methods and references of best practices for the security of information
systems are available. They also serve as methodological guides that provide
assurance of a coherent security approach.
In this chapter we
will rely on the ISO 27001/27002 standards and the PCI norm12
to implement an IT security concept for a company.
Our concept is
intended as a guide containing advice and to ensure the security of company
The process of securing the information system must go through 4 definition steps:
perimeter to be protected (list of
nature of threats,
impact on the information system,
protection measures to be put in
identifies these objectives according to three criteria:
5.2. IT Security Concept
Our concept will be
based on 13 themes:3
The IT security rules document is an internal
document signed by general management and communicated to all employees of the
company. This document describes the company’s general IT security objectives
Schematically, this document sets
the position of the “safety slider” to ensure the best compromise
between the flexibility required by the strategic objectives.
The objective of this category is
to manage the security of information within the administrative structure of the
organization. It is based on the commitment of the IT team, which should actively
support the achievement of IT security within the organization with a
clear guideline, evidence of its commitment, an explicit recognition
of the importance of security, and the coordination of security
In this context, the company is
responsible for the division of information security responsibilities and for the
authorization process in the different fields.
Finally, the company must ensure
an independent review of information security.
Assets and Data:
All assets in the company must be
clearly identified, recorded in an inventory list, and assigned to
the IT team, who are responsible for their appropriate protection with a suitable
set of labeling procedures. Also, the handling of information should be
developed by the IT team and implemented in accordance with the classification
Human resource protection:
The objective of this category is
to ensure that employees, contractors and third parties
understand their responsibilities and the roles they are suited for.
This kind of step could help
reduce the risk of theft, fraud or misuse of facilities.
The objective of this category is
to prevent unauthorized physical access, damage or
and the infrastructure of the company using the appropriate control steps, by
identifying the risks and the value of the assets protected through
physical security in the perimeter of work.56
The objective of this category is
to ensure the correct and secure operation of the information.
Any kind of change to information,
facilities and processing systems must be monitored.
All functions and areas of
responsibility should be separated, with the goal of reducing as far as possible
any kind of unauthorized modification or misuse of the company’s assets.
Backup copies of information
and software should be made and tested at appropriate intervals, in
accordance with the information security system.
the use of monitored information
should be established, and the results of monitoring activities should be
reviewed and examined regularly.
The objective of this category is
to control access to information, information processing facilities and
business processes, so an access control policy must be established,
documented and regularly verified.
Based on business needs and
external requirements, the use of access privileges should be limited and
maintenance and development:
The objective of this category is
to ensure that security is an integral part of the organization’s information
systems and business processes.
It is possible to develop a
security application and verify the capacity of the existing information
Incident security management:
The purpose of this category is to
verify the events and problems of an information system while at the same
time securing the corrective action that is taken.
The Business Continuity Plan (BCP)
is at once the name of a concept, a procedure and the document describing it.
This plan should allow a group
(government, community, institution, business,
to remain active even in case of disaster, even if in degraded mode or in
a major crisis.
It is a strategic document,
formalized and regularly updated, for the case of a serious disaster.
Its objective is to minimize the
impact of a natural, technological or social crisis or disaster on the activity
(and thus the sustainability) of a company, a government, an institution, or a
The company should take care of
all the communication equipment and the way they communicate with each other from a
security point of view.9
The goal of cryptography is to
assure 3 important points: confidentiality, integrity and availability of the
The company is obliged to respect
all kinds of contracts and legal obligations.
5.3. Proposed devices
The goal of this
chapter is to give more requirements to improve its security concept as well
moment the situation returns to normal.
5.3.1. Security rules
The most important
document in a company is the security policy, which explains the general strategy
of the company to make it secure.
It identifies the
rules and procedures for all individuals accessing and using an organization’s
IT equipment and resources.
The objectives of an
IT security policy are to assure 3 important principles:
The IT security
policy is based on different important points, such as explaining the best password
policy and giving a brief idea about different important security steps such as
incident management, access control, continuity management … and will be
mentioned in a specific document.
The IT security
policy document will give us a brief idea about the points we mentioned.
The employees should
have an IT policy that describes their roles and responsibilities.
The IT team is a
group of employees responsible for the administration, configuration and
security of the technological part.
The IT team takes into
consideration 4 important things, which are
5.3.3. Human resource protection
The company should have all the documents that define its relationship with all
5.4. Asset and Data
5.4.1. Information classification and Data handling
Clearly, one of the most important steps in the security concept is the
organization of our data, which can be both physical and logical.
Besides, the IT team is responsible for organizing the labels of the
equipment and their security perimeter, and also for deciding logically about many
things, such as how to store our data and keep it secure at all times.
5.4.2. Database security (Proposed)
Every company actually uses a database to store its data, which is
why, when creating a database, it is important to get all the necessary
information about data confidentiality and the database owners, and to ensure that the
same login is not applied across all databases. Clearly, to avoid risks,
it is better to establish the same process for new database requests.
Communication with the database
should be strictly controlled, which means the existence of the database in a
DMZ and making it impossible for external parties to communicate with it, so that an
attacker will not be able to sniff the information from outside.
Clearly, the firewall rules
are used by both the server and the database to reject connection attempts from
IP addresses that seem dangerous.
It is important to start by identifying the needed level of protection and
encryption for each database. Having ensured complete visibility into what is
happening across our databases, we strengthen security and streamline
compliance by reducing the risk of missing suspicious activities.
SSL helps us to protect our data against the threat of malicious activity by
performing real-time encryption and decryption. When we encrypt our database,
the associated backups and transaction log files are encrypted without requiring
any changes to our applications.
A timely deployment of current
versions of SQL service packs and cumulative updates will advance the stability of
The use of Nessus could also help us
to detect missing updates.
5.5. Access control
5.5.1. User roles and responsibilities
The second point we discuss is access control (Requirement 7 & Access control) in the web application.
It is an important
step to limit access to system components and data to only those individuals
whose job requires such access.
It is important to define the access requirements for each role, including the
system components and data resources that each role must access for its
function and the level of privileges required (e.g. system administrator, user)
to access resources.
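The per-role access requirements described above can be checked mechanically. The following is an added example, not code from the thesis: it encodes a constructed role matrix (roles, components and privilege levels are assumptions for illustration), refuses anything not explicitly granted, and runs the same check over constructed access-log lines to flag requests that exceed a role's needs.

```python
# Added example, not part of the thesis: a least-privilege check by role,
# plus an audit pass over constructed access-log lines. Roles, components
# and privilege levels are assumptions made for illustration.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Privilege levels, ordered from lowest to highest.
LEVELS = {"read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class Role:
    name: str
    grants: Dict[str, str] = field(default_factory=dict)  # component -> highest level needed


# Constructed role matrix: each role lists only the components its job needs.
ROLES = {
    "system_administrator": Role("system_administrator",
        {"web_server": "admin", "app_server": "admin", "database": "admin"}),
    "developer": Role("developer", {"app_server": "write", "database": "read"}),
    "accountant": Role("accountant", {"finance_db": "write"}),
    "user": Role("user", {"web_app": "read"}),
}


def is_allowed(role_name: str, component: str, level: str) -> bool:
    """Deny by default: an unknown role, an unknown component, an unknown
    level, or a request above the granted level is refused."""
    role = ROLES.get(role_name)
    if role is None or level not in LEVELS:
        return False
    granted = role.grants.get(component)
    if granted is None:
        return False
    return LEVELS[level] <= LEVELS[granted]


# Constructed log format: "<timestamp> user=<name> role=<role> component=<c> level=<l>"
LOG_RE = re.compile(r"^(\S+) user=(\S+) role=(\S+) component=(\S+) level=(\S+)$")


def audit_access_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, user, component, level) for every request the role
    matrix does not permit. Malformed lines are reported too, because a
    request that cannot be parsed cannot be shown to be legitimate."""
    violations = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            violations.append(("?", "?", line.strip(), "unparsed"))
            continue
        ts, user, role, component, level = m.groups()
        if not is_allowed(role, component, level):
            violations.append((ts, user, component, level))
    return violations


# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-03-01T09:00:00Z user=alice role=system_administrator component=database level=admin",
    "2024-03-01T09:05:00Z user=bob role=developer component=database level=read",
    "2024-03-01T09:07:00Z user=bob role=developer component=database level=write",
    "2024-03-01T09:10:00Z user=carol role=user component=app_server level=read",
]

if __name__ == "__main__":
    for v in audit_access_log(SAMPLE_LOG):
        print("VIOLATION", v)
```

Run over the sample log, the audit flags bob's write to the database (his role only needs read) and carol's request to the application server (her role is not granted that component at all); the administrator's request passes because it is within the granted level.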
5.5.2. System and application access control
Hackers and computer scientists can use inexpensive advanced programs
that allow them to create or even buy rainbow tables that can crack weak
passwords in real time.
To store passwords today, it is important to combine cryptographic
algorithms, which are an excellent example of algorithms that can be
used safely to store a password.
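The defence against precomputed (rainbow) tables is a per-user random salt combined with a deliberately slow key-derivation function. The block below is an added example, not code from the thesis, using PBKDF2-HMAC-SHA256 from the Python standard library; the storage format and the iteration count are assumptions. The unsalted single hash is shown alongside only to make the weakness visible: equal passwords give equal digests, so one table serves against every user.

```python
# Added example, not from the thesis: salted, iterated password hashing with
# PBKDF2-HMAC-SHA256, shown beside the unsalted single hash that rainbow
# tables are built against. Storage format and iteration count are assumed.
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000   # assumed cost parameter; raise as hardware allows


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Equal passwords give equal
    digests, so a precomputed table serves against every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'algo$iterations$salt_b64$key_b64'. A fresh random salt per
    user makes precomputed tables useless, and the iteration count makes
    each guess expensive for an attacker who obtains the stored values."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time, so timing does not reveal how many bytes matched."""
    try:
        algo, iterations, salt_b64, key_b64 = stored.split("$")
        rounds = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
    except ValueError:
        return False          # malformed record: never accept
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def salt_makes_hashes_differ(password: str) -> bool:
    """Two users with the same password get different stored values."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong rejected:", not verify_password("wrong", record))
```

The stored string carries its own salt and cost, so the iteration count can be raised later and old records re-hashed at the user's next successful login without a format change.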
Strong cryptography should assure all these points:
Confidentiality is the assurance that information is readable by
Data integrity is the assurance that data is not modified in an
unauthorized manner. Cryptographic mechanisms such as digital signatures can be
used to detect modifications if they happen.
Authentication: cryptography can provide two
types of authentication services, integrity authentication and source
authentication, through digital signatures and several key-agreement techniques.
Authorization, which means the permission for access, can be
supported through the use of a cryptographic service that provides a
key to allow access.
The goal of
cryptography is to protect our data using a symmetric or asymmetric method.
It is strictly
forbidden for web applications to send this data in clear text.
Clearly, it is important
to use an SSL session or an IPsec tunnel when we send the data.
The web application server needs
to send sensitive data to the database. To secure the communication and the
exchange between both, we should use SSL to encrypt the communication.
AES and RSA
are really important in the encryption of data.
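The data-integrity point above (a cryptographic tag detects unauthorized modification) can be shown concretely. The following is an added example, not code from the thesis: the thesis names digital signatures, and an HMAC is their symmetric-key counterpart available in the Python standard library, so it is used here as a stand-in. The shared key, the record sent from the application server to the database and the modification are all constructed. The unkeyed checksum is included only to show why a plain hash is not an integrity control: whoever changes the record can recompute it.

```python
# Added example, not from the thesis: detecting modification of a record in
# transit with a keyed tag (HMAC-SHA256), contrasted with an unkeyed
# checksum. Key, record and modification are constructed placeholders.
import hashlib
import hmac
import json

SHARED_KEY = b"placeholder-key-provisioned-out-of-band"   # assumed, not real


def canonical(record: dict) -> bytes:
    """Serialize deterministically so sender and receiver tag the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def plain_checksum(record: dict) -> str:
    """Unkeyed hash: anyone who alters the record can recompute it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def receiver_checks_checksum(record: dict, received: str) -> bool:
    return received == plain_checksum(record)


def make_tag(record: dict, key: bytes = SHARED_KEY) -> str:
    """Keyed tag: computing it requires the key the receiver also holds."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_tag(record: dict, received: str, key: bytes = SHARED_KEY) -> bool:
    # Constant-time comparison so timing does not leak partial matches.
    return hmac.compare_digest(make_tag(record, key), received)


def simulate_modification() -> dict:
    """Sender emits a record with both protections; a party without the key
    changes the amount and recomputes what it can. Returns which
    mechanism exposes the change at the receiver."""
    original = {"from": "app-server", "to": "database",
                "account": "ACC-001", "amount": 100}
    sent_checksum = plain_checksum(original)
    sent_tag = make_tag(original)

    modified = dict(original, amount=100000)
    forged_checksum = plain_checksum(modified)   # possible without any secret
    # The tag cannot be recomputed without SHARED_KEY, so the old one is replayed.

    return {
        "untouched_record_accepted": verify_tag(original, sent_tag)
                                     and receiver_checks_checksum(original, sent_checksum),
        "checksum_detects_change": not receiver_checks_checksum(modified, forged_checksum),
        "tag_detects_change": not verify_tag(modified, sent_tag),
    }


if __name__ == "__main__":
    print(simulate_modification())
```

With an asymmetric signature the receiver would hold only the public key, which additionally gives source authentication; the detection logic at the receiver is the same shape as `verify_tag`.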
Physical and Environmental Security Policy Objective
The security of a web application in a company is related to the whole security of
the company, which is why we decided to write a physical security policy
about the secure areas in the company and the equipment that should be
5.8. Operation management
The first step to
secure a web application in a company is based on the point “operation
management”, which means being sure of the existence of a firewall protecting
the web application, based on the first
point of PCI compliance & operation security (27002).
Figure 16: web
5.8.1. Protection from malware
Web Application Firewall (WAF)
Clearly, one of the most effective pieces of equipment against
malware is the web application firewall.
The WAF is designed to protect the web application
against a variety of different threats. These include, for example, SQL
injection attacks, script injection attacks, cross-site scripting (XSS)
attacks, or buffer overflow attacks. Also, unauthorized access to certain
areas of the web server can be avoided.12
It provides protection for web applications by
analyzing traffic between clients and web servers at the application level. It can
monitor, filter and block HTTP traffic, and is installed directly on the
In contrast to a normal firewall, the data is not
examined at the network and protocol level, but directly at the application level.
Often, traditional firewalls and the WAF are used
together and analyze communication and data in successive steps.
During the analysis, the application firewall
observes both the data sent by the web server and the data received.
A WAF examines all queries sent to a web server and
firewall detects suspicious or dangerous patterns, it prevents further
communication of the respective client or entire data streams. In addition to
predefined patterns, application firewalls are usually capable of
recognizing dangerous or forbidden traffic through an advanced learning phase.
While network firewalls only analyze sender and
destination addresses or the ports and network services used for the
communication, the WAF works directly at the application level. This
provides additional protection beyond the existing network filters. It can close
vulnerabilities of applications that have not been updated, and may cover
several attack targets behind the WAF through a single filter.
DMZ Zone (Web application model)
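The "predefined patterns" and "no further communication from that client" behaviour described for the WAF can be illustrated in a few dozen lines. The block below is an added example, not code from the thesis or from any WAF product: the rule set, the request format, the client addresses and the sample traffic are all constructed, and a production WAF ships far larger rule sets and normalizes input more thoroughly than the two-pass URL decoding shown here.

```python
# Added example, not from the thesis: a minimal signature-based inspection
# step of the kind a WAF applies per HTTP request, plus the "block further
# traffic from that client" behaviour. Rules, requests and addresses are
# constructed for illustration.
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed "predefined patterns". Each maps a rule name to a regex.
SIGNATURES = [
    ("sqli_tautology",    re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("sqli_union",        re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("xss_script_tag",    re.compile(r"<\s*script\b", re.I)),
    ("xss_event_handler", re.compile(r"\bon(load|error|mouseover|click)\s*=", re.I)),
    ("path_traversal",    re.compile(r"(\.\./|\.\.\\){2,}")),
]


def normalize(value: str) -> str:
    """URL-decode up to twice so an encoded payload is inspected in the same
    form as a plain one; stop early when decoding changes nothing."""
    for _ in range(2):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(request: Dict[str, str]) -> List[str]:
    """Return the names of all rules matching the path, query or body."""
    text = " ".join(normalize(request.get(k, "")) for k in ("path", "query", "body"))
    return [name for name, rx in SIGNATURES if rx.search(text)]


class Waf:
    """Per-request decisions: forwarded, blocked (first hit), or dropped
    (client already blocked, so no further communication is allowed)."""

    def __init__(self) -> None:
        self.blocked_clients = set()
        self.log = []   # (client, decision, matched rules)

    def handle(self, client: str, request: Dict[str, str]) -> str:
        if client in self.blocked_clients:
            self.log.append((client, "dropped", []))
            return "dropped"
        hits = inspect(request)
        if hits:
            self.blocked_clients.add(client)
            self.log.append((client, "blocked", hits))
            return "blocked"
        self.log.append((client, "forwarded", []))
        return "forwarded"


# Constructed sample traffic (documentation-range addresses).
SAMPLE_TRAFFIC = [
    ("203.0.113.10", {"path": "/products", "query": "id=42"}),
    ("203.0.113.10", {"path": "/search", "query": "q=laptop"}),
    ("198.51.100.7", {"path": "/login", "body": "user=admin'+OR+'1'%3D'1&pass=x"}),
    ("198.51.100.7", {"path": "/products", "query": "id=42"}),      # benign, but client is blocked
    ("192.0.2.33",   {"path": "/comment", "body": "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}),
]


def run_sample() -> List[str]:
    waf = Waf()
    return [waf.handle(client, req) for client, req in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for (client, req), decision in zip(SAMPLE_TRAFFIC, run_sample()):
        print(decision, client, req)
```

The fourth request is benign on its own, yet it is dropped: once a client has tripped a rule, the WAF stops forwarding that client's traffic, which is the behaviour the text describes. The decision log is what the logging and monitoring section below would feed into a SIEM.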
5.8.2. Logging and monitoring
Basically, if a company wants to log and monitor its
system, intrusion detection and prevention systems provide a good
opportunity to assure that.
“An IPS is an active system that sits on the network
behind the firewall and intercepts network traffic, analyses it and stops anything
“Whereas an IDS is a passive system; it doesn’t stop
network traffic, but instead raises alerts and sends messages if something
happens”, and the administrator should take the important steps to handle this
notification. IPS and IDS appliances can be either behavior based or signature
based, where the signatures are a database containing all kinds of vulnerabilities
that the appliance could detect directly.
It’s good to have a combination of components for
maximum network security.13
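The IDS/IPS distinction above (alert only versus alert and stop) and the behaviour-based mode can be shown with one small sensor. The following is an added example, not code from the thesis or from any IDS product: it reads constructed connection-log lines, raises an alert when a single source touches more than a threshold of distinct destination ports inside a time window (a simple port-sweep behaviour), and in IPS mode additionally drops later traffic from that source. The log format, threshold and window are assumptions.

```python
# Added example, not from the thesis: a behaviour-based sensor run over
# constructed connection-log lines, in IDS mode (alert only) or IPS mode
# (alert and drop the source afterwards). Format, threshold and window are
# assumptions for illustration.
from collections import defaultdict, deque
from typing import Dict, List

# Constructed log lines: "<epoch_seconds> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = [
    "1000 10.0.0.5 10.0.1.20 443",
    "1001 10.0.0.5 10.0.1.20 443",
    "1002 10.0.0.9 10.0.1.20 22",
    "1002 10.0.0.9 10.0.1.20 23",
    "1003 10.0.0.9 10.0.1.20 25",
    "1003 10.0.0.9 10.0.1.20 80",
    "1004 10.0.0.9 10.0.1.20 110",
    "1004 10.0.0.9 10.0.1.20 143",
    "1005 10.0.0.9 10.0.1.20 443",
    "1090 10.0.0.5 10.0.1.20 443",   # outside the window of its earlier lines
]


class Sensor:
    """Alerts when one source contacts more than `max_ports` distinct
    destination ports within `window` seconds."""

    def __init__(self, mode: str = "ids", max_ports: int = 5, window: int = 60) -> None:
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode, self.max_ports, self.window = mode, max_ports, window
        self.recent = defaultdict(deque)   # src -> deque of (timestamp, port)
        self.alerts: List[str] = []
        self.blocked = set()

    def process(self, line: str) -> str:
        ts_s, src, dst, port_s = line.split()
        ts, port = int(ts_s), int(port_s)
        if src in self.blocked:
            return "dropped"                     # IPS: source already stopped
        window = self.recent[src]
        window.append((ts, port))
        while window and ts - window[0][0] > self.window:
            window.popleft()                     # forget events older than the window
        distinct = {p for _, p in window}
        if len(distinct) > self.max_ports:
            self.alerts.append(
                f"{ts} {src} reached {len(distinct)} ports on {dst} within {self.window}s")
            if self.mode == "ips":
                self.blocked.add(src)
                return "blocked"
            return "alerted"                     # IDS: notify, let traffic through
        return "passed"


def run(mode: str) -> Dict[str, object]:
    sensor = Sensor(mode)
    decisions = [sensor.process(line) for line in SAMPLE_LOG]
    return {"decisions": decisions, "alerts": sensor.alerts,
            "blocked": sorted(sensor.blocked)}


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, run(mode))
```

In IDS mode the sweeping source produces two alerts and every line still passes through, so the administrator must act on the notification; in IPS mode the first alert blocks the source and its next connection is dropped by the sensor itself. The signature-based mode the text also mentions would replace the port-count rule with a lookup against a vulnerability-pattern database while keeping the same alert/block split.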
5.8.3. Information systems audit considerations
Nessus could be a very good option to audit the system
periodically and get the important information we need about our network;
it could help our IT team to install missing patches or find
misconfigurations in a server or an application.
5.9. Communication security
A company should monitor and audit
any use of its computing and communication networks, and access or retrieve
any material or data that is accessed, stored or transmitted on or via these
One of the most important tools
we could use is Wireshark, because it is able to sniff different IP frames and
analyze their contents.
E-mail and Internet access are automatically recorded and may be monitored.
5.9.1. Web Server
attacks originate over the network. But a big majority of these attacks can be
blocked even before they touch our web application.
close all ports and open only the ones we need; we should also scan them and block
attacking IPs, so that valid users come directly to a standard service
port and request the information they need.
should segregate private and public networks, which is why only our web server and mail
server should be open to the public. All others, such as the application server,
database server and backup server, should be off limits to direct access.
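The segregation rules just stated, and the database rule from section 5.4.2 that only the application tier should be able to reach the database, can be verified against an inventory of what each host actually listens on. The following is an added example, not code from the thesis: the hosts, zones, ports and allowed sources are constructed, and a real check would take its input from the firewall rule set or from scan results rather than from a hand-written table.

```python
# Added example, not from the thesis: a policy check over a constructed
# host inventory implementing two rules from the text, (1) only the web and
# mail servers expose services to the public network and (2) the database
# port is reachable only from the application server. Names, zones and
# ports are assumptions for illustration.
from typing import Dict, List, Set, Tuple

# host -> (zone, {listening port: set of sources allowed to reach it})
# Sources are zone names ("public", "dmz", "internal", "admin") or host names.
Inventory = Dict[str, Tuple[str, Dict[int, Set[str]]]]

# The only services permitted to face the public network.
PUBLIC_ALLOWED: Dict[str, Set[int]] = {"web-01": {443}, "mail-01": {25, 587}}

# Ports whose sources are restricted to an explicit set (here: the database).
RESTRICTED: Dict[str, Dict[int, Set[str]]] = {"db-01": {5432: {"app-01"}}}

# Constructed inventory as it might be observed, containing two mistakes.
OBSERVED: Inventory = {
    "web-01":    ("dmz",      {443: {"public"}, 22: {"admin"}}),
    "mail-01":   ("dmz",      {25: {"public"}, 587: {"public"}, 22: {"admin"}}),
    "app-01":    ("internal", {8080: {"dmz"}, 22: {"admin"}}),
    "db-01":     ("internal", {5432: {"app-01", "public"}, 22: {"admin"}}),   # wrong
    "backup-01": ("internal", {873: {"internal"}, 22: {"public"}}),           # wrong
}

# The same inventory with both mistakes corrected.
HARDENED: Inventory = {
    "web-01":    ("dmz",      {443: {"public"}, 22: {"admin"}}),
    "mail-01":   ("dmz",      {25: {"public"}, 587: {"public"}, 22: {"admin"}}),
    "app-01":    ("internal", {8080: {"dmz"}, 22: {"admin"}}),
    "db-01":     ("internal", {5432: {"app-01"}, 22: {"admin"}}),
    "backup-01": ("internal", {873: {"internal"}, 22: {"admin"}}),
}


def find_violations(inventory: Inventory,
                    public_allowed: Dict[str, Set[int]] = PUBLIC_ALLOWED,
                    restricted: Dict[str, Dict[int, Set[str]]] = RESTRICTED
                    ) -> List[Tuple[str, int, str]]:
    """Return (host, port, reason) for every listener that breaks a rule."""
    violations = []
    for host, (_zone, ports) in inventory.items():
        for port, sources in ports.items():
            # Rule 1: nothing faces the public network unless explicitly listed.
            if "public" in sources and port not in public_allowed.get(host, set()):
                violations.append((host, port, "exposed to public network"))
            # Rule 2: restricted ports accept only their listed sources.
            allowed = restricted.get(host, {}).get(port)
            if allowed is not None:
                extra = sources - allowed
                if extra:
                    violations.append((host, port, "reachable from " + ", ".join(sorted(extra))))
    return violations


if __name__ == "__main__":
    for v in find_violations(OBSERVED):
        print("VIOLATION", v)
    print("hardened inventory violations:", find_violations(HARDENED))
```

Against the observed inventory the check reports the database port twice (it faces the public network, and it accepts a source beyond the application server) and the backup server's SSH port once; the hardened inventory passes cleanly, which is the state the firewall rules should produce.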
5.9.2. DNS application server
The Domain Name System (DNS) is the distributed database used
to map domain names to IP addresses.
Basically, attackers can harm the
server by using denial-of-service attacks on DNS; attackers can prevent email
from being delivered to and from our network, disable most commerce applications,
and redirect all web server queries to a non-existent server.
Clearly, sharing DNS
with other services on a server is explicitly prohibited, and most important is
the existence of an internal firewall that should be installed on the server.
Basically, only SSH access should be allowed to the server.
To be more secure,
SNMP requests should be controlled by the firewall.
5.10. Incident security management
An incident response
policy is important as it guides the Incident Response Team on what actions
need to be taken during certain incidents.
This strategy touches upon
the security incidents affecting the company and surely the IT systems. Another
important point is the loss of information that could happen, which
makes the definition of risk really important to decide the security needs,
and finally the calculation of the loss that could happen.
To protect our
company, all employees have a responsibility to assure the CIA and to report
suspected information, so we can take action to minimize the threats.
Based on configuration items, including procedures
for recovery, it is important to record certain details:
Time and date of the incident
Who (or what) reported the incident
Nature of the incident
When the incident occurred
Hardware or software involved
Points of contact for involved personnel
The response to an incident
depends on its severity. To handle the problem we should answer the
Is it affecting business as usual?
Is there an insider threat?
What is the revenue loss? 14
The IT team will take all the actions needed to solve any problem, and an
evaluation will be done at the same time.
5.11. Maintenance and development
5.11.1. Security requirements of information systems
The change or the improvement of the IT system must
be formally documented and indicate the security controls that are implemented.
Clearly, a change in the system must be supported by
a full audit trail.
Basically, there must be a sufficient level of
detail provided in the system’s Risk assessment to allow a thorough assessment
of any associated application’s security architecture and configuration.
The use of encryption products and encrypted
material must comply with current legislation.
The use of
digital signatures must be considered where there is a need to verify the
origin and the integrity of information.
5.11.2. Security in development and support processes
Appropriate controls and procedures must be in place to allow the
system to reliably recover in the event of a system failure.
Disaster recovery plans must be documented, and specify plans or manual
processing procedures that must be followed in the case of an extended loss of
the system. Those plans must be regularly tested.
Management is a process that helps to minimize
the impact of the risks that could affect its system.
A good categorization
of the risks is an important task we should carry out to know how to behave at
the right moment.
The main idea is to
categorize the risks in 3 categories and give the roles and responsibilities to
A recovery process
scenario should be respected as well and give the company the possibility to
manage the problem in the best way.
A set of documents should be filled in if
a problem happens.
1 (PCI-DSS-VEREINBARUNG, 2016)
4 (Perkins, 2015)
5 (Rouse M. ,
6 (Economics, 2014)
7 (Alexander, 2017)
8 (herderhen, 2017)
9 (Magoha, 2014)
11 (Kirill.F, 2016)
12 (Rouse M. , 2015)
14 (Arora, 2010)