Lexcode Cyber Security Sphere

Date post: 28-Jan-2016
Page 1: Lexcode Cyber Security Sphere

LEXCODE

Information security sphere

(c) 2013 LEXCODE Regulatory Compliance Technologies Pvt. Ltd. This document may be reproduced and distributed freely. Attribution to the copyright holder is mandatory.

www.lexcode.in

End Point Security

Network Security

Application Security

Cyber Incident Response

Regulatory Compliance

Data Protection

Cyber Security Testing

Cyber Security Training

Contingency Planning

Page 2

Segments of the Lexcode Information Security Sphere

1. End-point Security

End-point security requires that each computing device on the network comply with defined security standards (patch level, anti-malware status, configuration) before it is granted network access; this posture check is the basis of network access control.

2. Network Security

Network security relates to the cyber security aspects of computer networks and network-accessible resources.

3. Application Security

Application security relates to the cyber security aspects of applications and the underlying systems.

Endpoints include laptops, desktop computers, smartphones and other communication devices, tablets, and specialized equipment such as bar code readers and point of sale (POS) terminals.

End-point security encompasses -

1. Host-based firewalls, intrusion detection systems and intrusion prevention systems,

2. Host-based anti-virus, anti-malware, anti-spyware, anti-rootkit and anti-phishing systems, pop-up blockers, spam detection systems and unified threat management systems,

3. SSL Virtual Private Networks,

4. Host Patch and Vulnerability Management,

5. Memory protection programs,

6. Control over removable memory devices, and Bluetooth security,

7. Password Management,

8. Security for Full Virtualization Technologies,

9. Media Sanitization,

10. Securing Radio Frequency Identification (RFID) Systems.

Network Security encompasses -

1. Secure authentication and identification of network users, hosts, applications, services and resources

2. Network based firewalls, intrusion detection systems and intrusion prevention systems,

3. Network based anti-virus systems, anti-malware systems, anti-spyware systems, anti-rootkit systems, unified threat management systems,

4. Network Patch and Vulnerability Management,

5. Virtual Private Networks

6. Securing Wireless Networks

7. Computer Security Log Management

8. Enterprise Telework and Remote Access Security

9. Securing WiMAX Wireless Communications

10. Network Monitoring

11. Network Policy Management

Application attacks include -

1. Input Validation attacks such as buffer overflow, cross-site scripting, SQL injection, canonicalization,

2. Authentication attacks such as network eavesdropping, brute force attacks, dictionary attacks, cookie replay, credential theft,

3. Authorization attacks such as elevation of privilege, disclosure of confidential data, data tampering, luring attacks,

4. Configuration management attacks such as unauthorized access to administration interfaces / configuration stores, retrieval of clear text configuration data, lack of individual accountability, over-privileged process & service accounts,

5. Sensitive information attacks such as access to sensitive data in storage, network eavesdropping,

6. Session management attacks such as session hijacking, session replay, man in the middle,

7. Cryptography attacks due to poor key generation or key management and weak or custom encryption,

8. Parameter manipulation attacks e.g. query string manipulation, form field / cookie / HTTP header manipulation,

9. Exception management attacks such as denial of service,

10. Auditing and logging attacks
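As an added illustration of the first category above (example code written for this page, not code from the original Lexcode document), the following Python snippet shows an input validation failure beside its fix: a login check that concatenates user input into SQL, and the same check written as a parameterised query. The in-memory database, the user records and the two attack strings are constructed for the example; passwords are kept in clear only to keep the demonstration short.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the example. Real systems store password
    # hashes, never clear-text passwords.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse battery", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Input validation failure: user-supplied text is spliced into the statement,
    # so a quote character in the input changes the SQL that actually runs.
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised statement: the values travel separately from the SQL text,
    # so the same inputs are compared literally and cannot alter the query logic.
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo() -> dict:
    conn = make_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into (...) OR TRUE
    comment_out = "alice'--"    # closes the quote, comments out the password check
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "correct horse battery"),
        "vuln_tautology": login_vulnerable(conn, "alice", tautology),
        "vuln_comment": login_vulnerable(conn, comment_out, "wrong"),
        "safe_legit": login_safe(conn, "alice", "correct horse battery"),
        "safe_tautology": login_safe(conn, "alice", tautology),
        "safe_comment": login_safe(conn, comment_out, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15} -> {'logged in' if ok else 'rejected'}")
```

The vulnerable function lets both attack strings in without a valid password; the parameterised version rejects them while still accepting the genuine credentials. The same rule applies to every interpreter that receives user input (LDAP, shell commands, XPath): keep data and code on separate channels rather than trying to escape the data.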


Page 3

4. Cyber Incident Response

Incident Response relates to the plans, policies, and procedures for handling cyber security incidents.

5. Regulatory Compliance

Regulatory Compliance relates to measures undertaken to ensure compliance with applicable laws and mandatory cyber security standards.

6. Data Protection

Data Protection relates to the cyber security aspects of protecting the confidentiality, integrity and availability of data.

Broadly speaking, Cyber Incident Response covers -

1. Organizing an Incident Response Capability

2. Preparing for and preventing Incidents

3. Detection and analysis of Incidents

4. Containment, Eradication and Recovery

5. Post Incident Activity

Specifically, Cyber Incident Response encompasses -

1. Forensic Imaging & Cloning,

2. Recovering Digital Evidence in Computer Devices,

3. Mathematical Authentication of Digital Evidence (cryptographic hashing of images and files, so that any later copy can be proved identical to what was seized),

4. Using Data from Data Files, Operating Systems, Network Traffic, Applications and Multiple Sources,

5. Analyzing Active Data, Latent Data and Archival Data,

6. Wireless, Network, Database, Password, Facebook, Google, Malware, Memory, Browser and Cell Phone Forensics,

7. Web Investigation, Investigating Emails and Investigating Server Logs,

8. Cyber Investigation & Forensics Documentation,

9. Windows Forensics, Linux Forensics and Mac Forensics.
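Items 1 and 3 above (forensic imaging and mathematical authentication of evidence) rest on one discipline: the source is hashed as it is read, the finished image is hashed again, and every later analysis re-hashes the image and compares it with the recorded value. The following Python example, added here and not part of the original document, does this for a constructed sample "device" file and then shows that a single flipped byte is detected. In a real acquisition the source would be a block device read through a write blocker, and the hashes would be recorded in the chain-of-custody documentation.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Tuple

CHUNK = 1 << 20  # read 1 MiB at a time so large images need not fit in memory


def hash_file(path: str, algo: str = "sha256") -> str:
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, dest: str) -> Tuple[str, str]:
    """Copy `source` bit for bit to `dest`.

    Returns (acquisition_hash, verification_hash): the first is computed from
    the bytes as they were read from the source, the second by re-reading the
    finished image. The two must match, otherwise the copy is not trustworthy.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest(), hash_file(dest)


def verify_image(path: str, recorded_hash: str) -> bool:
    """Re-hash an image later (before analysis, or when producing it in court)
    and compare with the hash recorded at acquisition time."""
    return hash_file(path) == recorded_hash


def demo() -> dict:
    workdir = tempfile.mkdtemp()
    try:
        source = os.path.join(workdir, "evidence_device.bin")
        image = os.path.join(workdir, "evidence.dd")
        # Constructed sample "device": 1 MiB of deterministic content. On a real
        # case the source is a block device opened read-only behind a write blocker.
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 4096)
        acq, ver = acquire_image(source, image)
        intact = verify_image(image, acq)
        # Simulate tampering after acquisition: flip one byte in the middle.
        offset = 512 * 1024
        with open(image, "r+b") as f:
            f.seek(offset)
            original = f.read(1)
            f.seek(offset)
            f.write(bytes([original[0] ^ 0xFF]))
        return {
            "acquisition_hash": acq,
            "copy_matches_source": acq == ver,
            "verified_before_tamper": intact,
            "tamper_detected": not verify_image(image, acq),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Hashing the source stream and the written copy separately matters: it distinguishes a faulty source read from a faulty write, and it gives the examiner two independent values to record. Examiners commonly record two algorithms (for instance SHA-256 alongside MD5 for legacy tooling); `hash_file` takes the algorithm name for that reason.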

Failure to meet regulatory compliance requirements can result in civil and criminal action and even imprisonment for organization heads.

Usage of consolidated and harmonized compliance controls ensures regulatory compliance without unnecessary duplication of effort and activity.

One such control system is the "Effective Compliance and Ethics Program" set out in section 8B2.1 of Chapter Eight of the Federal Sentencing Guidelines Manual issued by the United States Sentencing Commission.

Another is AS 3806-2006, Compliance programs, issued by Standards Australia. It provides guidance on -

1. the principles of effective management of an organization's compliance with its legal obligations, as well as any other relevant obligations such as industry and organizational standards,

2. principles of good governance and accepted community and ethical norms.

The principles cover -

1. commitment to achieving compliance,

2. implementation of a compliance program,

3. monitoring and measuring of compliance, and

4. continual improvement.

From a Data Protection perspective, data exists in three states - data at rest (in storage), data in motion (crossing a network) and data in use (being processed on a running system) - and each state needs its own controls.

Critical and confidential data includes source code, product design documents, process documentation, internal price lists, financial documents, strategic planning documents, due diligence research for mergers and acquisitions, employee information, customer data such as credit card numbers, medical records, financial statements etc.

Data Loss Prevention solutions -

1. identify confidential data,

2. track that data as it moves through and out of enterprise and

3. prevent unauthorized disclosure of data by creating and enforcing disclosure policies.
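Step 1 above, identifying confidential data, is where a DLP deployment earns or loses trust: matching on "sixteen digits" alone floods operators with order numbers and ticket references. The following Python example, added here and not taken from the original document or from any DLP product, detects payment card numbers with a pattern plus the Luhn checksum, classifies a message under an assumed policy, and masks the validated numbers as the enforcement action. The sample messages are constructed for the example and contain only publicly known test card numbers.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
CARD_PATTERN = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the normalised (separator-free) card numbers that pass the checksum."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> str:
    # Policy assumed for the example: one validated card number is enough to
    # make the message confidential; everything else is treated as internal.
    return "confidential" if find_card_numbers(text) else "internal"


def redact(text: str) -> str:
    """Enforcement action: mask all but the last four digits of each validated number."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # leave non-card digit runs untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_PATTERN.sub(mask, text)


# Constructed sample messages (not real customer data).
SAMPLE_MESSAGES = {
    "refund": "Please refund card 4111 1111 1111 1111 for order 1234567890123456, thanks.",
    "ticket": "Ticket 9876543210123 escalated; call 020 1234 5678 for details.",
    "export": "Backup contains 5555-5555-5555-4444 and 4111111111111112 as test rows.",
}


def scan_all() -> dict:
    return {name: (classify(text), find_card_numbers(text))
            for name, text in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, (label, hits) in scan_all().items():
        print(f"{name}: {label} {hits}")
        if hits:
            print("  redacted:", redact(SAMPLE_MESSAGES[name]))
```

The order number in the first message and the ticket reference in the second are sixteen and thirteen digits long, so a bare pattern would flag both; the checksum drops them and keeps only the genuine card numbers. The same structure (pattern, then a validator, then a policy decision) carries over to other identifiers with check digits, and for free-text secrets such as source code the validator is replaced by fingerprinting of the documents themselves.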

Various encryption technologies such as symmetric encryption, public key encryption and full disk encryption can be used for data protection, matched to the state of the data: full disk encryption protects data at rest on a lost or stolen device, but not data in motion or data in use on a running, unlocked system, which need transport encryption and access control respectively.

A data protection policy involves -

1. Instituting good security and privacy policies for collecting, using and storing sensitive information.

2. Using strong encryption for data storage.

3. Limiting access to sensitive data.

4. Safely purging old or outdated sensitive information.

Page 4

7. Cyber Security Training

Cyber Security Training is a formal process for educating personnel about cyber security and building relevant skills and competencies.

8. Cyber Security Testing

Cyber Security Testing is the process of ascertaining how effectively the entity meets specific cyber security objectives.

9. Contingency Planning

Contingency planning revolves around preparing for unexpected and potentially unfavourable events that are likely to have an adverse impact.

Cyber Security Training ensures that relevant personnel understand their cyber security responsibilities. This enables them to properly use and protect the information and resources entrusted to them.

Effective cyber security training must include -

1. Real-world training on systems that emulate the live environment,

2. Continual training capability for routine training,

3. Timely exposure to new threat scenarios,

4. Exposure to updated scenarios reflecting the current threat environment,

5. Coverage of basic day-to-day practices required by the users.

Cyber Security Testing encompasses -

1. Review Techniques, which include Documentation Review, Log Review, Ruleset Review, System Configuration Review, Network Sniffing and File Integrity Checking,

2. Target Identification and Analysis Techniques, which include Network Discovery, Network Port and Service Identification, Vulnerability Scanning, Active & Passive Wireless Scanning, Wireless Device Location Tracking and Bluetooth Scanning,

3. Target Vulnerability Validation Techniques, which include Password Cracking, Penetration Testing and Social Engineering,

4. Security Assessment Planning which includes Developing a Security Assessment Policy, Prioritizing and Scheduling Assessments, Selecting and Customizing Techniques, Assessment Logistics, Assessor Selection and Skills, Location Selection, Technical Tools and Resources Selection, Assessment Plan Development and Legal Considerations,

5. Security Assessment Execution which includes Coordination, Assessing, Analysis, Data Handling, Data Collection, Data Storage, Data Transmission and Data Destruction,

6. Post Testing Activities, which include Mitigation Recommendations, Reporting and Remediation/Mitigation.
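Of the review techniques in item 1, ruleset review is the one most easily automated, and it is where the cheapest findings usually sit. The following Python example, added here and not drawn from the original document, reviews a constructed firewall policy export for four common findings: an any-to-any allow, management ports reachable from any source, cleartext management protocols, and shadowed rules that can never match because an earlier rule already covers them. The rule format, the port lists and the sample rules are assumptions made for the example; it handles IPv4 only and assumes first-match-wins evaluation.

```python
import ipaddress

# Ports treated as management services and as cleartext protocols. Assumed
# lists for the example; adjust them to the environment's own standards.
MGMT_PORTS = {22, 23, 3389, 5900}
CLEARTEXT_PORTS = {21, 23}


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def _covers(outer: dict, inner: dict) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (
        _net(outer["src"]).supernet_of(_net(inner["src"]))
        and _net(outer["dst"]).supernet_of(_net(inner["dst"]))
        and outer["proto"] in ("any", inner["proto"])
        and outer["dport"] in ("any", inner["dport"])
    )


def review_ruleset(rules: list) -> list:
    """Return (rule_index, finding_code, explanation) tuples in rule order."""
    findings = []
    for i, rule in enumerate(rules):
        src_any = _net(rule["src"]).prefixlen == 0
        dst_any = _net(rule["dst"]).prefixlen == 0
        if rule["action"] == "ACCEPT":
            if src_any and dst_any and rule["proto"] == "any" and rule["dport"] == "any":
                findings.append((i, "ANY_ANY_ALLOW",
                                 "permits all traffic from anywhere to anywhere"))
            if src_any and rule["dport"] in MGMT_PORTS:
                findings.append((i, "MGMT_EXPOSED",
                                 f"management port {rule['dport']} reachable from any source"))
            if rule["dport"] in CLEARTEXT_PORTS:
                findings.append((i, "CLEARTEXT_SERVICE",
                                 f"port {rule['dport']} carries credentials in clear"))
        # First-match semantics: a rule fully covered by an earlier one is dead,
        # and a dead DROP means the intended block is not actually enforced.
        for j in range(i):
            if _covers(rules[j], rule):
                findings.append((i, "SHADOWED",
                                 f"never matched; rule {j} ({rules[j]['action']}) already covers it"))
                break
    return findings


# Constructed sample policy export, evaluated top to bottom, first match wins.
SAMPLE_RULES = [
    {"action": "ACCEPT", "proto": "tcp", "src": "10.0.0.0/8", "dst": "10.1.2.3/32", "dport": 443},
    {"action": "ACCEPT", "proto": "tcp", "src": "any", "dst": "10.1.2.10/32", "dport": 22},
    {"action": "ACCEPT", "proto": "tcp", "src": "any", "dst": "10.1.2.10/32", "dport": 23},
    {"action": "ACCEPT", "proto": "any", "src": "any", "dst": "any", "dport": "any"},
    {"action": "DROP", "proto": "tcp", "src": "any", "dst": "10.1.2.3/32", "dport": 3389},
    {"action": "DROP", "proto": "any", "src": "any", "dst": "any", "dport": "any"},
]


if __name__ == "__main__":
    for idx, code, why in review_ruleset(SAMPLE_RULES):
        print(f"rule {idx}: {code}: {why}")
```

On the sample policy the any-to-any allow at rule 3 is the headline finding, but the shadow check explains its real cost: the RDP block at rule 4 and the default deny at rule 5 are both unreachable, so the firewall is effectively open. A production review would also feed the findings back against change tickets, since a shadowed rule often marks a change that was applied in the wrong order.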

Types of Contingency Plans are -

1. Business Continuity Plan

2. Continuity of Operations Plan

3. Crisis Communications Plan

4. Critical Infrastructure Protection Plan

5. Cyber Incident Response Plan

6. Disaster Recovery Plan

7. Information System Contingency Plan

8. Occupant Emergency Plan

Stages in the Information System Contingency Planning Process are -

1. Developing the Contingency Planning Policy Statement

2. Conducting the Business Impact Analysis

3. Identifying Preventive Controls

4. Creating Contingency Strategies

5. Plan Testing, Training, and Exercises

6. Plan Maintenance

Page 5

LEXCODE Regulatory Compliance Technologies Pvt. Ltd.

Incubated by Science & Technology Park, promoted by the Department of Science and Technology, Government of India

Contact us at: Science and Technology Park, University of Pune, Pune 411007

www.lexcode.in

