Organizational Information Security: Organizational Information Security

TABLE OF CONTENTS

Heading Page

List of Figures .........................................................................................................8

Abstract...................................................................................................................9

Chapter 1

Introduction

1.1 What is Security?

Physical Security

Operations Security

Communications Security

Network Security

1.2 What is Organizational Information Security?

1.3 Why Information Security is Necessary?

Characteristics of Information Security

1.4 Who is responsible?

Chief Information Security Officer

Security Manager

Security Technician

Security Administrator

Security officers

Security Consultant

Other Position Titles

1.5 How to Protect the Organization Information?

Chapter 2

Internal Security Techniques

2.1 People

Possible Attacks

Employees Innocently Surfing the Internet

Employees Surfing Social Networking Sites

Employees Does Not know about Social Engineering Scheme

Best Possible Solutions

Countering Social Engineering Attacks

Prevention from Dumpster Diving

Developing Strong Federal Laws

Cost of Solutions

2.2 Implementing Strong Security Policy

Challenges in shaping policy

2.3 Physical Security for Desktop Computer and Servers

2.4 Security for Cabling

2.5 Biometric Authentication Method

2.6 Access Control Model

Possible Attacks

Best Possible Solutions

Least Privilege

Need to Know

Separation of Duties

Cost of Solutions

2.7 Cryptography

2.8 Replicating Data at Different Sites

2.9 Installing Proxy Server

2.10 Power Supply Failure

2.11 Service Pack, Update Application, and OS Patch

2.12 Providing Individual ID

2.13 Implementing Security Camera

2.14 Database Security Methodology

2.15 Others

Personnel security

File Integrity Scanners

Chapter 3

External Security Techniques

3.1 Intrusion Detection and Prevention System

Possible Attacks

Best Possible Solutions

Host-Based (HIDS)

Network-Based (NIDS)

Signature-Based (SIDS)

Statistical Anomaly-Based IDPS

Cost of Solutions

3.2 Installing Firewalls

Possible Attacks

Spoofing

Session Hijacking

Denial of Service

Back Doors

Best Possible Solutions

Application-level firewalls

Stateful inspection firewalls

Screen subnet or host firewall system

Denial of Service

Implement Sysctl

Back doors

Cost of Solutions

3.3 Wireless Networking Protection

Possible Attacks

Best Possible Solutions

Wired Equivalent Privacy

Wi-Fi Protection Access

Wi-Max

Bluetooth

Cost of Solutions

3.4 Remote Access Protection.

Possible Attacks

Best Possible Solutions

RADIUS and TACACS

Virtual Private Network

Cost of Solutions

3.5 User Account and Password Strategies

Possible Attacks

Dictionary Attack

Hybridization

Brute Force Attack

Key Loggers

Social Engineering

Sniffing Method

Best Possible Solutions

Password Length

Password Complexity

Testing Password Complexity

Frequency of Change

Cost of Solutions

3.6 Implementing Scanning and Analysis Tools

Possible Attacks

Best Possible Solutions

Port Scanner

Vulnerability Scanners

Packet Sniffers

Content Filters

Trap and Trace

Cost of Solutions

3.7 Web Base Security

Possible Attacks

Cross Site Scripting

Cross site Request Forgery

SQL Injection

Buffer Overflow

Session Hijacking

Best Possible Solutions

Remediation options for Session Hijacking

Remediation options for Buffer Overflow

Cost of Solutions

3.8. Cloud Computing

Benefits of Cloud Computing

Weaknesses of Cloud Computing

How would organization deploy this technology while minimizing its risks?

Cost of Solution

Chapter 4

4.1 Risk Management

4.2 Who is Responsible for Risk Management in an Organization?

Information Security Members

Information Technology community

Management and user

4.3 Risk Mitigation Strategies

Incident Response Plan

Disaster Recovery Plan

Business Continuity Plan

4.4 Risk Determination

Chapter 5

5.1 Conclusion

List of References. ………………………………………………………………89

LIST OF FIGURES

Figure Page

Characteristics of Information Security...................................................................... …13

Position in Information Security................................................................................. …15

Awareness, Training and Education........................................................................... …18

Cryptography.................................................................................................................. 35

Replicating Data at Different Site.................................................................................. 38

Installing Proxy Server................................................................................................... 39

DMZ Technology........................................................................................................... 40

Power Supply.................................................................................................................. 42

Standard ID Format....................................................................................................... 44

Security Camera.............................................................................................................. 46

Intrusion Detection and Prevention System................................................................... 50

Installing Firewall .......................................................................................................... 52

Denial of Service............................................................................................................ 54

RADIUS ........................................................................................................................ 60

Virtual Private Network ................................................................................................ 61

Session Hijacking............................................................................................................ 71

ABSTRACT

ORGANIZATIONAL INFORMATION SECURITY

Vishal Bedre M.S. ISM

Ferris State University, 2011

Advisor: Dr. James H. Jones, Jr.

This research paper mainly focuses on different types of information security attacks which an organization may encounter, the types of techniques and strategies used for mitigating various types of attacks and the costs required for implementing the techniques. This research paper gives the concepts of information security, the importance of information security, duties of the individuals at various organizational levels and there reasons the characteristics of data in the organization should be preserved.

In this research paper, I have divided the security techniques and strategies into two major parts; internal security and external security. During my research work I found several internal security techniques which can be used to avoid various internal security breaches, with minimal cost. I have mainly focused on the roles of the employees and how to prevent an organization from the social engineering types of attacks. In addition, I have found the significance various techniques, such as: security policies, biometric authentication methods, access control models, cryptography, security to network cables, physical securities to laptop, desktop and server machines, data replication, updating application software and operating system, installing proxy server, power supply failure, Individual IDs, security cameras, database security methodologies, and other security techniques. By implementing these techniques and strategies, an organization could provide a high level of security architecture.

During my research on external security techniques, I found various strategies and techniques which are necessary for an organization to prevent external security attacks. I have researched the significance of several types of external security methods with respect to their cost and possible attacks an organization avoid, such as; intrusion detection and prevention systems, installing firewalls, wireless networking protection, remote access protection, user account and password strategies, significance of scanning and analysis tools, web base security, and cloud computing. Adopting these techniques could strengthen the security architecture.

I have assessed the importance of risk management, various risk mitigation strategies and its plans, such as; incident response plans, disaster recovery plan, and business continuity plan. I have also derived how organization should determine the risk after and before an attack on organizational assets. Overall, the main goal of writing this research paper is to provide the highest level of security for an organization at minimal cost.

CHAPTER 1

Introduction

1.1. What is Security: The general definition of security is; the quality or state of being secure or free from danger. Security is important for all living individuals and their assets and property. In order to protect such things, humans do several things, such as; constructing homes, building offices, appointing security guards, installing burglar alarm systems, carrying weapons and many other things. On the other hand, the same thing is true for any country in the world. If any country wants to establish security systems, then they use multilevel security architecture. Each multilevel consists of security professionals, police, army, so on and responsible for different tasks in order to protect the nation’s overall assets. The same is true for any IT organization. It is the role of the management to ensure that each strategy is properly planned, organized, staffed, directed, and controlled. At every organizational level the specialized areas of information security are: the physical security, operational security, communication security and network security. As described below:

a. Physical Security: This includes strategies to protect people, physical assets, and workplace threats from various threats by physical means.

b. Operations Security: This basically concentrates on securing the organization’s ability to carry out its operational activities without interruption or compromise.

c. Communications Security: This mainly focuses on protection of an organization’s communication media, technology, and content, and its ability to use these tools to achieve the organization’s objective.

d. Network Security: Addresses the protection of an organization data networking devices, connections, and contents, and the ability to use that network to accomplish the organization’s data communication functions (Whitman, & Mattord, 2010).

1.2. What is Organizational Information Security: Information security is basically safe-guarding an organization's data and information from unauthorized access or modification to ensure its availability, confidentiality, integrity, privacy, identification, authentication, authorization, and accountability.

1.3. Why Information Security is Necessary: The data of any organization plays an important role in the organization. After considering the importance of data, one can say that the organizational data is the backbone of every organization. Every organization holds sensitive information, such as; employee’s salary information, financial results, and business plans for the years ahead. Sometimes they may also hold trade secrets, research and other information that gives them a competitive edge. Such type of confidential information is used for performing major operations and processes at organizational level. This information should be protected. In order to provide information security to any of the organizations, one needs to implement several methods, policies, and techniques. As the information grows and the usage of electronic transactions through organizations increases, it becomes a big challenge for organization to protect their personal and organizational information. The risk of unauthorized access increases and we are presented with growing challenges of how to best protect it.

1. Characteristics of Information Security: In order to protect the information basically the characteristic of information should be preserved. The core principals of information security are as follows:

a. Confidentiality: The confidentiality of information ensures that only those users with sufficient privileges may access certain information.

b. Integrity: The integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is compromised when it is exposed to corruption, damage, destruction or other disruption of its authentic state.

c. Availability: The availability is making information accessible to user access without interference or obstruction in the required format. Availability simply means available to the authorized users.

d. Privacy: The information that is collected, used, and store by an organization is intended only for the purposed stated by the data owner at the time it was collected. Privacy of information is to be used only for purposes known to the data owner.

e. Identification: An information system possesses the characteristic of identification when they are able to recognize individual users. It is first step in gaining access to protected information and it serves as the foundation for subsequent authentication and authorization.

f. Authentication: The authentication occurs when a control provides proof that a user possesses the identity that he or she claims.

g. Authorization: When the user is authenticated, that process is called as authorization. Authorization provides assurance that the user has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset.

h. Accountability: The accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process (Whitman, & Mattord, 2010).

1.4. Who is Responsible: In order to protect the vital information of organization there are several groups and individuals who work inside and outside the organization, such as; CISO, CIO, department managers, security officers, technicians, administrators, consultants, and community who works for organizations, in order to protect the information. Their responsibilities and functions are as follows:

a. Chief Information Security Officer (CISO): The CISO is the top information security officer position in the organization. CISO usually does not hold an executive-level position and frequently reports to the Chief Information Officer (CIO). CISO provides overall security posture for an organization. The nature of the work is as follows:

1. The CISO is responsible for managing overall information security program and drafts or approves information security policies for an organization.

2. The CISO works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans.

3. The CISO develops information security program budgets, based on funding and sets priorities for InfoSec projects and technology.

