Network Security And Management UNIT -IV Divyaksha Prabhu

WHAT IS RISK MANAGEMENT ?

Three definitions related to risk management show why it is sometimes considered difficult
to | understand.
(i) The dictionary defines “Risk” as the possibility of suffering harm or loss.
(ii) Carnegie Mellon University‟s Software Engineering Institute (SED) defines continuous risk
management as, processes, methods and tools for managing risks is a project. It provides a
disciplined environment for proactive decision-making to
(a) assess continuously what could go wrong (risks),
(b) determine which risks are important to deal with, (c) implement strategies to deal with those
risks.
(ii) In modem business term, risk management is the process of identifying vulnerabilities and
threats to an organization‟s resources and assets and deciding what countermeasures, if any, to take
to reduce the level of risk to an acceptable level based on the value of the asset to the organization.

IDENTIFY THE RISK TO AN ORGANIZATION

The identification of risk is straightforward. All you need to do is to identify the
vulnerabilities and the threats that you are exposed to. Once vulnerabilities, threats, and
countermeasures are identified, we can identify specific risks to the organization.
When identifying specific vulnerabilities, begin by locating all the entry points to the
organization. In other words, find all the access points to information (in both electronic and
physical form) and systems within the organization. This means identifying the following:
 Internet connections
 Remote access points
 Connections to the other organizations
 Physical access to facilities
 User access points
 Wireless access points.

1 SBC- Karkala
 Network Security And Management UNIT -IV Divyaksha Prabhu

For each of these access points, identify the information and systems that are accessible. Then
identify how the information and the systems may be accessed. Be sure to include in this list any
known vulnerabilities in operating systems and applications.
Threat assessment is very detailed and in some cases, difficult task. Attempts to identify
specific or targeted threats to an organization will often turn up obvious candidates such as
competitors. However, true threats will attempt to remain hidden from view. True, targeted threats
may not show themselves until an event has occurred.
A targeted threat is the combination of a known agent having known access with a known
performing a known event against a known target. Thus, we may have a disgruntled employee (the
agent) who desires knowledge of the latest designs an organization is working on (the motivation).
This employee has access to the organizations information systems (access) and known where the
information is located (knowledge). The employee is targeting the confidentiality of the new designs
and may attempt to force his way into the files he wants (the events).
The identification of all targeted threats can be very time consuming and difficult. An
alternative to identifying targeted threats is to assume a generic level of threat (we are not paranoid,
somebody is out to get us). If it is assumed that there exists a generic level of threat in the world,
this threat would be comprised of anyone with potential access to an organization‟s systems or
information. The threat exists because a human (employee, customer, supplier and so on) must
access the system and information used in the organization in order to be useful. However, we may
not necessarily have knowledge of a directed or specific threat against some part of the organization.
If we assume a generic threat (somebody, probably has the access, knowledge and motivation
to do something bad), we can examine the vulnerabilities within an organization that may allow the
access to occur. Any such vulnerability than translates into a risk since we assume there is a threat
that may exploit the vulnerability. Vulnerabilities cannot be examined in a vacuum. A potential
avenue of attack must be examined in the context of the environment and compensating controls
must be taken into account when determining if vulnerability truly exists.

Countermeasures include the following:

 Firewalls
 Antivirus software
 Access control
 Authentication systems
 Biometrics
 Guards
 Encryption
 Well-trained employees
 Intrusion detection systems
 Automated patch and policy management systems.

For each access point within an organization, countermeasures should be identified, For, example,
the organization has an Internet connection. This provides potential access to the organization's

2 SBC- Karkala
 Network Security And Management UNIT -IV Divyaksha Prabhu

systems, This access point is protected by a firewall. Examination of the rule set on the firewall will
identify the extent to which an external entity can actually access internet) systems. Therefore, some
of the vulnerabilities via this access point may not be available to ay external attacker since the
firewall prevents access to those vulnerabilities or systems in their entirely.
Once vulnerabilities, threats and countermeasures are identified, we can identify specific task
to the organizations. This question is now simple: Give the identified access point with the existing
countermeasures, what could someone do to the organization through each access point? For the
answer to this question, we take the likely threats for each process point (or a generic threat) and
examine the potential targets (confidentiality, integrity, availability and accountability) through each
access point. Based on the damage that can be done, each risk is treated related high, medium or
low. It should be noted that the same vulnerability, may pose different levels of risk based on the
access point so there is no risk. However, internal employees have access to the system since they
do not need to enter the network through firewall.

