Week 2 - Introduction To Information Security Part II

The document discusses different types of security controls including physical, technical, and administrative controls. It then categorizes controls based on their functionality into preventive, detective, deterrent, corrective, recovery, and compensating controls.

Information Assurance and Security
LECTURE – 2: INTRODUCTION TO INFORMATION SECURITY PART II
Security Controls

IT3070 - INFORMATION ASSURANCE AND SECURITY 2


Security Controls
Computer/information security controls are often divided into three distinct categories:
• Physical controls
• Technical/Logical controls
• Administrative controls

Physical Controls
Physical controls are security measures implemented in a defined structure to deter or prevent unauthorized access to sensitive material. Examples:
• Surveillance cameras
• Motion or thermal alarm systems
• Security guards
• Picture IDs
• Locked and dead-bolted steel doors
• Network segregation
• Work area separation

Technical Controls
Technical controls use technology as the basis for controlling access to, and usage of, sensitive data throughout a physical structure and over a network. Examples:
• Encryption
• Smart cards
• Network authentication
• Access control lists (ACLs)
• File integrity auditing software

Administrative Controls
Administrative controls address the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information by such means as:
• Training and awareness
• Disaster preparedness and recovery plans
• Personnel recruitment and separation strategies
• Personnel registration and accounting
• Policy and procedures

Controls categorized by their functionality
• Preventive Controls
• Detective Controls
• Deterrent Controls
• Corrective Controls
• Recovery Controls
• Compensating Controls

Preventive Controls
Designed to discourage errors or irregularities from occurring. They are
proactive controls that help to ensure departmental objectives are being
met.
• Separation of duties
• Security of Assets (Preventive and Detective)
• Planning/testing
• Proper hiring practices
• Proper processing of terminations
• Approvals, Authorizations, and Verifications

Detective Controls
Designed to find errors or irregularities after they have occurred.
• Monitoring Systems
• Log reviews
• Burglar alarm
• File Integrity checkers
• Security reviews and audits
• Performance evaluations

Deterrent Controls
Intended to discourage potential attackers and send the message that it
is better not to attack, but even if you decide to attack we are able to
defend ourselves.
• Notices of monitoring and logging
• Visible practice of sound information security management.

Corrective Controls
Designed to correct the situation after a security violation has occurred.
Although a violation occurred, not all is lost, so it makes sense to try and
fix the situation.
• Procedure to clean a virus from an infected system
• A guard checking and locking a door left unlocked by a careless
employee
• Updating firewall rules to block an attacking IP address

Recovery Controls
Somewhat like corrective controls, but they are applied in more serious
situations to recover from security violations and restore information
and information processing resources.
• Disaster recovery and business continuity mechanisms
• Backup systems and data
• Emergency key management arrangements and similar controls.

Compensating Controls
Intended as alternative arrangements for other controls when the original controls have failed or cannot be used.
When a second set of controls addresses the same threats that are addressed by another set of controls, the second set is referred to as compensating controls.

Risk Management
What is risk?
• Life is full of risk. We all manage risk consciously or automatically in
life.
• Risk is the possibility of damage happening, and the ramifications of
such damage should it occur.
Information Risk Management (IRM) is the process of identifying and
assessing risk, reducing it to an acceptable level, and implementing the
right mechanisms to maintain that level.
• Risk can be mitigated but cannot be eliminated (and eliminating it is usually not even an option in the commercial world, where controlled, managed risk is what enables profits).

Risk Management Terms
• Vulnerability – a system, network or device weakness
• Threat – potential danger posed by a vulnerability
• Threat agent – the entity that identifies a vulnerability and uses it to
attack the victim
• Risk – likelihood of a threat agent taking advantage of a vulnerability
and the corresponding business impact
• Exposure – potential to experience losses from a threat agent
• Countermeasure – put into place to mitigate the potential risk

Understanding Risk

A threat agent gives rise to a threat that exploits a vulnerability and can lead to a security risk that can damage your assets and cause an exposure. This can be countered by a safeguard (countermeasure) that directly affects the threat agent.

Managing Risks

Comprehensive Security Model

Data Loss
Data loss or data exfiltration is when data is intentionally or unintentionally lost, stolen, or leaked to the outside world.
Data is likely to be an organization’s most valuable asset.
Organizational data can include:
• Research and development data
• Sales data
• Financial data
• Human resource and legal data
• Employee data
• Contractor data
• Customer data

Data Loss can result in:
• Brand damage and loss of reputation
• Loss of competitive advantage
• Loss of customers
• Loss of revenue
• Litigation/legal action resulting in fines and civil penalties
• Significant cost and effort to notify affected parties and recover from
the breach

Vectors of Data Loss
• Unencrypted Devices
• Cloud Storage Devices
• Removable Media
• Hard Copy
• Improper Access Control
• Email
• Social Networking

BYOD (Bring Your Own Device)
• BYOD is the emerging trend of employees using their personal devices, such as smartphones, tablets and laptops, to remotely access an organizational network to carry out office work.
• Employees can thus access official mail on their smartphone, connect
to office and work using their laptop even while they are traveling and
use tablets to be part of conferences that happen at their office when
they are away.
• BYOD is important today since employees would want to deliver their
best in today's competitive world and companies too would want to
make the most of the manpower they have at hand.