4. The CISO makes decisions in recruiting, hiring, and firing of security staff and acts as the spokesperson for the security team.

5. The CISO is also responsible for developing an information security training and awareness program.

b. Security Manager: The security managers are accountable for the day-to-day operation of the information security program. They resolve issues identified by the technicians and accomplish objectives, as identified by the CISO. Security mangers are regularly assigned specific managerial duties, such as; policy development, risk assessment, contingency planning, and operational and tactical planning for security function. They regularly work with other department managers in order to make major decisions inside the organization.

c. Security Technician: The security technicians are technically qualified individuals responsible for configuring security hardware and software, such as; firewalls, IDPS, implement security software, diagnose and troubleshoot problems, and coordinate with system and network administrators to ensure that security technology is properly implemented.

d. Security Administrator: The security administrator performs tasks for security technician and a security manager. The security administrators are also responsible for managing the day-to-day operations of security technology and assisting in the development and conducting the training program, as well as being involved in creating security policies.

e. Security Officers: The security officers are responsible for guarding the organizational assets and data, logically as well as physically.

f. Security Consultant: Security consultant is an independent expert in some aspect of information security. He/she is usually brought in when the organization makes the decision to outsource one or more aspect of their security program. They are basically highly proficient in the managerial aspects of security and usually enter the field after working as experts in the discipline and often have experience as a security manager or CISO (Whitman, & Mattord, 2010).

g. Other Position Titles: Some of the other position titles, who work for providing security to logical and physical assets of the organization, are as follows:

1. Information Security Community: This community is responsible for protecting information assets from the threats. There are several posts in organization who works for this community: InfoSec department manager, InfoSec engineer, and Internal InfoSec consultant.

2. IT Community: This community is responsible for supporting business objectives by supplying appropriate information technology. There are several posts in organization works for this community: CIO, computer operators, help desk associates, telecommunication managers, system programmers, and database administrators.

3. General Business Community: This community is responsible for articulating and communicating policy and allocating resources. There are several posts in organization, who work for this community: physical security department manager, physical assets protection specialists, building and facilities guards, and office maintenance workers.

1.5. How to Protect the Organization Information: In order to protect information, the organization must have to focus and adopt following advance techniques and methods.

CHAPTER 2

A. Internal Security Techniques: The internal security techniques of security are used for securing the physical and logical assets of the organization. There are several different types of internal security techniques available in the market. The organization should implement such types of security techniques in order to provide high level of information security. Some of the internal security techniques are as follows.

2.1. People: The people are the weakest link in the organization. If an organization wants to secure the organizational information they need to create various security awareness programs, training programs, and educating employees about internal and external security techniques. Each employee should know the concept of dumpster diving, social engineering, and the drawbacks of social networking sites.

A. Possible Attacks: Most of the possible attacks occur when the employees are unaware of the following types of attacks:

1. Employees Innocently Surfing the Internet: The problem with the internet is that it is chocked of viruses and malware just waiting to be downloaded by unsuspecting users. Most of the time employees are unaware of virus and unintentionally download the virus inside organizational network. Sometimes a virus can enter inside a network using email attachments. That single virus on one individual computer can wipe out or corrupt an entire network full of company information.

2. Employees Surfing Social Networking Sites: Employees are using social networking sites and posting their vital personal information. Using that information, hackers are able to gain access to their organizational accounts. Apart from that, the identity theft of individual is easily possible because of the social networking sites.

3. Employee Does Not Know About Social Engineering Scheme: The employee does not know about the social engineering scheme such as pre texting, phishing, baiting, quid pro quo, tailgating or piggybacking, dumpster diving and scamming. The employee should know that every social engineering activity and how to overcome such types of activities. As per definition of social engineering, is an attempt by an attacker to either convince an employee to perform an unauthorized activity or to obtain unauthorized access to facilities and systems through illegal means. It basically involves the skills of gaining the trust of people within organizations to allow them to gain authorized access to information and other assets. Several types of social engineering attacks are possible some of them are as follows:

a. Pretexting: It is typically done over the telephone and usually involves more than a simple lie. It is often preceded by prior research to successfully use pieces of known information to support the impersonation and establish legitimacy in the mind of the target. This technique is often used to trick a business into disclosing customer information, and is used by private investigators to obtain telephone records, utility records, banking records and other information directly from junior company service representatives.

b. Phishing: It is a technique of fraudulently obtaining private information. It is often done through email, where the attackers sends an e-mail that appears to come from a legitimate business a bank, or credit card company requesting verification of information and warning of some dire consequence if it is not provided.

c. Baiting: It is like the real-world Trojan horse that uses physical media and relies on the curiosity or greed of the victim. In this attack, the attackers leaves a malware infected floppy disk, CD ROM, or USB flash drive in a location sure to be found, gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to use the device.

d. Quid pro quo: It means something for something. In a Quid pro quo attach, an attackers calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attackers will help solve the problem and in the process have the user type commands that give the attackers access or launch malware inside the organization network.

e. Tailgating or piggybacking: It refers to when a person tags along with another person who is authorized to gain entry into a restricted area, or pass a certain checkpoint. In this technique the unauthorized person create the deceptive ID for pass into to security network of organization.

f. Skimming: It is another type hi -tech method of social engineering called a skimmer which reads information encoded on the cards’ magnetic stripes. Most of the time the hacker use this technique for credit/ debit card hacking purpose (Ciaramitaro, 2010).

g. Dumpster Diving: Many employees throw away email printouts and other organizational information into their normal trash. The term dumpster diving comes from the habit of literally getting into trash containers, looking for these listings. This is essentially a way to get information about the computer systems of the company who threw out the trash.

B. Best Possible Solutions: Some of the following best solutions used for avoiding people from various attacks:

1. Countering Social Engineering Attacks: To prevent social engineering attacks, the helpdesk people and organizational employees should know the social engineering concepts. The employees should not provide any vital organizational or personal information to any third party persons. The employees should not disclose any confidential information, such as username and password to anyone over the telephone, postal mail or email. The employees should always use a secure web site for submitting information, if necessary. One should verify the user’s credentials before releasing any password information. It is also recommended to keep confidential documents in a fire proof and safe place. While leaving the computer for any period of time, the computer should be shut down. If necessary, the confidential information should be given to the user by using a second channel. If somebody is requesting password information over phone, the information should be sent by the register email of the employee or vice versa. The organization should not publish the important information on the organizational web pages.

Nowadays, social engineering attacks are a more common and successful method of information security attacks. In this situation the employee should be aware, trained and educated on the negative impact of innocently surfing the internet. They should be alert at all times, while surfing the Internet. It is mandatory for the organization to block such social networking sites, and to educate the employees on the negative impacts of such sites. Secondly, for avoiding some of the social engineering attack organization should disable the CD ROM and USB port of the desktop computer and server computer, so that employees are unable to use the CD ROM and pen drive inside the organization. Thirdly, every individual should check the CD and pen drive at the stand alone machine for virus scanning. Before using such devices inside the organization, one should insure that there are no viruses and worms in the respected media. After scanning the CD or pen drive if the virus is not found in the pen drive or CD ROM, then it should be used in actual organization network, otherwise it should be disposed safely. Nowadays in order to avoid social engineering attacks on an organization, installing a screen saver lock application at individual desktop computers. This type of application will be activated when the desktop computer is idle for consecutive minutes.

For social engineering types of attacks, the security awareness, training and education are the best solution for people who work for the organization. In order to make security awareness programs successful one should, include security awareness videos, posters, banners, expert lectures, conferences, computer based trainings, newsletters, brochures, flyers, trinkets, and bulletin boards. The organization should publish security newsletters for educating employees about recent attacks and their remedies. It is a very cost effective and efficient way of educating employees about current threats.

2. Prevention From Dumpster Diving: In order to avoid the dumpster diving attack the respected organization should develop a written recycling and trash handling policy, connected to other security policies. The trash document should be destroyed, in such way that one could reconstruct the document. The CD’s should be properly recycled. The CD’s should be broken or made in such a way that one could not recover the data.

3. Developing Strong Federal Laws: The government of respected country should create strict laws for social engineering types of attacks. Developing these Federal Laws is the strongest way of deterring someone from committing an information security crime. There are several laws that exist to deter someone from committing information security crimes. Nowadays this is very effective way to protect the information. The information security personnel can deter unethical and illegal acts, using policy, education and training, and technology as controls or safeguards to protect the information system.

C. Cost of Solutions: The cost of this technique depends upon the organization’s number of employee and their learning abilities. The cost required for such a solutions is not very expensive, as compared to the losses incurred after a security breach. If these types of security programs are implemented and followed by the organization’s employee, then it would be beneficial to the organization in long-term profits. This type of security programs would directly or indirectly create the shield to protect the logical and physical assets of the organization.

2.2. Implementing Strong Security Policy: Creating strong security policies at the organizational level is another way of protecting organizational information. In general, the policy is a written document that states how a company plans to protect the company's physical and information technology assets. A security policy is often considered to be a living document, meaning that the document is never finished, but is continuously updated as technology and employee requirements change. A company's security policy may include an acceptable use of policy, a description of how the company plans to educate its employees about protecting the company's assets, an explanation of how security measurements will be carried out and enforced, and a procedure for evaluating the effectiveness of the security policy to ensure that necessary corrections will be made.

The quality information security program begins and ends with information security policies. The policy is designed to create a productive and effective work environment, free from unnecessary distractions and inappropriate action. Properly developed and implemented policies enable the information security program to function almost seamlessly within workplace. The security policies are the written statement used for providing the complete security to organization assets. The security program is overall depend upon the information security polices of organization.

The Information security policies provide a framework for best practice that can be followed by all employees. The policies help to ensure that risk is minimized and that any security incidents are effectively responded to. Information security policies will also help turn staff into participants in the company’s efforts to secure its information assets, and the process of developing these policies will help to define a company’s information assets. The information security policy also defines the organization’s attitude to information, and announces internally and externally that information is an asset, the property of the organization, and is to be protected from unauthorized access, modification, disclosure, and destruction.

