Secure Architecture and Incident Management for E-Business
IT Security and Risk Management
1. IT Security & Risk Management Policy
For Computers
By Hamid Reza Zamanian
May 2007
Course: RedHat Linux Networking and Security
Teacher: Jalal Hajigholamali
Location: ISIRAN Institute, Tehran, Iran
Preface (I of III)
An IT security and risk management policy exists only to improve how well your business is protected against the different types of data loss, information leakage, ID theft and attacks. At a glance, IT security is an expensive industry, so to avoid overspending you have to identify the real needs of your business and match them with the right and suitable security solutions.
But there is no guarantee in the IT security world, and no one can make your business secure enough, even with real-time updates and patch advisory solutions, because many factors affect IT security: vulnerabilities, human error, bugs, natural disasters, and so on.
Preface (II of III)
IT security is categorized by device and network type as follows:
1) Laptops & USB devices
2) Computers
3) Wi-Fi networks & devices
4) Mobile networks & devices
5) Router devices
6) Bluetooth
7) Phone phreaking
This seminar, however, covers computer security regardless of workstation/server type, and it also covers the security policy for administrators and end users.
2) Computers Security Policy
[Diagram: Physical & Security Architectural Location: Server Location, Client Location]
2.1) Physical & Security Architectural Location:
According to risk management factors, you as a security administrator have to anticipate any kind of future natural disaster, or other uncontrollable disaster, that may happen to the server and client PCs, and as a preliminary action you should identify the safest places to locate your machines so they are protected from harm. You should also use secure architectural designs to protect your machines from hacking attacks.
[Diagram: Electrical & Noise Protection: Central UPS and/or Backup Electricity Generator; Noise Protection & Safe Cabling]
2.2) Electrical & Noise Protection:
2.2.1) Central UPS and/or Backup Electricity Generator:
You have to have an alternative electricity supply for the moment of a power failure to prevent downtime. It is also good to have a backup electricity generator beside the UPS, because a UPS can only help you for a limited time.
2.2.3) Noise Protection and Safe Cabling:
Electrical interference (noise) is another problem you can face, so you should address it with safe cabling and suitable devices.
[Diagram: Data Loss Security: Server, Client]
2.3) Data Loss:
There are two types of data loss in IT security:
1) Data loss in the sense of deletion of data.
2) Data loss in the sense of data going into a third party's wrong hands.
In this section we discuss the first type, and then we go through data loss in the sense of data going into a third party's wrong hands.
The anti-data-loss policy (for data removal) is divided into two categories by the type of machine: first servers, then clients.
[Diagram: Server Data Loss: Backup Location (Anti-Human Factors, Anti-Natural Disasters); Database Backup Policy; Data Backup Policy (Official Regular Backup, Settings Backup); Restore Programs; HD Mirroring & 2nd Server]
2.3.1) Server Data Loss Policy:
- Server's Backup Location:
> Anti-Human Factor:
a) No third party is allowed to access data backups; set an access policy.
b) Encryption.
c) No access from outside or from the internet; for exceptions, a special key certificate should be required.
d) Surveillance cameras for the backup archive office.
e) RFID (Radio Frequency ID) badges for the staff allowed to access data backups.
- Server's Backup Location:
> Anti-Natural Disasters:
a) Locate backups in a safe place, protected from flood, earthquake and lightning.
- Server's Database Backup Policy:
You have to set a timetable for making regular database backups, because the database is the most important part of an IT business.
- Server's Data Backup Policy:
> Official Regular Backup:
a) Set a timetable for making regular data backups (non-database).
b) Adopt an official codification system for marking backups.
c) Encrypt data backups, and keep a list of backup codes and their key codes.
d) Appoint an encryption key manager for any future decryption.
> Settings Backup:
a) Set a timetable for making regular settings backups.
b) Adopt an official codification system for marking settings backups.
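The codification, encryption and key-manager points above can be implemented with a short shell script. The following is an added example written for this page, not the seminar's own procedure. It assumes a backup code of the form SITE-KIND-YYYYMMDD-SEQ (SITE and KIND containing no hyphens), a passphrase kept in a key file stored apart from the backup media, and a manifest that lists each backup code with its key name and SHA-256 checksum but never the key itself. The tool choices (tar, gzip, openssl enc with PBKDF2, sha256sum) are also assumptions.

```shell
#!/bin/sh
# Added example: codified, encrypted server backups with a key-name manifest.
# Assumptions (not from the seminar): backup code = SITE-KIND-YYYYMMDD-SEQ,
# passphrase in a key file stored separately, manifest lines of the form
#   TEH-DB-20070501-0001 key:db-2007q2 sha256:<hex>
set -u

# next_backup_code SITE KIND YYYYMMDD MANIFEST
# Prints the next unused code for that site/kind/day, based on the manifest.
next_backup_code() {
    prefix="$1-$2-$3"; manifest=$4
    last=0
    if [ -f "$manifest" ]; then
        last=$(grep "^$prefix-" "$manifest" | cut -d' ' -f1 \
               | awk -F- '{ print $4 + 0 }' | sort -n | tail -n 1)
    fi
    printf '%s-%04d\n' "$prefix" $(( ${last:-0} + 1 ))
}

# make_backup SITE KIND SRC_DIR KEY_NAME KEY_FILE OUT_DIR MANIFEST
# Archives SRC_DIR, encrypts it with the passphrase in KEY_FILE, records the
# code, key NAME and checksum in MANIFEST, and prints the backup code.
make_backup() {
    site=$1; kind=$2; src=$3; keyname=$4; keyfile=$5; outdir=$6; manifest=$7
    code=$(next_backup_code "$site" "$kind" "$(date -u +%Y%m%d)" "$manifest")
    out="$outdir/$code.tar.gz.enc"
    mkdir -p "$outdir" || return 1
    # Stream: archive -> compress -> encrypt. The passphrase never appears on
    # the command line or in the manifest; only the key file holds it.
    tar -C "$src" -cf - . | gzip -c \
        | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$keyfile" -out "$out" || return 1
    sum=$(sha256sum "$out" | cut -d' ' -f1)
    printf '%s key:%s sha256:%s\n' "$code" "$keyname" "$sum" >> "$manifest"
    chmod 0600 "$out"
    printf '%s\n' "$code"
}

# verify_backup CODE OUT_DIR MANIFEST -> 0 if the archive matches its manifest checksum
verify_backup() {
    code=$1; outdir=$2; manifest=$3
    want=$(grep "^$code " "$manifest" | sed 's/.*sha256://')
    have=$(sha256sum "$outdir/$code.tar.gz.enc" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# key_name_for CODE MANIFEST -> prints the key name the key manager must supply for a restore
key_name_for() {
    grep "^$1 " "$2" | sed 's/.* key:\([^ ]*\).*/\1/'
}

# restore_backup CODE KEY_FILE OUT_DIR DEST_DIR
restore_backup() {
    code=$1; keyfile=$2; outdir=$3; dest=$4
    mkdir -p "$dest" || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$keyfile" -in "$outdir/$code.tar.gz.enc" \
        | gzip -dc | tar -C "$dest" -xf -
}

# Usage (constructed paths):
#   printf 'passphrase-from-key-manager\n' > /etc/backup-keys/db-2007q2.key   # kept off the backup media
#   make_backup TEH DB /var/lib/mysql-dump db-2007q2 /etc/backup-keys/db-2007q2.key /backup/db /backup/MANIFEST
```

Because the manifest carries only the key name, the key manager of point d) can look up which key a given backup code needs without the manifest becoming a second copy of the secret; keep the manifest and the key files on different media from the archives themselves.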
- Restore Programs:
Although restore programs are great, they cannot help you at the moment of a hard-disk crash; they are only useful for non-crash data loss. Choose the best one by evaluation.
- HD Mirroring & 2nd Alternative Server:
In risk management we should predict every kind of future risk and think of alternatives for problems that are out of our control. As a result, HD mirroring is a good alternative for hard-disk crashes, and a second alternative server (beside domain forwarding and global use) is another alternative to protect your business from downtime.
[Diagram: Client Data Loss: Regular Backup (Backup Time-table, Restore Programs); Backup Location]
2.3.2) Client Data Loss Policy:
- Client's Regular Backup:
> Backup time-table:
a) Set a time-table for regular backup of client data and special settings.
> Restore Programs:
a) For non-HD-crash situations, restore programs should be considered.
- Client's Data Backup Location:
Although a backup of client data is not as important as the server's data backup, you still have to provide a safe place to store the client data backups.
Confidential Data Loss Security:
The other type is confidential data loss into a third party's wrong hands; statistically it falls into three categories:
1) Data loss at work: e.g. Soft-Bank was hacked via keyword and numeric-matching techniques, lost thousands of customer records and had to pay a $14 million fine for those records.
2) Data loss on a plane/at home: e.g. Vendors Administration Co. lost 25.6 million confidential customer records via a stolen USB device and paid a $16 million fine, but now the government has imposed a $25.6 billion fine for it.
3) Data loss at the customer side: e.g. Ernst & Young Co. lost 250,000 records via a fake person at their vendor www.hotel.com, e-mailed into a third party's wrong hands.
Prevention methods against the above harms:
a) For the first example, use a file content filtering system.
b) Staff in critical positions are not allowed to make personal backups; where they must, they have to use encryption and rights management.
c) End-point analysis & finger-printing, and strong job interviews for critical jobs.
[Diagram: OS, App, Data Security: Admin (Global, Local); Users (Global, Local); Data (Global, Local)]
2.4) OS, Application and Data Security:
In every IT-based business or organization there are three main security policies that should be assigned, and all three are against human-factor cyber-crime activities regardless of who the person is, whether the activities come from your clients or from a third party outside your company.
In our division, OS, application and data security is categorized into three levels: security policy for admins, for clients, and for data (non-DB).
[Diagram: Admin: Global (Attacks; Website & Web App; Web servers hosting), Local]
2.4.1) Security Policy for administrators:
Generally there are two types of servers, which differ in the type of users, attacks, applications and the scale of their connections.
In our division these two categories are global servers and local servers. Global servers serve people via the internet and extranets; local servers serve people via local networks.
2.4.1.1) Global Servers Security Policy for admin:
Global servers are always in more danger than local servers. The risks they constantly face are cyber-attacks, ID theft and data loss.
We separate admin security policies for global servers into three levels:
- Security policy for cyber-attacks
- Security policy for websites and web applications
- Security policy for hosting web servers
[Diagram: Attacks: DoS Attacks; Social Eng. & Phishing Attacks; Pharming Attack; Viruses & Spyware; Hacking Attempts; Fraud Attempts]
2.4.1.1.1) Attacks:
Our servers face different types of cyber-attacks every day. The only preliminary actions we can take are assessment, prevention, detection, response and vigilance, which we go through in this seminar.
Attack types are:
a) DoS attacks.
b) Social Engineering & Phishing attacks.
c) Pharming attacks.
d) Virus, Worms and Spyware attacks
e) Hacking attempts
f) Fraud attempts
a) DoS attacks:
This attack disturbs web-based businesses by overwhelming the maximum allowed number of connections.
- Problems:
> Connection overflow
> Stops your business
> Harms your reputation
> Financial loss (if a financial company)
> Probable extortion purpose
- Solutions:
> DoS detection & protection hardware
> DoS detection & protection software
> Ping request limits
> Honeypots
b) Social Engineering & Phishing attacks:
This attack tricks people into acting as the phishers want. It deceives people with fake URLs and messages that appear to come from a company.
- Problems:
> Harms your reputation
> Financial loss (if a financial company)
> International economic terrorism
> Increase in money laundering
> Decrease in internet safety
- Solutions:
> Anti-phishing software, e.g. Cyveillance Intelligence Center 3.0
> Codified business communication, so a third party's phishing is recognizable
> Public alerts and warnings about any phishing attacks around
c) Pharming attacks:
This attack overwrites the DNS of a website to redirect its customers and hijack their data for phishing purposes.
- Problems:
> DNS overwrite
> DNS hijacking
> Harms your reputation
> Financial loss (if a financial company)
> Probable extortion purpose
- Solutions:
> Authentic site verification via trusted sites
> Assign a domain transfer password
> Domain transfer prohibition
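Two of the checks a defender can run on the host side against the pharming vectors above, written as an added example for this page (not from the seminar): the first flags any /etc/hosts entry that overrides a protected domain, the second flags any resolver in /etc/resolv.conf that is not on an approved list. The protected-domain file format (one "domain expected-ip" per line) and the approved resolver list are assumptions for the example.

```shell
#!/bin/sh
# Added example: two host-side pharming checks for a Linux client or server.
# 1) /etc/hosts entries that override a protected domain (local pharming)
# 2) /etc/resolv.conf pointing at a resolver that is not on the approved list
# The protected-domain list format ("<domain> <expected-ip>") and the approved
# resolver list are assumptions made for this example, not part of the seminar.

# check_hosts_hijack HOSTS_FILE PROTECTED_FILE
# Prints one HIJACK line per offending entry and returns 1 if any were found.
check_hosts_hijack() {
    awk -v protected="$2" '
        BEGIN {
            while ((getline line < protected) > 0) {
                n = split(line, f, " ")
                if (n >= 2 && f[1] !~ /^#/) want[tolower(f[1])] = f[2]
            }
            close(protected)
        }
        /^[[:space:]]*#/ || NF < 2 { next }          # comments and blank lines
        {
            ip = $1
            for (i = 2; i <= NF; i++) {              # one IP, several names per line
                if ($i ~ /^#/) break                 # trailing comment
                name = tolower($i)
                if (name in want && want[name] != ip) {
                    printf "HIJACK %s -> %s (expected %s)\n", name, ip, want[name]
                    bad++
                }
            }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# check_resolvers RESOLV_CONF "IP IP ..."
# Prints a ROGUE line for every nameserver not on the approved list; returns 1 if any.
check_resolvers() {
    awk -v approved="$2" '
        BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print "ROGUE nameserver " $2; bad++ }
        END { exit bad ? 1 : 0 }' "$1"
}

# Usage on a live system (the two paths are the Linux defaults; the list file is an assumption):
#   check_hosts_hijack /etc/hosts /etc/security/protected-domains.txt
#   check_resolvers /etc/resolv.conf "192.0.2.53 192.0.2.54"
```

The expected IP for a domain should come from the domain owner or from a trusted resolver, and a hosts file normally has no entry at all for public sites, so any match there is worth investigating. These checks only catch pharming done on the host itself; poisoning at the resolver or registrar level needs the domain-side controls listed above.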
d) Virus, super worm and spyware attacks:
These attacks disturb your web-based business, your local networks, and the work of programs and services.
- Problems:
> Data loss
> Unexpected problems
> Info theft
> Financial loss
> Grey nets
- Solutions:
> Anti-virus, anti-spyware
> Transaction monitoring system
> Patch updates, execute-permission limits
> Public alerts
e) Hacking attempts:
These attacks intrude into servers and PCs for illegal purposes, to hijack critical information such as customer data, business plans, etc.
- Problems:
> Intrusion
> Info hijacking
> Zombie PC
> Cyber-criminal use
> Form injection
> Brute force
- Solutions:
> Threat detection hardware/software
> Firewall hardware/software
> Anti-brute force
> Login fail limit
> S' permit limit
> Patch advisory
> No default password/setting
> No simple password
> Password tokens
> SSL certificate
> No SSH gcc
> IDS
> SQL/DB guard
> Security scanners (software/hardware)
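The DoS and hacking-attempt slides above both come down to the same detection step: count events per source and alert above a limit. The following shell functions are an added example for this page, not the seminar's own tooling: one reads `ss -tn` style output and reports peers with too many half-open or established connections, the other reads sshd log lines and reports sources exceeding the login fail limit. The sample connection table and log lines are constructed for the example, and the thresholds are arbitrary.

```shell
#!/bin/sh
# Added example: threshold-based source detection for two of the attack
# classes above, a connection flood (DoS) and a password brute force (hacking
# attempt). Input lines are constructed for this example in the sample_*
# functions and are not from the seminar; thresholds are arbitrary assumptions.

# sources_over_limit LIMIT   (stdin: one source IP per line)
# Prints "<count> <ip>" for every source seen more than LIMIT times, busiest first.
sources_over_limit() {
    sort | uniq -c | awk -v limit="$1" '$1 > limit { print $1, $2 }' | sort -rn
}

# flooding_peers LIMIT   (stdin: output of `ss -tn` or similar)
# Counts half-open (SYN-RECV) and established peers per remote IPv4 address.
flooding_peers() {
    awk 'NR > 1 && ($1 == "ESTAB" || $1 == "SYN-RECV") { peer = $5; sub(/:[0-9]+$/, "", peer); print peer }' \
        | sources_over_limit "$1"
}

# bruteforce_sources LIMIT   (stdin: sshd lines from /var/log/secure or auth.log)
# Counts "Failed password" events per source IP; this is the "login fail limit" signal.
bruteforce_sources() {
    awk '/sshd\[[0-9]+\]: Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break } }' \
        | sources_over_limit "$1"
}

# Constructed sample input, not real data.
sample_ss() {
    cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      192.0.2.10:80       198.51.100.4:40001
SYN-RECV   0      0      192.0.2.10:80       203.0.113.7:51001
SYN-RECV   0      0      192.0.2.10:80       203.0.113.7:51002
SYN-RECV   0      0      192.0.2.10:80       203.0.113.7:51003
ESTAB      0      0      192.0.2.10:80       203.0.113.7:51004
ESTAB      0      0      192.0.2.10:443      203.0.113.7:51005
TIME-WAIT  0      0      192.0.2.10:80       203.0.113.8:52000
EOF
}

sample_authlog() {
    cat <<'EOF'
May  1 10:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.9 port 4411 ssh2
May  1 10:00:02 web1 sshd[2202]: Failed password for root from 203.0.113.9 port 4412 ssh2
May  1 10:00:03 web1 sshd[2203]: Failed password for admin from 203.0.113.9 port 4413 ssh2
May  1 10:00:04 web1 sshd[2204]: Failed password for invalid user test from 203.0.113.9 port 4414 ssh2
May  1 10:00:05 web1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.9 port 4415 ssh2
May  1 10:00:06 web1 sshd[2206]: Failed password for root from 203.0.113.9 port 4416 ssh2
May  1 10:00:07 web1 sshd[2207]: Failed password for alice from 198.51.100.20 port 5001 ssh2
May  1 10:00:09 web1 sshd[2208]: Accepted password for alice from 198.51.100.20 port 5002 ssh2
EOF
}

# Usage on a live server:
#   ss -tn | flooding_peers 50
#   bruteforce_sources 5 < /var/log/secure
```

The output feeds whatever blocking or alerting the site uses (a firewall rule, a ticket to the admin). Tune the threshold from a baseline of normal traffic so a busy NAT gateway or a user who mistypes a password a few times is not treated as an attacker.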
f) Fraud attempts:
These attacks cheat admins and clients to earn illegal money via the internet, and hijack information for illegal purposes.
- Problems:
> Decrease in safety
> Loss of trust
> Financial issues
> Charge-backs
> Business stop
- Solutions:
> Fraud detection & protection software
> Public alerts
> Social engineering prevention methods
[Diagram: Website & Web App.: Process Limit Alerts; Service Usage Limits; Web Application Security Control]
2.4.1.1.2) Website & Web application Security Policy for administrators:
a) Process Limit Alert:
This setting controls a client's web application when it exceeds its maximum process count, warns the client and sends an alert to the admin.
b) Service Usage Limit:
This setting controls clients' web applications and shell scripts and limits their ability to use specific server services.
c) Web Application Security Control:
This policy checks web applications before they run on the server, because some web applications have bugs that allow a remote shell from outside, which can put our machines at risk.
[Diagram: Hosting Web Servers: FTP Security Settings; Service Security Settings; Web Application Security Control]
2.4.1.1.3) Hosting Servers Security Policy for administrators:
a) FTP Security Setting:
This setting limits FTP executions so the service cannot be used for hacking purposes.
b) Server Security Settings:
These settings limit web applications written in PHP, CGI, ASP, DO, CFM, etc., to prevent the server from being hacked by its own clients via web shell applications.
c) Privilege Settings:
Privilege settings limit unauthorized access by non-allowed groups and users (see 2.4.1.1.3.3).
d) Spam detection & protection policy:
This common policy is to stop tricky clients who intend to use the server as a zombie PC for spamming.
2.4.1.1.3.3) Hosting Server Privilege Security Policy for administrators:
a) Websites Privilege Security Setting:
a.1) Application Updates & Process limit control:
Application updates matter for hosting companies that use one shared web application for all clients: if the application has a bug, then because it is shared between clients the update must take effect on time.
Process limit control prevents web applications from exceeding their allowed process limit.
a.2) Apache & PHP Privilege:
Apache & PHP must not run with root privilege and must be fully controlled, because many of today's hacks and intrusions are caused by this factor.
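Point a.2) can be verified with an audit rather than taken on trust. The following shell functions are an added example for this page, not the seminar's own: the first reads a `ps -eo user,pid,ppid,comm` listing and reports any Apache or PHP process that is a child of another web process yet runs as root (the master process may be root so it can bind port 80; the workers must not be), the second reads httpd.conf and reports a User or Group directive set to root. The process table and configuration in the usage comments are constructed; the process-name pattern is an assumption.

```shell
#!/bin/sh
# Added example: audit that Apache/PHP worker processes are not running as root
# and that the Apache config does not set User/Group to root. Sample process
# tables and configs are constructed; the process-name pattern is an assumption
# that covers httpd, apache2, php-fpm and php-cgi.

# web_workers_as_root PS_FILE   (file holding `ps -eo user,pid,ppid,comm` output)
# A parent process (Apache/php-fpm master) may legitimately be root so it can bind
# port 80; a CHILD of a web process must not be. Prints offenders, returns 1 if any.
web_workers_as_root() {
    found=$(awk -v web='^(httpd|apache2|php-fpm|php-cgi)' '
        NR == 1 { next }                                 # column header
        { user[$2] = $1; parent[$2] = $3; comm[$2] = $4 }
        END {
            for (p in comm) {
                if (comm[p] !~ web) continue
                parent_is_web = (parent[p] in comm) && (comm[parent[p]] ~ web)
                if (user[p] == "root" && parent_is_web)
                    printf "ROOT-WORKER pid=%s comm=%s ppid=%s\n", p, comm[p], parent[p]
            }
        }' "$1" | sort)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# apache_runs_as_root CONF_FILE
# Returns 1 (and prints why) if the httpd.conf User or Group directive is root,
# or if no User directive is present at all (the effective user then needs checking).
apache_runs_as_root() {
    awk '
        $1 == "User"  { seen_user = 1; if ($2 == "root") { print "User root in config"; bad = 1 } }
        $1 == "Group" { if ($2 == "root") { print "Group root in config"; bad = 1 } }
        END { if (!seen_user) { print "no User directive"; bad = 1 }; exit bad ? 1 : 0 }' "$1"
}

# Usage on a live server:
#   ps -eo user,pid,ppid,comm > /tmp/ps.txt && web_workers_as_root /tmp/ps.txt
#   apache_runs_as_root /etc/httpd/conf/httpd.conf
```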
a.3) No SSH, No Telnet = No Backdoor:
Nowadays one of the most important intrusion factors is SSH service clients who, by mistake, get hacked and so open the server's doors to intruders.
b) SSH & VPN Security Setting:
b.1) Source compile command limits:
Users who use SSH should be limited in compiling source code, because if they compile, the compiler runs with root privilege, and they have enough privilege to execute, then your server can be at big risk.
b.2) SSH group limits:
You have to be careful about your SSH clients: before allowing them to use this service, do enough evaluation and adopt policies on how to limit an SSH user, to prevent intrusion into unauthorized sections of your server.
b.3) Service limits privacy:
You have to know the relation between a client and the services they use or ask for, and limit their service usage according to your business privacy and policy.
[Diagram: Client: Global (Agreement & Policy; Forced Settings), Local]
2.4.2) Security Policy for Clients:
Security policy for clients is divided into two categories: the first introduces our policy and asks for the client's agreement; the second is the forced settings we apply to limit clients and prevent illegal activities via the services we offer.
However, you should know that although your users accept your policy at first, there can be some tricky people among your clients waiting for a chance to access unauthorized services and data for illegal use.
[Diagram: Agreement & Policy: Cyber-Crime Privacy; Confidential & pwd rules; Messaging System Policy]
2.4.2.1.1) Agreement & Policy:
a.1) Cyber-Crime Privacy:
Cyber-crime has increased nowadays, and you have to warn your users not to get involved in any such activity via the services you offer them. The most common cyber-criminal activities today that you should prevent your clients from getting involved in are:
> Selling drugs via websites
> Phishing sites
> Warez forums and websites
> Hacking activities
> Child porn sites
a.2) Confidential & Password Policy:
This agreement recommends some security points to your clients, as advice and warning, to protect them from future security problems they may face, such as:
> Using digits, uppercase letters, lowercase letters and symbols in their password
> Keeping passwords in a safe place
> Never responding to a suspicious message that asks for their information
> Always checking the URL when they log in
a.3) Messaging Policy:
This policy introduces your messaging system to your clients, to protect them from future phishing attempts by a third party. It is also good to have one of the following:
> Web-based support board with a message codification system
> Support forum
> Ticketing support system
2.4.2.1.2) Forced Settings:
b.1) Registration form & Account forced settings:
These settings are out of the client's control and are set by administrators to decrease security risks. As part of these policies, you may use the following options:
> JavaScript code in registration forms to prevent clients from using simple passwords.
> JavaScript code in the account registration form to avoid submission of fake information.
> Write-once for some records, e.g. account name, secret questions.
> Record of the profile's last change details.
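The password rules of a.2) and the registration-form JavaScript of b.1) describe the same check from two sides. As an added example for this page (not the seminar's own code), the following shell function applies those rules server-side: digits, uppercase, lowercase and a symbol as the seminar lists, plus a minimum length, a rule against the account name appearing in the password and a tiny common-password blocklist, all three of which are assumptions made here. The browser-side JavaScript the slide mentions only improves the user's experience; the server must repeat the check, since anything in the form can be bypassed by the client.

```shell
#!/bin/sh
# Added example: server-side password policy check mirroring the seminar's rules
# (digit, uppercase, lowercase, symbol). Minimum length, the account-name rule and
# the small blocklist are assumptions made for this example.
LC_ALL=C; export LC_ALL   # keep [A-Z] / [a-z] ranges literal regardless of locale

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_password_policy PASSWORD USERNAME
# Prints one reason per failed rule; returns 0 only when every rule passes.
check_password_policy() {
    pw=$1; user=$2; ok=0
    [ ${#pw} -ge 10 ] || { echo "too short (minimum 10 characters)"; ok=1; }
    printf '%s' "$pw" | grep -q '[0-9]'        || { echo "needs a digit"; ok=1; }
    printf '%s' "$pw" | grep -q '[A-Z]'        || { echo "needs an uppercase letter"; ok=1; }
    printf '%s' "$pw" | grep -q '[a-z]'        || { echo "needs a lowercase letter"; ok=1; }
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || { echo "needs a symbol"; ok=1; }
    # The account name must not appear inside the password (case-insensitive).
    case "$(lower "$pw")" in
        *"$(lower "$user")"*) echo "contains the account name"; ok=1 ;;
    esac
    # Strip digits and symbols before the blocklist check so "Password123!" is caught.
    core=$(lower "$pw" | tr -cd 'a-z')
    for common in password qwerty letmein welcome admin; do
        [ "$core" = "$common" ] && { echo "based on a common password"; ok=1; }
    done
    return $ok
}

# Usage: check_password_policy 'candidate' 'username'; echo "status $?"
```

The same function can run from the registration CGI on the hosting server; the JavaScript in the form then just gives the user the same list of reasons before the submit, so the two never disagree.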
b.2) Threat & Account activity monitor:
Even with security policies in place, client monitoring and vigilance are two factors you should care about.
[Diagram: Data: Global (Critical Data; Web App. Source code), Local]
2.4.3) Data Security Policy:
In every IT-based business, protection of source code, business plans and customer records is the item that most needs the attention of security policy advisors.
In our division, by importance of data and scale of accessibility, we have divided data into two groups, global and local, according to the server and network type.
However, we only go through the global type in this section.
2.4.3.1) Global Servers Data Security Policy:
a.1) Critical Data Security Policy:
a.1.1) Anti-ID theft:
As ID theft is the most important cyber-crime today, we have to use some type of file content filtering system to stop critical data going into the wrong hands. Anti-ID theft tools:
> Cyveillance Intelligence Center 3.0
a.1.1.1) Database Security:
To protect your customers' data from unauthorized changes and leaks, you have to apply some settings or tools. In our experience the following tools and methods are useful:
> Separate read and write connection passwords for the database
> Database write limits by third-party IP or process ID
> Database guard software & hardware
> An information filtering system instead of a content filtering system
a.1.1.2) Data Encryption:
Data encryption is a good solution for protecting your data even if it gets into the wrong hands, but you should know how to use this technology in the right way. To use it you should follow these rules:
> Encrypt data with private keys, listing the key names in the data profile
> Appoint an encryption key manager for any future decryption
> Store the encrypted data and their keys in safe places, separately.
b.1) Web application source code:
Since specialized web applications are nowadays very expensive, and some are very specific, business owners are serious about protecting the source code from reaching an unauthorized party. The solutions we offer are the following:
> Source code encryption
> Local license key for the application, or an IP-locked license key
> Application security assessment to detect bugs
2.5) Security Logs, End Point Finger-Printing & Analysis:
Although you monitor threats and take preliminary action to protect your machines, sometimes the bad guys are ahead, and that is out of your control. In those situations the only remaining help is finger-printing methods to trace the bad guys back through their IPs, by contacting the proxy servers, etc. For these kinds of situations you have to set up the following services and features for log storage:
> Apache log storage in a non-default path on your server.
> Automatic Apache log archiving, beside its regular mailing.
> Database access log storage in a non-default path on your server.
> Automatic DB access log archiving, beside its regular mailing.
For your information, the default log paths in the Unix/Linux family are mentioned on the next page.
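The log storage points above can be met with a small archiving routine. The following shell functions are an added example for this page, not the seminar's own: archive_log copies a live log into a non-default directory under a timestamped name, compresses it, records its SHA-256 checksum in a manifest and then truncates the live file, and verify_archives checks that manifest later. The directory layout and names are assumptions; the log line in the usage comment is constructed.

```shell
#!/bin/sh
# Added example: copy-and-truncate archiving of a web or database log into a
# non-default directory, with a SHA-256 manifest so later tampering with the
# archive is detectable. Directory layout and naming are assumptions for this
# example; the log line in the usage comment is constructed.

# archive_log LOG_FILE ARCHIVE_DIR
# Copies LOG_FILE into ARCHIVE_DIR under a timestamped name, compresses it,
# records its checksum in ARCHIVE_DIR/SHA256SUMS, truncates the live log, and
# prints the archive path.
archive_log() {
    log=$1; dir=$2
    [ -f "$log" ] || return 1
    mkdir -p "$dir" || return 1
    name="$(basename "$log").$(date -u +%Y%m%dT%H%M%SZ)"
    n=0
    while [ -e "$dir/$name.gz" ]; do          # several runs in one second must not collide
        n=$((n + 1)); name="$(basename "$log").$(date -u +%Y%m%dT%H%M%SZ).$n"
    done
    # Copy then truncate: the daemon keeps writing to the same open descriptor.
    cp -p "$log" "$dir/$name" || return 1
    : > "$log"
    gzip -9 "$dir/$name" || return 1
    chmod 0640 "$dir/$name.gz"
    ( cd "$dir" && sha256sum "$name.gz" >> SHA256SUMS )
    printf '%s\n' "$dir/$name.gz"
}

# verify_archives ARCHIVE_DIR -> 0 if every archived file still matches its recorded checksum
verify_archives() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# Usage (daily from cron; paths are constructed):
#   archive_log /var/log/httpd/access_log /srv/logarchive/httpd
```

Copy-and-truncate loses any entries written between the copy and the truncation, so for Apache it is cleaner to move the file and run `apachectl graceful` so the daemon reopens its logs. The manifest is what lets you show, after an incident, that the archived evidence has not been altered since it was stored.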