


3. Fundamental Information Security Concepts
• Security as a management issue, not a technology issue
• The time-based model of security
• Defense in depth

4. Security as a Management Issue
• Management is responsible for the accuracy of the various internal reports and financial statements produced by the organization's IS.
  • SOX Section 302
  • SOX Section 404
• Security is a key component of internal control and systems reliability.
• Management's philosophy and operating style are critical to an effective control environment (COSO model).

5. Four Criteria for Implementing Principles of Systems Reliability
• Develop and document policies.
• Effectively communicate those policies to all authorized users.
• Design and employ appropriate control procedures to implement those policies.
• Monitor the system, and take corrective action to maintain compliance with the policies.

6. Time-Based Model of Security
• The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.
• All three types of controls are necessary:
  • Preventive
  • Detective
  • Corrective

7. Time-Based Model of Security
• The time-based model evaluates the effectiveness of an organization's security by measuring and comparing the relationship among three variables:
  • P = time it takes an attacker to break through the organization's preventive controls
  • D = time it takes to detect that an attack is in progress
  • C = time it takes to respond to the attack
• These three variables are evaluated as follows:
  • If P > (D + C), then security procedures are effective.
  • Otherwise, security is ineffective.

8. Time-Based Model of Security
• EXAMPLE: For an additional expenditure of $25,000, the company could take one of four measures:
  • Measure 1 would increase P by 5 minutes.
  • Measure 2 would decrease D by 3 minutes.
  • Measure 3 would decrease C by 5 minutes.
  • Measure 4 would increase P by 3 minutes and reduce C by 3 minutes.
• Since each measure has the same cost, which do you think would be the most cost-effective choice? (Hint: Your goal is to have P exceed (D + C) by the maximum possible amount.)

9. Defense in Depth
• Major types of preventive controls used for defense in depth include:
  • Authentication controls (passwords, tokens, biometrics, MAC addresses)
  • Authorization controls (access control matrices and compatibility tests)
  • Training
  • Physical access controls (locks, guards, biometric devices)
  • Remote access controls (IP packet filtering by border routers and firewalls using access control lists; intrusion prevention systems; authentication of dial-in users; wireless access controls)
  • Host and application hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account management, software design, e.g., to prevent buffer overflows)
  • Encryption

10. Preventive Controls
• Users can be authenticated by verifying:
  • Something they know, such as passwords or PINs.
  • Something they have, such as smart cards or ID badges.
  • Some physical characteristic (biometric identifier), such as fingerprints or voice.

11. Preventive Controls
• Password requirements:
  • Length
  • Multiple character types
  • Random
  • Secret

12. Preventive Controls
• Each authentication method has its limitations:
  • Passwords
  • Physical identification techniques
  • Biometric techniques

13. Preventive Controls
• Authorization controls are implemented by creating an access control matrix.
  • Specifies what part of the IS a user can access and what actions they are permitted to perform.

  14. Preventive Controls

15. Preventive Controls
• Authentication and authorization can also be applied to devices.
  • Network interface card (NIC)
  • Each network device has a unique identifier, referred to as its media access control (MAC) address.

16. Preventive Controls
• Training should include safe computing practices, such as:
  • Never open unsolicited email attachments.
  • Use only approved software.
  • Never share or reveal passwords.
  • Physically protect laptops.

17. Preventive Controls
• Control physical access:
  • There should be one regular entry point.
  • Emergency exits
  • A receptionist or security guard at the main entrance of the building

18. Preventive Controls
• Physical access to computer equipment:
  • Rooms should be securely locked.
  • All entries and exits should be monitored.
  • Multiple failed access attempts should trigger an alarm.
  • Rooms with servers holding highly sensitive data should supplement regular locks with:
    • Card readers;
    • Numeric keypads; or
    • Biometric devices.

19. Preventive Controls
• Access to wiring used in LANs must be restricted:
  • Cables and wiring should not be exposed.
  • Wall jacks not in use should be physically disconnected.
  • Wiring closets should be locked.
• Laptops, cell phones, and PDA devices require special attention.

20. Preventive Controls
• Perimeter Defense: Routers, Firewalls, and Intrusion Prevention Systems

21. Preventive Controls
• TCP/IP
  • Transmission Control Protocol (TCP) specifies the procedures for dividing files and documents into packets and for reassembling them at the destination.
  • Internet Protocol (IP) specifies the structure of the packets and how to route them to the proper destination.
    • Header: contains the packet's origin and destination addresses, as well as information about the type of data contained in the body.
    • Body.

22. Preventive Controls
• Routers read the destination address fields in packet headers to decide where to send the packet next.
• The current version of the IP protocol, IPv4, uses 32-bit addresses.
  • These consist of four 8-bit numbers separated by periods.
  • E.g., is translated into

23. Preventive Controls
• An access control list (ACL) determines which packets are allowed in and which are dropped.
• Static packet filtering screens individual packets based only on the contents of the source and/or destination fields in the packet header.
• An ACL will normally deny entry to packets with:
  • an illegal source address;
  • the organization's own IP address as the source address.
• Any packet not dropped is forwarded on to the firewall.

24. Preventive Controls
• Firewalls use more sophisticated techniques than border routers to filter packets.
• Most employ stateful packet filtering.
  • Static packet filtering examines each IP packet in isolation, whereas stateful packet filtering maintains a table that lists all established connections between the organization's computers and the Internet.
  • The firewall consults this table to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer.
  • This enables the firewall to reject specially crafted attack packets that would have passed a simple static packet filter.
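The two filtering layers of slides 23 and 24, as an added example that is not part of the slides: a static border-router ACL that judges each packet on its own header, followed by a stateful firewall that only admits inbound packets matching a connection an inside host opened. The internal block 192.0.2.0/24, the packet dictionaries and the "iface" field marking which side a packet arrived on are all assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

ORG_NET = ip_network("192.0.2.0/24")   # assumed internal block (documentation prefix)
# Slide 23 ACL: drop illegal sources and the organization's own addresses seen from outside.
DENIED_SOURCES = [ORG_NET, ip_network("127.0.0.0/8"), ip_network("0.0.0.0/8")]

def border_router_accepts(pkt):
    """Static packet filter: decides on this packet's header fields alone."""
    return not any(ip_address(pkt["src"]) in net for net in DENIED_SOURCES)

class StatefulFirewall:
    """Slide 24: remembers the connections that inside hosts initiated."""

    def __init__(self):
        self.connections = set()      # (src, sport, dst, dport) of outbound flows

    def accepts(self, pkt):
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["iface"] == "inside":  # request leaving the organization
            self.connections.add(flow)
            return True
        # Inbound packet: allowed only as the reverse of a recorded flow.
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return reverse in self.connections

def filter_chain(packets):
    """Run each packet through the router ACL, then the firewall; return verdicts."""
    fw, verdicts = StatefulFirewall(), []
    for pkt in packets:
        if pkt["iface"] == "outside" and not border_router_accepts(pkt):
            verdicts.append("dropped by router")
        elif fw.accepts(pkt):
            verdicts.append("allowed")
        else:
            verdicts.append("dropped by firewall")
    return verdicts

# Constructed traffic; 198.51.100.0/24 stands in for hosts on the Internet.
SAMPLE_PACKETS = [
    {"iface": "inside", "src": "192.0.2.10", "sport": 40000,
     "dst": "198.51.100.7", "dport": 443},   # internal host opens HTTPS
    {"iface": "outside", "src": "198.51.100.7", "sport": 443,
     "dst": "192.0.2.10", "dport": 40000},   # the server's reply: in the table
    {"iface": "outside", "src": "198.51.100.9", "sport": 443,
     "dst": "192.0.2.10", "dport": 40001},   # unsolicited, but looks like a reply
    {"iface": "outside", "src": "192.0.2.77", "sport": 1234,
     "dst": "192.0.2.10", "dport": 22},      # internal source address from outside
]
if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_chain(SAMPLE_PACKETS)):
        print(f"{pkt['src']:>14} -> {pkt['dst']:<12} {verdict}")
```

The third packet passes the static ACL, since nothing in its header is illegal, and is stopped only because no inside host ever opened that connection.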

25. Preventive Controls
• Intrusion prevention systems (IPS)
  • Designed to identify and drop packets that are part of an attack.
  • Techniques to identify undesirable packets:
    • Checking packet contents against a database of patterns (signatures) of known attack methods
    • Developing a profile of "normal" traffic and using statistical analysis to identify packets that don't fit the profile
    • Using rule bases that specify acceptable standards for specific types of traffic and dropping packets that don't conform

26. Preventive Controls
• Internal firewalls

27. Preventive Controls
• Wireless access points should be located in the DMZ.

28. Preventive Controls
• Wireless Access Security Procedures:
  • Turn on available security procedures.
  • Authenticate all devices attempting to establish access.
  • Configure all authorized wireless NICs to operate only in infrastructure mode.
  • Turn off SSID broadcasting.
  • Predefine a list of authorized MAC addresses and only accept connections from those MAC addresses.
  • Reduce the broadcast strength of wireless access points.
  • Locate wireless access points in the interior of the building and use directional antennae.

29. Preventive Controls
• Host Configuration
  • Default configurations of most devices typically turn on a large number of optional settings that are seldom, if ever, used.
  • Default installations of many operating systems turn on many special-purpose programs, called services, which are not essential.

30. Preventive Controls
• Managing User Accounts and Privileges
  • Users with administrative rights should be assigned two accounts:
    • One with administrative rights
    • One with limited privileges
  • Log in under the limited account to perform routine duties.

31. Preventive Controls
• Software Design
  • Controls are also needed over in-house development and modification of programs, because poorly written code can be exploited to give attackers administrative privileges.
  • The primary weakness involves failing to adequately screen input data.
  • The most common input-related vulnerability is a buffer overflow attack:
    • The attacker sends a program more data than it can handle.
    • This may cause the system to crash or provide a command prompt, giving the attacker full administrative privileges and control.

32. Preventive Controls
• Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.
• Decryption reverses this process.
[Figure: Plaintext ("This is a contract for . . .") + Key -> Encryption Algorithm -> Ciphertext ("Xb&j &m 2 ep0%fg . . .") + Key -> Decryption Algorithm -> Plaintext ("This is a contract for . . .")]

33. Preventive Controls
• Encryption Strength depends on:
  • Key length
  • Key management policies
  • The nature of the encryption algorithm

34. Preventive Controls
• Symmetric Encryption Systems
  • Use the same key to encrypt and decrypt.
  • Advantages:
    • Faster than asymmetric encryption
  • Disadvantages:
    • Both parties need to know the secret key.
    • A different key needs to be created for each party with whom the entity engages in encrypted transactions.

35. Preventive Controls
• Asymmetric Encryption Systems
  • Use two keys:
    • Public key
    • Private key
  • Advantages:
    • Any text encrypted with the public key can only be decrypted using the private key.
    • The public key can be distributed by email or posted on a website.
    • Any number of parties can use the same public key to send messages.
  • Disadvantage:
    • Slow

36. Preventive Controls
• Hashing
  • Takes plaintext of any length and transforms it into a short code.
  • Different from encryption:
    • Encryption always produces ciphertext similar in length to the plaintext; hashing produces a hash of a fixed, short length.
    • Encryption is reversible; hashing is not.

37. Preventive Controls
• Digital Signatures
  • Information encrypted with the creator's private key
  • Can only be decrypted using the corresponding public key
  • Private key is known only to its owner
• Digital Certificate
  • Electronic document created and digitally signed by a trusted third party.
  • Certifies the identity of the owner of a particular public key.
  • Contains that party's public key.

38. Preventive Controls
• Public key infrastructure (PKI)
  • The system and processes used to issue and manage asymmetric keys and digital certificates.
• Certificate authority
  • An organization that issues public and private keys and records the public key in a digital certificate.
  • Hashes the information stored on a digital certificate.
  • Encrypts that hash with its private key.
  • Appends that digital signature to the digital certificate.
  • This provides a means for validating the authenticity of the certificate.
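The hash, signature and certificate steps of slides 36 through 38 carried through in code, as an added example rather than anything from the slides: the CA hashes the certificate body, "encrypts" the hash with its private key, appends the result, and a relying party reverses the step with the CA's public key. Textbook RSA with two Mersenne primes stands in for a real signature scheme, the "Toy CA" name and the JSON certificate body are constructed, and the owner's public key is a placeholder string.

```python
import hashlib
import json

# Constructed CA key pair.  Textbook RSA with two Mersenne primes so the
# arithmetic stays visible; nothing here is a real-world key size or format.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent
CA_PUBLIC_KEY, CA_PRIVATE_KEY = (N, E), (N, D)

def digest(data: bytes) -> int:
    """Slide 36: input of any length becomes a fixed-size code (reduced mod N here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes, private_key) -> int:
    """Slides 37-38: the hash is 'encrypted' with the signer's private key."""
    n, d = private_key
    return pow(digest(data), d, n)

def verify(data: bytes, signature: int, public_key) -> bool:
    """Recover the hash with the public key and compare it to a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(data)

def issue_certificate(owner: str, owner_public_key: str) -> dict:
    """Slide 38: the CA hashes the certificate body, signs it, appends the signature."""
    body = {"owner": owner, "public_key": owner_public_key, "issuer": "Toy CA"}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signature": sign(encoded, CA_PRIVATE_KEY)}

def certificate_is_authentic(cert: dict) -> bool:
    """A relying party checks the CA's signature before trusting the public key."""
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(encoded, cert["signature"], CA_PUBLIC_KEY)

if __name__ == "__main__":
    cert = issue_certificate("alice@example.test", "<constructed owner public key>")
    print("genuine certificate verifies:", certificate_is_authentic(cert))
    # Altering any field changes the hash, so the CA's signature no longer matches.
    forged = {"body": dict(cert["body"], owner="mallory@example.test"),
              "signature": cert["signature"]}
    print("tampered certificate verifies:", certificate_is_authentic(forged))
```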

39. Preventive Controls
• Effects of Encryption on Other Layers of Defense
  • Protects the confidentiality and privacy of the transmission and provides for authentication and non-repudiation of transactions.
  • A firewall cannot effectively inspect encrypted packets.
  • Anti-virus and intrusion detection systems also have difficulty dealing with encrypted packets.

40. Detective Controls
• Actual system use must be examined to assess compliance through:
  • Log analysis
  • Intrusion detection systems
  • Managerial reports
  • Periodically testing the effectiveness of existing security procedures

41. Detective Controls
• Log Analysis
  • The process of examining logs to monitor security.
  • Logs form an audit trail of system access.

42. Detective Controls
• Intrusion Detection Systems
  • Represent an attempt to automate part of the monitoring.
  • Create a log of network traffic that was permitted to pass the firewall.
  • Analyze the logs for signs of attempted or successful intrusions.
    • E.g., compare logs to a database containing patterns of traffic associated with known attacks.
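The three identification techniques listed on slide 25, run over the kind of permitted-traffic log slide 42 describes, as an added example that is not from the slides: a signature database (its one entry modelled on the oversized input of slide 31), a rule base of acceptable request methods, and a statistical profile of normal per-source request rates. The log format, the baseline figures and every address in the log are constructed for the example.

```python
import re
from collections import Counter

LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) req="(?P<method>[A-Z]+) (?P<path>[^"]*)"$')

# Technique 1 (slide 25): a signature database of known attack patterns.  The single
# entry is modelled on slide 31: far more input than any field should ever carry.
SIGNATURES = {"oversized-request": re.compile(r"^.{512,}$")}
# Technique 2: a rule base of acceptable standards for this traffic type.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
# Technique 3: a profile of normal traffic (constructed baseline of requests per
# source per minute) used for statistical outlier detection.
BASELINE_MEAN, BASELINE_STDEV, Z_THRESHOLD = 2.0, 1.0, 3.0

def parse(line):
    """Split one log line into its fields; None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines):
    """Return alerts as (technique, source, detail) tuples."""
    alerts, per_source = [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        per_source[rec["src"]] += 1
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append(("signature", rec["src"], name))
        if rec["method"] not in ALLOWED_METHODS:
            alerts.append(("rule", rec["src"], f"method {rec['method']} not permitted"))
    for src, count in per_source.items():
        z = (count - BASELINE_MEAN) / BASELINE_STDEV
        if z > Z_THRESHOLD:
            alerts.append(("profile", src, f"{count} requests/min, z={z:.1f}"))
    return alerts

# Constructed log of traffic the firewall permitted (slide 42), one request per line.
LOG_LINES = [
    '2024-03-01T09:00:01 src=198.51.100.7 req="GET /index.html"',
    '2024-03-01T09:00:02 src=198.51.100.7 req="GET /about"',
    '2024-03-01T09:00:03 src=203.0.113.5 req="TRACE /"',
    '2024-03-01T09:00:04 src=203.0.113.9 req="GET /' + "A" * 600 + '"',
] + [f'2024-03-01T09:00:{s:02d} src=198.51.100.9 req="GET /login"' for s in range(5, 25)]

if __name__ == "__main__":
    for alert in analyze(LOG_LINES):
        print(*alert)
```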

43. Detective Controls
• Managerial Reports
  • COBIT
    • Specifies 34 IT-related control objectives
    • Provides:
      • Management guidelines
      • Key performance indicators

44. Detective Controls
• Security Testing
  • Vulnerability scans use automated tools designed to identify whether a system possesses any well-known vulnerabilities.
  • Security websites such as the Center for Information Security ( provide:
    • Benchmarks for security best practices.
    • Tools to measure how well a system conforms.
  • Penetration testing provides a way to test the effectiveness of an organization's computer security.

45. Corrective Controls
• Two of the Trust Services framework criteria for effective security are the existence of procedures to:
  • React to system security breaches and other incidents.
  • Take corrective action on a timely basis.

46. Corrective Controls
• Three key components that satisfy the preceding criteria are:
  • Establishment of a computer emergency response team (CERT).
  • Designation of a specific individual with organization-wide responsibility for security.
  • An organized patch management system.

47. Corrective Controls
• The CERT should lead the organization's incident response process through four steps:
  • Recognition that a problem exists
  • Containment of the problem
  • Recovery
  • Follow-up

48. Corrective Controls
• Chief security officer (CSO):
  • Independent of other IS functions
  • Reports to either the COO or the CEO
  • Must understand the company's technology environment
  • Promotes sound security policies and procedures
  • Disseminates information about fraud, errors, security breaches, improper system use, and the consequences of these actions
  • Works with the person in charge of building security
  • Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO's security measures

49. Corrective Controls
• Patch management is the process for regularly applying patches and updates to all of an organization's software.
• Challenges:
  • Patches can have unanticipated side effects that cause problems.
  • There may be many patches each year for each software program.

50. Summary
• We have:
  • Discussed how security affects systems reliability
  • Described the four criteria that can be used to evaluate the effectiveness of an organization's information security
  • Defined the time-based model of security, as well as the concept of defense-in-depth
  • Described the types of preventive, detective, and corrective controls that are used to provide information security
  • Determined how encryption contributes to security and described how the two basic types of encryption systems work
