
14-04-2015

CYBER SECURITY [AUC002]
Unit-3: Introduction to Security measures

Unit-3 contents
1. Security of assets and its need: AN INTRODUCTION
2. System Development Life Cycle [SDLC] and its benefits.
3. Secure Information System Development
   - Integrating Security at INITIAL phase.
   - Integrating Security at DEVELOPMENT phase.
   - Integrating Security at IMPLEMENTATION phase.
   - Integrating Security at MAINTENANCE phase.
   - Integrating Security at DISPOSAL phase.
4. Application Development Security
5. Information Security Governance and risk management
   - Risk Management process
6. Secure Architecture & design
   - Secure System Design.
   - Secure Hardware system architecture.
   - Secure Operating system and software architecture.
7. Security issues:-
   - with Hardware.
   - with Data storage.
   - with Downloadable devices (peripheral device).
8. Physical security of IT assets.
9. Backup security measures.
4/14/2015 KIET -AUC002- Sec –B - ANKIT GOEL 2

THETOPPERSWAY.COM

Security of Assets and its need: AN INTRODUCTION

Definition of Asset
An asset is a resource, process, product, computing infrastructure and so on, or anything else that an organization considers important enough to be protected.

Need of Security of assets
- Every organization has resources, hardware, software, people and information, so security of all these assets is required.
- Surveys show that organizations with better security measures generate more revenue and profit than less secured organizations.
- Backup is also a useful asset, which also needs to be secured.
- If the backup gets destroyed, recovery of data will not happen.
- It requires proper planning and monitoring.

System Development Life Cycle [SDLC]

Definition of SDLC
The multistep process that starts with the initiation, analysis, design, and implementation, and continues through the maintenance and disposal of the system, is called the System Development Life Cycle (SDLC).
For any SDLC model that is used, information security must be integrated into the SDLC to ensure appropriate protection for the information that the system will transmit, process, and store.
Applying the risk management process to system development enables organizations to balance requirements for the protection of agency information and assets with the cost of security controls and mitigation strategies throughout the SDLC.

Conclusion
- Secure systems are developed by integrating risk analysis and management activities at each level of the SDLC.
- So security measures are integrated at each level involving planning, development, building and deployment of the system.


System Development Life Cycle [SDLC]…
Brief Explanation of each step of SDLC

Step-1. Initiation Phase:-
- During this phase, the organization establishes the need for a system and documents its purpose.
- Security planning should begin in the initiation phase with the identification of key security roles to be carried out in the development of the system.
- Requirements for the confidentiality, integrity, and availability of information should be assessed at this stage.

Step-2. Development/Acquisition Phase:-
- During this phase, the system is designed, purchased, programmed, developed, or otherwise constructed.
- A key security activity in this phase is conducting a risk assessment and using the results to supplement the baseline security controls.
- The risk assessment enables the organization to determine the risk to operations, assets, and individuals resulting from the operation of information systems, and the processing, storage, or transmission of information.

Step-3. Implementation Phase:-
- During this phase, the organization configures and enables system security features, tests the functionality of these features, installs or implements the system, and obtains a formal authorization to operate the system.
- Design reviews and system tests should be performed before placing the system into operation to ensure that it meets all required security specifications.

Step-4. Maintenance/Operations Phase:-
- During this phase, systems and products are in place and operating, enhancements and/or modifications to the system are developed and tested, and hardware and software components are added or replaced.
- The organization should continuously monitor performance of the system to ensure that it is consistent with pre-established user and security requirements, and that needed system modifications are incorporated.

Step-5. Disposal Phase:-
- During this phase, plans are developed for discarding system information, hardware, and software and making the transition to a new system.
- The information, hardware, and software may be moved to another system, archived, discarded, or destroyed.
- If performed improperly, the disposal phase can result in the unauthorized disclosure of sensitive data.
- When archiving information, organizations should consider the need for and the methods for future retrieval.


Secure Information System Development

Secure information systems are developed by integrating risk analysis and management activities at the start of the SDLC and continuing throughout, which means the security measures will be integrated into the system development operations involving planning, building and deployment of security of the system.

We need to integrate security in the following five phases.
1. Integrating Security at INITIAL phase.
2. Integrating Security at DEVELOPMENT phase.
3. Integrating Security at IMPLEMENTATION phase.
4. Integrating Security at MAINTENANCE phase.
5. Integrating Security at DISPOSAL phase.

Before starting integrating security in different phases… Some conventions

Each phase is represented by a figure which includes the following:-
- Starting point:- Gives a brief idea about the individual phase.
- Control gate boxes:- Identify points at which system evaluation will take place and the management will decide to continue the development process, change direction or completely stop the development.
- Activity boxes:- Define the primary security activities to be included in individual phases. They further include the following four specifications:-
  i. Description:- Gives a detailed overview of the activity. Represented by a rectangular box.
  ii. Output:- Describes what will be delivered after completion of the task. Represented by boxes labeled as "outputs".
  iii. Synchronization:- Includes feedbacks. Represented by "arrowed circles".
  iv. Interdependencies:- Define relationships among tasks. Represented by "arrows connecting boxes and loops".


1. Integrating Security at INITIAL phase.

It includes
1. Initiating project security planning: activities include review of documents and the initial project schedule.
2. Categorizing the information system activities and evaluating their CIA properties.
3. Assessing business impact, which includes the impact of vulnerabilities on business.
4. Assessing privacy impact.
5. A description of how the information system would be developed securely.

2. Integrating Security at DEVELOPMENT phase.

Security considerations
1. Risk analysis conducted to help basic security controls to be applied.
2. Requirement analysis for application of security risk countermeasures.
3. Tests for ensuring that the functionality and security of the system are managed properly.
4. Initial document preparation for certifying and accrediting the system.
5. Security architecture design preparation (security plan).


3. Integrating Security at Implementation phase.

Security considerations
1. Integration of the information system into the operational environment (inspection and acceptance).
2. Planning activities for certification of the system, conducting these activities and testing security controls at the same time.
3. Completion of activities for accreditation of the system (certified).

4. Integrating Security at Maintenance phase.

POA&M:- Plan of Action & Milestones
CCB:- Change control board

Security considerations
1. Ensuring that the system is up to date.
2. Conducting a review to check the operational accuracy of the system.
3. Managing the system configuration.
4. Establishing processes and procedures in order to ensure the system is up and running.
5. Performing the reauthorization according to the requirement.


5. Integrating Security at Disposal phase.

Security considerations
1. Building and executing a plan for the disposal or transition of obsolete systems.
2. Archiving of the important information.
3. Cleaning the storage media and other supporting components.
4. Disposing of the software media and other supporting documents.

Application Development Security

- Sharing of information assets in organizations is handled by computing services and applications that are mostly custom-developed for specific uses of the organization.
- The interconnected nature of these applications provides growth opportunities for the organization, but also tends to make them vulnerable to threats and attacks.
- To avoid loss of information assets, organizations must follow a secure application development strategy.
- With the advancement of technology, we need highly trained developers for secure application development.


Application Development Security

Issues/problems related to secure development of applications.
- Less trained/skilled developers for applications.
- Less educational focus on secure development.
- Difficulty in finding the right information related to specific security measures for an application.
- Less CIA.
- Security is usually done at the last phase of the lifecycle.
- Theft of proprietary information causing financial losses.

Solution to issues/problems related to secure development of applications.
Secure applications can be developed by following certain specifications mentioned in the framework. We need to employ a common framework that satisfies certain basic requirements of information security. The framework includes the following factors:-
a) Foundation:- The basic knowledge of development practice and security issues to consider before starting to develop the application.
b) Principles:- The basic rules to be followed during the development process.
c) Design guidelines:- These include the best code implementation methods that are tested and have been proven successful over time.

Design guidelines that must be followed to integrate security in the design phase of application development.
- Validating inputs.
- Handling exceptions.
- Applying cryptography.
- Using random numbers.
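
The four design guidelines listed above (validating inputs, handling exceptions, applying cryptography, using random numbers) applied together in one registration routine. This is an added example, not part of the original slides; the function names, the username pattern, the 12-character minimum and the PBKDF2 work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Allowlist pattern (assumed policy): lowercase letter first, then 2-31
# letters, digits or underscores. Anything else is rejected, not "cleaned".
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
MIN_PASSWORD_LEN = 12          # assumed policy value
PBKDF2_ITERATIONS = 600_000    # assumed work factor; tune to your hardware


class ValidationError(ValueError):
    """Raised for bad caller input; its message is safe to show the user."""


def validate_username(raw):
    # Validating inputs: check type and match the whole string (fullmatch),
    # so trailing newlines or injected suffixes cannot slip past the pattern.
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValidationError("username must be 3-32 chars: a-z, 0-9, _")
    return raw


def hash_password(password, salt=None):
    # Applying cryptography: a salted, deliberately slow key-derivation
    # function from the standard library instead of a bare hash.
    # Using random numbers: the salt comes from the OS CSPRNG via `secrets`,
    # never from the predictable `random` module.
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, expected):
    _, digest = hash_password(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, expected)


def register(store, raw_username, password):
    """Return (ok, message, session_token). `store` maps name -> (salt, digest)."""
    try:
        username = validate_username(raw_username)
        if not isinstance(password, str) or len(password) < MIN_PASSWORD_LEN:
            raise ValidationError("password too short")
        if username in store:
            raise ValidationError("username unavailable")
        store[username] = hash_password(password)
        # Unguessable session token, again from the CSPRNG.
        return True, "registered", secrets.token_urlsafe(32)
    except ValidationError as exc:
        # Handling exceptions: expected input errors get a specific message.
        return False, str(exc), None
    except Exception:
        # Unexpected failures: log details server-side (omitted here) and
        # return a generic message so internals never reach the caller.
        return False, "internal error", None


if __name__ == "__main__":
    users = {}  # constructed in-memory store for the demo
    print(register(users, "alice_01", "correct horse battery"))
    print(register(users, "alice'; DROP TABLE users;--", "correct horse battery"))
```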


Information Security Governance and Risk management

Information security needs to be governed and managed properly because information has become one of the most crucial business drivers in recent years.

Security governance and risk management should be a part of the overall organizational goals rather than a single, highly overlooked discipline.

Key elements required for information security governance (organizational security)
- Third party governance (e.g. outsourced to call-centers).
- Security roles and responsibilities (senior managers being assigned the responsibility of managing risks).
- Separation of duties (ensures that no single individual has complete authority or control over a critical system or process).
- Job rotation (reduces dependence on individuals, and monotony).
- Organization-wide risk tolerance level being established.
- Risk management programs being implemented throughout the organization.

Risk management

Risk management is the process of identifying the vulnerabilities in an organization's information systems and taking carefully reasoned steps to assure CIA.
Risk management involves the following four activities:-
1. Framing
   - To sense a threat and inform all the related activities that execute in a sequential manner.
   - To analyze the possible risks and define measures.
2. Assessing
   - To analyze the level of risks and the level of security provided within our organization.
   - To assess the possible damages from risks.
3. Monitoring
   - It involves continuously checking the IS and keeping an eye on threats and vulnerabilities.
   - To define guidelines for maintaining security.
4. Responding
   - To take preventive or corrective measures to protect systems from threats.

From the figure, the flow of information starts with framing, which communicates the information throughout the other processes, i.e. assessing, monitoring and responding.
These activities execute sequentially.

Security Architecture and design

Security Architecture and Design describes fundamental logical hardware, operating system, and software security components, and how to use those components to design, architect, and evaluate secure computer systems.
Understanding these fundamental issues is critical for an information security professional.

It includes securing the following components:-
- Hardware (to design a secure system)
- Software
- and Operating System (to maintain a secure system)

It also includes a description of designing, architecting and evaluating the system to provide security.

Secure System design

Secure system design includes the following practices:-
1. Layering:-
   - It separates hardware and software functionality into modular tiers.
   - The complexity of an issue such as reading a sector from a disk drive is contained to one layer (the hardware layer in this case). One layer (such as the application layer) is not directly affected by a change to another.
   - A generic list of security architecture layers is as follows: 1. Hardware 2. Kernel and device drivers 3. Operating System 4. Applications
2. Abstraction:-
   - It provides a way to manage that complexity.
   - It hides unnecessary details from the user. Complexity is the enemy of security: the more complex a process is, the less secure it is.
   - For example, a user double-clicks on an MP3 file containing music, and the music plays via the computer speakers. Behind the scenes, tremendously complex actions are taking place: the operating system opens the MP3 file, looks up the application associated with it, and sends the bits to a media player. The bits are decoded by a media player, which converts the information into a digital stream, and sends the stream to the computer's sound card. The sound card converts the stream into sound, sent to the speaker output device. Finally, the speakers play sound. Millions of calculations are occurring as the sound plays, while low-level devices are accessed. Abstraction means the user simply presses play and hears music.
3. Security Domain:-
   - It is the list/group of objects a subject is allowed to access.
   - For example, kernel mode and user mode in a computer.

Secure System design…

4. The Ring Model:-
   - The ring model is a layering of CPU hardware in four levels. Protection rings support the CIA requirements of the OS.
   - The ring determines the access level to sensitive system resources.
   - The most commonly used architecture provides four protection rings:-
     - Ring 0:- OS kernel
     - Ring 1:- Remaining part of OS
     - Ring 2:- I/O drivers and utilities
     - Ring 3:- Application and user activity
   - A user running a word processor in ring 3 presses "save": a system call is made into ring 0, asking the kernel to save the file. The kernel does so, and reports the file is saved.
5. Open-Closed System
   - An open system uses open hardware and standards, using standard components.
   - An IBM-compatible PC is an open system, using a standard motherboard, memory, BIOS, CPU, etc. You may build an IBM-compatible PC by purchasing components from a multitude of vendors. A closed system uses proprietary hardware or software.

Secure Hardware design

Secure Hardware Architecture focuses on the physical computer hardware required to have a secure system.
- The hardware must provide confidentiality, integrity, and availability for processes, data, and users.
- The hardware includes not only the motherboard, CPU and memory, but also system buses and memory protection.

Computer BUS:- It is the primary communication channel on a computer system. Communication between the CPU, memory, and input/output devices such as keyboard, mouse, display, etc., occurs via the bus. Buses carry addresses and data.

CPU (Central Processing Unit):- It is the "brains" of the computer, capable of controlling and performing mathematical calculations. It consists of an ALU (Arithmetic Logic Unit) and a CU (Control Unit). CPUs support multitasking and multiprocessing.

Memory:- It is a series of on-off switches representing bits: 0s (off) and 1s (on). Memory may be chip-based, disk-based, or use other media such as tape. The different types of memory are RAM (Random Access Memory), ROM and cache memory. RAM is Random Access Memory: "random" means the CPU may randomly access (jump to) any location in memory.

Secure Operating system & software architecture

The architecture of the software and OS is built on the secure hardware base, providing a secure interface between hardware and the applications (and users) which access the hardware.
- Operating systems provide memory, resource, and process management.
- The secure operating system and software part includes:-
  - The kernel:- Works as the heart of the OS.
  - Users & file permissions:- To restrict access to specific information only to a set of users.
  - Virtualization:- An interface between computer hardware and the operating system, allowing multiple guest operating systems to run on one host computer. It helps in reducing the infrastructure and hardware costs.

Security Issues in Hardware, Data Storage device, & Downloadable (peripheral) Devices.

The assets of any organization include various:-
1. Hardware
2. Data Storage devices
3. Downloadable (peripheral) Devices.

These assets need to be secured.

Each asset is subject to a set of different vulnerabilities.

There is a need to control your computer system so that the information assets can be protected.


1. Security issues in Hardware

What is Hardware?
- Hardware is the component on which the entire computer system is based.
- It includes the processor, chips, hard drive and monitor, which need to be secured.
- Hardware also includes portable things like smart cards, credit/debit cards, proximity cards, laptops, etc.

Issues/Threats in Hardware security
- Stealing.
- Unauthenticated users get access to device.
- Destruction.
- Disposal.
- Unauthorized access.

Prevention to Hardware security
- Using locks (e.g. laptop lock).
- Access control mechanism (e.g. biometric access control, finger scan, RFIDs etc).
- Using VPNs, firewalls.

2. Security issues in Data Storage device

What is Data Storage device?
- Data storage devices are used to store/save/archive the data.
- Some devices are USBs, CDs, DVDs (Digital Versatile Disks), memory cards, flash drives, optical media, PDAs, etc.
- Threat for your IT assets leads to threats to other processes in the organization.

Issues/Threats to storage devices
1. Internal threat 2. External threat
- Modification by unseen external attacker.
- Loss and theft of data. Since they are small in size (like USB), they can be easily hidden after theft.
- Denial of data.
- Malware by intruders.

Prevention measures
- Need to educate/train the people and make them aware.
- Use of advanced surveillance and monitoring technology.
- Implementing certain policies and procedures.


3. Security issues in Downloadable (peripheral) devices

What is Downloadable (peripheral) device?
- Those devices which are used to download the data.
- Some devices are USB drives, USB patch cords, connectors, electronic notebooks, PDAs, etc.
- These devices are used to store information by downloading the data.
- Threat for your IT assets leads to threats to other processes in the organization.

Issues/Threats to downloadable devices
- Easily hidden as they are small in size.
- Loss and theft of devices.
- Manipulation/destruction of data.
- Corrupting devices.

Prevention measures
- Need to secure passwords from intruders/attackers.
- Buy these devices from authorized vendors.
- Regular monitoring.
- Implementing certain policies and procedures.

Physical Security of IT Assets

- IT assets include crucial information, hardware, software, operating system and much more.
- Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media.
- Physical security of assets is a must for total security control.
- You need to use locks, install detection systems and other access controls to protect the IT assets.
- Threat for your IT assets leads to threats to other processes in the organization.

Threats to Physical security
Physical access exposure to human beings.
- Own employees cause threats like theft, fraud, accident and sabotage.
- Accidental errors by human beings.
- Tampering by unauthorized users.
Physical access exposure to natural disaster.
- Includes fire, lightning, electric interruption.
- May destroy all assets.
- Interrupts network activity.

Preventive mechanisms to Physical Security of IT assets

THREE preventive mechanisms to provide physical security to IT assets

Mechanism-1:- Physical Access control.
- Locks.
- Biometric identification.
- Photo IDs.
- Magnetic locks using electronic keycard.
- Computer terminal locks.

Mechanism-2:- Electronic and Visual surveillance systems (CCTV)
- CCTV stands for Closed Circuit Television.
- CCTV is also called the Third Eye.
- Used for monitoring of assets and surveillance from a far place.
- CCTV consists of the following components:-
  1. CCD type Camera
  2. Zoom Lens
  3. Pan-tilt unit
  4. Telemetry Receiver
  5. Cables
  6. Control System
- RFID is also used for monitoring.

Mechanism-3:- Intrusion Detection System [IDS]
- Already discussed in detail in UNIT-2.
- It is software or hardware designed to detect unwanted attempts at accessing, manipulating and disabling of computer systems through a network such as the internet.
- Designed to detect actual or attempted unauthorized entry, identify its location and signal a response with an alarm.


Backup Security measures

Backup is a very crucial asset for an organization. So an organization follows the following practices to maintain proper data backup security:-
- Assigning responsibility, authority and accountability among individual security personnel.
- Assessing backup risks.
- Developing sensitive data backup protection processes/strategies.
- After developing strategies for data backup, the processes need to be communicated to other levels of the organization for proper organization of security.
- After the process for data backup is communicated, it needs to be executed and tested properly.
- Secure your backup data from failures and any kind of casualty or disaster.

Advantages of data-backup security
- Increased security.
- Multiple levels of redundancy.
- Close personal protection.
- Alarm responses.
- Ease of use.

End of Discussion.
