Compai Chapter 8
Controls for Information Security
After studying this chapter, you should be able to:
1. Explain how security and the other four principles in the Trust Services Framework affect
systems reliability.
2. Explain two fundamental concepts: why information security is a management issue, and the
time-based model of information security.
3. Discuss the steps criminals follow to execute a targeted attack on an organization's information
system.
4. Describe the preventive, detective, and corrective controls that can be used to protect an
organization's information.
5. Describe the controls that can be used to detect in a timely manner that an organization's
information system is under attack.
6. Discuss how organizations can respond in a timely manner to attacks against their information system.
7. Explain how virtualization, cloud computing, and the Internet of Things affect information
security.
Integrative Case: Northwest Industries
Jason Scott's next assignment is to review the internal controls over Northwest
Industries' information systems. Jason obtains a copy of Control Objectives for
Information and Related Technology 5 (COBIT 5) and is impressed by its
thoroughness. However, he tells his friend that he feels overwhelmed in trying to
use COBIT 5 to plan his audit of Northwest Industries. His friend suggests that he
examine the Trust Services Framework developed jointly by the American
Institute of Certified Public Accountants (AICPA) and the Canadian Institute of
Chartered Accountants (CICA) to guide auditors in assessing the reliability of an
organization's information system. After reviewing the framework, Jason
concludes that he can use it to guide his audit effort. He decides that he will begin
by focusing on the controls designed to provide reasonable assurance about
information security.
He writes down the following questions that will guide his investigation:
1. What controls does Northwest Industries employ to prevent unauthorized
access to its accounting system?
2. How can successful and unsuccessful attempts to compromise the
company's accounting system be detected in a timely manner?
3. What procedures are in place to respond to security incidents?
As noted in Chapter 7, COBIT 5 is a comprehensive
framework of best practices relating to all aspects of the
governance and management of IT.
We organize this chapter and the next two around the
principles in the Trust Services Framework, which was
developed jointly by the AICPA and the CICA to provide
guidance for assessing the reliability of information
systems.
The Trust Services Framework organizes IT-related controls into five
principles that jointly contribute to systems reliability:
1. Security - access (both physical and logical) to the system and its data is controlled and
restricted to legitimate users.
2. Confidentiality - sensitive organizational information (e.g., marketing plans, trade
secrets) is protected from unauthorized disclosure.
3. Privacy - personal information about customers, employees, suppliers, or business
partners is collected, used, disclosed, and maintained only in compliance with internal
policies and external regulatory requirements.
4. Processing Integrity - data are processed accurately, completely, in a timely manner,
and only with proper authorization.
5. Availability - the system and its information are available to meet operational and
contractual obligations.
FIGURE 8-1 Relationships Among the Five Trust Services Principles for Systems Reliability
Two Fundamental Information Security Concepts
FIGURE 8-2 The Security Life Cycle
The time-based model of information security can be
expressed in the following formula:
P > D + R, where
P = the time it takes an attacker to break through the various controls that protect
the organization's information assets
D = the time it takes for the organization to detect that an attack is in progress
R = the time it takes to respond to and stop the attack
The time-based model of security provides a
means for management to identify the most
cost-effective approach to improving security
by comparing the effects of additional
investments in preventive, detective, or
corrective controls.
Organizations attempt to satisfy the objective of the time-based model of
security by employing the strategy of defense-in-depth.
For example, management may be considering the investment of an
additional $100,000 to enhance security.
Basic steps criminals use to attack an organization's
information system:
1. Conduct reconnaissance. The objective of this initial
reconnaissance is to learn as much as possible about the
target and to identify potential vulnerabilities.
2. Attempt social engineering. Attackers frequently try to trick employees into handing over
access or information. The use of deception to obtain unauthorized access to information
resources is referred to as social engineering. Social engineering can take place in countless
ways, limited only by the creativity and imagination of the attacker.
• Social engineering attacks often take place over the telephone.
• Social engineering attacks can also take place via e-mail. Spear phishing involves
sending e-mails that purport to come from someone the victim knows.
• Another social engineering tactic is to scatter malware-laden USB drives in the targeted
organization's parking lot in the hope that an employee will plug one in.
3. Scan and map the target. The attacker uses a variety of automated tools
to identify computers that can be remotely accessed and the types of
software they are running.
4. Research. The next step is to conduct research to find known
vulnerabilities for those programs and learn how to take advantage of those
vulnerabilities.
5. Execute the attack. The criminal takes advantage of a vulnerability to
obtain unauthorized access to the target's information system.
6. Cover tracks. After penetrating the victim's information system, most
attackers attempt to cover their tracks and create "back doors".
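Step 3 above ("scan and map the target") is the part of the procedure that is purely technical, so here is an added example of what such a scan does, written for this page rather than taken from the textbook. It starts a throwaway listener on 127.0.0.1 that greets clients with a constructed banner (standing in for a real host on the target network), then performs a TCP connect probe and reads the banner to guess what software is listening. The banner text, the port list and the fingerprint patterns are all assumptions for the demo. Run scans only against systems you are authorized to test.

```python
import socket
import threading

# Constructed demo banner: a real SSH server announces its version in exactly this form.
SAMPLE_BANNER = b"SSH-2.0-ExampleServer_1.0\r\n"


def start_banner_server(banner=SAMPLE_BANNER):
    """Start a local listener that sends `banner` to each client; return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe_port(host, port, timeout=0.5):
    """TCP connect probe: returns ("open", banner) or ("closed", b"")."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:
        s.close()
        return "closed", b""
    banner = b""
    try:
        banner = s.recv(256)              # many services speak first; grab what they say
    except OSError:
        pass
    finally:
        s.close()
    return "open", banner.strip()


def fingerprint(banner):
    """Map a banner to a coarse software label (constructed pattern list, not exhaustive)."""
    text = banner.decode("ascii", errors="replace")
    if text.startswith("SSH-"):
        return "ssh: " + text
    if text.startswith("220 "):
        return "smtp/ftp: " + text
    if "HTTP/" in text:
        return "http: " + text.splitlines()[0]
    return ("unknown: " + text[:40]) if text else "no banner"


def scan(host, ports):
    """Return {port: (state, label)} for every probed port."""
    results = {}
    for p in ports:
        state, banner = probe_port(host, p)
        results[p] = (state, fingerprint(banner) if state == "open" else "")
    return results


if __name__ == "__main__":
    port = start_banner_server()
    for p, (state, label) in scan("127.0.0.1", [port]).items():
        print(f"{p}/tcp {state} {label}")
```

The label returned by fingerprint() is what feeds step 4 (research): an attacker searches for known vulnerabilities in exactly that product and version string, which is why exposed banners and unnecessary listening services are both hardening concerns.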
Protecting Information Resources
TABLE 8-1 Preventive, Detective, and Corrective Controls Used to Satisfy the Time-Based Model of Security
PEOPLE: CREATION OF A “SECURITY-CONSCIOUS” CULTURE
PEOPLE: TRAINING
• All employees should be taught why security measures are important to the
organization's long-run survival.
• They also need to be trained to follow safe computing practices.
• Training is especially needed to educate employees about social engineering attacks,
such as piggybacking (following an authorized person through a locked door), which can
take place not only at the main entrance to the building but also at any internal locked
door, especially to rooms that contain computer equipment.
• Security awareness training for senior management is important because executives are
prime targets of spear phishing.
• Training of information security professionals is also important.
However, an organization's investment in security training will be effective
only if management clearly demonstrates that it supports employees who
follow prescribed security policies. For example, one of the authors heard
an anecdote about a systems professional at a major bank who refused to
allow a person who was not on the list of authorized employees to enter the
room housing the servers that contained the bank's key financial
information. The person denied entry happened to be a new executive who
was just hired. Instead of reprimanding the employee, the executive
demonstrated the bank's commitment to and support for strong security by
writing a formal letter of commendation for meritorious performance to be
placed in the employee's performance file.
PROCESS: USER ACCESS CONTROLS
To accomplish that objective, COBIT 5 management practice
DSS05.04 stresses the need for controls to manage user
identity and logical access so that it is possible to uniquely
identify everyone who accesses the organization's information
system and track the actions that they perform.
Implementing DSS05.04 involves the use of two related but
distinct types of user access controls: authentication controls
and authorization controls.
AUTHENTICATION CONTROLS
Authentication is the process of verifying the identity of the person or device attempting
to access the system. The objective is to ensure that only legitimate users can access the
system.
It is important to authenticate not only people but also every
device attempting to connect to the network. Every
workstation, printer, or other computing device needs a
network interface card (NIC) to connect to the
organization's internal network. Each NIC has a unique
identifier, referred to as its media access control (MAC)
address. A MAC address can, however, be changed in software, so it should not be
relied on as the sole proof of a device's identity; where device authentication
matters, stronger mechanisms such as port-based network access control (IEEE 802.1X)
with per-device credentials are needed.
Effectiveness of Passwords as Authentication Credentials
• Length. The strength of a password is directly related to its length. The longer, the
better.
• Multiple character types. Using a mixture of upper- and lowercase alphabetic,
numeric, and special characters greatly increases the strength of the password.
• Randomness. Passwords should not be easily guessed. Therefore, they should not be
words found in dictionaries, nor should they be dictionary words with a preceding or
following numeric character (such as 3Diamond or Diamond3), since password-cracking
tools try such variations automatically.
• Changed frequently. Passwords should be changed at regular intervals. (Current NIST
guidance, SP 800-63B, instead recommends changing a password when there is evidence it
has been compromised, because forced periodic changes push users toward predictable
variations.)
• Kept secret. Most important, passwords must be kept secret to be effective.
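The criteria above can be checked mechanically. The following is an added example written for this page, not code from the textbook: a checker that applies the length, character-type, dictionary and "word plus digit" rules, together with a rough entropy estimate that shows why length matters more than complexity. The word list is a constructed stand-in for the real wordlists password-cracking tools use, and the 12-character minimum is an assumption.

```python
import math
import re
import string

# Constructed mini-dictionary; real cracking wordlists run to millions of entries.
DICTIONARY = {"diamond", "password", "welcome", "summer", "letmein", "qwerty"}


def _base_word(pw):
    """Strip a leading or trailing digit run so '3Diamond' and 'Diamond3' map to 'diamond'."""
    return re.sub(r"^\d+|\d+$", "", pw).lower()


def check_password(pw, min_len=12):
    """Return a list of failed criteria; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character types")
    if pw.lower() in DICTIONARY:
        problems.append("is a dictionary word")
    elif _base_word(pw) in DICTIONARY:
        problems.append("is a dictionary word with digits added")
    # Crude repetition check: 'aaaaaaaaaaaa' is long but not random.
    if len(set(pw)) <= max(1, len(pw) // 3):
        problems.append("too repetitive")
    return problems


def entropy_bits(pw):
    """Upper-bound entropy: length * log2(size of the character set actually used)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 printable symbols
    if " " in pw:
        size += 1
    return round(len(pw) * math.log2(size), 1) if size else 0.0


if __name__ == "__main__":
    for candidate in ["Diamond3", "password", "Gx7!pQ2@wLm9", "correct horse battery staple"]:
        print(f"{candidate!r}: {entropy_bits(candidate)} bits, problems={check_password(candidate)}")
```

Note what the two rules disagree on: the four-word passphrase fails the character-type rule yet carries far more entropy than the 12-character mixed password, because length compounds while a larger alphabet only adds a few bits per character. That is the reason current guidance weights length and a block list of known-bad passwords above forced complexity.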
AUTHORIZATION CONTROLS
FIGURE 8-4 Example of an Access Control Matrix
FIGURE 8-5 Implementing Authorization Controls in an ERP System
Like authentication controls, authorization controls can and
should be applied not only to people but also to devices.
PROCESS: PENETRATION TESTING
PROCESS: CHANGE CONTROLS AND CHANGE MANAGEMENT
Characteristics of a well-designed change control and change
management process include:
• A special process for timely review, approval, and documentation of
“emergency changes” as soon after the crisis as is practical.
• Development and documentation of “backout” plans to facilitate reverting
to previous configurations if the new change creates unexpected problems.
• Careful monitoring and review of user rights and privileges during the
change process to ensure that proper segregation of duties is maintained.
IT SOLUTIONS: ANTIMALWARE CONTROLS
Malware (e.g., viruses, worms, and keystroke-logging software) is a major threat.
Malware can damage or destroy information or provide a means for unauthorized
access. Therefore, COBIT 5 section DSS05.01 lists malware protection as one of
the keys to effective security, specifically recommending the following:
1. Malicious software awareness education
2. Installation of antimalware protection tools on all devices
3. Centralized management of patches and updates to antimalware software
4. Regular review of new malware threats
5. Filtering of incoming traffic to block potential sources of malware
6. Training employees not to install shared or unapproved software
IT SOLUTIONS: NETWORK ACCESS CONTROLS
Perimeter Defense: Routers, Firewalls, And Intrusion Prevention Systems
FIGURE 8-6 Example Organizational Network Architecture
FIGURE 8-7 How Files Are Broken into Packets to Be Sent Over Networks and Then Reassembled by the Receiving Device
The TCP header contains fields that specify the sequential
position of that packet in relation to the entire file, together with the
port numbers (addresses) on the sending and receiving devices that identify
the application the data comes from and the one it is to be delivered to. The IP
header contains fields that specify the network address (IP
address) of the sending and receiving devices. The Ethernet
header contains the MAC addresses of the sending and receiving
devices, which are used to deliver the frame on the local
area network (LAN).
Controlling Access by Filtering Packets
Packet filtering - A process that uses various fields in a packet’s IP and
TCP headers to decide what to do with the packet.
Deep packet inspection - A process that examines the data in the body
of a TCP packet to control traffic, rather than looking only at the
information in the IP and TCP headers.
Using Defense-in-Depth to Restrict Network Access
The use of multiple perimeter filtering devices is more efficient and effective
than relying on only one device. Thus, most organizations use border routers to
quickly filter out obviously bad packets and pass the rest to the main firewall.
The main firewall does more detailed checking, and then other firewalls perform
deep packet inspection to more fully protect specific devices such as the
organization’s web server and e-mail server. In addition, an IPS monitors the
traffic passed by the firewalls to identify and block suspicious network traffic
patterns that may indicate that an attack is in progress.
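To make the header description, the packet-filtering definitions and the layered perimeter above concrete, here is one added example that serves all three passages; it is written for this page and is not code from the textbook or from any real router or firewall product. It builds a minimal IPv4+TCP packet with constructed addresses, parses the header fields the text names, and then passes the packet through three filtering layers in the order the text describes: a border router doing a cheap anti-spoofing check, a main firewall filtering on address and port, and a deep-packet-inspection stage that looks at the TCP body. The internal range, the web server address and the DPI signatures are all assumptions.

```python
import ipaddress
import struct

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space
WEB_SERVER = "10.0.1.5"                         # assumed address of the public web server


def build_packet(src_ip, dst_ip, src_port, dst_port, payload=b"", flags=0x02):
    """Construct a minimal IPv4 + TCP packet (checksums left at zero; test data only)."""
    # TCP: src port, dst port, seq, ack, data offset (5 words), flags, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IP: version/IHL, TOS, total length, id, flags/frag, TTL, protocol (6 = TCP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return ip + tcp + payload


def parse_packet(raw):
    """Pull the IP and TCP header fields the text names, plus the TCP body."""
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    proto = raw[9]
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    tcp = raw[ihl:]
    sport, dport, seq, ack, off = struct.unpack("!HHIIB", tcp[:13])
    tcp_len = (off >> 4) * 4                       # TCP header length in bytes
    return {"proto": proto, "src": src, "dst": dst, "sport": sport,
            "dport": dport, "seq": seq, "payload": tcp[tcp_len:]}


def border_router(pkt):
    """Cheap check: a packet arriving from the Internet must not claim an internal source."""
    if ipaddress.ip_address(pkt["src"]) in INTERNAL:
        return "drop: spoofed internal source"
    return "pass"


def main_firewall(pkt):
    """Packet filtering on IP/TCP header fields: only web ports to the web server are allowed."""
    if pkt["proto"] != 6:
        return "drop: non-TCP"
    if pkt["dst"] == WEB_SERVER and pkt["dport"] in (80, 443):
        return "pass"
    return f"drop: {pkt['dst']}:{pkt['dport']} not permitted"


def deep_inspection(pkt):
    """Deep packet inspection: look at the TCP body, not just the headers (constructed signatures)."""
    body = pkt["payload"]
    if pkt["dport"] == 80 and body and not body.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "drop: non-HTTP on port 80"
    if b"../" in body or b"' OR " in body.upper():
        return "drop: suspicious payload"
    return "pass"


LAYERS = [("border router", border_router),
          ("main firewall", main_firewall),
          ("DPI firewall", deep_inspection)]


def filter_packet(raw):
    """Run a packet through the layers in order; return (verdict, layer that decided)."""
    pkt = parse_packet(raw)
    for name, layer in LAYERS:
        verdict = layer(pkt)
        if verdict != "pass":
            return verdict, name
    return "pass", "all layers"


if __name__ == "__main__":
    samples = {
        "legitimate web request": build_packet("203.0.113.9", WEB_SERVER, 40000, 80, b"GET / HTTP/1.1\r\n"),
        "spoofed internal source": build_packet("10.0.0.7", WEB_SERVER, 40000, 80, b"GET / HTTP/1.1\r\n"),
        "ssh from the Internet": build_packet("203.0.113.9", WEB_SERVER, 40000, 22),
        "injection in request": build_packet("203.0.113.9", WEB_SERVER, 40000, 80,
                                             b"GET /?id=1' OR '1'='1 HTTP/1.1\r\n"),
    }
    for label, raw in samples.items():
        print(f"{label:26s} -> {filter_packet(raw)}")
```

The ordering is the point of defense-in-depth: the cheapest test runs first on every packet, and the expensive body inspection only sees the small fraction of traffic that the header-based layers already allowed.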
Securing Wireless Access
The following procedures need to be followed to adequately secure wireless access:
IT SOLUTIONS: DEVICE AND SOFTWARE HARDENING CONTROLS
ENDPOINT CONFIGURATION
Exploit - A program designed to take advantage of a known
vulnerability.
Patch - Code released by software developers that fixes a particular
vulnerability.
Patch Management - The process of regularly applying patches
and updates to software.
Hardening - The process of modifying the default configuration of
endpoints to eliminate unnecessary settings and services.
The trend towards permitting employees to use their own personal devices at work, referred
to as Bring Your Own Device (BYOD), makes endpoint configuration much more complex
to manage effectively.
USER ACCOUNT MANAGEMENT
SOFTWARE DESIGN
Buffer overflows, SQL injection, and cross-site scripting are common examples of attacks against the software
running on websites.
Buffer overflows occur when a program or process attempts to write more data to a fixed-length block of
memory, or buffer, than the buffer is allocated to hold.
SQL injection attacks occur whenever web application software that interfaces with a database server builds
queries by pasting unvalidated user input into SQL text, thereby permitting an attacker to embed SQL commands
within a data entry request and have those commands executed on the database server. Parameterized queries,
which pass user input to the database as data rather than as part of the statement, are the reliable defense.
Cross-site scripting attacks occur when web application software does not encode user-supplied data before
returning it to the browser, in which case the victim's browser will execute any embedded malicious script.
Section BAI03 of the COBIT 5 framework specifies the need to carefully design security into all new applications,
and section APO10 prescribes best practices for managing the risks associated with purchasing software.
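The following added example (written for this page, not code from the textbook) shows the two web flaws that can be demonstrated in a few lines: a login query built by string concatenation next to its parameterized form, and a page fragment that echoes user input raw next to one that encodes it. It uses Python's built-in sqlite3 in memory with a constructed users table; the table contents and the attack strings are assumptions.

```python
import html
import sqlite3


def make_db():
    """In-memory users table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "hash-a"), ("bob", "hash-b")])
    return db


def login_vulnerable(db, username, password_hash):
    """String concatenation: the user's input becomes part of the SQL statement itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return [row[0] for row in db.execute(sql)]


def login_safe(db, username, password_hash):
    """Parameterized query: the input is bound as data and cannot alter the statement."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in db.execute(sql, (username, password_hash))]


# Classic SQL injection string: closes the quoted literal and appends an always-true clause.
INJECTION = "' OR '1'='1"


def render_greeting_vulnerable(name):
    """Echoes the input raw; a <script> tag in `name` runs in the victim's browser."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """HTML-encodes the input so the browser renders it as text, not markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed cross-site scripting payload.
XSS = "<script>alert(document.cookie)</script>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with injection:", login_vulnerable(db, INJECTION, INJECTION))
    print("parameterized login with injection:", login_safe(db, INJECTION, INJECTION))
    print("vulnerable page:", render_greeting_vulnerable(XSS))
    print("encoded page:", render_greeting_safe(XSS))
```

With the injection string the concatenated query becomes `WHERE username = '' OR '1'='1' AND password_hash = '' OR '1'='1'`, which is true for every row, so the attacker is "logged in" as every user without knowing a single credential; the parameterized version looks for a user literally named `' OR '1'='1` and finds nothing. The same input/output distinction applies to cross-site scripting: the fix is encoding at the point where data is written into HTML, not trying to filter every dangerous input pattern.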
IT SOLUTIONS: ENCRYPTION
PHYSICAL SECURITY: ACCESS CONTROLS
Physical access control begins with entry points to the building itself.
Once inside the building, physical access to rooms housing computer equipment must be restricted.
Access to the wiring used in the organization’s LANs needs to be restricted in order to prevent
wiretapping.
Laptops, cell phones, and tablets require special attention to their physical security because they
frequently store sensitive information and are so easily lost or stolen.
COBIT 5 management practice DSS05.06 stresses the importance of restricting physical access to
network printers, because they often store document images on their hard drives.
Finally, an especially promising way to achieve defense-in-depth is to integrate physical and remote
access control systems.
Detecting Attacks
LOG ANALYSIS - The process of examining logs to identify evidence of possible attacks.
FIGURE 8-8 Example of a System Log
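Log analysis as defined above is easiest to see on real-looking records. The following is an added example written for this page, not the textbook's own material: a handful of constructed SSH authentication log lines in the common "Failed password for ... from ..." form, and a detector that raises an alert when one source address accumulates a threshold of failures inside a time window, and a second, more urgent alert when that same source then logs in successfully. The log lines, host name, addresses, threshold and window are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a password-guessing run from 198.51.100.23 that eventually
# succeeds, followed by an ordinary user who mistypes a password once.
LOG_LINES = """\
2024-03-04 09:14:02 host1 sshd[812]: Failed password for admin from 198.51.100.23 port 51522
2024-03-04 09:14:03 host1 sshd[812]: Failed password for admin from 198.51.100.23 port 51523
2024-03-04 09:14:03 host1 sshd[812]: Failed password for root from 198.51.100.23 port 51524
2024-03-04 09:14:04 host1 sshd[812]: Failed password for admin from 198.51.100.23 port 51525
2024-03-04 09:14:05 host1 sshd[812]: Failed password for admin from 198.51.100.23 port 51526
2024-03-04 09:14:09 host1 sshd[812]: Accepted password for admin from 198.51.100.23 port 51530
2024-03-04 09:20:11 host1 sshd[812]: Failed password for alice from 192.0.2.44 port 40001
2024-03-04 09:35:40 host1 sshd[812]: Accepted password for alice from 192.0.2.44 port 40002
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+$"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not an auth record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "ok": m.group(2) == "Accepted", "user": m.group(3), "src": m.group(4)}


def analyze(text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as tuples.

    ("brute-force", src, ts)                  when src reaches `threshold` failures within `window`
    ("success-after-brute-force", src, ts, user)  when a flagged src then authenticates successfully
    """
    alerts = []
    recent_failures = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = set()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("brute-force", ev["src"], ev["ts"]))
        elif ev["src"] in flagged and q:
            alerts.append(("success-after-brute-force", ev["src"], ev["ts"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(LOG_LINES):
        print(alert)
```

In the time-based model's terms, the first alert fires at 09:14:05, three seconds after the attack starts, so D is small; whether P > D + R then holds depends on how quickly someone acts on the second alert, which is the R that the incident response section below is about. Note also what a single failure from 192.0.2.44 does not produce: a detector that alerts on every failed login buries the real signal.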
INTRUSION DETECTION SYSTEMS (IDS)
CONTINUOUS MONITORING
RESPONDING TO ATTACKS
COMPUTER INCIDENT RESPONSE TEAM (CIRT)
The CIRT should lead the organization’s incident response process through the
following four steps:
3. Recovery
4. Follow-up
CHIEF INFORMATION SECURITY OFFICER (CISO)