Wednesday, November 12, 2014

Law and Ethics


The United States has led the development and implementation of information security legislation to prevent the misuse and exploitation of information and information technology.
General Computer Crime Laws:
The Computer Fraud and Abuse (CFA) Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts. It was amended in October 1996 by the National Information Infrastructure Protection Act. Punishment for offenses prosecuted under this statute ranges from fines to imprisonment for up to 20 years.
The CFA Act was further modified by the USA PATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) Act of 2001, which was enacted as a mechanism to provide the United States with a means to investigate and respond to the 9/11 attacks on the World Trade Center in New York.
Electronic Communications Privacy Act (ECPA) of 1986: a collection of statutes that regulates the interception of wire, electronic, and oral communications. These statutes are frequently referred to as the federal wiretapping acts. They cover:
·         Interception and disclosure of wire, oral, or electronic communications
·         Manufacture, distribution, possession, and advertising of wire, oral, or electronic communication intercepting devices.
·         Confiscation of wire, oral, or electronic communication intercepting devices.
·         Evidentiary use of intercepted wire or oral communications
·         Authorization for interception of wire, oral or electronic communications.
·         Authorization for disclosure and use of intercepted wire, oral, or electronic communications.
Source: Management of Information Security by Whitman and Mattord.


Wednesday, November 5, 2014

Firewalls

In information security, a firewall is any device that prevents a specific type of information from moving between a trusted and an untrusted network. The trusted network is the inside world; the untrusted network is the outside world, such as the Internet. The firewall may be a separate computer system, a service running on an existing router or server, or a separate network containing a number of supporting devices.
First-generation firewalls are packet filtering firewalls: networking devices that filter packets by examining every incoming and outgoing packet header.
Second-generation firewalls, known as application-level firewalls, often consist of dedicated computers kept separate from the first filtering router and are commonly used in conjunction with a second or internal filtering router. This second server is often called a proxy server.
Third-generation firewalls, stateful inspection firewalls, keep track of each network connection established between internal and external systems using a state table. State tables track the state and context of each exchanged packet by recording which station sent which packet and when. Like first-generation firewalls, stateful inspection firewalls perform packet filtering; in addition, a stateful inspection firewall can restrict incoming packets to those that constitute responses to internal requests. If the stateful inspection firewall receives an incoming packet that it cannot match in its state table, it defaults to its access control list (ACL) to determine whether to allow the packet to pass.
Fourth-generation firewalls, called dynamic packet filtering firewalls, allow only a particular packet with a specific source, destination, and port address to pass through the firewall.
The newest generation of firewall is a hybrid built from the capabilities of modern networking equipment that can perform a variety of tasks according to the organization's needs, known as Unified Threat Management (UTM).
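The state-table behaviour described for third-generation firewalls is easy to see in code. The following Python model is an added example, not code from the post or from Whitman and Mattord: outbound connections populate a state table, inbound packets are admitted when they match a live entry, and anything else falls through to a static ACL with an implicit deny. The trusted prefix, addresses, ports, ACL rules and idle timeout are constructed sample values; the idle timeout is an assumption about how real state tables are kept from growing without bound.

```python
"""Toy stateful inspection firewall (added example, not from the post).

Outbound connections from the trusted network are recorded in a state
table; inbound packets are admitted only if they are replies to one of
those connections. Unmatched inbound packets fall back to a static ACL,
as the third-generation description explains. Idle entries expire so a
stale table cannot be used to admit traffic indefinitely.
All addresses, ports, rules and timeouts are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TRUSTED_PREFIX = "10.0.0."          # constructed: the trusted (inside) network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def is_trusted(ip: str) -> bool:
    return ip.startswith(TRUSTED_PREFIX)


# ACL entry: (action, protocol, destination port); evaluated top-down,
# first match wins, implicit deny at the end.
AclRule = Tuple[str, str, int]


class StatefulFirewall:
    def __init__(self, acl: List[AclRule], idle_timeout: float = 300.0):
        self.acl = acl
        self.idle_timeout = idle_timeout
        # state table: (outside ip, outside port, inside ip, inside port, proto)
        # -> time the connection was last seen
        self.state: Dict[Tuple[str, int, str, int, str], float] = {}

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.state.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.state[k]

    def _acl_decision(self, pkt: Packet) -> str:
        for action, proto, port in self.acl:
            if proto == pkt.proto and port == pkt.dst_port:
                return action
        return "deny"                       # implicit default deny

    def filter(self, pkt: Packet, now: float) -> str:
        """Return "allow" or "deny" for one packet observed at time `now`."""
        self._expire(now)
        outbound = is_trusted(pkt.src_ip) and not is_trusted(pkt.dst_ip)
        if outbound:
            # Record the connection so the reply can be matched later.
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
            self.state[key] = now
            return "allow"
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key in self.state:
            self.state[key] = now           # refresh the idle timer
            return "allow"                  # reply to an internal request
        return self._acl_decision(pkt)      # no state: consult the ACL


def demo() -> List[str]:
    """Run a constructed packet sequence and return the decisions."""
    fw = StatefulFirewall(acl=[("allow", "tcp", 25)], idle_timeout=60.0)
    sequence = [
        (Packet("10.0.0.5", 40000, "198.51.100.20", 443), 0.0),    # outbound HTTPS
        (Packet("198.51.100.20", 443, "10.0.0.5", 40000), 1.0),    # its reply
        (Packet("203.0.113.7", 5555, "10.0.0.5", 40000), 1.0),     # unsolicited
        (Packet("203.0.113.7", 5555, "10.0.0.10", 25), 1.0),       # inbound SMTP (ACL)
        (Packet("198.51.100.20", 443, "10.0.0.5", 40000), 100.0),  # reply after idle expiry
    ]
    return [fw.filter(pkt, t) for pkt, t in sequence]


if __name__ == "__main__":
    print(demo())
```

Running the module prints the decisions for the constructed sequence. The fifth packet is a legitimate reply that arrives after the idle timeout; it is refused because the table no longer holds its connection, which is why long-lived sessions depend on keepalives or a generous timeout.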

Firewall Architectures

Configurations are sometimes mutually exclusive and sometimes can be combined. The architectural implementations of firewalls are:
Packet filtering routers: routers configured to block packets that the organization does not allow into the network. This lowers the organization's risk from external attack.
Screened-host firewall systems: combine packet filtering with a separate, dedicated firewall such as an application proxy server. This approach allows the router to screen packets to minimize the network traffic and load on the internal proxy.
Dual-homed host firewalls: the bastion host contains two network interfaces, one connected to the external network and one connected to the internal network. All traffic must go through the firewall to move between the internal and external networks.
Screened-subnet firewalls: consist of one or more internal bastion hosts located behind a packet filtering router, with each host protecting the trusted network.
The first general model uses two filtering routers, with one or more dual-homed bastion hosts between them. In the second general model, connections from the outside (untrusted) network are routed through an external filtering router into, and then out of, a routing firewall to a separate network segment known as the DMZ; connections into the trusted internal network are allowed only from the DMZ bastion host servers.

Source: Management of Information Security by Whitman and Mattord.


Saturday, November 1, 2014

Access Controls

Access controls regulate the admission of users into trusted areas of an organization. Access controls are either logical or physical, and they consist of identification, authentication, authorization, and accountability.
Identification: a mechanism that provides information about an unverified entity (the supplicant) that wants to be granted access to a known entity. The supplicant's identification is called an ID.
Authentication: the process of validating a supplicant's identity. It ensures that the entity requesting access is the entity it claims to be.
There are four types of authentication mechanism:
Something you know: this authentication mechanism verifies the user's identity by means of a password, passphrase, or some other unique authentication code, such as a PIN. A good rule of thumb is that a strong password is at least 10 characters long and contains at least one letter, one number, and one special character. It is better still if it mixes upper- and lowercase letters.
The table below gives the password length against the odds of guessing the password and the estimated time to crack it on an Intel Core i7 (875K) PC:

Length   Odds of cracking: 1 in (based on number of characters and password length)   Estimated time to crack
8        208,827,064,576                                                               2.3 sec.
9        5,429,503,678,976                                                             1.0 min.
10       141,167,095,653,376                                                           25.5 min.
11       3,670,344,486,987,780                                                         11.1 hrs.
12       95,428,956,661,682,200                                                        12 days
13       2,481,152,873,203,740,000                                                     311.8 days
14       64,509,974,703,297,200,000                                                    22.2 years
15       1,677,259,342,285,730,000,000                                                 577.5 years
16       43,608,742,899,428,900,000,000                                                15,014.4 years
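To show where the numbers in the table come from, here is an added Python example (not from the post or the textbook). It computes the keyspace for a given character set and length and the worst-case time to search it. The guess rate is calibrated from the table's first row (26^8 guesses in 2.3 seconds, so the table assumes a 26-letter alphabet and roughly 9 x 10^10 guesses per second); that rate is an assumption, since the post does not state it. The example then goes beyond the table by extending it to the mixed alphabet the rule of thumb recommends; the size of the special-character class is an assumed count of ASCII punctuation.

```python
"""Password keyspace and worst-case search time (added example).

The table in the post is 26**length guesses per row, i.e. a lowercase-only
alphabet. Calibrating the guess rate from its first row (2.3 s for length 8)
lets the same arithmetic reproduce the other rows and extend them to the
larger alphabets the rule of thumb recommends. The rate is an assumption;
the post does not state it.
"""
from typing import Iterable, List, Tuple

LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 32   # class sizes (SPECIAL: assumed ASCII punctuation)


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset size and length must be positive")
    return charset_size ** length


# Calibration: 26**8 guesses took 2.3 seconds in the post's table.
GUESSES_PER_SECOND = keyspace(26, 8) / 2.3


def seconds_to_crack(charset_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate in the keyspace is tried."""
    return keyspace(charset_size, length) / rate


def humanize(seconds: float) -> str:
    """Render seconds in the largest unit that fits, as the table does."""
    units = (("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hrs", 3600), ("min", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} sec"


def build_table(charset_size: int, lengths: Iterable[int]) -> List[Tuple[int, int, str]]:
    """(length, odds 1-in-N, estimated time) rows for one alphabet size."""
    return [(n, keyspace(charset_size, n), humanize(seconds_to_crack(charset_size, n)))
            for n in lengths]


if __name__ == "__main__":
    print("lowercase only (reproduces the post's table):")
    for row in build_table(26, range(8, 17)):
        print(f"{row[0]:>3}  {row[1]:>32,}  {row[2]}")
    mixed = LOWER + UPPER + DIGITS + SPECIAL
    print(f"\nmixed alphabet of {mixed} characters (the rule of thumb):")
    for row in build_table(mixed, range(8, 13)):
        print(f"{row[0]:>3}  {row[1]:>32,}  {row[2]}")
```

The mixed-alphabet rows make the rule of thumb concrete: at the same guess rate, ten characters drawn from all four classes take roughly 19 years to exhaust, against about 26 minutes for ten lowercase letters. Length and alphabet size both enter as exponents, which is why the recommendation asks for both.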

Something you have: this authentication mechanism makes use of something the user or the system has, such as a card or token. This category includes ID cards, ATM cards, smart cards, and cryptographic tokens. Tokens may be synchronous or asynchronous. Synchronous tokens are synchronized with a server; each device uses the time to generate the authentication number that is entered during the user login. Asynchronous tokens use a challenge-response system in which the server challenges the user with a number; the user enters the challenge number into the token, which in turn calculates a response number, and the user then enters that number into the system to gain access.
Something you are: this mechanism takes advantage of something inherent in the user that is evaluated using biometrics, including the following:
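To make the synchronous and asynchronous token flows concrete, here is an added Python example (not from the post or the textbook) with both the token side and the server side. It uses HMAC-SHA256 keyed by a shared secret: the synchronous code mixes in the current 30-second time step, the challenge-response code mixes in the server's random challenge, and the server accepts each challenge and each time step only once so a captured code cannot be replayed. The secret, user name, time step size and timestamps are constructed values, and the code derivation is a simplified teaching model rather than the RFC 4226/6238 algorithms that real tokens implement.

```python
"""Synchronous and asynchronous token authentication (added example).

Both token types share a secret with the authentication server and derive
a short numeric code from it with HMAC-SHA256. The synchronous token
(Token.current_code) mixes in the current time step; the asynchronous
token (Token.respond) mixes in a server-issued challenge. The server
accepts each challenge and each time step only once so a captured code
cannot be replayed. This is a teaching model, not RFC 4226/6238 (it does
not use their dynamic truncation). Secrets, users and timestamps are
constructed sample values.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict

DIGITS = 8
TIME_STEP = 30          # seconds per synchronous code


def derive_code(secret: bytes, message: bytes, digits: int = DIGITS) -> str:
    """Numeric code a user can type: HMAC-SHA256 reduced to `digits` digits."""
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


class Token:
    """The device the user holds; it never reveals the secret."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def current_code(self, now: int) -> str:             # synchronous
        return derive_code(self._secret, struct.pack(">Q", now // TIME_STEP))

    def respond(self, challenge: str) -> str:            # asynchronous
        return derive_code(self._secret, challenge.encode())


class AuthServer:
    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}
        self._pending: Dict[str, str] = {}       # outstanding challenges
        self._last_step: Dict[str, int] = {}     # newest accepted time step

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret

    # --- asynchronous (challenge-response) flow ---
    def issue_challenge(self, user: str) -> str:
        challenge = f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"
        self._pending[user] = challenge
        return challenge

    def verify_response(self, user: str, response: str) -> bool:
        challenge = self._pending.pop(user, None)      # single use
        secret = self._secrets.get(user)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(derive_code(secret, challenge.encode()), response)

    # --- synchronous (time-based) flow ---
    def verify_time_code(self, user: str, code: str, now: int, drift: int = 1) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        current = now // TIME_STEP
        for step in range(current - drift, current + drift + 1):
            if step <= self._last_step.get(user, -1):
                continue                               # already used: replay
            expected = derive_code(secret, struct.pack(">Q", step))
            if hmac.compare_digest(expected, code):
                self._last_step[user] = step
                return True
        return False


def demo() -> Dict[str, bool]:
    secret = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed
    server, token = AuthServer(), Token(secret)
    server.enroll("alice", secret)
    challenge = server.issue_challenge("alice")
    response = token.respond(challenge)
    t0 = 1_700_000_000
    return {
        "challenge_ok": server.verify_response("alice", response),
        "challenge_replayed": server.verify_response("alice", response),
        "time_ok": server.verify_time_code("alice", token.current_code(t0), t0),
        "time_replayed": server.verify_time_code("alice", token.current_code(t0), t0),
        "next_step_ok": server.verify_time_code("alice", token.current_code(t0 + 30), t0 + 35),
        "stale_code": server.verify_time_code("alice", token.current_code(t0), t0 + 300),
    }


if __name__ == "__main__":
    print(demo())
```

The drift window of one step either side tolerates small clock differences between token and server, and the `_last_step` record is what stops a code from being accepted twice inside that window; both points are the usual operational concerns with synchronous tokens.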
·         Fingerprints
·         Face recognition.
·         Hand Geometry
·         Retina Scan
·         Iris scan
·         Voice Recognition
·         Palm vein authentication.
Something you produce: this mechanism makes use of something the user performs or produces; examples are a signature or a voice pattern.

Reference: Management of Information Security by Whitman and Mattord


Saturday, October 25, 2014

Managing Risk

Risk Appetite is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
Residual risk is the amount of risk that remains after the organization has implemented policy, education and training, and technical controls and safeguards.

Feasibility

Feasibility studies examine the economic and noneconomic consequences of a vulnerability's exploitation and of the controls proposed against it. Organizational, operational, technical, and political feasibility are the noneconomic feasibilities; cost-benefit analysis is the economic feasibility.

Cost-Benefit Analysis:

There are several ways to determine the value of the information assets to be protected. One technique is to express the dollar-denominated expenses and savings that result from economic cost avoidance.
Cost: identifying the cost of the information itself is difficult, so it is usually calculated from the costs associated with protecting the information system: the development of software or the acquisition of a vendor product, training for the employees who manage or use the product, the supporting infrastructure, upgrades and maintenance, and the labor for implementation and maintenance.
Benefit: the value an organization gains by implementing controls to prevent the losses associated with a vulnerability in an asset.
Asset valuation: the process of assigning a financial value or worth to each information asset associated with an organization. Asset valuation involves the estimation of real or perceived costs. The cost is calculated from everything used to design, develop, install, implement, maintain, protect, and recover the asset, and it also includes the cost of physical assets such as hardware.
A cost-benefit analysis is performed by calculating the Single Loss Expectancy (SLE), the Annualized Rate of Occurrence (ARO), and the Annualized Loss Expectancy (ALE).
ARO indicates how often an attack is expected to occur per year; SLE indicates the loss for an asset from a single attack; ALE indicates the expected loss for an asset per year.
ALE = SLE * ARO
CBA = ALE (pre-control) - ALE (post-control)
The difference between the pre-control and post-control loss expectancies is identified as the benefit in the cost-benefit analysis process.
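As an added example (not from the post or Whitman and Mattord), the Python below applies these formulas to a constructed scenario and ranks candidate controls by the benefit the CBA yields. It also subtracts each control's annual running cost to give a net figure; that cost is not part of the post's formula and is added here as an assumption about how a practitioner would use the result. Every number is a constructed sample value.

```python
"""ALE and cost-benefit analysis for candidate controls (added example).

Formulas from the post:  ALE = SLE * ARO  and  CBA = ALE(pre) - ALE(post).
The annual cost of each control and the "net" figure are additions for
illustration; every number below is a constructed sample value.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Control:
    name: str
    sle_post: float      # loss per incident once the control is in place
    aro_post: float      # expected incidents per year once the control is in place
    annual_cost: float   # yearly cost of running the control (not in the post's formula)


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def cba(sle_pre: float, aro_pre: float, sle_post: float, aro_post: float) -> float:
    """Benefit of a control: ALE before the control minus ALE after it."""
    return ale(sle_pre, aro_pre) - ale(sle_post, aro_post)


def rank_controls(sle_pre: float, aro_pre: float, controls: List[Control]) -> List[dict]:
    """Evaluate each control and sort by net benefit, best first."""
    rows = []
    for c in controls:
        benefit = cba(sle_pre, aro_pre, c.sle_post, c.aro_post)
        rows.append({"control": c.name, "ale_post": ale(c.sle_post, c.aro_post),
                     "benefit": benefit, "net": benefit - c.annual_cost})
    return sorted(rows, key=lambda r: r["net"], reverse=True)


# Constructed scenario: a customer database. One incident costs 250,000 and
# history suggests one incident every two years (ARO = 0.5).
SLE_PRE, ARO_PRE = 250_000.0, 0.5
CANDIDATES = [
    Control("offline backups + tested restore", sle_post=50_000.0, aro_post=0.5, annual_cost=20_000.0),
    Control("patching + hardening programme", sle_post=250_000.0, aro_post=0.2, annual_cost=40_000.0),
    Control("cyber insurance only", sle_post=200_000.0, aro_post=0.5, annual_cost=30_000.0),
]

if __name__ == "__main__":
    print(f"ALE before controls: {ale(SLE_PRE, ARO_PRE):,.0f}")
    for row in rank_controls(SLE_PRE, ARO_PRE, CANDIDATES):
        print(f"{row['control']:<36} ALE after {row['ale_post']:>9,.0f}  "
              f"benefit {row['benefit']:>9,.0f}  net {row['net']:>9,.0f}")
```

The two columns tell different stories: backups reduce the loss per incident (SLE) while patching reduces how often incidents happen (ARO), and both appear as a benefit only through the ALE difference, which is the point of annualizing.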

Organizational feasibility: this analysis examines how well the proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization. It shows whether the implementation aligns with the strategic plan for the information systems or deviates from it.
Operational feasibility: also called behavioral feasibility. It refers to user acceptance, management acceptance, and compatibility with and support for the requirements of the organization's stakeholders.
Technical feasibility: the implementation of technological controls is complex, so it is necessary to determine whether the technology is compatible with the organization's policy and strategy.
Political feasibility: this analysis considers what can and cannot happen based on the consensus and relationships among the communities of interest.

Reference: Management of Information Security by Whitman and Mattord


Friday, October 17, 2014

Risk Assessment

Risk assessment is the process of evaluating the risk associated with each vulnerability. It assigns a risk rating (or score) to each vulnerability.
The risk assessment rating is calculated from the likelihood and impact of the vulnerability, the existing controls that protect the asset, and the uncertainty of that protection.
Likelihood: a numerical value on a defined scale of the probability that a specific vulnerability will be exploited. Likelihood ratings range from 0.1 to 1.0 (NIST Special Publication 800-30), where 0.1 is low and 1.0 is very high. Likelihood values are assigned based on experience and on a review of existing internal and external sources.
Assessing potential loss (score/impact): a weighted score is assigned based on the information gathered during the documentation phase of the risk identification process. Assets whose loss would halt business execution and stop the business process score 100; assets with very low impact and low criticality are assigned 1; all medium assets are assigned 50 (NIST SP 800-30).
Percentage of risk mitigated by current controls: calculated from the controls that are employed against the threats and vulnerabilities.
Uncertainty: calculated from how well it is known how likely an attack against the asset is, or what impact a successful attack would have on the organization's business processes. The percentages are estimated by experience and review.
Risk determination is based on a formula using the likelihood, the score, the existing controls, and the uncertainty:
Risk determination = (Score * Likelihood) - (percentage of risk mitigated by current controls, applied to the score) + (uncertainty percentage, applied to the score)
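As an added example (not from the post or Whitman and Mattord), the Python below implements the formula over a constructed vulnerability register and ranks the entries. It assumes that both percentages are applied to the Score * Likelihood product, which is the reading used in the textbook's worked example; the assets, descriptions, likelihoods and percentages are constructed sample values.

```python
"""Risk determination and ranking of vulnerabilities (added example).

Risk = (Score * Likelihood)
       - (Score * Likelihood) * fraction mitigated by current controls
       + (Score * Likelihood) * uncertainty fraction

The percentages are applied to the Score * Likelihood product; this is the
reading used in the textbook's worked example and is an assumption here.
Scores follow the post (1, 50, 100) and likelihood is on the 0.1-1.0
NIST SP 800-30 scale. The vulnerability register is a constructed sample.
"""
from dataclasses import dataclass
from typing import List, Tuple

SCORES = {"low": 1, "medium": 50, "high": 100}


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    description: str
    impact: str            # "low" | "medium" | "high"
    likelihood: float      # 0.1 .. 1.0
    mitigated: float       # fraction of risk removed by current controls, 0..1
    uncertainty: float     # fraction added for uncertainty in the estimate, 0..1


def risk_rating(score: float, likelihood: float, mitigated: float, uncertainty: float) -> float:
    if not 0.1 <= likelihood <= 1.0:
        raise ValueError("likelihood must be between 0.1 and 1.0")
    if not (0.0 <= mitigated <= 1.0 and 0.0 <= uncertainty <= 1.0):
        raise ValueError("mitigated and uncertainty are fractions in 0..1")
    base = score * likelihood
    return base - base * mitigated + base * uncertainty


def rank(vulns: List[Vulnerability]) -> List[Tuple[str, str, float]]:
    """(asset, description, rating) sorted highest risk first."""
    rated = [(v.asset, v.description,
              risk_rating(SCORES[v.impact], v.likelihood, v.mitigated, v.uncertainty))
             for v in vulns]
    return sorted(rated, key=lambda r: r[2], reverse=True)


# Constructed sample register.
REGISTER = [
    Vulnerability("customer DB", "unpatched DBMS, internet reachable", "high", 0.5, 0.5, 0.2),
    Vulnerability("web server", "default admin credentials", "medium", 1.0, 0.0, 0.1),
    Vulnerability("print server", "SNMP v1 enabled", "low", 0.3, 0.0, 0.3),
]

if __name__ == "__main__":
    for asset, desc, rating in rank(REGISTER):
        print(f"{rating:6.1f}  {asset:<12} {desc}")
```

Note how the ranking comes out: the medium-impact web server with a certain exploit and no controls outranks the high-impact database that is already half mitigated. The formula rewards existing controls and penalizes guesswork, which is why the uncertainty term is added rather than ignored.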


Reference: Management of Information Security by Whitman and Mattord

Saturday, October 11, 2014

Risk Management Framework

Developed by NIST and the DoD as a six-step process. The intent of this common framework is to improve information security, strengthen risk management processes, and encourage reciprocity among federal agencies.
Characteristics of the RMF:
·         Promotes the concept of near-real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes.
·         Encourages the use of automation to provide senior leaders the information necessary to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions.
·         Integrates information security into the enterprise architecture and system development life cycle, placing emphasis on the selection, implementation, assessment, and monitoring of security controls and the authorization of information systems.
·         Links risk management processes at the information system level to risk management processes at the organization level through a risk executive.
·         Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems.

Risk Management Framework Steps:

1.       Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
2.       Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
3.       Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
4.       Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
5.       Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
6.       Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.




Source: Management of Information Security by Michael E Whitman and Herbert J. Mattord

Thursday, October 2, 2014

Information Security Roles, Learning Objectives

Implementing Security Education, Training, and Awareness

The Security Education, Training, and Awareness (SETA) program begins after the information security program has been put in place. The program offers three major benefits:
·         It improves employee behavior.
·         It informs members of the organization about where to report violations of policy.
·         It enables the organization to hold employees accountable for their actions.
Employee accountability is necessary to ensure that the acts of an individual do not threaten the long-term viability of the entire organization.

Learning Objectives

Understanding of:

·         Access control systems and methodology
·         Applications and systems development
·         Business continuity planning
·         Cryptography
·         Law, Investigation, and ethics
·         Operations security
·         Physical security
·         Security architecture and models
·         Security management practices
·         Telecommunications, network and Internet Security.

Accomplishment In:

·         Firewalls
·         IDSs
·         Access Controls
·         Vulnerability assessment
·         Operating System Security
·         Cryptography

Mastery of:

·         Firewall ACLs
·         Firewall architecture
·         Firewall generations
·         Proxy services
·         DMZ configuration
·         VPN configuration

·         Remote firewall management.

Source: Management of Information Security by Michael E Whitman and Herbert J. Mattord


Thursday, September 25, 2014

Information Security Policy

Access Control Lists

Access control lists include the user access lists, matrices, and capability tables that govern the rights and privileges of users. ACLs can control access to file storage systems, object brokers, or other network communication devices. A capability table specifies which subjects and objects users or groups can access.
ACLs enable administrators to restrict access according to the user, computer, time, duration, or even a particular file.
ACLs regulate:
·         Who can use the system
·         What authorized users can access
·         When authorized user can access the system
·         Where authorized users can access the system from
·         How authorized users can access system.
Accessing files and applications can be restricted with four types of privileges.
·         Read
·         Write
·         Execute
·         Delete
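An added example (not from the post or the textbook) that turns the who/what/when/where/how questions and the four privileges above into a small default-deny evaluator in Python: each rule names a subject (a user or a group), an object, the privileges granted, a time window, the permitted source networks, and the permitted access methods, and a request is allowed only if some rule matches on every dimension. The users, paths, networks and policy are constructed sample values; the "group:" prefix and the "/*" prefix match are conventions invented for this example.

```python
"""ACL evaluation over who / what / when / where / how (added example).

Each rule grants a subject (a user or a group) a set of privileges on an
object, restricted to a time window, a set of source networks, and a set
of access methods. A request is allowed only if some rule matches on every
dimension; otherwise it is denied. Users, paths, networks and times are
constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Tuple

PRIVILEGES = frozenset({"read", "write", "execute", "delete"})


@dataclass(frozen=True)
class Rule:
    subject: str                 # "alice" or "group:analysts"
    obj: str                     # exact path, or a prefix ending in "/*"
    privileges: FrozenSet[str]   # subset of PRIVILEGES
    start: time                  # when: earliest permitted time of day
    end: time                    # when: latest permitted time of day
    networks: Tuple[str, ...]    # where: CIDR blocks the request may come from
    methods: FrozenSet[str]      # how: e.g. "console", "vpn", "web"


@dataclass(frozen=True)
class Request:
    user: str
    obj: str
    privilege: str
    when: datetime
    source_ip: str
    method: str


class AccessControlList:
    def __init__(self, rules: List[Rule], groups: Dict[str, FrozenSet[str]]):
        for r in rules:
            if not r.privileges <= PRIVILEGES:
                raise ValueError(f"unknown privilege in rule for {r.subject}")
        self.rules = rules
        self.groups = groups

    def _subject_ok(self, rule: Rule, user: str) -> bool:
        if rule.subject.startswith("group:"):
            return user in self.groups.get(rule.subject[len("group:"):], frozenset())
        return rule.subject == user

    @staticmethod
    def _object_ok(rule: Rule, obj: str) -> bool:
        if rule.obj.endswith("/*"):
            return obj.startswith(rule.obj[:-1])
        return rule.obj == obj

    @staticmethod
    def _where_ok(rule: Rule, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in rule.networks)

    def check(self, req: Request) -> bool:
        """Default deny: True only if a rule matches on every dimension."""
        if req.privilege not in PRIVILEGES:
            return False
        t = req.when.time()
        return any(
            self._subject_ok(r, req.user)
            and self._object_ok(r, req.obj)
            and req.privilege in r.privileges
            and r.start <= t <= r.end
            and self._where_ok(r, req.source_ip)
            and req.method in r.methods
            for r in self.rules
        )


# Constructed sample policy.
ACL = AccessControlList(
    rules=[
        Rule("group:analysts", "/logs/*", frozenset({"read"}),
             time(8, 0), time(18, 0), ("10.0.0.0/8",), frozenset({"vpn", "console"})),
        Rule("admin", "/logs/*", PRIVILEGES,
             time(0, 0), time(23, 59, 59), ("10.0.0.0/8",), frozenset({"console"})),
    ],
    groups={"analysts": frozenset({"alice", "bob"})},
)


def demo() -> List[bool]:
    day = datetime(2014, 9, 25, 10, 0)
    night = datetime(2014, 9, 25, 22, 0)
    return [
        ACL.check(Request("alice", "/logs/app.log", "read", day, "10.0.1.5", "vpn")),         # allowed
        ACL.check(Request("alice", "/logs/app.log", "read", night, "10.0.1.5", "vpn")),       # wrong time
        ACL.check(Request("alice", "/logs/app.log", "delete", day, "10.0.1.5", "vpn")),       # no privilege
        ACL.check(Request("alice", "/logs/app.log", "read", day, "203.0.113.9", "vpn")),      # wrong network
        ACL.check(Request("alice", "/logs/app.log", "read", day, "10.0.1.5", "web")),         # wrong method
        ACL.check(Request("carol", "/logs/app.log", "read", day, "10.0.1.5", "vpn")),         # not in group
        ACL.check(Request("admin", "/logs/app.log", "delete", night, "10.0.0.2", "console")),  # allowed
    ]


if __name__ == "__main__":
    print(demo())
```

Every denied request in the demo fails exactly one dimension, which is the useful property of writing the check this way: a log of denials that records which dimension failed gives an administrator a direct view of where access requests deviate from policy.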

Configuration Rules

Configuration rules are instructional codes that guide the execution of the system when information is passing through it. Rule-based policies are more specific to the operation of a system than ACLs are, and they may or may not deal with users directly.
Guidelines for Effective Policy
An effective approach has six stages: development, distribution, review, comprehension, compliance, and uniform enforcement. A policy must be:
·         Developed using industry-accepted practices
·         Distributed using all appropriate methods
·         Read by all employees
·         Understood by all employees
·         Formally agreed to by act or affirmation
·         Uniformly applied and enforced.

Policy Compliance

Policy compliance means the employee must agree to the policy. According to Whitman, policies must be agreed to by act or affirmation. Agreement by act occurs when the employee performs an action that requires them to acknowledge understanding of the policy prior to use of a technology or organizational resource.

Policy Enforcement

The final component of the design and implementation of effective policies is uniform and impartial enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny.

Reference: Management of Information Security by Whitman and Mattord

Saturday, September 20, 2014

Contingency Planning (CP)

The overall process of preparing for unexpected adverse events is called contingency planning. The goal of contingency planning is to restore normal modes of operation with minimal cost and disruption to normal business activities after an unexpected adverse event.
During contingency planning, the information security community and the respective organizational units prepare to detect, react to, and recover from events that threaten the security of the organization's information resources and assets, which include human, information, and capital assets.

Components of CP:

·         Business impact analysis (BIA)
·         Incident response plan (IR plan)
·         Disaster recovery plan (DR Plan)
·         Business Continuity Plan (BC Plan).

According to the NIST recommendation, the following steps are required in developing a CP:

·         Develop the policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
·         Conduct BIA. The BIA helps identify and prioritize information systems and components critical to supporting the organizations mission/business process.
·         Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
·         Develop a contingency plan. The contingency plan should contain detailed guidance and procedures for restoring damaged organizational facilities, unique to each business unit's impact level and recovery requirements.
·         Ensure plan testing, training, and exercises. Testing validates recovery capabilities, whereas training prepares recovery personnel for plan activation and exercising the plan identifies planning gaps; combined, these activities improve plan effectiveness and overall organizational preparedness.
·         Ensure plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.

Reference: Management of Information Security by Whitman and Mattord

Sunday, September 14, 2014

IT Governance and Benefits

According to the Information Technology Governance Institute (ITGI), governance includes all the accountability and methods undertaken by the board of directors. IT governance focuses specifically on information technology systems, their performance, and their risk management.

Benefits of Information Security Governance

  • An increase in share value for organizations
  • Increased predictability and reduced uncertainty of business operations by lowering information-security-related risks to definable and acceptable levels.
  • Protection from the increasing potential for civil or legal liability as result of information inaccuracy or the absence of due care.
  • Optimization of the allocation of limited security resources
  • Assurance of effective Infosec Policy and policy compliance.
  • A firm foundation for efficient and effective risk management, process improvement, and rapid incident response.
  • A level of assurance that critical decisions are not based on faulty information.
  • Accountability for safeguarding information during critical business activities, such as merger and acquisitions, business process recovery, and regulatory response.

Reference: Management of Information Security by Whitman and Mattord

Wednesday, September 3, 2014

Information Security Project Management Areas

Project Scope Management
Project scope management ensures that the project plan includes only those activities that are necessary to complete it. One thing that undermines many projects once they are underway is scope creep. Scope creep occurs when the quantity or quality of project deliverables is expanded from the original project plan.
Project scope management includes:
·         Scope Planning
·         Scope definition
·         Scope verification.
Project Time Management
Project time management entails ensuring that the project is finished by the identified completion date while meeting its objectives. Failure to meet deadlines is one of the most frequently cited failures in project management.
Trimming time or resources from the planned amounts requires reducing the quantity or quality of the deliverables.
Project time management includes:
·         Activity definition
·         Activity sequencing
·         Activity duration estimating
·         Schedule development
·         Schedule control.
Project Cost Management
Cost management includes the processes required to ensure that a project is completed within the resource constraints placed on it. Some projects are planned using a financial budget that covers all resources: personnel, equipment, supplies, and so forth.
Cost management includes:
·         Resource Planning
·         Cost Estimating
·         Cost Budgeting
·         Cost Control
Project Quality Management
Quality management includes the processes required to ensure that the project adequately meets the project specifications.
If the deliverables of the project meet the requirements specified in the project plan, then the project has met its quality objective.
Quality management includes:
·         Quality planning
·         Quality Assurance
·         Quality control.
Project Human Resource Management
Human resource management includes the processes necessary to ensure that the personnel assigned to a project are effectively employed.
Human resource management must address the following factors:
·         Not all workers operate at the same level of efficiency; in fact, wide variance in the productivity of individuals is the norm. Project managers must accommodate the work style of each project resource while encouraging every worker to be as efficient as possible.
·         Not all workers begin the project assignment with the same degree of skill. An astute project manager attempts to evaluate the skill level of some or all of the assigned resources to better match them to the needs of the project plan.
·         Skill mixtures among actual project workers seldom match the needs of the project plan. Therefore in some circumstances, workers may be asked to perform tasks for which they are not necessarily well suited, and those tasks take longer and or cost more than planned.
Information security projects have additional complexities, including:
·         Extended clearances may be required. Some information security projects involve working in sensitive areas of the organization, so project managers may have restrictions placed on which resources can be used.
·         Information security projects deploy technology controls that are new to the organization, and in such cases there is no pool of skilled resources in that area from which to draw.
Human resource management includes the following processes:
·         Organizational planning
·         Staff acquisition
·         Team Development.
Project Communications Management
Communications management includes the processes necessary to convey to all involved parties the details of the activities associated with the project. It covers the creation, distribution, classification, storage, and ultimate destruction of documents, messages, and other associated project information.
Communications management includes the following processes:
·         Communication Planning
·         Information Distribution
·         Performance reporting
·         Administrative closure
Project Risk Management
Risk management includes the processes necessary to assess, mitigate, manage, and reduce the impact of adverse occurrences on the project.
Risk management includes the following processes:
·         Risk identification
·         Risk quantification
·         Risk response development
·         Risk response control
Project Procurement Management
Procurement management includes the processes necessary to acquire the resources needed to complete the project.
Procurement management includes the following processes:
·         Procurement planning
·         Solicitation planning
·         Solicitation.
·         Source selection
·         Contract Administration
·         Contract closeout.

Reference: Management of Information Security by Whitman and Mattord