RISK ANALYSIS
Good, effective security planning includes a careful risk analysis. A risk is a potential
problem that the system or its users may experience. We distinguish a risk from other project events
by Joking for three things.

(i) A loss associated with an event: The event must generate effect: Compromised security, lost
time, and diminished quality, lost money, lost control, lost understanding, and so on. This loss is
called the risk impact.
(ii) The likelihood that the event will occur: There is a probability of occurrence associated with
each risk, measured from 0 (impossible) to 1 (certain). When the risk probability is 1, we say we
have a problem.
(iii) The degree to which we can change the outcome: We must determine what, if anything, we
can do to avoid the impact or at least reduce its effects. Risk control involves a set of actions to
reduce or eliminate the risk. Many of the security control are examples of risk control.
We usually want to weigh the prons and cons of different actions we can take to address each
risk. To that end, we can quantify the effects of a risk by multiplying the risk impact by the risk
probability, yielding the risk exposure. For example, if the likelihood of virus attack is 0.3 and the
cost to clean up the affected files is ¥ 10,000 then the risk exposure is z 3,000. So, we may use a
calculation like this, one to decide that a virus checker is worth an investment of { 100, since it will
prevent a much larger potential loss. Clearly, risk probabilities can change over time, so it is
important to track them and plan for events accordingly.
in general, there are three strategies for risk reduction:

(a) Avoid the risk, by changing requirements for security or other system characteristics.
(b) Transferring the risk, by allocating the risk to other systems, people, organizations or assets; or
by buying insurance to cover any financial loss should the risk become a reality.

3 SBC- Karkala
 Network Security And Management UNIT -IV Divyaksha Prabhu

(c) Assuming the risk, by accepting and controlling it with available resources, and preparing to
deal with the loss if it occurs.
Thus, costs are associated not only with the risk‟s potential impact but also with reducing it.
Risk leverage is the difference in risk exposure divided by the cost of reducing the risk. In other
words, risk leverage is
(iii) (Risk exposure before reduction) — (Risk exposure after reduction) (Cost of risk reduction)
If the leverage „value of a proposed action is not high enough, then we look for alternative but less
costly actions or more effective reduction techniques.
Risk analysis is the process of examining a system and its operational context to determine
Possible exposures and the potential harm they can cause. Thus, the first step in a risk analysis is to
identify and list all exposures in the computing system of interest. Then for each exposure, We
identify possible controls and their costs. The last step in a cost-benefit analysis: Does it cost less to
implement a control or to accept the expected cost of the loss?
In our everyday lives, we take risks. In crossing the road, eating oysters or playing the
lottery, we take the chance that our actions may result in some negative result—such as being
injured, getting sick or losing money. Consciously or unconsciously, we weight the benefits of
taking the action with the possible losses that might result. Just because there is a risk to a Certain
act we do not necessarily avoid it; we may look both ways before crossing the street, but we do
cross it. In building and using computing systems, we must take a more organized and careful
approach to assessing our risks. Many of the systems we build and use can have dramatic impact on
life and health if they fail. For this reason, risk analysis is an essential par of security planning.
We cannot guarantee that our system will be risk-free, that is why our security plans must
address action needed, should an unexpected risk become a problem. And some risks are simply
part of doing business; for example as we have seen, we must steps to avoid disaster in firs, place.
When we acknowledge that a significant problem cannot be prevented, we can use controls to
reduce the seriousness of a threat. For example, you can backup files on your computer or a defense
against the possible failure of a file storage device. But as our computing system become more
complex and more distributed, complete risk analysis becomes more difficult and time consuming
and more essential.
Risk analysis is performed in many different contexts, for example environmental and health
risks are analyzed for activities such as building dams, disposing of nuclear waste or changing a
manufacturing process. Risk analysis for security is adapted from more general management
practices, paying special emphasis on the kinds of problems likely to arise from security issues. By
following well-defined steps, we can analyze the security risks in computing system.
(i) Identify assets
(ii) Determine vulnerabilities
(iii) Estimate likelihood of exploitation
(iv) Compute expected annual loss
(v) Survey applicable controls and their costs

(vi) Project annual savings of control.

