Transcript of Presentation in MS Word.doc

Page 1: Presentation in MS Word.doc

DANGERS OF BEING CONNECTED TO INTERNET

Basic Security Concepts

What do we mean when we say a network is secure or insecure? In fact we use those terms in connection with information. So: a network is secure when the information in it is confidential, has integrity, and is available. Concepts relating to the people who use that information are authentication, authorization, and nonrepudiation.

When information is read or copied by someone not authorized to do so, the result is known as loss of confidentiality.

For some types of information, confidentiality is a very important attribute. Examples include research data, medical and insurance records, new product specifications, and corporate investment strategies.

Information can be corrupted when it is available on an insecure network. When information is modified in unexpected ways, the result is known as loss of integrity. This means that unauthorized changes are made to information, whether by human error or intentional tampering. Integrity is particularly important for critical safety and financial data used for activities such as electronic funds transfers, air traffic control, and financial accounting.

Information can be erased or become inaccessible, resulting in loss of availability. This means that people who are authorized to get information cannot get what they need.

Availability is often the most important attribute in service-oriented businesses that depend on information (e.g., airline schedules and online inventory systems). Availability of the network itself is important to anyone whose business or education relies on a network connection. When a user cannot get access to the network or specific services provided on the network, they experience a denial of service.

To make information available to those who need it and who can be trusted with it, organizations use authentication and authorization. Authentication is proving that a user is who he or she claims to be. That proof may involve something the user knows (such as a password), or something about the user that proves the person's identity (such as a fingerprint). Authorization is the act of determining whether a particular user (or computer system) has the right to carry out a certain activity, such as reading a file or running a program. Authentication and authorization go hand in hand: users must be authenticated before carrying out the activity they are authorized to perform. Security is strong when the means of authentication cannot later be refuted, so that the user cannot deny having performed the activity. This is known as nonrepudiation.

Why Care About Security?

It is remarkably easy to gain unauthorized access to information in an insecure network environment, and it is hard to catch the intruders. Even if users have nothing stored on their computer that they consider important, that computer can be a "weak link", allowing unauthorized access to the organization's systems and information.


Seemingly innocuous information can expose a computer system to compromise. Information that intruders find useful includes which hardware and software are being used, system configuration, type of network connections, phone numbers, and access and authentication procedures. Security-related information can enable unauthorized individuals to get access to important files and programs, thus compromising the security of the system. Examples of important information are passwords, access control files and keys, personnel information, and encryption algorithms.

The consequences of a break-in cover a broad range of possibilities: a minor loss of time in recovering from the problem, a decrease in productivity, a significant loss of money or staff-hours, a devastating loss of credibility or market opportunity, a business no longer able to compete, legal liability, and the loss of life.

What makes attacks possible?

Faulty software

Security holes caused by faulty software are the underlying factor in almost all hacking: software systems contain bugs that can be exploited. Why? It would seem that accumulated experience and advances in knowledge should enable us to build systems without security flaws. So far this has not been the case, and the number of such problems is not declining. The likely reason is that software systems become more complex and sophisticated with every release, and their error rate grows with them. For example, Windows 2000 is rumoured to have over forty million lines of code in the kernel alone. If the programmers at Microsoft made only one error in every 1000 lines they wrote (a very generous estimate), the Windows 2000 kernel would contain 40,000 errors when finished. Most of them are never found, some are caught by testing, and many are not significant from a security standpoint, but at least some of them will be the source of future attacks.

Software producers normally patch security holes when they are found. Unfortunately, many users remain unaware of this and never apply the patches, so hackers can still penetrate their systems through a hole that has already been fixed.

Another problem that comes with software complexity is the many configuration options that give programs their different functionalities. Without these the software would not be of much use, but people have no time to learn how all their complicated programs are configured by default and how to customise them for their particular situation. It is easier for a hacker to guess how your system is configured if you haven't touched anything!

Host Detection Techniques

Host detection is done either by actively sending packets to a system and observing its replies, or by passively monitoring the packets the system sends; in both cases the remote system is made to leak information about itself.

Requesting Packets

This technique can determine whether an arbitrary remote machine is on line and which of its ports are active. It works because computers talk to each other through protocols, in a way that is predictable to anyone who understands the mechanisms of those protocols.

With this technique the operating system running on the machine under scrutiny can often be identified, because implementations differ in details such as the greeting banners their services send, the initial TTL, the TCP window size and how they answer unusual packets. As many security holes depend on the OS version, it is useful for hackers to identify the operating system running on the computer they want to attack.
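As an added example (not part of the original presentation), the following Python script performs the active probing just described against a throwaway service it starts itself on 127.0.0.1, so it runs without touching any real network. It classifies each port the way a scanner does: a completed handshake means "open", a refusal (RST) means "closed", and silence within the timeout means "filtered", which is what a firewall produces when it silently drops the first packet. It then reads whatever greeting the service volunteers; real daemons announce their name and version in such banners, which is one of the simplest ways a hacker identifies the software and therefore the operating system. The banner text and the host and port choices are constructed for the example.

```python
import socket
import threading

# Constructed banner for the local test service (assumption: a real scan
# would read whatever the remote daemon sends, e.g. an SSH or SMTP greeting).
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


def start_banner_listener(banner: bytes = FAKE_BANNER):
    """Start a throwaway TCP service on 127.0.0.1 that greets every client
    with `banner`, so the scanner has something to find without touching
    any real network. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port() -> int:
    """Bind a socket to learn a currently free port, then release it, so the
    scan has a port that the host will answer with a refusal (RST)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe_port(host: str, port: int, timeout: float = 0.5):
    """TCP connect probe. Returns (state, banner) where state is
    'open' (handshake completed), 'closed' (host replied with RST),
    'filtered' (no reply at all: a firewall silently dropped the SYN) or
    'unreachable' (ICMP error or no route)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return "filtered", b""
    except ConnectionRefusedError:
        s.close()
        return "closed", b""
    except OSError:
        s.close()
        return "unreachable", b""
    try:
        banner = s.recv(256)            # whatever the service volunteers
    except (socket.timeout, OSError):
        banner = b""
    finally:
        s.close()
    return "open", banner


def scan(host: str, ports) -> dict:
    """Probe each port and map port -> (state, banner)."""
    return {p: probe_port(host, p) for p in ports}


if __name__ == "__main__":
    srv, open_port = start_banner_listener()
    for port, (state, banner) in scan("127.0.0.1", [open_port, find_closed_port()]).items():
        print(f"{port:5d} {state:10s} {banner!r}")
    srv.close()
```

Against a real target the "filtered" state is the interesting one: a host that refuses is alive and reachable, while a host behind a firewall that drops the probe looks, from the scanner's point of view, as if the port were not there at all.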

Monitoring the network

Some networking technologies broadcast messages over a shared medium, which allows any computer on that segment to pick up the messages regardless of their destination. A computer is normally configured to ignore frames that are not addressed to it; however, its interface can be set to promiscuous mode so that it sees all traffic. (On a switched network each port only receives its own traffic, so an attacker has to sit on a hub or a mirror port, or redirect traffic to himself first.)

In this environment a program can be written that snatches up messages as they travel across the network and saves those of interest in a log file for later perusal. If a program like this is installed on a busy machine such as a server or a router, a lot of information can be intercepted. Hackers use this technique to obtain user names and passwords sent by cleartext protocols (telnet, FTP, POP3) as well as to identify operating systems.

How to prevent attacks?

The best solution is to avoid the Internet. Some companies (financial institutions and others where security is crucial) create their own LANs and WANs between cities, connected to the Internet at as few points as possible; however, this is quite costly.

Encryption of data (crucial)

Careful administration (some companies even create special job position – IT security officer):

· Ensure all accounts have a password and that the passwords are difficult to guess. A one-time password system is preferable. If possible use biometric equipment (e.g. fingerprint readers).
· Use secure programming techniques when writing software.
· Be vigilant in network use and configuration, making changes as vulnerabilities become known.
· Regularly check with vendors for the latest available fixes and keep systems current with upgrades and patches.
· Regularly check on-line security archives, such as those maintained by incident response teams, for security alerts and technical advice.
· Audit systems and networks, and regularly check logs. Many sites that suffer computer security incidents report that insufficient audit data is collected, so detecting and tracing an intrusion is difficult.

Usage of network tools such as firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS).


What is a Firewall and what does it do?

A firewall is a piece of hardware or software, or a combination of both, designed to protect networked computers from unauthorized hostile intrusion. A firewall sits at the junction point or gateway between two networks, usually a private network and a public network such as the Internet, and examines all traffic (packets of data) routed between the two networks, both incoming and outgoing, to determine whether it should be allowed to pass or be blocked.

Since the firewall software inspects each and every packet of data as it arrives at the computer, BEFORE it is seen by any other software running on your computer, the firewall has total power over what your computer receives from the Internet.

A port (an opening on your computer to receive and send data) is only "open" if the first arriving packet, which requests the establishment of a connection, is answered by your computer. If the firewall silently drops that packet instead, the port effectively disappears from the Internet: a scanner sees neither a connection nor a refusal, and no one and nothing can connect to it. (A port that is merely closed, without a firewall, still answers with a refusal, which at least tells the scanner that the host is alive.) This is the firewall principle: you decide whether to accept or reject data from anywhere.

Although the majority of firewalls are currently deployed between the Internet and internal networks, there are good reasons for using firewalls when connecting any trusted network with a less trusted network, be it internal or external.

A firewall can enforce security policy. A firewall can log activity effectively. A firewall can limit your exposure to the untrusted network by controlling and restricting access to and from it to the level defined in the security policy. This includes controlling what users use the Internet for.

A firewall can be a focus for security decisions - a choke point. All traffic to or from the Internet must pass through it. By focusing defences on this point an organisation can reduce internal system security overhead, since it can concentrate its security efforts on a limited number of machines.

Packet-filtering firewalls provide good protection at the lower levels of the TCP/IP model, where they decide on IP addresses, protocols and ports, but they provide almost no protection against attacks carried inside the higher-level protocols they let through.

Any data that is passed by the firewall still has the potential to cause problems. For example, a firewall offers no protection against viruses contained in files transferred via FTP or as MIME attachments to an e-mail message.

A firewall can't protect against malicious insiders. A firewall also cannot tell apart hosts on the same side of it: it sees only addresses, so any Internet host can spoof any other Internet host and any internal host can spoof any other internal host.

A firewall can't protect against connections that don't go through it (i.e. backdoors). Firewalls can restrict access to certain facilities, and users will sometimes bypass the firewall to gain access to those facilities. A good example would be a firewall that didn't allow access to the World Wide Web. Users on that network may establish point-to-point connections with an Internet service provider over a normal telephone line and so introduce Internet connectivity behind the firewall. This type of threat can only be addressed by management procedures which are embodied in the organisation's security policies.

A firewall can't protect against completely new threats if the security strategy is anything other than "deny everything unless specifically permitted." Again this is dealt with in the security policy, by basing it on exactly that default-deny strategy.

Host based security and network security.

The idea of host based security is to protect your system by securing machines on a host by host basis, removing any security problems on that particular host. This is very useful on servers, for example, but doesn't scale well to large, diverse networks. Network security takes the view of controlling network access to your network, by building firewalls and using encryption to protect sensitive data. The important thing to remember is that no security model can do it all. There will always be things that need to be taken care of by other means, such as management. Security is not an absolute: you can increase it to make it difficult to break in, but there is always a trade-off, be it in convenience or cost. In general, it means you have to weigh up the risk versus the reward of a particular model in your situation.

Types of firewalls.

There are a few different types of firewalls that you can use, each of which imposes a different type of architecture on your network. Firewalls use one or more methods to control traffic flowing in and out of the network:

Packet filtering - these work by routing packets between networks, selectively controlling the data that is allowed through. On Linux this type of firewall is implemented using ipchains or iptables, and it works by specifying rules that say what services are allowed and what is denied. Packet filtering is widely available, quite efficient to implement, and helps protect an entire network, but it reduces router performance and can sometimes be hard to configure.

Proxy services - or application level gateways work by taking requests from clients, deciding if the client has authorisation to perform the action, and then connecting to the destination server on the client's behalf. They are useful because they can perform logging of actions that you wouldn't otherwise get, and can provide user level authentication, which is impossible to do with a packet filtering firewall. Additionally, some proxies perform caching by keeping a local copy of the data, which can increase performance dramatically in some cases; the best example of this is a web proxy. However, there are some disadvantages to using proxy servers. You may require a different proxy server for each service you wish to proxy, as the server has to understand the protocol it will be proxying. Proxy servers also lag behind: when a new service is introduced there may be some time before a proxy server that can handle it becomes available, depending on how suitable the service is for proxying and how popular it is.

Stateful inspection - a newer method that doesn't examine the full contents of each packet but instead compares key parts of the packet (addresses, ports, TCP flags and sequence numbers) to a table of connections it has already seen. Connections initiated from inside the firewall are recorded in this table, and incoming packets are compared against it. If a packet is a reply belonging to a known connection, it is allowed through; otherwise it is discarded, or judged by the static rules.

Network Address Translation or NAT. NAT takes internal addresses and changes, or translates, them to an external address that can reach the service you desire. By using this form of firewalling, you can ensure control over outgoing connections, as the internal network can't reach outside without using it. Additionally, it gives good control over access to the internal network, as there are no direct inbound connections available through this type of firewall unless a mapping is explicitly created. However, not every protocol works with NAT; protocols that carry addresses inside their payload (active-mode FTP, for instance) need special handling. NAT also interferes with logging: an entire network appears to be coming from one address, which makes it hard to work out who has done what unless the translator's own mapping log is kept.
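The following Python code is an added example (not part of the presentation) of the port-translating NAT described above. Every outbound connection from a private address is rewritten to the one public address and a fresh public port; replies are mapped back by that port, and a packet arriving at a port no internal host opened has nowhere to go and is dropped. The translator also keeps its own log, because once the remote server only sees the public address that log is the only record of which internal host was responsible. All addresses are documentation ranges chosen for the example.

```python
import itertools
from dataclasses import dataclass, field


@dataclass
class NatTable:
    """Port-translating NAT (the common 'masquerading' form). Every outbound
    connection from the private network is rewritten to come from
    `public_ip` and a fresh public port; replies are mapped back by that port.
    The addresses used with it below are documentation ranges chosen for this example."""
    public_ip: str
    _ports: itertools.count = field(default_factory=lambda: itertools.count(40000))
    # (int_ip, int_port, remote_ip, remote_port) -> public port
    _out: dict = field(default_factory=dict)
    # (public_port, remote_ip, remote_port) -> (int_ip, int_port)
    _in: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def translate_outbound(self, int_ip, int_port, remote_ip, remote_port):
        """Rewrite the source of a packet leaving the private network.
        Returns the (public_ip, public_port) pair the remote side will see."""
        key = (int_ip, int_port, remote_ip, remote_port)
        if key not in self._out:
            pub_port = next(self._ports)
            self._out[key] = pub_port
            self._in[(pub_port, remote_ip, remote_port)] = (int_ip, int_port)
            # The translator's own log is the only place the internal host is
            # still visible; the remote server only ever logs public_ip.
            self.log.append(("new", int_ip, int_port, self.public_ip, pub_port,
                             remote_ip, remote_port))
        return self.public_ip, self._out[key]

    def translate_inbound(self, public_port, remote_ip, remote_port):
        """Map a packet arriving at public_ip:public_port back to the internal
        host. Returns None (drop) when no outbound connection created a
        mapping: this is why nothing outside can open a connection inwards."""
        return self._in.get((public_port, remote_ip, remote_port))

    def who_used(self, public_port):
        """Answer 'which internal host was behind public port X' from the log."""
        return [(e[1], e[2]) for e in self.log if e[4] == public_port]


if __name__ == "__main__":
    nat = NatTable("203.0.113.1")
    print(nat.translate_outbound("192.168.1.5", 51000, "198.51.100.80", 443))
    print(nat.translate_outbound("192.168.1.9", 51000, "198.51.100.80", 443))
    print(nat.translate_inbound(40001, "198.51.100.80", 443))   # reply to the second host
    print(nat.translate_inbound(40002, "198.51.100.80", 443))   # unsolicited: None
    print(nat.who_used(40001))
```

Note that the two internal hosts both use local port 51000 and are still kept apart, because the mapping key includes the remote endpoint as well; a real translator also expires entries that have seen no traffic for a while.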

Software vs. Hardware.

A software firewall can be installed on the computer in your home that has an Internet connection. This computer is considered a gateway because it provides the only point of access between your home network and the Internet.

With a hardware firewall, the firewall unit itself is normally the gateway. Usually it has a built-in Ethernet card and hub. Computers in your home network connect to the router, which in turn is connected to either a cable or DSL modem. Hardware firewalls are quite secure and not very expensive.

What attacks us...

There are many creative ways that unscrupulous people use to access or abuse unprotected computers:

Remote login - when someone is able to connect to your computer and control it in some form. This can range from being able to view or access your files to actually running programs on your computer.

Application backdoors - some programs have special features that allow for remote access. Others contain bugs that provide a backdoor or hidden access that gives some level of control of the program.

SMTP session hijacking - SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is done quite often by relaying the e-mail through the SMTP server of an unsuspecting host (an "open relay"), making the actual sender of the spam difficult to trace.

Operating system bugs - like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of.

Denial of service - you have probably heard this phrase used in news reports on the attacks on major Web sites. This type of attack is hard to counter. In its classic form (a SYN flood) the hacker sends the server requests to connect, usually with forged source addresses. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request, and keeps the half-open connection waiting. By inundating a server with these unanswerable session requests, a hacker causes the server to slow to a crawl or eventually crash.

E-mail bombs - an e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.

Macros - to simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer.

Viruses - probably the most well-known threat is computer viruses. A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data.

Spam - typically harmless but always annoying.

Redirect bombs - hackers can use ICMP redirect messages to change the path information takes, by telling a host to send its traffic to a different router. This is one of the ways that a denial of service (or an interception) attack is set up.

Source routing - in most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source of a packet can also specify the route it should travel, using the IP loose or strict source-route options. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network, and to get the replies back along the same path. Most firewall products drop source-routed packets by default.

Some of the items in the list above are hard, if not impossible, to filter using a firewall. While some firewalls offer virus protection, it is worth the investment to install anti-virus software on each computer.
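The attack described under "Denial of service" above is a SYN flood, and the classic counter to it is SYN cookies. The following Python code is an added example of that technique and is not part of the presentation: instead of remembering each half-open connection, the server encodes a time counter and the client's maximum segment size into its own initial sequence number, keyed with a secret, and checks the final ACK of the handshake against it. Forged requests then cost the server no memory at all, because nothing is stored until a client proves it can complete the handshake. The counter width, the MSS table and the secret are choices made for this example; real TCP stacks use the same idea with their own constants.

```python
import hashlib
import hmac
import struct

# Maximum segment sizes the cookie can remember, indexed by 2 bits. The values
# are chosen for this example (real stacks use their own small table).
MSS_TABLE = (536, 1220, 1440, 1460)
COUNTER_PERIOD = 64      # seconds; a cookie stays valid for one period after its own
COUNTER_BITS = 8


def _mac(secret, saddr, daddr, sport, dport, counter):
    """Keyed hash over the connection 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, counter)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now):
    """Server initial sequence number for a SYN that is NOT stored in a queue.
    Layout of (cookie - client_isn) mod 2^32: top 8 bits = time counter,
    low 24 bits = MAC + encoded MSS. Nothing has to be remembered per SYN."""
    counter = (now // COUNTER_PERIOD) & ((1 << COUNTER_BITS) - 1)
    mss_idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    low = (_mac(secret, saddr, daddr, sport, dport, counter) + mss_idx) & 0xFFFFFF
    return (client_isn + (counter << 24) + low) & 0xFFFFFFFF


def validate_cookie(secret, saddr, daddr, sport, dport, client_isn, ack, now):
    """Called when the final ACK of the handshake arrives. Recovers the
    counter and MSS from ack-1; returns the MSS if the cookie is genuine and
    recent, otherwise None (the ACK is unsolicited or forged and is dropped)."""
    diff = ((ack - 1) - client_isn) & 0xFFFFFFFF
    counter = diff >> 24
    low = diff & 0xFFFFFF
    current = (now // COUNTER_PERIOD) & ((1 << COUNTER_BITS) - 1)
    age = (current - counter) & ((1 << COUNTER_BITS) - 1)
    if age > 1:
        return None                         # too old (or a counter we never issued)
    mss_idx = (low - _mac(secret, saddr, daddr, sport, dport, counter)) & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None                         # MAC mismatch: forged or wrong 4-tuple
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    secret = b"example-secret-rotate-me"     # assumption: a per-boot random key
    client, server = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80])
    isn = make_cookie(secret, client, server, 40000, 80, 12345, 1460, now=1_000_000)
    print(hex(isn))
    print(validate_cookie(secret, client, server, 40000, 80, 12345, isn + 1, now=1_000_030))
    print(validate_cookie(secret, client, server, 40000, 80, 12345, isn + 1, now=1_000_600))
```

The price of the scheme is visible in the code: only a few MSS values survive the round trip and the other TCP options are lost, which is why real stacks switch cookies on only when the SYN queue overflows.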
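What a sniffer in promiscuous mode actually sees, and what a screening router should check before forwarding, are both shown in the following added example (not code from the presentation). It parses a constructed Ethernet/IPv4/TCP frame, pulls a user name and password out of a cleartext FTP login (the situation described under "Monitoring the network" above), and flags the IP loose and strict source-route options (option kinds 131 and 137 in RFC 791) that the "Source routing" item describes. The addresses, ports and payload are constructed for the example and the checksums are left at zero, since the frame never goes on a wire.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
# IP option kinds that carry a source route (RFC 791): loose and strict.
SOURCE_ROUTE_OPTIONS = {131: "LSRR", 137: "SSRR"}


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    ip_options: bytes
    src_port: int
    dst_port: int
    payload: bytes


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode Ethernet II -> IPv4 -> TCP; returns None for anything else."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                       # header length incl. options
    total = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total < ihl or len(ip) < total:
        return None
    ip = ip[:total]                                # drop any trailing padding
    if ip[9] != IPPROTO_TCP:
        return None
    seg = ip[ihl:]
    if len(seg) < 20:
        return None
    sport, dport = struct.unpack("!HH", seg[:4])
    data_off = (seg[12] >> 4) * 4
    return Packet(".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
                  ip[20:ihl], sport, dport, seg[data_off:])


def source_route_options(options: bytes) -> list:
    """Walk the IP option list and name every source-route option present.
    A screening router should drop the packet if this list is non-empty."""
    found, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                              # End of Option List
            break
        if kind == 1:                              # No-Operation, one byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                                  # truncated or malformed
        if kind in SOURCE_ROUTE_OPTIONS:
            found.append(SOURCE_ROUTE_OPTIONS[kind])
        i += options[i + 1]
    return found


def extract_ftp_credentials(pkt: Packet) -> dict:
    """FTP sends USER and PASS in the clear; a sniffer just reads them."""
    creds = {}
    if pkt.dst_port == 21:
        for line in pkt.payload.decode("ascii", "replace").splitlines():
            verb, _, arg = line.partition(" ")
            if verb.upper() in ("USER", "PASS"):
                creds[verb.upper()] = arg.strip()
    return creds


def build_frame(src_ip, dst_ip, sport, dport, payload, ip_options=b""):
    """Construct a frame as a capture would contain it (checksums left zero,
    since this never goes on a wire)."""
    opts = ip_options + b"\x00" * (-len(ip_options) % 4)   # pad to 32-bit words
    ihl = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 0, 0x4000,
                     64, IPPROTO_TCP, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split(".")))) + opts + tcp
    return bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETH_P_IP) + ip


# Constructed capture: an FTP login that also carries a loose source route via 10.0.0.1.
LSRR = bytes([131, 7, 4, 10, 0, 0, 1])
SAMPLE_FRAME = build_frame("192.0.2.10", "192.0.2.21", 40000, 21,
                           b"USER alice\r\nPASS s3cret\r\n", ip_options=LSRR)

if __name__ == "__main__":
    pkt = parse_frame(SAMPLE_FRAME)
    print(pkt.src_ip, "->", pkt.dst_ip, pkt.dst_port, extract_ftp_credentials(pkt))
    print("source route options:", source_route_options(pkt.ip_options))
```

The same parser run over a live capture would see the password in every telnet, FTP or POP3 login on the segment, which is the whole argument for the "encryption of data (crucial)" line above.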

Firewall Components - router.

The type of router used in a packet filtering firewall is called a screening router. It is configured with rules to block or filter protocols and addresses and is installed at the external network gateway. Internal users usually have direct access to the Internet while all or most access to site systems from the Internet is blocked. However, the router can allow selective access to systems and services, depending on the policy.

The screening router passes or rejects an IP packet based on information contained in the packet's header. The main information used is:

· IP source and destination address - by filtering packets on the IP source and destination address the screening router is able to effectively block access to or from any site or host that is not trusted.

· Protocol (TCP, UDP, ICMP) and the TCP or UDP source and destination port.

A packet filtering router suffers a number of disadvantages:

· There is little or no logging capability. It is therefore often difficult for an administrator to determine whether the router has been compromised or is under attack;

· Packet filtering rules are difficult to test thoroughly, which may leave a site open to untested vulnerabilities;

· If complex filtering rules are required, the filtering rules may become unmanageable; and

· each host directly accessible from the Internet will require its own copy of advanced authentication measures.
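The following Python code is an added example, not part of the presentation, serving the "Packet filtering", "Stateful inspection" and screening-router sections together. It evaluates first-match rules on exactly the header fields a screening router sees, then shows the hole a stateless filter has to open in order to let replies back in (a rule admitting any inbound packet to a high port) and how a connection table closes that hole. It ends with a small policy-audit helper, since the text notes that filter rules are hard to test thoroughly. The addresses are documentation ranges chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """The header fields a screening router decides on."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag: set only on the first packet of a connection


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    proto: str          # "tcp", "udp" or "any"
    src: str            # CIDR, e.g. "192.168.1.0/24"
    dst: str
    dports: tuple       # inclusive (low, high) range of destination ports

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dports[0] <= p.dport <= self.dports[1])


def stateless_filter(rules, p: Packet, default="deny") -> str:
    """First matching rule wins; anything unmatched gets the default,
    which must be 'deny' for the 'deny everything unless permitted' policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFilter:
    """Same rules, but connections that were allowed out are remembered, and
    only packets belonging to a remembered connection may come back in."""

    def __init__(self, rules, default="deny"):
        self.rules = rules
        self.default = default
        self.conns = set()      # (proto, src, sport, dst, dport) of allowed connections

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.conns or reply_of in self.conns:
            return "allow"                      # part of a tracked connection
        verdict = stateless_filter(self.rules, p, self.default)
        if verdict == "allow" and (p.proto != "tcp" or p.syn):
            self.conns.add(key)                 # a new connection opens an entry
        return verdict


def audit_policy(decide, cases):
    """Run a table of (packet, expected verdict) through a filter and return
    the ones that disagree, as (packet, expected, actual)."""
    return [(p, want, decide(p)) for p, want in cases if decide(p) != want]


INTERNAL = "192.168.1.0/24"         # private network (example choice)
ANY = "0.0.0.0/0"

# What the policy intends: internal hosts may browse the web, nothing else.
POLICY = [
    Rule("allow", "tcp", INTERNAL, ANY, (80, 80)),
    Rule("allow", "tcp", INTERNAL, ANY, (443, 443)),
]
# A stateless filter cannot tell a reply from a fresh inbound connection, so
# to let replies in it needs this extra rule, which also admits any outsider
# that targets a high port on an internal host.
STATELESS_REPLY_HOLE = Rule("allow", "tcp", ANY, INTERNAL, (1024, 65535))

request = Packet("192.168.1.5", "203.0.113.7", "tcp", 50000, 443, syn=True)
reply = Packet("203.0.113.7", "192.168.1.5", "tcp", 443, 50000)
rogue = Packet("198.51.100.9", "192.168.1.5", "tcp", 4444, 31337, syn=True)


def stateless_verdicts():
    rules = POLICY + [STATELESS_REPLY_HOLE]
    return [stateless_filter(rules, p) for p in (request, reply, rogue)]


def stateful_verdicts():
    fw = StatefulFilter(POLICY)
    return [fw.decide(p) for p in (request, reply, rogue)]


if __name__ == "__main__":
    print("stateless (request, reply, rogue):", stateless_verdicts())
    print("stateful  (request, reply, rogue):", stateful_verdicts())
    print("audit:", audit_policy(lambda p: stateless_filter(POLICY + [STATELESS_REPLY_HOLE], p),
                                 [(rogue, "deny")]))
```

The audit table is the practical answer to "rules are difficult to test thoroughly": keep the packets the policy must reject next to the rule set and run them after every change, and the hole the stateless variant opens shows up as a failure rather than as a surprise later.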

What’s a virus?

A virus is a program that reproduces its own code – usually without your permission or knowledge – by attaching itself to other executable files in such a way that the virus code is executed when the infected executable file is executed.

How do viruses behave?

There are many forms of viruses, but they all potentially have two phases to their execution, the infection phase and the attack phase.

The infection phase.

When the virus executes it has the potential to infect other programs. Different viruses do it at different moments: each time they are executed, or upon certain triggers:

o a day or time
o an external event on the infected PC
o a counter within the virus
o etc.


Infection may not be immediate.

The attack phase.

Many viruses do unpleasant things such as:

o deleting files
o changing random data on the infected disk
o simulating typos
o or merely slowing the infected PC down

Some viruses do less harmful things such as:

o playing music
o creating messages or animation on your screen.

Just as the infection phase, the attack phase also has its own trigger.

The attack phase is optional.

The number of viruses.

There are currently over 50,000 computer viruses and that number is growing rapidly. Fortunately, only a small percentage of these are circulating widely. There are more MS-DOS/Windows viruses than all other types of viruses combined (by a large margin).

Year        Known viruses
1990        200-500
1991        600-1000
late 1992   1000-2300
mid-1994    4500-7500
1996        over 10000
1998        20000
2000        50000

The uncertainty about the count exists partly because it's difficult to agree on how to count viruses. For example: does a small modification (e.g. only of the comment displayed on your screen) mean it's a new virus? How to treat mutations (i.e. different versions of a virus used when infecting different files) of viruses? Some viruses have not been detected in the wild but exist stashed only in someone's virus collection.

A new virus is detected every 18 seconds!

Virus names

Virus writers do not get to name their beasts. Thus, a virus' name is generally assigned by the first researcher to encounter it. The problem is that multiple researchers may encounter a new virus in parallel which often results in multiple names. This is not a problem for anti-virus software, as it identifies viruses by their characteristics; it is, however, confusing for the general public. The problem of naming will continue, as bringing any order to the naming requires a lot of time, as large amounts of data need to be collected. Still there are sites that try to correlate the names of viruses (see WildList – www.wildlist.org or VGrep – www.virusbtn.com/VGrep/).

Software attacks

These are programs written deliberately to vandalize someone's computer or to use that computer in an unauthorized way. Sometimes the media refers to all malicious software as viruses. This is not correct, and it's important to understand the distinction between the various types as it has some bearing on how you react to the attack. It is essential to make clear distinctions between malicious software types. Realize that often a malicious program may have characteristics of more than one of these types (e.g., a virus that attacks files but also spreads itself across a network).

In addition to viruses there are:

Logic Bombs. Just like a real bomb, a logic bomb will lie dormant until triggered by some event; then it will do something nasty to the computer. Although you can detect it after the fact, there is unfortunately no way to prevent a well written logic bomb from damaging your system.

Trojans . These are named after the Trojan horse, which delivered soldiers into the city of Troy. The Trojan program appears to be a useful program of some type, but when a certain event occurs, it does something nasty and often destructive to the system. Some researchers consider viruses a particular case of a Trojan; others say that if a virus does not do any deliberate damage it cannot be classed as a Trojan. In common use, most people use Trojan to refer to a non-replicating malicious program.

Worms. A worm is a self-reproducing program that does not infect other programs as a virus will, but instead creates copies of itself, which create even more copies. They are usually seen on networks and on multi-tasking operating systems. Each new copy creates more copies, quickly clogging the system.

What do viruses infect?

System sectors (Master Boot Record and DOS Boot Record) are often targets for system sector viruses. These boot viruses use all of the common viral techniques to infect and hide themselves. While mostly obtained from an infected disk left in the drive when the computer starts, they can also be "dropped" by some file infectors.

While more in number, file infectors are not the most commonly found. They infect in a variety of ways and can be found in a large number of file types.

Pure data files cannot propagate viruses, but with extensive macro languages in some programs the line between a "data" file and executable file can easily become blurred to the average user. Macro viruses use this vulnerability. While text E-mail messages can't contain viruses they may have attachments that do and some E-mail programs will automatically load and run these.

Companion viruses make use of a DOS quirk that runs COM files before EXE files. The virus infects EXE files by installing a same-named COM file.

Cluster viruses change the directory so that when you try to run a program you first run the virus.

Batch file viruses can use batch files to transmit binary executable code and either be or drop viruses.

Source code found on your system can be infected by source code viruses; usually by adding Trojan code to it.

Visual Basic Script files can be used for malicious purposes; particularly in the role of worms.
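The companion-virus trick mentioned above relies only on the order in which COMMAND.COM resolves a bare program name (.COM before .EXE before .BAT), so it can be checked for without understanding the virus itself. The following Python code is an added example, not part of the presentation: it reproduces that resolution order and scans a directory for executables that will never run because a same-named file of higher precedence sits beside them. The directory contents in the demonstration are constructed.

```python
import os
import tempfile

# Order in which COMMAND.COM resolves a bare program name (documented DOS
# behaviour): a .COM shadows an .EXE, which shadows a .BAT of the same name.
DOS_SEARCH_ORDER = (".com", ".exe", ".bat")


def resolve_dos_command(name, filenames):
    """Return the file COMMAND.COM would run for `name` given the directory
    listing `filenames` (case-insensitive, like DOS), or None."""
    present = {f.lower() for f in filenames}
    for ext in DOS_SEARCH_ORDER:
        if name.lower() + ext in present:
            return name.lower() + ext
    return None


def find_companions(directory):
    """List (shadowing_file, shadowed_file) pairs: an .EXE (or .BAT) that will
    never run because a same-named file with higher precedence exists. Every
    such pair is either a companion virus or an installation mistake and
    deserves a look."""
    by_stem = {}
    for f in os.listdir(directory):
        stem, ext = os.path.splitext(f.lower())
        if ext in DOS_SEARCH_ORDER:
            by_stem.setdefault(stem, set()).add(ext)
    findings = []
    for stem, exts in sorted(by_stem.items()):
        if len(exts) < 2:
            continue
        winner = next(e for e in DOS_SEARCH_ORDER if e in exts)
        for ext in DOS_SEARCH_ORDER:
            if ext in exts and ext != winner:
                findings.append((stem + winner, stem + ext))
    return findings


def demo():
    """Constructed directory: a legitimate EDIT.EXE next to a planted EDIT.COM,
    plus two programs that have no companion."""
    with tempfile.TemporaryDirectory() as d:
        for f in ("EDIT.EXE", "EDIT.COM", "FORMAT.COM", "BACKUP.EXE"):
            open(os.path.join(d, f), "wb").close()
        return find_companions(d)


if __name__ == "__main__":
    print(demo())                                    # [('edit.com', 'edit.exe')]
    print(resolve_dos_command("EDIT", ["EDIT.EXE", "EDIT.COM"]))
```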

How do viruses infect.

Polymorphic viruses change themselves with each infection. There are even virus-writing toolkits available to help make these viruses.

A virus must change things in order to infect a system. In order to avoid detection, a stealth virus will often take over system functions likely to spot it and use them to hide itself. A virus may or may not save the original of things it changes so using anti-virus software to handle viruses is always the safest option.


A fast infector infects any file accessed, not just run. A slow infector only infects files as they are being created or modified.

A sparse infector uses any one of a variety of techniques to minimize detection of its activity.

An armored virus is such a virus that attempts to make disassembly difficult.

Multipartite viruses have a dual personality. Some are file viruses that can infect system sectors; others are system sector infectors that can infect files.

A cavity (spacefiller) virus attempts to install itself inside of the file it is infecting. This is difficult but has become easier with new file formats designed to make executable files load and run faster.

Some viruses (tunneling viruses) will attempt to tunnel under anti-virus monitoring programs in order to bypass their monitoring functions.

When scanners were less sophisticated it might have been possible for a camouflage virus to sneak by as scanners sometimes did not display some alarms, knowing them to be false. Such a virus would be extremely hard to write today.

The NT File System allows alternate data streams to exist attached to files but invisible to some file-handling utilities. An NTFS ADS virus can exploit such a system.

A dropper is a program that, when run will attempt to install a regular virus onto your hard disk.

The anti-virus protection

Scanning looks for known viruses by a signature or characteristics that make new viruses similar to existing viruses. This requires that anti-virus makers and users keep products up to date.

Integrity products record information about your system for later comparison in order to detect changes. Just detecting changes is not enough, however; the detection must have some "intelligence" behind it to avoid confusion.

Interception - monitoring for system-level routines that perform destructive acts can help, but such monitoring is fairly easily bypassed. Do not depend on it alone.

Conclusion: it’s best to combine these three (as many of the AV programs do nowadays).
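The "integrity products" approach above is simple enough to show in full. The following Python code is an added example and not part of the presentation: it records a content hash for every file under a directory, seals the baseline with an HMAC so that a virus able to write the baseline file cannot also forge it (the key is assumed to be kept elsewhere, e.g. on a write-protected disk), and reports what changed on the next run. The demonstration scenario, with a byte patched inside a file without changing its size, is constructed; that case is the "intelligence" the text asks for, because a check on size or date alone would miss it.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record a content hash (not just size/date, which a cavity virus or a
    stealth virus can keep unchanged) for every file under `root`."""
    root = Path(root)
    return {
        str(p.relative_to(root)): {"sha256": hash_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def seal_baseline(baseline, key):
    """Serialise the baseline with an HMAC so that a virus which can write
    the baseline file cannot also forge it (the key must live elsewhere)."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "hmac": tag}, sort_keys=True)


def open_baseline(sealed, key):
    """Verify the seal before trusting the stored baseline."""
    doc = json.loads(sealed)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline has been tampered with")
    return doc["baseline"]


def compare(baseline, current):
    """Changes since the baseline. Size-preserving edits still show up
    because the hash differs."""
    return {
        "changed": sorted(k for k in baseline
                          if k in current and baseline[k]["sha256"] != current[k]["sha256"]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo(key=b"demo-key-kept-offline"):
    """Constructed scenario: take a baseline, then patch one byte in a file
    without changing its size, add a file, delete a file, and re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "command.exe").write_bytes(b"\x4d\x5a" + b"\x90" * 62)
        (root / "edit.exe").write_bytes(b"\x4d\x5a" + b"\x90" * 30)
        (root / "autoexec.bat").write_text("@echo off\n")
        sealed = seal_baseline(build_baseline(root), key)

        data = bytearray((root / "command.exe").read_bytes())
        data[40] ^= 0xFF                        # same size, different content
        (root / "command.exe").write_bytes(bytes(data))
        (root / "dropper.com").write_bytes(b"\xeb\xfe")
        (root / "autoexec.bat").unlink()

        return compare(open_baseline(sealed, key), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The checker itself runs on the host it is checking, so the boot-from-clean-media advice in the tips that follow applies to it as much as to a scanner: a stealth virus that hooks the file-reading routines can feed it the original bytes.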

Some tips on AV protection:

· understand how your AV program works before scanning
· make sure your system's booting sequence doesn't start with the hard disc (if it does, any boot sector virus on your computer could gain control before you run the anti-virus program)
· cold boot your PC from a write-protected disc before virus checking, particularly if you suspect you have a virus
· make sure you always have the latest version of your AV program
· before you execute or install any new software, check it first
· if the anti-virus software has a component that installs under Windows in order to scan all files before they are opened, by all means install that component
· it is best to allow the AV program to scan all files (not just those with certain extensions, as extensions are not an accurate indicator of which files can be infected and which cannot)
· show the extensions (otherwise you don't really know if the file actually is executable or not)
· don't open e-mail attachments (especially if you don't know the sender) - it's better to save them and check with an AV program first
· it's better to turn off the attachment preview function
· disable Windows Scripting Host if you don't need it
· keep up with the latest security patches
· write-protect any floppies if you put them into someone else's computer
· consider subscribing to a newsletter from your AV software provider
· and most importantly BACKUP

With the emergence of new technology strategies such as Intranets and Extranets, protection of informational assets has become paramount. The first step is an enterprise-wide Information Systems Security Policy.

Traditionally, organizations have relied on policies to communicate high-level directives from the management. These documents, once issued, provide top down influence for everyone in the company—from business units to departments to individual employees. Furthermore, these policies typically were developed at one time in the organization's evolution to capture the current environment. One of the major challenges for an organization in this area is the continued growth and adaptation of the policies to mirror the transformation within the organization. The fastest area of growth and change within an organization is Information Systems. With the rapid development and push toward new technologies, organizations find themselves striving to maintain current technical environments with outdated policies. Secondly, with the emergence of new technology strategies such as Intranets and Extranets, security and the protection of informational assets has become paramount.

The first step is an enterprise-wide Information Systems Security Policy that is consistently enforced even as business needs change. Unfortunately, most companies have only bits and pieces of security scattered throughout the organization. These may make some departments or individuals feel safe, but they do little to protect the enterprise as a whole.

To address these needs, PricewaterhouseCoopers has designed a Security Knowledge Management system: the Enterprise Security Architecture System (ESAS). The idea is to give an organization a key security infrastructure tool. Primarily ESAS is built on the PPT methodology (People, Policy & Technology). Over time PwC also mapped ESAS to the COBIT methodology from ISACA and to the guidelines given in ISO 17799.

What is PPT methodology?

PPT stands for People, Policy, & Technology. The security process is a mixture of these three elements. Each element depends in some manner on the other elements. Also, issues receive greater coverage when the elements are combined. The controls environment is greatly enhanced when these three elements work in concert. A simple drawing will suffice to illustrate this (see Figure 1). This drawing shows the basic elements and also the coverage areas.

As you move toward the union of these elements, the controls environment increases—there is greater coverage. Let's understand these three elements individually.

People

This core element is the most important. The people element comprises the people and various roles and responsibilities within the organization. These are the people that are put in place to execute and support the process. A few key roles include senior management, security administrators, system and IT administrators, end users, and auditors.

Policy

This element comprises the security vision statement, security policy and standards, and the control documentation. This is basically the written security environment—the bible that the security process will refer to for direction and guidance.

Technology

This element includes tools, methods, and mechanisms in place to support the process. These are core technologies—the operating systems, the databases, the applications, the security tools—embraced by the organization. The technology then is the enforcement, monitoring, and operational tool that will facilitate the process.

The concept is that each core element can be measured for effectiveness and coverage. Also, issues can be measured against the model to determine the controls coverage for that issue. The objective then is to move issues into the intersecting areas of the elements, with the final objective of moving the issue into the middle area of greatest coverage. As risk issues are identified, each step to manage the risk will fall into one of the core elements of people, policy, or technology. If the issue is resolved with one of the elements, addressing one of the other elements can enhance this resolution. As the core elements are added to the controls environment and used in concert, the issue is resolved on several fronts, and the controls coverage is greater.

The PPT Model

The PPT Model can be illustrated with a few simple examples. Figure 2 shows the PPT Model with regard to Internet usage and misuse. Users are educated on the proper usage of the Internet. The controls environment relies solely on the user. An Internet usage policy is written to document proper use of the Internet and the consequences of misuse. The controls environment now is supported by two of the three core elements.

Filtering software is deployed on the firewall. Now the controls environment is covered by all three elements. Figure 3 demonstrates when an issue is covered only by two of the three elements. It also shows the consequence of a limited controls environment.

The Internet connection is protected by the deployment of a firewall. Core elements coverage = 1.

The firewall administrator receives specialized training and develops the skill set necessary to administer the firewall. Core elements coverage = 2.

The firewall administrator leaves the organization. The controls now fall back to just one element: the technology.

How can the model be used to identify an alternative solution to Figure 3?

This is depicted in Figure 4.

The Internet connection is protected by the deployment of a firewall. Core elements coverage = 1.


The firewall administrator receives specialized training and develops the skill set necessary to administer the firewall. Core elements coverage = 2.

Firewall operating standards are written and controls are documented. Core elements coverage = 3.

The firewall administrator leaves the organization. The controls environment relies on two of the core elements. The controls, standards, and technology are documented so that the skill and knowledge do not completely leave the organization. Core elements coverage = 2.

From these examples, it is easy to see how the PPT model can simplify the analysis of a risk issue. If the issue is broken down into the three core elements, action items can be determined for each core element. In this manner, control coverage can be moved from one element to two, and ultimately to coverage by all of the elements.

The PPT model sounds like a very comfortable proposition, but during actual implementation CIOs tend to get lost in the framework. This is simplified by the ESAS tool.

The ESAS repository

ESAS is a Security Knowledge Management tool designed to bridge the gap between business and technology. It provides organizations with a centralized repository of security policies and technical control information. ESAS allows an organization to effectively communicate security policies and controls throughout the enterprise, and provides the key infrastructure for a successful Information Security program.

The major objectives of the ESAS are:

Ensure consistency of organizational security objectives throughout operating units

Allow business strategies and goals to drive Information Security

Allow an organization to deal with the changes in both business initiatives and technology and manage the risk associated with change

Provide a comprehensive set of security policies for the organization

Provide a method to look at information and technical systems from a Risk perspective

Provide the methods to implement security objectives effectively and efficiently at a technical level

ESAS is built on a unique security model/Framework (explained below) to provide flexibility in managing the information.

Understanding the Security Framework

PricewaterhouseCoopers' Information Security Framework provides the overall model for developing comprehensive security programs. The framework illustrates an enterprise approach to security.

Key elements, also referred to as the "Four Pillars" to Information Security, include:

Solid Senior Management Commitment

An overall Security Vision and Strategy

A comprehensive Training and Awareness Program

A solid Information Security Management Structure including key skill sets and documented responsibilities

Within the four "pillars" of the program, several phases are included.

The first is the Decision Driver Phase, which contains the factors determining the business drivers of security. These include Technology Strategy and Usage; Business Initiatives and Processes; and Threats, Vulnerabilities and Risk. All these combine to form a unique "Security Profile" of the organization. The "profile" needs to be reflected in the Security Policies and Technical Controls.

The next facet of the Information Security Framework is the design of the security environment, also called the Design Phase. This is the stage where the organization documents its security policy and control environment and deals with controls at the technology level. A key element in this process is not only the clear definition of security policy and technical control information, but also the "Security Model" of the enterprise. Information Classifications and Risk Assessment methods fall under this component. These processes allow the organization to manage risk appropriately and to identify the risks and values of information assets.

The final facet of the Information Security Framework is the Implementation Phase. This begins by documenting the Administrative and End-User guidelines and procedures. These guidelines must be succinct and flexible for the changing environment. Enforcement, Monitoring, and Recovery processes are then layered on for the operational support of the security program. These processes are "where the rubber hits the road". All the benefits of the Security Program design and documentation are diminished if it is not put into effect on an operational, day-to-day basis.
