PROPOSED STRUCTURE FOR HIGH LEVEL SECURITY
Adnan G. Abuarafah, Faculty of Computer and Information Systems, Umm Al-Qura University, Makkah, Saudi Arabia
Mohamed Osama Khozium, Faculty of Computer and Information Systems, Umm Al-Qura University, Makkah, Saudi Arabia

Increasing technology trends have exposed each infrastructure to new hazards. Present information policies are not readily equipped with up-to-date analysis of the problems suffered throughout networks. This paper addresses not only technical security issues but also provides managerial solutions. It practically targets resource allocation, keeping in view new management issues with their technical adoption to available parameters. The technical solution provided is strategic in nature but comes with self-assessment criteria. System reliability issues with security complexities can now be targeted effectively.

Keywords: Security Risks, Security Process Management, Security Assessment, Security Plans,
Security Model, Security Audit

Every movement that comes to us brings new challenges, and the rising slogan of IT has brought new horizons to our attention. Today continuous progress and service delivery have changed business imperatives, as IT security has become an integral part of any infrastructure.

Continuous advancements in information technology have opened up a number of possible security threats; vulnerabilities and security incidents are even rising in pace despite the efforts made at national or international level.

The current problems faced by organizations are not only the rising trends in information technology but also their unrealistic approach to coping with an evolving environment, which has caused the world the loss of billions of US dollars.

Here is some data from the real world:
1.1 Computer fraud in the U.S. alone exceeds $3 billion each year.
1.2 Less than 1% of all computer fraud cases are detected.
1.3 Over 90% of all computer crime goes unreported.
1.4 “Although no one is sure how much is lost to EFT (Electronic Funds Transfer) crime annually, the consensus is that the losses run in the billions of dollars. Yet few in the financial community are paying any heed.”
1.5 Average computer bank theft amounts to $1.5 million each year.

Actually, the probability of loss is not based upon mathematical certainty; it is a consideration of the likelihood that a loss risk event may occur in the future, based upon historical data, the history of like events at similar enterprises, the nature of the neighborhood, immediate vicinity, overall geographical location, political and social conditions, and changes in the economy, as well as other factors that may affect probability.

All solutions are still necessary to manage the risk; options include the security measures available to reduce the risk of the event. Equipment or hardware, policies and procedures and management practices, and staffing are the general categories of security-related options.

Service providers claiming to protect with the help of a sum of tools, meanwhile, are providing unreliable results, and that has been caused by security programs that do not extend their boundaries to a combined approach of people, process and technologies.

Even interdepartmental collaboration to manage effective processes is not up to the mark needed to achieve a high level of IT security across any organization.

The rest of the paper is organized as follows. The next section provides an overview of general threats. Section three highlights the sources of threats and possible impacts. In section four the projected risk assessment problem will be discussed. In section five we will describe the proposed structure for security assessment. Section six introduces the risk assessment procedure, while section seven concludes the paper.

2 OVERVIEW ON GENERAL THREATS

A threat is a person, place, or thing that has the potential to access resources and cause harm. Threats can originate from two primary sources: humans and catastrophic events. Human threats can subsequently be broken down into two categories: malicious and nonmalicious. Nonmalicious “attacks” usually come from users and employees who are not properly trained on computers and who are not aware of various computer security threats. Malicious attacks usually come from external people or disgruntled current or ex-employees who have a specific goal or objective to achieve.

In fact there are literally hundreds of ways to categorize threats; in general, threats can be listed as follows:

2.1 Human Error:
• Accidental destruction, modification, disclosure, or incorrect classification of information.
• Ignorance: inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge (e.g. system administrators).
• Workload: too many or too few system administrators. Highly pressurized users.
• Users may inadvertently give information on security weaknesses to attackers.
• Incorrect system configuration.
• The security policy is not adequate.
• The security policy is not enforced.
• The security analysis may have omitted something important, or be simply wrong!

2.2 Dishonesty: fraud, theft, embezzlement, selling of confidential corporate information.

2.3 Attacks By Social Engineering:
• Attackers may use the telephone to impersonate employees to persuade users / administrators to give username/passwords/modem numbers etc.
• Attackers may persuade users to execute Trojan horse programs.

2.4 Abuse of privileges / trust.
2.5 Unauthorized use of "open" terminals/PCs.
2.6 Mixing of test and production data or environments.
2.7 Introduction of unauthorized software or hardware.
2.8 Time bombs: software programmed to damage a system on a certain date.
2.9 Operating System Design errors: Certain systems were not designed to be highly secure (e.g. PCs, many UNIX versions).
2.10 Protocol Design errors: Certain protocols were not designed to be highly secure. Protocol weaknesses in TCP/IP can result in:
   • Source routing, DNS spoofing, TCP sequence guessing and unauthorized access are achievable.
   • Hijacked sessions and authentication session / transaction replay are possible → data is changed or copied during transmission.
   • Denial of service, due to ICMP bombing, TCP_SYN flooding, large PING packets, etc.
2.11 Logic bomb: software programmed to damage a system under certain conditions.
2.12 Viruses (in programs, documents and email attachments).

