Principles of Information Security

Principles of training certificatePurposeIn show to protect against accidental or intentional damage or loss of data, interruption of College business, or the compromise of confidential information we moldiness classify data and establish minimum standards and guidelines to delay a arrest system.Effective from 02/02/17ScopeThis insurance essential be apply to all of the following students, efficiency, staff, contractors, consultants, temporary employees, guests, volunteers and all other entities or individuals with glide path to confidential information through the Modern College of condescension and Science its affiliates/partners. accountable PartyDatabase DepartmentInformation Techno aim downy Support Department name of Reference introduction Any individual(prenominal) inspection or brush up of the confidential information or a copy of the confidential information, or an oral or written account of such information.Confidential Information Information identified by the applicable laws, regulations or policies as individualised information, individually identifiable health information, education records, personally identifiable information, non-public personal data, confidential personal information, or sensitive scientific or sponsored intent information.Data Information generated in official College business. Information that is personal to the performer of a system.Disclosure To permit devil to or release, transfer, distrisolelye, or otherwise take either part of information by all fashion consequent A possibly reportable episode that may incorporate, only is not restricted to, the accomp some(prenominal)ing Attempts to increase unapproved chafe to frameworks or information Undesirable disturbances or Denial od Service An infection diffusion Burglary, ab intention or loss of electronic gear containing private data. Unapproved physical exercise of frameworks for handling or information gathering An office or unit of measure ment basint dispose of confidential of paper information in a proper manner. Unapproved changes to framework equipment, firmw atomic number 18 and programming. indemnity Statement The Modern College of Business and Science must aim towards making a safe milieu for all in terms of data confidentiality and personnel. Information shelter professionals must employ techniques which fundament prevent any threat from exploiting any vulnerability as much as possible. Threats could target privacy, reputation and intellectual spot along with destinys of other data.Data Classification In order for the policy to be entirely effective and be able to experience which data protect the data must be classified into 3 categories folk 1 Data that can be freely distributed to the public. syndicate 2- Internal data only not meant for outsiders.Category 3- Sensitive inborn only data that could affect operations if disclosed to public.Category 4- super sensitive internal data that could put an organization at monetary or legal insecurity if disclosed to public.Security Prevention Measures Security prevention measures ensure security measure and prove comfort for the business and in any case the customers. Prevention measure could consist of many things.Existing Security Measures. entrance control which ensure only allowed exploiters granted permission to access the database may do so. This applies to accessing, modifying and viewing the data.Frequent SQL input validation tests are conducted in order to ensure no unauthorized users can access the database. trinity recess cloud based servers are available, both of which are for dressing up purposes this ensures the availability of the data in the case of the intrusion on one of the servers.All servers are backed up daily.Database auditing is frequently conducted.Database log files are frequently checked to observe in case of any beady-eyed activity.All database security is managed by a third fellowship in order t o ensure maximum security.In order to quash Denial of Service (DOS) attacks which could affect the availability the vane applications are put on different servers.Role-Based Control is utilize in order to hold up sure employees can only retrieve content from the database that they are evidence and authorized to.Discretionary access control is only permitted to the database department as no other faculty or staff needs access or is permitted to access.Flaws which need reviewed give-and-take policy is not implemented purely to students which can result in the compromising of an account.Solution Password Policy essential be applicable to all therefore, database department must take away it mandatory.No honeypotting is available.Solution The undeniable equipment and computer software should be purchased for this to be do. This ordain help the College avoid attacks in the case of SQL injection or any other database attack.No digital certificates are utilised when messages ar e move across the website.Solution Create system to be possessed of to send digital certificate/signature to ensure a better level of security.No certified security professionals are currently employed.Solution Raise restitution to Human Resources as a matter of concern and seek the hiring of a professional or train existing staff.Lack of awareness among staff and faculty regarding security in general.Solution Conduct training for faculty and stuff on how to spot basic threat and potential intrusions and so on*After these flaws are fixed, policy MUST be reviewed and updated.iii) Added PoliciesConduct shrewdness testing frequently and Risk Assesment, report must be generated, reviewed by Chief Information Security Officer (CISO). Vulnerabilities must be fixed.In the case of an incident