Wednesday, February 29, 2012

Information Security Management Systems (ISMS)



Overview

The main objective of an Information Security Management System (ISMS), as the name implies, is for an organization to design, implement and maintain a clearly defined and understandable suite of processes and systems for managing information security effectively, thus ensuring the confidentiality, integrity and availability of information assets and minimizing information security risk. As with any management process, an ISMS must remain effective and efficient in the long term, adapting to changes in the organization and in its external environment. The best-known ISMS specification is ISO/IEC 27001 and the related standards published jointly by ISO and IEC.
An organization's Internet gateway is expected to protect the information resources on the internal network from the Internet, so in what follows the Internet gateway is treated as the information system in scope for the ISMS. Implementing an ISMS consists of four major phases, the Plan, Do, Check, Act (PDCA) cycle:

Plan is about designing the ISMS, assessing information security risks and selecting appropriate controls.

Do is about implementing and operating the selected controls.

Check is about reviewing and evaluating the efficiency and effectiveness, in short the performance, of the ISMS.

Act is about making changes where necessary to bring the ISMS back to peak performance.

Steps to follow to implement ISMS for your organization

Firstly, top management needs a sound understanding of what information security management is and how it affects the protection of the organization's information. Support from top management, and their commitment to and understanding of information security problems, is one of the most important success factors for an efficient ISMS implementation.
The project's commanding capability, its authority to decide on information security issues, comes from top management sponsorship. Without real decision-making power it is very hard, if not impossible, to reach the project goals.
A well-structured project plan is another factor in a successful ISMS implementation: goals, resources and the time plan are developed and documented in a project description, and the resources in the project are well balanced.
All information security projects also need budgeted resources. A project without this capability is unable to estimate costs realistically.
Many ISMS implementations stop at the security manager's level. To avoid this, regular communication with the people involved in the project is needed.
Projects with better analytic capability can accurately analyze the existing security situation, and therefore develop a well-balanced ISMS that is also integrated with existing management systems.
Communications and operations management has to be done properly for a good ISMS implementation. When planning the system we also have to consider future requirements; this is the most crucial part of the planning process. Capacity management for future performance has to be done, since it lets the ISMS keep achieving its goals; without considering future capacity requirements it is difficult to handle the upgrades the ISMS will need later.
Protection against malicious and mobile code also has to be considered among the future requirements, as do detection, prevention and recovery against future threats. This is achieved through better risk analysis. Proper backup systems are another factor in a better ISMS.
Another aspect to consider for a good ISMS implementation is access control, where the main consideration is a good access policy. User access management, user responsibilities and operating system access controls have to be maintained as part of the access control strategy.
Motivation of the individuals participating in the ISMS project (project participants, project managers and those responsible for different areas of the organization) is a must for an efficient implementation. After the ISMS has been developed it still has to be implemented, and at that stage this success factor grows in importance: all employees in the whole organization will have to be motivated to adhere to the rules and to regularly use the technical solutions the project has developed and management has decided on.
Thinking about security and writing policies, as I mentioned in my last post, is one thing; implementing the ideas, rules, controls and procedures is another. Executive capability means that the project can get things done. One of the things that will need to be done is putting the policy into practice, which in turn often requires the ability to influence people in the IT department, in IT development and in other parts of the organization.
Though an ISMS involves the IT department, we have to look at it across the whole organization; this is called the holistic approach, and it is another plus for a better implementation. What matters is the connection between information security and the organization's core activities: the ISMS takes them into account and covers the whole organization, so that it does not end at the security or IT department.
A formal configuration management plan is a must for an ISMS implementation. Without one, accidental misconfigurations can happen in network devices such as firewalls, which can lead to a security breach. All hardware and software used in the ISMS must have appropriate warranties, and the warranty period should be negotiable.
Besides motivating employees to stick to the rules, they have to be instructed to keep their desktops, laptops and mobile devices up to date with patches. All the organization's PCs and laptops must be standardized on a licensed OS.
These are some of the uses of an ISMS that we identified with reference to ISO/IEC 27001 and its predecessor, BS 7799.
  1. Identification and clarification of existing information security management processes.
  2. Formulation of security requirements and objectives.
  3. Ensuring that security risks are cost-effectively managed.
  4. Ensuring compliance with laws and regulations.
  5. A process framework for the implementation and management of controls, ensuring that the organization's specific security objectives are met.
  6. Use by management to determine the status of information security management activities.
  7. Use by internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by the organization.
  8. Providing relevant information about information security policies, directives, standards and procedures to trading partners.
  9. Providing relevant information about information security to customers.









Denial of Service Attack


 
                       
What is a DoS Attack?
Denial of service, or simply DoS, is an attack on a computer or network that prevents legitimate use of its resources. The attacker floods a victim system with illegitimate service requests or traffic to overload its resources, which prevents it from performing its intended tasks.
Symptoms of a DoS Attack
  1. Slow network performance
  2. Unavailability of a particular website
  3. Inability to access any website
  4. Dramatic increase in the number of spam emails received
Detection Techniques
Detection techniques are based on identifying an illegitimate traffic increase and discriminating it from legitimate packet traffic, including flash events (sudden but legitimate surges of users).
Activity profiling:
An activity profile is obtained by analyzing packet header information: it is the average packet rate of a flow, where a flow consists of consecutive packets with similar header fields (addresses, ports, protocol), and flows with similar profiles are grouped into clusters. An attack is indicated by an increase in the activity level among the clusters, or by an increase in the number of distinct clusters (many new sources, as in a DDoS).
Wavelet analysis:
Wavelet analysis describes an input signal (for example the packet rate over time) in terms of its spectral components, giving a concurrent time and frequency description. Analyzing the energy in each spectral window determines the presence of anomalies.
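The activity-profiling idea above, as an added worked example (this is not code from the original post or from any named tool). It builds per-window activity profiles from constructed packet headers, clusters flows by the service they target, learns mean and spread from a baseline period, and flags windows where either the packet rate or the number of distinct flows in a cluster jumps. The IP addresses, window size, weighting factor k and traffic mix are all assumptions made for the example.

```python
"""Activity-profiling DoS/DDoS detector run over constructed packet headers."""
import random
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 5  # seconds per activity window (assumed value)


def build_sample():
    """Constructed packet headers: (timestamp, src, dst, dst_port, proto).

    0-59 s: five clients fetching from a web server plus a little DNS.
    60-69 s: a flood from 200 distinct (spoofed) sources at ~30 pkt/s each.
    """
    random.seed(1)
    packets = []
    for t in range(60):
        for i in range(5):
            for _ in range(random.randint(1, 3)):
                packets.append((t + random.random(), f"10.0.0.{i + 1}", "192.0.2.10", 80, "tcp"))
        packets.append((t + random.random(), "10.0.0.1", "192.0.2.53", 53, "udp"))
    for t in range(60, 70):
        for i in range(200):
            for _ in range(30):
                packets.append((t + random.random(), f"198.51.100.{i + 1}", "192.0.2.10", 80, "tcp"))
    return packets


def activity_profile(packets, window=WINDOW):
    """Return {window_index: {cluster: (packet_rate, distinct_sources)}}.

    A flow is (src, dst, dst_port, proto); a cluster groups the flows that
    target the same service (dst, dst_port, proto), the grouping in which a
    distributed flood is most visible.
    """
    counts = defaultdict(lambda: defaultdict(int))
    sources = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, dport, proto in packets:
        w = int(ts // window)
        cluster = (dst, dport, proto)
        counts[w][cluster] += 1
        sources[w][cluster].add(src)
    return {w: {c: (n / window, len(sources[w][c])) for c, n in clusters.items()}
            for w, clusters in counts.items()}


def detect(profile, baseline_windows, k=3.0):
    """Flag (window, cluster, rate, flows) where the packet rate or the number
    of distinct sources exceeds mean + k*stddev of the baseline windows.

    A cluster unseen in the baseline gets a zero threshold, so traffic to a
    brand-new service also alerts: a rise in the number of clusters is itself
    a DDoS indicator.
    """
    thresholds = {}
    seen = {c for w in baseline_windows for c in profile.get(w, {})}
    for cluster in seen:
        rates = [profile.get(w, {}).get(cluster, (0.0, 0))[0] for w in baseline_windows]
        nsrc = [profile.get(w, {}).get(cluster, (0.0, 0))[1] for w in baseline_windows]
        thresholds[cluster] = (mean(rates) + k * pstdev(rates),
                               mean(nsrc) + k * pstdev(nsrc))
    alerts = []
    for w in sorted(profile):
        if w in baseline_windows:
            continue
        for cluster, (rate, flows) in profile[w].items():
            rate_thr, flow_thr = thresholds.get(cluster, (0.0, 0.0))
            if rate > rate_thr or flows > flow_thr:
                alerts.append((w, cluster, round(rate, 1), flows))
    return alerts


def run_demo():
    """Profile the sample and use the first twelve windows (0-59 s) as baseline."""
    profile = activity_profile(build_sample())
    return detect(profile, list(range(12)))


if __name__ == "__main__":
    for window, cluster, rate, flows in run_demo():
        print(f"window {window}: {cluster} rate={rate} pkt/s sources={flows}")
```

On the sample the two windows covering 60-69 s are flagged for the web service cluster, on both criteria: the rate goes from about ten packets per second to thousands, and the source count from five to two hundred. A real deployment would keep the baseline rolling and would also compare against known flash-crowd shapes, since a legitimate surge raises the rate but usually not the per-source pattern in the same way.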
Countermeasure strategies
  • Absorbing the attack: use additional capacity to absorb the traffic; this requires additional resources.
  • Degrading services: identify critical services and stop non-critical ones.
  • Shutting down services: shut down all services until the attack has subsided.
Specific measures (items 2, 4, 5 and 6 guard against crash-type DoS through memory corruption rather than against floods):
  1. Configure the firewall to block ICMP traffic from the Internet.
  2. Avoid unsafe functions such as gets and strcpy in programs.
  3. Secure remote administration and connectivity testing.
  4. Prevent the return address from being overwritten (stack protection).
  5. Stop attacker-supplied data from being executed (non-executable memory).
  6. Perform thorough input validation.
  7. Use a network card that can handle a large volume of traffic.
  8. Update the kernel to the latest release.
  9. Disable unused and insecure services.
DoS/DDoS Protection Tools
  1. NetFlow analyzer (http://www.manageengine.com/)
  2. D-Guard anti DDoS firewall (http://www.d-guard.com/)

Monday, February 27, 2012

Integrated Production Server Honeypot


This is the research I did for my postgraduate studies. It is only an overview, to give an idea to anyone interested in the topic of honeypots. A honeypot is a server attached to the Internet whose purpose is to attract potential attackers. Once the honeypot tracks a potential attacker it studies them to find out how they are able to break into systems. Honeypots are made to look attractive to attackers: the honeypot wants the attacker to partially break into its network so that it can study them. Most likely the intruder will have no idea the honeypot is studying him or her. The majority of honeypots are installed inside the system's firewall so that the honeypot can be properly managed.

Overview
At present, compromise of network security is a growing problem for computer networks. It can be a major disaster for businesses and organizations relying on their IT systems, where a security incident results in damage to information assets. Hence the IT departments of such organizations are exploring numerous possibilities for detecting and preventing these attacks, and the honeypot is one technology that can be used to detect and prevent network-based attacks.
A honeypot is a highly flexible tool with different security applications. It does not fix a single problem but can be used for multiple purposes, such as prevention, detection or information gathering.
Generally a honeypot is a computer within the network, but placed in isolation from the other servers. It is usually used as bait: the intruder is expected to find the honeypot and break into it, and the honeypot then dictates what the attacker is able to do. Attackers are drawn toward the network as a result, so the network's exposure grows over time.

Objectives

The main objective of this project is to keep the honeypot inside the production server without degrading the server's performance under a persistent attack more than it would degrade without the honeypot. To achieve this we have to perform the following steps.

  1. Capture traffic information from intruders attracted to the network (by tracking their movements) without causing any harm to data on the production server.
  2. Simultaneously analyze the information gathered.
  3. Redirect the intruder's traffic according to the results of the analysis.
  4. Eliminate intruders with the help of an IPS.
In this kind of scenario the intruder has to be given some freedom to use the functionality and services of the production network. By then analyzing the traffic and the actions taken by the visitor, it is possible to decide whether the visitor is an intruder and, if so, to redirect them to the network's Intrusion Prevention System (IPS) to stop the attack. For the methodology envisaged in this project, where the honeypot is implemented inside the production server, the following issues were predicted:
  1. The production server can get overloaded, and as a result its performance may degrade.
  2. The network is likely to become more vulnerable to attack, since the honeypot is implemented inside a production server.
  3. What methodology should be used to block a particular IP address once it has been identified as belonging to an intruder.

The measures adopted in this study in order to resolve the issues are described below:

  1. Proving that the degradation caused by an intruder is much more severe than the performance degradation caused by the honeypot being present in the production server.
  2. Proving that an intruder would be detected and stopped in a short period of time, so that the damage to the production server would be minimal.
  3. Conducting various tests in order to select the best method for blocking intruders.
The above three points can also be considered minor objectives of my project. However, since my study involves research as well as implementation, I may have to try out various options in order to develop the most efficient and appropriate method for tracking attackers.
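As an added illustration of steps 2 and 3 (analyze the visitor's actions, then decide whether to hand the source to the IPS), here is a small behavioural scorer run over constructed access-log lines. It is example code written for this page, not the thesis implementation. The decoy paths, the scoring weights, the hand-off threshold and the log format are all assumptions; the point is that a visitor who touches resources only the honeypot component serves is identified within seconds of first contact, which is what the second measure above asks for.

```python
"""Behavioural scoring of visitors to a production server that embeds decoy
resources, deciding when to hand a source to the IPS."""
import re
from collections import defaultdict

# Decoy resources that only the honeypot component serves; no legitimate user
# has a reason to request them. Names are assumed for this example.
DECOY_PATHS = {"/backup/db.sql", "/admin-old/", "/.git/config"}

# Scoring weights and the hand-off threshold are assumed tuning values.
WEIGHT_DECOY = 5       # touching a decoy is near-conclusive
WEIGHT_NOT_FOUND = 1   # each 404 hints at path guessing
THRESHOLD = 8

# Constructed access-log lines: <epoch> <src> "<method> <path>" <status>
SAMPLE_LOG = """\
100 10.0.0.5 "GET /index.html" 200
101 10.0.0.5 "GET /products" 200
102 203.0.113.9 "GET /index.html" 200
103 203.0.113.9 "GET /wp-login.php" 404
104 203.0.113.9 "GET /phpmyadmin/" 404
105 203.0.113.9 "GET /.git/config" 200
106 203.0.113.9 "GET /backup/db.sql" 200
107 10.0.0.5 "POST /cart" 200
108 203.0.113.9 "GET /admin-old/" 200
110 10.0.0.7 "GET /index.html" 200
111 10.0.0.7 "GET /missing-page" 404
"""

LOG_RE = re.compile(
    r'^(?P<ts>\d+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)


def parse(line):
    """Return (ts, src, path, status) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return int(m["ts"]), m["src"], m["path"], int(m["status"])


def score_events(lines):
    """Return (decisions, state).

    decisions maps a source to the hand-off record made the moment its score
    crossed THRESHOLD; state keeps the running per-source totals so that a
    source already handed off keeps accumulating evidence for later analysis.
    """
    state = defaultdict(lambda: {"first_seen": None, "score": 0, "decoys": []})
    decisions = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, src, path, status = ev
        s = state[src]
        if s["first_seen"] is None:
            s["first_seen"] = ts
        if path in DECOY_PATHS:
            s["score"] += WEIGHT_DECOY
            s["decoys"].append(path)
        elif status == 404:
            s["score"] += WEIGHT_NOT_FOUND
        if src not in decisions and s["score"] >= THRESHOLD:
            decisions[src] = {
                "action": "redirect_to_ips",
                "at": ts,
                "seconds_to_decision": ts - s["first_seen"],
                "decoys": list(s["decoys"]),
            }
    return decisions, state


if __name__ == "__main__":
    found, _ = score_events(SAMPLE_LOG.splitlines())
    for src, d in found.items():
        print(f"{src}: {d['action']} at t={d['at']} "
              f"after {d['seconds_to_decision']} s, decoys={d['decoys']}")
```

In the sample the scanner at 203.0.113.9 is handed off at t=106, four seconds after its first request, while the ordinary visitor who mistyped one URL (10.0.0.7) stays well under the threshold. Weighting decoy hits far above plain 404s is what keeps the false-positive rate low; a decoy that a legitimate user could stumble on by accident should not be given that weight.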