
BUET

SECURITY THREAT TO IT SECTOR: ISSUES TO BE ADDRESSED

[2009]

[GROUP-1 CSE A1]


Bangladesh University of Engineering & Technology

A Report on
Security Threat to IT Sector:
Issues to be Addressed

To,
Mr. Mizanur Rahman, Lecturer
Mr. XXXXX YYYYY, abcdef

From,
0805001_________________
0805002_________________
0805003_________________
0805004_________________
0805005_________________
0805006_________________

Level-1 Term-II
Section-A1
Computer Science and Engineering Department
Forwarding letter
December 12, 2009
To
Mr. Mizanur Rahman,
Mr. Xxxxxx Yyyyyyy

Dear Sir,

We feel much delight in putting forward this report on “Security Threat to IT Sector: Issues to
be Addressed”. We believe this is one of the most important and necessary topics in recent
times in the sector of Information Technology. This report can play a significant role in
managing security problems in the growing IT region of our country.

Since the topic is very much related to our educational preference, it gave us much enjoyment
to prepare this report. Though the data collection and the necessary information assortment have
not been easy, we have tried our best to make this statement helpful and public-friendly.

As this is our first authorized report, we believe you will pardon all of our mistakes in this
testimony due to time constraints. We also express regret for any unwilling fault.

At last, we would like to thank you and the BUET authority for providing us such an excellent
experience, which can be very useful in our practical life. If anyone finds this report helpful,
our hard work will have been successful.

0805001,_________
0805002,_________
0805003,_________
0805004,_________
TABLE OF CONTENTS

Forwarding letter
Table of contents
List of illustrations
Summary
1. Introduction
1.1 Authority
1.2 Purpose
1.3 Objective
2. Discussion
2.1 Information Technology Overview
2.2 Security Threats Synopsis
2.2.1 Outsider Threats
2.2.2 Insider Threats
2.2.3 Accidental Threats
2.3 IT Security Principles
2.4 Key to Threat Supervision
3. Conclusion
4. Recommendations
5. Annexure
6. List of References
7. Glossary
LIST OF ILLUSTRATIONS
Summary

Now, more than ever, IT security is a critical element in the system life-cycle. Security must be
incorporated and addressed from the initial planning and design phases to disposal of the system.
Without proper attention to security, an organization’s information technology can become a
source of significant mission risks. With careful planning from the earliest stages, however,
security becomes an enabler, supporting and helping to achieve the organization’s mission.
As security awareness becomes a way of life within an organization, people at all levels, and
roles in the system life-cycle, should have access to easily understood guidance. From users to
system administrators and program managers, everyone should have a basic understanding of the
security principles governing the system they are using, maintaining, or designing and
developing.
This document provides a starting point. The principles contained herein are derived from a
number of national and international documents, as well as from the experience of the scientists
at BUET. It is hoped that these principles will contribute to improved IT security in any
organization.
1. INTRODUCTION

Every organization has a mission. In this digital era, as organizations use automated information
technology (IT) systems to process their information for better support of their missions, risk
management plays a critical role in protecting an organization’s information assets, and therefore
its mission, from IT-related threats.
An effective threat management process is an important component of a successful IT security
program. The principal goal of an organization’s threat supervision process should be to protect
the organization and its ability to perform its mission, not just its IT assets. Therefore, the
threat management process should not be treated primarily as a technical function carried out by
the IT experts who operate and manage the IT system, but as an essential management function
of the organization.

1.1 AUTHORITY

These guidelines are for use by anyone who wants to work within any field of the IT sector
and can prove helpful for any workgroup performing IT-related jobs. Though the report has been
finalized with care, the guidelines herein are not mandatory or binding
standards. This document may be used by non-governmental organizations on a voluntary basis.

1.2 PURPOSE

Risk is the net negative impact of the exercise of a vulnerability, considering both the probability
and the impact of occurrence. Risk management is the process of identifying risk, assessing risk,
and taking steps to reduce risk to an acceptable level. This guide provides a foundation for the
development of an effective risk management program, containing both the definitions and the
practical guidance necessary for assessing and mitigating risks identified within IT systems. The
ultimate goal is to help organizations better manage IT-related mission threats.

In addition, this guide provides information on the selection of cost-effective security controls.
These controls can be used to mitigate risk for the better protection of mission-critical
information and the IT systems that process, store, and carry this information.
Organizations may choose to expand or abbreviate the comprehensive processes and steps
suggested in this guide and tailor them to their environment in managing IT-related mission
risks.

1.3 OBJECTIVE

The objective of performing risk management is to enable the organization to accomplish its
mission(s) (1) by better securing the IT systems that store, process, or transmit organizational
information; (2) by enabling management to make well-informed risk management decisions to
justify the expenditures that are part of an IT budget; and (3) by assisting management in
authorizing (or accrediting) the IT systems on the basis of the supporting documentation
resulting from the performance of risk management.
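As an added worked example (not part of the original report), the following Python script carries the risk management process of sections 1.2 and 1.3 through a small risk register: identify threats, assess them on a likelihood and impact scale, and select the lowest-cost set of controls that reduces each risk to an acceptable level, which is the cost-versus-risk trade-off later named in Principles 4 and 6 of section 2.3. The threat categories follow the taxonomy of section 2.2; every threat name, rating, control and cost figure is a constructed illustration, not data from any real organization.

```python
"""Qualitative risk register: identify, assess, and reduce risk to an
acceptable level, choosing controls by cost (sections 1.2/1.3 of the report).

Added example; every threat, rating and cost below is a constructed
illustration, not data from any real organisation.
"""
from dataclasses import dataclass, field
from itertools import combinations

# Ordinal scales, 1 = low, 2 = medium, 3 = high. Risk score = likelihood x impact.
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass(frozen=True)
class Control:
    name: str
    cost: int                 # constructed relative cost units
    likelihood_drop: int = 0  # scale steps the control removes from likelihood
    impact_drop: int = 0      # scale steps the control removes from impact


@dataclass
class Risk:
    threat: str
    category: str             # outsider / insider / accidental, as in section 2.2
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)  # candidate controls

    def score(self, applied=()):
        """Likelihood x impact after the given controls; neither drops below 1."""
        l = max(1, self.likelihood - sum(c.likelihood_drop for c in applied))
        i = max(1, self.impact - sum(c.impact_drop for c in applied))
        return l * i


def risk_level(score):
    """Map a 1..9 score onto the usual three-band rating."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def cheapest_acceptable(risk, acceptable=2):
    """Lowest-cost subset of the risk's controls whose residual score is
    <= acceptable (Principle 6: trade risk reduction against cost).
    Returns None when no subset reaches the acceptable level."""
    best = None
    for n in range(len(risk.controls) + 1):
        for combo in combinations(risk.controls, n):
            if risk.score(combo) <= acceptable:
                cost = sum(c.cost for c in combo)
                if best is None or cost < best[0]:
                    best = (cost, combo)
    return None if best is None else list(best[1])


def plan(register, acceptable=2):
    """Treatment plan per threat: inherent score/level, chosen controls,
    residual score and total cost. 'controls' is None when the risk must be
    accepted or escalated because no listed control set suffices."""
    out = {}
    for r in register:
        chosen = cheapest_acceptable(r, acceptable)
        out[r.threat] = {
            "category": r.category,
            "inherent": r.score(),
            "level": risk_level(r.score()),
            "controls": None if chosen is None else [c.name for c in chosen],
            "residual": r.score(chosen or ()),
            "cost": 0 if chosen is None else sum(c.cost for c in chosen),
        }
    return out


# Constructed controls (shared between risks where they apply).
MAIL_FILTER = Control("Mail filtering and anti-malware", cost=3, likelihood_drop=1)
LEAST_PRIV = Control("Least-privilege user accounts", cost=2, impact_drop=1)
BACKUPS = Control("Tested offline backups", cost=4, impact_drop=2)
ACCESS_REVIEW = Control("Segregation of duties and access review", cost=2, likelihood_drop=1)
REVOCATION = Control("Prompt access revocation on departure", cost=1, likelihood_drop=1)
BASELINE = Control("Configuration baseline and peer review", cost=2, likelihood_drop=1)
ENCRYPTION = Control("Encryption of stored data", cost=3, impact_drop=1)

# Constructed register following the threat taxonomy of section 2.2.
REGISTER = [
    Risk("Malicious code delivered by e-mail", "outsider", HIGH, HIGH,
         [MAIL_FILTER, LEAST_PRIV, BACKUPS]),
    Risk("Disgruntled employee sabotages systems", "insider", MEDIUM, HIGH,
         [ACCESS_REVIEW, BACKUPS, REVOCATION]),
    Risk("Misconfigured server exposes data", "accidental", MEDIUM, MEDIUM,
         [BASELINE, ENCRYPTION]),
    Risk("Natural catastrophe destroys equipment", "accidental", LOW, HIGH),
]

if __name__ == "__main__":
    for threat, row in plan(REGISTER).items():
        print(f"{threat}: inherent {row['inherent']} ({row['level']}), "
              f"controls {row['controls']}, residual {row['residual']}, cost {row['cost']}")
```

The exhaustive subset search is fine for the handful of controls a single risk usually has; its point is that the cheapest single control is not always the answer (the e-mail malware risk needs two controls, while for the insider risk backups alone suffice), and that a risk with no sufficient control set is reported explicitly rather than silently left at its inherent level, so management can decide to accept or escalate it.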
2. DISCUSSION

Before describing security threats to Information Technology, Information Technology itself
should be defined carefully. That is why this definition is given first, followed by the real
condition of emerging threats to the security order of the IT sector.

2.1 Information Technology Overview

Information Technology (IT), as defined by the Information Technology Association of
America (ITAA), is "the study, design, development, implementation, support or
management of computer-based information systems, particularly software applications
and computer hardware." IT deals with the use of electronic computers and computer software
to convert, store, protect, process, transmit, and securely retrieve information. Today, the term
information technology has ballooned to encompass many aspects of computing and technology, and the
term has become very recognizable. IT professionals perform a variety of duties that range from
installing applications to designing complex computer networks and information databases. A
few of the duties that IT professionals perform may include data management, networking,
engineering computer hardware, database and software design, as well as the management and
administration of entire systems. When computer and communications technologies are
combined, the result is information technology, or "InfoTech". Information technology is a
general term that describes any technology that helps to produce, manipulate, store,
communicate, and/or disseminate information. When speaking of Information
Technology (IT) as a whole, the use of computers and the use of information are closely associated.

Figure: Information technology spreading in 2008

2.2 Security Threats Synopsis

This synopsis covers the kinds of modern threats that have emerged in this era. Threats can be both
physical and environmental. Security threats arise almost daily, and an aware
administrator needs to understand the types of risks and be able to respond quickly and
appropriately. This paper discusses the basics of different security and network threats and
discusses new ways to mitigate changing threats against today’s networks.

2.2.1 Outsider Threats

Hackers:
- a cracker, who accesses a computer system by circumventing its security controls.
- one who shares the anti-authoritarian approach to software development now associated with
the free software movement.
- one who makes innovative customizations or combinations of retail electronic and computer
equipment.
Script kiddies:
- a derogatory term for those who use scripts or programs developed by
others to attack computer systems and networks.
- typically juveniles who lack the ability to write sophisticated hacking programs or exploits on
their own, and whose objective is to impress their friends or gain credit in
computer-enthusiast communities.
Malicious code:
- software designed to infiltrate or damage a computer system without the owner's informed
consent.
Hacktivists:
- the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political
ends. These tools include web site defacements, redirects, denial-of-service attacks,
information theft, web site parodies, virtual sit-ins, virtual sabotage, and software
development.

2.2.2 Insider Threats

Disgruntled employee:
- a displeased worker who is dissatisfied with his IT firm and consequently sabotages the
computer systems in his charge, creating security threats.
Subverted employee:
- a worker who joined his workplace in order to cause sabotage, for example because of a
commercial fight between two financial giants.

2.2.3 Accidental Threats

Natural:
- threats to IT arising from a sudden natural catastrophe.

Misconfiguration:
- the consequence of misunderstanding among IT associates, resulting in a big problem for the IT
sector.
2.3 IT Security Principles

To aid in designing a secure information system, BUET compiled a set of engineering principles
for system security. These principles provide a foundation upon which a more consistent and
structured approach to the design, development, and implementation of IT security capabilities
can be constructed.

Principle 1 Establish a sound security policy as the “foundation” for design.

Principle 2 Treat security as an integral part of the overall system design.

Principle 3 Clearly delineate the physical and logical security boundaries governed
by associated security policies.

Principle 4 Reduce risk to an acceptable level.

Principle 5 Assume that external systems are insecure.

Principle 6 Identify potential trade-offs between reducing risk and increased costs
and decrease in other aspects of operational effectiveness.

Principle 7 Implement layered security (Ensure no single point of vulnerability).

Principle 8 Implement tailored system security measures to meet organizational
security goals.

Principle 9 Strive for simplicity.

Principle 10 Design and operate an IT system to limit vulnerability and to be resilient
in response.
2.4 Key to Threat Supervision

• Information Security Governance

Establish and maintain a framework to provide assurance that information security
strategies are aligned with business objectives and consistent with applicable laws and
regulations.

Figure: "ALL THE TIME! EVERYWHERE IN THE ORGANIZATION!"

• Steps to IT Governance

Develop the information security strategy in support of business strategy and direction.

Obtain senior management commitment and support for information security
throughout the enterprise.

Ensure that definitions of roles and responsibilities throughout the enterprise include
information security governance activities.

Establish reporting and communication channels that support information security
governance activities.

Identify current and potential legal and regulatory issues affecting information security
and assess their impact on the enterprise.

Establish and maintain information security policies that support business goals and
objectives.

Ensure the development of procedures and guidelines that support information security
policies.

Develop business cases and enterprise value analyses that support information security
program investments.

• Incident management

Incident/event response

Reporting and tracking

Impact analysis

Vulnerability remediation

• Security architecture

Countermeasure selection

Security technology and process improvement

Secure requirements allocation

Test, evaluation, and piloting


3. CONCLUSION

It is much more effective to address security with a sound proactive strategy than with a
reactive and uncoordinated approach. A strategic methodology allows anyone to control security
at the business level and at every area of vulnerability. This layered approach to security
implementation provides a technique for each area of security in the IT sector. That is why an IT
security team can pick and choose which layers to concentrate on for particular production needs.
One can effectively prioritize specific areas for immediate action, and then easily add security
mechanisms at any layer at any time as demands change and security assessments dictate.

At last we should say that it is still possible for us to defend against the emerging threats by
being a little more aware. Just as the picture above shows, evil is still quite far away from us.
4. RECOMMENDATIONS

In this chapter we set out our recommendations in full, grouped under several headings.

The Internet and Personal Security

We recommend that the Government should establish a cross-departmental group bringing in
experts from industry and academia, to develop a more coordinated approach to data collection
in future. This should include a classification scheme for recording the incidence of all forms of
e-crime. Research into IT security in the present world is high in quality but limited in quantity.
More support for research is needed—above all, from industry.

Appliances and applications

The IT industry has not historically made security a priority. This is gradually changing—but
more radical and rapid change is needed if the industry is to keep pace with the ingenuity of
criminals and avoid a disastrous loss of confidence in the Internet.

Using the Internet: businesses

The steps currently being taken by many businesses trading over the Internet to protect their
customers’ personal information are inadequate. The refusal of the financial services sector in
particular to accept responsibility for the security of personal information is disturbing, and is
compounded by apparent indifference at Government level. Governments and legislators are
not in a position to prescribe the security precautions that should be taken; however, they do have
a responsibility to ensure that the right incentives are in place to persuade businesses to take the
necessary steps to act proportionately to protect personal data. We therefore recommend that the
Government introduce legislation, consistent with the principles enshrined in common law and,
with regard to cheques, in the Bills of Exchange Act 1882, to establish the principle that banks
should be held liable for losses incurred as a result of electronic fraud.
Policing the Internet

We recommend that the Government introduce amendments to the criminal law, explicitly to
criminalize the sale or purchase of the services of a botnet, regardless of the use to which it is
put.
5. ANNEXURE
6. LIST OF REFERENCES
7. GLOSSARY
Access control: Enabling authorized use of a resource while preventing unauthorized use or
use in an unauthorized manner.

Authentication: Verifying the identity of a user, process, or device, often as a prerequisite
to allowing access to resources in a system.

Confidentiality: The security goal that generates the requirement for protection from intentional
or accidental attempts to perform unauthorized data reads. Confidentiality covers data in storage,
during processing, and while in transit.
Data integrity: The property that data has not been altered in an unauthorized manner. Data
integrity covers data in storage, during processing, and while in transit.
IT security architecture: A description of security principles and an overall approach for
complying with the principles that drive the system design; i.e., guidelines on the placement and
implementation of specific security services within various distributed computing environments.
Security domain: A set of subjects, their information objects, and a common security policy.

Threat: Any circumstance or event with the potential to harm an information system through
unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
Threats arise from human actions and natural events.
Threat source: Either (1) intent and method targeted at the intentional exploitation of a
vulnerability or (2) the situation and method that may accidentally trigger a vulnerability.
Threat analysis: The examination of threat sources against system vulnerabilities to determine
the threats for a particular system in a particular operational environment.
Vulnerability: A weakness in system security requirements, design, implementation, or
operation, that could be accidentally triggered or intentionally exploited and result in a violation
of the system’s security policy.