BYOD Benefits
• Boosts productivity. Employees can always work by accessing work
using their personal devices and they can even check emails and
update presentations while on vacation or while traveling back home.
• Employees work with devices that they are more comfortable with and
are hence happier when they work in places where BYOD is
encouraged.
• The money that would otherwise be invested in buying hardware, software etc. can be used for other things while employees use their own devices for work. SMBs in particular can benefit from BYOD in a very direct manner.
• BYOD helps companies stay abreast of changing technology as
employees using personal devices for work would stay up-to-date as
regards technology and would use the same for the company as well.

BYOD Drawbacks
• The security threats arise due to the increased number of people who
would be accessing a company's data using other devices and also due
to the fact that malware could get in through any BYOD device that
isn't properly secured.
• Company files and data, which are free to be accessed by employees
using their personal devices, could also end up in wrong hands. Such
data can be easily seen or stolen by outsiders with malicious
intentions.
• BYOD devices might also get stolen or they may get lost, which would
also cause data breaches.
• The IT departments in companies where BYOD is practiced come under tremendous pressure supporting, managing and securing all BYOD devices.

COPE (corporate-owned, personally enabled)
• COPE is a business model in which an organization provides its employees with mobile computing devices and allows the employees to use them as if they were personally owned notebook computers, tablets or smartphones.
• The COPE model provides the organization with greater power to protect the organization's data, both technically and legally.
• Corporate-owned device policies provide several benefits, such as:
  • The ability to actively manage and control if and when a device can access particular apps, sites, services, networks and solutions.
  • The opportunity to wipe a device of any corporate data when an employee loses his or her device or parts ways with the organization.
  • The chance to incorporate controls on the device that determine how applications, networks and IT systems can be used remotely, and whether specific information can be retrieved in certain scenarios.
Security measures for COPE/BYOD
Mobile Device Management (MDM) features secure, monitor, and
manage mobile devices, including corporate-owned devices and
employee-owned devices.
• Data Encryption
• PIN enforcement / strong authentication mechanisms
• Remote data wipe of stolen/misplaced devices
• Data Loss Prevention (DLP) options
• Jailbreak/Root detection
• Remotely locating devices
• Security assessments (Vulnerability assessments/ Pen testing/ Audits)

The Hacker
Hacker is a common term used to describe a network attacker.
However, the term “hacker” has a variety of meanings:
• A clever programmer capable of developing new programs and coding
changes to existing programs to make them more efficient.
• A network professional who uses sophisticated programming skills to ensure that networks are not vulnerable to attack.
• A person who tries to gain unauthorized access to devices on the
Internet.
• Individuals who run programs to prevent or slow network access to a
large number of users, or corrupt or wipe out data on servers.

White Hat Hackers
• Ethical hackers who use their hacking skills for good, ethical and legal purposes.
• May perform security assessments such as vulnerability assessments and penetration tests to discover vulnerabilities.
• Security vulnerabilities are reported to developers for
them to fix before the vulnerabilities can be exploited.
• Some organizations award prizes or bounties to white hat
hackers when they report vulnerabilities

Gray Hat Hackers
These are individuals who commit crimes and do arguably unethical things, but not for personal gain and without causing serious damage.

Example:
Someone who compromises a system without permission and then discloses the vulnerabilities publicly.
However, by publicizing a vulnerability, the gray hat hacker may give other hackers the opportunity to exploit it.

Black Hat Hackers
These are unethical criminals who violate computer and
network security for personal gain or for malicious reasons.
Black hat hackers exploit vulnerabilities to compromise
computer and network systems.

Modern Hacking Titles
• Script Kiddies
• Vulnerability Brokers
• Cyber Criminals
• Hacktivists
• State-Sponsored Hackers

Script Kiddies
• Inexperienced hackers running existing scripts, tools and exploits
developed by skillful hackers to cause harm but typically not for profit.
• It is generally assumed that most script kiddies are juveniles who lack
the ability to write sophisticated programs or exploits on their own
• Their objective is to try to impress their friends or gain credit in
computer-enthusiast communities.
• However, the term does not relate to the actual age of the participant.

Vulnerability Brokers
They are usually gray hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.

Cyber Criminals
• Cyber criminals are black hat hackers with the motive to make money
using any means necessary.
• Self-employed (working independently) or working for criminal organizations.
• It is estimated that globally, cyber criminals steal billions of dollars
from consumers and businesses.
• Cyber criminals operate in an underground economy where they buy,
sell, and trade attack toolkits, zero day exploit code, botnet services,
banking Trojans, keyloggers, and much more.
• They also buy and sell the private information and intellectual
property they steal from victims.
• Cyber criminals target small businesses and consumers, as well as
large enterprises and industry verticals.

Hacktivists
• Gray hat hackers who rally and protest against different social and political ideas.
• Hacktivists do not hack for profit; they hack for attention.
• Hacktivists publicly protest against organizations or governments by posting articles and videos, leaking sensitive information, and performing distributed denial-of-service attacks.

Examples of hacktivist groups:
• Anonymous
• Syrian Electronic Army

State-Sponsored Hackers
• These are government-funded and guided attackers.
• State-sponsored hackers create advanced and customized attack code, often using previously undiscovered software vulnerabilities, to steal government secrets, gather intelligence and sabotage networks and systems.
• Their targets are foreign governments, terrorist groups and corporations.
• Most countries in the world participate to some degree in state-sponsored hacking.
• Nations hire the best talent to create the most advanced and stealthy threats.
• An example: the Stuxnet malware, which was created to damage Iran’s nuclear enrichment capabilities.
