Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
CYBER SECUITY[AUC002]
Unit-3 contents
1. Security of assets and its need : AN INTRODUCTION
2. System Development life Cycle [SDLC] and its benefits.
3. Secure Information system Development
Integrating Security at INITIAL phase.
Integrating Security at DEVELOPMENT phase.
Unit-3 Integrating Security at IMPLEMENTATION phase.
Integrating Security at MAINTENANCE phase.
Introduction to 4.
Integrating Security at DISPOSAL phase.
Application Development Security
Security measures 5.
Information Security Governance and risk management
Risk Management process
6. Secure Architecture & design
Secure System Design.
Secure Hardware system architecture
Secure Operating system and software architecture.
7. Security issues :-
with Hardware.
With Data storage.
With Downloadable devices( peripheral device).
8. Physical security of IT assets.
9. Backup security measures.
4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 2
THETOPPERSWAY.COM
Security of Assets and its need:AN INTRODUCTION System Development Life Cycle [SDLC]
Definition of Asset Definition of SDLC
An Asset is resource, process, product, and computing infrastructure & so on , or something that an The multistep process that starts with the initiation, analysis, design, and implementation, and
organization considers important so as to be protected. continues through the maintenance and disposal of the system, is called the System Development Life
Need of Security of assets Cycle (SDLC).
For any SDLC model that is used, information security must be integrated into the SDLC to ensure
Every organization has resources ,hardware ,software ,people & information . So security of all
appropriate protection for the information that the system will transmit, process, and store.
these assets is required.
Applying the risk management process to system development enables organizations to balance
It is shown in survey that organizations those have better security measure ,generate more revenue requirements for the protection of agency information and assets with the cost of security controls and
& profit than other less secured organization. mitigation strategies throughout the SDLC.
If the backup get destroyed ,recovery of data will not happen.
Conclusion
It require proper planning & monitoring .
Secure Systems are developed by integrating risk analysis & management activities at
each level of SDLC.
So security measures are integrated at each level involving planning, development,
building & deployment of the system.
4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 3 4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 4
1
14-04-2015
System Development Life Cycle [SDLC]…… System Development Life Cycle [SDLC]……
Brief Explanation of each step of SDLC Brief Explanation of each step of SDLC
Step-1. Initiation Phase:- Step-4. Maintenance/Operations Phase:-
During this phase, the organization establishes the need for a system and documents its purpose. During this phase, systems and products are in place and operating, enhancements and/or
Security planning should begin in the initiation phase with the identification of key security roles to modifications to the system are developed and tested, and hardware and software components are
be carried out in the development of the system. added or replaced.
Requirements for the confidentiality, integrity, and availability of information should be assessed at
this stage. The organization should continuously monitor performance of the system to ensure that it is
consistent with pre-established user and security requirements, and that needed system modifications
Step-2. Development/Acquisition Phase:- are incorporated.
During this phase, the system is designed, purchased, programmed, developed, or otherwise
constructed. Step-5. Disposal Phase:-
A key security activity in this phase is conducting a risk assessment and using the results to During this phase, plans are developed for discarding system information, hardware, and software
supplement the baseline security controls. and making the transition to a new system.
The risk assessment enables the organization to determine the risk to operations, assets, and
individuals resulting from the operation of information systems, and the processing, storage, or The information, hardware, and software may be moved to another system, archived, discarded, or
transmission of information. destroyed.
Step-3. Implementation Phase:- If performed improperly, the disposal phase can result in the unauthorized disclosure of sensitive
During this phase, the organization configures and enables system security features, tests the data.
functionality of these features, installs or implements the system, and obtains a formal authorization to
operate the system. When archiving information, organizations should consider the need for and the methods for future
Design reviews and system tests should be performed before placing the system into operation to retrieval..
ensure that it meets all required security specifications.
4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 5 4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 6
THETOPPERSWAY.COM
We need to integrate the security in following five phases. Activity boxes:-It define primary security activities to be included in individual phases. It
further includes following four specifications:-
1. Integrating Security at INITIAL phase. i. Description:->>It gives detailed overview of activity.
2. Integrating Security at DEVELOPMENT phase.
>>Represented by rectangular box .
3. Integrating Security at IMPLEMENTATION phase. ii. Output:- >>It describes what will be delivered after completion of task.
>>Represented by boxes labeled as “outputs”.
Output
4. Integrating Security at MAINTENANCE phase.
iii. Synchronization >>It include feedbacks.
5. Integrating Security at DISPOSAL phase. >> Represented by “ arrowed circles”.
iv. Interdependencies. >>Define relationships among tasks
>> Represented by “ arrow connecting boxes and loops”.
4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 7 4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 8
2
14-04-2015
Security considerations
It includes 1. Risk analysis conducted to help basic security controls to be applied.
1. Initiating project security planning activity include review docs ,initial project schedule . 2. Requirement analysis for application of security risk countermeasures.
2. Categorizing the information system activity and evaluate their CIA properties. 3. Test for ensuring that the functionality and security of the system are managed properly.
3. Accessing business impact activity which includes impact of vulnerabilities on business. 4. Initial document preparation for certifying and accrediting the system.
4. Accessing privacy impact activity. 5. Security architecture design preparation. (security plan)
5. Involves description about how the info. System would be developed securely.
4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 9 4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 10
THETOPPERSWAY.COM
Security considerations
Security considerations 1. Ensuring that system is upto date.
