7/24/2019 1_ IT Security Concept
IT Security Concepts
D. Chakravarty,
Advanced Level Telecom Training Centre, Ghaziabad
222 12/19/2013 Course Name / Topic Name
Times of India: 02 Oct, 2013
Information Security
ISO/IEC 27001:2013 defines this as the preservation of:
Confidentiality: Ensuring that information is accessible only to those authorized to have access
Integrity: Safeguarding the accuracy and completeness of information and processing methods
Availability: Ensuring that authorized users have access to information and associated assets when required
[Figure: Confidentiality, Availability, Integrity; labels: Very good, Difficult to maintain, Difficult to maintain]
Information Security Threats
Motives for attack
Intelligence
Financial Gain
Bragging Rights / trophies
Gaining Access
Thrill
Political Hacktivism
Fun and Games
Classification of Info Security Threats
Transmission Threats: Eavesdropping/Sniffers, Emanations, DoS, Covert channel, Spoofing, Tunneling, Masquerading/man-in-the-middle attacks
Malicious Code Threats: Virus, Worms, Trojans, Spyware/adware, Logic Bombs, Backdoors
Password Threats: Password crackers
Social engineering: Dumpster diving, Impersonation, Shoulder surfing
Physical Threats: Physical access, Spying
Application Threats: Buffer overflows, SQL Injection, Cross-site Scripting
Improper usage/Un-authorized access: Hackers: Greyhats, Whitehats, Blackhats, Internal intruders, Defacement, Open Proxy, Spam, Phishing
Other Threats: Data remanence, Mobile code
How to Secure Information?
It involves security at all levels, viz.:
Network
OS
Application
Data
Hacking is not difficult
Attack tools are available
Ready made exploits
Attack Tools (e.g.):
Port Scanners (Fport, Hping2, ...)
Vulnerability Scanners (Retina)
Password Crackers (John the Ripper, ...)
Security Attacks
Gather Information: ping, dig, finger, tracert
Find vulnerabilities
Start with mild tools
Security Incidents - Reasons
Malware (Malicious Codes)
Known Vulnerabilities
Configuration Errors
Various Malicious Codes
Virus
Worms
Trojan Horses
Bots
Key Loggers
Some Known Vulnerabilities
Window of time from patch availability to outbreak is shrinking
Nimda: Patch MS00-078, Oct. 17, 2000; outbreak Sept. 18, 2001; window 336 days
Slammer: Patch MS02-039, Jul. 24, 2002; outbreak Jan. 25, 2003; window 185 days
MSBlaster.A: Patch MS03-026, Jul. 16, 2003; outbreak Aug. 11, 2003; window 26 days
Vulnerable Configurations
Default Accounts
Default Passwords
Unnecessary Services
Remote Access
Logging and Audit Disabled
IT Security Management
1. Start With a Focused Methodology
2. Evaluate the Organization's IT Infrastructure
3. Explore Departmental and IT Controls
4. Identify Gaps and Establish Controls
Create Usage Policy Statements
Outline Users' Roles and Responsibilities
Identify specific actions that can result in punitive actions; actions and methods to avoid them should be articulated.
Outline Partner Use Statement
Outline Administrator Use Statement
Conduct A Risk Analysis
Identify Risk to Network, Network Resources and Data.
Identify Portions of the Network, assign a threat rating to each portion and apply the appropriate level of security.
Assign each network resource a Low, Medium or High Risk Level
Identify the types of Users for each resource
Monitoring Security of Network
Monitor for any changes in Configuration of High-risk Devices
Monitor Failed Login Attempts
Unusual Traffic
Changes to the Firewall Configuration
Connection setups through Firewalls
Monitor Server Logs
Approach to Info Security: Defense in Depth
Security at Network Level
Firewalls, IDS and IPS are used for Perimeter Defense
Access Control Policy is Implemented.
Control all internal and external traffic.
Security at OS Level
Keep up-to-date Security Patches and update releases for OS
Install up-to-date Antivirus Software
Harden OS by turning off unnecessary clients, services and features
Security at Application Level
Keep up-to-date Security Patches and update releases for Application Package
Don't Install Programs of unknown origin
Precautions with Emails
Protection from Phishing attacks
Securing Web Browsers
Security at Database Level
User Management
Password Management
Managing Allocation of Resources to Users
Backup and Recovery
Auditing
Password Management
User
Password expiration and aging
Password verification
Password history
Account locking
Setting up profiles
Setting Resource Limits
Number of Concurrent Sessions
Elapsed Connect Time
Period of Inactive Time
Backup and Recovery Issues
Protect the database from numerous types of failures
Increase Mean-Time-Between-Failures (MTBF)
Decrease Mean-Time-To-Recover (MTTR)
Minimize Data Loss
Auditing
Auditing is the monitoring of selected user database actions and is used to:
Investigate suspicious database activity
Manage your audit trail
Monitor the growth of the audit trail
Protect the audit trail from unauthorized access
Audit vs. Assessment vs. Pen Test
Audits
Auditing compares current practices against a set of standards.
Industry groups or security institutions may create those standards.
Organizational management is responsible for demonstrating that the standards they adopt are appropriate for their organization.
Assessments
An assessment is a study to locate security vulnerabilities and identify corrective actions.
An assessment differs from an audit by not having a set of standards to test against.
It differs from a penetration test by providing the tester with full access to the systems being tested.
Penetration Testing
A set of procedures designed to bypass the security controls of a system or organization
Real-life test of the organization's exposure to known security threats
Performed to uncover the security weaknesses of a system
Focuses on exploiting network and systems vulnerabilities that an unauthorized user would exploit
Summary of Action Plan
Secure Physical Access
Remove Unnecessary Services
Antivirus Software
Secure Perimeter
Apply Patches in Time
Data Backup
Encrypt Sensitive Data
Install IDS
Proper Network Administration
Proper Monitoring
BSNL Information Security Policy
BSNL has formulated its Information Security Policy and circulated it for implementation during December 2008. The BISP consists of two sections:
Section A:
This provides the directives and policies that would be followed in ICT facilities within BSNL to provide a secure computing environment for BSNL employees and business to run. The policies are formulated around 11 domains of security. These are:
1. Information Classification and Control
2. Physical and Environmental Security
3. Personnel Security
4. Logical Access Control
5. Computing Environment Management
6. Network Security
7. Internet Security
8. System Development and Maintenance
9. Business Continuity Planning
10. Compliance
11. Third Party and Outsourcing Services
Section B:
This provides the technical solution support to the policies mentioned within the policy document. It is intended to allow policy makers and architects within BSNL to prepare solutions around the various security requirements as proposed in Section A.
THANK YOU!