Sunday, September 20, 2009

CSM660 Information Security Management Assignment 1

MICT Management AeU

Semester 06/09 Project Paper 1

Part A: Short Questions [20 Marks]

1. Define and explain the concepts of Availability, Integrity and Confidentiality under the scope of Information Security Management. Your explanation MUST include the keywords below.
• Denial of Service - DoS
• Threats
• Need-to-Know Access
• Separation/Rotation of Duties

Answer:

The CIA triad (Confidentiality, Integrity and Availability) comprises the core principles of information security.

Confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems. In order to maintain confidentiality of information, controlling which defined users may retrieve information, based on their need-to-know access, is paramount. Such monitored access ensures that information is not unintentionally accessible to a third party. In practice, this is commonly done by implementing password access to the information storage file, or by restricting access to the server room by lock and key.

Integrity means that data cannot be modified without authorization. In the same context, it signifies that data, like a person with integrity, can be trusted. In order to maintain integrity, control of passwords should be implemented by segregating the power to retrieve information. An example is the separation/rotation of duties between the persons in charge of the wireless key and of the password for the wireless router device. Thus, no single person can change the whole WLAN without another person being informed of the change. Such control and administration of computers and their software should strive to keep information in its original form, avoiding unlawful alterations.

Availability means that when the need for information arises, it must be readily within reach of the user at reasonable convenience. When the information is not readily available due to a security breach such as a denial of service (DoS) caused by an overload of spam mail, the DoS violates this key ingredient of information security – Availability. Threats from other malware, such as a Trojan horse, can also damage files and destroy the information store, so that it is no longer available to the user.

2. Define and describe the terms ALE (Annualized Loss Expectancy), ARO (Annualized Rate of Occurrence), EF (Exposure Factor) and Information Asset.

Answer:

The Annualized Loss Expectancy (ALE) is the monetary loss that can be expected for an asset due to a risk over a one-year period. It is defined as:

ALE = SLE * ARO

where SLE is the Single Loss Expectancy and ARO is the Annualized Rate of Occurrence.

Annualized Rate of Occurrence (ARO) is the estimated number of times the risk occurs in a year.

Exposure Factor (EF) is the proportion of an asset's value that is likely to be destroyed by a particular risk, expressed as a percentage.

For example, if the value of a patent would be reduced from $1,000,000 to $250,000 by a leak of information, the exposure factor for the risk of information leakage to the patent is 75%.
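The three definitions above combine into one calculation: EF is derived from the asset's value before and after the loss, SLE is the asset value multiplied by EF, and ALE is SLE multiplied by ARO. The following is an added worked example, not part of the original assignment answer; it reuses the patent figures from the text ($1,000,000 reduced to $250,000) and adds a constructed sample risk register so that several risks can be ranked by ALE, which is how the figures are used in practice to decide which risk to treat first. The other asset values and rates are assumptions.

```python
"""Quantitative risk calculation with the ALE, SLE, EF and ARO terms defined above.

Added worked example; not part of the original assignment answer. All figures
except the patent example ($1,000,000 reduced to $250,000, taken from the text)
are constructed sample values.
"""
from dataclasses import dataclass


def exposure_factor(value_before: float, value_after: float) -> float:
    """EF: fraction of the asset's value destroyed by one occurrence of the risk."""
    if value_before <= 0:
        raise ValueError("asset value must be positive")
    if not 0 <= value_after <= value_before:
        raise ValueError("value after the loss must lie between 0 and the original value")
    return (value_before - value_after) / value_before


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """SLE = asset value * EF: monetary loss from a single occurrence."""
    return asset_value * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO, as defined in the answer above."""
    return sle * aro


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float
    ef: float   # exposure factor, 0.0 .. 1.0
    aro: float  # expected occurrences per year

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.ef)

    @property
    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle, self.aro)


def rank_by_ale(risks):
    """Order risks by ALE, highest first, so the largest expected annual loss is treated first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# Constructed sample register. The patent leak uses the figures from the text above;
# the other two entries are assumed values for illustration only.
PATENT_EF = exposure_factor(1_000_000, 250_000)  # 0.75, as in the text
SAMPLE_RISKS = [
    Risk("patent information leakage", 1_000_000, PATENT_EF, 0.1),  # one leak per ten years
    Risk("email server outage (DoS)", 50_000, 0.2, 4.0),             # several short outages a year
    Risk("laptop theft", 3_000, 1.0, 2.0),                           # whole value lost, twice a year
]

if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.name:30s} SLE=${r.sle:>12,.2f}  ARO={r.aro:<5}  ALE=${r.ale:>12,.2f}")
```

Note that the low-frequency patent leak still ranks first because its SLE is large, while the frequent but cheap laptop theft ranks last; ALE is what lets risks with very different frequencies and magnitudes be compared on one scale.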

Information Asset

An Information Asset is a definable piece of information, stored in any manner, which is recognised as 'valuable' to the organisation. The information which comprises an Information Asset may be little more than a prospect name and address file, or it may be the plans for the release of the latest in a range of products to compete with competitors.

Irrespective of the nature of the information assets themselves, they all have one or more of the following characteristics:

• They are recognised to be of value to the organisation.
• They are not easily replaceable without cost, skill, time, resources or a combination of these.
• They form a part of the organisation's corporate identity, without which the organisation may be threatened.
• Their data classification would normally be Proprietary, Highly Confidential or even Top Secret.

It is the purpose of Information Security to identify the threats against, the risks to and the potential damage to Information Assets, and to safeguard them.

3. The success of Social Engineering attacks is primarily due to TWO factors. Identify and elaborate on these two factors.

Answer:

The two factors are:

a) Human nature to trust others – People exhibit a natural human tendency to trust others. This natural willingness to accept someone at his or her word leaves many of us vulnerable to attack. Social Engineering attacks target individuals who are susceptible to this kind of psychological attack. Strangers who speak with good manners and dress well can become our closest friends in a few minutes!

b) Business Environment – The way we communicate has also evolved tremendously with the use of technology and media. As businesses operate with a large geographical presence and people work in different time zones and locations, it becomes almost impossible to know who is doing what, or whether such a colleague even exists in the organization. Social Engineering attackers mimic the voices of people, or pretend to be that person via telephone calls or faxes, without ever having to meet the person under attack face-to-face.


4. The Trusted Computing Base (TCB) is now a trend that Information and Communication Technology (ICT) industries follow to enhance the security of their products. Kindly explain how the TCB could impact Information Security.

Answer:

The trusted computing base (TCB) is everything in a computing system that provides a secure environment. This includes the operating system and its provided security mechanisms, hardware, physical locations, network hardware and software, and prescribed procedures. Typically, there are provisions for controlling access, providing authorization to specific resources, supporting user authentication, guarding against viruses and other forms of system infiltration, and backup of data.

Systems that don't have a trusted computing base as part of their design do not provide security of their own: they are only secure insofar as security is provided to them by external means (e.g. a computer sitting in a locked room without a network connection may be considered secure depending on the policy, regardless of the software it runs). As far as computer security is concerned, reasoning about the security properties of a computer system requires being able to make sound assumptions about what it can, and more importantly, cannot do.

Given a set security policy, the TCB governs the scope of the region of trust. For example, an isolated PC is TCB compliant when it leaves the manufacturing factory, and this trusted status is no longer intact once a connection is established with other devices. However, for a server on a network, and according to its security policy, the TCB may encompass all the networked computers and devices linked to it up to the firewall, and unless other connections are established on that network, the TCB is considered intact. As such, the security of the TCB depends very much on the scope of the connections, and the TCB policy is crucial in determining the extent of that trusted area.

5. Define and explain these types of Discretionary Access Control (DAC), and the differences between Rule-Based Access Control and Role-Based Access Control.

Answer:

Role Based Access Control, as its name suggests, segregates access to the information system by the 'role' of the user. It identifies the user by job function or user group, and not by the particular identity that the user carries individually – e.g. IP address, name or IC no. It is non-discretionary in exerting its access control. For example, all accountants in the Finance and Administration Department are allowed to access the Accounting Server.

Rule Based Access Control, as opposed to Role Based, is discretionary in controlling access to the information system. By setting the RULES regarding who is allowed to access what, access is controlled more stringently, and thus more control is in the hands of the system administrator. In most instances, the system administrator sets the RULES.

Using the above example, Rule Based Access Control for the Finance and Administration Department may be set by the individual password tied to a login name. Hence, certain key persons at a higher level are able to read and modify documents, whereas others may only read the files. Another example is to restrict access by time of day, or to grant certain persons the right to access others' mail boxes, etc.

Wherever there is a breach of security, Rule Based Access Control offers a better avenue to identify the attacker than Role Based Access Control, because each individual user is distinct and authenticated by a personal password or code. Of course, if the password or code is available to an attacker, this security feature is compromised too.
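The contrast drawn in this answer, permission attached to a job function versus administrator-set rules that refer to named individuals and to context such as time of day, is easiest to see when both decisions are evaluated for the same request. The following is an added example, not part of the original assignment answer. It mirrors the Finance and Administration Department scenario from the text; the resource name "accounting_server", the login names, the finance_manager role and the 08:00 to 18:00 window are all assumptions. The audit line keeps the individual login so that, as the answer notes, a breach can be traced to a distinct authenticated user.

```python
"""Role-based versus rule-based access decisions, illustrating the answer above.

Added example; not part of the original assignment answer. The roles, users,
resource name and rules below are constructed assumptions that mirror the
Finance and Administration example in the text.
"""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class User:
    login: str
    roles: frozenset  # job functions, e.g. {"accountant"}


@dataclass(frozen=True)
class Request:
    user: User
    resource: str
    action: str  # "read" or "modify"
    at: time     # local time of the access attempt


# --- Role-based: permission attaches to the job function, not to the person. ---
ROLE_PERMISSIONS = {
    "accountant": {("accounting_server", "read")},
    "finance_manager": {("accounting_server", "read"), ("accounting_server", "modify")},
}


def role_based_allows(req: Request) -> bool:
    """Grant if any of the user's roles carries the (resource, action) pair."""
    return any((req.resource, req.action) in ROLE_PERMISSIONS.get(role, set())
               for role in req.user.roles)


# --- Rule-based: administrator-set rules about who may do what, and when. ---
MODIFIERS = {"cfo.tan"}  # assumed: only these named logins may modify


def rule_only_named_users_modify(req: Request) -> bool:
    """Modification is tied to specific logins, regardless of role."""
    return req.action != "modify" or req.user.login in MODIFIERS


def rule_office_hours(req: Request) -> bool:
    """Time-of-day restriction from the text: access only between 08:00 and 18:00."""
    return time(8, 0) <= req.at < time(18, 0)


RULES = [rule_only_named_users_modify, rule_office_hours]


def rule_based_allows(req: Request) -> bool:
    """Every rule must pass; rules refer to individual identities and context."""
    return all(rule(req) for rule in RULES)


def decide(req: Request):
    """Evaluate both models and produce an audit line naming the individual user."""
    role_ok = role_based_allows(req)
    rule_ok = rule_based_allows(req)
    audit = (f"{req.user.login} {req.action} {req.resource} at {req.at:%H:%M}: "
             f"role={role_ok} rule={rule_ok}")
    return role_ok, rule_ok, audit


# Constructed users: two finance managers share a role, but only one is a named modifier.
ALICE = User("alice.lim", frozenset({"accountant"}))
CFO = User("cfo.tan", frozenset({"finance_manager"}))
BOB = User("bob.ong", frozenset({"finance_manager"}))


def sample_decisions() -> dict:
    """Run a fixed set of constructed requests; returns {label: (role_ok, rule_ok)}."""
    cases = {
        "accountant reads in office hours": Request(ALICE, "accounting_server", "read", time(10, 0)),
        "accountant modifies": Request(ALICE, "accounting_server", "modify", time(10, 0)),
        "cfo modifies in office hours": Request(CFO, "accounting_server", "modify", time(10, 0)),
        "other manager modifies": Request(BOB, "accounting_server", "modify", time(10, 0)),
        "cfo modifies at night": Request(CFO, "accounting_server", "modify", time(22, 0)),
    }
    return {label: decide(req)[:2] for label, req in cases.items()}


if __name__ == "__main__":
    for label, (role_ok, rule_ok) in sample_decisions().items():
        print(f"{label:34s} role-based={role_ok!s:5s} rule-based={rule_ok}")
```

The two cases that differ are the instructive ones: Bob holds the finance_manager role, so the role-based check grants "modify", but the rule-based check refuses because his login is not on the administrator's list; and the CFO's night-time request passes the role check yet fails the office-hours rule. Both denials are logged against a specific login, which is the traceability advantage the answer attributes to rule-based control.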


Part B: Case Study [10 Marks]

Ignorance is not an excuse for breaching the security regulations of a jurisdiction – a loud and clear piece of common knowledge that most of us are aware of.

For the layman, what we commonly encounter is the No-Smoking sign. Ignorance of the No-Smoking sign is not an excuse to smoke in a restricted/forbidden smoking area. However, many are not aware of the risk of overstepping the limits of cyberspace, which may be construed as criminal in the eyes of the law. At large, this is not normally envisaged in our daily lives, as not many of us are investigated for such a crime in our local context.

The case of Professor Smith is a typical instance of ignorance of the risks of using information technology without being properly equipped with security knowledge and applications. As mentioned above, he may be liable for the consequences of such a digital crime.

In recent times, cyberspace has become ground for criminals to prosper and, for some, to instigate political terrorism. Malware and social engineering attacks are rampant, with the aim of performing industrial espionage that is known to few but severe in magnitude for many. Credit card scams have crippled some rich corporations who, in their educated minds, know cyberspace like the back of their hands. Then there are many others who, like Professor Smith, are caught by the ignorance of the simple-mindedness of an emailing scam: although not much of a financial catastrophe, it is a tragedy for the career of a faculty member of the respected medical profession.

Cyber law and awareness of it are among the key things that illustrate to us the danger and the damage done by cyber criminals. Many cyber crimes are without borders, and in Prof Smith's case, the email came from another country. It affected his work and life, as his friends in the contact list could have lost all stored data and key research findings and, like Prof Smith, suffered a reputation melt-down. Many would blame Prof Smith for transmitting the malware, whether or not they understood his good intention in receiving an email from an old friend in the first place.

This is the rule of "non-repudiation of origin", whereby the original sender cannot deny the act of sending the email. Non-repudiation of origin is therefore important, and the basis for such transactions to be legal.

Prof Smith is unfortunate in that he is unaware of the consequences of email fraud. Many means of preventing this email fraud are available. Anti-Spam and Anti-Spyware applications are available for download, many a time free of charge. Although there may be variations in effectiveness between them, the filtering of spam and spyware can be strengthened with this software.

The second aspect of Prof Smith's defense against email scams can be the good practice of not falling prey to unnecessary senders, or to possible social engineering attacks. Web mail services such as Yahoo, Hotmail, Gmail, etc., are free for anyone with Internet access. These and other free e-mail services like them are a great way for people to communicate with each other. In this case study, Prof Smith used Yahoo Mail and ended up with legal troubles.

In fact, such accounts are not well monitored; people are free to send any kind of content they want. While some Web e-mail providers do perform virus checking of e-mails, security experts would not permit them to be used on work computers. Having anti-virus software and keeping the definition files current are two different things.

Furthermore, people like Prof Smith may think that Yahoo Mail will do everything for them, and thus fall prey to such ignorant assumptions.

The larger concern is that most Web e-mail services don't filter for what many would consider inappropriate content. Depending on the nature of the material, having it appear on a work computer's monitor could be construed as sexual harassment. In today's world, what might be funny to one person could very well be offensive to another, resulting in a complaint to the human resources department, or all of a sudden being construed as politically terrorist in nature.

Another major element in Prof Smith's case is the issue of liability for the malware that infected all his contacts' computers through the spam emails originating from his computer. The worm came from a close friend in his native country, together with an attachment file which executed the malware code. He became an agent in delivering the threat. The question is whether, in law, he personally, his employer or Yahoo Mail is liable for the harm done.

The point to highlight is the fact that Prof Smith was already using Yahoo Mail before joining University Y in State J, and it served him well then. Thus, the argument could be that Yahoo Mail had been meeting his security standard – that of a medical professor rather than an IT security consultant. In short, the security features provided by Yahoo Mail should have picked up the threat, and the fault for the proliferation of the email scam lies with Yahoo Mail rather than with Prof Smith.

On the other hand, the argument may be on Prof Smith's side that his employer, University Y in State J, should have provided him with a mailbox rather than leaving him to resort to Yahoo Mail. If such a facility were given to employees, the threat of worms and other malware should have been mitigated at the server level on the university mainframe. Hence, such negligence should not be blamed on Prof Smith, as he is employed as a medical clinician and not as an IT security specialist.

In fact, Prof Smith is a victim. A victim of computer malware infection can, under the negligence theory, sue the provider, distributor or operator of the infected software – in this case the Yahoo Mail service – for his damages. In this regard, Prof Smith would have a good chance of escaping legal liability, and either his employer or Yahoo Mail could be the party to shoulder the damage caused.

To conclude, the case of email fraud is both embarrassing and significant in the time and cost taken to make good the information and hardware lost. Cyberspace is borderless, and there should be some form of protective layer to shield us from threats unknown and unpredictable to us. This could be achieved by having barriers to incoming threats in the form of security filters such as firewalls, or good and constantly updated anti-malware. On the other hand, there is the need to address the source of the infiltration by having cyber legislation in place. It is crucial that such legislation be enforced by capable teams of security specialists to counter the attacks.

Emailing has, after all, become an indispensable communication tool in our modern society.