3 SOURCES OF THREATS AND POSSIBLE IMPACTS

3.1 Sources of threats
a. Political espionage.
b. Commercial espionage. Since the end of the cold war, the entire intelligence community has undergone a significant shift from classical east-against-west spying to each-country-must-protect-its-economy. Former KGB and CIA employees are now working as freelance commercial intelligence services. Sources of such espionage are competitors (domestic and international).
c. Employees:
   • Disgruntled employees and (former) employees.
   • Bribed employees.
   • Dishonest employees (possible at all levels: from top management down). System & security administrators are "high-risk" users because of the confidence required in them. Choose with care.
d. Hackers:
   • Beginners: know very little, use old, known attack methods.
   • Braggers: are learning a lot, especially from other hackers. They seek gratification by bragging about their achievements.
   • Experts: highly knowledgeable, self-reliant, inventive, try to be invisible. They may provide tools/information to the braggers to launch attacks, which hide their own, more subtle attacks.
e. Contractors / vendors who have access (physical or network) to the systems.
f. Organized crime (with goals such as blackmail, extortion etc.).
g. Private investigators, "mercenaries", "free
h. Law enforcement & government agencies (local, national and international), who may or may not be correctly following legal procedures.
i. Journalists looking for a good story.

3.2 Possible Impacts
Impacts are very business specific, depending on the assets, the type of business, and the current countermeasures (IT infrastructure). Impacts describe the effect of a threat. The impact may also depend on the length of time that business functions are disrupted.

The following is a list of some basic impacts that a company may be subjected to:
• Disclosure of company secrets, disclosure of customer data, disclosure of accounting data.
• Modification of accounting data or customer data.
• Attackers impersonating the company or its customers.
• Bad company publicity: hacker security breaches publicized.
• Bad company publicity: customer information modified/deleted/publicized.
• Bad division publicity: external attackers used a particular division as an entry point to the corporate network.
• Major disruption of business functions.
• Major disruption of the network.
• Loss of customer confidence (if the disruption lasts for a longer period of time, or occurs frequently, customers would probably be lost).
• The company may be legally prosecuted (negligence, breaking the law or regulatory requirements).
• Reduction of quality of service.
• Possible gains for competitors and thus loss of revenue.
• The corporate network may be used as a base by attackers for attacking other sites.
• The corporate network may distribute software containing attacker software.
• Electronic fraud.

4 PROJECTED RISK ASSESSMENT PROBLEM

For effective risk management, sound business decisions with continuous monitoring over assets and all issues related to their sensitivity and criticality are needed. Along with their associated assets, proper decisions are needed to work up risk management plans that can have an impact on departments and the organization’s environment as well.

Today several standards adopted at national and international level are needed, with all their classifications, and are to be managed with up-to-date, continuous, coordinated directions for service providers. Here not only technical but also operational issues are to be targeted in a well-established way.

Information management can provide continuity of plans and collaborative IT security where the availability of critical services is always ensured to its maximum level. For that, the organization has to apply self-assessment criteria for continuous planning so that measured results can be inferred from resources, with evolving security plans that can recognize and provide remedial actions for the organization.

Information management plans can lead us towards effective planning that enables us to audit administrative and functional areas of IT in terms of the resources and finance concerned, along with a positive reporting process.

5 PROPOSED STRUCTURE FOR SECURITY ASSESSMENT

Traditional approaches like intrusion detection systems generally detect unwanted manipulations of computer systems, mainly through the Internet. The manipulations may take the form of attacks by crackers. But in our proposed approach we focus on the behavior of the employee of the organization.

The following figures are included as an example, to give an idea of what is going on in the real world:
• Common causes of damage: Human Error 52%, Dishonest people 10%, Technical Sabotage 10%, Fire 15%, Water 10% and Terrorism 3% (Figure 1).
• Who causes damage? Current employees 81%, Outsiders 13%, Former employees 6% (Figure 2).
• Types of computer crime: Money theft 44%, Damage of software 16%, Theft of information 16%, Alteration of data 12%, Theft of services 10%, Trespass 2%.

Figure 1: The common causes of damage in security area (categories shown: Human Error, Dishonest People, Technical Sabotage, Fire, Water, Terrorism)

From sections 3 and 4, once the threats, impacts and corresponding risks have been listed and the constraints have been analyzed, the significant business risks (or weaknesses) will be more evident, allowing a counter strategy to be developed.

