Controls for Information Security Chapter 8

Learning Objectives Explain how information security affects information systems reliability. Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization’s information system.

Trust Services Framework Security Access to the system and data is controlled and restricted to legitimate users. Confidentiality Sensitive organizational data is protected. Privacy Personal information about trading partners, investors, and employees are protected. Processing integrity Data are processed accurately, completely, in a timely manner, and only with proper authorization. Availability System and information are available. The trust services framework is a means to organize IT controls to help ensure systems reliability. At the foundation of this framework is security which is absolutely necessary for success and for achieving the other four principles. Security procedures: Restrict access to authorized users only which protects confidentiality of sensitive organizational data and the privacy of personal data collected from customers, suppliers, employees, and so on. Security protects the processing integrity by preventing submission of unauthorized transactions or unauthorized changes to the data. Security provides protection from unwanted attacks that could bring down the system and make it unavailable.

This is a good visual of the Trust Services Framework Using an analogy of building a house, you need a good foundation; otherwise the house will fall apart. Then to keep the roof over your head, you need to have wel-constructed walls. Similarly, for good systems reliability you need a good foundation of Security. The walls are the four pillars focused on maintaining good systems reliability.

Security is a management issue Security Life Cycle Security is a management issue See pages 256-257 for details. Although technologies tools are used for security and the security expertise is within an IT department, effective security must have the support of senior management to understand the potential threats to an organizations information systems which would impede the organization from achieving its goals. As we previously discussed about threats to an AIS, management must assess the threat to an AIS and determine how to respond (reduce, accept, share, avoid). The second step is to develop security policies (e.g., employees should not click on any links embedded into e-mails) and make sure that those policies are communicated (best way is through training). The third step is to invest in the necessary resources (human and technology) to reduce the security threats. Finally, active monitoring to evaluate the security effectiveness provides a feedback loop as management may need to make updates based upon new threats or techniques that affect security. Overall, management is responsible for maintaining a “culture of security”. The fourth step requires monitoring of performance because if you do not monitor how well you are doing with your objectives, how do you know if it is achieved?

Security Approaches Defense-in-depth Multiple layers of control (preventive and detective) to avoid a single point of failure Time-based model, security is effective if: P > D + C where P is time it takes an attacker to break through preventive controls D is time it takes to detect an attack is in progress C is time it takes to respond to the attack and take corrective action

Steps criminals use to attack an organization’s information systems Conduct reconnaissance Attempt social engineering Scan and map the target Research Execute the attack Cover tracks

How to Mitigate Risk of Attack Table 8-1 Preventive Controls Detective Controls People Process IT Solutions Physical security Change controls and change management Log analysis Intrusion detection systems Penetration testing Continuous monitoring

Preventive: People Culture of security Training Tone set at the top with management Training Follow safe computing practices Never open unsolicited e-mail attachments Use only approved software Do not share passwords Physically protect laptops/cellphones Protect against social engineering

Preventive: Process Authentication—verifies the person Something person knows Something person has Some biometric characteristic Combination of all three Focus 8-1 on Effective of passwords Authorization—determines what a person can access Access control matrix These two concepts are related, to get into a system, you need to be authenticated, then authorization is where you are allowed to go once you are in the system.

Preventive: IT Solutions Antimalware controls Network access controls Device and software hardening controls Encryption

Preventive: Other Physical security access controls Limit entry to building Restrict access to network and data Change controls and change management Formal processes in place regarding changes made to hardware, software, or processes

Corrective Computer Incident Response Team (CIRT) Chief Information Security Officer (CISO) Patch management

Key Terms Defense-in-depth Time-based model of security Social engineering Authentication Biometric identifier Multifactor authentication Multimodal authentication Authorization Access control matrix Compatibility test Border router Firewall Demilitarized zone (DMZ) Routers Access control list (ACL) Packet filtering Deep packet inspection Intrusion prevention system Remote Authentication Dial-in User Service (RADIUS) War dialing Endpoints Vulnerabilities Vulnerability scanners Hardening Change control and change management Log analysis Intrusion detection system (IDS)

Key Terms (continued) Penetration test Computer incident response team (CIRT) Exploit Patch Patch management Virtualization Cloud computing