4 SBC- Karkala
 Network Security And Management UNIT -IV Divyaksha Prabhu

Different organizations take slightly different approaches, but the basic activities are still the
same. For example, army used its operation security guidelines during the war. The guidelines
involve five steps.
(i) Identify the critical information to be protected
(ii) Analyze the threats
(iii) Analyze the vulnerabilities
(iv) Assess the risks
(v) Apply countermeasures.
The steps are similar, but their details are always tailored to the particular situation at hand For this
reason, it is useful to use someone else‟s risk analysis process as a framework, but is important to
change it to match your own situation.

INCIDENT MANAGEMENT
Security is only as effective as the response it generates. A structured response ensures that
an as the incident is recognized early and dealt with in the most appropriate manner. An incident
that is pot responded to in a timely manner can expose an organization to many issues including, but
not necessarily limited to:

 Disclosure of confidential information

 Prolonged recovery times due to more extensive damage as a result of the ongoing incident.
 The inability to proceed with a criminal or civil case due to lack of evidence or inadequate
evidence gathered.
 Negative impact to the organizations image in the eyes of shareholders, customers and/ or
partner organization.
 The organization may face potential legal and/or compliance issues depending on the
regulatory and legal requirements.
 Exposure to legal cases from third party organizations impacted as result of the incident.
 Exposure to legal/libel cases from employees/individuals who may have been delt with
unfairly by an inappropriate and/or cumbersome response.
An organization that has a structured and formalized response in place to internal and external IT
security incidents demonstrates that it is taking its corporate and legal responsibilities seriously and
has a positive security posture. This security posture ensures that the organization can deal with
security incidents quickly, efficiently and effectively. This will result in:
(a) The rapid and accurate assessment of security incidents and the most appropriate response.
(b) Shortened recovery times to incidents and minimized business disruption.
(c) The confidence to proceed with a disciplinary, legal or civil case as a result of using proper
procedures and processes to gather evidence in response to an incident.
(d) Ensures that the company complies with local legal, regulatory and industry requirements.
(e) A potential reduction in incidents as the organization is not considered a „soft target‟.
(f) Provides accurate reporting and statistics to continuously, improve the security of the
organization.

5 SBC- Karkala
 Network Security And Management UNIT -IV Divyaksha Prabhu

Incident Notification/Identification
The notification or identification that an incident is occurring can happen in many different
Ways. Notification of an incident can happen:
 Automatically from specific security devices such as an alert from a firewall.
 Automatically from non-security devices such as a network monitoring systems that
Observes unusual network activity.
 from the manual review of system and security log files on network and/or security devices.
Incident Classification
In order to ensure that incidents are responded to in a structured manner it is essential that
incidents are classified into different levels so that high priority incidents can be responded to
quicker than incidents of a lower nature. For example excessive traffic on port 80 on a firewall may
indicate the start of a Denial of Service attack and would require a quick response to ensure minimal
disruption to the network and therefore would be classified higher than, say a rejected access
attempt to the personal directory of an employee.
The security of the incident does not alone impact the classification. The potential target also
impacts the classification. A rejected access attempt to the organization‟s sensitive information will
have a higher event classification than a rejected access attempt to unclassified information.
Classifying incidents will depend on many factors such as:
 The nature of the incident.
 The criticality of the systems being impacted.
 The number of systems impacted by the incident.
 The impact the incident can have an organization from a legal and/or public relations point
of View.
 Legal and regulatory requirements for disclosure.

Incident can be classified as shown in Table 15.1.

