
CIM 3562 Laws, Investigations & Ethical Issues in Security


1 CIM 3562 Laws, Investigations & Ethical Issues in Security
Chapter 3 : Information Security, Management & Incident Handling
Major Source : infosec.gov.hk/

2 3.1 What is Information Security ?
Information is an asset to individuals and businesses. Information Security refers to the protection of these assets in order to achieve “C-I-A”:
Confidentiality (保密)
Integrity (誠信)
Availability (可用性)

3 3.1 What is Information Security ?
Confidentiality – protecting information from being disclosed to unauthorized parties.
E.g. (Personal) When submitted to a website, your personal data should only be used or accessed exclusively by designated staff in that company for the purposes agreed. No one else should be allowed to use your data for illegal purposes, or view the data out of curiosity.
E.g. (Business) Sensitive information, such as sales figures or client data, should only be accessed by authorized persons such as senior management and the sales team, and not by other operations or departments.

4 3.1 What is Information Security ?
Integrity – protecting information from being changed by unauthorized parties.
E.g. (Personal) When submitted to a website, your personal data should not be altered in any way during data transmission, or by the website company.
E.g. (Business) Important documents or figures should not be changed or altered by unauthorized persons without prior notice.

5 3.1 What is Information Security ?
Availability – ensuring that information is available to authorized parties when they request it.
E.g. (Personal) You should be able to access and check your personal data kept on a website at any time.
E.g. (Business) Authorized senior management personnel should be able to access sales figures when needed; or clients should be able to access any of their data kept by the company when they request it.

6 3.2 Why does Information Security concern me/ company ?
Information Security concerns everybody, because each one of us is exposed to information security risks every time we go online. Evaluate the following statements for your company:
My company is confident that our web server is located in a safe place and managed by well-trained people;
My company has a clear policy on who is allowed to access what kinds of information;
My company has designated personnel for information security, upgrades, backups and maintenance;

7 3.2 Why does Information security concern me/ company ?
Evaluate the following statements for your company:
My company uses security tools such as firewalls and encryption;
My company has plans for emergency response and disaster recovery, and these plans are regularly reviewed.
If you answered “no” to any of these questions, then information security in your company may have a number of security “holes” that may be vulnerable to threats.

8 3.2 Why does Information Security concern me/ company ?
Examples of threats and the related security concerns:
Denial of service attack – availability
Power supply failure – availability
Malicious code infection – confidentiality, integrity, availability
Theft and fraud – confidentiality, availability
Website intrusion – confidentiality, integrity, availability
Unauthorized data access – confidentiality, integrity

9 3.3 Information Security in Electronic Services
What are Electronic Services? Electronic Services (e-Services) are the attainment and delivery of services through electronic media. E-commerce is also put under this category. It means using electronic communications to transact, without a face-to-face meeting between the two parties of the transaction. Activities include:
Registering for a user identity, e.g. membership application;
Updating user information, e.g. new address;
Updating user status, e.g. credit card account balance;
Submitting an application, e.g. driving licence.

10 3.3 Information Security in Electronic Services
Activities include:
Placing an order/instruction, e.g. buying and selling of stocks and funds;
Making a payment transaction, e.g. card payment;
Searching for information, e.g. business matching;
Exchanging information, e.g. chat-room;
Receiving information and services, e.g. education programme notes;
Making an enquiry, e.g. shipping schedule;
Conducting a survey, etc.

11 3.3 Information Security in Electronic Services
Who is involved?
Individuals, including consumers and citizens
Businesses, including public organizations
Government
How are they involved?
Business-to-consumer (B2C)
Business-to-business (B2B)
Government-to-citizen (G2C)
Government-to-business (G2B)

12 3.3 Information Security in Electronic Services
Security tools for electronic services
To protect the interests of businesses and consumers, it is to their own advantage that security tools are employed.
Secure Sockets Layer (SSL) - encrypting and authenticating every message in the transaction, thus preventing packet sniffing. Related technologies and implementations:
Transport Layer Security (TLS);
OpenSSL;
Network Security Services (NSS).
Secure Electronic Transaction (SET) - a method jointly developed by VISA and MasterCard to secure payment card transactions over open networks. It uses cryptography to ensure data confidentiality, payment integrity and authentication of merchants and cardholders.

13 3.3 Information Security in Electronic Services
Security tools for electronic services
Public Key Infrastructure (PKI) and Digital Certificates
- PKI provides a secure and trusted environment for conducting electronic transactions. It covers the use of public key cryptography in the authentication and access control of a user, guaranteeing the confidentiality, integrity and non-repudiation of data.
- PKI provides a pair of keys for each user: a private key which is known only to the user himself, and a public key which is published by a Certificate Authority by means of a digital certificate.

14 3.3 Information Security in Electronic Services : Concerns related to online payment
Participants and their concerns
Cardholder: the person who uses a credit card or debit card to purchase goods or services online. Concerns: that he is dealing with a legitimate merchant; that he will not be charged for unauthorized goods and services; that he will not be charged more than the agreed price for authorized transactions.
Merchant: the organization that sells goods or services. Concerns: that after accepting a transaction, he will be paid; that the customer is authorized to pay the agreed price.

15 3.3 Information Security in Electronic Services : Concerns related to online payment
Participants and their concerns
Issuing bank: the financial institution that established an account for the cardholder and issues the bankcard. Concern: that a legitimate cardholder authorizes every transaction.
Acquiring bank: the financial institution that establishes an account with the merchant and processes bankcard authorizations and payments. Concern: that a legitimate cardholder authorizes all payments made to legitimate merchants.

16 3.3 Information Security in Electronic Services :
There are existing laws and guidelines that govern the services and businesses conducted on the Internet, which both users and service providers of Electronic Services should observe and take notice of. Users -- understanding one’s own rights is the first step to protecting oneself in e-Service activities:

17 3.3 Information Security in Electronic Services : (Users)
Consumer protection principles in e-Commerce – a checklist of how to select a safe website, by the Consumer Council
Privacy – information on privacy law and individuals’ rights from the Office of the Privacy Commissioner for Personal Data
Telecommunications consumer interest – the Office of the Telecommunications Authority provides information on telecommunications consumer rights, such as spam
Internet banking – keeping your money safe (leaflet)
Other available public services

18 3.3 Information Security in Electronic Services : (Service Provider)
Service providers must observe and follow the ordinances and guidelines relevant to their own industry sector: general, banking, financial services, insurance, telecommunications.
General
Electronic Transactions Ordinance
Major principles in the OECD Guidelines for Consumer Protection in the Context of Electronic Commerce
A Guide to Personal Data Privacy and Consumer Protection on the Internet
E-Privacy: A Policy Approach to Building Trust and Confidence in e-Business
Preparing On-line Personal Information Collection Statements and Privacy Policy Statements

19 3.3 Information Security in Electronic Services : (Service Provider)
Banking
The Hong Kong Monetary Authority provides clear guidelines on e-banking:
Guidelines & Circulars
- No Electronic Banking (Jul 1997)
- No Security of Banking Transactions over the Internet
- No Basel Committee on Banking Supervision’s Paper on “Risk Management for E-banking & electronic money activities”
- No Public Key Infrastructure and Legal Environment for Development of Internet Banking
- Chapter 9 of Guide to Authorization
- Guideline Note on Management of Security Risks in Electronic Banking Services
- Guideline Note on Independent Assessment of Security Aspects of Transactional E-banking Services

20 3.3 Information Security in Electronic Services : (Service Provider)
Financial Services
The Securities & Futures Commission offers guidelines on using the Internet for financial services:
- Guidance Note on Internet Regulations
- Circular on Provision of Financial Information on the Internet – Licensing Requirement
- Guidance Note on the Application of the Electronic Transactions Ordinance to Contract Notes
- General Circular to All Registered and Licensed Firms on Internet Trading and Advising
- Guidelines for Registered Persons Using the Internet to Collect Applications for Securities in an Initial Public Offering

21 3.3 Information Security in Electronic Services : (Service Provider)
Insurance
Guidance Note on the Use of Internet for Insurance Activities in Hong Kong - concerning various issues regarding the use of the Internet for insurance activities, such as system security, data integrity, privacy of client information and online sales of insurance products.
Telecommunications
Code of Practice on Protection of Consumer Information for Fixed and Mobile Service Operators - to ensure that data relating to customers are properly protected from misuse.

22 3.4 Information Security for IT Professionals
3.4.1 Web Application Security
Today’s traditional network security measures may not be sufficient to safeguard web applications from new threats, since attacks now specifically target security flaws in the design of web applications.
Common Vulnerabilities in Web Applications
Behavior of Web Attacks
Best Practices in Corporate Deployment of Wireless Networks
Administrative Measures for Securing Web Applications
Technical Measures for Securing Web Applications

23 3.4.1 Web Application Security
Common Vulnerabilities in Web Applications
The Open Web Application Security Project (OWASP) is a worldwide volunteer community aimed at making web application security “visible”, so that people and organizations can make informed decisions about application security risks. OWASP has listed the 10 most critical web application security flaws:
1. Cross-Site Scripting (XSS)
The potential threat of XSS is that it allows the execution of scripts in the victim’s browser that could hijack user sessions, deface web sites, and possibly introduce worms, etc. This flaw is caused by improper validation of user-supplied data: the application takes that data and sends it to a web browser without first validating or encoding the content.

24 3.4.1 Web Application Security
2. Injection Flaws
The potential threat from this flaw is that an attacker could trick the application into executing unintended commands or into changing system data. Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query.
3. Malicious File Execution
The potential threat to code vulnerable to remote file inclusion (RFI) is that it could allow attackers the opportunity to include hostile code and data, resulting in devastating attacks, such as a total compromise of the server. Malicious file execution attacks can affect PHP, XML and any framework that accepts filenames or files from users.
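The two mechanisms just described, data reaching an interpreter as part of a command (injection) and data reaching a browser without encoding (XSS), are easiest to see side by side. The following is an added example written for this chapter, not code from the slides or from infosec.gov.hk: a small in-memory SQLite table and a greeting page stand in for a web application, and the inputs are constructed to show the difference between the vulnerable and the hardened form of each function.

```python
import html
import re
import sqlite3


# Constructed in-memory table standing in for a web application's user store.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# Injection flaw: user-supplied data is spliced into the query text, so the SQL
# interpreter receives it as part of the command rather than as a value.
def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# Hardened form: a parameterised query keeps the data out of the command text;
# whatever the caller passes is compared as a string value, never parsed as SQL.
def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# XSS flaw: user data is sent to the browser without validation or encoding,
# so any markup it contains is interpreted as part of the page.
def render_greeting_vulnerable(name: str) -> str:
    return "<p>Hello, " + name + "</p>"


# Input validation at the point where a username is accepted: an allow-list of
# the characters a name may contain, rather than a block-list of bad ones.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None


# Output encoding for the HTML context: even data that slipped past validation
# (or came from another source) is displayed as text, not interpreted as markup.
def render_greeting_safe(name: str) -> str:
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo() -> dict:
    conn = setup_db()
    probe = "' OR '1'='1"                      # constructed injection-style input
    markup = "<script>alert('xss')</script>"   # constructed script-bearing input
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, probe)),  # every user
        "safe_rows": len(find_user_safe(conn, probe)),              # no such name
        "markup_passes_validation": is_valid_username(markup),
        "vulnerable_html": render_greeting_vulnerable(markup),
        "safe_html": render_greeting_safe(markup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable query returns both rows for the constructed input because the interpreter sees `WHERE name = '' OR '1'='1'`; the parameterised form returns nothing because it compares the whole string as a name. Likewise the encoded greeting contains `&lt;script&gt;` rather than a script element. Validation and encoding are complementary: validation rejects input that can never be a username, encoding protects the page regardless of where the data came from.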

25 3.4.1 Web Application Security
4. Insecure Direct Object Reference
The potential threat here is that attackers could manipulate those references to access other objects without authorization. A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.
5. Cross-Site Request Forgery (CSRF)
The potential threat from this flaw is that it might force a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim’s browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

26 3.4.1 Web Application Security
6. Information Leakage and Improper Error Handling
The potential threat from this flaw is that attackers can use this weakness to steal sensitive data or conduct more serious attacks. Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems.
7. Broken Authentication and Session Management
The potential threat here is that attackers might compromise passwords, keys, or authentication tokens in order to assume the identity of other users. This flaw is caused when account credentials and session tokens are not properly protected.

27 3.4.1 Web Application Security
8. Insecure Cryptographic Storage
This potential threat comes when attackers use poorly protected data to conduct identity theft and other crimes, such as credit card fraud. This flaw is due to web applications not making proper use of cryptographic functions to protect data and credentials.
9. Insecure Communications
This flaw comes from the possible leakage of sensitive information over the network communication infrastructure. It is caused by a failure to encrypt network traffic when necessary to protect sensitive communications.

28 3.4.1 Web Application Security
10. Failure to Restrict URL Access
This flaw gives attackers the opportunity to access and perform unauthorized operations by requesting those URLs directly. It is caused by applications that protect sensitive functionality only by not displaying the links or URLs to unauthorized users.
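Items 4, 5 and 10 share one root cause: the application trusts something the client controls (a record id, the origin of a request, the fact that a link was not shown) instead of checking authorization on the server for every request. The example below is added for this chapter and is not code from the slides or infosec.gov.hk; the users, documents and routes are constructed, and the "session" is a plain dictionary standing in for whatever a real framework provides.

```python
import hmac
import secrets

# Constructed data standing in for an application's users and their records.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's tax return"},
    102: {"owner": "bob", "body": "bob's medical report"},
}
# Which role each URL path requires; "user" means any logged-in user.
ROUTE_ROLES = {"/profile": "user", "/admin/users": "admin"}


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


def new_session(username: str) -> dict:
    # The CSRF token is a per-session secret that a cross-site page cannot read.
    return {"user": username, "csrf_token": secrets.token_hex(16)}


# 4. Insecure direct object reference: the record id from the URL is trusted
#    as-is, so changing ?doc=101 to ?doc=102 reads another user's record.
def get_document_vulnerable(session: dict, doc_id: int) -> str:
    return DOCUMENTS[doc_id]["body"]


# Hardened form: the reference is honoured only if the record belongs to the
# session's user. Missing and foreign records fail the same way, so the
# response does not reveal which ids exist.
def get_document_safe(session: dict, doc_id: int) -> str:
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session["user"]:
        raise Forbidden(f"{session['user']} may not read document {doc_id}")
    return doc["body"]


# 10. Failure to restrict URL access: hiding the admin link in the menu is not
#     a control; the server checks the role on every request to the path.
def dispatch_safe(session: dict, path: str) -> str:
    required = ROUTE_ROLES.get(path)
    if required is None:
        raise KeyError(path)
    role = USERS[session["user"]]["role"]
    if required == "admin" and role != "admin":
        raise Forbidden(f"{path} requires admin, {session['user']} is {role}")
    return f"{path} served to {session['user']}"


# 5. Cross-site request forgery: a state-changing request must carry a token
#    bound to the session; a request forged from another site cannot supply it.
def transfer_safe(session: dict, form: dict) -> str:
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        raise Forbidden("missing or invalid CSRF token")
    return f"transferred {form['amount']} from {session['user']}"


def is_forbidden(fn, *args) -> bool:
    """True if the call is rejected by an authorization check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


def demo() -> dict:
    alice, carol = new_session("alice"), new_session("carol")
    return {
        "idor_vulnerable_leaks": get_document_vulnerable(alice, 102),
        "idor_safe_blocks": is_forbidden(get_document_safe, alice, 102),
        "own_document_ok": get_document_safe(alice, 101),
        "url_access_blocked": is_forbidden(dispatch_safe, alice, "/admin/users"),
        "admin_ok": dispatch_safe(carol, "/admin/users"),
        "csrf_blocked": is_forbidden(transfer_safe, alice, {"amount": "100"}),
        "csrf_ok": transfer_safe(alice, {"amount": "100", "csrf_token": alice["csrf_token"]}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points are worth noting. The ownership check compares against the identity stored in the server-side session, never against a user id supplied in the request, because a client-supplied id is itself a direct object reference. The CSRF comparison uses `hmac.compare_digest` so that the check takes the same time whether the token matches or not.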

29 3.4.2 Behavior of Web Attacks
Web applications are vulnerable to attacks from the moment they go live online. Over the past few years a number of web attacks have successfully exploited vulnerabilities in web servers and programming flaws in web applications. Web attacks roughly follow this pattern:
1. The attacker locates a web server with a vulnerability that he can leverage to launch a cross-site scripting (XSS) or code injection attack.

30 3.4.2 Behavior of Web Attacks
2. The attacker performs either of the following:
They succeed in inserting code (e.g. JavaScript code) in the vulnerable web server that allows a cross-site scripting attack to take place against client users connecting to the victim’s web server; or
They create a URL embedded with malicious script for a website with an XSS vulnerability. By enticing a target user to click on this URL, the embedded script runs in the user’s browser, causing more malignant attacks, such as downloading a Trojan horse or sending cookie information to the attacker.

31 3.4.3 Securing Your Web Applications
Administrative Measures for Securing Web Applications
Put in place key guidelines to provide direction on the development and maintenance of websites and/or online applications.
Put in place key guidelines on coding and development practices for web applications. Software development teams should follow a set of secure web application coding practices, designed to combat common web application security vulnerabilities.
Collect and manage sensitive information and user data in compliance with policy and regulations.

32 3.4.3 Securing Your Web Applications
Administrative Measures for Securing Web Applications
Prepare a security and quality assurance plan, and adopt quality assurance methods such as code review, penetration testing, user acceptance tests, and so on.
Perform a complete IT security audit before the final production launch of a web application, and after any major changes or upgrades to the system.

33 3.4.3 Securing Your Web Applications
Technical Measures for Securing Web Applications
New security risks come with the benefits of deploying web applications. To tackle these risks effectively, various security controls should be considered throughout the entire development lifecycle of the project. To help understand at what point in the lifecycle a recommended security control might be relevant, this section goes through the lifecycle phases and points out key security concerns that require special attention.
1. The Requirement Stage
2. The Design Stage
3. The Development Stage
4. The Testing and Quality Assurance Stage
5. The Pre-production Stage
6. The Maintenance and Support Stage

34 3.4.4 Patch Management Solution
As more and more software vulnerabilities are discovered and therefore need updates and patches, it is essential that system administrators manage the patching process in a systematic and controlled way. Successful patch management requires a robust and systematic process. This process, the Patch Management Lifecycle, involves a number of key steps:
preparation;
vulnerability identification and patch acquisition;
risk assessment and prioritization;
patch testing;
patch deployment and verification.
When deploying a patch management solution, there are also a number of security issues that should be considered.

35 3.4.5 Security Certifications
There are numerous studies available in the field that focus on information security as a professional qualification.
Product neutral certifications
DRI International’s Business Continuity Professional Certifications (BCP) - this program offers four levels of certification for business continuity planners. They are: the Certified Business Continuity Professional (CBCP), the Associate Business Continuity Planner (ABCP), the Certified Functional Continuity Professional (CFCP) and the Master Business Continuity Professional (MBCP).

36 3.4.5 .1 Product Neutral Certifications
SANS Global Information Assurance Certification (GIAC) - GIAC currently offers certifications for over 20 job-specific responsibilities instead of general purpose information security knowledge. It covers four IT / IT Security job disciplines: Security Administration, Management, Audit and Software Security, and offers three levels of certification, Silver, Gold and Platinum, for each job discipline. Certifications are based on 5-6 full day courses while certificates are based on 1 or 2 day courses. Some examples:

37 3.4.5 .1 Product Neutral Certifications
GIAC Certified Firewall Analyst (GCFW)
GIAC Certified Intrusion Analyst (GCIA)
GIAC Certified Incident Handler (GCIH)
GIAC Certified Security Consultant (GCSC)
GIAC Business Law and Computer Security (GBLC)
GIAC Security Audit Essentials (GSAE)

38 3.4.5 .1 Product Neutral Certifications
(ISC)2 Information Security Certifications
(ISC)2 offers several information security certifications and concentrations related to specific certifications.
CISSP – Certified Information Systems Security Professional
CISSP Concentrations:
ISSAP – Information Systems Security Architecture Professional
ISSEP – Information Systems Security Engineering Professional
ISSMP – Information Systems Security Management Professional
CSSLP – Certified Secure Software Lifecycle Professional
SSCP – Systems Security Certified Practitioner

39 3.4.5 .1 Product Neutral Certifications
(ISC)2 Information Security Certifications
CAP – Certification and Accreditation Professional
Associate of (ISC)2 Designation
Fellow of (ISC)2
These are vendor-neutral programs. CISSP is targeted at executives, while the CISSP Concentrations are targeted at experienced information security professionals and SSCP is appropriate for security specialists in the field. The CAP credential measures professionals’ knowledge, skills and abilities involved in the process of certifying and accrediting the security of information systems. There are also Associate programs for CISSP and SSCP for those who pass these exams but do not yet have the required experience.

40 3.4.5 .1 Product Neutral Certifications
Information Systems Audit and Control Association (ISACA) Certifications
The program is designed for IS audit, control and security professionals. It offers three certifications: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and Certified in the Governance of Enterprise IT (CGEIT).
Prosoft Training’s Certified Internet Webmaster (CIW) Security Analyst: CIW Exams and CIW Certifications – this program recognizes those who implement security policy, identify security threats, and develop countermeasures using firewalls and attack-recognition technologies.

41 3.4.5 .1 Product Neutral Certifications
Certified Wireless Security Professional (CWSP)
This program recognizes advanced knowledge of securing wireless LANs, including the hardware, software, protocols, procedures and design techniques used in reducing wireless LAN security risks. It builds on the foundation program CWNA (Certified Wireless Network Administrator).

42 3.4.5 .1 Product Neutral Certifications
The Security Certified Program (SCP)
This includes three levels of certification: the Security Certified Network Specialist (SCNS), the Security Certified Network Professional (SCNP) and the Security Certified Network Architect (SCNA). The SCNS focuses on the critical defensive technologies that are the foundation of securing network perimeters. SCNP focuses on defense, using technologies such as firewalls, intrusion detection and VPNs. SCNA looks at trusted communication and emerging security technologies like public-key infrastructure, biometrics, and smart cards.

43 3.4.5 .2 Product Oriented Certifications
Symantec Certifications – Symantec offers training programs for its products.
Check Point Certified Security Administrator (CCSA) & Check Point Certified Security Expert (CCSE)
A CCSA possesses the skills to define and configure security policies that enable secure access to information across corporate networks. The CCSE certification is recognized as the industry standard for Internet security certifications, as CCSEs possess the expertise to configure VPN-1/FireWall-1 as an Internet security solution and virtual private network (VPN) that securely connects corporate offices and remote workers, protecting information exchange and granting access to network resources.

44 3.4.5 .2 Product Oriented Certifications
The Cisco Certified Security Professional (CCSP) and Cisco Certified Internetwork Expert (CCIE) Security
CCSP requires a Cisco Certified Network Associate designation and proficiency with Cisco firewalls, intrusion detection systems and VPNs, whereas Cisco Certified Internetwork Expert (CCIE) Security covers IP, IP routing, and specific security components.

45 3.4.6 Wireless Network Security
Low deployment costs make wireless networks attractive to both organizations and end users. However, the easy availability of inexpensive equipment also gives attackers the tools to launch attacks on the network. New security risks come with the benefits of adopting wireless networks.
An Introduction to Wireless Networks
Wireless Internet access technology is being increasingly deployed in both office and public environments, as well as by Internet users at home. Some of the basic technologies of wireless network systems are outlined below:

46 3.4.6 .1 An Introduction to wireless Network
Wireless Local Area Network (WLAN)
A WLAN is a type of local area network that uses high-frequency radio waves rather than wires to communicate between network-enabled devices.
Access Point (AP)
A wireless AP is a hardware device that allows wireless communication devices, such as PDAs and mobile computers, to connect to a wireless network. Usually, an AP connects to a wired network, and provides a bridge for data communication between wireless and wired devices.

47 3.4.6 .1 An Introduction to wireless Network
Service Set Identifier (SSID)
A Service Set Identifier (SSID) is a configurable identification that allows wireless clients to communicate with an appropriate access point. With proper configuration, only clients with the correct SSID can communicate with the access points. In effect, the SSID acts as a single shared password between access points and clients.
Open System Authentication
Open System Authentication is the default authentication protocol for the wireless standard. It consists of a simple authentication request containing the station ID and an authentication response containing success or failure data. Upon successful authentication, both stations are considered mutually authenticated.

48 3.4.6 .1 An Introduction to wireless Network
Open System Authentication (cont’)
It can be used with the WEP (Wired Equivalent Privacy) protocol to provide better communication security; however, it is important to note that the authentication management frames are still sent in clear text during the authentication process. WEP is used only for encrypting data once the client is authenticated and associated. Any client can send its station ID in an attempt to associate with the AP. In effect, no authentication is actually done.
Shared Key Authentication
It is a standard challenge-and-response mechanism that makes use of WEP and a shared secret key to provide authentication. After encrypting the challenge text with WEP using the shared secret key, the authenticating client returns the encrypted challenge text to the AP for verification. Authentication succeeds if the AP decrypts it to the same challenge text.

49 3.4.6 .1 An Introduction to wireless Network
Ad-Hoc Mode
Ad-hoc mode is one of the networking topologies provided in the standard. It consists of at least two wireless stations where no access point is involved in their communication. Ad-hoc mode WLANs are normally less expensive to run, as no APs are needed for their communication. However, this topology cannot scale to larger networks and lacks some security features such as MAC filtering and access control.
Infrastructure Mode
Infrastructure mode is another networking topology in the standard. It consists of a number of wireless stations and APs. The APs usually connect to a larger wired network. This network topology can scale to form large-scale networks with arbitrary coverage and complexity.

50 3.4.6 .1 An Introduction to wireless Network
Wired Equivalent Privacy Protocol (WEP)
The WEP protocol is a basic security feature in the IEEE standard, intended to provide confidentiality over a wireless network by encrypting information sent over the network. A key-scheduling flaw has been discovered in WEP, so it is now considered insecure because a WEP key can be cracked in a few minutes with the aid of automated tools. Therefore, WEP should not be used unless a more secure method is not available.
Wi-Fi Protected Access (WPA) & Wi-Fi Protected Access 2 (WPA2)
WPA is a wireless security protocol designed to address and fix the known security issues in WEP. WPA provides users with a higher level of assurance that their data will remain protected by using the Temporal Key Integrity Protocol (TKIP) for data encryption. 802.1X authentication has been introduced in this protocol to improve user authentication.

51 3.4.6 .1 An Introduction to wireless Network
Wi-Fi Protected Access 2 (WPA2)
WPA2, based on IEEE 802.11i, is a newer wireless security protocol in which only authorized users can access a wireless device, with features supporting stronger cryptography (e.g. Advanced Encryption Standard or AES), stronger authentication control (e.g. Extensible Authentication Protocol or EAP), key management, replay attack protection and data integrity. TKIP was designed for use with WPA while the stronger algorithm AES was designed for use with WPA2. Some devices may allow WPA to work with AES while others may allow WPA2 to work with TKIP. But since Nov. 2008, a vulnerability in TKIP has been known in which an attacker may be able to decrypt small packets and inject arbitrary data into the wireless network. Thus, TKIP encryption is no longer considered a secure implementation. New deployments should consider using the stronger combination of WPA2 with AES encryption.

52 3.4.6 .2 Best Practice in Corporate Deployment of Wireless Network
In terms of cost effectiveness and convenience, wireless networks have gained in popularity among organizations. But new security risks come with the benefits of adopting wireless networks in an organization. To tackle these risks effectively, various security best practices need to be considered throughout the entire deployment lifecycle. We outline here a five-phase lifecycle model for network deployment and point out security issues that need special attention.
Initialization phase
Design/Procurement phase
Implementation phase
Operations and Maintenance phase
Disposition phase

53 3.4.6 .3 Security Threats and Risks Associated with Wireless Networks
Low deployment costs make wireless networks attractive to users. However, the easy availability of inexpensive equipment also gives attackers the tools to launch attacks on the network. The design flaws in the security mechanisms of the standard also give rise to a number of potential attacks, both passive and active. These attacks enable intruders to eavesdrop on, or tamper with, wireless transmissions.
“Parking Lot” Attack
Access points emit radio signals in a circular pattern, and the signals almost always extend beyond the physical boundaries of the area they are intended to cover. Signals can be intercepted outside buildings, or even through the floors in multi-storey buildings. As a result, attackers can implement a “parking lot” attack, where they actually sit in the organization’s parking lot and try to access internal hosts via the wireless network.

54 3.4.6 .3 Security Threats and Risks Associated with Wireless Networks
“Parking Lot” Attack (cont’)
If a network is compromised, the attacker has achieved a high level of penetration into the network. They are now through the firewall, and have the same level of network access as trusted employees within the corporation. An attacker may also fool legitimate wireless clients into connecting to the attacker’s own network by placing an unauthorized access point with a stronger signal in close proximity to wireless clients. The aim is to capture end-user passwords or other sensitive data when users attempt to log on to these rogue servers.

55 3.4.6 .3 Security Threats and Risks Associated with Wireless Networks
Shared Key Authentication Flaw
Shared key authentication can easily be exploited through a passive attack by eavesdropping on both the challenge and the response between the access point and the authenticating client. Such an attack is possible because the attacker can capture both the plaintext (the challenge) and the cipher-text (the response). WEP uses the RC4 stream cipher as its encryption algorithm. A stream cipher works by generating a key-stream, i.e. a sequence of pseudo-random bits, based on the shared secret key together with an initialization vector (IV). The key-stream is then XORed against the plaintext to produce the cipher-text.

56 3.4.6.3 Security Threats and Risks Associated with Wireless Networks
Shared Key Authentication Flaw (cont’)
An important property of a stream cipher is that if both the plaintext and the cipher-text are known, the key-stream can be recovered by simply XORing the two together, in this case the challenge and the response. The attacker can then encrypt any subsequent challenge text generated by the access point by XORing it with the recovered key-stream, producing a valid authentication response without ever learning the shared key. The only conditions are that the attacker reuses the IV from the captured exchange, since the key-stream depends on it, and that the forged response carries the correct integrity check value, which is computed over the challenge and is therefore also available. As a result, the attacker is authenticated to the access point.
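
To make the flaw concrete, here is an added example (written for this edit, not code from the lecture or from infosec.gov.hk) that simulates the shared-key exchange in Go with the standard library's RC4 and CRC-32. The 40-bit key, the IV and the 128-byte challenges are constructed values, and the helper names are the example's own. The attacker never sees the key: it only XORs the sniffed challenge (plus its ICV) with the sniffed response, then reuses that key-stream, with the same IV, to answer a fresh challenge.

```go
package main

import (
	"bytes"
	"crypto/rc4"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// wepKeyStream derives the per-frame RC4 key-stream the way WEP does:
// the 24-bit IV is prepended to the shared secret and the result seeds RC4.
func wepKeyStream(key, iv []byte, n int) ([]byte, error) {
	c, err := rc4.NewCipher(append(append([]byte{}, iv...), key...))
	if err != nil {
		return nil, err
	}
	ks := make([]byte, n)
	c.XORKeyStream(ks, ks) // XOR over zeros yields the raw key-stream
	return ks, nil
}

// withICV appends the WEP integrity check value: a little-endian CRC-32 of the data.
func withICV(data []byte) []byte {
	icv := make([]byte, 4)
	binary.LittleEndian.PutUint32(icv, crc32.ChecksumIEEE(data))
	return append(append([]byte{}, data...), icv...)
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// clientRespond is what a legitimate station does: encrypt challenge||ICV
// under the shared key with an IV of its choosing.
func clientRespond(key, iv, challenge []byte) ([]byte, error) {
	body := withICV(challenge)
	ks, err := wepKeyStream(key, iv, len(body))
	if err != nil {
		return nil, err
	}
	return xorBytes(body, ks), nil
}

// apVerify is the access point's check: decrypt with the shared key and the
// IV sent by the station, then compare plaintext and ICV with the challenge.
func apVerify(key, iv, challenge, response []byte) bool {
	if len(response) != len(challenge)+4 {
		return false
	}
	ks, err := wepKeyStream(key, iv, len(response))
	if err != nil {
		return false
	}
	return bytes.Equal(xorBytes(response, ks), withICV(challenge))
}

// recoverKeyStream is the attacker's step: with the plaintext (challenge||ICV)
// and the cipher-text (response) both in hand, XOR gives the key-stream.
func recoverKeyStream(challenge, response []byte) []byte {
	return xorBytes(withICV(challenge), response)
}

// forgeResponse encrypts a fresh challenge with the recovered key-stream. The
// attacker must send the sniffed IV along with it, since the key-stream depends on it.
func forgeResponse(keyStream, newChallenge []byte) []byte {
	return xorBytes(withICV(newChallenge), keyStream)
}

// constructedChallenge stands in for the AP's 128-byte random challenge text.
func constructedChallenge(seed byte) []byte {
	c := make([]byte, 128)
	for i := range c {
		c[i] = seed ^ byte(i*37)
	}
	return c
}

// runAttack plays the exchange end to end and reports whether the AP accepts
// the attacker's forged response. Key and IV are constructed for the example.
func runAttack() (bool, error) {
	key := []byte{0x0f, 0x1e, 0x2d, 0x3c, 0x4b} // 40-bit shared secret, never seen by the attacker
	iv := []byte{0x11, 0x22, 0x33}              // IV the legitimate client happened to use
	challenge1 := constructedChallenge(0xa5)
	response1, err := clientRespond(key, iv, challenge1) // sniffed off the air
	if err != nil {
		return false, err
	}
	ks := recoverKeyStream(challenge1, response1)
	challenge2 := constructedChallenge(0x5a) // the AP's challenge to the attacker
	return apVerify(key, iv, challenge2, forgeResponse(ks, challenge2)), nil
}

func main() {
	ok, err := runAttack()
	fmt.Println("forged shared-key authentication accepted:", ok, "err:", err)
}
```

Note that the same IV must go back to the access point with the forged response; with any other IV the recovered key-stream is useless, which is exactly why IV reuse is the heart of this flaw.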

57 3.4.6.3 Security Threats and Risks Associated with Wireless Networks
Service Set Identifier Flaw
Access points ship with default SSIDs. If the default SSID is not changed, these units can easily be compromised. In addition, SSIDs are sent over the air as clear text if WEP is disabled, so the SSID can be captured simply by monitoring network traffic. For some products, even when WEP is enabled, management messages containing the SSID are still broadcast in clear text by access points and clients, so an attacker can sniff the SSID and attempt to join the wireless LAN. The SSID must therefore never be treated as a secret or relied on as an access control.
The Vulnerability of Wired Equivalent Privacy Protocol
Data passing through a wireless LAN with WEP disabled (the default setting for most products) is susceptible to eavesdropping and data modification attacks.

58 3.4.6.3 Security Threats and Risks Associated with Wireless Networks
The Vulnerability of Wired Equivalent Privacy Protocol (cont’)
However, even when WEP is enabled, the confidentiality and integrity of wireless traffic are still at risk, because a number of flaws in WEP have been revealed which seriously undermine its claims to security. In particular, the following attacks on WEP are possible:
Passive attacks to decrypt traffic based on known-plaintext and chosen-cipher-text attacks;
Passive attacks to decrypt traffic based on statistical analysis of the cipher-text;
Active attacks to inject new traffic from unauthorized mobile stations;
Active attacks to modify data; or
Active attacks to decrypt traffic, by tricking the access point into redirecting wireless traffic to an attacker’s machine.

59 3.4.6.3 Security Threats and Risks Associated with Wireless Networks
Attack on Temporal Key Integrity Protocol (TKIP)
The TKIP attack (published by Beck and Tews in 2008) uses a mechanism similar to the WEP chopchop attack: it decodes one byte at a time by replaying modified frames and observing the response over the air. Using this mechanism, an attacker can decode small packets such as ARP frames in about 15 minutes. If Quality of Service (QoS) is enabled on the network, the attacker can further inject up to 15 arbitrary frames for every decrypted packet. Potential follow-on attacks include ARP poisoning, DNS manipulation and denial of service. Although this is not a key recovery attack, and it does not lead to compromise of the TKIP keys or decryption of all subsequent frames, it is still a serious attack and poses risks to all TKIP implementations on both WPA and WPA2 networks.

60 3.4.7 Public Key Infrastructure
Public Key Infrastructure Technology
Public Key Infrastructure (PKI) is a widely accepted IT security framework based on public key cryptography. The Hong Kong Government has laid a solid foundation for the deployment of PKI through the Electronic Transactions Ordinance (ETO) and the establishment of a public Certification Authority (CA) operated by Hongkong Post.
Certification Authorities and Digital Certificates
The effective operation of PKI depends very much on the support of a CA. The main role of a CA is to act as a trusted third party that verifies the identity of digital certificate subscribers. The subscriber generates the public/private key pair locally, for example with an application or a browser running on a workstation. The browser then automatically sends the public key, together with a certificate request, to the CA server; the private key stays with the subscriber.

61 3.4.7 Public Key Infrastructure
Certification Authorities and Digital Certificates (cont’)
The CA server then creates and digitally signs the subscriber’s certificate, subject to positive verification of the subscriber’s identity, and sends one copy of the certificate to a Directory Server while another copy goes to the subscriber. Upon receiving the certificate, the subscriber can export it together with the generated keys to a token, such as a floppy diskette or a smart card, for portability among PKI-enabled applications on various platforms. Hongkong Post is the first publicly recognized CA under the ETO (Cap. 553). Any organization or member of the public in Hong Kong can buy digital certificates from Hongkong Post, which issues different types of digital certificate such as e-Certs and Mobile e-Certs. There are also a number of other recognized CAs under the ETO.

62 3.5 Security Management
3.5.1 Security Management Cycle
Information is one of the most valuable assets in your business. The use of proper preventive measures and safeguards can reduce the risk of potentially devastating security attacks, which could cost you the future of your business. Some losses might be irrecoverable, such as the loss of a business deal due to the leak of confidential data to your competitor. With an effective information security management policy in place, you will be able to provide your company with a strong security strategy and a cost-effective solution for the overall protection of valuable information. The advantage is that information control becomes easier to manage and you can minimize the risk of attacks, ultimately saving costs. You want to safeguard your assets as well as you can, so making a security budget a mandatory part of your company budget is important.

63 3.5 Security Management
3.5.1 Security Management Cycle
Information security management involves a combination of prevention, detection and reaction processes. It is a cycle of iterative activities and processes that require ongoing monitoring and control. While this management cycle is mostly applied at the overall organization level, it can also be applied to different functions or units in a business to prevent financial loss, e.g. the sales department, the customer service unit, and so on. In order to make security management work, the involvement, understanding and support of all members of your organization is crucial to the effectiveness of any program. Do not be fooled into thinking it is an isolated task just for the security or IT department.

64 3.5.1 Security Management Cycle

65 3.5.2 Assessing Security Risks
The security management cycle starts with an assessment of the security risks. A Security Risk Assessment is done to identify what security measures are required. It is the initial step in evaluating and identifying the risks and consequences associated with vulnerabilities, and it provides a basis for management to establish a cost-effective security program. Based on the assessment results, appropriate security protection and safeguards should be implemented to maintain a secure protection framework. This includes developing security policies and guidelines, assigning security responsibilities and implementing technical security precautions and systems.

66 3.5.2 Assessing Security Risks
This step is followed by a cyclic compliance review and re-assessment, designed to provide assurance that security controls are put in place properly in order to meet users’ security requirements, and to cope with rapid technological and environmental changes. This relies on continuous feedback and monitoring. The review can be undertaken through periodic security audits to identify what enhancements may be necessary. By evaluating a list of considerations, you can identify what assets to protect, their relative importance, and each asset’s priority ranking for urgency and required level of protection. The flow chart shows the major steps in a Security Risk Assessment.

67 3.5.2 Assessing Security Risks
Planning
Information Gathering
Risk Analysis
Vulnerability Scanners
Identifying & Selecting Safeguards
Implementation
Monitoring

68 3.5.3 Implementing & Maintaining a Secure Framework
Following the results obtained from your security risk assessment, the security management cycle enters a phase of implementation and maintenance, where appropriate security protection measures and safeguards are implemented in a way that builds a secure protection framework. This includes developing security policies and guidelines, assigning security responsibilities and implementing technical and administrative security measures. All of these steps are crucial to safeguarding your business assets.
Set up and implement a security policy
Set up and implement management and administrative processes
Select and implement technological measures

69 3.5.3.1 Set up and Implement Security Policy
A good security policy sets out the basic rules for information security within your organization. These rules are mandatory and must be observed throughout the organization. Since security requirements vary from one organization to another, so must the security policy. It is therefore of the utmost importance that the security policy be in accordance with the organization’s requirements, business goals and other policies, so that it is supported by all employees and is enforceable. There are three basic types of policy:
Program level policy
Issue specific policy
System specific policy

70 3.5.3.1 Set up and Implement Security Policy
The system specific policy focuses on policy issues which management has decided for a specific system; it addresses only one system. The program level policy and the issue specific policy both address policy at a broad level, usually encompassing the entire organization. The choice to develop a particular type of policy depends on your organization’s requirements. The most important thing, however, is that the policy sets the direction and can be used as the basis for making other, lower-level decisions. A bird’s-eye view of the development cycle of a security policy is shown.

71 3.5.3.1 Set up and Implement Security Policy
Defining project scope and planning
Information collection
Constructing security policy framework
Developing policy statements
Implementing, promoting and enforcing security policy
Periodic review and evaluation

72 3.5.3.1 Set up and Implement Security Policy
An IT security policy should cover the company’s expectations of the proper use of its computer and network resources as well as the procedures to prevent and respond to security incidents. During the drafting of the policy, the company’s own requirements on security should be considered. The drafting of the policy should consider the following aspects:
Goals and direction of the company
Existing policies, rules, regulations and laws of the HKSAR
Company’s own requirements and needs
Implementation, distribution and enforcement issues

73 3.5.3.1 Set up and Implement Security Policy
IT Security Guidelines You may refer to this government document that introduces general concepts relating to IT Security and provides the readers some guidelines and considerations in defining security requirements and policy. Sample Policies University of Pennsylvania - Australian Computer Security Response Team ftp://ftp.auscert.org.au/pub/auscert/papers/Site.Security.Policy.Development.txt Policy Guides -- NIST Internet Security Policy

74 3.5.3.2 Set up and Implement Management & Administrative Processes
Depending on the direction and parameters set out in the Security Policy, management and administration processes will need to be set up to support policy implementation.
Assign roles and responsibilities
Guidelines and standards
Enforcement
On-going involvement of all parties

75 3.5.3.2 Set up and Implement Management & Administrative Processes
Assign roles and responsibilities
Development of an IT security policy requires the active support and ongoing participation of individuals from multiple ranks and functional units. Clear definitions and proper assignment of accountability and responsibility for securing the company’s information and system assets are therefore necessary, and may involve the following roles depending on the business needs and environment:
IT Security Officer
Senior Management
Information Owners
Users of Information Systems

76 3.5.3.2 Set up and Implement Management & Administrative Processes
Guidelines and Standards
Guidelines and standards are the tools used to implement the security policy. Since the policy itself may be written at a broad level, it is essential to develop standards, guidelines and procedures that give users, administrators, computer personnel and top management a clearer approach to implementing the security policy and meeting their departmental goals.
Security Awareness and Training
Security awareness is crucial to ensuring that all related parties understand the risks, and accept and adopt good security practices. Training and education can provide users, developers, system administrators, security administrators and other related parties with the skills and knowledge necessary to implement security measures.

77 3.5.3.2 Set up and Implement Management & Administrative Processes
Security Awareness and Training (cont’)
No policy can be considered implemented until users and related parties are committed to it and have been communicated with. This means that users and related parties:
Are informed about the policy through briefings or orientations
Are invited to participate in developing policy proposals
Are trained in the skills needed to follow the policy
Feel that security measures are created for their own benefit
Are periodically reminded and refreshed about new issues
Have signed an acknowledgement, and
Are provided with policy guidance in manageable units.

78 3.5.3.2 Set up and Implement Management & Administrative Processes
Enforcement
This refers to enforcing the rights that arise from implementation of the policy, and to providing redress for violations of those rights. The company should set up procedures to provide prompt assistance in investigative matters relating to breaches of security. Establishing a company incident management team and setting up a security incident handling procedure can improve the effectiveness of any enforcement policy.

79 3.5.3.2 Set up and Implement Management & Administrative Processes
On-going Involvement of All Parties
An effective security policy also relies on the continuous exchange of information, consultation, co-ordination and co-operation among users, the company and other parties. Input on standards, methods, codes of practice and other IT security experience from all parties involved will also help to keep the security policy up to date and relevant.

80 3.5.3.3 Set up and Implement Technical Measures
Besides management and administrative processes, the implementation of a Security Policy might involve technological measures through the selection and implementation of appropriate technologies and products. These technological measures should undergo proper testing before entering operation.
Anti-virus software
Access control systems
Firewalls
Intrusion Detection Systems
Encryption
Key management and Key Distribution Systems
Network Management Systems and Security Management Systems

81 3.6 Handling Security Incidents
A well-defined plan for handling security incidents is vital for the effective operation of an information system. It helps you systematically tackle problems arising from a security incident, minimizes losses and resolves the problem in the most effective manner.
3.6.1 What is an Information Security Incident ?
An information security incident is an adverse event in an information system and/or a network that poses a threat to computer or network security in respect of availability, integrity and confidentiality. Examples are:
Theft and burglary
Natural disaster, e.g. floods, typhoons, rainstorms
Possible hazards from the surroundings
Data line failure

82 3.6 Handling Security Incidents
3.6.1 What is an Information Security Incident ? (Examples)
System crashes
Packet flooding
Unauthorized access or use of system resources
Unauthorized use of another user’s account
Unauthorized use of system privileges
Web defacement
System penetration / intrusion
Massive virus attacks

83 3.6.2 Objectives of a Security Incident Response
Minimize business losses and subsequent liabilities to the company;
Minimize the possible impact of the incident in terms of information leakage, corruption and system disruption, etc.;
Ensure that the response is systematic and efficient and that there is prompt recovery for the compromised system;
Ensure that the required resources are available to deal with incidents, including manpower, technology, etc.;
Ensure that all responsible parties have a clear understanding of the tasks they need to perform during an incident by following predefined procedures;
Ensure that all response activities are recognized and co-ordinated;
Prevent further attacks and damage, and
Deal with related legal issues.

84 3.6.3 Legal and Contractual Considerations of a Security Incident Response
Some information security incidents involve criminal offenses and some do not. E.g. defacing a website, compromising a vulnerable server, spamming and stealing information from a compromised server are offenses under Hong Kong law, while port scanning is not an offense in Hong Kong. You should also note that different countries have different laws regarding cyber crime. If the incident is an offense, it should be reported to the relevant law enforcement agency. If you are not sure, you should consult the law enforcement agencies in that country.
The dilemma in prosecuting an attacker
Considerations in the collection of evidence
Considerations in tracking a hacking source

85 3.6.3.1 The dilemma in prosecuting an attacker
Do you want to prosecute an attacker? If so, should you leave the network connection up to track the attacker’s activity? But will that allow the attacker to do more harm? What should you do if there is a conflict between resumption of business and tracking and prosecuting the attacker? Whatever your answer, you should:
Involve senior management in any final decision
Follow the pre-defined priorities and criteria stipulated in the incident response plan and act accordingly
Identify the command structure of the decision-making process, and notify the relevant law enforcement authorities.

86 3.6.3.2 Considerations in the collection of evidence
Incident response team (IRT) staff are in contact with first-hand evidence, such as log files and system status information (e.g. system time, currently running processes and connected machines). It is essential to know how to handle this evidence. Here are some guidelines:
A piece of evidence must be factual and truthful
Electronic evidence must be captured as soon as possible
A proper chain of custody for the evidence should be maintained. A chain of custody is a history that shows how the evidence was collected, analyzed, transported and preserved in order to present it as evidence in court. A clearly defined chain of custody demonstrates that the evidence is trustworthy
Evidence should be collected with proper (un-contaminated) tools under pre-defined procedures

87 3.6.3.2 Considerations in the collection of evidence
Evidence should be protected from unauthorized access and from modification or damage.
Transfers or copies of evidence should be approved and witnessed.
Incident response team staff should take good note of their actions and the results.
Applying the guidelines of evidence collection:
Log events clearly and tidily in chronological order with a time stamp for each event. Use a preprinted form if possible to keep the format consistent.
Use other effective media such as audio and video recording when necessary.
Put down facts, not speculation or uncertain interpretation. Ambiguous and careless statements might damage any subsequent legal case.
Correct mistakes if found and record the cause of the mistakes.
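
The chain-of-custody guidelines on these two slides can be enforced by the record itself rather than by discipline alone. The following is an added example written for this edit (not from the lecture or from infosec.gov.hk) of a hash-chained custody log in Go: every entry carries a time stamp, the handler, a witness, a SHA-256 of the evidence content at that step and the hash of the previous entry, so a record rewritten after the fact, an evidence file that changed between steps, or an unwitnessed copy or transfer is detected on verification. The entry layout, the action names and the two auth-log lines used as evidence are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// custodyEntry is one recorded step in the chain of custody (layout assumed for this example).
type custodyEntry struct {
	Seq        int
	Time       time.Time
	Action     string // "collected", "copied", "transported", "analysed"
	Handler    string
	Witness    string
	Evidence   string // evidence identifier
	ContentSHA string // SHA-256 of the evidence bytes at this step
	PrevHash   string // EntryHash of the previous entry, "" for the first
	EntryHash  string // hash over all the fields above
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// hashEntry binds every field together so that a later edit to any one of them
// (time stamp, handler, witness, evidence hash) changes the entry hash.
func hashEntry(e custodyEntry) string {
	fields := []string{
		fmt.Sprint(e.Seq), e.Time.UTC().Format(time.RFC3339), e.Action,
		e.Handler, e.Witness, e.Evidence, e.ContentSHA, e.PrevHash,
	}
	return sha256Hex([]byte(strings.Join(fields, "\x1f")))
}

// custodyLog is an append-only, hash-chained record.
type custodyLog struct {
	entries []custodyEntry
}

// Record appends a step. Copies and transfers must name a witness.
func (l *custodyLog) Record(ts time.Time, action, handler, witness, evidence string, content []byte) error {
	if (action == "copied" || action == "transported") && witness == "" {
		return errors.New("copies and transfers of evidence must be witnessed")
	}
	e := custodyEntry{
		Seq: len(l.entries) + 1, Time: ts, Action: action, Handler: handler,
		Witness: witness, Evidence: evidence, ContentSHA: sha256Hex(content),
	}
	if n := len(l.entries); n > 0 {
		e.PrevHash = l.entries[n-1].EntryHash
	}
	e.EntryHash = hashEntry(e)
	l.entries = append(l.entries, e)
	return nil
}

// Verify re-derives every hash, checks the chain links and chronological order,
// and checks that each evidence item's content hash never changed between steps.
// It returns the sequence number of the first bad entry, or 0 if the log is intact.
func (l *custodyLog) Verify() (int, error) {
	prevHash := ""
	var prevTime time.Time
	firstSeen := map[string]string{}
	for i, e := range l.entries {
		switch {
		case e.Seq != i+1 || e.PrevHash != prevHash:
			return e.Seq, errors.New("chain link broken")
		case hashEntry(e) != e.EntryHash:
			return e.Seq, errors.New("entry altered after it was recorded")
		case e.Time.Before(prevTime):
			return e.Seq, errors.New("entries are not in chronological order")
		}
		if h, ok := firstSeen[e.Evidence]; ok && h != e.ContentSHA {
			return e.Seq, errors.New("evidence content changed between steps")
		}
		firstSeen[e.Evidence] = e.ContentSHA
		prevHash, prevTime = e.EntryHash, e.Time
	}
	return 0, nil
}

// demoCustody records a constructed three-step chain, verifies it, then simulates
// someone rewriting the second entry after the fact and reports which entry fails.
func demoCustody() (cleanOK bool, tamperedSeq int) {
	// Constructed evidence: two lines of the kind an auth log would hold.
	evidence := []byte("Mar 10 02:14:07 web-01 sshd[2201]: Failed password for root from 198.51.100.23 port 51022 ssh2\n" +
		"Mar 10 02:14:09 web-01 sshd[2201]: Accepted password for root from 198.51.100.23 port 51022 ssh2\n")
	item := "web-01:/var/log/auth.log"
	t0 := time.Date(2024, 3, 10, 3, 0, 0, 0, time.UTC)
	var l custodyLog
	_ = l.Record(t0, "collected", "analyst-A", "analyst-B", item, evidence)
	_ = l.Record(t0.Add(10*time.Minute), "copied", "analyst-A", "analyst-B", item, evidence)
	_ = l.Record(t0.Add(2*time.Hour), "transported", "courier-C", "analyst-B", item, evidence)
	if seq, err := l.Verify(); err != nil {
		return false, seq
	}
	l.entries[1].Handler = "analyst-X" // the record is rewritten after the fact
	seq, _ := l.Verify()
	return true, seq
}

func main() {
	ok, seq := demoCustody()
	fmt.Println("clean log verifies:", ok, " first tampered entry:", seq)
}
```

In practice the log would be written to a medium the team cannot silently rewrite (append-only storage or a signed export), since hash chaining only detects tampering; it does not prevent someone with write access from rebuilding the whole chain.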

88 3.6.3.3 Considerations in tracking a hacking source
Malicious attacks can provoke strong reactions among technical staff. Do not let emotion make catching the attacker a higher priority than minimizing the impact. Follow this advice:
Should you strike back? Do not consider this strategy. The system being used for the attack might just be another victim whose system has fallen under the control of the attacker. Secondly, spoofing can cause misinterpretation of the attacker’s source. Last of all, there are no legal grounds for an attack carried out in revenge.
Keep a low profile. Be careful not to act in a way that makes the attacker aware of your actions. The attacker might react by erasing their footprints or causing more damage to your whole system.
Be familiar with the technical processes and tools available that can make tracking efficient and discreet.

89 3.6.3.4 Six steps for a security incident response
The six step model is a generalized process cycle for security incident response. The best tip for success is being prepared. Proper and advance planning ensures that all response procedures are known, co-ordinated and systematically carried out. It also helps management make appropriate and effective decisions when tackling security incidents, and in turn minimizes any possible damage. The plan includes strengthening security protection, taking an appropriate response to address the incident, recovery of the system and other follow-up activities.

90 3.6.3.4 Six steps for a security incident response
Preparation
Detection & Identification
Containment
Eradication
Recovery
Aftermath

91 3.6.5 Useful Links for Security Incident Response
CERT/CC Incident Response FAQ (URL:// Collecting Electronic Evidence After a System Compromise (URL:// Steps for Recovering from a UNIX or NT System Compromise (URL:// SANS Reading Room – Incident Handling (URL://

