
Extracts of the Minutes of Fifth ExecCom (2006-’07) held on 31st March, 2007 at Delhi

(Venue : Guru Gobind Singh Indraprastha University, Delhi)

Eleven ExecCom Members, nine Special Invitees and one from the Secretariat attended the meeting.

Mr. Lalit K Sawhney, President, called the meeting to order. He welcomed Prof. K K Aggarwal, the incoming President, and his newly elected team, and all others present, to the fifth meeting of the ExecCom for the year 2006-07. He thanked all the outgoing members of the ExecCom and others concerned for their active cooperation and assistance in collectively carrying out the objectives of the Society during his tenure as President.

The items on the agenda were thereafter taken up for consideration.

President briefly gave some highlights of the efforts made during the year in different areas, especially in improving the infrastructure, focused on enhancing the visibility and image of a resurgent CSI. He mentioned that the situation had changed significantly in the country during the last few years, that the Society needs to be fully geared to face the present and emerging challenges and expectations of the membership, and that he was quite confident that Prof K K Aggarwal and his new team would accept the responsibilities with greater vigour.

President referred to the minutes of the last meeting of the ExecCom held on 8th January, 2007 at Hyderabad and invited comments, if any, from members. There being no comments from any member, ExecCom approved and confirmed the minutes and took them on record.

CSI-2007 update : Prof Swarnalatha Rao gave a PowerPoint presentation on the CSI-2007 Annual National Convention proposed to be held at Bangalore.

HQ Budget Update : Mr. Satish Doshi, Hon Treasurer, apprised members of the actual income and expenditure figures of various items for the period 1st April 2006 to 28th February 2007 vis-à-vis the budget and mentioned that, though there were some items of concern, overall there had been considerable improvement in performance and achievement compared to the same period of last year.

President informed the ExecCom that DSIR, Delhi has recently granted recognition to CSI as a scientific and research organisation for the 3 year period 2006 to 2009, on the basis of which CSI will seek approval of the Director General of Income-Tax (Exemptions), Kolkata to avail of income-tax exemption as in the past.

Education Directorate Budget Update : Mr S Sudharssanam, Advisor, CSI Education Directorate, apprised members of the actual performance and achievements of the CSI Education Directorate vis-à-vis the budget for the period 1st April 2006 to 28th March 2007 and mentioned that there was significant improvement compared to the same period of last year.

Membership status and new membership : Mr Satish Babu, Hon Secretary and Chairman, Membership Committee, informed that the new software for the membership database is in place and the problems faced earlier have been overcome to quite an extent. Further improvements are expected, barring unforeseen problems. He gave the figures of membership as on 22nd March 2007, which indicated that the total membership, including students, had increased compared with the position at the end of 31st March, 2006.

Mr. Satish Babu also read out the membership status of those chapters whose membership had fallen below 75, whereupon the ExecCom decided that:

i) Ujjain Chapter should be revoked.

ii) Hosur Chapter should be attached to Bangalore Chapter and efforts made to reactivate the Chapter. Progress should be reviewed after a year.

MOU with Institution of Engineers (IEI) : Members were informed of the MOU signed with IEI, the gist of which was read out by Mr Bipin Mehta and explained to them.

MOU with Microsoft : Mr. Bipin Mehta gave a gist of the MOU and explained the benefits arising out of the MOU to CSI, especially to the CSI Student Members.

ExecCom decided that Director (Education), the Chairman, Division-V (Education & Research) and the National Student Co-ordinator will be responsible for acting on the MOU and taking it forward.

New CSI Student Branches : ExecCom approved formation of the CSI Student Branches at the following institutions:

i) AISSMS College of Engineering, Pune
ii) Anil Neerukonda Inst. of Tech. & Sciences, Vishakapatnam
iii) G H Raisoni College of Engineering, Nagpur
iv) K S R College of Engineering, Coimbatore
v) Valliammai Engg. College, Chennai

ExecCom also ratified formation of the CSI Student Branch at IIM, Indore with less than 75 student members, approved by OBs earlier.

International Activities :

IFIP : CSI bid to host World Computer Congress-2010 : Ms Prasoona, Manager, Conf. Mgmt. Services gave a presentation on CSI’s bid to IFIP to host the World Computer Congress-2010 in India and mentioned that a two-member Site Inspection Committee of IFIP will be coming on a two-day visit to India during the 3rd week of May 2007 to see the sites offered by CSI and the other infrastructure available. The final outcome of CSI’s bid will be known only after the committee completes its visits to all the bidding countries and IFIP takes a final decision.

SEARCC : President apprised the ExecCom of the efforts made by CSI to continue SEARCC, against the backdrop of suggestions made by some SEARCC members like Australia and New Zealand to dissolve the organisation. As a result of our efforts the whole focus has now turned to continuing SEARCC and conducting its activities. A final decision on these issues will be taken at the next SEARCC Annual Convention scheduled in Bangkok in August 2007.

Status of AIC : President mentioned that, as proposed by CSI, it has been decided to dissolve AIC and disburse its funds to its members, who will continue with SEARCC, as both AIC and SEARCC have similar objectives.

CSI Education Directorate :

Status of CSI’s Chennai Building : Mr S Sudharssanam informed that

(Contd. on pg.60)

CSI Communications • August 2007

Contents : Vol. 31 No. 5, August 2007

Special Theme Issue : Information Security

Information Security – Transcending Technology… (Dr. Rama K Subramaniam) ..... 4
Establishing Secured HMAC Protocol to Enhance Broadcast Authentication in Wireless Sensor Networks (Mr. B Paramasivan, Dr. S RadhaKrishnan & Ms. S Athilakshmi) ..... 6
Cryptography-based Secure Authentication Watermarking for Binary Images (Mr. M Venkatesan, Mrs. P MeenakshiDevi, Dr. K Duraiswamy & Dr. K Thyagarajah) ..... 13
Steganography – Art of Hiding Information (Kuldeep Singh) ..... 16
Information Security Issues in Wireless Networks (Kaleem A. Usmani & Dr. Nupur Prakash) ..... 18
Towards More Effective Virus Detectors (Raghunathan Srinivasan & Partha Dasgupta) ..... 21
Captcha – A Case for Accessible Design of Information Security Systems (Sambhavi Chandrashekar & Harish Kumar Kotian) ..... 24
Information Security Auditing (R Anusooya, S A V Satya Murty, S Athinarayanan, P Swaminathan) ..... 29
Information Assurance Markup Language – IAML (Vicente Aceituno Canal) ..... 34
Information Security – Normalized Risk Assessment and Treatment Methodology (S Velmourougan & Dr. S Muttan) ..... 36
Implementing Information Security Policies – the People Perspective (P Prasannavadanan) ..... 40
Information and Network Security Aspects in e-Governance Framework (Dr. Durgesh Pant & M K Sharma) ..... 42
Managed Security Services – A Perspective (M P Badrinath) ..... 47
Incident Handling and Management (Brian Honan) ..... 50
Cyber Crime : A Criminological and Victimological Paradigm (Dr. R Thilagaraj & Dr. S Latha) ..... 56

Departments

Community Talk ..... 2
President’s Desk ..... 3

CSI Topics

Extracts of the Minutes of Fifth ExecCom (2006-’07) ..... 2nd cover
Revised Schedule for Young Talent Search ..... 41
CSI Calendar 2007 ..... 55
Extracts of the Minutes of First ExecCom (2007-’08) ..... 60
CSI Chapter News ..... 63

Executive Committee 2007-08/09

President : Prof. K K Aggarwal
Vice-President : Mr. S Mahalingam
Hon. Secretary : Mr. Satish Babu
Hon. Treasurer : Mr. Ajit Kumar Sahoo
Immd. Past President : Mr. Lalit Sawhney

Regional Vice-Presidents
Mr. M P Goel (Region I)
Mr. Rabindra Nath Lahiri (Region II)
Prof. S G Shah (Region III)
Dr. Himansu K Mohanty (Region IV)
Ms. Sudha Raju (Region V)
Mr. Milind Kshirsagar (Region VI)
Dr. S Arumugam (Region VII)
Ms. Lynette Saldanha (Region VIII)

Division Chairpersons
Prof. Swarnalatha Rao, Division-I (Hardware)
Mr. H R Mohan, Division-II (Software)
Mr. Deepak Shikarpur, Division-III (Sc. Appln.)
Dr. C R Chakravarthy, Division-IV (Communications)
Prof. H R Vishwakarma, Division-V (Edu. & Research)

Nominations Committee
Dr. R K Datta, Chairman
Mr. H S Sonawala, Member
Mr. Suresh Chandra Bhatia, Member

Chairman, Publications Committee : Mr. S Srinivasan
Chief Editor : Dr. T V Gopal
Adviser, Education Directorate : Mr S Sudharssanam
Executive Secretary : Ms. Priyalata Pal

Published by Ms. Priyalata Pal for Computer Society of India

Community Talk

What is information? This is one of the big questions computer scientists are asking. Researchers worldwide are studying several fundamental aspects of information, such as its analysis and dynamics, semantics, intelligence, nature and values. Representing, transmitting and receiving information are proving to be relatively simple problems. 'Philosophy of Information' is a new specialization that examines the notion of information in its entirety. The disappearance of network boundaries is adding a new dimension to the way the information economy evolves. The socio-cultural aspects of information are becoming crucial in the global village. The strange facet of security is that 'everything appears secure until there is a breach'. 'Information Security' is thus a very intriguing theme.

Information security is simply defined as the process of protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption. It is obviously connected to computer security and network security. Accessibility, Affordability and Assurance form the three major pillars of the process of providing information security. The accessibility pillar covers the issues of authentication, confidentiality and integrity. Risk management is an integral part of the information security process.

The ISO/IEC 17799:2005 Code of practice for information security management recommends that the following be examined during a risk assessment: security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management, and regulatory compliance.

Almost all businesses keep sensitive information in the files on their computers. A sound information security plan is built on five key principles:

• Take Stock : Know what information is stored in the files of your computers
• Scale Down : Categorize the information based on its importance
• Lock it : Protect the important information
• Pitch it : Dispose of information that is not needed
• Plan Ahead : Anticipate information security breaches and prevent them from occurring

It is little wonder, therefore, that the field of information security has grown and evolved significantly in recent years. It has become a career choice with many ways of gaining entry into the field. Universities all over the world are offering specialised programmes in this area. National and international standards are evolving. However, it is always useful to have an appropriate 'Information Security Oversight' process defined to take care of incorrect classification of information.

The Information Security Breaches Survey 2006, managed by PricewaterhouseCoopers on behalf of the UK Department of Trade and Industry (DTI), reveals that 62% of UK companies had a security incident during the year 2006. Three-fifths of these companies do not have a security policy. The scenario is not likely to be different in other countries. In India, it may be worse.

There are many independent consultants and professional bodies that are extending help and advice to individuals and businesses. Information Security Forum [http://www.securityforum.org/html/frameset.htm] is one of the world's leading independent forums on information security.

Dr. Rama K Subramaniam is one of the leading professionals in this area. I wish to place on record my sincere thanks to him for devoting quality time to compile the content for the theme section.

Gopal T V

Chief Editor

From the President’s Desk

Subject : President’s Desk
Date : 1st August, 2007

Dear Members,

Through this issue of CSI Communications, I would like to compliment one and all IT enthusiasts who are associated with the Computer Society of India, which is a premier body of IT professionals. Their dedicated efforts towards the fulfillment of the CSI Vision, IT for Masses, are very appreciable. As you are aware, the promotion of Information Technology as a profession is our top priority; our efforts towards this objective, in conducting and organizing conventions, conferences, lectures, talks/tutorials, training programmes and workshops and various competitions etc. for the benefit of young IT professionals, academicians and student members of CSI, must be reinforced from time to time.

There is an urgent need to create a robust and continuous pipeline of talent for the IT sector. There is also a need for transformation of a trainable workforce into an employable workforce for this growing sector. Taking into consideration the recent and rapid technological advances and innovative applications of the Internet, ICT has impacted our daily life. As per the forecast (from NASSCOM, Wikipedia and other sources), sales of wireless multimedia enabled devices, including personal computers and home networking gear, are expected to grow from 2.5 million units in 2006 to 5.2 million units by the year 2010. The Indian IT-BPO sector may also clock $60 billion in export revenue and $13-15 billion in domestic revenue by 2010. Consequently a large trained workforce of IT professionals is required to meet the IT industry challenges in India. CSI has a very vital role to play to meet this challenge.

Over the period of several decades, CSI has grown into a formidable society, spreading its activities all over India with 65 chapters and a number of student branches in all leading engineering colleges, besides an increasing organizational membership base. Our five divisions, i.e. Hardware, Software, Applications, Communications, and Education & Research, in association with CSI chapters, student branches and a number of Special Information Groups (SIGs), and in collaboration with other engineering institutions / organizations and societies, are coordinating various technical activities. Some of the Divisions, Regions, Chapters and student branches are doing extremely well in organizing national as well as regional level conventions, seminars, workshops and competitions with the active participation of a large number of young IT professionals and student members. I am happily tracking the activities planned by various student branches, CSI chapters, CSI divisions in various regions and the SIGs. However, there is a more strongly felt need for collaborative and team activities involving several stakeholders concurrently. More workshops may be planned, designed and organized by other Divisions / Regions for the benefit of IT professionals, practitioners and student members, preferably conducted jointly in association with other engineering societies / institutions. This will definitely help in understanding the current and urgent needs of IT professionals, academicians and the IT / ITES industry, to enable them to address some of the important problems related to Software Engineering, Hardware Engineering, Databases, Enterprise Systems and Networking, Internet and Web Technologies, IT Security, VLSI design / embedded and real time systems etc.

For the forthcoming National and Regional level conventions / conferences / workshops / seminars / technical talks on various themes which have already been planned, and tutorials at the level of CSI student branches on various technical topics, I would suggest that Divisional Chairpersons, Regional Vice Presidents, Chapter Chairmen and Student Coordinators interact with Directors / Principals of various engineering colleges and senior representatives from the IT industry in the respective Region for the active and whole-hearted support and participation of the members in these events. This will ensure participation of senior IT professionals / practitioners, computer science engineers, young IT professionals from industry, Govt institutions, academicians and student members of CSI, as well as members of local societies / institutions, to full capacity. CSI Divisions / Regions, chapters and student branches which have yet to plan activities in their respective region may accord top priority to this aspect. I feel some of the technical events on various themes already organized by other Divisions / Regions, Chapters and Student branches of CSI can even be repeated and organized by other chapters / student branches of CSI, depending upon the present and future needs of the IT industry. By organizing such activities regularly and ensuring maximum active participation / audience in all the events, we can translate the vision of CSI, “IT for Masses”, into reality.

Though a lot has been discussed / debated and presented in past National / Regional level conferences / seminars / conventions / workshops on e-governance and IT security / cyber security, we may repeat these topics at other locations for the benefit of other IT professionals / members of CSI who could not attend and participate in the lectures / discussions by the experts on the subjects.

With warm regards,

Prof. K K Aggarwal


Guest Editorial

Information Security – Transcending Technology…

Dr. Rama K Subramaniam
Chief Executive Officer, Valiant Technologies

When I was honored with the privilege of being the Guest Editor of this issue devoted to information security, I set for myself one simple objective. It was to make the contents of this issue demonstrative of the fact that information security is not just technology; that it is a combination of a number of factors including, of course, technology. The various contributors to this issue have more than made me feel that the objective is well met. Thank you, all contributors to this issue, for bringing out a strong message that information security is multi-dimensional and has multiple perspectives.

Almost ten years ago, a consular official of an EU nation was interviewing me to determine whether or not to give me a visa to visit his country and started by asking the customary ice breaker – What do you do? I told him that I was an information security professional. Unable to hide his amusement, he however demonstrated his knowledge of the subject and asked “Oh! You are the guys who do firewalls?” I responded rather hastily that firewalls were one of the things that we looked at. It looked very inappropriate to me to be told that security is all about a security product, even though it was almost a decade ago, when products clearly dominated the scene. That intrigued him and he wanted to know what “exactly” I was doing beyond firewalls. That was a time when anything to do with information technology had to be technology driven and security was no exception to that. Have we gone beyond that? Let us see as we go along and read the contributions of experts who have shared their perceptions of information security in this issue.

Early 2000. I came back to India armed with a CISSP credential after writing my examination in Washington DC. My friends in the profession asked me why I wasted time and money on something that was 'management' and not 'technology' and volunteered their genuine advice that I should not have traveled to the US but should have spent time on understanding security technology by learning to configure firewalls and AV systems. Many then believed that security was uni-dimensional and it was all about technology.

Even today, a very small percentage in the profession insists on seeing the non-existent difference between technology and management when it comes to information security. These people are certain that you cannot manage security unless you know the syntax for, let us say, configuring a given router in a particular way. I often get amused when I meet people who insist that security is directly proportional to the amount of investment in security products placed on different points in their information network. They also ask me to recommend candidates who are strong technically and not to worry about sending them people who know more of the management part of security! When I ask them what the management part of security means, most don't know how to articulate it, being victims of pedagogues who themselves perhaps did not know how to see beyond technology, especially when it came to security.

Does such a dichotomy exist? I personally think not. Security today is a combination of a number of attributes – products, processes, technology, people and attitudes. When famous bot-herders like 0x-80 say that they do not feel bad about attacking people who have no right to be on the Internet when they don't know how to put in basic defenses, we are talking of attitudes. A large number of security surveys, including the one by FBI/CSI now in its eleventh year of publication, talk of security infractions due to a variety of reasons; these clearly show us that security transcends technology.

The authors who have graciously contributed papers for publication in this issue have brought out the fact that you cannot secure an information system unless you take a holistic view of the need and the process covering what has come to be broadly referred to as security. Papers by Paramasivan et al and by Venkatesan et al bring out the hard technological dimensions of security. Both these papers have recommended harnessing the power of security technology to address some key issues that are attracting the attention of many researchers and practitioners in this area. Papers by Kuldeep Singh, Usmani and Prakash, and by Srinivasan and Dasgupta provide an excellent insight into some of the oft-discussed areas in the realm of information security. The contents of these papers clearly present the threat that surrounds our data and point to directions for relief.

Chandrasekar and Kotian, who have provided an eye-opener to many of us who have hardly considered the security implications when information technology is to be used by persons with visual impairment, bring out a unique and new dimension to security of information systems. Anusooya et al provide an insight into the process of auditing information security, while Vicente presents IAML as an alternative to the conventional control framework assessment process. These two papers, along with a paper on risk assessment by Velmourougan and Muttan, complete the E and C segments of the ECA [Evaluation-Certification-Accreditation] process. Prasannavadanan, who has clearly argued for the people dimension in information security policies, presents the non-technology factors comprised in the A of the ECA process. The ECA process has supported successful implementation of many e-commerce models, and the need to focus on trust while accrediting a system, especially when it involves e-governance, is articulated by Pant and Sharma.

Should we get into this complex thing called security, or do we outsource it? Badrinath has addressed the concerns and benefits of outsourcing security processes, a hotly debated topic today. Well; our best efforts have failed and a security infraction has occurred. What is the response? Honan has presented a detailed step-by-step guide to what needs to be done when an incident has occurred, and the paper by Thilagaraj and Latha examines security infraction from a refreshingly different angle – criminological and victimological.

Most of us in the security business today are convinced that the cycle of security operations and management does not end with an assurance report that a good ISMS is in place, adequately supported by best-of-breed technology, well trained staff and validated processes. Despite the best combination of people, process and technology, cyber infractions do take place, and the security cycle extends to collection of digital evidence and carrying out of a digital forensic investigation on any attempt to violate security. The need to make multi-perspective studies on cyber crime an integral part of information security study is a strong plea that I would like to make. I also want to use this forum to point to the absence of a comprehensive and verifiable national level survey on information security infractions in India; something on the lines of the annual surveys carried out in the UK, the US, Australia and Scandinavian countries. If the contents of this theme issue motivate one or more people to structure a study to determine the nature and extent of information security infractions in the country, this theme issue would have done a yeoman service to the information security segment of the IT industry.

About the Guest Editor

Dr. Rama Subramaniam is Chief Executive Officer of Valiant Technologies Pvt Ltd, an information security and cyber forensics consulting and educational services company. He holds a Masters Degree in Information Technology Management from the University of Lincoln, UK and a doctorate in Cyber Crime Management from the University of Madras, India. He also has the FCA, CISSP, CISA, CISM, CSQP, CEH, CHFI, Security+ and MCSE credentials. He was former Global Chair of the Education and Awareness Expert Group of GAISP, a US based initiative, and is currently Global Chair of the Accreditation process of OISSG, UK. He is India's country representative to TC-11 of the International Federation for Information Processing. He is Chairman of ISCCRF, a not-for-profit trust devoted to research in the areas of information security and cyber crimes, and Vice Chairman of the Indian Society of Criminology.

“I believe in our free Society, as you seek rights and privileges in that Society, then we have to know who you are. We’re going to need to establish the identity of who you are as an individual. And then, for the greater good of Society, be able to determine whether or not you should be extended that right or privilege.”

– Derek Smith, ChoicePoint CEO


Establishing Secured HMAC Protocol to Enhance Broadcast Authentication in Wireless Sensor Networks

Mr. B Paramasivan, M.E (1), Dr. S RadhaKrishnan (2), Ms. S Athilakshmi, M.E (3)

(1, 3) Dept of CSE, National Engineering College, Kovilpatti, Tamilnadu
(2) Dept of CSE, Arulmigu Kalasalingam College of Engineering, Srivilliputhur

With the progression of computer networks extending boundaries and joining distant locations, wireless sensor networks (WSN) emerge as the new frontier in developing opportunities to collect and process data from remote locations. Owing to this deployment nature, wireless sensor networks are more vulnerable to malicious attacks. The security offered by the current software and hardware implementations of MAC protocols is insufficient to protect a WSN from denial-of-service attacks and from forged broadcast messages. Our current work focuses on enhancing the security of broadcast messages using broadcast authentication, and also makes use of a hash-based scheme for cluster head selection. A revocation tree based scheme and a proactive distribution based scheme are used to revoke the broadcast authentication capability of compromised senders. Simulation results show that these techniques are efficient and achieve better information security in wireless sensor networks.

Index terms – Broadcast Authentication, Denial of Service, MAC, Revocation Tree.

1. Introduction

A wireless sensor network (WSN) typically consists of a large number of resource-constrained sensor nodes and possibly a few powerful control nodes (base stations). A sensor node usually has one or a few sensing components, which sense a physical phenomenon (e.g., temperature) in its immediate surroundings, and a processing and communication component, which performs simple computation on the sensed data and communicates with base stations as well as other nodes through its immediate neighbour nodes. The control nodes may further process the data collected from sensor nodes, disseminate control commands to sensor nodes, and connect the network to a traditional wired network. Sensor nodes are expected to be deployed densely and on a large scale, and to communicate with each other through wireless links without any infrastructure support [1]. These features lead to many attractive applications in military and civilian operations. But this deployment nature also makes them more prone to malicious attacks, so security becomes one of the major concerns. Broadcast authentication enables a sender to broadcast critical data and/or commands to sensor nodes in an authenticated way, such that an attacker is unable to forge any message from the sender. However, due to the resource constraints on sensor nodes, traditional broadcast authentication techniques such as public key based digital signatures are not desirable. Through compromised nodes, an adversary may launch security attacks against the sensor network ranging from the physical layer to the application layer. Due to the vast variety and novelty of attacks, we believe no single solution can address all of them. In our previous work [13] we developed an H-MAC protocol to address the vulnerability of leading energy-efficient Medium Access Control (MAC) protocols to the denial-of-sleep attack; it uses a hash-based cluster head selection scheme rather than the passive method of determining the next gateway by calculating an election contention backoff period based upon a node's available resources. Though it has proven resilient to the denial-of-sleep attack, an issue like broadcast authentication is not properly addressed there. We therefore propose Secured HMAC, a scheme based on µTESLA, that overcomes the difficulties that arise in broadcast authentication.

Our scheme has two parts: (i) a revocation tree based scheme and (ii) a proactive distribution scheme. The former constructs a Merkle hash tree to revoke compromised senders, while the latter proactively controls the distribution of the broadcast authentication capability of each sender so that compromised senders can be revoked. Simulation results indicate that the proposed techniques are efficient and practical, and achieve better security.

The remainder of this paper is organized as follows. In Section 2 we discuss related work. In Section 3 we introduce the techniques for the establishment of broadcast authentication and for revocation of compromised nodes. In Section 4 we present the implementation and evaluation against leading sensor network MAC protocols. In Section 5 we present our conclusions and future work.

2. Related Work

Confidentiality protects against the improper disclosure of information; data integrity protects information against improper modification; and service availability prevents denial of system services. Perrig et al. proposed using an earlier key chain to distribute the next key chain commitment [3]. Several multi-level mTESLA schemes were proposed in [3, 4] to distribute the key chain commitments. However, these techniques suffer from DoS attacks during the commitment distribution. A number of key pre-distribution techniques have been proposed to establish pair-wise keys in sensor networks [5, 6, 7, 8, 9]. Wood and Stankovic identified a number of DoS attacks in sensor networks [10]. Karlof and Wagner analyzed the vulnerabilities as well as the countermeasures for a number of existing routing protocols [11]. Hu et al. use Merkle trees to authenticate multiple key chains in routing protocols [12].

3. Proposed Work

In this section, we develop a series of techniques to revoke broadcast authentication capabilities from compromised senders. The proposed technique uses the mTESLA broadcast authentication protocol [2] as a building block, with the clocks of the sensor nodes loosely synchronized.

3.1 The Basic Approach

The multi-level mTESLA technique uses higher-level mTESLA instances to authenticate the parameters and thus inherits the authentication delay. The consequence of such authentication delay is that an attacker can launch Denial of Service attacks to disrupt the distribution of initial mTESLA parameters. Moreover, these schemes cannot handle a large number of senders, and due to the low bandwidth in sensor networks, the number of data packets buffered during d time intervals is usually small. Thus, in this paper, we focus only on the Denial of Service attacks that aim to disrupt the distribution of initial mTESLA parameters to the gateway node in the HMAC protocol, and thereby the functioning of broadcast authentication; the gateway node is itself responsible for distributing the parameters to its cluster nodes. In this section, we propose to authenticate and distribute these mTESLA parameters using a Merkle hash tree [12]. This method removes the authentication delay as well as the vulnerability to Denial of Service attacks during the distribution of mTESLA parameters, because the packets are only sent to the gateway node of HMAC.

Assume a sensor network application requires m mTESLA instances, which may be used by different senders during different periods of time. For convenience, assume m = 2^k, where k is an integer. Before deployment, the gateway node pre-computes m mTESLA instances, each of which is assigned a unique, integer-valued ID between 1 and m. For the sake of presentation, denote the parameters (i.e., the key chain commitment, starting time, duration of each mTESLA interval, etc.) of the i-th mTESLA instance as Si. Suppose the central server has a hash function H. The central server then computes Ki = H(Si) for all i ∈ {1, ..., m}, and constructs a Merkle tree using {K1, ..., Km} as leaf nodes. Specifically, K1, ..., Km are arranged as the leaf nodes of a full binary tree, and each non-leaf node is computed by applying H to the concatenation of its two children. We refer to such a Merkle tree as a parameter distribution tree of the parameters {S1, ..., Sm}. Figure 1 shows a parameter distribution tree for eight mTESLA instances, where K1 = H(S1), K12 = H(K1 || K2), K14 = H(K12 || K34), etc.

Fig. 1 : Example of a parameter distribution tree

The gateway node also constructs a parameter certificate for each mTESLA instance. The certificate for the i-th mTESLA instance consists of the set Si of parameters and the values corresponding to the siblings of the nodes on the path from the i-th leaf node to the root in the parameter distribution tree. For example, the parameter certificate for the 3rd mTESLA instance in Figure 1 is ParaCert3 = {S3, K4, K12, K58}. For each sender that will use a given mTESLA instance, the gateway node distributes the mTESLA key chain and the corresponding parameter certificate to that sender.

The gateway node also pre-distributes the root of the parameter distribution tree (e.g., K18 in Figure 1) to the regular sensor nodes, which are the potential receivers of broadcast messages. When a sender needs to establish an authenticated broadcast channel using the i-th mTESLA instance (during a predetermined period of time), it broadcasts a message containing the parameter certificate ParaCerti. Each receiver can immediately authenticate it with the pre-distributed root of the parameter distribution tree. For example, if ParaCert3 = {S3, K4, K12, K58} is used, a receiver can immediately authenticate it by verifying whether H(H(K12 || H(H(S3) || K4)) || K58) equals the pre-distributed root value K18. As a result, all the receivers get the authenticated parameters of this mTESLA instance, and the sender may use it for broadcast authentication.

3.2 Security

According to the analysis, an attacker is not able to forge any message from any sender without compromising the sender itself. However, the attacker may launch Denial of Service attacks against the distribution of parameters for mTESLA instances. Fortunately, the parameter certificates in our technique can be authenticated immediately and are therefore immune to such Denial of Service attacks. When senders are compromised, additional techniques are required to remove these compromised senders.

3.3 Overhead

In this approach, each sensor node (as a receiver) only needs to store one hash value, and to remember the parameters of those senders that it may communicate with. This is particularly helpful for applications where a node only needs to communicate with a few senders, or where only a few senders are present in the network at one time. Each sender needs to store a parameter certificate, the key chain, and the other parameters (e.g., starting time) for each instance it has. To establish an authenticated broadcast channel with nodes using an instance j, a sender only needs to broadcast the corresponding pre-distributed parameter certificate, which consists of ⌈log m⌉ hash values and the parameter set Sj. This is practical, since such a distribution only needs to be done once for each instance. After receiving this parameter certificate, a sensor node only needs 1 + ⌈log m⌉ hash function evaluations to verify the related parameters.

3.4 Comparison

In our Secured HMAC scheme, unlike the multi-level mTESLA schemes, a sender does not have to compete with malicious attackers, since a receiver can immediately authenticate the parameter distribution message instead of keeping it in a buffer for future authentication. In other words, with the proposed approach, it is sufficient for a receiver to receive one copy of each parameter distribution message.

3.5 Distributing Parameter Certificates

As we mentioned earlier, the proposed technique is resistant to DoS attacks if each parameter certificate is delivered in one packet, since a receiver can authenticate such a certificate immediately upon receiving it. However, due to the low bandwidth and small packet size in sensor networks, a certificate may be too large to be transmitted in a single packet. As a result, it is often necessary to fragment each certificate and deliver it in multiple packets. A straightforward approach is to simply split the values in a certificate across multiple packets. However, this simple idea suffers from Denial of Service attacks, where an attacker sends a large number of forged fragments and forces a sensor node to perform a lot of computation to identify the right ones among them. To deal with this problem, we fragment a parameter certificate in such a way that a sensor node can authenticate each fragment independently instead of trying every combination.

Assume a parameter certificate consists of L values {h1, h2, …, hL}, and each packet can carry b values. As shown in Figure 2, in the first step of fragmentation, we put the first b-1 values in the first packet, the second b-1 values in the second packet, and so on, until there are no more values left. If the last packet only includes one value, we move it to the previous packet and remove the last packet. The previous packet then becomes the last packet, containing b values. In the second step, we append to every packet other than the last one the sibling (in the parameter distribution tree) of the last value in that packet. By doing this, the first fragment can be authenticated immediately once the sensor node receives it. After authenticating the first fragment, the second fragment can also be authenticated immediately using the values in the first fragment.

Fig. 2 : Example of Fragmentation

This process continues until the sensor node has received all authentic fragments. For example, in Figure 1, ParaCert3 consists of 4 values, {K58, K12, K4, S3}. Assume each fragment can carry 3 hash values and S3 consists of 1 key chain commitment. Using the above technique, the first packet includes {K58, K12, K34}, and the second packet includes {K4, S3}. If a sensor node receives the first fragment, it can authenticate the fragment by verifying whether H(H(K12 || K34) || K58) equals the pre-distributed root value. Once the first fragment is authenticated successfully, the second fragment can be authenticated by verifying whether H(H(S3) || K4) equals the hash value K34, which is contained in the first fragment.

3.6 Revocation

In hostile environments, not only sensor nodes but also broadcast senders may be captured and compromised by adversaries. Once a sender is compromised, the attacker can forge any broadcast message using the secrets stored on this sender and convince other sensor nodes to perform unnecessary or malicious operations. Thus, it is necessary to revoke the broadcast authentication capability from compromised senders. We use a revocation tree to take back the broadcast authentication capability from compromised senders, and a proactive refreshment to control the broadcast authentication capability of each sender.

(i) Revocation Tree

When a sender is detected to have been compromised, the central server broadcasts a revocation message with the ID of the sender. This message has to be authenticated; otherwise, an attacker may forge such messages to revoke non-compromised senders. The main idea of this method is to construct a Merkle tree [12] similar to a parameter distribution tree, which is called a revocation tree, since its purpose is to revoke broadcast authentication capabilities from compromised senders. The revocation tree is built from sender IDs and random numbers. If the sender ID j and the corresponding random number are disclosed in an authenticated way, sender j is revoked.

Assume there are potentially m senders. For simplicity, we assume m = 2^k for an integer k. The central server generates a random number rj for each sender with ID j, where 1 ≤ j ≤ m. The central server then constructs a Merkle tree where the j-th leaf node is the concatenation of ID j and rj. We refer to this Merkle tree as the revocation tree. The central server finally distributes the root of the revocation tree to all sensor nodes. We assume the central server is physically secure. Protection of the central server is an important but separate issue; we do not address it in this paper. When a sender j is detected to have been compromised, the central server broadcasts the ID j and the random number rj. To authenticate these values, the central server has to broadcast the sibling of each node on the path from "j || rj" (i.e., the leaf node for j in the revocation tree) to the root. This is exactly the same as the parameter certificate technique used to authenticate mTESLA parameters.

To distinguish it from a parameter certificate, we refer to the above set of values as a revocation certificate, denoted RevoCertj. With RevoCertj, any sensor node can recompute the root hash value, and verify it by checking whether it leads to the pre-distributed root value. If a sensor node gets a positive result from this verification, it puts the corresponding sender into a revocation list, and stops accepting broadcast messages from the sender. To deal with message loss, the distribution of a revocation certificate may be repeated multiple times. The revocation tree approach cannot guarantee the revocation of all compromised senders in the presence of communication failures, though traditional fault tolerant techniques can provide high confidence. However, it guarantees that a non-compromised sender will not be revoked. This is because the revocation of a sender requires a revocation certificate, which is only known to the central server.

An attacker cannot forge any revocation certificate without access to the random numbers kept in the leaves of the revocation tree, due to the one-way function used to generate the revocation tree [6]. In this approach, each sensor node needs to store an additional hash value, the root of the revocation tree. To revoke a sender, the central server distributes a revocation certificate, which consists of 1 + ⌈log m⌉ values. To authenticate the revocation certificate, a sensor node needs to perform 1 + ⌈log m⌉ hash function evaluations. The revocation tree approach has several limitations. First, due to unreliable wireless communication and possible malicious attacks (e.g., channel jamming), the revocation messages are not guaranteed to reach every sensor node. As a result, an attacker can convince those sensor nodes that missed the revocation messages to perform unnecessary or malicious operations using the revoked mTESLA instances. Second, each sensor node needs to store a revocation list, which introduces additional storage overhead, especially when a large number of senders are revoked. Note that the above approach can also be used to tell sensor nodes that the corresponding sender has stopped broadcasting, so that they can erase its parameters to save memory space for other senders.
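The parameter distribution tree of Section 3.1, the fragment-by-fragment authentication of Section 3.5 and the revocation tree just described all rest on the same Merkle-tree construction, so the following Python is one added example serving all three; it is not the authors' code or their NS-2 implementation. H is instantiated as SHA-256 truncated to the 8-byte values of Section 4, the parameter sets Si and the random numbers rj are constructed sample values, and sender IDs are encoded as 2-byte integers (all assumptions). The receiver-side `verify_fragments` checks each fragment on arrival, which is the property that removes the buffering an attacker could otherwise exhaust with forged fragments.

```python
"""Merkle-tree parameter certificates, their DoS-resistant fragmentation and
the revocation tree (Sections 3.1, 3.5 and 3.6 (i)). Added example, not the
paper's code; H = SHA-256 truncated to 8 bytes, and the parameter sets S_i
and random numbers r_j are constructed sample values (all assumptions)."""
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()[:8]   # 8-byte hash values as in Section 4


def build_tree(leaves):
    """levels[0] = leaves, each inner node = H(left || right); len(leaves) = 2^k."""
    assert leaves and len(leaves) & (len(leaves) - 1) == 0
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def sibling_path(levels, index):
    """Siblings of the nodes on the path from leaf `index` (0-based) to the root,
    leaf side first; for the 3rd leaf of Fig. 1 this is [K4, K12, K58]."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path


def climb(node, level, sibs, index):
    """Hash upward from `node` at `level` through `sibs` (lowest level first);
    bit (index >> level) & 1 tells whether the path node is a right child."""
    for sib in sibs:
        node = H(sib + node) if (index >> level) & 1 else H(node + sib)
        level += 1
    return node, level


def verify_certificate(root, param, path, index):
    """Whole-certificate check, e.g. H(H(K12 || H(H(S3) || K4)) || K58) == K18."""
    return climb(H(param), 0, path, index)[0] == root


def fragment(levels, index, param, b):
    """Section 3.5: b-1 certificate values per packet (a lone S_i is merged into
    the previous packet); every packet but the last then gets the path node
    that is the sibling of its last value appended."""
    path = sibling_path(levels, index)
    depth = len(path)
    values = list(reversed(path)) + [param]           # root side first, S_i last
    packets = [values[k:k + b - 1] for k in range(0, len(values), b - 1)]
    if len(packets) > 1 and len(packets[-1]) == 1:
        packets[-2].append(packets.pop()[0])
    consumed = 0
    for pkt in packets[:-1]:
        consumed += len(pkt)
        level = depth - consumed                      # level of pkt's last value
        pkt.append(levels[level][index >> level])     # its sibling on the path
    return packets


def verify_fragments(root, depth, packets, index):
    """Receiver side: a fragment is checked on arrival against the root (first
    fragment) or the node appended to the previous fragment; nothing is buffered."""
    expected, exp_level, consumed = root, depth, 0
    for p, pkt in enumerate(packets):
        if p == len(packets) - 1:                     # last fragment ends in S_i
            sibs, node, level = pkt[:-1], H(pkt[-1]), 0
        else:                                         # ends in an appended node
            sibs, node = pkt[:-1], pkt[-1]
            consumed += len(sibs)
            level = depth - consumed
        node, level = climb(node, level, sibs[::-1], index)
        if level != exp_level or node != expected:
            return False
        expected, exp_level = pkt[-1], depth - consumed
    return True


def verify_revocation(root, sender_id, r_j, path):
    """RevoCert_j = (j, r_j, siblings); leaf j is the concatenation j || r_j."""
    leaf = sender_id.to_bytes(2, "big") + r_j
    return climb(leaf, 0, path, sender_id - 1)[0] == root


def demo():
    # Fig. 1: m = 8 mTESLA instances with constructed parameter sets S_1..S_8
    params = [b"S%d:keychain-commitment" % i for i in range(1, 9)]
    ptree = build_tree([H(s) for s in params])
    k18 = ptree[-1][0]                                # pre-distributed root
    idx = 2                                           # the 3rd instance, ParaCert3
    cert = sibling_path(ptree, idx)
    packets = fragment(ptree, idx, params[idx], b=3)  # [K58, K12, K34], [K4, S3]
    # Revocation tree over 8 senders; r_j stays secret at the central server
    r = {j: os.urandom(8) for j in range(1, 9)}
    rtree = build_tree([j.to_bytes(2, "big") + r[j] for j in range(1, 9)])
    revo = (5, r[5], sibling_path(rtree, 4))
    return {
        "cert_ok": verify_certificate(k18, params[idx], cert, idx),
        "packet_sizes": [len(p) for p in packets],
        "first_packet_carries_K34": packets[0][2] == ptree[1][1],
        "fragments_ok": verify_fragments(k18, 3, packets, idx),
        "revoked_5": verify_revocation(rtree[-1][0], *revo),
        "forged_revocation": verify_revocation(rtree[-1][0], 5, os.urandom(8), revo[2]),
    }
```

With the Section 4 setting of 256 instances the same `fragment` call yields the four packets of three hash values the paper reports, and altering any value in any packet makes that packet, and only that packet, fail its check.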

(ii) Proactive Refreshment of Authentication Keys

To deal with the limitations of the revocation tree approach, we present an alternative method to revoke the authentication capability from compromised senders. The basic idea is to distribute only a fraction of the authentication keys to each sender and have the gateway node update the keys for each sender when necessary. A clear benefit is that if a sender is compromised, the gateway node only needs to stop distributing new authentication keys to this sender; there is no need to broadcast a revocation message or to maintain a revocation list at each sensor node. In addition, this approach guarantees that once compromised senders are detected, they will be revoked from the network after a certain period of time. The authentication keys for each sender can be distributed in a proactive way, since we can predetermine the time when a key will be used. Specifically, during the pre-distribution phase, the gateway node in the HMAC protocol distributes the parameter certificates to each sender.

Before the current mTESLA instance expires, the gateway node in HMAC distributes the key used to derive the next mTESLA key chain to the sender through a key distribution message encrypted with a key shared between the gateway node and the sender, provided that the sender has not been detected to have been compromised. The sender may then generate the next mTESLA key chain accordingly. To increase the probability of successful distribution of authentication keys in the presence of communication failures, the gateway node may send each key distribution message multiple times.

As mentioned earlier, in the proactive refreshment approach the revocation of a compromised sender is guaranteed (with a certain delay) once it is detected to have been compromised. However, the broadcast authentication capability of a sender is not guaranteed if there are message losses. A sender may miss all key distribution messages that carry new authentication keys due to unreliable wireless communication and malicious attacks. Thus, a sender may have no keys to authenticate new data packets. Moreover, there may be a long delay between the detection and the revocation of a compromised sender, and the compromised sender may still have keys that can be used to forge broadcast messages.

In the proactive refreshment approach, instead of storing nj mTESLA instances, a sender j only needs to store a few of them. Thus, the storage overhead is reduced. However, the communication overhead between the gateway node and the senders is increased, since the central server has to distribute keys to each sender individually. There are no additional communication and computation overheads for sensor nodes.

In practice, these two options may be combined together to provide better performance and security. The revocation certificates from the gateway node can mitigate the problem of the delay between the detection and the revocation of a compromised sender, while the proactive refreshment technique guarantees the future revocation of a compromised sender if the compromise is detected.
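As an added example (not the authors' code or their simulation), the following Python sketches the mechanics the proactive refreshment relies on: a mTESLA key chain with delayed key disclosure, a receiver that buffers packets until a disclosed key chains back to its commitment, and a gateway that stops refreshing a sender once it is detected as compromised. It also shows the caveat stated above: the keys a compromised sender already holds stay usable until its chain runs out. Assumed, since the paper does not fix them: SHA-256 truncated to 8 bytes as the chain hash, HMAC-SHA256 as the packet MAC, a disclosure delay of 2 intervals as in Section 4, chains of 6 keys instead of 600, and a secure pairwise gateway-sender channel standing in for the encrypted key distribution message.

```python
"""mTESLA-style key chain with delayed key disclosure, plus the proactive
key refreshment of Section 3.6 (ii). Added example, not the paper's code.
Assumptions: SHA-256 truncated to 8 bytes as the chain hash, HMAC-SHA256 as
the packet MAC, disclosure delay D = 2 intervals (Section 4), 6-key chains
instead of 600, and a secure gateway-sender channel standing in for the
encrypted key distribution message."""
import hashlib
import hmac

D = 2                                    # key disclosure delay in intervals


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()[:8]


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def key_chain(seed: bytes, n: int):
    """K_n = seed, K_i = H(K_{i+1}); returns [K_0, ..., K_n]. K_0 is the
    commitment that receivers obtain through the parameter certificate."""
    keys = [seed]
    for _ in range(n):
        keys.append(H(keys[-1]))
    return keys[::-1]


class Sender:
    def __init__(self, seed, n):
        self.keys = key_chain(seed, n)

    def broadcast(self, i, msg):
        """Packet of interval i: MAC under K_i, disclosing K_{i-D}. Returns None
        once the chain is exhausted: a sender left without keys is revoked."""
        if i >= len(self.keys):
            return None
        return (i, msg, mac(self.keys[i], msg), self.keys[i - D] if i >= D else None)


class Receiver:
    def __init__(self, commitment):
        self.keys, self.latest = {0: commitment}, 0
        self.buffer, self.authenticated = [], []

    def receive(self, pkt, now):
        i, msg, tag, disclosed = pkt
        if now >= i + D:                 # K_i may already be public: drop
            return
        self.buffer.append((i, msg, tag))
        if disclosed is not None:
            self.disclose(i - D, disclosed)

    def disclose(self, j, key):
        """Accept K_j only if hashing it (j - latest) times gives the last
        verified key, then authenticate buffered packets of interval <= j."""
        if j <= self.latest:
            return
        k = key
        for _ in range(j - self.latest):
            k = H(k)
        if k != self.keys[self.latest]:
            return                       # forged key: ignore
        k = key
        for t in range(j, self.latest, -1):   # keep keys of lost intervals too
            self.keys[t], k = k, H(k)
        self.latest = j
        pending, self.buffer = self.buffer, []
        for i, msg, tag in pending:
            if i > j:
                self.buffer.append((i, msg, tag))
            elif hmac.compare_digest(tag, mac(self.keys[i], msg)):
                self.authenticated.append(msg)   # forged packets are dropped


class Gateway:
    """Proactive refreshment: the next chain's seed goes to a sender only
    while it has not been detected as compromised."""
    def __init__(self):
        self.compromised = set()

    def refresh(self, sender_id, next_seed):
        return None if sender_id in self.compromised else next_seed


def demo():
    gw, n = Gateway(), 6
    seed1, seed2 = b"constructed-seed-1", b"constructed-seed-2"
    sender, rx = Sender(seed1, n), Receiver(key_chain(seed1, n)[0])
    for i in range(1, 5):
        pkt = sender.broadcast(i, b"reading-%d" % i)
        if i != 2:                       # the interval-2 packet is lost
            rx.receive(pkt, now=i)
        if i == 3:                       # attacker packet with a random MAC
            rx.receive((3, b"forged", b"\x00" * 8, None), now=3)
    gw.compromised.add("sender-A")       # compromise detected after interval 4
    refresh_denied = gw.refresh("sender-A", seed2) is None
    for i in (5, 6):                     # K_5, K_6 are still in the sender's hands
        rx.receive(sender.broadcast(i, b"after-compromise-%d" % i), now=i)
    rx.disclose(5, sender.keys[5])       # disclosed in interval 7: still accepted
    return {
        "authenticated": list(rx.authenticated),
        "refresh_denied": refresh_denied,
        "chain_exhausted": sender.broadcast(7, b"x") is None,
        "honest_refreshed": gw.refresh("sender-B", seed2) == seed2,
    }
```

The lost interval-2 packet does not block later intervals because the receiver derives every intermediate key from the next disclosed one, and the forged packet is discarded the moment K3 is disclosed; the compromised sender's interval-5 packet is still accepted, which is the detection-to-revocation delay the combined approach is meant to shorten.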

4. Simulation and Evaluation

We have simulated the proposed techniques on Network Simulator 2 to evaluate their performance. Our evaluation focuses on the broadcast of data packets and the distribution of mTESLA parameters. We adopt a setting similar to [5]: the mTESLA key disclosure delay is 2 mTESLA time intervals, the duration of each mTESLA time interval is 100 ms, and each mTESLA key chain consists of 600 keys. Thus, the duration of each mTESLA instance is 60 seconds, and with 200 mTESLA instances the scheme covers up to 200 minutes.

Fig. 3(a) : Successive Authentication Rate
Fig. 3(b) : Rate of distribution of packets per minute
Fig. 4(a) : Average Failure Recovery Delay
Fig. 4(b) : Storage Overhead
Fig. 5 : Communication Overhead
Fig. 6 : Throughput

Each parameter set Sj,i only contains an mTESLA key chain commitment. This means that each parameter certificate contains 9 hash values, and each hash value, cryptographic key or MAC value is 8 bytes long. The parameter certificate can be delivered in 4 packets, each of which contains a sender ID (2 bytes), a key chain index (2 bytes), a fragment index (1 byte), and three hash values (24 bytes). As a result, the packet payload size is 29 bytes.

To investigate the authentication rate and the distribution rate under Denial of Service attacks and communication failures, we assume the attacker sends 200 forged parameter distribution packets per minute and the channel loss rate is 0.2. Figure 3(a) illustrates the authentication rate for both schemes as the frequency of parameter distribution packets increases.

With 20 CDM buffers at each receiver, we can see that our Secured HMAC scheme always has a higher authentication rate than the multi-level DoS-tolerant mTESLA scheme. The reason is that in the Secured HMAC scheme a sensor node is able to authenticate any buffered message once it receives a later disclosed key, since the different key chains are linked together. Though in the multi-level DoS-tolerant scheme the lower-level key chain instances are also linked to the higher-level ones, a sensor node may have to wait for a long time to recover an authentication key from the higher-level key chain when the corresponding lower-level key chain commitment is lost due to severe Denial of Service attacks. During this time period, most of the previously buffered data packets have already been dropped. Figure 3(b) shows the authentication rate for both schemes. We can see that the multi-level DoS-tolerant mTESLA scheme has to allocate a large buffer to achieve a certain authentication rate when there are severe Denial of Service attacks, while our Secured HMAC scheme achieves a higher authentication rate without any additional buffer. The reason is that in our scheme a sensor node can verify a parameter certificate immediately and thus there is no need to buffer certificates, while in the multi-level DoS-tolerant mTESLA scheme a sensor node has to wait for a while before authenticating CDM messages.

Fig. 4(a) shows the average failure recovery delay for both schemes. The result shows that the average failure recovery delay of the Secured HMAC scheme increases with the channel loss rate. However, the recovery delay of the multi-level mTESLA scheme increases rapidly when there are severe Denial of Service attacks. In contrast, our Secured HMAC scheme is not affected by Denial of Service attacks if the attacker does not jam the channel completely. Since the channel loss rate is usually a small value, the tree-based scheme has a shorter recovery delay than the multi-level mTESLA scheme in most cases.

Fig. 4(b) shows the impact of storage overhead on the average failure recovery delay. The average failure recovery delay of the multi-level mTESLA scheme increases quickly when the number of buffers for parameter distribution packets decreases, while the Secured HMAC scheme has a shorter delay and is not affected by the number of buffers for parameter distribution packets. Figure 5 illustrates the communication overhead for the three schemes as the number of packets increases. Figure 6 shows the impact of throughput on the end-to-end packet delay. Figure 7 compares the lifetime of networks adopting the different protocols: H-MAC with broadcast authentication (the Secured HMAC scheme) shows a longer network lifetime than G-MAC and H-MAC.

5. Conclusion

In this paper we have introduced efficient techniques, immune to Denial of Service attacks, that enhance the H-MAC protocol with secured broadcast authentication. Several practical broadcast authentication techniques were developed to distribute parameters for mTESLA instances and to revoke the broadcast authentication capabilities of compromised senders in wireless sensor networks. Our analysis and experiments show that the proposed techniques are efficient and practical, and perform better than previous approaches.

Fig. 7 : Performance of Secured HMAC Protocol (network lifetime under broadcast authentication attack, vertical axis 0 to 800; series: G-MAC, H-MAC, H-MAC with broadcast authentication)

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci (2002), "Wireless sensor networks: A survey," Computer Networks, vol. 38, no. 4, pp. 393–422.

[2] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and D. Tygar (2001), "SPINS: Security protocols for sensor networks," in Proceedings of the Seventh Annual International Conference on Mobile Computing and Networks.

[3] D. Liu and P. Ning (2003), "Efficient distribution of key chain commitments for broadcast authentication in distributed sensor networks," in Proceedings of the 10th Annual Network and Distributed System Security Symposium (NDSS'03), pp. 263–276.

[4] D. Liu and P. Ning (2004), "Multi-level mTESLA: Broadcast authentication for distributed sensor networks," ACM Transactions in Embedded Computing Systems (TECS), vol. 3.

[5] H. Chan, A. Perrig, and D. Song (2003), "Random key predistribution schemes for sensor networks," in IEEE Symposium on Research in Security and Privacy, pp. 197–213.

[6] W. Du, J. Deng, Y. S. Han, S. Chen, and P. Varshney (2004), "A key management scheme for wireless sensor networks using deployment knowledge," in Proceedings of IEEE INFOCOM'04.

[7] W. Du, J. Deng, Y. S. Han, and P. Varshney (2003), "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS'03), pp. 42–51.

[8] L. Eschenauer and V. D. Gligor (2002), "A key-management scheme for distributed sensor networks," in Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 41–47.

[9] D. Liu and P. Ning (2003), "Establishing pairwise keys in distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS'03), pp. 52–61.

[10] A. D. Wood and J. A. Stankovic (2002), "Denial of service in sensor networks," IEEE Computer, vol. 35, no. 10, pp. 54–62.

[11] C. Karlof and D. Wagner (2003), "Secure routing in wireless sensor networks: Attacks and countermeasures," in Proceedings of the 1st IEEE International Workshop on Sensor Network Protocols and Applications.

[12] Y. Hu, A. Perrig, and D. V. Johnson (2003), "Efficient security mechanisms for routing protocols," in Proceedings of the 10th Annual Network and Distributed System Security Symposium, pp. 57–73.

[13] B. Paramasivan, S. Athilakshmi, and S. Radhakrishnan (2006), "Energy Efficient H-MAC Protocol to enhance Security & Lifetime of Wireless Sensor Networks," in Proceedings of the Second International Conference on WCSN'06, published by Macmillan India Ltd, pp. 71–78.

[14] B. Paramasivan and S. Radhakrishnan (2006), "An Enhanced Reliability scheme for WSN using PSFQ," in Proceedings of the International Symposium on Adhoc and Ubiquitous Computing, published by IEEE Press, pp. 106–111.


About Authors

Prof. B. Paramasivan is working as Assistant Professor, Department of Computer Science & Engineering, National Engineering College, TamilNadu. He is currently pursuing his Ph.D in the area of Wireless Sensor Networks. He has published several research papers in various International and National Conferences. His areas of interest and research include security, routing and energy-efficiency issues in wireless sensor networks. He is an active member of CSI.

Dr. S RadhaKrishnan is working as Professor & Head of the Department of Computer Science & Engineering, Arulmigu Kalasalingam College of Engineering, Srivilliputhur. He is guiding several Ph.D scholars. His areas of interest include Network Engineering and Adhoc Networks. He has published several research papers in International Journals. He is an active member of CSI.

Ms. S. Athilakshmi is working as a Lecturer in the Department of Computer Science & Engineering, National Engineering College, TamilNadu. She keeps constantly up to date with the issues and trends in the area of Sensor Networks. Her research focuses on wireless networks, especially on the security issues in Wireless Sensor Networks and wireless Adhoc Networks.

IFIP TC-8 meeting

The IFIP TC-8 meeting held during June 18th – 19th, 2007 at BCS, London was attended by Steve Elliot (Australia), Josef Basl (Czech Republic), Jan Pries-Heje (Denmark), Juhani Livari (Finland), David Avison (France), Maria Raffai (Hungary), Barbara Pernici (Italy), Tetsuya Uchiki (Japan), Maria-Ribera Sancho (Spain), Dewald Roode (South Africa), Marcus (Switzerland), Bill Olle (United Kingdom), George M. Kasper (USA – ACM), Erich Neuhold (USA – IEEE), Lida Xu (WG 8.9 Chair, USA), Nancy Russo (USA), Patrick Humphreys (UK) and Ashok Agarwal (India).

1. Barbara Pernici was elected as Chair from July 2007 onwards and George M. Kasper as Vice Chair.
2. Proposals for possible funding for speakers / participants from developing countries to conferences; contact Prof. D Y Kim, [email protected].
3. Next meeting scheduled on September 5th June 2008 at Milan.

Dr. Ashok Agarwal, CSI IFIP TC-8 Rep.

Cryptography-based Secure Authentication Watermarking for Binary Images

Mr. M Venkatesan (1), Mrs. P MeenakshiDevi (2), Dr. K. Duraiswamy (3) & Dr. K Thyagarajah (4)

1 Asst. Prof., Dept. of Computer Applns., K S Rangasamy College of Tech., E-mail : [email protected]
2 Asst. Prof., Dept of Information Tech., K S Rangasamy College of Tech., E-mail : [email protected]
3 Dean (Academic), K S Rangasamy College of Technology, Tiruchengode, E-mail : [email protected]
4 Principal, PSNA College of Engg. & Technology, Dindical, E-mail : [email protected]

In image authentication watermarking, hidden data is inserted into an image to detect any accidental or malicious image alteration. In the literature, only a small number of cryptography-based secure authentication methods are available for binary images. In cryptography-based authentication watermarking, a message authentication code (or digital signature) of the whole image is computed and the resulting code is inserted into the image itself. However, inserting the code alters the image and consequently its authentication code, invalidating the watermark. This paper proposes a new authentication watermarking method for binary images. It can detect any alteration while maintaining good visual quality for all types of binary images. The security of

1. Introduction

Data hiding represents a class of processes used to embed data, such as copyright information, into various forms of media such as image, audio, or text with a minimum amount of perceivable degradation to the "host" signal; its goal is not to restrict or regulate access to the host signal, but rather to ensure that the embedded data remains inviolate and recoverable.

A watermarking technique makes use of a data-hiding scheme to insert some information in the host image, in order to make an assertion about the image later. In this paper, data hiding scheme simply means the technique to embed a sequence of bits in a still image and to extract it afterwards.

Watermarking techniques can be classified as either "robust" or "fragile." Robust watermarks are useful for copyright and ownership assertion purposes. They cannot be easily removed and should resist common image-manipulation procedures. Fragile watermarks (or authentication watermarks), on the other hand, are easily corrupted by any image processing procedure. This is acceptable for checking image integrity and authenticity: if the watermark is removed or damaged, the watermark detection algorithm will correctly report the corruption of the image.

In cryptography-based authentication watermarking, an authentication signature (AS) is computed from the whole image and inserted into the image itself. In cryptographic terms, the AS is a message authentication code (MAC) when it is computed with a shared secret key, or a digital signature (DS) when it is computed with a public/private key pair.

An AS contains information about the host image content that can be checked to verify its integrity. However, inserting the MAC/DS alters the image and consequently alters its MAC/DS, invalidating the watermark. To avoid this problem, for continuous-tone images, many authentication techniques compute the AS from the image with its least significant bits (LSBs) cleared and then insert the AS into those LSBs. In other words, the bits where the watermark is to be inserted are not taken into account when computing the MAC/DS.

A possible use of this technique is to send faxes and documents over networks and the Internet. In this case, the receiver of a document can verify its integrity for a given originator.

2. Data Hiding and Authentication Watermarking

In the literature, there are many authentication-watermarking techniques for continuous-tone images [1-5]. There are also many techniques for data hiding in binary and halftone images [6-10]. However, only a small number of secure authentication watermarking techniques are available for binary and halftone images.

The proposed technique, cryptography-based secure authentication watermarking (CSAWT), inserts the MAC/DS of a binary image into the image itself. The original image F is partitioned into sub-blocks of size m × n. The AS is generated for the whole image, but before calculating the hash value of the image, the sub-blocks that will carry the AS are cleared to zero; the hash value is then calculated over this modified image. The AS is not inserted consecutively in one area of the original image. Instead, the AS is divided into segments which are stored in a scattered way, and a secret key shared by the two parties identifies the position of each segment.

3. The CSAWT

In secure authentication watermarking using some data hiding technique for a binary image, one must compute a hash function of the binary image F, obtaining the hash value H = H(F). After encryption, it becomes the MAC/DS. This MAC/DS must be inserted into F itself, obtaining the marked image F2. The problem is that, with the insertion of the watermark, the image F changes and consequently its hash value also changes. That is, H(F) ≠ H(F2).

In CSAWT, only a few bits are modified and the positions of sub blocks containing those bits are known both in the insertion and extraction phases. Consequently, these sub blocks can be cleared before computing the hashing function, just like clearing LSBs for grayscale image.

3.1 Image Division

Let k be the length (in bits) of the adopted AS. Before insertion, the AS is split into segments of h bits. To insert k bits of AS, k sub-blocks of size m × n are needed, since each block carries one bit.

The image is divided into two regions using a secret key shared between the sender and the receiver. One region (IZR, Image with Zeros inserted at the AS Region) is used to calculate the AS and the other (ASR, AS Region) is used to carry the AS. The image is not split into two at a single point; instead, the secret key identifies the positions in the image where each segment (h bits) of the AS is inserted, i.e. the key encodes a sequence of positions in the image. The ASR therefore consists of k/h segments, each spanning at least h sub-blocks of size m × n (more than h where blocks that cannot carry data are skipped); the IZR is the whole image with the ASR blocks cleared to zero. The hash value of the IZR is computed, encrypted using the secret key (for a MAC) or the private key ks (for a DS), and the resulting MAC/DS is inserted into the ASR using the data hiding technique described in Section 3.2.

At the receiving side, the receiver uses the same secret key to divide the received image. The ASR is located, the encrypted AS bits inserted in it are retrieved, and they are decrypted (for a MAC) or verified (for a DS) using the secret key or the public key ks, obtaining the AS. Then the ASR of the received image is cleared to zero; this is the expected IZR. The receiver computes H(IZR) and, if H(IZR) = AS, the image integrity is verified. Otherwise, the image has been modified or a wrong key was used.

In Fig. 1, the image division is shown. Each box represents an m x n sub block. Sequences of sub blocks are reserved for inserting segments of AS. Here the value of h is 5.

3.2 Block Data Hiding Method

This technique ensures that any bit modified in the host image is adjacent to another bit that already has the former's new value, so that the presence of hidden information in the host image is difficult to detect. The parity of each m × n block is calculated and compared with the data bit to be embedded. Depending on the parity and the data bit, either one bit of the block is modified or none is, and in both cases one bit of information is stored. Specifically, each m × n block of the host image stores one bit of information.

3.2.1 Controlling the Image Quality after Data Hiding

Fig. 1 Image division

A completely black or blank host block is not used to hide data. Also, if a bit has to be changed, its location should be very close to a bit that already has the former's new value; otherwise the change may be easily detectable. Consider an image F, represented by a matrix, which is modified into two images F2 and F3 as follows:

Both F2 and F3 differ from F in one bit. F2 looks more similar to F than F3 does, because F2 differs from F at a location adjacent to an area of 1s, whereas the modified 1 in F3 is isolated and therefore more visible.

To formulate the above observation, given an image F, the Neighbour matrix Neighbour(F) is defined. It is an integer matrix of the same size as F. Each bit in the image matrix has eight neighbours. For each bit (i, j) the neighbour values are found, and the elements of the Neighbour matrix are calculated as follows:
1. Complement the bit Fi,j of the image matrix F; call the result C.
2. Count the neighbours of Fi,j that are equal to C.
3. The count from step 2 is [Neighbour(F)]i,j.

The matrix will later be used to reflect the priority in choosing a bit to be modified. For example, for the above image F, we have the following Neighbour(F) matrix.

From the Neighbour matrix, the location at which to hide data is easily found. The element with the highest value identifies the bit Fi,j which, when complemented, agrees with the largest number of its neighbours.

3.2.2 The Data Hiding Scheme

Step 1: If Fi is completely black or blank, keep Fi intact (no data is hidden in it) and skip the following steps.


Otherwise, perform the following:

Step 2: Find the parity of Fi by computing SUM(Fi) mod 2, where SUM is the sum of all elements of the matrix.

Step 3: If SUM(Fi) mod 2 = 0, the block has even parity; if SUM(Fi) mod 2 = 1, it has odd parity. Let Dj be the data bit to be hidden. One bit is complemented if the following condition is met:

[(SUM(Fi) mod 2 = 0) and Dj = 1] or [(SUM(Fi) mod 2 = 1) and Dj = 0]

In the other two cases no change is made to the image block Fi, but one bit of information is still hidden in it, since its parity already equals Dj.

Step 4: The following steps are used to find the suitable position:
(i) Find the Neighbour matrix, Neighbour(Fi).
(ii) Find the index (i, j) of MAX(Neighbour(Fi)), where MAX returns the maximum value in the Neighbour(Fi) matrix. If the maximum occurs more than once, the first occurrence is selected.
(iii) (i, j) is the location at which to hide the information; the corresponding bit Fi,j is complemented.

Step 5: In some cases the block might become completely black or blank after embedding. To avoid this, the complemented bit is restored to its original value and, to keep the required parity, one of its neighbours is complemented instead.

Step 6: On receiving the block Fi, the receiver computes its parity. Even parity means the embedded bit is 0, and odd parity means the embedded bit is 1.

3.3 Authentication Watermarking

The CSAWT insertion algorithm is:
1. Let F be the binary image to be watermarked, k the length of the AS and h the size of each segment of the AS.
2. Partition the image F into sub-blocks of size m × n. To insert k bits of AS, k such blocks are needed.
3. Use the secret key shared between the two parties to identify the sequences of sub-blocks within F that will carry the AS. This set is named the ASR (AS Region).
4. Clear all the sub-blocks that belong to the ASR, obtaining the IZR.
5. Compute the hash value H = H(IZR).
6. Encrypt H using the secret key (for a MAC) or the private key ks (for a DS), obtaining the authentication signature S.
7. Insert S into the ASR using the data hiding scheme of Section 3.2.

The CSAWT extraction algorithm is:
1. Let F* be the watermarked image received.
2. Partition F* into sub-blocks of size m × n.
3. Use the same secret key shared between the two parties to identify the sequences of sub-blocks within F*. This set is named ASR*.
4. Extract the watermark from F* by reading the blocks of ASR*, and decrypt (for a MAC) or verify (for a DS) the result using the secret key or the public key ks, obtaining S*.
5. Clear all the sub-blocks that belong to ASR*, obtaining IZR*.
6. Compute the hash value H* = H(IZR*).
7. If S* and H* are equal, the watermark is verified. Otherwise, the marked image F* has been modified (or a wrong key was used).
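The block parity hiding of Section 3.2 and the CSAWT insertion and extraction of Section 3.3 in working Python, as an added example that is not the authors' code. Assumptions not fixed by the paper: 4 × 4 sub-blocks; the AS is an HMAC-SHA256 tag over the IZR truncated to 128 bits (the MAC instantiation; a digital signature would replace `hmac` with a public-key signer); the shared secret key selects the ASR by seeding a PRNG that permutes the block order, with one bit per selected block (h = 1) and uniform blocks skipped by both sides; and the input image is a constructed pseudo-random bitmap rather than a scanned document.

```python
import hashlib
import hmac
import random

M, N = 4, 4        # sub-block size m x n (assumption for this example)
TAG_BITS = 128     # k: bits of AS inserted; HMAC-SHA256 truncated to 128 bits (assumption)


def neighbour_matrix(blk):
    """Section 3.2.1: for every pixel, count the 8-neighbours equal to the pixel's complement."""
    m, n = len(blk), len(blk[0])
    nb = [[0] * n for _ in range(m)]
    for i in range(m):
        for j in range(n):
            c = 1 - blk[i][j]
            nb[i][j] = sum(1 for di in (-1, 0, 1) for dj in (-1, 0, 1)
                           if (di or dj) and 0 <= i + di < m and 0 <= j + dj < n
                           and blk[i + di][j + dj] == c)
    return nb


def parity(blk):
    return sum(map(sum, blk)) % 2


def is_uniform(blk):
    s = sum(map(sum, blk))
    return s == 0 or s == len(blk) * len(blk[0])


def embed_bit(blk, bit):
    """Section 3.2.2, Steps 2-5: force the block parity to `bit` by flipping at most one pixel,
    chosen where the flipped value agrees with the most neighbours. Caller skips uniform blocks."""
    out = [row[:] for row in blk]
    if parity(out) == bit:
        return out
    m, n = len(out), len(out[0])
    nb = neighbour_matrix(out)
    # max() returns the first of several equal maxima, as Step 4(ii) requires
    i, j = divmod(max(range(m * n), key=lambda p: nb[p // n][p % n]), n)
    out[i][j] ^= 1
    if is_uniform(out):                       # Step 5: undo, flip a neighbour instead
        out[i][j] ^= 1
        for di, dj in ((0, 1), (1, 0), (0, -1), (-1, 0), (1, 1), (1, -1), (-1, 1), (-1, -1)):
            if 0 <= i + di < m and 0 <= j + dj < n:
                out[i + di][j + dj] ^= 1
                break
    return out


def block_origins(img):
    return [(r, c) for r in range(0, len(img), M) for c in range(0, len(img[0]), N)]


def get_block(img, r, c):
    return [row[c:c + N] for row in img[r:r + M]]


def put_block(img, r, c, blk):
    for i, row in enumerate(blk):
        img[r + i][c:c + N] = row


def asr_blocks(img, key):
    """Section 3.1: the key selects the ASR. Here it seeds a PRNG that permutes the block order
    (assumption; use a keyed PRF in practice); one bit goes into each selected block (h = 1).
    Uniform blocks carry no data (Step 1) and are skipped identically by sender and receiver."""
    order = block_origins(img)
    random.Random(key).shuffle(order)
    chosen = [rc for rc in order if not is_uniform(get_block(img, *rc))][:TAG_BITS]
    if len(chosen) < TAG_BITS:
        raise ValueError("too few non-uniform blocks to carry the AS")
    return chosen


def authentication_signature(img, asr, key):
    """Hash the IZR (image with the ASR cleared) under the key; the MAC is the AS, as a bit list."""
    izr = [row[:] for row in img]
    for r, c in asr:
        put_block(izr, r, c, [[0] * N for _ in range(M)])
    mac = hmac.new(key, bytes(b for row in izr for b in row), hashlib.sha256).digest()
    return [(mac[i // 8] >> (7 - i % 8)) & 1 for i in range(TAG_BITS)]


def csawt_insert(img, key):
    """Section 3.3 insertion: select ASR, MAC the IZR, hide one MAC bit per ASR block."""
    asr = asr_blocks(img, key)
    marked = [row[:] for row in img]
    for (r, c), bit in zip(asr, authentication_signature(img, asr, key)):
        put_block(marked, r, c, embed_bit(get_block(marked, r, c), bit))
    return marked


def csawt_verify(marked, key):
    """Section 3.3 extraction: read the parities of ASR*, recompute the MAC over IZR*, compare."""
    asr = asr_blocks(marked, key)
    extracted = bytes(parity(get_block(marked, r, c)) for r, c in asr)
    expected = bytes(authentication_signature(marked, asr, key))
    return hmac.compare_digest(extracted, expected)


def changed_pixels(a, b):
    return sum(x != y for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def sample_image(h=96, w=96, seed=7):
    """Constructed sample input: a pseudo-random binary image, not a real document scan."""
    rng = random.Random(seed)
    return [[rng.randint(0, 1) for _ in range(w)] for _ in range(h)]


if __name__ == "__main__":
    key, img = b"shared-secret-key", sample_image()
    marked = csawt_insert(img, key)
    print("pixels changed:", changed_pixels(img, marked), "of", 96 * 96)
    print("verify genuine:", csawt_verify(marked, key))
    tampered = [row[:] for row in marked]
    tampered[10][10] ^= 1                      # a single flipped pixel anywhere
    print("verify tampered:", csawt_verify(tampered, key))
```

Running it changes at most 128 pixels (about 64 on average, since half the selected blocks already have the right parity); flipping any one pixel of the marked image, or verifying with a different key, makes `csawt_verify` return False. The seeded `random.Random` only stands in for the key-derived position list of Section 3.1: a PRNG seeded from a key is not a cryptographic construction, so a deployment should derive the positions from a keyed PRF such as HMAC over a block counter.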

4. Conclusion

This paper has proposed a cryptography-based secure authentication watermarking for binary images (CSAWT). The proposed technique can watermark most binary images without a noticeable loss of visual quality. It can be applied to provide basic proof of copyright ownership and to electronically sign binary documents.

5. References

[1] P. S. L. M. Barreto, H. Y. Kim and V. Rijmen, "Toward a Secure Public-Key Blockwise Fragile Authentication Watermarking," IEE Proc. Vision, Image and Signal Processing, vol. 149, no. 2, pp. 57-62, 2002.

[2] C. T. Li, D. C. Lou and T. H. Chen, "Image Authentication and Integrity Verification via Content-Based Watermarks and a Public Key Cryptosystem," IEEE Int. Conf. Image Processing, 2000, vol. 3, pp. 694-697.

[3] R. de Queiroz and P. Fleckenstein, "Object Modification for Data Embedding through Template Ranking," Xerox Invention Proposal, 1999.

[4] Y.-C. Tseng, Y.-Y. Chen and H.-K. Pan, "A Secure Data Hiding Scheme for Binary Images," IEEE Trans. on Communications, vol. 50, no. 8, Aug. 2002, pp. 1227-1231.

[5] M. U. Celik, G. Sharma, E. Saber and A. M. Tekalp, "Hierarchical Watermarking for Secure Image Authentication with Localization," IEEE Trans. Image Processing, vol. 11, no. 6, pp. 585-595, 2002.

[6] G. Pan, Y. J. Wu and Z. H. Wu, "A Novel Data Hiding Method for Two-color Images," Lecture Notes in Computer Science: Information and Communications Security, Springer-Verlag, Nov. 2001, pp. 261-270.

[7] Min Wu and Bede Liu, "Data Hiding in Binary Image for Authentication and Annotation," IEEE Transactions on Multimedia, vol. 6, no. 4, August 2004.

[8] M. Wu, E. Tang and B. Liu, "Data hiding in digital binary image," IEEE Int. Conf. Multimedia & Expo (ICME'00), New York, 2000.

[9] Wen-Yuan Chen and Chen-Chung Liu, "Robust watermarking scheme for binary images using a slice-based large-cluster algorithm with a Hamming Code," Optical Engineering, January 2006, vol. 45, issue 1, 017005 (10 pages).

[10] Hae Yong Kim and Amir Afif, "A Secure Authentication Watermarking for Halftone and Binary Images," International Journal of Imaging Systems and Technology, vol. 14, issue 4, pp. 147-152.

[11] Jeanne Chen, Tung-Shan Chen and Meng-Wen Cheng, "A New Data Hiding Method in Binary Image," Proc. IEEE Fifth International Symposium on Multimedia Software Engineering (ISMSE '03), 2003.

[12] M. S. Fu and O. C. Au, "Data Hiding by Smart Pair Toggling for Halftone Images," IEEE Int. Conf. Acoustics, Speech and Signal Processing, vol. 4, pp. 2318-2321, 2000.

[13] M. S. Fu and O. C. Au, "Data Hiding Watermarking for Halftone Images," IEEE Trans. Image Processing, vol. 11, no. 4, pp. 477-484, 2002.

[14] S. C. Pei and J. M. Guo, "Hybrid Pixel-Based Data Hiding and Block-Based Watermarking for Error-Diffused Halftone Images," IEEE Trans. on Circuits and Systems for Video Technology, vol. 13, no. 8, pp. 867-884, 2003.

[15] P. W. Wong, "A Public Key Watermark for Image Verification and Authentication," IEEE Int. Conf. Image Processing, 1998, vol. 1, pp. 455-459 (MA11.07).


Steganography – Art of Hiding Information
Kuldeep Singh

Sun Microsystems, Email: [email protected]

Introduction

Steganography is the art of sending information in such a manner that the very existence of the message is unknown. Steganography plays a vital role in security and supplements cryptography. This article offers a brief introductory discussion of steganography: what it is, its impact on information security, and future trends.

Background

The recorded study of steganography dates back to about 440 BC and the Greek historian Herodotus, and the practice has been around since the times of ancient Rome.

The Romans used invisible inks based on natural substances such as fruit juices and milk; the hidden text was revealed by heating it. During the 15th and 16th centuries many writers, including Gaspar Schott, wrote on steganographic techniques such as coding techniques for text, invisible ink, and incorporating hidden messages in music.

Between 1883 and 1907 further development can be attributed to the publications of Charles Briquet (author of Les Filigranes). That work catalogued paper watermarks rather than cryptography, but it is regarded as a foundation of steganographic (and watermarking) systems.

In today's digital world steganography is used on computer systems all over the world. Many tools and techniques have been created that take advantage of old steganographic techniques such as the null cipher, coding in images, audio and video, and the microdot. With continuing research, this topic will see many applications in the near future.

Main Focus of the Article

Steganography is derived from the Greek words steganos, which means covered or concealed, and graphein, which means to write. Steganography is often said to be more abused than used.

Steganography is defined by Markus Kuhn as follows:

“Steganography is the art and science of communicating in a way which hides the existence of the communication. In contrast to cryptography where the enemy is allowed to detect, intercept and modify messages without being able to violate certain security premises guaranteed by a cryptosystem, the goal of steganography is to hide messages inside other harmless messages in a way that does not allow any enemy to even detect that there is a second message present.”

For example, in ancient Rome and Greece, text was traditionally written on wax that was poured on top of stone tablets. If the sender of the information wanted to obscure the message - for purposes of military intelligence, for instance-they would use steganography; the wax would be scraped off and the message would be inscribed or written directly on the tablet, wax would then be poured on top of the message, thereby obscuring not just its meaning but its very existence.

Steganography is used for legitimate and illegitimate reasons.

Legitimate reasons include watermarking images for copyright protection. Digital watermarking (and the closely related technique of fingerprinting), used especially for copyrighted material, is similar to steganography in that information is overlaid on a file so that it appears to be part of the original and is not easily detectable by an average person, in order to deter sabotage, theft or unauthorized viewing.

Illegitimate reasons include the theft of confidential information by concealing it in files and transferring them through normal e-mail. For terrorist purposes, steganography can be used for covert communication.

Steganography is best used together with other information-hiding methods as part of a layered security approach. The other methods include encryption, hidden directories (Windows), hidden directories (Unix) and covert channels (e.g. LOKI).

- Encryption: the process of passing data (plaintext) through a series of mathematical operations that generate an alternate form of the original data known as ciphertext. The encrypted data can only be read by parties who hold the key needed to decrypt the ciphertext back into its original plaintext form. Encryption does not hide data, but it does make it unreadable to anyone without the key.
- Hidden directories (Windows): Windows lets users hide files by setting the "hidden" attribute on a file or directory, which only works as long as nobody configures Explorer to display hidden files.
- Hidden directories (Unix): placing files in existing directories that already contain many files, such as /dev, or creating a directory whose name starts with three dots (...) rather than the normal single or double dot, so that it is overlooked in listings.
- Covert channels: some tools transmit data inside seemingly normal network traffic. One such tool is Loki, which hides data in ICMP traffic (the protocol used by ping).

There are various tools and methods for detecting steganography. These include Stegdetect, Stegbreak and the Steganography Analyzer Real-time Scanner (StegAlyzerRTS).

Stegdetect is an automated tool for detecting steganographic content in images; it recognises the statistical signatures left by several common JPEG steganography tools (such as JSteg, JPHide and OutGuess).

Stegbreak, a companion to Stegdetect, runs a dictionary attack against the passphrase of a file that Stegdetect has flagged, in order to recover the embedded message once the stego has been detected.

StegAlyzerRTS detects insiders downloading digital steganography applications that are widely available as freeware on the Internet, as well as commercially licensed steganography applications. StegAlyzerRTS also detects attempts by insiders to use steganography applications that may have been installed on the network prior to the deployment of StegAlyzerRTS. Its signature scanning approach allows StegAlyzerRTS to detect insider attempts to upload carrier files containing hidden information to external websites, to send files containing hidden information as e-mail attachments, and even to use a technique known as spam mimicry, which conceals information by converting it into a form that appears to be spam.

According to an article in The Hindu Business Line of 17 September 2002 [11], terrorist attacks have overtaken traditional wars, and most countries are now equipping themselves with technologies to combat terrorism. Intelligence, without any doubt, is the most important weapon against terrorism, especially external terrorism, and intelligence obtained by tracing the wireless communications of terrorists has proved most useful. The US Air Force has a "Detection and Recovery Tool Kit" developed at the Air Force Research Laboratory, New York, which can detect covert messages. Hence the days of Indian agencies piecing together information gathered from the cellular conversations of terrorists are past; combating terrorism will require more modern tools and continuous updating to at least keep pace with the terrorists. India is, unfortunately, in a situation where it will have to protect itself against different types of terrorism for many years.

Future Trends

An important distinction that should be made among the tools available today is the difference between tools that do steganography and tools that do steganalysis, which is the method of detecting steganography and destroying the original message. Steganalysis focuses on this aspect, as opposed to simply discovering and decrypting the message, because decryption can be difficult unless the encryption keys are known. The goal of steganalysis is to identify suspected information streams, determine whether or not they have hidden messages encoded into them, and, if possible, recover the hidden information.

The challenge of steganalysis is that the suspect information stream, such as a signal or a file, may or may not have hidden data encoded into them. The hidden data, if any, may have been encrypted before being inserted into the signal or file. Some of the suspect signal or file may have noise or irrelevant data encoded into them, which can make analysis very time consuming.

Unless it is possible to fully recover, decrypt and inspect the hidden data, often one has only a suspect information stream and cannot be sure that it is being used for transporting secret information.

Unlike cryptanalysis, where it is evident that intercepted encrypted data contains a message, steganalysis generally starts with several suspect information streams but with uncertainty as to whether any of them contains a hidden message. The steganalyst starts by reducing the set of suspect information streams to a subset of the most likely altered information streams. This is usually done with statistical analysis using advanced statistical techniques.

Conclusion

Steganography is a fascinating and effective method of hiding data that has been used throughout history. Many methods can be employed to uncover such devious tactics, but the first step is the awareness that such methods even exist. There are also many good reasons to use this type of data hiding, including watermarking or a more secure central storage method for such things as passwords or key processes. This technology is easy to use and difficult to detect. The more you know about its features and functionality, the further ahead you will be in the game.

Acknowledgements: The author thanks his family, his mother Monika and sister Kavita, for their unhesitating support and encouragement to pursue his passion for writing. During his writing he has been disruptive to them in terms of time and absence from home, and he is forever grateful for their love and support.

References

1. Wikipedia - The Free Encyclopedia. Steganography. [online]. Available at http://en.wikipedia.org/wiki/Steganography; Accessed on 11 June 2007.

2. Johnson, N. F., Jajodia, S. Exploring Steganography: Seeing the Unseen. [online]. Available at http://www.jjtc.com/pub/r2026.pdf; Accessed on 13 June 2007.

3. Rude, T. J. Steganography - Disappearing Cryptography. [online] CRAZYTRAIN.COM. Available at http://www.crazytrain.com/rudedude.pps; Accessed on 14 June 2007.

4. Hyperdictionary. Discrete cosine transform. [online] 2007. Available at http://www.hyperdictionary.com/computing/discrete+cosine+transform; Accessed on 14 June 2007.

5. Johnson, N. F., Jajodia, S. Steganalysis of Images Created Using Current Steganography Software. [online]. Available at http://www.jjtc.com/ihws98/jjgmu.html; Accessed on 01 June 2007.

6. Kessler, G. An Overview of Steganography for the Computer Forensics Examiner. [online]. Available at http://www.garykessler.net/library/fsc_stego.html; Accessed on 10 May 2007.

7. Computerworld. Steganography: Hidden Data. Quickstudy by Deborah Radcliff. [online]. Available at http://www.computerworld.com/securitytopics/security/story/0,10801,71726,00.html; Accessed on 02 June 2007.

8. Wired. Bin Laden: Steganography Master. [online]. Available at http://www.wired.com/politics/law/news/2001/02/41658; Accessed on 04 June 2007.

9. USA Today. Terror groups hide behind Web encryption. [online]. Available at http://www.usatoday.com/tech/news/2001-02-05-binladen.htm; Accessed on 09 June 2007.

10. Wired. Secret Messages Come in .Wavs. [online]. Available at http://www.wired.com/politics/law/news/2001/02/41861; Accessed on 10 June 2007.

11. R & D to combat terrorism. [online]. Available at http://www.blonnet.com/2002/09/17/stories/2002091702470900.htm; Accessed on 20 June 2007.

About the Author :

Kuldeep Singh is an Enterprise IT Architect & Security Ambassador APAC and currently works in Sun Microsystems India Pvt. Ltd. He can be reached at [email protected]. Blogs: http://blogs.sun.com/ks/


Information Security Issues in Wireless Networks Kaleem A. Usmani* & Dr. Nupur Prakash**

*Lecturer, CDAC School of Advanced Computing, University of Mauritius, Mauritius, [email protected] **Professor & Dean, University School of IT, GGS Indraprastha University-Delhi, India, [email protected]

Wireless networking, once a rarity, is now very popular among the large number of Internet users. This popularity has led to the availability of a large number of wireless networking products and protocols for home and business use. However, wireless transmissions are not limited to authorized users: unauthorized users within radio range can also take undue advantage of them. The IEEE 802.11 standard offers a level of protection known as the Wired Equivalent Privacy (WEP) protocol. WEP was designed to give wireless networks a level of privacy protection equivalent to that of a comparable wired network. However, it did not take long to discover that the WEP protocol has many inherent flaws. This paper highlights the security issues related to the WEP protocol and enumerates some of the available solutions to overcome the WEP vulnerabilities.

Introduction

WEP was designed to offer a high degree of security by resisting eavesdroppers and attackers. According to Borisov, Goldberg and Wagner, WEP was intended to enforce three security goals: confidentiality, access control and data integrity [1]. However, as wireless networks grew in popularity, many flaws were discovered in the original WEP design. Despite these flaws, WEP is still more effective than no security at all. The main goal of this paper is to highlight the security threats to a WLAN using the WEP protocol and the possible solutions to overcome the WEP vulnerabilities.

2. The WEP Algorithm

WEP is an algorithm used to secure wireless communications from eavesdropping and modification. A secondary function of WEP is to prevent unauthorized access to a wireless network. It relies on a secret key shared between a wireless station and an access point. The secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that the packets are not modified in transit. The 802.11 standard does not state how the shared key is established; in practice, most installations use a single key shared between all stations and access points [2]. WEP uses the RC4 stream cipher for confidentiality and the CRC-32 checksum for integrity (a linear checksum, not a keyed MAC, so it offers no cryptographic integrity protection).

3. Limitations of WEP

This section briefly describes the limitations of the Wired Equivalent Privacy protocol and the security attacks to which it can be subjected.

a) Static Key

WEP relies on a secret key shared between the communicating parties to protect the body of a transmitted data frame [2]. The standard provides no key management, so in practice the same key is configured on every station and access point and is rarely changed; this increases the probability that a user leaks the key accidentally or intentionally.

b) Brute Force Attack

A brute force attack is the most basic attack used to decrypt packets sent on an encrypted network. It is initiated by intercepting the communications on the network, which is possible because wireless data is broadcast to everyone within range of the access point. Once the data has been intercepted, the attacker guesses keys until the right one is found, i.e. tries all possible key values until the correct key is identified. With a 40-bit secret key there are 2^40 = 1,099,511,627,776 possible secret keys; a computer checking 50,000 keys per second would need over 250 days to find the correct one [4]. The time required to brute force a 40-bit key can, however, be brought down to under a minute because of a flaw discovered by Tim Newsham in the passphrase-based WEP key generators shipped by many vendors, which produce only about 2^21 distinct 40-bit keys. The feasibility of this attack therefore depends on the effective length of the key: a 104-bit key would take a single computer about 10^19 years at 60,000 guesses per second [5].

c) Weak IV (Initialization Vector) Attack

When an IV is reused, it is called a collision. On a collision, the combination of the shared secret and the repeated IV yields a keystream that has been used before. Since the IV is sent in cleartext, an attacker who records all traffic can identify when collisions occur. A number of attacks become possible once IV collisions are found. An example is the keystream attack, which derives the keystream by analysing two packets encrypted with the same IV: XORing the two ciphertexts cancels the keystream and yields the XOR of the two plaintexts, and if one plaintext is known or guessable, the other plaintext and the keystream itself follow directly.

d) The FMS Attack

The FMS attack is the best-known attack on WEP. It is named after Scott Fluhrer, Itsik Mantin and Adi Shamir [6]. The basis for this attack is a weakness in the way RC4 generates the keystream. Specifically:
1. The Initialization Vector (IV) that is always prepended to the key before the RC4 keystream is generated is transmitted in cleartext.
2. The IV is relatively small (three bytes), so the relatively small number of unique IVs is re-used to encrypt packets.
3. Some of the IVs are "weak" in the sense that they leak information about the key.

The key scheduling algorithm (KSA) in WEP uses either the concatenation of the 24-bit IV and the 40-bit shared key, making a 64-bit packet key, or the concatenation of the 24-bit IV and the 104-bit shared key, making a 128-bit packet key, to set up the RC4 state array S. This array S, a permutation of {0, ..., 255}, is used by the output generator (PRGA) to create a pseudorandom sequence. The attack uses only the first byte of output from this sequence, which the attacker can read off each captured frame because the first plaintext byte of every 802.11 data frame is the fixed LLC/SNAP header value 0xAA. The attack is based on the fact that, for a large class of weak IVs, there is a strong probabilistic correlation between some bits of the shared key and the first byte of the output stream [7, 10].

e) Shared Key Authentication Flaw

The shared key authentication protocol is easily exploited through a passive attack: eavesdropping on one leg of an authentication exchange. The attack works because of the fixed structure of the protocol (the only difference between authentication messages is the random challenge) and the previously reported weaknesses in WEP [3, 8]. The attacker first captures the second and third management messages of an authentication exchange. The second message contains the random challenge in the clear, and the third message contains the challenge encrypted with the shared authentication key.

XORing the known plaintext of the third message against its ciphertext yields the pseudo-random stream for the IV used in that message, and its length equals the size of the authentication frame, because every element of that frame is known: algorithm number, sequence number, status code, element id, length and the challenge text. All but the challenge text are identical for ALL authentication responses. The attacker now has every element needed to authenticate to the target network without knowing the shared secret K. The attacker requests authentication from the access point it wishes to join, and the access point responds with an authentication challenge in the clear.

The attacker then replies with a valid authentication response message, built by XORing the new response frame (including its ICV) with the recovered keystream and reusing the same IV, which WEP does not reject, and so associates with the AP and joins the network.

4. Solutions to WEP Security

Several solutions are suggested to strengthen the WEP security.

a) Changing encryption keys for every packet

Hashing the concatenation of the initialization vector (IV) and the shared key before feeding it to the RC4 stream generator would prevent the IV from revealing any useful information about the shared key [9].

b) Dropping the initial bytes from the RC4 output

The probabilistic correlation between some bits of the shared key and some bits of the output cipherstream (for a large class of weak keys) is one of the prime vulnerabilities of the RC4 implementation in WEP. This can be easily countered by dropping some initial bytes (say 128 or 256) of the RC4 stream cipher output, since this will mitigate any such correlation between the bits of the shared key and the output cipherstream [7, 9].
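To make the RC4 mechanics behind the Fluhrer, Mantin and Shamir description above and the two mitigations in (a) and (b) concrete, here is an added example in Python. It is not code from the paper or from any WEP implementation. It implements the KSA and PRGA as described (S is a permutation of {0, ..., 255}; the per-packet key is IV || K), a hashed per-packet key for (a), and the drop-n variant of the PRGA for (b). SHA-256 truncated to 16 bytes is this example's choice of hash, the paper names none. As a measurable illustration of why the first keystream bytes are dangerous, it counts a bias the paper does not itself discuss: Mantin and Shamir's observation that the second RC4 output byte is 0 with probability about 2/256 rather than 1/256, which disappears once the first 256 bytes are dropped. The shared key, IV, frame body and trial count are constructed.

```python
import hashlib
import random


def rc4_ksa(key: bytes) -> list:
    """Key scheduling algorithm: derive the state array S, a permutation of 0..255, from the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """PRGA: return n keystream bytes after discarding the first `drop` bytes.
    drop=0 is plain RC4 as WEP uses it; drop=256 is the mitigation of section 4 b)."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for k in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        z = S[(S[i] + S[j]) & 0xFF]
        if k >= drop:
            out.append(z)
    return bytes(out)


def wep_packet_key(iv: bytes, shared_key: bytes, hashed: bool = False) -> bytes:
    """WEP feeds IV || K straight into the KSA, so the first three key bytes are public.
    With hashed=True the concatenation is hashed first, as section 4 a) suggests; SHA-256
    truncated to 16 bytes is this example's choice (assumption), the paper names no hash."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    raw = iv + shared_key
    return hashlib.sha256(raw).digest()[:16] if hashed else raw


def wep_encrypt(iv: bytes, shared_key: bytes, data: bytes,
                hashed: bool = False, drop: int = 0) -> bytes:
    """XOR the frame body with the per-packet keystream; decryption is the same call."""
    ks = rc4_keystream(wep_packet_key(iv, shared_key, hashed), len(data), drop)
    return bytes(p ^ k for p, k in zip(data, ks))


def second_byte_zero_count(trials: int, drop: int, seed: int = 1234) -> int:
    """Over `trials` random 8-byte keys (constructed with a fixed seed), count how often the
    second keystream byte is 0.  Mantin and Shamir showed this happens with probability
    about 2/256 instead of 1/256; the bias lives in the early keystream only, so it should
    vanish once the first 256 bytes are dropped."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = bytes(rng.randrange(256) for _ in range(8))
        if rc4_keystream(key, 2, drop)[1] == 0:
            hits += 1
    return hits


if __name__ == "__main__":
    K = bytes.fromhex("0102030405")       # constructed 40-bit shared key
    iv = bytes.fromhex("0a0b0c")          # constructed 24-bit IV
    body = b"constructed frame body"
    ct = wep_encrypt(iv, K, body)
    print("round trip ok:", wep_encrypt(iv, K, ct) == body)
    print("plain packet key starts with the public IV:", wep_packet_key(iv, K)[:3] == iv)
    print("hashed packet key starts with the IV:", wep_packet_key(iv, K, hashed=True)[:3] == iv)
    n = 10000
    print("P[Z2 = 0], plain RC4:", second_byte_zero_count(n, 0) / n)
    print("P[Z2 = 0], drop-256: ", second_byte_zero_count(n, 256) / n)
```

Running the two counts side by side shows the plain PRGA landing near 2/256 and the drop-256 variant near 1/256; the hashed packet key no longer begins with the IV, which is the property (a) is after.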

c) Firmware modifications

The firmware for the 802.11b based wireless cards can be modified so that the “weak” IVs (all of which have been identified by now) are skipped and no longer sent out as part of a WEP encrypted packet. Though its actual implementation is a non-trivial issue on account of the large installed base of the current cards, this approach would easily mitigate any attack based on the RC4 based vulnerability [7, 9].

d) Modifying the CRC algorithm

The currently used 32-bit CRC algorithm is linear and is easily determined by any attacker, thereby making it very vulnerable to bit-flipping attacks. Modifying the CRC algorithm so that it is no longer linear will help mitigate such attacks [7, 9].
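The linearity this paragraph relies on can be checked directly. The following is an added example in Python, not code from the paper: it verifies the affine identity that zlib's CRC-32 satisfies for equal-length inputs (so the checksum of a bit-flipped frame follows from the flip alone, with no knowledge of the frame) and contrasts it with a keyed MAC, for which no such identity exists. HMAC-SHA256 is this example's choice of non-linear check; the paper only says the checksum must stop being linear. The frame and key are constructed.

```python
import hashlib
import hmac
import zlib


def crc32_affine_identity_holds(frame: bytes, delta: bytes) -> bool:
    """Check crc32(frame ^ delta) == crc32(frame) ^ crc32(delta) ^ crc32(0...0) for two
    byte strings of equal length.  It holds for every input because CRC-32 is an affine
    function of the message, which is why flipping bits under a CRC goes unnoticed."""
    if len(frame) != len(delta):
        raise ValueError("delta must have the frame's length")
    modified = bytes(a ^ b for a, b in zip(frame, delta))
    zeros = bytes(len(frame))
    return zlib.crc32(modified) == zlib.crc32(frame) ^ zlib.crc32(delta) ^ zlib.crc32(zeros)


def keyed_tag(key: bytes, frame: bytes) -> bytes:
    """A keyed MAC (HMAC-SHA256, this example's choice; the paper only asks for a non-linear
    check).  Without the key the tag of a modified frame cannot be derived from the old one."""
    return hmac.new(key, frame, hashlib.sha256).digest()


def verify_tag(key: bytes, frame: bytes, tag: bytes) -> bool:
    """Constant-time comparison, so the check itself leaks nothing about the expected tag."""
    return hmac.compare_digest(keyed_tag(key, frame), tag)


def demo() -> tuple:
    """Constructed frame and key.  Returns (CRC identity held, MAC accepted the original,
    MAC accepted the bit-flipped frame)."""
    frame = b"constructed frame body: seq=0017 flag=0"
    key = b"constructed 16-byte key!"
    delta = bytearray(len(frame))
    delta[-1] ^= 0x01                      # flip one bit in the last byte
    flipped = bytes(a ^ b for a, b in zip(frame, delta))
    tag = keyed_tag(key, frame)
    return (
        crc32_affine_identity_holds(frame, bytes(delta)),
        verify_tag(key, frame, tag),
        verify_tag(key, flipped, tag),
    )


if __name__ == "__main__":
    print(demo())
```

The first element of the result is always True, whatever frame and delta are chosen; the third is False because the flipped frame no longer matches its tag.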

e) Dynamic key management techniques

In most setups using WEP, the shared key is not changed for long periods of time, thereby increasing the vulnerability factor. Moreover, there is no mechanism to change the keys dynamically. Adding a dynamic key management scheme via the use of temporal keys, as specified in TKIP (Temporal Key Integrity Protocol), wherein the encryption keys are changed after transmitting every 10,000 packets, could help prevent the currently known attacks against WEP [7, 9].

f) Changing the Initialization Vector (IV)

The size of the IV can be increased by using a flag in the current header to indicate that additional IV bits are present in the data frame. Not only will this increase the range of currently available IV values (which is capped at 16 million because of the current 24-bit size), but it will also make it impossible for an attacker to determine the entire initialization vector without knowing the shared key, since a part of it would be encrypted as part of the payload [7, 9].

4. Conclusions

In this paper, the security holes in the wired equivalent privacy protocol are reviewed and the security flaws are discussed. Several solutions to overcome these flaws are presented. Organizations that choose or already have chosen to deploy a WLAN should consider the currently existing problems of the WEP protocol and secure their network accordingly.

References:

[1] Craiger, J. Philip (June 2002). 802.11, 802.1x, and Wireless Security. Retrieved June 15, 2007, from SANS Website: http://www.sans.org

[2] Borisov, N., Goldberg, I., & Wagner, D. (July 2001). Intercepting Mobile Communications: Insecurity of 802.11. Published in the proceedings of the 7th Annual International Conference on Mobile Computing & Networking, pp. 180-189, Rome, Italy.

[3] Technical Report. Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications. IEEE Computer Society, LAN MAN Standards Committee, 1999. Retrieved July 3, 2007. Website: http://www.csse.uwa.edu.au

[4] Michael Sthultz, Jacob Uecker & Hal Berghel (September 2005). Wireless Insecurities. Center for Cybermedia Research, University of Nevada, Las Vegas. Retrieved June 16, 2007. Website: http://www.berghel.net/publications/wifi_vul/wifi_vul.php#5

[5] Technical Report. Sam Guarnieri, Willow Noonan, Dave Pacifico, and Ben Taitelbaum (Nov 2005). WEP Encryption and the Cavalier Wireless Network. Retrieved July 1, 2007. Website: http://abstract.cs.washington.edu/~sammyg/UVa/CS551/paper.pdf

[6] Scott Fluhrer, Itsik Mantin & Adi Shamir (August 2001). Weaknesses in the Key Scheduling Algorithm of RC4. In Eighth Annual Workshop on Selected Areas in Cryptography, pages 1-24, Toronto, Canada.

[7] William A. Arbaugh, Narendar Shankar, and Y.C. Justin Wan (2002). Your 802.11 Wireless Network Has No Clothes. IEEE Wireless Communications, 9(6):44-51.

[8] J. Walker (March 2000). Unsafe at Any Key Size: An Analysis of the WEP Encapsulation. Technical Report 03628E, IEEE 802.11 committee. Retrieved July 3, 2007. Website: http://grouper.ieee.org/groups/802/11/Documents/DocumentHolder/0-362.zip

[9] Madhur Joshi, Sawhney Nimit (2002). A Tool to Demonstrate Weaknesses in Wired Equivalent Privacy. Technical Report 18-849, Security and Cryptography Project, Carnegie Mellon University.

[10] Adam Stubblefield, John Ioannidis & Aviel D. Rubin (2002). Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. Symposium on Network and Distributed System Security.

[11] Hao Yang, Fabio Ricciato, Songwu Lu and Lixia Zhang (Feb 2006). Securing a Wireless World. Proceedings of the IEEE, Vol. 94, No. 2.


Mr. Kaleem Usmani has been working as Lecturer in the CDAC School of Advanced Computing (CSAC), University of Mauritius, Mauritius since 2003. He is currently enrolled at GGS Indraprastha University for his PhD in ‘Secure Wireless Networks’. Prior to joining CSAC he worked as Analyst Programmer at Leisure Garments Limited [ESQUEL Group-Hong Kong], Malaysia and Mauritius. He has also served Net4india, New Delhi as Software Engineer for two years and worked extensively in Server Side Programming.

He obtained his Bachelor of Science & Engineering (Mechanical) degree in 1997 and MCA (Masters in Computer Applications) in 2000 from Aligarh Muslim University, Aligarh (UP). His areas of interest are Information Security, Wireless Networks and Network Programming.

Dr. Nupur Prakash, Dean and Professor, School of IT, University School of IT, GGS Indraprastha University, Delhi, India. Email: [email protected]

Dr. Nupur Prakash holds a PhD degree in Engg. and Technology from Punjab University, Chandigarh (1998). She received her M.E. in Computer Science and Technology in 1986 and B.E. in Electronics and Communication in 1981 from the University of Roorkee. She has worked as a scientist in a CSIR lab, the Central Scientific Research Organisation (CSIO), Chandigarh, on a microprocessor-based cross-correlation flowmeter. She has also headed the Department of Computer Science and Engineering at Punjab Engineering College, Chandigarh. She has been the Principal of Indira Gandhi Institute of Technology, Delhi for 4 years. Presently, she is Dean, USIT, GGSIPU. Her research interests are Wireless Communication, Mobile Computing, Network Security and Cryptography. She has authored 50 research papers in various National & International journals and conferences.

Forthcoming Special Theme Issues

Month    Theme                  Guest Editor
Sept 07  Embedded Systems       Dr. Rajkamal, India
Oct 07   Systems Thinking       Dr. K S Narendra, USA
Nov 07   Internet Governance    Mr. Nitin Desai, India
Dec 07   Storage Technologies   Mr. Sudhakar Rao, India

Note: The content of the theme section will be finalized by the 20th of the preceding month.


Towards More Effective Virus Detectors

Raghunathan Srinivasan* & Partha Dasgupta**

Arizona State University. *[email protected] **[email protected]

1. Introduction

Viruses (or malware) are a scourge, with potentially unlimited fraudulent uses. Smart viruses can hide, mutate and disable detection methods. Computers are an important part of everyday life to many people across the world. The Internet has revolutionized everyday life. The Internet has also brought an ugly side of computers: a plethora of malware. Home computers are most vulnerable to attacks by malicious programs and hackers. This is because many home users are less equipped to prevent or counter an infection. Even if the user possesses the required skills, a smart virus that appropriately hooks onto the system can hide its presence on the machine, and remain undetected. These compromised machines are vulnerable to hackers who steal secret data or even install additional software that enables the use of the machine as part of a botnet to launch Denial of Service attacks on servers, or to intrude on government agencies.

Virus writers use a variety of techniques to attack a machine. They can be enumerated as follows:

• Social engineering
• Spamming
• Exploitation of software vulnerabilities
• Code Injection
• Cross Site Scripting
• Pharming

Elimination of software vulnerabilities requires the implementation of a secure OS and secure coding. Both issues have been researched heavily but have been ineffective in practice, mainly due to the abundance of legacy code. The OS kernel consists of millions of lines of code, and writing a secure OS would require that the entire kernel is bug free. Writing bug-free code is a very complex problem. Creation of a completely secure OS is unlikely (Basili & Perricone, 1984). The problem of preventing infections is made difficult by the fact that most hackers rely on human error (social engineering) to compromise systems. It can be inferred from the above that it is hard to prevent an infection since it is difficult to foresee the exact error a user may commit. Hence, security software relies on detection instead of prevention.

Software such as Anti-Virus (AV) solutions and firewalls offer some protection against computer attacks; however, they are not completely effective. Virus detection is surprisingly hard; it has been shown that there is no algorithm that can perfectly detect the presence of malicious code (Cohen, 1993). Since the AV relies on definitions or known behavioural patterns of malicious programs, code that is new in design can effectively use the zero day exploit (Schneier, 2003).

The AV and other security software suffer from several shortcomings. The AV is a user level application that can be killed by any process with administrator privileges, or it can be infected by viruses, due to which the detection engine is rendered useless. Like a virus, the AV software may attempt to hide itself, but such attempts to hide can also be detected.

Software in most machines is identical (genetic uniformity). Due to this, an attacker can use one machine to carry out experiments and find out ways to exploit vulnerabilities, and use the information to carry out the same attack on other machines. By making programs dissimilar on every machine the complexity and cost of an attack can be increased.

Motivations behind malware have changed constantly over time. Early viruses were designed to cause disruptions by wiping out hard drives and deleting files. Recent malware is aimed at stealing information such as bank account numbers and credit card information. The payload of a malware has also undergone changes. It may contain a virus, a rootkit and a password logger. Malware is a big threat in today’s computing world.

AV software has evolved continuously with malware (Nachenberg, 1997; Sanok, 2005). AV products have made it tougher for viruses to escape detection. The virus writers have responded by creating a new trend: malicious programs disable the AV and other security related processes in the system.

The SpamThru Trojan gets installed on a host system by social engineering. It patches the running AV to block updates and prevent its detection. It installs a pirated and patched copy of a popular AV to scan the system and remove other malware. This is done to ensure that there are no competitors for system resources. It runs a rootkit to conceal its own files from the scanner and the system (Naraine, 2006). Beast is a backdoor Trojan horse; it works as a Remote Administration Tool. It injects its DLLs into explorer and winlogon. Once it infects a system, it shuts off the AV and firewall, and the attacker obtains control of the system (The Beast, n.d.).

This list is not limited to only these two; Klez, Bugbear and Lirva are other examples of viruses that disable AV programs. This is known as Armoring (Chen, 2003). Armoring marks a significant change in virus behaviour. Until now any infection could be contained and cleaned by the AV after the arrival of an update; however, the latest trend of killing the AV process threatens to make its presence inconsequential. This means that there is an urgent necessity to protect the AV from rogue programs.

This paper presents a software based solution to prevent malware from disabling security software. This problem is similar to that of preventing infections and also similar to the problems faced by virus writers in hiding their programs from the AV. It is not possible to provide a solution that will hide the AV from malware completely; however, this paper aims to make the process of locating and killing the AV difficult.

2. Related Work

Hiding information is used for malicious and benevolent purposes. The benevolent uses are to hide passwords and credit card information, and code obfuscation for DRM. Malicious uses are typically to hide the presence of malware. To achieve this, the malware monitors and intercepts the state and actions of the compromised system. A rootkit is a popular tool used by hackers to hide the presence of malicious entities in the system. Shadow Walker (Sparks & Butler, 2005) is a rootkit designed to deceive in-memory signature scanners. It hooks onto the page fault handler and the page table entries in the system. It detects the read requests made by the scanners and provides fake values for the corrupted section of memory to remain hidden. SubVirt (King & Chen, 2006) and Bluepill (Rutkowska, 2006) are Virtual Machine (VM) based rootkits that take advantage of the fact that the lower layers in a system can effectively control the upper layers. SubVirt and Bluepill install themselves between the hardware and the operating system to control the machine. These rootkits cannot be detected by processes running within the system. The exact sequence of events in the installation process for the rootkits is beyond the scope of this paper.

It can be seen that use of a rootkit ensures that a process remains hidden in the system from other system programs, and hence could be used to hide the AV in the system. However, the problem with this approach is that if in any eventuality a virus patches onto the AV software, then the virus can never be removed. Also, the aim of this paper is to hide the AV from malicious code, and not from the system administrator.

Another reason for not using any approach similar to rootkits is that it would involve placing the AV inside the kernel of the OS. The AV requires frequent updates. Updating the kernel or a VM is a tedious process; hence, the AV process must remain as an application in the user space.

Code injection is a technique used to introduce code into a process from an outside source during execution. These techniques are very popular in system hacking and cracking. Kc, Keromytis and Prevelakis (2003) describe code injection methodologies for various languages and platforms. Benevolent use of code injection occurs when a user changes the behaviour of a program to meet system requirements. This is done when modifying the software is costly and it is cheaper and more convenient to inject code into the program to achieve the desired functionality. In this paper, code injection is used as one of the means to hide the AV process in the system.

3. Threat Model

Security-related problems cannot all have a single universal solution. Each solution lives up to a threat model. A threat model describes the assumptions and factors considered while making a solution. It also describes the problems that are addressed by the solution. The assumptions made in this paper are:

• The AV will get installed on a clean machine.
• The virus will not attempt to kill all processes, or delete all files in the system.
• The virus will allow some applications to upgrade to newer versions.
• Rootkits are not installed on the system.

This solution works effectively against malware that attempts to identify the AV by scanning the system registry, process table entries and file system for the presence of known AV software solutions. This solution also works effectively against programs that identify the AV by the files and libraries it uses.

4. Design

To evade detection by malicious programs, the AV should remain hidden from all processes in the system. The reason for this is that any program on the machine may be infected. To effectively hide a program, its file structure, registry entries and process table entries have to be hidden. These issues are addressed by a two-fold process. The first step involves installing the program as a different program on the machine. This serves to hide the file structure and registry entries, and also ensures each copy of the AV looks different. The next step involves using code injection to migrate the program code and library into other processes. Migration of code serves to hide process table entries from all other system components. By performing code injection and the subsequent migration after certain time intervals, another threat is addressed: it becomes difficult for malware to locate where the AV currently resides even if it finds where the AV resided previously.

The design of the solution is illustrated in Figure 1; this solution was implemented on the Windows 2000 platform.

a) Installing the Program

Viruses are known to insert sections of their code in other programs to hide their presence. A similar trick can be used to hide the AV. Writing part of the AV code into an executable is not a good solution as it would be too virus-like. Instead, the AV is installed as a different program. This involves replicating the directory structure and file names of the software being replicated. The installation suite contains a list of commonly used software in consumer computers. During installation, the suite finds out which software in the list has not been installed on the machine. The suite then provides the truncated list to the user to choose the software in whose name and structure the AV should be installed. On obtaining the response, the suite proceeds to replicate the directory, file structure and registry entries of the chosen software. By obtaining a user response, the solution ensures that the name and directory structure of the AV is different in every user machine. This provides the genetic diversity that helps in cloaking the AV system.

b) Starting the Process

The first step in hiding the AV is to cloak the point from where the process loads. Malware search registry entries to find values that match the names of popular AV software. The registry entry containing information about the location of start up items is vulnerable to attacks; hence this entry has to be cloaked or removed. This is achieved by forcing another process to start the AV. The best choices for the starter process are system programs that load on boot.

This part of the solution was implemented by inserting a call to load the AV program inside the code of msgina.dll, a library used by the system process winlogon. If this process is different in every machine, then it would be very difficult for a malware to detect where the start up information of the AV is stored.

c) Execution of the Process

In the previous two sections, it has been made fairly difficult for malware to identify and disable the AV; however, there exists a threat that a program may identify the AV by taking a snapshot of the system at any given time and analysing the result to identify the AV. To make it tougher for the malware to disable the AV, code injection is used to move the AV code and libraries from one process space to another.

To achieve this, the scheme described by Kuster (2003) to inject code and a library into another process is used. The user is requested to enter a random sequence every time the machine boots. After a time period ‘x’, the AV process chooses a target process running in the system using the entered value. Once this process is chosen, the libraries and code are injected into it. This process occurs after every ‘x’ period of time; it must be noted that ‘x’ is a value that can be set by the system administrator on every system.

d) Watch Processes

Malicious programs run a system query to identify the AV process. The same technique is used to monitor whether the anti-virus is running on the system or not. A standalone process can monitor whether the AV is disabled, or for better results, ‘N’ different processes can monitor the AV. Each of these monitors the AV process by receiving the name of the AV and the random sequence provided by the user as a start up parameter. These processes locate the AV program in the injected processes with the aid of the random sequence, and restart the program with human supervision in case the AV is disabled. In addition, each process also receives the names of the other ‘N-1’ processes so that every watch process can be monitored. The watch processes also compute and store the hash values of the known good copy of the installed AV software and the modified system library files. Prior to shutdown, the watch processes check if any files have been modified; if so, the user is notified to perform a re-installation of the AV.

This was implemented by using 3 processes to monitor the AV. Each process calls the system API GetProcessId to find whether the AV and the other watch processes are executing. If a watch process is disabled, then it is started immediately. If the AV is disabled, then the user is prompted to start the AV. If the user declines to start the program, the answer is stored in memory to avoid prompting at a later time.

It can be argued that a malware may store the integrity values of all known software, binaries and libraries, and compare these values with the files in a target system to identify the possible presence of the AV. However, the size of such a database would be very large, and computing results would require extremely high storage and computational complexity. Malware is typically a light-weight program designed to work without catching the user’s attention; hence, this technique would be infeasible. This issue is also partially addressed by making the watch processes perform an integrity check during system shut-down.
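To make the watch processes' integrity bookkeeping from section d) concrete, here is an added example in Python. It is not the authors' Windows 2000 implementation (which calls GetProcessId and keeps the hashes inside the watch processes). It takes a baseline of SHA-256 digests for a set of files right after installation and reports, at shutdown time, which of them have been modified or removed. The file names and contents are constructed in a temporary directory; `msgina.dll` is used here only as a file name, nothing is patched on the host.

```python
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Taken once, right after installation, while the machine is still assumed clean
    (the paper's threat model): path -> known-good digest."""
    return {p: file_digest(p) for p in paths}


def check_baseline(baseline: dict) -> dict:
    """Recompute every digest and report what no longer matches.  The paper runs this
    before shutdown; a deployment could also run it on a timer."""
    report = {"modified": [], "missing": []}
    for path, good in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif file_digest(path) != good:
            report["modified"].append(path)
    return report


def demo() -> dict:
    """Constructed scenario in a temp directory: three 'installed' files, then one is
    patched and one deleted before the shutdown check.  Returns the report with base
    names only, so the result does not depend on the temp path."""
    with tempfile.TemporaryDirectory() as d:
        names = ["scanner.exe", "engine.dll", "msgina.dll"]   # constructed names
        paths = [os.path.join(d, n) for n in names]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"known-good contents of " + os.path.basename(p).encode())
        baseline = build_baseline(paths)
        with open(paths[1], "ab") as f:        # simulate a patch appended to the library
            f.write(b"patched")
        os.remove(paths[2])
        report = check_baseline(baseline)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

Where the baseline is stored matters: if it sits on disk beside the files, the same patch that modifies a library can rewrite the stored digest as well, which is why the paper keeps the values inside the watch processes rather than in a file.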

5. Conclusion and Future Work

This paper highlighted the growing problem of malicious programs disabling security software and the need to tackle it. A software based solution was presented to hide the AV program in the system from malware. The solution provided protection from malware that scan the registry entries, file structure, and process table entries for the presence of the AV by installing it as a different program and cloaking its start up information. The solution also provided migration of code to counter malware that may attack the AV program by taking a system snapshot and computing offline results. Finally, multiple watch processes were introduced to monitor the AV and perform some shut down events that are critical to maintaining the integrity of the AV.

As seen in section 1, most malware successfully use the zero day exploit. The reason for this is that AV uses blacklists to identify malicious code. If AV solutions migrate to using a list of known good programs (a white-list), then the zero day exploit can be countered and many viral infections can be prevented. The only argument against usage of white-lists is that there are too many good programs around. However, not all of them are likely to reside on every system. The AV program can scan the system on installation to store a white-list. Every time a new program is detected on the machine, the user can be prompted to identify it. If the user cannot identify the program, it can be discarded or quarantined. A combination of white-lists and blacklists can serve to make consumer computing secure, and should be incorporated in Anti-virus solutions.

Fig. : Design for hiding the Anti-virus from malware

References

• Basili, V.R. and Perricone, B.T. (1984). Software errors and complexity: an empirical investigation. Communications of the ACM, 27, 42-52.

• Cohen, F.B. (1993). Operating system protection through program evolution. Computers and Security, 12, 565-584.

• Schneier, B. (2003). Attack trends: 2004 and 2005. Q focus: security, 3(5), 52-53.

• Nachenberg, C. (1997). Computer virus-antivirus coevolution. Communications of the ACM, 40, 46-51.

• Sanok Jr., D.J. (2005). An analysis of how antivirus methodologies are utilized in protecting computers from malicious code. InfoSecCD ’05, 142-144.

• Naraine, R. (2006). Spam Trojan Installs Own Anti-Virus Scanner. Retrieved Oct. 20, 2006. Website: http://www.eweek.com/article2/0,1895,2034680,00.asp

• The Beast. (n.d.). Retrieved October 13, 2005. Website: http://lists.virus.org/dshield-0310/msg00337.html

• Chen, T.M. (2003). Trends in Viruses and Worms. The Internet Protocol Journal, 6(3), 23-33.

• Sparks, S., & Butler, J. (2005). Shadow Walker: Raising the bar for Windows rootkit detection. Black Hat.

• King, S.T., & Chen, P.M. (2006). SubVirt: implementing malware with virtual machines. Security and Privacy, IEEE, pp. 14-28.

• Rutkowska, J. (2006). Subverting Vista Kernel for Fun and Profit. Black Hat.

• Kc, G.S., Keromytis, A.D., and Prevelakis, V. (2003). Countering Code-Injection Attacks With Instruction-Set Randomization. ACM CCS, 272-280.

• Kuster, R. (2003). Three ways to inject your code into another process. www.codeproject.com


Captcha – A Case for Accessible Design of Information Security Systems

Sambhavi Chandrashekar* & Harish Kumar Kotian**

* 60, Harbord Street, #512C, Toronto (ON) M5S 3L1, CANADA. Email: [email protected]; Reserve Bank of India, Hyderabad. Email: [email protected]
** Reserve Bank of India, 6-1-56, Secretariat Road, Saifabad, Hyderabad-500004, India.

The need to protect resources on the Web from undesirable access through malicious Web robot programs cannot be overemphasized. A popular genre of security solutions is based on tests that try to determine whether the request for resource was initiated by a computer or a human being. CAPTCHA (Completely Automated Turing Test To Tell Computers and Humans Apart) is one such solution. CAPTCHA implementations based on visual recognition of distorted text in an image are easy to deploy and are therefore becoming ubiquitous. However, they pose access barriers to a sizeable population who cannot see due to vision impairment but who can actively access the Web using assistive technology solutions that read out the Web content to them. This paper provides a description of available CAPTCHA solutions, explains how popular implementations based on visual recognition are not universally accessible, suggests available alternatives that are more accessible and finally presents a paradigm of multimodal design as a key to universally accessible

Introduction

Web robots (or bots) are malicious computer programs that attempt to exploit online services intended for human users. They consume resources, harass users, make attempts to guess passwords, steal and re-purpose copyrighted content, and invade privacy by reconstructing sensitive data from public views. Therefore, there is a need for automatic methods to tell whether the entity attempting to access a service is a human or a machine. This is accomplished through a Reverse Turing Test (RTT).

In 1950 Alan Turing raised the question, “Can machines think?” Since then, Turing’s test [16] for artificial intelligence has inspired many algorithms for security solutions. The concept of RTT, first suggested by Naor in 1996 [9], differs from the original Turing test in two respects. First, the test is automatically generated and graded by a computer instead of a human being. Second, the goal of the test is the reverse of the original Turing test, i.e., to differentiate bots from humans, instead of proving that a bot is as intelligent as humans. In other words, humans should be able to pass it with ease, but machines should have a low probability of passing. This has given rise to a new research area called Human Interactive Proofs (HIP), whose goal is to defend services from malicious attacks by differentiating bots from human users.

HIP protocols operate successfully over a network without requiring passwords, biometrics, special mechanical aids, or special training [3].

CAPTCHA (Completely Automated Turing Test To Tell Computers and Humans Apart) is an RTT security solution to counter bots, which uses HIP protocols. Luis von Ahn and his group at the Carnegie Mellon University (CMU) [1] coined this term in 2000. They developed the first CAPTCHA to be used by Yahoo, based on images of text distorted randomly. Concurrent with the CAPTCHA project at CMU, a group at the Georgia Institute of Technology proposed a similar authentication scheme called Mandatory Human Participation (MHP) using a character-morphing algorithm to generate character recognition tests [21]. The term CAPTCHA, however, is used more commonly for such tests. Currently, about 60 million CAPTCHAs are being solved around the world every day [14].

Authentication through CAPTCHA

The four steps to authentication using CAPTCHA are:

(i) Initialization: user expresses interest to be authenticated by the server,

(ii) CAPTCHA Challenge: server generates a challenge and issues it to user,

(iii) User Response: user keys in the right answer and returns it to server,

(iv) Verification: server verifies user response. If it matches the right answer it grants access to user; else it rejects the transaction.

In this authentication scheme, the server asks the question “Are you human?” instead of “Who are you?” and, upon receiving the correct answer to this question, concludes the user to be a human being instead of a computer program. In the case of a visual CAPTCHA, the challenge issued by the server is an image of a morphed character string created through a character morphing algorithm in such a way that a human being won’t have any problem recognizing the original string, while a computer program (such as an Optical Character Recognition program) will not be able to decipher it or make a correct guess with significant probability. Character recognition has been a grand challenge problem that provides an excellent RTT solution readily satisfying security and system requirements. Unfortunately such systems mandate recognition to be done visually, which may not be possible for persons with severe vision impairments.

Given below is a screen shot of a website demanding CAPTCHA authentication.

The website belongs to VFS Global [17], the primary office in India for obtaining visa for travel to the United States. Since it authenticates prospective visa applicants using visual-only CAPTCHA, people who cannot see are prevented from independently applying for a US visa. The theme for this paper, in fact, emerged from a recent personal experience of the second author with this website while making an unsuccessful attempt to complete the US visa application procedure independently. It is interesting to note here that in the United States, all Federal agencies are mandated under Section 508 (29 U.S.C. § 794d) of the Rehabilitation Act “to provide disabled employees and members of the public access to information that is comparable to the access available to others” [21].

Accessibility of CAPTCHA

Accessibility, in the context of human-computer interaction, is an attribute of the interface that denotes to what extent it facilitates the interaction for persons with disabilities. The World Wide Web Consortium (W3C), through its Web Accessibility Initiative (WAI) [19], has provided guidelines for design of Web content in an accessible manner. These guidelines form the basis of regulations in several countries under which it would be a legal offence to have non-conforming content on one’s website. Although it is equally important to make resources on the Web accessible to all people regardless of the type of disability, there is greater discussion about visual disability in the context of Web access. This is because interaction with the Web is predominantly visual and vision impairment results in a significant reduction in ability in this context. Disability, unlike impairment, is not associated with a person but arises when the interaction between a person and the environment results in the inability to do something. Using a wheelchair, for example, may not pose the same degree of disability for Web access as being blind does.

While deploying security solutions on the Web, it would be helpful to consider that people with certain forms of impairment use assistive technologies to enable computer access. A screen reader is an assistive technology used by persons with severe vision impairment to interact with the computer and other technological devices, such as mobile phones. It is a software program that mediates between the user and the operating system/applications and assists in interpreting the user interface. A screen reader can read aloud the content displayed on the screen using a voice synthesizer, or it can provide output to the user through a refreshable Braille display. This way, the program converts the information from visual modality to audio or tactile modality.

Using a screen reader, persons with severe vision impairment are able to access digital material through a computer, including content on the Web. Thus, this way they have independent and easy access to more information today than during the times without a computer when they had to depend on print material to be read out to them or provided to them in Braille format. However, a screen reader can only read text because it is designed to convert the text on the screen into synthesized speech. It can process images only if, while coding the page, the programmer had provided alternative text describing the image to make it accessible. In the case of a visual CAPTCHA, since the screen reader cannot make sense of the image, and since providing alternative text for it will defeat the very purpose of CAPTCHA, persons with vision impairments are practically denied all resources (including services) that are protected using CAPTCHAs, be it visa application, online banking or personal blogs.

It is understandable for Web sites with resources that are too valuable to be compromised to ensure that they can offer their service to individual users without having their content harvested or otherwise exploited by Web robots. These days, however, even smaller sites use technologies such as CAPTCHA. In many cases, these systems make it impossible for some users to create accounts, write comments, or make purchases on these sites because the CAPTCHA fails to recognize them as human. CAPTCHA is now in frequent use in the comment areas of message boards and personal weblogs; any other more accessible method of comment spam control might serve the purpose for smaller Web sites [18].

Accessible systems ensure that all users can use them. Security solutions using CAPTCHA are based on the ability to respond to computing questions. However, all human beings may not be able to respond in a standard manner to a computing question. It is possible that some people are devoid of some physical, sensory or cognitive functionality due to impairment or due to environmental factors in a manner that restricts their computing capability. Information security solutions are sometimes designed without consideration for such restrictions, possibly because most designers are capable of unrestricted computing capability and, in the absence of other inputs, designers can be expected to design only for themselves.

According to the W3C report on “Inaccessibility of CAPTCHAs” [18], banking site ING Direct’s “PIN Guard” uses a visual keypad to associate letters on the keyboard with numbers in a user’s pass code. Users who cannot see the code, or understand the juxtaposition of letters and numbers, would be unable to access their own financial data on this site. Even though such problems appear to be insurmountable, designing to accommodate differing abilities may not always be difficult or impossible. As an example, if we consider the popular security measure of automatic transaction session expiry after a given short period of time, this might not afford the required time to complete the transaction for a person with motor difficulties. However, if data relating to special needs are also accepted at the time of creating the login profile, it may not be technically unfeasible to provide a longer session time based on the individual’s login profile and it will make the system more accessible.

Alternatives to visual CAPTCHA

The W3C Note on “Inaccessibility of CAPTCHA” [18] examines several potential ways of testing, in a manner accessible to all people, that users are human and not bots. But not all of them may be commercially feasible. The CMU CAPTCHA website offers another Web-based service called reCAPTCHA [15], which provides an alternative test based on sound recognition. Audio CAPTCHAs ask users to type back a sequence of characters that is read over a noisy background. The PayPal and Google websites, for example, enable audio as well as visual testing. While PayPal provides the same set of characters both for visual and audio testing, Google provides a set of characters for the visual test and a set of numbers for the audio test.
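A server-side sketch of the four-step scheme described under “Authentication through CAPTCHA”, combined with two points this article makes about accessible deployment: the same character string is rendered for both the visual and the audio test (as PayPal does), and the answering window is drawn from special-needs data in the user’s login profile. This is an added example, not code from the paper; the class names, timeouts, alphabet and rendering stand-ins are assumptions.

```python
"""Added example, not code from the paper: the four-step CAPTCHA flow
(initialization, challenge, response, verification) on the server side,
with a multimodal challenge and a per-profile answering window. Names,
timeouts and the rendering stand-ins are assumptions of this example."""
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed alphabet without easily confused glyphs (no 0/O, 1/I/l).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Spoken forms used by the audio modality (NATO alphabet and digit names).
SPOKEN = dict(zip("ABCDEFGHJKLMNPQRSTUVWXYZ",
                  ["ALFA", "BRAVO", "CHARLIE", "DELTA", "ECHO", "FOXTROT",
                   "GOLF", "HOTEL", "JULIETT", "KILO", "LIMA", "MIKE",
                   "NOVEMBER", "PAPA", "QUEBEC", "ROMEO", "SIERRA", "TANGO",
                   "UNIFORM", "VICTOR", "WHISKEY", "XRAY", "YANKEE", "ZULU"]))
SPOKEN.update({"2": "TWO", "3": "THREE", "4": "FOUR", "5": "FIVE",
               "6": "SIX", "7": "SEVEN", "8": "EIGHT", "9": "NINE"})


def render_visual(answer: str) -> dict:
    """Stand-in for the character-morphing image generator: describes the
    image a real deployment would rasterise (a real one returns only pixels)."""
    return {"type": "image/png", "text": answer, "distortion": "random-warp"}


def render_audio(answer: str) -> dict:
    """Stand-in for the audio rendering: the sequence a text-to-speech engine
    would read out over background noise."""
    return {"type": "audio/wav", "spoken": [SPOKEN[c] for c in answer]}


@dataclass
class Challenge:
    answer: str        # kept server-side; the client receives only renderings
    issued_at: float
    ttl: float


class CaptchaServer:
    def __init__(self, default_ttl=60.0, extended_ttl=300.0, clock=time.time):
        self.default_ttl = default_ttl
        self.extended_ttl = extended_ttl
        self.clock = clock       # injectable so the flow can be exercised offline
        self.pending = {}        # challenge id -> Challenge

    def initialize(self, profile: dict) -> float:
        """Step (i): the user asks to be authenticated. The login profile,
        which the paper proposes should record special needs, selects the
        answering window (assumed profile key: needs_extra_time)."""
        if profile.get("needs_extra_time"):
            return self.extended_ttl
        return self.default_ttl

    def issue_challenge(self, profile: dict):
        """Step (ii): generate one secret and render it in both modalities so
        the user may choose either without changing what is verified."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = Challenge(answer, self.clock(), self.initialize(profile))
        return cid, {"visual": render_visual(answer), "audio": render_audio(answer)}

    def verify(self, cid: str, response: str) -> bool:
        """Step (iv): check the keyed response from step (iii). A challenge is
        single-use and expires after its ttl; comparison is constant-time."""
        ch = self.pending.pop(cid, None)   # pop first: one attempt per challenge
        if ch is None or self.clock() - ch.issued_at > ch.ttl:
            return False
        return hmac.compare_digest(ch.answer.encode(),
                                   response.strip().upper().encode())


if __name__ == "__main__":
    server = CaptchaServer()
    cid, modalities = server.issue_challenge({"needs_extra_time": True})
    print("audio challenge reads:", " ".join(modalities["audio"]["spoken"]))
    print("verified:", server.verify(cid, modalities["visual"]["text"]))
```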

However, going by the large number of websites using visual CAPTCHA, the awareness about, or inclination to use, audio-visual CAPTCHA appears to be minimal among those who implement CAPTCHA on their websites, although the CMU CAPTCHA website [14] has the following posting recommending implementation of accessible CAPTCHAs:

“CAPTCHAs must be accessible. CAPTCHAs based solely on reading text, or other visual-perception tasks, prevent visually impaired users from accessing the protected resource. Such CAPTCHAs may make a site incompatible with Section 508 in the United States. Any implementation of a CAPTCHA should allow blind users to get around the barrier, for example, by permitting users to opt for an audio CAPTCHA”.

In the context of audio CAPTCHA, Kochanski, Lopresti, & Shih [7] have proposed an RTT based on speech. This uses a test that depends on the fact that human recognition of distorted speech is far more robust than automatic speech recognition techniques. This system uses text-to-speech synthesis (TTS) to generate tests, and exploits the limitations of state-of-the-art automatic speech recognition (ASR) technology. Human perception of speech in noisy environments is fairly robust. Normal-hearing listeners need a signal-to-noise ratio (SNR) of approximately 1.5 dB to recognize speech [13], while ASR systems require a much more favorable SNR of 5 to 15 dB [21].

Fig 2. Paypal audio-visual CAPTCHA

Researchers on RTTs have reported other solutions based on facial features and handwriting, both of which are based on visual recognition. ARTiFACIAL (Automated Reverse Turing test using FACIAL features) [11] is based on recognition of facial features in an image and clicking on different points on the face. The Handwritten CAPTCHA system by Rusu and Govindaraju [12] provides snippets of handwritten words in image form and exploits the differential in the proficiency between humans and computers in reading handwritten word images.

Another alternative, though futuristic, is based on collaborative filtering. While the CAPTCHAs deployed currently are based on objective questions such as text recognition or image recognition, this new class of CAPTCHAs proposed by Chew and Tygar [6] works through collaborative filtering. They ask questions that have no absolute answer and are graded by comparison to other people’s answers. Collaborative filters, or recommender systems, use a database of user preferences to predict items or topics a new user might like or find useful, such as how Amazon makes recommendations. Here the user is correct so long as enough known humans agree. Collaborative filtering is a way to aggregate data from many different human users so that new data can be easily compared.

Designing universally accessible information technology solutions

The aim of universal accessibility is to produce systems that can be used by anyone, irrespective of their physical, sensory and cognitive abilities and disabilities. During the design of universally accessible information technology solutions, the special computing needs of various user groups have to be taken into consideration. These needs are associated with various factors, including speech, motor, hearing, and vision impairments, cognitive limitations, emotional and learning disabilities, as well as aging. Environmental factors could also cause similar special needs. A person working on a computer that has no sound card would need captions on videos as much as a person with profound hearing loss would. Likewise, a person accessing directions from a GPS system while driving would need speech output as much as a person with vision impairment would.

Thus, special needs with reference to information technology arise out of the inability to interact with the computer through certain modalities and they manifest as the need for interaction through alternative modalities. The three modalities currently used to interact with computers are visual, audio and tactile and these can be mapped to the input and output devices of a computer as given in Table 1.

Again, special needs result due to restrictions in computing capability because of the effect of some impairment (or environmental condition) [5]. The relationship between impairments, the resulting restrictions in computing capability and the special needs that derive therefrom are summarized in Table 2.

This information can provide a basis for design decisions involving human-computer interaction. It could be included in user login profiles or even used as metadata about user interfaces. A system could accommodate different disabilities by enabling interaction through any chosen modality. Affording interaction in alternative modalities essentially means adopting a multimodal design paradigm.

Conclusion

It is widely accepted that the problems of spam and bots have become a nuisance and must be defended against. Whereas individual anti-spam preventive measures and email address filtering may be used as short-term solutions, there is a definite need for more effective solutions such as CAPTCHAs. While this paper recognizes the importance of existing security solutions, it attempts to provide a perspective about the implications of some current designs with reference to disabilities and emphasize the importance of multimodal design in this context. Viewing disabilities in terms of restrictions to computing capability could help designers to work with a set of rules to create more accessible information technologies. Technologists have a social responsibility to design universally accessible solutions.

Designing and deploying multimodal solutions for systems involving human-computer interaction will go a long way in meeting this responsibility because multimodal design promotes universal accessibility [10].

The Web is for all. In the words of Tim Berners-Lee, the father of the World Wide Web, “As we move towards a highly connected world, it is critical that the Web be usable by anyone, regardless of individual capabilities and disabilities”.

Acknowledgements

The authors wish to place on record their sincere thanks to the Guest Editor for providing an opportunity to present a point of view from the human angle about information security solutions involving human-computer interaction.

Table 1. Modalities associated with computer input/outputs

Modality   Input to computer   Output from computer
Visual     Mouse               monitor
Audio      microphone          speakers
Tactile    Keyboard            refreshable Braille displays

References

[1] Ahn, L. V., Blum, M., & Langford, J. Telling Humans and Computers Apart (automatically) or How Lazy Cryptographers do AI. Technical Report TR CMU-CS-02-117, February 2002.

[2] Amedi, A., Raz, N., Pianka, P., Malach, R., & Zohary, E. Early ‘visual’ cortex activation correlates with superior verbal memory performance in the blind. Nature Neuroscience, 6(7), 758–66, July 2003.

[3] Baird, H., & Popat, K. Human interactive proofs and document image analysis. Proceedings of the IAPR 2002 Workshop on Document Analysis Systems, 2002.

[4] Chan, N. “Abstract of sound oriented CAPTCHA,” in Proc. of the Workshop on Human Interactive Proofs, Palo Alto, CA, January 2002, p. 35.

[5] Chandrashekar, S. Accessibility vs. Usability - where is the dividing line? MSc Thesis, University College London, London, United Kingdom (unpublished), 2005.

[6] Chew, M., & Tygar, J. D. Collaborative Filtering CAPTCHAs. Lecture Notes in Computer Science, Springer: Berlin / Heidelberg, 2005.

[7] Kochanski, G., Lopresti, D., & Shih, C. A reverse Turing test using speech. Proceedings of the International Conference on Spoken Language Processing, September 2002.

[8] Lopresti, D., Shih, C., & Kochanski, G. “Human interactive proofs for spoken language interfaces,” in Proc. of the Workshop on Human Interactive Proofs, Palo Alto, CA, January 2002, pp. 30–34.

[9] Naor, M. “Verification of a human in the loop or Identification via the Turing Test”, unpublished manuscript, 1996. Online version available at: http://www.wisdom.weizmann.ac.il/~naor/PAPERS/human.ps

[10] Obrenovic, Z., Abascal, J., & Starcevic, D. Universal access as a multimodal design issue. Communications of the ACM, Volume 50, Issue 5 (May 2007), 83–88, 2007.

[11] Rui, Y., & Liu, Z. ARTiFACIAL: Automated Reverse Turing Test Using Facial Features. Proceedings of the 11th ACM International Conference on Multimedia, November 2003.

[12] Rusu, A., & Govindaraju, V. Handwritten CAPTCHA: using the difference in the abilities of humans and machines in reading handwritten words. Proceedings of the 9th Int’l Workshop on Frontiers in Handwriting Recognition (IWFHR-9 2004), 226–231, 2004.

[13] Stuart, A., & Phillips, D. P. “Word recognition in continuous and interrupted broadband noise by young normal-hearing, older normal-hearing, and presbyacusic listeners,” Ear & Hearing, vol. 17, pp. 478–489, 1996.

[14] The CAPTCHA project, http://www.captcha.net/ (last accessed on June 30, 2007).

[15] The reCAPTCHA project, http://recaptcha.net/ (last accessed on June 30, 2007).

[16] Turing, A. Computing machinery and intelligence. Mind, pp. 433–460, 1950.

[17] VFS Global India website, https://www.vfs-usa.co.in/Home.aspx (last accessed on June 30, 2007).

[18] W3C report on “Inaccessibility of CAPTCHA”, http://www.w3.org/TR/turingtest/ (last accessed on June 30, 2007).

[19] Web Accessibility Initiative (WAI), http://www.w3c.org/WAI (last accessed on June 30, 2007).

[20] Woudenberg, E., Soong, F. K., & West, J. E. “Acoustic echo cancellation for hands-free ASR applications in noise,” in Proc. of the Workshop on Acoustic Echo and Noise Control, 1999, pp. 160–163.

[21] Section 508, http://www.section508.gov/ (last accessed on June 30, 2007).

[22] Xu, J., Lipton, R., Essa, I., Sung, M., & Ahu, Y. Mandatory Human Participation: A New Authentication Scheme for Building Secure Systems. Proceedings of the 12th International Conference on Computer Communications and Networks (ICCCN 2003), 547–552, 2003.

About the authors

Sambhavi Chandrashekar is a Deputy General Manager with the Reserve Bank of India, currently on study leave and pursuing Ph.D. program with the Faculty of Information Studies, University of Toronto, Canada. She has a Masters degree in Chemistry from the Indian Institute of Technology, Madras and a second Masters degree in Human-Computer Interaction and Physical Ergonomics from University College London, U.K. Her research interests focus on inclusive design of information technologies. She also works with the Adaptive Technology Resource Centre associated with the University of Toronto on projects aimed at making the World Wide Web a more inclusive domain. She has presented several research papers at conferences in the United States, Canada, Europe and the United Kingdom.

Harish Kumar Kotian is a Manager with the Department of Information Technology, Reserve Bank of India in Hyderabad. Commencing his work with computers in 1983, when assistive technology was not available locally, he became the first blind programmer in the country. In 2005, he received the Helen Keller award from the President of India. He is Ex-president of Blind Graduates Forum of India and a member of the syllabus committee on computer training for the National Institute for Visually Handicapped. In March 2007, he presented a paper at the 22nd Annual CSUN Technology and Disabilities Conference in Los Angeles, CA, on technology use in India by persons with vision impairments.

CSI Elections-2007

CSI Elections for the various elected offices for 2007-08 are scheduled to be conducted in November/December 2007 by Electronic Ballots as in the past 2 years. To ensure successful conduct of these online elections, all voting members of CSI are requested to communicate their current email address to CSI HQ ([email protected]) latest by 30th September, 2007.


Information Security Auditing

R Anusooya, S A V Satya Murty, S Athinarayanan, P Swaminathan

Indira Gandhi Centre for Atomic Research, Kalpakkam. E-Mail: [email protected]

1. Introduction

The last three decades have seen a phenomenal growth in the utilization of computers in various important services and information handling. With the increase in the number of computers, their networking has become a necessity for access to servers and for the dissemination of information. During the same period the internet has grown beyond everybody’s forecast, and is being used beyond everybody’s imagination. Though the technological progress is widely appreciated, the misuse of the internet in gaining access to unauthorized information is assuming alarming proportions.

This necessitates a comprehensive methodology to secure information for confidentiality, integrity and availability. Towards this, many security mechanisms are implemented: in the router, through the firewall, in the intrusion detection system and at the host level. However, new security vulnerabilities are found on a regular basis in kernels, services, protocols, application packages etc. These vulnerabilities have to be plugged at the earliest to continue to be secure. To ensure the security of the various servers and systems, the security has to be assessed through proper audit tools. Hence security auditing plays an important role in security implementation to ensure information security.

2. Security Auditing

2.1 Measuring Security

Security Auditing is a process of ensuring the Confidentiality, Integrity and Availability of an organization’s information. Network Security Auditing should be integrated into an organization’s security program to evaluate system security mechanisms and validate that systems are operating according to the organization’s security policies and system security requirements. The primary reason for auditing is to identify potential vulnerabilities and subsequently correct them. Auditing allows an organization to view its network the same way an attacker does, as well as to accurately assess its systems’ security position. There are many commercial and freeware security auditing tools available for measuring the effectiveness of the security.

2.2 Key Elements of Security Strategies

Every organization would frame its own security policies according to its needs. To meet its requirements and to protect its resources from any threats, it should follow security strategies. There are five key elements of a robust security strategy. They are:

1. Policies – Clear security policies that are consistent with the business objectives of the organization. The security policy should be drafted according to the goals of the organization and disseminated to all the employees of the organization. It should be followed by all without any exception.

2. Plans – After making the security policy, the methodology to implement it should be clearly worked out. The security infrastructure should be designed to protect and support all resources in the network, including wireless LAN devices.

3. Products – The key technologies, products and services required to execute the plan and meet the security objective of the organization should be identified. They should be deployed in such a way that they provide the appropriate levels of security, performance, scalability and quality of service.

4. Processes – Deployment of security technologies must be supported by continuous monitoring, testing and adaptation of the network.

5. People – Skilled security administrators should manage these continuous Plans, Products and Processes.

By considering the above security strategies, security auditing has to be done periodically to ensure the effectiveness of the enterprise network security. It is a continuous process and should be done without fail. If any new changes are made to the network setup or at the host level, security auditing should be done before placing it on the network. In the following sections we will see briefly the security auditing methodologies, the technologies used by security auditors for auditing a system, and security audit tools and their usage.

3. Audit Methodology

Auditing encompasses a wide variety of different activities, which include executing audit programs, recording of event data, examination of data, the use of event alarm triggers, and log analysis. After identifying any events or occurrences in the system, alarms or triggers should be sent to the administrators for further testing and verification. A report can be generated after analyzing these events and necessary actions should be taken according to that report. The following picture shows the Audit Methodology.

Audit Methodology (figure): System Identification and data gathering → Testing and Verification → Report Generation and Analysis


4. How do we do Security Auditing?

Security Auditing should always be done with the latest version of Security Audit Tools. These tools may be commercially available or freeware as free download from the Internet. Before an Auditor begins Security Auditing, he should have a thorough knowledge about the Policies of the Organization, the Organization’s network setup and the application packages running in the servers.

After making a thorough study of all the above things, the Auditor should decide whether he is going to conduct In-house Auditing or Penetration test Auditing. These techniques will be discussed in the following section.

5. Security Auditing Techniques

Security Auditing Techniques are classified as
1. In-House Auditing
2. Penetration Testing

5.1 In-house Auditing: Administrator initiated and conducted

This kind of Auditing is initiated by the Auditor in compliance with the security policies of the Organization. It should be done from inside the campus network, from any of the LANs, auditing the whole network. There are numerous Security Audit Tools available for doing this kind of auditing. If any security violations are found during auditing they will be intimated to the System Administrator for further action. Such actions will improve the Network and Information security of the Organization.

5.2 Penetration Testing

If the system is highly complex or critical, Penetration testing can be planned to evaluate the security. This is done by initiating the whole network auditing from outside the campus network. The purpose of penetration testing is to identify the methods of gaining access to a system by using tools and techniques developed by hackers.

Penetration testing is done in two ways:
1. Overt - Blue teaming
2. Covert - Red teaming

5.2.1 Blue Teaming

In blue teaming, the team gives prior information about the Security Auditing. Reports of this team will be sent to the System Administrators for further improvement of the network information security.

5.2.2 Red Teaming

Reports of this team will also be sent to the System administrator, but they will conduct the security auditing without any prior intimation to the Organization. They will have their own security Audit tools for doing this kind of Auditing.

5.3 Phases of Penetration testing

There are three phases involved during penetration testing. They are:
1. Reconnaissance
2. Scanning
3. Vulnerability Testing

5.3.1 Reconnaissance

The art of gaining preliminary information about the target host or network is known as reconnaissance. This can be accomplished by visiting the target web sites or using any other public resources of an organization. There are various tools used for gaining this kind of information; some of them are mentioned here:
a) nslookup / dig
b) whois
c) Target Web Site

5.3.2 Scanning

After gaining enough information about the target host(s) or network, the next step in penetration testing is to scan the entire Network or hosts. This scanning process can give important information such as open ports of the servers, available services and applications on hosts or network appliances and the version of the operating system or application. Some of the common tools used for scanning are mentioned below:
a) Telnet (can report information about an application or service; i.e., version, platform)
b) Nmap (powerful tool available for Unix that finds ports and services available via IP)
c) Hping2 (powerful Unix based tool used to gain important information about a network)
d) Netcat (others have quoted this application as the “Swiss Army knife” of network utilities)
e) Ping (available on almost every platform and operating system to test for IP connectivity)
f) Traceroute (maps out the hops of the network to the target device or system)
g) Queso (can be used for operating system fingerprinting)

5.3.3 Vulnerability testing

Vulnerability testing is used to determine the security holes and vulnerabilities in the target network or host(s). The Security Auditor will identify machines within the target network with all open ports as well as running applications, including the operating system, patch level, and service pack applied.

After successful scanning via nmap or other scanning tools, the vulnerability testing phase is started. Nmap, a scanning tool, will identify whether the host is alive or not and what ports and services are open and running, even if ICMP is completely disabled on the target network. Vulnerability scanners will identify if any security holes are found in the target host(s) or Network and also the solutions to rectify them.

Some of the best vulnerability scanners like Nessus and SARA are available as a free download from the Internet and ISS is a commercial product for vulnerability testing. We will see the detailed description of some of these tools in the coming sections.

6. Security Audit Tools

There are wide varieties of security tools available in the market and on the Internet for conducting a Security Audit. Classification of those tools is shown below.

Types of Security Audit Tools (figure)

6.1 Network Mapping Tools

Network mapping involves a test using a port scanner. This scanner identifies all active hosts connected to an organization’s network, the network services operating on those hosts, specific applications running on those hosts etc. Some commonly used tools are mentioned below. They are freeware products, available as downloads from the internet, or they may be commercial ones.

Some of the Freeware products used for network mapping are:
a) NMAP
b) Superscan

Some of the Commercial products used for network mapping are:
a) Solarwinds
b) GFI LAN GUARD

6.1.1 NMAP

Nmap is a powerful, flexible, free, open-source port scanner available for both UNIX and Windows. Nmap is used to find out what services are listening on each specific port, and for fingerprinting, which gives an idea of what operating system the machine is running. It has a graphical front-end, NmapFE, and supports a wide variety of scan types. The following section shows how to install Nmap and some of the scan types used by Security Auditors.

Nmap software can be downloaded freely from the following site http://insecure.org/nmap/download.html. Nmap and NmapFE (front-end) are available in the following formats: Tar ball format, in Gunzip format or in RPM format.

On UNIX platforms install the RPM files using the following commands:

    # rpm -ivh nmap-4.20-1.i386.rpm
    # rpm -ivh nmap-frontend-4.20-1.i386.rpm

The two basic scan types used most in Nmap are:
1. TCP connect() scanning [-sT] and
2. SYN scanning (also known as half-open, or stealth scanning) [-sS].

Other scan types commonly used are FIN, Null, Xmas Tree scans, Ping Scan and UDP Scan [-sF, -sN, -sX, -sP, -sU]. The FIN scan sends a packet with only the FIN flag set, the Xmas Tree scan sets the FIN, URG and PUSH flags and the Null scan sends a packet with no flags switched on. Ping scan lists the hosts within the specified range that respond to a ping. UDP Scanning is used for finding out the open UDP ports.

Example of a SYN scan:

[root@Auditpc root]# nmap -sS 192.168.1.10

The above run of Nmap (Fig. 1) shows that the machine has open ports for ftp, ssh, telnet, http, https, etc., which means all of those services are running on the machine. Other scan types can be run in the same way using their respective options.
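The connect() scan that -sT performs can be shown without Nmap at all. The following added example (written for this edit; it is not code from the original article or from Nmap) implements it in Python: it opens a throw-away listener on 127.0.0.1 so the scan has a known open port to find, probes a small range of neighbouring ports in parallel, and classifies each as open, closed or filtered, the same three states Nmap reports. The port range and the service-name table are assumptions made for the demo. Unlike a SYN scan, every probe here completes the three-way handshake, so the target service sees and may log a connection; that is the trade-off between -sT and -sS described above.

```python
"""TCP connect() scan, the mechanism behind 'nmap -sT'.

Added example, not code from the original article or from Nmap. A
throw-away listener on 127.0.0.1 gives the scan something to find, so it
runs offline. Only scan hosts you are authorised to test."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Assumed well-known service names for the ports named in the article's Fig. 1.
SERVICE_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "https"}


def probe(host, port, timeout=0.5):
    """One full three-way handshake. connect() succeeding means 'open', an
    immediate RST (ConnectionRefusedError) means 'closed', and no answer
    within the timeout means 'filtered', the three states Nmap reports."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # includes socket.timeout
            return "filtered"


def connect_scan(host, ports, workers=32):
    """Probe the given ports in parallel and return {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(ports, pool.map(lambda p: probe(host, p), ports)))


def open_ports(host, ports):
    """Sorted list of the ports reported 'open'."""
    return sorted(p for p, st in connect_scan(host, ports).items() if st == "open")


def start_listener(host="127.0.0.1"):
    """Bind an ephemeral port and accept (and drop) connections in the
    background so that a connect() against it completes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # raised once srv is shut down
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo():
    """Scan the listener's port plus three neighbours on each side.
    Returns (listener_port, open_ports_found)."""
    srv, port = start_listener()
    try:
        return port, open_ports("127.0.0.1", range(port - 3, port + 4))
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        srv.close()


if __name__ == "__main__":
    listener, found = demo()
    for p in found:
        print(f"{p}/tcp open  {SERVICE_NAMES.get(p, 'unknown')}")
```

Run it as a script: the listener's port is reported open and its neighbours closed. Replace the loopback address and range with a host you are authorised to test to use it as a minimal -sT substitute.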

6.2 Perimeter Security Tools

Routers are devices designed to provide connectivity between an organization's networks and its service provider through proper routing. Since the router represents an entry point into the network, it is important to implement security mechanisms on the router. For measuring the security level of a router, many router audit tools are available in the market. One of the freely available tools is the Router IOS Benchmark tool from the Center for Internet Security.

6.2.1 CIS Router IOS Benchmarking Tool

The Center for Internet Security provides a free benchmark and scoring tool to improve the security mechanisms of the router. The benchmark and the related scoring are intended as aids to risk analysis and mitigation. The recommendations and the tool should be applied only after a thorough understanding of the organization's goals and of how the technologies are applied to meet those goals. It is a good tool for analyzing router configuration, and it is a passive test tool: it examines a saved copy of the configuration rather than probing the live device.

The important points that the CIS Router IOS Benchmarking tool checks are:
1. Analyzes the router policy of the organization
2. Identifies the OS version
3. Ensures that fixes for any known vulnerabilities, or patches posted by the vendor, are applied
4. Ensures that adequate filtering is configured using ACLs
5. Verifies that passwords for all interfaces are set, strong and stored encrypted
6. Ensures that unnecessary network services and interfaces are disabled

6.3 Vulnerability Scanning Tools

Vulnerability assessment scanners help in identifying out-of-date software versions, vulnerabilities, applicable patches or system upgrades, etc. They work from a database of known vulnerabilities, so they can only find what is already in that database.

Vulnerability assessment scanners are either a) host based or b) network based.

Some of the common vulnerability assessment scanner tools are mentioned below: a) ISS b) SARA c) Nessus

6.3.1 Internet Security Systems (ISS) – Internet Scanner

Internet Security Systems provides the Internet Scanner software, which minimizes risk by identifying the security holes, or vulnerabilities, in the network so that they can be plugged. It allows auditors to customize policy-based scanning of the network.

6.3.2 SARA – Security Auditor's Research Assistant

SARA is a freeware vulnerability assessment tool which finds security holes in hosts. It is available for both UNIX and Windows platforms. SARA's support for the CVE (Common Vulnerabilities and Exposures) standard is very useful in identifying the security holes of a host and the remedies to rectify them.

6.3.3 Nessus

Nessus is a freely downloadable vulnerability assessment scanning tool. It is a client/server program: the server process does the scanning and vulnerability assessment testing, and the client user interface retrieves the data from the server and generates reports. Nessus is the most frequently used tool of this kind. The detailed installation and testing procedure is given below.

The generated report contains detailed information on the discovered vulnerabilities and guidance on rectifying them. Scanners can have a high false-positive rate, so the results must be assessed and interpreted by a qualified person such as a security engineer or security auditor, and confirmed by hand before remediation is scheduled.

Fig. 1

Nessus Server Installation

One of the features of Nessus is its client/server architecture. Servers can be placed at different locations in a network and allowed to perform various tests, while a single client or multiple clients at different locations can control all the servers. The server portion is available only for flavors of Unix, but the client portion is available for both Unix and Windows. The Nessus server performs the actual testing while the client provides configuration and reporting functionality.

Before installing or upgrading the package, stop the nessusd service with the following command:

killall nessusd

This kills all nessusd processes and stops any ongoing scans.

Then install Nessus with the package appropriate to the OS version, for example:

rpm -ivh Nessus-3.0.3-es3.i386.rpm

Once the upgrade is complete, restart the nessusd service with:

/opt/nessus/sbin/nessusd -D

Nessus Client Installation

Before a client can connect, a user must be added on the server with the nessus-adduser command (or nessus-add-first-user when no user exists yet). Authentication of the user is performed simply with the password given for the user. Rules restricting which hosts the user account may scan can be configured, or left blank. A certificate also needs to be generated to encrypt the traffic between the client and server; the nessus-mkcert command accomplishes this. The following shows how to add the first user:

/opt/nessus/sbin/nessus-add-first-user
Add a new nessusd user
Login : admin
Password : ***********
DN :
Rules :
Is that ok ? (y/n) [y] y
user added.

Now start Nessus by typing:

/opt/nessus/sbin/nessusd -D

The following command is used for creating the client certificate:

/opt/nessus/bin/nessus-mkcert-client

Starting a Nessus Scan

After connecting the Nessus client to the server, check the different plugins available in the Plugins tab.

Use the Filter button to search for specific plugin scripts. For example, it is possible to search for vulnerability checks that have a certain word in their description, or by the CVE name of a specific vulnerability. Then click "Enable all plug-ins" or "Enable all but dangerous plug-ins". There are instances where a plug-in causes a denial of service even though it is not listed as dangerous, so be cautious when selecting plug-ins for production hosts and agree a scan window with the system owners.

The typical Nessus client window while connecting to the Nessus server is shown in Fig. 2.

After connecting to the server, scanning will start. Fig. 3 shows the scanning screen of the Nessus client.

Generating Reports

After scanning is finished, reports can be saved in a variety of formats such as HTML (with or without graphics), XML, LaTeX, ASCII and NBE (Nessus BackEnd). In the report, items with a light bulb next to them are notes or tips for improving the security of the hosts or network. Items with an exclamation mark next to them are security warnings raised when a mild flaw is detected. Items with the no-entry symbol next to them indicate a severe security hole. Remediation of the hosts or network should be prioritized according to the severity of the warnings and holes.

Fig. 4 shows the Nessus report for a host.

6.4 System Benchmarking Tools

Benchmarks are designed to make it possible to compute an overall security score for each system. This can be done manually or with the aid of a scoring tool. The Center for Internet Security provides scoring tools which are available from the Internet free of cost. They cover many types of OS such as AIX, Linux, Windows, etc.

6.4.1 CIS Benchmarking Tools – for Linux, Windows, etc.

This is a passive tool executed at the host level for identifying weaknesses and improving the security of the system once they are plugged. It shows the loopholes in the OS configuration and gives recommendations, which we then use to configure our systems securely. It produces a score on a scale of up to 10; the higher the score, the more secure the configuration.

Fig. 2

6.5 Password Cracking Tools

Password cracking programs are useful for identifying weak passwords. Weak passwords are a common entry point for attackers, so a strong password should be used on every system in the network. One-time passwords, encrypted password storage and fingerprint authentication should be used in the network to improve security.

Password cracking proceeds in two steps:
1. obtain the password hashes (for example from /etc/shadow or a SAM dump), then
2. let an automated password cracker rapidly generate hashes of candidate passwords until one matches a stolen hash.

The following are the two usual ways of generating the candidates:
a) Dictionary attack - uses all the words in a dictionary or text file. This is the fastest method.
b) Hybrid attack - builds on the dictionary method by appending numeric and symbol characters to the dictionary words (e.g. summer07, welcome!).

A pure brute-force search over the whole character set is also possible but is far slower, which is why dictionary and hybrid modes are tried first.
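The two candidate-generation strategies above, as an added worked example (this is not code from the article and not John the Ripper): a small cracker in Python that runs a dictionary pass and then a hybrid pass against a constructed "shadow" file. The hash scheme (SHA-256 over salt and password), the word list and the three user records are assumptions made for the demo; real password files use crypt(3) formats such as sha512crypt, or NT hashes, which the tools named below handle natively. Because each record carries its own salt, every candidate has to be hashed once per user, which is what makes salting expensive for the attacker.

```python
"""Dictionary and hybrid password cracking against salted hashes.

Added example, not from the article and not John the Ripper. The hash
construction, word list and 'shadow' records are all constructed for the
demo; real systems use crypt(3) formats (sha512crypt, bcrypt) or NT hashes."""
import hashlib


def hash_password(salt: str, password: str) -> str:
    """Assumed scheme for the demo: hex(SHA-256(salt || password))."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed word list standing in for a dictionary file.
WORDLIST = ["password", "letmein", "summer", "welcome", "dragon"]


def hybrid_candidates(word):
    """Hybrid rules: case variants of the word, then each variant with a
    single digit, two digits or a symbol appended."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in range(10):
            yield f"{base}{n}"        # summer7
        for n in range(100):
            yield f"{base}{n:02d}"    # summer07
        for sym in "!@#$":
            yield f"{base}{sym}"      # summer!


def candidates(wordlist, hybrid):
    """Dictionary mode yields each word once; hybrid mode expands it."""
    for word in wordlist:
        if hybrid:
            yield from hybrid_candidates(word)
        else:
            yield word


def crack(records, wordlist, hybrid=False):
    """records: iterable of (user, salt, hash). Returns ({user: password},
    number_of_hashes_computed). The per-user salt forces a fresh hash for
    every account, so the work grows with the number of accounts too."""
    cracked, attempts = {}, 0
    for user, salt, target in records:
        for cand in candidates(wordlist, hybrid):
            attempts += 1
            if hash_password(salt, cand) == target:
                cracked[user] = cand
                break
    return cracked, attempts


def make_shadow():
    """Constructed sample 'shadow' file with three password strengths."""
    chosen = {
        "alice": ("k3Qz", "password"),     # plain dictionary word
        "bob":   ("9rLp", "Summer07"),     # dictionary word + hybrid rule
        "carol": ("Vt2m", "x9$Kq!vT2pL"),  # random: survives both passes
    }
    return [(u, salt, hash_password(salt, pw)) for u, (salt, pw) in chosen.items()]


if __name__ == "__main__":
    shadow = make_shadow()
    for mode in (False, True):
        found, n = crack(shadow, WORDLIST, hybrid=mode)
        print(f"{'hybrid' if mode else 'dictionary'}: {found} after {n} hashes")
```

The dictionary pass recovers only alice's password; the hybrid pass also recovers bob's "Summer07" at the cost of hundreds of times more hashes, and carol's random password survives both, which is the point of the strong-password advice above.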

The following are the commonly used password cracking tools: a) L0phtCrack b) John the Ripper

6.5.1 John the Ripper

John the Ripper is a fast password cracker. It is available for many flavors of Unix, DOS and Windows. Its primary purpose is to detect weak Unix passwords.

Compilation of John the Ripper:

Compile the source code distribution of John using the make command. Running make with no target prints the list of operating systems for which specific support exists. If the system is not listed, the following command is used:

make clean generic

This creates the executables for John and its related utilities under the "run" directory. John the Ripper's self-test can then be started with:

cd ../run
./john --test

Running John the Ripper:

To run John the Ripper, a password file must be supplied and a cracking mode may be specified. For example, if "passwd" is a copy of the password file (on systems with shadow passwords, first combine the two files with unshadow /etc/passwd /etc/shadow > passwd), the following command runs John against it:

john passwd

Cracked passwords are printed to the terminal and saved in the file $JOHN/john.pot ($JOHN is John's home directory).

To retrieve the cracked passwords later, run:

john --show passwd

In this way all the weak passwords can be found easily.

6.6 Trojan / Backdoor / Rootkit Analysis Tools

These tools are used for analyzing any Trojan or backdoor activity found in the system. Some of the commonly available tools are mentioned below: a) chkrootkit b) Anti-Trojan

6.6.1 chkrootkit

chkrootkit is a tool to locally check for signs of a rootkit. It is freely downloadable from http://www.chkrootkit.org. It contains a shell script that checks system binaries for rootkit modification and carries out various tests: it checks whether any interface is in promiscuous mode, checks for lastlog deletions, checks for wtmp deletions, checks for signs of LKM Trojans, and includes a quick and dirty strings replacement.

Download the tar file from the above site, then unpack, build and run it with the following commands:

tar -zxvf chkrootkit.tar.gz
cd chkrootkit-*
make sense
./chkrootkit | more

When executed, a report is generated in which each test should read "not infected" or "nothing found". Any test reporting "INFECTED" must be investigated and remediated, and the tool re-run until no findings remain. Because chkrootkit relies on the system's own commands (awk, ps, strings, etc.), which a rootkit may have replaced, run it with -p pointing at a directory of known-good binaries from read-only media when a compromise is suspected.

6.7 Dial-up Vulnerability Analysis Tools

To ensure that no dial-up modems are connected to the network without the knowledge of the system administrator (for example, to upload information), these tools help in finding out whether any dial-up modem is connected at a given point in time. The following are some of the commonly used dial-up vulnerability analysis tools:

• PhoneSweep
• TeleSweep
• ToneLoc

7 Conclusion

With the increased popularity of PCs, networks and the Internet, users get the benefits of easy access to information and faster information dissemination. However, network security has also become a big challenge for administrators. There are many security mechanisms to protect valuable information resources, and their effectiveness has to be tested periodically with the vulnerability testing tools described above. Security auditing therefore plays a vital role in identifying vulnerabilities, and the administrator has to take corrective action immediately to secure the systems. It is a continuous process, and with proper administration the network and systems can be made fairly secure.

References
http://www.nmap-tutorial.com
http://www.nessus.org
http://www-arc.com
http://www.sans.org/readingroom
http://www.openwall.com/john/
http://www.chkrootkit.org


Information Assurance Markup Language – IAML

Vicente Aceituno Canal
Calle Olimpico Fco Fdez Ochoa 9 esc B segundo B, 28923 Alcorcon (Madrid), Spain
Email: [email protected]

Copyright with author. This paper is reprinted by special permission.

Introduction

Information security is complex, isn't it? Confidentiality, Integrity, Availability, Non-Repudiation, Compliance, Reliability, Access Control, Authentication, Identification, Authorization, Privacy, Anonymity, Data Quality and Business Continuity are some of the concepts that are often used. The ISM3 Consortium has developed the Information Assurance Markup Language to help companies cut through this complexity.

The ISM3 Consortium understands security not as a mix of all the concepts mentioned above, but as the consistent accomplishment of the mission of the organization. For example, a yogurt maker delivers with quality when customer expectations are met or exceeded for the price; it delivers with security when, despite accidents, disasters, attacks and errors, yogurts are still delivered with the same quality.

From this point of view, the definition of an incident is not company-independent. While for one company trade secrets are key to its success, another company has no secrets at all. While one company won't survive three days without its information systems, another will go out of business in eight hours.

The following is a list of generic or implicit security objectives that are common to many organisations:

1. Use of services and physical and logical access to repositories and systems should be restricted to authorized users;
   a. Intellectual property (licensed, copyrighted, patented and trademarked) should be accessible to authorized users only;
   b. Personal information of clients and employees should be accessible for a valid purpose to authorized users only, should preserve their anonymity if necessary, and should not be held for longer than required;
   c. Secrets (industrial, trade) should be accessible to authorized users only;
   d. Third party services and repositories should be appropriately licensed and be accessible only to authorized users;
2. Users should be accountable for the repositories and messages they create or modify;
3. Users should be accountable for their acceptance of contracts and agreements;
4. Users should be accountable for their use of services;
5. Accurate time and date should be reflected in all records;
6. Availability of repositories, services and channels should exceed Customer needs;
7. Reliability and performance of services and channels should exceed Customer needs;
8. Volatility of services and channels should be within Customer needs;
9. Repositories should be retained at least as long as Customer requirements;
10. Expired or end-of-life-cycle repositories should be permanently destroyed;
11. Precision, relevance (up-to-dateness), completeness and consistency of repositories should exceed Customer needs.

Are the old concepts and these new ones compatible? Can you think in terms of Confidentiality, Integrity, Availability, Non-Repudiation, Compliance, Reliability, Access Control, Authentication, Identification, Authorization, Privacy, Anonymity, Data Quality and Business Continuity and also in terms of this list? You can, and IAML can help you get there. Security objectives fall into three categories: Business Needs and Limitations, Compliance Needs and Limitations, and Technical Needs and Limitations. We describe them presently.

Business Needs and Limitations are objectives directly linked to business needs.

• Security Objectives 1 to 6 are achieved using Access Control techniques. The Access Control paradigm represents users in information systems using user accounts or certificates and implements digital equivalents of guarded doors, records and signatures. For Access Control to be effective, User Registration, Authentication, Authorization and Recording need to be implemented in as robust and tamper-resistant a manner as possible.

• Security Objectives 6 to 8 are normally achieved using backup and enhanced reliability techniques. Protected services, interfaces and channels can be classified according to security objectives for priority. In a multi-tiered information system, the priority of higher level services is propagated to the lower level services they depend on.

• Security Objectives 9 and 10 are normally achieved using archival and clearing techniques. The durability of a repository is the length of its planned life-cycle. Retention periods are often determined by business purpose or by legal and fiscal requirements. Retention of repositories implies either keeping available the systems used to access them or copying the data to newer repositories and formats that are accessible by available systems.

• Security Objective 11 is normally achieved using quality control techniques. The information quality of a repository is a measure of how fit the repository is to fulfil security objectives.

Compliance Needs and Limitations are obligations set by laws or regulations, and certifications sought by the organization on contractual, ethical and fair-use grounds, for example:

• Third party services and repositories need to be appropriately licensed.

• Personal information completeness must be proportional to its use.

• Personal information can't be kept for longer than needed.

• Tax records must be kept for a minimum number of years.

• Personal information must be protected using certain security measures depending on the type of personal information.

• The owner of personal information must agree to its being collected and has the right to check it, correct it and approve how it will be used if ceded.

• Repositories with personal information have to be registered with a Data Protection agency.

• Encryption must be used within legal limitations.

• Secrets must be kept according to the terms of agreed Non-Disclosure Agreements.

• The owner of personal information will be given notice when his data is being collected, including who is collecting the data.

• Personal information must be used for the purpose agreed with the information owner.

• Personal information must not be disclosed without the agreement of the information owner.

• Personal information owners will have means to make data collectors accountable for their use of his personal information.

The same techniques used to control information quality can be used to control compliance, but business-related and compliance-related security objectives don't necessarily match.

Technical Needs and Limitations are related to weaknesses and requirements of using information systems based on the von Neumann architecture. Most weaknesses in modern systems are related to the following facts:

• A byte can be data, an address or a machine instruction. This is exploited, for example, by buffer overflow attacks;

• Most user systems consider by default that all code sitting in their repositories, or even remote code, is legitimate. This is exploited by malware;

• Mobile repositories are essentially passive and can be read without any access control from any system;

• Once a repository is written, the information remains long after it stopped being used.

Technical limitations (rather than needs) are not directly linked to business objectives, but are a fact of life of the use of information systems. Information systems need electricity and certain temperature and humidity conditions to work properly. New weaknesses are discovered all the time, and patches are released to fix them. For these reasons there are security objectives related to keeping information systems as free as possible of weaknesses visible to potential attackers, and within proper environmental conditions:

• Systems should be as free of weaknesses as possible.

• Systems should be visible to trusted systems only.

• Systems that need to be visible to untrusted systems should be the least visible possible.

• Systems should run trusted services only.

• The electricity, temperature and humidity where systems operate should exceed the systems' needs.

You can express security objectives using IAML, but what is IAML good for, really? If a security professional thinks of information security as the set of security processes and controls in place, he will wonder what to make of IAML. IAML doesn't say what controls you should implement, it doesn't perform a risk assessment, and it doesn't by itself reveal the vulnerabilities in your systems. What IAML does is express the security objectives of the organization at the business unit, network environment, application or system level. Only when you know what your objectives are (instead of using a predefined set like confidentiality, availability and integrity) can you design and protect your information systems in a cost-effective manner, and explain WHY you are choosing that design and that protection. IAML can be downloaded from http://www.ism3.com/index.php?option=com_docman&task=cat_view&gid=1&Itemid=9

© Vicente Aceituno Canal 2007 – ISM3 Consortium. Vicente Aceituno Canal, Ingeniero Técnico en Telecomunicaciones (Universidad Politécnica de Madrid), is the Vice-President of ISSA in Spain, has 15 years' experience in IT and security consulting (http://en.wikipedia.org/wiki/User:Vaceituno), leads the F.I.S.T information security conferences in Spain (www.fistconference.org), authored ISM3 (Information Security Management Maturity Model, www.isecom.org/ISM3), published his first book, "Seguridad de la Información", ISBN 84-933336-7-0, last year, and maintains a web site on personal computer security (www.seguridaddelainformacion.com).


Information Security – Normalized Risk Assessment and Treatment Methodology

S Velmourougan* & Dr. S Muttan**

*Scientist, CFR, MCIT, Chennai, India, [email protected]
**Assistant Professor, Anna University, Chennai, India, [email protected]

1. Introduction

Information systems need to be secure if they are to be dependable and reliable. Since many businesses are critically reliant on their information systems for key business processes (e.g. web sites, production scheduling, transaction processing, storage of private information), security can be seen to be a very important area for management to get right. Information security management is a vital activity in the modern IT world. Information is held in hardware and software, and the attention paid to it depends on who is allowed to use it, when they are allowed to use it, what they are allowed to do (different groups may be granted different levels of access), the procedures for granting access to it, the procedures for revoking access (e.g. when an employee leaves), and what constitutes acceptable use of it. Appropriate security controls are required to ensure its Confidentiality, Integrity and Availability (CIA). CIA plays a major role in assessing the risk to the asset in order to determine the level of security to be provided to the specific asset holding the information. This paper presents an introduction to information security management systems and a methodology to carry out risk assessment and risk treatment to select appropriate controls to ensure the level of security required for the information asset.

2. Information Security Management System (ISMS)

An information security management system (ISMS), being the hot topic, is not only restricted to the IT industry but is also applicable to any industry, firm or organization required to secure vital information, for example organizations in defence, space, telecommunications, railways, and the medical or chemical industries. Just as ISO 9000 deals with quality management systems, ISO/IEC 27001 deals with the information security management system (ISMS). ISO/IEC 27001 is a risk-based management system covering an exhaustive set of security controls to assure information security. Its Annex A is organized into 11 control domains with 133 security controls, as listed in Fig. 1 (refer to the ISO/IEC 27001 standard for more detail). It covers all aspects of information security: security policy, organizational security, asset classification, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, information security incident management, business continuity management and compliance.

3. Key Activities of ISMS (General)

1. Define scope and policy
2. Undertake risk assessment and risk treatment to select appropriate controls
3. Undertake business impact analysis and prepare a business continuity plan
4. Define policies and procedures to establish and maintain the security controls
5. Periodically audit the management process for corrective action

Of these, activity 2 is the most technical and critical one to perform in establishing the ISMS. It consists of:

1. Identification of all the assets covered in the scope
2. Asset valuation based on CIA ratings
3. Rating of the threats and vulnerabilities associated with the assets
4. Calculating the risk of each asset
5. Determination of acceptable risk
6. Treating the risk by selecting appropriate security controls listed in ISO/IEC 27001
7. Preparation of the RA/RTP (risk assessment / risk treatment plan) report and Statement of Applicability (SOA)

Fig. 1: Structure of the ISO/IEC 27001 ISMS standard


4. Normalized Risk Assessment and Treatment Methodology

Step 1. Identification of Assets and Owners

All department or functional heads identify and prepare a list of all important information assets within their spheres of activity.

The information assets fall under one of these categories:
• Physical assets
• Information assets
• Software assets
• Services

Step 2. Asset Valuation Based on CIA Ratings

Each asset is assigned a value on a qualitative scale of 1 to 5, where 1 is low and 5 is high, based on the potential impact to the organization or business in the event of a breach of:
• Confidentiality
• Integrity
• Availability

Assets of similar type having the same sensitivity/criticality level and the same threats and vulnerabilities can be grouped to simplify valuation. The values assigned form the basis for the risk value calculation:

Asset Value = N(Confidentiality * Integrity * Availability) = N(C*I*A)

where N is the normalization function that maps the product (which ranges from 1 to 125) back onto the 1 to 5 scale.

Normalization of Asset Value
If C*I*A = 1, then Asset Value = 1
If 1 < C*I*A <= 8, then Asset Value = 2
If 8 < C*I*A <= 27, then Asset Value = 3
If 27 < C*I*A <= 64, then Asset Value = 4
If 64 < C*I*A <= 125, then Asset Value = 5

The band limits are the cubes 1^3 to 5^3, so the normalized value is simply the smallest n in 1..5 with C*I*A <= n^3, i.e. the cube root of the product rounded up.

Step 3. Rating of Threats and Vulnerabilities Associated with the Assets

Threat Value Assessment

Threats exploit the vulnerabilities associated with the assets so as to cause damage or interruption. For each asset, identify the threats that could exploit its vulnerabilities (strictly, each entry is a threat/vulnerability pair). For each threat identified, estimate a threat value on a scale of 1 to 5 as shown in Table 4.

Vulnerability Value Assessment

Vulnerabilities are weaknesses associated with assets. These weaknesses are exploited by threats, causing loss, damage or harm to the assets. A vulnerability in itself does not cause harm until it is exploited. For each vulnerability, estimate a value on a scale of 1 to 5 as shown in Table 5.

Table 1: Asset valuation in terms of Confidentiality

Value | Class                 | Description
1     | Publicly available    | Non-sensitive, available to the public
2     | For internal use only | Non-sensitive information restricted to internal use
3     | Restricted use only   | Varying restrictions within the organization
4     | In confidence         | Available only on a need-to-know basis
5     | Strictly confidential | Available only to top management and strictly on a need-to-know basis

Table 2: Asset valuation in terms of Integrity

Value | Class               | Description
1     | Very Low Integrity  | Business impact is negligible
2     | Low Integrity       | Business impact is minor
3     | Medium Integrity    | Business impact is significant
4     | High Integrity      | Business impact is major
5     | Very High Integrity | Business impact could lead to serious or total failure of the business process

Table 3: Asset valuation in terms of Availability

Value | Class                  | Description
1     | Very Low Availability  | Availability is required for about 25% of business hours
2     | Low Availability       | Availability is required for about 50-60% of business hours
3     | Medium Availability    | Availability is required for about 75-80% of business hours
4     | High Availability      | Availability is required every day, at least 95% of the time
5     | Very High Availability | Availability is required every day, at least 99.5% of the time

Table 4: Threat valuation (T = estimated probability of occurrence, as a percentage)

Value | Class     | Description
1     | Very Low  | Threat represents very low probability of occurrence, T < 50
2     | Low       | Threat represents low probability of occurrence, 50 <= T < 60
3     | Medium    | Threat represents medium probability of occurrence, 60 <= T < 80
4     | High      | Threat represents high probability of occurrence, 80 <= T < 95
5     | Very High | Threat represents very high probability of occurrence, T >= 95

Table 5: Vulnerability valuation

Value | Class     | Description
1     | Very Low  | Vulnerability represents a very secure environment
2     | Low       | Vulnerability represents a secure environment
3     | Medium    | Vulnerability represents presence of security, but it needs improvement
4     | High      | Inadequacy or absence of security; needs to improve
5     | Very High | Highly inadequate or absent security; needs to improve strongly

Step 4. Calculating the Risk of the Asset

The risk value is a function of the Asset Value, Threat Value and Vulnerability Value and is calculated as the sum of the three:

Risk = Asset Value + Threat Value + Vulnerability Value

Since each term lies between 1 and 5, the risk value lies between 3 and 15.

Step 5. Determination of the Acceptable Level of Risk

To start with, the acceptable level of risk can be taken as 7 and below. The reason is that the highest asset value is 5, and with appropriate controls in place the threat and vulnerability values are 1 each, giving a risk value of 7; a top-value asset can therefore never score below 7, however well it is protected. Any risk value above 7 needs treatment, which means implementing additional controls to bring the risk value down to 7 or below. The risk that remains after treatment is referred to as residual risk. Management should be aware of both the acceptable level of risk and the residual risk, so both require the approval of the security forum. The advantage of normalizing the asset value is that it makes the acceptable level of risk easy to determine; otherwise it leads to confusion about what the appropriate acceptable level is, with one assessor saying 125 and another claiming 85. Since the product C*I*A varies from 1 to 125 and assessors have no option to modify the asset value once it is decided, normalization makes it an easy task to fix 7 as the acceptable level of risk.

Step 6 Treating of risk upon the selection of appropriate security controls listed in the ISO/IEC 27001

The options available for risk treatment are

• Reduce the risk by applying appropriate controls
• Risk Avoidance
  o By not performing the activity
  o Moving assets away from an area of risk
  o Deferring a decision until more information is obtained
• Risk Transfer
  o By Outsourcing
  o By Insurance
• Risk Acceptance
  o Accept the risk
  o Situation is unavoidable
  o Risk is tolerable
• Ignore the Risk where the impact is minimal

The objective of the Risk Treatment Plan is to implement controls to achieve the degree of assurance required by the Management.

Fig. 2. : Risk treatment cycle

Selection of control objectives and controls:

After the risk values are calculated, appropriate controls are identified for those assets whose risk value is ‘8 or above’. The implementation of the controls so selected will reduce the risk value to an acceptable level of risk.
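The additive method of Steps 4 to 6, as an added worked example in Python (not code from the paper): a small constructed asset register is scored, assets at 8 or above are listed for treatment, and the residual risk after the planned controls is checked against the acceptable level of 7. The asset names, scores and planned-control values are assumptions.

```python
"""Added worked example of the additive risk method (Steps 4 to 6).

Constructed example, not code from the paper. Every scale value is 1..5:
Risk = Asset Value + Threat Value + Vulnerability Value, the acceptable
level of risk is 7 and below, and assets scoring 8 or above get controls.
"""
from dataclasses import dataclass, replace

# Step 5: highest asset value (5) + threat (1) + vulnerability (1) = 7
ACCEPTABLE_RISK = 7


@dataclass(frozen=True)
class AssetRisk:
    name: str
    asset_value: int          # normalized asset value, 1..5
    threat_value: int         # threat value, 1..5
    vulnerability_value: int  # vulnerability class, 1..5 (table above)

    def __post_init__(self) -> None:
        # Reject out-of-range inputs: the method only works on the 1..5 scales.
        for label, value in (("asset", self.asset_value),
                             ("threat", self.threat_value),
                             ("vulnerability", self.vulnerability_value)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} value {value} for '{self.name}' is outside 1..5")

    @property
    def risk(self) -> int:
        """Step 4: risk is the plain sum of the three values (range 3..15)."""
        return self.asset_value + self.threat_value + self.vulnerability_value

    def needs_treatment(self) -> bool:
        """Step 5: anything above the acceptable level (i.e. 8 or more) is treated."""
        return self.risk > ACCEPTABLE_RISK


def apply_controls(asset: AssetRisk, threat_after: int, vulnerability_after: int) -> AssetRisk:
    """Step 6 'reduce the risk' option: controls lower the threat and/or
    vulnerability values; the asset value stays fixed once decided."""
    if threat_after > asset.threat_value or vulnerability_after > asset.vulnerability_value:
        raise ValueError("a control cannot raise the threat or vulnerability value")
    return replace(asset, threat_value=threat_after, vulnerability_value=vulnerability_after)


def treatment_plan(register, planned_controls):
    """Build the risk treatment plan for every asset whose risk is 8 or above.

    planned_controls maps asset name -> (threat_after, vulnerability_after)
    expected once the selected ISO/IEC 27001 controls are in place. An asset
    with no planned control keeps its current values, so its residual risk
    equals its original risk and the row shows that treatment is outstanding.
    Rows are ordered highest risk first so the forum sees the worst assets first.
    """
    rows = []
    for asset in sorted(register, key=lambda a: a.risk, reverse=True):
        if not asset.needs_treatment():
            continue  # already at or below the acceptable level
        threat_after, vuln_after = planned_controls.get(
            asset.name, (asset.threat_value, asset.vulnerability_value))
        treated = apply_controls(asset, threat_after, vuln_after)
        rows.append({
            "name": asset.name,
            "risk": asset.risk,
            "residual_risk": treated.risk,  # what remains after treatment
            "acceptable": not treated.needs_treatment(),
        })
    return rows


# Constructed sample register (hypothetical assets and scores, not from the paper).
REGISTER = [
    AssetRisk("Payroll database", asset_value=5, threat_value=3, vulnerability_value=4),
    AssetRisk("Public web portal", asset_value=3, threat_value=4, vulnerability_value=3),
    AssetRisk("Visitor log book", asset_value=2, threat_value=1, vulnerability_value=1),
]

# Expected threat/vulnerability values after the chosen controls (constructed).
PLANNED_CONTROLS = {
    "Payroll database": (1, 1),   # access control and patching bring both to 1
    "Public web portal": (3, 2),  # hardening lowers the vulnerability value only
}

if __name__ == "__main__":
    for row in treatment_plan(REGISTER, PLANNED_CONTROLS):
        status = "acceptable" if row["acceptable"] else "still above 7, more controls needed"
        print(f"{row['name']:<20} risk={row['risk']:>2} residual={row['residual_risk']:>2}  {status}")
```

Running the block shows the payroll database reaching the acceptable level (residual 7) while the web portal stays at 8 and needs a further control before the security forum can accept it.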

5. Conclusion

The ISMS standard does not specify any hard and fast rule for carrying out the risk assessment and treatment, but this paper discusses the best practices to be followed to effectively estimate the risk pertaining to a specific information asset or group of assets. Moreover, there are many handholding tools which can ease the risk assessment process. Different tools adopt different methodologies to estimate the risk and, similarly, to optimize it.

References

(1) Zella G. Ruthberg and Harold F. Tipton, CISSP, Editors, “Handbook of Information Security Management”, 1993, Auerbach
(2) Hal B. Becker, “Information Integrity: A Structure for Its Definition and Management”, 1983, McGraw-Hill, ISBN 0-07-004191-1
(3) Phillip E. Fites and Martin P.J. Kratz, “Information Systems Security: A Practitioner’s Reference”, 1996, International Thomson Computer Press, ISBN 1-85032-828-5
(4) Micki Krause, CISSP, and Harold F. Tipton, CISSP, Editors, “Handbook of Information Security Management”, 1999, Auerbach, ISBN 1-8493-9974-2
(5) ISO/IEC 27001 standard

About the Authors

S. Velmourougan is presently working as Scientist at the Centre For Reliability (CFR-Chennai), STQC Directorate, Ministry of Information Technology, Govt. of India.

He is working in the fields of information security and application security assessment, software reliability estimation, reliability allocation, system reliability analysis, failure analysis, and reliability development/growth testing. He has developed various Windows based user-friendly software packages that are being used by over 200 major organizations in India. He is a “Certified Ethical Hacker (CEH)” certified by Eccouncil, USA, a Qweb Lead Assessor (IQNET) and an ISMS Lead Auditor (IRCA-UK); he is also a “Certified Reliability Professional (CRP)” and “Certified Software Test Manager (CSTM)”. He has presented various technical papers in conferences, journals and magazines.

Dr. S Muttan is Asst. Professor, School of ECE, Anna University, Joint Secretary of the Indian Association of Biomedical Scientists, a Life Member of the Biomedical Society of India and a Life Member of ISTE. He has been guiding UG and PG students and research scholars in various fields of electronics, communications and information technology. He has published many research papers in both national and international conferences and journals. He completed his PhD on the Evolution and Design of an Integrated Cardiac Information System in Multimedia.

Information Security – Case Study

Last week (from 21st July 2007) the following was happening at my PC at home. It is worth telling you for your or your colleagues’ benefit.

I noticed that Norton Antivirus Corporate edition was opening very slowly. Slowly this time started increasing. For 12 hours I had to keep the computer on after starting the antivirus. In 12 hours it found 1700 viruses, and quarantined and backed these up. After this, I ran the antivirus again. It found none after a 4 hour run.

After this Outlook Express 5 started getting auto-shut down after a few seconds. I looked on the Microsoft site for troubleshooting. I applied all the suggested methods; none worked. After that I thought of reinstalling OE5 using the mail client of IE5. OE5 started working, started downloading mails and sending mails. But the downloaded attachments were showing an error during opening.

After some time, I found I was unable to read pdf files, including the ones sent by you. So I wrote a mail to send your pdf files again. You sent these again. But these were also not opening. I tried to download Acrobat Reader again. It downloaded but with errors. All pdf attachments I had to read in my office and could not read at the PC at home.

After that Word manuscripts were sometimes saving on the disk and sometimes I got ‘disk full’ and ‘delete tmp files’ error messages. I deleted the ~w*.doc files, and Word started behaving nicely. But the Word files downloaded by OE5 I was still unable to read.

This was enough to frustrate me, raise my BP and make me feel as sad as if some relative had caught cancer.

I called the Company Engineer. The Engineer said I had to format my disk. I said I would try, save my files on CDs and get it formatted on July 31, 2007.

Today morning at 3 AM I thought and got the solution. I deleted all quarantined and backup files in Norton Antivirus Corporate edition. Each of the above problems was magically solved.

The case study presented is an example of how a security system blocked files in temp folders that choked the running of the system itself.

Dr. Raj Kamal
Ex-Vice Chancellor & Senior Professor and Faculty at Computer Science and Electronics, Devi Ahilya Vishwavidyalya, Khandwa Road Campus, Indore 452001, MP, India
web: www.rajkamal.org
e-mail: [email protected]; [email protected]


Implementing Information Security Policies – the people perspective
P Prasannavadanan

Vice President - Banking Products Division, i-flex solutions limited. [email protected]

Enterprise Information Security threats can originate in people, processes or technologies – in the majority of cases, the biggest and most serious threats are just basic and from within. Many organizations consider technology itself as a means of defense, and that is where problems start. They consider technology as the fortress that could guard their systems and provide them “a sense of confidence, safety and freedom from fear or anxiety, particularly with respect to fulfilling one’s present (and future) needs.” In fact the truth is that the biggest security threats/hazards originate from within people and processes and from how one uses technology, not necessarily from technology per se. The focus therefore shifts to framing and implementing security policies, which have the following dimensions:

1. Monitoring of possible threats
2. Assessment of available Defense Systems/Mechanisms
3. Balancing of Risks Vs Costs
4. Risk Evaluation and Assessment of Security Maturity Models / Levels

Information Security Policies are simply the complete set of rules to be followed, which address all aspects of an enterprise’s information security. A policy is basically a plan which takes stock of an enterprise’s assets and spells out how they could be secured or protected. Policies are expected to be comprehensive and cover the entire gamut of security issues. They may sometimes even contain very complex control requirements expressing the need of a given business unit. They are not just rules to be framed and archived – they need to be read, understood and of course implemented in true letter and spirit. Here we are not just looking at the appropriateness of Security Policies but at how they become ineffective if people do not understand them and put them into their daily (business) systems and workflows as much as they can.

People are the weakest links in the enterprise security infrastructure; people create security processes, frameworks and policies and they also implement the same. One is concerned here about people’s attitudes to security and security triggers. Few will subscribe to the view that a certain employee’s skill set or lack of it can put the organization at a certain competitive disadvantage – but his negative attitudes and insensitivities to security policies and practices can often put the entire organization at great risks.

In order to understand, validate and implement a security policy, users need to be aware of the consequences of violating the guidelines and thus exposing critical systems to serious hazards. Here it is more important to advise the user how he is becoming insecure than to tell him how and why he should be punished for violating the guidelines. The emphasis should be on getting him acquainted with the policy in detail and also letting him validate the policy as well as his ingrained role in implementing it. So the focus should be on awareness and involvement rather than on finger-pointing, punishment or retribution.

This author’s experiences in managing and delivering information systems and applications in most of the African and South Asian countries over the last two decades have revealed that people do obey rules so long as they are made to understand and validate them. It is just a question of how a person is trained to own up to his responsibilities. There should be ample freedom to go to the basics and really get the person to embrace security as a part of his daily workflow. Unfortunately security policies are seldom implemented that way, and users rarely realize how their work and career depend on enterprise information security.

Information Security Policy guidelines should be down-to-earth and should clearly articulate the security dimensions for each of the organizational roles. Most of the time, these documents are more legal and clinically logical than granular or practical. Few people like to read lengthy and boring documents. So it is very important to design the most appropriate method of writing the various security policy guidelines. There is always a need for carefully and strategically masking information which could be irrelevant for a given target audience. It is important therefore that the presentation style and formats be such that they are appealing and coherent to an audience of varying degrees of knowledge and understanding.

Designing appropriate role-sensitive security awareness programs is the key enabler for successful security policy implementation. These programs should at least be two-pronged; one should provide a better insight into the information security templates vis-à-vis one’s respective and defined (organizational) roles and the other should train them hands-on how to play each one’s role in the overall security framework. The message to be clearly communicated here is that “information security is everybody’s business”.

Enterprise level awareness should not end up with just a few training programs. It should be an ongoing episode, with considerable homework necessary on the feedback received during such trainings. One should also evaluate a user’s understanding of his security responsibilities. In the light of frequent user-triggered security breaches, this ongoing education and validation should become an integral part of the core business processes. To quote the National Institute of Standards & Technology (NIST) description, “Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT Security concerns and respond accordingly”. The cardinal objective of awareness is to “change the behavior of a user, administrator, or owner of a system to that of a more secure behavior”. Here the focus is on adequately improving people’s attitude to preserving information security by encouraging them to behave more responsibly. The main objective of training, on the other hand, is “to give the user, administrator, or owner of a system the necessary skills to securely use that system”.

Last but not least, the organization should create the right environment for getting the best out of people in the matter of enterprise information security. While too many organizational compulsions on security norms may not really help, the punch line should be on how an ordinary employee can be made to take security as part of his daily business routine. It all depends on how well he is motivated to do his role. A system of organizational reward and recognition should evolve which identifies those employees who excel in adopting best practices in information security and decorates them periodically.

To conclude, while designing and implementing security policies one should categorically remember that an enterprise’s greatest strength as well as weakness is its people. The Critical Success Factor in managing people in the information security context is to make them aware of, and own up to, their security responsibilities by directing them to the right track. The challenge is in imbibing and maintaining the right attitude in people and continuously helping them to achieve organizational excellence through a system of information security awareness and training campaigns and incentives. Bridging employee knowledge gaps on information security should be an ongoing exercise. It finally boils down to creating the right information security culture in the organization, and the epicenter of this exercise is people and people alone.


Revised Schedule for Young Talent Search in Computer Programming–2007 & SEARCC International Student Software Competition - 2007

Every year the Education Directorate has been conducting the SEARCC International Student Software Competition.

Last year the teams from India bagged the ‘first’ and ‘third’ prizes. The SEARCC-2007 International Competition is to be held in Bangkok, Thailand between 17.11.2007 and 20.11.2007. We have already despatched the necessary communications to about 3000 High Schools/Higher Secondary Schools in the country. Individual communications have also been sent to all CSI Chapters requesting them to give adequate publicity among potential High Schools/Higher Secondary Schools in their geographical area. The complete details about the SEARCC International Student Software Competition have been uploaded on the CSI Website (www.csi-india.org).

It is hoped that the spirit of competition will cause a lot of schools to register for the Contest, so that the Winners in the National level Competition can be sponsored by CSI for the International Contest.

Revised Schedule

Young Talent Search in Computer Programming 2007 (India)
• First Level Regional Competition in various centres across the country – 26th August 2007 (Sunday)
• Final Level Competition in Chennai – 30th September 2007 (Sunday)

SEARCC International Student Software Competition 2007 (Bangkok, Thailand)
• Registration deadline for SEARCC 2007 – 1st October 2007 (Monday)
• Arrival of participants (Bangkok, Thailand) – 17th November 2007 (Saturday)
• Trial Competition – 18th November 2007 (Sunday)
• Main Competition – 19th November 2007 (Monday)
• Departure of participants – 20th November 2007 (Tuesday)

S. Sudharssanam
Adviser, CSI Education Directorate


Information and Network Security Aspects in e-Governance Framework
Dr. Durgesh Pant* & M K Sharma**

* Reader & Head, Department of Computer Science, Kumoun University, Nainitaal (Uttarakhand). Email: [email protected]
** Senior Lecturer, Amrapali Institute, Haldwani (Uttarakhand). Email: [email protected]

The role of ICT in the public sector has changed dramatically over the past decade. The evolution of e-governance started with governments putting information into portals. e-governance strategies have changed in the last 10 years with new trends such as some governments adopting Private Public Partnership (PPP) arrangements, as in the case of Hong Kong ESDlife. e-governance has evolved to the point where governments are not only providing information directly to citizens, businesses and other governments; they are also interacting with citizens in terms of understanding licensing applications, taxes etc. Trust is a key factor for e-government projects. Any ICT infrastructure must be secure because citizen and business transactions contain significant confidential information. Secure network and identity authentication and verification technology must be in place, together with privacy laws and governance, to ensure that privacy and confidentiality are protected. Finally, the ICT infrastructure must be reliable. The network, applications and processes must be reliable to ensure the availability and integrity of e-government services.

Network and information security is a major concern in implementing e-governance projects. Problems in ICT like hacking, viruses, spamming, intrusion and privacy issues can arise from a lack of security measures. Governments need to provide secure access to information, applications and services via networks.

In this paper we discuss the various security needs of electronic systems like e-governance and e-commerce. We discuss in detail various security mechanisms to address various threats. In this tutorial we also discuss some intelligent security systems based on mobile agents and forecasting mechanisms, and a few products existing in the market.

There are many security related issues when we talk about e-governance. E-governance projects handle sensitive and important data. In e-governance there is a trade-off between security and availability. Security rules can be too harsh or too soft, and tuning them to the demand is necessary. We also consider various options that can lead to better and more secure e-governance. In this paper we cover the need for and the tools of forecasting security needs and dynamic rule setting for the same, and how they can contribute to resolving security issues in e-governance.

Keywords: e-governance, Secure network, Information security, Security threats, Mobile Agents


1. Introduction

ICT is a significant enabler of successful e-governance projects, and can be a new approach for touching the lives of the common man anywhere, any time. We need the technology and strategies for better e-governance initiatives that benefit the masses. The Indian central and various state governments are no strangers to the benefits of using ICT for e-governance. Many state governments and government based agencies have realized that ICT can add substantial value by surmounting the usual challenges of distance, slow speed of operations, and lack of accuracy of information.

The Department of Revenue (Karnataka), National Crime Records Bureau, National Highways Authority of India, Konkan Railways, IRCTC and the governments of West Bengal, Punjab, Haryana and Uttarakhand have been using ICT to empower their activities.

India has 600,000 villages. 70 percent of Indians live in villages, and 95 percent do not speak English. Therefore, e-governance models which do not support the rural delivery system will not contribute much to good governance. The goal of e-governance should therefore be in a direction which can benefit rural India and should act as a bridge to fill the gap between urban and rural India.

1.1 What is e-governance

Ravi Kant, Special Secretary, IT, Government of West Bengal, likes to describe e-governance as the use of information and communication technology (ICT) to enhance information access and the delivery of government services for the benefit of citizens, business partners, organizations and government functionaries.

“e-governance, however, is not really the use of IT in governance but as a tool to ensure good governance. e-governance does not mean proliferation of computers and accessories; it is basically a political decision which calls for discipline, attitudinal change in officers and employees, and massive government process re-engineering,”

The Indian Government has about 60 departments such as Agriculture, Industries, Health, Education, Social Welfare, Employment, Taxation, Finance, Pensions, etc. Thus, we can see that applying ICT processes to improve efficiency, speed, transparency and ease of use, and to lower the costs of providing anywhere, any time services to citizens and businesses, is very much essential but not an easy task. e-governance therefore is a very complex mission. [csrprabhu]

1.2 e-governance models

Some popular e-governance models are:
a) Broadcasting/Wider Dissemination model
b) Critical Flow model
c) Comparative Analysis model
d) Mobilization and Lobbying model, and
e) Interactive Services model

2. Why Securing e-Governance

As India adopts e-governance with a vengeance, the need for network and information security measures to protect vital data will be a major part of the e-governance framework.

To design an e-governance framework, security has become a key issue that needs to be addressed. Like any other on-line project, an e-governance project needs a network to execute, but the major difference is that in an e-governance project a considerable amount of critical information could be involved. Hence the need for securing such information is a must.

Security is critical in e-governance to safeguard the confidentiality of transactions and information on the network. Government documents and other important material such as birth and death registration, motor vehicle license, land records, all of which have legal and legislative nuances have to be protected from unauthorized users in case of e-governance projects. Hence, security is critical for their successful implementation. [3]

2.1 Where Securing e-Governance

Security measures are required wherever the ‘authenticity,’ ‘validity,’ and ‘legal rights’ of digital content have to be protected from repudiation. All digital content, in the form of applications that need protection from tampering, vandalism, decay and accident, needs security.

The role of network or information security is vital in every application which collects or stores data, interacts with an outsider, or carries confidential information and other applications online, and the best example of having most of such qualities and requirements is an e-governance project.

In some online applications we need transfer of money, such as banking, shopping, gambling and gaming. In the e-governance framework the central government can transfer huge funds to a state government online. With the Information Technology (IT) Act, 2000 coming into effect from October 18, 2000, transactions on the Internet have legal validity in India. This allows users to pay their bills for utilities on the Web, at least on paper. All these applications handle money transactions, whether it is transferring money through an online bank or using credit cards. Either way, they are interesting targets for criminals. It may be through phishing scams, trying to fool users into giving away financial and personal information, or it may be through Distributed Denial of Service (DDoS) attacks. Either way, online transactions and their users are at a higher risk of being targeted by digital attacks.

3. Security Threats

The complex network and large size of the e-governance framework make it most vulnerable to virus, spam and Trojan attacks. There can be a lot of intrusion attempts to crack the security, so network and information security is a greater challenge. Without a proper security architecture the e-governance framework will face many security threats of a diverse nature.

In such a complex environment as an e-governance project we need a complete information security architecture. The architecture needs to be further complemented with proper tools and solutions to keep itself away from any threat, both at the network level and at the host level.

Once a virus attack is detected, everything comes to a standstill. Until the entire thing is cleaned up, work doesn’t move further. “When there was an intrusion at network or host level, it took a long time to cure and a huge loss of money can be there. There were some inherent vulnerabilities like Web defacements, stealing of information etc.”


Industry | Application | Average cost per hour of downtime (US$)
Financial | Brokerage operations | $7,840,000
Financial | Credit card sales | $3,160,000
Retail | Home shopping (TV) | $137,000
Transportation | Airline reservations | $108,000
Entertainment | Tele-ticket sales | $83,000
Shipping | Package shipping | $34,000
Financial | ATM fees | $18,000

Table 1: Financial cost per hour of network downtime caused by security threats
Source: Contingency Planning Research, 2002

Fig. 1 : Comparison curves for cost paid for security measures Vs Loss

4. e-governance framework

One of the pillars of the e-governance framework is a set of shared services that allow agencies to share key parts of their infrastructure, applications and business processes within the agency, with other branches of government and with citizens. Shared services may include improved security features for e-mail, geographical information systems, electronic funds transfers, government directories, citizen databases, disaster databases, business databases and large data centers.

4.1 Information management life cycle in e-governance framework

We can offer and deliver many services using an e-governance framework; some of them are:
1. Single and Multiple department Transactions
2. Private correspondence of documents to Government
3. Change of Personal status
4. Employment Application
5. Information Search
6. Electronic voting
7. Interdepartmental requests
8. Granting permission to access services
9. Enrollment / Revocation of Government employees
10. Fraud Investigation
11. Access to e-Government services under delegated
12. Government to citizen services

Fig. 2 : e-governance Framework

Before starting to offer all these services we need to collect and process a lot of information. For that a predefined system is required.

4.2 Information management life cycle

1. Collection: Gathering data on citizens, businesses and other entities.
2. Storage: Gathered data is stored for processing.
3. Processing: Processing takes place at many server levels.
4. Communication: Data collection and processing require a lot of Government to Citizen (G2C) and Government to Business (G2B) communication to happen.

In this life cycle, each stage above carries security risks, and at each stage we need security of the network as well as of the information.

4.3 e-governance Service Attacks and Threats

• Unknown Outsider Attack
• User Fraud
• Insider Attack
• Privileged Insider Attack
• False Identity
• Impersonation
• Unauthorized Disclosure
• Revoked rights
• Theft of Access Tokens
• Duplication of Access Tokens
• Denial of Service Attacks
• Misinformation and Propaganda
• Breach of Anonymity
• Breach of Accountability
• Failure to Recover Business Information
• Theft on Monetary value

5. Security solutions market

Anti-virus (AV) and firewalls occupied the largest market share in the security appliances business. However, the concept of a self-healing network increasingly brought intrusion detection and protection (IDP) solutions to the forefront. While anti-virus and firewalls are seen more as reactive security mechanisms, IDP solutions are more proactive and get activated as soon as any abnormal behavior is detected. The following tables list some vendors from which security solutions can be obtained.

Leading Security Product Vendors (2004-05)

Product Category | Key vendors
Anti-virus | Trend Micro, Symantec, Network Associates, MacAfee
Firewalls | Cisco, Checkpoint, Juniper, Nokia
Intrusion detection and prevention | ISS, Cisco, Symantec, MacAfee
Authentication | RSA
Multifunctional appliances | WatchGuard, Sonicwall, Fortinet, CyberGuard

*Other includes e-mail management, content filtering, etc.
V&D estimates. Source: CyberMedia Research

Table 2 : Security product vendors

Top market leaders in network security

Rank | Players | Revenue 2004-05 (Rs crore) | Revenue 2003-04 (Rs crore) | Growth (%)
1 | HCL Comnet | 16 | 8.5 | 88
2 | Datacraft | 12.5 | 8.4 | 49
3 | Wipro Infotech | 8.4 | 6.5 | 29
4 | GTL | 5 | 2.4 | 108
5 | Secure Synergy | 4 | — | —
6 | Ramco | 2 | — | —
7 | Network Solutions | 1.5 | — | —
— | Others* | 10.6 | 9.6 | —
— | Total | 60 | 35.4 | 69

*Others includes Fortinet, Artek, Gemini, Vintron Communications, Sify, 3D Networks etc.
V&D estimates. Source: CyberMedia Research

Table 3 : Top market leaders in network security

5.1 Security monitoring tools

If we look at the e-governance projects and the networks being rolled out for them, network or information security seems to be paramount. In an e-governance project, a substantial amount of documentation is being done, like maintenance of land records, police records, court judgments and so on. Each department functions independently and has its own set of transactions to undertake. Hence having security measures in each department is critical, so that only authorized people get into the network and access the information.

The importance of security is high among industry and government, but awareness is low. An understanding of security technology and the need for its implementation is required for a safer and more secure IT environment in the country. Securing public data and ensuring the security of government Web sites are some applications where security solutions or monitoring tools are required. Some common processes of those tools are:

5.1.1 Vulnerability Assessment

Network and information security assessment services review all aspects of the data and voice networks and provide recommendations to maximize security, reliability, and availability. The deliverables can include:
• Identification of vulnerabilities that need to be immediately addressed
• Verification of security products and features already in place
• Prioritization of security projects for future implementation
• Assessment of the real-world threat to network assets

5.1.2 Security Policy Development

Any security policy must satisfy working objectives as well as the technical aspects of securing e-governance information. Part of developing a secure network is crafting a set of organizational security policies. These policies establish the rules and guidelines that system and network engineers can use when deploying solutions. The policy would then guide how network engineers install and configure firewalls, intrusion detection systems and other network equipment. Developing a useful, practical, and feasible network security policy document can be very time consuming, especially if you are unsure about all the possible technical and practical implications of certain decisions. Some automated tools, like the Coleman Technologies, Inc. Managed Services tools, can help an organization to develop and deploy a comprehensive security policy.

5.1.3 Wireless Network Analysis

Wireless networks are inexpensive, simple to deploy and very attractive for an increasingly mobile workforce, and can be helpful in providing e-governance services in rural or remote areas. Unfortunately, wireless access points are designed for ease of use, not security. A thorough risk analysis provides an option for prioritizing and justifying future security expenditures. Depending on the scope of the risk analysis, the project may involve assessing sensitivity, criticality, threat, vulnerability, and susceptibility to penetration.


CSI Communications • August 2007

5.1.4 Successful Identity Authentication

Protecting access to electronic resources is not a simple process. The Internet is a standard medium for conducting operations in an e-governance framework, within and outside organizations. At present, there is a need for secure identity authentication, verification, and protection technology within all industries. Tools like NIPP Secure ID™ consist of a comprehensive set of proven biometrics technology compatible with various applications. This solution allows authentication and validation of any type of transaction in Government Agencies, Companies, Medical and Financial Institutions, Banks, and Judicial Levels of any other companies.

6. Case Studies

6.1 E-voting

The ultimate test of e-governance security and privacy may be electronic voting. In contrast to the obstacles of paper-based elections, e-voting allows citizens to vote via mobile device or electronically at a polling station. In Madrid, HP and Scytl teamed up for two electronic referendums in 2004. Approximately 135,000 citizens of Madrid voted on local issues via the Internet and mobile phones in an event that became Europe’s largest e-participation experience to date.

6.2 MyKad

Since 1999, the Malaysian government has been gradually phasing in a multi-purpose national ID smart card, which it intends all Malaysians to adopt by 2005. The card, known as “MyKad,” incorporates both photo identification and fingerprint biometric technology and is designed with six main functions: identification, driver’s license, passport information (although a passport is still required for travel overseas), health information (blood type, allergies, chronic diseases, etc.), and an e-cash function. The card can also function as an ATM card, although it is MyKad’s least attractive feature and banks have discouraged customers from using the card for such a purpose. There are plans for adding additional applications for digital signatures for e-commerce transactions.

Fig. 3 : MyKad

7. Conclusion

Many citizens who have the facility or infrastructure to access online information want the convenience of interacting with governments online, but they also need reassurance that the personal information they share can be safely guarded. The viability of e-governance projects ultimately depends on trust.

Information systems security research should be one of the visions of e-governance to concentrate on in the next few years, to develop security techniques, technologies and products for facing new challenges in using open media for transactions pertaining to Government, Industry and Business, covering commercial, financial and administrative aspects. Security requirements are a dynamic phenomenon, not a static one. Security management is no longer technology oriented but management oriented, both for effective implementation and for establishing information and systems as an asset of the organization. Information assurance involves people, processes and technology. It has to be customized for every organization based on its various requirements, static and dynamic, and on the risks and challenges it faces in conducting, managing and transacting business within the country and across the globe.


About Authors

Dr. Durgesh Pant is working as Reader and Head, Department of Computer Science, Kumoun University, Nainitaal (Uttarakhand). He has guided several Ph.D students. He has published several research papers. He is convener of Computer Science courses of Kumoun University as well as a member of the Board of Studies of several Indian universities. His areas of interest and research include data compression, algorithm analysis, data warehousing & mining etc.

Mahesh K. Sharma (M.Tech, pursuing his Ph.D) is working as Senior Lecturer in the Department of Computer Science, Amrapali Institute, Haldwani (Uttarakhand). He has 10 years of experience in academics and industry. He is co-author of 5 books and has published international and national research papers. He is content author for Chaudhary Devi Lal University, Sirsa and Uttarakhand Open University, Uttarakhand. He is an active member of the Computer Society of India and its Special Interest Group for e-Governance.


Managed Security Services – A Perspective

M P Badrinath
Senior Manager, Risk and Business Solutions, Ernst & Young Pvt Ltd
[email protected]

Introduction

Technology has enabled connectivity and facilitated ease of communication. This has in some way contributed to the diminishing ability of organizations to protect their assets from undesirable elements from within and outside the perimeter. Facing a shortage of resources with the requisite skills and a desperate need to prevent an attack, or to detect and correct it, organizations are looking for creative and effective ways to protect the information and networks on which their survivability depends. This article focuses on the reasons for security outsourcing, the impact of such outsourcing, and the components that can be outsourced.

Background

Outsourcing is an arrangement whereby one business hires another to perform tasks it cannot or does not want to perform by itself. In the context of information security, outsourcing means that the organization turns over responsibility for its information security to professional security service providers. This possibility is embodied in a new segment of the information security market called Managed System Security Providers (MSSPs), which has arisen to provide organizations with an alternative to investing in their own systems security.

Classification of Security Service Providers

The security services market can be segmented in a number of different ways. These services include performance of short-term or one-time tasks (such as risk assessments, policy development, and architecture planning); mid-term (including integration of functions into an existing security program); and long-range (such as ongoing management and monitoring of security devices or incidents). The majority of MSSPs fall into the third category and look to establish ongoing and perhaps long-term relationships with their customers.

The other type of segmentation is based on the type of information protected or on the target customer base. Some security services focus on particular vertical markets such as the financial (including banking) industry, the government, or the defense industry. Others focus on particular security devices and technologies, such as virtual private networks, or Intrusion Detection Systems, or firewalls, and provide implementation and ongoing support/maintenance services or a combination of these services.

Reasons for Outsourcing Information Security

The reasons for outsourcing information security services are varied and include:
• Free up resources to be used for other mission-critical purposes.
• Maintain flexibility of operations by allowing peak requirements to be met while avoiding the cost of hiring new staff.
• Accelerate process improvement by bringing in subject matter expertise to train corporate staff or to teach by example.
• Obtain current technology or capability that would otherwise have to be hired or acquired by retraining, both at a potentially high cost.
• Remain abreast on the technical front.
• Third-party views bring in objectivity and facilitate internal acceptance.
• Control operating costs or turn fixed costs into variable ones through the use of predictable fees.
• Enhance organizational effectiveness by focusing on core competency.
• Acquire innovative ideas from experts in the field.
• Reduce response times when dealing with security incidents.
• Improve customer service to those being supported.
• Allow IT staff to focus on day-to-day or routine support work.
• Avoid an extensive capital outlay by obviating the need to invest in new equipment such as firewalls, servers, or intrusion detection devices, depending on the type of service chosen.

Benefits of Outsourcing Information Security to MSSPs

The benefits can be broadly classified into the following areas:
• Lower Cost of Ownership: The cost of engaging an MSSP is typically less than hiring in-house, full-time security experts.
• Leveraging Expertise: Qualified professionals with the appropriate skill set and experience are not easily available, hence the company needs to recruit, train, compensate and retain professionals. However, when outsourcing to an MSSP, providing top-notch personnel becomes the responsibility of the service provider. This is one major reason that will drive this market.
• Ensuring a High Level of Service: When an organization outsources to an MSSP it receives near real-time results 24 hours a day, 7 days a week and 365 days a year. Since MSSPs have strict contractual agreements and must maintain their reputation in the market, their control measures are very stringent in terms of documentation and careful implementation.

Impact of Outsourcing Information Security to MSSPs

The benefits of a managed service provider, as briefly discussed above, could be very attractive. For every potential benefit, there is a potential pitfall as well. They are:
• Exceeding costs - either because the vendor failed to disclose them in advance (hidden costs) or because the organization did not anticipate them
• Contract issues - lead to difficulties in managing the service unless driven by a well drafted Service Level Agreement (SLA).
• Degradation of service
• Losing control of basic business resources and processes that now belong to someone else

• Failing to maintain mechanisms for effective provider management

• Losing in-house expertise over a period of time

• Discovering conflicts of interest between the organization and the outsourcer

• Disclosing confidential data to an outside entity that may not have a strong incentive to protect it

• Experiencing decline in productivity and morale of staff

• Becoming dependent on inadequate technology if the vendor does not maintain technical currency

• Becoming a “hostage” to the provider who now controls key resources

Components of Information Security that can be Outsourced

Information security outsourcing can be broadly divided into the following domains:
• Development of Security Policies and their maintenance
• Training and Awareness
• Security Administration
• Security Operations
• Network Operations
• Incident Response

Development of Security Policies

The development of security policies for an organization requires a unique skill set, which the MSSP possesses. This is the major reason why many organizations employ MSSPs to develop and maintain their security policies. However, development of such policies requires in-depth knowledge of the organization, as these policies define the philosophy of the organization.

Training and Awareness

Training and awareness programs are often outsourced by organizations to security service providers.

The outsourcing of this component starts right from preparation of course material to delivering the training. The training material ranges from standard course material (one for all) to custom material targeting the specific security needs of the users and of different categories of users within the organization. The most common topics covered during the training sessions include: Information Classification and Labeling, Acceptable Use procedures, and General Security Awareness. Sometimes the security service provider also provides training on technical specifics. Awareness is a good defense against social engineering.

The outsourced security service provider leverages the knowledge and exposure obtained by providing various training programs across industries and delivers the topics to the users in a well organized manner. The security services provider presents the security awareness topics in an informative and entertaining manner, thereby catching the attention of the attendees. Organizations usually provide such training and awareness programs on an annual or semi-annual basis to their employees; new employees are provided with induction training, and existing employees with refresher training. Usually the organization’s role in this outsourcing of the security education function is to schedule the events, monitor the participation level, and evaluate the service provider by obtaining feedback from the attendees.

Security Administration

Development of security policies and training users on security awareness provide the foundation for information security in an organization. The security administration component forms part of the ongoing security function of the organization. The outsourced security service provider creates, modifies, or removes user accounts on behalf of the outsourcing organization and also performs the following activities:

• Account management including account unlock, password reset, and token replacement

• Assigning privileges based on request

• Documentation of the activities performed such as backup logs and incident reports

• Providing an overview to the customers of the organization and explaining the security posture

Security Operations

Recent growth in managed security services has included physical security (to manage and protect tangible assets) along with the security of information assets. Managed security service providers have started to mix the data and operational ends of security so that physical security is vastly enhanced and even tightly coupled with security technology. Examples include monitoring and tracking employees using access cards and operating CCTVs. It also extends to facilities management.

Network Operations

Managed Security Service providers supervise, monitor and maintain the network of the outsourcing organization. The network operations specialty focuses on:
• Network troubleshooting,
• Software distribution and updating,
• Network devices management,
• Performance monitoring,
• Co-ordination with affiliated networks, and
• Review of various logs.

Incident Response

The incident response component performed by the MSSP for the organization contains the following:
• Intrusion detection – Identification of intrusion attempts
• Employee misuse – Monitoring of employee misuse, evidence collection, and escalation of the same.

• Crime and fraud – Identification of crime or fraud using the organization’s systems.

• Disaster recovery – Providing disaster recovery services for the outsourcing organization.

Future Trends

The first category of industries most likely to outsource security is represented by those companies whose key assets are access to reliable data or information services. Financial institutions, especially banks, securities brokers, and insurance, health, or property claims operations, are traditional buyers of security services. Recent developments in privacy have added healthcare providers, financial institutions/services and associated industries to that list.

Hospitals, medical care providers, pharmaceuticals, and health-centered industries have a new need for protecting the privacy of personal health information, as do banks and financial institutions for their customer information. HIPAA and GLBA compliance enhances the need for security (privacy) compliance providers.

The third category of industry that frequently requires outsourced security is the set of industries that cannot suffer any downtime or show any compromise of security, such as those providing logistics. Railroads, cargo ships, and air traffic control are obvious examples of the types of industries where downtime cannot be tolerated and continuous availability is a crucial element for success.

The final category of industry that may need security services comprises those industries that have as a basis of their success an extraordinary level of trust in the confidentiality of their data. This includes scientific, medical and defense research organizations. Taken to the extreme, this can include military or national defense organizations. Routinely, this would include technology research, legal, marketing, and other industries that would suffer severe reputation loss if their security was found wanting.

Conclusion

Outsourcing the security of an organization’s information assets may be the antithesis of the ancient “security through obscurity” model. However, in today’s networked world, with solid planning in advance, a sound rationale, good due diligence and management, and an excellent Service Level Agreement (SLA), any organization can outsource its security. Outsourced security, or managed security services (MSS), will continue to gain popularity and grow. Providers of these services will be successful if they can translate technology into real business metrics. Buyers of that service will be successful if they focus on the measurement of the defined objectives that managed services can provide. Regulatory oversight of this type of industry, if and when feasible, will provide comfort to the users of the service.


The views expressed in this paper are the personal views of the author and do not reflect the views of his employers.

Call For Papers

IHN’07: 1st Home Networking Conference 2007
IFIP TC6 Conference, IEEE (under request)
Paris - France, December 10-12, 2007

Important Deadlines:
September 5, 2007: Papers due
September 30, 2007: Authors notified of acceptance
October 15, 2007: Final papers due

For more information please visit the web site at www.home-networking2007.org
Information: [email protected]


Incident Handling and Management

Brian Honan
Senior Consultant, BH Consulting, PO BOX 10995, Dublin 15, Ireland
[email protected]

Copyright with author. This paper is reprinted by special permission

Security is only as effective as the response it generates. A structured response ensures that an incident is recognised early and dealt with in the most appropriate manner. An incident that is not responded to in a timely manner can expose an organisation to many issues including, but not necessarily limited to:
o Disclosure of confidential information.
o Prolonged recovery times due to more extensive damage as a result of the ongoing incident.
o The inability to proceed with a criminal or civil case due to lack of evidence or inadequate evidence gathered.
o Negative impact to the organisation’s image in the eyes of shareholders, customers and/or partner organisations.
o The organisation may face potential legal and/or compliance issues depending on the regulatory and legal requirements.
o Exposure to legal cases from third party organisations impacted as a result of the incident.
o Exposure to legal/libel cases from employees/individuals who may have been dealt with unfairly by an inappropriate and/or cumbersome response.

An organisation that has a structured and formalised response in place to internal and external IT security incidents demonstrates that it is taking its corporate and legal responsibilities seriously and has a positive security posture. This security posture ensures that the organisation can deal with security incidents quickly, efficiently and effectively. This will result in:
o The rapid and accurate assessment of security incidents and the most appropriate response.

o Shortened recovery times to incidents and minimised business disruption.

o The confidence to proceed with a disciplinary, legal or civil case as a result of using proper procedures and processes to gather evidence in response to an incident.

o Ensures that the company complies with local legal, regulatory and industry requirements.

o A potential reduction in incidents as the organisation is not considered a “soft target”.

o Provides accurate reporting and statistics to continuously improve the security of the organisation

Incident Notification/Identification

The notification or identification that an incident is occurring can happen in many different ways. Notification of an incident can happen:
o Automatically from specific security devices, such as an alert from a firewall.
o Automatically from non-security devices, such as a network monitoring system that observes unusual network activity.
o From the manual review of system and security log files on network and/or security devices.
o Staff noticing unusual or suspicious activity on the computer system, or staff noticing content in breach of the company’s security policy on a colleague’s computer.
o From customers or the public who may have noticed corruption to their data, received a phishing email or noticed defacement of the company’s website.

A process should be in place to notify the relevant personnel that the incident has occurred and a response is required. This process should ensure that the following information is passed on to the response team:
o The date and time the incident occurred.
o The date and time the incident was detected.
o Who/what reported the incident.
o Details of the incident including:
   o A description of the incident
   o Details of the systems involved
   o Corroborating information such as error messages, log files, etc.

Known intelligence can improve prior awareness of the possibility that the occurrence of certain incidents may increase. Alerts from computer virus companies of a new computer virus will increase the awareness that an incident as a result of that virus could occur; similarly, hacking attempts are known to increase at the start of each autumn as students start university and try their new skills online.

Incident Classification

In order to ensure that incidents are responded to in a structured manner it is essential that incidents are classified into different levels so that high priority incidents can be responded to more quickly than incidents of a lower priority. For example, excessive traffic on port 80 on a firewall may indicate the start of a Denial of Service attack and would require a quick response to ensure minimal disruption to the network, and therefore would be classified higher than, say, a rejected access attempt to the personal directory of an employee.

The severity of the incident does not alone determine the classification. The potential target also affects the classification. A rejected access attempt to the organisation’s sensitive information will have a higher event classification than a rejected access attempt to unclassified information.

Classifying incidents will depend on many factors such as:
o The nature of the incident.
o The criticality of the systems being impacted.
o The number of systems impacted by the incident.
o The impact the incident can have on the organisation from a legal and/or public relations point of view.
o Legal and regulatory requirements for disclosure.
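The notification record and the classification factors above, worked through in an added example (mine, not the article's): a constructed firewall alert line is parsed into a notification carrying the time occurred, the time detected, the reporter, the systems involved and the corroborating log line; the record is checked for the mandatory fields and then scored from the listed factors (nature, criticality of the target, number of systems, legal/PR impact, disclosure requirement) and mapped to a response tier. The alert line format, the keyword-to-nature mapping, the weights and the tier thresholds are all assumptions made for this illustration. It goes a little beyond the article's two examples by handling several alert kinds in one scheme.

```python
"""Added example, not from the article: build the incident notification
record the response team must receive, then classify it from the factors
the article lists and pick a response tier.  Alert line format, weights
and thresholds are assumptions for illustration only."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed weights: how serious each kind of incident is on its own ...
NATURE_SCORE = {
    "denial_of_service": 5,
    "malware_detected": 3,
    "policy_breach": 3,
    "rejected_access": 1,
}
# ... and how much the target matters (sensitive vs unclassified information).
CRITICALITY_SCORE = {"sensitive": 4, "internal": 2, "unclassified": 1}

# Assumed mapping from the alert keyword in the constructed line to a nature.
KIND_TO_NATURE = {
    "dos": "denial_of_service",
    "virus": "malware_detected",
    "policy": "policy_breach",
    "denied": "rejected_access",
}


@dataclass
class IncidentNotification:
    occurred_at: datetime                # date and time the incident occurred
    detected_at: datetime                # date and time it was detected
    reported_by: str                     # who or what reported it
    description: str
    systems: list[str]                   # systems involved
    corroboration: list[str] = field(default_factory=list)  # log lines, error messages
    nature: str = "rejected_access"
    criticality: str = "unclassified"
    legal_or_pr_impact: bool = False
    disclosure_required: bool = False

    def validate(self) -> list[str]:
        """Names of mandatory fields that are missing or inconsistent (empty = ok)."""
        problems = []
        if not self.reported_by:
            problems.append("reported_by")
        if not self.description:
            problems.append("description")
        if not self.systems:
            problems.append("systems")
        if self.detected_at < self.occurred_at:
            problems.append("detected_at before occurred_at")
        if self.nature not in NATURE_SCORE:
            problems.append(f"unknown nature {self.nature!r}")
        if self.criticality not in CRITICALITY_SCORE:
            problems.append(f"unknown criticality {self.criticality!r}")
        return problems


def notification_from_firewall_alert(line: str, detected_at: datetime | None = None) -> IncidentNotification:
    """Parse a constructed alert line of the assumed form
    '<iso-timestamp> <device> ALERT <kind> key=value ...' into a notification."""
    ts, device, _alert, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return IncidentNotification(
        occurred_at=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        detected_at=detected_at or datetime.now(timezone.utc),
        reported_by=device,
        description=f"{kind} alert from {device}: " + ", ".join(f"{k}={v}" for k, v in fields.items()),
        systems=[fields.get("dst", device)],
        corroboration=[line],                       # keep the raw line as evidence
        nature=KIND_TO_NATURE.get(kind, kind),      # unknown kinds are caught by validate()
        criticality=fields.get("class", "unclassified"),
    )


def classify(n: IncidentNotification) -> tuple[int, str, str]:
    """Return (score, priority, response tier) for a complete notification."""
    problems = n.validate()
    if problems:
        raise ValueError(f"incomplete notification: {problems}")
    score = NATURE_SCORE[n.nature] * CRITICALITY_SCORE[n.criticality]
    score += 2 * min(len(n.systems) - 1, 5)  # wider spread raises priority, capped
    if n.legal_or_pr_impact:
        score += 4
    if n.disclosure_required:
        score += 4
    if score >= 10:
        return score, "high", "escalate to the Incident Response Team and senior management"
    if score >= 4:
        return score, "medium", "Incident Response Team handles during working hours"
    return score, "low", "automated response or log only"


if __name__ == "__main__":
    # Constructed sample alerts (not real log data).
    for sample in (
        "2007-08-14T02:13:07Z fw01 ALERT dos dst=10.0.0.5 port=80 pps=48000 class=internal",
        "2007-08-14T02:15:00Z fs01 ALERT denied user=jsmith path=/home/ajones class=unclassified",
        "2007-08-14T02:16:30Z fs02 ALERT denied user=jsmith path=/finance/payroll class=sensitive",
        "2007-08-14T02:18:00Z av01 ALERT virus file=report.doc.exe class=unclassified",
    ):
        print(classify(notification_from_firewall_alert(sample)))
```

With these weights the port 80 flood on the firewall scores 10 (high), a rejected access attempt on an employee's home directory scores 1 (low, automated handling), and the same rejected attempt against sensitive information scores 4 (medium), which is the ordering the article describes. A notification missing a mandatory field, or carrying an alert kind the scheme does not know, is refused by classify() rather than silently scored low.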

Incident Response

In order to implement an appropriate incident response, the proper people and processes need to be involved and the most appropriate response subsequently developed. Some incidents will simply require no response, others will require only an automated response, e.g. dropping a connection to a blocked port on a firewall, whereas others will require a more complicated response involving personnel from various parts of the organisation and different levels of management.

It is important to establish the appropriate levels of responses to an incident and also that the incident response has the necessary levels of authorisation and autonomy. There is no point having senior management involved in a response to an incident that has minimal business impact.

All personnel involved in responding to an incident must be properly trained and versed in their responsibilities. If the skills are not available in-house then they should be sourced elsewhere. In addition all policies and procedures should be properly tested and reviewed on a regular basis to ensure their effectiveness and applicability. A review process should also be put in place to ensure that lessons are learnt from any incidents that require a response. Failure to take these steps could adversely impact business operations leading to loss of revenue or mission effectiveness, legal ramifications or a loss of public trust.

The incident response methodology will be dependent on the incident classification. The response team will also need to confirm that the incident has occurred and, if so, what the most appropriate response to the incident is. Once an incident has been confirmed and the appropriate incident response process has been initiated, all care must be taken to preserve and record all information and potential evidence in the event that a legal or civil case ensues.

What response is required to an incident will depend on a mixture of business and technical drivers as the type of response can impact on employee, customer, and public relations and may even have legal ramifications. It is therefore essential that clear, concise and accurate processes and procedures that have been approved by senior management are in place for all personnel to follow.

As a large majority of incidents may happen outside office hours or when key personnel are not immediately available, all staff must be given clear guidelines in how they report and respond to incidents.

Many incidents may simply require an automated response. For example, a known computer virus detected in a file could be automatically deleted by the Anti-Virus software and not require a further response. However, an attack on the firewall will require a more measured response and may require the involvement of senior management to decide whether to shut the firewall down to minimise the damage to the firewall or allow the attack to continue so that further evidence may be gathered in the event that a legal case may be required.

An Incident Response Log should be kept where all actions and results of those actions are recorded accurately. Details as to who completed the actions, the time of the action and the outcome need to be maintained. This is to ensure that an accurate record of all action is taken in the event that the incident leads to a civil or criminal court case, or indeed these logs can be used to determine the effectiveness of the incident response procedures.
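The Incident Response Log described above, as an added example (mine, not the author's): every entry records who acted, when, what was done and the outcome, and each entry carries the SHA-256 hash of the previous one, so that a record later produced for a court case or a post-incident review can be checked for alteration or for entries removed from the middle. Hash chaining, ISO-8601 timestamp strings and the incident identifier are my assumptions for the illustration; the entries are constructed.

```python
"""Added example, not from the article: an append-only, hash-chained
Incident Response Log.  Timestamps are ISO-8601 strings so a log can be
rebuilt from an exported copy and verified offline."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def digest_entry(body: dict) -> str:
    # Canonical JSON (sorted keys) so the same entry always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class IncidentResponseLog:
    def __init__(self, incident_id: str, entries: list | None = None):
        self.incident_id = incident_id
        self.entries: list[dict] = entries or []

    def record(self, actor: str, action: str, outcome: str, at: str | None = None) -> str:
        """Append one action (who, when, what, result); returns the new chain head."""
        entry = {
            "seq": len(self.entries),
            "incident": self.incident_id,
            "at": at or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "outcome": outcome,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = digest_entry(entry)   # hash covers every field above
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> tuple[bool, int]:
        """(True, -1) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e.get("seq") != i or e.get("prev") != prev or digest_entry(body) != e.get("hash"):
                return False, i
            prev = e["hash"]
        return True, -1

    def head(self) -> str:
        """Hash of the latest entry; note it out of band (e.g. in the team's minutes)."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def export(self) -> str:
        return json.dumps({"incident": self.incident_id, "entries": self.entries}, indent=1)

    @classmethod
    def load(cls, text: str) -> "IncidentResponseLog":
        data = json.loads(text)
        return cls(data["incident"], data["entries"])


if __name__ == "__main__":
    # Constructed incident identifier and entries, for illustration only.
    log = IncidentResponseLog("INC-EXAMPLE-01")
    log.record("duty analyst", "confirmed firewall alert as a denial of service attempt",
               "incident confirmed, response process initiated", at="2007-08-14T02:20:00+00:00")
    log.record("duty manager", "approved blocking the offending source range at the firewall",
               "traffic dropped, service restored", at="2007-08-14T02:35:00+00:00")
    print("intact:", log.verify(), "head:", log.head())
    tampered = IncidentResponseLog.load(log.export())
    tampered.entries[0]["outcome"] = "no incident found"
    print("after editing entry 0:", tampered.verify())
```

verify() catches an edited entry, an entry whose hash was recomputed after editing (the next entry's prev no longer matches) and an entry removed from the middle (the sequence numbers skip). What it cannot catch on its own is truncation of the most recent entries, which is why head() exists: recording the current head hash somewhere outside the log, such as in the Incident Response Team's meeting minutes, lets a reviewer confirm the log produced later is the complete one.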

Incident Response Team

The Incident Response Team is responsible for managing the organisation’s response to an incident and how the organisation interacts with third parties such as law enforcement agencies, regulatory bodies, customers, employees and the media.

The team should be made up of a number of people with knowledge and skills in different areas. It may be necessary to source certain skills externally to the organisation. For example, forensic gathering skills are not commonplace and are often better sourced from vendors who specialise in this area. If this is the case then a formulated process should be in place to ensure that the resource is available when required.

The Incident Response Team should also have the full backing and support of Senior Management. This should include giving the Incident Response Team the autonomy and authority to make decisions and carry out actions in the absence of senior management during a critical incident.

Typically an Incident Response Team will be made up of representatives of the following:

o IT Security
The core team members will be those from the IT Security team as they are the most knowledgeable with regards to managing and dealing with computer security incidents.

o IT Operations
As the operations team is very often the first line of defence/detection of incidents, either via monitoring tools or from reports to the support desk, it is essential that this team is represented on the Incident Response Team.

o Physical Security
While IT Security is arguably still in its infancy, the world of physical security has been around for a much longer time. A lot of experience and knowledge gained in the physical world can be applied to the virtual world. In addition, it may be necessary to involve the physical security team in the response to an incident where there has been physical access to compromised systems.

o Human Resources
It is essential that a representative from the Human Resource team is involved in the Incident Response Team to ensure that processes and procedures comply with good Human Resource practice and do not impinge on industrial relations. The result of an incident response may be to discipline a staff member for breach of the organisation’s acceptable usage policy and this will require the Human Resource team’s input to ensure due process.

o Legal Department
As with the Human Resource department, it is imperative that legal advice is taken both during the development of the processes and procedures and in the response to serious incidents.

o Public Relations
How information is communicated to the public, customers, partners, shareholders and press is a unique skill and one that is necessary to ensure the correct amount of information is disclosed at the right time to the right people.

o External Expertise
There will be times when, due to the nature of the information security incident, external expertise will be required. For example you may need external expertise in computer forensics or criminal investigations if those skills are not available in-house.

Note: depending on the seriousness and impact of an information security incident it may be necessary to mobilise all or only part of the Information Security Incident Response Team.

Once the Incident Response Team is in place it should:

o Develop/review the processes and procedures that must be followed in response to an incident.

o Develop/review guidelines for incident classification. This should not be solely the responsibility of the Incident Response Team but must involve the business owners responsible for the systems and data being protected.

o Manage the response to an incident and ensure that all procedures are followed correctly.

o Review incidents to determine what lessons can be learnt and what process improvements may be required.

o Review changes in legal and regulatory requirements to ensure that all processes and procedures are valid.

o Review intelligence data such as information from log files, results from automated incident responses, third party websites and industry seminars to determine trends and changes in the IT security landscape and where future incidents could originate.

o Review and recommend technologies to manage and counteract incidents.

o Establish relationships with the local Law Enforcement Agency and the appropriate government agencies.

o Establish relationships with the Incident Response Teams within key partners and key suppliers, such as the company’s ISP.

The Incident Response Process

When an incident is reported the steps below should be followed:

Incident Recording

Details of the incident should be recorded accurately. The information gathered should include:

o The date and time the incident occurred.
o The date and time the incident was detected.
o Who/what reported the incident.
o Details of the incident including:
  o A description of the incident
  o Details of the systems involved
  o Corroborating information such as error messages, log files, etc.

Incident Notification

In order to ensure an effective and appropriate response to a potential information security incident the Information Security Manager should be contacted immediately and given the details of the incident.

should then evaluate the incident and determine whether it should be treated as an Information Security incident or whether it should be referred to the support desk and handled as a normal service incident.

The Information Security Manager should then escalate and notify the appropriate members of the team according to the classification of the incident.

Incident Classification

In order to ensure that incidents are responded to in a structured manner it is essential that the Information Security Manager classifies incidents into the appropriate levels so that high priority incidents can be responded to more quickly than incidents of lower priority. It should be noted that, based on additional information gathered during the response to an information security incident, the classification of an incident can be changed appropriately.

The severity of the incident does not alone impact the classification. The potential target also impacts the classification. A rejected access attempt to sensitive data will have a higher event classification than a rejected access attempt to non-sensitive systems, for example unauthorised access to a staff member’s home directory may be classified with a lower priority than unauthorised access to the payroll system.

Classifying information security incidents will depend on a number of factors such as:

o The nature of the incident.
o The criticality of the systems being impacted.
o The number of systems impacted by the incident.
o The impact the incident can have on the organisation from a legal and/or public relations point of view.
o Legal and regulatory requirements.

Classification: High
Explanation: An incident poses an immediate threat to all systems, the exposure of critical or sensitive systems, may result in criminal charges, regulatory fines or may result in undue bad publicity for the organisation.
Examples:
• Network wide Virus/Worm outbreak
• Active External/Internal unauthorised access to systems
• Compromise of information resulting in serious data disclosure
• Serious breaches of the organisation’s Acceptable Usage Policy

Classification: Medium
Explanation: An incident poses a threat to a limited number of systems, may compromise non-critical or non-sensitive systems or involves a time critical investigation into a staff member’s activities.
Examples:
• In-active External/Internal unauthorised access to systems
• Localised Virus/Worm outbreak
• Breach of the organisation’s Acceptable Usage Policy

Classification: Low
Explanation: An incident poses no immediate threat to systems.
Examples:
• Failure to download anti-virus signatures
• Request to review security logs
• Minor breaches of the organisation’s Acceptable Usage Policy
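As an added illustration of the classification rules above (not code from the article), the following Python encodes the High/Medium/Low table together with the target-sensitivity rule (a rejected attempt on a home directory ranks below the same attempt on the payroll system) and shows a classification being raised when new information arrives during the response. The attribute names and the sample incidents are constructed for the example.

```python
from dataclasses import dataclass, field, replace
from enum import Enum
from typing import List, Optional, Tuple


class Priority(str, Enum):
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"


@dataclass
class Incident:
    """Facts the Information Security Manager has at notification time (constructed schema)."""
    description: str
    incident_type: str                  # "malware", "unauthorised_access", "aup_breach",
                                        # "staff_investigation" or "operational"
    scope: str = "single"               # "single", "localised" or "network_wide"
    access_active: bool = False         # unauthorised access: is the intruder still active?
    target_sensitivity: str = "low"     # "low", "sensitive" or "critical"
    data_disclosed: bool = False        # information has actually been exposed
    legal_or_pr_exposure: bool = False  # criminal charges, regulatory fines, bad publicity
    aup_severity: Optional[str] = None  # "minor", "breach" or "serious"
    history: List[Tuple[str, Priority]] = field(default_factory=list)


def classify(inc: Incident) -> Priority:
    """Map an incident onto the article's High / Medium / Low table."""
    # --- High: immediate threat to all systems, critical/sensitive exposure, legal or PR fallout
    if inc.scope == "network_wide":                       # network-wide virus/worm outbreak
        return Priority.HIGH
    if inc.incident_type == "unauthorised_access" and inc.access_active:
        return Priority.HIGH                              # active external/internal access
    if inc.data_disclosed and inc.target_sensitivity != "low":
        return Priority.HIGH                              # serious data disclosure
    if inc.legal_or_pr_exposure or inc.aup_severity == "serious":
        return Priority.HIGH
    if inc.incident_type == "unauthorised_access" and inc.target_sensitivity == "critical":
        return Priority.HIGH                              # target rule: e.g. the payroll system
    # --- Medium: limited number of systems, non-critical targets, staff investigations
    if inc.incident_type == "unauthorised_access":        # inactive / rejected attempt
        return Priority.MEDIUM
    if inc.incident_type == "malware":                    # localised outbreak
        return Priority.MEDIUM
    if inc.incident_type == "staff_investigation" or inc.aup_severity == "breach":
        return Priority.MEDIUM
    # --- Low: no immediate threat (failed AV update, log review request, minor AUP breach)
    return Priority.LOW


def reclassify(inc: Incident, reason: str, **new_facts) -> Incident:
    """Return an updated incident; the previous priority is kept in the history
    so the tracking record shows why the classification changed."""
    previous = classify(inc)
    updated = replace(inc, **new_facts)
    updated.history = inc.history + [(reason, previous)]
    return updated


if __name__ == "__main__":
    # Constructed walk-through of the rules above.
    home_dir = Incident("rejected login to a staff member's home directory",
                        "unauthorised_access", target_sensitivity="low")
    payroll = Incident("rejected login to the payroll system",
                       "unauthorised_access", target_sensitivity="critical")
    print(classify(home_dir).value, classify(payroll).value)          # Medium High
    escalated = reclassify(home_dir, "auth logs show the session succeeded",
                           access_active=True)
    print(classify(escalated).value, escalated.history)               # High [...]
```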

Incident Tracking

Throughout the lifetime of the information security incident it is important that accurate records are taken of each action taken and the consequences of each action. This is important from a number of points of view:

o To aid in the ongoing troubleshooting and diagnosis of the issue.

o In the event the incident results in a criminal or civil case, the accurate recording of events may be submitted as evidence regarding the investigation.

o In the event the incident results in a staff disciplinary case, the accurate recording of events may be submitted as evidence regarding the investigation.

o For post-mortem diagnosis of the incident to determine potential areas of improvement within the processes and procedures relating to information security incident response.

Once the information security incident has been classified the method of tracking the issue needs to be carefully considered. If the network has been compromised it is likely that the attacker may have access to all systems within the organisation and therefore could be alerted that a response is underway and take evasive, elusive and/or destructive action. Therefore thought should be given as to whether or not information security incidents classified as “High” should be recorded within the normal helpdesk system or be tracked using alternative methods such as manual recording or using a standalone system not connected to the network.

During the information security incident all actions should be documented, time recorded and signed. If not already notified, notify the Support Desk with details of the information security incident.
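An added example, not from the article, of the “documented, time recorded and signed” requirement: a chained HMAC log in which each action entry covers the previous entry’s tag, so that verify() detects an entry that was later edited, deleted or reordered; it also stores the SHA-256 of secured original media so that the working copies the Eradication section calls for can be checked against the original. The team key, the incident identifier and the sample log line are constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed placeholder; the real key stays with the team, off the possibly compromised network.
TEAM_KEY = b"placeholder-incident-response-key"
GENESIS = "0" * 64  # "previous tag" for the first entry


def _entry_tag(key: bytes, entry: dict) -> str:
    """HMAC-SHA256 over the canonical JSON of an entry, excluding its own tag field."""
    body = {k: v for k, v in entry.items() if k != "tag"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class IncidentLog:
    def __init__(self, incident_id: str, key: bytes = TEAM_KEY):
        self.incident_id = incident_id
        self._key = key
        self.entries: List[dict] = []

    def record(self, actor: str, action: str, when: Optional[datetime] = None,
               evidence: Optional[bytes] = None) -> dict:
        """Append a timestamped, signed action. If evidence bytes are supplied (an image of
        original media, a log file) their SHA-256 is stored so copies can be verified later."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "incident": self.incident_id,
            "seq": len(self.entries),
            "time": when.isoformat(),
            "actor": actor,
            "action": action,
            "prev": self.entries[-1]["tag"] if self.entries else GENESIS,
            "evidence_sha256": hashlib.sha256(evidence).hexdigest() if evidence is not None else None,
        }
        entry["tag"] = _entry_tag(self._key, entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every tag and the prev-chain; return (ok, seq of the first bad entry)."""
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != expected_prev:
                return False, i                      # deleted, inserted or reordered entry
            if not hmac.compare_digest(_entry_tag(self._key, e), e["tag"]):
                return False, i                      # contents edited after signing
            expected_prev = e["tag"]
        return True, None

    def copy_matches_original(self, seq: int, copy: bytes) -> bool:
        """Check a working copy against the digest recorded when the original was secured."""
        recorded = self.entries[seq]["evidence_sha256"]
        return recorded is not None and hmac.compare_digest(
            recorded, hashlib.sha256(copy).hexdigest())


def demo() -> dict:
    """Constructed walk-through: record three actions, check a copy, then tamper and detect."""
    log = IncidentLog("IR-EXAMPLE-0001")
    t0 = datetime(2007, 8, 1, 9, 15, tzinfo=timezone.utc)
    # Constructed sample of the original log file that was secured.
    original_log = b"Aug  1 09:10:02 srv01 sshd[412]: Accepted password for admin from 10.0.0.5\n"
    log.record("ISM", "Incident notified by support desk; classified High", t0)
    log.record("IR team", "Original auth.log imaged and secured", t0, evidence=original_log)
    log.record("IR team", "srv01 isolated from the network (containment)", t0)
    intact, _ = log.verify()
    copy_ok = log.copy_matches_original(1, original_log)
    bad_copy = log.copy_matches_original(1, original_log.replace(b"admin", b"guest"))
    # Someone later rewrites the containment entry in place.
    log.entries[2]["action"] = "srv01 rebooted (containment)"
    tampered_ok, first_bad = log.verify()
    return {"intact": intact, "copy_ok": copy_ok, "bad_copy": bad_copy,
            "tampered_ok": tampered_ok, "first_bad": first_bad}


if __name__ == "__main__":
    print(demo())
```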

Depending on the scale, impact and duration of the information security incident consideration should be given as to whether additional resources may be required on the organisation’s support desk to deal with client queries. For example a prolonged incident may result in the loss of business critical services which may result in a higher volume of calls to the support desk.

Response

The type of information security incident will determine the way that the information security response team will handle the incident. Standard operating procedures should be developed and tested by the Incident Response Team. These standard operating procedures should cover incidents such as:

o Malware/Computer Virus infection
o External unauthorised access to systems
o Internal unauthorised access to systems
o Theft of computer equipment and related data.
o Discovery of illegal content on the organisation’s information processing systems.
o Serious breach of the organisation’s Acceptable Usage Policy.
o Minor breach of the organisation’s Acceptable Usage Policy.
o Defacement of the organisation’s website.
o Denial of Service Attack on the organisation’s information processing systems, e.g. Internet connection.
o Email Flood Attack on the organisation’s information processing systems.
o Compromise of information processing services belonging to third party partners, e.g. ISP, supplier, hosting provider.
o Disclosure of confidential information.

The above procedures should be constantly reviewed and tested for their efficiency and new standard operating procedures implemented when and where required. It should be noted that from time to time information security incidents may occur that fall outside the scope of the above standard operating procedures and as a result they will need to be managed in an ad hoc fashion.

Regardless as to whether an information security incident falls within the scope of existing standard operating procedures or not, the following are the main steps within the process;

Containment

Containment involves limiting the scope and impact of the information security incident. This is particularly applicable when responding to information security incidents as a result of malware, such as a virus, due to the ability of such software to spread rapidly.

The Information Security Manager and/or the incident response team should decide on how best to contain an incident. This decision will need to be taken with the objectives of preventing further systems compromise, allowing adequate time and resources for investigating the incident, while at the same time restoring the systems to operational status as soon as possible.

The team should also have full authority to conduct whatever actions they deem necessary to contain the incident up to and including putting critical services and applications offline.

Eradication

Eradicating an incident entails identifying and removing the root cause of the information security incident. Simply restoring a system to operational status without identifying the root cause of the compromise may result in the information security incident recurring at a later stage.

It is important to gather whatever evidence is available in a forensically sound manner. This means ensuring all steps and actions are clearly documented, with original media and log files digitally signed and stored securely to prevent tampering. All investigations should be conducted on verified copies of the original media and log files. It may be necessary to engage external expertise to conduct the forensic investigation.

Recovery

Recovery means restoring the system(s) to their normal operational status. This may require restoring system(s) from backups or reinstalling from known and certified original media. Part of the recovery process should ensure that the integrity of the backup being used for the restore operation has been thoroughly verified and that the restore operation was successful.

Communications

Throughout the information security incident it is essential that appropriate communications are maintained. This includes communicating to the appropriate IT and business management levels on the impact and progress of the incident.

During an information security incident it is essential that confidentiality is maintained throughout the incident’s lifecycle. In the event of a high priority incident no communication should occur over existing information systems, such as email, as they may be compromised and alert the attacker to the investigation.

In addition, the nature of the incident may require that confidentiality be maintained, as it may involve a criminal case, the disciplining of a staff member or be publicly embarrassing to the organisation.

Where possible, information on information security incidents should be shared on a strict need to know basis only. Ideally all updates from the Incident Response Team to those outside the team should come only from the Information Security Officer.

From time to time it may be necessary to communicate with external parties during or as a result of an information security incident. The following are the main contact points and how they should be handled:

Press enquiries

All press and media enquiries should be strictly handled by the organisation’s PR department. No other member of staff should comment to media or press enquiries regarding any information security incident.

Law Enforcement

It may be necessary to instigate criminal proceedings as a result of an information security incident. This could be due to criminal activity conducted by users within the organisation or the requirement to prosecute an external unauthorised attacker. The decision to proceed with a criminal case should be made by the Senior Management in consultation with the legal department.

Third Party Partners

Depending on the nature of the information security incident it may be necessary to contact third party partners and suppliers to alert them of the incident. This may be as a result of the investigations into the incident identifying the source of the incident as being one of those companies, or requiring assistance from those companies to investigate or eradicate the incident.

For example an attack on the organisation’s Internet connections may require the assistance of the providing ISP in dealing with the attack. In the main, these types of communications should be at an operational level and ideally relationships should be established previous to any incidents to ensure an effective response.

Public

Similar to press enquiries, all public enquiries regarding an information security incident should be dealt with by the Press Officer.

Depending on where the organisation conducts business, legal and/or regulatory requirements may require that affected customers are notified of the breach. The decision to contact customers should be made by the Senior Management in consultation with the legal department.

Staff

It is important that appropriate levels of communication are maintained with staff during an incident, notwithstanding the requirements for maintaining confidentiality. This is particularly important when the incident involves the investigation of a staff member. In such a case it is extremely important that the suspected staff member’s privacy and rights are maintained at all times. The Human Resource department will play a key role in this regard.

Information security incidents that impact directly on the availability of production systems will need to be managed in such a way as to keep impacted staff updated as to when the systems are likely to be restored, while at the same time maintaining any necessary confidentiality.

Management

Depending on the severity and the impact of the information security incident senior management may need to be made aware and kept updated on the progress of the issue. Where possible the escalation tree for the Information Security incident should be the same as that used for all service issues.

Legal

Depending on the nature of the incident and whether it will involve a criminal prosecution or staff disciplinary proceedings, regular contact should be maintained with the legal expertise within the Incident Response Team to ensure that the most appropriate steps are taken.

Integration with Other Processes

Due to its nature, the Information Security Incident Response Process should be tightly integrated with other existing processes such as:

o Change Management Process
o Service Incident Management Process
o Disaster Recovery Management Process

Post Information Security Incident Review

Subsequent to any information security incident a thorough review of the incident should occur. The purpose of this review is to ensure that the steps taken during the incident were appropriate and to identify any areas that may need to be improved. Any recommended changes to policies and/or procedures should be documented and implemented as soon as possible.

Reporting

In order to improve the Information Security Incident Response Process it is essential that accurate records are kept of the change requests and reviewed accordingly. Monthly reports reflecting the following should be produced:

o Number of information security incidents submitted, broken down by priority.
o Number of information security incidents submitted, broken down by type.
o Number of information security incidents resulting in service requests.

ooo

CSI Calendar 2007

CSI-National Events

August 2007
National Conference on Recent Trends in IT (NCRTIT)
Division-II & CSI Chennai Chapter & IEEE CS, Madras Chapter
Host : B.S.A. Crescent Engg. College, Chennai
Date : August 22, 2007
For details contact: Ms. Latha Tamilselvan, Phone: (044) 22571374-50, Email: [email protected]

October 2007
National Conference on Service Oriented Architecture (SOA-2007)
Region-V & Division-II
Host : Sriji College, Maddiralapadu, Ongole, AP
Date : 14th October, 2007
For details contact: Dr. T Lakshmi, Chairperson, Sriji-Ongole, Email: [email protected]

National Conference on Computer Vision, AI & Robotics (NCCVAIR-07)
SIGAI, Div-II, CSI Chennai Chapter & IEEE CS, Madras Chapter
Host : School of CSE, SRM University, Chennai
Date : 3-6 October, 2007
For details contact: Prof. S S Sridhar, Tel.: 98405 17356, Email: [email protected]

November 2007
Telemedcon 07
Date : 2-3 Nov 2007, Chennai
For details contact: Prof. K Ganapathy, Chairman, OC, Telemedcon 07, Tele Fax: 91-44-2829 5447, Email: [email protected]
R Mohan, Chairman, Div-II, CSI, [email protected]
Dr. C R Chakravarthy, Chairman, Div-IV, CSI, [email protected]

CSI-2007 Annual Convention
Host : Bangalore
Theme : GenNext India - Harnessing the Power of IT
Date : 28th Nov.-1st Dec., 2007
Venue : Bangalore
For details contact: Mr. Iqbal Ahmed, Organizing Committee Chair, Phone: 91-80-22860461, Email: [email protected]

CSI National Students Convention
Host : CSI, Bangalore Chapter, during CSI-2007
Theme : “GenNext India - Future Minds”
Date : 29th November, 2007
For details contact: Prof. Shantharam Nayak, Event (NSC) Co-chair, Email: [email protected], [email protected], Phone: 91-80-22860461

December 2007
CSI-SIGeGov announces the 5th International Conference on E-Governance
Host : CSI-Special Interest Group on E-governance (CSI-SIGeGOV)
Date : 28-30 December 2007, Hyderabad, India
For details contact: Dr. Ashok K. Agarwal, Email: [email protected]

S Mahalingam
Vice President & Chair, Conference Committee, CSI

CSI-Regional Students Convention

August 2007
CSI Region VII Students Convention
Organised by: CSI Thanjavur Chapter and Periyar Maniammai College of Technology for Women, Vallam, Thanjavur
Theme: “Multi Media and Internet Technologies”
Date: 2nd & 3rd August, 2007
For details contact: Prof. D. Kumar, Organizing Chair, E-mail: [email protected]
K Ramar, RSC-VII, Phone: 04632222502, E-mail: [email protected]

February 2008
CSI Regional Students Convention
Organised by CSI, Ahmedabad Chapter and Changa Institute of Technology, Changa, Distt. Anand, Gujarat
Date : 8th and 9th February, 2008
For details contact: Prof. S G Shah, RVP Region 3, CSI, Email: [email protected], [email protected], Phone : 91-2697-247500, 91-079-2656 8076

Bipin Mehta, National Student Coordinator, CSI
S Mahalingam, Vice President, CSI and Chairman, Conference Committee


Cyber Crime : A Criminological and Victimological Paradigm
Dr. R Thilagaraj* & Dr. S Latha**

*Professor & Head, Department of Criminology, University of Madras, Chennai 600 005. Email: [email protected]
**Faculty, Department of Criminology, University of Madras, Chennai and Secretary, Indian Society of Criminology. Email: [email protected]

Cyber crime has various definitions, which are discussed all over the world. Crimes against the computer system or accessing, denying, destroying or manipulating the information in the system, and crimes committed with the use and abuse of computers, are categorized as a few aspects of cyber crime. Abuse of the internet for criminal activities, whether by white collar criminals, professional criminals, organized criminals or terrorist groups committing crime through the internet, also comes under the purview of the definition of cyber crime. When legally defined, any violation of criminal law that involves knowledge of computer technology for its perpetration, investigation or prosecution is also a cyber crime. Finally, crime committed using a computer and the Internet to steal or sell personal identity, sell contraband, stalk victims, disrupt operations or distribute malevolent programmes could all form part of a comprehensive definition of cyber crime.

Whatever the definitions said and written, cyber crime or computer crime involves modern technology. When it is discussed from the perspective of criminal justice, it is essential to understand the difference between the conventional type of crimes and crimes using modern technology. Strictly speaking the major differences are the ‘modus operandi’ to commit a crime and the ‘type of criminals’ who are involved in committing such a crime. The table below could give a generic idea about the same.

Cyber Crime Terminology                Conventional Crime Technology
Pornography                            Child Abuse / Pedophiles
Intellectual Property Crimes           Plagiarism
Impairing the security of a computer   Break-in / Burglary
Credit Card Frauds                     Frauds in Banks
Crimes Against Individual Identity     Impersonation

Almost all the forms of conventional crimes are committed using computers instead of the conventional modus operandi. In conventional types of crimes, studies have proved that the criminals are from a poor socio-economic background with a low educational level. But the cyber criminals are often elite, educated, employed persons with a technological background. Recent reports reveal that engineers with strong motivation are involved in terrorist activities. This paper attempts to understand cyber crime from criminological and victimological perspectives.

A Criminological Paradigm of Cyber Crime:

Emile Durkheim (1893), a French criminologist, stated that the conventional laws are unable to cope with modern crimes and hence there exists a situation known as ‘anomie’. Despite efforts by UNCITRAL at the international level and the Information Technology Act at the national level, the criminal justice system is unable to control and prevent cyber crimes. Incidences of cyber crime are increasing day by day. The cyber crime cells in the metro cities report that there is a sudden spurt in cyber crime reporting compared to previous years. But how many of them are investigated, detected, charge sheeted and finally convicted in the trial court remains a question. There is a big gap between the policy on cyber crime and the social reality of cyber crime.

Sutherland in his Differential Association Theory (1934) has given nine postulates on how a criminal behavior is learned. Probably all of them may apply to cyber criminals but one of them viz., the need for strong drive and motivation to learn crime applies strongly to cyber criminals.

The Opportunity Structure theory by Cloward and Ohlin (1960) states that it is not just the opportunity that motivates an individual to commit a crime but it is more of a situational opportunity that triggers the urge to commit a crime. In the case of cyber criminals too, both the opportunity to commit a crime and the motivation to do so are quite strong. But as far as cyber crimes are concerned, opportunities for criminals to escape from the clutches of law are due to a number of factors, the main being the fact that the offence is committed in one corner of the world and the victim is in another location. Hence it is easy to commit a cyber crime as there would be no witness to provide evidence in the court of law, at least in the traditional sense. When there was a bomb blast threat through e-mail to the Parliament of India and US Consulate in India (2005), the top brass of investigating police officers along with a team of cyber crime investigating experts from the Central Forensic Science Laboratory traced the computer system from which the e-mail was sent through the IP address and visited Tirunelveli, in the southern part of Tamil Nadu. They traced the system in the net café through which the criminal committed his offence, but it was difficult for them to trace the person who had committed the same as there is no foolproof mechanism to identify the exact user who committed the crime. Such limitations always motivate the cyber criminals and provide the opportunity to commit the crime.

An early work in the area of opportunities as a variable influencing crime comes from the work of Cloward and Ohlin (1959) who proposed opportunity theory through development of an opportunity structure that is attributable to such crimes. On a similar line, Clarke and Cornish (2000) in their rational choice theory synthesized and developed the rational choice theory with a main focus on the rationalization of pros and cons of any crime. Before committing a crime, the offender completely studies the target, i.e. the victim and his vulnerable situations, and the opportunities not only to commit a crime but also for escaping from the criminal justice process, including preventing a probable witness. The strongly motivated offender as pointed out by Sutherland is brought back in this theory of rational choice. The vulnerable situation of the victim coupled with the opportunity to commit the crime with reduced risk of being monitored and caught is often the main cause of any crime. As long as there is a weak target, absence of guardian, a motivated offender and clear opportunities to commit an offence with minimum risk of being caught, the probability of committing a crime is quite high. This applies to cyber crimes also.

The opportunity to commit crimes can be seen in a number of forms. It could take the form of attacking an information system and gaining advantage out of such an attack. The absence of adequate security and controls would by itself provide an opportunity to be exploited with relative ease; other opportunities could include using a cyber attack as part of a learning curve for launching attacks on more complex networks, the sense of social acceptance among peers and so on. As brought out by Subramaniam (2006), the differentiation as to whether the cyber attack was perpetrated by an outsider or an insider has a clear bearing on the kind of opportunity that has influenced the crime process. In the case of an insider perpetrating a cyber crime, it is fair to assume that the perpetrator’s proximity to the systems and a relatively better understanding of the system security parameters provides a better opportunity for committing the crime in comparison to the outsider who may not have ready access to system security parameter settings.

The availability of large numbers of freeware tools to launch a cyber attack on an information system from outside the network has resulted in the fading of any distinction between the insider and the outsider perpetrating an attack from an opportunity view point. A Google search in April 2007 for free hacking tools yielded 23.7 million websites as a result. This clearly reveals that enormous opportunities are available for perpetrators of cyber crimes to learn new and sophisticated methodologies.

The work of Hitchings (1995) establishes how the presence of an opportunity acts as a motivational factor for a person considering committing a crime. Forester and Morrison (1994) state that ‘experts on computer fraud attest to the fact that the opportunity, more than anything else, seems to generate this kind of behaviour’ while referring to the motivational impact of opportunity to commit cyber crimes.

If a target can be completely removed instead of simply being protected, even more effective results are possible. Where valuable targets like computers cannot actually be removed, an alternative strategy lies in reducing their attraction to thieves. For example cheque books were more attractive to thieves before the growth of the credit card systems. Proponents of the effectiveness of formal surveillance argue that potential offenders will be deterred by the threat of being seen and caught by police and private security agencies. In the case of cyber crimes, the perpetrator commits a crime either at his home or in his office or in a net cafe where formal surveillance is more or less absent. In other words, there is an absence of a guardian to prevent a cyber crime.

Gary Becker (1968) proposed that the potential offender calculates the opportunities of earning legitimate income, the amount of reward they offer, the amounts offered by illegitimate methods, the probability of arrest and the likely punishment. The basic principle behind punishment laid down by the classical school of criminology is well brought out by Jeremy Bentham, who stressed that the punishment should be sure, swift, effective and should outweigh the benefit obtained by the offence. In the case of cyber crimes, in addition to the opportunity, motivated offender and a suitable target, the certainty of getting caught and punished is very low, as the laws to prevent and punish are not quite stringent. In addition, law enforcement agencies in many countries are not equipped to detect and punish the criminals, mainly due to the technical intricacies involved.

[Figure: the crime triangle of Suitable Target (Victim), Motivated Offender and Absence of Guardian (security)]


Victimologists have held that in all crimes, the role of a victim in the crime process is clear and it is a contributory factor. To quote Hentig (1948) who propounded the concept of penal couple viz., the victim and the offender, the victim is always a cause of crime even if the crime is motivated for abstract reasons such as intellectual integrity, freedom of religion, public health, the safety of a nation. Going by Schafer (1997) all crimes necessarily have victims and where the victim creates the possibility of a crime to be committed, it is referred to as ‘victim precipitated crime’. The actions of the victims of cyber crimes have contributed significantly to the motivation to commit this crime but in many cases, the victim is unaware of its entire consequences.

These theoretical underpinnings help us to understand cyber crime from a new paradigm and to evolve an effective, modern and need based crime prevention process.

To conclude, cyber crime should be analysed and prevented not only from a technological perspective but should consider the following, based on various theoretical explanations of criminology and victimology:

• Offender Characteristics (Causes: psychological, social and economical, motive etc.)
• Victim Characteristics
• Target Hardening
• Effectiveness of the law enforcement agencies or private security agencies in preventing, detecting, presenting evidence before the Court of Law and punishing the offender.

References:

• Becker, Gary S. (1968), “Crime and Punishment: An Economic Approach”, Journal of Political Economy 76: 169-217.

• Clarke and Cornish (2000), “Rational Choice”, in R. Paternoster and R. Bachman (eds.), “Explaining Crime and Criminals: Essays in Contemporary Criminological Theory”, Roxbury Publishing Company, Los Angeles, CA.

• Cloward, R. (1959), “Illegitimate means, anomie, and deviant behavior”, American Sociological Review 24(2): 164-176.

• Cloward, R. & Ohlin, L. (1960), “Delinquency and opportunity: A theory of delinquent gangs”, Glencoe, IL: Free Press.

• Durkheim, Emile (1893), “The Division of Labour in Society”, translated by George Simpson (1947), New York: The Free Press.

• Forester, T. & Morrison, P. (1994), “Computer Ethics: Cautionary Tales and Ethical Dilemmas in Computing”, MIT Press, Cambridge, MA.

• Hentig, Hans von (1948), “The Criminal and His Victim”, New Haven: Yale University Press.

• Hitchings, J. (1995), “Deficiencies of the Traditional Approach to Information Security and the Requirements for a New Methodology”, Computers & Security 14(5): 377-383.

• Subramaniam, Rama K. (2006), “Cyber Crime: A Criminological, Victimological and Legal Perspective”, unpublished PhD dissertation, University of Madras, Chennai.

• Schafer, S. (1977), “Victimology: The Victim and his Criminal”, Reston, VA: Reston Publishing Co.

ooo

The five aspects of Information Security- Information Security Forum [http://www.isfsecuritystandard.com/index_ie.htm]


the construction work for the extension building started on 13th September, 2006 is currently in progress and expected to be completed by July / August 2007. Immediately after the extension building is ready the existing building will be vacated for carrying out major repairs.

Renewal of Lease of CSI’s plot at Taramani, Chennai : The 30 year lease agreement with the Tamilnadu Govt. is due for renewal in 2008 and preliminary steps have been initiated for renewal of the agreement.

Research Activity : ExecCom had approved on 22-11-2006 a scheme of R&D funding to help carry out minor research projects by Academicians / PG Students (Engineering Colleges and Technological Institutions) during 2006-’07. Details of the scheme were uploaded on the CSI Website. Of the 9 applications received, 6 projects have been approved for funding.

CSI Website: Mr Satish Babu briefed the ExecCom on the new CSI website project currently under implementation by M/s Sakshay, Delhi, who have already completed 90% of the coding, with the balance 10% involving interaction with HQ staff expected to be completed soon. In the new website all RVPs and Divisional Chairmen will have a page of their own which they can maintain individually. Also there is a prominent page linked to the Education Directorate. The basic difference between the existing and new websites is that in the existing one, any changes in the pages can be made only by an external vendor, whereas in the new website pages can be changed by CSI in house.

Dr. Ravi Chamria of M/s Sakshay gave a presentation on the new website project and gave clarifications to members’ queries.

Presentation of Certificates : President thanked all the outgoing members of the ExecCom for their unstinted support and cooperation during the year and presented them Certificates of Appreciation for their contributions.

President thanked Prof. K K Aggarwal for the excellent arrangements for the meeting. The meeting ended with a vote of thanks to the chair.

Priyalata Pal
Executive Secretary

Extracts of the Minutes of First ExecCom (2007-’08) held on 1st April, 2007 at Delhi

(Venue : Guru Gobind Singh Indraprastha University, Delhi)

Fifteen ExecCom Members, seven Special Invitees and one from the Secretariat attended the meeting.

Prof K K Aggarwal, President, called the meeting to order. He welcomed the ExecCom members and others present to the meeting.

President in his inaugural address touched upon various aspects of the Society, and in particular emphasised the need to increase membership and suggested that:

• There are over 4000 institutions in the country imparting technical education and we should target them for enrolment of their students and faculty. Initiate new measures to increase value addition to members.

• As we have an MOU with the Institution of Engineers, which has a large membership, we should endeavour to enrol their members as CSI members.

• Target large companies, especially those in the IT field, to enrol as institution members of CSI. Also enlist the support of some seniors in those companies to enrol their employees as individual members of CSI.

President stressed the need for RVPs to be more proactive and involve themselves fully in the activities of their Chapters since they are more familiar with the ground realities of their regions.

Formation of Statutory Committees: ExecCom discussed the formation of Statutory Committees and observed that most of the members are already defined in the bye-laws. ExecCom then authorised the President to notify the composition of these Committees after obtaining the concurrence of the persons nominated.

President has since finalized these Committees (see page 62).

Adhoc Committees: For acquisition of premises for Chapter offices, as hitherto, the Local Building Committee and the National Building Committee will be formed whenever needed, on the following basis.

Local Building Committee
i) Chapter Treasurer
ii) Chapter Secretary
iii) Regional Vice-President
iv) Chapter Chairman or Vice-Chairman
v) Co-opt any local ExecCom member
vi) Co-opt any other local experts

National Building Committee
(i) Hon. Treasurer, CSI
(ii) Any one of the other OBs of CSI (mainly on locational advantage)
(iii) Regional Vice-President (common link between two committees)
(iv) Co-opt a common ExecCom

The Local Building Committee to forward the complete proposal/ options for the premises identified for acquisition, to the National Building Committee which will forward its recommendations to the CSI Office Bearers who in turn will take a decision to be ratified further by the ExecCom.

ExecCom also decided that the following core committee appointed earlier for planning and construction of the extension building of CSI at Taramani, Chennai will continue as the building construction is currently under way.


Core Committee
Mr. Lalit Sawhney
Prof. C R Muthukrishnan
Dr. S Arumugam
Mr. P R Rangaswami
Mr. S Ram Mohan
Mr. G Ramchandran
Mr. H R Mohan
Mr. P Unnikrishanan
Mr. S Sudharssanam

The core committee will also have the responsibility to ensure renewal of the thirty-year land lease agreement with Tamilnadu govt, for the CSI plot at Taramani, Chennai. The lease agreement is due for renewal in 2008.

ExecCom nominated Mr Bipin V Mehta, Immediate Past Vice-President as the new CSI National Student Co-ordinator.

Based on the recommendations of the Regional Vice-Presidents concerned, ExecCom nominated the following as the Regional Student Co-ordinators.
Region – I : Mr. Shiv Kumar, New Delhi
Region – II : Mr. Sushantha Sinha, Kolkata
Region – III : Dr. Ashok Patel, Patan, Gujarat
Region – IV : Mr. Sree Kumar, Rourkela
Region – V : Mr. P S Basavaraju, Bangalore
Region – VI : Prof. Manoj Bharat Jhade, Nashik
Region – VII : Dr. K Ramar, Kovilpatti

Plans for the year :
a) Focus on increasing Associate and Student membership significantly.
b) Work on enhancing value addition to the membership as that will help in attracting new members also.
c) Every RVP should target to conduct at least 4 regional events.
d) Every Divisional Chair should target to conduct at least 4 Divisional events.
e) Increase student activities and encourage formation of new Student Branches.
f) Increase Education and Research activities.

SIG Activities : SIG-SE : Prof Pankaj Jalote, SIG-SE Chair, gave a presentation to the ExecCom on the status and plans of SIG-SE, formed a few months back. He mentioned that the SIG-SE committee will have 8 members, one of them from CSI (secy, or area head). Currently, the committee consists of the following well known researchers :
Prof Pankaj Jalote, IIT Delhi – Chair
Dr Gautam Shroff, TCS
Prof. Sanjeev Kumar, IIT Kanpur
Prof T V Prabhakar, IIT Kanpur
Dr Sriram Rajamani, Microsoft Research, Bangalore.

The focus of SIG-SE will be to promote research in Software Engineering in India through conferences, workshops, newsletters, tutorials etc.

The committee will consist of people who are / have been researchers (generally PhD with some research papers published), who are also willing to work and contribute to this activity which is really a professional contribution to SE in India.

CONSEG will be revived. The near term goal of SIG-SE is to organise one yearly conference, the first one of which will be tentatively in Feb. 2008.

Another objective is to get at least one good international conference a year to India, which SIG-SE will co-sponsor / host.

ExecCom appreciated the efforts of Prof. Jalote and his committee members.

SIG-eGOV : ExecCom considered infrastructure and other requirements of Dr Ashok Agarwal, SIG-eGOV Chair,

President requested that all RVPs should hold Regional Meetings of their Chapters to discuss and chalk out plan of activities for the year and communicate the same to CSI HQs at the earliest. As part of their commitments they should initiate membership drive in their respective regions and strive to significantly increase CSI membership.

Plans for Student Activities during 2007-’08 :

Mr. Bipin Mehta mentioned that some of the Student Branches are dormant and efforts will be made during the year to reactivate them.

A Student Branch Manual will be prepared soon and sent to all Student Branches.

Brochures and membership enrolment forms will be sent to educational institutions to enrol student members so as to increase the number of student members and Student Branches.

More effective use of our MOU with Microsoft will be made to benefit the students. Also, efforts will be made to collaborate with organisations like IBM, CSI etc for conducting student activities.

Prof. H R Vishwakarma has proposed a portal for CSI Adhyayan. Once the portal is ready CSI Adhyayan, without printing, can be brought out on quarterly basis for the benefit of students.

ExecCom decided that Mr. Bipin Mehta and Prof. H R Vishwakarma should function in close co-ordination and increase student activities. Also, the proposal for the portal for CSI Adhyayan was approved in principle. President requested members to send their suggestions on value addition to students so that a concept paper can be prepared for further discussion and consideration.

Plans for Educational Activities during 2007-’08 : Mr. S Sudharssanam briefly gave details of plans for the educational activities and mentioned that the National Standard Examinations on new modules approved by the Academic Committee, will be held during the year. Also SQTC examinations and other examinations will continue to be conducted and steps will be initiated to increase the response to these examinations.

Plans for Research Activities : It was agreed that the Society’s research activities need to be increased further and higher financial allocations be made for the purpose. ExecCom decided to form a Research Committee and authorised the President to identify and nominate suitable members.

Approval of Resolutions for new signatories for CSI bank accounts:

ExecCom approved the relevant resolutions authorising new signatories to operate the bank accounts of CSI.

Other items : CSI Certification : President briefed members on the discussions he had with Nasscom, which showed interest in CSI being a certifying agency for Nasscom. While on this, Mr Lalit Sawhney mentioned the proposal mooted by the CSI Academic Committee about one and a half years ago to start CSI certification of professionals. The certification will be on the lines of those being conducted by other societies like Singapore Computer Society, Australian Computer Society etc., but with some modifications to suit our requirements.

Mr. S Mahalingam expressed the view that certification involves serious issues which need to be considered and solutions found. Hence, he suggested formation of a committee at the earliest to consider the proposal and give recommendations.

b) CSI Elections for 2008-’09 / 10:

Dr. Rattan K Datta, Chairman, Nominations Committee put forward to the ExecCom the following plan of action :

1. Elections for the following elective posts for 2008-‘09/10 will be held through 100% electronic voting.

• President
• Vice-President cum President elect
• Secretary (NC proposed for one year for 2008-’09)
• Treasurer (NC proposal, 2008-’10)
• RVPs II, IV, VI & VIII (2008-10)
• Divisional Chairpersons II & IV for the period (2008-10)
• Nominations Committee for the period (2008-’09)

Call for nominations to appear in CSI Communications as well as on the website. Last date to receive nominations: 15th October, 2007.

Nominations Committee will meet on 1st November, 2007 and prepare the slate and present to ExecCom.

Process for election to be completed and the results communicated by December 31st, 2007.

Dr Datta suggested that Chapter elections for 2008-’09 / 10 should also be held electronically simultaneously with the national elections.

Members thanked the President for the excellent arrangements for the meeting and the hospitality extended. The meeting ended with a vote of thanks to the Chair.

Priyalata Pal
Executive Secretary

Statutory Committees of CSI for 2007-2008

1. Awards Committee
i) Mr. Lalit K. Sawhney, Chairman
ii) Mr. R.N. Lahiri, RVP-II
iii) Mr. H.R. Mohan, Div. Chair-II
iv) Dr. C.R. Chakravarthy, Div. Chair-IV

2. Academic Committee
i) Mr. Lalit K. Sawhney, Chairman
ii) Prof. K K Aggarwal, President
iii) Mr. S. Mahalingam, Vice President
iv) Prof. H.R. Vishwakarma, Div. Chair-V
v) Prof. R K Arora
vi) Prof. P Trimurthy
vii) Dr. S.S. Aggarwal

3. Finance Committee
i) Mr. Ajit Kumar Sahoo, Chairman
ii) Prof. K K Aggarwal, President
iii) Mr. S Mahalingam, Vice President
iv) Mr. Satish Babu, Hon. Secretary
v) Mr. Satish Doshi, Immd. Past Treasurer

4. Membership Committee
i) Mr. Satish Babu, Chairman
ii) Mr. M P Goel, RVP-I
iii) Prof. S.G. Shah, RVP-III
iv) Ms. Sudha Raju, RVP-V
v) Dr. S. Arumugam, RVP-VII
vi) Prof. Swarnalatha Rao, Div. Chair-I
vii) Mr. Deepak Shikarpur, Div. Chair-III
viii) Prof. H.R. Vishwakarma, Div. Chair-V
ix) Mr. S.R. Karode, Past Secretary

5. Publication Committee
i) Mr. S. Srinivasan, Chairman
Members:
ii) Prof. P.V.S. Rao
iii) Dr. T.V. Gopal
iv) Prof. P S Grover
v) Mr. H.R. Mohan
vi) Mr. Deepak Shikarpur
vii) Mr. P.R. Rangaswami
viii) Dr. Ashok Aggarwal
ix) Dr. M. Chandwani

7. Conference Committee
i) Mr. S. Mahalingam, Chairman
ii) Mr. Ajit Kumar Sahoo, Treasurer
iii) Dr. C R Chakravarthy, Div. Chair-IV
iv) Mr. Deepak Shikarpur, Div. Chair-III
v) Mr. H.R. Mohan, Div. Chair-II
vi) Ms. Sudha Raju, RVP-V

8. Disciplinary Committee
i) Mr. P.R. Rangaswamy, Chairman
ii) Mr. Satish Babu, Secretary
iii) Prof. Nupur Prakash

9. External Affairs Committee
i) Mr. H S Sonawala, Chairman
ii) Dr. Rattan Datta, Vice Chairman
iii) Dr. L M Patnaik
iv) Dr. S Ramani
v) Dr. C R Muthukrishnan
vi) Mr. R K Gupta
vii) Dr. Yogesh Singh

10. Research Committee
i) Prof. A K Pathak, Chairman
ii) Prof. Swarnalatha Rao
iii) Prof. H R Vishwakarma


From CSI Chapters

Allahabad

A lecture programme on “Free/ Open Source Software (FOSS)” was organized by the Chapter on July 28, 2007 at UPTEC Library Hall. Mr. D K Dwivedi, Chapter Chairman, welcomed the Chief Guest, Speaker and other participants. Dr. K K Bhutani, Fellow, CSI gave a brief introduction about the CSI and its aims & objectives.

Dr. Srinivasan of the National Resource Centre, Anna University - Knowledge Based Computing Research Centre, Chennai delivered a presentation about Free/ Open Source Software, the Open Source foundation, case studies of Open Source initiatives by developing countries, FOSS systems, tools and applications, some common commercial software and their equivalent FOSS options, and the activities of NRCFOSS.

Hon’ble Justice Dilip Gupta speaking as Chief Guest on the occasion

The programme was attended by a large number of participants from academia and industry, including office bearers and managing committee members, other professional and student members of the Chapter. Mrs. Shailaja Gupta, Vice Chairman, conducted the programme and the vote of thanks was given by Mr. S D Chaubey, Chapter Secretary.

Bangalore

An evening talk on “Risks in the Digital Age” was held at the Chapter premises on 4th June 2007. About 35 members attended this talk. Mr. T.S. Sabapathy, immediate Past Chairman, CSI-BC welcomed the speaker and the members present and also introduced the speaker, Dr. Partha Dasgupta, Dept. of Computer Science, School of Computing and Informatics, Arizona State University. Dr. Partha Dasgupta’s core areas of expertise are Computer Security, Operating Systems and Distributed Computing. His current research focus is the use of cryptography and secure software systems to provide security and dependability of consumer computing.

Dr. Partha mentioned that the Internet for the masses was deployed about 9 years ago. Internet security measures have been phased in over the next 3-4 years and today consist of a plethora of measures from SSL/IPSec to firewalls and antivirus software. Yet the e-commerce infrastructure is totally insecure from viruses, phishing attacks, scams, pharming, rootkits and a variety of insidious methods. Identity theft and financial embezzlement are increasing at an alarming rate.

The talk was well received and the audience appreciated the same. Dr. Sateesh Kannegala thanked the speaker and the audience for attending the talk.

Chandigarh

The Chapter organized its Annual General Body Meeting on July 14, 2007 in the CSIO Sector 30 campus. Around 20 corporate members attended the meeting. Director Pawan Kumar was also present at the AGM. A lecture on “Free/open source software: An Innovative Model” by Dr. Anu Gupta, Sr. Lecturer, Deptt. of Computer Science & Applications, Punjab University was also organized on this occasion.

A new student branch at UIET, Punjab University has taken shape with a strength of nearly 150 students.

expressed that the Indian Judiciary is in urgent need of re-engineering its processes, optimizing the use of its human resources, and bringing about change management by harnessing the potential of the available Information and Communication Technology to its fullest extent. The objective of this exercise is to enhance judicial productivity both qualitatively and quantitatively, as also to make the justice delivery system affordable, accessible, cost effective, transparent and accountable. Similar objectives have been achieved in other parts of the world by use of technology, but in India, though its manpower is known for its technology expertise, the benefits of Information and Communication Technology could not be fully explored and utilized in public service sectors like the judiciary and other organs of the State.

Allahabad : (L-R) Mr. D K Dwivedi, Chapter Chairman, welcoming the Chief Guest and other participants on the occasion, Mr. A K Mehrotra, Mr. Anil Kumar Gupta and Mr. Rajeev Saxena

Haridwar

On 17th May 2007, the Chapter organized a seminar on ‘Role Of Computers in Tool Engineering’ in the New Engineering Building Conference Hall, BHEL Haridwar.

Welcome address was delivered by Chapter Chairperson, Mrs. Geeta Bhatnagar.

Seminar was presented by guest speaker Mr. R K Goyal, Sr. Manager, Tool Engineering, BHEL, Haridwar. In his presentation he mentioned about different kinds of tools and also how computerization in tool engineering has provided access to more information and more advanced decision aids.

The Seminar was attended by around 125 participants from different departments of BHEL.

The chapter also organized a one day lecture series for vocational trainees of various Institutes of India on June 26, 2007.

The lecture series was inaugurated by Mrs Geeta Bhatnagar. In the inaugural address she emphasised the use of computers in industry and its importance in increasing overall excellence.

In this lecture series Mr. Ajit Srivastava, BHEL Information Technology Department, delivered lectures on VPN, New and Emerging Technologies, Networking and How to convert Ideas into projects and systems. All the Vocational Trainees expressed the view that these lectures were excellent and useful for them.

Lucknow

The Chapter organized a visit to the U.P. Irrigation Department (UPID) Data Centre, Kanpur Road, Lucknow to apprise the CSI members regarding the working and need of a Data Center in their departments. Mr. Amitabh Tewari, Member MC, coordinated this event.

Mr. Anoop Misra, Asst. Engg. and Mr. M.A. Siddiqui, Admn. Officer welcomed the CSI members. Mr. Misra explained the need for such a data centre in the U.P. Irrigation Department. He said that UPID has approx 70000 employees and 550 offices in U.P. The department's computerization started in the year 1999 at EinC. For connection to the Data Center, 11 zonal offices have been connected with 2Mbps leased lines and the remaining with 64kbps leased lines. ISDN lines are used as backup lines. Comprehensive software having 26 modules is being developed.

Mr. Ashesh K. Agarwal, Hon. Secretary of the Chapter thanked the UPID Data Centre team and members. Mr. Anil Srivastava, Mr. Harish Gupta were also present.

Pune

Mr Suresh Katta, CEO, Saama Technologies was the chief guest for the CSI organized lecture meeting on ‘Trends in Business Intelligence’. This event was co-organised with Seed Infotech Ltd. The event was attended by over 100 IT professionals.

The main points discussed by Mr. Suresh Katta were : For all the business managers, data compilation, analysis and reporting remains the most important result area per quarter. The data compiled for Sales, Investments, Resource Cost, Maintenance charges and expenses, gives the guidelines for planning, forecasting and taking corrective actions.

These days a number of tools and software are being used to analyze and report, based on the collated data, and the tools have to perform functions ranging from - Business activity monitoring to Supply Chain Management; from Finance & Budgeting to Decision Support Systems (DSS) and forecasting, to be precise, the entire set of functions that come under Business Intelligence.

This has therefore led to the increase in the demand for niche companies that could provide software and services for Business Intelligence; this has therefore resulted in the increase in the requirement for trained professionals in this area.

The market dynamics have created a demand for the much required industry – academia association to generate professionals in the Business Intelligence arena.

There was a concern expressed at different forums in CSI and SEAP about the gap between Academics and Industry. Discussions were held with many academicians and industry experts to know their views and suggestions about bridging this gap. Many suggestions and ideas came out as part of these discussions but one common concern which was expressed by all the colleges was – Faculty do not have industry exposure and it will help if some interaction between faculty and industry experts is started. With this in mind, the chapter thought of focusing on Faculty Training Program conducted by the Industry Experts.

Discussions were held with Board of Studies members of Pune University and we identified “Software Architecture” as the subject in which immediate inputs were required, as this was the new subject introduced by the University. Dr. Anand Deshpande of Persistent Systems, who is also our Past Chairman and Patron, came forward to support this training.

Chandigarh : Dr. Pawan Kapur, Director CSIO, chairing the AGM of CSI Chandigarh Chapter.

The annual event of the Chapter was InCSights-2007 conducted on 15th and 16th of June 2007.

A half day workshop – XP boot camp was organized on the 15th at NIA. It was an extremely participative workshop on extreme programming and Agile methodology.

About 45 professionals registered and participated in this event.

The main program was on the 16th. This was a full day program conducted at Le Meridian. About 120 people registered for the event spanning across 25 IT companies.

The sponsors for the event were Persistent Systems Pvt. Ltd., KPIT Cummins, Verisoft, Bladelogic and I2IT.

Tiruchirappalli

The Chapter organized a Lecture Programme on “Biometric for Personal Identification” in association with The Institution of Engineers (INDIA), Tiruchirapalli Local Centre (IEI-TLC).

The Speaker explained the importance of “Biometric for Personal Identification” with relevant examples.

Biometrics is found to be one of the important research domains of Computer Science and Engineering and attracts huge attention from academia and industry. Biometrics is effectively used in Personal Authentication Systems (PAS), which uniquely identify an individual. The application areas of biometric based authentication systems are entry into protected areas, baggage management systems in airports, attendance audit systems, etc.

Conventionally, textual and alphanumeric strings have been used for authorizing users, and such strings are called passwords. However, passwords are easy to break, since the typical patterns of characters used as passwords can be inferred easily. In addition, there is a good chance that passwords can be stolen from diaries or other similar documents. Further, if one user needs to maintain a large number of passwords, there is a possibility of mixing them up. Thus, biometrics can be effectively used in personal authentication systems, being robust, invariant with time and having a high identification factor.

About 45 participants attended and benefited from the Lecture.

Mr. R Selvaraj, Secretary, CSI Trichy Chapter welcomed the gathering.

The Chapter organized a Lecture Programme on “Career Guidance for Engineering Aspirants” in association with The Institution of Engineers Local Centre (IEI-TLC)

The Speaker explained the importance of the core branches of Engineering, namely Civil, Mechanical and Electrical. The other branches like Electronics & Instrumentation, Electronics & Communication Engineering, Computer Science, Production, Bio-Technology etc. are all offshoots of the core branches.

The session was followed by inputs from Dr. K Palanisamy, Prof. & Head, Dept of Civil Engg, NIT, Trichy and Dr. G Swaminathan, Professor, Dept. of Civil Engineering,NIT, Trichy

About 45 participants attended and benefited from the Lecture.

Trivandrum

On 19th July 2007 the Chapter, in association with Software Technology Parks of India, Thiruvananthapuram, organised a workshop on “The Role of Institutional Involvement in Human Resource Readiness: The current scenario and new trends” at Mascot Hotel, Trivandrum.

This one-day workshop had Prof. Tharappan as a key resource person. The workshop was attended by Placement Co-ordinators from IT related academia, industry and training schools.

On 23 June as part of the initiative to increase academic – industry interaction, the chapter conducted a project presentation on “e3ware - An Academic Governance Tool” by Vijay P. Sankar & Syam Madhav, B.Tech. Final Year Students, College of Engineering, Trivandrum at Symphony, Computer Society of India, Trivandrum.

On 27th June the chapter organized two programmes in association with IEI Kerala State Centre at The Institution of Engineers Hall, on “Systems Design for Space” by Mr. Sagar Vidyasagar, Senior Engineering Manager at Lockheed-Martin Co., USA and on “Science & Technology Education - India at Cross Roads” by Dr. T.R.G. Nair, Trivandrum. Both talks attracted a good audience from the respective industry.

On 30th June, the chapter in association with TechnoPark, IEEE Kerala Section and PMI Trivandrum Chapter organised a workshop on “Stress Management in IT Industry” at Travancore Hall, Technopark, Trivandrum, which was sponsored by Microsoft.

Tiruchirapalli : Dr A Vadivel, Assistant Professor, Dept. of Computer Applications, National Institute of Technology, Trichy delivering the lecture while a section of the audience looks on.

Trivandrum: Inauguration of the workshop on “Good programming: Skills & Practices” at Trivandrum

On 11th July, the Chapter in association with IEI Kerala State Centre organized a talk on “Good Programming: Skills & Practices” by Mr. Abbas K. Sutarwala, Former Senior Faculty, T.C.S. Corporate Learning Center and Consultant, at Institution of Engineers Hall.

On 12th July, a one-day Workshop on “Good Programming: Skills and Practices” was held at Hotel Residency Tower, organized by the Chapter in association with the IEEE Computer Society.

The workshop drew heavily on the rich experience of the instructor, Mr. Abbas K. Sutarwala, Life Member of CSI.

Student Branches

Dr. Mahalingam College of Engg., Pollachi

The MCET student branch invited the Country Manager of HP, Mr. Rajnikanth, to address the students on Upcoming Technologies in Networking.

Prof. Gowrishankar, HOD-Dept. of Information technology gave the welcome address and introduced the guest to the gathering.

Mr. Rajnikant emphasized the changing challenges in the field of Networking and the new technologies HP is focusing on, which include the Virus Throttling technique, the provision ASIC chip and the future NLAN architecture with coordinated wireless deployment. He also addressed the various emerging technologies in networking.

NEC, Kovilpatti

The Student Branch organized an Application Development Contest on 11.07.07 exclusively for final year B.E, B.Tech, and M.C.A students at the college premises.

Ms. R Leena Sri, Student Counselor explained the semantics of Application Development Contest. 10 student teams were selected for the final demos.

The students showed their innovation and creativeness through the packages they developed and inspired the audience. The jury panels were formed by experienced teaching faculty members headed by Mr. K G Srinivasagan, AP/CSE. He gave valuable suggestions to the participants as well as the audience.

Thiagarajar College of Engg., Madurai

The CSI Student branch organized a Paper Presentation Contest with the Theme Area “Information Security”. Ten papers were selected to be presented from the total abstracts received.

Mr. T Chandirasekar & Mr. N G Karthikeyan of III year CSE, who presented a paper on “An Analysis of cryptography and implementation of an encryption algorithm based on the results”, won the First Prize. Ms. R. Vimala and Ms. S Suganya of III Year CSE won the second prize and Ms. S. Meenu and Ms. S. Priyadarshini of III Year CSE won the third prize. This Contest was helpful in identifying students’ creativity and hidden talents.

ooo

Pollachi : (L to R) Ms. Sathyapriya, Mr. Rajinikanth, Prof. A Rathinavelu, Mr. Shankar

Thiagarajar College of Engg., Madurai : Judges at the Paper Presentation contest.

Published by Priyalata Pal for Computer Society of India at 122, TV Industrial Estate, S K Ahire Marg, Worli, Mumbai-400 030 and Website: www.csi-india.org and printed by her at GP Offset Pvt. Ltd., Mumbai 059. Tel. : 2850 7766 • Email: [email protected]

Licenced to Post Without Prepayment WEST-42 /2006-2008. Registered with Registrar of News Papers for India - RNI 31668/78. Regd. No. MH/MR/WEST-76-2006-08. If undelivered return to : CSI, 122, TV Indl. Estate, Mumbai - 400 030