6 SBC- Karkala
 Network Security And Management UNIT -IV Divyaksha Prabhu

INCIDENT RESPONSE
In order to implement an appropriate incidence response, the proper people and processes
need to be involved and the most appropriate response subsequently developed. Some incidents will
simply require no response, others will require only an automated response, e.g. drop a connection
to a blocked part on a firewall, whereas others will require a more complicated response involving
personnel from various parts of the organization and different levels of management.
It is important to establish the appropriate levels of responses to an incident and also that the
incident response has the necessary levels of authorization and autonomy. There is no point having
senior management involved in a response to an incident that has minimal business impact.
All personnel involved in responding to an incident must be properly trained and versed in
their responsibilities. If the skills are not available in house then they should be source else where.
In addition all policies and procedures should be properly tested and reviewed on a regular basis to
ensure their effectiveness and applicability. A review process should also be put in place to ensure
that lessons are learnt from any incidents that require a response. Failure to take these steps could
adversely impact business operations leading to loss of revenue or mission effectiveness, legal
ramifications or a loss of public trust.
This incident response methodology will be dependent on the incident classification. The
response team will also need to confirm that the incident has occurred and if so what the most
appropriate response to the incident is. Once an incident has been confirmed and has initiated the
appropriate incident response process, all care must be taken to preserve and record all information
and potential evidence in the incident a legal or civil case ensues.
What response is required to an incident will depend on a mixture of business and technical
drivers as the type of response can impact on employee, customer, and public relations and may
even have legal ramifications. It is therefore essential that clear, concise and accurate processes and
procedures that have been approved by senior management are in place for all - Personnel to follow.

Incident Response Team

The Incident Response Team is responsible for managing the organization‟s response to an
incident and how the organization interacts with third parties such as low enforcement agencies,
regulatory bodies, customers, employees and the media.
The team should be made up of a number of people with knowledge and skills in different
areas. It may be necessary to source certain skills externally to the organization. For example,
forensic gathering skills are not commonplace and are often better sourced from vendors who
specialize in the area. If this is the case then a formulated process should be in place to ensure that
resource is available when required.
The Incident Response Team should also have the full backing and support of Senior
Management. This should include giving the Incident Response Team the autonomy and authority
to make decisions carry out actions in the absence senior management during a critical incident.

Typically an Incident Response Team will be made up of representatives of the following:

7 SBC- Karkala
 Network Security And Management UNIT -IV Divyaksha Prabhu

(i) IT security: The case team members will be those from the IT security team as they are the most
knowledgeable with regards to managing and dealing with computer security incidents.
(ii) IT operations: As the operations team is very often the first line of defence/ detection of
incidents either via monitoring tools or from reports to the support desk, it is essential that
representation from this team is on the Incident Response Team.
The severity of the incident does not alone impact the classification. The potential target also
impacts the classification. A rejected access attempt to sensitive data will have a higher event
classification than a rejected access attempt to non-sensitive systems, for example unauthorized
access to a staff member‟s home directory may be classified with a lower priority than unauthorized
access to the payroll system. .

INCIDENT RESPONSE
In order to implement an appropriate incidence response, the proper people and processes
need to be involved and the most appropriate response subsequently developed. Some incidents will
simply require no response, others will require only an automated response, e.g. drop a connection
to a blocked part on a firewall, whereas others will require a more complicated response involving
personnel from various parts of the organization and different levels of management.
It is important to establish the appropriate levels of responses to an incident and also that the
incident response has the necessary levels of authorization and autonomy. There is no point having
senior management involved in a response to an incident that has minimal business impact.
All personnel involved in responding to an incident must be properly trained and versed in
their responsibilities. If the skills are not available in house then they should be sourceelsewhere. In
addition all policies and procedures should be properly tested and reviewed on a regular basis to
ensure their effectiveness and applicability. A review process should also be put in place to ensure
that lessons are learnt from any incidents that require a response. Failure to take these steps could
adversely impact business operations leading to loss of revenue or mission effectiveness, legal
ramifications or a loss of public trust.
This incident response methodology will be dependent on the incident classification. The
response team will also need to confirm that the incident has occurred and if so what the most
appropriate response to the incident is. Once an incident has been confirmed and has initiated the
appropriate incident response process, all care must be taken to preserve and record all information
and potential evidence in the incident a legal or civil case ensues.
What response is required to an incident will depend on a mixture of business and technical drivers
as the type of response can impact on employee, customer, and public relations and may even have
legal ramifications. It is therefore essential that clear, concise and accurate processes and procedures
that have been approved by senior management are in place for all personnel to follow.
As a large majorities of incidents may happen outside office hours or when key personnel are
not immediately available, all staff must be given clear guidelines in how they report and respond to
incidents.
Many incidents may simply require an automated response. For example a known computer
virus detected in a file could be automatically deleted by the Anti-Virus software and not require a

8 SBC- Karkala
 Network Security And Management UNIT -IV Divyaksha Prabhu

further response. However, an attack on the firewall will require a More measured response any
many require the involvement of a senior management to decide Whether to shut the firewall down
to minimize the damage to the firewall or allow the attack to continue so further evidence may be
gathered in the incident a legal case may be required.
An Incident Response Log should be kept where all actions and results of those actions are
recorded accurately. Details as to who completed the actions, the time of the action and the outcome
need to be maintained. This is to ensure that an accurate record of all action is taken in the event that
the incident leads to a civil or criminal court case, or indeed these logs van be used to determine the
effectiveness of the incident response procedures.