1. Integration of the information system into the operational environment.(inspection and
2. Conducting a review to check the operational accuracy of the system.
acceptance).
3. Managing the system configuration .
2. Planning activities for certification of the system, conducting these activities & testing
4. Establishing processes and procedures in order to ensure the system is up and running .
security controls at the same time.
5. Performing the reauthorization according to the requirement.
3. Completion of activities for accreditation of the system( certified)
4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 11 4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 12
3
14-04-2015
Security considerations To avoid loss of information assets ,organizations must follow a secure application
1. Building and executing a plan for the disposal or transition of obsolete systems. development strategy.
2. Archiving of the important info.
3. Cleaning the storage media and other supporting components. With advancement of technology, we need highly trained developers for secure
4. Disposing the software media and other supporting documents. application development.
4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 13 4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 14
THETOPPERSWAY.COM
4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 15 4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 16
4
14-04-2015
Security governance and risk management should be a part of the overall organizational 2. Assessing
goals rather than a single, highly overlooked discipline. To analyze the level of risks and level of security
provided with our organization .
To assess the possible damages from risks.
Key Elements required for Information security governance(organizational security)
Third Party Governance.(E.g.outsourced to call-centers) 3. Monitoring
It involves continuously checking the IS and keep
Security roles and responsibilities (Senior managers being assigned the
on eye on threats and vulnerabilities.
responsibility of managing risks).
Define guidelines for maintain security.
Separation of duties (Ensures that no single individual has complete authority or 4. Responding
control over a critical system or process ) To take preventive or corrective measures to
Job rotation (Reduces dependence on individuals, and monotony) protect systems from threats.
Organization-wide risk tolerance level being established.
Risk management programs being implemented throughout the organization. From Fig., the flow of information starts by framing and it communicates the information
throughout the other process ,i.e. assessing ,monitoring and responding .
These activities execute sequentially .
4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 17 4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 18
THETOPPERSWAY.COM
5
14-04-2015
5. Open-Closed System Memory:-It is a series of on-off switches representing bits: 0s (off) and 1s (on). Memory
Uses open hardware and standards, using standard components may be chip-based, disk-based, or use other media such as tape. Different types of memory
An IBM-compatible PC is an open system, using a standard motherboard, memory, is RAM(Random access memory) ,ROM & Cache memory . RAM is Random Access
BIOS, CPU, etc. You may build an IBM-compatible PC by purchasing components from Memory: “random” means the CPU may randomly access (jump to) any location in
a multitude of vendors. A closed system uses proprietary hardware or software memory.
4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 21 4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 22
THETOPPERSWAY.COM
The kernel:- Works as a heart of OS. Any organization having asset includes various :-
1. Hardware
Users & file permissions:-To restrict access to specific information only to set of 2. Data Storage devices
users. 3. Downloadable (peripheral) Devices.
Virtualization:-An interface between computer hardware and the operating system, These Assets are need to be secured.
allowing multiple guest operating systems to run on one host computer. It helps in
reducing the infrastructure an hardware costs. Each asset Is subjected to set of different vulnerabilities .
There is a need to control your computer system so that the information assets can be
protected.
4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 23 4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 24
6
14-04-2015
It includes the processor, chips , hard drive and monitor , which are need to be secured . Some device are USBs, CD ,DVD( Digital versatile Disks), memory cards, flash drives ,optical
media ,PDAs,etc.
Hardware also includes the portable things like smart card, Credit/Debit cards ,proximity
cards,Laptops, etc. Threat for your IT assets leads to threats to other process in organization.
Issues /Threats in Hardware security Issues /Threats to storage devices
Stealing. 1. Internal threat 2. External threat
Unauthenticated users get access to device. Modification by UNSEEN External attacker.
Destruction. Loss and Theft of data. Since they are small in size(like USB), so can
Disposal. be easily hidden after theft.
Unauthorized access. Denial of data.. Malware by intruders.
Access control mechnism (eg Biometric access control, finger scan ,RFIDs etc). Use of Advanced surveillance and monitoring technology.
4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 25 4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 26
THETOPPERSWAY.COM
7
14-04-2015
Preventive mechanisms to Physical Security of IT assets Preventive mechanisms to Physical Security of IT assets…
THREE Preventive mechanism to provide Physical security to IT assets Mechanism-3:- Intrusion Detection System[ IDS]
Already discussed in detail in UNIT-2.
Mechanism-1:- Physical Access control. It is a software or hardware designed to detect unwanted attempts at accessing
Locks. ,manipulating and disabling of computer systems through the network such as
Biometric identification internet.
Photo IDs Designed to detect actual or attempted unauthorized entry ,identify in location
Magnetic locks using electronic keycard. and signal a response with an alarm.
Computer terminal locks.
4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 29 4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 30
THETOPPERSWAY.COM
After developing strategies for data backup, the processes need to be communicated to End of Discussion.
other level of organization for proper organization of security.
After the process for data backup is communicated ,it is needed to execute and test the
processes properly.
Secure your backup data from failures and any kind of causality or disaster.
Advantages of data-backup security
Increased security.
Multiple Levels of Redundancy.
Close personal protection .
Alarm responses.
Ease of Use .