AKTU MCA II CYBER SECURITY NOTES UNIT III
Unit III
Introduction to E-Commerce, Threats to E-Commerce, Electronic
Payment System, e-Cash, Credit/Debit Cards, Digital Signature, Cryptography,
Developing Secure Information Systems, Application Development Security,
Information Security Governance & Risk Management, Security Architecture
& Design, Security Issues in Hardware, Data Storage & Downloadable
Devices, Physical Security of IT Assets - Access Control, CCTV, Backup Security
Measures.
*************************************************************************************
Introduction to E-Commerce
E-commerce (electronic commerce) is the buying and selling of
goods and services, or the transmitting of funds or data, over an electronic
network, primarily the internet. These business transactions occur either as
business-to-business (B2B), business-to-consumer (B2C), consumer-to-consumer or
consumer-to-business.
E-commerce is basically the process of buying and selling
commodities and goods over the Internet. In E-commerce, transactions take
place digitally, through electronic funds and the processing of online
transactions.
Since E-commerce deals with the transfer of money
digitally, hackers and attackers use this as an opportunity to break into
E-commerce websites and gain some financial profit from them.
Threats to E-Commerce
Types of threats to E-commerce:
Tax Evasion: Organizations show the legal paper records of revenue to the IRS.
But in E-commerce shopping, transactions take place online and funds are
transferred electronically, so the IRS is not able to count the transactions
properly and there are high chances of tax evasion by these organizations.
Payment conflict: In E-commerce, payment conflicts can arise between users and
the E-commerce platforms. Due to glitches or errors, the electronic funds
transfer systems might process extra transactions from the users, which leads
to a payment conflict with the users.
Financial fraud: Whenever an online transaction or transfer of funds takes
place, it asks for a PIN or password to authenticate the user, so that only the
authorized person can process the transaction. But by using spyware and
viruses, attackers can get the users' transactions processed by an unauthorized
person, which leads to financial fraud against the user.
E-wallets: E-wallets are now an essential part of E-commerce platforms. An
attack on E-wallets can lead to the leak of the sensitive banking credentials of
the users, which can be used by the attackers for their own profit. Regulators
tend to monitor all the activities related to the financial security of the
money of the users.
Phishing: It is one of the most common attacks on users nowadays. The attackers
send emails and messages containing a special link to a large number of users.
When the users open that link in their browser, malware starts downloading in
the background and the attacker gets full control over the financial
information of the users. Attackers also make fake websites so that the users
trust the website and fill out their financial credentials.
SQL injections: SQL injections are used by attackers to manipulate the database
of large organizations. Attackers enter malicious code into the database, search
it with targeted queries, and then collect all the sensitive information in the
database.
Cross-site scripting (XSS): Hackers target the website of E-commerce companies
by entering malicious code into their codebase. It is a very harmful attack as
the control of the entire website goes into the hands of the attackers. It can
enable the attackers to track the users by using their browsing activity and
their cookies.
Trojans: Attackers make software that appears to be useful before downloading,
but once downloaded it installs malicious programs on the computer. It collects
data like personal details, address, email and financial credentials, and it
may cause data leaks.
Brute force attacks: Hackers try patterns and random guesses to break into
someone else's account as an unauthorized user. Cracking the password of an
account this way requires the attacker to work through multiple algorithms,
permutations and combinations.
Bots: Hackers use a large number of bots on E-commerce websites to track a
competitor in the E-commerce industry rankings and its users' buying policies,
in order to scrape the sales and revenue of the competitor. It also lowers the
ranking of their E-commerce website compared to the competitors because of the
bad experiences faced by the users. The result is lower prices overall and less
revenue in sales.
DDoS attacks: Distributed Denial of Service (DDoS) attacks are most commonly
used by hackers to stop legitimate users from accessing the E-commerce platform
and buying or selling products on it. Hackers use a large number of computers
to flood the server with requests until the server crashes.
Skimming: Skimming is a popular method of spreading malware on a website's main
pages, which are used by a large number of people. It steals and leaks all
information entered by the users on that webpage, and all this information goes
to the attacker.
Middlemen attack: In this type of attack, the attacker can clearly get all the
information in the conversation taking place between the consumer and the
E-commerce platform itself. The attacker sees the conversation between both of
them and uses this as an opportunity to make the user face some vulnerability.
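The SQL injection threat listed above comes from building query text out of user input. The following Python example is added here and is not part of the original notes; the table, column names, username policy and sample rows are constructed for illustration. It shows the same lookup written unsafely and then with a bound parameter and an input-validation layer.

```python
import re
import sqlite3


def make_db():
    """In-memory customer table filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (username TEXT PRIMARY KEY, card_last4 TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1881"), ("carol", "0005")],
    )
    return db


def lookup_vulnerable(db, username):
    # VULNERABLE: the input becomes part of the SQL text, so a quote in it
    # ends the string literal and the rest is parsed as SQL.
    query = "SELECT username, card_last4 FROM customers WHERE username = '" + username + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, username):
    # HARDENED: the statement text is fixed; the driver binds the input as a
    # value, so it can never change the structure of the query.
    query = "SELECT username, card_last4 FROM customers WHERE username = ?"
    return db.execute(query, (username,)).fetchall()


USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")  # assumed username policy


def lookup_validated(db, username):
    # Input validation as a second layer: reject anything outside the
    # allow-list before the database is touched at all.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return lookup_parameterized(db, username)


# Constructed hostile input: the quote closes the literal and the OR clause
# is always true, so the WHERE filter no longer restricts anything.
HOSTILE = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, HOSTILE))     # every row leaks
    print("parameterized:", lookup_parameterized(db, HOSTILE))  # no row matches
    print("normal lookup:", lookup_parameterized(db, "alice"))
```
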
Prevent threats:
We can prevent these E-commerce threats in the following ways:
Anti-malware: We can deploy anti-malware and anti-virus software on all our
computer systems so that we can prevent these conditions from happening.
Anti-malware and anti-virus software prevent all types of malware and viruses
from infecting the data on our computer.
HTTPS: HTTPS helps to keep the website data secure from any kind of digital
attack. SSL and HTTPS encrypt all the data of the users, which makes it harder
for hackers to crack.
Payment gateway: We can secure the payment gateway used on the E-commerce
websites with very high security and strict policies against leaking of any
financial credentials of any user.
Electronic payment system
Electronic payment is the process where customers make payments by
using electronic methods. Whether you want to pay for your favourite food or
you want to pay your nearby retailer, you can do it easily via electronic
payment solutions.
The different types of e-commerce payments in
use today are:
Credit Card
The most popular form of payment for e-commerce transactions is
through credit cards. It is simple to use; the customer has to just enter their
credit card number and date of expiry in the appropriate area on the seller’s
web page. To improve the security system, increased security measures, such as
the use of a card verification number (CVN), have been introduced to on-line
credit card payments. The CVN system helps detect fraud by comparing the CVN
number with the cardholder's information.
Debit Card
Debit cards are the second largest e-commerce payment medium in
India. Customers who want to spend online within their financial limits prefer
to pay with their Debit cards. With the debit card, the customer can only pay
for purchased goods with the money that is already there in his/her bank
account as opposed to the credit card where the amounts that the buyer spends
are billed to him/her and payments are made at the end of the billing period.
Smart Card
It is a plastic card embedded with a microprocessor that has the
customer’s personal information stored in it and can be loaded with funds to
make online transactions and instant payment of bills. The money that is loaded
in the smart card reduces as per the usage by the customer and has to be
reloaded from his/her bank account.
E-Wallet
E-Wallet is a prepaid account that allows the customer to store
multiple credit cards, debit card and bank account numbers in a secure
environment. This eliminates the need to key in account information every time
while making payments. Once the customer has registered and created E-Wallet
profile, he/she can make payments faster.
Netbanking
This is another popular way of making e-commerce payments. It is a
simple way of paying for online purchases directly from the customer’s bank. It
uses a similar method to the debit card of paying money that is already there
in the customer’s bank. Net banking does not require the user to have a card
for payment purposes but the user needs to register with his/her bank for the
net banking facility. While completing the purchase the customer just needs to
put in their net banking id and pin.
Mobile Payment
One of the latest ways of making online payments is through
mobile phones. Instead of using a credit card or cash, all the customer has to
do is send a payment request to his/her service provider via text message; the
customer’s mobile account or credit card is charged for the purchase. To set up
the mobile payment system, the customer just has to download software from
his/her service provider’s website and then link the credit card or mobile
billing information to the software.
eCash
eCash was a digital-based system that facilitated the
transfer of funds anonymously. A pioneer in cryptocurrency,
its goal was to secure the privacy of individuals that use the Internet
for micropayments. eCash was created by Dr. David Chaum under his
company, DigiCash, in 1990. Though there was interest in the platform from large
banks, eCash never took off and DigiCash filed for bankruptcy in 1998.
DigiCash, along with its eCash patents, was eventually sold off. In 2018, Chaum
launched a new startup focused on cryptography.
Digital Signatures
“Digital Signatures is an authentication tool.”
Digital signatures are the public-key primitives
of message authentication. In the physical world, it is common to use
handwritten signatures on handwritten or typed messages. They are used to bind
the signatory to the message.
Similarly, a digital signature is a technique
that binds a person/entity to the digital data. This binding can be
independently verified by the receiver as well as any third party.
A digital signature is a cryptographic value that
is calculated from the data and a secret key known only by the signer.
In the real world, the receiver of a message needs
assurance that the message belongs to the sender, and the sender should not be
able to repudiate the origination of that message. This requirement is very
crucial in business applications, since the likelihood of a dispute over
exchanged data is very high.
Model of Digital Signature
As mentioned earlier, the digital signature
scheme is based on public key cryptography. The model of digital signature
scheme is depicted in the following illustration −
The following points explain the entire process
in detail −
· Each person adopting this scheme has a
public-private key pair.
· Generally, the key pairs used for
encryption/decryption and signing/verifying are different. The private key used
for signing is referred to as the signature key and the public key as the
verification key.
· Signer feeds data to the hash function and
generates hash of data.
· Hash value and signature key are then fed to the
signature algorithm which produces the digital signature on given hash.
Signature is appended to the data and then both are sent to the verifier.
· Verifier feeds the digital signature and the
verification key into the verification algorithm. The verification algorithm
gives some value as output.
· Verifier also runs same hash function on
received data to generate hash value.
· For verification, this hash value and output of
verification algorithm are compared. Based on the comparison result, verifier
decides whether the digital signature is valid.
· Since the digital signature is created by the ‘private’
key of the signer and no one else can have this key, the signer cannot repudiate
signing the data in future.
It should be noted that instead of signing
data directly with the signing algorithm, usually a hash of the data is created.
Since the hash of data is a unique representation of data, it is sufficient to
sign the hash in place of the data. The most important reason for using the hash
instead of the data directly for signing is the efficiency of the scheme.
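The signing and verification steps listed above, written out in Python as an added example that is not part of the original notes. It uses unpadded textbook RSA over a SHA-256 hash so that each step of the model is visible; the demo key (built from two known Mersenne primes), the function names and the sample messages are assumptions made for illustration, and production systems use a vetted library with a padded scheme such as RSA-PSS.

```python
import hashlib

# Constructed demo key pair, for illustration only.
P = 2**521 - 1                      # known Mersenne prime
Q = 2**607 - 1                      # known Mersenne prime
N = P * Q                           # modulus, part of both keys
E = 65537                           # verification (public) exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # signature (private) exponent


def digest_int(data):
    """Hash function step: SHA-256 of the data as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, d=D, n=N):
    """Signer: hash the data, then apply the signature key to the hash."""
    return pow(digest_int(data), d, n)


def recover_hash(signature, e=E, n=N):
    """Verification algorithm: apply the verification key to the signature.
    The output is the hash value the signer originally signed."""
    return pow(signature, e, n)


def verify(data, signature, e=E, n=N):
    """Verifier: hash the received data independently and compare it with
    the output of the verification algorithm."""
    if not 0 < signature < n:
        return False
    return recover_hash(signature, e, n) == digest_int(data)


if __name__ == "__main__":
    order = b"pay 100 to merchant 42"          # constructed sample message
    sig = sign(order)
    print("genuine message :", verify(order, sig))                      # True
    print("altered message :", verify(b"pay 900 to merchant 42", sig))  # False
    print("altered signature:", verify(order, sig + 1))                 # False
```
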
Cryptography
Cryptography is a technique of securing information and
communications through the use of codes so that only those persons for whom the
information is intended can understand it and process it, thus preventing
unauthorized access to information. The prefix
“crypt” means “hidden” and the suffix “graphy” means “writing”.
In cryptography, the techniques which are used to protect information
are obtained from mathematical concepts and a set of rule-based calculations
known as algorithms, which convert messages in ways that make them hard to decode.
These algorithms are used for cryptographic key generation, digital signing,
verification to protect data privacy, web browsing on the internet and to protect
confidential transactions such as credit card and debit card transactions.
Types Of Cryptography:
In general there are three types of cryptography:
1. Symmetric Key Cryptography:
It is an encryption system where the sender and receiver of a message use a
single common key to encrypt and decrypt messages. Symmetric key systems are
faster and simpler, but the problem is that the sender and receiver have to
somehow exchange the key in a secure manner. The most popular symmetric key
cryptography system is the Data Encryption Standard (DES).
2. Hash Functions:
There is no usage of any key in this algorithm. A hash value with fixed length
is calculated from the plain text, which makes it impossible for the contents
of the plain text to be recovered. Many operating systems use hash functions to
protect stored passwords.
3. Asymmetric Key Cryptography:
Under this system a pair of keys is used to encrypt and decrypt information. A
public key is used for encryption and a private key is used for decryption. The
public key and the private key are different. Even if the public key is known
by everyone, only the intended receiver can decode the message because he alone
knows the private key.
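The hash-function item above mentions password storage. The following Python example is added here and is not part of the original notes; the iteration count, function names and sample passwords are assumptions for illustration. It shows that a hash has a fixed length whatever the input, why a plain unsalted hash is a poor fit for passwords, and how a salted, deliberately slow hash (PBKDF2 from the standard library) is stored and checked.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor for this example; tune per system


def fast_unsalted(password):
    """Plain SHA-256: equal passwords always give equal hashes, so one
    precomputed table of common passwords matches every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted, slow hash for storage. Returns (salt, digest); both are
    stored, the password itself never is."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password.
    same = "Summer2024"
    print("unsalted hashes equal:", fast_unsalted(same) == fast_unsalted(same))
    salt_a, stored_a = hash_password(same)
    salt_b, stored_b = hash_password(same)
    print("salted hashes equal  :", stored_a == stored_b)
    print("digest length (bytes):", len(stored_a), len(hash_password("x" * 500)[1]))
    print("correct password     :", verify_password(same, salt_a, stored_a))
    print("wrong password       :", verify_password("summer2024", salt_a, stored_a))
```
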
DEVELOPING SECURE INFORMATION SYSTEMS
Every information system is prone to threats like unauthorized
access, disclosure, destruction, use or modification. So, for handling such
threats we need to develop security programs or policies for the information
system. The information security program helps in selecting and implementing
countermeasures against any security breaches. A good security program helps
in ensuring that everyone within the organization works cooperatively to secure
the whole system.
Thus, developing a security program is the first action to
implement information security. A well-defined information security program
outlines the strategies which need to be implemented for achieving the
objectives of the information system in a secure way. An information security
program can also be used to integrate various aspects of an organization to meet
business objectives. After developing an information security program, it is
also necessary that everyone within the organization follows this program. This
is important because computers are inherently vulnerable to a wide variety of
threats and thus need to be periodically reviewed and tested.
So, for safeguarding the information system, information systems
security programs are used to address the threats like hacking or accidental
loss.
Information Security Program Objectives
The main objectives of an information security program are as follows:
> To protect information assets and ensure confidentiality, integrity
and availability of information throughout the system.
> To ensure that information is not revealed to
persons who are not part of the organization.
> To strengthen internal controls and the prevention of
improper or unauthorised access to information.
> To make sure that every security flaw or accident is
reported, so that proper analysis and handling of such cases can be done.
Management Commitment
Management commitment to security is essential for developing
a successful information security system. Management commitment helps in
motivating the information resource owners and users and also provides the
visibility which is needed by the information security team for ensuring the
support of business units. All the individuals within the organization show
commitment towards security by following the security guidelines and practices
given by the authoritative sources. Management support helps in better handling
of security issues and leads to a decrease in the likelihood of failures. If
the top management does not show support for information system security
efforts, then their employees will also show less support for these efforts. If
the organization emphasizes the negative effects of loss of information, then
this will put pressure on business units and will motivate them to improve
security. Also, if a ranking system for business units is established within
the organization based on the quality of their information security, then this
will ensure an active participation of all the units in information security
within the organization and will also apply pressure on
the individual who do not
Information System Security Program Development Responsibilities
The information system security team should be responsible for
developing the information security program. As an alternative, a management
committee within the organization can be given the responsibility to draft
security policies and guidelines. It is important that the team which will be
making the information security program is familiar with the current business
culture and technologies. This will help in making intelligent decisions.
Knowing the business culture helps in designing an information security program
that will ensure compatibility, and familiarity with technology helps to know
the limitations of technological solutions and security capabilities. After
considering all the important aspects of information security, the team designs
an information security program to protect the system from threats.
Application Development Security
Application development security includes foundation, principles
and design guidelines which are based on the basic aims of information security
for developing safe applications.
The framework helps in the secure development of applications, which
serve as a component of the defense of the system and at the same time
protect information assets.
Foundation
Foundation includes the basic aspects of application development
which one needs to know before developing a secure application. It includes:
• Knowledge of company's security policy, methods and guidelines.
• Knowledge of application development methodology.
• Knowledge of programming languages and translators.
Principles
The following principles need to be followed when developing a
secure application.
• Adhering to trusted standards.
• Protection of information assets.
• Authentication.
• Mechanism of overcoming failures.
• Use of accuracy in date and time.
• Users need to know how it works, rather than its implementation.
• Login monitoring and auditing.
• Use of security mechanisms.
• Security is implemented as a part of design.
• Assuming hostile situations.
• Minimize use of computing elements and their protection.
Design Guidelines
Design guidelines steer application development towards the use of best
practices for securing the application. The best known and widely accepted
security methods are used for implementing the code for the application.
They are as follows:
• Input Validation
• Exception Handling
• Random Numbers
• Canonical Representation
• Cryptography
Information Security Governance & Risk Management
Information security governance is defined as “a subset of
enterprise governance that provides strategic direction, ensures that
objectives are achieved, manages risk appropriately, uses organizational
resources responsibly, and monitors the success or failure of the enterprise
security program,” according to the Information Systems Audit and Control
Association.
Need an Information Security Governance Framework?
While the definition sounds complex, it can be simplified. An
information security governance framework helps you prepare for risks or events
before they occur by forcing you to continually reevaluate critical IT and
business functions through:
· Integrated risk management functions
· Threat and vulnerability analysis
· Data governance and threat protection
· Aligning business strategy with IT strategy
Reactive Versus Proactive
Information security governance also helps an organization move
from a reactive approach to cybersecurity to a proactive approach. It allows
you to:
· Categorize and mitigate risks and threats
· Prepare an organization for identifying, remediating, and recovering from a
cyberattack or breach
· Provide a method for executive leadership to understand their risk posture
and maturity levels
· Outline a risk-based approach to the people, systems, and technology that are
used every day
Main Components of Information Security Governance?
There are four main components to the information security
governance framework:
· Strategy
· Implementation
· Operation
· Monitoring
Strategy
Information security should align with business objectives. IT
strategic plans need to satisfy the current and future business requirements.
The goal of information security governance is to align business and IT
strategies with organizational objectives.
Implementation
Information security governance requires commitment, resources,
assignment of responsibilities, and implementation of policies and procedures
that address the controls within a chosen framework. Buy-in from senior
management and above is critical to the implementation of the program.
Operation
It’s important that adequate resources are in place, projects that
align with your overall strategy are deployed, and operational and technology
risks are addressed and mitigated to appropriate levels.
Monitoring
Metrics and monitoring help document the effectiveness of the
program, provide information to help management make decisions, address any
compliance issues, and establish information security controls with a more
proactive approach.
Information security risk management or ISRM
Information security risk management, or ISRM, is the process of
managing risks associated with the use of information technology. It involves
identifying, assessing, and treating risks to the confidentiality, integrity,
and availability of an organization’s assets. The end goal of this process is
to treat risks in accordance with an organization’s overall risk tolerance.
Businesses shouldn’t expect to eliminate all risks; rather, they should seek to
identify and achieve an acceptable risk level for their organization.
Stages of ISRM:
Identification
Identify assets: What data, systems, or other assets would be
considered your organization’s “crown jewels”? For example, which assets would
have the most significant impact on your organization if their confidentiality,
integrity or availability were compromised? It’s not hard to see why the
confidentiality of data like social security numbers and intellectual property
is important. But what about integrity? For example, if a business falls under
Sarbanes-Oxley (SOX) regulatory requirements, a minor integrity
problem in financial reporting data could result in an enormous cost. Or, if an
organization is an online music streaming service and the availability of music
files is compromised, then they could lose subscribers.
Identify vulnerabilities: What system-level or software
vulnerabilities are putting the confidentiality, integrity, and availability of
the assets at risk? What weaknesses or deficiencies in organizational processes
could result in information being compromised?
Identify threats: What are some of the potential causes of
assets or information becoming compromised? For example, is your organization’s
data center located in a region where environmental threats, like tornadoes and
floods, are more prevalent? Are industry peers being actively targeted and
hacked by a known crime syndicate, hacktivist group, or government-sponsored
entity? Threat modeling is an important activity that helps add context by
tying risks to known threats and the different ways those threats can cause
risks to become realized via exploiting vulnerabilities.
Identify controls: What do you already have in place to
protect identified assets? A control directly addresses an identified
vulnerability or threat by either completely fixing it (remediation) or
lessening the likelihood and/or impact of a risk being realized (mitigation).
For example, if you’ve identified a risk of terminated users continuing to have
access to a specific application, then a control could be a process that
automatically removes users from that application upon their termination. A
compensating control is a “safety net” control that indirectly addresses a
risk. Continuing with the same example above, a compensating control may be a
quarterly access review process. During this review, the application user list
is cross-referenced with the company’s user directory and termination lists to
find users with unwarranted access and then reactively remove that unauthorized
access when it’s found.
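The quarterly access review described above, as an added Python example that is not part of the original notes. The user names, the directory and termination records, and the review date are constructed sample data, and the record layout is an assumption; a real review would load these from the application, the user directory and HR exports.

```python
from datetime import date

# Constructed sample data for the review (not from a real system).
APP_USERS = ["asharma", "RKumar ", "pverma", "svc-report", "mkhan"]
DIRECTORY = {
    "asharma": {"active": True},
    "rkumar": {"active": True},
    "pverma": {"active": False},    # account disabled in the directory
    "mkhan": {"active": True},      # directory not yet updated after exit
}
TERMINATIONS = {"mkhan": date(2024, 2, 15), "pverma": date(2024, 5, 1)}


def normalize(name):
    """Application exports often differ in case and spacing from the
    directory, so names are compared in a normalized form."""
    return name.strip().casefold()


def access_review(app_users, directory, terminations, review_date):
    """Cross-reference the application user list with the user directory and
    the termination list. Returns (user, reason) for every account whose
    access is not warranted on review_date."""
    directory = {normalize(k): v for k, v in directory.items()}
    terminations = {normalize(k): v for k, v in terminations.items()}
    findings = []
    for user in sorted({normalize(u) for u in app_users}):
        left_on = terminations.get(user)
        entry = directory.get(user)
        if left_on is not None and left_on <= review_date:
            findings.append((user, "terminated " + left_on.isoformat()))
        elif entry is None:
            # Unknown to the directory: orphaned or shared account to justify.
            findings.append((user, "not in user directory"))
        elif not entry["active"]:
            findings.append((user, "directory account disabled"))
    return findings


if __name__ == "__main__":
    for user, reason in access_review(APP_USERS, DIRECTORY, TERMINATIONS,
                                      date(2024, 3, 31)):
        print("remove access:", user, "(" + reason + ")")
```
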
Assessment
This is the process of combining the information you’ve gathered about assets,
vulnerabilities, and controls to define a risk. There are many frameworks and
approaches for this, but you’ll probably use some variation of this equation:
Risk = (threat x vulnerability (exploit likelihood x exploit impact) x asset value) - security controls
Note: this is a very simplified formula analogy.
Calculating probabilistic risks is not nearly this straightforward, much to
everyone’s dismay.
Treatment
Once a risk has been assessed and analyzed, an organization will need to select
treatment options:
Remediation: Implementing a control that fully or nearly fully
fixes the underlying risk.
Example: You have identified a vulnerability on a server where
critical assets are stored, and you apply a patch for that vulnerability.
Mitigation: Lessening the likelihood and/or impact of the risk,
but not fixing it entirely.
Example: You have identified a vulnerability on a server where critical
assets are stored, but instead of patching the vulnerability, you implement a
firewall rule that only allows specific systems to communicate with the
vulnerable service on the server.
Transference: Transferring the risk to another entity so your
organization can recover from incurred costs of the risk being realized.
Example: You purchase insurance that will cover any losses that would be
incurred if vulnerable systems are exploited. (Note: this should be used to
supplement risk remediation and mitigation but not replace them altogether.)
Risk acceptance: Not fixing the risk. This is appropriate in
cases where the risk is clearly low and the time and effort it takes to fix the
risk costs more than the costs that would be incurred if the risk were to be
realized.
Example: You have identified a vulnerability on a server but concluded
that there is nothing sensitive on that server; it cannot be used as an entry
point to access other critical assets, and a successful exploit of the
vulnerability is very complex. As a result, you decide you do not need to spend
time and resources to fix the vulnerability.
Risk avoidance: Removing all exposure to an identified risk.
Example: You have identified servers with operating systems (OS) that are
about to reach end-of-life and will no longer receive security patches from the
OS creator. These servers process and store both sensitive and non-sensitive
data. To avoid the risk of sensitive data being compromised, you quickly
migrate that sensitive data to newer, patchable servers. The servers continue
to run and process non-sensitive data while a plan is developed to decommission
them and migrate non-sensitive data to other servers.
Communication
Regardless of how a risk is treated, the decision needs to be communicated
within the organization. Stakeholders need to understand the costs of treating
or not treating a risk and the rationale behind that decision. Responsibility
and accountability need to be clearly defined and associated with individuals
and teams in the organization to ensure the right people are engaged at the
right times in the process.
Rinse and Repeat
This is an ongoing process. If you chose a treatment plan that requires
implementing a control, that control needs to be continuously monitored. You’re
likely inserting this control into a system that is changing over time. Ports
being opened, code being changed, and any number of other factors could cause
your control to break down in the months or years following its initial implementation.
Security Architecture & Design Security Issues in Hardware
Security architecture and Design
• Security Architecture and Design of a system covers a bundle of the
following components: hardware, software and operating system, and how to use
those components to design, architect, and evaluate secure computer systems.
• Security Architecture and Design is a three-part domain.
1. The first part covers the hardware and software required to
have a secure computer system.
2. The second part covers the logical models required to keep the
system secure.
3. The third part covers evaluation models that quantify how
secure the system really is.
Secure System Design Concept
We can design a secure system by implementing software and
hardware specifically and including following principles
– Layering
– Abstraction
– Security domains
– The ring model
– Open-closed systems
• Layering
Layering separates hardware and software functionality into
modular tiers.
A generic list of security architecture layers is as follows :
1. Hardware (bottom layer)
2. Kernel and device drivers
3. Operating System
4. Applications (Top Layer)
• Abstraction: Abstraction hides unnecessary details from the
user.
• Complexity is the enemy of security:
– the more complex a process is, the less secure it is. That said,
computers are tremendously complex machines.
• Abstraction provides a way to manage that complexity.
– For example, when music is played from a file through the
speaker of the computer system, the user is only concerned with playing the
music with a click, without knowing the internal working of the music player.
Security Domains: A security domain is the list of objects a
subject is allowed to access.
• With respect to kernels, two domains are user mode and kernel
mode.
– Kernel mode (also known as supervisor mode) is where the kernel
lives, allowing low-level access to memory, CPU, disk, etc. It is the most
trusted and powerful part of the system.
– User mode is where user accounts and their processes live. The
two domains are separated: an error or security lapse in user mode should not
affect the kernel.
The Ring Model:
• The ring model is a form of CPU hardware layering that separates
and protects domains (such as kernel mode and user mode) from each other.
• Many CPUs, such as the Intel x86 family, have four rings, ranging
from ring 0 (kernel) to ring 3.
• The rings are (theoretically) used as follows:
Ring 0: Kernel
Ring 1: Other OS components that do not fit into ring 0
Ring 2: Device drivers
Ring 3: User applications
Open and Closed Systems:
• An open system uses open hardware and standards, using standard
components from a variety of vendors.
– Ex - Assembled Desktop computer
• Closed systems only use proprietary hardware or software from a
specific vendor.
– Ex - Branded Desktop (HP)
Secure hardware architecture
• Secure Hardware Architecture focuses on the physical computer
hardware required to have a secure system.
• The hardware must provide confidentiality, integrity, and
availability for processes, data, and users.
Security issues in 1. hardware, 2. data storage and 3. downloadable
devices
• Securing a computer system means protecting all of its components,
which include
– hardware, software, storage devices, operating system and
peripheral devices.
• Each component has its own vulnerability or weakness.
– Hardware parts can be stolen and destroyed.
• Security of every component of the system is equally important.
– We need to be able to control our computer system completely so
that the information asset can be protected.
Security Issues in Hardware
• Hardware is the component on which the entire computer system is
based; this includes the processor, hard drive and monitor.
• Hardware mainly faces security issues related to stealing,
destruction, gaining unauthorized access and breaking the security code of
conduct.
• Any breaking of the code of conduct needs proper security measures,
such as placing the hardware within your controlled environment.
Counter Security Measures in Hardware
To secure hardware from unauthorized access, the following mechanisms
should be used:
• Biometric access control.
• Authentication token (entry via smart card).
• Radio Frequency Identification (RFID).
• Use VPN to provide complete security over internet.
• Use strong passwords.
• Provide limited access to the devices.
2. Security Issues with Storage Devices
• Data storage devices are used to save information.
• Devices such as compact disk (CD), digital versatile disk (DVD),
memory cards, flash drives etc.
• The main issues faced by these devices are:
– Loss and theft of data.
– Improper disposal of data.
– Introduction of malware into your system.
– Denial of data, i.e., attack on availability of data.
• All these issues can be overcome by using the following measures:
– Making people aware of the various kinds of attacks.
– Educating people regarding various cyber laws of the nation.
– Making people understand the importance of security.
– Implement certain policies and procedures that provide security
for the storage devices and data.
2. Security Issues with Storage Devices
• E.g. PD-USB: PDA, External Hard Drive
• Security Issues related to them are-
– Stealing of data.
– Destruction of data.
– External attacks (virus etc.).
• Measures include:
– Protection of data from theft/ manipulation
– Protection of devices from being stolen or destroyed
– Protection of environment from undesired access.
Physical Security of IT Assets
• An IT asset is a piece of software or hardware within an
information technology environment.
• Tracking of IT assets within an IT asset management system can
be crucial to the operational or financial success of an enterprise.
• IT assets are integral components of the organization’s systems
and network infrastructure. Security of data and assets is equally important.
• Physical security of our assets, especially IT assets, is also
very important.
– There are several issues that need to be countered in order to
apply total security control.
• We may need locks and other access control techniques to
protect our assets from unwanted users.
Physical Security of IT Assets (Threats)
• Threats to physical security are as follows:
(1) Physical access exposure to human beings: An organization's own
employees are one of the main causes of physical security threats.
• Can be controlled through
– Strong authentication mechanism
– restricted use of resources
– Restricted area and building
– Proper standards for verification and validation of user
identity.
(2) Physical access exposure to natural disasters:- Natural
disasters may destroy your computer systems or all data storage systems and
might interrupt your network.
– For example, fire, lightning, or electronic interruption
– Can’t be controlled, but recovery measures could be taken.
• Measures to ensure physical security of IT assets-
(1)Physical access controls
• Through photo IDs, biometric authentication systems, entry logs,
magnetic locks using electronic keycard, computer terminal locks.
(2)Electronic and visual surveillance systems
• Through closed circuit television (CCTV), RFID sensors
• CCTV cameras are also called the third eye because if a human
being fails to notice some people entering a restricted zone, these cameras
can capture the event or photos.
(3) Intrusion Detection Systems (IDS):-
IDS are a way of dealing with unauthorized access to information
system assets.
Physical Security of IT Assets (Measures)
Backup Security Measures
• The following practices should be performed to maintain proper
data backup security:
– Assigning responsibility, authority and accountability.
– Assessing risks.
– Developing data protection processes.
– Communicating the processes to the concerned people.
– Executing and testing the process.
1. Assign Accountability, Responsibility and Authority
• Make storage security a function of overall information security
policies and architecture
• Divide duties where data is highly sensitive.
• Ensure that the person authorizing access is not the person
charged with responsibility for execution.
2. Assessing Risk
• Perform a Risk Analysis of the Entire Backup Process.
• Execute a Cost/Benefit Analysis on Backup Data Encryption
• Identify Sensitive Data.
3. Develop Data Protection Process
• Adopt a Multi-Layered Security Approach
– Authentication
– Authorization
– Encryption
– Auditing
• Copy Your Backup Tapes
4. Communicating the Processes to the Concerned People
• It is important to ensure that the people responsible for
carrying out its security are informed and trained.
• Security policies are the most important aspect of assigning
accountability, responsibility and authority.
5. Executing and testing the process
• Once the end-to-end plan has been developed, defined and
communicated to the appropriate people, it is time to begin execution and
testing process.
Access Control
• Access Control is the process or mechanism for giving the
authority to access the specific resources, applications and system.
• Access control defines a set of conditions or criteria to access
the system and its resources.
• There are three main access control models: the first is the
Mandatory access control model, the second is the Discretionary access
control model and the third is the Role-based access control model.
Types of Access control
• Mandatory access control (MAC):
In this security policy, users do not have the authority to
override the policies; it is controlled centrally by the security
policy administrator.
The security policy administrator defines the usage of resources
and their access policy, which cannot be overridden by the end users, and the
policy decides who has authority to access particular programs and
files.
MAC is mostly used in systems where priority is based on
confidentiality.
• Discretionary access control (DAC):
This policy contrasts with Mandatory Access Control (MAC), which is
determined by the system administrator, while DAC policies are determined by the
end user with permission.
In DAC, the user has complete authority over all the resources it
owns and also determines the permissions for other users who have those
resources and programs.
• Role-based access control (RBAC):
This policy is very simple to use.
In RBAC, roles are assigned statically by the system administrator,
and access is controlled depending on the roles that the users have in a
system.
RBAC is mostly used to control access to computer or network
resources depending on the roles of individual users within an organization.
Due to the static role assignment, it does not have complexity.
Therefore it needs little attention for maintenance.
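The three models above, shown deciding access for the same constructed users and files. This is an added example, not part of the original notes; the user names, file names, roles and the clearance levels used for MAC are assumptions made for illustration.

```python
# Constructed sample data throughout: users, files, labels and roles are hypothetical.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

# MAC: labels are set centrally by the security policy administrator;
# nothing below gives an end user a way to change them.
CLEARANCE = {"alice": "secret", "bob": "public"}
FILE_LABEL = {"payroll.xls": "confidential", "menu.txt": "public"}

def mac_can_read(user, obj):
    """Read is allowed only if the user's clearance is at least the file's label."""
    return LEVELS[CLEARANCE[user]] >= LEVELS[FILE_LABEL[obj]]

# DAC: each object has an owner, and only the owner may change its permissions.
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, grantor, user, perm):
        if grantor != self.owner:
            raise PermissionError("only the owner may grant access")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user, perm):
        return perm in self.acl.get(user, set())

# RBAC: the administrator assigns roles; permissions attach to roles, not users.
ROLE_PERMS = {"hr_clerk": {("payroll.xls", "read")},
              "auditor": {("payroll.xls", "read"), ("audit.log", "read")}}
USER_ROLES = {"alice": {"auditor"}, "bob": set(), "carol": {"hr_clerk"}}

def rbac_allows(user, obj, perm):
    return any((obj, perm) in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))

def demo():
    payroll = DacObject(owner="carol")
    before = payroll.allows("bob", "read")
    payroll.grant("carol", "bob", "read")   # the owner's own decision
    return {
        "mac_alice": mac_can_read("alice", "payroll.xls"),
        "mac_bob": mac_can_read("bob", "payroll.xls"),
        "dac_bob_before": before,
        "dac_bob_after": payroll.allows("bob", "read"),
        "rbac_carol": rbac_allows("carol", "payroll.xls", "read"),
        "rbac_bob": rbac_allows("bob", "payroll.xls", "read"),
    }

if __name__ == "__main__":
    print(demo())
```

Under DAC, bob gains access as soon as the owner grants it; under MAC and RBAC his access changes only when the administrator changes a label, a clearance or a role.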
CCTV
A closed-circuit television camera can produce images or
recordings for surveillance or other private purposes. Cameras can be
either video cameras, or digital stills cameras. Walter Bruch was the
inventor of the CCTV camera. The main purpose of a CCTV camera is to
capture light and convert it into a video signal. Underpinning a CCTV
camera is a CCD sensor (charge-coupled device). The CCD converts light
into an electrical signal and then signal processing converts this
electrical signal into a video signal that can be recorded or displayed
on the screen.
Data storage and downloadable devices
Data storage and downloadable devices are two
important aspects of data management. Data storage refers to the physical or
electronic media used to store data, while downloadable devices are devices
that can be used to transfer data from one location to another.
There are many different types of data storage
devices, including hard drives, solid-state drives (SSDs), optical discs (CDs,
DVDs, and Blu-rays), and flash drives. Each type of device has its own
advantages and disadvantages, such as capacity, speed, durability, and cost.
Downloadable devices include smartphones,
tablets, laptops, and desktop computers. These devices can be used to download
data from the internet, such as music, movies, software, and documents. They
can also be used to transfer data between devices, such as transferring photos
from a camera to a computer.
The choice of data storage device and
downloadable device will depend on the specific needs of the user. For example,
a user who needs to store a large amount of data may choose a hard drive, while
a user who needs a portable device may choose a flash drive.
Here are some of the benefits of using data
storage and downloadable devices:
· Data security: Data storage devices can help to protect data from
unauthorized access. For example, hard drives and SSDs can be encrypted
to prevent unauthorized access to the data stored on them.
· Data backup: Data storage devices can be used to backup data, which
can help to protect data from loss in the event of a hardware failure or
other disaster.
· Data sharing: Data storage devices can be used to share data with
others. For example, a user can share photos or documents with friends
or family by transferring them to a flash drive or cloud storage.
Here are some of the risks associated with
using data storage and downloadable devices:
· Data loss: Data can be lost if a data storage device is damaged or
lost.
· Data corruption: Data can be corrupted if a data storage device is not
properly formatted or if it is infected with a virus.
· Data theft: Data can be stolen if a data storage device is lost or
stolen.
It is important to take steps to protect data
stored on data storage devices and downloadable devices. These steps include:
· Encrypting data: Encrypting data can help to protect it from
unauthorized access.
· Backing up data: Backing up data can help to protect it from loss in
the event of a hardware failure or other disaster.
· Using strong passwords: Using strong passwords can help to protect
data from unauthorized access.
· Keeping data storage devices safe: Keeping data storage devices safe
can help to protect them from damage, loss, or theft.
Data storage and downloadable devices are
essential tools for data management. By understanding the benefits and risks of
these devices, users can take steps to protect their data.
CCTV:
What is CCTV?
CCTV stands for closed-circuit television. It
is a system of video cameras that are used to transmit a signal to a specific
place, on a limited set of monitors. CCTV systems are often used for security
purposes, but they can also be used for other purposes, such as traffic
monitoring or retail analytics.
How does CCTV work?
CCTV systems typically consist of three main
components:
· Video cameras: The cameras capture images of the area that is being
monitored.
· Recording devices: The recording devices store the images that are
captured by the cameras.
· Monitors: The monitors display the images that are captured by the
cameras.
CCTV systems can be wired or wireless. Wired
CCTV systems use cables to connect the cameras, recorders, and monitors.
Wireless CCTV systems use radio waves to connect the cameras, recorders, and
monitors.
Benefits of CCTV
CCTV systems offer a number of benefits,
including:
· Security: CCTV systems can help to deter crime and to identify
criminals.
· Safety: CCTV systems can help to keep people safe by providing a
visual record of events.
· Monitoring: CCTV systems can be used to monitor activities in a
variety of settings, such as businesses, schools, and public areas.
· Analytics: CCTV systems can be used to collect data about traffic
patterns, customer behavior, and other activities.
Drawbacks of CCTV
CCTV systems also have some drawbacks,
including:
· Privacy concerns: Some people have concerns about the privacy
implications of CCTV surveillance.
· Cost: CCTV systems can be expensive to install and maintain.
· Maintenance: CCTV systems require regular maintenance to ensure that
they are working properly.
Backup security measures
Backup security
measures are important to protect your data from unauthorized access,
corruption, or loss. Here are some of the most important backup security
measures to consider:
· Use strong passwords and encryption: Your backup files should be
encrypted with a strong password that you do not use for any other
purpose. This will help to protect your data from unauthorized access.
· Store your backups in a secure location: Your backup files should be
stored in a secure location that is not accessible to unauthorized
individuals. This could be a physical location, such as a safe or a
locked cabinet, or a cloud-based storage service.
· Encrypt your backup media: If you are using physical backup media,
such as an external hard drive or a tape drive, you should encrypt the
media with a strong password. This will help to protect your data from
unauthorized access if the media is lost or stolen.
· Rotate your backups: You should rotate your backups on a regular
basis. This means that you should create new backups and delete old
backups. This will help to protect your data from corruption or loss if
one of your backups becomes corrupted or lost.
· Test your backups regularly: You should test your backups regularly to
make sure that they are working properly. This will help to ensure that
you can restore your data if it is ever lost or corrupted.
By following these backup security measures,
you can help to protect your data from unauthorized access, corruption, or
loss.
Here are some additional backup security
measures that you may want to consider:
· Use a cloud-based backup service: Cloud-based backup services offer a
number of security features, such as encryption, access control, and
disaster recovery.
· Use a backup software solution with security features: There are a
number of backup software solutions that offer security features, such
as encryption, access control, and auditing.
· Keep your backup software up to date: Backup software vendors
regularly release security updates. It is important to keep your backup
software up to date to ensure that you are protected from the latest
security threats.
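One way to carry out the "test your backups regularly" measure: record a SHA-256 manifest when the backup is made, then read every file back out of the archive and compare. This is an added example, not part of the original notes; the file names and the two archives are constructed sample data, and the second archive stands in for a copy whose contents no longer match the manifest.

```python
import hashlib, os, tarfile, tempfile, zlib

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def make_backup(src_dir, archive_path):
    """Archive src_dir; return a manifest {relative path: SHA-256 of content}."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest

def verify_backup(archive_path, manifest):
    """Read every file back from the archive and compare it with the manifest."""
    problems, seen = [], set()
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                seen.add(member.name)
                digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
                if manifest.get(member.name) != digest:
                    problems.append("changed or unexpected: " + member.name)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        return ["archive unreadable: " + type(exc).__name__]
    return problems + ["missing: " + n for n in sorted(set(manifest) - seen)]

def demo():
    """Constructed sample data: two small files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "data")
        os.makedirs(src)
        for name, text in (("ledger.csv", "id,amount\n1,100\n"),
                           ("notes.txt", "q1 close\n")):
            with open(os.path.join(src, name), "w") as f:
                f.write(text)
        good = os.path.join(tmp, "monday.tar.gz")
        manifest = make_backup(src, good)
        # Stand-in for a bad copy: one file altered, one file gone.
        with open(os.path.join(src, "ledger.csv"), "w") as f:
            f.write("id,amount\n1,999\n")
        os.remove(os.path.join(src, "notes.txt"))
        bad = os.path.join(tmp, "tuesday.tar.gz")
        make_backup(src, bad)
        return verify_backup(good, manifest), verify_backup(bad, manifest)

if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere other than the backup media, so that a lost or altered archive cannot take its own reference hashes with it.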