WHAT ARE THE E-MAIL THREATS THAT ORGANIZATION’S ~ FACE?

By using e-mail, organizations face several threats. These range from legal threats to network
congestion:
Legal Liability
In most cases the employer is held responsible for all the information transmitted on or from
their systems. As a result, inappropriate e-mails can result in multimillion dollar penalties. In the last
few years there have been several high profile lawsuits such as the case against UK firm Norwich
Union, who were forced to pay £450,000 in an out of court settlement after an employee sent an e-
mail stating that their competitor Western Provident Association was in financial difficulties. In the
US, Chevron settled a case filed by four female employees for $2.2 million. The employees alleged
that sexually harassing e-mails sent through the organization e-mail system caused a threatening
work environment. One of the sexually offensive messages was a „joke‟ sheet titled ‟25 reasons why
beer is better than women‟. An organization can also be liable if one of its employees sends an e-
mail containing a virus.

Confidentiality Breaches
Most confidentiality breaches occur from within the organization. These breaches can be
accidental, for instance by selecting a wrong contact in the To: field. However, confidentiality
breaches can also be intentional, as Borland International Inc. experienced first hand: A Borland
employee used the organization‟s e-mail system to send out confidential information to competitor
Symantec, his new employer. The trade secrets included product design specifications, sales data
and information regarding a prospective contract for which both organizations were competing. The
employee and recipient were both charged with trade secret theft. Whether it is by mistake or on
purpose, the result of the loss of confidential data is the same.

Damage to Reputation
There is no doubt that the contents of corporate e-mails reflect on the business. A badly
written e-mail, or an e-mail containing unprofessional remarks will cause the recipient to have a bad
impression of the organization the sender is representing. UK law firm Norton Rose had to find this
out the hard way when two of their employees originated the „Claire Swire‟ e-mail, a sexually
explicit e-mail that ended up being read by over 10 million people around the world. Especially

9 SBC- Karkala
 Network Security And Management UNIT -IV Divyaksha Prabhu

since the organization in question was a law firm, and the employees were attorneys, this e-mail
caused severe damage of reputation.

Lost Productivity
Lost productivity due to inappropriate use of an organization's e-mail system is becoming a
wing area of concern. In the US, a survey revealed that 86 per cent of workers used their
organization e-mail to send and receive personal e-mails. A recent study by the Gartner Group
found that unproductive internal e-mails take up 30 per cent of employees‟ time spent in reading e-
mail. It is concluded that banning e-mail which contains gossip, jokes, and other time-wasting
content would save a considerable amount of employees‟ time. In addition to personal e-mails,
unwanted spam messages are a huge time waster.

Network Congestion and Down Time

Spam and personal (mis) use of e-mail can cause organization‟s e-mail system to waste
valuable bandwidth resources, not to mention employees‟ time. A Gartner Group Study held under
13,000 e-mail users, found that 90 per cent receive spam at least once a week, and almost 50 per
cent get spammed more than 6 times a week. Personal e-mails cause network congestion since they
are not only unnecessary, but tend to be mailed to a large list of recipients and often include large
attachments such as mp3, executable or video files that users do not zip. Viruses are another
important area of concern. If a virus hits the organization system this can cause network congestion
or even down time.

E-mail Retrieval on Court Order

E-mail records are increasingly used in lawsuits since they tend to contain important
evidence. For instance, if your company is faced with a wrongful termination lawsuit, chances are
that you will be ordered to search all company e-mails for messages relating to that person. This is
usually not just a matter of a quick keyword search. The retrieval often involves restoring thousands
of e-mails on servers and result in slow and painful searches. Worse still, the court could even
confiscate your computers as evidence. Not to mention the fact that the search might uncover some
embarrassing evidence you never knew you were „safekeeping‟. If on the other hand you regularly
delete e-mail as stipulated in corporate e-mail policy guidelines, the court might not force you to do
an expensive search since it has enough reason to believe that it will not yield any result.

WHY DO YOU NEED AN E-MAIL POLICY?

