Information Security Risk Management - Case Study Example

?Answer A & B Accordingly, information or data is vital for organizations. They need to protect their data from competitors, hackers, cyber criminalsand many more. This paper will highlight information security risk management and implementation of the proposal for an ISO 27001 compliant information security management system (ISMS) for a chain of Peter’s bakeries, in order to implement a standard to ensure confidentiality, availability, and integrity of data. 1 What is ISMS? The ISMS consists of Policies, Processes, Guidelines, Standards, and tools. Likewise, in order to make this system a successful part of information security management system, it contains five key elements. The first component is CONTROL. The control establishes a framework and distributes responsibilities in order to develop an environment for implementing the ISMS. The next key element is PLAN. The Plan defines the service level agreements as per business requirements, foundation of contracts, operational level agreements, and policy statements. All these components included in the planning are based on the requirements of the business. After the completion of control and plan, the next key element is to IMPLEMENT all these components. Implementation involves creating knowledge and consciousness along with categorization and listing of assets. Moreover, personnel security and physical security related to theft is implemented. Likewise, implementation element also involves security related to network, applications and computing devices. In addition, configuration and management of access rights and contingency planning of security incident processes is also a part of this element. All of the three elements control, plan and implement lays a foundation of a structure. After the deployment of ISMS structure, the next key element is EVALUATE. The evaluation consists of internal and external auditing of the processes that are implemented in the previous three phases. Moreover, self-assessment is also conducted, along with security incident evaluation. For instance, if there is a breach in security, the security management processes ensure to deal with security incidents. The last key element is MAINTAIN. This phase frequently monitors processes including security management, new threats, vulnerabilities and risks. These elements, do not only monitors these processes, but also improve processes where required , and if there are certain processes that needs to be improved, the ISMS cycle start from the first key element i.e. CONTROL. 1.1 ISMS Scoping A good definition of ISMS is available on www.praxiom.com, defined as “An information security management system (ISMS) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks. An ISMS is part of a larger management system”. The goal is to protect the information of the organization itself as well as its customers. The ISO/IEC has established two standards that emphasize of ISMS. The ISO/IEC 17799 is a code for information security management. It is the framework or a system that is based on certain processes, to ensure that organizations achieve their information security management objectives i.e. ISMS. The second standard is ISO/IEC 27001 is associated with several different factors including (, ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems -- Requirements): Implemented in the organization to originate security requirements and goals Implemented within the organization in such a manner that security risk management bears less cost Implemented within the organization for guaranteed deployment of compliance with laws and regulations Implement a process framework within the organization for deployment and management of controls in order to meet particular security objectives Defining new processes for information security management The scope for ISMS can be implemented on one or more than one department. The data is synchronized on a daily basis from each outlet of Peter’s bakery to the file server. The Sales server is the most crucial as far as both clients and organization is concerned, as it contains all the financial data related to daily sales, products sold etc. The outlets are connected to the head office via virtual private network. Coordination of each employee, whether the internal staff or the sales outlet staff, is conducted by emails relayed from the email server located at the head office. The ISMS is applicable in the head office servers for ensuring data security. The reason for implementing ISMS on the servers is that both the organization and clients are accessing information from these servers. If any threat or security breach is triggered on these servers, both clients and the customers will suffer. Figure 1.1 shows the current ISMS scope for Peter’s bakery. The scope does not protect the overall network. Moreover, the servers are vulnerable due to no protection between the workstations and the wireless connectivity. In order to protect these servers from threats and vulnerabilities, deployment of firewall is required. Figure 1.1 Practical Scope Figure 1.2 Figure 1.2 demonstrating the existence of a firewall in between the wireless network, traffic from the bakery outlets and traffic coming from the inbound network of the bakery. 