ICT System Security Notes

The document outlines a unit on ICT Security Threats, detailing competencies required for identifying and managing security threats in ICT systems. It includes learning outcomes such as establishing security measures, testing system vulnerabilities, and monitoring security systems, along with suggested assessment methods. The unit emphasizes the importance of computer security, categorizes security threats, and discusses various control measures against unauthorized access and computer viruses.


UNIT TITLE: ICT SECURITY THREATS

UNIT CODE: DIT/0612/ 554/ 14A & DBT 074

Lecturer Contact
Name: Martha Were
Cell Number: 0727911970
Email: marthawere@mmust.ac.ke
Date: Mondays 11:00-1:00PM
Venue: LBB 011

Relationship to Occupational Standards


This unit addresses the unit of competency: Control ICT security threats

Duration of Unit: 150 hours

Unit Description
This unit covers the competencies required to provide ICT security. They include identification of security
threats, installation of security control measures, implementation of security measures, testing of system
vulnerability and monitoring of the security system.

Summary of Learning Outcomes


1. Identify security threats
2. Establish and Install security measures
3. Deploy security measures
4. Test system vulnerability
5. Monitor security system

Learning Outcomes, Content and Suggested Assessment Methods

1. Identify security threats
Content:
• Definition of security threats
• Categories of security threats
  • Internal
  • External
• Importance of Computer Security to an Organization
• Identification of Common threats
  • Fraud and theft
  • Employee sabotage
  • Loss of physical and infrastructure support
  • Malicious hackers and code
  • Industrial espionage
  • Threats to personal privacy
  • Natural Calamities
  • Cyber crime
• Constraints to computer security
  • Cost
  • User responsibility
  • Integration challenges
  • Inadequate Assessment
Suggested Assessment Methods: Practical; Oral questioning; Written tests

2. Establish and Install security measures
Content:
• Definition of security risk management
• Benefits of Risk management
• Risk management procedures
  • Risk assessment
  • Risk mitigation
  • Uncertainty analysis
  • Interdependencies
  • Cost considerations
• Benefits of security measures
• Types of Security measures
  • Firewalls
  • User accounts control
  • Security policies
  • Antivirus
  • Encryption
  • Secure Socket Layer protocol (SSL)
  • Multi-factor authentication
  • Malware detection
  • Site monitoring
  • Daily or weekly backups
• Application of security measures
Suggested Assessment Methods: Written tests; Observation; Report writing; Practical

3. Deploy security measures
Content:
• Implement security measures contained in the ICT security policy
• Apply physical and logical risk mitigation measures
• Take corrective action
• Security audit to identify security gaps
• Generate system audit report
Suggested Assessment Methods: Practical; Oral questioning; Short tests to assess underpinning knowledge

4. Test system vulnerability
Content:
• Definition of vulnerability
• System testing schedule
• Levels of system vulnerability
• Ethical penetration
• System vulnerability test report
Suggested Assessment Methods: Practical exercises; Oral questioning

5. Monitor security system
Content:
• Define monitoring criteria
• Evaluation of system security performance based on defined criteria
• Updating and overhauling of security systems
• Generate monitoring report
Suggested Assessment Methods: Practical exercises; Oral questioning; Short tests to assess underpinning knowledge

Suggested Methods of Delivery

• Presentations and practical demonstrations by trainer;
• Guided learner activities and research to develop underpinning knowledge;
• Supervised activities and projects in a workshop.
The delivery may also be supplemented and enhanced by the following, if the opportunity allows:
• Visiting lecturer/trainer from the ICT sector;
• Industrial visits.

Recommended Resources for 25 students

Tools
1. Monitoring tools
2. 5 CCTV cameras
3. Maintenance tools
4. Firewalls
5. Antivirus
6. Anti-spyware
7. Password management software
8. 25 screwdrivers
9. Sensors
10. Computers

Reference materials
Manufacturers' manuals
TOPIC 1: IDENTIFY SECURITY THREATS
Content:
1.0 Definition of security threats
1.1 Categories of security threats
• Internal
• External
1.2 Importance of Computer Security to an Organization
1.3 Identification of Common threats
• Fraud and theft
• Employee sabotage
• Loss of physical and infrastructure support
• Malicious hackers and code
• Industrial espionage
• Threats to personal privacy
• Natural Calamities
• Cyber crime
1.4 Constraints to computer security
• Cost
• User responsibility
• Integration challenges
• Inadequate Assessment

1.0 Definition of security threats

Computer security is safety applied to computing devices such as computers and smartphones, as well as
computer networks such as private and public networks, including the whole Internet.
The field covers all the processes and mechanisms by which digital equipment, information and services are
protected from unintended or unauthorized access, change or destruction, and it is of growing importance in line
with the increasing reliance of most societies worldwide on computer systems.
It includes physical security to prevent theft of equipment, and information security to protect the data on that
equipment.
Some important terms used in computer security are:
A security attack is the act or attempt to exploit a vulnerability in a system.
Vulnerabilities are the gaps or weaknesses in a system that make threats possible and tempt
threat actors to exploit them.
Threats represent potential security harm to an asset when vulnerabilities are exploited.
Attacks are threats that have been carried out.
Security controls are the mechanisms used to control an attack.
Attacks can be classified into active and passive attacks.
Passive attacks – the attacker observes information without interfering with the information or its flow.
He/she does not interfere with the operation of the system; what is observed is message content and message traffic.
Active attacks – involve more than observation of messages or information. There is interference with the traffic or
message flow, which may involve modification, deletion or destruction. This may be
done through the attacker masquerading or impersonating as another user. Repudiation is another form: someone
does something and later denies it. This is a threat against authentication and, to some extent, integrity.
Data security is the protection of data & information from accidental or intentional disclosure to unauthorized
persons
Private data or information is that which belongs to an individual & must not be accessed by or disclosed to any
other person, without direct permission from the owner.
Confidential data or information – this is data or information held by a government or organization about
people. This data/information may be seen by authorized persons without the
knowledge of the owner. However, it should not be used for commercial gain or any other unofficial purpose
without the owner being informed.
Computer crime: Computer crime refers to any crime that involves a computer and a network.

Security goals
To retain a competitive advantage and to meet basic business requirements, organisations must endeavour to
achieve the following security goals:
The Information Security Triad: Confidentiality, Integrity, Availability (CIA)

Confidentiality – protect the value of information and preserve the confidentiality of sensitive data. Information
should not be disclosed without authorization. Information whose release is permitted only to a certain section
of the public should be identified and protected against unauthorised disclosure.
Integrity – ensure the accuracy and reliability of the information stored on the computer systems. Information
has integrity if it reflects, or is consistent with, the real-world situation. Information should not be altered
without authorisation. Hardware designed to perform some functions has lost integrity if it does not perform
those functions correctly. Software has lost integrity if it does not perform according to its specifications.
Communication channels should relay messages securely so that integrity is preserved. People should ensure the
system functions according to the specifications.
Availability – ensure the continued availability of the information system and all its assets to legitimate users at
an acceptable level of service or quality of service. Any event that degrades the
performance or quality of a system affects availability.

Hazards (exposures) to information security.


An exposure is a form of possible loss or harm. Examples of exposures include:
Unauthorised access resulting in a loss of computing time.
Unauthorised disclosure – information revealed without authorisation.
Destruction, especially with respect to hardware and software.
Theft.
Interference with system operation.
Types of Computer Security.
1. Application security
Application security is the process of adding specific features to software that prevent a variety of cyber threats.
Examples include two-step authentication, high-level encryption, logging, firewalls, intrusion prevention
systems (IPS) and more.
2. Information security
Information security revolves around protecting company data assets from unauthorized use. Typically,
information security involves the CIA triad model, which focuses on protecting data confidentiality, integrity and
availability without impacting an organization’s productivity.
3. Network security
This type of computer security focuses on procedures network administrators implement to avoid unauthorized
access, modification, exploitation or denial of the networks and their resources. Conducted effectively, these
procedures block the majority of viruses, malware and other cyber threats from accessing or altering secure
information.
4. Endpoint security
Endpoint security is the practice of safeguarding individual network endpoints — individual devices that connect
to an organization’s network. This practice has become more important in recent years as many people use
personal computers, phones and other devices to access company information and networks while working from
home. Ensuring that these devices can access needed information without compromising an organization’s
security posture is a major concern in modern computer security.
Importance of Computer Security to an Organization
It’s important to keep your computer secure for several reasons.
First, you likely have sensitive information about yourself, your employer, and/or your customers that must be
protected and kept confidential.
Second, every computer, or “endpoint”, is a potential gateway into the rest of your home or company network. If
your computer is compromised, you jeopardize the security of all information stored across your entire network.
1.1 Categories of security threats
As ICT has developed, computer crime has increased. There are many threats to ICT systems, and they can be broken
into two categories: internal and external threats.

Internal threats refer to risks that originate from within an organization.


Examples of Internal threats include:
• Hardware failure
• Faulty procedures
• Poorly-trained staff
• Use of wireless networks
• Dishonest employees
• Disclosure of passwords

External threats are risks that arise from outside the organization. They are often beyond the direct control of
the organization, making it essential to identify and prepare for them proactively.
Examples of External threats include:
• Hackers
• Viruses & Malware
• Software, Music or Film pirates
• Denial of Service Attacks
• Fraudulent traders
• Terrorists
• Organized criminals
• Money & Identity theft
• Natural disasters

Security threats to data & information


1. COMPUTER VIRUSES
A computer virus is a destructive program that attaches itself to other files when the files are opened for use, and
installs itself on the computer, without the knowledge of the user.
A computer virus is a program designed specifically to damage other programs or interfere with the proper
functioning of the computer system.
A virus is computer code usually designed to carry out two tasks:
• To copy itself from one computer system to another.
• To locate itself within a computer system enabling it to amend/destroy program & data files, by interfering
with the normal processes of the operating system.
Types of computer viruses.
1. Boot sector viruses – they destroy the booting information on storage devices.
2. File viruses – they attach themselves to files either erasing or modifying them.
3. Hoax viruses – they come as e-mails with an attractive subject & activate themselves when the e-mail is
opened.
4. Trojans – they appear to perform necessary functions, but perform other undesirable activities in the
background without the knowledge of the user.
5. Worms – viruses that stick in the computer memory.
6. Backdoors – may be a Trojan or Worm that allows hidden access to a computer system.

Types of destructions/damages caused by a virus attack


• Delete or modify data, information & files on storage devices (disks) or memory during normal program
execution, e.g., may attack the format of a disk making any program or data on it impossible to recover.
• Systematically destroy all the data in the computer memory.
• Might lock the keyboard.
• Can change keystroke values or data from other I/O devices, e.g., change the effect of SHIFT key.
• Delete characters displayed on a visual display.
• Uses up computer memory/space, hence slowing down its performance or causing the system to crash.
• Changes colour of the display.
• Cause boot failure.

Sources of viruses.
1. Contact with contaminated systems:
If a diskette is used on a virus infected computer, it could become contaminated. If the same diskette is used on
another computer, then the virus will spread.
2. Use of pirated software:
Pirated software may be contaminated by a virus code or it may have been amended to perform some destructive
functions which may affect your computer.
3. Infected proprietary software:
A virus could be introduced when the software is being developed in laboratories, and then copied onto diskettes
containing the finished software product.
4. Fake games:
Some virus programs behave like games software. Since many people like playing games on computers, the
virus can spread very fast.
5. Freeware and Shareware:
Both freeware & shareware programs are commonly available on bulletin board systems.
Such programs should first be used in a controlled environment until it is clear that the program does not contain
either a virus or a destructive code.
6. Updates of software distributed via networks:
Virus programs can be spread through software distributed via networks.
Symptoms of viruses in a computer system.
The following symptoms indicate the presence of a virus in your computer:
• Boot failure.
• Files & programs disappearing mysteriously.
• Unfamiliar graphics or messages appearing on the screen, e.g., the virus might flash a harmless message such
as “Merry Christmas” on the computer terminal.
• Slow booting.
• Gradual filling of the free space on the hard disk.
• Corruption of files and programs.
• Programs taking longer than usual to load.
• Disk access time seeming too long for simple tasks.
• Unusual error messages occurring more frequently.
• Frequent read/write errors.
• Disk access lights turning on for non-referenced devices.
• Computer hangs anytime when running a program.
• Less memory available than usual, e.g., Base memory may read less than 640KB.
• Size of executable files changing for no obvious reason
Control measures against viruses.
• Install up-to-date (or the latest) antivirus software on the computers.
• Restrict the movement of foreign storage media, e.g., diskettes in the computer room. If they have to be used,
they must be scanned for viruses.
• Avoid opening mail attachments before scanning them for viruses.
• Write-protect disks after using them.
• Disable floppy disk drives, if there is no need to use disks in the course of normal operation.
• Backup all software & data files at regular intervals.
• Do not boot your computer from disks which you are not sure are free from viruses.
• Avoid pirated software. If possible, use the software from the major software houses.
• Programs downloaded from Bulletin Boards & those obtained from computer clubs should be carefully
evaluated & examined for any destructive code.
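Several of the symptoms listed above (files disappearing, programs becoming corrupted, executable files changing size for no obvious reason) can be detected mechanically by keeping a baseline of file hashes and rescanning. The following is an added example written for these notes, not code from the original document; the directory contents it scans are constructed in a temporary folder purely to show the three kinds of change a rescan reports.

```python
"""File integrity baseline and rescan, a defender's check for the virus symptoms
listed above. Added example for these notes; all sample files are constructed."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file under root (path relative to root) to (size, sha256)."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = (p.stat().st_size, hash_file(p))
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between an old and a new baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        rel for rel in set(baseline) & set(current)
        if baseline[rel] != current[rel]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a scratch directory (constructed sample data), baseline it, simulate
    the kind of changes a file virus produces, and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "payroll.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "bin" / "report.exe").write_bytes(b"MZ" + b"\x00" * 50)
        (root / "readme.txt").write_text("original notes\n")
        before = build_baseline(root)

        # Simulated changes: an executable grows (a file virus appending itself),
        # a file disappears, and an unknown new executable appears.
        with (root / "bin" / "payroll.exe").open("ab") as fh:
            fh.write(b"SIMULATED-APPENDED-CODE")
        (root / "readme.txt").unlink()
        (root / "bin" / "dropper.exe").write_bytes(b"MZ" + b"\xff" * 20)
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline would be written to read-only or off-host storage right after a clean installation, and the rescan scheduled alongside the antivirus scans mentioned above; a report with unexpected entries under "modified" or "added" is the cue to isolate the machine and investigate.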
2. UNAUTHORIZED ACCESS
Data & information is always under constant threat from people who may want to access it without permission.
Such persons will usually have a bad intention, either to commit fraud, steal the information & destroy or corrupt
the data. Unauthorized access may take the following forms:

• Eavesdropping:
This is tapping into communication channels to get information, e.g., hackers mainly use eavesdropping to
obtain credit card numbers.
• Surveillance (monitoring):
This is where a person may monitor all computer activities done by another person or people.
The information gathered may be used for different purposes, e.g., for spreading propaganda or sabotage.
• Industrial espionage:
Industrial espionage involves spying on a competitor so as to get or steal information that can be used to finish
the competitor or for commercial gain. The main aim of espionage is to get ideas on how to counter the
competitor, by developing a similar approach or by sabotage.
• An employee who is not supposed to see some sensitive data gets it, either by mistake or design.
• Strangers who may stray into the computer room when nobody is using the computers.
• Forced entry into the computer room through weak access points.
• Network access in case the computers are networked & connected to the external world.

Control measures against unauthorized access.


• Enforce data & information access control policies on all employees to control access to data.
• Keep the computer room closed when nobody is using it.
• Reinforce weak access points, e.g., doors & windows with metallic grills & burglar alarms.
• Use file passwords to prevent any person from getting access to the electronic files.
• Enforce network security measures, e.g., use of firewalls.
• Encrypt the data & information during transmission.
• Perform frequent audit trails to identify threats to data & information.

3. COMPUTER ERRORS & ACCIDENTAL ACCESS


Errors and accidental access to data & information may be as a result of:
• Mistakes made by people, e.g., one may print sensitive reports & unsuspectingly give them to unauthorized
persons.
• People experimenting with features they are not familiar with, e.g., a person may innocently download a file
without knowing that it is self-installing or that it may be dangerous to the system.

Control measures against computer errors & accidents.


• Restrict file access for the end-users and technical staff in the organization, i.e., deny certain groups of end-users
access to certain files & computers.
This is because accidental access mistakes occur if the end-users have too much privilege, allowing them to
access or change sensitive files on the computer.
• Set up a comprehensive error-recovery strategy in the organization.

4. THEFT
The threat of theft of data & information, hardware & software is real. Some information is so valuable that
business competitors or some governments may decide to pay somebody a fortune to steal the information
for them to use.

Control measures against theft of information, hardware, & software.


• Create backups & store them in locations away from the main computing centre.
• Reinforce weak access points, e.g., the windows, doors, & roofing with metallic grills and strong padlocks.
• Put burglar proofs in the computer room.
• Employ guards to keep watch over data & information centres and backups.

5. COMPUTER CRIMES
A computer crime is a deliberate theft or criminal destruction of computerized data.
• The use of computer hardware, software, or data for illegal activities, e.g., stealing, forgery, defrauding, etc.
• Committing of illegal acts using a computer or against a computer system.

Types of computer crimes.


The following are the major types of computer crimes:
• Fraud (Theft of money)
• Alteration of data.
• Theft of computer time / Theft of service.
• Theft of data, information or programs.
• Damage of software.

Trespass.
• Trespass refers to the illegal physical entry to restricted places where computer hardware, software & backed
up data is kept.
• It can also refer to the act of accessing information illegally on a local or remote computer over a network.
Trespass is not allowed and should be discouraged.
Hacking.
Hacking is an attempt to invade the privacy of a system, either by tapping messages being transmitted along a
public telephone line, or through breaking security codes & passwords to gain unauthorized entry to the system
data and information files in a computer.

Reasons for hacking.


• To copy or corrupt the information.
• As a hobby to test their expertise. Some people like the challenge & they feel great after successful hacking.
• Some do it for computer & software producing companies that want to secure their systems by reducing
weaknesses discovered after professional hacking.
Hacking is done by skilled programmers referred to as Hackers.
Hacker is a person who gains unauthorised access to a computer network for profit, criminal mischief, or
personal gain.
Such people are able to break through passwords or find weak access points in software. They are involved in
propagating computer viruses.
Tapping.
Tapping involves listening to a transmission line to gain a copy of the message being transmitted.
Tapping may take place through the following ways:
1. A person may send an intelligent program to a host computer that sends him/her information from the
computer.
2. Spying on a networked computer using special programs that are able to intercept messages being sent &
received by the unsuspecting computer.
Cracking.
Cracking is the use of guesswork by a person trying to look for a weakness in the security codes of software in
order to get access to data & information.
These weak access points can only be sealed using special corrective programs called patches,
which are prepared by the manufacturing company.
A program patch is a software update that, when incorporated in the current software, makes it better.
NB: Cracking is usually done by people who have some idea of the passwords or user names of the authorized staff.

Piracy.
Piracy means making illegal copies of copyrighted software, data, or information either for personal use or for
re-sale.
Ways of reducing piracy:
• Enact & enforce copyright laws that protect the owners of data & information against piracy.
• Make software cheap enough to increase affordability.
• Use licenses and certificates of authenticity to identify originals.
• Set installation passwords that prevent illegal installation of software.

Fraud.
Fraud is the use of computers to conceal information or cheat other people with the intention of gaining money
or information. Fraud may take the following forms:
• Input manipulation:
Data input clerks can manipulate input transactions, e.g., they can create dummy (ghost) employees on the Salary
file or a ghost supplier on the Purchases file.
• Production & use of fake documents:
E.g., a person created an intelligent program in the Tax department that could credit his account with cents from
all the tax payers. He ended up becoming very rich before he was discovered. Fraudsters can either be employees
in the company or outsiders who are smart enough to defraud unsuspecting people.

Reasons that may lead to computer fraud.


• For economic gain (i.e., to gain money or information).
• To gain respect (self-worth)
Security measures to prevent fraud:
• Careful recruitment of staff.
• Set up a clear & firm management policy on crimes & frauds.
• Restrict access to the computer room or terminal.
• Use transaction & file logs to monitor access to sensitive areas of the system.
• Monitor & investigate error logs and reports on regular basis.
• Carry out risk analysis to examine the exposure of the organization to possible fraud.

Sabotage.
Sabotage is the illegal or malicious destruction of the system, data or information by employees or other people
with grudges with the aim of crippling service delivery or causing great loss to an organization.
Sabotage is usually carried out by discontented employees or those sent by competitors to cause harm to the
organization.
The following are some acts of saboteurs which can result in great damage to the computer centres:
• Using Magnets to mix up (mess up) codes on tapes.
• Planting of bombs.
• Cutting of communication lines.

Alteration
Alteration is the illegal changing of stored data & information without permission with the aim of gaining or
misinforming the authorized users.
Alteration is usually done by those people who wish to hide the truth. It makes the data irrelevant and unreliable.
Alteration may take place through the following ways:
• Program alteration:
This is done by people with excellent programming skills. They do this out of malice or they may liaise with
others for selfish gains.
• Alteration of data in a database:
This is normally done by authorized database users, e.g., one can adjust prices on invoices, increase prices on
selling products, etc., and then pocket the surplus amounts.

Security measures to prevent alteration:


1. Do not give data editing capabilities to anybody without vetting.
2. The person altering the data may be forced to sign in order for the system to accept altering the information.

Theft of computer time.


Employees may use the computers of an organization to do their own work, e.g., they may produce publications
for selling using the computers of the company.
Theft of data (i.e., commercial espionage).
Employees steal sensitive information or copy packages and sell them to outsiders or competitors for profit.
This may lead to a leakage of important information, e.g., information on marketing strategies used by the
organization, research information, or medical reports.

DETECTION & PROTECTION AGAINST COMPUTER CRIMES


The following measures can be taken to detect & prevent computer crimes, and also seal security loopholes.

Audit trails
This is a careful study of an information system by experts in order to establish (or, find out) all the weaknesses
in the system that could lead to security threats or act as weak access points for criminals.
An audit of the information system may seek to answer the following questions: –
1. Is the information system meeting all the design objectives as originally intended?
2. Have all the security measures been put in place to reduce the risk of computer crimes?
3. Are the computers secured in physically restricted areas?
4. Is there backup for data & information of the system that can ensure continuity of services even when
something serious happens to the current system?
5. What real risks face the system at present or in future?

Data encryption
Data being transmitted over a network faces the dangers of being tapped, listened to, or copied to unauthorized
destinations.
To protect such data, it is mixed up into a form that only the sender & the receiver can understand, by
reconstructing the original message from the mix. This is called data encryption.
The flow diagram below shows how a message can be encrypted and decrypted to enhance security.

The message to be encrypted is called the plaintext document. After encryption using a particular order (or
algorithm) called the encryption key, it is sent as ciphertext on the network. After the recipient receives the
message, he/she decrypts it using the reverse algorithm to the one used during encryption, called the decryption key,
to get the original plaintext document.
This means that, without the decryption key, it is not possible to reconstruct the original message.
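The encryption flow just described, and the distinction made earlier between passive attacks (observing traffic) and active attacks (modifying it), can both be demonstrated in one round trip: the sender encrypts with a shared key and attaches an authentication tag, a passive observer sees only unreadable bytes, and any alteration in transit is rejected by the receiver. This is an added example written for these notes, not the diagram or code of the original document. It builds a stream cipher from HMAC-SHA256 in counter mode using only the standard library so that it runs anywhere; that construction is for illustration, and a production system would use a vetted authenticated cipher such as AES-GCM instead. The shared key, nonce format and message layout (nonce || ciphertext || tag) are assumptions of the example.

```python
"""Encrypt-then-MAC round trip with a shared key. Added example for these notes;
the HMAC-in-counter-mode stream cipher is an illustration, not a vetted cipher."""
import hashlib
import hmac
import os

NONCE_LEN = 16   # per-message random value so equal plaintexts encrypt differently
TAG_LEN = 32     # HMAC-SHA256 output


def derive_keys(master_key: bytes) -> tuple:
    """Derive separate keys for confidentiality and integrity from one shared secret."""
    enc_key = hmac.new(master_key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random bytes: HMAC(enc_key, nonce || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Sender side: return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key: bytes, message: bytes) -> bytes:
    """Receiver side: verify the tag first, then decrypt. Raises ValueError on tampering
    or on a wrong key (an active attack or a bad decryption key both fail here)."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message rejected: authentication tag mismatch")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def tamper_detected(master_key: bytes, message: bytes) -> bool:
    """Flip one ciphertext byte, as an active attacker on the wire might, and report
    whether the receiver rejects the altered message."""
    altered = bytearray(message)
    altered[NONCE_LEN] ^= 0x01
    try:
        decrypt(master_key, bytes(altered))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = b"shared secret agreed out of band"          # constructed sample key
    msg = encrypt(key, b"Transfer 100 to account 42")  # constructed sample message
    print("on the wire:", msg.hex())                   # what a passive eavesdropper sees
    print("decrypted:", decrypt(key, msg))
    print("tampering detected:", tamper_detected(key, msg))
```

The order matters: the receiver checks the tag before touching the ciphertext, so a modified, replayed-with-edits or wrong-key message is discarded without ever being interpreted. Encryption alone gives confidentiality against the passive attacker; the tag is what turns an active modification into a detectable event.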

Log files.
These are special system files that keep a record (log) of events on the use of the computers and resources of
the information system.
Each user is usually assigned a username & password or account. The information system administrator can
therefore easily track who accessed the system, when and what they did on the system.
This information can help monitor & track people who are likely to violate system security policies.
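Tracking "who accessed the system, when and what they did" means reading the log back, not just writing it. The following is an added example written for these notes, not code from the original document: it parses a small set of constructed log lines in an assumed key=value format (real systems use their own formats), summarises activity per user account, and flags two patterns an administrator would follow up on, repeated failed logins and access to sensitive files outside working hours.

```python
"""Log-file review: per-user activity summary and policy-violation flags.
Added example for these notes; the log format and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2024-03-04 08:55:10 user=alice action=login result=success src=10.0.0.5
2024-03-04 08:56:02 user=alice action=open file=/finance/payroll.xlsx result=success src=10.0.0.5
2024-03-04 12:01:44 user=bob action=login result=failure src=10.0.0.9
2024-03-04 12:01:51 user=bob action=login result=failure src=10.0.0.9
2024-03-04 12:02:03 user=bob action=login result=failure src=10.0.0.9
2024-03-04 12:02:20 user=bob action=login result=success src=10.0.0.9
2024-03-04 23:40:12 user=carol action=open file=/finance/payroll.xlsx result=success src=203.0.113.7
2024-03-04 23:41:00 user=carol action=copy file=/finance/payroll.xlsx result=success src=203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<kv>.*)$")


def parse_line(line: str):
    """Turn one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return fields


def parse_log(text: str) -> list:
    """Parse every well-formed line; malformed lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def activity_by_user(records: list) -> dict:
    """Who did what, and when: a chronological list of events per user account."""
    summary = defaultdict(list)
    for r in records:
        event = f"{r['ts']:%H:%M:%S} {r.get('action', '?')} {r.get('file', '')}".strip()
        summary[r.get("user", "<unknown>")].append(event)
    return dict(summary)


def find_violations(records: list, failed_threshold: int = 3, work_hours=(8, 18)) -> list:
    """Flag repeated failed logins (possible password guessing) and file access
    outside the assumed working hours [start, end). Returns (user, reason) pairs."""
    violations = []
    failures = defaultdict(int)
    for r in records:
        user = r.get("user", "<unknown>")
        if r.get("action") == "login":
            if r.get("result") == "failure":
                failures[user] += 1
                if failures[user] == failed_threshold:
                    violations.append((user, "repeated failed logins"))
            else:
                failures[user] = 0   # a successful login ends the current streak
        if r.get("file") and not (work_hours[0] <= r["ts"].hour < work_hours[1]):
            violations.append((user, f"out-of-hours {r['action']} of {r['file']}"))
    return violations


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, events in activity_by_user(recs).items():
        print(user, events)
    for user, reason in find_violations(recs):
        print("FLAG:", user, reason)
```

The thresholds and working hours are policy decisions, which is why they are parameters: the log is only useful for enforcement if the rules it is checked against are the ones written in the organisation's security policy.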

Firewalls
A Firewall is a device or software system that filters the data & information exchanged between different
networks by enforcing the access control policy of the host network.
A firewall monitors & controls access to or from protected networks. People (remote users) who do not have
permission cannot access the network, and those within cannot access sites outside the network restricted by
firewalls.
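A firewall enforces the host network's access control policy by checking each connection against an ordered rule list and applying a default decision when nothing matches. The following is an added example written for these notes, not code from the original document or any firewall product: it models that decision procedure in a few dozen lines, with a constructed policy (assumed addresses from the documentation ranges 192.0.2.0/24 for the protected network and 203.0.113.0/24 / 198.51.100.0/24 for outside hosts) and a default-deny rule, so that both cases in the text are visible, the remote user without permission being refused and the internal user being kept off a restricted outside site.

```python
"""First-match packet filter with default deny, modelling the firewall policy
enforcement described above. Added example for these notes; the policy and
addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "inbound" (from outside) or "outbound" (from inside)
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, None = any port
    proto: str = "tcp"


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


PROTECTED = "192.0.2.0/24"      # assumed internal network
ANY = "0.0.0.0/0"

# Constructed policy. Order matters: the first matching rule decides.
POLICY = [
    Rule("allow", "inbound",  ANY,       "192.0.2.10/32",   443),   # public web server only
    Rule("deny",  "inbound",  ANY,       PROTECTED,         22),    # no remote shell from outside
    Rule("deny",  "outbound", PROTECTED, "198.51.100.0/24", None),  # site range restricted by policy
    Rule("allow", "outbound", PROTECTED, ANY,               443),   # internal users may browse https
    Rule("allow", "outbound", PROTECTED, ANY,               80),    # ... and http
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.direction != pkt.direction or rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def decide(policy: list, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); (\"deny\", None) when no rule matches,
    which is the default-deny stance a host network's firewall should take."""
    for i, rule in enumerate(policy):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


if __name__ == "__main__":
    samples = [
        Packet("inbound",  "203.0.113.5",  "192.0.2.10",   443),  # remote user to web server
        Packet("inbound",  "203.0.113.5",  "192.0.2.10",   22),   # remote user without permission
        Packet("outbound", "192.0.2.20",   "198.51.100.7", 443),  # internal user to restricted site
        Packet("outbound", "192.0.2.20",   "203.0.113.80", 443),  # internal user browsing
        Packet("outbound", "192.0.2.20",   "203.0.113.80", 25),   # not covered: default deny
    ]
    for p in samples:
        print(p.direction, p.src, "->", p.dst, p.dport, decide(POLICY, p))
```

Two properties of the model carry over to real firewall configuration: a more specific deny placed before a broad allow is the only way to carve an exception out of that allow, and the unmatched case must be a deny, since a firewall that defaults to allow enforces nothing about traffic its author forgot to mention.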

LAWS GOVERNING PROTECTION OF INFORMATION


Laws have been developed that govern the handling of data & information in order to ensure that there is
‘right of privacy’ for all people.
The following rules must be observed in order to keep within the law when working with data and
information.
1. Data & information should be kept secure against loss or exposure.
2. Data & information should not be kept longer than necessary.
3. Data & information should be accurate and up-to-date.
4. Data & information should be collected, used & kept for specified lawful purposes (i.e., it should not be
used for unlawful gain).
5. The owner of the data has a right to know what data is held by the person or organization having it.
6. Data should not be transferred to other countries without the owner’s permission.
7. Do not collect irrelevant or excessive information for a given purpose.

COMPUTER SECURITY.
What is Computer security?
• Safeguarding the computer & the related equipment from the risk of damage or fraud.
• Protection of data & information against accidental or deliberate threats which might cause unauthorised
modification, disclosure, or destruction.
A computer system can only be claimed to be secure if precautions are taken to safeguard it against damage
or threats such as accidents, errors & omissions.
The security measures to be undertaken by the organization should be able to protect:
1. Computer hardware against damage.
2. Data, information & programs against accidental alteration or deletion.
3. Data & information against hazards.
4. The computer against unauthorised use.
5. Data, information & programs against piracy or unauthorised copying.
6. Data & programs used by the computer system against illegal or unauthorised modification.
7. Storage media, e.g., diskettes, tapes, etc., against accidental destruction.
8. Policies of the organization.
9. The system against accidental interruption of power supply or communication lines.
10. Confidential data or information against disclosure.
The measures should also ensure that both hardware & software have a longer life span.

Environmental threats to computers & Information systems.

Fire
Fire destroys data, information, software & hardware.
Security measures against fire:
• Use fire-proof cabinets & lockable metal boxes for floppy disks.
• Use of backups.
• Install firefighting equipment, e.g., fire extinguishers.
• Have some detectors.
• Training of fire-fighting officers.
• Observe safety procedures, e.g., avoid smoking in the computer rooms.
• Have well placed exit signs.
• Contingency plans

• Water, floods & moisture.
These cause rusting of the metallic components of the computer.
Security measures against water, floods & moisture:
• Set up computer rooms on higher grounds to avoid floods &humidity.
• Avoid installing computer components in the basement.
• There should be adequate drainage system.
• Use water-proof ceilings & floors.

• Lightning, electrical faults & electrical storms.
These cause power failures and surges that can damage hardware and destroy data which has not yet been written to
permanent storage devices.
Security measures:
• Install facilities to control power fluctuations, e.g., an Uninterruptible Power Supply (UPS).
• Use power stabilizers.
• Have standby power generators/sources.
• Have lightning arresters in the building.

• Excessive Heat or Temperature.
Excessive heat from the computer itself or from the surrounding environment can destroy computer storage media or
devices.
Security measures:
• There should be efficient ventilation system.
• Use a cooling system in the computer rooms, e.g., cooling fans & air conditioners.

• Computer virus attack.
A virus is a malicious program that copies itself into other programs or systems and spreads from computer to
computer, destroying data or causing the system to break down.
Security measures against computer virus:
• Make backup copies of software, and store the copies off-site.
• Restrict access to programs & data on a ‘need-to-use’ basis.
• Check all program files regularly for changes in size or checksum, as this could be a sign of virus infection.
• Be careful with ‘Shareware’ and ‘Freeware’ programs, as they are the major entry points for viruses.
• Make sure all purchased software is in its original sealed-disk containers.

• Smoke and Dust.
Dust and smoke particles settle on storage devices and media and may scratch them during read/write operations.
Security measures:
• Have dust mats or carpets to prevent entry of dust.
• Fit the computer room with special Curtains to reduce entry of dust particles.
• Cover the devices with Dust covers when cleaning the room.
• Remove shoes before entering the room to prevent dust.

• Terrorist attack.
The sources of such attacks include:
• Political terrorists,
• Criminal activity,
• Individuals with grudges, or
• People intending to cause general destruction.
Security measures:
• Hiring of security guards to control physical access to the building housing the computer room.
• Activities that can cause terrorism should be avoided, e.g., exploitation of workers.
• Have double door & monitoring devices.
• Use of policies.
• System auditing / use of log files.
• Use of passwords.
• Punitive measures.
• Encryption of data.
• Use of firewalls.
• Consult & co-operate with the Police and Fire authorities on potential risks.

People threats include:
• Accidental deletion of data, information or programs.
• Vandalism, i.e., theft or destruction of data, information or programs & hardware.
• Piracy of copyrighted data & software.

Security measures against Carelessness & Clumsiness:
• Better selection of personnel.
• Have a good office layout.
• Improve employee training and education.
• Limit access to data and computers.
• Regular backups.
• Use of Undelete & Unformat utilities.
Security measures against Vandalism:
• Should have a sensitive attitude to office behaviour.
• Tighten security measures, e.g., install alarm systems and burglar-proof doors, windows & roofs.
• Limit access to sensitive company information.
• Use Keyboard lock on terminals used by authorised users.
• Use of disk locks.
• Punitive measures

CAUSES OF DATA LOSS IN COMPUTERS


1. Power failure:
Momentary interruptions or fluctuations of electrical power may cause:
• Crashing of computers.
• Loss of data or information that had not been saved before the power disruption.
• Damage to the computer’s secondary storage media. This may result in loss of data & application software
stored on the media.
The main causes of power disruption are:
• Amplitude fluctuations,
• Power line noise,
• Low voltage sags,
• High voltage surges,
• Voltage outages,
• Voltage spikes,
• Waveform distortions,
• Power frequency variations.
Precautions against data loss due to Power failure:
1. Regular saving of documents.
Frequent saving of documents ensures that minimal data is lost in case of a power failure.
Some application packages have an AutoSave feature, which should be activated to automatically save work
after a specified time interval.
2. Use of Uninterruptible Power Supply (UPS).
To eliminate power quality defects or fluctuations, use power correction equipment such as a Stabilizer or an
Uninterruptible Power Supply (UPS). This equipment ensures a steady flow of input power to the computer
system.

2. Computer viruses:
A computer virus can destroy data files & programs on the computer by interfering with the normal processes of
the operating system and of the programs it infects.
Precautions against computer viruses:
1. Anti-virus software.
Use Antivirus software to detect & remove known viruses from infected files.
Some of the commonly used Antivirus software are: Dr. Solomon’s Toolkit, Norton Antivirus, AVG
Antivirus, PC-Cillin, etc
NB: The best way to prevent virus is to have a memory-resident antivirus software, which will detect the
virus before it can affect the system. This can be achieved by installing a GUARD program in the RAM
every time the computer boots up. Once in the RAM, the antivirus software will automatically check
diskettes inserted in the drives & warn the user immediately if a disk is found to have a virus.
• For an antivirus to be able to detect a virus, it must know its signature. Since virus writers keep writing new
viruses with new signatures all the time, it is recommended that you update your antivirus product regularly
so as to include the latest virus signatures in the industry.
• The Antivirus software installed in your computer should be enabled/activated at all times.
• You should also perform virus scans of your disks on a regular basis.
• Evaluate the security procedures to ensure that the risk of future virus attack is minimized.
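Two of the checks above, as an added example that is not part of the original notes: recording the size and SHA-256 hash of each program file so that a later change stands out, and scanning files for known byte-pattern signatures. The "virus" is a harmless constructed marker string, the signature database holds one made-up entry, and the files are created in a temporary directory. The second infected file carries a variant pattern that the database does not know, which is exactly why signature updates are needed.

```python
"""Added example: file-integrity baseline plus a signature scanner."""
import hashlib
import os
import tempfile

# Assumed signature database: name -> byte pattern (constructed and harmless).
SIGNATURES = {
    "DemoMarker.A": b"DEMO-MARKER-A",
}


def sha256_of(path):
    """Hash a file in chunks so large program files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(directory):
    """Record (size, sha256) for every file under directory, keyed by relative path."""
    result = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, directory).replace(os.sep, "/")
            result[rel] = (os.path.getsize(path), sha256_of(path))
    return result


def changed_files(directory, base):
    """Return files whose size or hash differs from the baseline, plus any new files."""
    now = baseline(directory)
    return sorted(rel for rel, entry in now.items() if base.get(rel) != entry)


def scan(directory, signatures):
    """Return {relative path: signature name} for files containing a known pattern."""
    hits = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                data = f.read()
            for sig_name, pattern in signatures.items():
                if pattern in data:
                    hits[os.path.relpath(path, directory).replace(os.sep, "/")] = sig_name
                    break
    return hits


def demo():
    """Build a small program directory, 'infect' two files, and run both checks."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("editor.exe", "calc.exe"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"clean program bytes for " + name.encode())
        base = baseline(d)

        # Infection 1: a known marker is appended, so the file grows and matches a signature.
        with open(os.path.join(d, "calc.exe"), "ab") as f:
            f.write(b"\n" + SIGNATURES["DemoMarker.A"])
        # Infection 2: a variant with a changed pattern; integrity check still catches it.
        with open(os.path.join(d, "editor.exe"), "ab") as f:
            f.write(b"\nDEMO-MARKER-B")

        return {
            "changed": changed_files(d, base),
            "signature_hits": scan(d, SIGNATURES),
        }


if __name__ == "__main__":
    print(demo())
```

The integrity baseline flags both modified files, while the signature scan only finds the one whose pattern is in the database. A real baseline must itself be stored where malware cannot rewrite it (read-only media or a separate host), otherwise an infection can simply update the recorded hashes.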

3. Accidental erasure:
Precautions against Accidental erasure:
1. Use of Undelete utilities.
Use the Undelete facilities in case you accidentally delete your files.
There are two Undelete facilities depending on the operating
system you are using.
• MS-DOS 6.0 Undelete facility:
To undelete at the DOS prompt, change to the drive & directory whose files were deleted, then type, e.g.,
C:\>UNDELETE <directory that contains the deleted file>
A list of all deleted files will be displayed with the first letter missing. Type in the first letter and the file will
be recovered.
• Norton utilities & PC Tools:
Norton utilities & PC Tools also have an undelete facility, which is similar to the DOS Undelete facility.
• Windows Recycle Bin:
The Recycle Bin temporarily stores all deleted files & can be used to recover your files.
1. Double-click the Recycle Bin on the desktop.
2. Click on the files you want to undelete.
3. Click on File, choose Restore.
The Recycle Bin will restore all selected files to their original folders and disks.
NB: If you delete a file accidentally, don’t copy any files or install any applications to the disk that contains
the deleted file. If you write anything to the disk, you might destroy parts of the deleted file, making it
unrecoverable.
2. Use of Unformat utilities.
MS-DOS 6.0 has an Unformat facility which can be used to recover information stored on disks that have
been accidentally formatted.
3. Use of Backups.
All data must be backed up periodically either on diskettes, tapes or CDs so that in case of any accidental
loss, the backed up copy can be used to recover the data.
For small files, use the Copy command to make a copy of the data on a diskette. For larger amounts of data,
use the Backup command to copy the data to several diskettes or to a tape drive.
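A backup is only useful if it can be restored intact, so the added example below (not code from the original notes) copies a directory to a backup location, writes a manifest of SHA-256 hashes alongside it, and later verifies the copy against that manifest, reporting files that are missing or corrupted. Source and backup locations are temporary directories created by the example; the file names and contents are constructed.

```python
"""Added example: backup with a hash manifest, and verification of the copy."""
import hashlib
import json
import os
import shutil
import tempfile


def file_hash(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_dir):
    """Copy every file under src_dir into backup_dir/data and write manifest.json."""
    manifest = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir).replace(os.sep, "/")
            dst = os.path.join(backup_dir, "data", *rel.split("/"))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)          # copy2 preserves timestamps as well as content
            manifest[rel] = file_hash(src)  # hash the original, not the copy
    with open(os.path.join(backup_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(backup_dir):
    """Return a list of (relative path, 'missing' | 'corrupt'); empty means the copy is intact."""
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    problems = []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(backup_dir, "data", *rel.split("/"))
        if not os.path.exists(path):
            problems.append((rel, "missing"))
        elif file_hash(path) != expected:
            problems.append((rel, "corrupt"))
    return problems


def write_text(path, text):
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Back up a constructed directory, then damage the copy and verify again."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as bk:
        os.makedirs(os.path.join(src, "reports"))
        write_text(os.path.join(src, "reports", "q1.txt"), "quarter one figures\n")
        write_text(os.path.join(src, "notes.txt"), "lecture notes\n")

        make_backup(src, bk)
        clean = verify_backup(bk)

        # Simulate damaged backup media: one copy altered, another lost.
        with open(os.path.join(bk, "data", "notes.txt"), "a") as f:
            f.write("x")
        os.remove(os.path.join(bk, "data", "reports", "q1.txt"))
        damaged = verify_backup(bk)
        return clean, damaged


if __name__ == "__main__":
    print(demo())
```

Verifying immediately after the copy catches a bad write; verifying again before a restore is needed catches media that has degraded since. Keep at least one verified copy off-site, as the notes recommend for fire.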
4. Crashing of hard disks:
When a hard disk crashes, the data or information on the disk cannot be accessed. The effect is the same as
formatting the hard disk.
Crashing of a hard disk can occur due to the following reasons:
1. Mishandling of the computer system, e.g.,
• Moving the system unit while the computer is on.
• Accumulation of dust.
2. Computer virus attack.
3. Physical damage to the system unit caused by dropping or banging when being moved.

Precautions against crashing of Hard disks:
1. Use of Backups.
All data must be backed up regularly. In addition, all application programs & operating system software
should also be kept safely so that in case of a complete system crash, everything can be reinstalled/restored.
2. Use of Recovery tools.
System tools such as Norton Utilities, PC Tools, QAPlus, etc. can be used to revive a disk that has crashed.

Unauthorised access:
Unauthorised access refers to access to data & information without permission.
Computer criminals can do the following harms:
• Steal large amounts of funds belonging to various companies by transferring them out of their computer
accounts illegally.
• Steal or destroy data & information from companies, bringing their operations to a standstill.
• Spread destruction from one computer to another using virus programs. This can cripple an entire network of
computers.
• Spread computer worm programs. A worm may do little visible harm at first, but as it replicates it consumes
memory, processing time and network bandwidth until the computer or network becomes almost useless.

Precautions against Unauthorised access:


1. Restrict physical access.
Physical access to computer systems should be restricted to ensure that no unauthorised person gets access to the
system. Some of the ways of restricting physical access include:
• Locking of doors.
• Use of personal identification cards.
• Use of fingerprint identification.
• Use of voice-recognition systems. They analyse a speaker's voice & check it against a database containing the
voice patterns of valid users.
2. Password protection.
Install a password to restrict access to the computer system. A Password is a secret code that can be used to
prevent unauthorised access of data in a computer. Passwords can be put in at various levels:
• At the point of switching on the computer – to restrict access to the computer
• On folders/directories – to restrict access to entire folders/directories.
• On files – to restrict access to individual files within a directory.
• On database systems – to restrict access to individual data elements.
When a valid password is entered, the user gets access to the computer system. Usually, the user is allowed three
(3) attempts to get the password correct. If an invalid password is entered, access is denied after the 3 attempts.
Some computer security systems may generate an alarm if someone tries to use a fake password.
NB: You should never use passwords that can easily be linked to you, e.g., your name, birth date, or names of
people close to you.
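The rules in this section, as an added example that is not part of the original notes: the stored secret is a salted, slow hash rather than the password itself; a password that can be linked to the user (name, birth date, names of people close to them) is rejected when it is set; and after three wrong guesses the account is locked and an alarm event is recorded, which stops an attacker who is simply trying words from a list. The user, the personal details and the guessed words are constructed for illustration.

```python
"""Added example: salted password hashing, a linkability check, and three-attempt lockout."""
import hashlib
import hmac
import os
import re

MAX_ATTEMPTS = 3          # the three attempts described in the notes
PBKDF2_ROUNDS = 100_000   # assumed work factor; raise it on faster hardware


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def _normalise(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())


def weak_password_reason(password, personal_terms):
    """Return why a password is unacceptable, or None if it passes.

    personal_terms: strings linked to the user (name, birth date, relatives' names)."""
    if len(password) < 12:
        return "too short"
    norm = _normalise(password)
    for term in personal_terms:
        t = _normalise(term)
        if len(t) >= 4 and t in norm:
            return f"contains personal term {term!r}"
    return None


class Account:
    def __init__(self, username, password, personal_terms):
        reason = weak_password_reason(password, personal_terms)
        if reason:
            raise ValueError(reason)
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.failed = 0
        self.locked = False
        self.alarms = []


def login(account, attempt):
    """Return 'ok', 'denied' or 'locked'; locks the account after MAX_ATTEMPTS failures."""
    if account.locked:
        return "locked"
    _, digest = hash_password(attempt, account.salt)
    if hmac.compare_digest(digest, account.digest):   # constant-time comparison
        account.failed = 0
        return "ok"
    account.failed += 1
    if account.failed >= MAX_ATTEMPTS:
        account.locked = True
        account.alarms.append(f"lockout: {account.username} after {MAX_ATTEMPTS} failed attempts")
        return "locked"
    return "denied"


def demo():
    personal = ["Martha", "1990-04-12", "Were"]  # constructed personal details
    rejected = weak_password_reason("Martha1990-04-12!", personal)
    acct = Account("martha", "correct horse battery staple 7", personal)
    guesses = ["password", "letmein", "qwerty123", "correct horse battery staple 7"]
    results = [login(acct, g) for g in guesses]   # the correct password comes too late
    return rejected, results, acct.alarms


if __name__ == "__main__":
    print(demo())
```

The lockout defeats online guessing but not an attacker who has stolen the hash database; the salt and the PBKDF2 work factor are what slow that offline attack down. Operationally, a permanent lockout also lets an attacker deny service to a user on purpose, so real systems usually lock for a time window and alert rather than lock forever.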

Introduction to Cyber Security


What is cyber security?
"Cyber security is primarily about people, processes, and technologies working together to
encompass the full range of threat reduction, vulnerability reduction, deterrence, international
engagement, incident response, resiliency, and recovery policies and activities, including
computer network operations, information assurance, law enforcement, etc."
OR
Cyber security is the body of technologies, processes, and practices designed to protect
networks, computers, programs and data from attack, damage or unauthorized access
OR
Cyber security is the protection of Internet-connected systems, including hardware, software,
and data from cyber attacks.

Types of Cyber Attacks


A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to
alter computer code, logic or data and lead to cybercrimes, such as information and identity
theft.
Cyber-attacks can be classified into the following categories:
1) Web-based attacks
2) System-based attacks
Web-based attacks
These are the attacks which occur on a website or web applications. Some of the important
web-based attacks are as follows-
1. Injection attacks
An injection attack supplies crafted data to a web application so that the application passes it on to an
interpreter (a database, a command shell, an XML parser, a log system) where it is treated as code or commands
rather than as plain data, allowing the attacker to manipulate the application and fetch or alter information.
Example- SQL Injection, code Injection, log Injection, XML Injection etc.
2. DNS Spoofing
DNS spoofing (cache poisoning) is an attack in which forged data is introduced into a DNS resolver's cache,
causing the resolver to return an incorrect IP address and so divert traffic to the attacker's computer or any
other computer. DNS spoofing attacks can go on for a long period of time without being detected and can cause
serious security issues.
3. Session Hijacking
Session hijacking is an attack on a user's session with a web application. Web applications issue cookies
(session identifiers) to keep track of logged-in users; by stealing the session cookie, an attacker can
impersonate the user and access all of the user's data without ever knowing the password.
4. Phishing
Phishing is a type of attack which attempts to steal sensitive information like user login
credentials and credit card number. It occurs when an attacker is masquerading as a
trustworthy entity in electronic communication.
5. Brute force
A brute-force attack uses trial and error. It generates a large number of guesses and checks each one in order
to recover a secret such as a user password or personal identification number. This attack may be used by
criminals to crack passwords or encrypted data, or by security analysts to test the strength of an
organization's authentication.
6. Denial of Service
A denial-of-service (DoS) attack is meant to make a server or network resource unavailable to its users. It
accomplishes this by flooding the target with traffic or by sending it information that triggers a crash. A plain
DoS attack uses a single system and a single internet connection; a distributed denial-of-service (DDoS) attack
uses many compromised systems at once. DoS attacks can be classified into the following:
Volume-based attacks- Their goal is to saturate the bandwidth of the attacked site; they are measured in bits per
second.
Protocol attacks- These consume actual server or network-equipment resources (e.g., connection state tables);
they are measured in packets per second.
Application layer attacks- Their goal is to exhaust or crash the web server; they are measured in requests per
second.
7. Dictionary attacks
A dictionary attack tries each entry of a stored list of commonly used passwords (and simple variations of them)
against the target until the original password is found. It is faster than a full brute-force search because
most users choose predictable passwords.
8. URL Interpretation
In a URL interpretation (URL manipulation) attack, the attacker changes certain parts of a URL, such as a path
segment or a query parameter, to make the web server deliver pages or data that the attacker is not authorized
to browse.
9. File Inclusion attacks
A file inclusion attack abuses the include functionality of a web application either to read unauthorized or
sensitive files available on the web server (local file inclusion) or to make the server fetch and execute a
malicious file (remote file inclusion).
10. Man in the middle attacks
A man-in-the-middle attack allows an attacker to intercept the connection between a client and a server and act
as a relay between them. The attacker can then read, insert and modify the data in the intercepted connection.
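The first of the web-based attacks above, SQL injection, as an added example that is not code from the original notes. It runs entirely in an in-memory SQLite database with three constructed rows. The vulnerable function pastes the user-supplied name into the query text, so an input such as ' OR '1'='1 rewrites the WHERE clause to match every row; the safe version passes the value as a bound parameter, so the same input is compared literally and matches nothing. The table and column names are assumptions for the example.

```python
"""Added example: SQL injection through string-built queries, and the parameterised fix."""
import sqlite3


def make_db():
    """Create an in-memory database with a few constructed account rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, balance) VALUES (?, ?)",
        [("alice", 120), ("bob", 45), ("carol", 900)],
    )
    return conn


def lookup_vulnerable(conn, username):
    # BAD (kept deliberately vulnerable): the input becomes part of the SQL text,
    # so quotes and keywords inside it are interpreted by the database.
    sql = (
        "SELECT username, balance FROM accounts WHERE username = '"
        + username
        + "' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # GOOD: the value is bound as a parameter; the driver never parses it as SQL.
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ? ORDER BY id",
        (username,),
    ).fetchall()


def demo():
    conn = make_db()
    payload = "' OR '1'='1"   # classic tautology payload
    return {
        "normal": lookup_safe(conn, "alice"),
        "vulnerable_with_payload": lookup_vulnerable(conn, payload),
        "safe_with_payload": lookup_safe(conn, payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The same fix applies to every SQL database driver: the query text and the data travel separately, so the structure of the statement cannot be changed by the data. Input validation (allow-listing the characters a username may contain) is a useful second layer, but it is not a substitute for parameter binding.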
System-based attacks
These are the attacks which are intended to compromise a computer or a computer network.
Some of the important system-based attacks are as follows-
1. Virus
A virus is a malicious program that attaches itself to other programs or files without the knowledge of the
user. It is self-replicating: when an infected program is executed, the virus inserts copies of itself into other
programs. It can also carry a payload of instructions that cause harm to the system.
2. Worm
A worm is malware whose primary function is to replicate itself in order to spread to uninfected computers.
Unlike a virus, a worm does not need to attach itself to a host program; it spreads on its own, typically over
the network. Worms often arrive as email attachments that appear to be from trusted senders.
3. Trojan horse
A Trojan horse is a malicious program that misleads the user about its true intent. It appears to be a normal
application, but when opened/executed it runs malicious code in the background. Symptoms include unexpected
changes to computer settings and unusual activity even when the computer should be idle.
4. Backdoors
It is a method that bypasses the normal authentication process. A developer may create a
backdoor so that an application or operating system can be accessed for troubleshooting or
other purposes.
5. Bots
A bot (short for "robot") is an automated process that interacts with other network services.
Some bot programs run automatically, while others only execute commands when they receive specific input.
Common examples of bots are web crawlers, chatroom bots, and malicious bots.

The 7 layers of cyber security should centre on the mission critical assets you are seeking to
protect.
1: Mission Critical Assets – This is the data you need to protect
2: Data Security – Data security controls protect the storage and transfer of data.
3: Application Security – Applications security controls protect access to an application, an
application’s access to your mission critical assets, and the internal security of the
application.
4: Endpoint Security – Endpoint security controls protect the connection between devices and
the network.
5: Network Security – Network security controls protect an organization’s network and
prevent unauthorized access of the network.
6: Perimeter Security – Perimeter security controls include both the physical and digital
security methodologies that protect the business overall.
7: The Human Layer – Humans are the weakest link in any cyber security posture. Human
security controls include phishing simulations and access management controls that protect
mission critical assets from a wide variety of human threats, including cyber criminals,
malicious insiders, and negligent users.

Constraints to computer security


Security constraints are the additional restrictions placed upon the system operating conditions that either
simplify or complicate the fulfilment of security objectives. They represent challenges or limitations that
organizations may face when trying to establish and maintain a secure computing environment.
1. Cost
Explanation:
Implementing robust cybersecurity measures often involves significant financial investments. This includes
expenses related to acquiring and maintaining security software, hardware, conducting regular security audits,
and employing skilled personnel to manage and monitor security systems.
Small and medium-sized enterprises (SMEs) or organizations with limited budgets may find it challenging to
allocate sufficient funds for comprehensive cybersecurity measures.
Impact:
Limited financial resources may result in the adoption of less effective security solutions, outdated software, or
inadequate training for personnel. This, in turn, increases the organization's vulnerability to security breaches.
Mitigation:
 Prioritize security investments based on risk assessments and critical assets.
 Explore cost-effective security solutions and open-source alternatives.
 Consider cybersecurity insurance to manage potential financial losses.

2. User responsibility

Explanation:
Users play a critical role in maintaining security by following best practices, such as creating strong passwords,
not sharing credentials, and being cautious about phishing attempts. However, user negligence or lack of
awareness can pose significant security risks.
Users may unintentionally compromise security through actions like clicking on malicious links, downloading
infected files, or using weak passwords.
Impact:
Even with advanced security measures in place, a single careless or uninformed user action can lead to security
breaches. Education and training programs are essential to improve user awareness and responsibility.
Mitigation:
 Conduct regular security awareness training for users.
 Implement strong authentication mechanisms and enforce password policies.
 Foster a security-conscious culture within the organization.

3. Integration challenges
Explanation:
Many organizations use a variety of hardware, software, and services from different vendors. Ensuring seamless
integration and compatibility among these diverse components can be challenging.
Integration difficulties may arise when trying to implement a unified security framework that covers various
platforms and technologies.
Impact:
Incomplete integration may result in security gaps or blind spots. It could hinder the organization's ability to
detect and respond to security incidents across its entire technology landscape.
Mitigation:
 Choose security solutions that are designed for interoperability.
 Implement a comprehensive security architecture that can adapt to diverse technologies.
 Regularly update and patch systems to ensure compatibility.

4. Inadequate Assessment
Explanation:
Regular assessments and audits are crucial for identifying vulnerabilities and weaknesses in an organization's
security infrastructure. Inadequate or infrequent assessments can result in a lack of awareness about potential
risks.
Organizations may underestimate the evolving nature of cyber threats and fail to keep their security measures up
to date.
Impact:
Without proper assessments, organizations may not be aware of vulnerabilities until after a security incident
occurs. This can lead to unauthorized access, data breaches, or disruptions to services.
Mitigation:
 Conduct regular security assessments and penetration testing.
 Stay informed about the latest cybersecurity threats and vulnerabilities.
 Implement a continuous monitoring and incident response program.

TOPIC 2: ESTABLISH AND INSTALL SECURITY MEASURES


CONTENT:
 Definition of security risk management
 Benefits of Risk management
 Risk management procedures
 Risk assessment
 Risk mitigation
 Uncertainty analysis
 Interdependencies
 cost considerations
 Benefits of security measures
 Types of Security measures
 Firewalls
 User accounts control
 Security policies
 Antivirus
 Encryption
 Secure Socket Layer protocol (SSL)
 Multi-factor authentication
 Malware detection
 Site monitoring
 Daily or weekly backups

 Application of security measures

Definition of security risk management


Risk is the possibility of something adverse happening.
Security risk management is any process of identifying, measuring, and mitigating potential loss of
information security to reduce the expectation of such loss to a level acceptable to the organization
Risk is determined by considering the likelihood that known threats will exploit vulnerabilities and the impact
they have on valuable assets.

Benefits of Risk management


1: Improved compliance
It helps organizations meet regulatory requirements and avoid fines and penalties.
Many industries have specific security regulations that organizations must follow, and an effective security risk
management strategy ensures that these regulations are being met.
2: Reduced risk of data breaches and cyber attacks
Cyber threats are an ever-present risk for businesses, and an effective security risk management strategy helps
protect against these threats.
This includes measures such as regular security assessments, employee training on cybersecurity best practices,
and the implementation of strong password policies and two-factor authentication.
3: Improved customer trust and confidence
Customers are more likely to trust and do business with organizations that have a strong security risk
management strategy in place. By demonstrating a commitment to security, businesses can build trust with their
customers and reduce the risk of losing them due to security concerns.
4: Improved reputation
A security breach can have a devastating impact on an organization’s reputation. By implementing an effective
security risk management strategy, businesses can minimize the risk of a breach and protect their reputation.
5: Increased efficiency
A well-designed security risk management strategy can streamline processes and improve efficiency within an
organization. By identifying and eliminating potential security risks, businesses can reduce the amount of time
and resources spent on addressing these issues.
6: Improved risk assessment and decision-making
An effective security risk management strategy helps organizations assess and prioritize risks, allowing them to
make more informed decisions about which risks to address first. This helps organizations allocate their
resources more effectively and ensure that they are addressing the most pressing security risks.
7: Improved ability to adapt and respond to change
A dynamic security risk management strategy helps organizations be more agile and responsive to changing
threats and circumstances.

Risk management procedures


Security risk management procedures are essential for organizations to identify, assess, and mitigate potential
risks to their assets, operations, and reputation. These procedures involve a systematic approach to understanding
and addressing security threats effectively.
1. Risk Assessment:
Risk assessment is a systematic process of identifying threats and vulnerabilities, evaluating the risks they
pose to the organization's assets, and then implementing reasonable control measures to remove or reduce them.
 Identification of Risks: This involves systematically identifying potential risks that could impact the
organization's objectives, projects, or operations. It includes analyzing internal and external factors that
may contribute to risk.
 Risk Analysis: Once risks are identified, they need to be analyzed to understand their potential impact
and likelihood of occurrence. This may involve qualitative or quantitative methods or a combination of
both.
 Prioritization of Risks: Not all risks are equally significant. Prioritizing risks based on their potential
impact and likelihood allows organizations to focus resources on addressing the most critical threats first.
2. Risk Mitigation:
Risk mitigation is the practice of reducing the impact of potential risks by developing a plan to manage,
eliminate, or limit setbacks as much as possible.
 Risk Reduction Strategies: After identifying and assessing risks, organizations implement measures to
reduce the likelihood or impact of identified risks. This may involve implementing controls, procedures,
or safeguards to mitigate the risk.
 Risk Transfer: In some cases, organizations may transfer the risk to third parties through insurance or
contractual agreements. This shifts the financial burden of the risk to another party.
 Risk Acceptance: Some risks may be deemed acceptable if the cost of mitigation outweighs the potential
impact of the risk. In such cases, organizations may choose to accept the risk and monitor it over time.
3. Uncertainty Analysis:
 Scenario Planning: Uncertainty analysis involves exploring different scenarios and their potential
outcomes. This allows organizations to better understand the range of possible outcomes and prepare
accordingly.
 Sensitivity Analysis: Sensitivity analysis helps identify how changes in certain variables or assumptions
may impact the overall risk profile. This allows organizations to focus on the most critical factors
affecting risk.
 Monte Carlo Simulation: Monte Carlo simulation is a technique used to model the uncertainty in risk
analysis. It involves running multiple simulations to estimate the range of possible outcomes and their
probabilities.
4. Interdependencies:
 Identifying Interdependencies: Organizations need to identify and understand the interdependencies
between different risks and activities. This includes understanding how changes in one area may impact
other areas of the organization.
 Managing Interdependencies: Managing interdependencies involves coordinating efforts across
different departments or functions to address interconnected risks effectively. This may require
collaboration and communication between various stakeholders.
5. Cost Considerations:
 Cost-Benefit Analysis: Cost considerations are essential in risk management to ensure that resources are
allocated efficiently. Organizations conduct cost-benefit analysis to evaluate the costs of risk mitigation
measures against the potential benefits.
 Budgeting and Resource Allocation: Organizations need to allocate sufficient resources to manage risks
effectively. This includes budgeting for risk management activities and ensuring that resources are
available to implement mitigation strategies.
 Return on Investment (ROI): Assessing the ROI of risk management activities helps organizations
prioritize investments and demonstrate the value of risk management to stakeholders.
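The assessment, prioritisation and cost considerations above, carried through in one added example that is not part of the original notes. Each risk is scored as likelihood x impact on an assumed 1 to 5 scale and ranked; then, for the treatment decision, the expected annual loss is compared with the annual cost of the proposed control: mitigate when the control removes more expected loss than it costs, otherwise transfer the risk if it is insurable, and accept it if not. The risks, figures, frequency mapping and thresholds are all constructed for illustration.

```python
"""Added example: a small risk register with scoring, ranking and cost-based treatment."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int           # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int               # 1 (negligible) .. 5 (severe); assumed scale
    loss_if_realised: float   # estimated loss per occurrence, in currency units
    control_cost: float       # annual cost of the proposed mitigation
    reduction: float          # fraction of expected loss the control removes (0..1)
    insurable: bool = False   # whether the risk can be transferred by insurance


# Assumed mapping from likelihood score to expected occurrences per year.
OCCURRENCES_PER_YEAR = {1: 0.05, 2: 0.2, 3: 0.5, 4: 1.0, 5: 3.0}


def score(risk):
    """Qualitative priority: likelihood x impact."""
    return risk.likelihood * risk.impact


def expected_annual_loss(risk):
    """Quantitative view: how much this risk is expected to cost per year if untreated."""
    return OCCURRENCES_PER_YEAR[risk.likelihood] * risk.loss_if_realised


def treatment(risk):
    """Choose mitigate / transfer / accept by comparing control cost with the loss it avoids."""
    benefit = expected_annual_loss(risk) * risk.reduction
    if benefit > risk.control_cost:
        return "mitigate"
    if risk.insurable:
        return "transfer"
    return "accept"


def prioritise(risks):
    """Return (name, score, treatment) tuples, highest-priority risk first."""
    ranked = sorted(risks, key=score, reverse=True)
    return [(r.name, score(r), treatment(r)) for r in ranked]


# Constructed register for the example.
REGISTER = [
    Risk("Ransomware on file server", 3, 5, 200_000, 15_000, 0.8),
    Risk("Phishing of finance staff", 4, 4, 50_000, 8_000, 0.6, insurable=True),
    Risk("Power failure in server room", 4, 2, 5_000, 20_000, 0.9),
    Risk("Flooding of basement store", 1, 4, 80_000, 60_000, 0.95, insurable=True),
]


if __name__ == "__main__":
    for name, s, t in prioritise(REGISTER):
        print(f"{s:>2}  {t:<8}  {name}")
```

Note how the two views can disagree: the power-failure risk scores high on likelihood but its expected loss is small, so spending 20,000 a year on a generator is not justified by this register and the risk is accepted; the flood risk scores low but is expensive when it happens, so insurance is the cheaper treatment. Both the frequency mapping and the loss estimates are the inputs a real assessment has to defend.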

Key components of security risk management procedures:


Risk Identification: This involves identifying potential threats, vulnerabilities, and assets within the
organization. It includes conducting thorough assessments of physical assets, information systems, data,
personnel, and processes to pinpoint potential risks.
Risk Assessment: Once risks are identified, they need to be assessed to determine their potential impact and
likelihood of occurrence. This step often involves qualitative and quantitative analysis to prioritize risks based on
their severity and potential consequences.
Risk Mitigation: After assessing risks, strategies and controls are implemented to reduce or eliminate the
identified risks. This may involve implementing security measures such as encryption, access controls, firewalls,
and physical security protocols.
Risk Monitoring and Review: Risk management is an ongoing process that requires constant monitoring and
review. Organizations need to continuously monitor their systems and processes for new risks, as well as assess
the effectiveness of existing controls. Regular audits and reviews help ensure that risk management procedures
remain up to date and effective.
Incident Response Planning: Despite preventive measures, security incidents may still occur. Therefore,
organizations should have robust incident response plans in place to address and mitigate the impact of security
breaches promptly. These plans outline procedures for detecting, responding to, and recovering from security
incidents.
Compliance and Regulations: Organizations must ensure that their security risk management procedures
comply with relevant laws, regulations, and industry standards. This includes regulations such as GDPR,
HIPAA, PCI DSS, and others, depending on the industry and geographical location of the organization.
Employee Training and Awareness: Employees are often the weakest link in an organization's security
posture. Comprehensive training programs should be implemented to educate employees about security risks,
best practices, and their roles and responsibilities in maintaining a secure environment.
Vendor Risk Management: Many organizations rely on third-party vendors and suppliers for various products
and services. It's essential to assess the security posture of these vendors and ensure that they adhere to similar
security standards and practices to mitigate third-party risks.
Business Continuity Planning: Security incidents can disrupt operations and have significant financial and
reputational consequences. Therefore, organizations should have business continuity plans in place to ensure the
continuity of critical operations during and after a security incident.
Executive Oversight and Governance: Senior management should provide oversight and support for security
risk management initiatives. This includes allocating resources, setting priorities, and ensuring that security risk
management aligns with the organization's overall business objectives.

Benefits of security measures


 Protection of Assets: Security measures safeguard valuable assets such as physical property, data,
intellectual property, and financial resources from theft, damage, or unauthorized access.
 Risk Reduction: By identifying and addressing potential security threats, organizations can reduce the
likelihood and impact of security incidents, minimizing financial losses, legal liabilities, and damage to
reputation.
 Compliance with Regulations: Many industries have regulatory requirements for security and privacy,
such as GDPR, HIPAA, PCI DSS, etc. Implementing security measures ensures compliance with these
regulations, avoiding penalties and legal consequences.
 Customer Trust and Confidence: Strong security measures demonstrate a commitment to protecting
customer data and privacy. This fosters trust and confidence among customers, leading to increased
loyalty and positive brand reputation.
 Business Continuity: Security measures help ensure the continuity of business operations by preventing
or minimizing disruptions caused by security incidents, natural disasters, or other emergencies.
 Competitive Advantage: A reputation for robust security practices can give organizations a competitive
edge in the marketplace. Customers and partners are more likely to choose a business they trust with their
sensitive information.
 Employee Productivity and Morale: A secure work environment promotes employee productivity by
minimizing distractions and concerns about security threats. It also boosts morale by demonstrating a
commitment to employee safety and well-being.
 Detection and Response to Incidents: Security measures include monitoring systems and incident
response plans, enabling organizations to detect security breaches quickly and respond effectively to
mitigate damage.
 Cost Savings: While implementing security measures incurs initial investment, it can lead to long-term
cost savings by preventing costly security breaches, regulatory fines, legal fees, and damage control
expenses.
 Protection Against Reputation Damage: Security incidents, such as data breaches or cyberattacks, can
severely damage an organization's reputation. Strong security measures help protect against these risks,
preserving trust and credibility with stakeholders.
 Adaptability and Resilience: In today's rapidly evolving threat landscape, organizations need to
continuously adapt their security measures to address emerging risks. Implementing flexible and scalable
security solutions ensures resilience against evolving threats.
 Strategic Decision-Making: Security measures provide valuable insights into potential risks and
vulnerabilities within an organization. This information enables informed decision-making and strategic
planning to mitigate risks effectively.
Types of Security measures
1. Use strong passwords
Strong passwords are vital to good online security. Make your password difficult to guess by:
 using a combination of capital and lower-case letters, numbers and symbols
 making it between eight and 12 characters long
 avoiding the use of personal data
 changing it regularly
 never using it for multiple accounts
 using two-factor authentication
Create a password policy for your business to help staff follow security best practices. Look into different
technology solutions to enforce your password policy, e.g. scheduled password reset.
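The rules above can be enforced mechanically at the point where a user sets a password. The following is an added example in Python, not code from the original notes; it assumes a 90-day interval as the meaning of "changing it regularly", that the caller supplies the user's personal data (name, birth year) as strings, and that the account's password history is kept as salted PBKDF2 hashes rather than clear text.

```python
"""Enforce the password rules listed above at the point where a password is set.

Added example, not from the original notes.  Assumptions: a 90-day rotation
interval stands in for "changing it regularly", the caller supplies the
user's personal data (name, birth year, ...) as plain strings, and the
password history holds salted PBKDF2-SHA256 hashes rather than clear text.
"""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LEN, MAX_LEN = 8, 12      # "between eight and 12 characters long"
MAX_AGE_DAYS = 90             # assumed interpretation of "changing it regularly"
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the history never stores a recoverable password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def check_password(password: str, personal_data=(), history=()) -> list[str]:
    """Return the policy violations for a candidate password (empty list = accepted).

    personal_data: strings that must not appear in the password (name, DOB, ...).
    history: (salt, digest) pairs of this account's previous passwords.
    """
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    required = [
        ("an upper-case letter", any(c.isupper() for c in password)),
        ("a lower-case letter", any(c.islower() for c in password)),
        ("a digit", any(c.isdigit() for c in password)),
        ("a symbol", any(c in string.punctuation for c in password)),
    ]
    for name, present in required:
        if not present:
            problems.append(f"must contain {name}")
    lowered = password.lower()
    for item in personal_data:
        if item and item.lower() in lowered:
            problems.append(f"contains personal data ({item!r})")
    # Compare against every stored hash using a constant-time comparison.
    if any(hmac.compare_digest(_hash(password, salt), digest) for salt, digest in history):
        problems.append("password was used before on this account")
    return problems


def record_password(password: str, history: list) -> None:
    """Store a fresh salt and hash for an accepted password so reuse can be detected."""
    salt = os.urandom(16)
    history.append((salt, _hash(password, salt)))


def rotation_due(last_changed: str, today: str, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when a password set on last_changed (ISO date) is older than the limit on today."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample data for one user account.
    personal = ["martha", "1990"]
    history = []
    for candidate in ["martha1990", "Tr0ub4d0r!", "Tr0ub4d0r!"]:
        problems = check_password(candidate, personal, history)
        print(candidate, "->", "accepted" if not problems else "; ".join(problems))
        if not problems:
            record_password(candidate, history)
    print("rotation due:", rotation_due("2024-01-01", "2024-06-01"))
```

The "never using it for multiple accounts" rule cannot be verified by a single system, since it would require comparing against other services' secrets; the history check only catches reuse on the same account.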
2. Firewalls:
 Network Firewalls: Network firewalls monitor and control incoming and outgoing network traffic based
on predetermined security rules. They act as a barrier between trusted internal networks and untrusted
external networks, such as the internet.
 Host-based Firewalls: Host-based firewalls operate at the individual device level, filtering traffic based
on rules specific to that device. They provide an additional layer of protection against unauthorized
access and malicious activities.
3. User Accounts Control:
 Access Control Lists (ACLs): ACLs limit access to resources based on user identities, roles, or
permissions. They ensure that only authorized users can access sensitive information or perform specific
actions.
 User Authentication: User authentication mechanisms such as passwords, biometrics, or security tokens
verify the identity of users before granting access to systems or data.
4. Security Policies:
 Acceptable Use Policies (AUP): AUPs define acceptable behaviors and actions regarding the use of the
organization's resources, systems, and networks.
 Data Protection Policies: Data protection policies outline rules and procedures for handling and
safeguarding sensitive information, including data classification, encryption requirements, and data
retention policies.
5. Antivirus:
 Signature-Based Antivirus: Signature-based antivirus software detects and blocks known malware by
comparing file signatures against a database of known threats.
 Behavior-Based Antivirus: Behavior-based antivirus monitors system behavior for suspicious activities
or patterns indicative of malware, providing proactive protection against zero-day threats.
6. Encryption:
 Data Encryption: Data encryption scrambles data into unreadable ciphertext, which can only be decrypted
with the appropriate encryption key. It protects sensitive information from unauthorized access during
storage, transmission, and processing.
 Disk Encryption: Disk encryption encrypts entire disks or partitions, ensuring that data remains protected
even if physical storage devices are lost or stolen.
7. Secure Sockets Layer Protocol (SSL):
 SSL/TLS Certificates: SSL/TLS certificates authenticate the identity of websites and encrypt data
transmitted between web servers and clients, ensuring secure communication over the internet.
 HTTPS: HTTPS (Hypertext Transfer Protocol Secure) uses SSL/TLS encryption to secure web browsing
sessions, protecting sensitive information such as login credentials, credit card numbers, and personal
data.
8. Multi-Factor Authentication (MFA):
 Two-Factor Authentication (2FA): 2FA requires users to provide two different authentication factors,
such as a password and a one-time code sent to a mobile device, before granting access.
 Biometric Authentication: Biometric authentication uses unique biological traits such as fingerprints,
facial recognition, or iris scans to verify the identity of users.
9. Malware Detection:
 Antimalware Software: Antimalware software detects, blocks, and removes various types of malicious
software, including viruses, worms, Trojans, and ransomware.
 Heuristic Analysis: Heuristic analysis identifies potentially malicious behavior or characteristics of files
or processes that may indicate the presence of previously unknown malware.
10. Site Monitoring:
 Intrusion Detection Systems (IDS): IDS monitor network traffic for signs of suspicious activity or
security breaches, generating alerts or taking automated actions to mitigate threats.
 Security Information and Event Management (SIEM): SIEM solutions aggregate and analyze security
event data from various sources to detect and respond to security incidents in real-time.
11. Daily or Weekly Backups:
 Data Backup: Regular data backups ensure that critical data is copied and stored in a separate location,
protecting against data loss due to hardware failures, accidental deletions, or security breaches.
 Offsite Backup: Offsite backups are stored in geographically separate locations from the primary data
center, providing redundancy and resilience against natural disasters or physical damage.

Application of security measures


Security measures are crucial across various domains and applications to protect assets, data, and individuals
from various threats and vulnerabilities.
Common applications of security measures:
Information Technology (IT) and Cybersecurity:
 Network Security: Implementing firewalls, intrusion detection systems, and encryption protocols to
protect networks from unauthorized access, data breaches, and cyberattacks.
 Endpoint Security: Deploying antivirus software, host-based firewalls, and endpoint detection and
response (EDR) solutions to secure individual devices such as computers, laptops, smartphones, and
tablets.
 Cloud Security: Utilizing cloud security solutions and best practices to protect data, applications, and
infrastructure hosted in cloud environments from unauthorized access, data leaks, and service disruptions.
 Web Application Security: Implementing secure coding practices, web application firewalls (WAFs), and
vulnerability scanning tools to protect web applications from common security threats such as SQL
injection, cross-site scripting (XSS), and CSRF attacks.
 Identity and Access Management (IAM): Implementing multi-factor authentication (MFA), single sign-
on (SSO), and identity governance solutions to manage user access and permissions across IT systems
and applications.
Physical Security:
 Access Control: Installing access control systems, such as keycards, biometric scanners, and turnstiles, to
regulate entry to buildings, rooms, and restricted areas.
 Surveillance Systems: Deploying video surveillance cameras, motion sensors, and alarms to monitor and
deter unauthorized activities, vandalism, and theft.
 Perimeter Security: Erecting barriers, fences, and bollards to secure the perimeter of facilities and prevent
unauthorized access.
 Intrusion Detection and Alarm Systems: Installing intrusion detection systems (IDS) and alarm systems
to detect and alert security personnel to unauthorized entry or security breaches.
Data Security and Privacy:
 Data Encryption: Encrypting sensitive data at rest, in transit, and during processing to protect it from
unauthorized access and interception.
 Data Loss Prevention (DLP): Implementing DLP solutions to monitor, detect, and prevent the
unauthorized transmission or sharing of sensitive data.
 Privacy Controls: Implementing privacy-enhancing technologies and practices to comply with data
protection regulations and safeguard individuals' personal information.
Business Continuity and Disaster Recovery:
 Backup and Recovery: Regularly backing up critical data and systems and implementing disaster
recovery plans to ensure business continuity in the event of natural disasters, cyberattacks, or other
emergencies.
 Redundancy and Failover: Deploying redundant systems, failover mechanisms, and high availability
architectures to minimize downtime and maintain service continuity during disruptions.
Industrial Control Systems (ICS) and Operational Technology (OT):
 SCADA Security: Securing supervisory control and data acquisition (SCADA) systems and industrial
control networks from cyber threats to prevent disruptions to critical infrastructure and industrial
processes.
 ICS Security: Implementing security controls and best practices to protect operational technology (OT)
assets such as manufacturing equipment, utilities, and transportation systems from cyberattacks and
unauthorized access.

TOPIC 3: DEPLOY SECURITY MEASURES


Topic content:
 Implement security measures contained in the ICT security policy
 Apply physical and logical risk mitigation measures
 Take corrective action
 Security audit to identify security gaps
 Generate system audit report

Implement security measures contained in the ICT security policy


ICT security policy and how to implement the security measures contained in the policies:
Implementing Security Measures:
Implementing security measures contained in an ICT (Information and Communications Technology) security
policy involves a series of steps to ensure that the policies are effectively put into practice to protect an
organization's digital assets.
General guideline on how to implement security measures outlined in an ICT security policy:
 Review the Policy: Start by thoroughly reviewing the ICT security policy to understand its objectives,
scope, and specific security measures recommended or mandated.
 Risk Assessment: Conduct a comprehensive risk assessment to identify potential threats, vulnerabilities,
and risks to the organization's ICT infrastructure and assets. This will help prioritize security measures
based on the level of risk they mitigate.
 Security Controls Selection: Based on the risk assessment, select appropriate security controls or
measures from the ICT security policy that address identified risks effectively.
 Security Awareness Training: Educate all employees and relevant stakeholders about the ICT security
policy, their roles and responsibilities in maintaining security, and the importance of adhering to security
measures.
 Access Control: Implement access controls such as user authentication mechanisms, role-based access
controls (RBAC), and least privilege principles to ensure that only authorized personnel have access to
sensitive information and systems.
 Data Encryption: Implement encryption mechanisms to protect data both in transit and at rest. This
includes using secure protocols for communication and encrypting stored data using strong encryption
algorithms.
 Patch Management: Establish procedures for timely patch management to ensure that all software and
systems are up-to-date with the latest security patches and updates, reducing the risk of exploitation of
known vulnerabilities.
 Incident Response Plan: Develop and implement an incident response plan that outlines procedures for
detecting, responding to, and recovering from security incidents such as breaches or cyberattacks.
 Monitoring and Logging: Deploy monitoring tools and establish logging mechanisms to continuously
monitor ICT infrastructure for suspicious activities, unauthorized access attempts, or security policy
violations.
 Regular Audits and Assessments: Conduct regular security audits and assessments to evaluate the
effectiveness of implemented security measures, identify any gaps or weaknesses, and make necessary
improvements.
 Vendor Management: Ensure that third-party vendors and service providers adhere to the organization's
ICT security policies and standards through contractual agreements and regular security assessments.
 Continuous Improvement: Establish a culture of continuous improvement by regularly reviewing and
updating the ICT security policy and implementing lessons learned from security incidents or emerging
threats.
 Compliance: Ensure compliance with relevant laws, regulations, and industry standards related to ICT
security, such as GDPR, HIPAA, ISO 27001, etc.
 Executive Support and Oversight: Obtain support and commitment from senior management to allocate
resources, prioritize security initiatives, and provide oversight to ensure the successful implementation of
security measures.
 Documentation and Reporting: Maintain thorough documentation of implemented security measures,
incidents, and compliance efforts. Report regularly to management and stakeholders on the status of ICT
security and any significant developments.

Administering Security planning:


A security plan identifies and organizes the security activities for a computing system. The plan is both a
description of the current situation and a plan for improvement.
Contents of security planning:
Every security plan must address seven issues.
1. Policy, indicating the goals of a computer security effort and the willingness of the people involved to
work to achieve those goals
2. Current state, describing the status of security at the time of the plan
3. Requirements, recommending ways to meet the security goals
4. Recommended controls, mapping controls to the vulnerabilities identified in the policy and requirements
5. Accountability, describing who is responsible for each security activity
6. Timetable, identifying when different security functions are to be done
7. Continuing attention, specifying a structure for periodically updating the security plan

Policy:
The policy statement should specify the following:
 The organization's goals on security. For example, should the system protect data from leakage to
outsiders, protect against loss of data due to physical disaster, protect the data's integrity, or protect
against loss of business when computing resources fail? What is the higher priority: serving customers or
securing data?
 Where the responsibility for security lies. For example, should the responsibility rest with a small
computer security group, with each employee, or with relevant managers?
 The organization's commitment to security. For example, who provides security support for staff, and
where does security fit into the organization's structure?

Current Security Status:


To be able to plan for security, an organization must understand the vulnerabilities to which it may be exposed.
The organization can determine the vulnerabilities by performing a risk analysis: a careful investigation of the
system, its environment, and the things that might go wrong. The risk analysis forms the basis for describing the
current status of security.
The status can be expressed as a listing of organizational assets, the security threats to the assets, and the controls
in place to protect the assets. The status portion of the plan also defines the limits of responsibility for security. It
describes not only which assets are to be protected but also who is responsible for protecting them. The plan may
note that some groups may be excluded from responsibility; for example, joint ventures with other organizations
may designate one organization to provide security for all member organizations. The plan also defines the
boundaries of responsibility, especially when networks are involved. For instance, the plan should clarify who
provides the security for a network router or for a leased line to a remote site.
Even though the security plan should be thorough, there will necessarily be vulnerabilities that are not
considered. These vulnerabilities are not always the result of ignorance; rather, they can arise from the addition
of new equipment or data as the system evolves. They can also result from new situations, such as when a system
is used in ways not anticipated by its designers. The security plan should detail the process to be followed when
someone identifies a new vulnerability. In particular, instructions should explain how to integrate controls for
that vulnerability into the existing security procedures.
Requirements:
The heart of the security plan is its set of security requirements: functional or performance demands placed on a
system to ensure a desired level of security. The requirements are usually derived from organizational needs.
Sometimes these needs include the need to conform to specific security requirements imposed from outside, such
as by a government agency or a commercial standard.
Recommended Controls:
The security requirements lay out the system's needs in terms of what should be protected. The security plan
must also recommend what controls should be incorporated into the system to meet those requirements.
Throughout this book you have seen many examples of controls, so we need not review them here. As we see
later in this chapter, we can use risk analysis to create a map from vulnerabilities to controls. The mapping tells
us how the system will meet the security requirements. That is, the recommended controls address
implementation issues: how the system will be designed and developed to meet stated security requirements.
Responsibility for Implementation:
A section of the security plan should identify which people are responsible for implementing the security
requirements. This documentation assists those who must coordinate their individual responsibilities with those
of other developers. At the same time, the plan makes explicit who is accountable should some requirement not
be met or some vulnerability not be addressed. That is, the plan notes who is responsible for implementing
controls when a new vulnerability is discovered or a new kind of asset is introduced. People building, using, and
maintaining the system play many roles. Each role can take some responsibility for one or more aspects of
security. Consider, for example, the groups listed here.
 Personal computer users may be responsible for the security of their own machines. Alternatively, the
security plan may designate one person or group to be coordinator of personal computer security.
 Project leaders may be responsible for the security of data and computations.

Timetable:
A comprehensive security plan cannot be executed instantly. The security plan includes a timetable that shows
how and when the elements of the plan will be performed. These dates also give milestones so that management
can track the progress of implementation.
Continuing Attention:
Good intentions are not enough when it comes to security. We must not only take care in defining requirements
and controls, but we must also find ways for evaluating a system's security to be sure that the system is as secure
as we intend it to be. Thus, the security plan must call for reviewing the security situation periodically. As users,
data, and equipment change, new exposures may develop. In addition, the current means of control may become
obsolete or ineffective (such as when faster processor times enable attackers to break an encryption algorithm).
The inventory of objects and the list of controls should periodically be scrutinized and updated, and risk analysis
performed anew.
Security Planning Team Members:
The membership of a computer security planning team must somehow relate to the different aspects of computer
security described in this book. Security in operating systems and networks requires the cooperation of the
systems administration staff. Program security measures can be understood and recommended by applications
programmers. Physical security controls are implemented by those responsible for general physical security, both
against human attacks and natural disasters. Finally, because controls affect system users, the plan should
incorporate users' views, especially with regard to usability and the general desirability of controls. Thus, no
matter how it is organized, a security planning team should represent each of the following groups.
 Computer hardware group
 System administrators
 Systems programmers
 Applications programmers
 Data entry personnel
 Physical security personnel
 Representative users
In some cases, a group can be adequately represented by someone who is consulted at appropriate times, rather
than a committee member from each possible constituency being enlisted.
Assuring Commitment To a security plan:
After the plan is written, it must be accepted and its recommendations carried out. Acceptance by the
organization is key; a plan that has no organizational commitment is simply a plan that collects dust on the shelf.
Commitment to the plan means that security functions will be implemented and security activities carried out.
Three groups of people must contribute to making the plan a success.
 The planning team must be sensitive to the needs of each group affected by the plan.
 Those affected by the security recommendations must understand what the plan means for the way they
will use the system and perform their business activities. In particular, they must see how what they do
can affect other users and other systems.
 Management must be committed to using and enforcing the security aspects of the system.
Management commitment is obtained through understanding. But this understanding is not just a function of
what makes sense technologically; it also involves knowing the cause and the potential effects of lack of
security. Managers must also weigh trade-offs in terms of convenience and cost. The plan must present a picture
of how cost effective the controls are, especially when compared to potential losses if security is breached
without the controls. Thus, proper presentation of the plan is essential, in terms that relate to management as well
as technical concerns.
Management is often reticent to allocate funds for controls until the value of those controls is explained. As we
note in the next section, the results of a risk analysis can help communicate the financial tradeoffs and benefits of
implementing controls. By describing vulnerabilities in financial terms and in the context of ordinary business
activities (such as leaking data to a competitor or an outsider), security planners can help managers understand
the need for controls.
The plans we have just discussed are part of normal business. They address how a business handles computer
security needs. Similar plans might address how to increase sales or improve product quality, so these planning
activities should be a natural part of management. Next we turn to two particular kinds of business plans that
address specific security problems: coping with and controlling activity during security incidents.
Business Continuity Plan:
A business continuity plan documents how a business will continue to function during a computer security
incident. An ordinary security plan covers computer security during normal times and deals with protecting
against a wide range of vulnerabilities from the usual sources.
A business continuity plan deals with situations having two characteristics:
 Catastrophic situations, in which all or a major part of a computing capability is suddenly unavailable
 Long duration, in which the outage is expected to last for so long that business will suffer.
There are many situations in which a business continuity plan would be helpful. Here are some examples that
typify what you might find in reading your daily newspaper:
 A fire destroys a company's entire network.
 A seemingly permanent failure of a critical software component renders the computing system
unusable.
 A business must deal with the abrupt failure of its supplier of electricity, telecommunications,
network access, or other critical service.
 A flood prevents the essential network support staff from getting to the operations center.
The key to coping with such disasters is advance planning and preparation, identifying activities that will keep a
business viable when the computing technology is disabled.
The steps in business continuity planning are these:
 Assess the business impact of a crisis.
 Develop a strategy to control impact.
 Develop and implement a plan for the strategy.
Incident response plan: an incident response plan should
 define what constitutes an incident
 identify who is responsible for taking charge of the situation
 describe the plan of action

Organizational Security Policies:


A security policy is a high-level management document to inform all users of the goals of and constraints on
using a system. A policy document is written in broad enough terms that it does not change frequently. The
information security policy is the foundation upon which all protection efforts are built. It should be a visible
representation of priorities of the entire organization, definitively stating underlying assumptions that drive
security activities. The policy should articulate senior management's decisions regarding security as well as
asserting management's commitment to security. To be effective, the policy must be understood by everyone as
the product of a directive from an authoritative and influential person at the top of the organization.
Purpose:
Security policies are used for several purposes, including the following:
 recognizing sensitive information assets
 clarifying security responsibilities
 promoting awareness for existing employees
 guiding new employees
Audience:
A security policy addresses several different audiences with different expectations. That is, each group (users,
owners, and beneficiaries) uses the security policy in important but different ways.
Users
Users legitimately expect a certain degree of confidentiality, integrity, and continuous availability in the
computing resources provided to them. Although the degree varies with the situation, a security policy should
reaffirm a commitment to this requirement for service. Users also need to know and appreciate what is
considered acceptable use of their computers, data, and programs. For users, a security policy should define
acceptable use.
Owners
Each piece of computing equipment is owned by someone, and the owner may not be a system user. An owner
provides the equipment to users for a purpose, such as to further education, support commerce, or enhance
productivity. A security policy should also reflect the expectations and needs of owners.
Beneficiaries
A business has paying customers or clients; they are beneficiaries of the products and services offered by that
business. At the same time, the general public may benefit in several ways: as a source of employment or by
provision of infrastructure.
Contents:
A security policy must identify its audiences: the beneficiaries, users, and owners. The policy should describe the
nature of each audience and their security goals. Several other sections are required, including the purpose of the
computing system, the resources needing protection, and the nature of the protection to be supplied.
 Purpose
 Protected resources
 Nature of protection
Characteristics of a Good Security Policy:
If a security policy is written poorly, it cannot guide the developers and users in providing appropriate security
mechanisms to protect important assets. Certain characteristics make a security policy a good one.
 Durability
 Realism
 Usefulness

Applying Physical and Logical Risk Mitigation Measures:


Physical Security:
 Control access to physical infrastructure (e.g., server rooms, data centers).
 Implement biometric or access card systems.
 Use surveillance cameras and alarms.
Logical Security:
 Employ encryption techniques to protect data in transit and at rest.
 Implement strong authentication mechanisms (e.g., multi-factor authentication).
 Use firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to safeguard
against cyber threats.
Take corrective action
An effective corrective action plan identifies the root cause of problems and prevents their recurrence with
rigorous documentation. It aims to resolve the root cause of the issue rather than just address the surface signs.
7 Steps of a Corrective Action Process

Step 1: Define the Problem


The first step toward taking corrective actions concerning any noncompliance issue is identifying and defining
the problem. You can use several methods to identify nonconformities depending on the circumstances. For
example, you can identify regulatory compliance or risk controls issues through an internal audit. The other
option is using incident investigation to determine the problem behind an accident or error.

While defining the problem, research areas that will help confirm its business impact. Describe the who, what,
when, where, and why of the issue. Clearly outline the expected outcome, often called a "should be" statement.
For example, in a corrective action request form, if you receive the wrong batch of parts from a supplier, the
comparable statements might be: "We received steel parts," and "the parts should be made of copper."
If you find it hard to define the expected outcome, it may not be worthy of a corrective action plan.

Step 2: Establish the Scope of the Problem


The next step is to understand the severity of the problem and how it affects your essential business operations.
Examine the issue within the context of its occurrence.

For example, suppose it impacts your organization's entire supply chain or happens every day, like a hazardous
leak in a pipeline. It might be more crucial to address this than if the issue occasionally occurs or impacts just
one particular transaction.

Address every problem, but prioritize it based on its scope to give you an idea of whether it requires immediate
attention.

Step 3: Take Containment Actions

While corrective actions aim to find the root cause of the problem and prevent it from occurring again, this
process takes time. Ongoing issues can't be left unresolved while performing risk assessment and strategy.

Implement containment actions to take care of the most pressing symptoms. Perform checks and measures to
catch and fix the surface-level issues while your team addresses the source of the problem.

Step 4: Find the Root Cause of the Problem

Finding the underlying issue is the trickiest part of the process. Sometimes, it may seem like you have found the
root cause of the problem, but you have only identified a surface-level issue.

So, it's essential to be cautious and use established root cause analysis techniques to ensure that you have
correctly identified the underlying issue.

Popular techniques include the "5 Whys" method, which involves asking "why" five times, and the more
complex Ishikawa or fishbone diagram.
Step 5: Plan Corrective Actions to Fix the Root Cause
Once you have detected the root cause of the problem, it is time to create a plan to address it.

Create SMART (specific, measurable, achievable, realistic, and time-bound) goals and allot feasible deadlines.
Make sure these goals or solutions are centered around the root cause, detailing every step necessary to eliminate
the underlying cause of a problem.

Depending on the extent of the problem, you may also need to provide a cost and return on investment analysis
and get formal management approval for funding before you start the corrective action procedure.

Make your corrective action plan more manageable by providing a list of who will be responsible, how they
should report their progress, and to whom. Also, note anticipated due dates and time frames that they should
keep in mind while reporting.

Step 6: Implement the Corrective Action Plan

The next step is to implement the new process.

Corrective actions may be as simple as replacing a faulty piece of equipment or updating old software. The CAP
can also involve more complex processes like hiring and training outside consultants to manage risks.

Be thorough with every aspect of your corrective action plan and regularly communicate your progress with all
the relevant stakeholders.

Step 7: Follow Up to Ensure That Your Plan Worked

After executing the corrective action plan, close out the process with a well-documented corrective action report.
Schedule a final debrief to inform your team about any changes to operations or workflows.

Follow up after an appropriate time to check that the corrective action plan resolved the problem. If not, dig
deeper and repeat the process until you address all the underlying causes of the problem. Continue documenting
any lessons learned to help address similar issues in the future.

Fields you would include in a Corrective Action Form

 Report Title: Briefly captures what the report is all about
 Report Number: Unique number to identify the specific report
 Date: The date the report was compiled
 Department/Team: The department or team where the issue occurred or who is responsible for
the correction
 Reported by: Name of the person who observed the non-conformance and reported it
 Issue Description: A detailed description of the problem or issue that occurred
 Root Cause Analysis: Explanation of the cause of the issue
 Corrective Action Taken: Detailed description of the actions taken to correct the issue
 Responsibility: Name of the person or team who corrected the issue
 Completion Date: The date when the corrective action was completed
 Verification of Effectiveness: Assessment of how effective the corrective action was in
addressing the issue
 Management Review: Notes from the management regarding the issue and the corrective action
 Supporting Documentation: Any documents, photographs, or other types of evidence related to
the issue and corrective action
 Follow-Up Actions: Plans or actions to prevent recurrence of the same problem in the future
 Report Approval: Signature approval
Security audit to identify security gaps
A security audit is a systematic evaluation of the security of a company's information system by measuring how
well it conforms to an established set of criteria.
A comprehensive security audit will assess an organization’s security controls relating to the following:

 Physical components of your information system and the environment in which the information system
is housed.
 Applications and software, including security patches your systems administrators have already
implemented.
 Network vulnerabilities, including public and private access and firewall configurations.
 The human dimension, including how employees collect, share, and store highly sensitive information.
 The organization’s overall security strategy, including security policies, organization charts, and risk
assessments.

Why are security audits important?

There are several reasons to do a security audit.

 Identify security problems and gaps, as well as system weaknesses.
 Establish a security baseline that future audits can be compared with.
 Comply with internal organization security policies.
 Comply with external regulatory requirements.
 Determine if security training is adequate.
 Identify unnecessary resources.

Types of security audits

Security audits come in two forms, internal and external, which involve the following procedures:

 Internal audits. In these audits, a business uses its own resources and internal audit department. Internal
audits are used when an organization wants to validate business systems for policy and procedure
compliance.

 External audits. With these audits, an outside organization is brought in to conduct an audit. External audits
are also conducted when an organization needs to confirm it is conforming to industry standards or
government regulations.

Security Audits vs. Penetration Testing and Vulnerability Assessments

Security audits measure an information system's performance against a list of criteria.

A vulnerability assessment is a comprehensive study of an information system, seeking potential security
weaknesses.
Penetration testing is a covert approach in which a security expert tests to see if a system can withstand a
specific attack. Each approach has inherent strengths and using two or more in conjunction may be the most
effective approach.

5 Common IT Security Audit Standards

1. ISO 27001
ISO 27001 is the International Standard for Information Technology – Security techniques – Information
security management systems – Requirements. ISO 27001 is an information security management standard that
enables an organization to improve its security posture.

There are many ways to improve your information security posture. Still, this standard provides a framework of
best practices that can make it easier for your organization to identify, analyze, and manage the risks of your
information assets.

2. PCI DSS Compliance

PCI DSS is a set of 12 requirements that specifically target how organizations store, process, and transmit
cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) developed the PCI DSS to
protect against credit card fraud.

The PCI Security Standards Council (PCI SSC) maintains the PCI DSS, the de facto global standard for
organizations that handle credit card information. The PCI DSS also applies to organizations that store, process,
or transmit any cardholder data, which includes the following: Name, address, and Social Security number
(SSN).

3. NIST Cyber-Security Framework

The NIST Cyber-Security Framework (NIST CSF) defines a set of best practices that enables IT organizations to
more effectively manage cybersecurity risks. The NIST CSF promotes the use of risk management as a means to
achieve organizational objectives for cybersecurity.

The NIST CSF is a voluntary, risk-based approach to cybersecurity and offers flexible and repeatable processes
and controls tailored to an organization’s needs. The NIST CSF is a set of standards and guidelines that federal
agencies can use to comply with the Federal Information Security Modernization Act (FISMA).

4. SOC 2
SOC 2 is an auditing procedure that ensures your service providers securely manage your data to protect the
interests of your organization and the privacy of its clients. This compliance is necessary to meet the standards of
your organization’s clients and to stay compliant with the industry standards.

SOC 2 compliance ensures the security of your company’s information assets and protects the interests of your
organization. It is a certification of trust, which says that your company protects the type of information that is
considered personal and private. SOC 2 is one of the most widely used standards for third-party service
providers, and is an absolute must for any organization that is looking to be compliant with the industry
standards.

5. HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that requires covered entities
to protect the confidentiality, integrity, and availability of electronic health information that they create, receive,
maintain, or transmit.

HIPAA protects the privacy and security of health information and sets national standards for how health care
providers, health plans, and health care clearinghouses and their business associates must work together and with
covered entities to ensure the safety and privacy of personal health information.
How to perform a Security audit to identify security gaps
Performing a security audit is essential to identify security gaps and vulnerabilities within an organization's
systems, processes, and policies.

Step-by-step guide on how to conduct a security audit effectively:

1. Define Scope and Objectives: Determine the scope of the security audit, including the systems, networks,
applications, and policies that will be assessed. Clearly define the objectives of the audit, such as identifying
vulnerabilities, assessing compliance with security standards, or evaluating the effectiveness of security controls.
2. Gather Information: Collect relevant documentation, including security policies, procedures, network
diagrams, system configurations, and previous audit reports. Obtain information about the organization's IT
infrastructure, including hardware and software assets, network architecture, and data flow.
3. Risk Assessment: Conduct a comprehensive risk assessment to identify potential threats, vulnerabilities, and
risks to the organization's assets. Evaluate the likelihood and impact of security incidents and prioritize areas for
further investigation based on the level of risk.
4. Compliance Check: Assess compliance with relevant laws, regulations, and industry standards (such as GDPR,
HIPAA, PCI DSS, ISO 27001, etc.) to ensure that the organization's security practices meet legal and regulatory
requirements.
5. Technical Testing: Perform technical testing to identify vulnerabilities and weaknesses in the organization's
systems and networks. This may include vulnerability scanning, penetration testing, configuration audits, and
web application security testing.
6. Physical Security Assessment: Evaluate physical security measures such as access controls, surveillance
systems, and environmental controls (e.g., temperature, humidity) to prevent unauthorized access to sensitive
areas and assets.
7. Policy and Procedure Review: Review security policies, procedures, and guidelines to ensure they are
comprehensive, up-to-date, and effectively enforced. Evaluate adherence to security best practices and assess the
effectiveness of security awareness training programs.
8. Interviews and Observations: Conduct interviews with key stakeholders, system administrators, and end-users
to gather insights into security practices, challenges, and concerns. Observe security practices in action to
identify potential weaknesses or areas for improvement.
9. Documentation Review: Review documentation related to incident response procedures, security incident logs,
change management records, and audit trails to assess the organization's ability to detect, respond to, and recover
from security incidents.
10. Analysis and Reporting: Analyze the findings from the security audit, including identified vulnerabilities,
compliance issues, and security gaps. Prepare a comprehensive audit report that outlines the findings,
recommendations for remediation, and an action plan for addressing identified security issues.
11. Remediation Planning: Develop a remediation plan that prioritizes security issues based on their severity and
potential impact on the organization. Assign responsibilities for implementing remediation actions and establish
timelines for completion.
12. Follow-Up and Verification: Monitor the implementation of remediation actions and verify that security issues
are effectively addressed. Conduct follow-up assessments and periodic reviews to ensure ongoing compliance
with security standards and continuous improvement of security posture.

Key Components of Security Audit Report

1. Title
Title of the security audit report.

2. Table of Contents
The table of contents is an essential part of the audit report. It provides a quick and convenient way to find
the most important information in the report.
The table of contents is especially useful in large and detailed audit reports. It helps to quickly locate any
detailed information, such as the auditor’s name, the scope of the audit, the date of the audit, and the number of
pages in the audit report.

3. Scope of Audit
Scope of audit refers to a broad description of what is included in a project or the scope of a contract. In the
scope of work, the project manager and other stakeholders identify the work needed to accomplish the project
purpose.

4. Description
The description section in the security audit report is the detailed technical description of the security risk. The
description contains:

 All relevant details about the issue
 How to reproduce the issue
 How easily an attacker could exploit it
 The severity of the issue
 CVSS score of the vulnerability

5. Recommendations
The recommendations section describes the fix or patch needed to mitigate the security risk. The appropriate fix
depends on the type of vulnerability.

For example, developers can mitigate an XSS by escaping or encoding output and by deploying a WAF; an XSS
introduced by an outdated version of jQuery, on the other hand, is prevented by upgrading the library.

6. References
 Cite sources of information, including regulations, standards, guidelines, and industry best practices
referenced in the audit report.

TOPIC 4: TEST SYSTEM VULNERABILITY

Topic content:
 Definition of vulnerability
 System testing schedule
 Levels of system vulnerability
 Ethical penetration
 System vulnerability test report

Definition of vulnerability
A vulnerability in security is a weakness or opportunity in an information system that cybercriminals can
exploit to gain unauthorized access to a computer system. Vulnerabilities weaken systems and open the door to
malicious attacks.
What Is the Difference Between Vulnerability and Risk?
Vulnerabilities and risks differ in that vulnerabilities are known weaknesses. They’re the identified gaps that
undermine the security efforts of an organization’s IT systems.
Risks, on the other hand, are the potential for loss or damage when a threat exploits a vulnerability.

Examples and Common Types of Vulnerabilities in Security

The four main types of vulnerabilities in information security are network vulnerabilities, operating system
vulnerabilities, process (or procedural) vulnerabilities, and human vulnerabilities.

1. Network vulnerabilities are weaknesses within an organization’s hardware or software infrastructure that
allow cyberattackers to gain access and cause harm. These areas of exposure can range from poorly-protected
wireless access all the way to misconfigured firewalls that don’t guard the network at large.

2. Operating system (OS) vulnerabilities are exposures within an OS that allow cyberattackers to cause
damage on any device where the OS is installed. An example of an attack that takes advantage of OS
vulnerabilities is a Denial of Service (DoS) attack, where repeated fake requests clog a system so it becomes
overloaded. Unpatched and outdated software also creates OS vulnerabilities, because the system running the
application is exposed, sometimes endangering the entire network.

3. Process vulnerabilities are created when procedures that are supposed to act as security measures are
insufficient. One of the most common process vulnerabilities is an authentication weakness, where users, and
even IT administrators, use weak passwords.

4. Human vulnerabilities are created by user errors that can expose networks, hardware, and sensitive data to
malicious actors. They arguably pose the most significant threat, particularly because of the increase in
remote and mobile workers. Examples of human vulnerability in security are opening an email attachment
infected with malware, or not installing software updates on mobile devices.

What Causes Vulnerabilities?

1. Human error – When end users fall victim to phishing and other social engineering tactics, they become one
of the biggest causes of vulnerabilities in security.

2. Software bugs – These are flaws in code that cybercriminals can use to gain unauthorized access to
hardware, software, data, or other assets in an organization’s network, to expose sensitive data and to
perform unauthorized actions that are unethical or illegal.

3. System complexity – When a system is too complex, it causes vulnerability because there’s an increased
likelihood of misconfigurations, flaws, or unwanted network access.

4. Increased connectivity – Having so many remote devices connected to a network creates new access points
for attacks.

5. Poor access control – Improperly managing user roles, such as giving some users more access to data and
systems than they need or not closing the accounts of former employees, leaves networks vulnerable to
breaches from both inside and outside.
Vulnerability Testing
Vulnerability testing is a process of evaluating and identifying security weaknesses in a computer system,
network, or software application. It involves systematically scanning, probing, and analyzing systems and
applications to uncover potential vulnerabilities, such as coding errors, configuration flaws, or outdated software
components.

Importance of Vulnerability Testing

 Comprehensive understanding of the attack surface: Vulnerability testing enables organizations to
have a better understanding of their systems, networks, and applications. This comprehensive view helps
to identify potential weak points and entry points that attackers might exploit.
 Adapting to evolving threats: Cyber threats are constantly changing and evolving, with new
vulnerabilities and attack vectors emerging regularly. Vulnerability testing helps organizations stay up-to-
date with the latest security threats and take proactive measures to address them.
 Reducing attack vectors: By identifying and addressing vulnerabilities, organizations can reduce the
number of potential attack vectors available to cybercriminals. This decreases the likelihood of a
successful cyberattack and helps safeguard critical systems and data.
 Enhanced security measures: Vulnerability testing provides valuable information that can be used to
improve security measures. This may include implementing new security controls, updating policies and
procedures, or providing employee training on security best practices.
 Continuous improvement: Vulnerability testing is an ongoing process, which allows organizations to
continuously monitor their systems and applications for new vulnerabilities. This iterative approach
enables organizations to make necessary adjustments and improvements, ensuring their security posture
remains strong over time.
 Risk management: Conducting vulnerability testing helps organizations understand and manage their
security risks more effectively. By quantifying and prioritizing vulnerabilities based on their potential
impact, organizations can make informed decisions about allocating resources and addressing risks.

Vulnerability Testing Methods

Vulnerability testing methods can be broadly categorized based on the approach taken to identify vulnerabilities.
Here’s an overview of active testing, passive testing, network testing, and distributed testing:

1. Active Testing
Active testing is a vulnerability testing method in which testers interact directly with the target system, network,
or application to identify potential security weaknesses. It typically involves sending inputs, requests, or packets
to the target and analyzing the responses to discover vulnerabilities.

Active testing can be intrusive and may cause disruptions or performance issues in the target system, but it is
usually more effective in finding vulnerabilities than passive testing. Examples of active testing include:
 Port scanning to identify open ports and services running on a network.
 Fuzz testing, which involves sending malformed or unexpected inputs to applications to discover
vulnerabilities related to input validation and error handling.
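
The fuzz testing just described, run against a constructed target so the defect and its fix can both be seen. This is an added example, not code from the course notes: `parse_headers_unsafe`, `parse_headers_hardened`, `MalformedHeader` and the `SEED` input are all constructed for the illustration, and the mutation fuzzer is a minimal one written for this page.

```python
import random
import string

# Constructed seed input: a well-formed header block that the fuzzer will mutate.
SEED = "Host: example.test\nContent-Length: 12\nX-Request-Id: abc123"

ALPHABET = string.printable           # includes \n, \r, \t and other whitespace
MAX_LINE = 8192                       # per-line limit enforced by the hardened parser
MAX_HEADERS = 100                     # header-count limit enforced by the hardened parser
TOKEN_CHARS = set(string.ascii_letters + string.digits + "-_")


class MalformedHeader(ValueError):
    """Controlled rejection raised by the hardened parser; a defined error, not a crash."""


def parse_headers_unsafe(raw):
    """Fragile parser: assumes every line contains a colon (anything else crashes it)."""
    headers = {}
    for line in raw.split("\n"):
        name, value = line.split(":", 1)      # ValueError when no colon is present
        headers[name.strip()] = value.strip()
    return headers


def parse_headers_hardened(raw):
    """Same job, but every assumption about the input is checked explicitly."""
    if len(raw) > MAX_LINE * MAX_HEADERS:
        raise MalformedHeader("input too large")
    headers = {}
    for line in raw.split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue                           # tolerate blank lines
        if len(line) > MAX_LINE:
            raise MalformedHeader("header line too long")
        name, sep, value = line.partition(":")
        if not sep or not name or any(c not in TOKEN_CHARS for c in name):
            raise MalformedHeader(f"invalid header line {line[:40]!r}")
        if len(headers) >= MAX_HEADERS:
            raise MalformedHeader("too many headers")
        headers[name.lower()] = value.strip()
    return headers


def mutate(sample, rng):
    """Apply one to four random character-level mutations to the sample."""
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("insert", "delete", "replace", "truncate", "repeat"))
        if op == "insert":
            i = rng.randint(0, len(sample))
            sample = sample[:i] + rng.choice(ALPHABET) + sample[i:]
        elif op == "delete" and sample:
            i = rng.randrange(len(sample))
            sample = sample[:i] + sample[i + 1:]
        elif op == "replace" and sample:
            i = rng.randrange(len(sample))
            sample = sample[:i] + rng.choice(ALPHABET) + sample[i + 1:]
        elif op == "truncate" and sample:
            sample = sample[:rng.randrange(len(sample))]
        elif op == "repeat" and len(sample) < 4096:
            sample = sample * 2
    return sample


def fuzz(target, seed=SEED, iterations=500, rng_seed=1, allowed=()):
    """Run target on mutated inputs; return {exception name: first input that raised it}.
    Exception types in `allowed` are the parser's own controlled rejections and are not
    findings; any other exception is an unhandled failure worth reporting."""
    rng = random.Random(rng_seed)             # fixed seed -> reproducible campaign
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except Exception as exc:              # every failure kind is of interest here
            if isinstance(exc, allowed):
                continue
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    print("unsafe  :", sorted(fuzz(parse_headers_unsafe)))
    print("hardened:", sorted(fuzz(parse_headers_hardened, allowed=(MalformedHeader,))))
```

Each crashing input the fuzzer records can be replayed against the parser directly, which is what makes a fuzzing finding reproducible in a test report.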
2. Passive Testing
Passive testing is a non-intrusive vulnerability testing method that involves observing and analyzing the target
system, network, or application without directly interacting with it. Passive testing focuses on gathering
information about the target, such as network traffic, configuration settings, or application behavior, to identify
potential vulnerabilities.

This method is less likely to cause disruptions or performance issues but may be less effective in finding
vulnerabilities compared to active testing. Examples of passive testing include:
 Traffic monitoring to identify patterns or anomalies that may indicate security weaknesses.
 Configuration reviews to assess security settings and identify misconfigurations.

3. Network Testing
Network testing is a vulnerability testing method focused on identifying security weaknesses in network
infrastructure, including devices, protocols, and configurations. It aims to discover vulnerabilities that could
allow unauthorized access, eavesdropping, or Denial of Service (DoS) attacks on the network.

Network testing typically involves both active and passive testing techniques to evaluate the network’s security
posture comprehensively. Examples of network testing include:

 Scanning for open ports and services on network devices.
 Analyzing network protocols and configurations for security flaws.

4. Distributed Testing
Distributed testing is a vulnerability testing method that involves using multiple testing tools or systems, often
deployed across different locations, to scan and analyze the target system, network, or application for
vulnerabilities.

This approach can help provide a more comprehensive view of the target’s security posture, as it helps identify
vulnerabilities that may be visible only from specific locations or under specific conditions. Distributed testing
can also help distribute the load of vulnerability testing, reducing the impact on the target system and increasing
the efficiency of the testing process.

Examples of distributed testing include:

 Using multiple vulnerability scanners from different locations to scan a web application for potential
security flaws.
 Coordinating a team of testers in different geographical locations to perform simultaneous network
vulnerability testing.

Vulnerability Testing Tools

Vulnerability testing tools are software applications or services designed to help organizations identify and
assess security weaknesses in their systems, networks, or applications. These tools automate the process of
vulnerability testing, making it more efficient, accurate, and consistent.

There are several types of vulnerability testing tools, including:

 Network vulnerability scanners: These tools scan networks for open ports, misconfigurations, and other
security weaknesses.
 Web application vulnerability scanners: These tools are specifically designed to identify vulnerabilities
in web applications, such as SQL injection, cross-site scripting (XSS), and broken authentication.
 Static application security testing (SAST) tools: Designed to analyze source code or compiled code to
identify potential security vulnerabilities without executing the application.
 Dynamic application security testing (DAST) tools: Built to interact with running applications to
identify security weaknesses during runtime.
 Fuzz testing tools: Generate and send malformed or unexpected inputs to applications to identify
vulnerabilities related to input validation and error handling.
 Configuration management and compliance tools: These tools assess system and application
configurations against established security best practices or compliance standards, such as CIS
Benchmarks or PCI DSS.
 Container and cloud security tools: These tools focus on identifying vulnerabilities and
misconfigurations in cloud-based environments and containerized applications.

10 Vulnerability Testing Best Practices

Following best practices in vulnerability testing is essential for achieving effective results and improving the
overall security posture of an organization. Here are some key best practices to consider:

1. Develop a clear scope and plan: Clearly define the scope of the vulnerability testing, including the
systems, applications, and network segments that will be tested. Create a well-documented plan outlining
the testing process, tools, and methodologies to be used.
2. Conduct regular vulnerability assessments: Schedule vulnerability testing on a regular basis, as new
vulnerabilities and threats emerge constantly. Regular assessments help ensure that your organization
stays up-to-date with the latest security patches and configuration changes.
3. Use a combination of tools and techniques: Employ a combination of automated vulnerability scanners
and manual testing techniques, such as penetration testing, to achieve a comprehensive assessment.
Automated tools can quickly identify known vulnerabilities, while manual techniques can help uncover
more complex issues that may not be detected by automated scanners.
4. Prioritize vulnerabilities: Evaluate and prioritize identified vulnerabilities based on their severity,
potential impact, and ease of exploitation. Focus on addressing high-priority vulnerabilities first to
minimize the risk of a breach.
5. Patch management: Establish a robust patch management process that ensures timely application of
security patches and updates to mitigate identified vulnerabilities. This process should include monitoring
for new patches, testing them for compatibility, and deploying them across the organization.
6. Remediation and verification: Remediate identified vulnerabilities and verify that the applied fixes
have been effective in addressing the issues. This may require re-testing systems or applications to ensure
that no new vulnerabilities have been introduced.
7. Encourage cross-functional collaboration: Foster collaboration between IT, security, and other relevant
teams to ensure effective communication, coordination, and remediation efforts.
8. Educate and train staff: Raise security awareness among employees through regular training and
education programs. This helps create a security-conscious culture within the organization and reduces
the likelihood of human errors leading to security incidents.
9. Monitor and adapt: Continuously monitor the threat landscape and adapt your vulnerability testing
practices accordingly. Stay informed about emerging threats, new vulnerabilities, and best practices in
security testing.
10. Document and review: Maintain detailed documentation of vulnerability testing processes, results, and
remediation efforts. Regularly review and update these documents to ensure they remain relevant and
effective in addressing the organization’s security needs.

Vulnerability assessment

A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates
whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and
recommends remediation or mitigation, if and whenever needed.
Examples of threats that can be prevented by vulnerability assessment include:

1. SQL injection, XSS and other code injection attacks.
2. Escalation of privileges due to faulty authentication mechanisms.
3. Insecure defaults – software that ships with insecure settings, such as guessable admin passwords.
Types of vulnerability assessments

1. Host assessment – The assessment of critical servers, which may be vulnerable to attacks if not
adequately tested or not generated from a tested machine image.
2. Network and wireless assessment – The assessment of policies and practices to prevent unauthorized
access to private or public networks and network-accessible resources.
3. Database assessment – The assessment of databases or big data systems for vulnerabilities and
misconfigurations, identifying rogue databases or insecure dev/test environments, and classifying
sensitive data across an organization’s infrastructure.
4. Application scans – The identification of security vulnerabilities in web applications and their source code
by automated scans of the front-end or static/dynamic analysis of the source code.

Vulnerability assessment: Security scanning process

The security scanning process consists of four steps: testing, analysis, assessment and remediation.

1. Vulnerability identification (testing)

The objective of this step is to draft a comprehensive list of an application’s vulnerabilities. Security analysts test
the security health of applications, servers or other systems by scanning them with automated tools, or testing
and evaluating them manually. Analysts also rely on vulnerability databases, vendor vulnerability
announcements, asset management systems and threat intelligence feeds to identify security weaknesses.

2. Vulnerability analysis

The objective of this step is to identify the source and root cause of the vulnerabilities identified in step one.

It involves the identification of system components responsible for each vulnerability, and the root cause of the
vulnerability. For example, the root cause of a vulnerability could be an old version of an open source library.
This provides a clear path for remediation – upgrading the library.

3. Risk assessment

The objective of this step is to prioritize vulnerabilities. It involves security analysts assigning a rank or
severity score to each vulnerability, based on such factors as:
1. Which systems are affected.
2. What data is at risk.
3. Which business functions are at risk.
4. Ease of attack or compromise.
5. Severity of an attack.
6. Potential damage as a result of the vulnerability.

4. Remediation

The objective of this step is to close security gaps. It’s typically a joint effort by security staff,
development and operations teams, who determine the most effective path for remediation or mitigation of each
vulnerability.

Specific remediation steps might include:

1. Introduction of new security procedures, measures or tools.
2. Operational or configuration changes.
3. Development and implementation of a vulnerability patch.

Vulnerability assessment tools

Vulnerability assessment tools are designed to automatically scan for new and existing threats that can target
your application. Types of tools include:

1. Web application scanners that test for and simulate known attack patterns.
2. Protocol scanners that search for vulnerable protocols, ports and network services.
3. Network scanners that help visualize networks and discover warning signals like stray IP addresses,
spoofed packets and suspicious packet generation from a single IP address.

How to choose a vulnerability scanner?

When choosing your ideal scanner, you should consider:

 Features
 Checks performed
 Industry certifications
 Pricing
 Reporting

System testing schedule for vulnerabilities as used in computer security

Steps to generate a system security audit report

Creating a system security audit report involves compiling information gathered during the audit process into a
comprehensive document that highlights findings, vulnerabilities, and recommendations for improvement.

1. Executive Summary: Begin the report with an executive summary that provides an overview of the audit
process, objectives, methodologies used, and key findings. Summarize the most critical vulnerabilities and
recommendations for management's attention.
2. Introduction: Provide background information on the organization, including its industry, size, and any relevant
regulatory requirements. Explain the purpose of the security audit and the scope of the assessment.
3. Audit Methodology: Describe the methods and techniques used during the audit, such as vulnerability scanning,
penetration testing, policy review, interviews, and documentation analysis. Explain how the assessment was
conducted and any limitations encountered.
4. Findings and Observations: Present the findings of the security audit in detail. Organize the findings by
category (e.g., technical vulnerabilities, policy deficiencies, compliance issues) and provide a description of each
issue discovered.
5. Risk Assessment: Evaluate the severity and potential impact of each identified vulnerability or security gap. Use
a risk rating or scoring system to prioritize findings based on their likelihood and potential consequences.
6. Recommendations: Provide actionable recommendations for addressing each identified vulnerability or security
gap. Include specific steps that the organization should take to remediate the issues, along with suggested
timelines and responsible parties.
7. Supporting Evidence: Include evidence to support the findings and recommendations, such as screenshots, logs,
or documentation excerpts. This helps to validate the audit results and provide context for stakeholders.
8. Conclusions: Summarize the overall findings of the audit and reiterate the importance of addressing security
vulnerabilities to mitigate risks effectively. Highlight any overarching trends or patterns observed during the
assessment.
9. Appendices: Include additional supplementary information, such as detailed vulnerability scan reports, interview
transcripts, audit checklists, or regulatory compliance matrices. This allows readers to delve deeper into specific
aspects of the audit if needed.
10. Action Plan: Develop a comprehensive action plan that outlines steps for implementing the recommendations
and addressing the identified vulnerabilities. Include timelines, resource requirements, and accountability
mechanisms for each action item.
11. Executive Summary of Technical Findings: Provide a high-level summary of the technical vulnerabilities
discovered during the audit, along with their potential impact on the organization's security posture.
12. Management Response: Include a section for management to respond to the audit findings and
recommendations. Management should acknowledge the findings, indicate their commitment to addressing them,
and outline any additional steps they plan to take.
13. Distribution and Review: Distribute the audit report to relevant stakeholders, including senior management, IT
personnel, and any regulatory authorities if required. Schedule a review meeting to discuss the findings and
action plan with key stakeholders.
14. Follow-Up: Monitor the implementation of the action plan and track progress towards addressing the identified
vulnerabilities. Conduct follow-up assessments as needed to ensure that security improvements are effectively
implemented.

Levels of system vulnerability applied in computer security


In computer security, vulnerabilities can exist at various levels within a system. Understanding these levels helps
in identifying, assessing, and mitigating potential security risks effectively.

1. Physical Level Vulnerabilities:
 Physical vulnerabilities pertain to weaknesses in the physical components of a system, including
hardware, facilities, and environmental controls.
 Examples include:
 Unauthorized physical access to servers or network equipment.
 Lack of physical security measures such as locked server rooms, access control systems, and
surveillance cameras.
 Exposure to environmental hazards like fire, flood, or temperature fluctuations.
2. Network Level Vulnerabilities:
 Network vulnerabilities refer to weaknesses in network infrastructure, protocols, and configurations that
can be exploited to compromise data confidentiality, integrity, or availability.
 Examples include:
 Insecure network protocols susceptible to eavesdropping or interception (e.g., unencrypted
communication).
 Vulnerable network devices such as routers, switches, and firewalls with outdated firmware or
default configurations.
 Misconfigured network services or open ports that expose systems to unauthorized access or
attacks.
3. Operating System Level Vulnerabilities:
 Operating system vulnerabilities involve weaknesses in the software components and configurations of
operating systems (OS) used in computing devices.
 Examples include:
 Unpatched OS vulnerabilities that can be exploited to execute arbitrary code, escalate privileges,
or perform denial-of-service attacks.
 Insecure default configurations or unnecessary services enabled on the OS.
 Lack of security controls such as access control lists (ACLs), file system permissions, and
security patches.
4. Application Level Vulnerabilities:
 Application vulnerabilities refer to weaknesses in software applications, including web applications,
desktop applications, and mobile apps.
 Examples include:
 Input validation vulnerabilities (e.g., SQL injection, cross-site scripting) that can lead to data
manipulation or unauthorized access.
 Insecure authentication mechanisms, such as weak passwords, insecure storage of credentials, or
lack of multi-factor authentication.
 Flaws in application logic, authorization checks, or session management that can be exploited to
gain unauthorized access or perform unauthorized actions.
5. Data Level Vulnerabilities:
 Data vulnerabilities involve weaknesses related to the handling, storage, and transmission of sensitive
data within a system.
 Examples include:
 Lack of encryption for sensitive data at rest or in transit.
 Inadequate data backup and recovery procedures.
 Data leakage or exposure due to insufficient access controls, data breaches, or insider threats.
6. Human Factor Vulnerabilities:
 Human factor vulnerabilities stem from human errors, negligence, or malicious activities that can
compromise system security.
 Examples include:
 Poor security awareness and training among users, leading to susceptibility to social engineering
attacks or inadvertent security breaches.
 Insider threats such as disgruntled employees, careless contractors, or unintentional data
disclosure.
 Inadequate user access controls, password hygiene, or monitoring of user activities.

System vulnerability test report


A vulnerability assessment report details the security weaknesses discovered in a vulnerability assessment. It
is your roadmap to a better state of security preparedness, laying out the unique risks you face due to the
technology that underpins your organization.
Six Critical Elements of a Vulnerability Assessment Report
Because your client and their security team usually won’t have the time to read long explanations, it’s important
to keep your report clear and concise—without omitting crucial information. Remember that you can link to
quality sources to help others better understand the contents of the report while avoiding long segments of
unnecessary text.
The below table outlines the six key elements of a vulnerability assessment report

Element             Description
Executive summary    Date range of the assessment
                     Purpose and scope of the assessment
                     General status of the assessment and summary of your findings regarding risk to the client
                     Disclaimer
Scan results         Explanation of the scan results, such as how you’ve categorized and ordered vulnerabilities
                     Overview of the types of reports provided
Methodology          Tools and tests you used for vulnerability scanning, such as penetration testing or cloud-based scans
                     Specific purpose of each scan, tool, and test
                     Testing environments for each tool used in the assessment
Findings             Which systems identified by the client you successfully scanned and which you did not
                     Whether any systems were not scanned and, if so, the reasons why
Risk assessment      Index of all vulnerabilities identified, categorized as critical, high, medium, or low severity
                     Explanation of the above risk categories
                     List of all vulnerabilities with details on the plugin name, description, solution, and count information
Recommendations      Full list of actions the client should take
                     Recommendations of other security tools the client can use to assess the network’s security posture
                     Security policy and configuration recommendations

TOPIC 5: MONITOR SECURITY SYSTEM


Topic content
 Define monitoring criteria
 Evaluation of system security performance based on defined criteria
 Updating and overhauling of security systems
 Generate monitoring report

Define monitoring criteria


Monitoring criteria refer to the specific metrics, parameters, or indicators used to assess and measure the
performance, health, and security of computer systems and networks.
Security monitoring is a process that draws on audit logs, network security monitoring, and environmental data.

Requirements of security monitoring


Its requirements include:
 being highly available and hardened,
 generating alerts based on automated recognition of critical security events,
 delivering critical alerts via various means,
 providing means for security personnel to investigate and prosecute an unfolding incident,
 implementing a cloud-wide intrusion and anomaly detection capability,
 allowing customers to implement intrusion/anomaly detection,
 ensuring reliability and correctness even under circumstances of failure,
 retaining security logs in a compliant manner.

The purposes of security monitoring include:

 Threat Detection: Some exploits may not be preventable and some threats may not be anticipated, and in
this sense monitoring is the last line of defense. But there is a difference between detecting a security
situation and doing something about it.
 Verification of Security Controls: Although most security controls are oriented toward enforcing
security policy, monitoring is used to verify the correct operation of other security controls. If events
which indicate actions prohibited by policy appear in the security event stream, this would indicate that
policy is not being correctly enforced by security controls.
 Exposure of Bugs: Security monitoring can reveal vulnerabilities or security bugs that were previously
unknown. This can take several forms; one is a monitoring rule that fires but, when the triggering events are
reviewed against the monitoring record, simply does not make sense.
 A Legal Record of Activity: Security event data can form a legal record of actions that users or
processes performed. To be used in a legal proceeding, this data must have verifiable integrity (records
have not been altered and they comprise a complete record) and the organization must be able to
demonstrate chain of custody over the data.
 Enabling Forensics: Security event data has great value in gaining an understanding of the steps
involved in an exploit along with discerning the scope of any resulting damage.

How to monitor and secure your computer systems

 Monitoring tools
 Monitoring metrics
 Security policies
 Security tools
 Security audits
 Security training

1. Security Monitoring tools

One of the first steps to monitor your computer systems is to choose the right tools for your needs. There are
many tools available for different purposes, such as system performance, network traffic, log analysis, security
alerts, and more.
Some of the popular tools are Nagios, Zabbix, Splunk, Snort, and OSSEC. These tools can help you collect,
analyze, and visualize data from your systems, and notify you of any issues or anomalies. You should also
configure your tools to generate regular reports and backups, and to integrate with other tools or platforms.
o System performance monitoring tools
Sguil for monitoring post-event and real-time events
Sguil is a security monitoring tool built on Tcl/Tk that, like Squert, collects events from multiple data
sources and sensors into a central repository. The main user interface of Sguil characterizes traffic and lets
you see packet information; from there you can cross-reference, categorize, and drill into events by pivoting
your views.

Intrusion detection or intrusion prevention; mandated by PCI Requirement 11.4: “Use intrusion-detection and/or
intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the
perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and
alert personnel to suspected compromises.”

File integrity monitoring; mandated by PCI Requirement 11.5: “Deploy a change-detection mechanism (for
example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system
files, configuration files, or content files; and configure the software to perform critical file comparisons at least
weekly.”

o Network traffic
o Log analysis
o Security alerts

2. Monitoring metrics

Another important step to monitor your computer systems is to define the metrics that you want to track and
measure. Metrics are quantitative indicators that reflect the status or performance of your systems, such as CPU
usage, memory usage, disk space, network latency, response time, error rate, and more. You should also set
thresholds or baselines for your metrics, so that you can compare them with the actual values and detect any
deviations or problems. You should also prioritize your metrics according to their impact and relevance, and
focus on the ones that are most critical for your systems.

3. Security policies

To secure your computer systems, you need to establish and enforce security policies that define the rules and
standards for your systems, such as who can access them, what they can do, how they should be configured, and
how they should be updated. Security policies can help you prevent unauthorized or malicious access, maintain
compliance with regulations or best practices, and reduce the risk of data breaches or system failures. You
should also document your security policies and communicate them to your users and stakeholders, and review
them regularly to ensure they are up to date and effective.

4. Security tools

In addition to security policies, you also need to use security tools that can help you protect your computer
systems from various threats, such as malware, hackers, or denial-of-service attacks. Some of the common
security tools are antivirus software, firewalls, encryption software, VPNs, and password managers. These tools
can help you scan, block, encrypt, or authenticate your systems, and alert you of any suspicious or malicious
activity. You should also update your security tools regularly to keep them current and effective.

5. Security audits

Another way to secure your computer systems is to conduct security audits that can help you assess the current
state of your systems, identify any vulnerabilities or weaknesses, and recommend any improvements or fixes.
Security audits can be performed by internal or external experts, using various methods, such as penetration
testing, vulnerability scanning, code review, or checklist review. Security audits can help you validate your
security policies and tools, comply with regulations or standards, and improve your security posture and
awareness.

6. Security training

The last but not least step to secure your computer systems is to provide security training to your users and staff,
who are often the weakest link in your security chain. Security training can help you educate your users and staff
about the importance of security, the common threats and risks, and the best practices and behaviors to follow.
Security training can also help you foster a security culture and mindset, and increase the trust and confidence of
your users and stakeholders. You should also update your security training regularly to keep it relevant and
engaging.

Evaluation Criteria of Systems Security Controls

The evaluation of information systems security is a process in which the evidence for assurance is identified,
gathered, and analysed against criteria for security functionality and assurance level. This results in a measure
of trust that indicates how well the system meets a particular security target.
Evaluation criteria provide a standard for quantifying the security of a computer system or network. These
criteria include the
 Trusted Computer System Evaluation Criteria (TCSEC),
 Trusted Network Interpretation (TNI),
 European Information Technology Security Evaluation Criteria (ITSEC),
 and the Common Criteria.

Trusted Computer System Evaluation Criteria (TCSEC)

The Trusted Computer System Evaluation Criteria (TCSEC), commonly known as the Orange Book, is part of
the Rainbow Series developed for the U.S. DoD by the National Computer Security Center (NCSC). It’s the
formal implementation of the Bell-LaPadula model. The evaluation criteria were developed to achieve the
following objectives:

 Measurement: Provides a metric for assessing comparative levels of trust between different computer systems.
 Guidance: Identifies standard security requirements that vendors must build into systems to achieve a given
trust level.
 Acquisition: Provides customers a standard for specifying acquisition requirements and identifying systems that
meet those requirements.
The four basic control requirements identified in the Orange Book are
 Security policy: The rules and procedures by which a trusted system operates. Specific TCSEC requirements
include
o Discretionary access control (DAC): Owners of objects are able to assign permissions to other subjects.
o Mandatory access control (MAC): Permissions to objects are managed centrally by an administrator.
o Object reuse: Protects confidentiality of objects that are reassigned after initial use. For example, a deleted file
still exists on storage media; only the file allocation table (FAT) and first character of the file have been
modified. Thus residual data may be restored, which describes the problem of data remanence. Object-reuse
requirements define procedures for actually erasing the data.
o Labels: Sensitivity labels are required in MAC-based systems. Specific TCSEC labeling requirements include
integrity, export, and subject/object labels.
 Assurance: Guarantees that a security policy is correctly implemented. Specific TCSEC requirements (listed
here) are classified as operational assurance requirements:
o System architecture: TCSEC requires features and principles of system design that implement specific security
features.
o System integrity: Hardware and firmware operate properly and are tested to verify proper operation.
o Covert channel analysis: TCSEC requires covert channel analysis that detects unintended communication paths
not protected by a system’s normal security mechanisms. A covert storage channel conveys information by
altering stored system data. A covert timing channel conveys information by altering a system resource’s
performance or timing.
o Trusted facility management: The assignment of a specific individual to administer the security-related
functions of a system. Closely related to the concepts of least privilege, separation of duties, and need-to-know.
o Trusted recovery: Ensures that security isn’t compromised in the event of a system crash or failure. This
process involves two primary activities: failure preparation and system recovery.
o Security testing: Specifies required testing by the developer and the National Computer Security Center
(NCSC).
o Design specification and verification: Requires a mathematical and automated proof that the design description
is consistent with the security policy.
o Configuration management: Identifying, controlling, accounting for, and auditing all changes made to the
Trusted Computing Base (TCB) during the design, development, and maintenance phases of a system’s lifecycle.
o Trusted distribution: Protects a system during transport from a vendor to a customer.

 Accountability: The ability to associate users and processes with their actions. Specific TCSEC requirements
include
o Identification and authentication (I&A): Systems need to track who performs what activities.
o Trusted Path: A direct communications path between the user and the Trusted Computing Base (TCB) that
doesn’t require interaction with untrusted applications or operating-system layers.
o Audit: Recording, examining, analyzing, and reviewing security-related activities in a trusted system.
 Documentation: Specific TCSEC requirements include
o Security Features User’s Guide (SFUG): User’s manual for the system.
o Trusted Facility Manual (TFM): System administrator’s and/or security administrator’s manual.
o Test documentation: According to the TCSEC manual, this documentation must be in a position to “show how
the security mechanisms were tested, and results of the security mechanisms’ functional testing.”
o Design documentation: Defines system boundaries and internal components, such as the Trusted Computing
Base (TCB).
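The difference between the DAC and MAC requirements above, worked through in code. This is an added example, not from the notes: it implements sensitivity labels with the dominance rule of the Bell-LaPadula model that TCSEC formalizes (no read up, no write down) alongside an owner-maintained ACL, and shows how a B-class system applies both. The levels, compartments, users and ACL are constructed.

```python
"""Discretionary vs. mandatory access control with sensitivity labels.
Added example; classification levels, compartments and the ACL are constructed."""
from dataclasses import dataclass

# Hierarchical levels (higher dominates lower) used by the constructed labels.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a level plus a set of non-hierarchical compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """A label dominates another when its level is at least as high AND it holds
        every compartment of the other. This is a partial order: SECRET{NUCLEAR} and
        SECRET{CRYPTO} do not dominate each other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Mandatory access control: labels assigned by the administrator decide."""
    if mode == "read":
        return subject.dominates(obj)   # simple security property: no read up
    if mode == "write":
        return obj.dominates(subject)   # *-property: no write down
    raise ValueError(f"unknown access mode {mode!r}")


def dac_allows(acl: dict, user: str, mode: str) -> bool:
    """Discretionary access control: the object's owner-maintained ACL decides."""
    return mode in acl.get(user, set())


def access_allowed(user: str, subject: Label, acl: dict, obj: Label, mode: str) -> bool:
    """A TCSEC B-class system enforces both: DAC can only further restrict what
    MAC permits, never override a MAC denial."""
    return mac_allows(subject, obj, mode) and dac_allows(acl, user, mode)


if __name__ == "__main__":
    secret_nuclear = Label("SECRET", frozenset({"NUCLEAR"}))
    report = Label("SECRET")
    acl = {"alice": {"read"}, "bob": {"read", "write"}}
    print("alice reads report:", access_allowed("alice", secret_nuclear, acl, report, "read"))
    print("alice writes report:", access_allowed("alice", secret_nuclear, acl, report, "write"))
```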

The Orange Book defines four major hierarchical classes of security protection and numbered subclasses (higher
numbers indicate higher security):

 D: Minimal protection
 C: Discretionary protection (C1 and C2)
 B: Mandatory protection (B1, B2, and B3)
 A: Verified protection (A1)
These classes are further defined in this table.

TCSEC Classes

Class      Name                                   Sample Requirements
D          Minimal protection                     Reserved for systems that fail evaluation.
C1         Discretionary protection (DAC)         System doesn’t need to distinguish between individual users and types of access.
C2         Controlled access protection (DAC)     System must distinguish between individual users and types of access; object reuse security features required.
B1         Labeled security protection (MAC)      Sensitivity labels required for all subjects and storage objects.
B2         Structured protection (MAC)            Sensitivity labels required for all subjects and objects; trusted path requirements.
B3         Security domains (MAC)                 Access control lists (ACLs) are specifically required; system must protect against covert channels.
A1         Verified design (MAC)                  Formal Top-Level Specification (FTLS) required; configuration management procedures must be enforced throughout entire system lifecycle.
Beyond A1                                         Self-protection and reference monitors are implemented in the Trusted Computing Base (TCB). TCB verified to source-code level.

Major limitations of the Orange Book include that


 It addresses only confidentiality issues. It doesn’t include integrity and availability.
 It isn’t applicable to most commercial systems.
 It emphasizes protection from unauthorized access, despite statistical evidence that many security violations
involve insiders.
 It doesn’t address networking issues.

Trusted Network Interpretation (TNI)

Part of the Rainbow Series, like TCSEC (discussed in the preceding section), Trusted Network Interpretation
(TNI) addresses confidentiality and integrity in trusted computer/communications network systems. Within the
Rainbow Series, it’s known as the Red Book.
Part I of the TNI is a guideline for extending the system protection standards defined in the TCSEC (the Orange
Book) to networks. Part II of the TNI describes additional security features such as communications integrity,
protection from denial of service, and transmission security.

European Information Technology Security Evaluation Criteria (ITSEC)

Unlike TCSEC, the European Information Technology Security Evaluation Criteria (ITSEC) addresses
confidentiality, integrity, and availability, as well as evaluating an entire system, defined as a Target of
Evaluation (TOE), rather than a single computing platform.
ITSEC evaluates functionality (security objectives, or why; security-enforcing functions, or what; and security
mechanisms, or how) and assurance (effectiveness and correctness) separately. The ten functionality (F) classes
and seven evaluation (E) (assurance) levels are listed in the following table.

ITSEC Functionality (F) Classes and Evaluation (E) Levels mapped to TCSEC levels

(F) Class   (E) Level   Description
NA          E0          Equivalent to TCSEC level D
F-C1        E1          Equivalent to TCSEC level C1
F-C2        E2          Equivalent to TCSEC level C2
F-B1        E3          Equivalent to TCSEC level B1
F-B2        E4          Equivalent to TCSEC level B2
F-B3        E5          Equivalent to TCSEC level B3
F-B3        E6          Equivalent to TCSEC level A1
F-IN        NA          TOEs with high integrity requirements
F-AV        NA          TOEs with high availability requirements
F-DI        NA          TOEs with high integrity requirements during data communication
F-DC        NA          TOEs with high confidentiality requirements during data communication
F-DX        NA          Networks with high confidentiality and integrity requirements

Common Criteria

The Common Criteria for Information Technology Security Evaluation (usually just called Common Criteria) is
an international effort to standardize and improve existing European and North American evaluation criteria. The
Common Criteria has been adopted as an international standard in ISO 15408. The Common Criteria defines
eight evaluation assurance levels (EALs), which are listed in the following table.
The Common Criteria

Level   TCSEC Equivalent   ITSEC Equivalent   Description
EAL0    N/A                N/A                Inadequate assurance
EAL1    N/A                N/A                Functionally tested
EAL2    C1                 E1                 Structurally tested
EAL3    C2                 E2                 Methodically tested and checked
EAL4    B1                 E3                 Methodically designed, tested, and reviewed
EAL5    B2                 E4                 Semi-formally designed and tested
EAL6    B3                 E5                 Semi-formally verified design and tested
EAL7    A1                 E6                 Formally verified design and tested

Monitoring criteria
Monitoring criteria refer to the specific metrics, parameters, or indicators used to assess and measure the
performance, health, and security of computer systems and networks. These criteria help organizations
effectively monitor and evaluate their system security posture, detect potential security incidents, and ensure
compliance with security policies and standards. Here are some common monitoring criteria for computer
system security:
1. Availability: Measures the accessibility and uptime of critical systems and services. Availability monitoring
criteria include:
 System uptime percentage
 Downtime duration
 Mean time to repair (MTTR)
 Service-level agreements (SLAs) compliance
2. Integrity: Ensures the accuracy, consistency, and reliability of data and resources. Integrity monitoring criteria
include:
 File integrity checks (e.g., checksum verification)
 Database integrity checks
 Configuration file integrity
 Digital signatures verification
3. Confidentiality: Protects sensitive information from unauthorized access, disclosure, or theft. Confidentiality
monitoring criteria include:
 Access control logs
 User authentication attempts
 Encryption status (e.g., SSL/TLS usage)
 Data leakage prevention (DLP) alerts
4. Authentication and Authorization: Verifies the identity of users and controls their access to resources.
Monitoring criteria for authentication and authorization include:
 Successful and failed login attempts
 User account lockouts
 Privileged access usage
 Role-based access control (RBAC) violations
5. Security Events: Monitors for security-related events and anomalies that may indicate potential security
incidents. Security event monitoring criteria include:
 Intrusion detection system (IDS) alerts
 Firewall logs
 Antivirus/anti-malware detections
 Anomalous network traffic patterns
6. Compliance: Ensures adherence to security policies, regulations, and industry standards. Compliance monitoring
criteria include:
 Regulatory compliance status (e.g., GDPR, HIPAA, PCI DSS)
 Security policy violations
 Audit trail reviews
 Vulnerability assessment and remediation status
7. Performance: Evaluates the performance impact of security controls and measures on system resources.
Performance monitoring criteria include:
 CPU and memory utilization
 Network bandwidth usage
 Disk I/O rates
 Application response times
8. Incident Response: Tracks the effectiveness and efficiency of incident detection, response, and resolution
processes. Incident response monitoring criteria include:
 Incident response times
 Mean time to detect (MTTD)
 Mean time to respond (MTTR)
 Incident closure rates
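A few of the criteria above evaluated over constructed data, as an added example that is not part of the notes: failed login attempts per user and lockout candidates (authentication criteria), privileged access usage, and the incident-response metrics MTTD and MTTR. The log format, the lockout threshold and window, and the incident records are assumptions made for the demonstration.

```python
"""Computing authentication and incident-response monitoring criteria from
constructed log data. Added example; log lines, thresholds and incidents
are all constructed assumptions, not a real system's output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log, one "timestamp user event" record per line.
AUTH_LOG = """\
2024-03-04T09:00:01 alice login_failed
2024-03-04T09:00:09 alice login_failed
2024-03-04T09:00:15 alice login_failed
2024-03-04T09:00:20 alice login_failed
2024-03-04T09:00:26 alice login_failed
2024-03-04T09:01:00 bob login_ok
2024-03-04T09:05:00 bob sudo
2024-03-04T10:30:00 alice login_failed
2024-03-04T11:00:00 carol login_ok
"""

LOCKOUT_THRESHOLD = 5                    # failures ...
LOCKOUT_WINDOW = timedelta(minutes=5)    # ... within this sliding window


def parse_auth_log(text: str) -> list:
    """Turn the log text into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def failed_logins_per_user(events: list) -> dict:
    """Total failed login attempts, keyed by user."""
    counts = defaultdict(int)
    for _, user, event in events:
        if event == "login_failed":
            counts[user] += 1
    return dict(counts)


def lockout_candidates(events: list) -> set:
    """Users whose failures reached LOCKOUT_THRESHOLD inside LOCKOUT_WINDOW."""
    locked = set()
    recent = defaultdict(list)          # per-user timestamps still in the window
    for ts, user, event in events:
        if event != "login_failed":
            continue
        window = recent[user]
        window.append(ts)
        while window and ts - window[0] > LOCKOUT_WINDOW:
            window.pop(0)               # expire failures older than the window
        if len(window) >= LOCKOUT_THRESHOLD:
            locked.add(user)
    return locked


def privileged_access_usage(events: list) -> list:
    """Users who invoked privilege escalation (sudo events)."""
    return sorted({user for _, user, event in events if event == "sudo"})


# Constructed incident records: (occurred, detected, resolved).
INCIDENTS = [
    (datetime(2024, 3, 1, 8), datetime(2024, 3, 1, 10), datetime(2024, 3, 1, 14)),
    (datetime(2024, 3, 2, 20), datetime(2024, 3, 3, 2), datetime(2024, 3, 3, 4)),
]


def _mean_gap(incidents: list, start: int, end: int) -> timedelta:
    gaps = [inc[end] - inc[start] for inc in incidents]
    return sum(gaps, timedelta()) / len(gaps)


def mttd(incidents: list) -> timedelta:
    """Mean time to detect: occurrence to detection."""
    return _mean_gap(incidents, 0, 1)


def mttr(incidents: list) -> timedelta:
    """Mean time to respond, measured here as detection to resolution."""
    return _mean_gap(incidents, 1, 2)


if __name__ == "__main__":
    evs = parse_auth_log(AUTH_LOG)
    print("failed logins:", failed_logins_per_user(evs))
    print("lockout candidates:", lockout_candidates(evs))
    print("privileged access:", privileged_access_usage(evs))
    print("MTTD:", mttd(INCIDENTS), "MTTR:", mttr(INCIDENTS))
```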

Updating and overhauling of security systems

Updating and overhauling security systems is a critical process that involves enhancing and modernizing existing
security measures to address emerging threats, vulnerabilities, and technological advancements. Here's a detailed
discussion on updating and overhauling security systems:
1. Assessment of Current Security Systems:
 Begin by conducting a comprehensive assessment of the organization's current security systems,
including hardware, software, policies, and procedures.
• Identify strengths, weaknesses, gaps, and areas for improvement in the existing security infrastructure.
• Evaluate the effectiveness of current security controls in mitigating risks and protecting assets.
2. Identifying Security Requirements and Objectives:
• Define security requirements and objectives based on business needs, regulatory compliance, industry standards, and emerging threats.
• Determine the level of security needed to protect sensitive data, critical systems, and intellectual property.
• Establish clear goals and priorities for updating and overhauling security systems.
3. Incorporating Emerging Technologies:
• Stay abreast of emerging technologies and security trends to leverage innovative solutions for enhancing security posture.
• Consider implementing advanced technologies such as artificial intelligence (AI), machine learning (ML), blockchain, and biometrics to augment existing security measures.
• Evaluate the feasibility and suitability of new technologies based on organizational requirements and budget constraints.
4. Updating Security Policies and Procedures:
• Review and update security policies, procedures, and guidelines to reflect changes in technology, regulations, and business operations.
• Ensure that security policies are comprehensive, enforceable, and aligned with organizational objectives.
• Communicate updated policies and provide training to employees to promote awareness and compliance.
5. Enhancing Access Controls and Authentication Mechanisms:
• Strengthen access controls and authentication mechanisms to prevent unauthorized access to systems and sensitive data.
• Implement multifactor authentication (MFA), biometric authentication, and role-based access control (RBAC) to enhance identity verification and authorization.
• Regularly review user access privileges and enforce the principle of least privilege to minimize the risk of insider threats.
6. Upgrading Security Hardware and Software:
• Upgrade security hardware such as firewalls, intrusion detection/prevention systems (IDS/IPS), antivirus/antimalware solutions, and encryption devices to the latest versions.
• Patch and update software applications, operating systems, and firmware to address known vulnerabilities and security flaws.
• Consider migrating to cloud-based security solutions for scalability, flexibility, and centralized management.
7. Implementing Security Monitoring and Incident Response Capabilities:
• Deploy robust security monitoring tools and technologies to continuously monitor network traffic, system logs, and user activities for signs of security incidents.
• Establish incident response procedures and workflows to detect, analyze, respond to, and recover from security breaches and cyberattacks.
• Conduct regular security drills and simulations to test incident response capabilities and improve incident handling processes.
8. Collaborating with External Partners and Vendors:
• Collaborate with external partners, vendors, and security experts to leverage their expertise and resources for updating and overhauling security systems.
• Engage with industry forums, information sharing groups, and government agencies to stay informed about emerging threats and best practices in cybersecurity.
• Consider outsourcing certain security functions, such as managed security services, penetration testing, and threat intelligence, to specialized providers.
9. Compliance and Governance:
• Ensure that security updates and overhauls comply with relevant laws, regulations, and industry standards governing data protection and cybersecurity.
• Establish a governance framework to oversee the implementation of security updates, assess compliance with security policies, and monitor security performance.
• Conduct regular audits, assessments, and reviews to evaluate the effectiveness of updated security systems and address any compliance gaps or deficiencies.
10. User Education and Awareness:
• Educate employees, contractors, and stakeholders about the importance of security updates and overhauls in safeguarding organizational assets and data.
• Provide training on cybersecurity best practices, phishing awareness, password hygiene, and social engineering tactics to promote a security-conscious culture.
• Encourage employees to report security incidents, suspicious activities, and compliance violations promptly.
11. Continuous Improvement and Adaptation:
• Embrace a culture of continuous improvement and adaptation to stay ahead of evolving threats and security challenges.
• Monitor security trends, threat intelligence feeds, and incident reports to identify emerging risks and vulnerabilities.
• Regularly reassess security requirements, update security strategies, and adjust security controls to address changing business needs and threat landscapes.
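The access review in step 5 (RBAC, least privilege, MFA for privileged accounts) is the one part of this procedure that reduces to a repeatable check. The script below is an added example written for these notes, not code from any product: it takes a constructed role baseline and a constructed account snapshot (names, roles, granted permissions, MFA flag, last login) and reports permission drift beyond the role baseline, dormant accounts, privileged accounts without MFA, and accounts whose role has no baseline at all. All names, permission strings and dates are hypothetical.

```python
"""Least-privilege access review over a constructed IAM snapshot (added example)."""
from datetime import date, timedelta

# Constructed role baseline (hypothetical): the permissions each role is entitled to.
ROLE_BASELINE = {
    "analyst": {"tickets:read", "logs:read"},
    "engineer": {"tickets:read", "tickets:write", "logs:read", "servers:deploy"},
    "admin": {"tickets:read", "tickets:write", "logs:read", "servers:deploy",
              "users:manage", "audit:read"},
}

# Permissions treated as privileged: anyone holding one must have MFA enrolled.
PRIVILEGED = {"users:manage", "servers:deploy"}

# Constructed account snapshot, as it might look after parsing a directory/IAM export.
USERS = [
    {"name": "alice", "role": "analyst", "mfa": True, "last_login": date(2024, 5, 20),
     "granted": {"tickets:read", "logs:read"}},
    {"name": "bob", "role": "analyst", "mfa": True, "last_login": date(2024, 5, 18),
     "granted": {"tickets:read", "logs:read", "servers:deploy"}},   # drift: deploy right on an analyst
    {"name": "carol", "role": "admin", "mfa": False, "last_login": date(2024, 5, 21),
     "granted": {"tickets:read", "tickets:write", "logs:read", "servers:deploy",
                 "users:manage", "audit:read"}},                     # privileged but no MFA
    {"name": "dave", "role": "engineer", "mfa": True, "last_login": date(2024, 1, 5),
     "granted": {"tickets:read", "logs:read"}},                      # dormant account
    {"name": "erin", "role": "intern", "mfa": True, "last_login": date(2024, 5, 19),
     "granted": {"tickets:read"}},                                   # role with no baseline
]

REVIEW_DATE = date(2024, 5, 22)   # constructed "today" for the review run


def review_access(users, role_baseline, today, dormant_days=90, privileged=PRIVILEGED):
    """Compare each account's granted permissions against its role baseline and flag deviations."""
    cutoff = today - timedelta(days=dormant_days)
    findings = {"excess": {}, "dormant": [], "privileged_no_mfa": [], "unknown_role": []}
    for u in users:
        allowed = role_baseline.get(u["role"])
        if allowed is None:
            findings["unknown_role"].append(u["name"])   # nothing to compare against
            continue
        excess = u["granted"] - allowed                  # rights the role does not justify
        if excess:
            findings["excess"][u["name"]] = sorted(excess)
        if u["last_login"] < cutoff:
            findings["dormant"].append(u["name"])
        if u["granted"] & privileged and not u["mfa"]:
            findings["privileged_no_mfa"].append(u["name"])
    return findings


def summarize(findings):
    """One action line per finding, suitable for the access-review record."""
    lines = []
    for name, perms in findings["excess"].items():
        lines.append(f"{name}: remove {', '.join(perms)} (not in role baseline)")
    for name in findings["dormant"]:
        lines.append(f"{name}: disable or recertify (no login within review window)")
    for name in findings["privileged_no_mfa"]:
        lines.append(f"{name}: enforce MFA enrolment before next privileged use")
    for name in findings["unknown_role"]:
        lines.append(f"{name}: role has no baseline; define one before recertifying")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(review_access(USERS, ROLE_BASELINE, REVIEW_DATE))))
```

Accounts whose role is not in the baseline are reported rather than silently judged, because an access review that compares against a missing baseline would pass everything. In practice the snapshot would be exported from the identity provider and the review run on a schedule, with the summary lines attached to the recertification record.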

Generate monitoring report


Generating a monitoring report involves compiling and analyzing data collected from various monitoring tools
and sources to provide insights into the performance, health, and security of systems, networks, and applications.
Here's a step-by-step guide on how to generate a monitoring report effectively:

1. Define Report Objectives: Clarify the purpose and objectives of the monitoring report. Determine the key metrics, parameters, and indicators to be included in the report based on organizational requirements, stakeholder needs, and monitoring goals.
2. Select Data Sources: Identify the sources of data to be included in the monitoring report. This may include logs, event records, performance metrics, security alerts, and other relevant data collected from monitoring tools, systems, and devices.
3. Gather Data: Collect data from the selected sources using monitoring tools, scripts, APIs, and manual observations. Ensure that data collection methods are accurate, reliable, and representative of the monitored environment.
4. Data Aggregation and Consolidation: Aggregate and consolidate collected data to create a unified dataset for analysis. Normalize data formats, timestamps, and units of measurement to facilitate comparisons and trend analysis across different sources.
5. Data Analysis: Analyze the collected data to identify trends, patterns, anomalies, and insights related to system performance, health, and security. Use statistical analysis, visualization techniques, and trend analysis to interpret the data effectively.
6. Report Structure:
• Title Page: Include a title that clearly identifies the report as a monitoring report. Add the organization's name, date of the report, and the names of individuals involved in the monitoring process.
• Executive Summary: Provide a brief overview of key findings, trends, and observations highlighted in the report. Summarize the main insights and implications for stakeholders.
• Introduction: Introduce the scope, objectives, and methodology of the monitoring report. Describe the systems, networks, and applications monitored and the period covered by the report.
• Key Metrics and Performance Indicators: Present key performance metrics and indicators relevant to the monitoring objectives. Include graphs, charts, and tables to visualize trends and comparisons over time.
• Health Status: Assess the overall health status of monitored systems, networks, and applications based on performance metrics, availability, uptime, and incident reports.
• Security Analysis: Analyze security-related data, such as security events, alerts, vulnerabilities, and compliance status. Highlight significant security incidents, breaches, and potential risks identified during the monitoring period.
• Recommendations: Provide actionable recommendations for improving system performance, health, and security based on the findings of the monitoring report. Prioritize recommendations based on severity, impact, and feasibility of implementation.
• Conclusion: Summarize the main findings, insights, and recommendations of the monitoring report. Emphasize the importance of continuous monitoring and proactive management to maintain a robust and secure IT environment.
• Appendices: Include additional information, supporting data, methodology details, glossary of terms, and references as needed.
7. Review and Validation: Review the monitoring report for accuracy, completeness, and clarity. Validate findings and conclusions with subject matter experts, stakeholders, and relevant teams to ensure the integrity of the report.
8. Presentation and Distribution: Present the monitoring report to key stakeholders, including IT management, security teams, and business leaders. Distribute the report electronically or in print format and facilitate discussions to address questions, concerns, and action items identified in the report.
9. Follow-Up and Action Planning: Follow up on the recommendations and action items outlined in the monitoring report. Develop an action plan with timelines, responsibilities, and milestones for implementing recommended changes and improvements.
10. Continuous Monitoring and Reporting: Establish a process for ongoing monitoring and reporting to track progress, measure outcomes, and adapt to changing conditions. Regularly update and iterate the monitoring report to reflect new insights, trends, and developments over time.
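Steps 2 to 6 above (select sources, gather, normalize, analyze, lay out the report) can be exercised end to end on a small dataset. The script below is an added example written for these notes, not output from any monitoring product: it takes two constructed log sources in different formats (sshd lines in local time without a year or zone, and JSON-lines HTTP health checks in UTC), normalizes both to UTC timestamps, computes failed-login counts, availability and average latency, flags a burst of failed logins for one user from one address, and renders the result into the report sections listed in step 6. The hostnames, addresses, timestamps and the assumed +03:00 local offset are all constructed.

```python
"""Monitoring-report generator over two constructed log sources (added example)."""
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input: sshd auth lines in local time (syslog carries no year or zone).
AUTH_LOG = """\
May 21 08:01:12 web01 sshd[2201]: Failed password for bob from 203.0.113.5 port 40122 ssh2
May 21 08:01:15 web01 sshd[2201]: Failed password for bob from 203.0.113.5 port 40124 ssh2
May 21 08:01:19 web01 sshd[2201]: Failed password for bob from 203.0.113.5 port 40126 ssh2
May 21 08:01:24 web01 sshd[2201]: Failed password for bob from 203.0.113.5 port 40128 ssh2
May 21 08:02:00 web01 sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
May 21 09:15:42 web01 sshd[2333]: Failed password for root from 203.0.113.9 port 40200 ssh2
"""

# Constructed sample input: JSON-lines HTTP health checks from a monitoring agent (UTC).
HEALTH_LOG = """\
{"ts": "2024-05-21T05:00:00Z", "host": "web01", "check": "http", "status": "up", "latency_ms": 120}
{"ts": "2024-05-21T05:05:00Z", "host": "web01", "check": "http", "status": "up", "latency_ms": 135}
{"ts": "2024-05-21T05:10:00Z", "host": "web01", "check": "http", "status": "down", "latency_ms": null}
{"ts": "2024-05-21T05:15:00Z", "host": "web01", "check": "http", "status": "up", "latency_ms": 140}
"""

SYSLOG_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<proc>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed password|Accepted \w+) for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<ip>\S+)")


def parse_auth(text, year, local_tz):
    """Step 4: normalize syslog auth lines to UTC-stamped event dicts."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        a = AUTH_RE.match(m["msg"]) if m else None
        if not a:
            continue  # not a login outcome line; skipped rather than guessed at
        local = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S").replace(tzinfo=local_tz)
        events.append({"ts": local.astimezone(timezone.utc), "host": m["host"],
                       "user": a["user"], "ip": a["ip"],
                       "ok": a["result"].startswith("Accepted")})
    return events


def parse_health(text):
    """Step 4: parse JSON-lines health checks; their timestamps are already UTC."""
    checks = []
    for line in text.splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        checks.append(rec)
    return checks


def analyze(auth_events, checks, window=timedelta(minutes=1), threshold=3):
    """Step 5: derive metrics and flag anomalies from the unified dataset."""
    failed = [e for e in auth_events if not e["ok"]]
    latencies = [c["latency_ms"] for c in checks if c["latency_ms"] is not None]
    metrics = {
        "auth_events": len(auth_events),
        "failed_logins": len(failed),
        "failed_by_user": dict(Counter(e["user"] for e in failed)),
        "availability_pct": round(100.0 * sum(c["status"] == "up" for c in checks) / len(checks), 1),
        "avg_latency_ms": round(sum(latencies) / len(latencies), 1),
    }
    # Anomaly: `threshold` or more failures for the same (user, source IP) inside `window`.
    stamps_by_key = defaultdict(list)
    for e in failed:
        stamps_by_key[(e["user"], e["ip"])].append(e["ts"])
    bursts = []
    for (user, ip), stamps in stamps_by_key.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                bursts.append({"user": user, "ip": ip, "count": j - i + 1, "start": stamps[i]})
                break
    findings = {"bursts": bursts,
                "privileged_failures": [e for e in failed if e["user"] == "root"],
                "downtime_checks": [c for c in checks if c["status"] != "up"]}
    return metrics, findings


def render_report(metrics, findings, period):
    """Step 6: lay the results out in the section order used in the notes."""
    lines = [f"MONITORING REPORT ({period})", "", "Executive Summary",
             f"  {metrics['failed_logins']} failed logins, {len(findings['bursts'])} burst(s) flagged, "
             f"availability {metrics['availability_pct']}%.", "",
             "Key Metrics", f"  auth events: {metrics['auth_events']}",
             f"  avg HTTP latency: {metrics['avg_latency_ms']} ms", "", "Health Status"]
    for c in findings["downtime_checks"]:
        lines.append(f"  {c['ts']:%Y-%m-%d %H:%M}Z {c['host']} {c['check']} was {c['status']}")
    lines += ["", "Security Analysis"]
    for b in findings["bursts"]:
        lines.append(f"  {b['count']} failed logins for '{b['user']}' from {b['ip']} "
                     f"starting {b['start']:%Y-%m-%d %H:%M:%S}Z")
    for e in findings["privileged_failures"]:
        lines.append(f"  failed login for privileged account 'root' from {e['ip']}")
    lines += ["", "Recommendations"]
    if findings["bursts"]:
        lines.append("  Review the flagged source addresses; consider rate limiting on sshd.")
    if findings["privileged_failures"]:
        lines.append("  Disable direct root SSH login; grant admin access through sudo instead.")
    if findings["downtime_checks"]:
        lines.append("  Correlate the HTTP outage window with deploys and incident tickets.")
    return "\n".join(lines)


def build_report():
    auth = parse_auth(AUTH_LOG, 2024, timezone(timedelta(hours=3)))   # assumed local offset
    metrics, findings = analyze(auth, parse_health(HEALTH_LOG))
    return metrics, findings, render_report(metrics, findings, "2024-05-21")


if __name__ == "__main__":
    print(build_report()[2])
```

The timestamp normalization is the step most often skipped: once both sources are in UTC, the failed-login burst at 05:01Z and the HTTP check that went down at 05:10Z can be placed on one timeline, which is what makes the Security Analysis and Health Status sections comparable. The burst rule is a sliding window over sorted timestamps per (user, address) pair, so it reports one finding per pair rather than one per line.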