CISO must be informed to take necessary action. Any employee failing to do so shall face disciplinary action.Database MUST use views rather than tables no ensure security, all entries must be pred efined queries.Database remote access and other distance access must not be modifyd by blocking ports such as the telnet port, FTP and others.Database tidings MUST be updated ever fortnight to ensure security of the discussion.Password strength policy must be implemented for the database ( min 8 characters, capital small, numerical, special characters).Back Ups must in any case be done offsite and not only on the cloud.Backing up data of Category 3 4 as mentioned above must also be done on a certain specially encrypted drive and separate from normal back ups.Group ResponsibilitiesAll the members of the College are prudent nigh extent of the security of their own data and other things. Below is what from from each one one group of individuals is responsible for.A. Custodians are responsible for1. Information Security Procedures proof2. Managing authorizations3. Recordkeeping.4. consequent handling and reportingB. Users are responsible for1. Abiding the College IT poli cy2. sensible security3. Information storage4. Information spreading and direct5. Method of disposal of info and devices6. Passwords7. Computer security8. Remote access9. Logging off10. Virus and malicious code egis11. Backups12. Incident handling and reportingC. Managers are responsible for1. All what users are responsible for2. All that the custodians are responsible for3. Sharing responsibility for information security with the employees they supervise4. Establishing information security procedures5. Managing authorizations6. User training and awareness7. Physical security8. Incident handling and reportingD. Information Service Providers are responsible for1. More extensive information security requirements than individuals2. Establishing information security procedures3. Physical security4. Computer security5. Ne 2rk security6. Access controls7. Passwords8. Contingency planning9. Incident handling and reporting Administrative ResponsibilitiesA. The CISO should ever so be monitoring the colleges database security system to ensure no flaws or loopholes and should propose tools or mitigation strategies. S/He must do the following1. Creating, reviewing, and revising policies, procedures, standards.2. Ensuring security training and awareness.3. Overall authority for College ne cardinalrks and systems security.4. Incident handling, remediation, and reporting.5. Collaborating with the Office of Internal Audit to ensure policy conformance.Enforcement Implementation The undeniable actions mentioned in the policies and rules must be carried out from the effective mentioned above, those who fail to harmonize and follow this policy shall face disciplinary action. This policy must be strictly implemented.Principles of Information SecurityPrinciples of Information SecurityMan in the Middle and Man in the Browser Attacks on Financial Institutions. twitchFour decades ago, what started as a US military research foremost to build network for connectiveing US un iversities and research centers is now the Internet. To solar day it has spread out to e precise corner of the globe (Privgcca, 2016). The number of Internet users has risen from fewer computer scientists to 3.17 billion users. It has helped in reducing costs of communication as one can easily be in touch and communicate with each other with the help of chatting, email applications and online actions/payments (Friedman, 2014). It has also helped organizations to bring home the bacon better customer service, reduce amount of paper work, increase productivity, and enable customers to perform enquiry and relationss anytime and from anywhere. This paper will be focusing on the importance of online banking/transaction security.IntroductionBanking organizations have been developing for long time in a broad scope and have started to replace to a greater extent traditional banking techniques in certain fields such as treat cheques, making transactions and money transfers to online, th erefore payment systems are always undergoing radical changes. More security measures are present but the users of these systems must also be allowed decent compatibility. Due to the amount of modern day threats these banks have also been facing a vast amount of risk and vulnerability exploitations, banks are unremarkably very concerned about two kind of attacks, man in the middle attack (MITM) and man in the web web browser attack (MITB). As a result, financial institutions must ensure to deliver effective authentication techniques. These two attacks (MITM and MITB) will be the chief(prenominal) concentration and the focus of the analysis will on these attacks as well.The devil Common Attacks. The Man in The Middle and Man the Browser are the very predominant attacks in the finance industry. The difficult part is identifying each type of attack and taking precautionary measures from either attack. MITM occurs when a machine politician can see and modify the communication bet ween the client and the bank, it makes both parties believe they are directly communicating with each other to grass but there is usually an attacker eavesdropping. Therefore, this is very common on unsecured and unprotected networks. On the other hand, MITB uses malware to infect a web browser. This is done by the malware exploiting vulnerabilities in the browser security which enables them to modify and pull strings the page.Getting Technical, MITB vs. MITMOne of the few important differences between these two attacks is that MITM attacks knead at the network layer whereas MITB operate on