copyright © 2015 pearson education, inc. controls for information security chapter 8 8-1

Copyright © 2015 Pearson Education, Inc.

Controls for Information Security

Chapter 8

8-1


Learning Objectives

•Explain how information security affects information systems reliability.

•Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization’s information system.

8-2


8-3


Trust Services Framework

• Security▫Access to the system and data is controlled and

restricted to legitimate users.• Confidentiality

▫Sensitive organizational data is protected. • Privacy

▫Personal information about trading partners, investors, and employees are protected.

• Processing integrity▫Data are processed accurately, completely, in a

timely manner, and only with proper authorization.• Availability

▫System and information are available. 8-4


FUNDAMENTAL INFORMATION SECURITY CONCEPTS•There are three fundamental information

security concepts that will be discussed in this chapter:▫Security as a management issue, not a

technology issue.▫The time-based model of security.▫Defense in depth.


Security Life CycleSecurity is a management issue

8-6


Security Approaches

•Time-based model, security is effective if:▫P > D + C where

P is time it takes an attacker to break through preventive controls

D is time it takes to detect an attack is in progress

C is time it takes to respond to the attack and take corrective action

8-7


TIME-BASED MODEL OF SECURITY•EXAMPLE: For an additional expenditure

of $25,000, the company could take one of four measures:▫Measure 1 would increase P by 5 minutes.▫Measure 2 would decrease D by 3 minutes.▫Measure 3 would decrease C by 5 minutes.▫Measure 4 would increase P by 3 minutes and

reduce C by 3 minutes. •Since each measure has the same cost,

which do you think would be the most cost-effective choice? (Hint: Your goal is to have P exceed (D + C) by the maximum possible amount.)


TIME-BASED MODEL OF SECURITY• You may be able to solve this problem by eyeballing it.

If not, one way to solve it is to assume some initial values for P, D, and C.

• So let’s assume that P = 15 min., D = 5 min., and C = 8 min.

• At our starting point, P – (D + C) = 15 – (5 + 8) = 2 min.• With Measure 1, P is increased by 5 minutes:

▫ 20 – (5 + 8) = 7 min.• With Measure 2, D is decreased by 3 minutes:

▫ 15 – (2 + 8) = 5 min.• With Measure 3, C is decreased by 5 min.

▫ 15 – (5 + 3) = 7 min.• With Measure 4, P is increased by 3 minutes and C is

reduced by 3 min.▫ 18 – (5 + 5) = 8 min.


Security Approaches

•Defense-in-depth▫Multiple layers of control (preventive,

detective, and corrective) to avoid a single point of failure

8-10


How to Mitigate Risk of Attack

Preventive Controls

Detective Controls•People•Process•IT Solutions•Physical security•Change controls

and change management

•Log analysis•Intrusion detection

systems•Penetration testing•Continuous

monitoring

8-11


Preventive: People

1. Culture of security▫Tone set at the top with management

2. Training▫Follow safe computing practices

Never open unsolicited e-mail attachments Use only approved software Do not share passwords Physically protect laptops/cellphones

▫Protect against social engineering

8-12


Preventive: Process

1. Authentication—verifies the person a) Something person knowsb) Something person hasc) Some biometric characteristicd) Combination of all three (multifactor)

8-13


Preventive: Process

2. Authorization—determines what a person can access and what actions they are permitted to perform

▫ Authorization controls are implemented by creating an access control matrix.

Specifies what part of the IS a user can access and what actions they are permitted to perform.

When an employee tries to access a particular resource, the system performs a compatibility test that matches the user’s authentication credentials against the matrix to determine if the action should be allowed.

8-14


• Who has the authority to delete Program 2?

• Which files can user 12354 access?

• Which programs can user 12354 access?

