Ubiquitous Computing and Communication Journal

PROPOSED STRUCTURE FOR HIGH LEVEL SECURITY ENHANCEMENT

Adnan G. Abuarafah
Faculty of Computer and Information Systems
Umm Al-Qura University, Makkah, Saudi Arabia
abuarafa@uqu.edu.sa

Mohamed Osama Khozium
Faculty of Computer and Information Systems
Umm Al-Qura University, Makkah, Saudi Arabia
Osama@khozium.com

ABSTRACT
Each new technology trend exposes the infrastructure that adopts it to new hazards. The information security policies in place today are not readily equipped with up-to-date analysis of the problems suffered across networks. This paper addresses not only technical security issues but also provides managerial solutions. It targets resource allocation in a practical way, keeping new management issues in view while adapting the technical side to the parameters available. The technical solution provided is strategic in nature but comes with self-assessment criteria, so that system reliability issues and security complexities can be targeted effectively.
Keywords: Security Risks, Security Process Management, Security Assessment, Security Plans, Security Model, Security Audit
1 INTRODUCTION
Every movement that reaches us brings new challenges, and the rising slogan of IT has brought new horizons to our attention. Today continuous progress and service delivery have changed business imperatives, as IT security has become an integral part of any infrastructure.
The continuous advancement of information technology has opened up a growing number of possible security threats; vulnerabilities and security incidents are rising at an even faster pace despite the efforts made at national and international level.
The problems organizations face today are not only the rising trends in information technology but also their unrealistic approach to coping with an evolving environment, which has cost the world billions of US dollars.
Here is some data from the real world [2],[3]:
1.1 Computer fraud in the U.S. alone exceeds $3 billion each year.
1.2 Less than 1% of all computer fraud cases are detected.
1.3 Over 90% of all computer crime goes unreported.
1.4 Although no one is sure how much is lost to EFT (Electronic Funds Transfer) crime annually, the consensus is that the losses run in the billions of dollars. Yet few in the financial community are paying any heed.
1.5 The average computer bank theft amounts to $1.5 million each year.

Volume 3 Number 3, Page 137
Actually, probability of loss is not based upon mathematical certainty; it is a consideration of the likelihood that a loss risk event may occur in the future, based upon historical data, the history of like events at similar enterprises, the nature of the neighborhood, immediate vicinity and overall geographical location, political and social conditions, and changes in the economy, as well as other factors that may affect probability.
All the options for managing the risk still need to be considered; they include the security measures available to reduce the risk of the event. Equipment or hardware, policies and procedures, management practices, and staffing are the general categories of security related options.
Service providers claiming to protect with the help of a sum of tools are producing unreliable results, because their security programs do not extend their boundaries to a combined approach covering people, process and technologies [1]. Even inter-departmental collaboration to manage effective processes is not up to the mark needed to achieve a high level of IT security across an organization.
The rest of the paper is organized as follows. The next section provides an overview of general threats, section three highlights the sources of threats and possible impacts, and section four discusses the projected risk assessment problem. Section five describes the proposed structure for security assessment, section six introduces the risk assessment procedure, and section seven concludes the paper.

2 OVERVIEW ON GENERAL THREATS

A threat is a person, place, or thing that has the potential to access resources and cause harm. Threats can originate from two primary sources: humans and catastrophic events. Human threats can subsequently be broken down into two categories: malicious and nonmalicious. Nonmalicious attacks usually come from users and employees who are not properly trained on computers and who are not aware of the various computer security threats. Malicious attacks usually come from external people or from disgruntled current or former employees who have a specific goal or objective to achieve [3],[7].
In fact there are literally hundreds of ways to categorize threats; in general, however, they can be listed as follows:

2.1 Human Error:
- Accidental destruction, modification, disclosure, or incorrect classification of information.
- Ignorance: inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge (e.g. among system administrators).
- Workload: too many or too few system administrators; highly pressurized users.
- Users may inadvertently give information on security weaknesses to attackers.
- Incorrect system configuration.
- The security policy is not adequate.
- The security policy is not enforced.
- The security analysis may have omitted something important, or may simply be wrong!
2.2 Dishonesty: fraud, theft, embezzlement, selling of confidential corporate information.
2.3 Attacks by Social Engineering:
- Attackers may use the telephone to impersonate employees in order to persuade users or administrators to give out usernames, passwords, modem numbers etc.
- Attackers may persuade users to execute Trojan horse programs.
2.4 Abuse of privileges / trust.
2.5 Unauthorized use of "open" terminals/PCs.
2.6 Mixing of test and production data or environments.
2.7 Introduction of unauthorized software or hardware.
2.8 Time bombs: software programmed to damage a system on a certain date.
2.9 Operating System Design errors: certain systems were not designed to be highly secure (e.g. PCs, many UNIX versions).
2.10 Protocol Design errors: certain protocols were not designed to be highly secure. Protocol weaknesses in TCP/IP can result in:
- Source routing, DNS spoofing and TCP sequence guessing, through which unauthorized access is achievable.
- Hijacked sessions and authentication session / transaction replay; data may be changed or copied during transmission.
- Denial of service, due to ICMP bombing, TCP SYN flooding, large PING packets, etc.
2.11 Logic bomb: software programmed to damage a system under certain conditions.
2.12 Viruses (in programs, documents and email attachments).

3 SOURCES OF THREATS AND POSSIBLE IMPACTS

3.1 Sources of threats [2]
a. Political espionage.
b. Commercial espionage. Since the end of the cold war, the entire intelligence community has undergone a significant shift from classical east-against-west spying to each-country-must-protect-its-economy. Former KGB and CIA employees are now working as freelance commercial intelligence services. The sources of such espionage are competitors (domestic and international).
c. Employees:
- Disgruntled employees and (former) employees.
- Bribed employees.
- Dishonest employees (possible at all levels: from top management down).
- System and security administrators are "high-risk" users because of the confidence required in them. Choose with care.
d. Hackers:
- Beginners: know very little, use old, known attack methods.
- Braggers: are learning a lot, especially from other hackers. They seek gratification by bragging about their achievements.
- Experts: highly knowledgeable, self-reliant, inventive, try to be invisible. They may provide tools/information to the braggers to launch attacks, which hide their own, more subtle attacks.

e. Contractors / vendors who have access (physical or network) to the systems.
f. Organized crime (with goals such as blackmail, extortion etc.).
g. Private investigators, "mercenaries", "freelancers".
h. Law enforcement and government agencies (local, national and international), who may or may not be correctly following legal procedures.
i. Journalists looking for a good story.
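Two of the TCP/IP weaknesses listed under 2.10, SYN flooding and session/transaction replay, can be recognized in ordinary connection logs. The following Python script is an added example and not code from the paper: it runs over a few constructed log lines (the log format, the thresholds, the field names and the IP addresses are assumptions made for the example), flags a source address that leaves many connections half-open within a short window, and flags a transaction identifier that is presented a second time.

```python
"""Added example: spotting SYN-flood and replay patterns in constructed connection logs.

Log format (assumed for this example):
    <epoch_seconds> <src_ip> <event> <detail>
where event is SYN, ACK or TXN and detail is the destination port (SYN/ACK)
or a transaction identifier (TXN).
"""
from collections import defaultdict, deque

# Constructed sample log: one source opens many SYNs without completing the
# handshake, and one transaction id is replayed.
SAMPLE_LOG = """\
1000 10.0.0.5 SYN 443
1000 10.0.0.5 ACK 443
1001 10.0.0.7 TXN tx-1001-a
1002 10.0.0.9 SYN 443
1002 10.0.0.9 SYN 443
1002 10.0.0.9 SYN 443
1003 10.0.0.9 SYN 443
1003 10.0.0.9 SYN 443
1003 10.0.0.9 SYN 443
1004 10.0.0.7 TXN tx-1001-a
1004 10.0.0.5 TXN tx-1004-b
"""


def parse_log(text):
    """Turn raw log text into (timestamp, src, event, detail) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, event, detail = line.split()
        records.append((int(ts), src, event, detail))
    return records


def detect_syn_flood(records, window=5, threshold=5):
    """Return sources with at least `threshold` half-open SYNs within `window` seconds.

    A SYN counts as half-open until an ACK from the same source is seen;
    SYNs older than `window` seconds fall out of the sliding window.
    """
    pending = defaultdict(deque)   # src -> timestamps of unanswered SYNs
    flagged = set()
    for ts, src, event, _ in records:
        if event == "SYN":
            q = pending[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                flagged.add(src)
        elif event == "ACK" and pending[src]:
            pending[src].popleft()  # handshake completed for the oldest SYN
    return sorted(flagged)


def detect_replay(records):
    """Return transaction ids presented more than once (candidate replays)."""
    seen = set()
    replayed = []
    for _, _, event, detail in records:
        if event != "TXN":
            continue
        if detail in seen and detail not in replayed:
            replayed.append(detail)
        seen.add(detail)
    return replayed


def analyse(text):
    """Run both detectors over a log and return the findings as a dict."""
    records = parse_log(text)
    return {
        "syn_flood_sources": detect_syn_flood(records),
        "replayed_transactions": detect_replay(records),
    }


if __name__ == "__main__":
    for name, hits in analyse(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

The half-open counter is the important part: a source that completes its handshakes is never flagged however many connections it opens, which keeps a busy but legitimate client out of the report. In production the thresholds would be tuned to the observed baseline rather than fixed as here.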
3.2 Possible Impacts
Impacts are very business specific, depending on the assets, the type of business and the current countermeasures (IT infrastructure). Impacts describe the effect of a threat. The impact may also depend on the length of time that business functions are disrupted.
The following is a list of some basic impacts that a company may be subjected to:
- Disclosure of company secrets, disclosure of customer data, disclosure of accounting data.
- Modification of accounting data or customer data.
- Attackers impersonating the company or its customers.
- Bad company publicity: hacker security breaches publicized.
- Bad company publicity: customer information modified/deleted/publicized.
- Bad division publicity: external attackers used a particular division as an entry point to the corporate network.
- Major disruption of business functions.
- Major disruption of the network.
- Fraud.
- Loss of customer confidence (if the disruption lasts for a longer period of time, or occurs frequently, customers would probably be lost).
- The company may be legally prosecuted (negligence, breaking the law or regulatory requirements).
- Reduction of quality of service.
- Possible gains for competitors and thus loss of revenue.
- The corporate network may be used as a base by attackers for attacking other sites.
- The corporate network may distribute software containing attacker software.
- Electronic fraud.
4 PROJECTED RISK ASSESSMENT PROBLEM
For effective risk management, sound business decisions are needed, with continuous monitoring of assets and of all issues related to their sensitivity and criticality. Proper decisions about these assets are needed to work up risk management plans, which can have an impact on departments and on the organization's environment as well [12].
Today several standards adopted at national and international level are needed, with all their classifications, and they must be managed with up-to-date, continuous and coordinated direction for service providers. Here not only technical but also operational issues are to be targeted in a well established way [4].
Information management can provide continuity of plans and collaborative IT security in which the availability of critical services is always ensured to its maximum level. For that, the organization has to apply self-assessment criteria for continuous planning, so that measured results can be inferred from resources, with evolving security plans that can recognize problems and provide remedial actions for the organization [14].
Information management plans can lead us towards effective planning that enables us to audit the administrative and functional areas of IT in terms of the resources and finance concerned, along with a positive reporting process [8].
5 PROPOSED STRUCTURE FOR SECURITY ASSESSMENT
Traditional approaches such as intrusion detection systems generally detect unwanted manipulations of computer systems, mainly through the Internet. The manipulations may take the form of attacks by crackers. In our proposed approach, however, we focus on the behavior of the employees of the organization themselves.
The following figures are included as examples, to give an idea of what is going on in the real world [2],[3]:
- Common causes of damage: Human Error 52%, Dishonest people 10%, Technical Sabotage 10%, Fire 15%, Water 10% and Terrorism 3% (Figure 1).
- Who causes damage? Current employees 81%, Outsiders 13%, Former employees 6% (Figure 2).

- Types of computer crime: Money theft 44%, Damage of software 16%, Theft of information 16%, Alteration of data 12%, Theft of services 10%, Trespass 2%.

Figure 1: The common causes of damage in security area (bar chart of the percentages for Human Error, Dishonest People, Technical Sabotage, Fire, Water and Terrorism listed above).

From sections 3 and 4, once the threats, impacts and corresponding risks have been listed and the constraints have been analyzed, the significant business risks (or weaknesses) will be more evident, allowing a counter strategy to be developed.
The formulation of the following steps can enhance the information security structure of any organization:
1. Identify security deficiencies
2. Continuous IT planning for technical and operational tasks
3. Self-assessment mechanism
4. Audit process planning
5. Incident handling procedures
6. Information recovery methodology
7. Backup of data and configuration
8. Incident impacts
9. Future security visions
10. Quality measures for security

Figure 2: Types of employees who cause damage in security area (pie chart: Current Employees 81%, Outsiders 13%, Former Employees 6%).


For any effective plan, senior management should always be involved in the implementation process, and that binding commitment can bring a true strategy of management.
The physical security measures provided by current infrastructure have not proved adequate, because potentially large scale, undefined problems cannot be limited to a few workstations. Security safeguards need to be improved via identification and authentication wherever a low risk environment prevails. While considering security procedures, access privileges need to be monitored and controlled for every level of access [5].
Organizations have to apply departmental zones with reference to security control and access mechanisms. One key mechanism that is often neglected by many organizations is continuous monitoring of network traffic with all its available resources.
As shown in Figure 3, along with proper security standards, controlling is also ensured in order to identify security breaches and suspected or known security threats. An organizational security plan can be adopted with proper control mechanisms, namely:
1. Physical access controls
2. Device and media controls
3. Procedural controls
Organizations, with all their departments, should re-evaluate their risk assessment plans after certain periods of time, as the tools associated with security do not stand still. Organizations also have to share their experiences for better control, as the tools provided by vendors are sometimes not focused on regional issues [11].
All technical and operational environments should log the event in case any incident occurs. The management plan should be qualified to assess the potential impact and properly identify the system; to tackle this issue, system controls should be configured with best practices [4].
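The paragraphs above call for departmental zones, access privileges that are monitored and controlled at every level, and logging of events. The following Python script is an added example rather than code from the paper: it checks a constructed list of user accounts against a constructed zone policy (the zone names, roles, permission levels and user names are assumptions made for the example), reports every privilege that exceeds what the user's role is allowed in that zone, and records each finding as a log line an auditor could review.

```python
"""Added example: reviewing access privileges against departmental zone policy.

Everything here is constructed for illustration: the zones, the roles, the
permission levels and the user list are not taken from the paper.
"""
import logging

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("access-review")

# Ordered access levels: a user may hold at most the level allowed for
# their role in each zone.
LEVELS = ["none", "read", "write", "admin"]

# Zone policy (assumed): zone -> role -> highest permitted level.
ZONE_POLICY = {
    "finance":  {"accountant": "write", "auditor": "read", "engineer": "none"},
    "servers":  {"engineer": "admin", "accountant": "none", "auditor": "read"},
    "end-user": {"engineer": "write", "accountant": "read", "auditor": "read"},
}

# Constructed user records: (user, role, {zone: granted level}).
USERS = [
    ("alice", "accountant", {"finance": "write", "servers": "none"}),
    ("bob",   "engineer",   {"servers": "admin", "finance": "read"}),   # excess
    ("carol", "auditor",    {"finance": "read", "servers": "admin"}),   # excess
    ("dave",  "engineer",   {"end-user": "write"}),
]


def level_index(level):
    """Map a level name to its rank; unknown names rank highest (fail closed)."""
    return LEVELS.index(level) if level in LEVELS else len(LEVELS)


def review_user(user, role, grants, policy=ZONE_POLICY):
    """Return (zone, granted, allowed) for every grant above the role's ceiling.

    A zone or role missing from the policy is treated as allowing nothing,
    so an undocumented grant is always reported rather than silently accepted.
    """
    findings = []
    for zone, granted in grants.items():
        allowed = policy.get(zone, {}).get(role, "none")
        if level_index(granted) > level_index(allowed):
            findings.append((zone, granted, allowed))
            log.warning("user=%s role=%s zone=%s granted=%s allowed=%s",
                        user, role, zone, granted, allowed)
    return findings


def review_all(users=USERS, policy=ZONE_POLICY):
    """Run the review for every user; returns {user: [findings]} for violators only."""
    report = {}
    for user, role, grants in users:
        findings = review_user(user, role, grants, policy)
        if findings:
            report[user] = findings
    log.info("reviewed %d users, %d with excess privileges", len(users), len(report))
    return report


if __name__ == "__main__":
    for user, findings in review_all().items():
        print(user, findings)
```

Run periodically against an export of the real access lists, the warning lines become the audit trail that section 5 asks for, and the fail-closed handling of unknown zones and levels means a new system that nobody added to the policy shows up in the first review rather than going unnoticed.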

Figure 3: Information hierarchy for Security Implementation (Management Security Plan built on Standards & Policies, Creating Awareness, Monitoring & Controlling, and Risk Assessment).

6 RISK ASSESSMENT PROCEDURE

Risk assessment should take into account the potential adverse impact on the organization's reputation, operations and assets. Risk assessment should be conducted by teams composed of the appropriate managers, administrators and all other personnel associated with those activities [11].
Organizations need to adopt local notification procedures, which include a reporting mechanism, while the disaster recovery plan should also specify an emergency procedures plan, including the system documentation required for performing recovery.
Many organizations where proper systems have not been deployed are still missing corrective measures, or have never considered them in their security planning; they need to apply recovery plans along with all possible strategic planning. This should not be limited to management decisions: communications and actions should also be properly recorded.
All operational records associated with human operations and service delivery should always include the risks related to the IT system, with reference to their priority as described by security advisors, as shown in Figure 4.

Figure 4: Securing Users' Privacy (Departments, IT Division, End Users, Security, Privacy).
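As an added example of the risk assessment procedure of section 6 (and of the historical-data view of probability given in section 1), the following Python script builds a small risk register: it estimates an annual rate for each cause of damage from a constructed incident history, falls back to the cause-of-damage shares quoted in Figure 1 as a prior where no history exists, scores impact on the three areas section 6 names (reputation, operations and assets), and ranks the results. It is not code from the paper; the incident history, the impact scores, the baseline event rate and the banding thresholds are all assumptions made for the example.

```python
"""Added example: a small risk register that ranks threats for a risk assessment team.

Likelihood comes from historical incident counts (the organization's own records
or those of comparable enterprises); impact is scored on reputation, operations
and assets. All figures below are constructed for the example, except the
cause-of-damage shares quoted from the paper's Figure 1, used only as a prior.
"""

# Shares of damage by cause, as quoted in the paper (Figure 1), used as a prior
# when the organization has no incident history for a cause.
FIGURE1_SHARES = {
    "human error": 0.52, "dishonest people": 0.10, "technical sabotage": 0.10,
    "fire": 0.15, "water": 0.10, "terrorism": 0.03,
}

# Constructed incident history: cause -> (incidents observed, years observed).
HISTORY = {
    "human error": (13, 5),
    "dishonest people": (2, 5),
    "fire": (0, 5),
}

# Constructed impact scores, 1 (negligible) to 5 (severe), per area.
IMPACT = {
    "human error":        {"reputation": 2, "operations": 3, "assets": 2},
    "dishonest people":   {"reputation": 4, "operations": 3, "assets": 4},
    "technical sabotage": {"reputation": 3, "operations": 5, "assets": 3},
    "fire":               {"reputation": 1, "operations": 5, "assets": 5},
    "water":              {"reputation": 1, "operations": 4, "assets": 4},
    "terrorism":          {"reputation": 3, "operations": 5, "assets": 5},
}

BASELINE_EVENTS_PER_YEAR = 5.0  # assumed total event rate used to scale the prior


def annual_rate(cause, history=HISTORY, prior=FIGURE1_SHARES):
    """Estimate events per year: observed frequency if available, else the prior share."""
    if cause in history:
        count, years = history[cause]
        return count / years
    return prior[cause] * BASELINE_EVENTS_PER_YEAR


def impact_score(cause, impact=IMPACT, weights=None):
    """Weighted mean of the reputation/operations/assets scores (equal weights by default)."""
    weights = weights or {"reputation": 1, "operations": 1, "assets": 1}
    total = sum(weights.values())
    return sum(impact[cause][area] * w for area, w in weights.items()) / total


def risk_level(score):
    """Qualitative band for the likelihood x impact product (thresholds assumed)."""
    if score >= 5.0:
        return "high"
    if score >= 1.5:
        return "medium"
    return "low"


def build_register(causes=tuple(IMPACT)):
    """Return rows (cause, rate, impact, score, level), highest score first."""
    rows = []
    for cause in causes:
        rate = annual_rate(cause)
        imp = impact_score(cause)
        score = round(rate * imp, 2)
        rows.append((cause, round(rate, 2), round(imp, 2), score, risk_level(score)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for cause, rate, imp, score, level in build_register():
        print(f"{cause:<20} rate/yr={rate:<5} impact={imp:<5} score={score:<6} {level}")
```

With the constructed inputs, human error ranks first because its observed rate dominates, even though its per-incident impact is the lowest in the table; that is the point of separating likelihood from impact rather than ranking on severity alone. The `weights` argument of `impact_score` lets a team that values reputation or operations more heavily re-rank the register without touching the data.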

7 CONCLUSION

Information security issues can be better targeted if effective risk management plans come into existence, as proposed in this paper: continuous planning along with standards can bring about an IT infrastructure in which processes are not only managed, but effective control along with audit creates awareness among people, who can then readily initiate action plans for the best security configuration [6], [10].
We strongly assert that, besides physical security measures, the following steps are needed for security advancements in both management and technical areas:
1. Promote a culture of security

2. Raise awareness about the risks of information systems
3. Enhance the confidence level among all participants in the information system
4. Adopt a culture of cooperation and information sharing
5. Conduct full risk assessment in accordance with internationally accredited standards
6. Coordinate with departments for regular monitoring of all servers
7. Develop action plans and milestones for information security

REFERENCES
[1] Bishop Matt, "Introduction to Computer Security", Prentice Hall PTR, 2004.
[2] Boran Sean, "IT Security Cookbook", linuxsecurity, 2003.
[3] Devoney Chris, "Security in Review: Yesterday and Tomorrow", Enterprise Strategies Newsletters, esj.com, Dec. 18, 2007.
[4] Glaessner Thomas, "Electronic Security: Risk Mitigation in Financial IT Transactions", The World Bank, June 2002.
[5] Higgins John C., "National Training Standard for Information Systems Security (INFOSEC) Professionals", Proceedings of the 12th National Computer Security Conference, June 1994.
[6] ISO/IEC 27002, "Code of Practice for Information Security Management", BSI Management Systems, 2005.
[7] MSSC, "Securing Windows 2000 Server", Microsoft TechNet, 2006.
[8] Pfleeger Charles P., "Security in Computing", Prentice Hall, 1989.
[9] Risk Management Group, "Sound Practices for Management & Supervision of Operational Risk", Bank for International Settlements (BIS), 2003.
[10] Schwartz Mathew, "How to Lower Security Compliance Costs", IT Compliance Institute, June 15, 2005.
[11] Stoneburner G., Goguen A. and Feringa A., "Risk Management Guide for Information Technology Systems", NIST Special Publication 800-30, July 2002.
[12] Swindle Orson, "Cybersecurity and Consumer Data: What's at Risk for the Consumer?", Federal Trade Commission, 2003.
[13] US President's Information Technology Advisory Committee, "Cyber Security Report", Feb. 2005.
[14] Zamorski Michael, "Audit IT Examination Handbook and FFIEC Audit Examination Procedures", US Federal Financial Institutions Examination Council, HB 49, Proc. 27, 2003.