2 Risk Assessment and Analysis Before conducting risk assessment, core factors are considered. The identification of information assets is vital before conducting risk assessment. Information assets are defined as the entities that hold organization data. A good definition is available on ‘www.ibm.com’ which states it as, “information assets are specific to your business functions and business strategies, they may be contained within broad categories such as contractual and legislative compliance, those needing virus prevention, those critical to business recovery following security compromises, etc.” The information assets for an organization will be technology assets, data asset, service asset and people asset. In this scenario, the owners for server hardware will be the server administration group. The owners for the applications running on the servers will be the application support group and the owners for the data, which is stored on the server, will be system development group. The risk assessment table is required to identify the assets, CIA profile, Likely hood, impact, and source along with risk summary. Figure 2.1 demonstrates the risk assessment table below. Figure 2.1 2.1 Defining Asset Value for Sales Server The asset value is the process, which includes availability, confidentiality, and integrity. 2.1.1 Availability If the sales server stops responding or suffers from a hardware or software failure, the sales outlets of Peter’s bakery will not be able to send sales data to the servers. The sales process will be halted, as the system will not process any data from these outlets. On the other hand, the customer connected to Wi-Fi will not be able to access services related to Peter’s bakery sales. As there is no backup available for the sales server, it is very critical. It will be marked as three (critical) 2.1.2 Confidentiality It is possible for any employee to gain access of the sales server, for amending sales figures related to any particular sales outlets. This is possible because no firewall rules are defined and no access mechanisms are set for each employee. Furthermore, a hacker may intrude in the sales server and extract all the sales figures of Peter’s bakery. The hacker can then sell this information to the competitors, as they will be delighted to know which product is on the top list. This is the most critical issue as data leakage is not acceptable at any level. It will be marked as three (critical) 2.1.3 Integrity An employee can amend sales figures before sending them to the sales server, resulting in a revenue loss for the bakery. A hacker may also disrupt the transmission of data, from the sales outlets to the ‘sales server’ located at the head office. This issue is under control, as the transmission between the sales outlets and the head office are encrypted due to VPN deployment. It will be marked as two (medium) Asset Value for Sales Server Sales Server Value = 3 + 3 + 3 = 9 (Critical) Sales Server Value = 3 + 3 + 2 = 8 (Critical) Threats Associated with the Sales Server Hardware Failure Power failure Fire Virus Hacking Data corruption Unauthorized access Network failure 2.2 Risk Treatment as per ISO 27001 Standards Threats ISO Complaint 27001 Controls Deployment Hardware Failure A.9.2.4 AMC Power Failure A.9.2.2 Generators, Alternate source of Electricity Fire A.9.1.4 Roof Sprinklers, Fire extinguishers Virus A.10.4. Anti spyware, antivirus, Trojan removal tools DOS attacks / Hacking A.6.2.1, A.6.2.3, A.10.6. Appropriate network controls, IDS implementation Data corruption A.10.5. Backup data servers Unauthorized access A.11.2.2, A.11.2.4, A.11.5. Deploying Active directory, defining policy for user rights Network failure A.14.1 Business Continuity Planning Figure 2.2 3 Security Policy: The security policy would enable the Peter’s Bakeries Ltd. to follow certain set of control policy, which will give a type of broad idea of how the organization should function on daily basis. Also after implementing of the rules, they need to be checked at a periodical basis in order to keep up with the latest threats and vulnerabilities. The following are the guidelines to control the security policy of the organization: 1) All data must be identified as confidential and should be managed by using access rights. 