A. Challenges in Shaping Policy: Every IT and Non IT organization must be follow the following rules while creating information security policy for an organization.

a. Policy should never conflict with law: The policy statement should not be ambiguous and follow the government law. In other words, the policy should not conflict with laws: before implementing a written statement of policies at organization level, one should confirm that whether or not the written policy is following the public security laws.

b. Policy must be able to stand up in court if challenged: The organizational policy should be complete and the written policy statement should not originate two meanings for the same statement. If anyone challenges the policy in court the purpose of the policy should be clear.

c. Policy must be properly supported and administered: The policy should accomplish the required goals of the organization and be within limited organizational assets. Policy must be administered, in order to accomplish desire goal of organization. In other words, the policy should accomplish the desired goals using the appropriate administration.

2.3. Physical Security for Desktop Computer and Servers: The overall data of the organization is stored on the desktops, servers and laptop computers. Most of the time, these machines are more vulnerable to physical attacks if physical security is not provided by the organizational individual.

A. Possible Attacks: One can hack or steal the computer desktop, laptop and server information by manually operating such machines. It is easy for hackers to access the physical machines if there is no physical security. Most of the time, the desktop, and laptop and server machines automatically save the important passwords and username. The attackers can steal or surreptitiously copy such type of information and use that information from outside the network. Otherwise the unauthorized person can install malicious or hacking software, wipeout the entire data, copy some important information, add users in the networks, collect the network and user information, modify the user name and password and various other malicious activities. After considering all types of attacks and their affects, the organization should provide physical security for all of the desktops, laptops and server computers.

B. Best Possible Solutions: One should place the machines in secure place where one cannot enter easily. It is also recommended to install the air conditioning in a server room, if the server is placed in a compact place. The air conditioning will increase the performance of the servers. Apart from that, if possible implement biometric authentication techniques for identification authorization of the user. Most the time, user saves their password and username at their individual computer. For security purposes, they should not save the password at their desktop machines. If an attacker takes unauthorized physical possession of computer, then also hacker could not access the user accounts. The organizational individual should not disclose their password to the any third party individual, use network scanning and analysis tool, provide ID to employee, and organization should provide laptop locks for every employee, that would be useful to an employee while traveling at remote location.

C. Cost of Solutions: There is no special cost for implementation of these security techniques. In order to provide the security, one needs to place the server and desktops computer at secure place inside the organization. The table shows the cost for laptop locks available in the market.

2.4. Security for Cabling: Inside the organization network is developed using the several cables such as CAT 5, unshielded twisted pair, shielded twisted pair, fiber optic cable and coaxial cables. The cable is used for transmitting data from one node to another. The node may be physically located on the inside or outside of the organization. It is also used to connect various network components, such as; clients to severs, into hubs, bridges, switches and routers, and other associated network hardware. Overall the physical cable is the basic media of transmission inside and outside of the organization. It should be protected.

A. Possible Attacks: If the cables are open that makes them vulnerable for an attack. It is also a possibility to break the cable and that could affect the overall organization communication networks. It could also possible that an attacker could tap the cable and monitor the overall network traffic. Using an open cable an unauthorized person could access the important communication between the nodes. By taping the cable an attackers or hacker can pass as an authorized user and access the important information. Sometimes the electric power supply waves could interfere with the network data signals. These electronic waves could alter the quality of the data signals.

B. Best Possible Solutions: The cable should be shielded in a protected cover that makes them less vulnerable. The organization should put the LAN network underground. It makes them invisible to the user who is working on the network and the attackers. This would definitely protect the cables from breaking, twisting and any unauthorized user access. At the time of the network development, the developer should select an excellent type of cable for the LAN networking. It is also recommended to select the appropriate topology for network development. One should select suitable topology by considering all the advantages and disadvantages of it. According to the network experts, the mesh type of topology and fiber optic cable is the best possible combination for internal organizational networking.

The shielding for cable, quality network development material and proper arrangement of the cable would make them less vulnerable. The cable should have the proper trucking and conduits. The organization should create the LAN network in such a way that if one cable would break, then the overall network would not be affected. While developing the network, one should provide adequate slack between the cable socket and computer base. There should not be any strain on the cable. The material used for the network development, such as the RJ45 connecter and cable should be of good quality. The physical path of cable should be documented for future use by the organizational network designer. The network designer should check all network equipment at periodically. One should use data encryption technology, when transmission of data is wireless. The organization should protect these cables from the electric wires. As these wires may hinder the transmission of digital signal, which is passing through the network cable.

C. Cost of Solutions: Implementation of this technique only requires the cost of shielding the network cable. It is a onetime investment to establish the underground network connection for the LAN connection inside the network. The table lists the costs required for shielding network cable and RJ45 protection covers is listed below.

2.5. Biometric Authentication Method: The biometric authentication method is an electronic identification technique used for an individual on the basis of his or her unique biological or physiological characteristics, such as; finger print, face recognition, hand geometry, retina geometry, voice, signature, palm print, hand vein, DNA, thermal imaging, ear shape, body odor, keystroke dynamics, and fingernail bed. Implementation of such methods at an organizational level can stop the unauthorized users to access the vital data.

A. Possible Attacks: The unauthorized person can attack the physical and logical assets of an organization. They can hack the vital information and insert, delete, modify and accessed data. It is also possible for a hacker to physically penetrate the organization and possibly steal valuable organizational assets. Without biometric techniques, it would be very difficult to protect the valuable assets of the organization. The ID, username and password authentication method has several limitations. One cannot completely protect assets physically and logically without biometric authentication techniques.

B. Best Possible Solutions: One can compare effectiveness of biometric techniques by comparing the evaluating values of all biometric technique, such as; false reject rate, false accept rate, and crossover error rate. The effectiveness of biometric authentication systems by ranking from the most secure to the least secure, such as; retina pattern recognition, fingerprint recognition, handprint recognition, keystroke pattern recognition and signature recognition. In the security world, these methods are also categorized by the most accepted to the least accepted, such as; keystroke pattern recognition, signature recognition, voice pattern recognition, handprint recognition, fingerprint recognition, and retina pattern recognition. The best solution for any organization depends upon the type of information to be secured and budget of organization to enable them to invest in these types of techniques.

C. Cost of Solutions: The cost of implementation of biometric technique is different for different technique. Some of the important biometric technique cost is listed below

2.6. Access Control Model: It restricts the access to information, information assets, and other physical assets to those with a bona-fide business need. The access control model is basically divided in to two parts, logical and physical data access control model. The logical data access control model is another way to defend information from the unauthorized user. In this technique, the organization should define appropriate access privileges to the data for each department, such as; read, writes, and execute permission. The physical access control model basically deals with the entrance of the user into a trusted area of the organization.

A. Possible Attacks: If every user accesses all data and information from the server, that makes it more vulnerable as compared to the restricted approach. One can easily assess the other departments’ data and also disclose or use the data for their own purpose.

B. Best Possible Solutions: Creating the groups and different user accounts is one way to securing and distributing data to a specific user. Set the read, write, and execute permission to the data and files depending up on the user requirement. The organization should create an appropriate physical access control model for computer rooms, server rooms and even the organization itself. The organization should also adhere to the following techniques for avoiding the information security attacks.

1. Least Privilege: By using this principle the members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. It gives the only information which is needed to know. This will depend up on the user level required for assigned duties.

2. Need to Know: This techniques emphasis is on limiting a user’s access to the specific information required to perform the currently assigned task, and not the category of data required for general work function.

3. Separation of Duties: The separation of duties is a key for data security. In this technique the tasks should be split up in such a way, that more than one individual is responsible for their completion. In some cases the dividing task between two individuals can protect the information from fraud. On other hand, the organization should assign specific tasks to a specific user who can solve the data security problems. One should chose specific strategies depending upon the conditions and the level of security required. Separation of duties also means allocating different organizational tasks to a different person according to their abilities. That would make the individual data secure and ultimately overall; the organizational data will be secure. The main goal of separation of duties is as it relates to security is as follows:

a. Separation of duty provides prevention of quarrel of interest, the appearance of conflict of interest, unlawful acts, deceive, abuse and errors.

b. Second one is the detection of control failures that include security breaches, information theft, and circumvention of security controls. Security controls are measures taken to safeguard an information system from attacks against the confidentiality, integrity, and availability of computer systems, networks and the data they use. In addition, the security controls are selected and applied based on a risk assessment of the information system. These controls restrict the amount of power influence held by any one individual. The proper separation of duties, of course, is designed to ensure that individuals don't have conflicting responsibilities or is responsible for reporting on themselves or their superior. Implementation of physical and logical access control model is the best way of providing the security to the organizational assets. This model should be created carefully in such a way that the physical and logical access permission for individual should not cross each other.

C. Cost of Solutions: There is no external cost required for implementing such type of solution inside the organization. The network operating system provides such types of features, such as; creating groups, users and assigning the access permission. It is also recommended to create a separate team at an organization level for maintaining the access control model.

2.7. Cryptography: The cryptography word is a combination of Greek words kryptos, meaning hidden and graphein, meaning to write. So the cryptography stands for hidden writing. This method basically is used for transmitting organizational information in a secure way. It is executed in two modes, one is data encryption and other one is decryption of information. There are several different methods available in the market; one can select these methods depending upon the importance of the data and information.

A. Possible Attacks: Attackers can access the network data while transmitting from source computer to destination computer. The intruder can change the content of the data or possibly change the destination address of the computer, where the data should be reached.

B. Best Possible Solutions: The data encryption is best method of securing the vital data. It is possible to secure information security using various encryption and decryption methods. Sometime the data may be lost due to the bad communication network or other network problems. The cryptography algorithm provides reliable data transmission framework, which informs the sender about any data transmission errors. It also provides confirmation about the data packets, and if it is received properly at the destinations. Some of the basic cryptography methods are; common ciphers, symmetric encryption, vernam cipher, asymmetric encryption, digital signatures, triple DES, RC4, IDEA, three- key triple IDEA, three- key triple DES, CAST, blowfish, RC5 and RSA. Some of the data encryption techniques encrypt the data in the following ways:

1. Common Ciphers: This encryption method commonly uses algorithm include three functions: substitution, transposition and XOR.

a. Substitution: In this function plain text is substituted with another text called as cipher text.

b. Transposition: It is type of ciphering technique which simply rearranges the values within a block to create cipher text.

c. XOR: This type of ciphering technique the plain text is XOR with key stream text.

2. Symmetric Encryption: In this type of encryption method the encryption and decryption of data can be done using same algorithm and key.

