Controls for Information Security


Controls for Information Security Chapter 8

Learning Objectives: Explain how information security affects information systems reliability. Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization's information system.

Trust Services Framework
Security: Access to the system and data is controlled and restricted to legitimate users.
Confidentiality: Sensitive organizational data is protected.
Privacy: Personal information about trading partners, investors, and employees is protected.
Processing integrity: Data are processed accurately, completely, in a timely manner, and only with proper authorization.
Availability: The system and its information are available.

FUNDAMENTAL INFORMATION SECURITY CONCEPTS
There are three fundamental information security concepts that will be discussed in this chapter:
Security as a management issue, not a technology issue.
The time-based model of security.
Defense in depth.

Security is a management issue: the security life cycle.

Security Approaches: Time-based model. Security is effective if P > D + C, where
P is the time it takes an attacker to break through preventive controls,
D is the time it takes to detect that an attack is in progress, and
C is the time it takes to respond to the attack and take corrective action.

TIME-BASED MODEL OF SECURITY EXAMPLE: For an additional expenditure of $25,000, the company could take one of four measures:
Measure 1 would increase P by 5 minutes.
Measure 2 would decrease D by 3 minutes.
Measure 3 would decrease C by 5 minutes.
Measure 4 would increase P by 3 minutes and reduce C by 3 minutes.
Since each measure has the same cost, which do you think would be the most cost-effective choice? (Hint: Your goal is to have P exceed (D + C) by the maximum possible amount.)

TIME-BASED MODEL OF SECURITY: You may be able to solve this problem by eyeballing it. If not, one way to solve it is to assume some initial values for P, D, and C. So let's assume that P = 15 min., D = 5 min., and C = 8 min.
At our starting point, P - (D + C) = 15 - (5 + 8) = 2 min.
With Measure 1, P is increased by 5 minutes: 20 - (5 + 8) = 7 min.
With Measure 2, D is decreased by 3 minutes: 15 - (2 + 8) = 5 min.
With Measure 3, C is decreased by 5 minutes: 15 - (5 + 3) = 7 min.
With Measure 4, P is increased by 3 minutes and C is reduced by 3 minutes: 18 - (5 + 5) = 8 min.
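The same evaluation as a small program, added here as an example (it is not from the textbook or its slides). It encodes each measure as changes to P, D and C, ranks the measures by the resulting margin P - (D + C), and also shows why the slide's "eyeballing" works: the starting values cancel, so a measure's gain is just the sum of the minutes it adds to P and removes from D and C. The starting values 15, 5 and 8 are the slide's assumptions; the Measure dataclass and function names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Measure:
    """A candidate control, expressed as changes (in minutes) to P, D and C.

    delta_p: minutes added to P (time to break through preventive controls)
    delta_d: minutes removed from D (time to detect the attack)
    delta_c: minutes removed from C (time to respond and correct)
    """
    name: str
    delta_p: int = 0
    delta_d: int = 0
    delta_c: int = 0


def security_margin(p: int, d: int, c: int) -> int:
    """P - (D + C): positive means the time-based condition P > D + C holds."""
    return p - (d + c)


def margin_after(measure: Measure, p: int, d: int, c: int) -> int:
    """Margin once the measure is applied to the starting values."""
    return security_margin(p + measure.delta_p,
                           d - measure.delta_d,
                           c - measure.delta_c)


def margin_gain(measure: Measure) -> int:
    """Improvement in the margin caused by a measure.

    Because the margin is P - D - C, the starting values cancel out: the gain
    is delta_p + delta_d + delta_c whatever P, D and C happen to be.
    """
    return measure.delta_p + measure.delta_d + measure.delta_c


def rank_measures(measures: List[Measure], p: int, d: int, c: int) -> List[Tuple[str, int]]:
    """(name, resulting margin) pairs, best first; ties keep the input order."""
    scored = [(m.name, margin_after(m, p, d, c)) for m in measures]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def best_measure(measures: List[Measure], p: int, d: int, c: int) -> str:
    """Name of the measure that maximises P - (D + C) for equal cost."""
    return rank_measures(measures, p, d, c)[0][0]


# The four equal-cost measures from the slide.
SLIDE_MEASURES = [
    Measure("Measure 1", delta_p=5),
    Measure("Measure 2", delta_d=3),
    Measure("Measure 3", delta_c=5),
    Measure("Measure 4", delta_p=3, delta_c=3),
]

if __name__ == "__main__":
    # Starting values assumed on the slide: P = 15, D = 5, C = 8 minutes.
    for name, margin in rank_measures(SLIDE_MEASURES, 15, 5, 8):
        print(f"{name}: P - (D + C) = {margin} min")
    print("Best choice:", best_measure(SLIDE_MEASURES, 15, 5, 8))
```

Running it with any other starting values gives the same ranking, which is the practical point: when the measures cost the same, only the sum of the minute changes matters, not the current P, D and C.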

Security Approaches: Defense-in-depth. Multiple layers of control (preventive, detective, and corrective) to avoid a single point of failure.

How to Mitigate Risk of Attack
Preventive controls: people; process; IT solutions; physical security; change controls and change management.
Detective controls: log analysis; intrusion detection systems; penetration testing; continuous monitoring.

Preventive: People
Culture of security: tone set at the top by management; training.
Training: follow safe computing practices. Never open unsolicited e-mail attachments. Use only approved software. Do not share passwords. Physically protect laptops/cellphones. Protect against social engineering.

Preventive: Process
Authentication verifies the person, using something the person knows, something the person has, some biometric characteristic, or a combination of all three (multifactor).

Preventive: Process
Authorization determines what a person can access and what actions they are permitted to perform. Authorization controls are implemented by creating an access control matrix, which specifies what part of the IS a user can access and what actions they are permitted to perform. When an employee tries to access a particular resource, the system performs a compatibility test that matches the user's authentication credentials against the matrix to determine if the action should be allowed.

Questions on the access control matrix (the matrix figure is not included in this transcript): Which programs can user 12354 access? Who has the authority to delete Program 2? Which files can user 12354 access?
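A working access control matrix with the compatibility test the slide describes, added as an example (not the textbook's own code or figure). The matrix contents are constructed for illustration: user 12354 and Program 2 are the names from the slide's questions, while the other users, files and granted actions are made up, so the answers below are answers for this sample matrix only. The design point worth noticing is default deny: a user, resource or action missing from the matrix fails the test rather than passing it.

```python
from collections import defaultdict
from typing import Dict, List, Set


class AccessControlMatrix:
    """Rows are user IDs, columns are resources, cells are the permitted actions.

    Default deny: a user, resource or action that is not in the matrix fails
    the compatibility test.
    """

    def __init__(self) -> None:
        self._rows: Dict[str, Dict[str, Set[str]]] = defaultdict(dict)

    def grant(self, user: str, resource: str, *actions: str) -> None:
        """Add permitted actions to the cell (user, resource)."""
        self._rows[user].setdefault(resource, set()).update(actions)

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        """The compatibility test: does the authenticated user's row permit this action?"""
        # .get() never creates a row, so unknown users stay unknown.
        return action in self._rows.get(user, {}).get(resource, set())

    def resources_for(self, user: str, kind: str = "") -> List[str]:
        """Resources the user can access at all; `kind` restricts to a name prefix."""
        row = self._rows.get(user, {})
        return sorted(r for r, actions in row.items() if actions and r.startswith(kind))

    def who_can(self, resource: str, action: str) -> List[str]:
        """Users whose cell for the resource includes the action."""
        return sorted(u for u, row in self._rows.items()
                      if action in row.get(resource, set()))


def build_sample_matrix() -> AccessControlMatrix:
    """Constructed sample matrix (hypothetical users, files and grants)."""
    acm = AccessControlMatrix()
    acm.grant("12354", "File A", "read")
    acm.grant("12354", "File B", "read", "update")
    acm.grant("12354", "Program 1", "execute")
    acm.grant("19876", "Program 1", "execute")
    acm.grant("19876", "Program 2", "execute", "delete")
    acm.grant("19876", "File C", "read", "update", "delete")
    return acm


def access_request(acm: AccessControlMatrix, user: str, resource: str, action: str) -> bool:
    """Simulate the run-time check performed when a user touches a resource."""
    allowed = acm.is_allowed(user, resource, action)
    print(f"user {user} {action} {resource}: {'ALLOW' if allowed else 'DENY'}")
    return allowed


if __name__ == "__main__":
    acm = build_sample_matrix()
    # The slide's three questions, answered against the sample matrix.
    print("Programs for 12354:", acm.resources_for("12354", kind="Program"))
    print("Can delete Program 2:", acm.who_can("Program 2", "delete"))
    print("Files for 12354:", acm.resources_for("12354", kind="File"))
    access_request(acm, "12354", "Program 2", "delete")
```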

Preventive: IT Solutions
Antimalware controls: education; protection on all devices; centralized patch management; regular review of threats; filtering of incoming traffic; training employees.

Preventive: IT Solutions
Network access controls. Information sent over the Internet is governed by TCP/IP, two protocols for transmitting information over the Internet. Transmission Control Protocol (TCP) specifies the procedures for dividing files and documents into packets and for reassembly at the destination. Internet Protocol (IP) specifies the structure of the packets and how to route them to the proper destination. Every IP packet consists of two parts: the header, which contains the packet's origin and destination addresses as well as information about the type of data contained in the body, and the body.

Routers read the destination address fields in packet headers to decide where to send (route) the packet next. A device called a border router connects an organization's information system to the Internet. An organization's border router checks the contents of the destination address field of every packet it receives. If the address is not that of the organization, the packet is forwarded to another router on the Internet. If the destination address matches the organization, the packet undergoes one or more tests before being allowed in.

Behind the border router is the main firewall, either a special-purpose hardware device or software running on a general-purpose computer. Like the border router, firewalls determine what to do with each packet. Firewalls are designed to act as filters and only permit packets that meet specific conditions to pass. Firewalls don't block all traffic, but only filter it; certain traffic passes through.

Access Control List (ACL): static packet filtering/deep packet inspection.
Demilitarized Zone (DMZ): a separate network that permits controlled access from the Internet to selected resources.
Intrusion Prevention Systems (IPS): monitor patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks.
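The border-router destination check and static packet filtering against an ACL, written out as an example (added here; not code from the textbook). The scenario is constructed: the organization owns 203.0.113.0/24 (a documentation address range) and exposes one web server, 203.0.113.10, in its DMZ on TCP ports 80 and 443. The filter reads only header fields (source, destination, protocol, destination port), evaluates rules first-match, and denies anything no rule permits. The first rule drops inbound packets whose source claims to be inside the organization, a routine anti-spoofing entry; the Packet and Rule classes and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a static packet filter looks at; the body is ignored."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One ACL entry. Fields left at their defaults match anything."""
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))


def border_router(org_prefix: str, pkt: Packet) -> str:
    """Destination-address check: packets for other networks are forwarded on,
    packets addressed to the organization go on to the firewall's tests."""
    if ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(org_prefix):
        return "inspect"
    return "forward"


def firewall(acl: List[Rule], pkt: Packet) -> str:
    """Static packet filtering: first matching rule wins; no match means deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"                   # the implicit deny at the end of every ACL


# Constructed scenario (not from the textbook).
ORG_PREFIX = "203.0.113.0/24"
ACL = [
    Rule("deny", src=ORG_PREFIX),   # inbound packet claiming an inside source address
    Rule("permit", dst="203.0.113.10", proto="tcp", dport=443),
    Rule("permit", dst="203.0.113.10", proto="tcp", dport=80),
    # everything else falls through to the implicit deny
]


def handle_inbound(pkt: Packet) -> str:
    """Full path for a packet arriving from the Internet: router, then firewall."""
    if border_router(ORG_PREFIX, pkt) == "forward":
        return "forward"
    return firewall(ACL, pkt)


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),   # permit
        Packet("198.51.100.7", "203.0.113.10", "tcp", 22),    # deny (no rule)
        Packet("198.51.100.7", "192.0.2.5", "tcp", 443),      # forward (not ours)
        Packet("203.0.113.99", "203.0.113.10", "tcp", 443),   # deny (spoofed source)
    ]
    for pkt in samples:
        print(pkt, "->", handle_inbound(pkt))
```

Rule order matters: the anti-spoofing deny sits first so that a spoofed packet to the web server is dropped before the permit rules can match it.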

Preventive: IT Solutions
Device and software hardening controls. Information security is enhanced by supplementing preventive controls on the network perimeter with additional preventive controls on the workstations, servers, printers, and other devices (collectively referred to as endpoints) that comprise the organization's network. Three areas deserve special attention: endpoint configuration, user accounts, and software design.

Endpoint Configuration. Endpoints can be made more secure by modifying their configurations. Default configurations of most devices typically turn on a large number of optional settings that are seldom, if ever, used. Default installations of many operating systems turn on many special-purpose programs, called services, which are not essential. Turning on unnecessary features and extra services maximizes the likelihood of a successful installation without the need for customer support, but the cost is that it creates security weaknesses.

Managing User Accounts and Privileges. User accounts must be carefully managed, especially when they have unlimited (administrative) rights on the computer. Users who need administrative powers on a particular computer should be assigned two accounts: one with administrative rights and one with limited privileges. Users should log in under the limited account to perform routine duties. They should be logged into their limited account when browsing the web or reading email. If they visit a compromised website or open an infected email, the attacker will only acquire limited rights.

Software Design. Controls are also needed over in-house development and modification of programs, because poorly written code can be exploited to give attackers administrative privileges. Some common input-related vulnerabilities: buffer overflow attacks, SQL injection, and cross-site scripting.
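Two of the three input-related vulnerabilities named above, each shown as the weak code beside its hardened form, added as an example (this is not code from the textbook). A buffer overflow is not demonstrable in Python, a memory-safe language, so the example covers SQL injection and cross-site scripting. The accounts table, its rows and the function names are constructed for illustration; the sqlite3 and html modules are from the Python standard library.

```python
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 250), (3, "carol", 75)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> List[Tuple[str, int]]:
    """SQL injection: the input is spliced into the SQL text, so a quote character
    in the input lets it change the query's logic instead of being compared as data."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> List[Tuple[str, int]]:
    """Hardened form: a parameterized query binds the input as a value, so it can
    never become part of the statement."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def greeting_vulnerable(name: str) -> str:
    """Cross-site scripting: input reflected into HTML unescaped, so any markup
    in it is rendered by the browser."""
    return f"<p>Hello, {name}</p>"


def greeting_safe(name: str) -> str:
    """Hardened form: output encoding turns markup characters into entities."""
    return f"<p>Hello, {html.escape(name)}</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"            # classic textbook input that closes the quote
    print("vulnerable:", lookup_vulnerable(conn, probe))   # returns every account
    print("safe:      ", lookup_safe(conn, probe))         # returns nothing
    print(greeting_vulnerable("<b>bob</b>"))
    print(greeting_safe("<b>bob</b>"))
```

The fix in both cases is the same idea: keep data and code separate, either by binding parameters (SQL) or by encoding output for the context it is written into (HTML), rather than trying to strip "bad" characters from the input.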

Preventive: IT Solutions Encryption (covered in Chapter 9)

Preventive: Physical security. Within a few minutes, a skilled attacker with unsupervised direct physical access to the system can successfully obtain access to sensitive data. Physical access control begins with entry points to the building itself. There should be one regular entry point unlocked during normal office hours. Fire codes require emergency exits; these should not permit entry from outside and should be connected to an alarm that is triggered if someone leaves through the exit. A receptionist or security guard should be stationed at the main entrance of the building to verify the identity of employees and to require that visitors sign in and be escorted to their destination.

Once inside the building, physical access to rooms housing computer equipment must be restricted. Access to wiring used in LANs must be restricted to prevent wiretapping. Cables and wiring should not be exposed in areas accessible to casual visitors. Wall jacks not in use should be physically disconnected from the network. Wiring closets should be securely locked. If shared with other tenants of a building, the telecommunications equipment should be placed inside locked steel cages.

Laptops, cell phones, and PDA devices require special attention. Laptop theft is a major problem, and the major cost is not the price of the laptop but the loss of the confidential information and the costs of notifying those affected. To deal with laptop theft, employees should be trained to lock their laptops to an immovable object. Sensitive data should only be stored on removable media, not the hard drive, and special care should be taken to restrict access to the removable media.

Preventive: Change controls and change management. Formal processes in place regarding changes made to hardware, software, or processes.

Detective: Log Analysis. Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed. Logs form an audit trail of system access, but they are of value only if routinely examined. Log analysis is the process of examining logs to monitor security.

Log analysis should be done regularly to detect problems in a timely manner. This is not easy, because logs can quickly grow in size. So system administrators use software tools to efficiently strip out routine log entries so that they can focus their attention on anomalous behavior. They also supplement log analysis with software tools called intrusion detection systems to automate the monitoring process.

Detective: Intrusion Detection An IDS creates a log of network traffic that was permitted to pass the firewall. Analyzes the logs for signs of attempted or successful intrusions. Most common analysis is to compare logs to a database containing patterns of traffic associated with known attacks. An alternative technique builds a model representing “normal” network traffic and uses various statistical techniques to identify unusual behavior.
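The three techniques in the two preceding slides, run over a handful of constructed log lines, as an added example (not code from the textbook): stripping routine entries so a reviewer sees only the rest, signature matching against a small database of known-attack patterns, and anomaly detection that builds a model of "normal" failed-login counts from a baseline and flags sources that fall well outside it. The log format, sample lines, signature patterns, baseline counts and function names are all this example's own assumptions.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed log format: one event per line, key=value fields, path optional.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)(?: path=(?P<path>\S+))?$"
)

# Constructed sample: routine activity, one burst of failed logins from one
# source, one ordinary typo, and one request carrying a traversal pattern.
SAMPLE_LOG = [
    "2024-03-01T09:00:01 src=10.0.0.5 user=alice event=login result=success",
    "2024-03-01T09:00:09 src=10.0.0.5 user=alice event=read result=success path=/reports/q1.pdf",
    *[f"2024-03-01T09:01:{i:02d} src=198.51.100.7 user=admin event=login result=failure"
      for i in range(8)],
    "2024-03-01T09:05:00 src=10.0.0.8 user=bob event=login result=failure",
    "2024-03-01T09:05:10 src=10.0.0.8 user=bob event=login result=success",
    "2024-03-01T09:06:00 src=203.0.113.4 user=- event=read result=failure path=/files/../../etc/passwd",
    "2024-03-01T09:07:00 src=10.0.0.5 user=alice event=logout result=success",
]


def parse(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Turn raw lines into field dictionaries; malformed lines are skipped."""
    entries = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


# Log analysis: the (event, result) pairs an administrator treats as routine.
ROUTINE = {("login", "success"), ("logout", "success"), ("read", "success")}


def strip_routine(entries: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Keep only entries worth a human's attention."""
    return [e for e in entries if (e["event"], e["result"]) not in ROUTINE]


# Signature-based IDS: compare entries to patterns associated with known attacks.
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection probe": re.compile(r"(?i)(?:'|%27)\s*or\s+"),
}


def signature_matches(entries: List[Dict[str, Optional[str]]]) -> List[Tuple[str, str]]:
    """(source, signature name) for every entry whose path matches a signature."""
    hits = []
    for e in entries:
        path = e["path"] or ""
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((e["src"], name))
    return hits


# Anomaly-based IDS: "normal" is modelled from historical failed-login counts
# per source per window (constructed baseline), and a source is flagged when
# its count exceeds mean + z standard deviations of that baseline.
BASELINE_FAILED_LOGINS = [0, 1, 0, 2, 1, 0, 1, 1]


def anomalous_sources(entries: List[Dict[str, Optional[str]]],
                      baseline: List[int], z: float = 2.0) -> List[str]:
    threshold = statistics.mean(baseline) + z * statistics.pstdev(baseline)
    counts = Counter(e["src"] for e in entries
                     if e["event"] == "login" and e["result"] == "failure")
    return sorted(src for src, n in counts.items() if n > threshold)


if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    print("entries:", len(entries), "after stripping routine:", len(strip_routine(entries)))
    print("signature hits:", signature_matches(entries))
    print("anomalous sources:", anomalous_sources(entries, BASELINE_FAILED_LOGINS))
```

Bob's single failed login is below the threshold and stays unflagged, which is the point of the baseline: the model separates a user mistyping a password from a source hammering an administrative account.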

Detective: Penetration Testing. Penetration testing provides a rigorous way to test the effectiveness of an organization's computer security. This testing involves an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization's IS. Examples include masquerading as custodians, temporary workers, or confused delivery personnel to get into offices to locate passwords or access computers, and climbing through roof hatches and dropping through ceiling panels. Some claim they can get into 90% or more of the companies they attack.

Detective: Continuous Monitoring of employee compliance with security policies and of the performance of business processes.

Corrective: Computer Incident Response Team (CIRT). Responsible for dealing with major incidents. Should include technical specialists and senior operations management. Response process: recognize, contain, recover, follow up.

Corrective: Chief Information Security Officer (CISO) Should be independent of other IS functions and report to either the COO or CEO. Must understand the company’s technology environment and work with the CIO to design, implement, and promote sound security policies and procedures. Disseminates info about fraud, errors, security breaches, improper system use, and consequences of these actions. Works with the person in charge of building security, as that is often the entity’s weakest link. Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO’s security measures.

Corrective: Patch management. Hackers usually publish instructions for exploiting discovered vulnerabilities (known as exploits) on the Internet. Although it takes skill to discover the exploit, once published, it can be executed by almost anyone. A patch is code released by software developers to fix vulnerabilities that have been discovered. Patch management is the process for regularly applying patches and updates to all of an organization's software.

New Considerations
Virtualization: multiple systems are run on one computer.
Cloud computing: remotely accessed resources (software applications, data storage, hardware).
Risks: increased exposure if a breach occurs; reduced authentication standards.
Opportunities: implementing strong access controls in the cloud, or over the server that hosts a virtual network, provides good security over all the systems contained therein.