2) Any unauthorized software found on the system would be deleted with due effect. 3) Internet access should only be granted, to selected authorized personals only. 4) Access of certain ports and proxy must be granted to certain authorized people only, which would help in identifying the individual if any damage or illegal activity is monitored. 5) Passwords of profile of each employee must contain at least 8 to 15 characters with minimum of one capital character, one special character and one number. 6) Passwords will expire within duration of 3 months without repeating the previous ones. 7) This is mandatory for all workstations to have an anti-virus and firewall system. 8) The workstation will have write protection enabled and would not allow any executables to run except for the required software. 9) There must be a black list created for any IP addresses from external source to be logged and blocked if found trying to scan, penetrate or exploit the network. 10) All the installation and maintenance of the workstation must be performed by system administrator only. 11) If any problem is faced in the network or workstation or servers, a note must be taken and the risk treatment plan appropriate for that problem must be started. 12) All kinds of removable media must be disabled to increase the security and to prevent any unwanted software (viruses, spyware) to be installed on the local system jeopardizing the entire network’s security. 13) The open wireless bridge must be closely monitored in order to stop any malicious activity and prevent any risk to the organization’s network security. 14) Each and every staff needs to be acquainted with the Security Policy and should keep in mind if any inappropriate activity is triggered, would lead to severe penalties. Answer (C) Critical Reflection 4 IP Tables for Peter’s bakery “Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains” (, iptables - Linux Command - Unix Command). Two Scripts are developed, in order to ensure security and strict compliance by dealing with threats and vulnerabilities. The figure 1.1 shows the current configuration for Peter’s bakery firewall configuration. No rules are defined, for the three types of chains INPUT, FORWARD and OUTPUT. 4.1 Default Firewall Configuration for Peter’s bakery Ltd. Figure 1.1 4.2 Firewall Drop Rules (Sales Server) Figure 1.2 Figure 1.2 shows the rules for restricted access along with port number. ‘A’ syntax is representing ‘Append’, ‘INPUT’ is indicating that the data packets from these ports will not be allowed to enter the network. P is indicating protocol TCP is indicating protocol type following with destination port numbers ‘j’ is indicating jump target. If the data packet matches with the same criteria as defined in the IP tables, it will be dropped, as indicated by ‘DROP’ Port number that is restricted on the sales server may harm or help a hacker, virus, Trojan, cyber criminals, and malicious codes to breach in the server. A table below shows description against each port number. Port number Vulnerable to Description and Purpose 2283 Dumaru.Y This port is used for Lotus notes email system and is relatively unnecessary to be active. 3128 MyDoom.B Squid proxy operates in this port and is relatively unnecessary to be active. 8866 Beagle.B It is not a registered port means that a hacker can use it for hacking purpose. 17300 Kuang2 It is not a registered port means that a hacker can use it for hacking purpose. 27374 Sub seven It is not a registered port means that a hacker can use it for hacking purpose. 3389 Remote Desktop Protocol RDP is blocked by default due to security issues, if the network team needs access they can edit rules in the IP tables to make it operational. 4899 Remote Admin Remote Admin is blocked by default due to security issues, if the network team needs access they can edit rules in the IP tables to make it operational 6129 Dame Ware Threats were detected from this port in April 2005 by Dame Wares development staff. Impact was privilege elevation (, DameWare Development Security Bulletins ) 12345-12346 Netbus Hacking tool was detected using these ports, as it attempts to create a session between client and the server (, Commodon Communications - Threats to your Security on the Internet ) 12361-12362 Whack-a-mole Trojan operates on these ports, which may harm the integrity of sales data of Peter’s bakery. 