3. Asymmetric Encryption: In this type of encryption method the encryption and decryption of data can be done using different key (public and private key).

The organization should implement the complex security algorithms to secure data, such as; Triple DES, RC4, IDEA, Three- key triple IDEA, Three- key triple DES, CAST, Blowfish, RC5 and RSA. The more complex cryptographic algorithm is, the more secure the data is.

C. Cost of Solutions: Some of the algorithms are built-in the operating system, there are no external software or hardware required for encryption and decryption of data. These are some of the advance cryptographic software the organization needs to purchase for securing vital data:

2.8. Replicating Data at Different Sites: This method provides effective ways to secure huge amount organizational information. If one location site of data is corrupted or no longer in use, then one can use another location site of data in order to continue the business operations. In general it is a refined type of backup technique for data recovery. In the IT organization the recovery of data in a small time period is important because every operation is depending upon the data.

A. Possible Attacks: Sometimes the hacker can be successful in wiping out an overall database of a server or a client computer. Sometimes because of natural disasters the data may be corrupted and no one can access the physical data stored at the respected server or client computer. In such a case without data, the IT organization cannot continue their organizational operation.

B. Best Possible Solutions: In order to avoid the data loss, one needs to create a strong backup and recovery technique at the organization level. The data should be stored at several remote locations. So that, if the data from one location is not available one could retrieve data from other location. The data backup should be scheduled by the individual after periodic time interval. Time span between two backups will depend upon the importance of the data. If the data is important, the time interval between two consecutive backups will be less.

C. Cost of Solution: These types of solutions require, only the cost of mirroring data at a different place. For this purpose the organization need to allocate separate server.

2.9. Installing Proxy Server: In computer networks, a proxy server is a server that acts as an intermediary for requests from the clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server evaluates the request according to its filtering rules. The common functions of a proxy server in the organization network is restricting a user from accessing specific web sites, masks the IP address of an internal user from the outsider, maintain logs of the users request from internet, and maintains a cache of the sites that users on the network have visited. In other word the proxy server is work as intermediate in between inside network and outside network called as internet. This is one of the most common methods for protecting the internal user from unauthorized access of sites and from malicious contents. Several different types of proxy servers are available to the market. Following are some commonly known proxies: anonymous proxy, distorting proxy, high anonymity proxy, intercepting proxy, reverse proxy and transparent proxy

A. Possible Attacks: Possible attacks on the proxy server are as follows:

1. Attacks made through Proxy Servers: The hacker and cracker can use a proxy server concept for concealing their identification. Using this concept they can establish several types of attacks, such as; buffer overflow, denial-of- service, and session-hijacking attacks. The attackers can send or receive the confidential data outside the organization network.

B. Best Possible Solutions: The organization should install the DMZ technology to protect the proxy servers from the attacks. The DMZ stands for demilitarized zones. DMZ in networking gets its name from the demilitarized zones, which is land that the military would use as a barrier against the enemy. It is a secure server that adds an additional layer of security to a network. It acts as a buffer between a local area network and a less secure network which is the internet. The DMZ server is also known as a data management zone and provides secure services to local area network users for email, web applications, ftp, and other applications that require access to the internet.

It also acts as a management server that is placed on the network that contains multiple network interfaces that plays specific roles in protecting the local area network. The IT administrators use a 4-port Ethernet card in the firewall to create a series of networks that includes an internal trusted network, DMZ network, and the un-trusted network, which is the internet. The Multiple DMZ networks are created to reduce the impact of damage to the system in the event that one of the DMZ hosts is compromised for any reason. Although a regular network firewall is installed to provide protection for the local area network, a DMZ establishes rules for protecting the DMZ network from the internet. It also establishes rules for protecting the local area network from the DMZ in the event the DMZ is compromised. This provides added protection against hackers that try to breach the local area network.

C. Cost of Solutions: The proxy server installation at the organization level does not require any additional cost. Implementing a proxy server means using the functionality of server operating system. It is commonly included in router and firewall software. When user requested for web site the request routed through the proxy server. The proxy server stores the users IP address and time of request. Some of the common proxies and their costs are as follows:

2.10. Power Supply Failure: In the organization, uninterrupted power supply is necessary in order to continue the organizational operation. The server and host computer should require the uninterrupted power supply because every organizational operation is dependent upon it. In the IT organization, two major power supplies should be required because if one power supply is having a problem then, the other power supply can automatically be activated to provide uninterrupted power supply for continuing organizational operation.

A. Possible Attacks: Sometimes the hacker or cracker can compromise the organizations’ security by cutting down on the source of power supply. It may cost millions of dollars to the organization. The unauthorized person can easily infiltrate and attack the organizational network, because all of the security mechanisms working will be dependent upon the power supply. The loss of power may stop the communication within the organization and outside world. Sometimes the monetary transactions could be lost.

B. Best Possible Solutions: One can use the UPS or generator technology in order to provide uninterrupted power supply to the organizational network. There are numerous types of generators and UPS available in the market. The most common fuel type generators are basically classified into four types, such as; Gas Generators, LPG Generators, Diesel Generators and Natural Gas Generators. The classification of UPS is dependent upon required capacity of UPS. Implementing a generator and UPS is one of the best solutions to avoid future power failures, a problem for an organization. A major problem in the forefront of the IT industry is voltage fluctuation and power failure. In this type of environment, the organization should implement UPS and generators. The UPS is also used for voltage stabilization, which could protect the computer from hardware failure problems.

C. Cost of Solutions: The cost of implementing generates and UPS are depending upon the size of the organization. The capacity of UPS and generator is directly proportional to the cost of such types of electronic instruments. Some of the cost for generator and UPS are as follows:

2.11. Service Pack, Update Application, and OS Patch: It is mandatory for every organization to update the software and install patches of OS at regular time intervals, which makes them less vulnerable. The patches and updates can be downloaded manually or automatically. The automatic updating feature is already available in most of the application software and operating systems. One can easily update the application software using the internet. Updating the application software and OS can protect the data from new threats and future vulnerabilities.

A. Best Possible Solutions: Updating the software and OS on a regular basis is only way to secure data from unauthorized access. The organization should update their commercial software applications at regular periodic intervals. The IT person should visit the vendor site and update the applications. Operating systems such as; Windows and UNIX both release patches every single hour, hence an organization should install types of patches that does not leave them vulnerable.

B. Cost of Solutions: Updating an application software and operating system is free, if the organization buys a licensed copy of that software or operating system. It is a vendor’s responsibility to give out updates at the regular periodic intervals. It is also recommended to inform the software or operating system vendor by organization, if they trace any vulnerability in their applications or organization networks.

2.12. Providing Individual ID: Is another way of providing physical and logical security to the organizational assets. The organization must provide individual IDs for each employee, which protects the unauthorized person from entering into the organizations secured area. When employees are entering and exiting the organization, the security officer at gate should check ID’s for authorized and unauthorized individuals before allowing admittance.

A. Possible Attacks: The attackers can physically infiltrate into the organization if there is no identification of each employee. An attacker might use organizational assets for malicious purposes, steal, read or modify the vital information of the company. Not providing IDs to employees may allow an unauthorized user to pretend to be an authorized user and asks for confidential information. The attackers can infiltrate an organization and carried out the social engineering attacks.

B. Best Possible Solutions: The organization should provide ID’s for each employee so that it could helpful for them to identify the authorize user. The organization should give the ID with a PIN number to each of the employees. This mechanism could work like a dual level security for organizational assets. The ID is only recommended for general purpose security for organizational assets. The ID for each employee is not enough for the specific identification of employees. There might be a possibility of attacks using a fake ID. The respected organization should implement biometric authentication techniques for high levels of security to the organizational assets.

C. Cost of Solutions: Providing ID’s to each employee is a cheaper way to secure the organizational assets. For each ID generated the cost for each employee is two to ten dollars.

2.13. Implementing Security Camera: Implementing security cameras at internal and external sites at the organization is recommended. It is another way of deterring attackers, both internally and externally, from committing an information security crime. In physical security, the organization should implement the security cameras to monitor individual’s activities. If security crime does occur at the organization, it can easily detect the problem and provide an appropriate solution for the problem.

A. Possible Attacks: An attacker can physically break into the organization and access valuable information and physical assets. Sometimes the attackers can create dangerous situations within the organization, by destroying assets and the physical information. The camera can give solid proof to the organization when hackers are conducting a crime inside the organization.

B. Best Possible Solutions: Providing identification to the every employee, as it can save the organization by denying access to the unauthorized persons inside the organization. Implementation of camera is another way of protecting physical assets of organization. In the organization one should implement hidden cameras, instead of open installations. This technique could protect the cameras from the attackers. There are several types of security cameras and the basic types are wired and wireless. The wired camera implementation does not have any kind of limitation as compared to a wireless camera. The wireless camera’s video stream may be disturbed or influenced by moving objects or strong radio frequencies. The wired cameras can capture the stable videos at the extreme condition.

The organization should install excellent quality cameras. Before purchasing the cameras they should check for the recording capacity of the camera. They also should check for the resolution of the camera, zooming capability, suitable lens, and illumination factor LUX, and image sensors. It is recommended to select charge coupled device (CCDs) image sensor type of camera, which gives a better image quality. There are several types of security cameras available to the market such as: indoor, outdoor, pinhole camera, infrared day/night, bullet, board camera, dome camera, standard surveillance camera, water-resistant security camera, and water-proof hidden camera. The organization should implement this technology according to their requirement.

C. Cost of Solutions: The following table lists some of security cameras available and the costs. The table also mentions cost for the security surveillance package which is comprises of various types of cameras and storage device, remote and computer monitor.

2.14. Database Security Methodology: Various database software available in the market, such as; Oracle, SQL Server, DB2, and Microsoft Access. This software provides the inbuilt security systems to the databases and database users. This database management software is not only used for security purposes, but it is also used for the efficient manipulation of data.

A. Possible Attacks: Unauthorized users can access data from remote locations. Attackers could modify or erase the contents of the database. The data may be lost due to a power failure or any other types of natural disasters. The data base software is used to preserve the characteristics of the data.