By having a good e-mail policy in place you can secure your organization in several ways.
Firstly, the e-mail policy helps prevent e-mail threats, since it makes your staff aware of the
corporate rules and guidelines, which if followed will protect your organization.
Secondly, an e-mail policy can help stop any misconduct at an early stage by asking
employees to come forward as soon as they receive an offensive e-mail. Keeping the incidents
to a minimum can help avoid legal liability. For instance in the case of Morgan Stanley, a US
investment bank that faced an employee‟s court case, the court ruled that a single e-mail

10 SBC- Karkala
 Network Security And Management UNIT -IV Divyaksha Prabhu

communication (a racist joke, in this case) cannot create a hostile work environment and dismissed
the case against them.
If an incident does occur, an e-mail policy can minimize the organization‟s liability for the
employee's actions. Previous cases have proven that the existence of an e-mail policy can prove that
the company has taken steps to prevent inappropriate use of the e-mail system, and therefore can be
freed of liability. WorldCom Corp. for instance, faced a court case from two former employees for
allowing four racially offensive jokes on its e-mail system. WorldCom successfully defended
themselves because they had an e-mail policy that spelled out inappropriate content and because
they took prompt remedial action against the coworker who sent the racially harassing e-mails.
Finally, if you are going to use e-mail filtering software to check the contents of your
employee‟s e-mails, it is essential to have an e-mail policy that states the possibility of e-mail
monitoring. If you do not have such policy you could be liable for privacy infringement.

ELECTRONIC MAIL SECURITY

E-mail is vital for today's commerce, as well as a convenient medium for communication
among ordinary users. But, as we noted earlier, e-mail is very public; exposed at every point from
the sender's work station to the recipient‟s screen. Just as you would not put sensitive op private
thought on a postcard, you must also acknowledge that e-mail messages are exposed and available
for others to read. Sometimes we would like e-mail to be more secure. If we were to make a list of
the requirements for secure e-mail, our wish list would include the following protections.
 message confidentiality (the message is not exposed en route to the receiver)
 message integrity (what the receiver sees is what was sent)
 sender authentication (the receiver is confident who the sender was)
 nonrepudiation (the sender cannot deny having sent the message)

Not all of these qualities are needed for every message, but an ideal secure e-mail package would
allow these capabilities to be invoked selectively.

PGP for Electronic Mail Security PGP stands for Pretty Good Privacy. It was developed originally
by Phil Zimmerman. However, in its incarnation as open PGP, it has now become an open standard.
PGP is open-secure, Although PGP can be used for protecting data in long-term storage, it is used
primarily for email security. PGP‟s operation consists of five services.
1. Authentication service: Sender authentication consists of the sender attaching his/her digital
signature to the e-mail and the receiver verifying the signature using public-key cryptography. Here
is an example of authentication operations carried out by the sender and the receiver:
(a) At the sender‟s end, the SHA-1 hash function is used to create a 160-bit message digest of the
outgoing e-mail message.
(b) The message digest is encrypted with RSA using the sender‟s private key and the result
prepended to the message. The composite message is transmitted to the recipient.
(c) The receiver uses RSA with the sender‟s public key to decrypt the message digest.
(d) The receiver compares the locally computed message digest with the receive message digest.

11 SBC- Karkala
 Network Security And Management UNIT -IV Divyaksha Prabhu

The above description was based on using a RSA/SHA based digital signature. PGP also supports
DSS/SHA based signatures. DSS stands for Digital Signature Standard. Additionally, the above
description was based on attaching the signature to the message. PGP also supports detached
signature to the message. PGP also supports detached signatures that can be sent separately to the
receiver. Detached signatures are also useful when a document must be signed by multiple
individuals.

12 SBC- Karkala
 Network Security And Management UNIT -IV Divyaksha Prabhu

Internet Banking:-
Steps
I. Client requesting for the web page of the bank offering Internet banking.
2. The request passes through the Internet to the firewall of the bank located in the data centre.
3. Depending upon the type of request and the configuration in the firewall, the request is passed on
to the web server or the request is dropped.
4 and 5. The web server displays the web page containing the application interface and the control
passes to the Internet banking application server.
6. The details entered by the customer are sent to the Internet banking database for verification and
subsequent action.
7, 8 and 9. Data is transferred from the centralized database to the Internet banking database through
the middleware.
10. The verification result and the transaction result are passed onto the Internet banking application
server.
11, 12 and 13. The details are given to the web server to be displayed to the customer. 14 and 15.
The web server displays the results of the transaction on the web browser of the customer. Steps to
be followed to complete one transaction, say, a balance enquiry, are:
1-2-3-4-5-6-10-11-12-13-14-15.
In case the transaction requires real-uume connectivity, say, payment of bills, the control is
transferred from the Internet banking database to the Central database. The steps to be followed to
complete this transaction are:
1-2-3-4-5-6-7-8-910-1 1-12-13-14-15.

