SECURITY THREAT TO IT SECTOR: ISSUES TO BE ADDRESSED
[2009]
A Report on
Security Threat to IT Sector:
Issues to be Addressed
To,
Mr. Mizanur Rahman, Lecturer
Mr. XXXXX YYYYY, abcdef
From,
0805001_________________
0805002_________________
0805003_________________
0805004_________________
0805005_________________
0805006_________________
Level-1 Term-II
Section-A1
Computer Science and Engineering Department
Forwarding letter
December 12, 2009
To
Mr. Mizanur Rahman,
Mr. Xxxxxx Yyyyyyy
Dear Sir,
We feel much delight in putting forward this report on “Security Threat to IT Sector: Issues to
be Addressed”. We believe this is one of the most important and necessary topics in recent
times in the sector of Information Technology. This report can play a significant role in
managing security problems in the increasing IT region of our country.
Since the topic is very much related to our educational preference, it generated lots of enjoyment
to prepare this report. Though the data collection and the necessary information assortment have
not been too easy to do, we have tried our best to make this statement helpful and
public-friendly.
As this is our first authorized report, we believe you will pardon all of our mistakes in this
testimony due to time constraints. We also express regret for any unwilling fault.
At last, we would like to thank you and the BUET authority for providing us such an excellent
experience, which can be very useful in our practical life. If anyone finds this report helpful,
our hard work will have been successful.
0805001,_________
0805002,_________
0805003,_________
0805004,_________
TABLE OF CONTENTS
Forwarding letter
Table of contents
List of illustrations
Summary
1. Introduction
1.1 Authority
1.2 Purpose
1.3 Objective
2. Discussion
2.1 Information Technology Overview
2.2 Security Threats Synopsis
2.2.1 Outsider Threats
2.2.2 Insider Threats
2.2.3 Accidental Threats
2.3 IT Security Principles
2.4 Key to Threat Supervision
3. Conclusion
4. Recommendations
5. Annexure
6. List of References
7. Glossary
LIST OF ILLUSTRATIONS
Summary
Now, more than ever, IT security is a critical element in the system life-cycle. Security must be
incorporated and addressed from the initial planning and design phases to disposal of the system.
Without proper attention to security, an organization’s information technology can become a
source of significant mission risks. With careful planning from the earliest stages, however,
security becomes an enabler, supporting and helping to achieve the organization’s mission.
As security awareness becomes a way of life within an organization, people at all levels and in all
roles in the system life-cycle should have access to easily understood guidance. From users to
system administrators and program managers, everyone should have a basic understanding of the
security principles governing the system they are using, maintaining, or designing and
developing.
This document provides a starting point. The principles contained herein are derived from a
number of national and international documents, as well as from the experience of the scientists
at BUET. It is hoped that these principles will contribute to improved IT security in any
organization.
1. INTRODUCTION
Every organization has a mission. In this digital era, as organizations use automated information
technology (IT) systems to process their information for better support of their missions, risk
management plays a critical role in protecting an organization’s information assets, and therefore
its mission, from IT-related threats.
An effective threat management process is an important component of a successful IT security
program. The principal goal of an organization’s threat supervision process should be to protect
the organization and its ability to perform its mission, not just its IT assets. Therefore, the
threat management process should not be treated primarily as a technical function carried out by
the IT experts who operate and manage the IT system, but as an essential management function
of the organization.
1.1 AUTHORITY
These guidelines are for use by anyone who wants to work within any field of the IT sector
and can prove helpful for any workgroup engaged in IT-related jobs. Though the report has been
finalized with care, the guidelines herein are not mandatory or binding
standards. This document may be used by non-governmental organizations on a voluntary basis.
1.2 PURPOSE
Risk is the net negative impact of the exercise of a vulnerability, considering both the probability
and the impact of its occurrence. Risk management is the process of identifying risk, assessing risk,
and taking steps to reduce risk to an acceptable level. This guide provides a foundation for the
development of an effective risk management program, containing both the definitions and the
practical guidance necessary for assessing and mitigating risks identified within IT systems. The
ultimate goal is to help organizations better manage IT-related mission threats.
In addition, this guide provides information on the selection of cost-effective security controls.
These controls can be used to mitigate risk for the better protection of mission-critical
information and the IT systems that process, store, and carry this information.
Organizations may choose to expand or abbreviate the comprehensive processes and steps
suggested in this guide and tailor them to their environment in managing IT-related mission
risks.
1.3 OBJECTIVE
The objective of performing risk management is to enable the organization to accomplish its
mission(s) (1) by better securing the IT systems that store, process, or transmit organizational
information; (2) by enabling management to make well-informed risk management decisions to
justify the expenditures that are part of an IT budget; and (3) by assisting management in
authorizing (or accrediting) the IT systems on the basis of the supporting documentation
resulting from the performance of risk management.