B. Best Possible Solutions: The organization should install reputable database application software for securing and handling massive data and files. The organization should select the database software, depending upon the functionality provided by the software. Users of the database server should not divulge the user name and/or password to third party individuals. The organization should utilize the backup and recovery functionality of the database server application. The organization should periodically perform a full database backup, differential data backup, transaction log, and file group backup for the database. The organization should implement SQL Server 2008, as it provides better performance, more reliable output, and requires a lower hardware cost as compared to other database software.

C. Cost of Solutions: The database application software costs are listed below:

2.15. Others:

a. Personnel Security: The human resource department of the organization should check the background and references of individuals before hiring. It is mandatory for an organization to check the resume for; credibility of employment records, qualifications, reasons for leaving previous employment and the criminal records.

b. File Integrity Scanners: Use a Tripwire software tool to check file and directory integrity in case of an alteration or substitution. This software tool stores information about files in its database and this database file will be compared with the current version of the file. If there is any difference between the current status and stored status then the administrator will act accordingly to the changes found.

Price of the tool: Verisys for File Integrity Monitoring $319.99 USD per agent

CHAPTER 3

B. External Security Techniques: The external security technique is used for avoiding external attacks by hackers and intruders. When the organization’s LAN or MAN network connects to the outside network or internet, it is very difficult to protect the information from any unauthorized users. In this condition, the organization could provide a high level of security by implementing the following external security techniques:

3.1 Intrusion Detection and Prevention System: This system works like a burglar alarm. The alarm can be many different forms, such as: audible, via email, and numerical or text paging. This depends upon the configuration of the intrusion detection and prevention system. It can be configured as a burglar alarm in order to notify an external information organization.

A. Possible Attacks: The most common attacks occur by the attacker such as; accessing, deleting, and modifying data and files from the host computer. By accessing vital data the attacker can use for malicious purposes or other types of network attacks. The attacker can create the denial of service attacks by creating a flood of packets, which can stop the overall communication between the computer networks. Sometimes they can send the data packets with malicious contents into the organizational networks.

B. Best Possible Solutions: The IDPS is best solution for the above attacks. There are many different types of intrusion detection and prevention systems available in market. The organization should select the type of solution depending upon the type of attacks. The IDPS working mechanism is described as follows:

1. Host-Based (HIDS): A host based IDPS works by configuring and classifying various categories of the system and the data files. This IDPS is mostly configured on a host and monitors only the activities of the host. It looks for changes in file attributes such as; create, modify and delete.

2. Network-Based (NIDS): Network based IDPS monitor the network traffic. It looks for the patterns of network traffic, such as; large collections of related traffic that can indicate a denial-of-service attack or a series of related packets that could indicate a port scan in progress.

3. Signature-Based (SIDS): Works like an antivirus software. It examines data traffic for something that matches the signatures, which comprise preconfigured and predetermined attack patterns.

4. Statistical Anomaly-Based IDPS: Collects data from normal traffic and establishes a baseline. It then periodically samples network activity, using statistical methods, and compares the sample to the baseline. When activity falls outside the baseline parameters, the IDPS notifies the administrator. Implementing such types of techniques depends upon the organizational needs. In other words, the kind of security required depends upon the appropriate IDPS selected.

C. Cost of Solutions: The cost of this solution depends upon the number of users. The number of users varies the cost of software. The security will be provided by the software venders for a period of one year.

3.2. Installing Firewalls: A firewall is a device that prevents specific types of information from moving between the non-trusted network and the trusted network. It may be a separate system, a service running on an existing router or server, or a separate network containing a number of supporting devices.

A. Possible Attacks: A major problem with organizations is accessing the internet sources and data, which contain the malicious information. This information is intentionally or unintentionally routed inside the network by the employees. This could hinder the organizational operations and hack the important data from the organizational networks. Sometimes the employees use several prohibited sites during work hours on the organizational network, such as; sexually explicit, social networking, personal email, and job search sites. Most of the time, these sites contain malicious codes which are innocently downloaded by the employee inside the organizational network. This may compromise the data security of the organization. The attacker can find out the type of firewall used in an organization’s network and find several ways to bypass the firewalls. Sometimes the attacker is successful sending the organizational information to another user through email. Some of the most common attacks are as follows:

1. Spoofing: In this type of attack, the hacker appears as a legitimate user, which allows the hacker to send and receive packets to and from a network.

2. Session Hijacking: In this type of attack, the attacker intervenes in an active session. The attacker acts like as an authorized user and accesses all packets within a session. For these types of hacking purposes the hacker uses the user IP address to continue the hacking operation.

3. Denial of Service: This attack is a more popular type of attack. In this attack, the attacker doesn’t require a local account on the machine. Such attacks exploit an error in the TCP/IP stack or a running service on the target machine by sending one or more unusually formatted packets to the target, which could crash the target system or specific process on the target system. Some of the popular packet denial-of-service attacks, such as: land, latierra, ping of death, jolt2, rose, teardrop, and winnuke.

4. Back Doors: This type is an alternative method of hacking internal networks. After a successful attack on the organizational network the attacker creates a new user on the system with administrative privileges. With this newly created account the hacker can use later attacks on the network. Sometimes the hacker uses the program Back Orifice to gain remote access to an organizational network computer.

B. Best Possible Solutions: There are basic four types of firewalls available to the market. One can implement the firewalls at an organizational network depending upon the type of attacks an organization is facing and the type of data an organization wants to secure. At the time of installing a firewall at the organizational level the administrator needs to carefully configure the firewall. The major types of firewalls and its mechanism are as follows:

1. Packet filtering firewalls: The packet filtering firewalls are a network device that filters packets by examining every incoming and outgoing packet header. One can be configured the packet filtering firewalls to filter based on IP address, type of packet, port request and other element present in the packet. In this type of packet filtering firewall configuration the actual packet compared with the firewall database. If the data packet is equal to the incoming packet it will be allowed inside the network, otherwise not.

2. Application-level firewalls: The application firewall is typically built to monitor one or more specific application or services, such as a web or database services.

3. Stateful inspection firewalls: This is a third generation firewall and consists of enhanced features. It monitors each network connection established between the internal and external system using the state tables. State tables track the state and context of each exchanged packet, by recording which station sent which packet and when.

4. Screen subnet or host firewall system: This firewall consists of a packet filtering router with separate, dedicated firewalls, such as an application proxy server. This approach allows the router to screen packets to minimize the network traffic and the load on internal proxy.

The following are the solutions for the attacks explained above:

1. Denial of Service: Implementing firewalls, switches, intrusion-prevention systems and routers. Configuring the network device properly will protect it from the denial of service attacks. These devices can route unwanted packets or discard the floods of packets easily.

a. Implement Sysctl: This prevents ping attacks by disabling ping responses on the network machines. An organization should implement a proxy server at the organizational level. That will protect the original server from attacks. An organization can protect the organizational network from remote denial of service type of vulnerability by implanting several software and hardware techniques. The firewalls, IPS, and routers with proper configuration can protect an entire network from these types of attacks.

3. Back Doors: In order to prevent this type of attack, the organization needs to reinstall the computer and fix the bug used by the hacker to access the computer. The implementation of this type of firewall depends upon the requirement of the organization.

C. Cost of Solutions: There are many firewall vendors in the market, and their products have different features and different vulnerabilities. Table below shows the various prices for the firewall:

3.3. Wireless Networking Protection: Wireless network protection is mandatory for an organization. Today, several organizations are using wireless technology as a major communication media. It is a low cost alternative media to a wired network. In order to protect and increase the strength of the wireless signal the organization should adopt several techniques such as; wired equivalent privacy, Wi-Fi protected access, and Wi-max technology.

A. Possible Attacks: The major disadvantage of a wireless and a Wi-Fi network is an attacker can easily enter into the wireless network. The latest threat for a wireless network is war driving. The wire driver is used by attacker to find out scanning for open or unsecured WAPs.

B. Best Possible Solution: The following are the best possible solutions available:

1. Wired Equivalent Privacy (WEP): This technique is used to provide the basic level of security protection to radio networks. It protects the networks from unauthorized users. It does not protect users from each other; it only protects the network from unauthorized user like the traditional wired network.

2. Wi-Fi Protection Access (WAP): This is a family of protocol used for secure wireless networks. Protocol provides a high capability mechanism for authentication to users and the data encryptions while communication as compared to wired equivalent privacy. This type of authentication server uses message integrity code to provide security to the data. It issues a unique key to authenticate users.

3. Wi-Max: The Wi-max is the next generation of wireless networking. It is an improvement in technology developed for cellular telephones and modems.

4. Bluetooth: The Bluetooth is an industry standard used for short range wireless communication devices. The devices might be telephone and handsets, between PDAs and desktop computers, and between laptops. The organization should adopt these types of technologies which depend upon the type of data to be secured, size of network, budget of network setup, and geographical area of the network that should be covered.

C. Cost of Solutions: Some of wireless protection products price are listed below:

3.4. Remote Access Protection: Before the internet emerged as a public network, every IT organization created their private network and allowed individuals and other organizations to connect to them using dial–up or leased line connections. Today, firewalls play an important role in order to safeguard the connections between an organization and its public network connection. Considering all attacks on the dial-up network the organization should provide an equivalent level of protection to the connections when using private networks, which allow dial-up access. Most of the large organizations have replaced much of their dial-up connection with internet-enabled VPN connectivity. The maintenance and protection of dial-up connections from user’s homes and in small offices remains a concern for some organizations.

A. Possible Attacks: The unsecured dial-up access represents a substantial exposure to attack. An attacker who suspects that an organization has dial-up lines can use a device called a war-dialer to locate the connection points. A war dialer is an automatic phone dialing program that dials every number in a configured range, and checks whether a person, answering machine, or modem picks up. If a modem answers, the war-dialer program makes a note of the number and then moves to the next target number. The attacker then attempts to hack into the network through the identified modem connection using a variety of techniques.

B. Best Possible Solutions: The organization should implement the following protection techniques for a remote access type of attacks:

1. RADIUS and TACACS: This system technology provides a mechanism to authenticate the credential of users who are trying to access an organization’s networks via a dial-up device or a secured network session. In the dial-up network, the remote access system installs to check the authentication and authorization of users. After checking if the user is authorized, then the system will allow the user to connect to the modems. The problem with this type of system is the dial-up system includes multiple points of entry. The multiple points of entry and providing user authentication are difficult for the remote access system to manage. The Remote Authentication Dial-In User Service (RADIUS) removes this drawback of remote access system. The central RADIUS server provides centralized management of the user authentication. When user requests a dial-up connection, then the request will be routed through a remote access server (RAS) to the RADIUS server. The RADIUS then validates the credentials of the user and passes the resulting decision back to the accepting RAS. The Terminal Access Controller Access Control (TACACS) works the same as a RADIUS. It is also recommended to install the latest version of TACACS, which provides an advance security and monitoring option. Overall, the organization should implement the RADIUS or TACACS for authentication and authorization of remote access users.