20034 Net Bus 2 pro Second version of Netbus Trojan operates on this port. 21544 Girlfriend Operates on this port, tries to establish a connection between the client / server. 5000-5001- 50505 Sockets de Troie It is a Trojan, which operates on these ports. 3129-40421- 40422-40423- 40426 Masters Paradise It is a Trojan, which operates on these ports. 31337 UDP Back Orifice It is a Trojan, which operates on this port. 2140-3150 UDP Deep Throat It is a Trojan, which operates on this port. 4.3 List of defined rules in the IP Tables (Sales Server) Figure 1.3 4.4 Allowed Rules (Sales Server) Figure 1.4 Only required ports are allowed, in order to maintain strict security in terms of sales data. The ports that are allowed in this IP table are mentioned below: Port number Functionality Purpose 21 FTP Server Employees from the shops and within the organization need to access sales data. 22 SSH Server It provides secure data sharing between two nodes on the network. A data owner requires access to check the health status of the sales files via SSH. 25 SMTP Used to transfer mails for Peter’s bakeries Ltd. 53 Domain Name System It is required for centralized administration of workstations for the organization. 80 World Wide Web Provides Internet access 110 POP 3 It stores emails of each employee, when they are not available, with a limited space on the email server, so that employees can download and respond to emails later. 143 IMAP (Internet message application protocol) works in parallel with Pop3 and is used for email retrieval from the POP server. 445 Microsoft -ds Required for Miscellaneous Microsoft services 4.5 List of defined rules in the IP Tables (Sales Server) Figure 1.5 4.6 IP Table Scripts for Head Office Queue Type Queue Function Chain in Queue Chain Function Filter Packet Filtering Forward Filters packets to the accessible servers via another NIC on the firewall Input Packet filtering to the destination i.e. firewall Output Packet filtering of packets from the initiating firewall Figure 1.6 (IP Table implementation Criteria) #!/bin/sh #set of the ip's Router IP ="192.168.0.2" Wireless Router IP ="192.168.0.3" Email Server IP ="192.168.0.4" Sales Server IP="192.168.0.5" Web Server ="192.168.0.6" ‘sudo iptables -A OUTPUT -d 74.125.230.144/24 -j DROP’ The above command will drop any possible connection from this range of IP addresses 74.125.230.144/24. The social networking websites can be block in the similar way. As seen in figure 1.6, Google.com is restricted. Figure 1.6 Separate workstation was selected to create, (station_SUB 192.168.0.3), to established a connection, essentially, a terminal was used as , to create a connection, by providing password request. These commands will be executed: ‘sudo iptables -A OUTPUT -s $station_Main -p tcp --dport 22 -j LOG’ ‘sudo iptables -A OUTPUT -s $station_Main -p tcp --dport 22 -j DROP’ The fig. 1.7 illustrates SSH server connectivity. Figure 1.7 Fig 1.8 shows the connectivity from the separate machine where FTP is configured with no policies or restrictions. In order to test the FTP server, a file is downloaded from the FTP server named as testfile.txt Figure 1.8 Fig. 1.8 demonstrates that the ftp 192.168.0.3 21 has successfully downloaded a testfile.txt via ftp connection configured on the separate workstation. ‘sudo iptables -A INPUT -s $station_Main -p tcp --sport 21 -j LOG’ ‘sudo iptables -A INPUT -s $station_Sub -p tcp --sport 21 -j DROP’ Figure 1.9 Fig. 1.9 shows that the firewall rules have restrict FTP session creation and consequently drop packets. The logs will be stored on this path “/var/logs/messages”, and if a prefix be included like “sudo iptables -A INPUT -s $station_Main -p tcp --sport 21 -j LOG --log –prefix ‘SSH IDENTIFIED’ ”, will assist the administration to detect specific connections. Now there is a requirement to restrict HTTP, and allow ftp or SSH, connection. However, the act of “surfing” by the users on the workers workstation will be denied: ‘station_Main="192.168.0.2’ ‘sudo iptables -A OUTPUT -s $station_Main -p tcp --dport 80 -j DROP’ Figure 2.0 A similar use of the code: ‘station_Main="192.168.0.7’ ‘sudo iptables -A OUTPUT -s $station_Main -p tcp --dport 443 -j DROP’ Replacing the port 80 for port 443, would allow the view of http web services, and deny the https ones, that use SSL or TLS handshakes and encryption, this will prevent the misuse of this service. # ‘f’ is indicating the flush command that is used to reset the IP tables to the default configuration ‘sudo iptables –f’ Figure 2.1 #restricting google.com sudo iptables -A OUTPUT -d 216.239.61.104 /24 -j DROP # create Logs for Secure Shell (SSH) sudo iptables -A