
Introduction

There is increased dependence worldwide on information technology (IT) and IT-based services for public and private sectors.

The modern IT infrastructure as we know it today has evolved over the years:
- In the mid 1940s, huge computers could not even do what our small calculators can do today
- We then moved on to mainframe technology
- Internet access increased
- Shift of focus from centralized to decentralized, distributed, network computing
- Drop in hardware prices; desktop computers with fast processors, more memory, high capacity
- Cloud computing, mobile computing etc.; we are talking about Software as a Service (SaaS) technologies

This has brought countless issues:
- Exposure to cyber threats also increases
- Complexity in managing security: Confidentiality, Integrity, and Availability (C.I.A)

Objectives of IT Security

- Confidentiality
- Integrity
- Availability

Confidentiality, integrity, and availability (CIA) is a model designed to guide policies for information security within an organization. In this context,
- Confidentiality is a set of rules that limits access to information,
- Integrity is the assurance that the information is trustworthy and accurate, and
- Availability is a guarantee of ready access to the information by authorized people.
The model is sometimes known as the CIA triad.

Objectives of IT Security: Confidentiality

Keeping important information secret and restricted to only those people who are authorized to access and view that information. Confidentiality prevents sensitive information from reaching the wrong people, while making sure that the right people can in fact get it. A good example is an account number or routing number when banking online.

Data encryption is a common method of ensuring confidentiality. User IDs and passwords constitute a standard procedure; two-factor authentication is becoming the norm and biometric verification is an option as well. In addition, users can take precautions to minimize the number of places where the information appears, and the number of times it is actually transmitted to complete a required transaction.

User Levels in Organizations

Objectives of IT Security: Integrity

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people. In addition, some means must be in place to detect any changes in data that might occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash. If an unexpected change occurs, a backup copy must be available to restore the affected data to its correct state.

Keeping information in its true form, and stopping unauthorized changes to it. Examples:
- Bank account: someone may change the balance of an account.
- GCUF CMS: a change in marks, etc.
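As an added example (not from the slides), the Python below shows the two integrity controls the slide names working together: a keyed fingerprint (HMAC-SHA256 over a canonical encoding of each record) that detects any change, and a backup copy used to restore the correct state once a change is detected. The sample records (a bank balance and a student's marks), the key and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed sample records (hypothetical), mirroring the slide's bank-balance
# and student-marks examples.
RECORDS = {
    "acct-1001": {"owner": "A. Khan", "balance": 40000},
    "student-77": {"name": "B. Ali", "marks": {"CS101": 68}},
}

# Placeholder integrity key. In practice it lives outside the data store, so that
# whoever can edit a record cannot also recompute its fingerprint.
INTEGRITY_KEY = b"placeholder-integrity-key-keep-out-of-the-database"


def fingerprint(record):
    """Keyed SHA-256 fingerprint over a canonical JSON encoding.

    Sorted keys and no whitespace mean two records with the same content always
    fingerprint identically, so any changed value is detected and field order
    cannot hide a change.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def snapshot(records):
    """Record the known-good state: a backup copy plus one fingerprint per record."""
    return {
        "copy": deepcopy(records),
        "digests": {key: fingerprint(rec) for key, rec in records.items()},
    }


def verify(records, snap):
    """Return the keys whose current content no longer matches the stored fingerprint."""
    return sorted(
        key for key, rec in records.items()
        if not hmac.compare_digest(fingerprint(rec), snap["digests"].get(key, ""))
    )


def restore(records, snap, keys):
    """Restore the given records from the backup copy; return the keys restored."""
    for key in keys:
        records[key] = deepcopy(snap["copy"][key])
    return list(keys)


def integrity_demo():
    """Tamper with two records, detect it, restore them, and re-verify."""
    live = deepcopy(RECORDS)
    snap = snapshot(live)
    clean = verify(live, snap)                      # nothing changed yet -> []

    # Unauthorized changes of the kind the slide describes
    live["acct-1001"]["balance"] = 60000
    live["student-77"]["marks"]["CS101"] = 95

    tampered = verify(live, snap)                   # both records flagged
    restore(live, snap, tampered)
    after_restore = verify(live, snap)              # [] again
    return clean, tampered, after_restore, live["acct-1001"]["balance"]


if __name__ == "__main__":
    print(integrity_demo())
```

The fingerprint is keyed rather than a bare hash because a plain hash stored next to the data can simply be recomputed by whoever altered the record; keeping the key (and the backup copy) under separate control is what makes the check meaningful.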

Objectives of IT Security: Availability

Availability is best ensured by carefully maintaining all hardware, performing hardware repairs immediately when needed, providing a certain measure of redundancy and failover, providing adequate communications bandwidth and preventing the occurrence of bottlenecks, implementing emergency backup power systems, keeping current with all necessary system upgrades, and guarding against malicious actions such as denial-of-service (DoS) attacks.

Services, applications, webpages, etc. must stay available:
- Smooth running of the network, like broadband
- We make sure devices are always available (resilient)
- Services remain up
- Disaster Recovery and BCM (Business Continuity Management): making sure that business services are always running; in case of disaster there will be another site, named the disaster recovery site, to which the data will be switched.

Three Foundations of IT Security

People: who we are

People who use or interact with the ICT infrastructure include:
- Shareholders / Owners
- Management
- Employees
- Business Partners
- Service providers
- Contractors
- Customers / Clients
- Regulators etc.

Process: what we do

The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives. Typical processes in our ICT infrastructure could include:
- Helpdesk / Service management
- Incident Reporting and Management
- Change Requests process
- Request fulfillment
- Access management
- Identity management
- Service Level / Third-party Services Management

Technology: what we use to improve what we do

The IT infrastructure today could consist of the following components:

Physical security components:
- CCTV cameras
- Clock-in systems / Biometrics
- Environmental management systems: humidity control, ventilation, air conditioning, fire control systems
- Electricity / Power backup

Access devices:
- Desktop computers
- Laptops, ultra-mobile laptops and PDAs
- Digital cameras, printers, scanners, photocopiers etc.

Technology

Network infrastructure:
- Cabling, data/voice networks and equipment
- Telecommunications services, including VoIP services, broadband, video conferencing
- Server computers and associated storage devices
- Operating software for server computers
- Communications equipment and related hardware
- Intranet and Internet connections
- VPNs and virtual environments
- Remote access services
- Wireless connectivity

Application software:
- Finance and assets systems, including accounting packages, inventory management, HR systems, assessment and reporting systems
- Software as a Service (SaaS), instead of software as a packaged or custom-made product, etc.

What are the Challenges & Current Threats?

Challenges

Globalization and jurisdiction issues on cyber crime
- There are no borders, no need for visas
- Conflicting or non-existing regulations
- Cultural differences and varying degrees of technological maturity

IT security arms race: the bad guy is motivated
- The adversary is able to focus time and money on attacks, while the target has to prioritize spending on IT security among other budget items.

Blended cyber threats: changing attacks
- Technology and methods of attack are always changing, and can combine several methods of attack.

The Threats

People
Process
Technology

The Threats - People

Security is a chain, and People are the weakest link in the chain

IT security threats and attacks caused by the human factor:

Social Engineering: This is the act of tricking someone into giving sensitive or confidential info that may be used against the company.

Insider threats: perhaps the most difficult category of threats, since the perpetrators are already inside the organization. For example, a disgruntled employee could sell the company's client database to the competition. This includes outsourcing vendors as well, and employees introducing malware.

Application and Infrastructure Abuse: Employees continue to misuse and abuse IT resources
- Instant messaging (IM), e.g. Yahoo, MSN, Skype etc.
- P2P file sharing applications, e.g. BitTorrent, Kazaa, BearShare, Limewire etc.
- Employee Internet misuse, e.g. Facebook, Twitter, YouTube etc.

The Threats - People

Data Diddling: is the act of modifying information, programs, or documents to commit fraud; it tampers with INPUT data. For example, a cashier enters an amount of Rs. 40,000/= into the cash register, but really charges the customer Rs. 60,000/= and keeps the extra Rs. 20,000/=.

Salami attack: one in which an attacker commits several small crimes with the hope that the overall larger crime will go unnoticed. For example, a bank employee may alter a banking software program to subtract 5 paisa from each of the bank's customer accounts once a month, such that the debit could be represented as a service charge, and move it to some other bank account. If this happened to all of the bank's 50,000 customer accounts, the intruder could make up to Rs. 30,000 a year.
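As an added example, not from the slides, the Python below models how a bank's reconciliation job could surface the salami scheme just described: it projects the annual loss from the slide's own figures (5 paisa, 50,000 accounts, once a month) and scans a constructed transaction feed for a beneficiary that collects many tiny debits from many distinct customer accounts. The transaction layout, account names, thresholds and the allowlist of legitimate fee accounts are assumptions made for the illustration.

```python
from collections import defaultdict
from decimal import Decimal


def project_annual_loss(per_debit, accounts, debits_per_year=12):
    """Total skimmed per year: amount per debit x accounts x debits per year."""
    return per_debit * accounts * debits_per_year


def slide_figures_annual_loss():
    """The slide's numbers: Rs. 0.05 (5 paisa) x 50,000 accounts x 12 months."""
    return project_annual_loss(Decimal("0.05"), 50000)


# Constructed transaction feed (hypothetical):
# (source_account, destination_account, amount_in_rupees, memo)
TRANSACTIONS = [
    ("CUST-00001", "UTIL-POWER", Decimal("1500.00"), "electricity bill"),
    ("CUST-00002", "CUST-00001", Decimal("250.00"), "transfer"),
]
# Ten customers pay a legitimate Rs. 0.50 SMS-alert fee to the bank's own fee account.
TRANSACTIONS += [(f"CUST-{i:05d}", "BANK-FEES", Decimal("0.50"), "sms alert fee")
                 for i in range(10)]
# Two hundred customers each lose 5 paisa, labelled "service charge", to one outside account.
TRANSACTIONS += [(f"CUST-{i:05d}", "ACC-SHADOW", Decimal("0.05"), "service charge")
                 for i in range(200)]

# Accounts that are expected to collect small fees from many customers (assumed allowlist).
KNOWN_FEE_ACCOUNTS = {"BANK-FEES"}


def find_salami_beneficiaries(transactions, small_amount=Decimal("1.00"),
                              min_sources=50, allowlist=KNOWN_FEE_ACCOUNTS):
    """Return {destination: (distinct_sources, total)} for every destination that
    receives small amounts from at least `min_sources` different accounts and is
    not a known fee account. Many tiny debits fanning in to one account is the
    signature the individual debits are designed to hide."""
    by_dest = defaultdict(lambda: {"sources": set(), "total": Decimal("0")})
    for src, dst, amount, _memo in transactions:
        if amount <= small_amount and dst not in allowlist:
            by_dest[dst]["sources"].add(src)
            by_dest[dst]["total"] += amount
    return {
        dst: (len(info["sources"]), info["total"])
        for dst, info in by_dest.items()
        if len(info["sources"]) >= min_sources
    }


if __name__ == "__main__":
    print("projected loss per year: Rs.", slide_figures_annual_loss())
    print(find_salami_beneficiaries(TRANSACTIONS))
```

Money is handled with Decimal rather than float so that 200 additions of 0.05 sum to exactly 10.00; the detection keys on the fan-in of distinct source accounts, not on the size of any single debit, which is why the attack's "too small to notice" premise does not help it here.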

Trap Door / Maintenance hooks: An undocumented access path through a system, usually made by application developers. This typically bypasses the normal security mechanisms and can be used to gain access later on.

The Threats - People

Hackers / Crackers / Phreakers: Hackers sometimes break into networks for the thrill of the challenge (script kiddies), or for bragging rights in the hacker community. Crackers aim at financial gain. Phreakers break into telecommunication infrastructure like public telephone systems or a company's.

Publication of illegal content: Involves dissemination of unacceptable content online, including racist material, terrorist literature, etc.

Shoulder Surfing: Is a technique in which the attacker looks over someone's shoulder to obtain passwords, information, PINs and other security codes being entered. Shoulder surfing can also be done at long distance with the aid of binoculars or other vision-enhancing devices.

Wire tapping: Most communication signals can be vulnerable to some type of wire tapping or eavesdropping, using tools like cellular scanners, radio receivers, telephone tapping devices etc.

Dumpster diving: the practice of going through commercial or residential trash to find items, documents or records that have been discarded by their owners, but which may be useful to the dumpster diver.


The Threats

People
Process
Technology

The Threats - Process

This section looks at weaknesses in the business processes which could lead to attacks on the infrastructure:

Failure to develop an Information Systems Security Program:
Organizations should develop an Information Systems Security program that documents the policy, procedures, standards etc. for protecting the concerned assets. Issues that arise due to lack of a proper security program could include:
1. Lack of security awareness
2. Concentration of duties
3. Lack of ways to detect fraud
4. Security through obscurity: the idea that an attacker might fail to see loopholes

The Threats - Process

Excessive User Rights / Privileges: Excessive user rights or privileges is a very common security issue that has become increasingly hard to control. It occurs if a user has more access rights than necessary, beyond the necessary need to know.

Unencrypted Laptops and Removable Media: Loss of laptops and removable media has become a major liability for corporations and government agencies as well as for general consumers. All too frequently, a major loss of personal or identifying information is traced back to the loss of a single laptop or piece of removable media.

The Threats

People
Process
Technology

The Threats - Technology

Technology could be a powerful enabler of business productivity, as well as a catalyst for crime activity:

Access Control attacks:
Access control is the process that involves:
- Identifying who one is - Identification
- Proving that they are who they say they are - Authentication
- Being granted access to those areas of the system where they are supposed to have access - Authorization
This process could be compromised by any of the following attacks:
1. A dictionary attack uses a brute-force technique of successively trying all the words in an exhaustive list (from a pre-arranged list of values); brute force is trying every possible combination.
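As an added example, not from the slides, this Python models the three access-control steps above (identification, authentication, authorization) together with the controls that address two threats the deck raises: the "Excessive User Rights" item on the Process slide, answered here by role-based authorization that grants only what a job needs, and the dictionary / brute-force attack in point 1, blunted here by storing passwords as salted PBKDF2 hashes and locking the account after repeated wrong guesses. The usernames, password, roles, permissions and thresholds are constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000     # assumed work factor for the demo
MAX_FAILED_ATTEMPTS = 5         # assumed lockout threshold

# Role -> permitted actions (constructed). Each role gets only what its job needs,
# so a teller cannot change balances even with a valid login.
ROLE_PERMISSIONS = {
    "teller":  {"view_balance"},
    "auditor": {"view_balance", "view_ledger"},
    "admin":   {"view_balance", "view_ledger", "change_balance"},
}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt when none is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccessControl:
    def __init__(self):
        # username -> salt, digest, role, failed-attempt counter, lock flag
        self.users = {}

    def add_user(self, username, password, role):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "role": role,
                                "failed": 0, "locked": False}

    def login(self, username, password):
        """Steps 1 and 2: identification, then authentication.
        Returns the username on success, None on failure or while locked."""
        user = self.users.get(username)                        # 1. identification
        if user is None or user["locked"]:
            return None
        _, digest = hash_password(password, user["salt"])
        if not hmac.compare_digest(digest, user["digest"]):    # 2. authentication
            user["failed"] += 1
            if user["failed"] >= MAX_FAILED_ATTEMPTS:
                user["locked"] = True                          # stop the guessing loop
            return None
        user["failed"] = 0
        return username

    def authorize(self, username, action):
        """Step 3: authorization, decided purely by the user's role."""
        user = self.users.get(username)
        return user is not None and action in ROLE_PERMISSIONS[user["role"]]


def access_control_demo():
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery staple", "teller")

    logged_in = ac.login("alice", "correct horse battery staple")     # "alice"
    can_view = ac.authorize("alice", "view_balance")                  # True
    can_change = ac.authorize("alice", "change_balance")              # False: not a teller's job

    # Five wrong guesses, as a word-list attack against the login would produce
    for guess in ["password", "123456", "qwerty", "letmein", "welcome"]:
        ac.login("alice", guess)
    locked = ac.users["alice"]["locked"]                               # True
    while_locked = ac.login("alice", "correct horse battery staple")   # None

    return logged_in, can_view, can_change, locked, while_locked


if __name__ == "__main__":
    print(access_control_demo())
```

Two details matter in practice: the digest comparison uses hmac.compare_digest so response time does not leak how many bytes matched, and a hard lockout can itself be turned against a user (anyone can lock an account by guessing wrongly), so production systems usually pair a lockout with throttling or back-off and an alert rather than relying on the lock alone.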

The Threats - Technology

2. Spoofing at login: A technique used by an attacker to present a fake login screen, often tricking the user to try and login. The credentials are stored somewhere for the attacker to use later.

The Threats - Technology

Email and Instant Messaging Redirectors: Email redirectors are programs that intercept and relay outgoing emails, and send an additional copy to an unintended address to which an attacker has access. Instant messaging redirectors monitor instant messaging applications and transmit transcripts to an attacker.

Session hijacking attack: Session hijacking refers to an attack in which a legitimate user session is commandeered.

System Reconfiguration Attacks / Ransomware: System reconfiguration attacks, such as hostname lookup attacks and proxy attacks, modify settings on a user's computer to cause information to be compromised. Ransomware can encrypt data and extort money from the target in order to restore it.

Rootkits: refers generally to any software that hides the presence and activity of malicious software.

The Threats - Technology

Man-in-the-Middle Attacks: A man-in-the-middle attack refers generally to an attack in which the attacker positions himself between two communicating parties and gleans information to which he should not have access.

Zero Day Attacks: A zero day vulnerability occurs when a flaw in software code has been discovered and exploits of the flaw appear before a fix or patch is available. Once a working exploit of the vulnerability is released into the wild, users of the affected software will be compromised until a software patch is available or some form of mitigation is taken by the user.

Phishing attack: is a process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Keyloggers and Screenloggers: Programs installed on a victim's machine that record every keystroke that a user makes. Used to steal login details.

The Threats - Technology

Content Injection Attacks: Content injection refers to inserting malicious content into a legitimate site. In addition to deceptive actions such as redirecting to other malicious sites, malicious content can install crimeware on a user's computer through a web browser vulnerability or by social engineering, such as asking a user to download and install anti-virus software that actually contains crimeware. Examples include:
1. Cross-Site Scripting (XSS):
Cross-site scripting, better known as XSS, is the most pernicious and easily found web application security issue. XSS allows attackers to deface web sites, insert hostile content, conduct phishing attacks, take over the user's browser using JavaScript malware, and force users to conduct commands not of their own choosing - an attack known as Cross-Site Request Forgery (CSRF).

2. SQL Injection:
Injections, particularly SQL injections, are common in web applications. Injections are possible due to intermingling of user-supplied data within dynamic queries or within poorly constructed stored procedures.

Cross-Site Scripting
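The following Python, added here and not part of the slides, puts the two injection classes above side by side: a lookup that intermingles user-supplied data with the SQL text (the defect point 2 describes) next to its parameterized form, and a page fragment that reflects user text unescaped (the way point 1's hostile content gets into a page) next to the escaped form. It uses only the standard library's sqlite3 and html modules on a constructed in-memory users table; the table, rows and function names are assumptions for the illustration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a web application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-1", "teller"), ("bob", "hash-2", "admin")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """Dynamic query built by string formatting: the value becomes part of the SQL,
    so a quote in the input changes the query's meaning (SQL injection)."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Parameterized query: the driver passes the value separately from the SQL,
    so the input can never be parsed as SQL no matter what it contains."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_comment_vulnerable(comment):
    """User text copied straight into HTML: markup in the input becomes markup in the page."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment):
    """Same fragment with the input HTML-escaped, so it is rendered as text only."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"          # a quote-bearing input that unbalances the dynamic query
    print("vulnerable:", lookup_user_vulnerable(conn, probe))   # returns every row
    print("safe:      ", lookup_user_safe(conn, probe))         # returns nothing
    print(render_comment_vulnerable("<script>alert(1)</script>"))
    print(render_comment_safe("<script>alert(1)</script>"))
```

The fix is the same in both cases: keep data and code apart. A parameterized query never lets input reach the SQL parser, and escaping at output time never lets input reach the HTML parser as markup; input validation is a useful extra layer but not a substitute for either.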

The Threats - Technology

Denial of service (DoS): is a general term for many different types of attacks. However, each attack has one thing in common, which is the goal to deny others the service that the victim system usually provides.

Spam E-mail: Spam is anonymous, unsolicited bulk email; it is effectively the email equivalent of physical junk mail delivered through the post office. Spam is a problem not only because of the enormous resources it demands, but also because it now serves as a means for other types of attack. There is also reduced system performance and the costs of filtering e-mail, loss of employee productivity or required increased usage of help desk support. Spam consumes network bandwidth used to transmit messages or consumes disk storage used to store messages.

Botnets: A botnet is a collection of infected and compromised computing devices harnessed together and remotely controlled for malicious purposes. Thousands of systems with zombie code can be used in DDoS (Distributed Denial of Service) attacks or for spamming.

The Threats - Technology

Click Fraud: Online advertising networks offer the ability for a web site operator to host third-party advertisements and collect payment every time a user clicks on an advertisement. Click fraud refers to various schemes in which the number of clicks is artificially inflated.

Other Malware: software designed to cause damage to a single computer, server, or computer network. These include:
- Viruses - A virus is a small application, or a string of code, that infects an application; it requires user action to compromise a machine.
- Spyware - Software that monitors user activity without user knowledge or consent. Spyware can capture and release sensitive data, make unauthorized changes, and decrease system performance.
- Trojan Horse - A Trojan horse is a program that is disguised as another program; it masquerades as a useful application, but does harm.
- Worm - A worm is malware that reproduces on its own without a host application. Worms can infect and take over computers without any help, bar lax security, from a victim.

The Threats - Technology

Wireless Network threats: Wireless networks have now become very common, for both organizations and individuals. Most laptops ship with wireless adaptors and organizations have also deployed wireless LANs given the ease of deployment. Some of the security issues with wireless networks include the following:
- Accidental association: When a user turns on a computer and it latches on to a wireless access point from a neighboring company's overlapping network, this could cause security issues if the victim network is not secure.
- War driving - War driving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer (laptop) or PDA. Software for war driving is freely available on the Internet, notably NetStumbler for Windows, Kismet or SWScanner for Linux. These tools can sniff for any available wireless access points (APs).

The Threats - Technology

Bluetooth attacks: Various security holes have already appeared in Bluetooth, which is becoming widely used in mobile phones and high-end smart phones. Some of these are listed below:
- Bluebugging - Refers to hacking into a Bluetooth device and using the commands of that device without notifying or alerting the user. By bluebugging, a hacker could eavesdrop on phone conversations, place phone calls, send and receive text messages, and even connect to the Internet.
- Bluejacking - A kind of practical joke played out between Bluetooth-enabled devices, bluejacking takes advantage of a loophole in the technology's messaging options that allows a user to send unsolicited messages to other nearby Bluetooth devices. (Similar to doorbell ditching)

The Threats - Technology

Physical ICT Infrastructure threats:
The threats to the physical ICT infrastructure include natural environment threats (earthquakes, floods, tornadoes), supply system threats (power, Internet and telecom outage, water, gas etc.), man-made threats (vandalism, fraud, theft), politically motivated threats (terrorist attacks, riots, bombings).

Other threats to look out for:
- 419 scam - Advance Fee Fraud
- Web vandalism: Attacks that deface web pages
- Fake products / Product imitations

So What is the Solution?

Strategies for protecting ICT Infrastructures
