Weaknesses in how people interact with information systems can be exploited to launch a damaging cyber attack. A better understanding of the elements of cyber security helps information managers get over a misguided sense of invincibility and plug the loopholes that make a malicious attack possible.
Application security embraces the steps taken throughout an application's lifecycle to thwart attempts to exceed the authorization limits set by the security policies of the underlying system. Its controls address the flaws introduced into a system during the design, development, deployment, upgrade or maintenance of the application.
An application controls only the use of the resources granted to it; application security governs how the application's users may use those resources.
The methodology for tackling threats to application security involves knowing the potential threats, adequately hardening the application, host and network, and embedding security within the software development process.
In the context of application security, an asset is a resource of value, such as information in a database or file system, or a system resource. The challenge is to identify the vulnerabilities in the parent system which, once exposed to an attacker, can be exploited to gain valuable insight into the functioning of the application. The risk is mitigated by weaving security into the application itself.
Common application threats and attack types are enumerated below.
- Input validation related, like cross-site scripting, buffer overflow, canonicalization and SQL injection.
- Authentication related, like brute-force attacks, network eavesdropping, cookie replay, dictionary attacks and credential theft.
- Authorization related, like disclosure of sensitive information, tampering with critical data, elevation of privilege and inviting attacks.
- Configuration management related, like illegitimate access to administration interfaces, illegitimate access to configuration stores, lack of individual user accountability, over-privileged service and process accounts, and retrieval of clear-text configuration data.
- Sensitive data related, like accessing storage to read critical data, eavesdropping on network lines and tampering with data.
- Session management related, like session hijacking, session replay and man-in-the-middle attacks.
- Cryptography related, like poor public/private key generation or key management, and weak encryption.
- Parameter manipulation related, like manipulation of query strings, form fields, cookies or HTTP headers.
- Exception management related, like denial of service and information disclosure.
- Auditing and logging related, like a user denying having performed an operation, an attacker exploiting an application unnoticed, and an attacker covering their tracks.
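Two of the input validation threats listed above, SQL injection and canonicalization, come down to the same mistake: trusting input before it has been reduced to a form the application can safely reason about. The following added example (written for this page, not taken from any product) shows a lookup that concatenates user input into SQL beside its parameterized form, and a path check that canonicalizes before deciding whether a requested file lies inside an allowed directory. The table contents, the base directory `/srv/app/files` and the function names are constructed for the demonstration.

```python
import os
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed in-memory user table for the demonstration (not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_vulnerable(conn, name):
    """Builds the SQL text by concatenation, so the caller's input becomes part of
    the statement and can change its logic (SQL injection)."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the value travels separately from the SQL text and is
    only ever compared as data, whatever characters it contains."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


def resolve_under(base_dir, user_path):
    """Canonicalize first, then check: percent-decode the input, join it to the
    base directory, collapse '.' and '..' segments and symlinks with realpath,
    and only then confirm the result still lies inside base_dir."""
    base = os.path.realpath(base_dir)
    decoded = unquote(user_path)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the base directory: %r" % user_path)
    return candidate


def is_safe_path(base_dir, user_path):
    """Boolean wrapper around resolve_under for callers that only need a yes/no."""
    try:
        resolve_under(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # classic tautology that turns a single lookup into "everyone"
    print("vulnerable:", lookup_vulnerable(conn, probe))  # returns both rows
    print("safe:      ", lookup_safe(conn, probe))        # returns no rows
    for p in ("reports/q1.txt", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd"):
        print(p, "->", is_safe_path("/srv/app/files", p))
```

The order of operations in `resolve_under` is the point: decoding and `realpath` run before the containment check, so an encoded or relative form of the same path cannot slip past a comparison made on the raw string.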
Information security involves safeguarding sensitive information from illegitimate access, use, disclosure, disruption, modification, perusal, inspection, destruction or recording. It also provides assurance that critical data is not lost when a natural disaster, system malfunction, theft or other potentially damaging situation arises.
The attributes that define security are confidentiality, integrity and availability. Information systems are a combination of hardware, software and communications, and the aim is to identify and apply protection and prevention mechanisms at each of these three levels. The procedures developed serve as guidelines for administrators, users and operators to follow safe usage practices for heightened security.
Data confidentiality is about preventing the deliberate or inadvertent disclosure of information to unauthorized systems or individuals. It is enforced by encrypting critical information in transit over communication channels vulnerable to eavesdropping, by limiting the places where the information is visible (databases, log files, backups, printed receipts and so on), and by restricting access to the storage locations. This prevents a breach of an otherwise secure system from disclosing private information.
Data integrity refers to maintaining and assuring the reliability, consistency and accuracy of classified data throughout its life. This means preventing undetected or unauthorized modification of data, whether in storage or in transit.
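"Undetected modification" is the operative phrase: a stored record cannot stop someone with write access from changing it, but it can carry a keyed tag that makes any change detectable. The added example below (not part of the original article) protects a record with an HMAC-SHA256 tag over a canonical serialization and shows verification failing once a field is altered or the wrong key is used. The record fields, the envelope layout and the function names are constructed for this illustration.

```python
import hashlib
import hmac
import json
import os


def canonical_bytes(record):
    """Canonical serialization: sorted keys and fixed separators, so two logically
    equal records always produce identical bytes and therefore identical tags."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect(record, key):
    """Return an envelope holding the record and an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify(envelope, key):
    """True only if the data is unchanged since protect() computed the tag.
    compare_digest runs in constant time so the comparison itself leaks nothing."""
    expected = hmac.new(key, canonical_bytes(envelope["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def demo():
    """Protect a constructed record, then tamper with a copy; returns (untouched_ok, tampered_ok)."""
    key = os.urandom(32)  # per-run demo key; a real deployment draws it from a key store
    env = protect({"account": "ACC-1001", "balance": 250, "currency": "EUR"}, key)
    tampered = dict(env, data=dict(env["data"], balance=250000))
    return verify(env, key), verify(tampered, key)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because the tag is keyed, an attacker who can rewrite the record but does not hold the key cannot recompute a matching tag; a plain hash stored alongside the data would not give that guarantee.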
Data availability means information is available for use when authorized services and users require it. This calls for the proper functioning of the systems that store and process the information, the security controls that protect it, and the network channels used to access it. The system should be available round the clock, with no service disruptions from power failures, hardware faults or system upgrades. Availability also covers defending against denial-of-service attacks.
Authenticity means the information, transactions, communications or documents are genuine. It involves verifying the credentials of the users about to transact with the system. Non-repudiation means the parties to a transaction cannot deny their role in sending or receiving the data.
Risks that could damage the information system are assessed, and the necessary mitigation steps are taken.
Network security refers to the comprehensive policies and provisions adopted, adaptively and proactively, by the network administrator to prevent and monitor unauthorized access, deliberate misuse, modification and denial of service against computer hosts and other network-accessible resources. It involves checking users' privilege rights to validate their legitimacy and grant them access to the network's data or allow the exchange of information. Users are allotted an ID and password or another form of authentication to demarcate their authority and, consequently, their use of the authorized domain.
Network security covers diverse computer networks, both private and public, that are used for transacting and communicating among organizations.
The security procedure starts with user authentication, which may be one-, two- or three-factor. One factor means password validation; two means a password combined with a security dongle, token, card or mobile phone; three adds a retinal scan or fingerprint to the two above.
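The "token or mobile phone" second factor is in most deployments a time-based one-time password. The following added example (written for this page, not the article's own material) implements a two-factor login: a salted PBKDF2 password check as the first factor and RFC 6238 TOTP as the second, with both factors always evaluated so a rejection does not reveal which one failed. The credential store layout, the user `alice` and her password are constructed; the TOTP secret is the published RFC 6238 test key, used only so the generated codes can be compared against the reference vectors.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed demo secret: the ASCII test key from RFC 6238 Appendix B, used here so
# the codes can be checked against the published vectors. Never reuse a published
# secret in a real deployment.
DEMO_TOTP_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """First factor: store only a salted PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def hotp(secret, counter, digits=8):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=8):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, digits=8, skew_steps=1):
    """Second factor: accept the current step plus one either side for clock skew.
    Every extra step allowed here enlarges the set of codes accepted at once."""
    for drift in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * step, step, digits), code):
            return True
    return False


def make_store():
    """Constructed credential store for one demo user (assumed layout, not any product's)."""
    salt, digest = hash_password("correct horse battery")
    return {"alice": {"salt": salt, "digest": digest, "totp_secret": DEMO_TOTP_SECRET}}


def login(store, username, password, code, now=None):
    """Both factors are always evaluated, so a failure does not reveal which one was wrong."""
    now = time.time() if now is None else now
    rec = store.get(username)
    if rec is None:
        return False
    first = verify_password(password, rec["salt"], rec["digest"])
    second = verify_totp(rec["totp_secret"], code, now)
    return first and second


if __name__ == "__main__":
    store = make_store()
    print(totp(DEMO_TOTP_SECRET, 59))  # 94287082, matching RFC 6238 Appendix B
    print(login(store, "alice", "correct horse battery", totp(DEMO_TOTP_SECRET, time.time())))
```

A real deployment would add rate limiting on failed attempts and reject a code that has already been accepted within its time step, since a replayed code is otherwise valid for the full skew window.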
Once authentication is complete, a network firewall enforces access policies, such as which services network users may access. Antivirus applications and intrusion prevention systems help detect and block potentially malicious content, such as Trojans and worms, passing over the network. An anomaly-based intrusion detection system may be deployed to monitor network traffic for suspicious or unexpected content or behavior. This helps avert situations like denial-of-service attacks or a disgruntled employee tampering with files, thus protecting the resources. Individual events within the network can be logged for later auditing or high-level scrutiny.
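The logged events mentioned above are only useful if something reads them. As an added example (not from the article), here is a small anomaly detector for the brute-force pattern listed earlier among the authentication threats: it parses sshd-style authentication lines, keeps a sliding window of failures per source address, and raises one alert when a source crosses a failure threshold and a higher-severity one when a login from that source then succeeds. The log lines are constructed for the demonstration and use documentation IP ranges; the line format mimics sshd but the detector is not tied to any product.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an sshd-like format (documentation IP ranges; not a real capture).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[412]: Failed password for alice from 203.0.113.7 port 51022
2024-03-01T10:00:04 sshd[412]: Failed password for alice from 203.0.113.7 port 51023
2024-03-01T10:00:06 sshd[412]: Failed password for alice from 203.0.113.7 port 51024
2024-03-01T10:00:09 sshd[413]: Failed password for bob from 198.51.100.22 port 40110
2024-03-01T10:00:10 sshd[413]: Accepted password for bob from 198.51.100.22 port 40110
2024-03-01T10:00:11 sshd[412]: Failed password for alice from 203.0.113.7 port 51025
2024-03-01T10:00:13 sshd[412]: Failed password for alice from 203.0.113.7 port 51026
2024-03-01T10:00:14 sshd[412]: Connection closed by 203.0.113.7 port 51026
2024-03-01T10:00:16 sshd[412]: Failed password for alice from 203.0.113.7 port 51027
2024-03-01T10:00:19 sshd[412]: Accepted password for alice from 203.0.113.7 port 51028
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_line(line):
    """Return a dict for authentication events, None for lines the detector ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Sliding-window count of failures per source address.

    Raises 'brute_force' when a source reaches `threshold` failures within the
    window, and 'success_after_failures' when a login from that source succeeds
    while its failure count is still at or above the threshold (the trace a
    guessed password leaves behind)."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        # Drop failures that have aged out of the window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                alerts.append({"kind": "brute_force", "src": ev["src"],
                               "user": ev["user"], "ts": ev["ts"]})
        else:
            if len(recent) >= threshold:
                alerts.append({"kind": "success_after_failures", "src": ev["src"],
                               "user": ev["user"], "ts": ev["ts"]})
            recent.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(a["ts"].isoformat(), a["kind"], a["src"], a["user"])
```

On the sample, `bob` fails once and then succeeds, which stays below the threshold and raises nothing; `alice`'s source reaches five failures at 10:00:13 and the later success from the same address produces the second alert. Keying the window on source address rather than username is a choice: it catches one host guessing many accounts, while a password-spraying pattern spread over many sources needs a second window keyed on the target account.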
Communication between network hosts can be encrypted to avoid eavesdropping. Deploying decoy network-accessible resources serves as a surveillance and early-warning measure: the techniques attackers use to compromise the decoys can be studied after the attack to understand the logic behind new means of exploitation.
Common types of attacks confronting networks include passive ones like idle scans, port scanning and wiretapping, and active ones like DDoS attacks, spoofing, ARP poisoning, smurf attacks, buffer or heap overflows, format string attacks and SQL injection.
Disaster Recovery/ Business Continuity Planning
Business continuity is the process of activating planned and managed procedures that enable an organization to keep its critical business units operating while a planned or unintentional disruption of regular business operations is in effect. Once a cyber attack has brought the business to a standstill by crippling its information systems, disaster recovery planning plays a vital role in keeping the critical parts running so that the business survives. Planning also reduces recovery costs and operational overheads.
The key aspects below should be focused on carefully when creating effective business continuity plans that let a business sail through difficult times.
- In the event of a disaster striking the information system, where should attention be committed first? Should the authorized users be contacted to ensure their safety, or should the bank or e-payment gateways be approached to confirm that the business capital is safe? The emergency response team should be adequately prepared to tackle the disaster, and the crisis management team should start doing its part.
- Which areas of the business should be recovered first? Should it be the segment that serves as the cash cow, or the one where the bulk of the capital has been directed? Which part of the information system is vital for sustained future growth? The segment identified should be the most critical business unit.
- What is the logical time frame within which recovery of the critical information units should start? Answering this requires calculating the cost of recovering from a disruption.
- What resources and infrastructure would be required for an effective IT recovery? The relative importance of each contributing aspect should be considered critically; this gives clarity on the cost involved. The onus of driving business continuity rests on the shoulders of business leaders.
- What is the most strategic location for conducting business recovery? Will the business center have adequate space, or would it be overwhelmed by other disaster-stricken people?
- Once the disaster recovery plan has been activated and production restarted at reduced capacity, an assessment has to be made of how long such operations can continue without the major operational sites. The resilience of the business should be assessed carefully.
- The disaster recovery plan should be tested at least once a year to confirm that it yields the desired results should a business recovery be required. The plan can then be reviewed for sufficiency and the necessary rewrites or updates implemented.
A business continuity plan takes a comprehensive approach to enterprise-wide disaster effects. A disaster recovery plan is inherently a subset of business continuity and focuses on the steps needed to resume normal business operations at the earliest. The disaster recovery plan is executed hot on the heels of a disaster. It details the steps to be executed for effective recovery of the critical information technology infrastructure. Disaster recovery planning leads to the formation of a planning group to carry out risk assessment, prioritize jobs, develop recovery tactics, prepare inventories and document the plan. Implementation of the plan is preceded by the development of verification criteria and an auditing procedure.
End User Education
The human element in cyber security is the weakest link and has to be adequately trained to make it less vulnerable. Comprehensive security policies, procedures and protocols have to be understood in depth by users who regularly interact with highly secure systems and access classified information. Periodic end-user education and reviews are imperative to highlight organizational weaknesses, system vulnerabilities and security loopholes to the user. Sound security behavior by users should take precedence over other aspects.
It has been observed that training imparted randomly or only at a high level proves less productive than frequent, granular training and exercises tailored to the specific behavioral patterns and practices of users. Senior leaders should participate in training events as a matter of course, to demonstrate the importance of responsible security behavior and to be better prepared for the challenge of cyber-attacks.
Strong cyber security programs leverage a combination of technological and human elements. Organizations should invest in human-based security alongside technological infrastructure. Substantial benefits come from greater transparency and from users' willingness to embrace newer techniques.
Training should be based on research into the behaviors and motivations of users at different levels of information security. Better protocols for the human element in the security chain can be established by gaining insight into users' views on technology and their responses to security threats. Training sessions will in turn lead to further research into human-machine interaction.
Cyber crime increasingly involves social engineering, where the perpetrators invest resources in learning about organizational stakeholders. Training allows senior management to familiarize themselves with system users, which helps nurture awareness of user-specific access privileges and of the internal sources capable of providing access to confidential information. User training also helps eliminate resistance to change and leads to closer user scrutiny.