INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY – PART I Chapter 7
Trust Services Framework • Systems reliability rests on five principles: • Security • Confidentiality • Privacy • Processing integrity • Availability
Fundamental Information Security Concepts • Security as a management issue, not a technology issue • The time-based model of security • Defense in depth
Security as a Management Issue • Management is responsible for the accuracy of various internal reports and financial statements produced by the organization’s IS. • SOX Section 302 • SOX Section 404 • Security is a key component of the internal control and systems reliability • Management’s philosophy and operating style are critical to an effective control environment (COSO model)
Four Criteria for Implementing Principles of Systems Reliability • Develop and document policies • Effectively communicate those policies to all authorized users • Design and employ appropriate control procedures to implement those policies • Monitor the system, and take corrective action to maintain compliance with the policies
Time-Based Model of Security • The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised. • All three types of controls are necessary: • Preventive • Detective • Corrective
Time-Based Model of Security • The time-based model evaluates the effectiveness of an organization’s security by measuring and comparing the relationship among three variables: • P = Time it takes an attacker to break through the organization’s preventive controls • D = Time it takes to detect that an attack is in progress • C = Time to respond to the attack • These three variables are evaluated as follows: • If P > (D + C), then security procedures are effective. • Otherwise, security is ineffective.
Time-Based Model of Security • EXAMPLE: For an additional expenditure of $25,000, the company could take one of four measures: • Measure 1 would increase P by 5 minutes. • Measure 2 would decrease D by 3 minutes. • Measure 3 would decrease C by 5 minutes. • Measure 4 would increase P by 3 minutes and reduce C by 3 minutes. • Since each measure has the same cost, which do you think would be the most cost-effective choice? (Hint: Your goal is to have P exceed (D + C) by the maximum possible amount.)
Defense in Depth • Major types of preventive controls used for defense in depth include: • Authentication controls (passwords, tokens, biometrics, MAC addresses) • Authorization controls (access control matrices and compatibility tests) • Training • Physical access controls (locks, guards, biometric devices) • Remote access controls (IP packet filtering by border routers and firewalls using access control lists; intrusion prevention systems; authentication of dial-in users; wireless access controls) • Host and Application Hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account management, software design, e.g., to prevent buffer overflows) • Encryption
Preventive Controls • Users can be authenticated by verifying: • Something they know, such as passwords or PINs. • Something they have, such as smart cards or ID badges. • Some physical characteristic (biometric identifier), such as fingerprints or voice.
Preventive Controls • Password requirements • Length • Multiple character types • Random • Secret
Preventive Controls • Each authentication method has its limitations. • Passwords • Physical identification techniques • Biometric techniques
Preventive Controls • Authorization controls are implemented by creating an access control matrix. • Specifies what part of the IS a user can access and what actions they are permitted to perform.
Preventive Controls • Authentication and authorization can be applied to devices • Network interface card (NIC) • Each network device has a unique identifier, referred to as its media access control (MAC) address.
Preventive Controls • Training should include safe computing practices, such as: • Never open unsolicited email attachments. • Use only approved software. • Never share or reveal passwords. • Physically protect laptops.
Preventive Controls • Controlling physical access to the building • There should be only one regular entry point • Emergency exits • A receptionist or security guard at the main entrance of the building
Preventive Controls • Physical access to computer equipment • Rooms should be securely locked. • All entries and exits should be monitored. • Multiple failed access attempts should trigger an alarm. • Rooms housing servers with highly sensitive data should supplement regular locks with: • Card readers; • Numeric keypads; or • Biometric devices
Preventive Controls • Access to wiring used in LANs must be restricted • Cables and wiring should not be exposed • Wall jacks not in use should be physically disconnected • Wiring closets should be locked • Laptops, cell phones, and PDA devices require special attention
Preventive Controls • Perimeter Defense: Routers, Firewalls, and Intrusion Prevention Systems
Preventive Controls • TCP/IP • Transmission Control Protocol (TCP) specifies the procedures for dividing files and documents into packets and for reassembly at the destination. • Internet Protocol (IP) specifies the structure of the packets and how to route them to the proper destination. • Header – contains the packet’s origin and destination addresses, as well as info about the type of data contained in the body. • Body.
Preventive Controls • Routers read the destination address field in the packet header to decide where to send the packet next • The current version of the IP protocol, IPv4, uses 32-bit addresses • These consist of four 8-bit numbers separated by periods. • E.g., www.prenticehall.com is translated into 220.127.116.11
Preventive Controls • An access control list (ACL) determines which packets are allowed in and which are dropped • Static packet filtering screens individual packets based only on the contents of the source and/or destination fields in the packet header • An ACL will normally deny entry to packets with: • An illegal source address • The organization’s own IP address as the source address • Any packet not dropped is forwarded on to the firewall
Preventive Controls • Firewalls use more sophisticated techniques than border routers to filter packets. • Most employ stateful packet filtering. • Static packet filtering would examine each IP packet in isolation, but stateful packet filtering maintains a table that lists all established connections between the organization’s computers and the Internet. • The firewall consults this table to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer. • Enables the firewall to reject specially crafted attack packets that would have passed a simple static packet filter.
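As an added example (not from the textbook), the two filtering stages in Python: a border-router ACL that drops illegal and spoofed source addresses on header fields alone, followed by a stateful firewall that admits an inbound packet only when its connection table shows an internal host opened the connection. The address ranges, port numbers and packet dictionaries are constructed for the demonstration.

```python
import ipaddress
from typing import Dict, Set, Tuple

# Constructed: the organization owns 203.0.113.0/24 (a documentation address range).
ORG_NET = ipaddress.ip_network("203.0.113.0/24")

def static_filter(pkt: Dict) -> bool:
    """Border-router ACL: judge each packet in isolation from its header fields."""
    src = ipaddress.ip_address(pkt["src"])
    # Illegal source addresses: loopback, multicast, unspecified, reserved ranges.
    if src.is_loopback or src.is_multicast or src.is_unspecified or src.is_reserved:
        return False
    # Anti-spoofing: a packet arriving from outside can never legitimately carry one of ours.
    if src in ORG_NET:
        return False
    return True

class StatefulFirewall:
    """Tracks connections that internal hosts have opened to the Internet."""
    def __init__(self) -> None:
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def record_outbound(self, pkt: Dict) -> None:
        # An internal host starting a conversation creates a table entry.
        self.connections.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))

    def allow_inbound(self, pkt: Dict) -> bool:
        # Inbound traffic passes only as the reverse half of a recorded connection.
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.connections

def process_inbound(fw: StatefulFirewall, pkt: Dict) -> str:
    """Run an inbound packet through the router ACL, then the stateful firewall."""
    if not static_filter(pkt):
        return "dropped by router ACL"
    if not fw.allow_inbound(pkt):
        return "dropped by stateful firewall"
    return "accepted"

def demo() -> Dict[str, str]:
    fw = StatefulFirewall()
    # Constructed traffic: an internal host opens a connection to an external web server.
    fw.record_outbound({"src": "203.0.113.10", "sport": 40000, "dst": "198.51.100.9", "dport": 80})
    inbound = {
        "reply":       {"src": "198.51.100.9", "sport": 80, "dst": "203.0.113.10", "dport": 40000},
        "unsolicited": {"src": "198.51.100.9", "sport": 80, "dst": "203.0.113.10", "dport": 40001},
        "spoofed":     {"src": "203.0.113.7",  "sport": 80, "dst": "203.0.113.10", "dport": 40000},
        "loopback":    {"src": "127.0.0.1",    "sport": 80, "dst": "203.0.113.10", "dport": 40000},
    }
    return {name: process_inbound(fw, pkt) for name, pkt in inbound.items()}
```

Calling `demo()` shows the reply to the internal host's own request accepted, the unsolicited packet to another port stopped at the firewall, and the spoofed and loopback sources never reaching it.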
Preventive Controls • Intrusion prevention systems (IPS) • Designed to identify and drop packets that are part of an attack • Techniques to identify undesirable packets: • Checking packet contents against a database of patterns (signatures) of known attack methods • Developing a profile of “normal” traffic and using statistical analysis to identify packets that don’t fit the profile • Using rule bases that specify acceptable standards for specific types of traffic and dropping packets that don’t conform
Preventive Controls • Internal firewalls
Preventive Controls • Wireless access points should be located in the DMZ
Preventive Controls • Wireless Access Security Procedures: • Turn on available security features • Authenticate all devices attempting to establish access • Configure all authorized wireless NICs to operate only in infrastructure mode • Turn off SSID broadcasting • Predefine a list of authorized MAC addresses and only accept connections from those MAC addresses • Reduce the broadcast strength of wireless access points • Locate wireless access points in the interior of the building and use directional antennae
Preventive Controls • Host Configuration • Default configurations of most devices typically turn on a large number of optional settings that are seldom, if ever, used. • Default installations of many operating systems turn on many special-purpose programs, called services, which are not essential
Preventive Controls • Managing User Accounts and Privileges • Users with administrative rights should be assigned two accounts: • One with administrative rights • One with limited privileges • Log in under the limited account to perform routine duties
Preventive Controls • Software Design • Controls are also needed over in-house development and modification of programs, because poorly-written code can be exploited to give attackers administrative privileges. • Primary weakness involves failing to adequately screen input data. • The most common input-related vulnerability is a buffer overflow attack. • Attacker sends a program more data than it can handle. • May cause the system to crash or provide a command prompt, giving the attacker full administrative privileges and control.
Preventive Controls • Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext. • Decryption reverses this process. • [Figure: plaintext (“This is a contract for . . .”) + key → encryption algorithm → ciphertext (“Xb&j &m 2 ep0%fg . . .”) + key → decryption algorithm → plaintext (“This is a contract for . . .”)]
Preventive Controls • Encryption Strength • Key length • Key management policies • The nature of the encryption algorithm
Preventive Controls • Symmetric Encryption Systems • Use the same key to encrypt and decrypt. • Symmetric encryption advantages: • Faster than asymmetric encryption • Symmetric encryption disadvantages: • Both parties need to know the secret key • A different key needs to be created for each party with whom the entity engages in encrypted transactions
Preventive Controls • Asymmetric Encryption Systems • Use two keys: • Public key • Private key • Asymmetric encryption advantages: • Any text encrypted with the public key can only be decrypted using the private key • The public key can be distributed by email or posted on a website • Any number of parties can use the same public key to send messages • Asymmetric encryption disadvantage: • Slow
Preventive Controls • Hashing • Takes plaintext of any length and transforms it into a short code • Different from encryption • Encryption always produces ciphertext similar in length to the plaintext; hashing produces a hash of a fixed short length • Encryption is reversible; hashing is not
Preventive Controls • Digital Signatures • Information encrypted with the creator’s private key • Can only be decrypted using the corresponding public key • Private key is known only to its owner • Digital Certificate • Electronic document created and digitally signed by a trusted third party. • Certifies the identity of the owner of a particular public key • Contains that party’s public key
Preventive Controls • Public key infrastructure (PKI) • the system and processes used to issue and manage asymmetric keys and digital certificates. • Certificate authority • An organization that issues public and private keys and records the public key in a digital certificate • Hashes the information stored on a digital certificate • Encrypts that hash with its private key • Appends that digital signature to the digital certificate • Provides a means for validating the authenticity of the certificate
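The certificate-authority steps above, worked as an added example that is not part of the textbook: hash the certificate fields, sign the hash with the CA’s private key, append the signature, and have a relying party check it with the CA’s public key. It uses textbook RSA with constructed Mersenne-prime keys (toy values chosen so the code runs offline with the standard library; a real CA uses padded RSA or ECDSA keys), and the issuer and subject names are placeholders.

```python
import hashlib, json, math

def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA (no padding) from two given primes. The Mersenne primes used below
    make the modulus trivially factorable, so these keys show the mechanism only."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))          # (public key, private key)

def fingerprint(fields: dict) -> int:
    """Hash the certificate fields in a canonical encoding; returned as an integer."""
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """Certificate authority: record the subject's public key, hash the fields,
    sign the hash with the CA private key, and append the signature."""
    fields = {"issuer": "Toy CA", "subject": subject, "public_key": list(subject_public)}
    n, d = ca_private
    return {**fields, "signature": pow(fingerprint(fields), d, n)}

def verify_certificate(cert: dict, ca_public) -> bool:
    """Relying party: open the signature with the CA public key and compare it with a
    freshly computed hash of the fields. Any change to a field breaks the match."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    n, e = ca_public
    return pow(cert["signature"], e, n) == fingerprint(fields)

def demo():
    # Constructed toy keys: 2**521-1, 2**127-1, 2**607-1 and 2**89-1 are Mersenne primes.
    ca_public, ca_private = make_keypair(2**521 - 1, 2**127 - 1)
    subject_public, _ = make_keypair(2**607 - 1, 2**89 - 1)
    cert = issue_certificate(ca_private, "www.example.com", subject_public)
    # Constructed tampering: swap in a different public key, leaving the signature as is.
    forged = {**cert, "public_key": [12345, 65537]}
    return verify_certificate(cert, ca_public), verify_certificate(forged, ca_public)

if __name__ == "__main__":
    print(demo())   # (True, False)
```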
Preventive Controls • Effects of Encryption on Other Layers of Defense • Protects confidentiality and privacy of the transmission and provides for authentication and non-repudiation of transactions • Firewall cannot effectively inspect encrypted packets • Anti-virus and intrusion detection systems also have difficulty dealing with encrypted packets
Detective Controls • Actual system use must be examined to assess compliance through: • Log analysis • Intrusion detection systems • Managerial reports • Periodically testing the effectiveness of existing security procedures
Detective Controls • Log Analysis • The process of examining logs to monitor security • Logs form an audit trail of system access
Detective Controls • Intrusion Detection Systems • Represent an attempt to automate part of the monitoring • Create a log of network traffic that was permitted to pass the firewall • Analyze the logs for signs of attempted or successful intrusions • E.g., compare logs to a database containing patterns of traffic associated with known attacks
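As an added example (not from the textbook) covering both the three IPS techniques listed under Preventive Controls and the IDS log comparison above: Python that runs a window of constructed web-server log lines through a small signature database, a rule base of acceptable request methods, and a statistical profile of normal requests per source learned from a clean baseline window. All addresses and log lines are constructed.

```python
import re, statistics
from collections import Counter

# Constructed log lines (not real traffic): "<source ip> <method> <path> <status>".
BASELINE_LOG = [f"192.0.2.{h} GET /index.html 200" for h in range(1, 6) for _ in range(3 + h)]
OBSERVED_LOG = (
    [f"192.0.2.{h} GET /index.html 200" for h in range(1, 6) for _ in range(6)]
    + [f"198.51.100.50 GET /page?id={i} 404" for i in range(30)]
    + ["203.0.113.9 GET /static/../../config.ini 404",
       "203.0.113.9 GET /login?user=x'%20OR%201=1 200",
       "198.51.100.77 TRACE / 405"]
)

SIGNATURES = {  # Technique 1: patterns of known attack methods
    "directory traversal": re.compile(r"\.\./"),
    "SQL injection": re.compile(r"'(?:\s|%20)*or(?:\s|%20)+1=1", re.I),
}
ALLOWED_METHODS = {"GET", "POST", "HEAD"}  # Technique 3: rule base for acceptable traffic

def parse(line):
    src, method, path, status = line.split()
    return {"src": src, "method": method, "path": path, "status": status}

def profile(lines):
    """Technique 2: learn the normal requests-per-source distribution from a clean window."""
    counts = Counter(parse(l)["src"] for l in lines).values()
    return statistics.mean(counts), statistics.pstdev(counts)

def detect(lines, mean, sd, k=3.0):
    """Apply all three techniques to a window of log lines; return (source, reason) alerts."""
    records = [parse(l) for l in lines]
    alerts = []
    for r in records:
        for name, rx in SIGNATURES.items():
            if rx.search(r["path"]):
                alerts.append((r["src"], name))
        if r["method"] not in ALLOWED_METHODS:
            alerts.append((r["src"], f"disallowed method {r['method']}"))
    for src, n in Counter(r["src"] for r in records).items():
        if n > mean + k * sd:   # statistically far above the learned profile
            alerts.append((src, f"{n} requests exceeds profile"))
    return alerts

def demo():
    mean, sd = profile(BASELINE_LOG)
    return detect(OBSERVED_LOG, mean, sd)

if __name__ == "__main__":
    for src, reason in demo():
        print(f"ALERT {src}: {reason}")
```

The baseline hosts make 4 to 8 requests each, so the profile threshold lands near 10; the five normal hosts in the observed window stay under it while the one source making 30 requests is flagged without matching any signature.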
Detective Controls • Managerial Reports • COBIT • Specifies 34 IT-related control objectives • Provides: • Management guidelines • Key performance indicators
Detective Controls • Security Testing • Vulnerability scans use automated tools designed to identify whether a system possesses any well-known vulnerabilities. • Security websites such as the Center for Information Security (www.cisecurity.org) provide: • Benchmarks for security best practices. • Tools to measure how well a system conforms. • Penetration testing provides a way to test the effectiveness of an organization’s computer security
Corrective Controls • Two of the Trust Services framework criteria for effective security are the existence of procedures to: • React to system security breaches and other incidents. • Take corrective action on a timely basis.
Corrective Controls • Three key components that satisfy the preceding criteria are: • Establishment of a computer emergency response team. • Designation of a specific individual with organization-wide responsibility for security. • An organized patch management system.
Corrective Controls • The CERT should lead the organization’s incident response process through four steps: • Recognition that a problem exists • Containment of the problem • Recovery • Follow-up
Corrective Controls • Chief security officer (CSO): • Independent of other IS functions • Reports to either the COO or the CEO • Must understand the company’s technology environment • Promotes sound security policies and procedures • Disseminates information about fraud, errors, security breaches, improper system use, and the consequences of these actions • Works with the person in charge of building security • Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO’s security measures
Corrective Controls • Patch management is the process for regularly applying patches and updates to all of an organization’s software. • Challenges: • Patches can have unanticipated side effects that cause problems • May be many patches each year for each software program
Summary • We have: • Discussed how security affects systems reliability • Described the four criteria that can be used to evaluate the effectiveness of an organization’s information security • Defined the time-based model of security, as well as the concept of defense-in-depth • Described the types of preventive, detective, and corrective controls that are used to provide information security • Determined how encryption contributes to security and described how the two basic types of encryption systems work