2. Virtual Private Network (VPN): Is another way of securing organizational data. In general the VPN is stands for virtual private network. It is a network technology that creates a secure network connection over a public network such as; the internet or a private network owned by a service provider. This technology is popular in large and small corporations, educational institutions, and government agencies. This technology enables remote users to securely connect to a private network. Using VPN, the organization can connect to multiple sites over a large distance, which works just like a wide area network. The VPNs used to extend intranets worldwide to broadcast organizational information and news to a wider user base. The organization use VPNs to connect different branches that can be distributed across the country or around the world. In order to gain access to the private network of organization, a user must be authenticated using a unique identification and a password. An authentication token is often used to gain access to a private network through a personal identification number (PIN) that a user must enter. The PIN is a unique authentication code that changes according to a specific frequency, usually every 30 seconds.

Some of the following advantages of VPN force an organization to adopt the new technology such as: it is an inexpensive effective way of building a private network, gives enhanced security, provides flexibility, provides remote control, online anonymity, better performance, reduced costs, share files, unblocks websites and bypass filters. There is no need to change the IP address when individual of an organization needs an IP address from another country.

C. Cost of Solutions: Installing virtual private network does not require any additional cost to the organization. The organization and end user require an internet connection to communicate between them. The wireless internet connection on the desktop computer has become inexpensive. The table below shows some of the other hardware required for VPN network development, and the cost for implementing RADIUS technique:

3.5. User Account and Password Strategies: In an organization most of the work is distributed in work groups. The technique username and password gives them a unique identification for an individual’s work. This technique should be secured by the organization because an attacker could hack the account of the user and access the user’s work information, assets information, and important organizational data. Most of the time attacks on a user account create huge loss at an organizational level. So that vital information must be protected using appropriate username and password strategies.

A. Possible Attacks: There are several tools available in the market that is used for breaking the password of a user account. This software applies all possible passwords until the user insert inside the account. The amount of time required to break a password depends upon the computer processor speed and the complexity of the password being cracked. There are several password crackers programs available on internet such as Cain and Abel, Crack, John the Ripper, Telnet crack, THC hydra, and L0phtCrack. This application program can be used for windows as well as UNIX/Linux platform. Some of the possible attacks are listed below:

1. Dictionary Attack: In this process the password of the user account will be guessed by using a list of common words. In this password guessing process the software tool inserts one by one a dictionary word or combination of a dictionary words until the attacker is able to login to the victims account.

2. Hybridization: This is a guessing password method, the password will be guessed using combination dictionary words and numbers. In this technique the combination of number range will be added before, in-between and after the dictionary word.

3. Brute Force Attack: This type of attack the password will be guessed by attacker using all possible combination of letters, numbers, and special characters.

4. Key Loggers: This type of attack the key loggers program will be installed by stealthy or using e-mail attachment. In this case the user does not realize that a program on his or her computer is recording every key pressed. The cracker examines the file generated by a key loggers program and determines the password by examining the key logger’s log (Basta, & Halton, 2008).

5. Social Engineering: The hacker uses the social engineering technique for hacking a password by pretending it is a legitimate user. This effective technique is used for stealthily retrieving the password of a user account. Sometimes the attackers steal the password file, where the password hashes are stored from the victim’s computer.

6. Sniffing Method: In this type of attack, the hacker uses packet sniffers software to catch the clear text password from protocols such as: Telnet, FTP and POP3. The attacker runs snuffer application software in order to extract the username and passwords from network traffic. This application searches for the user name and password from the network. If the passwords and usernames are in an encrypted form, then the cracker would use a directory or brute-force attacks on the network traffic log to retrieve the password.

B. Best Possible Solutions: For assigning and implementing a user name and password strategy the organization needs to pursue the following techniques to avoid the above attacks:

a. Password Length: It is recommended to have at minimum an eight character long password. The eight character long password required possible combination 7.2*10¹⁶ to break such type of password. In other words, if the password breaking software is running on 3.GHz computer then it requires twenty four years and six months to break this type of password.

b. Password Complexity: While selecting the password, it should not be belonging to any of the English word dictionary. It is also recommended that the password not be written down anywhere, which would make it less vulnerable. The standard password should include letters, numbers, special symbol, capital letters and punctuation.

c. Testing Password Complexity: The user name should be chosen by the user of the accounts or there should be appropriate strategies to choose the username, such as, user’s first name and last name or combination of both. The password should be alphanumeric which contains at least one number, special symbol, and capital letter.

d. Frequency of Change: The account should be blocked, if there are a number of unsuccessful attempts. An attacker can measure the keystrokes of the user and according to that, can specify whether the password is correct or not. The password should be changed at a regular periodic interval. One should never disclose the password to third party users.

C. Cost of Solutions: Assigning a password does not require any cost to implement. The cost of the user name and password storage may vary on the basis of character size.

3.6. Implementing Scanning and Analysis Tools: The network scanner and analysis tools are used for find vulnerabilities in network systems, holes in security components, and most of the unsecured points in the network. These tools are used to attack organizational secure networks. In other hand, the IT organization can use these tools for preventing the attacks on organizational assets. Usually, these tools have a distinct signature and the internet service providers are capable to scan such type of signatures. The internet service provider finds the users, who have these types of hacking tools. It automatically denies access to that those customers and discontinues the service.

A. Possible Attacks: The attackers use the scanning tools for gathering the network information. They may use the foot printing method for collecting information about the target computer. Using a sophisticated web crawler, social engineering techniques, and scanning and analysis tools, the hacker is able to collect the information about the target network. The collected information contains; server name, username names, password, network IP address, no of network devices, OS running on the computer, ports open, no user, email address of user network traffic, and other vital information about the target network.

The ports work as a network point for data communication to every computer. Using several free ports and vulnerability scanning tools one can access the open ports in the network. The hacker and intruder can use this port scanning information for launching attacks inside the network through that open ports. Using this open port information the attackers can transmit the malicious data and information to the computer. It is also possible to hack data using open ports on the standalone and sever computer. Using this port they can send, read, modify, and delete the important information on the target computer.

The attacker uses the packet snuffer tool for stealthy monitor the network traffic. She/he can access the packet and find out the source and destination address of the packet. It is also possible for one to access the packet data. They could receive that data and modify it and retransmits the same data with same source and destination information.

B. Best Possible Solutions: There are several scanning and analysis tools available in the market for specific operating systems. The organization should install specific network scanning and analysis tools depending up on the network requirements. The most common tool used for scanning and analysis of network vulnerabilities, such as; port scanner, vulnerability scanner, and packet snuffer, content filters and trap and trace. The combination of these types of scanning software makes the organization less vulnerable from various threats. The organization should select the specific tools inside the network, which is depends upon the network operating system used in the network. For solving the above problems the organization needs to install and adopt the following network scanning and analysis tools:

1. Port Scanner: These utilities are used to identify an activated computer on a network, active ports, services on those computers, function and roles fulfilled by the computer and other useful information. The port scanner is also used for scanning specific type of computer, protocols, or resources, or one can conduct generic scans.

2. Vulnerability Scanners: It is a variant of a port scanner and is used for scanning the network for detailed information. It identifies any exposed user names and groups, shows open network shares, and exposes configuration problems and other server vulnerabilities. The vulnerability scanners tools are available in market, such as; Nmap, WebInspect, SARA, Whisker, NeWT, Saint5, Nikto, AppScan and GFI LANguard. These software tools are freely available on the internet. Some of the commercial tools are also available; the organization needs to purchase the tools which is depends upon their network requirements and the type of vulnerability they are facing.

3. Packet Sniffers: This tool is used for collecting and analyzing copies of packets from the network. This technique provides valuable information to a network administrator which is used to diagnose and resolve the networking issues. Some of the freely available packet snuffers on the internet are sniffer, Snort and Wireshark. Free network protocol analyzers are also available on internet such as; Ethereal and Wiresharks. These tools are useful for administrative purposes, as one can examine both live network traffic and previously captured data. The organization should install the packet snuffer applications inside the organization so that, they can monitor their own network. It is recommended to use packet snuffer software on personal networks instead of public networks. It is illegal to use the packet snuffer software on public networks.

4. Content Filters: This tool protects the organizational system from misuse and unintentional denial of service conditions. This software program or hardware/software application allows the administrator to restrict content into the network. Using this tool the organization restricts the access of websites with non business-related materials, such as pornography and entertainment. It is also recommended to update the content filters application on a periodic basis to protect organizational network from new threats.

5. Trap and Trace: The Trap and Trace function software creates a trap for individuals who are illegally perusing the internal areas of a network. Using this trap one can easily determine who they are. The attacker discovers rich content areas on the network. These indicators are actually set up to attract the potential attacker, which is known as honey pots. This trap distracts from the hacking and at the same time the application software notifies the administrator about the attacker.

C. Cost of Solutions: Some of the port scanner, content filters, packet sniffers, and vulnerability scanners are freely available on the internet. One can easily download and install such application software to find various network vulnerabilities. This free software provides limited functionality. If an organization wants to install the full version of such software they need to purchase the software. There are various venders provide the application software, some of them are listed below:

3.7. Web Base Security: Every organization’s web pages and web servers’ play an important role. The organizational web pages and web server contains all of the organization’s information, such as; user information, employee payroll information, user login details, product details, and the various important data bases. This vital information can be accessed by the web pages. The web pages are open for everyone to access, so it is more vulnerable to attack.

A. Possible Attacks: Some of the following attacks are possible on the web sites of the organization:

1. Cross Site Scripting: The cross-site scripting is the most common hacking technique. The attacker adds codes at the web application to allow an attacker to send malicious content from an end-user. This technique basically is used for collecting some type of data from the victim. This is done by an expert hacker after injecting a malicious code into a web application to create an intended result. In this attack, the attacker places hyperlinks on web pages that bypass controls of the user, to another page and asks for personal information, such as; bank account number, credit card details, SSN, passwords, usernames, phone number and email address. Sometimes the attacker uses cross scripting to inject false contents into a website. Such contents may redirect users to a malicious website or install malicious software into user browser.

