Unit 1: Introduction: Implementing Trustworthy Computing


UNIT 1: INTRODUCTION

 Introduction https://www.youtube.com/watch?v=4vWXpzlL7Mo&t=14s

 Ethics in the Business World

 Including Ethical Considerations in Decision Making

 Ethics in Information Technology

 IT Security Incidents

 Implementing Trustworthy Computing

II-CSE-C 1
Implementing Trustworthy Computing:
The term Trustworthy Computing (TwC) has been applied to computing systems that are inherently secure, available, and reliable.

• 4 Pillars
• Risk Assessment
• Establishing a Security Policy
• Educating Employees and Contract Workers
• Prevention
– Installing a Corporate Firewall
– Intrusion Detection Systems
– Installing Antivirus Software on Personal Computers
– Implementing Safeguards Against Attacks by Malicious Insiders
– Defending Against Cyberterrorism
– Addressing the Most Critical Internet Security Threats
– Conducting Periodic IT Security Audits
• Detection
• Response
– Incident Notification
– Protection of Evidence and Activity Logs
– Incident Containment
– Eradication
– Incident Follow-Up
– Computer Forensics
4 Pillars
• More recently, Microsoft has adopted the term Trustworthy Computing as the title of a company initiative to improve public trust in its own commercial offerings.

Security:

Microsoft’s first pillar of Trustworthy Computing is security.
• Technology Investment - Investing expertise.
• Responsible Leadership - Working with law enforcement agencies, government experts, etc.
• Customer Guidance and Engagement - Educating consumers with training and information.

Privacy:
Microsoft has privacy as the second pillar for Trustworthy Computing.
• In a world of spam, hackers, and unwanted pop-ups, computer users need to feel empowered with the tools and computing products, especially when it comes to protecting their personal information.
• Contribute to standards and policies created by industry organizations and government for privacy.
Reliability:
Microsoft’s third pillar of Trustworthy Computing is reliability.
Six key attributes have been defined for a reliable system:
• Resilient:
• Recoverable:
• Controlled:
• Undisruptable:
• Predictable:
Business Integrity:
Microsoft’s fourth pillar of Trustworthy Computing is business integrity.
• Be responsive—take responsibility for problems and take action to correct them.
• Be transparent—be open in dealings with customers, keep motives clear, keep promises, and make sure customers know where they stand in dealing with the company.
Risk Assessment

The steps in a general security risk assessment process are as follows:

Step 1—Identify the set of IT assets about which the organization is most concerned. Priority is typically given to those assets that support the organization’s mission and the meeting of its primary business goals.
Step 2—Specify the loss events or the risks or threats that could occur, such as a distributed denial-of-service attack or insider fraud.
Step 3—Assess the frequency of events or the likelihood of each potential threat; some threats, such as insider fraud, are more likely to occur than others.
Step 4—Determine the impact of each threat occurring. Would the threat have a minor impact on the organization, or could it keep the organization from carrying out its mission for a lengthy period of time?
Step 5—Determine how each threat can be mitigated so that it becomes much less likely to occur or, if it does occur, has less of an impact on the organization.

For example, installing virus protection on all computers makes it much less likely for a computer to contract a virus. Due to time and resource limitations, most organizations choose to focus on those threats that have a high (relative to all other threats) frequency and a high (relative to all other threats) impact. In other words, first address those threats that are likely to occur and that would have a high negative impact on the organization.
Step 6—Assess the feasibility of implementing the mitigation options.
Step 7—Perform a cost-benefit analysis to ensure that your efforts will be cost effective. No amount of resources can guarantee a perfect security system, so organizations must balance the risk of a security breach with the cost of preventing one. The concept of reasonable assurance recognizes that managers must use their judgment to ensure that the cost of control does not exceed the system’s benefits or the risks involved.
Step 8—Make the decision on whether or not to implement a particular countermeasure. If you decide against implementing a particular countermeasure, you need to reassess if the threat is truly serious and, if so, identify a less costly countermeasure.
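
The eight steps above can be carried through on a small risk register. This is an added example, not part of the original slides: the threats, the figures, and the scoring rule (exposure = events per year × loss per event, net benefit = exposure removed minus countermeasure cost) are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str                # Step 2: the loss event
    asset: str               # Step 1: the asset it affects
    events_per_year: float   # Step 3: assessed frequency
    loss_per_event: float    # Step 4: assessed impact, in currency units
    countermeasure: str      # Step 5: proposed mitigation
    residual_events: float   # frequency expected once mitigated
    residual_loss: float     # impact per event once mitigated
    annual_cost: float       # yearly cost of the countermeasure
    feasible: bool           # Step 6: can it actually be deployed?

def assess(threats):
    """Rank threats by exposure and decide on each countermeasure (Steps 7-8)."""
    rows = []
    for t in threats:
        exposure = t.events_per_year * t.loss_per_event
        residual = t.residual_events * t.residual_loss
        # Step 7: the benefit is the exposure removed, weighed against the cost.
        net_benefit = (exposure - residual) - t.annual_cost
        if t.feasible and net_benefit > 0:
            decision = "implement"
        else:
            # Step 8: a rejected option sends the threat back for reassessment.
            decision = "reassess: look for a feasible, less costly option"
        rows.append({"threat": t.name, "exposure": exposure,
                     "net_benefit": net_benefit, "decision": decision})
    # Threats with high frequency and high impact are addressed first.
    return sorted(rows, key=lambda r: r["exposure"], reverse=True)

# Constructed sample register; every figure is invented for illustration.
SAMPLE = [
    Threat("Computer virus", "staff PCs", 6, 1500,
           "antivirus on all PCs", 1, 1500, 3000, True),
    Threat("DDoS attack", "online store", 2, 40000,
           "traffic filtering service", 0.5, 40000, 25000, True),
    Threat("Laptop theft", "field laptops", 0.5, 4000,
           "tracking service", 0.4, 4000, 5000, True),
    Threat("Insider fraud", "payroll system", 1, 60000,
           "least-privilege roles", 0.2, 60000, 15000, True),
]

if __name__ == "__main__":
    for row in assess(SAMPLE):
        print(f'{row["threat"]:15} exposure={row["exposure"]:>8.0f} '
              f'net={row["net_benefit"]:>8.0f}  {row["decision"]}')
```

In this register the laptop-tracking service costs more than the loss it removes, so it is the one countermeasure that Step 8 sends back for reassessment.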
The SANS (SysAdmin, Audit, Network, Security) Institute’s Web site
offers a number of security-related policy templates that can help
an organization to quickly develop effective security policies. The
following is a partial list of the templates available from the SANS
Institute:
• Ethics Policy—This template defines the means to establish a culture of
openness, trust, and integrity in business practices.
• Information Sensitivity Policy—This sample policy defines the requirements
for classifying and securing the organization’s information in a manner
appropriate to its level of sensitivity.
• Risk Assessment Policy—This template defines the requirements and
provides the authority for the information security team to identify, assess,
and remediate risks to the organization’s information infrastructure
associated with conducting business.
• Personal Communication Devices and Voice-mail Policy—This sample policy
describes security requirements for personal communication devices and
voice mail.

Prevention
• Installing a Corporate Firewall - A firewall stands guard between an organization’s internal network and the Internet, and it limits network access based on the organization’s access policy.

• Intrusion Detection Systems - An intrusion detection system (IDS) is software and/or hardware that monitors system and network resources and activities, and notifies network security personnel when it detects network traffic that attempts to circumvent the security measures of a networked computer environment. Such activities usually signal an attempt to breach the integrity of the system or to limit the availability of network resources.

– Installing Antivirus Software on Personal Computers

• Implementing Safeguards Against Attacks by Malicious Insiders - Another important safeguard is to create roles and user accounts so that users have the authority to perform their responsibilities and nothing more.
• Defending Against Cyberterrorism - Organizations need to be aware of the resources available to help them combat this serious threat.
• Addressing the Most Critical Internet Security Threats - Worms, Trojans …
• Conducting Periodic IT Security Audits - An audit evaluates whether an organization has a well-considered security policy in place and if it is being followed.

Response - A response plan should be developed well in advance of any incident and be approved by both the organization’s legal department and senior management. E.g., DreamHost (Web site hosting service, takes action)

– Incident Notification
• Who needs to be notified?
• What information does each person need to have?
• Under what conditions should the company contact major customers and suppliers?
• How does the company inform them of a disruption in business without unnecessarily alarming them?
• When should local authorities or the FBI be contacted?
– Protection of Evidence and Activity Logs
• It is important to capture all system events, the specific actions taken (what, when, and who), and all external conversations (what, when, and who) in a logbook.
– Incident Containment
• The response plan should clearly define the process for deciding if an attack is dangerous enough to warrant shutting down or disconnecting critical systems from the network.
• How such decisions are made, how fast they are made, and who makes them are all elements of an effective response plan.
– Eradication
• Collect and log all possible criminal evidence from the system, and then verify that all necessary backups are current, complete, and free of any virus.
– Incident Follow-Up
The key elements of a formal incident report include the following:
• IP address and name of host computer(s) involved
• The date and time when the incident was discovered
• The length of the incident
• How the incident was discovered
• The method used to gain access to the host computer
• A detailed discussion of vulnerabilities that were exploited
• A determination of whether or not the host was compromised as a result of the attack
• The nature of the data stored on the computer (customer, employee, etc.)
• Whether the data is considered personal, private, or confidential
• The number of hours the system was down
• The overall impact on the business
• An estimate of total monetary damage from the incident
• A detailed chronology of all events associated with the incident
– Computer Forensics
• A discipline that combines elements of law and computer science to identify, collect, examine, and preserve data from computer systems, networks, and storage devices in a manner that preserves the integrity of the data gathered so that it is admissible as evidence in a court of law.
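
The logbook described under Protection of Evidence and Activity Logs (what, when, and who) and the integrity requirement stated under Computer Forensics can be combined in a tamper-evident log. This is an added example, not part of the original slides: the SHA-256 hash chain, the function names, and the sample entries are assumptions chosen for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # value the first entry chains to

def _digest(fields, prev_hash):
    """Hash one entry's fields together with the previous entry's hash."""
    payload = json.dumps({**fields, "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def append_entry(logbook, when, who, what):
    """Add a what/when/who record chained to the entry before it."""
    prev = logbook[-1]["hash"] if logbook else GENESIS
    fields = {"when": when, "who": who, "what": what}
    entry = {**fields, "prev": prev, "hash": _digest(fields, prev)}
    logbook.append(entry)
    return entry

def verify(logbook):
    """Return the index of the first altered or missing link, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(logbook):
        fields = {k: entry[k] for k in ("when", "who", "what")}
        if entry["prev"] != prev or entry["hash"] != _digest(fields, prev):
            return i
        prev = entry["hash"]
    return -1

def build_sample_logbook():
    """Constructed incident logbook; names and times are invented."""
    log = []
    append_entry(log, "2024-03-01T09:12Z", "IDS console",
                 "alert raised for web server")
    append_entry(log, "2024-03-01T09:20Z", "analyst A",
                 "web server disconnected from network")
    append_entry(log, "2024-03-01T09:45Z", "analyst B",
                 "phoned legal department about the incident")
    return log

if __name__ == "__main__":
    log = build_sample_logbook()
    print("intact:", verify(log) == -1)
    log[1]["who"] = "someone else"   # simulate an after-the-fact edit
    print("first bad entry:", verify(log))
```

A chain like this only shows tampering if the most recent hash is also recorded somewhere the logbook's editor cannot rewrite, such as a signed note or a separate system.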