2. DISCUSSION
This synopsis covers the kinds of modern threats that have emerged in this era. Threats can be both
physical and environmental. Security threats arise almost on a daily basis, and an aware
administrator needs to understand the types of risk and be able to respond quickly and
appropriately. This section discusses the basics of different security and network threats and
new ways to mitigate changing threats against today’s networks.
Hackers:
- a cracker, who accesses a computer system by circumventing its security system;
- one who shares an anti-authoritarian approach to software development, now associated with
the free software movement;
- one who makes innovative customizations or combinations of retail electronic and computer
equipment.
Script kiddies:
- a derogatory term for those who use scripts or programs developed by others to attack
computer systems and networks;
- typically juveniles who lack the ability to write sophisticated hacking programs or exploits on
their own, and whose objective is to impress their friends or gain credit in
computer-enthusiast communities.
Malicious code:
- software designed to infiltrate or damage a computer system without the owner's informed
consent.
Hacktivists:
- the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political
ends. These tools include web site defacements, redirects, denial-of-service attacks,
information theft, web site parodies, virtual sit-ins, virtual sabotage, and software
development.
Disgruntled employee:
- a displeased worker who was not satisfied by his IT firm and consequently sabotages his
computer unit, creating security threats.
Subverted employee:
- a worker who joined his workplace in order to cause sabotage because of a commercial fight
between two financial giants.
Natural:
Misconfiguration:
To aid in designing a secure information system, BUET compiled a set of engineering principles
for system security. These principles provide a foundation upon which a more consistent and
can be constructed.
Principle 3: Clearly delineate the physical and logical security boundaries governed by
associated security policies.
Principle 6: Identify potential trade-offs between reducing risk and increased costs and
decrease in other aspects of operational effectiveness.
Figure: steps to IT governance, incident management, and security architecture.
• Steps to IT Governance
- Develop the information security strategy in support of business strategy and direction.
- Ensure that definitions of roles and responsibilities throughout the enterprise include
information security governance activities.
- Establish and maintain information security policies that support business goals and
objectives.
- Ensure the development of procedures and guidelines that support information security
policies.
- Develop business case and enterprise value analysis that support information security
program investments.
• Incident management
- Incident/event response
- Impact analysis
- Vulnerability remediation
• Security architecture
- Countermeasure selection
It is much more effective to address security with a sound proactive strategy than with a
reactive and uncoordinated approach. A strategic methodology allows an organization to control security
at the business level and at every area of vulnerability. This layered security implementation
provides a technique for each area of security in the IT sector, so that the IT security team can pick
and choose which layers to concentrate on for particular production needs. One can effectively
prioritize specific areas for immediate action, and then add security mechanisms at any
layer at any time as requirements change and the security assessment dictates.
In this chapter we set out our recommendations in full, discussed under several headings.
The IT industry has not historically made security a priority. This is gradually changing—but
more radical and rapid change is needed if the industry is to keep pace with the ingenuity of
criminals and avoid a disastrous loss of confidence in the Internet.
The steps currently being taken by many businesses trading over the Internet to protect their
customers’ personal information are inadequate. The refusal of the financial services sector in
particular to accept responsibility for the security of personal information is disturbing, and is
compounded by apparent indifference at Government level. Governments and legislators are
not in a position to prescribe the security precautions that should be taken; however, they do have
a responsibility to ensure that the right incentives are in place to persuade businesses to take the
necessary steps to act proportionately to protect personal data. We therefore recommend that the
Government introduce legislation, consistent with the principles enshrined in common law and,
with regard to cheques, in the Bills of Exchange Act 1882, to establish the principle that banks
should be held liable for losses incurred as a result of electronic fraud.
Policing the Internet
We recommend that the Government introduce amendments to the criminal law, explicitly to
criminalize the sale or purchase of the services of a botnet, regardless of the use to which it is
put.
5. ANNEXURE
6. LIST OF REFERENCES
7. GLOSSARY
Access control: Enabling authorized use of a resource while preventing unauthorized use or
use in an unauthorized manner.
Confidentiality: The security goal that generates the requirement for protection from intentional
or accidental attempts to perform unauthorized data reads. Confidentiality covers data in storage,
during processing, and while in transit.
Data integrity: The property that data has not been altered in an unauthorized manner. Data
integrity covers data in storage, during processing, and while in transit.
IT security architecture: A description of security principles and an overall approach for
complying with the principles that drive the system design; i.e., guidelines on the placement and
implementation of specific security services within various distributed computing environments.
Security domain: A set of subjects, their information objects, and a common security policy.
Threat: Any circumstance or event with the potential to harm an information system through
unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
Threats arise from human actions and natural events.
Threat source: Either (1) intent and method targeted at the intentional exploitation of a
vulnerability or (2) the situation and method that may accidentally trigger a vulnerability.
Threat analysis: The examination of threat sources against system vulnerabilities to determine
the threats for a particular system in a particular operational environment.
Vulnerability: A weakness in system security requirements, design, implementation, or
operation, that could be accidentally triggered or intentionally exploited and result in a violation
of the system’s security policy.