Administrative Security Procedural Controls - PowerPoint PPT Presentation

Provided by: enpubFu
Slides: 24
1
Administrative Security Procedural Controls
2
Contents
  • Information Storage
  • Passwords
  • Password introduction
  • Biometric passwords
  • Password attack methods
  • Managing passwords
  • Auditing
  • Auditing systems
  • Audit process

3
Information Storage
  • Information can be stored in various formats on
    various storage media
    • Written documents and images on paper or
      negatives
    • Voice records on tapes
    • Digital format information on
      • Floppy disc
      • Zip disk
      • Flash memory (e.g. USB key drive, CF card, SD
        card)
      • Hard drive
      • CD (R, RW)
      • DVD (R, -R, -RW, RW)
      • Tape

4
Information Storage (Cont.)
  • Information storage management includes
    • External marking of media
    • Destruction of media
    • Sanitization of media
    • Transportation of media
    • Emergency destruction

5
Passwords
  • A password is information associated with an
    entity that confirms the entity's identity.
  • Has been widely used for a long time
    • Bank card PIN
    • SSN associated with your mother's maiden name
    • Computer account login

T1 ch11.2, T2 ch12.2
6
Biometric Passwords
  • Face recognition
  • Voice recognition
  • Iris codes
  • Fingerprints
  • Handwritten signatures
  • Keystroke
  • Combinations

T1 ch11.4, T2 ch12.4
7
Biometric Passwords (cont.)
  • Advantages
    • Automatic identification of an individual
    • Better results than a token or PIN
  • Problems
    • Performance
      • Takes large computing resources
    • Public acceptance
      • People are afraid of giving their fingerprints or
        iris patterns for security records

8
Password Attack Methods
  • Password Guessing
    • Most common attack
    • Attacker knows a login (from email/web page, etc.)
    • Attempts to guess the password
    • Success of the attack depends on the password chosen by
      the user
    • Some categories of passwords that are easy to
      guess
      • Based on account names
      • Based on user names
      • Based on computer names
      • Dictionary words
      • Reversed dictionary words
      • Dictionary words with some or all letters
        capitalized

9
Password Attack Methods (cont.)
  • Password Capture
    • Watching over the shoulder as the password is entered
    • Using a Trojan horse (virus-infected) program
  • Attacks on password entry due to faulty system
    design
    • Eavesdropping: the password characters are
      plaintext
    • The login screen is faked
    • Unlimited password retries
  • Storage Attack
    • Analyze unencrypted audit trails
    • Password is stored as plain text

10
Managing Passwords
  • Need password policies and good user education
    • Ensure every account has a default password
    • Ensure users change the default passwords to
      something they can remember
    • Protect the password file from general access
  • Set technical policies to enforce good passwords
    • Minimum length (>6)
    • Require a mix of upper- and lower-case letters,
      numbers, punctuation
    • Block known dictionary words
    • Require change of password periodically
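The easy-to-guess categories on slide 8 and the technical policy rules on slide 10 can be expressed as a single check run when a user picks a password. The Python below is an added example for these two slides, not code from the presentation or its references; the small word list, the minimum length of 7 (the slide's ">6"), and the `account`, `user` and `host` parameters are assumptions.

```python
import re

# Constructed sample word list standing in for a real dictionary such as
# /usr/share/dict/words (assumption: entries are lower-case).
DICTIONARY = {"password", "secret", "welcome", "dragon", "letmein", "monkey"}

MIN_LENGTH = 7  # slide 10 says "minimum length (>6)"


def check_password(password, account="", user="", host="", dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means the password passes.

    The rules mirror slides 8 and 10: minimum length, a mix of character
    classes, and nothing based on the account, user or computer name or on a
    dictionary word (also reversed, or with some letters capitalized).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no punctuation")

    # Lower-casing folds "Secret", "SECRET" and "sEcReT" onto "secret";
    # the reversed form catches "terces"; stripping leading/trailing digits
    # and punctuation catches "Password1!".
    lowered = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    candidates = {lowered, lowered[::-1], core, core[::-1]}
    if any(word in dictionary for word in candidates if word):
        problems.append("based on a dictionary word")

    # Names shorter than three characters would match almost anything.
    names = {n.lower() for n in (account, user, host) if len(n) >= 3}
    names |= {n[::-1] for n in names}
    if any(n in lowered for n in names):
        problems.append("based on an account, user or computer name")

    return problems


def main():
    # Constructed examples, not real credentials.
    for pw in ("Tr0ub4dor&3", "Password1!", "terceS", "Alice2024!"):
        print(pw, "->", check_password(pw, account="alice", host="ws01") or "OK")


if __name__ == "__main__":
    main()
```

The checker returns every violation rather than stopping at the first, which is what a user-facing policy message needs; the case-folding and reversal steps are what make the "reversed" and "capitalized" dictionary categories from slide 8 enforceable rather than just listed.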

11
Auditing
  • Auditing is a technique for determining security
    violations
  • Logging is the recording of events or statistics
    to provide information about system use and
    performance
  • Auditing is the analysis of log records to
    present information about the system in a clear
    and understandable manner

T1 ch21.1 T2 ch24.1
12
Auditing (cont.)
  • Generally, to support auditing, the automated
    information system generates logs that indicate
    • What happened
    • Who did it
    • What went wrong
    • How far some information spreads
    • Who had access to some information

13
Auditing Systems
  • An auditing system consists of three components
    • The logger collects data
    • The analyzer analyzes the collected data
    • The notifier reports the results of the analysis

T1 ch21.2 T2 ch24.2
14
Auditing Systems (cont.)
  • Logger
    • The type and quantity of information are decided
      by system or program configuration parameters
    • Information may be recorded in binary or
      human-readable form, or transmitted directly to an
      analysis system

15
Auditing Systems (cont.)
  • Logger (cont.)
    • Examples of auditable events
      • Login
      • Logoff
      • Operating system changes
      • User-invoked operating system commands
      • User-invoked applications
      • Read of data
      • Creation of objects
      • Network events

16
Auditing Systems (cont.)
  • Analyzer
    • An analyzer takes a log as input and analyzes it.
    • The results of analysis may lead to changes in
      the data being recorded, or detection of some
      events or problems, or both.
    • Example
      • Audit analysis mechanism used by an intrusion
        detection system to detect attacks by analyzing
        log records

17
Auditing Systems (cont.)
  • Notifier
    • The notifier informs the analyst and other
      entities of the results of the audit.
    • Actions may be taken in response to these
      results.
    • Example
      • Consider a login system in which three
        consecutive failed login attempts disable the
        user's account. When a user's failed login
        attempts reach 3, the audit system will
        invoke the notifier, which will report the
        problem to the administrator and disable the account.
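Slides 13 to 17 describe the logger, analyzer and notifier as separate components; the example on slide 17 (three consecutive failed logins disable the account) is a convenient way to see all three working on one log. The Python below is an added example written for these slides, not code from the presentation or its references: the four-field log format, the sample lines and the `(action, detail)` shape of the notifier's output are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log in human-readable form; the four-field layout
# (timestamp, user, action, outcome) is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T08:00:01 alice login success
2024-05-01T08:00:10 bob login failure
2024-05-01T08:00:15 bob login failure
2024-05-01T08:00:20 carol login success
2024-05-01T08:00:25 bob login failure
2024-05-01T08:00:30 alice logoff success
2024-05-01T08:01:00 carol login failure
2024-05-01T08:01:05 carol login success
2024-05-01T08:01:10 carol login failure
2024-05-01T08:01:15 carol login failure
"""


@dataclass
class Event:
    time: str
    user: str
    action: str
    outcome: str


def logger(text):
    """Logger: collect the raw lines as event records, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append(Event(*parts))
    return events


def analyzer(events, threshold=3):
    """Analyzer: find users whose consecutive failed logins reach the threshold.

    A successful login resets the user's streak, so carol (failure, success,
    failure, failure) is not flagged at the default threshold while bob
    (three failures in a row) is. Returns {user: time the threshold was hit}.
    """
    streak = defaultdict(int)
    flagged = {}
    for ev in events:
        if ev.action != "login":
            continue
        if ev.outcome == "failure":
            streak[ev.user] += 1
            if streak[ev.user] == threshold:
                flagged[ev.user] = ev.time
        else:
            streak[ev.user] = 0
    return flagged


def notifier(flagged, threshold=3):
    """Notifier: the two actions slide 17 describes, as (action, detail) pairs."""
    actions = []
    for user, when in sorted(flagged.items()):
        actions.append(("report", f"{user}: {threshold} consecutive failed logins, last at {when}"))
        actions.append(("disable", user))
    return actions


def run_audit(text, threshold=3):
    """Wire the three components together: log -> analysis -> notification."""
    return notifier(analyzer(logger(text), threshold), threshold)


if __name__ == "__main__":
    for action, detail in run_audit(SAMPLE_LOG):
        print(action, detail)
```

Keeping the three stages as separate functions is the point of the slide's decomposition: the logger can be swapped for one that reads binary records, and the analyzer's threshold is the configuration parameter slide 14 mentions, without the notifier changing. Counting only consecutive failures (reset on success) is what distinguishes a lockout rule from a plain failure count.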

18
Audit Process
  • Audit team
    • Accountants: people who are fascinated by
      auditing
    • Needed expertise varies
      • CISA - Certified Information Systems Auditor
      • CISM - Certified Information Systems Manager
    • Check www.isaca.org (Information Systems Audit
      and Control Organization) for further information

19
Steps of Audit Process
  • 1. Planning Phase
  • 2. Testing Phase
  • 3. Reporting Phase

20
Planning Phase
  • Entry Meeting
  • Define Scope
  • Learn Controls
  • Historical Incidents
  • Past Audits
  • Site Survey
  • Review Current IA Policies
  • Questionnaires
  • Define Objectives
  • Develop Audit Plan / Checklist

21
Testing Phase
  • Evaluate Audit Plan
    • What data will be collected
    • How/when it will be collected
    • Site employees' involvement
    • Other relevant questions
  • Data Collection
    • Based on scope/objectives
    • Types of Data
      • Activities involving physical security
      • Interview staff
      • Vulnerability assessments
      • Access control assessments

22
Reporting Phase
  • Exit Meeting - Short Report
    • Immediate problems
    • Questions answered for site managers
    • Preliminary findings
    • NOT able to give in-depth information
  • Long Report After Going Through Data
    • Objectives/scope
    • How data was collected
    • Summary of problems
    • In-depth description of problems
    • Glossary of terms
    • References
  • Any computer misuse or abuse should be reported,
    and law enforcement may be involved if needed

23
References
  • M. Merkow, J. Breithaupt, Information Security
    Principles and Practices, Prentice Hall, August
    2005, ISBN 0131547291
  • Matt Bishop, Introduction to Computer Security,
    Addison-Wesley, 2004, ISBN 0321247442
  • Matt Bishop, Computer Security: Art and Science,
    Addison-Wesley, 2002, ISBN 0201440997