Tuesday, June 4, 2019

Principles of Information Security

Purpose
In order to guard against accidental or intentional damage or loss of information, interruption of College business, or the compromise of confidential information, we must classify data and establish minimum standards and guidelines to ensure a secure system.

Effective from 02/02/17

Scope
This policy must be applied to all of the following: students, faculty, staff, contractors, consultants, temporary employees, guests, volunteers and all other entities or individuals with access to confidential information through the Modern College of Business and Science and its affiliates/partners.

Responsible Party
Database Department; Information Technology Support Department

Terms of Reference
Access: Any personal inspection or review of the confidential information or a copy of the confidential information, or an oral or written account of such information.
Confidential Information: Information identified by the applicable laws, regulations or policies as personal information, individually identifiable health information, education records, personally identifiable information, non-public personal data, confidential personal information, or sensitive scientific or sponsored project information.
Data: Information generated in official College business. Information that is personal to the operator of a system.
Disclosure: To permit access to or release, transfer, distribute, or otherwise communicate any part of information by any means.
Incident: A potentially reportable event that may include, but is not limited to, the following:
- Attempts to gain unauthorized access to systems or information
- Unwanted disruptions or Denial of Service
- A virus spreading
- Theft, misuse or loss of electronic equipment containing private data
- Unauthorized use of systems for processing or gathering information
- An office or unit that does not dispose of confidential paper information in a proper manner
- Unauthorized changes to system hardware, firmware and software

Policy Statement
The Modern College of Business and Science must aim towards making a safe environment for all in terms of data confidentiality and personnel. Information Security professionals must employ techniques which help prevent any threat from exploiting any vulnerability as much as possible. Threats could target privacy, reputation and intellectual property along with lots of other data.

Data Classification
In order for the policy to be fully effective and to know which data to protect, the data must be classified into 3 categories:
Category 1 - Data that can be freely distributed to the public.
Category 2 - Internal data only, not meant for outsiders.
Category 3 - Sensitive internal-only data that could affect operations if disclosed to the public.
Category 4 - Highly sensitive internal data that could put the organization at financial or legal risk if disclosed to the public.

Security Prevention Measures
Security prevention measures ensure protection and provide safety for the business and also the customers. Prevention measures could consist of many things.

Existing Security Measures
- Access control which ensures that only allowed users granted permission to access the database may do so. This applies to accessing, modifying and viewing the data.
- Frequent SQL input validation tests are conducted in order to ensure no unauthorized users can access the database.
- Three separate cloud-based servers are available, two of which are for backup purposes; this ensures the availability of the data in the case of an intrusion on one of the servers. All servers are backed up daily.
- Database auditing is frequently conducted.
- Database log files are frequently checked for any malicious activity.
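As an added illustration of the log review and SQL input checks listed above (example code written for this page, not the College's or its third-party provider's tooling): a small Python reviewer that parses a constructed audit log, flags bursts of failed logins from one source address, and flags query text carrying common injection patterns. The log format, field names, sample lines and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log for this example (not from the College's systems).
# Format assumed here: ISO-8601 timestamp followed by key=value pairs, quoted where needed.
SAMPLE_LOG = """\
2019-06-04T09:12:01Z user=jsmith src=10.0.4.21 event=LOGIN_FAILED
2019-06-04T09:12:03Z user=jsmith src=10.0.4.21 event=LOGIN_FAILED
2019-06-04T09:12:04Z user=admin src=10.0.4.21 event=LOGIN_FAILED
2019-06-04T09:12:06Z user=dba src=10.0.4.21 event=LOGIN_FAILED
2019-06-04T09:12:09Z user=root src=10.0.4.21 event=LOGIN_FAILED
2019-06-04T09:13:30Z user=svc_web src=10.0.4.50 event=QUERY sql="SELECT name FROM students WHERE id = '1' OR '1'='1'"
2019-06-04T09:14:02Z user=svc_web src=10.0.4.50 event=QUERY sql="SELECT name FROM students WHERE id = '4417'"
2019-06-04T09:20:45Z user=aali src=10.0.7.8 event=LOGIN_OK
2019-06-04T11:02:11Z user=svc_web src=10.0.4.50 event=QUERY sql="SELECT name FROM students WHERE id = '1'; DROP TABLE students--"
"""

# key=value, where the value is either a double-quoted string or a run of non-space characters
LINE_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Textual indicators that an application's "predefined" queries should never contain
INJECTION_PATTERNS = [
    (re.compile(r"'\s*OR\s*'[^']*'\s*=\s*'", re.I), "tautology"),
    (re.compile(r";\s*(DROP|ALTER|DELETE|INSERT|UPDATE)\b", re.I), "stacked statement"),
    (re.compile(r"UNION\s+(ALL\s+)?SELECT", re.I), "UNION-based"),
    (re.compile(r"--|/\*"), "comment"),
]


def parse_line(line: str) -> dict:
    """Split one audit record into a dict with a parsed timestamp and its fields."""
    ts_str, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for m in LINE_RE.finditer(rest):
        event[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return event


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)) -> list:
    """Report each source address with `threshold` or more failed logins inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("event") == "LOGIN_FAILED":
            by_src[e["src"]].append(e["ts"])
    findings = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append(f"{src}: {end - start + 1} failed logins within {window}")
                break
    return findings


def suspicious_queries(events) -> list:
    """Report logged query text that matches any injection indicator."""
    findings = []
    for e in events:
        sql = e.get("sql")
        if not sql:
            continue
        hits = [label for rx, label in INJECTION_PATTERNS if rx.search(sql)]
        if hits:
            findings.append(f"{e['ts'].isoformat()} {e['user']}@{e['src']}: {', '.join(hits)}")
    return findings


def review_log(text: str) -> list:
    """Run both checks over a log and return all findings, bursts first."""
    events = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return failed_login_bursts(events) + suspicious_queries(events)


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the reviewer reports the five rapid failures from 10.0.4.21 and the two QUERY records whose text contains a tautology and a stacked DROP with a trailing comment; the ordinary lookup for id '4417' and the successful login produce nothing. Pattern matching of this kind supplements, and does not replace, the parameterised queries that prevent injection in the first place.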
- All database security is managed by a third party in order to ensure maximum security.
- In order to avoid Denial of Service (DoS) attacks, which could affect availability, the web applications are put on different servers.
- Role-based access control is used in order to make sure employees can only see content from the database that they are authenticated and authorized to see.
- Discretionary access control is only permitted to the database department, as no other faculty or staff needs access or is permitted to access.

Flaws which need review
- Password policy is not implemented strictly for students, which can result in the compromising of an account.
  Solution: Password policy must be applicable to all; therefore, the database department must make it mandatory.
- No honeypotting is available.
  Solution: The necessary equipment and software should be purchased for this to be done. This will help the College avoid attacks in the case of SQL injection or any other database attack.
- No digital certificates are utilised when messages are sent across the website.
  Solution: Create a system that sends a digital certificate/signature to ensure a better level of security.
- No certified security professionals are currently employed.
  Solution: Raise the issue to Human Resources as a matter of concern and seek the hiring of a professional or train existing staff.
- Lack of awareness among staff and faculty regarding security in general.
  Solution: Conduct training for faculty and staff on how to spot basic threats and potential intrusions etc.
*After these flaws are fixed, policy MUST be reviewed and updated.

iii) Added Policies
- Conduct penetration testing and risk assessment frequently; a report must be generated and reviewed by the Chief Information Security Officer (CISO). Vulnerabilities must be fixed.
- In the case of an incident the CISO must be informed to take necessary action.
- Any employee failing to do so shall face disciplinary action.
- The database MUST use views rather than tables to ensure security; all entries must be made through predefined queries.
- Database remote access and other remote access must be disabled by blocking ports such as the Telnet port, FTP and others.
- The database password MUST be updated every fortnight to ensure the security of the password.
- A password strength policy must be implemented for the database (min 8 characters; upper and lower case, numeric and special characters).
- Backups must also be done offsite and not only on the cloud.
- Backing up data of Categories 3 and 4 as mentioned above must also be done on a specially encrypted drive, separate from normal backups.

Group Responsibilities
All the members of the College are responsible to some extent for the security of their own data and other things. Below is what each group of individuals is responsible for.

A. Custodians are responsible for
1. Information security procedures establishment
2. Managing authorizations
3. Recordkeeping
4. Incident handling and reporting

B. Users are responsible for
1. Abiding by the College IT policy
2. Physical security
3. Information storage
4. Information spreading and sending
5. Method of disposal of information and devices
6. Passwords
7. Computer security
8. Remote access
9. Logging off
10. Virus and malicious code protection
11. Backups
12. Incident handling and reporting

C. Managers are responsible for
1. All that users are responsible for
2. All that the custodians are responsible for
3. Sharing responsibility for information security with the employees they manage
4. Establishing information security procedures
5. Managing authorizations
6. User training and awareness
7. Physical security
8. Incident handling and reporting

D. Information Service Providers are responsible for
1. More extensive information security requirements than individuals
2. Establishing information security procedures
3. Physical security
4. Computer security
5. Network security
6. Access controls
7. Passwords
8. Contingency planning
9. Incident handling and reporting

Administrative Responsibilities
A. The CISO should always be monitoring the College's database security system to ensure there are no flaws or loopholes and should propose tools or mitigation strategies. S/He must do the following:
1. Creating, reviewing, and revising policies, procedures, standards.
2. Ensuring security training and awareness.
3. Overall authority for College networks and systems security.
4. Incident handling, remediation, and reporting.
5. Collaborating with the Office of Internal Audit to ensure policy conformance.

Enforcement / Implementation
The required actions mentioned in the policies and rules must be carried out from the effective date mentioned above; those who fail to comply with and follow this policy shall face disciplinary action. This policy must be strictly implemented.

Principles of Information Security

Man in the Middle and Man in the Browser Attacks on Financial Institutions.

Abstract
Four decades ago, what started as a US military research initiative to build a network linking US universities and research centers is now the Internet. Today it has expanded to every corner of the globe (Privgcca, 2016). The number of Internet users has risen from a few computer scientists to 3.17 billion users. It has helped in reducing the costs of communication, as people can easily be in touch and communicate with each other with the help of chat, email applications and online transactions/payments (Friedman, 2014). It has also helped organizations to offer better customer service, reduce paperwork, increase productivity, and enable customers to perform enquiries and transactions anytime and from anywhere. This paper will emphasise the importance of online banking/transaction security.
Introduction
Banking organizations have been developing for years in a broad scope and have started to move more traditional banking techniques in certain fields, such as processing cheques, making transactions and money transfers, online; therefore payment systems are constantly undergoing radical changes. More security measures are present, but the users of these systems must also be allowed decent compatibility. Due to the amount of modern-day threats, these banks have also been facing a vast amount of risk of exposure and vulnerability exploitation. Banks are usually very concerned about two kinds of attacks: the man in the middle attack (MITM) and the man in the browser attack (MITB). As a result, financial institutions must ensure they provide effective authentication techniques. These two attacks (MITM and MITB) will be the main concentration and focus of the analysis.

The Two Common Attacks
The Man in the Middle and Man in the Browser are the predominant attacks in the finance industry. The difficult part is identifying each type of attack and taking precautionary measures against either attack. MITM occurs when a hacker can see and modify the communication between the client and the bank; it makes both parties believe they are directly communicating with each other, but there is usually an attacker eavesdropping. Therefore, this is very common on unsecured and unprotected networks. On the other hand, MITB uses malware to infect a web browser. This is done by the malware exploiting vulnerabilities in the browser security, which enables it to modify and manipulate the page.

Getting Technical, MITB vs. MITM
One of the few important differences between these two attacks is that MITM attacks operate at the network layer whereas MITB operates at the application layer, in this case in the web browser. Although MITM attacks remain popular, attackers prefer MITB as banks may use session IDs to identify MITM attacks.
Using session IDs, banks can determine whether there has been malicious activity during a transaction, notice the fraudulent attempt and consequently cancel it. By giving the customer's device a unique ID, the bank can then use algorithms to analyze and link the multiple user sessions from where they typically perform their banking (Eisen, 2012). MITB attacks are a lot more deceitful; they take complete control over the user's view of the website and control the browser while the user thinks everything is normal. The attackers in this scenario alter web views and account balances without the user's knowledge. Once the user logs in, they can also redirect any sensitive traffic to an attacker's system, while keeping the original SSL/TLS protections intact (Trusteer, 2013).

MITB
People are very commonly exposed to the risk of these attacks due to browser security problems; in the case of MITB, browser extensions are frequently the malware which allows the attacker to exploit the vulnerability. Browser extensions are frequently portrayed as useful software which enhances the user experience but are in fact malicious software or code. This is known as a Trojan. Browser extensions may be plugins, Browser Helper Objects (BHOs), JavaScript and add-on features.

The functionality of BHOs is usually to add functionality to a browser; these could be written by an attacker with programming experience. The problem with BHOs is that they can hide from antivirus, which makes them undetectable. In a MITB attack these are used to change a site, add fields and remove fields. They can also add registry entries to the system and load at boot (Utakrit, 2009). Greasemonkey is a popular add-on for Chrome which can allow a user to change the appearance of a website or eliminate ads. This JavaScript is not malicious, but it uses the same methodology as the malicious JavaScript applets.
The danger of add-ons is that they can easily monitor and retrieve the user's information at any time. SSL has been thought of as a solution by some security experts for MITB attacks, but even this control has been proven to be ineffective. The reason for this is that the attacker injects or gives the user a Trojan which carries out malicious activities directly inside the browser. Therefore, no suspicious activity is detected.

MITM
MITM attacks are less common, as security professionals have learned ways to mitigate the attacks that use this method. It is also widely known as session hijacking. In this case, the attacker usually seeks vulnerable hotspots or networks. The attacker would usually direct the victim to a fake login page of a website (perhaps a phished page) and then obtain the credentials as soon as they are authenticated. The attacker could then simply access the account and withdraw money or make transactions. Security measures such as the OTP are not effective as a defense against this attack, as the attacker could fraudulently capture the temporary password and forward it on within the 30 to 60 seconds provided. In this attack the main issue is that the user has no way of being sure or verifying who is asking for information. As a result, two-step verification is also considered vulnerable.

Protective measures
The security triad, which is an important principle to security experts, revolves around three elements. C - Confidentiality: do not allow unauthorized individuals to access or see data or systems. A - Availability: ensure the system/data is available when needed. I - Integrity: if data, a system or, in this case, a transaction loses its integrity, it means it has been tampered with. In the case of transactions, integrity is a very important principle. Banks and financial institutions need to always ensure that integrity is maintained.
By doing so, we need to implement controls, also known as countermeasures.

User Protection Strategies and Controls
MITB
In order to minimize these attacks, the knowledge has to be known on either side of the equation: the users should be aware as well as the bank. Users can take precautions by installing antivirus; although not entirely effective, since it depends on the detection capability, it reduces the chances. Secondly, use a hardened browser on a USB drive; this will provide moderate protection. Thirdly, only do online banking with banks who are aware of these kinds of threats and implement countermeasures. Ultimately there is risk in every procedure; unless you are willing to not use online banking at all, there will always be risks and threats.
MITM

Mitigation for Banks
MITB
As previously mentioned, attackers have also learned how to compromise two-step authentication, and the same also applies to captcha and others. The malware can simply wait till the user has authenticated himself. It can also intercept and modify the response when using SSL or encryption. Moderate protection could be offered by the bank itself providing clients with hardened browsers on USBs containing cryptographic tokens for authentication. The hardened browsers are harder to infect. Similarly, an OTP token with signature would be effective: the user would have to re-enter the transaction details into the OTP device, which could then generate a signature based on them; in that way the signature would not match if the MITB alters the request. This is also rather inconvenient. Fraud detection based on transaction type and amount is also sometimes effective; in the case of an abnormal transaction some banks call the client to check whether it is genuine or not. User profiling could also be used.
MITM
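The "OTP token with signature" proposed above, and the OTP-relay weakness noted under MITM, can be shown side by side in code. The following is an added example written for this page, not the essay's own material or any bank's implementation: the `Transfer` record, the per-customer token secret, the 8-digit code format and the counter window are all constructed assumptions; the truncation step borrows the HOTP (RFC 4226) approach so the result is something a person can type.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed per-customer token secret for this example; a real token holds a
# random key provisioned at enrolment that never leaves the device.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


@dataclass(frozen=True)
class Transfer:
    account_from: str
    account_to: str
    amount_cents: int
    currency: str


def canonical(t: Transfer) -> bytes:
    """Fixed field order and separator so the token and the bank hash identical bytes."""
    return f"{t.account_from}|{t.account_to}|{t.amount_cents}|{t.currency}".encode()


def _truncate(mac: bytes, digits: int) -> str:
    """HOTP-style dynamic truncation (RFC 4226) to a short numeric code."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def plain_otp(secret: bytes, counter: int, digits: int = 8) -> str:
    """An ordinary event-based OTP: depends only on the secret and counter, not on
    what is being authorised. This is the kind of code a relay attacker can forward."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return _truncate(mac, digits)


def bank_verify_plain(code: str, secret: bytes, counter: int, window: int = 3) -> bool:
    """Verification of an ordinary OTP: nothing about the transfer enters the check,
    so a valid code authorises whatever transfer the bank happens to receive."""
    return any(hmac.compare_digest(plain_otp(secret, c, len(code)), code)
               for c in range(counter, counter + window))


def token_sign(t: Transfer, secret: bytes, counter: int, digits: int = 8) -> str:
    """What the customer's token computes after they re-enter the transfer details:
    the code is bound to beneficiary, amount and currency as well as the counter."""
    mac = hmac.new(secret, canonical(t) + struct.pack(">Q", counter), hashlib.sha256).digest()
    return _truncate(mac, digits)


def bank_verify(received: Transfer, code: str, secret: bytes, counter: int, window: int = 3) -> bool:
    """The bank recomputes the code over the transfer it actually received and compares in
    constant time; a small look-ahead window tolerates counters consumed by mis-presses."""
    return any(hmac.compare_digest(token_sign(received, secret, c, len(code)), code)
               for c in range(counter, counter + window))


def demo() -> dict:
    """The customer intends one transfer; malware in the browser rewrites it before it
    reaches the bank. Compare what each scheme lets through."""
    intended = Transfer("ACC-1001", "ACC-2002", 25_000, "USD")
    tampered = Transfer("ACC-1001", "ACC-9999", 250_000, "USD")  # beneficiary and amount changed
    counter = 7

    otp = plain_otp(TOKEN_SECRET, counter)            # what the user would read off a plain token
    sig = token_sign(intended, TOKEN_SECRET, counter)  # what a signing token produces for `intended`
    return {
        "plain_otp_accepts_tampered": bank_verify_plain(otp, TOKEN_SECRET, counter),
        "signed_accepts_intended": bank_verify(intended, sig, TOKEN_SECRET, counter),
        "signed_accepts_tampered": bank_verify(tampered, sig, TOKEN_SECRET, counter),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The plain OTP verifies regardless of what the browser sent, which is exactly why a relayed or malware-replayed code is enough to push through an altered transfer. The signed code verifies only for the details the customer typed into the token, so the rewritten beneficiary and amount are rejected; the inconvenience the text mentions is the extra typing that provides that binding.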
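The device-ID and session-linking approach credited to Eisen earlier in the essay, and the "fraud detection based on transaction type and amount" and "user profiling" mentioned above, come down to comparing a new session against what the customer normally does. The example below is added for this page and is not the essay's or any bank's code: the `Session` fields, the constructed history, the "mean plus three standard deviations" amount rule and the country check are assumptions chosen to illustrate the idea.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Session:
    customer: str
    device_id: str      # identifier the bank assigned to the customer's device
    country: str        # where the session originated
    amount_cents: int   # transfer requested during the session (0 if none)


# Constructed history for one customer (this example's own data, not a real account).
HISTORY = [
    Session("cust-42", "dev-A1", "OM", 12_000),
    Session("cust-42", "dev-A1", "OM", 8_500),
    Session("cust-42", "dev-B2", "OM", 15_000),
    Session("cust-42", "dev-A1", "OM", 9_900),
    Session("cust-42", "dev-B2", "AE", 11_000),
    Session("cust-42", "dev-A1", "OM", 13_500),
]


class CustomerProfile:
    """Rolling picture of how one customer normally banks: which devices they use,
    from where, and how much they typically move."""

    def __init__(self, customer: str):
        self.customer = customer
        self.devices: Counter = Counter()
        self.countries: Counter = Counter()
        self.amounts: list = []

    def learn(self, s: Session) -> None:
        """Fold one past session into the profile."""
        self.devices[s.device_id] += 1
        self.countries[s.country] += 1
        if s.amount_cents > 0:
            self.amounts.append(s.amount_cents)

    def amount_threshold(self) -> float:
        """Amounts above mean + 3 standard deviations of past transfers are unusual.
        With fewer than three data points there is no baseline, so nothing is flagged."""
        if len(self.amounts) < 3:
            return float("inf")
        return mean(self.amounts) + 3 * pstdev(self.amounts)

    def assess(self, s: Session) -> list:
        """Return the reasons a new session deserves review (empty list = looks normal)."""
        reasons = []
        if s.device_id not in self.devices:
            reasons.append("unknown device")
        if s.country not in self.countries:
            reasons.append("unseen country")
        if s.amount_cents > self.amount_threshold():
            reasons.append("amount far above customer's norm")
        return reasons


def build_profile(history) -> CustomerProfile:
    """Build a profile from a customer's past sessions."""
    profile = CustomerProfile(history[0].customer)
    for s in history:
        profile.learn(s)
    return profile


def review(history, session: Session) -> list:
    """Assess one new session against the profile built from `history`."""
    return build_profile(history).assess(session)


if __name__ == "__main__":
    print(review(HISTORY, Session("cust-42", "dev-A1", "OM", 12_500)))
    print(review(HISTORY, Session("cust-42", "dev-Z9", "GB", 250_000)))
```

A session from a known device, a familiar country and a typical amount returns no reasons; a session from a never-seen device in a new country asking to move twenty times the usual sum returns three. This is the decision point at which, as the text says, some banks telephone the customer before releasing the transfer rather than rejecting it outright.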
