romney_ch07.ppt

Academic year: 2020


(1)

CHAPTER 7

Information Systems Controls for Systems Reliability

(2)

INTRODUCTION

• Questions to be addressed in this chapter:

– How does security affect systems reliability?
– What are the four criteria that can be used to evaluate the effectiveness of an organization’s information security?
– What is the time-based model of security and the concept of defense-in-depth?
– What types of preventive, detective, and corrective controls are used to provide information security?
– How does encryption contribute to security and how

(3)

INTRODUCTION

• One basic function of an AIS is to provide information useful for decision making. In order to be useful, the information must be reliable, which means:

– It provides an accurate, complete, and timely picture of the organization’s activities.
– It is available when needed.
– The information and the system that produces it are protected from loss, compromise, and

(4)

INTRODUCTION

• The five basic principles that contribute to systems reliability (in the figure, security is the foundation on which the other four rest):

– Security
– Confidentiality
– Privacy: personal information about customers collected through e-commerce is collected, used,
– Processing integrity: data is processed accurately, completely, and in a timely manner.
– Availability: the system is available to meet operational and contractual

(10)

INTRODUCTION

• Note the importance of security in this picture. It is the foundation of systems reliability. Security procedures:

– Restrict system access to only authorized users and protect:
  • The confidentiality of sensitive organizational data.
  • The privacy of personal identifying information collected from customers.

(11)

INTRODUCTION

• Security procedures also:

– Provide for processing integrity by preventing:
  • Submission of unauthorized or fictitious transactions.
  • Unauthorized changes to stored data or programs.
– Protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.

(12)

INTRODUCTION

• This chapter provides a broad introduction to the topic of information systems security.

• Anyone interested in a career in information systems security would need to undertake additional detailed study.

(13)

INTRODUCTION

• The press carries many stories about information security incidents including:

– Denial of service attacks
– Fraud
– Loss of trade secrets
– Identity theft

• Accountants and IS professionals need to understand basic principles of information

(14)

COBIT and Trust Services

• Control Objectives for Information and Related Technology (COBIT)

• Information systems controls required for achieving business and governance objectives

(15)

COBIT and Trust Services

• COBIT IT resources:

– Applications

(16)

COBIT and Trust Services

• COBIT information criteria:

– Effectiveness
– Efficiency
– Confidentiality
– Integrity

(17)

COBIT and Trust Services

• COBIT domains:

– Basic management activities for IT

(18)
(19)
(20)
(21)
(22)
(23)
(24)
(25)
(26)

FUNDAMENTAL INFORMATION

SECURITY CONCEPTS

• There are three fundamental information security concepts that will be discussed in this chapter:

– Security as a management issue, not a technology issue.


(28)

SECURITY AS A MANAGEMENT ISSUE

• Though information security is a complex technical subject, security is first and

(29)

SECURITY AS A MANAGEMENT ISSUE

• Management is responsible for the accuracy of various internal reports and financial statements produced by the organization’s IS.

– SOX Section 302 requires that the CEO and CFO certify the accuracy of the financial statements.
– SOX Section 404 requires that the annual report include a report on the company’s internal controls. Within this report, management acknowledges their responsibility for designing and maintaining internal controls and assessing their effectiveness.
– Security is a key component of the internal control and systems reliability to which management must attest.

(30)

SECURITY AS A MANAGEMENT ISSUE

• The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability:

– Develop and document policies.
– Effectively communicate those policies to all authorized users.
– Design and employ appropriate control procedures to implement those policies.
– Monitor the system, and take corrective action to maintain compliance with the policies.

• Top management involvement and support is necessary to satisfy each of the preceding

(31)

SECURITY AS A MANAGEMENT ISSUE


• COBIT section PO 6 identifies the CIO as responsible for ensuring that information policies and controls are

(32)

SECURITY AS A MANAGEMENT ISSUE

Policy development

– It’s more exciting to react to security issues than to prevent them.
– However, it is important to develop a comprehensive set of security policies before designing and implementing specific control procedures.
– Doing so helps ensure that the security products you ultimately purchase protect each IS resource.
– Developing a comprehensive set of security policies begins with taking an inventory of information systems resources, including:

(33)

SECURITY AS A MANAGEMENT ISSUE

• Once the resources have been identified, they need to be valued in order to select the most cost-effective control procedures.

– Not easy, particularly in valuing information itself.
– Management at the highest level needs to be involved because they have a broader understanding of the


(35)

SECURITY AS A MANAGEMENT ISSUE

Effective communication of policies

– Security policies must be communicated to and understood by employees, customers, suppliers, and other authorized users.
– Needs to be more than having people sign off that they’ve received and read a written document.
– Employees should have regular reminders about security policies and training in how to comply.
– Training and communication will only be taken seriously if management provides active support and involvement.
– Sanctions must also be associated with these


(37)

SECURITY AS A MANAGEMENT ISSUE

Design and employ appropriate control procedures

– Control frameworks such as COBIT and Trust Services identify a variety of specific control procedures and tools that can be used to mitigate various security threats.
– Options differ in terms of cost and effectiveness.
– Determining the optimal level of investment in security involves evaluating cost-benefit trade-offs.
– Systems personnel have knowledge about the technical merits of each alternative, as well as the risk of various threats.
– Management insight is needed in identifying potential costs and ensuring that all relevant organizational factors are considered.
– COBIT stresses that the CEO and CFO are accountable for


(39)

SECURITY AS A MANAGEMENT ISSUE

Monitor and take remedial action

– Security is a moving target.
– Technology advances create new threats and alter the risks associated with existing threats.
– Effective control involves a continuous cycle of:
  • Developing policies to address identified threats;
  • Communicating those policies to all employees;
  • Implementing specific control procedures to mitigate risk;
  • Monitoring performance; and

(40)

SECURITY AS A MANAGEMENT ISSUE

• Corrective actions often involve the modification of existing policies, and the cycle starts all over.

• Senior management must be involved to ensure

(41)

FUNDAMENTAL INFORMATION

SECURITY CONCEPTS

• There are three fundamental information security concepts that will be discussed in this chapter:

– Security is a management issue, not a technology issue.
– The time-based model of security.

(42)

TIME-BASED MODEL OF SECURITY

• Given enough time and resources, any preventive control can be circumvented.

• Consequently, effective control requires supplementing preventive procedures with:

– Methods for detecting incidents; and
– Procedures for taking corrective remedial action.

• Detection and correction must be timely, especially for information security, because once preventive controls have been breached, it takes little time to destroy, compromise, or steal the

(43)

TIME-BASED MODEL OF SECURITY

• The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.

• All three types of controls are necessary:

– Preventive
– Detective: identify when preventive controls
– Corrective: repair damage from problems that have occurred.

(46)

TIME-BASED MODEL OF SECURITY

• The time-based model evaluates the effectiveness of an organization’s security by measuring and comparing the relationship among three variables:

– P = Time it takes an attacker to break through the organization’s preventive controls.
– D = Time it takes to detect that an attack is in progress.
– C = Time to respond to the attack.

• These three variables are evaluated as follows: the controls are effective when P > D + C, i.e., the attack is detected and stopped before the preventive controls are fully defeated (this is the goal stated in the hint on slide 48).

(47)

TIME-BASED MODEL OF SECURITY

• The model provides management with a means to identify the most cost-effective approach to improving security by comparing the effects of additional

(48)

TIME-BASED MODEL OF SECURITY

• EXAMPLE: For an additional expenditure of $25,000, the company could take one of four measures:

– Measure 1 would increase P by 5 minutes.
– Measure 2 would decrease D by 3 minutes.
– Measure 3 would decrease C by 5 minutes.
– Measure 4 would increase P by 3 minutes and reduce C by 3 minutes.

• Because each measure has the same cost, which do you think would be the most cost-effective choice? (Hint: Your goal is to have P exceed [D + C] by the maximum possible

(49)

TIME-BASED MODEL OF SECURITY

• You may be able to solve this problem by eyeballing it. If not, one way to solve it is to assume some initial values for P, D, and C.

• So let’s assume that P = 15 min., D = 5 min., and C = 8 min.

• At our starting point, P – (D + C) = 15 – (5 + 8) = 2 min.

• With Measure 1, P is increased by 5 minutes:
– 20 – (5 + 8) = 7 min.

• With Measure 2, D is decreased by 3 minutes:
– 15 – (2 + 8) = 5 min.

• With Measure 3, C is decreased by 5 min.:
– 15 – (5 + 3) = 7 min.

• With Measure 4, P is increased by 3 minutes and C is reduced by 3 min.:
– 18 – (5 + 5) = 8 min.

• The most cost-effective choice would therefore be Measure 4, because for the same money, it
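The worked example above can be generalized. The following Python is an added illustration (not part of the slides): it applies any list of equally priced candidate measures to a baseline (P, D, C), ranks them by how much they widen P – (D + C), and makes explicit a point the slide only hints at: because each measure shifts the margin by a fixed number of minutes, the ranking is the same whatever baseline you assume. The four measures are those from the slide; the baseline values are the slide's assumed 15, 5 and 8 minutes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Measure:
    """A candidate security investment, expressed as the minutes it adds to P
    and the minutes it removes from D and C."""
    name: str
    add_p: float = 0.0   # minutes added to P (time to defeat preventive controls)
    cut_d: float = 0.0   # minutes removed from D (time to detect the attack)
    cut_c: float = 0.0   # minutes removed from C (time to respond)

    @property
    def margin_gain(self) -> float:
        # Each measure shifts P - (D + C) by a fixed amount, so the ranking
        # does not depend on the baseline assumed for P, D and C.
        return self.add_p + self.cut_d + self.cut_c


def margin(p: float, d: float, c: float) -> float:
    """P - (D + C): positive means the attack is detected and stopped
    before the preventive controls are fully defeated."""
    return p - (d + c)


def is_effective(p: float, d: float, c: float) -> bool:
    """The time-based model's acceptance test: P > D + C."""
    return margin(p, d, c) > 0


def evaluate_measures(p: float, d: float, c: float, measures) -> dict:
    """New margin for each measure applied to the baseline (p, d, c)."""
    return {m.name: margin(p + m.add_p, d - m.cut_d, c - m.cut_c) for m in measures}


def best_measure(measures) -> Measure:
    """Among equally priced measures, the one that widens P - (D + C) the most."""
    return max(measures, key=lambda m: m.margin_gain)


# The four options from the slide (same cost, $25,000 each).
SLIDE_MEASURES = [
    Measure("Measure 1", add_p=5),
    Measure("Measure 2", cut_d=3),
    Measure("Measure 3", cut_c=5),
    Measure("Measure 4", add_p=3, cut_c=3),
]

if __name__ == "__main__":
    # Baseline from the slide: P = 15, D = 5, C = 8 (margin 2 minutes).
    print(evaluate_measures(15, 5, 8, SLIDE_MEASURES))
    print("best:", best_measure(SLIDE_MEASURES).name)
```

The same ranking comes out for any baseline you try, which is why the slide says the problem can be solved by eyeballing: you only need to compare the per-measure gains (5, 3, 5 and 6 minutes).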

(50)

FUNDAMENTAL INFORMATION

SECURITY CONCEPTS

• There are three fundamental information

security concepts that will be discussed in

this chapter:

– Security is a management issue, not a

technology issue.

– The time-based model of security.

(51)

DEFENSE IN DEPTH

• The idea of defense-in-depth is to employ multiple layers of controls to avoid having a single point of failure.

• If one layer fails, another may function as planned.

• Information security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access.

(52)

DEFENSE IN DEPTH

• Major types of preventive controls used for defense in depth include:

– Authentication controls (passwords, tokens, biometrics, MAC addresses)
– Authorization controls (access control matrices and compatibility tests)
– Training
– Physical access controls (locks, guards, biometric devices)
– Remote access controls (IP packet filtering by border routers and firewalls using access control lists; intrusion prevention systems; authentication of dial-in users; wireless access controls)
– Host and application hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account

(53)

DEFENSE IN DEPTH

• Detective controls include:

– Log analysis

– Intrusion detection systems

– Managerial reports

(54)

DEFENSE IN DEPTH

• Corrective controls include:

– Computer emergency response teams

– Chief Security Officer (CSO)

(55)

Understanding Targeted Attacks

• How are they done?

– Reconnaissance: collecting information to identify potential vulnerabilities.
– Social Engineering: tricking unsuspecting employees into allowing access to the system.
– Scan and Map: detailed scan of the system to identify potential points of remote entry.
– Research: researching vulnerabilities of software identified during the scan.
– Attack Execution
– Cover Tracks


(57)

PREVENTIVE CONTROLS

• The objective of preventive controls is to prevent security incidents from happening.

• Involves two related functions:

– Authentication
  • Focuses on verifying the identity of the person or device attempting to gain access.
– Authorization

(58)

PREVENTIVE CONTROLS

• Users can be authenticated by verifying:

– Something they know, such as passwords or PINs.
– Something they have, such as smart cards or ID badges.

(59)

PREVENTIVE CONTROLS

• Passwords are probably the most commonly used authentication method and also the most controversial.

– An effective password must satisfy a number of requirements:

  • Length: longer is better.
  • Multiple character types.
  • Random: passwords should not be words found in the dictionary or dictionary words preceded or followed by a number such as 4dog or dog4. They should not be related to the employee’s personal interests or hobbies, because special-purpose, password-cracking dictionaries can be found on the Internet containing the most
  • Secret: the most important requirement.

(63)

PREVENTIVE CONTROLS

• A password that meets the preceding criteria is typically difficult to memorize, a problem exacerbated by the typical requirement that the password be changed every 90 days.

• So most people either:

– Select passwords that can be easily guessed but can be memorized; or
– Select passwords that meet the criteria for a strong password but write them down.
– When the password is written down, it changes from something the employee knows to something the

(64)

PREVENTIVE CONTROLS

• As a result of this dilemma, some security experts argue for abandoning the quest to develop and use strong passwords.

– They note that a major component of help desk costs is associated with resetting passwords.
– They suggest reliance on dual-factor authentication methods, such as a

(65)

PREVENTIVE CONTROLS

• Other experts disagree.

– They note that operating systems can now accommodate passwords longer than 15 characters.
– So users can create strong but easy-to-remember passphrases like: Idlike2binParis.
– Long passphrases dramatically increase the effort required to crack them by guessing.
– So this group argues that longer length, coupled with the fact that it is easier to remember a long passphrase than a strong password, should

(66)

PREVENTIVE CONTROLS

• Each authentication method has its limitations.

– Passwords
– Physical identification techniques: include cards, badges, and USB devices.
– Biometric techniques:
  • Expensive and often cumbersome.
  • Not yet 100% accurate, sometimes rejecting legitimate users and allowing unauthorized people.
  • Some techniques like fingerprints may carry negative connotations that hinder acceptance.
  • Security concerns surround the storage of this data.
  • If the data is compromised, it could create serious, life-long problems for the donor.

(69)

PREVENTIVE CONTROLS

• Although none of the three basic authentication methods is foolproof by itself, the use of two or three in conjunction, known as multi-factor authentication, is quite effective.

(70)

PREVENTIVE CONTROLS

• Authorization controls are implemented by creating an access control matrix.

– Specifies what part of the IS a user can access and what actions they are permitted to perform.
– When an employee tries to access a particular resource, the system performs a

(71)

PREVENTIVE CONTROLS

• Using the access control matrix below: Who has the authority to delete Program 2? Which files can user 12354 access? Which programs can user 12354 access? (Column labels follow the questions on the slides: A–C are files, 1–4 are programs.)

Code Number | Password | File A | File B | File C | Program 1 | Program 2 | Program 3 | Program 4
12345       | ABC      |   0    |   0    |   1    |     0     |     0     |     0     |     0
12346       | DEF      |   0    |   2    |   0    |     0     |     0     |     0     |     0
12354       | KLM      |   1    |   1    |   1    |     0     |     0     |     0     |     0
12359       | NOP      |   3    |   0    |   0    |     0     |     0     |     0     |     0
12389       | RST      |   0    |   1    |   0    |     0     |     3     |     0     |     0
12567       | XYZ      |   1    |   1    |   1    |     1     |     1     |     1     |     1

Codes for type of access: 0 = No access permitted; 1 = Read and display only; 2 = Read, display, and update; 3 = Read, display, update, create, and delete.
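As an added example (not from the slides), the matrix above encoded in Python together with the compatibility test the system performs on each access request, and two queries that answer the slide's questions directly from the data. The resource names and the cumulative reading of the access codes (a 3 implies everything a 1 or 2 allows) are assumptions drawn from the code legend; the passwords are left out because they belong to authentication, not authorization.

```python
from enum import IntEnum


class Access(IntEnum):
    """Access codes from the slide's legend."""
    NONE = 0    # no access permitted
    READ = 1    # read and display only
    UPDATE = 2  # read, display, and update
    FULL = 3    # read, display, update, create, and delete


# Minimum code each action needs (assumption: codes are cumulative, as the legend reads).
REQUIRED = {
    "read": Access.READ,
    "display": Access.READ,
    "update": Access.UPDATE,
    "create": Access.FULL,
    "delete": Access.FULL,
}

# Column order of the slide: files A-C, then programs 1-4.
RESOURCES = ["file A", "file B", "file C", "program 1", "program 2", "program 3", "program 4"]

# The matrix exactly as printed on the slide.
MATRIX = {
    12345: [0, 0, 1, 0, 0, 0, 0],
    12346: [0, 2, 0, 0, 0, 0, 0],
    12354: [1, 1, 1, 0, 0, 0, 0],
    12359: [3, 0, 0, 0, 0, 0, 0],
    12389: [0, 1, 0, 0, 3, 0, 0],
    12567: [1, 1, 1, 1, 1, 1, 1],
}


def granted(code: int, resource: str) -> Access:
    """Access level of a user code for a resource; unknown users get NONE."""
    row = MATRIX.get(code)
    if row is None:
        return Access.NONE
    return Access(row[RESOURCES.index(resource)])


def compatibility_test(code: int, resource: str, action: str) -> bool:
    """The check run when a user tries to act on a resource: is the user's
    access code high enough for the requested action? Default is deny."""
    return granted(code, resource) >= REQUIRED[action]


def who_can(resource: str, action: str) -> list:
    """All user codes whose entry permits the action ("who can delete Program 2?")."""
    return [c for c in MATRIX if compatibility_test(c, resource, action)]


def accessible(code: int, kind: str) -> dict:
    """Resources of one kind ("file" or "program") the user can at least read,
    with the level granted ("which files / programs can 12354 access?")."""
    return {r: granted(code, r) for r in RESOURCES
            if r.startswith(kind) and granted(code, r) >= Access.READ}


if __name__ == "__main__":
    print("can delete program 2:", who_can("program 2", "delete"))
    print("files for 12354:", accessible(12354, "file"))
    print("programs for 12354:", accessible(12354, "program"))
```

Note that user 12567 can read every file and program but cannot delete any of them: a read code does not satisfy a delete request, which is the whole point of the compatibility test.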

(74)

PREVENTIVE CONTROLS

(75)

PREVENTIVE CONTROLS

• Authentication and authorization can be applied to devices as well as users.

– Every workstation, printer, or other computing device needs a network interface card (NIC) to connect to the organization’s network.
– Each network device has a unique identifier, referred to as its media access control (MAC) address.
– It is possible to restrict network access to only those devices which have a recognized MAC address or to use MAC addresses for authorization.
  • Caveat: the operating system can override the address burned into most NICs, and an attacker can copy a MAC address seen on the network, so MAC filtering is a weak control on its own and should be layered with the user authentication described above.
– For example, payroll or EFT applications should be set only to run from authorized terminals.

(76)

PREVENTIVE CONTROLS

• These are the multiple layers of preventive controls that reflect the defense-in-depth approach to satisfying the constraints of the time-based

(77)

PREVENTIVE CONTROLS

Training

– The first layer of

(78)

PREVENTIVE CONTROLS

• People play a critical role in information security.

• The effectiveness of specific control procedures depends on how well employees understand and follow the organization’s security policies.

• Employees should be taught why security measures are important to the

(79)

PREVENTIVE CONTROLS

• Employees should be trained to follow

safe computing practices, such as:

– Never open unsolicited email attachments.

– Use only approved software.

– Never share or reveal passwords.

(80)

PREVENTIVE CONTROLS

• Train employees about social engineering attacks, which use deception to obtain unauthorized access.

– Do not divulge passwords or other info about their accounts or workstation configuration to anyone who contacts them by phone, email, or IM, even if they claim to be part of systems security staff.
– Do not allow other people (employees or outsiders) to follow them through restricted-access entrances.
  • This type of piggybacking can take place at main entrances and at internal locked doors.
  • Often succeeds because people feel it is rude not to let the other person come through with them.

(81)

PREVENTIVE CONTROLS

• It is also important to invest in continuing professional education for information security specialists.

– New technology developments create new security threats and make old solutions obsolete.

(82)

PREVENTIVE CONTROLS

• It is also useful to keep abreast of recent hacking developments.

– “White hat” organizations monitor hacker activities and publish findings on the Web.
  • How the activities are perpetrated.

(83)

PREVENTIVE CONTROLS

– Underground journals, books, and cracker Websites provide information on how to break into systems, including how to:
  • Breach a server
  • Generate virus code
  • Hide your identity

(84)

PREVENTIVE CONTROLS

• Top management must also provide support for

training.

– Providing funding

– Demonstrating that they support employees who follow prescribed security policies.

• Especially important for combating social engineering attacks.

– Enforcing consequences against employees who willfully violate security policies.

• Sends strong message to other employees.

(85)

PREVENTIVE CONTROLS

Controlling Physical Access

– Physical access controls are the second layer of

(86)

PREVENTIVE CONTROLS

• Within a few minutes, a skilled attacker with unsupervised direct physical access to the system can successfully obtain access to sensitive data.

– Special boot disks exist that, when inserted, provide the person with unfettered privileges and rights on the computer.
– Keystroke loggers can be installed on the PC through hardware or software, which will capture every one of the authorized user’s keystrokes, including his ID and password.
– A diskette with a publicly available utility can be inserted in a PC which will instantly capture any ID number or password that has been entered on that PC since the time it was last booted.

(87)

PREVENTIVE CONTROLS

• Physical access control begins with entry points to the building itself.

– There should be one regular entry point, unlocked during normal office hours.
– Fire codes require emergency exits.
  • These should not permit entry from outside.
  • Should be connected to an alarm that is triggered if someone leaves through the exit.
– A receptionist or security guard should be stationed at the main entrance of the building to:
  • Verify the identity of employees.

(88)

PREVENTIVE CONTROLS

• Once inside the building, physical access to rooms housing computer equipment must be restricted.

– Rooms should be securely locked.
– All entries and exits should be monitored by closed-circuit TV.
– Multiple failed access attempts should trigger an alarm.
– Rooms with servers with highly sensitive data should supplement regular locks with:
  • Card readers;

(89)

PREVENTIVE CONTROLS

• Access to wiring used in LANs must be restricted to prevent wiretapping.

– Cables and wiring should not be exposed in areas accessible to casual visitors.
– Wall jacks not in use should be physically disconnected from the network.
– Wiring closets should be securely locked.
  • If shared with other tenants of a building, the

(90)

PREVENTIVE CONTROLS

• Physical access security must be cost effective.

– Requires top management involvement to ensure resources are properly valued and that the access controls are appropriate for that

(91)

PREVENTIVE CONTROLS

• Laptops, cell phones, and PDA devices require special attention.

– Laptop theft is a major problem, and the major cost is not the price of the laptop but the loss of the confidential information and the costs of notifying those affected.
– To deal with laptop theft, employees should be trained to always lock their laptops to an immovable object, even while in the office.

(92)

PREVENTIVE CONTROLS

– Because theft is always possible, confidential or sensitive data should be encrypted during storage to minimize the likelihood that a thief can access it.
– Some organizations install special software on

(93)

PREVENTIVE CONTROLS

• Cell phones and PDAs increasingly store confidential information and need the same types of controls used for laptops.

• Access to network printers should also be

(94)

PREVENTIVE CONTROLS

Controlling Remote Access

– The third layer of defense is control of

(95)

PREVENTIVE CONTROLS

Perimeter Defense: Routers, Firewalls, and Intrusion Prevention Systems

This figure shows the relationship between an organization’s information system and the Internet. A device called a border router

(96)

PREVENTIVE CONTROLS

Behind the border router is the main firewall, either a special-purpose hardware device or software running on a

(97)

PREVENTIVE CONTROLS

Web servers and email servers are placed in a separate network called the demilitarized zone (DMZ), because it sits outside the corporate

(98)

PREVENTIVE CONTROLS

Together, the border router and firewall control which information is allowed to enter and leave the organization’s information system. To understand how they function, we first need to discuss how information is

(99)

PREVENTIVE CONTROLS

• Information traverses the Internet and internal networks in the form of packets.

– Documents and files that you send to a printer or to a colleague are first divided into packets.
– The packets are sent over the LAN and maybe the Internet to their destination.
– The device receiving the packets must

(100)

PREVENTIVE CONTROLS

• This process is governed by TCP/IP, two protocols for transmitting information over the Internet.

– Transmission Control Protocol (TCP) specifies the procedures for dividing files and documents into packets and for reassembly at the destination.

(101)

PREVENTIVE CONTROLS

• The structure of IP packets facilitates their efficient transmission over the Internet.

– Every IP packet consists of two parts:
  • Header: contains the packet’s origin and destination addresses, as well as info about the type of data contained in the body.
  • Body.

(102)

PREVENTIVE CONTROLS

• Special purpose devices called routers read the destination address fields in packet headers to decide where to send (route) the packet next.

– The version of the IP protocol described here, IPv4, uses 32-bit long addresses (its successor, IPv6, uses 128-bit addresses).
  • Consist of four 8-bit numbers separated by periods.
– When users type a URL in their browser, e.g.,

(103)

PREVENTIVE CONTROLS

– An organization’s border router checks the contents of the destination address field of every packet it receives.
  • If the address is not that of the organization, the packet is forwarded to another router on the Internet.
  • If the destination address matches the

(104)

PREVENTIVE CONTROLS

• A set of rules called an access control list (ACL) determines which packets are allowed in and which are dropped.

– Border routers typically perform static packet filtering, which screens individual packets based only on the contents of the

(105)

PREVENTIVE CONTROLS

• The ACL normally specifies that the following packets should not be allowed entry:

– Packets with illegal source addresses. Certain source addresses are reserved for internal use and cannot be routed over the Internet:
  • 10.0.0.0 – 10.255.255.255
  • 172.16.0.0 – 172.31.255.255
  • 192.168.0.0 – 192.168.255.255

(106)

PREVENTIVE CONTROLS

– Packets with the organization’s IP address as the source address.
  • It does not make sense for an internal message to arrive from the Internet, so these are typically spoofed addresses and are not allowed in.

• Border router ACLs often contain several additional rules that specify other types of packets that should be denied entry.

• The ACL rules mainly focus on dropping packets, but the last rule in the ACL specifies that any packet not dropped should be

(107)

PREVENTIVE CONTROLS

• The firewall will subject the packet to more detailed testing before allowing it to enter the internal network.
• Like the border router, firewalls use ACLs to determine what to do with each packet.
  – Firewalls are designed to act as filters and only permit packets that meet specific conditions to pass.
  – The final rule in the firewall ACL usually specifies that any packet not allowed entry by a previous rule should be dropped.

(108)

PREVENTIVE CONTROLS

• Firewalls use more sophisticated techniques than border routers to filter packets.
  – Most employ stateful packet filtering.
  – Static packet filtering examines each IP packet in isolation, but stateful packet filtering maintains a table that lists all established connections between the organization’s computers and the Internet.
  – The firewall consults this table to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer.
  – This enables the firewall to reject specially crafted attack packets that would have passed a simple static
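
The border-router ACL and the stateful firewall described on the last few slides, written out as an added Python example (not code from the textbook or its slides). The organization’s public address block 203.0.113.0/24, the packets, and the “allow anything with the ACK flag” rule used to stand in for a simple static filter are all constructed for the illustration; the reserved source ranges are the ones listed on slide 105.

```python
import ipaddress

# Source ranges reserved for internal use; they cannot be routed over the Internet,
# so a packet arriving from outside with such a source address is illegitimate.
RESERVED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed value: the organization's own public address block (hypothetical).
ORG_NET = ipaddress.ip_network("203.0.113.0/24")


def border_router_filter(packet):
    """Static packet filtering: each packet is judged in isolation from header fields.
    Returns 'route-elsewhere', 'drop' or 'forward' (hand the packet to the firewall)."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    if dst not in ORG_NET:
        return "route-elsewhere"   # not addressed to us: pass to another router on the Internet
    if any(src in net for net in RESERVED_SOURCES):
        return "drop"              # rule 1: reserved (non-routable) source address
    if src in ORG_NET:
        return "drop"              # rule 2: our own address as source means a spoofed packet
    return "forward"               # final rule: anything not dropped goes on to the firewall


def static_firewall_filter(packet, published_ports):
    """Constructed stand-in for a simple static rule set: allow new connections to
    published services, and allow any packet carrying the TCP ACK flag on the assumption
    that it must be a reply to a request from inside. Final rule: drop."""
    if packet["dport"] in published_ports:
        return "accept"
    if packet["ack"]:
        return "accept"            # weakness: an ACK flag is trivial to set on any packet
    return "drop"


class StatefulFirewall:
    """Stateful packet filtering: keeps a table of connections initiated by internal hosts
    and accepts an inbound packet only if it belongs to one of them (or a published service)."""

    def __init__(self, published_ports):
        self.published_ports = set(published_ports)
        self.connections = set()   # entries: (internal ip, internal port, external ip, external port)

    def outbound(self, packet):
        """An internal host opens a connection: remember it."""
        self.connections.add((packet["src"], packet["sport"], packet["dst"], packet["dport"]))

    def inbound(self, packet):
        """Decide on a packet arriving from the Internet. The last rule drops."""
        if packet["dport"] in self.published_ports:
            return "accept"        # new connection to a service we deliberately expose
        key = (packet["dst"], packet["dport"], packet["src"], packet["sport"])
        if key in self.connections:
            return "accept"        # genuine reply to a conversation an internal host started
        return "drop"              # default deny: the ACK flag alone is not enough


def demo():
    """Constructed packets (not captured traffic) exercising both filters."""
    fw = StatefulFirewall(published_ports={443})
    fw.outbound({"src": "203.0.113.10", "sport": 40000, "dst": "198.51.100.7", "dport": 80})
    real_reply = {"src": "198.51.100.7", "sport": 80, "dst": "203.0.113.10", "dport": 40000, "ack": True}
    crafted = {"src": "198.51.100.99", "sport": 80, "dst": "203.0.113.10", "dport": 40000, "ack": True}
    return {
        "reserved_src": border_router_filter({"src": "192.168.1.4", "dst": "203.0.113.10"}),
        "spoofed_src": border_router_filter({"src": "203.0.113.50", "dst": "203.0.113.10"}),
        "ok_packet": border_router_filter({"src": "198.51.100.7", "dst": "203.0.113.10"}),
        "static_on_crafted": static_firewall_filter(crafted, {443}),
        "stateful_on_crafted": fw.inbound(crafted),
        "stateful_on_reply": fw.inbound(real_reply),
    }
```

Running `demo()` shows the point of the slide: the crafted packet, which merely looks like a reply, passes the static rule set but is dropped by the stateful firewall because no internal host ever opened that connection, while the genuine reply is accepted. Note the different final rules: the border router’s last rule forwards whatever it did not drop, the firewall’s last rule drops whatever it did not explicitly accept.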

(109)

PREVENTIVE CONTROLS

• Stateful packet filtering is still limited to examining only information in the IP packet header—the same as screening mail by looking at just the destination and return addresses on the envelope.
  – The process is fast and catches patently undesirable packages.

(110)

PREVENTIVE CONTROLS

• Control would be more effective if each envelope or package were opened and inspected.
• A process called deep packet inspection examines the data in the body of an IP packet to provide more effective access control.

(111)

PREVENTIVE CONTROLS

• Deep packet inspection is the heart of a new type of filter called intrusion prevention systems (IPS).
  – IPS are designed to identify and drop packets that are part of an attack.
  – They use several techniques to identify undesirable packets:
    • Checking packet contents against a database of patterns (signatures) of known attack methods.
    • Developing a profile of “normal” traffic and using statistical analysis to identify packets that don’t fit the profile.
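
The two IPS techniques just listed, signature matching on the packet body and a statistical profile of normal traffic, as an added Python example that is not part of the original slides. The signature patterns, the baseline of “normal” body sizes, and the three-standard-deviation threshold are all constructed for the illustration; a real IPS carries vendor-maintained signature databases and a far richer traffic profile.

```python
import statistics

# Constructed, illustrative signatures: byte patterns a deep-packet-inspection engine
# searches for in the packet body. Real products ship thousands of vendor-maintained ones.
SIGNATURES = {
    "path-traversal": b"../../",
    "script-injection": b"<script>",
}


class IntrusionPreventionSystem:
    """Deep packet inspection with the two techniques the slide lists:
    signature matching on the body, plus a statistical profile of 'normal' traffic."""

    def __init__(self, signatures, baseline_payloads, z_threshold=3.0):
        self.signatures = signatures
        sizes = [len(p) for p in baseline_payloads]
        # Profile of normal traffic: mean and spread of body size seen during a clean period.
        self.mean_size = statistics.mean(sizes)
        self.stdev_size = statistics.pstdev(sizes) or 1.0
        self.z_threshold = z_threshold

    def signature_hits(self, payload):
        """Names of every known-attack pattern found in the body."""
        return [name for name, pattern in self.signatures.items() if pattern in payload]

    def anomaly_score(self, payload):
        """How many standard deviations the body size lies from the learned profile."""
        return abs(len(payload) - self.mean_size) / self.stdev_size

    def inspect(self, payload):
        """Returns (decision, reason). Known attacks are dropped first; then anything
        that does not fit the profile is dropped as a suspected new attack."""
        hits = self.signature_hits(payload)
        if hits:
            return "drop", "signature:" + ",".join(hits)
        z = self.anomaly_score(payload)
        if z > self.z_threshold:
            return "drop", "anomaly:size z=%.1f" % z
        return "pass", ""


def build_demo_ips():
    """Constructed baseline: body sizes of ordinary requests observed during a clean period."""
    baseline = [b"x" * n for n in (60, 80, 120, 150, 200, 90, 70, 110, 130, 180)]
    return IntrusionPreventionSystem(SIGNATURES, baseline)
```

The profile is what lets the IPS drop something no signature describes: a 4,000-byte body scores far outside the learned distribution and is dropped even though it matches nothing in the database. The same mechanism is also where the false positives come from, since an unusually large but legitimate request is scored the same way, which is one reason the next slide counts throughput and tuning among the problems of the approach.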

(112)

PREVENTIVE CONTROLS

• The major benefit of this approach is that it blocks not only known attacks for which signatures already exist, but also new attacks that violate the standards.
• IPS is a promising addition to the security arsenal, but it does have problems:
  – It slows overall throughput.

(113)

PREVENTIVE CONTROLS

• Much research is being undertaken to improve the intelligence of IPS, and they are likely to become an important part of an organization’s security toolkit.
  – They will not replace firewalls and routers; they are complementary tools and provide another layer of perimeter defense.
  – Border routers filter out obviously bad packets and pass the rest to the firewall.
  – The firewall does more detailed checking, allowing in only those packets purporting to contain specific types of data for specific types of programs and dropping the others.
  – The IPS does deep packet inspection on the packets that

(114)

PREVENTIVE CONTROLS

• Another dimension of the defense-in-depth concept is the use of a number of internal firewalls to

(115)

PREVENTIVE CONTROLS

• Many security incidents involve employees rather than outsiders.
• These internal firewalls help restrict the data and portions of the IS that particular employees can access.

(116)

PREVENTIVE CONTROLS

• Modems are cheap and easy to install, so employees are often tempted to install them on their desktops without seeking permission or notifying anyone.
  – This creates a huge hole in perimeter security, especially because employees seldom configure any strong authentication controls.
  – A single rogue modem creates a “back door” through which attackers can successfully compromise the system.
  – Information security or internal audit staff should periodically check for the existence of rogue modems.
  – War dialing software (also used by hackers) can dial every phone number assigned to the organization to identify those connected to modems.

(117)

PREVENTIVE CONTROLS

• Wireless access
  – Many organizations also provide wireless access to their information systems.
    • It’s convenient and easy.
    • But anyone with a wireless NIC can attempt to connect to the network.
    • Ease of access provides another venue for attack and extends the perimeter that must be protected.
    • Wireless signals can often be picked up from miles

(118)

PREVENTIVE CONTROLS

• Dial-up connections
  – Many organizations still allow employees to dial into their network from remote locations.
  – Dial-in access often bypasses the firewalls.
  – It is important to verify the identity of these users.
  – Remote Authentication Dial-In User Service (RADIUS) is a standard method for doing that.
    • Users connect to a remote-access server and submit log-in credentials.
    • The remote-access server passes the credentials to the RADIUS server, which does compatibility tests to

(119)

PREVENTIVE CONTROLS

• To secure wireless access, all wireless access points (devices that accept incoming wireless communications and permit connection to the network) should be located in the DMZ.

(120)

PREVENTIVE CONTROLS

• The following procedures should also be followed to adequately secure wireless access:
  – Turn on available security features.
    • Most wireless devices are sold and installed with these features disabled.
    • Example: encryption is usually turned off.
  – Authenticate all devices attempting to establish wireless access to the network before assigning them an IP address.

(121)

PREVENTIVE CONTROLS

  – Configure all authorized wireless NICs to operate only in infrastructure mode.
    • This forces the device to connect only to wireless access points.
    • Wireless NICs configured in ad hoc mode can communicate directly with any other device that has a wireless NIC. This creates a security threat because it creates peer-to-peer networks with no authentication controls.
  – Use a non-informative name for the access point’s identifier, called a service set identifier (SSID).

(122)

PREVENTIVE CONTROLS

  – Predefine a list of authorized MAC addresses and configure wireless access points to only accept connections from those MAC addresses.
  – Reduce the broadcast strength of wireless access points to make unauthorized reception more difficult off premises.
  – Locate wireless access points in the interior of the building and use directional antennae to make unauthorized access and

(123)

PREVENTIVE CONTROLS

  – As with modems, it’s easy and inexpensive for employees to set up rogue wireless access points.

(124)

PREVENTIVE CONTROLS

Host and Application Hardening

(125)

PREVENTIVE CONTROLS

• Routers, firewalls, and intrusion prevention systems are designed to protect the network perimeter.
• Information security is enhanced by supplementing preventive controls on the network perimeter with additional preventive controls on the workstations, servers, printers, and other devices (collectively referred to as hosts) that comprise the organization’s network.
• Three areas deserve special attention:
  – Host configuration
  – User accounts
  – Software design

(127)

PREVENTIVE CONTROLS

• Host configuration
  – Hosts can be made more secure by modifying their configurations.
    • Default configurations of most devices typically turn on a large number of optional settings that are seldom, if ever, used.
    • Default installations of many operating systems turn on many special purpose programs, called services, which are not essential.
  – Turning on unnecessary features and extra services:
    • Maximizes the likelihood of successful installation without the need for customer support.

(128)

PREVENTIVE CONTROLS

• Every program contains flaws, called vulnerabilities, and therefore represents a potential point of attack.
• Optional programs and features that are not used should be disabled.
• Tools like the Microsoft Baseline Security Analyzer and vulnerability scanners can identify unused and unnecessary programs that represent potential security threats.
• This process of turning off unnecessary features is called

(129)

PREVENTIVE CONTROLS

• In addition to hardening, two other preventive controls should be applied to hosts on the network:
  – Every host should be running anti-virus and firewall software that is regularly updated.
  – COBIT states that it is important to harden and


(131)

PREVENTIVE CONTROLS

• Managing user accounts and privileges
  – COBIT stresses the need to carefully manage user accounts, especially when they have unlimited (administrative) rights on the computer.
  – Users who need administrative powers on a particular computer should be assigned two accounts:
    • One with administrative rights.
    • One with limited privileges.
  – Users should log in under the limited account to perform routine duties.
    • They should be logged into their limited account when browsing the Web or reading email.
    • If they visit a compromised Website or open an infected email, the attacker will only acquire limited rights.

(132)

PREVENTIVE CONTROLS

• Default accounts must be managed when installing an operating system.
  – Windows creates a guest and an administrator account.
  – The guest account has limited power but provides anonymous access, so it’s not possible to identify who used the account and for what resources.
  – The default guest account should be disabled.
  – The default administrator account has unlimited power.
  – Its default password is well-known, so the account should be renamed and given a strong password.


(134)

PREVENTIVE CONTROLS

• Software design
  – Attacks often exploit software vulnerabilities:
    • Buffer overflows
    • SQL injections
    • Cross-site scripting
• Buffer overflow attack
  – The attacker sends a program more data than it can handle.

(135)

PREVENTIVE CONTROLS

• This type of attack can only occur if the programmer fails to include a check on the amount of data being input.
  – It can be prevented by sound programming practices.
  – Treat all input from external users as untrustworthy
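
The two programming practices this slide and the previous one call for, an explicit check on the amount (and kind) of data being input and treating external input as untrustworthy, shown as an added Python example rather than code from the textbook. It places a string-concatenated SQL lookup, the flaw behind the “SQL injection” item on slide 134, beside its parameterized form, and puts an input validator in front of both. The table, the 64-byte limit and the user names are constructed for the illustration.

```python
import sqlite3

MAX_USERNAME_BYTES = 64   # constructed limit: the explicit size check the slide calls for


def validate_username(raw):
    """Treat input from external users as untrustworthy: enforce type, size and character
    set before the value reaches any buffer, query or command."""
    if not isinstance(raw, str):
        raise ValueError("username must be text")
    if len(raw.encode("utf-8")) > MAX_USERNAME_BYTES:
        raise ValueError("username exceeds %d bytes" % MAX_USERNAME_BYTES)
    if not raw or not all(ch.isascii() and (ch.isalnum() or ch in "._-") for ch in raw):
        raise ValueError("username contains disallowed characters")
    return raw


def is_valid_username(raw):
    """Boolean view of the validator, convenient for checks and tests."""
    try:
        validate_username(raw)
        return True
    except ValueError:
        return False


def make_demo_db():
    """Constructed in-memory table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by string concatenation, so user-supplied text becomes SQL.
    Kept only as the 'before' picture of the flaw the slide names."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the value travels separately from the SQL text and is
    matched literally, so no input can change the query's structure."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def lookup_hardened(conn, raw):
    """Defense in depth: validate the amount and form of the input first, then query with parameters."""
    return lookup_safe(conn, validate_username(raw))
```

With the constructed table, a name containing a quote and an always-true comparison makes the concatenated query return every row, while the parameterized query looks for a user literally named that and returns nothing. The validator rejects that input before a query is even built, and it is the same size check that, in a language with fixed-size buffers, is what stops the buffer overflow described on slide 134.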

(136)

PREVENTIVE CONTROLS

• Encryption
  – The final layer of

(137)

PREVENTIVE CONTROLS

• Encrypting sensitive stored data provides one last barrier that must be overcome by an intruder.
• It also strengthens authentication procedures and plays an essential role in ensuring and verifying the validity of e-business transactions.

(138)

PREVENTIVE CONTROLS

[Figure: plaintext “This is a contract for . . .” + key → encryption algorithm → ciphertext “Xb&j &m 2 ep0%fg . . .” → decryption algorithm + key → plaintext “This is a contract”]

• Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext. Decryption reverses this process.
• To encrypt or decrypt, both a key and an algorithm are needed.

(139)

PREVENTIVE CONTROLS

• Computers represent plaintext and ciphertext as a series of binary digits (0s and 1s).
  – The key is also a string of binary digits of a fixed length.
  – A 128-bit key consists of a string of 128 0s and 1s.
• The algorithm is a formula for combining the key and the text.
• Most documents are longer than the key, so the computer first divides the plaintext or ciphertext into blocks, each block the same length as the key.

(140)

PREVENTIVE CONTROLS

• This process produces a ciphertext version of the document or file equal in size to the original.
• To reproduce the original, the ciphertext is divided into 128-bit blocks, and the decryption key is applied to each block.
• Because each character in English is
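
The block-by-block process of slides 139 and 140 as an added Python example, not code from the textbook. The “algorithm” here is a deliberate toy (XOR of each 128-bit block with a fixed 128-bit key) chosen only because it makes the block structure visible; it is not a real cipher and must not be used as one. The padding scheme and the sample contract text are constructed. The last function also shows what the “repeating blocks of ciphertext” remark on the following slides refers to: when identical plaintext blocks are each combined with the same key independently, the ciphertext blocks repeat too.

```python
BLOCK_BITS = 128
BLOCK_BYTES = BLOCK_BITS // 8   # 16 bytes, the same length as the 128-bit key


def pad(data):
    """Pad the plaintext so it divides evenly into 16-byte blocks (PKCS#7-style:
    append n bytes each holding the value n, 1 <= n <= 16)."""
    n = BLOCK_BYTES - len(data) % BLOCK_BYTES
    return data + bytes([n]) * n


def unpad(data):
    """Remove the padding added by pad(), refusing anything malformed."""
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK_BYTES or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def split_blocks(data):
    """Divide the (padded) text into blocks the same length as the key."""
    return [data[i:i + BLOCK_BYTES] for i in range(0, len(data), BLOCK_BYTES)]


def toy_block_encrypt(plaintext, key):
    """Toy illustration only: combine each block with the key by XOR. XOR with a fixed
    key is trivially broken; the point is the block structure, not the security."""
    assert len(key) == BLOCK_BYTES, "key must be 128 bits"
    return b"".join(bytes(a ^ b for a, b in zip(block, key))
                    for block in split_blocks(pad(plaintext)))


def toy_block_decrypt(ciphertext, key):
    """Divide the ciphertext into 128-bit blocks and apply the key to each, then unpad."""
    assert len(key) == BLOCK_BYTES and len(ciphertext) % BLOCK_BYTES == 0
    return unpad(b"".join(bytes(a ^ b for a, b in zip(block, key))
                          for block in split_blocks(ciphertext)))


def repeated_block_count(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block. Repeated plaintext
    blocks encrypted independently under one key produce repeated ciphertext blocks,
    which leaks the structure of the document even though no block is decrypted."""
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))
```

Encrypting a 40-byte contract with a 16-byte key gives 48 bytes of ciphertext (the original rounded up to a whole number of blocks), and decrypting with the same key returns the original exactly. A document consisting of the same 16 bytes three times produces three identical ciphertext blocks, which is the leak that real block-cipher modes and longer keys are designed to avoid.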

(141)

PREVENTIVE CONTROLS

• Encryption strength
  – Three important factors determine the strength of any encryption system:
    • Key length
      – Longer keys provide stronger encryption by reducing the number of repeating blocks of ciphertext.
    • Key management policies
      – If the key is compromised, encryption is easily broken.
      – But there must be a way to decrypt data if an employee leaves: build a master key into the software.
    • The nature of the encryption algorithm
      – The nature of the algorithm also affects encryption strength.
      – A strong algorithm is difficult, if not impossible, to break with brute-force guessing techniques.
      – Secrecy is not necessary for strength.

(144)

PREVENTIVE CONTROLS

• Types of encryption systems
  – There are two basic types of encryption systems:
    • Symmetric encryption systems
    • Asymmetric encryption systems

(147)

PREVENTIVE CONTROLS

• Symmetric encryption advantages:
  – It is much faster than asymmetric encryption.
• Symmetric encryption disadvantages:
  – Both parties need to know the secret key, so a method is needed to securely exchange the keys, and email is not an appropriate solution.
  – A different key needs to be created for each party with whom the entity engages in encrypted transactions.


(149)

PREVENTIVE CONTROLS

• Asymmetric encryption systems
  – Use two keys:
    • The public key is publicly available.
    • The private key is kept secret and known only to the owner of that pair of keys.
  – Either key can be used to encrypt.

(150)

PREVENTIVE CONTROLS

• Asymmetric encryption solves several problems with symmetric keys.
  – It doesn’t matter who knows the public key, because any text encrypted with it can only be decrypted using the private key.
  – The public key can be distributed by email or posted on a Website for anyone who wants to send an encrypted message to the entity.
  – Any number of parties can use the same public key to send messages, because only the owner of the key can decrypt them.
  – Because only one party has the private key, it’s possible to

(151)

PREVENTIVE CONTROLS

• The main drawback to asymmetric encryption is speed.
  – It is much (thousands of times) slower than symmetric encryption.

(152)

PREVENTIVE CONTROLS

• So, e-business uses both types of encryption systems:
  – Symmetric encryption to encode most of the data being exchanged.
  – Asymmetric encryption to safely send the symmetric key to the recipient for use in decrypting the ciphertext.
  – Asymmetric encryption can also be used in
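
The hybrid scheme this slide describes, a symmetric key for the bulk data and the recipient’s public key to carry that symmetric key, as an added Python example that is not code from the textbook. Both primitives are toys built from the standard library so the example runs anywhere: the symmetric part XORs the message with a keystream derived by hashing the key and a counter, and the asymmetric part is textbook RSA using two small, publicly known Mersenne primes (2^61−1 and 2^89−1) with no padding. Neither is suitable for real use (real systems use AES with an authenticated mode and RSA-OAEP or an elliptic-curve key exchange); the purchase-order message is constructed.

```python
import hashlib
import os


def keystream_xor(key, data):
    """Toy symmetric cipher: XOR the data with a keystream of SHA-256(key || counter)
    blocks. Because XOR is its own inverse, one call both encrypts and decrypts, and
    the ciphertext is exactly the size of the plaintext."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# Toy RSA key pair. These two Mersenne primes are public knowledge and far too small
# for real security; they are used here only so the arithmetic is real and reproducible.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                   # public key (modulus, exponent); N is about 150 bits
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent, known only to the key owner


def rsa_wrap_key(session_key, pubkey=(N, E)):
    """Encrypt a 16-byte symmetric key with the recipient's PUBLIC key.
    Anyone may do this; only the private-key holder can undo it."""
    n, e = pubkey
    k = int.from_bytes(session_key, "big")
    assert 0 < k < n, "key must be smaller than the modulus"
    return pow(k, e, n)


def rsa_unwrap_key(wrapped, privkey=(N, D), key_len=16):
    """Recover the symmetric key with the PRIVATE key."""
    n, d = privkey
    return pow(wrapped, d, n).to_bytes(key_len, "big")


def hybrid_encrypt(message, recipient_pubkey):
    """Sender side: fresh random symmetric key for the bulk data (fast), then the
    small symmetric key is wrapped with the slow asymmetric operation just once."""
    session_key = os.urandom(16)
    return rsa_wrap_key(session_key, recipient_pubkey), keystream_xor(session_key, message)


def hybrid_decrypt(wrapped_key, ciphertext, recipient_privkey):
    """Recipient side: unwrap the symmetric key with the private key, then decrypt the data."""
    session_key = rsa_unwrap_key(wrapped_key, recipient_privkey)
    return keystream_xor(session_key, ciphertext)
```

The design mirrors the slide’s reasoning: the expensive public-key operation is applied to 16 bytes, not to the whole document, and a new symmetric key is generated per message, which also answers the “different key for each party” disadvantage of pure symmetric encryption on slide 147, since no key has to be agreed in advance.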

(153)

PREVENTIVE CONTROLS

• Hashing
  – Hashing takes plaintext of any length and transforms it into a short code called a hash.
  – SHA-256 creates a 256-bit hash regardless of text length.
  – Hashing differs from encryption in that:
    • Encryption always produces ciphertext similar in length to the plaintext, but hashing produces a hash of a fixed short length.
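
The fixed-length property of SHA-256 and its use as an integrity check, as an added Python example that is not part of the original slides. It uses the standard library’s `hashlib` and `hmac` modules; the document text and the input sizes are constructed.

```python
import hashlib
import hmac


def fingerprint(document):
    """SHA-256 hash of the document: always 32 bytes (256 bits), whatever the input size."""
    return hashlib.sha256(document).digest()


def verify_fingerprint(document, expected):
    """Integrity check: recompute the hash and compare it to the stored value.
    compare_digest runs in constant time so the comparison itself leaks nothing."""
    return hmac.compare_digest(fingerprint(document), expected)


def flip_one_bit(document, index=0):
    """Demonstration helper: alter a single bit of the input."""
    altered = bytearray(document)
    altered[index] ^= 0x01
    return bytes(altered)


def hash_length_by_input_size(sizes):
    """Map each constructed input size to the length of its hash, to show the
    contrast with encryption, whose output grows with the input."""
    return {n: len(fingerprint(b"x" * n)) for n in sizes}
```

A hash of an empty input, of one byte and of a hundred thousand bytes are all 32 bytes long, and changing one bit of the contract produces an entirely different value, so a stored hash detects any alteration. Unlike the encryption examples above, there is no key and no decryption function: the hash cannot be turned back into the document, which is why it serves for integrity checks rather than confidentiality.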
