ credentials and computer
system information, and sent this information back to the controllers via attacker-owned domains.
How it happened: the technical details
In the survey stage, the attackers discovered that a single web design company hosted a number of energy
sector businesses’ websites. Although we can’t say for sure how the attacker delivered the attack to breach
the site, they may have infiltrated the web design company’s networks by masquerading as a legitimate user
with credentials stolen through successful spear-phishing, or by exploiting an unpatched vulnerability on the
web server.
The attacker compromised the web server and then added code[12] which caused their own website to be loaded whenever the legitimate website was visited. The delivery stage then involved the attacker’s website delivering the malicious code to the victims’ computers. The unpatched browsers were breached through known software flaws in Java and common internet browsers.
The attacker’s website installed a Remote Access Tool (RAT) on the visitor’s computer, disguised as a
common type of web application script. The malware then started communicating with the attacker-owned
domains by sending ‘beacons’ to show it was active and to request commands from the attackers. The
malware was designed to capture system information, user keystrokes and clipboard contents to enable the
attackers to consolidate their position as they moved towards affecting their target. However, security
monitoring of network activity detected command and control messages from malware on the infected
computers, and in this case the attack was broken before it could affect the targeted businesses.

[12] An ‘iframe’ was inserted to point to malicious content

We believe that these ‘watering hole’ attacks were part of a continuing espionage campaign against the UK
energy sector.
Capabilities, vulnerabilities and mitigations
The attackers used a number of commodity techniques to compromise their targets within the energy
sector. They probably gained access to the legitimate websites using automated scanning tools and exploit
kits to identify and exploit unpatched vulnerabilities, or used social engineering to take advantage of poor
user training and awareness. The script hosted on the attacker’s website exploited applications with known
software vulnerabilities to install a RAT.
Whilst the attack was spotted by security monitoring, this control is not 100% effective, as it depends heavily
on technology and skills. If the appropriate essential controls had been in place, this attack would not have
been successful. However, that's not to say they wouldn't have kept on trying by using different techniques.
The most effective mitigations against this attack (both at the website and within the victim organisation)
would have been:
 network perimeter defences - deploying a web proxy, web filtering, content checking, and firewall
policies could have prevented executable downloads and access to known malicious domains on the
Internet
 malware protection defences - might have detected the commodity attack code used to exploit the victims’ browsers
 patching the known software flaws - would have prevented the script from being successful and the
malware from running
 whitelisting and execution control - would have prevented any unknown software from being able to
run or install itself
 user access control - could have restricted the malware’s capabilities
 security monitoring - in this case did identify the suspicious activity
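The control that broke this attack was security monitoring of network activity spotting the command and control messages, the same capability the breach-stage mitigations above call "critical to actually detecting a breach". As an added example, not code from the original document or from GCHQ/CERT-UK, the following Python script looks for beaconing in web-proxy logs: for each client/destination pair it measures how regular the connection intervals are and flags pairs that poll on a near-constant timer, which is how a RAT requests commands. The log extract, host names, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed web-proxy log extract (not real traffic). Fields: timestamp, client IP,
# destination host, HTTP status, bytes sent by the client. All hosts and addresses are
# invented; cdn-stat.example-bad.net plays the attacker-owned domain.
SAMPLE_LOG = """\
2015-03-02T09:00:00 10.1.2.33 www.example-energy.co.uk 200 512
2015-03-02T09:00:07 10.1.2.33 updates.example-vendor.com 200 640
2015-03-02T09:01:00 10.1.2.33 www.example-energy.co.uk 200 498
2015-03-02T09:05:01 10.1.2.33 cdn-stat.example-bad.net 200 230
2015-03-02T09:07:43 10.1.2.33 news.example.org 200 702
2015-03-02T09:10:00 10.1.2.33 cdn-stat.example-bad.net 200 231
2015-03-02T09:14:59 10.1.2.33 cdn-stat.example-bad.net 200 229
2015-03-02T09:19:58 10.1.2.33 cdn-stat.example-bad.net 200 230
2015-03-02T09:22:11 10.1.2.33 www.example-energy.co.uk 200 503
2015-03-02T09:25:02 10.1.2.33 cdn-stat.example-bad.net 200 232
2015-03-02T09:30:00 10.1.2.33 cdn-stat.example-bad.net 200 230
2015-03-02T09:31:15 10.1.2.33 mail.example-energy.co.uk 200 1204
2015-03-02T09:35:01 10.1.2.33 cdn-stat.example-bad.net 200 229
2015-03-02T09:40:00 10.1.2.33 cdn-stat.example-bad.net 200 231
"""

MIN_CONNECTIONS = 6   # fewer samples give no meaningful timing statistics (assumption)
MAX_JITTER = 0.10     # mean |interval - median| / median; human browsing is far noisier


def parse_line(line):
    """Split one proxy log line into (timestamp, client, host, status, bytes_out)."""
    ts, client, host, status, bytes_out = line.split()
    return datetime.fromisoformat(ts), client, host, int(status), int(bytes_out)


def find_beacons(log_text, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER):
    """Return one record per (client, host) pair whose connections recur at a
    suspiciously regular interval: (client, host, count, median_interval_seconds,
    jitter, total_bytes_out). Regular intervals carrying small, near-constant
    requests are the signature of malware polling its controller for commands."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, host, _status, bytes_out = parse_line(line)
            by_pair[(client, host)].append((ts, bytes_out))

    hits = []
    for (client, host), events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()
        intervals = [(later - earlier).total_seconds()
                     for (earlier, _), (later, _) in zip(events, events[1:])]
        typical = median(intervals)
        if typical <= 0:
            continue  # bursts inside one second are page loads, not beaconing
        jitter = sum(abs(i - typical) for i in intervals) / len(intervals) / typical
        if jitter <= max_jitter:
            hits.append((client, host, len(events), typical, round(jitter, 4),
                         sum(b for _, b in events)))
    return hits


if __name__ == "__main__":
    for client, host, n, interval, jitter, total in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {n} connections every ~{interval:.0f}s "
              f"(jitter {jitter:.3f}), {total} bytes sent")
```

Legitimate software updaters also poll on a timer, so the output is a lead for an analyst rather than a verdict; rank hits by how recently the destination was first seen on the network and by the total bytes sent, since a new domain receiving a steady trickle of uploads is what case study 3 below describes. Beacons that randomise their sleep interval will raise the jitter above MAX_JITTER and need other indicators.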
Case study 2: Hundreds of computers infected by remote access malware
This widespread compromise of a large UK company’s internal network originated from an exploit hosted on
their externally-managed corporate website. This was achieved as a result of poor security practices by the
website provider. The attackers used a commonly available RAT to gain information about the internal
network and control a number of computers. The widespread malware infection took extensive effort to
eradicate and remediate.
How it happened: the technical details
As part of their survey of the victim’s network and services, attackers discovered that the corporate website was hosted by a service provider, and that it contained a known vulnerability. Having surveyed the service provider, the attackers exploited this vulnerability to add a specialised exploit delivery script to the corporate website.
The script compared the IP addresses of the website’s visitors against the IP range used by the company, so that only the company’s own computers were attacked. For those visitors it took advantage of a known software flaw to download malware to the visitor’s computer, into a directory that allowed file execution, and in this way infected a number of computers within the company.
Over 300 computers were infected during the delivery stage with remote access malware. The malware then
beaconed and delivered network information to attacker-owned domains. The attackers were eventually
detected early in the affect stage. By this time they had installed further tools and were consolidating their
position, carrying out network enumeration and identifying high value users.
Whilst the compromise was successful, it was detected through network security monitoring, and a well-
defined incident response plan made it possible to investigate the incident using system and network logs,
plus forensic examinations of many computers.
To eradicate the discovered infection it was necessary, at great cost, to return the computers to a known
good state. Further investigation was also required to identify any further malware that could be used to
retain network access. To prevent further attacks through the same route, the contract terms with the
website provider needed to be renegotiated, to ensure they had similar security standards to the targeted
organisation.
Capabilities, vulnerabilities and mitigations
The attackers used a combination of automated scanning tools, exploit kits and technology-specific attacks
to compromise the organisation. They took advantage of a known software flaw and the trust relationship
between the company and its supplier.
The intensive and costly investigation and remediation of the compromise could have been averted by more
effective implementation of the following cyber security controls:
 patching - the corporate website would have not been compromised, nor would the malware
download script have succeeded, had patching on both the web server and users’ computers been
up to date
 network perimeter defences - the malware could have been prevented from being downloaded and
the command and control might not have succeeded with the use of two-way web filtering, content
checking and firewall policies (as part of the internet gateway structure)
 whitelisting and execution control - unauthorised executables such as the exploration tools would
have been unable to run if the company’s corporate computers were subject to whitelisting and
execution control (this could also prevent applications from being able to run from the temporary or
personal profile folders)
 security monitoring - may have detected the compromise at an earlier stage
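Both this case and case study 1 began with code added to a legitimate website (an exploit delivery script here, a hidden iframe there) that neither the site owner nor the hosting provider noticed. As an added example, not part of the original document or of any product, the following Python script is a content-integrity check the site owner could run on each scheduled fetch of the page: it compares the external hosts the live page loads content from against an approved baseline, and separately flags iframes that are sized to nothing or hidden with CSS. The sample pages, the host names and OWN_HOSTS are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed pages (assumptions for this example, not the real sites from the case
# studies). BASELINE is the approved copy of the site; CURRENT_PAGE is what a monitoring
# fetch returned after an attacker inserted a hidden iframe before </body>.
OWN_HOSTS = {"www.example-energy.co.uk"}

BASELINE = """<html><head><title>Example Energy</title>
<script src="/js/site.js"></script>
<script src="https://cdn.example-analytics.com/a.js"></script>
</head><body><h1>Welcome</h1><p>Company news and investor information.</p></body></html>"""

CURRENT_PAGE = BASELINE.replace(
    "</body>",
    '<iframe src="http://stat.example-bad.net/x.php" width="0" height="0" '
    'style="visibility:hidden"></iframe></body>')

# Tag/attribute pairs that make the browser fetch and run content from another host.
LOADERS = {("iframe", "src"), ("script", "src"), ("object", "data"), ("embed", "src")}


class _LoaderCollector(HTMLParser):
    """Records every content-loading element together with its attributes."""

    def __init__(self):
        super().__init__()
        self.elements = []  # (tag, {attribute: value})

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if any(tag == t and attrs.get(a) for t, a in LOADERS):
            self.elements.append((tag, attrs))


def collect(html):
    parser = _LoaderCollector()
    parser.feed(html)
    return parser.elements


def external_hosts(html, own_hosts=OWN_HOSTS):
    """Set of (tag, host) for content pulled from hosts the site does not own.
    Relative URLs have no host and are ignored."""
    found = set()
    for tag, attrs in collect(html):
        url = next(attrs[a] for t, a in LOADERS if t == tag and attrs.get(a))
        host = urlparse(url).hostname
        if host and host.lower() not in own_hosts:
            found.add((tag, host.lower()))
    return found


def injected_hosts(baseline_html, current_html, own_hosts=OWN_HOSTS):
    """External hosts referenced by the live page but absent from the approved baseline."""
    return external_hosts(current_html, own_hosts) - external_hosts(baseline_html, own_hosts)


def hidden_iframes(html):
    """Sources of iframes sized to 0/1 pixels or hidden with CSS: the classic
    watering-hole pattern, since the visitor is never meant to see the frame."""
    out = []
    for tag, attrs in collect(html):
        if tag != "iframe":
            continue
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            out.append(attrs["src"])
    return out


if __name__ == "__main__":
    print("new external hosts:", injected_hosts(BASELINE, CURRENT_PAGE))
    print("hidden iframes:", hidden_iframes(CURRENT_PAGE))
```

The delivery script in this case only served its payload to visitors from the company’s own IP range, so a check run from the hosting provider’s network or from a monitoring service outside that range would have seen a clean page; fetch from inside the address range the attacker is targeting as well. A legitimate change to the site (a new analytics provider, for instance) also shows up as a new host, which is the point: every addition should be explained by a change the site owner made.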
Case study 3: Spear-phishing attack targets system administrator
A system administrator within a high profile UK organisation was successfully spear-phished and
unknowingly installed a RAT. Taking advantage of the user’s privileged permissions, the attackers were able to exfiltrate[13] information about the network and details for multiple business-critical systems.
Fortunately, the compromise was restricted to one computer, and it was detected and effectively
investigated as appropriate security monitoring and logging were in place. Identifying and mitigating the lost
information impacted the availability of the system to the business and required extensive support from
external forensic and technical architecture specialists.
How it happened: the technical details
The attackers identified the system administrator and their personal subjects of interest. They crafted and
delivered a socially-engineered email to the administrator’s personal email address. Accessing personal
webmail from the admin computer, the administrator read the phishing email and downloaded a Trojanised
document from a file sharing service containing the first stage malware.

[13] The unauthorised transfer of data from a computer

When the Trojanised file was opened, the user was prompted to run an executable which then breached the
defences and installed the first stage malware onto the system. The attacker exploited poor security
awareness by repeatedly requesting approval to run until the administrator finally clicked ‘OK’. Unpacking
itself silently into a temporary folder, this first stage malware hid itself as a legitimate file and changed the
system to ensure it continued to run between reboots of the computer. Once installed, it started
communicating with attacker-controlled domains.
After a number of days, the initial malware downloaded a second stage executable (the RAT) and a
configuration file. To discover more about the victim organisation, the attackers configured the malware to
exfiltrate captured screenshots. Data was covertly delivered for nearly a week until the transfers were
detected. The domains were then blocked and the machine was disconnected from the network for forensic
analysis.
The compromise was detected before any significant damage could be done. However, the investigation and
clean-up operation required the assistance of industry experts and disrupted the day-to-day operation of the
organisation.
Capabilities, vulnerabilities and mitigations
The information used to identify the system administrator and the topics of interest for the socially engineered spear-phish was most likely derived from surveying publicly available information. The clean-up operation could have been averted by more effective implementation of the following cyber security controls:
 user training, education and awareness - would have ensured staff understood how personal information can be openly accessed, and made them suspicious of unsolicited email with unexpected attachments and of requests to run executable files
 user access controls - enforcing these on the basis of least privilege, for high risk activities (such as web browsing), could help to protect privileged accounts; allowing completely open browsing from the admin computer was the critical security weakness
 network perimeter defences - the Trojan and the delivery stage executable should have been detected and blocked by firewall policies, a filtering web proxy or corporate malware protection software, none of which were implemented on the system administration computer
 secure configuration - would have prevented such malware from being able to run
Disclaimer
This document has been produced jointly by GCHQ and Cert-UK. It is not intended to be an exhaustive guide
to potential cyber threats, is not tailored to individual needs and is not a replacement for specialist advice.
Users should ensure they take appropriate specialist advice where necessary.
This document is provided without any warranty or representation of any kind whether express or implied.
The government departments involved in the production of this document cannot therefore accept any
liability whatsoever for any loss or damage suffered or costs incurred by any person arising from the use of
this document.
Findings and recommendations in this document have not been provided with the intention of avoiding all
risks and following the recommendations will not remove all such risks. Ownership of information risks
remains with the relevant system owner at all times.
Crown Copyright 2015
International Case Report On Cyber Security Incidents
Reflections on three cyber incidents in the Netherlands, Germany and Sweden
Preface
As cyber incidents are increasing worldwide, the protection of the functionality of IT
systems, particularly if they are critical or vital to our societies, is high on the political
agenda. Enhancing cybersecurity – both in the public and in the private sector – is of
crucial importance for the future.

It has become a well-cited truism that these increasing threats do not stop at state borders. On the other hand, international co-operation in fighting against cyber-attacks and cyber incidents appears to be in its infancy, compared to law enforcement efforts against physical crime.
Frequently, both the actual perception of an IT or cyber incident and the initial response to it take place at a national level, either by private stakeholders or by state authorities. Hence, the editors of this study consider it worthwhile to share with our readers reflections and lessons learned from three cases from the Netherlands, Germany and Sweden, which were dealt with mainly, but not exclusively, within these countries. The cyber incidents described differ in scope, in the damage caused, and in many other aspects, but they have in common that their impact on society was considerable, even though, on a technical level, these incidents were not very complex. Also, because the affected systems were networked, these incidents escalated quickly, which put great emphasis on incident response. In two of the cases, the identities of the (possible) attackers have not as yet been revealed (in the Tieto case there was no attack).

Hence, one lesson to be learned, as it were a priori, is that coping with cyber-attacks and
cyber incidents always involves some degree of uncertainty. The publication of this case
study, therefore, aims at providing transparency of past events as a starting point for
preventive measures against future cyber threats. The report is a joint effort of three
authorities: the National Cyber Security Centre (NCSC) in the Netherlands, the Bundesamt
für Sicherheit in der Informationstechnik (BSI) in Germany, and the Swedish Civil
Contingencies Agency (Myndigheten för samhällsskydd och beredskap, MSB).
Wilma van Dijk, Director Cyber Security, Ministry of Security and Justice.
Andreas Könen, Vicepresident, Federal Office for Information Security.
Nils Svartz, Deputy Director-General, Swedish Civil Contingencies Agency.

International Case Report On Cyber Security Incidents | 3

Introduction
If we have learned one thing during the past decade, it is that cyber security is a complex
affair. During this decade, we have seen many things go wrong in the digital domain.
These incidents have left us much more experienced, but also a little confused. Where
do we go from here? In this International Trend Report, three European national CERTs
(Computer Emergency Response Teams) share some of their experiences of recent years
by means of three case studies. The central theme for all cases is ‘Trust’: the need for
it, and possibly the lack of it in the digital world. The Swedish national CERT, MSB, has
contributed a case involving an availability disruption at IT operations provider Tieto.
BSI, the German national CERT, describes the events during a DoS amplification attack
on a major telecommunications provider in Germany. The contribution of the NCSC, the
national CERT of the Netherlands, is a case on the DigiNotar crisis, which also had far-
reaching international repercussions.

All three cases share certain characteristics. They all focus on the vital infrastructure of their country. They all affected not just one, but a whole network of organisations in their country. In each case, trust was lacking or was lowered after the incident. The Swedish case stands out because it focuses on non-intentional disturbance of vital infrastructure. The German case is about a deliberate attack to deny the availability of a telecommunications provider and the consequences of such an attack. The Dutch case, the hack of DigiNotar, was a deliberate act, but it probably was not the ultimate goal of the attacker to hack into DigiNotar. The attacker used forged certificates from DigiNotar to eavesdrop on other citizens in different countries.
It is hard to reach an effective level of trust in the digital domain. By moving so many
aspects of our lives to the digital realm, we automatically become potential victims of
extensive data breaches at digital service providers. Assurance reports, Service Level
Agreements and legal action can only do so much to reflect what is required from a digital
service provider: that they perform at a level which deserves the trust their clients place in
them.
We hope you will find benefit in reading this international publication which is the joint
effort of the national CERTs of the participating countries. Let it be a reminder of known
risks, and the medium for a message: that trust in the digital domain is not only hard to
come by, but also crucial to its success.

The system of trust in security certificates based on the integrity of certificate authorities has shown to be flawed.

The DigiNotar case
Background
Even though the DigiNotar crisis was a cyber incident with an unprecedented impact
on the Netherlands, it was not the first incident where the trust which organisations
place in their providers was undermined by a security breach at one of these providers.
Two examples: On 17 March 2011, RSA, a security company and provider of security tokens, announced that unknown parties had gained access to the company’s network. Based on the limited information that RSA released, security researcher Steve Gibson concluded that it was clear that, at a minimum, a portion of the SecurID product (a two-factor security token) was compromised. At the end of May 2011, three potentially related incidents were reported: at Lockheed Martin, at L-3 and at Northrop Grumman, all American defence contractors. Although the reliability of the information available is difficult to assess, a link between these three incidents and the first attack against RSA seems extremely plausible.

A second incident took place at a business partner of Comodo, a provider of security certificates used for secure web communication. The hacker was able to obtain several
fraudulent certificates and the corresponding keys from a Comodo partner. The
certificates which were issued, included rogue certificates for Google, Microsoft, Yahoo
and Mozilla web services. After some time, responsibility for the attack was claimed by
an anonymous individual who claimed to have acted alone. Because these certificates
allowed secure internet traffic for those web sites to be intercepted, the login data of
millions of users of these services was at risk until the certificates were revoked.

In these examples, the security breach at a provider was a first step in successfully attacking targets which depended on this provider for their security.

The DigiNotar crisis
On 27 August 2011, an Iranian internet user received an invalid certificate warning from
his browser when he visited the Gmail website. He reported this incident to Google. The
certificate was generated on 10 July 2011. During the following weeks, it became clear that
the fraudulent certificate was issued by DigiNotar, a Dutch security certificate provider,
after a successful break-in into their servers.

The important role which DigiNotar fulfils in the Netherlands is threefold. First, DigiNotar is one of the security certificate providers for the Dutch government. Second, DigiNotar is an issuer of certificates for the Dutch national PKI (PKIoverheid). Third, DigiNotar issues certificates for qualified signatures. The framework for qualified signatures is an endeavour by the European Union to attach greater legal value to digital signatures. It gradually became clear that all three of these systems had been compromised during the break-in. This implied that trust could no longer be placed in the confidentiality or integrity of data or communications which had been secured with a DigiNotar certificate.

Response
When DigiNotar initially noticed the break-in into their systems, they decided to keep it secret from the general public and the authorities. In the Netherlands, there was no explicit legal provision which required them to report such an incident. However, judging from the consequences of keeping this incident secret, this course of action was probably not in the public's best interest.

The Dutch government communicated extensively about the events at DigiNotar.


However, the message varied greatly over time as more information about the break-in became clear. The PKIoverheid certificates serve as an example: as there was no initial indication that the certificate signing process for these certificates had been compromised, the government organisation Logius published a statement which declared that PKIoverheid certificates could still be trusted.

Timeline of events (2011)

17 June
Initial breach of DigiNotar systems.

17 June – 1 July
Attackers use their access to the demilitarised zone (DMZ) to break through to the internal network.

10 July
First rogue certificate is signed with the access gained.

10 – 22 July
Attackers gain access to all certificate signing systems of DigiNotar and sign at least 531 rogue certificates for at least 53 different internet domains.

22 July
After discovering the attack, DigiNotar initiates an investigation into the events. They decide to keep silent about the break-in.

27 July – 27 August
Rogue certificates signed by DigiNotar are used in man-in-the-middle attacks in Iran. Such an attack is used in order to listen in on and possibly modify the communications of users of Google services such as Gmail. For Google services alone, at least 300,000 distinct users were confronted with fraudulent certificates.

27 August
An Iranian internet user who attempts to access Gmail notices that a rogue certificate has been provided. He notifies Google.

Once GovCERT [1] had been notified, they were in charge of handling the incident. When it became clear, a week later, that PKIoverheid certificates could also not be trusted, a full crisis management plan was initiated. The Dutch crisis management structure ('national crisis structure') was activated in accordance with existing procedures. The IRB (ICT Response Board) [2] is an advisor to the crisis organisation in case of a crisis involving an IT component. The IRB convened twice, which helped to gain a quick insight into the impact of revoking trust in DigiNotar certificates. Many parties cooperated in the crisis management. Some examples are the Dutch national police, the public prosecutor, the ministry of the interior, the ministry of security and justice and the IT security company Fox-IT.

Internally, the Dutch government investigated which processes depended on DigiNotar


certificates for security or confidentiality of their communications. The filing system for
tax returns was but one of these processes.

[1] Since January 2012 GovCERT has been included within the National Cyber Security Centre (NCSC).
[2] The IRB is a public-private advisory board, which advises the national crisis structure about the situation and about the measures to be taken (including the impact).

Timeline of events (2011), continued

29 August
Mozilla also discovers the attack. GovCERT, the Dutch national computer emergency response team, is notified of the attack by CERT-Bund, their German equivalent. DigiNotar publicly admits having been hacked.

1 September
Dutch governmental organisation Logius circulates an email message in which it asks other government bodies what the impact would be of revoking DigiNotar certificates.

3 September
Dutch government officially renounces DigiNotar as a trustworthy certificate provider.

6 September
At the explicit request of the Dutch government, Microsoft decides to postpone – only in the Netherlands – the update which will remove all support for DigiNotar certificates.

14 September
Dutch telecommunications authority OPTA announces that it revokes the licence of DigiNotar to issue certificates for qualified signatures. 300 Dutch government websites still use DigiNotar certificates to encrypt communications.



Revoking all DigiNotar certificates would disrupt many critical services which the
government provides, as well as disrupting many interdepartmental communication
channels. Also, it was unclear exactly what the impact would be of revoking DigiNotar
certificates: there was only very limited knowledge about where DigiNotar certificates
were being used. Even organisations which knew that they were using DigiNotar
certificates could not say what the impact of revoking them would be on their business
processes. A Dutch newspaper noted that abruptly revoking DigiNotar certificates would
lead to a ‘government blackout’. Microsoft agreed to postpone their update which would
revoke these certificates in order to allow for one more week of repairs.

Final remarks
After the DigiNotar crisis, two measures were proposed:
• A legal obligation to notify a central authority of any significant data leaks or break-
ins within an organisation. For providers of qualified certificates, such an obligation
has since been introduced. In the case of DigiNotar, this would have led to an earlier
awareness and understanding of the extent of the problems.
• The creation of a department of digital firefighters, which could act on behalf of
the Dutch government in order to resolve a cybersecurity incident or crisis. Many
proposed formats for this closely matched the role which GovCERT already had within
the government. A discussion point within this concept was whether the government
should have the power to take over IT operations and exercise it in case of a cyber crisis
in order to protect the public interest.

Six days after the OPTA revoked DigiNotar’s licence to issue qualified certificates, the
company went bankrupt. Most of its property was auctioned off, but the hardware used to
protect the private keys of the revoked certificates is still kept locked away. The original
expiry date of the root certificates has not yet passed, which means it is possible some
software still accepts certificates issued by DigiNotar. After this expiry date, the DigiNotar
incident will be over.

The DigiNotar case has been evaluated extensively within all levels of the Dutch
government. Some important conclusions can be made:
• Apparently, the certificate authority/PKI system is part of the critical infrastructure of a country. The DigiNotar case motivates one to re-evaluate whether one's perception of what constitutes the 'critical infrastructure' of a country is both correct and complete. Also, in what way does any compromise involving such trust providers have a significant impact on the physical world?
• In cybersecurity, the effectiveness of the measures taken by a provider greatly affects the security stance of its clients. On the other hand, the insight and influence clients have over the security measures taken by their provider is very limited. This means that there will always be a residual risk associated with cooperating with providers of any kind. Any lack of security at a provider which is responsible for trust-related services has an even higher impact. The security measures taken at DigiNotar were regularly evaluated by an external auditor. It is possible that if this audit had been performed differently or more in-depth, either the actual breach, or the vulnerabilities which allowed for it, would have been noticed. This leads one to ask whether the depth at which these audits are currently performed is suitable for a system where the integrity of every component is of such great significance.
• The system of trust in security certificates based on the integrity of certificate authorities (CAs) has been shown to be flawed. Every CA can testify to the authenticity of certificates for every domain, and a browser accepts a certificate from any of the hundreds of CAs in its trust store without asking whether the domain owner ever dealt with that CA. As such, a breach at a minor CA in the Netherlands can compromise the communications of Iranian citizens with US-based corporations such as Google. Several improvements to the CA system which have been proposed are:
– using web-of-trust-like structures (as used in PGP);
– publishing the TLS certificate or public key of a server in DNSSEC-signed DNS records, so that a client only accepts a certificate that matches what the domain owner published (DANE, RFC 6698);
– Convergence (external notaries which attest to the validity of a certificate based on observations from multiple vantage points around the world).
It is unclear who has the power to initiate such a transition to a new and more secure system. Until such a transition occurs, we will see similar attacks occur regularly.
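As an added example (not from the report), here is what the DANE proposal in the list above amounts to in code: the domain owner publishes a TLSA record derived from the server's own key, and a client compares the presented certificate against that record as specified in RFC 6698. It uses only the Python standard library; the certificate and key bytes are constructed stand-ins rather than real DER, since only their hashes matter here. The names mail.example.com, Example CA and Compromised CA are assumptions for the illustration.

```python
"""Added example: DANE TLSA matching per RFC 6698 (standard library only).
The certificate bytes below are constructed stand-ins, not real DER."""
import hashlib

# TLSA certificate usages (RFC 6698 section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selectors: 0 = full certificate, 1 = SubjectPublicKeyInfo only
FULL_CERT, SPKI = 0, 1
# Matching types: 0 = exact data, 1 = SHA-256, 2 = SHA-512
EXACT, SHA256, SHA512 = 0, 1, 2


def association_data(selector, matching, cert_der, spki_der):
    """Compute the 'certificate association data' an operator publishes in the zone."""
    data = cert_der if selector == FULL_CERT else spki_der
    if matching == EXACT:
        return data
    if matching == SHA256:
        return hashlib.sha256(data).digest()
    if matching == SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_tlsa(usage, selector, matching, cert_der, spki_der):
    """Build the record tuple (usage, selector, matching, association data)."""
    return (usage, selector, matching,
            association_data(selector, matching, cert_der, spki_der))


def tlsa_rr_text(host, port, tlsa, proto="tcp"):
    """Render the record in zone-file form, e.g. _443._tcp.host. IN TLSA 3 1 1 <hex>."""
    usage, selector, matching, assoc = tlsa
    return f"_{port}._{proto}.{host}. IN TLSA {usage} {selector} {matching} {assoc.hex()}"


def dane_accepts(tlsa_records, chain, pkix_valid):
    """Return True if the presented chain satisfies at least one TLSA record.

    chain is a list of (cert_der, spki_der) tuples, end-entity first.
    pkix_valid says whether the chain validated against the client's CA store;
    usages 0 and 1 require that, usages 2 and 3 deliberately do not.
    (Simplified: trust-anchor usages accept a match anywhere in the chain.)
    """
    for usage, selector, matching, assoc in tlsa_records:
        if usage in (PKIX_TA, PKIX_EE) and not pkix_valid:
            continue
        # End-entity usages constrain the leaf only; trust-anchor usages may
        # match any certificate in the chain.
        candidates = chain[:1] if usage in (PKIX_EE, DANE_EE) else chain
        for cert_der, spki_der in candidates:
            if association_data(selector, matching, cert_der, spki_der) == assoc:
                return True
    return False


# Constructed stand-ins for DER-encoded certificates and their SubjectPublicKeyInfo.
LEGIT_CERT = (b"constructed DER: CN=mail.example.com, issued by Example CA",
              b"constructed SPKI: key of mail.example.com")
LEGIT_CA = (b"constructed DER: CN=Example CA",
            b"constructed SPKI: key of Example CA")
# A certificate for the same name signed by a different, compromised CA that the
# client's store still trusts (the DigiNotar situation): PKIX validation succeeds.
ROGUE_CERT = (b"constructed DER: CN=mail.example.com, issued by Compromised CA",
              b"constructed SPKI: key held by the attacker")
ROGUE_CA = (b"constructed DER: CN=Compromised CA",
            b"constructed SPKI: key of Compromised CA")


def demo():
    # The operator pins the server's own key: usage 3 (DANE-EE), selector 1 (SPKI), SHA-256.
    record = make_tlsa(DANE_EE, SPKI, SHA256, *LEGIT_CERT)
    legit = dane_accepts([record], [LEGIT_CERT, LEGIT_CA], pkix_valid=True)
    rogue = dane_accepts([record], [ROGUE_CERT, ROGUE_CA], pkix_valid=True)
    return tlsa_rr_text("mail.example.com", 443, record), legit, rogue


if __name__ == "__main__":
    rr, legit, rogue = demo()
    print(rr)
    print("legitimate chain accepted:", legit)
    print("rogue chain (valid PKIX, wrong key) accepted:", rogue)
```

The rogue chain passes ordinary PKIX validation (pkix_valid=True), which is exactly the DigiNotar situation; it is rejected because the attacker's key is not the one the domain owner published in DNS. Usage 3 (DANE-EE) deliberately ignores the CA store, so it defends against a compromised CA; usages 0 and 1 only add a constraint on top of PKIX and would still require a valid chain. The whole scheme depends on the TLSA record itself being DNSSEC-signed, otherwise an attacker on the path could replace it.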



A Cyber-Attack on
Deutsche Telekom
Background
A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. There are different types of DoS attacks. One common method of attack on the internet involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic or responds so slowly as to be rendered essentially unavailable. When multiple systems flood the bandwidth or resources of a targeted system the attack is called a distributed denial-of-service (DDoS) attack. [3]

DDoS attacks are very common on the internet. BSI is aware of about 1,800 DDoS attacks
in Germany during the first half of 2013. It means that on average at least ten DDoS
attacks are carried out daily. The real figure is probably much higher. Worldwide, several
companies report that they observe thousands of DDoS attacks per day. On average,
an attack lasts less than one hour. But in some cases it can last for several days or even
months.

Statistics show that the main targets of DoS attacks are governments, banks, and e-commerce companies. Often adversaries attack a victim's web server to disrupt its internet presence. But in some cases, other services, such as the Domain Name System (DNS) [4], are targeted as well.

There are different motivations for DoS attacks, e.g. political and ideological motives,
competition, extortion. Adversaries can be government agencies, state-sponsored or
patriotic hackers, hacktivists, or criminals. Some examples for adversaries and their DDoS
attacks in the recent past are:

[3] For more information, see e.g. http://en.wikipedia.org/wiki/Denial-of-service_attack
[4] The DNS is a distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates a variety of information with domain names assigned to each of the participating entities. Most prominently, it translates easily memorised domain names to the numerical IP addresses needed for the purpose of locating computer services and devices worldwide. An oft-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For more information, see e.g. http://en.wikipedia.org/wiki/Dns



• The international network of activists called Anonymous which has carried out many
DDoS attacks against various entities (governments, organisations, companies) in order
to protest against their activities.
• Patriotic hackers who attack organisations and companies of a foreign state during
political conflicts. This was seen, for example, in conflicts between China and Japan,
Israel and Palestine, Russia and Georgia, and so on.
• Criminals who have carried out a massive DDoS attack against an anti-spam
organisation: The Spamhaus Project. During this attack, up to 300 gigabits per second
of DoS traffic were experienced.
In some cases, however, as in an attack against Deutsche Telekom, neither the adversaries
nor their motivation for an attack are known.

DoS attacks lead to direct and indirect costs for the victim. They cause costs for DDoS
mitigation, direct revenue losses for e-commerce companies, reputational and brand
damage, and customer turnover. Studies and surveys suggest that an hour of DDoS attack
can cost a victim tens of thousands of euros. Attacks against critical infrastructure of a
state can even disrupt its supply of essential goods and services to its population.

Timeline of events (2012)

03.09.12, 16:00
Attack started, outage of Deutsche Telekom's reverse DNS.

03.09.12, 17:30
Attack mitigated by activation of DDoS defence tooling, reverse DNS again up and running.

03.09.12, 18:00
Attackers modify packet structure to adapt to Deutsche Telekom's countermeasures. Reverse DNS down again.

03.09.12, 18:30
Attack mitigated by reconfiguration of DDoS defence tooling, reverse DNS up and running.

04.09.12, 00:00
Attack traffic stopped.

05.09.12
Deutsche Telekom informs BSI about the attacks.

05.09.12, 14:15
New attack against reverse DNS, no DNS outages because DDoS defence tools still engaged.



Incident
In September 2012 Deutsche Telekom AG, a large German internet service provider (ISP), was attacked by unknown adversaries. The denial-of-service attack was an attempt to block the Domain Name System of the provider. From a practical viewpoint, an outage of the DNS would cause an outage of the internet for most customers of that provider, since without name resolution hardly any application can reach the hosts it needs. Telecommunications and the internet belong to the critical infrastructure of a country. Their outage could have significant adverse effects on that country.

[Figure: DNS reflection / DNS amplification attack. Three parties: the attacker (IP x.x.x.x), a third party running a DNS server (IP y.y.y.y) and the victim (IP z.z.z.z). The attacker sends the third party a short query whose source address is forged to that of the victim – "From: z.z.z.z, To: y.y.y.y, Message: Send me information about ..." – and the third party sends the much larger answer to the victim – "From: y.y.y.y, To: z.z.z.z, Message: Requested information: ...".]

Timeline of events (2012), continued

05.09.12, 16:00
Contact to web hosting provider with take-down request for the IP addresses of the attacking systems.

05.09.12, 17:00
Deutsche Telekom asks BSI for an emergency point of contact at the web hosting provider.

05.09.12, 22:00
New attacks against reverse DNS, no DNS outages because DDoS defence tools still engaged.

07.09.12
Contact to the German Federal Criminal Police Office (BKA).

13.09.12
Deutsche Telekom files a formal criminal complaint with the Public Prosecution Service.

17.09.12
DDoS defence mitigation measures closed down.



For this attack, the adversary used the server infrastructure of another web hosting provider. Although the attack vector is not completely clear, most probably the attacker used a technique known as DNS reflection or DNS amplification. It involves sending short queries with a spoofed source IP address – in this case the addresses of the DNS servers of the ISP – to the DNS servers of a third party – in this case the web hosting provider – in order to trigger long responses to be sent by those servers to the victim's IP address within a short time window. The technique works because DNS normally runs over UDP, which has no handshake that would expose the forged source address, and because a query of a few dozen bytes can trigger a response of several kilobytes (for example an ANY query for a zone with many records or with DNSSEC signatures, with EDNS0 advertising a large UDP buffer). The DNS protocol thus allows an amplification factor of up to about 100.

The motivation for the attack is unclear. The attacker made no demands to Deutsche
Telekom. No information claiming responsibility for the attack was published. A possible
explanation could be a “proof of concept” or test by which the attackers try out their
capabilities, infrastructure and tools to carry out that kind of attack.

Response
Abuse messages sent to the web hosting provider to stop the attack were unsuccessful.
After a short delay the ISP was able to mitigate the attack by redirecting the malicious
traffic (see Timeline of events, above). The mitigation was possible, since the ISP
possessed the necessary equipment and skills to monitor and mitigate such attacks and
its network capacity was high enough not to collapse under the heavy traffic.

CERT-Bund was informed by Deutsche Telekom about the attack and helped it with the
analysis. While the attack against a provider’s infrastructure which provides services to
the broad population was new, the attack method itself was already known. Since benign
DNS queries need to be answered only once, repeated DNS queries were blocked by the
mitigation systems of Deutsche Telekom.
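The following is an added example, not code from the report or from Deutsche Telekom, that puts the two preceding passages into executable form: build_query and build_txt_response produce DNS wire format (RFC 1035 message layout, EDNS0 OPT record per RFC 6891) so that the amplification factor can be measured on actual bytes, and RepeatFilter implements the mitigation rule described above, dropping a query when the same source has repeated the identical question more than a few times within a short window. The domain example.com, the IP addresses (taken from the documentation ranges) and the log lines are constructed for the example.

```python
"""Added example: DNS amplification measured on wire-format bytes, and a
repeat-query filter of the kind the report attributes to the mitigation.
Sample addresses and log lines are constructed, not captured traffic."""
import struct
from collections import defaultdict, deque

QTYPE_TXT, QTYPE_ANY, QTYPE_OPT = 16, 255, 41


def encode_name(name):
    """Dotted name -> DNS label sequence terminated by the root label."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.strip(".").split(".")) + b"\x00"


def build_query(qname, qtype=QTYPE_ANY, txid=0x1234, edns_size=4096):
    """One question, recursion desired, plus an OPT pseudo-RR advertising a
    large UDP buffer so the reflector is willing to send a big answer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT: root name, TYPE 41, CLASS field carries the UDP payload size, TTL 0, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_size, 0, 0)
    return header + question + opt


def build_txt_response(query, txt_strings, ttl=3600):
    """Answer the query with one TXT RR per string; the owner name is a
    compression pointer (0xC00C) to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    name_end = query.index(b"\x00", 12) + 1
    question = query[12:name_end + 4]          # labels + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_strings), 0, 0)
    answers = b""
    for text in txt_strings:
        raw = text.encode("ascii")
        # TXT RDATA is a sequence of <length><character-string> items, max 255 each
        rdata = b"".join(bytes([len(raw[i:i + 255])]) + raw[i:i + 255]
                         for i in range(0, len(raw), 255))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, ttl, len(rdata)) + rdata
    return header + question + answers


def amplification_factor(query, response):
    return len(response) / len(query)


class RepeatFilter:
    """Allow at most max_repeats identical (src, qname, qtype) queries per window seconds.
    A benign resolver asks once and caches; a reflection attack repeats the
    same question with the victim's address as source thousands of times."""

    def __init__(self, max_repeats=3, window=10.0):
        self.max_repeats = max_repeats
        self.window = window
        self.seen = defaultdict(deque)

    def allow(self, ts, src, qname, qtype):
        history = self.seen[(src, qname.lower().rstrip("."), qtype)]
        while history and ts - history[0] > self.window:
            history.popleft()
        history.append(ts)
        return len(history) <= self.max_repeats


def filter_log(lines, max_repeats=3, window=10.0):
    """Apply RepeatFilter to 'ts src qname qtype' lines; returns (allowed, dropped)."""
    flt = RepeatFilter(max_repeats, window)
    allowed = dropped = 0
    for line in lines:
        if not line.strip():
            continue
        ts, src, qname, qtype = line.split()
        if flt.allow(float(ts), src, qname, qtype):
            allowed += 1
        else:
            dropped += 1
    return allowed, dropped


# Constructed sample: 203.0.113.9 is the spoofed address of the victim's DNS
# server; 198.51.100.5 is an ordinary client. Timestamps are seconds.
SAMPLE_LOG = """\
0.00 203.0.113.9 example.com ANY
0.05 203.0.113.9 example.com ANY
0.10 203.0.113.9 example.com ANY
0.15 203.0.113.9 example.com ANY
0.20 203.0.113.9 example.com ANY
0.25 203.0.113.9 example.com ANY
0.30 198.51.100.5 www.example.com A
0.40 198.51.100.5 mail.example.com MX
""".splitlines()


def demo():
    query = build_query("example.com")
    response = build_txt_response(query, ["x" * 190] * 20)
    return len(query), len(response), amplification_factor(query, response), filter_log(SAMPLE_LOG)


if __name__ == "__main__":
    qlen, rlen, factor, (allowed, dropped) = demo()
    print(f"query {qlen} bytes -> response {rlen} bytes, amplification x{factor:.1f}")
    print(f"repeat filter: {allowed} queries answered, {dropped} dropped")
```

A 40-byte ANY query answered with twenty 190-character TXT records comes back as roughly 4 KB, which is where the factor of about 100 quoted above comes from. Note that the filter keys on the source address as seen on the wire, which in a reflection attack is the victim's; that is what makes per-source repeat counting effective here, and also why a legitimate busy resolver behind one address needs a higher threshold than three.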

Also, the Federal Criminal Police Office was involved in the investigation of the attack
infrastructure. However, at first, it was not clear whether it was responsible in this case.
It started to act after the Telekom provided additional information about the attack and it
was recognised that the attack was targeting a critical infrastructure.

Final Remarks
For providers of Domain Name Services there are different technical advisories for strengthening their own DNS servers in such a way that they cannot be misused for this kind of attack: answering recursive queries only for their own customers instead of operating an open resolver, and applying response rate limiting on authoritative servers so that the same answer is not sent to the same address many times per second. ISPs can additionally stop spoofed packets at their network edge by ingress filtering (BCP 38), which removes the precondition for reflection altogether. The DNS provider should be made aware of the threat and be obliged to implement the necessary countermeasures. The problem here is that this should be done by every single provider worldwide.



Possible victims should implement the necessary processes for detecting and mitigating
such attacks in advance. The mitigation can be done directly by the victim using
appropriate anti-DoS appliances offered by various manufacturers. Alternatively, the DoS
mitigation can be used as a service offered by different providers.

Since the internet is a worldwide network, it is necessary to establish national and international contacts and well-defined contact points between ISPs, but also between governmental agencies (law enforcement, governmental CERTs) which can help to stop an ongoing attack in case the party hosting the attack infrastructure does not respond to direct requests. In a federal state – such as Germany – it should also be clarified which agency (federal, state, municipal, ...) is responsible if an attacker needs to be stopped.

The internet is a critical infrastructure. Its availability is essential for the functioning of a
society and economy. Its outage can cause serious negative effects on almost all areas of
life and can even inflict real damage in the physical world. Therefore, its protection should
be an important goal for governments in every country.

Although the attack technique has been known for quite some time, its recent use for
launching DoS attacks of unprecedented scale has brought renewed interest in it. Similar
attacks are carried out against victims worldwide. A recent attack which made it into the
headlines was a DoS attack on the anti-spam organisation, The Spamhaus Project, in
March 2013.

The usage of internet servers – here DNS servers, in other cases also web, email, etc.
servers – instead of home PCs enables the attacker to generate higher network traffic,
since the internet connection of any such server is much faster than the connection of
a typical private PC. This threat changes the general situation and demands immediate
action for implementing appropriate counter measures.



The disruption at the IT
service provider Tieto
Background
New technology and new business solutions have allowed a concentration of information,
services, communication and IT operations in society. In the Swedish public sector, the
trend towards concentration and integration has been strengthened through a number
of initiatives such as the eGovernment Delegation, National eHealth, the Government
service authority, as well as the framework agreements that the Legal, Financial and
Administrative Services Agency has signed with major partners. The change in forms of
delivery of IT services is seen as a way to both increase quality and reduce business costs.

An account of the disruption at the IT service provider Tieto in late 2011 is given below.
The disruption affected both public and private organisations, and was debated both in
the specialist press and in the general media. A similar event occurred in Sweden on New
Year’s Eve (January 1, 2014) as a fire in the server room of one of the Stockholm facilities of
the IT service provider Evry caused considerable problems for the Stockholm metro, for
railway traffic, and for postal and logistic services, among others. The fire extinguishing
system was empty due to a human error. No one had restored (re-loaded) the system after
a minor incident the day before. The fire resulted in a loss of power, and data storage
systems had to be re-started. During the re-start, a software failure complicated matters,
and Evry was not able to re-deploy several IT services. This incident started a chain
reaction with implications for the whole society.

The disruptions at Tieto and Evry emphasise an already known circumstance, namely that
increased concentration and integration create a new category of vulnerability where
technical and human errors can shut down a number of societal functions over vast
geographical areas in a short period of time. A disruption at a large IT service supplier
can affect an entire society and the consequences can be considerable. Modern society is
becoming more and more vulnerable when IT systems become unavailable.

The Tieto incident


On Friday, 25 November 2011, a hardware error occurred at IT service provider Tieto. A central part of a large data storage system at a facility in Stockholm suffered an emergency shutdown. First, an important key component of the system was lost. At that moment, it would still have been possible to fall back on a backup system that was on stand-by and ready to take over. However, after a short while the backup system malfunctioned as well, thereby rendering data storage for the connected server systems non-functional.

The exact details of what happened have not been made public by Tieto, but data storage
for a large number of servers was suspended in a very short period of time. The disruption
affected about 50 of Tieto’s customers, including companies, governmental agencies and
municipalities. Exactly which clients were affected by the disruption has still not been
made public by Tieto. For some organisations, IT support nearly came to a complete
halt, while other organisations experienced disruptions of specific services. In addition,
several service suppliers seem to have been connected to the storage system, including
companies that deliver web-based tools for administration, travel management and
similar services. There were reports from several municipalities across the country about
malfunctioning administration of financial services and pension services following the
disruption at Tieto.

Timeline of events (2011)

25 November
A hardware error occurs at IT operations provider Tieto on Friday afternoon. A central part of a large data storage system at a facility in Stockholm suffers an emergency shutdown. For some of the approximately 50 affected organisations (Tieto's customers), IT support comes to a near-complete halt, while other organisations experience disruptions to specific services.

26–27 November
Tieto does not publicly acknowledge that it is experiencing operational problems caused by a hardware malfunction until Sunday afternoon, 27 November. The actual hardware error takes two days to correct. However, the customers' information, i.e. the data stored in the storage system, cannot be restored simply by replacing a single component of the technical equipment, because the hardware problem causes a chain reaction of incidents that result in a complex and time-consuming restoration process. Therefore, it takes a considerably longer time for customers to restore saved data to the same state as before the disruption.

28 November
Early Monday morning, the mass media and the public have started to understand the widespread impact of the disruption. The disruptions are not limited to the capital Stockholm and the municipalities in the surrounding area. There are reports of problems caused by the disruption from several municipalities around the country.

29 November
Media attention is growing and additional reports on affected organisations are made public.



It is difficult to provide an exact account of the direct impact of the breakdown, such as
the number of IT services or servers that went down. However, it is possible to get an
approximate idea of the extent based on the outsourcing contracts between Tieto and
some of the affected organisations. The storage system crash resulted in the malfunction
of a large number of servers, or virtual servers, over a short period of time. Moreover,
the effects were not limited to the systems operated by Tieto. The company also sold
automated operational monitoring of customer servers. As a result, several Tieto
customers quickly noticed that they no longer had any control over the status of their own
servers. This meant that they had to move quickly to manual monitoring, which resulted
in a significant amount of extra work.

Timeline of events (2011), continued

30 November
Tieto has managed to restore operations at all of the 350 affected pharmacies across the country (about 50 % of the pharmacies were back in operation on Monday evening). The pharmacies had lost contact with their IT systems and were unable to dispense prescribed medicines in accordance with normal procedures. Prescriptions were administered manually, and in some cases older IT systems were re-installed. The loan operations of the Government-owned mortgage lender SBAB are also fully restored.

1 December
The City of Stockholm concludes that there are no lingering effects of the disruption.

5 December
The 180 control stations of the motor-vehicle inspection company Bilprovningen once again have IT support. Bilprovningen inspects around 20,000 vehicles per day across the country, and the loss of IT services slowed down the inspection process and led to extra costs. One notable consequence is that the automatic reporting of all approved inspections normally made to the Swedish Transport Agency was halted. This, in turn, triggered a driving ban on many vehicles.

4 January 2012
Nacka Municipality is able to announce that all computer systems are up and running again. However, there is still a lot of catching up to do and the municipality has identified lost data.



Response
The Tieto company solved the technical error in about two days. The major challenge
for the company, however, was to restore the data and re-deploy IT services. This was a
complex problem that took several weeks in some cases.

This section focuses on responses related to the consequences of the disruption. Many
of the affected organisations had to resort to manual routines while Tieto was working
on restoring their IT services. This halted some processes, and slowed down others
considerably, due mainly to lack of personnel. Some organisations had frameworks and
plans for dealing with the loss of IT services; others had to solve the problems as they
emerged. A few organisations resorted to using old IT systems – systems that still existed,
or could be re-installed. There was also an example of a public organisation that used
Twitter and Facebook to communicate with people when their website and email systems
were down.

The Swedish Civil Contingencies Agency (MSB) started working on the event, formally,
on the morning of the 28th of November 2011. Regular meetings were held through the
Agency’s National Cybersecurity Coordination Function. Obtaining situational awareness
was the most important part of that work. In addition to this, MSB published information
on the Agency’s websites, including the national crisis portal which is the responsibility of
the Agency. On Tuesday, November 29, MSB completed an impact analysis and concluded
that no critical societal functions were affected in such a way that would seriously
threaten the functioning of society. This was followed by a status report to the Swedish
Ministry of Defence. MSB followed the progression of events through open sources,
its own contact networks, and contacts with affected parties as well as with Tieto. The
Agency quickly contacted Tieto, as well as many of the affected organisations. However,
it was difficult to gain a complete understanding of the situation through these channels
from the perspective of societal considerations as regards the widespread effects of the
disruption. Therefore, a request was drawn up on 6 December for the majority of agencies
specifically indicated in the Emergency Management and Heightened Alert Ordinance
(2006:942) to submit a situation report to the MSB regarding the disruption at Tieto. In
summary, however, it can be concluded that the MSB had difficulty in quickly forming a
comprehensive picture of how the event was affecting Swedish society. There is still no
single party with a complete picture of the societal impact. In February 2012, the Agency
submitted a formal report on the event to the Swedish Ministry of Defence.

Final remarks
It is difficult to assess fully the negative societal consequences of the disruption at Tieto.
For some organisations, IT services were unavailable for weeks, while others only suffered
minor problems. Apart from IT services becoming unavailable, there were also some
cases of data losses. In terms of financial cost, it is even more difficult to estimate the consequences. It has not been possible to analyse the total cost, but, as an example, one of
the affected municipalities (with approximately 100,000 inhabitants) estimated that their
direct costs caused by the shutdown were at least SEK 7.5 million (circa EUR 850,000). It is
very difficult to assess the costs that are related to loss of reputation. For the public sector
organisations, it is also important to notice that even if an organisation has outsourced its
IT operations, the organisation is still accountable to the public.

The Swedish Civil Contingencies Agency (MSB) did not activate the national IT response
plan during the Tieto disruption. The consequences of the disruption at Tieto cannot
be considered a social emergency. However, the disruption clearly had serious negative
consequences for individuals and organisations, meaning that the event was very serious.

The analysis that followed the event was able to establish that several of the affected
parties did not have enough knowledge about their own dependencies, nor about their
need for cooperation. Had the disruption led to more extensive social problems, the
MSB would have had trouble coordinating the relief work and alleviating the effects
of the incident, as well as creating a satisfactory basis for collaboration. The affected
organisations (Tieto’s customers), have a great responsibility in terms of informing
their users and other stakeholders themselves. The event shows that this responsibility
is difficult for many organisations to comply with. Emergency preparedness and
contingency planning for long disruptions are requirements for most organisations, but
special needs arise when an organisation outsources IT operations or uses cloud services
for vital parts of the operation. The impression after the disruption at Tieto is that the
organisations’ contingency planning was of varying quality. Further, only a small number
of organisations had applied information classification or performed a risk analysis
before their procurement and outsourcing of services.

In the event of cyber incidents, warnings come at short notice or not at all, the pace is
rapid and the incident is usually geographically independent. In order to prevent and
handle cyber incidents, an increased capability of all organisations in society at all levels
of responsibility and in all sectors is required. To this end, the MSB has identified four
areas in which further work is required:
• Strengthening preventive initiatives for cyber security (information security) throughout society.
• Procurement as a tool for better security: There is a great deal of potential in public
procurement, and all organisations need to develop further their competency in using
procurement as a means of controlling their cyber security (information security).
• Special focus on risk analysis and contingency planning: The disruption at Tieto shows that
there are shortcomings in the contingency planning and emergency preparedness
among several of the affected organisations.
• National and regional cyber security situational awareness: The increased concentration of
IT operations and other IT related services means that a large number of stakeholders
might be affected simultaneously by a cyber incident. The disruption at Tieto shows
that the affected parties need to develop better processes for gathering and sharing
information in order to create situational awareness. This should also include being
able to communicate information to the public, and it assumes that the information
is coordinated.

Lessons learned
Three case studies have been presented. Each one presents lessons learned from the
events described and the role of their authoring organisation during these events.
Two features are evident in each of these cases:

On a technical level, the incidents were not very complex, but the impact on society
was great. The Swedish case describes a relatively simple system failure; the German
story about the denial-of-service attack involves somewhat advanced but well-known
techniques; and the hack at DigiNotar was mostly possible because of the lack of proper
controls in place at DigiNotar.

In each case, the impact was large because of the role the target played in each country:
a national telecommunications provider, a signer of the national PKI infrastructure, and
an IT operations provider. All had many parties who depended on their cyber security.
Through network effects, these incidents escalated quickly.

The lessons learned show many parallels as well. A few highlights:

1 New technology has created new opportunities as well as new risks in our society. New
technology and new business solutions have allowed a concentration of information,
services, communication and IT operations in society. This increased concentration,
along with new forms of operation and increased integration, can lead to a
vulnerability where small technical errors can shut down a number of societal functions
in a short period of time.

2 Since the internet is a worldwide network, it is necessary to establish national and
international contacts and well-defined contact points between ISPs, but also between
governmental agencies (law enforcement, governmental CERTs), which can help to
stop an attack. Incident response is an entirely different matter if the incident has taken
place within infrastructures which may be halfway across the globe. International
cooperation is essential in approaching this challenge. Special needs arise when an
organisation outsources IT operations or uses cloud services for vital parts of the
operation. Cloud services and service providers form an additional challenge for
CERTs and their activities.

3 The internet is a critical infrastructure. Its availability is essential for the functioning
of a society and economy. Therefore, its protection should be an important goal for
governments in every country. Governments should re-evaluate whether the perception
of what constitutes the ‘critical infrastructure’ of a country is both correct and
complete.

4 The incidents in this report show that a large cyber incident can have an effect on an
entire society and that the impact can be considerable. In order to prevent and handle
major IT incidents, an increased capability of all participants in society at all levels
of responsibility and in all sectors is required. In this regard, the following areas are
particularly important:
a Procurement as a tool for better control of cyber security
b Special focus on risk analysis and contingency planning
c Implementation of the necessary processes for early detection and mitigation of IT
attacks
d National and regional situation status reports on cyber security.

5 In each of these cases, incident response plays a central role. Cooperation and
coordination around a major cyber security incident are crucial. The timing and
the quality of the initial response are both crucial in order to deal effectively with
all aspects of an incident or with a crisis at a later stage. The examples in this report
show that all participants must be able to act together and collaborate on decision-
making and operations in the event of an emergency. It is important that the affected
parties have developed processes for gathering and sharing information. This should
also include being able to communicate information to the public and to other
stakeholders. And finally the information should be coordinated.

6 During an incident or crisis it is important to have access to current and relevant
information from different stakeholders. Each of these cases describes how more and
more information became available during the crisis and how it was dispersed among
trusted partners. Such trust relations are not built during a crisis, but rather in the
relatively calm period beforehand. In order to respond adequately during a crisis, it is
important to establish channels for communication and the conditions under which
communication takes place.

7 Internet Service Providers (ISPs) are an important party in preventing cyber attacks.
The effectiveness of the measures taken by a provider greatly affects the security stance
of its clients. Any lack of security at a provider which is responsible for trust-related
services has a great impact.

All in all, this report provides one with much to think about, but much to do as well. The
opportunities presented by international cooperation are large indeed. We can no longer
model the cyber security stance of an organisation on a fort, by assessing the thickness
of the virtual wall built around it. Rather, we must secure the information within and
between organisations. By stepping out of our own closed communities, opportunities to
work together will show themselves everywhere. By recognising these opportunities and
acting upon them, we ensure that we will be able to meet tomorrow’s threats today.

Ministry of Security and Justice, The Netherlands
Federal Office for Information Security, Germany
Swedish Civil Contingencies Agency, Sweden

November 2014
Cyber Case Studies:
The Traditional Security Nexus
Blu3

Product of the Research & Information Support Center (RISC)

The following report is based on open-source reporting.

November 18, 2014

Introduction

As the lives of individuals and the daily operations of organizations increasingly use and depend upon
online networks and resources, the line between security incidents in the cyber and physical worlds has
become blurred. Traditional security definitions and boundaries no longer apply uniformly. While many
security professionals may still consider cyber security a technical problem, today’s reality is an
intertwined cyber-physical world wherein cyber security issues often affect and cross over into the
physical realm (and vice versa) with direct, tangible impact. Billions of people worldwide are now online; it
has become another, if not the primary, domain that individuals and organizations depend upon to
communicate, increase efficiency, engage in commerce, store and publish information, and reduce costs.
Criminals, spies, terrorists, and hacktivists (hacker activists) also take advantage of these same benefits.

The proliferation of intersections between cyber and physical is increasing as a function of computing
device connectivity. People use numerous communications protocols to connect multiple devices to
various networks at work, at home, and on the go. An organization’s sensitive and proprietary systems,
once closed-off networks, are now accessible or controllable via remote or Internet access. Furthermore,
low-cost “smart” technology has been introduced into departments not traditionally overseen by technical
staff. According to Gartner, 26 billion devices will be part of the “Internet of Things” (IoT) by 2020. IoT is
the interconnection of atypical, non-computing devices – everything from smart thermostats and alarm
systems to medical monitoring devices and automobiles – to the Internet using a myriad of wireless
technologies. This wave of ubiquitous automation will likely create a surge of security implications in both
the cyber and physical realms, especially considering security has historically lagged behind technology.

Defenders must cover all points of attack, while attackers only have to identify the weakest point. An
increasing number of traditional security incidents have occurred because of weak links that existed in the
cyber realm; the converse is also true. Through the examination of security incidents, including the
highlighted examples in Table 1, this white paper will demonstrate the interwoven nature of the two
realms, reveal who has been affected, and provide best practices and countermeasures.

Security discipline | Example incident
Facility Security | Chinese military hackers compromise facility access systems
Personal Protection | Online information sharing facilitates kidnapping of billionaire's son
Information Security | Syrian spy cameras and microphones surveil activists and journalists
Financial Security | Credit card breaches will continue after chip and PIN adoption
Personnel Security | Terrorist-linked software developers hired for critical infrastructure work
Public Safety | Hackers can cause traffic jams and misdirection
National Security | Cyber warfare becomes a component of international conflict

Table 1: Examples of examined security incidents with a cyber-traditional security nexus

The contents of this unclassified report, compiled from various open sources, in no way represent the policies, views, or attitudes
of the United States Department of State, or the U.S. Government, except as otherwise noted (e.g. travel advisories, public
statements). All OSAC products are for internal U.S. private sector security purposes only. Publishing or distributing OSAC-
derived information in a manner inconsistent with this policy may result in the discontinuation of OSAC support.
Agreement on the categorization of traditional security disciplines is difficult because there is much
overlap among them; cyber security is no different. Several other security sub-categories could fall under
one or more security disciplines in Table 1, such as operations security (OPSEC). Facility security,
personal protection, and information security are all common sub-categories of physical security.

Physical Security Case Studies

Physical security (defined as the physical protection of sensitive or proprietary information, people,
facilities, installations, or other sensitive materials, resources, or processes) is broad and multi-faceted. Its
key areas involve the physical protection of facilities, people, and information.

Facility Security

U.S. Steel

In May, a federal grand jury indicted five military officers in China’s People’s Liberation Army (PLA) Unit
61398 for computer hacking, economic espionage, identity theft, and other related offenses directed at six
U.S. private-sector organizations in the nuclear power, metals, and solar energy industries. This was the
first time the U.S. Government successfully brought criminal charges against nation-state actors for this
type of computer hacking. Most of the alleged criminal conduct involved information that was stolen while
the companies were in negotiations, partnerships, or trade litigations with Chinese state-owned
enterprises (SOEs).

One of the affected organizations, United States Steel Corporation (U.S. Steel), was involved in trade
cases with Chinese steel companies between 2009 and 2012. Shortly before the anticipated decision in
one of the cases, an indicted military hacker allegedly sent spear-phishing emails to U.S. Steel
employees – including those associated with the litigation. Some of the emails, which appeared to come
from the CEO, successfully tricked employees into clicking on malicious links, resulting in the installation
of malware and backdoor access on corporate computers. The hackers used more spear-phishing
emails, with the subject line “US Steel Industry Outlook,” to steal a list of about 1,700 company
computers, including servers that controlled physical access to the company’s facilities and emergency
response.

Although the indictment stated that vulnerable servers on that list were identified and exploited, it does
not confirm which ones were hacked or detail the extent of exploitation. Compromised facility access
systems could have enabled a Chinese competitor to target U.S. Steel’s business operations from a
physical security angle. However, most of the alleged activity conducted by the PLA 61398 hackers
resulted in intellectual property (IP) and trade secret theft.

Countermeasures

 The U.S. Steel case study underscores the need for segmentation or compartmentalization of critical
systems from public-facing networks via physical and/or logical (software) means.

 The case study also stresses the importance of cyber security education, especially to protect against
spear-phishing tactics.
o Spear-phishing is used in over 90 percent of advanced economic espionage attacks by nation-state or
nation-state-sponsored actors.
o Spear-phishing was the predominant method allegedly used by the PLA 61398 hackers.

 Segmentation and compartmentalization will likely become more important as the Internet of
Things expands, where thermostats, refrigerators, alarm systems, and security cameras could all
exist on the same network.
o A vulnerability in just one device could disclose the credentials to the entire network.
o Not only could an attacker turn off an alarm or security camera, but a threat actor could
use the cameras or smart meter readings to determine when a building is vacant in order
to break in.
o Manipulation of a thermostat to prompt a building evacuation could be the first step in a
plot to attack an organization’s physical security.
o In addition, networks that communicate without encryption, or with IoT devices that lack
physical protection, are exposed and vulnerable to attack.

Personal Protection

Social networking sites and social media sites have made collecting information on people and
organizations for social engineering, blackmail, and conducting traditional, economic, or industrial
espionage – in both the cyber and physical domains – much easier. However, information published on
these sites can also affect the physical security of people in an organization.

Mexican Drug Cartels and a Diverted Flight

Mexican drug cartels and organized crime groups (OCG) often glean personally identifiable information
(PII) from social networking and media sites to add legitimacy to extortion and kidnapping threats. They
regularly monitor social media to target individuals, such as journalists disseminating “unfavorable”
information about illicit OCG activities. OCGs may also search for secure communication channels to
avoid detection by government and security authorities, and they are likely trying to diversify revenue
streams through hacking, counterfeiting, and ATM skimming activities. As such, there have been media
reports of kidnappings, enslavements, bribes, and coercions of computer programmers, engineers, and
telecommunications experts since at least 2009.

A hacking group called the Lizard Squad attacked Sony Online Entertainment in August 2014, causing
denial-of-service disruptions to Sony’s PlayStation Network servers and tweeting a hoax to American
Airlines about “receiving reports that [Sony Online Entertainment CEO]’s plane #362 from DFW to SAN
has explosives on-board.” The hackers were a previously-unknown group who claimed links to terrorism
to add credence to the hoax; therefore, American Airlines diverted the flight and security authorities
checked for explosives. The Lizard Squad had obtained the CEO’s flight information from cross-
referencing flight schedules with travel information he had posted on Twitter (see Figure 2).

Figure 2: Hacking group Lizard Squad devised a hoax using information gleaned from
Sony Online Entertainment CEO’s tweets

Private Celebrity Photos

Information found on social networking and media sites can be used to defeat security questions used to
reset passwords on online sites and services. This, in addition to the use of weak passwords, use of
repeated passwords across multiple sites, a lack of two-factor authentication, and the allowance of
unlimited password guesses on a cloud back-up service, contributed to the highly-publicized leaks of
private celebrity photos in 2014. Using information on the Internet to humiliate, blackmail, bully, stalk,
surveil, and/or kidnap a person may be among the most frightening ways someone’s personal safety can be
compromised by cyber-related means.

Kaspersky Kidnapping

The highest-profile cyber surveillance, stalking, and abduction case involved Ivan Kaspersky, son of the
chairman and CEO of Russia-based Kaspersky Lab, one of the most prominent cyber security firms in the
world. Ivan Kaspersky was kidnapped for ransom in 2011 while walking to work from his Moscow
apartment. According to Russian media sources, amateurs – an older indebted couple – orchestrated the
plot and enlisted their son and two of his friends as “muscle” for the plot. The abductors stalked
Kaspersky and his girlfriend for several months prior to the kidnapping, determining his behavioral
patterns and discovering that he did not have a protective security detail. The kidnappers reportedly
obtained all the needed information from Kaspersky’s user profile on Vkontakte, a popular Russian social
networking site. His profile contained publicly-posted personal information, such as his real name, photo,
current school and area of study, girlfriend, work location, and the addresses of his last two apartments.
With this information, even amateurs could track and abduct the son of a prominent billionaire.

Kaspersky was forced to call his father to relay the ransom demands. Fortunately, the cellphone he used
was tracked within six days, although there is conflicting reporting as to whether its location was tracked
by Russian security authorities or someone working directly for Kaspersky. The Russian System for
Operative Investigative Activities (SORM) lawfully enables authorities to monitor, record, analyze, and
retain all data that traverses Russian telephone and Internet networks, including all emails, telephone
calls, Internet browsing sessions, text messages, and fax transmissions. The abductors may have used
the same cellphone to make food deliveries, or had geolocation services enabled.

Countermeasures

 The common thread in these personal safety attacks is the lack of operations security (OPSEC)
used in online interactions.
o Limiting the amount of publicly-available personal information online and turning off
geolocation services on social networking and media sites can go a long way in
preventing targeted attacks.
o Even in cases where permissions are set to limit the audience to online “friends,” it is
easy for the Internet savvy to use fake social networking site accounts to socially
engineer their way in.
o Potential targets should be made aware of what information about them is publicly
available online (or for a few dollars), to understand the ways they could be targeted.
o Posting information from wearable IoT devices with geolocation capabilities (GPS), like
fitness activity-monitoring devices, could also reveal regular routes or residential
addresses.

 Only trusted third-party sites and services with stringent security measures should be used for
any off-site or cloud storage of sensitive files.

 Other best practices to help counter attacks include separating work and personal accounts and
using fabricated information in password reset security questions.

Information Security

In addition to facilities and people, physical security protects sensitive or proprietary information from
sabotage or theft. Using cyber methods to destroy or steal information stored electronically is obvious, but
using cyber methods to obtain information that is not located on computer networks or electronic media is
less so. Stringent physical security measures and systems used in facilities to prevent adversaries from
overhearing information, gaining access to printed information, or discovering what physical security
systems or methods are in place, can be defeated by one compromised cellphone or computer.
Computers and cellphones contain cameras, microphones, and often tracking devices – the same
components that make up high-tech eavesdropping devices.

Syria: Non-Governmental Organizations, Journalists, and Activists

Violence from Syria’s civil war continues both on the ground and in the cyber realm. Pro-government
forces are circulating spyware to infiltrate, track, and gather intelligence against the opposition, which
often winds up in the hands of the Assad regime and results in arrests, raids, and attacks. In some cases,
suspected rebels have been rounded up and interrogated about activities they conducted on their
computers, without the interrogators needing to have physical access to the machines.

Pro-Assad hackers deploy malware that is usually in the form of a remote access toolkit (RAT), which
grants nearly full access to victim computers. Not only do the attackers have access to computer files, but
they can record everything that is typed or displayed on the screen, such as online communications,
emails, video calls, and chats on social networking sites. The spyware is able to obtain information not
normally in the cyber domain – it can turn on cameras to collect intelligence on locations, record sensitive
information posted within view, attribute online activities to specific users’ faces, and turn on microphones
to eavesdrop on conversations in the room.

The attackers use well-informed social engineering that is tailored to the interests, needs, and fears of the
opposition. For example, they have hidden malware in fake security tools, fake versions of privacy or
encryption software [such as virtual private network (VPN) clients and Skype encryption tools], bait
documents, and malicious links. One email promised documents and maps showing the movements of
fighting groups. Further, they compromised legitimate Facebook accounts, such as one belonging to the
head of the Transnational Syrian Opposition, to recommend the installation of malicious software.

When diplomatic efforts appeared to replace the possibility of U.S. military action in Syria, NGOs and
journalists working on the conflict were included as targets in the attackers’ phishing, social media, and
spear-phishing campaigns. In one instance, an NGO administrator received an email purporting to
contain video evidence of Syrian military abuses. The file played a video of a graphic execution while it
installed RAT malware.

Pro-government hacking campaigns followed similar methods until late last year, when security
researchers began to see attacks that they believed were “false flags.” The new campaigns seemed to
implicate pro-Assad hackers deliberately, but did not fit their techniques and tactics. For example, new
malware of unknown origin claimed to be from the Syrian Electronic Army, but specifically attacked
Mac computers, which are uncommon in the region. Mac computers are more popular with activists
and journalists covering Syrian issues from outside the country. Kaspersky Lab has attributed the
locations of attackers in recent Syria-related cyber attack campaigns to operations coming from Syria,
Lebanon, and Russia. This may indicate that Syrian government allies with significant hacking
capabilities, such as Hizballah, are secretly assisting in the attacks. Figure 3 shows the geographical
distribution of those targeted by recent cyber attacks.

Activists, journalists, and NGOs working on the Syrian conflict have become more knowledgeable of
the risks posed by these kinds of attacks. However, the attackers’ malware campaigns have become
increasingly innovative and sophisticated in 2014, with higher levels of social engineering. Analysis of
the cyber attacks, especially correlating new or resurging attack campaigns with current events, is
difficult.

Figure 3: Recent Syria-related cyber attacks mostly affected victims in Syria and nearby countries
(Source: Kaspersky Lab)

Countermeasures

 In addition to education on spear-phishing techniques and social networking/media site
compromise methods, organizations can prevent malware installation by keeping all software
up to date with upgrades and patches, and only downloading or obtaining trusted software
from authorized, authentic websites and stores.

 Organizations should also be aware that there is a risk of surveillance or eavesdropping when
using computers and mobile electronic devices.
o Microphones can be physically switched off (not using software) or disconnected from
systems in sensitive areas.
o Covers or removable tape can be used to cover camera lenses when not in use.
o Cellphones can be left outside, or batteries can be temporarily removed, during
sensitive conversations in secure areas.
o Other best practices for safely using electronic devices abroad can be found in the
OSAC report on economic espionage trends.

Reverse Case: Physical Security Affecting Cyber Security

An exploited vulnerability in cyber security does not always defeat physical security, but physical access
to computing devices nearly always defeats cyber security. Lack of access control, locks, temperature
control, and backup power for high-value networks or server rooms could easily result in data loss or
compromise.

Additionally, most attacks against cellphones and mobile electronic devices require one or more of the
following:

 An unencrypted connection to an unsecured Wi-Fi network;
 Falling prey to a malicious link or attachment in an email, social networking or media site, or text
message;
 Software that is unpatched or out of date; or
 Having physical access to the device.

Physical access is the easiest way to compromise laptops and mobile electronic devices. Abroad,
especially in locations with aggressive technical collectors, most security experts assume devices that are
out of direct physical control are compromised.

Financial Security Case Studies

Perhaps the greatest confluence of traditional and cyber security occurs in the finance industry, where
international commerce and financial services operate largely on a cashless framework. “Cyber” is losing
its place as a term in the finance industry vernacular. Excluding cash-only economies, monetary
exchanges and transactions are done electronically. Brazil was a pioneer in the adoption of electronic and
online financial systems 30 years ago and today has a large, robust banking community and e-commerce
sector. Even in several African countries, such as Kenya, mobile network penetration preceded that of
broadband Internet, and financial transactions by phone have become commonplace. With rapid
technological growth comes a general lag in implementing and enforcing cyber security legislation and
practices, usually creating lucrative environments for cyber criminals. As such, Brazil is a worldwide
hotspot for cyber crime, and in Africa, fraud conducted over mobile networks is prolific.

Major Credit Card Breaches of 2014

Especially in the United States, major data breaches seem to make the news headlines regularly,
contributing to the “Age of the Data Breach.” In 2014 alone, hackers have stolen over 500 million financial
records from the U.S. private sector. Of these, point-of-sale (POS) terminal malware exposed the financial
information of over 100 million credit cardholders, stealing the information while it was unencrypted in
memory or elsewhere in the transaction chain. EMV “chip and PIN” credit cards, wherein cards contain an
embedded microchip and are authenticated to bank servers using a personal identification number (PIN),
may be an answer. However, without end-to-end encryption of credit card data in a financial transaction
(including memory and storage), these breaches could still occur. Furthermore, stolen card information
still can be used fraudulently in online transactions, which cannot access the chip.

Credit card skimming, when criminals insert a rogue device into an ATM or POS terminal that copies
information stored on the magnetic strip, will likely decrease in countries that migrate fully to EMV chip
technology. However, chip and PIN cards are not immune to software flaws, incorrect implementation, or
more advanced skimming attacks that clone the chip or harvest the PIN.

As countries migrate to the EMV standard, payment networks have implemented liability shifts. In the
U.S., the card issuer is liable for fraudulent transactions, but in countries that have adopted EMV, liability
for fraudulent transactions has shifted to the retailers and ATM owners that do not support it.

Countermeasures

Large credit card breaches will likely continue to occur because of the time required for a country to
completely adopt EMV technology, and as long as there are end-to-end encryption issues. However,
examination of the major credit card breaches in 2014 reveals other vulnerabilities that were involved in
the attacks.
• Computers on the same network as those in the POS transaction chain (without physical or
logical separation):
o Were open to Internet access;
o Had remote administration software installed;
o Had user accounts with access to email and Internet browsing (susceptible to spear-phishing
and drive-by downloads that install malware); and/or
o Were connected to third-party vendors or services, such as payment processor companies or
HVAC companies, that employ less stringent security measures.

• Even organizations that employed stringent security software and response teams missed alerts
and warnings. This can happen when multiple offices are responsible for an organization’s overall
security, but there is no standard operating procedure to delineate individual responsibilities, and
when no formal breach response plan exists.

Compliance with new PCI-DSS 3.0 security standards will help address some of the vulnerabilities
affecting credit card transactions.

Personnel Security Case Studies

Personnel security assures the loyalty, reliability, suitability, and trustworthiness of employees and others
who work with or have access to sensitive information and material. It is often concerned with insider
threat. Economic (nation state) and industrial (corporate) espionage threat actors use social engineering
techniques, both cyber and traditional, to specifically target employees who have any access to sensitive
or IP-related information. Some insiders may be state-sponsored threat actors already embedded in U.S.
private-sector organizations, but many are coerced with promises of financial reward. Both economic and
industrial espionage actors lure employees with lucrative job opportunities at either state-owned
enterprises or competitors. Employees can also be coerced by nation-state governments to help their
home countries out of patriotism or loyalty.

Disgruntled employees are prime targets for economic and industrial espionage actors, and as many as
75 percent of departing employees are disgruntled. According to client statistics compiled by cyber
security firm Websense, 65 percent of malicious insiders have already accepted a new job, and 25
percent of them hand over proprietary information to a foreign company or government (see Figure 4).

Figure 4: Threat profile of malicious insiders (Source: Websense)

Jerome Kerviel and Societe Generale

For Jerome Kerviel, no encouragement or lure was needed in what became the biggest rogue trading
scandal in history. Kerviel, a trader for French multinational banking and financial services company
Societe Generale, was convicted in 2008 for breach of trust, forgery, and unauthorized use of the bank’s
computers. As an insider, he subverted controls and used an accumulation of privilege to go on a
gambling spree that resulted in a $7 billion loss for his employer. After his release from prison in
September 2014, he was hired as an information systems and computer security consultant by Lemaire
Consultants and Associates.

Aum Shinrikyo

Aum Shinrikyo, a Japanese doomsday terrorist group, was responsible for many assassinations and the
1995 sarin nerve agent attack on the Tokyo subway system that killed 12 people. Five years later,
security authorities realized that more than 80 Japanese companies and government organizations had
contracted computer companies affiliated with Aum Shinrikyo for software development. The Japanese
companies affected were major players in the electronics, food, banking, transportation, and metal
manufacturing fields, while some of the government agencies were responsible for construction,
education, postal services, and telecommunications.

Computer software development was a major source of revenue for Aum Shinrikyo. Many affected
organizations did not know they had ordered software from firms affiliated with the terrorist group because
their main suppliers had subcontracted the work. Additionally, most affiliates concealed their relationship
with Aum Shinrikyo. They developed about 100 different types of software, including customer
management, airline route management, and mainframe computer systems. The most prominent
customers were Nippon Telegraph and Telephone (NTT), Japan’s main telephone and Internet
service provider, and the Defense Ministry of Japan. The concern that the terrorist group had inside
access to sensitive government and corporate computer systems became a widespread fear, as many
worried about acts of cyber terrorism and sabotage of vital communications and networks. Many affected
government agencies and companies were forced to suspend the use of purchased systems until they
could assure they were secure.

Countermeasures

• The most effective countermeasure for insider threat is user education, especially as part of a
formalized insider threat program.
o The average employee is not aware that foreign governments, in addition to competitors,
attempt to recruit insiders.
o Coworkers have the best chance at identifying insider threat behavior in an organization.
o The CERT Insider Threat Center has published best practices for mitigating IP theft,
information systems sabotage, and fraud. Additionally, the FBI Counterintelligence
Division’s Insider Threat Program offers an extensive list of possible insider behavior and
risk indicators.

• A great number of insiders are also unintentional.
o Although usually not as costly, many losses occur from negligent or uninformed
employees, who do not realize that they are not complying with cyber security best
practices.

o It often requires only one instance of human error, such as falling for a spear-phishing
scheme, for a major data breach or loss to occur in an organization.

• The Aum Shinrikyo case stresses the importance of personnel security measures not only for
employees in the workplace, but also for all those who work with or have access to sensitive
information or systems in the entire supply chain.

Public Safety Case Studies

Public safety involves the prevention of and protection from events that could endanger or cause injury,
harm, or damage to the general public. The Aum Shinrikyo case highlights a cyber-related incident that
overlaps multiple security disciplines; it could have had long-reaching effects on the public safety in
Japan. Other examples of cyber incidents that could impact public safety involve event security and
terrorism.

Major Event Disruption

Hacktivists (hacker activists) have threatened mass disruptions at major events to publicize or bring
attention to their causes. Days before the opening ceremony at the London 2012 Summer Olympic
Games, British security services warned Olympics authorities about the threat of a cyber attack on the
stadium’s power supply. According to government investigations, the threat, which came from
hacktivists, was not credible. However, it led to checks on a back-up power system, including tests to
ensure functionality despite the strain from the stadium’s lighting and communications networks.

Traffic Light Hacks

Hacktivists have also threatened to hack into traffic control systems at major events, such as the 2014
FIFA World Cup, using vulnerabilities in traffic control systems that were recently published in two
separate studies. The studies revealed that traffic control systems could be disrupted or rendered
inoperable. One researcher used a remote-control drone and cheap programmable hardware to launch
an attack on a traffic system and sent fake data to sensors – small wireless vehicle detection devices
embedded in the ground that transmit information about automobile location and movement. Traffic could
be impacted if the sensors were wirelessly linked to traffic lights. The other research team showed that it
was possible to break into the wireless communications of another system’s traffic controllers because
there were no passwords in use and no encryption used in the transmissions.

Terrorists could exploit traffic control system vulnerabilities to direct traffic toward (or restrict it to) a
planned attack location. While the products detailed in the studies are deployed primarily in the U.S.,
about 200,000 of the sensors in one system are in use worldwide, including in the UK, France, and
Australia. Experts believe that many traffic infrastructure devices created by various vendors have similar
security properties due to a lack of security consciousness in the traffic control systems field.

Countermeasures

• There are several practical ways that transportation departments, traffic light operators, and
equipment manufacturers can increase the security of their infrastructure:
o Enabling encryption on wireless networks,
o Blocking non-essential traffic from being sent on the network, and
o Updating device firmware regularly.

• The simplest solutions with the greatest impact are to enable passwords and not rely on
default login credentials.

• The vulnerabilities in the traffic sensor system have been patched, with planned upgrades for
older models. However, the identity of the other vendor has not been disclosed, and their
vulnerabilities are still exploitable.

National Security Case Studies

National security refers to the protection of a nation through the use of economic power, political power,
military might, and diplomacy to ensure its survival. Accordingly, national security is dependent upon
military as well as non-military facets such as economic security, energy security, and environmental
security.

One of the most concerning national security issues with or without a cyber security nexus is the scale of
trade secret theft conducted against U.S. economic interests, especially those with foreign operations. In
addition, host country national security can affect the operations and welfare of U.S. private sector
organizations abroad. There are many possible attack vectors that could impact a country’s critical
infrastructure and therefore the operations of OSAC constituents. Furthermore, international and
intranational conflicts more frequently include cyber components.

Economic Damage by Espionage

Intellectual property theft, especially in the cyber domain, has been one of the most serious economic and
national security challenges the U.S. has faced over the past several years. The Commission on the Theft
of American Intellectual Property, in their 2013 IP Commission Report, estimated that the U.S. economy
is experiencing annual losses of over $300 billion a year to international trade secret theft. The report
concluded that better protection for IP, especially overseas, would add millions of jobs to the U.S.
economy, significantly bolster economic growth, encourage investment in research and development, and
improve innovation.

Critical Infrastructure Attacks

Threats to a host nation’s critical infrastructure include those against the financial services industry,
energy sector, water supply, transportation systems, public health services, and telecommunications
networks. Nation states have infiltrated or attacked critical infrastructures, often controlled and monitored
by industrial control systems (ICS), since at least 2003. Patching and updating ICS equipment can be
difficult because it is often old, sensitive, proprietary, or no longer supports software upgrades. Many
systems require continuous operation and cannot be rebooted after an update, especially if it takes
several hours to do so or there is a risk that the system may not work properly afterward.

Critical infrastructures that are accessible via the Internet are most vulnerable to attack. However, those
that isolate, or “air gap,” their systems from the Internet are not impenetrable. Advanced nation-state
attacks on air-gapped systems have succeeded, e.g., the Stuxnet and Agent.btz campaigns, where
employees may have inserted malicious USB flash drives – planted outside targeted facilities – into
computers that were connected (or later connected) to the sensitive, isolated networks. The Stuxnet virus
destroyed nuclear centrifuges in Iran, and Agent.btz infiltrated both classified and unclassified U.S.
military networks. Other research suggests that the Stuxnet virus may have entered via hacked suppliers
of nuclear facility components. Additionally, the Shamoon virus, introduced by a disgruntled insider with
full systems access, destroyed 75 percent of the corporate data at Saudi Arabia’s national oil and natural
gas company.
Actors based in China, Russia, and Iran have allegedly conducted cyber probes of U.S. grid systems;
cyber attacks have occurred against critical infrastructure in several other countries as well. In 2013, a
senior Israeli official revealed a foiled hacking attempt to break into the computers of the water system in
Haifa and stated that critical infrastructures in Israel undergo hundreds of cyber attacks every minute. In
2013 and 2014, private security researchers set up fake industrial control systems (“honeypots”) on the
Internet that emulated water pumping stations. Analysis of one decoy system revealed intrusion and
system modification attempts originating from several countries, as shown in Figure 5. Further, targeted
attacks to obtain statistics, diagnostics, and protocol information included a spear-phishing attack from
China, a commonly-known malware attack from Vietnam, and an unknown malware attack from Russia.

Figure 5: Water pumping station “honeypot” attacks by originating country with highlighted exploitation methods (Source: Trend Micro)

Despite the vulnerabilities and reported intrusions of industrial control systems, it is rare for threat actors
to carry out significantly damaging or full-scale attacks. Many critical infrastructure operators in
technologically advanced countries air-gap their most important systems from the Internet. Some
experts argue that a mass takeover of critical infrastructure is not likely because it is sufficiently
segmented, so that only one component, area, or section could be affected at a time. Regardless, the
pervasiveness of cyber attacks on critical infrastructures and “cold war” tactics indicate that the definition
of national security has expanded to include a nation’s offensive and defensive cyber capabilities.

Cyber Component in International Conflicts

National governments use cyber tactics to help fight rebellions, oppositions, and terrorists internally (see
previous section on the Syrian civil war). However, they have also used cyber tactics as a component in
international conflicts. Cyber researchers have noted major spikes in malware traffic on corporate and
government networks preceding the Russia-Ukraine and Israel-Gaza conflicts, suggesting that conflict
occurring in the cyber realm could be used as a threat indicator or even a tripwire for kinetic attacks. Over
an 18-month period, as tensions rose between each pair of countries, so did the frequency of cyber
attacks between them. Attribution of the attacks becomes crucial, however, as a false flag or the
misidentification of a state-led cyber attack could lead to physical, armed conflict.
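The tripwire idea described above, worked through as an added example that is not part of the OSAC paper: a trailing robust baseline over daily malware-alert counts flags the days that rise far above it, and the tripwire fires only after consecutive flagged days. The alert counts, window length, threshold multiplier and function names are constructed assumptions, not figures from the paper.

```python
"""Spike detector for daily malware-alert counts (added example, not from the OSAC paper).

The paper reports that malware traffic spiked on corporate and government networks
before the Russia-Ukraine and Israel-Gaza conflicts and suggests such activity as a
threat indicator or tripwire. This hypothetical implementation keeps a trailing
robust baseline (median and median absolute deviation) and flags a day whose count
rises well above it; a tripwire fires only after several consecutive flagged days,
so a single noisy day does not trigger it.
"""
from statistics import median
from typing import List, Optional, Tuple

# Constructed sample: 30 days of malware-alert counts from a network sensor.
# Days 25 to 27 carry a burst well above the quiet baseline.
SAMPLE_DAILY_ALERTS = [
    12, 15, 11, 14, 13, 16, 12, 14, 15, 13,
    12, 14, 16, 13, 15, 14, 12, 13, 15, 14,
    13, 15, 14, 16, 13, 48, 62, 71, 15, 14,
]


def robust_baseline(window: List[int]) -> Tuple[float, float]:
    """Return (median, sigma) for a window of counts.

    sigma is the median absolute deviation scaled by 1.4826, which estimates the
    standard deviation without being pulled upward by the spike days themselves.
    """
    med = median(window)
    mad = median(abs(x - med) for x in window)
    return med, 1.4826 * mad


def spike_days(counts: List[int], window: int = 14, k: float = 5.0,
               floor: float = 1.0) -> List[int]:
    """Indices of days whose count exceeds median + k * sigma of the preceding window.

    floor is the minimum sigma used, so a perfectly flat baseline (MAD of zero)
    still yields a non-zero margin instead of flagging every tiny fluctuation.
    """
    flagged = []
    for i in range(window, len(counts)):
        med, sigma = robust_baseline(counts[i - window:i])
        if counts[i] > med + k * max(sigma, floor):
            flagged.append(i)
    return flagged


def first_tripwire(counts: List[int], consecutive: int = 2, **kwargs) -> Optional[int]:
    """Day index on which `consecutive` flagged days in a row are first reached, else None."""
    run = 0
    previous = None
    for day in spike_days(counts, **kwargs):
        run = run + 1 if previous is not None and day == previous + 1 else 1
        previous = day
        if run >= consecutive:
            return day
    return None


if __name__ == "__main__":
    print("spike days:", spike_days(SAMPLE_DAILY_ALERTS))                # [25, 26, 27]
    print("tripwire fired on day:", first_tripwire(SAMPLE_DAILY_ALERTS))  # 26
```

Because the baseline is computed from the median rather than the mean, the burst days themselves do not inflate the threshold once they enter the window, which is what keeps the day after the burst from being masked.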
Russian Conflicts

Open-source reporting and private industry security research have accused Russia of conducting attacks
on telecommunications networks in its engagements with Estonia in 2007, Georgia in 2008, and Ukraine
in 2014. In a dispute that erupted over the Estonian removal of a Soviet war memorial in Tallinn, Russia
allegedly conducted a three-week cyber attack that took down Estonian systems that relied on Internet
technology – disabling voting, security, telephony, and 95 percent of banking operations. US-CERT
attributed the takedowns to distributed denial-of-service (DDoS) attacks. In 2008, the Russian invasion of
Georgia included disruption attacks that blocked Georgia’s banking, media, and government websites.
Internet connectivity within Georgia and to the outside world was impacted, and there were widespread
propaganda and website defacement campaigns against Georgian websites. In 2014, armed men raided
Ukrainian telecommunications facilities in Crimea, severing Internet and telephone services between the
region and the rest of Ukraine. However, this was accomplished by physically cutting telecommunications
lines, a military tactic that predates the Internet by decades. Russia also allegedly installed equipment
that blocked the mobile phones of Ukrainian members of parliament. Some Ukrainian government
agencies, including the Prime Minister’s office and at least 10 Ukrainian embassies abroad, were infected
with a Russian-linked cyber espionage campaign called the Snake malware, also referred to as
“Uroboros.” At least nine other countries’ embassies in Eastern Europe were also infected with the
malware, resulting in leaks of sensitive diplomatic information. And in September, the broadband network
of a major telecommunications provider in New Zealand ground to a halt for 36 hours when user
connections were co-opted to conduct a DDoS attack against websites in Ukraine and several large
international banks enforcing sanctions against Russia.

Predictably, the Russian government has denied state involvement in these attacks. Nonetheless,
investigations by private cyber security firms have determined that these attacks originated inside
Russia's borders. State-sponsored or Russian nationalist hackers could have been responsible for at
least some of the cyber campaigns. Cyber Berkut, a nationalist hacking group that emerged after the
dissolution of the “Berkut” Ukrainian special police force, took credit for the hacking of Ukraine’s electronic
election system prior to the 2014 presidential election. They took down the system via DDoS,
manipulated and destroyed data, and defaced the website to display fake election results.

Israel-Gaza Conflict

While Israel likely included a cyber component in its conflict with Gaza, media reporting focused more on
attacks that pro-Gaza hackers conducted against Israel. Pro-Gaza hackers took control of an Israeli
satellite TV station to display propaganda, hacked into the emergency messaging systems to send false
and threatening SMS text messages to millions of Israeli civilians, and hacked the Israeli Defense Forces’
Twitter account to report falsely that two rockets from Gaza had hit the Dimona nuclear reactor and
caused a leak. While media reporting attributed the cyber attacks to Hamas, Israeli security officials
revealed that Iran may have also been involved. One of the false emergency SMS text messages was an
alert that the airport in Tel Aviv had been hit by a rocket. Later that evening, an OSAC constituent called
the OSAC emergency duty phone to confirm the attack after receiving a report from their security vendor
on the ground. However, the vendor was likely one of the many who had received the hoax on their
smartphones.

(Sidebar: A constituent called the OSAC emergency duty phone to confirm whether a rocket had hit the
Tel Aviv airport. Their security vendor in Israel likely received a false SMS text alert from the hacked
emergency messaging system.)

Terrorist Groups

The Islamic State of Iraq and the Levant (ISIL or ISIS) and Al-Qa’ida have not exhibited the ability to
conduct sophisticated cyber attacks, thus far only using social media networks and other online resources
to communicate, post propaganda, and recruit. Just as governments, militant groups, and terrorists may
receive physical assistance and arms support from their allies, they may also receive offensive cyber
training. Based on open-source reporting and past attack attribution, Iran, Syria, Hamas, Hizballah, and to
a lesser extent, pro-Islamic hacktivists, are the only adversaries in the Middle East and North Africa
region that have exhibited offensive cyber capabilities.

Countermeasures

• Critical infrastructures should isolate their most important systems from public networks. Many ICS
devices are not only Internet-facing, but do not have security mechanisms to prevent unauthorized
access.
o Web-based ICS equipment that cannot be isolated from the Internet should use encrypted
communications.
o System administrators should set appropriately secure and non-default log-in credentials,
implement two-factor authentication, and disable insecure or unnecessary remote access
communications protocols.
o Organizations with aging, fragile, or sensitive industrial control systems can employ real-time
network monitoring and incident response. Otherwise, administrators should keep ICS
equipment up to date with software patches and fixes.
o Physical and logical (software-based) access control can prevent unauthorized employees or
contractors from accessing important equipment.

• Air-gapped systems may still be vulnerable to attack by advanced nation-state threat actors.
o Education and training is the best way to protect against both insider threat and the
connection of unauthorized devices or external electronic media.
o Disabling or restricting computer ports that accept external electronic devices or media can
prevent the introduction of malware.
o Suppliers are usually much easier for hackers to exploit than the corporations or government
agencies using them.

• Shodan is an online search engine that allows users to search for publicly-accessible devices and
computer systems that are connected to the Internet.
o Shodan users can locate systems including security cameras; heating and security control
systems for banks, universities, and large corporations; medical devices; and industrial
control systems (see Figure 6) for water plants, power grids, and nuclear power facilities.
o Users are primarily cyber security professionals, researchers, and law enforcement agencies,
and it is a useful tool for conducting penetration tests on, or “red teaming,” network resources
and systems.
o While cyber criminals can use the website, they have other effective methods to accomplish
the same task without detection. One recent honeypot study revealed intrusion attempts from
China-based attackers within two hours of connecting the decoy ICS equipment to the
Internet, before the system appeared on Shodan.

Figure 6: A map of industrial control systems that are directly connected to the Internet (Source: Shodan)

Outlook and Conclusion

Out of convenience, people and organizations have adopted technology into nearly every aspect of their
daily lives and operations. Physical devices are linking or connecting to the cyber realm at an exponential
rate. As atypical devices with “smart” functionalities and Internet capabilities become connected to the
Internet of Things, they also become hackable. Sharing or storing information on external networks also
relinquishes control of the data to third-party vendors and services. Even worse, technology adoption is
surpassing the ability to secure it. This is especially concerning as cyber security has become a
component of an organization’s overall security posture.

Supply chains today are large, complex, and often networked. It is increasingly difficult to map all the
systems, devices, and services that support an organization’s operations, especially how they link
together. Security breaches occur when attackers probe and map targeted networks before an
organization can, seeking to exploit the weakest spots and leveraging trusted third-party connections.
For example, hackers often compromise the email accounts of third parties to send spear-phishing
emails to higher-value targets with stronger security postures. Suppliers – or even suppliers of
suppliers – are usually much easier to break into than the corporations using them.

The convergence of traditional and cyber threats has created the need for integration of the security
disciplines. Adversaries have become more sophisticated in their exploits, often involving both traditional
and cyber attack vectors. Traditional security organizations and jobs increasingly include cyber
security responsibilities as the line between cyber and real-world security incidents becomes indistinct.
Information security – traditionally the protection of sensitive or proprietary information – and financial
security have almost become synonymous with cyber security because most information and financial
data is now transmitted and stored on computer networks.

According to former DHS Secretary Michael Chertoff, “one of the biggest misconceptions is that cyber
security is a hardware or software problem; the reality is that it is a people problem.” Understanding
adversaries and addressing both technical and human vulnerabilities is critical. A strong security posture
depends upon a culture where security is everyone’s responsibility, especially when the actions of one
person, or one weak link, can compromise the entire enterprise.

Examination of the case studies presented in this white paper reveals countermeasures that OSAC
constituents could incorporate into their security strategies to prevent or lessen the impact of security
incidents with a cyber nexus:

• Segmenting, compartmentalizing, or isolating sensitive information and systems from public-facing
networks and unauthorized access;
• Separating work and personal accounts and/or information;
• Enforcing separation of duties and least privilege for employee, contractor, and vendor user accounts;
• Educating and training employees and third parties, including social engineering techniques used by
threat actors, and holding third parties accountable with service-level agreements;
• Keeping software, including anti-virus and anti-malware software, up to date with security patches and
upgrades;
• Incorporating security into technology development, maintenance, and the overall system development
life cycle process;
• Only downloading or obtaining trusted software from authorized, authentic websites and stores;
• Practicing good operations security (OPSEC) in online interactions;
• Encrypting sensitive information in transit and storage whenever possible;
• Employing two-factor authentication, especially for remote access to internal networks and external
storage of sensitive files;
• Employing and enforcing strong password strategies;
• Disabling microphones and cameras in sensitive areas to prevent surveillance or eavesdropping;
• Remembering that physical access to unencrypted computing devices nearly always defeats cyber
security; and
• Integrating cyber security into crisis management, disaster recovery, and incident response plans and
exercises.
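Several of the countermeasures above (least privilege for employee, contractor and vendor accounts, separation of duties, two-factor authentication for remote access, and keeping work and personal accounts apart) can be turned into a routine check that a security analyst runs over an account inventory. The script below is an added illustration for this handbook, not code from OSAC or NASSCOM; the account inventory, the role names, the conflicting-privilege pairs and the privilege allowances per account type are all constructed assumptions that an organization would replace with its own policy.

```python
"""Audit a constructed account inventory against several of the
countermeasures listed above: least privilege per account type,
separation of duties, two-factor authentication for remote access,
and separation of work and personal accounts.

Added illustration for the handbook; not OSAC's or NASSCOM's code.
All role names, privilege names and thresholds are constructed."""

from dataclasses import dataclass

# Separation of duties: privilege pairs that one account must not hold
# together (the person who makes a change must not also approve it).
# Constructed example pairs.
CONFLICTING_PRIVILEGES = {
    frozenset({"change_firewall_rules", "approve_change_requests"}),
    frozenset({"create_vendor_payment", "approve_vendor_payment"}),
}

# Least privilege: the most an account of each type may hold. Constructed.
ALLOWED_PRIVILEGES = {
    "employee": {"read_logs", "change_firewall_rules", "approve_change_requests",
                 "create_vendor_payment", "approve_vendor_payment", "remote_access"},
    "contractor": {"read_logs", "change_firewall_rules", "remote_access"},
    "vendor": {"read_logs", "remote_access"},
}

# Work/personal separation: mail domains that must not back a work account.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}


@dataclass
class Account:
    name: str
    kind: str            # "employee", "contractor" or "vendor"
    email: str
    privileges: set
    mfa_enabled: bool


def audit_account(acct: Account) -> list:
    """Return a list of policy findings for one account (empty if clean)."""
    findings = []
    allowed = ALLOWED_PRIVILEGES.get(acct.kind)
    if allowed is None:
        findings.append(f"unknown account type '{acct.kind}'")
    else:
        excess = acct.privileges - allowed
        if excess:
            findings.append(f"excess privileges for {acct.kind}: {sorted(excess)}")
    for pair in CONFLICTING_PRIVILEGES:
        if pair <= acct.privileges:
            findings.append(f"separation-of-duties conflict: {sorted(pair)}")
    if "remote_access" in acct.privileges and not acct.mfa_enabled:
        findings.append("remote access without two-factor authentication")
    domain = acct.email.rsplit("@", 1)[-1].lower()
    if domain in PERSONAL_MAIL_DOMAINS:
        findings.append(f"personal mail domain used for work account: {domain}")
    return findings


def audit_inventory(accounts) -> dict:
    """Map each account name to its findings."""
    return {a.name: audit_account(a) for a in accounts}


# Constructed sample inventory: one clean account and three with findings.
SAMPLE_INVENTORY = [
    Account("asha", "employee", "asha@example.com",
            {"read_logs", "change_firewall_rules"}, True),
    Account("bala", "employee", "bala@example.com",
            {"create_vendor_payment", "approve_vendor_payment"}, True),
    Account("vendor-hvac", "vendor", "ops@hvac-vendor.example",
            {"read_logs", "remote_access", "change_firewall_rules"}, False),
    Account("contractor-1", "contractor", "c1@gmail.com",
            {"read_logs", "remote_access"}, True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The checks are deliberately simple set operations so that the policy (which privileges conflict, what each account type may hold) stays readable data rather than logic; in practice the inventory would be exported from the directory or identity system and the findings fed into the daily records that SSC/N0901 PC6 asks the analyst to keep.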

Contact Information

For further information or inquiries, please contact OSAC’s Coordinator for Information Security & Cyber
Threats.

OSAC constituents can confidentially report traditional or cyber security incidents abroad on the OSAC
website at https://www.osac.gov/Pages/IncidentSubmission.aspx or by directly contacting the OSAC
Research and Analysis Unit (RAU).

Referenced OSAC Reports:

• Trade Secret Theft: Trends in State-Sponsored Economic Espionage
• OSAC Assessment: Sochi 2014 Winter Olympics (Information Security and Cyber Threats section)
• OSAC Assessment: 2014 FIFA World Cup (Information Security and Cyber Threats section)

Annexure 3

Assessment Criteria
Criteria for Assessment of Trainees

Job Role: Security Analyst
Qualification Pack: SSC/Q0901
Sector Skill Council: IT-ITeS

Guidelines for Assessment:


1. Criteria for assessment for each Qualification Pack (QP) will be created by the Sector Skill Council (SSC). Each
performance criterion (PC) will be assigned Theory and Skill/Practical marks proportional to its importance in the
NOS.
2. The assessment will be conducted online through assessment providers authorised by SSC.
3. Format of questions will include a variety of styles suitable to the PC being tested, such as multiple choice
questions, fill in the blanks, situational judgment test, simulation and programming test.
4. To pass a QP, a trainee should pass each individual NOS. The standard pass mark for each NOS is 70%.
5. For the latest details on the assessment criteria, please visit www.sscnasscom.com.

Marks Allocation

Each NOS carries 100 marks, split across its performance criteria (PCs). For every PC the columns give:
Total mark | Out of: Theory | Out of: Skills/Practical

1. SSC/N0901 (Contribute to managing information security), NOS marks: 100
PC1. establish your role and responsibilities in contributing to managing information security | 12.5 | 12.5 | 0
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines | 12.5 | 0 | 12.5
PC3. carry out security assessment of information security systems using automated tools | 12.5 | 0 | 12.5
PC4. carry out configuration reviews of information security systems using automated tools, where required | 12.5 | 0 | 12.5
PC5. carry out backups of security devices and applications in line with information security policies, procedures and guidelines, where required | 12.5 | 0 | 12.5
PC6. maintain accurate daily records/logs of information security performance parameters using standard templates and tools | 6.25 | 0 | 6.25
PC7. analyze information security performance metrics to highlight variances and issues for action by appropriate people | 6.25 | 6.25 | 0
PC8. provide inputs to root cause analysis and the resolution of information security issues, where required | 6.25 | 0 | 6.25
PC9. update your organization’s knowledge base promptly and accurately with information security issues and their resolution | 6.25 | 0 | 6.25
PC10. obtain advice and guidance on information security issues from appropriate people, where required | 6.25 | 6.25 | 0
PC11. comply with your organization’s policies, standards, procedures and guidelines when contributing to managing information security | 6.25 | 0 | 6.25
Total | 100 | 25 | 75

2. SSC/N0902 (Co-ordinate responses to information security incidents), NOS marks: 100
PC1. establish your role and responsibilities in co-ordinating responses to information security incidents | 6.25 | 6.25 | 0
PC2. record, classify and prioritize information security incidents using standard templates and tools | 12.5 | 0 | 12.5
PC3. access your organization’s knowledge base for information on previous information security incidents and how these were managed | 6.25 | 0 | 6.25
PC4. assign information security incidents promptly to appropriate people for investigation/action | 6.25 | 0 | 6.25
PC5. liaise with stakeholders to gather, validate and provide information related to information security incidents, where required | 6.25 | 6.25 | 0
PC6. track progress of investigations into information security incidents and escalate to appropriate people where progress does not comply with standards or service level agreements (SLAs) | 12.5 | 0 | 12.5
PC7. prepare accurate preliminary reports on information security incidents using standard templates and tools | 12.5 | 0 | 12.5
PC8. submit preliminary reports promptly to appropriate people for action | 6.25 | 6.25 | 0
PC9. update the status of information security incidents following investigation/action using standard templates and tools | 12.5 | 0 | 12.5
PC10. obtain advice and guidance on co-ordinating information security incidents from appropriate people, where required | 6.25 | 6.25 | 0
PC11. update your organization’s knowledge base promptly and accurately with information security incidents and how they were managed | 6.25 | 0 | 6.25
PC12. comply with your organization’s policies, standards, procedures, guidelines and service level agreements (SLAs) when co-ordinating responses to information security incidents | 6.25 | 0 | 6.25
Total | 100 | 25 | 75

3. SSC/N0903 (Install, configure and troubleshoot information security devices), NOS marks: 100
PC1. identify the information security devices you are required to install/configure/troubleshoot and source relevant instructions and guidelines | 12.5 | 6.25 | 6.25
PC2. identify any issues with instructions and guidelines for installing/configuring information security devices and clarify these with appropriate people | 12.5 | 0 | 12.5
PC3. liaise with stakeholders clearly and promptly regarding the installation/configuration of information security devices | 12.5 | 12.5 | 0
PC4. install/configure information security devices as per instructions and guidelines | 12.5 | 0 | 12.5
PC5. test installed/configured information security devices, following instructions and guidelines | 12.5 | 0 | 12.5
PC6. resolve problems with security devices, following instructions and guidelines | 12.5 | 0 | 12.5
PC7. obtain advice and guidance on installing/configuring/testing/troubleshooting information security devices from appropriate people, where required | 6.25 | 6.25 | 0
PC8. record the installation/configuration/testing/troubleshooting of information security devices promptly using standard templates and tools | 6.25 | 0 | 6.25
PC9. provide reports for troubleshooting, configurations and deployment using standard templates and tools | 6.25 | 0 | 6.25
PC10. comply with your organization’s policies, standards, procedures, guidelines and service level agreements (SLAs) when installing/configuring/troubleshooting information security devices | 6.25 | 0 | 6.25
Total | 100 | 25 | 75

4. SSC/N0904 (Contribute to information security audits), NOS marks: 100
PC1. establish the nature and scope of information security audits and your role and responsibilities within them | 12.5 | 12.5 | 0
PC2. identify the procedures/guidelines/checklists for the audit tasks you are required to carry out | 12.5 | 0 | 12.5
PC3. identify any issues with procedures/guidelines/checklists for carrying out audit tasks and clarify these with appropriate people | 12.5 | 0 | 12.5
PC4. collate information, evidence and artifacts when carrying out audits | 6.25 | 0 | 6.25
PC5. carry out required audit tasks using standard tools and following established procedures/guidelines/checklists | 12.5 | 0 | 12.5
PC6. refer to appropriate people where audit tasks are beyond your levels of knowledge, skills and competence | 12.5 | 12.5 | 0
PC7. record and document audit tasks and audit results using standard tools and templates | 12.5 | 0 | 12.5
PC8. review results of audit tasks with appropriate people and incorporate their inputs | 12.5 | 0 | 12.5
PC9. comply with your organization’s policies, standards, procedures, guidelines and checklists when contributing to information security audits | 6.25 | 0 | 6.25
Total | 100 | 25 | 75

5. SSC/N0905 (Support teams to prepare for and undergo information security audits), NOS marks: 100
PC1. establish the nature and scope of information security audits and your role and responsibilities in preparing for them | 6.25 | 6.25 | 0
PC2. identify the procedures/guidelines/checklists that will be used for information security audits | 12.5 | 0 | 12.5
PC3. identify the requirements of information security audits and prepare for audits in advance | 25 | 12.5 | 12.5
PC4. liaise with appropriate people to gather data/information required for information security audits | 12.5 | 0 | 12.5
PC5. organize data/information required for information security audits using standard templates and tools | 12.5 | 6.25 | 6.25
PC6. provide immediate support to auditors to carry out audit tasks | 12.5 | 0 | 12.5
PC7. participate in audit reviews, as required | 6.25 | 0 | 6.25
PC8. comply with your organization’s policies, standards, procedures, guidelines and checklists when supporting teams to prepare for and undergo information security audits | 12.5 | 0 | 12.5
Total | 100 | 25 | 75

6. SSC/N9001 (Manage your work to meet requirements), NOS marks: 100
PC1. establish and agree your work requirements with appropriate people | 6.25 | 0 | 6.25
PC2. keep your immediate work area clean and tidy | 12.5 | 6.25 | 6.25
PC3. utilize your time effectively | 12.5 | 6.25 | 6.25
PC4. use resources correctly and efficiently | 18.75 | 6.25 | 12.5
PC5. treat confidential information correctly | 6.25 | 0 | 6.25
PC6. work in line with your organization’s policies and procedures | 12.5 | 0 | 12.5
PC7. work within the limits of your job role | 6.25 | 0 | 6.25
PC8. obtain guidance from appropriate people, where necessary | 6.25 | 0 | 6.25
PC9. ensure your work meets the agreed requirements | 18.75 | 6.25 | 12.5
Total | 100 | 25 | 75

7. SSC/N9002 (Work effectively with colleagues), NOS marks: 100
PC1. communicate with colleagues clearly, concisely and accurately | 20 | 0 | 20
PC2. work with colleagues to integrate your work effectively with theirs | 10 | 0 | 10
PC3. pass on essential information to colleagues in line with organizational requirements | 10 | 10 | 0
PC4. work in ways that show respect for colleagues | 20 | 0 | 20
PC5. carry out commitments you have made to colleagues | 10 | 0 | 10
PC6. let colleagues know in good time if you cannot carry out your commitments, explaining the reasons | 10 | 10 | 0
PC7. identify any problems you have working with colleagues and take the initiative to solve these problems | 10 | 0 | 10
PC8. follow the organization’s policies and procedures for working with colleagues | 10 | 0 | 10
Total | 100 | 20 | 80

8. SSC/N9003 (Maintain a healthy, safe and secure working environment), NOS marks: 100
PC1. comply with your organization’s current health, safety and security policies and procedures | 20 | 10 | 10
PC2. report any identified breaches in health, safety, and security policies and procedures to the designated person | 10 | 0 | 10
PC3. identify and correct any hazards that you can deal with safely, competently and within the limits of your authority | 20 | 10 | 10
PC4. report any hazards that you are not competent to deal with to the relevant person in line with organizational procedures and warn other people who may be affected | 10 | 0 | 10
PC5. follow your organization’s emergency procedures promptly, calmly, and efficiently | 20 | 10 | 10
PC6. identify and recommend opportunities for improving health, safety, and security to the designated person | 10 | 0 | 10
PC7. complete any health and safety records legibly and accurately | 10 | 0 | 10
Total | 100 | 30 | 70

9. SSC/N9004 (Provide data/information in standard formats), NOS marks: 100
PC1. establish and agree with appropriate people the data/information you need to provide, the formats in which you need to provide it, and when you need to provide it | 12.5 | 12.5 | 0
PC2. obtain the data/information from reliable sources | 12.5 | 0 | 12.5
PC3. check that the data/information is accurate, complete and up-to-date | 12.5 | 6.25 | 6.25
PC4. obtain advice or guidance from appropriate people where there are problems with the data/information | 6.25 | 0 | 6.25
PC5. carry out rule-based analysis of the data/information, if required | 25 | 0 | 25
PC6. insert the data/information into the agreed formats | 12.5 | 0 | 12.5
PC7. check the accuracy of your work, involving colleagues where required | 6.25 | 0 | 6.25
PC8. report any unresolved anomalies in the data/information to appropriate people | 6.25 | 6.25 | 0
PC9. provide complete, accurate and up-to-date data/information to the appropriate people in the required formats on time | 6.25 | 0 | 6.25
Total | 100 | 25 | 75

10. SSC/N9005 (Develop your knowledge, skills and competence), NOS marks: 100
PC1. obtain advice and guidance from appropriate people to develop your knowledge, skills and competence | 10 | 0 | 10
PC2. identify accurately the knowledge and skills you need for your job role | 10 | 0 | 10
PC3. identify accurately your current level of knowledge, skills and competence and any learning and development needs | 20 | 10 | 10
PC4. agree with appropriate people a plan of learning and development activities to address your learning needs | 10 | 0 | 10
PC5. undertake learning and development activities in line with your plan | 20 | 10 | 10
PC6. apply your new knowledge and skills in the workplace, under supervision | 10 | 0 | 10
PC7. obtain feedback from appropriate people on your knowledge and skills and how effectively you apply them | 10 | 0 | 10
PC8. review your knowledge, skills and competence regularly and take appropriate action | 10 | 0 | 10
Total | 100 | 20 | 80