A LAYERED APPROACH TO SECURITY

The fact that each financial transaction has to traverse different layers of the Internet before it
can reach its final conclusion, has prompted a layered approach to the security of such a transaction;
wherein each layer adds a level of security and in this process also helps the succeeding layer

13 SBC- Karkala
 Network Security And Management UNIT -IV Divyaksha Prabhu

determine the security mechanisms that it needs to incorporate to build q holistic secure system of
Internet banking. Also the layers function as a complement to the other preceding and succeeding
layers in providing a secure system—if one layer fails, then the next layer does a Cover-up, i.e., if
security is breached in one layer, then the other layers in the system can stop the attack and/or limit
the damages that may occur.
Starting with the web browser at the client‟s end to the management of the bank offering this
service, each layer is elaborated below, along with the risks associated with that particular layer and
the control measures that need to be adopted to reduce the risk to a It can be observed from the
Figure 18.2, where the web browser is the starting point of the layers and can be said to be the tip of
the security triangle with the management of the bank being the foundation.

1.Web Browser
The web browser is a software application located on the client system that is used to locate
and display web pages. Risks: The misuse of information provided by the end-user, active content
(example: applets etc.) that can crash the system or breach the user‟s privacy, cookies that can cause
annoyance. Controls: Proper security settings in the browser based on the web content zone, non-
disclosure of personal information unless warranted, robust-logon process and controlling cookies.
2. Perimeter Access Control (Firewall)
A firewall is a system or group of systems that enforces an access control policy between a
trusted network and an untrusted network.
Risks: The access control methodology—whether a firewall starts with a „deny all‟ policy first or
„permit all‟ first, the attack on the firewall itself resulting in the failure or malfunction of the firewall
and the inappropriate framing of the access control policy itself.
Controls: The primary control is to frame an access control policy that takes into consideration the
various factors like the methodology to be used—use the „deny all‟ first methodology to start with
and later „permit‟ based on requirement, the inbound and outbound access to be permitted, the type
of firewall—use stateful inspection firewall; and the need for people with valid experience and

14 SBC- Karkala
 Network Security And Management UNIT -IV Divyaksha Prabhu

expertize to configure the firewall. The firewall should be „selfmonitoring‟ and should prevent itself
from being attacked; or in the least should be able to alert the administrator in any such event.

3. Web Server
The web server is a software application that is used to deliver web pages to a web browser,
when requested for that particular web page.
Risks: Inherent weaknesses in the web server software itself, improper configuration an necessary
open „ports‟ and/or „services‟, lack of authentication; and lack of access contr) Controls: A proper
policy that specifies the requirement in terms of necessary services and ports, proper configuration
of the web server in terms of the policy defined;

4. Web Host (with Intrusion Monitoring) it is the system on which the web server software is
loaded—the operating system. This well boost is also loaded with intrusion monitoring software.
Risks: Unknown and unnecessary services in the operating system, access control of the system and
the capacity planning of the web host. Controls: Plan carefully to ensure sufficient amount of CPU,
memory and disk storage for the expected usage; monitor system resources; ensure redundancy and
availability of system resources; ensure physical and logical security; and ensure auditing/logging
and monitoring. The monitoring software detects any attempts to attack the web host and/or web
server and alerts the administrator to such attempts; to enable the administrator to take proper action
on the alerts.
5. Internet Banking Application Server ,
It is a program, residing on a system, that handles all application (Internet banking, in this
case) Operations between the end-users and the back-end database.
Risks: Security of the operating system, access control for the server and the application, „
application-specific risks.
Controls: The application-specific risks need to be taken care of at the time of design of the
application, while at the same time ensuring that it is properly configured in the server. All controls
specified for the web host is valid in this case too. Ensure proper access control—both physical and
logical for the system. Ensure sufficient redundancy and availability in terms of clustering and/or
load-balancing.
6. Internet Banking Database (with Intrusion Monitoring) It is the system on which all the
details of the Internet banking customers are stored. It is also faded with intrusion monitoring
software to monitor the activity on the system and the
database. This database gets its data from the centralized banking database through # middleware.
All transactions which do not require online access to the central database are handled by this
database server.
Risks: The customer details are classified as very sensitive and tampering with this database can
cause a huge loss—quantitative and qualitative, to the bank; access control for the server and the
database.
Controls: Apart from applying all the controls specified for the web host, ensure proper access
control—both physical and logical for the system. Access to the database files should be allowed

