Module 4: Protection of Info.Assets
6_Network Security Controls
Network characteristics
Anonymity
Automation
Distance
Opaqueness
Routing diversity
Threats & vulnerabilities
Information gathering
Port scan
Social engineering
Reconnaissance
Dumpster diving
Eavesdropping
OS & application fingerprinting
Bulletin boards & chats
Documentation
Malware
Communication subsystem vulnerabilities
Eavesdropping / wiretapping
Microwave signal tapping
Satellite signal tapping
Interception in wireless network
Optical fibre
Zombies & botnets
Protocol flaws
FTP transmits user id & password in plaintext
Impersonation
Guessing
eavesdropping
avoidance by OS
Non-existent authentication
Default passwords
Spoofing & masquerading
Session hijacking
Man-in-the-middle attack
Message confidentiality threats
Misdelivery
Exposure
Traffic analysis
Message Integrity Threats
Changing contents of the message
Replacing a message entirely
Reusing an old message
Combining pieces of different messages into one false message
Deleting a message
Website
Defacement
Denial of service
Connection flooding
Ping of death
Traffic redirection
DNS attack
Other threats
Cookies
Scripts
Active code
Malicious code
Viruses
Logic bomb / time bomb
Current trends in attacks
Network security controls
Architecture
Encryption
Content integrity
Strong authentication
Remote access security
Firewalls
IDS
Wireless security threats
VoIP
Penetration testing
Layers of security controls on Network
Perimeter
Firewall
Network based anti-virus
VPN encryption
Network
IDS/IPS
User authentication
Vulnerability mgt. system
Host
Host IDS
Anti-virus
User authentication
Application
Application shield
User authentication
Input validation
Data
Encryption
User authentication
5_Logical Access Controls
Paths of Logical Access Controls
Hardware
Systems software
DBMS
Application software
Access control software
Logical Access attacks
Masquerading
Piggybacking
Wiretapping
DOS
Impersonating over phone
Key logger
Malware
Malicious code
Logical Access controls policy & procedure
User management
User registration
Privilege mgt.
Password management
Review and monitoring of accesses
Default users
User responsibilities
User awareness
Password change
Use of strong passwords
User to ensure his equipment not left unprotected
Network access controls
Policy on use of networked services
Segregation of networks
Network connection & routing controls
Enforced path
Clock synchronisation
Application system access controls
Sensitive system isolation
Event logging
Monitoring system use
Database access controls
Profiles
Storing passwords in hashed form
Operating system access controls
Automated terminal identification
Password mgt. system
Duress alarm to safeguard users
Session time out
Limitations on connection time
Access control mechanism
Identification
Authentication
Something the user KNOWS
Password
Something the user HAS
Identification Badge
Token
Smart Card
Bank Card
Something the user IS
Fingerprint
Authorisation
Attacks on Logon / Password systems
Brute force
Dictionary attack
Trojan
Spoofing attack
Piggybacking
Access control list (ACL)
SSO
AD
Kerberos
4_Physical & Environmental controls
Physical controls
Objectives of Physical Access controls
Prevent unauthorised access
Cause least inconvenience to authorised users
Protect from loss or impairment
Categories of Physical Security threats
Electrical
Environmental
Hardware
Maintenance
Sources of Physical security threats
Unauthorised personnel gaining access
Authorised personnel misusing their rights
Authorised personnel gaining access beyond their authorised access
Former employees
Accidental / ignorant violations
Discontented employees / outsourced employees
Employees on strike
Suspended or terminated employees
Employees addicted to substances or gamblers
Employees experiencing financial or emotional problems
Physical security controls techniques
Choosing & designing a secure site
Security management
Emergency procedures
HR controls
Perimeter security
Smart cards
Environmental controls
Environmental threats & exposures
Natural threats
Man made threats
Exposures
Fire
Magnetic tapes using inflammable material
Poor quality of power cables
Lightning
Improper Air conditioning & humidity
Dropping of beverage or liquid
Food particles / leftover
Fungi formation on tapes
EMI (electromagnetic interference)
Water leakages
Power degradation
Black out
Sag / dip
Surge
Transient
Techniques of Environmental controls
Choosing a safe site
Facilities planning
Documentation
People training & responsibility
Vendors / suppliers background
Infrastructure
Fire resistant walls
Power supplies
Smoke detectors
Water detectors
Fire suppression systems
Water based
Gas based
Fire alarms
1_Info. Risk Mgt.
Types of Risk Responses
Avoid
Transfer
Accept
Mitigate
Types of Internal Controls
Preventive
Detective
Corrective
2_Info.Security Mgt.
Key elements
Senior mgt. commitment & support
Policies & procedures
Types of Policies
Data classification & Privacy policy
Acceptable use of Information assets policy
Physical access & security policy
Asset management policy
Business Continuity mgt. policy
Network security policy
Password policy
Tools to implement Policy
Standards
Guidelines
Procedures
Org. structure & roles & responsibilities
Clearly Defined duties
Segregation of duties
Four eyes (two person) principle
Rotation of duties
Key man policies
Responsibility
Ownership
Custodianship
Controlling
Security awareness & education
Monitoring
Compliance
Incident handling & response
Implementing Info. security policies
Increasing awareness
Communicating effectively
Simplify enforcement
Integrating security with the corporate culture
3_Info. Assets & their protection
Benefits of Info.classification
Determine the level of protection
Help in meeting compliance requirement
Reduces operational costs
Enables access control tech. to function more effectively
Classification schema
Unclassified / Public
Sensitive
Client confidential data
Company confidential data
Data Privacy
Compliance requirements
PCI DSS Standards
IT Act 2000
RBI / CERT-in / Min. of IT
Legislations for International org.
Gramm-Leach-Bliley Act
Video privacy protection Act
Children's online privacy protection Act (COPPA)
Health Insurance Portability & Accountability Act (HIPAA)
Electronic communication privacy Act (ECPA)
Medical Information
Location information
Information on WWW