
MANAGEMENT INFORMATION SYSTEMS (MIS 301)
SPRING 2014-2015
ASSESSMENT 2

Student Name: SUAAD AL MARZOUQI
ID: 20131314

Introduction

However, the same businesses that need these systems also fear false positive
events that will cause a negative business impact. This fear becomes critical when
the dollar value of each Internet-based transaction is high. For large online
companies, the cost associated with one minute of legitimate traffic blocking can
range from a few thousand dollars up to a hundred thousand. These businesses
require special consideration in terms of the false-positive problem.
As in any other information security area, risk analysis is an important activity that
needs to be undertaken before any type of countermeasure is applied to the
network. An online organization that identifies an attack against it should analyze
the following main parameters:
The business impact of the ongoing attack on the organization;
A measure of the impact that the planned security countermeasures will have on
legitimate traffic; and
A comparison between the above two parameters that helps in deciding whether
the countermeasure is business-justified or not.
Analyzing these parameters is not an easy task. It is necessary to consider business
parameters, network traffic characteristic parameters, and false positive scenarios
that could result from the planned security countermeasure.

The ABC Company has many customers who use its products online. The network
security market includes businesses that deploy network intrusion prevention
systems, anti-DDoS (distributed denial of service) network devices and other
security systems that are supposed to detect and automatically block or mitigate
attacks.
Here we will cover emerging network threats and how the security
countermeasures provided by today's network security technologies can block
attacks but, at the same time, can also negatively impact business. We will
continue by presenting a few applicable solutions and technologies that can be
used to measure the business impact and thus avoid a negative impact, by adjusting
security countermeasures for a minimal impact on legitimate business transactions.
These technologies include network behavioral analysis (NBA) systems, Geo-IP
analysis, business analytics and an expert system which, when working in sync, can
potentially allow a security manager to apply security countermeasure rules only
after the rules have been carefully simulated and the expected impact is reviewed.
Finally, we will conclude with a few impact simulation cases.
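The three risk-analysis parameters listed above, and the rule simulation the introduction promises, as a worked example. This is added code, not part of the assignment or of any product it mentions: the traffic sample, the dollar figures and the two rules (a bare rate threshold and a Geo-IP-refined variant of it) are constructed for illustration, and the attack cost is assumed to shrink in proportion to the share of attack sources a rule blocks.

```python
"""Countermeasure impact simulation (added example, not from the assignment).

It computes the three parameters the introduction lists: the business impact
of the ongoing attack, the impact the planned countermeasure has on legitimate
traffic, and the comparison that decides whether the rule is business-justified.
All sources, dollar figures and rules below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    ip: str                 # constructed documentation-range addresses
    country: str            # ISO-style code; "ZZ" is a user-assigned placeholder
    requests_per_min: int   # rate observed from this source
    revenue_per_min: float  # legitimate revenue this source generates per minute
    is_attack: bool         # ground truth, known only inside the simulation


# Constructed one-minute traffic sample for an online shop: two flood sources,
# three ordinary customers and one busy corporate NAT that looks "too fast".
SAMPLE_TRAFFIC = [
    Source("203.0.113.10", "DE", 4, 120.0, False),
    Source("203.0.113.11", "DE", 2, 80.0, False),
    Source("198.51.100.5", "ZZ", 900, 0.0, True),
    Source("198.51.100.6", "ZZ", 850, 0.0, True),
    Source("192.0.2.77", "US", 40, 600.0, False),   # corporate NAT, many users behind it
    Source("192.0.2.78", "BR", 3, 15.0, False),
]


def rate_rule(threshold):
    """Generic filter: block any source sending more than `threshold` requests/min."""
    return lambda s: s.requests_per_min > threshold


def geo_rate_rule(threshold, customer_countries):
    """Geo-IP refined filter: the same rate rule, but never applied to countries
    where the business has paying customers."""
    return lambda s: s.requests_per_min > threshold and s.country not in customer_countries


def simulate(traffic, rule, attack_cost_per_min):
    """Apply `rule` to the sample and return the three decision parameters."""
    blocked = [s for s in traffic if rule(s)]
    attack_total = sum(1 for s in traffic if s.is_attack)
    attack_blocked = sum(1 for s in blocked if s.is_attack)
    # Parameter 1: business impact of the attack that the rule does NOT stop
    # (assumption: attack cost is proportional to the share of attack sources left unblocked).
    unblocked_share = 1.0 if attack_total == 0 else 1.0 - attack_blocked / attack_total
    residual_attack_cost = attack_cost_per_min * unblocked_share
    # Parameter 2: impact of the countermeasure on legitimate traffic (false positives).
    false_positives = [s.ip for s in blocked if not s.is_attack]
    fp_cost = sum(s.revenue_per_min for s in blocked if not s.is_attack)
    # Parameter 3: the comparison; the rule is business-justified only if it avoids
    # more attack cost than it destroys in legitimate revenue.
    avoided_attack_cost = attack_cost_per_min - residual_attack_cost
    return {
        "attack_blocked": attack_blocked,
        "attack_total": attack_total,
        "false_positives": false_positives,
        "fp_cost_per_min": fp_cost,
        "avoided_attack_cost_per_min": avoided_attack_cost,
        "justified": avoided_attack_cost > fp_cost,
    }


if __name__ == "__main__":
    ATTACK_COST = 500.0  # constructed: revenue lost per minute while the flood continues
    for name, rule in [
        ("rate > 30", rate_rule(30)),
        ("rate > 100", rate_rule(100)),
        ("rate > 30, customer countries exempt", geo_rate_rule(30, {"DE", "US", "BR"})),
    ]:
        result = simulate(SAMPLE_TRAFFIC, rule, ATTACK_COST)
        print(f"{name}: blocked {result['attack_blocked']}/{result['attack_total']} attack sources, "
              f"false positives {result['false_positives']}, "
              f"legit loss ${result['fp_cost_per_min']:.0f}/min vs attack cost avoided "
              f"${result['avoided_attack_cost_per_min']:.0f}/min -> justified={result['justified']}")
```

Run as a script, the first rule stops the flood but also blocks the corporate NAT, so its false-positive cost (600/min) exceeds the attack cost it avoids (500/min) and it is not business-justified; raising the threshold, or exempting the countries where customers actually are, stops the same flood with no legitimate loss. The point of running the rule against recorded traffic before deploying it is exactly to see this difference in advance.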

Current Threats and Solutions' Limitations

In the past 20 years, attacks have evolved from exploitation of known operating
system and application vulnerabilities into zero-day attacks, "non-vulnerability"-based
attacks and business-logic attacks. The fact is that financially motivated
cybercrime organizations, activists and individual hackers are all taking advantage
of the evolved multi-dimensional attack vectors (old and new). The evolution of
attacks and attack methods presents a big challenge to attack detection. Having
said that, market demands for real-time mitigation present an even greater
challenge for the following main reasons:

Zero-day Attacks: In a zero-day attack, the vulnerability or the exploit is not yet
known and therefore cannot be detected by traditional security tools, which are
based on a pre-defined knowledge base of known attack patterns. As the attack is
unknown, the only way to try to detect and prevent it is by using generic security
filters that can identify traffic that doesn't comply with the standards of network
and application protocols.

While this approach can, to some extent, uncover suspicious activities that may be part
of a zero-day attack, it can also create a high level of false positives
when blocking this activity. The main reason for this is that in many cases
protocols are not well defined, or even if they are, networking vendors simply don't
follow the protocol rules properly when developing network and application
stacks.

The result is that zero-day security filters will also identify legitimate traffic that
doesn't comply with some of the network or application protocol rules as attack traffic
and will falsely block it. In general, the more generic the security filter (which usually
typifies zero-day security filters), the higher the chance of false
positives, meaning that legitimate transactions will be dropped.
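A small illustration of the false-positive problem just described, added here and not part of the assignment's own material: a strict filter that enforces the same protocol rules on every request blocks a legitimate HTTP/1.0 client that, correctly for its version, sends no Host header, while a filter tuned to the protocol version blocks only the request that is genuinely malformed. The request strings and the result strings returned by the checks are constructed for the example.

```python
"""Generic "protocol compliance" filter and its false positives (added example,
not from the assignment). Two constructed checks on raw HTTP requests: a strict
one that enforces HTTP/1.1 rules uniformly, and a tuned one that knows that
HTTP/1.0 clients legitimately omit the Host header. All requests are constructed.
"""
import re

# RFC 7230 "token" characters, valid for methods and header field names.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
REQUEST_LINE_RE = re.compile(r"^([^ ]+) ([^ ]+) HTTP/(1\.[01])$")


def parse_request(raw):
    """Split a raw request into (method, target, version, headers), or return
    None when the message is not even structurally an HTTP request."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        return None
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers.append((name, value.strip()))
    return m.group(1), m.group(2), m.group(3), headers


def protocol_filter(raw, host_required_versions):
    """Block requests that break the protocol rules; Host is demanded only for
    the versions listed in `host_required_versions`."""
    parsed = parse_request(raw)
    if parsed is None:
        return "blocked: malformed request"
    method, _target, version, headers = parsed
    if not TOKEN_RE.match(method):
        return "blocked: invalid method token"
    for name, _value in headers:
        if not TOKEN_RE.match(name):
            return f"blocked: invalid header name {name!r}"
    if version in host_required_versions and not any(n.lower() == "host" for n, _ in headers):
        return "blocked: missing Host header"
    return "allowed"


def strict_filter(raw):
    """Zero-day style generic filter: every request must carry Host."""
    return protocol_filter(raw, {"1.0", "1.1"})


def tuned_filter(raw):
    """Same checks, but Host is required only where HTTP/1.1 requires it."""
    return protocol_filter(raw, {"1.1"})


# Constructed traffic: an old load-balancer health check (HTTP/1.0, no Host),
# an ordinary browser request, and a request whose header name contains a space.
HEALTH_CHECK_10 = "GET /health HTTP/1.0\r\nUser-Agent: lb-probe\r\n\r\n"
BROWSER_11 = "GET /cart HTTP/1.1\r\nHost: shop.example\r\nAccept: text/html\r\n\r\n"
MALFORMED = "GET /cart HTTP/1.1\r\nHost: shop.example\r\nBad Name: x\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("health check", HEALTH_CHECK_10), ("browser", BROWSER_11),
                       ("malformed", MALFORMED)]:
        print(f"{label:12s} strict={strict_filter(req):35s} tuned={tuned_filter(req)}")
```

The strict filter is the kind of "generic" rule the text warns about: it is right about the malformed request, but it also drops the health check, and if that probe comes from the load balancer the false positive takes the whole site out of rotation. The tuned filter encodes what the protocol actually requires for each version and keeps the genuine detection.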

"Non-vulnerability-based" Attacks: Non-vulnerability-based attacks represent a
relatively newer generation of attacks. These types of attacks look "completely"
legitimate. Each transaction complies with the network and protocol rules. It is
only the rate, or sequence of transactions and transaction types, which identifies
them as malicious. As they are well integrated into legitimate forms of applications,
the separation between legitimate and non-legitimate traffic becomes vague, and so
do the security filters that are responsible for mitigating these attacks. This results
in a higher probability of false positive events that will eventually block
legitimate transactions.

Examples of "non-vulnerability"-based attacks include advanced network and
application level DDoS attacks, dictionary and brute-force attacks (such as
user/pass cracking and application scanning) and business intelligence gathering
activities.
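A worked example of the rate-and-sequence distinction, added here and not the assignment's material: every login attempt in the constructed log below is well-formed, and only a behavior rule separates the source guessing one password against many accounts from a corporate NAT (several employees mistyping, then succeeding) and from a single user who forgot a password. The log format, addresses, window and thresholds are assumed for the example.

```python
"""Behaviour rules for a "non-vulnerability" attack (added example, not from the
assignment). Every login request below is well-formed; only the rate and the
sequence of attempts distinguish a password-spraying source from a corporate NAT
or a user who forgot a password. The log lines are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(lines):
    """Parse 'timestamp ip user FAIL|OK' lines; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Attempt(datetime.fromisoformat(m.group(1)), m.group(2),
                                  m.group(3), m.group(4) == "OK"))
    return events


def rate_only(window, max_failures=5):
    """Rate rule alone: too many failures from one source inside the window."""
    return sum(1 for e in window if not e.ok) > max_failures


def rate_and_sequence(window, max_failures=5, min_users=5):
    """Rate plus sequence: many failures, spread over many distinct accounts,
    and not a single success from that source inside the window."""
    failures = [e for e in window if not e.ok]
    return (len(failures) > max_failures
            and len({e.user for e in failures}) >= min_users
            and not any(e.ok for e in window))


def scan(events, rule, window_seconds=60):
    """Slide a window over each source's attempts; return the set of IPs the rule flags."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e.ts)
        for i, first in enumerate(attempts):
            window = [e for e in attempts[i:]
                      if (e.ts - first.ts).total_seconds() <= window_seconds]
            if rule(window):
                flagged.add(ip)
                break
    return flagged


def constructed_log():
    """Three constructed sources: a spraying attacker, a corporate NAT, a forgetful user."""
    lines = []
    # 203.0.113.9: one guess against twelve different accounts, two seconds apart.
    for i in range(12):
        lines.append(f"2015-03-01T10:00:{2 * i:02d} 203.0.113.9 user{i:02d} FAIL")
    # 192.0.2.20: four employees behind one NAT each mistype twice, then log in.
    for i, user in enumerate(["ann", "bob", "cy", "dee"]):
        base = 15 * i
        lines.append(f"2015-03-01T10:00:{base:02d} 192.0.2.20 {user} FAIL")
        lines.append(f"2015-03-01T10:00:{base + 3:02d} 192.0.2.20 {user} FAIL")
        lines.append(f"2015-03-01T10:00:{base + 6:02d} 192.0.2.20 {user} OK")
    # 10.0.0.5: one user fails six times in 30 seconds, then remembers the password.
    for i in range(6):
        lines.append(f"2015-03-01T10:00:{5 * i:02d} 10.0.0.5 alice FAIL")
    lines.append("2015-03-01T10:01:10 10.0.0.5 alice OK")
    return lines


if __name__ == "__main__":
    events = parse_log(constructed_log())
    print("rate only        :", sorted(scan(events, rate_only)))
    print("rate and sequence:", sorted(scan(events, rate_and_sequence)))
```

The rate-only rule flags all three sources; blocking them would lock out a whole office and a legitimate customer to stop one attacker. Adding the sequence conditions (many distinct accounts, no success at all) keeps only the spraying source, which is the kind of "behavior" filter the text says these attacks require. The forgetful user is still a candidate for a per-account control such as a temporary lockout, but that is a different rule with a different false-positive cost.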

Business Logic Attacks: This attack category can be considered part of the
"non-vulnerability"-based attack family, but it is more focused on fraud rather than DoS
and information theft. These attacks abuse the functionality of the application, aiming at
the business directly. As in the case of non-vulnerability-based attacks, they don't
contain any malformed requests and therefore it is even more difficult to form an
effective, accurate security filter that will mitigate them without blocking legitimate
transactions at the same time.
In an OWASP (Open Web Application Security Project) article, "Testing for
Business Logic," these business logic attacks were outlined. "Business logic can
have security flaws that allow a user to do something that isn't allowed by the
business. Frequently these business logic checks simply are not present in the
application."
As can be understood from the above, as long as attackers try to blend into
legitimate use of applications, it is harder to detect them accurately.
Security solutions are responsible for covering all types of threats, including the
more challenging ones such as the zero-day and non-vulnerability-based attacks.
Mitigation of these attack types requires the solution to be able to define security
filters that include "behavior" rules, rather than just sequences of bytes in the
content. Behavior rules should typically include the rate of application requests, the
sequence in which these requests are generated in each transaction, and the
request types. Behavior is harder to predict and therefore is also harder to
accurately define.

Security managers are increasingly being required to ensure that
their organization's information systems and data can survive a disaster. In order to
accomplish this, security managers are conducting disaster-recovery projects which
identify critical information systems, tasks and processes, and define in what order
and how quickly they must be recovered after a disaster.
A key requirement for a successful disaster-recovery project is conducting an
effective business impact analysis (BIA). This article presents an overview of the
BIA process and how to conduct an effective one.
A BIA is a systematic process by which an organization gathers and analyzes
information about its essential functions and processes (applications, data,
networks, information systems, facilities, etc.). This information is then used to
determine how the organization would be impacted if these functions and
processes were interrupted by a disaster.
Identifying Assets and Vulnerabilities to Known Threats

Assessing an organization's security needs also includes determining its
vulnerabilities to known threats. This assessment entails recognizing the types of
assets that an organization has, which will suggest the types of threats it needs to
protect itself against. Following are examples of some typical asset/threat
situations:

The security administrator of a bank knows that the integrity of the bank's
information is a critical asset and that fraud, accomplished by compromising
this integrity, is a major threat. Fraud can be attempted by inside or outside
attackers.

The security administrator of a Web site knows that supplying information
reliably (data availability) is the site's principal asset. The threat to this
information service is a denial of service attack, which is likely to come
from an outside attacker.

A law firm security administrator knows that the confidentiality of its
information is an important asset. The threat to confidentiality is intrusion
attacks, which might be launched by inside or outside attackers.

A security administrator in any organization knows that the integrity of
information on the system could be threatened by a virus attack. A virus
could be introduced by an employee copying games to his work computer or
by an outsider in a deliberate attempt to disrupt business functions.

Identifying Likely Attack Methods, Tools, and Techniques

Listing the threats (and most organizations will have several) helps the security
administrator to identify the various methods, tools, and techniques that can be
used in an attack. Methods can range from viruses and worms to password and
email cracking. It is important that administrators update their knowledge of this
area on a continual basis, because new methods, tools, and techniques for
circumventing security measures are constantly being devised.
Establishing Proactive and Reactive Strategies

For each method, the security plan should include a proactive strategy as well as
a reactive strategy.
The proactive or pre-attack strategy is a set of steps that helps to minimize existing
security policy vulnerabilities and develop contingency plans. Determining the
damage that an attack will cause on a system and the weaknesses and
vulnerabilities exploited during this attack helps in developing the proactive
strategy.
The reactive strategy or post-attack strategy helps security personnel to assess the
damage caused by the attack, repair the damage or implement the contingency plan
developed in the proactive strategy, document and learn from the experience, and
get business functions running as soon as possible.
Testing

The last element of a security strategy, testing and reviewing the test outcomes, is
carried out after the reactive and proactive strategies have been put into place.
Performing simulated attacks on a test or lab system makes it possible to assess
where the various vulnerabilities exist and to adjust security policies and controls
accordingly.
These tests should not be performed on a live production system because the
outcome could be disastrous. Yet the absence of labs and test computers due to
budget restrictions might preclude simulating attacks. In order to secure the
necessary funds for testing, it is important to make management aware of the risks
and consequences of an attack as well as the security measures that can be taken to
protect the system, including testing procedures. If possible, all attack scenarios
should be physically tested and documented to determine the best possible security
policies and controls to be implemented.
Certain threats, such as natural disasters like floods and lightning, cannot be
tested, although a simulation will help. For example, simulate a fire in the server
room that has resulted in all the servers being damaged and lost. This scenario can
be useful for testing the responsiveness of administrators and security personnel,
and for ascertaining how long it will take to get the organization functional again.
Testing and adjusting security policies and controls based on the test results is an
iterative process. It is never finished and should be evaluated and revised
periodically so that improvements can be implemented.

Definition of Biometric Authentication

Biometric authentication is any process that validates the identity of a user who
wishes to sign into a system by measuring some intrinsic characteristic of that user.
Biometric samples include fingerprints, retinal scans, face recognition, voice
prints and even typing patterns.
Biometric authentication depends on the measurement of some unique attribute of the
user. Such systems presume that these user characteristics are unique, that they cannot be
recorded and reproduced later, and that the sampling device is tamper-proof.

Types of Biometrics

A number of biometric methods have been introduced over the years, but few have
gained wide acceptance.
Signature dynamics. Based on an individual's signature, but considered
unforgeable because what is recorded isn't the final image but how it is produced,
i.e., differences in pressure and writing speed at various points in the signature.
Typing patterns. Similar to signature dynamics but extended to the keyboard,
recognizing not just a password that is typed in but the intervals between characters
and the overall speed and pattern. This is akin to the way World War II
intelligence analysts could recognize a specific covert agent's radio transmissions
by his "hand" -- the way he used the telegraph key.


Eye scans. This favorite of spy movies and novels presents its own problems. The
hardware is expensive and specialized, and using it is slow and inconvenient and
may make users uneasy.
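A toy typing-pattern matcher, added here and not taken from the assignment or from any product it names. It enrols the intervals between key presses, verifies later attempts against that profile, and shows a failure mode the text returns to later: a user who types slower than usual (tired, ill) is falsely rejected when absolute timings are compared, but accepted when only the rhythm is compared. All timing samples, the distance measure and the threshold are constructed for the example.

```python
"""Typing-pattern (keystroke dynamics) matching (added example, not from the
assignment). Enrols a user from inter-key intervals, verifies later attempts,
and shows why a uniformly slower typist is falsely rejected by an absolute
comparison but accepted by a rhythm-only one. All timings are constructed.
"""
from statistics import mean

# Milliseconds between consecutive key presses while typing one fixed phrase
# (constructed enrolment samples from the same user on three different days).
ENROLMENT_SAMPLES = [
    [120, 140, 110, 130, 150, 125, 135],
    [125, 135, 115, 128, 145, 130, 140],
    [118, 142, 108, 132, 152, 122, 130],
]
GENUINE_ATTEMPT = [122, 138, 112, 131, 148, 127, 134]
SLOW_DAY_ATTEMPT = [round(1.4 * x) for x in GENUINE_ATTEMPT]   # same rhythm, 40% slower
IMPOSTOR_ATTEMPT = [80, 200, 60, 220, 90, 210, 70]             # a different rhythm


def enroll(samples):
    """Profile = mean interval at each key position across the enrolment samples."""
    return [mean(s[i] for s in samples) for i in range(len(samples[0]))]


def normalize(intervals):
    """Express each interval as a share of the total, removing overall typing speed."""
    total = sum(intervals)
    return [x / total for x in intervals]


def relative_distance(profile, attempt):
    """Mean relative deviation from the profile; 0.0 is a perfect match."""
    return mean(abs(a - p) / p for p, a in zip(profile, attempt))


def verify(profile, attempt, threshold=0.15, speed_invariant=False):
    """Return (accepted, distance). A lower threshold rejects more impostors but
    also more genuine users on a bad day; a higher one does the opposite."""
    if len(attempt) != len(profile):
        return False, float("inf")
    if speed_invariant:
        distance = relative_distance(normalize(profile), normalize(attempt))
    else:
        distance = relative_distance(profile, attempt)
    return distance <= threshold, distance


if __name__ == "__main__":
    profile = enroll(ENROLMENT_SAMPLES)
    for label, attempt in [("genuine", GENUINE_ATTEMPT), ("slow day", SLOW_DAY_ATTEMPT),
                           ("impostor", IMPOSTOR_ATTEMPT)]:
        for invariant in (False, True):
            accepted, d = verify(profile, attempt, speed_invariant=invariant)
            print(f"{label:8s} speed_invariant={invariant!s:5s} distance={d:.3f} accepted={accepted}")
```

With absolute timings the slow-day attempt sits about 0.4 away from the profile and is rejected at the 0.15 threshold, a false reject caused by nothing more than the user's condition; raising the threshold far enough to admit it would also come close to admitting the impostor (about 0.5 away). Comparing only the rhythm removes a uniform slowdown and keeps the impostor out. A change that is not uniform (one finger stiff, a different keyboard) would still cause false rejects, which is why deployments tune the threshold against measured false-accept and false-reject rates rather than picking one by hand.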


The advantages of biometrics are that the person is the key, so you need never
remember your card or key again. Each body part is unique, and biometrics uses
your unique identity to enable a purchase, activate something or unlock something.
Biometrics encompasses voice, vein, eye, fingerprint, facial recognition and
more.
The disadvantages are numerous, however: criminals have been known to remove
fingers to open biometric locks; biometrics requires a lot of data to be kept on a
person; and these systems are not always reliable, as human beings change over time.
If you are ill (eyes puffy, voice hoarse) or your fingers are rough from laboring, for
example, it may be more difficult for the machinery to identify you accurately.
Every time you use biometrics you are being tracked by a database, bringing up a
range of privacy issues. The final disadvantage is the expense and technical
complexity of such systems.

Disadvantages of a biometric system

The fingerprints of people working in chemical industries are often
affected. Therefore these companies should not use the fingerprint mode of
authentication.

It is found that with age, the voice of a person changes. Also, when the person
has flu or a throat infection the voice changes, or if there is too much noise in the
environment this method may not authenticate correctly. Therefore this method
of verification is not workable all the time.

For people affected with diabetes, the eyes get affected, resulting in
differences.

Biometrics is an expensive security solution.

Advantages of a biometric system:

Increase security - provide a convenient and low-cost additional tier of
security.

Reduce fraud by employing hard-to-forge technologies and materials, for
example by minimising the opportunity for ID fraud and buddy punching.

Eliminate problems caused by lost IDs or forgotten passwords by using
physiological attributes, for example by preventing unauthorized use of lost, stolen or
"borrowed" ID cards.

Reduce password administration costs.

Replace hard-to-remember passwords which may be shared or observed.

Integrate a wide range of biometric solutions and technologies, customer
applications and databases into a robust and scalable control solution for facility
and network access.

Make it possible, automatically, to know WHO did WHAT, WHERE and
WHEN!

Offer significant cost savings or increased ROI in areas such as Loss
Prevention or Time & Attendance.

Unequivocally link an individual to a transaction or event.