Code Number Password A B C 1 2 3 412345 ABC 0 0 1 0 0 0 012346 DEF 0 2 0 0 0 0 012354 KLM 1 1 1 0 0 0 012359 NOP 3 0 0 0 0 0 012389 RST 0 1 0 0 3 0 012567 XYZ 1 1 1 1 1 1 1

Codes for type of access: 0 = No access permitted 1 = Read and display only 2 = Read, display, and update 3 = Read, display, update, create, and delete

User Identification Files Programs


Preventive: IT Solutions

1. Antimalware controls▫Education▫Protection on all devices▫Centralized patch management▫Regular review of threats▫Filtering of incoming traffic▫Training employees

8-16



2. Network access controls▫ Information sent over the Internet is governed by

TCP/IP, two protocols for transmitting information over the Internet. Transmission Control Protocol (TCP) specifies the

procedures for dividing files and documents into packets and for reassembly at the destination.

Internet Protocol (IP) specifies the structure of the packets and how to route them to the proper destination.

▫ Every IP packet consists of two parts. Header – contains the packet’s origin and destination

addresses, as well as info about the type of data contained in the body.

Body.

8-17


•routers read the destination address fields in packet headers to decide where to send (route) the packet next.

•A device called a border router connects an organization’s information system to the Internet• An organization’s border router checks the

contents of the destination address field of every packet it receives.

• If the address is not that of the organization, the packet is forwarded to another router on the Internet.

• If the destination address matches the organization, the packet undergoes one or more tests before being allowed in.


•Behind the border router is the main firewall, either a special-purpose hardware device or software running on a general purpose computer.

•Like the border router, firewalls determine what to do with each packet.▫Firewalls are designed to act as filters and only

permit packets that meet specific conditions to pass.

▫Firewalls don’t block all traffic, but only filter it.

▫Certain traffic passes through.


•Access Control List (ACL)•Static packet filtering/Deep packet

inspection•Demilitarized Zone (DMZ)

▫Separate network that permits controlled access from the Internet to selected resources

•Intrusion Prevention Systems (IPS) ▫Monitors patterns in the traffic flow, rather

than only inspecting individual packets, to identify and automatically block attacks



3. Device and software hardening controls▫Information security is enhanced by

supplementing preventive controls on the network perimeter with additional preventive controls on the workstations, servers, printers, and other devices (collectively referred to as endpoints) that comprise the organization’s network.

▫Three areas deserve special attention: Endpoint configuration User accounts Software design

8-21


•Endpoint Configuration▫Endpoints can be made more secure by

modifying their configurations. Default configurations of most devices typically turn

on a large number of optional settings that are seldom, if ever used.

Default installations of many operating systems turn on many special purpose programs, called services, which are not essential.

▫Turning on unnecessary features and extra services: Maximizes the likelihood of successful installation

without the need for customer support. But the cost is that it creates security weaknesses.


•Managing User Accounts and Privileges▫User accounts must be carefully managed,

especially when they have unlimited (administrative) rights on the computer.

▫Users who need administrative powers on a particular computer should be assigned two accounts: One with administrative rights One with limited privileges

▫Users should log in under the limited account to perform routine duties. They should be logged into their limited account when

browsing the web or reading email. If they visit a compromised website or open an

infected email, the attacker will only acquire limited rights.


•Software Design▫Controls are also needed over in-house

development and modification of programs, because poorly-written code can be exploited to give attackers administrative privileges.

▫Some common input-related vulnerabilities: buffer overflow attack SQL injection Cross-site scripting



4. Encryption (covered in Chapter 9)

8-25


Preventive: Physical security ▫Within a few minutes, a skilled attacker with

unsupervised direct physical access to the system can successfully obtain access to sensitive data.

▫Physical access control begins with entry points to the building itself. Should be one regular entry point unlocked during normal

office hours. Fire codes require emergency exits.

These should not permit entry from outside. Should be connected to an alarm that is triggered if someone

leaves through the exit.▫A receptionist or security guard should be stationed at

the main entrance of the building to: Verify the identity of employees. Require that visitors sign in and be escorted to their

destination.8-26


•Once inside the building, physical access to rooms housing computer equipment must be restricted.