OUTPUT -s $station_Main -p tcp --dport 22 -j LOG #restricting SSH by port 22 sudo iptables -A OUTPUT -s $station_Main -p tcp --dport 22 -j DROP #create logs for File Transfer Protocol sudo iptables -A INPUT -s $station_Main -p tcp --sport 21 -j LOG #Restrict File Transfer Protocol sudo iptables -A INPUT -s $station_Main -p tcp --sport 21 -j DROP #drop connection established throw port 80(http) sudo iptables -A OUTPUT -s $station_Main -p tcp --dport 80 -j DROP #allow established sessions to receive traffic sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #drops all the input packaging not referred in the previous examples sudo iptables -A INPUT -j DROP #drops all the output packaging not referred in the previous examples sudo iptables -A OUTPUT -j DROP 4.7 IP Table Script for Bakery Outlets The bakery outlet requires specific services from the head office. The IP table must allow Hypertext Transfer protocol, File transfer protocol and Secure shell. However, the first step should be to receive traffic from the head office. A communication session needs to be allowed from the IP tables that are represented as: sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT sudo iptables -A INPUT -j DROP sudo iptables -A OUTPUT -j DROP Having all this services open, will highly compromise the security of the system, also, the chances of misuse of certain privileges will be incremented, since certain ports, like the port 80 would allow, normal users without privileges\clearance to use certain services like facebook, or even, conduct downloads of eligible or malware files into the system with FTP. Exploring now the SMTP (simple mail transfer protocol), on this new IP table before conducting any coding, SMTP server was created. After the creation of this server the implementation of the code was done: #Logging SMTP activities by ‘sudo iptables -A OUTPUT -s $outlet_store -p tcp --dport 25 -j LOG’ #stop SMTP connectivity ‘sudo iptables -A OUTPUT -s $outlet_store -p tcp --dport 25 -j DROP’ The command demonstrated above will create a log file for the admin to analyze the SMTP transfers, verifying if they were secure or responsible for any damage to data or the system itself. Like mention before, the justification for the use of: #allow established sessions to receive traffic ‘sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT’ #drops all the input packaging not referred in the previous examples ‘sudo iptables -A INPUT -j DROP’ #drops all the output packaging not referred in the previous examples ‘sudo iptables -A OUTPUT -j DROP’ Is going to be given, what basically implements is a drop of all the different protocols not mentioned before in the overall protocol that is being implemented, regarding all the code of the second IP table, there’s the fact that any expression for HTTPS is mention in it. I am regarding the fact that I am not doing ACCEPT or DROP, so it’s counted has not mentioned. After running this new IP table protocol, an attempt to connect to http and https web sites was attempt, acquiring these results: Figure 2.2 Figure 2.3 Fig. 2.2 is demonstrating the restricted access to HTTPS and Fig 2.3 is demonstrating the permission for HTTP is granted. ‘sudo iptables -A OUTPUT -s $outlet_store -p tcp --dport 80 -j ACCEPT’ ‘sudo iptables -A INPUT -s $outlet_store -p tcp --sport 80 -j ACCEPT’ The expressions INPUT and OUTPUT needs to be executed, otherwise ‘connection time out’ error will occur. For this example again a use of the $iptables –vL, was used in order to verify in detail the drop of packages regarding the attempt to establish connection with the https web service. Figure 2.4 is illustrating the records or logs of the packets that have been dropped whenever they attempt to access HTTPS. Figure 2.4 References , ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems -- Requirements . Available: http://www.iso.org/iso/catalogue_detail?csnumber=42103 [3/17/2011, 2011]. , ISO 27001 and ISO 27002 Information Security Definitions . Available: http://www.praxiom.com/iso-27001-definitions.htm [3/16/2011, 2011]. , IBM - Security policy definition - Hong Kong . Available: http://www-935.ibm.com/services/hk/index.wss/offering/its/b1329378 [3/17/2011, 2011]. , iptables - Linux Command - Unix Command . Available: http://linux.about.com/od/commands/l/blcmdl8_iptable.htm [3/17/2011, 2011]. , DameWare Development Security Bulletins . Available: http://www.dameware.com/support/security/ [3/17/2011, 2011]. , Commodon Communications - Threats to your Security on the Internet . Available: http://www.commodon.com/threat/threat-nb.htm [3/17/2011, 2011]. Appendices ‘A’ Security Policy of ISMS Appendices ‘B’ Read More