Information Systems Controls for Systems Reliability - PowerPoint PPT Presentation

Slides: 41
Provided by: carol384


1
  • Information Systems Controls for Systems
    Reliability
  • Part 1 Information Security

2
INTRODUCTION
  • Questions to be addressed in this chapter:
  • How does security affect systems reliability?
  • What are the four criteria that can be used to
    evaluate the effectiveness of an organization's
    information security?
  • What is the time-based model of security and the
    concept of defense-in-depth?
  • What types of preventive, detective, and
    corrective controls are used to provide
    information security?
  • How does encryption contribute to security and
    how do the two basic types of encryption systems
    work?

3
INTRODUCTION
  • The Trust Services framework developed by the
    AICPA and the Canadian Institute of Chartered
    Accountants (CICA) identified five basic
    principles that contribute to systems reliability.

[Figure label: Systems Reliability]
4
INTRODUCTION
  • The Trust Services framework developed by the
    AICPA and the Canadian Institute of Chartered
    Accountants (CICA) identified five basic
    principles that contribute to systems
    reliability:
  • Security
  • Access to the system and its data is controlled.

[Figure labels: Systems Reliability; Security]
5
INTRODUCTION
  • The Trust Services framework developed by the
    AICPA and the Canadian Institute of Chartered
    Accountants (CICA) identified five basic
    principles that contribute to systems
    reliability:
  • Security
  • Confidentiality
  • Sensitive information is protected from
    unauthorized disclosure.

[Figure labels: Systems Reliability; Confidentiality; Security]
6
INTRODUCTION
  • The Trust Services framework developed by the
    AICPA and the Canadian Institute of Chartered
    Accountants (CICA) identified five basic
    principles that contribute to systems
    reliability:
  • Security
  • Confidentiality
  • Privacy
  • Personal information about customers collected
    through e-commerce is collected, used, disclosed,
    and maintained in an appropriate manner.

[Figure labels: Systems Reliability; Confidentiality; Privacy; Security]
7
INTRODUCTION
  • The Trust Services framework developed by the
    AICPA and the Canadian Institute of Chartered
    Accountants (CICA) identified five basic
    principles that contribute to systems
    reliability:
  • Security
  • Confidentiality
  • Privacy
  • Processing integrity
  • Data is processed:
  • Accurately
  • Completely
  • In a timely manner
  • With proper authorization

[Figure labels: Systems Reliability; Confidentiality; Privacy; Processing Integrity; Security]
8
INTRODUCTION
  • The Trust Services framework developed by the
    AICPA and the Canadian Institute of Chartered
    Accountants (CICA) identified five basic
    principles that contribute to systems
    reliability:
  • Security
  • Confidentiality
  • Online privacy
  • Processing integrity
  • Availability
  • The system is available to meet operational and
    contractual obligations.

[Figure labels: Systems Reliability; Confidentiality; Privacy; Processing Integrity; Availability; Security]
9
INTRODUCTION
  • Security is the foundation of systems
    reliability. Security procedures:
  • Restrict system access to only authorized users
    and protect:
  • The confidentiality of sensitive organizational
    data.
  • The privacy of personal identifying information
    collected from customers.

[Figure labels: Systems Reliability; Confidentiality; Privacy; Processing Integrity; Availability; Security]
10
INTRODUCTION
  • Security procedures also:
  • Provide for processing integrity by preventing:
  • Submission of unauthorized or fictitious
    transactions.
  • Unauthorized changes to stored data or programs.
  • Protect against a variety of attacks, including
    viruses and worms, thereby ensuring the system is
    available when needed.

[Figure labels: Systems Reliability; Confidentiality; Privacy; Processing Integrity; Availability; Security]
11
FUNDAMENTAL INFORMATION SECURITY CONCEPTS
  • There are three fundamental information security
    concepts that will be discussed in this chapter:
  • Security as a management issue, not a technology
    issue.
  • The time-based model of security.
  • Defense in depth.

13
FUNDAMENTAL INFORMATION SECURITY CONCEPTS
  • There are three fundamental information security
    concepts that will be discussed in this chapter:
  • Security is a management issue, not a technology
    issue.
  • The time-based model of security.
  • Defense in depth.

14
TIME-BASED MODEL OF SECURITY
  • The time-based model of security focuses on
    implementing a set of preventive, detective, and
    corrective controls that enable an organization
    to recognize that an attack is occurring and take
    steps to thwart it before any assets have been
    compromised.
  • All three types of controls are necessary:
  • Preventive
  • Detective
  • Corrective

15
TIME-BASED MODEL OF SECURITY
  • The time-based model evaluates the effectiveness
    of an organization's security by measuring and
    comparing the relationship among three variables:
  • P = Time it takes an attacker to break through
    the organization's preventive controls
  • D = Time it takes to detect that an attack is in
    progress
  • C = Time to respond to the attack
  • These three variables are evaluated as follows:
  • If P > (D + C), then security procedures are
    effective.
  • Otherwise, security is ineffective.

16
TIME-BASED MODEL OF SECURITY
  • EXAMPLE: For an additional expenditure of
    25,000, the company could take one of four
    measures:
  • Measure 1 would increase P by 5 minutes.
  • Measure 2 would decrease D by 3 minutes.
  • Measure 3 would decrease C by 5 minutes.
  • Measure 4 would increase P by 3 minutes and
    reduce C by 3 minutes.
  • Since each measure has the same cost, which do
    you think would be the most cost-effective
    choice? (Hint: Your goal is to have P exceed
    (D + C) by the maximum possible amount.)

17
TIME-BASED MODEL OF SECURITY
  • You may be able to solve this problem by
    eyeballing it. If not, one way to solve it is to
    assume some initial values for P, D, and C.
  • So let's assume that P = 15 min., D = 5 min., and
    C = 8 min.
  • At our starting point, P - (D + C) = 15 - (5 + 8)
    = 2 min.
  • With Measure 1, P is increased by 5 minutes:
  • 20 - (5 + 8) = 7 min.
  • With Measure 2, D is decreased by 3 minutes:
  • 15 - (2 + 8) = 5 min.
  • With Measure 3, C is decreased by 5 min.:
  • 15 - (5 + 3) = 7 min.
  • With Measure 4, P is increased by 3 minutes and C
    is reduced by 3 min.:
  • 18 - (5 + 5) = 8 min.
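
The measure comparison above, generalized as an added example that is not part of the original slides: D and C are taken as the worst case over an incident timeline, and each measure is scored by P - (D + C). The incident timestamps are constructed, P = 15 is the value the slide assumes, and using the worst case rather than an average is an assumption of this example.

```python
from datetime import datetime

# Constructed incident records (not from the slides):
# (attack began, attack detected, response complete)
INCIDENTS = [
    ("2024-03-01T10:00", "2024-03-01T10:04", "2024-03-01T10:11"),
    ("2024-03-09T22:30", "2024-03-09T22:35", "2024-03-09T22:43"),
    ("2024-04-02T03:15", "2024-04-02T03:18", "2024-04-02T03:24"),
]

# The four equal-cost measures from the slide, as changes to (P, D, C) in minutes.
MEASURES = {
    "Measure 1": (+5, 0, 0),
    "Measure 2": (0, -3, 0),
    "Measure 3": (0, 0, -5),
    "Measure 4": (+3, 0, -3),
}

def minutes_between(start, end):
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60

def worst_case_d_c(incidents):
    """Worst observed detection time D and response time C, in minutes."""
    d = max(minutes_between(began, detected) for began, detected, _ in incidents)
    c = max(minutes_between(detected, done) for _, detected, done in incidents)
    return d, c

def margin(p, d, c):
    """P - (D + C); security is effective only when this is positive."""
    return p - (max(d, 0) + max(c, 0))  # D and C cannot drop below zero

def rank_measures(p, d, c, measures):
    """Return [(name, margin)] sorted best first; ties keep listing order."""
    scored = [(name, margin(p + dp, d + dd, c + dc))
              for name, (dp, dd, dc) in measures.items()]
    return sorted(scored, key=lambda item: -item[1])

if __name__ == "__main__":
    P = 15  # assumed value, e.g. from a penetration test; same as the slide's P
    D, C = worst_case_d_c(INCIDENTS)
    print(f"baseline margin: {margin(P, D, C)} min")
    for name, m in rank_measures(P, D, C, MEASURES):
        print(f"{name}: {m} min")
```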

19
DEFENSE IN DEPTH
  • The idea of defense-in-depth is to employ
    multiple layers of controls to avoid having a
    single point of failure.
  • If one layer fails, another may function as
    planned.
  • Computer security involves using a combination of
    firewalls, passwords, and other preventive
    procedures to restrict access.
  • Redundancy also applies to detective and
    corrective controls.

20
DEFENSE IN DEPTH
  • Major types of preventive controls used for
    defense in depth include:
  • Authentication controls (passwords, tokens,
    biometrics, MAC addresses)
  • Authorization controls (access control matrices
    and compatibility tests)
  • Training
  • Physical access controls (locks, guards,
    biometric devices)
  • Remote access controls (IP packet filtering by
    border routers and firewalls using access control
    lists; intrusion prevention systems;
    authentication of dial-in users; wireless access
    controls)
  • Host and Application Hardening procedures
    (firewalls, anti-virus software, disabling of
    unnecessary features, user account management,
    software design, e.g., to prevent buffer
    overflows)
  • Encryption

21
DEFENSE IN DEPTH
  • Detective controls include:
  • Log analysis
  • Intrusion detection systems
  • Managerial reports
  • Security testing (vulnerability scanners,
    penetration tests, war dialing)

22
DEFENSE IN DEPTH
  • Corrective controls include:
  • Computer Emergency Response Teams
  • Chief Security Officer (CSO)
  • Patch Management

24
PREVENTIVE CONTROLS
  • The objective of preventive controls is to
    prevent security incidents from happening.
  • Involves two related functions:
  • Authentication
  • Focuses on verifying the identity of the person
    or device attempting to gain access.
  • Authorization
  • Restricts access of authenticated users to
    specific portions of the system and specifies
    what actions they are permitted to perform.

25
PREVENTIVE CONTROLS
  • Users can be authenticated by verifying:
  • Something they know, such as passwords or PINs.
  • Something they have, such as smart cards or ID
    badges.
  • Some physical characteristic (biometric
    identifier), such as fingerprints or voice.

26
PREVENTIVE CONTROLS
  • Each authentication method has its limitations.
  • Passwords
  • Physical identification techniques
  • Biometric techniques

27
PREVENTIVE CONTROLS
  • Authentication and authorization can be applied
    to devices as well as users.
  • Every workstation, printer, or other computing
    device needs a network interface card (NIC) to
    connect to the organization's network.
  • Each network device has a unique identifier,
    referred to as its media access control (MAC)
    address.
  • It is possible to restrict network access to only
    those devices which have a recognized MAC address
    or to use MAC addresses for authorization.
  • For example, payroll or EFT applications should
    be set only to run from authorized terminals.

28
PREVENTIVE CONTROLS
  • These are the multiple layers of preventive
    controls that reflect the defense-in-depth
    approach to satisfying the constraints of the
    time-based model of security.

29
PREVENTIVE CONTROLS
  • Training
  • The first layer of preventive controls is
    training.

30
PREVENTIVE CONTROLS
  • Controlling Physical Access
  • Physical access controls are the second layer of
    preventive controls.

[Figure labels: Training; Control Physical Access; Control Remote Access; Hardening; Encryption]

31
PREVENTIVE CONTROLS
  • Controlling Remote Access
  • The third layer of defense is control of remote
    access.

[Figure labels: Training; Control Physical Access; Control Remote Access; Hardening; Encryption]

32
PREVENTIVE CONTROLS
  • Perimeter Defense: Routers, Firewalls, and
    Intrusion Prevention Systems
  • This figure shows the relationship between an
    organization's information system and the
    Internet.
  • A device called a border router connects an
    organization's information system to the Internet.

33
PREVENTIVE CONTROLS
  • Behind the border router is the main firewall,
    either a special-purpose hardware device or
    software running on a general purpose computer.

34
PREVENTIVE CONTROLS
  • Web servers and email servers are placed in a
    separate network called the demilitarized zone
    (DMZ), because it sits outside the corporate
    network but is accessible from the Internet.

35
PREVENTIVE CONTROLS
  • Together, the border router and firewall act as
    filters to control which information is allowed
    to enter and leave the organization's information
    system.

36
PREVENTIVE CONTROLS
  • Another dimension of the defense-in-depth concept
    is the use of a number of internal firewalls to
    segment different departments within the
    organization.

37
PREVENTIVE CONTROLS
  • Wireless Access
  • Many organizations also provide wireless access
    to their information systems.
  • It's convenient and easy.
  • But anyone with a wireless NIC can attempt to
    connect to the network.
  • Ease of access provides another venue for attack
    and extends the perimeter that must be protected.
  • Wireless signals can often be picked up from
    miles away by perpetrators in cars, nearby
    buildings, etc.

38
PREVENTIVE CONTROLS
  • The following procedures should also be followed
    to adequately secure wireless access:
  • Turn on available security features
  • Most wireless devices are sold and installed with
    these features disabled.
  • Example: encryption is usually turned off.

39
PREVENTIVE CONTROLS
  • Configure all authorized wireless NICs to operate
    only in infrastructure mode.
  • Forces the device to connect only to wireless
    access points.
  • Wireless NICs configured in ad hoc mode can
    communicate directly with any other device that
    has a wireless NIC. Creates a security threat
    because it creates peer-to-peer networks with no
    authentication controls.
  • Turn off automatic broadcasting of the access
    point's address, called a service set identifier
    (SSID).
  • Forces users to manually enter the wireless
    access point's SSID.
  • Makes unauthorized access more difficult.

40
PREVENTIVE CONTROLS
  • Predefine a list of authorized MAC addresses and
    configure wireless access points to only accept
    connections from those MAC addresses.
  • Reduce broadcast strength of wireless access
    points to make unauthorized reception more
    difficult off premises.
  • Locate wireless access points in the interior of
    the building and use directional antennae to make
    unauthorized access and eavesdropping more
    difficult.
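
One way to check an access point against the settings listed on the last three slides, as an added example that is not part of the original presentation. It assumes the access point is configured through a hostapd-style key=value file; both sample configurations and the accept_mac_file path are constructed, and infrastructure mode, broadcast strength and antenna placement sit outside such a file and are not checked.

```python
# Constructed hostapd-style access point settings (sample input, not from
# the slides). The passphrase and the accept_mac_file path are placeholders.
AS_SHIPPED = """
interface=wlan0
ssid=CorpWLAN
ignore_broadcast_ssid=0
macaddr_acl=0
"""

HARDENED = """
interface=wlan0
ssid=CorpWLAN
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE-WITH-LONG-RANDOM-PASSPHRASE
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.list
"""

def parse(text):
    """Parse key=value lines, skipping blanks and # comment lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit(text):
    """Return the slide-checklist items this configuration fails."""
    cfg = parse(text)
    findings = []
    try:
        wpa = int(cfg.get("wpa", "0"))
    except ValueError:
        wpa = 0  # an unreadable value is treated as encryption off
    if not wpa & 2:  # bit 1 of "wpa" enables WPA2 (RSN)
        findings.append("WPA2 encryption not enabled")
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID is broadcast")
    # macaddr_acl=1 means: deny every station not in the accept list
    if cfg.get("macaddr_acl", "0") != "1" or not cfg.get("accept_mac_file"):
        findings.append("no MAC address allowlist")
    return findings
```

MAC addresses are sent unencrypted and a hidden SSID is revealed whenever a client associates, so the last two checks complement encryption as additional layers rather than replace it.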