•Access to wiring used in LANs must be restricted to prevent wiretapping.▫Cables and wiring should not be exposed in

areas accessible to casual visitors.▫Wall jacks not in use should be physically

disconnected from the network.▫Wiring closets should be securely locked.

If shared with other tenants of a building, the telecommunications equipment should be placed inside locked steel cages.


•Laptops, cell phones, and PDA devices require special attention.▫Laptop theft is a major problem, and the major

cost is not the price of the laptop but the loss of the confidential information and the costs of notifying those affected.

▫To deal with laptop theft, employees should be trained to lock their laptops to an immovable object.

▫Sensitive data should only be stored on removable media, not the hard drive, and special care should be taken to restrict access to the removable media.


Preventive: Change controls

•Change controls and change management▫Formal processes in place regarding

changes made to hardware, software, or processes

8-29


Detective: Log Analysis

• Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed. Logs form an audit trail of system access. Are of value only if routinely examined. Log analysis is the process of examining

logs to monitor security.

8-30


•Log analysis should be done regularly to detect problems in a timely manner.▫Not easy because logs can quickly grow in size.▫So system administrators use software tools to

efficiently strip out routine log entries so that they can focus their attention on anomalous behavior.

▫Also supplement log analysis with software tools called intrusion detection systems to automate the monitoring process.


Detective: Intrusion Detection

• An IDS creates a log of network traffic that was permitted to pass the firewall.

▫ Analyzes the logs for signs of attempted or successful intrusions.

▫ Most common analysis is to compare logs to a database containing patterns of traffic associated with known attacks.

▫ An alternative technique builds a model representing “normal” network traffic and uses various statistical techniques to identify unusual behavior.

8-32


Detective: Penetration Testing

Penetration testing provides a rigorous way to test the effectiveness of an organization’s computer security.

• This testing involves an authorized attempt by either an internal audit team or external security consulting firm to break into the organization’s IS.▫ Masquerading as custodians, temporary workers, or

confused delivery personnel to get into offices to locate passwords or access computers.

▫ Climbing through roof hatches and dropping through ceiling panels.

• Some claim they can get into 90% or more of the companies they attack. 8-33


Detective: Continuous Monitoring •Monitor

▫Employee compliance with security policies▫Performance of business processes

8-34


Corrective: Computer Incident Response Team (CIRT)

• Responsible for dealing with major incidents.

• Should include technical specialists and senior operations management.

• Response process:▫ Recognize▫ Contain▫ Recover▫ Follow-up

8-35


Corrective: Chief Information Security Officer (CISO)

• Should be independent of other IS functions and report to either the COO or CEO.

• Must understand the company’s technology environment and work with the CIO to design, implement, and promote sound security policies and procedures.

• Disseminates info about fraud, errors, security breaches, improper system use, and consequences of these actions.

• Works with the person in charge of building security, as that is often the entity’s weakest link.

• Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO’s security measures.

8-36


Corrective: Patch management

•Hackers usually publish instructions for doing so (known as exploits) on the Internet.

•Although it takes skill to discover the exploit, once published, it can be executed by almost anyone.

•A patch is code released by software developers to fix vulnerabilities that have been discovered.

•Patch management is the process for regularly applying patches and updates to all of an organization’s software. 8-37


New Considerations• Virtualization

▫ Multiple systems are run on one computer

• Cloud Computing▫ Remotely accessed

resources Software

applications Data storage Hardware

• Risks▫ Increased exposure if

breach occurs▫ Reduced

authentication standards

• Opportunities▫ Implementing strong

access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein

copyright © 2015 pearson education, inc. controls for information security chapter 8 8-1

Documents

pearson education

p d c

information security

security life cycle

security approaches

preventive controls

progress c

corrective controls