Information Security
Presented by: Ankit Kumar Mishra, Rohit Gir

The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. —The Art of War, Sun Tzu

Information Security (IS)
Information: raw facts and figures which, once processed, communicate something meaningful and understandable.
Security: the degree of resistance to, or protection from, harm. As defined by the Institute for Security and Open Methodologies (ISECOM), security is "a form of protection where a separation is created between the assets and the threat".

Information Security (cont.)
"Preservation of confidentiality, integrity and availability of information. Note: In addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved." (ISO/IEC 27000:2009)
"The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability." (CNSS, 2010)
Note: ISO – International Organization for Standardization; IEC – International Electrotechnical Commission; CNSS – Committee on National Security Systems

Terminologies
Confidentiality: In information security, confidentiality "is the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes" (excerpt from ISO 27000).
Integrity: In information security, data integrity means maintaining and assuring the accuracy and completeness of data over its entire life-cycle. This means that data cannot be modified in an unauthorized or undetected manner. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of consistency as understood in the classic ACID model of transaction processing. Information security systems typically provide message integrity in addition to data confidentiality.

Terminologies (cont.)
Availability: For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks, such as a flood of incoming messages to the target system essentially forcing it to shut down.
Non-repudiation: In law, non-repudiation implies one's intention to fulfil their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction. Note: This is also regarded as part of Integrity.

Threat level
Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss might (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious, life-threatening injuries.

Threat level (cont.)
High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss might (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious, life-threatening injuries.

Penetration testing (pentest) phases
Phase 1 – Reconnaissance
Phase 2 – Scanning
Phase 3 – Gaining Access
Phase 4 – Maintaining Access
Phase 5 – Covering Tracks

Phase 1 – Reconnaissance
"What enables the enlightened rulers and good generals to conquer the enemy at every move and achieve extraordinary success is foreknowledge." —Sun Tzu
Reconnaissance is the longest phase. Information is gained through:
Internet searches
Social engineering
Dumpster diving: looking for treasure in someone else's trash (a dumpster is a large trash container). Treasures such as access codes or passwords written on sticky notes, a phone list, a calendar, or an organizational chart can assist an attacker using social engineering techniques.

Phase 1 – Reconnaissance (cont.)
Employees are often easily tricked into providing tidbits of information which, over time, combine into a complete picture of processes, organizational structure, and potential soft spots.
Non-intrusive network scanning: gathering information without alerting the target.
Domain name management/search services, such as WHOIS.

Phase 1 – Reconnaissance (Prevention)
Make sure your systems don't leak information to the Web, including:
Software versions and patch levels
Email addresses
Names and positions of key personnel
Ensure proper disposal of printed information.
Provide generic contact information (company information and a generic contact) for domain name registration lookups.
Prevent perimeter LAN/WAN devices from responding to scanning attempts.
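As an added example, not part of the original slides, a small Python check a defender can run over their own web server's response to spot the software-version leaks the slide warns about; the header list, the version regex and the two sample responses are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Response headers that commonly disclose the product and, often, its version (assumed list).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")  # e.g. 2.4.41 or 7.4

def parse_response_headers(raw: str) -> Dict[str, str]:
    """Return the header block of a raw HTTP response as a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if line == "":
            break  # the blank line ends the header block; the body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def find_version_leaks(raw: str) -> List[Tuple[str, str, str]]:
    """Return (header, value, severity) for every disclosing header present.

    A value containing a version string is 'high'; a bare product name is 'low',
    since it still tells an attacker what to look up, just not the patch level.
    """
    headers = parse_response_headers(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        severity = "high" if VERSION_RE.search(value) else "low"
        findings.append((name, value, severity))
    return findings

# Constructed sample responses: one leaky, one with the disclosing headers removed.
SAMPLE_LEAKY = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                "X-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n<html>...")
SAMPLE_HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   "X-Content-Type-Options: nosniff\r\n\r\n<html>...")
```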

Phase 2 – Scanning
Scanning identifies:
Open ports
Open services
Vulnerable applications, including operating systems
Weak protection of data in transit
Make and model of each piece of LAN/WAN equipment
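As an added example, not from the original slides, the scanning phase seen from the defender's side: a sliding-window count of distinct targets per source address over constructed firewall log lines, which is how a port scan shows up in logs. The log format, the 60-second window and the threshold of five targets are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed log format (not any real product's):
#   <ISO-8601 time> <ALLOW|DENY> <src ip>:<src port> -> <dst ip>:<dst port>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?:ALLOW|DENY) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
WINDOW = timedelta(seconds=60)   # look-back period per source address
THRESHOLD = 5                    # distinct (host, port) targets that trigger an alert

def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    m = LOG_RE.match(line.strip())
    if m is None:
        return None  # ignore lines that do not match the expected format
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["dst"], int(m["dport"])

def detect_scanners(lines: List[str]) -> Dict[str, int]:
    """Map each source that probed >= THRESHOLD distinct targets within WINDOW
    to the largest number of distinct targets seen in any one window."""
    recent: Dict[str, Deque[Tuple[datetime, str, str, int]]] = defaultdict(deque)
    alerts: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _, _ = rec
        window = recent[src]
        window.append(rec)
        while ts - window[0][0] > WINDOW:   # drop records older than the window
            window.popleft()
        targets = {(dst, dport) for _, _, dst, dport in window}
        if len(targets) >= THRESHOLD:
            alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts

SAMPLE_LOG = [  # constructed: one fast scanner and one ordinary HTTPS client
    "2024-05-01T10:00:01Z DENY 203.0.113.5:51000 -> 192.0.2.10:21",
    "2024-05-01T10:00:02Z ALLOW 198.51.100.7:40001 -> 192.0.2.10:443",
    "2024-05-01T10:00:02Z DENY 203.0.113.5:51001 -> 192.0.2.10:22",
    "2024-05-01T10:00:03Z DENY 203.0.113.5:51002 -> 192.0.2.10:23",
    "2024-05-01T10:00:03Z DENY 203.0.113.5:51003 -> 192.0.2.10:25",
    "2024-05-01T10:00:04Z ALLOW 198.51.100.7:40002 -> 192.0.2.10:443",
    "2024-05-01T10:00:04Z ALLOW 203.0.113.5:51004 -> 192.0.2.10:80",
    "2024-05-01T10:00:05Z ALLOW 203.0.113.5:51005 -> 192.0.2.11:443",
]
```

The same loop over real logs needs a threshold tuned to your environment; a monitoring system or load balancer can legitimately touch many ports per minute.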

Phase 2 – Scanning (cont.)

Phase 3 - Gaining Access
Modern-day attacks aim either to extract information of value to the attacker or to use the compromised network as a launch site for attacks against other targets.

Phase 3 - Gaining Access (cont.)

Phase 3 - Gaining Access (Prevention)
Physical security controls should detect attempts at a hands-on attack and delay an intruder long enough to allow an effective internal or external human response (i.e., security guards or law enforcement).
Security managers should make every effort to ensure end-user devices and servers are not easily accessible by unauthenticated users, for example by:
denying local administrator access to business users
closely monitoring domain and local admin access to servers

Phase 3 - Gaining Access (Prevention)
Encrypt highly sensitive information and protect the keys. Even if network security is weak, scrambling information and denying the attacker access to the encryption keys is a good final defence when all other controls fail.
But don't rely on encryption alone. There are other risks due to weak security, such as system unavailability or the use of your network in the commission of a crime.

Phase 4 - Maintaining Access
Having gained access, an attacker must maintain access long enough to accomplish his or her objectives. Although an attacker reaching this phase has successfully circumvented your security controls, this phase can increase the attacker's vulnerability to detection.
Detect and filter file transfer content to external sites or internal devices.
Look for connections to odd ports or nonstandard protocols.
Prevent/detect direct session initiation between servers in your data centre and networks/systems not under your control.
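As an added example, not part of the original slides, the last two bullets turned into rules run over constructed session records: flag sessions that a data-centre server initiates towards a network not under your control, and flag a known protocol appearing on a nonstandard port. The address ranges, the egress allowlist, the expected-port table and the record format (from an assumed protocol-aware firewall) are all assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed network model (assumption, not from the slides).
DATA_CENTRE = ipaddress.ip_network("10.10.0.0/16")           # server subnet
CONTROLLED = [ipaddress.ip_network("10.0.0.0/8"),            # networks we control
              ipaddress.ip_network("192.168.0.0/16")]
EGRESS_ALLOWLIST = {ipaddress.ip_address("203.0.113.50")}    # e.g. an approved update mirror
# Ports on which each application protocol (as labelled by the assumed firewall) is expected.
EXPECTED_PORTS = {"ssh": {22}, "http": {80, 8080}, "tls": {443}, "dns": {53}}

def is_controlled(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in CONTROLLED)

def classify(line: str) -> List[str]:
    """Return the reasons a session record is suspicious (empty list if none).
    Record format (constructed): <time> <src ip> <dst ip> <dst port> <app>"""
    _, src, dst, dport, app = line.split()
    src_ip, dst_ip, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    reasons = []
    # Servers should not open sessions to networks outside our control.
    if src_ip in DATA_CENTRE and not is_controlled(dst_ip) and dst_ip not in EGRESS_ALLOWLIST:
        reasons.append("server-initiated session to an uncontrolled network")
    # A known protocol on an unexpected port is a classic sign of a tunnel or backdoor.
    if app in EXPECTED_PORTS and port not in EXPECTED_PORTS[app]:
        reasons.append(f"{app} on nonstandard port {port}")
    return reasons

def review_sessions(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return only the records that matched at least one rule, with their reasons."""
    flagged = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged

SAMPLE_SESSIONS = [  # constructed records
    "10:01:00 10.10.4.20 203.0.113.50 443 tls",    # approved mirror: fine
    "10:02:00 10.10.4.20 198.51.100.9 443 ssh",    # SSH hidden on 443 towards the Internet
    "10:03:00 192.168.1.15 10.10.4.20 22 ssh",     # admin workstation to server: fine
    "10:04:00 10.10.4.21 198.51.100.77 8443 tls",  # server calling out on an odd port
    "10:05:00 10.10.4.21 10.10.9.3 53 dns",        # internal DNS: fine
]
```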

Phase 4 - Maintaining Access (cont.)

Phase 5 – Covering Tracks
After achieving his or her objectives, the attacker typically takes steps to hide the intrusion and possible controls left behind for future visits.
Again, in addition to anti-malware, personal firewalls, and host-based IPS solutions, deny business users local administrator access to desktops.
Alert on any unusual activity, any activity not expected based on your knowledge of how the business works.
To make this work, the security and network teams must have at least as much knowledge of the network as the attacker has obtained during the attack process.

Why is IS needed?
We need information security to reduce the risk of unauthorized information disclosure, modification, and destruction.
We need information security to reduce risk to a level that is acceptable to the business (management).
We need information security to improve the way we do business.

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. ― Sun Tzu, The Art of War
Any questions?

Thank You