INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY PART I

Provided by: lauraringr

Transcript and Presenter's Notes

1
INFORMATION SYSTEMS CONTROLS FOR SYSTEMS
RELIABILITY PART I
  • Chapter 7

2
Trust Services Framework
SYSTEMS RELIABILITY
CONFIDENTIALITY
PRIVACY
PROCESSING INTEGRITY
AVAILABILITY
SECURITY
3
Fundamental Information Security Concepts
  • Security as a management issue, not a technology
    issue
  • The time-based model of security
  • Defense in depth

4
Security as a Management Issue
  • Management is responsible for the accuracy of
    various internal reports and financial statements
    produced by the organization's IS.
  • SOX Section 302
  • SOX Section 404
  • Security is a key component of internal
    control and systems reliability
  • Management's philosophy and operating style are
    critical to an effective control environment
    (COSO model)

5
Four Criteria for Implementing Principles of
Systems Reliability
  • Develop and document policies
  • Effectively communicate those policies to all
    authorized users
  • Design and employ appropriate control procedures
    to implement those policies
  • Monitor the system, and take corrective action to
    maintain compliance with the policies

6
Time-Based Model of Security
  • The time-based model of security focuses on
    implementing a set of preventive, detective, and
    corrective controls that enable an organization
    to recognize that an attack is occurring and take
    steps to thwart it before any assets have been
    compromised.
  • All three types of controls are necessary
  • Preventive
  • Detective
  • Corrective

7
Time-Based Model of Security
  • The time-based model evaluates the effectiveness
    of an organization's security by measuring and
    comparing the relationship among three variables:
  • P = Time it takes an attacker to break through
    the organization's preventive controls
  • D = Time it takes to detect that an attack is in
    progress
  • C = Time to respond to the attack
  • These three variables are evaluated as follows:
  • If P > (D + C), then security procedures are
    effective.
  • Otherwise, security is ineffective.

8
Time-Based Model of Security
  • EXAMPLE: For an additional expenditure of
    $25,000, the company could take one of four
    measures:
  • Measure 1 would increase P by 5 minutes.
  • Measure 2 would decrease D by 3 minutes.
  • Measure 3 would decrease C by 5 minutes.
  • Measure 4 would increase P by 3 minutes and
    reduce C by 3 minutes.
  • Since each measure has the same cost, which do
    you think would be the most cost-effective
    choice? (Hint: Your goal is to have P exceed
    (D + C) by the maximum possible amount.)
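The time-based model and the four-measure exercise above, worked in code. This is an added example, not part of the slides; the baseline P, D and C values are constructed, and a measure's gain in margin does not depend on them.

```python
# Added example (not from the original slides): evaluating the time-based
# model of security, P > D + C, and ranking the slide's four measures by
# how much each widens the safety margin P - (D + C). The baseline times
# are constructed; a measure's margin gain does not depend on them.

def margin(p, d, c):
    """Safety margin in minutes: positive means the preventive controls
    hold longer than detection plus response takes."""
    return p - (d + c)

def is_effective(p, d, c):
    """Security procedures are effective when P > D + C."""
    return margin(p, d, c) > 0

# The four measures from the slide, as changes (in minutes) to P, D and C.
# Each costs the same $25,000, so ranking by margin gain alone suffices.
MEASURES = {
    "Measure 1": {"P": +5},
    "Measure 2": {"D": -3},
    "Measure 3": {"C": -5},
    "Measure 4": {"P": +3, "C": -3},
}

def apply_measure(p, d, c, deltas):
    """Return (P, D, C) after applying one measure's changes."""
    return (p + deltas.get("P", 0), d + deltas.get("D", 0), c + deltas.get("C", 0))

def rank_measures(p, d, c, measures=MEASURES):
    """Return (name, margin gain) pairs, largest gain first."""
    before = margin(p, d, c)
    scored = [(name, margin(*apply_measure(p, d, c, deltas)) - before)
              for name, deltas in measures.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)

def best_measure(p, d, c):
    """The most cost-effective choice when all measures cost the same."""
    return rank_measures(p, d, c)[0][0]

if __name__ == "__main__":
    base = (30, 15, 20)   # constructed: P=30, D=15, C=20 minutes
    print("effective before any measure:", is_effective(*base))
    for name, gain in rank_measures(*base):
        print(f"{name}: widens P - (D + C) by {gain:+d} minutes")
```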

9
Defense in Depth
  • Major types of preventive controls used for
    defense in depth include:
  • Authentication controls (passwords, tokens,
    biometrics, MAC addresses)
  • Authorization controls (access control matrices
    and compatibility tests)
  • Training
  • Physical access controls (locks, guards,
    biometric devices)
  • Remote access controls (IP packet filtering by
    border routers and firewalls using access control
    lists; intrusion prevention systems;
    authentication of dial-in users; wireless access
    controls)
  • Host and Application Hardening procedures
    (firewalls, anti-virus software, disabling of
    unnecessary features, user account management,
    software design, e.g., to prevent buffer
    overflows)
  • Encryption

10
Preventive Controls
  • Users can be authenticated by verifying
  • Something they know, such as passwords or PINs.
  • Something they have, such as smart cards or ID
    badges.
  • Some physical characteristic (biometric
    identifier), such as fingerprints or voice.

11
Preventive Controls
  • Password requirements
  • Length
  • Multiple character types
  • Random
  • Secret

12
Preventive Controls
  • Each authentication method has its limitations.
  • Passwords
  • Physical identification techniques
  • Biometric techniques

13
Preventive Controls
  • Authorization controls are implemented by
    creating an access control matrix.
  • Specifies what part of the IS a user can access
    and what actions they are permitted to perform.
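An access control matrix and the compatibility test that enforces it, as an added example that is not part of the slides. The users, resources and permissions are constructed sample data.

```python
# Added example (not from the original slides): an access control matrix as
# a table of user x resource -> permitted actions, and the compatibility
# test that checks each request against it. Users, resources and rights
# below are constructed sample data.

# Rows are users, columns are resources, cells are the permitted actions.
# Anything not listed is denied (default deny).
ACCESS_CONTROL_MATRIX = {
    "jdoe":    {"payroll_db": {"read"}, "gl_app": {"read", "update"}},
    "asmith":  {"payroll_db": {"read", "update"}, "gl_app": set()},
    "dbadmin": {"payroll_db": {"read", "update", "delete", "admin"}},
}

def compatibility_test(matrix, user, resource, action):
    """True only if the matrix explicitly grants `action` on `resource` to
    `user`; unknown users or resources fail the test."""
    return action in matrix.get(user, {}).get(resource, set())

def request(matrix, user, resource, action, log):
    """Apply the compatibility test and record the decision in an audit log,
    so denied attempts can be reviewed later (a detective control)."""
    allowed = compatibility_test(matrix, user, resource, action)
    log.append(f"{'ALLOW' if allowed else 'DENY'} {user} {action} {resource}")
    return allowed

def denied_requests(log):
    """Denied attempts pulled from the audit log for review."""
    return [entry for entry in log if entry.startswith("DENY")]

if __name__ == "__main__":
    audit = []
    request(ACCESS_CONTROL_MATRIX, "jdoe", "gl_app", "update", audit)      # allowed
    request(ACCESS_CONTROL_MATRIX, "jdoe", "payroll_db", "update", audit)  # denied
    request(ACCESS_CONTROL_MATRIX, "ghost", "payroll_db", "read", audit)   # denied
    print("\n".join(audit))
```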

14
Preventive Controls
15
Preventive Controls
  • Authentication and authorization can be applied
    to devices
  • Network interface card (NIC)
  • Each network device has a unique identifier,
    referred to as its media access control (MAC)
    address.

16
Preventive Controls
  • Training should include safe computing practices,
    such as
  • Never open unsolicited email attachments.
  • Use only approved software.
  • Never share or reveal passwords.
  • Physically protect laptops.

17
Preventive Controls
  • Control physical access
  • There should be one regular entry point
  • Emergency exits
  • A receptionist or security guard at the main
    entrance of the building

18
Preventive Controls
  • Physical access to computer equipment
  • Rooms should be securely locked.
  • All entries and exits should be monitored
  • Multiple failed access attempts should trigger an
    alarm
  • Rooms with servers with highly sensitive data
    should supplement regular locks with
  • Card readers
  • Numeric keypads or
  • Biometric devices

19
Preventive Controls
  • Access to wiring used in LANs must be restricted
  • Cables and wiring should not be exposed
  • Wall jacks not in use should be physically
    disconnected
  • Wiring closets should be locked
  • Laptops, cell phones, and PDA devices require
    special attention

20
Preventive Controls
  • Perimeter Defense: Routers, Firewalls, and
    Intrusion Prevention Systems

21
Preventive Controls
  • TCP/IP
  • Transmission Control Protocol (TCP) specifies the
    procedures for dividing files and documents into
    packets and for reassembly at the destination.
  • Internet Protocol (IP) specifies the structure of
    the packets and how to route them to the proper
    destination.
  • Header contains the packet's origin and
    destination addresses, as well as info about the
    type of data contained in the body.
  • Body.

22
Preventive Controls
  • Routers read the destination address fields in
    packet headers to decide where to send the packet
    next
  • The current version of the IP protocol, IPv4,
    uses 32-bit long addresses
  • Consist of four 8-bit numbers separated by
    periods.
  • E.g., www.prenticehall.com is translated into
    165.193.123.253

23
Preventive Controls
  • An access control list (ACL) determines which
    packets are allowed in and which are dropped
  • Static packet filtering screens individual
    packets based only on the contents of the source
    and/or destination fields in the packet header
  • The ACL will normally deny entry to packets with:
  • An illegal source address
  • The organization's own IP address as the source
    address
  • Any packet not dropped is forwarded on to the
    firewall

24
Preventive Controls
  • Firewalls use more sophisticated techniques than
    border routers to filter packets.
  • Most employ stateful packet filtering.
  • Static packet filtering would examine each IP
    packet in isolation, but stateful packet
    filtering maintains a table that lists all
    established connections between the
    organization's computers and the Internet.
  • The firewall consults this table to determine
    whether an incoming packet is part of an ongoing
    communication initiated by an internal computer.
  • Enables the firewall to reject specially crafted
    attack packets that would have passed a simple
    static packet filter.

25
Preventive Controls
  • Intrusion prevention systems (IPS)
  • Designed to identify and drop packets that are
    part of an attack
  • Techniques to identify undesirable packets
  • Checking packet contents against a database of
    patterns (signatures) of known attack methods
  • Developing a profile of normal traffic and
    using statistical analysis to identify packets
    that don't fit the profile
  • Using rule bases that specify acceptable
    standards for specific types of traffic and
    dropping packets that don't conform

26
Preventive Controls
  • Internal firewalls

27
Preventive Controls
  • Wireless access points should be located in the DMZ

28
Preventive Controls
  • Wireless Access Security Procedures
  • Turn on available security procedures
  • Authenticate all devices attempting to establish
    access
  • Configure all authorized wireless NICs to operate
    only in infrastructure mode
  • Turn off SSID
  • Predefine a list of authorized MAC addresses and
    only accept connections from those MAC addresses
  • Reduce broadcast strength of wireless access
    points
  • Locate wireless access points in the interior of
    the building and use directional antennae

29
Preventive Controls
  • Host Configuration
  • Default configurations of most devices typically
    turn on a large number of optional settings that
    are seldom, if ever, used.
  • Default installations of many operating systems
    turn on many special purpose programs, called
    services, which are not essential

30
Preventive Controls
  • Managing User Accounts and Privileges
  • Users with administrative rights should be
    assigned two accounts
  • One with administrative rights
  • One with limited privileges
  • Log in under the limited account to perform
    routine duties

31
Preventive Controls
  • Software Design
  • Controls are also needed over in-house
    development and modification of programs, because
    poorly written code can be exploited to give
    attackers administrative privileges.
  • The primary weakness is failing to adequately
    screen input data.
  • The most common input-related vulnerability is a
    buffer overflow attack.
  • Attacker sends a program more data than it can
    handle.
  • May cause the system to crash or provide a
    command prompt, giving the attacker full
    administrative privileges and control.

32
Preventive Controls
  • Encryption is the process of transforming normal
    text, called plaintext, into unreadable
    gibberish, called ciphertext.
  • Decryption reverses this process.

Figure: Plaintext ("This is a contract for . . .") + Key → Encryption
Algorithm → Ciphertext ("Xbj m 2 ep0fg . . .") + Key → Decryption
Algorithm → Plaintext ("This is a contract for . . .")
33
Preventive Controls
  • Encryption Strength
  • Key length
  • Key management policies
  • The nature of the encryption algorithm

34
Preventive Controls
  • Symmetric Encryption Systems
  • Use the same key to encrypt and decrypt.
  • Symmetric encryption advantages
  • Faster than asymmetric encryption
  • Symmetric encryption disadvantages
  • Both parties need to know the secret key
  • A different key needs to be created for each
    party with whom the entity engages in encrypted
    transactions

35
Preventive Controls
  • Asymmetric Encryption Systems
  • Use two keys
  • Public key
  • Private key
  • Asymmetric encryption advantages
  • Any text encrypted with the public key can only
    be decrypted using the private key
  • The public key can be distributed by email or
    posted on a website
  • Any number of parties can use the same public key
    to send messages
  • Asymmetric encryption disadvantage
  • Slow

36
Preventive Controls
  • Hashing
  • Takes plaintext of any length and transforms it
    into a short code
  • Different from encryption
  • Encryption always produces ciphertext similar in
    length to the plaintext; hashing produces a hash
    of a fixed short length
  • Encryption is reversible; hashing is not

37
Preventive Controls
  • Digital Signatures
  • Information encrypted with the creator's private
    key
  • Can only be decrypted using the corresponding
    public key
  • Private key is known only to its owner
  • Digital Certificate
  • Electronic document created and digitally signed
    by a trusted third party.
  • Certifies the identity of the owner of a
    particular public key
  • Contains that party's public key

38
Preventive Controls
  • Public key infrastructure (PKI)
  • The system and processes used to issue and manage
    asymmetric keys and digital certificates.
  • Certificate authority
  • An organization that issues public and private
    keys and records the public key in a digital
    certificate
  • Hashes the information stored on a digital
    certificate
  • Encrypts that hash with its private key
  • Appends that digital signature to the digital
    certificate
  • Provides a means for validating the authenticity
    of the certificate
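Hashing (slide 36), digital signatures (slide 37) and a certificate authority signing a certificate (slide 38), worked through in one added example that is not part of the slides. The RSA parameters are a constructed toy, chosen so the arithmetic is visible; the certificate field names are also constructed.

```python
# Added example (not from the original slides): hashing versus encryption,
# a digital signature as "the hash encrypted with the signer's private key",
# and a CA signing a certificate that binds a name to a public key. The RSA
# parameters are a constructed toy (tiny and insecure) to keep the arithmetic
# visible; real systems use standard libraries and large keys.
import hashlib
import json

def toy_keypair(p=61, q=53, e=17):
    """Toy RSA key pair from two small primes: returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent
    return (e, n), (d, n)

def digest(data: bytes) -> str:
    """SHA-256: always 64 hex characters whatever the input length."""
    return hashlib.sha256(data).hexdigest()

def sign(message: bytes, private_key) -> int:
    """Reduce the hash into the toy modulus and 'encrypt' it with d."""
    d, n = private_key
    return pow(int(digest(message), 16) % n, d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """'Decrypt' with e and compare against a fresh hash of the message."""
    e, n = public_key
    return pow(signature, e, n) == int(digest(message), 16) % n

def cert_bytes(cert: dict) -> bytes:
    """Canonical encoding of the fields the CA signs (signature excluded)."""
    fields = {k: v for k, v in cert.items() if k != "ca_signature"}
    return json.dumps(fields, sort_keys=True).encode()

def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """CA hashes the certificate, signs the hash, appends the signature."""
    cert = {"subject": subject, "public_key": list(subject_public)}
    cert["ca_signature"] = sign(cert_bytes(cert), ca_private)
    return cert

def certificate_valid(cert: dict, ca_public) -> bool:
    """Anyone holding the CA's public key can check the certificate."""
    return verify(cert_bytes(cert), cert["ca_signature"], ca_public)

def signed_by_certified_party(message, signature, cert, ca_public) -> bool:
    """Trust chain: the certificate verifies under the CA key, and the
    message signature verifies under the key the certificate vouches for."""
    return (certificate_valid(cert, ca_public)
            and verify(message, signature, tuple(cert["public_key"])))
```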

39
Preventive Controls
  • Effects of Encryption on Other Layers of Defense
  • Protects confidentiality and privacy of the
    transmission and provides for authentication and
    non-repudiation of transactions
  • Firewall cannot effectively inspect encrypted
    packets
  • Anti-virus and intrusion detection systems also
    have difficulty dealing with encrypted packets

40
Detective Controls
  • Actual system use must be examined to assess
    compliance through
  • Log analysis
  • Intrusion detection systems
  • Managerial reports
  • Periodically testing the effectiveness of
    existing security procedures

41
Detective Controls
  • Log Analysis
  • The process of examining logs to monitor security
  • Logs form an audit trail of system access

42
Detective Controls
  • Intrusion Detection Systems
  • Represent an attempt to automate part of the
    monitoring
  • Creates a log of network traffic that was
    permitted to pass the firewall
  • Analyzes the logs for signs of attempted or
    successful intrusions
  • E.g., compare logs to a database containing
    patterns of traffic associated with known attacks
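Two of the detection techniques named on slide 25 (signature matching and a statistical profile of normal traffic), run over firewall-permitted traffic as slide 42 describes. This is an added example, not part of the slides; the log lines and the signature database are constructed sample data.

```python
# Added example (not from the original slides): two of the detection
# techniques the slides name, run over constructed firewall log lines:
# matching a database of known attack signatures, and profiling normal
# traffic statistically to flag hosts far outside it.
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample: traffic the firewall permitted, as "src method path status".
LOG_LINES = (
    [f"10.0.0.{h} GET /page{i}.html 200" for h in range(1, 9) for i in range(2)]
    + ["198.51.100.9 GET /index.php?id=1'%20OR%20'1'='1 500",
       "198.51.100.9 GET /cgi-bin/../../etc/passwd 404"]
    + [f"203.0.113.4 GET /search?q={i} 200" for i in range(40)]
)

# Signature database: regular expression -> attack class it indicates.
SIGNATURES = {
    r"'(%20|\s)*OR(%20|\s)*'": "SQL injection attempt",
    r"\.\./": "directory traversal",
}

def signature_matches(lines, signatures=SIGNATURES):
    """Signature-based detection: report (source, attack class) for every
    line containing a known pattern."""
    hits = []
    for line in lines:
        for pattern, name in signatures.items():
            if re.search(pattern, line, re.IGNORECASE):
                hits.append((line.split()[0], name))
    return hits

def anomalous_hosts(lines, z_threshold=2.0):
    """Anomaly-based detection: profile requests per source host and report
    hosts more than z_threshold standard deviations above the mean. Only
    finds what differs from the profile, so it catches the flood here but
    not the two single injection attempts."""
    counts = Counter(line.split()[0] for line in lines)
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:          # every host behaves alike: nothing stands out
        return []
    return [host for host, n in counts.items() if (n - mu) / sigma > z_threshold]

if __name__ == "__main__":
    for src, attack in signature_matches(LOG_LINES):
        print(f"signature hit from {src}: {attack}")
    print("anomalous hosts:", anomalous_hosts(LOG_LINES))
```

The two methods are complementary: the signature database misses the request flood, and the statistical profile misses the two low-volume probes.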

43
Detective Controls
  • Managerial Reports
  • COBIT
  • Specifies 34 IT-related control objectives
  • Provides
  • Management guidelines
  • Key performance indicators

44
Detective Controls
  • Security Testing
  • Vulnerability scans use automated tools
    designed to identify whether a system possesses
    any well-known vulnerabilities.
  • Security websites such as the Center for
    Information Security (www.cisecurity.org)
    provide:
  • Benchmarks for security best practices.
  • Tools to measure how well a system conforms.
  • Penetration testing provides a way to test the
    effectiveness of an organization's computer
    security

45
Corrective Controls
  • Two of the Trust Services framework criteria for
    effective security are the existence of
    procedures to
  • React to system security breaches and other
    incidents.
  • Take corrective action on a timely basis.

46
Corrective Controls
  • Three key components that satisfy the preceding
    criteria are
  • Establishment of a computer emergency response
    team.
  • Designation of a specific individual with
    organization-wide responsibility for security.
  • An organized patch management system.

47
Corrective Controls
  • The CERT should lead the organization's incident
    response process through four steps:
  • Recognition that a problem exists
  • Containment of the problem
  • Recovery
  • Follow-up

48
Corrective Controls
  • Chief security officer (CSO)
  • Independent of other IS functions
  • Report to either the COO or CEO
  • Must understand the company's technology
    environment
  • Promotes sound security policies and procedures.
  • Disseminates info about fraud, errors, security
    breaches, improper system use, and consequences
    of these actions
  • Works with the person in charge of building
    security
  • Should impartially assess and evaluate the IT
    environment, conduct vulnerability and risk
    assessments, and audit the CIO's security measures

49
Corrective Controls
  • Patch management is the process for regularly
    applying patches and updates to all of an
    organization's software.
  • Challenges
  • Patches can have unanticipated side effects that
    cause problems
  • May be many patches each year for each software
    program

50
Summary
  • We have
  • Discussed how security affects systems
    reliability
  • Described the four criteria that can be used to
    evaluate the effectiveness of an organization's
    information security
  • Defined the time-based model of security, as well
    as the concept of defense-in-depth
  • Described the types of preventive, detective, and
    corrective controls that are used to provide
    information security
  • Determined how encryption contributes to security
    and described how the two basic types of
    encryption systems work