2. Cross Site Request Forgery: The cross site request forgery is a one-click attack or session riding. In this type of attack, often uses another user’s credentials to attack applications, such as changing cookie values and exploits trust assigned to user’s browser.

3. SQL Injection: The attacker injects data into a database by manipulating user inputs on a web application. It is special type of code which can corrupt a server database. Sometimes the attacker uses this technique to store malicious code at web server for hacking purposes or for future malicious activities. This type of code will work as a logic bomb, which will explode after some interval of time without leaving any proof of the attack.

4. Buffer Overflow: Buffer overflow is a common condition in a programming language known as C. It is used to write the utilities and operating systems program. The buffer overflow mainly occurs when input applied to a variable is greater than the memory allocated to that variable. Vulnerabilities occur when the attacker sends more data to a vulnerable program, and the original software developer did not plan for such type of data, when writing the code for the program. The buffer that is overflowed is just a variable used by the target program. This type of problem occurred because the developer forgot to create a code to check the size of the user input before moving it around in memory. Based on this mistake, an attacker can send more data than anticipated and break out of the bounds of certain variables, possibly altering the flow of the target program and the values of other variables of the program (Skoudis and Liston, 2007).

5. Session Hijacking: Session hijacking refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. It is also known as TCP session hijacking. This method takes over a web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user's session ID has been accessed, the attacker can masquerade as that user and do anything the user is authorized to do on the network. Some of the methods to use for session hijacking are: session fixation, session side jacking, and cross-site scripting.

B. Best Possible Solutions: In order to protect the web pages from attacks the organization should implement a proxy server inside the network. The precaution while surfing through web pages is one of the remedies against the security attacks. One should process valuable information through the trusted websites only. The organization should use web security applications for handling the SQL injection, cross site scripting, session hijacking and cross site request forgery types of attacks.

1. Remediation options for Session Hijacking: There are several ways to avoid the session hijacking. The web session manger program should use a long random number or string as the session key. One can avoid the session hijacking by regenerating the session ID after a successful login of users. This prevents session fixation because the attacker does not know the session ID of the user after he has logged in. One should use the proper encryption technique for secure communication between the parties; in particular the session key. The web page should check the key stroke of user while login. Every organizational user should clear history of browsing data while leaving their personal computer. The employees should log out of their email accounts properly when no longer in use. Use https or SSL for email, which is provided by email vendor. Use digital signature with files or emails, this will not prevent session hijacking but it will certainly prevent them from alternating actual messages. The session hijacking is very difficult to detect such type of attack by using intrusion detection and prevention systems. One can overcome this problem by controlling the cookies in a web session. The organization should implement several web scanners tools for protecting the web pages from the attacks.

2. Remediation options for Buffer Overflow: One can avoid the buffer overflow vulnerability by checking the program or software using all possible inputs. It is also recommended to use advance programming language such as Java, and .NET for reducing the efforts of handling the buffer overflow problems. One can overcome buffer overflow problem by using standard libraries function of C and C++ in programming. The software developer should rectify the buffer overflow problem while developing the software. There are also numerous automated codes checking tools available in market such as ITS4, RAST and the flaw finder. Using these tools the software developer can rectify buffer overflow problems. One can also avoid the buffer overflow problem while compiling programs by altering the way the stack function, and keeping systems up-to-date with the most current security patches.

a. Executable Space Protection: Executable space protection is an approach to buffer overflow protection which prevents execution of the code on the stack or the heap.

b. Address Space Layout Randomization: This technique hinders some types of security attacks by making it more difficult for an attacker to predict target addresses.

c. Inspecting Data Packet: This is one of the methods of protecting the buffer overflow attack by inspecting all of the incoming packets. The buffer overflow is not easily discovered, but if they discovered it is very difficult to exploit them. So, one can easily avoid the buffer overflow problem while developing the application software. The organization should also test the software in an appropriate environment and rectify them according to their possible code errors. This can be the remedy to overcome the buffer overflow attacks.

C. Cost of Solutions: The organization should take several precautions while creating the web pages. There are several web scanners are available to the market, some of them are commercial, full version and trial downloads. The organization should install the following commercial scanner for protecting the web pages from various attacks.

3.8. Cloud Computing: The cloud may refer to a company's own network, but it typically refers to the internet and the use of web browser-based or rich client applications. In these applications, the software comes from the web servers, and the data may be saved on the servers as well. It is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like a public utility. The cloud computing describes a new supplement, consumption and delivery model for IT services based on the internet, and it typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet. It is a byproduct and consequence of the ease of access to remote computing sites provided by the internet.

The cloud computing is a general term for anything that involves delivering hosted services over the internet. Its services are normally divided into three types, such as: Platform-as-a-Service, Software-as-a-Service and Infrastructure-as-a-Service. It is usually sold on demand, in general it is sold at the rate by the minute or the hour and a user is independent to choose whether to have as much or as little of a service according to his/ her wish.

a. Benefits of Cloud Computing: By using cloud computing the IT organization is able to reduce expenses and cost, by using cloud computing the respected company can reduce their computer hardware and networking expenses of their own company. It allows businesses to use less money and other resources on their information technology departments. They are able to reduce the company staffs for the network maintenance or the company could use these staff for other aspects of the business, such as research and development. Using cloud computing the organizations can process massive amount of data on a private computer systems. The cloud computer provides all possible software and application programs to the organizations, so that the organization does not need to worry about keeping the software up to date, as it updates automatically. The cloud computing offers much more flexibility than past computing methods. The employees can access information wherever they are, rather than having to remain at their desks.

b. Weaknesses of Cloud Computing: After implementing cloud computing technology at the organizational level, the client would come up with several problems, such as; security problem, loss of control, unstable cost structure, potentially decrease business flexibility, and the integration problems. The main weakness of the cloud is that it has no control over the business assets. The main assets in every organization are data files with valuable customer information. The important data may be divulged because of a third party service provider. Securing vital data of organizations through a third party would not fit into the definition of information security. The organization must require an adaptive architecture, including a new business model and must develop such practices to retrieve business value. In order to implement cloud computing at organization level, organization requires more funds for organizational changes such as adapting the technology (procedure, skills, and business model). In cloud computing environment, the data recovery requires more funds. That would be definitely very complicated. The organization also required to incur some of the hidden cost such as compliance regulations, backup, restore, disaster recovery and problem solving. Three reasons for companies' fears about cloud computing are hackers, inability to access the servers where their data is being held, and the possibility that the storage providers could close up shop, which could make it harder to retrieve their data.

c. How would organization deploy this technology while minimizing its risks: The organization should consider following methods while deploying cloud computing at organization level in order to minimize its risk.

1. The organization should understand all the risks caused by cloud computing and take appropriate action according to risk. (e.g.: Data recovery risk: take backups of data).

2. The organization should adopt an updated technology according to the requirements of cloud computing.

3. The organization should understand the technology used by cloud service provider in order to gain all benefits provided by the service provider.

4. One should understand, formulate and maintain an exit procedure to change from cloud service provider.

C. Cost of Solution: The cost required for using various application software, operating system, I/O and storage are listed below:

CHAPTER 4

4.1. Risk Management: The risk management is collective efforts of every individual in the organization. The risk management team plays crucial role in order to mitigate or eradicate the information security attacks. In the organization, some conditions exist where several advance technologies fail to protect the data from the danger and hacking. In such conditions, the organization should require the storage risk management and mitigating plan for avoiding such type of risks. It is very difficult to provide complete security to organizational data. The hacker and intruder are always trying to find security breaches at those organizational security frameworks. The organization should create expert risk management team at organizational for avoiding such types of risks.

4.2. Who is Responsible for Risk Management in an Organization: There are three basic types of communities responsible for risk management. These communities are working together in order to address every level of risk, ranging from full scale disasters to the smallest mistake made by an employee.

1. Information Security Members: The information security member takes a leadership role in addressing risk. They can easily identify the threats and attacks which could introduce risk.

2. Information Technology community: This community can build secure systems and ensure their safe operations.

3. Management and user: This group plays a part in the early detection and response process. The member of this community ensure that sufficient resources are allocated to the information security and information technology groups to meet the security needs of the organization.

4.3. Risk Mitigation Strategies: According to the definition of mitigation, it is the control approach that attempts to reduce, by means of planning and preparation, the damage caused by the exploitation of vulnerability (Whitman, & Mattord, 2010). The risk mitigation strategies compose of three basic plans:

a. Incident Response Plan (IRP): It comprises a detailed set of procedure and procedure that anticipate, detect, and mitigate the effect of an unexpected event that might compromise information resources and organizational assets. This type of plan is used for mitigating immediate risks at organization level. Such type of plan will be deployed inside the organization when an incident or disaster unfolds. The incident response plan made up of three sets of procedure used to detect, contain, and resolve incidents: Every incident scenario, the contingency planning team creates three sets of incident- handling procedure:

1. Incident Detection: It this phase the incident response team determines whether to use an event routine system or an actual incident. The incident classification is a process of examining a possible incident and determining whether or not it constitutes an actual incident. Initial reports from end users, intrusion detection systems, host-and network-based anti-virus software and system administrator are all ways to track and detect incident candidates.

2. Incident Containment: Incident containment strategies mainly focus on two tasks, stopping the incident and recovering control of the systems. The incident response team can stop the incident and attempt to recover control by using several strategies such as: disconnecting the affected communication circuits, dynamically applying filtering rules to limit certain types of network access, disabling compromised user accounts, and reconfiguring firewalls to block problem traffic, temporarily disabling compromised process or service, taking down conduit application or server, and stopping all computers and network devices.