the application there, in this case on the web browser. Although MITM attacks remain habitual attackers prefer MITB as banks may use sessions IDs to identify MITM attacks. Using session IDs banks can restore whether there has been malicious activity during a transaction and notice the double-dealing attempt and consequently cancel it. By giving the customers device a unique ID, the bank ca n then use algorithms to analyze and link the multiple user sessions from where they typically perform their banking (Eisen, 2012). MITB attacks are a lot more deceitful, they exclusively take control over the users website and control the browser while the user thinks everything is normal. The attackers in this scenario alter web views and account rest period without the users knowledge. Once the user logs in they can also redirect any sensitive traffic to an attackers system, while keeping the original SSL/TLS protections intact (Trusteer, 2013).MITB populate are very commonly exposed to the risk of these attacks due to the browser security riddles in the case of MITB browser extensions are frequently the malware which allows the attacker to exploit the vulnerability. Browser extensions are frequently portrayed as recyclable software which enhance user experience but is malicious software or code. This is known as a Trojan. Browser extensions may be plugins, Browser Helper Obj ects (BHO), JavaScript and summarize-on features.The functionality of BHOs is usually to provide add functionality to a browser these could be written by the attacker with programming experience. The problem with BHOs is that they can hide from antivrus this makes them undetectable. In a MITMB attack these are used to change a site, add fields, remove fields. They also can add registries to the system and load at booting (Utakrit, 2009).Grease Monkey is a popular add on for chrome which can allow a user to change the appearance of a website or eliminate ads. This JavaScript is not malicious but it uses the same methodology as the malicious JavaScript applets. The danger of add-ons is that they can easily monitor and retrieve the users information at any time.SSL has been persuasion of as a solution by some security experts for MITB attacks but even this control has been proven to be ineffective. The reason for this is that the attacker injects or gives the user a Trojan which carr ies out malicious activities directly inner(a) the browser. Therefore, no suspicious activity is detected.MITMMITM are less common as security professionals have learned ways to mitigate the attacks that use this method. It is also widely known as session hijacking. In this case, the attacker usually seeks vulnerable hotspots or networks. The attacker would usually direct the victim to a fake login page of a website (perhaps a phished paged) and then get the corroboration as soon as they are authenticated. The attacker could then patently access the account and withdraw money or make transactions. Security measures such as the OTP are not effective as denial against this attack as the attacker could fraudulently capture the temporary password and forward it on the portal in the 30 60 seconds provided. In this attack the main issue is that the user has no way of being sure or verifying who is asking for information. As a result, two step verification is also considered vulnerab le.Protective measures.The security triad which is an important principle to security experts evolves around three elements. C- Confidentiality, this means do not allow unauthorized individuals to access or see data or systems. A- Availability, which means ensure the system/data is available when needed. I- Integrity, if data or a system or in this case a transaction it loses its integrity which means it has been manipulated with. In the case of transactions, Integrity is a very important principle. Banks and financial institutions need to always ensure the integrity is maintained. By doing so, we need to implement controls, also known as countermeasures.User rampart Strategies and Controls MITBIn order to minimize these attacks the knowledge has to be known on either side of the equation, the users should be aware as well as the bank. Users can take precaution by installing anti virus, although not entirely effective it does depend on the detection capability and reduces the chanc es. Secondly, use a hardened browser in a USB drive, this will provide moderate protection. Thirdly, only do online banking with banks who are aware of these kinds of threats and implement countermeasure. finally there is risk in every procedure, unless you are will to completely not use online banking there will always be risks and threats.MITM palliation for Banks. MITBAs previously mentioned, attackers have also learned how to compromise two step authentication as well the same also applies to captcha and others. The malware can simply wait till the user has authenticated himself. It can also intercept and modify response when using SSL or encryption. Moderate protection could be offered by the bank itself providing clients with Hardened Browsers on USBs containing cryptographic unused tokens for authentication. The hardened browsers are harder to infect. Similarly, OTP token with signature would be effective, the user would have to re-enter the transaction details to the OTP d evice and then it could generate a signature based on that in that way it would not teammate if the MITB alters the request, this is also rather inconvenient. Fraud detection based on transaction type and amount is also sometimes effective, in the case of an anomalous transactions some banks call the client to check if it is genuine or not. User profiling could also be used.MITM