1_ IT Security Concept

Date post: 20-Feb-2018
Upload: hemasundarc

Transcript
  • 7/24/2019 1_ IT Security Concept

    IT Security Concepts

    D. Chakravarty

    Advanced Level Telecom Training Centre, Ghaziabad

    12/19/2013 Course Name / Topic Name

    Times of India: 02 Oct, 2013

    Information Security

    ISO/IEC 27001:2013 defines this as the preservation of:

    Confidentiality: Ensuring that information is accessible only to those authorized to have access

    Integrity: Safeguarding the accuracy and completeness of information and processing methods

    Availability: Ensuring that authorized users have access to information and associated assets when required

    [Diagram: Confidentiality, Availability and Integrity, with the labels "Very good", "Difficult to maintain" and "Difficult to maintain"]

    Information Security Threats

    Motives for attack

    Intelligence

    Financial Gain

    Bragging Rights / trophies

    Gaining Access

    Thrill

    Political Hacktivism

    Fun and Games

    Classification of Info Security Threats

    Transmission Threats: Eavesdropping/Sniffers, Emanations, DoS, Covert channel, Spoofing, Tunneling, Masquerading/man-in-the-middle attacks

    Malicious Code Threats: Virus, Worms, Trojans, Spyware/adware, Logic Bombs, Backdoors

    Password Threats: Password crackers

    Social Engineering: Dumpster diving, Impersonation, Shoulder surfing

    Physical Threats: Physical access, Spying

    Application Threats: Buffer overflows, SQL Injection, Cross-site Scripting

    Improper Usage/Unauthorized Access: Hackers (Greyhats, Whitehats, Blackhats), Internal intruders, Defacement, Open Proxy, Spam, Phishing

    Other Threats: Data remanence, Mobile code

    How to Secure Information?

    It involves security at all levels, viz.:

    Network

    OS

    Application

    Data

    Hacking is not difficult

    Attack tools are available

    Ready-made exploits

    Attack Tools (e.g.)

    Port Scanners (Fport, Hping2, ...)

    Vulnerability Scanners (Retina)

    Password Crackers (John the Ripper, ...)

    Security Attacks

    Gather Information: ping, dig, finger, tracert

    Find vulnerabilities

    Start with mild tools

    Security Incidents - Reasons

    Malware (Malicious Codes)

    Known Vulnerabilities

    Configuration Errors

    Various Malicious Codes

    Virus

    Worms

    Trojan Horses

    Bots

    Key Loggers

    Some Known Vulnerabilities

    Window of time from patch availability to outbreak is shrinking

    Nimda: Patch MS00-078 released Oct. 17, 2000; outbreak Sept. 18, 2001; window 336 days

    Slammer: Patch MS02-039 released Jul. 24, 2002; outbreak Jan. 25, 2003; window 185 days

    MSBlaster.A: Patch MS03-026 released Jul. 16, 2003; outbreak Aug. 11, 2003; window 26 days

    Vulnerable Configurations

    Default Accounts

    Default Passwords

    Unnecessary Services

    Remote Access

    Logging and Audit Disabled

    IT Security Management

    1. Start With a Focused Methodology

    2. Evaluate the Organization's IT Infrastructure

    3. Explore Departmental and IT Controls

    4. Identify Gaps and Establish Controls

    Create Usage Policy Statements

    Outline Users' Roles and Responsibilities

    Identify specific actions that can result in punitive actions; actions and methods to avoid them should be articulated.

    Outline Partner Use Statement

    Outline Administrator Use Statement

    Conduct A Risk Analysis

    Identify Risk to Network, Network Resources and Data.

    Identify Portions of the Network, Assign a threat rating to each portion and apply appropriate level of security.

    Assign each network resource Low, Medium or High Risk Level

    Identify the types of Users for each resource

    Monitoring Security of Network

    Monitor for any changes in Configuration of High-risk Devices

    Monitor Failed Login Attempts

    Unusual Traffic

    Changes to the Firewall Configuration

    Connection setups through Firewalls

    Monitor Server Logs

    Approach to Info Security: Defense in Depth

    Security at Network Level

    Firewalls, IDS and IPS are used for Perimeter Defense

    Access Control Policy is Implemented.

    Control all internal and external traffic.

    Security at OS Level

    Keep up-to-date Security Patches and update releases for OS

    Install up-to-date Antivirus Software

    Harden OS by turning off unnecessary clients, Services and features

    Security at Application Level

    Keep up-to-date Security Patches and update releases for Application Package

    Don't Install Programs of unknown origin

    Precautions with Emails

    Protection from Phishing attacks

    Securing Web Browsers

    Security at Database Level

    User Management

    Password Management

    Managing Allocation of Resources to Users

    Backup and Recovery

    Auditing

    Password Management

    User

    Password expiration and aging

    Password verification

    Password history

    Account locking

    Setting up profiles

    Setting Resource Limits

    Number of Concurrent Sessions

    Elapsed Connect Time

    Period of Inactive Time

    Backup and Recovery Issues

    Protect the database from numerous types of failures

    Increase Mean-Time-Between-Failures (MTBF)

    Decrease Mean-Time-To-Recover (MTTR)

    Minimize Data Loss

    Auditing

    Auditing is the monitoring of selected user database actions and is used to:

    Investigate suspicious database activity

    Manage your audit trail

    Monitor the growth of the audit trail

    Protect the audit trail from unauthorized access

    Audit vs. Assessment vs. Pen Test

    Audits

    Auditing compares current practices against a set of standards. Industry groups or security institutions may create those standards. Organizational management is responsible for demonstrating that the standards they adopt are appropriate for their organization.

    Assessments

    An assessment is a study to locate security vulnerabilities and identify corrective actions. An assessment differs from an audit by not having a set of standards to test against. It differs from a penetration test by providing the tester with full access to the systems being tested.

    Penetration Testing

    A set of procedures designed to bypass the security controls of a system or organization

    Real-life test of the organization's exposure to known security threats

    Performed to uncover the security weakness of a system

    Focuses on exploiting network and systems vulnerabilities that an unauthorized user would exploit

    Summary of Action Plan

    Secure Physical Access

    Remove Unnecessary Services

    Antivirus Software

    Secure Perimeter

    Apply Patches in Time

    Data Backup

    Encrypt Sensitive Data

    Install IDS

    Proper Network Administration

    Proper Monitoring

    BSNL Information Security Policy

    BSNL has formulated its Information Security Policy and circulated it for implementation during December 2008. The BISP consists of two sections:

    Section A:

    This provides the directives and policies that would be followed in ICT facilities within BSNL to provide a secure computing environment for BSNL employees and business to run. The policies are formulated around 11 domains of security. These are:

    BSNL Information Security Policy

    Section A

    1. Information Classification and Control

    2. Physical and Environmental Security

    3. Personnel Security

    4. Logical Access Control

    5. Computing Environment Management

    6. Network Security

    7. Internet Security

    8. System Development and Maintenance

    9. Business Continuity Planning

    10. Compliance

    11. Third Party and Outsourcing Services

    BSNL Information Security Policy

    Section B

    This provides the technical solution support to the policies mentioned within the policy document. It is intended to allow policy makers and architects within BSNL to prepare solutions around the various security requirements as proposed in Section A.

    THANK YOU!