3. Incident Resolve: Once the incident has been contained, and the system control regained, incident recovery will begin. In this phase, incident response teams assess the full extent of damage in order to determine what must be prepared to restore the systems. After determining the damage the recovery process begins, in this process the following steps an organization should follow:

a. The organization should identify and resolve vulnerabilities that allowed the incident to occur and spread inside the organizational network.

b. Address, install, and replace/upgrade safeguards that failed to stop or limit the incident, or were missing from system in the first place.

c. Evaluate monitoring capabilities to improve detection and reporting methods, or install new monitoring capabilities.

d. Restore data from backups.

e. Restore services and processes in use where compromised services and processes must be examined, cleaned, and then restored.

f. The organization should continuously monitor the system.

g. It is mandatory for organization to restore the confidence of the members of the organization’s communities of interest.

b. Disaster Recovery Plan (DRP): These plan strategies useful to limit losses before and during the disaster. This plan will be deployed inside the organization immediately after the incident is labeled as a disaster. The disaster recovery plan is a plan which entails the preparation for and recovery from a disaster, whether nature or human-made. This plan will be prepared after the incidence response plan may no longer be able to handle an effective and efficient recovery from the loss. Each and every individual and organizational asset is important for an organization. In order to prevent, and recover information or organization assets from human-made or nature disaster the disaster recovery plan plays an important role. The disaster recovery plan will be applied when the organization wants to reestablish operations at a location where the organization is usually located.

c. Business Continuity Plan (BCP): It ensures that the critical business function can continue, if a disaster occurs. This plan is most properly managed by the CEO of the organization. This plan will be deployed inside the organization immediately after the disaster is determined to affect the continued operations of the organization. It is one component of contingency planning. Business continuity plan ensures that important business functions can continue if a disaster occurs. A Disaster might be any kind man made or natural. This plan is activated and executed with a disaster recovery plan when the gravity of disaster is major or long term and requires fuller and more complex restoration of information and IT resources. This plan is useful for continuing the major business function at the time of a critical situation. This plan reestablishes the critical business function as an alternate site. Using alternate site the respected CEO of the organization can easily relocate organizational operations quickly with a minimal loss of revenue.

1. The Continuity Plans should be Tested and Rehearsed: The important function of the continuity plans is the identification of critical business functions and the resources to support them. At the time of the disaster these function will be reestablished at an alternate site. Every plan is first tested in an appropriate situation and then it should be implemented. The testing and rehearsal is a useful method for finding flaws in the continuity plan. It also determines whether a better alternative has emerged or whether the organization requires a new solution. Sometimes they cannot give the appropriate result. The continuity plan is tested with respect to vulnerabilities, faults, and inefficient process. If any problem identified during testing process one can improve the respected plan according to current situation of organization. After identifying flaws one can take appropriate actions or revise the plan for upcoming critical situation.

2. Business Impact Analysis: The business impact analysis is first phase in the contingency planning process. It helps the organization to determine which business function and information system are the most important to the success of the organization. The business impact analysis provides the information to the contingency planning team about system and threat they face. The business impact analysis is an important component of the initial planning stage after an attack. It gives detailed scenarios of the effects that each potential attack could have on the organization. The contingency planning team conducts the business impact analysis in following stages:

a. Threat Attack Identification and Prioritization: In this stage the attack will be identified and prioritized according to the strength of the attacks.

b. Business Unit Analysis: In each business department, the units will be independently evaluated in order to determine how important its functions are to the organization.

c. Organization should develop attack success scenario.

d. Potential Damage Assessment: In this phase, the business impact analysis team estimates the cost of the best, worst, and most likely outcome by preparing attack scenarios end case. It allows the organization to identify what must be done in order to recover from each possible case.

e. Subordinate Plan Classification: Once the potential damage has been assessed and attack scenario end case has been evaluated, a subordinate plan must be developed or identified from among the existing plans already in place. After identifying the gravity of the problem, the contingency planning teams develops an incident response plan to solve the problem or mitigate the strength of problem.

4.4. Risk Determination: Sometimes the risk determination and identification, before and after the attack is difficult for an organization. The main reason behind this is an organization cannot evaluate the cost of organizational assets and losses incurred by the organization after the information security attack. The organization should implement appropriate solutions before the attacker attacks the organizational network. In general the organization could evaluate what the risk as follows:

After determining the value of information security assets, the security expert can start evaluating the losses incurred by the organization after exploitation of any kind of vulnerability. In order to find the loss values associated with the most likely loss from an attack, the organization should evaluate value for Single Loss Expectancy (SLE). This value should be calculated for the every vulnerability. The SLE value will be the product of the value of the asset and the expected percentage of loss that would occur from a particular attack at the organizational level.

The organization should calculate the Annualized Loss Expectancy (ALE). This value gives the loss expected by the organization in a given time period. This value is the product of SLE and Annualized Rate of Occurrence of attack (ARO). The ARO value indicates how frequently an attack from each type of threat is likely to occur within a given time frame.

The organization should also evaluate the system to determine efficiency of the overall security system before and after implementation of controls against the attacks. Using Cost-Benefit Analysis (CBA) the organization could evaluate the overall information system. The cost-benefit analysis is the subtraction of ALE of the risk before the implementation of control, ALE examined after the control has been in place for a period of time and the annual costs of the safeguard (Whitman, & Mattord, 2010).

CHAPTER 5

5.1. Conclusion: The data security is a major concern for every organization. After considering the role of data at an organizational level, I can easily say that the organization should protect the data from the attackers and hackers to avoid future losses. Today the hackers and intruders find all possible loop-holes in the organization security architecture to enable an attack on the organizational information. The attacker creates all possible attacks to accomplish their criminal intent. At the organizational level, providing security to the information is an ongoing and critical process. If the organization would like to secure the data of the organization, then they should preserve the characteristics of the data. Preserving characteristics of the data may ultimately give security to the data. Sometimes providing a high level of information security is collective task. The high level of security can only be possible when every organizational individual works accordingly to achieve it. In addition, the top level of management and various security mangers perform key roles to provide the security to the organizational assets. They could provide information security by adopting different advanced methods, strategies, techniques and deploying superior information security policies at the organization level.

The organization should implement the proper mitigation technique to avoid the various inevitable attacks. The mitigation techniques should be selected on the basis of losses incurred by the organization after the attacks. If the costs required for the solution is less than the losses incurred by the organization after attack, then organization should implement those solutions. On the other hand, if the cost required for the solution is more than the losses incurred by the organization after the attack, then the organization should find an alternate solution, where the cost of the implementation of the solution is less and gives a higher level of security. At the organizational level, the security expert should generate all possible solutions before and after the attacks are made. After implementing these security techniques and the attackers still gain access to the secured resources of the organization, then the security experts should create an appropriate risk management plans to avoid any other attacks.

The organization should also consider the single loss expectancy, annualized loss expectancy and cost benefit analysis values for each of the security attacks. These values give the exact solution, type of modification an organization need to implement into their security architecture and what the cost of that modification will be to protect the organization from various attacks. Finally, the data is the heart of organization the organization should implement all possible solutions to prevent it from any future hackers or attackers.

REFERENCES

Whitman, Michael E, & Mattord, Herbert J. (2010). Management of information security. Course Technology.

Norton, P, & Stockman, M. (1999). Peter norton's network security fundamentals. Sams Publishing.

Poole, O. (2002). Network security: a practical guide. Butterworth Heinemann.

Skoudis, Ed, & Liston, Tom. (2006). Counter hack reloaded: a step-by-step guide to computer attacks and effective defenses. Prentice Hall.

Stallings, W. (2007). Network security essentials: applications and standards. New Jersey: Prentice Hall.

Basta, Alfred, & Halton, Wolf. (2008). Computer security and penetration testing. Delmar Pub.

Laet, De Gert, & Schauwers, Gert. (2005). Network security fundamentals. Indiana: Cisco Press.

PrinterFargo (n.d) Fake ID Card Making is Easy to Do with a Badge System.

Retrieved March 23, 2011 from: http://bit.ly/eHbvaU

Galarneau, Mike. (2009, Aug 09), The Advantages and Disadvantages of Cloud Computing Retrieved April 01, 2011 from: http://bit.ly/9vhAUq

Mike S. (2009, Aug 07). Types of Proxy Servers, Transparent and Anonymous Proxies Retrieved March 10, 2011 from: http://bit.ly/hdwmDy

Miller, Michael. (2009, Feb 13). Cloud Computing Pros and Cons for End Users Retrieved March 1, 2011 from: http://bit.ly/eLkyqx

Bewley, Alex. (2009, January 28th) Cost of cloud computing, expensive Retrieved March 5, 2011 from: http://bit.ly/eSFLwf

Ciaramitaro, Dr. Barbara. (2010). Social Engineering Retrieve March 1, 2011 from: Ferris connects.

Carlson, Matt and Scharlott, Andrew (2006, May 05). Intrusion Detection and prevention Systems Retrieved from: http://bit.ly/i2CqQR

Admin (2010, September 24). SQL Injection Attacks and how to prevent them Retrieved March 2, 2011 from: http://database-benchmark.com/?p=365

Tipton, Harold. F, & Krause, Micki. (2004). Information security management handbook. CRC Press.

Skoudis, Edward, and Liston, Tom. ( 2007, Nov 21). Gaining Access to Target Systems Using Application and Operating System Attacks Retrieved March 27, 2011 from: http://bit.ly/hi9jzi

Lam, Kevin., and LeBlanc, David and Smith Theft, Ben. (2004). On The Web: Prevent Session Hijacking Retrieved April 1, 2011 from: http://bit.ly/hRdAPp

Pal, Prasenjit. (2011). A Discussion on Virtual private Network

Retrieved April 10, 2011 from: http://bit.ly/g4ipT8

CURRICULUM VITAE

VISHAL V. BEDRE

Education:

Ferris State University, Big Rapids, Michigan

Masters in Management Information Systems (MIS)

Kavi kulguru Institute Of Engineering, Ramtek, Maharashtra, India

Bachelors in Information Technology

N.P Hirani Poly Technique Institute of Technology, Pusad, Maharashtra, India

Diploma in Information Technology

PROFESSIONAL EXPERIENCE:

Yashwantrao Chavan Collage of computer Science and I.T.

It is reputed college which conducts the several bachelor and master degree programs.

Computer Lab Assistant (15^th July 2008 to 10^th July 2009)

Key area of expertise:

Programming Skills

C, C++, JAVA (Core), VB Script, Java Script, HTML, XML, ASP.net, VB .Net, COBOL and Visual Basic.

Computer Hardware and Networking Skills

Diploma in Computer Hardware and Networking.

Operating System Known

Microsoft Vista, Microsoft XP, Windows 98-2008, UNIX, and Linux.

Database Known

Microsoft Access, Oracle & SQL SERVER.