The formulation of the following steps can enhance the information security structure for any organization, i.e.
1. Identify Security Deficiency
2. Continuous IT planning for technical & operational tasks
3. Self Assessment mechanism
4. Audit Process planning
5. Incident handling procedures
6. Information recovery methodology
7. Back up of Data & Configuration
8. Incident Impacts
9. Future Security Visions
10. Quality measures for security

Figure 2: Types of employees who cause damage in security area

Whereas for any effective plan, senior management should always be involved in the implementation process that boundness can bring true strategy of

Current infrastructure providing physical security measures has not proved adequate, because potentially large-scale undefined problems cannot be limited to a few workstations. Security safeguards need to be improved via identification and authentication where a low-risk environment prevails. While considering security procedures, access privileges need to be monitored and controlled for every level of access.

Organizations have to apply departmental zones with reference to security control and access mechanism. One key mechanism that is often neglected by many organizations is continuous monitoring of network traffic with all its available resources.

As shown in Figure 3, along with proper security standards, controlling is also ensured to identify security breaches and suspected or known security threats. An organizational security plan can be adopted with proper control mechanisms, which are:
1. Physical access controls
2. Device & media controls
3. Procedural controls

With all their departments, organizations should re-evaluate risk assessment plans after a certain period of time, as the tools associated with security are not at a halt. Organizations also have to share their experiences for better control, as tools provided by vendors are sometimes not focused on regional issues.

All technical and operational environments should log the event in case any incident occurs. The management plan should qualify to assess potential impact and proper identification of the system; to tackle this issue, system control should be configured with best

priority as mentioned or described by security advisors as described in Figure 4.

Figure 4: Securing User’s Privacy (labels shown: Departments, IT Division, End Users, Security, Privacy)

6 RISK ASSESSMENT PROCEDURE

Risk assessment should take into account the potential adverse impact on the organization's reputation, operations and assets. Risk assessment should be conducted by teams composed of appropriate managers, administrators and all other personnel associated with those activities.

Organizations need to adopt local notification procedures which include a reporting mechanism, whereas the disaster recovery plan should also specify an emergency procedures plan, including the system documentation required for performing recovery.

Many organizations where proper systems have not been deployed, which are still missing corrective measures or never considered them in their security considerations, need to apply recovery plans along with all possible strategic planning; this should not be limited to management decisions, but communications and actions should also be properly recorded.

Figure 3: Information hierarchy for Security Implementation (labels shown: Management; Security Plan; Creating & Policies; Monitoring & Assessment)

All operational records associated with human’s operations and service delivery should always include risk related to IT system with reference to their

Information security issues can be better targeted if effective risk management plans come into existence. As proposed in this paper, continuous planning along with standards can bring about an IT infrastructure where processes are not only managed, but where effective control along with audit can create awareness among people who can readily initiate action plans for the best security configuration.

We strongly emphasize that, besides physical security measures, the following steps are needed for security advancements in both management and technical areas:
1. Promote a culture of security
2. Raise awareness about the risk of Information systems
3. Enhance confidence level among all participants in information system
4. Adopt the culture of cooperation and information sharing
5. Conduct full risk assessment in accordance with international accredited standards
6. Coordination with departments for regular monitoring of all servers.
7. Develop action plans and milestone for information security

Bishop Matt, "Introduction to computer security", Prentice Hall PTR, 2004.
Boran Sean, "IT security cookbook", linuxsecurity, 2003.
Devoney Chris, "Security in review: yesterday and tomorrow", Enterprise strategies newsletters, esj.com, Dec. 18, 2007.
Glaessner Thomas, "Electronic Security: Risk Mitigation in Financial IT Transactions", The World Bank, June 2002.
Higgins, John C., "National Training Standard for Information Systems Security (INFOSEC) Professionals", Proceedings of the 12th National Computer Security Conference, June 1994.
ISO/IEC 27002, "Code of practice for Information Security Management", BSI Management Systems, 2005.
MSSC, "Securing Windows 2000 server", Microsoft TechNet, 2006.
Pfleeger, Charles P., Security in Computing, Prentice Hall, 1989.
Risk Management Group, "Sound Practices for Management & Supervision of Operational Risk", Bank for International Settlements (BIS), 2003.
Schwartz Mathew, "How to lower security compliance costs", IT compliance institute, June 15, 2005.
Stoneburner G., Goguen A. and Feringa A., "Risk Management Guide for Information Technology Systems", NIST special publication 800-30, July
Swindle Orson, "Cybersecurity and Consumer Data: What's at Risk for the Consumer?", Federal Trade Commission, 2003.
US President’s Information Technology Advisory Committee, "Cyber Security Report", Feb. 2005.
Zamorski Michael, "Audit IT Examination Handbook" and "FFIEC Audit Examination Procedures", US Federal Financial Institutions Examination Council, HB 49, Proc. 27, 2003.