15 SBC- Karkala
 Network Security And Management UNIT -IV Divyaksha Prabhu

only through the application. Ensure sufficient redundancy and availability in terms of clustering
and/or load-balancing.

7 Middleware
The middleware is software that connects otherwise separate applications. It is used to
transfer data from the central database to the Internet banking database.

Risks: Availability is a major risk. If the middleware is not available, transfer cannot take place;
also, a „slow‟ middleware cannot guarantee availability. Access to the middleware is also a risk.
Controls: Apart from ensuring proper access
control—both physical and logical for the system, there should also be sufficient redundancy built
into the system to ensure availability of the resource. .

8 Database (with Intrusion Monitoring)

It is the centralized location of data pertaining to all the customers of the bank and other data
pertaining to the bank.
The risks and controls associated with the central database are similar to the Intermet banking
database. In addition to those controls, the bank should also ensure that proper back up of the
database is taken; while also planning for contingencies like earthquake etc. by investing in a
Disaster Recovery Site.
The data centre is the facility where the entire banking system viz. the servers, databases etc.
are housed.
Risks: Physical security of the centre and the equipment it houses.
Controls: A physical security monitoring system should be in place to monitor all the entry/ exit
points. Access should be controlled through one/two factor mechanisms and backed up with
logs/registers. Environmental conditions in the centre should be maintained as stipulated in the
policies and procedures.

9 Data Centre
The data centre is the facility where the entire banking system viz. the servers, databases etc.
are housed.
Risks: Physical security of the centre and the equipment it houses.
Controls: A physical security monitoring system should be in place to monitor all the entry, exit
points. Access should be controlled through one/two factor mechanisms and backed up with
logs/registers. Environmental conditions in the centre should be maintained as stipulated in the
policies and procedures.
10. Internal Network
It is the network which hosts the systems used by the bank staff for the monitoring and
maintenance of all the servers, databases and systems of the bank.
Risks: Improper network design for hosting each system can cause unwanted traffic; traffic
to the systems for management purposes can eat up bandwidth.

16 SBC- Karkala
 Network Security And Management UNIT -IV Divyaksha Prabhu

Controls: The network should be properly designed so as to optimally utilize the bandwidth
available—place the web server on a separate sub-network connected to the firewall, the database
and application servers placed on a separate sub-network in the internal network. Also, the path
between the internal systems and the servers and databases should be secure when doing content
management.

11 . People
This layer is basically the administrators and operators of each and every system, server or
database.
Risks: Insufficient exposure to technology and their requirements during installation and
maintenance; random application of patches and updates.
Controls: Ensuring the compliance to policies and procedures during administration and
management; auditing of the people, processes and the systems; encouraging knowledge up
gradation activities and educating them on the evils of „social engineering‟. The most important
control that we can suggest is „to do the right things in the right way at the right time‟.
12. Management
This includes all the different types of management including the bank top management. The
primary responsibility of the bank management is to lend support to the implementation of the
Internet banking system as a delivery channel of the bank; support the framing, implementation
and compliance to all the policies and the procedures relating to the entire Internet banking system.
When the control of a transaction traverses through the layers, it can be seen that the lacunae or
weakness in one layer is made up for, by the next layer.
For example, if the web server has some unnecessary service open and some attacker tries to enter
the Internet banking system through that service, then the intrusion monitoring software in the web
host will alert the administrator to some anomalous activity happening in the web host, enabling the
administrator to take suitable corrective action thereby ensuring that the system remains secure.
Also, total security in one layer will not guarantee the total security of the entire Internet banking
system. For example, let the web server be totally secure.

17 SBC- Karkala